pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Fixed: Interface subnet aliases do not contain IPv6 VIPs #15096


  • Changed: Prevent usage of the default password in User Manager accounts #15266

  • Fixed: PHP errors in LDAP server prevent it from falling back to Local Database #15122

Backup / Restore

  • Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728

  • Fixed: DHCP leases may not be restored from older configuration backups #15076

Captive Portal

  • Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226

  • Added: Support using a mask to block MAC addresses in Captive Portal #15257

  • Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299

Console Menu

  • Changed: Dynamically adjust the interface name maximum width in the login banner #13268


  • Added: Better handling of duplicate IP addresses in static DHCP assignments #13256

  • Changed: Reduce log spam when deleting a static DHCP entry #13263

  • Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894


  • Fixed: DHCP6 client does not take any action if the interface IPv6 address changes during renewal #12947

  • Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117

DNS Forwarder

  • Added: Option to allow the DNS Forwarder to ignore system DNS servers #14165

DNS Resolver

  • Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942

  • Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071

  • Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139

  • Changed: Upgrade Unbound to >= 1.19.1 #15256


  • Fixed: Firewall Logs Widget fails to update at intervals below 5 seconds. #12673


  • Changed: Add ZFS Boot Environment list to status output #15164

  • Added: Add Kea information to status.php #14953

  • Added: Add EFI boot information to status.php #15297

  • Added: Add loader.conf.lua contents to status.php #15298

  • Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310

Gateway Monitoring

  • Fixed: Gateway behavior differs when the gateway does not exist in the configuration #12920


  • Fixed: Killing states on downed gateways breaks when Skip rules when gateway is down is enabled #15223

  • Fixed: Killing states on downed gateways breaks for static interface configurations #15225

  • Fixed: Removing a gateway group used as the default gateway results in no default route #15248

Hardware / Drivers

  • Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498

  • Added: Recognize QAT 4xxx devices in System Information Widget #15233

IGMP Proxy

  • Fixed: IGMP proxy works intermittently #15043


  • Added: Group-based Mobile IPsec Virtual Address Pool assignment via RADIUS #13227

  • Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312

  • Fixed: Large number of IPsec tunnels causes long filter reload times #14893

  • Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124

  • Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147

  • Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171

  • Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176

  • Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967

  • Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057


  • Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431

  • Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181

  • Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282

  • Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318

LAGG Interfaces

  • Fixed: Reconfiguring a parent LAGG interface breaks its VLANs #9453


  • Changed: Remove Time column from OS Boot logs #15106


  • Added: Ability to selectively kill states on gateway recovery #855


  • Added: OpenVPN NBDD server options #13085

  • Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087

  • Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089

  • Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090

  • Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386

  • Fixed: OpenVPN forms invalid route statements for empty local networks #14919

  • Fixed: OpenVPN Wizard fails when a VIP is used #15148

  • Changed: Remove deprecated OpenVPN hardware crypto engine option #15188

Operating System

  • Added: Operating System support for PF pflow packet data flow export #15038

  • Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980

  • Fixed: Static ARP assignments lose permanent flag in ARP table #14970

  • Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054

  • Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108

  • Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288

PHP Interpreter

  • Fixed: Extensions directory is not set in rc.php_ini_setup #14488

  • Fixed: check_dnsavailable() failing even when DNS is available #15127

Package System

  • Fixed: Extra space in pkg configuration file FreeBSD.conf #15069


  • Fixed: ICMPv6 Path MTU Discovery breaks with NPT #14290

Rules / NAT

  • Added: GUI to configure Packet Flow Data (pflow) export #15039

  • Added: Kill states using the pre-NAT address #11556

  • Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173

  • Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183

  • Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197

  • Fixed: Advanced rule options tooltip does not show negated Tag option #15214

  • Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234

  • Fixed: Egress states remain when killing states for scheduled rules #15252

Setup Wizard

  • Changed: Error handling in the Setup Wizard is very user-unfriendly #15302

Traffic Shaper (Limiters)

  • Fixed: Packets are passed through dummynet twice when using route-to leading to half the expected bandwidth #14854

  • Fixed: Fragmented packets delayed by limiters are lost #15156

Virtual IP Addresses

  • Fixed: choparp service is not stopped after deleting Proxy ARP type Virtual IP addresses #14929

Web Interface

  • Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943

  • Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413

  • Changed: Update vendor files #13537

  • Fixed: status_interfaces.php is missing several values for SFP modules #15112

  • Added: 50x and 404 error handling to GUI web server configuration #15322


  • Fixed: Secondary node attempts to delete the admins group when synchronizing accounts via XMLRPC #15067