25.03 New Features and Changes¶

This is a regularly scheduled software release including new features and bug fixes.

General¶

Older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. pfSense plus software attempts to detect known affected models of hardware from Netgate. Other devices may require manual intervention.

See ISA Serial Console not Fully Functional for details and a workaround.
This version of pfSense Plus software includes a new kernel-based PPPoE backend, if_pppoe. This will replace the current MPD-based implementation. This new backend is more efficient and enables much faster speeds over PPPoE interfaces.

This new PPPoE backend is not active by default in this version, but can be enabled with the global option under System > Advanced on the Networking tab. This backend will be enabled by default on future versions of pfSense Plus software.

The if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.
This release includes support for DHCPv6 Prefix Delegation in the Kea DHCP daemon.

Warning

Prefix Delegation settings in Kea use a different format than the ISC DHCPv6 daemon, so Kea cannot use existing settings for Prefix Delegation. Settings for Prefix Delegation must be re-created manually when switching from ISC DHCPv6 to Kea DHCPv6. For details, see DHCPv6 Prefix Delegation.
Users of the Gandi Dynamic DNS service must change their current API token to a Personal Access Token (PAT) as Gandi now requires this authentication method for Dynamic DNS updates. For uninterrupted Dynamic DNS service, create a new PAT and save that PAT value in Gandi Dynamic DNS entries before upgrading to this release.

pfSense Plus¶

Changes in this version of pfSense Plus software.

Aliases / Tables¶

Added: System Aliases for various reserved networks #15776
Changed: Exclude the WireGuard and Tailscale interface group system aliases from rules #15848

Auto Configuration Backup¶

Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249
Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010
Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011
Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012
Changed: AutoConfigBackup code cleanup and GUI refresh #16013
Added: Download function for AutoConfigBackup entries #16014
Added: Method to change the AutoConfigBackup device key #16015

Backup / Restore¶

Fixed: Reinstall Packages button reports another instance of pfSense-upgrade is running #15494
Fixed: Backup configuration cache is not cleaned automatically #15994

Captive Portal¶

Fixed: PHP error in Captive Portal with undefined zone interface list #15907
Fixed: Captive Portal does not function with MAC filtering disabled #15926
Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030
Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032

Certificates¶

Added: Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical #15818
Changed: Additional error handling for invalid certificate configuration #15975

Configuration Backend¶

Fixed: PHP error on save with very long configuration change descriptions #15911

DHCP (IPv4)¶

Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321
Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332
Added: Kea Static ARP Support (IPv4 only) #15654
Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019
Fixed: Static lease DNS records are incorrectly removed when backing lease expires #16022

DHCP (IPv6)¶

Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947
Added: Kea DHCPv6 Prefix Delegation Support (IPv6 Only) #15652

DNS Forwarder¶

Fixed: Unable to change DNS Forwarder domain overrides #15890

DNS Resolver¶

Fixed: DNS Resolver option for Query Name Minimization cannot be disabled #15925

Dashboard¶

Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767
Changed: Improve the system load impact from Dashboard widgets #15969

Diagnostics¶

Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162
Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005
Fixed: The filtered states shown may include states for interfaces other than the selected interface #16043
Fixed: Cannot kill states using the post-NAT address #16047

Dynamic DNS¶

Added: Improve Dynamic DNS client IPv6 support #11177
Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067
Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605
Changed: Update Gandi LiveDNS service with API changes #15258
Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028
Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046

Gateway Monitoring¶

Fixed: The monitoring IP address for dynamic gateways may be unexpectedly routed via a different gateway #16069

Gateways¶

Changed: Clarify descriptions for gateway recovery options #15429
Fixed: Cannot set a new name when duplicating an existing gateway group #16036

IPsec¶

Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598
Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095

IPv6 Router Advertisements (radvd/rtsold)¶

Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938
Added: PREF64 support in Router Advertisements #15808
Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876

Interfaces¶

Fixed: Config access error with null static routes #16104
Fixed: Config access error after changing an interface from DHCP to Static #16105

L2TP¶

Fixed: L2TP server settings are not saved correctly #15882

Logging¶

Added: Enhanced firewall log action information display #15415
Fixed: PHP error when saving System Log settings #15988

Multi-Instance Management¶

Fixed: MIM GUI is unable to write IPv6 aliases #15959
Fixed: Renaming an alias in MIM does not update firewall and NAT rules with the new alias name #15989

NTPD¶

Fixed: PHP error after saving NTP settings with an interface selected #16063

OpenVPN¶

Fixed: Configuration upgrade from before revision 19.1 removes OpenVPN settings #15895

Operating System¶

Fixed: pftop core dump with ICMP states #15595
Fixed: Azure: User credentials entered during new VM deployments are not applied to the system #15871
Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648
Fixed: Errors on the console when starting/stopping services #15912
Fixed: RAM disk configuration check fails at boot #16023
Fixed: RAM Disk cron jobs are not saved correctly #16059
Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081

PHP Interpreter¶

Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268

PPP Interfaces¶

Fixed: PPPoE WAN loses IPv4 addresses on IPV6CP LayerDown events #16103
Added: Support if_pppoe backend for PPPoE WAN interfaces #16134

Package System¶

Fixed: Deleting one pre-installed package may delete other pre-installed packages #15643
Fixed: The package post-install script does not run with a system upgrade on ZFS #16057
Changed: pkg no longer supports setting ALTABI manually at run-time #16060

Rules / NAT¶

Fixed: Separators for Ethernet rules span past the actions column #16079
Added: NAT64 support #2358
Fixed: SCTP states not purged causing subsequent SCTP INIT to be blocked #15924
Fixed: Incorrect rule may be opened for editing after rule order has changed #15935
Fixed: Tracking information for firewall rules is not shown when editing the rule #15936
Fixed: Warning message in logs when changing firewall rules after setting Require Firewall Interface #15961
Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076
Fixed: Input validation prevents creating port forwards for the same port using a different address family #16130

System Logs¶

Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092

Traffic Shaper (ALTQ)¶

Fixed: Error when viewing ALTQ Traffic Shaper queue status #15885

Traffic Shaper (Limiters)¶

Fixed: Limiters saved while MIM is enabled disappear after reboot #16051
Fixed: Input validation error when applying limiter changes #13158
Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662
Fixed: Cannot add limiters named new #13687
Fixed: PHP error when a queue is added with the same name as a limiter #15914

UPnP IGD & PCP¶

Changed: Update UPnP IGD & PCP GUI text #15864
Changed: Make the UPnP IGD & PCP STUN port optional #15865

Upgrade¶

Fixed: Upgrade available LED not set before branch is selected. #15880
Changed: Link to release information on the system update page #15953
Fixed: Boot loader is not upgraded on UFS installs #16064

User Manager / Privileges¶

Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
Fixed: PHP error when a user is denied access to the dashboard #15873
Fixed: Users with Deny Config Write privilege can trigger logging operations #15874
Fixed: Users with Deny Config Write privilege can change their own password #15908

Web Interface¶

Added: Custom message text for the login screen #9293
Changed: Update nginx HTTP2 syntax #15863
Fixed: Incorrect color in button text within disabled rows #15977