2.4 New Features and Changes

From PFSenseDocs
Jump to: navigation, search
Important30.png WARNING Important30.png
This release is still under development and this list of changes is a work in progress and subject to change.

Operating System / Architecture changes

  • Upgrade of base OS to FreeBSD 11.0-RELEASE-p?
  • Added support for the SG-1000 ARM-based system
  • 32-bit support has been deprecated and removed -- There are no images available for 32-bit (x86/i386) Intel architecture systems
  • NanoBSD has been deprecated and removed -- There are no images available for NanoBSD, use a full install instead
    • Work is in progress to investigate the possibility of upgrading 64-bit NanoBSD installs in-place to a full install
  • Started using the FreeBSD installer instead of the old style installer (installation procedures have all changed)
  • The installer now supports UEFI #4044
  • The installer now supports ZFS
  • Fixed issues with major version base upgrades via pkg
  • Changed cryptodev to load as a kernel module #5976

Security / Errata

  • Converted various parts of the GUI to use POST instead of GET when performing actions that change the firewall state (e.g. delete or enable/disable an item) to avoid potential issues with cross-site request forgery and unintentional repeating of actions #4083

Known Issues

The following issues are known regressions from previous versions that are still in progress:

  • Captive Portal is missing a mixed table with IP and MAC addresses, which means it cannot send MAC address as username to RADIUS
  • Captive Portal is missing statistics, so RADIUS accounting will not receive data


  • Misc code cleanup, removal of patches that were no longer necessary or were inefficient
  • Replaced multiple local copies of PHP PEAR libraries with updated copies using their official sources #3734
    • Notably, local static copies were replaced by their FreeBSD ports counterparts: pear, pear-XML_RPC2, pear-Net_IPv6, pear-Crypt_CHAP, pear-Mail, pear-Net_Growl
    • Code that relied on the old files was updated to use the current or replaced versions
  • Removed all references to GLXSB (it was 32-bit only) #6755
  • Removed all code in the builder and pfSense for handling the NanoBSD platform
  • Removed all calls to conf_mount_rw / conf_mount_ro, since they were only required for NanoBSD


  • FreeBSD 11 contains an updated 802.11 stack with numerous improvements
  • Wireless interfaces must be created on the Wireless tab under Interfaces > (assign) before they can be assigned #6770

Firewall / Rules / NAT / Aliases

  • Fixed issues with synproxy rules on a WAN/LAN style bridge #6769
  • Fixed issues with limiters on rules that utilize NAT #4326
  • Fixed issues with limiters used in conjuction with a transparent proxy or other local redirect rule #7050
  • Fixed expansion of "Other" type VIP subnet entries in NAT destination drop-down selections #6094
  • Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
  • Fixed handling of "URL Table (IPs)" and "URL (IPs)" when the file is hosted a server using HTTPS with a self-signed certificate #4766
  • Show firewall rule descriptions in a column when viewing the log on new installs, upgrades retain their existing setting #7323
  • Fixed firewall states showing a negative value for total bytes processed #7075

Traffic Shaping

  • Added extra warnings to traffic shaping pages when the firewall has no interfaces capable of using ALTQ shaping #7032
  • Fixed handling removal of shaping rules when deleting an interface #7231


  • Upgraded OpenVPN to 2.4.0. #7054
    • This is a significant upgrade which includes support for a wide variety of new features, including AEAD ciphers such as AES-GCM.
    • AES-GCM can be accelerated by AES-NI, and is supported in SSL/TLS modes (not shared key) #7068
    • Added support for TLS Encryption as an optional TLS Key usage type. This encrypts the control channel, providing privacy and protocol obfuscation #7071
    • Added ECDH options to OpenVPN server and client options ("ECDH Only" choice for DH, ECDH Curve selection) #7063
    • Restructured the compression options to include LZ4 support and the new "compress" directive which replaces "comp-lzo" which has been deprecated. The old options remain for now, but are labeled "Legacy" #7064
    • Changed protocol selection for OpenVPN clients and servers because OpenVPN 2.4 treats "udp" and "tcp" as dual stack now #7062
      • Added "multihome" option in relevant protocol cases so OpenVPN will reply back using the address used to receive a packet #7062
    • Changed the DNS Server fields in the OpenVPN server options so they can define either IPv4 or IPv6 DNS servers to push to clients #7061
    • Added IPv6 support to status_openvpn.php and the OpenVPN widget #2766
    • Removed uses of the deprecated "tun-ipv6" OpenVPN directive, OpenVPN now always assumes IPv6 is enabled #7054
    • Replaced uses of the deprecated "client-cert-not-required" directive with its functional replacement "verify-client-cert none" #7073
    • Added support for Negotiable Crypto Parameters (NCP) to control automatic cipher selection between clients and servers #7072
    • NOTE: OpenVPN 2.4 handles CRL verification differently than previous versions, passing through validation to the library rather than handling it internally. This can cause some certificates to fail validation that may have passed previously. In particular, if a certificate is removed from a CRL, it may still fail validation until all copies of the CRL have been rewritten.
  • Improved the help text on OpenVPN Client-Specific Overrides #7053
  • Fixed issues with OpenVPN clients on dynamic or tunneled IPv6 interfaces (e.g. GIF) #6663
  • Added locking to prevent issues with OpenVPN instance startup #6132
  • Check OpenVPN server/client option visibility changes per mode #7331 #7451


  • Upgraded strongSwan to version 5.5.2
  • Changed the default strongSwan logging levels such that IKE SA, IKE Child SA, and Configuration Backend all default to "Diag" #7007

Certificate Management

  • Added a check to ensure that the public key of the Certificate matches its private key when importing Certificate Authority and Certificate entries to prevent mismatching keys from being imported #6953
  • Fixed error handling when creating a Certificate from the User Management section, failed actions will no longer fail silently #6953
  • Fixed handling of Certificates generated from an imported CA when no starting serial number was set #6952
  • Fixed handling of Certificate Authority deletion so that it does not remove associated certificates #6947
  • Added "in-use" testing for Certificate Authority entries and disabled the delete action for CAs which are actively in use #6947
  • Fixed choosing an existing user certificate when adding a certificate to an existing user #7297
  • Added the ability for the certificate manager to sign a CSR using an internal CA #7383

Dynamic DNS

  • Fixed response parsing for DNSimple Dynamic DNS #6874
  • Fixed handling of password in Dynamic DNS entries to allow special characters #6688
  • Changed CloudFlare and GratisDNS to use separate hostname and domain entry to handle TLDs with multiple components #6778
  • Fixed the Save and Force Update button for RFC2136 Dynamic DNS #7291
  • Fixed RFC2136 Dynamnic DNS updates at boot time #7295

DHCP Server / Relay

  • Fixed handling of DHCPv6 lease status when there are no leases #6717
  • Fixed issues with DHCP Relay not working #6658
  • Added input validation to prevent the DHCP server from being configured on interfaces that do not have enough addresses for clients (/31, /32) #6930
  • Fixed issues with the DHCP Relay options display getting out of sync with checkbox settings #7155
  • Fixed static DHCP lease edits updating BIND zones #3710


  • Fixed static ARP handling when creating or editing DHCP static mappings #6821
  • Added error checking for static ARP entries to ensure both an IP address and MAC address are entered, and to ensure that both exist before an entry is applied #6969
  • Improved the detail displayed on the ARP table view #6822

Captive Portal

  • Rewrote Captive Portal to work without the multi-instance IPFW patches


  • Switched to pear-XML_RPC2 and removed the outdated static client files
  • Fixed handling of XMLRPC sync using a username other than "admin" #809


  • Removed "route change" patches and updated code that relied on the deprecated behavior #6828
  • Fixed handling of default routes when a default gateway is removed or disabled #6659
  • Fixed discovery of IPv6 gateway for assigned OpenVPN interfaces #6016
  • Fixed issues with a missing default gateway/route on certain PPPoE links after reconnect or IP address change #6495

Interfaces / Virtual IP Addresses

  • Removed Device Polling as it was no longer useful #7021
  • Improved stability of the igb(4) driver #7149 #7166
  • Fixed handling of rc.newwanipv6 when run from dhcp6c so it only runs when required and not for any change #7145
  • Fixed handling of SIGTERM and SIGKILL in dhcp6c #7185
  • Fixed dhcp6c not starting until an RA is received #5993
  • Fixed a PPP service name error with certain providers, such as T-Mobile #6890
  • Fixed 3G service status so it does not report misleading information #4287


  • Added support for the ntpd "pool" directive to make better use of servers in NTP pools #5985
  • Fixed time display on the NTP widget to show server time #7245
  • Added support for NTP to process PGRMF NMEA sentences (Garmin-specific) #7193

User Management / Authentication

  • Fixed delays during bootup when LDAP is enabled for user authentication #6367
  • Added privileges to control which users can view and/or clear notices #7051
  • Added an authentication cache mechanism for GUI authentication from a remote server (e.g. LDAP, RADIUS) so the authentication is checked periodically (default: 30s) instead of on each page load #7097
  • Added protocol selection (PAP, MD5-CHAP, MS-CHAPv1 and MS-CHAPv2) to RADIUS authentication server options #7111


  • Fixed issues with snort, squid/clamav, and squidGuard when /var is in a RAM disk #6878
  • Fixed handling of custom_php_deinstall_command during post-deinstall of a package #7401

Console / Menu

  • Added options to the console reboot menu selection to reboot into single user mode or run filesystem checks #6639

OS Upgrade

  • Fixed issues when upgrading to 2.4 with a stale package .inc that caused a PHP error #6920
  • Changed the upgrade script to use reroot instead of reboot for updates that do not include a new Kernel #6045


  • Added a workaround to prevent the hostres module from being used with bsnmpd on VMware Virtual Machines that have a cd0 device, which caused 100% CPU usage #6882


  • Converted all mpd-based features (e.g. PPPoE and L2TP server) to MPD5 if they used an older version #4706
  • Removed unused and non-functional SMART service handling and e-mail configuration #6393
  • Fixed IGMP Proxy failing to recognize an upstream interface #6099


  • Completed work to mark required fields on GUI pages #7160
  • Fixed long hostnames overlapping the "time" title in the monitoring graphs #6138
  • Added filters to more dashboard widgets #7122


  • Fixed loading issues with PHP extensions #6628
  • Removed symbolic links for configuration files that redirected items from /etc/ to /var/etc/ #5538
  • Added the ability to filter Packet Captures by MAC address #6743
  • Updated status.php with new info and changed its output organization #7047
  • Fixed a problem where a proxy defined for use by the firewall could not use HTTPS when using proxy authentication #6949
  • Improved RAM disk backups and file management #7098
  • Changed the way RAM disk contents are handled when enabled #5897
  • Fixed a problem with the traffic graphs not respecting the theme colors #6746
  • Fixed a problem where the DNS Search Domain List was not being populated into radvd.conf #7081
  • Changed various support functions to better facilitate translation to additional languages
  • Fixed interface name display on the Router Advertisement configuration page #7133
  • Fixed various issues with handling of unusually formatted, but valid, IPv6 addresses #7147
  • Improved error handling when a client is logged when it attempts to poll data via rrd_fetch_json.php #6748
  • Fixed various issues when the configuration backup count was set to 0 (disabled) #7273
  • Added URL fingerprinting to JavaScript and CSS file references to improve client-side behavior when files change between versions #7251
  • Fixed handling of "0" for the number of backups to retain in the configuration history #7273