2.5.1 2.5.x Maintenance release 79% 67 issues (27 closed — 40 open) Related issues Bug #3709: Disabled static route entries trigger 'route delete' error at boot Bug #4521: OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgicli`` Bug #11104: OpenVPN does not start with several authentication sources selected Bug #11105: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 Bug #11382: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS Bug #11383: pfSense Proxy Authentication not working Bug #11403: DNS Resolver does not add a ``local-zone`` type for ``ip6.arpa`` domain override Bug #11409: IPv4 MSS value is incorrectly applied to IPv6 packets Bug #11425: XMLRPC error with Captive Portal and CARP failover when GUI is on non-standard port Bug #11428: CPU details are incorrect in the System Information widget after resetting log files Bug #11446: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses Bug #11448: Incorrect order of ``route-nopull`` option in OpenVPN client-specific override configuration Bug #11454: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information Bug #11464: Requests to ``ews.netgate.com`` do not honor proxy configuration Bug #11474: Broken help link on IPsec Advanced Settings tab Bug #11476: Telegram and Pushover notification API calls do not respect proxy configuration Bug #11483: Installer does not add required module to loader.conf when using ZFS Bug #11488: IPsec tunnel definitions have ``pools =`` entry in ``swanctl.conf`` with no value Bug #11489: Invalid certificate data can cause a PHP error Bug #11514: Renewing a self-signed CA or certificate does not update the serial number Bug #11547: DNS Resolver does not bind to an interface when it recovers from a down state Bug #11554: Selected Data Encryption Algorithms list items reset when an input validation error occurs Bug #11559: OpenVPN does not start with a long list of Data Encryption Algorithms Bug #11569: ACLs generated from RADIUS reply attributes have incorrect syntax Bug #11578: Error when removing automatic DNS server route Bug #11602: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance Bug #11617: Unexpected Operator error on console at boot with ZFS and RAM Disks Bug #11624: Typo on Router Advertisements page Bug #11638: PHP error in logs from XMLRPC if no sections are selected to sync Bug #11639: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files Bug #11643: IPsec tunnel does not function when configured on a 6RD interface Bug #11644: Unreachable LDAP server for SSH auth causes boot process to stop at at 'Synchronizing user settings' and no user can login over SSH Bug #11652: Unable to renew a certificate without a SAN Bug #11654: Certificates with escaped x509 characters display the escaped version when renewing Bug #11674: OpenVPN binds to all interfaces when configured on a 6RD interface Bug #11705: Creating a certificate while creating a user does not fully configure the certificate properly Bug #11706: Renewing a certificate without a ``type`` value assumes a server certificate Bug #11713: Error when deleting IPv6 link-local routes Feature #7077: Display negotiated data encryption algorithm in OpenVPN connection status Todo #11755: Upgrade OpenSSL to 1.1.1k
2.6.0 Next release 51% 38 issues (8 closed — 30 open) Related issues Bug #5135: interface_has_gateway returns true for DHCP where it doesn't assign gateway Bug #11091: Interfaces set as disabled in the configuration have an UP status in the operating system at boot Bug #11296: When WAN gateway is down, I can still access/ping stuff that is set "static route" thru the primary WAN Bug #11387: Interface page displays 'MAC Address' field for incompatible interfaces. Bug #11429: System Log / Settings form activates "Reset Log Files" button on enter Bug #11609: CLI configuration without IPv6 leaves RA enabled. Bug #11636: Unused Limiters with a schedule creates cron job Bug #11658: Ambiguous text in help and input validation error for system domain name Bug #11667: Forced dynDNS update after 25 days removed wildcard domain (Includes fix) Bug #11678: Certificate Manger does not reflect Unbound as a cert user Bug #11688: Disabling all interfaces associated with a floating rule causes pfSense to generate bad pf rules Bug #11692: PPPoE IPv6 gateway set as default even when IPv6 default gateway is set to "None" Bug #11727: Cannot enter CARP persistent maintenance mode if CARP is disabled Bug #11781: Disable DNSSEC option for dnsmasq Feature #2358: NAT64 Support Feature #2400: WPA Enterprise with identity/password Feature #2668: Allow aliases to be used in OpenVPN local/remote/tunnel network fields Feature #6626: Allow IPv6 firewall entries with dynamic PD prefix + static host address Feature #7842: Add DynamicDNS Provider - Mythic-Beasts Feature #11125: RTL8153 Support Needed Feature #11140: Allow to use OpenVPN provided DNS servers Feature #11164: Prevent setting a load-balance gateway group as default. Feature #11228: Replace WebGUI HTTP links to HTTPS Feature #11293: one.com DynDNS provider support Feature #11294: Yandex PDD DynDNS support Feature #11358: add NIC.RU DDNS support Feature #11380: pfSsh.php script to modify Alias Feature #11390: Authentication Servers copy button Feature #11395: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering Feature #11402: Xen console support Feature #11420: Add Gandi LiveDNS IPv6 Support Feature #11440: Expand collapsed sections by clicking anywhere on header Feature #11521: Add 'explicit-exit-notify' option to OpenVPN client config Feature #11576: Add IPsec GUI option to control Child SA "start_action" Feature #11596: Cisco AVPair {clientipv6} template Todo #11426: Deprecate old crypto hardware which is not viable on modern systems
pfSense Plus - 21.02.2 Plus maintenance release 100% 4 issues (4 closed — 0 open) Related issues pfSense Plus - Feature #10804: Interface Status page information for switch uplinks may be replaced by switch port data when media state monitoring is set
CE-Next The next release of pfSense software (CE) 13% 94 issues (1 closed — 93 open) Related issues Bug #1819: DNS Resolver Not Registering DHCP Server Specified Domain Name Bug #5413: Incorrect Handling of Unbound Resolver [service restarts, cache loss, DNS service interruption] Bug #6333: Bootup starts/restarts dpinger multiple times Bug #6507: GRE tunnel on dynamic IPv6 interface not brought up during boot Bug #7389: Limiter does not work with transparent proxy Bug #7801: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded Bug #8100: pfsync Initially Deletes States on Primary for Connections Established through Secondary Bug #8192: dpinger - Change in ISP link-local IPv6 address drops connectivity Bug #8263: Cannot create a nonlinear `Link Share` service curve because of: "the sum of the child bandwidth higher than parent" Bug #8611: unable to receive IPv6 RA's on SG-1000, default route lost Bug #8815: IPv4 addresses disappear from interfaces when link is lost Bug #8964: IPsec async cryptography advanced setting - TCP traffic not passing through Bug #9058: crash in l2tp retransmit Bug #9136: IPv6 Tracking Interfaces Lose IPv6 Address in Certain Cases Bug #9296: Rule / Alias FQDN-Resolution broken Bug #9349: IPSec service start/stop/restart fails after settings change Bug #9384: devd putting "$" before variable contents when using single quotes Bug #9887: Rule separator positions change when deleting multiple rules Bug #10513: State issues with policy routing and HA failover Bug #10530: Convert config version to be based on product version Bug #10690: Not possible to make UFS install on ZFS formatted drive Bug #10708: ZFS bootpool boot symlink issue Bug #10875: PPP periodic reset does not fully restore gateway group round-robin functionality Bug #10892: Large number of VLAN/LANs make floating rules are to read Bug #11082: HA setup restarts all OpenVPN instances on the secondary after making any change on the primary Bug #11110: Backup file should be checked before restoring a specific area Bug #11141: OpenVPN Wizard doesn't show gateway groups Bug #11226: IPSec VTI P2 traffic selectors default to address when defined as a network. Bug #11229: Harmless error when enabling traffic shaper Bug #11299: Remove unused L2TP VPN files Bug #11335: Spoofing the MAC on a LAGG interface does not work for some NIC types. Bug #11416: OpenVPN IPv4 Tunnel Network check Bug #11430: PHP console spam after Assigning Interfaces Bug #11456: pfSense Unbound Python Integration - Dev mount Bug #11503: Using multiple authentication backends on an OpenVPN server fails Bug #11539: Mobile IPsec "split_include" value of 0.0.0.0/0 causes some clients to fail Bug #11541: OpenVPN status does not work properly when set to TCP and Concurrent Connections = 1 Bug #11548: "rule expands to no valid combination" error from port forward automatic rule mixing IPv4 and IPv6 elements Bug #11552: IPSec VPN Web Interface - Incorrect phase 2 entry being deleted on second delete Bug #11575: OpenVPN clients cannot pass traffic when reconnecting using the same source port Bug #11581: Cannot set /32 WAN IP via console Bug #11651: WebGUI error when adding both IPv4 and IPv6 P2 under a IPv4 or IPv6 only IKEv1 P1 Bug #11662: QinQ using OpenVPN ``ovpn`` interface as a parent is not configured at boot time Bug #11675: VLANs and QinQs edit pages allows to select OpenVPN TUN interfaces Bug #11684: add the "explicit-exit-notify" option as a default for OpenVPN Server instances Bug #11685: PHP error if PHP_error.log file is too large Bug #11698: Invalid PPPoE custom reset crontab entry Bug #11699: OpenVPN doesn't cleanup parsed Cisco-AVPair rules on non-graceful disconnect Bug #11700: OpenVPN doesn't kill IPv6 client states on disconnect Bug #11704: OpenVPN DNS records not deleted after reboot Bug #11718: XMLRPC Client does not honor its default timeout value Bug #11725: Error when setting queue limit on CODELQ limiter Bug #11734: NAT rule overlap detection is inconsistent Bug #11748: Automatic restore of previous backup config.xml when detecting invalid configuration files should check multiple backups Bug #11754: DynDNS - Digital Ocean help text is no longer valid Bug #11762: Invalid combinations of TCP flag matching options cause ``pfctl`` parser error Bug #11764: IPv6 link local gateway default status not indicated in GUI Bug #11765: Invalid HTML encoding in modal Notices window Bug #11767: OpenVPN Client Export - Certificate Password is not sanitized from status_output Bug #11769: Captive Portal RADIUS MAC Secret is not sanitized Bug #11792: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled Feature #855: More flexible options for state killing based on WAN status Feature #2386: Bridge member that is not an assigned interface Feature #4405: Traffic shaping doesn't work when applied to a bridge interface Feature #4881: allow dynamic IPs-nets for NPt Feature #7727: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port. Feature #8794: NTP authentiction Feature #10811: AutoConfigBackup should randomize scheduled backups. Feature #11103: radvd: use virtual link local IP as source address in HA setups Feature #11118: Backup and Restore SSH Host Key(s) Feature #11211: Allow Setting RADIUS Timeout for EAP-RADIUS Feature #11264: Captiveportal : Redirect back to Login Page on Logout Feature #11406: MTU on L2TP VPN server Feature #11439: IPv6 support in easyrule CLI script Feature #11589: Fix iftop experimental traffic fetcher, unify and improve output style Todo #10464: Disallow package updates when a system update is available Todo #11507: Update font formats to woff2 Todo #11518: Move custom IPSEC NAT-T port settings to Advanced Options
Future Items for an indeterminate later release 7% 146 issues (6 closed — 140 open) Related issues Bug #1675: Captive portal logout problems with pop-up blockers. Bug #3132: Gateway events for IPv6 affect IPv4 services and vice versa Bug #4154: RADIUS authentication not working over IPv6 Bug #4406: ALTQ problems with wireless cloned interfaces Bug #4479: Firewall rules won't match GRE interface after applying IPSEC transport encryption on GRE tunnel Bug #4716: "DNS Resolver" lacks SOA for ".local" domain setups Bug #5367: Safari repeatedly tries to reload dashboard Bug #5786: Check WebConfigurator port for conflicts Bug #6167: IPsec IPComp not working Bug #6186: race conditions in service startup Bug #6696: Add configure link to Status > Queues error message if traffic shaping not configured Bug #6880: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients Bug #7082: pkg_edit.php - impossible to use default_value with rowhelperfield Bug #7138: Pfsense wide dhcpv6 client doesn't recognise ifid statement Bug #7195: pkg_edit.php - <checkenablefields> tag has no effect on fields other than checkbox/input Bug #7222: Encryption No Longer Enforced for Email Notifications Bug #7288: The field 'Distinguished name Organization' contains invalid characters Bug #7841: CARP Sync Issue - when no internet on standby Bug #8013: IPsec MSS clamping value shared for IPv4 and IPv6 Bug #8179: Incorrect reverse DNS zone in DHCP server config for non-octet-aligned subnet mask Bug #8502: main (top) menu items do not drop down in some cases Bug #8576: pfSense stops passing traffic after some time when using Outbound NAT pool w/ Sticky Address Bug #8614: Cannot remove Additional BOOTP/DHCP Options Bug #8818: Thermal Sensor Bug #8820: System/Advanced/Misc - "Do not kill connections when schedule expires" UN-checked still leaves existing connections open. Bug #9344: OpenVPN click NCP Algorithms will always go to DH Parameters website(in Chinese-Taiwan) Bug #9353: PHPSession errors from limited access to dashboard and widgets Bug #9755: package description wrong link https://www.freshports.org/security/openvpn-client-export Bug #10310: Systems with low RAM and several packages may temporarily fail to load large tables after an upgrade Bug #10352: RADIUS authentication fails with MSCHAPv1 or MSCHAPv2 when passwords contain international characters Bug #11093: ral(4) driver non-functional in arm64 Bug #11285: Kernel crash on ALTQ-enabled wg interfaces Bug #11339: Odd console output when WireGuard is running Bug #11352: CTF types > 2^15 in the pfSense kernel config results in DTrace failing Bug #11407: Removing a WireGuard tunnel in a middle position can break Add button behavior Bug #11418: 'NAT-T: Force' is broken for IPv6 IPsec Bug #11437: WireGuard group is not printed in the interface column of the NAT rule list Bug #11450: Problem with IPv6 netmask /128 in WireGuard Bug #11465: Input validation does not prevent multiple conflicting WireGuard peers on a single tunnel from attempting to act as default route Bug #11473: System Activity shows invalid data on SG-3100 Bug #11482: WireGuard interfaces do not always have proper MTU applied Bug #11494: Wireguard interface sends ICMP Redirect when routing between two peers Bug #11502: WireGuard ``matchaddr failed`` kernel messages in system log Bug #11538: WireGuard Panic Bug #11585: WireGuard kernel panic when changing peer port on assigned WireGuard interface Bug #11586: WireGuard panic when saving many times in a row Bug #11587: WireGuard interfaces do not have data on traffic graphs Bug #11600: WireGuard interfaces should have MSS clamping enabled by default Bug #11613: Pushing WireGuard traffic out a specific GW using static routes requires a reboot to revert. Bug #11618: WireGuard using incorrect IPv6 tunnel address prefix length Bug #11679: Policy-based Routing (outbound) and port forwarding (inbound) "selectively" working through WG tunnel Bug #11691: WireGuard MSS Clamping and TCP traffic issues after reboot. Feature #84: Nightly Filter Summary E-Mail Feature #96: Add "All local networks" to source and destination drop down boxen in firewall rules Feature #286: Backup/restore users individually Feature #290: Add Multi-WAN awareness to UPnP Feature #521: Group manager Assigned Permissions Feature #701: Interface groups with NAT Feature #746: Add interface group to source/dest drop downs Feature #946: Allow aliases to be used to define IPsec phase 2 networks Feature #1257: Handle encypted CA/Certificate private keys Feature #1268: Allow mass renewing of certs Feature #1337: VLANs with different MAC address than parent interface Feature #1831: Captive portal IPv6 support Feature #1979: Add some default read-only system aliases Feature #2024: RRD Graphs for packages Feature #2479: Allow reordering of the traffic graphs on the dashboard Feature #2593: sync NTPD, SNMP config between HA members Feature #2676: Reply-to option in firewall rule Feature #2965: Mac Firewalling Feature #3115: Traffic shaping for multi WAN Feature #3185: Accommodate a DHCPv6 failover-like mechanism Feature #3377: OAuth2 authentication in captive portal Feature #3652: OpenVPN - Dynamic IPv6 Tunnel Network Feature #3696: Multiple items backup/restore Feature #3697: New backup/restore area: Certificates Feature #3882: Add OUI database to the base system, remove dependency on nmap Feature #4098: Add option to force a password change on login Feature #4195: Aliases: sections Feature #4234: allow for strict user <> cn validation of mobile ipsec users when using rsa+xauth Feature #4259: Port forward NAT rules with "any" protocol Feature #4632: Support for Multipath TCP (MPTCP) Feature #4724: Captive Portal Status Add Client Hostname Feature #4776: Add 802.1x dynamic vlan support Feature #5307: Add logarithmic scale option to RRD graphs Feature #5510: Need a simple way to enable/disable package-installed services Feature #5619: Curl with ARES support Feature #5735: Automaticaly add DHCP leases to alias list or make it readable in selected fields Feature #5835: Improve OpenVPN client gateway detection in edge cases where the remote does not send gateway information Feature #5950: DHCPv6 Server support for PD of PD-obtained networks Feature #6457: Allow ability to configure AWS EC2 AMI via userdata Feature #6728: Route53 API mod and Geolocation Feature #6742: OAuth2 authentication for OpenVPN (and for FreeRadius) Feature #6960: Consider replacing ISC DHCP server with KEA DHCP Feature #7078: Allow reordering of client specific overrides in OpenVPN Feature #7181: Add Top and Add Bottom on Seperator Feature #7182: Break up System Widget on the Dashboard Feature #7244: Publish pfsense as a Vagrant Basebox Feature #7260: Source OS / p0f Database Missing Modern Operating Systems Feature #7416: Dhclient does not support supersede statement for option 54 Feature #7783: Support for hosting VMs on pfSense using bhyve Feature #7847: USB NIC not loading (TP-Link UE300 RTL8153) Feature #7852: Add views support to Unbound GUI Feature #8316: expiration date when creating new rules Feature #8346: Let pFSense act as an IPSec XAuth VPN Client Feature #8474: Easier Conversion to HA Pair from Existing Non-HA Firewall Feature #8694: Client CA Auth for PFSense WebGui Feature #8712: QOS on ipsec links Feature #8775: Use SRV record for LDAP Authentication Feature #8861: Show more detail on status_interfaces.php Feature #8879: DHCP options ADD force options Feature #9297: Log and Graph Temperatures Feature #9536: Support dynamic prefix in DHCPv6 Server Feature #9544: Enable RADIX_MPATH Feature #9574: Show changelog at package upgrade Feature #9680: Seperate DHCP Server and relay per interface Feature #9717: Search box for pfsense ? Feature #9718: Make diag_states_summary table sortable Feature #9942: Give pfSense the possibility to change the keyboard Layout for console users Feature #10204: Possible clarification of Track IPv6 Interface Subnet ID Feature #10223: Add the ability to create additional loopback interfaces Feature #10250: DHCP lease view by interface Feature #10467: Email alert functionality for system health Feature #10987: Add support for secure boot Feature #11056: Add option to disable flow-control on interfaces in GUI Feature #11270: Consider integrating Nebula mesh VPN Feature #11302: WireGuard XMLRPC sync Feature #11324: Separate syslog "Remote log servers" Parameters Feature #11369: add Enabling IPv6 Source Address Validation support Feature #11374: WireGuard Status in GUI Feature #11498: WireGuard does not pass multicast traffic to peer Feature #11588: Automatically suggest next IP address in Wireguard interface subnet when creating a peer Feature #11604: WireGuard Dynamic Listen Port Randomization Feature #11659: Support for UEFI HTTP Boot option in dhcpd config Todo #32: PPPoE Server users integration with user manager Todo #33: L2TP users integration with user manager Todo #1521: Investigate FreeBSD route metric support for future versions Todo #5902: Use a common place for default values Todo #6647: Enable Additional Security Headers Todo #6697: White squares around the numeric values in the Status / Queues page Todo #6727: Missing file apple-touch-icon-precomposed.png ? Todo #11280: Add WireGuard to ALTQ list
pfSense Packages - Future Scheduled for an unspecified future version, typically not the next one 0% 5 issues (0 closed — 5 open) Related issues pfSense Packages - Bug #7267: Status Traffic Totals - Stacked Bar - Scale not high enough pfSense Packages - Bug #10791: Valid (vlan)interfaces do not get vif reporting "Invalid phyint address" pfSense Packages - Feature #11178: Filer do not ask what to do with previous filename pfSense Packages - Feature #11752: WireGuard as a Package pfSense Packages - Feature #11798: HA Sync for FRR config
pfSense Plus - Plus-Next The next release of pfSense Plus software 33% 3 issues (0 closed — 3 open) Related issues Bug #10955: XMLRPC sync errors when failover peer IP is specified in DHCP server settings pfSense Plus - Bug #11653: duplicate comconsole_port="0x2F8" lines in loader.conf pfSense Plus - Bug #11673: Thermal Sensors Non-functional on SG-3100