pfSense CE

Aliases / Tables

  • Fixed: Error loading rules when URL Table Ports content is empty #4893

  • Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818

  • Fixed: Unable to create nested URL aliases #11863

  • Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124

  • Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177


  • Changed: Use SHA-512 for user password hashes #10298

  • Fixed: Deny SSH access for admin and root users when the admin GUI account is disabled #12346

Backup / Restore

  • Fixed: Restoring from AutoConfigBackup presents reboot type selection option then reboots automatically #10662

  • Added: Backup and restore SSH host key(s) #11118

  • Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909

  • Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946

  • Added: AutoConfigBackup performance improvements #12193

  • Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247

  • Changed: Explicitly state where AutoConfigBackup stores encrypted backup data #12296

Build / Release

  • Changed: Remove deprecated libzmq code and references #12060


  • Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727

  • Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202

  • Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227

  • Fixed: rc.carpmaster only sends notifications via SMTP #12584

Captive Portal

  • Fixed: Vouchers may expire too early when using RAM disks #11894

  • Fixed: Incorrect variable substitution in captive portal error page #11902

  • Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138

  • Fixed: Captive Portal database and ipfw rules are out of sync after unclean shutdown #12355

  • Fixed: Captive Portal input validation for “After authentication Redirection URL” and “Blocked MAC address redirect URL” is swapped #12388

  • Fixed: Captive Portal online user statistics data is not cleared on unclean shutdown #12455


  • Fixed: Certificate Revocation tab does not list active users of CRL entries #11831

  • Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922

  • Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034

  • Added: Input validation to prevent unsupported UTF-8 characters from being used in certificate subject components #12035

  • Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Console Menu

  • Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581

  • Changed: Suppress kernel messages when loading dummynet and thermal sensor modules #12454


  • Added: DHCPv4 client does not support supersede statement for option 54 #7416

  • Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659

  • Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905

  • Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216


  • Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277

DHCP Relay

  • Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

DNS Resolver

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274

  • Fixed: Unbound falls back to using all outgoing network interfaces if manually selected outgoing interface(s) are unavailable #12460


  • Fixed: System Information widget unnecessarily polls data for hidden items #12241

  • Fixed: IPsec widget generates errors if no tunnels are defined #12337

  • Fixed: IPsec widget treats phase 1 in “connecting” state as connected #12347

  • Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349

  • Fixed: Thermal Sensors Dashboard widget filter for negative values refers to invalid variable #12470


  • Fixed: State table content on diag_dump_states.php does not sort properly #11852

  • Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983

  • Fixed: “GoTo line #” function does not work on diag_edit.php #12050

  • Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256

  • Added: Include firewall rules from packages which failed to load in status output #12269

  • Added: Include firewall rules generated from OpenVPN RADIUS ACL entries in status output #12316

  • Fixed: ARP table interface column empty for entries on unassigned interfaces #12698

Dynamic DNS

  • Added: Option to set interval of forced Dynamic DNS updates #9092

  • Added: Support DNS Made Easy authentication without a username #9341

  • Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816

  • Added: New Dynamic DNS Provider: Strato #11978

  • Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007

  • Fixed: incorrectly encodes Dynamic DNS update credentials #12021

  • Added: New Dynamic DNS Provider: deSEC #12086

  • Added: Support Check IP services which return bare IP address values #12194

  • Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331

  • Added: Dynamic DNS client proxy support #12342

  • Fixed: Update Dynamic DNS code for to use their new login process #12352

  • Fixed: Dynamic DNS updates do not respect certificate authority trust store #12589

  • Fixed: Dynamic DNS client updates using a private IP address when it cannot determine the public IP address #12617

  • Fixed: Dynamic DNS may not use the correct interface when updating during failover #12631


  • Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653

  • Changed: Upgrade to pkg 1.17.x #12171


  • Added: Support DNS server gateway selection on system.php for multiple gateways not assigned to interfaces #12116

  • Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

Hardware / Drivers

  • Added: Support for network interfaces using the qlnxe driver #11750

High Availability

  • Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy

  • Added: Support 0 CIDR mask for IGMP Proxy networks #7749


  • Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275

  • Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801

  • Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447

  • Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552

  • Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891

  • Fixed: IPsec status tunnel descriptions are incorrect #11910

  • Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933

  • Fixed: IPsec status fails when many tunnels are connected #11951

  • Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

  • Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023

  • Fixed: Applying IPsec settings for many tunnels is slow or times out #12026

  • Fixed: Gateway alarm always triggers IPsec restart #12039

  • Changed: Improve IPsec identifier settings #12044

  • Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052

  • Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155

  • Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169

  • Added: Add connect/disconnect buttons to IPsec dashboard widget #12181

  • Added: GUI options to configure IKE retransmission behavior #12184

  • Fixed: IPsec status shows connect buttons while tunnel is connecting #12189

  • Fixed: IPsec writes CRL files when tunnel does not use certificates #12195

  • Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196

  • Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197

  • Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198

  • Fixed: Disabled IPsec VTI interfaces are always created #12212

  • Fixed: IPsec bypass rules display help text under each entry #12236

  • Fixed: IPsec phase 1 entry with as its remote gateway does not receive correct automatic firewall rules #12262

  • Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289

  • Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298

  • Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315

  • Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323

  • Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324

  • Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328

  • Fixed: Incorrect label for IPsec DH group 32 #12350

  • Added: Distinguish between policy-based and route-based entries on IPsec status SPD tab #12397

  • Fixed: Console boot output includes Configuring IPsec VTI interfaces when no VTI interfaces are configured #12419

  • Changed: Add IPsec phase 2 BINAT subnet size input validation #12430

  • Fixed: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group #12566

  • Fixed: IPsec Mobile Client RADIUS Advanced parameters are not reset to default values when disabled #12575

IPv6 Router Advertisements (RADVD)

  • Fixed: radvd only responds to the first Router Solicitation received after each multicast Router Advertisement #10304

  • Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159

  • Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173

  • Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280

  • Fixed: “Default preferred lifetime” field for IPv6 RA does not have input validation #12439

  • Fixed: IPv6 interface prefix change not reflected in RADVD configuration #12604

  • Fixed: Router Advertisement DNS search domain from one interface may unintentionally be used by other interfaces #12626


  • Added: Restore RRD and extra data from configuration backups when restoring during installation #12518

  • Fixed: Minnowboard Turbo cannot boot a clean install #12707


  • Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507

  • Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337

  • Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662

  • Fixed: VLAN and QinQ edit pages allows selecting incompatible OpenVPN tun interfaces #11675

  • Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926

  • Added: VLAN list sorting #11968

  • Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002

  • Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049

  • Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170

  • Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252

  • Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253

  • Fixed: Remove subnet overlap check on LAN interfaces when using 6rd #12371

  • Fixed: “6RD Prefix” field does not have input validation #12435

  • Fixed: Trying to delete an assigned PPPoE interface fails without printing an error message #12514


  • Fixed: Kernel panic during L2TP retransmit #9058

  • Fixed: FQDN L2TP server address is only resolved at boot #12072


  • Fixed: Logging configuration added by a package is not removed on uninstall #11846

  • Fixed: Remote log server input validation allows invalid values #12000

  • Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011

  • Changed: Improve log settings help text for file size, compression, and retention count #12012

  • Added: Create a log entry when a configuration change occurs #12118

  • Fixed: Rotation settings for individual log files do not take effect after saving #12366


  • Added: Poll Interval For GPS and PPS #9439

  • Added: Support for NTP Peer mode #11496

  • Fixed: File overwrite in services_ntpd_gps.php via gpsport parameter #12191

  • Added: Support SHA-256 hash NTP authentication #12213

  • Fixed: ZFS installations without an RTC battery boot with clock at BIOS/EFI default value because they do not receive initial clock value from filesystem data #12769


  • Added: Option to suppress expiration notifications for revoked certificates #12109

  • Added: Support for Slack notifications #12291

  • Added: Send notification for halt, reboot, and reroot events #12441

  • Fixed: rc.notify_message only sends notifications via SMTP #12585


  • Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668

  • Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684

  • Fixed: OpenVPN client certificate validation with OCSP always fails #11829

  • Added: Option to validate OpenVPN peer TLS certificate key usage #11865

  • Added: Log external IP address of OpenVPN clients on connect and disconnect #11935

  • Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938

  • Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999

  • Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020

  • Fixed: Incorrect OpenVPN Client Export help link #12022

  • Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076

  • Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102

  • Fixed: OpenVPN Wizard configuration missing recently added default values #12172

  • Fixed: OpenVPN does not clean up previous CA and CRL files #12192

  • Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218

  • Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219

  • Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223

  • Fixed: OpenVPN page allows to delete/disable instance with an assigned interface #12224

  • Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232

  • Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238

  • Added: Pop-up window to view firewall rules generated from RADIUS ACL entries on the OpenVPN status page #12321

  • Added: Support OpenVPN client-kill to terminate remote clients instead of clearing their session #12416

  • Fixed: Set OpenVPN Gateway Creation value to “Both” by default for new instances #12448

  • Fixed: OpenVPN form validation issues #12677

Operating System

  • Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985

  • Fixed: Update NGINX to address CVE-2021-23017 #12061

  • Added: Suppress kernel messages for lo0 configuration during boot #12094

  • Changed: Convert RAM disks to tmpfs #12145

  • Changed: Improve uses of grep which utilize user-supplied patterns #12265

  • Fixed: Update mpd5 to address vulnerabilities in < 5.9_2 #12373

  • Fixed: Update python to address vulnerabilities < 3.8.12 #12374

  • Fixed: Multiple cURL Vulnerabilities #12434

  • Changed: Add note in log settings that disabling logging also disables sshguard login protection #12511

  • Fixed: Kernel panic in nd6_dad_timer() #12548

PHP Interpreter

  • Fixed: diag_dump_states.php no longer filters by rule ID #12605

PPP Interfaces

  • Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

PPPoE Server

  • Added: Option to select PPPoE Server authentication protocol #12438

Package System

  • Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290

  • Added: Add librdkafka package to the pfSense package repository #12290

  • Fixed: PHP error on pkg_mgr_install.php when multiple instances are running #12713

  • Fixed: Potential XSS in pkg.php via pkg_filter #12725

RRD Graphs

  • Added: Graph for hardware temperature readings #9297


  • Fixed: Static routes using aliases are not automatically updated when alias content changes #7547

  • Fixed: Input validation does not prevent removing a gateway used by a DNS server #8390

  • Fixed: Kernel route table entries are removed if they match disabled static route entries #10706

  • Fixed: Modifying static routes results in a logged error, changes are not reflected in routing table #11599

  • Added: Require user to manually apply changes after altering static route entries #11895

  • Fixed: Route data collection method on diag_routes.php has multiple issues #12257

Rules / NAT

  • Added: IPv6 support in easyrule CLI script #11439

  • Fixed: NAT rule overlap detection is inconsistent #11734

  • Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923

  • Fixed: easyrule script does not function properly #12151

  • Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164

  • Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168

  • Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174

  • Fixed: VIP network addresses are not expanded on Port Forward rules #12233

  • Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272

  • Added: Display default “Reflection Timeout” value on system_advanced_firewall.php #12318

  • Fixed: NAT rule overlap detection does not check special networks #12361

  • Fixed: Input validation prevents creating 1:1 NAT rules on OpenVPN #12408

  • Fixed: 1:1 NAT edit page lists incorrect entries in the Destination field #12410

  • Added: Icon for traffic direction on floating rules tab #12433

  • Fixed: Port forward rules are not created for special networks (pppoe, openvpn) #12452

  • Fixed: Automatic outbound NAT for reflection does not support IPv6 #12500

  • Fixed: Interface group name starting with a digit creates invalid XML for rule separators #12529

  • Added: Change Gateway/Group name in firewall rule list to clickable link to edit page for the entry #12555

  • Fixed: Automatic rule tracker IDs incorrect after multiple filter reloads #12588

  • Fixed: PHP error when clicking Delete on Outbound NAT with no rules selected #12694


  • Added: IPv6 support for base system SNMP service #12325


  • Fixed: System attempts to stop inactive services at shutdown #12001

  • Fixed: System attempts to start inactive services at boot #12038

Traffic Shaper (ALTQ)

  • Added: IPv6 support in the Traffic Shaper Wizard #4769

  • Fixed: Panic when using CBQ traffic shaping #11470

  • Added: Allow Chelsio T6 CXGBE (cc) drivers to be used for ALTQ traffic shaping #12499

  • Changed: Traffic shaper wizard default bandwidth type should be Mbit/s #12501

Traffic Shaper (Limiters)

  • Fixed: Unable to delete limiter referenced in filter rules #12503

  • Fixed: Kernel panic when using fq_pie limiter scheduler #12622


  • Added: UPnP/NAT-PMP STUN configuration options #10587


  • Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

User Manager / Privileges

  • Added: Copy button for group entries in the User Manager #12226

Virtual IP Addresses

  • Fixed: Validation when deleting a VIP does not check if the VIP is used by IPsec phase 1 entries #12356

  • Fixed: Validation when deleting a VIP does not prevent deleting a CARP VIP used as a parent for an IP Aliases VIP #12362

Wake on LAN

  • Added: Wake on LAN button to wake all devices #12480

Web Interface

  • Changed: Update font formats to WOFF2 #11507

  • Fixed: DHCP Leases page and ARP table page fail to load if DNS is not available #11512

  • Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107

  • Changed: Convert help shortcut links to server-side redirects #12314

  • Fixed: Help text for RAM disk settings does not mention Captive Portal data #12389

  • Fixed: Input validation error can unintentionally result in removal of PPP type interface settings #12498


  • Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

  • Fixed: Interfaces page does not show Wireless EAP client options #12239


  • Fixed: XMLRPC sync results in an error when a failover peer IP address is specified in DHCP server settings for an unconfigured interface #10955

  • Added: XMLRPC synchronization for DHCP relay settings #11957

  • Changed: XMLRPC client improvements #12051

  • Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075