22.05/22.05.1 New Features and Changes

Version 22.05.1

pfSense Plus software version 22.05.1 is a special patch release which adds hardware support for the Netgate 8200 and newer hardware revsions of the 2100, as well as built-in dynamic repository support.

Important

The majority of pfSense Plus users will not need to run this version unless directed to do so by Netgate TAC. This limited patch release is not currently offered as an upgrade from 22.05.

Version 22.05

This is a regularly scheduled release of pfSense® Plus software including new features and bug fixes.

General

Note

OpenVPN DCO is generally stable but still under development.

OpenVPN DCO has been successful in many scenarios in lab and production environments, but there is still a small potential for instability or undesirable behavior.

Some OpenVPN features and use cases are not compatible with DCO. See Limitations for a list of known DCO limitations.

If a problem occurs with DCO, start a thread on the Netgate Forum to discuss and diagnose the issue.

  • Added: ZFS Boot Environment (BE) snapshots support (Plus only)

  • Changed: Captive Portal and Limiters now use only PF and not IPFW (Plus and CE)

Security

pfSense Plus 22.05-RELEASE includes a fix for the following potential vulnerability:

Note

Users of pfSense CE 2.6.0 can obtain a correction for this issue from the Recommended Patches area of the System Patches package.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727

  • Added: Retain descriptions when exporting and importing aliases #12842

Authentication

  • Added: GUI option to select the user password hashing algorithm #12855

  • Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

Backup / Restore

  • Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556

  • Added: Support encrypted config.xml files when restoring via ECL #12685

  • Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724

  • Added: Ability to sort AutoConfigBackup entries #12773

  • Fixed: PHP error when upgrading from before configuration revision 21.6, ipsec_create_vtimap() is undefined #13097

  • Added: Option to restore dashboard widget layout #13125

  • Fixed: PHP error restoring DHCP lease data on fresh installation: #13157

CARP

  • Changed: Reorganize CARP status page #12701

  • Fixed: CARP event storm when leaving persistent CARP maintenance mode. #12961

Captive Portal

  • Fixed: Allowed IP/Hostname “Direction” option is never used #12649

  • Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651

  • Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733

  • Fixed: Only TCP traffic is passed outbound though IPFW #12834

  • Changed: Transition Captive Portal from IPFW to PF #13100

Certificates

  • Added: Option to retain the existing serial number when renewing a CA or certificate #13010

Configuration Backend

  • Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675

  • Added: Eliminate duplicate shell commands from history file #12741

Configuration Upgrade

  • Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

Console Menu

  • Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103

DHCP (IPv4)

  • Fixed: Disabling DHCP Server RRD statistics does not work #12710

  • Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892

  • Fixed: HTTPClient option does not work for static mappings #12896

  • Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923

  • Fixed: DHCP network boot filename can be incorrectly placed in DHCP Pool Options #12986

  • Added: Relax DHCP maximum lease time input validation #13118

  • Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127

DHCP (IPv6)

  • Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880

  • Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527

  • Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582

  • Fixed: Uninitialized array in array_remove_duplicates() #12749

DNS Forwarder

  • Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902

  • Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

DNS Resolver

  • Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613

  • Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636

  • Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781

  • Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985

  • Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991

  • Added: DNS Resolver option to keep probing when servers are down #13023

Dashboard

  • Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253

  • Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714

Diagnostics

  • Fixed: diag_pftop.php does not fully encode output #12915

Dynamic DNS

  • Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590

  • Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672

  • Added: IPv6 support for DNSimple Dynamic DNS #12744

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750

  • Added: Support wildcard Dynamic DNS records on DigitalOcean #12752

  • Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

Gateway Monitoring

  • Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633

  • Added: Option to disable auto-addition of static routes for dpinger #12687

  • Changed: Update dpinger to 3.2 #12881

Gateways

  • Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692

  • Fixed: IPv6 link local gateway default status not indicated in GUI #11764

  • Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it not including interface scope properly #12721

  • Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

Hardware / Drivers

  • Added: Chelsio TOE support using the t4_tom module #9091

  • Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

High Availability

  • Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy

  • Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609

IPsec

  • Added: Option to choose default tab in IPsec status Dashboard widget #2456

  • Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226

  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: Disallow remote gateway of 0.0.0.0 for VTI mode #12723

  • Fixed: VTI gateway status stuck as “pending” after reboot #12763

  • Changed: Update strongSwan #12934

  • Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953

  • Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975

  • Added: GUI option for IPsec dns-interval setting #13057

  • Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071

  • Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131

Installer

  • Fixed: Support encrypted config.xml files when restoring during install #12691

  • Added: Recover existing SSH keys during installation #12809

Interfaces

  • Added: Show SFP module details on status_interfaces.php #8861

  • Added: Improved support for USB interfaces that may not always be present #9393

  • Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629

  • Fixed: devd is not configured to act on USB interface attach/detach events #12606

  • Changed: Restart services on interface changes #12619

  • Fixed: Interface status “Total Interrupts” display is non-functional #12735

  • Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780

  • Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790

  • Fixed: Link-local address does not reset after removing MAC address spoofing #12794

  • Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866

  • Fixed: The ruleset is not regenerated after assigning an interface #12949

L2TP

  • Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066

  • Fixed: L2TP stays bound to previous IP address after static IP address change #13082

  • Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099

LAGG Interfaces

  • Added: GUI option to configure layers for LACP hash #12819

Notifications

  • Fixed: Slack notification options only allow `` -`` as a special character in channel names #13083

OpenVPN

  • Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416

  • Fixed: OpenVPN stays bound to previous IP address after interface changes #11864

  • Added: OpenVPN option to limit concurrent connections per user #12267

  • Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332

  • Added: Use deferred client connections in OpenVPN #12407

  • Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628

  • Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771

  • Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817

  • Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884

  • Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887

  • Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925

  • Changed: Warn about OpenVPN shared key deprecation #12981

  • Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056

  • Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061

  • Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116

  • Changed: OpenVPN status page improvements #13129

  • Fixed: OpenVPN client-connect file contains topology #13133

  • Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145

  • Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274

Operating System

  • Fixed: pf hostid value is handled inconsistently #12703

  • Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862

  • Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

PPP Interfaces

  • Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

PPPoE Server

  • Fixed: PPPoE server panics with multiple client connections #13210

Package System

  • Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

  • Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766

  • Fixed: write_rcfile() does not create rc_restart() entry #13004

Packet Capture

  • Added: Button to clear previous packet capture data #12968

Routing

  • Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536

  • Fixed: Cannot remove IPv6 static routes #12728

  • Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route. #13048

Rules / NAT

  • Added: Toggle button to disable/enable multiple firewall rules #2505

  • Added: Port forward NAT rules with “any” protocol #4259

  • Added: Allow NPt to use dynamic IPv6 networks #4881

  • Added: Button to copy rules from one interface to another #8365

  • Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984

  • Added: Utilize new pfctl abilities to kill states #12092

  • Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319

  • Added: Allow the selection of “any” interface in floating rules #12392

  • Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678

  • Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792

  • Fixed: Error loading ruleset due to illegal TOS value #12803

  • Fixed: High latency and packet loss during a filter reload #12827

  • Fixed: On startup “No routing address with matching address” might appear #12847

  • Fixed: Some action buttons are always active for firewall rules, even if no rules are selected #12871

  • Added: Toggle button to disable/enable multiple entries on NAT pages #12879

  • Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957

  • Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012

  • Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015

  • Fixed: Input validation requires a gateway for floating match out rules #13027

  • Fixed: Empty negate_networks table breaks policy routing rules #13049

  • Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055

  • Added: Allow auto prefix with manual prefix-length in NPt #13070

  • Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164

  • Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171

  • Fixed: Incorrect usage of DSCP hex value #13178

SNMP

  • Fixed: SNMP daemon is restarted during every rc.newwanip event #12611

Services

  • Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775

  • Fixed: Stale sshdkeys.dirty lock file prevents generating SSH server keys #13139

Traffic Shaper (ALTQ)

  • Changed: Remove code references to unused reset parameter from traffic shaper pages #13042

Traffic Shaper (Limiters)

  • Fixed: Incorrect ICMP reply when using limiters #9263

  • Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003

  • Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579

  • Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

Traffic Shaper Wizards

  • Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937

  • Fixed: Traffic shaper wizard rewrites Mbits to Kbits #13086

UPnP/NAT-PMP

  • Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port. #7727

  • Changed: Reorganize UPnP options #12624

Unknown

  • Fixed: Many exec() functions do not use full path to executable files #11941

Upgrade

  • Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

User Manager / Privileges

  • Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Web Interface

  • Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141

  • Fixed: Zero-value prefix IPv6 addresses are mishandled #12440

  • Added: Option to filter state table contents by rule ID #12616

  • Fixed: Changing RAM disk size does not prompt to reboot #12876

  • Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069

  • Added: Trim whitespace from MAC addresses in user input #13109

Wireless

  • Fixed: Wireless interface WPA configuration fields are always visible #12998

  • Fixed: Duplicate wireless interfaces are created at boot #12999

XMLRPC

  • Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940