2.5.0 New Features and Changes

pfSense® software version 2.5.0 brings a major OS version upgrade, OpenSSL upgrades, PHP and Python upgrades, and numerous bug fixes.

Warning

The original plan was to include a RESTCONF API in pfSense version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense version 2.5.0 WILL NOT require AES-NI.

Tip

For those who have not yet updated to 2.4.4-p3 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Operating System / Architecture changes

  • Base OS upgraded to FreeBSD 12.0-RELEASE-p10

  • OpenSSL upgraded to 1.1.1a-freebsd

  • PHP upgraded to 7.3 #9365

  • Python upgraded to 3.6 #9360

Security / Errata

  • Deprecated the built-in relayd Load Balancer #9386

    • relayd does not function with OpenSSL 1.1.x

    • The relayd FreeBSD port has been changed to require libressl – There is no apparent sign of work to make it compatible with OpenSSL 1.1.x

    • The HAProxy package may be used in its place; It is a much more robust and more feature-complete load balancer and reverse proxy

    • For more information on implementing HAProxy, see HAProxy package and the Hangout

Warning

See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.

Known Issues

  • During development of pfSense version 2.5.0, there is a significant chance that packages will be unstable until closer to the release. Most of this is due to OpenSSL changes. This will stabilize as development progresses.

Aliases/Tables

  • Fixed URL-based Alias only storing last-most entry in the configuration #9074

  • Fixed an issue with PF tables remaining active after they had been deleted #9790

Authentication

  • Set RADIUS NAS Identifier to include webConfigurator and the firewall hostname when logging in the GUI #9209

  • Added LDAP extended query for groups in RFC2307 containers #9527

Backup/Restore

  • Changed crypt_data() to use stronger key derivation #9421

  • Updated crypt_data() syntax for OpenSSL 1.1.x #9420

  • Disabled AutoConfigBackup manual backups when AutoConfigBackup is disabled #9785

Captive Portal

  • Changed Captive Portal vouchers to use phpseclib so it can generate keys natively in PHP, and to work around OpenSSL deprecating key sizes needed for vouchers #9443

  • Added trim() to the submitted username, so that spaces before/after in input do not cause authentication errors #9274

  • Optimized Captive Portal authentication attempts when using multiple authentication servers #9255

  • Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the server #9208

  • Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal settings #8616

  • Added an option so that Captive Portals may choose to remove or retain logins across reboot #5644

Certificates

  • Fixed OCSP stapling detection for OpenSSL 1.1.x #9408

  • Fixed GUI detection of revoked status for certificates issued and revoked by an intermediate CA #9924

  • Added an option to globally trust local CA manager entries #4068

  • Added support for randomized certificate serial numbers when creating or signing certificates with local internal CAs #9883

  • Added validation for CA/CRL serial numbers #9883 #9869

  • Added support for importing ECDSA keys in certificates and when completing signing requests #9745

  • Added support for creating and signing certificates using ECDSA keys #9843

  • Added detailed certificate information block to the CA list, using code shared with the Certificate list #9856

  • Added Certificate Lifetime to certificate information block #7332

  • Added CA validity checks when attempting to pre-fill certificate fields from a CA #3956

  • Added a daily certificate expiration check and notice, with settings to control its behavior and notifications (Default: 28 days) #7332

  • Added CA/Certificate renewal functionality #9842

    • This allows a CA or certificate to be renewed using its current settings (or a more secure profile), replacing the entry with a fresh one, and optionally retaining the existing key.

  • Added an “Edit” screen for Certificate entries

    • This view allows editing the Certificate Descriptive name field #7861

    • This view also adds a (not stored) password field and buttons for exporting encrypted private keys and PKCS#12 archives #1192

  • Improved default GUI certificate strength and handling of weak values #9825

    • Reduced the default GUI web server certificate lifetime to 825 days to prevent errors on Apple platforms #9825

    • Added notes on CA/Cert pages about using potentially insecure parameter choices

    • Added visible warnings on CA/Cert pages if parameters are known to be insecure or not recommended

  • Revamped CRL management to be easier to use and more capable

    • Added the ability to revoke certificates by serial number #9869

    • Added the ability to revoke multiple entries at a time #3258

    • Decluttered the main CRL list screen

    • Moved to a single CRL create control to the bottom under the list rather than multiple buttons

  • Optimized CA/Cert/CRL code in various ways, including:

    • Actions are now performed by refid rather than array index, which is more accurate and not as prone to being affected by parallel changes

    • Improved configuration change descriptions as shown in the GUI and configuration history/backups

    • Miscellaneous style and code re-use improvements

    • Changed CA/Cert date calculations to use a more accurate method, which ensures accuracy on ARM past the 2038 date barrier #9899

Dashboard

  • Added PPP uptime to the Dashboard Interfaces Widget #9426

DHCP

  • Fixed handling of spaces in DHCP lease hostnames by dhcpleases #9758

  • Fixed DHCP leases hostname parsing problems which prevented some hostnames from being displayed in the GUI #3500

  • Added OMAPI settings to the DHCP Server #7304

Diagnostics

  • Added Reroot and Reboot with Filesystem Check options to GUI Reboot page #9771

  • Added option to control wait time between ICMP echo request (ping) packets diag_ping.php #9862

DNS

  • Added DNS Resolver (Unbound) Python Integration #9251

  • Added TCP_RFC7413 in kernel, required for the BIND package #7293

Dynamic DNS

  • Fixed Dynamic DNS Dashboard Widget address parsing for entries with split hostname/domain (e.g. Namecheap) #9564

  • Added support for Gandi LiveDNS Dynamic DNS #9452

Interfaces

  • Fixed issues with PPPoE over a VLAN failing to reconnect #9148

  • Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag #9548

  • Added a PHP shell playback script restartallwan which restarts all WAN-type interfaces #9688

  • Added drivers for Mellanox mlx4 and mlx5 network interface cards #7537

IPsec

  • Added 25519 curve-based IPsec DH and PFS groups 31 and 32 #9531

  • Enabled the strongSwan PKCS#11 plugin #6775

  • Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263

  • Renamed IPsec “RSA” options to “Certificate” since both RSA and ECDSA certificates are now supported, and it is also easier for users to recognize #9903

Logging

  • Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated #8350

  • Updated firewall log daemon to match data structure changes for FreeBSD 12.x #9411

  • Updated firewall log parsing to match new format of logs in FreeBSD 12.x #9415

  • Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k) #9734

  • Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714

  • Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714

  • Added GUI options to control log rotation #9711

  • Added code for packages to set their own log rotation parameters #9712

  • Removed the redundant nginx-error.log file #7198

  • Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375

  • Reorganized/restructured several log tabs #9714

  • Added a dedicated authentication log #9754

Notifications

  • Deprecated & Removed Growl Notifications #8821

  • Added a daily certificate expiration notification with settings to control its behavior #7332

NTPD

  • Added GUI options for NTP sync/poll intervals #6787

OpenVPN

  • Updated OpenVPN local auth to handle changes in fcgicli output #9460

  • Added connection count to OpenVPN status and widget #9788

  • Enabled the OpenVPN x509-alt-username build option #9884

  • Added input validation to prevent OpenVPN tunnel network reuse #3244

  • Added Exit Notify to OpenVPN servers/client options #9078

  • Added an option to enable/disable OpenVPN username-as-common-name #8289

  • Restructured the OpenVPN settings directory layout

    • Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to /var/etc/openvpn/<mode><id>/<x>

      • This keeps all settings for each client and server in a clean structure

  • Moved to CApath style CA structure for OpenVPN CA/CRL usage #9915

Packet Capture

  • Changed Packet Capture GUI to allow multiple TCP/UDP ports to be specified #9766

  • Added start time to Packet Capture display #9831

  • Added OSPF/OSPFv3 to Packet Capture protocols #9905

Routing

  • Enabled the RADIX_MPATH kernel option for multi-path routing #9544

  • Fixed automatic static routes set for DNS gateway bindings not being removed when no longer necessary #8922

Translations

  • Added Italian translation #9716

Upgrade / Installation

  • Fixed issues with checking for updates from the GUI behind a proxy with authentication #9478

  • Created separate Auto (UFS) UEFI and Auto (UFS) BIOS installation options to avoid problems on hardware which boots differently on USB and non-USB disks #8638

User Manager / Privileges

  • Added menu entry for User Password Manager if the user does not have permission to reach the User Manager #9428

Web Interface

  • Increased the number of colors available for the login screen #9706

  • Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0 removed from Captive Portal, TLS 1.1 removed from GUI) #9607

  • Fixed empty lines in various forms throughout the GUI #9449

  • Improved validation of FQDNs #9023

  • Updated jQuery #9407

  • Added poly1305-chacha20 to nginx cipher list #9896

Wireless

  • Added support for the athp(4) wireless interface driver #9538 #9600

Development

  • Added a “periodic” style framework to allow for daily/weekly/monthly tasks from the base system or packages by way of plugin calls #7332

  • Added a central file download function for internal use throughout the GUI