2.7.0 New Features and Changes

This pfSense® CE software release includes new features and bug fixes.

Upgrade Notes


Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.

To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.


  • PHP has been upgraded from 7.4.x to 8.2.6

  • The base operating system has been upgraded to FreeBSD 14-CURRENT


    As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:

    • 3DES Encryption

    • Blowfish Encryption

    • CAST 128 Encryption

    • MD5 HMAC Authentication

    The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade to ensure a smoother transition.

    On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration. The upgrade process will disable tunnels if they have no valid encryption or authentication options remaining. The upgrade process will notify the user of any changes it makes.

    This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.

  • Added support for ChaCha20-Poly1305 encryption with IPsec

  • Captive Portal has been migrated from IPFW to PF

  • A long-standing difficult-to-reproduce crash in Unbound during reloading has been addressed. Christian McDonald tracked down the source of the Unbound SIGHUP crashes to a reference counting bug within the MaxMindDB Python module. Both a patch to MaxMind and a port revision to FreeBSD ports were submitted and accepted, and the fix is included in the 2.7.0 release. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.

  • In addition to the Unbound crash, Christian also identified a memory leak with DHCP registration and Unbound Python mode (#10624). This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further for future release.

  • Fix for UPnP and multiple game systems

  • New gateway state killing options for smoother failover

  • Firewall/NAT rule usability improvements such as buttons to toggle multiple rules and copy rules to other interfaces

  • OpenVPN upgraded to 2.6.4

  • OpenVPN Shared Key Tunnels Deprecated – They still work, but will trigger warnings in the logs and GUI.

  • New Packet Capture GUI

  • UDP Broadcast Relay Package


This version includes newer ZFS features which may not be compatible with older boot loaders. These features are not enabled by default when upgrading to avoid potential problems with older boot loaders. Some ZFS commands run at the CLI, such as zpool status, may report that a pool can be upgraded, but doing so may also require manually updating the boot loader for the device to boot properly. Upgrading the ZFS pool is not necessary at this time. As such, the best practice is to leave it as-is. This will be handled automatically as needed in future updates.

Reinstalling the OS from current installation media will result in having the most recent boot loader and ZFS feature set.


pfSense CE 2.7.0-RELEASE includes fixes for the following potential vulnerabilities:

  • pfSense-SA-22_05.webgui: A potential XSS vulnerability in firewall_aliases.php from URL table alias URLs.

  • pfSense-SA-23_01.webgui: A potential XSS vulnerability in diag_edit.php from browsing directories containing specially crafted filenames on the filesystem.

  • pfSense-SA-23_02.webgui: A potential XSS vulnerability in system_camanager.php and system_certmanager.php from specially crafted descriptions when editing entries.

  • pfSense-SA-23_03.webgui: A potential authenticated arbitrary file creation vulnerability from the name parameter when creating or editing URL table aliases.

  • pfSense-SA-23_04.webgui: A potential authenticated arbitrary command execution vulnerability in status.php from specially crafted filenames on the filesystem.

  • pfSense-SA-23_05.sshguard: Anti-brute force protection bypass for GUI authentication requests containing certain proxy headers.

  • pfSense-SA-23_06.webgui A potential Authenticated Command Execution vulnerability from the bridgeif parameter on interfaces_bridge_edit.php in the GUI.

pfSense CE

Changes in this version of pfSense CE software.

Aliases / Tables

  • Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296

  • Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708

  • Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727

  • Added: Retain descriptions when exporting and importing aliases #12842

  • Fixed: Potential XSS from URL and URL Table alias URLs #13060

  • Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282

  • Added: Specify CA trust store location when downloading and validating URL alias content #13367

  • Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425

  • Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538

  • Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

  • Fixed: Using PF reserved keywords for interface descriptions results in an invalid ruleset #14007

  • Fixed: Alias list is not sorted #14015


  • Fixed: User password hashes pseudo-random number generator may return insecure salt value #12801

  • Added: GUI option to select the user password hashing algorithm #12855

  • Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

  • Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561

  • Fixed: Extra remote address information can confuse sshguard #13574

  • Changed: Improve LDAP debugging #13718

  • Added: Option to enable/disable console bell, enabled by default #14002

Auto Configuration Backup

  • Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266

  • Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

  • Fixed: Auto Config Backup prints a confusing decryption error when using the wrong key #14060

Backup / Restore

  • Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556

  • Added: Support encrypted config.xml files when restoring via ECL #12685

  • Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724

  • Added: Ability to sort AutoConfigBackup entries #12773

  • Fixed: Sanitize SHA-512 user password hashes in status.php output #12810

  • Added: Option to restore dashboard widget layout #13125

  • Fixed: PHP error restoring DHCP lease data on fresh installation: #13157

  • Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289

  • Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861

  • Fixed: RRD restore process does not sanitize filenames from backup XML #13935

Build / Release

  • Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782


  • Fixed: CARP VIPs can become master too early at boot time #2218

  • Changed: Reorganize CARP status page #12701

  • Fixed: CARP event storm when leaving persistent CARP maintenance mode #12961

Captive Portal

  • Fixed: Allowed IP/Hostname “Direction” option is never used #12649

  • Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651

  • Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733

  • Fixed: Only TCP traffic is passed outbound through IPFW #12834

  • Changed: Transition Captive Portal from IPFW to PF #13100

  • Fixed: Voucher CSV output has leading space before voucher code #13272

  • Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323

  • Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391

  • Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396

  • Fixed: Captive Portal does not keep track of client data usage #13418

  • Fixed: All Captive Portal users are given the same limiter pipe pair #13488

  • Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838

  • Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853


  • Fixed: CA path is not defined when using curl in the shell #12737

  • Added: Option to retain the existing serial number when renewing a CA or certificate #13010

  • Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257

  • Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387

  • Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424

  • Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

  • Fixed: Some blank SAN fields are not ignored when creating a certificate #14124

  • Added: Ability to edit Certificate Revocation List properties #14185

  • Changed: Add note to inform the user that the “Next Certificate Serial” value is ignored when the “Randomize Serial” option is enabled #14188

Configuration Backend

  • Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675

  • Added: Eliminate duplicate shell commands from history file #12741

  • Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Configuration Upgrade

  • Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

  • Fixed: PHP Error in upgrade216_ipsec_create_vtimap() #14400

Console Menu

  • Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632

  • Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103

  • Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258


  • Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345

  • Fixed: Disabling DHCP Server RRD statistics does not work #12710

  • Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892

  • Fixed: HTTPClient option does not work for static mappings #12896

  • Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923

  • Added: Relax DHCP maximum lease time input validation #13118

  • Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127

  • Changed: Clean up DHCP Server option language #13250

  • Fixed: DHCP Server generates an invalid configuration for static mappings when defining network booting and UEFI HTTPBoot URL #13573

  • Added: Input validation for numbered DHCP options in static mappings #13584

  • Fixed: DHCP Server page does not properly select a default interface tab if neither WAN nor LAN are capable of being DHCP servers #14115


  • Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880

  • Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527

  • Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582

  • Fixed: Uninitialized array in array_remove_duplicates() #12749

  • Fixed: Advanced DHCP6 client settings only work for a single interface #13462

  • Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594

  • Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

  • Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

  • Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902

  • Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

  • Fixed: DNS Forwarder (dnsmasq) is using an invalid combination of options when “Query DNS servers sequentially” is enabled #13655

DNS Resolver

  • Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612

  • Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613

  • Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636

  • Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781

  • Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985

  • Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991

  • Added: DNS Resolver option to keep probing when servers are down #13023

  • Fixed: DNS resolver does not update its configuration or reload during link down events #13254

  • Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393

  • Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453

  • Fixed: DNS Resolver does not generate automatic ACLs for IPv6 when Network Interfaces is set to “All” #13851

  • Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867

  • Changed: Update Unbound to 1.17.1 #13893

  • Fixed: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR #14056

  • Fixed: Setting system DNS servers can incorrectly modify routes for interface addresses #14288

  • Fixed: Discrepancy in “TTL for Host Cache Entries” Description #14358


  • Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253

  • Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714

  • Fixed: Uptime displays plural seconds for multiple minutes in the System Information Dashboard widget #14176

  • Added: Support for Intel PCH temperature values in thermal sensors #14255


  • Fixed: diag_pftop.php does not fully encode output #12915

  • Fixed: File browser on diag_edit.php does not encode filenames before display #13262

  • Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318

  • Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426

  • Changed: Add multicast group membership (ifmcstat) to status.php #13731

  • Changed: Add more disk information to status output #14103

Dynamic DNS

  • Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590

  • Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672

  • Added: IPv6 support for DNSimple Dynamic DNS #12744

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750

  • Added: Support wildcard Dynamic DNS records on DigitalOcean #12752

  • Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

  • Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167

  • Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298

  • Fixed: DNSExit Dynamic DNS updates no longer work #13303

  • Changed: Improve DynDNS help text readability #14186


  • Fixed: Resolve interval for filterdns may not match the configured value #13067


  • Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080

  • Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716

  • Changed: Update Time Zone data to 2023c or later #14209

Gateway Monitoring

  • Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633

  • Added: Option to disable auto-addition of static routes for dpinger #12687

  • Changed: Update dpinger to 3.2 #12881

  • Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076

  • Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295


  • Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692

  • Fixed: IPv6 link local gateway default status not indicated in GUI #11764

  • Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it not including interface scope properly #12721

  • Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

  • Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

  • Fixed: Gateway popup in firewall rule list does not indicate current gateway status #14327

Hardware / Drivers

  • Added: Chelsio TOE support using the t4_tom module #9091

  • Fixed: Intel e1000 driver (em, igb) cannot pass packets tagged with VLAN 0 #12821

  • Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

  • Fixed: Malicious Driver Detection event on ixl(4) driver #13003

  • Fixed: UDP checksum errors with ixgbe interfaces #13883

High Availability

  • Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy

  • Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609


  • Added: Option to choose default tab in IPsec status Dashboard widget #2456

  • Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226

  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: Disallow remote gateway of for VTI mode #12723

  • Fixed: VTI gateway status stuck as “pending” after reboot #12763

  • Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953

  • Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975

  • Fixed: Deadlock in Charon VICI interface #13014

  • Added: GUI option for IPsec dns-interval setting #13057

  • Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071

  • Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131

  • Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373

  • Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398

  • Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579

  • Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647

  • Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

  • Fixed: Reassembled packets received on a VTI are not forwarded #14396


  • Fixed: Support encrypted config.xml files when restoring during install #12691

  • Added: Recover existing SSH keys during installation #12809


  • Added: Show SFP module details on status_interfaces.php #8861

  • Added: Improved support for USB interfaces that may not always be present #9393

  • Fixed: Primary interface address is not always used when VIPs are present #11545

  • Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629

  • Added: Support for VLAN 0 #12070

  • Fixed: devd is not configured to act on USB interface attach/detach events #12606

  • Changed: Restart services on interface changes #12619

  • Fixed: Interface status “Total Interrupts” display is non-functional #12735

  • Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780

  • Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790

  • Fixed: Link-local address does not reset after removing MAC address spoofing #12794

  • Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866

  • Fixed: The ruleset is not regenerated after assigning an interface #12949

  • Fixed: Bridges with QinQ interfaces not properly set up at boot #13225

  • Changed: Start rtsold immediately after dhcp6c sends a request #13492

  • Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493

  • Changed: Clean up obsolete code in pfSense-dhclient-script #13501

  • Fixed: DHCP client can fail permanently if an interface is down at boot #13671

  • Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

  • Changed: Trim blank characters from static IP address fields on the Interface configuration page #13959

  • Fixed: Bridge interface is not properly validated when submitted on interfaces_bridge_edit.php #14052


  • Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066

  • Fixed: L2TP stays bound to previous IP address after static IP address change #13082

  • Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099

LAGG Interfaces

  • Added: GUI option to configure layers for LACP hash #12819


  • Added: Option to control log level of authentication messages in system logs (“Emergency” vs “Notice” level) #12464


  • Fixed: Slack notification options only allow - as a special character in channel names #13083

  • Fixed: Identical SMTP notifications repeat in an infinite loop under certain conditions #14031

  • Fixed: Notices incorrectly set system LEDs on hardware with less than three LEDs #14482


  • Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416

  • Fixed: OpenVPN stays bound to previous IP address after interface changes #11864

  • Added: OpenVPN option to limit concurrent connections per user #12267

  • Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332

  • Added: Use deferred client connections in OpenVPN #12407

  • Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628

  • Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771

  • Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817

  • Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884

  • Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887

  • Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925

  • Changed: Warn about OpenVPN shared key deprecation #12981

  • Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056

  • Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061

  • Fixed: OpenVPN Client Overrides: properly hide/show form fields #13088

  • Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116

  • Changed: OpenVPN status page improvements #13129

  • Fixed: OpenVPN client-connect file contains topology #13133

  • Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145

  • Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

  • Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274

  • Changed: Update OpenVPN Wizard to match current certificate and OpenVPN options #14183

  • Changed: Remove deprecated NCP enable/disable toggle from OpenVPN #14201

Operating System

  • Fixed: pf hostid value is handled inconsistently #12703

  • Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862

  • Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

  • Changed: Update memory graphs to account for changes in memory reporting #14011

  • Fixed: Netlink debug messages from IPsec #14370

  • Added: wpa_supplicant: add VLAN 0 support #14457

PHP Interpreter

  • Added: Upgrade PHP from 7.4 to 8.1 #13446

  • Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

  • Changed: Update PHP to 8.2.6 #14027

PPP Interfaces

  • Fixed: Services are not restarted when PPP interfaces connect #12811

  • Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

  • Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

  • Fixed: IPv6 does not work on secondary PPPoE WAN #13939

PPPoE Server

  • Fixed: PPPoE server panics with multiple client connections #13210

Package System

  • Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

  • Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766

  • Fixed: write_rcfile() does not create rc_restart() entry #13004

  • Added: Package plugin hook for web server configuration stanzas #13054

Packet Capture

  • Added: Button to clear previous packet capture data #12968

  • Added: Packet Capture GUI with granular control #13382


  • Added: Enable ROUTE_MPATH multipath routing #9544

  • Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536

  • Fixed: Cannot remove IPv6 static routes #12728

  • Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route #13048

Rules / NAT

  • Added: Toggle button to disable/enable multiple firewall rules #2505

  • Added: Port forward NAT rules with “any” protocol #4259

  • Added: Allow NPt to use dynamic IPv6 networks #4881

  • Added: Button to copy rules from one interface to another #8365

  • Fixed: Rule separator positions change when deleting multiple rules #9887

  • Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984

  • Added: Utilize new pfctl abilities to kill states #12092

  • Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319

  • Added: Allow the selection of “any” interface in floating rules #12392

  • Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678

  • Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792

  • Fixed: Error loading ruleset due to illegal TOS value #12803

  • Fixed: High latency and packet loss during a filter reload #12827

  • Fixed: On startup “No routing address with matching address” might appear #12847

  • Added: Toggle button to disable/enable multiple entries on NAT pages #12879

  • Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957

  • Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012

  • Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015

  • Fixed: Input validation requires a gateway for floating match out rules #13027

  • Fixed: Empty negate_networks table breaks policy routing rules #13049

  • Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055

  • Added: Allow auto prefix with manual prefix-length in NPt #13070

  • Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164

  • Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171

  • Fixed: Incorrect usage of DSCP hex value #13178

  • Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420

  • Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445

  • Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505

  • Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545

  • Fixed: The “Kill States” button does not work consistently #14091

  • Changed: Match upstream changes in PF syntax to disable fragment disassembly #14098

  • Fixed: Associated firewall rule for NAT port forward does not inherit nosync property, gets synchronized #14335

  • Fixed: Default tab on firewall_rules.php is not selected if the configuration has no WAN interface #14345

  • Fixed: Outbound NAT rule input validation error when attempting to manually specify “Other Subnet” with a valid address #14354

  • Fixed: Enable IPv6 over IPv4 tunneling option results in invalid PF rule #14415


  • Fixed: SNMP daemon is restarted during every rc.newwanip event #12611


  • Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775

Setup Wizard

  • Changed: Update firewall host and domain fields in the Setup Wizard to match the description and warning text from system.php #14250

System Logs

  • Fixed: Firewall log parser does not handle SCTP log entries #13940

Traffic Shaper (ALTQ)

  • Changed: Remove code references to unused reset parameter from traffic shaper pages #13042

  • Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304

  • Added: Include ixv in ALTQ capable NIC list #14408

Traffic Shaper (Limiters)

  • Fixed: Incorrect ICMP reply when using limiters #9263

  • Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003

  • Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579

  • Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

  • Fixed: Traffic shaped by limiters is dropped when routed to a GIF gateway #14055

Traffic Shaper Wizards

  • Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937


  • Fixed: Polish translation contains an invalid sprintf() format in the text for firewall_nat_out_edit.php #13946


  • Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

  • Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port #7727

  • Changed: Reorganize UPnP options #12624

  • Changed: Update miniupnpd to 2.3.3 #14307


  • Fixed: Many exec() functions do not use full path to executable files #11941

  • Fixed: URL scheme is not properly validated in some cases #14356


  • Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

  • Fixed: pfSense-boot can fail to copy the EFI bootloader #14045

User Manager / Privileges

  • Added: Support for RADIUS authentication over IPv6 #4154

  • Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Virtual IP Addresses

  • Fixed: Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active #13908

Web Interface

  • Fixed: Unnecessary link tag in login page #7996

  • Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730

  • Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141

  • Changed: GUI pages should use POST for AJAX calls, not GET #12431

  • Fixed: Zero-value prefix IPv6 addresses are mishandled #12440

  • Added: Option to filter state table contents by rule ID #12616

  • Fixed: Changing RAM disk size does not prompt to reboot #12876

  • Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960

  • Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069

  • Added: Trim whitespace from MAC addresses in user input #13109

  • Changed: Spelling and typo corrections #13357

  • Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390

  • Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436

  • Changed: Update external HTTPS/HTTP links #13440

  • Fixed: Table row selection has poor contrast in Dark theme #13448

  • Added: Support for iwlwifi wireless interfaces #14050


  • Fixed: Wireless interface WPA configuration fields are always visible #12998

  • Fixed: Duplicate wireless interfaces are created at boot #12999


  • Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940

  • Fixed: Filter/NAT rules configured with “No XMLRPC Sync” enabled are still synchronized #14316