pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727

  • Added: Retain descriptions when exporting and importing aliases #12842


  • Added: GUI option to select the user password hashing algorithm #12855

  • Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

Backup / Restore

  • Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556

  • Added: Support encrypted config.xml files when restoring via ECL #12685

  • Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724

  • Added: Ability to sort AutoConfigBackup entries #12773

  • Fixed: PHP error when upgrading from before configuration revision 21.6, ipsec_create_vtimap() is undefined #13097

  • Added: Option to restore dashboard widget layout #13125

  • Fixed: PHP error restoring DHCP lease data on fresh installation: #13157


  • Changed: Reorganize CARP status page #12701

  • Fixed: CARP event storm when leaving persistent CARP maintenance mode. #12961

Captive Portal

  • Fixed: Allowed IP/Hostname “Direction” option is never used #12649

  • Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651

  • Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733

  • Fixed: Only TCP traffic is passed outbound though IPFW #12834

  • Changed: Transition Captive Portal from IPFW to PF #13100


  • Added: Option to retain the existing serial number when renewing a CA or certificate #13010

Configuration Backend

  • Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675

  • Added: Eliminate duplicate shell commands from history file #12741

Configuration Upgrade

  • Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

Console Menu

  • Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103


  • Fixed: Disabling DHCP Server RRD statistics does not work #12710

  • Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892

  • Fixed: HTTPClient option does not work for static mappings #12896

  • Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923

  • Fixed: DHCP network boot filename can be incorrectly placed in DHCP Pool Options #12986

  • Added: Relax DHCP maximum lease time input validation #13118

  • Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127


  • Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880

  • Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527

  • Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582

  • Fixed: Uninitialized array in array_remove_duplicates() #12749

DNS Forwarder

  • Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902

  • Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

DNS Resolver

  • Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613

  • Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636

  • Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781

  • Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985

  • Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991

  • Added: DNS Resolver option to keep probing when servers are down #13023


  • Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253

  • Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714


  • Fixed: diag_pftop.php does not fully encode output #12915

Dynamic DNS

  • Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590

  • Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672

  • Added: IPv6 support for DNSimple Dynamic DNS #12744

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750

  • Added: Support wildcard Dynamic DNS records on DigitalOcean #12752

  • Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754

  • Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

Gateway Monitoring

  • Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633

  • Added: Option to disable auto-addition of static routes for dpinger #12687

  • Changed: Update dpinger to 3.2 #12881


  • Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692

  • Fixed: IPv6 link local gateway default status not indicated in GUI #11764

  • Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it not including interface scope properly #12721

  • Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

Hardware / Drivers

  • Added: Chelsio TOE support using the t4_tom module #9091

  • Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

High Availability

  • Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy

  • Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609


  • Added: Option to choose default tab in IPsec status Dashboard widget #2456

  • Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226

  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: Disallow remote gateway of for VTI mode #12723

  • Fixed: VTI gateway status stuck as “pending” after reboot #12763

  • Changed: Update strongSwan #12934

  • Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953

  • Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975

  • Added: GUI option for IPsec dns-interval setting #13057

  • Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071

  • Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131


  • Fixed: Support encrypted config.xml files when restoring during install #12691

  • Added: Recover existing SSH keys during installation #12809


  • Added: Show SFP module details on status_interfaces.php #8861

  • Added: Improved support for USB interfaces that may not always be present #9393

  • Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629

  • Fixed: devd is not configured to act on USB interface attach/detach events #12606

  • Changed: Restart services on interface changes #12619

  • Fixed: Interface status “Total Interrupts” display is non-functional #12735

  • Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780

  • Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790

  • Fixed: Link-local address does not reset after removing MAC address spoofing #12794

  • Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866

  • Fixed: The ruleset is not regenerated after assigning an interface #12949


  • Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066

  • Fixed: L2TP stays bound to previous IP address after static IP address change #13082

  • Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099

LAGG Interfaces

  • Added: GUI option to configure layers for LACP hash #12819


  • Fixed: Slack notification options only allow `` -`` as a special character in channel names #13083


  • Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416

  • Fixed: OpenVPN stays bound to previous IP address after interface changes #11864

  • Added: OpenVPN option to limit concurrent connections per user #12267

  • Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332

  • Added: Use deferred client connections in OpenVPN #12407

  • Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628

  • Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771

  • Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817

  • Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884

  • Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887

  • Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925

  • Changed: Warn about OpenVPN shared key deprecation #12981

  • Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056

  • Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061

  • Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116

  • Changed: OpenVPN status page improvements #13129

  • Fixed: OpenVPN client-connect file contains topology #13133

  • Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145

  • Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274

Operating System

  • Fixed: pf hostid value is handled inconsistently #12703

  • Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862

  • Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

PPP Interfaces

  • Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

PPPoE Server

  • Fixed: PPPoE server panics with multiple client connections #13210

Package System

  • Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105

  • Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766

  • Fixed: write_rcfile() does not create rc_restart() entry #13004

Packet Capture

  • Added: Button to clear previous packet capture data #12968


  • Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536

  • Fixed: Cannot remove IPv6 static routes #12728

  • Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route. #13048

Rules / NAT

  • Added: Toggle button to disable/enable multiple firewall rules #2505

  • Added: Port forward NAT rules with “any” protocol #4259

  • Added: Allow NPt to use dynamic IPv6 networks #4881

  • Added: Button to copy rules from one interface to another #8365

  • Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984

  • Added: Utilize new pfctl abilities to kill states #12092

  • Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319

  • Added: Allow the selection of “any” interface in floating rules #12392

  • Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678

  • Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792

  • Fixed: Error loading ruleset due to illegal TOS value #12803

  • Fixed: High latency and packet loss during a filter reload #12827

  • Fixed: On startup “No routing address with matching address” might appear #12847

  • Fixed: Some action buttons are always active for firewall rules, even if no rules are selected #12871

  • Added: Toggle button to disable/enable multiple entries on NAT pages #12879

  • Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957

  • Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012

  • Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015

  • Fixed: Input validation requires a gateway for floating match out rules #13027

  • Fixed: Empty negate_networks table breaks policy routing rules #13049

  • Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055

  • Added: Allow auto prefix with manual prefix-length in NPt #13070

  • Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164

  • Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171

  • Fixed: Incorrect usage of DSCP hex value #13178


  • Fixed: SNMP daemon is restarted during every rc.newwanip event #12611


  • Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775

  • Fixed: Stale sshdkeys.dirty lock file prevents generating SSH server keys #13139

Traffic Shaper (ALTQ)

  • Changed: Remove code references to unused reset parameter from traffic shaper pages #13042

Traffic Shaper (Limiters)

  • Fixed: Incorrect ICMP reply when using limiters #9263

  • Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003

  • Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579

  • Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

Traffic Shaper Wizards

  • Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937

  • Fixed: Traffic shaper wizard rewrites Mbits to Kbits #13086


  • Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port. #7727

  • Changed: Reorganize UPnP options #12624


  • Fixed: Many exec() functions do not use full path to executable files #11941


  • Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

User Manager / Privileges

  • Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Web Interface

  • Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141

  • Fixed: Zero-value prefix IPv6 addresses are mishandled #12440

  • Added: Option to filter state table contents by rule ID #12616

  • Fixed: Changing RAM disk size does not prompt to reboot #12876

  • Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069

  • Added: Trim whitespace from MAC addresses in user input #13109


  • Fixed: Wireless interface WPA configuration fields are always visible #12998

  • Fixed: Duplicate wireless interfaces are created at boot #12999


  • Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940