NethSecurity 8.7.2: Live Flows, IPsec, OpenVPN, improved additional packages management

We are pleased to announce the release of NethSecurity 8.7.2.
This version includes all updates already released for version 8.7.1, some new features not previously released, and a rebase of the system on OpenWrt 24.10.5.

Update now :backhand_index_pointing_left:

:fire: Release highlights

Rebase to the latest version of OpenWrt (24.10.5) which updates several packages and introduces security fixes.

:rocket: New features

:gear: DPI engine update and scanning mode

The DPI engine has been updated to version 5.2, and a new scanning mode has been introduced that significantly improves performance, with up to a 90% reduction in the workload of DPI inspection.

The new engine also integrates advanced features that made it possible to develop new tools such as Live Flows, and opens the way to further evolutions in traffic control and reporting capabilities.

:shuffle_tracks_button: Live Flows

In the Monitoring section, Live Flows are now available, allowing real-time monitoring of all traffic crossing the firewall, providing details on IPs, ports, applications and much more.

Live Flows allow you to:

  • immediately identify hosts generating the most traffic

  • identify the type of traffic they are generating, providing destination host, protocol and application

  • view blocks performed by the DPI filter

From a flow it is possible to trace back to the corresponding connection reported in conntrack, which has also been enriched with a label referencing the flow.

:locked_with_key: Improved certificate management in OpenVPN

OpenVPN Roadwarrior now displays the validity period (start and expiration dates) and expiration warnings for the Certification Authority (CA) and server certificates, for better certificate lifecycle management.
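
The same lifecycle check can be scripted outside the UI, for example as a cron job that watches the CA and server certificate files. The script below is an added example, not NethSecurity's own code; the certificate paths are hypothetical and it relies only on `openssl x509 -checkend`, which reports whether a certificate will still be valid a given number of seconds from now.

```sh
#!/bin/sh
# Added example (not NethSecurity's own code): warn when CA or server
# certificate files are close to expiry, the same lifecycle information the
# OpenVPN Roadwarrior page now surfaces. File paths are hypothetical.

# Returns 0 if CERT_FILE expires within DAYS days (or has already expired),
# 1 if it stays valid beyond that window.
cert_expires_within() {
  cert_file="$1"
  days="$2"
  window=$(( days * 86400 ))
  # `openssl x509 -checkend N` exits 0 when the certificate is still valid
  # N seconds from now, and non-zero when it will have expired by then.
  if openssl x509 -checkend "$window" -noout -in "$cert_file" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Prints the notBefore= and notAfter= lines of CERT_FILE.
cert_validity() {
  openssl x509 -noout -dates -in "$1"
}

# Reports every certificate passed as an argument against a DAYS warning
# window. Exit status is non-zero if any certificate is unreadable or inside
# the window, so the function can drive a cron job or a monitoring check.
check_certs() {
  days="$1"
  shift
  rc=0
  for cert_file in "$@"; do
    if [ ! -r "$cert_file" ]; then
      echo "error: cannot read $cert_file" >&2
      rc=1
      continue
    fi
    if cert_expires_within "$cert_file" "$days"; then
      echo "WARNING: $cert_file expires within $days days ($(cert_validity "$cert_file" | grep notAfter))"
      rc=1
    else
      echo "ok: $cert_file"
    fi
  done
  return "$rc"
}

# Usage: sh check-certs.sh /path/to/ca.crt /path/to/server.crt
if [ "$#" -gt 0 ]; then
  check_certs 30 "$@"
fi
```

A 30-day window is a reasonable default for a CA or server certificate: it leaves time to renew and redistribute before clients start failing TLS verification. Note that an unreadable file is reported as an error rather than silently treated as valid, since a missing certificate is exactly the case you do not want to miss.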

:locked_with_key: VPN IPSEC: Tunnel details

For each IPsec tunnel, the status of the individual Security Associations (SAs) is shown, with direct access to the full status output.
This gives clearer information for tunnels that carry multiple networks.

Tunnel list

  • IPSec “Close action”: in the IPSec tunnel configuration it is now possible to choose a specific close action (previously always “none”).

:globe_with_meridians: Reverse Proxy

The reverse proxy now supports listening on both HTTP (port 80) and HTTPS (port 443), with optional redirection from HTTP to HTTPS for each instance.

:shield: IPS

Bypass management has been unified: configured IP addresses are now excluded both as source and destination.

:globe_with_meridians: DHCP and Network

The DHCP server now allows the firewall’s IP address to be included within the DHCP range. Although it is generally recommended to keep the firewall’s interface IP outside the DHCP pool, this option can be particularly useful during migration scenarios (as was allowed in version 7), enabling a smoother transition without requiring changes to the existing network configuration.

:fire: Port Forward

The port forward interface has been improved for the case where all traffic must be redirected to a host: a dedicated option is now available.

A specific option is also present for traffic destined to the firewall itself.

:gear: Persistent additional packages

A mechanism has been introduced that allows persistence of manually installed additional packages.
Packages installed via CLI are now automatically reinstalled at first boot after an image upgrade.
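
To make the mechanism concrete, the script below is an added example, not NethSecurity's own implementation: it saves the packages that are not part of the image manifest before an upgrade and reinstalls that list afterwards. The manifest format (`name - version`, as printed by `opkg list-installed`) and the state file path are assumptions.

```sh
#!/bin/sh
# Added example (not NethSecurity's own code): a minimal model of persisting
# manually installed packages across an image upgrade.
#   before the upgrade: save the packages that are not part of the image manifest
#   at first boot after the upgrade: reinstall that saved list
# The state file path is a hypothetical placeholder.

STATE_FILE="${STATE_FILE:-/etc/user-packages.list}"

# Prints, one per line, the package names present in INSTALLED_LIST but not in
# BASE_MANIFEST. Both inputs are "name - version" lines as printed by
# `opkg list-installed`. Only names are kept: the rebase changes versions, so
# pinning a version would make the reinstall fail.
user_installed_packages() {
  base_manifest="$1"
  installed_list="$2"
  base_names=$(mktemp)
  inst_names=$(mktemp)
  cut -d' ' -f1 "$base_manifest" | sort -u > "$base_names"
  cut -d' ' -f1 "$installed_list" | sort -u > "$inst_names"
  comm -13 "$base_names" "$inst_names"   # lines unique to the installed list
  rm -f "$base_names" "$inst_names"
}

# Saves the delta to STATE_FILE (which must sit on storage that the upgrade
# preserves) and prints how many packages were recorded.
save_user_packages() {
  user_installed_packages "$1" "$2" > "$STATE_FILE"
  wc -l < "$STATE_FILE" | tr -d ' '
}

# Reinstalls each saved package. A failed install is logged and skipped so a
# package that was renamed or dropped in the new release cannot abort boot.
# With DRY_RUN=1 the opkg command is printed instead of executed.
reinstall_user_packages() {
  dry_run="${1:-0}"
  [ -s "$STATE_FILE" ] || return 0
  while IFS= read -r pkg; do
    case "$pkg" in ''|\#*) continue ;; esac   # skip blank lines and comments
    if [ "$dry_run" = 1 ]; then
      echo "opkg install $pkg"
    else
      opkg install "$pkg" || echo "warning: failed to reinstall $pkg" >&2
    fi
  done < "$STATE_FILE"
}
```

Two points worth keeping in mind when relying on this kind of persistence: the reinstall happens at first boot from the configured repositories, so the repository must be reachable at that moment and opkg's signature verification must stay enabled, because anything listed in the state file is installed unattended; and a package that the new release has absorbed into the base image is simply reported as already installed.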

:bug: Bug fixes

  • Fixed an issue in MultiWAN rules where source and destination were not preserved after modification.

  • Fixed an error in LAN QoS upload/download bandwidth limits, which were reversed.

  • Fixed sorting of static and dynamic DHCP leases by IP address.

  • Resolved pppd crashes with SIGILL (illegal instruction) during PPPoE negotiation with some ISPs.

  • Fixed home_net configuration in Snort, which was not updated after changes to LAN interface network settings.

  • Aligned IPSec tunnel status between UI, API and CLI after configuration changes, without requiring service restart.

  • Fixed an intermittent authentication error in the backup screen (“Unable to retrieve subscription information”) at first access after firewall reboot.

:bug: Known Bugs

The full list of known bugs is available here.

How to update NethSecurity :arrow_up:

  1. Go to the System → Updates section in the UI
  2. The UI should show a new available version (NethSecurity 8.7.2)
  3. Click Update system (the update includes automatic device reboot)

:question: What is NethSecurity?

NethSecurity is a powerful, open-source Linux firewall designed to simplify network security deployment. It offers full-featured protection and an easy-to-use interface.

Choose your preferred Subscription Plan

A NethSecurity subscription ensures that your deployment is backed by top-tier technical expertise and the support necessary to maintain your organization’s security infrastructure.

Subscribing also grants exclusive access to the Enterprise repository, which includes Automatic Updates and VPN integration with LDAP/AD user databases.

It also provides advanced DPI-based application and protocol detection, with over five times more applications and protocols recognized compared to the Community version.

:point_right: Get your subscription

:rocket: Help shape NethSecurity’s future

Your feedback is invaluable as we continue to refine and enhance NethSecurity. Please share your thoughts, report issues, and suggest features by opening a new topic in the NethSecurity category, using tags like Feature, Bug, or Support.

:point_right: Download and use it! :point_left:

9 Likes

Can I test all the features of NethSecurity and emulate corporate networks for a period of 120 days without having to subscribe?

Yes, just create an account inside the community subscription portal.
Then, you can create a 30-days free trial.

Access to services with an extra fee is not included. If you want to test them, please contact sales.

We have plans to remove almost all limitations that you can encounter using an installation without a subscription. But this will take a few months, and probably the changes will be out with the next major release.

2 Likes

The ideal is to do like Sophos: let us test everything for a period of time, so we will have the security to deploy it to customers.

Will I need two subscriptions to test VPN Site-to-Site, or can I use the same subscription on more than one firewall?

Thank you very much.

Let me be a little bold: I think the current NethSecurity approach is better in this case.
The product is Open Source: you can inspect, change the code, and build your own image.
And, of course, use it for free.

Two different ones, but you will not need any subscription to use such a feature.

1 Like

I have clients who use internet access groups, AD usage and the content filter, site-to-site, OpenVPN RoadWarrior in NS7, everything works perfectly, for example: financial, use bank and some websites. I want to migrate this way and they will pay the subscription.

Hello. I’ve downloaded the nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi image and I’ve converted it into a vdi disk in order to use it with VirtualBox by executing the command vboxmanage convertfromraw --format vdi . The issue is that when booting from a UEFI VM, it doesn’t recognize the disk as bootable, while when booting from a BIOS VM Grub’s menu appears (but then the system gets stuck on a blank black screen). So, something weird is happening with the NethSecurity image and VirtualBox (I’m running v.7.2.8 from the RPMFusion repository on Fedora 44). Just to notice