pfSense CE

Aliases / Tables

  • Fixed: Alias name change is not reflected in firewall rules #11568


  • Fixed: Unreachable LDAP server for SSH auth causes boot process to stop at ‘Synchronizing user settings’ and no user can login over SSH #11644


  • Fixed: Invalid certificate data can cause a PHP error #11489

  • Fixed: Renewing a self-signed CA or certificate does not update the serial number #11514

  • Fixed: Unable to renew a certificate without a SAN #11652

  • Fixed: Certificates with escaped x509 characters display the escaped version when renewing #11654

  • Fixed: Creating a certificate while creating a user does not fully configure the certificate properly #11705

  • Fixed: Renewing a certificate without a type value assumes a server certificate #11706

DNS Resolver

  • Fixed: DNS Resolver does not add a local-zone type for domain override #11403

  • Fixed: DNS Resolver does not bind to an interface when it recovers from a down state #11547


  • Fixed: CPU details are incorrect in the System Information widget after resetting log files #11428

  • Fixed: Disabling ‘State Table Size’ in the System Information widget prevents other data from being displayed #11443

Gateway Monitoring

  • Fixed: Automatic default gateway mode does not select expected entries #11729


  • Fixed: Gateways with “Use non-local gateway” set are not added to routing table #11433


  • Fixed: IPsec status incorrect for entries using expanded IKE connection numbers #11435

  • Fixed: Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in swanctl.conf secrets #11442

  • Fixed: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses #11446

  • Fixed: Broken help link on IPsec Advanced Settings tab #11474

  • Fixed: Connect and disconnect buttons on the IPsec status page do not work for all tunnels #11486

  • Fixed: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in swanctl.conf #11487

  • Fixed: IPsec tunnel definitions have pools = entry in swanctl.conf with no value #11488

  • Fixed: Mobile IPsec broken when using strict certificate revocation list checking #11526

  • Fixed: IPsec VTI tunnel between IPv6 peers may not configure correctly #11537

  • Fixed: IPsec peer ID of “Any” does not generate a proper remote definition or related secrets #11555

  • Fixed: IPsec tunnel does not function when configured on a 6RD interface #11643

IPv6 Router Advertisements (RADVD)

  • Fixed: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 #11105


  • Fixed: Installer does not add required module to loader.conf when using ZFS #11483


  • Fixed: IPv4 MSS value is incorrectly applied to IPv6 packets #11409

  • Fixed: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information #11454

  • Fixed: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance #11602

  • Fixed: DHCP6 interfaces are reconfigured multiple times at boot when more than one interface is set to Track #11633


  • Fixed: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files #11639


  • Fixed: Telegram and Pushover notification API calls do not respect proxy configuration #11476


  • Fixed: OpenVPN authentication and certificate validation fail due to size of data passed through fcgicli #4521

  • Added: Display negotiated data encryption algorithm in OpenVPN connection status #7077

  • Fixed: OpenVPN does not start with several authentication sources selected #11104

  • Fixed: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS #11382

  • Fixed: Incorrect order of route-nopull option in OpenVPN client-specific override configuration #11448

  • Fixed: OpenVPN using the wrong OpenSSL command to list digest algorithms #11500

  • Fixed: Selected Data Encryption Algorithms list items reset when an input validation error occurs #11554

  • Fixed: OpenVPN does not start with a long list of Data Encryption Algorithms #11559

  • Fixed: ACLs generated from RADIUS reply attributes do not parse {clientip} macro #11561

  • Fixed: ACLs generated from RADIUS reply attributes have incorrect syntax #11569

  • Fixed: OpenVPN binds to all interfaces when configured on a 6RD interface #11674

Operating System

  • Fixed: Unexpected Operator error on console at boot with ZFS and RAM Disks #11617

  • Changed: Upgrade OpenSSL to 1.1.1k #11755


  • Fixed: Disabled static route entries trigger ‘route delete’ error at boot #3709

  • Fixed: Route tables with many entries can lead to PHP errors and timeouts when looking up routes #11475

  • Fixed: Error when removing automatic DNS server route #11578

  • Fixed: IPv6 routes with a prefix length of 128 result in an invalid route table entry #11594

  • Fixed: Error when deleting IPv6 link-local routes #11713

Rules / NAT

  • Fixed: Saved state timeout values not loaded into GUI fields on system_advanced_firewall.php #11565

  • Fixed: Firewall rule schedule cannot be changed #11747


  • Fixed: pfSense Proxy Authentication not working #11383

Wake on LAN

  • Fixed: Potential stored XSS vulnerability in services_wol.php #11616

Web Interface

  • Fixed: Requests to do not honor proxy configuration #11464


  • Fixed: XMLRPC error with Captive Portal and CARP failover when GUI is on non-standard port #11425

  • Fixed: Incorrect DHCP failover IP address configured on peer after XMLRPC sync #11519

  • Fixed: PHP error in logs from XMLRPC if no sections are selected to sync #11638