version 24.03 New Features and Changes
ZFS Boot Environment Space Usage
Before attempting the upgrade, check the list of current ZFS Boot Environments
(System > Boot Environments) and clean up any older entries to ensure they
do not consume space which may be needed during the upgrade.
See Check and Clean Up ZFS Boot Environments for details.
Low Memory Hardware and AWS/Azure Instances
Hardware with 1 GiB or less available memory may have issues upgrading
depending on which features, services, or packages are running. This includes
some Netgate hardware such as the Netgate 1100 when running with ZFS and/or
certain services/packages. For the best chance of success in these cases,
temporarily disable any non-critical services before starting the upgrade.
pfSense Plus software can no longer run on AWS “.nano” size instances as they
lack sufficient RAM to upgrade properly. Attempting to upgrade a “.nano”
instance to pfSense Plus software version 24.03 will fail before the upgrade is
performed. Migrate the instance to a “.micro” or larger size before
attempting to upgrade, or redeploy instead.
Similar to the above, pfSense Plus software can no longer run on Azure A0
instances. Migrate to instances with more memory.
Netgate 3100 (32-Bit ARM) Limitations
Support for the EOL Netgate 3100 device architecture, armv7, is being phased
out upstream in FreeBSD. While this release still contains base system
functionality for the Netgate 3100, several packages are unavailable as they can
no longer build for that architecture. The list of packages unavailable for the
Netgate 3100 now also includes Suricata, Squid, and squidGuard.
Users who wish to continue using those packages on a Netgate 3100 should not
upgrade to this release.
General
pfSense Plus software version 24.03 makes sure the user changes the admin
account password in the user manager away from the default value. It also
ensures that the password is not set to the same value as the username. This
validation happens during the setup wizard for new installations, on login and
loading any GUI page for existing users, and at the console/shell menu.
Most users will not notice any difference since they have likely changed their
admin account password to a secure custom value in the past.
Resetting the password via the console menu now prompts the user to set a
custom password rather than using a default value.
Note
These restrictions apply to all accounts. Users are also prevented from
changing passwords to problematic values.
The default State Policy has been changed from Floating to Interface
Bound for increased security. However, Interface Bound states may have
issues in certain cases with IPsec VTI, Multi-WAN policy routing
(route-to), reply-to, as well as with High Availability state
synchronization (pfsync) on non-identical hardware.
The default policy can be toggled back to Floating using the State
Policy option under System > Advanced on the Firewall & NAT tab.
There is also an option to override this behavior on a per-rule basis in the
advanced options when editing a firewall rule.
This release adds support for Packet Flow Data export via pflow in PF.
This feature natively exports NetFlow/IPFIX flow data to an external
collector.
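The two changes above (the new Interface Bound default with its per-rule override, and pflow export) both surface as pf state options. The following pf.conf fragment is an added illustration written for these notes, not configuration generated by pfSense Plus; the interface names, the gateway address and the existence of a pflow0 interface are assumed placeholders.

```pf
# Added illustration (not from the release notes): a hand-written pf.conf
# fragment showing the 24.03 default state policy, a per-rule override for a
# policy-routed (route-to) rule, and pflow export. Interface names, the
# gateway address and the pflow0 interface are constructed placeholders.
wan     = "vtnet0"
wan2    = "vtnet1"
lan     = "vtnet2"
wan2_gw = "198.51.100.1"   # constructed example gateway address

# Global default in pfSense Plus 24.03: states are bound to the interface
# that created them (System > Advanced > Firewall & NAT > State Policy).
set state-policy if-bound

# Ordinary LAN traffic: inherits the if-bound default, so a reply arriving
# on a different interface does not match this state.
pass in quick on $lan inet from $lan:network to any keep state

# Multi-WAN policy routing: the notes warn that if-bound states can break
# route-to, so this rule overrides the policy back to floating for its
# states only (the per-rule "State Policy" advanced option in the GUI).
pass in quick on $lan route-to ($wan2 $wan2_gw) inet \
    from $lan:network to any keep state (floating)

# Packet Flow Data export: states created by this rule are reported on the
# pflow(4) interface, which must exist and point at the NetFlow/IPFIX
# collector (pfSense Plus configures it under Rules / NAT).
pass out quick on $wan inet from any to any keep state (pflow)
```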
This release includes support for enhanced gateway recovery “fail back” by
optionally clearing states from lower tier gateways when a more preferred
gateway recovers.
This version requires an updated boot loader, which is automatically handled
by the upgrade process for nearly all cases. However, there may be some edge
cases where the automatic update does not update the loader currently used by
the device. For example, when there are multiple unmirrored disks and the
BIOS/EFI firmware boots not from the disk containing the updated loader but
from an older, unrelated installation on a separate disk. One particular case
where this can happen is when there is a previous installation to MMC which
has been followed by an installation to an add-on SSD without clearing the MMC
contents.
In these cases the best practice is to wipe the unused disk so it cannot
interfere. See Troubleshooting Multiple Disks for details.
Minor Revision
Devices running pfSense Plus software version 24.03 may see a “24.03_1”
update available, which is a very minor revision made to address a missing
dependency on 64-bit ARM devices (https://redmine.pfsense.org/issues/15433). The
revision is kept the same on all platforms for consistency.
Upgrading to this version is safe, but not necessary at this time unless users
are running on 64-bit ARM devices and want access to S.M.A.R.T. disk data (e.g.
Netgate 2100 devices which have an add-on SSD).
When upgrading from 24.03 to 24.03_1 using the GUI or pfSense-upgrade from
the console or shell, the device will prompt to reboot, but in this case a
reboot is unnecessary. Rebooting is harmless apart from the minimal downtime
involved in the reboot during that upgrade process.
Manually updating from the shell via pkg update; pkg upgrade will
pull in the new revision and fixed dependency as needed. Run those commands from
a shell prompt and confirm that the proposed changes are OK. No additional
action is necessary.
Devices which have not yet upgraded to 24.03 or those installed fresh via the
Online Network Installer will obtain the latest version automatically and do not
require any additional action after upgrading.
pfSense Plus
Changes in this version of pfSense Plus software.
Auto Configuration Backup
Backup / Restore
Added: Support for CD/DVD drives in the External Configuration Locator (ECL) #14728
Fixed: DHCP leases may not be restored from older configuration backups #15076
Fixed: PHP error when generating a notification after detecting a malformed configuration #15157
Captive Portal
Fixed: Disconnecting a user from Captive Portal may allow previously established connections to continue #13226
Added: Support using a mask to block MAC addresses in Captive Portal #15257
Fixed: Old auto-added MAC addresses are not pruned for non-concurrent Captive Portal sessions #15299
DHCP (IPv4)
Added: Better handling of duplicate IP addresses in static DHCP assignments #13256
Changed: Reduce log spam when deleting a static DHCP entry #13263
Added: Explicitly enable/disable DHCP Dynamic DNS updates in each scope #13894
Fixed: Stale Kea control socket lock file can prevent Kea from starting #14977
Fixed: Kea does not allow FQDNs for NTP servers but input validation does not prevent them from being added #14991
Fixed: Kea DHCP PHP error from WINS server value #14996
Fixed: Kea DHCP sends wrong bootloader file for UEFI #15032
DHCP (IPv6)
Fixed: DHCP6 client does not take any action if the interface IPv6 address changes during renewal #12947
Fixed: Shortcut bar on DHCPv6 leases (status_dhcpv6_leases.php) navigates to DHCPv4 destinations, not DHCPv6 #15117
Fixed: DHCPv6 settings page “DDNS Reverse” check box not showing current state #15118
DNS Resolver
Fixed: DNS Resolver host overrides ignore all aliases if first entry has a domain set but no hostname #14942
Fixed: Applying interface changes may not update default ACLs for the DNS Resolver #15071
Fixed: Potential local file include vulnerability via DNS Resolver Python Module Script include mechanism #15135
Fixed: Local DNS resolution behavior does not add an IPv6 nameserver #15139
Changed: Upgrade Unbound to >= 1.19.1 #15256
Diagnostics
Changed: Add ZFS Boot Environment list to status output #15164
Added: Add Kea information to status.php #14953
Fixed: crash_reporter.php displays PHP Error log without encoding #15264
Added: Add EFI boot information to status.php #15297
Added: Add loader.conf.lua contents to status.php #15298
Fixed: Errors in status.php IPsec sections when IPsec is not configured #15310
Gateways
Fixed: Killing states on downed gateways breaks when Skip rules when gateway is down is enabled #15223
Fixed: Killing states on downed gateways breaks for static interface configurations #15225
Fixed: Removing a gateway group used as the default gateway results in no default route #15248
Hardware / Drivers
Fixed: Newer variant models within the PC Engines APU2 platform are not recognized, causing garbled early serial console output #13498
Added: Recognize QAT 4xxx devices in System Information Widget #15233
IPsec
Added: Group-based Mobile IPsec Virtual Address Pool assignment via RADIUS #13227
Fixed: MSS clamping on VPN traffic does not work on IPsec IPv6 mobile VPNs #14312
Fixed: Large number of IPsec tunnels causes long filter reload times #14893
Fixed: IPsec VTI is not created correctly when using a Phase 2 remote type of Network #15124
Fixed: Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families #15147
Fixed: Removing an IPsec Phase 1 entry can either remove the wrong Phase 2 entries or leave orphaned Phase 2 entries in the configuration #15171
Fixed: Change Mobile IPsec RADIUS accounting to use accounting_requires_vip so accounting will not activate for non-mobile VPNs #15176
Added: Show interface subnet details in a tooltip on the IPsec Phase 2 list #15245
Fixed: Reordering IPsec Phase 2 entries may result in a malformed configuration #15384
IPv6 Router Advertisements (radvd/rtsold)
Fixed: radvd service shows as stopped in services list when it should be disabled and hidden from that list #14936
Fixed: Cannot disable Router Advertisements when the interface IPv6 configuration is set to None #14967
Fixed: Router Advertisement daemon does not prioritize IPv6 GUA over ULA #15057
Interfaces
Fixed: Sending IPv6 traffic on a disabled interface can trigger a kernel panic #14431
Fixed: PHP error in interfaces_qinq_edit.php when creating a QinQ interface #15181
Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
OpenVPN
Added: OpenVPN NBDD server options #13085
Fixed: OpenVPN WINS options may be visible even when NetBIOS is disabled #13087
Fixed: Some OpenVPN NetBIOS settings are kept even when NetBIOS is disabled #13089
Fixed: OpenVPN NetBIOS Node Type and Scope ID options are not pushed to clients #13090
Fixed: openvpn.auth-user.php gets stuck at 100% CPU usage when RADIUS authentication times out #14386
Fixed: OpenVPN forms invalid route statements for empty local networks #14919
Fixed: OpenVPN Wizard fails when a VIP is used #15148
Changed: Remove deprecated OpenVPN hardware crypto engine option #15188
Operating System
Added: Operating System support for PF pflow packet data flow export #15038
Fixed: /etc/rc.local script content is executed at login instead of during boot sequence #10980
Fixed: Static ARP assignments lose permanent flag in ARP table #14970
Fixed: Permissions on tmpfs RAM disk for /var are too lenient #15054
Fixed: pfctl is unable to retrieve state creator list in certain circumstances #15108
Fixed: loader.conf may be missing loader_conf_files so loader.conf.lua may not be parsed #15288
PHP Interpreter
Fixed: Extensions directory is not set in rc.php_ini_setup #14488
Fixed: check_dnsavailable() failing even when DNS is available #15127
Fixed: PHP error display formatting issues #15263
Rules / NAT
Added: GUI to configure Packet Flow Data (pflow) export #15039
Added: Kill states using the pre-NAT address #11556
Changed: Add global option to set default PF State Policy (if-bound vs floating) #15173
Added: Add per-rule option to set PF State Policy (if-bound vs floating) #15183
Fixed: Outbound NAT rules using an alias without a matching address family create unexpected PF rules #15197
Fixed: Advanced rule options tooltip does not show negated Tag option #15214
Added: Show details of system aliases in tooltip on firewall and NAT rule lists #15234
Fixed: Egress states remain when killing states for scheduled rules #15252
Traffic Shaper (Limiters)
Fixed: Packets are passed through dummynet twice when using route-to, leading to half the expected bandwidth #14854
Fixed: Fragmented packets delayed by limiters are lost #15156
Fixed: Reply traffic on a secondary WAN may be dropped when passed through dummynet #15363
Web Interface
Added: Overflow scrolling for top navigation drop-down menus in Fixed mode #7943
Fixed: Some messages presented to users contain relative links to pages which may be invalid when triggered from certain packages #13413
Changed: Update vendor files #13537
Fixed: status_interfaces.php is missing several values for SFP modules #15112
Changed: Remove jquery-treegrid unit testing files #15265
Added: 50x and 404 error handling to GUI web server configuration #15322