2.3.2 New Features and Changes

SSH Daemon


The ssh host keys were made more secure, and if a client remembers an older, weaker key, the ssh client may refuse to connect. Remove the older key and then make the ssh client learn the new key.

  • Changed sshd to use stronger Key Exchange algorithms and disabled some older, weaker algorithms. Clients may need to be updated to handle the new Key Exchange methods.

    Currently allowed Key Exchange Algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

  • Removed the ECDSA host key from the sshd configuration

  • Added ED25519 host key to the sshd configuration

  • Changed the list of available ciphers.

    Current allowed ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

  • Changed the list of available Message Authentication Code methods,

    Current MAC list: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com


  • Don’t allow applying changes on interface mismatch post-config restore until the reassignment is saved. #6613


  • Dashboard now has per-user configuration options, documented in User Manager. #6388

DHCP Server

  • Disabled dhcp-cache-threshold to avoid bug in ISC dhcpd 4.3.x omitting client-hostname from leases file, which makes dynamic hostname registration fail in some edge cases. #6589

  • Note that DDNS key must be HMAC-MD5. #6622

DHCP Relay

  • Imported fix for dhcrelay relaying requests on the interface where the target DHCP server resides. #6355

Dynamic DNS

  • Allow * for hostname with Namecheap. #6260


  • Fix “can’t assign requested address” during boot with track6 interfaces. #6317

  • Remove deprecated link options from GRE and gif. #6586, #6587

  • Obey “Reject leases from” when DHCP “Advanced options” is checked. #6595

  • Protect enclosed delimiters in DHCP client advanced configuration, so commas can be used there. #6548

  • Fix default route on PPPoE interfaces missing in some edge cases. #6495


  • strongSwan upgraded to 5.5.0.

  • Include aggressive in ipsec.conf where IKE mode auto is selected. #6513

Gateway Monitoring

  • Fixed “socket name too large” making gateway monitoring fail on long interface names and IPv6 addresses. #6505


  • Set pipe_slot_limit automatically to maximum configured qlimit value. #6553


  • Fixed no data periods being reported as 0, skewing averages. #6334

  • Fix tooltip showing as “none” for some values. #6044

  • Fix saving of some default configuration options. #6402

  • Fix X axis ticks not responding to resolution for custom time periods. #6464


  • Re-sync client specific configurations after save of OpenVPN server instances to ensure their settings reflect the current server configuration. #6139

Operating System

  • Fixed pf fragment states not being purged, triggering “PF frag entries limit reached”. #6499

  • Set core file location so they can’t end up in /var/run and exhaust its available space. #6510

  • Fixed “runtime went backwards” log spam in Hyper-V. #6446

  • Fixed traceroute6 hang with non-responding hop in path. #3069

  • Added symlink /var/run/dmesg.boot for vm-bhyve. #6573

  • Set net.isr.dispatch=direct on 32 bit systems with IPsec enabled to prevent crash when accessing services on the host itself via VPN. #4754

Router Advertisements

  • Added configuration fields for minimum and maximum router advertisement intervals and router lifetime. #6533


  • Fixed static routes with IPv6 link local target router to include interface scope. #6506

Rules / NAT

  • Fixed “PPPoE Clients” placeholder in rules and NAT, and ruleset error when using floating rules specifying PPPoE server. #6597

  • Fixed failure to load ruleset with URL Table aliases where empty file specified. #6181

  • Fixed TFTP proxy with xinetd. #6315


  • Fixed nanobsd upgrade failures where DNS Forwarder/Resolver not bound to localhost. #6557

Virtual IPs

  • Fixed performance problems with large numbers of virtual IPs. #6515

  • Fixed PHP memory exhaustion on CARP status page with large state tables. #6364

Web Interface

  • Added sorting to DHCP static mappings table. #6504

  • Fixed file upload of NTP leap seconds. #6590

  • Added IPv6 support to diag_dns.php. #6561

  • Added IPv6 support to filter logs reverse lookup. #6585

  • Package system - retain field data on input error. #6577

  • Fixed multiple IPv6 input validation issues allowing invalid IPv6 IPs. #6551, #6552

  • Fixed some DHCPv6 leases missing from GUI leases display. #6543

  • Fixed state killing for ‘in’ direction and states with translated destination. #6530, #6531

  • Restore input validation of captive portal zone names to prevent invalid XML. #6514

  • Replaced calendar date picker in the user manager with one that works in browsers other than Chrome and Opera. #6516

  • Restored proxy port field to OpenVPN client. #6372

  • Clarify description of ports aliases. #6523

  • Fixed translation output where gettext passed an empty string. #6394

  • Fixed speed selection for 9600 in NTP GPS configuration. #6416

  • Only allow IPv6 IPs on NPT screen. #6498

  • Add alias import support for networks and ports. #6582

  • Fixed sortable table header wrap oddities. #6074

  • Clean up Network Booting section of DHCP Server screen. #6050

  • Fix “UNKNOWN” links in package manager. #6617

  • Fix missing bandwidth field for traffic shaper CBQ queues. #6437


  • UPnP presentation URL and model number now configurable. #6002

User Manager

  • Prohibit admins from deleting their own accounts in the user manager. #6450


  • Added PHP shell sessions to enable and disable persistent CARP maintenance mode. “playback enablecarpmaint” and “playback disablecarpmaint”. #6560

  • Exposed serial console configuration for nanobsd VGA. #6291