23.01 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

  • PHP has been upgraded from 7.4 to 8.1

  • The base operating system has been upgraded to FreeBSD 14-CURRENT

    Warning

    As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:

    • 3DES Encryption

    • Blowfish Encryption

    • CAST 128 Encryption

    • MD5 HMAC Authentication

    The best practice is to reconfigure tunnels to use supported algorithms (for example AES with SHA-256, or an AEAD cipher such as AES-GCM) and confirm they establish before performing an upgrade, so the transition is smoother. Both ends of a tunnel must agree on the new proposal, so the remote peer needs the same change.

    On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration. The upgrade process will disable tunnels if they have no valid encryption or authentication options remaining. The upgrade process will notify the user of any changes it makes.

    This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.

  • A long-standing difficult-to-reproduce crash in Unbound during reloading has been addressed. Christian McDonald tracked down the source of the Unbound SIGHUP crashes to a reference counting bug within the MaxMindDB Python module. Both a patch to MaxMind and a port revision to FreeBSD ports were submitted and accepted, and the fix is included in the 23.01 release. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.

  • In addition to the Unbound crash, Christian also identified a memory leak with DHCP registration and Unbound Python mode (#10624). This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further for a future release.

  • Due to #13507, batch copying rules between interfaces on a previous release may have created multiple rules with the same internal tracker ID. The copy function has been corrected, but rules that already share a tracker ID must be fixed manually (e.g. by deleting and re-copying or re-creating the rules). The tracker ID is what links a firewall log entry back to its rule, so duplicates make log entries ambiguous.

  • The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.
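The two pre-upgrade checks above (tunnels that still use the removed IPsec algorithms, and rules left with duplicate tracker IDs by #13507) can be run against a configuration backup before upgrading. The following script is an added example and not part of pfSense; it assumes the config.xml element names used by recent releases (ipsec/phase1/encryption/item, phase2/encryption-algorithm-option and hash-algorithm-option, filter/rule/tracker), and it treats AES-GCM as needing no separate hash option. The embedded sample configuration is constructed for the example. Python 3 is present in the base system, so it can run on the firewall itself or on a workstation against an exported backup.

```python
"""Audit a pfSense config.xml before upgrading to 23.01 (added example, not
pfSense code). Flags IPsec entries using algorithms removed in 23.01 and
whether the upgrade would leave them with nothing usable, plus firewall
rules sharing a tracker ID (#13507). Element names are assumptions based
on the config.xml layout of recent releases; check them against your backup."""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

REMOVED_ENC = {"3des", "blowfish", "cast128"}
REMOVED_HASH = {"md5", "hmac_md5"}

def _lower(text): return (text or "").strip().lower()

def audit_ipsec(root):
    """One finding per IPsec entry that references a removed algorithm."""
    findings = []
    ipsec = root.find("ipsec")
    if ipsec is None:
        return findings
    # Phase 1: each <encryption><item> is an (encryption, hash) proposal and is
    # lost if either half is a removed algorithm.
    for p1 in ipsec.findall("phase1"):
        kept, lost = 0, []
        for item in p1.findall("encryption/item"):
            enc = _lower(item.findtext("encryption-algorithm/name"))
            hsh = _lower(item.findtext("hash-algorithm"))
            if enc in REMOVED_ENC or hsh in REMOVED_HASH:
                lost.append(f"{enc}/{hsh}")
            else:
                kept += 1
        if lost:
            findings.append({"phase": 1, "ikeid": p1.findtext("ikeid", "?"),
                             "descr": p1.findtext("descr", ""),
                             "removed": lost, "disabled": kept == 0})
    # Phase 2: encryption and hash options are independent lists. AES-GCM has
    # its own integrity check, so keeping only a GCM cipher survives losing every hash.
    for p2 in ipsec.findall("phase2"):
        encs = [_lower(e.findtext("name")) for e in p2.findall("encryption-algorithm-option")]
        hashes = [_lower(h.text) for h in p2.findall("hash-algorithm-option")]
        lost = [e for e in encs if e in REMOVED_ENC] + [h for h in hashes if h in REMOVED_HASH]
        if not lost:
            continue
        enc_left = [e for e in encs if e not in REMOVED_ENC]
        hash_left = [h for h in hashes if h not in REMOVED_HASH]
        aead_left = any("gcm" in e for e in enc_left)
        findings.append({"phase": 2, "ikeid": p2.findtext("ikeid", "?"),
                         "descr": p2.findtext("descr", ""), "removed": lost,
                         "disabled": not enc_left or (not hash_left and not aead_left)})
    return findings

def duplicate_trackers(root):
    """Map tracker ID -> [(interface, descr), ...] for IDs shared by >1 rule."""
    seen = defaultdict(list)
    for rule in root.findall("filter/rule"):
        tracker = _lower(rule.findtext("tracker"))
        if tracker:
            seen[tracker].append((rule.findtext("interface", "?"), rule.findtext("descr", "")))
    return {t: rules for t, rules in seen.items() if len(rules) > 1}

def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {"ipsec": audit_ipsec(root), "duplicate_trackers": duplicate_trackers(root)}

# Constructed sample, not a real backup: one tunnel loses only a spare proposal,
# one loses everything, one keeps only AES-GCM, and a tracker ID is duplicated.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><tracker>1000000001</tracker><interface>lan</interface><descr>Allow web</descr></rule>
<rule><tracker>1000000001</tracker><interface>opt1</interface><descr>Allow web</descr></rule>
<rule><tracker>1000000002</tracker><interface>wan</interface><descr>Allow VPN</descr></rule>
</filter><ipsec>
<phase1><ikeid>1</ikeid><descr>Branch A</descr><encryption>
<item><encryption-algorithm><name>aes</name></encryption-algorithm><hash-algorithm>sha256</hash-algorithm></item>
<item><encryption-algorithm><name>3des</name></encryption-algorithm><hash-algorithm>sha1</hash-algorithm></item>
</encryption></phase1>
<phase1><ikeid>2</ikeid><descr>Legacy</descr><encryption>
<item><encryption-algorithm><name>3des</name></encryption-algorithm><hash-algorithm>md5</hash-algorithm></item>
</encryption></phase1>
<phase2><ikeid>1</ikeid><descr>Branch A LAN</descr>
<encryption-algorithm-option><name>aes</name></encryption-algorithm-option><encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha256</hash-algorithm-option><hash-algorithm-option>hmac_md5</hash-algorithm-option></phase2>
<phase2><ikeid>1</ikeid><descr>Branch A GCM</descr><encryption-algorithm-option><name>aes128gcm</name></encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option></phase2>
<phase2><ikeid>2</ikeid><descr>Legacy LAN</descr><encryption-algorithm-option><name>cast128</name></encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option></phase2>
</ipsec></pfsense>"""

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    report = audit(xml_text)
    for f in report["ipsec"]:
        state = "WILL BE DISABLED" if f["disabled"] else "pruned, still usable"
        print(f"IPsec P{f['phase']} ikeid={f['ikeid']} '{f['descr']}': loses {f['removed']} -> {state}")
    for tracker, rules in report["duplicate_trackers"].items():
        print(f"Duplicate tracker {tracker}: {rules}")
    sys.exit(1 if report["ipsec"] or report["duplicate_trackers"] else 0)
```

Run it as `python3 audit_config.py /conf/config.xml` (or against a downloaded backup); a non-zero exit means something needs attention before the upgrade. Entries reported as "WILL BE DISABLED" are the ones the upgrade would switch off, and any tunnel reported at all should be reconfigured on both peers first.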

Note

On systems using ZFS, the first boot post-upgrade will appear to have higher than normal memory usage due to the large volume of filesystem activity that takes place during the upgrade process. This is harmless: the memory is held by the ZFS ARC (its read cache), which yields it as needed when other processes require more memory. Rebooting the firewall after the upgrade completes will return the reported memory usage to a normal level. To confirm that the ARC is the consumer, compare the value of sysctl kstat.zfs.misc.arcstats.size with the usage shown on the dashboard.

If an installation continues to show higher than usual memory usage after rebooting, see potentially related issues #14016 and #14011.

Security

pfSense Plus 23.01-RELEASE includes fixes for multiple potential vulnerabilities:

  • pfSense-SA-23_01.webgui: A potential XSS vulnerability in diag_edit.php from browsing directories containing specially crafted filenames on the filesystem.

  • pfSense-SA-23_02.webgui: A potential XSS vulnerability in system_camanager.php and system_certmanager.php from specially crafted descriptions when editing entries.

  • pfSense-SA-23_03.webgui: A potential authenticated arbitrary file creation vulnerability from the name parameter when creating or editing URL table aliases.

  • pfSense-SA-23_04.webgui: A potential authenticated arbitrary command execution vulnerability in status.php from specially crafted filenames on the filesystem.

  • pfSense-SA-23_05.sshguard: Anti-brute force protection bypass for GUI authentication requests containing certain proxy headers.

Note

Users of pfSense Plus 22.05.x and pfSense CE 2.6.0 can obtain corrections for these issues from the Recommended Patches area of the System Patches package.

Errata/Known Hardware Issues

  • The Netgate 1000 does not function on FreeBSD 14 and as a consequence it is unable to upgrade to this release. Attempting to check for updates on a Netgate 1000 device will print a notification to this effect. No other models are impacted.

  • Some older installations of pfSense Plus software on Netgate 1100, Netgate 2100, and Netgate 2100 MAX devices contain an EFI partition which does not have sufficient space to accommodate the new EFI loader for version 23.01 and later. This primarily affects UFS-based systems initially installed with version 21.02-p1 or before.

    Users with affected units must reinstall pfSense Plus software to run version 23.01 or later.

    Read Troubleshooting Upgrades on Netgate 1100 and Netgate 2100 Devices for details.

  • The PCI bus in the Netgate 1100 and Netgate 2100 models does not currently function on 23.01. This was never an advertised feature, though some users have taken advantage of it in the past. If a device relies on the PCI bus, such as an add-on Wireless card, consider the impact of upgrading to 23.01, where the bus will not be available (NG 9622).

  • Devices based on “ADI” or “RCC” hardware, such as the 4860, 8860, and potentially other similar models, may have issues with the ichsmb0 and/or ehci0 devices encountering an interrupt loop, leading to higher than usual CPU usage (NG 8916).

    This can typically be worked around by disabling the affected device, with some caveats.

    To disable the ichsmb0 device, which will disable the LED status indicators, add the following Loader Tunable:

    hint.ichsmb.0.disabled=1
    

    A similar method can be used to disable ehci0, but doing so also disables the internal MMC drive, so ehci0 should only be disabled when the device is booted and running from an add-on SSD.

    This does not affect the 2220, 2440 or XG-2758.

  • There have been a small number of reports that pfSense Plus software version 23.01 installations using ZFS will not boot in Hyper-V, though it works OK for others (#13895). Test in a lab or non-production environment before attempting to deploy this version. In some cases removing the optical drive from the VM settings before upgrading has allowed it to boot successfully.

  • Azure instances now use Gen2 and currently do not have a functional serial console. Developers are working to address this in the next release.

  • Devices using the i915 video driver require manual changes because FreeBSD moved the driver from the kernel to a package. In most cases this driver is not necessary, but it can be helpful on some platforms for HDMI hotplug support.

    To continue using the driver on 23.01, after the upgrade completes run pkg install -y drm-510-kmod from a shell. Then add the following Loader Tunable:

    kld_list="i915kms"
    

    Reboot the firewall after making the changes to activate the driver.

  • There have been a small number of reports on non-Netgate hardware that accessing the GUI of a pfSense Plus software installation over IPsec can trigger a kernel panic. Developers have not yet been able to reproduce the crash, but there is a workaround for users encountering this problem: Create a system tunable entry to set kern.ipc.mb_use_ext_pgs=0. See #13938 for details and alternate workarounds.

  • Some devices have an issue with the serial console display of password protected consoles and other aspects of the boot process, such as Boot Environment selection. The features may not render properly, but are still functional. This is not a regression in 23.01 as it also happened on 22.05.x. This has been reported on Netgate 4100, Netgate 6100, and Netgate 8200 models. See #13455 for more information.

  • The switch ports on the Netgate 7100 do not have Auto-MDIX enabled on 23.01-RELEASE. If a straight-through Ethernet cable is connecting two 7100 units together (e.g. back-to-back for HA), it will not link on 23.01-RELEASE. This will be addressed in a future release. Replacing the cable with a crossover Ethernet cable will allow it to link in the meantime.

  • On Netgate 3100 units, OpenVPN, GIF, and other types of virtual interfaces may not function on 23.01 until the kernel linker hints are updated by running the following command from a shell prompt:

    kldxref /boot/kernel
    

    See #13963 for details.

  • Dynamic interfaces (DHCP, PPP, etc.) with mixed case descriptions may not have the same gateway name after upgrading, leading to a loss of connectivity because the gateway name no longer matches the configuration. The simplest workaround is to change the interface description to all capital letters so the derived gateway name matches. For a patch, see #14057.
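The loader tunables in the errata above (hint.ichsmb.0.disabled=1 for the ichsmb0 interrupt loop, kld_list="i915kms" for the i915 driver) belong in /boot/loader.conf.local, because pfSense regenerates /boot/loader.conf itself. The helper below is an added example, not pfSense code: it writes each tunable exactly once, and it merges i915kms into an existing kld_list instead of overwriting modules that are already listed. The command-line flags and the sample file contents are constructed for the example; the sysctl workaround for the IPsec panic (kern.ipc.mb_use_ext_pgs) is a System Tunable, not a loader tunable, and is not handled here.

```python
"""Idempotent edits to /boot/loader.conf.local for the loader tunables in the
errata above (added example, not pfSense code). pfSense regenerates
/boot/loader.conf itself, so user loader tunables belong in loader.conf.local;
kld_list is a space-separated list, so i915kms must be merged into whatever is
already listed rather than replacing it."""
import re
import sys

LOADER_CONF_LOCAL = "/boot/loader.conf.local"

def set_tunable(conf, key, value):
    """Return conf with exactly one `key=value` line, replacing any existing ones."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    out, done = [], False
    for line in conf.splitlines():
        if pat.match(line):
            if not done:          # first occurrence is rewritten in place...
                out.append(f"{key}={value}")
                done = True
            continue              # ...later duplicates of the key are dropped
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"

def add_kld(conf, module):
    """Merge module into kld_list without losing modules already listed."""
    m = re.search(r'^\s*kld_list\s*=\s*"?([^"\n]*)"?\s*$', conf, re.M)
    mods = m.group(1).split() if m else []
    if module not in mods:
        mods.append(module)
    return set_tunable(conf, "kld_list", '"' + " ".join(mods) + '"')

def apply_errata(conf, disable_ichsmb=False, i915=False):
    """Apply the selected workarounds from this section to the file contents."""
    if disable_ichsmb:
        conf = set_tunable(conf, "hint.ichsmb.0.disabled", "1")
    if i915:
        conf = add_kld(conf, "i915kms")
    return conf

# Constructed sample of an existing loader.conf.local that already loads a module.
SAMPLE = 'net.link.ifqmaxlen="1024"\nkld_list="if_bnxt"\n'

if __name__ == "__main__":
    # Usage: python3 loader_tunables.py [--ichsmb] [--i915] [--write]
    # Without --write the result is printed instead of written to the file.
    flags = set(sys.argv[1:])
    try:
        current = open(LOADER_CONF_LOCAL).read()
    except FileNotFoundError:
        current = ""
    new = apply_errata(current, "--ichsmb" in flags, "--i915" in flags)
    if "--write" in flags:
        with open(LOADER_CONF_LOCAL, "w") as fh:
            fh.write(new)
    else:
        sys.stdout.write(new)
```

Review the printed output before adding --write, and reboot afterwards as the errata describe; for the i915 case, install drm-510-kmod first or the kld_list entry will fail to load at boot.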

See also

Numerous additional issues have been fixed since 23.01-RELEASE. Before reporting an error on the forum or elsewhere, first check the existing known issues on Redmine to see if the error has already been reported and/or fixed.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296

  • Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708

  • Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282

  • Added: Specify CA trust store location when downloading and validating URL alias content #13367

  • Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425

  • Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538

  • Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

Authentication

  • Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626

  • Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356

  • Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561

  • Fixed: Extra remote address information can confuse sshguard #13574

  • Changed: Improve LDAP debugging #13718

Auto Configuration Backup

  • Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266

  • Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

Backup / Restore

  • Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during restore #13132

  • Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289

  • Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861

  • Fixed: RRD restore process does not sanitize filenames from backup XML #13935

Build / Release

  • Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782

Captive Portal

  • Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148

  • Fixed: Voucher CSV output has leading space before voucher code #13272

  • Fixed: Error dummynet: bad switch 21! when using Captive Portal with Limiters #13290

  • Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323

  • Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391

  • Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396

  • Fixed: Captive Portal does not keep track of client data usage #13418

  • Fixed: All Captive Portal users are given the same limiter pipe pair #13488

  • Fixed: Captive Portal blocked MAC addresses are not blocked #13747

  • Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756

  • Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838

  • Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853

Certificates

  • Fixed: CA path is not defined when using curl in the shell #12737

  • Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257

  • Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387

  • Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424

  • Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

Configuration Backend

  • Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Console Menu

  • Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632

  • Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258

DHCP (IPv4)

  • Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345

  • Changed: Clean up DHCP Server option language #13250

  • Added: Input validation for numbered DHCP options in static mappings #13584

  • Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748

DHCP (IPv6)

  • Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253

  • Fixed: Advanced DHCP6 client settings only work for a single interface #13462

  • Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594

  • Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

  • Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

DNS Resolver

  • Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612

  • Fixed: DNS resolver does not update its configuration or reload during link down events #13254

  • Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393

  • Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453

  • Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867

  • Changed: Update Unbound to 1.17.1 #13893

Dashboard

  • Fixed: QAT detection on dashboard is incorrect if the driver does not attach #13674

  • Fixed: APU1 hardware is not properly identified with current BIOS versions #13471

Diagnostics

  • Fixed: File browser on diag_edit.php does not encode filenames before display #13262

  • Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318

  • Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426

  • Changed: Add multicast group membership (ifmcstat) to status.php #13731

Dynamic DNS

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167

  • Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298

  • Fixed: DNSExit Dynamic DNS updates no longer work #13303

FilterDNS

  • Fixed: Resolve interval for filterdns may not match the configured value #13067

FreeBSD

  • Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080

  • Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716

Gateway Monitoring

  • Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076

  • Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295

Gateways

  • Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

Hardware / Drivers

  • Fixed: Software VLAN tagging does not work on ixgbe(4) interfaces #13381

  • Fixed: Intel i226 network interfaces do not honor a manually selected link speed #13529

  • Fixed: UDP checksum errors with ixgbe interfaces #13883

IPsec

  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373

  • Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398

  • Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579

  • Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647

  • Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

Interfaces

  • Fixed: Primary interface address is not always used when VIPs are present #11545

  • Added: Support for VLAN 0 #12070

  • Fixed: Bridges with QinQ interfaces not properly set up at boot #13225

  • Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493

  • Changed: Clean up obsolete code in pfSense-dhclient-script #13501

  • Fixed: Assigned bridge interfaces are not configured at boot #13666

  • Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

OpenVPN

  • Fixed: OpenVPN DCO panics with short UDP packets #13338

  • Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355

  • Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed #13358

  • Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649

  • Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30) #13664

  • Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

Operating System

  • Fixed: Entries for net.link.ifqmaxlen duplicated in /boot/loader.conf #13280

  • Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316

  • Fixed: Memory leak in PF when retrieving Ethernet rules #13525

  • Changed: Update Python 3.9.15 to 3.9.16 in base system #13865

  • Changed: Add Python 3.11.1 to base system #13866

PHP Interpreter

  • Added: Upgrade PHP from 7.4 to 8.1 #13446

  • Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

PPP Interfaces

  • Fixed: Services are not restarted when PPP interfaces connect #12811

  • Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

Routing

  • Added: Enable ROUTE_MPATH multipath routing #9544

Rules / NAT

  • Fixed: Rule separator positions change when deleting multiple rules #9887

  • Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry which contains a defined prefix length #13240

  • Fixed: The negate_networks table is duplicated in rules.debug #13308

  • Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when multiple choices are present #13310

  • Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to interface net #13364

  • Fixed: PF can fail to load a new ruleset #13408

  • Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420

  • Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445

  • Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505

  • Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507

  • Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545

  • Fixed: Error creating port forward rule with port alias #13601

Traffic Shaper (ALTQ)

  • Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304

UPnP/NAT-PMP

  • Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

User Manager / Privileges

  • Fixed: RADIUS authentication not working over IPv6 #4154

Web Interface

  • Fixed: Unnecessary link tag in login page #7996

  • Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730

  • Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960

  • Changed: Spelling and typo corrections #13357

  • Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390

  • Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436

  • Changed: Update external HTTPS/HTTP links #13440

  • Fixed: Table row selection has poor contrast in Dark theme #13448

  • Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591