pfSense CE

Changes in this version of pfSense CE software.

Aliases / Tables

  • Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296

  • Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708

  • Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727

  • Added: Retain descriptions when exporting and importing aliases #12842

  • Fixed: Potential XSS from URL and URL Table alias URLs #13060

  • Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282

  • Added: Specify CA trust store location when downloading and validating URL alias content #13367

  • Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425

  • Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538

  • Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

  • Fixed: Using PF reserved keywords for interface descriptions results in an invalid ruleset #14007

  • Fixed: Alias list is not sorted #14015


  • Fixed: User password hashes pseudo-random number generator may return insecure salt value #12801

  • Added: GUI option to select the user password hashing algorithm #12855

  • Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

  • Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561

  • Fixed: Extra remote address information can confuse sshguard #13574

  • Changed: Improve LDAP debugging #13718

  • Added: Option to enable/disable console bell, enabled by default #14002

Auto Configuration Backup

  • Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266

  • Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

  • Fixed: Auto Config Backup prints a confusing decryption error when using the wrong key #14060

Backup / Restore

  • Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556

  • Added: Support encrypted config.xml files when restoring via ECL #12685

  • Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724

  • Added: Ability to sort AutoConfigBackup entries #12773

  • Fixed: Sanitize SHA-512 user password hashes in status.php output #12810

  • Added: Option to restore dashboard widget layout #13125

  • Fixed: PHP error restoring DHCP lease data on fresh installation: #13157

  • Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289

  • Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861

  • Fixed: RRD restore process does not sanitize filenames from backup XML #13935

Build / Release

  • Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782


  • Fixed: CARP VIPs can become master too early at boot time #2218

  • Changed: Reorganize CARP status page #12701

  • Fixed: CARP event storm when leaving persistent CARP maintenance mode #12961

Captive Portal

  • Fixed: Allowed IP/Hostname “Direction” option is never used #12649

  • Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651

  • Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733

  • Fixed: Only TCP traffic is passed outbound through IPFW #12834

  • Changed: Transition Captive Portal from IPFW to PF #13100

  • Fixed: Voucher CSV output has leading space before voucher code #13272

  • Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323

  • Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391

  • Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396

  • Fixed: Captive Portal does not keep track of client data usage #13418

  • Fixed: All Captive Portal users are given the same limiter pipe pair #13488

  • Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838

  • Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853


  • Fixed: CA path is not defined when using curl in the shell #12737

  • Added: Option to retain the existing serial number when renewing a CA or certificate #13010

  • Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257

  • Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387

  • Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424

  • Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

  • Fixed: Some blank SAN fields are not ignored when creating a certificate #14124

  • Added: Ability to edit Certificate Revocation List properties #14185

  • Changed: Add note to inform the user that the “Next Certificate Serial” value is ignored when the “Randomize Serial” option is enabled #14188

Configuration Backend

  • Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675

  • Added: Eliminate duplicate shell commands from history file #12741

  • Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Configuration Upgrade

  • Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

  • Fixed: PHP Error in upgrade216_ipsec_create_vtimap() #14400

Console Menu

  • Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632

  • Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103

  • Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258


  • Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345

  • Fixed: Disabling DHCP Server RRD statistics does not work #12710

  • Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892

  • Fixed: HTTPClient option does not work for static mappings #12896

  • Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923

  • Added: Relax DHCP maximum lease time input validation #13118

  • Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127

  • Changed: Clean up DHCP Server option language #13250

  • Fixed: DHCP Server generates an invalid configuration for static mappings when defining network booting and UEFI HTTPBoot URL #13573

  • Added: Input validation for numbered DHCP options in static mappings #13584

  • Fixed: DHCP Server page does not properly select a default interface tab if neither WAN nor LAN are capable of being DHCP servers #14115


  • Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880

  • Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527

  • Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582

  • Fixed: Uninitialized array in array_remove_duplicates() #12749

  • Fixed: Advanced DHCP6 client settings only work for a single interface #13462

  • Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594

  • Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

  • Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

  • Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902

  • Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

  • Fixed: DNS Forwarder (dnsmasq) is using an invalid combination of options when “Query DNS servers sequentially” is enabled #13655

DNS Resolver

  • Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612

  • Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613

  • Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636

  • Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781

  • Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985

  • Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991

  • Added: DNS Resolver option to keep probing when servers are down #13023

  • Fixed: DNS resolver does not update its configuration or reload during link down events #13254

  • Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393

  • Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453

  • Fixed: DNS Resolver does not generate automatic ACLs for IPv6 when Network Interfaces is set to “All” #13851

  • Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867

  • Changed: Update Unbound to 1.17.1 #13893

  • Fixed: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR #14056

  • Fixed: Setting system DNS servers can incorrectly modify routes for interface addresses #14288

  • Fixed: Discrepancy in “TTL for Host Cache Entries” Description #14358


  • Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253

  • Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714

  • Fixed: Uptime displays plural seconds for multiple minutes in the System Information Dashboard widget #14176

  • Added: Support for Intel PCH temperature values in thermal sensors #14255


  • Fixed: diag_pftop.php does not fully encode output #12915

  • Fixed: File browser on diag_edit.php does not encode filenames before display #13262

  • Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318

  • Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426

  • Changed: Add multicast group membership (ifmcstat) to status.php #13731

  • Changed: Add more disk information to status output #14103

Dynamic DNS

  • Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590

  • Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672

  • Added: IPv6 support for DNSimple Dynamic DNS #12744

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750

  • Added: Support wildcard Dynamic DNS records on DigitalOcean #12752

  • Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

  • Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167

  • Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298

  • Fixed: DNSExit Dynamic DNS updates no longer work #13303

  • Changed: Improve DynDNS help text readability #14186


  • Fixed: Resolve interval for filterdns may not match the configured value #13067


  • Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080

  • Fixed: CVE-2022-23093 / #13716

  • Changed: Update Time Zone data to 2023c or later #14209

Gateway Monitoring

  • Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633

  • Added: Option to disable auto-addition of static routes for dpinger #12687

  • Changed: Update dpinger to 3.2 #12881

  • Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076

  • Fixed: Incorrect function parameters for get_dpinger_status() call in #13295


  • Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692

  • Fixed: IPv6 link local gateway default status not indicated in GUI #11764

  • Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it not including interface scope properly #12721

  • Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

  • Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

  • Fixed: Gateway popup in firewall rule list does not indicate current gateway status #14327

Hardware / Drivers

  • Added: Chelsio TOE support using the t4_tom module #9091

  • Fixed: Intel e1000 driver (em, igb) cannot pass packets tagged with VLAN 0 #12821

  • Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

  • Fixed: Malicious Driver Detection event on ixl(4) driver #13003

  • Fixed: UDP checksum errors with ixgbe interfaces #13883

High Availability

  • Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy

  • Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609


  • Added: Option to choose default tab in IPsec status Dashboard widget #2456

  • Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226

  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: Disallow remote gateway of for VTI mode #12723

  • Fixed: VTI gateway status stuck as “pending” after reboot #12763

  • Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953

  • Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975

  • Fixed: Deadlock in Charon VICI interface #13014

  • Added: GUI option for IPsec dns-interval setting #13057

  • Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071

  • Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131

  • Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373

  • Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398

  • Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579

  • Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647

  • Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

  • Fixed: Reassembled packets received on a VTI are not forwarded #14396


  • Fixed: Support encrypted config.xml files when restoring during install #12691

  • Added: Recover existing SSH keys during installation #12809


  • Added: Show SFP module details on status_interfaces.php #8861

  • Added: Improved support for USB interfaces that may not always be present #9393

  • Fixed: Primary interface address is not always used when VIPs are present #11545

  • Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629

  • Added: Support for VLAN 0 #12070

  • Fixed: devd is not configured to act on USB interface attach/detach events #12606

  • Changed: Restart services on interface changes #12619

  • Fixed: Interface status “Total Interrupts” display is non-functional #12735

  • Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780

  • Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790

  • Fixed: Link-local address does not reset after removing MAC address spoofing #12794

  • Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866

  • Fixed: The ruleset is not regenerated after assigning an interface #12949

  • Fixed: Bridges with QinQ interfaces not properly set up at boot #13225

  • Changed: Start rtsold immediately after dhcp6c sends a request #13492

  • Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493

  • Changed: Clean up obsolete code in pfSense-dhclient-script #13501

  • Fixed: DHCP client can fail permanently if an interface is down at boot #13671

  • Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

  • Changed: Trim blank characters from static IP address fields on the Interface configuration page #13959

  • Fixed: Bridge interface is not properly validated when submitted on interfaces_bridge_edit.php #14052


  • Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066

  • Fixed: L2TP stays bound to previous IP address after static IP address change #13082

  • Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099

LAGG Interfaces

  • Added: GUI option to configure layers for LACP hash #12819


  • Added: Option to control log level of authentication messages in system logs (“Emergency” vs “Notice” level) #12464


  • Fixed: Slack notification options only allow - as a special character in channel names #13083

  • Fixed: Identical SMTP notifications repeat in an infinite loop under certain conditions #14031

  • Fixed: Notices incorrectly set system LEDs on hardware with less than three LEDs #14482


  • Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416

  • Fixed: OpenVPN stays bound to previous IP address after interface changes #11864

  • Added: OpenVPN option to limit concurrent connections per user #12267

  • Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332

  • Added: Use deferred client connections in OpenVPN #12407

  • Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628

  • Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771

  • Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817

  • Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884

  • Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887

  • Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925

  • Changed: Warn about OpenVPN shared key deprecation #12981

  • Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056

  • Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061

  • Fixed: OpenVPN Client Overrides: properly hide/show form fields #13088

  • Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116

  • Changed: OpenVPN status page improvements #13129

  • Fixed: OpenVPN client-connect file contains topology #13133

  • Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145

  • Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

  • Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274

  • Changed: Update OpenVPN Wizard to match current certificate and OpenVPN options #14183

  • Changed: Remove deprecated NCP enable/disable toggle from OpenVPN #14201

Operating System

  • Fixed: pf hostid value is handled inconsistently #12703

  • Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862

  • Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

  • Changed: Update memory graphs to account for changes in memory reporting #14011

  • Fixed: Netlink debug messages from IPsec #14370

  • Added: wpa_supplicant: add VLAN 0 support #14457

PHP Interpreter

  • Added: Upgrade PHP from 7.4 to 8.1 #13446

  • Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

  • Changed: Update PHP to 8.2.6 #14027

PPP Interfaces

  • Fixed: Services are not restarted when PPP interfaces connect #12811

  • Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

  • Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

  • Fixed: IPv6 does not work on secondary PPPoE WAN #13939

PPPoE Server

  • Fixed: PPPoE server panics with multiple client connections #13210

Package System

  • Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

  • Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766

  • Fixed: write_rcfile() does not create rc_restart() entry #13004

  • Added: Package plugin hook for web server configuration stanzas #13054

Packet Capture

  • Added: Button to clear previous packet capture data #12968

  • Added: Packet Capture GUI with granular control #13382


  • Added: Enable ROUTE_MPATH multipath routing #9544

  • Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536

  • Fixed: Cannot remove IPv6 static routes #12728

  • Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route #13048

Rules / NAT

  • Added: Toggle button to disable/enable multiple firewall rules #2505

  • Added: Port forward NAT rules with “any” protocol #4259

  • Added: Allow NPt to use dynamic IPv6 networks #4881

  • Added: Button to copy rules from one interface to another #8365

  • Fixed: Rule separator positions change when deleting multiple rules #9887

  • Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984

  • Added: Utilize new pfctl abilities to kill states #12092

  • Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319

  • Added: Allow the selection of “any” interface in floating rules #12392

  • Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678

  • Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792

  • Fixed: Error loading ruleset due to illegal TOS value #12803

  • Fixed: High latency and packet loss during a filter reload #12827

  • Fixed: On startup “No routing address with matching address” might appear #12847

  • Added: Toggle button to disable/enable multiple entries on NAT pages #12879

  • Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957

  • Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012

  • Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015

  • Fixed: Input validation requires a gateway for floating match out rules #13027

  • Fixed: Empty negate_networks table breaks policy routing rules #13049

  • Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055

  • Added: Allow auto prefix with manual prefix-length in NPt #13070

  • Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164

  • Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171

  • Fixed: Incorrect usage of DSCP hex value #13178

  • Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420

  • Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445

  • Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505

  • Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545

  • Fixed: The “Kill States” button does not work consistently #14091

  • Changed: Match upstream changes in PF syntax to disable fragment disassembly #14098

  • Fixed: Associated firewall rule for NAT port forward does not inherit nosync property, gets synchronized #14335

  • Fixed: Default tab on firewall_rules.php is not selected if the configuration has no WAN interface #14345

  • Fixed: Outbound NAT rule input validation error when attempting to manually specify “Other Subnet” with a valid address #14354

  • Fixed: Enable IPv6 over IPv4 tunneling option results in invalid PF rule #14415


  • Fixed: SNMP daemon is restarted during every rc.newwanip event #12611


  • Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775

Setup Wizard

  • Changed: Update firewall host and domain fields in the Setup Wizard to match the description and warning text from system.php #14250

System Logs

  • Fixed: Firewall log parser does not handle SCTP log entries #13940

Traffic Shaper (ALTQ)

  • Changed: Remove code references to unused reset parameter from traffic shaper pages #13042

  • Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304

  • Added: Include ixv in ALTQ capable NIC list #14408

Traffic Shaper (Limiters)

  • Fixed: Incorrect ICMP reply when using limiters #9263

  • Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003

  • Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579

  • Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

  • Fixed: Traffic shaped by limiters is dropped when routed to a GIF gateway #14055

Traffic Shaper Wizards

  • Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937


  • Fixed: Polish translation contains an invalid sprintf() format in the text for firewall_nat_out_edit.php #13946


  • Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

  • Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port #7727

  • Changed: Reorganize UPnP options #12624

  • Changed: Update miniupnpd to 2.3.3 #14307


  • Fixed: Many exec() functions do not use full path to executable files #11941

  • Fixed: URL scheme is not properly validated in some cases #14356


  • Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

  • Fixed: pfSense-boot can fail to copy the EFI bootloader #14045

User Manager / Privileges

  • Added: Support for RADIUS authentication over IPv6 #4154

  • Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Virtual IP Addresses

  • Fixed: Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active #13908

Web Interface

  • Fixed: Unnecessary link tag in login page #7996

  • Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730

  • Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141

  • Changed: GUI pages should use POST for AJAX calls, not GET #12431

  • Fixed: Zero-value prefix IPv6 addresses are mishandled #12440

  • Added: Option to filter state table contents by rule ID #12616

  • Fixed: Changing RAM disk size does not prompt to reboot #12876

  • Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960

  • Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069

  • Added: Trim whitespace from MAC addresses in user input #13109

  • Changed: Spelling and typo corrections #13357

  • Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390

  • Fixed: Input validation on uses incorrect variable references for some fields #13436

  • Changed: Update external HTTPS/HTTP links #13440

  • Fixed: Table row selection has poor contrast in Dark theme #13448

  • Added: Support for iwlwifi wireless interfaces #14050


  • Fixed: Wireless interface WPA configuration fields are always visible #12998

  • Fixed: Duplicate wireless interfaces are created at boot #12999


  • Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940

  • Fixed: Filter/NAT rules configured with “No XMLRPC Sync” enabled are still synchronized #14316