2.4.5 New Features and Changes

pfSense® software version 2.4.5 contains a variety of bug fixes and maintenance updates.


Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.


For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Operating System / Architecture changes

Security / Errata


  • Fixed an issue when resolving FQDN entries in aliases where some entries could be missing #9296

  • Improved URL Table aliases to support FQDNs which return muliple entries #8531

  • Added a function to download the contents of an individual alias #9816


  • Added exception handling to authentication attempts #9150


  • Added a special string (NoReMoTeBaCkUp) that when used in write_config() descriptions will prevent a remote backup #9693

  • Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy service) #9687 #9785

  • Added CDATA protection to the encryption_password XML tag, which allows international characters to be used in that field #7186

  • Added CDATA escape to more auth-related fields #9327

  • Ensured that kern.cam.boot_delay is set for new installations and upgrades so that USB devices are properly initialized in time for configuration restore in the installer and ECL to function #9533

Captive Portal

  • Fixed Captive Portal vouchers shortcut links #9722

  • Changed Captive Portal redirect page selection order #9819

  • Fixed a rare and intermittent issue where users could encounter an nginx error when restarting Captive Portal instances #10159


  • Added sorting and search/filtering to Certificate Authority & Certificate manager #9412

  • Corrected wording of CA/Cert CN input validation #9234

  • Fixed certificate Descriptive Name field behavior when adding a user certificate #9719

  • Added clientAuth EKU to Server type certificates #9868

  • Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825


  • Added option to disable PTI display in System Information widget #9323


  • Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448

  • Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists #9466

  • Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible #8443

  • Added an option to disable ping check in dhcpd #9285

  • Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133

  • Added search/filter to DHCP/DHCPv6 leases #9791

  • Improved DHCP client handling of timeout conditions and script failures #9267


  • Fixed a PHP warning in diag_dump_states.php #9780

  • Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543

  • Fixed diag_system_activity.php to use batch mode for top so it displays process list w/o terminal, and increased amount of output displayed #9522

  • Added search/filter ARP table and NDP status #9791


  • Added to the DNS Resolver private-address list for DNS rebinding protection #9708

  • Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586

  • Fixed an issue saving DNS over TLS hostnames on systems with only one gateway #9898

  • Fixed an issue where manually configured DNS servers may not have been active if “allow override” was disabled and they were also assigned dynamically #9963

  • Added DNS Resolver (Unbound) Python Integration #9251

Dynamic DNS

  • Fixed Dynamic DNS class constructor name #9779

  • Fixed errors in DNSimple Dynamic DNS #9580

  • Fixed handling of wildcard (*) hostname entries in Cloudflare Dynamic DNS #9361

  • Added support for AAAA records to Digital Ocean Dynamic DNS #9280

  • Fixed issues with Digital Ocean Dynamic DNS handling of empty hostnames #9602

  • Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271

  • Added support for Linode Dynamic DNS #9268

  • Fixed issues with IPv6 on Azure Dynamic DNS #9248

  • Fixed handling of wildcards in Route53 Dynamic DNS #9053

  • Fixed handling of wildcards in Loopia Dynamic DNS #8014

  • Fixed CloudFlare Dynamic DNS processing when proxied is enabled #9362

  • Fixed CloudFlare Dynamic DNS “Invalid TTL” error due to CloudFlare API update #10196

  • Changed hostname to optional for DNS-O-Matic Dynamic DNS #7601

  • Added support for Gandi LiveDNS Dynamic DNS #9452


  • Corrected PHP errors when marking gateways down in certain edge cases #9851


  • Added more prefix delegation size entries to selection list on interfaces.php #9590

  • Added initialization to the VLAN array in console setup #9582

  • Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings #8051

  • Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741

  • Added a confirmation prompt to disconnect/release actions on status_interfaces.php #9911

  • Added drivers for Mellanox mlx4 and mlx5 network interface cards #7537


  • Fixed IPsec VTI interface creation logic #9781

  • Added GUI option for IPsec P2/Child SA close action #9767

  • Added IPsec DH and PFS groups 25, 26, and 27 #9757

  • Added 25519 curve-based IPsec DH and PFS group 31 #9531

  • Enabled NAT-T controls for IKEv2 #9695

  • Improved handling of IPsec restarts breaking VTI routing #9668

  • Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258

  • Fixed IPsec keyid identifier handling #9243

  • Fixed IPsec VTI MTU boot-time configuration #9111

  • Escape Windows domain backslash in IPsec widget #9747

  • Fixed VTI IPv6 address handling #9801

  • Fixed Child SA button JS hide on status_ipsec.php, along with other cosmetic improvements #8847

  • Added Connect Children button to status_ipsec.php to connect when IKE (Phase 1) is up but Child SAs (Phase 2 entries) are not #9954

  • Fixed IPsec Phase 2 Remote Network field show/hide when changing between Phase 2 modes #9720

  • Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263

  • Fixed a PHP error in IPsec package plugin hook processing #10217

Load Balancer

  • Fixed a PHP when processing services when the configuration does not contain Load Balancer entries #10308


  • Moved igmpproxy logs to routing.log #10139

  • Moved igmpproxy verbose logging option to services_igmpproxy.php (formerly at status_logs_settings.php) #10139

  • Updated sshguard and fixed a log processing regression #9971

  • Fixed PHP errors in filter log processing when entries contain an invalid port #10255


  • Fixed custom view titles being forced to lower case #9681

  • Fixed packet graph scaling #9807

  • Fixed a PHP error in RRD processing of ALTQ data #10248


  • Fixed SMTP notification password being unintentionally changed when testing SMTP settings #9684

  • Reduced frequency of GEOM rebuild notifications #9256


  • Added validation to ensure NTP values are treated as numbers before use #9558

  • Changed the default NTP pool server to 2.<domain> so that it can use IPv6 #9931

  • Improved handling of errors on the NTP status page to work/fail gracefully with custom ACLs for localhost in place #9829


  • Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756

  • Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748

  • Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595

  • Added an option to set the OpenVPN TLS Key Direction #9030

  • Added GUI options to configure OpenVPN keepalive parameters #3473

  • Fixed instances of hidden invalid OpenVPN options affecting save operations #9674

  • Added a copy action to OpenVPN pages #5851

  • Improved sorting of bytes sent/receives on OpenVPN status page #7359

  • Fixed visibility of the OpenVPN ‘interface’ option when multihome is selected #7840

  • Reduced the OpenVPN server certificate lifetime to 398 days in the wizard to prevent errors on Apple platforms #9825

  • Added input validation to prevent OpenVPN tunnel network reuse #3244

  • Added Exit Notify to OpenVPN servers/client options #9078

Operating System

  • Fixed serial console terminal size issues #9569

  • Added the strings binary to base builds for troubleshooting #7791

  • Changed UFS filesystem defaults to noatime on new installations #9483

  • Fixed an issue where the IP header checksum was incorrect when reassembling packet fragments to a link with a different MTU #10189

Packet Capture

  • Changed Packet Capture GUI to allow multiple TCP/UDP ports to be specified #9766

  • Added start time to Packet Capture display #9831

  • Added OSPF/OSPFv3 to Packet Capture protocols #9905

  • Fixed Packet Capture to match both IPv4+IPv6 CARP when that protocol is selected #9867

  • Fixed Packet Capture for the pfsync protocol #10183


  • Fixed (Default) designation on routes to match the default route in the OS #9292

  • Fixed static routes remaining in routing table after removal #9969

Rules / NAT

  • Fixed state kill ordering in rc.newwanip #4674

  • Added the ability to search firewall logs by tracking ID #8703

  • Added GUI option to disable default blocking of APIPA networks #9966

  • Added more common ports to the firewall rule drop-down list #10166

  • Added input validation to prevent selecting !* (“not any”) in source or destination #10168

  • Fixed invalid rules generated when using NAT reflection with a negated destination #10246


  • Updated the SMART page with new capabilities #9367


  • Fixed SNMP sysDescr contents to include hostname and patch version #9218

Traffic Shaping / Limiters

  • Added input validation for Limiter delay values #9921

  • Fixed the queue statistics parser to handle large values #9938


  • Fixed an issue with international characters in configuration descriptions, which led to failures in certain cases, such as failing to set Manual Outbound NAT when the Language was set to pt_BR #6195

  • Fixed a PHP error on system_advanced_admin.php when the language was set to French #10331

Upgrade / Installation

  • Revised update check to provide a more consistent version string in JSON format #9778

  • Disabled serial console on VGA memstick images #9488

  • Fixed a PHP error when upgrading older configurations from revision 14.4 to 14.5 #9840


  • Fixed display of active UPnP sessions when configured with an alternate external address #9961

User Manager / Privileges

  • Added input validation to prevent changing the authentication server name #9692

  • Added privilege to manage integrated switches #9620

  • Fixed privilege matching to handle JS anchor links #9550

  • Removed wildcards incorrectly used in isAllowedPage() #9541

    • This issue could prevent a user in the admins group from reaching certain pages such as the User Manager.

  • Improved Deny Config Write privilege handling in the User & Group Manager #9259

  • Fixed input validation of group name sizes to allow longer remote groups #3792

  • Fixed handling of L2TP and PPPoE user passwords containing invalid characters #10275

Web Interface

  • Corrected input validation for firewall rule VLAN priority/set #9763

  • Restricted Thoth tests to arm64 in status.php NG 2569

  • Added kernel memory usage to status.php output #9705

  • Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694 #9736 #9764

  • Fixed a potential source of PHP errors when saving per-log settings #9540

  • Added GUI components for MDS mitigation #9532

  • Fixed integrated switch LAGG member editing on switch_ports.php #9447

  • Fixed wizard.php selection option size attribute handling #8907

  • Fixed platform detection for certain C2558/C2758 systems #6846

  • Set autocomplete=new-password for forms containing authentication fields to help prevent browser auto-fill from completing irrelevant fields #9864

  • Fixed processing of shortcuts for XML-based packages #9770

  • Updated jQuery #9407

  • Improved consistency of SSL/TLS references throughout the GUI #10172

  • Updated various help references and links to use the pfSense book instead of external resources #10135 #10184


  • Fixed removal of the last ALTQ traffic shaping entry from the target system when performing an XMLRPC sync #9469

  • Fixed removal of the last limiter entry from the target system when performing an XMLRPC sync #9468