21.02.2/2.5.1 New Features and Changes

pfSense Plus software version 21.02.2 and pfSense CE software version 2.5.1 are maintenance releases to address recently identified issues.

Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Tip

To remove WireGuard tunnels, navigate to VPN > WireGuard and click the delete button for each tunnel. When the page displays "No WireGuard tunnels have been configured.", the upgrade can proceed.

Note

This pfSense Plus software version contains all of the items noted below for pfSense CE as well.

Tip

For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Known Issues / Errata

  • There is an issue in this release with port forwarding on pfSense CE software installations with multiple WANs. See #11805 for details.

  • There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.

  • There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005.

  • The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, use ONE of the following workarounds:

    • Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then Save.

    • Instead of disabling the policy check, create route maps which match and allow expected incoming and outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.

    • Manually create a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a placeholder for later migration to more secure route map filtering.
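
An added example (not part of these release notes or of the FRR package): a Python check that reads FRR-syntax configuration text and lists eBGP neighbors that still depend on the disabled policy check or on a permit-all placeholder such as allow-all. The sample configuration, its AS numbers, addresses and the PEER9 names are constructed, and it is an assumption that the settings described above appear in the FRR configuration in this text form.

```python
import re
# Constructed FRR configuration for illustration; not taken from a real firewall.
SAMPLE = """\
router bgp 65001
 no bgp ebgp-requires-policy
 neighbor 203.0.113.1 remote-as 65002
 neighbor 203.0.113.9 remote-as 65003
 neighbor 203.0.113.17 remote-as 65004
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map allow-all in
  neighbor 203.0.113.1 route-map allow-all out
  neighbor 203.0.113.9 route-map PEER9 in
  neighbor 203.0.113.9 route-map PEER9 out
ip prefix-list PEER9-NETS seq 10 permit 198.51.100.0/24
route-map allow-all permit 100
route-map PEER9 permit 10
 match ip address prefix-list PEER9-NETS
"""

def audit_bgp(conf):
    """Return (subject, finding) tuples for eBGP peers without real route filtering."""
    findings, peers, applied, open_entries = [], {}, {}, set()
    local_as = entry = None
    for raw in conf.splitlines():
        line = raw.strip()
        entry = entry if raw.startswith(" ") else None  # top-level line ends a route-map entry
        if m := re.match(r"router bgp (\d+)", line):
            local_as = m.group(1)
        elif line == "no bgp ebgp-requires-policy":
            findings.append(("global", "eBGP policy requirement disabled"))
        elif m := re.match(r"neighbor (\S+) remote-as (\S+)", line):
            peers[m.group(1)] = m.group(2)
        elif m := re.match(r"neighbor (\S+) route-map (\S+) (in|out)$", line):
            applied[m.group(1), m.group(3)] = m.group(2)
        elif m := re.match(r"route-map (\S+) permit (\d+)", line):
            entry = m.groups()
            open_entries.add(entry)  # permits everything unless a match clause follows
        elif line.startswith("match ") and entry:
            open_entries.discard(entry)
    open_maps = {name for name, _ in open_entries}
    for peer, remote in sorted(peers.items()):
        if remote in (local_as, "internal"):
            continue  # iBGP peers are outside the eBGP policy requirement
        for direction in ("in", "out"):
            name = applied.get((peer, direction))
            if name is None:
                findings.append((peer, f"no {direction} route-map"))
            elif name in open_maps:
                findings.append((peer, f"{direction} route-map {name} permits all"))
    return findings
```

Calling `audit_bgp(SAMPLE)` reports the global setting, both directions of the peer using allow-all, and the peer with no route map at all; the peer filtered through a prefix list produces no finding.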

Security

This release includes corrections for the following vulnerabilities in pfSense software:

General

pfSense Plus

Certificates

  • Fixed: CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM #11504

Interfaces

  • Added: Interface Status page information for switch uplinks may be replaced by switch port data when media state monitoring is set #10804

Rules / NAT

  • Fixed: State matching problem with responses to packets arriving on non-default WANs #11436

Upgrade

  • Fixed: LEDs do not indicate available upgrade status #11689

pfSense CE

Aliases / Tables

  • Fixed: Alias name change is not reflected in firewall rules #11568

Authentication

  • Fixed: Unreachable LDAP server for SSH auth causes boot process to stop at ‘Synchronizing user settings’ and no user can login over SSH #11644

Certificates

  • Fixed: Invalid certificate data can cause a PHP error #11489

  • Fixed: Renewing a self-signed CA or certificate does not update the serial number #11514

  • Fixed: Unable to renew a certificate without a SAN #11652

  • Fixed: Certificates with escaped x509 characters display the escaped version when renewing #11654

  • Fixed: Creating a certificate while creating a user does not fully configure the certificate properly #11705

  • Fixed: Renewing a certificate without a type value assumes a server certificate #11706

DNS Resolver

  • Fixed: DNS Resolver does not add a local-zone type for ip6.arpa domain override #11403

  • Fixed: DNS Resolver does not bind to an interface when it recovers from a down state #11547

Dashboard

  • Fixed: CPU details are incorrect in the System Information widget after resetting log files #11428

  • Fixed: Disabling ‘State Table Size’ in the System Information widget prevents other data from being displayed #11443

Gateway Monitoring

  • Fixed: Automatic default gateway mode does not select expected entries #11729

Gateways

  • Fixed: Gateways with “Use non-local gateway” set are not added to routing table #11433

IPsec

  • Fixed: IPsec status incorrect for entries using expanded IKE connection numbers #11435

  • Fixed: Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in swanctl.conf secrets #11442

  • Fixed: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses #11446

  • Fixed: Broken help link on IPsec Advanced Settings tab #11474

  • Fixed: Connect and disconnect buttons on the IPsec status page do not work for all tunnels #11486

  • Fixed: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in swanctl.conf #11487

  • Fixed: IPsec tunnel definitions have pools = entry in swanctl.conf with no value #11488

  • Fixed: Mobile IPsec broken when using strict certificate revocation list checking #11526

  • Fixed: IPsec VTI tunnel between IPv6 peers may not configure correctly #11537

  • Fixed: IPsec peer ID of “Any” does not generate a proper remote definition or related secrets #11555

  • Fixed: IPsec tunnel does not function when configured on a 6RD interface #11643

IPv6 Router Advertisements (RADVD)

  • Fixed: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 #11105

Installer

  • Fixed: Installer does not add required module to loader.conf when using ZFS #11483

Interfaces

  • Fixed: IPv4 MSS value is incorrectly applied to IPv6 packets #11409

  • Fixed: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information #11454

  • Fixed: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance #11602

  • Fixed: DHCP6 interfaces are reconfigured multiple times at boot when more than one interface is set to Track #11633

Logging

  • Fixed: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files #11639

Notifications

  • Fixed: Telegram and Pushover notification API calls do not respect proxy configuration #11476

OpenVPN

  • Fixed: OpenVPN authentication and certificate validation fail due to size of data passed through fcgicli #4521

  • Added: Display negotiated data encryption algorithm in OpenVPN connection status #7077

  • Fixed: OpenVPN does not start with several authentication sources selected #11104

  • Fixed: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS #11382

  • Fixed: Incorrect order of route-nopull option in OpenVPN client-specific override configuration #11448

  • Fixed: OpenVPN using the wrong OpenSSL command to list digest algorithms #11500

  • Fixed: Selected Data Encryption Algorithms list items reset when an input validation error occurs #11554

  • Fixed: OpenVPN does not start with a long list of Data Encryption Algorithms #11559

  • Fixed: ACLs generated from RADIUS reply attributes do not parse {clientip} macro #11561

  • Fixed: ACLs generated from RADIUS reply attributes have incorrect syntax #11569

  • Fixed: OpenVPN binds to all interfaces when configured on a 6RD interface #11674

Operating System

  • Fixed: Unexpected Operator error on console at boot with ZFS and RAM Disks #11617

  • Changed: Upgrade OpenSSL to 1.1.1k #11755

Routing

  • Fixed: Disabled static route entries trigger ‘route delete’ error at boot #3709

  • Fixed: Route tables with many entries can lead to PHP errors and timeouts when looking up routes #11475

  • Fixed: Error when removing automatic DNS server route #11578

  • Fixed: IPv6 routes with a prefix length of 128 result in an invalid route table entry #11594

  • Fixed: Error when deleting IPv6 link-local routes #11713

Rules / NAT

  • Fixed: Saved state timeout values not loaded into GUI fields on system_advanced_firewall.php #11565

  • Fixed: Firewall rule schedule cannot be changed #11747

Upgrade

  • Fixed: pfSense Proxy Authentication not working #11383

Wake on LAN

  • Fixed: Potential stored XSS vulnerability in services_wol.php #11616

Web Interface

  • Fixed: Requests to ews.netgate.com do not honor proxy configuration #11464

XMLRPC

  • Fixed: XMLRPC error with Captive Portal and CARP failover when GUI is on non-standard port #11425

  • Fixed: Incorrect DHCP failover IP address configured on peer after XMLRPC sync #11519

  • Fixed: PHP error in logs from XMLRPC if no sections are selected to sync #11638