pfSense CE

Changes in this version of pfSense CE software.

Aliases / Tables

  • Added: Allow user-defined rules to utilize built-in system aliases #1979

  • Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096

  • Added: System Aliases for various reserved networks #15776

  • Changed: Exclude the WireGuard and Tailscale interface group system aliases from rules #15848

Authentication

  • Fixed: PHP errors in LDAP server prevent it from falling back to Local Database #15122

  • Fixed: GUI logout messages do not use the auth log facility #15719

Auto Configuration Backup

  • Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249

  • Fixed: services_acb_settings.php does not fully validate value of frequency, uses value without encoding #15224

  • Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711

  • Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718

  • Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010

  • Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011

  • Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012

  • Changed: AutoConfigBackup code cleanup and GUI refresh #16013

  • Added: Download function for AutoConfigBackup entries #16014

  • Added: Method to change the AutoConfigBackup device key #16015

Backup / Restore

  • Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728

  • Fixed: DHCP leases may not be restored from older configuration backups #15076

  • Fixed: PHP error when generating a notification after detecting a malformed configuration #15157

  • Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624

CARP

  • Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026

Captive Portal

  • Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226

  • Added: Support using a mask to block MAC addresses in Captive Portal #15257

  • Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299

  • Fixed: Captive Portal logo fails to load after authenticated redirect #15404

  • Fixed: Captive Portal zones can fail to start due to ID conflict #15772

  • Fixed: PHP error in Captive Portal with undefined zone interface list #15907

  • Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030

  • Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032

Certificates

  • Fixed: Certificate Manager GUI inconsistency in Revocation tab titles #15454

  • Added: Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical #15818

  • Changed: Additional error handling for invalid certificate configuration #15975

Configuration Backend

  • Fixed: System proxy credentials with certain characters may fail to authenticate #15565

Console Menu

  • Changed: Dynamically adjust the interface name maximum width in the login banner #13268

  • Fixed: Declining to reset the admin account via the console menu still prompts to change the password #15751

DHCP (IPv4)

  • Added: Settings tab for global Kea DHCP server options #5080

  • Added: Better handling of duplicate IP addresses in static DHCP assignments #13256

  • Changed: Reduce log spam when deleting a static DHCP entry #13263

  • Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894

  • Fixed: Kea fails to restart due to race between process termination and startup #14977

  • Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991

  • Fixed: Kea DHCP PHP error from WINS server value #14996

  • Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032

  • Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130

  • Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321

  • Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328

  • Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332

  • Added: Kea High Availability Support (IPv4 and IPv6) #15575

  • Added: Kea DNS Resolver (Unbound) Integration (IPv4 and IPv6) #15651

  • Added: Kea Static ARP Support (IPv4 only) #15654

  • Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702

  • Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828

  • Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019

DHCP (IPv6)

  • Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947

  • Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117

  • Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118

  • Added: Kea DHCPv6 Prefix Delegation Support (IPv6 Only) #15652

DNS Forwarder

  • Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165

  • Fixed: DNS Forwarder ignores “Use remote DNS Servers, ignore local DNS” setting #15434

  • Changed: Update dnsmasq to version 2.90 #15465

DNS Resolver

  • Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942

  • Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071

  • Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135

  • Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139

  • Changed: Update Unbound to 1.22.0 #15483

  • Fixed: Automatic EDNS value may be lower than expected #15704

  • Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722

  • Fixed: unbound-checkconf fails with python mode enabled #15723

Dashboard

  • Fixed: Firewall Logs Dashboard Widget is slow and may fail to update #12673

  • Added: Improve Thermal Sensors Dashboard widget readability #13520

  • Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933

  • Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373

  • Added: Show current boot method in System Information Dashboard widget #15422

  • Fixed: Incorrect icon on collapsed dashboard widgets #15439

  • Fixed: Dashboard widgets refresh at unintended intervals #15725

  • Changed: Improve Thermal Sensors Dashboard widget refresh code #15728

  • Fixed: Session cookie warnings #15729

  • Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767

  • Changed: Improve the system load impact from Dashboard widgets #15969

Diagnostics

  • Added: Add Kea information to status.php #14953

  • Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162

  • Fixed: crash_reporter.php displays PHP Error log without encoding #15264

  • Added: Add EFI boot information to status.php #15297

  • Added: Add loader.conf.lua contents to status.php #15298

  • Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310

  • Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490

  • Fixed: File browser on diag_edit.php does not encode directory names before display #15525

  • Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657

  • Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005

  • Fixed: Cannot kill states using the post-NAT address #16047

Dynamic DNS

  • Added: Enable @ support for Azure in Dynamic DNS #10000

  • Added: Improve Dynamic DNS client IPv6 support #11177

  • Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067

  • Added: Enable @ support for name.com in Dynamic DNS #14289

  • Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605

  • Changed: Update Gandi LiveDNS service with API changes #15258

  • Changed: Update Dynamic DNS API URL for porkbun.com #15779

  • Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802

  • Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028

  • Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046

FreeBSD

  • Fixed: Kernel panic in HA nodes when under high load #15413

Gateway Monitoring

  • Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920

  • Fixed: Gateway monitoring includes disabled gateways #15635

  • Fixed: The monitoring IP address for dynamic gateways may be unexpectedly routed via a different gateway #16069

Gateways

  • Fixed: Killing states on downed gateways breaks when “Skip rules when gateway is down” is enabled #15223

  • Fixed: Killing states on downed gateways breaks for static interface configurations #15225

  • Fixed: Removing a gateway group used as the default gateway results in no default route #15248

  • Changed: Clarify descriptions for gateway recovery options #15429

  • Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589

  • Fixed: No default route after boot #15791

Hardware / Drivers

  • Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498

  • Added: Recognize QAT 4xxx devices in System Information Widget #15233

High Availability

  • Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795

IGMP Proxy

  • Fixed: IGMP proxy works intermittently #15043

  • Fixed: Kernel panic when IGMP proxy has a CIDR removed #15831

IPsec

  • Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312

  • Fixed: Large number of IPsec tunnels causes long filter reload times #14893

  • Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124

  • Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147

  • Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171

  • Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176

  • Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245

  • Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384

  • Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598

  • Fixed: Mobile IPsec does not automatically switch to failover gateway #15685

  • Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755

  • Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Non-link-local IPv6 CARP address does not get advertised to endpoints with radvd #12581

  • Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938

  • Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936

  • Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967

  • Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057

  • Added: PREF64 support in Router Advertisements #15808

  • Fixed: Router Advertisement daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876

Installer

  • Fixed: Clean installation using Auto (ZFS) + MBR (BIOS) does not boot #14930

  • Fixed: Installing to ZFS mirror does not format or populate EFI partition on additional disks #15083

Interfaces

  • Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083

  • Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431

  • Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181

  • Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423

  • Added: Use natural sorting when sorting interfaces #15437

  • Fixed: OpenVPN QinQ interface creation fails #15692

  • Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778

  • Fixed: Config access error with null static routes #16104

  • Fixed: Config access error after changing an interface from DHCP to Static #16105

LAGG Interfaces

  • Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453

Logging

  • Fixed: Restarting the logging daemon during rotation also restarts sshguard, leading to frequent log messages #12747

  • Changed: Remove Time column from OS Boot logs #15106

  • Added: Enhanced firewall log action information display #15415

  • Fixed: PHP error when saving System Log settings #15988

Multi-WAN

  • Added: Ability to selectively kill states on gateway recovery #855

NTPD

  • Added: NTP authentication support #8794

OpenVPN

  • Added: More GUI options for OpenVPN Client-Specific Overrides #12522

  • Added: OpenVPN NBDD server options #13085

  • Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087

  • Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089

  • Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090

  • Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386

  • Fixed: OpenVPN forms invalid route statements for empty local networks #14919

  • Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133

  • Fixed: OpenVPN Wizard fails when a VIP is used #15148

  • Changed: Remove deprecated OpenVPN hardware crypto engine option #15188

Operating System

  • Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980

  • Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648

  • Fixed: Static ARP assignments lose permanent flag in ARP table #14970

  • Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054

  • Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108

  • Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288

  • Fixed: Proxy variables in crontab contents are improperly formatted #15502

  • Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777

  • Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081

PHP Interpreter

  • Fixed: Cookie named “id” prevents some forms from being loaded or saved properly #11268

  • Fixed: Extensions directory is not set in rc.php_ini_setup #14488

  • Changed: Update PHP to 8.3.x #15053

  • Fixed: check_dnsavailable() failing even when DNS is available #15127

  • Fixed: PHP error display formatting issues #15263

  • Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471

PPP Interfaces

  • Fixed: PPPoE WAN loses IPv4 addresses on IPV6CP LayerDown events #16103

  • Added: Support if_pppoe backend for PPPoE WAN interfaces #16134

Package System

  • Added: Allow overriding text scrolling during package install/uninstall #15022

  • Fixed: Extra space in pkg configuration file FreeBSD.conf #15069

  • Fixed: Updates fail against an authenticated upstream proxy #15094

  • Fixed: Package navigation menus can be duplicated when reinstalling the package #15700

  • Fixed: The package post-install script does not run with a system upgrade on ZFS #16057

  • Changed: pkg no longer supports setting ALTABI manually at run-time #16060

Packet Capture

  • Fixed: Unable to perform Packet Captures on a tailscale interface in GUI with default settings #15145

  • Added: Allow filtering packet captures by system-defined protocols #15609

Routing

  • Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290

  • Fixed: IPsec VTI static routes may not be added after the system boots #15449

  • Fixed: Routes with an IPv6 address as the next hop for an IPv4 destination cause a kernel panic #15601

Rules / NAT

  • Added: NAT64 support #2358

  • Added: Kill states using the pre-NAT address #11556

  • Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173

  • Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183

  • Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197

  • Fixed: Advanced rule options tooltip does not show negated Tag option #15214

  • Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234

  • Fixed: Egress states remain when killing states for scheduled rules #15252

  • Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430

  • Fixed: Per-rule byte counter values lost across a filter reload #15516

  • Fixed: Separator positions are incorrect when copying interface group rules #15537

  • Added: GUI options to change default SCTP state timeouts #15661

  • Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671

  • Fixed: SCTP states not purged causing subsequent SCTP INIT to be blocked #15924

  • Fixed: Incorrect rule may be opened for editing after rule order has changed #15935

  • Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076

  • Fixed: Input validation prevents creating port forwards for the same port using a different address family #16130

S.M.A.R.T.

  • Changed: Query for SMART data only on root disk devices #15586

SNMP

  • Fixed: File descriptor leak in bsnmpd #15481

Services

  • Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552

Setup Wizard

  • Changed: Error handling in the Setup Wizard is very user-unfriendly #15302

System Logs

  • Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092

Traffic Shaper (Limiters)

  • Fixed: Input validation error when applying limiter changes #13158

  • Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662

  • Fixed: Cannot add limiters named “new” #13687

  • Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854

  • Fixed: Fragmented packets delayed by limiters are lost #15156

  • Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363

  • Fixed: PHP error when a queue is added with the same name as a limiter #15914

UPnP IGD & PCP

  • Fixed: Port forward rules created by miniupnpd do not expire #15470

  • Changed: Update UPnP IGD & PCP GUI text #15864

  • Changed: Make the UPnP IGD & PCP STUN port optional #15865

Upgrade

  • Fixed: Upgrading an EFI system installed to ZFS mirror does not upgrade EFI loader on additional disks #15084

  • Changed: Link to release information on the system update page #15953

  • Fixed: Boot loader is not upgraded on UFS installs #16064

User Manager / Privileges

  • Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282

  • Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318

  • Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442

  • Fixed: PHP error when a user is denied access to the dashboard #15873

  • Fixed: Users with Deny Config Write privilege can trigger logging operations #15874

  • Fixed: Users with Deny Config Write privilege can change their own password #15908

Virtual IP Addresses

  • Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929

  • Fixed: Network and broadcast address input validation is incorrectly applied to IPv6 VIPs #15361

Web Interface

  • Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943

  • Added: Custom message text for the login screen #9293

  • Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413

  • Changed: Update vendor files #13537

  • Fixed: status_interfaces.php is missing several values for SFP modules #15112

  • Changed: Remove jquery-treegrid unit testing files #15265

  • Added: 50x and 404 error handling to GUI web server configuration #15322

  • Changed: Remove deprecated HTTP/1.0 Pragma header #15781

  • Changed: Use minified nvd3 vendor files #15782

  • Changed: Update nginx HTTP2 syntax #15863

  • Fixed: Incorrect color in button text within disabled rows #15977

XMLRPC

  • Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067

  • Fixed: Changes to the admins user group are not synced to the secondary node #15898