2.3.4-p1 New Features and Changes

The pfSense® software version 2.3.4-p1 errata release is a minor release after 2.3.4 and contains beneficial security and bug fixes.

Security / Errata

  • pfSense Security Advisories

    • pfSense-SA-17_05.webgui:

      • Fixed a potential XSS issue in the diag_edit.php file browser #7650

      • Fixed a potential XSS in handling of the ‘type’ parameter on diag_table.php #7652

      • Fixed validation and a potential XSS in interface names on firewall_nat_edit.php #7651

    • pfSense-SA-17_06.webgui:

      • Added a warning screen to the GUI and prevent access if the client IP address is currently in the lockout table, and also remove the client’s connection states #7693

Bug Fixes

Captive Portal

  • Fixed Captive Portal RADIUS Authentication to only cache credentials when required to perform reauthentication #7528

  • Restored the captive portal feature to view the captive portal page directly from the portal web server as an additional button #7646

Dynamic DNS

  • Fixed issues with wildcard CNAME records disappearing from Loopia when doing a DNS update

  • Fixed issues with CloudFlare Dynamic DNS

  • Fixed Hover Dynamic DNS updates so they Verify the SSL Peer


  • Added syslogd service definition to enable status display and control #4382

  • Fixed issues with syslogd stopping when installing or uninstalling some packages #7256

Virtual IP Addresses

  • Fixed issues with CARP status display overmatching some VIP numbers #7638

  • Fixed pid file handling for choparp (Proxy ARP Daemon)

  • Added the ability to sort the Virtual IP address list


  • Fixed diag_dns.php so it will not create an empty alias if name does not resolve

  • Fixed diag_dns.php to not show Add Alias if the user does not have privileges to add an alais

  • Fixed diag_dns.php to change the update alias button text after adding an alias

  • Fixed diag_dns.php to disable the Add Alias button when the host field is changed

  • Fixed calls to unbound-control to have the full configuration path specified so they do not fail #7667

  • Fixed handling of “redirect” zone entries in the DNS Resolver so they do not produce invalid zones #7690

  • Changed the way the DNS Resolver code writes out host entries, so the zones are more well-formed #7690

  • Changed the way the DNS Resolver process (unbound) is stopped, to allow it to exit cleanly. #7326


  • Fixed DHCPv6 to request a prefix delegation even if no interfaces are set to track6 #4544

  • Updated handling of original MAC address retention for interfaces with spoofed MACs

  • Fixed an array handling problem when working with gateway entries on the Interface configuration page #7659

  • Fixed handling of MSS clamping values for PPPoE/L2TP/PPTP WANs #7675


  • Fixed an issue where some DHCP Lease information was encoded twice with htmlentities/htmlspecialchars

  • Fixed an issue where in some edge cases, a variable was not properly set in a loop, leading to a previous value being reused


  • Removed “/usr/local/share/examples” from obsolete files list, some packages rely on the files being there

  • Added a few more items to status.php for support purposes, such as a download button, socket buffer info, and the netgate ID

  • Fixed status.php to redact BGP MD5 password/key in output #7642

  • Fixed OpenVPN to use is_numeric() to make sure $prefix is not 0

  • Changed the “Rule Information” section so it is consistent between firewall and NAT rule pages

  • Fixed APU2 detection for devices running coreboot v4.x

  • Fixed the tunable description for net.inet.ip.random_id #6087

  • Fixed some outdated links for help and support

  • Fixed some issues with empty config tags in packages #7624

  • Fixed issues with entry IDs after deleting Authentication Server instances #7682