
2.3.3 New Features and Changes

Security / Errata

Known Issues

  • The Captive Portal Disconnect All Users button does not fully disconnect all users PR#3565

  • RFC 2136 Dynamic DNS Entries will show red on the Dashboard widget even when correctly updated #7290

  • If an OpenVPN server set for SSL/TLS+User Auth contains a single user certificate shared between multiple users with different usernames, the Duplicate Connections option must be enabled on the server. In this situation, each user must have their own unique certificate, or the certificate requirement should be removed (User Auth only). As this configuration is neither valid nor a recommended practice, this issue is not considered a bug. When this condition is present, only a single user can connect; additional users may see a client log entry such as “CreateIpForwardEntry: The object already exists”.

  • Firewall rules without an IP protocol set in the configuration which also have an ICMP type set may not load or display correctly. #7299 #7300

General Info

  • Added Packages: tinc, cellular, LCDproc, TFTP Server

  • Fixed numerous typos and wording issues

  • Added marking for required fields on various pages #7083

  • Input validation fixes on various pages

  • Cleaned up some unneeded files/pages/functions

  • Fixed broken/outdated links


  • Changed OpenVPN RADIUS authentication to send proper NAS-Port-Type, NAS-Port, and NAS-Identifier values #6609

  • Added compression option to handle connecting to OpenVPN peers which do not have LZO compiled into their OpenVPN executable #6739

  • Added a workaround to block outside DNS on Windows 10 OpenVPN clients to prevent DNS leaks #6719

  • Improved OpenVPN server handling when using CARP VIPs in Gateway Groups

  • Improved handling of chained/intermediate CAs in OpenVPN #2800

  • Changed OpenVPN widget so it updates dynamically #6723

  • Adapted the encryption cipher list to the new output format in OpenVPN 2.3.12, also now displays key and block lengths #6849

  • Changed OpenVPN server list to display more information

  • Improved error message to explicitly state allowable characters for certificate fields in the OpenVPN wizard #6432

  • Fixed handling of OpenVPN authentication when the backend server name contains special characters (e.g. ‘&’) #7002

  • Fixed saving an OpenVPN instance on a DHCP interface that does not currently have an IP address #7031

  • Added an IPv6 Tunnel Network field to OpenVPN Client-Specific Overrides #7053

  • Fixed changing between tun and tap mode for OpenVPN Clients

  • Changed OpenVPN startup to avoid overwriting its configuration, and to wait for its PID file to be written

  • Fixed OpenVPN binding to an IP Alias VIP #7136

  • Fixed display of disabled OpenVPN clients #7180

  • Fixed handling of “redirect-gateway” in Client-Specific Overrides #6633


  • Clarified IPsec Key Exchange Version drop-down to specify IKEv1/IKEv2 #6898

  • Fixed handling of static routes for IPsec peers on tunnels bound to IP Aliases VIPs with CARP parents

  • Fixed MSS clamping for mobile IPsec clients #7005

  • Added IPsec to the State Table interface list


  • Fixed handling of LAGG MTU when child QinQ interfaces are present #6227

  • Improved behavior when using DHCP before RA #5993

  • Added the ability to send a DHCP Release from Status > Interfaces, rather than only stopping dhclient

  • Fixed issues adding/editing QinQ entries

  • Fixed input validation of QinQ entries

  • Fixed validation to prevent an interface, interface group, and alias from using the same name #6976

  • Updated interface group name validation rules to match limits of the operating system

  • Prevented interface group names, interface names, and aliases from starting with pkg_ to reserve it for packages use (e.g. tinc) #7173

  • Added validation to prevent Interface Group Names from containing a dash #7173

  • Added validation to prevent Interface Groups from being renamed to an existing name #7183

  • Fixed issues with Interface Statistics widget display #7134

  • Fixed MTU validation, interface friendly names, and advanced options expansion on interfaces_ppps_edit.php

  • Changed linkup event handling to ignore events for interfaces that are members of bridges which have no IP address configured

  • Fixed input validation for L2TP and PPTP WAN type interfaces #6732

  • Added validation to prevent adding duplicate gateways from the Interface configuration page

  • Fixed handling of IPv6 checksum options for “Disable hardware checksum offload” #5321

  • Fixed handling of the confirmation dialog when deleting a VLAN #6916

  • Fixed handling of wireless MAC address spoofing

  • Fixed wireless channel changing #6833

  • Improved labels and help text for IPv6 tunneling options

  • Added the ability for an L2TP or PPTP WAN to use a hostname for the remote gateway #6899

Certificate Management

  • Added missing recommended key lengths and digests to certificate manager

  • Fixed CRL editing so that certificates already contained in the CRL are not displayed

Users / Authentication / Privileges

  • Fixed SSH Keyboard-Interactive authentication #6963

  • Added STARTTLS to LDAP Authentication Server Configuration

  • Improved WebGUI usability when a remote LDAP server is not available

  • Fixed issues with local_sync_accounts failing during boot when using an LDAP server on a non-local network or hostname #6857

  • Fixed port build options for scponly #7012

  • Fixed notifications so that the Mark All as Read button is not shown to users who do not have sufficient privileges to use it #3454

  • Added privileges to control display of notices #7051

  • Standardized privilege name capitalization

  • Fixed issues with low-privilege users accessing Help pages #7139 #7140

  • Added a privilege for UPnP & NAT-PMP configuration #7141

  • Simplified tcsh prompt and changed the prompt so it respects default terminal colors

Firewall / Rules / NAT / Aliases / States

  • Fixed restoring rule type selection after input errors while saving firewall rules

  • Fixed a copy/paste error in variable test when validating firewall rule ports.

  • Corrected the descriptions and behavior of the Adaptive Start and Adaptive End settings for firewall state handling

  • Fixed display of the number of states in the Firewall Rules page

  • Moved “Any” to top of protocol list in firewall rules

  • Fixed issues with hidden fields on firewall_rules_edit.php #7057

  • Fixed issues with moving rules that required scrolling while dragging #6895

  • Enhanced ICMP type handling in rules

  • Fixed issues when hovering the mouse pointer over aliases on disabled rules making the hint difficult to read #6448

  • Fixed handling of firewall rule separators when a NAT associated rule is deleted #6676

  • Added field to specify source-hash key for outbound NAT rules

  • Fixed issues with Firewall > NAT > Edit forgetting destination type selection when input errors occur #6224

  • Removed “self” as a destination from NAT 1:1 rules

  • Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472

  • Fixed 1:1 NAT address family validation #6927

  • Fixed problems with nested aliases containing FQDNs #6982

  • Changed the Status > Filter Reload page so it shows the entire filter reload progress, rather than only the last state #6931

  • Fixed labels on diag_states_summary.php #6711

  • Fixed initial state of confirmation checkboxes on diag_resetstate.php

  • Changed Diag > States so it can optionally require a filter before displaying states, to improve handling with large state tables #7069

Traffic Shaping

  • Added Chelsio network cards (cxl) to the list of drivers that are capable of using ALTQ #6830

  • Fixed the traffic shaper wizard so it uses whole numbers instead of decimals #6779


  • Fixed issues when XMLRPC synchronizes IP Alias type Virtual IP addresses bound to Localhost #7010

  • Fixed a bug where the CARP VIP status was incorrect when the interface has more than one CARP VIP

DHCP/DHCPv6 Server / Router Advertisements

  • Updated the ISC DHCP Daemon to fix issues with missing hostnames in leases, and removed workarounds that are no longer needed #6840

  • Fixed reversed behavior of “Change DHCPv6 display lease time from UTC to local time” #6640

  • Fixed incorrect index for edit action on DHCP Leases #7233

  • Added an option to force a Dynamic DNS hostname in DHCP/DHCP6 Server settings

  • Changed DHCP lease times to always display in 24-hour clock format

  • Added an option to allow BOOTP to be specifically disabled in the DHCP Server settings #4351

  • Fixed validation to allow URLs for TFTP Server in DHCP Server settings #6634

  • Improved dhcpd and dhcpleases reload handling

  • Fixed DHCP NTP Server form validation to allow hyphens #6806

  • Fixed restore of DHCP6 leases on full install when using MFS /var

  • Fixed a problem with the DHCP range being reset if the Setup Wizard was re-run when a custom DHCP range already exists #4820

  • Fixed issues with DHCP traffic being blocked with DHCP Relay enabled #6996

  • Changed the DHCP/DHCPv6 server GUI so it can be configured (but not run) while DHCP Relay is enabled #6997

  • Added Client ID to DHCP Leases display, if present

  • Added Client ID to DHCP Mapping list, if present

  • Disabled DHCP server on interfaces with subnet >= 31 #6930

  • Changed DHCP6 client to allow a prefix size of /59

  • Changed DHCP6 server to allow a prefix size of /59 and /61

  • Added new “Ignore client identifiers” option to DHCP Server

  • Fixed handling of DNS entries for IPv6 static mappings when using delegated prefixes #6768

  • Improved the help text for Router Advertisement configuration #6889

DNS / Resolver / Forwarder

  • Added support for a variable number of DNS servers #5549

  • Changed interface boxes in the DNS Resolver so they can be resized

  • Fixed sorting of DNS Forwarder hosts and domains in config.xml #6903

  • Fixed DNS Resolver (unbound) logging after clearing logs #6915

  • Added support for “deny_non_local” and “refuse_non_local” ACLs in the DNS Resolver #6914

  • Fixed DNS Server Gateway validation

  • Changed behavior of DNS Resolver overrides to only add FQDN entries, not short hostnames #6064

  • Fixed issues with DNS Resolver Host Overrides not being updated properly #6712


  • Fixed display of Prefer/No Select checkboxes invisible when adding entries in NTP Server settings #6788

  • Fixed handling of NTP IPv6 restrict clauses

  • Fixed setting default NTP access restrictions when there are no custom restrictions #6454

  • Fixed NTP status widget IPv6 address handling so addresses are not truncated #4815

  • Fixed the NTP Orphan Mode stratum field #7034

  • Fixed issues with NTP GPS status

  • Fixed a case that could result in an empty ‘restrict’ line in the NTP configuration #7110

  • Added a limit for NTP time source fields so they cannot exceed the maximum number saved to configuration #7164

  • Fixed display and behavior issues with NTP ACLs #6984

  • Improved parsing of GPS initialization and output, and added support for more GPS output formats and extended status

  • Added an autocorrect tool for checksums on GPS initialization commands #7159

Captive Portal

  • Changed Captive Portal MACs page to be sortable #6786

  • Fixed handling of Captive Portal user bandwidth set to 0 #6872

  • Changed Captive portal to send “Admin Reset” as termination cause when disconnecting a user from the WebGUI

  • Added option to Captive Portal to include idle time in total session time

  • Fixed bandwidth limitation settings in Captive Portal MAC passthrough

  • Fixed links to view current Captive Portal page for all interfaces #6391

  • Converted Captive Portal active sessions to a sortable table

  • Added code to hide the client MAC address column in Captive Portal status when MAC filtering is disabled, rather than displaying an empty column

  • Added popup with session details to the Captive Portal active sessions list on the status page

  • Added button to disconnect all Captive Portal users

  • Worked around race condition between captiveportal_disconnect_all() and captiveportal_prune_old()

  • Added locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all()

  • Reworked logging and RADIUS accounting when disabling a Captive Portal zone or rebooting

  • Increased speed of captiveportal_disconnect_all()

Dynamic DNS

  • Added the ability to change the URL queried by Dynamic DNS entries to check the external IP address (Services > Dynamic DNS, Check IP Services tab) #6591

  • Added support for All-Inkl Dynamic DNS provider

  • Added support for Dynamic DNS provider

  • Added support for CloudFlare Proxy to Dynamic DNS

  • Added Cloudflare Dynamic DNS IPv6 support #6623

  • Fixed status checking on Dynamic DNS (RFC2136), updates were always considered successful even on failure #6357

  • Fixed handling of multiple RFC2136 entries #6153

  • Fixed links in RFC2136 entries in the Dynamic DNS widget #7126

  • Fixed HTTP header processing for Dynamic DNS updates

  • Fixed handling of custom IPv6 Dynamic DNS in the widget #6922

  • Changed Cloudflare and Gratis plus Dynamic DNS to store passwords in base64

  • Updated Route 53 Dynamic DNS to fix several reported issues #3973 #6751 #5054

  • Fixed handling of ZoneEdit Dynamic DNS when used with a CARP VIP #6992

  • Removed excess loops from the Dynamic DNS Widget

Gateways / Routing

  • Added the ability to disable gateway monitoring actions without disabling gateway monitoring #3151

  • Changed gateway notifications to notify by email and syslog when a gateway goes up or down

  • Improved gateway notification mechanisms

  • Fixed handling of deleting or disabling static default gateways so they are properly removed from the routing table #6659

  • Fixed L2TP WAN dynamic gateway naming #6980

  • Fixed status display for unmonitored gateways

  • Fixed static blackhole route handling

  • Fixed handling of long hostnames on Diagnostics > Routes #6869

  • Corrected behavior of disabled static routes #3560

  • Created a PHP Shell playback script to view the gateway status from the shell and status output #7046


  • Fixed SMTP settings test so it properly displays results

  • Fixed validation of secure SMTP Connection Modes (SSL/TLS and STARTTLS are mutually exclusive)

  • Removed validation of password mismatches when SMTP or Growl notifications are disabled #7129

  • Changed format of file_notice() alerts in webgui for easier reading

Graphs / Monitoring

  • Changed traffic graphs to use d3.js (Dashboard and Status > Traffic Graphs)

  • Moved export button to heading for Status > Monitoring page

  • Moved graph labels so long hostnames do not overlap as easily #6138

  • Improved error checking in case JSON isn’t returned when building graphs #6748

  • Added a missing RRD step value to lookup table #6860

  • Added support for multiple views in Status > Monitoring graphs (Adds tab shortcuts to different graph views)

  • Added a per-view “Refresh Interval” option to Status > Monitoring graphs

  • Fixed null acronyms and axis label for queues/queuedrops graph in Status > Monitoring

  • Enabled Area and Bar graph types for Status > Monitoring graphs


  • Added an option to allow display of the firewall hostname on the login page

  • Added filtering to widgets where appropriate

  • Standardized PHP memory limit configuration

  • Fixed formatting issues with the Installed Packages widget #6601

  • Improved Compact-RED theme

  • Changed service running/stopped icons

  • Fixed issues with JavaScript confirmation prompts missing words (e.g. “Are you sure you wish to?”) #6972

  • Fixed issues with packages that toggle visibility of advanced options areas #7100

  • Removed the crash reporter link from the dashboard when a user does not have crash_reporter page access #7043

  • Fixed display of Package installation message #7226

  • Fixed “” tag processing in package XML handling

  • Fixed inconsistent handling of empty/null configuration settings in config.xml #6893


  • Increased filtering tail limit for logging to ensure enough entries will be displayed #6652

  • Added a means for packages to request a syslogd socket inside a chroot environment #4898

  • Added BIND logging to proper facility #5524

  • Improved handling of the TFTP Proxy/xinetd process when it is disabled, to reduce log messages #6308


  • Updated simplepie (RSS Parsing library) to 1.4.3

  • Fixed storing of IPv6 addresses so they are always saved in lower case #6864

  • Fixed bsnmpd “printcap” log errors #6838

  • Fixed a foreach error when restoring a configuration without packages

  • Fixed handling of signal traps in the console menu #6741

  • Fixed “Goto line #” action on diag_edit.php so pressing the enter key also activates the function

  • Changed the PHP Execute feature of Diagnostics > Command so that it does not generate a crash report from a syntax error #6702

  • Added enable link to Status > UPnP & NAT-PMP error message if disabled #6689

  • Changed the time zone help text to clarify and warn against the use of the Etc time zones that use POSIX style signs, which are the opposite of what most users expect #7089

  • Added validation to prevent duplicate Wake on LAN entries

  • Fixed permissions on /var/tmp when /var is a RAM disk #7120

  • Added a fallback for get_pkg_info() to use pkg info if there is no local copy of the repository catalog

  • Removed spurious output from the PHP Shell executable when running a playback script from a command prompt #7045

  • Updated status.php with new info and changed its output organization #7246