Netgate Documentation
2.4.3 New Features and Changes
Security / Errata
FreeBSD-SA-18:01.ipsec
Kernel PTI mitigations for Meltdown (optional tunable)
FreeBSD-SA-18:03.speculative_execution.asc
IBRS mitigation for Spectre V2 (requires updated CPU microcode)
FreeBSD-SA-18:03.speculative_execution.asc
Added a CPU Microcode update mechanism (cpuctl module,
sysutils/devcpu-data port)
Imported a FreeBSD patch to fix boot issues when running as a
hypervisor guest on AMD Family 15h processors (FreeBSD PR
#213155)
Added validation for RRD parameters to ensure passed filenames are
valid #8269
Fixed a potential XSS vector in RRD error output encoding
#8269
pfSense-SA-18_01.packages
Fixed a potential XSS vector in diag_system_activity.php output
encoding #8300
pfSense-SA-18_02.webgui
Fixed a potential XSS vector in traffic_graphs.widget.php settings
#8302
pfSense-SA-18_03.webgui
Fixed a potential CSRF issue in service control request processing
#8296
Enabled CSRF protection for all dashboard widgets
#8301
Added encoding for firewall schedule range descriptions
#8259
Changed sshd to use delayed compression
#8245
Increased PHP-FPM resources on systems with over 1GB RAM to improve
performance #8125
Imported a netstat fix for ARM platforms to improve performance and
reduce CPU usage, especially on the Dashboard
#8237
Fixed a memory leak in the pfSense_getall_interface_addresses()
function in the pfSense PHP module
#8249
Hardware support for the XG-7100, including:
C3000 NIC support (factory installations only)
C3000 SoC support (factory installations only)
Marvell 88E6190 switch support (factory installations only)
Traffic Shaping / Limiters
Fixed hangs due to Limiters and pfsync in HA
#4310
Added the Chelsio cxl driver to the list of ALTQ capable interfaces
#7607
Fixed an issue with limiters that had fractional bandwidth values
#8091
Changed status_queues.php to provide ‘realtime’ statistics
#8185
IPsec
Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the
local side can allow inbound connections to either address family
#6886
Changed IPsec Phase 1 to allow configuration of multiple IKE
encryption algorithms, key lengths, hashes, and DH groups
#8186
Fixed a problem when IPsec bypasslan was enabled while the LAN
interface is disabled or doesn’t have an IP address
#8239
Added IPv6 LAN Network to the IPsec LAN bypass list
#8321
OpenVPN
Fixed an error message encountered by a few users when manually
killing OpenVPN connections
#8266
Added an OpenVPN tap bridge configuration option to push the bridged
interface address to clients as a route-gateway for routes/redirects
#8267
Added an option to the DNS Resolver which allows registering the CN
of OpenVPN clients as hostnames
#6847
Added an option to OpenVPN clients and servers to suppress creation
of IPv4 or IPv6 gateway addresses for an interface
#6848
Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network
#8261
Updated the OpenVPN wizard with the current UDP and TCP protocol
selections #8298
Added the interface for a VPN to the OpenVPN client and server list
screens
Notifications
Changed SMTP notifications handling so they are batched, to avoid
sending multiple e-mail messages in a short amount of time
#4031
Added a notification when the firewall boot sequence is complete
#7643
Dashboard
Fixed issues with the IPsec dashboard widget causing GUI failure
#6318
Changed the Dynamic DNS Widget so it shows the description of custom
entries to identify them
#7843
Fixed a reference to deprecated updateGatewayDisplays() function in
the Gateways dashboard widget
#8303
Added a setting to the temperature widget to display readings in
Fahrenheit #8205
Changed the picture widget so the picture is stored on the firewall
filesystem and not in config.xml to reduce the size of backup data
#8371
On upgrade, pictures will be moved out of config.xml, so back up
this file separately if it is important
DHCP
Added an option to the DHCP Server Dynamic DNS configuration to set
the server key algorithm
#6621
Added DDNS Client Updates option to DHCPv4
#7131
Fixed handling of the DHCPv6 DDNS reverse zone key
#6319
Fixed DHCPv4 static mappings so that multiple MAC addresses for the
same DHCP address or hostname are allowed
#8220
Fixed a potential issue in detecting primary/secondary node in a
failover configuration
Improved DHCP relay destination interface discovery
Fixed DHCPv6 lease display for entries that were not parsed properly
from the lease database
#7413
Dynamic DNS
Added an option for RFC 2136 Dynamic DNS server key algorithm
#8244
Added an option for RFC 2136 source address used to send updates
#8278
Fixed issues with Dynamic DNS updates using a gateway group when the
primary route is down
#8333
Added GoDaddy Dynamic DNS provider
Interfaces / VIPs
Fixed issues on assign_interfaces.php with large numbers of
interfaces #6400
Fixed handling of CARP VIPs on disabled interfaces at boot time
#6677
Fixed issues with radvd being enabled on a disconnected interface
#6974
Fixed issues with rtsold on VLAN interfaces
#7412
Fixed issues with dhcp6c lock files after unclean shutdown when using
“Do not wait for an RA” on IPv6 WAN interface
#8106
Added a feature to allow PPPoE on a CARP VIP so it will only be
active on whichever node is master
#8184
Fixed an error when editing PPP interfaces on a system with no VIPs
#8322
Added VLAN priority tagging for DHCPv6 client requests
#8200
Added support for configuring the DUID type for IPv6 interfaces
#8191
Allow custom INIT string for PPP modem SIM Pin and APN settings
Added an indicator for disabled interfaces on status_interfaces.php
Fixed an issue with the PPP linkup and linkdown scripts and cellular
modems
Fixed an issue where the combination of CARP with bridging could lead
to a deadlock #8056
Packages
Fixed reinstall process for missing packages
#8183
Captive Portal
Fixed Pass-through MAC automatic additions so it does not add
duplicate entries #8226
Fixed a missing global definition in Captive Portal pass-through MAC
removal #8238
Fixed Captive Portal voucher sync errors when vouchers are expired or
disconnected while the secondary node is master
#8317
Fixed Captive Portal voucher synchronization between HA nodes
#7972
Certificates
Fixed automatic SAN handling when the CN of a certificate contains a
space #8252
Fixed input validation for Certificate SAN values to disallow IP
addresses for FQDN/Hostname entries
#8275
Gateways/Routing
Fixed handling of the Router Lifetime value on
services_router_advertisements.php so it allows a value of 0
#7502
Added ospf6d to the routing log
Allow recursive aliases to be used with static routes
Rules/NAT
Fixed various pf “busy” errors when the ruleset is reloaded
Fixed issues with editing firewall rules in non-English languages
that contain single quotes in translated strings
#8219
Added an option to disable drag-and-drop of firewall and NAT rules
Added a check to prevent 1:1 NAT rules with missing information from
being added to the ruleset
Added firewall rule tracking ID to rule list (in counter tooltip) and
firewall rule edit page
#8348
Fixed cases where automatic or scripted rules were not getting
tracking IDs #8353
Added a check to prevent automatic outbound firewall rules with
missing information from being added to the ruleset
#8360
Users/Authentication
Fixed issues with XMLRPC user account synchronization causing GUI
inaccessibility on secondary HA nodes
#7469
Fixed an issue where a user with no privileges could not logout
#8297
Increased maximum username length from 16 to 32 characters to catch
up to the current allowed length in FreeBSD
Fixed required field markings on LDAP authentication server
configuration fields
#8337
Fixed display of the LDAP host when testing the GUI authentication
source #8338
Misc
Fixed NTP Status server time for zones with minute offsets (fractions
of an hour) #8129
Added support for custom shutdown scripts in /usr/local/etc/rc.d
#8182
Fixed a reference to an undefined function while restoring a
config.xml file from an older version
#8231
Added support to diag_packet_capture.php to capture traffic on the
loopback interface
#8257
Fixed an issue with the RAM disk warning pop-up appearing when no
changes were made #8268
Fixed an issue with the address family selection for remote syslog
servers using IPv6
#8323
Silenced warnings from sysctl that otherwise went to stderr
Added a disk size check to ZFS to prevent it from being used on disks
which are too small to contain the OS and swap space
#7308
Added a check to prevent pfSense-upgrade from running as a non-root
user #7762
Added an option to disable the IGMP Proxy service
#8356
Fixed an issue with package handling when restoring a configuration
that contains a branch configuration that is not valid for the target
system version #8208