pfSense CE

Aliases / Tables

• Fixed: Error loading rules when URL Table Ports content is empty #4893

• Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818

• Fixed: Unable to create nested URL aliases #11863

• Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124

• Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177

Authentication

• Changed: Use SHA-512 for user password hashes #10298

• Fixed: Deny SSH access for admin and root users when the admin GUI account is disabled #12346

Backup / Restore

• Fixed: Restoring from AutoConfigBackup presents reboot type selection option then reboots automatically #10662

• Added: Backup and restore SSH host key(s) #11118

• Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909

• Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946

• Added: AutoConfigBackup performance improvements #12193

• Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247

• Changed: Explicitly state where AutoConfigBackup stores encrypted backup data #12296

Build / Release

• Changed: Remove deprecated libzmq code and references #12060

CARP

• Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727

• Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202

• Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227

• Fixed: rc.carpmaster only sends notifications via SMTP #12584

Captive Portal

• Fixed: Vouchers may expire too early when using RAM disks #11894

• Fixed: Incorrect variable substitution in captive portal error page #11902

• Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138

• Fixed: Captive Portal database and ipfw rules are out of sync after unclean shutdown #12355

• Fixed: Captive Portal input validation for “After authentication Redirection URL” and “Blocked MAC address redirect URL” is swapped #12388

• Fixed: Captive Portal online user statistics data is not cleared on unclean shutdown #12455

Certificates

• Fixed: Certificate Revocation tab does not list active users of CRL entries #11831

• Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922

• Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034

• Added: Input validation to prevent unsupported UTF-8 characters from being used in certificate subject components #12035

• Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Console Menu

• Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581

• Changed: Suppress kernel messages when loading dummynet and thermal sensor modules #12454

DHCP (IPv4)

• Added: DHCPv4 client does not support supersede statement for option 54 #7416

• Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659

• Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905

• Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216

DHCP (IPv6)

• Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277

DHCP Relay

• Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

DNS Resolver

• Fixed: Unbound crashes with signal 11 when reloading #11316

• Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274

• Fixed: Unbound falls back to using all outgoing network interfaces if manually selected outgoing interface(s) are unavailable #12460

Dashboard

• Fixed: System Information widget unnecessarily polls data for hidden items #12241

• Fixed: IPsec widget generates errors if no tunnels are defined #12337

• Fixed: IPsec widget treats phase 1 in “connecting” state as connected #12347

• Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349

• Fixed: Thermal Sensors Dashboard widget filter for negative values refers to invalid variable #12470

Diagnostics

• Fixed: State table content on diag_dump_states.php does not sort properly #11852

• Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983

• Fixed: “GoTo line #” function does not work on diag_edit.php #12050

• Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256

• Added: Include firewall rules from packages which failed to load in status output #12269

• Added: Include firewall rules generated from OpenVPN RADIUS ACL entries in status output #12316

• Fixed: ARP table interface column empty for entries on unassigned interfaces #12698

Dynamic DNS

• Added: Option to set interval of forced Dynamic DNS updates #9092

• Added: Support DNS Made Easy authentication without a username #9341

• Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816

• Added: New Dynamic DNS Provider: Strato #11978

• Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007

• Fixed: NoIP.com incorrectly encodes Dynamic DNS update credentials #12021

• Added: New Dynamic DNS Provider: deSEC #12086

• Added: Support Check IP services which return bare IP address values #12194

• Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331

• Added: Dynamic DNS client proxy support #12342

• Fixed: Update Dynamic DNS code for one.com to use their new login process #12352

• Fixed: Dynamic DNS updates do not respect certificate authority trust store #12589

• Fixed: Dynamic DNS client updates using a private IP address when it cannot determine the public IP address #12617

• Fixed: Dynamic DNS may not use the correct interface when updating during failover #12631

FreeBSD

• Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653

• Changed: Upgrade to pkg 1.17.x #12171

Gateways

• Added: Support DNS server gateway selection on system.php for multiple gateways not assigned to interfaces #12116

• Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

Hardware / Drivers

• Added: Support for network interfaces using the qlnxe driver #11750

High Availability

• Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy

• Added: Support 0 CIDR mask for IGMP Proxy networks #7749

IPsec

• Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275

• Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801

• Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447

• Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552

• Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891

• Fixed: IPsec status tunnel descriptions are incorrect #11910

• Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933

• Fixed: IPsec status fails when many tunnels are connected #11951

• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

• Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023

• Fixed: Applying IPsec settings for many tunnels is slow or times out #12026

• Fixed: Gateway alarm always triggers IPsec restart #12039

• Changed: Improve IPsec identifier settings #12044

• Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052

• Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155

• Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169

• Added: Add connect/disconnect buttons to IPsec dashboard widget #12181

• Added: GUI options to configure IKE retransmission behavior #12184

• Fixed: IPsec status shows connect buttons while tunnel is connecting #12189

• Fixed: IPsec writes CRL files when tunnel does not use certificates #12195

• Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196

• Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197

• Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198

• Fixed: Disabled IPsec VTI interfaces are always created #12212

• Fixed: IPsec bypass rules display help text under each entry #12236

• Fixed: IPsec phase 1 entry with 0.0.0.0 as its remote gateway does not receive correct automatic firewall rules #12262

• Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289

• Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298

• Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315

• Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323

• Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324

• Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328

• Fixed: Incorrect label for IPsec DH group 32 #12350

• Added: Distinguish between policy-based and route-based entries on IPsec status SPD tab #12397

• Fixed: Console boot output includes Configuring IPsec VTI interfaces when no VTI interfaces are configured #12419

• Changed: Add IPsec phase 2 BINAT subnet size input validation #12430

• Fixed: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group #12566

• Fixed: IPsec Mobile Client RADIUS Advanced parameters are not reset to default values when disabled #12575

IPv6 Router Advertisements (RADVD)

• Fixed: radvd only responds to the first Router Solicitation received after each multicast Router Advertisement #10304

• Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159

• Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173

• Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280

• Fixed: “Default preferred lifetime” field for IPv6 RA does not have input validation #12439

• Fixed: IPv6 interface prefix change not reflected in RADVD configuration #12604

• Fixed: Router Advertisement DNS search domain from one interface may unintentionally be used by other interfaces #12626

Installer

• Added: Restore RRD and extra data from configuration backups when restoring during installation #12518

• Fixed: Minnowboard Turbo cannot boot a clean install #12707

Interfaces

• Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507

• Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337

• Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662

• Fixed: VLAN and QinQ edit pages allows selecting incompatible OpenVPN tun interfaces #11675

• Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926

• Added: VLAN list sorting #11968

• Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002

• Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049

• Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170

• Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252

• Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253

• Fixed: Remove subnet overlap check on LAN interfaces when using 6rd #12371

• Fixed: “6RD Prefix” field does not have input validation #12435

• Fixed: Trying to delete an assigned PPPoE interface fails without printing an error message #12514

L2TP

• Fixed: Kernel panic during L2TP retransmit #9058

• Fixed: FQDN L2TP server address is only resolved at boot #12072

Logging

• Fixed: Logging configuration added by a package is not removed on uninstall #11846

• Fixed: Remote log server input validation allows invalid values #12000

• Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011

• Changed: Improve log settings help text for file size, compression, and retention count #12012

• Added: Create a log entry when a configuration change occurs #12118

• Fixed: Rotation settings for individual log files do not take effect after saving #12366

NTPD

• Added: Poll Interval For GPS and PPS #9439

• Added: Support for NTP Peer mode #11496

• Fixed: File overwrite in services_ntpd_gps.php via gpsport parameter #12191

• Added: Support SHA-256 hash NTP authentication #12213

• Fixed: ZFS installations without an RTC battery boot with clock at BIOS/EFI default value because they do not receive initial clock value from filesystem data #12769

Notifications

• Added: Option to suppress expiration notifications for revoked certificates #12109

• Added: Support for Slack notifications #12291

• Added: Send notification for halt, reboot, and reroot events #12441

• Fixed: rc.notify_message only sends notifications via SMTP #12585

OpenVPN

• Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668

• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684

• Fixed: OpenVPN client certificate validation with OCSP always fails #11829

• Added: Option to validate OpenVPN peer TLS certificate key usage #11865

• Added: Log external IP address of OpenVPN clients on connect and disconnect #11935

• Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938

• Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999

• Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020

• Fixed: Incorrect OpenVPN Client Export help link #12022

• Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076

• Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102

• Fixed: OpenVPN Wizard configuration missing recently added default values #12172

• Fixed: OpenVPN does not clean up previous CA and CRL files #12192

• Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218

• Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219

• Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223

• Fixed: OpenVPN page allows to delete/disable instance with an assigned interface #12224

• Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232

• Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238

• Added: Pop-up window to view firewall rules generated from RADIUS ACL entries on the OpenVPN status page #12321

• Added: Support OpenVPN client-kill to terminate remote clients instead of clearing their session #12416

• Fixed: Set OpenVPN Gateway Creation value to “Both” by default for new instances #12448

• Fixed: OpenVPN form validation issues #12677

Operating System

• Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985

• Fixed: Update NGINX to address CVE-2021-23017 #12061

• Added: Suppress kernel messages for lo0 configuration during boot #12094

• Changed: Convert RAM disks to tmpfs #12145

• Changed: Improve uses of grep which utilize user-supplied patterns #12265

• Fixed: Update mpd5 to address vulnerabilities in < 5.9_2 #12373

• Fixed: Update python to address vulnerabilities < 3.8.12 #12374

• Fixed: Multiple cURL Vulnerabilities #12434

• Changed: Add note in log settings that disabling logging also disables sshguard login protection #12511

• Fixed: Kernel panic in nd6_dad_timer() #12548

PHP Interpreter

• Fixed: diag_dump_states.php no longer filters by rule ID #12605

PPP Interfaces

• Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

PPPoE Server

• Added: Option to select PPPoE Server authentication protocol #12438

Package System

• Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290

• Added: Add librdkafka package to the pfSense package repository #12290

• Fixed: PHP error on pkg_mgr_install.php when multiple instances are running #12713

• Fixed: Potential XSS in pkg.php via pkg_filter #12725

RRD Graphs

• Added: Graph for hardware temperature readings #9297

Routing

• Fixed: Static routes using aliases are not automatically updated when alias content changes #7547

• Fixed: Input validation does not prevent removing a gateway used by a DNS server #8390

• Fixed: Kernel route table entries are removed if they match disabled static route entries #10706

• Fixed: Modifying static routes results in a logged error, changes are not reflected in routing table #11599

• Added: Require user to manually apply changes after altering static route entries #11895

• Fixed: Route data collection method on diag_routes.php has multiple issues #12257

Rules / NAT

• Added: IPv6 support in easyrule CLI script #11439

• Fixed: NAT rule overlap detection is inconsistent #11734

• Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923

• Fixed: easyrule script does not function properly #12151

• Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164

• Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168

• Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174

• Fixed: VIP network addresses are not expanded on Port Forward rules #12233

• Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272

• Added: Display default “Reflection Timeout” value on system_advanced_firewall.php #12318

• Fixed: NAT rule overlap detection does not check special networks #12361

• Fixed: Input validation prevents creating 1:1 NAT rules on OpenVPN #12408

• Fixed: 1:1 NAT edit page lists incorrect entries in the Destination field #12410

• Added: Icon for traffic direction on floating rules tab #12433

• Fixed: Port forward rules are not created for special networks (pppoe, openvpn) #12452

• Fixed: Automatic outbound NAT for reflection does not support IPv6 #12500

• Fixed: Interface group name starting with a digit creates invalid XML for rule separators #12529

• Added: Change Gateway/Group name in firewall rule list to clickable link to edit page for the entry #12555

• Fixed: Automatic rule tracker IDs incorrect after multiple filter reloads #12588

• Fixed: PHP error when clicking Delete on Outbound NAT with no rules selected #12694

SNMP

• Added: IPv6 support for base system SNMP service #12325

Services

• Fixed: System attempts to stop inactive services at shutdown #12001

• Fixed: System attempts to start inactive services at boot #12038

Traffic Shaper (ALTQ)

• Added: IPv6 support in the Traffic Shaper Wizard #4769

• Fixed: Panic when using CBQ traffic shaping #11470

• Added: Allow Chelsio T6 CXGBE (cc) drivers to be used for ALTQ traffic shaping #12499

• Changed: Traffic shaper wizard default bandwidth type should be Mbit/s #12501

Traffic Shaper (Limiters)

• Fixed: Unable to delete limiter referenced in filter rules #12503

• Fixed: Kernel panic when using fq_pie limiter scheduler #12622

UPnP/NAT-PMP

• Added: UPnP/NAT-PMP STUN configuration options #10587

Upgrade

• Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

User Manager / Privileges

• Added: Copy button for group entries in the User Manager #12226

Virtual IP Addresses

• Fixed: Validation when deleting a VIP does not check if the VIP is used by IPsec phase 1 entries #12356

• Fixed: Validation when deleting a VIP does not prevent deleting a CARP VIP used as a parent for an IP Aliases VIP #12362

Wake on LAN

• Added: Wake on LAN button to wake all devices #12480

Web Interface

• Changed: Update font formats to WOFF2 #11507

• Fixed: DHCP Leases page and ARP table page fail to load if DNS is not available #11512

• Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107

• Changed: Convert help shortcut links to server-side redirects #12314

• Fixed: Help text for RAM disk settings does not mention Captive Portal data #12389

• Fixed: Input validation error can unintentionally result in removal of PPP type interface settings #12498

Wireless

• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

• Fixed: Interfaces page does not show Wireless EAP client options #12239

XMLRPC

• Fixed: XMLRPC sync results in an error when a failover peer IP address is specified in DHCP server settings for an unconfigured interface #10955

• Added: XMLRPC synchronization for DHCP relay settings #11957

• Changed: XMLRPC client improvements #12051

• Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075