Netgate Documentation
2.3.3 New Features and Changes
Security / Errata
Updated to FreeBSD 10.3-RELEASE-p16
FreeBSD Security Advisories
FreeBSD Errata Notices
pfSense Advisories
  pfSense-SA-17_01.webgui: Fixed validation and encoding on Captive Portal status pages #7019
  pfSense-SA-17_02.webgui: Fixed update_config_field() in wizard.php so it does not pass user input through eval() #7230
  pfSense-SA-17_03.webgui:
    Added encoding for ‘from’ and ‘to’ before output on pkg_mgr_install.php #7225
    Added encoding for the contents of pkg_filter before output #7227
    Converted easyrule.php to use a confirmation landing page so that the parameters can be submitted via POST #7228
Updated numerous third-party libraries and supporting programs
Changed behavior of fsck during bootup to improve filesystem stability #6340
Added protection to /etc/ttys to prevent corruption or missing lines
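The pfSense-SA-17_02 item above concerns a wizard routine that built a PHP expression from a user-supplied field name and ran it through eval(). The following is an added illustration of that class of defect and its remedy; it is example code, not pfSense's own wizard.php. The function names update_config_field_unsafe() and update_config_field(), the "->" path syntax and the sample $config array are assumptions made for the example.

```php
<?php
// Added example, not pfSense code. Shows why passing a user-controlled
// field name through eval() is dangerous, and the array-walking
// alternative that removes eval() entirely.

// Unsafe pattern (for comparison only): the field path supplied by the
// user becomes part of PHP source text that is then evaluated. Any
// character the user controls is interpreted as code, not as data.
function update_config_field_unsafe(&$config, $field, $value) {
    $expr = '$config';
    foreach (explode('->', $field) as $key) {
        $expr .= "['" . $key . "']";
    }
    $expr .= ' = $value;';
    eval($expr); // user input reaches the PHP parser here
}

// Hardened form: every path component is checked against a strict
// allow-list pattern, and the nested array is walked by reference.
// No source text is constructed, so the input can never become code.
function update_config_field(&$config, $field, $value) {
    $node =& $config;
    foreach (explode('->', $field) as $key) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $key)) {
            throw new InvalidArgumentException(
                "Invalid configuration field name: " . $key);
        }
        if (!isset($node[$key]) || !is_array($node[$key])) {
            $node[$key] = array();
        }
        $node =& $node[$key];
    }
    $node = $value;
}

// Constructed sample configuration for the demonstration (an assumption,
// not the real pfSense config.xml layout).
$config = array('system' => array('hostname' => 'pfsense'));

update_config_field($config, 'system->hostname', 'fw1');
update_config_field($config, 'interfaces->wan->ipaddr', 'dhcp');
echo "hostname: ", $config['system']['hostname'], "\n";
echo "wan ipaddr: ", $config['interfaces']['wan']['ipaddr'], "\n";

// A field name with characters outside the allow-list is rejected
// rather than interpreted.
try {
    update_config_field($config, 'system->host name;', 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The allow-list on each path component is what does the work: the hardened setter never concatenates user input into code, so the set of reachable configuration keys is bounded by the regular expression rather than by whatever the PHP parser accepts.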
Known Issues
The Captive Portal Disconnect All Users button does not fully disconnect all users PR#3565
RFC 2136 Dynamic DNS entries will show red on the Dashboard widget even when correctly updated #7290
If an OpenVPN server set for SSL/TLS+User Auth contains a single user certificate shared between multiple users with different usernames, the Duplicate Connections option must be enabled on the server. In this situation, each user must have their own unique certificate, or the certificate requirement should be removed (User Auth only). As this configuration is neither valid nor a recommended practice, this issue is not considered a bug. When this condition is present, only a single user can connect; additional users may see a client log entry such as “CreateIpForwardEntry: The object already exists”.
Firewall rules without an IP protocol set in the configuration which also have an ICMP type set may not load or display correctly #7299 #7300
General Info
Added Packages: tinc, cellular, LCDproc, TFTP Server
Fixed numerous typos and wording issues
Added marking for required fields on various pages #7083
Input validation fixes on various pages
Cleaned up some unneeded files/pages/functions
Fixed broken/outdated links
OpenVPN
Changed OpenVPN RADIUS authentication to send proper NAS-Port-Type, NAS-Port, and NAS-Identifier values #6609
Added compression option to handle connecting to OpenVPN peers which do not have LZO compiled into their OpenVPN executable #6739
Added a workaround to block outside DNS on Windows 10 OpenVPN clients to prevent DNS leaks #6719
Improved OpenVPN server handling when using CARP VIPs in Gateway Groups
Improved handling of chained/intermediate CAs in OpenVPN #2800
Changed OpenVPN widget so it updates dynamically #6723
Adapted the encryption cipher list to the new output format in OpenVPN 2.3.12; it now also displays key and block lengths #6849
Changed OpenVPN server list to display more information
Improved error message to explicitly state allowable characters for certificate fields in the OpenVPN wizard #6432
Fixed handling of OpenVPN authentication when the backend server name contains special characters (e.g. ‘&’) #7002
Fixed saving an OpenVPN instance on a DHCP interface that does not currently have an IP address #7031
Added an IPv6 Tunnel Network field to OpenVPN Client-Specific Overrides #7053
Fixed changing between tun and tap mode for OpenVPN Clients
Changed OpenVPN startup to avoid overwriting its configuration, and to wait for its PID file to be written
Fixed OpenVPN binding to an IP Alias VIP #7136
Fixed display of disabled OpenVPN clients #7180
Fixed handling of “redirect-gateway” in Client-Specific Overrides #6633
IPsec
Clarified IPsec Key Exchange Version drop-down to specify IKEv1/IKEv2 #6898
Fixed handling of static routes for IPsec peers on tunnels bound to IP Alias VIPs with CARP parents
Fixed MSS clamping for mobile IPsec clients #7005
Added IPsec to the State Table interface list
Interfaces
Fixed handling of LAGG MTU when child QinQ interfaces are present #6227
Improved behavior when using DHCP before RA #5993
Added the ability to send a DHCP Release from Status > Interfaces, rather than only stopping dhclient
Fixed issues adding/editing QinQ entries
Fixed input validation of QinQ entries
Fixed validation to prevent an interface, interface group, and alias from using the same name #6976
Updated interface group name validation rules to match limits of the operating system
Prevented interface group names, interface names, and aliases from starting with pkg_ to reserve it for package use (e.g. tinc) #7173
Added validation to prevent Interface Group Names from containing a dash #7173
Added validation to prevent Interface Groups from being renamed to an existing name #7183
Fixed issues with Interface Statistics widget display #7134
Fixes for interfaces_ppps_edit.php to fix MTU validation, interface friendly names, and advanced options expansion
Changed linkup event handling to ignore events for interfaces that are members of bridges which have no IP address configured
Fixed input validation for L2TP and PPTP WAN type interfaces #6732
Added validation to prevent adding duplicate gateways from the Interface configuration page
Fixed handling of IPv6 checksum options for “Disable hardware checksum offload” #5321
Fixed handling of the confirmation dialog when deleting a VLAN #6916
Fixed handling of wireless MAC address spoofing
Fixed wireless channel changing #6833
Improved labels and help text for IPv6 tunneling options
Added the ability for an L2TP or PPTP WAN to use a hostname for the remote gateway #6899
Certificate Management
Added missing recommended key lengths and digests to certificate manager
Fixed CRL editing so that certificates already contained in the CRL are not displayed
Users / Authentication / Privileges
Fixed SSH Keyboard-Interactive authentication #6963
Added STARTTLS to LDAP Authentication Server Configuration
Improved WebGUI usability when a remote LDAP server is not available
Fixed issues with local_sync_accounts failing during boot when using an LDAP server on a non-local network or hostname #6857
Fixed port build options for scponly #7012
Fixed notifications so that the Mark All as Read button is not shown to users who do not have sufficient privileges to use it #3454
Added privileges to control display of notices #7051
Standardized privilege name capitalization
Fixed issues with low-privilege users accessing Help pages #7139 #7140
Added a privilege for UPnP & NAT-PMP configuration #7141
Simplified tcsh prompt and changed the prompt so it respects default terminal colors
Firewall / Rules / NAT / Aliases / States
Fixed restoring rule type selection after input errors while saving firewall rules
Fixed a copy/paste error in a variable test when validating firewall rule ports
Corrected the descriptions and behavior of the Adaptive Start and Adaptive End settings for firewall state handling
Fixed display of the number of states in the Firewall Rules page
Moved “Any” to top of protocol list in firewall rules
Fixed issues with hidden fields on firewall_rules_edit.php #7057
Fixed issues with moving rules that required scrolling while dragging #6895
Enhanced ICMP type handling in rules
Fixed issues when hovering the mouse pointer over aliases on disabled rules making the hint difficult to read #6448
Fixed handling of firewall rule separators when a NAT associated rule is deleted #6676
Added field to specify source-hash key for outbound NAT rules
Fixed issues with Firewall > NAT > Edit forgetting destination type selection when input errors occur #6224
Removed “self” as a destination from NAT 1:1 rules
Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
Fixed 1:1 NAT address family validation #6927
Fixed problems with nested aliases containing FQDNs #6982
Changed the Status > Filter Reload page so it shows the entire filter reload progress, rather than only the last state #6931
Fixed labels on diag_states_summary.php #6711
Fixed initial state of confirmation checkboxes on diag_resetstate.php
Changed Diag > States so it can optionally require a filter before displaying states, to improve handling with large state tables #7069
Traffic Shaping
Added Chelsio network cards (cxl) to the list of drivers that are capable of using ALTQ #6830
Fixed the traffic shaper wizard so it uses whole numbers instead of decimals #6779
HA / CARP
Fixed issues when XMLRPC synchronizes IP Alias type Virtual IP addresses bound to Localhost #7010
Fixed a bug where the CARP VIP status was incorrect when the interface has more than one CARP VIP
DHCP/DHCPv6 Server / Router Advertisements
Updated the ISC DHCP Daemon to fix issues with missing hostnames in leases, and removed workarounds that are no longer needed #6840
Fixed reversed behavior of “Change DHCPv6 display lease time from UTC to local time” #6640
Fixed incorrect index for edit action on DHCP Leases #7233
Added an option to force a Dynamic DNS hostname in DHCP/DHCP6 Server settings
Changed DHCP lease times to always display in 24-hour clock format
Added an option to allow BOOTP to be specifically disabled in the DHCP Server settings #4351
Fixed validation to allow URLs for TFTP Server in DHCP Server settings #6634
Improved dhcpd and dhcpleases reload handling
Fixed DHCP NTP Server form validation to allow hyphens #6806
Fixed restore of DHCP6 leases on full install when using MFS /var
Fixed a problem with the DHCP range being reset if the Setup Wizard was re-run when a custom DHCP range already exists #4820
Fixed issues with DHCP traffic being blocked with DHCP Relay enabled #6996
Changed the DHCP/DHCPv6 server GUI so it can be configured (but not run) while DHCP Relay is enabled #6997
Added Client ID to DHCP Leases display, if present
Added Client ID to DHCP Mapping list, if present
Disabled DHCP server on interfaces with subnet >= 31 #6930
Changed DHCP6 client to allow a prefix size of /59
Changed DHCP6 server to allow a prefix size of /59 and /61
Added new “Ignore client identifiers” option to DHCP Server
Fixed handling of DNS entries for IPv6 static mappings when using delegated prefixes #6768
Improved the help text for Router Advertisement configuration #6889
DNS / Resolver / Forwarder
Allow a variable number of DNS servers #5549
Changed interface boxes in the DNS Resolver so they can be resized
Fixed sorting of DNS Forwarder hosts and domains in config.xml #6903
Fixed DNS Resolver (unbound) logging after clearing logs #6915
Added support for “deny_non_local” and “refuse_non_local” ACLs in the DNS Resolver #6914
Fixed DNS Server Gateway validation
Changed behavior of DNS Resolver overrides to only add FQDN entries, not short hostnames #6064
Fixed issues with DNS Resolver Host Overrides not being updated properly #6712
NTP / GPS
Fixed display of Prefer/No Select checkboxes being invisible when adding entries in NTP Server settings #6788
Fixed handling of NTP IPv6 restrict clauses
Fixed setting default NTP access restrictions when there are no custom restrictions #6454
Fixed NTP status widget IPv6 address handling so addresses are not truncated #4815
Fixed the NTP Orphan Mode stratum field #7034
Fixed issues with NTP GPS status
Fixed a case that could result in an empty ‘restrict’ line in the NTP configuration #7110
Added a limit for NTP time source fields so they cannot exceed the maximum number saved to configuration #7164
Fixed display and behavior issues with NTP ACLs #6984
Improved parsing of GPS initialization and output, and added support for more GPS output formats and extended status
Added an autocorrect tool for checksums on GPS initialization commands #7159
Captive Portal
Changed Captive Portal MACs page to be sortable #6786
Fixed handling of Captive Portal user bandwidth set to 0 #6872
Changed Captive Portal to send “Admin Reset” as termination cause when disconnecting a user from the WebGUI
Added option to Captive Portal to include idle time in total session time
Fixed bandwidth limitation settings in Captive Portal MAC passthrough
Fixed links to view current Captive Portal page for all interfaces #6391
Converted Captive Portal active sessions to a sortable table
Added code to hide the client MAC address column in Captive Portal status when MAC filtering is disabled, rather than displaying an empty column
Added popup with session details to the Captive Portal active sessions list on the status page
Added button to disconnect all Captive Portal users
Worked around race condition between captiveportal_disconnect_all() and captiveportal_prune_old()
Added locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all()
Reworked logging and RADIUS accounting when disabling a Captive Portal zone or rebooting
Increased speed of captiveportal_disconnect_all()
Dynamic DNS
Added the ability to change the URL queried by Dynamic DNS entries to check the external IP address (Services > Dynamic DNS, Check IP Services tab) #6591
Added support for All-Inkl Dynamic DNS provider
Added support for duiadns.net Dynamic DNS provider
Added support for CloudFlare Proxy to Dynamic DNS
Added Cloudflare Dynamic DNS IPv6 support #6623
Fixed status checking on Dynamic DNS (RFC2136); updates were always considered successful even on failure #6357
Fixed handling of multiple RFC2136 entries #6153
Fixed links in RFC2136 entries in the Dynamic DNS widget #7126
Fixed HTTP header processing for Dynamic DNS updates
Fixed handling of custom IPv6 Dynamic DNS in the widget #6922
Changed Cloudflare and Gratis plus Dynamic DNS to store passwords in base64
Updated Route 53 Dynamic DNS to fix several reported issues #3973 #6751 #5054
Fixed handling of ZoneEdit Dynamic DNS when used with a CARP VIP #6992
Removed excess loops from the Dynamic DNS Widget
Gateways / Routing
Added the ability to disable gateway monitoring actions without disabling gateway monitoring #3151
Changed gateway notifications to notify by email and syslog when a gateway goes up or down
Improved gateway notification mechanisms
Fixed handling of deleting or disabling static default gateways so they are properly removed from the routing table #6659
Fixed L2TP WAN dynamic gateway naming #6980
Fixed status display for unmonitored gateways
Fixed static blackhole route handling
Fixed handling of long hostnames on Diagnostics > Routes #6869
Corrected behavior of disabled static routes #3560
Created a PHP Shell playback script to view the gateway status from the shell and status output #7046
Notifications
Fixed SMTP settings test so it properly displays results
Fixed validation of secure SMTP Connection Modes (SSL/TLS and STARTTLS are mutually exclusive)
Removed validation of password mismatches when SMTP or Growl notifications are disabled #7129
Changed format of file_notice() alerts in webgui for easier reading
Graphs / Monitoring
Changed traffic graphs to use d3.js (Dashboard and Status > Traffic Graphs)
Moved export button to heading for Status > Monitoring page
Moved graph labels so long hostnames do not overlap as easily #6138
Improved error checking in case JSON isn’t returned when building graphs #6748
Added a missing RRD step value to lookup table #6860
Added support for multiple views in Status > Monitoring graphs (adds tab shortcuts to different graph views)
Added a per-view “Refresh Interval” option to Status > Monitoring graphs
Fixed null acronyms and axis label for queues/queuedrops graph in Status > Monitoring
Enabled Area and Bar graph types for Status > Monitoring graphs
WebGUI
Added an option to allow display of the firewall hostname on the login page
Added filtering to widgets where appropriate
Standardized PHP memory limit configuration
Fixed formatting issues with the Installed Packages widget #6601
Improved Compact-RED theme
Changed service running/stopped icons
Fixed issues with JavaScript confirmation prompts missing words (e.g. “Are you sure you wish to?”) #6972
Fixed issues with packages that toggle visibility of advanced options areas #7100
Removed the crash reporter link from the dashboard when a user does not have crash_reporter page access #7043
Fixed display of Package installation message #7226
Fixed “” tag processing in package XML handling
Fixed inconsistent handling of empty/null configuration settings in config.xml #6893
Logging
Increased filtering tail limit for logging to ensure enough entries will be displayed #6652
Added a means for packages to request a syslogd socket inside a chroot environment #4898
Added BIND logging to proper facility #5524
Improved handling of the TFTP Proxy/xinetd process when it is disabled, to reduce log messages #6308
Misc
Updated simplepie (RSS parsing library) to 1.4.3
Fixed storing of IPv6 addresses so they are always saved in lower case #6864
Fixed bsnmpd “printcap” log errors #6838
Fixed a foreach error when restoring a configuration without packages
Fixed handling of signal traps in the console menu #6741
Fixed “Goto line #” action on diag_edit.php so pressing the enter key also activates the function
Changed the PHP Execute feature of Diagnostics > Command so that it does not generate a crash report from a syntax error #6702
Added enable link to Status > UPnP & NAT-PMP error message if disabled #6689
Changed the time zone help text to clarify and warn against the use of the Etc time zones that use POSIX style signs, which are the opposite of what most users expect #7089
Added validation to prevent duplicate Wake on LAN entries
Fixed permissions on /var/tmp when /var is a RAM disk #7120
Added a fallback for get_pkg_info() to use pkg info if there is no local copy of the repository catalog
Removed spurious output from the PHP Shell executable when running a playback script from a command prompt #7045
Updated status.php with new info and changed its output organization #7246