2.4.4 New Features and Changes

Significant Changes

OS Upgrade:

The base operating system was upgraded to FreeBSD 11.2-RELEASE-p3. As part of the move to FreeBSD 11.2, support for C3000-based hardware is now included.

PHP 7.2:

PHP upgraded to 7.2, which required numerous changes to syntax throughout the source code and packages.

Routed IPsec (VTI):

Routed IPsec is now possible using FreeBSD if_ipsec(4) Virtual Tunnel Interfaces (VTI). #8544 (See also: Routed IPsec (VTI))

IPsec Speed Improvements:

The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware. #8772

Default Gateway Group:

The default gateway may now be configured using a Gateway Group setup for failover (each gateway on a different tier), which replaces Default Gateway Switching. #8187

Limiter AQM/Queue Schedulers:

Limiters now include support for several Active Queue Management (AQM) methods and Queue Scheduler configurations such as FQ_CODEL. #6620 (See also: pfSense PR #3941)

Certificate Subject Requirements:

The Certificate Manager and OpenVPN wizard now only require the Common Name to be set, and all other fields are optional. #8381

AutoConfigBackup:

AutoConfigBackup is now integrated into the base system and is free for all users. (See also: Using the AutoConfigBackup Service)

DNS over TLS:

The DNS Resolver now includes support for DNS over TLS as both a client and a server, including for domain overrides. #8388 #8030 #8431

Captive Portal Authentication:

Captive Portal authentication is now integrated with the User Manager system. Captive Portal instances may now use RADIUS, LDAP, or Local Authentication like other integrated services. The firewall will migrate existing Captive Portal RADIUS settings to the User Manager automatically on upgrade.

Captive Portal HTML Design and Usability:

The default Captive Portal page has been redesigned. Controls have also been added which allow for the logo and background images and Terms of Service text to be customized without editing and uploading custom HTML code. #8793

Integrated Switch Improvements:

Netgate devices with integrated switches, such as the SG-3100 and XG-7100, can now configure per-port speed and duplex settings. An assigned VLAN interface can now be tied to a switch port so that the interface reflects the port's up/down status, and LAGG support is also available (Load Balance mode only).

Security

  • FreeBSD SA for CVE-2018-6922: Resource exhaustion in TCP reassembly FreeBSD-SA-18:08.tcp

  • FreeBSD SA for CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault (L1TF) Kernel Information Disclosure FreeBSD-SA-18:09.l1tf

  • FreeBSD SA for CVE-2018-6923: Resource exhaustion in IP fragment reassembly FreeBSD-SA-18:10.ip

  • FreeBSD SA for CVE-2018-14526: Unauthenticated EAPOL-Key Decryption Vulnerability FreeBSD-SA-18:11.hostapd

  • FreeBSD SA for CVE-2018-6924: Improper ELF header parsing FreeBSD-SA-18:12.elf

  • FreeBSD errata notice for LazyFPU remediation causing potential data corruption FreeBSD-EN-18:08.lazyfpu

  • Fixed a potential XSS vulnerability via GUI rule separators pfSense-SA-18_06.webgui #8654

  • Fixed a potential XSS via custom GUI/dashboard settings pfSense-SA-18_07.webgui #8726

  • Fixed a potential authenticated arbitrary code execution (ACE) vulnerability pfSense-SA-18_08.webgui #8843

  • Upgraded strongSwan to 5.6.3 to address a buffer underflow leading to denial of service (CVE-2018-5388) #8746

  • Updated default cryptographic settings for OpenVPN, IPsec, and Certificates #8594

  • Changed the included DH groups to those defined in RFC 7919 #8582

  • Added stronger IPsec Pre-Shared Key usage warnings, and a button to generate a secure PSK #8667

  • Disabled OpenVPN compression by default on new instances for security reasons due to VORACLE. Users should strongly consider disabling compression on existing OpenVPN instances if they pass unencrypted data such as HTTP to arbitrary Internet sites. (VORACLE is a compression oracle attack in the CRIME/BREACH family: an attacker who can inject chosen plaintext into the tunnel and observe the size of the compressed, encrypted output can recover secrets carried alongside it.) #8788

  • Patched OpenSSH for CVE-2018-15473, username enumeration/disclosure through malformed packets.

  • Changed from sshlockout_pf to sshguard for monitoring failed logins and locking out offenders. This allows the lockout to work for both IPv4 and IPv6 clients, and existing states are now terminated when an offender is added to the block list, so a connection the attacker already holds open does not survive the new block #7694 #7695
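The following is an added illustration of the lockout idea behind the sshguard change above; it is not pfSense or sshguard code. It parses constructed FreeBSD sshd log lines, counts failures per source address for IPv4 and IPv6 alike, and emits the pfctl commands that add the offender to a table and kill its states. The failure threshold and the table name `sshguard` are assumptions for the example.

```python
"""Added example (not pfSense or sshguard code): failed-login lockout over
constructed sshd log lines, handling IPv4 and IPv6 sources the same way."""
import ipaddress
import re
from collections import defaultdict

THRESHOLD = 3            # failures before an address is blocked (assumed)
TABLE = "sshguard"       # pf table referenced by the block rule (assumed)

# Matches the sshd messages that indicate a failed attempt and captures the
# client address whatever its family (hex digits, dots and colons).
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed (?:password|publickey)|Invalid user|"
    r"error: maximum authentication attempts exceeded).*?"
    r"\bfrom (?P<addr>[0-9a-fA-F.:]+) port \d+"
)


def parse_failure(line):
    """Return the attacking address in canonical form, or None for other lines."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    try:
        # ipaddress canonicalizes, so 2001:0db8::bad and 2001:db8::bad count together.
        return str(ipaddress.ip_address(m.group("addr")))
    except ValueError:
        return None


def find_offenders(lines, threshold=THRESHOLD):
    """Count failures per source address and return those at or over threshold."""
    counts = defaultdict(int)
    for line in lines:
        addr = parse_failure(line)
        if addr:
            counts[addr] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)


def block_commands(offenders, table=TABLE):
    """pfctl invocations to add each offender and kill its states (built, not run)."""
    cmds = []
    for addr in offenders:
        cmds.append(f"pfctl -t {table} -T add {addr}")
        # A new block rule only affects new states; kill the existing ones too.
        cmds.append(f"pfctl -k {addr}")
    return cmds


# Constructed log lines. 2001:db8::bad is an IPv6 client that an IPv4-only
# lockout would never have matched.
SAMPLE_LOG = [
    "Sep 24 10:00:01 fw sshd[2101]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "Sep 24 10:00:03 fw sshd[2101]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "Sep 24 10:00:05 fw sshd[2101]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "Sep 24 10:00:06 fw sshd[2104]: Invalid user oracle from 2001:db8::bad port 40001",
    "Sep 24 10:00:07 fw sshd[2104]: Failed password for invalid user oracle from 2001:db8::bad port 40001 ssh2",
    "Sep 24 10:00:09 fw sshd[2104]: error: maximum authentication attempts exceeded for invalid user oracle from 2001:db8::bad port 40001 ssh2 [preauth]",
    "Sep 24 10:00:11 fw sshd[2107]: Failed password for admin from 198.51.100.9 port 52000 ssh2",
    "Sep 24 10:00:12 fw sshd[2107]: Accepted publickey for admin from 198.51.100.9 port 52000 ssh2: ED25519 SHA256:abc",
]

if __name__ == "__main__":
    for cmd in block_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

The single failure from 198.51.100.9 followed by a successful key login stays below the threshold and is left alone; both brute-forcing addresses are blocked and have their states torn down.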

Errata

Warning

Third-party packages from alternate repositories cause problems both during the upgrade process and with post-upgrade behavior. These packages have never been supported and can only have been added manually, outside of the GUI.

Due to the major changes required for FreeBSD 11.2 and PHP 7.2, third party packages from alternate repositories cannot be present during the upgrade. There is no way to predict if a third party package supports the new version or will cause the upgrade itself to fail.

The upgrade process will automatically remove pfSense-pkg-* packages installed from alternate repositories. After the upgrade completes, the user can reinstall these packages. Packages from alternate repositories will not appear in the Installed Packages list in the GUI, and must be entirely managed in the command line.

This change does not affect packages installed from the official pfSense® package repository.

  • Removed options for the deprecated FEC LAGG Protocol #8734

Certificates

  • Changed the Certificate Manager and OpenVPN wizard to only require the Common Name for the CA/Cert subject #8381

  • Updated default cryptographic settings for Certificates #8594

  • Added support for OCSP Must-Staple certificates in the GUI (and ACME package) #8418

  • Changed CRL support from using an abandoned PHP OpenSSL module patch to a pure PHP implementation compatible with PHP 7.2 #8762

  • Fixed issues in several areas that did not parse CA fields correctly when the fields were not in the expected order #8801

  • Changed the default CA and Certificate create action from “Import…” to “Create an internal…” #8851

DNS

  • Added DNS over TLS for upstream forwarders to the DNS Resolver #8388

  • Added DNS over TLS server support to the DNS Resolver #8030

  • Added DNS over TLS options for DNS Resolver Domain Override #8431

  • Fixed editing DNS Resolver ACLs in non-English languages #8539

  • Added a DNS Resolver status page #8430

  • Clarified that “Register DHCP leases in the DNS Resolver” only works for IPv4 addresses #8592

  • Added the IPv4-mapped IPv6 form of the private IPv4 ranges to the DNS Resolver DNS Rebinding checks, so an answer in that form cannot bypass the filter #8750

  • Fixed an issue that prevented disabling the DHCP Server on an interface while the DNS Resolver DHCP Registration option was enabled (only one enabled DHCP interface is required) #8120

  • Added advanced option for qname-minimization to the DNS Resolver #8028

  • Fixed an issue with IDs when editing or deleting DNS Forwarder host override entries #8767
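As an added illustration of the rebinding change above (not pfSense or unbound code): the Resolver's rebinding protection refuses answers that point into private ranges, and an IPv4 address can also be expressed as an IPv4-mapped IPv6 address such as ::ffff:192.168.1.1. The example below shows a check that only knows literal IPv4 answers beside one that unmaps the IPv6 form first. The range list is an illustrative private/link-local set, not a copy of what any particular release generates.

```python
"""Added example (not pfSense code): DNS rebinding filter that treats
IPv4-mapped IPv6 answers the same as their IPv4 counterparts."""
import ipaddress

# Ranges the resolver should refuse to return from untrusted upstream answers
# (illustrative set, assumed for the example).
PRIVATE_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]
PRIVATE_V6 = [
    ipaddress.ip_network("fd00::/8"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("::1/128"),
]


def normalize(addr):
    """Return the embedded IPv4Address for ::ffff:a.b.c.d answers, else the address."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_rebinding_naive(addr):
    """Pre-fix behaviour: only literal IPv4 answers are tested against PRIVATE_V4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv4Address):
        return any(ip in net for net in PRIVATE_V4)
    return any(ip in net for net in PRIVATE_V6)


def is_rebinding(addr):
    """Corrected check: unmap IPv4-mapped IPv6 before testing the ranges."""
    ip = normalize(addr)
    if isinstance(ip, ipaddress.IPv4Address):
        return any(ip in net for net in PRIVATE_V4)
    return any(ip in net for net in PRIVATE_V6)


def filter_answers(answers):
    """Drop answers that point into the local network and keep the rest."""
    return [a for a in answers if not is_rebinding(a)]


if __name__ == "__main__":
    # Constructed answers a malicious authoritative server might return.
    answers = ["203.0.113.10", "192.168.1.1", "::ffff:192.168.1.1", "2001:db8::1", "fe80::1"]
    for a in answers:
        print(f"{a:>20}  naive={is_rebinding_naive(a)!s:5}  fixed={is_rebinding(a)}")
    print("kept:", filter_answers(answers))
```

The naive check passes ::ffff:192.168.1.1 because it is syntactically IPv6 and matches none of the IPv6 ranges; a client that unmaps the address before connecting would then reach 192.168.1.1. The corrected check rejects both spellings.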

Dynamic DNS

  • Added Dynamic DNS client for DigitalOcean DNS #8478

  • Fixed Dynamic DNS clients usage of custom check IP services #8664

  • Added Dynamic DNS client for Azure #7769

  • Updated DNSimple Dynamic DNS client to use DNSimple API v2 #8071

  • Fixed handling of username and password fields for custom Dynamic DNS entries #8782

Routing/Gateways

  • Added the ability to set a Gateway Group as the default gateway. #3781 #8187

  • Extended the maximum Gateway monitoring Probe Interval #8593

  • Fixed handling of Gateway Group Trigger Level #8586

  • Fixed inconsistency in display and usage of units for Gateway latency #8477

  • Upgraded FRR to 5.0.1 for compatibility with FreeBSD 11.2 #8449

  • Fixed FRR BGP MD5 support #8407

  • Fixed handling of Router Advertisement preferences #6237
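The following is an added example, not pfSense code, of the failover selection behind the Default Gateway Group change described above and in Significant Changes: members sit on distinct tiers, the lowest tier with a member that is not tripped by the group's Trigger Level wins, and that member holds the default route. The trigger names follow the GUI's choices (Member Down, Packet Loss, High Latency, Packet Loss or High Latency); the loss and latency thresholds and the monitoring values are constructed for the example.

```python
"""Added example (not pfSense code): picking the default gateway from a
failover Gateway Group, one member per tier, under a given Trigger Level."""
from dataclasses import dataclass


@dataclass
class GatewayStatus:
    name: str
    tier: int         # lower number = preferred
    down: bool        # monitor IP unreachable
    loss_pct: float   # measured packet loss, percent
    rtt_ms: float     # measured round-trip time, milliseconds


@dataclass
class Thresholds:
    # "High" thresholds at which a member counts as lossy or slow (assumed values).
    loss_high: float = 20.0
    latency_high: float = 500.0


def member_tripped(gw, trigger, th):
    """True if this member counts as failed under the group's Trigger Level."""
    if gw.down:
        return True                      # every trigger level treats down as failed
    if trigger == "down":
        return False                     # Member Down: loss/latency alone never fail it
    lossy = gw.loss_pct >= th.loss_high
    slow = gw.rtt_ms >= th.latency_high
    if trigger == "loss":
        return lossy
    if trigger == "latency":
        return slow
    if trigger == "loss_or_latency":
        return lossy or slow
    raise ValueError(f"unknown trigger level {trigger!r}")


def select_default_gateway(members, trigger, th=Thresholds()):
    """Return the name of the member that should hold the default route, or None.

    Tiers are walked from lowest to highest; the first tier with a healthy
    member wins. Each member is expected to be on its own tier, as the
    default-gateway use of a group requires.
    """
    tiers = [m.tier for m in members]
    if len(tiers) != len(set(tiers)):
        raise ValueError("default gateway groups need each member on a distinct tier")
    for gw in sorted(members, key=lambda m: m.tier):
        if not member_tripped(gw, trigger, th):
            return gw.name
    return None


if __name__ == "__main__":
    # Constructed status: the primary WAN is up but dropping 30% of probes.
    members = [
        GatewayStatus("WAN_DHCP", 1, False, 30.0, 40.0),
        GatewayStatus("WAN2_PPPOE", 2, False, 0.0, 60.0),
        GatewayStatus("LTE", 3, False, 0.0, 120.0),
    ]
    for trig in ("down", "loss", "latency", "loss_or_latency"):
        print(f"{trig:17} -> {select_default_gateway(members, trig)}")
```

With the trigger at Member Down the lossy primary keeps the default route; with Packet Loss or Packet Loss or High Latency the route moves to the tier 2 member, and it falls through to LTE only when the first two are tripped.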

IPsec

  • Added routed IPsec using FreeBSD if_ipsec(4) VTI #8544

  • Added a GUI option to the IPsec Advanced Settings tab for Asynchronous Cryptography which can dramatically improve IPsec crypto operation performance on multi-core hardware #8772

  • Added IPsec identifiers to Status > IPsec #8598

  • Fixed a JavaScript variable issue in IPsec IKE Phase 1 causing the Key Length field to be blank in some browsers such as IE #8543

  • Added IPsec mobile client options to configure different (virtual) IP addresses per user #8292

  • Added IPsec mobile client options to configure different DNS servers per user #8644

  • Updated default cryptographic settings for IPsec #8594

  • Changed the default behavior of an IPsec Phase 1 to rekey as needed #8540

  • Fixed handling of per-user IPsec rules from an authentication server #8765

  • Added warnings and hints to IPsec encryption and hash choices about potentially insecure selections #8766

  • Fixed an issue with handling IP Alias VIPs with CARP parent after an interface up/down event #8768

OpenVPN

  • Disabled compression by default for new OpenVPN client and server instances for security reasons #8788

  • Changed OpenVPN Authentication to use an asynchronous authentication plugin which avoids stalling server traffic during the authentication process, especially noticeable on down/broken authentication servers #7905

  • Fixed display of Bridge Route Gateway options on OpenVPN tap bridge servers #8658

  • Fixed handling of LDAP fields in the OpenVPN wizard and brought the options in line with current LDAP server options #8605

  • Updated default cryptographic settings for OpenVPN #8594

  • Added missing OpenVPN compression options (stub-v2 and plain compress) #8788

DHCP Server

  • Fixed validation of custom DHCP options #8534

  • Fixed a situation where DHCPv6 was configured for LAN when the LAN interface was not assigned #8048

  • Fixed an issue with XMLRPC synchronization of DHCP static mappings #8721

Interfaces / VIPs

  • Removed IPv4 and IPv6 settings from the Interface configuration for assigned OpenVPN/GIF/GRE/Routed IPsec instances, since the IP addresses are managed by the parent configuration, not by interfaces.php #8687

  • Fixed an HTTP_REFERER issue when changing the LAN IP address in the Setup Wizard #8524

  • Fixed an HTTP_REFERER issue when changing an interface IP address while accessing the GUI from the same interface #8822

  • Fixed handling of the FreeBSD 11.2-BETA dhclient MTU value #8507

  • Added PPPoE multi-link over single link to allow users with a supported provider to have a larger MTU #8737

  • Fixed a PPPoE MTU issue with ORANGE FR #8595

  • Fixed QinQ interface assignment #8446

  • Fixed radvd/IPv6 when using a LAN bridge #8429

  • Fixed deleting IP Alias VIPs outside an interface subnet where a gateway exists in the same subnet #4438

  • Fixed handling of IP Alias and CARP VIP subnet mask/prefix autodetection #8741

  • Fixed a panic in IPv6 fragment logging #8499

  • Fixed handling of DHCP option 77 in the DHCP client #7425

  • Fixed deleting Interface Group members which are disabled #8800

  • Fixed MAC address spoofing for bridge interfaces #8138

  • Fixed an issue with string termination when creating interfaces through the pfSense PHP module #8683

  • Fixed an issue where changing a LAGG could cause a VLAN using that LAGG as a parent interface to lose its association with the LAGG #8527

Integrated Switches

  • Added GUI controls to configure LAGG on integrated switch ports (Load Balance mode only)

  • Added GUI controls to configure Speed/Duplex for switch ports on integrated switches

  • Added the ability to tie the status of an assigned VLAN interface to a switch port for integrated switches

  • Added Switch Status to status.php for platforms with a switch #8525

  • Fixed an issue switching between Port VLAN and 802.1q VLAN mode on integrated switches #8422

  • Fixed an SNMP error on hardware with integrated switches #8600

  • Added a Preserve Switch Configuration option when restoring config.xml, which keeps the currently active switch settings instead of those in the imported configuration, to help with hardware transitions

Hardware/Platform

  • Added support for the new SG-5100

  • Fixed an issue with ARM hardware not completely halting when shut down (SG-3100 and SG-1000)

  • Fixed HDMI hotplug issues on Minnowboard Turbot hardware (MBT-2220 and MBT-4220)

  • Fixed SG-1000 autonegotiation for 10baseT speed and duplex #7532

User Management / Authentication

  • Added a visible warning to the user when the default password has not been changed #8596

  • Fixed configuration change descriptions for user management operations and added logging #8548

  • Fixed escaping of LDAP search parameters #8626

  • Fixed an OS issue with adding a group to a user when creating the user #8553

  • Fixed handling of LDAP bind credentials #8583

  • Removed some legacy code from auth.inc #8742

  • Fixed Group selections after an input error in the User Manager #8622

  • Fixed inconsistent usage of sshdkeyonly in system_advanced_admin.php #8403

  • Added SSH configuration option to require both Key and Username+Password authentication at the same time #8402

  • Replaced radius.inc with pear-Auth_RADIUS #7024

  • Fixed synchronization of User Manager group scope and operating system groups #7013

  • Fixed logging and display of GUI user authentication source IP address when the user logs in through a proxy #8813

  • Fixed logging and display of GUI user authentication sources to show what source authorized the login (e.g. LDAP, RADIUS, Local, Fallback) #8816

Captive Portal

  • Integrated Captive Portal authentication into the User Manager to enable support for LDAP #5112

  • Updated Captive Portal HTML/CSS to a modern design and added controls to customize images and ToS without uploading custom HTML #8793

  • Fixed deleting Allowed Hostnames and Allowed IP Addresses entries in Captive Portal when a zone is disabled #8530

  • Added support for setting Captive Portal traffic quotas #8202

  • Added display of a custom username when Captive Portal is set to None for the authentication type #8361

  • Changed handling of Called-Station-Id/Calling-Station-Id to send a MAC address instead of an IP address when using RADIUS authentication #4294

  • Changed to a standardized NAS-Identifier when using RADIUS authentication #3686

  • Corrected accounting updates not being sent when expected #8655

  • Fixed an issue with XMLRPC synchronization of Captive Portal settings #8806

WebGUI / Dashboard

  • Enabled HTTP/2 for the Web GUI server #8552

  • Updated the text and links in the HTML footer #8733

  • Fixed display of available swap with multiple swap disks in the System Information Dashboard widget #8587

  • Updated text in the Setup Wizard #8753

  • Moved the simplepie RSS reader code to a FreeBSD port for easier updates #6998

  • Fixed handling of the Inverse option in the Traffic Graphs Dashboard Widget #8367

  • Fixed issues with the GUI following upgrade progress #8519

  • Added a line to display the current GUI user viewing the Dashboard in the System Information Widget #8817

Firewall Rules / NAT / Shaping

  • Added CoDel, FQ-CoDel, PIE and FQ-PIE AQMs to limiters #6620

  • Fixed firewall ruleset errors related to VIPs and outbound rules #8518 #8408

  • Added validation for IPv6 NPt input #8575

  • Fixed a race condition in NAT reflection filter rules that could lead to a ruleset load failure #8604

  • Fixed viewing the list of Port Forwards when a user only has the “WebCfg - Firewall: NAT: Port Forward” privilege #8563

  • Fixed an issue with default field selection when editing Firewall Rules #8597

  • Added code to prevent nested alias loops #8101

  • Added interface groups support for NAT rules #1933

  • Fixed a case where invalid IPv6 NAT rules could be generated #8437

  • Fixed a case where IPv6 Neighbor Discovery and other similar valid messages sent from the unspecified address (::) were not allowed by default #8791

  • Added Select All functionality to firewall and NAT rules #8812

  • Fixed IPv6 address form field format tooltip #8834
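As an added example of the nested alias loop check listed above (not pfSense code): an alias that contains itself, directly or through intermediates, can never be fully expanded into pf tables, so the loop has to be caught before the ruleset is generated. The function below walks the alias reference graph and reports the first cycle it finds; the alias names and contents are constructed.

```python
"""Added example (not pfSense code): detect reference loops between nested
aliases before expansion, and refuse to expand an alias set that has one."""


def find_alias_loop(aliases):
    """Return the cycle as a list of names (e.g. ['a', 'b', 'a']) or None if acyclic.

    `aliases` maps alias name -> list of entries; an entry that is itself an
    alias name is a nested reference, anything else is a literal host/network.
    """
    WHITE, GREY, BLACK = 0, 1, 2       # unvisited / on current path / finished
    colour = {name: WHITE for name in aliases}
    path = []

    def visit(name):
        colour[name] = GREY
        path.append(name)
        for entry in aliases[name]:
            if entry not in aliases:       # literal address or network, not a reference
                continue
            if colour[entry] == GREY:      # back edge: entry is already on the path
                return path[path.index(entry):] + [entry]
            if colour[entry] == WHITE:
                cycle = visit(entry)
                if cycle:
                    return cycle
        path.pop()
        colour[name] = BLACK
        return None

    for name in aliases:
        if colour[name] == WHITE:
            cycle = visit(name)
            if cycle:
                return cycle
    return None


def expand_alias(aliases, name):
    """Flatten a nested alias to its sorted literal entries; raise on a loop."""
    loop = find_alias_loop(aliases)
    if loop:
        raise ValueError("alias loop: " + " -> ".join(loop))
    out = []
    for entry in aliases[name]:
        if entry in aliases:
            out.extend(expand_alias(aliases, entry))
        else:
            out.append(entry)
    return sorted(set(out))


if __name__ == "__main__":
    # Constructed aliases: MgmtHosts nests Admins, and Admins nests MgmtHosts again.
    bad = {
        "MgmtHosts": ["10.0.0.5", "Admins"],
        "Admins": ["192.168.1.10", "MgmtHosts"],
        "WebServers": ["203.0.113.0/24"],
    }
    good = {
        "MgmtHosts": ["10.0.0.5", "Admins"],
        "Admins": ["192.168.1.10"],
    }
    print(find_alias_loop(bad))                 # ['MgmtHosts', 'Admins', 'MgmtHosts']
    print(expand_alias(good, "MgmtHosts"))      # ['10.0.0.5', '192.168.1.10']
```

Reporting the path rather than a bare true/false lets the GUI tell the user which alias to fix; a self-reference comes back as a two-element path such as ['Self', 'Self'].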

Packages

  • Fixed situation where the firewall would get stuck attempting to reinstall packages after restoring a configuration when there is no Internet connection #7604

  • Added a new tag for package services, <starts_on_sync/>, to allow packages to declare that they start themselves during the sync process, which lets packages opt out of a (second) forced start at boot and during interface events #8850

    See also: #8620

Miscellaneous

  • Fixed display of stored Load Balancer custom settings #8704

  • Fixed handling of loader.conf and loader.conf.local so it will not remove customized options that override defaults #8571

  • Fixed the restoration process for a config.xml from USB during install so that RRD data is removed and does not remain in config.xml indefinitely #7634

  • Fixed handling of special characters in L2TP user passwords #7623

  • Fixed handling of sample bounds with custom timer periods on Status > Monitoring #6477

  • Changed the crash reporter so that users can download the reports locally rather than submitting to a server #8764

  • Added more redacted XML tags to status.php #8819

  • Changed status.php to use ifconfig -va to show more detail, including attached SFP devices with certain network interface drivers #8860