23.01 New Features and Changes¶

This is a regularly scheduled software release including new features and bug fixes.

General¶

PHP has been upgraded from 7.4 to 8.1
The base operating system has been upgraded to FreeBSD 14-CURRENT
Warning

As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:
- 3DES Encryption
- Blowfish Encryption
- CAST 128 Encryption
- MD5 HMAC Authentication
The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade to ensure a smoother transition.

On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration. The upgrade process will disable tunnels if they have no valid encryption or authentication options remaining. The upgrade process will notify the user of any changes it makes.

This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.
A long-standing difficult-to-reproduce crash in Unbound during reloading has been addressed. Christian McDonald tracked down the source of the Unbound SIGHUP crashes to a reference counting bug within the MaxMindDB Python module. Both a patch to MaxMind and a port revision to FreeBSD ports were submitted and accepted, and the fix is included in the 23.01 release. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.
In addition to the Unbound crash, Christian also identified a memory leak with DHCP registration and Unbound Python mode (#10624). This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further for future release.
Due to #13507, batch copying rules between interfaces on a previous release may have created multiple rules with the same internal tracker ID. This issue has been corrected, but any rules with duplicate IDs must be corrected manually (e.g. by deleting and re-copying or re-creating the rules).
The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.

Note

On systems using ZFS, the first boot post-upgrade will appear to have higher than normal memory usage due to the large volume of filesystem activity that takes place during the upgrade process. This is harmless, however. This is due to ZFS ARC memory usage, which it will yield as needed if other processes require more memory. Rebooting the firewall after the upgrade completes will return the reported memory usage to a normal level.

Security¶

pfSense Plus 23.01-RELEASE includes fixes for multiple potential vulnerabilities:

pfSense-SA-23_01.webgui: A potential XSS vulnerability in diag_edit.php from browsing directories containing specially crafted filenames on the filesystem.
pfSense-SA-23_02.webgui: A potential XSS vulnerability in system_camanager.php and system_certmanager.php from specially crafted descriptions when editing entries.
pfSense-SA-23_03.webgui: A potential authenticated arbitrary file creation vulnerability from the name parameter when creating or editing URL table aliases.
pfSense-SA-23_04.webgui: A potential authenticated arbitrary command execution vulnerability in status.php from specially crafted filenames on the filesystem.
pfSense-SA-23_05.sshguard: Anti-brute force protection bypass for GUI authentication requests containing certain proxy headers.

Note

Users of pfSense Plus 22.05.x and pfSense CE 2.6.0 can obtain corrections for these issues from the Recommended Patches area of the System Patches package.

Errata/Known Hardware Issues¶

The Netgate 1000 does not function on FreeBSD 14 and as a consequence it is unable to upgrade to this release. Attempting to check for updates on a Netgate 1000 device will print a notification to this effect. No other models are impacted.
Some older installations of pfSense Plus software on Netgate 1100, Netgate 2100, and Netgate 2100 MAX devices contain an EFI partition which does not have sufficient space to accommodate the new EFI loader for version 23.01 and later. This primarily affects UFS-based systems initially installed with version 21.02-p1 or before.

Users with affected units must reinstall pfSense Plus software to run version 23.01 or later.

Read Troubleshooting Upgrades on Netgate 1100 and Netgate 2100 Devices for details.
The PCI bus in the Netgate 1100 and Netgate 2100 models does not currently function on 23.01. This was never an advertised feature, though some users have taken advantage of it in the past. If a device relies on the PCI bus, such as an add-on Wireless card, then consider the impact of upgrading to 23.01 where that will not be available (NG 9622).
Devices based on “ADI” or “RCC” hardware, such as the 4860, 8860, and potentially other similar models, may have issues with the ichsmb0 and/or ehci0 devices encountering an interrupt loop, leading to higher than usual CPU usage (NG 8916).

This can typically be worked around by disabling the affected device, with some caveats.

To disable the ichsmb0 device, which will disable the LED status indicators, add the following Loader Tunable:
```
hint.ichsmb.0.disabled=1
```
A similar method can be used to disable ehci0 but doing so will also disable the internal MMC drive, so that should only be disabled when the device is booted and running from an add-on SSD.

This does not affect the 2220, 2440 or XG-2758.
There have been a small number of reports that pfSense Plus software version 23.01 installations using ZFS will not boot in Hyper-V, though it works OK for others (#13895). Test in a lab or non-production environment before attempting to deploy this version. In some cases removing the optical drive from the VM settings before upgrading has allowed it to boot successfully.
Azure instances now use Gen2 and currently do not have a functional serial console, developers are working to address this in the next release.
Devices using the i915 video driver require manual changes because FreeBSD moved the driver from the kernel to a package. In most cases this driver is not necessary, but it can be helpful on some platforms for HDMI hotplug support.

To continue using the driver on 23.01, after the upgrade completes run pkg install -y drm-510-kmod from a shell. Then add the following Loader Tunable:
```
kld_list="i915kms"
```
Reboot the firewall after making the changes to activate the driver.
There have been a small number of reports on non-Netgate hardware that accessing the GUI of a pfSense Plus software installation over IPsec can trigger a kernel panic. Developers have not yet been able to reproduce the crash, but there is a workaround for users encountering this problem: Create a system tunable entry to set kern.ipc.mb_use_ext_pgs=0. See #13938 for details and alternate workarounds.
Some devices have an issue with the serial console display of password protected consoles and other aspects of the boot process, such as Boot Environment selection. The features may not render properly, but are still functional. This is not a regression in 23.01 as it also happened on 22.05.x. This has been reported on Netgate 4100, Netgate 6100, and Netgate 8200 models. See #13455 for more information.
The switch ports on the Netgate 7100 do not have Auto-MDIX enabled on 23.01-RELEASE. If a straight-through Ethernet cable is connecting two 7100 units together (e.g. back-to-back for HA), it will not link on 23.01-RELEASE. This will be addressed in a future release. Replacing the cable with a crossover Ethernet cable will allow it to link in the meantime.
On Netgate 3100 units, OpenVPN, GIF, and other types of virtual interfaces may not function on 23.01 until the kernel linker hints are updated by running the following command from a shell prompt:
```
kldxref /boot/kernel
```
See #13963 for details.
Dynamic interfaces (DHCP, PPP, etc) with mixed case descriptions may not have the same gateway name after upgrading, leading to a loss of connectivity due to the gateway name not matching the configuration. The simplest workaround is to change the interface name to all capital letters. For a patch, see #14057.

pfSense Plus¶

Changes in this version of pfSense Plus software.

Aliases / Tables¶

Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296
Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708
Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282
Added: Specify CA trust store location when downloading and validating URL alias content #13367
Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425
Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538
Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

Authentication¶

Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626
Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356
Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561
Fixed: Extra remote address information can confuse sshguard #13574
Changed: Improve LDAP debugging #13718

Auto Configuration Backup¶

Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266
Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

Backup / Restore¶

Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during restore #13132
Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289
Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861
Fixed: RRD restore process does not sanitize filenames from backup XML #13935

Build / Release¶

Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782

Captive Portal¶

Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148
Fixed: Voucher CSV output has leading space before voucher code #13272
Fixed: Error dummynet: bad switch 21! when using Captive Portal with Limiters #13290
Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323
Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391
Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396
Fixed: Captive Portal does not keep track of client data usage #13418
Fixed: All Captive Portal users are given the same limiter pipe pair #13488
Fixed: Captive Portal blocked MAC addresses are not blocked #13747
Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756
Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838
Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853

Certificates¶

Fixed: CA path is not defined when using curl in the shell #12737
Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257
Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387
Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424
Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

Configuration Backend¶

Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

DHCP (IPv4)¶

Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345
Changed: Clean up DHCP Server option language #13250
Added: Input validation for numbered DHCP options in static mappings #13584
Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748

DHCP (IPv6)¶

Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253
Fixed: Advanced DHCP6 client settings only work for a single interface #13462
Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594
Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder¶

Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

DNS Resolver¶

Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624
Fixed: Unbound crashes with signal 11 when reloading #11316
Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612
Fixed: DNS resolver does not update its configuration or reload during link down events #13254
Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393
Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453
Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867
Changed: Update Unbound to 1.17.1 #13893

Dashboard¶

Fixed: QAT detection on dashboard is incorrect if the driver does not attach #13674
Fixed: APU1 hardware is not properly identified with current BIOS versions #13471

Diagnostics¶

Fixed: File browser on diag_edit.php does not encode filenames before display #13262
Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318
Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426
Changed: Add multicast group membership (ifmcstat) to status.php #13731

Dynamic DNS¶

Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167
Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298
Fixed: DNSExit Dynamic DNS updates no longer work #13303

FilterDNS¶

Fixed: Resolve interval for filterdns may not match the configured value #13067

FreeBSD¶

Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080
Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716

Gateway Monitoring¶

Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076
Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295

Gateways¶

Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

Hardware / Drivers¶

Fixed: Software VLAN tagging does not work on ixgbe(4) interfaces #13381
Fixed: Intel i226 network interfaces do not honor a manually selected link speed #13529
Fixed: UDP checksum errors with ixgbe interfaces #13883

IPsec¶

Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373
Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398
Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579
Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647
Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

Interfaces¶

Fixed: Primary interface address is not always used when VIPs are present #11545
Added: Support for VLAN 0 #12070
Fixed: Bridges with QinQ interfaces not properly set up at boot #13225
Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493
Changed: Clean up obsolete code in pfSense-dhclient-script #13501
Fixed: Assigned bridge interfaces are not configured at boot #13666
Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

OpenVPN¶

Fixed: OpenVPN DCO panics with short UDP packets #13338
Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355
Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed #13358
Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649
Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30) #13664
Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

Operating System¶

Fixed: Entries for net.link.ifqmaxlen duplicated in /boot/loader.conf #13280
Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316
Fixed: Memory leak in PF when retrieving Ethernet rules #13525
Changed: Update Python 3.9.15 to 3.9.16 in base system #13865
Changed: Add Python 3.11.1 to base system #13866

PHP Interpreter¶

Added: Upgrade PHP from 7.4 to 8.1 #13446
Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

PPP Interfaces¶

Fixed: Services are not restarted when PPP interfaces connect #12811
Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

Routing¶

Added: Enable ROUTE_MPATH multipath routing #9544

Rules / NAT¶

Fixed: Rule separator positions change when deleting multiple rules #9887
Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry which contains a defined prefix length #13240
Fixed: The negate_networks table is duplicated in rules.debug #13308
Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when multiple choices are present #13310
Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to interface net #13364
Fixed: PF can fail to load a new ruleset #13408
Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420
Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445
Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505
Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507
Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545
Fixed: Error creating port forward rule with port alias #13601

Traffic Shaper (ALTQ)¶

Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304

UPnP/NAT-PMP¶

Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

User Manager / Privileges¶

Fixed: RADIUS authentication not working over IPv6 #4154

Web Interface¶

Fixed: Unnecessary link tag in login page #7996
Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730
Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960
Changed: Spelling and typo corrections #13357
Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390
Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436
Changed: Update external HTTPS/HTTP links #13440
Fixed: Table row selection has poor contrast in Dark theme #13448
Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591