23.09 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

Consult the Upgrade Guide before proceeding with any upgrade.

Warning

Before attempting the upgrade, check the list of current ZFS Boot Environments (System > Boot Environments) and clean up any older entries to ensure they do not consume space which may be needed during the upgrade. See Check and Clean Up ZFS Boot Environments for details.

General

• PHP has been upgraded to 8.2.11

• The base operating system has been upgraded to a more recent point on FreeBSD 14-CURRENT

• Support for SCTP has been improved in PF for firewall rules, NAT, and logging. Rules can now act on SCTP packets by port number, previously it was only possible to filter on source or destination address.

• OpenSSL in the base system has been upgraded from 1.1.1t to 3.0.12.

  For details, see OpenSSL upgraded to 3.0.12.

• Kea DHCP Server has been added as an opt-in feature preview for IPv4 and IPv6 DHCP service. Kea will eventually replace the ISC DHCPD daemon which is EOL.

  Warning

  Kea is not yet feature complete. For details, see Kea DHCP Server feature preview now available.

• IPv6 Router Advertisement configuration has been relocated to Services > Router Advertisement as a part of the ongoing DHCP Server changes.

• Certain parts of the base system are being migrated to packages rather than grouping them all together in an archive in the “base” package. For the most part this should be entirely transparent to users.

  Specifically, the code from the main pfSense software repository is now a part of the “pfSense” package. This lets management of files be handled entirely by pkg rather than carrying them in an archive. This migration is ongoing, so future versions will include additional portions of the system being packaged differently.

• The default driver for NVMe storage devices changed from nvd(4) to nda(4). For most users this will be a transparent change since the majority of installations are mounted by label and do not reference a storage device by name.

  Some swap configurations may reference the old device name in /etc/fstab. Editing that file and correcting device names from nvd to nda, followed by a reboot, should restore swap functionality.

  If the new driver is problematic in certain environments the default can be changed back to nvd(4) by adding a loader tunable for hw.nvme.use_nvd=1.

OpenSSL upgraded to 3.0.12

OpenSSL has been upgraded to 3.0.12 from 1.1.1 in FreeBSD.

This change was necessary as OpenSSL 1.1.1 reached its End of Life (EOL) on September 11, 2023. This means there will be no security patches for vulnerabilities affecting OpenSSL 1.1.1.

The OpenSSL team decided to make an explicit jump in numbering from 1.1.x to 3.x to highlight that this new version included major structural, and more importantly, application programming interface (API) and application binary interface (ABI) changes compared to previous OpenSSL versions.

In addition to the differences in the library they also deprecated numerous weak algorithms of various types.

Due to these differences, changing from OpenSSL 1.1 to OpenSSL 3.0 is not a simple upgrade. Netgate developers have handled most of these changes as automatically as possible, though some things may still require manual adjustments. See the warnings in the next section for details.

OpenSSL 3.0.x Upgrade Warnings

Weak Certificate Digests such as SHA1 are Deprecated

Warning

OpenSSL 3.0.x no longer supports certificates signed with SHA1 or other older/weaker hashes. The minimum recommended hash strength is SHA256.

The upgrade process detects usage of weak certificates for the GUI, Captive Portal, and OpenVPN:

• If the GUI or a Captive Portal zone utilizes a weak CA or server certificate, the upgrade process generates a new self-signed certificate as a stopgap measure to allow the processes to start and let the user in to make any necessary corrections.

• If an OpenVPN instance is using a weak certificate, the instance is disabled as there is no viable general automated recovery method.

• OpenVPN peers using SHA1 certificates will fail, but such issues must be corrected on the peers. This may mean renewing or reissuing certificates or re-exporting clients for peers if they are currently using weak certificates.

• Other consumers of certificates, such as add-on packages, may be similarly affected but cannot be automatically adjusted.

The best practice is to reconfigure all services utilizing certificates with stronger certificates and to test these functions before performing an upgrade to ensure a smoother transition.

Numerous Deprecated Encryption and Digest Algorithms Removed

Warning

OpenSSL 3.0.x removes a large number of deprecated encryption and digest algorithms. This primarily affects OpenVPN, as other areas had not supported the affected algorithms in some time.

Encryption algorithms removed from OpenVPN:

• ARIA

• Blowfish (e.g. BF-CBC), which was formerly an OpenVPN default

• CAST5

• DES

• DESX

• IDEA

• RC2

• RC5

• SEED

• SM4

Hash algorithms removed from OpenVPN:

• MD4

• MDC2

• SM3

• Whirlpool

On upgrade, tunnels using these deprecated algorithms will be adjusted so they use more secure default values when necessary.

The best practice is to reconfigure tunnels using modern secure encryption and hashing, and to test tunnels before performing an upgrade to ensure a smoother transition.

Other OpenSSL-Related Concerns

• The certificate manager in the GUI can still read and generate certificates using weak hashes, but warns against their use. Avoid creating any new entries using weak hashes. This support will eventually be removed.

• The certificate manager no longer supports importing PKCS#12 archive files which were encrypted with weak ciphers, such as RC2-40. Some operating systems still export using such weak ciphers by default, including macOS and Windows.

• IPsec does not require any adjustments, it still supports SHA1 certificates for the time being and no additional algorithms have been deprecated or removed.

• Unbound does not require any adjustments, it still supports SHA1 certificates for the time being.

• Though the legacy provider for OpenSSL 3.0.x is built and included it does not help to work around the issues mentioned above in any meaningful way.

Kea DHCP Server feature preview now available

The ISC DHCPD server has reached its End of Life (EOL) as of October 5, 2022. Though ISC has stated they may continue to publish security fixes if they are warranted.

Netgate developers have started the migration to Kea DHCP server from ISC as a replacement for ISC DHCPD for IPv4 and IPv6 DHCP service. Basic functionality is present, but not all features are supported at this time.

Warning

Currently the Kea implementation lacks the following DHCP server features:

• Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients

• Remote DNS server registration

• DHCPv6 Prefix Delegation

• High Availability Failover

• Lease statistics/graphs

• Custom DHCP options

Kea is available as an opt-in preview feature on this release. The UI and settings for Kea are shared with the existing DHCP server. Administrators can easily switch between ISC DHCPD and Kea by navigating to System > Advanced, Networking tab and changing the new Server Backend setting in the DHCP Options section.

After Kea integration is complete it will become the default DHCP server on a future release of pfSense software and eventually the deprecated ISC DHCP server will be removed. The exact timing of these changes has not been finalized.

Note

As a part of changes to the DHCP server, IPv6 Router Advertisement configuration has been separated from the DHCP server UI and relocated to Services > Router Advertisement.

Security

In addition to OpenSSL and other concerns in the base OS and packages, this release addresses the following vulnerabilities in pfSense software:

• pfSense-SA-23_08.webgui (XSS in getserviceproviders.php, #14547)

• pfSense-SA-23_09.webgui (XSS in status_logs_filter_dynamic.php, #14548)

• pfSense-SA-23_10.webgui (Authenticated Command Execution in interfaces_gif_edit.php and interfaces_gre_edit.php, #14549)

• pfSense-SA-23_11.webgui (Authenticated Command Execution in packet_capture.php, #14809)

Tip

Patches for these issues are also available in the latest version of the System Patches Package for users of pfSense Plus software version 23.05.1 and pfSense CE software version 2.7.0.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

• Fixed: Firewall rules fail to load when a URL table alias file does not exist #13068

• Added: Type column on Alias lists #13245

• Fixed: Static ARP entries are not configured at boot #14374

• Fixed: Firewall rules are not displayed properly when they reference a URL table alias and its file does not exist #14574

Authentication

• Added: Option to invalidate GUI login session if the client address changes #14265

Backup / Restore

• Changed: Increase timeout for password entry when restoring an encrypted configuration via ECL #14769

CARP

• Added: Add unicast CARP indication and peer address to CARP status #14348

• Fixed: Adding an IP Alias VIP using a unicast CARP VIP as its parent changes the CARP VIP to multicast at the OS level #14586

• Added: Prevent CARP status/maintenance mode from being erroneously toggled #13804

• Fixed: IPsec restart in CARP event scripts does not check VIP properly and never runs #14738

Captive Portal

• Fixed: Captive Portal incorrectly allows leading zeroes on voucher roll numbers #14325

• Fixed: Link to view Captive Portal custom HTML page content does not work #14598

Certificates

• Fixed: Cannot validate Certificates against Certificate Revocation Lists for Intermediate Certificate Authorities #9889

• Added: Improve System menu behavior for Certificate Manager privileges #14347

• Fixed: CA and Certificate renewal page does not properly list some SHA1 certificates as being weak #14678

Configuration Upgrade

• Fixed: PHP Error in upgrade216_ipsec_create_vtimap() #14400

Console Menu

• Fixed: Serial console output fails to render properly in certain cases on 4100, 6100, and 8200. #13455

• Fixed: PHP shell script pfanchordrill shows duplicate anchor content #14637

DHCP (IPv4)

• Added: Introduce Kea DHCP as an alternative DHCP server for IPv4 and IPv6 #6960

DNS Resolver

• Fixed: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR #14056

• Added: Unbound Advanced Settings entry for sock-queue-timeout #14731

• Changed: Update Unbound to 1.18.0 #14732

Dashboard

• Fixed: System Information widget does not properly form list of active hardware crypto algorithms #14417

• Fixed: Gateway widget tooltip incorrectly indicates some gateways as being default #14542

Diagnostics

• Fixed: diag_edit.php warning is not cleared after picking non-directory to load #7589

• Changed: Combining Interface and Rule ID state table filter fields returns no results #14399

• Fixed: Improve error handling in status.php #14513

• Added: Status output plugin hook for packages to include their own data #14777

Dynamic DNS

• Added: Include hostname being updated in Dynamic DNS notifications #9504

• Added: Dynamic DNS support for Porkbun #14402

• Fixed: PHP error with One.com Dynamic DNS provider #14649

• Fixed: List of Dynamic DNS types with split host+domain name is missing several providers #14783

• Fixed: Correct name of Gandi LiveDNS #14784

• Fixed: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses link #14829

FreeBSD

• Fixed: Kernel textdumps are not recovered properly on systems with multiple swap partitions #14767

Gateways

• Fixed: Misleading error message when adding/editing static routes which use a gateway on a disabled interface #8846

• Fixed: Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups #14524

• Fixed: A default route can remain after setting the default gateway to None #14717

Hardware / Drivers

• Fixed: Unnecessary delay when querying ixgbe(4) interfaces with SFP ports #13911

• Added: Options to control Intel Speed Shift #14047

• Fixed: Cavium qlnxe / if_qlnxe driver is not present #14534

• Fixed: bnxt(4) driver errors #14569

• Added: QAT 200xx devices are not recognized as supported #14844

IGMP Proxy

• Fixed: Kernel panic when running IGMP Proxy: Sleeping thread owns a non-sleepable lock #12079

• Fixed: Input validation error when saving IGMP Proxy settings #14301

• Fixed: IGMP Proxy cannot start on VirtIO (vtnet) interfaces #14665

IPsec

• Changed: Clarify that the IPsec keep alive check option ignores Child SA Start Action #12762

• Fixed: PHP error in status_ipsec.php after removing active IPsec tunnel configuration #14525

• Fixed: Multi-WAN IPsec does not fail over when preferred WAN loses link #14626

• Added: Show IPsec phase 1 authentication type in Mode column of tunnel list #14726

• Fixed: IPsec rejects certificate without any SANs #14831

IPv6 Router Advertisements (radvd/rtsold)

• Fixed: IPv6 neighbor discovery protocol (NDP) fails in some cases #13423

Interfaces

• Fixed: GIF-based interface MTU is assigned to parent interface on boot when parent interface is a LAGG #13218

• Fixed: Cannot add a QinQ interface to a bridge #14377

• Fixed: find_interface_ipv6_ll() can return a VIP instead of the interface address #14392

• Fixed: Interface value is not properly validated when submitted on interfaces_gif_edit.php and interfaces_gre_edit.php #14549

• Fixed: Primary interface address is incorrectly set to the last address on the interface #14623

• Fixed: Link loss causes interfaces configured as Track Interface for IPv6 to lose their IPv4 addresses #14756

• Changed: Eliminate direct config access in interfaces.php #14790

Logging

• Fixed: Log rotation is not active if the configuration contains an empty <syslog> section or if that section is not present #14517

• Fixed: Per-log settings for file size and retention count are not honored #14545

• Added: Improve SCTP support in filterlog #14667

Notifications

• Added: Allow SMTP notifications from non-root processes #14337

• Fixed: PHP error when failing to write config.cache #14432

OpenVPN

• Fixed: DCO OpenVPN server bound to Localhost does not pass traffic as expected #14682

• Fixed: Rapidly clicking certain options on OpenVPN Client Overrides can cause hide/show field behavior to invert #13088

• Fixed: OpenVPN can select the wrong interface IP address when multiple addresses are present #14646

• Changed: Prevent weak SHA1 certificates from being used with OpenVPN clients and servers #14677

• Changed: Check for deprecated OpenVPN encryption and digest options on upgrade #14686

Operating System

• Fixed: Error when deleting ZFS Boot Environment created from duplicate of non-default entry #13348

• Fixed: Console and system log may contain unnecessary Netlink debug messages from IPsec #14370

• Added: Support receiving EAPOL frames on VLAN 0 in wpa_supplicant #14457

• Changed: Automatically configure PF states hash table size #14750

• Fixed: Panic when pfsync attempts to synchronize states between hosts with different rulesets #14804

PHP Interpreter

• Added: Option to configure a custom value for the PHP memory limit #13377

• Fixed: URL scheme is not properly validated in some cases #14356

PPP Interfaces

• Fixed: PPP interface default username/password are not being populated from provider data on interfaces.php and interfaces_ppps_edit.php #14544

• Fixed: getserviceproviders.php does not always validate value of $connection, displays without encoding #14547

PPPoE Server

• Fixed: PPPoE Server address input validation is incorrectly allowing IPv6 #13903

Packet Capture

• Added: Change default match modifier from “all of” to “any of” #14650

• Fixed: packet_capture.php uses count and length values in command execution without validation or encoding #14809

Rules / NAT

• Fixed: Ethernet rules using (self) as a source or destination make the ruleset fail to load #14478

• Fixed: Ethernet rule Action field hint text lists “reject” option which is not compatible with Ethernet rules #14515

• Fixed: Changes in Ethernet ruleset can lead to incorrect rule and separator order #14705

• Added: Support interface macros in Outbound NAT rules #3288

• Fixed: Negating <interface> net when a VIP exists on the interface results in unintended behavior #6799

• Added: Option to wait for interface selection before displaying firewall rules #13124

• Fixed: Default tab on firewall_rules.php is not selected if the configuration has no WAN interface #14345

• Added: Support interface groups in firewall rule source/destination fields #14448

• Fixed: “Convert interface definitions” option is not respected when bulk copying rules #14576

• Fixed: Rule separators are ordered incorrectly after removing rules in certain positions #14619

• Fixed: Rule separators are hidden when their index is greater than the number of rules #14621

• Added: Extend support for SCTP in firewall and NAT rules #14640

• Fixed: Separators get shifted when copying firewall rules between interfaces #14691

• Fixed: ctype_digit() returns unexpected result for values <= 255 which can break some validation functions/usages #14702

System Logs

• Fixed: Firewall log parser does not handle SCTP log entries #13940

• Fixed: status_logs_filter_dynamic.php does not encode value of interfacefilter in raw mode #14548

Traffic Graphs

• Fixed: PHP Error when viewing Traffic Graphs in iftop mode #14500

Traffic Shaper (ALTQ)

• Added: Include ixv in ALTQ capable NIC list #14408

• Fixed: Kernel panic when using traffic shaping on a PPPoE interface #14497

Traffic Shaper (Limiters)

• Fixed: Limiters have no effect on upload traffic passed by policy routing rules #14039

Translations

• Fixed: Some functions fail if the Language does not exactly match an available Locale #13776

• Fixed: Polish translation contains an invalid sprintf() format in the text for firewall_nat_out_edit.php #13946

UPnP/NAT-PMP

• Changed: Update miniupnpd to 2.3.3 #14307

• Fixed: Remove broken stun.sipgate.net from UPnP STUN server list #14673

Upgrade

• Fixed: Update check in GUI does not always honor the configured proxy settings #14609

User Manager / Privileges

• Fixed: Copy function for User Manager Groups does not work for first group in list #14695

Web Interface

• Changed: GUI pages should use POST for AJAX calls, not GET #12431

• Fixed: Refactor IPsec code using config access functions #13704

• Fixed: PHP error in CSRF Magic from invalid time value #14394

• Fixed: Breadcrumb path missing on system_register.php #14462

• Changed: Prevent weak SHA1 certificates from being used with GUI and Captive Portal #14672

• Fixed: status_carp.php and diag_dump_states.php unresponsive with large state tables #14758

• Fixed: GUI TCP port is not updated in the configuration when saving with the field empty to remove an existing value #14820

Wireless

• Fixed: PHP error in handle_wireless_post() when toggling some wireless interface options #14579