pfSense CE

Changes in this version of pfSense CE software.

Aliases / Tables

• Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296

• Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708

• Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727

• Added: Retain descriptions when exporting and importing aliases #12842

• Fixed: Potential XSS from URL and URL Table alias URLs #13060

• Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282

• Added: Specify CA trust store location when downloading and validating URL alias content #13367

• Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425

• Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538

• Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

• Fixed: Using PF reserved keywords for interface descriptions results in an invalid ruleset #14007

• Fixed: Alias list is not sorted #14015

Authentication

• Fixed: User password hashes pseudo-random number generator may return insecure salt value #12801

• Added: GUI option to select the user password hashing algorithm #12855

• Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

• Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561

• Fixed: Extra remote address information can confuse sshguard #13574

• Changed: Improve LDAP debugging #13718

• Added: Option to enable/disable console bell, enabled by default #14002

Auto Configuration Backup

• Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266

• Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

• Fixed: Auto Config Backup prints a confusing decryption error when using the wrong key #14060

Backup / Restore

• Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556

• Added: Support encrypted config.xml files when restoring via ECL #12685

• Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724

• Added: Ability to sort AutoConfigBackup entries #12773

• Fixed: Sanitize SHA-512 user password hashes in status.php output #12810

• Added: Option to restore dashboard widget layout #13125

• Fixed: PHP error restoring DHCP lease data on fresh installation: #13157

• Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289

• Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861

• Fixed: RRD restore process does not sanitize filenames from backup XML #13935

Build / Release

• Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782

CARP

• Fixed: CARP VIPs can become master too early at boot time #2218

• Changed: Reorganize CARP status page #12701

• Fixed: CARP event storm when leaving persistent CARP maintenance mode #12961

Captive Portal

• Fixed: Allowed IP/Hostname “Direction” option is never used #12649

• Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651

• Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733

• Fixed: Only TCP traffic is passed outbound through IPFW #12834

• Changed: Transition Captive Portal from IPFW to PF #13100

• Fixed: Voucher CSV output has leading space before voucher code #13272

• Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323

• Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391

• Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396

• Fixed: Captive Portal does not keep track of client data usage #13418

• Fixed: All Captive Portal users are given the same limiter pipe pair #13488

• Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838

• Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853

Certificates

• Fixed: CA path is not defined when using curl in the shell #12737

• Added: Option to retain the existing serial number when renewing a CA or certificate #13010

• Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257

• Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387

• Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424

• Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

• Fixed: Some blank SAN fields are not ignored when creating a certificate #14124

• Added: Ability to edit Certificate Revocation List properties #14185

• Changed: Add note to inform the user that the “Next Certificate Serial” value is ignored when the “Randomize Serial” option is enabled #14188

Configuration Backend

• Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675

• Added: Eliminate duplicate shell commands from history file #12741

• Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Configuration Upgrade

• Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

• Fixed: PHP Error in upgrade216_ipsec_create_vtimap() #14400

Console Menu

• Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632

• Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103

• Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258

DHCP (IPv4)

• Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345

• Fixed: Disabling DHCP Server RRD statistics does not work #12710

• Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892

• Fixed: HTTPClient option does not work for static mappings #12896

• Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923

• Added: Relax DHCP maximum lease time input validation #13118

• Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127

• Changed: Clean up DHCP Server option language #13250

• Fixed: DHCP Server generates an invalid configuration for static mappings when defining network booting and UEFI HTTPBoot URL #13573

• Added: Input validation for numbered DHCP options in static mappings #13584

• Fixed: DHCP Server page does not properly select a default interface tab if neither WAN nor LAN are capable of being DHCP servers #14115

DHCP (IPv6)

• Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880

• Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527

• Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582

• Fixed: Uninitialized array in array_remove_duplicates() #12749

• Fixed: Advanced DHCP6 client settings only work for a single interface #13462

• Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594

• Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

• Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

• Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902

• Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

• Fixed: DNS Forwarder (dnsmasq) is using an invalid combination of options when “Query DNS servers sequentially” is enabled #13655

DNS Resolver

• Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624

• Fixed: Unbound crashes with signal 11 when reloading #11316

• Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612

• Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613

• Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636

• Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781

• Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985

• Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991

• Added: DNS Resolver option to keep probing when servers are down #13023

• Fixed: DNS resolver does not update its configuration or reload during link down events #13254

• Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393

• Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453

• Fixed: DNS Resolver does not generate automatic ACLs for IPv6 when Network Interfaces is set to “All” #13851

• Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867

• Changed: Update Unbound to 1.17.1 #13893

• Fixed: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR #14056

• Fixed: Setting system DNS servers can incorrectly modify routes for interface addresses #14288

• Fixed: Discrepancy in “TTL for Host Cache Entries” Description #14358

Dashboard

• Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253

• Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714

• Fixed: Uptime displays plural seconds for multiple minutes in the System Information Dashboard widget #14176

• Added: Support for Intel PCH temperature values in thermal sensors #14255

Diagnostics

• Fixed: diag_pftop.php does not fully encode output #12915

• Fixed: File browser on diag_edit.php does not encode filenames before display #13262

• Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318

• Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426

• Changed: Add multicast group membership (ifmcstat) to status.php #13731

• Changed: Add more disk information to status output #14103

Dynamic DNS

• Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590

• Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672

• Added: IPv6 support for DNSimple Dynamic DNS #12744

• Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750

• Added: Support wildcard Dynamic DNS records on DigitalOcean #12752

• Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754

• Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761

• Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

• Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

• Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167

• Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298

• Fixed: DNSExit Dynamic DNS updates no longer work #13303

• Changed: Improve DynDNS help text readability #14186

FilterDNS

• Fixed: Resolve interval for filterdns may not match the configured value #13067

FreeBSD

• Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080

• Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716

• Changed: Update Time Zone data to 2023c or later #14209

Gateway Monitoring

• Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633

• Added: Option to disable auto-addition of static routes for dpinger #12687

• Changed: Update dpinger to 3.2 #12881

• Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076

• Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295

Gateways

• Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692

• Fixed: IPv6 link local gateway default status not indicated in GUI #11764

• Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it not including interface scope properly #12721

• Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

• Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

• Fixed: Gateway popup in firewall rule list does not indicate current gateway status #14327

Hardware / Drivers

• Added: Chelsio TOE support using the t4_tom module #9091

• Fixed: Intel e1000 driver (em, igb) cannot pass packets tagged with VLAN 0 #12821

• Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

• Fixed: Malicious Driver Detection event on ixl(4) driver #13003

• Fixed: UDP checksum errors with ixgbe interfaces #13883

High Availability

• Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy

• Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609

IPsec

• Added: Option to choose default tab in IPsec status Dashboard widget #2456

• Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226

• Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

• Fixed: Disallow remote gateway of 0.0.0.0 for VTI mode #12723

• Fixed: VTI gateway status stuck as “pending” after reboot #12763

• Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953

• Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975

• Fixed: Deadlock in Charon VICI interface #13014

• Added: GUI option for IPsec dns-interval setting #13057

• Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071

• Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131

• Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373

• Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398

• Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579

• Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647

• Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

• Fixed: Reassembled packets received on a VTI are not forwarded #14396

Installer

• Fixed: Support encrypted config.xml files when restoring during install #12691

• Added: Recover existing SSH keys during installation #12809

Interfaces

• Added: Show SFP module details on status_interfaces.php #8861

• Added: Improved support for USB interfaces that may not always be present #9393

• Fixed: Primary interface address is not always used when VIPs are present #11545

• Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629

• Added: Support for VLAN 0 #12070

• Fixed: devd is not configured to act on USB interface attach/detach events #12606

• Changed: Restart services on interface changes #12619

• Fixed: Interface status “Total Interrupts” display is non-functional #12735

• Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780

• Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790

• Fixed: Link-local address does not reset after removing MAC address spoofing #12794

• Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866

• Fixed: The ruleset is not regenerated after assigning an interface #12949

• Fixed: Bridges with QinQ interfaces not properly set up at boot #13225

• Changed: Start rtsold immediately after dhcp6c sends a request #13492

• Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493

• Changed: Clean up obsolete code in pfSense-dhclient-script #13501

• Fixed: DHCP client can fail permanently if an interface is down at boot #13671

• Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

• Changed: Trim blank characters from static IP address fields on the Interface configuration page #13959

• Fixed: Bridge interface is not properly validated when submitted on interfaces_bridge_edit.php #14052

L2TP

• Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066

• Fixed: L2TP stays bound to previous IP address after static IP address change #13082

• Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099

LAGG Interfaces

• Added: GUI option to configure layers for LACP hash #12819

Logging

• Added: Option to control log level of authentication messages in system logs (“Emergency” vs “Notice” level) #12464

Notifications

• Fixed: Slack notification options only allow - as a special character in channel names #13083

• Fixed: Identical SMTP notifications repeat in an infinite loop under certain conditions #14031

• Fixed: Notices incorrectly set system LEDs on hardware with less than three LEDs #14482

OpenVPN

• Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416

• Fixed: OpenVPN stays bound to previous IP address after interface changes #11864

• Added: OpenVPN option to limit concurrent connections per user #12267

• Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332

• Added: Use deferred client connections in OpenVPN #12407

• Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628

• Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771

• Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817

• Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884

• Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887

• Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925

• Changed: Warn about OpenVPN shared key deprecation #12981

• Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056

• Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061

• Fixed: OpenVPN Client Overrides: properly hide/show form fields #13088

• Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116

• Changed: OpenVPN status page improvements #13129

• Fixed: OpenVPN client-connect file contains topology #13133

• Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145

• Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

• Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274

• Changed: Update OpenVPN Wizard to match current certificate and OpenVPN options #14183

• Changed: Remove deprecated NCP enable/disable toggle from OpenVPN #14201

Operating System

• Fixed: pf hostid value is handled inconsistently #12703

• Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862

• Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

• Changed: Update memory graphs to account for changes in memory reporting #14011

• Fixed: Netlink debug messages from IPsec #14370

• Added: wpa_supplicant: add VLAN 0 support #14457

PHP Interpreter

• Added: Upgrade PHP from 7.4 to 8.1 #13446

• Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

• Changed: Update PHP to 8.2.6 #14027

PPP Interfaces

• Fixed: Services are not restarted when PPP interfaces connect #12811

• Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

• Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

• Fixed: IPv6 does not work on secondary PPPoE WAN #13939

PPPoE Server

• Fixed: PPPoE server panics with multiple client connections #13210

Package System

• Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

• Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766

• Fixed: write_rcfile() does not create rc_restart() entry #13004

• Added: Package plugin hook for web server configuration stanzas #13054

Packet Capture

• Added: Button to clear previous packet capture data #12968

• Added: Packet Capture GUI with granular control #13382

Routing

• Added: Enable ROUTE_MPATH multipath routing #9544

• Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536

• Fixed: Cannot remove IPv6 static routes #12728

• Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route #13048

Rules / NAT

• Added: Toggle button to disable/enable multiple firewall rules #2505

• Added: Port forward NAT rules with “any” protocol #4259

• Added: Allow NPt to use dynamic IPv6 networks #4881

• Added: Button to copy rules from one interface to another #8365

• Fixed: Rule separator positions change when deleting multiple rules #9887

• Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984

• Added: Utilize new pfctl abilities to kill states #12092

• Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319

• Added: Allow the selection of “any” interface in floating rules #12392

• Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678

• Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792

• Fixed: Error loading ruleset due to illegal TOS value #12803

• Fixed: High latency and packet loss during a filter reload #12827

• Fixed: On startup “No routing address with matching address” might appear #12847

• Added: Toggle button to disable/enable multiple entries on NAT pages #12879

• Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957

• Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012

• Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015

• Fixed: Input validation requires a gateway for floating match out rules #13027

• Fixed: Empty negate_networks table breaks policy routing rules #13049

• Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055

• Added: Allow auto prefix with manual prefix-length in NPt #13070

• Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164

• Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171

• Fixed: Incorrect usage of DSCP hex value #13178

• Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420

• Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445

• Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505

• Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545

• Fixed: The “Kill States” button does not work consistently #14091

• Changed: Match upstream changes in PF syntax to disable fragment disassembly #14098

• Fixed: Associated firewall rule for NAT port forward does not inherit nosync property, gets synchronized #14335

• Fixed: Default tab on firewall_rules.php is not selected if the configuration has no WAN interface #14345

• Fixed: Outbound NAT rule input validation error when attempting to manually specify “Other Subnet” with a valid address #14354

• Fixed: Enable IPv6 over IPv4 tunneling option results in invalid PF rule #14415

SNMP

• Fixed: SNMP daemon is restarted during every rc.newwanip event #12611

Services

• Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775

Setup Wizard

• Changed: Update firewall host and domain fields in the Setup Wizard to match the description and warning text from system.php #14250

System Logs

• Fixed: Firewall log parser does not handle SCTP log entries #13940

Traffic Shaper (ALTQ)

• Changed: Remove code references to unused reset parameter from traffic shaper pages #13042

• Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304

• Added: Include ixv in ALTQ capable NIC list #14408

Traffic Shaper (Limiters)

• Fixed: Incorrect ICMP reply when using limiters #9263

• Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003

• Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579

• Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

• Fixed: Traffic shaped by limiters is dropped when routed to a GIF gateway #14055

Traffic Shaper Wizards

• Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937

Translations

• Fixed: Polish translation contains an invalid sprintf() format in the text for firewall_nat_out_edit.php #13946

UPnP/NAT-PMP

• Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

• Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port #7727

• Changed: Reorganize UPnP options #12624

• Changed: Update miniupnpd to 2.3.3 #14307

Unknown

• Fixed: Many exec() functions do not use full path to executable files #11941

• Fixed: URL scheme is not properly validated in some cases #14356

Upgrade

• Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

• Fixed: pfSense-boot can fail to copy the EFI bootloader #14045

User Manager / Privileges

• Added: Support for RADIUS authentication over IPv6 #4154

• Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Virtual IP Addresses

• Fixed: Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active #13908

Web Interface

• Fixed: Unnecessary link tag in login page #7996

• Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730

• Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141

• Changed: GUI pages should use POST for AJAX calls, not GET #12431

• Fixed: Zero-value prefix IPv6 addresses are mishandled #12440

• Added: Option to filter state table contents by rule ID #12616

• Fixed: Changing RAM disk size does not prompt to reboot #12876

• Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960

• Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069

• Added: Trim whitespace from MAC addresses in user input #13109

• Changed: Spelling and typo corrections #13357

• Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390

• Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436

• Changed: Update external HTTPS/HTTP links #13440

• Fixed: Table row selection has poor contrast in Dark theme #13448

• Added: Support for iwlwifi wireless interfaces #14050

Wireless

• Fixed: Wireless interface WPA configuration fields are always visible #12998

• Fixed: Duplicate wireless interfaces are created at boot #12999

XMLRPC

• Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940

• Fixed: Filter/NAT rules configured with “No XMLRPC Sync” enabled are still synchronized #14316