pfSense Plus

Aliases / Tables

  • Fixed: Error loading rules when URL Table Ports content is empty #4893

  • Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818

  • Fixed: Unable to create nested URL aliases #11863

  • Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124

  • Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177


  • Changed: Use SHA-512 for user password hashes #10298

Backup / Restore

  • Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909

  • Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946

  • Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247

Build / Release

  • Changed: Remove deprecated libzmq code and references #12060


  • Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727

  • Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202

  • Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227

Captive Portal

  • Fixed: Vouchers may expire too early when using RAM disks #11894

  • Fixed: Incorrect variable substitution in captive portal error page #11902

  • Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138


  • Fixed: Certificate Revocation tab does not list active users of CRL entries #11831

  • Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922

  • Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034

  • Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Console Menu

  • Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581


  • Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659

  • Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905

  • Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216


  • Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277

DHCP Relay

  • Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

DNS Resolver

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274


  • Fixed: System Information widget unnecessarily polls data for hidden items #12241

  • Fixed: IPsec widget generates errors if no tunnels are defined #12337

  • Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349


  • Fixed: State table content on diag_dump_states.php does not sort properly #11852

  • Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983

  • Fixed: “GoTo line #” function does not work on diag_edit.php #12050

  • Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256

  • Added: Include firewall rules from packages which failed to load in status output #12269

Dynamic DNS

  • Added: Option to set interval of forced Dynamic DNS updates #9092

  • Added: Support DNS Made Easy authentication without a username #9341

  • Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816

  • Added: New Dynamic DNS Provider: Strato #11978

  • Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007

  • Fixed: incorrectly encodes Dynamic DNS update credentials #12021

  • Added: New Dynamic DNS Provider: deSEC #12086

  • Added: Support Check IP services which return bare IP address values #12194

  • Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331


  • Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653

  • Changed: Upgrade to pkg 1.17.x #12171


  • Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

High Availability

  • Fixed: Incorrect RADVD log message on HA event #11966


  • Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275

  • Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801

  • Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447

  • Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552

  • Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891

  • Fixed: IPsec status tunnel descriptions are incorrect #11910

  • Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933

  • Fixed: IPsec status fails when many tunnels are connected #11951

  • Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

  • Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023

  • Fixed: Applying IPsec settings for many tunnels is slow or times out #12026

  • Fixed: Gateway alarm always triggers IPsec restart #12039

  • Changed: Improve IPsec identifier settings #12044

  • Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052

  • Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155

  • Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169

  • Added: Add connect/disconnect buttons to IPsec dashboard widget #12181

  • Fixed: IPsec status shows connect buttons while tunnel is connecting #12189

  • Fixed: IPsec writes CRL files when tunnel does not use certificates #12195

  • Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196

  • Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197

  • Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198

  • Fixed: Disabled IPsec VTI interfaces are always created #12212

  • Fixed: IPsec bypass rules display help text under each entry #12236

  • Fixed: IPsec phase 1 entry with as its remote gateway does not receive correct automatic firewall rules #12262

  • Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289

  • Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298

  • Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315

  • Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323

  • Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324

  • Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328

IPv6 Router Advertisements (RADVD)

  • Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159

  • Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173

  • Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280


  • Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507

  • Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337

  • Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662

  • Fixed: VLAN and QinQ edit pages allows selecting incompatible OpenVPN tun interfaces #11675

  • Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926

  • Added: VLAN list sorting #11968

  • Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002

  • Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049

  • Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170

  • Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252

  • Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253


  • Fixed: Kernel panic during L2TP retransmit #9058

  • Fixed: FQDN L2TP server address is only resolved at boot #12072


  • Fixed: Logging configuration added by a package is not removed on uninstall #11846

  • Fixed: Remote log server input validation allows invalid values #12000

  • Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011

  • Changed: Improve log settings help text for file size, compression, and retention count #12012

  • Added: Create a log entry when a configuration change occurs #12118


  • Added: Support SHA-256 hash NTP authentication #12213


  • Added: Option to suppress expiration notifications for revoked certificates #12109


  • Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668

  • Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684

  • Fixed: OpenVPN client certificate validation with OCSP always fails #11829

  • Added: Option to validate OpenVPN peer TLS certificate key usage #11865

  • Added: Log external IP address of OpenVPN clients on connect and disconnect #11935

  • Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938

  • Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999

  • Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020

  • Fixed: Incorrect OpenVPN Client Export help link #12022

  • Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076

  • Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102

  • Fixed: OpenVPN Wizard configuration missing recently added default values #12172

  • Fixed: OpenVPN does not clean up previous CA and CRL files #12192

  • Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218

  • Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219

  • Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223

  • Fixed: OpenVPN page allows to delete/disable instance with an assigned interface #12224

  • Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232

  • Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238

Operating System

  • Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985

  • Fixed: Update NGINX to address CVE-2021-23017 #12061

  • Added: Suppress kernel messages for lo0 configuration during boot #12094

  • Changed: Convert RAM disks to tmpfs #12145

PHP Interpreter

  • Fixed: PHP exits with signal 11 on SG-3100 when calling PCRE functions #11466

PPP Interfaces

  • Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

Package System

  • Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290

  • Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

RRD Graphs

  • Added: Graph for hardware temperature readings #9297

Rules / NAT

  • Added: IPv6 support in easyrule CLI script #11439

  • Fixed: NAT rule overlap detection is inconsistent #11734

  • Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923

  • Fixed: easyrule script does not function properly #12151

  • Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164

  • Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168

  • Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174

  • Fixed: VIP network addresses are not expanded on Port Forward rules #12233

  • Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272


  • Fixed: System attempts to stop inactive services at shutdown #12001

  • Fixed: System attempts to start inactive services at boot #12038

Traffic Shaper (ALTQ)

  • Fixed: Panic when using CBQ traffic shaping #11470


  • Added: UPnP/NAT-PMP STUN configuration options #10587


  • Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

User Manager / Privileges

  • Added: Copy button for group entries in the User Manager #12226

Web Interface

  • Changed: Update font formats to WOFF2 #11507

  • Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107

  • Changed: Convert help shortcut links to server-side redirects #12314


  • Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

  • Fixed: Interfaces page does not show Wireless EAP client options #12239


  • Added: XMLRPC synchronization for DHCP relay settings #11957

  • Changed: XMLRPC client improvements #12051

  • Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075