2.3 New Features and Changes¶
FreeBSD Security Advisories:
pfSense® Security Advisories:
Several obsolete items were removed from this release. The items are noted again in the sections below, but worth emphasizing:
The PPTP VPN Server has been completely removed. The protocol has been broken for over three years.
The PPTP WAN client remains for use with ISPs still using PPTP.
Layer 7 classification support has been removed from the traffic shaper.
It was rarely used, had been broken for all of 2.2.x, had absurdly high CPU usage, and snort filters better/faster
WEP support has been removed from Wireless interfaces. #5123
No reason to still be using this in this day and age. If it is still needed, use external AP.
Single DES support has been removed from IPsec (3DES remains).
It should not be used, it is not secure.
1GB NanoBSD images have been removed, as they were not large enough to proper accommodate the system and upgrade data. The supported sizes for NanoBSD images are now 2GB and 4GB.
The default system password hash has been changed to bcrypt. Current passwords will continue to work. Existing users need to reset their password to convert to the new hash. More info below under “Authentication”. #4120
The LiveCD platform has been removed. The ISO is a bootable installer, as always, but it cannot run a live system.
The installer ISO image is now named “pfSense–RELEASE-.iso”, with the .iso extension signifying the type of image it is (optical media installer).
For the very few people who were still using LiveCD, if the hardware can boot from USB, install to a USB thumb drive and run from it instead. If the options to keep /var and /tmp in RAM are active, and no packages are installed, the net result should be similar but ultimately more functional.
Converted GUI to the Bootstrap framework, completely new look
Changed the GUI and Captive Portal web server to nginx; removed lighttpd. #5719
Cleaned up a lot of GUI code, option text, etc
TLS v1.0 disabled for the GUI. #5984
Removed old style themes, introduced new CSS-based themes
Added more AJAX updating in widgets and other places
Changed to more intuitive and modern icons and action buttons rather than the old confusing icon set (now using font-awesome icons)
Changed log display to be more consistent (single page for most logs, common filtering options)
Removed obsolete fifolog support. It was never used or fully implemented, and had no GUI option.
Improved notices in the GUI
Made breadcrumbs and page title handling more consistent
Added an option to have the top menu follows the user when scrolling
Renamed several GUI file names to match menu structure. #5628
Fixed AES-NI hardware display in the system information widget. #4911
Added widescreen support to the Dashboard. #5195
Improved password field handling security. Stored passwords are not presented back to the user in HTML. A masked value is returned instead. All password fields have also been changed to require confirmation.
Many pages have been reworked for improved internationalization
Changed info box functions, removed print_info_box_np, now print_info_box and print_apply_box are used to print appropriate boxes without problematic automatic detection
Moved RRD graphs to Status > Monitoring #5498
Changed RRD GUI interface to D3 rather than using the RRD graph command, so that a newer rrdtool base could be used with minimal added dependencies. #5498
Monitor IP added to gateways widget. #4782
Increased max_input_vars from 1000 to 5000 to accommodate larger aliases. #4780
Fixed NTP RRD graphs to accommodate negative values. #4423
Moved to a FreeBSD 10.3-RELEASE base
Added tryforward() support to get (nearly all of) the performance of fastforward with IPsec enabled
Overhauled the build system
Eliminated the -tools repository
Removed Patches, changes are now applied a vendor branch of FreeBSD
Rewrote/changed the build scripts significantly
Moved the new build scripts to the main pfSense repository
PHP Upgraded to 5.6
Replaced pecl-APC with opcache. #4744
Added support for -c parameters to /etc/rc.initial. #4422
Added optional package for kernel debug symbols. #5330
Rewrote system_set_harddisk_standby() for the current CAM-based ATA stack. #4569
Fixed a Panic/Crash with “sbflush_internal: cc 4294967166 || mb 0 || mbcnt 0”. #4689
Fixed a kernel panic with AES-NI. #4702
Updated AES-GCM/AES-NI bits from FreeBSD -HEAD. #4841
Removed zoneinfo.tgz file for Time Zones, move to the same format as FreeBSD. #4726
Fixed tcpdump with zerocopy enabled (net.bpf.zerocopy_enable=1). #5257
Added ability to disable PV disks and NICs on Xen. #5452
Removed the built-in but unused MySQL PHP modules and added them to the pkg server instead. They may be added as package dependencies or manually installed as needed.
Followed FreeBSD (r294560) in ceasing generation of rsa1 and dsa ssh server host keys by default
Removed support for nanobsd images < 2GB #5836
Overhauled IP address handling code in various parts of the system
scponly package is included by default. #5190
Shortened F1 boot prompt delay on nanobsd. #3426
The list of available packages in pfSense 2.3 has been significantly trimmed. Netgate has removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable.
Removed use of PBI-based packages, moved to pkg(ng)
Fixed installation and handling of packages to use pkg, now works identically in the GUI and shell/console
Changed packages to use the FreeBSD ports format/layout to work with pkg
XMLRPC calls for package information and installation have been removed, replaced with native pkg functions. #4575
Added support for packages to be (re)built automatically by Poudriere
Added search capability to Available Packages list to filter packages by keywords. #5324
Fixed the version comparison code in the Package manager. #4924
Added support for tags in listtopic fields for use by packages
Factory reset now completely uninstalls packages. #5829
Improved handling of package install post-upgrade. #3597
Major changes to update management
Removed “full update” or “full slice” upgrade for systems on 2.3 to later versions
These files will remain available for use by older versions updating to 2.3.
The “Full Backup” feature has been deprecated.
Changed system updates to be handled via pkg
Changed Base, kernel, and standard pre-installed binares to packages
Removed “Firmware” nomenclature, now only referred to as “Update”
Fixed updating of base to work the same from the console or the GUI
Added preliminary support for restarting system services without rebooting in cases when the base is updated but the kernel is the same.
Replaced apinger with dpinger(!). #5624
This fixes many gateway monitoring related issues, including incorrect latency and loss in various edge cases.
Eliminates status file race conditions that caused update failures on services bound to gateway groups in some edge cases. #5180 and #3818 among others.
Fixed gateway monitoring startup at boot time with assigned OpenVPN interfaces. #4587
Check gateway monitor settings after upgrade, dpinger has different options than apinger.
Added code to allow gateways outside of an interface subnet. #972
Corrected “State Killing on Gateway Failure” description. #4709
Fixed disabling of a static route set to use a disabled gateway. #4813
Added standard deviation to gateway status and widget
Fixed dynamic gateway logic to prevent GIF/GRE from making dummy/unusable gateways that show up for monitoring/routing/etc #5766
Changed static routes handling for DNS servers so they are removed when a gateway is disabled #4921
Increased gateway weight limit from 5 to 30. #5843
Fixed issues with PPP type WANs and the Default Gateway Switching option. #1837
Fixed dynamic gateway handling for OpenVPN tap clients. #5981
Fixed display of full interface name in Diagnostics>Routes. #5484
Added drag-and-drop rule reordering for firewall and NAT rules.
Fixed a situation where pf drops IPv6 packets with fragment header followed by a last fragment only. #2762
Fixed “LAN network” in v6 rules not working when a link-local address is assigned to LAN. #3656
Added reordering for 1:1 NAT rules. #3888
Improved handling of firewall rule tracker IDs for port forward associated rules
Added support for a separator bar in firewall and NAT rules for use as a visual reference. #5373
Standardized the NPt options in the GUI so their options and appearance are more similar to 1:1 NAT
Added a “no binat” checkbox to 1:1 NAT screen for exclusions. #3887
Limited pfsync syncpeer to IPv4 since it does not support IPv6 #4648
Changed the default CARP pass rules to use “no state” to avoid issues with broken L2 gear that duplicates packets #5800
Added sorting to Alias lists #4195
Added a hit counter to the firewall rule display with states and bandwidth consumed by packets matching rules.
Fixed issues with the DNS Forwarder and DNS Resolver being enabled concurrently (on different ports) in an HA environment #5882
Added a visual indication in the rule list for floating rules with the “quick” property set #5860
Improved state display on Diagnostics > States, now shows packets and bytes for each state
Fixed aliases containing both FQDNs and IPv6 subnets. #5872
Fixed removal of downloaded URL table alias contents when alias is deleted. #5856
Significantly improved validation of downloaded data for URL Table aliases. #5848
Fixed possibilities for creating an invalid ruleset with missing URL Table Ports aliases. #5845
Fixed filterdns issues with significant system clock time jumps. #4166
Added firewall rules hit counter. #3504
Fixed pfSense_getall_interface_addresses truncating IPv6 link local IP addresses. #4062
Add GUI setting for VLANs PCP. #4133
Fixed GRE interfaces failing to have a RUNNING state after reboot. #4191
Fixed setting non-default MTUs in some edge cases. #4397
Added input validation on bridges to prevent adding the same interface to multiple bridges. #4595
Fixed CARP not working under bhyve. #4623
Improved input validation for 6RD, GRE and gif interfaces, helping prevent invalid configurations.
Changed input validation to allow /31 to be used for CARP VIPs since that is now supported and works in FreeBSD. #5533
Added debug logging option for DHCP6 client. #4534
Fixed cases where DHCP6 client (dhcp6c) was being launched multiple times in some circumstances. #5621
Upgraded dhcp6c. #5734
Upgraded DHCP client to ISC dhcpd 4.3.3P1.
Fixed applying of non-default MTU on gif interfaces post-boot with dynamic IP WANs. #5842
Added support for PPPoE with MTU/MRU > 1492, RFC 4638. #4542
Fixed issues with link cycling on some Intel 10G ix NICs #5913
Corrected ALTQ test to show that ix/ixgbe NICs are capable of traffic shaping. #5923
Improved handling of default interface assignment for some hardware. #4535
Corrected input validation for invalid IPv6 IPs with leading or trailing colon. #6024
Fixed orphaning of VLANs on lagg interfaces after editing the lagg. #6014
Fixed loss of some dhcpleases and dhcpleases6 logs. #5968
Fixed adding of routes immediately post-reboot for delegated IPv6 prefixes to sub-routers. #5957
Fixes to DHCPv6 leases status page and prefixes.php. #5944 #4206
Fixed loss of IPv6 IP on track6 interfaces when saving and applying changes on that interface. #5945
Fixed incorrect interface mismatch prompt post-config restore when using VLANs on lagg. #5892
Added support for multiple span interfaces on bridges. #5871
Prevent naming conflicts between interfaces and interface groups. #5795
Prevent naming conflicts between interfaces and aliases. #5778
Fixed use of IP aliases with GRE tunnels. #4450
Fixed application of bridge advanced options after interface added to bridge. #4312
Set MTU back to default after clearing the field. #3926
Fixed IPv6 IP aliases on CARP IPs. #3716
Fixed IP alias on CARP IPs where IP alias above CARP parent in list. #3257
Fixed modifying unassigned VLAN interfaces changing assigned VLAN. #3209
Fixed the WebGUI becoming slow or unusable when an LDAP server used for GUI auth is unreachable. #3383
Fixed a problem with using ‘local’ as the name of an authentication server ‘Descriptive Name’. #4469
Fixed default Auth Server selection on system_usermanager_settings.php. #5440
Added support for bcrypt as a passwd hash and enabled it as the system default #4120
Replaced the default passwd hash for root/admin using bcrypt (blowfish).
Existing user passwords will continue to work in their existing format until the user’s password is changed.
User passwords cannot be automatically converted as they are not stored plain text. To convert the password hash of an existing user to bcrypt, edit the user and change their password.
Added the ability to filter privileges when adding them to a user or group, to make finding them easier.
Fixed updating of group file for renamed groups. #6013
Fixed handling of groups with spaces in their names. Local group names can no longer contain spaces. New group scope option “Remote” added for LDAP and RADIUS use where spaces in group names are valid. #6012
Added support for RFC2307 style LDAP groups. #4923
Fixed handling of the SNMP Bind Interface. #3883
Fixed ntpd crashes on 32 bit with dynamic WAN reconnections and OpenVPN client configured. #4155
Fixed a kernel panic with APU and SNMP with mibII. #4403
Updated igmpproxy to the latest version. #4672
The old version had some custom patches, so be wary of behavior changes
Added encoding for DHCP/DHCPv6 server additional BOOTP text options to preserve data when stored in XML #5623
Fixed duplication action for Load Balancer Monitor entries #4441
Upgraded DHCP Server and Relay to ISC dhcpd 4.3.3P1
Added statistics gathering for DHCP Server leases. #5387
Fixed DDNS key issues with DHCP and DHCPv6 Server enabled on multiple interfaces. #5603
Added custom ACLs for NTP (restrictions by network) #4463
Prevent starting of radvd in circumstances where it shouldn’t. #5812
Added description column to DHCP leases status screen. #5729
inetd replaced with xinetd (used for proxy mode NAT reflection and TFTP proxy). #5707
DHCP lease counters added to Status>DHCP Leases. #5186
Allow configuration of RAs when DHCPv6 Relay is enabled. #6063
Fixed DHCPv6 Server’s DDNS. #4675
DHCP Server menu item now defaults to the first interface with an enabled DHCP Server instance. #4647
Allow configuring DHCPv6 and RAs on track6 interfaces. #3029
Fixed RADIUS NAS IP in PPPoE server. #185
Deprecated ntpdate_sync_once.sh, replacing with ntpd -g. #6053
Fixed Unbound IPv6 link local handling. #4021
Added validation for advanced configuration directives in Unbound. #4411
Upgraded dnsmasq to 2.76.0test8 to fix crashes in 2.75. #5341
Fixed Unbound binding to IP alias virtual IPs. #5464
Changed Namecheap dynamic DNS to use separate hostname and domain name fields #4366
Added Multi-WAN support to RFC 2136 Dynamic DNS.
Added RFC 2136 support to the Dynamic DNS widget
Added input validation to prevent the same DNS server from being added multiple times on System > General #5915
Fixed CloudFlare dynamic DNS to not configure ‘proxiable’ and ‘proxied’ parameters. #6005
Fixed dnsmasq host overrides when both DNS Forwarder and Resolver are enabled. #5883
Added RFC 2136 dynamic DNS to dashboard widget. #5862
Added multi-WAN support to RFC 2136 dynamic DNS client. #5862
Don’t specify 127.0.0.0/8 IPs as forward-addr in Unbound configuration. #5750
Added input validation to require configured DNS servers before enabling Resolver’s forwarding mode. #4747
Added Google Domains DDNS support. #4322
Added DNS Made Easy DDNS support. #1258
Allow @ in Dynamic DNS hostnames. #3900
Improve IPv6 link local handling in DNS Resolver and Forwarder so it works across configuration restores and with HA config sync. #3802
Upgraded to strongSwan 5.4.0.
Fixed multiple possibilities for IPsec status hangs. #5520
Revised handling of IPsec reloading when strongswan.conf is changed. #4353
Fixed problems with the search domain in IPsec mobile clients. #4418
Added support for elliptic curve for IPsec on webconfigurator. #4683
Added input validation for authentication backend when using EAP-RADIUS with IKEv2 Mobile IPsec. #5219
Fixed unit display on IPsec status pages for time and data to be more human-friendly. #5364
Removed support for single DES from IPsec #5543 (3DES Remains)
Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead.
Changed IPsec ‘up’ commands to start in the backgound so they are non-blocking #5882
Disabled the strongSwan unity plugin by default, and improved the method used to disable the plugin #4178
Removed unnecessary and troublesome ‘pass out’ rules for mobile IPsec #5819
Fixed “no valid leases object found” log spam with IPsec dashboard widget. #5855
Fixed automatically added WAN rules (UDP 500, 4500, ESP) when using IPsec with IP aliases. #5500
Fixed IKEv2 to Cisco ASA resulting in traffic selector mismatch when initiated by traffic. #4719
Added “split connections” option to phase 1 for IKEv2 for interoperability with third party devices that do not support multiple traffic selectors on one child SA (Cisco ASA, others). #4704
Added dynamic AJAX update to status_ipsec.php. #6049
Changed the default behavior of the OpenVPN server to use topology subnet, not net30. #5526
Changed Client-Specific Overrides so they can be set to apply to specific servers rather than being globally set. #5526
Fixed OpenVPN Server validation of self-signed certificates with a depth of 2. #4329
Fixed overwriting of custom
/etc/dh-parameters.*on upgrade. #4816
Fixed invalid rules generated with some AVPair-defined ACLs. #5451
Improved display of server certificates on OpenVPN servers to help avoid users incorrectly picking user certificates for servers. #5602
Fixed OpenVPN client specification of auth-user-pass in shared key modes where it’s not valid. #5941
Fixed problems with OpenVPN and some use of special characters in the username or password. #4605
Fixed Captive Portal to support more than 120 VLAN interfaces. #4150
Added an option in Captive Portal for FreeRADIUS-friendly stop/start RADIUS accounting updates that solves problems with user session time limits. #2164
Fixed selection of RADIUS NAS IP with VIPs when editing Captive Portal zone. #5656
Fixed CODELQ scheduler defaults. #4692
Removed Layer 7 classification support from the traffic shaper #5508
Relaxed the shaper wizard interface validation when there are no interfaces with gateways selected #4524
Fixed traffic shaper failure with “bandwidth for q… higher than interface” in some edge cases. #5721
Allow wildcards in Certificate Subject Alternative Names. #3733
Removed the “Certificate Authority” option on the Certificates tab of the Cert Manager when creating a Certificate. To make a Certificate Authority, use the CAs tab instead. #5924
Adapted gitsync to new repo structure. #4999
Changed the packet capture output in the GUI so that when the protocol is set for CARP, tcpdump interprets it as CARP for more accurate output
Added pfsync protocol option to packet capture page. #5866
Added “GoTo line #” control to Diagnostics > Edit File
Corrected help in pfSsh.php to properly reflect how recording works
Fixed validation of playback file passed to pfSsh.php #5657
Fixed disabling of filter.log logging where local logging is disabled. #6018
Updated included software on licenses.php page. #5903
Internationalization improvements. #5777
Fixed use of IP aliases on Test Port page. #5185
Fixed key map, screen map and font selection in installer. #4387
Prevent deletion of certificates in use by packages. #4142
This section lists the changes contained in patch updates post-release.
The 2.3_1 update upgrades NTP to fix FreeBSD security advisory SA-16:16.ntp. The only change is upgrading ntpd from 4.2.8p6 to 4.2.8p7.