pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296
Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708
Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282
Added: Specify CA trust store location when downloading and validating URL alias content #13367
Fixed: Invalid alias name can still be used by code attempting to validate URL table content #13425
Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538
Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539
Authentication
Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626
Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356
Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561
Fixed: Extra remote address information can confuse sshguard #13574
Changed: Improve LDAP debugging #13718
Auto Configuration Backup
Backup / Restore
Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during restore #13132
Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289
Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861
Fixed: RRD restore process does not sanitize filenames from backup XML #13935
Build / Release
Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782
Captive Portal
Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148
Fixed: Voucher CSV output has leading space before voucher code #13272
Fixed: Error dummynet: bad switch 21! when using Captive Portal with Limiters #13290
Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323
Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391
Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396
Fixed: Captive Portal does not keep track of client data usage #13418
Fixed: All Captive Portal users are given the same limiter pipe pair #13488
Fixed: Captive Portal blocked MAC addresses are not blocked #13747
Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756
Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838
Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853
Certificates
Fixed: CA path is not defined when using curl in the shell #12737
Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257
Fixed: Input validation is not rejecting invalid description characters when editing a CA or Certificate #13387
Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424
Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437
Configuration Backend
Fixed: Input validation is checking RAM disk sizes when they are inactive #13479
DHCP (IPv4)
Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345
Changed: Clean up DHCP Server option language #13250
Added: Input validation for numbered DHCP options in static mappings #13584
Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748
DHCP (IPv6)
Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253
Fixed: Advanced DHCP6 client settings only work for a single interface #13462
Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594
Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633
DNS Forwarder
Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901
DNS Resolver
Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624
Fixed: Unbound crashes with signal 11 when reloading #11316
Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612
Fixed: DNS resolver does not update its configuration or reload during link down events #13254
Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393
Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453
Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867
Changed: Update Unbound to 1.17.1 #13893
Dashboard
Diagnostics
Fixed: File browser on diag_edit.php does not encode filenames before display #13262
Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318
Fixed: status.php uses <name> component of /tmp/rules.packages.<name> filenames in shell command without encoding #13426
Changed: Add multicast group membership (ifmcstat) to status.php #13731
Dynamic DNS
FilterDNS
Fixed: Resolve interval for filterdns may not match the configured value #13067
FreeBSD
Gateway Monitoring
Gateways
Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228
Hardware / Drivers
IPsec
Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373
Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398
Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579
Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647
Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648
Interfaces
Fixed: Primary interface address is not always used when VIPs are present #11545
Added: Support for VLAN 0 #12070
Fixed: Bridges with QinQ interfaces not properly set up at boot #13225
Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493
Changed: Clean up obsolete code in pfSense-dhclient-script #13501
Fixed: Assigned bridge interfaces are not configured at boot #13666
Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675
OpenVPN
Fixed: OpenVPN DCO panics with short UDP packets #13338
Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355
Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed #13358
Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649
Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30) #13664
Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243
Operating System
Fixed: Entries for net.link.ifqmaxlen duplicated in /boot/loader.conf #13280
Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316
Fixed: Memory leak in PF when retrieving Ethernet rules #13525
Changed: Update Python 3.9.15 to 3.9.16 in base system #13865
Changed: Add Python 3.11.1 to base system #13866
PHP Interpreter
PPP Interfaces
Routing
Added: Enable ROUTE_MPATH multipath routing #9544
Rules / NAT
Fixed: Rule separator positions change when deleting multiple rules #9887
Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry which contains a defined prefix length #13240
Fixed: The negate_networks table is duplicated in rules.debug #13308
Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when multiple choices are present #13310
Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to interface net #13364
Fixed: PF can fail to load a new ruleset #13408
Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420
Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445
Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505
Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507
Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545
Fixed: Error creating port forward rule with port alias #13601
Traffic Shaper (ALTQ)
Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304
UPnP/NAT-PMP
Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500
User Manager / Privileges
Fixed: RADIUS authentication not working over IPv6 #4154
Web Interface
Fixed: Unnecessary link tag in login page #7996
Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730
Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960
Changed: Spelling and typo corrections #13357
Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390
Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436
Changed: Update external HTTPS/HTTP links #13440
Fixed: Table row selection has poor contrast in Dark theme #13448
Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591