2.8.0 New Features and Changes

This pfSense® CE software release includes new features and bug fixes.

Upgrade Notes

Warning

Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.

To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.

Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this section, but the best practice is to follow all of the precautions noted in the Upgrade Guide.

Boot Loader

This version requires an updated boot loader, which the upgrade process handles automatically in nearly all cases. However, there are edge cases where the automatic update does not update the loader the device actually boots from, for example when there are multiple unmirrored disks and the BIOS/EFI firmware boots not from the disk containing the updated loader but from an older, unrelated installation on a separate disk. One particular case where this can happen is a previous installation to MMC followed by an installation to an add-on SSD without clearing the MMC contents.

In these cases the best practice is to wipe the unused disk so it cannot interfere. See Troubleshooting Multiple Disks for details.

Legacy Serial Console

After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.

See also

See ISA Serial Console not Fully Functional for details and a workaround.

Low Memory Hardware

Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running.

Tip

For devices running ZFS, see ZFS Tuning for information on reducing ZFS memory usage.

For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.

General

  • PHP has been upgraded from 8.2.x to 8.3.x

  • The base operating system has been upgraded to FreeBSD 15-CURRENT

  • This version of pfSense CE software includes a new kernel-based PPPoE backend, if_pppoe. This will replace the current MPD-based implementation. This new backend is more efficient and enables much faster speeds over PPPoE interfaces.

    This new PPPoE backend is not active by default in this version, but can be enabled with the global option under System > Advanced on the Networking tab. This backend will be enabled by default on future versions of pfSense Plus software.

    The if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.

  • The default State Policy has been changed from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing (route-to), reply-to, as well as with High Availability state synchronization (pfsync) on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI.

    The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab.

    There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.

  • This release includes support for enhanced gateway recovery “fail back” by optionally clearing states from lower tier gateways when a more preferred gateway recovers.

  • This release includes support for High Availability in the Kea DHCP daemon.

    This implementation has several advantages over the older ISC DHCP implementation, including:

    • Supports HA for DHCPv4 and DHCPv6.

    • Simplified HA setup, all in one place on each node for each type.

    • Works in hot standby mode, which is more reliable.

    • Can synchronize lease data over the SYNC interface for security and ease of use, and can optionally encrypt the sync data for added protection.

    See also

    For in-depth information on this feature, see https://www.netgate.com/blog/improvements-to-kea-dhcp

  • This release includes support for DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver.

    • DNS records are updated dynamically on-the-fly; they do not require a resolver restart and are not disruptive.

    • Supports DNS Registration for DHCPv4 and DHCPv6.

    • DNS Registration can be configured per-interface or globally, with the ability to enable or disable specific interfaces as needed.

    • DNS records are not limited to the system domain name. DNS Registration honors the domain name in the DHCP settings for each interface and on static mappings.

    • DNS records are accurate and updated on both high availability peers.

    • Static mappings can be registered when Kea starts (similar to ISC) or when a static mapping client obtains a lease.

See also

For additional details on the implementation of Kea DHCP features, see https://redmine.pfsense.org/issues/15650
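The State Policy change described above, shown in raw pf.conf syntax as an added illustration (this is not the release notes' text nor the ruleset pfSense generates; the interface names and rules are assumed placeholders):

```conf
# Global default. "Interface Bound" in the GUI corresponds to pf's if-bound:
# a state created on one interface only matches packets on that interface,
# so a spoofed or misrouted packet arriving on another interface cannot
# ride an existing state.
set state-policy if-bound

# The previous default, "Floating": a state matches on any interface.
# set state-policy floating

# Placeholder interface names.
wan = "vtnet0"
lan = "vtnet1"

# Inherits the global if-bound policy: replies must return via $wan.
pass out on $wan proto tcp from $lan:network to any port 443 keep state

# Per-rule override back to floating (the GUI's per-rule advanced option),
# for traffic where replies may legitimately arrive on a different
# interface, such as the IPsec VTI and route-to/reply-to cases noted above.
pass out on $wan proto udp from any to any port 4500 keep state (floating)
```

After a filter reload, `pfctl -s states` lists each state with the interface it is bound to, which is the quickest way to confirm which policy a given rule produced.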

pfSense CE

Changes in this version of pfSense CE software.

Aliases / Tables

  • Added: Allow user-defined rules to utilize built-in system aliases #1979

  • Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096

  • Added: System Aliases for various reserved networks #15776

  • Changed: Exclude the WireGuard and Tailscale interface group system aliases from rules #15848

Authentication

  • Fixed: PHP errors in LDAP server prevent it from falling back to Local Database #15122

  • Fixed: GUI logout messages do not use the auth log facility #15719

Auto Configuration Backup

  • Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249

  • Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224

  • Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711

  • Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718

  • Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010

  • Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011

  • Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012

  • Changed: AutoConfigBackup code cleanup and GUI refresh #16013

  • Added: Download function for AutoConfigBackup entries #16014

  • Added: Method to change the AutoConfigBackup device key #16015

Backup / Restore

  • Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728

  • Fixed: DHCP leases may not be restored from older configuration backups #15076

  • Fixed: PHP error when generating a notification after detecting a malformed configuration #15157

  • Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624

CARP

  • Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026

Captive Portal

  • Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226

  • Added: Support using a mask to block MAC addresses in Captive Portal #15257

  • Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299

  • Fixed: Captive Portal logo fails to load after authenticated redirect #15404

  • Fixed: Captive Portal zones can fail to start due to ID conflict #15772

  • Fixed: PHP error in Captive Portal with undefined zone interface list #15907

  • Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030

  • Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032

Certificates

  • Fixed: Certificate Manager GUI inconsistency in Revocation tab titles #15454

  • Added: Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical #15818

  • Changed: Additional error handling for invalid certificate configuration #15975

Configuration Backend

  • Fixed: System proxy credentials with certain characters may fail to authenticate #15565

Console Menu

  • Changed: Dynamically adjust the interface name maximum width in the login banner #13268

  • Fixed: Declining to reset the admin account via the console menu still prompts to change the password #15751

DHCP (IPv4)

  • Added: Settings tab for global Kea DHCP server options #5080

  • Added: Better handling of duplicate IP addresses in static DHCP assignments #13256

  • Changed: Reduce log spam when deleting a static DHCP entry #13263

  • Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894

  • Fixed: Kea fails to restart due to race between process termination and startup #14977

  • Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991

  • Fixed: Kea DHCP PHP error from WINS server value #14996

  • Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032

  • Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130

  • Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321

  • Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328

  • Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332

  • Added: Kea High Availability Support (IPv4 and IPv6) #15575

  • Added: Kea Static ARP Support (IPv4 only) #15654

  • Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702

  • Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828

  • Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019

DHCP (IPv6)

  • Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947

  • Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117

  • Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118

DNS Forwarder

  • Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165

  • Fixed: DNS Forwarder ignores “Use remote DNS Servers, ignore local DNS” setting #15434

  • Changed: Update dnsmasq to version 2.90 #15465

DNS Resolver

  • Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942

  • Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071

  • Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135

  • Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139

  • Changed: Update Unbound to 1.22.0 #15483

  • Fixed: Automatic EDNS value may be lower than expected #15704

  • Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722

  • Fixed: unbound-checkconf fails with python mode enabled #15723

Dashboard

  • Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673

  • Added: Improve Thermal Sensors Dashboard widget readability #13520

  • Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933

  • Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373

  • Added: Show current boot method in System Information Dashboard widget #15422

  • Fixed: Incorrect icon on collapsed dashboard widgets #15439

  • Fixed: Dashboard widgets refresh at unintended intervals #15725

  • Changed: Improve Thermal Sensors Dashboard widget refresh code #15728

  • Fixed: Session cookie warnings #15729

  • Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767

  • Changed: Improve the system load impact from Dashboard widgets #15969

Diagnostics

  • Added: Add Kea information to status.php #14953

  • Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162

  • Fixed: crash_reporter.php displays PHP Error log without encoding #15264

  • Added: Add EFI boot information to status.php #15297

  • Added: Add loader.conf.lua contents to status.php #15298

  • Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310

  • Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490

  • Fixed: File browser on diag_edit.php does not encode directory names before display #15525

  • Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657

  • Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005

  • Fixed: Cannot kill states using the post-NAT address #16047

Dynamic DNS

  • Added: Enable @ support for Azure in Dynamic DNS #10000

  • Added: Improve Dynamic DNS client IPv6 support #11177

  • Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067

  • Added: Enable @ support for name.com in Dynamic DNS #14289

  • Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605

  • Changed: Update Dynamic DNS API URL for porkbun.com #15779

  • Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802

  • Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028

  • Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046

FreeBSD

  • Fixed: Kernel panic in HA nodes when under high load #15413

Gateway Monitoring

  • Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920

  • Fixed: Gateway monitoring includes disabled gateways #15635

  • Fixed: The monitoring IP address for dynamic gateways may be unexpectedly routed via a different gateway #16069

Gateways

  • Fixed: Killing states on downed gateways breaks when Skip rules when gateway is down is enabled #15223

  • Fixed: Killing states on downed gateways breaks for static interface configurations #15225

  • Fixed: Removing a gateway group used as the default gateway results in no default route #15248

  • Changed: Clarify descriptions for gateway recovery options #15429

  • Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589

  • Fixed: No default route after boot #15791

Hardware / Drivers

  • Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498

  • Added: Recognize QAT 4xxx devices in System Information Widget #15233

High Availability

  • Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795

IGMP Proxy

  • Fixed: IGMP proxy works intermittently #15043

  • Fixed: Kernel Panic when IGMPProxy gets CIDR Removed #15831

IPsec

  • Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312

  • Fixed: Large number of IPsec tunnels causes long filter reload times #14893

  • Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124

  • Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147

  • Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171

  • Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176

  • Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245

  • Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384

  • Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598

  • Fixed: Mobile IPsec does not automatically switch to failover gateway #15685

  • Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755

  • Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD #12581

  • Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938

  • Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936

  • Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967

  • Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057

  • Added: PREF64 support in Router Advertisements #15808

  • Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876

Installer

  • Fixed: Clean installation using Auto (ZFS) + MBR (BIOS) does not boot #14930

  • Fixed: Installing to ZFS mirror does not format or populate EFI partition on additional disks #15083

Interfaces

  • Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083

  • Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431

  • Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181

  • Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423

  • Added: Use natural sorting when sorting interfaces #15437

  • Fixed: OpenVPN QinQ interface creation fails #15692

  • Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778

  • Fixed: Config access error with null static routes #16104

  • Fixed: Config access error after changing an interface from DHCP to Static #16105

LAGG Interfaces

  • Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453

Logging

  • Fixed: Restarting the logging daemon during rotation also restarts sshguard, leading to frequent log messages #12747

  • Changed: Remove Time column from OS Boot logs #15106

  • Added: Enhanced firewall log action information display #15415

  • Fixed: PHP error when saving System Log settings #15988

Multi-WAN

  • Added: Ability to selectively kill states on gateway recovery #855

NTPD

  • Added: NTP authentication support #8794

OpenVPN

  • Added: More GUI options for OpenVPN Client-Specific Overrides #12522

  • Added: OpenVPN NBDD server options #13085

  • Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087

  • Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089

  • Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090

  • Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386

  • Fixed: OpenVPN forms invalid route statements for empty local networks #14919

  • Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133

  • Fixed: OpenVPN Wizard fails when a VIP is used #15148

  • Changed: Remove deprecated OpenVPN hardware crypto engine option #15188

Operating System

  • Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980

  • Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648

  • Fixed: Static ARP assignments lose permanent flag in ARP table #14970

  • Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054

  • Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108

  • Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288

  • Fixed: Proxy variables in crontab contents are improperly formatted #15502

  • Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777

  • Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081

PHP Interpreter

  • Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268

  • Fixed: Extensions directory is not set in rc.php_ini_setup #14488

  • Changed: Update PHP to 8.3.x #15053

  • Fixed: check_dnsavailable() failing even when DNS is available #15127

  • Fixed: PHP error display formatting issues #15263

  • Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471

Package System

  • Added: Allow overriding text scrolling during package install/uninstall #15022

  • Fixed: Extra space in pkg configuration file FreeBSD.conf #15069

  • Fixed: Updates fail against an authenticated upstream proxy #15094

  • Fixed: Package navigation menus can be duplicated when reinstalling the package #15700

  • Fixed: The package post-install script does not run with a system upgrade on ZFS #16057

  • Changed: pkg no longer supports setting ALTABI manually at run-time #16060

Packet Capture

  • Fixed: Unable to perform Packet Captures on a tailscale interface in GUI with default settings #15145

  • Added: Allow filtering packet captures by system-defined protocols #15609

Routing

  • Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290

  • Fixed: IPsec VTI static routes may not be added after the system boots #15449

  • Fixed: Routes with IPv6 Address as Next Hop for IPv4 Destination Causes Kernel Panic #15601

Rules / NAT

  • Added: NAT64 support #2358

  • Added: Kill states using the pre-NAT address #11556

  • Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173

  • Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183

  • Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197

  • Fixed: Advanced rule options tooltip does not show negated Tag option #15214

  • Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234

  • Fixed: Egress states remain when killing states for scheduled rules #15252

  • Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430

  • Fixed: Per-rule byte counter values lost across a filter reload #15516

  • Fixed: Separator positions are incorrect when copying interface group rules #15537

  • Added: GUI options to change default SCTP state timeouts #15661

  • Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671

  • Fixed: Incorrect rule may be opened for editing after rule order has changed #15935

  • Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076

S.M.A.R.T.

  • Changed: Query for SMART data only on root disk devices #15586

SNMP

  • Fixed: File descriptor leak in bsnmpd #15481

Services

  • Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552

Setup Wizard

  • Changed: Error handling in the Setup Wizard is very user-unfriendly #15302

System Logs

  • Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092

Traffic Shaper (Limiters)

  • Fixed: Input validation error when applying limiter changes #13158

  • Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662

  • Fixed: Cannot add limiters named new #13687

  • Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854

  • Fixed: Fragmented packets delayed by limiters are lost #15156

  • Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363

  • Fixed: PHP error when a queue is added with the same name as a limiter #15914

UPnP IGD & PCP

  • Fixed: Port forward rules created by miniupnpd do not expire #15470

  • Changed: Update UPnP IGD & PCP GUI text #15864

  • Changed: Make the UPnP IGD & PCP STUN port optional #15865

Upgrade

  • Fixed: Upgrading an EFI system installed to ZFS mirror does not upgrade EFI loader on additional disks #15084

  • Changed: Link to release information on the system update page #15953

  • Fixed: Boot loader is not upgraded on UFS installs #16064

User Manager / Privileges

  • Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282

  • Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318

  • Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442

  • Fixed: PHP error when a user is denied access to the dashboard #15873

  • Fixed: Users with Deny Config Write privilege can trigger logging operations #15874

  • Fixed: Users with Deny Config Write privilege can change their own password #15908

Virtual IP Addresses

  • Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929

  • Fixed: Network and broadcast address input validation is incorrectly applied to IPv6 VIPs #15361

Web Interface

  • Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943

  • Added: Custom message text for the login screen #9293

  • Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413

  • Changed: Update vendor files #13537

  • Fixed: status_interfaces.php is missing several values for SFP modules #15112

  • Changed: Remove jquery-treegrid unit testing files #15265

  • Added: 50x and 404 error handling to GUI web server configuration #15322

  • Changed: Remove deprecated HTTP/1.0 Pragma header #15781

  • Changed: Use minified nvd3 vendor files #15782

  • Changed: Update nginx HTTP2 syntax #15863

  • Fixed: Incorrect color in button text within disabled rows #15977

XMLRPC

  • Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067

  • Fixed: Changes to the admins user group are not synced to the secondary node #15898