2.5.0 New Features and Changes¶
pfSense® software version 2.5.0 brings a major OS version upgrade, OpenSSL upgrades, PHP and Python upgrades, and numerous bug fixes.
Warning
The original plan was to include a RESTCONF API in pfSense version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense version 2.5.0 WILL NOT require AES-NI.
Tip
For those who have not yet updated to 2.4.4-p3 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.
Operating System / Architecture changes¶
Security / Errata¶
Deprecated the built-in relayd Load Balancer #9386
relayd
does not function with OpenSSL 1.1.xThe
relayd
FreeBSD port has been changed to require libressl – There is no apparent sign of work to make it compatible with OpenSSL 1.1.xThe HAProxy package may be used in its place; It is a much more robust and more feature-complete load balancer and reverse proxy
For more information on implementing HAProxy, see HAProxy package and the Hangout
Warning
See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.
Known Issues¶
During development of pfSense version 2.5.0, there is a significant chance that packages will be unstable until closer to the release. Most of this is due to OpenSSL changes. This will stabilize as development progresses.
Aliases/Tables¶
Authentication¶
Backup/Restore¶
Captive Portal¶
Changed Captive Portal vouchers to use
phpseclib
so it can generate keys natively in PHP, and to work around OpenSSL deprecating key sizes needed for vouchers #9443Added
trim()
to the submitted username, so that spaces before/after in input do not cause authentication errors #9274Optimized Captive Portal authentication attempts when using multiple authentication servers #9255
Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the server #9208
Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal settings #8616
Added an option so that Captive Portals may choose to remove or retain logins across reboot #5644
Certificates¶
Fixed OCSP stapling detection for OpenSSL 1.1.x #9408
Fixed GUI detection of revoked status for certificates issued and revoked by an intermediate CA #9924
Added an option to globally trust local CA manager entries #4068
Added support for randomized certificate serial numbers when creating or signing certificates with local internal CAs #9883
Added support for importing ECDSA keys in certificates and when completing signing requests #9745
Added support for creating and signing certificates using ECDSA keys #9843
Added detailed certificate information block to the CA list, using code shared with the Certificate list #9856
Added Certificate Lifetime to certificate information block #7332
Added CA validity checks when attempting to pre-fill certificate fields from a CA #3956
Added a daily certificate expiration check and notice, with settings to control its behavior and notifications (Default: 28 days) #7332
Added CA/Certificate renewal functionality #9842
This allows a CA or certificate to be renewed using its current settings (or a more secure profile), replacing the entry with a fresh one, and optionally retaining the existing key.
- Improved default GUI certificate strength and handling of weak values #9825
Reduced the default GUI web server certificate lifetime to 825 days to prevent errors on Apple platforms #9825
Added notes on CA/Cert pages about using potentially insecure parameter choices
Added visible warnings on CA/Cert pages if parameters are known to be insecure or not recommended
- Revamped CRL management to be easier to use and more capable
- Optimized CA/Cert/CRL code in various ways, including:
Actions are now performed by
refid
rather than array index, which is more accurate and not as prone to being affected by parallel changesImproved configuration change descriptions as shown in the GUI and configuration history/backups
Miscellaneous style and code re-use improvements
Changed CA/Cert date calculations to use a more accurate method, which ensures accuracy on ARM past the 2038 date barrier #9899
DHCP¶
Diagnostics¶
DNS¶
Dynamic DNS¶
Interfaces¶
Fixed issues with PPPoE over a VLAN failing to reconnect #9148
Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag #9548
Added a PHP shell playback script
restartallwan
which restarts all WAN-type interfaces #9688Added drivers for Mellanox
mlx4
andmlx5
network interface cards #7537
IPsec¶
Added 25519 curve-based IPsec DH and PFS groups 31 and 32 #9531
Enabled the strongSwan PKCS#11 plugin #6775
Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263
Renamed IPsec “RSA” options to “Certificate” since both RSA and ECDSA certificates are now supported, and it is also easier for users to recognize #9903
Logging¶
Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated #8350
Updated firewall log daemon to match data structure changes for FreeBSD 12.x #9411
Updated firewall log parsing to match new format of logs in FreeBSD 12.x #9415
Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k) #9734
Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714
Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714
Added GUI options to control log rotation #9711
Added code for packages to set their own log rotation parameters #9712
Removed the redundant
nginx-error.log
file #7198Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375
Reorganized/restructured several log tabs #9714
Added a dedicated authentication log #9754
Notifications¶
OpenVPN¶
Updated OpenVPN local auth to handle changes in fcgicli output #9460
Added connection count to OpenVPN status and widget #9788
Enabled the OpenVPN x509-alt-username build option #9884
Added input validation to prevent OpenVPN tunnel network reuse #3244
Added Exit Notify to OpenVPN servers/client options #9078
Added an option to enable/disable OpenVPN
username-as-common-name
#8289Restructured the OpenVPN settings directory layout
Changed from
/var/etc/openvpn[-csc]/<mode><id>.<file>
to/var/etc/openvpn/<mode><id>/<x>
This keeps all settings for each client and server in a clean structure
Moved to
CApath
style CA structure for OpenVPN CA/CRL usage #9915
Packet Capture¶
Routing¶
Upgrade / Installation¶
User Manager / Privileges¶
Added menu entry for User Password Manager if the user does not have permission to reach the User Manager #9428
Web Interface¶
Increased the number of colors available for the login screen #9706
Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0 removed from Captive Portal, TLS 1.1 removed from GUI) #9607
Fixed empty lines in various forms throughout the GUI #9449
Improved validation of FQDNs #9023
Updated jQuery #9407
Added
poly1305-chacha20
tonginx
cipher list #9896