pfSense CE
Changes in this version of pfSense CE software.
Aliases / Tables
Authentication
Auto Configuration Backup
Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249
Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224
Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711
Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718
Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010
Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011
Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012
Changed: AutoConfigBackup code cleanup and GUI refresh #16013
Added: Download function for AutoConfigBackup entries #16014
Added: Method to change the AutoConfigBackup device key #16015
Backup / Restore
Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728
Fixed: DHCP leases may not be restored from older configuration backups #15076
Fixed: PHP error when generating a notification after detecting a malformed configuration #15157
Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624
CARP
Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026
Captive Portal
Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226
Added: Support using a mask to block MAC addresses in Captive Portal #15257
Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299
Fixed: Captive Portal logo fails to load after authenticated redirect #15404
Fixed: Captive Portal zones can fail to start due to ID conflict #15772
Fixed: PHP error in Captive Portal with undefined zone interface list #15907
Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030
Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032
Certificates
Configuration Backend
Fixed: System proxy credentials with certain characters may fail to authenticate #15565
DHCP (IPv4)
Added: Settings tab for global Kea DHCP server options #5080
Added: Better handling of duplicate IP addresses in static DHCP assignments #13256
Changed: Reduce log spam when deleting a static DHCP entry #13263
Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894
Fixed: Kea fails to restart due to race between process termination and startup #14977
Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991
Fixed: Kea DHCP PHP error from WINS server value #14996
Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032
Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130
Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321
Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328
Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332
Added: Kea High Availability Support (IPv4 and IPv6) #15575
Added: Kea DNS Resolver (Unbound) Integration (IPv4 and IPv6) #15651
Added: Kea Static ARP Support (IPv4 only) #15654
Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702
Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828
Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019
DHCP (IPv6)
Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947
Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117
Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118
Added: Kea DHCPv6 Prefix Delegation Support (IPv6 Only) #15652
DNS Forwarder
DNS Resolver
Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942
Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071
Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135
Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139
Changed: Update Unbound to 1.22.0 #15483
Fixed: Automatic EDNS value may be lower than expected #15704
Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722
Fixed: unbound-checkconf fails with python mode enabled #15723
Dashboard
Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673
Added: Improve Thermal Sensors Dashboard widget readability #13520
Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933
Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373
Added: Show current boot method in System Information Dashboard widget #15422
Fixed: Incorrect icon on collapsed dashboard widgets #15439
Fixed: Dashboard widgets refresh at unintended intervals #15725
Changed: Improve Thermal Sensors Dashboard widget refresh code #15728
Fixed: Session cookie warnings #15729
Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767
Changed: Improve the system load impact from Dashboard widgets #15969
Diagnostics
Added: Add Kea information to status.php #14953
Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162
Fixed: crash_reporter.php displays PHP Error log without encoding #15264
Added: Add EFI boot information to status.php #15297
Added: Add loader.conf.lua contents to status.php #15298
Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310
Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490
Fixed: File browser on diag_edit.php does not encode directory names before display #15525
Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657
Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005
Fixed: Cannot kill states using the post-NAT address #16047
Dynamic DNS
Added: Enable @ support for Azure in Dynamic DNS #10000
Added: Improve Dynamic DNS client IPv6 support #11177
Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067
Added: Enable @ support for name.com in Dynamic DNS #14289
Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605
Changed: Update Gandi LiveDNS service with API changes #15258
Changed: Update Dynamic DNS API URL for porkbun.com #15779
Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802
Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028
Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046
FreeBSD
Fixed: Kernel panic in HA nodes when under high load #15413
Gateway Monitoring
Gateways
Fixed: Killing states on downed gateways breaks when “Skip rules when gateway is down” is enabled #15223
Fixed: Killing states on downed gateways breaks for static interface configurations #15225
Fixed: Removing a gateway group used as the default gateway results in no default route #15248
Changed: Clarify descriptions for gateway recovery options #15429
Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589
Fixed: No default route after boot #15791
Hardware / Drivers
High Availability
Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795
IGMP Proxy
IPsec
Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312
Fixed: Large number of IPsec tunnels causes long filter reload times #14893
Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124
Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147
Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171
Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176
Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245
Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384
Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598
Fixed: Mobile IPsec does not automatically switch to failover gateway #15685
Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755
Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095
IPv6 Router Advertisements (radvd/rtsold)
Fixed: Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD #12581
Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938
Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936
Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967
Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057
Added: PREF64 support in Router Advertisements #15808
Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876
Installer
Interfaces
Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083
Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431
Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181
Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423
Added: Use natural sorting when sorting interfaces #15437
Fixed: OpenVPN QinQ interface creation fails #15692
Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778
Fixed: Config access error with null static routes #16104
Fixed: Config access error after changing an interface from DHCP to Static #16105
LAGG Interfaces
Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453
Logging
Multi-WAN
Added: Ability to selectively kill states on gateway recovery #855
NTPD
Added: NTP authentication support #8794
OpenVPN
Added: More GUI options for OpenVPN Client-Specific Overrides #12522
Added: OpenVPN NBDD server options #13085
Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087
Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089
Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090
Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386
Fixed: OpenVPN forms invalid route statements for empty local networks #14919
Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133
Fixed: OpenVPN Wizard fails when a VIP is used #15148
Changed: Remove deprecated OpenVPN hardware crypto engine option #15188
Operating System
Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980
Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648
Fixed: Static ARP assignments lose permanent flag in ARP table #14970
Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054
Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108
Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288
Fixed: Proxy variables in crontab contents are improperly formatted #15502
Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777
Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081
PHP Interpreter
Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268
Fixed: Extensions directory is not set in rc.php_ini_setup #14488
Changed: Update PHP to 8.3.x #15053
Fixed: check_dnsavailable() failing even when DNS is available #15127
Fixed: PHP error display formatting issues #15263
Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471
PPP Interfaces
Package System
Added: Allow overriding text scrolling during package install/uninstall #15022
Fixed: Extra space in pkg configuration file FreeBSD.conf #15069
Fixed: Updates fail against an authenticated upstream proxy #15094
Fixed: Package navigation menus can be duplicated when reinstalling the package #15700
Fixed: The package post-install script does not run with a system upgrade on ZFS #16057
Changed: pkg no longer supports setting ALTABI manually at run-time #16060
Packet Capture
Routing
Rules / NAT
Added: NAT64 support #2358
Added: Kill states using the pre-NAT address #11556
Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173
Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183
Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197
Fixed: Advanced rule options tooltip does not show negated Tag option #15214
Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234
Fixed: Egress states remain when killing states for scheduled rules #15252
Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430
Fixed: Per-rule byte counter values lost across a filter reload #15516
Fixed: Separator positions are incorrect when copying interface group rules #15537
Added: GUI options to change default SCTP state timeouts #15661
Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671
Fixed: SCTP states not purged causing subsequent SCTP INIT to be blocked #15924
Fixed: Incorrect rule may be opened for editing after rule order has changed #15935
Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076
Fixed: Input validation prevents creating port forwards for the same port using a different address family #16130
S.M.A.R.T.
Changed: Query for SMART data only on root disk devices #15586
SNMP
Fixed: File descriptor leak in bsnmpd #15481
Services
Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552
Setup Wizard
Changed: Error handling in the Setup Wizard is very user-unfriendly #15302
System Logs
Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092
Traffic Shaper (Limiters)
Fixed: Input validation error when applying limiter changes #13158
Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662
Fixed: Cannot add limiters named new #13687
Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854
Fixed: Fragmented packets delayed by limiters are lost #15156
Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363
Fixed: PHP error when a queue is added with the same name as a limiter #15914
UPnP IGD & PCP
Upgrade
User Manager / Privileges
Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442
Fixed: PHP error when a user is denied access to the dashboard #15873
Fixed: Users with Deny Config Write privilege can trigger logging operations #15874
Fixed: Users with Deny Config Write privilege can change their own password #15908
Virtual IP Addresses
Web Interface
Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943
Added: Custom message text for the login screen #9293
Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413
Changed: Update vendor files #13537
Fixed: status_interfaces.php is missing several values for SFP modules #15112
Changed: Remove jquery-treegrid unit testing files #15265
Added: 50x and 404 error handling to GUI web server configuration #15322
Changed: Remove deprecated HTTP/1.0 Pragma header #15781
Changed: Use minified nvd3 vendor files #15782
Changed: Update nginx HTTP2 syntax #15863
Fixed: Incorrect color in button text within disabled rows #15977