2.4.5 New Features and Changes¶

pfSense® software version 2.4.5 contains a variety of bug fixes and maintenance updates.

Warning

Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.

Tip

For those who have not yet updated to 2.4.4-p3 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Operating System / Architecture changes¶

Base OS upgraded to FreeBSD 11.3-STABLE@r357046
PHP upgraded to 7.2.29

Security / Errata¶

Fixed dependency issues with pfSense-upgrade which may have caused it not to update itself properly #10303

Tip

If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present.
Added encoding to the hostname in services_acb.php #9584
Added encoding to error output in services_captiveportal_mac.php #9609
Improved Picture Widget input validation #9610 #9731 #9804
Added a fsck run with -z for UFS filesystems on upgrade to address FreeBSD-SA-19:10.ufs #9612
Fixed format of XMLRPC auth error to match GUI auth error #9782
Added a custom CSRF Error page with warnings and confirmation prompts before resubmitting potentially harmful data #9799
Fixed Status_Monitoring rrd_fetch_json.php error encoding #9601
Fixed encoding of the user full name on system_usermanager_addprivs.php #10324
Fixed input validation and output encoding of host on diag_ping.php #10355
Addressed FreeBSD Security Advisories & Errata Notices

Aliases/Tables¶

Fixed an issue when resolving FQDN entries in aliases where some entries could be missing #9296
Improved URL Table aliases to support FQDNs which return muliple entries #8531
Added a function to download the contents of an individual alias #9816

Authentication¶

Added exception handling to authentication attempts #9150

Backup/Restore¶

Added a special string (NoReMoTeBaCkUp) that when used in write_config() descriptions will prevent a remote backup #9693
Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy service) #9687 #9785
Added CDATA protection to the encryption_password XML tag, which allows international characters to be used in that field #7186
Added CDATA escape to more auth-related fields #9327
Ensured that kern.cam.boot_delay is set for new installations and upgrades so that USB devices are properly initialized in time for configuration restore in the installer and ECL to function #9533

Captive Portal¶

Fixed Captive Portal vouchers shortcut links #9722
Changed Captive Portal redirect page selection order #9819
Fixed a rare and intermittent issue where users could encounter an nginx error when restarting Captive Portal instances #10159

Certificates¶

Added sorting and search/filtering to Certificate Authority & Certificate manager #9412
Corrected wording of CA/Cert CN input validation #9234
Fixed certificate Descriptive Name field behavior when adding a user certificate #9719
Added clientAuth EKU to Server type certificates #9868
Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825

Dashboard¶

Added option to disable PTI display in System Information widget #9323

DHCP¶

Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448
Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists #9466
Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible #8443
Added an option to disable ping check in dhcpd #9285
Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133
Added search/filter to DHCP/DHCPv6 leases #9791
Improved DHCP client handling of timeout conditions and script failures #9267

Diagnostics¶

Fixed a PHP warning in diag_dump_states.php #9780
Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543
Fixed diag_system_activity.php to use batch mode for top so it displays process list w/o terminal, and increased amount of output displayed #9522
Added search/filter ARP table and NDP status #9791

DNS¶

Added 127.0.0.0/8 to the DNS Resolver private-address list for DNS rebinding protection #9708
Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586
Fixed an issue saving DNS over TLS hostnames on systems with only one gateway #9898
Fixed an issue where manually configured DNS servers may not have been active if “allow override” was disabled and they were also assigned dynamically #9963
Added DNS Resolver (Unbound) Python Integration #9251

Dynamic DNS¶

Fixed Dynamic DNS class constructor name #9779
Fixed errors in DNSimple Dynamic DNS #9580
Fixed handling of wildcard (*) hostname entries in Cloudflare Dynamic DNS #9361
Added support for AAAA records to Digital Ocean Dynamic DNS #9280
Fixed issues with Digital Ocean Dynamic DNS handling of empty hostnames #9602
Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271
Added support for Linode Dynamic DNS #9268
Fixed issues with IPv6 on Azure Dynamic DNS #9248
Fixed handling of wildcards in Route53 Dynamic DNS #9053
Fixed handling of wildcards in Loopia Dynamic DNS #8014
Fixed CloudFlare Dynamic DNS processing when proxied is enabled #9362
Fixed CloudFlare Dynamic DNS “Invalid TTL” error due to CloudFlare API update #10196
Changed hostname to optional for DNS-O-Matic Dynamic DNS #7601
Added support for Gandi LiveDNS Dynamic DNS #9452

Gateways¶

Corrected PHP errors when marking gateways down in certain edge cases #9851

Interfaces¶

Added more prefix delegation size entries to selection list on interfaces.php #9590
Added initialization to the VLAN array in console setup #9582
Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings #8051
Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741
Added a confirmation prompt to disconnect/release actions on status_interfaces.php #9911
Added drivers for Mellanox mlx4 and mlx5 network interface cards #7537

IPsec¶

Fixed IPsec VTI interface creation logic #9781
Added GUI option for IPsec P2/Child SA close action #9767
Added IPsec DH and PFS groups 25, 26, and 27 #9757
Added 25519 curve-based IPsec DH and PFS group 31 #9531
Enabled NAT-T controls for IKEv2 #9695
Improved handling of IPsec restarts breaking VTI routing #9668
Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258
Fixed IPsec keyid identifier handling #9243
Fixed IPsec VTI MTU boot-time configuration #9111
Escape Windows domain backslash in IPsec widget #9747
Fixed VTI IPv6 address handling #9801
Fixed Child SA button JS hide on status_ipsec.php, along with other cosmetic improvements #8847
Added Connect Children button to status_ipsec.php to connect when IKE (Phase 1) is up but Child SAs (Phase 2 entries) are not #9954
Fixed IPsec Phase 2 Remote Network field show/hide when changing between Phase 2 modes #9720
Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263
Fixed a PHP error in IPsec package plugin hook processing #10217

Load Balancer¶

Fixed a PHP when processing services when the configuration does not contain Load Balancer entries #10308

Logging¶

Moved igmpproxy logs to routing.log #10139
Moved igmpproxy verbose logging option to services_igmpproxy.php (formerly at status_logs_settings.php) #10139
Updated sshguard and fixed a log processing regression #9971
Fixed PHP errors in filter log processing when entries contain an invalid port #10255

Monitoring¶

Fixed custom view titles being forced to lower case #9681
Fixed packet graph scaling #9807
Fixed a PHP error in RRD processing of ALTQ data #10248

Notifications¶

Fixed SMTP notification password being unintentionally changed when testing SMTP settings #9684
Reduced frequency of GEOM rebuild notifications #9256

NTPD¶

Added validation to ensure NTP values are treated as numbers before use #9558
Changed the default NTP pool server to 2.<domain> so that it can use IPv6 #9931
Improved handling of errors on the NTP status page to work/fail gracefully with custom ACLs for localhost in place #9829

OpenVPN¶

Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756
Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748
Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595
Added an option to set the OpenVPN TLS Key Direction #9030
Added GUI options to configure OpenVPN keepalive parameters #3473
Fixed instances of hidden invalid OpenVPN options affecting save operations #9674
Added a copy action to OpenVPN pages #5851
Improved sorting of bytes sent/receives on OpenVPN status page #7359
Fixed visibility of the OpenVPN ‘interface’ option when multihome is selected #7840
Reduced the OpenVPN server certificate lifetime to 398 days in the wizard to prevent errors on Apple platforms #9825
Added input validation to prevent OpenVPN tunnel network reuse #3244
Added Exit Notify to OpenVPN servers/client options #9078

Operating System¶

Fixed serial console terminal size issues #9569
Added the strings binary to base builds for troubleshooting #7791
Changed UFS filesystem defaults to noatime on new installations #9483
Fixed an issue where the IP header checksum was incorrect when reassembling packet fragments to a link with a different MTU #10189

Packet Capture¶

Changed Packet Capture GUI to allow multiple TCP/UDP ports to be specified #9766
Added start time to Packet Capture display #9831
Added OSPF/OSPFv3 to Packet Capture protocols #9905
Fixed Packet Capture to match both IPv4+IPv6 CARP when that protocol is selected #9867
Fixed Packet Capture for the pfsync protocol #10183

Routing¶

Fixed (Default) designation on routes to match the default route in the OS #9292
Fixed static routes remaining in routing table after removal #9969

Rules / NAT¶

Fixed state kill ordering in rc.newwanip #4674
Added the ability to search firewall logs by tracking ID #8703
Added GUI option to disable default blocking of APIPA networks #9966
Added more common ports to the firewall rule drop-down list #10166
Added input validation to prevent selecting !* (“not any”) in source or destination #10168
Fixed invalid rules generated when using NAT reflection with a negated destination #10246

S.M.A.R.T.¶

Updated the SMART page with new capabilities #9367

SNMP¶

Fixed SNMP sysDescr contents to include hostname and patch version #9218

Traffic Shaping / Limiters¶

Added input validation for Limiter delay values #9921
Fixed the queue statistics parser to handle large values #9938

Translations¶

Fixed an issue with international characters in configuration descriptions, which led to failures in certain cases, such as failing to set Manual Outbound NAT when the Language was set to pt_BR #6195
Fixed a PHP error on system_advanced_admin.php when the language was set to French #10331

Upgrade / Installation¶

Revised update check to provide a more consistent version string in JSON format #9778
Disabled serial console on VGA memstick images #9488
Fixed a PHP error when upgrading older configurations from revision 14.4 to 14.5 #9840

UPnP¶

Fixed display of active UPnP sessions when configured with an alternate external address #9961

User Manager / Privileges¶

Added input validation to prevent changing the authentication server name #9692
Added privilege to manage integrated switches #9620
Fixed privilege matching to handle JS anchor links #9550
Removed wildcards incorrectly used in isAllowedPage() #9541
- This issue could prevent a user in the admins group from reaching certain pages such as the User Manager.
Improved Deny Config Write privilege handling in the User & Group Manager #9259
Fixed input validation of group name sizes to allow longer remote groups #3792
Fixed handling of L2TP and PPPoE user passwords containing invalid characters #10275

Web Interface¶

Corrected input validation for firewall rule VLAN priority/set #9763
Restricted Thoth tests to arm64 in status.php NG 2569
Added kernel memory usage to status.php output #9705
Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694 #9736 #9764
Fixed a potential source of PHP errors when saving per-log settings #9540
Added GUI components for MDS mitigation #9532
Fixed integrated switch LAGG member editing on switch_ports.php #9447
Fixed wizard.php selection option size attribute handling #8907
Fixed platform detection for certain C2558/C2758 systems #6846
Set autocomplete=new-password for forms containing authentication fields to help prevent browser auto-fill from completing irrelevant fields #9864
Fixed processing of shortcuts for XML-based packages #9770
Updated jQuery #9407
Improved consistency of SSL/TLS references throughout the GUI #10172
Updated various help references and links to use the pfSense book instead of external resources #10135 #10184

XMLRPC¶

Fixed removal of the last ALTQ traffic shaping entry from the target system when performing an XMLRPC sync #9469
Fixed removal of the last limiter entry from the target system when performing an XMLRPC sync #9468