2.4.5-p1 New Features and Changes

pfSense® software version 2.4.5-p1 addresses performance, security, and other miscellaneous issues found in 2.4.5.


Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.


For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.


Upgrading to pfSense software version 2.4.5-p1 requires pfSense-upgrade version 0.70 or later. Most installations will automatically pick up the new version and upgrade normally. If this does not happen automatically and the upgrade to version 2.4.5-p1 is not offered, use the following procedure:

  • Navigate to System > Updates

  • Set Branch to Previous stable version

  • Wait a few moments for the upgrade check to complete

  • Optional: Confirm that the latest version of pfSense-upgrade is present (version >= 0.70) using pkg-static info -x pfSense-upgrade.

    If the correct version is not present, wait a bit longer and check again as that package may be updating in the background.

  • Set Branch to Latest stable version

  • Wait a few moments for the upgrade check to complete

At this point, the upgrade check should see 2.4.5-p1 and the upgrade can proceed.


pfSense software version 2.4.5-p1 includes pkg version 1.13.x which introduces a new metadata version. Most installations will automatically pick up the new version and upgrade normally. In certain cases, especially coming from much older versions, the pkg utility may require a manual update before it can correctly process the new metadata.

The pkg utility can be upgraded manually with the following command run from an ssh or console shell:

# pkg-static bootstrap -f

See Repository Metadata Version Errors for more details.

Security / Errata

Aliases / Tables

  • Fixed handling of URL/URL table aliases with IDN hostnames #10321


  • Fixed handling of misconfigured groups which prevented the admin user from making configuration changes #10492

  • Fixed a potential temporary privilege downgrade when deleting an account #9259

Backup / Restore

  • Fixed handling of redundant/extraneous RRD tags when making configuration backups #10508


  • Fixed handling of IPv6 CARP VIPs with non-significant zeros during XMLRPC sync #6579


  • Fixed a bug which prevented the user from removing a CA private key when editing #10509

Configuration Upgrade

  • Fixed a PHP error during upgrade from <2.4.3 with empty tags in the IPsec configuration #10458

Console Menu

  • Changed the naming convention of gateways created at the console to be the same as those created in the GUI #10264


  • Added default value placeholders to some DHCPv6 RA configuration options #10448

  • Fixed DHCPv6 service Dynamic DNS errors #10346

  • Fixed rc.newwanipv6 being called for Request messages which dhcp6c should have discarded #9634

  • Added dashed DUID support to DHCPv6 static mappings #2568

DHCP Relay

  • Fixed DHCP Relay handling of scenarios where a target server may be on the same interface as some clients #10416

  • Excluded unsupported interface types from DHCP Relay #10341

DHCP Server

  • Fixed DHCPv6 static entries not being updated on external Dynamic DNS servers #10412

  • Fixed DHCPv6 domain-search list not being sent to clients #10200

  • Fixed DHCP Server not accepting IPv6 addresses for Dynamic DNS servers #6600


  • Several improvements and items added to status.php diagnostic output #10455 #10424 #10423 #10350 #10349 #10568

  • Fixed Require State Filter setting on diag_states.php breaking filter rule link to associated states #10359

DNS Resolver

  • Fixed IPsec and OpenVPN IPv6 tunnel network/pool prefixes not being added to automatic DNS Resolver ACLs #10460

  • Fixed EDNS buffer size values to prepare for 2020 DNS flag day #10293

  • Fixed DNS Resolver handling of entries from DHCP server which contain a trailing dot in domain names #8054

Dynamic DNS

  • Fixed DigitalOcean Dynamic DNS client handling of IPv6 addresses #10390

  • Fixed DNSExit update URL #9632

Hardware / Drivers

  • Added support for iwm devices #7725


    This device only supports Station mode. It does not support acting as an access point.

  • Added ng_etf module to armv6 and aarch64 kernels #10463

  • Added QLogic 10G driver (qlxgb/qla80xx) #9891

  • Added virtio_console to the kernel #9985


  • Fixed selection of IPsec VTI Phase 2 local network address/mask values #10418

  • Fixed saving IPsec connection breaking FRR BGP on VTI interfaces #10351

  • Updated DH group warnings to say that group 5 is also weak #10221

  • Fixed disabling IPsec Phase 1 with a VTI Phase 2 #10190

  • Fixed disabled IPsec Phase 2 entries being unintentionally included in vpn_networks table #7622


  • Changed L2TP mpd.secret handling so that the server is not restarted after adding/modifying L2TP users #4866

  • Fixed handling of L2TP usernames containing a realm separator (@) #9828

  • Fixed Shared Secret handling in L2TP #10531 #10527


  • Fixed input validation of limiters with ECN #10211

  • Fixed bogus extra warning dialog on when deleting limiters #9334


  • Fixed SMTP notification SSL validation to respect the user-selected behavior #10317


  • Added localhost to NTP Interface selection options #10348


  • Fixed OpenVPN remote statement protocol handling #10368

  • Added option to configure OpenVPN username as common name behavior #8289

Operating System

  • Fixed handling of RAM disk sizes not accounting for existing disk usage when calculating available kernel memory, which could prevent saving #10420

  • Updated pkg to 1.13.x #10564

  • Fixed problems preventing the Netgate Coreboot Package from updating Coreboot properly #10573


  • Fixed handling of FreeRADIUS passwords containing non-XML-safe characters #4497

  • Fixed handling of Squid LDAP search filters containing an accent #7654

  • Fixed issues preventing FRR from working on certain platforms such as SG-1100 (arm64/aarch64) #10444

  • Fixed issues preventing Suricata from working on certain platforms such as SG-1100 (arm64/aarch64) #10228

Rules / NAT

  • Fixed Duplicate Outbound NAT entries from L2TP server addresses #10247

  • Fixed Outbound NAT rules for mobile IPsec users with per-user addresses defined #9320

  • Fixed IPv6 IP Alias VIPs not being added to Interface Network macros #8256

  • Fixed Destination port range “Any” in Port Forward rules #7704

  • Fixed display of interfaces on the Floating rules list #4629

  • Fixed rule description validation to reject \ #10542

  • Fixed setting NAT reflection timeout values #10591


  • Fixed language selection for Chinese (Taiwan) / HK Translations #10525


  • Fixed is_process_running() handling of empty process, which could lead to an error when using the CLI to query the status of a service which does not exist #10540

Web Interface

  • Fixed dark theme auto-complete popup field having dark text on dark background #10499

  • Fixed using special characters in Schedule descriptions #10305

  • Fixed WebGUI main page loading very slowly when there is no Internet connectivity #8987