2.3.1 New Features and Changes
Security/Errata
FreeBSD Security Advisories
- OpenVPN upgraded from 2.3.10 to 2.3.11. Fixes two potential security issues.
pfSense® Software Advisories
2.3.1 update 1 patches pfSense-SA-16_05.webgui.
Config Upgrade
Fixed config upgrade for CARP VIPs on gateway groups, GRE and gif for uniqid format. #6222
Fixed config upgrade for IP aliases with CARP IP parent. #6164
Correct OpenVPN topology config upgrade to retain 2.2.x and prior net30 topology. #6140
Correct and adjust apinger parameters to dpinger parameters automatically on upgrade. #6142
Gateways
OS / Backend
NanoBSD is now permanent read-write, to avoid issues with slow rw->ro mount times and systems getting stuck read-only mounted. #6184
Systems using a RAM disk for /var/ have their alias tables backed up and restored during bootup. #6189
Set console settings (serial configuration, password protection, etc.) post-upgrade. #6120
Ensure package repo is updated with latest metadata when checking for latest version. #6115
Display consistent firmware version on dashboard and in update checker. #6320
Correct description of update branch options. #6136
Prevent update checking failures from killing webGUI. #6177
Make pkg use configured proxy server settings where they exist. #6149
Web GUI
Fix row delete button on unsaved aliases, NTP, UPnP and other screens. #6101
Captive portal MAC passthrough credits waiting period box restored. #6290
Outbound NAT edit screen destination field alias auto-completion restored. #6287
Captive portal allowed IPs direction selection on edit fixed. #6267
Restored input validation on port forwards to prohibit IPv6. #6265
Restored input validation on firewall rules to prohibit IPv6 IPs in IPv4 rules and vice versa. #6211
Fixed PHP error on edit of PPP interfaces. #6264
Fixed radio button placement on gateways dashboard widget settings. #6259
Fixed display post-refresh of system information dashboard widget. #6251
Restored in/out bytes counters on Status>Interfaces. #6244
Correctly show and hide OpenVPN topology field as applicable. #6236 #6214
Correct voucher character set input validation. #6231
Disable background update checking on dashboard when update check is disabled. #6212
Restore input validation of IP address family and rule type, verifying IPv6 IPs with IPv6 rules, and IPv4 for IPv4 rules. #6218
Add validation of address family and protocol combinations on packet capture page. #6219
Add validation of IP aliases with CARP parent interfaces to ensure matching address family. #6218
Restore GET parameters on status_graph.php. #6192
Fixed PHP error on input validation failure with floating rules in some cases. #6175
Use CDATA for firewall rule separator descriptions so non-English characters work. #6174
Fix port forward edit destination field filling when virtual IPs configured. #6173
Fix load balancer monitor edit. #6171
Restore “none” in load balancer fall-back pool. #6170
Restore use of aliases in load balancer. #6169
Fix duplicate for load balancer pools and virtual servers. #6168
Restore description field on lagg edit page. #6163
Fix saving of bogons update frequency. #6162
Restore description field on captive portal IP passthrough. #6161
Fix saving of sticky connections timeout field. #6146
Show all restore areas in backup/restore screen. #6144
Fix moving of rule separator before saving. #6128
Use consistent up and down arrow formats on dashboard widgets. #6123
Fix typo on OpenVPN server description. #6102
Fix missing string on notification “mark as read” button. #6104
Fix firewall rule separator positioning with easy rule addition. #6105
Prevent closing of info box on monitoring page. #6106
Add custom date range option to monitoring page. Use infoblock on IPsec PSK screen. #6107
Fixed loss of “Do not NAT” enable on edit on outbound NAT. #6112
Correct label of 1:1 NAT edit screen. #6114
Add AJAX updates to NTP status page. #6117
Fix button spacing on Edit File and Command pages. #5995
Fix specification of port in DNS Resolver domain overrides. #6091
Fix moving of multiple items to bottom of list on firewall, NAT and IPsec screens. #6092
Fix setup wizard with only WAN assigned and using static IP. #6093
Remove logo from wizard since it’s now redundant. #6095
Fix gateway widget cut-off with 3 column dashboard. #6096
Fixed force update on RFC 2136 DDNS. https://redmine.pfsense.org/issues/6359
Fix reboot prompt when changing RAM disk setting and encountering an input error. #6349
Fix highlighted tab when editing IPsec mobile P1. #6341
Fix selection of configured speed and duplex on interface page. #6331
Fix division by zero in status_queues.php. #6329
Fix alignment issues in forms. #6327
Fix entry of CIDR range in host aliases for conversion to IPs. #6322
Allow use of # and ! again in DNS Forwarder domain overrides. #6310
Restored hostname infobox in menu bar. #6306
Fixed editing and deleting of additional DHCP pools. #6303
Fixed requests to diag_system_activity.php piling up on slow systems. #6166
Interfaces
Unset LAN DHCPv6/RA configuration if LAN interface is removed. #6152
IPsec
Fix starting of strongswan twice. #6160
DNS Resolver
Switched domain overrides from stub-zone to forward-zone so that domain overrides do not require the target server to provide recursion. #6065
Allow adding 0.0.0.0/0 to access lists. #6073
Added 100,000 and 200,000 options for Unbound cache limit. #6230
Fix Unbound startup where both DNS Forwarder and Resolver are enabled. #6354
DHCP Server
Hostnames now allowed for NTP servers. #6239
IPsec
Notifications
Captive Portal
OpenVPN
Prevent leading space in tunnel network configuration causing invalid configuration. #6198
User Manager
Package System
Other
Removed Lua support from nginx to avoid deprecating old CPUs lacking CMOV support. #6185
Added validation to console menu interface assignment to prevent creating duplicate VLANs. #6183
Blacklisted S.M.A.R.T. options with Hyper-V to prevent crash. #6147
Silence SSH host key log spam. #6143
Fix order of gateway and gateway group name in gateway down log message. #6134
Allow use of @ in hostname field for Namecheap DDNS. #6122
Fix console error where $nat_if_list isn’t an array. #6307
Include patch number in version display. #6309
Fix pw groupdel error in log during boot. #6352
Fixed stale xmlrpc.lock preventing config sync from functioning. #6328
Fixed failed chown on startup with /var as a RAM disk. #6131
Crash reporter now ignores warnings in release versions. #6178
Fixed crash reporter to show full PHP warnings in development versions. #6097
Update 1
2.3.1 update 1 (2.3.1_1) was released on May 25, 2016 with the following fixes/changes since 2.3.1-RELEASE.
Security issue pfSense-SA-16_05.webgui patched.
Lowered default LDAP timeout from 25 seconds to 5 seconds. #6367
Fixed handling of IPsec negotiation mode with IKE version set to auto. #6360
Increase PHP’s memory limit to 512 MB on 64-bit versions to better accommodate systems with a large number of active states. #6364
Set request_terminate_timeout the same as max_execution_time to prevent many possible circumstances of “504 gateway error” from occurring. #6396
Fix use of URL IP type aliases in firewall rules. #6403
Fix show/hide fields JavaScript in Chrome on macOS. #6401
Fixed save of “IPv6 over IPv4 Tunneling” address on System>Advanced, Networking. #6381
Update 2 through 4
These were internal-only versions that weren’t publicly released.
Update 5
2.3.1 update 5 (2.3.1_5) was released on June 16, 2016 with the following fixes/changes since 2.3.1_1.
Fixed command injection vulnerability in auth.inc via User Manager. #6475
Fixed command injection vulnerability in pkg_mgr_install.php id parameter. #6474
Upgraded PHP to 5.6.22.
Fixed Captive Portal redirect hangs caused by longer keepalive_timeout in nginx. #6421
Fixed DDNS PTR zone in dhcpd.conf with third octet of 0. #6413
Fixed save and reset buttons on load balancer status page. #6254
Fixed schedule editing on firewall rules page. #6428
Allow “-” character in TFTP server field on DHCP Server page. #6433
Allow “-” and “_” characters in system tunables. #6438
Fixed changing of link type on PPPs edit screen. #6439
Fixed setting of “RADIUS issued IPs” on L2TP page. #6440
Restored apply changes button for interface mismatch post-config restore. #6460
Fixed display of Outbound NAT port aliases. #6463
Fixed schedule edit allowing invalid time range. #6468