24.03 New Features and Changes
This is a regularly scheduled software release including new features and bug fixes.
Tip
Consult the Upgrade Guide before proceeding with any upgrade.
Pre-Upgrade Cautions
Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this section, but the best practice is to follow all of the precautions noted in the Upgrade Guide.
ZFS Boot Environment Space Usage
Before attempting the upgrade, check the list of current ZFS Boot Environments (System > Boot Environments) and clean up any older entries to ensure they do not consume space which may be needed during the upgrade. See Check and Clean Up ZFS Boot Environments for details.
Low Memory Hardware and AWS/Azure Instances
Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running. This includes some Netgate hardware such as the Netgate 1100 when running with ZFS and/or certain services/packages. For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade.
pfSense Plus software can no longer run on AWS “.nano” size instances as they lack sufficient RAM to upgrade properly. Attempting to upgrade a “.nano” instance to pfSense Plus software version 24.03 will fail before the upgrade is performed. Migrate the instance to a “.micro” or larger size before attempting to upgrade, or redeploy instead.
Similar to the above, pfSense Plus software can no longer run on Azure A0 instances. Migrate to instances with more memory.
Netgate 3100 (32-Bit ARM) Limitations
Support for the EOL Netgate 3100 device architecture, armv7, is being phased out upstream in FreeBSD. While this release still contains base system functionality for the Netgate 3100, several packages are unavailable as they can no longer build for that architecture. The list of packages unavailable for the Netgate 3100 now also includes Suricata, Squid, and squidGuard.
Users who wish to continue using those packages on a Netgate 3100 should not upgrade to this release.
General
pfSense Plus software version 24.03 makes sure the user changes the admin account password in the user manager away from the default value. It also ensures that the password is not set to the same value as the username. This validation happens during the setup wizard for new installations, on login and when loading any GUI page for existing users, and at the console/shell menu.
Most users will not notice any difference since they have likely changed their admin account password to a secure custom value in the past.
Resetting the password via the console menu now prompts the user to set a custom password rather than using a default value.
Note
These restrictions apply to all accounts. Users are also prevented from changing passwords to problematic values.
The default State Policy has been changed from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing (route-to), reply-to, and High Availability state synchronization (pfsync) on non-identical hardware.
The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab.
There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
This release adds support for Packet Flow Data export via pflow in PF. This feature natively exports NetFlow/IPFIX flow data to an external collector.
This release includes support for enhanced gateway recovery “fail back” by optionally clearing states from lower tier gateways when a more preferred gateway recovers.
This version requires an updated boot loader, which the upgrade process installs automatically in nearly all cases. However, there are edge cases where the automatic update does not touch the loader the device actually boots from: for example, when there are multiple unmirrored disks and the BIOS/EFI firmware boots an older, unrelated installation on a separate disk rather than the disk containing the updated loader. One particular case where this can happen is a previous installation to MMC followed by an installation to an add-on SSD without clearing the MMC contents.
In these cases the best practice is to wipe the unused disk so it cannot interfere. See Troubleshooting Multiple Disks for details.
Minor Revision
Devices running pfSense Plus software version 24.03 may see a “24.03_1” update available, which is a very minor revision made to address a missing dependency on 64-bit ARM devices (https://redmine.pfsense.org/issues/15433). The revision is kept the same on all platforms for consistency.
Upgrading to this version is safe, but not necessary at this time unless users are running on 64-bit ARM devices and want access to S.M.A.R.T. disk data (e.g. Netgate 2100 devices which have an add-on SSD).
When upgrading from 24.03 to 24.03_1 through the GUI, or with pfSense-upgrade from the console or shell, the device will prompt to reboot. The reboot is unnecessary in this case, but harmless apart from the brief downtime it causes.
Manually updating from the shell via pkg update; pkg upgrade will pull in the new revision and fixed dependency as needed. Run those commands from a shell prompt and confirm that the proposed changes are OK. No additional action is necessary.
Devices which have not yet upgraded to 24.03 or those installed fresh via the Netgate Installer will obtain the latest version automatically and do not require any additional action after upgrading.
pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096
Authentication
Auto Configuration Backup
Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224
Backup / Restore
Captive Portal
DHCP (IPv4)
Added: Better handling of duplicate IP addresses in static DHCP assignments #13256
Changed: Reduce log spam when deleting a static DHCP entry #13263
Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894
Fixed: Stale Kea control socket lock file can prevent Kea from starting #14977
Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991
Fixed: Kea DHCP PHP error from WINS server value #14996
Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032
DHCP (IPv6)
Fixed: DHCP6 client does not take any action if the interface IPv6 address changes during renewal #12947
Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117
Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118
DNS Forwarder
Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165
DNS Resolver
Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942
Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071
Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135
Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139
Changed: Upgrade Unbound to >= 1.19.1 #15256
Dashboard
Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673
Diagnostics
Changed: Add ZFS Boot Environment list to status output #15164
Added: Add Kea information to status.php #14953
Fixed: crash_reporter.php displays PHP Error log without encoding #15264
Added: Add EFI boot information to status.php #15297
Added: Add loader.conf.lua contents to status.php #15298
Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310
Gateway Monitoring
Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920
Gateways
Hardware / Drivers
IGMP Proxy
Fixed: IGMP proxy works intermittently #15043
IPsec
Added: Group-based Mobile IPsec Virtual Address Pool assignment via RADIUS #13227
Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312
Fixed: Large number of IPsec tunnels causes long filter reload times #14893
Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124
Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147
Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171
Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176
Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245
Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384
IPv6 Router Advertisements (radvd/rtsold)
Installer
Fixed: Clean installation using Auto (ZFS) + MBR (BIOS) does not boot #14930
Interfaces
Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431
Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181
Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
LAGG Interfaces
Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453
Logging
Changed: Remove Time column from OS Boot logs #15106
Multi-WAN
Added: Ability to selectively kill states on gateway recovery #855
OpenVPN
Added: OpenVPN NBDD server options #13085
Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087
Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089
Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090
Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386
Fixed: OpenVPN forms invalid route statements for empty local networks #14919
Fixed: OpenVPN Wizard fails when a VIP is used #15148
Changed: Remove deprecated OpenVPN hardware crypto engine option #15188
Operating System
Added: Operating System support for PF pflow packet data flow export #15038
Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980
Fixed: Static ARP assignments lose permanent flag in ARP table #14970
Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054
Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108
Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288
PHP Interpreter
Package System
Fixed: Extra space in pkg configuration file FreeBSD.conf #15069
Routing
Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290
Rules / NAT
Added: GUI to configure Packet Flow Data (pflow) export #15039
Added: Kill states using the pre-NAT address #11556
Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173
Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183
Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197
Fixed: Advanced rule options tooltip does not show negated Tag option #15214
Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234
Fixed: Egress states remain when killing states for scheduled rules #15252
Setup Wizard
Changed: Error handling in the Setup Wizard is very user-unfriendly #15302
Traffic Shaper (Limiters)
Upgrade
Added: Boot Environments 2.0 #15280
Virtual IP Addresses
Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929
Web Interface
Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943
Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413
Changed: Update vendor files #13537
Fixed: status_interfaces.php is missing several values for SFP modules #15112
Changed: Remove jquery-treegrid unit testing files #15265
Added: 50x and 404 error handling to GUI web server configuration #15322
XMLRPC
Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067