21.09 New Features and Changes

This is a regularly scheduled software release of pfSense Plus software including new features, additional hardware support, and bug fixes.


When upgrading to pfSense Plus 21.09 and later versions, the pfSense-upgrade process will forcefully reinstall all operating system packages and add-on packages to ensure a consistent state and package set. This may increase the time the upgrade will take to download and install.


  • This release contains several significant changes to IPsec for stability and performance. Read the IPsec section of this document carefully.


    IPsec VTI interface names have changed in this release. Configurations will be updated automatically where possible to use the new names. If any third party software configurations or other manual changes referenced the old IPsec VTI interface names directly (e.g. ipsecNNNN) they must be updated to the new format.

  • Log Compression for rotation of System Logs is now disabled by default for new ZFS installations as ZFS performs its own compression.


    The best practice is to manually disable Log Compression for rotation of System Logs, not only on existing ZFS installations but also on any system with a slower CPU. This setting can be changed under Status > System Logs on the Settings tab.

  • The default password hash format in the User Manager has been changed from bcrypt to SHA-512. New users created in the User Manager will have their password stored as a SHA-512 hash. Passwords for existing users will be stored as SHA-512 the next time they are changed.


    User Manager passwords are only stored as a hash, thus existing users cannot be automatically changed to the new format. To convert a user password from an older hash format, change the password for the user in the User Manager.
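
An added example (not part of the pfSense Plus release notes or code) of auditing which accounts still carry an older hash after the upgrade: it classifies each stored hash by its crypt(3) prefix (`$2a$`/`$2b$`/`$2y$` for bcrypt, `$6$` for SHA-512). The XML element names and all hash values in the sample are constructed assumptions, so check them against a copy of the real configuration before relying on the result.

```python
import xml.etree.ElementTree as ET

# crypt(3) modular-format prefixes (standard identifiers, not pfSense-specific).
PREFIXES = {"$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$6$": "sha512"}

# Constructed sample. The element names (<user>, <name>, <bcrypt-hash>,
# <sha512-hash>) are assumptions about the config layout; hash values are fake.
SAMPLE_CONFIG = """\
<pfsense><system>
  <user><name>admin</name><bcrypt-hash>$2y$10$CONSTRUCTEDconstructedCONSTRUCTED</bcrypt-hash></user>
  <user><name>alice</name><sha512-hash>$6$constructedsalt$CONSTRUCTEDdigest</sha512-hash></user>
  <user><name>svc-backup</name><bcrypt-hash>$2b$10$CONSTRUCTEDconstructedCONSTRUCTED</bcrypt-hash></user>
  <user><name>nopass</name></user>
</system></pfsense>
"""

def classify(hash_text):
    """Return the scheme name for a crypt-style hash string, or 'unknown'."""
    for prefix, scheme in PREFIXES.items():
        if hash_text.startswith(prefix):
            return scheme
    return "unknown"

def audit_users(config_xml):
    """Map each user name to the scheme of its stored hash (None if no hash)."""
    result = {}
    for user in ET.fromstring(config_xml).iter("user"):
        name = user.findtext("name", default="(unnamed)")
        # Look at the stored value rather than the element name, so the check
        # does not depend on how the hash field is labelled.
        hashes = [c.text.strip() for c in user if c.text and c.text.strip().startswith("$")]
        result[name] = classify(hashes[0]) if hashes else None
    return result

def needs_password_change(config_xml):
    """Users whose hash is not SHA-512 and so must have their password changed."""
    return sorted(n for n, s in audit_users(config_xml).items() if s not in ("sha512", None))

if __name__ == "__main__":
    for name in needs_password_change(SAMPLE_CONFIG):
        print(f"{name}: still on an older hash format, change password to convert")
```
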

pfSense Plus

Aliases / Tables

  • Fixed: Error loading rules when URL Table Ports content is empty #4893

  • Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818

  • Fixed: Unable to create nested URL aliases #11863

  • Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124

  • Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177


  • Changed: Use SHA-512 for user password hashes #10298

Backup / Restore

  • Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909

  • Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946

  • Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247

Build / Release

  • Changed: Remove deprecated libzmq code and references #12060


  • Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727

  • Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202

  • Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227

Captive Portal

  • Fixed: Vouchers may expire too early when using RAM disks #11894

  • Fixed: Incorrect variable substitution in captive portal error page #11902

  • Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138


  • Fixed: Certificate Revocation tab does not list active users of CRL entries #11831

  • Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922

  • Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034

  • Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Console Menu

  • Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581


  • Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659

  • Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905

  • Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216


  • Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277

DHCP Relay

  • Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

DNS Resolver

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274


  • Fixed: System Information widget unnecessarily polls data for hidden items #12241

  • Fixed: IPsec widget generates errors if no tunnels are defined #12337

  • Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349


  • Fixed: State table content on diag_dump_states.php does not sort properly #11852

  • Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983

  • Fixed: “GoTo line #” function does not work on diag_edit.php #12050

  • Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256

  • Added: Include firewall rules from packages which failed to load in status output #12269

Dynamic DNS

  • Added: Option to set interval of forced Dynamic DNS updates #9092

  • Added: Support DNS Made Easy authentication without a username #9341

  • Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816

  • Added: New Dynamic DNS Provider: Strato #11978

  • Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007

  • Fixed: NoIP.com incorrectly encodes Dynamic DNS update credentials #12021

  • Added: New Dynamic DNS Provider: deSEC #12086

  • Added: Support Check IP services which return bare IP address values #12194

  • Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331


  • Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653

  • Changed: Upgrade to pkg 1.17.x #12171


  • Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

High Availability

  • Fixed: Incorrect RADVD log message on HA event #11966


  • Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275

  • Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801

  • Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447

  • Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552

  • Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891

  • Fixed: IPsec status tunnel descriptions are incorrect #11910

  • Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933

  • Fixed: IPsec status fails when many tunnels are connected #11951

  • Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

  • Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023

  • Fixed: Applying IPsec settings for many tunnels is slow or times out #12026

  • Fixed: Gateway alarm always triggers IPsec restart #12039

  • Changed: Improve IPsec identifier settings #12044

  • Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052

  • Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155

  • Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169

  • Added: Add connect/disconnect buttons to IPsec dashboard widget #12181

  • Fixed: IPsec status shows connect buttons while tunnel is connecting #12189

  • Fixed: IPsec writes CRL files when tunnel does not use certificates #12195

  • Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196

  • Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197

  • Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198

  • Fixed: Disabled IPsec VTI interfaces are always created #12212

  • Fixed: IPsec bypass rules display help text under each entry #12236

  • Fixed: IPsec phase 1 entry with as its remote gateway does not receive correct automatic firewall rules #12262

  • Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289

  • Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298

  • Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315

  • Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323

  • Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324

  • Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328

IPv6 Router Advertisements (RADVD)

  • Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159

  • Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173

  • Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280


  • Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507

  • Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337

  • Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662

  • Fixed: VLAN and QinQ edit pages allow selecting incompatible OpenVPN tun interfaces #11675

  • Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926

  • Added: VLAN list sorting #11968

  • Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002

  • Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049

  • Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170

  • Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252

  • Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253


  • Fixed: Kernel panic during L2TP retransmit #9058

  • Fixed: FQDN L2TP server address is only resolved at boot #12072


  • Fixed: Logging configuration added by a package is not removed on uninstall #11846

  • Fixed: Remote log server input validation allows invalid values #12000

  • Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011

  • Changed: Improve log settings help text for file size, compression, and retention count #12012

  • Added: Create a log entry when a configuration change occurs #12118


  • Added: Support SHA-256 hash NTP authentication #12213


  • Added: Option to suppress expiration notifications for revoked certificates #12109


  • Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668

  • Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684

  • Fixed: OpenVPN client certificate validation with OCSP always fails #11829

  • Added: Option to validate OpenVPN peer TLS certificate key usage #11865

  • Added: Log external IP address of OpenVPN clients on connect and disconnect #11935

  • Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938

  • Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999

  • Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020

  • Fixed: Incorrect OpenVPN Client Export help link #12022

  • Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076

  • Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102

  • Fixed: OpenVPN Wizard configuration missing recently added default values #12172

  • Fixed: OpenVPN does not clean up previous CA and CRL files #12192

  • Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218

  • Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219

  • Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223

  • Fixed: OpenVPN page allows deleting/disabling an instance with an assigned interface #12224

  • Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232

  • Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238

Operating System

  • Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985

  • Fixed: Update NGINX to address CVE-2021-23017 #12061

  • Added: Suppress kernel messages for lo0 configuration during boot #12094

  • Changed: Convert RAM disks to tmpfs #12145

PHP Interpreter

  • Fixed: PHP exits with signal 11 on SG-3100 when calling PCRE functions #11466

PPP Interfaces

  • Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

Package System

  • Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290

  • Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

RRD Graphs

  • Added: Graph for hardware temperature readings #9297

Rules / NAT

  • Added: IPv6 support in easyrule CLI script #11439

  • Fixed: NAT rule overlap detection is inconsistent #11734

  • Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923

  • Fixed: easyrule script does not function properly #12151

  • Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164

  • Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168

  • Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174

  • Fixed: VIP network addresses are not expanded on Port Forward rules #12233

  • Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272


  • Fixed: System attempts to stop inactive services at shutdown #12001

  • Fixed: System attempts to start inactive services at boot #12038

Traffic Shaper (ALTQ)

  • Fixed: Panic when using CBQ traffic shaping #11470


  • Added: UPnP/NAT-PMP STUN configuration options #10587


  • Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

User Manager / Privileges

  • Added: Copy button for group entries in the User Manager #12226

Web Interface

  • Changed: Update font formats to WOFF2 #11507

  • Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107

  • Changed: Convert help shortcut links to server-side redirects #12314


  • Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

  • Fixed: Interfaces page does not show Wireless EAP client options #12239


  • Added: XMLRPC synchronization for DHCP relay settings #11957

  • Changed: XMLRPC client improvements #12051

  • Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075