pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296

  • Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708

  • Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282

  • Added: Specify CA trust store location when downloading and validating URL alias content #13367

  • Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425

  • Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538

  • Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539


  • Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626

  • Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356

  • Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561

  • Fixed: Extra remote address information can confuse sshguard #13574

  • Changed: Improve LDAP debugging #13718

Auto Configuration Backup

  • Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266

  • Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

Backup / Restore

  • Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during restore #13132

  • Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289

  • Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861

  • Fixed: RRD restore process does not sanitize filenames from backup XML #13935

Build / Release

  • Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782

Captive Portal

  • Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148

  • Fixed: Voucher CSV output has leading space before voucher code #13272

  • Fixed: Error dummynet: bad switch 21! when using Captive Portal with Limiters #13290

  • Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323

  • Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391

  • Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396

  • Fixed: Captive Portal does not keep track of client data usage #13418

  • Fixed: All Captive Portal users are given the same limiter pipe pair #13488

  • Fixed: Captive Portal blocked MAC addresses are not blocked #13747

  • Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756

  • Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838

  • Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853


  • Fixed: CA path is not defined when using curl in the shell #12737

  • Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257

  • Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387

  • Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424

  • Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

Configuration Backend

  • Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Console Menu

  • Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632

  • Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258


  • Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345

  • Changed: Clean up DHCP Server option language #13250

  • Added: Input validation for numbered DHCP options in static mappings #13584

  • Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748


  • Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253

  • Fixed: Advanced DHCP6 client settings only work for a single interface #13462

  • Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594

  • Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

  • Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

DNS Resolver

  • Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624

  • Fixed: Unbound crashes with signal 11 when reloading #11316

  • Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612

  • Fixed: DNS resolver does not update its configuration or reload during link down events #13254

  • Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393

  • Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453

  • Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867

  • Changed: Update Unbound to 1.17.1 #13893


  • Fixed: QAT detection on dashboard is incorrect if the driver does not attach #13674

  • Fixed: APU1 hardware is not properly identified with current BIOS versions #13471


  • Fixed: File browser on diag_edit.php does not encode filenames before display #13262

  • Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318

  • Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426

  • Changed: Add multicast group membership (ifmcstat) to status.php #13731

Dynamic DNS

  • Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816

  • Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167

  • Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298

  • Fixed: DNSExit Dynamic DNS updates no longer work #13303


  • Fixed: Resolve interval for filterdns may not match the configured value #13067


  • Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080

  • Fixed: CVE-2022-23093 / #13716

Gateway Monitoring

  • Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076

  • Fixed: Incorrect function parameters for get_dpinger_status() call in #13295


  • Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

Hardware / Drivers

  • Fixed: Software VLAN tagging does not work on ixgbe(4) interfaces #13381

  • Fixed: Intel i226 network interfaces do not honor a manually selected link speed #13529

  • Fixed: UDP checksum errors with ixgbe interfaces #13883


  • Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645

  • Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373

  • Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398

  • Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579

  • Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647

  • Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648


  • Fixed: Primary interface address is not always used when VIPs are present #11545

  • Added: Support for VLAN 0 #12070

  • Fixed: Bridges with QinQ interfaces not properly set up at boot #13225

  • Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493

  • Changed: Clean up obsolete code in pfSense-dhclient-script #13501

  • Fixed: Assigned bridge interfaces are not configured at boot #13666

  • Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675


  • Fixed: OpenVPN DCO panics with short UDP packets #13338

  • Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355

  • Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed #13358

  • Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649

  • Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30) #13664

  • Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

Operating System

  • Fixed: Entries for duplicated in /boot/loader.conf #13280

  • Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316

  • Fixed: Memory leak in PF when retrieving Ethernet rules #13525

  • Changed: Update Python 3.9.15 to 3.9.16 in base system #13865

  • Changed: Add Python 3.11.1 to base system #13866

PHP Interpreter

  • Added: Upgrade PHP from 7.4 to 8.1 #13446

  • Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

PPP Interfaces

  • Fixed: Services are not restarted when PPP interfaces connect #12811

  • Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307


  • Added: Enable ROUTE_MPATH multipath routing #9544

Rules / NAT

  • Fixed: Rule separator positions change when deleting multiple rules #9887

  • Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry which contains a defined prefix length #13240

  • Fixed: The negate_networks table is duplicated in rules.debug #13308

  • Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when multiple choices are present #13310

  • Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to interface net #13364

  • Fixed: PF can fail to load a new ruleset #13408

  • Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420

  • Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445

  • Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505

  • Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507

  • Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545

  • Fixed: Error creating port forward rule with port alias #13601

Traffic Shaper (ALTQ)

  • Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304


  • Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

User Manager / Privileges

  • Fixed: RADIUS authentication not working over IPv6 #4154

Web Interface

  • Fixed: Unnecessary link tag in login page #7996

  • Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730

  • Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960

  • Changed: Spelling and typo corrections #13357

  • Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390

  • Fixed: Input validation on uses incorrect variable references for some fields #13436

  • Changed: Update external HTTPS/HTTP links #13440

  • Fixed: Table row selection has poor contrast in Dark theme #13448

  • Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591