23.05 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

  • This release includes support for cryptographic acceleration through the Multi-Buffer Crypto for IPsec Library (IPsec-MB, IIMB) which leverages special CPU instructions to accelerate several algorithms for multiple types of VPNs and other uses. See Cryptographic Accelerator Support for details.

  • This release includes experimental support for Ethernet (Layer 2) rules. See Ethernet (Layer 2) Rules for details.

  • As of this release, several new and recent features combined enable using the GUI alone to configure a setup compatible with the AT&T Residential Fiber Network. The same setup should work for any similar ISPs which require special handling such as Priority Code Point tagging on VLAN 0 and 802.1X authentication passthrough to a modem. Previous versions of pfSense Plus software required additional scripts (e.g. “pfatt”) and/or manual changes outside the GUI.

    There is a new configuration recipe which covers using these features in the GUI to configure this use case: WAN Connectivity with 802.1X Authentication Bridging and VLAN 0 PCP Tagging.

  • Unicast CARP support can be configured on a per-VIP basis for environments where multicast CARP cannot function. This is a step toward future enhancements in virtualization and cloud environments which are still under development, including high availability in AWS and Azure. See VIP Configuration Options for details.

  • WireGuard is now installed by default on new installations. This does not affect upgrades or factory reset configurations, only fresh installations.

  • Several improvements have been made to memory usage reporting and to reduce some reported cases of increased memory usage in the previous release. See Memory Management and ZFS Tuning for additional information on memory usage and tuning.

  • A bug in 23.01 caused some automatic dynamic gateway names to be in mixed case instead of all upper case, which may have led to loss of connectivity until the default gateway or gateway group membership was updated. This bug has been corrected, but anyone who worked around the problem by changing gateway entries will have to correct them again once they have upgraded to 23.05.

Security

  • pfSense-SA-23_06.webgui: A potential Authenticated Command Execution vulnerability from the bridgeif parameter on interfaces_bridge_edit.php in the GUI.

    Note

    Users of pfSense Plus software version 23.01, pfSense Plus software version 22.05.x, and pfSense CE software version 2.6.0 can obtain corrections for this issue from the Recommended Patches area of the System Patches package.

  • pfSense-SA-23_07.kernel: Denial of Service on pfSense Plus software version 23.01 due to a kernel panic from oversize IPv6 packets.

    Warning

    There is no patch for this issue as it is a problem in the kernel. Users must upgrade to pfSense Plus software version 23.05 or later to correct the problem.

    This problem did not affect any version of pfSense Plus software prior to 23.01, nor does it affect any released version of pfSense CE software. Users of pfSense CE development snapshots must upgrade to a current snapshot to correct the problem.

Upgrade Paths

Devices running pfSense Plus software version 23.01 can upgrade directly to version 23.05.

Devices running pfSense Plus software version 22.05.1 and earlier must first upgrade to version 23.01, then they can upgrade to version 23.05.

Devices running pfSense CE software version 2.6.0 can also upgrade directly to pfSense Plus software version 23.05. Devices running pfSense CE software version 2.7.0 snapshots dated before the pfSense Plus software version 23.05 release can also upgrade directly. Snapshots after that time may still be able to upgrade, but check the forum for details.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Using PF reserved keywords for interface descriptions results in an invalid ruleset #14007

  • Fixed: PHP error when attempting to bulk import Alias content #14013

  • Fixed: Alias list is not sorted #14015

Authentication

  • Added: Option to enable/disable console bell, enabled by default #14002

Auto Configuration Backup

  • Fixed: PHP error if the configuration has an empty Auto Configuration Backup section #14076

Captive Portal

  • Fixed: PHP error in Captive Portal if usedmacs list is empty #14172

Certificates

  • Fixed: PHP errors when configuration lacks any certificates #14004

  • Fixed: PHP error when exporting a CRL for an old CA #14022

  • Fixed: Some blank SAN fields are not ignored when creating a certificate #14124

  • Added: Ability to edit Certificate Revocation List properties #14185

  • Changed: Add note to inform the user that the “Next Certificate Serial” value is ignored when the “Randomize Serial” option is enabled #14188

Console Menu

  • Fixed: Console menu incorrectly shows option 99 on some ARMv7/ARM64 installations #14102

  • Added: Print ZFS Boot Environment status in console menu banner #14323

Cryptographic Modules

  • Added: Support for cryptographic acceleration using the Multi-Buffer Crypto for IPsec Library (IPsec-MB, IIMB) #14291

DHCP (IPv4)

  • Fixed: DHCP Server generates an invalid configuration for static mappings when defining network booting and UEFI HTTPBoot URL #13573

  • Fixed: Automatic DHCP failover firewall rules are not present in the ruleset when failover is active #13965

  • Fixed: Multiple PHP errors in the DHCP Server when the configuration contains an empty section for an interface #13983

  • Fixed: DHCP Server page does not properly select a default interface tab if neither WAN nor LAN are capable of being DHCP servers #14115

DHCP (IPv6)

  • Fixed: Typo in filter.inc variable for DHCPv6 VLAN priority tag value #14010

DNS Forwarder

  • Fixed: DNS Forwarder (dnsmasq) is using an invalid combination of options when “Query DNS servers sequentially” is enabled #13655

DNS Resolver

  • Fixed: DNS Resolver does not generate automatic ACLs for IPv6 when Network Interfaces is set to “All” #13851

Dashboard

  • Fixed: System Information Dashboard widget stops showing CPU details on aarch64 #14204

  • Fixed: Changing the default IPsec widget tab removes all widgets #14053

  • Fixed: Uptime displays plural seconds for multiple minutes in the System Information Dashboard widget #14176

  • Added: Support for Intel PCH temperature values in thermal sensors #14255

  • Fixed: PHP error in RSS widget after saving settings #14365

Diagnostics

  • Added: Packet Capture GUI with granular control #13382

  • Changed: Add more disk information to status output #14103

Dynamic DNS

  • Changed: Improve DynDNS help text readability #14186

FreeBSD

  • Fixed: Kernel panic accessing the GUI over IPsec in certain environments when using nginx sendfile with unmapped mbufs #13938

  • Changed: Update Time Zone data to 2023c or later #14209

Gateways

  • Fixed: Dynamic gateway names use mixed case instead of upper case, leading to configuration mismatches #14057

  • Fixed: Gateway popup in firewall rule list does not indicate current gateway status #14327

Hardware / Drivers

  • Fixed: Switch ports on 7100/1100/2100 do not have Auto MDI-X support enabled #13993

  • Fixed: Undersized CESA TDMA descriptor pools can be exhausted, leading to errors #14235

  • Fixed: Status LEDs on the Netgate 1100 do not function properly #14292

  • Fixed: 2100/1100 PCIe bus devices are not recognized #14334

  • Fixed: Intel e1000 driver (em, igb) cannot pass packets tagged with VLAN 0 #12821

  • Fixed: Malicious Driver Detection event on ixl(4) driver #13003

IGMP Proxy

  • Fixed: IGMP Proxy multicast group membership query packets have an invalid checksum #13929

IPsec

  • Fixed: Deadlock in Charon VICI interface #13014

  • Fixed: PHP error from upgraded IPsec tunnel containing only deprecated ciphers #14009

  • Fixed: IPsec Phase 2 rekey failures with some PFS key groups #14217

  • Fixed: PHP Error performing IPv6 ip_in_subnet() when passing a host address within a prefix #14256

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: No working IPv6 gateway if upstream RA does not contain M or O flags because rtsold does not execute its script #14072

Interfaces

  • Added: Priority Code Point (PCP) option on interface configuration #13511

  • Fixed: SNMP logs “Device not configured” error message when queries involve built-in switch port interfaces #13976

  • Fixed: PHP Error on status_interfaces.php with empty switch VLAN group configuration and assigned VLAN interfaces #13981

  • Added: Promiscuous Mode option on interface configuration #14295

  • Changed: Start rtsold immediately after dhcp6c sends a request #13492

  • Fixed: DHCP client can fail permanently if an interface is down at boot #13671

  • Changed: Trim blank characters from static IP address fields on the Interface configuration page #13959

  • Fixed: PHP error in gwlb.inc when OpenVPN or IPsec instances referred to by assigned interface entries are missing #13973

  • Fixed: PHP error when attempting to create a GIF interface on ARM #14035

  • Fixed: Bridge interface is not properly validated when submitted on interfaces_bridge_edit.php #14052

  • Fixed: IPv6 interface configuration race condition can lead to kernel panic #14164

Logging

  • Added: Option to control log level of authentication messages in system logs (“Emergency” vs “Notice” level) #12464

  • Fixed: Nothing is logged through syslog if the configuration contains an empty <syslogd> section or if that section is not present #14283

NTPD

  • Fixed: PHP error in NTP widget and status with GPS data #13999

  • Fixed: PHP error in NTP Server if the configuration contains a partial section of old openntpd settings #14033

  • Fixed: PHP error when the timeserver section of the configuration is empty #14036

Notifications

  • Fixed: Identical SMTP notifications repeat in an infinite loop under certain conditions #14031

OpenVPN

  • Fixed: SSL/TLS OpenVPN Client fails with ifconfig error when the IPv4 Tunnel Network is defined #13350

  • Fixed: OpenVPN crashes with Signal 8 with very low fragment size #13943

  • Changed: Update OpenVPN Wizard to match current certificate and OpenVPN options #14183

Operating System

  • Fixed: Early boot hangs on Hyper-V with Gen2 VMs #13895

  • Fixed: OpenVPN and GIF interface create/destroy operations fail due to outdated linker.hints #13963

  • Changed: Update memory graphs to account for changes in memory reporting #14011

  • Fixed: FreeBSD default cron jobs are enabled when they should be disabled #14016

  • Fixed: Kernel panic from incoming IPv6 connections #14077

  • Fixed: Kernel panic when PF passes a large/fragmented ICMP6 packet #14092

PHP Interpreter

  • Changed: Update PHP to 8.2.4 #14027

  • Fixed: PHP error if a non-privileged shell user attempts an operation which needs to write config.cache #14061

PPP Interfaces

  • Fixed: IPv6 does not work on secondary PPPoE WAN #13939

  • Fixed: PPP interfaces do not request DNS servers when “DNS Server Override” is enabled #13962

  • Fixed: PHP Error on status_interfaces.php from PPP interface uptime #14117

Package System

  • Added: Package plugin hook for pf Ethernet rules #14293

  • Added: Package plugin hook for web server configuration stanzas #13054

Rules / NAT

  • Added: Support for Ethernet (L2) filtering rules #14308

  • Fixed: PHP Error loading Floating rule tab with OpenVPN group rules when there are no OpenVPN instances in the configuration #13953

  • Fixed: Custom default state timeouts are not respected in the ruleset #13992

  • Fixed: PHP Error enabling ICMP6 using EasyRule #14037

  • Fixed: The “Kill States” button does not work consistently #14091

  • Changed: Match upstream changes in PF syntax to disable fragment disassembly #14098

  • Fixed: PHP error when saving an ICMP firewall rule with no subtypes selected #14267

  • Fixed: Associated firewall rule for NAT port forward does not inherit nosync property, gets synchronized #14335

  • Fixed: PHP error from empty separator #14338

Services

  • Fixed: Services Status page and Dashboard widget do not list the radvd service with certain static IPv6 configurations #14136

Setup Wizard

  • Changed: Update firewall host and domain fields in the Setup Wizard to match the description and warning text from system.php #14250

System Logs

  • Fixed: PHP error on status_logs_settings.php if the configuration contains an empty syslog section #13942

  • Fixed: syslogd tries to bind interfaces with no IP address #14120

Traffic Graphs

  • Fixed: PHP Error when viewing Traffic Graphs in iftop mode #14236

Traffic Shaper (Limiters)

  • Fixed: Traffic shaped by limiters is dropped when routed to a GIF gateway #14055

Traffic Shaper Wizards

  • Fixed: PHP errors when re-running Traffic Shaper Wizards with different settings #13915

Upgrade

  • Fixed: pfSense Plus Upgrade repo data remains on the system after upgrading #14137

  • Fixed: pfSense-boot can fail to copy the EFI bootloader #14045

User Manager / Privileges

  • Fixed: “All” user group overwritten after assigning an existing user to a group #14363

Virtual IP Addresses

  • Fixed: Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active #13908

Web Interface

  • Changed: Replace direct config accesses for the rest of the paths in system_advanced_admin.inc #13701

  • Changed: Replace direct config accesses in system_advanced_sysctl #13702

  • Added: Support for iwlwifi wireless interfaces #14050

XMLRPC

  • Fixed: PHP errors in xmlrpc.php during configuration synchronization if the target host has an empty XML tag for a given section #14034

  • Fixed: PHP error when XMLRPC client attempts to synchronize without any synchronization settings in the configuration #14182

  • Fixed: Filter/NAT rules configured with “No XMLRPC Sync” enabled are still synchronized #14316