21.02/21.02-p1/2.5.0 New Features and Changes

pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0 include a major OS version upgrade, a kernel WireGuard implementation, OpenSSL upgrades, VPN and related security improvements, plus numerous other bug fixes and new features.


The original plan was to include a RESTCONF API in pfSense® Plus software version 21.02 and pfSense software version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent cryptographic accelerator support. Plans have since changed, and these versions do not contain the planned RESTCONF API, thus pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0 DO NOT require AES-NI.


For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

pfSense Plus

Version 21.02 is the first release of pfSense Plus software, formerly known as Factory Edition. For more details about the distinctions between pfSense Plus and pfSense CE, read the pfSense Plus Announcement. Customers running the Factory Edition of pfSense software version 2.4.5-p1 and older can upgrade in-place automatically to pfSense Plus software version 21.02 as with any other previous upgrade.

In this version, the changes in pfSense Plus software and pfSense CE software are roughly the same, with a few notable exceptions which are only available in pfSense Plus software:

  • Support for Intel® QuickAssist Technology, also known as QAT.

    • QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.

    • Supported hardware includes many Intel-based systems sold by Netgate (e.g. XG-7100, SG-5100) and add-on cards.

    • From the FreeBSD man page:

      • The qat driver supports the QAT devices integrated with Atom C2000 and C3000 and Xeon C620 and D-1500 chipsets, and the Intel QAT Adapter 8950.

      • It can accelerate AES in CBC, CTR, XTS (except for the C2000) and GCM modes, and can perform authenticated encryption combining the CBC, CTR and XTS modes with SHA1-HMAC and SHA2-HMAC. The qat driver can also compute SHA1 and SHA2 digests.

  • Improved SafeXcel cryptographic accelerator support for SG-2100 and SG-1100 which can improve IPsec performance.

    • From the FreeBSD man page:

      • The driver can accelerate the following AES modes: AES-CBC, AES-CTR, AES-XTS, AES-GCM, AES-CCM

      • The driver also implements SHA1 and SHA2 transforms, and can combine AES-CBC and AES-CTR with SHA1-HMAC and SHA2-HMAC for encrypt-then-authenticate operations.

  • Updated IPsec profile export

    • Exports Apple profiles compatible with current iOS and macOS versions

    • New export function for Windows clients to configure tunnels using PowerShell

Version 21.02-p1

pfSense Plus software version 21.02-p1 is a special patch release to address a kernel problem affecting the SG-3100 which caused system instability (#11444). No additional fixes are present in the 21.02-p1 release.

See the detailed bug analysis blog post for more details.

Operating System / Architecture changes

  • Base OS upgraded to FreeBSD 12.2-STABLE

  • OpenSSL upgraded to 1.1.1i-freebsd

  • PHP upgraded to 7.4 #9365 #10659

  • Python upgraded to 3.7 #9360

Known Issues / Errata

  • Deprecated the built-in relayd Load Balancer #9386

    • relayd does not function with OpenSSL 1.1.x

    • The relayd FreeBSD port has been changed to require libressl – There is no apparent sign of work to make it compatible with OpenSSL 1.1.x

    • The HAProxy package may be used in its place; It is a much more robust and more feature-complete load balancer and reverse proxy

    • For more information on implementing HAProxy, see HAProxy package and the Hangout

  • There is an issue in this release with port forwarding on pfSense Plus software installations with multiple WANs, which has been resolved in the 21.02.2 patch release, see #11436 for details.

  • There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.

  • There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005

  • The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, use ONE of the following workarounds:

    • Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then Save.

    • Instead of disabling the policy check, create route maps which match and allow expected incoming and outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.

    • Manually create a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a placeholder for later migration to more secure route map filtering.


See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense software version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.


  • Fixed aliases to allow IPv6 prefix entries which end in IPv4 addresses (e.g. x:x:x:x:x:x:d.d.d.d from RFC 4291 section 2.2.2) #10694

  • Fixed a PHP error processing aliases when the configuration contains no aliases section #9936

  • Fixed URL-based Alias only storing last-most entry in the configuration #9074

  • Fixed an issue with PF tables remaining active after they had been deleted #9790

  • Added Internationalized domain names support for aliases #7255

  • Added the ability to copy an existing alias when creating a new entry #6908

  • Fixed handling of URL-based aliases containing multiple URLs #11256


  • Added RADIUS authentication for SSH users #10545

  • Added LDAP authentication for SSH users #8698

  • Added option to control behavior of unauthenticated LDAP binds #9909

  • Converted LDAP TLS setup from environment variables to LDAP_OPT_X_TLS_* options #9417

  • Set RADIUS NAS Identifier to include webConfigurator and the firewall hostname when logging in the GUI #9209

  • Added LDAP extended query for groups in RFC2307 containers #9527

  • Fixed errors when using RADIUS for GUI authentication while the WAN is down #11109


  • Changed crypt_data() to use stronger key derivation #9421

  • Updated crypt_data() syntax for OpenSSL 1.1.x #9420 #10178

  • Disabled AutoConfigBackup manual backups when AutoConfigBackup is disabled #9785

  • Improved error handling when attempting to restore encrypted and otherwise invalid configurations which result in errors (e.g. wrong encryption passphrase, malformed XML) #10179

  • Added option to include the DHCP v4/v6 leases database in config.xml backups #10910

  • Added option to include the Captive Portal database in config.xml backups #10868

  • Added option to include the Captive Portal used MACs database in config.xml backups #10856

  • Added option to prevent all extra data from being added to config.xml backups #10914

  • Added password confirmation when encrypting a config.xml backup #10301

  • Added support for GPT partitioned drives to the External Configuration Locator #9097

  • Added support for Limiters to the Traffic Shaper backup and restore area option #4763

  • Added option to backup Dynamic DNS area #3559

  • Fixed restoration of active voucher data from backup #3128

Captive Portal

  • Improved XMLRPC sync of Captive Portal database information #97

  • Changed Captive Portal vouchers to use phpseclib so it can generate keys natively in PHP, and to work around OpenSSL deprecating key sizes needed for vouchers #9443

  • Added trim() to the submitted username, so that spaces before/after in input do not cause authentication errors #9274

  • Optimized Captive Portal authentication attempts when using multiple authentication servers #9255

  • Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the server #9208

  • Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal settings #8616

  • Added an option so that Captive Portals may choose to remove or retain logins across reboot #5644

  • Fixed deletion of related files when removing a Captive Portal zone #10891

  • Fixed XMLRPC sync of Captive Portal used MACs database #10857

  • Added validation of Captive Portal zone names to prevent using reserved words #10798

  • Added support for IDN hostnames to Captive Portal Allowed Hostnames tab #10747

  • Improved Captive Portal Allowed Hostnames so it supports multiple DNS records in responses #10724

  • Fixed retention of automatic pass-through MAC entries when using Captive Portal Vouchers #9933

  • Fixed Captive Portal Bandwidth per-user bandwidth limit values being applied when disabled #9437 #9311

  • Changed handling of voucher logins with Concurrent Login option so that new logins are prevented rather than removing old sessions #9432 #2146

  • Changed XMLRPC behavior to not remove zones from secondary node when disabling Captive Portal #9303

  • Fixed XMLRPC sync failing to propagate voucher roll option changes to the secondary node #8809

  • Fixed XMLRPC sync failing to create Captive Portal voucher files on secondary node #8807

  • Fixed Captive Portal + Bridge interface validation #6528

  • Added support for masking of Captive Portal pass-thru MACs #2424

  • Added support for pre-filling voucher codes via URL parameters, so they can be used via QR code #1984


  • Fixed OCSP stapling detection for OpenSSL 1.1.x #9408

  • Fixed GUI detection of revoked status for certificates issued and revoked by an intermediate CA #9924

  • Removed PKCS#12 export links for entries which cannot be exported in that format (e.g. no private key) #10284

  • Added an option to globally trust local CA manager entries #4068

  • Added support for randomized certificate serial numbers when creating or signing certificates with local internal CAs #9883

  • Added validation for CA/CRL serial numbers #9883 #9869

  • Added support for importing ECDSA keys in certificates and when completing signing requests #9745

  • Added support for creating and signing certificates using ECDSA keys #9843 #10658

  • Added detailed certificate information block to the CA list, using code shared with the Certificate list #9856

  • Added Certificate Lifetime to certificate information block #7332

  • Added CA validity checks when attempting to pre-fill certificate fields from a CA #3956

  • Added a daily certificate expiration check and notice, with settings to control its behavior and notifications (Default: 27 days) #7332

  • Added functionality to import certificates without private keys (e.g. PKCS#11) #9834

  • Added functionality to upload a PKCS#12 file to import a certificate #8645

  • Added CA/Certificate renewal functionality #9842

    • This allows a CA or certificate to be renewed using its current settings (or a more secure profile), replacing the entry with a fresh one, and optionally retaining the existing key.

  • Added an “Edit” screen for Certificate entries
    • This view allows editing the Certificate Descriptive name field #7861

    • This view also adds a (not stored) password field and buttons for exporting encrypted private keys and PKCS#12 archives #1192

  • Improved default GUI certificate strength and handling of weak values #9825
    • Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825

    • Added notes on CA/Cert pages about using potentially insecure parameter choices

    • Added visible warnings on CA/Cert pages if parameters are known to be insecure or not recommended

  • Revamped CRL management to be easier to use and more capable
    • Added the ability to revoke certificates by serial number #9869

    • Added the ability to revoke multiple entries at a time #3258

    • Decluttered the main CRL list screen

    • Moved to a single CRL create control to the bottom under the list rather than multiple buttons

  • Optimized CA/Cert/CRL code in various ways, including:
    • Actions are now performed by refid rather than array index, which is more accurate and not as prone to being affected by parallel changes

    • Improved configuration change descriptions as shown in the GUI and configuration history/backups

    • Miscellaneous style and code re-use improvements

    • Changed CA/Cert date calculations to use a more accurate method, which ensures accuracy on ARM past the 2038 date barrier #9899

Configuration Backend

  • Changed error handling on boot error ‘XML configuration file not found’ so the user is given an opportunity to fix the problem manually #10556

Configuration Upgrade

  • Retired m0n0wall configuration upgrade support #10997

Console Menu

  • Fixed rc.initial execution of rc.local.running #10978

  • Fixed rc.initial handling of -c commands with arguments #10603

  • Fixed console menu display of subnet masks for DHCP interfaces #10740


  • Added PPP uptime to the Dashboard Interfaces Widget #9426

  • Improved long description truncation behavior in the services status widget #10795

  • Fixed Dashboard traffic graph widget display of bandwidth units (b/s vs. B/s) #9072

  • Added adaptive state timeout indication to the state table usage meter #7016

  • Fixed Thermal Sensors dashboard widget showing invalid sensors #10963

  • Added default route indicator to Gateways widget #11057

  • Added hardware interface name as a tooltip on Interfaces widget entries #11041


  • Fixed handling of spaces in DHCP lease hostnames by dhcpleases #9758

  • Fixed DHCP leases hostname parsing problems which prevented some hostnames from being displayed in the GUI #3500

  • Added OMAPI settings to the DHCP Server #7304

  • Increased number of NTP servers sent via DHCP to 3 #9661

  • Added an option to prevent known DHCP clients from obtaining addresses on any interface (e.g. known clients may only obtain an address from the interface where the entry is defined) #1605

  • Added count of static mappings to list when editing DHCP settings for an interface #9282

  • Fixed handling of client identifiers on static mappings containing double quotes #10295

  • Added ARM32/64 network booting support to the DHCP Server #10374

  • Increased the number of NTP servers for DHCP Static Mappings #10333

  • Fix DHCP Dynamic DNS handling of per-host zone and key options from static mappings #10224

  • Added per-host custom BOOTP/DHCP Options to static mappings #8990

  • Added a button to clear all DHCP leases #7406

  • Fixed ARPA zone declaration formatting in DHCP server configuration file #11224


  • Added options to disable pushing IPv6 DNS servers to clients via DHCP6 #9302

  • Fixed DHCPv6 domain search list #10200

  • Fixed validation to allow omission of DHCPv6 range for use with stateless DHCP #9596

  • Fixed issues creating IPv6 Static Mappings #7443

  • Fixed DHCPv6 merging an IPv6 prefix with the input submitted in DNS servers field when using Track Interface #7384

  • Fixed prefix delegation not being requested if no interfaces were set to track6 #11005

  • Fixed DHCPv6 Dynamic DNS domain key name validation #10844

  • Fixed line formatting issues in the DHCPv6 configuration file #10675

  • Fixed prefix not being included in the DNS entry registered by DHCPv6 #8156

  • Fixed DHCPv6 static mapping changes requiring a restart of the DNS resolver to activate #10882

  • Fixed issues running DHCPv6 on certain types of tracked interfaces (e.g. bridges, VLANs) #3965

  • Fixed issues with WAN not renewing IPv6 address after an upstream failure #10966

DHCP Relay

  • Fixed DHCP Relay validation to allow OpenVPN TAP interfaces #10711

  • Fixed inconsistent validation behavior for DHCP relay and bridges #7778


  • Added Reroot and Reboot with Filesystem Check options to GUI Reboot page #9771

  • Added option to control wait time between ICMP echo request (ping) packets diag_ping.php #9862

  • Improved data sanitization in status.php #10946 #10944 Sanitize MaxMind GeoIP key #10797 #10569 #10794

  • Added config history list to status.php #10696

  • Added DNS Resolver configuration to status.php #10635

  • Added L2TP VPN configuration to status.php #10583

  • Changed pftop page to hide filtering controls for views which do not support filtering #10625

  • Added support for IDN hostnames to DNS Lookup, Ping, and Traceroute #10538

  • Fixed diag_dns.php link to Ping passing incorrect parameters #10537

  • Added a button to clear the NDP cache #10975

  • Added a button to clear the ARP cache #4038

  • Fixed hostname being ignored when DNS Lookup calculates response time #11018

  • Fixed Kill States button on diag_dump_states.php when used with CIDR-masked subnets #9270

DNS Forwarder

  • Updated dnsmasq to 2.84 #11278

DNS Resolver

  • Added IPv6 OpenVPN client addresses resolution to the DNS Resolver #8624

  • Added DNS64 options to the DNS Resolver #10274

  • Added support for multiple IP addresses in a DNS Resolver Host Override entry #10896

  • Fixed DNS Resolver restart commands to work around potential environment issues #10781

  • Fixed saving DNS Resolver ACL entries when using a non-English translation #10742

  • Added support for IDN symbols in DNS Resolver ACL entries #10730

  • Added Aggressive NSEC option to the DNS Resolver #10449

  • Fixed DNS Resolver unintentionally retaining DHCP registration entries after disabling that feature #8981

  • Fixed DNS Resolver restarting on every OpenVPN client connection when registering clients in DNS #11129

  • Fixed issues with the DNS Resolver not starting when bound to disabled interfaces or interfaces without carrier #11087

  • Fixed DNS Resolver custom TLS listen port being ignored #11051

  • Improved formatting and ordering of items in the DNS Resolver access list configuration file #11309

Dynamic DNS

  • Fixed Dynamic DNS Dashboard Widget address parsing for entries with split hostname/domain (e.g. Namecheap) #9564

  • Added support for new CloudFlare Dynamic DNS API tokens #9639

  • Added IPv6 support to No-IP Dynamic DNS #10256

  • Fixed issues with Hover Dynamic DNS #10241

  • Updated Cloudflare Dynamic DNS to query Zone ID with token #10992

  • Added support for IPv6 to easyDNS Dynamic DNS #10972

  • Added support for Domeneshop Dynamic DNS #10826

  • Added Zone option to RFC 2136 Dynamic DNS #10684

  • Updated FreeDNS Dynamic DNS to use their v2 API #10617

  • Fixed DigitalOcean Dynamic DNS processing of zones with multiple pages of records #10592

  • Improved Dynamic DNS Logging #10459

  • Added support for dynv6.com Dynamic DNS #9642

  • Fixed handling of Dynamic DNS AAAA records on 6rd tunnel interfaces bound to PPPoE interfaces #9641

  • Added a button to duplicate Dynamic DNS entries #8952

  • Fixed Dynamic DNS update for HE.net Tunnelbroker always setting IP address of the default WAN interface #11024

  • Updated HE.net Tunnelbroker Dynamic DNS to use their current API #11037

  • Added support for Wildcard A records for Gandi Dynamic DNS #11159

  • Updated No-IP Dynamic DNS to use a newer API #6638

  • Fixed Namecheap Dynamic DNS error code checking #5308

  • Improved color blind accessibility of Dynamic DNS status #3229


  • Added support for obtaining a gateway via DHCP which is outside of the interface subnet #7380

  • Added validation to prevent using descriptions on interfaces which would cause gateway names to exceeded the maximum allowed length #9401

  • Added tooltip text to icons on the Gateways #10719

  • Fixed issues with dpinger failing to update IPv6 gateway address on DHCPv6 WAN interfaces #8136

Hardware / Drivers

  • Added bnxt driver for Broadcom NetXtreme interfaces #9155

  • Added iOS/Android/Generic USB tethering driver #7467

IGMP Proxy

  • Added input validation for IGMP Proxy settings #7163


  • Created separate Auto (UFS) UEFI and Auto (UFS) BIOS installation options to avoid problems on hardware which boots differently on USB and non-USB disks #8638

  • Fixed reinstalling with UFS on a ZFS formatted drive #10690

  • Fixed platform detection for MBT-4220 and MBT-2220 on newer BIOS revisions #9242

  • Fixed an issue with shutting down instead of rebooting after installing using ZFS #7307


  • Added support for using IPv4 and IPv6 addresses on GRE interfaces at the same time #10392

  • Added a check to disable Hardware Checksum Offloading in environments with interfaces which do not support it (e.g. vtnet, ena) #10723

  • Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag #9548

  • Added a PHP shell playback script restartallwan which restarts all WAN-type interfaces #9688

  • Changed assignment of the fe80::1:1 default IPv6 link-local LAN address so it does not remove existing entries, which could cause problems such as Unbound failing to start #9998

  • Added automatic MTU adjustment for GRE interfaces using IPsec as a transport #10222

  • Fixed SLAAC interface selection when using IPv6 on a link which also uses PPP #9324

  • Added GUI interface descriptions to Operating System interfaces #1557

  • Added the ability to assign virtual type interfaces (IPsec, OpenVPN, GIF, GRE, etc) during console interface assignment #10947

  • Fixed TSO not being disabled in some cases #10836

  • Fixed group name length input validation #10835

  • Improved interface caching for environments with many interfaces #10680

  • Fixed fe80::1:1 being added to interfaces without track6 #10661

  • Added a check to prevent stf (6RD/6to4) interfaces from being used as parent interfaces #10626

  • Fixed redundant disabling of static ARP at boot before it could be enabled #10589

  • Fixed initialization of bridges which include a GIF interface at boot #10524

  • Fixed problems with post-install interface changes not being retained if the user did not complete the wizard #10383

  • Fixed inefficiencies when applying settings to a VLAN parent interface #9154

  • Fixed interface MTU setting not being applied to all IPv6 routes #6868

  • Fixed handling of MTU setting for 6rd and 6to4 interfaces #6377

  • Fixed IPv6 IP Alias preventing Track Interface from working with DHCPv6 and RA #5999

  • Changed DHCP interface renewal behavior to not restart services if the IP address did not change #11142

  • Fixed an error when changing bridge STP settings #11122

  • Added a binary package with updated Realtek interface drivers #11079

  • Improved link state visibility on Status > Interfaces #11045

  • Removed VTI interfaces from Interface Group selection since they do not currently function in this manner #11134

  • Fixed issues with IPv6 on top of IPv4 PPPoE placing default route on incorrect interface #9324


  • Added 25519 curve-based IPsec DH and PFS groups 31 and 32 #9531

  • Enabled the strongSwan PKCS#11 plugin #6775

  • Added support for ECDSA certificates to IPsec for IKE #4991

  • Renamed IPsec “RSA” options to “Certificate” since both RSA and ECDSA certificates are now supported, and it is also easier for users to recognize #9903

  • Converted IPsec configuration code from ipsec.conf ipsec/stroke style to swanctl.conf swanctl/vici style #9603

    • Split up much of the single large IPsec configuration function into multiple functions as appropriate.

    • Optimized code along the way, including reducing code duplication and finding ways to generalize functions to support future expansion.

    • For IKEv1 and IKEv2 with Split Connections enabled, P2 settings are properly respected for each individual P2, such as separate encryption algorithms #6263

      • N.B.: In rare cases this may expose a previous misconfiguration which allowed a Phase 2 SA to connect with improper settings, for example if a required encryption algorithm was enabled on one P2 but not another.

    • New GUI option under VPN > IPsec, Mobile Clients tab to enable RADIUS Accounting which was previously on by default. This is now disabled by default as RADIUS accounting data will be sent for every tunnel, not only mobile clients, and if the accounting data fails to reach the RADIUS server, tunnels may be disconnected.

    • Additional developer & advanced user notes:

      • For those who may have scripts which touched files in /var/etc/ipsec, note that the structure of this directory has changed to the new swanctl layout.

      • Any usage of /usr/local/sbin/ipsec or the stroke plugin must also be changed to /usr/local/sbin/swanctl and VICI. Note that some commands have no direct equivalents, but the same or better information is available in other ways.

      • IPsec start/stop/reload functions now use /usr/local/sbin/strongswanrc

      • IPsec-related functions were converged into ipsec.inc, removed from vpn.inc, and renamed from vpn_ipsec_<name> to ipsec_<name>

    • Reworked how reauthentication and rekey behavior functions, giving more control to the user compared to previous options #9983

  • Reformatted status_ipsec.php to include more available information (rekey timer, encryption key size, IKE SPIs, ports) #9979

  • Added support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec #9878

  • Fixed usage of Hash Algorithm on child ESP/AH proposals using AEAD ciphers #9726

  • Added support for IPsec remote gateway entries using FQDNs which resolve to IPv6 addresses #9405

  • Added manual selection of Pseudo-Random Function (PRF) for use with AEAD ciphers #9309

  • Added support for using per-user addresses from RADIUS and falling back to a local pool otherwise #8160

  • Added an option which allows multiple tunnels to use the same remote peer in certain situations (read warnings on the option before use) #10214

  • Improved visible distinction of online/offline mobile IPsec users in the IPsec status and dashboard widget #10340

  • Added options to change the IPsec NAT-T ports (local and remote) #10870

  • Improved boot-time initialization of IPsec VTI interfaces #10842

  • Added support for limiting IPsec VPN access by RADIUS user group #10748

  • Changed IPsec to share the same RADIUS Cisco-AVPair parser code as OpenVPN for Xauth users #10469

  • Fixed handling of IPsec VTI interfaces in environments with large numbers of IPsec tunnels #9592

  • Added IPsec Advanced option to control maximum allowed Parallel P2 Rekey exchanges #9331

  • Fixed issues with bringing up new Phase 2 entries on IPsec tunnels with “Split connections” enabled #8472

  • Fixed issues where, in rare cases, IPsec tunnels would not reconnect until the firewall was rebooted #8015

  • Improved the Remote Gateway field description for IPsec Phase 1 entries to indicate that is allowed #7095

  • Fixed issues with IKEv2 IPsec tunnels with multiple phase 2 entries combining traffic selectors in unexpected ways (set “Split Connections” to isolate them) #6324

  • Added options to create IPsec bypass rules which prevent specific source and destination network pairs from entering policy-based IPsec tunnels #3329

  • Documented settings which work around SA duplication issues experienced by users in certain cases #10176

  • Improved IPsec GUI options for P1/P2 SA expiration and replacement to help prevent SA duplication #11219

  • Fixed a PHP error in mobile IPsec input validation #11212

  • Added validation to prevent unsupported wildcard certificates from being selected for use with IPsec #11297

IPv6 Router Advertisements (RADVD)

  • Fixed Router Advertisement configuration missing information in Unmanaged mode #9710

  • Fixed Router Advertisement lifetime input validation #10709


  • Fixed L2TP secret using an empty value after removing it from the GUI #10710

  • Fixed L2TP input validation to allow leaving the remote address field blank when assigning addresses from RADIUS #7562

  • Fixed inefficiencies in the initial L2TP reconfiguration process #7558

  • Fixed L2TP Server and Client both using l2tpX for interface names #11006

  • Fixed static routes on L2TP interfaces not being reapplied when reconnecting #10407

  • Fixed L2TP server being restarted when making user account changes #11059

LAGG Interfaces

  • Improved Interface Status and Widget information for LAGG #9187

  • Fixed route for GIF/GRE peer when using VLAN on LAGG #10623

  • Added option to toggle LACP PDU transmission fast timeout #10504

  • Fixed LAGG member interface events causing filter reloads #10365

  • Fixed issues with LAGG interface MTU being incorrectly applied to VLAN subinterfaces #8585

  • Added option to control the master interface for LAGG in Failover mode #1019


  • Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated #8350

  • Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k) #9734

  • Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714

  • Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714

  • Added GUI options to control log rotation #9711

  • Added code for packages to set their own log rotation parameters #9712

  • Removed the redundant nginx-error.log file #7198

  • Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375

  • Reorganized/restructured several log tabs #9714

  • Added a dedicated authentication log #9754

  • Added an option for RFC 5424 format log messages which have RFC 3339 timestamps #9808

  • Fixed an issue where a firewall log entry for loopback source/destination occasionally reported as 127.0.01 #10776

  • Fixed issues with syslogd using an old IP address after an interface IP address change #9660

  • Added watchfrr to routing log #11207


  • Fixed Gateways being removed from routing groups based on low alert thresholds #10546

  • Fixed a possible race condition in gateway group fail-over causing unexpected behavior #9450

  • Fixed a load balancing failure when one gateway had a weight of 1 and another gateway had a weight >1 #6025

NAT Reflection

  • Fixed port forwards where the destination is a network alias creating invalid refection rules if multiple subnets are in that alias #7614


  • Deprecated & Removed Growl Notifications #8821

  • Added a daily certificate expiration notification with settings to control its behavior #7332

  • Fixed input validation of SMTP notification settings #8522

  • Added support for sending notifications via Pushover API #10495

  • Added support for sending notifications via Telegram #10354

  • Fixed a PHP error when SMTP notifications fail #11063


  • Added GUI options for NTP sync/poll intervals #6787

  • Added validation to prevent using noselect and noserve with pools #9830

  • Added feature to automatically detect GPS baud rate #7284

  • Fixed status and widget display of long hostnames and stratum #10307

  • Fixed handling of the checkbox options on NTP servers #10276

  • Updated GPS initialization commands for Garmin devices #10327

  • Added an option to limit NTP pool server usage #10323

  • Added option to force IPv4/IPv6 DNS resolution for NTP servers #10322

  • Added support for NTP server authentication #8794

  • Added an option to disable NTP #3567

  • Added units to the NTP status page #2850


  • Updated OpenVPN to 2.5.0 #11020

    • The default compression behavior has changed for security reasons. Incoming packets will be decompressed, outgoing packets will not be compressed. There is a GUI control to alter this behavior.

    • Data cipher negotiation (Formerly known as Negotiable Cryptographic Parameters, or NCP) is now compulsory. Disabling negotiation has been deprecated. The option is still present in the GUI, but negotiation will be unilaterally enabled on upgrade. The upgrade process will attempt to use the expected data encryption algorithms before and after the upgrade completes, but in some cases more secure algorithms may be enabled as well. #10919

      We strongly encourage using AEAD ciphers such as AES-GCM, future versions of OpenVPN will require them and will not have configurable cipher lists.

  • Added connection count to OpenVPN status and widget #9788

  • Enabled the OpenVPN x509-alt-username build option #9884

  • Restructured the OpenVPN settings directory layout

    • Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to /var/etc/openvpn/<mode><id>/<x>

      • This keeps all settings for each client and server in a clean structure

  • Moved to CApath style CA structure for OpenVPN CA/CRL usage #9915

  • Added support for OCSP verification of client certificates #7767

  • Fixed a potential race condition in OpenVPN client ACLs obtained via RADIUS #9206

  • Added support for more protocols (IP, ICMP), ports, and a template variable ({clientip}) in OpenVPN client ACLs obtained via RADIUS #9206

  • Added the ability to register OpenVPN Remote Access (User Auth) clients in the DNS Resolver #10999

  • Fixed an issue where duplicating an OpenVPN instance did not copy the password #10703

  • Fixed issues with OpenVPN TCP clients failing to start #10650

  • Added support for IPv6 OpenVPN ACLs obtained via RADIUS #10454

  • Fixed validation to enforce OpenVPN client password usage when setting a username, to prevent a missing password from interrupting the boot process #10409

  • Enabled asynchronous push in OpenVPN binary #10273

  • Added OpenVPN client-specific override option to ignore routes pushed by the server (“push-reset”) #9702

  • Clarified behavior of OpenVPN server option for Duplicate Connections #10363

Operating System

  • Fixed a network performance regression in the fast forwarding path with IP redirects enabled NG4965

  • Fixed double ZFS entries in loader.conf #10375

  • Added a method to enable persistent command history in the shell #11029

  • Changed the default domain name of the firewall from .localdomain to .home.arpa #10533

Package System

  • Disabled spell checking on package upgrade progress textarea #10637

  • Fixed issues with package upgrade or reinstall hanging indefinitely #10610

  • Fixed description used for buttons when editing packages #11208

  • Deprecated the following packages: OpenBGPd, Quagga_OSPF, routed, blinkled, and gwled

PPP Interfaces

  • Fixed issues with PPPoE over a VLAN failing to reconnect #9148

  • Enabled selection of QinQ interfaces for use with PPP #9472

  • Added option to set Host-Uniq value for PPPoE #10597

  • Fixed incorrect interface assignment after switching from PPPoE #10240

  • Fixed IPv6 not being disabled in mpd.conf when the IPv6 GUI option is set to ‘disabled’ #7386

  • Fixed PPPoE interface errors due to MTU settings #11035

PPPoE Server

  • Fixed PPPoE server ignoring secondary RADIUS Server #10926

  • Fixed PPPoE server Accounting updates option #10869

  • Removed unnecessary restarts of the PPPoE server when adding/modifying users #10318

  • Added input validation to prevent enabling the PPPoE server on a PPPoE client interface #4510


  • Fixed automatic static routes set for DNS gateway bindings not being removed when no longer necessary #8922

  • Fixed missing tooltip text for icons on the Static Routes Page #10889

RRD Graphs

  • Fixed RRD graph handling of NTP graph data with negative freq values #6503

  • Fixed RRD graph creation for interfaces using CODELQ #6277

Rules / NAT

  • Added the ability to configure negated tagging, to match packets which do not contain a given tag #10186

  • Added support for IPv6 Port Forwards #10984

  • Fixed handling of IPv6 NPt rules on 6rd WAN interfaces #10757

  • Fixed 1:1 NAT issue when internal interface has VIPs #10752

  • Fixed policy routing rules not being written correctly for a down gateway #10716

  • Added EoIP to firewall rule Protocol list #10698

  • Fixed separator bars on floating rules not covering the full table width #10667

  • Fixed 1:1 NAT for IPv6 applying wrong subnet mask to “Single Host” #7742

  • Added validation to prevent accidentally overlapping NPt networks and interface networks #7741

  • Added support for dynamic interface addresses in 1:1 NAT rules #7705

  • Added default values of TCP and UDP timeouts to the GUI #7362

  • Fixed handling of IPv6 floating rules on 6rd interfaces #7142

  • Fixed firewall rules for “PPPoE clients” only including the first PPPoE server instance #6598

  • Fixed duplicated tracker IDs on block private networks rules #6030

  • Fixed reply-to on rules for PPPoE WANs with IPv6 SLAAC #5258

  • Added gateway/group IP addresses to mouseover on rules #885

  • Fixed formatting of floating rules with large numbers interfaces #10892

  • Fixed form rendering issues with Port Forward Address Fields in Safari #10674

  • Fixed firewall ruleset failing to load at boot when new ruleset would be invalid #6028

  • Fixed an issue adding or deleting separator bars when no rules are present #10827


  • Updated S.M.A.R.T. Page with new capabilities #9367


  • Fixed SNMP reporting incorrect speed for switch uplink interface on Netgate SG-3100 #10793

  • Fixed SNMP input validation to require the Host Resources module when the PF module is also enabled #10471

Traffic Graphs

  • Changed the Traffic Graph page from rate to iftop which brings IPv6 support and various other improvements #3334

Traffic Shaper (ALTQ)

  • Changed default ALTQ queue bandwidth type to Mbit/s #10988

  • Updated traffic shaper wizard settings for XBox and Wii ports #10837

  • Added Broadcom NetXtreme to ALTQ-capable list #10762

  • Added ALTQ support to the ix(4) driver #7378

  • Fixed deletion of associated shaper queues when deleting an interface #3488

  • Fixed ALTQ root queue bandwidth calculation #3381

  • Fixed input validation for amount of queues supported by ALTQ schedulers #1353

  • Added Google Stadia port range to the traffic shaper wizard #10743

  • Fixed PHP errors in the traffic shaper wizard #10660

  • Fixed ALTQ on hn(4) interfaces #8954

Traffic Shaper (Limiters)

  • Fixed issues with net.inet.ip.dummynet.* tunables being ignored #10780

  • Fixed issues with renaming limiters removing them from firewall rules #3924

  • Fixed mask options not applying to sched limiter #10838

  • Changed default Limiter queue bandwidth type to Mbit/s #10727


  • Added Italian translation #9716


  • Fixed issues with checking for updates from the GUI behind a proxy with authentication #9478

  • Changed phrasing of message indicating the firewall is rebooting to upgrade #10387

  • Fixed issues with the GUI incorrectly reporting “The system is on the latest version” #8870


  • Improved handling of UPnP with multiple gaming systems #7727

User Manager / Privileges

  • Added menu entry for User Password Manager if the user does not have permission to reach the User Manager #9428

  • Improved consistency of SSL/TLS references in LDAP authentication servers #10172

  • Fixed irrelevant output being printed to users with ssh_tunnel_shell #9260

  • Fixed theme not being applied to LDAP test results modal #7912

  • Changed to more secure default values for certificates created through the user manager #11167

  • Changed SSL/TLS LDAP authentication implementation to improve handling of multiple secure LDAP (SSL/TLS or STARTTLS) servers used at the same time #10704

Virtual IP Addresses

  • Fixed a problem with PID file handling for the proxy ARP daemon #7379

  • Fixed IP Alias VIPs on PPPoE interfaces #7132

Web Interface

  • Updated JQuery to address multiple issues #10676

  • Updated Bootstrap to 3.4.1 #9892

  • Updated Font-Awesome to v5 #9052

  • Increased the number of colors available for the login screen #9706

  • Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0 removed from Captive Portal, TLS 1.1 removed from GUI) #9607

  • Fixed empty lines in various forms throughout the GUI #9449

  • Improved validation of FQDNs #9023

  • Added CHACHA20-POLY1305 to nginx cipher list #9896

  • Fixed Setup Wizard input validation to allow Primary/Secondary DNS Server field to remain empty #10982

  • Fixed Setup Wizard input validation for IPv6 DNS Servers #10720

  • Added an option to omit DNS Servers from resolv.conf #10931

  • Fixed the icon area within buttons not being clickable #10846

  • Fixed visibility issues with multiple selection form control in the pfsense-BETA-dark theme #10705

  • Updated documentation links in the GUI #10481

  • Fixed netmask/prefix form control incorrectly resetting to 128/32 #10433

  • Updated Help shortcut links #10135

  • Improved handling of multiple login form submissions to avoid a potential CSRF error #9855

  • Fixed reboot message when changing the Hardware Checksum Offloading setting #3031

  • Added support for new site icons requested by current versions of Safari #11068

  • Added descriptions to all write_config() calls #204



  • Added support for the athp(4) wireless interface driver #9538 #9600

  • Added support for the ral(4) wireless interface driver to arm64 #10934

  • Added support for the rtwn(4) wireless interface driver #10639

  • Added support for selecting 802.11n channel width (HT) #10678


  • Added a “periodic” style framework to allow for daily/weekly/monthly tasks from the base system or packages by way of plugin calls #7332

  • Added a central file download function for internal use throughout the GUI

  • Added TCP_RFC7413 in kernel, required for the BIND package #7293


  • Fixed XMLRPC synchronization of admin authorized keys for the admin user #9539

  • Added option to synchronize changes for the account used for XMLRPC sync #9622

  • Fixed XMLRPC synchronization for firewall rule descriptions with special characters #1478

  • Fixed Incorrect synchronize IP address value causing XMLRPC errors #11017