24.03 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.


  • pfSense Plus software version 24.03 makes sure the user changes the admin account password in the user manager away from the default value. It also ensures that the password is not set to the same value as the username. This validation happens during the setup wizard for new installations, on login and loading any GUI page for existing users, and at the console/shell menu.

    Most users will not notice any difference since they have likely changed their admin account password to a secure custom value in the past.

    Resetting the password via the console menu now prompts the user to set a custom password rather than using a default value.


    These restrictions apply to all accounts. Users are also prevented from changing passwords to problematic values.

  • The default State Policy has been changed from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with Multi-WAN policy routing (route-to), reply-to, as well as with High Availability state synchronization (pfsync) on non-identical hardware.

    The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab.

    There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.

  • This release adds support for Packet Flow Data export via pflow in PF. This feature natively exports NetFlow/IPFIX flow data to an external collector.

  • This release includes support for enhanced gateway recovery “fail back” by optionally clearing states from lower tier gateways when a more preferred gateway recovers.

Hardware-Specific Notes


Support for the EOL Netgate 3100 device architecture, armv7, is being phased out upstream in FreeBSD. While this release still contains base system functionality for the Netgate 3100, several packages are unavailable as they can no longer build for that architecture. The list of packages unavailable for the Netgate 3100 now also includes Suricata, Squid, and squidGuard.

Users who wish to continue using those packages on a Netgate 3100 should not upgrade to this release.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096


  • Changed: Prevent usage of the default password in User Manager accounts #15266

  • Fixed: PHP errors in LDAP server prevent it from falling back to Local Database #15122

Backup / Restore

  • Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728

  • Fixed: DHCP leases may not be restored from older configuration backups #15076

Captive Portal

  • Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226

  • Added: Support using a mask to block MAC addresses in Captive Portal #15257

  • Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299

Console Menu

  • Changed: Dynamically adjust the interface name maximum width in the login banner #13268


  • Added: Better handling of duplicate IP addresses in static DHCP assignments #13256

  • Changed: Reduce log spam when deleting a static DHCP entry #13263

  • Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894


  • Fixed: DHCP6 client does not take any action if the interface IPv6 address changes during renewal #12947

  • Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117

DNS Forwarder

  • Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165

DNS Resolver

  • Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942

  • Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071

  • Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139

  • Changed: Upgrade Unbound to >= 1.19.1 #15256


  • Fixed: Firewall Logs Widget fails to update at intervals below 5 seconds. #12673


  • Changed: Add ZFS Boot Environment list to status output #15164

  • Added: Add Kea information to status.php #14953

  • Added: Add EFI boot information to status.php #15297

  • Added: Add loader.conf.lua contents to status.php #15298

  • Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310

Gateway Monitoring

  • Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920


  • Fixed: Killing states on downed gateways breaks when Skip rules when gateway is down is enabled #15223

  • Fixed: Killing states on downed gateways breaks for static interface configurations #15225

  • Fixed: Removing a gateway group used as the default gateway results in no default route #15248

Hardware / Drivers

  • Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498

  • Added: Recognize QAT 4xxx devices in System Information Widget #15233

IGMP Proxy

  • Fixed: IGMP proxy works intermittently #15043


  • Added: Group-based Mobile IPsec Virtual Address Pool assignment via RADIUS #13227

  • Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312

  • Fixed: Large number of IPsec tunnels causes long filter reload times #14893

  • Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124

  • Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147

  • Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171

  • Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176

  • Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967

  • Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057


  • Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431

  • Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181

  • Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282

  • Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318

LAGG Interfaces

  • Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453


  • Changed: Remove Time column from OS Boot logs #15106


  • Added: Ability to selectively kill states on gateway recovery #855


  • Added: OpenVPN NBDD server options #13085

  • Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087

  • Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089

  • Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090

  • Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386

  • Fixed: OpenVPN forms invalid route statements for empty local networks #14919

  • Fixed: OpenVPN Wizard fails when a VIP is used #15148

  • Changed: Remove deprecated OpenVPN hardware crypto engine option #15188

Operating System

  • Added: Operating System support for PF pflow packet data flow export #15038

  • Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980

  • Fixed: Static ARP assignments lose permanent flag in ARP table #14970

  • Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054

  • Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108

  • Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288

PHP Interpreter

  • Fixed: Extensions directory is not set in rc.php_ini_setup #14488

  • Fixed: check_dnsavailable() failing even when DNS is available #15127

Package System

  • Fixed: Extra space in pkg configuration file FreeBSD.conf #15069


  • Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290

Rules / NAT

  • Added: GUI to configure Packet Flow Data (pflow) export #15039

  • Added: Kill states using the pre-NAT address #11556

  • Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173

  • Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183

  • Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197

  • Fixed: Advanced rule options tooltip does not show negated Tag option #15214

  • Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234

  • Fixed: Egress states remain when killing states for scheduled rules #15252

Setup Wizard

  • Changed: Error handling in the Setup Wizard is very user-unfriendly #15302

Traffic Shaper (Limiters)

  • Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854

  • Fixed: Fragmented packets delayed by limiters are lost #15156

Virtual IP Addresses

  • Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929

Web Interface

  • Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943

  • Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413

  • Changed: Update vendor files #13537

  • Fixed: status_interfaces.php is missing several values for SFP modules #15112

  • Added: 50x and 404 error handling to GUI web server configuration #15322


  • Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067