24.11 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

  • This release includes support for High Availability in the Kea DHCP daemon.

    This implementation has several advantages over the older ISC DHCP implementation, including:

    • Supports HA for DHCPv4 and DHCPv6.

    • Simplified HA setup, all in one place on each node for each type.

    • Works in hot standby mode, which is more reliable.

    • Can synchronize lease data over the SYNC interface for security and ease of use, and can optionally encrypt the sync data for added protection.

    See also

    For in-depth information on this feature, see https://www.netgate.com/blog/improvements-to-kea-dhcp

  • This release includes support for DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver.

    • DNS records are updated dynamically on the fly; updates do not require a resolver restart and are not disruptive.

    • Supports DNS Registration for DHCPv4 and DHCPv6.

    • DNS Registration can be configured per interface or globally, with the ability to enable or disable specific interfaces as needed.

    • DNS records are limited to the system domain name. DNS Registration honors the domain name on the DHCP settings for each interface and on static mappings.

    • DNS records are accurate and updated on both high availability peers.

    • Static mappings can be registered when Kea starts (similar to ISC) or when a static mapping client obtains a lease.

See also

For additional details on implementation of Kea DHCP features see https://redmine.pfsense.org/issues/15650

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Added: Allow user-defined rules to utilize built-in system aliases #1979

Authentication

  • Fixed: sshguard is not properly detecting GUI login failures #15687

  • Fixed: GUI logout messages do not use the auth log facility #15719

Auto Configuration Backup

  • Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711

  • Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718

Backup / Restore

  • Fixed: Factory resetting the configuration removes WireGuard #15511

  • Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624

CARP

  • Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026

Captive Portal

  • Fixed: Captive Portal logo fails to load after authenticated redirect #15404

  • Fixed: Captive Portal zones can fail to start due to ID conflict #15772

Certificates

  • Fixed: CA certificates are not added to the Trust Store #15440

  • Fixed: Certificate Manager GUI inconsistency in Revocation tab titles #15454

Configuration Backend

  • Fixed: System proxy credentials with certain characters may fail to authenticate #15565

Console Menu

  • Fixed: Declining to reset the admin account via the console menu still prompts to change the password #15751

DHCP (IPv4)

  • Added: Settings tab for global Kea DHCP server options #5080

  • Fixed: Kea fails to restart due to race between process termination and startup #14977

  • Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130

  • Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328

  • Fixed: Kea does not send configured TFTP server name #15518

  • Added: Kea High Availability Support (IPv4 and IPv6) #15575

  • Added: Kea DNS Resolver (Unbound) Integration (IPv4 and IPv6) #15651

  • Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702

  • Fixed: Hostnames for ISC DHCP leases are not removed from Unbound when switching to Kea #15750

  • Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828

DNS Forwarder

  • Fixed: DNS Forwarder ignores “Use remote DNS Servers, ignore local DNS” setting #15434

  • Changed: Update dnsmasq to version 2.90 #15465

DNS Resolver

  • Fixed: Reduce disruptions when changing DNS records from DHCP leases in Unbound #5413

  • Changed: Update Unbound to 1.22.0 #15483

  • Fixed: Automatic EDNS value may be lower than expected #15704

  • Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722

  • Fixed: unbound-checkconf fails with python mode enabled #15723

Dashboard

  • Added: Improve Thermal Sensors Dashboard widget readability #13520

  • Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933

  • Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373

  • Added: Show current boot method in System Information Dashboard widget #15422

  • Fixed: Incorrect icon on collapsed dashboard widgets #15439

  • Fixed: Dashboard widgets refresh at unintended intervals #15725

  • Changed: Improve Thermal Sensors Dashboard widget refresh code #15728

  • Fixed: Session cookie warnings #15729

Diagnostics

  • Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490

  • Fixed: File browser on diag_edit.php does not encode directory names before display #15525

  • Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657

Dynamic DNS

  • Added: Enable @ support for Azure in Dynamic DNS #10000

  • Added: Enable @ support for name.com in Dynamic DNS #14289

  • Changed: Update Dynamic DNS API URL for porkbun.com #15779

  • Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802

FreeBSD

  • Fixed: Kernel panic in HA nodes when under high load #15413

Gateway Monitoring

  • Fixed: Gateway monitoring includes disabled gateways #15635

Gateways

  • Fixed: No default route after boot #15791

High Availability

  • Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795

IGMP Proxy

  • Fixed: Kernel Panic when IGMPProxy gets CIDR Removed #15831

IPsec

  • Fixed: Mobile IPsec does not automatically switch to failover gateway #15685

  • Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD #12581

Installer

  • Fixed: Installing to ZFS mirror does not format or populate EFI partition on additional disks #15083

Interfaces

  • Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083

  • Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423

  • Added: Use natural sorting when sorting interfaces #15437

  • Fixed: OpenVPN QinQ interface creation fails #15692

  • Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778

Logging

  • Fixed: Restarting the logging daemon during rotation also restarts sshguard, leading to frequent log messages #12747

Multi-WAN

  • Fixed: State Killing on Gateway Recovery fails for the default gateway group with the “Kill all” option selected #15694

NTPD

  • Added: NTP authentication support #8794

OpenVPN

  • Added: More GUI options for OpenVPN Client-Specific Overrides #12522

  • Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133

Operating System

  • Fixed: Kernel panic with pflow configured and active #15446

  • Fixed: Proxy variables in crontab contents are improperly formatted #15502

  • Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777

PHP Interpreter

  • Changed: Update PHP to 8.3.x #15053

  • Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471

Package System

  • Fixed: Updates fail against an authenticated upstream proxy #15094

  • Fixed: Package navigation menus can be duplicated when reinstalling the package #15700

Packet Capture

  • Added: Allow filtering packet captures by system-defined protocols #15609

Routing

  • Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430

  • Fixed: IPsec VTI static routes may not be added after the system boots #15449

  • Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589

  • Fixed: Routes with IPv6 Address as Next Hop for IPv4 Destination Causes Kernel Panic #15601

  • Fixed: Static routes using null gateways are not installed #15669

Rules / NAT

  • Fixed: Per-rule byte counter values lost across a filter reload #15516

  • Fixed: Separator positions are incorrect when copying interface group rules #15537

  • Added: GUI options to change default SCTP state timeouts #15661

  • Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671

S.M.A.R.T.

  • Changed: Query for SMART data only on root disk devices #15586

SNMP

  • Fixed: File descriptor leak in bsnmpd #15481

Services

  • Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552

UPnP/NAT-PMP

  • Fixed: Port forward rules created by miniupnpd do not expire #15470

Upgrade

  • Fixed: Upgrading an EFI system installed to ZFS mirror does not upgrade EFI loader on additional disks #15084

User Manager / Privileges

  • Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442

Virtual IP Addresses

  • Fixed: Network and broadcast address input validation is incorrectly applied to IPv6 VIPs #15361

Web Interface

  • Changed: Remove deprecated HTTP/1.0 Pragma header #15781

  • Changed: Use minified nvd3 vendor files #15782