2.3.3 New Features and Changes¶
Security / Errata¶
Updated to FreeBSD 10.3-RELEASE-p16
FreeBSD Security Advisories
FreeBSD Errata Notices
pfSense® Software Advisories
Updated numerous third-party libraries and supporting programs
Changed behavior of fsck during bootup to improve filesystem stability #6340
Added protection to /etc/ttys to prevent corruption or missing lines
Known Issues¶
The Captive Portal Disconnect All Users button does not fully disconnect all users PR#3565
RFC 2136 Dynamic DNS Entries will show red on the Dashboard widget even when correctly updated #7290
Firewall rules without an IP protocol set in the configuration which also have an ICMP type set may not load or display correctly. #7299 #7300
General Info¶
Added Packages: tinc, cellular, LCDproc, TFTP Server
Fixed numerous typos and wording issues
Added marking for required fields on various pages #7083
Input validation fixes on various pages
Cleaned up some unneeded files/pages/functions
Fixed broken/outdated links
OpenVPN¶
Changed OpenVPN RADIUS authentication to send proper NAS-Port-Type, NAS-Port, and NAS-Identifier values #6609
Added compression option to handle connecting to OpenVPN peers which do not have LZO compiled into their OpenVPN executable #6739
Added a workaround to block outside DNS on Windows 10 OpenVPN clients to prevent DNS leaks #6719
Improved OpenVPN server handling when using CARP VIPs in Gateway Groups
Improved handling of chained/intermediate CAs in OpenVPN #2800
Changed OpenVPN widget so it updates dynamically #6723
Adapted the encryption cipher list to the new output format in OpenVPN 2.3.12, also now displays key and block lengths #6849
Changed OpenVPN server list to display more information
Improved error message to explicitly state allowable characters for certificate fields in the OpenVPN wizard #6432
Fixed handling of OpenVPN authentication when the backend server name contains special characters (e.g. ‘&’) #7002
Fixed saving an OpenVPN instance on a DHCP interface that does not currently have an IP address #7031
Added an IPv6 Tunnel Network field to OpenVPN Client-Specific Overrides #7053
Fixed changing between tun and tap mode for OpenVPN Clients
Changed OpenVPN startup to avoid overwriting its configuration, and to wait for its PID file to be written
Fixed OpenVPN binding to an IP Alias VIP #7136
Fixed display of disabled OpenVPN clients #7180
Fixed handling of “redirect-gateway” in Client-Specific Overrides #6633
IPsec¶
Interfaces¶
Fixed handling of LAGG MTU when child QinQ interfaces are present #6227
Improved behavior when using DHCP before RA #5993
Added the ability to send a DHCP Release from Status > Interfaces, rather than only stopping dhclient
Fixed issues adding/editing QinQ entries
Fixed input validation of QinQ entries
Fixed validation to prevent an interface, interface group, and alias from using the same name #6976
Updated interface group name validation rules to match limits of the operating system
Prevented interface group names, interface names, and aliases from starting with
pkg_
to reserve it for packages use (e.g. tinc) #7173Added validation to prevent Interface Group Names from containing a dash #7173
Added validation to prevent Interface Groups from being renamed to an existing name #7183
Fixed issues with Interface Statistics widget display #7134
Fixes for interfaces_ppps_edit.php to fix MTU validation, interface friendly names, advanced options expansion
Changed linkup event handling to ignore events for interfaces that are member of bridges which have no IP address configured
Fixed input validation for L2TP and PPTP WAN type interfaces #6732
Added validation to prevent adding duplicate gateways from the Interface configuration page
Fixed handling of IPv6 checksum options for “Disable hardware checksum offload” #5321
Fixed handling of the confirmation dialog when deleting a VLAN #6916
Fixed handling of wireless MAC address spoofing
Fixed wireless channel changing #6833
Improved labels and help text for IPv6 tunneling options
Added the ability for an L2TP or PPTP WAN to use a hostname for the remote gateway #6899
Certificate Management¶
Added missing recommended key lengths and digests to certificate manager
Fixed CRL editing so that certificates already contained the CRL are not displayed
Users / Authentication / Privileges¶
Fixed SSH Keyboard-Interactive authentication #6963
Added STARTTLS to LDAP Authentication Server Configuration
Improved WebGUI usability when a remote LDAP server is not available
Fixed issues with local_sync_accounts failing during boot when using an LDAP server on a non-local network or hostname #6857
Fixed port build options for scponly #7012
Fixed notifications so that the Mark All as Read button is not shown to users who do not have sufficient privileges to use it #3454
Added privileges to control display of notices #7051
Standardized privilege name capitalization
Fixed issues with low-privilege users accessing Help pages #7139 #7140
Added a privilege for UPnP & NAT-PMP configuration #7141
Simplified tcsh prompt and changed the prompt so it respects default terminal colors
Firewall / Rules / NAT / Aliases / States¶
Fixed restoring rule type selection after input errors while saving firewall rules
Fixed a copy/paste error in variable test when validating firewall rule ports.
Corrected the descriptions and behavior of the Adaptive Start and Adaptive End settings for firewall state handling
Fixed display of the number of states in the Firewall Rules page
Moved “Any” to top of protocol list in firewall rules
Fixed issues with hidden fields on firewall_rules_edit.php #7057
Fixed issues with moving rules that required scrolling while dragging #6895
Enhanced ICMP type handling in rules
Fixed issues when hovering the mouse pointer over aliases on disabled rules making the hint difficult to read #6448
Fixed handling of firewall rule separators when a NAT associated rule is deleted #6676
Added field to specify source-hash key for outbound NAT rules
Fixed issues with Firewall > NAT > Edit forgetting destination type selection when input errors occur #6224
Removed “self” as a destination from NAT 1:1 rules
Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
Fixed 1:1 NAT address family validation #6927
Fixed problems with nested aliases containing FQDNs #6982
Changed the Status > Filter Reload page so it shows the entire filter reload progress, rather than only the last state #6931
Fixed labels on diag_states_summary.php #6711
Fixed initial state of confirmation checkboxes on diag_resetstate.php
Changed Diag > States so it can optionally require a filter before displaying states, to improve handling with large state tables #7069
Traffic Shaping¶
HA / CARP¶
Fixed issues when XMLRPC synchronizes IP Alias type Virtual IP addresses bound to Localhost #7010
Fixed a bug where the CARP VIP status was incorrect when the interface has more than one CARP VIP
DHCP/DHCPv6 Server / Router Advertisements¶
Updated the ISC DHCP Daemon to fix issues with missing hostnames in leases, and removed workarounds that are no longer needed #6840
Fixed reversed behavior of “Change DHCPv6 display lease time from UTC to local time” #6640
Fixed incorrect index for edit action on DHCP Leases #7233
Added an option to force a Dynamic DNS hostname in DHCP/DHCP6 Server settings
Changed DHCP lease times to always display in 24-hour clock format
Added an option to allow BOOTP to be specifically disabled in the DHCP Server settings #4351
Fixed validation to allow URLs for TFTP Server in DHCP Server settings #6634
Improve dhcpd and dhcpleases reload handling
Fixed DHCP NTP Server form validation to allow hyphens #6806
Fixed restore of DHCP6 leases on full install when using MFS /var
Fixed a problem with the DHCP range being reset if the Setup Wizard was re-run when a custom DHCP range already exists #4820
Fixed issues with DHCP traffic being blocked with DHCP Relay enabled #6996
Changed the DHCP/DHCPv6 server GUI so it can be configured (but not run) while DHCP Relay is enabled #6997
Added Client ID to DHCP Leases display, if present
Added Client ID to DHCP Mapping list, if present
Disabled DHCP server on interfaces with subnet >= 31 #6930
Changed DHCP6 client to allow a prefix size of /59
Changed DHCP6 server to allow a prefix size of /59 and /61
Added new “Ignore client identifiers” option to DHCP Server
Fixed handling of DNS entries for IPv6 static mappings when using delegated prefixes #6768
Improved the help text for Router Advertisement configuration #6889
DNS / Resolver / Forwarder¶
Allow a variable number of DNS servers #5549
Changed interface boxes in the DNS Resolver so they can be resized
Fixed sorting of DNS Forwarder hosts and domains in config.xml #6903
Fixed DNS Resolver (unbound) logging after clearing logs #6915
Added support for “deny_non_local” and “refuse_non_local” ACLs in the DNS Resolver #6914
Fixed DNS Server Gateway validation
Changed behavior of DNS Resolver overrides to only add FQDN entries, not short hostnames #6064
Fixed issues with DNS Resolver Host Overrides not being updated properly #6712
NTP / GPS¶
Fixed display of Prefer/No Select checkboxes invisible when adding entries in NTP Server settings #6788
Fixed handling of NTP IPv6 restrict clauses
Fixed setting default NTP access restrictions when there are no custom restrictions #6454
Fixed NTP status widget IPv6 address handling so addresses are not truncated #4815
Fixed the NTP Orphan Mode stratum field #7034
Fixed issues with NTP GPS status
Fixed a case that could result in an empty ‘restrict’ line in the NTP configuration #7110
Added a limit for NTP time source fields so they cannot exceed the maximum number saved to configuration #7164
Fixed display and behavior issues with NTP ACLs #6984
Improved parsing of GPS initialization and output, and add support for more GPS output formats and extended status
Added an autocorrect tool for checksums on GPS initialization commands #7159
Captive Portal¶
Changed Captive Portal MACs page to be sortable #6786
Fixed handling of Captive Portal user bandwidth set to 0 #6872
Changed Captive portal to send “Admin Reset” as termination cause when disconnecting a user from the WebGUI
Added option to Captive Portal to include idle time in total session time
Fix bandwidth limitation settings in Captive Portal MAC passthrough
Fixed links to view current Captive Portal page for all interfaces #6391
Converted Captive Portal active sessions to a sortable table
Added code to hide the client MAC address column in Captive Portal status when MAC filtering is disabled, rather than displaying an empty column
Added popup with session details to the Captive Portal active sessions list on the status page
Added button to disconnect all Captive Portal users
Worked around race condition between captiveportal_disconnect_all() and captiveportal_prune_old()
Added locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all()
Reworked logging and RADIUS accounting when disabling a Captive Portal zone or rebooting
Increased speed of captiveportal_disconnect_all()
Dynamic DNS¶
Added the ability to change the URL queried by Dynamic DNS entries to check the external IP address (Services > Dynamic DNS, Check IP Services tab) #6591
Added support for All-Inkl Dynamic DNS provider
Added support for duiadns.net Dynamic DNS provider
Added support for CloudFlare Proxy to Dynamic DNS
Added Cloudflare Dynamic DNS IPv6 support #6623
Fixed status checking on Dynamic DNS (RFC2136), updates were always considered successful even on failure #6357
Fixed handling of multiple RFC2136 entries #6153
Fixed links in RFC2136 entries in the Dynamic DNS widget #7126
Fixed HTTP header processing for Dynamic DNS updates
Fixed handling of custom IPv6 Dynamic DNS in the widget #6922
Changed Cloudflare and Gratis plus Dynamic DNS to store passwords in base64
Updated Route 53 Dynamic DNS to fix several reported issues #3973 #6751 #5054
Fixed handling of ZoneEdit Dynamic DNS when used with a CARP VIP #6992
Removed excess loops from the Dynamic DNS Widget
Gateways / Routing¶
Added the ability to disable gateway monitoring actions without disabling gateway monitoring #3151
Changed gateway notifications to notify by email and syslog when a gateway goes up or down
Improved gateway notification mechanisms
Fixed handling of deleting or disabling static default gateways so they are properly removed from the routing table #6659
Fixed L2TP WAN dynamic gateway naming #6980
Fixed status display for unmonitored gateways
Fixed static blackhole route handling
Fixed handling of long hostnames on Diagnostics > Routes #6869
Corrected behavior of disabled static routes #3560
Created a PHP Shell playback script to view the gateway status from the shell and status output #7046
Notifications¶
Fixed SMTP settings test so it properly displays results
Fixed validation of secure SMTP Connection Modes (SSL/TLS and STARTTLS are mutually exclusive)
Removed validation of password mismatches when SMTP or Growl notifications are disabled #7129
Changed format of file_notice() alerts in webgui for easier reading
Graphs / Monitoring¶
Changed traffic graphs to use d3.js (Dashboard and Status > Traffic Graphs)
Moved export button to heading for Status > Monitoring page
Moved graph labels so long hostnames do not overlap as easily #6138
Improved error checking in case JSON isn’t returned when building graphs #6748
Added a missing RRD step value to lookup table #6860
Added support for multiple views in Status > Monitoring graphs (Adds tab shortcuts to different graph views)
Added a per-view “Refresh Interval” option to Status > Monitoring graphs
Fixed fix null acronyms and axis label for queues/queuedrops graph in Status > Monitoring
Enabled Area and Bar graph types for Status > Monitoring graphs
WebGUI¶
Added an option to allow display of the firewall hostname on the login page
Added filtering to widgets where appropriate
Standardized PHP memory limit configuration
Fixed formatting issues with the Installed Packages widget #6601
Improved Compact-RED theme
Changed service running/stopped icons
Fixed issues with JavaScript confirmation prompts missing words (e.g. “Are you sure you wish to?”) #6972
Fixed issues with packages that toggle visibility of advanced options areas #7100
Removed the crash reporter link from the dashboard when a user does not have crash_reporter page access #7043
Fixed display of Package installation message #7226
Fixed “” tag processing in package XML handling
Fixed inconsistent handling of empty/null configuration settings in config.xml #6893
Logging¶
Increased filtering tail limit for logging to ensure enough entries will be displayed #6652
Added a means for packages to request a syslogd socket inside a chroot environment #4898
Added BIND logging to proper facility #5524
Improved handling of the TFTP Proxy/xinetd process when it is disabled, to reduce log messages #6308
Misc¶
Updated simplepie (RSS Parsing library) to 1.4.3
Fixed storing of IPv6 addresses so they are always saved in lower case #6864
Fixed bsnmpd “printcap” log errors #6838
Fixed a foreach error when restoring a configuration without packages
Fixed handling of signal traps in the console menu #6741
Fixed “Goto line #” action on diag_edit.php so pressing the enter key also activates the function
Changed the PHP Execute feature of Diagnostics > Command so that it does not generate a crash report from a syntax error #6702
Added enable link to Status > UPnP & NAT-PMP error message if disabled #6689
Changed the time zone help text to clarify and warn against the use of the Etc time zones that use POSIX style signs, which are the opposite of what most users expect #7089
Added validation to prevent duplicate Wake on LAN entries
Fixed permissions on /var/tmp when /var is a RAM disk #7120
Added a fallback for get_pkg_info() to use pkg info if there is no local copy of the repository catalog
Removed spurious output from the PHP Shell executable when running a playback script from a command prompt #7045
Updated status.php with new info and changed its output organization #7246