2.4.5 New Features and Changes¶
pfSense® software version 2.4.5 contains a variety of bug fixes and maintenance updates.
Warning
Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.
During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.
Tip
For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.
Operating System / Architecture changes¶
Base OS upgraded to FreeBSD 11.3-STABLE@r357046
PHP upgraded to 7.2.29
Security / Errata¶
Fixed dependency issues with
pfSense-upgrade
which may have caused it not to update itself properly #10303Tip
If the update check fails, or the update does not complete, run
pkg install -y pfSense-upgrade
to ensure thatpfSense-upgrade
is present.Added encoding to the hostname in
services_acb.php
#9584Added encoding to error output in
services_captiveportal_mac.php
#9609Added a
fsck
run with-z
forUFS
filesystems on upgrade to address FreeBSD-SA-19:10.ufs #9612Fixed format of XMLRPC auth error to match GUI auth error #9782
Added a custom CSRF Error page with warnings and confirmation prompts before resubmitting potentially harmful data #9799
Fixed Status_Monitoring
rrd_fetch_json.php
error encoding #9601Fixed encoding of the user full name on
system_usermanager_addprivs.php
#10324Fixed input validation and output encoding of host on
diag_ping.php
#10355Addressed FreeBSD Security Advisories & Errata Notices
Aliases/Tables¶
Authentication¶
Added exception handling to authentication attempts #9150
Backup/Restore¶
Added a special string (
NoReMoTeBaCkUp
) that when used inwrite_config()
descriptions will prevent a remote backup #9693Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy service) #9687 #9785
Added CDATA protection to the
encryption_password
XML tag, which allows international characters to be used in that field #7186Added CDATA escape to more auth-related fields #9327
Ensured that
kern.cam.boot_delay
is set for new installations and upgrades so that USB devices are properly initialized in time for configuration restore in the installer and ECL to function #9533
Captive Portal¶
Certificates¶
Added sorting and search/filtering to Certificate Authority & Certificate manager #9412
Corrected wording of CA/Cert CN input validation #9234
Fixed certificate Descriptive Name field behavior when adding a user certificate #9719
Added
clientAuth
EKU to Server type certificates #9868Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825
Dashboard¶
Added option to disable PTI display in System Information widget #9323
DHCP¶
Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448
Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists #9466
Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible #8443
Added an option to disable ping check in dhcpd #9285
Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133
Added search/filter to DHCP/DHCPv6 leases #9791
Improved DHCP client handling of timeout conditions and script failures #9267
Diagnostics¶
Fixed a PHP warning in diag_dump_states.php #9780
Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543
Fixed diag_system_activity.php to use batch mode for top so it displays process list w/o terminal, and increased amount of output displayed #9522
Added search/filter ARP table and NDP status #9791
DNS¶
Added
127.0.0.0/8
to the DNS Resolverprivate-address
list for DNS rebinding protection #9708Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586
Fixed an issue saving DNS over TLS hostnames on systems with only one gateway #9898
Fixed an issue where manually configured DNS servers may not have been active if “allow override” was disabled and they were also assigned dynamically #9963
Added DNS Resolver (Unbound) Python Integration #9251
Dynamic DNS¶
Fixed Dynamic DNS class constructor name #9779
Fixed errors in DNSimple Dynamic DNS #9580
Fixed handling of wildcard (
*
) hostname entries in Cloudflare Dynamic DNS #9361Added support for AAAA records to Digital Ocean Dynamic DNS #9280
Fixed issues with Digital Ocean Dynamic DNS handling of empty hostnames #9602
Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271
Added support for Linode Dynamic DNS #9268
Fixed issues with IPv6 on Azure Dynamic DNS #9248
Fixed handling of wildcards in Route53 Dynamic DNS #9053
Fixed handling of wildcards in Loopia Dynamic DNS #8014
Fixed CloudFlare Dynamic DNS processing when
proxied
is enabled #9362Fixed CloudFlare Dynamic DNS “Invalid TTL” error due to CloudFlare API update #10196
Changed hostname to optional for DNS-O-Matic Dynamic DNS #7601
Added support for Gandi LiveDNS Dynamic DNS #9452
Gateways¶
Corrected PHP errors when marking gateways down in certain edge cases #9851
Interfaces¶
Added more prefix delegation size entries to selection list on interfaces.php #9590
Added initialization to the VLAN array in console setup #9582
Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings #8051
Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741
Added a confirmation prompt to disconnect/release actions on status_interfaces.php #9911
Added drivers for Mellanox
mlx4
andmlx5
network interface cards #7537
IPsec¶
Fixed IPsec VTI interface creation logic #9781
Added GUI option for IPsec P2/Child SA close action #9767
Added IPsec DH and PFS groups 25, 26, and 27 #9757
Added 25519 curve-based IPsec DH and PFS group 31 #9531
Enabled NAT-T controls for IKEv2 #9695
Improved handling of IPsec restarts breaking VTI routing #9668
Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258
Fixed IPsec
keyid
identifier handling #9243Fixed IPsec VTI MTU boot-time configuration #9111
Escape Windows domain backslash in IPsec widget #9747
Fixed VTI IPv6 address handling #9801
Fixed Child SA button JS hide on status_ipsec.php, along with other cosmetic improvements #8847
Added Connect Children button to status_ipsec.php to connect when IKE (Phase 1) is up but Child SAs (Phase 2 entries) are not #9954
Fixed IPsec Phase 2 Remote Network field show/hide when changing between Phase 2 modes #9720
Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263
Fixed a PHP error in IPsec package plugin hook processing #10217
Load Balancer¶
Fixed a PHP when processing services when the configuration does not contain Load Balancer entries #10308
Logging¶
Moved
igmpproxy
logs torouting.log
#10139Moved
igmpproxy
verbose logging option toservices_igmpproxy.php
(formerly atstatus_logs_settings.php
) #10139Updated
sshguard
and fixed a log processing regression #9971Fixed PHP errors in filter log processing when entries contain an invalid port #10255
Monitoring¶
Notifications¶
NTPD¶
OpenVPN¶
Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756
Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748
Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595
Added an option to set the OpenVPN TLS Key Direction #9030
Added GUI options to configure OpenVPN keepalive parameters #3473
Fixed instances of hidden invalid OpenVPN options affecting save operations #9674
Added a copy action to OpenVPN pages #5851
Improved sorting of bytes sent/receives on OpenVPN status page #7359
Fixed visibility of the OpenVPN ‘interface’ option when multihome is selected #7840
Reduced the OpenVPN server certificate lifetime to 398 days in the wizard to prevent errors on Apple platforms #9825
Added input validation to prevent OpenVPN tunnel network reuse #3244
Added Exit Notify to OpenVPN servers/client options #9078
Operating System¶
Fixed serial console terminal size issues #9569
Added the
strings
binary to base builds for troubleshooting #7791Changed UFS filesystem defaults to
noatime
on new installations #9483Fixed an issue where the IP header checksum was incorrect when reassembling packet fragments to a link with a different MTU #10189
Packet Capture¶
Changed Packet Capture GUI to allow multiple TCP/UDP ports to be specified #9766
Added start time to Packet Capture display #9831
Added OSPF/OSPFv3 to Packet Capture protocols #9905
Fixed Packet Capture to match both IPv4+IPv6 CARP when that protocol is selected #9867
Fixed Packet Capture for the
pfsync
protocol #10183
Routing¶
Rules / NAT¶
Fixed state kill ordering in rc.newwanip #4674
Added the ability to search firewall logs by tracking ID #8703
Added GUI option to disable default blocking of APIPA networks #9966
Added more common ports to the firewall rule drop-down list #10166
Added input validation to prevent selecting
!*
(“not any”) in source or destination #10168Fixed invalid rules generated when using NAT reflection with a negated destination #10246
S.M.A.R.T.¶
Updated the SMART page with new capabilities #9367
SNMP¶
Fixed SNMP sysDescr contents to include hostname and patch version #9218
Traffic Shaping / Limiters¶
Translations¶
Upgrade / Installation¶
UPnP¶
Fixed display of active UPnP sessions when configured with an alternate external address #9961
User Manager / Privileges¶
Added input validation to prevent changing the authentication server name #9692
Added privilege to manage integrated switches #9620
Fixed privilege matching to handle JS anchor links #9550
Removed wildcards incorrectly used in
isAllowedPage()
#9541This issue could prevent a user in the admins group from reaching certain pages such as the User Manager.
Improved Deny Config Write privilege handling in the User & Group Manager #9259
Fixed input validation of group name sizes to allow longer remote groups #3792
Fixed handling of L2TP and PPPoE user passwords containing invalid characters #10275
Web Interface¶
Corrected input validation for firewall rule VLAN priority/set #9763
Restricted Thoth tests to arm64 in status.php NG 2569
Added kernel memory usage to status.php output #9705
Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694 #9736 #9764
Fixed a potential source of PHP errors when saving per-log settings #9540
Added GUI components for MDS mitigation #9532
Fixed integrated switch LAGG member editing on switch_ports.php #9447
Fixed wizard.php selection option size attribute handling #8907
Fixed platform detection for certain C2558/C2758 systems #6846
Set
autocomplete=new-password
for forms containing authentication fields to help prevent browser auto-fill from completing irrelevant fields #9864Fixed processing of shortcuts for XML-based packages #9770
Updated jQuery #9407
Improved consistency of SSL/TLS references throughout the GUI #10172
Updated various help references and links to use the pfSense book instead of external resources #10135 #10184