23.01 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

  • PHP has been upgraded from 7.4 to 8.1

  • The base operating system has been upgraded to FreeBSD 14-CURRENT

    Warning

    As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:

    • 3DES Encryption

    • Blowfish Encryption

    • CAST 128 Encryption

    • MD5 HMAC Authentication

    The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade to ensure a smoother transition.

    On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration. The upgrade process will disable tunnels if they have no valid encryption or authentication options remaining. The upgrade process will notify the user of any changes it makes.

    This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.

  • A long-standing, difficult-to-reproduce crash in Unbound during reloading has been addressed. Christian McDonald tracked down the source of the Unbound SIGHUP crashes: a reference counting bug within the MaxMindDB Python module. Both a patch to MaxMind and a port revision to FreeBSD ports were submitted and accepted, and the fix is included in the 23.01 release. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.

  • In addition to the Unbound crash, Christian also identified a memory leak with DHCP registration and Unbound Python mode (#10624). This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further in a future release.

  • Due to #13507, batch copying rules between interfaces on a previous release may have created multiple rules with the same internal tracker ID. This issue has been corrected, but any rules with duplicate IDs must be corrected manually (e.g. by deleting and re-copying or re-creating the rules).

  • The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.
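The IPsec algorithm removal described in the warning above can be checked before upgrading. The following is an added example, not part of the release notes or of pfSense itself, that scans a config.xml backup for the deprecated algorithms and flags phases that would be left with no valid option; the config.xml element names it uses are assumed from the pfSense configuration format and should be confirmed against a real backup.

```python
# Pre-upgrade audit of a pfSense config.xml for the IPsec algorithms 23.01 removes.
# Added example; the config.xml element names are assumed, check them against a real backup.
import xml.etree.ElementTree as ET

DEPRECATED_ENC = {"3des", "blowfish", "cast128"}
DEPRECATED_HASH = {"md5", "hmac_md5"}

# Constructed sample: a phase 1 that keeps a valid AES/SHA-256 proposal beside
# a 3DES/MD5 one, and a phase 2 whose only cipher is 3DES.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><descr>site-a</descr><encryption>
    <item><encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm></item>
    <item><encryption-algorithm><name>3des</name></encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm></item>
  </encryption></phase1>
  <phase2><ikeid>1</ikeid><protocol>esp</protocol>
    <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
  </phase2>
</ipsec></pfsense>"""


def audit_ipsec(config_xml):
    """Return (phase, ikeid, removed algorithms, disabled) per affected phase;
    disabled is True when no valid option remains, i.e. the upgrade would disable it."""
    root = ET.fromstring(config_xml)
    findings = []
    for p1 in root.iterfind("./ipsec/phase1"):
        # A phase 1 proposal pairs a cipher with a hash; it survives only if both are supported.
        removed, kept = [], 0
        for item in p1.findall("./encryption/item"):
            algs = (item.findtext("./encryption-algorithm/name", ""),
                    item.findtext("./hash-algorithm", ""))
            bad = [a for a in algs if a in DEPRECATED_ENC | DEPRECATED_HASH]
            removed += bad
            kept += 0 if bad else 1
        if removed:
            findings.append(("phase1", p1.findtext("ikeid"), sorted(set(removed)), kept == 0))
    for p2 in root.iterfind("./ipsec/phase2"):
        # Phase 2 lists ciphers and hashes separately: it needs a valid hash and, unless AH, a valid cipher.
        encs = [e.findtext("name", "") for e in p2.findall("encryption-algorithm-option")]
        hashes = [h.text or "" for h in p2.findall("hash-algorithm-option")]
        removed = [a for a in encs + hashes if a in DEPRECATED_ENC | DEPRECATED_HASH]
        if removed:
            enc_ok = p2.findtext("protocol") == "ah" or any(a not in DEPRECATED_ENC for a in encs)
            hash_ok = any(a not in DEPRECATED_HASH for a in hashes)
            findings.append(("phase2", p2.findtext("ikeid"), sorted(set(removed)), not (enc_ok and hash_ok)))
    return findings
```

Run it against a config.xml exported from Diagnostics > Backup & Restore; any phase reported with disabled set to True is one the upgrade would turn off and should be reconfigured first.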

Note

On systems using ZFS, the first boot post-upgrade will appear to have higher than normal memory usage due to the large volume of filesystem activity that takes place during the upgrade process. This is harmless: it is due to ZFS ARC memory usage, which ZFS yields as needed if other processes require more memory. Rebooting the firewall after the upgrade completes will return the reported memory usage to a normal level.

Hardware Errata

  • The Netgate 1000 does not function on FreeBSD 14 and as a consequence it is unable to upgrade to this release. Attempting to check for updates on a Netgate 1000 device will print a notification to this effect. No other models are impacted.

  • The PCI bus in the Netgate 1100 and Netgate 2100 models does not currently function on 23.01. This was never an advertised feature, though some users have taken advantage of it in the past. If a device relies on the PCI bus, such as an add-on Wireless card, then consider the impact of upgrading to 23.01 where that will not be available (NG 9622).

  • Devices based on “ADI” or “RCC” hardware, such as the 4860, 8860, and potentially other similar models, may have issues with the ichsmb0 and/or ehci0 devices encountering an interrupt loop, leading to higher than usual CPU usage (NG 8916). This can typically be worked around by disabling the affected device, for example by placing the following in /boot/loader.conf.local:

    hint.ichsmb.0.disabled=1

    This does not affect the 2220, 2440 or XG-2758.

  • There have been a small number of reports that pfSense Plus software version 23.01 installations using ZFS will not boot in Hyper-V, though it works OK for others (#13895). Test in a lab or non-production environment before attempting to deploy this version. In some cases removing the optical drive from the VM settings before upgrading has allowed it to boot successfully.

  • Azure instances now use Gen2 and currently do not have a functional serial console. Developers are working to address this in the next release.

  • Devices using the i915 video driver require manual changes because FreeBSD moved the driver from the kernel to a package. In most cases this driver is not necessary, but it can be helpful on some platforms for HDMI hotplug support.

    To continue using the driver on 23.01, after the upgrade completes run pkg install -y drm-510-kmod from a shell. Then add the following line to /boot/loader.conf.local:

    kld_list="i915kms"

    Reboot the firewall after making the changes to activate the driver.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296

  • Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708

  • Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282

  • Added: Specify CA trust store location when downloading and validating URL alias content #13367

  • Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538

  • Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

Authentication

  • Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626

  • Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356

  • Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561

  • Changed: Improve LDAP debugging #13718

Auto Configuration Backup

  • Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266

  • Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

Backup / Restore

  • Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during restore #13132

  • Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289

  • Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861

Build / Release

  • Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782

Captive Portal

  • Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148

  • Fixed: Voucher CSV output has leading space before voucher code #13272

  • Fixed: Error “dummynet: bad switch 21!” when using Captive Portal with Limiters #13290

  • Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323

  • Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391

  • Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396

  • Fixed: Captive Portal does not keep track of client data usage #13418

  • Fixed: All Captive Portal users are given the same limiter pipe pair #13488

  • Fixed: Captive Portal blocked MAC addresses are not blocked #13747

  • Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756

  • Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838

  • Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853

Certificates

  • Fixed: CA path is not defined when using curl in the shell #12737

  • Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257

  • Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424

  • Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

Configuration Backend

  • Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Console Menu

  • Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632

  • Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258

DHCP (IPv4)

  • Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345

  • Changed: Clean up DHCP Server option language #13250

  • Added: Input validation for numbered DHCP options in static mappings #13584

  • Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748

DHCP (IPv6)

  • Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253

  • Fixed: Advanced DHCP6 client settings only work for a single interface #13462

  • Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594

  • Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

  • Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

DNS Resolver

  • Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612

  • Fixed: DNS resolver does not update its configuration or reload during link down events #13254

  • Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393

  • Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453

  • Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867

  • Changed: Update Unbound to 1.17.1 #13893

Dashboard

  • Fixed: QAT detection on dashboard is incorrect if the driver does not attach #13674

  • Fixed: APU1 hardware is not properly identified with current BIOS versions #13471

Diagnostics

  • Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318

  • Changed: Add multicast group membership (ifmcstat) to status.php #13731

Dynamic DNS

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167

  • Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298

  • Fixed: DNSExit Dynamic DNS updates no longer work #13303

FilterDNS

  • Fixed: Resolve interval for filterdns may not match the configured value #13067

FreeBSD

  • Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080

  • Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716

Gateway Monitoring

  • Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076

  • Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295

Gateways

  • Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

Hardware / Drivers

  • Fixed: Software VLAN tagging does not work on ixgbe(4) interfaces #13381

  • Fixed: Intel i226 network interfaces do not honor a manually selected link speed #13529

IPsec

  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373

  • Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398

  • Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579

  • Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647

  • Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

Interfaces

  • Fixed: Primary interface address is not always used when VIPs are present #11545

  • Added: Support for VLAN 0 #12070

  • Fixed: Bridges with QinQ interfaces not properly set up at boot #13225

  • Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493

  • Changed: Clean up obsolete code in pfSense-dhclient-script #13501

  • Fixed: Assigned bridge interfaces are not configured at boot #13666

  • Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

OpenVPN

  • Fixed: OpenVPN DCO panics with short UDP packets #13338

  • Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355

  • Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed #13358

  • Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649

  • Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30) #13664

  • Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

Operating System

  • Fixed: Entries for net.link.ifqmaxlen duplicated in /boot/loader.conf #13280

  • Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316

  • Fixed: Memory leak in PF when retrieving Ethernet rules #13525

  • Changed: Update Python 3.9.15 to 3.9.16 in base system #13865

  • Changed: Add Python 3.11.1 to base system #13866

PHP Interpreter

  • Added: Upgrade PHP from 7.4 to 8.1 #13446

  • Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

PPP Interfaces

  • Fixed: Services are not restarted when PPP interfaces connect #12811

  • Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

Routing

  • Added: Enable ROUTE_MPATH multipath routing #9544

Rules / NAT

  • Fixed: Rule separator positions change when deleting multiple rules #9887

  • Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry which contains a defined prefix length #13240

  • Fixed: The negate_networks table is duplicated in rules.debug #13308

  • Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when multiple choices are present #13310

  • Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to interface net #13364

  • Fixed: PF can fail to load a new ruleset #13408

  • Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420

  • Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445

  • Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505

  • Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507

  • Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545

  • Fixed: Error creating port forward rule with port alias #13601

Traffic Shaper (ALTQ)

  • Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304

UPnP/NAT-PMP

  • Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

User Manager / Privileges

  • Fixed: RADIUS authentication not working over IPv6 #4154

Web Interface

  • Fixed: Unnecessary link tag in login page #7996

  • Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730

  • Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960

  • Changed: Spelling and typo corrections #13357

  • Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390

  • Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436

  • Changed: Update external HTTPS/HTTP links #13440

  • Fixed: Table row selection has poor contrast in Dark theme #13448

  • Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591