2.4.5-p1 New Features and Changes¶

pfSense® software version 2.4.5-p1 addresses performance, security, and other miscellaneous issues found in 2.4.5.

Warning

Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.

Tip

For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Note

Upgrading to pfSense software version 2.4.5-p1 requires pfSense-upgrade version 0.70 or later. Most installations will automatically pick up the new version and upgrade normally. If this does not happen automatically and the upgrade to version 2.4.5-p1 is not offered, use the following procedure:

Navigate to System > Updates
Set Branch to Previous stable version
Wait a few moments for the upgrade check to complete
Optional: Confirm that the latest version of pfSense-upgrade is present (version >= 0.70) using pkg-static info -x pfSense-upgrade.

If the correct version is not present, wait a bit longer and check again as that package may be updating in the background.
Set Branch to Latest stable version
Wait a few moments for the upgrade check to complete

At this point, the upgrade check should see 2.4.5-p1 and the upgrade can proceed.

Note

pfSense software version 2.4.5-p1 includes pkg version 1.13.x which introduces a new metadata version. Most installations will automatically pick up the new version and upgrade normally. In certain cases, especially coming from much older versions, the pkg utility may require a manual update before it can correctly process the new metadata.

The pkg utility can be upgraded manually with the following command run from an ssh or console shell:

# pkg-static bootstrap -f

See Repository Metadata Version Errors for more details.

Security / Errata¶

Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload events #10414
Fixed an issue with sshguard which could prevent it from protecting against brute force logins #10488
Updated unbound to address CVE-2020-12662 and CVE-2020-12663 #10576
Updated json-c to address CVE-2020-12762 #10609
Addressed FreeBSD Security Advisories & Errata Notices including:

Aliases / Tables¶

Fixed handling of URL/URL table aliases with IDN hostnames #10321

Authentication¶

Fixed handling of misconfigured groups which prevented the admin user from making configuration changes #10492
Fixed a potential temporary privilege downgrade when deleting an account #9259

Backup / Restore¶

Fixed handling of redundant/extraneous RRD tags when making configuration backups #10508

CARP¶

Fixed handling of IPv6 CARP VIPs with non-significant zeros during XMLRPC sync #6579

Certificates¶

Fixed a bug which prevented the user from removing a CA private key when editing #10509

Configuration Upgrade¶

Fixed a PHP error during upgrade from <2.4.3 with empty tags in the IPsec configuration #10458

DHCP (IPv6)¶

Added default value placeholders to some DHCPv6 RA configuration options #10448
Fixed DHCPv6 service Dynamic DNS errors #10346
Fixed rc.newwanipv6 being called for Request messages which dhcp6c should have discarded #9634
Added dashed DUID support to DHCPv6 static mappings #2568

DHCP Relay¶

Fixed DHCP Relay handling of scenarios where a target server may be on the same interface as some clients #10416
Excluded unsupported interface types from DHCP Relay #10341

DHCP Server¶

Fixed DHCPv6 static entries not being updated on external Dynamic DNS servers #10412
Fixed DHCPv6 domain-search list not being sent to clients #10200
Fixed DHCP Server not accepting IPv6 addresses for Dynamic DNS servers #6600

Diagnostics¶

Several improvements and items added to status.php diagnostic output #10455 #10424 #10423 #10350 #10349 #10568
Fixed Require State Filter setting on diag_states.php breaking filter rule link to associated states #10359

DNS Resolver¶

Fixed IPsec and OpenVPN IPv6 tunnel network/pool prefixes not being added to automatic DNS Resolver ACLs #10460
Fixed EDNS buffer size values to prepare for 2020 DNS flag day #10293
Fixed DNS Resolver handling of entries from DHCP server which contain a trailing dot in domain names #8054

Dynamic DNS¶

Fixed DigitalOcean Dynamic DNS client handling of IPv6 addresses #10390
Fixed DNSExit update URL #9632

Hardware / Drivers¶

Added support for iwm devices #7725

Note

This device only supports Station mode. It does not support acting as an access point.
Added ng_etf module to armv6 and aarch64 kernels #10463
Added QLogic 10G driver (qlxgb/qla80xx) #9891
Added virtio_console to the kernel #9985

IPsec¶

Fixed selection of IPsec VTI Phase 2 local network address/mask values #10418
Fixed saving IPsec connection breaking FRR BGP on VTI interfaces #10351
Updated DH group warnings to say that group 5 is also weak #10221
Fixed disabling IPsec Phase 1 with a VTI Phase 2 #10190
Fixed disabled IPsec Phase 2 entries being unintentionally included in vpn_networks table #7622

L2TP¶

Changed L2TP mpd.secret handling so that the server is not restarted after adding/modifying L2TP users #4866
Fixed handling of L2TP usernames containing a realm separator (@) #9828
Fixed Shared Secret handling in L2TP #10531 #10527

Limiters¶

Fixed input validation of limiters with ECN #10211
Fixed bogus extra warning dialog on when deleting limiters #9334

Notifications¶

Fixed SMTP notification SSL validation to respect the user-selected behavior #10317

NTPD¶

Added localhost to NTP Interface selection options #10348

OpenVPN¶

Fixed OpenVPN remote statement protocol handling #10368
Added option to configure OpenVPN username as common name behavior #8289

Operating System¶

Fixed handling of RAM disk sizes not accounting for existing disk usage when calculating available kernel memory, which could prevent saving #10420
Updated pkg to 1.13.x #10564
Fixed problems preventing the Netgate Coreboot Package from updating Coreboot properly #10573

Packages¶

Fixed handling of FreeRADIUS passwords containing non-XML-safe characters #4497
Fixed handling of Squid LDAP search filters containing an accent #7654
Fixed issues preventing FRR from working on certain platforms such as SG-1100 (arm64/aarch64) #10444
Fixed issues preventing Suricata from working on certain platforms such as SG-1100 (arm64/aarch64) #10228

Rules / NAT¶

Fixed Duplicate Outbound NAT entries from L2TP server addresses #10247
Fixed Outbound NAT rules for mobile IPsec users with per-user addresses defined #9320
Fixed IPv6 IP Alias VIPs not being added to Interface Network macros #8256
Fixed Destination port range “Any” in Port Forward rules #7704
Fixed display of interfaces on the Floating rules list #4629
Fixed rule description validation to reject \ #10542
Fixed setting NAT reflection timeout values #10591

Translations¶

Fixed language selection for Chinese (Taiwan) / HK Translations #10525

Services¶

Fixed is_process_running() handling of empty process, which could lead to an error when using the CLI to query the status of a service which does not exist #10540

Web Interface¶

Fixed dark theme auto-complete popup field having dark text on dark background #10499
Fixed using special characters in Schedule descriptions #10305
Fixed WebGUI main page loading very slowly when there is no Internet connectivity #8987