pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Firewall rules fail to load when a URL table alias file does not exist #13068

  • Added: Type column on Alias lists #13245

  • Fixed: Static ARP entries are not configured at boot #14374

  • Fixed: Firewall rules are not displayed properly when they reference a URL table alias and its file does not exist #14574


  • Added: Option to invalidate GUI login session if the client address changes #14265

Backup / Restore

  • Changed: Increase timeout for password entry when restoring an encrypted configuration via ECL #14769


  • Added: Add unicast CARP indication and peer address to CARP status #14348

  • Fixed: Adding an IP Alias VIP using a unicast CARP VIP as its parent changes the CARP VIP to multicast at the OS level #14586

  • Added: Prevent CARP status/maintenance mode from being erroneously toggled #13804

  • Fixed: IPsec restart in CARP event scripts does not check VIP properly and never runs #14738

Captive Portal

  • Fixed: Captive Portal incorrectly allows leading zeroes on voucher roll numbers #14325

  • Fixed: Link to view Captive Portal custom HTML page content does not work #14598


  • Fixed: Cannot validate Certificates against Certificate Revocation Lists for Intermediate Certificate Authorities #9889

  • Added: Improve System menu behavior for Certificate Manager privileges #14347

  • Fixed: CA and Certificate renewal page does not properly list some SHA1 certificates as being weak #14678

Configuration Upgrade

  • Fixed: PHP Error in upgrade216_ipsec_create_vtimap() #14400

Console Menu

  • Fixed: Serial console output fails to render properly in certain cases on 4100, 6100, and 8200. #13455

  • Fixed: PHP shell script pfanchordrill shows duplicate anchor content #14637


  • Added: Introduce Kea DHCP as an alternative DHCP server for IPv4 and IPv6 #6960

DNS Resolver

  • Fixed: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR #14056

  • Added: Unbound Advanced Settings entry for sock-queue-timeout #14731

  • Changed: Update Unbound to 1.18.0 #14732


  • Fixed: System Information widget does not properly form list of active hardware crypto algorithms #14417

  • Fixed: Gateway widget tooltip incorrectly indicates some gateways as being default #14542


  • Fixed: diag_edit.php warning is not cleared after picking non-directory to load #7589

  • Changed: Combining Interface and Rule ID state table filter fields returns no results #14399

  • Fixed: Improve error handling in status.php #14513

  • Added: Status output plugin hook for packages to include their own data #14777

Dynamic DNS

  • Added: Include hostname being updated in Dynamic DNS notifications #9504

  • Added: Dynamic DNS support for Porkbun #14402

  • Fixed: PHP error with Dynamic DNS provider #14649

  • Fixed: List of Dynamic DNS types with split host+domain name is missing several providers #14783

  • Fixed: Correct name of Gandi LiveDNS #14784

  • Fixed: Multi-WAN Dynamic DNS does not fail over when preferred WAN loses link #14829


  • Fixed: Kernel textdumps are not recovered properly on systems with multiple swap partitions #14767


  • Fixed: Misleading error message when adding/editing static routes which use a gateway on a disabled interface #8846

  • Fixed: Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups #14524

  • Fixed: A default route can remain after setting the default gateway to None #14717

Hardware / Drivers

  • Fixed: Unnecessary delay when querying ixgbe(4) interfaces with SFP ports #13911

  • Added: Options to control Intel Speed Shift #14047

  • Fixed: Cavium qlnxe / if_qlnxe driver is not present #14534

  • Fixed: bnxt(4) driver errors #14569

  • Added: QAT 200xx devices are not recognized as supported #14844

IGMP Proxy

  • Fixed: Kernel panic when running IGMP Proxy: Sleeping thread owns a non-sleepable lock #12079

  • Fixed: Input validation error when saving IGMP Proxy settings #14301

  • Fixed: IGMP Proxy cannot start on VirtIO (vtnet) interfaces #14665


  • Changed: Clarify that the IPsec keep alive check option ignores Child SA Start Action #12762

  • Fixed: PHP error in status_ipsec.php after removing active IPsec tunnel configuration #14525

  • Fixed: Multi-WAN IPsec does not fail over when preferred WAN loses link #14626

  • Added: Show IPsec phase 1 authentication type in Mode column of tunnel list #14726

  • Fixed: IPsec rejects certificate without any SANs #14831

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: IPv6 neighbor discovery protocol (NDP) fails in some cases #13423


  • Fixed: GIF-based interface MTU is assigned to parent interface on boot when parent interface is a LAGG #13218

  • Fixed: Cannot add a QinQ interface to a bridge #14377

  • Fixed: find_interface_ipv6_ll() can return a VIP instead of the interface address #14392

  • Fixed: Interface value is not properly validated when submitted on interfaces_gif_edit.php and interfaces_gre_edit.php #14549

  • Fixed: Primary interface address is incorrectly set to the last address on the interface #14623

  • Fixed: Link loss causes interfaces configured as Track Interface for IPv6 to lose their IPv4 addresses #14756

  • Changed: Eliminate direct config access in interfaces.php #14790


  • Fixed: Log rotation is not active if the configuration contains an empty <syslog> section or if that section is not present #14517

  • Fixed: Per-log settings for file size and retention count are not honored #14545

  • Added: Improve SCTP support in filterlog #14667


  • Added: Allow SMTP notifications from non-root processes #14337

  • Fixed: PHP error when failing to write config.cache #14432


  • Fixed: DCO OpenVPN server bound to Localhost does not pass traffic as expected #14682

  • Fixed: Rapidly clicking certain options on OpenVPN Client Overrides can cause hide/show field behavior to invert #13088

  • Fixed: OpenVPN can select the wrong interface IP address when multiple addresses are present #14646

  • Changed: Prevent weak SHA1 certificates from being used with OpenVPN clients and servers #14677

  • Changed: Check for deprecated OpenVPN encryption and digest options on upgrade #14686

Operating System

  • Fixed: Error when deleting ZFS Boot Environment created from duplicate of non-default entry #13348

  • Fixed: Console and system log may contain unnecessary Netlink debug messages from IPsec #14370

  • Added: Support receiving EAPOL frames on VLAN 0 in wpa_supplicant #14457

  • Changed: Automatically configure PF states hash table size #14750

  • Fixed: Panic when pfsync attempts to synchronize states between hosts with different rulesets #14804

PHP Interpreter

  • Added: Option to configure a custom value for the PHP memory limit #13377

  • Fixed: URL scheme is not properly validated in some cases #14356

PPP Interfaces

  • Fixed: PPP interface default username/password are not being populated from provider data on interfaces.php and interfaces_ppps_edit.php #14544

  • Fixed: getserviceproviders.php does not always validate value of $connection, displays without encoding #14547

PPPoE Server

  • Fixed: PPPoE Server address input validation is incorrectly allowing IPv6 #13903

Packet Capture

  • Added: Change default match modifier from “all of” to “any of” #14650

  • Fixed: packet_capture.php uses count and length values in command execution without validation or encoding #14809

Rules / NAT

  • Fixed: Ethernet rules using (self) as a source or destination make the ruleset fail to load #14478

  • Fixed: Ethernet rule Action field hint text lists “reject” option which is not compatible with Ethernet rules #14515

  • Fixed: Changes in Ethernet ruleset can lead to incorrect rule and separator order #14705

  • Added: Support interface macros in Outbound NAT rules #3288

  • Fixed: Negating <interface> net when a VIP exists on the interface results in unintended behavior #6799

  • Added: Option to wait for interface selection before displaying firewall rules #13124

  • Fixed: Default tab on firewall_rules.php is not selected if the configuration has no WAN interface #14345

  • Added: Support interface groups in firewall rule source/destination fields #14448

  • Fixed: “Convert interface definitions” option is not respected when bulk copying rules #14576

  • Fixed: Rule separators are ordered incorrectly after removing rules in certain positions #14619

  • Fixed: Rule separators are hidden when their index is greater than the number of rules #14621

  • Added: Extend support for SCTP in firewall and NAT rules #14640

  • Fixed: Separators get shifted when copying firewall rules between interfaces #14691

  • Fixed: ctype_digit() returns unexpected result for values <= 255 which can break some validation functions/usages #14702

System Logs

  • Fixed: Firewall log parser does not handle SCTP log entries #13940

  • Fixed: status_logs_filter_dynamic.php does not encode value of interfacefilter in raw mode #14548

Traffic Graphs

  • Fixed: PHP Error when viewing Traffic Graphs in iftop mode #14500

Traffic Shaper (ALTQ)

  • Added: Include ixv in ALTQ capable NIC list #14408

  • Fixed: Kernel panic when using traffic shaping on a PPPoE interface #14497

Traffic Shaper (Limiters)

  • Fixed: Limiters have no effect on upload traffic passed by policy routing rules #14039


  • Fixed: Some functions fail if the Language does not exactly match an available Locale #13776

  • Fixed: Polish translation contains an invalid sprintf() format in the text for firewall_nat_out_edit.php #13946


  • Changed: Update miniupnpd to 2.3.3 #14307

  • Fixed: Remove broken from UPnP STUN server list #14673


  • Fixed: Update check in GUI does not always honor the configured proxy settings #14609

User Manager / Privileges

  • Fixed: Copy function for User Manager Groups does not work for first group in list #14695

Web Interface

  • Changed: GUI pages should use POST for AJAX calls, not GET #12431

  • Fixed: Refactor IPsec code using config access functions #13704

  • Fixed: PHP error in CSRF Magic from invalid time value #14394

  • Fixed: Breadcrumb path missing on system_register.php #14462

  • Changed: Prevent weak SHA1 certificates from being used with GUI and Captive Portal #14672

  • Fixed: status_carp.php and diag_dump_states.php unresponsive with large state tables #14758

  • Fixed: GUI TCP port is not updated in the configuration when saving with the field empty to remove an existing value #14820


  • Fixed: PHP error in handle_wireless_post() when toggling some wireless interface options #14579