Hi there,For almost four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.Download links, an installation guide[1] and the checksums for the images can be found below as well.o Europe: https://opnsense.c0urier.net/releases/19.1/ o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/ o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/ o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/ o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/ o Full mirror list: https://opnsense.org/download/ Here are the full changes against version 18.7.10:o system: console port assignment can now assign OPT without LANo system: anti-lockout will use OPT1 if LAN is not presento system: allow creation of combined client/server SSL certificateo system: gateway monitoring switches to Dpinger with Apinger removedo system: detect unassigned gateways in static address setupso system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)o system: removal of the old notification system in favour of Monito system: only allow syslog remote binding to assigned interfaceso system: disable IP aliases configured with VHID on temporary disableo system: remove AHCI MSI disable workaround used in FreeBSD 11.1o system: default gateway switching moves back to general settingso system: beep sound notification setting moves to misc. settingso system: limit log line length in log widgeto interfaces: change 6RD/6to4 interface prefix from internal name to physical deviceo interfaces: prohibit tracking on 6RD with /64 upstream prefixo interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 trackingo interfaces: clear an apparently faulty system DUID when no manual DUID is seto interfaces: updated custom dhclient-script used for DHCPv4o interfaces: VIP support for GRE deviceso interfaces: simplify find_interface_ip* functionso interfaces: remove get_interface_subnet* functionso interfaces: remove unused get_possible_listen_ips functiono interfaces: link status indicator on assignments pageo interfaces: unify interface removal codeo firewall: switch GeoIP database download to HTTPSo firewall: find IP reference tool for aliaseso firewall: improve alias page responsiveness with large number of addresseso firewall: show system errors when reloading aliaseso firewall: NAT port forward logging option and live view supporto firewall: optionally resolve all host names in live viewo firewall: not all states could be removed in diagnostics pageo firewall: clean up unused NAT rule association codeo reporting: improve handling of empty Insight datasetso reporting: prepare for Python 3 conversiono firmware: switch default mirror location to HTTPSo firmware: health check for base and kernel files including version checko firmware: support base and kernel file size in packages overviewo firmware: /var MFS compatibility on base installation when reboot is deferredo firmware: command line core lock feature prevents package upgradeso firmware: internally remember plugins installed or removed in the GUIo firmware: show last known update log on page openo firmware: show untrusted repository error in GUIo firmware: separate chanelogs tab for clarityo dhcp: refuse setup of instances that have no associated IP addresso dhcp: fix lease time local vs. UTC display in IPv6 leaseso installer: change communication from TCP to named pipeso installer: fix sporadic segmentation faults in frontend codeo installer: allow config import from ZFS poolso installer: allow password reset on ZFS poolso installer: removed a number of unused moduleso ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)o ipsec: reworked strongswan.conf generationo ipsec: use new interface subnet retrieval codeo monit: support declaring dependencies (contributed by Alexander Werner)o monit: add Service/Test type relation (contributed by Frank Brendel)o monit: add CARP status to standard serviceso monit: add gateway alerts to standard serviceso monit: backend rework to simplify the serviceo intrusion detection: support base ruleset overlays and improve loggingo intrusion detection: GeoIP feature in user-defined rules has been removedo intrusion detection: obey Content-Disposition headero openvpn: client export rewrite, new export option for The Green Bowo unbound: reworked slab calculationo unbound: added statistics pageo unbound: only bind to interfaces or OpenVPN instances, always bind to loopbacko unbound: fix ACL subnet calculation for OpenVPN instanceso unbound: do not generate host entries for OpenVPN instanceso unbound: improve help text wording and general settings layouto web proxy: parent proxy support (contributed by Michael Muenz)o wizard: fix checkbox label stylingo mvc: converted reboot, halt and license page to MVCo mvc: compared-to-field constraint (contributed by Fabian Franz)o mvc: external clients which set Authorization header now receive raw JSON responseso mvc: fix empty value check in grid (contributed by Smart-Soft)o mvc: globally lock config when multiple items are deleted at onceo mvc: volt template JavaScript cleanupso ui: updated bootstrap-select to version 1.13.3o ui: collapsible sidebar support in default theme (contributed by Team Rebellion)o plugins: os-acme-client 1.19[2]o plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)o plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)o plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)o plugins: os-frr switches to FRR 5.0.2, please see belowo plugins: os-l2tp 1.8 interface now selects reachable server addresso plugins: os-pptp 1.8 interface now selects reachable server addresso plugins: os-openconnect 1.3.3[3]o plugins: os-quagga removed, please use os-frr insteado plugins: os-nginx 1.6[4]o plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)o plugins: os-snmp removed, please use os-net-snmp insteado plugins: os-theme-cicada 1.13o plugins: os-theme-tukan 1.12o plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)o src: HardenedBSD 11.2-RELEASE-p7[5][6][7]o src: fix missing transmit visibility for BPF-based listeners in native netmap modeo src: limit the maximum number of fragments per packet in pfo src: replace rwlock on PF_RULES_LOCK with rmlock in pfo src: do not discard UDP6 traffic in Hyper-V adaptorso src: fix state sync during initial bulk update in pfsynco src: unbreak dhclient(8) option 26 processingo src: import APU 1-3 LED kernel moduleo ports: krb5 1.17[8]o ports: php 7.1.26[9]o ports: sudo 1.8.27[10]o ports: perl 5.28.1[11]o ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)Known issues and limitations:o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.o Monit general settings do not save. A patch exists[12] to remedy this problem: opnsense-patch a2899594o Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.o Please read the FRR documentation with regard to the required system tunables[13].o SNMP plugin has been superseded by Net-SNMP plugin.o ZFS guided installation pending.The public key for the 19.1 series is:-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdycip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXiQYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9mpyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82MxNkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGDFb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAzYk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvHC3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==-----END PUBLIC KEY-----Please let us know about your experience!Stay safe,Your OPNsense team--[1] https://docs.opnsense.org/manual/install.html [2] https://github.com/opnsense/plugins/pull/1134 [3] https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr [4] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr [5] https://hardenedbsd.org/content/easy-feature-comparison [6] https://www.freebsd.org/releases/11.2R/relnotes.html [7] https://www.freebsd.org/releases/11.2R/errata.html [8] https://web.mit.edu/kerberos/krb5-1.17/ [9] http://php.net/ChangeLog-7.php#7.1.26 [10] https://www.sudo.ws/stable.html#1.8.27 [11] https://metacpan.org/changes/release/SHAY/perl-5.28.1 [12] https://github.com/opnsense/core/commit/a2899594 [13] https://docs.opnsense.org/manual/dynamic_routing.html SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bdSHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db