23.09 New Features and Changes¶
This is a regularly scheduled software release including new features and bug fixes.
This version is still under development and is subject to change at any time.
PHP has been upgraded to 8.2.8
The base operating system has been upgraded to a more recent point on FreeBSD 14-CURRENT
Support for SCTP has been improved in PF for firewall rules, NAT, and logging. Rules can now act on SCTP packets by port number, previously it was only possible to filter on source or destination address.
OpenSSL in the base system has been upgraded from 1.1.1t to 3.0.10.
This change was necessary as OpenSSL 1.1.1 reached its End of Life (EOL) on September 11, 2023. This means there will be no security patches for vulnerabilities affecting OpenSSL 1.1.1.
The OpenSSL team decided to make an explicit jump in numbering from 1.1.x to 3.x to highlight that this new version included major structural, and more importantly, application programming interface (API) and application binary interface (ABI) changes compared to previous OpenSSL versions.
In addition to the differences in the library they also deprecated numerous weak algorithms of various types.
Due to these differences, changing from OpenSSL 1.1 to OpenSSL 3.0 is not a simple upgrade. Netgate developers have handled most of these changes as automatically as possible, though some things may still require manual adjustments. See the warnings in the next section for details.
The ISC DHCPD server has reached its End of Life (EOL) as of October 5, 2022. Though ISC has stated they may continue to publish security fixes if they are warranted.
Netgate developers have started the migration to Kea DHCP server from ISC as a replacement for ISC DHCPD. Basic functionality is present, but not all features are supported at this time.
Currently the Kea implementation lacks the following DHCP server features:
Local DNS Resolver/Forwarder Registration for DHCP clients
Remote DNS server registration
High Availability Failover
Custom DHCP options
Kea is available as an opt-in preview feature on this release. The UI and settings for Kea are shared with the existing DHCP server. Administrators can easily switch between ISC DHCPD and Kea by navigating to System > Advanced, Networking tab and changing the new Server Backend setting in the DHCP Options section.
After Kea integration is complete it will become the default DHCP server on a future release of pfSense software and eventually the deprecated ISC DHCP server will be removed. The exact timing of these changes has not been finalized.
Certain parts of the base system are being migrated to packages rather than grouping them all together in an archive in the “base” package. For the most part this should be entirely transparent to users.
Specifically, the code from the main pfSense software repository is now a part of the “pfSense” package. This lets management of files be handled entirely by
pkgrather than carrying them in an archive. This migration is ongoing, so future versions will include additional portions of the system being packaged differently.
OpenSSL 3.0.x Upgrade Warnings¶
Weak Certificate Digests such as SHA1 are Deprecated¶
OpenSSL 3.0.x no longer supports certificates signed with SHA1 or other older/weaker hashes. The minimum recommended hash strength is SHA256.
The upgrade process detects usage of weak certificates for the GUI, Captive Portal, and OpenVPN.
If the GUI or a Captive Portal zone utilize a weak certificate, the upgrade process generates a new self-signed certificate as a stopgap measure to allow the processes to start and let the user in to make any necessary corrections.
If an OpenVPN instance is using a weak certificate, the instance is disabled as there is no viable general automated recovery method.
OpenVPN peers using SHA1 certificates will fail, but such issues must be corrected on the peers. This may mean renewing or reissuing certificates or re-exporting clients for peers if they are currently using weak certificates.
Other consumers of certificates, such as add-on packages, may be similarly affected but cannot be automatically adjusted.
The best practice is to reconfigure all services utilizing certificates with stronger certificates and to test these functions before performing an upgrade to ensure a smoother transition.
Numerous Deprecated Encryption and Digest Algorithms Removed¶
OpenSSL 3.0.x removes a large number of deprecated encryption and digest algorithms. This primarily affects OpenVPN, as other areas had not supported the affected algorithms in some time.
- Encryption algorithms removed from OpenVPN:
Blowfish (e.g. BF-CBC), which was formerly an OpenVPN default
- Hash algorithms removed from OpenVPN:
On upgrade, tunnels using these deprecated algorithms will be adjusted so they use more secure default values when necessary.
The best practice is to reconfigure tunnels using modern secure encryption and hashing, and to test tunnels before performing an upgrade to ensure a smoother transition.
Changes in this version of pfSense Plus software.
Aliases / Tables¶
Fixed: Firewall rules fail to load when a URL table alias file does not exist #13068
Added: Type column on Alias lists #13245
Fixed: Static ARP entries are not configured at boot #14374
Fixed: Firewall rules are not displayed properly when they reference a URL table alias and its file does not exist #14574
Backup / Restore¶
Changed: Increase timeout for password entry when restoring an encrypted configuration via ECL #14769
Added: Add unicast CARP indication and peer address to CARP status #14348
Fixed: Adding an IP Alias VIP using a unicast CARP VIP as its parent changes the CARP VIP to multicast at the OS level #14586
Added: Prevent CARP status/maintenance mode from being erroneously toggled #13804
Fixed: IPsec restart in CARP event scripts does not check VIP properly and never runs #14738
Fixed: Cannot validate Certificates against Certificate Revocation Lists for Intermediate Certificate Authorities #9889
Added: Improve System menu behavior for Certificate Manager privileges #14347
Fixed: CA and Certificate renewal page does not properly list some SHA1 certificates as being weak #14678
diag_edit.phpwarning is not cleared after picking non-directory to load #7589
Changed: Combining Interface and Rule ID state table filter fields returns no results #14399
Fixed: Improve error handling in
Added: Status output plugin hook for packages to include their own data #14777
Fixed: Kernel textdumps are not recovered properly on systems with multiple swap partitions #14767
Fixed: Misleading error message when adding/editing static routes which use a gateway on a disabled interface #8846
Fixed: Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups #14524
Fixed: A default route can remain after setting the default gateway to None #14717
Hardware / Drivers¶
IPv6 Router Advertisements (radvd/rtsold)¶
Fixed: IPv6 neighbor discovery protocol (NDP) fails in some cases #13423
Fixed: GIF-based interface MTU is assigned to parent interface on boot when parent interface is a LAGG #13218
Fixed: Cannot add a QinQ interface to a bridge #14377
find_interface_ipv6_ll()can return a VIP instead of the interface address #14392
Fixed: Primary interface address is incorrectly set to the last address on the interface #14623
Changed: Eliminate direct config access in
Fixed: DCO OpenVPN server bound to Localhost does not pass traffic as expected #14682
Fixed: Rapidly clicking certain options on OpenVPN Client Overrides can cause hide/show field behavior to invert #13088
Fixed: OpenVPN can select the wrong interface IP address when multiple addresses are present #14646
Changed: Prevent weak SHA1 certificates from being used with OpenVPN clients and servers #14677
Changed: Check for deprecated OpenVPN encryption and digest options on upgrade #14686
Fixed: Error when deleting ZFS Boot Environment created from duplicate of non-default entry #13348
Fixed: Console and system log may contain unnecessary Netlink debug messages from IPsec #14370
Added: Support receiving
EAPOLframes on VLAN
Changed: Automatically configure PF states hash table size #14750
Fixed: PPP interface default username/password are not being populated from provider data on
Rules / NAT¶
Fixed: Ethernet rule Action field hint text lists “reject” option which is not compatible with Ethernet rules #14515
Added: Support interface macros in Outbound NAT rules #3288
Added: Option to wait for interface selection before displaying firewall rules #13124
Fixed: Default tab on
firewall_rules.phpis not selected if the configuration has no WAN interface #14345
Added: Support interface groups in firewall rule source/destination fields #14448
Fixed: “Convert interface definitions” option is not respected when bulk copying rules #14576
Fixed: Rule separators are ordered incorrectly after removing rules in certain positions #14619
Fixed: Rule separators are hidden when their index is greater than the number of rules #14621
Added: Extend support for SCTP in firewall and NAT rules #14640
Fixed: Separators get shifted when copying firewall rules between interfaces #14691
ctype_digit()returns unexpected result for values <=
255which can break some validation functions/usages #14702
Traffic Shaper (ALTQ)¶
Traffic Shaper (Limiters)¶
Fixed: Limiters have no effect on upload traffic passed by policy routing rules #14039
User Manager / Privileges¶
Fixed: Copy function for User Manager Groups does not work for first group in list #14695
Changed: GUI pages should use
POSTfor AJAX calls, not
Fixed: Refactor IPsec code using config access functions #13704
Fixed: PHP error in CSRF Magic from invalid time value #14394
Fixed: Breadcrumb path missing on
Changed: Prevent weak SHA1 certificates from being used with GUI and Captive Portal #14672