pfSense CE

Changes in this version of pfSense CE software.

Aliases / Tables

  • Fixed: Firewall rules fail to load when a URL table alias file does not exist #13068

  • Added: Type column on Alias lists #13245

  • Fixed: Static ARP entries are not configured at boot #14374

  • Fixed: Firewall rules are not displayed properly when they reference a URL table alias and its file does not exist #14574


  • Added: Option to invalidate GUI login session if the client address changes #14265

Backup / Restore

  • Changed: Increase timeout for password entry when restoring an encrypted configuration via ECL #14769


  • Added: Prevent CARP status/maintenance mode from being erroneously toggled #13804

  • Fixed: IPsec restart in CARP event scripts does not check VIP properly and never runs #14738

Captive Portal

  • Fixed: Captive Portal incorrectly allows leading zeroes on voucher roll numbers #14325

  • Fixed: Link to view Captive Portal custom HTML page content does not work #14598


  • Fixed: Cannot validate Certificates against Certificate Revocation Lists for Intermediate Certificate Authorities #9889

  • Added: Improve System menu behavior for Certificate Manager privileges #14347

  • Fixed: CA and Certificate renewal page does not properly list some SHA1 certificates as being weak #14678

Console Menu

  • Fixed: PHP shell script pfanchordrill shows duplicate anchor content #14637


  • Added: Introduce Kea DHCP as an alternative DHCP server for IPv4 and IPv6 #6960

DNS Resolver

  • Added: Unbound Advanced Settings entry for sock-queue-timeout #14731

  • Changed: Update Unbound to 1.18.0_1 to address looping UDP retries when ENOBUFS is returned #14980


  • Fixed: System Information widget does not properly form list of active hardware crypto algorithms #14417

  • Fixed: Gateway widget tooltip incorrectly indicates some gateways as being default #14542


  • Fixed: diag_edit.php warning is not cleared after picking non-directory to load #7589

  • Changed: Combining Interface and Rule ID state table filter fields returns no results #14399

  • Fixed: Improve error handling in status.php #14513

  • Added: Status output plugin hook for packages to include their own data #14777

Dynamic DNS

  • Added: Include hostname being updated in Dynamic DNS notifications #9504

  • Added: Dynamic DNS support for Porkbun #14402

  • Fixed: PHP error with Dynamic DNS provider #14649

  • Fixed: List of Dynamic DNS types with split host+domain name is missing several providers #14783

  • Fixed: Correct name of Gandi LiveDNS #14784

  • Fixed: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses link #14829


  • Fixed: Misleading error message when adding/editing static routes which use a gateway on a disabled interface #8846

  • Fixed: Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups #14524

  • Fixed: A default route can remain after setting the default gateway to None #14717

Hardware / Drivers

  • Fixed: Unnecessary delay when querying ixgbe(4) interfaces with SFP ports #13911

  • Added: Options to control Intel Speed Shift #14047

  • Fixed: Cavium qlnxe / if_qlnxe driver is not present #14534

  • Fixed: bnxt(4) driver errors #14569

  • Added: QAT 200xx devices are not recognized as supported #14844

IGMP Proxy

  • Fixed: Input validation error when saving IGMP Proxy settings #14301

  • Fixed: IGMP Proxy cannot start on VirtIO (vtnet) interfaces #14665


  • Changed: Clarify that the IPsec keep alive check option ignores Child SA Start Action #12762

  • Fixed: PHP error in status_ipsec.php after removing active IPsec tunnel configuration #14525

  • Fixed: Multi-WAN IPsec does not fail over when preferred WAN loses link #14626

  • Added: Show IPsec phase 1 authentication type in Mode column of tunnel list #14726

  • Fixed: IPsec rejects certificate without any SANs #14831

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: IPv6 neighbor discovery protocol (NDP) fails in some cases #13423


  • Fixed: GIF-based interface MTU is assigned to parent interface on boot when parent interface is a LAGG #13218

  • Fixed: Cannot add a QinQ interface to a bridge #14377

  • Fixed: find_interface_ipv6_ll() can return a VIP instead of the interface address #14392

  • Fixed: Interface value is not properly validated when submitted on interfaces_gif_edit.php and interfaces_gre_edit.php #14549

  • Fixed: Primary interface address is incorrectly set to the last address on the interface #14623

  • Fixed: Link loss causes interfaces configured as Track Interface for IPv6 to lose their IPv4 addresses #14756

  • Changed: Eliminate direct config access in interfaces.php #14790


  • Fixed: Log rotation is not active if the configuration contains an empty <syslog> section or if that section is not present #14517

  • Fixed: Per-log settings for file size and retention count are not honored #14545

  • Added: Improve SCTP support in filterlog #14667


  • Added: Allow SMTP notifications from non-root processes #14337

  • Fixed: PHP error when failing to write config.cache #14432


  • Fixed: OpenVPN can select the wrong interface IP address when multiple addresses are present #14646

  • Changed: Prevent weak SHA1 certificates from being used with OpenVPN clients and servers #14677

  • Changed: Check for deprecated OpenVPN encryption and digest options on upgrade #14686

  • Changed: Update OpenVPN to 2.6.7 #14985

Operating System

  • Added: Method for users to customize shell initialization behavior #14746

  • Changed: Automatically configure PF states hash table size #14750

  • Fixed: Panic when pfsync attempts to synchronize states between hosts with different rulesets #14804

PHP Interpreter

  • Added: Option to configure a custom value for the PHP memory limit #13377

PPP Interfaces

  • Fixed: PPP interface default username/password are not being populated from provider data on interfaces.php and interfaces_ppps_edit.php #14544

  • Fixed: getserviceproviders.php does not always validate value of $connection, displays without encoding #14547

PPPoE Server

  • Fixed: PPPoE Server address input validation is incorrectly allowing IPv6 #13903

Packet Capture

  • Added: Change default match modifier from “all of” to “any of” #14650

  • Fixed: packet_capture.php uses count and length values in command execution without validation or encoding #14809

Rules / NAT

  • Added: Support interface macros in Outbound NAT rules #3288

  • Fixed: Negating <interface> net when a VIP exists on the interface results in unintended behavior #6799

  • Added: Option to wait for interface selection before displaying firewall rules #13124

  • Added: Support interface groups in firewall rule source/destination fields #14448

  • Fixed: “Convert interface definitions” option is not respected when bulk copying rules #14576

  • Fixed: Rule separators are ordered incorrectly after removing rules in certain positions #14619

  • Fixed: Rule separators are hidden when their index is greater than the number of rules #14621

  • Added: Extend support for SCTP in firewall and NAT rules #14640

  • Fixed: Separators get shifted when copying firewall rules between interfaces #14691

  • Fixed: ctype_digit() returns unexpected result for values <= 255 which can break some validation functions/usages #14702

System Logs

  • Fixed: status_logs_filter_dynamic.php does not encode value of interfacefilter in raw mode #14548

Traffic Graphs

  • Fixed: PHP Error when viewing Traffic Graphs in iftop mode #14500

  • Fixed: Traffic graph filters apply incorrectly #14892

Traffic Shaper (ALTQ)

  • Fixed: Kernel panic when using traffic shaping on a PPPoE interface #14497


  • Fixed: Some functions fail if the Language does not exactly match an available Locale #13776


  • Fixed: Remove broken from UPnP STUN server list #14673


  • Fixed: Update check in GUI does not always honor the configured proxy settings #14609

User Manager / Privileges

  • Fixed: Copy function for User Manager Groups does not work for first group in list #14695

Web Interface

  • Fixed: Refactor IPsec code using config access functions #13704

  • Fixed: PHP error in CSRF Magic from invalid time value #14394

  • Fixed: Breadcrumb path missing on system_register.php #14462

  • Changed: Prevent weak SHA1 certificates from being used with GUI and Captive Portal #14672

  • Fixed: status_carp.php and diag_dump_states.php unresponsive with large state tables #14758

  • Fixed: Logo text is partially rendered when using Compact-RED theme on CE #14807

  • Fixed: GUI TCP port is not updated in the configuration when saving with the field empty to remove an existing value #14820


  • Fixed: PHP error in handle_wireless_post() when toggling some wireless interface options #14579