2.8.0 New Features and Changes¶
This pfSense® CE software release includes new features and bug fixes.
Upgrade Notes¶
Warning
Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.
To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.
Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this section, but the best practice is to follow all of the precautions noted in the Upgrade Guide.
Boot Loader¶
This version requires an updated boot loader, which is automatically handled by the upgrade process for nearly all cases. However, there may be some edge cases where the automatic update does not update the loader currently used by the device. For example, if there are multiple unmirrored disks and the BIOS/EFI firmware boots not from the disk containing the updated loader but from an older, unrelated installation on a separate disk. One particular case where this can happen is when there is a previous installation to MMC which has been followed by an installation to an add-on SSD without clearing the MMC contents.
In these cases the best practice is to wipe the unused disk so it cannot interfere. See Troubleshooting Multiple Disks for details.
Legacy Serial Console¶
After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.
See also
See ISA Serial Console not Fully Functional for details and a workaround.
Low Memory Hardware¶
Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running.
Tip
For devices running ZFS, see ZFS Tuning for information on reducing ZFS memory usage.
For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.
General¶
PHP has been upgraded from 8.2.x to 8.3.x
The base operating system has been upgraded to FreeBSD 15-CURRENT
This version of pfSense CE software includes a new kernel-based PPPoE backend, if_pppoe. This will replace the current MPD-based implementation. This new backend is more efficient and enables much faster speeds over PPPoE interfaces.
This new PPPoE backend is not active by default in this version, but can be enabled with the global option under System > Advanced on the Networking tab. This backend will be enabled by default on future versions of pfSense Plus software.
The if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.
The default State Policy has been changed from Floating to Interface Bound for increased security: a state created by traffic on one interface no longer matches packets arriving on a different interface. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing (route-to), reply-to, as well as with High Availability state synchronization (pfsync) on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI.
The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab.
There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
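What the global setting and the per-rule override mean at the pf level, as an added illustration that is not taken from the release notes or from the ruleset pfSense generates (the interface names lan and enc0 and the 10.20.0.0/24 network are assumptions made for the example):

```pf
# Global default, the equivalent of the new State Policy setting: a state is
# tied to the interface that created it, so a packet for the same connection
# arriving on any other interface does not match it and must pass a rule on
# its own.
set state-policy if-bound

# Ordinary LAN rule; its states inherit the if-bound default.
pass in quick on lan proto tcp from lan:network to any port 443 keep state

# Per-rule override, the equivalent of the advanced rule option: traffic
# filtered on enc0 may have its replies handled on a VTI interface, so its
# states are created floating to keep the reply from being dropped.
pass in quick on enc0 proto tcp from 10.20.0.0/24 to any keep state (floating)
```

Before loading a fragment like this by hand, `pfctl -nf <file>` parses it without applying it, which catches a misspelled state option; the fallback to Floating for IPsec/VTI that the release notes describe is pfSense applying an override of this kind automatically.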
This release includes support for enhanced gateway recovery “fail back” by optionally clearing states from lower tier gateways when a more preferred gateway recovers.
This release includes support for High Availability in the Kea DHCP daemon.
This implementation has several advantages over the older ISC DHCP implementation, including:
Supports HA for DHCPv4 and DHCPv6.
Simplified HA setup, all in one place on each node for each type.
Works in hot standby mode, which is more reliable.
Can synchronize lease data over the SYNC interface for security and ease of use, and can optionally encrypt the sync data for added protection.
See also
For in-depth information on this feature, see https://www.netgate.com/blog/improvements-to-kea-dhcp
This release includes support for DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver
DNS records are updated dynamically on the fly; they do not require a resolver restart and are not disruptive.
Supports DNS Registration for DHCPv4 and DHCPv6
DNS Registration can be configured on a per-interface or global manner, with the ability to enable or disable specific interfaces as needed.
DNS records are not limited to the system domain name. DNS Registration honors the domain name on the DHCP settings for each interface and on static mappings.
DNS records are accurate/updated on both high availability peers
Static mappings can be registered when Kea starts (similar to ISC) or when a static mapping client obtains a lease.
See also
For additional details on implementation of Kea DHCP features see https://redmine.pfsense.org/issues/15650
pfSense CE¶
Changes in this version of pfSense CE software.
Aliases / Tables¶
Authentication¶
Auto Configuration Backup¶
Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249
Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224
Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711
Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718
Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010
Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011
Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012
Changed: AutoConfigBackup code cleanup and GUI refresh #16013
Added: Download function for AutoConfigBackup entries #16014
Added: Method to change the AutoConfigBackup device key #16015
Backup / Restore¶
Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728
Fixed: DHCP leases may not be restored from older configuration backups #15076
Fixed: PHP error when generating a notification after detecting a malformed configuration #15157
Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624
CARP¶
Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026
Captive Portal¶
Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226
Added: Support using a mask to block MAC addresses in Captive Portal #15257
Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299
Fixed: Captive Portal logo fails to load after authenticated redirect #15404
Fixed: Captive Portal zones can fail to start due to ID conflict #15772
Fixed: PHP error in Captive Portal with undefined zone interface list #15907
Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030
Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032
Certificates¶
Configuration Backend¶
Fixed: System proxy credentials with certain characters may fail to authenticate #15565
DHCP (IPv4)¶
Added: Settings tab for global Kea DHCP server options #5080
Added: Better handling of duplicate IP addresses in static DHCP assignments #13256
Changed: Reduce log spam when deleting a static DHCP entry #13263
Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894
Fixed: Kea fails to restart due to race between process termination and startup #14977
Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991
Fixed: Kea DHCP PHP error from WINS server value #14996
Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032
Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130
Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321
Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328
Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332
Added: Kea High Availability Support (IPv4 and IPv6) #15575
Added: Kea Static ARP Support (IPv4 only) #15654
Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702
Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828
Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019
DHCP (IPv6)¶
DNS Forwarder¶
DNS Resolver¶
Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942
Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071
Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135
Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139
Changed: Update Unbound to 1.22.0 #15483
Fixed: Automatic EDNS value may be lower than expected #15704
Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722
Fixed: unbound-checkconf fails with python mode enabled #15723
Dashboard¶
Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673
Added: Improve Thermal Sensors Dashboard widget readability #13520
Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933
Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373
Added: Show current boot method in System Information Dashboard widget #15422
Fixed: Incorrect icon on collapsed dashboard widgets #15439
Fixed: Dashboard widgets refresh at unintended intervals #15725
Changed: Improve Thermal Sensors Dashboard widget refresh code #15728
Fixed: Session cookie warnings #15729
Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767
Changed: Improve the system load impact from Dashboard widgets #15969
Diagnostics¶
Added: Add Kea information to status.php #14953
Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162
Fixed: crash_reporter.php displays PHP Error log without encoding #15264
Added: Add EFI boot information to status.php #15297
Added: Add loader.conf.lua contents to status.php #15298
Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310
Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490
Fixed: File browser on diag_edit.php does not encode directory names before display #15525
Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657
Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005
Fixed: Cannot kill states using the post-NAT address #16047
Dynamic DNS¶
Added: Enable @ support for Azure in Dynamic DNS #10000
Added: Improve Dynamic DNS client IPv6 support #11177
Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067
Added: Enable @ support for name.com in Dynamic DNS #14289
Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605
Changed: Update Dynamic DNS API URL for porkbun.com #15779
Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802
Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028
Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046
FreeBSD¶
Fixed: Kernel panic in HA nodes when under high load #15413
Gateway Monitoring¶
Gateways¶
Fixed: Killing states on downed gateways breaks when “Skip rules when gateway is down” is enabled #15223
Fixed: Killing states on downed gateways breaks for static interface configurations #15225
Fixed: Removing a gateway group used as the default gateway results in no default route #15248
Changed: Clarify descriptions for gateway recovery options #15429
Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589
Fixed: No default route after boot #15791
Hardware / Drivers¶
High Availability¶
Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795
IGMP Proxy¶
IPsec¶
Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312
Fixed: Large number of IPsec tunnels causes long filter reload times #14893
Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124
Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147
Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171
Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176
Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245
Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384
Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598
Fixed: Mobile IPsec does not automatically switch to failover gateway #15685
Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755
Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095
IPv6 Router Advertisements (radvd/rtsold)¶
Fixed: Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD #12581
Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938
Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936
Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967
Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057
Added: PREF64 support in Router Advertisements #15808
Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876
Installer¶
Interfaces¶
Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083
Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431
Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181
Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423
Added: Use natural sorting when sorting interfaces #15437
Fixed: OpenVPN QinQ interface creation fails #15692
Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778
Fixed: Config access error with null static routes #16104
Fixed: Config access error after changing an interface from DHCP to Static #16105
LAGG Interfaces¶
Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453
Logging¶
Multi-WAN¶
Added: Ability to selectively kill states on gateway recovery #855
NTPD¶
Added: NTP authentication support #8794
OpenVPN¶
Added: More GUI options for OpenVPN Client-Specific Overrides #12522
Added: OpenVPN NBDD server options #13085
Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087
Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089
Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090
Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386
Fixed: OpenVPN forms invalid route statements for empty local networks #14919
Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133
Fixed: OpenVPN Wizard fails when a VIP is used #15148
Changed: Remove deprecated OpenVPN hardware crypto engine option #15188
Operating System¶
Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980
Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648
Fixed: Static ARP assignments lose permanent flag in ARP table #14970
Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054
Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108
Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288
Fixed: Proxy variables in crontab contents are improperly formatted #15502
Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777
Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081
PHP Interpreter¶
Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268
Fixed: Extensions directory is not set in rc.php_ini_setup #14488
Changed: Update PHP to 8.3.x #15053
Fixed: check_dnsavailable() failing even when DNS is available #15127
Fixed: PHP error display formatting issues #15263
Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471
Package System¶
Added: Allow overriding text scrolling during package install/uninstall #15022
Fixed: Extra space in pkg configuration file FreeBSD.conf #15069
Fixed: Updates fail against an authenticated upstream proxy #15094
Fixed: Package navigation menus can be duplicated when reinstalling the package #15700
Fixed: The package post-install script does not run with a system upgrade on ZFS #16057
Changed: pkg no longer supports setting ALTABI manually at run-time #16060
Packet Capture¶
Routing¶
Rules / NAT¶
Added: NAT64 support #2358
Added: Kill states using the pre-NAT address #11556
Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173
Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183
Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197
Fixed: Advanced rule options tooltip does not show negated Tag option #15214
Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234
Fixed: Egress states remain when killing states for scheduled rules #15252
Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430
Fixed: Per-rule byte counter values lost across a filter reload #15516
Fixed: Separator positions are incorrect when copying interface group rules #15537
Added: GUI options to change default SCTP state timeouts #15661
Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671
Fixed: Incorrect rule may be opened for editing after rule order has changed #15935
Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076
S.M.A.R.T.¶
Changed: Query for SMART data only on root disk devices #15586
SNMP¶
Fixed: File descriptor leak in bsnmpd #15481
Services¶
Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552
Setup Wizard¶
Changed: Error handling in the Setup Wizard is very user-unfriendly #15302
System Logs¶
Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092
Traffic Shaper (Limiters)¶
Fixed: Input validation error when applying limiter changes #13158
Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662
Fixed: Cannot add limiters named new #13687
Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854
Fixed: Fragmented packets delayed by limiters are lost #15156
Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363
Fixed: PHP error when a queue is added with the same name as a limiter #15914
UPnP IGD & PCP¶
Upgrade¶
User Manager / Privileges¶
Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442
Fixed: PHP error when a user is denied access to the dashboard #15873
Fixed: Users with Deny Config Write privilege can trigger logging operations #15874
Fixed: Users with Deny Config Write privilege can change their own password #15908
Virtual IP Addresses¶
Web Interface¶
Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943
Added: Custom message text for the login screen #9293
Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413
Changed: Update vendor files #13537
Fixed: status_interfaces.php is missing several values for SFP modules #15112
Changed: Remove jquery-treegrid unit testing files #15265
Added: 50x and 404 error handling to GUI web server configuration #15322
Changed: Remove deprecated HTTP/1.0 Pragma header #15781
Changed: Use minified nvd3 vendor files #15782
Changed: Update nginx HTTP2 syntax #15863
Fixed: Incorrect color in button text within disabled rows #15977