2.5.2 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

Known Issues / Errata

  • Dynamic DNS incorrectly encodes NoIP update credentials #12021


This release includes corrections for the following vulnerabilities in pfSense® software:


  • Added: WireGuard add-on package

pfSense CE

Aliases / Tables

  • Added: PHP shell playback script to modify Alias contents #11380


  • Added: Copy button for Authentication Server entries #11390

Backup / Restore

  • Added: Randomize time of scheduled AutoConfigBackup runs #10811

  • Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748

  • Fixed: AutoConfigBackup schedule custom hour value lost on page load #11946

Captive Portal

  • Added: Redirect Captive Portal users to login page after they logout #11264

  • Fixed: Captive Portal post-auth redirect is not properly respected #11842

  • Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843


  • Fixed: Certificate Manager does not report Unbound as using a certificate #11678

  • Fixed: PHP error on certificate list due to unreadable private key #11859

  • Fixed: Export P12 icon is missing if certificate is not locally renewable #11884

Configuration Upgrade

  • Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801

Console Menu

  • Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914


  • Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set #11883

DNS Forwarder

  • Fixed: Disable DNSSEC option for dnsmasq #11781

  • Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866

DNS Resolver

  • Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456

  • Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704

  • Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915


  • Fixed: Thermal sensors widget no longer shows values from certain hardware #11787

  • Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893

  • Fixed: Editing widgets on Dashboard causes a PHP Warning #11939


  • Fixed: ARP Table populates hostname values using expired DHCP lease data #11510

  • Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767

  • Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769

  • Fixed: MAC address OEM information missing from ARP table #11819

  • Fixed: State table content on diag_dump_states.php does not sort properly #11852

Dynamic DNS

  • Added: New Dynamic DNS Provider: Mythic-Beasts #7842

  • Added: New Dynamic DNS Provider: one.com #11293

  • Added: New Dynamic DNS Provider: Yandex PDD #11294

  • Added: New Dynamic DNS Provider: NIC.RU #11358

  • Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420

  • Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667

  • Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754

  • Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815

  • Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840


  • Added: Input validation to prevent setting a load balancing gateway group as default #11164

Hardware / Drivers

  • Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426

  • Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524

High Availability

  • Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy

  • Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904


  • Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211

  • Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395

  • Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518

  • Fixed: strongSwan configuration always contains user EAP/PSK values #11564

  • Added: IPsec GUI option to control Child SA start_action #11576

  • Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651

  • Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792

  • Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794

  • Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795

  • Fixed: ipsec_vti() does not skip disabled VTI entries #11832

  • Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912

  • Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

IPv6 Router Advertisements (RADVD)

  • Added: Use virtual link local IP address as RA source address for HA environments #11103

  • Added: Shortcut buttons for service control and logs on RADVD configuration #11911

  • Fixed: RADVD breaks on SIGHUP #11913


  • Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135

  • Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387

  • Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609

  • Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698

  • Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855

  • Added: VLAN list sorting #11968


  • Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299

  • Added: GUI option to set MTU for L2TP VPN server #11406


  • Fixed: NTP widget displays incorrect status #11495

  • Fixed: NTP authentication input validation rejects valid keys #11850


  • Fixed: Invalid HTML encoding in modal Notices window #11765


  • Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140

  • Fixed: OpenVPN Wizard does not support gateway groups #11141

  • Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521

  • Added: Support for Cisco AVPair {clientipv6} template in firewall rules returns by RADIUS #11596

  • Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684

  • Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699

  • Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700

  • Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793

  • Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830

  • Changed: Update OpenVPN to 2.5.2 #11844

  • Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869

Operating System

  • Added: Kernel modules for alternate congestion control algorithms #7092

  • Added: Kernel module for RTL8153 driver #11125

  • Added: Xen console support #11402

  • Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867


  • Fixed: IPv4 link-local (169.254.x.x) gateway does not function #11806

Rules / NAT

  • Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626

  • Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688

  • Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751

  • Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762

  • Fixed: Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only) #11805

  • Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861

  • Fixed: NAT 1:1 fail to validate aliases #11923

Traffic Shaper (ALTQ)

  • Fixed: Harmless error when enabling traffic shaper #11229

  • Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550

Traffic Shaper (Limiters)

  • Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636

  • Fixed: Error when setting queue limit on CODELQ limiter #11725


  • Fixed: Language presented to user during upgrade is misleading #11897

Web Interface

  • Added: Replace HTTP links with HTTPS in the GUI #11228

  • Fixed: Ambiguous text in help and input validation error for system domain name #11658

  • Fixed: PHP error if PHP_error.log file is too large #11685

  • Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702

  • Fixed: HTTP Referer error message text is incorrect #11873

  • Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880

  • Fixed: Update NGINX to address CVE-2021-23017 #12061


  • Fixed: Ignore WireGuard configurations under <installedpackages></installedpackages> #11808


  • Added: GUI options for WPA Enterprise with identity/password #2400

  • Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453


  • Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082

  • Fixed: XMLRPC Client does not honor its default timeout value #11718