23.05 New Features and Changes
This is a regularly scheduled software release including new features and bug fixes.
This release includes support for cryptographic acceleration through the Multi-Buffer Crypto for IPsec Library (IPsec-MB, IIMB) which leverages special CPU instructions to accelerate several algorithms for multiple types of VPNs and other uses. See Cryptographic Accelerator Support for details.
This release includes experimental support for Ethernet (Layer 2) rules. See Ethernet (Layer 2) Rules for details.
As of this release, several new and recent features combined enable using the GUI alone to configure a setup compatible with the AT&T Residential Fiber Network. The same setup should work for any similar ISPs which require special handling such as Priority Code Point tagging on VLAN 0 and 802.1X authentication passthrough to a modem. Previous versions of pfSense Plus software required additional scripts (e.g. “pfatt”) and/or manual changes outside the GUI.
There is a new configuration recipe which covers using these features in the GUI to configure this use case: WAN Connectivity with 802.1X Authentication Bridging and VLAN 0 PCP Tagging.
Unicast CARP support can be configured on a per-VIP basis for environments where multicast CARP cannot function. This is a step toward future enhancements in virtualization and cloud environments which are still under development, including high availability in AWS and Azure. See VIP Configuration Options for details.
WireGuard is now installed by default on new installations. This does not affect upgrades or factory reset configurations, only fresh installations.
Several improvements have been made to memory usage reporting and to reduce some reported cases of increased memory usage in the previous release. See Memory Management and ZFS Tuning for additional information on memory usage and tuning.
A bug in 23.01 caused some automatic dynamic gateway names to be in mixed case instead of all upper case, which may have led to loss of connectivity until the default gateway or gateway group membership was updated. This bug has been corrected, but anyone who worked around the problem by changing gateway entries will have to correct them again once they have upgraded to 23.05.
pfSense-SA-23_06.webgui A potential Authenticated Command Execution vulnerability from interfaces_bridge_edit.php in the GUI.
Users of pfSense Plus software version 23.01, pfSense Plus software version 22.05.x, and pfSense CE software version 2.6.0 can obtain corrections for this issue from the Recommended Patches area of the System Patches package.
pfSense-SA-23_07.kernel Denial of Service on pfSense Plus software version 23.01 due to a kernel panic from oversize IPv6 packets.
There is no patch for this issue as it is a problem in the kernel. Users must upgrade to pfSense Plus software version 23.05 or later to correct the problem.
This problem did not affect any version of pfSense Plus software prior to 23.01, nor does it affect any released version of pfSense CE software. Users of pfSense CE development snapshots must upgrade to a current snapshot to correct the problem.
Devices running pfSense Plus software version 23.01 can upgrade directly to version 23.05.
Devices running pfSense Plus software version 22.05.1 and earlier must first upgrade to version 23.01, then they can upgrade to version 23.05.
Devices running pfSense CE software version 2.6.0 can also upgrade directly to pfSense Plus software version 23.05. Devices running pfSense CE software version 2.7.0 snapshots dated before the pfSense Plus software version 23.05 release can also upgrade directly. Snapshots after that time may still be able to upgrade, but check the forum for details.
Changes in this version of pfSense Plus software.
Aliases / Tables
Auto Configuration Backup
Fixed: PHP error if the configuration has an empty Auto Configuration Backup section #14076
Fixed: PHP errors when configuration lacks any certificates #14004
Fixed: PHP error when exporting a CRL for an old CA #14022
Fixed: Some blank SAN fields are not ignored when creating a certificate #14124
Added: Ability to edit Certificate Revocation List properties #14185
Changed: Add note to inform the user that the “Next Certificate Serial” value is ignored when the “Randomize Serial” option is enabled #14188
Added: Support for cryptographic acceleration using the Multi-Buffer Crypto for IPsec Library (IPsec-MB, IIMB) #14291
Fixed: DHCP Server generates an invalid configuration for static mappings when defining network booting and UEFI HTTPBoot URL #13573
Fixed: Automatic DHCP failover firewall rules are not present in the ruleset when failover is active #13965
Fixed: Multiple PHP errors in the DHCP Server when the configuration contains an empty section for an interface #13983
Fixed: DHCP Server page does not properly select a default interface tab if neither WAN nor LAN are capable of being DHCP servers #14115
Fixed: DNS Forwarder (dnsmasq) is using an invalid combination of options when “Query DNS servers sequentially” is enabled #13655
Fixed: DNS Resolver does not generate automatic ACLs for IPv6 when Network Interfaces is set to “All” #13851
Fixed: System Information Dashboard widget stops showing CPU details on aarch64 #14204
Fixed: Changing the default IPsec widget tab removes all widgets #14053
Fixed: Uptime displays plural seconds for multiple minutes in the System Information Dashboard widget #14176
Added: Support for Intel PCH temperature values in thermal sensors #14255
Fixed: PHP error in RSS widget after saving settings #14365
Hardware / Drivers
Fixed: Switch ports on 7100/1100/2100 do not have Auto MDI-X support enabled #13993
Fixed: Undersized CESA TDMA descriptor pools can be exhausted, leading to errors #14235
Fixed: Status LEDs on the Netgate 1100 do not function properly #14292
Fixed: 2100/1100 PCIe bus devices are not recognized #14334
Fixed: Intel e1000 driver (igb) cannot pass packets tagged with VLAN
Fixed: Malicious Driver Detection event on
Fixed: IGMP Proxy multicast group membership query packets have an invalid checksum #13929
Fixed: Deadlock in Charon VICI interface #13014
Fixed: PHP error from upgraded IPsec tunnel containing only deprecated ciphers #14009
Fixed: IPsec Phase 2 rekey failures with some PFS key groups #14217
Fixed: PHP Error performing IPv6 ip_in_subnet() when passing a host address within the prefix #14256
IPv6 Router Advertisements (radvd/rtsold)
Fixed: No working IPv6 gateway if upstream RA does not contain M or O flags because rtsold does not execute script #14072
Added: Priority Code Point (PCP) option on interface configuration #13511
Fixed: SNMP logs “Device not configured” error message when queries involve built-in switch port interfaces #13976
Fixed: PHP Error on status_interfaces.php with empty switch VLAN group configuration and assigned VLAN interfaces #13981
Added: Promiscuous Mode option on interface configuration #14295
dhcp6c sends a request #13492
Fixed: DHCP client can fail permanently if an interface is down at boot #13671
Changed: Trim blank characters from static IP address fields on the Interface configuration page #13959
Fixed: PHP error in gwlb.inc when OpenVPN or IPsec instances referred to by assigned interface entries are missing #13973
Fixed: PHP error when attempting to create a GIF interface on ARM #14035
Fixed: Bridge interface is not properly validated when submitted on
Fixed: IPv6 interface configuration race condition can lead to kernel panic #14164
Fixed: Identical SMTP notifications repeat in an infinite loop under certain conditions #14031
Fixed: Early boot hangs on Hyper-V with Gen2 VMs #13895
Fixed: OpenVPN and GIF interface create/destroy operations fail due to outdated
Changed: Update memory graphs to account for changes in memory reporting #14011
Fixed: FreeBSD default cron jobs are enabled when they should be disabled #14016
Fixed: Kernel panic from incoming IPv6 connections #14077
Fixed: Kernel panic when PF passes a large/fragmented ICMP6 packet #14092
Rules / NAT
Added: Support for Ethernet (L2) filtering rules #14308
Fixed: PHP Error loading Floating rule tab with OpenVPN group rules when there are no OpenVPN instances in the configuration #13953
Fixed: Custom default state timeouts are not respected in the ruleset #13992
Fixed: PHP Error enabling ICMP6 using EasyRule #14037
Fixed: The “Kill States” button does not work consistently #14091
Changed: Match upstream changes in PF syntax to disable fragment disassembly #14098
Fixed: PHP error when saving an ICMP firewall rule with no subtypes selected #14267
Fixed: Associated firewall rule for NAT port forward does not inherit the nosync property and gets synchronized #14335
Fixed: PHP error from empty separator #14338
Fixed: Services Status page and Dashboard widget do not list the radvd service with certain static IPv6 configurations #14136
Changed: Update firewall host and domain fields in the Setup Wizard to match the description and warning text from
Traffic Shaper (Limiters)
Fixed: Traffic shaped by limiters is dropped when routed to a GIF gateway #14055
Traffic Shaper Wizards
Fixed: PHP errors when re-running Traffic Shaper Wizards with different settings #13915
User Manager / Privileges
Fixed: “All” user group overwritten after assigning an existing user to a group #14363
Virtual IP Addresses
Fixed: Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active #13908
Fixed: PHP errors in xmlrpc.php during configuration synchronization if the target host has an empty XML tag for a given section #14034
Fixed: PHP error when XMLRPC client attempts to synchronize without any synchronization settings in the configuration #14182
Fixed: Filter/NAT rules configured with “No XMLRPC Sync” enabled are still synchronized #14316