2.4.5 New Features and Changes

pfSense® software version 2.4.5 contains a variety of bug fixes and maintenance updates.

Tip

For those who have not yet updated to 2.4.4-p3 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Operating System / Architecture changes

  • Base OS upgraded to FreeBSD 11-STABLE (exact contents TBD)

Security / Errata

Aliases/Tables

  • Fixed an issue when resolving FQDN entries in aliases where some entries could be missing #9296

Authentication

  • Added exception handling to authentication attempts #9150

Backup/Restore

  • Added a special string (NoReMoTeBaCkUp) that when used in write_config() descriptions will prevent a remote backup #9693

  • Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy service) #9687 #9785

  • Added CDATA protection to the encryption_password XML tag, which allows international characters to be used in that field #7186

  • Added CDATA escape to more auth-related fields #9327

Captive Portal

  • Fixed Captive Portal vouchers shortcut links #9722

  • Changed Captive Portal redirect page selection order #9819

Certificates

  • Added sorting and search/filtering to Certificate Authority & Certificate manager #9412

  • Corrected wording of CA/Cert CN input validation #9234

  • Fixed certificate Descriptive Name field behavior when adding a user certificate #9719

  • Added clientAuth EKU to Server type certificates #9868

  • Reduced the default GUI web server certificate lifetime to 825 days to prevent errors on Apple platforms #9825

Dashboard

  • Added option to disable PTI display in System Information widget #9323

DHCP

  • Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448

  • Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists #9466

  • Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible #8443

  • Added an option to disable ping check in dhcpd #9285

  • Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133

  • Added search/filter to DHCP/DHCPv6 leases #9791

Diagnostics

  • Fixed a PHP warning in diag_dump_states.php #9780

  • Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543

  • Fixed diag_system_activity.php to use batch mode for top so it displays the process list without a terminal, and increased the amount of output displayed #9522

  • Added search/filter to the ARP table and NDP status #9791

DNS

  • Added 127.0.0.0/8 to the DNS Resolver private-address list for DNS rebinding protection #9708

  • Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586

  • Fixed an issue saving DNS over TLS hostnames on systems with only one gateway #9898

Dynamic DNS

  • Fixed Dynamic DNS class constructor name #9779

  • Fixed errors in DNSimple Dynamic DNS #9580

  • Fixed handling of wildcard (*) hostname entries in Cloudflare Dynamic DNS #9361

  • Added support for AAAA records to DigitalOcean Dynamic DNS #9280

  • Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271

  • Added support for Linode Dynamic DNS #9268

  • Fixed issues with IPv6 on Azure Dynamic DNS #9248

  • Fixed handling of wildcards in Route53 Dynamic DNS #9053

  • Fixed handling of wildcards in Loopia Dynamic DNS #8014

  • Fixed Cloudflare Dynamic DNS processing when proxied is enabled #9362

  • Changed hostname to optional for DNS-O-Matic Dynamic DNS #7601

Gateways

  • Corrected PHP errors when marking gateways down in certain edge cases #9851

Interfaces

  • Added more prefix delegation size entries to selection list on interfaces.php #9590

  • Added initialization to the VLAN array in console setup #9582

  • Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings #8051

  • Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741

  • Added a confirmation prompt to disconnect/release actions on status_interfaces.php #9911

  • Added drivers for Mellanox mlx4 and mlx5 network interface cards #7537

IPsec

  • Fixed IPsec VTI interface creation logic #9781

  • Added GUI option for IPsec P2/Child SA close action #9767

  • Added IPsec DH and PFS groups 25, 26, and 27 #9757

  • Added 25519 curve-based IPsec DH and PFS group 31 #9531

  • Enabled NAT-T controls for IKEv2 #9695

  • Improved handling of IPsec restarts breaking VTI routing #9668

  • Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258

  • Fixed IPsec keyid identifier handling #9243

  • Fixed IPsec VTI MTU boot-time configuration #9111

  • Escaped Windows domain backslash in IPsec widget #9747

  • Fixed VTI IPv6 address handling #9801

  • Fixed Child SA button JS hide on status_ipsec.php, along with other cosmetic improvements #8847

  • Added Connect Children button to status_ipsec.php to connect when IKE (Phase 1) is up but Child SAs (Phase 2 entries) are not #9954

Monitoring

  • Fixed custom view titles being forced to lower case #9681

Notifications

  • Fixed SMTP notification password being unintentionally changed when testing SMTP settings #9684

  • Reduced frequency of GEOM rebuild notifications #9256

NTPD

  • Added validation to ensure NTP values are treated as numbers before use #9558

  • Changed the default NTP pool server to 2.<domain> so that it can use IPv6 #9931

OpenVPN

  • Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756

  • Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748

  • Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595

  • Added an option to set the OpenVPN TLS Key Direction #9030

  • Added GUI options to configure OpenVPN keepalive parameters #3473

  • Fixed instances of hidden invalid OpenVPN options affecting save operations #9674

  • Added a copy action to OpenVPN pages #5851

  • Improved sorting of bytes sent/received on OpenVPN status page #7359

  • Fixed visibility of the OpenVPN ‘interface’ option when multihome is selected #7840

  • Reduced the OpenVPN server certificate lifetime to 825 days in the wizard to prevent errors on Apple platforms #9825

Operating System

  • Fixed serial console terminal size issues #9569

  • Added the strings binary to base builds for troubleshooting #7791

Packet Capture

  • Fixed Packet Capture to match both IPv4+IPv6 CARP when that protocol is selected #9867

Routing

  • Fixed (Default) designation on routes to match the default route in the OS #9292

Rules / NAT

  • Fixed state kill ordering in rc.newwanip #4674

S.M.A.R.T.

  • Updated the SMART page with new capabilities #9367

SNMP

  • Fixed SNMP sysDescr contents to include hostname and patch version #9218

Traffic Shaping / Limiters

  • Added input validation for Limiter delay values #9921

Translations

  • Fixed an issue with international characters in configuration descriptions, which led to failures in certain cases, such as failing to set Manual Outbound NAT when the Language was set to pt_BR #6195

Upgrade / Installation

  • Revised update check to provide a more consistent version string in JSON format #9778

  • Disabled serial console on VGA memstick images #9488

  • Fixed a PHP error when upgrading older configurations from revision 14.4 to 14.5 #9840

User Manager / Privileges

  • Added input validation to prevent changing the authentication server name #9692

  • Added privilege to manage integrated switches #9620

  • Fixed privilege matching to handle JS anchor links #9550

  • Removed wildcards incorrectly used in isAllowedPage() #9541

  • Improved Deny Config Write privilege handling in the User & Group Manager #9259

  • Fixed input validation of group name sizes to allow longer remote groups #3792

Web Interface

  • Corrected input validation for firewall rule VLAN priority/set #9763

  • Restricted Thoth tests to arm64 in status.php NG 2569

  • Added kernel memory usage to status.php output #9705

  • Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694 #9736 #9764

  • Fixed a potential source of PHP errors when saving per-log settings #9540

  • Added GUI components for MDS mitigation #9532

  • Fixed integrated switch LAGG member editing on switch_ports.php #9447

  • Fixed wizard.php selection option size attribute handling #8907

  • Fixed platform detection for certain C2558/C2758 systems #6846

  • Set autocomplete=new-password for forms containing authentication fields to help prevent browser auto-fill from completing irrelevant fields #9864

  • Fixed processing of shortcuts for XML-based packages #9770