2.8.0 New Features and Changes¶

This pfSense® CE software release includes new features and bug fixes.

Upgrade Notes¶

Warning

Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.

To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.

Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this section, but the best practice is to follow all of the precautions noted in the Upgrade Guide.

Boot Loader¶

This version requires an updated boot loader, which is automatically handled by the upgrade process for nearly all cases. However, there may be some edge cases where the automatic update does not update the loader currently used by the device. For example, if there are multiple unmirrored disks and the BIOS/EFI Firmware is not booting from the disk containing the updated loader, but an older unrelated installation on a separate disk. One particular case where this can happen is when there is a previous installation to MMC which has been followed by an installation to an add-on SSD without clearing the MMC contents.

In these cases the best practice is to wipe the unused disk so it cannot interfere. See Troubleshooting Multiple Disks for details.

Legacy Serial Console¶

After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.

Low Memory Hardware¶

Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running.

Tip

For devices running ZFS, see ZFS Tuning for information on reducing ZFS memory usage.

For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.

General¶

PHP has been upgraded from 8.2.x to 8.3.x
The base operating system has been upgraded to FreeBSD 15-CURRENT
This version of pfSense CE software includes a new kernel-based PPPoE backend, if_pppoe. This will replace the current MPD-based implementation. This new backend is more efficient and enables much faster speeds over PPPoE interfaces.

This new PPPoE backend is not active by default in this version, but can be enabled with the global option under **System > Advanced** on the **Networking** tab. This backend will be enabled by default on future versions of pfSense Plus software.

The if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.
The default State Policy has been changed from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing (route-to), reply-to, as well as with High Availability state synchronization (pfsync) on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI.

The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab.

There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
See also
This release includes support for enhanced gateway recovery “fail back” by optionally clearing states from lower tier gateways when a more preferred gateway recovers.
See also
- State Killing on Gateway Recovery
- Gateway Group Options
This release includes support for High Availability in the Kea DHCP daemon.

This implementation has several advantages over the older ISC DHCP implementation, including:
- Supports HA for DHCPv4 and DHCPv6.
- Simplified HA setup, all in one place on each node for each type.
- Works in hot standby mode, which is more reliable.
- Can synchronize lease data over the SYNC interface for security and ease of use, and can optionally encrypt the sync data for added protection.
See also

For in-depth information on this feature, see https://www.netgate.com/blog/improvements-to-kea-dhcp
This release includes support for DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver
- DNS records are updated dynamically on-the-fly, they do not require a resolver restart and are not disruptive.
- Supports DNS Registration for DHCPv4 and DHCPv6
- DNS Registration can be configured on a per-interface or global manner, with the ability to enable or disable specific interfaces as needed.
- DNS records are not limited to the system domain name. DNS Registration honors the domain name on the DHCP settings for each interface and on static mappings.
- DNS records are accurate/updated on both high availability peers
- Static mappings can be registered when Kea starts (similar to ISC) or when a static mapping client obtains a lease.

pfSense CE¶

Changes in this version of pfSense CE software.

Aliases / Tables¶

Added: Allow user-defined rules to utilize built-in system aliases #1979
Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096
Added: System Aliases for various reserved networks #15776
Changed: Exclude the WireGuard and Tailscale interface group system aliases from rules #15848

Authentication¶

Fixed: PHP errors in LDAP server prevent it from falling back to Local Database #15122
Fixed: GUI logout messages do not use the auth log facility #15719

Auto Configuration Backup¶

Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249
Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224
Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711
Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718
Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010
Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011
Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012
Changed: AutoConfigBackup code cleanup and GUI refresh #16013
Added: Download function for AutoConfigBackup entries #16014
Added: Method to change the AutoConfigBackup device key #16015

Backup / Restore¶

Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728
Fixed: DHCP leases may not be restored from older configuration backups #15076
Fixed: PHP error when generating a notification after detecting a malformed configuration #15157
Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624

CARP¶

Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026

Captive Portal¶

Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226
Added: Support using a mask to block MAC addresses in Captive Portal #15257
Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299
Fixed: Captive Portal logo fails to load after authenticated redirect #15404
Fixed: Captive Portal zones can fail to start due to ID conflict #15772
Fixed: PHP error in Captive Portal with undefined zone interface list #15907
Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030
Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032

Certificates¶

Fixed: Certificate Manager GUI inconsistency in Revocation tab titles #15454
Added: Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical #15818
Changed: Additional error handling for invalid certificate configuration #15975

Configuration Backend¶

Fixed: System proxy credentials with certain characters may fail to authenticate #15565

DHCP (IPv4)¶

Added: Settings tab for global Kea DHCP server options #5080
Added: Better handling of duplicate IP addresses in static DHCP assignments #13256
Changed: Reduce log spam when deleting a static DHCP entry #13263
Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894
Fixed: Kea fails to restart due to race between process termination and startup #14977
Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991
Fixed: Kea DHCP PHP error from WINS server value #14996
Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032
Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130
Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321
Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328
Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332
Added: Kea High Availability Support (IPv4 and IPv6) #15575
Added: Kea Static ARP Support (IPv4 only) #15654
Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702
Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828
Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019

DHCP (IPv6)¶

Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947
Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117
Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118

DNS Forwarder¶

Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165
Fixed: DNS Forwarder ignores “Use remote DNS Servers, ignore local DNS” setting #15434
Changed: Update dnsmasq to version 2.90 #15465

DNS Resolver¶

Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942
Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071
Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135
Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139
Changed: Update Unbound to 1.22.0 #15483
Fixed: Automatic EDNS value may be lower than expected #15704
Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722
Fixed: unbound-checkconf fails with python mode enabled #15723

Dashboard¶

Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673
Added: Improve Thermal Sensors Dashboard widget readability #13520
Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933
Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373
Added: Show current boot method in System Information Dashboard widget #15422
Fixed: Incorrect icon on collapsed dashboard widgets #15439
Fixed: Dashboard widgets refresh at unintended intervals #15725
Changed: Improve Thermal Sensors Dashboard widget refresh code #15728
Fixed: Session cookie warnings #15729
Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767
Changed: Improve the system load impact from Dashboard widgets #15969

Diagnostics¶

Added: Add Kea information to status.php #14953
Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162
Fixed: crash_reporter.php displays PHP Error log without encoding #15264
Added: Add EFI boot information to status.php #15297
Added: Add loader.conf.lua contents to status.php #15298
Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310
Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490
Fixed: File browser on diag_edit.php does not encode directory names before display #15525
Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657
Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005
Fixed: Cannot kill states using the post-NAT address #16047

Dynamic DNS¶

Added: Enable @ support for Azure in Dynamic DNS #10000
Added: Improve Dynamic DNS client IPv6 support #11177
Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067
Added: Enable @ support for name.com in Dynamic DNS #14289
Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605
Changed: Update Dynamic DNS API URL for porkbun.com #15779
Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802
Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028
Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046

FreeBSD¶

Fixed: Kernel panic in HA nodes when under high load #15413

Gateway Monitoring¶

Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920
Fixed: Gateway monitoring includes disabled gateways #15635
Fixed: The monitoring IP address for dynamic gateways may be unexpectedly routed via a different gateway #16069

Gateways¶

Fixed: Killing states on downed gateways breaks when Skip rules when gateway is down is enabled #15223
Fixed: Killing states on downed gateways breaks for static interface configurations #15225
Fixed: Removing a gateway group used as the default gateway results in no default route #15248
Changed: Clarify descriptions for gateway recovery options #15429
Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589
Fixed: No default route after boot #15791

Hardware / Drivers¶

Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498
Added: Recognize QAT 4xxx devices in System Information Widget #15233

High Availability¶

Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795

IGMP Proxy¶

Fixed: IGMP proxy works intermittently #15043
Fixed: Kernel Panic when IGMPProxy gets CIDR Removed #15831

IPsec¶

Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312
Fixed: Large number of IPsec tunnels causes long filter reload times #14893
Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124
Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147
Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171
Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176
Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245
Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384
Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598
Fixed: Mobile IPsec does not automatically switch to failover gateway #15685
Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755
Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095

IPv6 Router Advertisements (radvd/rtsold)¶

Fixed: Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD #12581
Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938
Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936
Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967
Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057
Added: PREF64 support in Router Advertisements #15808
Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876

Installer¶

Fixed: Clean installation using Auto (ZFS) + MBR (BIOS) does not boot #14930
Fixed: Installing to ZFS mirror does not format or populate EFI partition on additional disks #15083

Interfaces¶

Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083
Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431
Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181
Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423
Added: Use natural sorting when sorting interfaces #15437
Fixed: OpenVPN QinQ interface creation fails #15692
Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778
Fixed: Config access error with null static routes #16104
Fixed: Config access error after changing an interface from DHCP to Static #16105

LAGG Interfaces¶

Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453

Logging¶

Fixed: Restarting the logging daemon during rotation also restarts sshguard, leading to frequent log messages #12747
Changed: Remove Time column from OS Boot logs #15106
Added: Enhanced firewall log action information display #15415
Fixed: PHP error when saving System Log settings #15988

Multi-WAN¶

Added: Ability to selectively kill states on gateway recovery #855

NTPD¶

Added: NTP authentication support #8794

OpenVPN¶

Added: More GUI options for OpenVPN Client-Specific Overrides #12522
Added: OpenVPN NBDD server options #13085
Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087
Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089
Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090
Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386
Fixed: OpenVPN forms invalid route statements for empty local networks #14919
Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133
Fixed: OpenVPN Wizard fails when a VIP is used #15148
Changed: Remove deprecated OpenVPN hardware crypto engine option #15188

Operating System¶

Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980
Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648
Fixed: Static ARP assignments lose permanent flag in ARP table #14970
Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054
Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108
Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288
Fixed: Proxy variables in crontab contents are improperly formatted #15502
Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777
Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081

PHP Interpreter¶

Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268
Fixed: Extensions directory is not set in rc.php_ini_setup #14488
Changed: Update PHP to 8.3.x #15053
Fixed: check_dnsavailable() failing even when DNS is available #15127
Fixed: PHP error display formatting issues #15263
Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471

Package System¶

Added: Allow overriding text scrolling during package install/uninstall #15022
Fixed: Extra space in pkg configuration file FreeBSD.conf #15069
Fixed: Updates fail against an authenticated upstream proxy #15094
Fixed: Package navigation menus can be duplicated when reinstalling the package #15700
Fixed: The package post-install script does not run with a system upgrade on ZFS #16057
Changed: pkg no longer supports setting ALTABI manually at run-time #16060

Packet Capture¶

Fixed: Unable to perform Packet Captures on a tailscale interface in GUI with default settings #15145
Added: Allow filtering packet captures by system-defined protocols #15609

Routing¶

Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290
Fixed: IPsec VTI static routes may not be added after the system boots #15449
Fixed: Routes with IPv6 Address as Next Hop for IPv4 Destination Causes Kernel Panic #15601

Rules / NAT¶

Added: NAT64 support #2358
Added: Kill states using the pre-NAT address #11556
Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173
Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183
Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197
Fixed: Advanced rule options tooltip does not show negated Tag option #15214
Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234
Fixed: Egress states remain when killing states for scheduled rules #15252
Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430
Fixed: Per-rule byte counter values lost across a filter reload #15516
Fixed: Separator positions are incorrect when copying interface group rules #15537
Added: GUI options to change default SCTP state timeouts #15661
Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671
Fixed: Incorrect rule may be opened for editing after rule order has changed #15935
Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076

S.M.A.R.T.¶

Changed: Query for SMART data only on root disk devices #15586

SNMP¶

Fixed: File descriptor leak in bsnmpd #15481

Services¶

Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552

Setup Wizard¶

Changed: Error handling in the Setup Wizard is very user-unfriendly #15302

System Logs¶

Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092

Traffic Shaper (Limiters)¶

Fixed: Input validation error when applying limiter changes #13158
Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662
Fixed: Cannot add limiters named new #13687
Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854
Fixed: Fragmented packets delayed by limiters are lost #15156
Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363
Fixed: PHP error when a queue is added with the same name as a limiter #15914

UPnP IGD & PCP¶

Fixed: Port forward rules created by miniupnpd do not expire #15470
Changed: Update UPnP IGD & PCP GUI text #15864
Changed: Make the UPnP IGD & PCP STUN port optional #15865

Upgrade¶

Fixed: Upgrading an EFI system installed to ZFS mirror does not upgrade EFI loader on additional disks #15084
Changed: Link to release information on the system update page #15953
Fixed: Boot loader is not upgraded on UFS installs #16064

User Manager / Privileges¶

Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442
Fixed: PHP error when a user is denied access to the dashboard #15873
Fixed: Users with Deny Config Write privilege can trigger logging operations #15874
Fixed: Users with Deny Config Write privilege can change their own password #15908

Virtual IP Addresses¶

Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929
Fixed: Network and broadcast address input validation is incorrectly applied to IPv6 VIPs #15361

Web Interface¶

Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943
Added: Custom message text for the login screen #9293
Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413
Changed: Update vendor files #13537
Fixed: status_interfaces.php is missing several values for SFP modules #15112
Changed: Remove jquery-treegrid unit testing files #15265
Added: 50x and 404 error handling to GUI web server configuration #15322
Changed: Remove deprecated HTTP/1.0 Pragma header #15781
Changed: Use minified nvd3 vendor files #15782
Changed: Update nginx HTTP2 syntax #15863
Fixed: Incorrect color in button text within disabled rows #15977

XMLRPC¶

Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067
Fixed: Changes to the admins user group are not synced to the secondary node #15898