Netgate is offering COVID-19 aid for pfSense software users, learn more.

2.4.5-p1 New Features and Changes

pfSense® software version 2.4.5-p1 addresses performance, security, and other miscellaneous issues found in 2.4.5.


Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.


For those who have not yet updated to 2.4.4-p3 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Security / Errata

  • Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload events #10414

  • Fixed an issue with sshguard which could prevent it from protecting against brute force logins #10488

Aliases / Tables

  • Fixed handling of URL/URL table aliases with IDN hostnames #10321


  • Fixed handling of misconfigured groups which prevented the admin user from making configuration changes #10492

Backup / Restore

  • Fixed handling of redundant/extraneous RRD tags when making configuration backups #10508


  • Fixed handling of IPv6 CARP VIPs with non-significant zeros during XMLRPC sync #6579


  • Fixed a bug which prevented the user from removing a CA private key when editing #10509

Configuration Upgrade

  • Fixed a PHP error during upgrade from <2.4.3 with empty tags in the IPsec configuration #10458

Console Menu

  • Changed the naming convention of gateways created at the console to be the same as those created in the GUI #10264


  • Added default value placeholders to some DHCPv6 RA configuration options #10448

  • Fixed DHCPv6 service Dynamic DNS errors #10346

  • Fixed rc.newwanipv6 being called for Request messages which dhcp6c should have discarded #9634

  • Added dashed DUID support to DHCPv6 static mappings #2568

DHCP Relay

  • Fixed DHCP Relay handling of scenarios where a target server may be on the same interface as some clients #10416

  • Excluded unsupported interface types from DHCP Relay #10341

DHCP Server

  • Fixed DHCPv6 static entries not being updated on external Dynamic DNS servers #10412

  • Fixed DHCPv6 domain-search list not being sent to clients #10200

  • Fixed DHCP Server not accepting IPv6 addresses for Dynamic DNS servers #6600


  • Several improvements and items added to status.php diagnostic output #10455 #10424 #10423 #10350 #10349

  • Fixed Require State Filter setting on diag_states.php breaking filter rule link to associated states #10359

DNS Resolver

  • Fixed IPsec and OpenVPN IPv6 tunnel network/pool prefixes not being added to automatic DNS Resolver ACLs #10460

  • Fixed EDNS buffer size values to prepare for 2020 DNS flag day #10293

  • Fixed DNS Resolver handling of entries from DHCP server which contain a trailing dot in domain names #8054

Dynamic DNS

  • Fixed DigitalOcean Dynamic DNS client handling of IPv6 addresses #10390

Hardware / Drivers

  • Added support for iwm devices #7725


    This device only supports Station mode. It does not support acting as an access point.


  • Fixed selection of IPsec VTI Phase 2 local network address/mask values #10418

  • Fixed saving IPsec connection breaking FRR BGP on VTI interfaces #10351

  • Updated DH group warnings to say that group 5 is also weak #10221

  • Fixed disabling IPsec Phase 1 with a VTI Phase 2 #10190

  • Fixed disabled IPsec Phase 2 entries being unintentionally included in vpn_networks table #7622


  • Changed L2TP mpd.secret handling so that the server is not restarted after adding/modifying L2TP users #4866

  • Fixed handling of L2TP usernames containing a realm separator (@) #9828


  • Fixed input validation of limiters with ECN #10211

  • Fixed bogus extra warning dialog on when deleting limiters #9334


  • Fixed SMTP notification SSL validation to respect the user-selected behavior #10317


  • Added localhost to NTP Interface selection options #10348


  • Fixed OpenVPN remote statement protocol handling #10368

  • Added option to configure OpenVPN username as common name behavior #8289

Operating System

  • Added ng_etf module to armv6 and aarch64 kernels #10463

  • Fixed handling of RAM disk sizes not accounting for existing disk usage when calculating available kernel memory, which could prevent saving #10420


  • Fixed handling of FreeRADIUS passwords containing non-XML-safe characters #4497

  • Fixed handling of Squid LDAP search filters containing an accent #7654

Rules / NAT

  • Fixed Duplicate Outbound NAT entries from L2TP server addresses #10247

  • Fixed Outbound NAT rules for mobile IPsec users with per-user addresses defined #9320

  • Fixed IPv6 IP Alias VIPs not being added to Interface Network macros #8256

  • Fixed Destination port range “Any” in Port Forward rules #7704

  • Fixed display of interfaces on the Floating rules list #4629


  • Fixed language selection for Chinese (Taiwan) / HK Translations #10525

Web Interface

  • Fixed dark theme auto-complete popup field having dark text on dark background #10499

  • Fixed using special characters in Schedule descriptions #10305

  • Fixed WebGUI main page loading very slowly when there is no Internet connectivity #8987