24.03 New Features and Changes¶

This is a regularly scheduled software release including new features and bug fixes.

Consult the Upgrade Guide before proceeding with any upgrade.

Warning

Before attempting the upgrade, check the list of current ZFS Boot Environments (System > Boot Environments) and clean up any older entries to ensure they do not consume space which may be needed during the upgrade. See Check and Clean Up ZFS Boot Environments for details.

General¶

pfSense Plus software version 24.03 makes sure the user changes the admin account password in the user manager away from the default value. It also ensures that the password is not set to the same value as the username. This validation happens during the setup wizard for new installations, on login and loading any GUI page for existing users, and at the console/shell menu.

Most users will not notice any difference since they have likely changed their admin account password to a secure custom value in the past.

Resetting the password via the console menu now prompts the user to set a custom password rather than using a default value.

Note

These restrictions apply to all accounts. Users are also prevented from changing passwords to problematic values.
The default State Policy has been changed from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing (route-to), reply-to, as well as with High Availability state synchronization (pfsync) on non-identical hardware.

The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab.

There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
See also
This release adds support for Packet Flow Data export via pflow in PF. This feature natively exports NetFlow/IPFIX flow data to an external collector.
See also
- Firewall Packet Flow Data
This release includes support for enhanced gateway recovery “fail back” by optionally clearing states from lower tier gateways when a more preferred gateway recovers.
See also
- State Killing on Gateway Recovery
- Gateway Group Options
pfSense Plus software can no longer run on AWS “.nano” size instances as they lack sufficient RAM to upgrade properly. Attempting to upgrade a “.nano” instance to pfSense Plus software version 24.03 will fail before the upgrade is performed.

Migrate the instance to a “.micro” or larger size before attempting to upgrade, or redeploy instead.
This version requires an updated boot loader, which is automatically handled by the upgrade process for nearly all cases. However, there may be some edge cases where the automatic update does not update the loader currently used by the device. For example, if there are multiple unmirrored disks and the BIOS/EFI Firmware is not booting from the disk containing the updated loader, but an older unrelated installation on a separate disk. One particular case where this can happen is when there is a previous installation to MMC which has been followed by an installation to an add-on SSD without clearing the MMC contents.

In these cases the best practice is to wipe the unused disk so it cannot interfere. See Troubleshooting Multiple Disks for details.

Minor Revision¶

Devices running pfSense Plus software version 24.03 may be seeing a “24.03_1” update available which is a very minor revision made to address a missing dependency on 64-bit ARM devices (https://redmine.pfsense.org/issues/15433). The revision is kept the same on all platforms for consistency.

Upgrading to this version is safe, but not necessary at this time unless users are running on 64-bit ARM devices and want access to S.M.A.R.T. disk data (e.g. Netgate 2100 devices which have an add-on SSD).

Using the GUI or pfSense-upgrade from the console or shell to upgrade from 24.03 to 24.03_1, the device will want to reboot, but in this case that is unnecessary. However, doing so is harmless except for the minimal downtime involved in the reboot during that upgrade process.

Manually updating from the shell via pkg update; pkg upgrade will pull in the new revision and fixed dependency as needed. Run those commands from a shell prompt and confirm that the proposed changes are OK. No additional action is necessary.

Devices which have not yet upgraded to 24.03 or those installed fresh via the Online Network Installer will obtain the latest version automatically and do not require any additional action after upgrading.

Hardware-Specific Notes¶

Warning

Support for the EOL Netgate 3100 device architecture, armv7, is being phased out upstream in FreeBSD. While this release still contains base system functionality for the Netgate 3100, several packages are unavailable as they can no longer build for that architecture. The list of packages unavailable for the Netgate 3100 now also includes Suricata, Squid, and squidGuard.

Users who wish to continue using those packages on a Netgate 3100 should not upgrade to this release.

pfSense Plus¶

Changes in this version of pfSense Plus software.

Aliases / Tables¶

Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096

Authentication¶

Changed: Prevent usage of the default password in User Manager accounts #15266
Fixed: PHP errors in LDAP server prevent it from falling back to Local Database #15122

Auto Configuration Backup¶

Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224

Backup / Restore¶

Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728
Fixed: DHCP leases may not be restored from older configuration backups #15076
Fixed: PHP error when generating a notification after detecting a malformed configuration #15157

Captive Portal¶

Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226
Added: Support using a mask to block MAC addresses in Captive Portal #15257
Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299

DHCP (IPv4)¶

Added: Better handling of duplicate IP addresses in static DHCP assignments #13256
Changed: Reduce log spam when deleting a static DHCP entry #13263
Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894
Fixed: Stale Kea control socket lock file can prevent Kea from starting #14977
Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991
Fixed: Kea DHCP PHP error from WINS server value #14996
Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032

DHCP (IPv6)¶

Fixed: DHCP6 client does not take any action if the interface IPv6 address changes during renewal #12947
Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117
Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118

DNS Forwarder¶

Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165

DNS Resolver¶

Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942
Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071
Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135
Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139
Changed: Upgrade Unbound to >= 1.19.1 #15256

Dashboard¶

Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673

Diagnostics¶

Changed: Add ZFS Boot Environment list to status output #15164
Added: Add Kea information to status.php #14953
Fixed: crash_reporter.php displays PHP Error log without encoding #15264
Added: Add EFI boot information to status.php #15297
Added: Add loader.conf.lua contents to status.php #15298
Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310

Gateway Monitoring¶

Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920

Gateways¶

Fixed: Killing states on downed gateways breaks when Skip rules when gateway is down is enabled #15223
Fixed: Killing states on downed gateways breaks for static interface configurations #15225
Fixed: Removing a gateway group used as the default gateway results in no default route #15248

Hardware / Drivers¶

Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498
Added: Recognize QAT 4xxx devices in System Information Widget #15233

IGMP Proxy¶

Fixed: IGMP proxy works intermittently #15043

IPsec¶

Added: Group-based Mobile IPsec Virtual Address Pool assignment via RADIUS #13227
Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312
Fixed: Large number of IPsec tunnels causes long filter reload times #14893
Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124
Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147
Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171
Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176
Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245
Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384

IPv6 Router Advertisements (radvd/rtsold)¶

Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936
Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967
Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057

Installer¶

Fixed: Clean installation using Auto (ZFS) + MBR (BIOS) does not boot #14930

Interfaces¶

Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431
Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181
Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318

LAGG Interfaces¶

Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453

Logging¶

Changed: Remove Time column from OS Boot logs #15106

Multi-WAN¶

Added: Ability to selectively kill states on gateway recovery #855

OpenVPN¶

Added: OpenVPN NBDD server options #13085
Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087
Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089
Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090
Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386
Fixed: OpenVPN forms invalid route statements for empty local networks #14919
Fixed: OpenVPN Wizard fails when a VIP is used #15148
Changed: Remove deprecated OpenVPN hardware crypto engine option #15188

Operating System¶

Added: Operating System support for PF pflow packet data flow export #15038
Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980
Fixed: Static ARP assignments lose permanent flag in ARP table #14970
Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054
Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108
Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288

PHP Interpreter¶

Fixed: Extensions directory is not set in rc.php_ini_setup #14488
Fixed: check_dnsavailable() failing even when DNS is available #15127
Fixed: PHP error display formatting issues #15263

Package System¶

Fixed: Extra space in pkg configuration file FreeBSD.conf #15069

Routing¶

Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290

Rules / NAT¶

Added: GUI to configure Packet Flow Data (pflow) export #15039
Added: Kill states using the pre-NAT address #11556
Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173
Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183
Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197
Fixed: Advanced rule options tooltip does not show negated Tag option #15214
Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234
Fixed: Egress states remain when killing states for scheduled rules #15252

Setup Wizard¶

Changed: Error handling in the Setup Wizard is very user-unfriendly #15302

Traffic Shaper (Limiters)¶

Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854
Fixed: Fragmented packets delayed by limiters are lost #15156
Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363

Upgrade¶

Added: Boot Environments 2.0 #15280

Virtual IP Addresses¶

Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929

Web Interface¶

Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943
Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413
Changed: Update vendor files #13537
Fixed: status_interfaces.php is missing several values for SFP modules #15112
Changed: Remove jquery-treegrid unit testing files #15265
Added: 50x and 404 error handling to GUI web server configuration #15322

XMLRPC¶

Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067