pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
Authentication
Backup / Restore
Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556
Added: Support encrypted config.xml files when restoring via ECL #12685
Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724
Added: Ability to sort AutoConfigBackup entries #12773
Fixed: PHP error when upgrading from before configuration revision 21.6, ipsec_create_vtimap() is undefined #13097
Added: Option to restore dashboard widget layout #13125
Fixed: PHP error restoring DHCP lease data on fresh installation: #13157
CARP
Captive Portal
Fixed: Allowed IP/Hostname “Direction” option is never used #12649
Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651
Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733
Fixed: Only TCP traffic is passed outbound through IPFW #12834
Changed: Transition Captive Portal from IPFW to PF #13100
Certificates
Added: Option to retain the existing serial number when renewing a CA or certificate #13010
Configuration Backend
Configuration Upgrade
Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973
DHCP (IPv4)
Fixed: Disabling DHCP Server RRD statistics does not work #12710
Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892
Fixed: HTTPClient option does not work for static mappings #12896
Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923
Fixed: DHCP network boot filename can be incorrectly placed in DHCP Pool Options #12986
Added: Relax DHCP maximum lease time input validation #13118
Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127
DHCP (IPv6)
Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880
Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527
Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582
Fixed: Uninitialized array in array_remove_duplicates() #12749
DNS Forwarder
DNS Resolver
Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613
Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636
Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781
Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985
Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991
Added: DNS Resolver option to keep probing when servers are down #13023
Dashboard
Diagnostics
Fixed: diag_pftop.php does not fully encode output #12915
Dynamic DNS
Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590
Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672
Added: IPv6 support for DNSimple Dynamic DNS #12744
Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750
Added: Support wildcard Dynamic DNS records on DigitalOcean #12752
Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754
Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761
Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870
Gateway Monitoring
Gateways
Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692
Fixed: IPv6 link local gateway default status not indicated in GUI #11764
Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it does not include interface scope properly #12721
Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931
Hardware / Drivers
High Availability
Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702
IGMP Proxy
Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609
IPsec
Added: Option to choose default tab in IPsec status Dashboard widget #2456
Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226
Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
Fixed: Disallow remote gateway of 0.0.0.0 for VTI mode #12723
Fixed: VTI gateway status stuck as “pending” after reboot #12763
Changed: Update strongSwan #12934
Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953
Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975
Added: GUI option for IPsec dns-interval setting #13057
Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071
Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131
Installer
Interfaces
Added: Show SFP module details on status_interfaces.php #8861
Added: Improved support for USB interfaces that may not always be present #9393
Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629
Fixed: devd is not configured to act on USB interface attach/detach events #12606
Changed: Restart services on interface changes #12619
Fixed: Interface status “Total Interrupts” display is non-functional #12735
Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780
Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790
Fixed: Link-local address does not reset after removing MAC address spoofing #12794
Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866
Fixed: The ruleset is not regenerated after assigning an interface #12949
L2TP
LAGG Interfaces
Added: GUI option to configure layers for LACP hash #12819
Notifications
Fixed: Slack notification options only allow ``-`` as a special character in channel names #13083
OpenVPN
Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416
Fixed: OpenVPN stays bound to previous IP address after interface changes #11864
Added: OpenVPN option to limit concurrent connections per user #12267
Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332
Added: Use deferred client connections in OpenVPN #12407
Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628
Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771
Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817
Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884
Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network “Bridge DHCP” disabled #12887
Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925
Changed: Warn about OpenVPN shared key deprecation #12981
Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056
Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061
Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116
Changed: OpenVPN status page improvements #13129
Fixed: OpenVPN client-connect file contains topology #13133
Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145
Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274
Operating System
PPP Interfaces
Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092
PPPoE Server
Fixed: PPPoE server panics with multiple client connections #13210
Package System
Packet Capture
Added: Button to clear previous packet capture data #12968
Routing
Rules / NAT
Added: Toggle button to disable/enable multiple firewall rules #2505
Added: Port forward NAT rules with “any” protocol #4259
Added: Allow NPt to use dynamic IPv6 networks #4881
Added: Button to copy rules from one interface to another #8365
Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984
Added: Utilize new pfctl abilities to kill states #12092
Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319
Added: Allow the selection of “any” interface in floating rules #12392
Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678
Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792
Fixed: Error loading ruleset due to illegal TOS value #12803
Fixed: High latency and packet loss during a filter reload #12827
Fixed: On startup “No routing address with matching address” might appear #12847
Fixed: Some action buttons are always active for firewall rules, even if no rules are selected #12871
Added: Toggle button to disable/enable multiple entries on NAT pages #12879
Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957
Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012
Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015
Fixed: Input validation requires a gateway for floating match out rules #13027
Fixed: Empty negate_networks table breaks policy routing rules #13049
Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055
Added: Allow auto prefix with manual prefix-length in NPt #13070
Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164
Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171
Fixed: Incorrect usage of DSCP hex value #13178
SNMP
Fixed: SNMP daemon is restarted during every rc.newwanip event #12611
Services
Traffic Shaper (ALTQ)
Changed: Remove code references to unused reset parameter from traffic shaper pages #13042
Traffic Shaper (Limiters)
Fixed: Incorrect ICMP reply when using limiters #9263
Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003
Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579
Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954
Traffic Shaper Wizards
UPnP/NAT-PMP
Unknown
Fixed: Many exec() functions do not use full path to executable files #11941
Upgrade
Fixed: Upgrade does not work when using only IPv6 DNS servers #13162
User Manager / Privileges
Fixed: Icon missing for user manager entries with a scope other than “user” #13174
Web Interface
Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141
Fixed: Zero-value prefix IPv6 addresses are mishandled #12440
Added: Option to filter state table contents by rule ID #12616
Fixed: Changing RAM disk size does not prompt to reboot #12876
Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069
Added: Trim whitespace from MAC addresses in user input #13109
Wireless
XMLRPC
Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940