25.03 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

  • Older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. pfSense Plus software attempts to detect known affected models of hardware from Netgate. Other devices may require manual intervention.

    See ISA Serial Console not Fully Functional for details and a workaround.

  • This version of pfSense Plus software includes a new kernel-based PPPoE backend, if_pppoe. This will replace the current MPD-based implementation. This new backend is more efficient and enables much faster speeds over PPPoE interfaces.

    This new PPPoE backend is not active by default in this version, but can be enabled with the global option under System > Advanced on the Networking tab. This backend will be enabled by default on future versions of pfSense Plus software.

    The if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.

  • This release includes support for DHCPv6 Prefix Delegation in the Kea DHCP daemon.

    Warning

    Prefix Delegation settings in Kea use a different format than the ISC DHCPv6 daemon, so Kea cannot use existing settings for Prefix Delegation. Settings for Prefix Delegation must be re-created manually when switching from ISC DHCPv6 to Kea DHCPv6. For details, see DHCPv6 Prefix Delegation.

  • Users of the Gandi Dynamic DNS service must change their current API token to a Personal Access Token (PAT) as Gandi now requires this authentication method for Dynamic DNS updates. For uninterrupted Dynamic DNS service, create a new PAT and save that PAT value in Gandi Dynamic DNS entries before upgrading to this release.

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Added: System Aliases for various reserved networks #15776

  • Changed: Exclude the WireGuard and Tailscale interface group system aliases from rules #15848

Auto Configuration Backup

  • Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249

  • Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010

  • Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011

  • Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012

  • Changed: AutoConfigBackup code cleanup and GUI refresh #16013

  • Added: Download function for AutoConfigBackup entries #16014

  • Added: Method to change the AutoConfigBackup device key #16015

Backup / Restore

  • Fixed: Reinstall Packages button reports another instance of pfSense-upgrade is running #15494

  • Fixed: Backup configuration cache is not cleaned automatically #15994

Captive Portal

  • Fixed: PHP error in Captive Portal with undefined zone interface list #15907

  • Fixed: Captive Portal does not function with MAC filtering disabled #15926

  • Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030

  • Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032

Certificates

  • Added: Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical #15818

  • Changed: Additional error handling for invalid certificate configuration #15975

Configuration Backend

  • Fixed: PHP error on save with very long configuration change descriptions #15911

DHCP (IPv4)

  • Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321

  • Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332

  • Added: Kea Static ARP Support (IPv4 only) #15654

  • Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019

  • Fixed: Static lease DNS records are incorrectly removed when backing lease expires #16022

DHCP (IPv6)

  • Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947

  • Added: Kea DHCPv6 Prefix Delegation Support (IPv6 Only) #15652

DNS Forwarder

  • Fixed: Unable to change DNS Forwarder domain overrides #15890

DNS Resolver

  • Fixed: DNS Resolver option for Query Name Minimization cannot be disabled #15925

Dashboard

  • Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767

  • Changed: Improve the system load impact from Dashboard widgets #15969

Diagnostics

  • Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162

  • Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005

  • Fixed: The filtered states shown may include states for interfaces other than the selected interface #16043

  • Fixed: Cannot kill states using the post-NAT address #16047

Dynamic DNS

  • Added: Improve Dynamic DNS client IPv6 support #11177

  • Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067

  • Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605

  • Changed: Update Gandi LiveDNS service with API changes #15258

  • Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028

  • Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046

Gateway Monitoring

  • Fixed: The monitoring IP address for dynamic gateways may be unexpectedly routed via a different gateway #16069

Gateways

  • Changed: Clarify descriptions for gateway recovery options #15429

  • Fixed: Cannot set a new name when duplicating an existing gateway group #16036

IPsec

  • Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598

  • Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938

  • Added: PREF64 support in Router Advertisements #15808

  • Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876

Interfaces

  • Fixed: Config access error with null static routes #16104

  • Fixed: Config access error after changing an interface from DHCP to Static #16105

L2TP

  • Fixed: L2TP server settings are not saved correctly #15882

Logging

  • Added: Enhanced firewall log action information display #15415

  • Fixed: PHP error when saving System Log settings #15988

Multi-Instance Management

  • Fixed: MIM GUI is unable to write IPv6 aliases #15959

  • Fixed: Renaming an alias in MIM does not update firewall and NAT rules with the new alias name #15989

NTPD

  • Fixed: PHP error after saving NTP settings with an interface selected #16063

OpenVPN

  • Fixed: Configuration upgrade from before revision 19.1 removes OpenVPN settings #15895

Operating System

  • Fixed: pftop core dump with ICMP states #15595

  • Fixed: Azure: User credentials entered during new VM deployments are not applied to the system #15871

  • Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648

  • Fixed: Errors on the console when starting/stopping services #15912

  • Fixed: RAM disk configuration check fails at boot #16023

  • Fixed: RAM Disk cron jobs are not saved correctly #16059

  • Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081

PHP Interpreter

  • Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268

PPP Interfaces

  • Fixed: PPPoE WAN loses IPv4 addresses on IPV6CP LayerDown events #16103

  • Added: Support if_pppoe backend for PPPoE WAN interfaces #16134

Package System

  • Fixed: Deleting one pre-installed package may delete other pre-installed packages #15643

  • Fixed: The package post-install script does not run with a system upgrade on ZFS #16057

  • Changed: pkg no longer supports setting ALTABI manually at run-time #16060

Rules / NAT

  • Fixed: Separators for Ethernet rules span past the actions column #16079

  • Added: NAT64 support #2358

  • Fixed: SCTP states not purged causing subsequent SCTP INIT to be blocked #15924

  • Fixed: Incorrect rule may be opened for editing after rule order has changed #15935

  • Fixed: Tracking information for firewall rules is not shown when editing the rule #15936

  • Fixed: Warning message in logs when changing firewall rules after setting Require Firewall Interface #15961

  • Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076

  • Fixed: Input validation prevents creating port forwards for the same port using a different address family #16130

System Logs

  • Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092

Traffic Shaper (ALTQ)

  • Fixed: Error when viewing ALTQ Traffic Shaper queue status #15885

Traffic Shaper (Limiters)

  • Fixed: Limiters saved while MIM is enabled disappear after reboot #16051

  • Fixed: Input validation error when applying limiter changes #13158

  • Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662

  • Fixed: Cannot add limiters named new #13687

  • Fixed: PHP error when a queue is added with the same name as a limiter #15914

UPnP IGD & PCP

  • Changed: Update UPnP IGD & PCP GUI text #15864

  • Changed: Make the UPnP IGD & PCP STUN port optional #15865

Upgrade

  • Fixed: Upgrade available LED not set before branch is selected #15880

  • Changed: Link to release information on the system update page #15953

  • Fixed: Boot loader is not upgraded on UFS installs #16064

User Manager / Privileges

  • Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282

  • Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318

  • Fixed: PHP error when a user is denied access to the dashboard #15873

  • Fixed: Users with Deny Config Write privilege can trigger logging operations #15874

  • Fixed: Users with Deny Config Write privilege can change their own password #15908

Web Interface

  • Added: Custom message text for the login screen #9293

  • Changed: Update nginx HTTP2 syntax #15863

  • Fixed: Incorrect color in button text within disabled rows #15977