21.02.2/2.5.1 New Features and Changes¶
pfSense Plus software version 21.02.2 and pfSense CE software version 2.5.1 are maintenance releases to address recently identified issues.
WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.
If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel
To remove WireGuard tunnels, navigate to VPN > WireGuard and click the delete button for each tunnel. When the page displays No WireGuard tunnels have been configured., the upgrade can proceed.
This pfSense Plus software version contains all of the items noted below for pfSense CE as well.
Known Issues / Errata¶
There is an issue in this release with port forwarding on pfSense CE software installations with multiple WANs, see #11805 for details.
There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.
There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005
The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, use ONE of the following workarounds:
Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then Save.
Instead of disabling the policy check, create route maps which match and allow expected incoming and outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.
Manually create a route map to permit all routes (Name:
allow-all, Action: Permit, Sequence:
100), then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a placeholder for later migration to more secure route map filtering.
This release includes corrections for the following vulnerabilities in pfSense software:
Fixed: CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM #11504
Added: Interface Status page information for switch uplinks may be replaced by switch port data when media state monitoring is set #10804
Rules / NAT¶
Fixed: State matching problem with reponses to packets arriving on non-default WANs #11436
Fixed: Unreachable LDAP server for SSH auth causes boot process to stop at at ‘Synchronizing user settings’ and no user can login over SSH #11644
Fixed: Invalid certificate data can cause a PHP error #11489
Fixed: Renewing a self-signed CA or certificate does not update the serial number #11514
Fixed: Unable to renew a certificate without a SAN #11652
Fixed: Certificates with escaped x509 characters display the escaped version when renewing #11654
Fixed: Creating a certificate while creating a user does not fully configure the certificate properly #11705
Fixed: Renewing a certificate without a
typevalue assumes a server certificate #11706
Fixed: IPsec status incorrect for entries using expanded IKE connection numbers #11435
Fixed: Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in
Fixed: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses #11446
Fixed: Broken help link on IPsec Advanced Settings tab #11474
Fixed: Connect and disconnect buttons on the IPsec status page do not work for all tunnels #11486
Fixed: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in
Fixed: IPsec tunnel definitions have
pools =entry in
swanctl.confwith no value #11488
Fixed: Mobile IPsec broken when using strict certificate revocation list checking #11526
Fixed: IPsec VTI tunnel between IPv6 peers may not configure correctly #11537
Fixed: IPsec peer ID of “Any” does not generate a proper remote definition or related secrets #11555
Fixed: IPsec tunnel does not function when configured on a 6RD interface #11643
IPv6 Router Advertisements (RADVD)¶
Fixed: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 #11105
Fixed: IPv4 MSS value is incorrectly applied to IPv6 packets #11409
Fixed: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information #11454
Fixed: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance #11602
Fixed: DHCP6 interfaces are reconfigured multiple times at boot when more than one interface is set to Track #11633
Fixed: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files #11639
Fixed: Telegram and Pushover notification API calls do not respect proxy configuration #11476
Fixed: OpenVPN authentication and certificate validation fail due to size of data passed through
Added: Display negotiated data encryption algorithm in OpenVPN connection status #7077
Fixed: OpenVPN does not start with several authentication sources selected #11104
Fixed: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS #11382
Fixed: Incorrect order of
route-nopulloption in OpenVPN client-specific override configuration #11448
Fixed: OpenVPN using the wrong OpenSSL command to list digest algorithms #11500
Fixed: Selected Data Encryption Algorithms list items reset when an input validation error occurs #11554
Fixed: OpenVPN does not start with a long list of Data Encryption Algorithms #11559
Fixed: ACLs generated from RADIUS reply attributes do not parse
Fixed: ACLs generated from RADIUS reply attributes have incorrect syntax #11569
Fixed: OpenVPN binds to all interfaces when configured on a 6RD interface #11674
Fixed: Disabled static route entries trigger ‘route delete’ error at boot #3709
Fixed: Route tables with many entries can lead to PHP errors and timeouts when looking up routes #11475
Fixed: Error when removing automatic DNS server route #11578
Fixed: IPv6 routes with a prefix length of 128 result in an invalid route table entry #11594
Fixed: Error when deleting IPv6 link-local routes #11713