2.3.1 New Features and Changes

Security/Errata

Config Upgrade

  • Fixed config upgrade for CARP VIPs on gateway groups, GRE and gif for uniqid format. #6222

  • Fixed config upgrade for IP aliases with CARP IP parent. #6164

  • Correct OpenVPN topology config upgrade to retain 2.2.x and prior net30 topology. #6140

  • Correct and adjust apinger parameters to dpinger parameters automatically on upgrade. #6142

Gateways

  • Fix static route for IPv6 monitor IP with link-local gateway. #6353

  • Fix default gateway switching with IPv6 and link-local gateways. #6258

OS / Backend

  • NanoBSD is now permanent read-write, to avoid issues with slow rw->ro mount times and systems getting stuck read-only mounted. #6184

  • Systems using a RAM disk for /var/ have their alias tables backed up and restored during bootup. #6189

  • Set console settings (serial configuration, password protection, etc.) post-upgrade. #6120

  • Ensure package repo is updated with latest metadata when checking for latest version. #6115

  • Display consistent firmware version on dashboard and in update checker. #6320

  • Correct description of update branch options. #6136

  • Prevent update checking failures from killing webGUI. #6177

  • Make pkg use configured proxy server settings where they exist. #6149

Web GUI

  • Fix row delete button on unsaved aliases, NTP, UPnP and other screens. #6101

  • Captive portal MAC passthrough credits waiting period box restored. #6290

  • Outbound NAT edit screen destination field alias auto-completion restored. #6287

  • Captive portal allowed IPs direction selection on edit fixed. #6267

  • Restored input validation on port forwards to prohibit IPv6. #6265

  • Restored input validation on firewall rules to prohibit IPv6 IPs in IPv4 rules and vice versa. #6211

  • Fixed PHP error on edit of PPP interfaces. #6264

  • Fixed radio button placement on gateways dashboard widget settings. #6259

  • Fixed display post-refresh of system information dashboard widget. #6251

  • Restored in/out bytes counters on Status>Interfaces. #6244

  • Correctly show and hide OpenVPN topology field as applicable. #6236 #6214

  • Correct voucher character set input validation. #6231

  • Disable background update checking when dashboard update check is disabled. #6212

  • Restore input validation of IP address family and rule type, verifying IPv6 IPs with IPv6 rules, and IPv4 for IPv4 rules. #6218

  • Add validation of address family and protocol combinations on packet capture page. #6219

  • Add validation of IP aliases with CARP parent interfaces to ensure matching address family. #6218

  • Restore GET parameters on status_graph.php. #6192

  • Fixed PHP error on input validation failure with floating rules in some cases. #6175

  • Use CDATA for firewall rule separator descriptions so non-English characters work. #6174

  • Fix port forward edit destination field filling when virtual IPs configured. #6173

  • Fix load balancer monitor edit. #6171

  • Restore “none” in load balancer fall-back pool. #6170

  • Restore use of aliases in load balancer. #6169

  • Fix duplicate for load balancer pools and virtual servers. #6168

  • Restore description field on lagg edit page. #6163

  • Fix saving of bogons update frequency. #6162

  • Restore description field on captive portal IP passthrough. #6161

  • Fix saving of sticky connections timeout field. #6146

  • Show all restore areas in backup/restore screen. #6144

  • Fix moving of rule separator before saving. #6128

  • Use consistent up and down arrow formats on dashboard widgets. #6123

  • Fix typo on OpenVPN server description. #6102

  • Fix missing string on notification “mark as read” button. #6104

  • Fix firewall rule separator positioning with easy rule addition. #6105

  • Prevent closing of info box on monitoring page. #6106

  • Add custom date range option to monitoring page. Use infoblock on IPsec PSK screen. #6107

  • Fixed loss of “Do not NAT” enable on edit on outbound NAT. #6112

  • Correct label of 1:1 NAT edit screen. #6114

  • Add AJAX updates to NTP status page. #6117

  • Fix button spacing on Edit File and Command pages. #5995

  • Fix specification of port in DNS Resolver domain overrides. #6091

  • Fix moving of multiple items to bottom of list on firewall, NAT and IPsec screens. #6092

  • Fix setup wizard with only WAN assigned and using static IP. #6093

  • Remove logo from wizard since it’s now redundant. #6095

  • Fix gateway widget cut-off with 3 column dashboard. #6096

  • Fixed force update on RFC 2136 DDNS. https://redmine.pfsense.org/issues/6359

  • Fix reboot prompt when changing RAM disk setting and encountering an input error. #6349

  • Fix highlighted tab when editing IPsec mobile P1. #6341

  • Fix selection of configured speed and duplex on interface page. #6331

  • Fix division by zero in status_queues.php. #6329

  • Fix alignment issues in forms. #6327

  • Fix entry of CIDR range in host aliases for conversion to IPs. #6322

  • Allow use of # and ! again in DNS Forwarder domain overrides. #6310

  • Restored hostname infobox in menu bar. #6306

  • Fixed editing and deleting of additional DHCP pools. #6303

  • Fixed requests to diag_system_activity.php piling up on slow systems. #6166

Interfaces

  • Unset LAN DHCPv6/RA configuration if LAN interface is removed. #6152

IPsec

  • Fix starting of strongswan twice. #6160

DNS Resolver

  • Switched domain overrides from stub-zone to forward-zone so domain overrides don’t require the target server provide recursion. #6065

  • Allow adding 0.0.0.0/0 to access lists. #6073

  • Added 100,000 and 200,000 options for Unbound cache limit. #6230

  • Fix Unbound startup where both DNS Forwarder and Resolver are enabled. #6354

DHCP Server

  • Hostnames now allowed for NTP servers. #6239

IPsec

  • Fixed LAN interfaces stopping functioning when IPsec is in use. #6296

  • Mobile PSK matching issue with multiple PSKs fixed. #6286

  • leftsendcert=always specified for all RSA types. #6082

  • rc.newipsecdns fixed to check correct enabled status. #6351

Notifications

  • Fixed growl notifications to unresolvable hostname generating crash report. #6187

  • Fixed growl notification test with no password. #6221

Captive Portal

  • Fixed error when handling a captive portal username containing a single quote. #6203

  • Fixed issues with mixed-case zone names. #6278

OpenVPN

  • Prevent leading space in tunnel network configuration causing invalid configuration. #6198

User Manager

  • Fix RADIUS login with attribute class (25) when the server returns multiple attribute entries with different data. #6086

  • Honor deny config write for RADIUS users. #6088

Package System

  • Uninstall all packages pre-upgrade from <= 2.2.x to 2.3 to avoid problems from old packages. Reinstall them post-upgrade. #6137

  • Fix reinstall of renamed packages post-upgrade to 2.3. #6118

  • Fix package reinstallation getting stuck in loop when there is no Internet connectivity post-upgrade. #6180

Other

  • Removed Lua support from nginx to avoid deprecating old CPUs lacking CMOV support. #6185

  • Added validation to console menu interface assignment to prevent creating duplicate VLANs. #6183

  • Blacklisted S.M.A.R.T. options with Hyper-V to prevent crash. #6147

  • Silence SSH host key log spam. #6143

  • Fix order of gateway and gateway group name in gateway down log message. #6134

  • Allow use of @ in hostname field for Namecheap DDNS. #6122

  • Fix console error where $nat_if_list isn’t an array. #6307

  • Include patch number in version display. #6309

  • Fix pw groupdel error in log during boot. #6352

  • Fixed stale xmlrpc.lock preventing config sync from functioning. #6328

  • Fixed failed chown on startup with /var as a RAM disk. #6131

  • Crash reporter now ignores warnings in release versions. #6178

  • Fixed crash reporter to show full PHP warnings in development versions. #6097

Update 1

2.3.1 update 1 (2.3.1_1) was released on May 25, 2016 with the following fixes/changes since 2.3.1-RELEASE.

  • Security issue pfSense-SA-16_05.webgui patched.

  • Lowered default LDAP timeout from 25 seconds to 5 seconds. #6367

  • Fixed handling of IPsec negotiation mode with IKE version set to auto. #6360

  • Increase PHP’s memory limit to 512 MB on 64-bit versions to better accommodate systems with a large number of active states. #6364

  • Set request_terminate_timeout the same as max_execution_time to prevent many possible circumstances of “504 gateway error” from occurring. #6396

  • Fix use of URL IP type aliases in firewall rules. #6403

  • Fix show/hide fields JavaScript in Chrome on macOS. #6401

  • Fixed save of “IPv6 over IPv4 Tunneling” address on System>Advanced, Networking. #6381

Update 2 through 4

These were internal-only versions that weren’t publicly released.

Update 5

2.3.1 update 5 (2.3.1_5) was released on June 16, 2016 with the following fixes/changes since 2.3.1_1.

  • Fixed command injection vulnerability in auth.inc via User Manager. #6475

  • Fixed command injection vulnerability in pkg_mgr_install.php id parameter. #6474

  • Upgraded PHP to 5.6.22

  • Fixed Captive Portal redirect hangs caused by longer keepalive_timeout in nginx. #6421

  • Fixed DDNS PTR zone in dhcpd.conf with third octet of 0. #6413

  • Fixed save and reset buttons on load balancer status page. #6254

  • Fixed schedule editing on firewall rules page. #6428

  • Allow “-” character in TFTP server field on DHCP Server page. #6433

  • Allow “-” and “_” characters in system tunables. #6438

  • Fixed changing of link type on PPPs edit screen. #6439

  • Fixed setting of “RADIUS issued IPs” on L2TP page. #6440

  • Restored apply changes button for interface mismatch post-config restore. #6460

  • Fixed display of Outbound NAT port aliases. #6463

  • Fixed schedule edit allowing invalid time range. #6468