22.05/22.05.1 New Features and Changes¶

Version 22.05.1¶

pfSense Plus software version 22.05.1 is a special patch release which adds hardware support for the Netgate 8200 and newer hardware revsions of the 2100, as well as built-in dynamic repository support.

Important

The majority of pfSense Plus users will not need to run this version unless directed to do so by Netgate TAC. This limited patch release is not currently offered as an upgrade from 22.05.

Version 22.05¶

This is a regularly scheduled release of pfSense® Plus software including new features and bug fixes.

General¶

Added: OpenVPN Data Channel Offload (DCO) support (Plus only)

Note

Some OpenVPN features and use cases are not compatible with DCO. See Limitations for a list of known DCO limitations.

Added: ZFS Boot Environment (BE) snapshots support (Plus only)
Changed: Captive Portal and Limiters now use only PF and not IPFW (Plus and CE)

Security¶

pfSense Plus 22.05-RELEASE includes a fix for the following potential vulnerability:

pfSense-SA-22_05.webgui: A potential XSS vulnerability in firewall_aliases.php from URL table alias URLs.

Note

Users of pfSense CE 2.6.0 can obtain a correction for this issue from the Recommended Patches area of the System Patches package.

pfSense Plus¶

Changes in this version of pfSense Plus software.

Aliases / Tables¶

Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727
Added: Retain descriptions when exporting and importing aliases #12842

Authentication¶

Added: GUI option to select the user password hashing algorithm #12855
Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

Backup / Restore¶

Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556
Added: Support encrypted config.xml files when restoring via ECL #12685
Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724
Added: Ability to sort AutoConfigBackup entries #12773
Fixed: PHP error when upgrading from before configuration revision 21.6, ipsec_create_vtimap() is undefined #13097
Added: Option to restore dashboard widget layout #13125
Fixed: PHP error restoring DHCP lease data on fresh installation: #13157

CARP¶

Changed: Reorganize CARP status page #12701
Fixed: CARP event storm when leaving persistent CARP maintenance mode. #12961

Captive Portal¶

Fixed: Allowed IP/Hostname “Direction” option is never used #12649
Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651
Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733
Fixed: Only TCP traffic is passed outbound though IPFW #12834
Changed: Transition Captive Portal from IPFW to PF #13100

Certificates¶

Added: Option to retain the existing serial number when renewing a CA or certificate #13010

Configuration Backend¶

Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675
Added: Eliminate duplicate shell commands from history file #12741

Configuration Upgrade¶

Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

DHCP (IPv4)¶

Fixed: Disabling DHCP Server RRD statistics does not work #12710
Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892
Fixed: HTTPClient option does not work for static mappings #12896
Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923
Fixed: DHCP network boot filename can be incorrectly placed in DHCP Pool Options #12986
Added: Relax DHCP maximum lease time input validation #13118
Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127

DHCP (IPv6)¶

Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880
Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527
Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582
Fixed: Uninitialized array in array_remove_duplicates() #12749

DNS Forwarder¶

Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902
Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

DNS Resolver¶

Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613
Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636
Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781
Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985
Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991
Added: DNS Resolver option to keep probing when servers are down #13023

Dashboard¶

Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253
Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714

Diagnostics¶

Fixed: diag_pftop.php does not fully encode output #12915

Dynamic DNS¶

Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590
Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672
Added: IPv6 support for DNSimple Dynamic DNS #12744
Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750
Added: Support wildcard Dynamic DNS records on DigitalOcean #12752
Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754
Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761
Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

Gateway Monitoring¶

Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633
Added: Option to disable auto-addition of static routes for dpinger #12687
Changed: Update dpinger to 3.2 #12881

Gateways¶

Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692
Fixed: IPv6 link local gateway default status not indicated in GUI #11764
Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it not including interface scope properly #12721
Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

Hardware / Drivers¶

Added: Chelsio TOE support using the t4_tom module #9091
Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

High Availability¶

Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy¶

Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609

IPsec¶

Added: Option to choose default tab in IPsec status Dashboard widget #2456
Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226
Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
Fixed: Disallow remote gateway of 0.0.0.0 for VTI mode #12723
Fixed: VTI gateway status stuck as “pending” after reboot #12763
Changed: Update strongSwan #12934
Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953
Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975
Added: GUI option for IPsec dns-interval setting #13057
Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071
Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131

Installer¶

Fixed: Support encrypted config.xml files when restoring during install #12691
Added: Recover existing SSH keys during installation #12809

Interfaces¶

Added: Show SFP module details on status_interfaces.php #8861
Added: Improved support for USB interfaces that may not always be present #9393
Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629
Fixed: devd is not configured to act on USB interface attach/detach events #12606
Changed: Restart services on interface changes #12619
Fixed: Interface status “Total Interrupts” display is non-functional #12735
Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780
Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790
Fixed: Link-local address does not reset after removing MAC address spoofing #12794
Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866
Fixed: The ruleset is not regenerated after assigning an interface #12949

L2TP¶

Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066
Fixed: L2TP stays bound to previous IP address after static IP address change #13082
Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099

LAGG Interfaces¶

Added: GUI option to configure layers for LACP hash #12819

Notifications¶

Fixed: Slack notification options only allow `` -`` as a special character in channel names #13083

OpenVPN¶

Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416
Fixed: OpenVPN stays bound to previous IP address after interface changes #11864
Added: OpenVPN option to limit concurrent connections per user #12267
Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332
Added: Use deferred client connections in OpenVPN #12407
Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628
Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771
Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817
Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884
Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887
Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925
Changed: Warn about OpenVPN shared key deprecation #12981
Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056
Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061
Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116
Changed: OpenVPN status page improvements #13129
Fixed: OpenVPN client-connect file contains topology #13133
Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145
Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274

Operating System¶

Fixed: pf hostid value is handled inconsistently #12703
Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862
Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

PPP Interfaces¶

Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

PPPoE Server¶

Fixed: PPPoE server panics with multiple client connections #13210

Package System¶

Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105
Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766
Fixed: write_rcfile() does not create rc_restart() entry #13004

Packet Capture¶

Added: Button to clear previous packet capture data #12968

Routing¶

Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536
Fixed: Cannot remove IPv6 static routes #12728
Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route. #13048

Rules / NAT¶

Added: Toggle button to disable/enable multiple firewall rules #2505
Added: Port forward NAT rules with “any” protocol #4259
Added: Allow NPt to use dynamic IPv6 networks #4881
Added: Button to copy rules from one interface to another #8365
Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984
Added: Utilize new pfctl abilities to kill states #12092
Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319
Added: Allow the selection of “any” interface in floating rules #12392
Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678
Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792
Fixed: Error loading ruleset due to illegal TOS value #12803
Fixed: High latency and packet loss during a filter reload #12827
Fixed: On startup “No routing address with matching address” might appear #12847
Fixed: Some action buttons are always active for firewall rules, even if no rules are selected #12871
Added: Toggle button to disable/enable multiple entries on NAT pages #12879
Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957
Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012
Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015
Fixed: Input validation requires a gateway for floating match out rules #13027
Fixed: Empty negate_networks table breaks policy routing rules #13049
Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055
Added: Allow auto prefix with manual prefix-length in NPt #13070
Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164
Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171
Fixed: Incorrect usage of DSCP hex value #13178

SNMP¶

Fixed: SNMP daemon is restarted during every rc.newwanip event #12611

Services¶

Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775
Fixed: Stale sshdkeys.dirty lock file prevents generating SSH server keys #13139

Traffic Shaper (ALTQ)¶

Changed: Remove code references to unused reset parameter from traffic shaper pages #13042

Traffic Shaper (Limiters)¶

Fixed: Incorrect ICMP reply when using limiters #9263
Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003
Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579
Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

Traffic Shaper Wizards¶

Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937
Fixed: Traffic shaper wizard rewrites Mbits to Kbits #13086

UPnP/NAT-PMP¶

Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port. #7727
Changed: Reorganize UPnP options #12624

Unknown¶

Fixed: Many exec() functions do not use full path to executable files #11941

Upgrade¶

Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

User Manager / Privileges¶

Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Web Interface¶

Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141
Fixed: Zero-value prefix IPv6 addresses are mishandled #12440
Added: Option to filter state table contents by rule ID #12616
Fixed: Changing RAM disk size does not prompt to reboot #12876
Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069
Added: Trim whitespace from MAC addresses in user input #13109

Wireless¶

Fixed: Wireless interface WPA configuration fields are always visible #12998
Fixed: Duplicate wireless interfaces are created at boot #12999

XMLRPC¶

Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940