NethSecurity project milestone 8.7.1 : WireGuard, High availability, Zones, Threat Shield, backups

:white_check_mark: Back online!

The issue affecting IPsec tunnels has been identified and fixed.
It is now safe to proceed with the upgrade to version 8.7.1.

:wrench: What to do

  • If you haven’t upgraded yet to version 8.7.1, you can now safely proceed with the update.

  • If you already upgraded yesterday (October 30, 2025) to version 8.7.1, simply click the “Check for fixes” button on the updates page to force the update.


We’re excited to announce the release of NethSecurity 8.7.1 based on OpenWrt 24.10.3.

N.B. We strongly recommend always using the latest version when migrating from NethSecurity 7.

Update Now :point_left:

:fire: Release Highlights

NethSecurity 8.7.1 introduces several new features and improvements. The image also includes updates released after version 8.6 through package updates.

:rocket: New Features

:gemini: High availability

After extensive testing and refinement, High Availability for NethSecurity is now ready for production use.
:warning: Please note that the HA system has undergone significant changes compared to the beta version and must be reconfigured from scratch.

:locked_with_key: WireGuard UI

The new WireGuard tunnel UI has been released.
You can now configure and manage VPN tunnels directly from the interface using the WireGuard protocol, known for being secure, high-performance, and interoperable.
It supports multiple independent servers, and configurations can be shared with peers via file or QR code.

Both the Server and peer sections are designed for easy integration with other devices, whether NethSecurity units or third-party systems.

Note: any WireGuard tunnels previously configured from the command line will be migrated and displayed in the new UI.

:shield: Security and protection

Flood firewall protection:
Improved flood protection handling against DDoS and flood attacks. Configuration is now centralized under the Threat Shield IP section.

Threat Shield DNS allowlist:
A new local allowlist for URLs has been added to the Threat Shield DNS interface, providing more granular control.

:horizontal_traffic_light: Zone management

Zone creation automation:
Automatic configuration templates have been introduced for GUEST and DMZ zones during creation.

:floppy_disk: Backup

Backup download options:
It is now always possible to download unencrypted backups locally using the dedicated button.

:globe_with_meridians: DNS and networking

  • DNS server configuration:
    Behavior has been adjusted when DNS servers are provided via DHCP or PPPoE.
    When DNS servers are manually defined from the UI, those manually set always take priority.

  • DHCP isolation (FlashStart):
    Improved behavior when using FlashStart. It is no longer necessary to specify the DNS server in DHCP options when FlashStart is active.
    The DHCP server behavior is now consistent with or without FlashStart.

:fire: Port forwarding and security

  • Port forwards display:
    System-generated rules remain visible but cannot be modified. They are now clearly marked as automated, combining functionality with transparency for the user.

  • Threat Shield IP:
    Firewalls with an active subscription automatically whitelist the IPs of Nethesis enterprise services when Threat Shield IP is enabled, preventing false positives.

:locked_with_key: VPN

  • IPsec DH Groups support:
    Added support for DH groups 19, 20, and 21 in the IPsec interface.

:video_game: Controller

  • Added unit-group based access control, IP-based access restrictions, performance optimizations, and UI improvements for large-scale management.

  • Data transmitted over VPN: all data and logs sent to the controller now pass through the VPN tunnel, ensuring higher security.

  • Unit description: added a description field in the unit table to simplify identification. The field is synchronized between units and controller and can be edited from the firewall.

  • MTU configuration: added MTU settings to resolve connectivity issues in networks with limited quality.

  • Remote support access (nethsupport): support agents can now access the controller using a temporary code, without user credentials or 2FA, and access is automatically revoked at the end of the support session.

:bug: Bug fixes

  • Port forward kebab menu: fixed enabling/disabling rules via the kebab menu when a domain set object is configured.

  • Port forward validation: improved validation to reject invalid IPs when a destination port is defined.

  • OpenVPN LZO compression: fixed an issue preventing OpenVPN tunnels with LZO compression from starting.

  • Interfaces: QoS and MultiWAN configurations now update correctly when a WAN interface is removed, preventing obsolete settings and state inconsistencies.

  • DPI: DPI rules now correctly block ICMP traffic using automatic conntrack labels. The fix also resolves a startup segfault and improves performance under load.

  • Port forwarding: enabling or disabling rules via the kebab menu now works even when a domain set is used in the “Limit access to” section.

  • Reverse proxy: certificate usage indicators now display the correct status.

  • Controller: fixed an issue where 2FA could be activated after canceling the setup process; it is now only enabled after successful completion with a valid OTP.

  • DHCP: the DHCP server now correctly replies with a single message per request when multiple dnsmasq instances are configured.

The full list of fixes is available here:

:bug: Known Bugs

The full list of known bugs is available here:

How to update NethSecurity :arrow_up:

  1. Go to the System → Updates section in the UI
  2. The UI should show a new available version (NethSecurity 8.7.1)
  3. Click Update system (the update includes automatic device reboot)

:question: What is NethSecurity?

NethSecurity is a powerful, open-source Linux firewall designed to simplify network security deployment. It offers full-featured protection and an easy-to-use interface.

Choose your preferred Subscription Plan

A NethSecurity subscription ensures that your deployment is backed by top-tier technical expertise and the support necessary to maintain your organization’s security infrastructure.

Subscribing also grants exclusive access to the Enterprise repository, which includes Automatic Updates, advanced DPI Applications/protocol detection, and VPN integration with LDAP/AD user databases.

:point_right: Get your subscription

:rocket: Help shape NethSecurity’s future

Your feedback is invaluable as we continue to refine and enhance NethSecurity. Please share your thoughts, report issues, and suggest features by opening a new topic in the NethSecurity category, using tags like Feature, Bug, or Support.

:point_right: Download and use it! :point_left:


:warning: Important notice :warning:

A problem has been identified affecting IPsec tunnels under certain operational configurations involving specific modes and cipher combinations.
As a precaution, we recommend temporarily refraining from updating your systems.

We apologize for the inconvenience and will inform you as soon as it is safe to resume system updates.



Great job guys.

Is it maybe possible to reinstall open-vmtools after an upgrade if this is installed?
Now I must do this manually after an update, and sometimes I’m aware I must do this.