The pfSense Documentation
© 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC
Netgate
Feb 07, 2023
CONTENTS
1 Preface 2
2 Introduction 4
3 Releases 12
4 Product Manuals 248
5 Networking Concepts 249
6 Hardware 263
7 Installing and Upgrading 282
8 Configuration 329
9 Backup and Recovery 384
10 Interface Types and Configuration 412
11 User Management and Authentication 438
12 Certificate Management 454
13 Firewall 473
14 Network Address Translation 524
15 Routing 552
16 Bridging 564
17 Virtual LANs (VLANs) 576
18 Multiple WAN Connections 584
19 Virtual Private Networks 603
20 L2TP VPN 713
21 Services 717
22 DHCP 763
23 DNS 765
24 Traffic Shaper 771
25 Captive Portal 789
26 High Availability 810
27 System Monitoring 824
28 Diagnostics 911
29 Packages 938
30 Virtualization 1101
31 Wireless 1103
32 Cellular Wireless 1124
33 Troubleshooting 1132
34 pfSense® software Configuration Recipes 1246
35 Menu Guide 1586
36 Glossary of Terms 1593
37 Development 1594
38 References 1634
39 Licensing 1656
40 Configuration Recipes 2096
41 Additional Commercial Resources 2097
Index 2098
The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC
Thoroughly detailed information and continually updated instructions on how to best operate pfSense® software.
CHAPTER ONE: PREFACE
1.1 Acknowledgements
This documentation, and the pfSense® project itself, would not be possible without a great team of developers, contributors, customers, and a wonderful community. The project has received code contributions from several hundred individuals. Thousands more have done their part supporting the project by helping others on the forum, social media, and other platforms. And even more have contributed by purchasing hardware, support, and services. Our thanks go out to everyone who has done their part to make the project the great success it has become.
1.1.1 pfSense Developers
The current active pfSense software development team includes the following members (in alphabetical order by surname):
• Glen Barber
• Renato Botelho do Couto
• Leon Dang
• Brad Davis
• Peter Grehan
• Mateusz Guzik
• Reid Linnemann
• Christian McDonald
• Kris Molinari
• Jim Pingle
• Kristof Provost
• Luiz Otavio O Souza
• Steve Wheeler
We also want to give thanks to former project members, significant community contributors, and all FreeBSD developers who have assisted considerably with pfSense project development. Their time and effort throughout the last 15 years is meaningful and we appreciate their contributions.
1.2 Feedback
The publisher and authors encourage feedback for this documentation and the pfSense® software distribution. Please send suggestions, criticism and/or praise using the feedback forms at the bottom of each page.
For general feedback related to the pfSense project, please post to the forum. Links to these resources can be found at https://www.netgate.com/support/contact-support.
Welcome to The pfSense Documentation, written by the pfSense® project team and including contributions from community members.
This set of documents covers topics ranging from the installation process and basic configuration to advanced networking and firewalling using this popular open source firewall and router software distribution.
This is designed to be a friendly guide to common networking and security tasks along with a thorough reference for the capabilities of pfSense software. These documents cover the following topics (and more!):
• An introduction to pfSense software and its features.
• Firewall design and hardware planning.
• Installing and upgrading pfSense software.
• Using the web-based configuration interface.
• Backing up and restoring the firewall configuration.
• Firewalling fundamentals including defining and troubleshooting rules.
• Port forwarding and Network Address Translation (NAT).
• General networking and routing configuration.
• Virtual LANs (VLANs), Multi-WAN, and Bridging.
• Virtual Private Networks using IPsec and OpenVPN.
• Traffic shaping using ALTQ or Limiters.
• Wireless networking configuration.
• Captive Portal setup.
• High Availability using redundant firewalls.
• Various network-related services.
• Firewall monitoring, logging, traffic analysis, sniffing, packet capturing, and troubleshooting.
• Software package and third-party software installations.
There is also a Menu Guide with all standard menu choices available in the pfSense software GUI.
CHAPTER TWO: INTRODUCTION
2.1 What does pfSense stand for/mean?
The early tag line for the pfSense open source project was “making sense of pf”, referring to the packet filter technology at the core of the project.
PF in FreeBSD can perform many of the basic packet filtering and QoS firewall tasks that pfSense software provides; however, pfSense software makes it easier to manage, monitor, and maintain. It accomplishes this by layering an easy to use GUI and customized services on top of the operating system and relevant packages, resulting in a complete firewall/router/VPN solution that is capable of much more than the sum of the underlying components.
2.2 Why FreeBSD?
Numerous factors came under consideration when choosing a base operating system for the project. This section outlines the primary reasons for selecting FreeBSD.
2.2.1 Wireless Support
Wireless support is a key feature for some users. In 2004, wireless support in OpenBSD was very limited compared to FreeBSD. OpenBSD did not support drivers or security protocols and offered no plans for their implementation. To this day, FreeBSD surpasses the wireless capabilities of OpenBSD.
2.2.2 Network Performance
Network performance in FreeBSD is significantly better than that of OpenBSD. For small to mid-sized deployments, this generally does not matter; upper scalability is the primary issue in OpenBSD. One pfSense® developer managing several hundred OpenBSD firewalls using pf was forced to switch his high load systems to pf on FreeBSD to handle the high packets per second rate required by portions of his network. The network performance in OpenBSD has improved since 2004, but limitations still exist.
Multi-processor support for pf in FreeBSD allows for greater scalability and is utilized by pfSense software as seen in this network performance analysis: https://github.com/gvnn3/netperf/blob/master/Documentation/netperf.pdf.
2.2.3 Familiarity and ease of fork
The code for m0n0wall was based on FreeBSD, and pfSense software forked from m0n0wall. Changing the base operating system would require prohibitively large modifications and could have introduced limitations from other operating systems, requiring features to be removed or altered.
2.2.4 Alternative Operating System Support
There are no plans to support any other base operating systems at this time.
2.3 Common Deployments
pfSense® software can meet the needs of nearly any type and size of network environment, from a SOHO to datacenter environments. This section outlines the most common deployments.
2.3.1 Perimeter Firewall
The most common deployment of pfSense software is a perimeter firewall. pfSense software accommodates networks requiring multiple Internet connections, multiple LAN networks, and multiple DMZ networks. BGP (Border Gateway Protocol), connection redundancy, and load balancing capabilities are configurable as well.
See also:
These advanced features are further described in Routing and Multiple WAN Connections.
2.3.2 LAN or WAN Router
pfSense software configured as a LAN or WAN router and perimeter firewall is a common deployment in small networks. LAN and WAN routing are separate roles in larger networks.
LAN Router
pfSense software is a proven solution for connecting multiple internal network segments. This is most commonly deployed with VLANs configured with 802.1Q trunking, described more in Virtual LANs (VLANs). Multiple Ethernet interfaces are also used in some environments. High-volume LAN traffic environments with fewer filtering requirements may need layer 3 switches or ASIC-based routers instead.
WAN Router
pfSense software is a great solution for Internet Service Providers. It offers all the functionality required by most networks at a much lower price point than other commercial offerings.
2.3.3 Special Purpose Appliances
pfSense software can be utilized for less common deployment scenarios as a stand-alone appliance. Examples include: VPN appliance, Sniffer appliance, and DHCP server appliance.
VPN Appliance
pfSense software installed as a separate Virtual Private Network appliance adds VPN capabilities without disrupting the existing firewall infrastructure, and includes multiple VPN protocols.
Sniffer Appliance
pfSense software offers a web interface for the tcpdump packet analyzer. The captured .cap files are downloaded and analyzed in Wireshark.
See also:
For more information on using the packet capture features, see Packet Capturing.
DHCP Server Appliance
pfSense software can be deployed strictly as a Dynamic Host Configuration Protocol server; however, there are limitations of the pfSense software GUI for advanced configuration of the ISC DHCP daemon.
See also:
For more information on configuring the DHCP service on pfSense, see DHCP.
2.4 Interface Naming Terminology
All interfaces on pfSense® software can be assigned any name desired, but they all start with default names: WAN, LAN, and OPT.
2.4.1 WAN
Short for Wide Area Network, WAN is the untrusted public network outside of the firewall. In other words, the WAN interface is the firewall’s connection to the Internet or other upstream network. In a multi-WAN deployment, WAN is the first or primary Internet connection.
At a minimum, the firewall must have one interface, and that is WAN.
2.4.2 LAN
Short for Local Area Network, LAN is commonly the private side of a firewall. It typically utilizes a private IP address scheme for local clients. In small deployments, LAN is typically the only internal interface.
2.4.3 OPT
OPT or Optional interfaces refer to any additional interfaces other than WAN and LAN. OPT interfaces can be additional LAN segments, WAN connections, DMZ segments, interconnections to other private networks, and so on.
2.4.4 DMZ
Short for the military term demilitarized zone, DMZ refers to the buffer between a protected area and a war zone. In networking, it is an area where public servers are reachable from the Internet via the WAN but isolated from the LAN. The DMZ keeps the systems in other segments from being endangered if the network is compromised, while also protecting hosts in the DMZ from other local segments and the Internet in general.
Warning: Some companies misuse the term “DMZ” in their firewall products as a reference to 1:1 NAT on the WAN IP address which exposes a host on the LAN. For more information, see 1:1 NAT on the WAN IP, aka “DMZ” on Linksys.
2.4.5 FreeBSD interface naming
The name of a FreeBSD interface starts with the name of its network driver. It is then followed by a number starting at 0 that increases incrementally by one for each additional interface sharing that driver. For example, a common driver used by Intel gigabit network interface cards is igb. The first such card in a firewall will be igb0, the second is igb1, and so on. Other common driver names include cxl (Chelsio 10G), em (also Intel 1G), ix (Intel 10G), bge (various Broadcom chipsets), amongst numerous others. If a system mixes an Intel card and a Chelsio card, the interfaces will be igb0 and cxl0 respectively.
See also:
Interface assignments and naming are further covered in Installing and Upgrading.
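As an added illustration of the driver-plus-unit naming rule above (example code written for this page, not code from the pfSense project or its documentation), the functions below split names such as igb0 or cxl0 into driver and unit number, group the interfaces a system reports by driver, and check a saved role-to-interface assignment against the names actually present. The sample interface list is constructed to look like the space-separated output of `ifconfig -l` on FreeBSD, and the WAN/LAN/OPT1 assignment table is made up; VLAN child interfaces written as parent.tag are skipped because they do not follow the driver-plus-unit rule.

```python
"""Parse FreeBSD interface names of the kind pfSense uses (driver name + unit).

Added example, not code from the pfSense project or documentation. It follows
the rule described in the text: a driver name followed by a unit number that
starts at 0 and increases by one per device sharing that driver.
"""
import re
from collections import defaultdict

# driver name (letters only) followed by the unit number, e.g. igb0, cxl0, em1
_IFNAME_RE = re.compile(r"^([a-z]+)(\d+)$")


def parse_ifname(name: str):
    """Split "igb0" into ("igb", 0).

    Returns None for names that do not fit the driver+unit rule, such as the
    VLAN child interface "igb0.100"; callers decide whether to skip or reject.
    """
    m = _IFNAME_RE.match(name)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def group_by_driver(ifconfig_l_output: str) -> dict:
    """Map driver name -> sorted unit numbers, e.g. {"igb": [0, 1], "cxl": [0]}.

    Pseudo-interfaces such as lo0 or pfsync0 follow the same pattern and are
    grouped as well; the caller decides which drivers it cares about.
    """
    groups = defaultdict(list)
    for name in ifconfig_l_output.split():
        parsed = parse_ifname(name)
        if parsed is None:
            continue  # VLAN child or other derived name, not a physical unit
        driver, unit = parsed
        groups[driver].append(unit)
    return {driver: sorted(units) for driver, units in groups.items()}


def check_assignment(assignment: dict, ifconfig_l_output: str) -> list:
    """Return the roles (WAN, LAN, OPT1, ...) whose assigned interface is absent.

    A saved assignment refers to interfaces by these driver+unit names, so a
    hardware change that removes a card leaves a role pointing at a name the
    kernel no longer reports.
    """
    present = set(ifconfig_l_output.split())
    return sorted(role for role, ifname in assignment.items() if ifname not in present)


# Constructed sample: two Intel igb ports and one Chelsio cxl port, plus the
# loopback and pfsync pseudo-interfaces and one VLAN child (skipped).
SAMPLE_IFCONFIG_L = "igb0 igb1 cxl0 lo0 pfsync0 igb1.100"
# Constructed saved assignment: OPT1 still points at a third igb port that is
# no longer installed.
SAMPLE_ASSIGNMENT = {"WAN": "igb0", "LAN": "igb1", "OPT1": "igb2"}

if __name__ == "__main__":
    print("interfaces by driver:", group_by_driver(SAMPLE_IFCONFIG_L))
    print("roles with missing interface:", check_assignment(SAMPLE_ASSIGNMENT, SAMPLE_IFCONFIG_L))
```

Running the block as a script prints the per-driver grouping and reports OPT1 as the role whose interface is missing, which is the situation the Installing and Upgrading chapter's interface assignment material deals with.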
2.5 Finding Information and Getting Help
This section offers guidance on finding information in this documentation, on pfSense® software in general, as well as providing further resources.
2.5.1 Finding Information
The search function on the documentation is the easiest way to find information on a specific topic. The most common features and deployments of pfSense software are covered in this documentation. When reading the HTML version of the documentation, the search function is in the upper left of the page. When reading an eBook style copy, consult the documentation for the book reader software for information on how to search.
There is a wealth of additional information and user experiences available on the various Netgate websites. The best way to search the sites is a Google search appending site:netgate.com to the query. This will search the website, forum, documentation, etc. which are all official sources of information.
2.5.2 Getting Help
A help icon is available on almost every page and links to the associated page in the documentation.
Netgate offers several other ways to get help with pfSense software, including the Netgate Forum and this documentation. There is also a pfSense subreddit where community members can assist each other. More information can be found on the Netgate website at Obtaining Support. Many of these links are reachable from the Help menu in the GUI.
2.6 Comparison to Commercial Alternatives
The question of security and support vs. commercial alternatives comes up from time to time. The history of this project since its inception in 2004 proves we’re as secure as any, and better than many, commercial alternatives. The experiences of our customers prove not only can we match the service of any commercial firewall vendor, we exceed it. This page serves to debunk the common myths when comparing to commercial alternatives.
2.6.1 “Hardware” firewalls are better myth
Commercial firewall companies’ marketing departments have done a fine job ingraining the myth of “hardware firewalls” into some people’s minds. The reality is there is no such thing as a “hardware firewall.” All firewalls are hardware that runs software. Most commercial firewalls are based on BSD (same as pfSense®) or Linux. Numerous commercial firewalls run many of the same underlying software programs that pfSense software uses. Many commercial alternatives run on x86 hardware that’s no different from what people use for pfSense software. In fact many people have loaded pfSense software on hardware that used to run their commercial firewall, including Watchguard, Nortel, Barracuda and more.
2.6.2 Open source is insecure myth
Some people are of the mindset that because the source is open, it’s insecure because everyone can see how it works. Anyone who has paid any attention to security over the past 20 years knows the absurdity of that statement. No software relies on the obscurity of source code for security. If there was any truth in that, Microsoft Windows would be the most secure OS ever created, when the reality is all of the open source operating systems (all the BSDs and Linux) have security track records that are worlds better than Windows’. History proves the same applies to any software. Internet Explorer is continually hit with major security holes that many times take weeks to patch while they’re being exploited in the wild, while open source browsers Firefox, Chrome and others have had significantly better security track records.
The widespread UPnP vulnerabilities announced in 2013 affecting over 300 commercial products are another good example. The vendors of hundreds of commercial products made extremely basic security mistakes, shipping with absurdly insecure defaults, and shipping outdated software. That’s never been an issue with pfSense software. That’s only one example of where pfSense software has done a better job than many commercial vendors.
2.6.3 Commercial alternatives have better support myth
With some open source projects, it’s true that a user is stuck if they need help. Netgate offers commercial support for pfSense software, Netgate TAC, that rivals anything any other commercial vendor offers.
2.7 Can pfSense software meet regulatory requirements
Prospective pfSense® users commonly inquire about the ability to meet security requirements applicable to their specific environments. Some of those include PCI, SOX, GLBA, HIPAA, amongst numerous other similar regulations for publicly traded companies, financial institutions, healthcare institutions, and others.
There are numerous companies in many regulated industries using pfSense software that pass their audits with no problems, including all of the aforementioned regulations/standards amongst others. However it’s important to keep in mind that a firewall is a small portion of the security infrastructure, and those regulations are more about policies, procedures, and configuration than the actual products being used.
So yes, pfSense software can meet regulatory requirements, but that is dependent on configuration, policies, procedures, amongst other things - there is no compliance silver bullet. There may be circumstances specific to one company that make another product a better fit for compliance (or other) reasons, but that’s true of all commercial and open source solutions; there is no one product that is a perfect fit for everyone.
2.8 Can I sell pfSense software
Many consulting companies offer solutions based on pfSense® software to their customers. A business or individual can load pfSense software for themselves, friends, relatives, employers, and, yes, even customers, so long as the Trademark Guidelines and Apache 2.0 license requirements as detailed on the website are obeyed by all parties involved.
What cannot be offered is a commercial redistribution of pfSense® software; for example, the guidelines do not permit someone to offer “Installation of pfSense® software” as a service or to sell a device pre-loaded with pfSense® software to customers without the prior express written permission of ESF pursuant to the trademark policy.
Example 1: A consultant may offer firewall services (e.g. “Fred’s Firewalls”), without mentioning pfSense® software or using the logo in their advertising, marketing material, and so on. They can install pfSense® software and manage it for their customers.
Example 2: Fred’s Firewalls may make a customized distribution of pfSense® software with their own name and logo used in place of the pfSense marks. They can use the pfSense marks to truthfully describe the origin of the software, such as “Fred’s Firewall software is derived from the pfSense CE source code.” Even though Fred’s Firewall is based on pfSense® software, it cannot be referred to as “pfSense® software” since it has been modified.
Example 3: Fred’s Firewalls may sell their customized firewall distribution pre-loaded on systems to customers, so long as the relationship to pfSense software is clearly stated.
The Apache 2.0 license only applies to the software and not the pfSense name and logo, which are trademarks and may not be used without a license. Reading and understanding the trademark policy document is required before one considers selling pfSense software.
2.8.1 Contributing Back to the Project
We ask anyone profiting by using pfSense software to contribute to the project in some fashion, ideally with the level of contributions from a business or individual corresponding to the amount of financial gain received from use of pfSense software. Many paths exist for resellers and consultants to contribute. For the long term success of the project this support is critically important.
• Purchase hardware and merchandise from the Netgate Store.
• Become a Netgate Partner to resell Netgate hardware pre-loaded with pfSense software.
• Development contributions - Dedicate a portion of internal developers’ time to open source development.
• Help with support and documentation - Assisting users on the forum and mailing list, or contributing documentation changes, aids the overall project.
• Support subscription via Netgate TAC - Having direct access to our team for any questions or deployment assistance helps ensure success.
2.8.2 Using the pfSense Name and Logo
The “pfSense” name and logo are trademarks of Electric Sheep Fencing, LLC.
The pfSense software source code is open source and covered by the Apache 2.0 license. That license only covers the source code and not our name and trademarks, which have restricted usage.
We think it is great that people want to promote and support the pfSense project. At the same time, we also need to verify that what is referred to as “pfSense” is a genuine instance of pfSense software and not modified in any way.
• The pfSense name and logo MAY NOT be used physically on a hardware device.
– For example: A sticker, badge, etching, or similar rendering of the pfSense name or logo is NOT allowed.
• The pfSense logo MAY NOT be used on marketing materials or in other ways without a license, including references on websites.
• The pfSense name MAY be used to describe the case that a product is based on a pfSense distribution, but the designated product name may not include pfSense or a derivative. Basically stating facts regarding product origin is acceptable. Anything that implies that a product is endorsed by or made by ESF or the pfSense project is not allowed.
Examples:
– “Blahsoft Fireblah based on pfSense software” – Acceptable
– “Blahsoft pfSense Firewall” – NOT Allowed
• ONLY an UNMODIFIED version of pfSense software can still be called “pfSense software”.
– If the source code has been changed, compiled/rebuilt separately, included extra file installations such as themes or add-on scripts, or any other customizations, it cannot be called “pfSense software”; it must be called something else.
– Trademark protection aside, this requirement preserves the integrity and reputation of the pfSense project. It also prevents unverified changes that may be questionably implemented from being attributed to pfSense.
• If a pfSense distribution is modified, the resulting software CANNOT be called “pfSense” or anything similar. The new name must be distinct from pfSense. Trademark law does not allow use of names or trademarks that are confusingly similar to the pfSense Marks. This means, among other things, that law forbids using a variation of the pfSense Marks, their phonetic equivalents, mimicry, wordplay, or abbreviation with respect to similar or related projects, products, or services (for example, “pfSense Lifestyle,” “PFsense Community,” “pf-Sense Sensibility,” “pfSensor”, etc., all infringe on ESF’s rights).
Examples:
– “pfSomething”, or “somethingSense” – INFRINGING references
– “ExampleWall”, “FireWidget” – NON-Infringing references
• The “pfSense” name MAY NOT be used in a company name or similar. A company CANNOT be named “pfSense Support, Ltd” or “pfSense Experts, LLC”, or use it in a domain name or subdomain reference. However, the company can state support for pfSense software, offer training for pfSense software, etc.
• There MUST be a distinction between a company name and pfSense or Electric Sheep Fencing, LLC. No relationship or endorsement can be stated or implied between the two companies, unless we have explicitly licensed and agreed to such a statement.
The pfSense® Project is a free open source customized distribution of FreeBSD tailored for use as a firewall and router entirely managed by an easy-to-use web interface. This web interface is known as the web-based GUI configurator, or WebGUI for short. No FreeBSD knowledge is required to deploy and use pfSense software. In fact, the majority of users have never used FreeBSD outside of pfSense software. In addition to being a powerful, flexible firewalling and routing platform, pfSense software includes a long list of related features. The pfSense software package system allows further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense software is a popular project with millions of downloads since its inception and hundreds of thousands of active installations. It has been proven successful in countless installations ranging from single computer protection in small home networks to thousands of network devices in large corporations, universities and other organizations.
To download the latest version, see previous versions, or to upgrade, follow the guides located on the pfSense downloads page.
2.9 Project Inception
pfSense software was forked from the m0n0wall open source project in 2004. m0n0wall was focused specifically on providing a firewall/router for embedded devices and was sized for limited hardware resources. Initially pfSense software aimed at providing a firewall/router solution with an expanded set of capabilities on larger PC and server style hardware. pfSense software has continued to evolve over time, providing firewall, router, VPN, IDS/IPS, and more capabilities that work well on hardware from small home office size devices to large service provider size servers.
CHAPTER THREE: RELEASES
This section contains information about past and present releases of pfSense® software. This includes release notes and detailed version information.
• General Release Information
• Current and Upcoming Supported Releases
– pfSense Plus Software
– pfSense CE Software
• Older/Unsupported Releases
– pfSense Plus Software
– pfSense CE Software
3.1 General Release Information
3.1.1 Versions of pfSense software and FreeBSD
The tables in this document contain detailed information on pfSense® software releases.
Versions are grouped by major/minor number changes so they are easier to locate. The most recent versions are listed first, and the rest are in descending order by release date.
• pfSense Plus software
• pfSense CE software
• Legend
• Understanding pfSense Plus and CE software version numbers
pfSense Plus software

23.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 23.01 | | TBD | 22.8 | 14.0-CURRENT@aec9453fec7 | plus-RELENG_23_01 |

22.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 22.05.1 | | 2022-12-06 | 22.7 | 12.3-STABLE@5f81a4619dcf | plus-RELENG_22_05_1 |
| 22.05 | | 2022-06-26 | 22.7 | 12.3-STABLE@5f81a4619dcf | plus-RELENG_22_05 |
| 22.01 | | 2022-02-14 | 22.2 | 12.3-STABLE@ef1e43df92c6 | plus-RELENG_22_01 |

21.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 21.05.2 | | 2021-10-26 | 21.7 | 12.2-STABLE@424f6363927 | plus-RELENG_21_05_2 |
| 21.05.1 | | 2021-08-05 | 21.7 | 12.2-STABLE@424f6363927 | plus-RELENG_21_05_1 |
| 21.05 | | 2021-06-02 | 21.7 | 12.2-STABLE@424f6363927 | plus-RELENG_21_05 |
| 21.02.2 | | 2021-04-13 | 21.5 | 12.2-STABLE@f4d0bc6aa6b | plus-RELENG_21_02_2 |
| 21.02-p1 | | 2021-02-25 | 21.4 | 12.2-STABLE@f4d0bc6aa6b | plus-RELENG_21_02 |
| 21.02 | | 2021-02-17 | 21.4 | 12.2-STABLE@f4d0bc6aa6b | plus-RELENG_21_02 |
pfSense CE software

2.7.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.7.0 | | TBD | 22.8 | 14.0-CURRENT@aec9453fec7 | RELENG_2_7_0 |

2.6.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.6.0 | | 2022-02-14 | 22.2 | 12.3-STABLE@ef1e43df92c6 | RELENG_2_6_0 |

2.5.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.5.2 | | 2021-07-07 | 21.7 | 12.2-STABLE@f4d0bc6aa6b | RELENG_2_5_2 |
| 2.5.1 | | 2021-04-13 | 21.5 | 12.2-STABLE@f4d0bc6aa6b | RELENG_2_5_1 |
| 2.5.0 | | 2021-02-17 | 21.4 | 12.2-STABLE@f4d0bc6aa6b | RELENG_2_5_0 |
2.4.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.4.5-p1 | | 2020-06-09 | 19.1 | 11.3-STABLE@r357046 | RELENG_2_4_5 |
| 2.4.5 | | 2020-03-26 | 19.1 | 11.3-STABLE@r357046 | RELENG_2_4_5 |
| 2.4.4-p3 | | 2019-05-20 | 19.1 | 11.2-RELEASE-p10 | RELENG_2_4_4 |
| 2.4.4-p2 | | 2019-01-07 | 18.9 | 11.2-RELEASE-p4 | RELENG_2_4_4 |
| 2.4.4-p1 | | 2018-12-03 | 18.9 | 11.2-RELEASE-p4 | RELENG_2_4_4 |
| 2.4.4 | | 2018-09-24 | 18.8 | 11.2-RELEASE-p3 | RELENG_2_4_4 |
| 2.4.3-p1 | | 2018-05-14 | 18.0 | 11.1-RELEASE-p10 | RELENG_2_4_3 |
| 2.4.3 | | 2018-03-29 | 17.9 | 11.1-RELEASE-p7 | RELENG_2_4_3 |
| 2.4.2-p1 | | 2017-12-14 | 17.3 | 11.1-RELEASE-p6 | RELENG_2_4_2 |
| 2.4.2 | | 2017-11-20 | 17.3 | 11.1-RELEASE-p4 | RELENG_2_4_2 |
| 2.4.1 | | 2017-10-24 | 17.3 | 11.1-RELEASE-p2 | RELENG_2_4_1 |
| 2.4 | | 2017-10-12 | 17.0 | 11.1-RELEASE-p1 | RELENG_2_4_0 |
2.3.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.3.5-p2 | | 2018-05-14 | 15.8 | 10.3-RELEASE-p26 | RELENG_2_3_5 |
| 2.3.5-p1 | | 2017-12-14 | 15.8 | 10.3-RELEASE-p26 | RELENG_2_3_5 |
| 2.3.5 | | 2017-10-31 | 15.8 | 10.3-RELEASE-p20 | RELENG_2_3_5 |
| 2.3.4-p1 | | 2017-07-20 | 15.8 | 10.3-RELEASE-p19 | RELENG_2_3_4 |
| 2.3.4 | | 2017-05-04 | 15.8 | 10.3-RELEASE-p19 | RELENG_2_3_4 |
| 2.3.3-p1 | | 2017-03-09 | 15.8 | 10.3-RELEASE-p17 | RELENG_2_3_3 |
| 2.3.3 | | 2017-02-20 | 15.8 | 10.3-RELEASE-p16 | RELENG_2_3_3 |
| 2.3.2 | | 2016-07-19 | 15.5 | 10.3-RELEASE-p5 | RELENG_2_3_2 |
| 2.3.1 | | 2016-05-18 | 15.4 | 10.3-RELEASE-p3 | RELENG_2_3_1 |
| 2.3 | | 2016-04-12 | 15.0 | 10.3-RELEASE | RELENG_2_3_0 |

2.2.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.2.6 | | 2015-12-21 | 12.0 | 10.1-RELEASE-p25 | RELENG_2_2 |
| 2.2.5 | | 2015-11-05 | 12.0 | 10.1-RELEASE-p24 | RELENG_2_2 |
| 2.2.4 | | 2015-07-26 | 11.9 | 10.1-RELEASE-p15 | RELENG_2_2 |
| 2.2.3 | | 2015-06-24 | 11.7 | 10.1-RELEASE-p13 | RELENG_2_2 |
| 2.2.2 | | 2015-04-15 | 11.7 | 10.1-RELEASE-p9 | RELENG_2_2 |
| 2.2.1 | | 2015-03-17 | 11.7 | 10.1-RELEASE-p6 | RELENG_2_2 |
| 2.2 | | 2015-01-23 | 11.6 | 10.1-RELEASE-p4 | RELENG_2_2 |
2.1.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.1.5 | | 2014-08-27 | 10.1 | 8.3-RELEASE-p16 | RELENG_2_1 |
| 2.1.4 | | 2014-06-25 | 10.1 | 8.3-RELEASE-p16 | RELENG_2_1 |
| 2.1.3 | | 2014-05-02 | 10.1 | 8.3-RELEASE-p16 | RELENG_2_1 |
| 2.1.2 | | 2014-04-10 | 10.1 | 8.3-RELEASE-p14 | RELENG_2_1 |
| 2.1.1 | | 2014-04-04 | 10.1 | 8.3-RELEASE-p14 | RELENG_2_1 |
| 2.1 | | 2013-09-15 | 9.8 | 8.3-RELEASE-p11 | RELENG_2_1 |

2.0.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 2.0.3 | | 2013-04-15 | 8.0 | 8.1-RELEASE-p13 | RELENG_2_0 |
| 2.0.2 | | 2012-12-21 | 8.0 | 8.1-RELEASE-p13 | RELENG_2_0 |
| 2.0.1 | | 2011-12-20 | 8.0 | 8.1-RELEASE-p6 | RELENG_2_0 |
| 2.0 | | 2011-09-17 | 8.0 | 8.1-RELEASE-p4 | RELENG_2_0 |

1.2.x

| Version | Support | Released | Config Rev | FreeBSD Version | Branch |
|---|---|---|---|---|---|
| 1.2.3 | | 2009-12-10 | 3.0 | 7.2-RELEASE-p5 | RELENG_1_2 |
| 1.2.2 | | 2009-01-09 | 3.0 | 7.0-RELEASE-p8 | RELENG_1_2 |
| 1.2.1 | | 2008-12-26 | 3.0 | 7.0-RELEASE-p7 | RELENG_1_2 |
| 1.2 | | 2008-02-25 | 3.0 | 6.2-RELEASE-p11 | RELENG_1_2 |
Legend
Version: The pfSense Plus or CE software version number. When possible, the version number links to the release notes detailing what was changed in that particular release.
See also: See Understanding pfSense Plus and CE software version numbers later in this document for an explanation of the version number formats.
Support: The support status, one of:
• Current supported release
• Previous unsupported release
• Future release
TBD: To Be Determined, not yet known.
Released: The date a specific version of pfSense software was released to the public.
Config Rev: The internal config.xml revision number, which indicates changes to the configuration format that may make a configuration file incompatible with older versions.
FreeBSD Version: Each version of pfSense software is based on a specific version of FreeBSD. The underlying FreeBSD version is listed for each corresponding version of pfSense software.
Branch: A link to the pfSense software source code branch used to build a specific release.
Understanding pfSense Plus and CE software version numbers
pfSense Plus and CE software utilize different version number formats. This makes it easier to distinguish between
them and also makes it clear that the releases do not necessarily happen at the same time, even if they share a common
code base.
pfSense Plus software version numbers use the format <year>.<month>.<patch> where the <patch> suffix
is omitted when the value is 0. This version numbering scheme follows the format used by TNSR software, also
produced by Netgate, which in turn is modeled after the version format used by the Linux Foundation FD.io project.
This change happened at the start of 2021 when the name changed from “pfSense Factory Edition” to “pfSense Plus”.
pfSense CE software version numbers use the format <major>.<minor>.<patch>, and each component is
present even if the value is 0. This version numbering scheme is similar to the format used by FreeBSD software. In
the past, this format was also used for releases of pfSense Factory Edition software before it was renamed to pfSense
Plus.
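The two numbering schemes above matter in practice when checking an inventory of firewalls against a release note (for example, "is every Plus install at or above 23.01?"), because a naive string or float comparison gets 22.05.1 versus 22.05 and 23.01 versus 2.7.0 wrong. The following script is an added example, not code from the pfSense project: it parses both formats as the documentation describes them and refuses to order a Plus number against a CE number. Inferring the edition from the string shape alone (a two-digit first field of 21 or later with a month of 01 to 12) is an assumption of this example, and the host inventory it runs on is constructed.

```python
"""Parse and compare pfSense Plus and CE version strings.

Added example, not code from the pfSense project. Plus uses
<year>.<month>[.<patch>] with the patch omitted when it is 0; CE uses
<major>.<minor>.<patch> with every component present. Telling the editions
apart from the string shape alone is an assumption of this example."""
import re

PLUS_RE = re.compile(r"^(\d{2})\.(\d{2})(?:\.(\d+))?$")
CE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (edition, (a, b, patch)); a missing Plus patch suffix reads as 0."""
    text = text.strip()
    m = PLUS_RE.match(text)
    # The Plus scheme started in 2021, so the first field is >= 21 (assumption).
    if m and int(m.group(1)) >= 21 and 1 <= int(m.group(2)) <= 12:
        return "plus", (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = CE_RE.match(text)
    if m:
        return "ce", tuple(int(g) for g in m.groups())
    raise ValueError(f"unrecognised pfSense version: {text!r}")


def at_least(installed, required):
    """True when `installed` is the same edition as `required` and not older.

    Cross-edition comparisons are refused: the two schemes are unrelated even
    though the editions share a code base, so one number cannot be ordered
    against the other."""
    ed_i, v_i = parse_version(installed)
    ed_r, v_r = parse_version(required)
    if ed_i != ed_r:
        raise ValueError(f"cannot compare {ed_i} {installed} with {ed_r} {required}")
    return v_i >= v_r


def outdated(inventory, required):
    """Split {host: version} into hosts older than `required` and hosts that
    could not be compared (other edition or unparseable string)."""
    older, skipped = [], []
    for host, version in inventory.items():
        try:
            if not at_least(version, required):
                older.append(host)
        except ValueError:
            skipped.append(host)
    return older, skipped


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    fleet = {"fw-a": "22.05", "fw-b": "22.05.1", "fw-c": "23.01", "fw-d": "2.6.0"}
    print(outdated(fleet, "23.01"))  # (['fw-a', 'fw-b'], ['fw-d'])
```

Hosts reported in the second list need a separate check against the CE release line; the script deliberately does not guess which CE release corresponds to a given Plus release.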
3.2 Current and Upcoming Supported Releases
3.2.1 pfSense Plus Software
23.01 New Features and Changes
This is a regularly scheduled software release including new features and bug fixes.
General
• PHP has been upgraded from 7.4 to 8.1
• The base operating system has been upgraded to FreeBSD 14-CURRENT
Warning: As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:
– 3DES Encryption
– Blowfish Encryption
– CAST 128 Encryption
– MD5 HMAC Authentication
The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade
to ensure a smoother transition.
On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration.
The upgrade process will disable tunnels if they have no valid encryption or authentication options remain-
ing. The upgrade process will notify the user of any changes it makes.
This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use
TCP-MD5 authentication.
• A long-standing, difficult-to-reproduce crash in Unbound during reloading has been addressed. Christian
McDonald tracked down the source of the Unbound SIGHUP crashes to a reference counting bug within the
MaxMindDB Python module. Both a patch to MaxMind and a port revision to FreeBSD ports were submitted
and accepted, and the fix is included in the 23.01 release. It is now safe again to enable DHCP registration
alongside Unbound Python mode in pfBlockerNG.
• In addition to the Unbound crash, Christian also identified a memory leak with DHCP registration and Un-
bound Python mode (#10624). This is largely mitigated by updates to Python and related libraries, but
additional work is ongoing to resolve it fully in a future release.
• Due to #13507, batch copying rules between interfaces on a previous release may have created multiple rules
with the same internal tracker ID. This issue has been corrected, but any rules with duplicate IDs must be
corrected manually (e.g. by deleting and re-copying or re-creating the rules).
• The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall
pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.
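Two of the items above (IPsec tunnels still using algorithms removed by the FreeBSD upgrade, and firewall rules that share a tracker ID) can be checked against a config.xml backup before the upgrade is started, so that tunnels are reconfigured deliberately rather than disabled by the upgrade process. The script below is an added example, not part of pfSense software. The element names it looks for (ipsec/phase1/encryption/item, phase2/encryption-algorithm-option and hash-algorithm-option, filter/rule/tracker) and the algorithm identifiers are assumptions about the config.xml layout, and the sample configuration is constructed.

```python
"""Pre-upgrade audit of a pfSense config.xml backup for two 23.01 items:
IPsec proposals using removed algorithms (3DES, Blowfish, CAST 128, MD5 HMAC)
and firewall rules sharing an internal tracker ID.

Added example, not pfSense project code. Element names and algorithm
identifiers are assumptions about the config.xml layout; verify them
against your own backup before relying on the output."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Identifiers as assumed to appear in config.xml.
REMOVED_ENC = {"3des", "blowfish", "cast128"}
REMOVED_HASH = {"md5", "hmac_md5"}


def audit_ipsec(root):
    """Return (phase, ikeid, problem) tuples for every removed algorithm found.
    A phase 2 with no surviving encryption or hash option is flagged as well,
    since that is the case the upgrade process would disable."""
    findings = []
    ipsec = root.find("ipsec")
    if ipsec is None:
        return findings
    for p1 in ipsec.findall("phase1"):
        ikeid = p1.findtext("ikeid", "?")
        for item in p1.findall("encryption/item"):
            enc = (item.findtext("encryption-algorithm/name") or "").lower()
            hsh = (item.findtext("hash-algorithm") or "").lower()
            if enc in REMOVED_ENC:
                findings.append(("phase1", ikeid, enc))
            if hsh in REMOVED_HASH:
                findings.append(("phase1", ikeid, hsh))
    for p2 in ipsec.findall("phase2"):
        ikeid = p2.findtext("ikeid", "?")
        encs = [(e.findtext("name") or "").lower()
                for e in p2.findall("encryption-algorithm-option")]
        hashes = [(h.text or "").lower() for h in p2.findall("hash-algorithm-option")]
        findings += [("phase2", ikeid, e) for e in encs if e in REMOVED_ENC]
        findings += [("phase2", ikeid, h) for h in hashes if h in REMOVED_HASH]
        if encs and all(e in REMOVED_ENC for e in encs):
            findings.append(("phase2", ikeid, "NO-VALID-ENCRYPTION"))
        if hashes and all(h in REMOVED_HASH for h in hashes):
            findings.append(("phase2", ikeid, "NO-VALID-HASH"))
    return findings


def duplicate_trackers(root):
    """Return {tracker_id: [rule descriptions]} for IDs used by more than one rule."""
    seen = defaultdict(list)
    for rule in root.findall("filter/rule"):
        tracker = rule.findtext("tracker")
        if tracker:
            seen[tracker].append(rule.findtext("descr", ""))
    return {t: d for t, d in seen.items() if len(d) > 1}


def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {"ipsec": audit_ipsec(root), "duplicate_trackers": duplicate_trackers(root)}


# Constructed sample, not a real firewall configuration.
SAMPLE = """<pfsense>
  <ipsec>
    <phase1><ikeid>1</ikeid><encryption><item>
      <encryption-algorithm><name>3des</name><keylen></keylen></encryption-algorithm>
      <hash-algorithm>md5</hash-algorithm><dhgroup>14</dhgroup></item></encryption></phase1>
    <phase1><ikeid>2</ikeid><encryption><item>
      <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
      <hash-algorithm>sha256</hash-algorithm><dhgroup>14</dhgroup></item></encryption></phase1>
    <phase2><ikeid>1</ikeid>
      <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option></phase2>
  </ipsec>
  <filter>
    <rule><tracker>1600000001</tracker><descr>Allow LAN</descr></rule>
    <rule><tracker>1600000001</tracker><descr>Allow LAN (copy)</descr></rule>
    <rule><tracker>1600000002</tracker><descr>Block guest</descr></rule>
  </filter>
</pfsense>"""

if __name__ == "__main__":
    for section, result in audit(SAMPLE).items():
        print(section, result)
```

Run it against an exported backup rather than the live file. Phase 1 findings mean the tunnel will stop negotiating until it is reconfigured on both ends; a phase 2 flagged NO-VALID-ENCRYPTION or NO-VALID-HASH is one the upgrade would disable outright. Duplicate tracker IDs are not repaired automatically and have to be fixed by deleting and re-creating the affected rules.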
Note: On systems using ZFS, the first boot after the upgrade will appear to use more memory than normal because
of the large volume of filesystem activity that takes place during the upgrade process. This is harmless: the memory
is held by the ZFS ARC, which yields it as needed when other processes require more memory. Rebooting the firewall
after the upgrade completes returns the reported memory usage to a normal level.
Errata/Known Hardware Issues
• The Netgate 1000 does not function on FreeBSD 14 and as a consequence it is unable to upgrade to this release.
Attempting to check for updates on a Netgate 1000 device will print a notification to this effect. No other
models are impacted.
• The PCI bus in the Netgate 1100 and Netgate 2100 models does not currently function on 23.01. This was
never an advertised feature, though some users have taken advantage of it in the past. If a device relies on the
PCI bus, such as an add-on Wireless card, then consider the impact of upgrading to 23.01 where that will not be
available (NG 9622).
• Devices based on “ADI” or “RCC” hardware, such as the 4860, 8860, and potentially other similar models,
may have issues with the ichsmb0 and/or ehci0 devices encountering an interrupt loop, leading to higher
than usual CPU usage (NG 8916). This can typically be worked around by disabling the affected device. For
example, by placing the following in /boot/loader.conf.local:
hint.ichsmb.0.disabled=1
This does not affect the 2220, 2440 or XG-2758.
• There have been a small number of reports that pfSense Plus software version 23.01 installations using ZFS
will not boot in Hyper-V, though it works OK for others (#13895). Test in a lab or non-production environment
before attempting to deploy this version. In some cases removing the optical drive from the VM settings before
upgrading has allowed it to boot successfully.
• Azure instances now use Gen2 and currently do not have a functional serial console; developers are working to
address this in the next release.
• Devices using the i915 video driver require manual changes because FreeBSD moved the driver from the kernel
to a package. In most cases this driver is not necessary, but it can be helpful on some platforms for HDMI
hotplug support.
To continue using the driver on 23.01, after the upgrade completes run pkg install -y drm-510-kmod
from a shell. Then add the following line to /boot/loader.conf.local:
kld_list="i915kms"
Reboot the firewall after making the changes to activate the driver.
• There have been a small number of reports on non-Netgate hardware that accessing the GUI of a pfSense Plus
software installation over IPsec can trigger a kernel panic. Developers have not yet been able to reproduce
the crash, but there is a workaround for users encountering this problem: Create a system tunable entry to set
kern.ipc.mb_use_ext_pgs=0. See #13938 for details and alternate workarounds.
• Some devices have an issue with the serial console display of password protected consoles and other aspects
of the boot process, such as Boot Environment selection. The features may not render properly, but are still
functional. This is not a regression in 23.01 as it also happened on 22.05.x. This has been reported on Netgate
4100, Netgate 6100, and Netgate 8200 models. See #13455 for more information.
• Suricata has an issue processing passlist entries containing /31 subnets. Developers have a fix prepared for
testing which will be added to the package shortly after 23.01 releases. See #13920 for details.
pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
• Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296
• Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708
• Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282
• Added: Specify CA trust store location when downloading and validating URL alias content #13367
• Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration
#13538
• Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned
when deleting an in-use alias #13539
Authentication
• Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626
• Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356
• Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561
• Changed: Improve LDAP debugging #13718
Auto Configuration Backup
• Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266
• Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388
Backup / Restore
• Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during
restore #13132
• Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289
• Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861
• Fixed: RRD restore process does not sanitize filenames from backup XML #13935
Build / Release
• Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782
Captive Portal
• Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148
• Fixed: Voucher CSV output has leading space before voucher code #13272
• Fixed: Error dummynet: bad switch 21! when using Captive Portal with Limiters #13290
• Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323
• Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391
• Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396
• Fixed: Captive Portal does not keep track of client data usage #13418
• Fixed: All Captive Portal users are given the same limiter pipe pair #13488
• Fixed: Captive Portal blocked MAC addresses are not blocked #13747
• Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756
• Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838
• Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853
Certificates
• Fixed: CA path is not defined when using curl in the shell #12737
• Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm
#13257
• Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424
• Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437
Configuration Backend
• Fixed: Input validation is checking RAM disk sizes when they are inactive #13479
Console Menu
• Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already
exists for the interface #12632
• Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258
DHCP (IPv4)
• Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345
• Changed: Clean up DHCP Server option language #13250
• Added: Input validation for numbered DHCP options in static mappings #13584
• Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748
DHCP (IPv6)
• Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253
• Fixed: Advanced DHCP6 client settings only work for a single interface #13462
• Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is
reloaded #13594
• Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633
DNS Forwarder
• Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901
DNS Resolver
• Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624
• Fixed: Unbound crashes with signal 11 when reloading #11316
• Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver
#12612
• Fixed: DNS resolver does not update its configuration or reload during link down events #13254
• Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is
enabled #13393
• Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453
• Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867
• Changed: Update Unbound to 1.17.1 #13893
Dashboard
• Fixed: QAT detection on dashboard is incorrect if the driver does not attach #13674
• Fixed: APU1 hardware is not properly identified with current BIOS versions #13471
Diagnostics
• Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318
• Changed: Add multicast group membership (ifmcstat) to status.php #13731
Dynamic DNS
• Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
• Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167
• Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298
• Fixed: DNSExit Dynamic DNS updates no longer work #13303
FilterDNS
• Fixed: Resolve interval for filterdns may not match the configured value #13067
FreeBSD
• Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080
• Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716
Gateway Monitoring
• Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076
• Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295
Gateways
• Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected
#13228
Hardware / Drivers
• Fixed: Software VLAN tagging does not work on ixgbe(4) interfaces #13381
• Fixed: Intel i226 network interfaces do not honor a manually selected link speed #13529
IPsec
• Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
• Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373
• Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is estab-
lished #13398
• Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579
• Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647
• Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5
HMAC/Hashing) #13648
Interfaces
• Fixed: Primary interface address is not always used when VIPs are present #11545
• Added: Support for VLAN 0 #12070
• Fixed: Bridges with QinQ interfaces not properly set up at boot #13225
• Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493
• Changed: Clean up obsolete code in pfSense-dhclient-script #13501
• Fixed: Assigned bridge interfaces are not configured at boot #13666
• Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675
OpenVPN
• Fixed: OpenVPN DCO panics with short UDP packets #13338
• Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355
• Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed
#13358
• Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649
• Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30)
#13664
• Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to
display #13243
Operating System
• Fixed: Entries for net.link.ifqmaxlen duplicated in /boot/loader.conf #13280
• Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316
• Fixed: Memory leak in PF when retrieving Ethernet rules #13525
• Changed: Update Python 3.9.15 to 3.9.16 in base system #13865
• Changed: Add Python 3.11.1 to base system #13866
PHP Interpreter
• Added: Upgrade PHP from 7.4 to 8.1 #13446
• Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638
PPP Interfaces
• Fixed: Services are not restarted when PPP interfaces connect #12811
• Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307
Routing
• Added: Enable ROUTE_MPATH multipath routing #9544
Rules / NAT
• Fixed: Rule separator positions change when deleting multiple rules #9887
• Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry
which contains a defined prefix length #13240
• Fixed: The negate_networks table is duplicated in rules.debug #13308
• Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when
multiple choices are present #13310
• Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to
interface net #13364
• Fixed: PF can fail to load a new ruleset #13408
• Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420
• Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445
• Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505
• Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507
• Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545
• Fixed: Error creating port forward rule with port alias #13601
Traffic Shaper (ALTQ)
• Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304
UPnP/NAT-PMP
• Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500
User Manager / Privileges
• Fixed: RADIUS authentication not working over IPv6 #4154
Web Interface
• Fixed: Unnecessary link tag in login page #7996
• Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists
#11730
• Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without
making changes #12960
• Changed: Spelling and typo corrections #13357
• Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390
• Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some
fields #13436
• Changed: Update external HTTPS/HTTP links #13440
• Fixed: Table row selection has poor contrast in Dark theme #13448
• Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591
22.05/22.05.1 New Features and Changes
Version 22.05.1
pfSense Plus software version 22.05.1 is a special patch release which adds hardware support for the Netgate 8200 as
well as built-in dynamic repository support.
Important: The majority of pfSense Plus users will not need to run this version unless directed to do so by Netgate
TAC. This limited patch release is not currently offered as an upgrade from 22.05.
Version 22.05
This is a regularly scheduled release of pfSense® Plus software including new features and bug fixes.
General
• Added: OpenVPN Data Channel Offload (DCO) support (Plus only)
Warning: OpenVPN DCO is considered experimental at this time.
While testing has been successful in many scenarios during development, there is still a potential for instability or
undesirable behavior. Additionally, some OpenVPN features and use cases are still not compatible with DCO. See
Limitations for a list of known DCO limitations.
If a problem occurs with DCO, start a thread on the Netgate Forum to discuss and diagnose the issue.
• Added: ZFS Boot Environment (BE) snapshots support (Plus only)
• Changed: Captive Portal and Limiters now use only PF and not IPFW (Plus and CE)
pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
• Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727
• Added: Retain descriptions when exporting and importing aliases #12842
Authentication
• Added: GUI option to select the user password hashing algorithm #12855
• Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185
Backup / Restore
• Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556
• Added: Support encrypted config.xml files when restoring via ECL #12685
• Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724
• Added: Ability to sort AutoConfigBackup entries #12773
• Fixed: PHP error when upgrading from before configuration revision 21.6, ipsec_create_vtimap() is
undefined #13097
• Added: Option to restore dashboard widget layout #13125
• Fixed: PHP error restoring DHCP lease data on fresh installation #13157
CARP
• Changed: Reorganize CARP status page #12701
• Fixed: CARP event storm when leaving persistent CARP maintenance mode #12961
Captive Portal
• Fixed: Allowed IP/Hostname “Direction” option is never used #12649
• Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651
• Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733
• Fixed: Only TCP traffic is passed outbound through IPFW #12834
• Changed: Transition Captive Portal from IPFW to PF #13100
Certificates
• Added: Option to retain the existing serial number when renewing a CA or certificate #13010
Configuration Backend
• Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file
#12675
• Added: Eliminate duplicate shell commands from history file #12741
Configuration Upgrade
• Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973
Console Menu
• Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103
DHCP (IPv4)
• Fixed: Disabling DHCP Server RRD statistics does not work #12710
• Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892
• Fixed: HTTPClient option does not work for static mappings #12896
• Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923
• Fixed: DHCP network boot filename can be incorrectly placed in DHCP Pool Options #12986
• Added: Relax DHCP maximum lease time input validation #13118
• Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a
disabled interface remain in the configuration #13127
DHCP (IPv6)
• Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880
• Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527
• Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582
• Fixed: Uninitialized array in array_remove_duplicates() #12749
DNS Forwarder
• Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902
• Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline
#13105
DNS Resolver
• Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613
• Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636
• Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to the unbound.conf(5)
man page instead of the pfSense docs #12781
• Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay
of ~2 minutes if the firewall does not have Internet access #12985
• Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991
• Added: DNS Resolver option to keep probing when servers are down #13023
Dashboard
• Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253
• Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard
widget when nothing can be accelerated #12714
Diagnostics
• Fixed: diag_pftop.php does not fully encode output #12915
Dynamic DNS
• Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590
• Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672
• Added: IPv6 support for DNSimple Dynamic DNS #12744
• Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750
• Added: Support wildcard Dynamic DNS records on DigitalOcean #12752
• Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754
• Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761
• Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
• Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870
Gateway Monitoring
• Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633
• Added: Option to disable auto-addition of static routes for dpinger #12687
• Changed: Update dpinger to 3.2 #12881
Gateways
• Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing
daemon #11692
• Fixed: IPv6 link local gateway default status not indicated in GUI #11764
• Fixed: IPv6 gateway group using link-local addresses incorrectly logs a gateway change because it does not
include the interface scope properly #12721
• Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931
Hardware / Drivers
• Added: Chelsio TOE support using the t4_tom module #9091
• Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873
High Availability
• Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings
#12702
IGMP Proxy
• Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609
IPsec
• Added: Option to choose default tab in IPsec status Dashboard widget #2456
• Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226
• Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
• Fixed: Disallow remote gateway of 0.0.0.0 for VTI mode #12723
• Fixed: VTI gateway status stuck as “pending” after reboot #12763
• Changed: Update strongSwan #12934
• Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953
• Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975
• Added: GUI option for IPsec dns-interval setting #13057
• Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071
• Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131
Installer
• Fixed: Support encrypted config.xml files when restoring during install #12691
• Added: Recover existing SSH keys during installation #12809
Interfaces
• Added: Show SFP module details on status_interfaces.php #8861
• Added: Improved support for USB interfaces that may not always be present #9393
• Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629
• Fixed: devd is not configured to act on USB interface attach/detach events #12606
• Changed: Restart services on interface changes #12619
• Fixed: Interface status “Total Interrupts” display is non-functional #12735
• Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780
• Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790
• Fixed: Link-local address does not reset after removing MAC address spoofing #12794
• Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866
• Fixed: The ruleset is not regenerated after assigning an interface #12949
L2TP
• Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066
• Fixed: L2TP stays bound to previous IP address after static IP address change #13082
• Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099
LAGG Interfaces
• Added: GUI option to configure layers for LACP hash #12819
Notifications
• Fixed: Slack notification options only allow "-" as a special character in channel names #13083
OpenVPN
• Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416
• Fixed: OpenVPN stays bound to previous IP address after interface changes #11864
• Added: OpenVPN option to limit concurrent connections per user #12267
• Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332
• Added: Use deferred client connections in OpenVPN #12407
• Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628
• Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771
• Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817
• Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases
#12884
• Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network and “Bridge
DHCP” disabled #12887
• Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925
• Changed: Warn about OpenVPN shared key deprecation #12981
• Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled
#13056
• Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061
• Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116
• Changed: OpenVPN status page improvements #13129
• Fixed: OpenVPN client-connect file contains topology #13133
• Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145
• Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274
Operating System
• Fixed: pf hostid value is handled inconsistently #12703
• Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862
• Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868
PPP Interfaces
• Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092
PPPoE Server
• Fixed: PPPoE server panics with multiple client connections #13210
Package System
• Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105
• Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766
• Fixed: write_rcfile() does not create rc_restart() entry #13004
Packet Capture
• Added: Button to clear previous packet capture data #12968
Routing
• Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536
• Fixed: Cannot remove IPv6 static routes #12728
• Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route. #13048
Rules / NAT
• Added: Toggle button to disable/enable multiple firewall rules #2505
• Added: Port forward NAT rules with “any” protocol #4259
• Added: Allow NPt to use dynamic IPv6 networks #4881
• Added: Button to copy rules from one interface to another #8365
• Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984
• Added: Utilize new pfctl abilities to kill states #12092
• Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319
• Added: Allow the selection of “any” interface in floating rules #12392
• Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678
• Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792
• Fixed: Error loading ruleset due to illegal TOS value #12803
• Fixed: High latency and packet loss during a filter reload #12827
• Fixed: On startup “No routing address with matching address” might appear #12847
• Fixed: Some action buttons are always active for firewall rules, even if no rules are selected #12871
• Added: Toggle button to disable/enable multiple entries on NAT pages #12879
• Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957
• Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012
• Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015
• Fixed: Input validation requires a gateway for floating match out rules #13027
• Fixed: Empty negate_networks table breaks policy routing rules #13049
• Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055
• Added: Allow auto prefix with manual prefix-length in NPt #13070
• Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164
• Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171
• Fixed: Incorrect usage of DSCP hex value #13178
SNMP
• Fixed: SNMP daemon is restarted during every rc.newwanip event #12611
Services
• Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775
• Fixed: Stale sshdkeys.dirty lock file prevents generating SSH server keys #13139
Traffic Shaper (ALTQ)
• Changed: Remove code references to unused reset parameter from traffic shaper pages #13042
Traffic Shaper (Limiters)
• Fixed: Incorrect ICMP reply when using limiters #9263
• Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003
• Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579
• Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954
Traffic Shaper Wizards
• Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937
• Fixed: Traffic shaper wizard rewrites Mbits to Kbits #13086
UPnP/NAT-PMP
• Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port. #7727
• Changed: Reorganize UPnP options #12624
Unknown
• Fixed: Many exec() functions do not use full path to executable files #11941
Upgrade
• Fixed: Upgrade does not work when using only IPv6 DNS servers #13162
User Manager / Privileges
• Fixed: Icon missing for user manager entries with a scope other than “user” #13174
Web Interface
• Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141
• Fixed: Zero-value prefix IPv6 addresses are mishandled #12440
• Added: Option to filter state table contents by rule ID #12616
• Fixed: Changing RAM disk size does not prompt to reboot #12876
• Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069
• Added: Trim whitespace from MAC addresses in user input #13109
Wireless
• Fixed: Wireless interface WPA configuration fields are always visible #12998
• Fixed: Duplicate wireless interfaces are created at boot #12999
XMLRPC
• Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940
22.01/2.6.0 New Features and Changes
This is a regularly scheduled release of pfSense® CE and pfSense Plus software including new features, additional hardware support, and bug fixes.
Warning: When upgrading to pfSense Plus 22.01 and later versions, the pfSense-upgrade process will forcefully reinstall all operating system packages and add-on packages to ensure a consistent state and package set. This may increase the time the upgrade will take to download and install.
Security
This release includes corrections for the following vulnerabilities in pfSense software:
• pfSense-SA-22_01.webgui (File overwrite in services_ntpd_gps.php, #12191)
• pfSense-SA-22_02.webgui (Potential vulnerabilities with route collection on diag_routes.php, #12257)
• pfSense-SA-22_03.webgui (Potential vulnerabilities in OpenVPN form validation, #12677)
• pfSense-SA-22_04.webgui (XSS in pkg.php, #12725)
Errata
• There is a patch available to improve NAT behavior for UPnP and multiple game consoles or clients playing the same game, but the fix was discovered too late for it to be included in 22.01/2.6.0.
For additional details and instructions on how to apply the patch, see Redmine issue #7727 note #74 and #75, the Github commit, and the forum thread for testing feedback.
General
• This release contains several significant changes to IPsec for stability and performance. Read the IPsec section of this document carefully.
Warning: IPsec VTI interface names have changed in this release. Configurations will be updated automatically where possible to use the new names.
Check the interface names of assigned VTI instances under Interfaces > Assignments to ensure they are correct after the upgrade completes.
If any third party software configurations or other manual changes referenced the old IPsec VTI interface names directly (e.g. ipsecNNNN) they must be updated to the new format.
• ZFS is now the default filesystem for new installations of pfSense Plus and pfSense CE software on all platforms which support booting from ZFS.
– It is not possible to change from UFS to ZFS in place; a reinstallation of pfSense Plus or CE is required to migrate from UFS to ZFS.
– The ZFS pool name and datasets have also been updated and optimized. Users who were already using ZFS may want to reinstall as well to ensure they have the most optimal disk layout.
– pfSense Plus software has a new ZFS dashboard widget to track the status of disks using ZFS.
• Log Compression for rotation of System Logs is now disabled by default for new ZFS installations as ZFS performs its own compression.
Tip: The best practice is to disable Log Compression for rotation of System Logs manually for not only existing ZFS installations, but also for any system with slower CPUs. This setting can be changed under Status > System Logs on the Settings tab.
• The default password hash format in the User Manager has been changed from bcrypt to SHA-512. New users created in the User Manager will have their password stored as a SHA-512 hash. Existing user passwords will be changed to SHA-512 next time their password is changed.
Note: User Manager passwords are only stored as a hash, thus existing users cannot be automatically changed to the new format. To convert a user password from an older hash format, change the password for the user in the User Manager.
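The note above is the reason an administrator cannot migrate hashes in bulk: with only the digest on disk, a new SHA-512 hash can be computed only from the plaintext the user supplies at the next password change. What an administrator can do is find out which accounts are still on the old format. The following added example (not code from the pfSense project or this documentation) parses a config.xml-style user block and classifies each stored hash by its modular-crypt prefix. The XML is constructed for the demonstration, the hash strings are synthetic placeholders, and the element names `<bcrypt-hash>` and `<sha512-hash>` are assumed to match what pfSense writes.

```python
"""Audit which User Manager accounts still carry a pre-2.6.0 password hash.

Added example, not part of the pfSense documentation or code base. The
sample config is constructed; hash values are placeholders, not real digests.
Element names <bcrypt-hash> / <sha512-hash> are assumed to match pfSense's
config.xml layout.
"""
import xml.etree.ElementTree as ET

# Modular-crypt prefixes and the scheme each denotes.
HASH_SCHEMES = {
    "$6$": "sha512-crypt",   # default from 22.01/2.6.0 onward
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$1$": "md5-crypt",
}
CURRENT_SCHEME = "sha512-crypt"

# Constructed sample: one legacy bcrypt user, one already on SHA-512,
# and one with no recognisable hash element at all.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <user>
      <name>admin</name>
      <scope>system</scope>
      <bcrypt-hash>$2b$10$SYNTHETICbcryptSALTxxxxxxx.SYNTHETICbcryptDIGESTxxxxxxxxxxxxx</bcrypt-hash>
    </user>
    <user>
      <name>ops</name>
      <scope>user</scope>
      <sha512-hash>$6$SYNTHETICsalt$SYNTHETICsha512cryptdigestxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</sha512-hash>
    </user>
    <user>
      <name>legacy</name>
      <scope>user</scope>
      <password>unknown-format</password>
    </user>
  </system>
</pfsense>
"""


def classify_hash(stored):
    """Return the scheme name for a modular-crypt string, or 'unknown'."""
    for prefix, scheme in HASH_SCHEMES.items():
        if stored.startswith(prefix):
            return scheme
    return "unknown"


def audit_users(config_xml):
    """Map each user name to the hash scheme protecting its password."""
    root = ET.fromstring(config_xml)
    result = {}
    for user in root.iter("user"):
        name = user.findtext("name", default="?")
        stored = None
        # Only children named *-hash carry a digest; other fields are ignored.
        for child in user:
            if child.tag.endswith("-hash") and child.text:
                stored = child.text.strip()
                break
        result[name] = classify_hash(stored) if stored else "unknown"
    return result


def users_needing_rotation(config_xml):
    """Accounts whose password must be changed to reach the current scheme.

    No server-side conversion is possible: only the hash is stored, so a
    sha512-crypt value can be produced only from the plaintext at next change.
    """
    return sorted(
        name for name, scheme in audit_users(config_xml).items()
        if scheme != CURRENT_SCHEME
    )


if __name__ == "__main__":
    for name, scheme in audit_users(SAMPLE_CONFIG).items():
        print(f"{name:10s} {scheme}")
    print("rotate:", users_needing_rotation(SAMPLE_CONFIG))
```

Run it against a decrypted backup of config.xml (or the live file) to get the list of accounts to nudge; anything reported as `unknown` deserves a look, since it is neither the old nor the new format.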
• The firewall now bootstraps its clock at boot in multiple ways, one of which utilizes multiple NTP servers with static IP addresses from Google Public NTP. This avoids a chicken-and-egg problem where the firewall cannot resolve NTP servers because DNSSEC, which is enabled by default, cannot function when the clock is inaccurate. The firewall performs this sync once per boot before it starts the NTP daemon.
Note: This behavior can easily be changed or disabled. See Changing Clock Bootstrap Behavior.
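The chicken-and-egg problem above comes from the signature validity window every RRSIG carries (RFC 4034: an inception and an expiration time, shown as YYYYMMDDHHmmSS in UTC). A validating resolver rejects a signature unless the local clock lies inside that window, so a firewall booting with a stale RTC cannot resolve any DNSSEC-protected NTP hostname and never gets the time it would need to validate. The following added example (not code from the pfSense project or this documentation) shows that check and the resulting bootstrap decision. The RRSIG timestamps, clock values, build date and server lists are constructed for the demonstration; the IP-literal servers use the RFC 5737 documentation range rather than any real NTP service.

```python
"""Why a wrong clock breaks DNSSEC before NTP can run, and how IP-literal
NTP servers sidestep it.

Added example, not part of the pfSense documentation or code base. All
timestamps, the build epoch and the server lists are constructed.
"""
import calendar
from datetime import datetime


def parse_rrsig_time(text):
    """Convert an RRSIG presentation-format timestamp (UTC) to Unix seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S")
    return calendar.timegm(dt.timetuple())


def rrsig_valid_at(inception, expiration, now_epoch):
    """True if a signature with this window validates at the given clock."""
    return parse_rrsig_time(inception) <= now_epoch <= parse_rrsig_time(expiration)


# Constructed RRSIG window covering one month in 2023.
RRSIG_INCEPTION = "20230201000000"
RRSIG_EXPIRATION = "20230301000000"

# Assumed: newest timestamp baked into the firmware image at build time.
BUILD_EPOCH = parse_rrsig_time("20230115000000")

# Assumed fallback servers reachable by IP literal, so no DNS lookup (and
# therefore no DNSSEC validation) is needed for the first time fix.
IP_LITERAL_NTP = ["192.0.2.10", "192.0.2.11"]   # RFC 5737 documentation range
HOSTNAME_NTP = ["0.pool.example"]               # constructed hostname


def choose_bootstrap_servers(now_epoch):
    """Pick the NTP servers a boot-time sync can realistically use.

    A clock earlier than the image build date is certainly wrong, so any
    DNSSEC-protected hostname will fail validation; go straight to IP literals.
    Otherwise hostnames are tried first with the literals as a fallback.
    """
    if now_epoch < BUILD_EPOCH:
        return list(IP_LITERAL_NTP)
    return HOSTNAME_NTP + IP_LITERAL_NTP


if __name__ == "__main__":
    stale_rtc = parse_rrsig_time("20090101000000")    # a dead-battery RTC value
    synced = parse_rrsig_time("20230207120000")
    for label, clock in (("stale RTC", stale_rtc), ("synced", synced)):
        ok = rrsig_valid_at(RRSIG_INCEPTION, RRSIG_EXPIRATION, clock)
        print(f"{label:9s} RRSIG valid: {ok}  servers: {choose_bootstrap_servers(clock)}")
```

The same reasoning explains the ZFS/RTC fix listed under NTPD below (#12769): a box with no RTC battery boots with the firmware default date, which is outside every current RRSIG window, so it needs a time source that does not depend on validated DNS.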
• Several areas of the documentation have been rewritten and updated for these releases. Notably, the IPsec and OpenVPN sections have been updated significantly including all of the related configuration recipes.
pfSense Plus
PHP Interpreter
• Fixed: PHP exits with signal 11 on SG-3100 when calling PCRE functions #11466
pfSense CE
Aliases / Tables
• Fixed: Error loading rules when URL Table Ports content is empty #4893
• Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818
• Fixed: Unable to create nested URL aliases #11863
• Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124
• Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177
Authentication
• Changed: Use SHA-512 for user password hashes #10298
• Fixed: Deny SSH access for admin and root users when the admin GUI account is disabled #12346
Backup / Restore
• Fixed: Restoring from AutoConfigBackup presents reboot type selection option then reboots automatically #10662
• Added: Backup and restore SSH host key(s) #11118
• Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909
• Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946
• Added: AutoConfigBackup performance improvements #12193
• Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247
• Changed: Explicitly state where AutoConfigBackup stores encrypted backup data #12296
Build / Release
• Changed: Remove deprecated libzmq code and references #12060
CARP
• Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727
• Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202
• Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227
• Fixed: rc.carpmaster only sends notifications via SMTP #12584
Captive Portal
• Fixed: Vouchers may expire too early when using RAM disks #11894
• Fixed: Incorrect variable substitution in captive portal error page #11902
• Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138
• Fixed: Captive Portal database and ipfw rules are out of sync after unclean shutdown #12355
• Fixed: Captive Portal input validation for “After authentication Redirection URL” and “Blocked MAC address redirect URL” is swapped #12388
• Fixed: Captive Portal online user statistics data is not cleared on unclean shutdown #12455
Certificates
• Fixed: Certificate Revocation tab does not list active users of CRL entries #11831
• Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922
• Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034
• Added: Input validation to prevent unsupported UTF-8 characters from being used in certificate subject components #12035
• Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041
Console Menu
• Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581
• Changed: Suppress kernel messages when loading dummynet and thermal sensor modules #12454
DHCP (IPv4)
• Added: DHCPv4 client does not support supersede statement for option 54 #7416
• Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659
• Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905
• Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216
DHCP (IPv6)
• Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277
DHCP Relay
• Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969
DNS Resolver
• Fixed: Unbound crashes with signal 11 when reloading #11316
• Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274
• Fixed: Unbound falls back to using all outgoing network interfaces if manually selected outgoing interface(s) are unavailable #12460
Dashboard
• Fixed: System Information widget unnecessarily polls data for hidden items #12241
• Fixed: IPsec widget generates errors if no tunnels are defined #12337
• Fixed: IPsec widget treats phase 1 in “connecting” state as connected #12347
• Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349
• Fixed: Thermal Sensors Dashboard widget filter for negative values refers to invalid variable #12470
Diagnostics
• Fixed: State table content on diag_dump_states.php does not sort properly #11852
• Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983
• Fixed: “GoTo line #” function does not work on diag_edit.php #12050
• Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256
• Added: Include firewall rules from packages which failed to load in status output #12269
• Added: Include firewall rules generated from OpenVPN RADIUS ACL entries in status output #12316
• Fixed: ARP table interface column empty for entries on unassigned interfaces #12698
Dynamic DNS
• Added: Option to set interval of forced Dynamic DNS updates #9092
• Added: Support DNS Made Easy authentication without a username #9341
• Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816
• Added: New Dynamic DNS Provider: Strato #11978
• Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007
• Fixed: NoIP.com incorrectly encodes Dynamic DNS update credentials #12021
• Added: New Dynamic DNS Provider: deSEC #12086
• Added: Support Check IP services which return bare IP address values #12194
• Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331
• Added: Dynamic DNS client proxy support #12342
• Fixed: Update Dynamic DNS code for one.com to use their new login process #12352
• Fixed: Dynamic DNS updates do not respect certificate authority trust store #12589
• Fixed: Dynamic DNS client updates using a private IP address when it cannot determine the public IP address #12617
• Fixed: Dynamic DNS may not use the correct interface when updating during failover #12631
FreeBSD
• Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653
• Changed: Upgrade to pkg 1.17.x #12171
Gateways
• Added: Support DNS server gateway selection on system.php for multiple gateways not assigned to interfaces #12116
• Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282
Hardware / Drivers
• Added: Support for network interfaces using the qlnxe driver #11750
High Availability
• Fixed: Incorrect RADVD log message on HA event #11966
IGMP Proxy
• Added: Support 0 CIDR mask for IGMP Proxy networks #7749
IPsec
• Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275
• Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801
• Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447
• Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552
• Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891
• Fixed: IPsec status tunnel descriptions are incorrect #11910
• Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933
• Fixed: IPsec status fails when many tunnels are connected #11951
• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967
• Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023
• Fixed: Applying IPsec settings for many tunnels is slow or times out #12026
• Fixed: Gateway alarm always triggers IPsec restart #12039
• Changed: Improve IPsec identifier settings #12044
• Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052
• Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155
• Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169
• Added: Add connect/disconnect buttons to IPsec dashboard widget #12181
• Added: GUI options to configure IKE retransmission behavior #12184
• Fixed: IPsec status shows connect buttons while tunnel is connecting #12189
• Fixed: IPsec writes CRL files when tunnel does not use certificates #12195
• Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196
• Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197
• Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198
• Fixed: Disabled IPsec VTI interfaces are always created #12212
• Fixed: IPsec bypass rules display help text under each entry #12236
• Fixed: IPsec phase 1 entry with 0.0.0.0 as its remote gateway does not receive correct automatic firewall rules #12262
• Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289
• Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298
• Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315
• Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323
• Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324
• Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328
• Fixed: Incorrect label for IPsec DH group 32 #12350
• Added: Distinguish between policy-based and route-based entries on IPsec status SPD tab #12397
• Fixed: Console boot output includes Configuring IPsec VTI interfaces when no VTI interfaces are configured #12419
• Changed: Add IPsec phase 2 BINAT subnet size input validation #12430
• Fixed: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group #12566
• Fixed: IPsec Mobile Client RADIUS Advanced parameters are not reset to default values when disabled #12575
IPv6 Router Advertisements (RADVD)
• Fixed: radvd only responds to the first Router Solicitation received after each multicast Router Advertisement #10304
• Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159
• Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173
• Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280
• Fixed: “Default preferred lifetime” field for IPv6 RA does not have input validation #12439
• Fixed: IPv6 interface prefix change not reflected in RADVD configuration #12604
• Fixed: Router Advertisement DNS search domain from one interface may unintentionally be used by other interfaces #12626
Installer
• Added: Restore RRD and extra data from configuration backups when restoring during installation #12518
• Fixed: Minnowboard Turbo cannot boot a clean install #12707
Interfaces
• Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507
• Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337
• Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662
• Fixed: VLAN and QinQ edit pages allows selecting incompatible OpenVPN tun interfaces #11675
• Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926
• Added: VLAN list sorting #11968
• Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002
• Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049
• Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170
• Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252
• Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253
• Fixed: Remove subnet overlap check on LAN interfaces when using 6rd #12371
• Fixed: “6RD Prefix” field does not have input validation #12435
• Fixed: Trying to delete an assigned PPPoE interface fails without printing an error message #12514
L2TP
• Fixed: Kernel panic during L2TP retransmit #9058
• Fixed: FQDN L2TP server address is only resolved at boot #12072
Logging
• Fixed: Logging configuration added by a package is not removed on uninstall #11846
• Fixed: Remote log server input validation allows invalid values #12000
• Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011
• Changed: Improve log settings help text for file size, compression, and retention count #12012
• Added: Create a log entry when a configuration change occurs #12118
• Fixed: Rotation settings for individual log files do not take effect after saving #12366
NTPD
• Added: Poll Interval For GPS and PPS #9439
• Added: Support for NTP Peer mode #11496
• Fixed: File overwrite in services_ntpd_gps.php via gpsport parameter #12191
• Added: Support SHA-256 hash NTP authentication #12213
• Fixed: ZFS installations without an RTC battery boot with clock at BIOS/EFI default value because they do not receive initial clock value from filesystem data #12769
Notifications
• Added: Option to suppress expiration notifications for revoked certificates #12109
• Added: Support for Slack notifications #12291
• Added: Send notification for halt, reboot, and reroot events #12441
• Fixed: rc.notify_message only sends notifications via SMTP #12585
OpenVPN
• Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668
• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
• Fixed: OpenVPN client certificate validation with OCSP always fails #11829
• Added: Option to validate OpenVPN peer TLS certificate key usage #11865
• Added: Log external IP address of OpenVPN clients on connect and disconnect #11935
• Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938
• Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999
• Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020
• Fixed: Incorrect OpenVPN Client Export help link #12022
• Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076
• Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102
• Fixed: OpenVPN Wizard configuration missing recently added default values #12172
• Fixed: OpenVPN does not clean up previous CA and CRL files #12192
• Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218
• Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219
• Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223
• Fixed: OpenVPN page allows to delete/disable instance with an assigned interface #12224
• Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232
• Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238
• Added: Pop-up window to view firewall rules generated from RADIUS ACL entries on the OpenVPN status page #12321
• Added: Support OpenVPN client-kill to terminate remote clients instead of clearing their session #12416
• Fixed: Set OpenVPN Gateway Creation value to “Both” by default for new instances #12448
• Fixed: OpenVPN form validation issues #12677
Operating System
• Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985
• Fixed: Update NGINX to address CVE-2021-23017 #12061
• Added: Suppress kernel messages for lo0 configuration during boot #12094
• Changed: Convert RAM disks to tmpfs #12145
• Changed: Improve uses of grep which utilize user-supplied patterns #12265
• Fixed: Update mpd5 to address vulnerabilities in < 5.9_2 #12373
• Fixed: Update python to address vulnerabilities < 3.8.12 #12374
• Fixed: Multiple cURL Vulnerabilities #12434
• Changed: Add note in log settings that disabling logging also disables sshguard login protection #12511
• Fixed: Kernel panic in nd6_dad_timer() #12548
PHP Interpreter
• Fixed: diag_dump_states.php no longer filters by rule ID #12605
PPP Interfaces
• Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959
PPPoE Server
• Added: Option to select PPPoE Server authentication protocol #12438
Package System
• Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290
• Added: Add librdkafka package to the pfSense package repository #12290
• Fixed: PHP error on pkg_mgr_install.php when multiple instances are running #12713
• Fixed: Potential XSS in pkg.php via pkg_filter #12725
RRD Graphs
• Added: Graph for hardware temperature readings #9297
Routing
• Fixed: Static routes using aliases are not automatically updated when alias content changes #7547
• Fixed: Input validation does not prevent removing a gateway used by a DNS server #8390
• Fixed: Kernel route table entries are removed if they match disabled static route entries #10706
• Fixed: Modifying static routes results in a logged error, changes are not reflected in routing table #11599
• Added: Require user to manually apply changes after altering static route entries #11895
• Fixed: Route data collection method on diag_routes.php has multiple issues #12257
Rules / NAT
• Added: IPv6 support in easyrule CLI script #11439
• Fixed: NAT rule overlap detection is inconsistent #11734
• Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923
• Fixed: easyrule script does not function properly #12151
• Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164
• Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168
• Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174
• Fixed: VIP network addresses are not expanded on Port Forward rules #12233
• Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272
• Added: Display default “Reflection Timeout” value on system_advanced_firewall.php #12318
• Fixed: NAT rule overlap detection does not check special networks #12361
• Fixed: Input validation prevents creating 1:1 NAT rules on OpenVPN #12408
• Fixed: 1:1 NAT edit page lists incorrect entries in the Destination field #12410
• Added: Icon for traffic direction on floating rules tab #12433
• Fixed: Port forward rules are not created for special networks (pppoe, openvpn) #12452
• Fixed: Automatic outbound NAT for reflection does not support IPv6 #12500
• Fixed: Interface group name starting with a digit creates invalid XML for rule separators #12529
• Added: Change Gateway/Group name in firewall rule list to clickable link to edit page for the entry #12555
• Fixed: Automatic rule tracker IDs incorrect after multiple filter reloads #12588
• Fixed: PHP error when clicking Delete on Outbound NAT with no rules selected #12694
SNMP
• Added: IPv6 support for base system SNMP service #12325
Services
• Fixed: System attempts to stop inactive services at shutdown #12001
• Fixed: System attempts to start inactive services at boot #12038
Traffic Shaper (ALTQ)
• Added: IPv6 support in the Traffic Shaper Wizard #4769
• Fixed: Panic when using CBQ traffic shaping #11470
• Added: Allow Chelsio T6 CXGBE (cc) drivers to be used for ALTQ traffic shaping #12499
• Changed: Traffic shaper wizard default bandwidth type should be Mbit/s #12501
Traffic Shaper (Limiters)
• Fixed: Unable to delete limiter referenced in filter rules #12503
• Fixed: Kernel panic when using fq_pie limiter scheduler #12622
UPnP/NAT-PMP
• Added: UPnP/NAT-PMP STUN configuration options #10587
Upgrade
• Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235
User Manager / Privileges
• Added: Copy button for group entries in the User Manager #12226
Virtual IP Addresses
• Fixed: Validation when deleting a VIP does not check if the VIP is used by IPsec phase 1 entries #12356
• Fixed: Validation when deleting a VIP does not prevent deleting a CARP VIP used as a parent for an IP Aliases VIP #12362
Wake on LAN
• Added: Wake on LAN button to wake all devices #12480
Web Interface
• Changed: Update font formats to WOFF2 #11507
• Fixed: DHCP Leases page and ARP table page fail to load if DNS is not available #11512
• Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107
• Changed: Convert help shortcut links to server-side redirects #12314
• Fixed: Help text for RAM disk settings does not mention Captive Portal data #12389
• Fixed: Input validation error can unintentionally result in removal of PPP type interface settings #12498
Wireless
• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453
• Fixed: Interfaces page does not show Wireless EAP client options #12239
XMLRPC
• Fixed: XMLRPC sync results in an error when a failover peer IP address is specified in DHCP server settings for an unconfigured interface #10955
• Added: XMLRPC synchronization for DHCP relay settings #11957
• Changed: XMLRPC client improvements #12051
• Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075
21.05.2 New Features and Changes
This is a maintenance release of pfSense® Plus software. pfSense Plus software version 21.05.2 corrects an issue with the pre-installed Netgate Firmware Upgrade package on Netgate 6100 hardware devices.
In certain circumstances the pre-installed Netgate Firmware Upgrade package could have incorrectly offered to downgrade the firmware when the hardware shipped from the factory with a newer firmware version than the copy contained within the 21.05.1 installation image.
The pfSense Plus software version number was increased for all models of Netgate hardware for consistency, but there are no functional changes for other hardware platforms. Upgrading a device in the field to 21.05.2 is not necessary at this time, but users may do so if they wish.
3.2.2 pfSense CE Software
2.5.2 New Features and Changes
This is a regularly scheduled software release including new features and bug fixes.
Known Issues / Errata
• Dynamic DNS incorrectly encodes NoIP update credentials #12021
Security
This release includes corrections for the following vulnerabilities in pfSense® software:
• pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)
General
• Added: WireGuard experimental add-on package
pfSense CE
Aliases / Tables
• Added: PHP shell playback script to modify Alias contents #11380
Authentication
• Added: Copy button for Authentication Server entries #11390
Backup / Restore
• Added: Randomize time of scheduled AutoConfigBackup runs #10811
• Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748
• Fixed: AutoConfigBackup schedule custom hour value lost on page load #11946
Captive Portal
• Added: Redirect Captive Portal users to login page after they logout #11264
• Fixed: Captive Portal post-auth redirect is not properly respected #11842
• Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843
Certificates
• Fixed: Certificate Manager does not report Unbound as using a certificate #11678
• Fixed: PHP error on certificate list due to unreadable private key #11859
• Fixed: Export P12 icon is missing if certificate is not locally renewable #11884
Configuration Upgrade
• Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801
Console Menu
• Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914
DHCP (IPv6)
• Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set #11883
DNS Forwarder
• Fixed: Disable DNSSEC option for dnsmasq #11781
• Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866
DNS Resolver
• Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456
• Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
• Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915
Dashboard
• Fixed: Thermal sensors widget no longer shows values from certain hardware #11787
• Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
• Fixed: Editing widgets on Dashboard causes a PHP Warning #11939
Diagnostics
• Fixed: ARP Table populates hostname values using expired DHCP lease data #11510
• Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
• Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
• Fixed: MAC address OEM information missing from ARP table #11819
• Fixed: State table content on diag_dump_states.php does not sort properly #11852
Dynamic DNS
• Added: New Dynamic DNS Provider: Mythic-Beasts #7842
• Added: New Dynamic DNS Provider: one.com #11293
• Added: New Dynamic DNS Provider: Yandex PDD #11294
• Added: New Dynamic DNS Provider: NIC.RU #11358
• Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
• Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
• Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
• Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815
• Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840
Gateways
• Added: Input validation to prevent setting a load balancing gateway group as default #11164
Hardware / Drivers
• Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
• Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524
High Availability
• Fixed: Incorrect RADVD log message on HA event #11966
IGMP Proxy
• Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904
IPsec
• Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
• Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395
• Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
• Fixed: strongSwan configuration always contains user EAP/PSK values #11564
• Added: IPsec GUI option to control Child SA start_action #11576
• Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
• Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
• Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
• Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
• Fixed: ipsec_vti() does not skip disabled VTI entries #11832
• Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912
• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967
IPv6 Router Advertisements (RADVD)
• Added: Use virtual link local IP address as RA source address for HA environments #11103
• Added: Shortcut buttons for service control and logs on RADVD configuration #11911
• Fixed: RADVD breaks on SIGHUP #11913
Interfaces
• Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
• Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
• Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
• Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698
• Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855
• Added: VLAN list sorting #11968
L2TP
• Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
• Added: GUI option to set MTU for L2TP VPN server #11406
NTPD
• Fixed: NTP widget displays incorrect status #11495
• Fixed: NTP authentication input validation rejects valid keys #11850
Notifications
• Fixed: Invalid HTML encoding in modal Notices window #11765
OpenVPN
• Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
• Fixed: OpenVPN Wizard does not support gateway groups #11141
• Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521
• Added: Support for Cisco AVPair {clientipv6} template in firewall rules returned by RADIUS #11596
• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
• Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699
• Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
• Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
• Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830
• Changed: Update OpenVPN to 2.5.2 #11844
• Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869
Operating System
• Added: Kernel modules for alternate congestion control algorithms #7092
• Added: Kernel module for RTL8153 driver #11125
• Added: Xen console support #11402
• Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867
Routing
• Fixed: IPv4 link-local (169.254.x.x) gateway does not function #11806
Rules / NAT
• Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
• Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
• Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
• Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762
• Fixed: Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only) #11805
• Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861
• Fixed: NAT 1:1 fails to validate aliases #11923
Traffic Shaper (ALTQ)
• Fixed: Harmless error when enabling traffic shaper #11229
• Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550
Traffic Shaper (Limiters)
• Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
• Fixed: Error when setting queue limit on CODELQ limiter #11725
Upgrade
• Fixed: Language presented to user during upgrade is misleading #11897
Web Interface
• Added: Replace HTTP links with HTTPS in the GUI #11228
• Fixed: Ambiguous text in help and input validation error for system domain name #11658
• Fixed: PHP error if PHP_error.log file is too large #11685
• Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702
• Fixed: HTTP Referer error message text is incorrect #11873
• Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880
• Fixed: Update NGINX to address CVE-2021-23017 #12061
WireGuard
• Fixed: Ignore WireGuard configurations under <installedpackages></installedpackages> #11808
Wireless
• Added: GUI options for WPA Enterprise with identity/password #2400
• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453
XMLRPC
• Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082
• Fixed: XMLRPC Client does not honor its default timeout value #11718
3.3 Older/Unsupported Releases
3.3.1 pfSense Plus Software
21.05.1 New Features and Changes
This is a maintenance release including bug fixes for issues affecting pfSense® Plus software version 21.05.
Security
This release includes corrections for the following vulnerabilities in pfSense software:
• Additional corrections for pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)
General
pfSense Plus
FreeBSD
• Fixed: 32-bit ARM performance regression #12200
Operating System
• Changed: Native hardware package builds for 32-bit ARM #12201
PHP Interpreter
• Changed: Disable PCRE JIT to work around PHP PCRE crashes on multi-core 32-bit ARM systems #12004
Routing
• Fixed: Static routes may not be in routing table when expected #11986
21.05 New Features and Changes
This is a regularly scheduled software release of pfSense® Plus software including new features, additional hardware
support, and bug fixes.
Security
This release includes corrections for the following vulnerabilities in pfSense software:
• pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)
General
• Added: WireGuard experimental add-on package
• Added: OpenVPN client import add-on package
• Fixed: ix(4) driver fails to attach if a broken or unsupported SFP module (e.g. incompatible media type) is present at boot time [NG 1586]
• Fixed: IP Address ranges do not work in aliases on 32-bit ARM [NG 5445]
pfSense Plus
Aliases / Tables
• Added: PHP shell playback script to modify Alias contents #11380
Authentication
• Added: Copy button for Authentication Server entries #11390
Backup / Restore
• Added: Randomize time of scheduled AutoConfigBackup runs #10811
• Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748
Captive Portal
• Added: Redirect Captive Portal users to login page after they logout #11264
• Fixed: Captive Portal post-auth redirect is not properly respected #11842
• Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843
Certificates
• Fixed: Certificate Manager does not report Unbound as using a certificate #11678
• Fixed: PHP error on certificate list due to unreadable private key #11859
• Fixed: Export P12 icon is missing if certificate is not locally renewable #11884
Configuration Upgrade
• Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801
Console Menu
• Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914
DHCP (IPv6)
• Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set #11883
DNS Forwarder
• Fixed: Disable DNSSEC option for dnsmasq #11781
• Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866
DNS Resolver
• Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456
• Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
• Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915
Dashboard
• Fixed: Thermal sensors widget no longer shows values from certain hardware #11787
• Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
• Fixed: Editing widgets on Dashboard causes a PHP Warning #11939
Diagnostics
• Fixed: ARP Table populates hostname values using expired DHCP lease data #11510
• Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
• Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
• Fixed: MAC address OEM information missing from ARP table #11819
Dynamic DNS
• Added: New Dynamic DNS Provider: Mythic-Beasts #7842
• Added: New Dynamic DNS Provider: one.com #11293
• Added: New Dynamic DNS Provider: Yandex PDD #11294
• Added: New Dynamic DNS Provider: NIC.RU #11358
• Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
• Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
• Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
• Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815
• Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840
Gateways
• Added: Input validation to prevent setting a load balancing gateway group as default #11164
Hardware / Drivers
• Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
• Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524
IGMP Proxy
• Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904
IPsec
• Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
• Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395
• Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
• Fixed: strongSwan configuration always contains user EAP/PSK values #11564
• Added: IPsec GUI option to control Child SA start_action #11576
• Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
• Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
• Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
• Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
• Fixed: ipsec_vti() does not skip disabled VTI entries #11832
• Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912
IPv6 Router Advertisements (RADVD)
• Added: Use virtual link local IP address as RA source address for HA environments #11103
• Added: Shortcut buttons for service control and logs on RADVD configuration #11911
• Fixed: RADVD breaks on SIGHUP #11913
Interfaces
• Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
• Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
• Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
• Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698
• Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855
L2TP
• Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
• Added: GUI option to set MTU for L2TP VPN server #11406
NTPD
• Fixed: NTP widget displays incorrect status #11495
• Fixed: NTP authentication input validation rejects valid keys #11850
Notifications
• Fixed: Invalid HTML encoding in modal Notices window #11765
OpenVPN
• Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
• Fixed: OpenVPN Wizard does not support gateway groups #11141
• Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521
• Added: Support for Cisco AVPair {clientipv6} template in firewall rules returned by RADIUS #11596
• Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699
• Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
• Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
• Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830
• Changed: Update OpenVPN to 2.5.2 #11844
• Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869
Operating System
• Added: Kernel modules for alternate congestion control algorithms #7092
• Added: Kernel module for RTL8153 driver #11125
• Added: Xen console support #11402
• Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867
Routing
• Fixed: Static route targets may still be reachable via the default route when the gateway they should route through is down #11296
• Fixed: IPv4 link-local (169.254.x.x) gateway does not function #11806
Rules / NAT
• Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
• Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
• Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
• Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762
• Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861
Traffic Shaper (ALTQ)
• Fixed: Harmless error when enabling traffic shaper #11229
• Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550
Traffic Shaper (Limiters)
• Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
• Fixed: Error when setting queue limit on CODELQ limiter #11725
Upgrade
• Fixed: Language presented to user during upgrade is misleading #11897
Web Interface
• Added: Replace HTTP links with HTTPS in the GUI #11228
• Fixed: Ambiguous text in help and input validation error for system domain name #11658
• Fixed: PHP error if PHP_error.log file is too large #11685
• Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702
• Fixed: HTTP Referer error message text is incorrect #11873
• Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880
WireGuard
• Fixed: Ignore WireGuard configurations under <installedpackages></installedpackages> #11808
Wireless
• Added: GUI options for WPA Enterprise with identity/password #2400
XMLRPC
• Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082
• Fixed: XMLRPC Client does not honor its default timeout value #11718
21.02.2/2.5.1 New Features and Changes
pfSense® Plus software version 21.02.2 and pfSense CE software version 2.5.1 are maintenance releases to address recently identified issues.
Warning: WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.
If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
Note: The WireGuard package is still under active development. Follow the development progress on the developer's YouTube channel.
Tip: To remove WireGuard tunnels, navigate to VPN > WireGuard and click the delete button for each tunnel. When the page displays "No WireGuard tunnels have been configured.", the upgrade can proceed.
Note: This pfSense Plus software version contains all of the items noted below for pfSense CE as well.
Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.
Known Issues / Errata
• There is an issue in this release with port forwarding on pfSense CE software installations with multiple WANs, see #11805 for details.
• There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.
• There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005.
• The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, use ONE of the following workarounds:
– Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then Save.
– Instead of disabling the policy check, create route maps which match and allow expected incoming and outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.
– Manually create a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a placeholder for later migration to more secure route map filtering.
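The three FRR BGP workarounds above, written out in FRR's own configuration syntax as an added illustration; this is not configuration taken from the release notes or generated by the pfSense FRR package, and the AS numbers, neighbor address and prefixes are assumed sample values:

```text
! Assumed sample values: local AS 65000, eBGP peer 203.0.113.1 in AS 65001,
! 198.51.100.0/24 expected from the peer, 192.0.2.0/24 advertised to it.
!
! --- Workaround 1 (least restrictive): what "Disable eBGP Require Policy"
! corresponds to in FRR. Every prefix the peer sends is accepted and every
! local route is advertised, with no filtering in either direction.
router bgp 65000
 no bgp ebgp-requires-policy
 neighbor 203.0.113.1 remote-as 65001
!
! --- Workaround 2 (most secure): explicit route maps. A route map ends with an
! implicit deny, so only the listed prefixes pass in each direction.
ip prefix-list EXPECTED-IN seq 10 permit 198.51.100.0/24
ip prefix-list EXPECTED-OUT seq 10 permit 192.0.2.0/24
route-map PEER-IN permit 10
 match ip address prefix-list EXPECTED-IN
route-map PEER-OUT permit 10
 match ip address prefix-list EXPECTED-OUT
router bgp 65000
 neighbor 203.0.113.1 remote-as 65001
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map PEER-IN in
  neighbor 203.0.113.1 route-map PEER-OUT out
 exit-address-family
!
! --- Workaround 3 (placeholder): the allow-all route map from the release
! notes (Permit, Sequence 100). A permit entry with no match clause matches
! everything, so this satisfies the policy requirement without filtering.
route-map allow-all permit 100
router bgp 65000
 neighbor 203.0.113.1 remote-as 65001
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map allow-all in
  neighbor 203.0.113.1 route-map allow-all out
 exit-address-family
```

Workarounds 1 and 3 produce the same routing outcome; the difference is that workaround 3 leaves a named route map in place that can later be tightened to the prefix-list form of workaround 2 without touching the neighbor configuration.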
Security
This release includes corrections for the following vulnerabilities in pfSense software:
• pfSense-SA-21_01.webgui (XSS in Wake on LAN, #11616)
General
pfSense Plus
Certificates
• Fixed: CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM #11504
Interfaces
• Added: Interface Status page information for switch uplinks may be replaced by switch port data when media state monitoring is set #10804
Rules / NAT
• Fixed: State matching problem with responses to packets arriving on non-default WANs #11436
Upgrade
• Fixed: LEDs do not indicate available upgrade status #11689
pfSense CE
Aliases / Tables
• Fixed: Alias name change is not reflected in firewall rules #11568
Authentication
• Fixed: Unreachable LDAP server for SSH auth causes boot process to stop at 'Synchronizing user settings' and no user can login over SSH #11644
Certificates
• Fixed: Invalid certificate data can cause a PHP error #11489
• Fixed: Renewing a self-signed CA or certificate does not update the serial number #11514
• Fixed: Unable to renew a certificate without a SAN #11652
• Fixed: Certificates with escaped x509 characters display the escaped version when renewing #11654
• Fixed: Creating a certificate while creating a user does not fully configure the certificate properly #11705
• Fixed: Renewing a certificate without a type value assumes a server certificate #11706
DNS Resolver
• Fixed: DNS Resolver does not add a local-zone type for ip6.arpa domain override #11403
• Fixed: DNS Resolver does not bind to an interface when it recovers from a down state #11547
Dashboard
• Fixed: CPU details are incorrect in the System Information widget after resetting log files #11428
• Fixed: Disabling 'State Table Size' in the System Information widget prevents other data from being displayed #11443
Gateway Monitoring
• Fixed: Automatic default gateway mode does not select expected entries #11729
Gateways
• Fixed: Gateways with “Use non-local gateway” set are not added to routing table #11433
IPsec
• Fixed: IPsec status incorrect for entries using expanded IKE connection numbers #11435
• Fixed: Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in swanctl.conf secrets #11442
• Fixed: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses #11446
• Fixed: Broken help link on IPsec Advanced Settings tab #11474
• Fixed: Connect and disconnect buttons on the IPsec status page do not work for all tunnels #11486
• Fixed: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in swanctl.conf #11487
• Fixed: IPsec tunnel definitions have pools = entry in swanctl.conf with no value #11488
• Fixed: Mobile IPsec broken when using strict certificate revocation list checking #11526
• Fixed: IPsec VTI tunnel between IPv6 peers may not configure correctly #11537
• Fixed: IPsec peer ID of “Any” does not generate a proper remote definition or related secrets #11555
• Fixed: IPsec tunnel does not function when configured on a 6RD interface #11643
IPv6 Router Advertisements (RADVD)
• Fixed: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 #11105
Installer
• Fixed: Installer does not add required module to loader.conf when using ZFS #11483
Interfaces
• Fixed: IPv4 MSS value is incorrectly applied to IPv6 packets #11409
• Fixed: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information #11454
• Fixed: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance #11602
• Fixed: DHCP6 interfaces are reconfigured multiple times at boot when more than one interface is set to Track #11633
Logging
• Fixed: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files #11639
Notifications
• Fixed: Telegram and Pushover notification API calls do not respect proxy configuration #11476
OpenVPN
• Fixed: OpenVPN authentication and certificate validation fail due to size of data passed through fcgicli #4521
• Added: Display negotiated data encryption algorithm in OpenVPN connection status #7077
• Fixed: OpenVPN does not start with several authentication sources selected #11104
• Fixed: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS #11382
• Fixed: Incorrect order of route-nopull option in OpenVPN client-specific override configuration #11448
• Fixed: OpenVPN using the wrong OpenSSL command to list digest algorithms #11500
• Fixed: Selected Data Encryption Algorithms list items reset when an input validation error occurs #11554
• Fixed: OpenVPN does not start with a long list of Data Encryption Algorithms #11559
• Fixed: ACLs generated from RADIUS reply attributes do not parse {clientip} macro #11561
• Fixed: ACLs generated from RADIUS reply attributes have incorrect syntax #11569
• Fixed: OpenVPN binds to all interfaces when configured on a 6RD interface #11674
Operating System
• Fixed: Unexpected Operator error on console at boot with ZFS and RAM Disks #11617
• Changed: Upgrade OpenSSL to 1.1.1k #11755
Routing
• Fixed: Disabled static route entries trigger ‘route delete’ error at boot #3709
• Fixed: Route tables with many entries can lead to PHP errors and timeouts when looking up routes #11475
• Fixed: Error when removing automatic DNS server route #11578
• Fixed: IPv6 routes with a prefix length of 128 result in an invalid route table entry #11594
• Fixed: Error when deleting IPv6 link-local routes #11713
Rules / NAT
• Fixed: Saved state timeout values not loaded into GUI fields on system_advanced_firewall.php #11565
• Fixed: Firewall rule schedule cannot be changed #11747
Upgrade
• Fixed: pfSense Proxy Authentication not working #11383
Wake on LAN
• Fixed: Potential stored XSS vulnerability in services_wol.php #11616
Web Interface
• Fixed: Requests to ews.netgate.com do not honor proxy configuration #11464
XMLRPC
• Fixed: XMLRPC error with Captive Portal and CARP failover when GUI is on non-standard port #11425
• Fixed: Incorrect DHCP failover IP address configured on peer after XMLRPC sync #11519
• Fixed: PHP error in logs from XMLRPC if no sections are selected to sync #11638
21.02/21.02-p1/2.5.0 New Features and Changes
pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0 include a major OS
version upgrade, a kernel WireGuard implementation, OpenSSL upgrades, VPN and related security improvements,
plus numerous other bug fixes and new features.
Warning: The original plan was to include a RESTCONF API in pfSense® Plus software version 21.02 and
pfSense software version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent cryptographic accelerator support. Plans have since changed, and these versions do not contain the planned
RESTCONF API, thus pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software
version 2.5.0 DO NOT require AES-NI.
Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those
releases to read all important information and warnings before proceeding.
pfSense Plus
Version 21.02 is the first release of pfSense Plus software, formerly known as Factory Edition. For more details about
the distinctions between pfSense Plus and pfSense CE, read the pfSense Plus Announcement. Customers running the
Factory Edition of pfSense software version 2.4.5-p1 and older can upgrade in-place automatically to pfSense Plus
software version 21.02 as with any other previous upgrade.
In this version, the changes in pfSense Plus software and pfSense CE software are roughly the same, with a few notable
exceptions which are only available in pfSense Plus software:
• Support for Intel® QuickAssist Technology, also known as QAT.
– QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
– Supported hardware includes many Intel-based systems sold by Netgate (e.g. XG-7100, SG-5100) and
add-on cards.
– From the FreeBSD man page:
* The qat driver supports the QAT devices integrated with Atom C2000 and C3000 and Xeon C620
and D-1500 chipsets, and the Intel QAT Adapter 8950.
* It can accelerate AES in CBC, CTR, XTS (except for the C2000) and GCM modes, and can perform
authenticated encryption combining the CBC, CTR and XTS modes with SHA1-HMAC and SHA2-HMAC. The qat driver can also compute SHA1 and SHA2 digests.
• Improved SafeXcel cryptographic accelerator support for SG-2100 and SG-1100 which can improve IPsec performance.
– From the FreeBSD man page:
* The driver can accelerate the following AES modes: AES-CBC, AES-CTR, AES-XTS, AES-GCM,
AES-CCM
* The driver also implements SHA1 and SHA2 transforms, and can combine AES-CBC and AES-CTR
with SHA1-HMAC and SHA2-HMAC for encrypt-then-authenticate operations.
• Updated IPsec profile export
– Exports Apple profiles compatible with current iOS and macOS versions
– New export function for Windows clients to configure tunnels using PowerShell
Version 21.02-p1
pfSense Plus software version 21.02-p1 is a special patch release to address a kernel problem affecting the SG-3100
which caused system instability (#11444). No additional fixes are present in the 21.02-p1 release.
See the detailed bug analysis blog post for more details.
Operating System / Architecture changes
• Base OS upgraded to FreeBSD 12.2-STABLE
• OpenSSL upgraded to 1.1.1i-freebsd
• PHP upgraded to 7.4 #9365 #10659
• Python upgraded to 3.7 #9360
Known Issues / Errata
• Deprecated the built-in relayd Load Balancer #9386
– relayd does not function with OpenSSL 1.1.x
– The relayd FreeBSD port has been changed to require libressl
– There is no apparent sign of work to make it compatible with OpenSSL 1.1.x
– The HAProxy package may be used in its place; It is a much more robust and more feature-complete load
balancer and reverse proxy
– For more information on implementing HAProxy, see HAProxy package and the Hangout
• There is an issue in this release with port forwarding on pfSense Plus software installations with multiple WANs,
which has been resolved in the 21.02.2 patch release, see #11436 for details.
• There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system
capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected
operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT
acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change
to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.
• There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100.
On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue
is being tracked internally on NG #6005
• The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP
peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual
change. To replicate the previous behavior, use ONE of the following workarounds:
– Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then
Save.
– Instead of disabling the policy check, create route maps which match and allow expected incoming and
outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.
– Manually create a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100),
then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a
placeholder for later migration to more secure route map filtering.
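The three workarounds above expressed as FRR configuration, as an added example that is not taken from the pfSense documentation or the FRR package. The AS numbers, neighbor address and prefixes are placeholders (private ASNs and documentation ranges). On pfSense these settings are entered through the FRR package GUI rather than typed into vtysh, so read this as the equivalent generated configuration; apply only one of the three options.

```text
! Option 1 (least secure): switch the eBGP policy requirement off entirely.
router bgp 65001
 no bgp ebgp-requires-policy
exit
!
! Option 2 (placeholder): satisfy the policy check with an explicit permit-all
! route map, to be replaced by real filtering later.
route-map allow-all permit 100
exit
router bgp 65001
 neighbor 203.0.113.1 remote-as 65002
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map allow-all in
  neighbor 203.0.113.1 route-map allow-all out
 exit-address-family
exit
!
! Option 3 (recommended): accept and announce only the prefixes you expect.
! A route map ends with an implicit deny, so anything the prefix list does
! not match is dropped in that direction.
ip prefix-list from-peer seq 10 permit 198.51.100.0/24
ip prefix-list to-peer seq 10 permit 192.0.2.0/24
route-map peer-in permit 10
 match ip address prefix-list from-peer
exit
route-map peer-out permit 10
 match ip address prefix-list to-peer
exit
router bgp 65001
 neighbor 203.0.113.1 remote-as 65002
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map peer-in in
  neighbor 203.0.113.1 route-map peer-out out
 exit-address-family
exit
```

Option 2 is operationally identical to Option 1 for the peer in question, but it leaves the policy check enabled, so a later neighbor added without a route map is still refused routes instead of silently exchanging everything.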
Warning: See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact
firewalls upgrading to pfSense software version 2.5.0. Some of these were renamed or folded into other drivers,
others have been removed, and more are slated for removal in FreeBSD 13 in the future.
Aliases/Tables
• Fixed aliases to allow IPv6 prefix entries which end in IPv4 addresses (e.g. x:x:x:x:x:x:d.d.d.d from
RFC 4291 section 2.2.2) #10694
• Fixed a PHP error processing aliases when the configuration contains no aliases section #9936
• Fixed URL-based Alias only storing last-most entry in the configuration #9074
• Fixed an issue with PF tables remaining active after they had been deleted #9790
• Added Internationalized domain names support for aliases #7255
• Added the ability to copy an existing alias when creating a new entry #6908
• Fixed handling of URL-based aliases containing multiple URLs #11256
Authentication
• Added RADIUS authentication for SSH users #10545
• Added LDAP authentication for SSH users #8698
• Added option to control behavior of unauthenticated LDAP binds #9909
• Converted LDAP TLS setup from environment variables to LDAP_OPT_X_TLS_* options #9417
• Set RADIUS NAS Identifier to include webConfigurator and the firewall hostname when logging in the
GUI #9209
• Added LDAP extended query for groups in RFC2307 containers #9527
• Fixed errors when using RADIUS for GUI authentication while the WAN is down #11109
Backup/Restore
• Changed crypt_data() to use stronger key derivation #9421
• Updated crypt_data() syntax for OpenSSL 1.1.x #9420 #10178
• Disabled AutoConfigBackup manual backups when AutoConfigBackup is disabled #9785
• Improved error handling when attempting to restore encrypted and otherwise invalid configurations which result
in errors (e.g. wrong encryption passphrase, malformed XML) #10179
• Added option to include the DHCP v4/v6 leases database in config.xml backups #10910
• Added option to include the Captive Portal database in config.xml backups #10868
• Added option to include the Captive Portal used MACs database in config.xml backups #10856
• Added option to prevent all extra data from being added to config.xml backups #10914
• Added password confirmation when encrypting a config.xml backup #10301
• Added support for GPT partitioned drives to the External Configuration Locator #9097
• Added support for Limiters to the Traffic Shaper backup and restore area option #4763
• Added option to backup Dynamic DNS area #3559
• Fixed restoration of active voucher data from backup #3128
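The "stronger key derivation" item above is illustrated by the following added example, which is not pfSense code. It assumes that an encrypted backup is an openssl enc style blob (the "Salted__" magic, an 8-byte salt, then ciphertext) and that the change replaced OpenSSL's legacy EVP_BytesToKey derivation with PBKDF2. The digest and iteration count used here (SHA-256, 600,000 iterations) are this example's own choices, since the page does not state pfSense's parameters.

```python
"""Legacy OpenSSL EVP_BytesToKey next to PBKDF2-HMAC-SHA256, applied to an
'openssl enc'-style blob: magic "Salted__", 8-byte salt, then ciphertext."""
import hashlib
import os

AES256_KEY_LEN = 32
AES_CBC_IV_LEN = 16
ILLUSTRATIVE_ITERATIONS = 600_000  # assumption for this example, not pfSense's value


def evp_bytes_to_key(passphrase, salt, key_len, iv_len, md="md5", count=1):
    """OpenSSL's legacy derivation (what 'openssl enc' does without -pbkdf2):
    D_1 = H(passphrase || salt), D_i = H(D_{i-1} || passphrase || salt),
    each block hashed `count` times, concatenated until key_len + iv_len bytes exist.
    With MD5 and count=1 a single MD5 per guess is all an attacker pays."""
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + passphrase + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key_iv(passphrase, salt, key_len, iv_len, iterations=ILLUSTRATIVE_ITERATIONS):
    """What 'openssl enc -pbkdf2' does: one PBKDF2 output split into key || iv."""
    dk = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:key_len + iv_len]


def pbkdf2_hmac_calls(iterations, dk_len, hash_len=32):
    """HMAC invocations PBKDF2 performs: one chain of `iterations` per output
    block. Deriving key || iv (48 bytes) from SHA-256 needs two blocks, so the
    work per guess is twice what the iteration count alone suggests."""
    blocks = -(-dk_len // hash_len)  # ceiling division
    return blocks * iterations


def split_openssl_blob(blob):
    """Split raw (base64-decoded) 'openssl enc -salt' output into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL 'Salted__' blob")
    return blob[8:16], blob[16:]


def keys_for_blob(passphrase, blob, legacy=False, iterations=ILLUSTRATIVE_ITERATIONS):
    """Derive (key, iv) for a blob under either scheme. legacy=True reproduces the
    weak pre-change derivation so that older backups can still be opened."""
    salt, _ciphertext = split_openssl_blob(blob)
    if legacy:
        return evp_bytes_to_key(passphrase, salt, AES256_KEY_LEN, AES_CBC_IV_LEN)
    return pbkdf2_key_iv(passphrase, salt, AES256_KEY_LEN, AES_CBC_IV_LEN, iterations)


if __name__ == "__main__":
    # Constructed blob: fixed salt and random dummy ciphertext, for demonstration only.
    blob = b"Salted__" + bytes(range(8)) + os.urandom(32)
    pw = b"correct horse battery staple"
    print("legacy key ", keys_for_blob(pw, blob, legacy=True)[0].hex())
    print("pbkdf2 key ", keys_for_blob(pw, blob)[0].hex())
    print("HMAC calls per guess:", pbkdf2_hmac_calls(ILLUSTRATIVE_ITERATIONS, 48))
```

Keeping the legacy path around is deliberate: a restore tool must still open backups written before the change, and the passphrase prompt is the same either way. The difference is what a captured backup file costs to brute-force, not what the user sees.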
Captive Portal
• Improved XMLRPC sync of Captive Portal database information #97
• Changed Captive Portal vouchers to use phpseclib so it can generate keys natively in PHP, and to work
around OpenSSL deprecating key sizes needed for vouchers #9443
• Added trim() to the submitted username, so that spaces before/after in input do not cause authentication
errors #9274
• Optimized Captive Portal authentication attempts when using multiple authentication servers #9255
• Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the
server #9208
• Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal
settings #8616
• Added an option so that Captive Portals may choose to remove or retain logins across reboot #5644
• Fixed deletion of related files when removing a Captive Portal zone #10891
• Fixed XMLRPC sync of Captive Portal used MACs database #10857
• Added validation of Captive Portal zone names to prevent using reserved words #10798
• Added support for IDN hostnames to Captive Portal Allowed Hostnames tab #10747
• Improved Captive Portal Allowed Hostnames so it supports multiple DNS records in responses #10724
• Fixed retention of automatic pass-through MAC entries when using Captive Portal Vouchers #9933
• Fixed Captive Portal Bandwidth per-user bandwidth limit values being applied when disabled #9437 #9311
• Changed handling of voucher logins with Concurrent Login option so that new logins are prevented rather than
removing old sessions #9432 #2146
• Changed XMLRPC behavior to not remove zones from secondary node when disabling Captive Portal #9303
• Fixed XMLRPC sync failing to propagate voucher roll option changes to the secondary node #8809
• Fixed XMLRPC sync failing to create Captive Portal voucher files on secondary node #8807
• Fixed Captive Portal + Bridge interface validation #6528
• Added support for masking of Captive Portal pass-thru MACs #2424
• Added support for pre-filling voucher codes via URL parameters, so they can be used via QR code #1984
Certificates
• Fixed OCSP stapling detection for OpenSSL 1.1.x #9408
• Fixed GUI detection of revoked status for certificates issued and revoked by an intermediate CA #9924
• Removed PKCS#12 export links for entries which cannot be exported in that format (e.g. no private key) #10284
• Added an option to globally trust local CA manager entries #4068
• Added support for randomized certificate serial numbers when creating or signing certificates with local internal
CAs #9883
• Added validation for CA/CRL serial numbers #9883 #9869
• Added support for importing ECDSA keys in certificates and when completing signing requests #9745
• Added support for creating and signing certificates using ECDSA keys #9843 #10658
• Added detailed certificate information block to the CA list, using code shared with the Certificate list #9856
• Added Certificate Lifetime to certificate information block #7332
• Added CA validity checks when attempting to pre-fill certificate fields from a CA #3956
• Added a daily certificate expiration check and notice, with settings to control its behavior and notifications
(Default: 27 days) #7332
• Added functionality to import certificates without private keys (e.g. PKCS#11) #9834
• Added functionality to upload a PKCS#12 file to import a certificate #8645
• Added CA/Certificate renewal functionality #9842
– This allows a CA or certificate to be renewed using its current settings (or a more secure profile), replacing
the entry with a fresh one, and optionally retaining the existing key.
• Added an “Edit” screen for Certificate entries
– This view allows editing the Certificate Descriptive name field #7861
– This view also adds a (not stored) password field and buttons for exporting encrypted private keys and
PKCS#12 archives #1192
• Improved default GUI certificate strength and handling of weak values #9825
– Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple plat-
forms #9825
– Added notes on CA/Cert pages about using potentially insecure parameter choices
– Added visible warnings on CA/Cert pages if parameters are known to be insecure or not recommended
• Revamped CRL management to be easier to use and more capable
– Added the ability to revoke certificates by serial number #9869
– Added the ability to revoke multiple entries at a time #3258
– Decluttered the main CRL list screen
– Moved CRL creation to a single control below the list rather than multiple buttons
• Optimized CA/Cert/CRL code in various ways, including:
– Actions are now performed by refid rather than array index, which is more accurate and not as
prone to being affected by parallel changes
– Improved configuration change descriptions as shown in the GUI and configuration history/backups
– Miscellaneous style and code re-use improvements
– Changed CA/Cert date calculations to use a more accurate method, which ensures accuracy on ARM
past the 2038 date barrier #9899
Configuration Backend
• Changed error handling on boot error ‘XML configuration file not found’ so the user is given an opportunity to
fix the problem manually #10556
Configuration Upgrade
• Retired m0n0wall configuration upgrade support #10997
Console Menu
• Fixed rc.initial execution of rc.local.running #10978
• Fixed rc.initial handling of -c commands with arguments #10603
• Fixed console menu display of subnet masks for DHCP interfaces #10740
Dashboard
• Added PPP uptime to the Dashboard Interfaces Widget #9426
• Improved long description truncation behavior in the services status widget #10795
• Fixed Dashboard traffic graph widget display of bandwidth units (b/s vs. B/s) #9072
• Added adaptive state timeout indication to the state table usage meter #7016
• Fixed Thermal Sensors dashboard widget showing invalid sensors #10963
• Added default route indicator to Gateways widget #11057
• Added hardware interface name as a tooltip on Interfaces widget entries #11041
DHCP (IPv4)
• Fixed handling of spaces in DHCP lease hostnames by dhcpleases #9758
• Fixed DHCP leases hostname parsing problems which prevented some hostnames from being displayed in the
GUI #3500
• Added OMAPI settings to the DHCP Server #7304
• Increased number of NTP servers sent via DHCP to 3 #9661
• Added an option to prevent known DHCP clients from obtaining addresses on any interface (e.g. known clients
may only obtain an address from the interface where the entry is defined) #1605
• Added count of static mappings to list when editing DHCP settings for an interface #9282
• Fixed handling of client identifiers on static mappings containing double quotes #10295
• Added ARM32/64 network booting support to the DHCP Server #10374
• Increased the number of NTP servers for DHCP Static Mappings #10333
• Fixed DHCP Dynamic DNS handling of per-host zone and key options from static mappings #10224
• Added per-host custom BOOTP/DHCP Options to static mappings #8990
• Added a button to clear all DHCP leases #7406
• Fixed ARPA zone declaration formatting in DHCP server configuration file #11224
DHCP (IPv6)
• Added options to disable pushing IPv6 DNS servers to clients via DHCP6 #9302
• Fixed DHCPv6 domain search list #10200
• Fixed validation to allow omission of DHCPv6 range for use with stateless DHCP #9596
• Fixed issues creating IPv6 Static Mappings #7443
• Fixed DHCPv6 merging an IPv6 prefix with the input submitted in DNS servers field when using Track Interface
#7384
• Fixed prefix delegation not being requested if no interfaces were set to track6 #11005
• Fixed DHCPv6 Dynamic DNS domain key name validation #10844
• Fixed line formatting issues in the DHCPv6 configuration file #10675
• Fixed prefix not being included in the DNS entry registered by DHCPv6 #8156
• Fixed DHCPv6 static mapping changes requiring a restart of the DNS resolver to activate #10882
• Fixed issues running DHCPv6 on certain types of tracked interfaces (e.g. bridges, VLANs) #3965
• Fixed issues with WAN not renewing IPv6 address after an upstream failure #10966
DHCP Relay
• Fixed DHCP Relay validation to allow OpenVPN TAP interfaces #10711
• Fixed inconsistent validation behavior for DHCP relay and bridges #7778
Diagnostics
• Added Reroot and Reboot with Filesystem Check options to GUI Reboot page #9771
• Added option to control wait time between ICMP echo request (ping) packets diag_ping.php #9862
• Improved data sanitization in status.php #10946 #10944
• Sanitized the MaxMind GeoIP key #10797 #10569 #10794
• Added config history list to status.php #10696
• Added DNS Resolver configuration to status.php #10635
• Added L2TP VPN configuration to status.php #10583
• Changed pftop page to hide filtering controls for views which do not support filtering #10625
• Added support for IDN hostnames to DNS Lookup, Ping, and Traceroute #10538
• Fixed diag_dns.php link to Ping passing incorrect parameters #10537
• Added a button to clear the NDP cache #10975
• Added a button to clear the ARP cache #4038
• Fixed hostname being ignored when DNS Lookup calculates response time #11018
• Fixed Kill States button on diag_dump_states.php when used with CIDR-masked subnets #9270
DNS Forwarder
• Updated dnsmasq to 2.84 #11278
DNS Resolver
• Added IPv6 OpenVPN client addresses resolution to the DNS Resolver #8624
• Added DNS64 options to the DNS Resolver #10274
• Added support for multiple IP addresses in a DNS Resolver Host Override entry #10896
• Fixed DNS Resolver restart commands to work around potential environment issues #10781
• Fixed saving DNS Resolver ACL entries when using a non-English translation #10742
• Added support for IDN symbols in DNS Resolver ACL entries #10730
• Added Aggressive NSEC option to the DNS Resolver #10449
• Fixed DNS Resolver unintentionally retaining DHCP registration entries after disabling that feature #8981
• Fixed DNS Resolver restarting on every OpenVPN client connection when registering clients in DNS #11129
• Fixed issues with the DNS Resolver not starting when bound to disabled interfaces or interfaces without carrier
#11087
• Fixed DNS Resolver custom TLS listen port being ignored #11051
• Improved formatting and ordering of items in the DNS Resolver access list configuration file #11309
Dynamic DNS
• Fixed Dynamic DNS Dashboard Widget address parsing for entries with split hostname/domain (e.g.
Namecheap) #9564
• Added support for new CloudFlare Dynamic DNS API tokens #9639
• Added IPv6 support to No-IP Dynamic DNS #10256
• Fixed issues with Hover Dynamic DNS #10241
• Updated Cloudflare Dynamic DNS to query Zone ID with token #10992
• Added support for IPv6 to easyDNS Dynamic DNS #10972
• Added support for Domeneshop Dynamic DNS #10826
• Added Zone option to RFC 2136 Dynamic DNS #10684
• Updated FreeDNS Dynamic DNS to use their v2 API #10617
• Fixed DigitalOcean Dynamic DNS processing of zones with multiple pages of records #10592
• Improved Dynamic DNS Logging #10459
• Added support for dynv6.com Dynamic DNS #9642
• Fixed handling of Dynamic DNS AAAA records on 6rd tunnel interfaces bound to PPPoE interfaces #9641
• Added a button to duplicate Dynamic DNS entries #8952
• Fixed Dynamic DNS update for HE.net Tunnelbroker always setting IP address of the default WAN interface
#11024
• Updated HE.net Tunnelbroker Dynamic DNS to use their current API #11037
• Added support for Wildcard A records for Gandi Dynamic DNS #11159
• Updated No-IP Dynamic DNS to use a newer API #6638
• Fixed Namecheap Dynamic DNS error code checking #5308
• Improved color blind accessibility of Dynamic DNS status #3229
Gateways
• Added support for obtaining a gateway via DHCP which is outside of the interface subnet #7380
• Added validation to prevent using descriptions on interfaces which would cause gateway names to exceed the
maximum allowed length #9401
• Added tooltip text to icons on the Gateways #10719
• Fixed issues with dpinger failing to update IPv6 gateway address on DHCPv6 WAN interfaces #8136
Hardware / Drivers
• Added bnxt driver for Broadcom NetXtreme interfaces #9155
• Added iOS/Android/Generic USB tethering driver #7467
IGMP Proxy
• Added input validation for IGMP Proxy settings #7163
Installer
• Created separate Auto (UFS) UEFI and Auto (UFS) BIOS installation options to avoid problems on hardware
which boots differently on USB and non-USB disks #8638
• Fixed reinstalling with UFS on a ZFS formatted drive #10690
• Fixed platform detection for MBT-4220 and MBT-2220 on newer BIOS revisions #9242
• Fixed an issue with shutting down instead of rebooting after installing using ZFS #7307
Interfaces
• Added support for using IPv4 and IPv6 addresses on GRE interfaces at the same time #10392
• Added a check to disable Hardware Checksum Offloading in environments with interfaces which do not support
it (e.g. vtnet, ena) #10723
• Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag #9548
• Added a PHP shell playback script restartallwan which restarts all WAN-type interfaces #9688
• Changed assignment of the fe80::1:1 default IPv6 link-local LAN address so it does not remove existing
entries, which could cause problems such as Unbound failing to start #9998
• Added automatic MTU adjustment for GRE interfaces using IPsec as a transport #10222
• Fixed SLAAC interface selection when using IPv6 on a link which also uses PPP #9324
• Added GUI interface descriptions to Operating System interfaces #1557
• Added the ability to assign virtual type interfaces (IPsec, OpenVPN, GIF, GRE, etc) during console interface
assignment #10947
• Fixed TSO not being disabled in some cases #10836
• Fixed group name length input validation #10835
• Improved interface caching for environments with many interfaces #10680
• Fixed fe80::1:1 being added to interfaces without track6 #10661
• Added a check to prevent stf (6RD/6to4) interfaces from being used as parent interfaces #10626
• Fixed redundant disabling of static ARP at boot before it could be enabled #10589
• Fixed initialization of bridges which include a GIF interface at boot #10524
• Fixed problems with post-install interface changes not being retained if the user did not complete the wizard
#10383
• Fixed inefficiencies when applying settings to a VLAN parent interface #9154
• Fixed interface MTU setting not being applied to all IPv6 routes #6868
• Fixed handling of MTU setting for 6rd and 6to4 interfaces #6377
• Fixed IPv6 IP Alias preventing Track Interface from working with DHCPv6 and RA #5999
• Changed DHCP interface renewal behavior to not restart services if the IP address did not change #11142
• Fixed an error when changing bridge STP settings #11122
• Added a binary package with updated Realtek interface drivers #11079
• Improved link state visibility on Status > Interfaces #11045
• Removed VTI interfaces from Interface Group selection since they do not currently function in this manner
#11134
• Fixed issues with IPv6 on top of IPv4 PPPoE placing default route on incorrect interface #9324
IPsec
• Added 25519 curve-based IPsec DH and PFS groups 31 and 32 #9531
• Enabled the strongSwan PKCS#11 plugin #6775
• Added support for ECDSA certificates to IPsec for IKE #4991
• Renamed IPsec “RSA” options to “Certificate” since both RSA and ECDSA certificates are now supported, and
it is also easier for users to recognize #9903
• Converted IPsec configuration code from the ipsec.conf (ipsec/stroke) style to the swanctl.conf (swanctl/vici) style #9603
– Split up much of the single large IPsec configuration function into multiple functions as appropriate.
– Optimized code along the way, including reducing code duplication and finding ways to generalize func-
tions to support future expansion.
– For IKEv1 and IKEv2 with Split Connections enabled, P2 settings are properly respected for each individual P2, such as separate encryption algorithms #6263
* N.B.: In rare cases this may expose a previous misconfiguration which allowed a Phase 2 SA to
connect with improper settings, for example if a required encryption algorithm was enabled on one
P2 but not another.
– New GUI option under VPN > IPsec, Mobile Clients tab to enable RADIUS Accounting which was
previously on by default. This is now disabled by default as RADIUS accounting data will be sent for
every tunnel, not only mobile clients, and if the accounting data fails to reach the RADIUS server, tunnels
may be disconnected.
– Additional developer & advanced user notes:
* For those who may have scripts which touched files in /var/etc/ipsec, note that the structure of
this directory has changed to the new swanctl layout.
* Any usage of /usr/local/sbin/ipsec or the stroke plugin must also be changed to /usr/local/sbin/swanctl and VICI. Note that some commands have no direct equivalents, but the same or better information is available in other ways.
* IPsec start/stop/reload functions now use /usr/local/sbin/strongswanrc
* IPsec-related functions were converged into ipsec.inc, removed from vpn.inc, and renamed
from vpn_ipsec_<name> to ipsec_<name>
– Reworked how reauthentication and rekey behavior functions, giving more control to the user compared
to previous options #9983
• Reformatted status_ipsec.php to include more available information (rekey timer, encryption key size,
IKE SPIs, ports) #9979
• Added support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec #9878
• Fixed usage of Hash Algorithm on child ESP/AH proposals using AEAD ciphers #9726
• Added support for IPsec remote gateway entries using FQDNs which resolve to IPv6 addresses #9405
• Added manual selection of Pseudo-Random Function (PRF) for use with AEAD ciphers #9309
• Added support for using per-user addresses from RADIUS and falling back to a local pool otherwise #8160
• Added an option which allows multiple tunnels to use the same remote peer in certain situations (read warnings
on the option before use) #10214
• Improved visible distinction of online/offline mobile IPsec users in the IPsec status and dashboard widget
#10340
• Added options to change the IPsec NAT-T ports (local and remote) #10870
• Improved boot-time initialization of IPsec VTI interfaces #10842
• Added support for limiting IPsec VPN access by RADIUS user group #10748
• Changed IPsec to share the same RADIUS Cisco-AVPair parser code as OpenVPN for Xauth users #10469
• Fixed handling of IPsec VTI interfaces in environments with large numbers of IPsec tunnels #9592
• Added IPsec Advanced option to control maximum allowed Parallel P2 Rekey exchanges #9331
• Fixed issues with bringing up new Phase 2 entries on IPsec tunnels with “Split connections” enabled #8472
• Fixed issues where, in rare cases, IPsec tunnels would not reconnect until the firewall was rebooted #8015
• Improved the Remote Gateway field description for IPsec Phase 1 entries to indicate that 0.0.0.0 is allowed
#7095
• Fixed issues with IKEv2 IPsec tunnels with multiple phase 2 entries combining traffic selectors in unexpected
ways (set “Split Connections” to isolate them) #6324
• Added options to create IPsec bypass rules which prevent specific source and destination network pairs from
entering policy-based IPsec tunnels #3329
• Documented settings which work around SA duplication issues experienced by users in certain cases #10176
• Improved IPsec GUI options for P1/P2 SA expiration and replacement to help prevent SA duplication #11219
• Fixed a PHP error in mobile IPsec input validation #11212
• Added validation to prevent unsupported wildcard certificates from being selected for use with IPsec #11297
IPv6 Router Advertisements (RADVD)
• Fixed Router Advertisement configuration missing information in Unmanaged mode #9710
• Fixed Router Advertisement lifetime input validation #10709
L2TP
• Fixed L2TP secret using an empty value after removing it from the GUI #10710
• Fixed L2TP input validation to allow leaving the remote address field blank when assigning addresses from
RADIUS #7562
• Fixed inefficiencies in the initial L2TP reconfiguration process #7558
• Fixed L2TP Server and Client both using l2tpX for interface names #11006
• Fixed static routes on L2TP interfaces not being reapplied when reconnecting #10407
• Fixed L2TP server being restarted when making user account changes #11059
LAGG Interfaces
• Improved Interface Status and Widget information for LAGG #9187
• Fixed route for GIF/GRE peer when using VLAN on LAGG #10623
• Added option to toggle LACP PDU transmission fast timeout #10504
• Fixed LAGG member interface events causing filter reloads #10365
• Fixed issues with LAGG interface MTU being incorrectly applied to VLAN subinterfaces #8585
• Added option to control the master interface for LAGG in Failover mode #1019
Logging
• Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated #8350
• Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits
(200k, up from 2k) #9734
• Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714
• Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714
• Added GUI options to control log rotation #9711
• Added code for packages to set their own log rotation parameters #9712
• Removed the redundant nginx-error.log file #7198
• Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375
• Reorganized/restructured several log tabs #9714
• Added a dedicated authentication log #9754
• Added an option for RFC 5424 format log messages which have RFC 3339 timestamps #9808
• Fixed an issue where a firewall log entry for loopback source/destination occasionally reported 127.0.0.1 as
127.0.01 #10776
• Fixed issues with syslogd using an old IP address after an interface IP address change #9660
• Added watchfrr to routing log #11207
Multi-WAN
• Fixed Gateways being removed from routing groups based on low alert thresholds #10546
• Fixed a possible race condition in gateway group fail-over causing unexpected behavior #9450
• Fixed a load balancing failure when one gateway had a weight of 1 and another gateway had a weight >1 #6025
NAT Reflection
• Fixed port forwards where the destination is a network alias creating invalid reflection rules if multiple subnets are in that alias #7614
Notifications
• Deprecated & Removed Growl Notifications #8821
• Added a daily certificate expiration notification with settings to control its behavior #7332
• Fixed input validation of SMTP notification settings #8522
• Added support for sending notifications via Pushover API #10495
• Added support for sending notifications via Telegram #10354
• Fixed a PHP error when SMTP notifications fail #11063
NTPD
• Added GUI options for NTP sync/poll intervals #6787
• Added validation to prevent using noselect and noserve with pools #9830
• Added feature to automatically detect GPS baud rate #7284
• Fixed status and widget display of long hostnames and stratum #10307
• Fixed handling of the checkbox options on NTP servers #10276
• Updated GPS initialization commands for Garmin devices #10327
• Added an option to limit NTP pool server usage #10323
• Added option to force IPv4/IPv6 DNS resolution for NTP servers #10322
• Added support for NTP server authentication #8794
• Added an option to disable NTP #3567
• Added units to the NTP status page #2850
OpenVPN
• Updated OpenVPN to 2.5.0 #11020
– The default compression behavior has changed for security reasons. Incoming packets will be decompressed, outgoing packets will not be compressed. There is a GUI control to alter this behavior.
– Data cipher negotiation (formerly known as Negotiable Cryptographic Parameters, or NCP) is now compulsory. Disabling negotiation has been deprecated. The option is still present in the GUI, but negotiation will be unilaterally enabled on upgrade. The upgrade process will attempt to use the expected data encryption algorithms before and after the upgrade completes, but in some cases more secure algorithms may be enabled as well. #10919
We strongly encourage using AEAD ciphers such as AES-GCM; future versions of OpenVPN will require them and will not have configurable cipher lists.
• Added connection count to OpenVPN status and widget #9788
• Enabled the OpenVPN x509-alt-username build option #9884
• Restructured the OpenVPN settings directory layout
– Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to /var/etc/openvpn/<mode><id>/<x>
* This keeps all settings for each client and server in a clean structure
• Moved to CApath style CA structure for OpenVPN CA/CRL usage #9915
• Added support for OCSP verification of client certificates #7767
• Fixed a potential race condition in OpenVPN client ACLs obtained via RADIUS #9206
• Added support for more protocols (IP, ICMP), ports, and a template variable ({clientip}) in OpenVPN
client ACLs obtained via RADIUS #9206
• Added the ability to register OpenVPN Remote Access (User Auth) clients in the DNS Resolver #10999
• Fixed an issue where duplicating an OpenVPN instance did not copy the password #10703
• Fixed issues with OpenVPN TCP clients failing to start #10650
• Added support for IPv6 OpenVPN ACLs obtained via RADIUS #10454
• Fixed validation to enforce OpenVPN client password usage when setting a username, to prevent a missing
password from interrupting the boot process #10409
• Enabled asynchronous push in OpenVPN binary #10273
• Added OpenVPN client-specific override option to ignore routes pushed by the server (“push-reset”) #9702
• Clarified behavior of OpenVPN server option for Duplicate Connections #10363
Operating System
• Fixed a network performance regression in the fast forwarding path with IP redirects enabled NG4965
• Fixed double ZFS entries in loader.conf #10375
• Added a method to enable persistent command history in the shell #11029
• Changed the default domain name of the firewall from .localdomain to .home.arpa #10533
Package System
• Disabled spell checking on package upgrade progress textarea #10637
• Fixed issues with package upgrade or reinstall hanging indefinitely #10610
• Fixed description used for buttons when editing packages #11208
• Deprecated the following packages: OpenBGPd, Quagga_OSPF, routed, blinkled, and gwled
PPP Interfaces
• Fixed issues with PPPoE over a VLAN failing to reconnect #9148
• Enabled selection of QinQ interfaces for use with PPP #9472
• Added option to set Host-Uniq value for PPPoE #10597
• Fixed incorrect interface assignment after switching from PPPoE #10240
• Fixed IPv6 not being disabled in mpd.conf when the IPv6 GUI option is set to ‘disabled’ #7386
• Fixed PPPoE interface errors due to MTU settings #11035
PPPoE Server
• Fixed PPPoE server ignoring secondary RADIUS Server #10926
• Fixed PPPoE server Accounting updates option #10869
• Removed unnecessary restarts of the PPPoE server when adding/modifying users #10318
• Added input validation to prevent enabling the PPPoE server on a PPPoE client interface #4510
Routing
• Fixed automatic static routes set for DNS gateway bindings not being removed when no longer necessary #8922
• Fixed missing tooltip text for icons on the Static Routes Page #10889
RRD Graphs
• Fixed RRD graph handling of NTP graph data with negative freq values #6503
• Fixed RRD graph creation for interfaces using CODELQ #6277
Rules / NAT
• Added the ability to configure negated tagging, to match packets which do not contain a given tag #10186
• Added support for IPv6 Port Forwards #10984
• Fixed handling of IPv6 NPt rules on 6rd WAN interfaces #10757
• Fixed 1:1 NAT issue when internal interface has VIPs #10752
• Fixed policy routing rules not being written correctly for a down gateway #10716
• Added EoIP to firewall rule Protocol list #10698
• Fixed separator bars on floating rules not covering the full table width #10667
• Fixed 1:1 NAT for IPv6 applying wrong subnet mask to “Single Host” #7742
• Added validation to prevent accidentally overlapping NPt networks and interface networks #7741
• Added support for dynamic interface addresses in 1:1 NAT rules #7705
• Added default values of TCP and UDP timeouts to the GUI #7362
• Fixed handling of IPv6 floating rules on 6rd interfaces #7142
• Fixed firewall rules for “PPPoE clients” only including the first PPPoE server instance #6598
• Fixed duplicated tracker IDs on block private networks rules #6030
• Fixed reply-to on rules for PPPoE WANs with IPv6 SLAAC #5258
• Added gateway/group IP addresses to mouseover on rules #885
• Fixed formatting of floating rules with large numbers of interfaces #10892
• Fixed form rendering issues with Port Forward Address Fields in Safari #10674
• Fixed firewall ruleset failing to load at boot when new ruleset would be invalid #6028
• Fixed an issue adding or deleting separator bars when no rules are present #10827
S.M.A.R.T.
• Updated S.M.A.R.T. Page with new capabilities #9367
SNMP
• Fixed SNMP reporting incorrect speed for switch uplink interface on Netgate SG-3100 #10793
• Fixed SNMP input validation to require the Host Resources module when the PF module is also enabled #10471
Traffic Graphs
• Changed the Traffic Graph page from rate to iftop, which brings IPv6 support and various other improvements #3334
Traffic Shaper (ALTQ)
• Changed default ALTQ queue bandwidth type to Mbit/s #10988
• Updated traffic shaper wizard settings for XBox and Wii ports #10837
• Added Broadcom NetXtreme to ALTQ-capable list #10762
• Added ALTQ support to the ix(4) driver #7378
• Fixed deletion of associated shaper queues when deleting an interface #3488
• Fixed ALTQ root queue bandwidth calculation #3381
• Fixed input validation for amount of queues supported by ALTQ schedulers #1353
• Added Google Stadia port range to the traffic shaper wizard #10743
• Fixed PHP errors in the traffic shaper wizard #10660
• Fixed ALTQ on hn(4) interfaces #8954
Traffic Shaper (Limiters)
• Fixed issues with net.inet.ip.dummynet.* tunables being ignored #10780
• Fixed issues with renaming limiters removing them from firewall rules #3924
• Fixed mask options not applying to sched limiter #10838
• Changed default Limiter queue bandwidth type to Mbit/s #10727
Translations
• Added Italian translation #9716
Upgrade
• Fixed issues with checking for updates from the GUI behind a proxy with authentication #9478
• Changed phrasing of message indicating the firewall is rebooting to upgrade #10387
• Fixed issues with the GUI incorrectly reporting “The system is on the latest version” #8870
UPnP
• Improved handling of UPnP with multiple gaming systems #7727
User Manager / Privileges
• Added menu entry for User Password Manager if the user does not have permission to reach the User Manager
#9428
• Improved consistency of SSL/TLS references in LDAP authentication servers #10172
• Fixed irrelevant output being printed to users with ssh_tunnel_shell #9260
• Fixed theme not being applied to LDAP test results modal #7912
• Changed to more secure default values for certificates created through the user manager #11167
• Changed SSL/TLS LDAP authentication implementation to improve handling of multiple secure LDAP
(SSL/TLS or STARTTLS) servers used at the same time #10704
Virtual IP Addresses
• Fixed a problem with PID file handling for the proxy ARP daemon #7379
• Fixed IP Alias VIPs on PPPoE interfaces #7132
Web Interface
• Updated JQuery to address multiple issues #10676
• Updated Bootstrap to 3.4.1 #9892
• Updated Font-Awesome to v5 #9052
• Increased the number of colors available for the login screen #9706
• Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0
removed from Captive Portal, TLS 1.1 removed from GUI) #9607
• Fixed empty lines in various forms throughout the GUI #9449
• Improved validation of FQDNs #9023
• Added CHACHA20-POLY1305 to nginx cipher list #9896
• Fixed Setup Wizard input validation to allow Primary/Secondary DNS Server field to remain empty #10982
• Fixed Setup Wizard input validation for IPv6 DNS Servers #10720
• Added an option to omit DNS Servers from resolv.conf #10931
• Fixed the icon area within buttons not being clickable #10846
• Fixed visibility issues with multiple selection form control in the pfsense-BETA-dark theme #10705
• Updated documentation links in the GUI #10481
• Fixed netmask/prefix form control incorrectly resetting to 128/32 #10433
• Updated Help shortcut links #10135
• Improved handling of multiple login form submissions to avoid a potential CSRF error #9855
• Fixed reboot message when changing the Hardware Checksum Offloading setting #3031
• Added support for new site icons requested by current versions of Safari #11068
• Added descriptions to all write_config() calls #204
WireGuard
• Added kernel-based WireGuard VPN implementation #8786
Wireless
• Added support for the athp(4) wireless interface driver #9538 #9600
• Added support for the ral(4) wireless interface driver to arm64 #10934
• Added support for the rtwn(4) wireless interface driver #10639
• Added support for selecting 802.11n channel width (HT) #10678
Development
• Added a “periodic” style framework to allow for daily/weekly/monthly tasks from the base system or packages
by way of plugin calls #7332
• Added a central file download function for internal use throughout the GUI
• Added TCP_RFC7413 in kernel, required for the BIND package #7293
XMLRPC
• Fixed XMLRPC synchronization of admin authorized keys for the admin user #9539
• Added option to synchronize changes for the account used for XMLRPC sync #9622
• Fixed XMLRPC synchronization for firewall rule descriptions with special characters #1478
• Fixed Incorrect synchronize IP address value causing XMLRPC errors #11017
3.3.2 pfSense CE Software
2.4.5-p1 New Features and Changes
pfSense® software version 2.4.5-p1 addresses performance, security, and other miscellaneous issues found in 2.4.5.
Warning: Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are
in effect.
During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and
avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related
issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of
the issue may not be possible while travel restrictions related to COVID-19 are in effect.
Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those
releases to read all important information and warnings before proceeding.
Note: Upgrading to pfSense software version 2.4.5-p1 requires pfSense-upgrade version 0.70 or later. Most
installations will automatically pick up the new version and upgrade normally. If this does not happen automatically
and the upgrade to version 2.4.5-p1 is not offered, use the following procedure:
• Navigate to System > Updates
• Set Branch to Previous stable version
• Wait a few moments for the upgrade check to complete
• Optional: Confirm that the latest version of pfSense-upgrade is present (version >= 0.70) using pkg-static info -x pfSense-upgrade.
If the correct version is not present, wait a bit longer and check again as that package may be updating in the
background.
• Set Branch to Latest stable version
• Wait a few moments for the upgrade check to complete
At this point, the upgrade check should see 2.4.5-p1 and the upgrade can proceed.
Note: pfSense software version 2.4.5-p1 includes pkg version 1.13.x which introduces a new metadata version. Most
installations will automatically pick up the new version and upgrade normally. In certain cases, especially coming from
much older versions, the pkg utility may require a manual update before it can correctly process the new metadata.
The pkg utility can be upgraded manually with the following command run from an ssh or console shell:
# pkg-static bootstrap -f
See Repository Metadata Version Errors for more details.
Security / Errata
• Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload
events #10414
• Fixed an issue with sshguard which could prevent it from protecting against brute force logins #10488
• Updated unbound to address CVE-2020-12662 and CVE-2020-12663 #10576
• Updated json-c to address CVE-2020-12762 #10609
• Addressed FreeBSD Security Advisories & Errata Notices including:
– FreeBSD-SA-20:10.ipfw
– FreeBSD-SA-20:12.libalias
– FreeBSD-SA-20:13.libalias
– FreeBSD-SA-20:15.cryptodev
Aliases / Tables
• Fixed handling of URL/URL table aliases with IDN hostnames #10321
Authentication
• Fixed handling of misconfigured groups which prevented the admin user from making configuration changes
#10492
• Fixed a potential temporary privilege downgrade when deleting an account #9259
Backup / Restore
• Fixed handling of redundant/extraneous RRD tags when making configuration backups #10508
CARP
• Fixed handling of IPv6 CARP VIPs with non-significant zeros during XMLRPC sync #6579
Certificates
• Fixed a bug which prevented the user from removing a CA private key when editing #10509
Configuration Upgrade
• Fixed a PHP error during upgrade from <2.4.3 with empty tags in the IPsec configuration #10458
Console Menu
• Changed the naming convention of gateways created at the console to be the same as those created in the GUI
#10264
DHCP (IPv6)
• Added default value placeholders to some DHCPv6 RA configuration options #10448
• Fixed DHCPv6 service Dynamic DNS errors #10346
• Fixed rc.newwanipv6 being called for Request messages which dhcp6c should have discarded #9634
• Added dashed DUID support to DHCPv6 static mappings #2568
DHCP Relay
• Fixed DHCP Relay handling of scenarios where a target server may be on the same interface as some clients
#10416
• Excluded unsupported interface types from DHCP Relay #10341
DHCP Server
• Fixed DHCPv6 static entries not being updated on external Dynamic DNS servers #10412
• Fixed DHCPv6 domain-search list not being sent to clients #10200
• Fixed DHCP Server not accepting IPv6 addresses for Dynamic DNS servers #6600
Diagnostics
• Several improvements and items added to status.php diagnostic output #10455 #10424 #10423 #10350 #10349
#10568
• Fixed Require State Filter setting on diag_states.php breaking filter rule link to associated states #10359
DNS Resolver
• Fixed IPsec and OpenVPN IPv6 tunnel network/pool prefixes not being added to automatic DNS Resolver ACLs
#10460
• Fixed EDNS buffer size values to prepare for 2020 DNS flag day #10293
• Fixed DNS Resolver handling of entries from DHCP server which contain a trailing dot in domain names #8054
Dynamic DNS
• Fixed DigitalOcean Dynamic DNS client handling of IPv6 addresses #10390
• Fixed DNSExit update URL #9632
Hardware / Drivers
• Added support for iwm devices #7725
Note: This device only supports Station mode. It does not support acting as an access point.
• Added ng_etf module to armv6 and aarch64 kernels #10463
• Added QLogic 10G driver (qlxgb/qla80xx) #9891
• Added virtio_console to the kernel #9985
IPsec
• Fixed selection of IPsec VTI Phase 2 local network address/mask values #10418
• Fixed saving IPsec connection breaking FRR BGP on VTI interfaces #10351
• Updated DH group warnings to say that group 5 is also weak #10221
• Fixed disabling IPsec Phase 1 with a VTI Phase 2 #10190
• Fixed disabled IPsec Phase 2 entries being unintentionally included in vpn_networks table #7622
L2TP
• Changed L2TP mpd.secret handling so that the server is not restarted after adding/modifying L2TP users
#4866
• Fixed handling of L2TP usernames containing a realm separator (@) #9828
• Fixed Shared Secret handling in L2TP #10531 #10527
Limiters
• Fixed input validation of limiters with ECN #10211
• Fixed a bogus extra warning dialog when deleting limiters #9334
Notifications
• Fixed SMTP notification SSL validation to respect the user-selected behavior #10317
NTPD
• Added localhost to NTP Interface selection options #10348
OpenVPN
• Fixed OpenVPN remote statement protocol handling #10368
• Added option to configure OpenVPN username as common name behavior #8289
Operating System
• Fixed handling of RAM disk sizes not accounting for existing disk usage when calculating available kernel
memory, which could prevent saving #10420
• Updated pkg to 1.13.x #10564
• Fixed problems preventing the Netgate Coreboot Package from updating Coreboot properly #10573
Packages
• Fixed handling of FreeRADIUS passwords containing non-XML-safe characters #4497
• Fixed handling of Squid LDAP search filters containing an accent #7654
• Fixed issues preventing FRR from working on certain platforms such as SG-1100 (arm64/aarch64) #10444
• Fixed issues preventing Suricata from working on certain platforms such as SG-1100 (arm64/aarch64) #10228
Rules / NAT
• Fixed Duplicate Outbound NAT entries from L2TP server addresses #10247
• Fixed Outbound NAT rules for mobile IPsec users with per-user addresses defined #9320
• Fixed IPv6 IP Alias VIPs not being added to Interface Network macros #8256
• Fixed Destination port range “Any” in Port Forward rules #7704
• Fixed display of interfaces on the Floating rules list #4629
• Fixed rule description validation to reject  #10542
• Fixed setting NAT reflection timeout values #10591
Translations
• Fixed language selection for Chinese (Taiwan) / HK Translations #10525
Services
• Fixed is_process_running() handling of empty process, which could lead to an error when using the
CLI to query the status of a service which does not exist #10540
Web Interface
• Fixed dark theme auto-complete popup field having dark text on dark background #10499
• Fixed using special characters in Schedule descriptions #10305
• Fixed WebGUI main page loading very slowly when there is no Internet connectivity #8987
2.4.5 New Features and Changes
pfSense® software version 2.4.5 contains a variety of bug fixes and maintenance updates.
Warning: Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are
in effect.
During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and
avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related
issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of
the issue may not be possible while travel restrictions related to COVID-19 are in effect.
Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those
releases to read all important information and warnings before proceeding.
Operating System / Architecture changes
• Base OS upgraded to FreeBSD 11.3-STABLE@r357046
• PHP upgraded to 7.2.29
Security / Errata
• Fixed dependency issues with pfSense-upgrade which may have caused it not to update itself properly
#10303
Tip: If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present.
• Added encoding to the hostname in services_acb.php #9584
• Added encoding to error output in services_captiveportal_mac.php #9609
• Improved Picture Widget input validation #9610 #9731 #9804
• Added a fsck run with -z for UFS filesystems on upgrade to address FreeBSD-SA-19:10.ufs #9612
• Fixed format of XMLRPC auth error to match GUI auth error #9782
• Added a custom CSRF Error page with warnings and confirmation prompts before resubmitting potentially
harmful data #9799
• Fixed Status_Monitoring rrd_fetch_json.php error encoding #9601
• Fixed encoding of the user full name on system_usermanager_addprivs.php #10324
• Fixed input validation and output encoding of host on diag_ping.php #10355
• Addressed FreeBSD Security Advisories & Errata Notices
– FreeBSD-SA-20:05.if_oce_ioctl
– FreeBSD-SA-20:04.tcp
– FreeBSD-SA-19:24.mqueuefs
– FreeBSD-SA-19:23.midi
– FreeBSD-SA-19:22.mbuf
– FreeBSD-SA-19:21.bhyve
– FreeBSD-SA-19:20.bsnmp
– FreeBSD-SA-19:19.mldv2
– FreeBSD-SA-19:18.bzip2
– FreeBSD-SA-19:17.fd
– FreeBSD-SA-19:16.bhyve
– FreeBSD-SA-19:15.mqueuefs
– FreeBSD-SA-19:14.freebsd32
– FreeBSD-SA-19:13.pts
– FreeBSD-SA-19:12.telnet
– FreeBSD-SA-19:11.cd_ioctl
– FreeBSD-SA-19:10.ufs
– FreeBSD-SA-19:09.iconv
– FreeBSD-SA-19:08.rack
– FreeBSD-EN-20:06.ipv6
– FreeBSD-EN-20:04.pfctl
– FreeBSD-EN-19:18.tzdata
– FreeBSD-EN-19:17.ipfw
– FreeBSD-EN-19:16.bhyve
– FreeBSD-EN-19:15.libunwind
– FreeBSD-EN-19:14.epoch
– FreeBSD-EN-19:13.mds
– FreeBSD-EN-19:12.tzdata
– FreeBSD-EN-19:11.net
Aliases/Tables
• Fixed an issue when resolving FQDN entries in aliases where some entries could be missing #9296
• Improved URL Table aliases to support FQDNs which return multiple entries #8531
• Added a function to download the contents of an individual alias #9816
Authentication
• Added exception handling to authentication attempts #9150
Backup/Restore
• Added a special string (NoReMoTeBaCkUp) that when used in write_config() descriptions will prevent
a remote backup #9693
• Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy service) #9687 #9785
• Added CDATA protection to the encryption_password XML tag, which allows international characters
to be used in that field #7186
• Added CDATA escape to more auth-related fields #9327
• Ensured that kern.cam.boot_delay is set for new installations and upgrades so that USB devices are
properly initialized in time for configuration restore in the installer and ECL to function #9533
Captive Portal
• Fixed Captive Portal vouchers shortcut links #9722
• Changed Captive Portal redirect page selection order #9819
• Fixed a rare and intermittent issue where users could encounter an nginx error when restarting Captive Portal
instances #10159
Certificates
• Added sorting and search/filtering to Certificate Authority & Certificate manager #9412
• Corrected wording of CA/Cert CN input validation #9234
• Fixed certificate Descriptive Name field behavior when adding a user certificate #9719
• Added clientAuth EKU to Server type certificates #9868
• Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825
Dashboard
• Added option to disable PTI display in System Information widget #9323
DHCP
• Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448
• Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists
#9466
• Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible
#8443
• Added an option to disable ping check in dhcpd #9285
• Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133
• Added search/filter to DHCP/DHCPv6 leases #9791
• Improved DHCP client handling of timeout conditions and script failures #9267
Diagnostics
• Fixed a PHP warning in diag_dump_states.php #9780
• Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543
• Fixed diag_system_activity.php to use batch mode for top so it displays the process list without a terminal, and increased the amount of output displayed #9522
• Added search/filter ARP table and NDP status #9791
DNS
• Added 127.0.0.0/8 to the DNS Resolver private-address list for DNS rebinding protection #9708
• Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586
• Fixed an issue saving DNS over TLS hostnames on systems with only one gateway #9898
• Fixed an issue where manually configured DNS servers may not have been active if “allow override” was
disabled and they were also assigned dynamically #9963
• Added DNS Resolver (Unbound) Python Integration #9251
Dynamic DNS
• Fixed Dynamic DNS class constructor name #9779
• Fixed errors in DNSimple Dynamic DNS #9580
• Fixed handling of wildcard (*) hostname entries in Cloudflare Dynamic DNS #9361
• Added support for AAAA records to Digital Ocean Dynamic DNS #9280
• Fixed issues with Digital Ocean Dynamic DNS handling of empty hostnames #9602
• Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271
• Added support for Linode Dynamic DNS #9268
• Fixed issues with IPv6 on Azure Dynamic DNS #9248
• Fixed handling of wildcards in Route53 Dynamic DNS #9053
• Fixed handling of wildcards in Loopia Dynamic DNS #8014
• Fixed CloudFlare Dynamic DNS processing when proxied is enabled #9362
• Fixed CloudFlare Dynamic DNS “Invalid TTL” error due to CloudFlare API update #10196
• Changed hostname to optional for DNS-O-Matic Dynamic DNS #7601
• Added support for Gandi LiveDNS Dynamic DNS #9452
Gateways
• Corrected PHP errors when marking gateways down in certain edge cases #9851
Interfaces
• Added more prefix delegation size entries to selection list on interfaces.php #9590
• Added initialization to the VLAN array in console setup #9582
• Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings
#8051
• Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741
• Added a confirmation prompt to disconnect/release actions on status_interfaces.php #9911
• Added drivers for Mellanox mlx4 and mlx5 network interface cards #7537
IPsec
• Fixed IPsec VTI interface creation logic #9781
• Added GUI option for IPsec P2/Child SA close action #9767
• Added IPsec DH and PFS groups 25, 26, and 27 #9757
• Added 25519 curve-based IPsec DH and PFS group 31 #9531
• Enabled NAT-T controls for IKEv2 #9695
• Improved handling of IPsec restarts breaking VTI routing #9668
• Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258
• Fixed IPsec keyid identifier handling #9243
• Fixed IPsec VTI MTU boot-time configuration #9111
• Fixed escaping of the Windows domain backslash in the IPsec widget #9747
• Fixed VTI IPv6 address handling #9801
• Fixed Child SA button JS hide on status_ipsec.php, along with other cosmetic improvements #8847
• Added Connect Children button to status_ipsec.php to connect when IKE (Phase 1) is up but Child SAs (Phase
2 entries) are not #9954
• Fixed IPsec Phase 2 Remote Network field show/hide when changing between Phase 2 modes #9720
• Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on
each P2 #6263
• Fixed a PHP error in IPsec package plugin hook processing #10217
Load Balancer
• Fixed a PHP error when processing services when the configuration does not contain Load Balancer entries #10308
Logging
• Moved igmpproxy logs to routing.log #10139
• Moved igmpproxy verbose logging option to services_igmpproxy.php (formerly at
status_logs_settings.php) #10139
• Updated sshguard and fixed a log processing regression #9971
• Fixed PHP errors in filter log processing when entries contain an invalid port #10255
Monitoring
• Fixed custom view titles being forced to lower case #9681
• Fixed packet graph scaling #9807
• Fixed a PHP error in RRD processing of ALTQ data #10248
Notifications
• Fixed SMTP notification password being unintentionally changed when testing SMTP settings #9684
• Reduced frequency of GEOM rebuild notifications #9256
NTPD
• Added validation to ensure NTP values are treated as numbers before use #9558
• Changed the default NTP pool server to 2.<domain> so that it can use IPv6 #9931
• Improved handling of errors on the NTP status page to work/fail gracefully with custom ACLs for localhost in place #9829
OpenVPN
• Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756
• Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748
• Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595
• Added an option to set the OpenVPN TLS Key Direction #9030
• Added GUI options to configure OpenVPN keepalive parameters #3473
• Fixed instances of hidden invalid OpenVPN options affecting save operations #9674
• Added a copy action to OpenVPN pages #5851
• Improved sorting of bytes sent/received on OpenVPN status page #7359
• Fixed visibility of the OpenVPN ‘interface’ option when multihome is selected #7840
• Reduced the OpenVPN server certificate lifetime to 398 days in the wizard to prevent errors on Apple platforms #9825
• Added input validation to prevent OpenVPN tunnel network reuse #3244
• Added Exit Notify to OpenVPN servers/client options #9078
Operating System
• Fixed serial console terminal size issues #9569
• Added the strings binary to base builds for troubleshooting #7791
• Changed UFS filesystem defaults to noatime on new installations #9483
• Fixed an issue where the IP header checksum was incorrect when reassembling packet fragments to a link with a different MTU #10189
Packet Capture
• Changed Packet Capture GUI to allow multiple TCP/UDP ports to be specified #9766
• Added start time to Packet Capture display #9831
• Added OSPF/OSPFv3 to Packet Capture protocols #9905
• Fixed Packet Capture to match both IPv4+IPv6 CARP when that protocol is selected #9867
• Fixed Packet Capture for the pfsync protocol #10183
Routing
• Fixed (Default) designation on routes to match the default route in the OS #9292
• Fixed static routes remaining in routing table after removal #9969
Rules / NAT
• Fixed state kill ordering in rc.newwanip #4674
• Added the ability to search firewall logs by tracking ID #8703
• Added GUI option to disable default blocking of APIPA networks #9966
• Added more common ports to the firewall rule drop-down list #10166
• Added input validation to prevent selecting !* (“not any”) in source or destination #10168
• Fixed invalid rules generated when using NAT reflection with a negated destination #10246
S.M.A.R.T.
• Updated the SMART page with new capabilities #9367
SNMP
• Fixed SNMP sysDescr contents to include hostname and patch version #9218
Traffic Shaping / Limiters
• Added input validation for Limiter delay values #9921
• Fixed the queue statistics parser to handle large values #9938
Translations
• Fixed an issue with international characters in configuration descriptions, which led to failures in certain cases, such as failing to set Manual Outbound NAT when the Language was set to pt_BR #6195
• Fixed a PHP error on system_advanced_admin.php when the language was set to French #10331
Upgrade / Installation
• Revised update check to provide a more consistent version string in JSON format #9778
• Disabled serial console on VGA memstick images #9488
• Fixed a PHP error when upgrading older configurations from revision 14.4 to 14.5 #9840
UPnP
• Fixed display of active UPnP sessions when configured with an alternate external address #9961
User Manager / Privileges
• Added input validation to prevent changing the authentication server name #9692
• Added privilege to manage integrated switches #9620
• Fixed privilege matching to handle JS anchor links #9550
• Removed wildcards incorrectly used in isAllowedPage() #9541
– This issue could prevent a user in the admins group from reaching certain pages such as the User Manager.
• Improved Deny Config Write privilege handling in the User & Group Manager #9259
• Fixed input validation of group name sizes to allow longer remote groups #3792
• Fixed handling of L2TP and PPPoE user passwords containing invalid characters #10275
Web Interface
• Corrected input validation for firewall rule VLAN priority/set #9763
• Restricted Thoth tests to arm64 in status.php NG 2569
• Added kernel memory usage to status.php output #9705
• Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694 #9736 #9764
• Fixed a potential source of PHP errors when saving per-log settings #9540
• Added GUI components for MDS mitigation #9532
• Fixed integrated switch LAGG member editing on switch_ports.php #9447
• Fixed wizard.php selection option size attribute handling #8907
• Fixed platform detection for certain C2558/C2758 systems #6846
• Set autocomplete=new-password for forms containing authentication fields to help prevent browser auto-fill from completing irrelevant fields #9864
• Fixed processing of shortcuts for XML-based packages #9770
• Updated jQuery #9407
• Improved consistency of SSL/TLS references throughout the GUI #10172
• Updated various help references and links to use the pfSense book instead of external resources #10135 #10184
XMLRPC
• Fixed removal of the last ALTQ traffic shaping entry from the target system when performing an XMLRPC sync #9469
• Fixed removal of the last limiter entry from the target system when performing an XMLRPC sync #9468
2.4.4-p3 New Features and Changes
pfSense® software version 2.4.4-p3 addresses security and other issues found in 2.4.4-p2.
Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.
Warning: The upcoming pfSense release version 2.5.0 deprecates the built-in load balancer, and all related code has been removed as it is not compatible with FreeBSD 12. Plan migrations to alternate solutions such as the HAProxy package now. See the 2.5.0 release notes for more information.
Security / Errata
• Changed sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration pfSense-SA-19_02.sshguard #9223
• Fixed potential XSS vectors
– pfSense-SA-19_01.webgui : Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294
– pfSense-SA-19_03.webgui : Fixed potential XSS vector in status_filter_reload.php #9499
– pfSense-SA-19_04.webgui : Fixed potential XSS vector in the WOL widget #9507
– pfSense-SA-19_05.webgui : Fixed potential XSS vector in services_acb.php #9508
• Fixed privilege issues
– pfSense-SA-19_06.webgui : Restrict edit access to OpenVPN-related advanced settings, and added new privilege to delegate edit permissions #9511
– pfSense-SA-19_07.webgui : Strengthen widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512
– pfSense-SA-19_08.webgui : Strengthen path privilege check to avoid a potential directory-traversal-like bypass method #9513
– Added privileges for Auto Config Backup pages #9519
– Updated privileges: Added misc missing pages, removed obsolete pages
• Addressed FreeBSD Security Advisories:
– FreeBSD-SA-19:03.wpa
– FreeBSD-SA-19:04.ntp
– FreeBSD-SA-19:05.pf
– FreeBSD-SA-19:06.pf
– FreeBSD-SA-19:07.mds
– FreeBSD-EN-19:08.tzdata
• Added DNS over TLS host verification #8602
– Configure hostnames for DNS over TLS servers under System > General
• sqlite updates #9205
Backup / Restore
• Fixed issues with output buffering causing configuration backup download failures #9390
• Fixed automatic package reinstallation after restoring config.xml from the installer #9214
• Force <enableserial> when restoring a backup on a device with serial only console
Certificates
• Added missing countries from CA list on certificate pages #9308
• Fixed an error when adding a new user and choosing to generate a certificate #9317
DNS
• Fixed input validation on diag_dns.php to allow a trailing dot on hostnames #9276
• Removed non-functional tools links from diag_dns.php #9275
• Fixed rewriting of the DNS Resolver file remotecontrol.conf if it is present but empty #9470
Firewall Rules / NAT / Aliases
• Fixed intermittent pf errors when NAT reflection is enabled #9446
• Fixed reserved pf keyword matching when creating and editing aliases #9231
• Fixed duplicate entries showing on diag_tables.php from lockout tables #9359
• Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193
• Do not show scheduler icon when scheduler tag is empty
Gateways / Routing
• Fixed issues with the default IPv4 gateway set to a group failing after restart #9004
Interfaces
• Fixed PHP error from interface groups when editing QinQ entries
IPsec
• Fixed IPsec Phase 1 entries on upgrade to have their protocol field populated properly #9207
Operating System
• Fixed support for ZFS encrypted+mirrored swap #9281
• Fixed problems saving crash dumps when /var is a RAM disk #9409
Traffic Shaping
• Fixed a PHP error when loading a limiter that does not exist #9313
• Fixed limiter selection validation
• Fixed Queues menu items ending with “:” in certain languages #8970
WebGUI
• Numerous optimizations and improvements for status.php diagnostics output #9290
• Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
• Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50MiB. #9239
• Added hostname to login page title if the user has enabled Show hostname on login banner #9096
• Centralized the list of country codes used by multiple areas #9308
• Updated translation files
XMLRPC
• Clarified conditions for synchronizing certificates in HA Sync options #9283
2.4.4-p2 New Features and Changes
pfSense® software version 2.4.4-p2 adds support for new Netgate hardware and corrects issues found with 2.4.4-p1.
Warning: For those who have not yet updated to 2.4.4-p1 or 2.4.4, consult the release notes and blog posts for those releases to read all important information and warnings before proceeding.
Miscellaneous
• Hardware support/improvements for Netgate products
• Fixed swap slice labeling in MBR mode and changed the way swap is located at boot time to detect and work around incorrect fstab swap labels created by the installer #9182
• Fixed handling of IPv6 name servers with nginx when using a certificate that requires OCSP stapling #9160
• Fixed handling of NPt rules using a /128 prefix #9163
• Fixed a PHP error in the Setup Wizard when dealing with static gateways #9170
• Updated Dynamic DNS to accommodate recent changes in the Digital Ocean API #9171
• Fixed OpenVPN RADIUS authentication use of calling_station_id #9178
• Fixed input validation that rejected certain valid hash algorithms when signing a CSR #9180
• Removed obsolete and unused OLSRD code #9117
2.4.4-p1 New Features and Changes
pfSense® software version 2.4.4-p1 corrects issues found with 2.4.4-RELEASE.
Security / Errata
• FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934
• FreeBSD Errata Notice FreeBSD-EN-18:10.syscall NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)
• FreeBSD Errata Notice FreeBSD-EN-18:11.listen Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)
• FreeBSD Errata Notice FreeBSD-EN-18:12.mem Small kernel memory disclosures in two system calls (CVE-2018-17155)
• Fixed a potential authenticated command injection issue with PowerD settings pfSense-SA-18_09.webgui #9061
• Fixed handling of privileges on the All group that were previously ignored #9051
Warning: Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before
Certificates
• Fixed CRL lifetime errors due to 2038 rollover on 32-bit ARM platforms #9098
• Fixed date display of CA/Certificate validity ending dates after 2038 rollover on 32-bit ARM platforms #9100
• Fixed PHP errors when creating certificate entries #9099
DNS
• Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support #9059
• Fixed issues with the DNS search domain for the firewall being omitted from resolv.conf in certain cases #9056
• Fixed PHP errors in the DNS Forwarder #8967
Dynamic DNS
• Fixed an issue with FreeDNS Dynamic DNS sending an IP address with an update #8924
• Fixed issues with Custom (v6) Dynamic DNS logging a hostname error #8977
DHCP Server
• Fixed issues with DHCPv6 network boot settings #8949
Routing/Gateways
• Reduced the logging output of gateway change events #8914
• Fixed an issue with dpinger PID files causing it to get stuck in Pending status #8921
• Fixed display of a configured gateway monitor IP address when gateway monitoring is disabled #8953
• Fixed issues with double quotes in gateway descriptions causing a blank gateway drop-down on firewall rules #8962
• Fixed an issue where the default gateway was lost in certain cases with HA after a CARP VIP status transition #8465
IPsec
• Updated strongSwan to 5.7.1 #8898
• Added 0.0.0.0/0 to both sides of an IPsec VTI P2 to allow connections with third-party routed IPsec implementations that require its presence #8859
• Fixed boot-time handling of IPsec VTI static routes #9116
• Fixed IKEv2 EAP Identity/Client ID matching so that it is strictly performed, to avoid users getting incorrect per-user settings #9055
• Fixed handling of RADIUS server names containing a . in the IPsec configuration with strongSwan 5.7.1 #9106
• Updated AWS IPsec wizard to use EC2 instance profiles and security groups, and switched the wizard from OpenBGPD to FRR
Interfaces/VIPs
• Fixed issues with DHCP client MTU causing interface configure loops when advanced options are present #8507
• Fixed issues with the Hyper-V hn(4) driver and ALTQ #8954
• Fixed issues with Hyper-V hn(4) interfaces dropping UDP6 traffic when transmit checksums were enabled #9019
• Fixed an issue with IGMP proxy failing to start on PPPoE interfaces #8935
• Fixed an issue with IPv6 Transmit checksums not being disabled when hardware checksums were set to be disabled #8980
• Updated mpd to 5.8_8 to address issues with Orange MTU #8995
• Fixed PPPoE service name checks to allow : and other alphanumeric characters #9002
• Fixed PHP errors when creating QinQ entries #9109
• Fixed the MAC address shown when editing a LAGG entry to always show the hardware MAC for each NIC and not the currently active address, which is no longer accurate for LAGG members #8937
• Fixed a PHP error when setting an interface address to act as a DHCP server from the console, when no other DHCP servers are already configured #9144
• Fixed a situation where editing a VLAN interface caused all other VLAN interfaces with the same parent to be reconfigured, which led to several other issues #9115
Warning: Editing a VLAN parent interface can still cause problems. If this becomes an issue on a firewall, consider moving from using the untagged parent to having that traffic be tagged so that the parent interface is not assigned or in use. #9154
Known issues include:
– PPPoE instances on VLANs will not reconnect after the interface is reconfigured #9148
– VLAN interfaces that use IPv6 tracking may lose their addresses #9136
Hardware/Platform
• Fixed handling of EFI console when a device boots from UEFI, where vidconsole is not valid #8978
• Fixed PHP errors in switch configuration on platforms including integrated switches
• Added support for SG-5100 hardware watchdog
Note: Enable the Watchdog daemon under System > Advanced on the Miscellaneous tab, and then reboot and enable it in the BIOS with a timeout longer than the timeout configured in the GUI.
User Management / Authentication
• Fixed handling of privileges on the All group that were previously ignored #9051
Warning: Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before
• Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection #8864
• Added an option to enable SSH agent forwarding (disabled by default) #8590
• Fixed inconsistencies with ssh settings in the configuration #8974
• Fixed PHP errors with ssh settings #8606
• Added support for LDAP client certificates on authentication servers (Factory only) #9007
• Fixed an issue with Local Database authentication when using non-English languages in certain cases, such as with Captive Portal #9086
Captive Portal
• Fixed Captive Portal RADIUS NAS Identifier default values to include the zone name #8998
• Restored the ability to set a custom NAS Identifier on Captive Portal RADIUS settings #8998
• Fixed issues with Captive Portal logout popup #9010
• Fixed handling of the login page displayed when RADIUS MAC Authentication fails #9032
• Fixed username sent in RADIUS accounting with MAC-based authentication #9131
• Fixed an issue with the blocked MAC address redirect URL #9114
WebGUI / Dashboard
• Fixed nginx restart handling when toggling GUI web server options under System > Advanced, Admin Access tab
• Fixed empty crash reports after upgrade #8915
• Added CDATA protection to common name fields so they can safely contain international characters #9006
Firewall Rules / Aliases / NAT
• The filterdns daemon has been rewritten, solving a number of issues with the old implementation, including:
– Fixes filterdns triggering every 16 seconds even when DNS records have not changed #7143
– Fixes invalid FQDN entries in aliases causing an alias table to fail silently #8001
– Fixes filterdns failing on a regular basis #8758
• Fixed /etc/rc.kill_states not correctly parsing pfctl output #8554
• Fixed formatting of alias names to still wrap but not replace underscores #8893
• Fixed PHP errors from filter_rules_sort() when a configuration contains no rules #8993
• Fixed PHP errors when creating schedules #9009
• Fixed PHP errors when creating entries on NAT pages #9080
• Fixed PHP errors from easyrule when no aliases are present #9119
• Fixed “Drag to reorder” description in rule list when rule drag-and-drop is disabled #9128
Traffic Shaping (ALTQ/Limiters)
• Fixed issues with Limiter queue display on upgraded configurations #8956
• Fixed the default limiter scheduler to match previous version (WF2Q+) #8973
• Added scheduler information to the limiter information page #8973
Packages
• Fixed issues with package installation causing problems when crossing major PHP versions #8938
• Fixed PHP errors when installing packages #9067
Backup/Restore
• Added schedule (cron) support to AutoConfigBackup #8947
• Fixed issues with AutoConfigBackup restoring a configuration from a different host #8901
• Fixed the AutoConfigBackup menu from the deprecated package still showing when the package is no longer present #8959
• Fixed an issue with Reinstall Packages hanging when run from Diagnostics > Backup & Restore #8933
• Fixed issues with multiple <rrddata> tags in config.xml #8994
• Fixed a race condition in package operations after a configuration restore that could lead to no packages being reinstalled #9045
• Fixed issues with the External Config Locator not finding a config.xml in /config #9066
• Fixed an issue where packages may not be reinstalled during a configuration restore performed immediately after a fresh install #9071
• Fixed a stream_select() error when restoring packages #9102
Wake on LAN
• Fixed issues with ordering of entries in Wake on LAN #8926
• Added top control buttons to Wake on LAN for Add and Wake all Devices when there are more than 25 entries #8943
NTP
• Fixed issues with NTP status when using noquery in the default permissions along with a specific ACL for localhost #7609
Logging / Notifications
• Fixed an issue with log file sizes >= 2^32/2 #9081
• Fixed PHP errors when saving log settings #9095
• Added a checkbox to disable TLS certificate verification for SMTP notifications #9001
Install/Upgrade
• Added a FAT partition to the installer memstick to make it easier to restore a config.xml file during the install process. Also includes a copy of the license and a README. #9104
• Fixed PHP errors in upgrade code for IPsec #9083
Miscellaneous
• Fixed HTTPS proxy authentication support for connections on the firewall itself #9029
• Clarified wording of Kernel PTI options on System > Advanced, Miscellaneous tab #9026
• Added a Save button to Status > Traffic Graphs to store default settings to use when loading the page #8976
• Added support for nvme controllers to the S.M.A.R.T. diagnostics page #9042
2.4.4 New Features and Changes
Significant Changes
OS Upgrade
    Base Operating System upgraded to FreeBSD 11.2-RELEASE-p3. As a part of moving to FreeBSD 11.2, new hardware support is included for C3000-based hardware.
PHP 7.2
    PHP upgraded to 7.2, which required numerous changes to syntax throughout the source code and packages.
Routed IPsec (VTI)
    Routed IPsec is now possible using FreeBSD if_ipsec(4) Virtual Tunnel Interfaces (VTI). #8544 (See also: Routed IPsec (VTI))
IPsec Speed Improvements
    The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware #8772
Default Gateway Group
    The default gateway may now be configured using a Gateway Group setup for failover (each gateway on a different tier), which replaces Default Gateway Switching. #8187
Limiter AQM/Queue Schedulers
    Limiters now include support for several Active Queue Management (AQM) methods and Queue Scheduler configurations such as FQ_CODEL. #6620 (See also: pfSense PR #3941)
Certificate Subject Requirements
    The Certificate Manager and OpenVPN wizard now only require the Common Name to be set, and all other fields are optional. #8381
AutoConfigBackup is free!
    AutoConfigBackup now integrated and free for all to use. (See also: Using the AutoConfigBackup Service)
DNS over TLS
    The DNS Resolver now includes support for DNS over TLS as both a client and a server, including for domain overrides. #8388 #8030 #8431
Captive Portal Authentication
    Captive Portal authentication is now integrated with the User Manager system. Captive Portal instances may now use RADIUS, LDAP, or Local Authentication like other integrated services. The firewall will migrate existing Captive Portal RADIUS settings to the User Manager automatically on upgrade.
Captive Portal HTML Design and Usability
    The default Captive Portal page has been redesigned. Controls have also been added which allow for the logo and background images and Terms of Service text to be customized without editing and uploading custom HTML code. #8793
Integrated Switch Improvements
    Netgate devices with integrated switches such as the SG-3100 and XG-7100 can now configure per-port speed and duplex settings, discrete port configuration interfaces can now be tied to switch ports for up/down status, and LAGG support is also now available (Load Balance mode only)
Security
• FreeBSD SA for CVE-2018-6922: Resource exhaustion in TCP reassembly FreeBSD-SA-18:08.tcp
• FreeBSD SA for CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault (L1TF) Kernel Information Disclosure FreeBSD-SA-18:09.l1tf
• FreeBSD SA for CVE-2018-6923: Resource exhaustion in IP fragment reassembly FreeBSD-SA-18:10.ip
• FreeBSD SA for CVE-2018-14526: Unauthenticated EAPOL-Key Decryption Vulnerability FreeBSD-SA-18:11.hostapd
• FreeBSD SA for CVE-2018-6924: Improper ELF header parsing FreeBSD-SA-18:12.elf
• FreeBSD errata notice for LazyFPU remediation causing potential data corruption FreeBSD-EN-18:08.lazyfpu
• Fixed a potential XSS vulnerability via GUI rule separators pfSense-SA-18_06.webgui #8654
• Fixed a potential XSS via custom GUI/dashboard settings pfSense-SA-18_07.webgui #8726
• Fixed a potential authenticated ACE vulnerability pfSense-SA-18_08.webgui #8843
• Upgraded strongSwan to 5.6.3 to address a buffer underflow leading to denial of service (CVE-2018-5388) #8746
• Updated default cryptographic settings for OpenVPN, IPsec, and Certificates #8594
• Changed the included DH groups to those defined in RFC 7919 #8582
• Added stronger IPsec Pre-Shared Key usage warnings, and a button to generate a secure PSK #8667
• Disabled OpenVPN compression by default on new instances for security reasons due to VORACLE – Users should strongly consider disabling compression on OpenVPN instances if they pass unencrypted data such as HTTP to arbitrary Internet sites #8788
• Patched OpenSSH for CVE-2018-15473, username enumeration/disclosure through malformed packets.
• Changed from sshlockout_pf to sshguard for monitoring failed logins and locking out offenders, this allows the lockout to work on IPv4 and IPv6 and also terminates states when adding offenders to the block list #7694 #7695
Errata
Warning: Third party packages from alternate repositories are causing problems for users with the upgrade process and also with post-upgrade behavior. These packages have never been supported, and had to be manually added by users outside of the GUI.
Due to the major changes required for FreeBSD 11.2 and PHP 7.2, third party packages from alternate repositories cannot be present during the upgrade. There is no way to predict if a third party package supports the new version or will cause the upgrade itself to fail.
The upgrade process will automatically remove pfSense-pkg-* packages installed from alternate repositories. After the upgrade completes, the user can reinstall these packages. Packages from alternate repositories will not appear in the Installed Packages list in the GUI, and must be entirely managed in the command line.
This change does not affect packages installed from the official pfSense® package repository.
• Removed options for the deprecated FEC LAGG Protocol #8734
Certificates
• Changed the Certificate Manager and OpenVPN wizard to only require the Common Name for the CA/Cert subject #8381
• Updated default cryptographic settings for Certificates #8594
• Added support for OCSP Must-Staple certificates in the GUI (and ACME package) #8418
• Changed CRL support from using an abandoned PHP OpenSSL module patch to a pure PHP implementation compatible with PHP 7.2 #8762
• Fixed issues with several areas not properly parsing CA fields when they were not in the expected order #8801
• Changed the default CA and Certificate create action from “Import...” to “Create an internal...” #8851
DNS
• Added DNS over TLS for upstream forwarders to the DNS Resolver #8388
• Added DNS over TLS server support to the DNS Resolver #8030
• Added DNS over TLS options for DNS Resolver Domain Override #8431
• Fixed editing DNS Resolver ACLs in non-English languages #8539
• Added a DNS Resolver status page #8430
• Clarified that “Register DHCP leases in the DNS Resolver” only works for IPv4 addresses #8592
• Added IPv6 representation of IPv4 addresses in DNS Resolver DNS Rebinding checks #8750
• Fixed disabling the DHCP Server on interfaces when the DNS Resolver DHCP Registration option is enabled (Only one enabled interface is required) #8120
• Added advanced option for qname-minimization to the DNS Resolver #8028
• Fixed an issue with IDs when editing or deleting DNS Forwarder host override entries #8767
Dynamic DNS
• Added Dynamic DNS client for DigitalOcean DNS #8478
• Fixed Dynamic DNS clients usage of custom check IP services #8664
• Added Dynamic DNS client for Azure #7769
• Updated DNSimple Dynamic DNS client to use DNSimple API v2 #8071
• Fixed handling of username and password fields for custom Dynamic DNS entries #8782
Routing/Gateways
• Added the ability to set a Gateway Group as the default gateway. #3781 #8187
• Extended the maximum Gateway monitoring Probe Interval #8593
• Fixed handling of Gateway Group Trigger Level #8586
• Fixed inconsistency in display and usage of units for Gateway latency #8477
• Upgraded FRR to 5.0.1 for compatibility with FreeBSD 11.2 #8449
• Fixed FRR BGP MD5 support #8407
• Fixed handling of Router Advertisement preferences #6237
IPsec
• Added routed IPsec using FreeBSD if_ipsec(4) VTI #8544
• Added a GUI option to the IPsec Advanced Settings tab for Asynchronous Cryptography which can dramatically improve IPsec crypto operation performance on multi-core hardware #8772
• Added IPsec identifiers to Status > IPsec #8598
• Fixed a JavaScript variable issue in IPsec IKE Phase 1 causing the Key Length field to be blank in some browsers such as IE #8543
• Added IPsec mobile client options to configure different (virtual) IP addresses per user #8292
• Added IPsec mobile client options to configure different DNS servers per user #8644
• Updated default cryptographic settings for IPsec #8594
• Changed the default behavior of an IPsec Phase 1 to rekey as needed #8540
• Fixed handling of per-user IPsec rules from an authentication server #8765
• Added warnings and hints to IPsec encryption and hash choices about potentially insecure selections #8766
• Fixed an issue with handling IP Alias VIPs with CARP parent after an interface up/down event #8768
OpenVPN
• Disabled compression by default for new OpenVPN client and server instances for security reasons #8788
• Changed OpenVPN Authentication to use an asynchronous authentication plugin which avoids stalling server traffic during the authentication process, especially noticeable on down/broken authentication servers #7905
• Fixed display of Bridge Route Gateway options on OpenVPN tap bridge servers #8658
• Fixed handling of LDAP fields in the OpenVPN wizard and brought the options in line with current LDAP server options #8605
• Updated default cryptographic settings for OpenVPN #8594
• Added missing OpenVPN compression options (stub-v2 and plain compress) #8788
DHCP Server
• Fixed validation of custom DHCP options #8534
• Fixed a situation where DHCPv6 was configured for LAN when the LAN interface was not assigned #8048
• Fixed an issue with XMLRPC synchronization of DHCP static mappings #8721
Interfaces / VIPs
• Removed IPv4 and IPv6 settings from the Interface configuration for assigned OpenVPN/GIF/GRE/Routed IPsec instances, since the IP addresses are managed by the parent configuration, not interfaces.php #8687
• Fixed an HTTP_REFERER issue when changing the LAN IP address in the Setup Wizard #8524
• Fixed an HTTP_REFERER issue when changing an interface IP address while accessing the GUI from the same
interface #8822
• Fixed handling of the FreeBSD 11.2-BETA dhclient MTU value #8507
• Added PPPoE multi-link over single link to allow users with a supported provider to have a larger MTU #8737
• Fixed a PPPoE MTU issue with ORANGE FR #8595
• Fixed QinQ interface assignment #8446
• Fixed radvd/IPv6 when using a LAN bridge #8429
• Fixed deleting IP Alias VIPs outside an interface subnet where a gateway exists in the same subnet #4438
• Fixed handling of IP Alias and CARP VIP subnet mask/prefix autodetection #8741
• Fixed a panic in IPv6 fragment logging #8499
• Fixed handling of DHCP option 77 in the DHCP client #7425
• Fixed deleting Interface Group members which are disabled #8800
• Fixed MAC address spoofing for bridge interfaces #8138
• Fixed an issue with string termination when creating interfaces through the pfSense PHP module #8683
• Fixed an issue where changing a LAGG could cause a VLAN using that LAGG as a parent interface to lose its
association with the LAGG #8527
Integrated Switches
• Added GUI controls to configure LAGG on integrated switch ports (Load Balance mode only)
• Added GUI controls to configure Speed/Duplex for switch ports on integrated switches
• Added the ability to tie the status of an assigned VLAN interface to a switch port for integrated switches
• Added Switch Status to status.php for platforms with a switch #8525
• Fixed an issue switching between Port VLAN and 802.1q VLAN mode on integrated switches #8422
• Fixed an SNMP error on hardware with integrated switches #8600
• Added Preserve Switch Configuration option when restoring config.xml to keep the current active switch
settings instead of those from the imported configuration to help with hardware transitions
Hardware/Platform
• Added support for the new SG-5100
• Fixed an issue with ARM hardware not completely halting when shut down (SG-3100 and SG-1000)
• Fixed HDMI hotplug issues on Minnowboard Turbot hardware (MBT-2220 and MBT-4220)
• Fixed SG-1000 autonegotiation for 10baseT speed and duplex #7532
User Management / Authentication
• Added a visible warning to the user when default password has not been changed #8596
• Fixed configuration descriptions for user management operations and added logging #8548
• Fixed escaping of LDAP search parameters #8626
• Fixed an OS issue with adding a group to a user when creating the user #8553
• Fixed handling of LDAP bind credentials #8583
• Removed some legacy code from auth.inc #8742
• Fixed Group selections after an input error in the User Manager #8622
• Fixed inconsistent usage of sshdkeyonly in system_advanced_admin.php #8403
• Added SSH configuration option to require both Key and Username+Password authentication at the same time
#8402
• Replaced radius.inc by pear-Auth_RADIUS #7024
• Fixed synchronization of User Manager group scope and operating system groups #7013
• Fixed logging and display of GUI user authentication source IP address when the user logs in through a proxy
#8813
• Fixed logging and display of GUI user authentication sources to show what source authorized the login (e.g.
LDAP, RADIUS, Local, Fallback) #8816
Captive Portal
• Integrated Captive Portal authentication into the User Manager to enable support for LDAP #5112
• Updated Captive Portal HTML/CSS to a modern design and added controls to customize images and ToS without
uploading custom HTML #8793
• Fixed deleting Allowed Hostnames and Allowed IP Addresses entries in Captive Portal when a zone is disabled
#8530
• Added support for setting Captive Portal traffic quotas #8202
• Added display of a custom username when Captive Portal is set to None for the authentication type #8361
• Changed handling of Called-Station-Id/Calling-Station ID to send a MAC address instead of IP address when
using RADIUS authentication #4294
• Changed to a standardized NAS-Identifier when using RADIUS authentication #3686
• Corrected accounting updates not being sent when expected #8655
• Fixed an issue with XMLRPC synchronization of Captive Portal settings #8806
WebGUI / Dashboard
• Enabled HTTP2 for the Web GUI server #8552
• Updated the text and links in the HTML footer #8733
• Fixed display of available swap with multiple swap disks in the System Information Dashboard widget #8587
• Updated text in the Setup Wizard #8753
• Moved the simplepie RSS reader code to a FreeBSD port for easier updates #6998
• Fixed handling of the Inverse option in the Traffic Graphs Dashboard Widget #8367
• Fixed issues with the GUI following upgrade progress #8519
• Added a line to display the current GUI user viewing the Dashboard in the System Information Widget #8817
Firewall Rules / NAT / Shaping
• Added CoDel, FQ-CoDel, PIE and FQ-PIE AQMs to limiters #6620
• Fixed firewall ruleset errors related to VIPs and outbound rules #8518 #8408
• Added validation for IPv6 NPt input #8575
• Fixed a race condition in NAT reflection filter rules that could lead to a ruleset load failure #8604
• Fixed viewing the list of Port Forwards when a user only has the “WebCfg - Firewall: NAT: Port Forward”
privilege #8563
• Fixed an issue with default field selection when editing Firewall Rules #8597
• Added code to prevent nested alias loops #8101
• Added interface groups support for NAT rules #1933
• Fixed a case where invalid IPv6 NAT rules could be generated #8437
• Fixed a case where IPv6 Neighbor Discovery and other similar valid messages sent from the unspecified address
(::) were not allowed by default #8791
• Added Select All functionality to firewall and NAT rules #8812
• Fixed IPv6 address form field format tooltip #8834
Packages
• Fixed situation where the firewall would get stuck attempting to reinstall packages after restoring a configuration
when there is no Internet connection #7604
• Added a new tag for package services, <starts_on_sync/>, to allow packages to declare that they start
themselves during the sync process, which lets packages opt out of a (second) forced start at boot and during
interface events #8850
See also: #8620
Miscellaneous
• Fixed display of stored Load Balancer custom settings #8704
• Fixed handling of loader.conf and loader.conf.local so it will not remove customized options that
override defaults #8571
• Fixed the restoration process for a config.xml from USB during install to remove RRD data so that the data
does not indefinitely stay in config.xml #7634
• Fixed handling of special characters in L2TP user passwords #7623
• Fixed handling of sample bounds with custom timer periods on Status > Monitoring #6477
• Changed the crash reporter so that users can download the reports locally rather than submitting to a server
#8764
• Added more redacted XML tags to status.php #8819
• Changed status.php to use ifconfig -va to show more detail, including attached SFP devices with certain
network interface drivers #8860
2.4.3-p1 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• FreeBSD SA for CVE-2018-8897 FreeBSD-SA-18:06.debugreg
• FreeBSD EN for CVE-2018-6920 and CVE-2018-6921 FreeBSD-EN-18:05.mem
• Fixed a potential LFI in pkg_mgr_install.php pfSense-SA-18_04.webgui #8485
• Fixed a potential XSS in pkg_mgr_install.php pfSense-SA-18_05.webgui #8486
Misc
• Added a check to avoid creating route-to rules for proxy ARP addresses
• Corrected alias name input validation text referring to well-known and registered ports #8409
• Corrected the list of pf reserved keywords to prevent aliases from using invalid custom names #8445
• Fixed an issue with Captive Portal access rules being left behind on disconnect #8441
• Fixed an issue with pressing Enter in the filter field of diag_pftop.php #8494
• Fixed an issue with invalid rules generated due to the presence of IPv6 Alias VIPs #8408
• Fixed an issue with IPsec mobile Pre-Shared Keys and iOS devices #8426
• Fixed an issue with selecting a gateway when switching a firewall rule away from IPv4+IPv6 mode #8447
• Fixed firewall rules generated by the OpenVPN wizard #8391
• Fixed handling of OpenVPN RADIUS attribute firewall rules #8480
• Fixed handling of XMLRPC user/group synchronization when that section is disabled on the primary #8450
• Fixed input validation to allow named services to be used in firewall rules rather than numbers alone #8410
• Fixed issues with IP alias VIPs on Localhost at boot time #8393
• Increased the default Firewall Maximum Table Entries value to 400000 to cope with the increased size of the
IPv6 bogon address lists #8417
• Updated SimplePie RSS to 1.5.1 #8423
• Added more fields to the list that status.php uses to redact private information #8394
2.3.5-p2 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• FreeBSD SA for CVE-2018-8897 FreeBSD-SA-18:06.debugreg
• FreeBSD EN for CVE-2018-6920 and CVE-2018-6921 FreeBSD-EN-18:05.mem
• Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
• Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
• Fixed a potential LFI in pkg_mgr_install.php #8485 pfSense-SA-18_04.webgui
• Fixed a potential XSS in pkg_mgr_install.php #8486 pfSense-SA-18_05.webgui
• Changed sshd to use delayed compression #8245
• Added encoding for firewall schedule range descriptions #8259
Misc
• Added an option to disable HSTS for the GUI web server #6650
• Added filtering to pfTop page
• Added ospf6d to the routing log
• Change get_interface_subnet() to use configured value if available
• Corrected sethelp call on firewall_rules_edit.php #8242
• Fixed an issue with selecting a gateway when switching a firewall rule away from IPv4+IPv6 mode #8447
• Fixed an issue with the address family selection for remote syslog servers using IPv6 #8323
• Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP
address #8239
• Fixed config.xml corruption handling
• Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275
• Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
• Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
• Fixed selection of IPv6 gateways when creating a new firewall rule #8053
• Fixed various pf “busy” errors when the ruleset is reloaded
• Improved handling of aliases that mix IP addresses and FQDNs #8290
• Improved update repository controls
• Increased the default Firewall Maximum Table Entries value to 400000 to cope with the increased size of the
IPv6 bogon address lists #8417
2.4.3 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• FreeBSD-SA-18:01.ipsec
• Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
• IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
• Added a CPU Microcode update mechanism (cpuctl module, sysutils/devcpu-data port)
• Imported a FreeBSD patch to fix boot issues when running as a hypervisor guest on AMD Family 15h processors
(FreeBSD PR #213155)
• Added validation for RRD parameters to ensure passed filenames are valid #8269
• Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
• Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
• Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
• Fixed a potential CSRF issue in service control request processing #8296
• Enabled CSRF protection for all dashboard widgets #8301
• Added encoding for firewall schedule range descriptions #8259
• Changed sshd to use delayed compression #8245
• Increased PHP-FPM resources on systems with over 1GB RAM to improve performance #8125
• Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, especially on the
Dashboard #8237
• Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249
• Hardware support for the XG-7100, including:
– C3000 NIC support (factory installations only)
– C3000 SoC support (factory installations only)
– Marvell 88E6190 switch support (factory installations only)
Traffic Shaping / Limiters
• Fixed hangs due to Limiters and pfsync in HA #4310
• Added the Chelsio cxl driver to the list of ALTQ capable interfaces #7607
• Fixed an issue with limiters that had fractional bandwidth values #8091
• Changed status_queues.php to provide ‘realtime’ statistics #8185
IPsec
• Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections
to either address family #6886
• Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and
DH groups #8186
• Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP
address #8239
• Added IPv6 LAN Network to the IPsec LAN bypass list #8321
OpenVPN
• Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
• Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
• Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
• Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an
interface #6848
• Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
• Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
• Added the interface for a VPN to the OpenVPN client and server list screens
Notifications
• Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short
amount of time #4031
• Added a notification when the firewall boot sequence is complete #7643
Dashboard
• Fixed an issue where the IPsec dashboard widget caused a GUI failure #6318
• Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
• Fixed a reference to deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
• Added a setting to the temperature widget to display readings in Fahrenheit #8205
• Changed the picture widget so the picture is stored on the firewall filesystem and not in config.xml to reduce the
size of backup data #8371
– On upgrade, pictures will be moved out of config.xml, so back up this file separately if it is important
DHCP
• Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
• Added DDNS Client Updates option to DHCPv4 #7131
• Fixed handling of the DHCPv6 DDNS reverse zone key #6319
• Fixed DHCPv4 static mappings so that multiple MAC addresses for the same DHCP address or hostname are allowed #8220
• Fixed a potential issue in detecting primary/secondary node in a failover configuration
• Improved DHCP relay destination interface discovery
• Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database #7413
Dynamic DNS
• Added an option for RFC 2136 Dynamic DNS server key algorithm #8244
• Added an option for RFC 2136 source address used to send updates #8278
• Fixed issues with Dynamic DNS updates using a gateway group when the primary route is down #8333
• Added GoDaddy Dynamic DNS provider
Interfaces / VIPs
• Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
• Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
• Fixed issues with radvd being enabled on a disconnected interface #6974
• Fixed issues with rtsold on VLAN interfaces #7412
• Fixed issues with dhcp6c lock files after unclean shutdown when using “Do not wait for an RA” on IPv6 WAN
interface #8106
• Added a feature to allow pppoe on a CARP VIP so it will only be active on whichever node is master #8184
• Fixed an error when editing PPP interfaces on a system with no VIPs #8322
• Added VLAN priority tagging for DHCPv6 client requests #8200
• Added support for configuring the DUID type for an IPv6 interfaces #8191
• Allow custom INIT string for PPP modem SIM Pin and APN settings
• Added an indicator for disabled interfaces on status_interfaces.php
• Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
• Fixed an issue where the combination of CARP with bridging could lead to a deadlock #8056
Packages
• Fixed reinstall process for missing packages #8183
Captive Portal
• Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
• Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
• Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node
is master #8317
• Fixed Captive Portal voucher synchronization between HA nodes #7972
Certificates
• Fixed automatic SAN handling when the CN of a certificate contains a space #8252
• Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275
Gateways/Routing
• Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0
#7502
• Added ospf6d to the routing log
• Allow recursive aliases to be used with static routes
Rules/NAT
• Fixed various pf “busy” errors when the ruleset is reloaded
• Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings
#8219
• Added an option to disable drag-and-drop of firewall and NAT rules
• Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset
• Added firewall rule tracking ID to rule list (in counter tooltip) and firewall rule edit page #8348
• Fixed cases where automatic or scripted rules were not getting tracking IDs #8353
• Added a check to prevent automatic outbound firewall rules with missing information from being added to the
ruleset #8360
Users/Authentication
• Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes
#7469
• Fixed an issue where a user with no privileges could not logout #8297
• Increased maximum username length from 16 to 32 characters to catch up to the current allowed length in
FreeBSD
• Fixed required field markings on LDAP authentication server configuration fields #8337
• Fixed display of the LDAP host when testing the GUI authentication source #8338
Misc
• Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
• Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
• Fixed a reference to an undefined function while restoring a config.xml file from an older version #8231
• Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
• Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
• Fixed an issue with the address family selection for remote syslog servers using IPv6 #8323
• Silenced warnings from sysctl that otherwise went to stderr
• Added a disk size check to ZFS to prevent it from being used on disks which are too small to contain the OS and swap space #7308
• Added a check to prevent pfSense-upgrade from running as a non-root user #7762
• Added an option to disable the IGMP Proxy service #8356
• Fixed an issue with package handling when restoring a configuration that contains a branch configuration that is
not valid for the target system version #8208
2.4.2-p1 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• Updated OpenSSL to address CVE-2017-3737 and CVE-2017-3738 FreeBSD-SA-17:12.openssl
• Fixed a potential authenticated command execution issue in certificate data handling #8153 pfSense-SA-17_10.packages.asc
• Fixed a potential XSS issue in status_filter_reload.php #8143 pfSense-SA-17_11.packages.asc
Misc
• Fixed an issue with the subnet mask not being preserved properly when editing existing 1:1 NAT entries #8112
• Fixed an indexing issue when deleting Host Override entries from the DNS Forwarder #8159
• Fixed logging for L2TP and PPPoE server login/logout events #8164
• Removed ix from the ALTQ interface list since ALTQ support for the ix driver is not currently viable #7378
• Fixed a premature session timeout issue on pages which update exclusively using AJAX, such as status_graph.php #8116
• Fixed ping_hosts.sh so it does not unnecessarily run a CARP check when there are no IPsec hosts to ping #8172
• Fixed a missing global variable declaration in interface IP address detection
• Fixed issues with local authentication when using translated languages
2.4.2 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• Updated to OpenSSL 1.0.2m to address CVE-2017-3736 and CVE-2017-3735
• FreeBSD-SA-17:10.kldstat
• FreeBSD-SA-17:08.ptrace
• Fixed a potential XSS vector in status_monitoring.php #8037 pfSense-SA-17_07.packages.asc
• Fixed a potential XSS vector in diag_dns.php #7999 pfSense-SA-17_08.webgui.asc
• Fixed a potential XSS vector on index.php via widget sequence parameters #8000 pfSense-SA-17_09.webgui.asc
• Fixed a potential XSS in the widgetkey parameter of multi-instance dashboard widgets #7998 pfSense-SA-17_09.webgui.asc
• Fixed a potential clickjacking issue in the CSRF error page
Interfaces
• Fixed PPP interfaces with a VLAN parent when using the new VLAN names #7981
• Fixed issues with QinQ interfaces failing to show as active #7942
• Fixed a panic/crash when disabling a LAGG interface #7940
• Fixed issues with LAGG interfaces losing their MAC address #7928
• Fixed a crash in radvd on SG-3100 (ARM) #8022
• Fixed an issue with UDP packet drops on SG-1000 #7426
• Added an interface to manage the built-in switch on the SG-3100
• Trimmed more characters off the interface description to avoid console menu output line wrapping on a VGA console
• Fixed handling of the VIP uniqueid parameter when changing VIP types
• Fixed PPP link parameter field display when a VLAN parent interface was selected #8098
Operating System
• Fixed issues resulting from having a manually configured filesystem layout with a separate /usr slice #8065
• Fixed issues updating ZFS systems created using an MBR partition scheme (empty /boot due to bootpool not being imported) #8063
• Fixed issues with BGP sessions utilizing MD5 TCP signatures in routing daemon packages #7969
• Updated dpinger to 3.0
• Enhanced the update repository selection choices and methods
• Updated the system tunables that tell the OS not to harvest entropy from interrupts, point-to-point interfaces and Ethernet devices to reflect the new name/format for FreeBSD 11
• Changed ruleset processing so that it retries if another process is in the middle of an update, rather than presenting an error to the user
• Fixed some UEFI boot issues on various platforms
Certificates
• Fixed invalid entries in /etc/ssl/openssl.cnf (only affected non-standard usage of openssl in the cli/shell) #8059
• Fixed LDAP authentication when the server uses a globally trusted root CA (new CA selection for “Global Root
CA List”) #8044
• Fixed issues creating a certificate with a wildcard CN/SAN #7994
• Added validation to the Certificate Manager to prevent importing a non-certificate authority certificate into the
CA tab #7885
IPsec
• Fixed a problem using IPsec CA certificates when the subject contains multiple RDNs of the same type #7929
• Fixed an issue with enabling IPsec mobile client support in translated languages #8043
• Fixed issues with IPsec status display/output, including multiple entries (one disconnected, one connected)
#8003
• Fixed display of multiple connected mobile IPsec clients #7856
• Fixed display of child SA entries #7856
OpenVPN
• Added an option for OpenVPN servers to utilize “redirect-gateway ipv6” to act as the default gateway for
connecting VPN clients with IPv6, similar to “redirect-gateway def1” for IPv4. #8082
• Fixed the OpenVPN Client Certificate Revocation List option #8088
Traffic Shaping
• Fixed an error when configuring a limiter over 2Gb/s (new max is 4Gb/s) #7979
• Fixed issues with bridge network interfaces not supporting ALTQ #7936
• Fixed issues with vtnet network interfaces not supporting ALTQ #7594
• Fixed an issue with Status > Queues failing to display statistics for VLAN interfaces #8007
• Fixed an issue with traffic shaping queues not allowing the total of all child queues to be 100% #7786
• Fixed an issue with limiters given invalid fractional/non-integer values from limiter entries or passed to Captive
Portal from RADIUS #8097
Rules/NAT
• Fixed selection of IPv6 gateways when creating a new firewall rule #8053
• Fixed errors on the Port Forward configuration page resulting from stale/non-pfSense cookie/query data #8039
• Fixed setting VLAN Priority via firewall rules #7973
XMLRPC
• Fixed a problem with XMLRPC synchronization when the synchronization user has a password containing
spaces #8032
• Fixed XMLRPC Issues with Captive Portal vouchers #8079
WebGUI
• Added an option to disable HSTS for the GUI web server #6650
• Changed the GUI web service to block direct download of .inc files #8005
• Fixed sorting of Services on the dashboard widget and Services Status page #8069
• Fixed an input issue where static IPv6 entries allowed invalid input for address fields #8024
• Fixed a JavaScript syntax error in traffic graphs when invalid data is encountered (e.g. user was logged out or
session cleared) #7990
• Fixed sampling errors in Traffic Graphs #7966
• Fixed a JavaScript error on Status > Monitoring #7961
• Fixed a display issue with empty tables on Internet Explorer 11 #7978
• Changed configuration processing to use an exception rather than die() when it detects a corrupted configuration
• Added filtering to the pfTop page
• Added a means for packages to display a modal to the user (e.g. reboot required before package can be used)
Dashboard
• Fixed display of available updates on the Installed Packages Dashboard widget #8035
• Fixed a font issue in the Support Dashboard widget #7980
• Fixed formatting of disk slices/partitions in the System Information Dashboard widget
• Fixed an issue with the Pictures widget when there is no valid picture saved #7896
Packages
• Fixed display of packages which have been removed from the repository in the Package Manager #7946
• Fixed an issue displaying locally installed packages when the remote package repository is unavailable #7917
Misc
• Fixed interface binding in ntpd so it does not erroneously listen on all interfaces #8046
• Fixed a problem where restarting the syslogd service would make sshlockout_pf process orphans #7984
• Added support for the ClouDNS dynamic DNS provider #7823
• Fixed an issue in the User and Group Manager pages when operating on entries immediately after deleting an
entry #7733
• Changed the setup wizard so it skips interface configuration when run on an AWS EC2 Instance #6459
• Fixed an IGMP Proxy issue with All-multicast mode on SG-1000 #7710
2.4.1 New Features and Changes
Security / Errata
• Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK #7951
• Changed upgrade handling to use the pkg-static binary to prevent errors when moving to a new major FreeBSD version
• Fixed a VT console race condition panic at boot on VMware platforms (especially ESXi 6.5.0U1) #7925
• Fixed a bsnmpd problem that causes it to use all available CPU and RAM with the hostres module in cases
where disk drives are present without media inserted #6882
• Fixed an upgrade problem due to FreeBSD 11 removing legacy ada aliases, which caused some older installs to
fail when mounting root post-upgrade #7937
• Changed the boot-time fsck process to ensure the disk is mounted read-only before running fsck in preen mode.
Known Issues
• The VLAN changes mentioned in the Interfaces section may prevent PPP sessions from working on VLANs in
some cases, see #7981
Interfaces
• Changed the VLAN interface names to use the ‘dotted’ format of FreeBSD, which is shorter and helps to keep the interface name within the length limit (16). This fixes the 4-digit VLAN issue when the NIC name is 6 bytes long.
• Improved the ‘Assign Interfaces’ console process to automatically stop when there are no more interfaces to
assign
• Improved the ‘Set interface IP address’ console process to accept ‘IP/mask’ notation
• Fixed wireless client interfaces so they do not reconfigure wireless on a link up event, or else they can get stuck
in a loop #7960
• Fixed setting VLAN Priority in VLAN interface configuration #7748
Dashboard
• Fixed a problem with the Picture Dashboard widget when it does not have a picture defined #7896
• Fixed time display for UTC in the NTP Dashboard Widget #7714
• Fixed an IPsec widget error when it would get back null data after a session ended #6318
• Improved error checking to prevent dashboard widget parsing errors
DNS
• Added an option for the DNS Resolver (Unbound) to serve expired records from the cache after their TTL
expires which can improve speed in some cases #7814
• Fixed the DNS Resolver (Unbound) to allow snoop from localhost by default, otherwise “dig +trace” or “drill
-T” queries from the firewall itself fail #7884
XMLRPC
• Fixed XMLRPC Sync to prevent a lock that would never be unlocked
• Fixed XMLRPC sync to ensure a proper empty array is returned instead of NULL, so that the last item of a
section can be removed without error #7953
Misc
• Fixed Captive Portal voucher test and expire pages #7939
• Added UEFI 32 and UEFI 64 filenames defined inside a pool to dhcpd.conf #7949
• Fixed operation of the “Reset All States on WAN IP Change” GUI setting #7921
• Changed OpenVPN to retry client auth when it fails by default (auth-retry nointeract) #7506
• Changed the Cryptographic Accelerator module options to allow both the AES-NI and Crypto modules to be
loaded at the same time #7810
• Added URL fingerprinting to the login page CSS
• Added the device serial/id to the console and SSH menu banner #7968
• Fixed “Unknown Step Values” in certain RRD graph cases #6860
2.4 New Features and Changes
Operating System / Architecture changes
Warning: 32-bit support has been deprecated and removed – There are no images available for 32-bit
(x86/i386) Intel architecture systems
Warning: NanoBSD has been deprecated and removed – There are no images available for NanoBSD, use a
full install instead
• Upgrade of base OS to FreeBSD 11.1-RELEASE-p1
• Added support for Netgate ARM-based systems such as the SG-1000
• Started using the FreeBSD installer instead of the old style installer (installation procedures have all changed)
– The installer now supports UEFI #4044
– If the new installer image will not boot on a specific piece of hardware, see Troubleshooting Boot Issues
– The installer now supports ZFS
– Added support to the new installer to copy an existing config.xml off an MS DOS formatted USB drive
(formerly known as “PFI”) #7689
– Added support to the new installer to optionally recover config.xml off an existing installation drive (works
with UFS and ZFS) #7708
• Fixed issues with major version base upgrades via pkg
• Changed cryptodev to load as a kernel module #5976
Security / Errata
• Converted various parts of the GUI to use POST instead of GET when performing actions that change the
firewall state (e.g. delete or enable/disable an item) to avoid potential issues with cross-site request forgery and
unintentional repeating of actions #4083
• FreeBSD 11.1 includes MAP_GUARD protection to protect against attacks such as Stack Clash
• pfSense-SA-17_07.packages
• A number of base system packages have been updated to address security issues, including dnsmasq, perl,
cURL, and others.
Firmware Branch Behavior / Upgrading From Snapshots
• To control how a firewall obtains updates, visit System > Update, Update Settings tab
Known Issues
• Some systems may not be able to boot 2.4 installation images, for example, due to UEFI compatibility changes.
These are primarily BIOS issues and not issues with the installer images. Upgrading from 2.3.x should still
work on affected hardware.
• Users with ESXi or VMware Workstation may experience a boot-time crash during hardware detection, due to a
race condition in the FreeBSD VT console code. This crash is infrequent and does not affect most users or most
boot attempts, but since it is a race condition it can manifest randomly. To avoid the crash, configure the VM to
use the syscons console rather than vt by editing /boot/loader.conf.local and adding this line:
kern.vty=sc
Cleanup
• Misc code cleanup, removal of patches that were no longer necessary or were inefficient
• Replaced multiple local copies of PHP PEAR libraries with updated copies using their official sources #3734
– Notably, local static copies were replaced by their FreeBSD ports counterparts: pear, pear-XML_RPC2,
pear-Net_IPv6, pear-Crypt_CHAP, pear-Mail, pear-Net_Growl
– Code that relied on the old files was updated to use the current or replaced versions
• Removed all references to GLXSB (it was 32-bit only) #6755
• Removed all code in the builder and pfSense for handling the NanoBSD platform
• Removed all calls to conf_mount_rw / conf_mount_ro, since they were only required for NanoBSD
• Improved help text in various parts of the GUI
Wireless
• FreeBSD 11 contains an updated 802.11 stack with numerous improvements
Warning: Wireless interfaces must be created on the Wireless tab under Interfaces > Assignments before they
can be assigned! #6770
Firewall / Rules / NAT / Aliases
• Fixed issues with synproxy rules on a WAN/LAN style bridge #6769
• Fixed issues with limiters on rules that utilize NAT #4326
• Fixed issues with limiters used in conjunction with a transparent proxy or other local redirect rule #7050
• Fixed expansion of “Other” type VIP subnet entries in NAT destination drop-down selections #6094
• Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
• Fixed handling of “URL Table (IPs)” and “URL (IPs)” when the file is hosted on a server using HTTPS with a
self-signed certificate #4766
• Show firewall rule descriptions in a column when viewing the log on new installs, upgrades retain their existing
setting #7323
• Fixed firewall states showing a negative value for total bytes processed #7075
• Fixed handling of Port Forwards so they do not make up new destination information when configured against
a DHCP interface that does not currently have an address
• Fixed VLAN Priority pf syntax #7744
• Fixed a problem where pf scrub did not properly re-fragment unusual but valid IPv6 fragments, resulting in
overlapping fragments #7485
• Fixed confirmation prompt handling when deleting a firewall state from diag_dump_states.php #7827
• Changed display of 1:1 NAT rules to match other firewall pages #7728
Traffic Shaping
• Added extra warnings to traffic shaping pages when the firewall has no interfaces capable of using ALTQ shaping
#7032
• Fixed handling removal of shaping rules when deleting an interface #7231
• Added upgrade code to work around broken shaper rules from older wizard code #7434
• Fixed the Traffic Shaper so it shows interface names for disabled interfaces, rather than an ‘empty’ placeholder.
• Fixed handling of the priority field for different ALTQ shaper types
OpenVPN
• Upgraded OpenVPN to 2.4.x. #7054
– This is a significant upgrade which includes support for a wide variety of new features, including AEAD
ciphers such as AES-GCM.
– AES-GCM can be accelerated by AES-NI, and is supported in SSL/TLS modes (not shared key) #7068
– Added support for TLS Encryption as an optional TLS Key usage type. This encrypts the control channel,
providing privacy and protocol obfuscation #7071
– Added ECDH options to OpenVPN server and client options (“ECDH Only” choice for DH, ECDH Curve
selection) #7063
– Restructured the compression options to include LZ4 support and the new “compress” directive which
replaces “comp-lzo” which has been deprecated. The old options remain for now, but are labeled “Legacy”
#7064
– Changed protocol selection for OpenVPN clients and servers because OpenVPN 2.4 treats “udp” and “tcp”
as dual stack now #7062
* Added “multihome” option in relevant protocol cases so OpenVPN will reply back using the address
used to receive a packet #7062
– Changed the DNS Server fields in the OpenVPN server options so they can define either IPv4 or IPv6 DNS
servers to push to clients #7061
– Added IPv6 support to status_openvpn.php and the OpenVPN widget #2766
– Removed uses of the deprecated “tun-ipv6” OpenVPN directive, OpenVPN now always assumes IPv6 is
enabled #7054
– Replaced uses of the deprecated “client-cert-not-required” directive with its functional replacement
“verify-client-cert none” #7073
– Added support for Negotiable Crypto Parameters (NCP) to control automatic cipher selection between
clients and servers #7072
Note: OpenVPN 2.4 handles CRL verification differently than previous versions, passing through validation
to the library rather than handling it internally. This can cause some certificates to fail validation that may have
passed previously. In particular, if a certificate is removed from a CRL, it may still fail validation until all copies
of the CRL have been rewritten.
• Improved the help text on OpenVPN Client-Specific Overrides #7053
• Fixed issues with OpenVPN clients on dynamic or tunneled IPv6 interfaces (e.g. GIF) #6663
• Added locking to prevent issues with OpenVPN instance startup #6132
• Check OpenVPN server/client option visibility changes per mode #7331 #7451
• Added an OpenVPN GUI option for “fast-io” to clients and servers #7507
• Added an OpenVPN GUI Option for “sndbuf” and “rcvbuf”, using the same value for both #7507
• Removed references to the defunct OpenVPN client manager port #7568
• Removed references to unused “Address Pool” setting in OpenVPN #7567
• Fixed OpenVPN server port validation to disallow “0”, while still allowing it for a client port, which is the same
meaning as blank/empty #7565
• Fixed OpenVPN help text for route_no_exec #7575
• Fixed description of the address assignment behavior for Tunnel Network fields in OpenVPN clients and servers
#7573
• Removed the GUI option for “resolv-retry infinite” from OpenVPN, it is always enabled #7572
• Fixed the OpenVPN wizard so it better handles a user choosing a different type of authentication server than a
previous run of the wizard #7569
• Fixed OpenVPN Auth Digest Algorithm selection so it does not use duplicate/alias names in the list, and added
upgrade code to fix existing entries on upgrade so they use the actual digest name and not an alias #7685
• Fixed show/hide behavior of fields on vpn_openvpn_client.php in chrome #7451
• Changed OpenVPN wizard certificate input validation and encoding so it matches the standards of the current
certificate manager #7854
• Fixed the OpenVPN wizard so it creates an OpenVPN server instance using current proper defaults #7864
IPsec
• Upgraded strongSwan to version 5.6.0
• Changed the default strongSwan logging levels such that IKE SA, IKE Child SA, and Configuration Backend
all default to “Diag” #7007
• Added an option to set the Rekey Margin for IPsec tunnels in the Phase 1 settings
• Added RADIUS accounting support for mobile IPsec when accounting is enabled on the Authentication Server
entry
• Added checks to prevent simultaneous/repeated calling of vpn_ipsec_configure() by /etc/rc.newipsecdns
• Added DH Groups 22, 23, 24 to IPsec Phase 2 selection for compatibility, but they should not normally be used
for security reasons #6967
Certificate Management
• Added a check to ensure that the public key of the Certificate matches its private key when importing Certificate
Authority and Certificate entries to prevent mismatching keys from being imported #6953
• Fixed error handling when creating a Certificate from the User Management section, failed actions will no longer
fail silently #6953
• Fixed handling of Certificates generated from an imported CA when no starting serial number was set #6952
• Fixed handling of Certificate Authority deletion so that it does not remove associated certificates #6947
• Added “in-use” testing for Certificate Authority entries and disabled the delete action for CAs which are actively
in use #6947
• Fixed choosing an existing user certificate when adding a certificate to an existing user #7297
• Added the ability for the certificate manager to sign a CSR using an internal CA #7383
• Added the ability to set the certificate type and SAN attributes in a Certificate Signing Request #7527
• Restructured how certificate types and SANs are handled in the cert manager when making a Cert/CSR/Signing,
so each section can properly use the controls #7527 #7677
It is now possible to add SANs and EKUs to certificates when signing using the certificate manager
Note: Attributes such as SANs and KU/EKU cannot be copied from a CSR when signing due to a deficiency
in OpenSSL’s x509 functions (they do not support “copy_extensions” at this time); These attributes must be
specified manually when signing
• Fixed “server” certificate detection to key off of the EKU for “TLS Web Server Authentication” since nsCertType
has been deprecated
• Added SAN, KU, and EKU information in an info block for each entry in the certificate list #7505
• Added the ability to use a wider range of characters in certificate fields as laid out by RFC 4514 #7540
• Added a useful error message when there is no private CA with which to create a new user certificate from
within the user manager #7585
• Fixed the User Manager so it adds the username as the first SAN when making a user certificate at the same
time a user is created #7666
• Added another possible Certificate Signing Request Armor string when validating on import #7383
Dynamic DNS
• Fixed response parsing for DNSimple Dynamic DNS #6874
• Fixed handling of password in Dynamic DNS entries to allow special characters #6688
• Changed CloudFlare and GratisDNS to use separate hostname and domain entry to handle TLDs with multiple
components #6778
• Fixed the Save and Force Update button for RFC2136 Dynamic DNS #7291
• Fixed RFC2136 Dynamic DNS updates at boot time #7295
• Added the ‘local’ directive to RFC2136 Dynamic DNS so updates are sourced correctly #7446
• Fixed options text and display for IPv4 DNS and Verify SSL on Dynamic DNS clients #7588
• Fixed issues with Dynamic DNS entries utilizing gateway groups for their interface #7719
• Added DreamHost Dynamic DNS support #7321
DHCP Server / Relay
• Fixed handling of DHCPv6 lease status when there are no leases #6717
• Fixed issues with DHCP Relay not working #6658
• Added input validation to prevent the DHCP server from being configured on interfaces that do not have enough
addresses for clients (/31, /32) #6930
• Fixed issues with the DHCP Relay options display getting out of sync with checkbox settings #7155
• Fixed static DHCP lease edits updating BIND zones #3710
• Fixed checks for DHCP Relay when editing additional DHCP pools
• Fixed handling of forced Dynamic DNS hostnames for DHCPv6 static mappings #7324
ARP / NDP
• Fixed static ARP handling when creating or editing DHCP static mappings #6821
• Added error checking for static ARP entries to ensure both an IP address and MAC address are entered, and to
ensure that both exist before an entry is applied #6969
• Improved the detail displayed on the ARP table view #6822
• Added an expiration field to the NDP list
Captive Portal
• Adapted Captive Portal to work without multi-instance ipfw patches #6606
• Fixed Captive Portal instances to select “No Authentication” for a zone by default, since it is the default behavior
#7591
• Fixed links to the Captive Portal MAC management page so they include the zone name #7591
XMLRPC
• Switched to pear-XML_RPC2 and removed the outdated static client files
• Fixed handling of XMLRPC sync using a username other than “admin” #809
Routing/Gateways
• Removed “route change” patches and updated code that relied on the deprecated behavior #6828
• Fixed handling of default routes when a default gateway is removed or disabled #6659
• Fixed discovery of IPv6 gateway for assigned OpenVPN interfaces #6016
• Fixed issues with a missing default gateway/route on certain PPPoE links after reconnect or IP address change
#6495
• Fixed some ‘route: writing to routing socket: Invalid argument’ warnings during boot time
• Added a log message for gateway events that shows that an alarm was raised/cleared
• Added a check to not run dpinger when an IPv6 address has the tentative flag even after the timeout
• Added a delay to allow dpinger time to properly initialize before using results
Interfaces / Virtual IP Addresses
• Removed Device Polling as it was no longer useful #7021
• Improved stability of the igb(4) driver #7149 #7166
• Fixed handling of rc.newwanipv6 when run from dhcp6c so it only runs when required and not for any change
#7145
• Fixed handling of SIGTERM and SIGKILL in dhcp6c #7185
• Fixed dhcp6c not starting until an RA is received #5993
• Fixed a PPP service name error with certain providers, such as T-Mobile #6890
• Fixed 3G service status so it does not report misleading information #4287
• Added support for the IPv6 AUTO_LINKLOCAL flag on bridge interfaces
• Disabled DAD on stf interfaces to fix problems with dpinger
• Added an option to use static IPv6 over an IPv4 PPP parent (e.g. PPPoE) #7598
• Removed unused WINS code for L2TP #7559
• Improved L2TP Server DNS input validation #7560
• Added a test to disable internal L2TP users when activating RADIUS, to follow the behavior stated in the GUI
#7561
• Fixed L2TP section log shortcut #7564
• Fixed upgrade handling of wireless interfaces #7809
NTP
• Added support for the ntpd “pool” directive to make better use of servers in NTP pools #5985
• Fixed time display on the NTP widget to show server time #7245
• Added support for NTP to process PGRMF NMEA sentences (Garmin-specific) #7193
• Added an absolute offset statistic to NTP monitoring graph display #7548
User Management / Authentication
• Fixed delays during bootup when LDAP is enabled for user authentication #6367
• Added privileges to control which users can view and/or clear notices #7051
• Added an authentication cache mechanism for GUI authentication from a remote server (e.g. LDAP, RADIUS)
so the authentication is checked periodically (default: 30s) instead of on each page load #7097
• Added protocol selection (PAP, MD5-CHAP, MS-CHAPv1 and MS-CHAPv2) to RADIUS authentication server
options #7111
• Added the username to the page to display when adding user privileges #7586
• Standardized privilege page and sorting between users and groups #7587
• Added a log message if a user tries to save the configuration but has the ‘deny config write’ permission
• Added an “auth_check” type of simple test that a page can use to verify a user is logged in and has access, using
less CPU, which is better for AJAX data polling
• Fixed certificate chain verification issues with LDAP authentication using intermediate CAs #7830
• Fixed PHP errors when STARTTLS fails for LDAP authentication
Packages
• Fixed issues with snort, squid/clamav, and squidGuard when /var is in a RAM disk #6878
• Fixed handling of custom_php_deinstall_command during post-deinstall of a package #7401
• Changed package related calls to get_pkg_info() to use the new pkg metadata mechanism
Console / Menu
• Added options to the console reboot menu selection to reboot into single user mode or run filesystem checks
#6639
OS Upgrade
• Fixed issues when upgrading to 2.4 with a stale package .inc that caused a PHP error #6920
• Changed the upgrade script to use reroot instead of reboot for updates that do not include a new Kernel #6045
SNMP
• Added a workaround to prevent the hostres module from being used with bsnmpd on VMware Virtual Machines
that have a cd0 device, which caused 100% CPU usage #6882
Services
• Converted all mpd-based features (e.g. PPPoE and L2TP server) to MPD5 if they used an older version #4706
• Removed unused and non-functional SMART service handling and e-mail configuration #6393
• Fixed IGMP Proxy failing to recognize an upstream interface #6099
WebGUI
• Added support for multiple languages, currently that list includes:
– US English (Default), Bosnian, Chinese (Simplified, China), Chinese (Taiwan), Dutch, German, Norwegian
Bokmal, Polish, Portuguese (Brazil), Russian, Spanish, Spanish (Argentina)
• Changed the design of the login page for the WebGUI to a more modern style, with several color choices
available
• Added URL fingerprinting to JavaScript and CSS file references to improve client-side behavior when files
change between versions #7251
• Updated Logo to the new logo and made it a vectorized SVG image for better scaling
• Updated favicon to the new logo and added multiple sizes for different platforms
• Completed work to mark required fields on GUI pages #7160
• Fixed long hostnames overlapping the “time” title in the monitoring graphs #6138
• Fixed CIDR/Prefix selector handling for IPv4/IPv6 #7625
• Removed the Gold menu
• Fixed handling of info block content inside tables #7504
• Improved handling of PHP errors for user-entered PHP code on diag_command.php
• Fixed alignment of the IPv6 over IPv4 input fields #7128
• Optimized retrieval of Traffic Graph data to reduce spikes in the graphs and load on the firewall
• Fixed a problem with the traffic graphs not respecting the theme colors #6746
• Revised setup wizard wording and links
Dashboard
• Rewrote Dashboard AJAX updating in a centralized and optimized way to reduce load, improve accuracy, and
increase speed
• Added a new Customer Support dashboard widget, enabled by default and on upgrade
• Changed the way AJAX updates are handled on the Dashboard widgets to improve efficiency and fix issues with
some widgets refreshing in a timely manner
• Added filters to more dashboard widgets #7122
• Added customization for dashboard widget names
• Fixed Interface Statistics dashboard widget issues with interfaces in a “down” state
• Fixed formatting issues with the Interface Statistics dashboard widget #7501
• Added the ability to place multiple copies of widgets on the dashboard, optional for each widget
• Added a line to display detected CPU cryptographic hardware, such as AES-NI, in the System Information
dashboard widget even if the module isn’t loaded #7529
• Fixed CPU package/core count displayed on the System Information dashboard widget
• Changed how pkg metadata is handled to reduce the load on the Dashboard and reduce unnecessary calls to the
pkg server for the System Information dashboard widget update check, and for the Installed Packages dashboard
widget
• Changed CPU usage calculation in the System Information dashboard widget to avoid sleep() in an AJAX call
• Fixed the IPsec widget tunnel status to handle newer strongSwan childid format #7499
• Fixed error when saving Wake on LAN dashboard widget without any WoL entries
• Fixed a problem where traffic could be counted twice in traffic graphs #7751
• Fixed a problem with the Installed Packages dashboard widget when no packages are installed #7811
• Changed date formats of some fields on the Dashboard to be more consistent #7805
• Added an option to the Interface Statistics dashboard widget to rotate the table (put interfaces in rows instead of
columns) to improve the display on firewalls with numerous interfaces #7501
pftop
• Removed the “size” option from pftop as it had no effect, use the “bytes” option instead #7579
• Removed the ‘peak’ and ‘rate’ views for pftop since they only work in interactive mode with cached data, not
batch mode which is used by the WebGUI #7580
• Fixed path to an old copy of the pftop WebGUI page in obsolete list #7581
DNS
• Changed /etc/hosts such that the FQDN is listed first, except for localhost, so that dnsmasq will properly reverse
resolve hostnames #7771
• Fixed a problem where the DNS Search Domain List was not being populated into radvd.conf #7081
• Enabled Python support for Unbound #7549
• Added a control to disable automatically added host entries in Unbound
• Changed the way unbound is started at boot time on systems with DHCP6 WANs
Misc
• Added hardware support and detection for new Netgate models
• Changed the User Agent passed to outbound requests from pfSense to include more accurate host information
• Added the User Agent to the request data when updating the Bogons list
• Fixed growl and SMTP notifications so performing a test saves first, so the new settings are used as expected
#7577
• Fixed loading issues with PHP extensions #6628
• Removed symbolic links for configuration files that redirected items from /etc/ to /var/etc/ #5538
• Added the ability to filter Packet Captures by MAC address #6743
• Updated status.php with new info and changed its output organization #7047
• Fixed a problem where a proxy defined for use by the firewall could not use HTTPS when using proxy
authentication #6949
• Improved RAM disk backups and file management #7098
• Changed the way RAM disk contents are handled when enabled #5897
• Changed various support functions to better facilitate translation to additional languages
• Fixed interface name display on the Router Advertisement configuration page #7133
• Fixed various issues with handling of unusually formatted, but valid, IPv6 addresses #7147
• Improved error handling when a client is logged out when it attempts to poll data via rrd_fetch_json.php #6748
• Fixed various issues when the configuration backup count was set to 0 (disabled) #7273
• Fixed handling of “0” for the number of backups to retain in the configuration history #7273
• Fixed an issue with long configuration change descriptions leading to wrapping issues in certain cases such as
AutoConfigBackup #6363
• Fixed an issue with installing packages from a backup when restoring using the External Configuration Locator
on the first boot post-install #7914
2.3.5-p1 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• Updated OpenSSL to address CVE-2017-3737 and CVE-2017-3738 FreeBSD-SA-17:12.openssl
• Fixed a potential authenticated command execution issue in certificate data handling #8153
pfSense-SA-17_10.packages.asc
• Fixed a potential clickjacking issue in the CSRF error page
• Fixed a potential XSS issue in status_filter_reload.php #8143 pfSense-SA-17_11.packages.asc
Misc
• Fixed an issue in the User and Group Manager pages when operating on entries immediately after deleting an
entry #7733
• Fixed sorting of Services on the dashboard widget and Services Status page #8069
• Fixed display of available updates on the Installed Packages Dashboard widget #8035
• Fixed display of packages which have been removed from the repository in the Package Manager #7946
• Fixed the OpenVPN Client Certificate Revocation List option #8088
• Fixed an issue with the Pictures widget when there is no valid picture saved #7896
• Fixed an indexing issue when deleting Host Override entries from the DNS Forwarder #8159
• Fixed a premature session timeout issue on pages which update exclusively using AJAX, such as
status_graph.php #8116
• Fixed ping_hosts.sh so it does not unnecessarily run a CARP check when there are no IPsec hosts to ping #8172
• Fixed a missing global variable declaration in interface IP address detection
2.3.5 New Features and Changes
The pfSense® software version 2.3.x release is a Security and Errata maintenance release. 2.4.x is the primary stable
supported branch. If the firewall hardware is capable of running 2.4.x, consider upgrading to that release instead.
Updating to 2.3.5 from 2.3.4 on an amd64 installation that could otherwise use 2.4.x requires configuring the firewall
to stay on 2.3.x as follows:
• Navigate to System > Update, Update Settings tab
• Set Branch to Security / Errata Only
• Navigate back to the Update tab to see the latest 2.3.x update
If the update system offers an upgrade to 2.3.5 but the upgrade will not proceed, ensure the firewall has correct versions
of the repository configuration and upgrade script for 2.3.x by running the following commands from the console or
shell:
pkg install -fy pfSense-repo pfSense-upgrade
Firewalls running 32-bit (i386) installations of pfSense software do not need to take any special actions to remain on
2.3.x as they are unable to run later versions.
Operating System / Architecture changes
• Upgrade of base OS to FreeBSD 10.3-RELEASE-p20
• Fixed issues with major version base upgrades via pkg
Security / Errata
• pfSense-SA-17_07.packages
• Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK in wpa_supplicant
and hostapd (FreeBSD-SA-17:07.wpa)
• A number of base system packages have been updated to address security issues, including dnsmasq, perl,
cURL, and others.
Interfaces
• Added support for the IPv6 AUTO_LINKLOCAL flag on bridge interfaces
• Added an option to use static IPv6 over an IPv4 PPP parent (e.g. PPPoE) #7598
• Added IPv6 Prefix Delegation interface selection
• Improved input validation for GIF interfaces #7789
Dashboard
• Rewrote Dashboard AJAX updating in a centralized and optimized way to reduce load, improve accuracy, and
increase speed
• Added a new Customer Support dashboard widget, enabled by default and on upgrade
• Changed the way AJAX updates are handled on the Dashboard widgets to improve efficiency and fix issues with
some widgets refreshing in a timely manner
• Changed how pkg metadata is handled to reduce the load on the Dashboard and reduce unnecessary calls to the
pkg server for the System Information dashboard widget update check, and for the Installed Packages dashboard
widget
• Improved error checking to prevent dashboard widget parsing errors
• Fixed a variable conflict in the NTP Status Dashboard widget #7795
• Fixed a problem with the Picture Dashboard widget when it does not have a picture defined #7896
• Changed IPsec Dashboard Widget tunnel status to handle newer strongSwan childid format #7499
• Fixed time display for UTC in the NTP Dashboard Widget #7714
WebGUI
• Changed the design of the login page for the WebGUI to a more modern style, with several color choices
available
• Added URL fingerprinting to JavaScript and CSS file references to improve client-side behavior when files
change between versions #7251
• Updated Logo to the new logo and made it a vectorized SVG image for better scaling
• Updated favicon to the new logo and added multiple sizes for different platforms
• Added an option for sorting the Interfaces menu by description
• Added an “auth_check” type of simple test that a page can use to verify a user is logged in and has access, using
less CPU, which is better for AJAX data polling
• Improved handling of PHP errors for user-entered PHP code on diag_command.php
• Changed Interfaces menu “(Assign)” to “Assignments” and added support for menu divider bars
• Fixed automatic selection of ‘128’ as prefix/mask for IPv6 address fields #7625
• Replaced Math.trunc with Math.floor to make IE properly handle traffic graphs #7804
• Changed nginx configuration so it does not allow direct download of .inc files #8005
• Fixed hostname input handling on diag_dns.php
Gateways
• Added a delay to allow dpinger time to properly initialize before using results
• Added a log message when gateway alarms are raised/cleared to show the parameters that triggered the alarm
• Reset All States on WAN IP Change option #1629
Rules/NAT/Shaper
• Fixed handling of Port Forwards so they do not make up new destination information when configured against a DHCP interface that does not currently have an address
• Fixed ALTQ Traffic Shaper PRIQ priority number validation
IPsec
• Added an option to set the Rekey Margin for IPsec tunnels in the Phase 1 settings
• Added RADIUS accounting support for mobile IPsec when accounting is enabled on the Authentication Server
entry
• Added checks to prevent simultaneous/repeated calling of vpn_ipsec_configure() by /etc/rc.newipsecdns
Misc
• Fixed an issue with installing packages from a backup when restoring using the External Configuration Locator on the first boot post-install #7914
• Fixed handling of forced Dynamic DNS hostnames for DHCPv6 static mappings #7324
• Fixed several issues with cron job updating and removal
• Added the device serial/id to the console and SSH menu banner #7968
• Changed /etc/hosts such that the FQDN is listed first, except for localhost, so that dnsmasq will properly reverse
resolve hostnames #7771
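The /etc/hosts ordering behind #7771 is easy to regress when entries are edited by hand or by a package, so a small audit is worth having. The script below is an added example, not pfSense project code: it walks a hosts file and reports every entry whose first name after the address is a short hostname while an FQDN appears later on the same line, which is the ordering that breaks dnsmasq reverse lookups. It assumes only awk(1), takes the hosts file path as an argument, exempts localhost as the release note does, and uses constructed sample entries in its test; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not pfSense project code). Audits a hosts file for the
# ordering problem described in #7771: a short hostname listed before the
# FQDN for the same address. Requires only awk(1).

# Print one line per offending entry:
#   "<address>: short name X listed before FQDN Y"
# Blank lines and comment lines are skipped, a trailing "# ..." comment ends
# the name list, and localhost is exempt (it is the one exception the release
# note makes). Output is empty when every entry lists its FQDN first.
check_hosts_order() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank or comment line
        $2 == "localhost"     { next }          # exempt, as in the release note
        index($2, ".") == 0 {                   # first name is a short hostname
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment ends the names
                if (index($i, ".") > 0) {
                    printf("%s: short name %s listed before FQDN %s\n", $1, $2, $i)
                    break
                }
            }
        }' "$1"
}

# Return 0 when the file passes, 1 when at least one entry is mis-ordered,
# so the check can gate a script or a cron job.
hosts_order_ok() {
    [ -z "$(check_hosts_order "$1")" ]
}

# Usage: ./check_hosts.sh /etc/hosts
if [ $# -gt 0 ]; then
    check_hosts_order "$1"
    hosts_order_ok "$1"
fi
```

A clean file produces no output and an exit status of 0; each mis-ordered entry is printed with the address, the short name that was listed first, and the FQDN that should have preceded it.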
2.3.4-p1 New Features and Changes
The pfSense® software version 2.3.4-p1 errata release is a minor release after 2.3.4 and contains beneficial security
and bug fixes.
Security / Errata
• pfSense Security Advisories
– pfSense-SA-17_05.webgui:
* Fixed a potential XSS issue in the diag_edit.php file browser #7650
* Fixed a potential XSS in handling of the ‘type’ parameter on diag_table.php #7652
* Fixed validation and a potential XSS in interface names on firewall_nat_edit.php #7651
– pfSense-SA-17_06.webgui:
* Added a warning screen to the GUI and prevent access if the client IP address is currently in the
lockout table, and also remove the client’s connection states #7693
Bug Fixes
Captive Portal
• Fixed Captive Portal RADIUS Authentication to only cache credentials when required to perform reauthentica-
tion #7528
• Restored the captive portal feature to view the captive portal page directly from the portal web server as an
additional button #7646
Dynamic DNS
• Fixed issues with wildcard CNAME records disappearing from Loopia when doing a DNS update
• Fixed issues with CloudFlare Dynamic DNS
• Fixed Hover Dynamic DNS updates so they verify the SSL peer
Logging
• Added syslogd service definition to enable status display and control #4382
• Fixed issues with syslogd stopping when installing or uninstalling some packages #7256
Virtual IP Addresses
• Fixed issues with CARP status display overmatching some VIP numbers #7638
• Fixed pid file handling for choparp (Proxy ARP Daemon)
• Added the ability to sort the Virtual IP address list
DNS
• Fixed diag_dns.php so it will not create an empty alias if name does not resolve
• Fixed diag_dns.php to not show Add Alias if the user does not have privileges to add an alias
• Fixed diag_dns.php to change the update alias button text after adding an alias
• Fixed diag_dns.php to disable the Add Alias button when the host field is changed
• Fixed calls to unbound-control to have the full configuration path specified so they do not fail #7667
• Fixed handling of “redirect” zone entries in the DNS Resolver so they do not produce invalid zones #7690
• Changed the way the DNS Resolver code writes out host entries, so the zones are more well-formed #7690
• Changed the way the DNS Resolver process (unbound) is stopped, to allow it to exit cleanly. #7326
Interfaces
• Fixed DHCPv6 to request a prefix delegation even if no interfaces are set to track6 #4544
• Updated handling of original MAC address retention for interfaces with spoofed MACs
• Fixed an array handling problem when working with gateway entries on the Interface configuration page #7659
• Fixed handling of MSS clamping values for PPPoE/L2TP/PPTP WANs #7675
DHCP
• Fixed an issue where some DHCP Lease information was encoded twice with htmlentities/htmlspecialchars
• Fixed an issue where in some edge cases, a variable was not properly set in a loop, leading to a previous value
being reused
Misc
• Removed “/usr/local/share/examples” from obsolete files list, some packages rely on the files being there
• Added a few more items to status.php for support purposes, such as a download button, socket buffer info, and
the netgate ID
• Fixed status.php to redact BGP MD5 password/key in output #7642
• Fixed OpenVPN to use is_numeric() to make sure $prefix is not 0
• Changed the “Rule Information” section so it is consistent between firewall and NAT rule pages
• Fixed APU2 detection for devices running coreboot v4.x
• Fixed the tunable description for net.inet.ip.random_id #6087
• Fixed some outdated links for help and support
• Fixed some issues with empty config tags in packages #7624
• Fixed issues with entry IDs after deleting Authentication Server instances #7682
2.3.4 New Features and Changes
Security / Errata
• Updated base OS to FreeBSD 10.3-RELEASE-p19
• FreeBSD/ports Security Advisories
– Updated ntpd to 4.2.8p10_2 FreeBSD-SA-17:03.ntp.asc
– Updated cURL to 7.54.0 ( CVE-2017-7407, CVE-2017-7468 )
– Updated libevent to 2.1.8 ( CVE-2016-10197, CVE-2016-10196, CVE-2016-10195 )
• pfSense® Software Advisories
– Fixed encoding of displayed values from DHCP leases to prevent a badly formatted DHCP lease hostname
from causing a potential XSS #7497 (pfSense-SA-17_04.webgui)
• See the Certificates section below for an important note about GUI certificate errors on Chrome 58 and later
Certificates
• Improved certificate generation to always include the CN as the first Subject Alternative Name (SAN), which
fixes issues with Chrome 58+ #7496
To work around an error with the firewall GUI certificate on Chrome 58+, take one of the following actions:
– Generate and activate a new GUI certificate automatically, from the console/shell: pfSsh.php playback
generateguicert
– Utilize the ACME package to generate a trusted certificate for the GUI via Let’s Encrypt
– Create a new CA and server certificate manually and use that for the GUI
• Fixed linking of a certificate to its CA after submitting the signed version of a CSR #7512
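Chrome 58+ stopped falling back to the Common Name for hostname matching, so a GUI certificate whose only identity is its CN fails even when that CN matches the URL. The script below is an added example, not pfSense project code: it uses openssl(1) to produce both certificate shapes (CN only, as GUI certificates were generated before 2.3.4, and CN duplicated into the subjectAltName, as 2.3.4 now does) and then tests which one carries its CN in the SAN. It assumes openssl 1.1.1 or newer is on PATH; the hostname fw.example.com, the file names and the check_gui_cert helper are illustrative.

```shell
#!/bin/sh
# Added example (not pfSense project code). Assumes openssl(1) 1.1.1 or newer
# on PATH; fw.example.com and the output paths are illustrative.
set -eu

# Issue a self-signed server certificate for CN. With "yes" as the third
# argument the CN is also placed in subjectAltName, as pfSense 2.3.4+ does;
# with "no" the certificate carries only a CN, which Chrome 58+ no longer
# accepts for hostname matching.
make_cert() {
    cn="$1"; out="$2"; with_san="$3"
    if [ "$with_san" = "yes" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
            -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
            -keyout "$out.key" -out "$out.crt" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
            -subj "/CN=$cn" -keyout "$out.key" -out "$out.crt" 2>/dev/null
    fi
}

# Print the CN of a PEM certificate (RFC 2253 subject formatting, so the
# value is not padded with spaces).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the certificate's subjectAltName lists its CN as a DNS name,
# 1 otherwise (the shape that triggers the Chrome 58+ error).
cert_has_cn_in_san() {
    crt="$1"
    cn=$(cert_cn "$crt")
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null || true)
    case "$san" in
        *"DNS:$cn"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Same check against a running GUI: fetch the served certificate over TLS
# and test it. Illustrative helper; needs network access to the firewall.
# Usage: check_gui_cert fw.example.com 443
check_gui_cert() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    if cert_has_cn_in_san "$tmp"; then
        echo "$host: CN present in SAN, accepted by Chrome 58+"; rc=0
    else
        echo "$host: CN missing from SAN, regenerate the GUI certificate"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Run check_gui_cert against the firewall's GUI address; a non-zero exit means the certificate predates the fix and should be replaced with one of the three options listed above (the playback script, the ACME package, or a new CA and server certificate).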
Firewall Rules/NAT/Shaper
• Fixed restarting the Load Balancer (relayd) clearing system tables/aliases #7396
• Fixed ruleset generation to notify when an unresolvable alias is encountered by the parser #7421
• Fixed handling of a rule using an empty port alias #7428
• Fixed the traffic shaping wizard handling of SMB rules in Raise/Lower Other Protocols, it was producing an
invalid rule #7434
• Fixed handling of alias renaming after input validation #7473
• Fixed handling of long rule descriptions #7294
Dashboard
• Improved formatting in the gateways widget by reducing the numeric precision of displayed values #6841
• Fixed the NTP widget to show the server time instead of client time #7245
• Added a “None” option to Widgets with filtering options #7318
• Added PPPoE uptime display on the Interfaces dashboard widget #6032
• Added filters to more dashboard widgets #7122
• Added BIOS information to the System Information widget
• Added Netgate Unique ID to the System Information widget
Note: This identifier for support services is only displayed on the Dashboard for information purposes and
is not transmitted anywhere automatically by default. In the future, customers can use this identifier when
requesting support information from Netgate staff or systems.
Configuration
• Fixed issues restoring a configuration containing packages when the firewall does not have Internet connectivity
#6594
• Fixed factory reset when Captive Portal has Vouchers enabled #7508
• Cleaned up unused code in diag_backup.php
Interfaces
• Changed interface handling so it retains the original vendor MAC address at power up when spoofing, so it can
be restored without a reboot #7011
• Fixed interface assignment of QinQ interfaces #4669
• Fixed errors in PPP service provider selection when a country without providers is selected #7399
• Fixed input handling when editing static IP address fields on interfaces #7493
• Added the ability for DHCP Client WANs to specify a list of IP addresses from which to reject leases #7510
User Manager / Authentication
• Added a warning to system_authservers.php to warn that RADIUS does not work with IPv6 #4154
• Added a status icon to the User Manager to show if a user is enabled or disabled #7517
General GUI
• Added navigation links to breadcrumbs #7099
• Improved service name support and error handling in pfSenseHelpers.js #7445
DHCP
• Changed dhcpleases so it does not start when DHCP Relay is enabled #6750
• Fixed checks for DHCP Relay being enabled/disabled so they are skipped when editing an additional pool
ARP / NDP
• Added the ability to delete NDP entries #7513
• Added expiration field to NDP listing #7514
Misc
• Fixed DNS issues when upgrading NanoBSD #7345
• Fixed the Reset Demotion Status for CARP to function when the demotion value is negative #7424
• Fixed editing of Host Overrides in the DNS Resolver/Forwarder pages #7435
• Fixed service handling (start/stop/restart) for Captive Portal #7444
• Fixed display of the ALTQ “queue” view in pfTop due to recent changes in the pfTop port #7461
• Added support for the Dynamic DNS Client Hover #7511
• Fixed UTF-8 handling in Base64 decoding on diag_edit.php
• Fixed handling of traffic graph data irregularities #7515
• Added visual separation to the legend on the installed packages list #7203
• Changed SMTP and Growl notification test to use the new, unsaved settings #7516
2.3.3-p1 New Features and Changes
The pfSense® software version 2.3.3-p1 errata release is a minor release after 2.3.3 and contains beneficial security
and bug fixes.
Security / Errata
• Updated to FreeBSD 10.3-RELEASE-p17
– FreeBSD-SA-17:02.openssl (CVE-2016-7055, CVE-2017-3731, CVE-2017-3732)
• Upgraded cURL to 7.53.0 (CVE-2017-2629)
Bug Fixes
• Fixed issues with the upgrade check seeing the version of pfSense-upgrade instead of pfSense in some circum-
stances. #7343
• Fixed handling of domain-only (@ record) updates for CloudFlare Dynamic DNS #7357
• Fixed a problem with the Dynamic DNS Widget where RFC2136 entries showed an incorrect status #7290
• Fixed Dynamic DNS status widget formatting for medium-width browser windows #7301
• Fixed a problem with HTML tags showing in certificate description drop-down lists in the Certificate Manager
#7296
• Fixed an error loading some older rules with ICMP types #7299
• Fixed display of selected ICMP types for old rules without an ipprotocol option set #7300
• Fixed Log widget filter interface selection with custom interface descriptions #7306
• Fixed the widget Filter All button so it does not affect all widgets #7317
• Fixed the password reset script so it resets the expiration date for the admin account when run, to avoid the user
still being locked out #7354
• Fixed the password reset script so it properly handles the case when the admin account has been removed from
config.xml #7354
• Fixed input validation of TCP State Timeout on firewall rules so it is not arbitrarily limited to a maximum of
3600 seconds #7356
• Fixed console settings for XG-1540/XG-1541 to use the correct default console #7358
• Fixed initial setup handling of VLAN interfaces when they were assigned at the console before running the
Setup Wizard #7364
• Fixed display of OpenSSL and input errors when working in the Certificate Manager #7370
• Fixed Captive Portal “disconnect all” button
• Fixed pkg handling timeouts #6594
• Updated blog URL in the RSS widget
• Removed whirlpool from the list of CA/certificate digest algorithms since it does not work #7370
2.3.3 New Features and Changes
Security / Errata
• Updated to FreeBSD 10.3-RELEASE-p16
– FreeBSD Security Advisories
* FreeBSD-SA-16:29.bspatch
* FreeBSD-SA-16:31.libarchive
* FreeBSD-SA-16:33.openssh
* FreeBSD-SA-16:35.openssl
* FreeBSD-SA-16:37.libc
* FreeBSD-SA-16:38.bhyve
* FreeBSD-SA-16:39.ntp
* FreeBSD-SA-17:01.openssh
– FreeBSD Errata Notices
* FreeBSD-EN-16:17.vm
* FreeBSD-EN-16:18.loader
• pfSense® Software Advisories
– pfSense-SA-17_01.webgui
* Fixed validation and encoding on Captive Portal status pages #7019
– pfSense-SA-17_02.webgui
* Fixed update_config_field() in wizard.php so it does not pass user input through eval() #7230
– pfSense-SA-17_03.webgui
* Added encoding for ‘from’ and ‘to’ before output on pkg_mgr_install.php #7225
* Added encoding for the contents of pkg_filter before output #7227
* Converted easyrule.php to use a confirmation landing page so that the parameters can be submitted
via POST #7228
• Updated numerous third-party libraries and supporting programs
• Changed behavior of fsck during bootup to improve filesystem stability #6340
• Added protection to /etc/ttys to prevent corruption or missing lines
Known Issues
• The Captive Portal Disconnect All Users button does not fully disconnect all users PR#3565
• RFC 2136 Dynamic DNS Entries will show red on the Dashboard widget even when correctly updated #7290
• Firewall rules without an IP protocol set in the configuration which also have an ICMP type set may not load or
display correctly. #7299 #7300
General Info
• Added Packages: tinc, cellular, LCDproc, TFTP Server
• Fixed numerous typos and wording issues
• Added marking for required fields on various pages #7083
• Input validation fixes on various pages
• Cleaned up some unneeded files/pages/functions
• Fixed broken/outdated links
OpenVPN
• Changed OpenVPN RADIUS authentication to send proper NAS-Port-Type, NAS-Port, and NAS-Identifier
values #6609
• Added compression option to handle connecting to OpenVPN peers which do not have LZO compiled into their
OpenVPN executable #6739
• Added a workaround to block outside DNS on Windows 10 OpenVPN clients to prevent DNS leaks #6719
• Improved OpenVPN server handling when using CARP VIPs in Gateway Groups
• Improved handling of chained/intermediate CAs in OpenVPN #2800
• Changed OpenVPN widget so it updates dynamically #6723
• Adapted the encryption cipher list to the new output format in OpenVPN 2.3.12, also now displays key and
block lengths #6849
• Changed OpenVPN server list to display more information
• Improved error message to explicitly state allowable characters for certificate fields in the OpenVPN wizard
#6432
• Fixed handling of OpenVPN authentication when the backend server name contains special characters (e.g. ‘&’)
#7002
• Fixed saving an OpenVPN instance on a DHCP interface that does not currently have an IP address #7031
• Added an IPv6 Tunnel Network field to OpenVPN Client-Specific Overrides #7053
• Fixed changing between tun and tap mode for OpenVPN Clients
• Changed OpenVPN startup to avoid overwriting its configuration, and to wait for its PID file to be written
• Fixed OpenVPN binding to an IP Alias VIP #7136
• Fixed display of disabled OpenVPN clients #7180
• Fixed handling of “redirect-gateway” in Client-Specific Overrides #6633
IPsec
• Clarified IPsec Key Exchange Version drop-down to specify IKEv1/IKEv2 #6898
• Fixed handling of static routes for IPsec peers on tunnels bound to IP Aliases VIPs with CARP parents
• Fixed MSS clamping for mobile IPsec clients #7005
• Added IPsec to the State Table interface list
Interfaces
• Fixed handling of LAGG MTU when child QinQ interfaces are present #6227
• Improved behavior when using DHCP before RA #5993
• Added the ability to send a DHCP Release from Status > Interfaces, rather than only stopping dhclient
• Fixed issues adding/editing QinQ entries
• Fixed input validation of QinQ entries
• Fixed validation to prevent an interface, interface group, and alias from using the same name #6976
• Updated interface group name validation rules to match limits of the operating system
• Prevented interface group names, interface names, and aliases from starting with pkg_ to reserve it for packages
use (e.g. tinc) #7173
• Added validation to prevent Interface Group Names from containing a dash #7173
• Added validation to prevent Interface Groups from being renamed to an existing name #7183
• Fixed issues with Interface Statistics widget display #7134
• Fixes for interfaces_ppps_edit.php to fix MTU validation, interface friendly names, advanced options expansion
• Changed linkup event handling to ignore events for interfaces that are member of bridges which have no IP
address configured
• Fixed input validation for L2TP and PPTP WAN type interfaces #6732
• Added validation to prevent adding duplicate gateways from the Interface configuration page
• Fixed handling of IPv6 checksum options for “Disable hardware checksum offload” #5321
• Fixed handling of the confirmation dialog when deleting a VLAN #6916
• Fixed handling of wireless MAC address spoofing
• Fixed wireless channel changing #6833
• Improved labels and help text for IPv6 tunneling options
• Added the ability for an L2TP or PPTP WAN to use a hostname for the remote gateway #6899
Certificate Management
• Added missing recommended key lengths and digests to certificate manager
• Fixed CRL editing so that certificates already contained in the CRL are not displayed
Users / Authentication / Privileges
• Fixed SSH Keyboard-Interactive authentication #6963
• Added STARTTLS to LDAP Authentication Server Configuration
• Improved WebGUI usability when a remote LDAP server is not available
• Fixed issues with local_sync_accounts failing during boot when using an LDAP server on a non-local network
or hostname #6857
• Fixed port build options for scponly #7012
• Fixed notifications so that the Mark All as Read button is not shown to users who do not have sufficient privileges
to use it #3454
• Added privileges to control display of notices #7051
• Standardized privilege name capitalization
• Fixed issues with low-privilege users accessing Help pages #7139 #7140
• Added a privilege for UPnP & NAT-PMP configuration #7141
• Simplified tcsh prompt and changed the prompt so it respects default terminal colors
Firewall / Rules / NAT / Aliases / States
• Fixed restoring rule type selection after input errors while saving firewall rules
• Fixed a copy/paste error in variable test when validating firewall rule ports.
• Corrected the descriptions and behavior of the Adaptive Start and Adaptive End settings for firewall state han-
dling
• Fixed display of the number of states in the Firewall Rules page
• Moved “Any” to top of protocol list in firewall rules
• Fixed issues with hidden fields on firewall_rules_edit.php #7057
• Fixed issues with moving rules that required scrolling while dragging #6895
• Enhanced ICMP type handling in rules
• Fixed issues when hovering the mouse pointer over aliases on disabled rules making the hint difficult to read
#6448
• Fixed handling of firewall rule separators when a NAT associated rule is deleted #6676
• Added field to specify source-hash key for outbound NAT rules
• Fixed issues with Firewall > NAT > Edit forgetting destination type selection when input errors occur #6224
• Removed “self” as a destination from NAT 1:1 rules
• Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
• Fixed 1:1 NAT address family validation #6927
• Fixed problems with nested aliases containing FQDNs #6982
• Changed the Status > Filter Reload page so it shows the entire filter reload progress, rather than only the last
state #6931
• Fixed labels on diag_states_summary.php #6711
• Fixed initial state of confirmation checkboxes on diag_resetstate.php
• Changed Diag > States so it can optionally require a filter before displaying states, to improve handling with
large state tables #7069
Traffic Shaping
• Added Chelsio network cards (cxl) to the list of drivers that are capable of using ALTQ #6830
• Fixed the traffic shaper wizard so it uses whole numbers instead of decimals #6779
HA / CARP
• Fixed issues when XMLRPC synchronizes IP Alias type Virtual IP addresses bound to Localhost #7010
• Fixed a bug where the CARP VIP status was incorrect when the interface has more than one CARP VIP
DHCP/DHCPv6 Server / Router Advertisements
• Updated the ISC DHCP Daemon to fix issues with missing hostnames in leases, and removed workarounds that
are no longer needed #6840
• Fixed reversed behavior of “Change DHCPv6 display lease time from UTC to local time” #6640
• Fixed incorrect index for edit action on DHCP Leases #7233
• Added an option to force a Dynamic DNS hostname in DHCP/DHCP6 Server settings
• Changed DHCP lease times to always display in 24-hour clock format
• Added an option to allow BOOTP to be specifically disabled in the DHCP Server settings #4351
• Fixed validation to allow URLs for TFTP Server in DHCP Server settings #6634
• Improved dhcpd and dhcpleases reload handling
• Fixed DHCP NTP Server form validation to allow hyphens #6806
• Fixed restore of DHCP6 leases on full install when using MFS /var
• Fixed a problem with the DHCP range being reset if the Setup Wizard was re-run when a custom DHCP range
already exists #4820
• Fixed issues with DHCP traffic being blocked with DHCP Relay enabled #6996
• Changed the DHCP/DHCPv6 server GUI so it can be configured (but not run) while DHCP Relay is enabled
#6997
• Added Client ID to DHCP Leases display, if present
• Added Client ID to DHCP Mapping list, if present
• Disabled DHCP server on interfaces with subnet >= 31 #6930
• Changed DHCP6 client to allow a prefix size of /59
• Changed DHCP6 server to allow a prefix size of /59 and /61
• Added new “Ignore client identifiers” option to DHCP Server
• Fixed handling of DNS entries for IPv6 static mappings when using delegated prefixes #6768
• Improved the help text for Router Advertisement configuration #6889
DNS / Resolver / Forwarder
• Allow a variable number of DNS servers #5549
• Changed interface boxes in the DNS Resolver so they can be resized
• Fixed sorting of DNS Forwarder hosts and domains in config.xml #6903
• Fixed DNS Resolver (unbound) logging after clearing logs #6915
• Added support for “deny_non_local” and “refuse_non_local” ACLs in the DNS Resolver #6914
• Fixed DNS Server Gateway validation
• Changed behavior of DNS Resolver overrides to only add FQDN entries, not short hostnames #6064
• Fixed issues with DNS Resolver Host Overrides not being updated properly #6712
NTP / GPS
• Fixed display of Prefer/No Select checkboxes invisible when adding entries in NTP Server settings #6788
• Fixed handling of NTP IPv6 restrict clauses
• Fixed setting default NTP access restrictions when there are no custom restrictions #6454
• Fixed NTP status widget IPv6 address handling so addresses are not truncated #4815
• Fixed the NTP Orphan Mode stratum field #7034
• Fixed issues with NTP GPS status
• Fixed a case that could result in an empty ‘restrict’ line in the NTP configuration #7110
• Added a limit for NTP time source fields so they cannot exceed the maximum number saved to configuration
#7164
• Fixed display and behavior issues with NTP ACLs #6984
• Improved parsing of GPS initialization and output, and added support for more GPS output formats and extended status
• Added an autocorrect tool for checksums on GPS initialization commands #7159
Captive Portal
• Changed Captive Portal MACs page to be sortable #6786
• Fixed handling of Captive Portal user bandwidth set to 0 #6872
• Changed Captive portal to send “Admin Reset” as termination cause when disconnecting a user from the We-
bGUI
• Added option to Captive Portal to include idle time in total session time
• Fixed bandwidth limitation settings in Captive Portal MAC passthrough
• Fixed links to view current Captive Portal page for all interfaces #6391
• Converted Captive Portal active sessions to a sortable table
• Added code to hide the client MAC address column in Captive Portal status when MAC filtering is disabled,
rather than displaying an empty column
• Added popup with session details to the Captive Portal active sessions list on the status page
• Added button to disconnect all Captive Portal users
• Worked around race condition between captiveportal_disconnect_all() and captiveportal_prune_old()
• Added locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all()
• Reworked logging and RADIUS accounting when disabling a Captive Portal zone or rebooting
• Increased speed of captiveportal_disconnect_all()
Dynamic DNS
• Added the ability to change the URL queried by Dynamic DNS entries to check the external IP address (Services
> Dynamic DNS, Check IP Services tab) #6591
• Added support for All-Inkl Dynamic DNS provider
• Added support for duiadns.net Dynamic DNS provider
• Added support for CloudFlare Proxy to Dynamic DNS
• Added Cloudflare Dynamic DNS IPv6 support #6623
• Fixed status checking on Dynamic DNS (RFC2136), updates were always considered successful even on failure
#6357
• Fixed handling of multiple RFC2136 entries #6153
• Fixed links in RFC2136 entries in the Dynamic DNS widget #7126
• Fixed HTTP header processing for Dynamic DNS updates
• Fixed handling of custom IPv6 Dynamic DNS in the widget #6922
• Changed Cloudflare and Gratis plus Dynamic DNS to store passwords in base64
• Updated Route 53 Dynamic DNS to fix several reported issues #3973 #6751 #5054
• Fixed handling of ZoneEdit Dynamic DNS when used with a CARP VIP #6992
• Removed excess loops from the Dynamic DNS Widget
Gateways / Routing
• Added the ability to disable gateway monitoring actions without disabling gateway monitoring #3151
• Changed gateway notifications to notify by email and syslog when a gateway goes up or down
• Improved gateway notification mechanisms
• Fixed handling of deleting or disabling static default gateways so they are properly removed from the routing
table #6659
• Fixed L2TP WAN dynamic gateway naming #6980
• Fixed status display for unmonitored gateways
• Fixed static blackhole route handling
• Fixed handling of long hostnames on Diagnostics > Routes #6869
• Corrected behavior of disabled static routes #3560
• Created a PHP Shell playback script to view the gateway status from the shell and status output #7046
Notifications
• Fixed SMTP settings test so it properly displays results
• Fixed validation of secure SMTP Connection Modes (SSL/TLS and STARTTLS are mutually exclusive)
• Removed validation of password mismatches when SMTP or Growl notifications are disabled #7129
• Changed format of file_notice() alerts in webgui for easier reading
Graphs / Monitoring
• Changed traffic graphs to use d3.js (Dashboard and Status > Traffic Graphs)
• Moved export button to heading for Status > Monitoring page
• Moved graph labels so long hostnames do not overlap as easily #6138
• Improved error checking in case JSON isn’t returned when building graphs #6748
• Added a missing RRD step value to lookup table #6860
• Added support for multiple views in Status > Monitoring graphs (Adds tab shortcuts to different graph views)
• Added a per-view “Refresh Interval” option to Status > Monitoring graphs
• Fixed null acronyms and the axis label for the queues/queuedrops graph in Status > Monitoring
• Enabled Area and Bar graph types for Status > Monitoring graphs
WebGUI
• Added an option to allow display of the firewall hostname on the login page
• Added filtering to widgets where appropriate
• Standardized PHP memory limit configuration
• Fixed formatting issues with the Installed Packages widget #6601
• Improved Compact-RED theme
• Changed service running/stopped icons
• Fixed issues with JavaScript confirmation prompts missing words (e.g. “Are you sure you wish to?”) #6972
• Fixed issues with packages that toggle visibility of advanced options areas #7100
• Removed the crash reporter link from the dashboard when a user does not have crash_reporter page access
#7043
• Fixed display of Package installation message #7226
• Fixed “” tag processing in package XML handling
• Fixed inconsistent handling of empty/null configuration settings in config.xml #6893
Logging
• Increased filtering tail limit for logging to ensure enough entries will be displayed #6652
• Added a means for packages to request a syslogd socket inside a chroot environment #4898
• Added BIND logging to proper facility #5524
• Improved handling of the TFTP Proxy/xinetd process when it is disabled, to reduce log messages #6308
Misc
• Updated simplepie (RSS Parsing library) to 1.4.3
• Fixed storing of IPv6 addresses so they are always saved in lower case #6864
• Fixed bsnmpd “printcap” log errors #6838
• Fixed a foreach error when restoring a configuration without packages
• Fixed handling of signal traps in the console menu #6741
• Fixed “Goto line #” action on diag_edit.php so pressing the enter key also activates the function
• Changed the PHP Execute feature of Diagnostics > Command so that it does not generate a crash report from a
syntax error #6702
• Added enable link to Status > UPnP & NAT-PMP error message if disabled #6689
• Changed the time zone help text to clarify and warn against the use of the Etc time zones that use POSIX style
signs, which are the opposite of what most users expect #7089
• Added validation to prevent duplicate Wake on LAN entries
• Fixed permissions on /var/tmp when /var is a RAM disk #7120
• Added a fallback for get_pkg_info() to use pkg info if there is no local copy of the repository catalog
• Removed spurious output from the PHP Shell executable when running a playback script from a command
prompt #7045
• Updated status.php with new info and changed its output organization #7246
2.3.2-p1 New Features and Changes
2.3.2 Update 1
• FreeBSD-SA-16:26.openssl - Multiple vulnerabilities in OpenSSL. The only significant impact on pfSense®
software is OCSP for HAProxy and FreeRADIUS.
• Several Hyper-V-related Errata in FreeBSD 10.3, FreeBSD-EN-16:10 through 16:16. See
https://www.freebsd.org/relnotes/10-STABLE/errata/errata.html for details.
• Several built-in packages and libraries have been updated, including:
– PHP to 5.6.26
– libidn to 1.33
– curl to 7.50.3
– libxml2 to 2.9.4
• The hardware serial number is now displayed in the system information widget, or a host UUID if a serial
number is not found. This is for display purposes and facilitates users seeking support in identifying their
hardware.
• Added encoding to the ‘zone’ parameter on Captive Portal pages.
• Added output encoding to diag_dns.php for results returned from DNS. #6737
• Worked around a Chrome bug with regular expression parsing of escaped characters within character sets. Fixes
“Please match the requested format” on recent Chrome versions. #6762
• Fixed DHCPv6 server time format option #6640
• Fixed /usr/bin/install missing from new installations. #6643
• Increased filtering tail limit for logging so searching will locate sufficient entries. #6652
• Cleaned up Installed Packages widget and HTML. #6601
• Fixed widget settings corruption when creating new settings. #6669
• Fixed various typos and wording errors.
• Removed defunct links to the devwiki site. Everything is on https://www.netgate.com/docs/pfsense/ now.
• Added a field to CA/Cert pages for OU, which is required by some external CAs and users. #6672
• Fixed a redundant HTTP “User-Agent” string in DynDNS updates.
• Fixed the font for sortable tables.
• Added a check to verify if an interface is active in a gateway group before updating dynamic DNS.
• Fixed wording of the “Reject leases from” option for a DHCP interface (it can only take addresses, not subnets). #6646
• Fixed error reporting for SMTP settings test.
• Fixed saving of country, provider, and plan values for PPP interfaces
• Fixed checking of invalid “Go To Line” numbers on diag_edit.php. #6704
• Fixed off-by-one error with “Rows to Display” on diag_routes.php. #6705
• Fixed description of the filter box on diag_routes.php to reflect that all fields are searchable. #6706
• Fixed description of the box for the file to edit on diag_edit.php. #6703
• Fixed description of the main panel on diag_resetstate.php. #6709
• Fixed warning dialog when a box is unchecked on diag_resetstate.php. #6710
• Fixed log shortcut for DHCP6 areas. #6700
• Fixed the network delete button showing when only one row was present on services_unbound_acls.php #6716
• Fixed disappearing help text on repeatable rows when the last row is deleted. #6716
• Fixed dynamic DNS domain for static map DHCP entries
• Added control to set dashboard widget refresh period
• Added “-C /dev/null” to the dnsmasq command line parameters to avoid it picking up an incorrect default
configuration which would override our options. #6730
• Added “-l” to traceroute6 to show both IP Addresses and Hostnames when resolving hops on
diag_traceroute.php. #6715
• Added note about max ttl/hop limit in source comment on diag_traceroute.php.
• Clarified language on diag_tables.php. #6713
• Cleaned up the text on diag_sockets.php. #6708
• Fixed display of VLAN interface names during console assignment. #6724
• Fixed domain-name-servers option showing twice in pools when set manually.
• Fixed handling of DHCP options in pools other than the main range. #6720
• Fixed missing hostnames in some cases with dhcpdv6. #6589
• Improved pidfile handling for dhcpleases.
• Added checks to prevent accessing an undefined offset in IPv6.inc.
• Fixed the display of the alias popup and edit options on source and destination for both the address and port on
outbound NAT.
• Fixed handling of backup config count. #6771
• Removed some dangling PPTP references that are no longer relevant.
• Fixed up/caught up remote syslog areas. Added “routing”, “ntpd”, “ppp”, “resolver”, fixed “vpn” to include all
VPN areas (IPsec, OpenVPN, L2TP, PPPoE Server). #6780
• Fixed missing checkboxes in some cases when adding rows on services_ntpd.php. #6788
• Revised service running/stopped icons.
• Added a check to CRL management to remove certificates from the drop-down list that are already contained in
the CRL being edited.
• Fixed rule separators moving when multiple firewall rules are deleted at the same time. #6801
2.3.2 New Features and Changes
SSH Daemon
Note: The ssh host keys were made more secure, and if a client remembers an older, weaker key, the ssh client may
refuse to connect. Remove the older key and then make the ssh client learn the new key.
• Changed sshd to use stronger Key Exchange algorithms and disabled some older, weaker algorithms. Clients
may need to be updated to handle the new Key Exchange methods.
Currently allowed Key Exchange Algorithms: curve25519-sha256@libssh.org,
diffie-hellman-group-exchange-sha256
• Removed the ECDSA host key from the sshd configuration
• Added ED25519 host key to the sshd configuration
• Changed the list of available ciphers.
Current allowed ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
• Changed the list of available Message Authentication Code methods,
Current MAC list: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,
hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
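A defender's check for the lists above, as an added example that is not part of pfSense: a small Python audit that parses an sshd_config, compares its KexAlgorithms, Ciphers and MACs against the 2.3.2 lists, and confirms the host-key change (no ECDSA key, an ED25519 key present). The two sample configs are constructed here; Match blocks and relative (+/-/^) list edits are reported rather than evaluated, since they depend on context this script cannot see.

```python
"""Audit an OpenSSH sshd_config against the algorithm lists pfSense 2.3.2 enabled.

Added example, not pfSense code.  The allowed sets below are copied from the
2.3.2 release notes; the sample configurations are constructed for this demo.
"""
import re

# Algorithm lists exactly as stated in the 2.3.2 release notes.
ALLOWED_KEX = {
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
}
ALLOWED_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
}
ALLOWED_MACS = {
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "hmac-ripemd160-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-512", "hmac-sha2-256", "hmac-ripemd160", "umac-128@openssh.com",
}
# sshd_config keyword (lower-cased) -> allowed set.
ALGORITHM_OPTIONS = {
    "kexalgorithms": ALLOWED_KEX,
    "ciphers": ALLOWED_CIPHERS,
    "macs": ALLOWED_MACS,
}


def parse_sshd_config(text):
    """Parse sshd_config text into {keyword: [values]}.

    Keywords are case-insensitive.  sshd uses the first value it reads for a
    keyword, so later duplicates are ignored; HostKey is the exception and
    accumulates.  Comments and blank lines are skipped.  Match blocks are not
    interpreted (their effect depends on the connecting client).
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config accepts "Keyword value" as well as "Keyword=value".
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)
        if len(parts) != 2 or not parts[1]:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "hostkey":
            options.setdefault(key, []).append(value)
        elif key not in options:
            options[key] = [value]
    return options


def hostkey_type(path):
    """Guess the key type from the conventional ssh_host_<type>_key file name."""
    match = re.search(r"ssh_host_([a-z0-9]+)_key", path)
    return match.group(1) if match else "unknown"


def audit_sshd_config(text):
    """Return a dict of findings; an empty dict means the config matches the lists."""
    options = parse_sshd_config(text)
    findings = {}
    for keyword, allowed in ALGORITHM_OPTIONS.items():
        if keyword not in options:
            # Absent keyword means the build's compiled-in default list applies.
            findings.setdefault("missing", []).append(keyword)
            continue
        value = options[keyword][0]
        if value[0] in "+-^":
            # Relative edits of the default list cannot be resolved offline.
            findings.setdefault("relative", []).append(keyword)
            continue
        offered = [alg.strip() for alg in value.split(",") if alg.strip()]
        extra = [alg for alg in offered if alg not in allowed]
        if extra:
            findings[keyword] = extra
    key_types = [hostkey_type(p) for p in options.get("hostkey", [])]
    if "ecdsa" in key_types:
        findings.setdefault("hostkeys", []).append("ecdsa host key still configured")
    if "ed25519" not in key_types:
        findings.setdefault("hostkeys", []).append("no ed25519 host key configured")
    return findings


# Constructed sample carrying the older, weaker settings that 2.3.2 dropped.
WEAK_CONFIG = """\
# constructed sample, not a real pfSense file
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
Ciphers aes128-ctr,aes256-cbc,arcfour
MACs hmac-sha2-256,hmac-md5
Ciphers aes256-gcm@openssh.com   # ignored: sshd keeps the first Ciphers line
"""

# Constructed sample that follows the 2.3.2 lists exactly.
HARDENED_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```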
Backup/Restore
• Don’t allow applying changes on interface mismatch post-config restore until the reassignment is saved. #6613
Dashboard
• Dashboard now has per-user configuration options, documented in User Manager. #6388
DHCP Server
• Disabled dhcp-cache-threshold to avoid bug in ISC dhcpd 4.3.x omitting client-hostname from leases file, which
makes dynamic hostname registration fail in some edge cases. #6589
• Note that DDNS key must be HMAC-MD5. #6622
DHCP Relay
• Imported fix for dhcrelay relaying requests on the interface where the target DHCP server resides. #6355
Dynamic DNS
• Allow * for hostname with Namecheap. #6260
Interfaces
• Fix “can’t assign requested address” during boot with track6 interfaces. #6317
• Remove deprecated link options from GRE and gif. #6586, #6587
• Obey “Reject leases from” when DHCP “Advanced options” is checked. #6595
• Protect enclosed delimiters in DHCP client advanced configuration, so commas can be used there. #6548
• Fix default route on PPPoE interfaces missing in some edge cases. #6495
IPsec
• strongSwan upgraded to 5.5.0.
• Include aggressive in ipsec.conf where IKE mode auto is selected. #6513
Gateway Monitoring
• Fixed “socket name too large” making gateway monitoring fail on long interface names and IPv6 addresses.
#6505
Limiters
• Set pipe_slot_limit automatically to maximum configured qlimit value. #6553
Monitoring
• Fixed no data periods being reported as 0, skewing averages. #6334
• Fix tooltip showing as “none” for some values. #6044
• Fix saving of some default configuration options. #6402
• Fix X axis ticks not responding to resolution for custom time periods. #6464
OpenVPN
• Re-sync client specific configurations after save of OpenVPN server instances to ensure their settings reflect the
current server configuration. #6139
Operating System
• Fixed pf fragment states not being purged, triggering “PF frag entries limit reached”. #6499
• Set core file location so they can’t end up in /var/run and exhaust its available space. #6510
• Fixed “runtime went backwards” log spam in Hyper-V. #6446
• Fixed traceroute6 hang with non-responding hop in path. #3069
• Added symlink /var/run/dmesg.boot for vm-bhyve. #6573
• Set net.isr.dispatch=direct on 32 bit systems with IPsec enabled to prevent crash when accessing services on the
host itself via VPN. #4754
Router Advertisements
• Added configuration fields for minimum and maximum router advertisement intervals and router lifetime. #6533
Routing
• Fixed static routes with IPv6 link local target router to include interface scope. #6506
Rules / NAT
• Fixed “PPPoE Clients” placeholder in rules and NAT, and ruleset error when using floating rules specifying
PPPoE server. #6597
• Fixed failure to load ruleset with URL Table aliases where empty file specified. #6181
• Fixed TFTP proxy with xinetd. #6315
Upgrade
• Fixed nanobsd upgrade failures where DNS Forwarder/Resolver not bound to localhost. #6557
Virtual IPs
• Fixed performance problems with large numbers of virtual IPs. #6515
• Fixed PHP memory exhaustion on CARP status page with large state tables. #6364
Web Interface
• Added sorting to DHCP static mappings table. #6504
• Fixed file upload of NTP leap seconds. #6590
• Added IPv6 support to diag_dns.php. #6561
• Added IPv6 support to filter logs reverse lookup. #6585
• Package system - retain field data on input error. #6577
• Fixed multiple IPv6 input validation issues allowing invalid IPv6 IPs. #6551, #6552
• Fixed some DHCPv6 leases missing from GUI leases display. #6543
• Fixed state killing for ‘in’ direction and states with translated destination. #6530, #6531
• Restore input validation of captive portal zone names to prevent invalid XML. #6514
• Replaced calendar date picker in the user manager with one that works in browsers other than Chrome and
Opera. #6516
• Restored proxy port field to OpenVPN client. #6372
• Clarify description of ports aliases. #6523
• Fixed translation output where gettext passed an empty string. #6394
• Fixed speed selection for 9600 in NTP GPS configuration. #6416
• Only allow IPv6 IPs on NPT screen. #6498
• Add alias import support for networks and ports. #6582
• Fixed sortable table header wrap oddities. #6074
• Clean up Network Booting section of DHCP Server screen. #6050
• Fix “UNKNOWN” links in package manager. #6617
• Fix missing bandwidth field for traffic shaper CBQ queues. #6437
UPnP
• UPnP presentation URL and model number now configurable. #6002
User Manager
• Prohibit admins from deleting their own accounts in the user manager. #6450
Other
• Added PHP shell sessions to enable and disable persistent CARP maintenance mode. “playback enablecarp-
maint” and “playback disablecarpmaint”. #6560
• Exposed serial console configuration for nanobsd VGA. #6291
2.3.1 New Features and Changes
Security/Errata
• FreeBSD Security Advisories
– FreeBSD-SA-16:17 OpenSSL
– FreeBSD-SA-16:18 atkbd
– FreeBSD-SA-16:19 sendmsg
• OpenVPN upgraded from 2.3.10 to 2.3.11. Fixes two potential security issues.
– OpenVPN 2.3.11 Change Log
• pfSense® Software Advisories
– pfSense-SA-16_03.webgui
– pfSense-SA-16_04.filterlog
– 2.3.1 update 1 patches pfSense-SA-16_05.webgui.
Config Upgrade
• Fixed config upgrade for CARP VIPs on gateway groups, GRE and gif for uniqid format. #6222
• Fixed config upgrade for IP aliases with CARP IP parent. #6164
• Correct OpenVPN topology config upgrade to retain 2.2.x and prior net30 topology. #6140
• Correct and adjust apinger parameters to dpinger parameters automatically on upgrade. #6142
Gateways
• Fix static route for IPv6 monitor IP with link-local gateway. #6353
• Fix default gateway switching with IPv6 and link-local gateways. #6258
OS / Backend
• NanoBSD is now permanently read-write, to avoid issues with slow rw->ro mount times and systems getting stuck
mounted read-only. #6184
• Systems using a RAM disk for /var/ have their alias tables backed up and restored during bootup. #6189
• Set console settings (serial configuration, password protection, etc.) post-upgrade. #6120
• Ensure package repo is updated with latest metadata when checking for latest version. #6115
• Display consistent firmware version on dashboard and in update checker. #6320
• Correct description of update branch options. #6136
• Prevent update checking failures from killing webGUI. #6177
• Make pkg use configured proxy server settings where they exist. #6149
Web GUI
• Fix row delete button on unsaved aliases, NTP, UPnP and other screens. #6101
• Captive portal MAC passthrough credits waiting period box restored. #6290
• Outbound NAT edit screen destination field alias auto-completion restored. #6287
• Captive portal allowed IPs direction selection on edit fixed. #6267
• Restored input validation on port forwards to prohibit IPv6. #6265
• Restored input validation on firewall rules to prohibit IPv6 IPs in IPv4 rules and vice versa. #6211
• Fixed PHP error on edit of PPP interfaces. #6264
• Fixed radio button placement on gateways dashboard widget settings. #6259
• Fixed display post-refresh of system information dashboard widget. #6251
• Restored in/out bytes counters on Status>Interfaces. #6244
• Correctly show and hide OpenVPN topology field as applicable. #6236 #6214
• Correct voucher character set input validation. #6231
• Disable background update checking on the dashboard when the update check is disabled. #6212
• Restore input validation of IP address family and rule type, verifying IPv6 IPs with IPv6 rules, and IPv4 for
IPv4 rules. #6218
• Add validation of address family and protocol combinations on packet capture page. #6219
• Add validation of IP aliases with CARP parent interfaces to ensure matching address family. #6218
• Restore GET parameters on status_graph.php. #6192
• Fixed PHP error on input validation failure with floating rules in some cases. #6175
• Use CDATA for firewall rule separator descriptions so non-English characters work. #6174
• Fix port forward edit destination field filling when virtual IPs configured. #6173
• Fix load balancer monitor edit. #6171
• Restore “none” in load balancer fall-back pool. #6170
• Restore use of aliases in load balancer. #6169
• Fix duplicate for load balancer pools and virtual servers. #6168
• Restore description field on lagg edit page. #6163
• Fix saving of bogons update frequency. #6162
• Restore description field on captive portal IP passthrough. #6161
• Fix saving of sticky connections timeout field. #6146
• Show all restore areas in backup/restore screen. #6144
• Fix moving of rule separator before saving. #6128
• Use consistent up and down arrow formats on dashboard widgets. #6123
• Fix typo on OpenVPN server description. #6102
• Fix missing string on notification “mark as read” button. #6104
• Fix firewall rule separator positioning with easy rule addition. #6105
• Prevent closing of info box on monitoring page. #6106
• Add custom date range option to monitoring page. Use infoblock on IPsec PSK screen. #6107
• Fixed loss of “Do not NAT” enable on edit on outbound NAT. #6112
• Correct label of 1:1 NAT edit screen. #6114
• Add AJAX updates to NTP status page. #6117
• Fix button spacing on Edit File and Command pages. #5995
• Fix specification of port in DNS Resolver domain overrides. #6091
• Fix moving of multiple items to bottom of list on firewall, NAT and IPsec screens. #6092
• Fix setup wizard with only WAN assigned and using static IP. #6093
• Remove logo from wizard since it’s now redundant. #6095
• Fix gateway widget cut-off with 3 column dashboard. #6096
• Fixed force update on RFC 2136 DDNS. https://redmine.pfsense.org/issues/6359
• Fix reboot prompt when changing RAM disk setting and encountering an input error. #6349
• Fix highlighted tab when editing IPsec mobile P1. #6341
• Fix selection of configured speed and duplex on interface page. #6331
• Fix division by zero in status_queues.php. #6329
• Fix alignment issues in forms. #6327
• Fix entry of CIDR range in host aliases for conversion to IPs. #6322
• Allow use of # and ! again in DNS Forwarder domain overrides. #6310
• Restored hostname infobox in menu bar. #6306
• Fixed editing and deleting of additional DHCP pools. #6303
• Fixed requests to diag_system_activity.php piling up on slow systems. #6166
Interfaces
• Unset LAN DHCPv6/RA configuration if LAN interface is removed. #6152
IPsec
• Fix starting of strongswan twice. #6160
DNS Resolver
• Switched domain overrides from stub-zone to forward-zone so domain overrides don’t require the target server to
provide recursion. #6065
• Allow adding 0.0.0.0/0 to access lists. #6073
• Added 100,000 and 200,000 options for Unbound cache limit. #6230
• Fix Unbound startup where both DNS Forwarder and Resolver are enabled. #6354
DHCP Server
• Hostnames now allowed for NTP servers. #6239
IPsec
• Fixed LAN interfaces stopping functioning when IPsec is in use. #6296
• Mobile PSK matching issue with multiple PSKs fixed. #6286
• leftsendcert=always specified for all RSA types. #6082
• rc.newipsecdns fixed to check correct enabled status. #6351
Notifications
• Fixed growl notifications to unresolvable hostname generating crash report. #6187
• Fixed growl notification test with no password. #6221
Captive Portal
• Fixed error handling captive portal username with single quote. #6203
• Fixed issues with mixed-case zone names. #6278
OpenVPN
• Prevent leading space in tunnel network configuration causing invalid configuration. #6198
User Manager
• Fix RADIUS login with attribute class (25) when the server returns multiple attribute entries with different data.
#6086
• Honor deny config write for RADIUS users. #6088
Package System
• Uninstall all packages pre-upgrade from <= 2.2.x to 2.3 to avoid problems from old packages. Reinstall them
post-upgrade. #6137
• Fix reinstall of renamed packages post-upgrade to 2.3. #6118
• Fix package reinstallation getting stuck in loop when there is no Internet connectivity post-upgrade. #6180
Other
• Removed lua support from nginx to not deprecate old CPUs lacking CMOV support. #6185
• Added validation to console menu interface assignment to prevent creating duplicate VLANs. #6183
• Blacklisted S.M.A.R.T. options with Hyper-V to prevent crash. #6147
• Silence SSH host key log spam. #6143
• Fix order of gateway and gateway group name in gateway down log message. #6134
• Allow use of @ in hostname field for Namecheap DDNS. #6122
• Fix console error where $nat_if_list isn’t an array. #6307
• Include patch number in version display. #6309
• Fix pw groupdel error in log during boot. #6352
• Fixed stale xmlrpc.lock preventing config sync from functioning. #6328
• Fixed failed chown on startup with /var as a RAM disk. #6131
• Crash reporter now ignores warnings in release versions. #6178
• Fixed crash reporter to show full PHP warnings in development versions. #6097
Update 1
2.3.1 update 1 (2.3.1_1) was released on May 25, 2016 with the following fixes/changes since 2.3.1-RELEASE.
• Security issue pfSense-SA-16_05.webgui patched.
• Lowered default LDAP timeout from 25 seconds to 5 seconds. #6367
• Fixed handling of IPsec negotiation mode with IKE version set to auto. #6360
• Increase PHP’s memory limit to 512 MB on 64 bit versions to better accommodate systems with a large number
of active states. #6364
• Set request_terminate_timeout the same as max_execution_time to prevent many possible circumstances of “504
gateway error” from occurring. #6396
• Fix use of URL IP type aliases in firewall rules. #6403
• Fix show/hide fields Javascript in Chrome on macOS. #6401
• Fixed save of “IPv6 over IPv4 Tunneling” address on System>Advanced, Networking. #6381
Update 2 through 4
These were internal-only versions that weren’t publicly released.
Update 5
2.3.1 update 5 (2.3.1_5) was released on June 16, 2016 with the following fixes/changes since 2.3.1_1.
• Fixed command injection vulnerability in auth.inc via User Manager. #6475
• Fixed command injection vulnerability in pkg_mgr_install.php id parameter. #6474
• Upgraded PHP to 5.6.22
• Fixed Captive Portal redirect hangs caused by longer keepalive_timeout in nginx. #6421
• Fixed DDNS PTR zone in dhcpd.conf with third octet of 0. #6413
• Fixed save and reset buttons on load balancer status page. #6254
• Fixed schedule editing on firewall rules page. #6428
• Allow “-” character in TFTP server field on DHCP Server page. #6433
• Allow “-” and “_” characters in system tunables. #6438
• Fixed changing of link type on PPPs edit screen. #6439
• Fixed setting of “RADIUS issued IPs” on L2TP page. #6440
• Restored apply changes button for interface mismatch post-config restore. #6460
• Fixed display of Outbound NAT port aliases. #6463
• Fixed schedule edit allowing invalid time range. #6468
2.3 New Features and Changes
Security/Errata
• FreeBSD Security Advisories:
– FreeBSD-SA-16:01.sctp
– FreeBSD-SA-16:02.ntp
– FreeBSD-SA-16:05.tcp
– FreeBSD-SA-16:07.openssh
– FreeBSD-SA-16:09.ntp
– FreeBSD-SA-16:11.openssl
– FreeBSD-SA-16:12.openssl
– FreeBSD-SA-16:15.sysarch
• pfSense® Security Advisories:
– pfSense-SA-16_01.webgui
– pfSense-SA-16_02.webgui
Several obsolete items were removed from this release. The items are noted again in the sections below, but are worth
emphasizing:
• The PPTP VPN Server has been completely removed. The protocol has been broken for over three years.
The PPTP WAN client remains for use with ISPs still using PPTP.
• Layer 7 classification support has been removed from the traffic shaper.
It was rarely used, had been broken for all of 2.2.x, had absurdly high CPU usage, and snort filters better/faster.
• WEP support has been removed from Wireless interfaces. #5123
No reason to still be using this in this day and age. If it is still needed, use an external AP.
• Single DES support has been removed from IPsec (3DES remains).
It should not be used, it is not secure.
• 1GB NanoBSD images have been removed, as they were not large enough to properly accommodate the system
and upgrade data. The supported sizes for NanoBSD images are now 2GB and 4GB.
• The default system password hash has been changed to bcrypt. Current passwords will continue to work.
Existing users need to reset their password to convert to the new hash. More info below under “Authentication”.
#4120
• The LiveCD platform has been removed. The ISO is a bootable installer, as always, but it cannot run a live
system.
– The installer ISO image is now named “pfSense–RELEASE-.iso”, with the .iso extension signifying the
type of image it is (optical media installer).
– For the very few people who were still using LiveCD, if the hardware can boot from USB, install to a
USB thumb drive and run from it instead. If the options to keep /var and /tmp in RAM are active, and no
packages are installed, the net result should be similar but ultimately more functional.
Dashboard/Widgets/GUI
• Converted GUI to the Bootstrap framework, completely new look
• Changed the GUI and Captive Portal web server to nginx; removed lighttpd. #5719
• Cleaned up a lot of GUI code, option text, etc
• TLS v1.0 disabled for the GUI. #5984
• Removed old style themes, introduced new CSS-based themes
• Refactored JavaScript and CSS, moved included items to more convenient locations
• Added more AJAX updating in widgets and other places
• Changed to more intuitive and modern icons and action buttons rather than the old confusing icon set (now using
font-awesome icons)
• Changed log display to be more consistent (single page for most logs, common filtering options)
• Removed obsolete fifolog support. It was never used or fully implemented, and had no GUI option.
• Improved notices in the GUI
• Made breadcrumbs and page title handling more consistent
• Added an option to have the top menu follow the user when scrolling
• Renamed several GUI file names to match menu structure. #5628
• Fixed AES-NI hardware display in the system information widget. #4911
• Added widescreen support to the Dashboard. #5195
• Improved password field handling security. Stored passwords are not presented back to the user in HTML. A
masked value is returned instead. All password fields have also been changed to require confirmation.
• Many pages have been reworked for improved internationalization
• Changed info box functions, removed print_info_box_np, now print_info_box and print_apply_box are used to
print appropriate boxes without problematic automatic detection
• Moved RRD graphs to Status > Monitoring #5498
• Changed RRD GUI interface to D3 rather than using the RRD graph command, so that a newer rrdtool base
could be used with minimal added dependencies. #5498
• Monitor IP added to gateways widget. #4782
• Increased max_input_vars from 1000 to 5000 to accommodate larger aliases. #4780
• Fixed NTP RRD graphs to accommodate negative values. #4423
OS/Backend
• Moved to a FreeBSD 10.3-RELEASE base
• Added tryforward() support to get (nearly all of) the performance of fastforward with IPsec enabled
• Overhauled the build system
– Eliminated the -tools repository
– Removed Patches, changes are now applied to a vendor branch of FreeBSD
– Rewrote/changed the build scripts significantly
– Moved the new build scripts to the main pfSense repository
• PHP Upgraded to 5.6
• Replaced pecl-APC with opcache. #4744
• Added support for -c parameters to /etc/rc.initial. #4422
• Added optional package for kernel debug symbols. #5330
• Rewrote system_set_harddisk_standby() for the current CAM-based ATA stack. #4569
• Fixed a Panic/Crash with “sbflush_internal: cc 4294967166 || mb 0 || mbcnt 0”. #4689
• Fixed a kernel panic with AES-NI. #4702
• Updated AES-GCM/AES-NI bits from FreeBSD -HEAD. #4841
• Removed zoneinfo.tgz file for Time Zones, moved to the same format as FreeBSD. #4726
• Fixed tcpdump with zerocopy enabled (net.bpf.zerocopy_enable=1). #5257
• Added ability to disable PV disks and NICs on Xen. #5452
• Removed the built-in but unused MySQL PHP modules and added them to the pkg server instead. They may be
added as package dependencies or manually installed as needed.
• Followed FreeBSD (r294560) in ceasing generation of rsa1 and dsa ssh server host keys by default
• Removed support for nanobsd images < 2GB #5836
• Overhauled IP address handling code in various parts of the system
• scponly package is included by default. #5190
• Shortened F1 boot prompt delay on nanobsd. #3426
Packages
Note: The list of available packages in pfSense 2.3 has been significantly trimmed. Netgate has removed packages
that have been deprecated upstream, no longer have an active maintainer, or were never stable.
• Removed use of PBI-based packages, moved to pkg(ng)
• Fixed installation and handling of packages to use pkg, now works identically in the GUI and shell/console
• Changed packages to use the FreeBSD ports format/layout to work with pkg
• XMLRPC calls for package information and installation have been removed, replaced with native pkg functions.
#4575
• Added support for packages to be (re)built automatically by Poudriere
• Added search capability to Available Packages list to filter packages by keywords. #5324
• Fixed the version comparison code in the Package manager. #4924
• Added support for tags in listtopic fields for use by packages
• Factory reset now completely uninstalls packages. #5829
• Improved handling of package install post-upgrade. #3597
System Updates
• Major changes to update management
• Removed “full update” or “full slice” upgrade for systems on 2.3 to later versions.
These files will remain available for use by older versions updating to 2.3.
• The “Full Backup” feature has been deprecated.
• Changed system updates to be handled via pkg
• Changed Base, kernel, and standard pre-installed binaries to packages
• Removed “Firmware” nomenclature, now only referred to as “Update”
• Fixed updating of base to work the same from the console or the GUI
• Added preliminary support for restarting system services without rebooting in cases when the base is updated
but the kernel is the same.
Gateways/Routing
• Replaced apinger with dpinger(!). #5624
– This fixes many gateway monitoring related issues, including incorrect latency and loss in various edge
cases.
– Eliminates status file race conditions that caused update failures on services bound to gateway groups in
some edge cases. #5180 and #3818 among others.
– Fixed gateway monitoring startup at boot time with assigned OpenVPN interfaces. #4587
– Check gateway monitor settings after upgrade; dpinger has different options than apinger.
• Added code to allow gateways outside of an interface subnet. #972
• Corrected “State Killing on Gateway Failure” description. #4709
• Fixed disabling of a static route set to use a disabled gateway. #4813
• Added standard deviation to gateway status and widget
• Fixed dynamic gateway logic to prevent GIF/GRE from making dummy/unusable gateways that show up for
monitoring/routing/etc #5766
• Changed static routes handling for DNS servers so they are removed when a gateway is disabled #4921
• Increased gateway weight limit from 5 to 30. #5843
• Fixed issues with PPP type WANs and the Default Gateway Switching option. #1837
• Fixed dynamic gateway handling for OpenVPN tap clients. #5981
• Fixed display of full interface name in Diagnostics>Routes. #5484
Rules/NAT/pf
• Added drag-and-drop rule reordering for firewall and NAT rules.
• Fixed a situation where pf drops IPv6 packets with fragment header followed by a last fragment only. #2762
• Fixed “LAN network” in v6 rules not working when a link-local address is assigned to LAN. #3656
• Added reordering for 1:1 NAT rules. #3888
• Improved handling of firewall rule tracker IDs for port forward associated rules
• Added support for a separator bar in firewall and NAT rules for use as a visual reference. #5373
• Standardized the NPt options in the GUI so their options and appearance are more similar to 1:1 NAT
• Added a “no binat” checkbox to 1:1 NAT screen for exclusions. #3887
• Limited pfsync syncpeer to IPv4 since it does not support IPv6 #4648
• Changed the default CARP pass rules to use “no state” to avoid issues with broken L2 gear that duplicates
packets #5800
• Added sorting to Alias lists #4195
• Added a hit counter to the firewall rule display with states and bandwidth consumed by packets matching rules.
• Fixed issues with the DNS Forwarder and DNS Resolver being enabled concurrently (on different ports) in an
HA environment #5882
• Added a visual indication in the rule list for floating rules with the “quick” property set #5860
• Improved state display on Diagnostics > States, now shows packets and bytes for each state
• Fixed aliases containing both FQDNs and IPv6 subnets. #5872
• Fixed removal of downloaded URL table alias contents when alias is deleted. #5856
• Significantly improved validation of downloaded data for URL Table aliases. #5848
• Fixed possibilities for creating an invalid ruleset with missing URL Table Ports aliases. #5845
• Fixed filterdns issues with significant system clock time jumps. #4166
• Added firewall rules hit counter. #3504
Interfaces/VIPs
• Fixed pfSense_getall_interface_addresses truncating IPv6 link local IP addresses. #4062
• Add GUI setting for VLANs PCP. #4133
• Fixed GRE interfaces failing to have a RUNNING state after reboot. #4191
• Fixed setting non-default MTUs in some edge cases. #4397
• Added input validation on bridges to prevent adding the same interface to multiple bridges. #4595
• Fixed CARP not working under bhyve. #4623
• Improved input validation for 6RD, GRE and gif interfaces, helping prevent invalid configurations.
• Changed input validation to allow /31 to be used for CARP VIPs since that is now supported and works in FreeBSD. #5533
• Added debug logging option for DHCP6 client. #4534
• Fixed cases where DHCP6 client (dhcp6c) was being launched multiple times in some circumstances. #5621
• Upgraded dhcp6c. #5734
• Upgraded DHCP client to ISC dhcpd 4.3.3P1.
• Fixed applying of non-default MTU on gif interfaces post-boot with dynamic IP WANs. #5842
• Added support for PPPoE with MTU/MRU > 1492, RFC 4638. #4542
• Fixed issues with link cycling on some Intel 10G ix NICs #5913
• Corrected ALTQ test to show that ix/ixgbe NICs are capable of traffic shaping. #5923
• Improved handling of default interface assignment for some hardware. #4535
• Corrected input validation for invalid IPv6 IPs with leading or trailing colon. #6024
• Fixed orphaning of VLANs on lagg interfaces after editing the lagg. #6014
• Fixed loss of some dhcpleases and dhcpleases6 logs. #5968
• Fixed adding of routes immediately post-reboot for delegated IPv6 prefixes to sub-routers. #5957
• Fixes to DHCPv6 leases status page and prefixes.php. #5944 #4206
• Fixed loss of IPv6 IP on track6 interfaces when saving and applying changes on that interface. #5945
• Fixed incorrect interface mismatch prompt post-config restore when using VLANs on lagg. #5892
• Added support for multiple span interfaces on bridges. #5871
• Prevent naming conflicts between interfaces and interface groups. #5795
• Prevent naming conflicts between interfaces and aliases. #5778
• Fixed use of IP aliases with GRE tunnels. #4450
• Fixed application of bridge advanced options after interface added to bridge. #4312
• Set MTU back to default after clearing the field. #3926
• Fixed IPv6 IP aliases on CARP IPs. #3716
• Fixed IP alias on CARP IPs where IP alias above CARP parent in list. #3257
• Fixed modifying unassigned VLAN interfaces changing assigned VLAN. #3209
Authentication
• Fixed the WebGUI becoming slow or unusable when an LDAP server used for GUI auth is unreachable. #3383
• Fixed a problem with using ‘local’ as the name of an authentication server ‘Descriptive Name’. #4469
• Fixed default Auth Server selection on system_usermanager_settings.php. #5440
• Added support for bcrypt as a passwd hash and enabled it as the system default #4120
• Replaced the default passwd hash for root/admin using bcrypt (blowfish).
– Existing user passwords will continue to work in their existing format until the user’s password is changed.
– User passwords cannot be automatically converted as they are not stored in plain text. To convert the password hash of an existing user to bcrypt, edit the user and change their password.
• Added the ability to filter privileges when adding them to a user or group, to make finding them easier.
• Fixed updating of group file for renamed groups. #6013
• Fixed handling of groups with spaces in their names. Local group names can no longer contain spaces. New group scope option “Remote” added for LDAP and RADIUS use where spaces in group names are valid. #6012
• Added support for RFC2307 style LDAP groups. #4923
Services
• Fixed handling of the SNMP Bind Interface. #3883
• Fixed ntpd crashes on 32 bit with dynamic WAN reconnections and OpenVPN client configured. #4155
• Fixed a kernel panic with APU and SNMP with mibII. #4403
• Updated igmpproxy to the latest version. #4672
The old version had some custom patches, so be wary of behavior changes
• Added encoding for DHCP/DHCPv6 server additional BOOTP text options to preserve data when stored in XML #5623
• Fixed duplication action for Load Balancer Monitor entries #4441
• Upgraded DHCP Server and Relay to ISC dhcpd 4.3.3P1
• Added statistics gathering for DHCP Server leases. #5387
• Fixed DDNS key issues with DHCP and DHCPv6 Server enabled on multiple interfaces. #5603
• Added custom ACLs for NTP (restrictions by network) #4463
• Prevent starting of radvd in circumstances where it shouldn’t. #5812
• Added description column to DHCP leases status screen. #5729
• inetd replaced with xinetd (used for proxy mode NAT reflection and TFTP proxy). #5707
• DHCP lease counters added to Status>DHCP Leases. #5186
• Allow configuration of RAs when DHCPv6 Relay is enabled. #6063
• Fixed DHCPv6 Server’s DDNS. #4675
• DHCP Server menu item now defaults to the first interface with an enabled DHCP Server instance. #4647
• Allow configuring DHCPv6 and RAs on track6 interfaces. #3029
• Fixed RADIUS NAS IP in PPPoE server. #185
• Deprecated ntpdate_sync_once.sh, replacing with ntpd -g. #6053
DNS
• Fixed Unbound IPv6 link local handling. #4021
• Added validation for advanced configuration directives in Unbound. #4411
• Upgraded dnsmasq to 2.76.0test8 to fix crashes in 2.75. #5341
• Fixed Unbound binding to IP alias virtual IPs. #5464
• Changed Namecheap dynamic DNS to use separate hostname and domain name fields #4366
• Added Multi-WAN support to RFC 2136 Dynamic DNS.
• Added RFC 2136 support to the Dynamic DNS widget
• Added input validation to prevent the same DNS server from being added multiple times on System > General #5915
• Fixed CloudFlare dynamic DNS to not configure ‘proxiable’ and ‘proxied’ parameters. #6005
• Fixed dnsmasq host overrides when both DNS Forwarder and Resolver are enabled. #5883
• Added RFC 2136 dynamic DNS to dashboard widget. #5862
• Added multi-WAN support to RFC 2136 dynamic DNS client. #5862
• Don’t specify 127.0.0.0/8 IPs as forward-addr in Unbound configuration. #5750
• Added input validation to require configured DNS servers before enabling Resolver’s forwarding mode. #4747
• Added Google Domains DDNS support. #4322
• Added DNS Made Easy DDNS support. #1258
• Allow @ in Dynamic DNS hostnames. #3900
• Improve IPv6 link local handling in DNS Resolver and Forwarder so it works across configuration restores and with HA config sync. #3802
IPsec
• Upgraded to strongSwan 5.4.0.
• Fixed multiple possibilities for IPsec status hangs. #5520
• Revised handling of IPsec reloading when strongswan.conf is changed. #4353
• Fixed problems with the search domain in IPsec mobile clients. #4418
• Added support for elliptic curve for IPsec on webconfigurator. #4683
• Added input validation for authentication backend when using EAP-RADIUS with IKEv2 Mobile IPsec. #5219
• Fixed unit display on IPsec status pages for time and data to be more human-friendly. #5364
• Removed support for single DES from IPsec #5543 (3DES Remains)
• Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead.
• Changed IPsec ‘up’ commands to start in the background so they are non-blocking #5882
• Disabled the strongSwan unity plugin by default, and improved the method used to disable the plugin #4178
• Removed unnecessary and troublesome ‘pass out’ rules for mobile IPsec #5819
• Fixed “no valid leases object found” log spam with IPsec dashboard widget. #5855
• Fixed automatically added WAN rules (UDP 500, 4500, ESP) when using IPsec with IP aliases. #5500
• Fixed IKEv2 to Cisco ASA resulting in traffic selector mismatch when initiated by traffic. #4719
• Added “split connections” option to phase 1 for IKEv2 for interoperability with third party devices that do not support multiple traffic selectors on one child SA (Cisco ASA, others). #4704
• Added dynamic AJAX update to status_ipsec.php. #6049
OpenVPN
• Changed the default behavior of the OpenVPN server to use topology subnet, not net30. #5526
• Changed Client-Specific Overrides so they can be set to apply to specific servers rather than being globally set. #5526
• Fixed OpenVPN Server validation of self-signed certificates with a depth of 2. #4329
• Fixed overwriting of custom /etc/dh-parameters.* on upgrade. #4816
• Fixed invalid rules generated with some AVPair-defined ACLs. #5451
• Improved display of server certificates on OpenVPN servers to help avoid users incorrectly picking user certificates for servers. #5602
• Fixed OpenVPN client specification of auth-user-pass in shared key modes where it’s not valid. #5941
• Fixed problems with OpenVPN and some use of special characters in the username or password. #4605
MPD/PPP VPN/Services
• Removed PPTP Server. #4226
• Add MS-CHAPv2 option to L2TP Configuration. #4732
• Fixed editing of multiple PPPoE connections with dial on demand enabled changing the port assignment. #4378
• Added a user login count option to the PPPoE server
UPnP/NAT-PMP
• Enabled port-in-use checking in miniupnpd. #4320
• Enabled IPv6 for miniupnpd. #4321
• Set secure_mode=yes in miniupnpd configuration #5627
Wireless
• Removed WEP. #5123
• Improved default settings for Wireless interfaces
Captive Portal
• Fixed Captive Portal to support more than 120 VLAN interfaces. #4150
• Added an option in Captive Portal for FreeRADIUS-friendly stop/start RADIUS accounting updates that solves problems with user session time limits. #2164
• Fixed selection of RADIUS NAS IP with VIPs when editing Captive Portal zone. #5656
Traffic Shaping
• Fixed CODELQ scheduler defaults. #4692
• Removed Layer 7 classification support from the traffic shaper #5508
• Relaxed the shaper wizard interface validation when there are no interfaces with gateways selected #4524
• Fixed traffic shaper failure with “bandwidth for q... higher than interface” in some edge cases. #5721
Misc
• Allow wildcards in Certificate Subject Alternative Names. #3733
• Removed the “Certificate Authority” option on the Certificates tab of the Cert Manager when creating a Certificate. To make a Certificate Authority, use the CAs tab instead. #5924
• Adapted gitsync to new repo structure. #4999
• Changed the packet capture output in the GUI so that when the protocol is set for CARP, tcpdump interprets it as CARP for more accurate output
• Added pfsync protocol option to packet capture page. #5866
• Added “GoTo line #” control to Diagnostics > Edit File
• Corrected help in pfSsh.php to properly reflect how recording works
• Fixed validation of playback file passed to pfSsh.php #5657
• Fixed disabling of filter.log logging where local logging is disabled. #6018
• Updated included software on licenses.php page. #5903
• Internationalization improvements. #5777
• Fixed use of IP aliases on Test Port page. #5185
• Fixed key map, screen map and font selection in installer. #4387
• Prevent deletion of certificates in use by packages. #4142
Update Patches
This section lists the changes contained in patch updates post-release.
2.3_1
The 2.3_1 update upgrades NTP to fix FreeBSD security advisory SA-16:16.ntp. The only change is upgrading ntpd from 4.2.8p6 to 4.2.8p7.
2.2.6 New Features and Changes
Security/Errata Notices
• Updated to FreeBSD 10.1-RELEASE-p25
– FreeBSD-SA-15:26.openssl Multiple vulnerabilities in OpenSSL
• Updated to strongSwan 5.3.5
– Includes fix for CVE-2015-8023 authentication bypass vulnerability in the eap-mschapv2 plugin.
• pfSense-SA-15_09.webgui: Local File Inclusion Vulnerability in the pfSense® WebGUI
• pfSense-SA-15_10.captiveportal: SQL Injection Vulnerability in the pfSense captive portal logout
• pfSense-SA-15_11.webgui: Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI
Logging
• Fixed log duplication for some log entries. #5606
IPsec
• strongSwan 5.3.5 update fixes several bugs.
Config sync
• Fixed config synchronization failure in some circumstances. #5509
Captive Portal
• Fixed captive portal database handling issue that could reset database instead of waiting for lock to clear. #5622
• Fixed problem with 0 byte files in captive portal file manager. #5642
2.2.5 New Features and Changes
Security/Errata Notices
• Updated to FreeBSD 10.1-RELEASE-p24
– FreeBSD-SA-15:25.ntp
– FreeBSD-SA-15:14.bsdpatch:
– FreeBSD-SA-15:16.openssh:
– FreeBSD-SA-15:18.bsdpatch:
– FreeBSD-SA-15:20.expat:
– FreeBSD-SA-15:21.amd64:
– FreeBSD-SA-15:22.openssh:
• pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense® WebGUI
The complete list of affected pages and fields is listed in the linked SA.
• Updated strongSwan to 5.3.3
• Updated PHP to 5.5.30
• Updated miniupnpd to 1.9.20150721 to address a potential vulnerability in miniupnpd.
User Management/Authentication
• Added support for GUI auth from RADIUS to obtain group names from the RADIUS reply attribute “Class” as a string (local groups must exist, similar to LDAP). #935
• Added an LDAP server timeout field to address GUI access issues when the LDAP server is down/unreachable. #3383
• Added support for LDAP RFC 2307 style group membership. #4923
• Worked around a chicken-and-egg problem in user syncing which was preventing users from using ssh the first time the account was saved. #5152
• Prevent deletion of system users and groups by authenticated, authorized users using manually crafted POSTs. #5294
OpenVPN
• Fixed an incorrect netmask being sent to OpenVPN clients with static IP addresses set in RADIUS. #5129
• Changed the calculation of the OpenVPN point-to-point server IP address obtained from RADIUS to be consistent with CSC/Overrides (Server should be one IP address below the Client)
IPsec
• strongSwan upgraded to 5.3.3. strongSwan’s change log
• Fixed missing DH group 22-24. #4918
• Fixed handling of IPv4 IPsec Phase 1 endpoints that resolve to an IPv6 address. #4147 (Fixed by strongSwan update to 5.3.3)
• Brought back “auto” IKE version and fixed problems with its previous implementation.
• Pre-shared keys configured as “any” under VPN>IPsec, Pre-Shared Keys tab are added as %any to ipsec.secrets now, as described in the note on the page. #5246
• Resolved memory leak by switching printf hooks to vstr. #5149
• Change to vstr to fix memory leak broke SMP status plugin. Switched to vici for status output.
• ID selectors omitted from ipsec.secrets for mobile PSK+XAuth configurations. Fixes pre-shared key mismatches with Apple iOS Cisco IPsec and other mobile clients. #5245
• Fixed logging default settings and ability to set logging to silent. #5340
• Logging settings applied correctly on clean start and stop/start of service. #5242
• Remove deleted CAs, certificates and CRLs from strongswan configuration. #5238
• Prevent over-matching of auto-added firewall rules for mobile IPsec configurations. #5211
• Added IPv6 virtual address pool support for mobile. #5284
• Allow both IPv4 and IPv6 in phase 2 entries on a single phase 1 when using IKEv2. #5305
• Omit NAT rules for disabled phase 1 and 2 configurations. #5320
• Only display certificate authority field for methods where it’s relevant. #5323
• Only write out CA certificates for those specified in a Phase 1 configuration. #5243
• Fixed Hybrid RSA + xauth. #5207
• Fixed configuration of split tunnel attribute. #5327
• Specify rightca in ipsec.conf where relevant. #5241
• Specify leftsendcert=always in ipsec.conf for mobile profiles using IKEv2 to better accommodate iOS and macOS manual configurations. #5353
• Fix IKEv2 mobile client pool status display with small number of active leases
Rules/NAT
• Fixed handling of url_port alias types when processing items that should be handled by filterdns. #4888
• Fixed handling of line endings when parsing a URL table ports file.
• Fixed handling of empty bogon lists on NanoBSD.
• Fixed handling of 6rd rules so they are only added when there is an IPv4 IP defined for the gateway, otherwise the ruleset ends up invalid. #4935
• Added support for port ranges on Outbound NAT. #5156
• Added a check to prevent renaming an alias to an existing name. #5162
• Improved the fix for increasing the “self” table size in pf.
• Imported fixes from FreeBSD for a situation that could result in a panic/crash due to source address limits in pf rules (“pf_hashsrc: unknown address family 0”). #4874
Captive Portal
• Implemented an alternate method to find VIP targets that should be allowed for Captive Portal. #4903
• Improved handling of the captive portal database files for zones in cases when the database files may be corrupt or unreadable. #4904
• Improved handling of vouchers that are too short. In certain cases they were not being properly rejected. #4985
• Fixed handling of voucher database files, initializing the database properly when necessary. #5113
• Fixed loading of allowed hostnames at boot time. #4746, #5345
Packages
• Fixed handling of package install errors and connect timeouts during the install process. #4884
• Improved package version comparison. #4924
• Fixed an issue with package editing where the default value was not being populated for new fields.
• Fixed removal of syslog.conf entries during package uninstall #5210
DHCP
• Fixed handling of DHCP pools that are out of range, preventing them from creating an invalid dhcpd configuration. #4878
• Added support for UEFI network booting with arch 00:09. #5046
• Fixed a situation where dhcpleases could miss updates for hostnames in the leases file, delaying functional hostname resolution of new and updated DHCP leases. #4931
• Automatically add firewall rules to permit DHCP traffic when DHCP Relay is enabled, matching the behavior for DHCP Server. #4558
Interfaces
• Fixed identification of IPv6 interfaces with PPP-type interfaces and DHCP6 #3670
• Removed “Could not find gateway for interface...” log messages as they were largely useless. #4102
• Added OpenVPN interfaces to the list of available interfaces when reassignment is necessary during config.xml restoration.
• Fixed interface assignment menus running off VGA screen.
• Fixed preservation of MLPPP settings when saving interface settings. #4568
• Correct handling of SLAAC, DHCP6 and DHCP-PD with PPP interfaces. #5297
Dynamic DNS
• Fixed Cloudflare support for Dynamic DNS updates.
• Fixed GratisDNS support for hosts without subdomains.
• Disabled DHS provider. It had never worked.
• Fixed IPv4 dynamic DNS registrations on dual stack hosts to providers with AAAA records. #3858
• Update Dynamic DNS using gateway groups upon enable and disable of gateways. #5214
• Fixed Dynamic DNS using gateway groups specifying a CARP IP. #4990
Misc
• Fixed the configuration version comparison in XMLRPC sync to prevent more invalid synchronization cases. #4902
• Cleaned up old unused platforms referenced in a few areas of the code that were no longer relevant.
• Fixed killing of individual states in cases when the source and destination were reversed. #4907
• Fixed killing of individual states for IPv6. #4906
• Changed the “enableallowallwan” script to also allow bogons, which makes the use of RFC 5735 / RFC 6890 test networks easier in lab environments.
• Fixed handling of VIPs in source address selection for Diagnostics > Test Port. #4986
• Updated status.php to include more information. #5304
• Fixed handling of the description in Traffic Shaping.
• Fixed pfSense base version comparison. #4925
• Fixed handling of multiple notices in the same second. #4879
• Removed the routed service as it is being handled by the package.
• Set MIME type for SVG in lighttpd configuration.
• Improved handling of the cron service reconfiguration process.
• Added option to display monitor IP on Gateways widget #4782
• Added “Description” as a display option on Traffic Graphs. #4783
• Fixed handling of L2TP server interface selection. #4830
• Added /usr/bin/dc back into the build. #5111
• Fixed a crash/panic “Sleeping thread owns a non-sleepable lock” in ARP code when using Proxy ARP type VIPs. #4685
• Added support for Sierra Wireless 7355. #4863
• Updated time zones. #5254
• Added fsync of Unbound’s root.key to ensure the file isn’t corrupted if power is lost shortly after writing of the file. Code added to detect corrupt root.key and delete and recreate it. #5334
• Fix changing outbound NAT modes and uploading/downloading files on exec.php with non-English languages. #5342, #5343
• Associate intermediate internal CA certificates with the signing CA. #5313
2.2.4 New Features and Changes
Security/Errata Notices
• pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense® WebGUI
The complete list of affected pages and fields is listed in the linked SA.
• FreeBSD-SA-15:13.tcp:
• Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
– Fixed pw in FreeBSD to address passwd/group corruption
– Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
– Removed the ‘sync’ option from filesystems for new full installs and full upgrades now that the real fix is
in place.
– Removed softupdates and journaling (AKA SU+J) from NanoBSD, they remain on full installs. #4822
Note: The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other above changes, risk is minimal. The best practice is to replace the affected CF/SD media by a new, faster card as soon as possible. #4814
• Upgraded PHP to 5.5.27 to address CVE-2015-3152 #4832
• Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of MaxAuthTries bypass bug.
Note: Sshlockout will lock out offending IP addresses in all past, current and future versions. #4875
Certificates
• Changed the built-in certificate manager to specify keyUsage and extendedKeyUsage in certificates. Windows will now correctly function with IKEv2 using certificates from the built-in certificate manager without disabling EKU. #4580
Note: This change applies only to new certificates, created on 2.2.4 or newer, and the CN of the certificate must match the hostname or IP address to which clients connect.
• Added authorityKeyIdentifier to CRLs generated by the built-in certificate manager. (strongSwan requires it to match.) #4860
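As an added check for the certificate note above (example script, not pfSense code): it generates a server certificate carrying the keyUsage and extendedKeyUsage extensions with a name matching the connection hostname, and verifies that an existing PEM certificate has both extensions and the expected name before it is used for IKEv2 with Windows clients. It assumes the openssl command-line tool is on the PATH; the hostname and the serverAuth EKU value are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not pfSense code. Requires the openssl command-line tool.

# make_ikev2_cert HOST DIR: write a self-signed server certificate for HOST into DIR
# with keyUsage, extendedKeyUsage (serverAuth is an assumption; the page does not
# name the EKU values) and a subjectAltName matching HOST.
make_ikev2_cert() {
  host="$1"
  dir="$2"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = srv_ext
prompt = no

[dn]
CN = $host

[srv_ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -config "$dir/req.cnf" >/dev/null 2>&1
}

# cert_text FILE: dump the certificate in human-readable form for the checks below.
cert_text() {
  openssl x509 -in "$1" -noout -text
}

# cert_has_ikev2_extensions FILE: succeed only if both extensions described in the
# 2.2.4 note are present. A certificate made by an older cert manager lacks them.
cert_has_ikev2_extensions() {
  text=$(cert_text "$1") || return 1
  printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' || return 1
  printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

# cert_matches_host FILE HOST: succeed only if HOST appears as the CN or as a SAN
# DNS entry, since the note says the CN must match the name clients connect to.
cert_matches_host() {
  text=$(cert_text "$1") || return 1
  printf '%s\n' "$text" | grep -Eq "CN ?= ?$2|DNS:$2"
}

# Stand-alone demo on a constructed certificate; the hostname is a placeholder.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_ikev2_cert vpn.example.invalid "$tmp"
  cert_has_ikev2_extensions "$tmp/cert.pem" && echo "extensions present"
  cert_matches_host "$tmp/cert.pem" vpn.example.invalid && echo "hostname matches"
  rm -rf "$tmp"
fi
```

Run the two check functions against an exported pfSense certificate to see whether it predates the 2.2.4 change.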
IPsec
• Fixed non-GCM AES modes with AES-NI enabled. #4791
• Fixed issues with keyid and some mobile IPsec identifiers. #4811 #4806
• Fixed includes so PHP shell session restartipsec script works.
• Fix dashboard hardware crypto display where AES-NI is enabled. #4809
• Fixed issues with IPsec with certificates/ASN1.DN. #4792 #4794
• Added code to write out CRLs from the built-in certificate manager for use by strongSwan.
• Added option for enabling Strict CRL Checking (strictcrlpolicy in strongSwan config).
• Fixed saving Advanced IPsec options before IPsec is enabled.
• Changed LAN bypass to be from “LAN subnet” to “LAN subnet” rather than from “LAN subnet” to “LAN address” to allow it to work for VIPs on the interface.
• Remove “Auto” key exchange option, and change upgraded configurations to IKEv2. #4873
• Specify rightid for mobile IPsec non-PSK configurations. Add peer ID option “any” for excluding peer identifier checks for mobile IPsec circumstances where peer ID matching is impossible or undesirable.
OpenVPN
• Fixed handling of OpenVPN automatic stop/start when bound to gateway groups using CARP VIPs. #4854
DHCP
• Fixed issues with IPv6 Prefix Delegation caused by an invalid prefix/subnet check added to the ISC DHCP daemon. Reported upstream and patched the checks out in FreeBSD ports. #4829
DNS Resolver
• Changed Unbound to use interface-automatic where interface list is empty so it replies correctly in a default HA configuration. #4807
• Fixed selection of a CARP VIP for outgoing interface. #4852
• Fixed some inconsistencies in text across the GUI in places that specified DNS Forwarder vs. Resolver. #4551
Load Balancer
• Improved handling of port ranges in relayd. #4810
• Fixed references to Load Balancer Virtual Server redirect_mode.
Traffic Shaping
• Fixed adding of VoIP rules from traffic shaper wizard where IP/alias was not specified. #4838
• Fixed default CoDel values.
• Corrected inverted target/interval values for CoDel.
Rules/NAT/Aliases
• Fixed a foreach() error when saving an empty alias.
• Fixed input validation on Alias import page.
• Fixed inconsistencies in descriptions in Alias editing for URL Table aliases.
• Added labels to more default firewall rules.
• Avoid an error loading the rules with a numeric hostname in an alias.
Misc
• Removed unnecessary deletion of rc.conf; Added an empty rc.conf with a note.
• Removed a check for a QinQ interface existing when deleting. The check unnecessarily made QinQ un-deletable where the parent interface no longer existed.
• Fixed GratisDNS support.
• Fixed glob for serial devices to match more accurately.
• Fixed a foreach() warning when editing PPP entries.
• Fixed GRE and GIF interface input validation so required fields and descriptions match.
• Changed the behavior of Cancel buttons to be consistent (return to referring page).
• Fixed display of advanced DHCP settings when present.
• Removed old, unused NetUtils.js.
• Retain /usr/bin/fsync from FreeBSD in images.
• Added “netstat -ni” to /status.php output.
• Fixed a typo in upgrade code for Captive Portal.
• Fixed limiter upgrade code to allocate pipe numbers even if no rules are present.
• Fixed upgrade code to remove old CA/Cert config entries that were moved/relocated.
2.2.3 New Features and Changes
Security/Errata Notices
• pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI
The complete list of affected pages and fields is very large and all are listed in the linked SA.
• FreeBSD-SA-15:10.openssl:
• Fixes for filesystem corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
– Changed new filesystems to use the ‘sync’ option to avoid loss of data.
– Added upgrade code to activate the ‘sync’ option on the root slice for existing installations.
– Changed new filesystems to use softupdates and journaling (AKA SU+J).
– Changed the way fsck is handled at boot time:
* Followed best practice of using fsck from FreeBSD rc.d/fsck script. (Run preen mode first and later try forcefully fixing issues.)
* Added as much information during boot on the status of the filesystem as possible.
* Changed fsck to run with -C flag and always in foreground during boot to prevent issues that might schedule background mode.
Note: The forcesync patch for #2401 was considered harmful to the filesystem and removed. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD.
Rules/Aliases/NAT
• Fixed a problem with more than 64 IP addresses in the “self” table in pf.
• Fixed issues with FQDNs in aliases causing static entries to be lost. #4296
• Added the tracker ID rule number lookup to dynamic firewall log. #4730
• Fixed alias rename and delete not being propagated to outbound NAT. #4701
• Fixed tracker IDs of policy route negation rules which had been duplicating the tracker ID of the rule they were based upon. This confused the log parser and displayed the negation rule rather than the actual rule. #4651
• Fixed logging of passed IGMP traffic when the rule is not set to log. #4383
• Fixed a situation where a combination of L2TP, overlapping subnets, port forwards and NAT reflection could cause an invalid ruleset. #4772
• Added a GUI field to control the size of the pf fragment limit #4775
IPsec
• Updated strongSwan to 5.3.2. #4750
• Integrated a patch from https://wiki.strongswan.org/issues/951 to solve IPsec SA rekey issues on strongSwan+FreeBSD. #4686
• Added patches from FreeBSD PR 200282 to help address IPsec rekey issues.
• Backported FreeBSD r283146 and patch from FreeBSD PR 192774 to address PF_KEY ACQUIRE missing port and protocol information.
• Added reply-to/route-to rules for mobile-ipsec. #4235
• Removed the manual specification of reqid in the IPsec configuration because strongSwan 5.3.0 has fixed issues with its handling, which caused the existing code to misbehave. #4665
• Fixed the display and behavior of the LAN bypass option for IPsec. #4655
• Fixed IPsec LAN bypass toggling every time save is pressed. #4640
• Changed how charon is started and restarted to fix various issues with IPsec configuration reloading. #4268
• Added new modes for IPsec Phase 1 according to RFC 5903 (Elliptic Curve groups). #4260
• Implemented the “make before break” feature available in strongSwan 5.3.0, which is useful for IKEv2. #4626
• Fixed vpn_ipsec_configure so it always performs a filter reload to ensure the ruleset is updated where necessary in every IPsec change scenario. #4631
• Added support for EAP-RADIUS to IKEv2 Mobile Clients. #4614
• Fixed a panic/crash when accessing services on the firewall over mobile IPsec on 32-bit installations (set net.inet.ipsec.directdispatch=0 on i386). #4537
• Fixed an issue with FQDN hosts and PSKs. #4785
OpenVPN
• Added a space to the OpenVPN TLS Verify script to avoid appended parameters appearing the same as existing parameters.
• Fixed get_interface_ip() to return the IP address correctly for gateway groups specifying a VIP, which fixed OpenVPN clients not working with gateway groups specifying VIPs. #4661
• Changed the OpenVPN client settings to allow just one of either the username or password to be specified. #3633
• Fixed OpenVPN servers listening on an associated IPv6 address.
Captive Portal
• Fixed filterdns to use the proper API for ipfw changes on FreeBSD 10.1+ to correct captive portal allowed
hostnames not being loaded into tables at boot time. #4746
• Fixed Captive Portal RADIUS accounting. #4131
• Fixed Captive Portal Idle-Timeout causing a value of 2147483647 for acctsessiontime. #4652
• Fixed disconnection of active voucher users, and corrected disconnection of users especially when triggered via
XMLRPC. #4625
3.3. Older/Unsupported Releases 189
Operating System
• Fixed both the kernel and choparp to better handle I/O and prevent issues in the way it handles BPF, which can
contribute to a panic when using Proxy ARP VIPs. #4685
• Merged a patch that avoids a panic on sockbuf module. #4689
• Fixed AESNI to be SMP friendly to avoid various decryption errors and possible encryption mistakes. Also added
critical_enter/critical_exit to avoid preemption of the currently running thread, which should fix panics.
#4702
• Updated time zone data from FreeBSD 10.1-RELEASE. #4459
• Fixed creation of /var/spool/lock on NanoBSD at boot time. #4532
• Removed boot_serial='yes' from loader.conf when serial is disabled. #4617
• Fixed an issue where mtree would fail during an upgrade from a previous version of FreeBSD when moving to
2.2.x. #4653
Interfaces/NIC Drivers
• Added support for Sierra Wireless MC7354.
• Added support for Intel X552, ixgbe changes from stable/10, and moved altq changes for ixgbe to the large
ixgbe patch.
• Enabled ix/ixv/ixl modules in the kernel
• Fixed duplication of statistics on vlan(4) interfaces for outgoing bytes #3314
• Fixed updating wireless statistics so that the output bytes are not always zero. #4028
• Added a patch from FreeBSD PR 200722 for mpd5 to prevent it from printing a warning when renaming an
interface to an existing name.
• Fixed SLAAC/DHCPv6 handling for cases where the global SLAAC IPv6 address might be present when using
DHCPv6. #4483
• Corrected descriptions on Key Rotation and Master Key Regeneration for wireless interfaces.
• Removed the “insert my MAC” feature from interfaces.php.
• Defined $var_path as a global key since it is being used in interfaces.inc, but it was not declared.
• Fixed issues setting the MTU on certain interfaces. #4397
Packages
• Fixed various issues with PBI generation.
• Synchronized and cleaned up various pfPorts, eliminated several that had changes pushed back into FreeBSD
ports.
• Fixed an issue where rebuild_package_binaries_pbi.php could fail due to missing build files. #4600
• Backported patches from FreeBSD stable/10 to fix a crash when stopping squid. #4592
• Fixed pfflowd to use the correct version for parsing the new pfsync header and corrected the pfsync version
check. #4304
• Updated pkg_edit.php with fixes for usecolspan2 and combinedfields.
• Fixed pagination on pkg.php.
• Fixed boot-time log file initialization for package logs. #4603
DHCP/RA
• Clarified that DNS Forwarder and Resolver both apply in DHCP/DHCPv6 and router advertisements. #3730
• Removed unnecessary filtering on the DHCP static mappings table.
• Added appropriate RA Flags for “Stateless DHCP”.
• Added error checking to avoid warnings about DHCP relay during boot.
• Fixed hostname validation for static DHCP leases so that uniqueness is required only for fully qualified
hostnames, not for short names alone.
• Fixed adding DHCP static mappings from the DHCP leases view to non-default pools. #4649
• Stopped invalid DHCP settings from being applied when input errors exist.
• Removed DHCP static lease overlap cleanup and its associated function and killing of the DHCP daemon.
This behavior could cause problems with failover scenarios, especially when adding/editing/removing static
mappings.
Web GUI
• Fixed language selection. #4705
• Changes to status.php to make it easier to gather and submit support information:
– Added sanitization of OpenVPN static/tls keys to status.php.
– Cleaned up, organized, and expanded the info presented by status.php.
– Changed status.php to additionally save the output to individual text files and compress them into a
.tgz for later download.
• Fixed setup wizard LAN DHCP pool calculation to avoid an invalid pool.
• Improved the setup wizard hostname check. #4712
• Fixed some minor text issues in wizards.
• Changed the wizard to use the current WAN gateway name rather than assuming the name. #4713
• Updated and corrected the wireless status flags and capabilities list. There are many more possible flags, now
documented at Wireless Status.
• Added a fall back to look up local user privileges and groups if the groups could not be found from LDAP and
there is a local user.
• Fixed Crash Reporter submissions when symlinks were present as part of crash report, which would fail to save
the report on the server. #4650
• Set a user agent for the Crash Reporter.
• Cleaned up code logic in status_upnp.php.
CARP
• Changed CARP so that it does not trigger a carp demotion taskqueue if the value is 0, which can cause the
cluster to misbehave.
• Fixed issues for CARP+Bridges where pfSense would crash or freeze. #4607
• Fixed the CARP plugin call for packages. The “interface” parameter was coming through as NULL during
CARP events.
• Added an INIT event for CARP in devd.conf as an alternate for ‘backup’; otherwise scripts would not take down
services during a MASTER->INIT transition (e.g. interface unplug, link loss).
• Fixed NTP so that it properly uses selected CARP IP addresses. #4370
• Fixed CARP packet flow after initial interface creation. #4633
Traffic Shaper/Limiters
• Fixed limiters when used with IPv6. #2526
• Corrected handling of NAT when RDR/BINAT is applied to a packet that is being sent to limiters. #4596
DNS
• Consistently handle clear_subsystem_dirty after an Unbound restart.
• Added a call to clear_subsystem_dirty('staticmaps') when using Unbound, otherwise DHCP static mappings
would not fully apply when Unbound was in use. #4678
• Fixed an Unbound warning when “dnsallowoverride” was off and port forwarding was on. #4682
• Re-enabled verification for selfhost DynDNS since their chain issue has been resolved. #4545
Misc
• Updated PHP to 5.5.26
• Fixed various issues in the installer for GEOM mirrors (mirror slice detection, gmirror cleanup on non-clean
disks.) #4658
• Fixed new user creation to use skel as the source of new user files rather than copying from the home directory
of root.
• Changed growl so it will not be called if the configured address isn’t an IP address or a resolvable hostname.
This avoids a 1 minute timeout delay in fsockopen in growl.class; the change cuts that down to about a 20 second
timeout. #4739
• Added a reboot after restoring a full backup in the GUI. #4107
• Deprecated /usr/local/bin/3gstat as it was no longer used. It was replaced by 3gstats.php long ago.
• Started using the “host!” flag when setting CURLOPT_INTERFACE, as recommended by the CURL documentation.
• Started passing the interface to CURLOPT_INTERFACE instead of the IP address, also started using the “if!”
flag to avoid CURL trying to resolve the interface name.
• Fixed NTP serial configuration to setup the serial port before attempting to configure a GPS unit.
• Cleaned up various HTML/XHTML issues.
• Fixed a check for deleting a VIP when in use by OpenVPN.
• Fixed issues with backup/restore of a config.xml breaking the serial console on ADI installs. #4720
• Fixed several issues with boot speed when WAN was disconnected. #4442
• Removed some unused/obsolete files.
2.2.2 New Features and Changes
Security/Errata Notices
• pfSense-SA-15_05.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI
• FreeBSD-SA-15:09.ipv6:
• FreeBSD-SA-15:06.openssl:
Rules / NAT
• Added hidden config option to disable blocking of link-local IPv4 (169.254.0.0/16) for the rare instances where
it’s required. Not recommended, violates RFC 3927.
• Fixed invalid ruleset generation when using port forwards with destination “any” on a DHCP client WAN-type
interface, have pure NAT mode reflection enabled, and have the interface with link up but unable to reach a
DHCP server for an extended period. #4564
• Allow the use of version IPv4+IPv6 on firewall rules without restrictions on protocol. The former restrictions
date back to earlier base software versions, and are no longer applicable.
• Omit route-to from rules specifying a specific gateway when that gateway is forced down. #4566
• Use the subnet address when forming rules for networks, rather than the interface IP address
• Added SCTP to the protocol drop-down for firewall rules
IPsec
• Enforce disabling of the “prefer old SAs” option. Having this option enabled will cause connectivity problems after
rekeying in many circumstances. Upgrading to 2.2.2 will fix this.
• strongSwan upgraded to 5.3.0
• Don’t apply mobile IPsec phase 2 PFS configuration to non-mobile IPsec. #4538
• Correct applying of uniqueid configuration. #4359
• Bring back automatic exclusion of LAN subnet to LAN IP for scenarios where remote IPsec overlaps with local
LAN subnet. #4504
• Enable ike_name for daemon logging, adding connection identifiers to IPsec logs that can be correlated to output
of 'ipsec statusall' (GUI log viewer integration to come).
DNS Forwarder/Resolver
• Fix DNS registration of hostname “0” #4573
• Domain overrides to multiple server IPs are possible in DNS Resolver. Add message noting this, and how to
achieve it. #4350
• Always configure user-specified DNS servers in the Unbound configuration, to make its behavior consistent
with dnsmasq
• Only list nameservers once in resolv.conf
Wireless
• Atheros wireless driver updated to latest from FreeBSD 11-CURRENT. Not many changes since 2.2.1-RELEASE.
#4582
• Wireless cards removed from ALTQ-capable interfaces (traffic shaper capability) since that isn’t supported at
the moment. #4406
• New option “auto” added for Standard. This omits configuring mode with ifconfig, which currently can trigger
driver problems that don’t exist when not specified. Standard “auto” is preferred, and possibly required, for BSS
and IBSS wireless modes with Atheros cards (at a minimum, potentially others).
IPv6
• Make sure ‘DHCPv6 Prefix Delegation size’ is provided if ‘Send IPv6 prefix hint’ flag is checked to avoid
generating invalid dhcp6c configuration file.
• DHCPv6 Relay fixed. #4572
• Allow “0” for id-assoc na ID, id-assoc pd ID, sla-id and sla-len DHCP6 configuration options. #4547
• Fix the use of multiple prefixes in IPv6 router advertisements. #4468
Other
• Clean up logic in OpenVPN resync code. Discussion here and additional change here.
• SSL certificate validation disabled for selfhost - their certificate chain had a problem that made OpenSSL fail
verification, making the service non-functional. #4545. The provider fixed the issue after 2.2.2-RELEASE, so
verification has been re-enabled for 2.2.3 and newer.
• Fix error in traffic shaping wizard. #4529
• Fix broken image path. #4530
• A variety of minor text clean up in web interface.
• Remove some code no longer used in a few places.
• Clean up of code path when adding a new user. #4620
• Make sure RRD backup is not restored when /var memory disk is not in use. #4531
• Show friendly name of the interface on custom RRD graph drop-down selection
• PHP upgraded to 5.5.23
• Prevent a user from adding a VLAN using the invalid ID “0”
• Cleanup display of times in DHCP leases
• Use the correct field for voucher “expired” and “no access” messages
• Fix traffic shaper wizard bandwidth input validation calculations https://redmine.pfsense.org/issues/4259
• Changed Diagnostics > Sockets to display sockets bound to localhost
• Allow single interface bridges, useful for span ports and when migrating interfaces to a bridge
2.2.1 New Features and Changes
Security/Errata Notices
• pfSense-SA-15_02.igmp: Integer overflow in IGMP protocol (FreeBSD-SA-15:04.igmp)
• pfSense-SA-15_03.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI
• pfSense-SA-15_04.webgui: Arbitrary file deletion vulnerability in the pfSense WebGUI
• FreeBSD-EN-15:01.vt: vt(4) crash with improper ioctl parameters
• FreeBSD-EN-15:02.openssl.asc: Update to include reliability fixes from OpenSSL
Potentially Relevant
The following updates are included from upstream in FreeBSD, but are not directly relevant. Neither pfSense software
nor its packages include SCTP services, but such services may have been manually added by the user.
• FreeBSD-SA-15:02.kmem: SCTP SCTP_SS_VALUE kernel memory corruption and disclosure
• FreeBSD-SA-15:03.sctp: SCTP stream reset vulnerability
Not Relevant
• OpenSSL “FREAK” vulnerability:
– Does not affect the web server configuration on the firewall as it does not have export ciphers enabled.
– pfSense 2.2 already included OpenSSL 1.0.1k which addressed the client-side vulnerability.
– If packages include a web server or similar component, such as a proxy, an improper user configuration
may be affected. Consult the package documentation or forum for details.
Known Issues
• Some cases remain where filterdns does not properly handle hostnames in multiple aliases. Most of the
cases have been fixed, so the situation is better than 2.2-RELEASE, but it is not 100% resolved. See issue #4296
for details. Placing hostname aliases into a separate alias so they are not mixed with static entries effectively
works around the issue.
General
• Updated the default SSL cipher list to be stronger, obsoletes the need for a “BEAST protection” option #4230
• Fixed gen_subnet_max returning an incorrect result on 32 bit (i386) versions, which in turn fixed Wake on LAN
and other areas on 32 bit (i386) versions. #4318
• Fixed crash on boot with some hardware, caused by gpioapu on systems where smbios.system.product is null.
Mostly seemed to be the recycled Watchguard users affected by this issue. #4363
• Updated ufslabels.sh to handle a wider variety of disk layouts.
• Added a choice of SMTP authentication protocols for notifications, Office365 mail support. #4176
• Removed latin-1 encoding of RSS feed to fix display issues of RSS items.
• Fixed an issue where the GUI setting for PAP or CHAP in L2TP Server was not being respected.
• Fixed changing source tracking value separate from changing the Sticky option.
• Added input validation to force a minimum 100000 byte log file size to prevent undersizing the logs.
• Added more cleanup to the Restart PHP-FPM console menu action.
• Removed PTR records for aliases in host overrides.
• Fixed diag_arp.php to allow underscore in resolved host names.
• Fixed an issue in DHCP settings where the “add routers” value was not being preserved across a loop for each
interface.
• Added capability to handle reverse lookup domain overrides.
• Fixed issues with NTP RRD graph state changes.
• Added input validation to require RADIUS protocol and server IP address/host in Captive Portal when RADIUS
authentication is selected. #4384
• Fixed swap size calculation in the installer to avoid creating improperly sized partitions in systems with lots of
RAM but not much disk space.
• Fixed test for comconsole when matching for enabling serial console. #4464
• Updated pfSense PHP shell help to current configuration structure. #4492
• Fixed switching from a PPP type WAN to “None” or “DHCP”.
• Disabled the SNMP hostres module on APU boards due to crashes. #4403
• Removed -U from mtree call used to restore files permissions as it was breaking symlinks on upgrade. #4328
• Added input validation for Wireless configurations to prevent problematic combinations of settings. #4178
• Improved handling of FQDN entries in aliases with filterdns, but not 100% resolved. #4296
• Fixed various typo, style, and formatting issues.
Rules / NAT
• Fixed ordering of DHCPv6 client and bogon rules so the bogon rules can’t block DHCPv6 requests. #3395
• Fixed a bug where applying NAT changes in Hyper-V could break the running NAT configuration. #4445
• Fixed a bug where marking a packet with only a number resulted in a broken rule. #4274
• Fixed DSCP choices that were non-functional and resulted in a broken ruleset. #4302
• Fixed PHP memory exhaustion on NAT pages with VIP ranges on 32 bit (i386) versions. #4317 (Related to
#4318)
• Fixed input validation on Outbound NAT to accept a port range. #4300
• Removed Carrier-Grade NAT subnet from “Block private networks” as it was in 2.0.x and earlier releases since
it specifically notes RFC 1918 and CGN is more closely related to bogon networks. #4379
• Removed code that set adaptive.start and end to 0, now they are left at their defaults (60% and 120% of the state
limit, respectively) if not user-overridden.
• Added configuration options for state timeout values under System>Advanced, Firewall/NAT. #4509
IPsec
• Added MOBIKE control, now disabled by default. #3979
• Fixed page rendering so MOBIKE is only shown with IKEv2 selected, NAT-T only shown with IKEv1 selected.
• Removed Prefer older IPsec SAs option from the GUI, and existing configurations with it enabled will not have
that setting applied. #4349
• Added input validation to prevent use of AES key lengths larger than 128-bit when the glxsb cryptographic
accelerator is enabled. #4361
• Added an option for an IPsec tunnel to act as a responder only. #4360
• Added a filter reload when IPsec is disabled. #4245
• Fixed RSA cert handling in IPsec to use double quotes on asn1dn specification so it is properly interpreted by
strongSwan. #4275
• Added an option to allow controlling unique ID handling in IPsec advanced settings. #4359
• Fixed restartipsec command line script.
• Fixed handling of IPsec with Gateway Groups #4482
• Added a workaround to disable the strongSwan Unity plugin. #4178
• Added error logging when an IPsec Phase 1 cannot be located.
OpenVPN
• Added encoding for username and password to avoid issues with special characters. #4340
• Fixed issues with OpenVPN TLS and authentication scripts. #4329
• Fixed issues with handling of the Authentication Mode if the user changes the value after changing other
incompatible settings.
DNS Resolver
• Upgraded to Unbound 1.5.3.
• Added correct scaling of rrset-cache-size in unbound.conf. #4367
• Added support for 0x20 DNS random bit. #4205
• Changed DNS Resolver default values to be a bit more strict: Enable Hide Identity, Hide Version, Harden
DNSSEC data.
• Force the harden glue configuration option, and remove GUI control of that option. A problem with Unbound before
1.5.2 meant that in 2.2-RELEASE, having this option enabled with DNSSEC disabled could lead to DNS cache
poisoning. #4402
• Added a check to test if Unbound is enabled and using the same port before allowing dnsmasq to be enabled.
#4332
• Removed hard-coded value for harden-referral-path. #4399
Logging
• Fixed GUI log parser handling for IGMP log entries. #4343
• Fixed syslogd issues where the daemon stopped and failed to restart during boot in some cases. #4393
Traffic Shaping
• Fixed input validation errors in the Traffic Shaper wizard due to old data not being cleared. #4333
• Fixed handling of Upstream SIP Server in the Traffic Shaper wizard. #4314, #4427
• Fixed crash when using limiters and pfsync. #4310
• Fixed limiters used with IPv6. #2526
IPv6
• Fixed calculation of the 6rd default gateway honoring netmasks other than /32.
• Fixed recording of the IPv6 interface’s new IP address and stopped issuing commands that cannot succeed. #3669
• Fixed not being able to save custom and custom-v6 DynDNS entries.
• Added IPv6 IP addresses to /etc/hosts in the same manner IPv4 IP addresses are added. #4395
• Fix computation of the displayed DHCPv6 range start to be consistent with the actual check.
• Added dhcp6.name-servers option with DHCPD-PD regardless of PD length.
• Fixed Net_IPv6::compress() to properly handle all-zeros address.
• Enabled UnicastOnly in radvd for ovpnX interfaces. #4455
• Removed requesting a prefix delegation when there are no tracking interfaces setup to use it. #4436
• Added code to destroy stf interface when a 6rd or 6to4 tunnel is disabled. #4471
VIP/CARP
• Added input validation to prevent the VIP “interfaces” from being assigned since they are just an identification
of the VIP for tracking and not actual interfaces. #4389
• Fixed functions to properly return the VIP subnet now that the CARP might not match its parent interface subnet.
#4390
• Fixed a bug that caused the status icon from previous CARP VIP to be shown in cases where the IP address was
not present on an interface.
• Changed the carp demotion factors slightly to avoid CARP transitions that are most likely unnecessary. (Do not
demote on NIC send errors or pfsync errors)
• Expanded the CARP demotion error
• Added button to reset demotion status
• Fixed handling of IP Alias deletion from a secondary node using XMLRPC configuration sync #4446
Misc Binary/OS Changes
• Upgraded PHP to 5.5.22.
• Re-enabled Suhosin in PHP.
• Updated 802.11 code and Atheros wireless driver from FreeBSD 11-CURRENT
• Added patch to fix crash with Ralink wireless cards in access point mode. #4117
• Added athstats, cryptostats and cryptodev back. #4239
• Fixed AESNI module checks when used inside a virtual machine.
2.2 New Features and Changes
Special Notes
Due to CSS and JavaScript changes, forcing the browser to clear its cache or reload the pages after an update is advised.
This is especially true if any cosmetic anomalies are observed, such as alignment problems or spurious bits of text in
widgets.
Security Fixes
• Update to openssl 1.0.1k to address FreeBSD SA-15:01
• Multiple XSS vulnerabilities in web interface pfSense-SA-15_01
• OpenVPN update for CVE-2014-8104
• NTP update FreeBSD-SA-14:31.ntp though these circumstances don’t seem to impact pfSense® software.
Default Configuration Changes
• DNS Resolver (unbound) enabled for new installs. #3396
• DNS Forwarder (dnsmasq) disabled for new installs. #3396
• Change default NICs from vr to em – vr is on the way out and em is the most common NIC in use today.
• Default config.xml has been cleaned up. Outdated comments have been removed that used to loosely document
the config file, but had been neglected for quite some time and aren’t all that useful anyway.
• Default sysctls have moved out of config.xml and now reside in globals.inc to reduce the size of config.xml
• Default sysctl values do not need to be set in config.xml. The default values are obtained from sysctl now. This
also reduces config.xml size.
• Tracking IDs added to default rules
Security Enhancements
• Verify SSL certificates for HTTPS URLs
• Detect if an unofficial package repository is in use and warn the user. Warning is displayed on the dashboard
and package management pages. #484
• Check and verify the package server’s SSL certificate if using HTTPS. #484
• For dyndns providers that support HTTPS, use it when performing updates.
• Replaced lots of GET actions with POST actions in various places in the GUI as they were touched.
• Update jquery to 1.11.1
• Remove almost all calls to history.back() and make the Cancel button go back to HTTP_REFERER
• Hide FreeBSD version from sshd banner. #3840
• Disable SSLv3 in lighttpd
• Disable RC4 ciphers in lighttpd
• Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation
code to use it.
Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate
it later. Also use some more sane defaults for the contents of the default self-signed certificate’s fields
so it will be more unique and less likely to trigger problems in browser certificate storage handling.
• Add command line script to generate and activate a new GUI certificate (generateguicert)
• Catch some more sensitive information when sanitizing the contents of config.xml output on /status.php.
OS Changes
• Updated base OS to FreeBSD 10.1-RELEASE
• PHP backend switched from FastCGI to PHP-FPM
• PHP Moved to 5.5
• Migrate captive portal code to SQLite3 PHP module
• Fix some lingering call-time pass-by-reference instances that fail on PHP 5.5
• Default serial speed is now 115200 #3715
• Sync gettytab and etc/ttys with FreeBSD 10-STABLE and reduce customizations
• Log pfSense version to syslog after bootup
• Set the sysctl net.inet.icmp.reply_from_interface to 1 to use the incoming interface to send ICMP replies. #3666
• Switched the hash method in pf to XXHASH for speed improvements
DNS
• Imported Unbound for use as the default DNS Resolver. The old dnsmasq DNS Forwarder is available as a
non-default option. Upgraded systems will retain existing settings.
• Various changes to Unbound and supporting programs to complete its integration.
• Removal of bind from FreeBSD base necessitated the switch to alternate programs for DNS utilities (e.g. drill
for dig, different nsupdate)
• AJAX DNS updates for firewall logs (when clicked)
• Make sure that the DNS Forwarder/Resolver is always capable of accepting queries on localhost before using it
as a DNS server.
• If localhost is configured to be included in resolv.conf, force its selection in Unbound. The resolv.conf logic
prevents that from being a problem, but users don’t seem to realize they have to pick that to use Unbound for
the host itself.
• IPv6 support in Unbound
• Check port of dnsmasq/unbound and skip 127.0.0.1 in resolv.conf if not port 53. #4022
• Add a note to the wizard about the DNS Resolver ignoring manual name servers by default. (They are still used
as secondary/tertiary servers for the firewall itself, however)
• Domain and search should not both be defined in resolv.conf per FreeBSD man page and handbook (only the
latter is actually used). Only search is set now.
CARP
• Changes to CARP for new FreeBSD 10 CARP system
• Provide a way to ‘permanently’ set CARP to ‘maintenance mode’ (advskew 254) persisting through a reboot.
• Key off net.inet.carp.demotion and display a warning to the user if the system has self-demoted its CARP status.
• Allow CARP IP address to be outside interface and alias subnets
Interfaces
• Implement an option to allow using the IPv4 connectivity interface for sending the dhcpv6 information. Usually
useful for PPP[oE] type links and some ISPs
• Add gre and gif checks for IPv4 function interface_has_gateway($friendly), like they are already for IPv6
• Do not allow the user to set IPs for GRE interfaces on interface edit page. #3575
• On interfaces_assign.php, let user select network port to add instead of picking the first available #3846
• When changing an existing VIP, use previous configured interface for checking, this fixes the issue that happens
when trying to change a VIP to a new interface. #3807
• Validate the GIF interface MTU (must be something between 1280 and 8192) #3927
• Properly set MTU for lagg(4) interface #3922
• Fix formatting of the Interfaces Widget on the Dashboard. #3937
• Don’t allow interface descriptions that are strictly numbers as that generates an invalid ruleset. #4005
• Disable delete_old_states in dhclient-script. rc.newwanip handles this correctly in 2.2, and this killed states in
multiple circumstances where that isn’t necessary nor desirable.
• Do not unset configuration values from PPP config if not needed. #3727
• Overhaul handling of flags for hardware offloading and make it work correctly for system_advanced page
settings. Lagg is still a special case that may require a reboot initially to apply. #1047
• Don’t try to launch 3gstats unless it’s on a valid device.
• Updated list of mobile service providers
Gateways/Routing
• Add an option to force a gateway to be down. #2847
• List GWGs in Interface to send DynDNS update from
• Allow reordering, batch delete, and disable of static routes
• Option to disable a gateway added
• Check gateway for IPv6 also for reply-to rules.
• Fix issue where ICMP6 messages sometimes have the wrong source IP address when a monitor IP address has
been set #3607
• Improve look of gateways widget
• Provide a toggle for apinger debug messages to be logged to syslog
• Setting an interface IP to 0.0.0.0 with mask 0.0.0.0 overwrites the default route with that interface’s link route.
Follow FreeBSD 10.1 and use a /8 mask instead. #3941
• Use static route with -iface option for PPPoE to help when more than one PPPoE connection has the same
gateway. #4040
• net.inet6.ip6.rfc6204w3 needs to be 1 for dhcpv6 to work correctly. #3361
• Add a route debug option to log info about route commands executed (where those aren’t already logged) to
help with troubleshooting various routing scenarios.
• Make sure srcip and target have scope when link-local addresses are used in apinger. #3969
• Properly generate and use the default gw for 6rd.
Firewall Rules
• Custom logging daemon that provides easy-to-parse output on a single line
• Persistent tracking ID for firewall rules so that logs may always be traced back to their corresponding rules
• Removed settings for maximum tables and maximum table entries since pf on FreeBSD 10 does not have any
limits for these.
• Expose all p0f OS types that it supports so that subtypes of various Operating Systems can be detected (e.g.
blocking Windows XP)
• The “(self)” concept of “Any IP address on this firewall” is now a choice for firewall rule destination (and
floating rule source for out direction rules), port forward destination, and outbound NAT source.
• Can now optionally log default pass rules as well as default block rules
• Add IP alias subnets to interface subnet macro on GUI. #983
• Adjust states summary for new pfctl -ss output. #2121
• Add a more obvious note on group rules about how they do not work as expected for WANs
• Block IPv4 link-local/APIPA 169.254.0.0/16. #2073
Note: Per RFC 3927, hosts “MUST NOT send the packet to any router for forwarding”, and “any network
device receiving such a packet MUST NOT forward it”. FreeBSD won’t route it (route-to can override in
some circumstances), so it can’t be in use as a real network anywhere, with the possible exception of local-only
networks. It is unlikely any such situation exists anywhere.
• Fix JavaScript confirmation dialog for EasyRule.
• Use 'clog -f /var/log/filter.log' to view firewall log entries from the console so they are displayed in the new
format.
• Set MSS clamping on VPNs in both directions rather than requiring it be set on both ends.
• Add option to kill all states on IP change, currently a hidden option for more testing. #1629
• Kill states associated with the old WAN IP when WAN IP has changed. #1629
NAT
• Hybrid outbound NAT style that allows the user to keep the existing automatic behavior but layer manual rules
on top of it.
• Option to disable outbound NAT without disabling pf
• Display networks used in automatic outbound NAT when using that mode
• Allow reordering, batch delete, and disable of 1:1 NAT rules
• Take virtual IPs into consideration for automatic outbound NAT rules #983
• Outbound NAT can apply to any type of interface, make WAN-type specific reference generic
Aliases
• Allow individual line descriptions on alias bulk import
• Implement URL Table aliases for ports
• Optimizations for URL table aliases to use less memory and be more robust in general
• Alias name cannot have more than 31 chars, add maxlength to the field as an extra check. #3827
• Prevent Internal Server Error if an IP range is entered backwards.
• Expand range or subnet entered into a host type alias.
• Warn that IPv6 address ranges are not supported in aliases.
• When an alias contains hosts, add IPs and networks to filterdns too; otherwise the ruleset ends up with a predefined and non-persistent table. #3939
Dashboard & General GUI
• Various fixes for XHTML compliance
• Various fixes for typos
• Add a setting to allow the user to specify the clog file size so more (or less) entries may be kept in the raw logs.
• Add an option for users to be able to adjust how many configuration revisions are kept in the local backup cache.
• Show backup file size in config history.
• Display pfSense interface name on status interfaces
• Dashboard cleanups/fixes for jQuery
• Add “pfsense_ng_fs” full screen/widescreen theme
• GUI redirect works on both IPv4 and IPv6 #3437
• Disk usage section of the System Information widget now shows all UFS, ZFS, and cd9660 filesystems, not just
the root (/) slice, and also indicates if they are a RAM disk.
• Add a message about premium content to the setup wizard and add a link in the menu to the signup page.
• Add pages missing from the Status > Traffic Graph privilege that are required for the full page to load
• Fix traffic graph widget default autoscale
• Be more strict on user and group removal to avoid accidentally removing additional users #3856
• Add an option to restart php-fpm from console
• Add .inc file for gmirror status widget to give it a better title and link to the management page.
• Allow the Virtual IP list table to be sorted (cosmetic only)
Translations
• Change default charset on pages to utf-8
• Updates to pt_BR translation
• Added Japanese translation
• Added Turkish translation
• Fixes for gettext
Captive Portal
• Add a way to download CP portal, error and logout html pages. #3339
• Add an option to restore default logout/error/portal custom pages on Captive Portal. #3362
• For more than 100 MAC pass-through entries, create pipes in line with the rules file to speed up the process.
#3932
• Zone backend changed from text-based (e.g. “cpzone”) to using the zone id (e.g. “2”) for specifying the context.
• ipfw_context has been removed. To list zones, use “ipfw zone list”
• Default lighttpd daemon port for a Captive Portal zone is based on the zone ID. For example, zone ID 2 uses
port 8002. There may not be a daemon on port 8000.
IPsec
• IPsec backend changed from racoon to strongSwan
• IKEv2 settings have been enabled in the GUI
• Default IPsec configuration settings for newly created site to site configurations updated to use main mode and
AES 256 on both phase 1 and 2.
• IPsec status page and dashboard widget changes to accommodate different output from strongSwan
• Move the IPsec settings from System > Advanced, Misc tab to “Advanced Settings” tab under VPN > IPsec.
• It is now possible to configure L2TP/IPsec
• Add AES-GCM and AES-XCBC to the list of available IPsec algorithms and hashes, respectively. Expand P1
DH groups up to 24.
• Allow hash algorithms to be empty for phase 2 where the encryption is AES-GCM
• Allow reordering IPsec Phase 1 and Phase 2 items, removing multiple P1/P2 items, and toggling the enable/disable status of
P1/P2 items #3328
• Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all
cases
• Do not accept non-ASCII characters on IPsec PSK #3931
• Fix ping_hosts.sh to not ping IPsec if CARP is in backup.
• Allow accept_unencrypted_mainmode_messages to be enabled for IPsec if needed.
• Check that subnet masks are equal when choosing binat type for IPsec to avoid errors on ruleset. #3198
• Change NAT Traversal options as strongSwan only has two options: force or auto.
• Don’t allow P2 local+remote network combinations that overlap with interface+remote-gateway of the P1.
#3812
OpenVPN
• Allow entering OpenVPN client credentials in the GUI
• Add fields for local (push route) and remote (iroute) network definitions in an OpenVPN client-specific override
entry.
• Change OpenVPN compression settings to cover the full range of allowed settings on OpenVPN (unset, off,
on, adaptive) rather than a simple off/on switch that either doesn’t set the value or enables it with adaptive
(OpenVPN’s default).
• Add an Authentication Digest Algorithm drop-down to OpenVPN server/client and to the wizard (SHA1 is the
default since that is OpenVPN’s default)
• Add option to specify client management port for OpenVPN client export use
• Ensure e-mail address carries over from the CA screen to the Cert screen in the OpenVPN wizard.
• Allow the user to select “None” for OpenVPN client certificate, so long as they supply an auth user/pass. #3633
• Byte counts on OpenVPN status are now human readable rather than huge unformatted numbers.
• OpenVPN instances have new options: “Disable IPv6”, route-nopull, route-noexec, verb selector
• Use stronger defaults in the OpenVPN wizard.
• Fix ovpn-linkup for tun + topology subnet case setting router as ifconfig_local envvar when route_vpn_gateway
and ifconfig_remote are both not defined. #3968
DHCP
• Add code for UEFI booting and DHCP
• Advanced RFC 2136 configuration for DHCPd service
• Add ability to not supply a DHCP gateway to clients
• Allow defining DHCP static mappings using dhcp-client-identifier
• Do not call write_config() when Applying Changes on DHCP settings #3797
Packages
• Package signing to ensure validity/authenticity
• Single package manifest (XML) file rather than one per architecture
• Various improvements to PBI setup/structure from upstream (PC BSD)
• Added the capability for package hooks in /etc/rc.carpmaster and /etc/rc.carpbackup
• Split package category display into separate tabs for categories, and provide an “All” tab
• Move the fetching of a package’s config file and additional files to separate functions.
• Clarify logs generated by newwanip(v6) when restarting packages; it’s not only IP changes that end up here (by
design).
• When reinstalling a package, try to start it after the install completes.
Dynamic DNS
• Added support for DynDNS Provider “City Network”
• Added support for DynDNS Provider “OVH DynHOST”
• Added support for DynDNS Provider “GratisDNS”
• Added support for DynDNS Provider “Euro DNS”
• Added support for DynDNS Provider “CloudFlare”
• Add support for custom IPv6 DDNS.
• Add backend support for HE.net AAAA record updates.
• Add additional options to Custom DynDNS
• Allow hostname to start with ‘@.’ for namecheap #3568
• Do not disable certificate verification in DynDNS. Proper CA certificates are now in place to validate SSL in
these cases.
• “+” is a valid character in some dynamic DNS providers’ usernames. #3912
GEOM Mirrors (gmirror)
• New gmirror library to perform various gmirror tasks and get information, using some of the former widget
logic to start.
• Added a Diag > GEOM Mirrors page that displays information about existing mirrors and performs various
management tasks.
• Also included is a notification setup. Mirror status is polled every 60 seconds, and if any aspect of the mirror
changes, notifications are issued that alert in the GUI and by SMTP, etc.
Warning: If a manual gmirror configuration was performed post-install and not using the pfSense software
installer gmirror option before install, there is a chance that the mirror will not function on pfSense software version
2.2 because the manual post-install method did not create a completely proper mirror setup. If the upgraded mirror
does not function on 2.2, the following /boot/loader.conf.local entry may be used to work around the
integrity check that would otherwise fail:
kern.geom.part.check_integrity=0
If one of these configurations is present, the best practice is backing up the configuration and reinstalling using the
built-in gmirror option in the pfSense software installer.
Traffic Shaping
• Fix DSCP values and provide a config upgrade to fix values stored in config.xml. #3688
• Remove ‘multi lan/single wan’ and ‘multi wan/single lan’ traffic shaper wizards, multi lan/wan can be used to
replace any of them.
• Only show the correct type of interfaces (LAN/WAN) on traffic shaper wizards #3535
• Shaper wizard will automatically attempt to guess the correct number of WANs and LANs.
• Updated and expanded traffic shaping for games, game consoles, and other applications.
• Allow up to 2900 limiters. This was set to 30. #3213
• Fix logic to find available next number for limiters and queues. #3998
• Add vmx and hn to list of ALTQ capable interfaces.
• Remove the “Limiter burst” parameter as it currently doesn’t work with dummynet in pf.
Misc
• Cleaned up various older files/scripts that were no longer being used
• Dropped all support for cvsup. cvs is dead, long live svn and git.
• Optimizations/changes to the XML Parsing code
• NTP updates to handle a wider range of GPS devices and more NTP options
• Move to zerocopy_enable for bpf to optimize logging which uses bpf interface. This should increase the general
performance since pflog is always enabled.
• Add sshd service to list (if enabled)
• Add a “status” subcommand to the svc php shell script.
• When using the reset webConfigurator password option on the console, if authentication server is not Local
Database, ask user if they want to revert back to it. #3341
• Fix interface selections on UPnP to show the customized descriptions entered by the user. While here, add an
external interface selection knob. Fixes #3141
• Layer 7 Pattern: EAOrigin.pat
• Layer 7 Pattern: SWF (Flash)
• Remove some old obsolete code that referred to the now-defunct “embedded” platform that was replaced with
NanoBSD back in 1.2.x.
• Sometimes fsck requires a second run, teach rc script to call it more than once when it’s necessary
• Add column for internal port on UPnP status page
• Make listening on interface rather than IP optional for UPnP
• Use interface name for miniupnpd rather than IPv4 address #3874
• Packet Capture: Host field supports rudimentary boolean logic.
• Packet Capture: Protocol, host, and port now support negation.
• Added interface column to Diagnostics > States
• Change is_port() to only validate a single port, is_portrange() for specific cases. #3857
• Fix guess_interface_from_ip() to account for differences in netstat output. #3853
• Fix Certificate Authority SAN name handling #3347
• Add a basic command line password reset script.
• Use configured proxy URL/port for downloading bogon list. Does not use credentials. #3789
• Underscores are valid characters in domains. #3219
• Let user decide to proceed with upgrade when sha256 fails to download. #3576
• Remove the command number shown in the shell prompt.
• Use a better method of finding disks for SMART.
• Process obsolete files in shell script instead of PHP.
• Do not allow FQDN in fields that should only accept a hostname.
• Set proxy environment variables on interactive shell and also on crontab so that they may be used by all scripts.
#3789
• Add input checkboxes to remove multiple users and groups
• Make sure an empty group or user is not created when editing
• Update URLs in help.php.
• Change wording at the end of the wizard to remove “donate” since that is no longer an option.
• Put the booting signal in globals.inc so that all the other scripts detect that the system is booting. Otherwise separate
PHP instances will not detect it. rc.bootup clears this flag, so all should work correctly
• Force serial console when it was selected by the installer. #4009
• Wait 10 minutes before retrying a bogon fetch on soft failures to avoid us getting DoSed if something is wrong
there (for example, when someone’s system can’t validate the certificate)
• Use IPv4 for ntpq if IPv6 is not allowed
HEADS UP for Xen Users
The FreeBSD 10.1 base used by pfSense 2.2 includes PVHVM drivers for Xen in the kernel. This can cause Xen
to automatically change the disk and network device names during an upgrade to pfSense 2.2, which the hypervisor
should not do but does anyway.
The disk change can be worked around by running /usr/local/sbin/ufslabels.sh before the upgrade to convert the fstab
to UFS labels rather than disk device names.
The NIC device change issue has no workaround. Manual reassignment is required at this time. Note there have been
performance issues reported in Xen with this NIC device change.
2.1.5 New Features and Changes
The pfSense® software version 2.1.5 release follows shortly after 2.1.4 and is primarily a security release.
Security Fixes
• pfSense-SA-14_14.openssl
– See http://www.openssl.org/news/secadv_20140806.txt
– Updated to OpenSSL 0.9.8zb and 1.0.1i
• pfSense-SA-14_15.webgui
• pfSense-SA-14_16.webgui
• pfSense-SA-14_17.webgui
Other Fixes
• Handle a missing DHCPD config section properly during a configuration upgrade
• Fix a regression that broke CARP+IP alias VIP functionality
• Fix the Pass, Block, Reject and Interface filters in the Firewall Logs Widget #3725
• Use HTTPS for dyndns providers that support it
• Avoid resetting the firewall hostname from a WAN DHCP server #3746
• Add missing qlimit keyword in some shaper rules
• Change Cancel button to call history.back() when editing firewall aliases to fix issues with IE 11 #3728
• Allow hostnames in bulk import since they are valid entries in a network type alias
• Fix input validation logic on diag_testport.php, escape more shell arguments for good measure
• Escape the individual dnsmasq advanced/custom options
• Encode the detail field of an alias entry before displaying its contents back to the user
• Encode interface/VIP descriptions before displaying them on the NTP daemon settings, and GIF/GRE interfaces
• Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary
• Shorten the wait at “reload” in startup wizard to 5 seconds from 60
• Do not execute DNS lookups on GET, only pre-fill Host box so the user can press the button to execute
• Turn alias creation links from DNS lookups into submit buttons for POST
• Remove the JavaScript alert DNS resolution action from the firewall log view. It was already removed from 2.2, and
it’s better not to allow a GET request to perform that action
• Require click-through POST confirmation when restoring or deleting a configuration from the backup history
page
• Avoid a “Cannot use string offset as an array” error if the packages section of the config is missing
• Avoid generating an invalid IPsec (racoon) config if the user specified a mobile pool that is too small
• IPsec phase 2 pinghost was not used if the source IP was a virtual IP address #3798
• Move dhcp6c log to dhcpd.log #3799
• Do not reset source and destination port range values when it’s an associated rule created by NAT port forward.
#3778
• Added filter.so to list of extensions loaded for filter_var() support.
• The pfSense PHP module was setting the subnet mask of lo0 to /0, which could break some routes and cause
other unintended routing side effects.
2.1.4 New Features and Changes
pfSense® software version 2.1.4 follows very shortly after 2.1.3 and is primarily a security release. Refer to the 2.1.1
release notes, 2.1.2 release notes, and 2.1.3 release notes for other recent changes.
Security Fixes
• pfSense-SA-14_07.openssl
– FreeBSD-SA-14:14.openssl
• pfSense-SA-14_08.webgui
• pfSense-SA-14_09.webgui
• pfSense-SA-14_10.webgui
• pfSense-SA-14_11.webgui
• pfSense-SA-14_12.webgui
• pfSense-SA-14_13.packages
Packages also had their own independent fixes and need updating. During the firmware update process the packages
will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the
binaries is in use.
Other Fixes
• Patch for Captive Portal pipeno leaking issue which leads to the ‘Maximum login reached’ on Captive Portal.
#3062
• Remove text not relevant to Allowed IPs on the Captive Portal. #3594
• Remove units from burst as it is always specified in bytes. (Per ipfw(8)).
• Add column for internal port on UPnP status page.
• Make listening on interface rather than IP optional for UPnP.
• Fix highlighting of selected rules. #3646
• Add guiconfig to widgets not including it. #3498
• /etc/version_kernel and /etc/version_base no longer exist, use php_uname to get the version for XMLRPC check
instead.
• Fix variable typo. #3669
• Delete all IP Aliases when an interface is disabled. #3650
• Properly handle RRD archive rename during upgrade and squelch errors if it fails.
• Convert protocol ssl:// to https:// when creating HTTP headers for XMLRPC.
• Show disabled interfaces when they were already part of an interface group. This avoids showing a random
interface instead and letting the user add it by mistake. #3680
• The client-config-dir directive for OpenVPN is also useful when using OpenVPN’s internal DHCP while bridging, so add it in that case also.
• Use curl instead of fetch to download update files. #3691
• Escape variable before passing to shell from stop_service().
• Add some protection to parameters that come through _GET in service management.
• Escape argument on call to is_process_running, also remove some unnecessary mwexec() calls.
• Do not allow interface group name to be bigger than 15 chars. #3208
• Match members of a bridge interface more precisely; this should fix #3637
• Do not expire already-disabled users; fixes #3644
• Validate starttime and stoptime format on firewall_schedule_edit.php
• Be more careful with the host parameter on diag_dns.php and make sure it’s escaped when calling shell functions
• Escape parameters passed to shell_exec() in diag_smart.php and elsewhere
• Make sure variables are escaped/sanitized on status_rrd_graph_img.php
• Replace exec calls to run rm by unlink_if_exists() on status_rrd_graph_img.php
• Replace all `hostname` calls by php_uname(‘n’) on status_rrd_graph_img.php
• Replace all `date` calls by strftime() on status_rrd_graph_img.php
• Add $_gb to collect possibly garbage from exec return on status_rrd_graph_img.php
• Avoid directory traversal in pkg_edit.php when reading package xml files; also check that the file exists before trying to
read it
• Remove id=0 from miniupnpd menu and shortcut
• Remove . and / from pkg name to avoid directory traversal in pkg_mgr_install.php
• Fix core dump on viewing invalid package log
• Avoid directory traversal on system_firmware_restorefullbackup.php
• Re-generate session ID on a successful login to avoid session fixation
• Protect rssfeed parameters with htmlspecialchars() in rss.widget.php
• Protect servicestatusfilter parameter with htmlspecialchars() in services_status.widget.php
• Always set httponly attribute on cookies
• Set ‘Disable webConfigurator login autocomplete’ as on by default for new installs
• Simplify logic, add some protection to user input parameters on log.widget.php
• Make sure single quotes are encoded and avoid javascript injection on exec.php
• Add missing NAT protocols on firewall_nat_edit.php
• Remove extra data after space in DSCP and fix pf rule syntax. #3688
• Only include a scheduled rule if it is strictly before the end time. #3558
2.1.3 New Features and Changes
pfSense® software version 2.1.3 follows very shortly after 2.1.2 and is primarily a security release. Refer to the 2.1.1
release notes for changes from 2.1 to 2.1.1 and 2.1.2 release notes for changes from 2.1.1 to 2.1.2.
Security Fixes
• pfSense-SA-14_05.tcp
– FreeBSD-SA-14:08.tcp
• pfSense-SA-14_06.openssl
– FreeBSD-SA-14:09.openssl
Packages also had their own independent fixes and need updating. During the firmware update process the packages
will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the
binaries is in use.
Although these security issues warrant updating as soon as possible, they are of relatively minor impact to the average
user. According to the FreeBSD SA, the TCP flaw is mitigated by scrub in pf which is enabled by default in pfSense.
The OpenSSL flaw is not used by any daemons in the pfSense base system and only certain packages make use of the
affected feature, so the impact there is also minimal.
Other Fixes
• Various fixes to accommodate recent changes/optimizations in the tools repository
• Move clog binary to its proper place in /usr/local/ to respect hier(7)
• Fix remove button on Diagnostics > Tables #3627
• Fix more potential places for interface looping in OpenVPN and with normal interfaces
• Fixes for URL table alias updates (locking, reload)
• Fix IPsec Phase 1 duplication
• Fix ‘add rule on top of the list’ allowing after param to be -1
• Correct Captive Portal redirection URL to unbreak ones passed through Radius attributes and respect user
choices.
• Make miniupnpd listen on interface instead of IP
• Don’t refuse to delete a bridge in the GUI just because its bridge interface doesn’t exist; just log that it doesn’t
exist, don’t attempt to ifconfig destroy it, and delete it from the config
• Fixes for DynDNS to allow configurable check host.
• Resolver has no option for remote syslog, remove wrong copy/paste that was adding it when apinger was enabled
• Fix typo for GIF tunnels to work over IPv6
• Fix for dhcrelay target using default GW
• List Gateway Groups in Interface to send update from for custom DynDNS entries
2.1.2 New Features and Changes
pfSense® software version 2.1.2 follows very shortly after 2.1.1 and is primarily a security release. Refer to the 2.1.1
release notes for changes from 2.1 to 2.1.1.
Security Fixes
The Heartbleed OpenSSL bug and another OpenSSL bug were both covered by the following security announcements:
• pfSense-SA-14_04.openssl
– FreeBSD-SA-14:06.openssl
– CVE-2014-0160 (Heartbleed)
– CVE-2014-0076 (ECDSA Flaw)
Packages also had their own independent fixes and need updating. During the firmware update process the packages
will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the
binaries is in use.
Other Fixes
• On packages that use row_helper, when the user clicks the add or delete button the page scrolls to the top. #3569
• Correct typo on function name in Captive Portal bandwidth allocation
• Make extra sure that the firewall does not start multiple instances of dhcpleases if, for example, the PID is
stale/invalid and there is still a running instance.
• Fix CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by
uniqid and is not purely numeric. #3591
2.1.1 New Features and Changes
Security Fixes
• FreeBSD-SA-14:01.bsnmpd / CVE-2014-1452
• FreeBSD-SA-14:02.ntpd / CVE-2013-5211
• FreeBSD-SA-14:03.openssl / CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
• Use HTTPS to get updates. #2952
• Escape necessary chars to avoid XSS injection. #2952
• Add escapeshellarg() calls on more exec parameters.
• Replace some exec() calls by php functions like symlink, copy, unlink, etc.
• Use HTTPS for pfsense.org URLs.
• Protect output to browser by using htmlspecialchars. #3461
• Improve checks for params ‘id’, ‘dup’ and other similar ones to make sure they are numeric integer, also, pass
them through htmlspecialchars before printing.
• Remove special characters that can lead to shell/XSS compromises from submitted input when installing packages. #3461
• Ask for confirmation before a real package operation is performed, and submit the operation via POST for protection from CSRF. #3460
• Use HTTPS for fetching packages.
Interfaces
• Updated em/igb/ixgb/ixgbe drivers that add support for i210 and i354 NICs and fix issues with ix(4) cards.
• Prevent assigned vlans from having their tag changed.
• Fix ifconfig error on gif in certain cases.
• If rc.newwanip is run on an interface that should not have an IP address, do not take any action. This could lead
to certain interfaces bouncing link if they had no IP address.
• In rc.newwanip, if the interface is configured and not enabled, bail. The firewall does not need to change settings
for disabled interfaces. #3313
• Skip processing in rc.newwanip if the interface has no IP address.
• Fix pkg_edit.php to show interface description instead of interface name
• Make sure VLAN interfaces exist when they are configured #3270
• Limit CIDR choices for IPv4 on GRE interface. #3277
• Do not destroy an interface when it’s being disabled #3350
• Prevent the network or broadcast address from being set on an interface (console, GUI and wizard). #3196
• Reduce unnecessary operations and other fixes to MTU code. This fixes slow boot times and proper handling of
mtu for VLANs.
• Provide a dynamic gateway for GIF and GRE v6 tunnels so it can be used on firewall rules etc. #3484
• Bring up appropriate interface for GRE/GIF. #3281
• Prevent removing the IP from the underlying GRE interface in the OS when assigning GRE interface and
configuring an IP address. #3280
• When an interface goes down try to shut the RAs and dhcpd6 service on that interface. #2627
• Sync up ALTQ-capable interfaces list
• Trigger rc.newwanipv6 from PPPoE when it gets an inet6 configuration
• Update list of mobile service providers.
• Correct check to enable ieee8021x.
Gateways/Routing
• Respect default gateway option when adding a gateway from interfaces page. #3230
• Use a more accurate error message when attempting to add/edit a gateway that does not have an appropriate IP
address for the type. #3282
• Make return_gateways_array() return all disabled gateways when $disabled is true. #3291
• Don’t flush interface cache on each call of the function when looping through all gateways.
• Fix an issue that changes wrong gateway entry when items are hidden
• Delete static route when monitor IP is removed, also save monitor IP even when it’s disabled
• Return Gateway Group IP protocol version even when no gateway IP can be located.
• Remove broken ‘dynamic6’ gateway, we already have ipprotocol to tell us the IP version, leave it more simple
using only ‘dynamic’
NAT/Firewall Rules/Aliases
• Reload filter rules when activating or deactivating dhcpdv6 #3218
• Make sure no extra spaces end up in the parsed IP in the filter logs as it can lead to issues in other places (Easy
Rule, etc)
• Use (self) rather than any as the destination for the lockout rules
• Use (self) instead of any for web lockout
• Avoid pf table names conflict. #3268
• Fix display of full URL in URL table listing as seen in an Alias popup. #3242
• Make it more explicit that ‘update freq.’ for URL table aliases unit is days
• Fix situation where removing an alias entry and then adding a new one resulted in an entry box with broken
formatting. #3283
• Make sure pf rule labels never have more than 63 chars. #3208
• Rewrite the display_host_results() function to use spaces instead of tabs. It does a much better job of aligning
the fields in each column and works in all the browsers, particularly chrome which doesn’t support the tab
character.
• Handle comma-separated list of remote networks when making vpn_networks table
• Fix rules that pass out traffic for Proxy ARP VIP entries which had incorrect destination #3331
• Load only the options rather than clearing the whole ruleset.
• Validate IP address ranges correctly on Alias Bulk Import
• Fix display of CIDR/Update Freq in Alias Edit
• In the filter log, the protocol might also say “icmpv6” so account for that when making a rule using Easy Rule.
• Move ‘allow dhcpv6 client’ rules above block bogonsv6 ones. #3395
• Only add dhcpv6 client allow rules if ipv6allow is set
• Add all advanced options to rule table hover text.
• Open up Firewall Rules Advanced Options section if any values have been set.
• Validate rule Advanced Options numeric entries properly
• Disable default allow incoming rules for 6to4 and 6rd interfaces. This rule unintentionally allows all services
on the interface.
• Skip OpenVPN interfaces when creating the first set of manual rules to be consistent with the behavior of
Automatic Outbound NAT. #3528
• Try to restore the last working ruleset rather than staying without any configuration if an invalid ruleset is encountered.
• Fix days and weeks selection on schedules
• Prevent putting a subnet in the IPv6 address field since it breaks the filter generation process.
• Put a timeout of 30 seconds on the bogon update download. #3412
• Before downloading a file to process a URL table, there is a random wait of between 5 and 60 seconds. Because of
this, the difference between the file’s mtime and the current time can be less than $freq * 86400 and the update will be skipped. Add
90 seconds (60 for the maximum random wait + 30 to be sure) to avoid skipping a file that should be updated. #3469
• Validate that src OR dst has an IP address set when the protocol is IPv4+v6. #3499
• Improve data validation to avoid saving a host/subnet or an IPv4 address with an invalid mask. The reported error is in
JavaScript and only happens on IE8, but this fix will prevent the same issue happening in the future in a different
browser. #3449
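The URL table timing issue described in #3469 above is easier to see with a small simulation. This is an added Python illustration, not pfSense code (pfSense implements this check in PHP); the function names and the per-day wait values are constructed for the example.

```python
"""Simulate the daily URL table refresh job and show why the 90-second slack is needed."""
import random

DAY = 86400          # one day in seconds; $freq in pfSense is expressed in days
MIN_WAIT, MAX_WAIT = 5, 60   # random pre-download wait, per the release note
SLACK = MAX_WAIT + 30        # 90 s: max random wait plus a 30 s safety margin


def needs_update(now, mtime, freq_days, slack=0):
    """Return True if a URL table file with modification time `mtime` is due for refresh.

    Without slack this is the pre-fix check: the file is only refreshed when
    at least freq_days * DAY seconds have elapsed. With slack the comparison is
    loosened by `slack` seconds, which is what the #3469 fix does.
    """
    return (now - mtime) + slack >= freq_days * DAY


def simulate(freq_days, days, slack, waits):
    """Run the daily job for `days` days and return the list of days on which the
    file was actually refreshed.

    `waits[d]` is the random wait (in seconds) drawn on day d; cron itself
    fires at the same wall-clock time every day (t = d * DAY).
    """
    mtime = None
    refreshed = []
    for day in range(days):
        now = day * DAY + waits[day]   # download attempt happens after the wait
        if mtime is None or needs_update(now, mtime, freq_days, slack):
            mtime = now                # a fresh download sets the file mtime
            refreshed.append(day)
    return refreshed


# Constructed wait sequence: day 1 draws a shorter wait than day 0, so the
# measured age of the file is 86375 s, just under one day.
WAITS = [30, 5, 55, 10, 40]

if __name__ == "__main__":
    print("pre-fix  refresh days:", simulate(1, len(WAITS), 0, WAITS))      # [0, 2, 4]
    print("post-fix refresh days:", simulate(1, len(WAITS), SLACK, WAITS))  # [0, 1, 2, 3, 4]

    # With random waits the worst-case shortfall is MAX_WAIT - MIN_WAIT = 55 s,
    # which is less than SLACK, so the fixed check never skips a day.
    random.seed(1)
    rand_waits = [random.randint(MIN_WAIT, MAX_WAIT) for _ in range(30)]
    assert simulate(1, 30, SLACK, rand_waits) == list(range(30))
    print("post-fix with random waits: refreshed every day")
```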
Traffic Shaping
• Fixed typo in CoDel wiki link
• Fix codel not being applied on non-priq queue types
• Fix saving and range checking of ‘Packet loss rate’ and ‘Bucket Size’ in limiters.
• Add previously missing DSCP VA.
• Clarify note on limiter queue weight to state that higher values get a larger share.
Dashboard & General GUI
• Convert MAC address to lowercase when saving to avoid duplicates. Fixes #3195
• Include the CP zone in the form parameters if one is defined. Fixes access to concurrent graph on zones other
than the first/default.
• Miscellaneous HTML cleanup
• Fix interface names shown in the traffic graphs widget. #3245
• Send the help links to HTTPS destinations on web servers that support HTTPS.
• Specify favicon in pages directly
• Add some missing privileges to the list. #3279
• Many fixes on privileges. #3216
• Allow setting a default scale type preference for the traffic graphs widget
• Account for a widget being null/not defined, and not just closed/open when deciding if a widget function should
be called. This allows the system information dashboard widgets to update properly.
• Avoid dashboard divide by zero errors
• Detect Zones and Cores for thermal sensors using regex. #3337
• Do not sort users when adding privileges. It is unnecessary and led to unintentional edits to the wrong account.
• Add specific privilege for easyrule.
• Return all stats when all or remote is selected on Traffic Graph and make the default query return “Local” traffic.
• Update year, links for 2.1.1.
Captive Portal
• Fix CP stats generation for concurrent users. #3225
• Remove redundant copies of getNasIP() #3234
• Set default captive portal RADIUS authentication value to radius_protocol during upgrade #3226
• Add Captive Portal Zones privileges definition. #3216
• Prevent a possible division by zero in Captive Portal. #3212
• Fix saving of voucher sync settings
• Reduce the total minutes by the remote minutes used, do not use the value directly. Otherwise the voucher will
be cut short or listed invalid when it otherwise should have time left over.
• Make sure to give the Captive Portal zone a name during the upgrade, or else it comes through with a blank/null
name.
• Properly set zone dedicated rules in the rules/pipes DBs to properly release when a zone is deactivated
• Don’t generate rules for disabled captive portal instances
• Do some more error checking and include secondary RADIUS attributes only if configured on a Captive Portal instance.
• If set, use the default bandwidth setting on the Captive Portal even for MAC passthrough.
• Fix various problems with Captive Portal voucher synchronization introduced during conversion to zones.
• Properly compile the Captive Portal database query to insert the values.
• Fix deletion of IPFW rules and pipes for passthru MAC. #3538
• Use the 11th column for the radius context rather than overriding the interim interval field with it. #3447
• Use descr as the field name for voucher description so it gets CDATA protection. #3441
• Consider setting of noconcurrent login for passthrough expiration of users. #3340
• Use the default bandwidth specification if configured even for allowed IP address and hostname.
• Properly detect when there are issues communicating with the sync IP and fall back to the local DB in that case. Otherwise, if the remote says the voucher is not valid, report it as not valid.
VPN
• Fix find_service_by_openvpn_vpnid() on OpenVPN Status
• Allow special characters to be used on IPsec mobile login banner. #3247
• Fix cisco-avpair processing for IPsec and OpenVPN, and route processing from avpair replies.
• Fix logic in detecting if OpenVPN resync needed
• Fix vpn_pppoe_get_id and stop duplicating pppoeid for multiple servers. #2286
• Use env var provided by openvpn to determine if it’s tun or tap. #3475
• Add an option to verify IPsec peers_identifier when it’s ASN.1 distinguished name. #2904
Certificates
• Certificate Manager, for ‘Create an internal Certificate’ use the correct ‘Digest Algorithm’
• OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country
codes.
• Perform a much more accurate comparison between two certificates to determine if they are identical when
checking their revocation status. #3237
• Allow an “empty” CRL to be exported, since this is still a valid action.
• Fixes for “Alternative Names” on certificates.
• Fix issue with CSR generation. #2820
• Increase the default OpenSSL key size to 2048 bits.
DHCP
• Optimize DHCPv4 lease display online status for static leases. Do not re-parse complete ARP table for each
lease, as it can be slow with large ARP tables.
• Add upgrade code to change the DHCP next-server value to nextserver, since it was renamed sometime in 2.1 but the upgrade code didn’t follow.
• Give clients the IPv6 address of the DNS server via the DHCPv6 Server
• Check if dhcp start and end addresses are inside interface subnet. #3196
• Remove ‘deny unknown clients’ option from DHCPv6 since it’s not supported. #3364
• Fix DHCP lease time display; strftime already converts it to the local timezone, so there is no need to calculate an offset
• Use correct parameter (bootfile-url) to configure netboot on DHCPdv6. #3421
• Only use IPv4 DNS servers in IPv4 DHCP configuration. #3483
• Fix PHP error when saving DHCP settings if no manually configured DNS servers exist.
• Send a HUP to dhcp6 to signal a reload. #3514
Load Balancing
• Prevent a Fall Back Pool from being selected when the DNS protocol is in use. If one is present in the config,
ignore it. #3300
• Fix display of pools in the LB status widget and on the LB Virtual Server status.
Time
• Allow multiple valid time servers to be entered in the wizard, as they are allowed under System > General
• Update time zone data to 2013i
• Teach system_timezone_configure() to deal with symlinks to avoid having timezone misconfigured. #3293
• Add ‘limited’ to ntpd restrict list to workaround FreeBSD-SA-14:02.ntpd/CVE-2013-5211. #3384
• Use “disable monitor” in NTP config to mitigate FreeBSD-SA-14:02.ntpd/CVE-2013-5211.
• Update ntp to ntp-devel for FreeBSD-SA-14:02.ntpd/CVE-2013-5211.
• Avoid placing an empty “interface listen” directive in ntpd.conf.
Misc
• Fix ALIX upgrade crash during RRD processing
• Fix “Could not open shared memory for read 1000” issue on Diagnostics > NanoBSD. #3235
• Fix ufslabels.sh logic to avoid trying to convert slices which are already using appropriate labels. Fixes #3207
• Fix removal of the first cron job entry in the list.
• Remove unused newsyslog cron job from the default configuration and on upgrade.
• Split SSL/TLS into separate checkboxes so that plaintext connections can be made secured by using STARTTLS.
Support for SMTPS connections should probably be done away with in future. #3180
• Add source address selection to syslog settings, so it can work more effectively over a VPN. #355
• Rework the usage of the shell i/o during stop_packages(), fixes the “Syntax error: bad fd number” for the
remaining people who still saw it on shutdown
• Switch to rw mode before file operations on RFC2136 cache. Fixes #3201
• Make the RADIUS settings respect the description of the timeout field. If the timeout value is left blank, use 5
seconds, don’t print an error.
• Call conf_mount_rw before deleting a user. #3294
• Handle the reinstallall case with confirmation. #3548
• Do not list the same CARP ip as an option for its own Interface.
• Accept adding an IP Alias on top of a CARP VIP when the parent interface has a valid IP address in the alias subnet.
• Simplify log filtering logic by calling grep fewer times, as done in mail_reports.inc in 2c6efc9.
• Fix console recent config restore, allow restoration of the last backup listed. #3438
• Enhanced validation of general DNS servers and gateways
• Add a mechanism by which the serial port can be forced on always regardless of the config setting. (useful for
nano+vga setups)
• Add a knob to let the user select which console (video or serial) is preferred in cases where there are multiple
consoles present.
• Skip input validation when choosing an existing certificate in the User Manager. #3505
• pfSense_interface_deladdress() only knows how to delete an ip address, not a subnet. #3513
• Make is_linklocal case-insensitive. #3433
• Fix errors in RRD graph calculations
• Delete /var/crash content when the user clicks ‘No’. #3486
• Make sure filesystem is read-write when operating on groups. #3492
• Fix OpenVPN XML section name for selective configuration backup.
• Remove TRIM_set and TRIM_unset support. This method isn’t very elegant and isn’t necessary in the long run.
It’s better handled during the install process or while booted off other media (e.g. CD or Memstick).
2.1.0 New Features and Changes
Security Fixes
Three FreeBSD security advisories are applicable to prior pfSense® software releases. These aren’t remotely exploitable in and of themselves, but anyone who can execute arbitrary code on the firewall could use one or more of these to escalate privileges.
• FreeBSD-SA-13:13.nullfs
• FreeBSD-SA-13:12.ifioctl.asc
• FreeBSD-SA-13:09.ip_multicast.asc
IPv6 Support
IPv6 support has been added to many areas of the GUI. At least the following areas/features are IPv6-enabled; others may work as well.
• Aliases (Firewall) - Aliases can contain both IPv4 and IPv6, only addresses relevant to a given rule will be used
• CARP RA
• CARP Failover
• DHCP Server w/Prefix Delegation
• SLAAC WAN
• 6to4 WAN
• 6to4 WAN w/Prefix Delegation
• 6rd WAN
• 6rd WAN w/Prefix Delegation
• DHCP6 WAN
• DHCP6 WAN w/Prefix Delegation
• DHCPv6 Relay
• DNS Forwarder
• Firewall Rules
• Gateway Groups/Multi-WAN - See Configuring Multi-WAN for IPv6
• Gateway Status (apinger)
• GIF Tunnels
• GRE Tunnels
• GUI Access
• IPsec
• L2TP
• NPt
• NTP
• OpenVPN
• Packet Capture
• PPPoE WAN
• Router Advertisements
• Routing
• Server LB
• Static IP
• Syslog (remote)
• Limiters (dummynet pipes)
• Virtual IPs - IP Alias
• Virtual IPs - CARP
• DNS from RA
• Accept RA when forwarding
• Auth via RADIUS
• Auth via LDAP
• XMLRPC Sync
• RRD Graphs
• DHCP Static Mapping - Works by DUID
• DynDNS (HE.net hosted DNS, RFC2136, custom)
• MAC OUI database lookup support for NDP and DHCPv6 (was already present for DHCP leases and the ARP table). Requires the nmap package to be installed to activate.
Note: Unlike earlier snapshots, BETA, etc., the upgrade currently does NOT flip the “Allow IPv6” checkbox on upgrade, to preserve existing behavior. To activate IPv6 traffic, a user will have to flip this setting manually.
Packages
• PBI (push button installer) package support - all of a package’s files and dependencies are kept in an isolated
location so packages cannot interfere with one another in the way that was possible on 2.0.x and before using
tbz packages
• RIP (routed) moved to a package
• OLSRD moved to a package
• Unbound moved back to a package (Will try integration again for 2.2)
• Increase the verbosity of the package reinstallation process in the system logs for a post-firmware-update package reinstallation operation
OS/Binary/Supporting Program Updates
• Based on FreeBSD 8.3
• Updated Atheros drivers
• OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc
• PHP to 5.3.x
• OpenVPN to 2.3.x
• Added mps kernel module
• Added ahci kernel module
• Updated ixgbe driver
• Many other supporting packages have been updated
Dashboard & General GUI
• Switch from Prototype to jQuery
• Improved navigation and service status in the GUI (shortcut icons in each section to quickly access config, logs,
status, control services, etc)
• Multiple language support, a mostly-complete translation for Brazilian Portuguese is included
• Read-only privilege to create a user that cannot modify config.xml
• Dashboard update check can be disabled
• Fixed theme inconsistencies between the login form and other parts of the GUI
• Various fixes to pages to reduce potential exposure to certain CSRF/XSS vectors
• Updated CSRF Magic
• Set CSRF Magic token timeout to be the same as the login expiration
• Added IE Mobile for WP8 to list of browsers that get an alternate theme at login
• Truncate service status so long package descriptions cannot break formatting of the status table
• Many fixes to HTML/XHTML to improve rendering and validation
• Added a note to the setup wizard letting the user know that it can be canceled at any time by clicking the logo
image
• Make dashboard update check respect nanobsd-vga #3078
• Firewall Logs Widget filtering and column changes
• Added totals for some dashboard widget meters (memory, swap, disk usage)
• Changed dashboard display for states and mbufs to be meters, and to show usage as a percentage
• Update dashboard mbuf count via AJAX
• Show a count and layout of CPUs in the dashboard if multiple CPUs are detected
Captive Portal
• Multi instance Captive Portal
• Multiple Captive Portal RADIUS authentication sources (e.g. one for users, one for cards)
• Logic fixes for voucher encryption
• Many optimizations to Captive Portal processing, including a database backend and moving functions to a PHP module to improve speed
• Optional Captive Portal user privilege
• Add checks to make sure the CP hard timeout is less than or equal to the DHCP server default lease time, to avoid issues with CP sessions being valid for incorrect IPs, and users switching IPs while they should still be connected to the portal
• Fixes for captive portal voucher syncing on HTTPS with a custom port #3001
• Fixes for custom Captive Portal files leaving symlinks on the filesystem after files were removed
• Added MAC OUI database lookup support to CP status (requires nmap package to be installed)
OS/System Management
• Ability to select serial port speed
• Added a manual way to enable TRIM if someone needs it
• Added a manual way to trigger a fsck on reboot
• AES-NI support (Cryptographic Accelerator feature on new Intel/AMD CPUs) – Still experimental, not supported by some areas of the OS yet.
• Support for certain thermal sensors via ACPI, coretemp, and amdtemp
• System startup beep can be disabled
• Separate powerd setting for when on battery
• Add optional ability to change the size of RAM disks for /var/ and /tmp/ for systems that have RAM to spare
• Add optional ability for full installs to use RAM disks for /var/ and /tmp/ as is done on NanoBSD. Reduces
overall writes to the media, should be more SSD-friendly
• Use a custom sysDescr for snmp similar to m0n0wall’s format. Fixes #2893
• Added tunable to allow disabling net.inet.udp.checksum - disabling UDP checksums can improve performance,
but can also have negative side effects
• Added an mtree database with the correct default permissions, owner, sha256 sum, and some other information
that is used to verify file permissions post-install and post-upgrade
• APC is not started for PHP unless the system has over 512MB RAM, to reduce memory usage on systems with
low RAM
Multi-WAN
• DynDNS multi-WAN failover
• IPsec multi-WAN failover
• OpenVPN multi-WAN failover
• Changed descriptions of the values for gateway monitoring
• Display apinger (gateway monitoring daemon) as a service when it is enabled
• Fixes for apinger to reload via SIGHUP properly, to avoid unnecessary restarts and loss of gateway status data
• “State Killing on Gateway Failure” now kills ALL states when a gateway has been detected as down, not just
states on the failing WAN. This is done because otherwise the LAN-side states were not killed before, and thus
some connections would be in limbo, especially SIP.
• Due to the change in its behavior, “State Killing on Gateway Failure” is now disabled by default in new configurations and is disabled during upgrade. If the feature is desired, it must be manually re-enabled post-upgrade.
NTP
• NTP daemon now has GPS support
IPsec
• More IPsec hash algorithms and DH key groups added, “base” negotiation mode added
• Mobile IPsec supports separate “split dns” field and doesn’t assume the default domain for split DNS domains
• Properly ignore disabled IPsec phase 2 entries
• NAT before IPsec (1:1 or many:1) outbound
• Set default Proposal Check setting to Obey for mobile IPsec
• LDAP and RADIUS are now possible authentication sources for IPsec mobile xauth
• Delete the SPDs for an old IPsec entry when it is disabled or removed #2719
• Manage active SPDs on CARP secondary during sync #2303
• Add an option to force IPsec to reload on failover, which is needed in some cases for IPsec to fail from one
interface to another. #2896
OpenVPN
• OpenVPN can accept attributes from RADIUS via avpairs for things like inacl, outacl, dns-server, routes
• OpenVPN checkbox for “topology subnet” to use one IP per client in tun mode
• OpenVPN local/remote network boxes can accept multiple comma-separated networks
• OpenVPN status for SSL/TLS server instances can now display the routing table for the VPN instance
• OpenVPN now allows selecting “localhost” as the interface
• Gateways are created for assigned OpenVPN server instances as well as clients
• OpenVPN instances can run on the same port on different interfaces
• OpenVPN status page now has service controls to show the status of the daemon running each instance, and
allow for stop/start/restart from that page
• Changed wording of the error displayed when a daemon is not running or the management interface of OpenVPN
cannot be reached for an instance
• OpenVPN client-specific Override cleanup fixes
• Fixed double-click to edit of OpenVPN Client-Specific Overrides
NAT/Firewall Rules/Alias
• Aliases separated into tabs for Hosts, Ports, and URLs to improve manageability
• NAT reflection options re-worded to be less confusing
• Adjustable source tracking timeout for Sticky connections
• Firewall rules now support matching on ECE and CWR TCP flags
• Filtering on ECE and CWR TCP flags is now possible
• Added ICMP to protocol list when creating rdr (port forward) rules
• Keep proper positioning of duplicated outbound NAT rules #1118
• When using the + at the top of Outbound NAT rules, add the rule to the top of the list and not the bottom
• Fix ordering of interface group rules in the ruleset #2837
• Track time and user@host which created or updated a firewall, NAT port forward, or outbound NAT rule.
If timestamp records are present, display them at the bottom of the rule page when editing. Have the created
time/user pre-filled for automated rules such as NAT port forward associated rules and the switch from automatic
to manual outbound NAT
• Fix generation of manual outbound NAT rules so that localhost and VPN rules are not unnecessarily duplicated
• Prevent using “block” for an alias name, as it is a pf reserved keyword
• Allow TCP flags to be used on block or reject rules, since they are also valid there
• Updates/fixes to DSCP handling
• Allow advanced options state-related parameters to be used for TCP, UDP, and ICMP – Formerly only allowed
on TCP
• Respect ports found in rules when policy route negation rules are made, #3173
• Do not include disabled OpenVPN networks in generated policy route negation rules
Certificates
• Improved denoting of certificate purposes in the certificate list
• Imported CRLs can be edited and replaced
• Can set digest algorithm for CA/Certs (sha1, sha256, etc)
• Default digest algorithm is now SHA256
• Show CA and certificate start and end dates in their listings
• Correct tooltip description when adding a certificate #3017
• Relax input validation on a CA/Cert description since it is only used cosmetically in pfSense and not in the
actual CA/cert subject
• Allow removing blank/empty CA and Cert entries
Logging
• More system log separation, Gateways, Routing, Resolver split into their own tabs
• Firewall logs can now be filtered by many different criteria
• Firewall logs can be sorted by any column
• Firewall logs can optionally show the matching rule description in a separate column or in between rows
• Firewall logs now show an indicator icon if the direction of a log entry is OUT rather than IN
• Add popup DNS resolution method to firewall log view
• Reduced logging output from IGMP proxy
• Reduced logging output from DynDNS
• Relocated filterdns logs to the resolver log file/tab
• Relocated DHCP client logs to the DHCP tab
• Fix system script logging so the correct script filename is printed in the log, rather than omitting the script name
entirely
• Add independent logging choices to disable logging of bogon network rules and private network rules. Add
upgrade code to obey the existing behavior for users (if default block logging was disabled, so is bogon/private
rule blocking)
• Add a checkbox to disable the lighttpd log for people who don’t want their system log full of messages from
lighttpd in some cases where they are filling the log unnecessarily
Notifications
• Add the ability to disable Growl or SMTP notifications but keep their settings intact, so the mail settings can be
used for other purposes (packages, etc)
• Add a test button to selectively test Growl or SMTP notifications without re-saving settings
• Do not automatically generate a test notification on saving notification settings, as there are now individual test
buttons
High Availability (CARP, pfSync, XML-RPC)
• High Availability Synchronization options (formerly known as “CARP Settings” under Virtual IPs) promoted to their own menu entry, System > High Avail. Sync
• Ensure that the user does not remove only the last IP alias needed for a CARP VIP in an additional subnet
• Disable pfsync interface when state synchronization is not in use
• Fixed issues with DHCP server config synchronization ordering on secondary nodes #2600
• Restart OpenVPN servers when CARP transitions to master (clients were already restarted), otherwise if CARP
was disabled, the servers would never recover
• Removed the automatic pfsync rule, since the documentation always recommends adding it manually, and to
add it behind the scenes with no way to block it can be counter-productive (and potentially insecure). If the
documentation was not followed and a pfsync or allow all rule was not added on the sync interface, then
state synchronization may break after this upgrade. Add an appropriate rule to the sync interface and it
will work again.
• Allow XMLRPC to sync IP Alias VIPs set to Localhost for their interface
• In DHCP leases view, use the internal interface name (lan/opt1/etc) for the failover pool name, rather than a
number. In certain cases the number can get out of sync between the two nodes, but the interface names will
always match
• Print the user-configured interface description next to the DHCP failover pool name, rather than only the internal
name (lan/opt1/etc)
• Add option to synchronize authentication servers (RADIUS, LDAP) via XMLRPC
NanoBSD
• Fixes for conf_mount_ro/conf_mount_rw reference checking/locking
• Diag > NanoBSD now has button to switch media between read/write and read-only
• Diag > NanoBSD now has a checkbox option to keep the media read/write
• Fixed an issue with NanoBSD time zones not being properly respected by all processes the first reboot after a
firmware upgrade
DHCP Server
• DHCP can support multiple pools inside a single subnet, with distinct options per pool
• DHCP can allow/deny access to a DHCP pool by partial (or full) MAC address
• DHCP static mappings can have custom settings for gateway, DNS, etc
• DHCP static mappings can optionally have a static ARP entry created
• Fix Dynamic DNS updates from DHCP (ISC changed the config layout and requires zone declarations)
• When crafting DHCP Dynamic DNS zones, do not use invalid DNS servers for the IP type (e.g. skip IPv6 DNS
servers, because the DHCP daemon rejects them)
• Added a config backup section choice for DHCPv6
Traffic Shaper
• Schedules can now be used with limiters
• Traffic shaper queues view updated
• CoDel AQM Shaper Discipline
• Allow PRIQ queues to be deleted. #3037
• Limiters now allow the user to set the mask they want to use, rather than assuming masking will always be
per-IP. This allows per-subnet limits and similar
• Limiters now allow setting masking for IPv6
• Limiters now allow setting a burst size. This will pass X amount of data (TOTAL, NOT a rate) after an idle
period before enforcing the limit
DNS Forwarder
• DNS Forwarder: added a DNS query forwarding section with options for sequential querying and require domain
• Allow a null forwarding server in DNS Forwarder domain overrides to ensure that queries stay local and never
go outside the firewall
• Add DNS Forwarder option to not forward private reverse lookups
• DNS Forwarder domain overrides can now specify a source address for the query, to help resolve hostnames
over VPN tunnels
• DNS Forwarder now can change the port upon which it listens, for better cohabitation with other DNS software
such as tinydns or unbound, if both are needed
• DNS Forwarder now has an option to select the interfaces/IP Addresses upon which it will respond to queries
• DNS Forwarder can now be set to only bind to specific IPv4 IPs (the underlying software, dnsmasq, does not
support selectively binding to IPv6 IPs)
• Improved handling of some dnsmasq custom config options
User Manager
• Configurable RADIUS authentication timeout in User Manager
• Print the error message from LDAP in the log for a bind failure. Helps track down reasons for authentication
failures
• Re-enable the admin user if it is disabled when the ‘Reset webConfigurator password’ option is used. Fixes #2877
• Restrict maximum group name length to 16 characters or less (OS restriction)
• Added option to UTF-8 encode LDAP parameters to improve handling of international characters
• CDATA protected LDAP fields in config to avoid invalid XML with international characters
DynDNS
• Fixed handling of DynDNS 25-day update and add ability to configure update interval
• Added DynDNS No-IP Free Account Support
• Add AAAA support to RFC2136 updates
• Add cached IP support to RFC2136, add GUI button to force update for single host
• Fix double click row to edit for RFC2136
• Add option to RFC2136 to find/use the public IP if the interface IP is private. (Off by default to preserve existing
behavior on upgrade)
• Add server IP column and cached IP display to RFC2136 host list
• Include RFC2136 hosts in DNS rebinding checks
• Include both dyndns and RFC2136 hosts in referer check
Graphs
• Add ability to reverse-resolve IPs on Status > Traffic Graph in the rate table
• Add ability to filter local or remote IPs on Status > Traffic Graph in the rate table
• Change maximum values for RRD throughput to account for 10G links. Previous maximums would have caused
blank spots on the graph during periods of high throughput
• Fixes to RRD data resolution/retention
• Added RRD Graph for mbuf clusters
• Changed default RRD graph colors to be more visually distinct to help avoid ambiguity between multiple values
on the same graph
Misc
• Add option to the packet capture page to control whether or not promiscuous mode is used on the NIC. Certain
drivers have issues with promiscuous mode
• Make parent interface and all VLANs share MTU #2786
• Fix cellular signal strength indicator
• Fix PPP config cleanup when removing an interface #2758
• Disallow adding IP Alias or CARP VIP that would be the network or broadcast address of a subnet
• Diagnostics > Sockets page to show open network sockets on the firewall
• Diagnostics > Test Port page to perform a simple TCP connection test to see if a port is open
• The pftop page has additional options to display more detailed information and sort it
• Fixed conflict between static IP and static route in the same subnet #2039
• Do not apply static ARP entries to disabled interfaces #1988
• Do not allow a bridge to be assigned as a member of itself #1153
• Changed Diag > Ping to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces,
IPv6 Link-Local IPs)
• Changed Diag > Traceroute to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN
interfaces, IPv6 Link-Local IPs)
• Changed shell prompt to not force background color, to be kinder to those not using black as a background in
their terminal
• Add a field to allow rejecting DHCP leases from a specific upstream DHCP server. #2704
• Updated the help system to handle some recent added files for 2.x and clean out some old/obsolete files
• Allow selecting “Localhost” as an interface for IP Alias VIPs - this way IP Alias VIPs may be used for binding
firewall services (e.g. Proxy, VPN, etc) in routed subnets without burning IPs for CARP unnecessarily
• Updated list of mobile service providers
• Fix max length for wpa passphrase. A 64-char passphrase would be rejected by hostapd and leave an AP in an
open state #3034
• Added MSS clamping to the setup wizard
• Add a setting to configure the filterdns hostname resolution interval (defaults to 300s, 5 minutes)
• Omit IP mismatch warnings (e.g. behind a port forward, VPN IP, etc) if HTTP_REFERER protection is disabled
• Fixes for selecting/detecting PPP devices such as 3G/4G modems
• Rather than doing auto-detection to find serial PPP devices, use a glob when listing potential PPP serial devices
• Prevent sshlockout from a crash/coredump if a format string like %s is present in the buffer
• Fix SMART to see adaX devices
• Fix SMART interpretation of output from SCSI devices
• Fixed display of user SSH keys when present
• Updated p0f database from FreeBSD
• Fix UPnP Interface name selection to show the configured description entered by the user
• Allow setting the external UPnP interface (must be default route WAN)
• Fix Diag > Tables AJAX fadeOut after deletion for rows with CIDR mask format
• Improve Diagnostics > Routes to fetch output via AJAX and have configurable filtering and sizes. Improves
handling of large routing tables, such as a full BGP feed
• When deleting or renaming a virtual server from the Load Balancer (relayd) manually clean up the NAT rules it
leaves behind to avoid conflicts
• Many, many bug fixes
• Various fixes for typos, formatting, input validation, etc
SH/PHP Shell Scripts
• Git package for gitsync is now pulled in as a pfSense-style PBI package
• Shell scripts added to enable/disable CARP:
pfSsh.php playback enablecarp
pfSsh.php playback disablecarp
• Shell scripts to add and remove packages from the command line:
pfSsh.php playback installpkg "Some Package"
pfSsh.php playback uninstallpkg "Some Package"
pfSsh.php playback listpkg
• Added shell script to remove shaper settings:
pfSsh.php playback removeshaper
• Add shell script to control services from the command line:
pfSsh.php playback svc start <service name>
pfSsh.php playback svc restart <service name>
pfSsh.php playback svc stop <service name>
• Add a simple CLI mail script capable of sending an SMTP message using echo/piped input (uses SMTP notification settings for server details):
ifconfig -a | mail.php -s"ifconfig output"
• Added a script to convert a user’s filesystem from device names to UFS labels, for easier portability in case the
disk device changes names (e.g. adX to adY, adX to daY, or adX to adaX). ONLY FOR FULL INSTALLS.
NanoBSD already uses labels.
/usr/local/sbin/ufslabels.sh
2.0.3 New Features and Changes
pfSense® software 2.0.3 is a maintenance release with some bug fixes since 2.0.2 release. It is possible to upgrade
from any previous release to 2.0.3.
Because this release followed shortly after 2.0.2, review the 2.0.2 New Features and Changes document as well.
The changelog for pfSense 2.0.3-RELEASE follows.
Security Advisories
• Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03
PPP
• Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)
Captive Portal
• Fix Captive Portal Redirect URL trimming
• Voucher sync fixes
• Captive portal pruning/locking fixes
• Fix problem with fastcgi crashing
OpenVPN
• Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route
from OSPF or elsewhere could prevent an instance from restarting properly
• Always clear the OpenVPN route when using shared key, no matter how the tunnel network “CIDR” is set
• Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually
• Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. #2652
• Fix interface assignment descriptions when using > 10 OpenVPN instances
Logging
• Put syslogd into secure mode so it refuses remote syslog messages
• If syslog messages are in the log, and the hostname does not match the firewall, display the supplied hostname
• Fix PPP log display to use the correct log handling method
• Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log
output (e.g. username)
Traffic Shaper
• Fix editing of traffic shaper default queues. #1995
• Fix wording for VoIP address option in the shaper. Add rule going the other direction to catch connections
initiated both ways
Dashboard & General GUI
• Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others
are active
• Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage
• Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help
avoid accidental cross-architecture upgrades
• Add header to DHCP static mappings table
• When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the
shutdown output appears in the correct location on the page
• Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs
• Fixed SNMP interface binding glitch (Setting was active but not reflected when viewed in GUI)
• Add a new class called addgatewaybox to make it easier to respect custom themes #2900
Console Menu Changes
• Correct accidental interface assignment changes when changing settings on the console menu
• Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a
more effective way to restart the GUI since if a PHP process is hung, restarting lighttpd alone will not recover
from that
• Fix port display after LAN IP reset
Misc Changes
• Change how the listening address is passed to miniupnpd, the old method was resulting in errors for some users
• Fix “out” packet count reporting
• Be a little smarter about the default kernel in rare cases where it cannot determine what was in use
• Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases
• Minimise rewriting of /etc/gettytab (https://forum.netgate.com/post/51581)
• Make is_pid_running function return more consistent results by using isvalidpid
• Fix ataidle error on systems that have no ATA HDD. #2739
• Update Time Zone database zoneinfo to 2012.j to pick up on recent zone/DST/etc changes
• Fix handling of LDAP certificates, the library no longer properly handles files with spaces in the CA certificate
filename
• Bring in the RCFILEPREFIX as constant fixes from HEAD, since otherwise rc.stop_packages was globbing in
the wrong dir and executing the wrong scripts. Also seems to have fixed the “bad fd” error
• NTP restart fixes
• Gitsync now pulls in git package from pfSense package repository rather than FreeBSD
• Fixed handling of RRD data in config.xml backups when exporting an encrypted config #2836
• Moved apinger status to /var/run instead of /tmp
• Fixes for FTP proxy on non-default gateway WANs
• Fixes for OVA images
• Use new pfSense repository location ( http://github.com/pfsense/pfsense/ )
• Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status
file/etc
lighttpd changes
• Improve tuning of lighttpd and php processes
• Use separate paths for GUI and Captive Portal fastcgi sockets
• Always make sure php has its own process manager to make lighttpd happy
• Make mod_fastcgi last to have url.rewrite work properly
• Enable mod_evasive if needed for Captive Portal
• Simplify lighttpd config
• Send all lighttpd logs to syslog
Binary changes
• dnsmasq to 2.65
• rsync to 3.0.9
• links 2.7
• rrdtool to 1.2.30
• PHP to 5.2.17_13
• OpenVPN 2.2 stock again (Removed IPv6 patches since those are only needed on 2.1 now)
• Fix missing “beep” binary on amd64
• Fix potential issue with IPsec routing of client traffic
• Remove lighttpd spawnfcgi dependency
• Add splash device to wrap_vga kernels (It’s in GENERIC so full installs already have it). #2723
filterdns
• Correct an issue with unallocated structure
• Avoid issues with pidfiles being overwritten, lock the file during modifications
• Make filterdns restartable and properly cleanup its tables upon exit or during a reconfiguration
dhcpleases
• Correct use after free and also support hostnames with other DNS suffix
• Reinit on any error rather than just forgetting. Also the difftime checks are done after having a complete view, so there is no
need to do them every time
• Typo fixes
• Log that a HUP signal is being sent to the pid file submitted by argument
• Prevent bad parsing of empty hostnames in lease file. Add an f option to run dhcpleases in the foreground. The only
option needed while in foreground is the h parameter, and it is the only usable one as well
2.0.2 New Features and Changes
pfSense® software 2.0.2 is a maintenance release with some bug and security fixes since 2.0.1 release. It is possible
to upgrade from any previous release to 2.0.2.
What follows is a mostly-complete changelog for pfSense 2.0.2-RELEASE
FreeBSD Security Advisories
Base OS updated to 8.1-RELEASE-p13 to address the following FreeBSD Security Advisories:
• FreeBSD-SA-12:01.openssl (v1.0/v1.1) http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc
• FreeBSD-SA-12:02.crypt http://security.FreeBSD.org/advisories/FreeBSD-SA-12:02.crypt.asc
• FreeBSD-SA-12:04.sysret (v1.0/v1.1) http://security.FreeBSD.org/advisories/FreeBSD-SA-12:04.sysret.asc
• FreeBSD-SA-12:07.hostapd https://www.freebsd.org/security/advisories/FreeBSD-SA-12:07.hostapd.asc
PPTP
• Added a warning to PPTP VPN configuration page
Warning: PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2
which has been compromised. Be aware that intercepted traffic can be decrypted by a third party, so
it should be considered unencrypted. Migrate to another VPN type such as OpenVPN or IPsec.
More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
• Fix reference to PPTP secondary RADIUS server shared secret.
• PPTP upgrade fixes.
NTP Changes
• OpenNTPD was dropped in favor of the ntp.org NTP daemon, used by FreeBSD.
• Status page added (Status > NTP) to show status of clock sync
• NTP logging fixed.
Note: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. Selective interface
binding may still be used to control which IP addresses will accept traffic, but be aware that the default behavior has
changed.
Dashboard & General GUI Fixes
• Various fixes for typos, wording, and so on.
• Do not redirect on saving services status widget.
• Don’t use $pconfig in widgets, it has unintended side effects.
• Fix display of widgets with configuration controls in IE.
• Changed some padding/margin in the CSS in order to avoid wrapping the menu.
• #2165 Change to embed to prevent IE9 from misbehaving when loading the Traffic Graph page
OpenVPN Fixes
• Safer for 1.2.3 upgrades to assume OpenVPN interface == any, since 1.2.3 didn’t have a way to bind to an
interface. Otherwise people accepting connections on opt interfaces on 1.2.3 will break on upgrade until the
proper interface is selected in the GUI
• Don’t ignore when multiple OpenVPN DNS, NTP, WINS, etc servers were specified in 1.2.3 when upgrading.
1.2.3 separated by ;, 2.x uses separate vars.
• Fix upgrade code for 1.2.3 with assigned OpenVPN interface.
• Fix LZO setting for Upgraded OpenVPN (was turning compression on even if old config had it disabled.)
• Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is
in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this
start/stop. If an OpenVPN client is active on both the master and backup system, they will cause conflicting
connections to the server. Servers do not care as they only accept, not initiate.
IPsec fixes
• Only do foreach on IPsec p2’s if it’s actually an array.
• #2201 Don’t let an empty subnet into racoon.conf, it can cause parse errors.
• #2201 Reject an interface without a subnet as a network source in the IPsec Phase 2 GUI.
• Add routes even when IPsec is on WAN, as WAN may not be the default gateway.
• #1986 Revamped IPsec status display and widget to properly account for mobile clients.
• Fixed a bug that caused the IPsec status and widget to display slowly when mobile clients were enabled.
User Manager Fixes
• #2066 Improve adding/removing of users accounts to the underlying OS, especially accounts with a numeric
username.
• Include admin user in bootup account sync
• Fix permission and certificate display for the admin user
• Fix ssh key note to refer to DSA not just RSA since both work.
• “:” chars are invalid in a comment field, filter them out.
• When renaming a user, make sure to remove the previous user or it gets left in /etc/passwd.
• #2326 Do not allow empty passwords since this might cause problems for some authentication servers like
LDAP.
Captive Portal Fixes
• Take routing table into account when figuring out which IP address to use for talking to CP clients.
• Prevent browser auto-fill username and password on voucher config, as it can interfere with the settings being
properly saved if sync isn’t fully configured, which this can make happen accidentally.
• Correct the Called-Station-Id attribute setting to be the same on STOP/START packets
• Correct the Called-Station-Id attribute setting to be consistent on the data sent
• #2082 Correct the log to display the correct information about an existing session
• #2052 Remove duplicate rule
• Fix which roll to write when writing the active voucher db
• Always load ipfw when enabling CP to ensure the pfil hooks are setup right
• #2378 Fix selection of CP interfaces when using more than 10 opt interfaces.
• Strengthen voucher randomization.
NAT/Firewall Rules/Alias Fixes
• #2327 Respect the value of the per-rule “disable reply-to” checkbox.
• #1882 Fix an invalid pf rule generated from a port forward with dest=any on an interface with ip=none
• #2163 1:1 Reflection fixes for static route subnets and multiple subnets on the same interface.
• Better validation on URL table alias input from downloaded files.
• #2293 Don’t put an extra space after “pass” when assuming it as the default action or later tests will fail to match
this as a pass rule.
• Update help text for Host aliases to indicate FQDNs are allowed.
• #2210 Go back to scrub rather than “scrub in”, the latter breaks MSS clamping for egress traffic
• Fix preservation of the selection of interfaces on input errors for floating rules.
• Fix URL table update frequency box.
• Fix input validation for port forwards, Local Port must be specified.
• Added a setting to increase the maximum number of pf tables, and increased the default to 3000.
• Properly determine active GUI and redirect ports for anti-lockout rule, for display and in the actual rule.
• Handle loading pf limits (timers, states, table/entry limits, etc) in a separate file to avoid a chicken-and-egg
scenario where the limits would never be increased properly.
Interface/Bridging Fixes
• Correct checking if a gif is part of bridge so that it actually works correctly adding a gif after having created it
on bootup
• Use the latest functions from pfSense module for getting interface list
• Use the latest functions from pfSense module for creating bridges
• Implement is_jumbo_capable in a more performant way. This should help with large number of interfaces
• Since the CARP interface name changed to “vipN” from “carpN”, devd needs to follow that change as well.
• #2242 Show lagg protocol and member interfaces on Status > Interfaces.
• #2212 Correctly stop dhclient process when an interface is changed away from DHCP.
• Fixed 3G SIM PIN usage for Huawei devices
• Properly obey MTU set on Interface page for PPP type WANs.
Other Misc. Fixes
• #2057 Add a checkbox that disables automatically generating negate rules for directly connected networks and
VPNs.
• Mark “Destination server” as a required field for DHCP Relay
• Clarify the potential pitfalls when setting the Frequency Probe and Down parameters.
• Add a PHP Shell shortcut to disable referer check (playback disablereferercheck)
• #2040 Make Wireless Status tables sortable
• #2068 Fix multiple keys in a file for RFC2136 dyndns updates.
• Check to see if the pid file exists before trying to kill a process
• #2144 Be smarter about how to split a Namecheap hostname into host/domain.
• Add a small script to disable APM on ATA drives if they claim to support it. Leaving this on will kill drives
long-term, especially laptop drives, by generating excessive Load Cycles. The APM bit set will persist until the
drive is power cycled, so it’s necessary to run on each boot to be sure.
• #2158 Change SNMP binding option to work on any eligible interface/VIP. If the old bindlan option is there,
assume the lan interface for binding.
• Fix reference to PPTP secondary RADIUS server shared secret.
• PPTP upgrade fixes.
• #2147 Add button to download a .p12 of a cert+key.
• #2233 Carry over the key length on input errors when creating a certificate signing request.
• #2207 Use PHP’s built-in RFC 2822 date format.
• Allow specifying the branch name after the repository URL for gitsync command-line arguments and remove
an unnecessary use of the backtick operator.
• Correct send_multiple_events to conform with new check_reload_status behaviour
• Do not wipe logs on reboot on full install
• Set FCGI_CHILDREN to 0 since it does not make sense for php to manage itself when lighttpd is doing so.
This makes it possible to recover from 550-Internal... error.
• Support for xmlrpcauthuser and xmlrpcauthpass in $g.
• Fix Layer 7 pattern upload, button text check was incorrect.
• Correct building of traffic shaping queue to not depend on parent mask
• #2239 Add alias support to static routes
• Use !empty instead of isset to prevent accidental deletion of the last used repository URL when firmware update
gitsync settings have been saved without a repository URL.
• Better error handling for crypt_data and also better password argument handling
• Stop service needs to wait for the process to be stopped before trying to restart it.
• Use a better default update url
• Fix missing description in rowhelper for packages.
• #2402, #1564 Move the stop_packages code to a function, and call the function from the shell script, and call
the function directly for a reboot.
• #1917 Fix DHCP domain search list
• Update Time Zone zoneinfo database using latest zones from FreeBSD
• Handle HTTPOnly and Secure flags on cookies
• Fixed notifications for firmware upgrade progress
• Removed an invalid declaration that considered 99.0.0.0/8 a private address.
• Fixed redirect request for IE8/9
• #1049 Fix crashes on NanoBSD during package removal/reinstall. Could result in the GUI being inaccessible
after a firmware update.
• Fix some issues with upgrading NanoBSD+VGA and NanoBSD+VGA Image Generation
• Fix issues upgrading from systems with the old “Uniprocessor” kernel which no longer exists.
• Fix a few potential XSS/CSRF vectors.
• Fixed issue with login page not showing the correct selected theme in certain configurations.
• Fix limiters+multi-wan
Binary/Supporting Program Updates
• Some cleanup to reduce overall image size
• Fixes to ipfw-classifyd file reading and handling
• Updated miniupnpd
• ISC DHCPD 4.2.4-P1
• mdp5 upgraded to 5.6
• pftop updated
• lighttpd updated to 1.4.32, for CVE-2011-4362 and CVE-2012-5533.
2.0.1 New Features and Changes
This is a maintenance release with bug and security fixes since 2.0 release. It is possible to upgrade from any previous
release to 2.0.1.
For those who use the built in certificate manager, pay close attention to the notes below on a potential security issue
with those certificates.
Change Log
The following changes were made after 2.0-RELEASE and were included in 2.0.1-RELEASE.
• Improved accuracy of automated state killing in various cases (#1421)
• Various fixes and improvements to relayd
– Added to Status > Services and widget
– Added ability to kill relayd when restarting (#1913)
– Added DNS load balancing
– Moved relayd logs to their own tab
– Fixed default SMTP monitor syntax and other send/expect syntax
• Fixed path to FreeBSD packages repo for 8.1
• Various fixes to syslog:
– Fixed syslogd killing/restarting to improve handling on some systems that were seeing GUI hangs resetting
logs
– Added more options for remote syslog server areas
– Fixed handling of ‘everything’ checkbox
– Moved wireless to its own log file and tab
• Removed/silenced some irrelevant log entries
• Fixed various typos
• Fixes for RRD upgrade/migration and backup (#1758)
• Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
• Fixed policy route negation for VPN networks (#1950)
• Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
• Fixed VoIP rules produced by the traffic shaper wizard (#1948)
• Fixed uname display in System Info widget (#1960)
• Fixed LDAP custom port handling
• Fixed Status > Gateways to show RTT and loss like the widget
• Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
• Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
• Clarified text of serial field when importing a CA (#2031)
• Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
• Fixed Captive Portal MAC passthrough rules (#1976)
• Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
• Fixed CARP status widget to properly show “disabled” status.
• Fixed end time of custom timespan RRD graphs (#1990)
• Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
• Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
• Fixed handling of OpenVPN client bandwidth limit option
• Fixed handling of LDAP certificates (#2018, #1052, #1927)
• Enforce validity of RRD graph style
• Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
• Fixed handling of hostnames in DHCP that start with a number (#2020)
• Fixed saving of multiple dynamic gateways (#1993)
• Fixed handling of routing with unmonitored gateways
• Fixed Firewall > Shaper, By Queues view
• Fixed handling of spd.conf with no phase 2’s defined
• Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases,
VIPs, etc)
• Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
• Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
• Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
• Lowered size of CF images again to fit newer and ever-shrinking CF cards.
• Clarified text for media selection (#1910)
Notes for certificate generation vulnerability
Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive
for non-CA certificates. These certificates can be used as a certificate authority, meaning a user can use their own
certificate to create chained certificates. The firewall defaults OpenVPN on 2.0.1 and newer versions to not accept
chained certificates, which mitigates this. However, if untrusted users have certificates generated from 2.0 release, the
best practice is to regenerate all certificates and issue new ones. Certificates generated by easy-rsa and imported
into 2.0 are not affected. If using certificates generated on pfSense® for other purposes, revoke those and issue new
certificates generated on 2.0.1. A CRL must be utilized in that case. To be on the safe side, start from scratch with a
new CA and certificates after deleting all existing ones.
Upgrade considerations
It is very important to read the Upgrade Guide before performing an upgrade for those still on 1.2.x versions.
2.0 New Features and Changes
This is a partial list of the new features and major changes in the pfSense® software 2.0 release.
Operating System
• Based on FreeBSD 8.1 release.
• i386 and amd64 variants for all install types (full install, nanobsd/embedded, etc.)
• USB memstick installer images available
Interfaces
• GRE tunnels
• GIF tunnels
• 3G support
• Dial up modem support
• Multi-Link PPP (MLPPP) for bonding PPP connections (ISP/upstream must also support MLPPP)
• LAGG Interfaces
• Interface groups
• IP Alias type Virtual IPs
• IP Alias VIPs can be stacked on CARP VIPs to go beyond the 255 VHID limit in deployments that need very
large numbers of CARP VIPs.
• QinQ VLANs
• Can use Block Private Networks / Block Bogon Networks on any interface
• All interfaces are optional except WAN
• All interfaces can be renamed, even LAN/WAN
• Bridging enhancements - can now control all options of if_bridge, and assign bridge interfaces
Gateways/Multi-WAN
• Gateways, including dynamic gateways, are specified under System > Routing
• Gateways can have custom monitor IPs
• Gateways can have a custom weight, allowing load balancing to have ratios between WANs of different speeds
• Gateways can have custom latency, loss, and downtime trigger levels.
• Gateway monitoring via icmp is now configurable.
• Multiple gateways may exist per interface
• Multi-WAN is now handled via gateway groups
• Gateway groups can include multiple tiers with any number of gateways on each, for complex failover and load
balancing scenarios.
General Web GUI
• Set to HTTPS by default, HTTP redirects to HTTPS port
• Dashboard and widgets added
• System > Advanced screen split into multiple tabs, more options available.
• SMTP email alerts and growl alerts
• New default theme - pfsense_ng
• Some community-contributed themes added
• Contextual help available on every page in the web interface, linking to a webpage containing help and documentation specific to that page.
• Help menu for quick access to online resources (forum, docs, paid support, etc.)
Aliases
• Aliases may be nested (aliases in aliases)
• Alias autocomplete is no longer case sensitive
• IP Ranges in Aliases
• More Alias entries supported
• Bulk Alias importing
• URL Aliases
• URL Table Aliases - uses a pf persist table for large (40,000+) entry lists
Firewall
• Traffic shaper rewritten - now handles any combination of multi-WAN and multi-LAN interfaces. New wizards
added.
• Layer7 protocol filtering
• EasyRule - add firewall rules from log view (and from console!)
• Floating rules allow adding non-interface specific rules
• Dynamically sized state table based on amount of RAM in the system
• More Advanced firewall rule options
• FTP helper now in kernel
• TFTP proxy
• Schedule rules are handled in pf, so they can use all the rule options.
• State summary view, report shows states grouped by originating IP, destination IP, etc.
NAT
• All of the NAT screens were updated with additional functionality
• Port forwards can now create/update associated firewall rules automatically, instead of just creating
unrelated entries.
• Port forwards can optionally use “rdr pass” so no firewall rule is needed.
• Port forwards can be disabled
• Port forwards can be negated (“no rdr”)
• Port forwards can have source and destination filters
• NAT reflection improvements, including NAT reflection for 1:1 NAT
• Per-entry NAT reflection overrides
• 1:1 NAT rules can specify a source and destination address
• 1:1 NAT page redesigned
• Outbound NAT can now translate to an address pool (Subnet of IPs or an alias of IPs) of multiple external
addresses
• Outbound NAT rules can be specified by protocol
• Outbound NAT rules can use aliases
• Improved generation of outbound NAT rules when switching from automatic to manual.
IPsec
• Multiple IPsec p2’s per p1 (multiple subnets)
• IPsec xauth support
• IPsec transport mode added
• IPsec NAT-T
• Option to push settings such as IP, DNS, etc, to mobile IPsec clients (mod_cfg)
• Mobile IPsec works with iOS and Android (Certain versions, see IPsec Remote Access VPN Example Using
IKEv1 with Xauth)
• More Phase 1/2 options can be configured, including the cipher type/strength
• ipsec-tools version 0.8
User Manager
• New user manager, centralizing the various user configuration screens previously available.
• Per-page user access permissions for administrative users
• Three built-in authentication types - local users, LDAP and RADIUS.
• Authentication diagnostics page
Certificate Manager
• Certificate manager added, for handling of IPsec, web interface, user, and OpenVPN certificates.
• Handles creation/import of Certificate Authorities, Certificates, Certificate Revocation lists.
• Eliminates the need for using command line tools such as EasyRSA for managing certificates.
OpenVPN
• OpenVPN wizard guides through making a CA/Cert and OpenVPN server, sets up firewall rules, and so on.
Greatly simplifies the process of creating a remote access OpenVPN server.
• OpenVPN filtering - an OpenVPN rules tab is available, so OpenVPN interfaces don’t have to be assigned to
perform filtering.
• OpenVPN client export package - provides a bundled Windows installer with certificates, Viscosity export, and
export of a zip file containing the user’s certificate and configuration files.
• OpenVPN status page with connected client list – can also kill client connections
• User authentication and certificate management
• RADIUS and LDAP authentication support
Captive Portal
• Voucher support added
• Multi-interface capable
• Pass-through MAC bandwidth restrictions
• Custom logout page contents can be uploaded
• Allowed IP addresses bandwidth restrictions
• Allowed IP addresses supports IP subnets
• “Both” direction added to Allowed IP addresses
• Pass-through MAC Auto Entry - upon successful authentication, a pass-through MAC entry can be automatically
added.
• Ability to configure calling station RADIUS attributes
Wireless
• Virtual AP (VAP) support added
• More wireless cards supported with the FreeBSD 8.1 base
Server Load Balancing
• relayd and its more advanced capabilities replace slbd.
Other
• L2TP VPN added
• DNS lookup page added
• PFTop and Top in GUI - realtime updates
• Config History now includes a diff feature
• Config History has download buttons for prior versions
• Config History has mouseover descriptions
• CLI filter log parser (/usr/local/bin/filterparser)
• Switched to PHP 5.2.x
• IGMP proxy added
• Multiple Dynamic DNS account support, including full multi-WAN support and multi-accounts on each interface.
– DynDNS Account Types supported are:
DNS-O-Matic, DynDNS (dynamic), DynDNS (static), DynDNS (custom), DHS, DyNS, easyDNS, No-IP,
ODS.org, ZoneEdit, Loopia, freeDNS, DNSexit, OpenDNS, Namecheap.com
• More interface types (VPNs, etc) available for packet capture
• DNS Forwarder is used by the firewall itself for DNS resolution (configurable) so the firewall benefits from
faster resolution via multiple concurrent queries, sees all DNS overrides/DHCP registrations, etc.
• DHCP Server can now handle arbitrary numbered options, rather than only options present in the GUI.
• Automatic update now also works for NanoBSD as well as full installs
• More configuration sections can be synchronized via XMLRPC between CARP nodes.
CHAPTER
FOUR
PRODUCT MANUALS
The pfSense Security Gateway Manuals help those who purchased appliances from Netgate get started with a new
device running pfSense® software, or help get it back up and running in the case that something breaks.
Below is a list of active appliances:
• All Manuals
• Amazon AWS
• Microsoft Azure
• Netgate 1100
• Netgate 2100
• Netgate 3100
• Netgate 4100
• Netgate 5100
• Netgate 6100
• Netgate 7100
• Netgate 7100 1U
• Netgate 8200
• Netgate 1537
• Netgate 1541
CHAPTER
FIVE
NETWORKING CONCEPTS
5.1 Understanding Public and Private IP Addresses
5.1.1 Private IP Addresses
The network standard RFC 1918 defines reserved IPv4 subnets for use only in private networks (Table RFC 1918
Private IP Address Space). RFC 4193 defines Unique Local Addresses (ULA) for IPv6 (Table RFC 4193 Unique
Local Address Space). In most environments, a private IP subnet from RFC 1918 is chosen and used on all internal
network devices. The devices are then connected to the Internet through a firewall or router implementing Network
Address Translation (NAT) software, such as pfSense® software. IPv6 is fully routed from the internal network
without NAT by Global Unicast Addresses (GUA). NAT will be explained further in Network Address Translation.
Table 1: RFC 1918 Private IP Address Space
CIDR Range IP Address Range
10.0.0.0/8 10.0.0.0 - 10.255.255.255
172.16.0.0/12 172.16.0.0 - 172.31.255.255
192.168.0.0/16 192.168.0.0 - 192.168.255.255
Table 2: RFC 4193 Unique Local Address Space
Prefix IP Address Range
fc00::/7 fc00:: - fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
A complete list of special-use IPv4 networks may be found in RFC 3330. There are private IPv4 addresses, such as
1.0.0.0/8 and 2.0.0.0/8, that have since been allocated to the dwindling IPv4 pool. Use of these addresses is
problematic and not recommended. Also, avoid using 169.254.0.0/16, which according to RFC 3927 is reserved
for “Link-Local” auto configuration. It should not be assigned by DHCP or set manually, and routers will not allow
packets from that subnet to traverse outside a specific broadcast domain. There is sufficient address space set aside by
RFC 1918, so there is no need to deviate from the list shown in Table RFC 1918 Private IP Address Space. Improper
addressing will result in network failure and should be corrected.
5.1.2 Public IP Addresses
With the exception of the largest networks, public IP addresses are assigned by Internet Service Providers. Networks
requiring hundreds or thousands of public IP addresses commonly have address space assigned directly from their
Regional Internet Registry (RIR). An RIR is an organization that oversees allocation and registration of public IP
addresses in a designated region of the world.
Most residential Internet connections are assigned a single public IPv4 address. Most business class connections are
assigned multiple public IP addresses. A single public IP address is adequate in many circumstances and can be used
in conjunction with NAT to connect hundreds of privately addressed systems to the Internet. This documentation will
assist in determining the number of public IP addresses required.
Most IPv6 deployments will give the end user at least a /64 prefix network to use as a routed internal network. For
each site, this is roughly 2^64 IPv6 addresses, or 18 quintillion addresses, fully routed from the Internet with no need
for NAT.
5.1.3 Reserved and Documentation Addresses
In addition to blocks defined in RFC 1918, RFC 5735 describes blocks reserved for other special purposes such as
documentation, testing, and benchmarking. RFC 6598 updates RFC 5735 and defines address space for Carrier-grade
NAT as well. These special networks include:
Table 3: RFC 5735 Reserved Address Space
CIDR Range Purpose
192.0.2.0/24 Documentation and example code
198.51.100.0/24 Documentation and example code
203.0.113.0/24 Documentation and example code
198.18.0.0/25 Benchmarking network devices
100.64.0.0/10 Carrier-grade NAT space
The documentation uses examples with addresses from the above documentation ranges as well as RFC 1918 networks
since they are more familiar to users.
Some find these addresses tempting to use for VPNs or even local networks. Though the best practice is to only use
them for their intended purposes, they are much less likely to be seen “in the wild” than RFC 1918 networks.
5.2 IP Subnetting Concepts
When configuring TCP/IP settings on a device, a subnet mask (or prefix length for IPv6) must be specified. This
mask enables the device to determine which IP addresses are on the local network, and which must be reached by
a gateway in the routing table. The default LAN IP address of 192.168.1.1 with a mask of 255.255.255.0,
or /24 in CIDR notation, has a network address of 192.168.1.0/24. CIDR is discussed in Understanding CIDR
Subnet Mask Notation.
5.3 IP Address, Subnet and Gateway Configuration
The TCP/IP configuration of a host consists of the address, subnet mask (or prefix length for IPv6) and gateway. A
host identifies which IP addresses are on its local network by using the IP address combined with the subnet mask. A
host sends packets for addresses outside the local network to the host’s configured default gateway which it assumes
will pass the traffic on to the desired destination. An exception to this rule is a static route which instructs a device
to contact specific non-local subnets reachable via locally connected routers. This list of gateways and static routes is
kept on the routing table of each host. To see the routing table used by pfSense® software, see Route Table Contents.
See also:
More information about routing can be found in Routing.
In a typical deployment of pfSense software hosts on the LAN are assigned an IP address, subnet mask and gateway
within the LAN range of the firewall running pfSense software. The LAN IP address on the firewall becomes the
default gateway for hosts on the LAN. For hosts connecting by an interface other than LAN, use the appropriate
configuration for the interface to which the device is connected.
Hosts within a single network communicate directly with each other without involvement from the gateway. This
means that no firewall, including one running pfSense software, can control host-to-host communication within a
network segment. If this functionality is a requirement, hosts must be segmented via the use of multiple switches,
VLANs, or employ equivalent switch functionality like PVLAN.
See also:
VLANs are covered in Virtual LANs (VLANs).
5.4 Understanding CIDR Subnet Mask Notation
pfSense® software uses CIDR (Classless Inter-Domain Routing) notation rather than the common subnet mask 255.x.x.x
notation when configuring addresses and networks. Refer to the CIDR Subnet Table to find the CIDR equivalent of a
decimal subnet mask.
Table 4: CIDR Subnet Table
Subnet Mask CIDR Prefix Total IP Addresses Usable IP Addresses Number of /24 networks
255.255.255.255 /32 1 1 1/256th
255.255.255.254 /31 2 2* 1/128th
255.255.255.252 /30 4 2 1/64th
255.255.255.248 /29 8 6 1/32nd
255.255.255.240 /28 16 14 1/16th
255.255.255.224 /27 32 30 1/8th
255.255.255.192 /26 64 62 1/4th
255.255.255.128 /25 128 126 1 half
255.255.255.0 /24 256 254 1
255.255.254.0 /23 512 510 2
255.255.252.0 /22 1024 1022 4
255.255.248.0 /21 2048 2046 8
255.255.240.0 /20 4096 4094 16
255.255.224.0 /19 8192 8190 32
255.255.192.0 /18 16,384 16,382 64
255.255.128.0 /17 32,768 32,766 128
255.255.0.0 /16 65,536 65,534 256
255.254.0.0 /15 131,072 131,070 512
255.252.0.0 /14 262,144 262,142 1024
255.248.0.0 /13 524,288 524,286 2048
255.240.0.0 /12 1,048,576 1,048,574 4096
255.224.0.0 /11 2,097,152 2,097,150 8192
255.192.0.0 /10 4,194,304 4,194,302 16,384
255.128.0.0 /9 8,388,608 8,388,606 32,768
255.0.0.0 /8 16,777,216 16,777,214 65,536
254.0.0.0 /7 33,554,432 33,554,430 131,072
252.0.0.0 /6 67,108,864 67,108,862 262,144
248.0.0.0 /5 134,217,728 134,217,726 524,288
240.0.0.0 /4 268,435,456 268,435,454 1,048,576
224.0.0.0 /3 536,870,912 536,870,910 2,097,152
192.0.0.0 /2 1,073,741,824 1,073,741,822 4,194,304
128.0.0.0 /1 2,147,483,648 2,147,483,646 8,388,608
0.0.0.0 /0 4,294,967,296 4,294,967,294 16,777,216
Note: The use of /31 networks is a special case defined by RFC 3021 where the two IP addresses in the subnet are
usable for point-to-point links to conserve IPv4 address space. Not all operating systems support RFC 3021, so use it
with caution. On systems that do not support RFC 3021, the subnet is unusable because the only two addresses defined
by the subnet mask are the null route and broadcast and no usable host addresses.
pfSense software supports the use of /31 networks for interfaces and Virtual IP addresses.
5.4.1 Where do CIDR numbers come from?
The CIDR number comes from the number of ones in the subnet mask when converted to binary.
The subnet mask 255.255.255.0 is 11111111.11111111.11111111.00000000 in binary. This adds up
to 24 consecutive ones, or /24 (pronounced “slash twenty four”).
A subnet mask of 255.255.255.192 is 11111111.11111111.11111111.11000000 in binary, or 26 ones,
hence /26.
5.5 CIDR Summarization
In addition to specifying subnet masks, CIDR can also be employed for IP or network summarization purposes. The
“Total IP Addresses” column in CIDR Subnet Table indicates how many addresses are summarized by a given CIDR
mask. For network summarization purposes, the “Number of /24 networks” column is useful. CIDR summarization
can be used in several parts of the pfSense® web interface, including firewall rules, NAT, virtual IPs, IPsec, and static
routes.
IP addresses or networks that can be contained within a single CIDR mask are known as “CIDR summarizable”.
When designing a network, ensure all private IP subnets in use at a particular location are CIDR summarizable. For
example, if three /24 subnets are required at one location, a /22 network subnetted into four /24 networks should
be used. The following table shows the four /24 subnets used with the subnet 10.70.64.0/22.
Table 5: CIDR Route Summarization
10.70.64.0/22 split into /24 networks
10.70.64.0/24
10.70.65.0/24
10.70.66.0/24
10.70.67.0/24
This keeps routing more manageable for multi-site networks connected to another physical location via the use of a
private WAN circuit or VPN. With CIDR summarizable subnets, one route destination covers all the networks at each
location. Without it, there are several different destination networks per location.
The previous table was developed using a network calculator found at the subnetmask.info website.
The calculator converts from dotted decimal to CIDR mask, and vice versa, as shown in Figure Subnet Mask Converter.
If the CIDR Subnet Table provided in this chapter is not available, this tool can be used to convert a CIDR prefix to
dotted decimal notation. Enter a CIDR prefix or a dotted decimal mask and click the appropriate Calculate button to
find the conversion.
Fig. 1: Subnet Mask Converter
Enter the dotted decimal mask into the Network/Node Calculator section along with one of the /24 networks. Click
Calculate to populate the bottom boxes with the range covered by that particular /24 as demonstrated in Figure
Network/Node Calculator. In this example, the network address is 10.70.64.0/22, and the usable /24 networks
are 64 through 67. The term “Broadcast address” in this table refers to the highest address within the range.
Fig. 2: Network/Node Calculator
5.5.1 Finding a matching CIDR network
IPv4 Ranges in the format of x.x.x.x-y.y.y.y are supported in Aliases. For Network type aliases, an IPv4 range
is automatically converted to the equivalent set of CIDR blocks. For Host type aliases, a range is converted to a list of
IPv4 addresses. See Aliases for more information.
If an exact match isn’t necessary, numbers can be entered into the Network/Node Calculator to approximate the desired
summarization.
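The bit counting from Where do CIDR numbers come from?, the summarizability check from CIDR Summarization, and the range-to-CIDR conversion performed for Network aliases can all be worked through with the Python standard library. The following is an added example, not code from the pfSense documentation or project; it uses only the ipaddress module and the 10.70.64.0/22 values from this chapter.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Count the leading one bits of a dotted-decimal mask (255.255.255.192 -> 26)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = 0
    while bits & 0x80000000:
        prefix += 1
        bits = (bits << 1) & 0xFFFFFFFF
    # A real subnet mask is a contiguous run of ones; anything left set after the
    # first zero bit (e.g. 255.0.255.0) is not a mask at all.
    if bits != 0:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Inverse of mask_to_prefix: /22 -> 255.255.252.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def usable_hosts(prefix: int) -> int:
    """'Usable IP Addresses' column of the CIDR Subnet Table.

    Network and broadcast are subtracted except for /31 (RFC 3021 point-to-point,
    both addresses usable) and /32 (a single host).
    """
    total = 2 ** (32 - prefix)
    return total if prefix >= 31 else total - 2


def summarize(networks):
    """Smallest set of CIDR blocks covering the given networks."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def cidr_summarizable(networks) -> bool:
    """True when every network fits inside one CIDR block (one route per site)."""
    return len(summarize(networks)) == 1


def range_to_cidrs(first: str, last: str):
    """x.x.x.x-y.y.y.y alias range -> equivalent list of CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.192"), prefix_to_mask(22))
    # Three /24s are not summarizable; the /22 with four /24s is.
    print(cidr_summarizable(["10.70.64.0/24", "10.70.65.0/24", "10.70.66.0/24"]))
    print(summarize(["10.70.64.0/24", "10.70.65.0/24", "10.70.66.0/24", "10.70.67.0/24"]))
    print(range_to_cidrs("192.168.1.10", "192.168.1.20"))
```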
5.6 Broadcast Domains
A broadcast domain is the portion of a network sharing the same layer 2 segment. Broadcast messages from hosts are
sent to every port in their broadcast domain, thus hosts inside a broadcast domain can reach each other directly. For
example hosts can use ARP or NDP to locate neighbors within a broadcast domain and communicate directly at layer
2 without involving an intermediate gateway router.
In a network with a single switch without VLANs, the broadcast domain is that entire switch. In a network with
multiple interconnected switches without the use of VLANs, the broadcast domain includes all of those switches.
When using VLANs, each VLAN is typically its own broadcast domain. The exact size of the broadcast domain in
that case varies depending on how many access ports are in the VLAN, along with interconnected switches (trunked,
stacked, etc).
Some switches also support special modes which segment a broadcast domain into multiple smaller isolated broadcast
domains. This is sometimes called “Private VLANs”, and they are typically used for security purposes. In these
modes, hosts can only directly communicate between a specific set of ports, commonly limited to the host and the
gateway for the segment, even if they are a part of a subnet with many other hosts. This is similar in concept to
wireless AP client isolation.
Since broadcast messages are sent to every port in the broadcast domain, large broadcast domains should be avoided
as they are “noisy” and do not scale well. Depending on the type of broadcast messages, some switches can optimize
this behavior but it’s best to plan for the worst case. For example in a network with thousands of ports on a single
broadcast domain, thousands of hosts communicating among each other generate large amounts of broadcast traffic
which is copied everywhere in the broadcast domain. The best practice is to keep each segment as small as possible,
where feasible, to prevent switches and hosts from having to process large amounts of unnecessary broadcast traffic.
A single broadcast domain can contain more than one IPv4 or IPv6 subnet, however, that is generally not considered
good network design. Though it appears on the surface that multiple subnets in the same broadcast domain are separate,
there is no true isolation or security between them. IP subnets should be segregated into different broadcast domains
via the use of separate switches or VLANs. The exception to this is running both IPv4 and IPv6 networks within a
single broadcast domain. This is called dual stack and it is a common and useful technique using both IPv4 and IPv6
connectivity for hosts.
Broadcast domains can be combined by bridging two network interfaces together. In this scenario care must be taken
to avoid switch loops where a switch ends up with a connection back to itself, creating an infinite traffic loop (Bridging
and Layer 2 Loops). Another reason to avoid bridging is that by combining broadcast domains, both networks and
the bridge between them must carry broadcast traffic for every network on the bridge. The increased load, especially
for larger networks, can be significant, especially if broadcast domains are being bridged using a VPN. There are also
proxies for certain protocols which do not combine broadcast domains but yield the same net effect, such as a DHCP
relay which relays DHCP requests into a broadcast domain on another interface.
See also:
• Bridging
• Bridging and Layer 2 Loops
• Virtual LANs (VLANs)
• Broadcast Domain (Wikipedia)
5.7 IPv6
5.7.1 Basics
IPv6 allows for exponentially more IP address space than IPv4. IPv4 uses a 32-bit address, which allows for 2^32 or
over 4 billion addresses, less if the sizable reserved blocks and IPs burned by subnetting are removed. IPv6 uses a
128-bit address, which is 2^128 or 3.403 x 10^38 IP addresses. The standard size IPv6 subnet defined by the IETF is a
/64, which contains 2^64 IPs, or 18.4 quintillion addresses. The entire IPv4 space can fit inside a typical IPv6 subnet
many times over with room to spare.
One of the more subtle improvements with IPv6 is that no IP addresses are lost to subnetting. With IPv4, two IP
addresses are lost per subnet to account for a null route and broadcast IP address. In IPv6, broadcast is handled via
the same mechanisms used for multicast involving special addresses sent to the entire network segment. Additional
improvements include integrated packet encryption, larger potential packet sizes, and other design elements that make
it easier for routers to manage IPv6 at the packet level.
Unlike IPv4, all packets are routed in IPv6 without NAT. Each IP address is directly accessible by another unless
stopped by a firewall. This can be a very difficult concept to grasp for people who are used to having their LAN exist
with a specific private subnet and then performing NAT to whatever the external address happens to be.
There are fundamental differences in the operation of IPv6 in comparison to IPv4, but mostly they are only that:
differences. Some things are simpler than IPv4, others are slightly more complicated, but for the most part it’s simply
different. Major differences occur at layer 2 (ARP vs. NDP for instance) and layer 3 (IPv4 vs. IPv6 addressing). The
protocols used at higher layers are identical; only the transport mechanism for those protocols has changed. HTTP is
still HTTP, SMTP is still SMTP, etc.
Firewall and VPN Concerns
IPv6 restores the true peer-to-peer connectivity originally in place with IPv4, making proper firewall controls even more
important. In IPv4, NAT was misused as an additional firewall control. In IPv6, NAT is removed. Port forwards are
no longer required in IPv6, so remote access is handled by firewall rules. Care must be taken to ensure encrypted
VPN LAN to LAN traffic is not routed directly to the remote site. See IPv6 VPN and Firewall Rules for a more
in-depth discussion on IPv6 firewall concerns with respect to VPN traffic.
5.7.2 Requirements
IPv6 requires an IPv6-enabled network. IPv6 connectivity delivered directly by an ISP is ideal. Some ISPs deploy
a dual stack configuration in which IPv4 and IPv6 are delivered simultaneously on the same transport. Other ISPs
use tunneling or deployment types to provide IPv6 indirectly. It is also possible to use a third party provider such as
Hurricane Electric’s tunnelbroker service.
In addition to the service, software must also support IPv6. pfSense® software has been IPv6-capable since 2.1-RELEASE.
Client operating systems and applications must also support IPv6. Many common operating systems and
applications support it without problems. Microsoft Windows has supported IPv6 in production-ready state since 2002
though newer versions handle it much better. macOS has supported IPv6 since 2001 with version 10.1 “PUMA”. Both
FreeBSD and Linux support it in the operating system. Most web browsers and mail clients support IPv6, as do recent
versions of other common applications. To ensure reliability, it is always beneficial to employ the latest updates.
Some mobile operating systems have varying levels of support for IPv6. Android and iOS both support IPv6, but
Android only has support for stateless auto configuration for obtaining an IP address on Wi-Fi and not DHCPv6. IPv6
is part of the LTE specifications so any mobile device supporting LTE networks supports IPv6 as well.
5.7.3 IPv6 WAN Types
Details can be found in IPv6 Configuration Types, but some of the most common ways of deploying IPv6 are:
• Static Addressing - Native IPv6, either on its own or in a dual stack configuration alongside IPv4.
• DHCPv6 - Address automatically obtained by DHCPv6 from an upstream server. Prefix delegation may also be used with DHCPv6 to deliver a routed subnet to a DHCPv6 client.
• Stateless address auto configuration (SLAAC) - Automatically determines the IPv6 address by consulting router advertisement messages and generating an IP address inside a prefix. This is not very useful for a router, as there is no way to route a network for the “inside” of the firewall. It may be useful for appliance modes.
• 6RD Tunnel - A method of tunneling IPv6 traffic inside IPv4. This is used by ISPs for rapid IPv6 deployment.
• 6to4 Tunnel - Similar to 6RD but with different mechanisms and limitations.
• GIF Tunnel - Not technically a direct WAN type, but commonly used. The customer builds an IPv4 GIF tunnel to a provider to tunnel IPv6 traffic.
While not technically a WAN type, IPv6 connectivity can also be arranged over a VPN such as IPsec, WireGuard, or
OpenVPN. Most VPNs are capable of carrying IPv4 and IPv6 traffic simultaneously, so they can deliver IPv6 over
IPv4, though with more overhead than a typical tunnel broker that uses GIF. These are good options for a company
that has IPv6 at a datacenter or main office but not at a remote location.
5.7.4 Address Format
An IPv6 address consists of 32 hexadecimal digits, in 8 sections of 4 digits each, separated by colons. It looks
something like this: 1234:5678:90ab:cdef:1234:5678:90ab:cdef
IPv6 addresses have several shortcuts that allow them to be compressed into smaller strings following certain rules.
If there are any leading zeroes in a section, they may be left off.
0001:0001:0001:0001:0001:0001:0001:0001 could be written as 1:1:1:1:1:1:1:1.
Any number of address parts consisting of only zeroes may be compressed by using :: but this can only be done once
in an IPv6 address to avoid ambiguity. A good example of this is local host, compressing
0000:0000:0000:0000:0000:0000:0000:0001 to ::1. Any time :: appears in an IPv6 address, the values between
are all zeroes. An IP address such as fe80:1111:2222:0000:0000:0000:7777:8888 can be represented as
fe80:1111:2222::7777:8888. However, fe80:1111:0000:0000:4444:0000:0000:8888 cannot be shortened
using :: more than once. It would either be fe80:1111::4444:0:0:8888 or fe80:1111:0:0:4444::8888 but it
cannot be fe80:1111::4444::8888 because there is no way to tell how many zeroes have been replaced by either
:: operator.
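The compression rules above, including the restriction that :: may appear only once, can be exercised with a small parser. This is an added example, not code from the pfSense documentation or project; it uses only the Python standard library and the addresses quoted in this section, and follows the RFC 5952 convention of compressing the leftmost longest run of zero sections.

```python
HEXDIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Expand a compressed IPv6 address to eight zero-padded 4-digit sections.

    More than one '::' is rejected: the number of zero sections each one stands
    for would be ambiguous, which is exactly why the rule exists.
    """
    if addr.count("::") > 1:
        raise ValueError(f"{addr}: '::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"{addr}: '::' must replace at least one zero section")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"{addr}: expected 8 sections, got {len(parts)}")
    out = []
    for p in parts:
        if not 1 <= len(p) <= 4 or any(c not in HEXDIGITS for c in p):
            raise ValueError(f"{addr}: invalid section {p!r}")
        out.append(p.lower().zfill(4))
    return ":".join(out)


def compress_ipv6(addr: str) -> str:
    """Shortest form: drop leading zeros in each section, then replace the
    longest run of two or more all-zero sections with '::' (leftmost wins a tie)."""
    parts = [p.lstrip("0") or "0" for p in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if parts[i] == "0":
            j = i
            while j < 8 and parts[j] == "0":
                j += 1
            if j - i > best_len:          # strictly greater keeps the leftmost run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                      # a single zero section is written as 0
        return ":".join(parts)
    head = ":".join(parts[:best_start])
    tail = ":".join(parts[best_start + best_len:])
    return f"{head}::{tail}"


def is_valid_ipv6(addr: str) -> bool:
    """True when the text form parses under the rules above."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(compress_ipv6("fe80:1111:0000:0000:4444:0000:0000:8888"))
    print(expand_ipv6("fe80:1111:0:0:4444::8888"))
    print(is_valid_ipv6("fe80:1111::4444::8888"))   # ambiguous, rejected
```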
Determining an IPv6 Addressing Scheme
Because of the increased length of the addresses, the vast space provided in even a basic /64 subnet, and the ability to
use hexadecimal digits, there is more freedom to design device network addresses.
On servers using multiple IP address aliases for virtual hosts, jails, etc, a useful addressing scheme is to use the seventh
section of the IPv6 address to denote the server. Then use the eighth section for individual IPv6 aliases. This groups
all of the IPs into a single recognizable host. For example, the server itself would be 2001:db8:1:1::a:1, and
then the first IP alias would be 2001:db8:1:1::a:2, then 2001:db8:1:1::a:3, etc. The next server would
be 2001:db8:1:1::b:1, and repeats the same pattern.
Some administrators like to have fun with their IPv6 addresses by using hexadecimal letters and number/letter equivalents
to make words out of their IP addresses. Lists of hexadecimal words around the web can be used to create more
memorable IP addresses such as 2001:db8:1:1::dead:beef.
Decimal vs. Hexadecimal Confusion
Creating consecutive IPv6 addresses with a hexadecimal base may cause confusion. Hexadecimal values are base
16 unlike decimal values which are base 10. For example, the IPv6 address 2001:db8:1:1::9 is followed by
2001:db8:1:1::a, not 2001:db8:1:1::10. By going right to 2001:db8:1:1::10, the values a-f have
been skipped, leaving a gap. Consecutive numbering schemes are not required and their use is left to the discretion of
the network designer. For some, it is psychologically easier to avoid using the hexadecimal digits.
Given that all IPv4 addresses can be expressed in IPv6 format, this issue will arise when designing a dual stack network
that keeps one section of the IPv6 address the same as its IPv4 counterpart.
5.7.5 IPv6 Subnetting
IPv6 subnetting is easier than IPv4. It’s also different. Want to divide or combine a subnet? All that is needed is to
add or chop off digits and adjust the prefix length by a multiple of four. No longer is there a need to calculate subnet
start/end addresses, usable addresses, the null route, or the broadcast address.
IPv4 had a subnet mask (dotted quad notation) that was later replaced by CIDR masking. IPv6 doesn’t have a subnet
mask but instead calls it a Prefix Length, often shortened to “Prefix”. Prefix length and CIDR masking work similarly;
The prefix length denotes how many bits of the address define the network in which it exists. Most commonly the
prefixes used with IPv6 are multiples of four, as seen in Table IPv6 Subnet Table, but they can be any number between
0 and 128.
Using prefix lengths in multiples of four makes it easier for humans to distinguish IPv6 subnets. All that is required to
design a larger or smaller subnet is to adjust the prefix by a multiple of four. For reference, see Table IPv6 Subnet Table
listing the possible IPv6 prefixes, as well as how many IP addresses are contained inside of each subnet.
Table 6: IPv6 Subnet Table
Prefix Subnet Example Total IP Addresses # of /64 nets
4 x:: 2^124 2^60
8 xx:: 2^120 2^56
12 xxx:: 2^116 2^52
16 xxxx:: 2^112 2^48
20 xxxx:x:: 2^108 2^44
24 xxxx:xx:: 2^104 2^40
28 xxxx:xxx:: 2^100 2^36
32 xxxx:xxxx:: 2^96 4,294,967,296
36 xxxx:xxxx:x:: 2^92 268,435,456
40 xxxx:xxxx:xx:: 2^88 16,777,216
44 xxxx:xxxx:xxx:: 2^84 1,048,576
48 xxxx:xxxx:xxxx:: 2^80 65,536
52 xxxx:xxxx:xxxx:x:: 2^76 4,096
56 xxxx:xxxx:xxxx:xx:: 2^72 256
60 xxxx:xxxx:xxxx:xxx:: 2^68 16
64 xxxx:xxxx:xxxx:xxxx:: 2^64 (18,446,744,073,709,551,616) 1
68 xxxx:xxxx:xxxx:xxxx:x:: 2^60 (1,152,921,504,606,846,976) 0
72 xxxx:xxxx:xxxx:xxxx:xx:: 2^56 (72,057,594,037,927,936) 0
76 xxxx:xxxx:xxxx:xxxx:xxx:: 2^52 (4,503,599,627,370,496) 0
80 xxxx:xxxx:xxxx:xxxx:xxxx:: 2^48 (281,474,976,710,656) 0
84 xxxx:xxxx:xxxx:xxxx:xxxx:x:: 2^44 (17,592,186,044,416) 0
88 xxxx:xxxx:xxxx:xxxx:xxxx:xx:: 2^40 (1,099,511,627,776) 0
92 xxxx:xxxx:xxxx:xxxx:xxxx:xxx:: 2^36 (68,719,476,736) 0
96 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:: 2^32 (4,294,967,296) 0
100 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x:: 2^28 (268,435,456) 0
104 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx:: 2^24 (16,777,216) 0
108 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx:: 2^20 (1,048,576) 0
112 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:: 2^16 (65,536) 0
116 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x:: 2^12 (4,096) 0
120 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx:: 2^8 (256) 0
124 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx:: 2^4 (16) 0
128 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 2^0 (1) 0
A /64 is the standard size IPv6 subnet as defined by the IETF. It is the smallest subnet that can be used locally if auto
configuration is desired.
Typically, an ISP assigns a /64 or smaller subnet to establish service on the WAN. An additional network is routed
for LAN use. The size of the allocation depends upon the ISP, but it’s not uncommon to see end users receive at least
a /64 and even up to a /48.
A tunnel service provider such as tunnelbroker.net run by Hurricane Electric will allocate a /48 in addition to a routed
/64 subnet and a /64 interconnect.
Assignments larger than /64 usually adopt the first /64 for LAN and subdivide the rest for requirements such as
VPN tunnel, DMZ, or a guest network.
Special IPv6 Subnets
Special use networks are reserved in IPv6. A full list of these can be found in the Wikipedia IPv6 article. Six examples
of IPv6 special networks and their addresses are shown below in IPv6 Special Networks and Addresses.
Table 7: IPv6 Special Networks and Addresses
Network Purpose
2001:db8::/32 Documentation prefix used for examples
::1 Localhost
fc00::/7 Unique Local Addresses (ULA) - also known as “Private” IPv6 addresses.
fe80::/10 Link Local addresses, only valid inside a single broadcast domain.
2001::/16 Global Unique Addresses (GUA) - Routable IPv6 addresses.
ff00::0/8 Multicast addresses
Neighbor Discovery
IPv4 hosts find each other on a local segment using ARP broadcast messages, but IPv6 hosts find each other by sending
Neighbor Discovery Protocol (NDP) messages. Like ARP, NDP works inside a given broadcast domain to find other
hosts inside of a specific subnet.
By sending special ICMPv6 packets to reserved multicast addresses, NDP handles the tasks of neighbor discovery,
router solicitations, and route redirects similar to IPv4’s ICMP redirects.
pfSense® software automatically adds firewall rules on IPv6 enabled interfaces that permit NDP to function. All
currently known IPv6 neighbors can be viewed in the firewall GUI at Diagnostics > NDP Table.
Router Advertisements
IPv6 routers are located through their Router Advertisement (RA) messages instead of by DHCP. IPv6-enabled routers
that support dynamic address assignment are expected to announce themselves on the network to all clients and respond
to router solicitations. When acting as a client (WAN interfaces), pfSense software accepts RA messages from
upstream routers. When acting as a router, pfSense software provides RA messages to clients on its internal networks.
See Router Advertisements (Or: “Where is the DHCPv6 gateway option?”) for more details.
Address Allocation
Client addresses can be allocated by static addressing, through SLAAC (Router Advertisements (Or: “Where is the
DHCPv6 gateway option?”)), DHCP6 (IPv6 Router Advertisements), or other tunneling methods such as OpenVPN.
DHCP6 Prefix Delegation
DHCP6 Prefix Delegation delivers a routed IPv6 subnet to a DHCP6 client. A WAN type interface can be set to receive
a prefix over DHCP6 (DHCP6, Track Interface). A router functioning at the edge of a large network can provide prefix
delegation to other routers inside the network (DHCPv6 Prefix Delegation).
5.7.6 IPv6 and NAT
Though IPv6 removes most any need for NAT, there are rare situations that call for the use of NAT with IPv6 such as
Multi-WAN for IPv6 on residential or small business networks.
Gone is the traditional type of ugly port translated NAT (PAT) where internal addresses are translated using ports on
a single external IP address. It is replaced by a straight network address translation called Network Prefix Translation
(NPt). This is available in the pfSense® web configurator under Firewall > NAT on the NPt tab. NPt translates one
prefix to another. So 2001:db8:1111:2222::/64 translates to 2001:db8:3333:4444::/64. Though the
prefix changes, the remainder of the address will be identical for a given host on that subnet. For more on NPt, see
IPv6 Network Prefix Translation (NPt).
There is a mechanism built into IPv6 to access IPv4 hosts using a special address notation, such as ::ffff:192.168.1.1.
The behavior of these addresses can vary between OS and application and is unreliable.
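The straight prefix rewrite that NPt performs, and the IPv4-mapped notation just mentioned, can be expressed with Python's ipaddress module. This is an added example and not code from the pfSense documentation or from pf; the prefixes are the ones quoted above, and the host suffix ::a:1 is a constructed sample.

```python
import ipaddress


def npt_translate(addr: str, from_prefix: str, to_prefix: str) -> str:
    """Rewrite the network prefix of addr from from_prefix to to_prefix.

    The host portion (everything below the prefix length) is carried over
    unchanged, so a given host keeps the same suffix on both sides. Calling the
    function with the prefixes swapped reverses the translation. NPt only
    works between prefixes of equal length.
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt requires internal and external prefixes of equal length")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}, nothing to translate")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))


def mapped_ipv4(addr: str):
    """Embedded IPv4 address of an IPv4-mapped IPv6 address (::ffff:a.b.c.d), else None."""
    v4 = ipaddress.IPv6Address(addr).ipv4_mapped
    return str(v4) if v4 is not None else None


if __name__ == "__main__":
    internal = "2001:db8:1111:2222::/64"
    external = "2001:db8:3333:4444::/64"
    host = "2001:db8:1111:2222::a:1"          # constructed sample host
    outside = npt_translate(host, internal, external)
    print(host, "->", outside)
    print(outside, "->", npt_translate(outside, external, internal))
    print(mapped_ipv4("::ffff:192.168.1.1"))
```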
5.7.7 IPv6 and pfSense Software
Unless noted otherwise, it is safe to assume that IPv6 is supported by pfSense® software in a given area or feature.
Some noteworthy areas of pfSense software that do not support IPv6 are: Captive Portal and most DynDNS providers.
Note: On systems upgraded from versions of pfSense software prior to 2.1, IPv6 traffic is blocked by default.
To allow IPv6:
• Navigate to System > Advanced on the Networking tab
• Check Allow IPv6
• Click Save
Packages
Some packages are maintained by the community, so IPv6 support varies. In most cases IPv6 support depends upon
the capabilities of the underlying software. It is safe to assume a package does not support IPv6 unless otherwise
noted. Packages are updated periodically so it is best to test a package to determine if it supports IPv6.
5.7.8 Controlling IPv6 Preference for traffic from the firewall itself
By default, pfSense® software prefers IPv6 when possible. If IPv6 routing is not functional but the system believes it
is, pfSense software may fail to check updates or download packages properly.
To change this behavior, pfSense software provides a method in the GUI to control whether services on the firewall
prefer IPv4 over IPv6:
• Navigate to System > Advanced on the Networking tab
• Check Prefer to use IPv4 even if IPv6 is available
• Click Save
Once the settings have been saved, the firewall itself will prefer IPv4 for outbound communication.
See also:
• Configuring IPv6 Through A Tunnel Broker Service
Around the world, the availability of new IPv4 addresses is declining. The amount of free space varies by region,
but some have already run out of allocations and others are rapidly approaching their limits. As of January 31, 2011,
IANA allocated all of its space to regional internet registries (RIRs). In turn, these RIR allocations have run out in
some locations such as APNIC (Asia/Pacific), RIPE (Europe), and LACNIC (Latin America and Caribbean) for /8
networks. Though some smaller allocations are still available, it is increasingly difficult to obtain new IPv4 address
space in these regions. ARIN (North America) ran out on September 24th, 2015.
To account for this, IPv6 was created as a replacement for IPv4. Available in some forms since the 1990s, factors like
inertia, complexity, and the cost of developing or purchasing compatible routers and software have slowed its uptake
until the last few years. Even then, it’s been rather slow with only 8% of Google users having IPv6 connectivity by
July 2015 and slightly over 40% of users in 2022.
Over the years, support for IPv6 in software, operating systems, and routers has improved so the situation is primed
to get better. Still it is up to ISPs to start delivering IPv6 connectivity to users. It’s a catch-22 situation: Content
providers are slow to provide IPv6 because few users have it. Meanwhile, users don’t have it because there isn’t a lot
of IPv6 content and even less content available only over IPv6. Users don’t know they need it so they don’t demand
the service from their ISPs.
Some providers are experimenting with Carrier Grade NAT (CGN) to stretch their IPv4 networks farther. CGN places
their IPv4 residential customers behind another layer of NAT, further breaking protocols that already cope poorly with
one layer of NAT. Mobile data providers have been doing this for some time, but the applications typically found on
mobile devices aren’t affected since they work as if they’re behind a typical SOHO router style NAT. While solving
one problem, it creates others, as observed when CGN is used as a firewall’s WAN, when tethering on a PC, or in some
cases when attempting to use a traditional IPsec VPN without NAT-T, or PPTP. ISPs employing CGN should be used
only if there is no other choice.
There are many books and web sites available with volumes of in-depth information on IPv6. The Wikipedia article
on IPv6 is a great resource for additional information and links to other sources. It’s worth using as a starting point for
more information on IPv6. There are also many good books on IPv6 available, but be careful to purchase books with
recent revisions. There have been changes to the IPv6 specification over the years and it’s possible that the material
could have changed since the book’s printing.
See also:
Hangouts Archive to view the July 2015 Hangout on IPv6 Basics
This documentation is not an introduction to networks but there are certain networking concepts that need to be
addressed.
Note: Readers without basic fundamental networking knowledge should locate additional introductory material as
this chapter will not adequately provide all necessary information.
IPv6 concepts are introduced later in IPv6. For clarity, traditional IP addresses are referred to as IPv4 addresses.
Except where otherwise noted, most functions will work with either IPv4 or IPv6 addresses. The general term IP
address refers to either IPv4 or IPv6.
5.8 Brief introduction to OSI Model Layers
The OSI model has a network framework consisting of seven layers. These layers are listed in hierarchy from lowest
to highest. A brief overview of each level is outlined below. More information can be found in many networking texts
and on Wikipedia (http://en.wikipedia.org/wiki/OSI_model).
Layer 1 - Physical: Refers to either electrical or optical cabling that transports raw data to all the higher
layers.
Layer 2 - Data Link: Typically refers to Ethernet or another similar protocol that is being spoken on the
wire. This documentation often refers to layer 2 as meaning the Ethernet switches or other related
topics such as ARP and MAC addresses.
Layer 3 - Network Layer: The protocols used to move data along a path from one host to another, such
as IPv4, IPv6, routing, subnets etc.
Layer 4 - Transport Layer: Data transfer between users, typically refers to TCP or UDP or other similar
protocols.
Layer 5 - Session Layer: Manages connections and sessions (typically referred to as “dialogs”) between
users, and how they connect and disconnect gracefully.
Layer 6 - Presentation Layer: Handles any conversions between data formats required by users such as
different character sets, encodings, compression, encryption, etc.
Layer 7 - Application Layer: Interacts with the user or software application, includes familiar protocols
such as HTTP, SMTP, SIP, etc.
CHAPTER
SIX
HARDWARE
6.1 Minimum Hardware Requirements
The minimum hardware requirements for pfSense® software on hardware not sold by Netgate are:
• 64-bit amd64 (x86-64) compatible CPU
• 1GB or more RAM
• 8 GB or larger disk drive (SSD, HDD, etc)
• One or more compatible network interface cards
• Bootable USB drive or high capacity optical drive (DVD or BD) for initial installation
Note: The minimum requirements are not suitable for all environments; see Hardware Sizing Guidance for details.
6.2 Hardware Selection
The use of open source operating systems with untested hardware may create hardware/software conflicts. Hardware
Tuning and Troubleshooting offers tips on resolving various issues.
6.2.1 Preventing hardware headaches
Use Genuine Netgate Hardware
The best practice is to use hardware from the Netgate Store. Netgate hardware has been developed to assure that
specific hardware platforms have been thoroughly tested and validated.
Search for the experiences of others
The experiences of others are a valuable source of knowledge which can be found by researching pfSense software
and hardware compatibility online, especially on the Netgate Forum. Reports of failure are not necessarily considered
definitive because problems can arise from a number of issues other than hardware incompatibility.
If the hardware in question is from a major manufacturer, an internet search by make, model, and site:netgate.com
will search the Netgate website for relevant user experiences. Searching for the make, model, and pfSense will
find user experiences on other websites. Repeating the same search with FreeBSD instead of pfSense can also turn
up useful experiences.
6.2.2 Naming Conventions
This documentation refers to the 64-bit hardware architecture as amd64, the architecture designation used by
FreeBSD. Intel adopted the architecture created by AMD for x86-64, thus the name amd64 refers to all x86 64-bit
CPUs.
Netgate sells ARM appliances compatible with its Plus edition of pfSense software. This hardware is based on the
armv6 and armv7 architectures (also called arm) and aarch64 (also called arm64). Items specific to those unique
architectures will be called out as necessary. The generic term ARM may be considered to apply to all of these, but
only for the specific ARM-based appliances sold by Netgate, such as the 2100 and 3100.
6.3 Hardware Sizing Guidance
When sizing hardware for pfSense® software, required throughput and necessary features are the primary factors that
govern hardware selection.
The information on Netgate Store now contains up-to-date specifications and performance data on all hardware sold
by Netgate. The data on the Netgate Store is updated as needed and it is always the most accurate and current source
of performance data.
Tip: Contact Netgate Sales for personalized help in selecting the most suitable model for any implementation.
Estimating throughput of third party / whitebox hardware is difficult and inaccurate. In some cases, ballpark estimates
may be made by comparing hardware specifications with those found on the Netgate Store for comparable models.
6.3.1 Throughput Considerations
In real networks the traffic flow will likely contain packets of varying size, not all maximum size packets, but it
completely depends on the environment and the type of traffic involved. IMIX testing attempts to approximate a
mixture of traffic that more closely resembles real-world environments. Simple IMIX traffic is sets of seven 40-byte
packets, four 576-byte packets, and one 1500-byte packet, plus Ethernet framing overhead.
Note: The Netgate Store entries for hardware include data for both maximum size packet size (“IPERF3”) as well as
results for IMIX traffic patterns.
As a general reference, table 500,000 PPS Throughput at Various Frame Sizes lists a few common packet sizes and
the throughput achieved at an example rate of 500,000 packets per second.
Table 1: 500,000 PPS Throughput at Various Frame Sizes
Frame size Throughput at 500 Kpps
64 bytes 244 Mbps
500 bytes 1.87 Gbps
1000 bytes 3.73 Gbps
1500 bytes 5.59 Gbps
Performance difference by network adapter type
The choice of NIC has a significant impact on performance. Inexpensive, low end cards consume significantly more
CPU than better quality cards such as Intel. The first bottleneck with firewall throughput is the CPU. Throughput
improves significantly by using a better quality NIC with slower CPUs. By contrast, increasing the speed of the CPU
will not proportionally increase the throughput when coupled with a low quality NIC.
6.3.2 Feature Considerations
Features, services and packages enabled on the firewall can lower the total potential throughput as they consume
hardware resources that could otherwise be used to transfer network traffic. This is especially true for packages that
intercept or inspect network traffic, such as Snort or Suricata.
Most base system features do not significantly factor into hardware sizing but a few can potentially have a considerable
impact on hardware utilization.
Large State Tables
Active network connections through the firewall are tracked in the firewall state table. Each connection through the
firewall consumes two states: One entering the firewall and one leaving the firewall. For example, if a firewall must
handle 100,000 simultaneous web server client connections the state table must be able to hold 200,000 states.
See also:
States are covered further in Firewall.
Firewalls in environments which require large numbers of simultaneous states must have sufficient RAM to contain
the state table. Each state takes approximately 1 KB of RAM, which makes calculating the memory requirements
relatively easy. Table Large State Table RAM Consumption provides a guideline for the amount of memory required
for larger state table sizes. This is solely the memory used for the state tracking. The operating system itself along
with other services will require at least 175-256 MB additional RAM and possibly more depending on the features
used.
Table 2: Large State Table RAM Consumption
States Connections RAM Required
100,000 50,000 ~97 MB
500,000 250,000 ~488 MB
1,000,000 500,000 ~976 MB
3,000,000 1,500,000 ~2900 MB
8,000,000 4,000,000 ~7800 MB
It is safer to overestimate the requirements. Based on the information above, a good estimate would be that 100,000
states consume about 100 MB of RAM, or that 1,000,000 states would consume about 1 GB of RAM.
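A sizing calculator that applies the rules of thumb from Throughput Considerations and Large State Tables, added here as an example and not part of the pfSense documentation: it reproduces Table 1 (the listed values match binary-prefix Mbps), shows why IMIX throughput is far below the maximum-frame figure at the same packet rate, and sizes RAM per Table 2. The 18-byte Ethernet overhead, the 256 MB baseline choice, and the function names are my assumptions.

```python
"""Added example (not pfSense code): a sizing calculator applying the rules
of thumb in this chapter. Assumptions of mine: rates use binary prefixes
(1 Mbps = 2**20 bit/s), which is what reproduces Table 1, and the IMIX
"Ethernet framing overhead" is 18 bytes (14-byte header + 4-byte FCS)."""

# Simple IMIX mix from the text: (packet bytes, count per set).
IMIX_MIX = ((40, 7), (576, 4), (1500, 1))
ETHERNET_OVERHEAD_BYTES = 18   # assumption: header 14 + FCS 4, no preamble/IFG
STATE_BYTES = 1024             # ~1 KB of RAM per firewall state
STATES_PER_CONNECTION = 2      # one state entering, one leaving the firewall
OS_BASELINE_MB = 256           # upper end of the 175-256 MB OS/services figure
MIB = 2 ** 20


def throughput_mbps(pps: int, frame_bytes: float) -> float:
    """Throughput at a fixed packet rate; (500_000, 64) gives Table 1's 244 Mbps."""
    return pps * frame_bytes * 8 / MIB


def imix_average_frame_bytes(overhead: int = ETHERNET_OVERHEAD_BYTES) -> float:
    """Mean on-the-wire frame size of one IMIX set (12 packets)."""
    total_bytes = sum(size * count for size, count in IMIX_MIX)
    packets = sum(count for _, count in IMIX_MIX)
    return total_bytes / packets + overhead


def imix_throughput_mbps(pps: int) -> float:
    """Same packet rate, much smaller average frame: why IMIX figures are lower."""
    return throughput_mbps(pps, imix_average_frame_bytes())


def state_table_ram_mb(connections: int) -> float:
    """RAM for the state table alone; 50_000 connections gives Table 2's ~97 MB."""
    return connections * STATES_PER_CONNECTION * STATE_BYTES / MIB


def required_ram_mb(connections: int, os_baseline_mb: int = OS_BASELINE_MB) -> float:
    """State table plus the OS/services baseline the text adds on top."""
    return state_table_ram_mb(connections) + os_baseline_mb


def max_connections(ram_mb: int, os_baseline_mb: int = OS_BASELINE_MB) -> int:
    """Largest simultaneous-connection count ram_mb of RAM can track."""
    spare_bytes = max(0, ram_mb - os_baseline_mb) * MIB
    return spare_bytes // (STATES_PER_CONNECTION * STATE_BYTES)


if __name__ == "__main__":
    for frame in (64, 500, 1000, 1500):
        print(f"{frame:5d} bytes @ 500 Kpps: {throughput_mbps(500_000, frame):8.0f} Mbps")
    print(f"IMIX @ 500 Kpps: {imix_throughput_mbps(500_000):8.0f} Mbps")
    print(f"100,000 web clients need ~{required_ram_mb(100_000):.0f} MB RAM")
```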
VPN (all types)
The question customers typically ask about VPNs is “How many connections can my hardware handle?” That is a
secondary factor in most deployments and is of lesser consideration. That metric is a relic of how other vendors
have licensed VPN capabilities in the past and has no specific direct equivalent in pfSense software. The primary
consideration in hardware sizing for VPN is the potential throughput of VPN traffic.
Encrypting and decrypting network traffic with all types of VPNs is CPU intensive. pfSense software offers several
cipher options for use with IPsec. The various ciphers perform differently and the maximum throughput of a firewall
is dependent on the cipher used and whether or not that cipher can be accelerated by the hardware.
See also:
The Netgate Store contains VPN performance data for each device sold by Netgate using the most optimal cipher for
each device based on its capabilities.
Hardware cryptographic accelerators, such as those found on most Netgate hardware, greatly increase maximum VPN
throughput and largely eliminate the performance difference between accelerated ciphers. For IPsec, ciphers may be
accelerated by onboard cryptographic accelerators. For example, AES-GCM is accelerated by AES-NI and it is faster
not only for that, but because it also does not require a separate authentication algorithm. IPsec also has less per-packet
operating system processing overhead than OpenVPN, so for the time being IPsec will nearly always be faster than
OpenVPN.
Where high VPN throughput is a requirement for a firewall, hardware cryptographic acceleration is of utmost impor-
tance to ensure not only fast transmission speeds but also reduced CPU overhead. The reduction in CPU overhead
means the VPN will not lower the performance of other services on the firewall.
The current best available acceleration is available by using pfSense Plus software on hardware with a QAT device, or
failing that, a CPU which includes AES-NI support combined with AES-GCM in IPsec.
Packages
Certain packages have a significant impact on hardware requirements, and their use must be taken into consideration
when selecting hardware.
Snort/Suricata
Snort and Suricata are pfSense software packages for network intrusion detection. Depending on their configuration,
they can require a significant amount of RAM. 1 GB should be considered a minimum but some configurations may
need 2 GB or more, not counting RAM used by the operating system, firewall states, and other packages.
Suricata is multi-threaded and can potentially take advantage of NETMAP for inline IPS if the hardware offers support.
6.4 Hardware Tuning and Troubleshooting
The underlying operating system beneath pfSense® software can be fine-tuned in several ways. A few of these tunables
are available under Advanced Options (See System Tunables Tab). Others are outlined in the FreeBSD man page
tuning(7).
The default installation includes a well-rounded set of values tuned for good performance without being overly aggres-
sive. There are cases where hardware or drivers necessitate changing values or a specific network workload requires
changes to perform optimally.
The hardware sold in the Netgate Store is tuned further since Netgate has detailed knowledge of the hardware, remov-
ing the need to rely on more general assumptions.
Note: Changes in /boot/loader.conf.local require a firewall reboot to take effect.
• General Issues
– Mbuf Exhaustion
– Disable MSIX
– PPPoE with Multi-Queue NICs
– TSO/LRO
– IP Input Queue (intr_queue)
• Card-Specific Issues
– Broadcom bce(4) Cards
– Broadcom bge(4) Cards
– Chelsio cxgbe(4) Cards
– Intel igb(4) and em(4) Cards
– Intel ix(4) Cards
– VMware vmx(4) Interfaces
– Flow Control
6.4.1 General Issues
Mbuf Exhaustion
A common problem encountered by users of commodity hardware is mbuf exhaustion. To oversimplify, “mbufs” are
network memory buffers; portions of RAM set aside for use by networking for moving data around.
The count of active mbufs is shown on the dashboard and is tracked by a graph under Status > Monitoring.
See also:
For details on mbufs and monitoring mbuf usage, see Mbuf Clusters.
If the firewall runs out of mbufs, it can lead to a kernel panic and reboot under certain network loads that exhaust
all available network memory buffers. In certain cases this condition can also result in expected interfaces not being
initialized and made available by the operating system. This is more common with NICs that use multiple queues or
are otherwise optimized for performance over resource usage.
Additionally, mbuf usage increases when the firewall is using certain features such as Limiters.
To increase the amount of mbufs available, add the following to /boot/loader.conf.local:
kern.ipc.nmbclusters="1000000"
On 64 bit systems with multiple GB of RAM, 1 million (1000000) mbuf clusters is a safe starting point. Should mbuf
clusters become fully allocated, that would consume about 2.3 GB of physical memory:
1000000 memory buffer clusters available × (2048 bytes per cluster + 256 bytes per memory buffer)
The amount of available clusters can be reduced for systems with low amounts of physical RAM, or increased further
as needed, as long as the value does not exceed available kernel memory.
Some network interfaces may need other similar values raised such as kern.ipc.nmbjumbop. In addition to the
graphs mentioned above, check the output of the command netstat -m to verify if any areas are near exhaustion.
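A parser for netstat -m output that flags zones near exhaustion and any denied allocation requests, added here as an example and not pfSense's own code. The sample output is constructed to resemble FreeBSD's netstat -m format; the per-zone cluster sizes, the 80% warning threshold, and the function names are my assumptions.

```python
"""Added example (not pfSense code): read `netstat -m` output and report mbuf
zones that are near their maximum or have denied requests, the check the
text recommends alongside the dashboard and Status > Monitoring graphs."""
import re
from dataclasses import dataclass

# Per-cluster sizes (assumption) used for the text's worst-case formula:
# clusters x (cluster size + 256-byte mbuf).
ZONE_BYTES = {
    "mbuf clusters": 2048,
    "4k (page size) jumbo clusters": 4096,
    "9k jumbo clusters": 9216,
    "16k jumbo clusters": 16384,
}
MBUF_BYTES = 256

ZONE_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+) (.+?) in use \(current/cache/total/max\)$")
DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for (.+?) denied \((.+?)\)$")

# Constructed sample in FreeBSD's netstat -m layout: the 4k zone is 91% used
# and 37 cluster requests were denied, both of which should be reported.
SAMPLE_NETSTAT_M = """\
261873/5122/266995 mbufs in use (current/cache/total)
248912/3014/251926/1000000 mbuf clusters in use (current/cache/total/max)
248912/3000 mbuf+clusters out of packet secondary zone in use (current/cache)
480012/10/480022/524288 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/155288 9k jumbo clusters in use (current/cache/total/max)
0/0/0/87349 16k jumbo clusters in use (current/cache/total/max)
2482168K/7848K/2490016K bytes allocated to network (current/cache/total)
0/37/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0 sendfile syscalls
"""


@dataclass
class Zone:
    name: str
    current: int
    cache: int
    total: int
    limit: int

    @property
    def utilization(self) -> float:
        """Share of the zone's maximum already allocated (cached clusters count)."""
        return self.total / self.limit if self.limit else 0.0

    @property
    def worst_case_bytes(self) -> int:
        """Memory if every cluster in the zone were allocated; 0 if size unknown."""
        size = ZONE_BYTES.get(self.name)
        return self.limit * (size + MBUF_BYTES) if size else 0


def parse_netstat_m(text: str):
    """Return (zones, denied); denied maps e.g. 'mbufs:clusters' -> count."""
    zones, denied = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:
            cur, cache, total, limit, name = m.groups()
            zones.append(Zone(name, int(cur), int(cache), int(total), int(limit)))
            continue
        d = DENIED_RE.match(line)
        if d:
            counts = [int(d.group(i)) for i in (1, 2, 3)]
            for label, count in zip(d.group(5).split("/"), counts):
                denied[f"{d.group(4)}:{label}"] = count
    return zones, denied


def mbuf_warnings(text: str, threshold: float = 0.8):
    """Findings worth acting on: zones at/above threshold and non-zero denials."""
    zones, denied = parse_netstat_m(text)
    findings = []
    for z in zones:
        if z.utilization >= threshold:
            findings.append(f"{z.name}: {z.total}/{z.limit} ({z.utilization:.0%}) near exhaustion")
    for key, count in denied.items():
        if count > 0:
            findings.append(f"{count} requests for {key} denied")
    return findings


if __name__ == "__main__":
    for finding in mbuf_warnings(SAMPLE_NETSTAT_M):
        print(finding)
```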
Disable MSIX
Message Signaled Interrupts are an alternative to classic style Interrupts for retrieving data from hardware. Some cards
behave better with MSI, MSIX, or classic style Interrupts, but the card will try the best available choice (MSIX, then
MSI, then Interrupts).
MSIX and MSI can be disabled via loader tunables. Add the following to /boot/loader.conf.local:
hw.pci.enable_msix="0"
hw.pci.enable_msi="0"
To nudge the card to use MSI, disable only MSIX. To nudge the card to use regular Interrupts, disable both MSI and
MSIX.
PPPoE with Multi-Queue NICs
Network cards which support multiple queues rely on hashing to assign traffic to a particular queue. This works well
with IPv4/IPv6 TCP and UDP traffic, for example, but fails with other protocols such as those used for PPPoE.
This can lead to a network card under performing with the default network settings, as noted on #4821 and FreeBSD
PR 203856. This problem primarily affects systems with multiple CPUs and/or CPU cores, as those are the systems
which benefit most from multiple NIC queues.
Adding a System Tunable or loader.conf.local entry for net.isr.dispatch=deferred can lead to
performance gains on affected hardware.
Tuning the values of net.isr.maxthreads and net.isr.numthreads may yield additional performance
gains. Generally these are best left at default values matching the number of CPU cores, but depending on the workload
may work better at lower values.
Warning: In the past, deferred mode has led to issues on 32-bit platforms, such as crashes/panics, especially
with ALTQ. There have been no recent reports, however, so it should be safe on current releases.
TSO/LRO
The settings for Hardware TCP Segmentation Offload (TSO) and Hardware Large Receive Offload (LRO) under
System > Advanced on the Networking tab default to checked (disabled) for good reason. Nearly all hardware/drivers
have issues with these settings, and they can lead to throughput issues. Ensure the options are checked. Sometimes
disabling via sysctl is also necessary.
Add the following to /boot/loader.conf.local:
net.inet.tcp.tso="0"
IP Input Queue (intr_queue)
This will show the current setting:
sysctl net.inet.ip.intr_queue_maxlen
However, in heavily loaded installations this may not be enough. Here is how to check:
sysctl net.inet.ip.intr_queue_drops
If the above shows values above 0, try doubling the current value of net.inet.ip.intr_queue_maxlen.
For example:
sysctl net.inet.ip.intr_queue_maxlen="3000"
Keep performing the above until the point is found where drops are eliminated without any adverse effects.
Afterwards, add an entry under System > Advanced, System Tunables tab to set net.inet.ip.intr_queue_maxlen
to 3000.
6.4.2 Card-Specific Issues
Broadcom bce(4) Cards
Several users have noted issues with certain Broadcom network cards, especially those built into Dell hardware. If
bce interfaces are behaving erratically, dropping packets, or causing crashes, then the following tweaks may help.
Add the following to /boot/loader.conf.local:
kern.ipc.nmbclusters="1000000"
hw.bce.tso_enable="0"
hw.pci.enable_msix="0"
That will increase the amount of network memory buffers, disable TSO directly, and disable msix.
Packet loss with many (small) UDP packets
If a lot of packet loss is observed with UDP on bce cards, try changing the netisr settings. These can be set as
system tunables under System > Advanced, on the System Tunables tab. On that page, add two new tunables:
net.isr.direct_force="1"
net.isr.direct="1"
Broadcom bge(4) Cards
See above, but change “bce” to “bge” in the setting names.
Chelsio cxgbe(4) Cards
It is possible to disable the allocation of resources that are not related to the router so that the network adapter can use
its entire set of resources for the corresponding functions:
Add the following to /boot/loader.conf.local:
hw.cxgbe.toecaps_allowed="0"
hw.cxgbe.rdmacaps_allowed="0"
hw.cxgbe.iscsicaps_allowed="0"
hw.cxgbe.fcoecaps_allowed="0"
Intel igb(4) and em(4) Cards
Certain Intel igb cards, especially multi-port cards, can easily exhaust mbufs and cause kernel panics. The following
tweak will prevent this from being an issue. Add the following to /boot/loader.conf.local:
kern.ipc.nmbclusters="1000000"
That will increase the amount of network memory buffers, allowing the driver enough headroom for its optimal oper-
ation.
Intel ix(4) Cards
In /boot/loader.conf.local:
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
As a sysctl (system tunable):
hw.intr_storm_threshold="10000"
VMware vmx(4) Interfaces
VMware VMXNET interfaces support multiple queues when using MSI-X. Multiple queues enable network perfor-
mance to scale with the number of vCPUs and allow for parallel packet processing. Transmit and Receive descriptors
may also be increased to help with throughput.
Edit or create /boot/loader.conf.local and add the following content:
Note: Some options have a separate set of tunables for each individual network interface. In these cases, replace
<id> with the device ID such as 0, 1, etc. where the ID number matches the interface number. For example,
tunables for vmx3 are under dev.vmx.3.
hw.pci.honor_msi_blacklist="0"
dev.vmx.<id>.iflib.override_ntxds="0,4096"
dev.vmx.<id>.iflib.override_nrxds="0,2048,0"
Save the file, then reboot and check the change with dmesg | grep -Eiw 'descriptors|queues' at a
command prompt.
Flow Control
In some circumstances, flow control may need to be disabled. The exact method depends on the hardware involved,
as in the following examples:
These example entries go in /boot/loader.conf.local:
cxgbe(4)
hw.cxgbe.pause_settings="0"
ixgbe(4) (aka ix)
hw.ix.flow_control="0"
These example entries go in System > Advanced, on the System Tunables tab (System Tunables Tab):
Note: Some options have a separate set of tunables for each individual network interface. In these cases, replace
<id> with the device ID such as 0, 1, etc. where the ID number matches the interface number. For example,
tunables for igc3 are under dev.igc.3.
igc(4)
dev.igc.<id>.fc="0"
igb(4)
dev.igb.<id>.fc="0"
em(4)
dev.em.<id>.fc="0"
For ix and others, the flow control value can be further tuned:
0 No Flow Control
1 Receive Pause
2 Transmit Pause
3 Full Flow Control, Default
6.5 Console Types
There are two console types available with pfSense® software, VGA and Serial. The active default console depends
on the image/installer used and configuration settings. The difference between the two console types is explained in
more detail below.
6.5.1 VGA Console
The VGA (video) console is a console with a monitor and keyboard. The video console requires hardware with a
connection for a monitor (e.g. HDMI, VGA) and keyboard (USB, PS/2). In some cases a serial BIOS that does VGA
redirection may work.
The VGA console is active by default using the normal memstick installer or ISO.
6.5.2 Serial Console
The serial console uses a serial/COM port to communicate with a serial client. It is primarily intended for systems
without a monitor or keyboard. The serial console can also be used on systems where those are either not available or
not wanted, so long as the hardware has an attached (non-USB) serial port.
The serial console is active by default when installing using the serial memstick and may be enabled under System >
Advanced on VGA images.
Accessing the serial console requires a null modem serial cable attached between the COM1 port on the firewall and a
serial client. A hardware serial port is required on the firewall, but the client may use a USB serial adapter if needed.
Serial clients are quite common, often pre-installed on an operating system or easily available. The free PuTTY client
is the most popular GUI choice. Other choices include GNU screen, tip, cu and minicom.
See also:
See Connect to the Console for details on how to connect to a serial console.
The default speed of the serial port is 115200/8/N/1. The serial port speed may be changed under System >
Advanced.
If the device has a BIOS accessible over serial console, it is also possible that it will not be using the same serial speed
that the OS is using.
The most common serial speeds to try would be: 115200, 38400, and 9600.
If the BIOS serial speed does not match the OS serial speed, the best practice is to adjust one or the other to match, so
that POST messages may be viewed as well as the OS messages without having to adjust the client.
6.6 Connect to the Console
A connection to the console on the target hardware is a requirement to run the installer.
6.6.1 Connecting to a VGA Console
For hardware with a VGA console, this is as simple as connecting a monitor and keyboard.
6.6.2 Connecting to a Serial Console
For hardware with a serial console, the process is more involved and requires a client PC with an appropriate port and
terminal software. Follow the instructions below to connect using a serial console.
The instructions in this section cover general serial console topics. Some devices, such as firewalls from the Netgate
Store, require slightly different methods to connect to the serial console. For devices from the Netgate Store, visit the
Netgate Documentation for model-specific serial console instructions.
Serial Console Requirements
Connecting to a serial console on most firewalls requires the correct hardware on every part of the link, including:
• The client PC must have a physical serial port or a USB-to-Serial adapter
• The firewall must have a physical serial port
• A null modem serial cable and/or adapter, or a device-specific serial cable
• A terminal program on the client, such as PuTTY
• The correct serial settings for the client software
For most of the firewalls purchased from the Netgate Store, the only hardware requirement is a USB A to Mini-B
cable. See Netgate Documentation for specifics.
In addition to the proper hardware connection, a serial console client program must also be available on the client PC,
and the serial speed and other settings must be known.
Locating a Serial Port (Server/Firewall)
First, ensure the firewall hardware has a serial port. To use the serial console, the hardware must have a physical serial
port at COM1. Embedded units typically have a DB9 (9-pin) serial port, but some have an RJ45 style console connector
with an adapter cable that ends with a DB9 connector.
Connect a Serial Cable
First, a null modem serial cable must be connected between the firewall and a client PC. Depending on the serial port
and cable being used, a serial cable gender changer may also be necessary to match the available ports.
If a real null modem serial cable is unavailable, a null modem adapter can be used to convert a standard serial cable
into a null modem cable.
If the client PC does not have a physical serial port, use a USB-to-Serial adapter.
Locate the Client Serial Port
On the client PC, the serial port device name must be determined so that the client software can be used on the correct
port.
Windows
On Windows clients, a physical serial port is typically COM1. With a USB-to-Serial adapter, it may be COM3. Open
Device Manager in Windows and expand Ports (COM & LPT) to find the port assignment.
macOS
On macOS, the name can be tricky for a user to determine since it can vary based on several factors. On recent versions
of macOS, the devices are likely to be named /dev/cu.usbserial-<id> where the <id> is an identifier for the
USB serial adapter, such as a serial number.
When in doubt, run ls -l /dev/cu.* from a Terminal prompt to see a list of available USB serial devices and
locate the appropriate one for the hardware. If there are multiple devices, the correct device is likely the one with the
most recent timestamp or highest ID.
Linux
The device associated with a USB-to-Serial adapter is likely to show up as /dev/ttyUSB0. Look for messages
about the device attaching in the system log files or by running dmesg.
Note: If the device does not appear in /dev/, check to see if the device requires additional drivers.
FreeBSD
The device associated with a USB-to-Serial adapter is likely to show up as /dev/cuaU0. Look for messages about
the device attaching in the system log files or by running dmesg.
Determine Serial Console Settings
The settings for the serial port, including the speed, must be known before a client can successfully connect to a serial
console.
Whichever serial client is used, ensure that it is set for the proper Speed (115200), Data Bits (8), Parity (No), and
Stop Bits (1). This is typically written as 115200/8/N/1.
Note: Some hardware defaults to a slower speed. This is relevant to the BIOS and initial output, not to pfSense®
software which defaults to 115200.
Many serial clients default to 9600/8/N/1, so adjusting these settings is required to connect. Use 115200/8/N/1
with pfSense software regardless of the setting of the hardware/BIOS.
For hardware using BIOS serial speeds other than 115200, change the baud rate to 115200 in the BIOS setup so the
BIOS and pfSense software are both accessible with the same settings. Refer to the hardware manual for information
on setting its baud rate.
115200 is the default speed pfSense software uses out of the box, but the serial speed used by pfSense software can
be changed later. See Serial Console Speed.
Locate a Serial Client
A serial client program must be used on the client PC. The most popular client for Windows is PuTTY, which is
free and works well. PuTTY is also available for Linux and can be installed on macOS using brew. On UNIX and
UNIX-Like operating systems, the screen program is readily available or easily installed and it can also be used to
connect to serial ports from a terminal program or system console.
Windows
PuTTY is the most popular free choice for serial communication on Windows. SecureCRT is another client that works
well.
Warning: Do not use Hyperterminal. Even if it is already present on the client PC, it is unreliable and prone to
formatting incorrectly and losing data.
macOS
On macOS clients, the GNU screen utility is the easiest and most common choice. ZTerm and cu (similar to
FreeBSD) can be used as well.
Linux
On Linux clients, the GNU screen utility is the easiest and most common choice. Programs such as PuTTY,
minicom, or dterm can be used as well.
FreeBSD
On FreeBSD clients, the GNU screen utility is the easiest and most common choice.
As an alternative, use the built-in program tip. Typing tip com1 (or tip ucom1 if using a USB serial adapter)
will connect to the first serial port. Disconnect by typing ~. at the start of a line.
Start a Serial Client
Now that all of the requirements have been met, it is time to run the serial client.
If the client software is not covered in this section, consult its documentation to determine how to make a serial
connection.
PuTTY
• Start PuTTY
• Select Serial for the Connection Type
• Enter the serial port device name for Serial Line, e.g. COM3 or /dev/ttyUSB0.
• Enter the appropriate Speed, e.g. 115200
• Click Open
MINICOM
$ minicom -D /dev/ttyUSB0 -b 115200
GNU screen
• Open a terminal / command prompt
• Invoke the screen command using the path to the serial port, for example:
$ sudo screen /dev/ttyUSB0 115200
In some cases there may be a terminal encoding mismatch. If this happens, run screen in UTF-8 mode:
$ sudo screen -U /dev/cu.usbserial-1234 115200
The standard screen controls apply. Press Ctrl-A, \ to quit, or Ctrl-A, Ctrl-\ in some cases.
tip
The tip command on FreeBSD consults /etc/remote and connects to serial ports based on the settings there.
To set up a connection to a USB-to-serial adapter at 115200, add a line such as the following to /etc/remote:
ucom1fast:dv=/dev/cuaU0:br#115200:pa=none:
To access the port, invoke tip:
$ tip ucom1fast
To quit, press Enter, then type ~. (a tilde followed by a period). If connected through a terminal ssh client, ~~.
may need to be used instead so that the ssh client itself doesn't interpret the keys.
6.7 Cryptographic Accelerator Support
Cryptographic acceleration is available on some platforms, typically on hardware that has it available in the CPU like
AES-NI, or built into the board such as the ones used on Netgate ARM-based systems. Most cryptographic accelerator
hardware supported by FreeBSD will work, provided the drivers are in the kernel or available as loadable modules.
Note: Some modules and hardware are only supported by pfSense® Plus software.
6.7.1 Supported Devices
Currently supported cryptographic accelerator devices include:
AES-NI Supported natively by most modern CPUs.
Intel QuickAssist Technology (QAT) [Plus only] Supported on certain Intel-based platforms such as
select models of c3000 and c2000 SoCs, and also by QAT add-on cards. Present on several Netgate
hardware models such as the 7100, 6100, 5100, and more.
CESA [Plus only] Present on some ARM platforms such as the Netgate 3100.
SafeXcel [Plus only] Present on some ARM platforms such as the Netgate 2100 and 1100.
Note: For specifics on which hardware accelerators are available on Netgate hardware, and relevant performance
data, visit the Netgate Store.
6.7.2 Activating the Hardware
Some hardware acceleration is active at all times and there is no way to disable it short of removing the crypto card if
it is a hardware add-on. For example, CESA acceleration cannot be disabled because it is an integrated feature of the
system and the drivers are present in the kernel.
Others, such as QAT, AES-NI, or SafeXcel require choosing the appropriate module under System > Advanced on
the Miscellaneous tab (See Cryptographic Hardware). Choose the appropriate module to match the hardware for
Cryptographic Hardware and then Save. The module will be loaded and available immediately.
To deactivate a loaded module, select None for Cryptographic Hardware, Save, and then reboot the system.
6.7.3 Confirming Accelerator Use
Confirming that the cryptographic acceleration device is being used by the firewall can be tricky, depending on the
hardware in question.
Most often the evidence of cryptographic accelerator use is apparent in one or more of the following observations:
• Increased VPN throughput
• Decreased system load (e.g. CPU utilization) for similar levels of VPN throughput
In cases where it is not clear, some cryptographic accelerators show signs of use by checking for interrupt activity on
the device using vmstat -i | grep <name>, where <name> corresponds to the name of the device:
QAT Use the shell command vmstat -i | grep qat
CESA Use the shell command vmstat -i | grep cesa
SafeXcel Use the shell command vmstat -i | grep safexcel
In each of these cases, first check that there is any output at all. If the device has not been used at all since the firewall
last rebooted or loaded the device driver, there will be no output from the command.
Note: To see if the driver is loaded, check kldstat -v | grep <name> to ensure the driver is present, and
check dmesg | grep <name> to see if the device was detected.
If there is output from vmstat -i for the device, check the third entry on the line, which is the total number of
interrupts observed on the device(s). If this number is increasing with VPN activity, the device is being used by the
firewall. For example:
# vmstat -i | grep qat
irq300: qat0 5481147 3
In that output the 5481147 number represents the number of interrupts on the qat0 device. Run the command again
after transferring data across the VPN, and compare the number.
Note: If the command produces no output at all, the device is not being used or the device driver is not loaded.
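The interrupt-count check described above can be scripted so that the two samples are taken and compared automatically. The following is an added example, not part of the pfSense documentation; it assumes the vmstat -i line layout shown above (irq, device, total, rate) and the device names qat, cesa and safexcel from this section. The script name check_accel.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation: sample a crypto
# accelerator's interrupt counter from "vmstat -i" twice and report whether
# it moved. Assumes the FreeBSD output layout shown in the manual, e.g.
#   irq300: qat0 5481147 3
# (fields: irq, device, total interrupts, rate).

# Read "vmstat -i" lines on stdin and print the total (third field) of the
# first line whose device name starts with $1 (qat, cesa, safexcel, ...).
# Prints 0 when no line matches: the driver is not loaded or the device has
# not been used since the driver was loaded.
irq_total() {
    awk -v dev="$1" '
        $2 ~ ("^" dev) { print $3; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Compare two samples: "absent" (no interrupts at all, see above),
# "active" (counter increased, so the accelerator handled work) or "idle".
irq_verdict() {
    before="$1"
    after="$2"
    if [ "$before" -eq 0 ] && [ "$after" -eq 0 ]; then
        echo absent
    elif [ "$after" -gt "$before" ]; then
        echo active
    else
        echo idle
    fi
}

# Take one live sample for a device name.
sample_device() {
    vmstat -i | irq_total "$1"
}

# Usage: sh check_accel.sh qat 30
# Samples, waits 30 s while traffic crosses the VPN, then samples again.
main() {
    dev="${1:-qat}"
    wait="${2:-30}"
    first=$(sample_device "$dev")
    sleep "$wait"
    second=$(sample_device "$dev")
    echo "$dev: $first -> $second ($(irq_verdict "$first" "$second"))"
}

# Run main only when executed as a script named check_accel.sh, so the
# functions above can also be sourced into another shell.
if [ "${0##*/}" = "check_accel.sh" ]; then
    main "$@"
fi
```

An "absent" verdict means the driver is not loaded or the device has never been touched since boot; confirm with kldstat -v and dmesg as the note above describes before drawing conclusions about the cipher configuration.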
6.7.4 Verifying Cipher Support
To see a list of engines and associated transforms supported by the hardware and active modules through OpenSSL,
run:
/usr/bin/openssl engine -t -c
Note: That is only for support via OpenSSL. Other areas such as IPsec may support additional methods not listed.
6.7.5 Practical Use
IPsec
IPsec will take advantage of acceleration automatically when an active accelerator supports the cipher chosen for a
tunnel. For QAT and AES-NI, the optimal cipher choice is AES-GCM.
OpenVPN
To take advantage of acceleration in OpenVPN, choose a supported cipher on each end of a given tunnel.
Nothing needs to be selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI
that works well without using additional modules.
6.8 Disabling Sounds/Beeps
Some hardware has a PC Speaker which can be used as a means of notification. By default, the firewall will play a
tone at startup/shutdown and will emit a beep when a user logs into the GUI. Additionally, some packages are capable
of producing beeps for events.
6.8.1 Disable Startup/Shutdown Tune
The startup and shutdown tunes may be disabled as follows:
• Navigate to System > Advanced, Notifications tab
• Check Disable the startup/shutdown beep
• Click Save
6.8.2 Disable Login Beep
The GUI login beep happens because the GUI login event is recorded by syslog under the LOG_AUTH facility.
Messages in this facility trigger the operating system to generate a beep. To disable the beep, the GUI login messages
must be suppressed as follows:
• Navigate to System > Advanced, Admin Access tab
• Check Disable logging of webConfigurator successful logins
• Click Save
6.8.3 Disable All Sounds
As an alternative, the system bell may be disabled globally:
• Navigate to System > Advanced, System Tunables tab
• Click to create a new tunable entry using the following values:
Tunable kern.vt.enable_bell
Description Control system sounds
Value 0
• Click Save
See also:
• Halting and Powering Off the Firewall
• Rebooting the Firewall
• Network Interface Drivers with ALTQ Traffic Shaping Support
• Troubleshooting Disk and Filesystem Issues
• Troubleshooting Boot Issues
• Troubleshooting DMA and LBA Errors
• Troubleshooting High CPU Load
• Troubleshooting Disk and Filesystem Issues
• Troubleshooting Lost Traffic or Disappearing Packets
• Troubleshooting Unexpected Reboots
The pfSense® software distribution is compatible with most hardware supported by FreeBSD.
Current versions of pfSense software are compatible with 64-bit (amd64, x86-64) architecture hardware and Netgate
ARM-based firewalls.
Alternate hardware architectures such as Raspberry Pi, other Non-Netgate ARM devices, PowerPC, MIPS, SPARC,
etc. are not supported.
6.9 Hardware Compatibility
The best way to ensure that hardware is compatible with pfSense software is to buy hardware from the Netgate Store
that has been tested and known to work well with pfSense software. The hardware in the store is tested with each
release of pfSense software and is tuned for optimal performance.
For home-built solutions, the FreeBSD Hardware Notes for the FreeBSD version used in a given build of pfSense
software is the best resource for determining hardware compatibility. pfSense software version 2.5.2-RELEASE is
based on 12.2-STABLE@f4d0bc6aa6b. Another good resource is the Hardware section of the FreeBSD FAQ.
6.9.1 Network Adapters
A wide variety of wired Ethernet Network Interface Cards (NICs) are supported by FreeBSD, and are thus compatible
with pfSense software. However, not all NICs are created equal. The hardware can vary greatly in quality from one
manufacturer to another.
The best practice is to use Intel NICs because they have solid driver support in FreeBSD and they perform well. Most
hardware sold in the Netgate Store contains Intel NICs.
Of the various other PCIe/PCI cards supported by FreeBSD, some work fine, others may suffer from instability or poor
performance. In some cases, FreeBSD may support a particular NIC but specific implementations of the chipset may
be lower in quality or have poor driver support. When in doubt, search the Netgate Forum for experiences of others
using the same or similar hardware.
When a firewall requires the use of VLANs, select adapters that support VLAN processing in hardware. This is
discussed in Virtual LANs (VLANs).
USB Network Adapters
USB network adapters of any make/model should not be used due to their unreliability and poor performance.
Wireless Adapters
Supported wireless adapters and recommendations are covered in Wireless.
CHAPTER
SEVEN
INSTALLING AND UPGRADING
Hardware from the Netgate Store is pre-loaded with pfSense® Plus software. To reinstall with pfSense CE software or
to install pfSense CE software to other hardware, download an installer image as described in this chapter. To reinstall
pfSense Plus software on Netgate hardware, contact Netgate TAC for installation images.
Warning: Hardware pre-loaded with pfSense software from commercial vendors other than the Netgate Store
or authorized partners must not be trusted. Third parties may have made unauthorized, unknown alterations or
additions to the software. Selling pre-loaded copies of pfSense software is a violation of the Trademark Usage
Guidelines.
If pfSense software was pre-loaded on third party hardware by a vendor, wipe the system and reinstall it with a
genuine copy.
See also:
If something goes wrong during the installation process, see Troubleshooting Installation Issues.
This chapter also covers upgrading pfSense software installations (Upgrade Guide) which keeps them up-to-date with
the latest security, bug fixes, and new features. This includes the new ability to Migrate from pfSense® CE software to
Netgate pfSense Plus software.
7.1 Download Installation Media
Note: Customers who have purchased firewalls pre-loaded with pfSense® Plus software from the Netgate Store can
get installation images by contacting Netgate TAC. The Netgate Product Manuals contain specific instructions for each
model.
Some Netgate devices can also run Community Edition images, but the pfSense® Plus images offer the best user
experience.
For other hardware, continue reading.
• Navigate to the download page on pfsense.org in a web browser on a client PC.
• Select an Architecture:
AMD64 (64-bit) For 64-bit x86-64 Intel or AMD hardware.
Netgate ADI For specific firewalls from the Netgate Store, which contain a USB serial console port
on COM2.
• Select an Installer type:
USB Memstick Installer A disk image which can be written to a USB memory stick (memstick)
and booted on the target hardware for installation.
DVD Image (ISO) Installer To install from optical media or for use with IPMI or hypervisors which
can boot from ISO images.
• Select a Console for USB Memstick Installer images:
VGA Installs using a monitor and keyboard connected to the target hardware, or virtual machines
with equivalent components.
Serial Installs using a serial console on COM1 of the target hardware. This option requires a non-USB hardware
console port.
Note: Some hardware contains a usable serial port which is exposed through a special internal
USB/Serial connection and dedicated USB console port. This hardware generally works fine,
and is not the same as a USB/Serial adapter plugged into a USB port, which will not work for
serving a serial console.
• Select a Mirror that is close to the client PC geographically.
• Click Download.
• Copy or download the SHA-256 sum displayed by the page to verify the download.
Tip: To view a listing of all files on the mirror, do not select any options from the drop-down menus except for
Mirror then click Download. Descriptions for the file names are available on the downloads page.
See also:
At any point in the installation if something does not go as described, check Troubleshooting Installation Issues.
7.1.1 Verifying the integrity of the download
The integrity of the installer image can be verified by comparing a computed hash value of the original downloaded
file against a hash computed by Netgate when the files were originally created. The current hashes use SHA-256.
The SHA-256 sum displayed on the download page is the best source, as it is not pulled from the same directory as
the download images. A file containing the SHA-256 sum is also available on the mirrors with the same filename as
the chosen installer image, but ending in .sha256.
Use the accompanying SHA-256 sum from the download site or .sha256 file to verify that the download successfully
completed and is an official release of pfSense software.
Warning: The SHA-256 sums are computed against the compressed versions of the downloaded files. Compare
the hash before decompressing the file.
Hash calculation programs vary by operating system, some common examples include:
Windows
Use a GUI-based hash calculation program such as OpenHashTab to compare the value against the provided hash.
With OpenHashTab installed, right click on the downloaded file to access the File Hashes tab containing the SHA256
hash, among others.
Tip: If a SHA256 hash is not displayed, right click in the hash view and click Settings, then check the box for
SHA256 and click OK.
The SHA256 hash generated in OpenHashTab can be compared with the contents of the .sha256 checksum file.
Note: It is also possible to use the Linux sha256sum command within Windows Subsystem for Linux, Cygwin, or
similar mechanisms.
macOS
Use the shasum command line utility to generate a hash of the downloaded file.
Example:
shasum -a 256 pfSense-CE-2.5.2-RELEASE-amd64.iso.gz
The generated SHA256 hash can be compared with the contents of the .sha256 checksum file.
Linux
Use the sha256sum command line utility to generate a hash of the downloaded file.
sha256sum pfSense-CE-2.5.2-RELEASE-amd64.iso.gz
The generated SHA256 hash can be compared with the contents of the .sha256 checksum file.
FreeBSD
Use the sha256 command line utility to generate a hash of the downloaded file.
sha256 pfSense-CE-2.5.2-RELEASE-amd64.iso.gz
The generated SHA256 hash can be compared with the contents of the .sha256 checksum file.
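The per-platform commands above can be wrapped in one portable check that picks whichever hash tool the client OS provides and compares the result against the published sum. The following is an added example, not part of the pfSense documentation. It assumes the .sha256 file on the mirror uses either the BSD layout "SHA256 (name) = <hex>" or the coreutils layout "<hex>  name"; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation: verify a downloaded
# installer image against its expected SHA-256 sum using sha256sum (Linux),
# shasum (macOS) or sha256 (FreeBSD), whichever is present. The hash is taken
# over the compressed file exactly as downloaded; do not decompress it first.

# Print the lowercase SHA-256 hex digest of the file named in $1.
sha256_of() {
    f="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f") || return 1
    elif command -v shasum >/dev/null 2>&1; then
        h=$(shasum -a 256 "$f") || return 1
    elif command -v sha256 >/dev/null 2>&1; then
        h=$(sha256 -q "$f") || return 1
    else
        echo "no SHA-256 tool found on this system" >&2
        return 1
    fi
    # All three print the digest as the first token (sha256 -q prints only it).
    printf '%s\n' "$h" | awk '{print tolower($1)}'
}

# Pull the expected digest out of a .sha256 file. Takes the first 64-hex-digit
# token, which covers both the BSD style "SHA256 (name) = <hex>" and the
# coreutils style "<hex>  name" (assumption: the mirror uses one of these).
expected_sum() {
    grep -o -E '[0-9a-fA-F]{64}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Compare the file's digest with the expected value (pasted from the download
# page or taken from expected_sum). Returns 0 on match, 1 otherwise.
verify_image() {
    f="$1"
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(sha256_of "$f") || return 1
    if [ "$got" = "$want" ]; then
        echo "OK: $f matches the expected SHA-256 sum"
        return 0
    fi
    echo "MISMATCH: $f" >&2
    echo "  expected $want" >&2
    echo "  got      $got" >&2
    return 1
}

# Usage (file names are the ones from this section of the manual):
#   verify_image pfSense-CE-2.5.2-RELEASE-amd64.iso.gz \
#       "$(expected_sum pfSense-CE-2.5.2-RELEASE-amd64.iso.gz.sha256)"
```

A mismatch means either an incomplete download or a file that is not the official release; discard it and download again rather than attempting to use it. The sum shown on the download page is preferred over the .sha256 file, as the note above explains, because it is not served from the same directory as the image.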
7.2 Prepare Installation Media
The installation image downloaded in the previous section must first be transferred to the proper media. The files
cannot be copied to media directly, but must be written using appropriate tools.
The primary difference between the USB memstick and ISO image is in how the images are written to an installation
disk. Both types of images install pfSense® software to a target disk. Another difference is between the console types
for the different USB memstick images. After installation, they each retain their appropriate console settings.
Note: If the target hardware does not have an optical drive and cannot boot from USB, install the software to the
target disk using a different set of hardware. See Alternate Installation Techniques for more information.
7.2.1 Decompress the Installation Media
The installation disk image is compressed when downloaded to save bandwidth and storage. Decompress the file
before writing this image to an installation disk.
The .gz extension on the file indicates that the file is compressed with gzip. The image can be decompressed on
Windows using 7-Zip, or on BSD/Linux/Mac with the gunzip or gzip -d commands.
7.2.2 Writing the Install Media
Creating an installation disk requires a different procedure depending on the type of media. Follow the instructions in
the appropriate section for the chosen media type.
Prepare a USB Memstick
Warning: Be extremely careful when writing pfSense® software installation images! If the client PC contains
other hard drives it is possible to select the wrong drive and overwrite a portion of that drive with the installer disk.
This renders the disk completely unreadable except to certain disk recovery programs, if at all.
Using Etcher
The easiest way to create bootable installation media is to use Etcher. Etcher is available on Windows, macOS, and
Linux so the procedure to write an image is the same across each supported platform. Etcher is simple to use, supports
compressed image files, and has several features which help prevent users from making unintentional mistakes in the
process such as selecting the wrong target drive. Additionally, unlike other methods there is no need to perform other
steps before writing the image to prepare the image file or disk.
• Download and install Etcher from https://www.balena.io/etcher/
• Insert a USB flash drive into the client computer
• Start Etcher
Etcher will display its main screen as shown in the following image:
• Click Flash from file
• Locate and select the installation image file
Tip: Etcher can use compressed images directly, there is no need to manually decompress the image file first.
• Click Select target
• Click the USB flash drive to which Etcher should write the image
Note: Etcher attempts to hide and/or visibly mark potentially dangerous selections such as system drives, the
drive containing the source image, and large drives. This makes it easier to identify the correct selection.
• Click Select (1) to continue
• Click Flash! to write the image to the target USB flash drive
At this point there may be an authentication or UAC prompt to continue.
Note: Etcher requires elevated privileges to write USB drives. In the majority of cases, Etcher will trigger an
operating system prompt for additional privileges as needed. If it does not, re-run Etcher as an administrator
explicitly.
• Wait for the flash process to complete
If there is an error from Etcher, try another USB flash drive or follow the advice given within Etcher to resolve
the problem.
Warning: After writing the drive, the installation media will contain partitions which cannot be read by
most operating systems. Ignore any operating system warnings about failing to mount the drive or prompts
to format the drive.
• Close Etcher when complete
• Remove the USB flash drive from the client system
The installation media is now ready to use. Proceed to the installation instructions for the operating system.
Alternate Methods
For other techniques and additional guidance on writing disk images, see the reference document Writing an
Installation Image to Flash Media.
Prepare a DVD
To use an ISO image file containing pfSense® software with an optical disk drive, the ISO image must be burned to a
DVD disc by appropriate writing software.
Since the ISO image is a full-disc image, it must be burned appropriately for image files not as a data DVD containing
the single ISO file. Burning procedures vary by OS and available software.
Decompress the ISO Image
Before the image can be burned, it must be decompressed. The .gz extension on the file indicates that it is compressed
with gzip. This can be decompressed on Windows using 7-Zip, or on BSD/Linux/Mac with the gunzip or gzip -d
commands.
Burn the DVD
Burning in Windows
Windows 7 and later include the ability to burn ISO images natively without extra software. On top of that, virtually
every major DVD burning software package for Windows includes the ability to burn ISO images. Refer to the
documentation for the DVD burning program. A Google search with the name of the burning software and burn
iso also helps locate instructions.
Burning with Windows
To burn a disc image natively in Windows 7 or later:
• Open Windows Explorer and locate the decompressed ISO image file
• Right click the ISO image file
• Click Burn disc image
• Select the appropriate Disc burner drive from the drop-down list
• Insert a blank DVD disc
• Click Burn
Later versions such as Windows 10 also show a Disc Image Tools tab on the ribbon when an ISO image is selected in
Windows Explorer. That tab has a Burn icon that also invokes the same disc burning interface.
Other Free Burning Software
Other free options for Windows users include ISO Recorder, CDBurnerXP, InfraRecorder and ImgBurn. Before
downloading and installing any program, check its feature list to make sure it is capable of burning an ISO image.
Burning in Linux
Linux distributions such as Ubuntu typically include a GUI DVD burning application that can handle ISO images.
If a DVD burning application is integrated with the window manager, try one of the following:
• Right click on the decompressed ISO image file
• Choose Open With
• Choose Disk image writer
Or:
• Right click on the decompressed ISO image file
• Choose Write disc to
Other popular applications include K3B and Brasero Disc Burner.
If a GUI burning program is not available, it may be possible to burn from the command line.
First, determine the burning device’s SCSI ID/LUN (Logical Unit Number) with the following command:
$ cdrecord --scanbus
scsibus6:
6,0,0 600) 'TSSTcorp' 'CDDVDW SE-S084C ' 'TU00' Removable CD-ROM
Note the SCSI ID/LUN is 6,0,0 in this example.
Burn the image as in the following example, replacing <max speed> with the speed of the burner (e.g. 24) and
<lun> with the SCSI ID/LUN of the recorder:
$ sudo cdrecord --dev=<lun> --speed=<max speed> pfSense-CE-2.4.4-RELEASE-p3-amd64.iso
Burning in FreeBSD
FreeBSD can use the same cdrecord options as Linux above by installing sysutils/cdrtools from ports or
packages, and can also use GUI applications such as K3B or Brasero Disc Burner if they are installed from ports.
See also:
For more information on creating DVDs in FreeBSD, see the DVD burning entry in the FreeBSD Handbook.
Verify the Disc Content
After writing the disc, verify it was burned properly by viewing the files on the disc. More than 20 folders should
be visible, including bin, boot, cf, conf, and more. If only one large ISO file is visible, the disc was not burned
properly. Repeat the burning steps listed earlier and be sure to burn the ISO file as a DVD image and not as a data file.
7.3 Perform the Installation
This section describes the process of installing pfSense® software to a target drive, such as an SSD or HDD. In a
nutshell, this involves booting from the installation memstick or CD/DVD disc and then completing the installer.
Note: If the installer encounters an error while trying to boot or install from the installation media, see
Troubleshooting Installation Issues.
The following items are requirements to run the installer:
• Download Installation Media
• Prepare Installation Media
• Connect to the Console
See also:
Virtual environments may have additional requirements, see the following documents for examples:
• Virtualizing pfSense Software with VMware vSphere / ESXi
• Virtualizing pfSense Software with Hyper-V
• Virtualizing with Proxmox® VE
See also:
Hangouts Archive also covers a variety of relevant topics.
7.3.1 Booting the Install Media
For USB memstick installations, insert the USB memstick and then power on the target system. The BIOS may require
the disk to be inserted before the hardware boots.
For DVD installations, power on the hardware then place the CD into an optical drive.
pfSense software will begin to boot and will launch the installer automatically.
Specifying Boot Order in BIOS
If the target system will not boot from the USB memstick or CD, the most likely reason is that the given device was
not found early enough in the list of boot media in the BIOS. Many newer motherboards support a one time boot menu
invoked by pressing a key during POST, commonly Esc or F12.
Failing that, change the boot order in the BIOS. First, power on the hardware and enter the BIOS setup. The boot order
option is typically found under a Boot or Boot Priority heading, but it could be anywhere. If support for booting from
a USB or optical drive is not enabled, or has a lower priority than booting from a hard drive containing another OS,
the hardware will not boot from the installer media. Consult the motherboard manual for more detailed information
on altering the boot order.
7.3.2 Installing to the Hard Drive
For USB memsticks with a serial console connection, the first prompt will ask for the terminal type to use for the
installer. For PuTTY or GNU screen, xterm is the best type to use. The following terminal types can be used:
ansi Generic terminal with color coding
vt100 Generic terminal without color, most basic/compatible option, select if no others work
xterm X terminal window. Compatible with most modern clients (e.g. PuTTY, screen)
cons25w FreeBSD console style terminal
For VGA consoles, cons25w is assumed by the installer.
Once the installer launches, navigating its screens is fairly intuitive, and works as follows:
• To select items, use the arrow keys to move the selection focus until the desired item is highlighted.
• For installer screens containing a list, use the up and down arrow keys to highlight entries in the list. Use the
left and right arrow keys to highlight the actions at the bottom of the screen such as Select and Cancel.
• Pressing Enter selects an option and activates the action associated with that option.
Starting the Installer
The installer contents are the same for both console types. The following document walks through the installation
process in its entirety.
Installation Walkthrough
When the installer starts the first screen it presents offers license terms for pfSense® software which the user must
accept before installation.
Read the terms carefully. Use the Page Down and Page Up keys to display additional license text. Press Enter to
Accept the terms and proceed.
Rescue Options
First, the installer prompts to launch rescue options or start the Install process.
Use the arrow keys to select an option, then press Enter. The options on this screen are:
Install Continue installing pfSense software
Rescue Shell Starts a basic shell prompt where advanced users can perform tasks to prepare the hardware
in ways not fully supported by the installer, or to perform diagnostic tests or repairs on the firewall.
Recover config.xml Attempts to recover a pfSense software configuration file from a target disk in the
system. See Recover config.xml From Existing Installation for details.
Fig. 1: Installer License
Fig. 2: Rescue Options
Keymap Selection
The Keymap Selection screen selects the keyboard layout used by the installer.
Fig. 3: Keymap Selection
For the majority of users with a standard PC keyboard, press Enter to select Continue with default Keymap. If
the keyboard used for the console has a different layout, such as from countries other than the US, find it in the list
and select it instead. After making a selection, return to the top of the list and either choose Test default keymap or
Continue.
Note: This selection is only for the installer, the value is not retained post-install.
Partition / Filesystem Selection
The Partitioning step selects the filesystem for the firewall’s target disk.
The ZFS filesystem type is more reliable and has more features than UFS, however ZFS can be memory hungry. Either
filesystem will work on hardware with several GB of RAM, but if RAM usage is critical to other tasks that will run on
this firewall, UFS is a more conservative choice. For hardware that requires UEFI, use ZFS.
The options on this screen work as follows:
Auto (ZFS) Launches the ZFS configuration section of the installer. See ZFS for details.
Auto (UFS) BIOS Automatically creates partitions and formats the disk with UFS and a traditional/legacy BIOS style boot environment.
Auto (UFS) UEFI Automatically creates partitions and formats the disk with UFS and a UEFI boot environment.
Fig. 4: Partitioning
Note: There are occasional incompatibilities between FreeBSD and UEFI implementations. If the
system fails to boot after installing with a UEFI option, configure the hardware for BIOS/legacy
booting and choose that installation option instead.
Manual Manually create partitions and filesystems.
Shell Open a shell prompt to configure disks, partitions, and filesystems by hand.
Note: If the installer cannot find any drives, or if it shows incorrect drives, it is possible that the desired drive is attached
to an unsupported controller or a controller set for an unsupported mode in the BIOS. See Troubleshooting Installation
Issues for help.
The process varies slightly depending on the selected filesystem type, so follow the section below that matches the
filesystem type to be used by this firewall.
ZFS
This section describes items specific to ZFS partitioning.
Select Auto (ZFS) from the list (Partitioning) and the installer will present the ZFS configuration screen.
Fig. 5: ZFS Configuration
Pool Type / Disks
Select Pool Type / Disks and the installer will prompt for the Virtual Device Type. ZFS supports multiple disks in
various ways for redundancy and/or extra capacity. Though using multiple disks with ZFS is software RAID, it is
quite reliable and better than using a single disk.
The available types are:
stripe A single disk, or multiple disks added together to make one larger disk (RAID 0).
Note: For firewalls with a single target disk, this is the correct choice.
mirror Two or more disks that all contain the same content for redundancy. Can keep operating even if
one disk dies. (RAID 1)
raid10 RAID 1+0, n x 2-way mirrors. A combination of stripes and mirrors, which gives redundancy
and extra capacity. Can lose one disk from any pair at any time.
raidzX Single, Double, or Triple redundant RAID. Uses 1, 2, or 3 parity disks with a pool to give extra
capacity and redundancy, so either one, two, or three disks can fail before a pool is compromised.
Though similar to RAID 5 and 6, the RAIDZ design has significant differences.
Select a type and press Enter.
Fig. 6: Virtual Device Type
Select Disks
Next, the installer prompts for which disks it will include in the selected Virtual Device Type.
Use the up and down arrow keys to highlight a disk and Space to select disks. For mirrors or RAID types, select
enough disks to fulfill the requirements for the chosen type.
Warning: Select a disk even if there is only one in the list!
Select OK with the left or right arrow keys.
When complete, the installer will return to the main ZFS configuration screen.
Partition Scheme
Choose an alternate Partition Scheme only if the default, GPT (BIOS), will not work. The possible choices include:
GPT (BIOS) The GUID partition table layout and BIOS booting. Used by most modern x86 hardware.
Note: Try this method first as it is the most widely compatible choice.
GPT (UEFI) GPT with UEFI boot loader.
GPT (BIOS+UEFI) GPT with both BIOS and UEFI booting.
MBR (BIOS) Legacy MBR style partitions with BIOS booting.
GPT + Active (BIOS) GPT with the boot slice set active, with BIOS booting.
Fig. 7: Example disk selection for ZFS mirror utilizing two disks
GPT + Lenovo Fix (BIOS) GPT with a Lenovo-specific boot fix.
Other Options
The other options on the main ZFS configuration screen can be left at their default values. Certain scenarios may call
for using them, but they are otherwise optional.
Pool Name The name of the ZFS pool created by the installer. Leave this at the default value.
Encrypt Disks Enable encryption of the filesystem contents.
Warning: Encrypting disks will prompt for the encryption passphrase at each boot, which
means each boot must be attended at the console.
Swap Size The amount of disk space dedicated to swap space (virtual memory). This is optional. Commonly set to 2x the available RAM in the firewall, but with smaller disks that may be too large.
Mirror Swap When using a mirrored Virtual Device Type, this also mirrors the swap space contents
between disks. The default is to consider the swap space on each disk separately. In most cases the
contents of swap are not important enough to warrant mirroring and the degraded performance it
would impose.
Encrypt Swap Encrypts the contents of the swap partitions, in addition to data. This is more secure,
especially if the firewall has particularly sensitive data in memory, but degrades swap performance.
Finish
To complete the installation:
• Move the selection back to Install
• Highlight Select for the action at the bottom of the screen
• Press Enter to continue.
• Select Yes to confirm the target disk selection, and to acknowledge that the contents of the target disk(s) will be
destroyed.
Fig. 8: ZFS Confirmation
Proceed to Continue with the Install.
UFS
This section describes items specific to the UFS choices for partitioning.
Select Auto (UFS) BIOS or Auto (UFS) UEFI from the list (Partitioning) depending on the needs of the target system.
Single Disk
If there is only a single disk, the installer performs the remaining steps automatically and there is nothing more to
do, so proceed to Continue with the Install.
Multiple Disks
If the system has multiple eligible target disks, the installer will prompt to choose the target and other options.
Select Disk
Select the target disk where the installer will write out the pfSense® software, e.g. ada0. The installer will show each
supported hard drive attached to the firewall, along with any supported RAID or gmirror volumes.
Fig. 9: Select Disk
Select Entire Disk when prompted. pfSense software does not support sharing a disk with another operating system.
Fig. 10: Use the Entire Disk
Partition Scheme
Select the partition scheme to use for the disk:
GPT The GUID partition table layout. Used by most current x86 hardware. May not function on older
hardware/BIOS versions. Try this method first.
BSD BSD Labels without an MBR, which used to be known as “dangerously dedicated mode”. This
method should work on most hardware that cannot use GPT. This was the method used by older
versions of pfSense software.
MBR Select this only if GPT and BSD do not work on a specific piece of hardware.
Others The other choices are not relevant to hardware that is capable of running pfSense software.
Partition Editor
Select Finish to accept the automatic partition layout chosen by the installer, then select Commit to write the partition
layout to the target disk.
Note: The partition sizes and other values can be customized here, but this is rarely necessary or appropriate. For
nearly all installations, the default sizes are correct and optimal.
Fig. 11: Partition Scheme
Fig. 12: Partition Editor
Finish
Proceed to Continue with the Install.
Continue with the Install
Sit back, wait, and have a few sips of coffee while the installation process formats the drive(s) and copies pfSense
software files to the target disk(s).
Fig. 13: Partitioning and Formatting
Select No when prompted to make final modifications.
Select Reboot to restart the firewall.
Remove the installation media from the firewall during the reboot, when the hardware is starting back up but before it
boots from the disk.
Congratulations, the installation is complete!
pfSense Software Default Configuration
After installation and interface assignment, pfSense software has the following default configuration:
• WAN is configured as an IPv4 DHCP client.
• WAN is configured as an IPv6 DHCP client and will request a prefix delegation.
• LAN is configured with a static IPv4 address of 192.168.1.1/24.
• LAN is configured to use a delegated IPv6 address/prefix obtained by WAN (Track IPv6) if one is available.
• All incoming connections to WAN are blocked by the firewall.
Fig. 14: Reading install media and copying to target drive
Fig. 15: Prompt for final modifications
Fig. 16: Prompt to reboot
• All outgoing connections from LAN are allowed by the firewall.
• The firewall performs NAT on IPv4 traffic leaving WAN from the LAN subnet.
• The firewall will act as an IPv4 DHCP Server.
• The firewall will act as an IPv6 DHCPv6 Server if a prefix delegation was obtained on WAN, and also enables
SLAAC.
• The DNS Resolver is enabled so the firewall can accept and respond to DNS queries.
• SSH is disabled.
• WebGUI is running on port 443 using HTTPS.
• Default credentials are set to a username of admin with password pfsense.
7.4 Assign Interfaces
After the installer completes and the firewall reboots, the firewall software looks for network interfaces and attempts
to assign interface mappings automatically.
The automatic interface assignment profiles used by the firewall are:
Netgate Hardware sold with pfSense® Plus Software pfSense Plus software for devices from the Netgate Store includes default mappings appropriate to the hardware, which varies depending upon the hardware ordered with the device. Consult the Netgate Product Manuals for specific details on each model.
RCC-VE 4860/8860 WAN: igb1, LAN: igb0
RCC-VE 2220/2440 WAN: igb0, LAN: igb1
APU WAN: re1, LAN: re2
Other Devices For other devices the firewall looks for common interfaces and attempts to assign them
appropriately, for example:
• WAN: igb0, LAN: igb1
• WAN: em0, LAN: em1
• WAN: re1, LAN: re2
If the firewall cannot automatically determine the network interface layout, it will present a prompt for interface
assignment as in Figure Interface Assignment Screen. This is where the network cards installed in the firewall are
given their roles as WAN, LAN, and Optional interfaces (OPT1, OPT2 ... OPTn).
Fig. 17: Interface Assignment Screen
The firewall displays a list of detected network interfaces and their MAC (Media Access Control) addresses, along
with an indication of their link state if that is supported by the network card. The link state is denoted by (up)
appearing after the MAC address if a link is detected on that interface.
Note: The Media Access Control (MAC) address of a network card is a unique identifier assigned to each card, and
no two network cards should have the same MAC address. If a duplicate MAC address is present on a network, either
by chance or by intentional spoofing, all conflicting nodes will experience connectivity problems.
After printing the network interface list, the firewall prompts for VLAN configuration. If VLANs are desired, answer
y, otherwise, type n, then press Enter.
See also:
For information about configuring VLANs, see Virtual LANs (VLANs).
The firewall prompts to set the WAN interface first. As the firewall typically contains more than one network card, a
dilemma may present itself: How to tell which network card is which? If the identity of each card is already known,
enter the proper device names for each interface. If the difference between network cards is unknown, the easiest way
to figure it out is to use the auto-detection feature.
For automatic interface assignment, follow this procedure:
• Unplug all network cables from the firewall
• Type a and press Enter
• Plug a network cable into the WAN interface of the firewall
• Wait a few moments for the firewall to detect the link up event
• Press Enter
If all went well, the firewall can determine which interface to use for the WAN.
Repeat the same process for the LAN and optional interfaces, if any are necessary. If the firewall prints a message
stating “No link-up detected”, see Manually Assigning Interfaces for more information on sorting out network card
identities.
Once the list of interfaces for the firewall is correct, press Enter at the prompt for additional interfaces. The firewall
will ask Do you want to proceed (y|n)? If the network interface assignment list is correct, type y then press Enter.
If the assignment is incorrect, type n and press Enter to repeat the assignment process.
Note: In addition to the normal routing/firewall mode with multiple interfaces, a firewall may also run in Appliance
Mode where it has only a single interface (WAN). The firewall places the GUI anti-lockout rule on the WAN interface
so a client may access the firewall web interface from that network. The usual routing and NAT functions are not active
in this mode since there is no internal interface or network. This type of configuration is useful for VPN appliances,
DHCP servers, and other stand-alone roles.
7.4.1 Manually Assigning Interfaces
If the auto-detection feature did not work, there is still hope of telling the difference between network cards prior to
installation. One way is by MAC address, which the firewall prints next to the interface names on the assignment
screen:
vmx0 00:0c:29:50:a4:04
vmx1 00:0c:29:50:ec:2f
The MAC address is sometimes printed on a sticker somewhere physically on the network card. For virtualized
systems, the virtual machine configuration usually contains the MAC address for each network card. MAC addresses
are assigned by manufacturer, and there are several online databases which offer reverse lookup functionality for MAC
addresses in order to find the company which made the card: http://www.8086.net/tools/mac/, http://www.coffer.com/mac_find/, and http://aruljohn.com/mac.pl, among many others.
Network cards of different makes, models, or sometimes chipsets may be detected with different drivers. It may be
possible to tell an Intel-based card using the igb driver apart from a Broadcom card using the bge driver by looking
at the cards themselves and comparing the names printed upon the circuitry.
The probe order of network cards can be unpredictable, depending on how the hardware is designed. In a few cases,
devices with a large number of ports may use different chipsets that probe in different ways, resulting in an unexpected
order. Add-on and Multi-port NICs are generally probed in bus order, but that can vary from board to board. If the
hardware has onboard NICs that are the same brand as an add-in NIC, be aware that some systems will list the onboard
NIC first, and others will not. In cases when the probe order makes multiple NICs of the same type ambiguous, it may
take trial and error to determine the port placements and driver name/number combinations.
After the network cards have been identified, type the name of each card at the interface assignment screen when
prompted. In the above example, vmx0 will be WAN and vmx1 will be LAN. To assign them these roles, follow this
procedure:
• Type vmx0 and press Enter when prompted for the WAN address
• Type vmx1 and press Enter when prompted for the LAN address
• Press Enter again to stop the assignment process, since this example does not contain any optional interfaces.
• Type y and press Enter to confirm the interface assignments
7.5 Alternate Installation Techniques
This section describes alternate methods of installation that may be easier for certain rare hardware requirements.
7.5.1 Installation with drive in a different machine
If it is difficult or impossible to boot from USB or from a DVD/CD drive to the target hardware, another computer
may be utilized to install pfSense® software on the target hard drive. The drive may then be moved to the original
machine.
After installation, allow the installation machine to restart and power it off once it returns to the BIOS screen. Remove
the hard drive from the installation machine and place it into the target firewall. After boot, the firewall will prompt
for interface assignment and then the rest of the configuration may be performed as usual.
Note: Current versions of pfSense software use techniques such as GPT id, UFS id, and ZFS metadata to mount
disks, so even though the device may appear using a different disk driver on the actual target hardware, the OS will
still be able to locate and mount the appropriate disk.
7.5.2 Installation in VMware with USB Redirection
USB redirection in VMware Player and Workstation can be used to install to a hard drive. Most any USB to SATA/IDE
or similar adapter will work for this purpose. The following instructions are specific to VMware Workstation 12, but
will also work on other recent versions.
• Plug the target drive into the SATA/IDE adapter or SD/CF writer
• Plug the adapter/writer into the client PC
• Open VMware Workstation on the client PC
• Create a VM, which should have USB enabled (It is enabled by default)
• Set the VM to connect the installer ISO image at boot in its virtual CD/DVD drive
• Start the virtual machine
• Press Esc during the VM BIOS screen to load the boot menu
• Find the icon for the USB adapter in the bottom of the VMware window
• Click the icon for the USB adapter
• Click Connect (Disconnect from host)
• Select CD-ROM Drive from the boot menu
• Continue through the installation the same as a normal installation, ensuring that the correct drive is selected during the
installation process
• Shut down the VM
• Remove the target disk from the client PC
• Attach the target disk to the intended firewall hardware
Older versions of VMware workstation can use automatic USB redirection to accomplish the same goal. Unplug the
USB device, click inside the VM to give it focus, and then plug in the USB device. The VM should attach to the USB
drive.
7.6 Upgrade Guide
pfSense® software can be reliably upgraded from an older release to a current release.
Netgate periodically releases new versions that contain new features, updates, bug fixes, and various other changes. In
most cases, updating an installation is easy. If the firewall is updating to a new release that is only a point release
(e.g. 2.x.3 to 2.x.4), the update is typically minor and unlikely to cause problems.
Note: Only the most recent stable release of pfSense is officially supported, so updating is also important to ensure
that any problems encountered may be resolved as needed.
Upgrades use the same software edition that the firewall is currently running. For example, pfSense CE software
installations will upgrade to the latest version of pfSense CE software. pfSense Plus or Factory edition software
will upgrade to the latest version of pfSense Plus software. The only exception to this is when following the special
procedure to Migrate from pfSense® CE software to Netgate pfSense Plus software.
The most common problems encountered during upgrades are hardware-specific regressions from one FreeBSD version to another, though those are rare. Updated releases fix more hardware than they break, but regressions are always possible. Larger jumps, such as from 2.3.x to 2.5.2-RELEASE, must be handled with care, and ideally tested on identical hardware in a test environment prior to use in production.
Warning: Firewalls must be connected to the Internet to update.
7.6.1 Pre-Upgrade Tasks
Make a Backup . . . and a Backup Plan
Before making any modifications to a firewall, the best practice is to make a backup using the WebGUI:
• Navigate to Diagnostics > Backup/Restore
• Set the Backup Area to All in the Backup Configuration section of the page
• Click Download
• Save this file somewhere safe
Keep multiple copies of the backup file in different secure locations. Consider using the free Auto Config Backup service (Using the AutoConfigBackup Service). Auto Config Backup can create a manual backup with a note identifying the change, which is encrypted and stored on Netgate servers.
Another good practice is to have install media handy for the new release, in case something goes awry and a reinstall
is required. Should that happen, have the backup file on hand and refer to Backup and Recovery.
VM Snapshots
An easy fall-back plan for virtualized firewalls is to take a snapshot of the VM before performing an upgrade. This
way, it can easily roll back to a known-good state if the VM encounters a problem.
Note: Before rolling back a VM due to problems, ensure the hardware compatibility of the VM is current. For
example, on ESX 6.7, ensure the hardware compatibility is set to ESXi 6.7 and later (VM version 14) and update the
VM Guest operating system to match the upgraded OS, such as Other/FreeBSD 11 (64-bit).
Pre-Upgrade Reboot
Reboot the firewall before applying an update. This step is optional, but a best practice.
If the hardware has a problem, such as a disk issue, then performing a reboot before the upgrade will allow that to be
identified early. Otherwise, a hardware issue could be confused with an issue that occurred as a result of the upgrade
process.
There is still a chance that the upgrade could draw out a hardware issue, such as a disk failing from the writes that
happen in the upgrade process, but that is much less common to see in practice.
Packages
Warning: Do not upgrade packages before upgrading pfSense® software. Either remove all packages or
leave the packages alone before running the update.
The safest practice is to remove all packages before upgrading to a new release. The upgrade process will handle
packages automatically, but packages are frequently a source of problems. To ensure a smooth upgrade, note the
installed packages, remove them, perform the upgrade, and then reinstall when the upgrade is complete.
7.6.2 Version-Specific Notes
This document covers specific concerns which must be taken into account by administrators when upgrading pfSense®
software from an older version.
Review sections for each intermediate version between the version running on the firewall and the current release.
• Upgrading from versions older than pfSense Plus 21.02.2 or pfSense CE 2.5.1
• Upgrading from versions older than pfSense 2.5.0
• Upgrading from versions older than pfSense 2.4.5-p1
• Upgrading from versions older than pfSense 2.4.4
• Upgrading from versions older than pfSense 2.4.0
• Older Version Upgrade Notes
Upgrading from versions older than pfSense Plus 21.02.2 or pfSense CE 2.5.1
Warning: WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense
CE 2.5.0, when it was removed from FreeBSD.
If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are
removed. For more details, see the Release Notes.
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later ver-
sions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
Note: The WireGuard package is still under active development. Follow the development progress on the developer’s
YouTube channel.
Upgrading from versions older than pfSense 2.5.0
• The built-in relayd load balancer has been deprecated and removed as it does not compile or run on pfSense
2.5.0. A copy of the load balancer configuration will be left in /conf/deprecated_load_balancer.xml for reference when converting to an alternate solution, such as HAProxy (HAProxy package).
• PHP was migrated from PHP 7.2 to PHP 7.4. A number of PHP errors were fixed along the way but certain
combinations of configuration parameters may result in further errors. Note any problems on the Netgate Forum,
and if possible, try to include relevant portions of config.xml with personal data removed.
• Due to the significant nature of the changes in this version of pfSense software, warnings and error messages,
particularly from PHP and package updates, are likely to occur during the upgrade process. These errors are
primarily seen on the console as the upgrade is applied, but may appear in a crash report once the upgrade
completes. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.2 and
12.x and between PHP 7.2 and PHP 7.4.
• See the FreeBSD 12 Release Notes for information on deprecated hardware drivers that may impact firewalls
upgrading to pfSense version 2.5.0. Some of these were renamed or folded into other drivers, others have been
removed, and more are slated for removal in FreeBSD 13 in the future.
• OpenSSL was upgraded to 1.1.1a as a part of upgrading to FreeBSD 12.0, this will impact all packages which
depend on OpenSSL, especially those not obtained from Netgate. Be aware that this will require obtaining new
versions of such packages after the upgrade.
Upgrading from versions older than pfSense 2.4.5-p1
• Upgrading to pfSense software version 2.4.5-p1 requires pfSense-upgrade version 0.70 or later. Most
installations will automatically pick up the new version and upgrade normally. If this does not happen automatically and the upgrade to version 2.4.5-p1 is not offered, use the following procedure:
– Navigate to System > Updates
– Set Branch to Previous stable version
– Wait a few moments for the upgrade check to complete
– Optional: Confirm that the latest version of pfSense-upgrade is present (version >= 0.70) using
pkg-static info -x pfSense-upgrade.
If the correct version is not present, wait a bit longer and check again as that package may be updating in
the background.
– Set Branch to Latest stable version
– Wait a few moments for the upgrade check to complete
At this point, the upgrade check should see 2.4.5-p1 and the upgrade can proceed.
• pfSense software version 2.4.5-p1 includes pkg version 1.13.x which introduces a new metadata version. Most
installations will automatically pick up the new version and upgrade normally. In certain cases, especially
coming from much older versions, the pkg utility may require a manual update before it can correctly process
the new metadata.
The pkg utility can be upgraded manually with the following command run from an ssh or console shell:
# pkg-static bootstrap -f
See Repository Metadata Version Errors for more details.
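An added example (not part of pfSense) of the pfSense-upgrade version check in the procedure above: it parses the output of pkg-static info -x pfSense-upgrade, assumed here to print the package name-version followed by a description on one line, and compares the version under FreeBSD's version[_revision][,epoch] scheme. The sample output is constructed; when run on a firewall the script queries pkg-static itself.

```python
"""Check the 'pfSense-upgrade >= 0.70' prerequisite (added example).

Parses `pkg-static info -x pfSense-upgrade` output and compares the package
version using FreeBSD's version[_revision][,epoch] ordering: epoch first,
then the dotted version, then the port revision.
"""
import re
import subprocess

REQUIRED = "0.70"

# Constructed sample of the pkg info output; the real line has the same shape.
SAMPLE_OUTPUT = "pfSense-upgrade-0.68_2         pfSense upgrade script\n"

PKG_LINE_RE = re.compile(r"^pfSense-upgrade-(?P<ver>[0-9]\S*)")


def parse_version(ver):
    """Split 'version[_revision][,epoch]' into (epoch, version_parts, revision).

    Numeric components compare as integers (so 0.70 > 0.7); any non-numeric
    component compares as a string after all numeric ones. This is a
    simplification of pkg's full rules but covers pfSense-upgrade versions.
    """
    epoch = 0
    if "," in ver:
        ver, epoch_s = ver.split(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in ver:
        ver, rev_s = ver.split("_", 1)
        revision = int(rev_s)
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in ver.split(".")]
    return epoch, parts, revision


def version_ge(have, want):
    """True when package version `have` is at least `want`."""
    return parse_version(have) >= parse_version(want)


def installed_version(pkg_info_output):
    """Extract the pfSense-upgrade version from pkg info output, or None."""
    for line in pkg_info_output.splitlines():
        m = PKG_LINE_RE.match(line)
        if m:
            return m.group("ver")
    return None


def upgrade_tool_ready(pkg_info_output, required=REQUIRED):
    """Return (ready, message) for the procedure's 'version >= 0.70' check."""
    ver = installed_version(pkg_info_output)
    if ver is None:
        return False, "pfSense-upgrade not found; wait and re-run the update check"
    if version_ge(ver, required):
        return True, f"pfSense-upgrade {ver} satisfies >= {required}"
    return False, (f"pfSense-upgrade {ver} is older than {required}; wait for "
                   "the background package update and check again")


if __name__ == "__main__":
    try:
        out = subprocess.run(["pkg-static", "info", "-x", "pfSense-upgrade"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_OUTPUT   # not on a pfSense firewall; use the sample
    ready, msg = upgrade_tool_ready(out)
    print(("OK: " if ready else "WAIT: ") + msg)
```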
Upgrading from versions older than pfSense 2.4.4
• Third party packages from alternate repositories are causing problems for users with the upgrade process and
also with post-upgrade behavior. These packages have never been supported, and had to be manually added by
users outside of the GUI.
Due to the major changes required for FreeBSD 11.2 and PHP 7.2, third party packages from alternate repositories cannot be present during the upgrade. There is no way to predict if a third party package supports the new version or will cause the upgrade itself to fail.
The upgrade process will automatically remove pfSense-pkg-* packages installed from alternate repositories. After the upgrade completes, the user can reinstall these packages. Packages from alternate repositories will not appear in the Installed Packages list in the GUI, and must be entirely managed in the command line. This change does not affect packages installed from the official pfSense package repository.
• Using the AutoConfigBackup Service is integrated into pfSense version 2.4.4 and free for all to use. It is no
longer an add-on package. It is now located under Services > Auto Config Backup.
• PHP was migrated from PHP 5.6 to PHP 7.2. A number of PHP errors were fixed along the way but certain
combinations of configuration parameters may result in further errors. Note any problems on the Netgate Forum
or the pfSense subreddit, and if possible, try to include relevant portions of config.xml with personal data
removed.
• Due to the significant nature of the changes in this version of pfSense software, warnings and error messages,
particularly from PHP and package updates, are likely to occur during the upgrade process. These errors are
primarily seen on the console as the upgrade is applied, but may appear in a crash report once the upgrade
completes. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.1 and
11.2 and between PHP 5.6 and PHP 7.2.
• Gateway handling changes in 2.4.4 may result in different default gateway behavior than previous releases.
Nearly all cases should behave properly, but be aware that it may be necessary to re-select the default gateway
after upgrade.
• The FEC LAGG Protocol is deprecated and its options have been removed (#8734).
• The login protection daemon was changed from sshlockout_pf to sshguard and the behavior may be
more sensitive in some cases to SSH and GUI login failures. For example, be aware of possible issues where
probes from monitoring systems may end up triggering a block.
• Major changes to RADIUS for the base system and specifically Captive Portal could lead to behavior changes
in certain cases. Read the release notes and associated bug reports for more details. Note any problems on the
Netgate Forum or the pfSense subreddit.
• A crash report containing no data (empty) may appear after the upgrade completes. See #8915.
• Intel Atom systems containing HD Graphics chipsets may experience console problems after the update. Affected systems will boot successfully, but fail to display console output after the boot menu. To fix the problem, add the following line to /boot/loader.conf.local to use the syscons console type:
kern.vty=sc
– Alternately, try using the i915 driver with the standard VT console using these lines in /boot/loader.conf.local:
i915kms_load="YES"
drm.i915.enable_unsupported=1
Warning: This driver will consume extra bus resources and may cause resource hungry add-on
hardware to fail, such as multi-port network adapters.
– Systems with similar console problems not containing a graphics chip supported by the i915 driver may
need to reinstall 2.4.4 to use a UEFI console.
• An ISP that supplies a bogus interface MTU via DHCP may cause interface problems with certain network
interface types when Advanced Configuration options are present on DHCP interfaces, such as a DHCP WAN.
The typical default case is handled automatically, but advanced options override the corrected default behavior.
To fix the problem, apply the patch from #8507 or add supersede interface-mtu 0 to the Option
modifiers box in the WAN interface advanced DHCP options. If a custom dhclient.conf is in use, add
supersede interface-mtu 0 on a line inside the interface block. See #8507. The Advanced
Configuration case has been corrected for the next release.
Upgrading from versions older than pfSense 2.4.0
• To use ZFS, a reinstall of the operating system is required. It is not possible to upgrade in-place from UFS to
ZFS at this time.
• Wireless interfaces must be created on the Wireless tab under Interfaces > Assignments before they are
available for assignment.
• Some hardware devices may not boot 2.4.0 installation images, for example, due to UEFI compatibility changes.
These are primarily BIOS issues and not issues with the installer images. Upgrading in place from 2.3.x typically
allows affected hardware to run version 2.4.
• To upgrade firewalls in place which are running pfSense software version 2.2.x or earlier, first upgrade the
firewall to pfSense 2.3.4 and then perform an update to pfSense 2.4.x afterward. Alternately, reinstall 2.4.x
directly and restore the configuration.
Warning: When upgrading to 2.4.x from 2.2.x or earlier, remove all packages before attempting the update.
Even when upgrading from 2.3.x this is the best practice to ensure a smooth upgrade process. Package settings are
retained.
Older Version Upgrade Notes
Versions of pfSense software prior to 2.3 used a different upgrade method. For “full” installations, a tgz file was used
by the firewall to copy in the new files. This method was problematic and is no longer used.
The best practice in these cases is to take a backup and reinstall with a current, supported version of pfSense software.
The following information is for upgrading from outdated and unsupported versions of pfSense software. These notes may
still be of use to users attempting to upgrade from an older release to a current, supported, release.
When upgrading from a very old release, read every document below that covers versions between the older one being
upgraded and the new version.
Upgrading from versions older than pfSense 2.3
See also:
For information about upgrading to current versions, see Upgrade Guide.
Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed
before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration
is automatically retained.
See 2.3 New Features and Changes for a larger list of changes.
• Due to the GUI overhaul, older themes have been removed. All previously chosen themes are reset on upgrade
to the default “pfSense” 2.3 theme.
• Status > RRD Graphs moved to Status > Monitoring and has been revamped. The same data, and more, is
still accessible but with a modern interface.
• System > Firmware is now System > Update
• System > Packages is now System > Package Manager
Limiters
• On pfSense® software versions 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces
where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances.
This has been fixed on pfSense 2.4. Bug #4326
• On pfSense software versions 2.2 and 2.3, limiters cannot be used where pfsync is enabled. This has been fixed
on pfSense 2.4.3. Bug #4310
NanoBSD
Warning: NanoBSD has been deprecated as of pfSense 2.4.0-RELEASE. This section remains only for users on
i386 hardware with NanoBSD who must upgrade to pfSense 2.3.5-p2.
In most cases, a normal installation may be used in place of NanoBSD. Activating the option to keep /var and
/tmp in RAM can typically yield the same net benefits for older/slower CF and SD media. Firewalls with modern
SSDs should have no concerns with writes.
1GB NanoBSD images have been removed as they were too small to properly function and upgrade. If a 1GB
NanoBSD image is in use, it cannot be upgraded. It must be re-imaged on a larger card using the 4GB or 2GB
image or converted to a full installation.
Package System
• Due to the package system overhaul, any custom package repository settings are removed so the firewall will
pull package information directly from pfSense servers.
• We highly recommend uninstalling all packages before upgrading.
Removed features that are disabled on upgrade
• Groups with spaces are no longer permitted. They are not allowed at the OS level and were not functioning
properly. On upgrade, such groups are renamed with an underscore (‘_’) in place of a space.
• The “Enable” checkbox for IPsec has been removed. If IPsec was disabled, all Phase 1 entries are disabled
automatically on upgrade.
• The Unity plugin for IPsec has been disabled by default, where it was previously enabled by default. This is
preferable for the vast majority of users, however those using mobile IPsec with IKEv1 may need to enable it
under VPN > IPsec, Advanced tab.
• The apinger daemon for gateway monitoring has been replaced by dpinger. Due to the differences in
settings between the two, many advanced gateway parameters are reset on upgrade.
• The PPTP Server has been removed. If the PPTP server was in use, seek alternate solutions such as IPsec or
OpenVPN. Do not continue to use PPTP.
– The PPTP server settings, firewall rules, and so on have all been removed
– If the “Redirect” PPTP server type was in use, add manual NAT rules for TCP/1723 and GRE to point to
the actual server.
• Layer 7 classification support has been removed and any configuration using L7 is automatically removed on
upgrade.
• WEP support has been removed from Wireless interfaces, and if a wireless interface was using WEP, the interface
is deactivated on upgrade.
• Single DES support has been removed from IPsec. If a Phase 1 or Phase 2 entry was using DES, it is deactivated
on upgrade.
– Note: 3DES support is still present. Only the older and insecure, single DES option was removed.
• The Live CD platform has been removed. The ISO is a bootable installer, as always, but it cannot run a live
system.
– For the very few people who were still using Live CD: If the hardware can boot from USB, install to a
USB thumb drive and run from it instead. Use the options to keep /var and /tmp in RAM, and do not
install packages; the net result should be similar but ultimately more functional.
• Some obsolete password hashes, such as nt-hash, are removed from users on upgrade. There was no remaining
code on pfSense that utilized these hashes, so there should be no loss of functionality.
• Support for fifolog was removed; logs revert to the clog format on upgrade.
• The net.inet.ip.fastforwarding tunable is no longer present, and is unset on upgrade.
• Some PHP modules, such as MySQL, were included by default on previous versions but are no longer a part of
the base system on 2.3. They are available as packages that may be installed manually from the shell (e.g. pkg
install php56-mysql)
New features that may require action
• The default system password hash has been changed to bcrypt. Current passwords will continue to work.
Existing users need to reset their password to convert to the new, more secure, hash. #4120
• A new option was added to Captive Portal for FreeRADIUS-friendly stop/start RADIUS accounting updates
that solves problems with user session time limits. If stop/start RADIUS accounting is being used with FreeRADIUS,
the new option should be activated manually.
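As an added example (not part of the pfSense documentation or the project's own code), the following Python script audits a config.xml to find which local users still carry a pre-2.3 md5-crypt hash and therefore must reset their password to obtain a bcrypt hash, and it also flags leftover nt-hash entries of the kind the upgrade removes. The element names bcrypt-hash, password and nt-hash and the sample config are assumptions about the config.xml layout; the hash values in the sample are made-up placeholders, not real digests.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <system> section of a config.xml after upgrading to 2.3.
# "admin" has reset their password and so carries a bcrypt hash; "alice" still has
# the older md5-crypt hash in <password>; "bob" additionally has an obsolete nt-hash.
# All hash values below are made-up placeholders, not real digests.
SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<pfsense>
  <system>
    <user>
      <name>admin</name>
      <bcrypt-hash>$2b$10$placeholdersaltplaceholderhashvaluexxxxxxxxxxxxxxxxxxx</bcrypt-hash>
    </user>
    <user>
      <name>alice</name>
      <password>$1$saltsalt$placeholderhashvalue00</password>
    </user>
    <user>
      <name>bob</name>
      <password>$1$saltsalt$placeholderhashvalue00</password>
      <nt-hash>00112233445566778899aabbccddeeff</nt-hash>
    </user>
  </system>
</pfsense>
"""

BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")  # modular-crypt identifiers used by bcrypt


def classify_hash(user):
    """Classify the stored credential of one <user> element.

    Assumed config.xml layout: 2.3 and later store bcrypt in <bcrypt-hash>,
    earlier releases stored md5-crypt ("$1$...") in <password>.
    """
    bcrypt = user.findtext("bcrypt-hash") or ""
    if bcrypt.startswith(BCRYPT_PREFIXES):
        return "bcrypt"
    legacy = user.findtext("password") or ""
    if legacy.startswith("$1$"):
        return "md5crypt"
    return "unknown"


def audit_users(config_xml):
    """Return (name, hash type, has obsolete nt-hash) for every local user, in file order."""
    root = ET.fromstring(config_xml)
    return [
        (user.findtext("name"), classify_hash(user), user.find("nt-hash") is not None)
        for user in root.findall("system/user")
    ]


def users_needing_reset(config_xml):
    """Names of users whose password must be reset before they get a bcrypt hash."""
    return [name for name, kind, _ in audit_users(config_xml) if kind != "bcrypt"]


if __name__ == "__main__":
    import sys
    # Pass a path to a real config.xml backup; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, kind, stale_nt in audit_users(data):
        flags = " (obsolete nt-hash present)" if stale_nt else ""
        print(f"{name}: {kind}{flags}")
    print("needs reset:", ", ".join(users_needing_reset(data)) or "none")
```

Run it against a config backup taken after the upgrade (never against a backup that still contains hashes you do not want on a workstation); every user it lists as md5crypt keeps working, as the text says, but remains on the weaker hash until that user sets a new password.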
Upgrading from a 2.3 Snapshot
• If a firewall was upgraded to 2.3 before Jan 21, 2016, some files from 2.2.x or earlier packages may still be
left behind that can prevent new packages from installing properly. Run the following command to clean up
outdated symlinks that are not relevant for 2.3:
find / -type l -lname '/usr/pbi/*' -delete
Multi-WAN Weighted Load Balancing
There is a quirk in pf handling of weighted load balancing where load balancing fails when one gateway has a weight
of 1 and another gateway has a weight >1. Coming from 2.2.x, if this scenario applies, simply double the assigned
weights. For example: WAN1 = 1, WAN2 = 5 on 2.2.x should be WAN1 = 2, WAN2 = 10 on 2.3.
Captive Portal
Due to the change in the web server from lighttpd to nginx, in some cases the portal HTML must be updated to
include the zone parameter. On 2.3.1 and later the web server process attempts to handle this automatically, but it is
best to include the HTML in the portal page directly, inside the form tag:
<input name="zone" type="hidden" value="$PORTAL_ZONE$">
Upgrading from versions older than pfSense 2.2
See also:
For information about upgrading to current versions, see Upgrade Guide.
Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed
before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration
is automatically retained.
Limiters
• On pfSense® software versions 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces
where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances.
This has been fixed on pfSense 2.4. Bug #4326
• On pfSense software versions 2.2 and 2.3, limiters cannot be used where pfsync is enabled. This has been fixed
on pfSense 2.4.3. Bug #4310
IPsec Changes
The IPsec daemon was changed from racoon to strongSwan. Existing configurations work the same as always, but
if any unusual configurations are present, take care in testing after the upgrade. Changes in behavior because of
this change may trigger bugs in remote endpoints that weren’t previously an issue. Configurations that were always
technically incorrect may exhibit problems now where they didn’t previously. We have listed the circumstances we
are aware of here, and will expand upon this list if anything new is found.
Problem in racoon with aggressive mode and NAT-D
Those using racoon (pfSense 2.1.x and earlier, among a variety of other similar products) on remote endpoints with
aggressive mode may encounter a bug in racoon related to NAT-D and aggressive mode. Any site to site IPsec VPNs
using aggressive mode with racoon as a remote endpoint should change to main mode to prevent this from being an
issue. Main mode is always preferable for its stronger security.
glxsb Crypto Accelerator Warning
For those using the glxsb crypto accelerator in the ALIX and other devices with Geode CPUs, only AES 128 bit is
supported by those cards. Any key length > 128 bit has never worked, and must not be configured. There appear to be
circumstances where AES on “auto” with racoon preferred 128 bit where strongswan prefers the strongest-available
and is choosing 256 bit, which glxsb breaks. Input validation in 2.2.1 prevents such invalid configurations when adding
configurations or making changes, however existing configurations are not changed. If using glxsb and AES, ensure
both phase 1 and phase 2 configurations all use AES 128 only and never auto.
Mobile client users, verify Local Network
For mobile IPsec clients, clients could pass traffic in certain circumstances without having specified the necessary
matching local network in the mobile phase 2 configuration. The “Local Network” specified in mobile IPsec phase 2
must include all networks mobile clients need to reach. If mobile IPsec clients need to access the Internet via IPsec,
the mobile phase 2 must specify 0.0.0.0/0 as the local network.
Stricter Phase 1 Identifier Validation
In 2.1.x and earlier versions, racoon could accept mismatched phase 1 identifiers where using IP Address as the
identifier. This is most commonly a problem where one of the endpoints is behind NAT and phase 1 is using My IP
Address and Peer IP Address for identifiers. On the side with the private IP WAN, My IP Address will be its private
WAN IP address. On the opposite end, Peer IP Address will be the public IP address of the opposite side. Hence,
these two values do not match, and should have resulted in a connection failure. racoon would fall back to checking
the source IP address of the initiating host as an identifier, where it found the match. To resolve this issue, change the
phase 1 identifiers so they actually match.
Phase 2 behavior change with incorrect network addresses
In 2.1.x and earlier versions a phase 2 configuration with an incorrect network address would still be presented by
racoon with the corrected network address. For example, if 192.168.1.1/24 is set in a phase 2, which should be
192.168.1.0/24, racoon used it as 192.168.1.0/24. In 2.2.x and newer versions, strongSwan sends it exactly as
configured. This may result in a phase 2 mismatch where configured with an incorrect network address.
Disk Driver Changes
The disk drivers in FreeBSD changed between the underlying OS versions and now the CAM-based ATA drivers and
AHCI are used by default. As such, ATA disks are labeled as /dev/adaX rather than /dev/adX. The ada driver
for ATA disks and GEOM keeps legacy aliases in place so that old disk references will still work post-upgrade. This
does not always extend to virtualized disk drivers, however (see the Xen note below). The upgrade process on pfSense
2.3 and 2.4 also attempts to automatically correct for this change.
A manual workaround is also possible. Running /usr/local/sbin/ufslabels.sh before the upgrade will
convert /etc/fstab to UFS labels rather than disk device names bypassing any device name issues that could arise
due to the switch.
There is a chance that the new driver stack will have issues with certain controller/disk combinations that were not
present in prior releases. There may be BIOS changes or other workarounds to help. See Boot Troubleshooting.
The methods used to disable DMA and write caching have both changed on FreeBSD 10.x. For most, disabling these
manually is no longer necessary.
If disabling DMA is necessary, the following may be used in /boot/loader.conf.local:
hint.ata.X.mode=PIO4
Change X to be the ATA controller ID, typically 0 or 1.
If write caching must be disabled, the following may be used in /boot/loader.conf.local:
kern.cam.ada.write_cache=0
Xen Users
The FreeBSD base used by pfSense 2.2 and later includes PVHVM drivers for Xen in the kernel. This can cause
Xen to automatically change the disk and network device names during an upgrade to pfSense 2.2 or later, which the
Hypervisor should not do but does anyway.
The disk change can be worked around by running /usr/local/sbin/ufslabels.sh before the upgrade to
convert /etc/fstab to UFS labels rather than disk device names.
The NIC device change issue has no workaround. Manual reassignment is required.
vmxnet3 (VMware/ESX) users
Users who manually installed VMware Tools to use vmxnet3 network adapters may encounter an issue with interface
name changes when upgrading to pfSense 2.2 or later, similar to those with Xen mentioned above. In pfSense 2.1.x the
vmxnet3 interfaces were named starting with vmx3f and on pfSense 2.2.x they are vmx using the built-in support.
Manually reassigning the interfaces or correcting them in config.xml followed by a restore is required.
Old/Broken GEOM Mirrors
If a manual gmirror configuration was performed post-install and not using the pfSense installer gmirror option before
install, there is a chance that the mirror will not function on pfSense 2.2 or later because the manual post-install method
did not create a proper mirror setup. If an upgraded mirror does not boot or function on pfSense 2.2 or later, use the
following entry to work around the integrity check that would otherwise fail.
Add the following line to /boot/loader.conf.local:
kern.geom.part.check_integrity=0
If the disks are configured in this way, we strongly recommend backing up the configuration and reinstalling, using
one of the mirrored disk options in the pfSense installer.
CARP Changes
Due to the new CARP subsystem, the old method of having a virtual interface for CARP VIPs is no longer available.
CARP VIPs work more like IP Alias style VIPs, existing directly on the main interface. For most, the changes made
to accommodate this new system will be transparent, but there are some potential issues, such as:
• With no separate interface available, monitoring a CARP VIP status via SNMP is no longer possible.
FTP Proxy
The FTP proxy is not included in pfSense 2.2-RELEASE or later, due to changes in the kernel and state table handling
that made it more difficult to implement. Use of FTP is strongly discouraged as credentials are transmitted insecurely
in plain text. #4210
See FTP without a Proxy for additional information and workarounds.
Another option is the recently added FTP Client Proxy package, which leverages the FTP proxy included in FreeBSD to
allow clients on local interfaces to reach remote FTP servers with active FTP.
LAGG LACP Behavior Change
LAGG using LACP in FreeBSD 10.0 and newer defaults to “strict mode”, which means the lagg does not come up
unless the attached switch is speaking LACP. This will cause a LAGG to not function after upgrade if the switch is not
using active mode LACP.
To retain the lagg behavior in pfSense 2.1.5 and earlier versions, add a new system tunable under System > Advanced,
System Tunables tab for the following:
net.link.lagg.0.lacp.lacp_strict_mode
With value set to 0.
This can be added before upgrading to 2.2 to ensure the same behavior on first boot after the upgrade. It will result in
a harmless cosmetic error in the logs on 2.1.5 since the value does not exist in that version.
If a firewall has more than one LAGG interface configured, enter a tunable for each instance since that is a per-interface
option. For lagg1, add the following:
net.link.lagg.1.lacp.lacp_strict_mode
Also with the value set to 0.
Intel 10Gbit/s ixgbe/ix users with Unsupported SFP modules
The sysctl to allow unsupported SFP modules changed in FreeBSD between the versions used for pfSense 2.1.x and
2.2.
The old tunable was:
hw.ixgbe.unsupported_sfp=1
This must be changed to:
hw.ix.unsupported_sfp=1
Edit the setting in /boot/loader.conf.local before applying the update and the behavior will be retained.
Layer 7
Layer 7 is deprecated and has been removed. For layer 7 application identification and filtering we recommend using
the Snort IDS/IPS package with OpenAppID detectors and rules.
Microsoft Load Balancing / Open Mesh Traffic
Windows Network Load Balancing and Open Mesh access points can use multicast MAC address destinations which
rely on broken behavior that was incorrectly allowed by default in earlier versions of FreeBSD and pfSense. The fact
it worked before was technically a bug, acting in violation of RFC 1812.
A router MUST not believe any ARP reply that claims that the Link Layer address of another host or
router is a broadcast or multicast address.
The default behavior on pfSense 2.2 is correct, but it may be changed.
If this behavior is required, manually add a tunable as follows:
• Navigate to System > Advanced, System Tunables tab
• Click Add
• Enter the following values:
– Tunable: net.link.ether.inet.allow_multicast
– Description: Optional. It would be wise to enter the URL to this note or a similar note.
– Value: 1
• Click Save
Upgrading from versions older than pfSense 2.1
See also:
For information about upgrading to current versions, see Upgrade Guide.
Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed
before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration
is automatically retained.
See the HA section at the end of this document for a High Availability-specific pfsync note about pfSense® software
version 2.1 upgrades.
The State Killing on Gateway Failure feature (System > Advanced, Miscellaneous tab) now kills ALL states when
a gateway has been detected as down, not only states on the failing WAN. This is done because otherwise the LAN-side
states were not killed appropriately, and thus some connections would be in limbo, especially SIP. Due to the
change in its behavior, State Killing on Gateway Failure is disabled by default in new configurations and is disabled
during upgrade to pfSense 2.1.x from 2.0.x or before regardless of the user’s previously chosen setting. If the feature
is desired even with its new behavior, it must be manually re-enabled post-upgrade.
The Allow IPv6 checkbox is NOT changed on upgrade unlike it was in early pfSense 2.1 BETA snapshots. This was
changed so that the user’s chosen existing behavior is preserved. To allow IPv6 traffic after an upgrade, the setting
must be changed manually. This setting is located on System > Advanced on the Networking tab. It defaults to
allowed for new configurations.
Changes to policy route negation between pfSense 2.0.x and 2.1 may result in local/private traffic hitting policy routing
rules that would not have happened on pfSense 2.0.x. This most commonly presents as an inability to reach local
networks after upgrading. The automatic policy route negation rules on pfSense 2.0.x were too lenient, and that
behavior was corrected. To ensure proper routing to other local interfaces, VPNs, or static route networks, rules must
be added to the local interfaces to pass traffic to these destinations without a gateway set. That rule must be above
any others that would match and have a gateway set.
Upgrading High Availability Deployments
If upgrading from any previous version of pfSense (1.2.x, 2.0.x, etc) to pfSense 2.1 or later in an HA environment,
ensure that the pfsync interface has a rule to pass the correct traffic for state synchronization to work properly. pfSense
2.1 removed the automatic pfsync rule, since the documentation always recommended adding it manually and to add it
behind the scenes with no way to block it could be counter-productive and potentially insecure. If the documentation
was not followed, and a pfsync or allow all rule was not created on the sync interface, state synchronization may break
after this upgrade. Add an appropriate rule to the sync interface and it will work again.
At a minimum, pass traffic of the pfsync protocol from a source of the synchronization subnet to all cluster nodes.
Upgrading from versions older than pfSense® 2.0
See also:
For information about upgrading to current versions, see Upgrade Guide.
Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed
before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration
is automatically retained.
Note for users of the OpenVPN Status Package
If a manual management directive was entered into the Advanced Configuration of an OpenVPN client or server,
it must be removed. The OpenVPN status code is built into pfSense® software version 2.x and later, and it is handled
internally. The management directive must be removed or the status of the VPN instance will not be properly reported.
Note for Captive Portal RADIUS WISPr Bandwidth Users
The WISPr RADIUS attributes were incorrectly applied to all versions prior to pfSense 2.0-RELEASE. They were
applied as Kbps where WISPr is supposed to be bps, hence those using WISPr attributes will have one one-thousandth
of the previous bandwidth unless the RADIUS server is corrected. The RADIUS server will need to have these values
updated to bps for proper functionality once the firewall has been upgraded to pfSense 2.0-RELEASE or later.
International/Special Characters in 1.2.x Configurations
International characters, such as åäö and so on, were not supported on pfSense 1.2.x, but were allowed in some places
due to overly lenient input validation and less strict XML parsing. These characters cause invalid XML when they
are stored directly, and as such if pfSense 1.2.x did not crash and toss out the configuration with such characters, it
will not upgrade to any current version of pfSense software.
pfSense software version 2.0 and later will reset and toss out the config.xml on every reboot if it contains these
characters bare, leaving the firewall at an “assign interfaces” prompt since it does not have a valid configuration.
The config.xml file can be run through an XML parser such as xmllint and the parser will show where problems
exist, if any. Fix the errors, and then the corrected configuration can be used for an upgrade. The good news is that
these characters are handled properly in most areas of the current pfSense GUI, and they are CDATA escaped so they
are safe from such errors.
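As an added example (not part of the pfSense documentation or the project's code), the following Python script does what the xmllint check above does, but also lists every invalid byte with its line and column and shows one way to repair the file. The sample config.xml is constructed; the assumption that the bare characters were written as single ISO-8859-1 bytes (so that decoding as ISO-8859-1 and re-encoding as UTF-8 recovers them) is mine, not something the documentation states, so inspect the result before using it for an upgrade.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a pfSense 1.2.x-style config.xml with no encoding declaration
# (so any XML parser assumes UTF-8) and a bare ISO-8859-1 "ö" (byte 0xF6) in the
# hostname, the kind of stored character that prevents the upgrade.
OLD_CONFIG = (
    b'<?xml version="1.0"?>\n'
    b"<pfsense>\n"
    b"  <system>\n"
    b"    <hostname>fw-\xf6rebro</hostname>\n"
    b"    <domain>example.org</domain>\n"
    b"  </system>\n"
    b"</pfsense>\n"
)


def find_bad_bytes(data):
    """Return (line, column, byte) for every byte that is not valid UTF-8.

    xmllint stops at the first invalid token; this lists all of them so the
    whole file can be fixed in one pass. Lines and columns are 1- and 0-based
    respectively, matching the parser's own error position.
    """
    problems = []
    pos = 0
    while True:
        try:
            data[pos:].decode("utf-8")
            return problems
        except UnicodeDecodeError as err:
            bad = pos + err.start
            line = data.count(b"\n", 0, bad) + 1
            column = bad - (data.rfind(b"\n", 0, bad) + 1)
            problems.append((line, column, data[bad]))
            pos = bad + 1


def parse_error(data):
    """None if the document is well-formed XML, else (line, column, message) from the parser."""
    try:
        ET.fromstring(data)
        return None
    except ET.ParseError as err:
        line, column = err.position
        return line, column, str(err)


def transcode_latin1(data):
    """Re-encode a config written with bare ISO-8859-1 bytes as UTF-8.

    Assumption (not stated by the pfSense documentation): the old firewall
    stored the characters as single ISO-8859-1 bytes. Decoding that way and
    re-encoding keeps the characters instead of stripping them.
    """
    return data.decode("iso-8859-1").encode("utf-8")


def hostname_of(data):
    """Read system/hostname from a well-formed config, to confirm the repair kept the text."""
    return ET.fromstring(data).findtext("system/hostname")


if __name__ == "__main__":
    import sys
    # Pass the path of the config.xml to check; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else OLD_CONFIG
    for line, column, byte in find_bad_bytes(data):
        print(f"line {line} column {column}: invalid byte 0x{byte:02x}")
    err = parse_error(data)
    print("parser:", "well-formed" if err is None else err[2])
    if err is not None and find_bad_bytes(data):
        fixed = transcode_latin1(data)
        print("after ISO-8859-1 -> UTF-8:", parse_error(fixed) or "well-formed")
```

If the parser still reports an error after transcoding, the problem is not a bare character but something else in the file, and the parser's line and column point at it.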
Upgrading High Availability Deployments
When upgrading from pfSense 1.2.3 to 2.0 or later, check the CARP VIPs to make sure they are actually on the proper
interface. That is, that the interface chosen for the VIP properly matches the subnet in which the CARP VIP resides,
and that the subnet mask is proper. pfSense 2.0 validates this more strictly than previous releases, and as a consequence
if a CARP VIP was misconfigured on pfSense 1.2.3, it may not upgrade cleanly.
7.6.3 Perform the Upgrade
There are several methods available to update an installation of pfSense® software. Either the WebGUI or the console
can be used.
Note: Before performing an upgrade, read through the entire Upgrade Guide.
If problems occur during the upgrade process, consult Troubleshooting Upgrades for assistance.
Upgrading using the GUI
The Automatic Update check feature contacts a Netgate server and determines if there is a release version newer than
the version on the firewall. This check is performed when an administrator visits the dashboard or System > Update.
To perform the upgrade in the GUI:
• Navigate to System > Update or click the update icon in the System Information dashboard widget next to the new
version notification.
• Click Confirm to start the update
• Wait for the upgrade to complete
The update takes a few minutes to download and apply, depending on the speed of the Internet connection being used
and the speed of the firewall hardware. The firewall will reboot automatically when finished.
Tip: Monitor the firewall console during the upgrade if possible to watch for potential problems.
Upgrading using the Console
An update may also be run from the console. The console option is available from any means available for console
access: Video/Keyboard, Serial Console, or SSH.
• Connect to the firewall console or login via ssh
• Enter menu option 13
• Wait for the upgrade to complete
Alternately, from a shell prompt running as root, manually execute the following command:
# pfSense-upgrade
Tip: When upgrading from SSH, the GNU screen utility can be a useful tool to monitor the upgrade process in
environments where the connection to the firewall is unstable:
# pkg install screen
# rehash
# screen pfSense-upgrade
Reinstalling / Upgrading Configuration
If an upgrade will not function properly on an existing installation, the configuration file can be restored to a freshly
installed copy of pfSense software. An older configuration can always be imported into a new version. The upgrade
code will make necessary changes to the configuration so it will work with the current version of the software. See
Backup and Recovery for details.
7.6.4 Upgrading High Availability Clusters
This page provides guidance on upgrading redundant firewalls (CARP, pfsync, XMLRPC config sync) across major
versions of pfSense® software. Upgrading from one version to another generally follows this procedure; exceptions
are noted later in the page.
• Review changelog/blog/upgrade guide
• Take a backup from both nodes. Do not skip this step!
• Upgrade secondary as described in the Upgrade Guide
• Test secondary to be sure it is operating OK – expected packages present, services running, no obvious errors in
logs, etc
• Switch CARP to maintenance mode on primary from Status > CARP
• Ensure traffic is still flowing properly and that the network is functional. If it is not, then exit maintenance mode
on the primary, fix the secondary then try again.
• Upgrade primary as described in the Upgrade Guide
• Check primary to ensure it upgraded OK – expected packages present, services running, no obvious errors in
logs, etc
• Exit maintenance mode on primary
• Test again
XMLRPC Config Sync Considerations
Upgrade either the primary or the secondary first, leaving the other on the older version until testing is complete.
Supported versions of pfSense software from the last several years properly check for and prevent unintentionally
synchronizing data between incompatible versions.
pfsync considerations
The underlying pfsync protocol often changes between FreeBSD versions. Versions of pfSense software with a different
base OS version of FreeBSD cannot sync their states between each other. Failover will still function, but not
stateful failover so all existing connections will be dropped.
pfsync and Interface-bound States
States contain information about the interface to which they are bound. If the interfaces do not line up on both nodes
then the states will not properly sync, for example if WAN is ix0 on one node and igb0 on the other.
Adding interfaces to LAGGs can work around this, since then the states would be bound to the lagg on each node
rather than the underlying interface. For example, lagg0 on primary contains ix0, lagg0 on secondary contains
igb0, but the states are on lagg0 for both so sync will function.
CARP considerations
CARP is generally the same between versions and will fail over and back as expected.
See also:
• Troubleshooting Upgrades
7.6.5 Update Settings
Branch / Tracking Snapshots
By default, the update check looks for officially released versions of pfSense software, but this method can also be
used to track development snapshots.
To change the branch used for updates:
• Navigate to System > Update
• Set the Branch to the desired type of updates
• Wait for the page to refresh and perform a new update check
The branch list will vary depending on the current development cycle. Examples of options that may be found in the
list include:
Latest Stable Version Stable versions are the best option, as they see the most testing and are reasonably
safe and trouble-free. However, as with any upgrade, read the changelog and update notes for that
release.
pfSense Plus Upgrade Upgrade a system from pfSense CE software to pfSense Plus software. Present on registered systems with access to pfSense Plus software repositories.
See also:
See Migrate from pfSense® CE software to Netgate pfSense Plus software for details on migrating
to pfSense Plus software.
Previous Stable Version (Deprecated) A pointer to the previous release so that firewalls may pull packages and update files from the previous release while waiting for a maintenance window or similar upgrade opportunity. May also be labeled “Legacy”.
Latest Development Snapshots Tracks development snapshot builds. These may either be snapshots for
the next minor or major version depending on the status of the development cycle.
Next Major Version Tracks snapshots for the next major update version. This is riskier, but in some
cases may be required for newer hardware or new features that are not yet released. Consult the
forum and test in a lab to see if these snapshots are stable in a particular environment.
Warning: Do not run development versions of pfSense software in production environments.
Dashboard Check
The Dashboard Check checkbox on System > Update, Update Settings tab controls whether or not the System
Information widget on the dashboard performs an update check. On firewalls with low resources or slow disks,
disabling this check will reduce the load caused by running the check each time an administrator views the dashboard.
Boot Environments
The Automatic Creation checkbox controls whether or not the firewall automatically creates a new ZFS Boot Environment when performing an upgrade.
Administrators may choose to disable automatic creation, for example, if disk space is constrained and ZFS Boot Environments are not desired, or if they wish to manage ZFS Boot Environments manually.
See also:
See ZFS Boot Environments (Plus Only) for more information.
GitSync
This section is for developers and should not be used by end users. Leave settings in this area empty or disabled.
7.7 Migrate from pfSense® CE software to Netgate pfSense Plus software
Netgate now offers the ability to migrate from the Community Edition (CE) of pfSense® software to pfSense Plus
software.
This enables users with virtual machines or hardware not sold by Netgate to utilize the advantages of pfSense Plus
software.
pfSense Plus Software Migration Procedure
• Requirements
• Obtain an Activation Token
• Register and Migrate
7.7.1 Requirements
To perform this migration:
• The firewall must be running pfSense CE software version 2.6.0 or later.
Before starting, take one of the following steps:
– Perform a fresh install of at least pfSense CE software version 2.6.0 by following the installation guide.
– Upgrade an existing installation of pfSense CE software to version 2.6.0 or later by following the upgrade guide.
• The firewall must be connected to the Internet to perform the migration.
Warning: The migration process preserves the existing filesystem type, so ensure that a firewall is in the intended
state before upgrading. For example, install pfSense CE software using ZFS so that it can use pfSense Plus software
with ZFS.
7.7.2 Obtain an Activation Token
Activation tokens are generated by the Netgate Store. To obtain a token, follow these steps:
• Visit the Netgate Store
• Create a new account or log into an existing account
• Visit the pfSense Plus Software Subscription product page
• Select the desired Software Type
• Add the product to the cart
• Complete the checkout process
After completing the checkout process the store will send an activation token by e-mail to the address on the Netgate
Store account.
Tip: If the activation e-mail does not arrive in a timely manner, check spam or junk mail folders in the e-mail client.
Warning: Activation tokens are single use. Ensure the pfSense CE software installation is functional and is in
the intended configuration before performing the migration.
7.7.3 Register and Migrate
• Navigate to System > Register in the pfSense CE software GUI
• Paste the Activation Token into the text area on the page
• Click Register
The page will display a message indicating the registration results. If the registration was successful, continue.
If registration failed, contact Netgate TAC.
• Navigate to System > Update
The page will contain a message announcing the pfSense Plus software migration branch.
• Set Branch to pfSense Plus Upgrade as seen in figure pfSense Plus Software Branch Selection.
• Wait for the firewall to complete the update check
• Click Confirm to confirm and start the migration process
Fig. 18: pfSense Plus Software Branch Selection
The migration process will proceed from there and reboot when it is complete. This may take several minutes to
complete, especially in locations with slow download speeds. Monitor the console for progress.
Warning: Do not manually reboot or remove power from the device until the migration completes as this may
interrupt the process and cause it to fail.
Congratulations, the firewall is now running pfSense Plus Software!
See also:
• Virtualization
• Connect to the Console
• Troubleshooting Installation Issues
• Troubleshooting Upgrades
• Troubleshooting Disk and Filesystem Issues
CHAPTER
EIGHT
CONFIGURATION
8.1 Setup Wizard
The first time a user logs into the pfSense® software GUI, the firewall presents the Setup Wizard automatically. The
first page of the wizard is shown in Figure Setup Wizard Starting Screen.
Click Next to proceed.
Tip: Using the setup wizard is optional. Click the logo at the top left of the page to exit the wizard at any time.
Fig. 1: Setup Wizard Starting Screen
The next screen of the wizard explains the availability of support from Netgate. Click Next again to start the
configuration process using the wizard.
8.1.1 General Information Screen
The next screen (Figure General Information Screen) configures the name of this firewall, the domain in which it
resides, and the DNS servers for the firewall.
Hostname The Hostname is a name that should uniquely identify this firewall. It can be nearly anything,
but must start with a letter and it may contain only letters, numbers, or a hyphen.
Domain Enter a Domain, e.g. example.com. If this network does not have a domain, use <something>.home.arpa, where <something> is another identifier: a company name, last name, nickname, etc. For example, company.home.arpa. The hostname and domain name are combined to make up the fully qualified domain name of this firewall.
Primary/Secondary DNS Server The IP address of the Primary DNS Server and Secondary DNS
Server, if known.
These DNS servers may be left blank if the DNS Resolver will remain active using its default settings. The default configuration has the DNS Resolver active in resolver mode (not forwarding mode); when set this way, the DNS Resolver does not need forwarding DNS servers as it will communicate directly with Root DNS servers and other authoritative DNS servers. To force the firewall to use these configured DNS servers, enable forwarding mode in the DNS Resolver or use the DNS Forwarder.
If this firewall has a dynamic WAN type such as DHCP, PPTP or PPPoE, these may be automatically assigned by the ISP and can be left blank.
Note: The firewall can have more than two DNS servers; add more under System > General Setup after completing the wizard.
Override DNS When checked, a dynamic WAN ISP can supply DNS servers which override those set
manually. To force the use of only the DNS servers configured manually, uncheck this option.
See also:
For more information on configuring the DNS Resolver, see DNS Resolver
Click Next to continue.
8.1.2 NTP and Time Zone Configuration
The next screen (Figure NTP and Time Zone Setup Screen) has time-related options.
Time server hostname A Network Time Protocol (NTP) server hostname or IP address. Unless a specific NTP server is required, such as one on LAN, the best practice is to leave the Time server hostname at the default 2.pfsense.pool.ntp.org. This value will pick a set of random servers from a pool of known-good NTP hosts.
To utilize multiple time server pools or individual servers, add them in the same box, separating each server by a space. For example, to use three NTP servers from the pool, enter: 0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org
This numbering is specific to how .pool.ntp.org operates and ensures each address is drawn from a unique pool of NTP servers so the same server does not get used twice.
Timezone Choose a geographically named zone which best matches the location of this firewall, or any other desired zone.
Fig. 2: General Information Screen
Click Next to continue.
Fig. 3: NTP and Time Zone Setup Screen
8.1.3 WAN Configuration
The next page of the wizard configures the WAN interface of the firewall. This is the external network facing the ISP
or upstream router, so the wizard offers configuration choices to support several common ISP connection types.
WAN Type The Selected Type (Figure WAN Configuration) must match the type of WAN required by the ISP, or whatever the previous firewall or router was configured to use. Possible choices are Static, DHCP, PPPoE, and PPTP. The default choice is DHCP because it is the most common, and for the majority of cases this setting allows a firewall to “Just Work” without additional configuration. If the WAN type is not known, or specific settings for the WAN are not known, this information must be obtained from the ISP. If the required WAN type is not available in the wizard,
or to read more information about the different WAN types, see Interface Types and Configuration.
Note: If the WAN interface is wireless, additional options will be presented by the wizard which
are not covered during this walkthrough of the standard Setup Wizard. Refer to Wireless, which has
a section on Wireless WAN for additional information. If any of the options are unclear, skip the
WAN setup for now, and then perform the wireless configuration afterward.
Fig. 4: WAN Configuration
MAC Address This field, shown in Figure General WAN Configuration, changes the MAC address used
on the WAN network interface. This is also known as “spoofing” the MAC address.
Note: The problems alleviated by spoofing a MAC address are typically temporary and easily worked around. The best course of action is to maintain the original hardware MAC address, resorting to spoofing only when absolutely necessary.
Changing the MAC address can be useful when replacing an existing piece of network equipment. Certain ISPs, primarily Cable providers, will not work properly if a new MAC address is encountered. Some Internet providers require power cycling the modem, others require registering the new address over the phone. Additionally, if this WAN connection is on a network segment with other systems that locate it via ARP, changing the MAC to match an older piece of equipment may also help ease the transition, rather than having to clear ARP caches or update static ARP entries.
Warning: If this firewall will ever be used as part of a High Availability Cluster, do not spoof
the MAC address.
Maximum Transmission Unit (MTU) The MTU field, shown in Figure General WAN Configuration,
can typically be left blank, but can be changed when necessary. Some situations may call for a lower
MTU to ensure packets are sized appropriately for an Internet connection. In most cases, the default
assumed values for the WAN connection type will work properly.
Maximum Segment Size (MSS) MSS, shown in Figure General WAN Configuration, can typically be left blank, but can be changed when necessary. This field enables MSS clamping, which ensures TCP packet sizes remain adequately small for a particular Internet connection.
Static IP Configuration If the “Static” choice for the WAN type is selected, the IP address, Subnet
Mask, and Upstream Gateway must all be filled in (Figure Static IP Settings). This information
must be obtained from the ISP or whoever controls the network on the WAN side of this firewall.
The IP Address and Upstream Gateway must both reside in the same Subnet.
DHCP Hostname This field (Figure DHCP Hostname Setting) is only required by a few ISPs. This
value is sent along with the DHCP request to obtain a WAN IP address. If the value for this field is
unknown, try leaving it blank unless directed otherwise by the ISP.
Fig. 5: General WAN Configuration
Fig. 6: Static IP Settings
Fig. 7: DHCP Hostname Setting
PPPoE Configuration When using the PPPoE (Point-to-Point Protocol over Ethernet) WAN type (Figure PPPoE Configuration), the PPPoE Username and PPPoE Password fields are required, at a minimum. The values for these fields are determined by the ISP.
PPPoE Username The login name for PPPoE authentication. The format is controlled by
the ISP, but commonly uses an e-mail address style such as myname@example.com.
PPPoE Password The password to login to the account specified by the username above.
The password is masked by default. To view the entered password, check Reveal
password characters.
PPPoE Service Name The PPPoE Service name may be required by an ISP, but is typ-
ically left blank. When in doubt, leave it blank or contact the ISP and ask if it is
necessary.
PPPoE Dial on Demand This option leaves the connection down/offline until data is requested that would need the connection to the Internet. PPPoE logins happen quite fast, so in most cases the delay while the connection is set up would be negligible. If public services are hosted behind this firewall, do not check this option as an online connection must be maintained as much as possible in that case. Also note that this choice will not drop an existing connection.
PPPoE Idle Timeout Specifies how much time the PPPoE connection remains up without transmitting data before disconnecting. This is only useful when coupled with Dial on demand, and is typically left blank (disabled).
Note: This option also requires the deactivation of gateway monitoring, otherwise the
connection will never be idle.
Fig. 8: PPPoE Configuration
PPTP Configuration The PPTP (Point-to-Point Tunneling Protocol) WAN type (Figure PPTP WAN
Configuration) is for ISPs that require a PPTP login, not for connecting to a remote PPTP VPN.
These settings, much like the PPPoE settings, will be provided by the ISP. A few additional options
are required:
Local IP Address The local (usually private) address used by this firewall to establish the
PPTP connection.
CIDR Subnet Mask The subnet mask for the local address.
Remote IP Address The PPTP server address, which is usually inside the same subnet as
the Local IP address.
Fig. 9: PPTP WAN Configuration
These last two options, seen in Figure Built-in Ingress Filtering Options, are useful for preventing invalid traffic from
entering the network protected by this firewall, also known as “Ingress Filtering”.
Block RFC 1918 Private Networks Blocks connections sourced from registered private networks such as 192.168.x.x and 10.x.x.x attempting to enter the WAN interface. A full list of these networks is in Private IP Addresses.
Block Bogon Networks When active, the firewall blocks traffic from entering if it is sourced from reserved or unassigned IP space that should not be in use. The list of bogon networks is updated periodically in the background, and requires no manual maintenance. Bogon networks are further explained in Block Bogon Networks.
Click Next to continue once the WAN settings have been filled in.
Fig. 10: Built-in Ingress Filtering Options
8.1.4 LAN Interface Configuration
This page of the wizard configures the LAN IP Address and Subnet Mask (Figure LAN Configuration).
If this firewall will not connect to any other network via VPN, the default 192.168.1.0/24 network may be
acceptable. If this network must be connected to another network, including via VPN from remote locations, choose
a private IP address range much more obscure than the common default of 192.168.1.0/24. IP space within
the 172.16.0.0/12 RFC 1918 private address block is generally the least frequently used, so choose something
between 172.16.x.x and 172.31.x.x to help avoid VPN connectivity difficulties.
If the LAN is 192.168.1.x and a remote client is at a wireless hotspot using 192.168.1.x (very common), the
client will not be able to communicate across the VPN. In that case, 192.168.1.x is the local network for the client
at the hotspot, not the remote network over the VPN.
If the LAN IP Address must be changed, enter it here along with a new Subnet Mask. If these settings are changed,
the IP address of the computer used to complete the wizard must also be changed if it is connected through the LAN.
Release/renew its DHCP lease, or perform a “Repair” or “Diagnose” on the network interface when finished with the
setup wizard.
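The subnet overlap problem described above, together with the WAN option Block RFC 1918 Private Networks from the previous section, as an added Python example that is not part of the pfSense documentation or project code. The candidate LAN subnets and the remote networks a roaming client might sit on are constructed sample values.

```python
"""Address-planning checks modelled on the LAN guidance above and on the WAN
"Block RFC 1918 Private Networks" option. Added example, not pfSense project
code; every address below is a constructed sample value."""
import ipaddress

# The three RFC 1918 private blocks: the page's 10.x.x.x, 172.16.x.x-172.31.x.x
# and 192.168.x.x ranges expressed as prefixes.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The block the text recommends drawing a LAN range from.
PREFERRED_LAN_BLOCK = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample: networks a remote VPN client might be on, including the
# very common hotspot default 192.168.1.0/24 the text warns about.
SAMPLE_REMOTE_NETWORKS = ["192.168.1.0/24", "192.168.0.0/24", "10.0.0.0/24"]


def is_rfc1918(address: str) -> bool:
    """True if the IPv4 address lies inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(address)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS)


def blocked_by_private_filter(src: str, block_private: bool) -> bool:
    """Model of the WAN ingress option: with it enabled, a packet whose source
    is RFC 1918 private is dropped at the WAN; otherwise this check passes it
    (the normal rule set still decides what happens next)."""
    return block_private and is_rfc1918(src)


def overlapping_networks(lan: str, remote_nets) -> list:
    """Return the remote networks that overlap the proposed LAN subnet.
    A client whose local network overlaps the LAN cannot reach the LAN across
    the VPN, because the overlapping range is local to the client."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    return [
        r for r in remote_nets
        if ipaddress.ip_network(r, strict=False).overlaps(lan_net)
    ]


def _within(net, block) -> bool:
    """subnet_of() only accepts networks of the same IP version."""
    return net.version == block.version and net.subnet_of(block)


def assess_lan_choice(lan: str, remote_nets) -> dict:
    """Summarise a proposed LAN subnet: is it private, is it inside the less
    frequently used 172.16.0.0/12 block, and which known remote networks
    collide with it. A host address such as 192.168.1.1/24 is accepted."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    return {
        "lan": str(lan_net),
        "private": any(_within(lan_net, n) for n in RFC1918_NETWORKS),
        "in_preferred_block": _within(lan_net, PREFERRED_LAN_BLOCK),
        "overlaps": overlapping_networks(str(lan_net), remote_nets),
    }


if __name__ == "__main__":
    for candidate in ("192.168.1.1/24", "172.22.50.1/24"):
        print(assess_lan_choice(candidate, SAMPLE_REMOTE_NETWORKS))
    print(blocked_by_private_filter("192.168.1.10", True))
```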
Fig. 11: LAN Configuration
Click Next to continue.
8.1.5 Set admin password
Next, change the administrative password for the GUI as shown in Figure Change Administrative Password. The best practice is to use a strong and secure password, but no restrictions are automatically enforced. Enter the password in the Admin Password and confirmation boxes to be sure it has been entered correctly.
Click Next to continue.
Warning: Do not leave the password set to the default pfsense. If access to the firewall administration via
GUI or SSH is exposed to the Internet, intentionally or accidentally, the firewall could easily be compromised if it
still uses the default password.
Fig. 12: Change Administrative Password
8.1.6 Completing the Setup Wizard
That completes the setup wizard configuration. Click Reload (Figure Reload the GUI) and the GUI will apply the
settings from the wizard and reload services changed by the wizard.
Fig. 13: Reload the GUI
Tip: If the LAN IP address was changed in the wizard and the wizard was run from the LAN, adjust the client
computer’s IP address accordingly after clicking Reload.
When prompted to login again, enter the new password. The username remains admin.
After reloading, the final screen of the wizard includes convenient links to check for updates, get support, and other
resources. Click Finish to complete and exit the wizard.
At this point the firewall will have basic connectivity to the Internet via the WAN and clients on the LAN side will be
able to reach Internet sites through this firewall.
If at any time this initial configuration must be repeated, revisit the wizard at System > Setup Wizard from within the
GUI.
8.2 Interface Configuration
Basic aspects of interface configuration within pfSense® software can be performed at the console and in the setup wizard to start, but changes may also be made after the initial setup by visiting pages under the Interfaces menu. A few basics are covered here; the details can be found in Interface Types and Configuration.
8.2.1 Assign interfaces
Interfaces added after the initial setup may be assigned roles by visiting Interfaces > Assignments. There are numerous tabs on that page used for assigning and creating different types of interfaces. The two most commonly used tabs are Interface assignments and VLANs.
See also:
VLAN configuration is covered in Virtual LANs (VLANs).
The Interface assignments tab shows a list of all currently assigned interfaces: WAN, LAN, and any OPTx entries configured on the firewall. Next to each interface is a drop-down list of all network interfaces/ports found on the system. This list includes hardware interfaces as well as VLAN interfaces and other virtual interface types. The MAC address, VLAN tag, or other identifying information is printed alongside the interface name to aid in identification.
The other tabs, much like the VLAN tab, are there to create additional interfaces which can then be assigned. All of
these interface types are covered in Interface Types and Configuration.
To change an existing interface assignment to another network port:
• Navigate to Interfaces > Assignments
• Locate the interface to change in the list
• Select the new network port from the drop-down list on the row for that interface
• Click Save
To add a new interface from the list of unused network ports:
• Navigate to Interfaces > Assignments
• Select the port to use from the drop-down list labeled Available Network Ports
• Click Add
This action will add another line with a new OPT interface numbered higher than any existing OPT interface, or if this
is the first additional interface, OPT1.
8.2.2 Interface Configuration Basics
Interfaces are configured by choosing their entry from under the Interfaces menu. For example, to configure the WAN
interface, choose Interfaces > WAN.
Every interface is configured in the same manner and any interface can be configured as any interface type (Static,
DHCP, PPPoE, etc). Additionally, the blocking of private networks and bogon networks may be performed on any
interface. Every interface can be renamed, including WAN and LAN, to a custom name. Furthermore, every interface
can be enabled and disabled as desired, so long as a minimum of one interface remains enabled.
See also:
For detailed interface configuration information, see Interface Types and Configuration
The IPv4 Configuration Type can be changed between Static IPv4, DHCP, PPPoE, PPP, PPTP, L2TP, or None to
leave the interface without an IPv4 address. When Static IPv4 is used, an IPv4 Address, subnet mask, and IPv4
Upstream Gateway may be set. If one of the other options is chosen, then type-specific fields appear to configure
each type.
The IPv6 Configuration Type can be set to Static IPv6, DHCP6, SLAAC, 6rd Tunnel, 6to4 Tunnel, Track Interface,
or None to leave IPv6 unconfigured on the interface. When Static IPv6 is selected, set an IPv6 address, prefix length,
and IPv6 Upstream Gateway.
If this is a wireless interface, the page will contain many additional options to configure the wireless portion of the interface. Consult Wireless for details.
Note: Selecting a Gateway from the drop-down list, or adding a new gateway and selecting it, will direct the firewall
to treat this interface as a WAN type interface for NAT and related functions. This is not desirable for internal-facing
interfaces such as LAN or a DMZ. Gateways may still be utilized on those interfaces for static routes and other
purposes without selecting a Gateway here on the interfaces page.
8.3 Managing Lists in the GUI
The pfSense® software GUI has a common set of icons which are used for managing lists and collections of objects
throughout the firewall. Not every icon is used in every page, but their meanings are consistent based on the context
in which they are seen. Examples of such lists include firewall rules, NAT rules, IPsec, OpenVPN, and certificates.
Add a new item to a list
Add an item to the beginning of a list
Add an item to the end of a list
Edit an existing item
Copy an item (create a new item based on the selected item)
Disable an active item
Enable a disabled item
Delete an item
Used for moving entries after selecting one or more items. Click to move the selected items above
this row. Shift-click to move the selected items below this row.
Sections may have their own icons specific to each area. Consult the appropriate sections of this documentation for
specifics about icons found in other parts of the firewall.
Tip: To determine which action an icon will perform, hover over the icon with the mouse pointer and a tooltip will
display a short description of the icon’s purpose.
8.4 Quickly Navigate the GUI with Shortcuts
Many areas of the GUI have shortcut icons present in the area known as the “Breadcrumb Bar”, as seen in Figure
Shortcuts Example. These shortcut icons reduce the amount of hunting required to locate related pages, allowing
a firewall administrator to navigate quickly between the status page of a service, its logs, and configuration. The
shortcuts for a given topic are present on each page related to that topic.
Fig. 14: Shortcuts Example
Note: Shortcut icons only appear when their respective actions are possible and the target pages exist. Not every
section has every icon.
The shortcut icons have the following effects when they appear in the GUI:
Start Service If the service is stopped, this icon starts the service.
Restart Service If the service is running, this icon restarts the service.
Note: Some services will stop and start, others reload the configuration. Check the documentation
of each service for details.
Stop Service If the service is running, this icon stops the service.
Related Settings This icon navigates to the settings page for this section.
Status Page Link This icon navigates to the status page for this section.
Log Page Link This icon navigates to the logs page for this section.
Help Link This icon navigates to a related help topic for this page.
The Service Status page (Status > Services) also has shortcut controls for pages related to each service, as shown in
Figure Shortcuts on Service Status. The icons have the same meaning as in the above section.
Fig. 15: Shortcuts on Service Status
8.5 General Configuration Options
System > General Setup contains basic configuration options for pfSense® software. A few of these options are also
found in the Setup Wizard.
Hostname The Hostname is the short name for this firewall, such as firewall1, hq-fw, or site1.
The name must start with a letter and it may contain only letters, numbers, or a hyphen.
Domain The Domain name for this firewall, e.g. example.com. If this network does not have a domain, use <something>.home.arpa, where <something> is another identifier: a company name, last name, nickname, etc. For example, company.home.arpa.
The Hostname and Domain name are combined to make up the Fully Qualified Domain Name (FQDN) of this firewall. For example, if the Hostname is fw1 and the Domain is example.com, then the FQDN is fw1.example.com.
8.5.1 DNS Server Settings
Options in this section control how the firewall resolves hostnames using DNS.
Note: The DNS Resolver is active by default and uses resolver mode (DNS Resolver Mode). When set this way the
DNS Resolver does not need forwarding DNS servers as it will communicate directly with root DNS servers and other
authoritative DNS servers.
To use the servers in this list, switch the DNS resolver to forwarding mode. The DNS Forwarder (DNS Forwarder)
only supports forwarding mode and will always use the servers from this list.
DNS Servers
This page supports multiple DNS servers managed as a list. To add more DNS servers, click Add DNS Server.
To remove an entry from the list click Delete.
The DNS server list may be left blank if the DNS Resolver is active in its default resolver mode. If this firewall has a
dynamic WAN type such as DHCP or PPPoE these servers may be automatically assigned by the ISP and can also be
left blank.
Each DNS server entry has the following properties:
Address The IP address of the DNS Server.
Hostname The FQDN of the DNS server, used to validate DNS server certificates when using DNS over
TLS (DNS Resolver Configuration).
Gateway The gateway through which the firewall will reach this DNS server.
This is useful in a Multi-WAN scenario where, ideally, the firewall will have at least one DNS server
configured per WAN. More information on DNS for Multi-WAN can be found in DNS Forwarding
and Static Routes.
DNS Resolution Behavior
These options fine tune the way the firewall utilizes DNS servers.
DNS Server Override When checked, a dynamic WAN ISP can supply DNS servers which override
those set manually. To force the use of only the DNS servers on this page, uncheck this option. This
does not apply to the DNS Resolver when acting in resolver mode.
DNS Resolution Behavior This option controls how the firewall itself resolves DNS queries.
Use Local DNS (127.0.0.1), fall back to remote DNS Servers (Default) By default, the
firewall will consult the DNS Resolver or DNS Forwarder running on this firewall to
resolve hostnames for itself. It does this by listing localhost (127.0.0.1) as its first
DNS server internally. If the local DNS server is unreachable, the firewall will send
queries directly to the DNS servers configured on this page, or those received from
dynamic WANs.
This method gives the firewall the best chance of having working DNS.
Use Local DNS (127.0.0.1), ignore remote DNS Servers Like the option above, this option will make the firewall use its own DNS Resolver or DNS Forwarder to resolve hostnames. However, it will not attempt to use any other server.
This option is more secure as it forces DNS to be resolved using the configuration on
the DNS Resolver or DNS Forwarder, which may have special requirements restricting
or redirecting name resolution. For example, if the DNS Resolver is configured for
DNS over TLS, using this option ensures that the firewall will not send queries to DNS
servers without using TLS.
Use remote DNS Servers, ignore local DNS This option forces the firewall to use the
DNS servers configured on this page or from dynamic WANs and it will not utilize
the local DNS Resolver or DNS Forwarder.
This option is useful when the local DNS service is configured in a strict manner to
control client behavior, but the firewall still needs unrestricted access to DNS for tasks
such as updates and installing packages.
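The three DNS Resolution Behavior choices combined with DNS Server Override, modelled as an added Python example (not pfSense project code). It assumes that "override" means servers supplied by a dynamic WAN are used in place of the manual list when any were supplied; the server addresses are constructed.

```python
"""Model of which name servers the firewall itself consults, and in what
order, for each DNS Resolution Behavior choice. Added example, not pfSense
project code; the option names are quoted from the settings page and the
server addresses are constructed sample values."""

LOCALHOST = "127.0.0.1"

LOCAL_THEN_REMOTE = "Use Local DNS (127.0.0.1), fall back to remote DNS Servers"
LOCAL_ONLY = "Use Local DNS (127.0.0.1), ignore remote DNS Servers"
REMOTE_ONLY = "Use remote DNS Servers, ignore local DNS"

# Constructed sample inputs: servers entered on System > General Setup and
# servers handed out by a dynamic (DHCP/PPPoE) WAN.
MANUAL_SERVERS = ["192.0.2.53", "198.51.100.53"]
DYNAMIC_WAN_SERVERS = ["203.0.113.1"]


def remote_servers(manual, dynamic, override_enabled) -> list:
    """Remote servers the firewall may use. Assumption: with DNS Server
    Override checked and servers supplied by the dynamic WAN, those replace
    the manual list; otherwise only the manual list is used. Duplicates are
    dropped while keeping order."""
    if override_enabled and dynamic:
        return list(dict.fromkeys(dynamic))
    return list(dict.fromkeys(manual))


def nameserver_order(behavior, manual, dynamic, override_enabled) -> list:
    """Ordered name servers for the firewall's own lookups under `behavior`."""
    remote = remote_servers(manual, dynamic, override_enabled)
    if behavior == LOCAL_THEN_REMOTE:
        return [LOCALHOST] + remote  # local Resolver/Forwarder first, remote as fallback
    if behavior == LOCAL_ONLY:
        return [LOCALHOST]           # nothing but the local service is ever asked
    if behavior == REMOTE_ONLY:
        return remote                # the local service is bypassed entirely
    raise ValueError(f"unknown DNS Resolution Behavior: {behavior!r}")


def can_bypass_local_policy(behavior) -> bool:
    """True if some of the firewall's own queries may go past the local DNS
    Resolver/Forwarder, and so past any DNS over TLS or filtering configured
    there. Only the local-only choice rules this out."""
    return behavior != LOCAL_ONLY


def resolv_conf_lines(behavior, manual, dynamic, override_enabled) -> list:
    """Render the order as resolv.conf style lines for inspection."""
    order = nameserver_order(behavior, manual, dynamic, override_enabled)
    return [f"nameserver {server}" for server in order]


if __name__ == "__main__":
    for choice in (LOCAL_THEN_REMOTE, LOCAL_ONLY, REMOTE_ONLY):
        print(choice)
        for line in resolv_conf_lines(choice, MANUAL_SERVERS, DYNAMIC_WAN_SERVERS, True):
            print("   ", line)
```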
8.5.2 Localization
Options in this section control the firewall clock and language.
Time Zone The time zone used by the firewall for its clock. Choose a geographically named zone which best matches the location of this firewall, or a common zone such as UTC. The firewall clock, log entries, and other areas of the firewall base their time on this zone.
Note: Changing the zone requires a reboot to fully activate the new zone in all areas of the firewall.
Tip: Avoid using the GMT +/- zones as they do not operate in an intuitive manner. See Troubleshooting
Time Zone Configuration for more information.
Time Servers Network Time Protocol (NTP) server hostnames or IP addresses. Unless a specific NTP
server is required, such as one on LAN, the best practice is to leave the Time Servers value at
the default 2.pfsense.pool.ntp.org. This value will pick random servers from a pool of
known-good IPv4 and IPv6 NTP hosts.
To utilize multiple time servers or pools, add them in the same box, separating each entry by a space.
For example, to use three NTP servers from the pool, enter:
0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org
This numbering is specific to how .pool.ntp.org operates and ensures each address is drawn
from a unique pool of NTP servers so the same server does not get used twice.
Language The language used by the GUI. The GUI has been translated into multiple languages in addition
to the default English language.
8.5.3 webConfigurator
Options in this section control various behaviors of the web-based GUI, which can be referred to as the GUI, WebGUI,
or webConfigurator.
Theme The Theme controls the look and feel of the GUI. Several themes are included in the base system,
and they only make cosmetic not functional changes to the GUI.
Top Navigation This option controls the behavior of the menu bar at the top of each page. There are two
possible choices:
Scrolls with page The default behavior. When the page scrolls, the navigation remains at
the top of the page, so it is no longer visible as it scrolls off the top of the window.
This is the best option for most situations.
Fixed When selected, the navigation remains fixed at the top of the window, always visible
and available for use.
This behavior can be convenient, but can be problematic on smaller screens such as
tablets and mobile devices. On low resolution browsers long menus can be cut off,
leaving options at the bottom unreachable.
Hostname in Menu Chooses if and how the GUI includes the firewall hostname in the menu. This can
aid in quickly identifying a firewall when managing multiple firewalls in separate tabs or windows,
but it consumes extra space in the menu.
Default (No hostname) The GUI does not display the hostname or FQDN in the menu.
Hostname Only When set, the GUI includes the firewall Hostname (no domain name) in
the menu.
If all firewalls are in the same domain, or if they have unique hostnames, this may be
sufficient.
Fully Qualified Domain Name When set, the GUI includes the Fully Qualified Domain
Name of the firewall in the menu.
This takes more space than displaying the hostname portion alone, but may be necessary
to properly distinguish firewalls if they use similar hostnames in multiple domains.
Dashboard Columns The dashboard is limited to 2 columns by default. On wider displays, additional
columns can utilize extra horizontal screen space. The maximum number of columns is 4.
Interfaces Sort When unset (default), the GUI presents interfaces in their natural order from the con-
figuration. This is critical for functions such as High Availability which require specific interface
ordering. When this option is set, the GUI sorts the interface list alphabetically.
Associated Panels Show/Hide A few GUI pages contain collapsible panels with settings or functions.
These panels take up extra screen space so they are hidden by default. For firewall administrators
who use the panels frequently, this can be slow and inefficient. The options in this group make the
GUI show these panels by default instead of hiding them.
Available Widgets Controls the Available Widgets panel on the Dashboard.
Log Filter Controls the log filtering panel used for searching log entries under
Status > System Logs.
Manage Log Controls the per-log settings in the Manage Log panel available for
each log under Status > System Logs.
Monitoring Settings Controls the options panel used to change the graphs at Status >
Monitoring.
Require State Filter When set, the state table contents at Diagnostics > States are suppressed by the
GUI unless a filter string is present. This helps the GUI handle large state tables which otherwise
may fail to load.
Left Column Labels When checked, the option labels in the left column are set to toggle options when
clicked. This can be convenient if the firewall administrator is used to the behavior, but it can also
be problematic on mobile or in cases when the behavior is unexpected.
Alias Popups When set, the tooltip presented by the GUI when hovering over an alias in a rule list only
shows the alias description. When unset, the contents of the alias are included in the tooltip. For
firewalls with large aliases, this may cause performance or browser rendering issues.
Disable Dragging When set, the GUI disables drag-and-drop on rule lists. Most users find drag-and-drop
to be convenient and beneficial, thus the feature is enabled by default. Users who find the behavior
undesirable can set this option.
Login Page Color Controls the color of the login page, which is independent of the theme.
Login Hostname When set, the GUI includes the hostname on the login form.
Warning: This can be considered a security risk since it exposes information about the firewall
to users who have not yet authenticated. If the firewall GUI is only reachable by authorized
management clients, the convenience may outweigh the potential risk.
8.6 Advanced Configuration Options
System > Advanced contains numerous options of an advanced nature. These options customize the firewall behavior
for more complex environments. Most administrators will not need to adjust these options for basic deployments.
Some of these options are covered in more detail in other sections of the documentation where their discussion is more
topical or relevant, but they are all mentioned here with a brief description.
8.6.1 Admin Access Tab
The options on the Admin Access tab govern various methods for administering the firewall, including via the web
interface, SSH, serial, and physical console.
webConfigurator (GUI)
Protocol
The protocol used by the GUI to accept web browser connections. May be one of:
HTTP Plain unencrypted HTTP. Insecure and basic, but widely compatible and less likely to have client
issues. Should not be used in most cases, and should never be exposed to insecure networks.
HTTPS (SSL/TLS) Encrypted (“Secure”) HTTP. Protects communication between the client browser
and the firewall GUI. Requires an SSL/TLS certificate to function. Depending on the browser and
certificate configuration, there may be compatibility issues, but typically these are easily overcome
by using current versions.
Note: The best practice is to use HTTPS so only encrypted traffic is exchanged between the GUI and clients.
SSL/TLS Certificate
The SSL/TLS Certificate to be used by the GUI in HTTPS (SSL/TLS) mode.
The firewall automatically generates a default self-signed certificate on the first boot. That is not an ideal situation, but
is better than no encryption at all.
The primary disadvantage of a self-signed certificate is the lack of assurance of the identity of the host, since the
certificate is not signed by a Certificate Authority trusted by the browser. Additionally, because for the bulk of Internet
users such an invalid certificate should be considered a risk, modern browsers may restrict how such certificates
are handled. Firefox, for example, gives a warning screen and forces the user to import the certificate and allow a
permanent exception. Chrome shows a warning screen with a link to continue.
Tip: To use an externally signed SSL certificate and key, import them using the Certificate Manager, then select the
certificate here.
Tip: The ACME Package can utilize the free Let’s Encrypt service to automatically obtain and update a signed
certificate for the GUI or for other purposes on the firewall.
Tip: Another alternate technique is to generate a self-signed CA and then generate a GUI certificate from that
CA. Export the CA from the firewall and then import that CA into client browsers manually. Using this method, all
certificates signed by that CA will be trusted by browsers. Specifics vary by client platform.
Tip: To generate a new self-signed certificate for the GUI, connect using the console or ssh and from a shell prompt,
run the following command:
# pfSsh.php playback generateguicert
TCP Port
The port used by the GUI for accepting connections from browsers. By default the GUI uses HTTPS on port 443
with a redirect from port 80 for the best compatibility and ease of initial configuration. To change the port, enter a
new port number into the TCP Port field.
Note: Moving the WebGUI to an alternate port is preferred by some administrators for security by obscurity reasons,
though such practices should not be considered as offering any security benefit. Do not expose the GUI to untrusted
networks such as the Internet.
Tip: Moving the GUI to another port will free up the standard web ports for use with port forwards or other services
such as HAproxy.
Max Processes
The number of web server worker processes used by the GUI when listening for client browser connections. The default
value is 2.
If multiple administrators view the GUI at the same time and pages are taking too long to load, or are failing to load,
then increase the Max Processes value.
WebGUI Redirect
Controls whether or not the firewall runs a redirect on port 80 so that if a browser attempts to access the firewall with
HTTP, the firewall will accept the request and then redirect the browser to the TCP Port used by the GUI (e.g. HTTPS
on port 443).
The redirect is enabled by default for ease of access and compatibility.
Disabling the redirect allows another daemon to bind to port 80.
HSTS
Controls whether the GUI web server sends the Strict-Transport-Security HTTPS response header (HSTS)
to the browser. Check this box to disable the behavior.
HSTS forces the browser to use only HTTPS for future requests to the firewall FQDN to ensure it does not accidentally
downgrade to an unencrypted connection.
Warning: When disabling HSTS, clients which visited the GUI when HSTS was enabled must perform browser-specific
steps for the change to take effect. Consult browser documentation for information on clearing cached HSTS behavior.
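The following is an added example, not pfSense code: an offline audit of the GUI listener behavior described in the Protocol, TCP Port, WebGUI Redirect and HSTS options above, run over raw HTTP responses such as those printed by `curl -si`. It checks that the plain-HTTP port only redirects to the HTTPS GUI port and that HTTPS responses carry a Strict-Transport-Security header with a sufficiently long max-age. The responses below are constructed samples for a hypothetical firewall at fw1.example.lan, and the one-year minimum max-age is this example's own choice, not a value from the documentation.

```python
"""Offline audit of GUI redirect and HSTS behavior (added example, not pfSense code).

The sample responses are constructed for a hypothetical firewall at
fw1.example.lan; feed the output of `curl -si http://<firewall>/` and
`curl -si https://<firewall>/` to the same functions to audit a real one.
"""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age this audit accepts (example's choice)


def parse_head(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header map)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_http_redirect(raw: str, gui_port: int = 443) -> list[str]:
    """Findings for the port-80 response: it must only redirect to the HTTPS GUI port."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 307, 308):
        return [f"port 80 answered {status} instead of redirecting to HTTPS"]
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        return [f"redirect target is not HTTPS: {location!r}"]
    if (target.port or 443) != gui_port:
        return [f"redirect points at port {target.port or 443}, GUI listens on {gui_port}"]
    return []


def audit_hsts(raw: str, min_age: int = ONE_YEAR) -> list[str]:
    """Findings for an HTTPS response: HSTS must be present with a long enough max-age."""
    _, headers = parse_head(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header: browsers will not refuse HTTP downgrades"]
    match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if not match:
        return [f"HSTS header has no max-age: {hsts!r}"]
    if int(match.group(1)) < min_age:
        return [f"HSTS max-age {match.group(1)} is below {min_age}"]
    return []


# Constructed sample responses (not captured from a real firewall).
SAMPLE_HTTP_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://fw1.example.lan/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_HTTPS_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>login form</html>"
)
SAMPLE_HTTPS_NO_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>login form</html>"
)

if __name__ == "__main__":
    for label, findings in (
        ("port 80", audit_http_redirect(SAMPLE_HTTP_REDIRECT)),
        ("HTTPS", audit_hsts(SAMPLE_HTTPS_OK)),
        ("HTTPS without HSTS", audit_hsts(SAMPLE_HTTPS_NO_HSTS)),
    ):
        print(label + ":", "ok" if not findings else "; ".join(findings))
```

When the GUI has been moved to an alternate TCP Port, pass that port as `gui_port` so the redirect target is checked against it; a finding from `audit_hsts` after HSTS was deliberately disabled is expected, and the browser-side cache note in the warning above still applies.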
OCSP Must-Staple
Controls whether or not the GUI web server forcefully enables OCSP Stapling.
If the GUI SSL/TLS Certificate requires OCSP Stapling, this behavior is automatically enabled by the GUI web
server. If the certificate property cannot be automatically determined by the firewall, this option can force the behavior.
Tip: Import the full CA and certificate chain or this option will be ignored by the GUI web server.
WebGUI Login Autocomplete
Controls whether or not the login form allows autocomplete so browsers can save the login credentials, for convenience.
In high-security environments, such as those that must adhere to specific security compliance standards, this behavior
is not acceptable.
Note: This only controls autocomplete on the login form.
Warning: Few modern browsers respect this option. Many still offer to save passwords even when the form
specifies that the browser must not allow the behavior. This behavior must be controlled or changed using browser
options.
WebGUI login messages
Controls whether or not the firewall prints successful login messages to the console and system log.
On hardware with a PC speaker, these console messages generate a beep from the speaker, which some users find
undesirable.
Checking this option stops the log message and the resulting beep.
Anti-lockout
Controls whether or not the firewall adds special rules to permit access to the WebGUI port and SSH port on the LAN
interface by default.
These special rules override user-defined filter rules and prevent the user from accidentally locking themselves out
of the firewall GUI or SSH. To control which LAN IP addresses may access the GUI and SSH using firewall rules,
disable the anti-lockout rules.
When two or more interfaces are present, the firewall puts anti-lockout rules on the LAN interface. If only one interface
is configured, the firewall places the rules on that interface instead.
Warning: Filter rules must be in place to allow GUI access before enabling this option! If the LAN rules do
not allow access to the GUI, removing the anti-lockout rule will block access to the GUI, potentially leaving the
administrator without a means to reach the firewall.
Note: Resetting the LAN IP address from the console also resets the anti-lockout rule. If administrative access is
unavailable after enabling this option, choose the console menu option 2, then choose to set the LAN IP address, and
enter in the exact same IP address and accompanying information.
DNS Rebind Check
Controls whether or not the DNS resolver or forwarder performs DNS rebinding checks. These checks prevent the
firewall from receiving DNS responses containing private IP addresses from DNS servers to prevent DNS rebinding
attacks.
Note: When accessing the firewall by IP address, these checks are not enforced because the attack is only relevant
when using a hostname.
Check this box to disable DNS rebinding protection if it interferes with GUI access or name resolution.
See also:
More detail on DNS rebinding attacks may be found on Wikipedia.
The most common case for disabling DNS rebinding checks is when the firewall is set to use an internal DNS server
which will return private (RFC1918) answers for hostnames.
Tip: Instead of disabling all DNS rebinding protections, the checks can be selectively disabled on a per-domain basis
in the DNS Resolver or DNS Forwarder. See DNS Resolver and DNS forwarder.
Browser HTTP_REFERER enforcement
Controls whether or not the GUI checks and enforces HTTP_REFERER contents.
The GUI checks the referring URL sent by a client browser to ensure that the form was submitted from this firewall.
This check prevents a form on another site from submitting a request to the firewall, changing an option when the
administrator did not intend for that to happen.
This also breaks some convenience behaviors, such as having a page that links to various firewall devices, though the
benefits of the check typically outweigh the advantage of those behaviors.
Alternate Hostnames
A list of Alternate Hostnames for the firewall allowed by DNS Rebind Checks and HTTP_REFERER Enforcement.
To keep these features active, but alter their behavior slightly, add Alternate Hostnames.
By default the GUI allows access to the hostname configured on the firewall and all IP addresses configured on the
firewall. Hostnames in this field are allowed by the firewall for GUI access and for referring URL purposes.
Man-In-The-Middle Attack/Warning
If a browser attempts to access the GUI using an IP address that is not configured on the firewall, such as a port forward
from another firewall, the GUI prints a message indicating that access to the firewall may be compromised due to a
Man-In-The-Middle (MITM) attack.
If such a forwarding was deliberately configured on this firewall or on a firewall upstream, the message may be safely
ignored. If access to the firewall should have been direct, then take great care before logging in to ensure the login
credentials are not being routed through an untrusted system.
Access is not disabled by the firewall in this case; it only prints a warning, so there is no option to disable this behavior.
Browser Tab Text
By default, the GUI prints the firewall hostname first in the page/tab title, followed by the page name. To reverse this
behavior and show the page name first and hostname second, check Display page name first in browser tab.
Administrators who access many firewalls at the same time in separate tabs tend to prefer having the hostname first
(default). Administrators who access one firewall with many pages in separate tabs tend to prefer having the page
name first.
Secure Shell (SSH)
The Secure Shell (SSH) server provides remote console access and file management. A user can connect with any
standard SSH client, such as the OpenSSH command line ssh client, PuTTY, SecureCRT, or iTerm2.
When using SSH, both the admin username and root username are accessible using the admin account credentials.
Users in the User Manager that have the User - System - Shell account access privilege are also allowed
to login over ssh. These users do not have root access privileges, and do not print the menu when they login
because many of the options require root privileges.
Tip: To grant users additional shell privileges, use the sudo package.
File transfers to and from the firewall are also possible by using a Secure Copy (SCP) client such as the OpenSSH
command line scp, FileZilla, WinSCP or Fugu. To use SCP, connect as the root user, not admin. If a custom user
has the User - System - Copy files permission, or all access, then they may also utilize SCP.
Tip: SSH clients must be kept up-to-date. As time goes on, security standards evolve and the SSH server settings
utilized by SSH servers will change. Outdated clients may not be able to connect using the strong security keys and
algorithms required by sshd. If a client will not connect, check for an update from the vendor.
Enable Secure Shell
To enable the SSH daemon, check Enable Secure Shell. After saving with this option enabled, the firewall will
generate SSH keys if they are not already present and then start the SSH daemon.
SSHd Key Only
This option controls which authentication methods the SSH daemon allows for clients. It can be set to one of the
following values:
Password or Public Key Allows a user to authenticate with either a valid password or valid key. This is
the default behavior.
Public Key Only Restricts authentication to only valid keys, passwords are not allowed.
Require Both Password and Public Key Requires a valid password and a valid key.
Key-based logins are a much more secure practice, though they do take more preparation to configure.
Add user keys for key-based login by editing users in the User Manager (User Management and Authentication).
When editing a user, paste the allowed public keys into the Authorized Keys text field for the account.
Allow Agent Forwarding
Controls whether or not the SSH daemon allows agent forwarding for clients.
Agent forwarding allows a user to run an SSH agent on their client system and connect to the firewall, and then to
other remote SSH servers using the key from their agent. In this case, the user does not need to have their private keys
on the firewall but can still use key-based authentication to remote servers.
Use of an SSH agent can be considered a security issue in certain cases. Additionally, the firewall is not intended to
be a general purpose SSH client or intermediate system, thus this feature is disabled by default.
SSH Port
Controls the port used by the SSH daemon to accept client connections. To change the port, type the new port into the
SSH Port box.
Moving the SSH server to an alternate port provides a negligible security improvement, and frees up the port for other
uses.
Tip: Brute force SSH scanners focus on hitting TCP port 22 but if the daemon is open to the Internet on another port,
it will eventually be found and hit by scanners.
Best Practices for SSH
If this firewall is installed in an environment that requires leaving SSH access unrestricted by firewall rules, which is
dangerous, the best practice is to take one of the following actions:
Change the SSH Port Moving to a random alternate port prevents log noise from many, but not all,
brute-force SSH login attempts and casual scans. It can still be found with a port scan, however.
Force Key-Based Authentication Key-based authentication must always be used by publicly accessible
SSH servers to eliminate the possibility of successful brute force attacks. Set SSHd Key Only to
either Public Key Only or Require Both Password and Public Key.
Multiple unsuccessful logins from the same IP address will result in locking out the IP address trying to authenticate,
but that alone is not considered sufficient protection.
Login Protection
The sshguard daemon is used by the firewall to protect against brute force logins for both the GUI and SSH
connections. The options in this section fine-tune the behavior of this protection.
Threshold The total score value above which sshguard will block clients. Most attacks have a score
of 10; the default threshold value is 30.
Blocktime The initial minimum number of seconds to block attackers who have exceeded the Threshold
value. The default value is 120 seconds. Repeat offenders are blocked for increasingly longer
amounts of time (1.5x for each repetition).
Note: Attackers are unblocked at random intervals so actual block time will be longer than stated.
This prevents clients from predicting the timing to optimize targeted attacks.
Detection Time The amount of time, in seconds, attackers are remembered by sshguard since their
last offense before it resets their score. Default is 1800 seconds.
Whitelist A list of subnets which are excluded from login protection. This lowers security but is generally
acceptable from specific secure management networks.
For example, it may be necessary to add entries for network monitoring systems which probe the
SSH port but do not login. Otherwise such systems may be flagged as attackers.
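As an added example (not sshguard or pfSense code), a small model of the Login Protection parameters above (Threshold, Blocktime, Detection Time, Whitelist) driven by constructed failed-login events, to show when a source gets blocked, how repeat offenders are blocked 1.5x longer each time, how a source is forgotten after the Detection Time, and how a whitelisted management subnet is exempt. Assumptions: every failed login scores 10 points (the page's "most attacks" value), blocking happens once the score exceeds the Threshold as the page words it, the block lasts exactly the computed time (the real daemon adds a random delay, as the Note above says), and 10.0.0.0/24 is a hypothetical management subnet.

```python
"""Model of sshguard-style login protection (added example, not sshguard code).

Defaults mirror the values given on this page; the event list and the
whitelisted subnet are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

THRESHOLD = 30         # block when score exceeds this (page default)
BLOCKTIME = 120        # initial block in seconds (page default)
DETECTION_TIME = 1800  # seconds since last offence before a source is forgotten (page default)
ATTACK_SCORE = 10      # "most attacks have a score of 10"
WHITELIST = [ipaddress.ip_network("10.0.0.0/24")]  # assumed management subnet


@dataclass
class Offender:
    score: int = 0
    last_seen: float = 0.0
    blocked_until: float = 0.0
    times_blocked: int = 0


class LoginProtection:
    def __init__(self, threshold=THRESHOLD, blocktime=BLOCKTIME,
                 detection_time=DETECTION_TIME, whitelist=WHITELIST):
        self.threshold = threshold
        self.blocktime = blocktime
        self.detection_time = detection_time
        self.whitelist = whitelist
        self.offenders: dict[str, Offender] = {}

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, ip: str, now: float) -> bool:
        o = self.offenders.get(ip)
        return o is not None and o.blocked_until > now

    def report_failure(self, ip: str, now: float, score: int = ATTACK_SCORE) -> bool:
        """Record a failed login from ip at time now; return True if ip is blocked afterwards."""
        if self.is_whitelisted(ip):
            return False                     # Whitelist: never scored, never blocked
        o = self.offenders.setdefault(ip, Offender())
        if now - o.last_seen > self.detection_time:
            o.score = 0                      # Detection Time elapsed: source forgotten
        o.last_seen = now
        if o.blocked_until > now:
            return True                      # already blocked, nothing new to do
        o.score += score
        if o.score > self.threshold:
            # Blocktime grows 1.5x for each repeat offence (exact here; the
            # real daemon unblocks at a random later moment).
            duration = self.blocktime * (1.5 ** o.times_blocked)
            o.times_blocked += 1
            o.blocked_until = now + duration
            o.score = 0
            return True
        return False


# Constructed events: (seconds since start, source address).
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"), (15, "198.51.100.7"),
    (20, "10.0.0.5"), (21, "10.0.0.5"), (22, "10.0.0.5"), (23, "10.0.0.5"),
    (200, "198.51.100.7"), (205, "198.51.100.7"), (210, "198.51.100.7"), (215, "198.51.100.7"),
]


def simulate(events=SAMPLE_EVENTS) -> list[tuple[float, str, bool]]:
    """Feed events through the model; return (time, ip, blocked after this event)."""
    lp = LoginProtection()
    return [(t, ip, lp.report_failure(ip, t)) for t, ip in events]


if __name__ == "__main__":
    for t, ip, blocked in simulate():
        print(f"t={t:>4}s {ip:<14} {'BLOCKED' if blocked else 'counted'}")
```

In the sample run the outside source is blocked on its fourth failure for 120 seconds and, after returning, on the next fourth failure for 180 seconds, while the whitelisted management host is never scored; a monitoring probe from such a subnet is the case the Whitelist text above describes.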
Serial Communications
If the firewall is running on hardware without a monitor or if it will be running “headless” (without keyboard and video
attached), then the serial console can be enabled to maintain physical control, so long as the hardware has a serial port
(not USB).
If hardware is detected which has no VGA port, the serial console is forced on and cannot be disabled, and the serial
options are all hidden except for the speed.
Serial Terminal
When Serial Terminal is set, the operating system enables the console on the first serial port. This console will receive
kernel boot messages and a menu after the firewall has finished booting. This will not disable the onboard keyboard
and video console.
To connect to the serial console, use a null modem cable connected to a serial port or adapter on another PC or serial
device.
See also:
For more information on connecting to a serial console, see Connecting to a Serial Console and Start a Serial Client.
When making any changes to the serial console, the firewall must be rebooted before they take effect.
Serial Console Speed
The default serial console speed is 115200 bps and almost all hardware works well at that speed. In rare cases, a slower
speed may be required which can be set here by picking the desired speed from the Serial Speed drop-down.
When upgrading from an older version, this may remain at an older value such as 9600 or 38400 to match the BIOS
on older hardware. Increasing the speed to 115200 is almost always safe and more useful than slower speeds.
Primary Console
On hardware with both the serial console enabled and a VGA port available, the Primary Console selector chooses
which is the preferred console, so it will receive the boot log messages. Other OS kernel messages will show up on all
console connections, and both consoles will have a usable menu.
In cases where the boot cannot complete, the preferred console must be used to resolve the problem, such as reassigning
interfaces.
Console Menu
Normally the firewall always presents the menu on the console, and the menu will be available as long as someone has
physical access to the console. In high-security environments this is not desirable.
This option adds password protection to the console. The console accepts the same usernames and passwords used to
access the GUI. After setting this option, the firewall must be rebooted before it takes effect.
Note: While this will stop accidental key presses and keep out casual users, this is by no means a perfect security
method. A knowledgeable person with physical access can still reset the passwords (see Forgotten Password with a
Locked Console). Consider other physical security methods if console security is a requirement.
8.6.2 Firewall/NAT Tab
Firewall Advanced
IP Do-Not-Fragment compatibility
This option is a workaround for operating systems which generate fragmented packets with the “don’t fragment” (DF)
bit set. Linux NFS (Network File System) is known to do this, as well as some VoIP implementations.
When this option is enabled, the firewall will not drop these malformed packets but instead it will clear the DF bit.
The firewall will also randomize the IP identification field of outgoing packets to compensate for operating systems
that set the DF bit but set a zero IP identification header field.
MSS Clamping
MSS Clamping Enable maximum segment size clamping on TCP flows over IPsec tunnels. This helps
overcome problems with path MTU discovery (PMTUD) on IPsec VPN links.
This is useful if large TCP packets have problems traversing the VPN, or if slow/choppy connections
across the VPN are observed by users. Ideally it should be set to the same value on both sides of the
VPN, but traffic will have MSS clamping applied in both directions.
Enable When set, the Maximum MSS option is available and its value is used by the
firewall configuration.
Maximum MSS The maximum segment size set in TCP packets flowing across IPsec
VPN tunnels. Defaults to 1400. Must be low enough to account for the overhead of
IPsec and the MTU of the link, but not so low that unnecessarily small segments are
sent, as that can be inefficient.
IP Random ID generation
If Insert a stronger ID into IP header of packets passing through the filter is checked, the firewall replaces the
IP identification field of packets with random values to compensate for operating systems that use predictable values.
This option only applies to packets that are not fragmented after the optional packet reassembly.
Firewall Optimization Options
The optimization mode controls how the firewall expires state table entries:
Normal The standard optimization algorithm, which is optimal for most environments.
High Latency Used for high latency links, such as satellite links. Expires idle connections later than
default.
Aggressive Expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate
connections earlier than expected. This option can also improve performance in high traffic
deployments with lots of connections, such as web services.
Conservative Tries to avoid dropping any legitimate connections at the expense of increased memory
usage and CPU utilization. Can aid in environments that require long-lived but mostly idle UDP
connections, such as VoIP.
The table Firewall Optimization Details contains the values chosen by PF for each optimization algorithm. The values
are taken from the PF source code. Each cell shows the raw value in seconds followed by the human readable form:
Table 1: Firewall Optimization Details
Timeout          Description        Normal         High Latency         Conservative      Aggressive
tcp.first        First TCP packet   60 (1min)      180 (3min)           3600 (60min)      30 (30sec)
tcp.opening      No response yet    30 (30sec)     35 (35sec)           900 (15min)       5 (5sec)
tcp.established  Established        86400 (24h)    86400 (24h)          432000 (5days)    18000 (5h)
tcp.closing      Half closed        900 (15min)    905 (15min + 5sec)   3600 (1h)         60 (60sec)
tcp.finwait      Got both FINs      45 (45sec)     50 (50sec)           600 (10min)       30 (30sec)
tcp.closed       Got an RST         90 (90sec)     95 (95sec)           180 (3min)        30 (30sec)
tcp.tsdiff       Allowed TS diff    30 (30sec)     60 (60sec)           60 (60sec)        10 (10sec)
Disable Firewall
When Disable all packet filtering is set, the firewall becomes a routing-only platform. This is accomplished by
disabling pf entirely, and as a consequence, NAT is disabled since it is also handled by pf.
Tip: To disable only NAT, do not use this option. Consult Disabling Outbound NAT for more information on
controlling outbound NAT behavior.
Disable Firewall Scrub
When set, the scrubbing option in pf is disabled. The scrub action in pf can interfere with NFS, and in rare cases,
with VoIP traffic as well. By default, the firewall uses the fragment reassemble option which reassembles
fragmented packets before sending them on to their destination, when possible. More information on the scrub
feature of pf can be found in the OpenBSD PF Scrub Documentation.
Note: Disabling scrub also disables other features that rely on scrub to function, such as DF bit clearing and ID
randomization. Disabling scrub does not disable MSS clamping if it is active for VPNs, or when an MSS value is
configured on an interface.
Firewall Adaptive Timeouts
Adaptive Timeouts control state handling in pf when the state table is nearly full. Using these timeouts, a firewall
administrator can control how states are expired or purged when there is little or no space remaining to store new
connection states.
Adaptive Timeouts are enabled by default and the default values are calculated automatically based on the configured
Firewall Maximum States value.
Adaptive Start Adaptive scaling is started once the state table reaches this level, expressed as a number
of states. Adaptive Start defaults to 60% of Firewall Maximum States.
Adaptive End When the size of the state table reaches this value, expressed as a number of state table
entries, all timeout values are assumed to be zero, which causes pf to purge all state entries immediately.
This setting defines the scale factor; it should be set greater than the total number of states
allowed. Adaptive End defaults to 120% of Firewall Maximum States.
When the number of connection states exceeds the threshold set by Adaptive Start, timeout values are scaled linearly
with a factor based on the number of states used between the Start and End state counts. The timeout adjustment factor
is calculated as follows: (Number of states until the Adaptive End value is reached) / (Difference between the Adaptive
End and Adaptive Start values).
Note: As an example, consider a firewall with Adaptive Start set to 600000, Adaptive End set to 1200000 and
Firewall Maximum States set to 1000000. In this situation, when the state table size reaches 900000 entries the
state timeouts will be scaled to 50% of their normal values.
(1,200,000 - 900,000) / (1,200,000 - 600,000) = 300,000 / 600,000 = 0.50, 50%
Continuing the example, when the state table is full at 1,000,000 states the timeout values will be reduced to 1/3 of
their original values.
Tip: The state table usage indicator on the dashboard will change color and text when the state table size crosses
these thresholds.
Firewall Maximum States
This value is the maximum number of connections the firewall can hold in its state table. The default size is calculated
based on 10% of total RAM. This default value is sufficient for most installations, but can be adjusted higher or lower
depending on the load and available memory.
Each state consumes approximately 1 KB of RAM, or roughly 1 MB of RAM for every 1000 states. The firewall must
have adequate free RAM to contain the entire state table before increasing this value. Firewall states are discussed
further in Stateful Filtering.
Tip: On a firewall with 8GB of RAM the state table would have a default size of approximately 800,000 states. A
custom Firewall Maximum States value of 4,000,000 would consume about 4GB of RAM, half the available 8GB
total.
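The sizing rules from Firewall Maximum States and the Adaptive Timeouts scaling above, reproduced in a small calculator. This is an added example, not pfSense code; the 1 KB per state, 10% of RAM and 60%/120% defaults are the figures the text gives, and the per-state timeout values in the demo are constructed.

```python
"""Added example: Firewall Maximum States sizing and Adaptive Timeouts scaling.

Not pfSense code. Figures (1 KB/state, 10% of RAM, 60%/120%) come from the
documentation text above; the demo timeouts are constructed sample values.
"""
from __future__ import annotations

STATE_SIZE_BYTES = 1024      # ~1 KB of RAM per state, as stated in the text
GIB = 1024 ** 3


def default_max_states(ram_bytes: int) -> int:
    """Default Firewall Maximum States: 10% of total RAM at ~1 KB per state."""
    return (ram_bytes // 10) // STATE_SIZE_BYTES


def state_table_ram(max_states: int) -> int:
    """RAM in bytes a full state table of max_states entries would consume."""
    return max_states * STATE_SIZE_BYTES


def default_adaptive(max_states: int) -> tuple[int, int]:
    """Adaptive Start / Adaptive End defaults: 60% and 120% of max states."""
    return (max_states * 60) // 100, (max_states * 120) // 100


def timeout_factor(states: int, start: int, end: int) -> float:
    """Factor pf applies to every state timeout for a given table size.

    Below Adaptive Start there is no scaling (1.0). Between Start and End the
    factor falls linearly: (end - states) / (end - start). At or above End it
    is 0.0, i.e. all timeouts are treated as zero and states purge at once.
    """
    if end <= start:
        raise ValueError("Adaptive End must be greater than Adaptive Start")
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def scaled_timeouts(timeouts: dict[str, int], states: int,
                    start: int, end: int) -> dict[str, int]:
    """Apply the factor to a set of per-state timeouts (seconds), rounding down."""
    factor = timeout_factor(states, start, end)
    return {name: int(secs * factor) for name, secs in timeouts.items()}


if __name__ == "__main__":
    # The 8 GB firewall from the Tip above: default table size and the cost of
    # raising the limit to 4,000,000 states.
    ram = 8 * GIB
    print("default max states:", default_max_states(ram))
    print("4M states need GiB:", state_table_ram(4_000_000) / GIB)

    # The example from the Note above: Start 600000, End 1200000, Max 1000000.
    start, end = 600_000, 1_200_000
    sample = {"tcp.established": 86400, "udp.multiple": 60}  # constructed
    for used in (500_000, 900_000, 1_000_000, 1_200_000):
        print(used, timeout_factor(used, start, end),
              scaled_timeouts(sample, used, start, end))
```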
Firewall Maximum Table Entries
This value defines the maximum number of entries that can exist inside of address tables used by the firewall for
collections of addresses such as aliases, ssh/GUI lockout records, hosts blocked by snort alerts, and so on. By default
this is 400,000 entries. If the firewall has features enabled which can load large blocks of address space into aliases
such as URL Table aliases or the pfBlockerNG package, then increase this value to comfortably include at least double
the total amount of entries contained in all aliases combined.
Firewall Maximum Fragment Entries
When scrub is enabled the firewall maintains a table of packet fragments waiting to be reassembled. By default this
table can hold 5000 fragments. In rare cases a network may have an unusually high rate of fragmented packets which
can require more space in this table. When this limit is reached, the following log message will appear in the main
system log:
kernel: [zone: pf frag entries] PF frag entries limit reached
Static Route Filtering
The Bypass firewall rules for traffic on the same interface option applies if the firewall has one or more static
routes defined. If this option is enabled, traffic that enters and leaves through the same interface will not be checked
by the firewall. This may be required in situations where multiple subnets are connected to the same interface, to
avoid blocking traffic that is passed through the firewall in one direction only due to asymmetric routing. See Bypass
Firewall Rules for Traffic on Same Interface for a more in-depth discussion on that topic.
Disable Auto-added VPN rules
By default, when IPsec is enabled firewall rules are automatically added to the appropriate interface which will allow
the tunnel to establish. When Disable Auto-added VPN rules is checked, the firewall will not automatically add these
rules. By disabling these automatic rules, the firewall administrator has control over which addresses are allowed to
connect to a VPN. Further information on these rules can be found at VPNs and Firewall Rules.
Disable Reply-To
In a Multi-WAN configuration the firewall has a beneficial default behavior that ensures traffic leaves the same interface
it arrived through. This is accomplished using the pf keyword reply-to which is added automatically to interface
tab firewall rules for WAN-type interfaces. When a connection matches a rule with reply-to, the firewall remembers
the path through which the connection was made and routes the reply traffic back to the gateway for that interface.
Tip: WAN-type interfaces are interfaces which have a gateway set on their Interfaces menu entry configuration, or
interfaces which have a dynamic gateway such as DHCP, PPPoE, or assigned OpenVPN, GIF, or GRE interfaces.
In situations such as bridging, this behavior is undesirable if the WAN gateway IP address is different from the gateway
IP address of the hosts behind the bridged interface. Disabling reply-to will allow clients to communicate with the
proper gateway.
Another case that has issues with reply-to involves static routing to other systems in a larger WAN subnet.
Disabling reply-to in this case would help ensure that replies return to the proper router instead of being routed
back to the gateway.
This behavior can also be disabled on individual firewall rules rather than globally using this option.
Disable Negate rules
In a Multi-WAN configuration traffic for directly connected networks and VPN networks typically must still flow
properly when using policy routing. The firewall will insert rules to pass this local and VPN traffic without a gateway
specified, to maintain connectivity. In some cases these negation rules can over-match traffic and allow more than
intended.
Tip: The best practice is to create manual negation rules at the top of internal interfaces such as LAN. These rules
should pass to local and VPN destinations without a gateway set on the rule, to honor the system routing table. These
rules do not have to be at the top of the interface rules, but they must be above rules that have a gateway set.
Allow APIPA
Automatic Private IP Addressing (APIPA), or IPv4 Link-Local addressing, uses a special subnet of 169.254.0.0/16.
This traffic is for local links only (same L2); it must not be routed or traverse a firewall. As such, inbound traffic
from these addresses is automatically blocked by internal firewall rules by default.
When Allow APIPA traffic is checked, the default block rules are removed, and user firewall rules can control the
traffic.
There are some use cases which utilize these addresses for private communication on an interface, such as AWS VPC
BGP, and in those cases, the option can be enabled along with carefully crafted manual firewall rules.
Warning: When this option is enabled, take care to never allow APIPA traffic to match policy routing rules.
If APIPA traffic matches policy routing rules, behavior is unpredictable. There have been reports of such errors
leading to packet loops and unexpectedly high resource usage. See Redmine Issue #2073 for more.
Aliases Hostnames Resolve Interval
This option controls how often hostnames in aliases are resolved and updated by the filterdns daemon. By default
this is 300 seconds (5 minutes). In configurations with a small number of hostnames or a fast/low-load DNS server,
decrease this value to pick up changes faster.
Check Certificate of Alias URLs
When Verify HTTPS certificates when downloading alias URLs is set, the firewall will require a valid HTTPS
certificate for web servers used in URL table aliases. This behavior is more secure, but if the web server is private and
uses a self-signed certificate, it can be more convenient to ignore the validity of the certificate and allow the data to be
downloaded.
Warning: The best practice is to always use a server certificate with a valid chain of trust for this type of role,
rather than weakening security by allowing a self-signed certificate.
Bogon Networks
The Update Frequency drop-down for Bogon Networks controls how often these lists are updated. Further
information on bogon networks may be found in Block Bogon Networks.
Network Address Translation
NAT Reflection for Port Forwards
The NAT Reflection mode for port forwards option controls how NAT reflection is handled by the firewall. These
NAT redirect rules allow clients to access port forwards using the public IP addresses on the firewall from within local
internal networks.
See also:
Refer to NAT Reflection for a discussion on the merits of NAT Reflection when compared to other techniques such as
Split DNS.
There are three possible modes for NAT Reflection:
Disabled The default value. When disabled, port forwards are only accessible from WAN and not from
inside local networks.
Pure NAT This mode uses a set of NAT rules to direct packets to the target of the port forward. It has
better scalability, but it must be possible to accurately determine the interface and gateway IP address
used for communication with the target at the time the rules are loaded. There are no inherent limits
to the number of ports other than the limits of the protocols. All protocols available for port forwards
are supported.
When this option is enabled, Automatic Outbound NAT for Reflection must also be enabled if the
clients and servers are in the same local network.
NAT + Proxy NAT + proxy mode uses a helper program to send packets to the target of the port forward.
The connection is received by the reflection daemon and it acts as a proxy, creating a new connection
to the local server. This behavior puts a larger burden on the firewall, but is useful in setups where
the interface and/or gateway IP address used for communication with the target cannot be accurately
determined at the time the rules are loaded. NAT + Proxy reflection rules are not created for ranges
larger than 500 ports and will not be used for more than 1000 ports total between all port forwards.
This feature only supports TCP port forwards.
Individual NAT rules have the option to override the global NAT reflection configuration, so they may have NAT
reflection forced on or off on a case-by-case basis.
Reflection Timeout
The Reflection Timeout setting forces a timeout on connections made when performing NAT reflection for port
forwards in NAT + Proxy mode. If connections are staying open and consuming resources, this option can mitigate
that issue.
NAT Reflection for 1:1 NAT
When checked, this option adds additional reflection rules which enable access to 1:1 mappings of external IP
addresses from internal networks. This gives the same functionality that already exists for port forwards, but for 1:1
NAT. There are complex routing scenarios that may render this option ineffective.
This option only affects the inbound path for 1:1 NAT, not outbound. The underlying rule style is similar to the Pure
NAT mode for port forwards. As with port forwards, there are per-entry options to override this behavior.
Automatic Outbound NAT for Reflection
When checked, this option automatically creates outbound NAT rules which assist reflection rules that direct traffic
back out to the same subnet from which it originated. These additional rules allow Pure NAT and 1:1 NAT Reflection
to function fully when the clients and servers are in the same subnet. In most cases, this box must be checked for NAT
Reflection to work.
Note: This behavior is necessary because when clients and servers are in the same subnet, the traffic source must
be changed so that the connection appears to originate from the firewall. Otherwise, the return traffic will bypass the
firewall and the connection will not succeed.
TFTP Proxy
The built-in TFTP proxy will proxy connections to TFTP servers outside the firewall, so that client connections may
be made to remote TFTP servers. Ctrl-click or shift-click to select multiple entries from the list. If no interfaces are
chosen, the TFTP proxy service is deactivated.
State Timeouts
The State Timeout section allows fine-tuning of the state timeouts for various protocols. These are typically handled
automatically by the firewall and the values are dictated by the Firewall Optimization Options setting. In rare cases,
these timeouts may need to be adjusted up or down to account for irregularities in device behavior or site-specific needs.
All of the values are expressed in seconds, and control how long a connection in that state will be retained in the state
table.
See also:
Descriptions in the following options reference firewall state conditions as described in Interpreting States.
TCP First The first packet of a TCP connection.
TCP Opening The state before the destination host has replied (e.g. SYN_SENT:CLOSED).
TCP Established An established TCP connection where the three-way handshake has been completed.
TCP Closing One side has sent a TCP FIN packet.
TCP FIN Wait Both sides have exchanged FIN packets and the connection is shutting down. Some
servers may continue to send packets during this time.
TCP Closed One side has sent a connection reset (TCP RST) packet.
TCP Tsdiff The allowed TCP timestamp difference.
UDP First The first UDP packet of a connection has been received.
UDP Single The source host has sent a single packet but the destination has not replied (e.g.
SINGLE:NO_TRAFFIC).
UDP Multiple Both sides have sent packets.
ICMP First An ICMP packet has been received.
ICMP Error An ICMP error was received in response to an ICMP packet.
Other First, Other Single, Other Multiple The same as UDP, but for other protocols.
8.6.3 Networking Tab
IPv6 Options
Allow IPv6
The Allow IPv6 option controls a set of block rules which prevent IPv6 traffic from being handled by the firewall.
Note: This option does not disable IPv6 functions or prevent it from being configured, it only controls traffic flow.
When the option is enabled, IPv6 traffic will be allowed when permitted by firewall rules and/or automatic rules,
depending on the firewall configuration. This option is enabled by default on new configurations.
When the option is unchecked, all IPv6 traffic will be blocked. This behavior is similar to how IPv6 was treated before
it was supported by pfSense® software. Configurations imported from or upgraded from versions older than 2.1 will
have this option unchecked, so they behave consistently after upgrade.
IPv6 over IPv4 Tunneling
The Enable IPv6 over IPv4 Tunneling option enables forwarding for IP protocol 41/RFC 2893 to an IPv4 address
specified in the IPv4 address of Tunnel Peer field.
When configured, this forwards all incoming protocol 41/IPv6 traffic to a host behind this firewall instead of handling
it locally.
Tip: Enabling this option does not add firewall rules to allow the protocol 41 traffic. A rule must exist on the WAN
interface to allow the traffic to pass through to the local receiving host.
Prefer IPv4 over IPv6
When set, this option causes the firewall itself to prefer sending traffic to IPv4 hosts instead of IPv6 hosts when a DNS
query returns results for both.
In rare cases when the firewall has partially configured, but not fully routed, IPv6 this can allow the firewall to continue
reaching Internet hosts over IPv4.
Note: This option controls the behavior of the firewall itself, such as when polling for updates, package installations,
downloading rules, and fetching other data. It cannot influence the behavior of clients behind the firewall.
IPv6 DNS Entry
This option controls whether or not the firewall creates local DNS entries for the firewall itself with IPv6 addresses,
when available.
By default (unchecked), the firewall automatically adds DNS entries for itself using its local IPv4 and IPv6 interface
addresses. In some cases, such as with dynamic IPv6 addresses like tracked interfaces, the IPv6 address may disappear
or change and clients may attempt to use an outdated address until their cached DNS response expires.
When the option is checked, the firewall only adds DNS entries for its IPv4 addresses.
DHCP6 DUID
This option controls the DHCPv6 Unique Identifier (DUID) used by the firewall when requesting an IPv6 address.
The firewall generates a DUID automatically, but in some cases, an administrator may want to use a different DUID.
For example, if the operating system was reinstalled and the firewall should use the same DUID it had in the past, or
if an upstream network administrator requires a specific DUID.
Note: Most users do not need to change this to any specific value; the default behavior is fine for nearly all
environments. When in doubt, leave it alone unless directed to change it by an upstream network provider.
There are several possible DUID formats that this option can accept, chosen by the drop-down menu. When a format
is chosen, the GUI displays a different set of input boxes specific to the selected format. The exact format depends
upon the needs of the network administrator (e.g. ISP, datacenter, etc) and they would provide the format and values.
The available DUID formats are:
Raw DUID DUID represented exactly as observed in a DUID file or in logs. Entered as:
Raw DUID A single text area in which the DUID can be entered.
This option also includes a Copy DUID button which copies the DUID from the placeholder
(automatically generated by the firewall) into the text box so that the existing DUID can easily be
placed into the configuration.
DUID-LLT DUID format with Link-Layer Address Plus Time. Entered as:
Time Time (in seconds) since January 1st, 2000 UTC
Link-Layer Address The link-layer address (MAC) of an interface on the firewall in the
format xx:xx:xx:xx:xx:xx.
DUID-EN DUID assigned by a vendor based on Enterprise Number. Entered as:
Enterprise Number IANA Private Enterprise Number of the vendor.
Identifier Variable length identifier in the format xx:xx:xx:xx. The length depends
upon the vendor.
DUID-LL DUID based on only Link-Layer Address. Entered as:
Link-Layer Address The link-layer address (MAC) of an interface on the firewall in the
format xx:xx:xx:xx:xx:xx.
DUID-UUID DUID based on the host Universally Unique Identifier (UUID). Entered as:
DUID-UUID The UUID for this host in nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn
format
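How the fields entered for each DUID format above combine into the single Raw DUID, shown as an added example that is not pfSense code. The byte layout (type code, hardware type, time, enterprise number, UUID) follows RFC 8415; the colon-separated hex rendering of the raw value and all sample MAC, enterprise and UUID values are constructed assumptions.

```python
"""Added example: build raw DUIDs from the per-format fields and parse them back.

Not pfSense code. Layout per RFC 8415 section 11; the colon-hex rendering of
the raw DUID is an assumption, and all sample values are constructed.
"""
from __future__ import annotations

import struct
import uuid
from datetime import datetime, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base
HW_ETHERNET = 1                                          # IANA hardware type


def duid_time(when: datetime) -> int:
    """Seconds since January 1st, 2000 UTC, modulo 2^32, for DUID-LLT."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return int((when - DUID_EPOCH).total_seconds()) % (1 << 32)


def mac_bytes(mac: str) -> bytes:
    """Parse a link-layer address in xx:xx:xx:xx:xx:xx form into 6 bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six colon-separated octets")
    return bytes(int(p, 16) for p in parts)


def duid_llt(time_secs: int, mac: str) -> bytes:
    """DUID-LLT: type 1, hardware type, 32-bit time, link-layer address."""
    return struct.pack("!HHI", 1, HW_ETHERNET, time_secs) + mac_bytes(mac)


def duid_en(enterprise_number: int, identifier_hex: str) -> bytes:
    """DUID-EN: type 2, 32-bit IANA enterprise number, variable identifier."""
    ident = bytes.fromhex(identifier_hex.replace(":", ""))
    return struct.pack("!HI", 2, enterprise_number) + ident


def duid_ll(mac: str) -> bytes:
    """DUID-LL: type 3, hardware type, link-layer address."""
    return struct.pack("!HH", 3, HW_ETHERNET) + mac_bytes(mac)


def duid_uuid(uuid_str: str) -> bytes:
    """DUID-UUID: type 4 followed by the 16-byte UUID."""
    return struct.pack("!H", 4) + uuid.UUID(uuid_str).bytes


def raw_duid(duid: bytes) -> str:
    """Render as colon-separated hex (assumed form of the Raw DUID text box)."""
    return ":".join(f"{b:02x}" for b in duid)


def parse_duid(raw: str) -> dict:
    """Parse a raw colon-hex DUID, as seen in logs, back into type and fields."""
    data = bytes.fromhex(raw.replace(":", ""))
    if len(data) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", data[:2])
    if dtype == 1 and len(data) >= 8:
        hw, t = struct.unpack("!HI", data[2:8])
        return {"type": "DUID-LLT", "hw_type": hw, "time": t,
                "link_layer": raw_duid(data[8:])}
    if dtype == 2 and len(data) >= 6:
        (en,) = struct.unpack("!I", data[2:6])
        return {"type": "DUID-EN", "enterprise_number": en,
                "identifier": raw_duid(data[6:])}
    if dtype == 3 and len(data) >= 4:
        (hw,) = struct.unpack("!H", data[2:4])
        return {"type": "DUID-LL", "hw_type": hw,
                "link_layer": raw_duid(data[4:])}
    if dtype == 4 and len(data) == 18:
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=data[2:]))}
    raise ValueError(f"unknown or malformed DUID type {dtype}")


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                                   # constructed
    t = duid_time(datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc))
    for d in (duid_llt(t, mac), duid_en(9, "0c:c0:84:d3:03:00:09:12"),
              duid_ll(mac), duid_uuid("12345678-1234-5678-1234-567812345678")):
        print(raw_duid(d), "->", parse_duid(raw_duid(d)))
```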
Network Interfaces
Hardware Checksum Offloading
When checked, this option disables hardware checksum offloading on the network cards. Checksum offloading is
usually beneficial as it allows the checksum to be calculated (outgoing) or verified (incoming) in hardware at a much
faster rate than it could be handled in software.
Note: When checksum offloading is enabled, a packet capture may show empty (all zero) checksums or flag packet
checksums as incorrect. These are normal when checksum handling is happening in hardware.
Checksum offloading is broken in some hardware, particularly Realtek cards and virtualized/emulated cards such as
those on Xen/KVM. Typical symptoms of broken checksum offloading include corrupted packets and poor throughput
performance.
Tip: In virtualization cases such as Xen/KVM it may be necessary to disable checksum offloading on the host as well
as the VM. If performance is still poor or has errors on these types of VMs, switch the type of NIC if possible.
Hardware TCP Segmentation Offloading
Checking this option will disable hardware TCP segmentation offloading (TSO, TSO4, TSO6). TSO causes the NIC
to handle splitting up packets into MTU-sized chunks rather than handling that at the OS level. This can be faster for
servers and appliances as it allows the OS to offload that task to dedicated hardware, but when acting as a firewall
or router this behavior is highly undesirable as it actually increases the load as this task has already been performed
elsewhere on the network, thus breaking the end-to-end principle by modifying packets that did not originate on this
host.
Warning: This option is not desirable for routers and firewalls, but can benefit workstations and appliances. It
is disabled by default, and should remain disabled unless the firewall is acting primarily or solely in an
appliance/endpoint role.
Do not uncheck this option unless directed to do so by a support representative. This offloading is broken in some
hardware drivers, and can negatively impact performance on affected network cards and roles.
Hardware Large Receive Offloading
Checking this option will disable hardware large receive offloading (LRO). LRO is similar to TSO, but for the incoming
path rather than outgoing. It allows the NIC to receive a large number of smaller packets before passing them up to the
operating system as a larger chunk. This can be faster for servers and appliances as it offloads what would normally
be a processing-heavy task to the network card. When acting as a firewall or router this is highly undesirable as it
delays the reception and forwarding of packets that are not destined for this host, and they will have to be split back
up again on the outbound path, increasing the workload significantly and breaking the end-to-end principle.
Warning: This option is not desirable for routers and firewalls, but can benefit workstations and appliances. It
is disabled by default, and should remain disabled unless the firewall is acting primarily or solely in an
appliance/endpoint role.
Do not uncheck this option unless directed to do so by a support representative. This offloading is broken in some
hardware drivers, and can negatively impact performance on affected network cards and roles.
hn ALTQ Support
Checking this option will enable support for ALTQ traffic shaping on hn(4) network interfaces in Hyper-V.
For ALTQ to work on hn(4) interfaces, the operating system must disable the multi-queue API which may reduce
the system capability to handle traffic. The administrator must decide if this reduction in performance is worth the
benefit of traffic shaping.
The firewall must be rebooted for this setting to take effect.
Suppress ARP messages
The firewall makes a log entry in the main system log when an IP address appears to switch to a different MAC
address. This log entry notes that the device has moved addresses, and records the IP address and the old and new
MAC addresses.
This event can be completely benign behavior (e.g. NIC teaming on a Microsoft server, a device being replaced) or
a legitimate client problem (e.g. IP conflict), and it could show up constantly or rarely if ever. It all depends on the
network environment.
The best practice is to allow these ARP messages to be printed to log since there is a chance it will report a problem
worth the attention of a network administrator. However, if the network environment contains systems which generate
these messages while operating normally, suppressing the errors can make the system log more useful as it will not be
cluttered with unneeded log messages.
Reset All States
When set, if an interface IP address changes, the firewall will reset the entire state table instead of only clearing states
for the old interface IP address.
This behavior is potentially disruptive, and is off by default. In single WAN environments, this is not typically any
more disruptive than the WAN address changing, since clients already have to reestablish all connections.
In most cases, this behavior is not necessary, but it can help in certain situations where WAN addresses change rapidly
and the normal behavior misses states for former IP addresses.
8.6.4 Miscellaneous Tab
Proxy Support
If this firewall resides in a network which requires a proxy for outbound Internet access, enter the proxy options in this
section so that requests from the firewall for items such as packages and updates will be sent through the proxy.
Proxy URL This option specifies the location of the proxy for making outside connections. It must be
an IP address or a fully qualified domain name.
Proxy Port The port to use when connecting to the proxy URL. By default the port is 8080 for HTTP
proxy URLs, and 443 for SSL proxy URLs. The port is determined by the proxy, and may be a
different value entirely (e.g. 3128). Check with the proxy administrator to find the proper port
value.
Proxy Username If required, this is the username that is sent for proxy authentication.
Proxy Password If required, this is the password associated with the username set in the previous option.
Load Balancing
When pfSense® software is directed to perform load balancing, successive connections will be redirected in a round-
robin manner to a gateway, balancing the load across all available paths. The options in this section alter or fine-tune
that behavior.
Sticky Connections When active, connections from the same source are sent through the same gateway,
rather than being sent in a purely round-robin manner.
This “sticky” association will exist as long as states are in the table for connections from a given
source address (e.g. the IP address of a user). Once the states for that source expire, so will the
sticky association. Further connections from that source host will be redirected to the next available
gateway in the group.
This behavior can help with protocols such as HTTPS and FTP, where the server may be strict about
all connections coming from the same source. The downside of this behavior is that balancing is not
as efficient, a heavy user could dominate a single WAN rather than having their connections spread
out.
Source Tracking Timeout Controls how long the sticky association will be maintained for a host after
all of the states from that host expire. The value is specified in seconds.
By default, this value is not set, so the association is removed as soon as the states expire. If sticky
connections appear to work initially but seem to stop partway through sessions, increase this value
to hold an association longer. Web browsers often hold open connections for a while as users are on
a site, but if there is a lot of idle time, connections may be closed and states may expire.
Power Savings
When Enable PowerD is checked, the powerd daemon is started. This daemon monitors the system and can lower
or raise the CPU frequency based on system activity. If processes need the power, the CPU speed will be increased as
needed. This option will lower the amount of heat a CPU generates, and may also lower power consumption.
Note: The behavior of this option depends greatly on the hardware in use. In some cases, the CPU frequency
may lower but have no measurable effect on power consumption and/or heat, where others will cool down and use
considerably less power. It is considered safe to run, but is left off by default unless supported hardware is detected.
The mode for powerd may also be selected for three system states:
AC Power Normal operation connected to AC power.
Battery Power Mode to use when the firewall is running on battery. Support for battery power detection
varies by hardware.
Unknown Power Mode used when powerd cannot determine the power source.
Four mode choices exist for each of these states:
Maximum Keeps the performance as high as possible at all times.
Minimum Keeps performance at its lowest, to reduce power consumption.
Adaptive Tries to balance savings by decreasing performance when the system is idle and increasing
when busy.
Hiadaptive Similar to adaptive but tuned to keep performance high at the cost of increased power
consumption. It raises the CPU frequency faster and drops it slower. This is the default mode.
Note: Some hardware requires powerd running to operate at its maximum attainable CPU frequency. If the firewall
device does not have powerd enabled but always runs at what appears to be a low CPU frequency, enable powerd
and set it to Maximum for at least the AC Power state.
Watchdog
Certain firewall hardware includes a Watchdog feature which can reset the hardware when the watchdog daemon can
no longer interface with the hardware after a specified timeout. This can increase reliability by resetting a unit when a
hard lock is encountered that might otherwise require manual intervention.
The downside to any hardware watchdog is that any sufficiently busy system may be indistinguishable from one that
has suffered a hard lock.
Enable Watchdog When checked, the watchdogd daemon is run which attempts to latch onto a
supported hardware watchdog device.
Watchdog Timeout The time, in seconds, after which the device will be reset if it fails to respond to
a watchdog request. If a firewall regularly has a high load and triggers the watchdog accidentally,
increase the timeout.
Cryptographic & Thermal Hardware
Cryptographic Hardware
There are a few options available for accelerating cryptographic operations via hardware. Some are built into the
kernel, and others are loadable modules.
See also:
Cryptographic Accelerator Support
The following choices are available, depending on hardware:
BSD Crypto Device Loads the BSD Crypto device module (cryptodev) so it can be used by other
available acceleration devices. Most accelerator drivers hook into the crypto(9) framework in
FreeBSD, so many aspects of the system will automatically use acceleration for supported ciphers
when this module is loaded.
AES-NI CPU-based Acceleration Loads the AES-NI (Advanced Encryption Standard, New
Instructions) kernel module. Notably, the aesni module will accelerate operations for AES-GCM,
available in IPsec.
Support for AES-NI is built into many recent Intel and some AMD CPUs. Check with the OEM for
specific CPU or SoC support.
Speeds with AES-NI vary by support of the underlying software. IPsec speed will be greatly
increased with AES-NI loaded provided that AES-GCM is used and properly configured.
AES-NI and BSD Crypto Device Loads both the AES-NI and BSD Crypto Device modules together,
which is the optimal configuration in most cases. Choose this unless a specific environment or
configuration is found to work better without it.
SafeXcel and BSD Crypto Device Loads both the safexcel and the BSD Crypto Device modules.
SafeXcel acceleration hardware is found on some ARM systems sold by Netgate, such as the
SG-3100.
There are other supported cryptographic devices with drivers built into the kernel. One example is the driver for the
Marvell Cryptographic Engine and Security Accelerator (CESA) chipset, which is found on some ARM systems sold
by Netgate, such as the SG-1100 and SG-2100.
In most cases, if a supported accelerator chip is detected by the firewall, it will be shown in the System Information
widget on the dashboard or in the system log at boot time.
Note: Certain special cases also exist where software can detect and use acceleration hardware directly, even without
drivers loaded. One example is OpenSSL, which directly supports AES-NI. Thus, even without the driver loaded,
software which utilizes encryption through OpenSSL can still take advantage of AES-NI acceleration.
Thermal Sensors
The firewall can read temperature data from a few sources to display on the dashboard. If the firewall has a supported
CPU, selecting a thermal sensor will load the appropriate driver to read its temperature.
Note: Temperature data can be displayed by the Thermal Sensors dashboard widget or via sysctl.
The following sensor types are supported:
None/ACPI The firewall will attempt to read the temperature from an ACPI-compliant motherboard
sensor if one is present, otherwise no sensor readings are available.
Intel Core Loads the coretemp module which supports reading thermal data from Intel core-series
CPUs and other modern Intel CPUs using their on-die sensors, including Atom-based processors.
AMD K8, K10, and K11 Loads the amdtemp module which supports reading thermal data from mod-
ern AMD CPUs using their on-die sensors.
If the firewall does not have a supported thermal sensor chip, this option will have no effect. To unload the selected
module, set this option to None/ACPI and then reboot.
Note: The coretemp and amdtemp modules report thermal data directly from the CPU core. This may or may not
be indicative of the temperature elsewhere in the system. Case temperatures can vary greatly from temperatures on the
CPU die.
Kernel Page Table Isolation (PTI)
Kernel PTI is a workaround for CPU vulnerabilities such as Meltdown. Without Kernel PTI, a process run by an
unprivileged user on an affected CPU can read kernel memory by exploiting that vulnerability.
Note: While more secure, this protection incurs a performance penalty, most visible on workloads that cross
between user and kernel mode frequently. If untrusted users cannot run arbitrary code on the firewall, it can
be disabled without significant security risk.
Kernel PTI is active by default only on CPUs affected by the vulnerability.
This option forces the workaround off. Changing it requires a reboot to take effect.
If a vulnerable CPU is not detected, PTI is already disabled by default and this option has no effect.
The current state of Kernel PTI is printed below the option.
Microarchitectural Data Sampling (MDS) Mitigation
Microarchitectural Data Sampling (MDS) mitigation is a method for working around weaknesses in Intel CPUs which
support hyperthreading. Without mitigation, a process run by an unprivileged user on an affected CPU can recover
data, including kernel memory contents, that passes through the CPU's internal buffers.
Note: While more secure, this protection can incur a performance penalty. If untrusted users cannot run
arbitrary code on the firewall, it can be disabled without significant security risk.
This option controls which method of MDS mitigation is used, if any. Changing the option requires a reboot to activate.
The following modes are available:
Default The default operating system behavior. As of this writing, the default behavior is to disable MDS
mitigation.
Mitigation Disabled Forcefully disable MDS mitigation.
VERW instruction (microcode) mitigation enabled Use the VERW instruction, which updated CPU microcode
extends to flush the affected buffers, to mitigate MDS. This is the fastest way to mitigate MDS,
but it requires microcode which supports this use of the instruction.
Software sequence mitigation enabled Mitigates MDS by using software sequences to flush the buffers.
This is much slower, but does not depend on microcode support.
Automatic VERW or Software selection When set to Automatic, the operating system will use VERW
instructions if they are available and the software sequences in all other cases.
The current state of MDS mitigation is printed below the option.
Schedules
The Do not kill connections when schedule expires option controls whether or not states are cleared when a sched-
uled rule transitions into a state that would block traffic. If unchecked, connections are terminated when the schedule
time has expired. If checked, connections are left alone and will not be automatically closed by the firewall.
Gateway Monitoring
State Killing on Gateway Failure
When using Multi-WAN, clearing states on failed WANs can help redirect traffic for long-lived connections, such as
VoIP phone/trunk registrations, to another WAN. However, clearing states can also disrupt ongoing connections if a
lesser-used gateway is unstable, or if a gateway which is down long term has not been disabled, since that gateway
will still trigger state killing every time it fails or is found down during a filter reload.
There are several choices for this behavior, including:
Do not kill states on gateway failure (Default) The monitoring process will not flush states when a
gateway is in a down state during a filter reload. This is the default behavior and is the least
disruptive, though clients may have to wait for connections to time out after a WAN failure.
Kill states for all gateways which are down Selectively kill states using gateways that fail or are down
during a filter reload, so long as those states were created by policy routing rules.
This function can only kill states which contain gateway information populated by policy routing
rules (e.g. a gateway or gateway group on a firewall rule, or reply-to). It cannot kill states
created by default gateway switching as in that case the gateway in the state is 0.0.0.0/:: and
not a specific gateway.
Flush all states on gateway failure Clears all states for existing connections when any gateway fails or
is in a down state during a filter reload.
Warning: When this is triggered the firewall clears the entire state table if any gateway is
down, which can be highly disruptive.
More information on how this impacts Multi-WAN can be found in State Killing/Forced Switch.
Skip Rules When Gateway is Down
By default, when a rule has a specific gateway set and this gateway is down, the gateway is omitted from the rule and
traffic is sent via the default gateway.
The Do not create rules when gateway is down option overrides that behavior: the entire rule is omitted from the
ruleset when the gateway is down. Instead of flowing via the default gateway, the traffic will match a different rule.
This is useful if traffic must only ever use one specific WAN and never flow over any other WAN.
Tip: When utilizing this option, create a reject or block rule underneath the policy routing rule with the same
matching criteria. This will prevent the traffic from potentially matching other rules below it in the ruleset and taking
an unintended path.
RAM Disk Settings
The /tmp and /var directories are used for writing files and holding data that is temporary and/or volatile. Using
a RAM disk can reduce the amount of writing that happens on disks in the firewall. Modern SSDs are far less
sensitive to write wear than older drives, but write volume can still be a concern when running from lower quality
flash storage such as USB thumb drives.
This behavior has the benefit of keeping most of the writes from the base system off of the disk, but packages may
still write frequently to the drive. It also requires additional handling to ensure data such as RRD graphs and DHCP
leases are retained across reboots. Data for both is saved during a proper shutdown or reboot, and also periodically if
configured.
Use RAM Disks When checked, a memory disk is created at boot time for /tmp and /var and the
associated directory structure is initialized. When this setting is toggled, a reboot is required and forced on
save.
Warning: The size of RAM disks is limited by the amount of available kernel memory. The
actual limit is calculated and printed in the GUI underneath the size options.
/tmp RAM Disk Size The size of the /tmp RAM disk, in MiB. The default value is 40, but should be
set higher if there is available RAM and kernel memory.
/var RAM Disk Size The size of the /var RAM disk, in MiB. The default value is 60, but should be set
much higher, especially if packages will be used. 512-1024 is a better starting point, depending
on the available firewall RAM and kernel memory.
Periodic RAM Disk Data Backups These options control how frequently data in RAM disks is backed
up. If the firewall is rebooted unexpectedly, the last backup is restored when the firewall boots. The
lower the value, the less data that will be lost in such an event, but more frequent backups write more
to the disk.
RRD Data The time, in hours, between periodic backups of RRD files containing graph
data.
DHCP Leases The time, in hours, between periodic backups of the DHCP lease
databases.
Log Directory The time, in hours, between periodic backups of the system log directory.
Warning: Aside from the points mentioned above, there are several items to be cautious about when choosing
whether or not to use the RAM disk option. Used improperly, this option can lead to data loss or other unexpected
failures.
• Utilize remote syslog to send the logs to another device on the network rather than risking losing data from
unexpected outages.
• Packages may not properly account for the use of RAM disks, and may not function properly at boot time or in
other ways. Test each package, including whether or not it works immediately after a reboot.
• These are RAM disks, so the amount of RAM available to other programs is reduced by the amount of space
used by the RAM disks. For example, if the firewall has 2GB of RAM, and has 512MB for /var and 512MB for
/tmp, then only 1GB of RAM will be available to the OS for general use.
• Special care must be taken when choosing a RAM disk size, which is discussed in the following section.
RAM Disk Sizes
Setting a size too small for /tmp and /var can backfire, especially when it comes to packages. The suggested sizes
on the page are an absolute minimum and often much larger sizes are required. The most common failure occurs
when a package is installed: parts of the package write to both /tmp and /var, which can fill up a RAM disk and
cause other data to be lost. Another common failure is setting /var as a RAM disk and then forgetting to move a
squid cache to a location outside of /var. If left unchecked, the cache will fill up the RAM disk.
For /tmp, a minimum of 40 MiB is required. For /var a minimum of 60 MiB is required. To determine the proper
size, check the current usage of the /tmp and /var directories before making a switch. Check the usage several
times over the course of a few days so it is not caught at a low point. Watching the usage during a package installation
adds another useful data point.
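The usage check described above, as an added example that is not part of the pfSense documentation or code: a Python 3 script (standard library only) which samples the on-disk usage of /tmp and /var several times, keeps the peak, and turns the peak into a RAM disk size with headroom above the 40 MiB and 60 MiB minimums the text states. The 2x headroom factor, the sampling schedule and the "no more than a quarter of RAM" budget check are assumptions chosen for illustration; the functions are separated so the sizing arithmetic can be checked without touching the filesystem.

```python
"""Sample /tmp and /var usage over time and suggest RAM disk sizes.

Added example; not part of pfSense. The headroom factor, the sampling
schedule and the RAM budget fraction are assumptions. The 40 MiB and
60 MiB minimums are the ones the documentation states for /tmp and /var.
"""
import math
import os
import stat
import time

MIB = 1024 * 1024

# Minimum RAM disk sizes from the documentation, in MiB.
MINIMUM_MIB = {"/tmp": 40, "/var": 60}


def dir_usage_mib(path):
    """Total size of the regular files below path, in MiB.

    Symlinks are not followed, so a cache relocated outside /var via a
    link is not counted, and files that vanish mid-walk are skipped.
    A path that does not exist simply measures as 0.0.
    """
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                st = os.lstat(os.path.join(root, name))
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                total += st.st_size
    return total / MIB


def sample_peak(paths, samples, interval_s):
    """Read each path `samples` times, `interval_s` apart; keep the peak per path."""
    peak = {p: 0.0 for p in paths}
    for i in range(samples):
        for p in paths:
            peak[p] = max(peak[p], dir_usage_mib(p))
        if i < samples - 1:
            time.sleep(interval_s)
    return peak


def suggest_size_mib(peak_mib, minimum_mib, headroom=2.0):
    """Peak usage times a headroom factor (assumed 2x, to survive a package
    install), never below the documented minimum, rounded up to whole MiB."""
    return max(minimum_mib, math.ceil(peak_mib * headroom))


def ram_left_mib(total_ram_mib, sizes_mib):
    """RAM remaining for the OS once the RAM disks are fully used, as in the
    documentation's 2 GB with 512 MB + 512 MB example."""
    return total_ram_mib - sum(sizes_mib.values())


def plan(peaks, total_ram_mib, max_fraction=0.25):
    """Turn measured peaks into sizes and check them against the RAM budget.

    max_fraction is an assumed ceiling: RAM disks above a quarter of physical
    RAM leave too little for packages and the kernel on small firewalls.
    """
    sizes = {p: suggest_size_mib(peak, MINIMUM_MIB.get(p, 0)) for p, peak in peaks.items()}
    return {
        "sizes": sizes,
        "ram_left_mib": ram_left_mib(total_ram_mib, sizes),
        "within_budget": sum(sizes.values()) <= total_ram_mib * max_fraction,
    }


def physical_ram_mib():
    """Physical RAM in MiB via sysconf (FreeBSD and Linux); 0 if unknown."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") // MIB
    except (ValueError, OSError, AttributeError):
        return 0


if __name__ == "__main__":
    # Three samples a minute apart. For the multi-day check the text
    # recommends, run this from cron and keep the largest values seen.
    peaks = sample_peak(["/tmp", "/var"], samples=3, interval_s=60)
    result = plan(peaks, physical_ram_mib())
    for path, size in result["sizes"].items():
        print(f"{path}: peak {peaks[path]:.1f} MiB -> suggest {size} MiB")
    print(f"RAM left for the OS: {result['ram_left_mib']} MiB "
          f"({'within budget' if result['within_budget'] else 'too large for this box'})")
```

Run it as root so every file under /var is readable; run it again during a package installation, since that is where the peak usually lands. The budget check is deliberately conservative: a RAM disk that "fits" but leaves the OS short of memory fails later and less visibly than one that is simply too small.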
Hard Disk Standby
The Hard disk standby time option activates power management for disk drives in the firewall. The drop-down field
sets the number of minutes that the disk can be idle before going into standby mode.
Using standby mode is not necessary for SSD or flash media. For traditional spinning platter hard disks, it may result
in power savings and can potentially lengthen the disk lifetime by saving wear, at a cost of slower disk access when
resuming from an idle state. Actual results entirely depend on the hardware involved.
The default behavior is Always On which prevents the disk from entering standby mode.
Installation Feedback
When this option is set, the firewall will not send its Netgate Device ID when making requests to Netgate servers.
8.6.5 System Tunables Tab
The System Tunables tab under System > Advanced provides a means to set run-time FreeBSD system tunables,
also known as sysctl OIDs.
Tip: In most cases, the best practice is to leave these tunables at their default values.
Firewall administrators familiar with FreeBSD, or users doing so under the direction of a developer or support repre-
sentative, may want to adjust or add values on this page so that they will be set as the system starts.
Note: The tunables on this page are different from Loader Tunables. Loader Tunables are read-only values once
the system has booted, and those values must be set in /boot/loader.conf.local.
Creating and Editing Tunables
To edit an existing tunable, click the edit icon on its row.
To create a new tunable, click New at the top of the list.
When editing or creating a tunable, the following fields are available:
Tunable The sysctl OID to set
Value The value to which the Tunable will be set.
Note: Some values have formatting requirements. Due to the vast number of sysctl OIDs, the GUI
does not validate that the given Value will work for the chosen Tunable.
Description An optional description for reference.
Click Save when the form is complete.
Tunable OIDs and Values
There are many OIDs available from sysctl: some of them can be set at run time, some are read-only outputs, and
others must be set before the system boots as Loader Tunables. The full list of OIDs and their possible values is
outside the scope of this documentation, but for those interested in digging a little deeper, the sysctl manual page
from FreeBSD contains detailed instructions and information.
8.6.6 Notifications
The firewall can notify administrators of important events and errors by displaying an alert in the menu bar, indicated
by a notification icon.
In addition to GUI notifications, the firewall also supports the following remote notification methods:
• E-mail using SMTP
• Telegram notification API
• Pushover notification API
General Settings
Certificate Expiration When set, the firewall will issue notifications when certificates approach their
expiration date, so that administrators can take corrective action to renew or replace them. Notifications
are also sent for expired certificates.
The expiration times are checked daily, and notifications are displayed in the GUI and sent remotely.
Certificate Expiration Threshold The value, in days, at which certificates are considered to be
approaching their expiration date.
The default value is currently 27 days. Certificates from Let’s Encrypt (ACME package) typically
renew when they have around 30 days before they expire. The default value is long enough that it
does not notify unnecessarily, but with enough time left that problems can be corrected.
Tip: If certificates are imported into the firewall from third party sources which take longer to
process, increase this value sufficiently to give administrators enough notice to obtain an updated
replacement certificate before the expiration date.
SMTP E-mail
E-mail notifications are delivered by a direct SMTP connection to a mail server. The server must be configured to
allow relaying from the firewall or accept authenticated SMTP connections.
Disable SMTP When checked, the firewall will not send SMTP notifications. This is useful to silence
notifications while keeping SMTP settings in place for use by other purposes such as packages that
utilize e-mail.
E-mail server The hostname or IP address of the e-mail server through which the firewall will send
notifications.
SMTP Port of E-mail server The port to use when communicating with the SMTP server. The most
common ports are 25 and 587.
In many cases, 25 will not work unless it is to a local or internal mail server. Providers frequently
block outbound connections to port 25, so use 587 (the Submission port) when possible.
Connection Timeout to E-Mail Server The length of time, in seconds, that the firewall will wait for an
SMTP connection to complete.
Secure SMTP Connection When set, the firewall will attempt an SSL/TLS connection when sending
e-mail. The server must accept SSL/TLS connections or support STARTTLS.
Validate SSL/TLS When set, the certificate presented by the mail server is checked for validity against
the root certificates trusted by the firewall. Ensuring this validity is the best practice.
In some rare cases a mail server may have a self-signed certificate or a certificate that otherwise
fails validation. Unchecking this option will allow notifications to be sent to these servers using
SSL/TLS. In this case, communication is still encrypted, but the identity of the server is not
validated, so anyone able to redirect traffic between the firewall and the mail server can present
their own certificate and read the session, including the SMTP credentials sent after the handshake.
Prefer importing the server's CA into the firewall's trust store over disabling validation.
From e-mail address The e-mail address for the From: header in notification messages, which specifies
the source. Some SMTP servers attempt to validate this address so the best practice is to use a real
address in this field. This is commonly set to the same address as Notification E-mail address.
Notification E-mail address The e-mail address for the To: header of the message, which is the desti-
nation where the notification e-mails will be delivered by the firewall.
Notification E-Mail Auth Username Optional. If the mail server requires a username and password for
authentication, enter the username here.
Notification E-Mail Auth Password Optional. If the mail server requires a username and password for
authentication, enter the password here and in the confirmation field.
Notification E-mail Auth Mechanism This field specifies the authentication mechanism required by the
mail server. The majority of e-mail servers work with PLAIN authentication, others such as MS
Exchange may require LOGIN style authentication.
Note: In 2022 Google started phasing out access to SMTP Submission and similar services using the account
username and password directly. To access the services Google has deemed “less secure” after the change, the user
must enable 2-Step Verification for their Google account and then create an App Password, which can authenticate
with these services.
Click Save at the bottom of the page to store the settings before proceeding.
Click Test SMTP Settings to generate a test notification and send it via SMTP using the previously stored
settings. Save settings before clicking this button.
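The connection the SMTP settings above describe, as an added example that is not part of pfSense (whose notification code is PHP and is not shown here): a Python 3 client, standard library only, which opens the Submission port, upgrades with STARTTLS, authenticates, and sends one message. The two branches of build_context() make explicit what checking or unchecking Validate SSL/TLS changes. The hostname, addresses and credentials are placeholders constructed for illustration, and the refusal to send credentials over a cleartext session is this example's own policy, not a restriction the firewall's GUI enforces.

```python
"""Send a notification over SMTP with an explicit TLS validation policy.

Added example, not pfSense code. Host, credentials and addresses are
placeholders constructed for illustration.
"""
import smtplib
import ssl
from email.message import EmailMessage


def build_context(validate=True):
    """TLS context for the mail connection.

    validate=True mirrors 'Validate SSL/TLS' checked: the server certificate
    must chain to a trusted root and match the hostname.
    validate=False keeps encryption but accepts any certificate, so an
    on-path attacker who can redirect the connection can present their own
    certificate and read the credentials sent after the handshake.
    """
    ctx = ssl.create_default_context()
    if not validate:
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_message(sender, recipient, subject, body):
    """From:/To: map to the 'From e-mail address' and 'Notification E-mail address' fields."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_notification(host, port, sender, recipient, subject, body,
                      username=None, password=None, secure=True,
                      validate=True, timeout=20):
    """Deliver one message.

    Port 465 gets implicit TLS; other ports (25, 587) are opened in the clear
    and upgraded with STARTTLS when secure=True. timeout is the equivalent of
    'Connection Timeout to E-Mail Server'.
    """
    msg = build_message(sender, recipient, subject, body)
    ctx = build_context(validate) if secure else None
    if secure and port == 465:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
    with client:
        client.ehlo()
        if secure and port != 465:
            if not client.has_extn("starttls"):
                raise RuntimeError("server offers no STARTTLS; refusing to send in the clear")
            client.starttls(context=ctx)
            client.ehlo()  # capabilities, including AUTH, can change after TLS
        if username:
            if not secure:
                raise RuntimeError("refusing to send credentials over an unencrypted session")
            # smtplib picks CRAM-MD5, PLAIN or LOGIN from the server's AUTH list.
            client.login(username, password)
        client.send_message(msg)


if __name__ == "__main__":
    # Placeholder values; replace with a real Submission server and account.
    send_notification("mail.example.com", 587,
                      "firewall@example.com", "admin@example.com",
                      "pfSense test notification",
                      "Test message from the firewall.",
                      username="firewall@example.com", password="app-password",
                      secure=True, validate=True)
```

Where the firewall's Auth Mechanism drop-down fixes PLAIN or LOGIN explicitly, smtplib negotiates from what the server advertises; if a server such as Exchange only accepts LOGIN, smtplib falls through to it. Against a server whose certificate fails validation, the validate=True path raises ssl.SSLCertVerificationError during starttls(), which is the same condition that makes the GUI's test notification fail with Validate SSL/TLS checked.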
Startup/Shutdown Sound
If the firewall hardware has a PC speaker, it will play a sound when startup finishes and again when a shutdown is
initiated.
Check Disable the startup/shutdown beep to prevent the firewall from playing these sounds.
Telegram
The notification system supports the Telegram API which can send notifications to desktops and mobile devices,
among others.
Note: Using the Telegram API requires a Telegram Bot and its associated API key. Treat the key as a credential: anyone holding it can send messages as the bot.
Enable Telegram When set, the firewall will attempt to send remote notifications using the Telegram
API and the settings in this section.
API Key Required. The Telegram Bot API key the firewall will use to authenticate with the Telegram
API server.
Chat ID The destination for the notifications. This can be a chat ID number for private notifications, or
a channel @username for public notifications.
Click Save at the bottom of the page to store the settings before proceeding.
Click Test Telegram Settings to generate a test notification and send it using the Telegram API with the
previously stored settings. Save settings before clicking this button.
Pushover
The notification system supports the Pushover API which can send notifications to desktops and mobile devices,
among others.
Note: Using the Pushover API requires a Pushover account user key and API key (Pushover Registration).
Enable Pushover When set, the firewall will attempt to send remote notifications using the Pushover
API and the settings in this section.
API Key Required. The Pushover API Key (Pushover Registration) the firewall will use to authenticate
with the Pushover API server.
User Key Required. The User Key (Pushover Registration) of the Pushover account to which the API
Key belongs.
Notification Sound The notification sound that the end user device (Phone, etc) will play when notification
messages are sent by the firewall.
See also:
For a list of sounds and audio, see the Pushover API Notification Sounds Documentation.
Message Priority The message priority for firewall notifications.
Note: For more information about the priorities and their meanings, see the Pushover API Priority
Documentation.
The following priorities are available:
Normal Default setting. May trigger sound, vibration, and notification display depending
on the user settings and client platform.
Lowest No sound or vibration, but increases the notification count on some platforms.
Low No sound or vibration. May trigger a notification display depending on the user
settings and client platform.
High Always play sound and vibrate. Bypasses pre-set quiet hours. Notification display
is highlighted in red.
Emergency Similar to High priority, but the notification is repeated until acknowledged
by the user.
Emergency Priority Notification Retry Interval The amount of time, in seconds, between repeats of the
same Emergency priority notification by the Pushover servers until the notification is acknowledged.
This parameter must have a value of at least 30 seconds between retries. Default is 60 seconds (1
minute).
Emergency Priority Notification Expiration The duration, in seconds, for which Emergency priority
notifications will be retried until the notification is acknowledged. Notifications will be resent at
intervals determined by the value of Emergency Priority Notification Retry Interval.
This parameter must have a value of at most 10800 seconds (3 hours). Default is 300
seconds (5 minutes).
Click Save at the bottom of the page to store the settings before proceeding.
Click Test Pushover Settings to generate a test notification and send it using the Pushover API with the
previously stored settings. Save settings before clicking this button.
8.7 Console Menu Basics
Basic configuration and maintenance tasks can be performed from the pfSense® system console. The console is
available using a keyboard and monitor, serial console, or by using SSH. Access methods vary depending on hardware.
Below is an example of what the console menu will look like, but it may vary slightly depending on the version and
platform:
WAN (wan)       -> vmx0       -> v4/DHCP4: 198.51.100.6/24
                                 v6/DHCP6: 2001:db8::20c:29ff:fe78:6e4e/64
LAN (lan)       -> vmx1       -> v4: 10.6.0.1/24
                                 v6/t6: 2001:db8:1:eea0:20c:29ff:fe78:6e58/64

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell
Page Contents
• 1) Assign Interfaces
• 2) Set interface(s) IP address
• 3) Reset webConfigurator password
• 4) Reset to factory defaults
• 5) Reboot system
• 6) Halt system
• 7) Ping host
• 8) Shell
• 9) pfTop
• 10) Filter Logs
• 11) Restart webConfigurator
• 12) PHP shell + pfSense tools
• 13) Upgrade from console
• 14) Enable/Disable Secure Shell (sshd)
• 15) Restore recent configuration
• 16) Restart PHP-FPM
8.7.1 1) Assign Interfaces
This option restarts the Interface Assignment task, which is covered in detail in Assign Interfaces and Manually
Assigning Interfaces. This menu option can create VLAN interfaces, reassign existing interfaces, or assign new ones.
8.7.2 2) Set interface(s) IP address
The script to set an interface IP address can set WAN, LAN, or OPT interface IP addresses, but there are also other
useful features of this script:
• The firewall prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range
if it is enabled.
• If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP. This helps in cases when the
SSL configuration is not functioning properly.
• If the anti-lockout rule on LAN has been disabled, the script enables the anti-lockout rule in case the user has
been locked out of the GUI.
8.7.3 3) Reset webConfigurator password
This menu option invokes a script to reset the admin account password and status. The password is reset to the default
value of pfsense. Change this well-known default immediately after regaining access to the GUI.
The script also takes a few other actions to help regain entry to the firewall:
• If the GUI authentication source is set to a remote server such as RADIUS or LDAP, it prompts to return the
authentication source to the Local Database.
• If the admin account has been removed, the script re-creates the account.
• If the admin account is disabled, the script re-enables the account.
8.7.4 4) Reset to factory defaults
This menu choice restores the system configuration to factory defaults. It will also attempt to remove any installed
packages.
This action is also available in WebGUI at Diagnostics > Factory Defaults.
See Resetting to Factory Defaults for more details about how this process works.
8.7.5 5) Reboot system
This menu choice cleanly shuts down the firewall and restarts the operating system. There are several options which
control what the firewall will do when rebooting. The choices offered by the reboot option are explained in Reboot
Methods.
See also:
This action is also available in WebGUI at Diagnostics > Reboot, see Rebooting the Firewall for details.
8.7.6 6) Halt system
This menu choice cleanly shuts down the firewall and either halts or powers off, depending on hardware support.
Warning: The best practice is to never cut power from a running system. Halting before removing power is
always the safest choice.
See also:
This action is also available in WebGUI at Diagnostics > Halt System. See Halting and Powering Off the Firewall
for additional details.
8.7.7 7) Ping host
This menu option runs a script which attempts to contact a host to confirm if it is reachable by the firewall through a
connected network. The script prompts the user for an IP address, and then the script sends that target host three ICMP
echo requests.
The script displays output from the test, including the number of packets received, sequence numbers, response times,
and packet loss percentage.
The script uses ping when given an IPv4 address or a hostname, and ping6 when given an IPv6 address.
This is only a basic ping test. For more options, see Ping Host to run a similar test from the GUI.
8.7.8 8) Shell
This menu choice starts a command line shell.
Warning: A shell is very useful and very powerful, but also has the potential to be very dangerous.
Note: The majority of users do not need to touch the shell, or even know it exists.
Complex configuration tasks may require working in the shell, and some troubleshooting tasks are easier to accomplish
from the shell, but there is always a chance of causing irreparable harm to the system.
Veteran FreeBSD users may feel slightly at home there, but there are many commands which are not present on
pfSense software installations since unnecessary parts of the OS are removed for security and size constraints.
A shell started in this manner uses tcsh, and the only other shell available is sh. While it is possible to install other
shells for the convenience of users, Netgate neither recommends nor supports using other shells.
8.7.9 9) pfTop
This menu option invokes pftop which displays a real-time view of the firewall states, and the amount of data they
have sent and received. It can help pinpoint sessions currently using large amounts of bandwidth, and may also help
diagnose other network connection issues.
See also:
See pfTop for more information on how to use pfTop.
8.7.10 10) Filter Logs
The Filter Logs menu option displays firewall log entries in real-time, in their raw form. The raw logs contain much
more information per line than the log view in the WebGUI (Status > System Logs, Firewall tab), but not all of this
information is easy to read.
Tip: For a simplified console view of the firewall logs in real time with low detail, use the following shell command:
tail -F /var/log/filter.log | filterparser.php
8.7.11 11) Restart webConfigurator
Restarting the webConfigurator will restart the system process that runs the GUI (nginx). In extremely rare cases the
process may have stopped, and restarting it will restore access to the GUI.
If the GUI is not responding and this option does not restore access, invoke menu option 16 to Restart PHP-FPM
after using this menu option.
8.7.12 12) PHP shell + pfSense tools
The PHP shell is a powerful utility that executes PHP code in the context of the running system. As with the normal
shell, it is also potentially dangerous to use. This is primarily used by developers and experienced users who are
intimately familiar with both PHP and the pfSense software code base.
See also:
See Using the PHP Shell for additional details and a list of available playback scripts.
8.7.13 13) Upgrade from console
This menu option runs the pfSense-upgrade script to upgrade the firewall to the latest available version. This is
operationally identical to running an upgrade from the GUI and requires a working network connection to reach the
update server.
This method of upgrading is covered with more detail in Upgrading using the Console.
8.7.14 14) Enable/Disable Secure Shell (sshd)
This option toggles the status of the Secure Shell Daemon, sshd. This option works the same as the option in the
WebGUI to enable or disable SSH.
8.7.15 15) Restore recent configuration
This menu option starts a script that lists and restores backups from the configuration history. This is similar to
accessing the configuration history from the GUI at Diagnostics > Backup/Restore on the Config History tab (Restoring
from the Config History).
This script can display the last few configuration files, along with a timestamp and description of the change made in
the configuration, the user and IP address that made the change, and the config revision. This is especially useful if a
recent configuration error accidentally prevented access to the GUI.
8.7.16 16) Restart PHP-FPM
This menu option stops and restarts the daemon which handles PHP processes for nginx. If the GUI web server
process is running but unable to execute PHP scripts, invoke this option. Run this option in conjunction with Restart
webConfigurator for the best result.
8.8 Resetting to Factory Defaults
The firewall configuration can be reset back to defaults, a process which also attempts to remove any installed
packages. This reset can be performed in the GUI from Diagnostics > Factory Defaults, by using the console menu, or in
some cases by using a hardware button.
In each case, the firewall automatically reboots with the default configuration after the reset. Because the default
interface assignments and addresses may not match the network, console access may be required to regain management
access afterward.
Note: This process does not remove any changes made to the file system, it only resets the configuration.
If system files have been corrupted or altered in an undesirable way, the best practice is to make a backup and reinstall
from installation media.
8.8.1 Factory Default from the GUI
To reset the configuration to factory defaults using the GUI:
• Navigate to Diagnostics > Factory Defaults
• Review the items on the page which will be affected by the reset
• Click Factory Reset
• Click OK to confirm the action and start the reset process
8.8.2 Factory Default from the Console
To reset the configuration to factory defaults using the console:
• Access the console menu locally or via SSH with an admin-level account (admin, root, or another privileged
account using sudo).
• Enter the menu option which corresponds with Reset to factory defaults (e.g. 4)
• Press Enter
• Enter y to confirm the action
• Press Enter to start the reset process
8.8.3 Factory Default using a Hardware Button
On some appliances from Netgate, the reset button may be depressed with a paperclip or other similar object during
the boot sequence.
Warning: Reset button behavior varies by hardware. Check the appropriate product manual to confirm support
and button behavior before attempting this procedure.
For most hardware which supports this feature, the procedure is similar:
• Apply power to the unit
• Depress the reset button after the initial POST sequence completes
• Hold the reset button in until the system LEDs turn off or the system reboots
The unit will reset the configuration to factory defaults and reboot again with that default configuration.
8.9 XML Configuration File
pfSense® software stores its settings in an XML format configuration file. All configuration settings including settings
for packages are held in this one file. Run-time configuration files for services and firewall behavior are generated
dynamically based on the settings held within this XML configuration file.
Those familiar with FreeBSD and related operating systems have found this out the hard way, when their changes to
system configuration files were repeatedly overwritten by the firewall before they came to understand that pfSense
software handles everything automatically.
The configuration file is stored at /conf/config.xml on the firewall.
8.9.1 Manually editing the configuration
A handful of configuration options are only available by manually editing the configuration file, though this isn’t
required in the vast majority of deployments. Some of these options are covered in other parts of this documentation
where they are relevant. Additionally, for advanced administrators in rare cases large-scale or tricky changes may be
easier to make by directly editing the configuration file.
Warning: Even for seasoned administrators it is easy to incorrectly edit the configuration file. Always keep
backups and be aware that breaking the configuration will result in unintended consequences.
Edit a Backup
The safest and easiest method of editing the configuration file is to make a backup, edit the backup, and then restore:
• Navigate to Diagnostics > Backup/Restore in the GUI
• Download and save backup file
• Open the file in a text editor that properly understands UNIX line endings, and preferably an editor that has
special handling for XML such as syntax highlighting. Do not use notepad.exe on Windows.
• Make changes to the configuration and save
• Navigate to Diagnostics > Backup/Restore in the GUI
• Restore the edited configuration
The firewall will automatically reboot as a part of the restoration process, and the new settings will be active afterward.
Edit In Place
Editing the configuration in-place is also possible in a variety of ways. The general procedure is:
• Edit /conf/config.xml
• Run rm /tmp/config.cache to clear the configuration cache
• Reboot, or use the GUI to save/reload whichever part of the firewall utilizes the edited settings
From the console or ssh, administrators familiar with the vi editor can use the viconfig command to edit the running
configuration, and this command automatically clears the cache file after saving and exiting.
Other editors are available on the firewall, such as ee or in the GUI under Diagnostics > Edit File (Editing Files on the
Firewall). Clear the cache file manually after using one of these other methods, either using the shell or Diagnostics
> Command Prompt (Command Prompt).
8.10 pfSense® Plus Software Registration
The pfSense Plus Software Registration page is located at System > Register. This page activates features in pfSense
Plus software installations on hardware and virtual machines not purchased from Netgate. The page also activates
older Netgate® hardware purchased with Factory Edition (FE) pfSense software before the Netgate Device ID (NDI)
was introduced.
The registration process requires an activation token supplied by Netgate. This token is generated when purchasing
pfSense Plus software or via Netgate TAC for older Netgate hardware.
For more information about pfSense Plus software, or to purchase pfSense Plus software, visit Netgate Store.
Note: Registration is free for hardware purchased from Netgate with pfSense Plus software or the older Factory Edi-
tion of pfSense software. Most hardware is pre-registered and does not require activation. To activate hardware which
is not automatically recognized, submit a request to Netgate TAC along with the serial number and NDI for the device
at https://go.netgate.com. The serial number and NDI are displayed on the dashboard in the System Information
widget, and may also be on a sticker located on the bottom of the device.
The current registration status is shown on the dashboard in the Netgate Services and Support widget, and is also
indicated on System > Register.
The text on the registration page varies depending on the current registration status and availability. The page also
displays errors encountered during the activation process, such as not being able to contact the registration server.
8.10.1 Registration Process
To register an installation of pfSense Plus software with Netgate:
• Obtain a pfSense Plus software activation token from Netgate
• Navigate to System > Register on the firewall
• Enter the Activation Token
• Click Register
See also:
• Basic Firewall Configuration Example
• Troubleshooting Clock Issues
• Troubleshooting
• Troubleshooting Access when Locked Out of the Firewall
• Troubleshooting Time Zone Configuration
Most pfSense® software configuration is performed using the web-based GUI. There are a few tasks that may also be
performed from the console, whether it be a monitor and keyboard, over a serial port, or via SSH.
8.11 Connecting to the GUI
To reach the GUI, follow this basic procedure:
• Connect a client computer to the same network as the LAN interface of the firewall. This computer may be
directly connected with a network cable or connected to the same switch as the LAN interface of the firewall.
By default, the LAN IP address of a new installation of pfSense software is 192.168.1.1 with a /24 mask
(255.255.255.0), and there is also a DHCP server running. If a client computer is set to use DHCP, it should
obtain an address in the LAN subnet automatically.
• On the client computer, open a web browser such as Firefox, Safari, or Chrome and navigate to https://192.168.1.1.
The GUI listens on HTTPS by default, but if the browser attempts to connect using HTTP, it will be redirected by
the firewall to the HTTPS port instead.
• Enter the default credentials in the login page:
username admin
password pfsense
In some cases additional steps may be necessary before the client computer can reach the GUI.
Warning: If the default LAN subnet conflicts with the WAN subnet, the LAN subnet must be changed before
connecting it to the rest of the network. Attempting to access the GUI in this situation is unpredictable and unlikely
to work until the conflict is resolved.
The LAN IP address may be changed and DHCP may be disabled using the console:
• Open the console (VGA, serial, or using SSH from another interface)
• Choose option 2 from the console menu
• Enter the new LAN IP address, subnet mask, and specify whether or not to enable DHCP.
• Enter the starting and ending address of the DHCP pool if DHCP is enabled. This can be any range inside the
given subnet.
Note: When assigning a new LAN IP address, it cannot be in the same subnet as the WAN or any other active
interface. If there are other devices already present on the LAN subnet, it also cannot be set to the same IP address as
an existing host.
If the DHCP server on the firewall is disabled, client computers on LAN must have a statically configured IP address
in the LAN subnet, such as 192.168.1.5, with a subnet mask that matches the one given to the firewall, such as
255.255.255.0.
CHAPTER
NINE
BACKUP AND RECOVERY
9.1 Making Backups in the GUI
Making a backup in the GUI is simple:
• Navigate to Diagnostics > Backup & Restore
• Set any desired options, or leave the options at their default values.
• Click Download Configuration as XML (Figure GUI Backup).
Fig. 1: GUI Backup
The web browser will then prompt to save the file somewhere on the PC being used to view the GUI. It will be named
config-<hostname>-<timestamp>.xml, but that may be changed before saving the file.
9.1.1 Backup Options
When performing a backup, GUI options are available to control what is contained within the backup file.
Backup Area Limits the backup contents to a single configuration area, rather than a complete configu-
ration backup.
The default behavior is to include all areas in the backup.
Note: When restoring a configuration containing only a single area, the Restore area value must
be set to match.
Skip Packages Controls whether or not the backup will contain installation data and settings for pack-
ages. Omitting this data from a backup can be a useful way to quickly remove all traces of packages
from a configuration when troubleshooting.
Warning: After restoring a configuration without package data all packages must be reinstalled
and reconfigured.
The default is unchecked so that all package data is included in the backup.
Skip RRD Data Controls whether or not the backup will contain an exported copy of data used to gen-
erate monitoring graphs. When restoring a backup containing RRD data, the graph data is also
restored.
The default is checked which omits the RRD data from the backup as it significantly increases the
size of backup files.
Include Extra Data Controls whether or not the backup file will include additional optional data. This
includes Captive Portal databases and DHCP lease databases. These databases are volatile. While
the data can be useful for transferring to new hosts or for frequent backups, it is not as useful for
long-term backups.
The default is unchecked which omits this extra data from the backup as it can significantly increase
the size of backup files.
Backup SSH Keys Controls whether or not the backup file will include a copy of the SSH host keys.
Clients use these keys to uniquely identify the firewall, so preserving the keys when restoring makes
it easier for clients to recognize the firewall after reinstalling or restoring to new hardware. Addition-
ally, AutoConfigBackup uses the SSH host keys to identify the firewall when creating and restoring
backups, so preserving the keys allows the firewall to maintain a consistent backup history after a
reinstallation.
Encryption Controls whether or not the backup file is encrypted before download.
When set, the GUI presents Password and confirmation fields, the contents of which are used by
pfSense® software to encrypt the backup file with AES-256.
The default behavior is unchecked which creates clear text XML backup files.
9.2 Using the AutoConfigBackup Service
Automatic Configuration Backup (AutoConfigBackup, or ACB for short) is available as a core component of pfSense®
software. The service is free for all users of pfSense software, both Plus and CE.
This feature is located at Services > Auto Config Backup.
9.2.1 Functionality and Benefits
When a change is made to the configuration on a firewall, AutoConfigBackup automatically encrypts the contents with
the passphrase entered in the AutoConfigBackup settings and then uploads the backup over HTTPS to Netgate servers.
This gives instant, secure offsite backups of a firewall with no user intervention.
Note: Only the most recent 100 encrypted configurations for each device are retained on Netgate servers.
9.2.2 Encryption Password
Before the configuration is transmitted to Netgate servers, the firewall encrypts the backup using the AES-256-CBC
algorithm and a password created by the firewall administrator on the Settings tab (Configuration). This password is
only used locally by AutoConfigBackup and is not transmitted to remote servers.
When restoring a backup from the list of available remote backups, the contents are downloaded and then decrypted
with the configured encryption password.
Warning: Keep a careful record of the encryption password!
The backup contents cannot be recovered if the password is lost. The password is private and only known to the
local firewall. Neither Netgate nor anyone else will be able to assist in reading the encrypted backups without the
password.
9.2.3 Device Key
The AutoConfigBackup servers require a unique identifier to identify a specific firewall. This identifier is required to
save or restore a backup configuration. ACB uses the SHA256 hash of the SSH public key on the firewall for this
purpose.
The device key is located on the Services > Auto Config Backup menu item, under the Restore and Backup now
tabs.
Warning: Keep a careful record of this Device Key!
If the Device Key of a firewall is lost there is a chance it can be recovered. The Settings page allows the entry of
a Hint which is stored in the data store alongside the encrypted backup entries. If the hint is distinct, the Netgate
support team may be able to use it to recover the device key. Do not count on this though!
9.2.4 Configuration
To adjust the settings navigate to Services > Auto Config Backup, Settings tab.
Configuring AutoConfigBackup
Enable ACB When checked, ACB is active and will make automatic configuration backups.
Backup Frequency Select when ACB will create backups
On Every Configuration Change When selected, ACB will perform a backup on every
significant configuration change.
Note: Some minor configuration changes are safely ignored if they do not impact
functionality.
On a Regular Schedule Enables Schedule controls to perform timed backups instead of
performing a backup on every change. This can be more efficient on systems with
many frequent changes.
Schedule Controls the Minute of the hour, Hours of the day, Day of the month, Month of the year, and
Day of the week on which backups are performed using the standard cron format.
The value of Minute is randomized until the page is saved.
Note: This control is only visible when Backup Frequency is set to On a Regular Schedule.
Encryption Password/Confirm The password used by ACB to encrypt the backup, as described in En-
cryption Password.
Hint/Identifier An optional hint which will be stored as plain text metadata along with the encrypted
configuration. This hint may allow Netgate TAC to locate the device key if it is lost.
Manual Backups to Keep Up to 50 manual backups may be retained, which are not automatically over-
written by automatic backups. These manual backups still count against the 100 backup limit.
Testing Backup Functionality
• Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule.
• Click Apply Changes
• Navigate to Services > Auto Config Backup, Restore tab
• Look for the new backup in the list
Manually Backing Up
Manual backups should be made before an upgrade or a series of significant changes. ACB will store a manual backup
specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change
triggers a new backup, when a series of changes is made it can be difficult to know where the process started.
To force a manual backup of the configuration:
• Navigate to Services > Auto Config Backup
• Click the Backup Now tab at the top
• Enter a Revision Reason
• Click Backup
Tip: Take a manual backup prior to upgrading to a new pfSense software release, and name the backup so the reason
the backup was made is clear.
Restoring a Configuration
To restore a configuration:
• Navigate to Services > Auto Config Backup
• Click the Restore tab at the top
• Locate the desired backup in the list
• Click to the right of the configuration row
The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the En-
cryption Password, and restore it.
Warning: By default the firewall will not initiate a reboot. Depending on the configuration items restored, a
reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a
configuration, but interface configurations are not.
After restoring, the GUI presents a prompt offering to reboot. If the restored configuration changes anything other
than the NAT and firewall rules, choose Yes.
9.2.5 Bare Metal Restoration
If the disk in the firewall fails or if the SSH key changes due to a re-installation of pfSense software, the ACB service
can restore a backup from the previous installation as long as the Device Key and the Encryption Password of the
previous installation are both known.
• Replace the failed disk
• Install pfSense software on the new disk
• Configure LAN and WAN
• Navigate to Services > Auto Config Backup, Settings tab
• Set the Encryption Password to match the previous installation
• Navigate to the Restore tab
• Paste the old device key into the Device Key field
• Click the Submit button
This temporarily allows ACB to display a list of backups for an alternate Device Key.
Click Reset to restore the native ID for this firewall.
Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.
9.2.6 Checking the AutoConfigBackup Status
The status of an AutoConfigBackup run may be checked by reviewing the list of backups shown on the Restore tab.
This list is pulled from the AutoConfigBackup servers. If the backup is listed there, it was successfully created.
If a backup fails, an alert is logged, and it will be visible as a notice in the GUI.
9.3 ZFS Boot Environments (Plus Only)
ZFS Boot Environments make upgrades and major changes safer by taking snapshots of key filesystem areas, allow-
ing the firewall to be rolled back to an earlier known good state if the user encounters problems with an upgrade,
configuration change, or other potentially problematic situation.
The upgrade process automatically creates a new ZFS Boot Environment by default and administrators can create them
manually as well. Administrators can then select a previous ZFS Boot Environments using the GUI or even the boot
loader menu which makes quickly recovering from unforeseen issues a breeze.
Warning: ZFS Boot Environments are available only in pfSense® Plus software version 22.05 and later. They are
not available on pfSense® CE software.
9.3.1 How Boot Environments Work
A ZFS Boot Environment is a snapshot of the filesystem at a specific point in time, plus a clone of that snapshot.
Snapshots are read only views of the filesystem at a given point, whereas clones are read/write.
Each snapshot and clone consumes some disk space but the exact amount varies based on how much the current
contents of the filesystem have diverged from the contents when the entries were created.
Note: For most users tracking periodic updates or creating occasional ZFS boot environments the disk usage will be
moderate over time. Users tracking development snapshots with frequent updates may see much larger amounts of
space consumed by ZFS Boot Environments from snapshots. See Boot Environment Disk Space Usage for details.
When an administrator triggers the upgrade process the firewall creates a new ZFS Boot Environment before the
upgrade begins. This preserves the current state of the firewall as it was before the upgrade. The upgrade process
then activates the new ZFS Boot Environment so that when the upgrade proceeds and reboots, it reboots into the new
environment to complete the upgrade.
If there is a problem, the administrator can activate the pre-upgrade ZFS Boot Environment and reboot the firewall and
it will return to its state before the upgrade happened.
9.3.2 Boot Environment Requirements
• pfSense® Plus software version 22.05 or later
• The firewall must be using ZFS
Note: If the firewall is using UFS, it must be reinstalled with ZFS.
• ZFS requires 64-bit hardware (amd64, arm64)
• Certain ZFS dataset layout changes may require a fresh install, though many existing ZFS installations will work
9.3.3 Managing Boot Environments in the GUI
The GUI page to manage ZFS Boot Environments is System > Boot Environments.
Note: If the Boot Environment menu entry is missing, the firewall does not support ZFS Boot Environments.
The Boot Environments page lists all existing ZFS Boot Environments with the following fields, as shown in ZFS Boot
Environment list in the GUI:
Name The name of the ZFS Boot Environment.
Automatic entries, such as those created by the upgrade process, are prefixed by auto- and include
the timestamp at which they were created.
Base Version The version of pfSense® software contained within the ZFS Boot Environment.
Created The time at which the ZFS Boot Environment was created.
Last Booted The time at which the firewall last booted into the ZFS Boot Environment.
Space The amount of disk space consumed by the ZFS Boot Environment.
Description The longer text description of the ZFS Boot Environment.
Fig. 2: ZFS Boot Environment list in the GUI
Actions Actions the administrator can take on the ZFS Boot Environment.
• : Indicates the ZFS Boot Environment the firewall will use for the next boot
• : Persistently activate the entry as the next ZFS Boot Environment
• : Edit the ZFS Boot Environment
• : Clone the ZFS Boot Environment
• : Temporarily activate the ZFS Boot Environment one time and reboot
There is an additional confirmation prompt to reboot after selecting this option.
• : Delete the ZFS Boot Environment
Creating a new Boot Environment
Administrators can create new ZFS Boot Environments in several different ways.
Warning: While boot environments are helpful, they do not remove the need for off-device backups. Take
separate configuration backups before starting any potentially disruptive set of changes, including upgrades.
Automatic During Upgrade
By default the firewall automatically creates a new ZFS Boot Environment before performing an upgrade. This behav-
ior can be disabled, see Boot Environments.
Quick Create
Clicking Quick Create from the ZFS Boot Environment list will clone the current default ZFS Boot Environment.
The resulting entry will be named quick- followed by the current timestamp.
Create / Clone
Clicking Create from the ZFS Boot Environment list opens a form to create a new ZFS Boot Environment with custom
options, including:
Name Short name to briefly indicate purpose, must only contain characters from the set a-z, A-Z, 0-9
and _.
Clone From The existing ZFS Boot Environment to use as the basis for this new entry.
Description A longer description for the ZFS Boot Environment without formatting restrictions.
Click Save to create the new ZFS Boot Environment.
The entry from the ZFS Boot Environment list works identically but it pre-selects the chosen entry in the Clone
From field.
Editing an existing Boot Environment
Clicking on the row for a ZFS Boot Environment opens a form to edit the Name and Description of the entry.
The clone source cannot be changed after the entry has been created.
Selecting Boot Environments in the GUI
There are multiple ways in the GUI to select which ZFS Boot Environment the firewall will use next.
From the ZFS Boot Environment at System > Boot Environments there are two methods:
• Click to select the ZFS Boot Environment persistently
• Click to select the ZFS Boot Environment for a single boot only and reboot. This is not persistent and the
next boot after will return to the default.
From Diagnostics > Reboot, select a Boot Environment from the list and reboot. This is not persistent and the next
boot after will return to the default.
9.3.4 Selecting Boot Environments in the Loader Menu
At boot, pfSense® software briefly displays the loader menu with a logo and several options to control the boot
behavior.
This loader menu will contain an option for ZFS Boot Environments, typically option 8 but may vary depending on
the platform.
Fig. 3: Loader Menu - Enter the number for the Boot Environments option
Press the option for Boot Environments and the loader will display a new menu with ZFS Boot Environment options.
From this menu:
• Press option 2 to cycle through all available boot environments. Stop when the desired ZFS Boot Environment
name is shown.
• Press option 3 to change the bootfs location if it is not correct
This is unnecessary in the vast majority of cases as it likely only has one option.
• Press the Enter key to boot the selected Boot Environment or press 1 to return to the previous menu and
change other options.
Note: This change is not persistent and the next boot after will return to the default ZFS Boot Environment. To make
this change persist, select the entry in the GUI using .
Fig. 4: Boot Environment Selection Menu
9.3.5 Boot Environment Status
The System Information widget on the Dashboard contains a Boot Environment section which prints the current ZFS
Boot Environment and what the next ZFS Boot Environment will be.
Note: If the Boot Environment section of the widget is missing, the firewall does not support ZFS Boot Environ-
ments.
On System > Boot Environments the list of environments has an icon at the start of the row indicating the active and
next ZFS Boot Environment.
• : The firewall booted from this entry.
• : The firewall will boot from this entry next.
If this icon is not present the firewall will boot from the entry indicated by .
9.3.6 Boot Environment Disk Space Usage
ZFS Boot Environment snapshots consume an increasing amount of disk space over time as the contents of the disk
diverge from when it was created compared to the current state of the disk.
A ZFS Boot Environment snapshot taken before upgrading to a new version of pfSense® Plus software can consume
several gigabytes of space as those updates will rewrite the entire base system and all of the other components including
packages as they are all reinstalled. Updating between development snapshots will cause a ZFS Boot Environment to
consume about 500MB of disk space, give or take, based on what changed in the snapshot.
Warning: Frequent upgrades between development snapshots can cause ZFS Boot Environments to consume a
lot of disk space!
The operating system reflects this usage as a change in the capacity of the disk. The size of a disk will appear
to decrease proportionate to the snapshot usage, and this change is reflected on the dashboard Disks widget and in
utilities such as df.
Removing older ZFS Boot Environments that are no longer necessary will free the space and make it available again.
While the system will attempt to clean up older automatically created ZFS Boot Environments, ultimately it is up to
the administrator to decide which ZFS Boot Environments are necessary.
Tip: Automatic creation of ZFS Boot Environments during upgrade can be disabled. Administrators may choose to
do this, for example, if space is at a premium and they prefer not to use ZFS Boot Environments, or they wish to
manage ZFS Boot Environments manually. See Boot Environments.
Examples
The following are examples of space usage for numerous ZFS Boot Environments.
GUI
This figure shows the Dashboard Disks and ZFS widgets on a firewall with a 12GB disk and 12 ZFS Boot Environ-
ments from snapshot upgrades.
Fig. 5: Dashboard Disk Usage with 12 Boot Environments
Note that the disk size is listed as being only about 3GB when it should be significantly larger.
The next figure is the same system with the older Boot Environments removed so that only the default and one previous
entry remain:
Fig. 6: Dashboard Disk Usage with 1 Boot Environment
Shell
Similar to the above example, this is the same firewall but with the disk usage checked at the shell instead of the GUI.
With 12 Boot Environments:
: df -h /
Filesystem Size Used Avail Capacity Mounted on
pfSense/ROOT/default 3.1G 1.2G 1.9G 39% /
: zfs list /
NAME USED AVAIL REFER MOUNTPOINT
pfSense/ROOT/default 6.93G 1.90G 1.20G /
With the default plus one automatic Boot Environment:
: df -h /
Filesystem Size Used Avail Capacity Mounted on
pfSense/ROOT/default 8.1G 1.2G 6.9G 15% /
: zfs list /
NAME USED AVAIL REFER MOUNTPOINT
pfSense/ROOT/default 1.96G 6.89G 1.20G /
9.3.7 Boot Environment Tips & Tricks
Reboot to Roll Back
• Create a new ZFS Boot Environment before making potentially disruptive changes to the firewall. This repre-
sents the current known-good state of the firewall.
Warning: While boot environments are helpful, they do not remove the need for off-device backups. Take
separate configuration backups before starting any potentially disruptive set of changes.
• Activate the new ZFS Boot Environment persistently with
• Proceed to make the changes and monitor the firewall state.
If the changes caused a problem:
• Reboot and the firewall will restart from the ZFS Boot Environment with the known-good state.
If the changes are OK:
• Activate the default ZFS Boot Environment to continue using the new changes on future reboots.
9.4 Alternate Remote Backup Techniques
The easiest method to make secure and encrypted remote backups of the pfSense® software configuration is the
free AutoConfigBackup service (Using the AutoConfigBackup Service). Rest easy knowing it is taking care of handling
remote backups automatically without needing to worry. Sit back, have a cup of coffee, and read on for alternate techniques.
The other techniques in this document perform backups remotely, but each method has its own security issues which
may rule out their use. For starters, several of these techniques do not encrypt the configuration, which may contain
sensitive information. This can result in the raw configuration being transmitted over an unencrypted, untrusted link.
If one of these techniques must be used, it is best to do so from a non-WAN link (LAN, DMZ, etc.) or across a VPN.
Access to the storage media holding the backup must also be controlled, if not encrypted.
9.4.1 Pull
Pulling the configuration means to use a remote client to “pull” the configuration off of the firewall. The methods in
this section accomplish the same goal using different utilities.
Pull with wget
The wget utility can retrieve the configuration from a remote firewall. This process can be scripted with cron or by
other means to automate the process.
Warning: Even when using HTTPS, this is not a truly secure transport mode since certificate checking is disabled
to accommodate self-signed certificates, enabling man-in-the-middle attacks. When running backups with wget
across untrusted networks, use HTTPS with a certificate that can be verified by wget.
The wget command must be split into multiple steps to handle the login procedure and backup download while also
accounting for CSRF verification.
For a firewall running HTTPS with a self-signed certificate, the commands are as follows:
• Fetch the login form and save the cookies and CSRF token:
$ wget -qO- --keep-session-cookies \
    --save-cookies cookies.txt \
    --no-check-certificate \
    https://192.168.1.1/diag_backup.php \
    | grep "name='__csrf_magic'" \
    | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
• Submit the login form along with the first CSRF token and save the second CSRF token. The first token cannot
be reused, so write the new one to a separate file. The script is now logged in and can take action:
$ wget -qO- --keep-session-cookies --load-cookies cookies.txt \
    --save-cookies cookies.txt --no-check-certificate \
    --post-data "login=Login&usernamefld=admin&passwordfld=pfsense&__csrf_magic=$(cat csrf.txt)" \
    https://192.168.1.1/diag_backup.php \
    | grep "name='__csrf_magic'" \
    | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
• Submit the download form along with the second CSRF token to save a copy of config.xml:
$ wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
    --post-data "download=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" \
    https://192.168.1.1/diag_backup.php -O config-router-`date +%Y%m%d%H%M%S`.xml
Note: The behavior of variable expansion and other aspects of the commands may vary by shell. This example uses
bash for the client shell.
Replace the username and password with the credentials for the firewall. Use whichever firewall IP address is
reachable from the client performing the backup, and use http:// or https:// in the URLs to match the protocol of the
firewall GUI.
There are additional parameters which can control the contents of the backup in several ways:
• To backup the RRD files, remove the &donotbackuprrd=yes parameter from the post data string on the
last command.
• To include extra data such as DHCP leases and captive portal databases, add &backupdata=yes to the post
data string on the last command.
• To include the SSH keys for the firewall, add &backupssh=yes to the post data string on the last command.
The client performing the backup will also need access to the GUI, so adjust the firewall rules accordingly. Performing
this type of backup over an Internet-connected WAN is not secure. At a minimum, use HTTPS and restrict access to
the GUI to a trusted set of public IP addresses. A better practice is to do this locally or over a VPN.
Using cURL
The same task can be accomplished using cURL instead of wget. The same caveat applies: -k disables certificate
verification, so on an untrusted network replace it with --cacert and a copy of the GUI certificate (or its issuing CA).
• Fetch the login form and save the cookies and CSRF token:
$ curl -L -k --cookie-jar cookies.txt \
    https://192.168.1.1/ \
    | grep "name='__csrf_magic'" \
    | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
• Submit the login form to complete the login procedure:
$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
    --data-urlencode "login=Login" \
    --data-urlencode "usernamefld=admin" \
    --data-urlencode "passwordfld=pfsense" \
    --data-urlencode "__csrf_magic=$(cat csrf.txt)" \
    https://192.168.1.1/ > /dev/null
Now the script is logged in and can perform actions.
• Fetch the target page to obtain a new CSRF token:
$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
    https://192.168.1.1/diag_backup.php \
    | grep "name='__csrf_magic'" \
    | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
• Download the backup:
$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
    --data-urlencode "download=download" \
    --data-urlencode "donotbackuprrd=yes" \
    --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \
    https://192.168.1.1/diag_backup.php > config-router-`date +%Y%m%d%H%M%S`.xml
Note: The behavior of variable expansion and other aspects of the commands may vary by shell. This example uses
bash for the client shell.
There are additional parameters which can control the contents of the backup in several ways:
• To backup the RRD files, remove the --data-urlencode "donotbackuprrd=yes" parameter from the last
command.
• To include extra data such as DHCP leases and captive portal databases, add --data-urlencode
"backupdata=yes" to the last command.
• To include the SSH keys for the firewall, add --data-urlencode "backupssh=yes" to the last command.
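The pull procedure above, scripted as a function with the two weaknesses the warnings call out removed: the certificate is verified against an exported copy (curl's --cacert) instead of being ignored with -k, and the password is read from a file rather than placed on the command line where other users could see it. This is an added example and not part of the pfSense documentation or the project's own tooling. The host, user, the pass.txt and gui-cert.pem files and the output name are placeholders. It also refuses to keep a download that is not a configuration file, which is what an expired session or a failed login hands back with HTTP 200.

```shell
#!/bin/sh
# Pull a pfSense configuration backup over HTTPS with the certificate verified.
# Added example, not from the pfSense documentation. Assumptions: the GUI
# certificate (or the CA that issued it) has been exported to the PEM file
# given as CAFILE, and PASSFILE holds the GUI password with no trailing newline.
set -u

# Print the __csrf_magic token from a pfSense GUI page read on stdin. Anchoring
# on the field name means an unrelated value="..." earlier on the same line
# cannot be picked up by mistake.
extract_csrf() {
    sed -n "s/.*name='__csrf_magic'[^>]*value=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Succeed only if FILE looks like a configuration: XML prolog first and a
# <pfsense> element after it. A login page or an error page that arrives with
# HTTP 200 fails this check instead of being kept as a "backup".
looks_like_config() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "<?xml" ] && grep -q '<pfsense' "$1"
}

# pull_config HOST USER PASSFILE CAFILE OUTFILE
# The same four steps as the cURL procedure above, with three changes:
# --cacert instead of -k, --fail so HTTP errors are not saved as output, and
# the password read from a file so it never appears in the process list.
pull_config() {
    host=$1; user=$2; passfile=$3; cafile=$4; out=$5
    jar=$(mktemp) || return 1
    fw_curl() { curl -sS --fail --cacert "$cafile" -b "$jar" -c "$jar" "$@"; }

    # 1. login page: session cookie plus the first CSRF token
    tok=$(fw_curl "https://$host/" | extract_csrf)
    [ -n "$tok" ] || { rm -f "$jar"; echo "no CSRF token on login page" >&2; return 1; }

    # 2. log in; "name@file" makes curl read and URL-encode the file contents
    fw_curl -o /dev/null \
        --data-urlencode "login=Login" \
        --data-urlencode "usernamefld=$user" \
        --data-urlencode "passwordfld@$passfile" \
        --data-urlencode "__csrf_magic=$tok" \
        "https://$host/" || { rm -f "$jar"; return 1; }

    # 3. the backup page issues a fresh token; the login token cannot be reused
    tok=$(fw_curl "https://$host/diag_backup.php" | extract_csrf)
    [ -n "$tok" ] || { rm -f "$jar"; echo "login failed or no token on backup page" >&2; return 1; }

    # 4. request the download (add backupdata=yes etc. here as needed)
    fw_curl -o "$out" \
        --data-urlencode "download=download" \
        --data-urlencode "donotbackuprrd=yes" \
        --data-urlencode "__csrf_magic=$tok" \
        "https://$host/diag_backup.php"
    rc=$?
    rm -f "$jar"
    [ "$rc" -eq 0 ] || return 1
    looks_like_config "$out" || { rm -f "$out"; echo "downloaded file is not a pfSense config" >&2; return 1; }
}

# Usage: ./pull-config.sh 192.168.1.1 admin pass.txt gui-cert.pem \
#            config-router-$(date +%Y%m%d%H%M%S).xml
if [ $# -eq 5 ]; then pull_config "$@"; fi
```

Create the password file with printf '%s' 'the-password' > pass.txt (no trailing newline, since curl encodes the whole file) and chmod 600 it; export the GUI certificate or its CA from the firewall's certificate manager to gui-cert.pem. With a certificate issued by a CA the client already trusts, --cacert can be dropped and curl's normal verification applies.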
9.4.2 Push with SCP
The scp command can push the configuration file from the firewall to another host. Using scp to push a one-time
backup by hand can be useful, but using it in an automated fashion carries risks. The command line for scp varies
depending on the system configuration, but will be close to the following:
$ scp /cf/conf/config.xml \
    user@backuphost:backups/config-`hostname`-`date +%Y%m%d%H%M%S`.xml
Pushing the configuration in an automated manner requires the firewall administrator to generate an SSH key without
a passphrase. Due to the insecure nature of a key without a passphrase, generating such a key is left as an exercise
for the reader. This adds risk due to the fact that anyone with access to that file has access to the designated account,
though because the key is kept on the firewall where access is restricted, it isn’t a considerable risk in most scenarios.
Ensure the remote user is isolated and has little to no privileges on the destination system.
A chrooted scp environment may be desirable in this case. The scponly shell is available for most UNIX platforms
which allows SCP file copies but denies interactive login capabilities. Some versions of OpenSSH have chroot support
built in for sftp (Secure FTP). These steps greatly limit the risk of compromise with respect to the remote server, but
still leave the backed up data at risk. Once access is configured, a cron entry could be added to the firewall to invoke
scp.
A summary of the setup is as follows:
• Generate an ssh key for the root user on the firewall without a passphrase. (Warning: dangerous!)
• Add a user to a remote system, and add the new public key to its ~/.ssh/authorized_keys file
• Create a cron job on the firewall that would copy /cf/conf/config.xml to the remote system with scp
9.4.3 Basic SSH backup
Similar to the scp backup, there is another method that will work from one UNIX system to another. This method
does not invoke the SCP/SFTP layer, which in some cases may not function properly if a system is already in a failing
state:
$ ssh root@192.168.1.1 cat /cf/conf/config.xml > backup.xml
When executed, that command will yield a file called backup.xml in the current working directory that contains
the remote firewall configuration. Automating this method using cron is also possible, but it requires an SSH key
without a passphrase on the host performing the backup. Unless restricted, this key grants administrative access to
the firewall, so it must be tightly controlled. (See Secure Shell (SSH) for details.)
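For both the push and the pull variants, the risk described in the two sections above comes from a passphrase-less key that can run anything. OpenSSH's authorized_keys options (restrict and command=) pin a key to a single command, and a receiving script on the backup host that only ever adds new files turns the push into a write-only drop box: a stolen firewall key can then add backups but not read, overwrite or delete them, and a pull key on the firewall can only read config.xml. The following is an added example, not part of the pfSense documentation; the backup account name, the /var/backups/pfsense directory and the script path are placeholders, and it assumes OpenSSH 7.2 or newer on the receiving side (for the restrict option).

```shell
#!/bin/sh
# Write-only receiver for configuration backups pushed from a firewall over SSH.
# Added example, not from the pfSense documentation. Assumed layout: backups
# land in $BACKUP_DIR (default /var/backups/pfsense), one timestamped file per
# push, and the firewall's key is bound to this script via a forced command.
#
# On the backup host, pin the firewall's public key to this script so the key
# can do nothing else (no shell, no forwarding, no arbitrary scp destination):
#
#   ~backup/.ssh/authorized_keys:
#   restrict,command="/usr/local/bin/backup-receive fw1" ssh-ed25519 AAAA... root@fw1
#
# The firewall's cron job then pushes with plain ssh instead of scp, so the
# firewall never chooses the destination filename:
#
#   ssh -i /root/.ssh/id_ed25519_backup backup@backuphost < /cf/conf/config.xml
#
# For the pull variant (key held on the backup host), the same option on the
# firewall turns an administrative key into a read-only one:
#
#   restrict,command="cat /cf/conf/config.xml" ssh-ed25519 AAAA... backup@backuphost
set -u
BACKUP_DIR=${BACKUP_DIR:-/var/backups/pfsense}
MAX_BYTES=${MAX_BYTES:-67108864}   # 64 MiB; a config.xml is normally far smaller

# Sanity-check a received file: XML prolog, a <pfsense> element and its closing
# tag, so a truncated or interrupted push is not kept as a "backup".
is_pfsense_config() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "<?xml" ] \
        && grep -q '<pfsense' "$1" && grep -q '</pfsense>' "$1"
}

# backup_receive NAME   (stdin: the pushed config)
# Writes NAME-YYYYmmddHHMMSS.xml into BACKUP_DIR and prints the path. It never
# overwrites or deletes, so a compromised firewall key can only add files and
# cannot destroy the history. Keeps nothing and returns 1 on bad input.
backup_receive() {
    # NAME comes from authorized_keys, never from the client; still refuse
    # anything that could be a path component or a hidden file.
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) echo "bad name" >&2; return 1 ;;
    esac
    name=$1
    mkdir -p "$BACKUP_DIR" || return 1
    tmp=$(mktemp "$BACKUP_DIR/.incoming.XXXXXX") || return 1
    # bounded copy of stdin, so a holder of the key cannot fill the disk
    head -c "$MAX_BYTES" > "$tmp"
    if ! is_pfsense_config "$tmp"; then
        rm -f "$tmp"; echo "rejected: not a complete pfSense config" >&2; return 1
    fi
    dest="$BACKUP_DIR/$name-$(date +%Y%m%d%H%M%S).xml"
    [ -e "$dest" ] && dest="$BACKUP_DIR/$name-$(date +%Y%m%d%H%M%S)-$$.xml"
    chmod 0400 "$tmp" && mv -n "$tmp" "$dest" && printf '%s\n' "$dest"
}

# Under sshd's forced command, SSH_ORIGINAL_COMMAND carries whatever the client
# asked for; it is deliberately ignored. The NAME argument comes from the
# authorized_keys line.
if [ $# -eq 1 ]; then
    backup_receive "$1"
fi
```

Files are created mode 0400 and owned by the backup account, so the pushing side cannot read them back through the same key either; retention (pruning old files) belongs to a separate job under a different account, not to the key the firewall holds.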
9.5 Restoring from Backups
Backups are not useful without a means to restore them, and by extension, test them. Several means for restoring
configurations are available in pfSense® software. Each method has the same end result: a running firewall identical
to when the backup was made.
9.5.1 Backup Compatibility
The version of pfSense Plus or pfSense CE software is not as important as the Configuration Revision number when
determining backup compatibility. Differences in the configuration revision number indicate changes in the format of
the configuration data which makes them not directly compatible.
See also:
There is a list of software versions and their corresponding configuration revision numbers at Versions of pfSense
software and FreeBSD.
Backups using the same configuration revision can be restored as-is, both for complete configuration backups and
partial (section-based) backups.
Complete backups with a lower configuration revision can be restored to a current version. The upgrade code will
adjust the values in the configuration to convert it into a current format.
Partial (section-based) backups cannot be restored if they were taken on a version with a different configuration
revision, as there is no mechanism for the upgrade code to handle partial backups.
Backups with a higher configuration revision cannot be restored to an older version. There is no mechanism to
downgrade a configuration as the older version will have no knowledge of changes which happened in future versions
of the software.
Restoring between pfSense CE and pfSense Plus or vice versa may work in many cases, but results depend upon the
target hardware and version. For example, restoring to pfSense Plus on hardware with an integrated Ethernet switch
may require manual adjustments. Contact Netgate TAC for specific guidance.
9.5.2 Restoring with the GUI
The easiest way for most users to restore a configuration is by using the GUI:
• Navigate to Diagnostics > Backup & Restore
• Locate the Restore Backup section (Figure GUI Restore).
• Select the area to restore, or leave at the default selection for a complete backup.
Note: This value must match the Backup area chosen when creating the backup.
• Click Browse
• Locate the backup file on the local PC
• Click Restore Configuration
The firewall will then apply the configuration and reboot with the settings obtained from the backup file.
While easy to work with, this method has prerequisites when dealing with a full restore to a new installation. First, it
would need to be done after the new target system is fully installed and running. Second, it requires an additional PC
connected to a working network or crossover cable behind the firewall being restored.
Fig. 7: GUI Restore
Restore Options
Restore Area Restores a backup containing only a single configuration area, rather than a complete con-
figuration backup.
Warning: Restoring a single area does not trigger a reboot nor does it cause any part of the
configuration to be reapplied. To ensure the restored configuration area is active, issue a reboot
or manually refresh the configuration for the relevant area after restore (e.g. edit/save/apply on a
page, issue a filter reload, etc).
Warning: When restoring a single area, the area being restored must be from the same ver-
sion. Single areas do not support running upgrade code on the configuration, and thus cannot be
adjusted if the format of the area changed from a previous version.
Warning: This does not restore one area from a full backup, the backup file must only contain
the area to restore.
Note: This value must match the Backup area chosen when creating the backup.
Configuration File A Browse button to select a backup file to upload and restore.
Preserve Switch Configuration This option is available on Netgate hardware with integrated switches.
When set, the current active switch configuration will be copied into the restored configuration,
preserving it for later use. This makes it easier to restore a configuration from hardware without an
integrated switch.
Note: This only copies the integrated switch configuration, and does not copy VLAN or LAGG in-
terface entries which may be relevant to using the switch. This behavior is safer, as the configuration
being restored may also contain important configuration data in those areas.
Encryption When set, a Password field is presented, the contents of which is used by the firewall to
decrypt the contents of the backup file before restoring the configuration.
9.5.3 Restoring from the Config History
For minor problems, using one of the internal backups on the firewall is the easiest way to back out a change. The
previous 30 configurations are stored in the Configuration History, along with the current running configuration.
Each row in the configuration history list shows the date the configuration file was made, the configuration version,
the user and IP address of a person making a change in the GUI, the page that made the change, and in some cases, a
brief description of the change that was made. The action buttons to the right of each row show a description of what
they do when the mouse pointer is hovered over the button.
To restore a configuration from the history:
• Navigate to Diagnostics > Backup & Restore
• Click the Config History tab (Figure Configuration History)
• Locate the desired backup in the list
• Click to restore that configuration file
Fig. 8: Configuration History
Restoring a configuration with this method does not initiate an automatic reboot. Minor changes do not require a
reboot, though reverting some major changes will.
If a change was only made in one specific section, such as firewall rules, trigger a refresh in that area of the GUI
to enable the changes. For firewall rules, a filter reload would be sufficient. For OpenVPN, edit and save the VPN
instance. The necessary actions to take depend on the changes in the restored configuration, but the best way ensure
that the full configuration is active is to reboot.
If necessary, reboot the firewall with the new configuration by going to Diagnostics > Reboot System and click Yes.
Previously saved configurations may be deleted by clicking , but do not delete them by hand to save space; the
old configuration backups are automatically deleted when new ones are created. It is desirable to remove a backup
from a known-bad configuration change to ensure that it is not accidentally restored.
A copy of the previous configuration may be downloaded by clicking .
Configuration Backup Cache Settings
The amount of backups stored in the configuration history may be changed if needed.
• Navigate to Diagnostics > Backup & Restore
• Click the Config History tab
• Click at the right end of the Configuration Backup Cache Settings bar to expand the settings
• Enter the new number of configurations to retain in the Backup Count field
• Click Save
Along with the configuration count, the page also displays the amount of space consumed by the backup cache.
Config History Diff
The differences between any two configuration files may be viewed in the Config History tab. To the left of the
configuration file list there are two columns of radio buttons. Use the leftmost column to select the older of the two
configuration files, and then use the right column to select the newer of the two files. Once both files have been
selected, click Diff at either the top or bottom of the column.
Console Configuration History
The configuration history is also available from the console menu as option 15, Restore Recent Configuration. The
menu selection will list recent configuration files and offer to restore one. This is useful if a recent change has locked
administrators out of the GUI or taken the firewall off the network.
9.5.4 Restoring by Mounting the Disk
Attaching the disk from an installation of pfSense software to a computer running FreeBSD enables the drive to
be mounted by the FreeBSD host and a new configuration may be copied directly onto the installed system, or a
configuration file from a failed system may be copied off.
Note: This can also be performed on a separate installation of pfSense in place of a computer running FreeBSD, but
do not use an active production firewall for this purpose. Instead, use a spare or test firewall.
On the firewall, config.xml is kept in /cf/conf/. When the disk is attached to another host, that directory sits
under the mount point of the root filesystem: typically the da0p2 slice on a UFS install, or the active boot
environment dataset on ZFS. The drive and partition name will vary depending on disk type and position in the host.
9.5.5 Encrypted Configuration files
The GUI can automatically determine the correct decryption method when restoring an encrypted configuration backup
file, whether it’s from a current version or an older version. When restoring an encrypted configuration file, check
Configuration file is encrypted then enter the password in the Password field, and restore as usual from there.
Encrypted configuration files can be manually decrypted using the correct password for offline inspection.
The method used to encrypt configuration files has changed in recent versions, so use the method appropriate for the
version which generated the encrypted configuration file.
In any of the following cases, replace <PASSWORD> with the appropriate password string, and change the filenames
as needed. Note that -pass pass:<PASSWORD> places the password on the command line, where other users on the
workstation can read it from the process list; openssl also accepts -pass file:<path> and -pass env:<variable>.
Plus 22.05 and CE 2.7.0 and later
These versions derive the key with PBKDF2 (SHA-256) using a high iteration count:
$ openssl enc -d -a -aes-256-cbc \
    -in config-encrypted.xml -out decryptedfile.xml \
    -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2 -iter 500000
These versions also include a PHP shell script which can encrypt and decrypt configurations from a shell on the
firewall itself:
$ pfSsh.php playback cryptconfig \
    decrypt /root/config-encrypted.xml /root/decryptedfile.xml
The script will prompt for the decryption password.
Plus 21.02 through 22.01 / CE 2.5.x through CE 2.6.x
These versions also derive the key with PBKDF2 (SHA-256), but with the default OpenSSL iteration count:
$ openssl enc -d -a -aes-256-cbc \
    -in config-encrypted.xml -out decryptedfile.xml \
    -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2
Older versions
Versions before those use the legacy OpenSSL key derivation (EVP_BytesToKey with MD5):
$ openssl enc -d -a -aes-256-cbc \
    -in config-encrypted.xml -out decryptedfile.xml \
    -pass pass:<PASSWORD> -salt -md md5
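The file itself does not tell openssl which of the three parameter sets was used, so a decryption helper has to try them. The following is an added example, not part of the pfSense documentation or the cryptconfig script. It attempts the parameter sets newest first, takes the password from an environment variable (openssl's -pass env:) so it stays out of the process list, keeps only base64 lines from the input so any wrapper lines around the payload are ignored (an assumption about the file layout, harmless if there are none), and verifies that the result actually is a configuration rather than trusting openssl's padding check alone, because a wrong password or wrong parameters pass that check about one time in 256 and yield random bytes.

```shell
#!/bin/sh
# Decrypt a pfSense encrypted configuration backup, trying each generation of
# parameters in turn. Added example, not from the pfSense documentation. The
# password is taken from the CONFIG_PASS environment variable rather than the
# command line. Assumption: only the base64 payload lines of the file are
# meant for openssl; any other lines are wrapper text and are dropped.
set -u

# Succeeds only if the plaintext is a pfSense config. Wrong parameters or a
# wrong password normally make openssl fail on the padding check, but about
# 1 in 256 wrong keys produces valid padding and random bytes, so the output
# is inspected rather than trusted.
is_config_xml() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "<?xml" ] && grep -q '<pfsense' "$1"
}

# try_params PAYLOAD OUTFILE [key-derivation options...]
try_params() {
    enc=$1; out=$2; shift 2
    if openssl enc -d -a -aes-256-cbc -in "$enc" -out "$out" \
           -pass env:CONFIG_PASS -salt "$@" 2>/dev/null && is_config_xml "$out"; then
        return 0
    fi
    rm -f "$out"      # never leave a partial or garbage "config" behind
    return 1
}

# decrypt_config ENCRYPTED.xml DECRYPTED.xml
# Tries the parameter sets in the order they were introduced, newest first.
decrypt_config() {
    in=$1; out=$2
    [ -n "${CONFIG_PASS:-}" ] || { echo "set CONFIG_PASS first" >&2; return 1; }
    payload=$(mktemp) || return 1
    grep -E '^[A-Za-z0-9+/=]+$' "$in" > "$payload" || :
    if   try_params "$payload" "$out" -md sha256 -pbkdf2 -iter 500000; then gen="Plus 22.05 / CE 2.7.0 and later"
    elif try_params "$payload" "$out" -md sha256 -pbkdf2;              then gen="Plus 21.02-22.01 / CE 2.5.x-2.6.x"
    elif try_params "$payload" "$out" -md md5;                         then gen="legacy (older versions)"
    else
        rm -f "$payload"
        echo "decryption failed: wrong password or unknown format" >&2
        return 1
    fi
    rm -f "$payload"
    echo "decrypted with $gen parameters" >&2
}

# Usage: CONFIG_PASS='...' ./decrypt-config.sh config-encrypted.xml config.xml
if [ $# -eq 2 ]; then decrypt_config "$1" "$2"; fi
```

Because the newest parameter set is tried first, a current backup decrypts in one attempt; an older one costs one extra 500,000-iteration PBKDF2 run, which is a fraction of a second. The helper prints which generation matched, which is a quick way to confirm a backup came from the version it was expected to come from.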
9.6 Automatically Restore Configuration During Installation
In addition to restoring through the GUI, pfSense® software supports methods which restore a configuration to a new
setup without going through all the trouble of setting up a client and restoring using a web browser.
These methods are significantly easier than reconfiguring the LAN and restoring via the network, especially in complex
environments. The firewall will start up using the restored configuration immediately without needing intermediate
steps.
• Recover config.xml From Existing Installation
• Restore Configuration from USB During Install
• Restore using the External Configuration Locator (ECL)
9.6.1 Recover config.xml From Existing Installation
The installer has a Recover config.xml option which reads the configuration file from an existing installation before
starting the install process and puts it back in the exact same location when it finishes. This makes the feature useful
for upgrades, filesystem changes, or any other situation requiring a reinstallation on the same disk. In addition to
copying the existing configuration this function also attempts to copy the SSH host keys.
Note: The Recover config.xml option works on installations using either UFS or ZFS.
• Take a backup of the configuration before starting, if possible, in case this procedure does not work as expected
• Boot a pfSense software installation image
• Choose Recover config.xml when the option appears
• Select the existing installation drive (e.g. ada0)
The selection list shows the disk name, size, and filesystem type which is typically enough to identify the disk
• Wait a moment while the recovery process happens
The recovery process attempts to repair the filesystem on the disk up to 10 times, then mounts the disk and looks
for the existing configuration file. If it is able to find and read the configuration file, the recovery process copies
it to a temporary RAM disk during the installation process.
Note: The recovery process only briefly displays its output, so it can be difficult to spot whether it succeeded or
failed. If the process fails, the configuration either is not there or it was not recoverable. Either way, proceeding
is safe as it is unlikely the config.xml would be recovered from the drive by other means.
• Proceed through the installation as usual
At the end of the installation, the installer automatically copies the configuration from the temporary RAM disk back
to the target disk before rebooting.
The firewall will boot off the target disk with the configuration restored by the installer already in place. The firewall
will reinstall packages automatically in the background.
9.6.2 Restore Configuration from USB During Install
As part of the installation routine, the installer checks for an existing configuration on a USB drive formatted as FAT
or FAT32. If the installer can locate and read a configuration file, it copies the file to the target disk.
The configuration may include additional data from options on the backup page, such as RRD, SSH keys, DHCP lease
databases, and captive portal data. The configuration may also be encrypted, the installer will prompt for the password
to decrypt the configuration if necessary.
Warning: This feature does not support drives formatted with exFAT, only FAT or FAT32.
For this feature to work correctly, the USB drive must contain a partition table and it must not be formatted as a
raw device.
Tip: The pfSense software memstick installation image contains a FAT partition which the installer can use for this
purpose. If the partition is not visible on the workstation which wrote the memstick image, remove and reinsert the
USB drive.
• On a FAT/FAT32 formatted USB drive, make a directory called conf
• Copy a backup configuration file to the conf directory
• Rename the backup to config.xml
Example: If the USB drive is E:, the full path would be E:\conf\config.xml
Note: The installer also looks for config.xml in the root directory of the drive, but the best practice is to
place the file in the conf directory.
• Unmount/eject the USB drive, remove it, then plug it into the firewall
• Boot the install media (Memstick, disc, etc)
• Install to the target disk
Note: If the configuration on the USB drive is encrypted, the installer will prompt for the decryption password
near the end of the installation process.
• Reboot the firewall
• Remove the USB drive only AFTER the firewall has begun to reboot
Warning: If the USB drive is removed too early, it may still be mounted and the system will panic!
• Remove the install media as well at this point
The firewall will boot off the target disk with the restored configuration.
9.6.3 Restore using the External Configuration Locator (ECL)
pfSense software also includes a feature called the External Configuration Locator, or ECL for short. The ECL process
runs at boot time to, as the name implies, locate configuration files on external storage. If the ECL finds a configuration
file, it copies that file to the firewall disk, replacing any existing configuration.
Note: The ECL runs on every boot, so its use is not limited to fresh installations.
This procedure is nearly identical to the method in Restore Configuration from USB During Install, but the USB
disk containing the configuration does not need to be present during the installation. The same warnings from that
procedure also apply here.
• On a FAT, FAT32, or UFS formatted USB drive, make a directory called config
• Copy a backup configuration file to the config directory
• Rename the backup to config.xml
Example: If the USB drive is E:, the full path would be E:\config\config.xml.
Note: The ECL also looks for config.xml in the root directory of the drive, but the best practice is to place
the file in the config directory.
• Unmount/eject and remove the USB drive
• Install pfSense software as usual
This is optional, since the ECL runs on existing installations.
• Reboot the firewall
• Insert the USB drive containing the configuration while the firewall boots and the ECL will read in the configu-
ration file from there
Note: USB drives which only contain files can be inserted before the firewall boots. Bootable USB drives, such
as the installation memstick, should not be inserted until after the firewall has started to boot from its own disk.
This behavior will vary by target device and its boot preferences. Monitor the console to find the appropriate
timing.
Timing is also affected by the speed of the device. Slower systems may not mount the USB drive before the
ECL runs.
• Wait for the firewall to complete the boot process
• Check that the configuration was loaded properly
If the configuration did not load as expected, check the file location and name on the USB drive, and check the
timing of when the USB drive was present during the boot process, then start over. Monitor the console for
details.
• Remove the USB drive once the correct configuration file is in place
If this is the first boot post-installation, then this process also triggers reinstallation of packages listed in the restored
configuration.
Warning: This procedure will copy the config.xml file from the USB drive to the target drive at every boot.
However, the running firewall will not copy its own configuration back to the USB drive. Thus, leaving the drive
inserted in the firewall will result in losing all configuration changes not present in the configuration file on the
USB drive.
9.7 Restoring a Configuration File to a Different Version
Configurations are specific to a given version of pfSense® software. The configuration is the same on all platforms
and architectures using the same version of pfSense software. The version of FreeBSD used is not relevant.
Generally speaking, a complete older configuration can always be restored to a newer release of pfSense software.
The firewall will upgrade the configuration as needed, provided that it has the entire configuration and not a
partial copy.
A newer configuration cannot be restored to an older release that had a different configuration version. Certain
releases of pfSense software had the same configuration version, and restoring between those is possible, but still
not recommended. See Versions of pfSense software and FreeBSD to see which configuration versions were used on
specific releases.
A configuration section or partial configuration cannot be restored between different configuration versions. It may
work by pure luck, but often there are configuration format differences that require changes to be made to the older
configuration. These changes are automatic if a complete configuration is restored. If a partial restore is required,
perform a full upgrade in a test VM or lab and then copy the needed section out of the resulting config.xml
post-upgrade.
9.8 Caveats and Gotchas
While the configuration XML file kept by pfSense® software includes all of the settings, it does not include any
changes that may have been made to the system by hand, such as manual modifications of source code. Additionally
some packages require extra backup methods for their data.
The configuration file may contain sensitive information such as VPN keys or certificates, and passwords (other than
the admin password) in plain text. Some passwords must be available in plain text during run time, making secure
hashing of those passwords impossible (Password Storage Security Policies). Hence backup copies of these files must
also be protected in some way. If they are stored on removable media, take care with physical security of that media
and/or encrypt the drive.
If the GUI must be used over the WAN without a VPN connection, at least use HTTPS. Otherwise, a backup is
transmitted in the clear, including any sensitive information inside that backup file. We strongly recommend using a
trusted network or encrypted connection.
9.9 Password Storage Security Policies
Sensitive data such as PPPoE/PPTP client, PPTP VPN, DynDNS passwords as well as remote authentication servers
RADIUS (shared secret), LDAP (bind user password), and IPsec shared secrets, among others, appear in plain text
or with reversible Base64 encoding in the pfSense® software configuration file, config.xml. This is a deliberate
design decision in m0n0wall that has been carried over here.
Since the firewall cannot prompt the user for a password each time it is required, the implementations of affected areas
require plain text passwords to operate. pfSense software could, of course, use some snake oil encryption on those
passwords, but that would only create a false sense of security. Any encryption applied to the passwords could be
reversed by anyone with access to the source code (i.e. everybody). Hashes like SHA256 cannot be used where the
plain text password is needed at a later stage, unlike for the system password, which is only stored as a hash.
By leaving the passwords in plain text, it is very clear that config.xml deserves to be stored in a secure location
(and/or encrypted with one of the countless programs out there). Any sort of hashing used would not be secure, and
would be dangerous because it would give the impression of security where none exists.
See also:
• Backup Files and Directories with the Backup Package
Thanks to the XML-based configuration file used by pfSense® software, backups are a breeze. All of the settings for
the system are held in one single file (see XML Configuration File). In the vast majority of cases, this one file can be
used to restore a system to a fully working state identical to what was running previously. There is no need to make
an entire system backup, as the base system files are not modified by a normal, running, system.
Note: In rare cases, packages may store files outside of config.xml, check the package documentation for additional
information and backup suggestions.
9.10 Backup Strategies
The optimal backup strategy can be summarized in the following points:
• Take frequent backups
• Keep multiple copies of backups in a safe location off the firewall
• Periodically test backups
The remainder of this section expands on these points.
The best practice is to make a backup after each minor change, and both before and after each major change or series
of changes. Typically, an initial backup is taken in case the change being made has undesirable effects. An after-the-
fact backup is taken after evaluating the change and ensuring it had the intended outcome. Periodic backups are also
helpful, regardless of changes, especially in cases where a manual backup may be missed.
pfSense software makes an internal backup upon each change, and the best practice is to download a manual backup as
well. The automatic backups made on each change are useful for reverting to prior configurations after changes have
proven detrimental, but are not good for disaster recovery as they are on the system itself and not kept externally. As
it is a fairly simple and painless process, administrators should make a habit of downloading a backup now and then
and keeping it in a safe place. Backups may be handled easily and automatically using the free AutoConfigBackup
service.
Tip: Backup files can contain sensitive information, so carefully consider security measures for backups kept off the
firewall. If they are on other network file shares, ensure access is restricted. For offline backups, consider physical
security measures such as keeping media containing backups in a fire safe and at a remote secure location such as a
second office or bank safety deposit box.
If changes have been made to system files, such as custom patches or code alterations, those changes must be backed
up manually or with the backup package described in Backup Files and Directories with the Backup Package, as they
will not be backed up or restored by the built-in backup system. This includes alterations to system files mentioned
elsewhere in the documentation, such as /boot/device.hints, /boot/loader.conf.local, and others.
Note: Custom patches should be handled using the System Patches package, which is backed up with config.xml,
rather than saving manually patched files.
In addition to making backups, backups must also be tested. Before placing a system into production, back up the
configuration, wipe the disk, and then attempt some of the different restoration techniques in this chapter. The best
practice is to periodically test backups on a non-production machine or virtual machine. The only thing worse than a
missing backup is an unusable backup!
RRD graph data can optionally be held in the XML configuration file backup. This behavior is disabled by default due
to the resulting size of the backup file. There are also other ways to ensure this data is backed up safely. See Backup
Files and Directories with the Backup Package later in this chapter.
CHAPTER
TEN
INTERFACE TYPES AND CONFIGURATION
10.1 WAN vs LAN Interfaces
pfSense® software treats interfaces differently based on whether they act as a WAN type interface (e.g. connection
to an upstream network) or a LAN type interface (e.g. connection to an internal network). Most traditional
interfaces will fall into one of the two categories, with VPN interfaces being more of a gray area.
Note: The NAT portions of this document only refer to IPv4 behavior, not IPv6.
10.1.1 Choosing between WAN and LAN Types
The IPv4 Upstream Gateway and IPv6 Upstream Gateway options on the interface configuration control whether
the firewall considers an assigned interface as a WAN or LAN type interface.
If an interface has a gateway selected, the firewall treats it as a WAN type interface. If an interface does not have a
gateway selected, the firewall treats it as a LAN type interface.
There is no way to change the default behavior of dynamic interface types such as DHCP, PPP, and most assigned
VPN interfaces. The GUI hides the gateway options on the interface configuration for these types of interfaces. The
behavior of these interfaces is noted in the remainder of this document where relevant.
No matter how the firewall treats an interface by default, the firewall behavior can almost always be adjusted through
the use of options in the GUI.
10.1.2 WAN Type Interface
A WAN type interface is an interface through which the Internet can be reached, directly or indirectly. The firewall
treats any interface with a gateway selected on its interface configuration as a WAN type interface. Dynamic IP address
interfaces such as DHCP and PPP receive a dynamic gateway automatically and the firewall always considers them
WAN interfaces.
For example, a static IP address WAN (e.g. Interfaces > WAN) would typically have a gateway selected such as
WAN_GW. If this gateway selection is not present the firewall will treat the interface as a LAN type interface instead.
The firewall behavior changes in several ways for WAN type interfaces:
• The firewall performs outbound NAT on traffic exiting a WAN type interface when using Automatic or Hybrid
outbound NAT modes.
• The firewall will not perform outbound NAT for traffic originating from the subnet(s) directly attached to a
WAN type interface when using Automatic or Hybrid outbound NAT modes.
• The firewall includes a WAN type interface in the count of WAN interfaces for Multi-WAN features. Some
functions are hidden unless the firewall has more than one WAN type interface.
• The firewall adds reply-to to firewall rules on a WAN type interface which returns packets for connections
coming in through that WAN back out via the same WAN where possible.
Note: This behavior can be overridden on a per-rule basis using the option on firewall rules or it can be disabled
globally on System > Advanced, Firewall & NAT tab.
• The firewall adds route-to to automatic firewall rules for outbound traffic on a WAN type interface which
ensures outbound traffic on the interface is sent to the configured gateway.
• The traffic shaper wizard treats a WAN type interface as a WAN.
• The DNS Resolver will not allow queries from the subnet(s) on a WAN type interface without a manual ACL
entry.
10.1.3 LAN Type Interface
A LAN type interface is an interface which connects to a local network, for example a LAN, DMZ, management
network, guest network, and so on. Typically this also includes site-to-site links used to reach other local or internal
networks, such as VPNs and private or dedicated circuits.
The firewall treats any assigned interface without a gateway selected on its interface configuration as a LAN type
interface.
Warning: Do not select a gateway on the Interfaces menu entry for local interfaces such as LAN or for site-to-site
VPNs.
Local and other interfaces may have a gateway defined under System > Routing so long as that gateway is not
selected on its interface configuration.
The firewall behavior changes in several ways for LAN type interfaces:
• The firewall will perform outbound NAT for traffic originating from the subnet(s) directly attached to a LAN
type interface when that traffic exits a WAN type interface and Automatic or Hybrid outbound NAT mode is
active.
• If NAT reflection is active the firewall will create NAT reflection rules which allow clients on LAN type interfaces
to access port forwards from behind the firewall.
Note: This behavior can be changed on a per-rule basis using the option on NAT rules or it can be controlled
globally on System > Advanced, Firewall & NAT tab.
• The firewall will not perform outbound NAT on traffic exiting a LAN type interface when using Automatic or
Hybrid outbound NAT mode.
• The firewall does not add reply-to or route-to to firewall rules on a LAN type interface.
• The traffic shaper wizard treats a LAN type interface as a LAN.
• The DNS Resolver automatically allows queries from the subnet(s) on a LAN type interface.
10.1.4 VPN Interfaces
Assigned IPsec VTI and OpenVPN interfaces are treated differently than traditional interfaces. Most, but not all, of
these points also apply to assigned GRE and GIF tunnel interfaces.
VPNs have numerous use cases which are similar to both LAN and WAN type interfaces, and in some cases both.
For example a VPN could be for site-to-site links, remote access for mobile clients, or for connecting to the Internet
through a VPN provider. The default behavior of the firewall attempts to balance the most common user needs and
expectations when handling assigned VPN interfaces.
Note: Currently WireGuard interfaces act similarly to traditional interfaces when assigned, so their behavior primarily
depends upon whether or not a gateway is selected in their interface configuration.
• The firewall treats an assigned VPN interface as a LAN type interface for NAT, which means that it lists the
subnets on these interfaces as traffic sources for outbound NAT and it does not perform outbound NAT on traffic
exiting these interfaces.
In most cases a user does not expect the firewall to perform NAT on VPN traffic by default. Outbound NAT
rules in Hybrid or Manual outbound NAT modes can make the firewall perform outbound NAT if a use case
requires NAT.
• The firewall treats an assigned VPN interface as a WAN type interface for traffic shaping if a VPN interface is
capable of using ALTQ traffic shaping.
• The firewall treats an assigned VPN interface as a WAN interface for firewall rule attributes such as reply-to
and route-to. This ensures that traffic entering the firewall over a specific VPN connection returns back
through the same VPN.
• The DNS Resolver treats an assigned VPN interface as a LAN interface and allows queries from subnet(s)
configured on the VPN.
Note: Firewall features such as per-interface rules, NAT, and reply-to do not work with IPsec VTI interfaces by
default. The IPsec Filter Mode setting can allow IPsec VTI interfaces to utilize these features. See Advanced IPsec
Settings.
10.1.5 Verifying an Interface Type
There are a couple of ways to confirm whether the firewall is treating an interface as a WAN or a LAN.
The interface status page (Status > Interfaces) is useful for determining the interface type. For non-VPN interfaces
the presence of the Gateway IPv4 and/or Gateway IPv6 attribute on an interface indicates that the firewall considers
it as a WAN type interface.
The next easiest method is to check the outbound NAT settings at Firewall > NAT, Outbound tab. Check the Automatic
Rules section if the mode is set to Automatic or Hybrid. WAN type interfaces will have rules in the list with
their name in the Interface column. LAN type interfaces have their subnets listed in the Source column of each rule.
Note: If the outbound NAT mode is Automatic or Hybrid and there are no entries in the Automatic Rules list, that
generally indicates that the firewall has either no WAN type interfaces or no LAN type interfaces. Check the gateway
settings on each assigned interface and ensure that all WAN interfaces have a gateway selected and that no LAN
interfaces have a gateway selected.
Another method is to start a traffic shaper wizard (Firewall > Traffic Shaper, Wizards tab) and step through until the
wizard lists the interfaces. From there, check if an interface is present in either the LAN or WAN interface selection
lists.
Note: This method will not work for interface types which do not support ALTQ traffic shaping.
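The type rules and the Automatic Rules listing described in this section, as an added Python model (not pfSense code); it assumes a hypothetical Interface record with the fields shown, and the interface names, gateways and subnets in it are constructed sample values.

```python
"""Simplified model of the WAN vs LAN type rules in this section.

Added illustration, not pfSense code. It mirrors the documented behavior:
gateway selected => WAN type, dynamic types always WAN type, assigned VPN
interfaces LAN type for NAT but WAN type for reply-to/route-to, and the
Automatic outbound NAT list built from (WAN interface, LAN subnet) pairs.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

# IPv4 configuration types that always receive a dynamic gateway.
DYNAMIC_WAN_TYPES = {"dhcp", "ppp", "pppoe", "pptp", "l2tp"}
# Assigned VPN interface kinds with the special handling described above.
VPN_TYPES = {"ipsec_vti", "openvpn"}


@dataclass
class Interface:              # hypothetical record, not a pfSense structure
    name: str
    ipv4_type: str            # "static", "dhcp", "pppoe", "openvpn", ...
    subnets: List[str] = field(default_factory=list)  # attached IPv4 subnets
    gateway: Optional[str] = None   # gateway selected on the interface page


def nat_type(iface: Interface) -> str:
    """Return "WAN" or "LAN": how Automatic/Hybrid outbound NAT treats it."""
    if iface.ipv4_type in VPN_TYPES:
        return "LAN"          # VPN subnets are NAT sources; no NAT leaving them
    if iface.ipv4_type in DYNAMIC_WAN_TYPES:
        return "WAN"          # dynamic gateway, always a WAN type
    return "WAN" if iface.gateway else "LAN"


def uses_reply_to(iface: Interface) -> bool:
    """reply-to/route-to go on WAN type interfaces and on assigned VPNs."""
    return iface.ipv4_type in VPN_TYPES or nat_type(iface) == "WAN"


def automatic_outbound_nat(interfaces: List[Interface]) -> List[dict]:
    """Build the Automatic Rules list: one rule per (WAN, LAN subnet) pair.

    A WAN's own attached subnet is never a source, so only LAN type subnets
    appear. An empty list means no WAN type or no LAN type interface exists.
    """
    wans = [i for i in interfaces if nat_type(i) == "WAN"]
    lans = [i for i in interfaces if nat_type(i) == "LAN"]
    rules = []
    for wan in wans:
        for lan in lans:
            for subnet in lan.subnets:
                net = ipaddress.IPv4Network(subnet, strict=False)
                rules.append({"interface": wan.name, "source": str(net)})
    return rules


def diagnose_empty_rules(interfaces: List[Interface]) -> str:
    """Explain an empty Automatic Rules list, following the note above."""
    wans = [i.name for i in interfaces if nat_type(i) == "WAN"]
    lans = [i.name for i in interfaces if nat_type(i) == "LAN"]
    if wans and lans:
        return "ok"
    if not wans:
        return "no WAN type interface: no interface has a gateway selected"
    return ("no LAN type interface: a gateway is selected on every interface "
            f"({', '.join(wans)}); clear it on local interfaces")


if __name__ == "__main__":
    # Constructed sample: a static WAN with a gateway, LAN and DMZ without one.
    ifaces = [Interface("WAN", "static", ["203.0.113.2/24"], gateway="WAN_GW"),
              Interface("LAN", "static", ["192.168.1.0/24"]),
              Interface("DMZ", "static", ["10.0.0.0/24"])]
    for rule in automatic_outbound_nat(ifaces):
        print(rule)
    print(diagnose_empty_rules(ifaces))
```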
10.2 Interface Configuration
To assign a new interface:
• Navigate to Interfaces > Assignments
• Pick the new interface from the Available network ports list
• Click Add
The newly assigned interface will be shown in the list. The new interface will have a default name allocated by the
firewall such as OPT1 or OPT2, with the number increasing based on its assignment order. The first two interfaces
default to the names WAN and LAN but they can be renamed. These OPTx names appear under the Interfaces menu,
such as Interfaces > OPT1. Selecting the menu option for the interface will open the configuration page for that
interface.
10.2.1 General Configuration
The following options are available for all interface types.
Description The name of the interface. Interface names may only contain letters, numbers, and the underscore
(_); no other special characters are allowed.
This changes the name of the interface on the Interfaces menu, on the tabs under Firewall > Rules,
under Services > DHCP, and elsewhere throughout the GUI. Using a custom name makes it easier
to remember the purpose of an interface and to identify an interface for adding firewall rules or
choosing other per-interface functionality.
IPv4 Configuration Type Configures the IPv4 settings for the interface. Details for this option are in the
next section, IPv4 Configuration Types.
IPv6 Configuration Type Configures the IPv6 settings for the interface. Details for this option are in
IPv6 Configuration Types.
MAC address The MAC address of an interface can be changed (“spoofed”) to mimic a previous piece
of equipment, depending on the type of interface.
Warning: The best practice is to not force a specific MAC address. The old MAC address
will generally be cleared out by resetting the equipment to which this firewall connects, or by
clearing the ARP table, or waiting for the old ARP entries to expire. Changing the MAC address
is a long-term solution to a temporary problem.
Spoofing the MAC address of the previous firewall can allow for a smooth transition from an old
router to a new router, so that ARP caches on devices and upstream routers are not a concern. It can
also be used to fool a piece of equipment into believing that it’s talking to the same device that it
was talking to before, as in cases where a certain network router is using static ARP or otherwise
filters based on MAC address. This is common on cable modems, where they may require the MAC
address to be registered if it changes.
Note: ARP cache problems tend to be very temporary, resolving automatically within minutes or
by power cycling other equipment.
One downside to spoofing the MAC address is that unless the old piece of equipment is permanently
retired, there is a risk of later having a MAC address conflict on the network, which can lead to
connectivity problems.
If the old MAC address must be restored, this option must be emptied out and then the firewall must
be rebooted. Alternately, enter the original MAC address of the network card and save/apply, then
empty the value again.
MTU (Maximum Transmission Unit) The Maximum Transmission Unit (MTU) size field can typically
be left blank, but can be changed when required. Some situations may call for a lower MTU to ensure
packets are sized appropriately for an Internet connection. In most cases, the default assumed values
for the WAN connection type will work properly. It can be increased for those using jumbo frames
on their network.
On a typical Ethernet style network, the default value is 1500, but the actual value can vary depending
on the interface configuration.
MSS (Maximum Segment Size) Similar to the MTU field, the MSS field “clamps” the Maximum Segment
Size (MSS) of TCP connections to the specified size in order to work around issues with Path
MTU Discovery.
Speed and Duplex The default value for link speed and duplex is to let the firewall decide what is best.
That option typically defaults to Autoselect, which negotiates the best possible speed and duplex
settings with the peer, typically a switch.
The speed and duplex setting on an interface must match the device to which it is connected. For
example, when the firewall is set to Autoselect, the switch must also be configured for Autoselect. If
the switch or other device has a specific speed and duplex forced, it must be matched by the firewall.
Switch Port Netgate Appliances with an integrated switch have an option on this page which controls
the link state for this interface by having it mirror the state of a switch port. In this way, a firewall
interface configured as a VLAN which maps to a switch port can be set to follow the status of the
physical switch port. Otherwise, since it is a VLAN attached to an internal uplink, the status would
always show as up.
Consult the Netgate Product Manuals for more information on switch configuration.
10.2.2 Reserved Networks
Block Private Networks When Block private networks is active, the firewall inserts a rule automatically
which prevents any RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
and loopback (127.0.0.0/8) from communicating on that interface.
This option is typically only desirable on WAN type interfaces to prevent the possibility of privately
numbered traffic coming in over a public interface.
Block bogon networks When Block bogon networks is active, the firewall will block traffic from a list
of unallocated and reserved networks. This list is periodically updated by the firewall automatically.
Warning: This option should only be used on external interfaces (WANs); it is not necessary
on local interfaces and it can potentially block required local traffic.
See Block Bogon Networks for more details on how this feature works.
10.3 IPv4 Configuration Types
Once an interface has been assigned, in most cases it will require an IP address. For IPv4 connections, the following
choices are available in the IPv4 Configuration Type selector on an interface page (e.g. Interfaces > WAN):
• None
• Static IPv4
• DHCP
• PPP
• PPPoE
• PPTP
• L2TP
Each of these is described in this document.
10.3.1 None
When IPv4 Configuration Type is set to None, IPv4 is disabled on the interface. This is useful if the interface has no
IPv4 connectivity or if the IPv4 address on the interface is being managed in some other way, such as for a VPN or
tunnel interface.
10.3.2 Static IPv4
With Static IPv4, the interface contains a manually configured IPv4 address. When chosen, three additional fields are
available on the interface configuration screen:
IPv4 Address The IPv4 address for the interface (e.g. 192.168.1.1).
CIDR Subnet Mask The CIDR Subnet Mask determines the size of the subnet to which the IPv4 Address
belongs. This must match the value used by other hosts in the same subnet.
IPv4 Upstream Gateway An upstream gateway for IPv4 traffic, if any. Selecting a gateway here will
cause the firewall to treat this interface as a WAN-type interface for NAT and related functions. See
WAN vs LAN Interfaces for more information.
Warning: Do not set a gateway for internal interfaces such as a LAN or DMZ. Only select a
gateway on externally-connected interfaces such as a WAN or a private site-to-site link which
the firewall should consider a WAN.
Gateways may still be used on internal interfaces for the purpose of static routes without selecting
an IPv4 Upstream Gateway here.
The IPv4 Upstream Gateway field is pre-populated with existing IPv4 gateways defined under
System > Routing (Gateways).
The Add a new gateway button is a shortcut to create a new gateway if one does not already
exist. Clicking that button displays a modal form to add the gateway without leaving this page. Fill
in the details requested on the new form:
Default Gateway If this is the only WAN or will be a new default WAN, check this box.
The default IPv4 and IPv6 gateways work independently of one another. The two need
not be on the same interface. Changing the default IPv4 gateway has no effect on the
IPv6 gateway, and vice versa.
Gateway Name The name used to refer to the gateway internally, as well as in places like
Gateway Groups, quality graphs, and elsewhere.
Gateway IPv4 The IPv4 address of the gateway. This address must be inside the same
subnet as the Static IPv4 address when using this form.
Description A bit of text to indicate the purpose of the gateway.
10.3.3 DHCP
When an interface is set to DHCP, the operating system will attempt automatic IPv4 configuration of this interface
via DHCP. This option also activates several additional fields on the page. Under most circumstances these additional
fields may be left blank.
Hostname Some ISPs require the Hostname for client identification. The value in the Hostname field
is sent as the DHCP client identifier and hostname when requesting a DHCP lease.
Alias IPv4 Address This value is used as a fixed IPv4 alias address by the DHCP client since a typical IP
Alias VIP cannot be used with DHCP. This can be useful for accessing a piece of gear on a separate,
statically numbered network outside of the DHCP scope. One example would be for reaching a
cable modem management IP address.
Reject Leases From An IPv4 address for a DHCP server that should be ignored. For example, a cable
modem that hands out private IP addresses when the cable sync has been lost. Enter the private IP
address of the modem here, e.g. 192.168.100.1, and the firewall will never pick up or attempt
to use an IP address supplied by the specified server.
DHCP VLAN Priority Optionally sets a VLAN Priority tag (802.1p) on DHCP client traffic. Should
only be enabled when required by an ISP and with the settings they provide.
Advanced Configuration Enables options to control the protocol timing. In the vast majority of cases
this must be left unchecked and the options inside unchanged.
Protocol Timing The fields in this area give fine-grained control over the timing used by
dhclient when managing an address on this interface. These options are almost
always left at their default values. For more details on what each field controls, see the
dhclient man page.
Presets Has several options for preset protocol timing values. These are useful as a starting
point for custom adjustments or for use when the values need to be reset back to default
values.
Configuration Override Enables a field to use a custom dhclient configuration file. The full path
must be given. Using a custom file is rarely needed, but some ISPs require DHCP fields or options
that are not supported by the GUI.
10.3.4 PPP Types
The various PPP-based connection types such as PPP, PPPoE, PPTP, and L2TP are all covered in detail at PPPs. When
one of these types is selected here on the interfaces screen, their basic options can be changed as described. To access
the advanced options, follow the link on this page or navigate to Interfaces > Assignments on the PPPs tab, find the
entry, and edit it there.
10.4 IPv6 Configuration Types
Similar to IPv4, the IPv6 Configuration Type controls if and how an IPv6 address is assigned to an interface. There
are several different ways to configure IPv6 and the exact method depends on the network to which this firewall is
connected and how the ISP has deployed IPv6.
Warning: Every ISP is different and large providers can even vary by region.
The ISP determines IPv6 settings for a circuit, and they are the only valid source for that information. As such,
this documentation does not include examples for specific providers. Contact the ISP for information about their
IPv6 client settings and requirements.
The ISP should provide instructions and specific values for configuring IPv6 on their service. For example, on a
circuit with a static IPv6 configuration the ISP should supply the subnet addresses and prefix values for the WAN
itself, as well as for routed prefixes. Providers who require DHCPv6 should supply values for settings such as the
prefix delegation size, along with any requirements they have for client behavior.
See also:
For more information on IPv6, including a basic introduction, see IPv6.
10.4.1 None
When IPv6 Configuration Type is set to None, IPv6 is disabled on the interface. This is useful if the interface has no
IPv6 connectivity or if the IPv6 address on the interface is being managed in some other way, such as for a VPN or
tunnel interface.
10.4.2 Static IPv6
The Static IPv6 controls work identically to the Static IPv4 settings. See Static IPv4 for details.
With Static IPv6, the interface contains a manually configured IPv6 address. When chosen, three additional fields
are available on the interface configuration screen: IPv6 Address, a prefix length selector, and the IPv6 Upstream
Gateway field.
Note: Do not set a gateway for internal interfaces such as a LAN or DMZ. Only select a gateway on
externally-connected interfaces such as a WAN or a private site-to-site link which the firewall should consider a WAN.
Gateways may still be used on internal interfaces for the purpose of static routes without selecting an IPv6 Upstream
Gateway here.
See WAN vs LAN Interfaces for more information.
The default IPv4 and IPv6 gateways work independently of one another. The two need not be on the same interface.
Changing the default IPv4 gateway has no effect on the IPv6 gateway, and vice versa.
10.4.3 DHCP6
DHCP6 configures automatic IPv6 configuration of this interface via DHCPv6. DHCPv6 will configure the interface
with an IPv6 address, prefix length, DNS servers, etc. but not a gateway. The gateway is obtained via router
advertisements, so this interface will be set to accept router advertisements. This is a design choice as part of the
IPv6 specification, not a limitation of this implementation. For more information on router advertisements, see Router
Advertisements.
Several additional fields are available for IPv6 DHCP that do not exist for IPv4 DHCP:
Use IPv4 Connectivity as Parent Interface When set, the IPv6 DHCP request is sent using IPv4 on this
interface, rather than using native IPv6. This is only required in special cases when the ISP requires
this type of configuration.
Request only an IPv6 Prefix When set, the DHCPv6 client does not request an address for the interface
itself, it only requests a delegated prefix.
DHCPv6 Prefix Delegation Size If the ISP supplies a routed IPv6 network via prefix delegation, they
will publish the delegation size, which can be selected here. It is typically a value somewhere
between 48 and 64. For more information on how DHCPv6 prefix delegation works, see DHCP6
Prefix Delegation.
Note: To use this delegation, another internal interface must be set to an IPv6 Configuration
Type of Track Interface (Track Interface) so that it can use the addresses delegated by the upstream
DHCPv6 server.
Send IPv6 Prefix Hint When set, the DHCPv6 Prefix Delegation Size is sent along with the request to
inform the upstream server how large of a delegation is desired by this firewall. If an ISP allows the
choice, and the chosen size is within their allowed range, the requested size will be given instead of
the default size.
Debug When set, the DHCPv6 client is started in debug mode.
Do not wait for a RA Informs the operating system not to wait for a router advertisement when configuring
the interface. This is required by some ISPs.
Do not allow PD/Address release Prevents the operating system from sending a DHCPv6 release message
on exit.
Some ISPs will release the allocated address or prefix when a client sends this message. With this
option set, the client is more likely to receive the same allocation with subsequent requests.
DHCPv6 VLAN Priority Optionally sets a VLAN Priority tag (802.1p) on DHCPv6 client traffic.
Should only be enabled when required by an ISP and with the settings they provide.
Advanced Configuration Enables a wide array of advanced tuning parameters for the DHCPv6 client.
These options are rarely used, and when they are required, the values are dictated by the ISP or
network administrator. See the dhcp6c.conf man page for details.
Configuration Override Enables a field to use a custom configuration file. The full path must be given.
Using a custom file is rarely needed, but some ISPs require DHCP fields or options that are not
supported in the pfSense GUI.
10.4.4 SLAAC
Stateless address autoconfiguration (SLAAC) as the IPv6 type makes the operating system attempt to configure the
IPv6 address for the interface from router advertisements (RA) that advertise the prefix and related information.
Note: DNS is not typically provided via RA, so the firewall will still attempt to get DNS servers via DHCPv6 when
using SLAAC. The RDNSS extensions to the RA process may allow DNS servers to be obtained from RA in some
cases. For more information on router advertisements, see Router Advertisements.
This selection has one additional option:
Use IPv4 connectivity as parent interface When set, IPv6 requests are sent over the IPv4 connectivity
layer used by this interface (e.g. PPPoE) rather than the parent interface directly. May be required
by certain ISPs.
10.4.5 6RD Tunnel
6RD is an IPv6 tunneling technology employed by ISPs to quickly enable IPv6 support for their networks, passing
IPv6 traffic inside specially crafted IPv4 packets between an end user router and the ISP relay. It is related to 6to4 but
is intended to be used within the ISP network, using the IPv6 addresses from the ISP for client traffic. To use 6RD, the
ISP must supply three pieces of information: the 6RD prefix, the 6RD Border Relay, and the 6RD IPv4 Prefix length.
6RD Prefix The 6RD IPv6 prefix assigned by the ISP, such as 2001:db8::/32.
6RD Border Relay The IPv4 address of the ISP 6RD relay.
6RD IPv4 Prefix Length Controls how much of the end user IPv4 address is encoded inside of the 6RD
prefix. This is normally supplied by the ISP. A value of 0 means the entire IPv4 address will be
embedded inside the 6RD prefix. This value allows ISPs to effectively route more IPv6 addresses to
customers by removing redundant IPv4 information if an ISP allocation is entirely within the same
larger subnet.
10.4.6 6to4 Tunnel
Similar to 6RD, 6to4 is another method of tunneling IPv6 traffic inside IPv4. Unlike 6RD, however, 6to4 uses constant
prefixes and relays. As such there are no user-adjustable settings for using the 6to4 option. The 6to4 prefix is always
2002::/16. Any address inside of the 2002::/16 prefix is considered a 6to4 address rather than a native IPv6
address. Also unlike 6RD, a 6to4 tunnel can be terminated anywhere on the Internet, not only at the end user ISP, so
the quality of the connection between the user and the 6to4 relay can vary widely.
6to4 tunnels are always terminated at the IPv4 address of 192.88.99.1. This IPv4 address is anycasted, meaning
that although the IPv4 address is the same everywhere, it can be routed regionally toward a node close to the user.
Another deficiency of 6to4 is that it relies upon other routers to relay traffic between the 6to4 network and the remainder
of the IPv6 network. There is a possibility that some IPv6 peers may not have connectivity to the 6to4 network, and
thus these would be unreachable by clients connecting to 6to4 relays, and this could also vary depending upon the 6to4
node to which the user is actually connected.
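An added Python example (not pfSense or ISP code) that applies the 6RD prefix construction described above and, since 6to4 is the same construction with the fixed 2002::/16 prefix, extends it to 6to4 and to recovering the IPv4 endpoint from a 6to4 address; the prefixes and IPv4 addresses used are constructed documentation values.

```python
"""Derive 6RD and 6to4 prefixes from the settings described above.

Added illustration, not pfSense code. 6RD rule (RFC 5969): delegated prefix =
6RD Prefix followed by the customer IPv4 address with its first
"6RD IPv4 Prefix Length" bits removed. 6to4 is the same construction with the
fixed prefix 2002::/16 and no bits removed.
"""
import ipaddress
from typing import Optional

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
SIXTO4_ANYCAST_RELAY = ipaddress.IPv4Address("192.88.99.1")  # fixed relay


def sixrd_delegated_prefix(rd_prefix: str, ipv4_prefix_len: int,
                           customer_ipv4: str) -> ipaddress.IPv6Network:
    """Compute the IPv6 prefix a 6RD customer gets for its own networks."""
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("6RD IPv4 Prefix Length must be 0..32")
    prefix = ipaddress.IPv6Network(rd_prefix)
    addr = int(ipaddress.IPv4Address(customer_ipv4))
    embedded_bits = 32 - ipv4_prefix_len          # 0 => whole address embedded
    embedded = addr & ((1 << embedded_bits) - 1)  # drop the redundant high bits
    new_len = prefix.prefixlen + embedded_bits
    if new_len > 128:
        raise ValueError("6RD prefix too long to embed the IPv4 address")
    value = int(prefix.network_address) | (embedded << (128 - new_len))
    return ipaddress.IPv6Network((value, new_len))


def sixto4_prefix(customer_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 gives every public IPv4 address the /48 2002:<ipv4 in hex>::/48."""
    return sixrd_delegated_prefix(str(SIXTO4_PREFIX), 0, customer_ipv4)


def sixto4_embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Reverse mapping: the IPv4 tunnel endpoint inside a 6to4 address, or
    None for a non-6to4 address. Useful when an IPv6 address seen in a log
    is 6to4 rather than native, since the IPv4 endpoint is the real origin."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)  # bits 16..47


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a TEST-NET-1 address.
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.1"))  # 2001:db8:c000:201::/64
    print(sixrd_delegated_prefix("2001:db8::/32", 8, "192.0.2.1"))  # 2001:db8:2:100::/56
    print(sixto4_prefix("192.0.2.1"))                                # 2002:c000:201::/48
    print(sixto4_embedded_ipv4("2002:c000:201::1"))                  # 192.0.2.1
```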
10.4.7 Track Interface
The Track Interface choice works in concert with another IPv6 interface using DHCPv6 Prefix Delegation. When
a delegation is received from the ISP, this option designates which interface will be assigned the IPv6 addresses
delegated by the ISP and in cases where a larger delegation is obtained, which prefix inside the delegation is used.
IPv6 Interface A list of all interfaces on the system currently set for dynamic IPv6 WAN types offering
prefix delegation (DHCPv6, PPPoE, 6rd, etc.). Select the interface from the list which will receive
the delegated subnet information from the ISP.
IPv6 Prefix ID If the ISP has delegated more than one /64 via DHCPv6, the IPv6 Prefix ID controls which of the
delegated /64 subnets will be used on this interface. This value is specified in hexadecimal.
For example, if a /60 delegation is supplied by the ISP, 16 /64 networks are available, so prefix IDs from 0
through f may be used.
For more information on how prefix delegation works, see DHCP6 Prefix Delegation.
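As an added example (not code from the pfSense documentation or project), the following Python computes the /64 that Track Interface assigns for a given delegation and hexadecimal Prefix ID, lists every /64 in the delegation, and rejects IDs outside it. The delegation 2001:db8:abcd:1230::/60 is a constructed sample.

```python
import ipaddress


def available_prefix_ids(delegated):
    """How many /64 networks a delegated prefix contains (16 for a /60)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; nothing can be tracked from it")
    return 2 ** (64 - pd.prefixlen)


def prefix_id_is_valid(delegated, prefix_id_hex):
    """True when the Prefix ID selects a /64 that exists inside the delegation."""
    return 0 <= int(prefix_id_hex, 16) < available_prefix_ids(delegated)


def track_subnet(delegated, prefix_id_hex):
    """The /64 that Track Interface assigns for a hexadecimal IPv6 Prefix ID.

    The Prefix ID fills the bits between the delegated prefix length and
    bit 64, so on 2001:db8:abcd:1230::/60 an ID of f yields
    2001:db8:abcd:123f::/64.
    """
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if not prefix_id_is_valid(delegated, prefix_id_hex):
        count = available_prefix_ids(delegated)
        raise ValueError(
            f"Prefix ID {prefix_id_hex} is outside 0-{count - 1:x} for {pd}")
    subnet_int = int(pd.network_address) | (int(prefix_id_hex, 16) << 64)
    return ipaddress.IPv6Network((subnet_int, 64))


def all_track_subnets(delegated):
    """Every /64 in the delegation, in Prefix ID order (0, 1, ..., f)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    available_prefix_ids(delegated)  # validates that the delegation is at most a /64
    return list(pd.subnets(new_prefix=64))


if __name__ == "__main__":
    pd = "2001:db8:abcd:1230::/60"
    print(available_prefix_ids(pd))    # 16
    for i in range(available_prefix_ids(pd)):
        print(f"{i:x} -> {track_subnet(pd, f'{i:x}')}")
```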
10.5 Interface Groups
Unlike the other interfaces in this chapter, an Interface Group is not a type of interface that can be assigned. Interface
groups are used to apply firewall or NAT rules to a set of interfaces on a common tab. If this concept is unfamiliar,
consider how the firewall rules for OpenVPN, the PPPoE server, or L2TP server work. There are multiple interfaces
in the underlying OS, but the rules for all of them are managed on a single tab for each type.
If many interfaces of a similar function are present on the firewall that need practically identical rules, an interface
group may be created to add rules to all of the interfaces at the same time. Interfaces can still have their own individual
rules, which are processed after the group rules.
10.5.1 Interface Group Options
When creating or editing an Interface Group, the following options are available:
Group Name The name of the interface group. Has the same restrictions as the name of an interface.
The name may only contain upper and lowercase letters, no numbers, spaces, or special characters.
Group Description An optional text description for reference.
Group Members A multi-select list of assigned interfaces on the firewall from which group members can
be added. Add interfaces to the group by selecting them with ctrl-click (PC) or cmd-click (Mac).
10.5.2 Creating an Interface Group
To create an interface group:
• Navigate to Interfaces > Assignments, Interface Groups tab
• Click Add to create a new group
• Fill in the options as described in Interface Group Options
• Click Save
Fig. 1: Add Interface Group
10.5.3 Using an Interface Group
Interface groups each have an individual tab under Firewall > Rules to manage their rules. Figure Interface Group
Firewall Rules Tab shows the firewall rule tab for the group defined in figure Add Interface Group
Fig. 2: Interface Group Firewall Rules Tab
See also:
Configuring firewall rules for information on managing firewall rules.
10.5.4 Group Rule Processing Order
The rule processing order for user rules is:
• Floating rules
• Interface group rules
• Rules on the interface directly
For example, if a rule on the group tab matches a connection, the interface tab rules will not be consulted. Similarly,
if a floating rule with Quick set matched a connection, the interface group rules will not be consulted.
The processing order rules out some combinations of rules that might otherwise be a good fit. For example, a general
blocking rule on the group tab cannot be overridden by a pass rule on a specific interface, because the group rule matches
first and stops evaluation. Likewise, traffic passed by a group tab rule cannot be blocked by a rule on a specific interface.
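The following Python is an added example, not pfSense code, that models this ordering. Rules are walked floating, then group, then interface; pf remembers the last match, except that a matching rule with quick ends the walk, and pfSense sets quick on group and interface tab rules but on floating rules only when Quick is checked. The addresses, rule labels and packet are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tabs in the order pf sees them in the generated ruleset.
SCOPE_ORDER = {"floating": 0, "group": 1, "interface": 2}


@dataclass
class Rule:
    scope: str                  # "floating", "group" or "interface"
    action: str                 # "pass" or "block"
    src: str                    # source network the rule matches
    dst: str = "0.0.0.0/0"
    quick: Optional[bool] = None
    label: str = ""

    def __post_init__(self):
        if self.scope not in SCOPE_ORDER:
            raise ValueError(f"unknown scope {self.scope}")
        if self.quick is None:
            # pfSense writes group and interface tab rules with 'quick';
            # a floating rule is quick only when its Quick box is checked.
            self.quick = self.scope != "floating"

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


def evaluate(rules, pkt, default=("block", "default deny")):
    """Return (action, label) for a packet under pf's evaluation rules.

    pf keeps the last matching rule and applies it at the end, unless a
    matching rule carries 'quick', which ends evaluation on the spot. Rules
    are ordered floating -> group -> interface, keeping each tab's own order
    (sorted() is stable).
    """
    decision = default
    for rule in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if not rule.matches(pkt):
            continue
        decision = (rule.action, rule.label)
        if rule.quick:
            break
    return decision


# Constructed scenarios from the text. The interface tab would pass
# 10.1.0.0/16, but the group tab blocks 10.0.0.0/8 first and is quick.
GROUP_BLOCK = Rule("group", "block", "10.0.0.0/8", label="group: block 10/8")
IFACE_PASS = Rule("interface", "pass", "10.1.0.0/16", label="OPT1: pass 10.1/16")
FLOATING_QUICK_PASS = Rule("floating", "pass", "10.1.2.0/24", quick=True,
                           label="floating: quick pass 10.1.2/24")
FLOATING_PASS = Rule("floating", "pass", "10.1.2.0/24",
                     label="floating: pass 10.1.2/24 (not quick)")
PKT = {"src": "10.1.2.3", "dst": "203.0.113.9"}


def demo():
    return {
        # the group rule wins even though the interface rule would pass it
        "group_beats_interface": evaluate([GROUP_BLOCK, IFACE_PASS], PKT),
        # a quick floating rule is final; group and interface rules never run
        "floating_quick_beats_group": evaluate([FLOATING_QUICK_PASS, GROUP_BLOCK, IFACE_PASS], PKT),
        # a non-quick floating pass is only remembered; the quick group block ends it
        "floating_not_quick_loses": evaluate([FLOATING_PASS, GROUP_BLOCK, IFACE_PASS], PKT),
        # with nothing quick after it, the last match (the floating pass) applies
        "floating_alone": evaluate([FLOATING_PASS], PKT),
        "nothing_matches": evaluate([IFACE_PASS], {"src": "192.0.2.1", "dst": "203.0.113.9"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```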
10.5.5 Use with WAN Interfaces
The best practice is to not use interface groups with multiple WANs. Doing so may appear to be convenient, but the
group rules do not receive the same treatment as actual WAN tab rules. For example, rules on a tab for a WAN-type
interface will receive reply-to which allows pf to return traffic back via the interface from which it entered. Group
tab rules do not receive reply-to which effectively means that the group rules only function as expected on the
WAN with the default gateway.
10.6 PPPs
There are four types of PPP interfaces:
• PPP for cellular and modem devices
• PPPoE for DSL or similar connections
• PPTP and L2TP for ISPs that require them for authentication
In most cases these are managed by the interface settings directly, but the settings are also available under Interfaces
> Assignments on the PPPs tab.
See also:
• PPP Logs
10.6.1 Multi-Link PPP (MLPPP)
Multi-Link PPP (MLPPP) is available for any type of PPP instance by selecting multiple Link Interface entries at the
same time.
Warning: MLPPP only works on multiple circuits from the same provider where the provider supports MLPPP.
MLPPP bonds multiple PPP links into a single larger aggregate channel. Unlike other multi-WAN techniques MLPPP
can utilize the full bandwidth of all links for a single connection. MLPPP also does not have the usual concerns about
load balancing and failover. The MLPPP link is presented as one interface with one IP address. If one link fails the
connection functions the same but with reduced capacity.
For more information on MLPPP, see Multiple WAN Connections.
10.6.2 PPP (Point-to-Point Protocol) Interface Types
Add or edit a PPP entry as follows:
• Navigate to Interfaces > Assignments on the PPPs tab
• Click to edit an existing entry or to add a new entry
• Set the Link Type
The Link Type determines the remaining options on the page. The available link types are explained throughout the
remainder of this document.
PPP (Cellular Modem)
The PPP link type is used for talking to a modem over a serial device. This can be anything from a USB modem
dongle for accessing a cellular network down to an old hardware modem for dial-up access.
Note: Some cellular modems appear as Ethernet devices and not serial devices. Those are configured as regular
interfaces, not as PPP devices.
See also:
• Cellular Wireless
When configuring a PPP device, the following options are available:
Link Interface A list of serial devices that the firewall can use to communicate with a modem. Click on
a specific entry to select it for use by the firewall.
Note: The firewall does not automatically detect the serial device for a modem. Some modems
present themselves as several devices and the subdevice for the PPP line may be any of the available
choices. Start with the last device, then try the first, and then others in between if none of those
function.
Description A text description of this PPP instance, for reference (e.g. VZW Modem).
Country The country in which this modem resides (e.g. United States).
The firewall populates the Provider list based on the value of this field.
Provider The cellular service provider for this modem (e.g. Verizon).
The firewall populates the Plan list based on the value of this field.
Plan The type of cellular service this modem uses from Provider.
This populates the remaining fields where possible with values specific to the Plan.
The remaining options can be configured manually if other values are needed, or when using an unlisted provider:
Username and Password The credentials used for the PPP login, if any.
Phone Number The number to dial at the ISP to gain access. For cellular providers this tends to be a
number such as *99# or #777. For dial-up this is usually a traditional telephone phone number.
Access Point Name (APN) Some ISPs require this value to identify the service to which the client connects.
Some providers use this to distinguish between consumer and business plans or legacy networks.
APN Number Optional setting. Defaults to 1 if the APN is set, and ignored when APN is unset.
SIM PIN Security code on the SIM to prevent unauthorized use of the card.
Warning: Do not enter anything here if the SIM does not have a PIN.
SIM PIN Wait Number of seconds the firewall will wait for the SIM to discover network after the PIN
is sent to the SIM. If the delay is not long enough the SIM may not have time to initialize properly
after unlocking.
Init String The modem initialization string, if necessary. Most modern modems do not require a custom
initialization string.
Note: Do not include AT at the beginning of the command.
Connection Timeout Time the firewall will wait for a connection attempt to succeed, in seconds. Default
is 45 seconds.
Uptime Logging When checked, the firewall tracks the uptime for the connection and displays it on
Status > Interfaces.
PPPoE (Point-to-Point Protocol over Ethernet)
PPPoE is a popular method of authenticating and gaining access to an ISP network, most commonly found on DSL
networks, but may also be used on fiber or other link types.
Warning: Due to limitations in the way PPPoE frames are processed by network cards incoming PPPoE traffic
is limited to a single network interface queue. As such, performance may be limited or otherwise lower than
expected. See PPPoE with Multi-Queue NICs for details.
To configure a PPPoE link, start by setting Link Type to PPPoE and complete the remainder of the settings as follows:
Link Interface(s) A list of network interfaces the firewall can use for PPPoE. These are typically physical
interfaces but PPPoE can also work over some other interface types such as VLANs. Select one entry
for normal PPPoE or multiple entries for MLPPP.
Description An optional text description of the PPP entry.
Username and Password The credentials for this PPPoE connection. The credentials will be provided by
the ISP and the username is typically in the form of an e-mail address, such as mycompany@ispexample.com.
Service Name Left blank for most ISPs but some ISPs require this to be set to a specific value.
Contact the ISP to confirm the value if the connection does not function when left blank.
Configure NULL Service Name Some ISPs require clients to send a NULL value instead of a blank
service name. Check this option when the ISP requires this behavior.
Periodic Reset Configures a pre-set time when the firewall will drop the connection and reconnect. This
is rarely needed, but in certain cases it can better handle reconnections when an ISP has forced daily
reconnections or similar quirky behavior.
PPTP (Point-to-Point Tunneling Protocol)
Not to be confused with a PPTP VPN, this type of PPTP interface is meant to connect to an ISP and authenticate,
much the same as PPPoE. The options for a PPTP WAN are identical to the PPPoE options of the same name. Refer
to the previous section for configuration information.
L2TP (Layer 2 Tunneling Protocol)
L2TP, as it is configured here, is used for connecting to an ISP that requires it for authentication as a type of WAN.
L2TP works nearly identically to PPTP. Refer to the previous sections for configuration information.
L2TP has one additional option not found on other types:
Shared Secret A shared secret the firewall will use to authenticate the tunnel connection and encrypt
L2TP control packets. May be left blank if the server does not support a shared secret.
Warning: This must match the shared secret set on the L2TP server.
10.6.3 Advanced PPP Options
All PPP types have several advanced options in common. In most cases these settings can remain at their default
values.
Click Display Advanced to display these options.
Dial On Demand The default behavior for a PPP link is to connect immediately and to attempt to reconnect
immediately when the link is lost. This behavior is described as Always On. Dial-on-Demand delays the
connection attempt: when set, the firewall waits until a packet attempts to leave via this interface before
making a connection attempt. Once the firewall connects it will not automatically disconnect.
Idle Timeout The firewall will hold a PPP connection open indefinitely by default. A value in Idle
Timeout, specified in seconds, will cause the firewall to monitor the line for activity. If there is no
traffic on the link for the given amount of time, the firewall will disconnect the link. If Dial-on-
Demand has also been set, the firewall will return to dial-on-demand mode.
Note: The firewall performs gateway monitoring by default which generates two ICMP pings per
second on the interface. Idle Timeout will not function in this case. This can be worked around by
editing the gateway for this PPP link and checking Disable Gateway Monitoring.
Compression (vjcomp) This option controls whether or not the firewall will use Van Jacobson TCP
header compression for this connection. By default the firewall will negotiate this with the peer
during login and enable it if both sides support the feature. Checking Disable vjcomp will disable
support for this feature. This feature is beneficial because it saves several bytes per TCP data packet
when possible. The best practice is to keep the option enabled unless the remote requires it to be
disabled.
Note: This compression is ineffective for TCP connections with enabled modern extensions like
time stamping or SACK, which modify TCP options between sequential packets.
TCP MSS Fix This option causes the PPP daemon to adjust incoming and outgoing TCP SYN segments
so that the requested maximum segment size (MSS) is not greater than the amount allowed by the
interface MTU.
This is necessary in most cases to avoid problems caused by routers which drop ICMP “Datagram
Too Big” messages. Without these messages, peers cannot detect when packets attempt to cross a
link which cannot carry frames of the required size. Consider this scenario. The originating machine
sends data which passes a rogue router then arrives at a host whose MTU is not big enough
for the data. Because the IP “Don’t Fragment” bit is set, this host sends an ICMP “Datagram
Too Big” message back to the originator and drops the packet. The rogue router drops the ICMP
message and the originator never discovers that it must reduce the packet size or clear the
IP “Don’t Fragment” bit on its outgoing data. The MSS fix sidesteps the problem because both ends of
each TCP connection are told, during the handshake, never to send segments larger than the link can
carry. If this behavior is undesirable, check Disable tcpmssfix.
Note: The MTU and MSS values for the interface may also be adjusted on the configuration page
for the interface under the Interfaces menu, such as Interfaces > WAN (Interface Configuration).
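As an added example that is not part of the pfSense documentation, the following Python performs the MSS clamp on the option bytes of a TCP SYN: it walks the option list, lowers an MSS larger than the limit derived from the link MTU, and leaves other options (SACK-permitted, timestamps, window scale) untouched. A full implementation such as pf's scrub max-mss also recomputes the TCP checksum, which is omitted here. The sample SYN options and the PPPoE MTU of 1492 are constructed inputs.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TCP_HEADER_LEN = 20


def max_mss_for_mtu(mtu, ip_version=4):
    """Largest MSS that fits the link: MTU minus IP header minus TCP header."""
    ip_header_len = 20 if ip_version == 4 else 40
    return mtu - ip_header_len - TCP_HEADER_LEN


def clamp_mss(options, limit):
    """Rewrite the MSS option in TCP option bytes so it is at most `limit`.

    Walks the option list as RFC 793 defines it: kind 0 ends the list,
    kind 1 is a single-byte NOP, every other option is kind, length, data.
    Only the MSS option is touched; SACK-permitted, timestamps and window
    scale pass through unchanged. Returns (new_options, changed).
    """
    out = bytearray()
    i = 0
    changed = False
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            out += options[i:]          # end of list; keep trailing padding
            break
        if kind == TCPOPT_NOP:
            out.append(kind)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"malformed TCP option kind {kind} length {length}")
        chunk = options[i:i + length]
        if kind == TCPOPT_MSS and length == 4:
            (mss,) = struct.unpack("!H", chunk[2:4])
            if mss > limit:
                chunk = struct.pack("!BBH", TCPOPT_MSS, 4, limit)
                changed = True
        out += chunk
        i += length
    return bytes(out), changed


def options_are_valid(options):
    """True when the option list parses cleanly (no truncated or bogus lengths)."""
    try:
        clamp_mss(options, 0xFFFF)
        return True
    except ValueError:
        return False


# Constructed SYN options as a typical host sends them on a 1500-byte
# Ethernet: MSS 1460, SACK permitted, timestamps, NOP, window scale 7.
SAMPLE_SYN_OPTIONS = (bytes([TCPOPT_MSS, 4, 0x05, 0xB4])
                      + bytes([4, 2])
                      + bytes([8, 10]) + b"\x00" * 8
                      + bytes([TCPOPT_NOP, 3, 3, 7]))

# PPPoE leaves 1492 bytes for IP, so the MSS a peer may use is 1452.
PPPOE_MTU = 1492


if __name__ == "__main__":
    limit = max_mss_for_mtu(PPPOE_MTU)
    new, changed = clamp_mss(SAMPLE_SYN_OPTIONS, limit)
    print(limit, changed, new.hex())
```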
Short Sequence (ShortSeq) This option is only meaningful when the firewall is negotiating MLPPP with
the provider. It prescribes shorter multi-link fragment headers, saving two bytes on every frame. It
is not necessary to disable this for connections that are not multi-link. If MLPPP is active and this
feature must be disabled, check Disable shortseq.
Address Control Field Compression (ACFComp) This option only applies to asynchronous link types.
It saves two bytes per frame. To disable this, check Disable ACF Compression.
Protocol Field Compression (ProtoComp) This option saves one byte per frame for most frames. To
disable this, check Disable Protocol Compression.
PPPoE has two additional advanced options:
Multilink over single link When set, the firewall will use LCP multi-link extensions over a single link.
This ignores the MTU/MRU settings. Only enable if supported by the ISP.
Force MTU When set, overrides the MTU negotiated with the ISP with a higher value known to work
on the link.
Warning: This option violates RFC 1661 and can break connectivity. While it may result in
faster speed as larger packets can be transferred, there is no guarantee that it will function in the
future if the provider makes changes.
10.7 GRE (Generic Routing Encapsulation)
Generic Routing Encapsulation (GRE) is a method of tunneling traffic between two endpoints without encryption. It
can be used to route packets between two locations that are not directly connected when the traffic does not require
confidentiality or integrity protection; anything carried in a bare GRE tunnel can be read or altered on the path. It can
also be combined with a method of encryption that does not perform its own tunneling, such as IPsec in transport mode
applied to the GRE packets.
Note: The GRE protocol was originally designed by Cisco, and it is the default tunneling mode on many of their
devices.
GRE tunnels can carry either IPv4, IPv6, or both types of traffic at the same time.
10.7.1 GRE Interface Settings
Parent interface The interface upon which the GRE tunnel will terminate. Often this will be WAN or a
WAN-type connection.
Remote Address The address of the remote peer. This is the address where the GRE packets will be sent
by this firewall; The routable external address at the other end of the tunnel.
Local IPv4/IPv6 Tunnel Address The internal IPv4 and IPv6 address for the end of the tunnel on this
firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic
would be sent to this address by the remote peer.
Remote IPv4/IPv6 Tunnel Address The IPv4 and IPv6 address used by the firewall inside the tunnel to
reach the far side. Traffic destined for the other end of the tunnel must use this address as a gateway
for routing purposes.
IPv4/IPv6 Tunnel Subnet The subnet mask for the GRE interface address.
Add Static Route When set, the firewall adds an explicit static route for the remote inner tunnel
address/subnet via the local tunnel address. This can help with reaching the remote subnet in cases
where other route table entries may select the wrong path to that destination.
Description A short description of this GRE tunnel for documentation purposes.
10.7.2 GRE Interface Management
To create or manage a GRE interface:
• Navigate to Interfaces > Assignments, GRE tab
Note: The items in this list are managed in the usual way. See Managing Lists in the GUI.
• Click Add to create a new GRE instance
• Complete the settings as described in GRE Interface Settings
• Click Save
• Navigate to Interfaces > Assignments
• Select the new GRE interface in the Available network ports list
• Click Add
• Note the name given to the new interface (e.g. OPT1)
• Navigate to Interfaces > <name> where <name> corresponds to the name of the GRE interface (e.g. OPT1)
• Check Enable interface
• Enter a new name for the interface in Description (optional)
• Click Save
Then use the interface as any other WAN-type interface. The firewall automatically creates a dynamic gateway for
routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on.
10.8 GIF (Generic tunnel InterFace)
A Generic Tunneling Interface (GIF) is similar to GRE; Both protocols are a means to tunnel traffic between two hosts
without encryption. In addition to tunneling IPv4 or IPv6 directly, GIF may be used to tunnel IPv6 over IPv4 networks
and vice versa. GIF tunnels are commonly used to obtain IPv6 connectivity to a tunnel broker such as Hurricane
Electric in locations where IPv6 connectivity is unavailable.
See also:
See Configuring IPv6 Through A Tunnel Broker Service for information about connecting to a tunnel broker service.
GIF interfaces carry more information across the tunnel than can be done with GRE, but GIF is not as widely supported.
For example, a GIF tunnel is capable of bridging layer 2 between two locations while GRE cannot.
GIF interfaces can carry IPv4 or IPv6 traffic, but not both at the same time.
Note: Support for GIF varies by vendor, but is not as common as others like GRE.
10.8.1 GIF Interface Settings
Parent interface The interface upon which the GIF tunnel will terminate. Often this will be WAN or a
WAN-type connection.
GIF Remote Address The address of the remote peer. This is the address where the GIF packets will be
sent by this firewall; the routable external address at the other end of the tunnel. For example, in an
IPv6-in-IPv4 tunnel to Hurricane Electric, this would be the IPv4 address of the tunnel server, such
as 209.51.181.2.
GIF tunnel local address The internal address for the end of the tunnel on this firewall. The firewall
will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to
this address by the remote peer. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric,
they refer to this as the Client IPv6 Address.
GIF tunnel remote address The address used by the firewall inside the tunnel to reach the far side. Traffic
destined for the other end of the tunnel must use this address as a gateway for routing purposes.
For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Server
IPv6 Address.
GIF Tunnel Subnet The subnet mask or prefix length for the interface address. Typically 64. This
option is ignored with IPv6 and a 128 prefix is enforced by the kernel instead.
ECN Friendly Behavior The ECN friendly behavior option controls whether or not the Explicit Congestion
Notification (ECN)-friendly practice of copying the TOS bit into/out of the tunnel traffic is
performed by the firewall. By default the firewall clears the TOS bit on the packets or sets it to 0,
depending on the direction of the traffic. With this option set, the bit is copied as needed between
the inner and outer packets to be more friendly with intermediate routers that can perform traffic
shaping. This behavior breaks RFC 2893 so it must only be used when both peers agree to enable
the option.
Outer Source Filtering When set, the firewall disables its automatic filtering of incoming GIF packets based
on their outer source address. Leave this unset in normal use: the filter only accepts packets whose outer
source matches the configured remote peer, which is more secure. When the filter is disabled, martian and
inbound filtering is not performed, which allows asymmetric routing of the outer traffic. This is less secure,
but some GIF peers may source traffic in this manner.
Description A short description of this GIF tunnel for documentation purposes.
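The following Python, an added example rather than code from pfSense or FreeBSD, shows the on-the-wire difference between the two tunnel types described in the GRE and GIF sections and models the Outer Source Filtering check: GRE wraps the inner packet in a 4-byte header inside IP protocol 47 and names the inner family in that header, gif-style IP-in-IP uses the outer protocol number (4 or 41) instead, and a receiver that filters on the outer source drops packets from anyone but the configured peer before looking at the inner packet. The addresses are constructed samples and the inner packets are bare headers.

```python
import ipaddress
import struct

# IANA protocol numbers and EtherTypes used by the two encapsulations.
IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE = 4, 41, 47
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def _checksum(data):
    """RFC 1071 one's-complement checksum used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header (no extension headers)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def gre_encapsulate(outer_src, outer_dst, inner):
    """GRE (RFC 2784): outer IPv4 with protocol 47, 4-byte GRE header, inner packet.

    The GRE header carries the EtherType of the inner packet, which is why
    one GRE tunnel can carry IPv4 and IPv6 at the same time.
    """
    ethertype = ETHERTYPE_IPV6 if inner[0] >> 4 == 6 else ETHERTYPE_IPV4
    gre = struct.pack("!HH", 0, ethertype)     # no checksum, key or sequence
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gif_encapsulate(outer_src, outer_dst, inner):
    """gif(4)-style IP-in-IP: the outer protocol number (4 or 41) names the inner family.

    There is no header of its own, so one gif tunnel carries either IPv4
    or IPv6, not both.
    """
    proto = IPPROTO_IPV6 if inner[0] >> 4 == 6 else IPPROTO_IPIP
    return ipv4_header(outer_src, outer_dst, proto, len(inner)) + inner


def classify(packet, remote_peer, outer_source_filtering=True):
    """Decode an outer IPv4 packet received on a tunnel endpoint.

    With outer_source_filtering on (the GIF default), a packet whose outer
    source is not the configured remote peer is dropped before the inner
    packet is examined. Nothing here is encrypted or authenticated: the
    inner packet comes back exactly as anyone on the path could read it.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer_src = ipaddress.IPv4Address(packet[12:16])
    if outer_source_filtering and outer_src != ipaddress.IPv4Address(remote_peer):
        return {"verdict": "drop", "reason": f"outer source {outer_src} is not peer {remote_peer}"}
    payload = packet[ihl:]
    if proto == IPPROTO_GRE:
        flags, ethertype = struct.unpack("!HH", payload[:4])
        offset = 4
        if flags & GRE_FLAG_CHECKSUM:
            offset += 4            # checksum + reserved1 (RFC 2784)
        if flags & GRE_FLAG_KEY:
            offset += 4            # key (RFC 2890)
        if flags & GRE_FLAG_SEQ:
            offset += 4            # sequence number (RFC 2890)
        family = {ETHERTYPE_IPV4: 4, ETHERTYPE_IPV6: 6}.get(ethertype)
        return {"verdict": "accept", "encap": "gre", "inner_family": family, "inner": payload[offset:]}
    if proto in (IPPROTO_IPIP, IPPROTO_IPV6):
        family = 6 if proto == IPPROTO_IPV6 else 4
        return {"verdict": "accept", "encap": "gif", "inner_family": family, "inner": payload}
    return {"verdict": "drop", "reason": f"IP protocol {proto} is not GRE or IP-in-IP"}


if __name__ == "__main__":
    # Constructed: firewall 198.51.100.10 tunnels IPv6 to peer 203.0.113.2;
    # from the peer's point of view, 198.51.100.10 is its configured remote.
    inner6 = ipv6_header("2001:db8:1::2", "2001:db8:1::1", 59, 0)   # 59 = no next header
    packet = gif_encapsulate("198.51.100.10", "203.0.113.2", inner6)
    print(classify(packet, "198.51.100.10"))
    print(classify(packet, "203.0.113.99"))    # dropped by outer source filtering
```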
10.8.2 GIF Interface Configuration
To create or manage a GIF interface:
• Navigate to Interfaces > Assignments, GIF tab
Note: The items in this list are managed in the usual way. See Managing Lists in the GUI.
• Click Add to create a new GIF instance
• Complete the settings as described in GIF Interface Settings
• Click Save
• Navigate to Interfaces > Assignments
• Select the new GIF interface in the Available network ports list
• Click Add
• Note the name given to the new interface (e.g. OPT1)
• Navigate to Interfaces > <name> where <name> corresponds to the name of the GIF interface (e.g. OPT1)
• Check Enable interface
• Enter a new name for the interface in Description (optional)
• Click Save
Then use the interface as any other WAN-type interface. The firewall automatically creates a dynamic gateway for
routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on.
10.9 LAGG (Link Aggregation)
Link aggregation is handled by lagg(4) type interfaces (LAGG) on pfSense® software. LAGG combines multiple
physical interfaces together as one logical interface. There are several ways this can work, either for gaining extra
bandwidth, redundancy, or some combination of the two.
Note: LACP will only work across multiple switches if the switches are Stackable.
10.9.1 LAGG Interface Settings
When creating or editing a LAGG interface, the following settings are available:
Parent Interfaces This list contains all currently unassigned interfaces, plus members of the current
LAGG interface when editing an existing instance.
To add interfaces to this LAGG, select one or more interfaces in this list.
Note: An interface may only be added to a LAGG group if it is not assigned. If an interface is not
present in the list, it is likely already assigned as an interface.
LAGG Protocol The operating modes for LAGG interfaces are: LACP, Failover, Load Balance, Round
Robin, and None.
LACP The most commonly used LAGG protocol. This mode supports IEEE 802.3ad
Link Aggregation Control Protocol (LACP) and the Marker Protocol. In LACP mode,
negotiation is performed with the switch – which must also support LACP – to form a
group of ports that are all active at the same time. This is known as a Link Aggregation
Group, or LAG. The speed and MTU of each port in a LAG must be identical and the
ports must also run at full-duplex. If link is lost to a port on the LAG, the LAG
continues to function but at reduced capacity. In this way, an LACP LAGG bundle can
gain both redundancy and increased bandwidth.
Traffic is balanced between all ports on the LAG, however, for communication between
two single hosts it will only use one single port at a time because the client will only
talk to one MAC address at a time. For multiple connections through multiple devices,
this limitation effectively becomes irrelevant. The limitation is also not relevant for
failover.
In addition to configuring this option on the firewall, the switch must enable LACP on
these ports or have the ports bundled into a LAG group. Both sides must agree on the
configuration in order for it to work properly.
LACP Timeout Mode controls how often the firewall sends LACP PDUs. An LACP
timeout occurs when three consecutive PDUs are missed.
Slow Default. LACP PDUs are sent every 30 seconds. A timeout occurs after
90 seconds.
Fast LACP PDUs are sent every second. A timeout occurs after 3 seconds.
Failover When using the Failover LAGG protocol traffic will only be sent on the primary
interface of the group. If the primary interface fails, then traffic will use the next
available interface.
Note: By default, traffic may only be received by the active interface. Create a
system tunable for net.link.lagg.failover_rx_all with a value of 1 to
allow traffic to be received on every member interface.
Failover mode has one additional option:
Failover Primary Interface This option sets the primary interface for failover
mode, or auto to allow the firewall to select the primary interface automatically.
In auto mode, the first selected interface in the list is primary.
Each non-primary interface is eligible for use in failover if the primary fails.
Load Balance Load Balance mode accepts inbound traffic on any port of the LAGG group
and balances outgoing traffic on any active ports in the LAGG group. It is a static setup
that does not monitor the link state nor does it negotiate with the switch. Outbound
traffic is load balanced based on all active ports in the LAGG using a hash computed
using several factors, such as the source and destination IP address, MAC address, and
VLAN tag.
Round Robin This mode accepts inbound traffic on any port of the LAGG group and
sends outbound traffic using a round robin scheduling algorithm. Typically this means
that traffic will be sent out in sequence, using each interface in the group in turn.
None This mode disables traffic on the LAGG interface without disabling the interface
itself. The OS will still believe the interface is up and usable, but no traffic will be sent
or received on the group.
Description A short note about the purpose of this LAGG instance.
10.9.2 LAGG Interface Configuration
To create or manage LAGG interfaces:
• Navigate to Interfaces > Assignments, LAGGs tab
• Click Add to create a new LAGG, or click to edit an existing instance.
• Complete the settings as described in LAGG Interface Settings
• Click Save
After creating a LAGG interface, it works like any other physical interface. Assign the lagg interface under Interfaces
> Assignments and give it an IP address, or build other things on top of it such as VLANs.
Note: If the only purpose of the LAGG interface is to carry VLANs, it does not need to be assigned.
10.9.3 LAGG and Traffic Shaping
Due to limitations in FreeBSD, lagg(4) does not support altq(4) so it is not possible to use the traffic shaper
on LAGG interfaces directly. vlan(4) interfaces support altq(4) and VLANs can be used on top of LAGG
interfaces, so using VLANs can work around the problem. As an alternate workaround, Limiters can control bandwidth
usage on LAGG interfaces.
10.9.4 LAGG Throughput
Using a LAGG does not necessarily guarantee full throughput equal to the sum of all interfaces. In particular, a single
flow will not exceed the throughput of a LAGG member interface. Traffic on a LAGG is hashed in such a way that
flows between two hosts, such as this firewall and an upstream gateway, would only use a single link since the flow is
between a single MAC address on each side.
In networks where many hosts communicate with different MAC addresses, the usage can approach the sum of all
interfaces in the LAGG.
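This Python model is an added example, not lagg(4) code, of how the LAGG protocols choose the member port for an outbound frame and why one flow cannot exceed a single link: LACP and Load Balance hash the frame's MAC, VLAN and IP fields onto an active port (the kernel uses its own keyed hash; a truncated SHA-256 stands in for it here), Round Robin rotates through the up members, Failover sticks to the primary while it is up, and None sends nothing. Interface names and frame fields are constructed.

```python
import hashlib
import itertools
from collections import Counter


class Lagg:
    """Model of how a lagg(4) group picks the member port for an outbound frame."""

    def __init__(self, members, proto="lacp", primary=None):
        if proto not in ("lacp", "loadbalance", "roundrobin", "failover", "none"):
            raise ValueError(f"unknown LAGG protocol {proto}")
        self.members = list(members)
        self.proto = proto
        self.primary = primary or self.members[0]     # 'auto' = first selected
        self.up = {m: True for m in self.members}
        self._rr = itertools.cycle(self.members)

    def link_down(self, member):
        self.up[member] = False

    def link_up(self, member):
        self.up[member] = True

    def active_ports(self):
        return [m for m in self.members if self.up[m]]

    @staticmethod
    def flow_hash(frame):
        """Stable hash over the fields lagg uses (MACs, VLAN tag, IP addresses).

        Because the key is built only from addresses, every frame of one
        host pair hashes to the same value and therefore to the same port.
        """
        key = "|".join(str(frame.get(k, "")) for k in
                       ("src_mac", "dst_mac", "vlan", "src_ip", "dst_ip"))
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")

    def select_port(self, frame):
        active = self.active_ports()
        if self.proto == "none" or not active:
            return None
        if self.proto == "failover":
            # Primary while it is up, otherwise the next available member.
            return self.primary if self.up[self.primary] else active[0]
        if self.proto == "roundrobin":
            while True:
                member = next(self._rr)
                if self.up[member]:
                    return member
        # lacp and loadbalance: hash the flow onto one of the active ports
        return active[self.flow_hash(frame) % len(active)]


def distribution(lagg, frames):
    """Count how many frames each member port would carry."""
    return Counter(lagg.select_port(f) for f in frames)


def single_flow_frames(n):
    """n frames between the same two hosts, e.g. this firewall and its gateway."""
    frame = {"src_mac": "00:11:22:33:44:55", "dst_mac": "00:aa:bb:cc:dd:ee",
             "vlan": 0, "src_ip": "192.0.2.10", "dst_ip": "192.0.2.1"}
    return [dict(frame) for _ in range(n)]


def many_host_frames(n):
    """n frames from n different LAN hosts to the same gateway."""
    return [{"src_mac": f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}",
             "dst_mac": "00:aa:bb:cc:dd:ee", "vlan": 0,
             "src_ip": f"10.0.{i >> 8}.{i & 0xFF}", "dst_ip": "192.0.2.1"}
            for i in range(n)]


if __name__ == "__main__":
    lagg = Lagg(["igb0", "igb1", "igb2", "igb3"], proto="lacp")
    print("one flow:", distribution(lagg, single_flow_frames(1000)))   # one port only
    print("many hosts:", distribution(lagg, many_host_frames(1000)))   # spread over all
```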
10.10 QinQ Configuration
QinQ, also known as IEEE 802.1ad or stacked VLANs, is a means of nesting VLAN tagged traffic inside of packets
that are already VLAN tagged, or “double tagging” the traffic.
See also:
• Virtual LANs (VLANs)
QinQ is used to move groups of VLANs over a single link containing one outer tag, as can be found on some links
between locations from ISPs or datacenters. QinQ can be a quick and easy way of trunking VLANs across locations
without having a trunking-capable connection between the sites, provided the infrastructure between the locations
does not strip tags from the packets.
10.10.1 QinQ Interface Settings
When creating or editing a QinQ interface entry, the following options are available:
Parent Interface The interface that will carry the QinQ traffic.
First level tag The outer VLAN ID on the QinQ interface, or the VLAN ID given by the provider for the
site-to-site link.
Adds interface to QinQ interface groups When checked, a new interface group will be created called
QinQ that can be used to filter all of the QinQ subinterfaces at once.
When hundreds or potentially thousands of QinQ tags are present, this greatly reduces the amount
of work needed to use the QinQ interfaces.
Description Optional text for reference, used to identify the entry
Member(s) Member VLAN IDs for QinQ tagging. These can be entered one per row or in ranges such
as 100-150.
Click Add Tag to add another line for more tags or ranges.
10.10.2 QinQ Interface Configuration
Setting up QinQ interfaces is fairly simple:
• Navigate to Interfaces > Assignments
• Click the QinQ tab
• Click Add to add a new QinQ entry
• Configure the QinQ entry as described in QinQ Interface Settings
• Click Save to complete the interface
10.10.3 QinQ Example
In the following example (Figure QinQ Basic Example), a QinQ interface is configured to carry tagged traffic for
VLANs 10 and 20 across the link on igb3 with a first level tag of 2000.
Fig. 3: QinQ Basic Example
In Figure QinQ List, this entry is shown on the QinQ tab summary list.
The automatic interface group, shown in Figure QinQ Interface Group, must not be manually edited. Because these
interfaces are not assigned, it is not possible to make alterations to the group without breaking it. To re-create the
group, delete it from this list and then edit and save the QinQ instance again to add it back.
Rules may be added to the QinQ tab under Firewall > Rules to pass traffic in both directions across the QinQ links.
Fig. 4: QinQ List
Fig. 5: QinQ Interface Group
From here, how the QinQ interfaces are used depends on the needs of the network. Typically the resulting
interfaces are assigned and then configured directly, or bridged to their local equivalent VLANs (e.g. an assigned
igb2.10 bridged to igb3.2000.10, and so on).
The QinQ configuration will be roughly the same on both ends of the setup. For example, if both sides use identical
interface configurations, then traffic that leaves Site A out on igb3.2000.10 will go through VLAN 2000 on
igb3, come out the other side on VLAN 2000 on igb3 at Site B, and then in igb3.2000.10 at Site B.
10.11 Integrated Switches
Certain models of hardware sold by Netgate have integrated switches. These switches can be configured in a variety
of ways, with multiple ports on the same network or with each port on a separate network. The default configuration
of the switch and the procedure to change that configuration varies by model.
Models with integrated switches include:
• Netgate 7100
• Netgate 3100
• Netgate 2100
• Netgate 1100
See also:
• Virtual LANs (VLANs)
• Bridging
• Wireless
pfSense® software supports numerous types of network interfaces, either using physical interfaces directly or by
employing other protocols such as PPP or VLANs.
Interface assignments and the creation of new virtual interfaces are all handled under Interfaces > Assignments.
10.12 Physical and Virtual Interfaces
Most interfaces discussed in this chapter can be assigned as WAN, LAN, or an OPT interface under Interfaces >
Assignments. All currently-defined and detected interfaces are listed directly on Interfaces > Assignments or in the
list of interfaces available for assignment. By default, this list includes only the physical interfaces, but the other tabs
under Interfaces > Assignments can create virtual interfaces which can then be assigned.
Interfaces support various combinations of options. They can also support multiple networks and protocols on a single
interface, or multiple interfaces can be bound together into a larger capacity or redundant virtual interface.
All interfaces are treated equally; every interface can be configured for any type of connectivity or role. The default
WAN and LAN interfaces can be renamed and used in other ways.
Physical interfaces and virtual interfaces are treated the same once assigned, and have the same capabilities. For
example, a VLAN interface can have the same type of configuration that a physical interface can have. Some interface
types receive special handling once assigned, which are covered in their respective sections of this chapter.
This section covers the various types of interfaces that can be created, assigned, and managed.
10.13 Switches
Some Netgate Appliances sold in the Netgate Store contain built-in switches which can be configured in the GUI
under Interfaces > Switches. Documentation for the switch configuration can vary by model, and may be found in
the Netgate Product Manuals which match a given product.
10.14 Limitations
While the firewall does not impose any limits on the number of interfaces, large numbers of interfaces may function
in suboptimal ways. For example, the firewall may take much longer to configure interfaces and the GUI may have
rendering issues with large numbers of tabs or menu entries.
Most hardware will accommodate as many physical interfaces as can fit into the case. Issues may vary from driver to
driver but generally are hardware-related and not the result of the operating system or pfSense software.
Note: With a large number of physical interfaces, the number of mbufs will likely need to be increased. See Hardware
Tuning and Troubleshooting.
Physical limitations aside, significant numbers of virtual interfaces such as VLANs, LAGGs, VPNs, and more may be
added to the firewall. These types of interfaces tend to outnumber physical interfaces, especially VLANs.
Issues reported by users with large numbers of interfaces (physical and virtual) vary by hardware, configuration, and
browser. These issues tend to increase as the number of interfaces approaches 200. Should a particular environment
require more than 128 interfaces, consider alternate designs that do not involve using all of the interfaces on the firewall
directly. If the firewall must handle large numbers of interfaces, be wary of potential performance and GUI concerns.
CHAPTER
ELEVEN
USER MANAGEMENT AND AUTHENTICATION
11.1 Default Username and Password
The default credentials for a pfSense® software installation are:
Username admin
Password pfsense
These defaults are public knowledge; change the admin password during initial setup, before the firewall is reachable
from any untrusted network.
11.2 Privileges
Managing privileges for users and groups is done similarly, so both will be covered here rather than duplicating the
effort. Whether a user or group is managed, the entry must be created and saved first before privileges can be added to
the account or group.
To add privileges, edit an existing user or group and click Add in the Assigned Privileges or Effective Privi-
leges section.
The GUI presents a list of all available privileges. Privileges may be added one at a time by selecting a single entry,
or by multi-select using ctrl-click or cmd-click. If other privileges are already present on the user or group, they are
hidden from this list so they cannot be added twice. To search for a specific privilege by name, enter the search term
in the Filter box and click Filter.
Selecting a privilege will show a short description of its purpose in the information block area under the permission
list and action buttons. Most of the privileges are self-explanatory based on their names, but a few notable permissions
are:
WebCfg - All Pages Grants the user access to any page in the GUI
WebCfg - Dashboard (all) Grants the user access to the dashboard page and all of its associated func-
tions (widgets, graphs, etc.)
WebCfg - System: User Password Manager Page If the user has access to only this page, they can
login to the GUI to set their own password but do nothing else.
User - VPN - IPsec xauth Dialin Allows the user to connect and authenticate for IPsec xauth
User - Config - Deny Config Write Prevents the user from making changes to the firewall configuration
(config.xml).
Warning: This does not prevent the user from taking other actions that do not involve writing
to the configuration.
User - System - Shell account access Grants the user the ability to login over SSH, though the user will
not have root-level access so functionality is limited. A package for sudo is available to enhance this
feature.
After login, the firewall will attempt to display the dashboard. If the user does not have access to the dashboard, the
GUI will forward the user to the first page in their privilege list to which they have access.
Menus on the firewall only contain entries for which privileges exist on a user account. For example, if the only Diag-
nostics page that a user has access to is Diagnostics > Ping then no other items will be displayed in the Diagnostics
menu.
11.3 Manage Local Users
The Users tab under System > User Manager is where individual users are managed.
Note: The admin user cannot be deleted and its username may not be changed.
11.3.1 Creating and Editing Users
The first step is always to add the user and save. Privileges can only be added to existing users, they cannot be added
when creating a new user.
Tip: If multiple users need the same privileges, the most efficient method is to add a group and then add users to the
group.
To add a new user:
• Navigate to System > User Manager
• Click Add
To edit an existing user:
• Navigate to System > User Manager
• Click on the row containing the user
11.3.2 User Settings
When creating or editing a user, the following options are available:
Disabled This checkbox controls whether this user will be active. To deactivate this account, check the
option.
Username Sets the login name for the user. This field is required, must be 16 characters or less and may
only contain letters, numbers, and a period, hyphen, or underscore.
Password / Confirm Password The password for this user. Ensure the two fields match to confirm the
password.
Note: Passwords are stored in the configuration as hashes, not plain text.
Full Name Optional field which can be used to enter a longer name or a description for this user account.
Expiration Date Optional date at which the firewall will automatically deactivate this user account. The
date must be entered in MM/DD/YYYY format.
Custom Settings Enables options for per-user custom GUI settings. See Per-user GUI Options and
Dashboard Layout for details.
Group Memberships If one or more groups exist on the firewall (Manage Local Groups), this control
can add the user as a member.
To add a group for this user:
• Click the group name in the Not Member Of column
• Click to move it to the Member Of column
To remove a group from the user:
• Click the group name in the Member Of column
• Click to move it to the Not Member Of column
Effective Privileges A list of privileges this user has, either directly assigned or inherited by group mem-
bership.
Appears only when editing an existing user, not when creating a user.
Privileges assigned to the user may be edited by these controls, but group privileges cannot. Group
privileges must be managed on the group.
See also:
See Privileges for information on managing privileges.
Certificate Certificates associated with this user account.
The behavior of this section changes depending on whether the page is creating a new user or editing
an existing user. This section is disabled if there are no internal certificate authorities defined on the
firewall capable of signing a certificate.
To create a certificate while adding a user:
• Check Click to create a user certificate
• Fill in the Descriptive name
• Choose a Certificate Authority
• Select a Key Type and Key Length
• Select a Digest Algorithm
• Enter a Lifetime
See also:
For more information on these parameters, see Create an Internal Certificate.
When editing a user, this section of the page instead becomes a list of certificates associated with
this user account.
To create a certificate for an existing user:
• Click Add
• Fill in the settings on the page as described in Create an Internal Certificate (some data is
pre-filled)
To associate an existing certificate with this user:
• Set Method to Choose an Existing Certificate
• Select an entry from the Existing Certificate list
• Click Save
Authorized SSH keys Public keys for SSH and SCP authentication.
To add a key, paste or enter in the key data. Multiple keys are allowed, one per line.
Warning: Only enter authorized keys into this field. Do not add them to files in user home
directories. Those files will be overwritten by the GUI the next time account information is
synchronized to disk (e.g. at boot time).
IPsec Pre-Shared Key Pre-Shared Key (PSK) for this user to connect to a non-xauth Pre-Shared Key
mobile IPsec setup.
If a PSK is entered here, the username is used as the identifier. The PSK is also displayed under
VPN > IPsec on the Pre-Shared Keys tab.
Note: This field has no effect for IKEv2 or xauth mobile IPsec.
Keep Command History If this user has shell access, this option preserves the last 1000 unique com-
mands entered at a shell prompt between login sessions. The user can access history using the up and
down arrows at an SSH or console shell prompt and search the history by typing a partial command
and then using the up or down arrows.
Per-user GUI Options and Dashboard Layout
Each user can have their own settings for various GUI options and their dashboard layout. To enable this for a user,
check the Custom Settings box when adding or editing the user.
When that option is active, additional GUI options for the user are present on the user account page. Additionally, the
user can have their own personal dashboard layout, starting from the system-wide layout.
Choose the other GUI options desired for the user such as theme, top navigation, host name in menu, dashboard
columns, show/hide associated panels, left column labels and browser tab text.
Tip: Users with the WebCfg - System: User Settings privilege may adjust their own GUI options.
Users in the admin group already have this privilege.
A user with Custom Settings enabled and the User Settings privilege will have menu option System > User Settings.
The user can select this to change the GUI options for their account.
When a user with Custom Settings adds, moves or removes dashboard widgets, the custom dashboard layout is saved
in the preferences for only that user.
11.4 Manage Local Groups
Groups manage sets of user privileges so they do not need to be maintained individually on every user account. For
example, a group can be used for IPsec xauth users, or a group that can access the firewall dashboard, a group of
firewall administrators, or many other possible scenarios using any combination of privileges.
Groups are managed under System > User Manager on the Groups tab.
Note: The all and admins groups cannot be deleted.
11.4.1 Groups and Remote Authentication
When working with group privileges while authenticating against LDAP and RADIUS (Authentication Servers), local
groups must exist with names that exactly match groups from the server. For example, if an LDAP group named
firewall_admins exists then the firewall must also contain an identically named group, firewall_admins,
with the desired privileges.
If a user attempts to authenticate against a remote authentication server and there are no matching groups, the user will
not have any privileges from groups, and cannot access resources which require privileges.
11.4.2 Creating and Editing Groups
As with users, the first step is to add the group and save. Privileges can only be added to existing groups, they cannot
be added when creating a new group.
To add a new group:
• Navigate to System > User Manager, Groups tab
• Click Add
To edit an existing group:
• Navigate to System > User Manager, Groups tab
• Click on the row containing the group
11.4.3 Group Settings
Group name The name of the group.
For groups in the Local scope, this setting has the same restrictions as a username: It must be 16
characters or less and may only contain letters, numbers, and a period, hyphen, or underscore.
Groups in the Remote scope do not have strict name restrictions, for example they may have longer
names.
Scope The scope in which this group is available for use.
Note: LDAP and RADIUS groups can match names in both local and remote scopes.
Local Groups on the firewall itself, such as those for use in the shell, filesystem, and other
local uses. These groups are added to the operating system, so they are subject to
naming restrictions imposed there.
Remote Groups from remote sources, such as authentication servers (RADIUS or LDAP).
These groups are not exposed to the operating system, and thus are only available for
use in the GUI and other similar uses not involving the operating system layer. This
scope has relaxed name restrictions, for example, group names may be longer and may
contain spaces.
Description Optional free-form text for reference and to better identify the purpose of the group in case
the Group name is not sufficient.
Group Memberships This set of controls defines which existing users will be members of the new group.
Firewall users are listed in the Not Members column by default.
To add a user to this group:
• Click the user name in the Not Members column
• Click to move it to the Members column
To remove a user from this group:
• Click the user name in the Members column
• Click to move it to the Not Members column
Assigned Privileges A list of privileges assigned to this group. Appears only when editing an existing
group.
See also:
See Privileges earlier in this chapter for information on managing privileges.
11.5 Authentication Servers
The firewall can use RADIUS and LDAP servers to authenticate users from remote sources.
User Manager Support contains information on which areas of the firewall support these servers.
To add a new server:
• Navigate to System > User Manager, Authentication Servers tab
• Click Add
To edit an existing server, click the edit icon next to its entry on the same page.
Each type of authentication server is covered in the following sections:
11.5.1 RADIUS Authentication Servers
Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly supported by a wide variety of net-
working equipment for user authentication, authorization, and accounting (AAA).
Servers are commonly available as well, including FreeRADIUS and Active Directory via NPS.
Though most areas on pfSense® software which support RADIUS now integrate their RADIUS settings via the user
manager, a few remain which use separate settings, such as the PPPoE and L2TP servers.
See also:
• Controlling Client Parameters via RADIUS
Warning: Secure the link between the firewall and the RADIUS server. If the server is local, use a trusted
management network. If the server is remote, communicate only over VPN tunnels.
With PAP the password is only obfuscated using the shared secret, and even with the CHAP variants the
remainder of the exchange (usernames, reply attributes, accounting data) is not encrypted and may contain
sensitive information.
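The following is an added example, not pfSense code, showing why the warning above treats a PAP request as exposed: it implements the RFC 2865 section 5.2 User-Password hiding that a RADIUS client applies before sending a PAP Access-Request, and the reverse operation that anyone holding the shared secret can perform on a captured packet. The secret and password values are constructed for this example.

```python
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the RADIUS User-Password attribute value (RFC 2865, section 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(secret + previous block), where the "previous block" for the
    first block is the 16-byte Request Authenticator sent in the clear. Only the
    shared secret is unknown to an eavesdropper, so this is obfuscation, not
    encryption.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo the hiding given the shared secret.

    This is exactly what an attacker who captured the Access-Request and
    holds (or brute-forces) the shared secret does; the Authenticator is in
    the packet, so the secret is the only thing protecting the password.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    recovered = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        recovered += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return recovered.rstrip(b"\x00")


def demo():
    """Round trip with the right secret, garbage with the wrong one."""
    secret = b"example-shared-secret"      # constructed value for this example
    authenticator = os.urandom(16)         # fresh per Access-Request
    hidden = hide_user_password(b"correct horse battery staple", secret, authenticator)
    right = reveal_user_password(hidden, secret, authenticator)
    wrong = reveal_user_password(hidden, b"wrong-secret", authenticator)
    return right, wrong


if __name__ == "__main__":
    print(demo())
```

Note that a weak or reused shared secret makes every captured PAP request an offline brute-force target, which is why the link to the server belongs on a trusted management network or inside a VPN regardless of the protocol chosen.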
RADIUS Configuration
Descriptive name The name for this RADIUS server. This name will be used to identify the server
throughout the GUI.
Protocol The protocol used by the firewall when performing RADIUS requests. May be one of:
PAP Password Authentication Protocol. The password is sent in the User-Password attribute,
hidden only by an MD5 keystream derived from the shared secret (RFC 2865), so it is effectively
plain text to anyone who holds or guesses that secret. It is more widely supported than other
methods, and may be required by specific features (e.g. mOTP).
Warning: Due to its security deficiencies, avoid using PAP where possible.
MD5-CHAP Challenge-Handshake Authentication Protocol using MD5 hashing. The
RADIUS server sends a challenge value and the client responds with a hash of the
challenge value and the password together. More secure than PAP as it does not trans-
mit passwords in the clear, but both parties must know the plain text of the password.
MS-CHAPv1 A Microsoft variation of CHAP where neither side needs to know the plain
text of the password. Though it is generally more secure, it has other known weak-
nesses which make it vulnerable to attack.
MS-CHAPv2 An updated variation of MS-CHAPv1. It is used in EAP as well as
802.1x/WPA Enterprise for wireless. However, it also has known weaknesses.
Note: Certain RADIUS features may require specific modes. For example, mOTP typically requires
PAP since it reads the password in the clear to separate the PIN and OTP code. Services utilizing
EAP typically use MS-CHAPv2.
Hostname or IP address The address of the RADIUS server. This can be a fully qualified domain name
or an IPv4 address.
Warning: The RADIUS client on the firewall does not currently support IPv6.
Shared Secret The password established for this firewall on the RADIUS server software.
Services offered This selector sets which services are offered by this RADIUS server.
Authentication The firewall will use this RADIUS server to authenticate users.
Accounting The firewall will send RADIUS start/stop accounting packet data for login
sessions if supported in the area where it is used.
Authentication and Accounting The server will be used for both types of actions.
Authentication port Only appears if an Authentication mode is chosen. Sets the UDP port where RA-
DIUS authentication will occur. The default RADIUS authentication port is 1812.
Accounting port Only appears if an Accounting mode is chosen. Sets the UDP port where RADIUS
accounting will occur. The default RADIUS accounting port is 1813.
Authentication Timeout Controls how long, in seconds, that the RADIUS server may take to respond
to an authentication request. If left blank, the default value is 5 seconds. If an interactive two-factor
authentication system is in use, increase this timeout to account for how long it will take the user to
receive and enter a token, which can be 60-120 seconds or more if it must wait for an external action
such as a phone call, SMS message, etc.
RADIUS NAS IP Attribute Sets the value the firewall will send in the RADIUS request
NAS-IP-Address attribute. This value is used by the RADIUS server to identify this firewall.
The server can use this value to make authentication decisions, or to denote which node users were
authenticated by in accounting data.
In most cases, the NAS-IP-Address value does not matter so long as it is unique to this firewall.
However, more complicated RADIUS environments may use this attribute to let the server make
more informed decisions about users logging into different services. For example, if there are mul-
tiple Captive Portal instances on the firewall, multiple RADIUS server entries can be created, each
using the specific interface address for a given portal. The RADIUS server could then choose to
only let certain sets of users login to each portal.
Adding a RADIUS Server
To add a new RADIUS server:
• Add the firewall as a client on the RADIUS server
• Navigate to System > User Manager, Authentication Servers tab
• Click Add
• Set the Type selector to RADIUS
The GUI will change the form to display RADIUS Server Settings
• Fill in the fields as described in RADIUS Configuration
• Click Save to create the server
• Navigate to Diagnostics > Authentication to test the RADIUS server using a valid account.
RADIUS Groups
There are two requirements for RADIUS groups to function properly:
• The RADIUS server must return a list of groups in the Class RADIUS reply attribute as a string.
• The same groups must exist locally (Manage Local Groups)
Multiple groups returned by the RADIUS server in the Class attribute must be separated by a semicolon. For
example, in FreeRADIUS, to return the admins and VPNUsers groups, use the following Reply-Item RADIUS
Attribute:
Class := "admins;VPNUsers"
If the RADIUS server returns the group list properly for a user, and the groups exist locally, then the groups will be
listed on the results when using the Diagnostics > Authentication page to test an account.
If the groups do not show up when testing, ensure the groups exist in the Group Manager with matching names and
that the server is returning the Class attribute as a string, not binary.
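The following is an added example, not pfSense code, that models the two requirements above and the matching rule from Groups and Remote Authentication: it decodes the Class attribute(s) from an Access-Accept, splits the string on semicolons, and keeps only names that exactly match a local group. The attribute bytes, the local group table, and the function names are constructed for this example.

```python
# Added example, not pfSense code. RADIUS attribute layout per RFC 2865:
# 1-byte type, 1-byte length (including the 2-byte header), value.
RADIUS_ATTR_REPLY_MESSAGE = 18
RADIUS_ATTR_CLASS = 25


def parse_attributes(data: bytes) -> list:
    """Walk the attribute TLVs that follow the 20-byte RADIUS packet header."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def groups_from_class(attrs) -> list:
    """Collect group names from every Class attribute, split on semicolons.

    Class must arrive as a printable string. A server that sends an opaque
    binary Class (the attribute's original purpose in RFC 2865) contributes
    no groups, which is the "string, not binary" check described above.
    """
    groups = []
    for atype, value in attrs:
        if atype != RADIUS_ATTR_CLASS:
            continue
        try:
            text = value.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if not text.isprintable():
            continue
        groups.extend(g.strip() for g in text.split(";") if g.strip())
    return groups


def effective_groups(returned, local_groups) -> list:
    """Only names that exactly match a local group grant anything."""
    return [g for g in returned if g in local_groups]


def effective_privileges(groups, local_groups) -> set:
    """Union of the privileges of every matched local group."""
    privs = set()
    for g in groups:
        privs.update(local_groups[g])
    return privs


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV; the length byte counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def authorize(attr_bytes: bytes, local_groups) -> tuple:
    """Return (matched groups, privileges) for one Access-Accept payload."""
    groups = effective_groups(groups_from_class(parse_attributes(attr_bytes)), local_groups)
    return groups, effective_privileges(groups, local_groups)


# Constructed local group table, keyed by exact group name.
LOCAL_GROUPS = {
    "admins": {"WebCfg - All Pages"},
    "VPNUsers": {"User - VPN - IPsec xauth Dialin"},
}

# Constructed Access-Accept attribute payloads (packet header omitted).
ACCEPT_STRING_CLASS = (build_attr(RADIUS_ATTR_CLASS, b"admins;VPNUsers")
                       + build_attr(RADIUS_ATTR_REPLY_MESSAGE, b"Welcome"))
ACCEPT_BINARY_CLASS = build_attr(RADIUS_ATTR_CLASS, b"\x00\x01\x02\xff")
ACCEPT_UNKNOWN_GROUP = build_attr(RADIUS_ATTR_CLASS, b"admins;Helpdesk")

if __name__ == "__main__":
    for payload in (ACCEPT_STRING_CLASS, ACCEPT_BINARY_CLASS, ACCEPT_UNKNOWN_GROUP):
        print(authorize(payload, LOCAL_GROUPS))
```

The third payload shows the silent failure mode worth testing for on Diagnostics > Authentication: a group the server returns but which does not exist locally (Helpdesk) is simply dropped, so the user logs in with fewer privileges than expected rather than with an error.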
11.5.2 LDAP Authentication Servers
Though the Lightweight Directory Access Protocol (LDAP) is technically a protocol for querying directories of user
information, it also supports mechanisms for user authentication via bind operations.
There are many popular user directory implementations which use LDAP, including Active Directory, OpenLDAP,
FreeIPA, and more.
Note: LDAP server implementations and schemas vary widely. As such, there are no complete and specific examples
in this document.
LDAP Configuration
Hostname or IP address The address of the LDAP server. This can be a fully qualified domain name,
an IPv4 address, or an IPv6 address.
Note: If this LDAP server uses SSL/TLS, the value of this field must match the certificate presented by
the LDAP server. Typically this means it must be a hostname which resolves to the IP address of the
LDAP server, but the specific requirements depend on the contents of the server certificate.
For example, with a value of ldap.example.com in this field, the server certificate must include
ldap.example.com as a name (Subject Alternative Name or Common Name), and ldap.example.com must
resolve to the server address, e.g. 192.168.1.5. The one exception is when the IP address of the server
is itself listed in the server certificate, in which case the IP address may be entered here.
If the certificate hostname does not resolve correctly in this network and the DNS records cannot be
easily fixed, this can be worked around in some cases by creating a DNS host override on the firewall
that makes the certificate hostname resolve to the correct IP address.
Port value This setting specifies the port on which the LDAP server is listening for LDAP queries. The
default port is 389 for Standard TCP and STARTTLS, and 636 for SSL. This field is updated
automatically with the proper default value based on the selected Transport.
Note: When using port 636 for SSL, the firewall uses an ldaps:// URL, not STARTTLS.
Ensure that the LDAP server is listening on the correct port with the correct mode.
Transport This setting controls which transport method will be used by the firewall to communicate with
the LDAP server.
Warning: LDAP queries will contain sensitive data, such as usernames, passwords, and other
information about the user. The best practice is for the firewall to use encryption when commu-
nicating with the LDAP server, if the LDAP server supports it. Both SSL/TLS and STARTTLS
will encrypt traffic between the firewall and the LDAP server.
Standard TCP (Default) Plain unencrypted TCP connections on port 389. This is not
secure, but is widely supported and also useful for debugging with packet captures.
Do not use this protocol across untrusted networks.
STARTTLS Encrypted Connects using TCP port 389 but negotiates encryption with the
server using STARTTLS.
Note: Not all LDAP servers support STARTTLS, check the LDAP server documen-
tation and configuration.
SSL/TLS Encrypted Connects using SSL/TLS on TCP port 636 to encrypt LDAP
queries.
Note: Not all LDAP servers support SSL/TLS, check the LDAP server documentation
and configuration.
Peer Certificate Authority The CA chosen with this selector is used by the firewall to validate the LDAP
server certificate when Transport is set to SSL/TLS Encrypted or STARTTLS Encrypted mode.
The selected CA must match the CA which signed the LDAP server certificate, otherwise validation
will fail. If the LDAP server is using a globally trusted certificate (e.g. Let’s Encrypt or another
public CA), choose Global Root CA List.
See Certificate Authority Management for more information on creating or importing CAs.
Client Certificate (Plus only) This certificate is sent to the LDAP server to identify this client when using
an encrypted transport mode. If the LDAP server requires a client certificate, the server will use this
certificate to ensure that the firewall is authorized to make LDAP queries.
This certificate must be issued by the CA used by the LDAP server to validate connecting clients.
Protocol version Chooses which version of the LDAP protocol is employed by the LDAP server, either
2 or 3, typically 3.
Server Timeout The time, in seconds, after which LDAP operations are considered as failed. Using a
lower value will allow the GUI to try other authentication sources faster when the server fails. If the
LDAP server is slow or overloaded, a larger value can help the firewall accept delayed responses.
Search scope Determines where, and how deep, an LDAP search will be performed to locate a match.
Level Controls the depth of the LDAP search.
One Level Search only one level, defined by the Authentication Containers.
Entire Subtree Search the entire subtree of the directory, starting with the Au-
thentication Containers.
Tip: This is typically the best choice, and is nearly always required for Active
Directory configurations.
Base DN Controls where the search will start. Typically set to the root of the LDAP
structure, e.g. DC=example,DC=com
Authentication containers A list of potential account locations or containers, separated by semicolons.
These containers will be prepended to the Base DN above when the firewall crafts LDAP queries.
Alternately, specify a full container path here and leave the Base DN blank.
Tip: If the LDAP server supports it, and the bind settings are correct, click Select a con-
tainer to browse the LDAP server and select containers from a list.
Some examples of containers are:
• CN=Users,DC=example,DC=com This searches for users inside the Users container of the domain
component example.com, a common syntax for Active Directory
• CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com This
searches in two different locations, the second of which is restricted to the OtherUsers
organizational unit.
Extended Query Specifies an extra restriction to query after the username, which allows group mem-
bership to be used as a filter. This must include both the item to search as well as the method of
searching. For example, a restriction based on group membership would use memberOf. Check
the LDAP server documentation for information on forming such queries.
To set an extended query, check the box and fill in the Query value with a filter such as:
memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com
Bind credentials Controls how this LDAP client will attempt to bind to the server.
Note: Active Directory typically requires the use of bind credentials and may need a service account
or administrator-equivalent depending on the server configuration. Consult Windows documentation
to determine which is necessary in a specific environment.
Bind Anonymous (Default) When checked the firewall will use anonymous binds. When
unchecked the GUI presents the Bind Credentials fields.
Bind Credentials (User DN/Password) When Bind Anonymous is unchecked, the cre-
dentials in these fields are used by the firewall to make authenticated binds when per-
forming a query.
The User DN may be a username or a full DN, depending on what the LDAP server
requires.
Attributes
Initial Template This option only appears when initially creating an LDAP server entry.
It pre-fills the remaining options on the page with common defaults for a given type of
LDAP server. The choices include OpenLDAP, Microsoft AD, and Novell eDirectory.
User naming attribute The attribute used to identify the name of a user, most commonly
cn or samAccountName.
Group naming attribute The attribute used to identify a group, such as cn.
Group member attribute The attribute of a user that signifies it is the member of a group,
such as member, memberUid, memberOf, or uniqueMember.
RFC2307 Groups Specifies how group membership is organized on the LDAP server. When unset (de-
fault), the queries assume the server uses Active Directory style group membership (RFC 2307bis)
where groups are listed as an attribute of the user object. When checked, queries use RFC 2307 style
group membership where the users are listed as members on the group object.
Note: In this mode the Group member attribute will typically be set to memberUid, but
may vary by LDAP schema.
RFC2307 User DN When set, queries include the user DN when searching for groups.
Group Object Class Specifies the object class of RFC 2307 style groups. Typically posixGroup but
it may vary by LDAP schema. Not necessary for Active Directory style groups.
Shell Authentication Group DN The LDAP group DN for users allowed to log in via SSH. This is used with the Shell Authentication option on the Settings tab to allow LDAP users to log in via SSH. To log in via SSH, users must be a member of this group and have valid posixAccount attributes in their LDAP account.
UTF8 Encode When checked, queries to the LDAP server are encoded for UTF-8 and the responses are
decoded from UTF-8. Support varies depending on the LDAP server. Generally only necessary if
user names, groups, passwords, and other attributes contain UTF-8 or international style accented
characters.
Username Alterations When unchecked, a username given as user@hostname will have the
@hostname portion stripped so only the username is sent in the LDAP bind request. When
checked, the username is sent in full.
Allow Unauthenticated Bind When set, bind requests with empty passwords will be rejected locally. Some LDAP servers, specifically Microsoft Active Directory, will accept unauthenticated bind requests and treat them as successful.
Warning: This behavior must be disabled on the LDAP server where possible. Allowing
requests to succeed with an empty password is a significant security risk and it affects any device
or service authenticating against an LDAP server.
Though this option allows the firewall to reject such authentication attempts, other LDAP clients
may not offer the same choice. Disabling the feature on the server is the most secure means of
correcting the problem. Consult the LDAP server documentation for information on disabling
this behavior.
Adding an LDAP Server
To add a new LDAP server:
• Make sure that the LDAP server can be reached by the firewall
• Import the Certificate Authority used by the LDAP server before proceeding if using SSL/TLS or STARTTLS
encryption
See Certificate Authority Management for more information on creating or importing CAs.
• Navigate to System > User Manager, Authentication Servers tab
• Click Add
• Set the Type selector to LDAP
The GUI will change the form to display LDAP server settings
• Fill in the fields as described previously in LDAP Configuration
• Click Save to create the server
• Visit Diagnostics > Authentication to test the LDAP server using a valid account
LDAP Groups
There are two requirements for LDAP groups to function properly:
• The LDAP authentication settings must match the group membership style used by the LDAP server
• The same groups must exist locally (Manage Local Groups)
If the LDAP query returns the group list properly for a user, and the groups exist locally, then the groups will be listed
on the results when using the Diagnostics > Authentication page to test an account.
If the groups do not show up, ensure they exist in the Group Manager with matching names and that the proper group structure is present on the LDAP authentication server entry (e.g. the RFC 2307 options).
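The two membership styles selected by RFC2307 Groups, and the LDAP Groups requirement that matching local groups exist, as an added Go example that is not pfSense code: it resolves a user's groups from a constructed in-memory directory (the entries, names and DNs are made up) in both the RFC 2307bis and the RFC 2307 style, so the effect of a mismatched Group member attribute or Group Object Class can be seen without a live server.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not pfSense code. An in-memory directory stands in for the
// LDAP server so the two membership styles behind the "RFC2307 Groups" option
// can be compared, and the local-group requirement applied, without a server.

type Entry struct { // one LDAP object: its DN plus multi-valued attributes
	DN    string
	Attrs map[string][]string
}

// LDAPSettings mirrors the group-related fields of an LDAP server entry.
type LDAPSettings struct {
	RFC2307Groups    bool   // unset: group DNs sit on the user object (AD / RFC 2307bis)
	UserNamingAttr   string // "User naming attribute", e.g. cn or samAccountName
	GroupNamingAttr  string // "Group naming attribute", e.g. cn
	GroupMemberAttr  string // "Group member attribute", e.g. memberOf or memberUid
	GroupObjectClass string // "Group Object Class", e.g. posixGroup (RFC 2307 only)
	RFC2307UserDN    bool   // "RFC2307 User DN": groups list the user's DN, not its name
}

// ResolveGroups returns the user's group names using the style the settings
// declare: read them off the user object (RFC 2307bis), or search the group
// objects as (&(objectClass=<class>)(<member attr>=<user>)) would (RFC 2307).
func ResolveGroups(s LDAPSettings, dir []Entry, username string) ([]string, error) {
	var user *Entry
	for i := range dir {
		if contains(dir[i].Attrs[s.UserNamingAttr], username) {
			user = &dir[i]
		}
	}
	if user == nil {
		return nil, fmt.Errorf("user %q not found", username)
	}
	var groups []string
	if !s.RFC2307Groups {
		for _, gdn := range user.Attrs[s.GroupMemberAttr] {
			groups = append(groups, rdnValue(gdn, s.GroupNamingAttr))
		}
		return groups, nil
	}
	subject := username
	if s.RFC2307UserDN {
		subject = user.DN
	}
	for _, e := range dir {
		if contains(e.Attrs["objectClass"], s.GroupObjectClass) && contains(e.Attrs[s.GroupMemberAttr], subject) {
			groups = append(groups, e.Attrs[s.GroupNamingAttr][0])
		}
	}
	return groups, nil
}

// EffectiveGroups keeps only the groups that also exist in the local Group
// Manager (the page's second requirement); the rest carry no privileges.
func EffectiveGroups(remote, local []string) []string {
	var out []string
	for _, g := range remote {
		if contains(local, g) {
			out = append(out, g)
		}
	}
	return out
}

// contains matches case-insensitively, as most LDAP attribute syntaxes do.
func contains(list []string, v string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// rdnValue turns "cn=admins,ou=groups,dc=example,dc=com" into "admins".
func rdnValue(dn, attr string) string {
	kv := strings.SplitN(strings.SplitN(dn, ",", 2)[0], "=", 2)
	if len(kv) == 2 && strings.EqualFold(kv[0], attr) {
		return kv[1]
	}
	return ""
}

// SampleDir is a constructed directory: alice is in admins and vpnusers under
// both styles; bob appears only as a posixGroup member and has no user entry.
var SampleDir = []Entry{
	{DN: "uid=alice,ou=people,dc=example,dc=com", Attrs: map[string][]string{"uid": {"alice"},
		"memberOf": {"cn=admins,ou=groups,dc=example,dc=com", "cn=vpnusers,ou=groups,dc=example,dc=com"}}},
	{DN: "cn=admins,ou=groups,dc=example,dc=com", Attrs: map[string][]string{"cn": {"admins"},
		"objectClass": {"posixGroup"}, "memberUid": {"alice"}}},
	{DN: "cn=vpnusers,ou=groups,dc=example,dc=com", Attrs: map[string][]string{"cn": {"vpnusers"},
		"objectClass": {"posixGroup"}, "memberUid": {"alice", "bob"}}},
}
```

Running ResolveGroups with RFC2307Groups set but Group member attribute left at memberOf returns no groups at all, which is the symptom the troubleshooting paragraph above describes.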
See also:
• Hangouts Archive to view the August 2015 Hangout on RADIUS and LDAP.
• External User Authentication Examples
11.6 Settings
The Settings tab in the User Manager controls how the firewall authenticates users for the GUI and SSH.
Session Timeout This field specifies how long a GUI login session will last when idle. This value is
specified in minutes, and the default is four hours (240 minutes). A value of 0 may be entered
to disable session expiration, making the login sessions valid forever. A shorter timeout is better,
though it should be long enough that an active administrator would not be logged out unintentionally
while making changes.
Warning: Allowing a session to stay valid when idle for long periods of time is insecure. If an
administrator leaves a terminal unattended with a browser window open and logged in, someone
or something else could take advantage of the open session.
Authentication Server This selector chooses the primary authentication source for users logging into the
GUI. This can be a RADIUS or LDAP server, or the default Local Database.
Note: If the RADIUS or LDAP server is unreachable, the authentication will fall back to Local
Database even if another method is chosen.
Password Hash Algorithm Selects which algorithm the firewall will use when creating hashes for passwords in user manager accounts.
May be one of the following choices:
bcrypt - Blowfish-based crypt Secure password hashing with a crypt algorithm based on
Blowfish. The most secure option currently available.
Note: This hashing algorithm is restricted to a maximum password length of 72
characters.
SHA-512 - SHA-512-based crypt Secure password hashing with a crypt algorithm based
on SHA-512. Weaker than bcrypt but still has an acceptable level of security in many
environments.
Some users may prefer SHA-512-based crypt hashes for compatibility or compliance
purposes.
Shell Authentication When set, the selected Authentication Server will also be configured as the authentication source for SSH access to the firewall. By default, only accounts in the User Manager with shell privileges can log in over SSH.
This works with both RADIUS and LDAP servers, with some caveats:
RADIUS Servers When used with a RADIUS server, accounts must exist on the firewall with the same names and the expected privileges. They will authenticate against RADIUS but use the local account settings otherwise.
LDAP Servers When used with an LDAP server, the Shell Authentication Group DN
must be set on the LDAP Authentication Server entry. Users must be a member of that
group and have valid posixAccount attributes in their LDAP account.
Auth Refresh Time Time in seconds for which the firewall caches authentication results. The default is 30 seconds, maximum 3600 (one hour). Shorter times result in more frequent queries to authentication servers.
The firewall periodically re-authenticates users against the remote server to ensure the account is
still valid and has the expected privileges. Checking frequently is more secure, but puts a larger
burden on the authentication server and can increase page load times on the firewall.
11.6.1 Remote Authentication Servers and Privileges
When using a RADIUS or LDAP server for GUI authentication, the users and/or group memberships must be defined in the firewall in order to properly allocate permissions, as there is no method to obtain permissions dynamically from an authentication server.
For group membership to work properly, the firewall must be able to recognize the groups as presented by the authentication server. This requires two things:
• The local groups must exist with identical names (Manage Local Groups).
• The firewall must be able to locate or receive a list of groups from the authentication server.
See Authentication Servers for details specific to each type of authentication server.
11.7 Logging Out of the GUI
To end a GUI login session navigate to System > Logout or close the browser window.
Sessions will automatically expire if they are idle for longer than the Session Timeout defined on System > User
Manager, Settings tab. The default session timeout is 4 hours (240 minutes) of idle time.
See also:
• Sudo Package
• External User Authentication Examples
• Granting Users Access to SSH
• Accessing the Firewall Filesystem with SCP
• Authenticating Users with Google Cloud Identity
• Troubleshooting Authentication
• Troubleshooting Access when Locked Out of the Firewall
The User Manager in pfSense® software provides the ability to create and manage multiple user accounts. These
accounts can be used to access the GUI, use VPN services like IPsec and OpenVPN, and use the Captive Portal.
The User Manager is located at System > User Manager. From there users, groups, servers may be managed, and
settings that govern the behavior of the User Manager may be changed.
The User Manager can also be used to define external authentication sources such as RADIUS and LDAP.
See also:
Hangouts Archive to view the February 2015 Hangout on User Management and Privileges, and the August 2015
Hangout on RADIUS and LDAP.
11.8 User Manager Support
As of this writing, not all areas of the firewall hook back into the User Manager.
GUI Supports users in the User Manager, and via RADIUS or LDAP. Groups or Users from RADIUS or
LDAP require definitions in the local User Manager to manage their access permissions.
SSH/SCP Supports users from the User Manager, and via RADIUS or LDAP. Requires special privilege
granted to users or groups.
IPsec Supports users in the User Manager, RADIUS or LDAP via User Manager for Xauth, and RADIUS
for IKEv2 with EAP-RADIUS.
OpenVPN Supports users in the User Manager, RADIUS or LDAP via User Manager.
Captive Portal Supports local users, RADIUS, or LDAP via User Manager.
L2TP Supports users in the L2TP settings, and via RADIUS in the L2TP settings.
PPPoE Server Supports users in the PPPoE settings, and via RADIUS in the PPPoE settings.
CHAPTER
TWELVE
CERTIFICATE MANAGEMENT
12.1 Certificate Properties
Certificate authority and certificate entries have several properties in common. The common properties of both types
are covered here.
12.1.1 Keys
The public and private keys of the certificate are used for cryptographic operations.
Key Type Certificate key type can be either RSA or ECDSA (Elliptic Curve Digital Signature Algorithm).
RSA RSA keys are more common and better supported than ECDSA, and also have some performance benefits.
Key Length When using RSA keys, the security is proportional to the key size.
Larger keys are more secure, but they also take longer to generate and are
slower to use. RSA performance decreases rapidly as the key size increases.
The best practice is to not use keys smaller than 2048 bits where possible.
Legacy and embedded systems may not support larger keys.
ECDSA ECDSA is a newer method, and is not as widely adopted. Its main advantage is that it can use smaller keys to provide equ equivalent levels of security to RSA. ECDSA is slower at verifying signatures than RSA, but scales better.
Curve Name There are a variety of ECDSA curves available, but only a few
have been confirmed to work with various services on the firewall. The services
which support each curve are noted in the list. Pick the curve based on which
services will use this certificate authority or certificate.
12.1.2 Digest Algorithm
Digest Algorithms, also known as Message Digest Algorithms and Hash Algorithms, are used to create a fixed-length
hash of content for signing.
The larger the hash, the stronger it is and the less likely it is to be susceptible to collisions which compromise the
integrity of the hash. The current best practice is to use a minimum of SHA-256.
Warning: Though the GUI still contains support for SHA-1, it is considered weak and should not be used. Rare
exceptions can be made for legacy systems which do not support stronger hashes.
12.1.3 Lifetime
The Lifetime of a certificate authority or certificate determines the length, in days, for which the certificate is valid.
Shorter lifetimes are more secure, but require more work as the certificates must be renewed or replaced more frequently.
See also:
Renew or Reissue a CA or Certificate.
For certificate authorities, a longer lifetime such as 3650 days (10 years) is acceptable.
Certificates for users typically also have a long lifetime, but specific values depend largely on the needs of an organization. The GUI defaults to 3650 days for User Certificates, but a better practice is to use a lower value when practical.
Server certificates have stricter requirements for their lifetime. The current accepted maximum lifetime for server
certificates is 398 days. Most browsers and other software will no longer accept new server certificates with longer
lifetimes.
Note: Another special case is server certificates obtained using ACME from Let’s Encrypt. These only have a
lifetime of 90 days, but since they are automatically replaced well before they expire, there is little extra administrative
overhead once the initial setup is complete.
12.1.4 Distinguished Name
The entity to which a certificate authority or certificate belongs, also known as the Subject, is identified by the unique
components of the certificate. The primary component for this purpose is the Distinguished Name (DN). These are
typically filled in with an organization’s information, or in the case of an individual, personal information. This
information is mostly cosmetic, and used to verify the accuracy of the CA, and to distinguish one CA from another.
A DN is composed of several fields which contain information about the subject.
Only the Common Name is required, the other fields may be left blank.
Warning: A DN with less unique information has the potential to be misidentified later when comparing certificate subjects. Always fill in enough information to uniquely identify the subject.
Common Name A short name, such as a username or hostname. Do not use spaces or punctuation, other
than that which is typically found in a hostname.
Note: This name is not used directly for certificate validation on modern systems, which look at
Subject Alternative Name values instead.
Country Code The two letter ISO country code for the certificate subject location.
Note: The ISO country code is not the same as the hostname TLD code for a country.
State or Province The geographical state or province name for the certificate subject location. This value
should be spelled out, not using an abbreviation or code.
City The city for the certificate subject location.
Organization The name of the organization to which the subject belongs. For example, a company name,
government agency name, or similar.
Organizational Unit A division or department inside the organization, if any. For example, “IT Department” or “Accounting”.
Note: When creating a certificate, the GUI populates most of these fields with the values from the certificate authority
chosen for signing. The contents of the fields may be changed before performing the signing operation.
12.1.5 Subject Alternative Name
The Subject Alternative Name (SAN) list is only present on certificates. It contains information used to validate the
identity of the certificate. For example, when connecting to a device on the network, a system may compare the
hostname or IP address to which it connected with values in the certificate SAN list. This way, it can be sure it is
communicating with the intended host and not an impostor.
Note: The Common Name value from a certificate is automatically added to the SAN list internally, as its inclusion
is a requirement of current standards.
The following types of SAN entries can be added to a certificate:
FQDN or Hostname A fully qualified domain name (e.g. host.domain.tld) or a hostname (host).
In most cases this hostname would also exist in DNS. In the case of user certificates, this could also
be a username.
IP Address An IP address (e.g. x.x.x.x), typically an address found on a network device using this
certificate. Necessary for clients to properly validate the certificate when connecting by IP address
instead of by hostname.
URI A Uniform Resource Identifier for the certificate subject. In practice, only used as an alternate way
to determine the hostname when communicating with servers. It does not restrict certificate validity
to specific URIs on a server.
E-mail Address An e-mail address for the certificate subject.
12.1.6 Certificate Properties in Lists
When viewing the lists of CA and certificate entries, the properties of the entry are available in the Distinguished
Name column. The DN is printed there and additional detailed information is available from the icon.
Underneath that information, the GUI prints the start and end dates for the validity of the entry. The difference between
the start and end date is the Lifetime. When an entry is nearing expiration, the GUI highlights the end date in yellow.
When an entry is expired, it is red. The system also generates notifications for expiring certificates.
See also:
The certificate expiration warning threshold is 27 days by default, but can be customized. See Notifications for details.
12.2 Certificate Authority Management
Certificate Authority (CA) entries are managed from System > Cert Manager, on the CAs tab.
See also:
Renew or Reissue a CA or Certificate
12.2.1 Certificate Authority Settings
When creating a CA entry, the following options are available:
Trust Store Controls whether or not this CA is added to the certificate trust store on the firewall. When
added to the trust store, a CA will be considered valid for all certificate operations performed by the
operating system. If the firewall must contact a server using a certificate issued by a private CA,
this allows such certificates to be trusted by client programs such as LDAP authentication, SMTP
notifications, URL table connections, and many others.
Randomize Serial Controls whether or not the CA will randomize serial numbers when it signs certificates or if it will use a sequential serial number.
The current best practice is to randomize serial numbers so they are unpredictable. This also reduces
the chances of generating two certificates with the same serial number in circumstances where the
CA is moved between different hosts or signs certificates in multiple places.
Common Properties See Certificate Properties which covers the remaining fields on the page.
When importing or editing an existing CA entry, the following options are available:
Certificate Data The PEM-encoded certificate data for the CA.
Certificate data is typically contained in a file ending with .crt or .pem. It would be plain text,
and enclosed in a block such as:
-----BEGIN CERTIFICATE-----
[A bunch of random-looking base64-encoded data]
-----END CERTIFICATE-----
The format varies slightly for ECDSA certificates.
Certificate Private Key The PEM-encoded private key for the CA. If this is omitted, the CA cannot sign certificates or CRLs, but it can be used for other purposes. When empty, the CA is marked as “External”. The key can be filled in later to enable signing and to have the CA treated as “Internal”.
The key data is typically in a file ending in .key. It would be plain text data enclosed in a block
such as:
-----BEGIN RSA PRIVATE KEY-----
[A bunch of random-looking base64-encoded data]
-----END RSA PRIVATE KEY-----
The format varies slightly for ECDSA keys.
Next Certificate Serial The serial number of the next certificate, used when the CA is not set to randomize serial numbers.
It is essential that each certificate have a unique serial, or there will be problems later with certificate
revocation. If the next serial is unknown, attempt to estimate how many certificates have been made
from the CA, and then set the number high enough a collision would be unlikely.
12.2.2 Create a new Certificate Authority Entry
To create a new CA entry, start the process as follows:
• Navigate to System > Cert Manager, CAs tab
• Click Add to create a new CA
• Enter a Descriptive name for the CA
This is used as a label for this CA throughout the GUI.
• Select the Method that best suits how the CA will be generated
Create an Internal Certificate Authority Creates a new root CA. Fill in the settings as described
in Certificate Authority Settings.
Import an Existing Certificate Authority Imports a CA certificate created on another host, with or without a private key. This can be useful in two ways: One, for CAs made using another system, and two, for CAs made by others that must be trusted.
Fill in the settings as described in Certificate Authority Settings.
Note: If the CA has been signed by an intermediary and not directly by a root CA, then import
each entry in the chain separately, starting with the root CA.
Create an Intermediate Certificate Authority Creates a new intermediate CA, to be signed by another internal CA on this firewall.
Pick an existing internal CA for the Signing Certificate Authority and fill in the remaining
settings as described in Certificate Authority Settings.
If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct
the errors, and attempt to Save again.
12.2.3 Edit a Certificate Authority
To edit an existing CA:
• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click the icon at the end of its row
The edit screen presented by the GUI allows editing the fields as if the CA were being imported.
For information on the fields on this screen, see Certificate Authority Settings. In most cases the purpose of this screen
would be to add the CA to the trust store, correct the Serial of the CA if needed, or to add a key to an imported CA so
it can be used to create and sign certificates and CRLs.
12.2.4 Export a Certificate Authority
To export a CA:
• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click the icon at the end of its row to export the CA certificate.
The file will download with the descriptive name of the CA as the file name, with the extension .crt.
• Click the icon to export the private key for the CA if necessary
The file will download with the descriptive name of the CA as the file name, with the extension .key.
In most cases the private key for a CA would not be exported unless the CA is being moved to a new location or
a backup is being made. When using the CA for a VPN or most other purposes, only export the certificate for
the CA and do not export the key.
Warning: If the private key for a CA gets into the wrong hands, the other party could generate new
certificates that would be considered valid against the CA.
12.2.5 Remove a Certificate Authority
To remove a CA, first it must be removed from active use.
• Check areas that can use a CA, such as OpenVPN, IPsec, and packages.
Note: In most cases, the areas using a CA are noted in the In Use column of the CA list. This does not
necessarily include all areas, especially if the CA is used by a package.
• Remove entries utilizing the CA or select a different CA
• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click at the end of the row for the CA
• Click OK on the confirmation dialog
12.2.6 Renew a Certificate Authority
To renew a CA entry:
• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click at the end of the row for the CA
• Follow the rest of the renewal procedure as described in Renew or Reissue a CA or Certificate
12.3 Certificate Management
Certificates are managed from System > Cert Manager, on the Certificates tab.
When creating a certificate on any platform the process generally follows this flow:
• User creates a certificate signing request (CSR) and set of keys. The public key is a part of the CSR, but the
private key is separate.
• The user transmits only the CSR to the CA, not the private key which remains private to the user.
• The CA signs the CSR, which results in a certificate.
• The CA transmits the certificate to the user.
The user now has a certificate trusted by the CA, and the private key for the certificate.
The GUI handles most of this process automatically, but it also supports performing individual steps separately.
For example, when creating an internal certificate, there is no need to create and sign a CSR in separate steps, the GUI
automates that process and does them in one step. Aside from that, the GUI supports creating a CSR which can be
sent to a separate CA and it also supports signing CSRs.
12.3.1 Certificate Settings
When creating a certificate entry or working with a CSR, the following common options are available:
Common Properties See Certificate Properties which covers properties of most certificate entries.
Certificate Type Sets the intended purpose of this certificate. This influences which key usage properties
are set in the certificate and thus limits the ways in which the certificate can operate.
Warning: The certificate can only be used for purposes which match the selected type. Attempting to use it in other ways will produce errors and fail, or prevent the certificate from being shown for selection.
User Certificate Certificates for end users and clients. For example, IPsec and OpenVPN
client certificates.
Note: User type certificates include Extended Key Usage attributes indicating they may be used for client authentication. They also are marked with a constraint indicating that they are not a CA.
Server Certificate Certificates for servers, services, daemons, etc. For example, HTTPS
servers (GUI, Captive Portal, HAProxy, etc), IPsec IKEv2 mobile server, OpenVPN
servers, and for packages such as FreeRADIUS.
Note: Server type certificates include Extended Key Usage attributes indicating they may be used for server authentication as well as the OID 1.3.6.1.5.5.8.2.2 which is used by Microsoft to signify that a certificate may be used as an IKE intermediate. These are required for Windows 7 and later to trust the server certificate for use with certain types of VPNs. They also are marked with constraints indicating that they are not a CA, and they have nsCertType set to server.
Alternative Names Identifiers for this certificate, such as a hostname. See Subject Alternative Name for
details.
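The properties described under Certificate Properties (key type, digest, lifetime, SAN list, randomized serials) and the Server Certificate type above, as an added Go example that is not pfSense code: it builds a CA and a server certificate that follow that guidance and then audits a certificate against the same rules. The function names are this example's own, and the subject values, hostname and IP address are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example, not pfSense code. NewCA and NewServerCert build entries the way
// the page describes (random serial, SHA-256, SAN list, serverAuth EKU, CA:FALSE,
// <=398-day lifetime); AuditServerCert checks any certificate against that guidance.

const MaxServerLifetimeDays = 398

// RandomSerial: positive, below 2^159, so it is unpredictable and within RFC 5280's 20-octet limit.
func RandomSerial() (*big.Int, error) {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
	if err != nil {
		return nil, err
	}
	return s.SetBit(s, 0, 1), nil // force the low bit so the serial is never zero
}

// Issue generates a P-256 key, assigns a random serial, signs tmpl with the
// CA (self-signs when ca is nil) and returns the parsed certificate and key.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, tmpl *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = RandomSerial(); err != nil {
		return nil, nil, err
	}
	parent, signer := ca, caKey
	if ca == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA makes a self-signed root with the 3650-day lifetime the page calls
// acceptable for a CA. Go signs a P-256 key with ECDSA-SHA256 by default.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now().UTC()
	return Issue(nil, nil, &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}, Country: []string{"US"}},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, 3650),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	})
}

// NewServerCert issues a "Server Certificate" type entry: CN repeated in the SAN
// list, IP SANs for clients that connect by address, serverAuth only, CA:FALSE.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, ips []net.IP, days int) (*x509.Certificate, error) {
	now := time.Now().UTC()
	cert, _, err := Issue(ca, caKey, &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn, Organization: ca.Subject.Organization, Country: ca.Subject.Country},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, days),
		BasicConstraintsValid: true, // IsCA stays false, which encodes CA:FALSE
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{cn},
		IPAddresses:           ips,
	})
	return cert, err
}

// AuditServerCert lists every way cert departs from the page's guidance for server certificates.
func AuditServerCert(cert *x509.Certificate) (f []string) {
	if a := cert.SignatureAlgorithm; a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 || a == x509.MD5WithRSA {
		f = append(f, "weak signature digest: "+a.String())
	}
	if days := cert.NotAfter.Sub(cert.NotBefore).Hours() / 24; days > MaxServerLifetimeDays {
		f = append(f, fmt.Sprintf("lifetime of %.0f days exceeds %d", days, MaxServerLifetimeDays))
	}
	if len(cert.DNSNames)+len(cert.IPAddresses)+len(cert.URIs)+len(cert.EmailAddresses) == 0 {
		f = append(f, "no Subject Alternative Name; modern clients do not fall back to the CN")
	}
	for _, e := range cert.ExtKeyUsage {
		if e == x509.ExtKeyUsageServerAuth {
			return f // serverAuth present: nothing more to report
		}
	}
	return append(f, "missing serverAuth Extended Key Usage")
}
```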
When importing an existing certificate entry, the following options are available:
Certificate Data The PEM-encoded certificate data for the certificate.
Certificate data is typically contained in a file ending with .crt or .pem. It would be plain text,
and enclosed in a block such as:
-----BEGIN CERTIFICATE-----
[A bunch of random-looking base64-encoded data]
-----END CERTIFICATE-----
The format varies slightly for ECDSA certificates.
Private Key Data The PEM-encoded private key for the certificate.
The key data is typically in a file ending in .key. It would be plain text data enclosed in a block
such as:
-----BEGIN RSA PRIVATE KEY-----
[A bunch of random-looking base64-encoded data]
-----END RSA PRIVATE KEY-----
The format varies slightly for ECDSA keys.
12.3.2 Create a new Certificate
To create a new certificate, start the process as follows:
• Navigate to System > Cert Manager, Certificates tab
• Click Add to create a new certificate
• Enter a Descriptive name for the certificate
This is used as a label for this certificate throughout the GUI.
• Select the Method that best suits how the certificate will be generated
These options and further instructions are in the corresponding sections below:
– Create an Internal Certificate
– Import an Existing Certificate
– Create a Certificate Signing Request
– Sign a Certificate Signing Request
• Complete the steps for the chosen method
• Click Save to finish the import process
Create an Internal Certificate
The most common Method is Create an Internal Certificate. This will make a new certificate using one of the existing
certificate authorities.
• Select the Certificate Authority which will sign this certificate. Only a CA that has a private key present can
be in this list, as the private key is required in order for the CA to sign a certificate.
• Set the properties of the certificate as described in Certificate Settings.
• Click Save.
Import an Existing Certificate
To import an existing certificate from an external source, set Method to Import an Existing Certificate. This can be
useful for certificates made using another system or for certificates provided by a third party.
There are two ways to import a certificate, indicated by the Certificate Type option:
X.509 (PEM) Enter the Certificate data and Private key data, which are both required. See Certificate
Settings for details on populating the contents of the fields.
The most common error is not pasting in the right portion of the certificate or private key. Make sure
to include the entire block, including the beginning header and ending footer around the encoded
data.
PKCS #12 (PFX) This method reads the certificate data from a PKCS #12 file, commonly found with
a .p12 extension. If the .p12 file contains a CA, it is also imported along with the certificate,
provided it does not already exist locally.
PKCS #12 Certificate Click Browse to locate the .p12 file on the local client, it will be
uploaded and read when saving.
PKCS #12 Certificate Password Enter the password used to protect the contents of the
.p12 file
Intermediates When set, if the PKCS #12 file contains multiple CA entries in a chain,
this option will import all of them instead of only one.
Create a Certificate Signing Request
Choosing a Method of Certificate Signing Request creates a new request file that can be signed by a CA at a later time, including by a third party CA not present on the firewall. This is commonly used to obtain a certificate from a trusted root certificate authority.
The parameters for creating this certificate are identical to those for creating a certificate and are covered in Certificate
Settings.
Note: Though the GUI shows fields for Certificate Type and Alternative Names as described in Certificate Settings,
they are only suggestions for the CA. The signing CA may ignore these options and replace them with values of its
own.
Sign a Certificate Signing Request
Signing a certificate signing request (CSR) is a special process which uses an internal CA on the firewall to sign a CSR
and turn it into a full-fledged certificate.
The following options are available when signing a CSR:
CA to sign with The CA on the firewall which will sign this CSR. This must be an internal CA (private
key present).
CSR to sign This option chooses whether to sign a new CSR not present on the firewall or an existing
CSR on the firewall.
New CSR When chosen, the GUI presents fields in which the CSR data can be pasted.
CSR Data The PEM-encoded CSR data. CSR data is typically contained in a
file ending with .req or .pem. It would be plain text, and enclosed in a block
such as:
-----BEGIN CERTIFICATE REQUEST-----
[A bunch of random-looking base64-encoded data]
-----END CERTIFICATE REQUEST-----
Key Data The optional PEM-encoded private key for the certificate. This is not
required to sign a CSR, but may be useful, or even necessary, if the resulting
certificate will be used on the firewall. For example, a private key would be
required for a local service or as a user certificate used with a VPN export
package.
The key data is typically in a file ending in .key. It would be plain text data
enclosed in a block such as:
-----BEGIN RSA PRIVATE KEY-----
[A bunch of random-looking base64-encoded data]
-----END RSA PRIVATE KEY-----
Existing CSR The remaining items in the drop-down list are CSR entries which already
exist on the firewall. Choose one to sign.
Certificate Lifetime The lifetime of the new certificate. See Lifetime for details.
Digest Algorithm The digest algorithm for the new certificate. See Digest Algorithm for details.
When signing a CSR, the signing CA may also give new values for Certificate Type and Alternative Names as
described in Certificate Settings. The signing process in the GUI does not support automatically reading these values
from a CSR, so set them again here.
When complete, the result is a certificate entry in the list, which can then be used or exported.
12.3.3 Edit a Certificate
To edit an existing certificate:
• Navigate to System > Cert Manager, Certificates tab
• Locate the Certificate entry in the list
• Click the icon at the end of its row to reach the Edit page for the certificate.
The Edit page can modify some aspects of the certificate, such as:
• The Descriptive Name of the certificate.
• The Certificate Data, which may need to be replaced if the certificate was renewed by a CA off the firewall.
• The Private key data, which may need to be updated if the private key is regenerated (e.g. with a stronger key,
or a different key type)
The Edit page also contains options for exporting entries with a password. See Export Password-Protected Files for
details.
12.3.4 Export a Certificate
There are multiple methods to export certificates. The primary difference is whether or not the files will have password
protection. The certificate itself does not contain private information and thus does not require protection. The private
key and PKCS #12 format files do contain private information and thus can be exported in a protected manner.
Export Unprotected Files
• Navigate to System > Cert Manager, Certificates tab
• Locate the Certificate entry in the list
• Click the icon at the end of its row to export the certificate.
The file will download with the descriptive name of the certificate as the file name, with the extension .crt.
• Click the icon to export the private key for the certificate.
The file will download with the descriptive name of the certificate as the file name, with the extension .key.
• Click the icon to export a PKCS #12 file containing the CA, certificate, and private key together.
The file will download with the descriptive name of the certificate as the file name, with the extension .p12.
Export Password-Protected Files
The GUI can also export password-protected versions of the private key and PKCS #12 archives. This is more secure,
but some systems may not support using password-protected keys.
• Navigate to System > Cert Manager, Certificates tab
• Locate the Certificate entry in the list
• Click the icon at the end of its row to reach the Edit page for the certificate.
• Fill in the desired Export Password
• Click the Export Private Key button to export the private key for the certificate.
The password-protected file will download with the descriptive name of the certificate as the file name, with the
extension .key.
• Click the PKCS #12 button to export a PKCS #12 file containing the CA, certificate, and private key
together.
The password-protected file will download with the descriptive name of the certificate as the file name, with the
extension .p12.
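The CSR signing procedure from Sign a Certificate Signing Request and the password-protected PKCS #12 export above, carried out with openssl on the command line rather than through the GUI. This is an added example, not code from the pfSense project: the internal CA, the names vpn.example.internal and requested.example, the export password and the temporary working directory are all constructed for the demonstration. It also shows the point made in the note under Sign a Certificate Signing Request: the Alternative Name the requester placed in the CSR is ignored, and the value the signing CA supplies is what ends up in the certificate.

```shell
#!/bin/sh
# Added example (not pfSense project code): sign a third-party CSR with a
# private CA and export the result as a password-protected PKCS#12 archive,
# using openssl directly instead of the pfSense GUI. The CA, names, password
# and working directory are all constructed for this demonstration.
set -eu

# An internal CA: certificate plus private key, which is what signing needs.
# A minimal req config keeps the demo independent of the system openssl.cnf.
make_demo_ca() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/ca.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Internal CA" -keyout "$dir/ca.key" -out "$dir/ca.req" 2>/dev/null
    openssl x509 -req -in "$dir/ca.req" -signkey "$dir/ca.key" -days 365 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# A CSR as a requester would produce it: the private key stays with the
# requester, and the requester asks for a subjectAltName of its own choosing.
make_csr() {
    dir=$1; cn=$2; requested_san=$3
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -addext "subjectAltName=$requested_san" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.req" 2>/dev/null
}

# Sign the CSR. The CA decides the final extensions: "openssl x509 -req" does
# not copy requested extensions, so the SAN and usage given here are what the
# certificate ends up with, matching the note in the documentation.
sign_csr() {
    dir=$1; cn=$2; san=$3; days=$4
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$san" > "$dir/$cn.ext"
    openssl x509 -req -in "$dir/$cn.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/$cn.ext" \
        -out "$dir/$cn.crt" 2>/dev/null
}

# The subjectAltName actually present in a signed certificate.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Returns 0 if the certificate chains to the CA.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# PKCS#12 export of certificate, private key and CA, protected by a password.
export_p12() {
    dir=$1; cn=$2; password=$3
    openssl pkcs12 -export -in "$dir/$cn.crt" -inkey "$dir/$cn.key" \
        -certfile "$dir/ca.crt" -name "$cn" -passout "pass:$password" \
        -out "$dir/$cn.p12" 2>/dev/null
}

# Returns 0 only if the archive's integrity check passes with this password.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

DEMO=$(mktemp -d)
make_demo_ca "$DEMO"
make_csr "$DEMO" vpn.example.internal "DNS:requested.example"
sign_csr "$DEMO" vpn.example.internal "DNS:vpn.example.internal" 365
echo "SAN in the signed certificate: $(cert_san "$DEMO/vpn.example.internal.crt")"
export_p12 "$DEMO" vpn.example.internal "export-password"
if p12_opens_with "$DEMO/vpn.example.internal.p12" "export-password"; then
    echo "PKCS#12 archive opens with the export password"
fi
```

The certificate file on its own carries no secret and can be handed out freely; the .key and .p12 outputs contain the private key, which is why the GUI offers the password-protected variants for those two.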
12.3.5 Export a Certificate Signing Request
• Navigate to System > Cert Manager, Certificates tab
• Locate the CSR entry in the list
• Click the icon at the end of its row to export the CSR.
The file will download with the descriptive name of the CSR as the file name, with the extension .req.
12.3.6 Remove a Certificate
To remove a certificate, first it must be removed from active use.
• Check areas that can use a certificate, such as the WebGUI options, OpenVPN, IPsec, and packages
Note: In most cases, the areas using a certificate are noted in the In Use column of the certificate list. This
does not necessarily include all areas, especially if the certificate is used by a package.
• Remove entries using the certificate, or choose another certificate
• Navigate to System > Cert Manager on the Certificates tab
• Locate the certificate to delete in the list
• Click at the end of the row for the certificate
• Click OK on the confirmation dialog
12.3.7 Renew a Certificate
To renew a certificate entry:
• Navigate to System > Cert Manager, Certificates tab
• Locate the certificate entry in the list
• Click at the end of the row for the certificate
• Follow the rest of the renewal procedure as described in Renew or Reissue a CA or Certificate
12.3.8 User Certificates
If a VPN is being used that requires user certificates, they may be created in one of several ways. The exact method
depends on where the authentication for the VPN is being performed and whether or not the certificate already exists.
No Authentication or External Authentication
If there is no user authentication, or if the user authentication is being performed on an external server (RADIUS,
LDAP, etc) then make a user certificate like any other certificate described earlier. Ensure that User Certificate is
selected for the Certificate Type and set the Common Name to match the username.
Local Authentication
If user authentication is being performed by this firewall, the user certificate can be made inside of the User Manager.
The User Manager can create a certificate while creating a user or it can add certificates to existing users. These
processes are documented at Manage Local Users.
12.4 Renew or Reissue a CA or Certificate
When a CA or certificate expires it must be replaced, renewed, or reissued. The GUI can Renew or Reissue a certificate
using a semi-automatic process. This process can retain the existing properties of the CA or certificate, but results in a
freshly signed copy. This process can also make changes to the lifetime, keys, and digest so they meet current security
best practices.
The new copy of this certificate must be distributed to the intended target as it was originally.
12.4.1 Certificate Properties
The Renew or Reissue page displays information about the entry, including:
Subject The subject of the certificate, containing its Distinguished Name (DN)
Serial The serial number of the certificate.
Subject Key ID Fingerprint of the certificate key.
Certificate Type Either User or Server, if known.
Issued By The CA which signed the certificate (Name and DN)
12.4.2 Renew or Reissue Options
There are two options available which control what happens when the certificate is renewed:
Reuse Key When set (default), the existing key on the certificate is retained. When unset, a fresh key
will be created when the certificate is reissued.
Reuse Serial Set this option to retain the existing serial number when reissuing. Uncheck to generate a
new serial.
Retaining the serial when renewing a CA allows existing certificates to remain valid, though some
clients may not respect the new CA if the serial does not change.
Similarly, certificates should have a new serial every time they are renewed or some peers will reject
them.
The exact behavior depends on the service and clients, but generally speaking it is safe to reuse
the serial on a CA but not safe to reuse the serial on a server or user certificate. For example,
OpenVPN is OK with reusing the serial number on a CA when renewing, while web browsers will
reject changing a server certificate, even self-signed, if the serial does not change when the contents
of the certificate change.
Strict Security When set, upgrades the security of the certificate to meet current standards.
The Renew or Reissue page performs a security analysis on the certificate, comparing its current
values for Lifetime, Digest, and RSA Key size with current best security practices. This analysis is
printed at the bottom of the page. If any of the values are weak, the Would Change column in the
analysis indicates Yes.
12.4.3 Renew or Reissue Example
To start the renewal process, first locate the CA or certificate to renew:
• Navigate to System > Cert Manager
• Navigate to the CAs tab for CA entries, or the Certificates tab for certificates
• Locate the entry to renew in the list
• Click at the end of the row for the certificate to load the Renew or Reissue page for the certificate
Note: The icon only appears for entries which have been signed by an internal CA on the firewall.
• Review the contents of the page
• Set the Renew or Reissue Options as desired
• Click Renew/Reissue
• Click OK to confirm the action
When the process completes, the certificate entry is updated in the configuration.
Note: If the certificate is in use by a service on the firewall, the associated service(s) are restarted automatically.
For user certificates, the updated certificate must be exported and transmitted to the user. If a new key was generated
by the renewal process, it must also be transmitted to the user.
12.5 Certificate Revocation List Management
Certificate Revocation Lists (CRLs) are a part of the X.509 system that publish lists of certificates that must no longer
be trusted. These certificates may have been compromised or otherwise need to be invalidated. An application using
a CA, such as OpenVPN may optionally use a CRL so it can verify connecting client certificates. A CRL is generated
and signed against a CA using its private key, so in order to create or add certificates to a CRL in the GUI, the private
key of the CA must be present. If the CA is managed externally and the private key for the CA is not on the firewall, a
CRL may still be generated outside of the firewall and imported.
The traditional way to use a CRL is to only have one CRL per CA and only add invalid certificates to that CRL. The
GUI, however, supports multiple CRLs for a single CA. In OpenVPN, different CRLs may be chosen for separate
VPN instances. This could be used, for example, to prevent a specific certificate from connecting to one instance
while allowing it to connect to another. For IPsec, all CRLs are consulted and there is no selection as currently exists
with OpenVPN.
Certificate Revocation Lists are managed from System > Cert Manager, on the Certificate Revocation tab.
From this screen CRL entries can be added, edited, exported, or deleted. The list shows all existing CRLs and an option
to add a new CRL from a given CA. The screen also indicates whether the CRL is internal or external (imported), and
it shows a count of how many certificates have been revoked on each CRL, and indicates if the CRL is in use.
12.5.1 Create a new Certificate Revocation List
To create a new CRL:
• Navigate to System > Cert Manager, on the Certificate Revocation tab
• Select a CA from the drop-down menu under the Create or Import a New Certificate Revocation List
• Click Add at the end of the row to create a new CRL
• Set the Method to Create an Internal Certificate Revocation List
• Enter a Descriptive Name for the CRL
This is used to identify this CRL in lists around the GUI. It’s usually best to include a reference to the name of
the CA and/or the purpose of the CRL.
• Enter the Lifetime value as a number of days for which the CRL should be valid
The default value is 730 days (2 years).
Note: In practice, this limit would almost never be reached as the CRL is regenerated any time the CRL is
edited or when a service which utilizes a CRL is reconfigured.
Note: The system attempts to prevent using too large a value for the lifetime to ensure the date doesn’t overflow.
On 32-bit platforms, the limit is before the UNIX time rollover in 2038. On other platforms, the limit is before
UTCTime 2-digit dates roll over in 2050. See Redmine #13424 for details. Systems reporting an expired CRL
can work around the error by making a new CRL with a lower lifetime or by applying a patch on that Redmine
issue.
• Click Save
The browser will return to the CRL list, and the new entry will be shown there.
12.5.2 Import an Existing Certificate Revocation List
To import a CRL from an external source:
• Navigate to System > Cert Manager, on the Certificate Revocation tab
• Select a CA from the drop-down menu under the Create or Import a New Certificate Revocation List
• Click Add at the end of the row to create a new CRL
• Set the Method to Import an Existing Certificate Revocation List
• Enter a Descriptive Name for the CRL
This is used to identify this CRL in lists around the GUI. It’s usually best to include a reference to the name of
the CA and/or the purpose of the CRL.
• Enter the CRL data
This is typically in a file ending in .crl. It would be plain text data enclosed in a block such as:
-----BEGIN X509 CRL-----
[A bunch of random-looking base64-encoded data]
-----END X509 CRL-----
• Click Save to finish the import process.
If an error appears, follow the on-screen instructions to correct the problem and then try again. The most common
error is not pasting in the right portion of the CRL data. Make sure to enter the entire block, including the beginning
header and ending footer around the encoded data.
Warning: New entries cannot be added to imported CRLs. To update an imported CRL, see Updating an Imported
Certificate Revocation List.
12.5.3 Export a Certificate Revocation List
• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to export in the list
• Click the icon
The file will download with the descriptive name of the CRL as the file name, and the extension .crl.
12.5.4 Delete a Certificate Revocation List
• Check areas that can use a CRL, such as OpenVPN
• Remove entries using the CRL, or choose another CRL instead
• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to delete in the list
• Click the icon at the end of the row for the CRL
• Click OK on the confirmation dialog
If an error appears, follow the on-screen instructions to correct the problem and then try again.
12.5.5 Revoke a Certificate
A CRL isn’t useful unless it contains revoked certificates. A certificate is revoked by adding the certificate to a CRL,
or by entering its serial number.
• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to edit in the list
• Click the icon at the end of the row for the CRL
The GUI lists any revoked certificates on the CRL, and a control to add new ones.
• Select a Reason from the drop-down list to indicate why the certificate is being revoked
This information doesn’t affect the validity of the certificate; it is merely informational in nature. This option
may be left at the default value.
• To revoke by certificate, select the certificate(s) from the Revoke Certificates list
Note: Multiple certificates can be revoked at once by selecting all of them in the list.
• To revoke by serial number, enter one or more certificate serial numbers separated by spaces in the Revoke by
Serial field
• Click Add and the certificate(s) will be added to the CRL
Note: Certificates can be revoked by selection and by serial at the same time.
After adding a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL
changes will be immediately active.
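The CRL lifecycle described in the introduction to this section and in Revoke a Certificate above (a CRL signed with the CA private key, a certificate revoked with a reason, and a consumer that consults the CRL rejecting only that certificate), as an added example built on openssl's own ca tool rather than the pfSense GUI; it is not project code. The CA, the user names alice and bob, the openssl ca configuration and every path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not pfSense project code): a private CA issues two client
# certificates, revokes one with a reason, publishes a CRL signed with the CA
# key, and a verifier that consults the CRL rejects only the revoked one.
# The CA, names, openssl ca configuration and paths are constructed here.
set -eu

# Minimal working directory for "openssl ca": index, serial and CRL number,
# plus a config that covers both CA operation and request generation.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
x509_extensions = client_cert
[ cn_only ]
commonName = supplied
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a user certificate; the CA database records it so it can be revoked.
issue_cert() {
    dir=$1; cn=$2
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -keyout "$dir/$cn.key" -out "$dir/$cn.req" 2>/dev/null
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -in "$dir/$cn.req" -out "$dir/$cn.crt" 2>/dev/null
}

# Mark a certificate revoked in the CA database, recording the reason.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" -crl_reason "$3" 2>/dev/null
}

# Generate the CRL from the database, signed with the CA private key.
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Number of revoked entries listed on a CRL.
crl_revoked_count() {
    openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# Returns 0 if the certificate is still accepted when the verifier checks the
# CRL; the CA certificate and the CRL are supplied together as trust input.
verify_with_crl() {
    cat "$1/ca.crt" "$1/ca.crl" > "$1/ca-with-crl.pem"
    openssl verify -crl_check -CAfile "$1/ca-with-crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
setup_ca "$DEMO"
issue_cert "$DEMO" alice
issue_cert "$DEMO" bob
revoke_cert "$DEMO" bob keyCompromise
gen_crl "$DEMO"
echo "revoked entries on CRL: $(crl_revoked_count "$DEMO/ca.crl")"
for user in alice bob; do
    if verify_with_crl "$DEMO" "$user"; then echo "$user: accepted"; else echo "$user: rejected"; fi
done
```

Without the CRL in the verifier's trust input, bob's certificate would still verify, which is the point made above: revocation only takes effect for applications that actually consult a CRL.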
12.5.6 Removing a Certificate from a CRL
Certificates can be removed from the CRL when editing a CRL:
• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to edit in the list
• Click the icon at the end of the row for the CRL
• Find the certificate in the list and click the icon to remove it from the CRL
• Click OK on the confirmation dialog
After removing a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL
changes will be immediately active.
12.5.7 Updating an Imported Certificate Revocation List
To update an imported CRL:
• Navigate to System > Cert Manager on the Certificate Revocation tab.
• Locate the CRL to edit in the list
• Click the icon at the end of the row for the CRL
• Enter a new copy of the CRL Data
• Click Save
After updating the imported CRL, it will be re-written if it is currently in use by any VPN instances so that the CRL
changes will be immediately active.
12.6 DH Parameters
To put it simply, the DH parameters are the public group values (a large prime and a generator) used during the key
exchange process. They do not have to match on both sides of the tunnel, and new DH parameters can be made at any
time. DH parameters are not specific to a given setup in the way that certificates or keys are. There is no need to
import an existing set of DH parameters because generating new parameters is a better practice.
pfSense® software ships with a default set of DH parameter files so that new firewalls do not have to spend
significant CPU resources to build them when they are needed. These pre-generated parameters are stored in
/etc/dh-parameters. Selecting a specific length in the GUI will use the DH parameter set from the corresponding file.
These DH parameters are not stored in config.xml.
To generate a new set of DH parameters, which can take quite a long time depending on the hardware in use, run the
following commands:
/usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024
/usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048
/usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096
CPU time used to generate the parameters increases significantly with length. For example, generating 1024-bit DH
parameters only takes about 7 seconds on a C2758 CPU, but generating 2048-bit parameters takes 4 minutes, and
generating 4096-bit parameters takes 10 minutes.
The GUI allows longer DH parameters to be selected if they exist in /etc/ in the format specified above.
Supported lengths are: 1024, 2048, 3072, 4096, 7680, 8192, 15360, and 16384.
For example, to generate a new set of DH parameters of length 8192, run:
/usr/bin/openssl dhparam -out /etc/dh-parameters.8192 8192
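An added example (not from the pfSense project) wrapping the commands above: it writes a dh-parameters.<bits> file with the same naming as /etc/dh-parameters.*, refuses lengths the GUI would not offer, and runs openssl's own parameter check on the result before it is put to use. The target directory is a temporary one created by the script and DH_DEMO_BITS is a variable invented for the demo; on a firewall the output would go to /etc/ and the length would be 2048 or larger.

```shell
#!/bin/sh
# Added example (not pfSense project code): generate a DH parameter file using
# the same naming scheme as /etc/dh-parameters.<bits>, validate the length
# against the lengths the GUI offers, and check the result with openssl. The
# target directory is a parameter so the demo runs in a temporary directory.
set -eu

# Lengths the GUI can select, as listed in the documentation.
SUPPORTED_DH_LENGTHS="1024 2048 3072 4096 7680 8192 15360 16384"

# Returns 0 if the requested length is one the GUI can select.
dh_length_supported() {
    for n in $SUPPORTED_DH_LENGTHS; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# Bit length recorded in an existing parameter file ("DH Parameters: (N bit)").
dh_param_file_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Generate <dir>/dh-parameters.<bits>, refusing unsupported lengths, then run
# openssl's primality/generator check and confirm the recorded length.
generate_dh_params() {
    dir=$1; bits=$2
    dh_length_supported "$bits" || { echo "unsupported DH length: $bits" >&2; return 1; }
    out="$dir/dh-parameters.$bits"
    openssl dhparam -out "$out" "$bits" 2>/dev/null
    openssl dhparam -in "$out" -check -noout >/dev/null 2>&1 \
        || { echo "generated parameters failed check: $out" >&2; return 1; }
    [ "$(dh_param_file_bits "$out")" = "$bits" ]
}

DEMO_DIR=$(mktemp -d)
# DH_DEMO_BITS is a demo-only knob; 1024 keeps the run short. Use 2048 or more
# for a real firewall, accepting the generation time described above.
DEMO_BITS=${DH_DEMO_BITS:-1024}
generate_dh_params "$DEMO_DIR" "$DEMO_BITS"
echo "wrote $DEMO_DIR/dh-parameters.$DEMO_BITS ($(dh_param_file_bits "$DEMO_DIR/dh-parameters.$DEMO_BITS") bit)"
```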
The Certificate Manager under System > Cert Manager creates and maintains certificate authority (CA), certificate,
and certificate revocation list (CRL) entries for use by the firewall.
Entries in the Certificate Manager are used by the firewall for purposes such as TLS for the GUI, VPNs, LDAP, various
packages, and more.
12.7 Basic Introduction to X.509 Public Key Infrastructure
One authentication option for VPNs is to use X.509. An in depth discussion of X.509 and Public Key Infrastructure
(PKI) is outside the scope of this documentation, and is the topic of a number of entire books for those interested in
details. This chapter provides a basic understanding necessary for creating and managing certificates.
With PKI, a CA is the source of trust and is the first entity of a PKI structure. This CA then signs all of the individual
certificates in a set. The certificate of the CA is used on VPN servers and clients to verify the authenticity of server and
client certificates. The certificate for the CA can be used to verify signing on certificates, but not to sign certificates.
Signing certificates requires the private key for the CA. The secrecy of the CA private key is what ensures the security
of a PKI. Anyone with access to the CA private key can generate certificates to be used on a PKI, hence it must be
kept secure. This key is never distributed to clients or servers.
Warning: Never copy more files to clients than are needed, as this may compromise the security of the PKI
structure.
A certificate is considered valid if it has been trusted by a given CA. In the case of a VPN, this means that a certificate
made from a specific CA would be considered valid for any VPN using that CA. For that reason the best practice is
to create a unique CA for each VPN that has a different level of security. For instance, if there are two mobile access
VPNs with the same security access, using the same CA for those VPNs is OK. However if one VPN is for users and
another VPN is for remote management, each with different restrictions, then it is best for each VPN to have a unique
CA.
Certificate revocation lists (CRLs) are lists of certificates that have been compromised or otherwise invalidated.
Revoking a certificate will cause it to be considered untrusted so long as the application using the CA also uses a CRL.
CRLs are generated and signed against a CA using its private key, so in order to create or add certificates to a CRL in
the GUI the private key for a CA must be present.
CHAPTER
THIRTEEN
FIREWALL
One of the primary functions performed by pfSense® software is filtering traffic, deciding which traffic to pass or
block between networks. This section covers fundamentals of firewalling, best practices, and required information
necessary to configure firewall rules.
13.1 Managing Firewall Rules
Firewall rules control traffic passing through the firewall. These topics describe how to create and manage rules, plus
settings related to rules.
13.1.1 Firewalling Fundamentals
This section deals primarily with introductory firewall concepts and lays the groundwork for understanding how to
configure firewall rules using pfSense® software.
Basic Terminology
Rule and ruleset are two terms used throughout this chapter:
Rule Refers to a single entry on the Firewall > Rules screen. A rule instructs the firewall how to match
or handle network traffic.
Ruleset Refers to a group of rules collectively. Either all firewall rules as a whole, or a set of rules in a
specific context such as the rules on an interface tab. The complete firewall ruleset is the sum of all
user configured and automatically added rules, which are covered further throughout this section.
Rulesets on the Interface tabs are evaluated on a first match basis. This means that reading the ruleset for an interface
from top to bottom, the first rule that matches will be the one used by the firewall. Evaluation stops after reaching this
match and then the firewall takes the action specified by that rule. Always keep this in mind when creating new rules,
especially when crafting rules to restrict traffic. The most permissive rules should be toward the bottom of the list, so
that restrictions or exceptions can be made above them.
Note: The Floating tab is the lone exception to this rule processing logic. See Floating Rules for details.
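A small first-match evaluator as an added example (not pfSense or pf code): it reads a constructed ruleset top to bottom, stops at the first rule whose fields match, and falls back to the default deny when nothing matches. The two rulesets differ only in order, which is enough to make the exception rule either effective or unreachable. Fields match literally, by CIDR prefix for addresses, or via the wildcard any; this models the ordering logic described above, not pf's full matching.

```shell
#!/bin/sh
# Added example (not pfSense or pf code): a first-match evaluator over a
# constructed ruleset, to show why exceptions must sit above permissive rules.
# Rule format, one per line: action proto src dst dport  ("any" is a wildcard,
# addresses may be given as CIDR). Unmatched traffic hits the default deny.
set -eu

# Print the action of the first matching rule, or the default deny.
first_match() {
    ruleset=$1; proto=$2; src=$3; dst=$4; dport=$5
    printf '%s\n' "$ruleset" | awk -v proto="$proto" -v src="$src" -v dst="$dst" -v dport="$dport" '
        function ip2n(ip,  a) { split(ip, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
        # Address fields: wildcard, exact address, or CIDR prefix comparison.
        function addr_ok(field, value,  parts, shift) {
            if (field == "any" || field == value) return 1
            if (split(field, parts, "/") != 2) return 0
            shift = 2 ^ (32 - parts[2])
            return int(ip2n(value) / shift) == int(ip2n(parts[1]) / shift)
        }
        function ok(field, value) { return field == "any" || field == value }
        /^[ \t]*(#|$)/ { next }                       # blank lines and comments
        { n++ }                                       # rule number as seen in the list
        ok($2, proto) && addr_ok($3, src) && addr_ok($4, dst) && ok($5, dport) {
            print $1 " (rule " n ")"; found = 1; exit # first match wins, evaluation stops
        }
        END { if (!found) print "block (default deny)" }'
}

# Exception first, permissive rule last: the block is reachable.
GOOD_LAN_RULES='
block tcp 10.0.1.50  any 22
pass  any 10.0.1.0/24 any any
'

# Same two rules, permissive rule first: nothing below it is ever evaluated.
BAD_LAN_RULES='
pass  any 10.0.1.0/24 any any
block tcp 10.0.1.50  any 22
'

echo "good order, ssh from 10.0.1.50:   $(first_match "$GOOD_LAN_RULES" tcp 10.0.1.50 203.0.113.10 22)"
echo "bad order,  ssh from 10.0.1.50:   $(first_match "$BAD_LAN_RULES"  tcp 10.0.1.50 203.0.113.10 22)"
echo "good order, https from 10.0.1.51: $(first_match "$GOOD_LAN_RULES" tcp 10.0.1.51 203.0.113.10 443)"
echo "good order, host outside LAN:     $(first_match "$GOOD_LAN_RULES" tcp 192.168.9.9 203.0.113.10 443)"
```

Reading the output against the ruleset is the same check to make on a real interface tab: any rule that sits below a broader pass rule covering the same traffic will never be evaluated.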
Stateful Filtering
pfSense software is a stateful firewall, which means it remembers information about connections flowing through
the firewall so that it can automatically allow reply traffic. This data is retained in the State Table. The connection
information in the state table includes the source, destination, protocol, ports, and more: Enough to uniquely identify
a specific connection.
Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection
matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed
back through the firewall by matching it against the state table rather than having to check it against rules in both
directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be
provided in response to a TCP, UDP, or other connection.
See also:
See Firewall Advanced and State Type for more information about state options and types.
State table size
The firewall state table has a maximum size to prevent memory exhaustion. Each state takes approximately 1 KB of
RAM. By default, the state table size in pfSense is calculated as about 10% of the RAM available in the firewall.
On a firewall with 1GB of RAM, the default state table size can hold approximately 100,000 entries.
See also:
See Large State Tables for more information on state table sizing and RAM usage.
Each user connection typically consists of two states: One created as it enters the firewall, and one as it leaves the
firewall. Therefore, with a state table size of 1,000,000, the firewall can handle approximately 500,000 user sessions
actively traversing the firewall before any additional connections will be dropped. This limit can be increased as
needed so long as it does not exceed the available amount of RAM in the firewall.
To increase the state table size:
• Navigate to System > Advanced on the Firewall & NAT tab
• Enter the desired number for Firewall Maximum States, or leave the box blank for the default calculated value.
See Figure Increased State Table Size to 2,000,000
• Click Save
Fig. 1: Increased State Table Size to 2,000,000
Historical state table usage is tracked by the firewall. To view the graph:
• Navigate to Status > Monitoring
• Click to expand the graph options
• Set Category for the Left Axis to System
• Set the Graph for the Left Axis to States
• Click Update Graphs
Block vs. Reject
There are two ways to disallow traffic using firewall rules on pfSense: Block and reject.
A rule set to block will silently drop traffic. A blocked client will not receive any response and thus will wait until its
connection attempt times out. This is the behavior of the default deny rule in pfSense software.
A rule set to reject will respond back to the client for denied TCP and UDP traffic, letting the sender know that
the connection was refused. Rejected TCP traffic receives a TCP RST (reset) in response, and rejected UDP traffic
receives an ICMP unreachable message in response. Though reject is a valid choice for any firewall rule, IP protocols
other than TCP and UDP are not capable of being rejected; these rules will silently drop other IP protocols because
there is no standard for rejecting other protocols.
Deciding Between Block and Reject
There has been much debate amongst security professionals over the years as to the value of block vs. reject. Some
argue that using block makes more sense, claiming it “slows down” attackers scanning the Internet. When a rule is set
to reject, a response is sent back immediately that the port is closed, while block silently drops the traffic, causing the
attacker’s port scanner to wait for a response. That argument does not hold water because every good port scanner can
scan hundreds or thousands of hosts simultaneously, and the scanner is not stalled waiting for a response from closed
ports. There is a minimal difference in resource consumption and scanning speed, but so slight that it shouldn’t be a
consideration.
If the firewall blocks all traffic from the Internet, there is a notable difference between block and reject: Nobody knows
the firewall is online. If even a single port is open, the value of that ability is minimal because the attacker can easily
determine that the host is online and will also know what ports are open whether or not the blocked connections have
been rejected by the firewall. While there isn’t significant value in block over reject, the best practice is to use block on
WAN rules. There is some value in not actively handing information to potential attackers, and it is also a bad practice
to automatically respond to an external request unnecessarily.
For rules on internal interfaces the best practice is to use reject in most situations. When a host tries to access a
resource that is not permitted by firewall rules, the application accessing it may hang until the connection times out or
the client program stops trying to access the service. With reject the connection is immediately refused and the client
avoids these hangs. This is usually nothing more than an annoyance, but it is still a good idea to use reject to avoid
potential application problems induced by silently dropping traffic inside a network.
13.1.2 Introduction to the Firewall Rules screen
This section provides an introduction and overview of the Firewall Rules screen located at Firewall > Rules. This
page lists the WAN ruleset to start with, which by default has no entries other than those for Block private networks
and Block bogon networks if those options are active on the WAN interface, as shown in Figure Default WAN Rules.
Tip: Click the icon to the right of the Block private networks or Block bogon networks rules to reach the WAN
interface configuration page where these options can be enabled or disabled. See Block Private Networks and Block
Bogon Networks for more details.
Click the LAN tab to view the LAN rules. By default, the only entries are the Default allow LAN to any rules for
IPv4 and IPv6 as seen in Figure Default LAN Rules, and the Anti-Lockout Rule if it is active. The anti-lockout rule is
Fig. 2: Default WAN Rules
designed to prevent administrators from accidentally locking themselves out of firewall management services. Click
next to the anti-lockout rule to reach the page where this rule can be disabled.
See also:
For more information on how the Anti-Lockout Rule works and how to disable the rule, see Anti-lockout Rule and
Anti-lockout.
Fig. 3: Default LAN Rules
To display rules for other interfaces, click their respective tabs. OPT interfaces will appear with their descriptive
names, so if the OPT1 interface was renamed DMZ, then the tab for its rules will also say DMZ.
To the left of each rule is a set of indicator icons, including:
• The action of the rule: pass, block, or reject.
• Logging status: If logging is enabled for the rule, a logging icon is present.
• Advanced options: If the rule has any advanced options enabled, an icon is present.
Hovering the mouse cursor over any of these icons will display text explaining their meaning. The same icons are
shown for disabled rules, except the icon and the rule are a lighter shade of their original color.
Adding a firewall rule
To add a rule to the top of the list, click Add.
To add a rule to the bottom of the list, click Add.
Editing Firewall Rules
To edit a firewall rule, click to the right of the rule, or double click anywhere on the line.
The edit page for that rule will load, and from there adjustments are possible. See Configuring firewall rules for more
information on the options available when editing a rule.
Reordering Firewall Rules
The order of the rules on an interface can be changed in two different ways: Drag-and-drop or select-and-click.
To reorder rules using the drag-and-drop method:
• Move the mouse over the firewall rule to move; the cursor will change to indicate movement is possible.
• Click and hold the mouse button down
• Drag the mouse to the desired location for the rule
• Release the mouse button
• Click Save to store the new rule order
Warning: Attempting to navigate away from the page after moving a rule, but before saving the order, will result
in the browser presenting an error confirming whether or not to exit the page. If the browser navigates away from
the page without saving, the rule will still be in its original location.
To move rules in the list in groups or by selecting them first, use the select-and-click method:
• Select the rules to move
Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.
• Click on the row below where the rule should be moved.
Tip: Hold Shift while clicking to move the selected rules below the clicked rule instead of above it.
When moving rules using the select-and-click method, the new order is stored automatically.
Copying Firewall Rules
To make a new rule that is similar to an existing rule, click the copy icon to the right of the existing rule. The edit screen
will appear with the existing rule’s settings pre-filled, ready to be adjusted. When duplicating an existing rule, the new
rule will be added directly below the original rule. For more information about how to configure the new rule, see
Configuring firewall rules.
To copy multiple rules:
• Select the rules to copy
Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.
• Click the Copy button below the rule list
The firewall will open a new modal dialog with options to set before copying.
• Select the Destination Interface
• Select Convert interface definitions to automatically adjust the source of the rule to match the target interface,
if necessary
• Click Paste to complete the operation
Warning: When copying rules to different interfaces, they may fall at the start or the end of the target interface
rule list depending on the order of the interface rules in the configuration. Be prepared to reorder the rules on the
target interface before applying changes.
Deleting Firewall Rules
To delete a single rule, click the delete icon to the right of the rule. The firewall will present a confirmation prompt before
deleting the rule.
To delete multiple rules:
• Select the rows to remove
Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.
• Click the Delete button below the rule list
• Confirm the action
Checking Rule Usage
The States column contains usage counters for each rule. It shows the number of active states created by a rule and
the amount of traffic consumed by those states.
Hovering the mouse over these counters shows additional detailed statistics.
Note: Though the firewall makes an effort to maintain these statistics, the values can reset over time depending on
firewall ruleset reloads and other similar actions.
Clicking the value in this column will display a list of states created by the rule.
Clearing States Created by a Rule
Click the icon to the right of a rule and then confirm the action to clear all active states created by that rule.
Note: This only affects states on this interface created by this rule directly. It does not clear states on other interfaces
where traffic may have exited the firewall.
Disabling and Enabling Firewall Rules
To disable a rule, click the disable icon at the end of its row. The appearance of the rule will change to a lighter shade to
indicate that it is disabled and the icon changes to the enable icon.
To enable a rule which was previously disabled, click the enable icon at the end of its row. The appearance of the rule will
return to normal and the enable/disable icon will return to the original.
A rule may also be disabled or enabled by editing the rule and toggling the Disabled checkbox.
To disable or enable multiple rules at once:
• Select the rules to disable
Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.
• Click the Toggle button below the rule list
Rule Separators
Firewall Rule Separators are colored bars in the ruleset that contain a small bit of text, but do not take any action on
traffic. They are useful for visually separating or adding notes to special parts of the ruleset. Figure Firewall Rule
Separators Example shows how they can be utilized to group and document the ruleset.
Fig. 4: Firewall Rule Separators Example
To create a new Rule Separator:
• Open the firewall rule tab where the Rule Separator will reside
• Click Separator
• Enter description text for the Rule Separator
• Choose the color for the Rule Separator by clicking the icon of the desired color
• Click and drag the Rule Separator to its new location
• Click Save inside the Rule Separator to store its contents
• Click Save at the bottom of the rule list
To move a Rule Separator:
• Open the firewall rule tab containing the Rule Separator
• Click and drag the Rule Separator to its new location
• Click Save at the bottom of the rule list
To delete a Rule Separator:
• Open the firewall rule tab containing the Rule Separator
• Click the delete icon inside the Rule Separator on the right side
• Click Save at the bottom of the rule list
Rule Separators cannot be edited. If a change in text or color is required, create a new Rule Separator and delete the
existing entry.
Tracking Firewall Rule Changes
When a rule is created or updated the firewall records the user’s login name, IP address, and a timestamp on the rule
to track who added and/or last changed the rule in question. If the firewall automatically created the rule, that is also
noted. This is done for firewall rules as well as port forwards and outbound NAT rules. An example of a rule update
tracking block is shown in Figure Firewall Rule Time Stamps, which is visible when editing a firewall rule at the very
bottom of the rule editing screen.
Fig. 5: Firewall Rule Time Stamps
13.1.3 Ingress Filtering
Ingress filtering refers to the concept of firewalling traffic entering a network from an external source such as the
Internet. In deployments with multi-WAN, the firewall has multiple ingress points. The default ingress policy on
pfSense® software is to block all traffic as there are no allow rules on WAN in the default ruleset. Replies to traffic
initiated from inside the local network are automatically allowed to return through the firewall by the state table.
13.1.4 Egress Filtering
Egress filtering refers to the concept of firewalling traffic initiated inside the local network, destined for a remote
network such as the Internet. pfSense, like nearly all similar commercial and open source solutions, comes with a LAN
rule allowing everything from the LAN out to the Internet. This isn’t the best way to operate, however. It has become
the de facto default in most firewall solutions because it is what most people expect. The common misperception is
“Anything on the internal network is ‘trustworthy’, so why bother filtering?”
Why employ egress filtering?
From our experience in working with countless firewalls from numerous vendors across many different organizations,
most small companies and home networks do not employ egress filtering. It can increase the administrative burden as
each new application or service may require opening additional ports or protocols in the firewall. In some environments
it is difficult because the administrators do not completely know what is happening on the network, and they are
hesitant to break things. In other environments it is impossible for reasons of workplace politics. The best practice
is for administrators to configure the firewall to allow only the minimum required traffic to leave a network where
possible. Tight egress filtering is important for several reasons:
Limit the Impact of a Compromised System
Egress filtering limits the impact of a compromised system. Malware commonly uses ports and protocols that are
not required on most business networks. Some bots rely on IRC connections to phone home and receive instructions.
Some will use more common ports such as TCP port 80 (normally HTTP) to evade egress filtering, but many do not.
If access to TCP port 6667, the usual IRC port, is not permitted by the firewall, bots that rely on IRC to function may
be crippled by the filtering.
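The following Python script is an added example, not part of the pfSense documentation or code base. It parses a constructed config.xml excerpt (the element names are assumed to follow the pfSense <filter><rule> layout) and reports, per rule, the change-tracking stamps described under Tracking Firewall Rule Changes together with egress-policy findings: an allow-all pass rule, a block rule that does not log, and rules that can never match because an allow-all sits above them, which is why rule order matters.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed excerpt modelled on the <filter><rule> layout of a pfSense
# config.xml backup (assumed layout, not a real export). Rules 2 and 3 sit
# below an allow-all pass rule on the same interface, so neither ever matches.
SAMPLE_CONFIG = """\
<pfsense><filter>
  <rule>
    <tracker>100000101</tracker><type>pass</type><interface>lan</interface>
    <ipprotocol>inet</ipprotocol><descr>Default allow LAN to any rule</descr>
    <source><network>lan</network></source><destination><any/></destination>
    <created><time>1675200000</time><username>admin@192.0.2.10 (Local Database)</username></created>
    <updated><time>1675300000</time><username>bob@192.0.2.11 (Local Database)</username></updated>
  </rule>
  <rule>
    <tracker>100000102</tracker><type>pass</type><interface>lan</interface>
    <ipprotocol>inet</ipprotocol><protocol>tcp</protocol><descr>LAN web browsing</descr>
    <source><network>lan</network></source><destination><any/><port>443</port></destination>
    <created><time>1675300100</time><username>bob@192.0.2.11 (Local Database)</username></created>
  </rule>
  <rule>
    <tracker>100000103</tracker><type>block</type><interface>lan</interface>
    <ipprotocol>inet</ipprotocol><protocol>tcp</protocol><descr></descr>
    <source><network>lan</network></source><destination><any/><port>6667</port></destination>
    <created><time>1675300200</time><username>bob@192.0.2.11 (Local Database)</username></created>
  </rule>
</filter></pfsense>
"""


def _endpoint(elem):
    """Render a <source>/<destination> element as 'host' or 'host:port'."""
    if elem is None or elem.find("any") is not None:
        host = "any"
    elif elem.find("network") is not None:
        host = elem.findtext("network")
    else:
        host = elem.findtext("address", "any")
    port = elem.findtext("port") if elem is not None else None
    return f"{host}:{port}" if port else host


def _stamp(elem):
    """Render a <created>/<updated> block as 'user@ip (source) at <UTC time>'."""
    if elem is None:
        return None
    when = datetime.fromtimestamp(int(elem.findtext("time", "0")), tz=timezone.utc)
    return f"{elem.findtext('username', '?')} at {when.strftime('%Y-%m-%dT%H:%M:%SZ')}"


def parse_rules(xml_text):
    """Flatten every <rule> under <filter> into a dict, keeping ruleset order."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "tracker": r.findtext("tracker", ""),
            "action": r.findtext("type", ""),
            "interface": r.findtext("interface", ""),
            "ipprotocol": r.findtext("ipprotocol", "inet"),
            "protocol": r.findtext("protocol", "any"),  # absent means any protocol
            "source": _endpoint(r.find("source")),
            "destination": _endpoint(r.find("destination")),
            "descr": r.findtext("descr", ""),
            "disabled": r.find("disabled") is not None,
            "logged": r.find("log") is not None,
            "created": _stamp(r.find("created")),
            "updated": _stamp(r.find("updated")),
        })
    return rules


def _is_allow_all(rule):
    """Enabled pass rule with no destination, port or protocol restriction."""
    return (rule["action"] == "pass" and not rule["disabled"]
            and rule["destination"] == "any" and rule["protocol"] == "any")


def audit_rules(rules):
    """Map tracker id -> findings. Rules match first-hit, so an allow-all above a
    rule on the same interface (and address family) makes that rule unreachable."""
    findings = {}
    for i, rule in enumerate(rules):
        notes = []
        if not rule["disabled"]:
            if _is_allow_all(rule):
                notes.append("permissive-egress")
            if rule["action"] in ("block", "reject") and not rule["logged"]:
                notes.append("unlogged-block")
            if not rule["descr"]:
                notes.append("no-descr")
            for earlier in rules[:i]:
                if (_is_allow_all(earlier)
                        and earlier["interface"] == rule["interface"]
                        and earlier["ipprotocol"] in ("inet46", rule["ipprotocol"])
                        and earlier["source"] in ("any", rule["source"])):
                    notes.append(f"shadowed-by:{earlier['tracker']}")
                    break
        findings[rule["tracker"]] = notes
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    for rule, notes in zip(parsed, audit_rules(parsed).values()):
        print(f"[{rule['interface']}] {rule['action']} {rule['protocol']} "
              f"{rule['source']} -> {rule['destination']}  {rule['descr']!r}")
        print(f"    created: {rule['created']}")
        if rule["updated"]:
            print(f"    updated: {rule['updated']}")
        print(f"    findings: {', '.join(notes) or 'none'}")
```

Running the script against a real backup means replacing SAMPLE_CONFIG with the contents of the exported config.xml; the shadowing check is deliberately conservative and only reports rules hidden behind an unrestricted pass rule.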
Another example is a case where the inside interface of a pfSense software installation was seeing 50-60 Mbps of traffic
while the WAN had less than 1 Mbps of throughput. There were no other interfaces on the f
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf
the-pfsense-documentation.pdf

More Related Content

PPTX
In-depth Troubleshooting on NetScaler using Command Line Tools
PDF
An Overview of Identity Based Encryption
PDF
Rootlinux17: An introduction to Xen Project Virtualisation
PDF
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
PDF
[ko] Kernel Networking Stack 진입 장벽 허물기
PPT
Basic Linux Internals
PPTX
Proxmox for DevOps
PDF
oVirt introduction
In-depth Troubleshooting on NetScaler using Command Line Tools
An Overview of Identity Based Encryption
Rootlinux17: An introduction to Xen Project Virtualisation
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
[ko] Kernel Networking Stack 진입 장벽 허물기
Basic Linux Internals
Proxmox for DevOps
oVirt introduction

What's hot (20)

PPTX
Virtualization 101
DOCX
Snort Intrusion Detection / Prevention System on PFSense Firewall
PPTX
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PDF
Reconnaissance of Virtio: What’s new and how it’s all connected?
PDF
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
PPTX
VMware Vsphere Graduation Project Presentation
PDF
Virtualisation
PPTX
Container Orchestration using Kubernetes
PDF
KVM tools and enterprise usage
PDF
Alphorm.com Formation VirtualBox
ODP
Proxmox Talk - Linux Fest Northwest 2018
PDF
Modul One Day Workshop Proxmox VE 5.3 High Availability (HA)
PPTX
Linux Network Stack
PDF
Linux Porting to a Custom Board
PDF
Hands-on ethernet driver
PDF
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
PDF
05.2 virtio introduction
PDF
MariaDB, MySQL and Ansible: automating database infrastructures
PDF
Etude de la virtualisation
Virtualization 101
Snort Intrusion Detection / Prevention System on PFSense Firewall
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Reconnaissance of Virtio: What’s new and how it’s all connected?
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMware Vsphere Graduation Project Presentation
Virtualisation
Container Orchestration using Kubernetes
KVM tools and enterprise usage
Alphorm.com Formation VirtualBox
Proxmox Talk - Linux Fest Northwest 2018
Modul One Day Workshop Proxmox VE 5.3 High Availability (HA)
Linux Network Stack
Linux Porting to a Custom Board
Hands-on ethernet driver
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
05.2 virtio introduction
MariaDB, MySQL and Ansible: automating database infrastructures
Etude de la virtualisation
Ad

Similar to the-pfsense-documentation.pdf (20)

PDF
Etherfast3828
PPTX
6WINDGate™ - Enabling Cloud RAN Virtualization
PDF
Accelerating SDN Applications with Open Source Network Overlays
PDF
Learning SD-WAN with Cisco: Transform Your Existing WAN Into a Cost-effective...
PPT
Linux Based Advanced Routing with Firewall and Traffic Control
PDF
Cto’s guide to sdn, nfv and vnf
PPTX
6WINDGate™ - Enabling NFV for Telco Architectures
PPTX
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
RTF
KennethBaughResume_2015
PDF
Comparison: VNS3 and Openswan
PDF
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
PPTX
VPN in Virtualized DataCenter
PDF
Building Linux IPv6 DNS Server (Complete Soft Copy)
PDF
PDF
Private Network Project for Colleges
PDF
Scaling Your SDDC Network: Building a Highly Scalable SDDC Infrastructure wit...
PDF
Network Function Virtualization (NFV) BoF
PPTX
SDN and NFV Friends or Enemies ?
PPTX
Know about SDN and NFV
Etherfast3828
6WINDGate™ - Enabling Cloud RAN Virtualization
Accelerating SDN Applications with Open Source Network Overlays
Learning SD-WAN with Cisco: Transform Your Existing WAN Into a Cost-effective...
Linux Based Advanced Routing with Firewall and Traffic Control
Cto’s guide to sdn, nfv and vnf
6WINDGate™ - Enabling NFV for Telco Architectures
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
KennethBaughResume_2015
Comparison: VNS3 and Openswan
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
VPN in Virtualized DataCenter
Building Linux IPv6 DNS Server (Complete Soft Copy)
Private Network Project for Colleges
Scaling Your SDDC Network: Building a Highly Scalable SDDC Infrastructure wit...
Network Function Virtualization (NFV) BoF
SDN and NFV Friends or Enemies ?
Know about SDN and NFV
Ad

Recently uploaded (20)

PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PDF
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
PPTX
The current active pfSense software development team includes the following members (in alphabetical order by surname):
• Glen Barber
• Renato Botelho do Couto
• Leon Dang
• Brad Davis
• Peter Grehan
• Mateusz Guzik
• Reid Linnemann
• Christian McDonald
• Kris Molinari
• Jim Pingle
• Kristof Provost
• Luiz Otavio O Souza
• Steve Wheeler
We also want to give thanks to former project members, significant community contributors, and all FreeBSD developers who have assisted considerably with pfSense project development. Their time and effort throughout the last 15 years is meaningful and we appreciate their contributions.
1.2 Feedback
The publisher and authors encourage feedback for this documentation and the pfSense® software distribution. Please send suggestions, criticism and/or praise using the feedback forms at the bottom of each page. For general feedback related to the pfSense project, please post to the forum. Links to these resources can be found at https://www.netgate.com/support/contact-support.

Welcome to The pfSense Documentation, written by the pfSense® project team and including contributions from community members. This set of documents covers topics ranging from the installation process and basic configuration to advanced networking and firewalling using this popular open source firewall and router software distribution. This is designed to be a friendly guide to common networking and security tasks along with a thorough reference for the capabilities of pfSense software.
These documents cover the following topics (and more!):
• An introduction to pfSense software and its features.
• Firewall design and hardware planning.
• Installing and upgrading pfSense software.
• Using the web-based configuration interface.
• Backing up and restoring the firewall configuration.
• Firewalling fundamentals including defining and troubleshooting rules.
• Port forwarding and Network Address Translation (NAT).
• General networking and routing configuration.
• Virtual LANs (VLANs), Multi-WAN, and Bridging.
• Virtual Private Networks using IPsec and OpenVPN.
• Traffic shaping using ALTQ or Limiters.
• Wireless networking configuration.
• Captive Portal setup.
• High Availability using redundant firewalls.
• Various network-related services.
• Firewall monitoring, logging, traffic analysis, sniffing, packet capturing, and troubleshooting.
• Software package and third-party software installations.
There is also a Menu Guide with all standard menu choices available in the pfSense software GUI.
CHAPTER TWO
INTRODUCTION

2.1 What does pfSense stand for/mean?
The early tag line for the pfSense open source project was “making sense of pf”, referring to the packet filter technology at the core of the project. PF in FreeBSD can perform many of the basic packet filtering and QoS firewall tasks that pfSense software provides; however, pfSense software makes it easier to manage, monitor, and maintain. It accomplishes this by layering an easy to use GUI and customized services on top of the operating system and relevant packages, resulting in a complete firewall/router/VPN solution that is capable of much more than the sum of the underlying components.

2.2 Why FreeBSD?
Numerous factors came under consideration when choosing a base operating system for the project. This section outlines the primary reasons for selecting FreeBSD.

2.2.1 Wireless Support
Wireless support is a key feature for some users. In 2004, wireless support in OpenBSD was very limited compared to FreeBSD. OpenBSD did not support drivers or security protocols and offered no plans for their implementation. To this day, FreeBSD surpasses the wireless capabilities of OpenBSD.

2.2.2 Network Performance
Network performance in FreeBSD is significantly better than that of OpenBSD. For small to mid-sized deployments, this generally does not matter; upper scalability is the primary issue in OpenBSD. One pfSense® developer managing several hundred OpenBSD firewalls using pf was forced to switch his high load systems to pf on FreeBSD to handle the high packets per second rate required by portions of his network. The network performance in OpenBSD has improved since 2004, but limitations still exist. Multi-processor support for pf in FreeBSD allows for greater scalability and is utilized by pfSense software as seen in this network performance analysis: https://github.com/gvnn3/netperf/blob/master/Documentation/netperf.pdf.
2.2.3 Familiarity and ease of fork
The code for m0n0wall was based on FreeBSD, and pfSense software forked from m0n0wall. Changing the base operating system would require prohibitively large modifications and could have introduced limitations from other operating systems, requiring features to be removed or altered.

2.2.4 Alternative Operating System Support
There are no plans to support any other base operating systems at this time.

2.3 Common Deployments
pfSense® software can meet the needs of nearly any type and size of network environment, from a SOHO to datacenter environments. This section outlines the most common deployments.

2.3.1 Perimeter Firewall
The most common deployment of pfSense software is a perimeter firewall. pfSense software accommodates networks requiring multiple Internet connections, multiple LAN networks, and multiple DMZ networks. BGP (Border Gateway Protocol), connection redundancy, and load balancing capabilities are configurable as well.
See also: These advanced features are further described in Routing and Multiple WAN Connections.

2.3.2 LAN or WAN Router
pfSense software configured as a LAN or WAN router and perimeter firewall is a common deployment in small networks. LAN and WAN routing are separate roles in larger networks.

LAN Router
pfSense software is a proven solution for connecting multiple internal network segments. This is most commonly deployed with VLANs configured with 802.1Q trunking, described more in Virtual LANs (VLANs). Multiple Ethernet interfaces are also used in some environments. High-volume LAN traffic environments with fewer filtering requirements may need layer 3 switches or ASIC-based routers instead.

WAN Router
pfSense software is a great solution for Internet Service Providers. It offers all the functionality required by most networks at a much lower price point than other commercial offerings.
2.3.3 Special Purpose Appliances
pfSense software can be utilized for less common deployment scenarios as a stand-alone appliance. Examples include: VPN appliance, Sniffer appliance, and DHCP server appliance.

VPN Appliance
pfSense software installed as a separate Virtual Private Network appliance adds VPN capabilities without disrupting the existing firewall infrastructure, and includes multiple VPN protocols.

Sniffer Appliance
pfSense software offers a web interface for the tcpdump packet analyzer. The captured .cap files are downloaded and analyzed in Wireshark.
See also: For more information on using the packet capture features, see Packet Capturing.

DHCP Server Appliance
pfSense software can be deployed strictly as a Dynamic Host Configuration Protocol server, however, there are limitations of the pfSense software GUI for advanced configuration of the ISC DHCP daemon.
See also: For more information on configuring the DHCP service on pfSense, see DHCP.

2.4 Interface Naming Terminology
All interfaces on pfSense® software can be assigned any name desired, but they all start with default names: WAN, LAN, and OPT.

2.4.1 WAN
Short for Wide Area Network, WAN is the untrusted public network outside of the firewall. In other words, the WAN interface is the firewall’s connection to the Internet or other upstream network. In a multi-WAN deployment, WAN is the first or primary Internet connection. At a minimum, the firewall must have one interface, and that is WAN.

2.4.2 LAN
Short for Local Area Network, LAN is commonly the private side of a firewall. It typically utilizes a private IP address scheme for local clients. In small deployments, LAN is typically the only internal interface.
2.4.3 OPT
OPT or Optional interfaces refer to any additional interfaces other than WAN and LAN. OPT interfaces can be additional LAN segments, WAN connections, DMZ segments, interconnections to other private networks, and so on.

2.4.4 DMZ
Short for the military term demilitarized zone, DMZ refers to the buffer between a protected area and a war zone. In networking, it is an area where public servers are reachable from the Internet via the WAN but isolated from the LAN. The DMZ keeps the systems in other segments from being endangered if the network is compromised, while also protecting hosts in the DMZ from other local segments and the Internet in general.
Warning: Some companies misuse the term “DMZ” in their firewall products as a reference to 1:1 NAT on the WAN IP address which exposes a host on the LAN. For more information, see 1:1 NAT on the WAN IP, aka “DMZ” on Linksys.

2.4.5 FreeBSD interface naming
The name of a FreeBSD interface starts with the name of its network driver. It is then followed by a number starting at 0 that increases incrementally by one for each additional interface sharing that driver. For example, a common driver used by Intel gigabit network interface cards is igb. The first such card in a firewall will be igb0, the second is igb1, and so on. Other common driver names include cxl (Chelsio 10G), em (Also Intel 1G), ix (Intel 10G), bge (various Broadcom chipsets), amongst numerous others. If a system mixes an Intel card and a Chelsio card, the interfaces will be igb0 and cxl0 respectively.
See also: Interface assignments and naming are further covered in Installing and Upgrading.

2.5 Finding Information and Getting Help
This section offers guidance on finding information in this documentation, on pfSense® software in general, as well as providing further resources.

2.5.1 Finding Information
The search function on the documentation is the easiest way to find information on a specific topic. The most common features and deployments of pfSense software are covered in this documentation. When reading the HTML version of the documentation, the search function is in the upper left of the page. When reading an eBook style copy, consult the documentation for the book reader software for information on how to search.
There is a wealth of additional information and user experiences available on the various Netgate websites. The best way to search the sites is a Google search appending site:netgate.com to the query. This will search the website, forum, documentation, etc. which are all official sources of information.
2.5.2 Getting Help
A help icon is available on almost every page and links to the associated page in the documentation. Netgate offers several other ways to get help with pfSense software, including the Netgate Forum and this documentation. There is also a pfSense subreddit where community members can assist each other. More information can be found on the Netgate website at Obtaining Support. Many of these links are reachable from the Help menu in the GUI.

2.6 Comparison to Commercial Alternatives
The question of security and support vs. commercial alternatives comes up from time to time. The history of this project since its inception in 2004 proves we’re as secure as any, and better than many, commercial alternatives. The experiences of our customers prove not only can we match the service of any commercial firewall vendor, we exceed it. This page serves to debunk the common myths when comparing to commercial alternatives.

2.6.1 “Hardware” firewalls are better myth
Commercial firewall companies’ marketing departments have done a fine job ingraining the myth of “hardware firewalls” into some people’s minds. The reality is there is no such thing as a “hardware firewall.” All firewalls are hardware that runs software. Most commercial firewalls are based on BSD (same as pfSense®) or Linux. Numerous commercial firewalls run many of the same underlying software programs that pfSense software uses. Many commercial alternatives run on x86 hardware that’s no different from what people use for pfSense software. In fact many people have loaded pfSense software on hardware that used to run their commercial firewall, including Watchguard, Nortel, Barracuda and more.

2.6.2 Open source is insecure myth
Some people are of the mindset that because the source is open, it’s insecure because everyone can see how it works. Anyone who has paid any attention to security over the past 20 years knows the absurdity of that statement. No software relies on the obscurity of source code for security. If there was any truth in that, Microsoft Windows would be the most secure OS ever created, when the reality is all of the open source operating systems (all the BSDs and Linux) have security track records that are worlds better than Windows’. History proves the same applies to any software. Internet Explorer is continually hit with major security holes that many times take weeks to patch while they’re being exploited in the wild, while open source browsers Firefox, Chrome and others have had significantly better security track records. The widespread UPnP vulnerabilities announced in 2013 affecting over 300 commercial products is another good example. The vendors of hundreds of commercial products made extremely basic security mistakes, shipping with absurdly insecure defaults, and shipping outdated software. That’s never been an issue with pfSense software. That’s only one example of where pfSense software has done a better job than many commercial vendors.
2.6.3 Commercial alternatives have better support myth
With some open source projects, it’s true that a user is stuck if they need help. Netgate offers commercial support for pfSense software, Netgate TAC, that rivals anything any other commercial vendor offers.

2.7 Can pfSense software meet regulatory requirements
Prospective pfSense® users commonly inquire about the ability to meet security requirements applicable to their specific environments. Some of those include PCI, SOX, GLBA, HIPAA, amongst numerous other similar regulations for publicly traded companies, financial institutions, healthcare institutions, and others. There are numerous companies in many regulated industries using pfSense software that pass their audits with no problems, including all of the aforementioned regulations/standards amongst others. However it’s important to keep in mind that a firewall is a small portion of the security infrastructure, and those regulations are more about policies, procedures, and configuration than the actual products being used.
So yes, pfSense software can meet regulatory requirements, but that is dependent on configuration, policies, procedures, amongst other things - there is no compliance silver bullet. There may be circumstances specific to one company that make another product a better fit for compliance (or other) reasons, but that’s true of all commercial and open source solutions, there is no one product that is a perfect fit for everyone.

2.8 Can I sell pfSense software
Many consulting companies offer solutions based on pfSense® software to their customers. A business or individual can load pfSense software for themselves, friends, relatives, employers, and, yes, even customers, so long as the Trademark Guidelines and Apache 2.0 license requirements as detailed on the website are obeyed by all parties involved.
What cannot be offered is a commercial redistribution of pfSense® software, for example the guidelines do not permit someone to offer “Installation of pfSense® software” as a service or to sell a device pre-loaded with pfSense® software to customers without the prior express written permission of ESF pursuant to the trademark policy.

Example 1
A consultant may offer firewall services (e.g. “Fred’s Firewalls”), without mentioning pfSense® software or using the logo in their advertising, marketing material, and so on. They can install pfSense® software and manage it for their customers.

Example 2
Fred’s Firewalls may make a customized distribution of pfSense® software with their own name and logo used in place of the pfSense marks. They can use the pfSense marks to truthfully describe the origin of the software, such as “Fred’s Firewall software is derived from the pfSense CE source code.” Even though Fred’s Firewall is based on pfSense® software, it cannot be referred to as “pfSense® software” since it has been modified.

Example 3
Fred’s Firewalls may sell their customized firewall distribution pre-loaded on systems to customers, so long as the relationship to pfSense software is clearly stated.

The Apache 2.0 license only applies to the software and not the pfSense name and logo, which are trademarks and may not be used without a license. Reading and understanding the trademark policy document is required before one considers selling pfSense software.
2.8.1 Contributing Back to the Project
We ask anyone profiting by using pfSense software to contribute to the project in some fashion. Ideally with the level of contributions from a business or individual corresponding to the amount of financial gain received from use of pfSense software. Many paths exist for resellers and consultants to contribute. For the long term success of the project this support is critically important.
• Purchase hardware and merchandise from the Netgate Store.
• Become a Netgate Partner to resell Netgate hardware pre-loaded with pfSense software.
• Development contributions - Dedicate a portion of internal developers’ time to open source development.
• Help with support and documentation - Assisting users on the forum and mailing list, or contributing documentation changes, aids the overall project.
• Support subscription via Netgate TAC - Having direct access to our team for any questions or deployment assistance helps ensure success.

2.8.2 Using the pfSense Name and Logo
The “pfSense” name and logo are trademarks of Electric Sheep Fencing, LLC. The pfSense software source code is open source and covered by the Apache 2.0 license. That license only covers the source code and not our name and trademarks, which have restricted usage. We think it is great that people want to promote and support the pfSense project. At the same time, we also need to verify that what is referred to as “pfSense” is a genuine instance of pfSense software and not modified in any way.
• The pfSense name and logo MAY NOT be used physically on a hardware device.
– For example: A sticker, badge, etching, or similar rendering of the pfSense name or logo is NOT allowed.
• The pfSense logo MAY NOT be used on marketing materials or in other ways without a license, including references on websites.
• The pfSense name MAY be used to describe the case that a product is based on a pfSense distribution, but the designated product name may not include pfSense or a derivative. Basically stating facts regarding product origin is acceptable. Anything that implies that a product is endorsed by or made by ESF or the pfSense project is not allowed. Examples:
– “Blahsoft Fireblah based on pfSense software” – Acceptable
– “Blahsoft pfSense Firewall” – NOT Allowed
• ONLY an UNMODIFIED version of pfSense software can still be called “pfSense software”.
– If the source code has been changed, compiled/rebuilt separately, included extra file installations such as themes or add-on scripts, or any other customizations, it cannot be called “pfSense software”, it must be called something else.
– Trademark protection aside, this requirement preserves the integrity and reputation of the pfSense project. It also prevents unverified changes that may be questionably implemented from being attributed to pfSense.
• If a pfSense distribution is modified, the resulting software CANNOT be called “pfSense” or anything similar. The new name must be distinct from pfSense. Trademark law does not allow use of names or trademarks that are confusingly similar to the pfSense Marks. This means, among other things, that law forbids using a variation of the pfSense Marks, their phonetic equivalents, mimicry, wordplay, or abbreviation with respect to similar or related projects, products, or services (for example, “pfSense Lifestyle,” “PFsense Community,” “pf-Sense Sensibility,” “pfSensor”, etc., all infringe on ESF’s rights).
Examples:
– “pfSomething”, or “somethingSense” – INFRINGING references
– “ExampleWall”, “FireWidget” – NON-Infringing references
• The “pfSense” name MAY NOT be used in a company name or similar. A company CANNOT be named “pfSense Support, Ltd” or “pfSense Experts, LLC”, or use it in a domain name or subdomain reference. However, the company can state support for pfSense software, offer training for pfSense software, etc.
• There MUST be a distinction between a company name and pfSense or Electric Sheep Fencing, LLC. No relationship or endorsement can be stated or implied between the two companies, unless we have explicitly licensed and agreed to such a statement.

The pfSense® Project is a free open source customized distribution of FreeBSD tailored for use as a firewall and router entirely managed by an easy-to-use web interface. This web interface is known as the web-based GUI configurator, or WebGUI for short. No FreeBSD knowledge is required to deploy and use pfSense software. In fact, the majority of users have never used FreeBSD outside of pfSense software.
In addition to being a powerful, flexible firewalling and routing platform, pfSense software includes a long list of related features. The pfSense software package system allows further expandability without adding bloat and potential security vulnerabilities to the base distribution.
pfSense software is a popular project with millions of downloads since its inception and hundreds of thousands of active installations. It has been proven successful in countless installations ranging from single computer protection in small home networks to thousands of network devices in large corporations, universities and other organizations.
To download the latest version, see previous versions, or to upgrade follow the guides located on the pfSense downloads page.

2.9 Project Inception
pfSense software was forked from the m0n0wall open source project in 2004. m0n0wall was focused specifically on providing a firewall/router for embedded devices and was sized for limited hardware resources. Initially pfSense software aimed at providing a firewall/router solution with an expanded set of capabilities on larger PC and server style hardware. pfSense software has continued to evolve over time, providing firewall, router, VPN, IDS/IPS, and more capabilities that work well on hardware from small home office size devices to large service provider size servers.
CHAPTER THREE
RELEASES
This section contains information about past and present releases of pfSense® software. This includes release notes and detailed version information.
• General Release Information
• Current and Upcoming Supported Releases
– pfSense Plus Software
– pfSense CE Software
• Older/Unsupported Releases
– pfSense Plus Software
– pfSense CE Software

3.1 General Release Information

3.1.1 Versions of pfSense software and FreeBSD
The tables in this document contain detailed information on pfSense® software releases. Versions are grouped by major/minor number changes so they are easier to locate. The most recent versions are listed first, and the rest are in descending order by release date.
• pfSense Plus software
• pfSense CE software
• Legend
• Understanding pfSense Plus and CE software version numbers
pfSense Plus software

The Support column of the original tables is an icon (current, unsupported, or future release; see the Legend) and is not reproduced in this text version.

23.x
Version    Released     Config Rev   FreeBSD Version             Branch
23.01      TBD          22.8         14.0-CURRENT@aec9453fec7    plus-RELENG_23_01

22.x
Version    Released     Config Rev   FreeBSD Version             Branch
22.05.1    2022-12-06   22.7         12.3-STABLE@5f81a4619dcf    plus-RELENG_22_05_1
22.05      2022-06-26   22.7         12.3-STABLE@5f81a4619dcf    plus-RELENG_22_05
22.01      2022-02-14   22.2         12.3-STABLE@ef1e43df92c6    plus-RELENG_22_01

21.x
Version    Released     Config Rev   FreeBSD Version             Branch
21.05.2    2021-10-26   21.7         12.2-STABLE@424f6363927     plus-RELENG_21_05_2
21.05.1    2021-08-05   21.7         12.2-STABLE@424f6363927     plus-RELENG_21_05_1
21.05      2021-06-02   21.7         12.2-STABLE@424f6363927     plus-RELENG_21_05
21.02.2    2021-04-13   21.5         12.2-STABLE@f4d0bc6aa6b     plus-RELENG_21_02_2
21.02-p1   2021-02-25   21.4         12.2-STABLE@f4d0bc6aa6b     plus-RELENG_21_02
21.02      2021-02-17   21.4         12.2-STABLE@f4d0bc6aa6b     plus-RELENG_21_02

pfSense CE software

2.7.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.7.0      TBD          22.8         14.0-CURRENT@aec9453fec7    RELENG_2_7_0

2.6.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.6.0      2022-02-14   22.2         12.3-STABLE@ef1e43df92c6    RELENG_2_6_0

2.5.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.5.2      2021-07-07   21.7         12.2-STABLE@f4d0bc6aa6b     RELENG_2_5_2
2.5.1      2021-04-13   21.5         12.2-STABLE@f4d0bc6aa6b     RELENG_2_5_1
2.5.0      2021-02-17   21.4         12.2-STABLE@f4d0bc6aa6b     RELENG_2_5_0

2.4.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.4.5-p1   2020-06-09   19.1         11.3-STABLE@r357046         RELENG_2_4_5
2.4.5      2020-03-26   19.1         11.3-STABLE@r357046         RELENG_2_4_5
2.4.4-p3   2019-05-20   19.1         11.2-RELEASE-p10            RELENG_2_4_4
2.4.4-p2   2019-01-07   18.9         11.2-RELEASE-p4             RELENG_2_4_4
2.4.4-p1   2018-12-03   18.9         11.2-RELEASE-p4             RELENG_2_4_4
2.4.4      2018-09-24   18.8         11.2-RELEASE-p3             RELENG_2_4_4
2.4.3-p1   2018-05-14   18.0         11.1-RELEASE-p10            RELENG_2_4_3
2.4.3      2018-03-29   17.9         11.1-RELEASE-p7             RELENG_2_4_3
2.4.2-p1   2017-12-14   17.3         11.1-RELEASE-p6             RELENG_2_4_2
2.4.2      2017-11-20   17.3         11.1-RELEASE-p4             RELENG_2_4_2
2.4.1      2017-10-24   17.3         11.1-RELEASE-p2             RELENG_2_4_1
2.4        2017-10-12   17.0         11.1-RELEASE-p1             RELENG_2_4_0

2.3.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.3.5-p2   2018-05-14   15.8         10.3-RELEASE-p26            RELENG_2_3_5
2.3.5-p1   2017-12-14   15.8         10.3-RELEASE-p26            RELENG_2_3_5
2.3.5      2017-10-31   15.8         10.3-RELEASE-p20            RELENG_2_3_5
2.3.4-p1   2017-07-20   15.8         10.3-RELEASE-p19            RELENG_2_3_4
2.3.4      2017-05-04   15.8         10.3-RELEASE-p19            RELENG_2_3_4
2.3.3-p1   2017-03-09   15.8         10.3-RELEASE-p17            RELENG_2_3_3
2.3.3      2017-02-20   15.8         10.3-RELEASE-p16            RELENG_2_3_3
2.3.2      2016-07-19   15.5         10.3-RELEASE-p5             RELENG_2_3_2
2.3.1      2016-05-18   15.4         10.3-RELEASE-p3             RELENG_2_3_1
2.3        2016-04-12   15.0         10.3-RELEASE                RELENG_2_3_0

2.2.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.2.6      2015-12-21   12.0         10.1-RELEASE-p25            RELENG_2_2
2.2.5      2015-11-05   12.0         10.1-RELEASE-p24            RELENG_2_2
2.2.4      2015-07-26   11.9         10.1-RELEASE-p15            RELENG_2_2
2.2.3      2015-06-24   11.7         10.1-RELEASE-p13            RELENG_2_2
2.2.2      2015-04-15   11.7         10.1-RELEASE-p9             RELENG_2_2
2.2.1      2015-03-17   11.7         10.1-RELEASE-p6             RELENG_2_2
2.2        2015-01-23   11.6         10.1-RELEASE-p4             RELENG_2_2

2.1.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.1.5      2014-08-27   10.1         8.3-RELEASE-p16             RELENG_2_1
2.1.4      2014-06-25   10.1         8.3-RELEASE-p16             RELENG_2_1
2.1.3      2014-05-02   10.1         8.3-RELEASE-p16             RELENG_2_1
2.1.2      2014-04-10   10.1         8.3-RELEASE-p14             RELENG_2_1
2.1.1      2014-04-04   10.1         8.3-RELEASE-p14             RELENG_2_1
2.1        2013-09-15   9.8          8.3-RELEASE-p11             RELENG_2_1

2.0.x
Version    Released     Config Rev   FreeBSD Version             Branch
2.0.3      2013-04-15   8.0          8.1-RELEASE-p13             RELENG_2_0
2.0.2      2012-12-21   8.0          8.1-RELEASE-p13             RELENG_2_0
2.0.1      2011-12-20   8.0          8.1-RELEASE-p6              RELENG_2_0
2.0        2011-09-17   8.0          8.1-RELEASE-p4              RELENG_2_0

1.2.x
Version    Released     Config Rev   FreeBSD Version             Branch
1.2.3      2009-12-10   3.0          7.2-RELEASE-p5              RELENG_1_2
1.2.2      2009-01-09   3.0          7.0-RELEASE-p8              RELENG_1_2
1.2.1      2008-12-26   3.0          7.0-RELEASE-p7              RELENG_1_2
1.2        2008-02-25   3.0          6.2-RELEASE-p11             RELENG_1_2
Legend

Version
The pfSense Plus or CE software version number. When possible, the version number links to the release notes detailing what was changed in that particular release.
See also: See Understanding pfSense Plus and CE software version numbers later in this document for an explanation of the version number formats.

Support
The support status, shown in the tables as an icon: current supported release, previous unsupported release, or future release.

TBD
To Be Determined, not yet known.

Released
The date a specific version of pfSense software was released to the public.

Config Rev
The internal config.xml revision number, which indicates changes to the configuration format that may make a configuration file incompatible with older versions.

FreeBSD Version
Each version of pfSense software is based on a specific version of FreeBSD. The underlying FreeBSD version is listed for each corresponding version of pfSense software.

Branch
A link to the pfSense software source code branch used to build a specific release.

Understanding pfSense Plus and CE software version numbers
pfSense Plus and CE software utilize different version number formats. This makes it easier to distinguish between them and also makes it clear that the releases do not necessarily happen at the same time, even if they share a common code base.
pfSense Plus software version numbers use the format <year>.<month>.<patch> where the <patch> suffix is omitted when the value is 0. This version numbering scheme follows the format used by TNSR software, also produced by Netgate, which in turn is modeled after the version format used by the Linux Foundation FD.io project. This change happened at the start of 2021 when the name changed from “pfSense Factory Edition” to “pfSense Plus”.
pfSense CE software version numbers use the format <major>.<minor>.<patch>, and each component is present even if the value is 0. This version numbering scheme is similar to the format used by FreeBSD software. In the past, this format was also used for releases of pfSense Factory Edition software before it was renamed to pfSense Plus.
3.2 Current and Upcoming Supported Releases

3.2.1 pfSense Plus Software

23.01 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

• PHP has been upgraded from 7.4 to 8.1
• The base operating system has been upgraded to FreeBSD 14-CURRENT

  Warning: As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:
  – 3DES Encryption
  – Blowfish Encryption
  – CAST 128 Encryption
  – MD5 HMAC Authentication

  The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade to ensure a smoother transition.

  On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration. The upgrade process will disable tunnels if they have no valid encryption or authentication options remaining. The upgrade process will notify the user of any changes it makes.

  This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.

• A long-standing difficult-to-reproduce crash in Unbound during reloading has been addressed. Christian McDonald tracked down the source of the Unbound SIGHUP crashes to a reference counting bug within the MaxMindDB Python module. Both a patch to MaxMind and a port revision to FreeBSD ports were submitted and accepted, and the fix will be included in the 23.01 release. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.
• In addition to the Unbound crash, Christian also identified a memory leak with DHCP registration and Unbound Python mode (#10624). This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further for a future release.
• Due to #13507, batch copying rules between interfaces on a previous release may have created multiple rules with the same internal tracker ID. This issue has been corrected, but any rules with duplicate IDs must be corrected manually (e.g. by deleting and re-copying or re-creating the rules).
• The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.

Note: On systems using ZFS, the first boot post-upgrade will appear to have higher than normal memory usage due to the large volume of filesystem activity that takes place during the upgrade process. This is harmless, however. It is due to ZFS ARC memory usage, which ZFS will yield as needed if other processes require more memory. Rebooting the firewall after the upgrade completes will return the reported memory usage to a normal level.
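As an added pre-upgrade check (not part of the pfSense documentation or code base): the script below scans a config.xml backup for the IPsec algorithms the warning above says 23.01 removes, and reports which phase 1 and phase 2 entries would have algorithms pruned and which would be left without a valid proposal and therefore disabled. The config.xml element names and the lowercase algorithm spellings are my assumptions about the backup format; verify them against a backup from your own firewall before relying on the output.

```python
"""Audit a pfSense config.xml backup for IPsec algorithms removed in 23.01.

Added example, not pfSense project code. Assumed layout: phase 1 proposals
live in <phase1><encryption><item> with <encryption-algorithm><name> and
<hash-algorithm>; phase 2 options live in <phase2> as repeated
<encryption-algorithm-option><name> and <hash-algorithm-option> elements.
"""
import sys
import xml.etree.ElementTree as ET

# Algorithms the 23.01 release notes list as removed from IPsec. The config.xml
# spellings (3des, blowfish, cast128, md5 / hmac_md5) are assumptions.
DEPRECATED_ENC = {"3des", "blowfish", "cast128"}
DEPRECATED_HASH = {"md5", "hmac_md5"}
DEPRECATED = DEPRECATED_ENC | DEPRECATED_HASH

# Constructed sample backup trimmed to its IPsec section (not from a real firewall).
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid><descr>Site B (modern)</descr>
      <encryption>
        <item><encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
              <hash-algorithm>sha256</hash-algorithm><dhgroup>14</dhgroup></item>
      </encryption>
    </phase1>
    <phase1>
      <ikeid>2</ikeid><descr>Legacy branch</descr>
      <encryption>
        <item><encryption-algorithm><name>3des</name><keylen></keylen></encryption-algorithm>
              <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup></item>
        <item><encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
              <hash-algorithm>md5</hash-algorithm><dhgroup>2</dhgroup></item>
      </encryption>
    </phase1>
    <phase2>
      <ikeid>1</ikeid><descr>Site B LAN</descr><protocol>esp</protocol>
      <encryption-algorithm-option><name>aes</name><keylen>256</keylen></encryption-algorithm-option>
      <encryption-algorithm-option><name>3des</name><keylen></keylen></encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    </phase2>
    <phase2>
      <ikeid>2</ikeid><descr>Legacy LAN</descr><protocol>esp</protocol>
      <encryption-algorithm-option><name>3des</name><keylen></keylen></encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    </phase2>
  </ipsec>
</pfsense>
"""


def _text(el, path):
    """Lowercased, stripped text of a child element, or '' when absent."""
    return (el.findtext(path) or "").strip().lower()


def audit_ipsec(xml_text):
    """Return one finding per affected entry: phase, ikeid, descr, the list of
    algorithm names the upgrade would remove, and disabled=True when nothing
    valid would remain (my reading of the documented upgrade behaviour)."""
    findings = []
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return findings
    # Phase 1: each <item> is one proposal; it survives only if both its cipher
    # and its hash are still supported.
    for p1 in ipsec.findall("phase1"):
        removed, surviving = [], 0
        for item in p1.findall("encryption/item"):
            algs = (_text(item, "encryption-algorithm/name"), _text(item, "hash-algorithm"))
            bad = [a for a in algs if a in DEPRECATED]
            removed.extend(bad)
            surviving += 0 if bad else 1
        if removed:
            findings.append({"phase": "phase1", "ikeid": _text(p1, "ikeid"),
                             "descr": p1.findtext("descr", ""), "removed": removed,
                             "disabled": surviving == 0})
    # Phase 2: ciphers and hashes are independent option lists; the entry is
    # unusable if either list would be emptied.
    for p2 in ipsec.findall("phase2"):
        encs = [_text(e, "name") for e in p2.findall("encryption-algorithm-option")]
        hashes = [(h.text or "").strip().lower() for h in p2.findall("hash-algorithm-option")]
        bad = [a for a in encs if a in DEPRECATED_ENC] + [a for a in hashes if a in DEPRECATED_HASH]
        if bad:
            no_enc = all(a in DEPRECATED_ENC for a in encs)
            no_hash = all(a in DEPRECATED_HASH for a in hashes)
            findings.append({"phase": "phase2", "ikeid": _text(p2, "ikeid"),
                             "descr": p2.findtext("descr", ""), "removed": bad,
                             "disabled": no_enc or no_hash})
    return findings


def format_report(findings):
    """One human-readable line per affected entry."""
    if not findings:
        return ["No deprecated IPsec algorithms found."]
    lines = []
    for f in findings:
        action = "WOULD BE DISABLED (no valid proposal left)" if f["disabled"] else "algorithms pruned"
        lines.append(f"{f['phase']} ikeid={f['ikeid']} '{f['descr']}': "
                     f"removes {', '.join(f['removed'])}; {action}")
    return lines


if __name__ == "__main__":
    # Usage: python audit_ipsec.py /path/to/config.xml (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(format_report(audit_ipsec(text))))
```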
Errata/Known Hardware Issues

• The Netgate 1000 does not function on FreeBSD 14 and as a consequence it is unable to upgrade to this release. Attempting to check for updates on a Netgate 1000 device will print a notification to this effect. No other models are impacted.
• The PCI bus in the Netgate 1100 and Netgate 2100 models does not currently function on 23.01. This was never an advertised feature, though some users have taken advantage of it in the past. If a device relies on the PCI bus, such as an add-on Wireless card, then consider the impact of upgrading to 23.01 where that will not be available (NG 9622).
• Devices based on “ADI” or “RCC” hardware, such as the 4860, 8860, and potentially other similar models, may have issues with the ichsmb0 and/or ehci0 devices encountering an interrupt loop, leading to higher than usual CPU usage (NG 8916). This can typically be worked around by disabling the affected device. For example, by placing the following in /boot/loader.conf.local:

      hint.ichsmb.0.disabled=1

  This does not affect the 2220, 2440 or XG-2758.
• There have been a small number of reports that pfSense Plus software version 23.01 installations using ZFS will not boot in Hyper-V, though it works OK for others (#13895). Test in a lab or non-production environment before attempting to deploy this version. In some cases removing the optical drive from the VM settings before upgrading has allowed it to boot successfully.
• Azure instances now use Gen2 and currently do not have a functional serial console; developers are working to address this in the next release.
• Devices using the i915 video driver require manual changes because FreeBSD moved the driver from the kernel to a package. In most cases this driver is not necessary, but it can be helpful on some platforms for HDMI hotplug support.
  To continue using the driver on 23.01, after the upgrade completes run the following from a shell:

      pkg install -y drm-510-kmod

  Then add the following line to /boot/loader.conf.local:

      kld_list="i915kms"

  Reboot the firewall after making the changes to activate the driver.
• There have been a small number of reports on non-Netgate hardware that accessing the GUI of a pfSense Plus software installation over IPsec can trigger a kernel panic. Developers have not yet been able to reproduce the crash, but there is a workaround for users encountering this problem: Create a system tunable entry to set kern.ipc.mb_use_ext_pgs=0. See #13938 for details and alternate workarounds.
• Some devices have an issue with the serial console display of password protected consoles and other aspects of the boot process, such as Boot Environment selection. The features may not render properly, but are still functional. This is not a regression in 23.01 as it also happened on 22.05.x. This has been reported on Netgate 4100, Netgate 6100, and Netgate 8200 models. See #13455 for more information.
• Suricata has an issue processing passlist entries containing /31 subnets. Developers have a fix prepared for testing which will be added to the package shortly after 23.01 releases. See #13920 for details.
pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

• Fixed: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries #9296
• Fixed: Alias with non-resolving FQDN entry breaks underlying PF table #12708
• Fixed: Alias content is sometimes incomplete if the firewall cannot resolve an FQDN in the alias #13282
• Added: Specify CA trust store location when downloading and validating URL alias content #13367
• Fixed: Deleting an alias marks the subsystem as unclean but also unconditionally reloads the filter configuration #13538
• Fixed: Missing descriptions for referrers to firewall aliases cause empty strings for references to be returned when deleting an in-use alias #13539

Authentication

• Fixed: Google LDAP connections fail due to lack of SNI for TLS 1.3 #11626
• Fixed: RADIUS authentication attempts no longer send RADIUS NAS IP attribute #13356
• Fixed: Unable to set web interface session timeout to 0 (i.e. never expire) #13561
• Changed: Improve LDAP debugging #13718

Auto Configuration Backup

• Added: Option to list AutoConfigBackup entries in “reverse” order (newest at top) #11266
• Added: Support for international characters in the AutoConfigBackup Hint/Identifier field #13388

Backup / Restore

• Fixed: Multiple <sshdata> or <rrddata> sections in config.xml lead to an XML parsing error during restore #13132
• Fixed: Attempting to restore a 0 byte config.xml prints an error that the file cannot be read #13289
• Fixed: Configuration history restores revision no matter which option is clicked in confirmation dialog #13861
• Fixed: RRD restore process does not sanitize filenames from backup XML #13935
Build / Release

• Changed: Disable pkg compatibility flag which creates txz file extension symbolic links #12782

Captive Portal

• Fixed: Traffic passed by Captive Portal cannot use limiter queues on other rules #13148
• Fixed: Voucher CSV output has leading space before voucher code #13272
• Fixed: Error dummynet: bad switch 21! when using Captive Portal with Limiters #13290
• Fixed: Captive Portal breaks policy based routing for MAC address bypass clients #13323
• Fixed: Multiple Captive Portal interfaces do not properly form the list of portal IP addresses #13391
• Fixed: Custom logo or background image is created with two dots (..) before the file extension #13396
• Fixed: Captive Portal does not keep track of client data usage #13418
• Fixed: All Captive Portal users are given the same limiter pipe pair #13488
• Fixed: Captive Portal blocked MAC addresses are not blocked #13747
• Fixed: Rules for authenticated Captive Portal users are not removed when a zone is disabled #13756
• Fixed: Captive Portal RADIUS start/stop accounting does not reset counters at each accounting start #13838
• Fixed: Captive Portal does not apply RADIUS bandwidth limits to user pipes #13853

Certificates

• Fixed: CA path is not defined when using curl in the shell #12737
• Fixed: Exporting a PKCS#12 file from the certificate manager does not use the intended encryption algorithm #13257
• Fixed: CRL expiration date with default lifetime is too long, goes past UTCTime limit #13424
• Fixed: ECDSA certificate renewal causes digest algorithm to be reset to SHA1 #13437

Configuration Backend

• Fixed: Input validation is checking RAM disk sizes when they are inactive #13479

Console Menu

• Fixed: Changing an interface IP address and gateway at the console does not save the new gateway if one already exists for the interface #12632
• Fixed: Hidden menu option 100 incorrectly handles HTTPS detection #13258
DHCP (IPv4)

• Added: Improve distinction between online and idle/offline entries in DHCP lease list #10345
• Changed: Clean up DHCP Server option language #13250
• Added: Input validation for numbered DHCP options in static mappings #13584
• Fixed: DHCP server “Disable Ping Check” option does not store value on save #13748

DHCP (IPv6)

• Fixed: dhcp6c is not restarted when applying settings when multiple WANs are configured for DHCP6 #13253
• Fixed: Advanced DHCP6 client settings only work for a single interface #13462
• Fixed: “Provide DNS servers to DHCPv6 clients” setting does not reflect a changed value until the page is reloaded #13594
• Fixed: DHCPv6 rules are not created for interfaces with static IPv6 #13633

DNS Forwarder

• Fixed: DNS Forwarder refuses valid retries from clients in certain cases #12901

DNS Resolver

• Fixed: Memory leak in Unbound with Python module and DHCP lease registration active #10624
• Fixed: Unbound crashes with signal 11 when reloading #11316
• Fixed: DNS Resolver is restarted during every rc.newwanip event even for interfaces not used in the resolver #12612
• Fixed: DNS resolver does not update its configuration or reload during link down events #13254
• Fixed: DNS Resolver responds with unexpected source address when the DNS over TLS server function is enabled #13393
• Fixed: Incorrect word in “Network Interfaces” help text on services_unbound.php #13453
• Changed: Update Unbound to use Python 3.11 instead of Python 3.9 #13867
• Changed: Update Unbound to 1.17.1 #13893

Dashboard

• Fixed: QAT detection on dashboard is incorrect if the driver does not attach #13674
• Fixed: APU1 hardware is not properly identified with current BIOS versions #13471
Diagnostics

• Fixed: Neighbor hostnames in the NDP Table on diag_ndp.php are always empty #13318
• Changed: Add multicast group membership (ifmcstat) to status.php #13731

Dynamic DNS

• Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
• Fixed: DigitalOcean Dynamic DNS update fails with a “bad request” error #13167
• Fixed: Dynv6 Dynamic DNS client does not check the response code when updating #13298
• Fixed: DNSExit Dynamic DNS updates no longer work #13303

FilterDNS

• Fixed: Resolve interval for filterdns may not match the configured value #13067

FreeBSD

• Fixed: Cannot set EFI console as primary console when using both EFI and Serial #13080
• Fixed: CVE-2022-23093 / FreeBSD-SA-22:15.ping #13716

Gateway Monitoring

• Fixed: Marking a gateway as down does not affect IPsec entries using gateway groups #13076
• Fixed: Incorrect function parameters for get_dpinger_status() call in gwlb.inc #13295

Gateways

• Fixed: Recovering interface gateway may not be added back into gateway groups and rules when expected #13228

Hardware / Drivers

• Fixed: Software VLAN tagging does not work on ixgbe(4) interfaces #13381
• Fixed: Intel i226 network interfaces do not honor a manually selected link speed #13529
IPsec

• Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
• Fixed: IPsec rejects certificates if any SAN is wildcard rather than rejecting when all SANs are wildcard #13373
• Changed: Information box on status_ipsec.php says “IPsec not enabled” even when a tunnel is established #13398
• Fixed: Incorrect quoting of Split DNS attribute value in strongswan.conf #13579
• Added: Support for ChaCha20-Poly1305 encryption with IPsec #13647
• Changed: Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing) #13648

Interfaces

• Fixed: Primary interface address is not always used when VIPs are present #11545
• Added: Support for VLAN 0 #12070
• Fixed: Bridges with QinQ interfaces not properly set up at boot #13225
• Fixed: Several advanced DHCP6 client options do not inform the user when rejecting invalid input #13493
• Changed: Clean up obsolete code in pfSense-dhclient-script #13501
• Fixed: Assigned bridge interfaces are not configured at boot #13666
• Fixed: Code that sets IPv6 MTU can unintentionally act on IPv4 addresses #13675

OpenVPN

• Fixed: OpenVPN DCO panics with short UDP packets #13338
• Fixed: OpenVPN crashes after reaching the configured concurrent connection limit #13355
• Fixed: Traffic to OpenVPN DCO RA clients above the first available tunnel IP address is incorrectly routed #13358
• Added: Support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO #13649
• Fixed: GUI allows configuring OpenVPN DCO with incompatible options (TCP, compression, TAP, net30) #13664
• Fixed: OpenVPN status for multi-user VPN shows info icon to display RADIUS rules when there are none to display #13243

Operating System

• Fixed: Entries for net.link.ifqmaxlen duplicated in /boot/loader.conf #13280
• Fixed: vmstat -m value for temp is accounted for incorrectly, resulting in underflows #13316
• Fixed: Memory leak in PF when retrieving Ethernet rules #13525
• Changed: Update Python 3.9.15 to 3.9.16 in base system #13865
• Changed: Add Python 3.11.1 to base system #13866
PHP Interpreter

• Added: Upgrade PHP from 7.4 to 8.1 #13446
• Fixed: fcgicli fails to write packets with nvpair values that exceed 128 bytes #13638

PPP Interfaces

• Fixed: Services are not restarted when PPP interfaces connect #12811
• Fixed: PPP interface custom reset date/time Hour and Minute fields do not properly handle 0 value #13307

Routing

• Added: Enable ROUTE_MPATH multipath routing #9544

Rules / NAT

• Fixed: Rule separator positions change when deleting multiple rules #9887
• Fixed: User is forced to pick an NPt destination IPv6 prefix length even when choosing a drop-down entry which contains a defined prefix length #13240
• Fixed: The negate_networks table is duplicated in rules.debug #13308
• Fixed: Each line in the NPt destination IPv6 prefix list also contains the network of the previous line when multiple choices are present #13310
• Fixed: Using the copy (not clone) function on firewall rules unintentionally converts interface address to interface net #13364
• Fixed: PF can fail to load a new ruleset #13408
• Fixed: TCP traffic sourced from the firewall can only use the default gateway #13420
• Fixed: easyrule CLI script has multiple bugs and undesirable behaviors #13445
• Changed: Correct DHCP client rule descriptions in the generated firewall ruleset #13505
• Fixed: Copying multiple rules at the same time results in new rules with duplicate tracker IDs #13507
• Fixed: Toggling NAT rules using the button method does not enable/disable corresponding firewall rules #13545
• Fixed: Error creating port forward rule with port alias #13601

Traffic Shaper (ALTQ)

• Added: ALTQ GUI support for Broadcom Netextreme II (bxe) interfaces #13304
UPnP/NAT-PMP

• Fixed: UPnP/NAT-PMP status page does not display all port mappings #4500

User Manager / Privileges

• Fixed: RADIUS authentication not working over IPv6 #4154

Web Interface

• Fixed: Unnecessary link tag in login page #7996
• Fixed: “Dark” theme does not sufficiently distinguish between selected and deselected elements in option lists #11730
• Fixed: VGA install defaults to serial as primary console when loading/saving admin GUI settings without making changes #12960
• Changed: Spelling and typo corrections #13357
• Fixed: “Dark” theme uses the same colors for disabled and enabled input fields #13390
• Fixed: Input validation on system_advanced_firewall.inc uses incorrect variable references for some fields #13436
• Changed: Update external HTTPS/HTTP links #13440
• Fixed: Table row selection has poor contrast in Dark theme #13448
• Fixed: Changing the GUI port does not redirect the browser to the new port on save #13591

22.05/22.05.1 New Features and Changes

Version 22.05.1

pfSense Plus software version 22.05.1 is a special patch release which adds hardware support for the Netgate 8200 as well as built-in dynamic repository support.

Important: The majority of pfSense Plus users will not need to run this version unless directed to do so by Netgate TAC. This limited patch release is not currently offered as an upgrade from 22.05.

Version 22.05

This is a regularly scheduled release of pfSense® Plus software including new features and bug fixes.
General

• Added: OpenVPN Data Channel Offload (DCO) support (Plus only)

  Warning: OpenVPN DCO is considered experimental at this time. While testing has been successful in many scenarios during development, there is still a potential for instability or undesirable behavior. Additionally, some OpenVPN features and use cases are still not compatible with DCO. See Limitations for a list of known DCO limitations. If a problem occurs with DCO, start a thread on the Netgate Forum to discuss and diagnose the issue.

• Added: ZFS Boot Environment (BE) snapshots support (Plus only)
• Changed: Captive Portal and Limiters now use only PF and not IPFW (Plus and CE)

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

• Fixed: Renaming an alias does not update the alias names in static routes and OpenVPN instances #12727
• Added: Retain descriptions when exporting and importing aliases #12842

Authentication

• Added: GUI option to select the user password hashing algorithm #12855
• Fixed: LDAP setup does not display ‘Global Root CA List’ option unless another CA also exists #13185

Backup / Restore

• Changed: Comply with current iteration standards when encrypting and decrypting configuration files #12556
• Added: Support encrypted config.xml files when restoring via ECL #12685
• Added: Notify user if AutoConfigBackup is unable to successfully upload a backup #12724
• Added: Ability to sort AutoConfigBackup entries #12773
• Fixed: PHP error when upgrading from before configuration revision 21.6, ipsec_create_vtimap() is undefined #13097
• Added: Option to restore dashboard widget layout #13125
• Fixed: PHP error restoring DHCP lease data on fresh installation #13157
CARP

• Changed: Reorganize CARP status page #12701
• Fixed: CARP event storm when leaving persistent CARP maintenance mode #12961

Captive Portal

• Fixed: Allowed IP/Hostname “Direction” option is never used #12649
• Fixed: nginx logs an error that the port is already in use when restarting Captive Portal services #12651
• Fixed: Value of net.inet.ip.dummynet.* OIDs in sysctl are ignored #12733
• Fixed: Only TCP traffic is passed outbound through IPFW #12834
• Changed: Transition Captive Portal from IPFW to PF #13100

Certificates

• Added: Option to retain the existing serial number when renewing a CA or certificate #13010

Configuration Backend

• Added: Move command line history to a GUI option stored in config.xml rather than a manual flag file #12675
• Added: Eliminate duplicate shell commands from history file #12741

Configuration Upgrade

• Added: Playback script to perform a configuration upgrade on an arbitrary config.xml file #12973

Console Menu

• Added: Warn the user if they attempt to disable SSH from the menu while connected through SSH #13103

DHCP (IPv4)

• Fixed: Disabling DHCP Server RRD statistics does not work #12710
• Fixed: HTTPClient option not sent when using UEFI HTTP Boot #12892
• Fixed: HTTPClient option does not work for static mappings #12896
• Fixed: DHCP “Ignore denied clients” option with MAC Deny list set causes DHCP server to not start #12923
• Fixed: DHCP network boot filename can be incorrectly placed in DHCP Pool Options #12986
• Added: Relax DHCP maximum lease time input validation #13118
• Fixed: DHCP lease list displays wrong interface name in the “Leases in Use” summary if DHCP settings for a disabled interface remain in the configuration #13127
DHCP (IPv6)

• Fixed: Multiple DHCP6 WAN connections leads to multiple dhcp6c clients #6880
• Fixed: DHCPv6 server does not skip interfaces configured with invalid ranges #12527
• Fixed: RADVD can be started on both HA nodes when configured with an IPv6 link-local address #12582
• Fixed: Uninitialized array in array_remove_duplicates() #12749

DNS Forwarder

• Fixed: DNS Forwarder creates a loop when “Use local DNS, ignore remote DNS servers” is selected #12902
• Fixed: DNS Forwarder custom options may fail after save/restore when options are only separated by newline #13105

DNS Resolver

• Fixed: DNS Resolver does not restart during link up/down events on a static IP address interface #12613
• Added: Automatically create DNS Resolver ACLs for OpenVPN CSO entries #12636
• Fixed: DNS Resolver help text for System Domain Local Zone Type option refers users to unbound.conf(5) man page instead of pfSense docs #12781
• Fixed: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access #12985
• Fixed: DNS Resolver ACLs are not updated when OpenVPN networks change #12991
• Added: DNS Resolver option to keep probing when servers are down #13023

Dashboard

• Fixed: Firewall log widget action icon features stop working when new log entries are added dynamically #6253
• Added: Show Inactive for Hardware Crypto output instead of empty field on System Information dashboard widget when nothing can be accelerated #12714

Diagnostics

• Fixed: diag_pftop.php does not fully encode output #12915

Dynamic DNS

• Fixed: Dynamic DNS custom IPv6 service fails on 6rd tunnels #12590
• Fixed: GleSYS Dynamic DNS responses are not parsed properly #12672
• Added: IPv6 support for DNSimple Dynamic DNS #12744
• Fixed: Input validation prevents configuring wildcard Dynamic DNS records on GoDaddy #12750
• Added: Support wildcard Dynamic DNS records on DigitalOcean #12752
• Fixed: Google Domains Dynamic DNS responses are not parsed properly #12754
• Fixed: Input validation prevents configuring wildcard Dynamic DNS records on Google Domains #12761
• Fixed: Namecheap Dynamic DNS responses are not parsed properly #12816
• Fixed: Clicking Save & Force Update on a Dynamic DNS entry results in a GUI timeout #12870

Gateway Monitoring

• Fixed: Gateway monitoring should mark gateway as “offline” on PPPoE parent interface disconnect #12633
• Added: Option to disable auto-addition of static routes for dpinger #12687
• Changed: Update dpinger to 3.2 #12881

Gateways

• Fixed: fixup_default_gateway() should not remove a default gateway managed by a dynamic routing daemon #11692
• Fixed: IPv6 link local gateway default status not indicated in GUI #11764
• Fixed: IPv6 gateway group using link local addresses incorrectly logs a gateway change because it does not include the interface scope properly #12721
• Added: Retain knowledge of previous dynamic gateway IP address when interface is down #12931

Hardware / Drivers

• Added: Chelsio TOE support using the t4_tom module #9091
• Fixed: Hyper-V RSC support in hn(4) driver is enabled by default and results in very low throughput #12873

High Availability

• Added: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings #12702

IGMP Proxy

• Fixed: IGMP Proxy server is restarted during every rc.newwanip event #12609

IPsec

• Added: Option to choose default tab in IPsec status Dashboard widget #2456
• Fixed: IPsec VTI phase 2 traffic selectors default to address when defined as a network #11226
• Fixed: filterdns does not monitor remote IPsec gateways for IPv6 address changes #12645
• Fixed: Disallow remote gateway of 0.0.0.0 for VTI mode #12723
• Fixed: VTI gateway status stuck as “pending” after reboot #12763
• Changed: Update strongSwan #12934
• Fixed: ESP description in IPsec phase 2 proposal help text is ambiguous #12953
• Fixed: IKEv2 Mobile IPsec clients do not receive INTERNAL_DNS_DOMAIN (value 25) attribute #12975
• Added: GUI option for IPsec dns-interval setting #13057
• Fixed: Delete function for IPsec SAD entries on status_ipsec_sad.php does not work #13071
• Fixed: Mobile IPsec clients cannot be manually disconnected from IPsec status screen #13131

Installer

• Fixed: Support encrypted config.xml files when restoring during install #12691
• Added: Recover existing SSH keys during installation #12809

Interfaces

• Added: Show SFP module details on status_interfaces.php #8861
• Added: Improved support for USB interfaces that may not always be present #9393
• Fixed: PPPoE WAN IP address different than expected when set static by ISP #11629
• Fixed: devd is not configured to act on USB interface attach/detach events #12606
• Changed: Restart services on interface changes #12619
• Fixed: Interface status “Total Interrupts” display is non-functional #12735
• Fixed: L2TP/PPTP interface assignment page loses some values after input validation error #12780
• Fixed: Link-Local IPv6 address on WAN with MAC spoofing changes if there is an IP Alias on WAN #12790
• Fixed: Link-local address does not reset after removing MAC address spoofing #12794
• Fixed: Disabled Captive Portal configuration prevents adding an interface to a bridge #12866
• Fixed: The ruleset is not regenerated after assigning an interface #12949

L2TP

• Fixed: L2TP MPD configuration is not updated when a dynamic WAN IP address changes #13066
• Fixed: L2TP stays bound to previous IP address after static IP address change #13082
• Fixed: Static routes to destinations at L2TP clients are not re-added after a client reconnects #13099
LAGG Interfaces

• Added: GUI option to configure layers for LACP hash #12819

Notifications

• Fixed: Slack notification options only allow `-` as a special character in channel names #13083

OpenVPN

• Fixed: OpenVPN IPv4 Tunnel Network incorrectly allows hostnames #11416
• Fixed: OpenVPN stays bound to previous IP address after interface changes #11864
• Added: OpenVPN option to limit concurrent connections per user #12267
• Fixed: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases #12332
• Added: Use deferred client connections in OpenVPN #12407
• Fixed: OpenVPN re-synchronization also synchronizes override entries unnecessarily in some cases #12628
• Fixed: Automatic filter reload with OpenVPN client gateway uplink happens too soon or not at all #12771
• Fixed: PHP error when terminating OpenVPN sessions via the dashboard widget #12817
• Fixed: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases #12884
• Fixed: GUI does not reject an invalid OpenVPN tap mode configuration with an empty tunnel network and “Bridge DHCP” disabled #12887
• Fixed: FQDN in network alias is omitted from OpenVPN networks list #12925
• Changed: Warn about OpenVPN shared key deprecation #12981
• Fixed: OpenVPN remote_cert_tls option does not behave correctly when enabled and later disabled #13056
• Fixed: Gateway events for IPv6 affect IPv4 OpenVPN instances and vice versa #13061
• Fixed: OpenVPN client tls-client/client configuration directive not handled properly #13116
• Changed: OpenVPN status page improvements #13129
• Fixed: OpenVPN client-connect file contains topology #13133
• Fixed: Per-user route files are not removed from /tmp when they are no longer needed #13145
• Fixed: OpenVPN override IPv4 tunnel network field changing value improperly #13274
Operating System

• Fixed: pf hostid value is handled inconsistently #12703
• Fixed: Some sysctl OIDs in loader.conf.local are silently removed #12862
• Fixed: Output from pfctl -vvsr does not include ridentifier value in the expected location #12868

PPP Interfaces

• Fixed: PPPoE WANs fail to reconnect after parameter negotiation failure #13092

PPPoE Server

• Fixed: PPPoE server panics with multiple client connections #13210

Package System

• Fixed: Packages are not automatically reinstalled when restoring configuration using the installer #12105
• Fixed: Packages with custom internal_name values do not reinstall properly when restoring a backup #12766
• Fixed: write_rcfile() does not create rc_restart() entry #13004

Packet Capture

• Added: Button to clear previous packet capture data #12968

Routing

• Fixed: Setting a default gateway of “None” does not remove the default gateway from the routing table #12536
• Fixed: Cannot remove IPv6 static routes #12728
• Fixed: Explicit PPPoE disconnect of a WAN Gateway Group member may not restore a default route #13048

Rules / NAT

• Added: Toggle button to disable/enable multiple firewall rules #2505
• Added: Port forward NAT rules with “any” protocol #4259
• Added: Allow NPt to use dynamic IPv6 networks #4881
• Added: Button to copy rules from one interface to another #8365
• Fixed: Automatic Outbound NAT mode can create incorrect rules in some cases #11984
• Added: Utilize new pfctl abilities to kill states #12092
• Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319
• Added: Allow the selection of “any” interface in floating rules #12392
• Fixed: Applying firewall rule changes does not clear dirty flag for aliases subsystem #12678
• Fixed: Automatic Outbound NAT rules do not include OpenVPN CSO entries #12792
• Fixed: Error loading ruleset due to illegal TOS value #12803
• Fixed: High latency and packet loss during a filter reload #12827
• Fixed: On startup “No routing address with matching address” might appear #12847
• Fixed: Some action buttons are always active for firewall rules, even if no rules are selected #12871
• Added: Toggle button to disable/enable multiple entries on NAT pages #12879
• Fixed: Delete button is always active for NAT rules, even if no rules are selected #12957
• Fixed: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet #13012
• Fixed: NAT generates duplicate no nat on rules for port forwards with a destination of Any #13015
• Fixed: Input validation requires a gateway for floating match out rules #13027
• Fixed: Empty negate_networks table breaks policy routing rules #13049
• Fixed: The negate_networks table is not updated when an OpenVPN server is deleted #13055
• Added: Allow auto prefix with manual prefix-length in NPt #13070
• Fixed: Info icon on firewall_nat_out.php is incorrectly placed in manual outbound NAT mode #13164
• Fixed: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule #13171
• Fixed: Incorrect usage of DSCP hex value #13178

SNMP
• Fixed: SNMP daemon is restarted during every rc.newwanip event #12611

Services
• Fixed: NTP service is not listed on status_services.php unless config.xml contains NTP configuration data #12775
• Fixed: Stale sshdkeys.dirty lock file prevents generating SSH server keys #13139

Traffic Shaper (ALTQ)
• Changed: Remove code references to unused reset parameter from traffic shaper pages #13042
Traffic Shaper (Limiters)
• Fixed: Incorrect ICMP reply when using limiters #9263
• Fixed: Pie and fq_pie are missing options and do not handle floating point number input correctly #12003
• Fixed: Utilize dnctl(8) to apply limiter changes without a filter reload #12579
• Fixed: Traffic routed through DUMMYNET by PF fails when IPFW is enabled #12954

Traffic Shaper Wizards
• Fixed: Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server #12937
• Fixed: Traffic shaper wizard rewrites Mbits to Kbits #13086

UPnP/NAT-PMP
• Added: uPnP fails to properly give out subsequent reservations when multiple gaming systems are playing the same game/using the same port #7727
• Changed: Reorganize UPnP options #12624

Unknown
• Fixed: Many exec() functions do not use full path to executable files #11941

Upgrade
• Fixed: Upgrade does not work when using only IPv6 DNS servers #13162

User Manager / Privileges
• Fixed: Icon missing for user manager entries with a scope other than “user” #13174

Web Interface
• Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141
• Fixed: Zero-value prefix IPv6 addresses are mishandled #12440
• Added: Option to filter state table contents by rule ID #12616
• Fixed: Changing RAM disk size does not prompt to reboot #12876
• Fixed: Input validation for IPv6 addresses allows invalid address compression in some cases #13069
• Added: Trim whitespace from MAC addresses in user input #13109
Wireless
• Fixed: Wireless interface WPA configuration fields are always visible #12998
• Fixed: Duplicate wireless interfaces are created at boot #12999

XMLRPC
• Fixed: Deleting a user on the primary node does not delete its home directory on secondary node during XMLRPC sync #12940

22.01/2.6.0 New Features and Changes

This is a regularly scheduled release of pfSense® CE and pfSense Plus software including new features, additional hardware support, and bug fixes.

Warning: When upgrading to pfSense Plus 22.01 and later versions, the pfSense-upgrade process will forcefully reinstall all operating system packages and add-on packages to ensure a consistent state and package set. This may increase the time the upgrade will take to download and install.

Security

This release includes corrections for the following vulnerabilities in pfSense software:
• pfSense-SA-22_01.webgui (File overwrite in services_ntpd_gps.php, #12191)
• pfSense-SA-22_02.webgui (Potential vulnerabilities with route collection on diag_routes.php, #12257)
• pfSense-SA-22_03.webgui (Potential vulnerabilities in OpenVPN form validation, #12677)
• pfSense-SA-22_04.webgui (XSS in pkg.php, #12725)

Errata
• There is a patch available to improve NAT behavior for UPnP and multiple game consoles or clients playing the same game, but the fix was discovered too late for it to be included in 22.01/2.6.0. For additional details and instructions on how to apply the patch, see Redmine issue #7727 notes #74 and #75, the GitHub commit, and the forum thread for testing feedback.

General
• This release contains several significant changes to IPsec for stability and performance. Read the IPsec section of this document carefully.

Warning: IPsec VTI interface names have changed in this release. Configurations will be updated automatically where possible to use the new names. Check the interface names of assigned VTI instances under Interfaces > Assignments to ensure they are correct after the upgrade completes.
If any third-party software configurations or other manual changes referenced the old IPsec VTI interface names directly (e.g. ipsecNNNN), they must be updated to the new format.

• ZFS is now the default filesystem for new installations of pfSense Plus and pfSense CE software on all platforms which support booting from ZFS.
  – It is not possible to change from UFS to ZFS in place; a reinstallation of pfSense Plus or CE is required to migrate from UFS to ZFS.
  – The ZFS pool name and datasets have also been updated and optimized. Users who were already using ZFS may want to reinstall as well to ensure they have the most optimal disk layout.
  – pfSense Plus software has a new ZFS dashboard widget to track the status of disks using ZFS.
• Log Compression for rotation of System Logs is now disabled by default for new ZFS installations, as ZFS performs its own compression.

Tip: The best practice is to disable Log Compression for rotation of System Logs manually, not only for existing ZFS installations but also for any system with slower CPUs. This setting can be changed under Status > System Logs on the Settings tab.

• The default password hash format in the User Manager has been changed from bcrypt to SHA-512. New users created in the User Manager will have their password stored as a SHA-512 hash. Existing user passwords will be changed to SHA-512 the next time their password is changed.

Note: User Manager passwords are only stored as a hash, thus existing users cannot be automatically changed to the new format. To convert a user password from an older hash format, change the password for the user in the User Manager.

• The firewall now bootstraps its clock at boot in multiple ways, one of which utilizes multiple NTP servers with static IP addresses from Google Public NTP. This avoids a chicken-and-egg problem where the firewall cannot resolve NTP servers because DNSSEC, which is enabled by default, cannot function when the clock is inaccurate. The firewall performs this sync once per boot before it starts the NTP daemon.

Note: This behavior can easily be changed or disabled. See Changing Clock Bootstrap Behavior.

• Several areas of the documentation have been rewritten and updated for these releases. Notably, the IPsec and OpenVPN sections have been updated significantly, including all of the related configuration recipes.

pfSense Plus

PHP Interpreter
• Fixed: PHP exits with signal 11 on SG-3100 when calling PCRE functions #11466
pfSense CE

Aliases / Tables
• Fixed: Error loading rules when URL Table Ports content is empty #4893
• Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818
• Fixed: Unable to create nested URL aliases #11863
• Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124
• Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177

Authentication
• Changed: Use SHA-512 for user password hashes #10298
• Fixed: Deny SSH access for admin and root users when the admin GUI account is disabled #12346

Backup / Restore
• Fixed: Restoring from AutoConfigBackup presents reboot type selection option then reboots automatically #10662
• Added: Backup and restore SSH host key(s) #11118
• Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909
• Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946
• Added: AutoConfigBackup performance improvements #12193
• Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247
• Changed: Explicitly state where AutoConfigBackup stores encrypted backup data #12296

Build / Release
• Changed: Remove deprecated libzmq code and references #12060

CARP
• Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727
• Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202
• Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227
• Fixed: rc.carpmaster only sends notifications via SMTP #12584
Captive Portal
• Fixed: Vouchers may expire too early when using RAM disks #11894
• Fixed: Incorrect variable substitution in captive portal error page #11902
• Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138
• Fixed: Captive Portal database and ipfw rules are out of sync after unclean shutdown #12355
• Fixed: Captive Portal input validation for “After authentication Redirection URL” and “Blocked MAC address redirect URL” is swapped #12388
• Fixed: Captive Portal online user statistics data is not cleared on unclean shutdown #12455

Certificates
• Fixed: Certificate Revocation tab does not list active users of CRL entries #11831
• Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922
• Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034
• Added: Input validation to prevent unsupported UTF-8 characters from being used in certificate subject components #12035
• Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Console Menu
• Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581
• Changed: Suppress kernel messages when loading dummynet and thermal sensor modules #12454

DHCP (IPv4)
• Added: DHCPv4 client does not support supersede statement for option 54 #7416
• Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659
• Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905
• Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216

DHCP (IPv6)
• Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277
DHCP Relay
• Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

DNS Resolver
• Fixed: Unbound crashes with signal 11 when reloading #11316
• Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274
• Fixed: Unbound falls back to using all outgoing network interfaces if manually selected outgoing interface(s) are unavailable #12460

Dashboard
• Fixed: System Information widget unnecessarily polls data for hidden items #12241
• Fixed: IPsec widget generates errors if no tunnels are defined #12337
• Fixed: IPsec widget treats phase 1 in “connecting” state as connected #12347
• Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349
• Fixed: Thermal Sensors Dashboard widget filter for negative values refers to invalid variable #12470

Diagnostics
• Fixed: State table content on diag_dump_states.php does not sort properly #11852
• Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983
• Fixed: “GoTo line #” function does not work on diag_edit.php #12050
• Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256
• Added: Include firewall rules from packages which failed to load in status output #12269
• Added: Include firewall rules generated from OpenVPN RADIUS ACL entries in status output #12316
• Fixed: ARP table interface column empty for entries on unassigned interfaces #12698

Dynamic DNS
• Added: Option to set interval of forced Dynamic DNS updates #9092
• Added: Support DNS Made Easy authentication without a username #9341
• Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816
• Added: New Dynamic DNS Provider: Strato #11978
• Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007
• Fixed: NoIP.com incorrectly encodes Dynamic DNS update credentials #12021
• Added: New Dynamic DNS Provider: deSEC #12086
• Added: Support Check IP services which return bare IP address values #12194
• Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331
• Added: Dynamic DNS client proxy support #12342
• Fixed: Update Dynamic DNS code for one.com to use their new login process #12352
• Fixed: Dynamic DNS updates do not respect certificate authority trust store #12589
• Fixed: Dynamic DNS client updates using a private IP address when it cannot determine the public IP address #12617
• Fixed: Dynamic DNS may not use the correct interface when updating during failover #12631

FreeBSD
• Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653
• Changed: Upgrade to pkg 1.17.x #12171

Gateways
• Added: Support DNS server gateway selection on system.php for multiple gateways not assigned to interfaces #12116
• Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

Hardware / Drivers
• Added: Support for network interfaces using the qlnxe driver #11750

High Availability
• Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy
• Added: Support 0 CIDR mask for IGMP Proxy networks #7749

IPsec
• Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275
• Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801
• Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447
• Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552
• Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891
• Fixed: IPsec status tunnel descriptions are incorrect #11910
• Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933
• Fixed: IPsec status fails when many tunnels are connected #11951
• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967
• Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023
• Fixed: Applying IPsec settings for many tunnels is slow or times out #12026
• Fixed: Gateway alarm always triggers IPsec restart #12039
• Changed: Improve IPsec identifier settings #12044
• Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052
• Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155
• Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169
• Added: Add connect/disconnect buttons to IPsec dashboard widget #12181
• Added: GUI options to configure IKE retransmission behavior #12184
• Fixed: IPsec status shows connect buttons while tunnel is connecting #12189
• Fixed: IPsec writes CRL files when tunnel does not use certificates #12195
• Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196
• Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197
• Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198
• Fixed: Disabled IPsec VTI interfaces are always created #12212
• Fixed: IPsec bypass rules display help text under each entry #12236
• Fixed: IPsec phase 1 entry with 0.0.0.0 as its remote gateway does not receive correct automatic firewall rules #12262
• Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289
• Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298
• Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315
• Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323
• Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324
• Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328
• Fixed: Incorrect label for IPsec DH group 32 #12350
• Added: Distinguish between policy-based and route-based entries on IPsec status SPD tab #12397
• Fixed: Console boot output includes Configuring IPsec VTI interfaces when no VTI interfaces are configured #12419
• Changed: Add IPsec phase 2 BINAT subnet size input validation #12430
• Fixed: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group #12566
• Fixed: IPsec Mobile Client RADIUS Advanced parameters are not reset to default values when disabled #12575
IPv6 Router Advertisements (RADVD)
• Fixed: radvd only responds to the first Router Solicitation received after each multicast Router Advertisement #10304
• Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159
• Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173
• Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280
• Fixed: “Default preferred lifetime” field for IPv6 RA does not have input validation #12439
• Fixed: IPv6 interface prefix change not reflected in RADVD configuration #12604
• Fixed: Router Advertisement DNS search domain from one interface may unintentionally be used by other interfaces #12626

Installer
• Added: Restore RRD and extra data from configuration backups when restoring during installation #12518
• Fixed: Minnowboard Turbo cannot boot a clean install #12707

Interfaces
• Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507
• Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337
• Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662
• Fixed: VLAN and QinQ edit pages allow selecting incompatible OpenVPN tun interfaces #11675
• Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926
• Added: VLAN list sorting #11968
• Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002
• Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049
• Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170
• Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252
• Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253
• Fixed: Remove subnet overlap check on LAN interfaces when using 6rd #12371
• Fixed: “6RD Prefix” field does not have input validation #12435
• Fixed: Trying to delete an assigned PPPoE interface fails without printing an error message #12514
L2TP
• Fixed: Kernel panic during L2TP retransmit #9058
• Fixed: FQDN L2TP server address is only resolved at boot #12072

Logging
• Fixed: Logging configuration added by a package is not removed on uninstall #11846
• Fixed: Remote log server input validation allows invalid values #12000
• Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011
• Changed: Improve log settings help text for file size, compression, and retention count #12012
• Added: Create a log entry when a configuration change occurs #12118
• Fixed: Rotation settings for individual log files do not take effect after saving #12366

NTPD
• Added: Poll Interval For GPS and PPS #9439
• Added: Support for NTP Peer mode #11496
• Fixed: File overwrite in services_ntpd_gps.php via gpsport parameter #12191
• Added: Support SHA-256 hash NTP authentication #12213
• Fixed: ZFS installations without an RTC battery boot with clock at BIOS/EFI default value because they do not receive initial clock value from filesystem data #12769

Notifications
• Added: Option to suppress expiration notifications for revoked certificates #12109
• Added: Support for Slack notifications #12291
• Added: Send notification for halt, reboot, and reroot events #12441
• Fixed: rc.notify_message only sends notifications via SMTP #12585

OpenVPN
• Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668
• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
• Fixed: OpenVPN client certificate validation with OCSP always fails #11829
• Added: Option to validate OpenVPN peer TLS certificate key usage #11865
• Added: Log external IP address of OpenVPN clients on connect and disconnect #11935
• Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938
• Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999
• Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020
• Fixed: Incorrect OpenVPN Client Export help link #12022
• Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076
• Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102
• Fixed: OpenVPN Wizard configuration missing recently added default values #12172
• Fixed: OpenVPN does not clean up previous CA and CRL files #12192
• Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218
• Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219
• Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223
• Fixed: OpenVPN page allows deleting/disabling an instance with an assigned interface #12224
• Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232
• Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238
• Added: Pop-up window to view firewall rules generated from RADIUS ACL entries on the OpenVPN status page #12321
• Added: Support OpenVPN client-kill to terminate remote clients instead of clearing their session #12416
• Fixed: Set OpenVPN Gateway Creation value to “Both” by default for new instances #12448
• Fixed: OpenVPN form validation issues #12677

Operating System
• Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985
• Fixed: Update NGINX to address CVE-2021-23017 #12061
• Added: Suppress kernel messages for lo0 configuration during boot #12094
• Changed: Convert RAM disks to tmpfs #12145
• Changed: Improve uses of grep which utilize user-supplied patterns #12265
• Fixed: Update mpd5 to address vulnerabilities in < 5.9_2 #12373
• Fixed: Update python to address vulnerabilities < 3.8.12 #12374
• Fixed: Multiple cURL Vulnerabilities #12434
• Changed: Add note in log settings that disabling logging also disables sshguard login protection #12511
• Fixed: Kernel panic in nd6_dad_timer() #12548
PHP Interpreter
• Fixed: diag_dump_states.php no longer filters by rule ID #12605

PPP Interfaces
• Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

PPPoE Server
• Added: Option to select PPPoE Server authentication protocol #12438

Package System
• Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290
• Added: Add librdkafka package to the pfSense package repository #12290
• Fixed: PHP error on pkg_mgr_install.php when multiple instances are running #12713
• Fixed: Potential XSS in pkg.php via pkg_filter #12725

RRD Graphs
• Added: Graph for hardware temperature readings #9297

Routing
• Fixed: Static routes using aliases are not automatically updated when alias content changes #7547
• Fixed: Input validation does not prevent removing a gateway used by a DNS server #8390
• Fixed: Kernel route table entries are removed if they match disabled static route entries #10706
• Fixed: Modifying static routes results in a logged error, changes are not reflected in routing table #11599
• Added: Require user to manually apply changes after altering static route entries #11895
• Fixed: Route data collection method on diag_routes.php has multiple issues #12257

Rules / NAT
• Added: IPv6 support in easyrule CLI script #11439
• Fixed: NAT rule overlap detection is inconsistent #11734
• Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923
• Fixed: easyrule script does not function properly #12151
• Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164
• Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168
• Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174
• Fixed: VIP network addresses are not expanded on Port Forward rules #12233
• Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272
• Added: Display default “Reflection Timeout” value on system_advanced_firewall.php #12318
• Fixed: NAT rule overlap detection does not check special networks #12361
• Fixed: Input validation prevents creating 1:1 NAT rules on OpenVPN #12408
• Fixed: 1:1 NAT edit page lists incorrect entries in the Destination field #12410
• Added: Icon for traffic direction on floating rules tab #12433
• Fixed: Port forward rules are not created for special networks (pppoe, openvpn) #12452
• Fixed: Automatic outbound NAT for reflection does not support IPv6 #12500
• Fixed: Interface group name starting with a digit creates invalid XML for rule separators #12529
• Added: Change Gateway/Group name in firewall rule list to clickable link to edit page for the entry #12555
• Fixed: Automatic rule tracker IDs incorrect after multiple filter reloads #12588
• Fixed: PHP error when clicking Delete on Outbound NAT with no rules selected #12694

SNMP
• Added: IPv6 support for base system SNMP service #12325

Services
• Fixed: System attempts to stop inactive services at shutdown #12001
• Fixed: System attempts to start inactive services at boot #12038

Traffic Shaper (ALTQ)
• Added: IPv6 support in the Traffic Shaper Wizard #4769
• Fixed: Panic when using CBQ traffic shaping #11470
• Added: Allow Chelsio T6 CXGBE (cc) drivers to be used for ALTQ traffic shaping #12499
• Changed: Traffic shaper wizard default bandwidth type should be Mbit/s #12501

Traffic Shaper (Limiters)
• Fixed: Unable to delete limiter referenced in filter rules #12503
• Fixed: Kernel panic when using fq_pie limiter scheduler #12622
UPnP/NAT-PMP
• Added: UPnP/NAT-PMP STUN configuration options #10587

Upgrade
• Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

User Manager / Privileges
• Added: Copy button for group entries in the User Manager #12226

Virtual IP Addresses
• Fixed: Validation when deleting a VIP does not check if the VIP is used by IPsec phase 1 entries #12356
• Fixed: Validation when deleting a VIP does not prevent deleting a CARP VIP used as a parent for an IP Alias VIP #12362

Wake on LAN
• Added: Wake on LAN button to wake all devices #12480

Web Interface
• Changed: Update font formats to WOFF2 #11507
• Fixed: DHCP Leases page and ARP table page fail to load if DNS is not available #11512
• Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107
• Changed: Convert help shortcut links to server-side redirects #12314
• Fixed: Help text for RAM disk settings does not mention Captive Portal data #12389
• Fixed: Input validation error can unintentionally result in removal of PPP type interface settings #12498

Wireless
• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453
• Fixed: Interfaces page does not show Wireless EAP client options #12239
XMLRPC
• Fixed: XMLRPC sync results in an error when a failover peer IP address is specified in DHCP server settings for an unconfigured interface #10955
• Added: XMLRPC synchronization for DHCP relay settings #11957
• Changed: XMLRPC client improvements #12051
• Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075

21.05.2 New Features and Changes

This is a maintenance release of pfSense® Plus software.

pfSense Plus software version 21.05.2 corrects an issue with the pre-installed Netgate Firmware Upgrade package on Netgate 6100 hardware devices. In certain circumstances the pre-installed Netgate Firmware Upgrade package could have incorrectly offered to downgrade the firmware when the hardware shipped from the factory with a newer firmware version than the copy contained within the 21.05.1 installation image.

The pfSense Plus software version number was increased for all models of Netgate hardware for consistency, but there are no functional changes for other hardware platforms. Upgrading a device in the field to 21.05.2 is not necessary at this time, but users may do so if they wish.

3.2.2 pfSense CE Software

2.5.2 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

Known Issues / Errata
• Dynamic DNS incorrectly encodes NoIP update credentials #12021

Security

This release includes corrections for the following vulnerabilities in pfSense® software:
• pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)

General
• Added: WireGuard experimental add-on package
pfSense CE

Aliases / Tables
• Added: PHP shell playback script to modify Alias contents #11380

Authentication
• Added: Copy button for Authentication Server entries #11390

Backup / Restore
• Added: Randomize time of scheduled AutoConfigBackup runs #10811
• Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748
• Fixed: AutoConfigBackup schedule custom hour value lost on page load #11946

Captive Portal
• Added: Redirect Captive Portal users to login page after they logout #11264
• Fixed: Captive Portal post-auth redirect is not properly respected #11842
• Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843

Certificates
• Fixed: Certificate Manager does not report Unbound as using a certificate #11678
• Fixed: PHP error on certificate list due to unreadable private key #11859
• Fixed: Export P12 icon is missing if certificate is not locally renewable #11884

Configuration Upgrade
• Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801

Console Menu
• Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914
DHCP (IPv6)
• Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set #11883

DNS Forwarder
• Fixed: Disable DNSSEC option for dnsmasq #11781
• Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866

DNS Resolver
• Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456
• Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
• Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915

Dashboard
• Fixed: Thermal sensors widget no longer shows values from certain hardware #11787
• Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
• Fixed: Editing widgets on Dashboard causes a PHP Warning #11939

Diagnostics
• Fixed: ARP Table populates hostname values using expired DHCP lease data #11510
• Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
• Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
• Fixed: MAC address OEM information missing from ARP table #11819
• Fixed: State table content on diag_dump_states.php does not sort properly #11852

Dynamic DNS
• Added: New Dynamic DNS Provider: Mythic-Beasts #7842
• Added: New Dynamic DNS Provider: one.com #11293
• Added: New Dynamic DNS Provider: Yandex PDD #11294
• Added: New Dynamic DNS Provider: NIC.RU #11358
• Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
• Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
• Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
• Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815
• Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840

Gateways
• Added: Input validation to prevent setting a load balancing gateway group as default #11164

Hardware / Drivers
• Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
• Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524

High Availability
• Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy
• Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904

IPsec
• Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
• Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395
• Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
• Fixed: strongSwan configuration always contains user EAP/PSK values #11564
• Added: IPsec GUI option to control Child SA start_action #11576
• Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
• Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
• Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
• Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
• Fixed: ipsec_vti() does not skip disabled VTI entries #11832
• Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912
• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967
IPv6 Router Advertisements (RADVD)
• Added: Use virtual link local IP address as RA source address for HA environments #11103
• Added: Shortcut buttons for service control and logs on RADVD configuration #11911
• Fixed: RADVD breaks on SIGHUP #11913

Interfaces
• Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
• Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
• Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
• Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698
• Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855
• Added: VLAN list sorting #11968

L2TP
• Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
• Added: GUI option to set MTU for L2TP VPN server #11406

NTPD
• Fixed: NTP widget displays incorrect status #11495
• Fixed: NTP authentication input validation rejects valid keys #11850

Notifications
• Fixed: Invalid HTML encoding in modal Notices window #11765

OpenVPN
• Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
• Fixed: OpenVPN Wizard does not support gateway groups #11141
• Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521
• Added: Support for Cisco AVPair {clientipv6} template in firewall rules returned by RADIUS #11596
• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
• Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699
• Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
• Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
• Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830
• Changed: Update OpenVPN to 2.5.2 #11844
• Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869

Operating System
• Added: Kernel modules for alternate congestion control algorithms #7092
• Added: Kernel module for RTL8153 driver #11125
• Added: Xen console support #11402
• Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867

Routing
• Fixed: IPv4 link-local (169.254.x.x) gateway does not function #11806

Rules / NAT
• Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
• Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
• Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
• Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762
• Fixed: Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only) #11805
• Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861
• Fixed: NAT 1:1 fails to validate aliases #11923

Traffic Shaper (ALTQ)
• Fixed: Harmless error when enabling traffic shaper #11229
• Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550

Traffic Shaper (Limiters)
• Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
• Fixed: Error when setting queue limit on CODELQ limiter #11725
Upgrade
• Fixed: Language presented to user during upgrade is misleading #11897

Web Interface
• Added: Replace HTTP links with HTTPS in the GUI #11228
• Fixed: Ambiguous text in help and input validation error for system domain name #11658
• Fixed: PHP error if PHP_error.log file is too large #11685
• Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702
• Fixed: HTTP Referer error message text is incorrect #11873
• Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880
• Fixed: Update NGINX to address CVE-2021-23017 #12061

WireGuard
• Fixed: Ignore WireGuard configurations under <installedpackages></installedpackages> #11808

Wireless
• Added: GUI options for WPA Enterprise with identity/password #2400
• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

XMLRPC
• Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082
• Fixed: XMLRPC Client does not honor its default timeout value #11718

3.3 Older/Unsupported Releases

3.3.1 pfSense Plus Software

21.05.1 New Features and Changes

This is a maintenance release including bug fixes for issues affecting pfSense® Plus software version 21.05.
Security

This release includes corrections for the following vulnerabilities in pfSense software:
• Additional corrections for pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)

General

pfSense Plus

FreeBSD
• Fixed: 32-bit ARM performance regression #12200

Operating System
• Changed: Native hardware package builds for 32-bit ARM #12201

PHP Interpreter
• Changed: Disable PCRE JIT to work around PHP PCRE crashes on multi-core 32-bit ARM systems #12004

Routing
• Fixed: Static routes may not be in routing table when expected #11986

21.05 New Features and Changes

This is a regularly scheduled software release of pfSense® Plus software including new features, additional hardware support, and bug fixes.

Security

This release includes corrections for the following vulnerabilities in pfSense software:
• pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)

General
• Added: WireGuard experimental add-on package
• Added: OpenVPN client import add-on package
• Fixed: ix(4) driver fails to attach if a broken or unsupported SFP module (e.g. incompatible media type) is present at boot time [NG 1586]
• Fixed: IP Address ranges do not work in aliases on 32-bit ARM [NG 5445]
pfSense Plus

Aliases / Tables
• Added: PHP shell playback script to modify Alias contents #11380

Authentication
• Added: Copy button for Authentication Server entries #11390

Backup / Restore
• Added: Randomize time of scheduled AutoConfigBackup runs #10811
• Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748

Captive Portal
• Added: Redirect Captive Portal users to login page after they logout #11264
• Fixed: Captive Portal post-auth redirect is not properly respected #11842
• Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843

Certificates
• Fixed: Certificate Manager does not report Unbound as using a certificate #11678
• Fixed: PHP error on certificate list due to unreadable private key #11859
• Fixed: Export P12 icon is missing if certificate is not locally renewable #11884

Configuration Upgrade
• Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801

Console Menu
• Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914
DHCP (IPv6)
• Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set #11883

DNS Forwarder
• Fixed: Disable DNSSEC option for dnsmasq #11781
• Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866

DNS Resolver
• Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456
• Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
• Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915

Dashboard
• Fixed: Thermal sensors widget no longer shows values from certain hardware #11787
• Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
• Fixed: Editing widgets on Dashboard causes a PHP Warning #11939

Diagnostics
• Fixed: ARP Table populates hostname values using expired DHCP lease data #11510
• Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
• Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
• Fixed: MAC address OEM information missing from ARP table #11819

Dynamic DNS
• Added: New Dynamic DNS Provider: Mythic-Beasts #7842
• Added: New Dynamic DNS Provider: one.com #11293
• Added: New Dynamic DNS Provider: Yandex PDD #11294
• Added: New Dynamic DNS Provider: NIC.RU #11358
• Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
• Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
• Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
• Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815
• Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840
Gateways
• Added: Input validation to prevent setting a load balancing gateway group as default #11164

Hardware / Drivers
• Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
• Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524

IGMP Proxy
• Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904

IPsec
• Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
• Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395
• Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
• Fixed: strongSwan configuration always contains user EAP/PSK values #11564
• Added: IPsec GUI option to control Child SA start_action #11576
• Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
• Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
• Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
• Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
• Fixed: ipsec_vti() does not skip disabled VTI entries #11832
• Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912

IPv6 Router Advertisements (RADVD)
• Added: Use virtual link local IP address as RA source address for HA environments #11103
• Added: Shortcut buttons for service control and logs on RADVD configuration #11911
• Fixed: RADVD breaks on SIGHUP #11913
Interfaces
• Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
• Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
• Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
• Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698
• Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855

L2TP
• Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
• Added: GUI option to set MTU for L2TP VPN server #11406

NTPD
• Fixed: NTP widget displays incorrect status #11495
• Fixed: NTP authentication input validation rejects valid keys #11850

Notifications
• Fixed: Invalid HTML encoding in modal Notices window #11765

OpenVPN
• Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
• Fixed: OpenVPN Wizard does not support gateway groups #11141
• Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521
• Added: Support for Cisco AVPair {clientipv6} template in firewall rules returned by RADIUS #11596
• Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699
• Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
• Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
• Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830
• Changed: Update OpenVPN to 2.5.2 #11844
• Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869
Operating System
• Added: Kernel modules for alternate congestion control algorithms #7092
• Added: Kernel module for RTL8153 driver #11125
• Added: Xen console support #11402
• Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867

Routing
• Fixed: Static route targets may still be reachable via default route when the gateway they should route through is down #11296
• Fixed: IPv4 link-local (169.254.x.x) gateway does not function #11806

Rules / NAT
• Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
• Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
• Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
• Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762
• Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861

Traffic Shaper (ALTQ)
• Fixed: Harmless error when enabling traffic shaper #11229
• Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550

Traffic Shaper (Limiters)
• Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
• Fixed: Error when setting queue limit on CODELQ limiter #11725

Upgrade
• Fixed: Language presented to user during upgrade is misleading #11897
Web Interface
• Added: Replace HTTP links with HTTPS in the GUI #11228
• Fixed: Ambiguous text in help and input validation error for system domain name #11658
• Fixed: PHP error if PHP_error.log file is too large #11685
• Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702
• Fixed: HTTP Referer error message text is incorrect #11873
• Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880

WireGuard
• Fixed: Ignore WireGuard configurations under <installedpackages></installedpackages> #11808

Wireless
• Added: GUI options for WPA Enterprise with identity/password #2400

XMLRPC
• Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082
• Fixed: XMLRPC Client does not honor its default timeout value #11718

21.02.2/2.5.1 New Features and Changes

pfSense® Plus software version 21.02.2 and pfSense CE software version 2.5.1 are maintenance releases to address recently identified issues.

Warning: WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD. If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note: The WireGuard package is still under active development. Follow the development progress on the developer's YouTube channel.
Tip: To remove WireGuard tunnels, navigate to VPN > WireGuard and click the delete button for each tunnel. When the page displays No WireGuard tunnels have been configured., the upgrade can proceed.

Note: This pfSense Plus software version contains all of the items noted below for pfSense CE as well.

Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Known Issues / Errata
• There is an issue in this release with port forwarding on pfSense CE software installations with multiple WANs, see #11805 for details.
• There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.
• There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005.
• The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, use ONE of the following workarounds:
  – Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then Save.
  – Instead of disabling the policy check, create route maps which match and allow expected incoming and outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.
  – Manually create a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a placeholder for later migration to more secure route map filtering.

Security

This release includes corrections for the following vulnerabilities in pfSense software:
• pfSense-SA-21_01.webgui (XSS in Wake on LAN, #11616)
General

pfSense Plus

Certificates
• Fixed: CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM #11504

Interfaces
• Added: Interface Status page information for switch uplinks may be replaced by switch port data when media state monitoring is set #10804

Rules / NAT
• Fixed: State matching problem with responses to packets arriving on non-default WANs #11436

Upgrade
• Fixed: LEDs do not indicate available upgrade status #11689

pfSense CE

Aliases / Tables
• Fixed: Alias name change is not reflected in firewall rules #11568

Authentication
• Fixed: Unreachable LDAP server for SSH auth causes boot process to stop at 'Synchronizing user settings' and no user can login over SSH #11644

Certificates
• Fixed: Invalid certificate data can cause a PHP error #11489
• Fixed: Renewing a self-signed CA or certificate does not update the serial number #11514
• Fixed: Unable to renew a certificate without a SAN #11652
• Fixed: Certificates with escaped x509 characters display the escaped version when renewing #11654
• Fixed: Creating a certificate while creating a user does not fully configure the certificate properly #11705
• Fixed: Renewing a certificate without a type value assumes a server certificate #11706
DNS Resolver
• Fixed: DNS Resolver does not add a local-zone type for ip6.arpa domain override #11403
• Fixed: DNS Resolver does not bind to an interface when it recovers from a down state #11547

Dashboard
• Fixed: CPU details are incorrect in the System Information widget after resetting log files #11428
• Fixed: Disabling 'State Table Size' in the System Information widget prevents other data from being displayed #11443

Gateway Monitoring
• Fixed: Automatic default gateway mode does not select expected entries #11729

Gateways
• Fixed: Gateways with "Use non-local gateway" set are not added to routing table #11433

IPsec
• Fixed: IPsec status incorrect for entries using expanded IKE connection numbers #11435
• Fixed: Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in swanctl.conf secrets #11442
• Fixed: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses #11446
• Fixed: Broken help link on IPsec Advanced Settings tab #11474
• Fixed: Connect and disconnect buttons on the IPsec status page do not work for all tunnels #11486
• Fixed: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in swanctl.conf #11487
• Fixed: IPsec tunnel definitions have pools = entry in swanctl.conf with no value #11488
• Fixed: Mobile IPsec broken when using strict certificate revocation list checking #11526
• Fixed: IPsec VTI tunnel between IPv6 peers may not configure correctly #11537
• Fixed: IPsec peer ID of "Any" does not generate a proper remote definition or related secrets #11555
• Fixed: IPsec tunnel does not function when configured on a 6RD interface #11643
IPv6 Router Advertisements (RADVD)
• Fixed: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 #11105

Installer
• Fixed: Installer does not add required module to loader.conf when using ZFS #11483

Interfaces
• Fixed: IPv4 MSS value is incorrectly applied to IPv6 packets #11409
• Fixed: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information #11454
• Fixed: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance #11602
• Fixed: DHCP6 interfaces are reconfigured multiple times at boot when more than one interface is set to Track #11633

Logging
• Fixed: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files #11639

Notifications
• Fixed: Telegram and Pushover notification API calls do not respect proxy configuration #11476

OpenVPN
• Fixed: OpenVPN authentication and certificate validation fail due to size of data passed through fcgicli #4521
• Added: Display negotiated data encryption algorithm in OpenVPN connection status #7077
• Fixed: OpenVPN does not start with several authentication sources selected #11104
• Fixed: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS #11382
• Fixed: Incorrect order of route-nopull option in OpenVPN client-specific override configuration #11448
• Fixed: OpenVPN using the wrong OpenSSL command to list digest algorithms #11500
• Fixed: Selected Data Encryption Algorithms list items reset when an input validation error occurs #11554
• Fixed: OpenVPN does not start with a long list of Data Encryption Algorithms #11559
• Fixed: ACLs generated from RADIUS reply attributes do not parse {clientip} macro #11561
• Fixed: ACLs generated from RADIUS reply attributes have incorrect syntax #11569
• Fixed: OpenVPN binds to all interfaces when configured on a 6RD interface #11674
Operating System
• Fixed: Unexpected Operator error on console at boot with ZFS and RAM Disks #11617
• Changed: Upgrade OpenSSL to 1.1.1k #11755

Routing
• Fixed: Disabled static route entries trigger 'route delete' error at boot #3709
• Fixed: Route tables with many entries can lead to PHP errors and timeouts when looking up routes #11475
• Fixed: Error when removing automatic DNS server route #11578
• Fixed: IPv6 routes with a prefix length of 128 result in an invalid route table entry #11594
• Fixed: Error when deleting IPv6 link-local routes #11713

Rules / NAT
• Fixed: Saved state timeout values not loaded into GUI fields on system_advanced_firewall.php #11565
• Fixed: Firewall rule schedule cannot be changed #11747

Upgrade
• Fixed: pfSense Proxy Authentication not working #11383

Wake on LAN
• Fixed: Potential stored XSS vulnerability in services_wol.php #11616

Web Interface
• Fixed: Requests to ews.netgate.com do not honor proxy configuration #11464

XMLRPC
• Fixed: XMLRPC error with Captive Portal and CARP failover when GUI is on non-standard port #11425
• Fixed: Incorrect DHCP failover IP address configured on peer after XMLRPC sync #11519
• Fixed: PHP error in logs from XMLRPC if no sections are selected to sync #11638
21.02/21.02-p1/2.5.0 New Features and Changes

pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0 include a major OS version upgrade, a kernel WireGuard implementation, OpenSSL upgrades, VPN and related security improvements, plus numerous other bug fixes and new features.

Warning: The original plan was to include a RESTCONF API in pfSense® Plus software version 21.02 and pfSense software version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent cryptographic accelerator support. Plans have since changed, and these versions do not contain the planned RESTCONF API, thus pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0 DO NOT require AES-NI.

Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

pfSense Plus

Version 21.02 is the first release of pfSense Plus software, formerly known as Factory Edition. For more details about the distinctions between pfSense Plus and pfSense CE, read the pfSense Plus Announcement.

Customers running the Factory Edition of pfSense software version 2.4.5-p1 and older can upgrade in-place automatically to pfSense Plus software version 21.02 as with any other previous upgrade.

In this version, the changes in pfSense Plus software and pfSense CE software are roughly the same, with a few notable exceptions which are only available in pfSense Plus software:
• Support for Intel® QuickAssist Technology, also known as QAT.
  – QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
  – Supported hardware includes many Intel-based systems sold by Netgate (e.g. XG-7100, SG-5100) and add-on cards.
  – From the FreeBSD man page:
    * The qat driver supports the QAT devices integrated with Atom C2000 and C3000 and Xeon C620 and D-1500 chipsets, and the Intel QAT Adapter 8950.
    * It can accelerate AES in CBC, CTR, XTS (except for the C2000) and GCM modes, and can perform authenticated encryption combining the CBC, CTR and XTS modes with SHA1-HMAC and SHA2-HMAC. The qat driver can also compute SHA1 and SHA2 digests.
• Improved SafeXcel cryptographic accelerator support for SG-2100 and SG-1100 which can improve IPsec performance.
  – From the FreeBSD man page:
    * The driver can accelerate the following AES modes: AES-CBC, AES-CTR, AES-XTS, AES-GCM, AES-CCM
    * The driver also implements SHA1 and SHA2 transforms, and can combine AES-CBC and AES-CTR with SHA1-HMAC and SHA2-HMAC for encrypt-then-authenticate operations.
• Updated IPsec profile export
  – Exports Apple profiles compatible with current iOS and macOS versions
  – New export function for Windows clients to configure tunnels using PowerShell
Version 21.02-p1
pfSense Plus software version 21.02-p1 is a special patch release to address a kernel problem affecting the SG-3100 which caused system instability (#11444). No additional fixes are present in the 21.02-p1 release. See the detailed bug analysis blog post for more details.
Operating System / Architecture changes
• Base OS upgraded to FreeBSD 12.2-STABLE
• OpenSSL upgraded to 1.1.1i-freebsd
• PHP upgraded to 7.4 #9365 #10659
• Python upgraded to 3.7 #9360
Known Issues / Errata
• Deprecated the built-in relayd Load Balancer #9386
  – relayd does not function with OpenSSL 1.1.x
  – The relayd FreeBSD port has been changed to require libressl
  – There is no apparent sign of work to make it compatible with OpenSSL 1.1.x
  – The HAProxy package may be used in its place; it is a much more robust and more feature-complete load balancer and reverse proxy
  – For more information on implementing HAProxy, see HAProxy package and the Hangout
• There is an issue in this release with port forwarding on pfSense Plus software installations with multiple WANs, which has been resolved in the 21.02.2 patch release, see #11436 for details.
• There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.
• There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005
• The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, use ONE of the following workarounds:
  – Navigate to Services > FRR BGP on the Advanced tab and check Disable eBGP Require Policy, then Save.
  – Instead of disabling the policy check, create route maps which match and allow expected incoming and outgoing routes explicitly. This is the most secure method. See Peer Filtering and BGP Example Configuration for more information.
  – Manually create a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. This can be used as a placeholder for later migration to more secure route map filtering.
Warning: See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense software version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.
Aliases/Tables
• Fixed aliases to allow IPv6 prefix entries which end in IPv4 addresses (e.g. x:x:x:x:x:x:d.d.d.d from RFC 4291 section 2.2.2) #10694
• Fixed a PHP error processing aliases when the configuration contains no aliases section #9936
• Fixed URL-based Alias only storing last-most entry in the configuration #9074
• Fixed an issue with PF tables remaining active after they had been deleted #9790
• Added Internationalized domain names support for aliases #7255
• Added the ability to copy an existing alias when creating a new entry #6908
• Fixed handling of URL-based aliases containing multiple URLs #11256
Authentication
• Added RADIUS authentication for SSH users #10545
• Added LDAP authentication for SSH users #8698
• Added option to control behavior of unauthenticated LDAP binds #9909
• Converted LDAP TLS setup from environment variables to LDAP_OPT_X_TLS_* options #9417
• Set RADIUS NAS Identifier to include webConfigurator and the firewall hostname when logging in the GUI #9209
• Added LDAP extended query for groups in RFC2307 containers #9527
• Fixed errors when using RADIUS for GUI authentication while the WAN is down #11109
Backup/Restore
• Changed crypt_data() to use stronger key derivation #9421
• Updated crypt_data() syntax for OpenSSL 1.1.x #9420 #10178
• Disabled AutoConfigBackup manual backups when AutoConfigBackup is disabled #9785
• Improved error handling when attempting to restore encrypted and otherwise invalid configurations which result in errors (e.g. wrong encryption passphrase, malformed XML) #10179
• Added option to include the DHCP v4/v6 leases database in config.xml backups #10910
• Added option to include the Captive Portal database in config.xml backups #10868
• Added option to include the Captive Portal used MACs database in config.xml backups #10856
• Added option to prevent all extra data from being added to config.xml backups #10914
• Added password confirmation when encrypting a config.xml backup #10301
• Added support for GPT partitioned drives to the External Configuration Locator #9097
• Added support for Limiters to the Traffic Shaper backup and restore area option #4763
• Added option to backup Dynamic DNS area #3559
• Fixed restoration of active voucher data from backup #3128
Captive Portal
• Improved XMLRPC sync of Captive Portal database information #97
• Changed Captive Portal vouchers to use phpseclib so it can generate keys natively in PHP, and to work around OpenSSL deprecating key sizes needed for vouchers #9443
• Added trim() to the submitted username, so that spaces before/after in input do not cause authentication errors #9274
• Optimized Captive Portal authentication attempts when using multiple authentication servers #9255
• Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the server #9208
• Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal settings #8616
• Added an option so that Captive Portals may choose to remove or retain logins across reboot #5644
• Fixed deletion of related files when removing a Captive Portal zone #10891
• Fixed XMLRPC sync of Captive Portal used MACs database #10857
• Added validation of Captive Portal zone names to prevent using reserved words #10798
• Added support for IDN hostnames to Captive Portal Allowed Hostnames tab #10747
• Improved Captive Portal Allowed Hostnames so it supports multiple DNS records in responses #10724
• Fixed retention of automatic pass-through MAC entries when using Captive Portal Vouchers #9933
• Fixed Captive Portal Bandwidth per-user bandwidth limit values being applied when disabled #9437 #9311
• Changed handling of voucher logins with Concurrent Login option so that new logins are prevented rather than removing old sessions #9432 #2146
• Changed XMLRPC behavior to not remove zones from secondary node when disabling Captive Portal #9303
• Fixed XMLRPC sync failing to propagate voucher roll option changes to the secondary node #8809
• Fixed XMLRPC sync failing to create Captive Portal voucher files on secondary node #8807
• Fixed Captive Portal + Bridge interface validation #6528
• Added support for masking of Captive Portal pass-thru MACs #2424
• Added support for pre-filling voucher codes via URL parameters, so they can be used via QR code #1984
Certificates
• Fixed OCSP stapling detection for OpenSSL 1.1.x #9408
• Fixed GUI detection of revoked status for certificates issued and revoked by an intermediate CA #9924
• Removed PKCS#12 export links for entries which cannot be exported in that format (e.g. no private key) #10284
• Added an option to globally trust local CA manager entries #4068
• Added support for randomized certificate serial numbers when creating or signing certificates with local internal CAs #9883
• Added validation for CA/CRL serial numbers #9883 #9869
• Added support for importing ECDSA keys in certificates and when completing signing requests #9745
• Added support for creating and signing certificates using ECDSA keys #9843 #10658
• Added detailed certificate information block to the CA list, using code shared with the Certificate list #9856
• Added Certificate Lifetime to certificate information block #7332
• Added CA validity checks when attempting to pre-fill certificate fields from a CA #3956
• Added a daily certificate expiration check and notice, with settings to control its behavior and notifications (Default: 27 days) #7332
• Added functionality to import certificates without private keys (e.g. PKCS#11) #9834
• Added functionality to upload a PKCS#12 file to import a certificate #8645
• Added CA/Certificate renewal functionality #9842
  – This allows a CA or certificate to be renewed using its current settings (or a more secure profile), replacing the entry with a fresh one, and optionally retaining the existing key.
• Added an “Edit” screen for Certificate entries
  – This view allows editing the Certificate Descriptive name field #7861
  – This view also adds a (not stored) password field and buttons for exporting encrypted private keys and PKCS#12 archives #1192
• Improved default GUI certificate strength and handling of weak values #9825
  – Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825
  – Added notes on CA/Cert pages about using potentially insecure parameter choices
  – Added visible warnings on CA/Cert pages if parameters are known to be insecure or not recommended
• Revamped CRL management to be easier to use and more capable
  – Added the ability to revoke certificates by serial number #9869
  – Added the ability to revoke multiple entries at a time #3258
  – Decluttered the main CRL list screen
  – Moved to a single CRL create control at the bottom under the list rather than multiple buttons
• Optimized CA/Cert/CRL code in various ways, including:
  – Actions are now performed by refid rather than array index, which is more accurate and not as prone to being affected by parallel changes
  – Improved configuration change descriptions as shown in the GUI and configuration history/backups
  – Miscellaneous style and code re-use improvements
  – Changed CA/Cert date calculations to use a more accurate method, which ensures accuracy on ARM past the 2038 date barrier #9899
Configuration Backend
• Changed error handling on boot error ‘XML configuration file not found’ so the user is given an opportunity to fix the problem manually #10556
Configuration Upgrade
• Retired m0n0wall configuration upgrade support #10997
Console Menu
• Fixed rc.initial execution of rc.local.running #10978
• Fixed rc.initial handling of -c commands with arguments #10603
• Fixed console menu display of subnet masks for DHCP interfaces #10740
Dashboard
• Added PPP uptime to the Dashboard Interfaces Widget #9426
• Improved long description truncation behavior in the services status widget #10795
• Fixed Dashboard traffic graph widget display of bandwidth units (b/s vs. B/s) #9072
• Added adaptive state timeout indication to the state table usage meter #7016
• Fixed Thermal Sensors dashboard widget showing invalid sensors #10963
• Added default route indicator to Gateways widget #11057
• Added hardware interface name as a tooltip on Interfaces widget entries #11041
DHCP (IPv4)
• Fixed handling of spaces in DHCP lease hostnames by dhcpleases #9758
• Fixed DHCP leases hostname parsing problems which prevented some hostnames from being displayed in the GUI #3500
• Added OMAPI settings to the DHCP Server #7304
• Increased number of NTP servers sent via DHCP to 3 #9661
• Added an option to prevent known DHCP clients from obtaining addresses on any interface (e.g. known clients may only obtain an address from the interface where the entry is defined) #1605
• Added count of static mappings to list when editing DHCP settings for an interface #9282
• Fixed handling of client identifiers on static mappings containing double quotes #10295
• Added ARM32/64 network booting support to the DHCP Server #10374
• Increased the number of NTP servers for DHCP Static Mappings #10333
• Fixed DHCP Dynamic DNS handling of per-host zone and key options from static mappings #10224
• Added per-host custom BOOTP/DHCP Options to static mappings #8990
• Added a button to clear all DHCP leases #7406
• Fixed ARPA zone declaration formatting in DHCP server configuration file #11224
DHCP (IPv6)
• Added options to disable pushing IPv6 DNS servers to clients via DHCP6 #9302
• Fixed DHCPv6 domain search list #10200
• Fixed validation to allow omission of DHCPv6 range for use with stateless DHCP #9596
• Fixed issues creating IPv6 Static Mappings #7443
• Fixed DHCPv6 merging an IPv6 prefix with the input submitted in DNS servers field when using Track Interface #7384
• Fixed prefix delegation not being requested if no interfaces were set to track6 #11005
• Fixed DHCPv6 Dynamic DNS domain key name validation #10844
• Fixed line formatting issues in the DHCPv6 configuration file #10675
• Fixed prefix not being included in the DNS entry registered by DHCPv6 #8156
• Fixed DHCPv6 static mapping changes requiring a restart of the DNS resolver to activate #10882
• Fixed issues running DHCPv6 on certain types of tracked interfaces (e.g. bridges, VLANs) #3965
• Fixed issues with WAN not renewing IPv6 address after an upstream failure #10966
DHCP Relay
• Fixed DHCP Relay validation to allow OpenVPN TAP interfaces #10711
• Fixed inconsistent validation behavior for DHCP relay and bridges #7778
Diagnostics
• Added Reroot and Reboot with Filesystem Check options to GUI Reboot page #9771
• Added option to control wait time between ICMP echo request (ping) packets on diag_ping.php #9862
• Improved data sanitization in status.php #10946 #10944
  – Sanitize MaxMind GeoIP key #10797 #10569 #10794
• Added config history list to status.php #10696
• Added DNS Resolver configuration to status.php #10635
• Added L2TP VPN configuration to status.php #10583
• Changed pftop page to hide filtering controls for views which do not support filtering #10625
• Added support for IDN hostnames to DNS Lookup, Ping, and Traceroute #10538
• Fixed diag_dns.php link to Ping passing incorrect parameters #10537
• Added a button to clear the NDP cache #10975
• Added a button to clear the ARP cache #4038
• Fixed hostname being ignored when DNS Lookup calculates response time #11018
• Fixed Kill States button on diag_dump_states.php when used with CIDR-masked subnets #9270
DNS Forwarder
• Updated dnsmasq to 2.84 #11278
DNS Resolver
• Added IPv6 OpenVPN client addresses resolution to the DNS Resolver #8624
• Added DNS64 options to the DNS Resolver #10274
• Added support for multiple IP addresses in a DNS Resolver Host Override entry #10896
• Fixed DNS Resolver restart commands to work around potential environment issues #10781
• Fixed saving DNS Resolver ACL entries when using a non-English translation #10742
• Added support for IDN symbols in DNS Resolver ACL entries #10730
• Added Aggressive NSEC option to the DNS Resolver #10449
• Fixed DNS Resolver unintentionally retaining DHCP registration entries after disabling that feature #8981
• Fixed DNS Resolver restarting on every OpenVPN client connection when registering clients in DNS #11129
• Fixed issues with the DNS Resolver not starting when bound to disabled interfaces or interfaces without carrier #11087
• Fixed DNS Resolver custom TLS listen port being ignored #11051
• Improved formatting and ordering of items in the DNS Resolver access list configuration file #11309
Dynamic DNS
• Fixed Dynamic DNS Dashboard Widget address parsing for entries with split hostname/domain (e.g. Namecheap) #9564
• Added support for new CloudFlare Dynamic DNS API tokens #9639
• Added IPv6 support to No-IP Dynamic DNS #10256
• Fixed issues with Hover Dynamic DNS #10241
• Updated Cloudflare Dynamic DNS to query Zone ID with token #10992
• Added support for IPv6 to easyDNS Dynamic DNS #10972
• Added support for Domeneshop Dynamic DNS #10826
• Added Zone option to RFC 2136 Dynamic DNS #10684
• Updated FreeDNS Dynamic DNS to use their v2 API #10617
• Fixed DigitalOcean Dynamic DNS processing of zones with multiple pages of records #10592
• Improved Dynamic DNS Logging #10459
• Added support for dynv6.com Dynamic DNS #9642
• Fixed handling of Dynamic DNS AAAA records on 6rd tunnel interfaces bound to PPPoE interfaces #9641
• Added a button to duplicate Dynamic DNS entries #8952
• Fixed Dynamic DNS update for HE.net Tunnelbroker always setting IP address of the default WAN interface #11024
• Updated HE.net Tunnelbroker Dynamic DNS to use their current API #11037
• Added support for Wildcard A records for Gandi Dynamic DNS #11159
• Updated No-IP Dynamic DNS to use a newer API #6638
• Fixed Namecheap Dynamic DNS error code checking #5308
• Improved color blind accessibility of Dynamic DNS status #3229
Gateways
• Added support for obtaining a gateway via DHCP which is outside of the interface subnet #7380
• Added validation to prevent using descriptions on interfaces which would cause gateway names to exceed the maximum allowed length #9401
• Added tooltip text to icons on the Gateways #10719
• Fixed issues with dpinger failing to update IPv6 gateway address on DHCPv6 WAN interfaces #8136
Hardware / Drivers
• Added bnxt driver for Broadcom NetXtreme interfaces #9155
• Added iOS/Android/Generic USB tethering driver #7467
IGMP Proxy
• Added input validation for IGMP Proxy settings #7163
Installer
• Created separate Auto (UFS) UEFI and Auto (UFS) BIOS installation options to avoid problems on hardware which boots differently on USB and non-USB disks #8638
• Fixed reinstalling with UFS on a ZFS formatted drive #10690
• Fixed platform detection for MBT-4220 and MBT-2220 on newer BIOS revisions #9242
• Fixed an issue with shutting down instead of rebooting after installing using ZFS #7307
Interfaces
• Added support for using IPv4 and IPv6 addresses on GRE interfaces at the same time #10392
• Added a check to disable Hardware Checksum Offloading in environments with interfaces which do not support it (e.g. vtnet, ena) #10723
• Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag #9548
• Added a PHP shell playback script restartallwan which restarts all WAN-type interfaces #9688
• Changed assignment of the fe80::1:1 default IPv6 link-local LAN address so it does not remove existing entries, which could cause problems such as Unbound failing to start #9998
• Added automatic MTU adjustment for GRE interfaces using IPsec as a transport #10222
• Fixed SLAAC interface selection when using IPv6 on a link which also uses PPP #9324
• Added GUI interface descriptions to Operating System interfaces #1557
• Added the ability to assign virtual type interfaces (IPsec, OpenVPN, GIF, GRE, etc) during console interface assignment #10947
• Fixed TSO not being disabled in some cases #10836
• Fixed group name length input validation #10835
• Improved interface caching for environments with many interfaces #10680
• Fixed fe80::1:1 being added to interfaces without track6 #10661
• Added a check to prevent stf (6RD/6to4) interfaces from being used as parent interfaces #10626
• Fixed redundant disabling of static ARP at boot before it could be enabled #10589
• Fixed initialization of bridges which include a GIF interface at boot #10524
• Fixed problems with post-install interface changes not being retained if the user did not complete the wizard #10383
• Fixed inefficiencies when applying settings to a VLAN parent interface #9154
• Fixed interface MTU setting not being applied to all IPv6 routes #6868
• Fixed handling of MTU setting for 6rd and 6to4 interfaces #6377
• Fixed IPv6 IP Alias preventing Track Interface from working with DHCPv6 and RA #5999
• Changed DHCP interface renewal behavior to not restart services if the IP address did not change #11142
• Fixed an error when changing bridge STP settings #11122
• Added a binary package with updated Realtek interface drivers #11079
• Improved link state visibility on Status > Interfaces #11045
• Removed VTI interfaces from Interface Group selection since they do not currently function in this manner #11134
• Fixed issues with IPv6 on top of IPv4 PPPoE placing default route on incorrect interface #9324
IPsec
• Added 25519 curve-based IPsec DH and PFS groups 31 and 32 #9531
• Enabled the strongSwan PKCS#11 plugin #6775
• Added support for ECDSA certificates to IPsec for IKE #4991
• Renamed IPsec “RSA” options to “Certificate” since both RSA and ECDSA certificates are now supported, and it is also easier for users to recognize #9903
• Converted IPsec configuration code from ipsec.conf ipsec/stroke style to swanctl.conf swanctl/vici style #9603
  – Split up much of the single large IPsec configuration function into multiple functions as appropriate.
  – Optimized code along the way, including reducing code duplication and finding ways to generalize functions to support future expansion.
  – For IKEv1 and IKEv2 with Split Connections enabled, P2 settings are properly respected for each individual P2, such as separate encryption algorithms #6263
    * N.B.: In rare cases this may expose a previous misconfiguration which allowed a Phase 2 SA to connect with improper settings, for example if a required encryption algorithm was enabled on one P2 but not another.
  – New GUI option under VPN > IPsec, Mobile Clients tab to enable RADIUS Accounting which was previously on by default. This is now disabled by default as RADIUS accounting data will be sent for every tunnel, not only mobile clients, and if the accounting data fails to reach the RADIUS server, tunnels may be disconnected.
  – Additional developer & advanced user notes:
    * For those who may have scripts which touched files in /var/etc/ipsec, note that the structure of this directory has changed to the new swanctl layout.
    * Any usage of /usr/local/sbin/ipsec or the stroke plugin must also be changed to /usr/local/sbin/swanctl and VICI. Note that some commands have no direct equivalents, but the same or better information is available in other ways.
    * IPsec start/stop/reload functions now use /usr/local/sbin/strongswanrc
    * IPsec-related functions were converged into ipsec.inc, removed from vpn.inc, and renamed from vpn_ipsec_<name> to ipsec_<name>
  – Reworked how reauthentication and rekey behavior functions, giving more control to the user compared to previous options #9983
• Reformatted status_ipsec.php to include more available information (rekey timer, encryption key size, IKE SPIs, ports) #9979
• Added support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec #9878
• Fixed usage of Hash Algorithm on child ESP/AH proposals using AEAD ciphers #9726
• Added support for IPsec remote gateway entries using FQDNs which resolve to IPv6 addresses #9405
• Added manual selection of Pseudo-Random Function (PRF) for use with AEAD ciphers #9309
• Added support for using per-user addresses from RADIUS and falling back to a local pool otherwise #8160
• Added an option which allows multiple tunnels to use the same remote peer in certain situations (read warnings on the option before use) #10214
• Improved visible distinction of online/offline mobile IPsec users in the IPsec status and dashboard widget #10340
• Added options to change the IPsec NAT-T ports (local and remote) #10870
• Improved boot-time initialization of IPsec VTI interfaces #10842
• Added support for limiting IPsec VPN access by RADIUS user group #10748
• Changed IPsec to share the same RADIUS Cisco-AVPair parser code as OpenVPN for Xauth users #10469
• Fixed handling of IPsec VTI interfaces in environments with large numbers of IPsec tunnels #9592
• Added IPsec Advanced option to control maximum allowed Parallel P2 Rekey exchanges #9331
• Fixed issues with bringing up new Phase 2 entries on IPsec tunnels with “Split connections” enabled #8472
• Fixed issues where, in rare cases, IPsec tunnels would not reconnect until the firewall was rebooted #8015
• Improved the Remote Gateway field description for IPsec Phase 1 entries to indicate that 0.0.0.0 is allowed #7095
• Fixed issues with IKEv2 IPsec tunnels with multiple phase 2 entries combining traffic selectors in unexpected ways (set “Split Connections” to isolate them) #6324
• Added options to create IPsec bypass rules which prevent specific source and destination network pairs from entering policy-based IPsec tunnels #3329
• Documented settings which work around SA duplication issues experienced by users in certain cases #10176
• Improved IPsec GUI options for P1/P2 SA expiration and replacement to help prevent SA duplication #11219
• Fixed a PHP error in mobile IPsec input validation #11212
• Added validation to prevent unsupported wildcard certificates from being selected for use with IPsec #11297
IPv6 Router Advertisements (RADVD)
• Fixed Router Advertisement configuration missing information in Unmanaged mode #9710
• Fixed Router Advertisement lifetime input validation #10709
L2TP
• Fixed L2TP secret using an empty value after removing it from the GUI #10710
• Fixed L2TP input validation to allow leaving the remote address field blank when assigning addresses from RADIUS #7562
• Fixed inefficiencies in the initial L2TP reconfiguration process #7558
• Fixed L2TP Server and Client both using l2tpX for interface names #11006
• Fixed static routes on L2TP interfaces not being reapplied when reconnecting #10407
• Fixed L2TP server being restarted when making user account changes #11059
LAGG Interfaces
• Improved Interface Status and Widget information for LAGG #9187
• Fixed route for GIF/GRE peer when using VLAN on LAGG #10623
• Added option to toggle LACP PDU transmission fast timeout #10504
• Fixed LAGG member interface events causing filter reloads #10365
• Fixed issues with LAGG interface MTU being incorrectly applied to VLAN subinterfaces #8585
• Added option to control the master interface for LAGG in Failover mode #1019
Logging
• Changed system logging to use plain text logging and log rotation; the old binary clog format has been deprecated #8350
• Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k) #9734
• Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714
• Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714
• Added GUI options to control log rotation #9711
• Added code for packages to set their own log rotation parameters #9712
• Removed the redundant nginx-error.log file #7198
• Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375
• Reorganized/restructured several log tabs #9714
• Added a dedicated authentication log #9754
• Added an option for RFC 5424 format log messages which have RFC 3339 timestamps #9808
• Fixed an issue where a firewall log entry for loopback source/destination occasionally reported 127.0.0.1 as 127.0.01 #10776
• Fixed issues with syslogd using an old IP address after an interface IP address change #9660
• Added watchfrr to routing log #11207
Multi-WAN
• Fixed Gateways being removed from routing groups based on low alert thresholds #10546
• Fixed a possible race condition in gateway group fail-over causing unexpected behavior #9450
• Fixed a load balancing failure when one gateway had a weight of 1 and another gateway had a weight >1 #6025
NAT Reflection
• Fixed port forwards where the destination is a network alias creating invalid reflection rules if multiple subnets are in that alias #7614
Notifications
• Deprecated & Removed Growl Notifications #8821
• Added a daily certificate expiration notification with settings to control its behavior #7332
• Fixed input validation of SMTP notification settings #8522
• Added support for sending notifications via Pushover API #10495
• Added support for sending notifications via Telegram #10354
• Fixed a PHP error when SMTP notifications fail #11063
NTPD
• Added GUI options for NTP sync/poll intervals #6787
• Added validation to prevent using noselect and noserve with pools #9830
• Added feature to automatically detect GPS baud rate #7284
• Fixed status and widget display of long hostnames and stratum #10307
• Fixed handling of the checkbox options on NTP servers #10276
• Updated GPS initialization commands for Garmin devices #10327
• Added an option to limit NTP pool server usage #10323
• Added option to force IPv4/IPv6 DNS resolution for NTP servers #10322
• Added support for NTP server authentication #8794
• Added an option to disable NTP #3567
• Added units to the NTP status page #2850
OpenVPN
• Updated OpenVPN to 2.5.0 #11020
  – The default compression behavior has changed for security reasons. Incoming packets will be decompressed, outgoing packets will not be compressed. There is a GUI control to alter this behavior.
  – Data cipher negotiation (formerly known as Negotiable Cryptographic Parameters, or NCP) is now compulsory. Disabling negotiation has been deprecated. The option is still present in the GUI, but negotiation will be unilaterally enabled on upgrade. The upgrade process will attempt to use the expected data encryption algorithms before and after the upgrade completes, but in some cases more secure algorithms may be enabled as well. #10919 We strongly encourage using AEAD ciphers such as AES-GCM; future versions of OpenVPN will require them and will not have configurable cipher lists.
• Added connection count to OpenVPN status and widget #9788
  • 86. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC • Enabled the OpenVPN x509-alt-username build option #9884 • Restructured the OpenVPN settings directory layout – Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to /var/etc/openvpn/ <mode><id>/<x> * This keeps all settings for each client and server in a clean structure • Moved to CApath style CA structure for OpenVPN CA/CRL usage #9915 • Added support for OCSP verification of client certificates #7767 • Fixed a potential race condition in OpenVPN client ACLs obtained via RADIUS #9206 • Added support for more protocols (IP, ICMP), ports, and a template variable ({clientip}) in OpenVPN client ACLs obtained via RADIUS #9206 • Added the ability to register OpenVPN Remote Access (User Auth) clients in the DNS Resolver #10999 • Fixed an issue where duplicating an OpenVPN instance did not copy the password #10703 • Fixed issues with OpenVPN TCP clients failing to start #10650 • Added support for IPv6 OpenVPN ACLs obtained via RADIUS #10454 • Fixed validation to enforce OpenVPN client password usage when setting a username, to prevent a missing password from interrupting the boot process #10409 • Enabled asynchronous push in OpenVPN binary #10273 • Added OpenVPN client-specific override option to ignore routes pushed by the server (“push-reset”) #9702 • Clarified behavior of OpenVPN server option for Duplicate Connections #10363 Operating System • Fixed a network performance regression in the fast forwarding path with IP redirects enabled NG4965 • Fixed double ZFS entries in loader.conf #10375 • Added a method to enable persistent command history in the shell #11029 • Changed the default domain name of the firewall from .localdomain to .home.arpa #10533 Package System • Disabled spell checking on package upgrade progress textarea #10637 • Fixed issues with package upgrade or reinstall hanging indefinitely #10610 • Fixed description used for buttons when editing 
packages #11208 • Deprecated the following packages: OpenBGPd, Quagga_OSPF, routed, blinkled, and gwled 3.3. Older/Unsupported Releases 83
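The OpenVPN 2.5.0 notes above flag three things worth auditing in any hand-maintained or exported OpenVPN configuration: compression left on, cipher negotiation disabled with ncp-disable, and a data-channel cipher list that still offers non-AEAD (CBC) ciphers. The following is an added example for this page, not pfSense code and not the pfSense-generated config: it parses a plain OpenVPN config and reports those findings. The two embedded configs are constructed samples, and the hardened one goes further than the 2.5.0 default by refusing compressed packets entirely with allow-compression no rather than the decompress-only behavior the notes describe.

```python
"""Audit an OpenVPN config for the settings the 2.5.0 upgrade notes call out:
compression, disabled cipher negotiation, non-AEAD ciphers.

Added example for this page; it is not pfSense code and does not read pfSense's
generated configs. The two sample configs below are constructed for the demo.
"""
import re

# Data-channel ciphers OpenVPN 2.5 offers as AEAD.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
# 'compress' algorithms that actually compress outgoing traffic ('stub' and
# 'stub-v2' only keep the framing, so they are not flagged).
COMPRESSING_ALGOS = {"lzo", "lz4", "lz4-v2"}


def parse_config(text):
    """Split an OpenVPN config into (directive, args) pairs, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit_openvpn(text):
    """Return a list of (code, detail) findings; an empty list means clean."""
    entries = parse_config(text)
    present = {directive for directive, _ in entries}
    # 'ncp-ciphers' is the pre-2.5 name of 'data-ciphers'; both are accepted.
    has_cipher_list = present & {"data-ciphers", "ncp-ciphers"}
    findings = []
    for directive, args in entries:
        if directive == "comp-lzo" and args != ["no"]:
            findings.append(("compression", " ".join([directive] + args)))
        elif directive == "compress" and args and args[0] in COMPRESSING_ALGOS:
            findings.append(("compression", "compress " + args[0]))
        elif directive == "allow-compression" and args == ["yes"]:
            findings.append(("compression", "allow-compression yes"))
        elif directive == "ncp-disable":
            findings.append(("ncp-disabled", "ncp-disable is deprecated; negotiation is forced on"))
        elif directive in ("data-ciphers", "ncp-ciphers"):
            for cipher in ":".join(args).split(":"):
                if cipher.upper() not in AEAD_CIPHERS:
                    findings.append(("non-aead", f"{directive} offers {cipher}"))
        elif directive == "cipher" and not has_cipher_list:
            # With negotiation compulsory, a lone 'cipher' line is what the peer
            # falls back to; flag it if it is a legacy (non-AEAD) cipher.
            if args and args[0].upper() not in AEAD_CIPHERS:
                findings.append(("non-aead", f"cipher {args[0]} with no data-ciphers list"))
    return findings


WEAK_CONFIG = """\
# constructed sample: typical pre-2.5 settings
dev tun
cipher AES-256-CBC
auth SHA256
ncp-disable
comp-lzo adaptive
"""

HARDENED_CONFIG = """\
# constructed sample: AEAD-only negotiation, compression refused outright
dev tun
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
allow-compression no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_openvpn(cfg) or "no findings")
```

Run it against a config exported from a client or a non-pfSense peer; a "compression" or "ncp-disabled" finding on the remote side explains most post-upgrade tunnel failures, since the 2.5.0 side will no longer negotiate the old settings.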
PPP Interfaces
• Fixed issues with PPPoE over a VLAN failing to reconnect #9148
• Enabled selection of QinQ interfaces for use with PPP #9472
• Added option to set Host-Uniq value for PPPoE #10597
• Fixed incorrect interface assignment after switching from PPPoE #10240
• Fixed IPv6 not being disabled in mpd.conf when the IPv6 GUI option is set to ‘disabled’ #7386
• Fixed PPPoE interface errors due to MTU settings #11035
PPPoE Server
• Fixed PPPoE server ignoring secondary RADIUS Server #10926
• Fixed PPPoE server Accounting updates option #10869
• Removed unnecessary restarts of the PPPoE server when adding/modifying users #10318
• Added input validation to prevent enabling the PPPoE server on a PPPoE client interface #4510
Routing
• Fixed automatic static routes set for DNS gateway bindings not being removed when no longer necessary #8922
• Fixed missing tooltip text for icons on the Static Routes Page #10889
RRD Graphs
• Fixed RRD graph handling of NTP graph data with negative freq values #6503
• Fixed RRD graph creation for interfaces using CODELQ #6277
Rules / NAT
• Added the ability to configure negated tagging, to match packets which do not contain a given tag #10186
• Added support for IPv6 Port Forwards #10984
• Fixed handling of IPv6 NPt rules on 6rd WAN interfaces #10757
• Fixed 1:1 NAT issue when internal interface has VIPs #10752
• Fixed policy routing rules not being written correctly for a down gateway #10716
• Added EoIP to firewall rule Protocol list #10698
• Fixed separator bars on floating rules not covering the full table width #10667
• Fixed 1:1 NAT for IPv6 applying wrong subnet mask to “Single Host” #7742
• Added validation to prevent accidentally overlapping NPt networks and interface networks #7741
• Added support for dynamic interface addresses in 1:1 NAT rules #7705
• Added default values of TCP and UDP timeouts to the GUI #7362
• Fixed handling of IPv6 floating rules on 6rd interfaces #7142
• Fixed firewall rules for “PPPoE clients” only including the first PPPoE server instance #6598
• Fixed duplicated tracker IDs on block private networks rules #6030
• Fixed reply-to on rules for PPPoE WANs with IPv6 SLAAC #5258
• Added gateway/group IP addresses to mouseover on rules #885
• Fixed formatting of floating rules with large numbers of interfaces #10892
• Fixed form rendering issues with Port Forward Address Fields in Safari #10674
• Fixed firewall ruleset failing to load at boot when new ruleset would be invalid #6028
• Fixed an issue adding or deleting separator bars when no rules are present #10827
S.M.A.R.T.
• Updated S.M.A.R.T. Page with new capabilities #9367
SNMP
• Fixed SNMP reporting incorrect speed for switch uplink interface on Netgate SG-3100 #10793
• Fixed SNMP input validation to require the Host Resources module when the PF module is also enabled #10471
Traffic Graphs
• Changed the Traffic Graph page from rate to iftop which brings IPv6 support and various other improvements #3334
Traffic Shaper (ALTQ)
• Changed default ALTQ queue bandwidth type to Mbit/s #10988
• Updated traffic shaper wizard settings for XBox and Wii ports #10837
• Added Broadcom NetXtreme to ALTQ-capable list #10762
• Added ALTQ support to the ix(4) driver #7378
• Fixed deletion of associated shaper queues when deleting an interface #3488
• Fixed ALTQ root queue bandwidth calculation #3381
• Fixed input validation for amount of queues supported by ALTQ schedulers #1353
• Added Google Stadia port range to the traffic shaper wizard #10743
• Fixed PHP errors in the traffic shaper wizard #10660
• Fixed ALTQ on hn(4) interfaces #8954
Traffic Shaper (Limiters)
• Fixed issues with net.inet.ip.dummynet.* tunables being ignored #10780
• Fixed issues with renaming limiters removing them from firewall rules #3924
• Fixed mask options not applying to sched limiter #10838
• Changed default Limiter queue bandwidth type to Mbit/s #10727
Translations
• Added Italian translation #9716
Upgrade
• Fixed issues with checking for updates from the GUI behind a proxy with authentication #9478
• Changed phrasing of message indicating the firewall is rebooting to upgrade #10387
• Fixed issues with the GUI incorrectly reporting “The system is on the latest version” #8870
UPnP
• Improved handling of UPnP with multiple gaming systems #7727
User Manager / Privileges
• Added menu entry for User Password Manager if the user does not have permission to reach the User Manager #9428
• Improved consistency of SSL/TLS references in LDAP authentication servers #10172
• Fixed irrelevant output being printed to users with ssh_tunnel_shell #9260
• Fixed theme not being applied to LDAP test results modal #7912
• Changed to more secure default values for certificates created through the user manager #11167
• Changed SSL/TLS LDAP authentication implementation to improve handling of multiple secure LDAP (SSL/TLS or STARTTLS) servers used at the same time #10704
Virtual IP Addresses
• Fixed a problem with PID file handling for the proxy ARP daemon #7379
• Fixed IP Alias VIPs on PPPoE interfaces #7132
Web Interface
• Updated JQuery to address multiple issues #10676
• Updated Bootstrap to 3.4.1 #9892
• Updated Font-Awesome to v5 #9052
• Increased the number of colors available for the login screen #9706
• Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0 removed from Captive Portal, TLS 1.1 removed from GUI) #9607
• Fixed empty lines in various forms throughout the GUI #9449
• Improved validation of FQDNs #9023
• Added CHACHA20-POLY1305 to nginx cipher list #9896
• Fixed Setup Wizard input validation to allow Primary/Secondary DNS Server field to remain empty #10982
• Fixed Setup Wizard input validation for IPv6 DNS Servers #10720
• Added an option to omit DNS Servers from resolv.conf #10931
• Fixed the icon area within buttons not being clickable #10846
• Fixed visibility issues with multiple selection form control in the pfsense-BETA-dark theme #10705
• Updated documentation links in the GUI #10481
• Fixed netmask/prefix form control incorrectly resetting to 128/32 #10433
• Updated Help shortcut links #10135
• Improved handling of multiple login form submissions to avoid a potential CSRF error #9855
• Fixed reboot message when changing the Hardware Checksum Offloading setting #3031
• Added support for new site icons requested by current versions of Safari #11068
• Added descriptions to all write_config() calls #204
WireGuard
• Added kernel-based WireGuard VPN implementation #8786
Wireless
• Added support for the athp(4) wireless interface driver #9538 #9600
• Added support for the ral(4) wireless interface driver to arm64 #10934
• Added support for the rtwn(4) wireless interface driver #10639
• Added support for selecting 802.11n channel width (HT) #10678
Development
• Added a “periodic” style framework to allow for daily/weekly/monthly tasks from the base system or packages by way of plugin calls #7332
• Added a central file download function for internal use throughout the GUI
• Added TCP_RFC7413 in kernel, required for the BIND package #7293
XMLRPC
• Fixed XMLRPC synchronization of admin authorized keys for the admin user #9539
• Added option to synchronize changes for the account used for XMLRPC sync #9622
• Fixed XMLRPC synchronization for firewall rule descriptions with special characters #1478
• Fixed incorrect synchronize IP address value causing XMLRPC errors #11017

3.3.2 pfSense CE Software 2.4.5-p1

New Features and Changes

pfSense® software version 2.4.5-p1 addresses performance, security, and other miscellaneous issues found in 2.4.5.

Warning: Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect. During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate the repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.

Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Note: Upgrading to pfSense software version 2.4.5-p1 requires pfSense-upgrade version 0.70 or later. Most installations will automatically pick up the new version and upgrade normally. If this does not happen automatically and the upgrade to version 2.4.5-p1 is not offered, use the following procedure:
• Navigate to System > Updates
• Set Branch to Previous stable version
• Wait a few moments for the upgrade check to complete
• Optional: Confirm that the latest version of pfSense-upgrade is present (version >= 0.70) using pkg-static info -x pfSense-upgrade. If the correct version is not present, wait a bit longer and check again as that package may be updating in the background.
• Set Branch to Latest stable version
• Wait a few moments for the upgrade check to complete
At this point, the upgrade check should see 2.4.5-p1 and the upgrade can proceed.

Note: pfSense software version 2.4.5-p1 includes pkg version 1.13.x which introduces a new metadata version. Most installations will automatically pick up the new version and upgrade normally. In certain cases, especially coming from much older versions, the pkg utility may require a manual update before it can correctly process the new metadata. The pkg utility can be upgraded manually with the following command run from an ssh or console shell:
    # pkg-static bootstrap -f
See Repository Metadata Version Errors for more details.

Security / Errata
• Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload events #10414
• Fixed an issue with sshguard which could prevent it from protecting against brute force logins #10488
• Updated unbound to address CVE-2020-12662 and CVE-2020-12663 #10576
• Updated json-c to address CVE-2020-12762 #10609
• Addressed FreeBSD Security Advisories & Errata Notices including:
– FreeBSD-SA-20:10.ipfw
– FreeBSD-SA-20:12.libalias
– FreeBSD-SA-20:13.libalias
– FreeBSD-SA-20:15.cryptodev
Aliases / Tables
• Fixed handling of URL/URL table aliases with IDN hostnames #10321
Authentication
• Fixed handling of misconfigured groups which prevented the admin user from making configuration changes #10492
• Fixed a potential temporary privilege downgrade when deleting an account #9259
  • 93. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Backup / Restore • Fixed handling of redundant/extraneous RRD tags when making configuration backups #10508 CARP • Fixed handling of IPv6 CARP VIPs with non-significant zeros during XMLRPC sync #6579 Certificates • Fixed a bug which prevented the user from removing a CA private key when editing #10509 Configuration Upgrade • Fixed a PHP error during upgrade from <2.4.3 with empty tags in the IPsec configuration #10458 Console Menu • Changed the naming convention of gateways created at the console to be the same as those created in the GUI #10264 DHCP (IPv6) • Added default value placeholders to some DHCPv6 RA configuration options #10448 • Fixed DHCPv6 service Dynamic DNS errors #10346 • Fixed rc.newwanipv6 being called for Request messages which dhcp6c should have discarded #9634 • Added dashed DUID support to DHCPv6 static mappings #2568 DHCP Relay • Fixed DHCP Relay handling of scenarios where a target server may be on the same interface as some clients #10416 • Excluded unsupported interface types from DHCP Relay #10341 DHCP Server • Fixed DHCPv6 static entries not being updated on external Dynamic DNS servers #10412 • Fixed DHCPv6 domain-search list not being sent to clients #10200 • Fixed DHCP Server not accepting IPv6 addresses for Dynamic DNS servers #6600 3.3. Older/Unsupported Releases 90
  • 94. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Diagnostics • Several improvements and items added to status.php diagnostic output #10455 #10424 #10423 #10350 #10349 #10568 • Fixed Require State Filter setting on diag_states.php breaking filter rule link to associated states #10359 DNS Resolver • Fixed IPsec and OpenVPN IPv6 tunnel network/pool prefixes not being added to automatic DNS Resolver ACLs #10460 • Fixed EDNS buffer size values to prepare for 2020 DNS flag day #10293 • Fixed DNS Resolver handling of entries from DHCP server which contain a trailing dot in domain names #8054 Dynamic DNS • Fixed DigitalOcean Dynamic DNS client handling of IPv6 addresses #10390 • Fixed DNSExit update URL #9632 Hardware / Drivers • Added support for iwm devices #7725 Note: This device only supports Station mode. It does not support acting as an access point. • Added ng_etf module to armv6 and aarch64 kernels #10463 • Added QLogic 10G driver (qlxgb/qla80xx) #9891 • Added virtio_console to the kernel #9985 IPsec • Fixed selection of IPsec VTI Phase 2 local network address/mask values #10418 • Fixed saving IPsec connection breaking FRR BGP on VTI interfaces #10351 • Updated DH group warnings to say that group 5 is also weak #10221 • Fixed disabling IPsec Phase 1 with a VTI Phase 2 #10190 • Fixed disabled IPsec Phase 2 entries being unintentionally included in vpn_networks table #7622 3.3. Older/Unsupported Releases 91
  • 95. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC L2TP • Changed L2TP mpd.secret handling so that the server is not restarted after adding/modifying L2TP users #4866 • Fixed handling of L2TP usernames containing a realm separator (@) #9828 • Fixed Shared Secret handling in L2TP #10531 #10527 Limiters • Fixed input validation of limiters with ECN #10211 • Fixed bogus extra warning dialog on when deleting limiters #9334 Notifications • Fixed SMTP notification SSL validation to respect the user-selected behavior #10317 NTPD • Added localhost to NTP Interface selection options #10348 OpenVPN • Fixed OpenVPN remote statement protocol handling #10368 • Added option to configure OpenVPN username as common name behavior #8289 Operating System • Fixed handling of RAM disk sizes not accounting for existing disk usage when calculating available kernel memory, which could prevent saving #10420 • Updated pkg to 1.13.x #10564 • Fixed problems preventing the Netgate Coreboot Package from updating Coreboot properly #10573 Packages • Fixed handling of FreeRADIUS passwords containing non-XML-safe characters #4497 • Fixed handling of Squid LDAP search filters containing an accent #7654 • Fixed issues preventing FRR from working on certain platforms such as SG-1100 (arm64/aarch64) #10444 • Fixed issues preventing Suricata from working on certain platforms such as SG-1100 (arm64/aarch64) #10228 3.3. Older/Unsupported Releases 92
  • 96. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Rules / NAT • Fixed Duplicate Outbound NAT entries from L2TP server addresses #10247 • Fixed Outbound NAT rules for mobile IPsec users with per-user addresses defined #9320 • Fixed IPv6 IP Alias VIPs not being added to Interface Network macros #8256 • Fixed Destination port range “Any” in Port Forward rules #7704 • Fixed display of interfaces on the Floating rules list #4629 • Fixed rule description validation to reject #10542 • Fixed setting NAT reflection timeout values #10591 Translations • Fixed language selection for Chinese (Taiwan) / HK Translations #10525 Services • Fixed is_process_running() handling of empty process, which could lead to an error when using the CLI to query the status of a service which does not exist #10540 Web Interface • Fixed dark theme auto-complete popup field having dark text on dark background #10499 • Fixed using special characters in Schedule descriptions #10305 • Fixed WebGUI main page loading very slowly when there is no Internet connectivity #8987 2.4.5 New Features and Changes pfSense® software version 2.4.5 contains a variety of bug fixes and maintenance updates. Warning: Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect. During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect. Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding. 3.3. Older/Unsupported Releases 93
  • 97. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Operating System / Architecture changes • Base OS upgraded to FreeBSD 11.3-STABLE@r357046 • PHP upgraded to 7.2.29 Security / Errata • Fixed dependency issues with pfSense-upgrade which may have caused it not to update itself properly #10303 Tip: If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present. • Added encoding to the hostname in services_acb.php #9584 • Added encoding to error output in services_captiveportal_mac.php #9609 • Improved Picture Widget input validation #9610 #9731 #9804 • Added a fsck run with -z for UFS filesystems on upgrade to address FreeBSD-SA-19:10.ufs #9612 • Fixed format of XMLRPC auth error to match GUI auth error #9782 • Added a custom CSRF Error page with warnings and confirmation prompts before resubmitting potentially harmful data #9799 • Fixed Status_Monitoring rrd_fetch_json.php error encoding #9601 • Fixed encoding of the user full name on system_usermanager_addprivs.php #10324 • Fixed input validation and output encoding of host on diag_ping.php #10355 • Addressed FreeBSD Security Advisories & Errata Notices – FreeBSD-SA-20:05.if_oce_ioctl – FreeBSD-SA-20:04.tcp – FreeBSD-SA-19:24.mqueuefs – FreeBSD-SA-19:23.midi – FreeBSD-SA-19:22.mbuf – FreeBSD-SA-19:21.bhyve – FreeBSD-SA-19:20.bsnmp – FreeBSD-SA-19:19.mldv2 – FreeBSD-SA-19:18.bzip2 – FreeBSD-SA-19:17.fd – FreeBSD-SA-19:16.bhyve – FreeBSD-SA-19:15.mqueuefs – FreeBSD-SA-19:14.freebsd32 – FreeBSD-SA-19:13.pts – FreeBSD-SA-19:12.telnet 3.3. Older/Unsupported Releases 94
  • 98. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC – FreeBSD-SA-19:11.cd_ioctl – FreeBSD-SA-19:10.ufs – FreeBSD-SA-19:09.iconv – FreeBSD-SA-19:08.rack – FreeBSD-EN-20:06.ipv6 – FreeBSD-EN-20:04.pfctl – FreeBSD-EN-19:18.tzdata – FreeBSD-EN-19:17.ipfw – FreeBSD-EN-19:16.bhyve – FreeBSD-EN-19:15.libunwind – FreeBSD-EN-19:14.epoch – FreeBSD-EN-19:13.mds – FreeBSD-EN-19:12.tzdata – FreeBSD-EN-19:11.net Aliases/Tables • Fixed an issue when resolving FQDN entries in aliases where some entries could be missing #9296 • Improved URL Table aliases to support FQDNs which return muliple entries #8531 • Added a function to download the contents of an individual alias #9816 Authentication • Added exception handling to authentication attempts #9150 Backup/Restore • Added a special string (NoReMoTeBaCkUp) that when used in write_config() descriptions will prevent a remote backup #9693 • Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy ser- vice) #9687 #9785 • Added CDATA protection to the encryption_password XML tag, which allows international characters to be used in that field #7186 • Added CDATA escape to more auth-related fields #9327 • Ensured that kern.cam.boot_delay is set for new installations and upgrades so that USB devices are properly initialized in time for configuration restore in the installer and ECL to function #9533 3.3. Older/Unsupported Releases 95
  • 99. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Captive Portal • Fixed Captive Portal vouchers shortcut links #9722 • Changed Captive Portal redirect page selection order #9819 • Fixed a rare and intermittent issue where users could encounter an nginx error when restarting Captive Portal instances #10159 Certificates • Added sorting and search/filtering to Certificate Authority & Certificate manager #9412 • Corrected wording of CA/Cert CN input validation #9234 • Fixed certificate Descriptive Name field behavior when adding a user certificate #9719 • Added clientAuth EKU to Server type certificates #9868 • Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms #9825 Dashboard • Added option to disable PTI display in System Information widget #9323 DHCP • Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448 • Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists #9466 • Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible #8443 • Added an option to disable ping check in dhcpd #9285 • Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133 • Added search/filter to DHCP/DHCPv6 leases #9791 • Improved DHCP client handling of timeout conditions and script failures #9267 Diagnostics • Fixed a PHP warning in diag_dump_states.php #9780 • Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543 • Fixed diag_system_activity.php to use batch mode for top so it displays process list w/o terminal, and increased amount of output displayed #9522 • Added search/filter ARP table and NDP status #9791 3.3. Older/Unsupported Releases 96
  • 100. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC DNS • Added 127.0.0.0/8 to the DNS Resolver private-address list for DNS rebinding protection #9708 • Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586 • Fixed an issue saving DNS over TLS hostnames on systems with only one gateway #9898 • Fixed an issue where manually configured DNS servers may not have been active if “allow override” was disabled and they were also assigned dynamically #9963 • Added DNS Resolver (Unbound) Python Integration #9251 Dynamic DNS • Fixed Dynamic DNS class constructor name #9779 • Fixed errors in DNSimple Dynamic DNS #9580 • Fixed handling of wildcard (*) hostname entries in Cloudflare Dynamic DNS #9361 • Added support for AAAA records to Digital Ocean Dynamic DNS #9280 • Fixed issues with Digital Ocean Dynamic DNS handling of empty hostnames #9602 • Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271 • Added support for Linode Dynamic DNS #9268 • Fixed issues with IPv6 on Azure Dynamic DNS #9248 • Fixed handling of wildcards in Route53 Dynamic DNS #9053 • Fixed handling of wildcards in Loopia Dynamic DNS #8014 • Fixed CloudFlare Dynamic DNS processing when proxied is enabled #9362 • Fixed CloudFlare Dynamic DNS “Invalid TTL” error due to CloudFlare API update #10196 • Changed hostname to optional for DNS-O-Matic Dynamic DNS #7601 • Added support for Gandi LiveDNS Dynamic DNS #9452 Gateways • Corrected PHP errors when marking gateways down in certain edge cases #9851 Interfaces • Added more prefix delegation size entries to selection list on interfaces.php #9590 • Added initialization to the VLAN array in console setup #9582 • Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings #8051 • Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741 • Added a confirmation prompt to 
disconnect/release actions on status_interfaces.php #9911 • Added drivers for Mellanox mlx4 and mlx5 network interface cards #7537 3.3. Older/Unsupported Releases 97
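The DNS entry above adds 127.0.0.0/8 to the DNS Resolver's private-address list. The rebinding attack that list defends against is an external name whose A/AAAA answer points at an internal address (the firewall's loopback, a LAN gateway, a link-local address), so that a browser's same-origin policy lets a hostile page reach that internal service. Unbound strips such records from answers unless the name is under a private-domain exception. The following is an added example, not Unbound or pfSense code, that applies that rule to a set of answer records. The address list it uses is the set this example assumes pfSense configures (with the new 127.0.0.0/8 entry); check the generated unbound.conf on a firewall for the authoritative list. The answer records are constructed for the demo.

```python
"""Reproduce what the DNS Resolver's private-address list does for rebinding
protection: answers that map a name onto an internal address are stripped
unless the name sits under an explicitly allowed (private-domain) zone.

Added example for this page, not Unbound or pfSense code. The address list is
an assumption about the firewall's configuration; the answers are constructed.
"""
import ipaddress

# Assumed private-address ranges, including the 127.0.0.0/8 entry from #9708.
PRIVATE_ADDRESSES = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fd00::/8", "fe80::/10", "::1/128",
)]


def is_private_address(rdata):
    """True if the A/AAAA rdata falls inside one of the protected ranges."""
    try:
        address = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    # Mixed-version membership tests are simply False in ipaddress.
    return any(address in network for network in PRIVATE_ADDRESSES)


def under_domain(name, domain):
    """Case-insensitive 'name is domain or a subdomain of it' check."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_rebinding(records, private_domains=()):
    """Split (name, rrtype, rdata) answer records into (kept, stripped).

    private_domains plays the role of Unbound's private-domain: names under
    those zones may legitimately resolve to internal addresses.
    """
    kept, stripped = [], []
    for name, rrtype, rdata in records:
        allowed = any(under_domain(name, d) for d in private_domains)
        if rrtype in ("A", "AAAA") and is_private_address(rdata) and not allowed:
            stripped.append((name, rrtype, rdata))
        else:
            kept.append((name, rrtype, rdata))
    return kept, stripped


# Constructed answer set: a normal public name, an attacker-controlled name
# rebinding to the firewall's loopback, LAN and link-local addresses, and a
# legitimate internal host under a zone the resolver is told to trust.
SAMPLE_ANSWERS = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("attacker.example.net.", "A", "127.0.0.1"),
    ("attacker.example.net.", "A", "192.168.1.1"),
    ("attacker.example.net.", "AAAA", "fe80::1"),
    ("printer.corp.internal.", "A", "10.0.0.5"),
]

if __name__ == "__main__":
    kept, stripped = filter_rebinding(SAMPLE_ANSWERS, private_domains=("corp.internal",))
    for record in stripped:
        print("stripped:", record)
    for record in kept:
        print("kept:", record)
```

The private-domain exception is the part worth checking on a real deployment: every zone listed there is exempt from the protection, so it should contain only zones the organisation controls, never a public suffix.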
  • 101. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC IPsec • Fixed IPsec VTI interface creation logic #9781 • Added GUI option for IPsec P2/Child SA close action #9767 • Added IPsec DH and PFS groups 25, 26, and 27 #9757 • Added 25519 curve-based IPsec DH and PFS group 31 #9531 • Enabled NAT-T controls for IKEv2 #9695 • Improved handling of IPsec restarts breaking VTI routing #9668 • Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258 • Fixed IPsec keyid identifier handling #9243 • Fixed IPsec VTI MTU boot-time configuration #9111 • Escape Windows domain backslash in IPsec widget #9747 • Fixed VTI IPv6 address handling #9801 • Fixed Child SA button JS hide on status_ipsec.php, along with other cosmetic improvements #8847 • Added Connect Children button to status_ipsec.php to connect when IKE (Phase 1) is up but Child SAs (Phase 2 entries) are not #9954 • Fixed IPsec Phase 2 Remote Network field show/hide when changing between Phase 2 modes #9720 • Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263 • Fixed a PHP error in IPsec package plugin hook processing #10217 Load Balancer • Fixed a PHP when processing services when the configuration does not contain Load Balancer entries #10308 Logging • Moved igmpproxy logs to routing.log #10139 • Moved igmpproxy verbose logging option to services_igmpproxy.php (formerly at status_logs_settings.php) #10139 • Updated sshguard and fixed a log processing regression #9971 • Fixed PHP errors in filter log processing when entries contain an invalid port #10255 3.3. Older/Unsupported Releases 98
  • 102. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Monitoring • Fixed custom view titles being forced to lower case #9681 • Fixed packet graph scaling #9807 • Fixed a PHP error in RRD processing of ALTQ data #10248 Notifications • Fixed SMTP notification password being unintentionally changed when testing SMTP settings #9684 • Reduced frequency of GEOM rebuild notifications #9256 NTPD • Added validation to ensure NTP values are treated as numbers before use #9558 • Changed the default NTP pool server to 2.<domain> so that it can use IPv6 #9931 • Improved handling of errors on the NTP status page to work/fail gracefully with custom ACLs for localhost in place #9829 OpenVPN • Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756 • Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748 • Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595 • Added an option to set the OpenVPN TLS Key Direction #9030 • Added GUI options to configure OpenVPN keepalive parameters #3473 • Fixed instances of hidden invalid OpenVPN options affecting save operations #9674 • Added a copy action to OpenVPN pages #5851 • Improved sorting of bytes sent/receives on OpenVPN status page #7359 • Fixed visibility of the OpenVPN ‘interface’ option when multihome is selected #7840 • Reduced the OpenVPN server certificate lifetime to 398 days in the wizard to prevent errors on Apple platforms #9825 • Added input validation to prevent OpenVPN tunnel network reuse #3244 • Added Exit Notify to OpenVPN servers/client options #9078 3.3. Older/Unsupported Releases 99
  • 103. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Operating System • Fixed serial console terminal size issues #9569 • Added the strings binary to base builds for troubleshooting #7791 • Changed UFS filesystem defaults to noatime on new installations #9483 • Fixed an issue where the IP header checksum was incorrect when reassembling packet fragments to a link with a different MTU #10189 Packet Capture • Changed Packet Capture GUI to allow multiple TCP/UDP ports to be specified #9766 • Added start time to Packet Capture display #9831 • Added OSPF/OSPFv3 to Packet Capture protocols #9905 • Fixed Packet Capture to match both IPv4+IPv6 CARP when that protocol is selected #9867 • Fixed Packet Capture for the pfsync protocol #10183 Routing • Fixed (Default) designation on routes to match the default route in the OS #9292 • Fixed static routes remaining in routing table after removal #9969 Rules / NAT • Fixed state kill ordering in rc.newwanip #4674 • Added the ability to search firewall logs by tracking ID #8703 • Added GUI option to disable default blocking of APIPA networks #9966 • Added more common ports to the firewall rule drop-down list #10166 • Added input validation to prevent selecting !* (“not any”) in source or destination #10168 • Fixed invalid rules generated when using NAT reflection with a negated destination #10246 S.M.A.R.T. • Updated the SMART page with new capabilities #9367 3.3. Older/Unsupported Releases 100
SNMP
• Fixed SNMP sysDescr contents to include hostname and patch version #9218

Traffic Shaping / Limiters
• Added input validation for Limiter delay values #9921
• Fixed the queue statistics parser to handle large values #9938

Translations
• Fixed an issue with international characters in configuration descriptions, which led to failures in certain cases, such as failing to set Manual Outbound NAT when the Language was set to pt_BR #6195
• Fixed a PHP error on system_advanced_admin.php when the language was set to French #10331

Upgrade / Installation
• Revised update check to provide a more consistent version string in JSON format #9778
• Disabled serial console on VGA memstick images #9488
• Fixed a PHP error when upgrading older configurations from revision 14.4 to 14.5 #9840

UPnP
• Fixed display of active UPnP sessions when configured with an alternate external address #9961

User Manager / Privileges
• Added input validation to prevent changing the authentication server name #9692
• Added privilege to manage integrated switches #9620
• Fixed privilege matching to handle JS anchor links #9550
• Removed wildcards incorrectly used in isAllowedPage() #9541
  – This issue could prevent a user in the admins group from reaching certain pages such as the User Manager.
• Improved Deny Config Write privilege handling in the User & Group Manager #9259
• Fixed input validation of group name sizes to allow longer remote groups #3792
• Fixed handling of L2TP and PPPoE user passwords containing invalid characters #10275
Web Interface
• Corrected input validation for firewall rule VLAN priority/set #9763
• Restricted Thoth tests to arm64 in status.php NG 2569
• Added kernel memory usage to status.php output #9705
• Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694 #9736 #9764
• Fixed a potential source of PHP errors when saving per-log settings #9540
• Added GUI components for MDS mitigation #9532
• Fixed integrated switch LAGG member editing on switch_ports.php #9447
• Fixed wizard.php selection option size attribute handling #8907
• Fixed platform detection for certain C2558/C2758 systems #6846
• Set autocomplete=new-password for forms containing authentication fields to help prevent browser auto-fill from completing irrelevant fields #9864
• Fixed processing of shortcuts for XML-based packages #9770
• Updated jQuery #9407
• Improved consistency of SSL/TLS references throughout the GUI #10172
• Updated various help references and links to use the pfSense book instead of external resources #10135 #10184

XMLRPC
• Fixed removal of the last ALTQ traffic shaping entry from the target system when performing an XMLRPC sync #9469
• Fixed removal of the last limiter entry from the target system when performing an XMLRPC sync #9468

2.4.4-p3 New Features and Changes

pfSense® software version 2.4.4-p3 addresses security and other issues found in 2.4.4-p2.

Tip: For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Warning: The upcoming pfSense release version 2.5.0 deprecates the built-in load balancer, and all related code has been removed as it is not compatible with FreeBSD 12. Plan migrations to alternate solutions such as the HAProxy package now. See the 2.5.0 release notes for more information.
Security / Errata
• Changed sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration pfSense-SA-19_02.sshguard #9223
• Fixed potential XSS vectors
  – pfSense-SA-19_01.webgui: Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294
  – pfSense-SA-19_03.webgui: Fixed potential XSS vector in status_filter_reload.php #9499
  – pfSense-SA-19_04.webgui: Fixed potential XSS vector in the WOL widget #9507
  – pfSense-SA-19_05.webgui: Fixed potential XSS vector in services_acb.php #9508
• Fixed privilege issues
  – pfSense-SA-19_06.webgui: Restricted edit access to OpenVPN-related advanced settings, and added a new privilege to delegate edit permissions #9511
  – pfSense-SA-19_07.webgui: Strengthened widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512
  – pfSense-SA-19_08.webgui: Strengthened the path privilege check to avoid a potential directory-traversal-like bypass method #9513
  – Added privileges for Auto Config Backup pages #9519
  – Updated privileges: added miscellaneous missing pages, removed obsolete pages
• Addressed FreeBSD Security Advisories:
  – FreeBSD-SA-19:03.wpa
  – FreeBSD-SA-19:04.ntp
  – FreeBSD-SA-19:05.pf
  – FreeBSD-SA-19:06.pf
  – FreeBSD-SA-19:07.mds
  – FreeBSD-EN-19:08.tzdata
• Added DNS over TLS host verification #8602
  – Configure hostnames for DNS over TLS servers under System > General
• sqlite updates #9205

Backup / Restore
• Fixed issues with output buffering causing configuration backup download failures #9390
• Fixed automatic package reinstallation after restoring config.xml from the installer #9214
• Force <enableserial> when restoring a backup on a device with a serial-only console
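The privilege fixes above (pfSense-SA-19_08.webgui, a "directory-traversal-like" bypass of the path privilege check, and #9541, wildcards wrongly used in isAllowedPage()) share one lesson: a page-level authorization check has to compare a canonical page name against an exact allow-list, not a raw request path against a prefix or pattern. The following is an added illustration of that class of check, written in Python for readability (pfSense's own check is PHP and is not reproduced here); the privilege names and page lists are made up for the example, and the "naive" function exists only to contrast the weak pattern with the exact-match one.

```python
"""Illustrative page-privilege check: canonicalize the requested path, then
require an exact match against the pages the user's privileges grant.
Not pfSense's isAllowedPage(); privilege names and pages are assumptions."""
from posixpath import normpath
from urllib.parse import urlsplit, unquote

# Assumed privilege -> page mapping (loosely modelled on "WebCfg - ..." style
# privileges; the names below are invented for this example).
PRIVILEGE_PAGES = {
    "page-status-dashboard": {"index.php"},
    "page-diagnostics-dns": {"diag_dns.php"},
    "page-system-usermanager": {"system_usermanager.php",
                                "system_usermanager_settings.php"},
}


def canonical_page(raw_url: str) -> str:
    """Reduce a requested URL to the bare page name the privilege table keys on.

    Drops scheme/host/query/fragment, percent-decodes, collapses '.' and '..'
    segments and duplicate slashes, and keeps only the final path component.
    An empty path is the site root, which serves index.php.
    """
    path = unquote(urlsplit(raw_url).path)
    # Anchor at "/" so ".." can never climb above the web root, then let
    # normpath fold "a/../b" into "b" and "//x" into "/x".
    path = normpath("/" + path.lstrip("/"))
    page = path.rsplit("/", 1)[-1]
    return page or "index.php"


def is_allowed_page(raw_url: str, user_privileges) -> bool:
    """Exact-match authorization: the canonical page must be in the union of
    pages granted by the user's privileges. No prefixes, no wildcards."""
    page = canonical_page(raw_url)
    allowed = set()
    for priv in user_privileges:
        allowed |= PRIVILEGE_PAGES.get(priv, set())
    return page in allowed


def naive_is_allowed_page(raw_url: str, user_privileges) -> bool:
    """Contrast only: a prefix test on the raw path treats anything that
    merely starts with an allowed page name as that page."""
    path = urlsplit(raw_url).path
    for priv in user_privileges:
        for page in PRIVILEGE_PAGES.get(priv, set()):
            if path.startswith("/" + page):
                return True
    return False


if __name__ == "__main__":
    privs = ["page-diagnostics-dns"]
    for url in ("/diag_dns.php", "/diag_dns.php/../system_usermanager.php"):
        print(url, "->", canonical_page(url),
              "exact:", is_allowed_page(url, privs),
              "naive:", naive_is_allowed_page(url, privs))
```

The exact-match version answers the same question for `/diag_dns.php/../system_usermanager.php` and `/system_usermanager.php` because both canonicalize to the same page; the prefix version does not, which is the shape of bypass the advisory describes. Percent-encoded dots are handled because decoding happens before normalization.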
Certificates
• Added missing countries from CA list on certificate pages #9308
• Fixed an error when adding a new user and choosing to generate a certificate #9317

DNS
• Fixed input validation on diag_dns.php to allow a trailing dot on hostnames #9276
• Removed non-functional tools links from diag_dns.php #9275
• Fixed rewriting of the DNS Resolver file remotecontrol.conf if it is present but empty #9470

Firewall Rules / NAT / Aliases
• Fixed intermittent pf errors when NAT reflection is enabled #9446
• Fixed reserved pf keyword matching when creating and editing aliases #9231
• Fixed duplicate entries showing on diag_tables.php from lockout tables #9359
• Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193
• Do not show scheduler icon when scheduler tag is empty

Gateways / Routing
• Fixed issues with the default IPv4 gateway set to a group failing after restart #9004

Interfaces
• Fixed PHP error from interface groups when editing QinQ entries

IPsec
• Fixed IPsec Phase 1 entries on upgrade to have their protocol field populated properly #9207

Operating System
• Fixed support for ZFS encrypted+mirrored swap #9281
• Fixed problems saving crash dumps when /var is a RAM disk #9409
Traffic Shaping
• Fixed a PHP error when loading a limiter that does not exist #9313
• Fixed limiter selection validation
• Fixed Queues menu items ending with “:” in certain languages #8970

WebGUI
• Numerous optimizations and improvements for status.php diagnostics output #9290
• Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
• Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50MiB #9239
• Added hostname to login page title if the user has enabled Show hostname on login banner #9096
• Centralized the list of country codes used by multiple areas #9308
• Updated translation files

XMLRPC
• Clarified conditions for synchronizing certificates in HA Sync options #9283

2.4.4-p2 New Features and Changes

pfSense® software version 2.4.4-p2 adds support for new Netgate hardware and corrects issues found with 2.4.4-p1.

Warning: For those who have not yet updated to 2.4.4-p1 or 2.4.4, consult the release notes and blog posts for those releases to read all important information and warnings before proceeding.

Miscellaneous
• Hardware support/improvements for Netgate products
• Fixed swap slice labeling in MBR mode and changed the way swap is located at boot time to detect and work around incorrect fstab swap labels created by the installer #9182
• Fixed handling of IPv6 name servers with nginx when using a certificate that requires OCSP stapling #9160
• Fixed handling of NPt rules using a /128 prefix #9163
• Fixed a PHP error in the Setup Wizard when dealing with static gateways #9170
• Updated Dynamic DNS to accommodate recent changes in the Digital Ocean API #9171
• Fixed OpenVPN RADIUS authentication use of calling_station_id #9178
• Fixed input validation that rejected certain valid hash algorithms when signing a CSR #9180
• Removed obsolete and unused OLSRD code #9117
2.4.4-p1 New Features and Changes

pfSense® software version 2.4.4-p1 corrects issues found with 2.4.4-RELEASE.

Security / Errata
• FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934
• FreeBSD Errata Notice FreeBSD-EN-18:10.syscall: NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)
• FreeBSD Errata Notice FreeBSD-EN-18:11.listen: Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)
• FreeBSD Errata Notice FreeBSD-EN-18:12.mem: Small kernel memory disclosures in two system calls (CVE-2018-17155)
• Fixed a potential authenticated command injection issue with PowerD settings pfSense-SA-18_09.webgui #9061
• Fixed handling of privileges on the All group that were previously ignored #9051

Warning: Check the privileges on the All group before upgrading. Privileges assigned to that group were not honored before this fix; after upgrading they will be, so any unintended privileges on the All group would apply to every account.

Certificates
• Fixed CRL lifetime errors due to 2038 rollover on 32-bit ARM platforms #9098
• Fixed date display of CA/Certificate validity ending dates after 2038 rollover on 32-bit ARM platforms #9100
• Fixed PHP errors when creating certificate entries #9099

DNS
• Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support #9059
• Fixed issues with the DNS search domain for the firewall being omitted from resolv.conf in certain cases #9056
• Fixed PHP errors in the DNS Forwarder #8967

Dynamic DNS
• Fixed an issue with FreeDNS Dynamic DNS sending an IP address with an update #8924
• Fixed issues with Custom (v6) Dynamic DNS logging a hostname error #8977
DHCP Server
• Fixed issues with DHCPv6 network boot settings #8949

Routing/Gateways
• Reduced the logging output of gateway change events #8914
• Fixed an issue with dpinger PID files causing it to get stuck in Pending status #8921
• Fixed display of a configured gateway monitor IP address when gateway monitoring is disabled #8953
• Fixed issues with double quotes in gateway descriptions causing a blank gateway drop-down on firewall rules #8962
• Fixed an issue where the default gateway was lost in certain cases with HA after a CARP VIP status transition #8465

IPsec
• Updated strongSwan to 5.7.1 #8898
• Added 0.0.0.0/0 to both sides of an IPsec VTI P2 to allow connections with third-party routed IPsec implementations that require its presence #8859
• Fixed boot-time handling of IPsec VTI static routes #9116
• Fixed IKEv2 EAP Identity/Client ID matching so that it is strictly performed, to avoid users getting incorrect per-user settings #9055
• Fixed handling of RADIUS server names containing a period (.) in the IPsec configuration with strongSwan 5.7.1 #9106
• Updated AWS IPsec wizard to use EC2 instance profiles and security groups, and switched the wizard from OpenBGPD to FRR

Interfaces/VIPs
• Fixed issues with DHCP client MTU causing interface configure loops when advanced options are present #8507
• Fixed issues with the Hyper-V hn(4) driver and ALTQ #8954
• Fixed issues with Hyper-V hn(4) interfaces dropping UDP6 traffic when transmit checksums were enabled #9019
• Fixed an issue with IGMP proxy failing to start on PPPoE interfaces #8935
• Fixed an issue with IPv6 Transmit checksums not being disabled when hardware checksums were set to be disabled #8980
• Updated mpd to 5.8_8 to address issues with Orange MTU #8995
• Fixed PPPoE service name checks to allow : and other alphanumeric characters #9002
• Fixed PHP errors when creating QinQ entries #9109
• Fixed the MAC address shown when editing a LAGG entry to always show the hardware MAC for each NIC and not the currently active address, which is no longer accurate for LAGG members #8937
• Fixed a PHP error when setting an interface address to act as a DHCP server from the console, when no other DHCP servers are already configured #9144
• Fixed a situation where editing a VLAN interface caused all other VLAN interfaces with the same parent to be reconfigured, which led to several other issues #9115

Warning: Editing a VLAN parent interface can still cause problems. If this becomes an issue on a firewall, consider moving from using the untagged parent to having that traffic be tagged so that the parent interface is not assigned or in use. #9154
Known issues include:
  – PPPoE instances on VLANs will not reconnect after the interface is reconfigured #9148
  – VLAN interfaces that use IPv6 tracking may lose their addresses #9136

Hardware/Platform
• Fixed handling of EFI console when a device boots from UEFI, where vidconsole is not valid #8978
• Fixed PHP errors in switch configuration on platforms including integrated switches
• Added support for SG-5100 hardware watchdog

Note: Enable the Watchdog daemon under System > Advanced on the Miscellaneous tab, then reboot and enable it in the BIOS with a timeout longer than the timeout configured in the GUI.

User Management / Authentication
• Fixed handling of privileges on the All group that were previously ignored #9051

Warning: Check the privileges on the All group before upgrading. Privileges assigned to that group were not honored before this fix; after upgrading they will be, so any unintended privileges on the All group would apply to every account.

• Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection #8864
• Added an option to enable SSH agent forwarding (disabled by default) #8590
• Fixed inconsistencies with ssh settings in the configuration #8974
• Fixed PHP errors with ssh settings #8606
• Added support for LDAP client certificates on authentication servers (Factory only) #9007
• Fixed an issue with Local Database authentication when using non-English languages in certain cases, such as with Captive Portal #9086
Captive Portal
• Fixed Captive Portal RADIUS NAS Identifier default values to include the zone name #8998
• Restored the ability to set a custom NAS Identifier on Captive Portal RADIUS settings #8998
• Fixed issues with Captive Portal logout popup #9010
• Fixed handling of the login page displayed when RADIUS MAC Authentication fails #9032
• Fixed username sent in RADIUS accounting with MAC-based authentication #9131
• Fixed an issue with the blocked MAC address redirect URL #9114

WebGUI / Dashboard
• Fixed nginx restart handling when toggling GUI web server options under System > Advanced, Admin Access tab
• Fixed empty crash reports after upgrade #8915
• Added CDATA protection to common name fields so they can safely contain international characters #9006

Firewall Rules / Aliases / NAT
• The filterdns daemon has been rewritten, solving a number of issues with the old implementation, including:
  – Fixes filterdns triggering every 16 seconds even when DNS records have not changed #7143
  – Fixes invalid FQDN entries in aliases causing an alias table to fail silently #8001
  – Fixes filterdns failing on a regular basis #8758
• Fixed /etc/rc.kill_states not correctly parsing pfctl output #8554
• Fixed formatting of alias names to still wrap but not replace underscores #8893
• Fixed PHP errors from filter_rules_sort() when a configuration contains no rules #8993
• Fixed PHP errors when creating schedules #9009
• Fixed PHP errors when creating entries on NAT pages #9080
• Fixed PHP errors from easyrule when no aliases are present #9119
• Fixed “Drag to reorder” description in rule list when rule drag-and-drop is disabled #9128

Traffic Shaping (ALTQ/Limiters)
• Fixed issues with Limiter queue display on upgraded configurations #8956
• Fixed the default limiter scheduler to match previous version (WF2Q+) #8973
• Added scheduler information to the limiter information page #8973
Packages
• Fixed issues with package installation causing problems when crossing major PHP versions #8938
• Fixed PHP errors when installing packages #9067

Backup/Restore
• Added schedule (cron) support to AutoConfigBackup #8947
• Fixed issues with AutoConfigBackup restoring a configuration from a different host #8901
• Fixed the AutoConfigBackup menu from the deprecated package still showing when the package is no longer present #8959
• Fixed an issue with Reinstall Packages hanging when run from Diagnostics > Backup & Restore #8933
• Fixed issues with multiple <rrddata> tags in config.xml #8994
• Fixed a race condition in package operations after a configuration restore that could lead to no packages being reinstalled #9045
• Fixed issues with the External Config Locator not finding a config.xml in /config #9066
• Fixed an issue where packages may not be reinstalled during a configuration restore performed immediately after a fresh install #9071
• Fixed a stream_select() error when restoring packages #9102

Wake on LAN
• Fixed issues with ordering of entries in Wake on LAN #8926
• Added top control buttons to Wake on LAN for Add and Wake all Devices when there are more than 25 entries #8943

NTP
• Fixed issues with NTP status when using noquery in the default permissions along with a specific ACL for localhost #7609

Logging / Notifications
• Fixed an issue with log file sizes >= 2^32/2 #9081
• Fixed PHP errors when saving log settings #9095
• Added a checkbox to disable TLS certificate verification for SMTP notifications #9001
Install/Upgrade
• Added a FAT partition to the installer memstick to make it easier to restore a config.xml file during the install process. Also includes a copy of the license and a README. #9104
• Fixed PHP errors in upgrade code for IPsec #9083

Miscellaneous
• Fixed HTTPS proxy authentication support for connections on the firewall itself #9029
• Clarified wording of Kernel PTI options on System > Advanced, Miscellaneous tab #9026
• Added a Save button to Status > Traffic Graphs to store default settings to use when loading the page #8976
• Added support for nvme controllers to the S.M.A.R.T. diagnostics page #9042

2.4.4 New Features and Changes

Significant Changes

OS Upgrade
  Base Operating System upgraded to FreeBSD 11.2-RELEASE-p3. As a part of moving to FreeBSD 11.2, new hardware support is included for C3000-based hardware.

PHP 7.2
  PHP upgraded to 7.2, which required numerous changes to syntax throughout the source code and packages.

Routed IPsec (VTI)
  Routed IPsec is now possible using FreeBSD if_ipsec(4) Virtual Tunnel Interfaces (VTI). #8544 (See also: Routed IPsec (VTI))

IPsec Speed Improvements
  The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware #8772

Default Gateway Group
  The default gateway may now be configured using a Gateway Group setup for failover (each gateway on a different tier), which replaces Default Gateway Switching. #8187

Limiter AQM/Queue Schedulers
  Limiters now include support for several Active Queue Management (AQM) methods and Queue Scheduler configurations such as FQ_CODEL. #6620 (See also: pfSense PR #3941)

Certificate Subject Requirements
  The Certificate Manager and OpenVPN wizard now only require the Common Name to be set, and all other fields are optional. #8381

AutoConfigBackup is free!
  AutoConfigBackup is now integrated and free for all to use. (See also: Using the AutoConfigBackup Service)

DNS over TLS
  The DNS Resolver now includes support for DNS over TLS as both a client and a server, including for domain overrides. #8388 #8030 #8431

Captive Portal Authentication
  Captive Portal authentication is now integrated with the User Manager system. Captive Portal instances may now use RADIUS, LDAP, or Local Authentication like other integrated services. The firewall will migrate existing Captive Portal RADIUS settings to the User Manager automatically on upgrade.

Captive Portal HTML Design and Usability
  The default Captive Portal page has been redesigned. Controls have also been added which allow for the logo and background images and Terms of Service text to be customized without editing and uploading custom HTML code. #8793
Integrated Switch Improvements
  Netgate devices with integrated switches such as the SG-3100 and XG-7100 can now configure per-port speed and duplex settings, discrete port configuration interfaces can now be tied to switch ports for up/down status, and LAGG support is also now available (Load Balance mode only)

Security
• FreeBSD SA for CVE-2018-6922: Resource exhaustion in TCP reassembly FreeBSD-SA-18:08.tcp
• FreeBSD SA for CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault (L1TF) Kernel Information Disclosure FreeBSD-SA-18:09.l1tf
• FreeBSD SA for CVE-2018-6923: Resource exhaustion in IP fragment reassembly FreeBSD-SA-18:10.ip
• FreeBSD SA for CVE-2018-14526: Unauthenticated EAPOL-Key Decryption Vulnerability FreeBSD-SA-18:11.hostapd
• FreeBSD SA for CVE-2018-6924: Improper ELF header parsing FreeBSD-SA-18:12.elf
• FreeBSD errata notice for LazyFPU remediation causing potential data corruption FreeBSD-EN-18:08.lazyfpu
• Fixed a potential XSS vulnerability via GUI rule separators pfSense-SA-18_06.webgui #8654
• Fixed a potential XSS via custom GUI/dashboard settings pfSense-SA-18_07.webgui #8726
• Fixed a potential authenticated ACE vulnerability pfSense-SA-18_08.webgui #8843
• Upgraded strongSwan to 5.6.3 to address a buffer underflow leading to denial of service (CVE-2018-5388) #8746
• Updated default cryptographic settings for OpenVPN, IPsec, and Certificates #8594
• Changed the included DH groups to those defined in RFC 7919 #8582
• Added stronger IPsec Pre-Shared Key usage warnings, and a button to generate a secure PSK #8667
• Disabled OpenVPN compression by default on new instances for security reasons due to VORACLE
  – Users should strongly consider disabling compression on OpenVPN instances if they pass unencrypted data such as HTTP to arbitrary Internet sites #8788
• Patched OpenSSH for CVE-2018-15473, username enumeration/disclosure through malformed packets.
• Changed from sshlockout_pf to sshguard for monitoring failed logins and locking out offenders, this allows the lockout to work on IPv4 and IPv6 and also terminates states when adding offenders to the block list #7694 #7695

Errata

Warning: Third party packages from alternate repositories are causing problems for users with the upgrade process and also with post-upgrade behavior. These packages have never been supported, and had to be manually added by users outside of the GUI. Due to the major changes required for FreeBSD 11.2 and PHP 7.2, third party packages from alternate repositories cannot be present during the upgrade. There is no way to predict if a third party package supports the new version or will cause the upgrade itself to fail. The upgrade process will automatically remove pfSense-pkg-* packages installed from alternate repositories. After the upgrade completes, the user can reinstall these packages. Packages from alternate repositories will not appear in the Installed Packages list in the GUI, and must be entirely managed in the command line.
This change does not affect packages installed from the official pfSense® package repository.

• Removed options for the deprecated FEC LAGG Protocol #8734

Certificates
• Changed the Certificate Manager and OpenVPN wizard to only require the Common Name for the CA/Cert subject #8381
• Updated default cryptographic settings for Certificates #8594
• Added support for OCSP Must-Staple certificates in the GUI (and ACME package) #8418
• Changed CRL support from using an abandoned PHP OpenSSL module patch to a pure PHP implementation compatible with PHP 7.2 #8762
• Fixed issues with several areas not properly parsing CA fields when they were not in the expected order #8801
• Changed the default CA and Certificate create action from “Import...” to “Create an internal...” #8851

DNS
• Added DNS over TLS for upstream forwarders to the DNS Resolver #8388
• Added DNS over TLS server support to the DNS Resolver #8030
• Added DNS over TLS options for DNS Resolver Domain Override #8431
• Fixed editing DNS Resolver ACLs in non-English languages #8539
• Added a DNS Resolver status page #8430
• Clarified that “Register DHCP leases in the DNS Resolver” only works for IPv4 addresses #8592
• Added IPv6 representation of IPv4 addresses in DNS Resolver DNS Rebinding checks #8750
• Fixed disabling the DHCP Server on interfaces when the DNS Resolver DHCP Registration option is enabled (Only one enabled interface is required) #8120
• Added advanced option for qname-minimization to the DNS Resolver #8028
• Fixed an issue with IDs when editing or deleting DNS Forwarder host override entries #8767

Dynamic DNS
• Added Dynamic DNS client for DigitalOcean DNS #8478
• Fixed Dynamic DNS clients usage of custom check IP services #8664
• Added Dynamic DNS client for Azure #7769
• Updated DNSimple Dynamic DNS client to use DNSimple API v2 #8071
• Fixed handling of username and password fields for custom Dynamic DNS entries #8782
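The DNS Resolver item #8750 above (IPv6 representation of IPv4 addresses in the DNS Rebinding checks) addresses a gap that is easy to overlook: a rebinding filter that lists 192.168.0.0/16 but not ::ffff:192.168.0.0/112 will pass an AAAA answer of ::ffff:192.168.1.10, which a dual-stack client treats as the same host. The following is an added example, not Unbound's or pfSense's code, showing the check with the mapped form unwrapped before comparison, and emitting the Unbound private-address: lines (a real Unbound option) with the mapped equivalent beside each IPv4 network. The local network list and the sample answers are constructed for the example.

```python
"""DNS rebinding guard that treats IPv4-mapped IPv6 (::ffff:a.b.c.d) as the
IPv4 address it wraps. Added illustration; not the DNS Resolver's own code.
LOCAL_NETWORKS is an assumed list of networks the firewall protects."""
import ipaddress

# Assumed: networks whose addresses must never appear in answers for public
# names (RFC 1918, loopback, link-local, ULA). Example values.
LOCAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00::/8"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("::1/128"),
]


def unwrap_mapped(addr):
    """Return the IPv4 address inside an IPv4-mapped IPv6 address; otherwise
    return the parsed address unchanged."""
    a = ipaddress.ip_address(addr)
    if a.version == 6 and a.ipv4_mapped is not None:
        return a.ipv4_mapped
    return a


def is_rebinding_address(addr) -> bool:
    """True if the answer address (after unwrapping) falls in a local network.
    ipaddress returns False for a v4 address tested against a v6 network and
    vice versa, so mixed-version lists are safe."""
    a = unwrap_mapped(addr)
    return any(a in net for net in LOCAL_NETWORKS)


def filter_answers(answers):
    """Split a list of answer addresses into (kept, dropped); dropped are the
    ones a rebinding attack would plant under an attacker-controlled name."""
    kept, dropped = [], []
    for ans in answers:
        (dropped if is_rebinding_address(ans) else kept).append(ans)
    return kept, dropped


def unbound_private_address_lines():
    """Emit 'private-address:' lines for Unbound. Each IPv4 network is followed
    by its IPv4-mapped IPv6 equivalent (prefix length + 96) so Unbound drops
    both spellings of the same address."""
    lines = []
    for net in LOCAL_NETWORKS:
        lines.append(f"private-address: {net}")
        if net.version == 4:
            mapped = ipaddress.ip_network(
                f"::ffff:{net.network_address}/{96 + net.prefixlen}")
            lines.append(f"private-address: {mapped}")
    return lines


if __name__ == "__main__":
    # Constructed sample answers for a single public name.
    sample = ["93.184.216.34", "::ffff:10.1.2.3", "fe80::1", "2001:db8::1"]
    print(filter_answers(sample))
    print("\n".join(unbound_private_address_lines()))
```

Run stand-alone, the script shows the mapped 10.1.2.3 and the link-local address dropped while the two public addresses are kept, and prints a private-address block suitable for an Unbound server: section. The printed form of the mapped networks (::ffff:a00:0 or ::ffff:10.0.0.0) depends on the Python version; Unbound accepts either.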
Routing/Gateways
• Added the ability to set a Gateway Group as the default gateway. #3781 #8187
• Extended the maximum Gateway monitoring Probe Interval #8593
• Fixed handling of Gateway Group Trigger Level #8586
• Fixed inconsistency in display and usage of units for Gateway latency #8477
• Upgraded FRR to 5.0.1 for compatibility with FreeBSD 11.2 #8449
• Fixed FRR BGP MD5 support #8407
• Fixed handling of Router Advertisement preferences #6237

IPsec
• Added routed IPsec using FreeBSD if_ipsec(4) VTI #8544
• Added a GUI option to the IPsec Advanced Settings tab for Asynchronous Cryptography which can dramatically improve IPsec crypto operation performance on multi-core hardware #8772
• Added IPsec identifiers to Status > IPsec #8598
• Fixed a JavaScript variable issue in IPsec IKE Phase 1 causing the Key Length field to be blank in some browsers such as IE #8543
• Added IPsec mobile client options to configure different (virtual) IP addresses per user #8292
• Added IPsec mobile client options to configure different DNS servers per user #8644
• Updated default cryptographic settings for IPsec #8594
• Changed the default behavior of an IPsec Phase 1 to rekey as needed #8540
• Fixed handling of per-user IPsec rules from an authentication server #8765
• Added warnings and hints to IPsec encryption and hash choices about potentially insecure selections #8766
• Fixed an issue with handling IP Alias VIPs with CARP parent after an interface up/down event #8768

OpenVPN
• Disabled compression by default for new OpenVPN client and server instances for security reasons #8788
• Changed OpenVPN Authentication to use an asynchronous authentication plugin which avoids stalling server traffic during the authentication process, especially noticeable on down/broken authentication servers #7905
• Fixed display of Bridge Route Gateway options on OpenVPN tap bridge servers #8658
• Fixed handling of LDAP fields in the OpenVPN wizard and brought the options in line with current LDAP server options #8605
• Updated default cryptographic settings for OpenVPN #8594
• Added missing OpenVPN compression options (stub-v2 and plain compress) #8788
DHCP Server
• Fixed validation of custom DHCP options #8534
• Fixed a situation where DHCPv6 was configured for LAN when the LAN interface was not assigned #8048
• Fixed an issue with XMLRPC synchronization of DHCP static mappings #8721

Interfaces / VIPs
• Removed IPv4 and IPv6 settings from the Interface configuration for assigned OpenVPN/GIF/GRE/Routed IPsec instances, since the IP addresses are managed by the parent config not interfaces.php #8687
• Fixed an HTTP_REFERER issue when changing the LAN IP address in the Setup Wizard #8524
• Fixed an HTTP_REFERER issue when changing an interface IP address while accessing the GUI from the same interface #8822
• Fixed handling of the FreeBSD 11.2-BETA dhclient MTU value #8507
• Added PPPoE multi-link over single link to allow users with a supported provider to have a larger MTU #8737
• Fixed a PPPoE MTU issue with ORANGE FR #8595
• Fixed QinQ interface assignment #8446
• Fixed radvd/IPv6 when using a LAN bridge #8429
• Fixed deleting IP Alias VIPs outside an interface subnet where a gateway exists in the same subnet #4438
• Fixed handling of IP Alias and CARP VIP subnet mask/prefix autodetection #8741
• Fixed a panic in IPv6 fragment logging #8499
• Fixed handling of DHCP option 77 in the DHCP client #7425
• Fixed deleting Interface Group members which are disabled #8800
• Fixed MAC address spoofing for bridge interfaces #8138
• Fixed an issue with string termination when creating interfaces through the pfSense PHP module #8683
• Fixed an issue where changing a LAGG could cause a VLAN using that LAGG as a parent interface to lose its association with the LAGG #8527

Integrated Switches
• Added GUI controls to configure LAGG on integrated switch ports (Load Balance mode only)
• Added GUI controls to configure Speed/Duplex for switch ports on integrated switches
• Added the ability to tie the status of an assigned VLAN interface to a switch port for integrated switches
• Added Switch Status to status.php for platforms with a switch #8525
• Fixed an issue switching between Port VLAN and 802.1q VLAN mode on integrated switches #8422
• Fixed an SNMP error on hardware with integrated switches #8600
• Added Preserve Switch Configuration option when restoring config.xml to keep the current active switch settings instead of those from the imported configuration to help with hardware transitions
Hardware/Platform
• Added support for the new SG-5100
• Fixed an issue with ARM hardware not completely halting when shut down (SG-3100 and SG-1000)
• Fixed HDMI hotplug issues on Minnowboard Turbot hardware (MBT-2220 and MBT-4220)
• Fixed SG-1000 autonegotiation for 10baseT speed and duplex #7532
User Management / Authentication
• Added a visible warning to the user when the default password has not been changed #8596
• Fixed configuration descriptions for user management operations and added logging #8548
• Fixed escaping of LDAP search parameters #8626
• Fixed an OS issue with adding a group to a user when creating the user #8553
• Fixed handling of LDAP bind credentials #8583
• Removed some legacy code from auth.inc #8742
• Fixed Group selections after an input error in the User Manager #8622
• Fixed inconsistent usage of sshdkeyonly in system_advanced_admin.php #8403
• Added an SSH configuration option to require both Key and Username+Password authentication at the same time #8402
• Replaced radius.inc with pear-Auth_RADIUS #7024
• Fixed synchronization of User Manager group scope and operating system groups #7013
• Fixed logging and display of the GUI user authentication source IP address when the user logs in through a proxy #8813
• Fixed logging and display of GUI user authentication sources to show which source authorized the login (e.g. LDAP, RADIUS, Local, Fallback) #8816
Captive Portal
• Integrated Captive Portal authentication into the User Manager to enable support for LDAP #5112
• Updated Captive Portal HTML/CSS to a modern design and added controls to customize images and ToS without uploading custom HTML #8793
• Fixed deleting Allowed Hostnames and Allowed IP Addresses entries in Captive Portal when a zone is disabled #8530
• Added support for setting Captive Portal traffic quotas #8202
• Added display of a custom username when Captive Portal is set to None for the authentication type #8361
• Changed handling of Called-Station-Id/Calling-Station-Id to send a MAC address instead of an IP address when using RADIUS authentication #4294
• Changed to a standardized NAS-Identifier when using RADIUS authentication #3686
• Corrected accounting updates not being sent when expected #8655
• Fixed an issue with XMLRPC synchronization of Captive Portal settings #8806
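The LDAP search parameter escaping fix (#8626) in the list above addresses a general class of bug: a user-supplied value spliced into an LDAP filter string without escaping, so that filter metacharacters in the value change what the query matches. The block below is an added example and not pfSense's own authentication code; it shows the unsafe construction beside one that uses PHP's ldap_escape() with LDAP_ESCAPE_FILTER. The function names, the uid attribute and the sample inputs are the example's own assumptions.

```php
<?php
// Added example (not pfSense code): building an LDAP search filter from a
// user-supplied username. Requires the PHP ldap extension for ldap_escape().
declare(strict_types=1);

// Unsafe: the raw value is spliced into the filter. A username such as
// "*" or "admin)(|(objectClass=*" changes the filter's meaning.
function build_user_filter_unsafe(string $attr, string $username): string
{
    return "(&(objectClass=person)({$attr}={$username}))";
}

// Safe: the attribute name is restricted to a plain identifier, and
// ldap_escape() with LDAP_ESCAPE_FILTER replaces the RFC 4515 filter
// metacharacters ( ) * \ and NUL with \XX hex escapes, so the value can
// only ever match literally.
function build_user_filter_safe(string $attr, string $username): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
        throw new InvalidArgumentException("invalid attribute name: {$attr}");
    }
    $escaped = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return "(&(objectClass=person)({$attr}={$escaped}))";
}

// Constructed inputs for demonstration (not real account names).
$inputs = [
    'alice',                    // ordinary value: both forms agree
    '*',                        // wildcard: the unsafe filter matches everyone
    'admin)(|(objectClass=*',   // closes the clause and ORs in a match-all
];

foreach ($inputs as $name) {
    printf("input:  %s\nunsafe: %s\nsafe:   %s\n\n",
        $name,
        build_user_filter_unsafe('uid', $name),
        build_user_filter_safe('uid', $name));
}
```

Run with `php` on a host that has the ldap extension loaded; no directory server is contacted, since the script only builds the filter strings. The third input shows the point: unescaped, it turns a lookup of one account into a filter that matches every object, which is exactly the kind of clause an authentication lookup must never accept.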
WebGUI / Dashboard
• Enabled HTTP/2 for the Web GUI server #8552
• Updated the text and links in the HTML footer #8733
• Fixed display of available swap with multiple swap disks in the System Information Dashboard widget #8587
• Updated text in the Setup Wizard #8753
• Moved the simplepie RSS reader code to a FreeBSD port for easier updates #6998
• Fixed handling of the Inverse option in the Traffic Graphs Dashboard Widget #8367
• Fixed issues with the GUI following upgrade progress #8519
• Added a line to display the current GUI user viewing the Dashboard in the System Information Widget #8817
Firewall Rules / NAT / Shaping
• Added CoDel, FQ-CoDel, PIE and FQ-PIE AQMs to limiters #6620
• Fixed firewall ruleset errors related to VIPs and outbound rules #8518 #8408
• Added validation for IPv6 NPt input #8575
• Fixed a race condition in NAT reflection filter rules that could lead to a ruleset load failure #8604
• Fixed viewing the list of Port Forwards when a user only has the “WebCfg - Firewall: NAT: Port Forward” privilege #8563
• Fixed an issue with default field selection when editing Firewall Rules #8597
• Added code to prevent nested alias loops #8101
• Added interface groups support for NAT rules #1933
• Fixed a case where invalid IPv6 NAT rules could be generated #8437
• Fixed a case where IPv6 Neighbor Discovery and other similar valid messages sent from the unspecified address (::) were not allowed by default #8791
• Added Select All functionality to firewall and NAT rules #8812
• Fixed the IPv6 address form field format tooltip #8834
Packages
• Fixed a situation where the firewall would get stuck attempting to reinstall packages after restoring a configuration when there is no Internet connection #7604
• Added a new tag for package services, <starts_on_sync/>, to allow packages to declare that they start themselves during the sync process, which lets packages opt out of a (second) forced start at boot and during interface events #8850 (see also #8620)
Miscellaneous
• Fixed display of stored Load Balancer custom settings #8704
• Fixed handling of loader.conf and loader.conf.local so it will not remove customized options that override defaults #8571
• Fixed the restoration process for a config.xml from USB during install to remove RRD data so that the data does not indefinitely stay in config.xml #7634
• Fixed handling of special characters in L2TP user passwords #7623
• Fixed handling of sample bounds with custom timer periods on Status > Monitoring #6477
• Changed the crash reporter so that users can download the reports locally rather than submitting to a server #8764
• Added more redacted XML tags to status.php #8819
• Changed status.php to use ifconfig -va to show more detail, including attached SFP devices with certain network interface drivers #8860

2.4.3-p1 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• FreeBSD SA for CVE-2018-8897 FreeBSD-SA-18:06.debugreg
• FreeBSD EN for CVE-2018-6920 and CVE-2018-6921 FreeBSD-EN-18:05.mem
• Fixed a potential LFI in pkg_mgr_install.php pfSense-SA-18_04.webgui #8485
• Fixed a potential XSS in pkg_mgr_install.php pfSense-SA-18_05.webgui #8486
Misc
• Added a check to avoid creating route-to rules for proxy ARP addresses
• Corrected alias name input validation text referring to well-known and registered ports #8409
• Corrected the list of pf reserved keywords to prevent aliases from using invalid custom names #8445
• Fixed an issue with Captive Portal access rules being left behind on disconnect #8441
• Fixed an issue with pressing Enter in the filter field of diag_pftop.php #8494
• Fixed an issue with invalid rules generated due to the presence of IPv6 Alias VIPs #8408
• Fixed an issue with IPsec mobile Pre-Shared Keys and iOS devices #8426
• Fixed an issue with selecting a gateway when switching a firewall rule away from IPv4+IPv6 mode #8447
• Fixed firewall rules generated by the OpenVPN wizard #8391
• Fixed handling of OpenVPN RADIUS attribute firewall rules #8480
• Fixed handling of XMLRPC user/group synchronization when that section is disabled on the primary #8450
• Fixed input validation to allow named services to be used in firewall rules rather than numbers alone #8410
• Fixed issues with IP alias VIPs on Localhost at boot time #8393
• Increased the default Firewall Maximum Table Entries value to 400000 to cope with the increased size of the IPv6 bogon address lists #8417
• Updated SimplePie RSS to 1.5.1 #8423
• Added more fields to the list that status.php uses to redact private information #8394

2.3.5-p2 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• FreeBSD SA for CVE-2018-8897 FreeBSD-SA-18:06.debugreg
• FreeBSD EN for CVE-2018-6920 and CVE-2018-6921 FreeBSD-EN-18:05.mem
• Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
• Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
• Fixed a potential LFI in pkg_mgr_install.php #8485 pfSense-SA-18_04.webgui
• Fixed a potential XSS in pkg_mgr_install.php #8486 pfSense-SA-18_05.webgui
• Changed sshd to use delayed compression #8245
• Added encoding for firewall schedule range descriptions #8259
Misc
• Added an option to disable HSTS for the GUI web server #6650
• Added filtering to the pfTop page
• Added ospf6d to the routing log
• Changed get_interface_subnet() to use the configured value if available
• Corrected the sethelp call on firewall_rules_edit.php #8242
• Fixed an issue with selecting a gateway when switching a firewall rule away from IPv4+IPv6 mode #8447
• Fixed an issue with the address family selection for remote syslog servers using IPv6 #8323
• Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP address #8239
• Fixed config.xml corruption handling
• Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275 (https://redmine.pfsense.org/issues/8275)
• Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
• Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
• Fixed selection of IPv6 gateways when creating a new firewall rule #8053
• Fixed various pf “busy” errors when the ruleset is reloaded
• Improved handling of aliases that mix IP addresses and FQDNs #8290
• Improved update repository controls
• Increased the default Firewall Maximum Table Entries value to 400000 to cope with the increased size of the IPv6 bogon address lists #8417

2.4.3 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• FreeBSD-SA-18:01.ipsec
• Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
• IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
• Added a CPU Microcode update mechanism (cpuctl module, sysutils/devcpu-data port)
• Imported a FreeBSD patch to fix boot issues when running as a hypervisor guest on AMD Family 15h processors (FreeBSD PR #213155)
• Added validation for RRD parameters to ensure passed filenames are valid #8269
• Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
• Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
• Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
• Fixed a potential CSRF issue in service control request processing #8296
• Enabled CSRF protection for all dashboard widgets #8301
• Added encoding for firewall schedule range descriptions #8259
• Changed sshd to use delayed compression #8245
• Increased PHP-FPM resources on systems with over 1GB RAM to improve performance #8125
• Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, especially on the Dashboard #8237
• Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249
• Hardware support for the XG-7100, including:
  – C3000 NIC support (factory installations only)
  – C3000 SoC support (factory installations only)
  – Marvell 88E6190 switch support (factory installations only)
Traffic Shaping / Limiters
• Fixed hangs due to Limiters and pfsync in HA #4310
• Added the Chelsio cxl driver to the list of ALTQ capable interfaces #7607
• Fixed an issue with limiters that had fractional bandwidth values #8091
• Changed status_queues.php to provide ‘realtime’ statistics #8185
IPsec
• Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family #6886
• Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups #8186
• Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP address #8239
• Added IPv6 LAN Network to the IPsec LAN bypass list #8321
OpenVPN
• Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
• Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
• Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
• Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an interface #6848
• Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
• Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
• Added the interface for a VPN to the OpenVPN client and server list screens
Notifications
• Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time #4031
• Added a notification when the firewall boot sequence is complete #7643
Dashboard
• Fixed issues with the IPsec dashboard widget that caused GUI failures #6318
• Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
• Fixed a reference to the deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
• Added a setting to the temperature widget to display readings in Fahrenheit #8205
• Changed the picture widget so the picture is stored on the firewall filesystem and not in config.xml to reduce the size of backup data #8371
  – On upgrade, pictures will be moved out of config.xml, so back up this file separately if it is important
DHCP
• Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
• Added DDNS Client Updates option to DHCPv4 #7131
• Fixed handling of the DHCPv6 DDNS reverse zone key #6319
• Fixed DHCPv4 static mappings so that multiple MACs for the same DHCP address or hostname are allowed #8220 (https://redmine.pfsense.org/issues/8220)
• Fixed a potential issue in detecting the primary/secondary node in a failover configuration
• Improved DHCP relay destination interface discovery
• Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database #7413
Dynamic DNS
• Added an option for the RFC 2136 Dynamic DNS server key algorithm #8244
• Added an option for the RFC 2136 source address used to send updates #8278
• Fixed issues with Dynamic DNS updates using a gateway group when the primary route is down #8333
• Added GoDaddy Dynamic DNS provider
Interfaces / VIPs
• Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
• Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
• Fixed issues with radvd being enabled on a disconnected interface #6974
• Fixed issues with rtsold on VLAN interfaces #7412
• Fixed issues with dhcp6c lock files after unclean shutdown when using “Do not wait for an RA” on an IPv6 WAN interface #8106
• Added a feature to allow PPPoE on a CARP VIP so it will only be active on whichever node is master #8184
• Fixed an error when editing PPP interfaces on a system with no VIPs #8322
• Added VLAN priority tagging for DHCPv6 client requests #8200
• Added support for configuring the DUID type for IPv6 interfaces #8191
• Allow a custom INIT string for PPP modem SIM PIN and APN settings
• Added an indicator for disabled interfaces on status_interfaces.php
• Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
• Fixed an issue where the combination of CARP with bridging could lead to a deadlock #8056
Packages
• Fixed the reinstall process for missing packages #8183
Captive Portal
• Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
• Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
• Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node is master #8317
• Fixed Captive Portal voucher synchronization between HA nodes #7972
Certificates
• Fixed automatic SAN handling when the CN of a certificate contains a space #8252
• Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275
Gateways/Routing
• Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0 #7502
• Added ospf6d to the routing log
• Allow recursive aliases to be used with static routes
Rules/NAT
• Fixed various pf “busy” errors when the ruleset is reloaded
• Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings #8219
• Added an option to disable drag-and-drop of firewall and NAT rules
• Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset
• Added the firewall rule tracking ID to the rule list (in the counter tooltip) and to the firewall rule edit page #8348
• Fixed cases where automatic or scripted rules were not getting tracking IDs #8353
• Added a check to prevent automatic outbound firewall rules with missing information from being added to the ruleset #8360
Users/Authentication
• Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes #7469
• Fixed an issue where a user with no privileges could not log out #8297
• Increased the maximum username length from 16 to 32 characters to catch up to the current allowed length in FreeBSD
• Fixed required field markings on LDAP authentication server configuration fields #8337
• Fixed display of the LDAP host when testing the GUI authentication source #8338
Misc
• Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
• Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
• Fixed a reference to an undefined function while restoring a config.xml file from an older version #8231
• Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
• Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
• Fixed an issue with the address family selection for remote syslog servers using IPv6 #8323
• Silenced warnings from sysctl that otherwise went to stderr
• Added a disk size check to ZFS to prevent it from being used on disks which are too small to contain the OS and swap space #7308
• Added a check to prevent pfSense-upgrade from running as a non-root user #7762
• Added an option to disable the IGMP Proxy service #8356
• Fixed an issue with package handling when restoring a configuration that contains a branch configuration that is not valid for the target system version #8208

2.4.2-p1 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• Updated OpenSSL to address CVE-2017-3737 and CVE-2017-3738 FreeBSD-SA-17:12.openssl
• Fixed a potential authenticated command execution issue in certificate data handling #8153 pfSense-SA-17_10.packages.asc
• Fixed a potential XSS issue in status_filter_reload.php #8143 pfSense-SA-17_11.packages.asc
Misc
• Fixed an issue with the subnet mask not being preserved properly when editing existing 1:1 NAT entries #8112
• Fixed an indexing issue when deleting Host Override entries from the DNS Forwarder #8159
• Fixed logging for L2TP and PPPoE server login/logout events #8164
• Removed ix from the ALTQ interface list since ALTQ support for the ix driver is not currently viable #7378
• Fixed a premature session timeout issue on pages which update exclusively using AJAX, such as status_graph.php #8116
• Fixed ping_hosts.sh so it does not unnecessarily run a CARP check when there are no IPsec hosts to ping #8172
• Fixed a missing global variable declaration in interface IP address detection
• Fixed issues with local authentication when using translated languages

2.4.2 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• Updated to OpenSSL 1.0.2m to address CVE-2017-3736 and CVE-2017-3735
• FreeBSD-SA-17:10.kldstat
• FreeBSD-SA-17:08.ptrace
• Fixed a potential XSS vector in status_monitoring.php #8037 pfSense-SA-17_07.packages.asc
• Fixed a potential XSS vector in diag_dns.php #7999 pfSense-SA-17_08.webgui.asc
• Fixed a potential XSS vector on index.php via widget sequence parameters #8000 pfSense-SA-17_09.webgui.asc
• Fixed a potential XSS in the widgetkey parameter of multi-instance dashboard widgets #7998 pfSense-SA-17_09.webgui.asc
• Fixed a potential clickjacking issue in the CSRF error page
Interfaces
• Fixed PPP interfaces with a VLAN parent when using the new VLAN names #7981
• Fixed issues with QinQ interfaces failing to show as active #7942
• Fixed a panic/crash when disabling a LAGG interface #7940
• Fixed issues with LAGG interfaces losing their MAC address #7928
• Fixed a crash in radvd on SG-3100 (ARM) #8022
• Fixed an issue with UDP packet drops on SG-1000 #7426
• Added an interface to manage the built-in switch on the SG-3100
• Trimmed more characters off the interface description to avoid console menu output line wrapping on a VGA console
• Fixed handling of the VIP uniqueid parameter when changing VIP types
• Fixed PPP link parameter field display when a VLAN parent interface was selected #8098
Operating System
• Fixed issues resulting from having a manually configured filesystem layout with a separate /usr slice #8065
• Fixed issues updating ZFS systems created using an MBR partition scheme (empty /boot due to bootpool not being imported) #8063
• Fixed issues with BGP sessions utilizing MD5 TCP signatures in routing daemon packages #7969
• Updated dpinger to 3.0
• Enhanced the update repository selection choices and methods
• Updated the system tunables that tell the OS not to harvest entropy data from interrupts, point-to-point interfaces and Ethernet devices to reflect the new name/format for FreeBSD 11
• Changed ruleset processing so that it retries if another process is in the middle of an update, rather than presenting an error to the user
• Fixed some UEFI boot issues on various platforms
Certificates
• Fixed invalid entries in /etc/ssl/openssl.cnf (only affected non-standard usage of openssl in the cli/shell) #8059
• Fixed LDAP authentication when the server uses a globally trusted root CA (new CA selection for “Global Root CA List”) #8044
• Fixed issues creating a certificate with a wildcard CN/SAN #7994
• Added validation to the Certificate Manager to prevent importing a non-certificate-authority certificate into the CA tab #7885
IPsec
• Fixed a problem using IPsec CA certificates when the subject contains multiple RDNs of the same type #7929
• Fixed an issue with enabling IPsec mobile client support in translated languages #8043
• Fixed issues with IPsec status display/output, including multiple entries (one disconnected, one connected) #8003
• Fixed display of multiple connected mobile IPsec clients #7856
• Fixed display of child SA entries #7856
OpenVPN
• Added an option for OpenVPN servers to utilize “redirect-gateway ipv6” to act as the default gateway for connecting VPN clients with IPv6, similar to “redirect-gateway def1” for IPv4 #8082
• Fixed the OpenVPN Client Certificate Revocation List option #8088
Traffic Shaping
• Fixed an error when configuring a limiter over 2Gb/s (new max is 4Gb/s) #7979
• Fixed issues with bridge network interfaces not supporting ALTQ #7936
• Fixed issues with vtnet network interfaces not supporting ALTQ #7594
• Fixed an issue with Status > Queues failing to display statistics for VLAN interfaces #8007
• Fixed an issue with traffic shaping queues not allowing the total of all child queues to be 100% #7786
• Fixed an issue with limiters given invalid fractional/non-integer values from limiter entries or passed to Captive Portal from RADIUS #8097
Rules/NAT
• Fixed selection of IPv6 gateways when creating a new firewall rule #8053
• Fixed errors on the Port Forward configuration page resulting from stale/non-pfSense cookie/query data #8039
• Fixed setting VLAN Priority via firewall rules #7973
XMLRPC
• Fixed a problem with XMLRPC synchronization when the synchronization user has a password containing spaces #8032
• Fixed XMLRPC issues with Captive Portal vouchers #8079
WebGUI
• Added an option to disable HSTS for the GUI web server #6650
• Changed the GUI web service to block direct download of .inc files #8005
• Fixed sorting of Services on the dashboard widget and Services Status page #8069
• Fixed an input issue where static IPv6 entries allowed invalid input for address fields #8024
• Fixed a JavaScript syntax error in traffic graphs when invalid data is encountered (e.g. user was logged out or session cleared) #7990
• Fixed sampling errors in Traffic Graphs #7966
• Fixed a JavaScript error on Status > Monitoring #7961
• Fixed a display issue with empty tables on Internet Explorer 11 #7978
• Changed configuration processing to use an exception rather than die() when it detects a corrupted configuration
• Added filtering to the pfTop page
• Added a means for packages to display a modal to the user (e.g. reboot required before the package can be used)
Dashboard
• Fixed display of available updates on the Installed Packages Dashboard widget #8035
• Fixed a font issue in the Support Dashboard widget #7980
• Fixed formatting of disk slices/partitions in the System Information Dashboard widget
• Fixed an issue with the Pictures widget when there is no valid picture saved #7896
Packages
• Fixed display of packages which have been removed from the repository in the Package Manager #7946
• Fixed an issue displaying locally installed packages when the remote package repository is unavailable #7917
Misc
• Fixed interface binding in ntpd so it does not erroneously listen on all interfaces #8046
• Fixed a problem where restarting the syslogd service would make sshlockout_pf process orphans #7984
• Added support for the ClouDNS dynamic DNS provider #7823
• Fixed an issue in the User and Group Manager pages when operating on entries immediately after deleting an entry #7733
• Changed the setup wizard so it skips interface configuration when run on an AWS EC2 Instance #6459
• Fixed an IGMP Proxy issue with All-multicast mode on SG-1000 #7710

2.4.1 New Features and Changes
Security / Errata
• Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK #7951
• Changed upgrade handling to use the pkg-static binary to prevent errors when moving to a new major FreeBSD version
• Fixed a VT console race condition panic at boot on VMware platforms (especially ESXi 6.5.0U1) #7925
• Fixed a bsnmpd problem that causes it to use all available CPU and RAM with the hostres module in cases where disk drives are present without media inserted #6882
• Fixed an upgrade problem due to FreeBSD 11 removing legacy ada aliases, which caused some older installs to fail when mounting root post-upgrade #7937
• Changed the boot-time fsck process to ensure the disk is mounted read-only before running fsck in preen mode
Known Issues
• The VLAN changes mentioned in the Interfaces section may prevent PPP sessions from working on VLANs in some cases, see #7981
Interfaces
• Changed the VLAN interface names to use the ‘dotted’ format of FreeBSD, which is shorter and helps to keep the interface name smaller than the limit (16). This fixes the 4 digit VLAN issues when the NIC name is 6 bytes long.
• Improved the ‘Assign Interfaces’ console process to automatically stop when there are no more interfaces to assign
• Improved the ‘Set interface IP address’ console process to accept ‘IP/mask’ notation
• Fixed wireless client interfaces so they do not reconfigure wireless on a link up event, or else they can get stuck in a loop #7960
• Fixed setting VLAN Priority in VLAN interface configuration #7748
Dashboard
• Fixed a problem with the Picture Dashboard widget when it does not have a picture defined #7896
• Fixed time display for UTC in the NTP Dashboard Widget #7714
• Fixed an IPsec widget error when it would get back null data after a session ended #6318
• Improved error checking to prevent dashboard widget parsing errors
DNS
• Added an option for the DNS Resolver (Unbound) to serve expired records from the cache after their TTL expires, which can improve speed in some cases #7814
• Fixed the DNS Resolver (Unbound) to allow snoop from localhost by default, otherwise “dig +trace” or “drill -T” queries from the firewall itself fail #7884
XMLRPC
• Fixed XMLRPC Sync to prevent a lock that would never be unlocked
• Fixed XMLRPC sync to ensure a proper empty array is returned instead of NULL, so that the last item of a section can be removed without error #7953
Misc
• Fixed Captive Portal voucher test and expire pages #7939
• Added UEFI 32 and UEFI 64 filenames defined inside a pool to dhcpd.conf #7949
• Fixed operation of the “Reset All States on WAN IP Change” GUI setting #7921
• Changed OpenVPN to retry client auth when it fails by default (auth-retry nointeract) #7506
• Changed the Cryptographic Accelerator module options to allow both the AES-NI and Crypto modules to be loaded at the same time #7810
• Added URL fingerprinting to the login page CSS
• Added the device serial/id to the console and SSH menu banner #7968
• Fixed “Unknown Step Values” in certain RRD graph cases #6860

2.4 New Features and Changes
Operating System / Architecture changes
Warning: 32-bit support has been deprecated and removed – There are no images available for 32-bit (x86/i386) Intel architecture systems
Warning: NanoBSD has been deprecated and removed – There are no images available for NanoBSD, use a full install instead
• Upgrade of base OS to FreeBSD 11.1-RELEASE-p1
• Added support for Netgate ARM-based systems such as the SG-1000
• Started using the FreeBSD installer instead of the old style installer (installation procedures have all changed)
  – The installer now supports UEFI #4044
  – If the new installer image will not boot on a specific piece of hardware, see Troubleshooting Boot Issues
  – The installer now supports ZFS
  – Added support to the new installer to copy an existing config.xml off an MS-DOS formatted USB drive (formerly known as “PFI”) #7689
  – Added support to the new installer to optionally recover config.xml off an existing installation drive (works with UFS and ZFS) #7708
• Fixed issues with major version base upgrades via pkg
• Changed cryptodev to load as a kernel module #5976
Security / Errata
• Converted various parts of the GUI to use POST instead of GET when performing actions that change the firewall state (e.g. delete or enable/disable an item) to avoid potential issues with cross-site request forgery and unintentional repeating of actions #4083
• FreeBSD 11.1 includes MAP_GUARD protection to protect against attacks such as Stack Clash
• pfSense-SA-17_07.packages
• A number of base system packages have been updated to address security issues, including dnsmasq, perl, cURL, and others.
Firmware Branch Behavior / Upgrading From Snapshots
• To control how a firewall obtains updates, visit System > Update, Update Settings tab
Known Issues
• Some systems may not be able to boot 2.4 installation images, for example, due to UEFI compatibility changes. These are primarily BIOS issues and not issues with the installer images. Upgrading from 2.3.x should still work on affected hardware.
• Users with ESXi or VMware Workstation may experience a boot-time crash during hardware detection, due to a race condition in the FreeBSD VT console code. This crash is infrequent and does not affect most users or most boot attempts, but since it is a race condition it can manifest randomly. To avoid the crash, configure the VM to use the syscons console rather than vt by editing /boot/loader.conf.local and adding this line: kern.vty=sc
Cleanup
• Misc code cleanup, removal of patches that were no longer necessary or were inefficient
• Replaced multiple local copies of PHP PEAR libraries with updated copies using their official sources #3734
  – Notably, local static copies were replaced by their FreeBSD ports counterparts: pear, pear-XML_RPC2, pear-Net_IPv6, pear-Crypt_CHAP, pear-Mail, pear-Net_Growl
  – Code that relied on the old files was updated to use the current or replaced versions
• Removed all references to GLXSB (it was 32-bit only) #6755
• Removed all code in the builder and pfSense for handling the NanoBSD platform
• Removed all calls to conf_mount_rw / conf_mount_ro, since they were only required for NanoBSD
• Improved help text in various parts of the GUI
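The GET-to-POST conversion for state-changing actions (#4083) above, together with the CSRF fixes (#8296, #8301) and the output-encoding fixes (#8269, #8300 and the other XSS entries) listed for the earlier releases, amounts to three controls any state-changing page in a PHP web GUI needs: refuse GET for the action, bind the action to a per-session anti-CSRF token compared in constant time, and encode every value echoed back into HTML. The block below is an added example and not pfSense's own page code or CSRF library; the page layout, the session key __csrf_token, the parameters delete_rule and rule_id, and the delete_rule() back-end function are the example's own assumptions.

```php
<?php
// Added example (not pfSense code): a state-changing handler hardened against
// CSRF and reflected XSS. The names __csrf_token, rule_id, delete_rule and
// delete_rule() are assumptions for illustration only.
declare(strict_types=1);
session_start();

// Issue one random token per session; random_bytes() is CSPRNG-backed.
function csrf_token(): string
{
    if (empty($_SESSION['__csrf_token'])) {
        $_SESSION['__csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['__csrf_token'];
}

// Constant-time comparison so the token cannot be recovered byte by byte
// through timing differences.
function csrf_token_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['__csrf_token'])
        && hash_equals($_SESSION['__csrf_token'], $submitted);
}

// Encode for an HTML text or attribute context (ENT_QUOTES covers both);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical back-end action; a real page would edit the configuration
// and reload the ruleset here.
function delete_rule(int $id): string
{
    return "rule {$id} deleted";
}

$msg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_rule'])) {
    // Before the fix the same action was a GET link such as ?act=del&id=3,
    // which any page the logged-in admin visited could trigger via <img src>.
    if (!csrf_token_valid($_POST['__csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF token check failed');
    }
    // FILTER_VALIDATE_INT rejects anything that is not an integer, so no
    // markup can travel through the id into the confirmation message.
    $id = filter_var($_POST['rule_id'] ?? '', FILTER_VALIDATE_INT);
    $msg = ($id === false) ? 'invalid rule id' : delete_rule($id);
} elseif (isset($_GET['delete_rule'])) {
    // GET must never change state: it is replayable, cacheable and
    // bookmarkable, and a browser will re-issue it on refresh.
    http_response_code(405);
    header('Allow: POST');
    exit('use POST');
}

// Prefill the form only from a plain string; arrays are ignored.
$prefill = $_GET['id'] ?? '';
$prefill = is_string($prefill) ? $prefill : '';
?>
<!-- The token travels in a hidden field: browsers attach cookies to
     cross-site requests but not form fields the attacker cannot read.
     Every echoed value goes through h(). -->
<p><?= h($msg) ?></p>
<form method="post">
  <input type="hidden" name="__csrf_token" value="<?= h(csrf_token()) ?>">
  <input type="hidden" name="rule_id" value="<?= h($prefill) ?>">
  <button name="delete_rule" value="1">Delete rule</button>
</form>
```

Serve the file with `php -S 127.0.0.1:8080` and request it once with GET (`?delete_rule=1` is refused with 405), then submit the form: a POST without the matching token is refused with 403, and a `rule_id` such as `3<script>` is rejected before it reaches the page text, while a legitimate submission completes. The same session-bound token is what a dashboard widget or service-control request must carry, which is the gap the #8296 and #8301 entries closed.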
Wireless
• FreeBSD 11 contains an updated 802.11 stack with numerous improvements
Warning: Wireless interfaces must be created on the Wireless tab under Interfaces > Assignments before they can be assigned! #6770
Firewall / Rules / NAT / Aliases
• Fixed issues with synproxy rules on a WAN/LAN style bridge #6769
• Fixed issues with limiters on rules that utilize NAT #4326
• Fixed issues with limiters used in conjunction with a transparent proxy or other local redirect rule #7050
• Fixed expansion of “Other” type VIP subnet entries in NAT destination drop-down selections #6094
• Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
• Fixed handling of “URL Table (IPs)” and “URL (IPs)” when the file is hosted on a server using HTTPS with a self-signed certificate #4766
• Show firewall rule descriptions in a column when viewing the log on new installs; upgrades retain their existing setting #7323
• Fixed firewall states showing a negative value for total bytes processed #7075
• Fixed handling of Port Forwards so they do not make up new destination information when configured against a DHCP interface that does not currently have an address
• Fixed VLAN Priority pf syntax #7744
• Fixed a problem where pf scrub did not properly re-fragment unusual but valid IPv6 fragments, resulting in overlapping fragments #7485
• Fixed confirmation prompt handling when deleting a firewall state from diag_dump_states.php #7827
• Changed display of 1:1 NAT rules to match other firewall pages #7728
Traffic Shaping
• Added extra warnings to traffic shaping pages when the firewall has no interfaces capable of using ALTQ shaping #7032
• Fixed handling removal of shaping rules when deleting an interface #7231
• Added upgrade code to work around broken shaper rules from older wizard code #7434
• Fixed the Traffic Shaper so it shows interface names for disabled interfaces, rather than an ‘empty’ placeholder.
• Fixed handling of the priority field for different ALTQ shaper types
OpenVPN
• Upgraded OpenVPN to 2.4.x. #7054
  – This is a significant upgrade which includes support for a wide variety of new features, including AEAD ciphers such as AES-GCM.
  – AES-GCM can be accelerated by AES-NI, and is supported in SSL/TLS modes (not shared key) #7068
  – Added support for TLS Encryption as an optional TLS Key usage type. This encrypts the control channel, providing privacy and protocol obfuscation #7071
  – Added ECDH options to OpenVPN server and client options (“ECDH Only” choice for DH, ECDH Curve selection) #7063
  – Restructured the compression options to include LZ4 support and the new “compress” directive which replaces “comp-lzo”, which has been deprecated. The old options remain for now, but are labeled “Legacy” #7064
  – Changed protocol selection for OpenVPN clients and servers because OpenVPN 2.4 treats “udp” and “tcp” as dual stack now #7062
    * Added “multihome” option in relevant protocol cases so OpenVPN will reply back using the address used to receive a packet #7062
  – Changed the DNS Server fields in the OpenVPN server options so they can define either IPv4 or IPv6 DNS servers to push to clients #7061
  – Added IPv6 support to status_openvpn.php and the OpenVPN widget #2766
  – Removed uses of the deprecated “tun-ipv6” OpenVPN directive; OpenVPN now always assumes IPv6 is enabled #7054
  – Replaced uses of the deprecated “client-cert-not-required” directive with its functional replacement “verify-client-cert none” #7073
  – Added support for Negotiable Crypto Parameters (NCP) to control automatic cipher selection between clients and servers #7072
Note: OpenVPN 2.4 handles CRL verification differently than previous versions, passing through validation to the library rather than handling it internally. This can cause some certificates to fail validation that may have passed previously.
In particular, if a certificate is removed from a CRL, it may still fail validation until all copies of the CRL have been rewritten.
• Improved the help text on OpenVPN Client-Specific Overrides #7053
• Fixed issues with OpenVPN clients on dynamic or tunneled IPv6 interfaces (e.g. GIF) #6663
• Added locking to prevent issues with OpenVPN instance startup #6132
• Check OpenVPN server/client option visibility changes per mode #7331 #7451
• Added an OpenVPN GUI option for “fast-io” to clients and servers #7507
• Added an OpenVPN GUI Option for “sndbuf” and “rcvbuf”, using the same value for both #7507
• Removed references to the defunct OpenVPN client manager port #7568
• Removed references to unused “Address Pool” setting in OpenVPN #7567
• Fixed OpenVPN server port validation to disallow “0”, while still allowing it for a client port, which is the same meaning as blank/empty #7565
• Fixed OpenVPN help text for route_no_exec #7575
• Fixed description of the address assignment behavior for Tunnel Network fields in OpenVPN clients and servers #7573
• Removed the GUI option for “resolv-retry infinite” from OpenVPN; it is always enabled #7572
• Fixed the OpenVPN wizard so it better handles a user choosing a different type of authentication server than a previous run of the wizard #7569
• Fixed OpenVPN Auth Digest Algorithm selection so it does not use duplicate/alias names in the list, and added upgrade code to fix existing entries on upgrade so they use the actual digest name and not an alias #7685
• Fixed show/hide behavior of fields on vpn_openvpn_client.php in Chrome #7451
• Changed OpenVPN wizard certificate input validation and encoding so it matches the standards of the current certificate manager #7854
• Fixed the OpenVPN wizard so it creates an OpenVPN server instance using current proper defaults #7864
IPsec
• Upgraded strongSwan to version 5.6.0
• Changed the default strongSwan logging levels such that IKE SA, IKE Child SA, and Configuration Backend all default to “Diag” #7007
• Added an option to set the Rekey Margin for IPsec tunnels in the Phase 1 settings
• Added RADIUS accounting support for mobile IPsec when accounting is enabled on the Authentication Server entry
• Added checks to prevent simultaneous/repeated calling of vpn_ipsec_configure() by /etc/rc.newipsecdns
• Added DH Groups 22, 23, 24 to IPsec Phase 2 selection for compatibility, but they should not normally be used for security reasons #6967
Certificate Management
• Added a check to ensure that the public key of the Certificate matches its private key when importing Certificate Authority and Certificate entries to prevent mismatching keys from being imported #6953
• Fixed error handling when creating a Certificate from the User Management section; failed actions will no longer fail silently #6953
• Fixed handling of Certificates generated from an imported CA when no starting serial number was set #6952
• Fixed handling of Certificate Authority deletion so that it does not remove associated certificates #6947
• Added “in-use” testing for Certificate Authority entries and disabled the delete action for CAs which are actively in use #6947
• Fixed choosing an existing user certificate when adding a certificate to an existing user #7297
• Added the ability for the certificate manager to sign a CSR using an internal CA #7383
• Added the ability to set the certificate type and SAN attributes in a Certificate Signing Request #7527
• Restructured how certificate types and SANs are handled in the cert manager when making a Cert/CSR/Signing, so each section can properly use the controls #7527 #7677
It is now possible to add SANs and EKUs to certificates when signing using the certificate manager.
Note: Attributes such as SANs and KU/EKU cannot be copied from a CSR when signing due to a deficiency in OpenSSL’s x509 functions (they do not support “copy_extensions” at this time); these attributes must be specified manually when signing.
• Fixed “server” certificate detection to key off of the EKU for “TLS Web Server Authentication” since nsCertType has been deprecated
• Added SAN, KU, and EKU information in an info block for each entry in the certificate list #7505
• Added the ability to use a wider range of characters in certificate fields as laid out by RFC 4514 #7540
• Added a useful error message when there is no private CA with which to create a new user certificate from within the user manager #7585
• Fixed the User Manager so it adds the username as the first SAN when making a user certificate at the same time a user is created #7666
• Added another possible Certificate Signing Request Armor string when validating on import #7383
Dynamic DNS
• Fixed response parsing for DNSimple Dynamic DNS #6874
• Fixed handling of password in Dynamic DNS entries to allow special characters #6688
• Changed CloudFlare and GratisDNS to use separate hostname and domain entry to handle TLDs with multiple components #6778
• Fixed the Save and Force Update button for RFC2136 Dynamic DNS #7291
• Fixed RFC2136 Dynamic DNS updates at boot time #7295
• Added the ‘local’ directive to RFC2136 Dynamic DNS so updates are sourced correctly #7446
• Fixed options text and display for IPv4 DNS and Verify SSL on Dynamic DNS clients #7588
• Fixed issues with Dynamic DNS entries utilizing gateway groups for their interface #7719
• Added DreamHost Dynamic DNS support #7321
DHCP Server / Relay
• Fixed handling of DHCPv6 lease status when there are no leases #6717
• Fixed issues with DHCP Relay not working #6658
• Added input validation to prevent the DHCP server from being configured on interfaces that do not have enough addresses for clients (/31, /32) #6930
• Fixed issues with the DHCP Relay options display getting out of sync with checkbox settings #7155
• Fixed static DHCP lease edits updating BIND zones #3710
• Fixed checks for DHCP Relay when editing additional DHCP pools
• Fixed handling of forced Dynamic DNS hostnames for DHCPv6 static mappings #7324
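The two certificate-manager checks listed under Certificate Management above (the public key in an imported certificate must match its private key, and "server" certificates are recognised by the TLS Web Server Authentication EKU rather than nsCertType), reproduced with the openssl command line as an added example; this is not pfSense code, and every key, certificate and the name fw.example.test is constructed here for the demonstration. It also lays the CN out as the first SAN, the layout the 2.3.4 notes describe for Chrome 58+.

```shell
#!/bin/sh
# Added example (not pfSense code): reproduce, with the openssl CLI, the two
# certificate-manager import checks described in the release notes:
#   1. the public key inside a certificate must match the private key it is
#      imported with (#6953), and
#   2. a certificate counts as a "server" certificate only if its EKU lists
#      TLS Web Server Authentication, not because of the deprecated nsCertType.
# All key and certificate material below is constructed on the fly.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: a self-signed server certificate whose CN is also the
# first SAN (the Chrome 58+ requirement mentioned in the 2.3.4 notes).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" \
  -subj "/CN=fw.example.test" \
  -addext "subjectAltName=DNS:fw.example.test" \
  -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1

# Constructed sample 2: a self-signed user certificate with a different key
# pair and only the clientAuth EKU.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/user.key" -out "$WORK/user.crt" \
  -subj "/CN=alice" \
  -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1

# pubkey_fingerprint FILE MODE: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
# MODE is "cert" (extract the key from an X.509 certificate) or "key"
# (derive the public half from a private key).
pubkey_fingerprint() {
  if [ "$2" = cert ]; then
    openssl x509 -in "$1" -noout -pubkey
  else
    openssl pkey -in "$1" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_matches_cert CERT KEY: succeed only when both sides carry the same public
# key. This is the import-time guard: a pair that fails it must be rejected.
key_matches_cert() {
  [ "$(pubkey_fingerprint "$1" cert)" = "$(pubkey_fingerprint "$2" key)" ]
}

# is_server_cert CERT: succeed when the Extended Key Usage extension lists
# TLS Web Server Authentication (OID 1.3.6.1.5.5.7.3.1).
is_server_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# first_san CERT: print the first SAN entry, e.g. "DNS:fw.example.test".
first_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); print; exit}' \
    | cut -d, -f1
}

# Stand-alone run: report each check the way an import validator would.
for pair in "server.crt server.key" "server.crt user.key" "user.crt user.key"; do
  set -- $pair
  if key_matches_cert "$WORK/$1" "$WORK/$2"; then
    echo "$1 + $2: key matches"
  else
    echo "$1 + $2: REJECT, public key in certificate does not match private key"
  fi
done
is_server_cert "$WORK/server.crt" && echo "server.crt: server certificate (EKU serverAuth)"
is_server_cert "$WORK/user.crt" || echo "user.crt: not a server certificate"
echo "server.crt first SAN: $(first_san "$WORK/server.crt")"
```

The same three functions can be pointed at a real certificate and key exported from a firewall before importing them, which is what the GUI check now does for you.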
ARP / NDP
• Fixed static ARP handling when creating or editing DHCP static mappings #6821
• Added error checking for static ARP entries to ensure both an IP address and MAC address are entered, and to ensure that both exist before an entry is applied #6969
• Improved the detail displayed on the ARP table view #6822
• Added an expiration field to the NDP list
Captive Portal
• Adapted Captive Portal to work without multi-instance ipfw patches #6606
• Fixed Captive Portal instances to select “No Authentication” for a zone by default, since it is the default behavior #7591
• Fixed links to the Captive Portal MAC management page so they include the zone name #7591
XMLRPC
• Switched to pear-XML_RPC2 and removed the outdated static client files
• Fixed handling of XMLRPC sync using a username other than “admin” #809
Routing/Gateways
• Removed “route change” patches and updated code that relied on the deprecated behavior #6828
• Fixed handling of default routes when a default gateway is removed or disabled #6659
• Fixed discovery of IPv6 gateway for assigned OpenVPN interfaces #6016
• Fixed issues with a missing default gateway/route on certain PPPoE links after reconnect or IP address change #6495
• Fixed some ‘route: writing to routing socket: Invalid argument’ warnings during boot time
• Added a log message for gateway events that shows that an alarm was raised/cleared
• Added a check to not run dpinger when an IPv6 address has the tentative flag even after the timeout
• Added a delay to allow dpinger time to properly initialize before using results
Interfaces / Virtual IP Addresses
• Removed Device Polling as it was no longer useful #7021
• Improved stability of the igb(4) driver #7149 #7166
• Fixed handling of rc.newwanipv6 when run from dhcp6c so it only runs when required and not for any change #7145
• Fixed handling of SIGTERM and SIGKILL in dhcp6c #7185
• Fixed dhcp6c not starting until an RA is received #5993
• Fixed a PPP service name error with certain providers, such as T-Mobile #6890
• Fixed 3G service status so it does not report misleading information #4287
• Added support for the IPv6 AUTO_LINKLOCAL flag on bridge interfaces
• Disabled DAD on stf interfaces to fix problems with dpinger
• Added an option to use static IPv6 over an IPv4 PPP parent (e.g. PPPoE) #7598
• Removed unused WINS code for L2TP #7559
• Improved L2TP Server DNS input validation #7560
• Added a test to disable internal L2TP users when activating RADIUS, to follow the behavior stated in the GUI #7561
• Fixed L2TP section log shortcut #7564
• Fixed upgrade handling of wireless interfaces #7809
NTP
• Added support for the ntpd “pool” directive to make better use of servers in NTP pools #5985
• Fixed time display on the NTP widget to show server time #7245
• Added support for NTP to process PGRMF NMEA sentences (Garmin-specific) #7193
• Added an absolute offset statistic to NTP monitoring graph display #7548
User Management / Authentication
• Fixed delays during bootup when LDAP is enabled for user authentication #6367
• Added privileges to control which users can view and/or clear notices #7051
• Added an authentication cache mechanism for GUI authentication from a remote server (e.g. LDAP, RADIUS) so the authentication is checked periodically (default: 30s) instead of on each page load #7097
• Added protocol selection (PAP, MD5-CHAP, MS-CHAPv1 and MS-CHAPv2) to RADIUS authentication server options #7111
• Added the username to the page displayed when adding user privileges #7586
• Standardized privilege page and sorting between users and groups #7587
• Added a log message if a user tries to save the configuration but has the ‘deny config write’ permission
• Added “auth_check” type of simple test that a page can use to verify a user is logged in and has access, using less CPU, which is better for AJAX data polling
• Fixed certificate chain verification issues with LDAP authentication using intermediate CAs #7830
• Fixed PHP errors when STARTTLS fails for LDAP authentication
Packages
• Fixed issues with snort, squid/clamav, and squidGuard when /var is in a RAM disk #6878
• Fixed handling of custom_php_deinstall_command during post-deinstall of a package #7401
• Changed package related calls to get_pkg_info() to use the new pkg metadata mechanism
Console / Menu
• Added options to the console reboot menu selection to reboot into single user mode or run filesystem checks #6639
OS Upgrade
• Fixed issues when upgrading to 2.4 with a stale package .inc that caused a PHP error #6920
• Changed the upgrade script to use reroot instead of reboot for updates that do not include a new Kernel #6045
SNMP
• Added a workaround to prevent the hostres module from being used with bsnmpd on VMware Virtual Machines that have a cd0 device, which caused 100% CPU usage #6882
Services
• Converted all mpd-based features (e.g. PPPoE and L2TP server) to MPD5 if they used an older version #4706
• Removed unused and non-functional SMART service handling and e-mail configuration #6393
• Fixed IGMP Proxy failing to recognize an upstream interface #6099
WebGUI
• Added support for multiple languages; currently that list includes:
  – US English (Default), Bosnian, Chinese (Simplified, China), Chinese (Taiwan), Dutch, German, Norwegian Bokmal, Polish, Portuguese (Brazil), Russian, Spanish, Spanish (Argentina)
• Changed the design of the login page for the WebGUI to a more modern style, with several color choices available
• Added URL fingerprinting to JavaScript and CSS file references to improve client-side behavior when files change between versions #7251
• Updated Logo to the new logo and made it a vectorized SVG image for better scaling
• Updated favicon to the new logo and added multiple sizes for different platforms
• Completed work to mark required fields on GUI pages #7160
• Fixed long hostnames overlapping the “time” title in the monitoring graphs #6138
• Fixed CIDR/Prefix selector handling for IPv4/IPv6 #7625
• Removed the Gold menu
• Fixed handling of info block content inside tables #7504
• Improved handling of PHP errors for user-entered PHP code on diag_command.php
• Fixed alignment of the IPv6 over IPv4 input fields #7128
• Optimized retrieval of Traffic Graph data to reduce spikes in the graphs and load on the firewall
• Fixed a problem with the traffic graphs not respecting the theme colors #6746
• Revised setup wizard wording and links
Dashboard
• Rewrote Dashboard AJAX updating in a centralized and optimized way to reduce load, improve accuracy, and increase speed
• Added a new Customer Support dashboard widget, enabled by default and on upgrade
• Changed the way AJAX updates are handled on the Dashboard widgets to improve efficiency and fix issues with some widgets not refreshing in a timely manner
• Added filters to more dashboard widgets #7122
• Added customization for dashboard widget names
• Fixed Interface Statistics dashboard widget issues with interfaces in a “down” state
• Fixed formatting issues with the Interface Statistics dashboard widget #7501
• Added the ability to place multiple copies of widgets on the dashboard, optional for each widget
• Added a line to display detected CPU cryptographic hardware, such as AES-NI, in the System Information dashboard widget even if the module isn’t loaded #7529
• Fixed CPU package/core count displayed on the System Information dashboard widget
• Changed how pkg metadata is handled to reduce the load on the Dashboard and reduce unnecessary calls to the pkg server for the System Information dashboard widget update check, and for the Installed Packages dashboard widget
• Changed CPU usage calculation in the System Information dashboard widget to avoid sleep() in an AJAX call
• Fixed the IPsec widget tunnel status to handle newer strongSwan childid format #7499
• Fixed error when saving Wake on LAN dashboard widget without any WoL entries
• Fixed a problem where traffic could be counted twice in traffic graphs #7751
• Fixed a problem with the Installed Packages dashboard widget when no packages are installed #7811
• Changed date formats of some fields on the Dashboard to be more consistent #7805
• Added an option to the Interface Statistics dashboard widget to rotate the table (put interfaces in rows instead of columns) to improve the display on firewalls with numerous interfaces #7501
pftop
• Removed the “size” option from pftop as it had no effect; use the “bytes” option instead #7579
• Removed the ‘peak’ and ‘rate’ views for pftop since they only work in interactive mode with cached data, not batch mode which is used by the WebGUI #7580
• Fixed path to an old copy of the pftop WebGUI page in obsolete list #7581
DNS
• Changed /etc/hosts such that the FQDN is listed first, except for localhost, so that dnsmasq will properly reverse resolve hostnames #7771
• Fixed a problem where the DNS Search Domain List was not being populated into radvd.conf #7081
• Enabled Python support for Unbound #7549
• Added a control to disable automatically added host entries in Unbound
• Changed the way unbound is started at boot time on systems with DHCP6 WANs
Misc
• Added hardware support and detection for new Netgate models
• Changed the User Agent passed to outbound requests from pfSense to include more accurate host information
• Added the User Agent to the request data when updating the Bogons list
• Fixed growl and SMTP notifications so performing a test saves first, so the new settings are used as expected #7577
• Fixed loading issues with PHP extensions #6628
• Removed symbolic links for configuration files that redirected items from /etc/ to /var/etc/ #5538
• Added the ability to filter Packet Captures by MAC address #6743
• Updated status.php with new info and changed its output organization #7047
• Fixed a problem where a proxy defined for use by the firewall could not use HTTPS when using proxy authentication #6949
• Improved RAM disk backups and file management #7098
• Changed the way RAM disk contents are handled when enabled #5897
• Changed various support functions to better facilitate translation to additional languages
• Fixed interface name display on the Router Advertisement configuration page #7133
• Fixed various issues with handling of unusually formatted, but valid, IPv6 addresses #7147
• Improved error handling when a client is logged out when it attempts to poll data via rrd_fetch_json.php #6748
• Fixed various issues when the configuration backup count was set to 0 (disabled) #7273
• Fixed handling of “0” for the number of backups to retain in the configuration history #7273
• Fixed an issue with long configuration change descriptions leading to wrapping issues in certain cases such as AutoConfigBackup #6363
• Fixed an issue with installing packages from a backup when restoring using the External Configuration Locator on the first boot post-install #7914
2.3.5-p1 New Features and Changes
New features and changes for this release of pfSense® software:
Security / Errata
• Updated OpenSSL to address CVE-2017-3737 and CVE-2017-3738 FreeBSD-SA-17:12.openssl
• Fixed a potential authenticated command execution issue in certificate data handling #8153 pfSense-SA-17_10.packages.asc
• Fixed a potential clickjacking issue in the CSRF error page
• Fixed a potential XSS issue in status_filter_reload.php #8143 pfSense-SA-17_11.packages.asc
Misc
• Fixed an issue in the User and Group Manager pages when operating on entries immediately after deleting an entry #7733
• Fixed sorting of Services on the dashboard widget and Services Status page #8069
• Fixed display of available updates on the Installed Packages Dashboard widget #8035
• Fixed display of packages which have been removed from the repository in the Package Manager #7946
• Fixed the OpenVPN Client Certificate Revocation List option #8088
• Fixed an issue with the Pictures widget when there is no valid picture saved #7896
• Fixed an indexing issue when deleting Host Override entries from the DNS Forwarder #8159
• Fixed a premature session timeout issue on pages which update exclusively using AJAX, such as status_graph.php #8116
• Fixed ping_hosts.sh so it does not unnecessarily run a CARP check when there are no IPsec hosts to ping #8172
• Fixed a missing global variable declaration in interface IP address detection
2.3.5 New Features and Changes
The pfSense® software version 2.3.x release is a Security and Errata maintenance release. 2.4.x is the primary stable supported branch. If the firewall hardware is capable of running 2.4.x, consider upgrading to that release instead.
Updating to 2.3.5 from 2.3.4 on an amd64 installation that could otherwise use 2.4.x requires configuring the firewall to stay on 2.3.x as follows:
• Navigate to System > Update, Update Settings tab
• Set Branch to Security / Errata Only
• Navigate back to the Update tab to see the latest 2.3.x update
If the update system offers an upgrade to 2.3.5 but the upgrade will not proceed, ensure the firewall has correct versions of the repository configuration and upgrade script for 2.3.x by running the following commands from the console or shell:
pkg install -fy pfSense-repo pfSense-upgrade
Firewalls running 32-bit (i386) installations of pfSense software do not need to take any special actions to remain on 2.3.x as they are unable to run later versions.
Operating System / Architecture changes
• Upgrade of base OS to FreeBSD 10.3-RELEASE-p20
• Fixed issues with major version base upgrades via pkg
Security / Errata
• pfSense-SA-17_07.packages
• Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK in wpa_supplicant and hostapd (FreeBSD-SA-17:07.wpa)
• A number of base system packages have been updated to address security issues, including dnsmasq, perl, cURL, and others.
Interfaces
• Added support for the IPv6 AUTO_LINKLOCAL flag on bridge interfaces
• Added an option to use static IPv6 over an IPv4 PPP parent (e.g. PPPoE) #7598
• Added IPv6 Prefix Delegation interface selection
• Improved input validation for GIF interfaces #7789
Dashboard
• Rewrote Dashboard AJAX updating in a centralized and optimized way to reduce load, improve accuracy, and increase speed
• Added a new Customer Support dashboard widget, enabled by default and on upgrade
• Changed the way AJAX updates are handled on the Dashboard widgets to improve efficiency and fix issues with some widgets not refreshing in a timely manner
• Changed how pkg metadata is handled to reduce the load on the Dashboard and reduce unnecessary calls to the pkg server for the System Information dashboard widget update check, and for the Installed Packages dashboard widget
• Improved error checking to prevent dashboard widget parsing errors
• Fixed a variable conflict in the NTP Status Dashboard widget #7795
• Fixed a problem with the Picture Dashboard widget when it does not have a picture defined #7896
• Changed IPsec Dashboard Widget tunnel status to handle newer strongSwan childid format #7499
• Fixed time display for UTC in the NTP Dashboard Widget #7714
WebGUI
• Changed the design of the login page for the WebGUI to a more modern style, with several color choices available
• Added URL fingerprinting to JavaScript and CSS file references to improve client-side behavior when files change between versions #7251
• Updated Logo to the new logo and made it a vectorized SVG image for better scaling
• Updated favicon to the new logo and added multiple sizes for different platforms
• Added an option for sorting the Interfaces menu by description
• Added “auth_check” type of simple test that a page can use to verify a user is logged in and has access, using less CPU, which is better for AJAX data polling
• Improved handling of PHP errors for user-entered PHP code on diag_command.php
• Changed Interfaces menu “(Assign)” to “Assignments” and added support for menu divider bars
• Fixed automatic selection of ‘128’ as prefix/mask for IPv6 address fields #7625
• Replaced Math.trunc with Math.floor to make IE properly handle traffic graphs #7804
• Changed nginx configuration so it does not allow direct download of .inc files #8005
• Fixed hostname input handling on diag_dns.php
Gateways
• Added a delay to allow dpinger time to properly initialize before using results
• Added a log message when gateway alarms are raised/cleared to show the parameters that triggered the alarm
• Reset All States on WAN IP Change option #1629
Rules/NAT/Shaper
• Fixed handling of Port Forwards so they do not make up new destination information when configured against a DHCP interface that does not currently have an address
• Fixed ALTQ Traffic Shaper PRIQ priority number validation
IPsec
• Added an option to set the Rekey Margin for IPsec tunnels in the Phase 1 settings
• Added RADIUS accounting support for mobile IPsec when accounting is enabled on the Authentication Server entry
• Added checks to prevent simultaneous/repeated calling of vpn_ipsec_configure() by /etc/rc.newipsecdns
Misc
• Fixed an issue with installing packages from a backup when restoring using the External Configuration Locator on the first boot post-install #7914
• Fixed handling of forced Dynamic DNS hostnames for DHCPv6 static mappings #7324
• Fixed several issues with cron job updating and removal
• Added the device serial/id to the console and SSH menu banner #7968
• Changed /etc/hosts such that the FQDN is listed first, except for localhost, so that dnsmasq will properly reverse resolve hostnames #7771
2.3.4-p1 New Features and Changes
The pfSense® software version 2.3.4-p1 errata release is a minor release after 2.3.4 and contains beneficial security and bug fixes.
Security / Errata
• pfSense Security Advisories
  – pfSense-SA-17_05.webgui:
    * Fixed a potential XSS issue in the diag_edit.php file browser #7650
    * Fixed a potential XSS in handling of the ‘type’ parameter on diag_table.php #7652
    * Fixed validation and a potential XSS in interface names on firewall_nat_edit.php #7651
  – pfSense-SA-17_06.webgui:
    * Added a warning screen to the GUI and prevent access if the client IP address is currently in the lockout table, and also remove the client’s connection states #7693
Bug Fixes
Captive Portal
• Fixed Captive Portal RADIUS Authentication to only cache credentials when required to perform reauthentication #7528
• Restored the captive portal feature to view the captive portal page directly from the portal web server as an additional button #7646
Dynamic DNS
• Fixed issues with wildcard CNAME records disappearing from Loopia when doing a DNS update
• Fixed issues with CloudFlare Dynamic DNS
• Fixed Hover Dynamic DNS updates so they verify the SSL peer
Logging
• Added syslogd service definition to enable status display and control #4382
• Fixed issues with syslogd stopping when installing or uninstalling some packages #7256
Virtual IP Addresses
• Fixed issues with CARP status display overmatching some VIP numbers #7638
• Fixed pid file handling for choparp (Proxy ARP Daemon)
• Added the ability to sort the Virtual IP address list
DNS
• Fixed diag_dns.php so it will not create an empty alias if the name does not resolve
• Fixed diag_dns.php to not show Add Alias if the user does not have privileges to add an alias
• Fixed diag_dns.php to change the update alias button text after adding an alias
• Fixed diag_dns.php to disable the Add Alias button when the host field is changed
• Fixed calls to unbound-control to have the full configuration path specified so they do not fail #7667
• Fixed handling of “redirect” zone entries in the DNS Resolver so they do not produce invalid zones #7690
• Changed the way the DNS Resolver code writes out host entries, so the zones are more well-formed #7690
• Changed the way the DNS Resolver process (unbound) is stopped, to allow it to exit cleanly #7326
Interfaces
• Fixed DHCPv6 to request a prefix delegation even if no interfaces are set to track6 #4544
• Updated handling of original MAC address retention for interfaces with spoofed MACs
• Fixed an array handling problem when working with gateway entries on the Interface configuration page #7659
• Fixed handling of MSS clamping values for PPPoE/L2TP/PPTP WANs #7675
DHCP
• Fixed an issue where some DHCP Lease information was encoded twice with htmlentities/htmlspecialchars
• Fixed an issue where, in some edge cases, a variable was not properly set in a loop, leading to a previous value being reused

Misc
• Removed “/usr/local/share/examples” from the obsolete files list, as some packages rely on the files being there
• Added a few more items to status.php for support purposes, such as a download button, socket buffer info, and the Netgate ID
• Fixed status.php to redact the BGP MD5 password/key in output #7642
• Fixed OpenVPN to use is_numeric() to make sure $prefix is not 0
• Changed the “Rule Information” section so it is consistent between firewall and NAT rule pages
• Fixed APU2 detection for devices running coreboot v4.x
• Fixed the tunable description for net.inet.ip.random_id #6087
• Fixed some outdated links for help and support
• Fixed some issues with empty config tags in packages #7624
• Fixed issues with entry IDs after deleting Authentication Server instances #7682

2.3.4 New Features and Changes

Security / Errata
• Updated base OS to FreeBSD 10.3-RELEASE-p19
• FreeBSD/ports Security Advisories
  – Updated ntpd to 4.2.8p10_2 FreeBSD-SA-17:03.ntp.asc
  – Updated cURL to 7.54.0 (CVE-2017-7407, CVE-2017-7468)
  – Updated libevent to 2.1.8 (CVE-2016-10197, CVE-2016-10196, CVE-2016-10195)
• pfSense® Software Advisories
  – Fixed encoding of displayed values from DHCP leases to prevent a badly formatted DHCP lease hostname from causing a potential XSS #7497 (pfSense-SA-17_04.webgui)
• See the Certificates section below for an important note about GUI certificate errors on Chrome 58 and later
Certificates
• Improved certificate generation to always include the CN as the first Subject Alternative Name (SAN), which fixes issues with Chrome 58+ #7496
  To work around an error with the firewall GUI certificate on Chrome 58+, take one of the following actions:
  – Generate and activate a new GUI certificate automatically, from the console/shell: pfSsh.php playback generateguicert
  – Utilize the ACME package to generate a trusted certificate for the GUI via Let’s Encrypt
  – Create a new CA/server certificate and use that for the GUI
• Fixed linking of a certificate to its CA after submitting the signed version of a CSR #7512

Firewall Rules/NAT/Shaper
• Fixed restarting the Load Balancer (relayd) clearing system tables/aliases #7396
• Fixed ruleset generation to notify when an unresolvable alias is encountered by the parser #7421
• Fixed handling of a rule using an empty port alias #7428
• Fixed the traffic shaping wizard handling of SMB rules in Raise/Lower Other Protocols, which was producing an invalid rule #7434
• Fixed handling of alias renaming after input validation #7473
• Fixed handling of long rule descriptions #7294

Dashboard
• Improved formatting in the gateways widget by reducing the numeric precision of displayed values #6841
• Fixed the NTP widget to show the server time instead of client time #7245
• Added a “None” option to Widgets with filtering options #7318
• Added PPPoE uptime display on the Interfaces dashboard widget #6032
• Added filters to more dashboard widgets #7122
• Added BIOS information to the System Information widget
• Added Netgate Unique ID to the System Information widget

Note: This identifier for support services is only displayed on the Dashboard for information purposes and is not transmitted anywhere automatically by default. In the future, customers can use this identifier when requesting support information from Netgate staff or systems.
Configuration
• Fixed issues restoring a configuration containing packages when the firewall does not have Internet connectivity #6594
• Fixed factory reset when Captive Portal has Vouchers enabled #7508
• Cleaned up unused code in diag_backup.php

Interfaces
• Changed interface handling so it retains the original vendor MAC address at power up when spoofing, so it can be restored without a reboot #7011
• Fixed interface assignment of QinQ interfaces #4669
• Fixed errors in PPP service provider selection when a country without providers is selected #7399
• Fixed input handling when editing static IP address fields on interfaces #7493
• Added the ability for DHCP Client WANs to specify a list of IP addresses from which to reject leases #7510

User Manager / Authentication
• Added a warning to system_authservers.php to warn that RADIUS does not work with IPv6 #4154
• Added a status icon to the User Manager to show if a user is enabled or disabled #7517

General GUI
• Added navigation links to breadcrumbs #7099
• Improved service name support and error handling in pfSenseHelpers.js #7445

DHCP
• Changed dhcpleases so it does not start when DHCP Relay is enabled #6750
• Fixed checks for DHCP Relay being enabled/disabled so they are skipped when editing an additional pool

ARP / NDP
• Added the ability to delete NDP entries #7513
• Added expiration field to NDP listing #7514
Misc
• Fixed DNS issues when upgrading NanoBSD #7345
• Fixed the Reset Demotion Status for CARP to function when the demotion value is negative #7424
• Fixed editing of Host Overrides in the DNS Resolver/Forwarder pages #7435
• Fixed service handling (start/stop/restart) for Captive Portal #7444
• Fixed display of the ALTQ “queue” view in pfTop due to recent changes in the pfTop port #7461
• Added support for the Dynamic DNS Client Hover #7511
• Fixed UTF-8 handling in Base64 decoding on diag_edit.php
• Fixed handling of traffic graph data irregularities #7515
• Added visual separation to the legend on the installed packages list #7203
• Changed SMTP and Growl notification test to use the new, unsaved settings #7516

2.3.3-p1 New Features and Changes

The pfSense® software version 2.3.3-p1 errata release is a minor release after 2.3.3 and contains beneficial security and bug fixes.

Security / Errata
• Updated to FreeBSD 10.3-RELEASE-p17
  – FreeBSD-SA-17:02.openssl (CVE-2016-7055, CVE-2017-3731, CVE-2017-3732)
• Upgraded cURL to 7.53.0 (CVE-2017-2629)

Bug Fixes
• Fixed issues with the upgrade check seeing the version of pfSense-upgrade instead of pfSense in some circumstances #7343
• Fixed handling of domain-only (@ record) updates for CloudFlare Dynamic DNS #7357
• Fixed a problem with the Dynamic DNS Widget where RFC2136 entries showed an incorrect status #7290
• Fixed Dynamic DNS status widget formatting for medium-width browser windows #7301
• Fixed a problem with HTML tags showing in certificate description drop-down lists in the Certificate Manager #7296
• Fixed an error loading some older rules with ICMP types #7299
• Fixed display of selected ICMP types for old rules without an ipprotocol option set #7300
• Fixed Log widget filter interface selection with custom interface descriptions #7306
• Fixed the widget Filter All button so it does not affect all widgets #7317
• Fixed the password reset script so it resets the expiration date for the admin account when run, to avoid the user still being locked out #7354
• Fixed the password reset script so it properly handles the case when the admin account has been removed from config.xml #7354
• Fixed input validation of TCP State Timeout on firewall rules so it is not arbitrarily limited to a maximum of 3600 seconds #7356
• Fixed console settings for XG-1540/XG-1541 to use the correct default console #7358
• Fixed initial setup handling of VLAN interfaces when they were assigned at the console before running the Setup Wizard #7364
• Fixed display of OpenSSL and input errors when working in the Certificate Manager #7370
• Fixed Captive Portal “disconnect all” button
• Fixed pkg handling timeouts #6594
• Updated blog URL in the RSS widget
• Removed whirlpool from the list of CA/certificate digest algorithms since it does not work #7370

2.3.3 New Features and Changes

Security / Errata
• Updated to FreeBSD 10.3-RELEASE-p16
  – FreeBSD Security Advisories
    * FreeBSD-SA-16:29.bspatch
    * FreeBSD-SA-16:31.libarchive
    * FreeBSD-SA-16:33.openssh
    * FreeBSD-SA-16:35.openssl
    * FreeBSD-SA-16:37.libc
    * FreeBSD-SA-16:38.bhyve
    * FreeBSD-SA-16:39.ntp
    * FreeBSD-SA-17:01.openssh
  – FreeBSD Errata Notices
    * FreeBSD-EN-16:17.vm
    * FreeBSD-EN-16:18.loader
• pfSense® Software Advisories
  – pfSense-SA-17_01.webgui
    * Fixed validation and encoding on Captive Portal status pages #7019
  – pfSense-SA-17_02.webgui
    * Fixed update_config_field() in wizard.php so it does not pass user input through eval() #7230
  – pfSense-SA-17_03.webgui
    * Added encoding for ‘from’ and ‘to’ before output on pkg_mgr_install.php #7225
    * Added encoding for the contents of pkg_filter before output #7227
    * Converted easyrule.php to use a confirmation landing page so that the parameters can be submitted via POST #7228
• Updated numerous third-party libraries and supporting programs
• Changed behavior of fsck during bootup to improve filesystem stability #6340
• Added protection to /etc/ttys to prevent corruption or missing lines

Known Issues
• The Captive Portal Disconnect All Users button does not fully disconnect all users PR#3565
• RFC 2136 Dynamic DNS Entries will show red on the Dashboard widget even when correctly updated #7290
• Firewall rules without an IP protocol set in the configuration which also have an ICMP type set may not load or display correctly #7299 #7300

General Info
• Added Packages: tinc, cellular, LCDproc, TFTP Server
• Fixed numerous typos and wording issues
• Added marking for required fields on various pages #7083
• Input validation fixes on various pages
• Cleaned up some unneeded files/pages/functions
• Fixed broken/outdated links

OpenVPN
• Changed OpenVPN RADIUS authentication to send proper NAS-Port-Type, NAS-Port, and NAS-Identifier values #6609
• Added compression option to handle connecting to OpenVPN peers which do not have LZO compiled into their OpenVPN executable #6739
• Added a workaround to block outside DNS on Windows 10 OpenVPN clients to prevent DNS leaks #6719
• Improved OpenVPN server handling when using CARP VIPs in Gateway Groups
• Improved handling of chained/intermediate CAs in OpenVPN #2800
• Changed OpenVPN widget so it updates dynamically #6723
• Adapted the encryption cipher list to the new output format in OpenVPN 2.3.12; it also now displays key and block lengths #6849
• Changed OpenVPN server list to display more information
• Improved error message to explicitly state allowable characters for certificate fields in the OpenVPN wizard #6432
• Fixed handling of OpenVPN authentication when the backend server name contains special characters (e.g. ‘&’) #7002
• Fixed saving an OpenVPN instance on a DHCP interface that does not currently have an IP address #7031
• Added an IPv6 Tunnel Network field to OpenVPN Client-Specific Overrides #7053
• Fixed changing between tun and tap mode for OpenVPN Clients
• Changed OpenVPN startup to avoid overwriting its configuration, and to wait for its PID file to be written
• Fixed OpenVPN binding to an IP Alias VIP #7136
• Fixed display of disabled OpenVPN clients #7180
• Fixed handling of “redirect-gateway” in Client-Specific Overrides #6633

IPsec
• Clarified IPsec Key Exchange Version drop-down to specify IKEv1/IKEv2 #6898
• Fixed handling of static routes for IPsec peers on tunnels bound to IP Alias VIPs with CARP parents
• Fixed MSS clamping for mobile IPsec clients #7005
• Added IPsec to the State Table interface list

Interfaces
• Fixed handling of LAGG MTU when child QinQ interfaces are present #6227
• Improved behavior when using DHCP before RA #5993
• Added the ability to send a DHCP Release from Status > Interfaces, rather than only stopping dhclient
• Fixed issues adding/editing QinQ entries
• Fixed input validation of QinQ entries
• Fixed validation to prevent an interface, interface group, and alias from using the same name #6976
• Updated interface group name validation rules to match limits of the operating system
• Prevented interface group names, interface names, and aliases from starting with pkg_ to reserve it for package use (e.g. tinc) #7173
• Added validation to prevent Interface Group Names from containing a dash #7173
• Added validation to prevent Interface Groups from being renamed to an existing name #7183
• Fixed issues with Interface Statistics widget display #7134
• Fixes for interfaces_ppps_edit.php to fix MTU validation, interface friendly names, and advanced options expansion
• Changed linkup event handling to ignore events for interfaces that are members of bridges which have no IP address configured
• Fixed input validation for L2TP and PPTP WAN type interfaces #6732
• Added validation to prevent adding duplicate gateways from the Interface configuration page
• Fixed handling of IPv6 checksum options for “Disable hardware checksum offload” #5321
• Fixed handling of the confirmation dialog when deleting a VLAN #6916
• Fixed handling of wireless MAC address spoofing
• Fixed wireless channel changing #6833
• Improved labels and help text for IPv6 tunneling options
• Added the ability for an L2TP or PPTP WAN to use a hostname for the remote gateway #6899

Certificate Management
• Added missing recommended key lengths and digests to certificate manager
• Fixed CRL editing so that certificates already contained in the CRL are not displayed

Users / Authentication / Privileges
• Fixed SSH Keyboard-Interactive authentication #6963
• Added STARTTLS to LDAP Authentication Server Configuration
• Improved WebGUI usability when a remote LDAP server is not available
• Fixed issues with local_sync_accounts failing during boot when using an LDAP server on a non-local network or hostname #6857
• Fixed port build options for scponly #7012
• Fixed notifications so that the Mark All as Read button is not shown to users who do not have sufficient privileges to use it #3454
• Added privileges to control display of notices #7051
• Standardized privilege name capitalization
• Fixed issues with low-privilege users accessing Help pages #7139 #7140
• Added a privilege for UPnP & NAT-PMP configuration #7141
• Simplified tcsh prompt and changed the prompt so it respects default terminal colors

Firewall / Rules / NAT / Aliases / States
• Fixed restoring rule type selection after input errors while saving firewall rules
• Fixed a copy/paste error in variable test when validating firewall rule ports
• Corrected the descriptions and behavior of the Adaptive Start and Adaptive End settings for firewall state handling
• Fixed display of the number of states in the Firewall Rules page
• Moved “Any” to top of protocol list in firewall rules
• Fixed issues with hidden fields on firewall_rules_edit.php #7057
• Fixed issues with moving rules that required scrolling while dragging #6895
• Enhanced ICMP type handling in rules
• Fixed issues when hovering the mouse pointer over aliases on disabled rules making the hint difficult to read #6448
• Fixed handling of firewall rule separators when a NAT associated rule is deleted #6676
• Added field to specify source-hash key for outbound NAT rules
• Fixed issues with Firewall > NAT > Edit forgetting destination type selection when input errors occur #6224
• Removed “self” as a destination from NAT 1:1 rules
• Fixed NAT rules so that when a port forward is disabled, its associated firewall rule is also disabled #6472
• Fixed 1:1 NAT address family validation #6927
• Fixed problems with nested aliases containing FQDNs #6982
• Changed the Status > Filter Reload page so it shows the entire filter reload progress, rather than only the last state #6931
• Fixed labels on diag_states_summary.php #6711
• Fixed initial state of confirmation checkboxes on diag_resetstate.php
• Changed Diag > States so it can optionally require a filter before displaying states, to improve handling with large state tables #7069

Traffic Shaping
• Added Chelsio network cards (cxl) to the list of drivers that are capable of using ALTQ #6830
• Fixed the traffic shaper wizard so it uses whole numbers instead of decimals #6779

HA / CARP
• Fixed issues when XMLRPC synchronizes IP Alias type Virtual IP addresses bound to Localhost #7010
• Fixed a bug where the CARP VIP status was incorrect when the interface has more than one CARP VIP

DHCP/DHCPv6 Server / Router Advertisements
• Updated the ISC DHCP Daemon to fix issues with missing hostnames in leases, and removed workarounds that are no longer needed #6840
• Fixed reversed behavior of “Change DHCPv6 display lease time from UTC to local time” #6640
• Fixed incorrect index for edit action on DHCP Leases #7233
• Added an option to force a Dynamic DNS hostname in DHCP/DHCP6 Server settings
• Changed DHCP lease times to always display in 24-hour clock format
• Added an option to allow BOOTP to be specifically disabled in the DHCP Server settings #4351
• Fixed validation to allow URLs for TFTP Server in DHCP Server settings #6634
• Improved dhcpd and dhcpleases reload handling
• Fixed DHCP NTP Server form validation to allow hyphens #6806
• Fixed restore of DHCP6 leases on full install when using MFS /var
• Fixed a problem with the DHCP range being reset if the Setup Wizard was re-run when a custom DHCP range already exists #4820
• Fixed issues with DHCP traffic being blocked with DHCP Relay enabled #6996
• Changed the DHCP/DHCPv6 server GUI so it can be configured (but not run) while DHCP Relay is enabled #6997
• Added Client ID to DHCP Leases display, if present
• Added Client ID to DHCP Mapping list, if present
• Disabled DHCP server on interfaces with subnet >= 31 #6930
• Changed DHCP6 client to allow a prefix size of /59
• Changed DHCP6 server to allow a prefix size of /59 and /61
• Added new “Ignore client identifiers” option to DHCP Server
• Fixed handling of DNS entries for IPv6 static mappings when using delegated prefixes #6768
• Improved the help text for Router Advertisement configuration #6889

DNS / Resolver / Forwarder
• Allow a variable number of DNS servers #5549
• Changed interface boxes in the DNS Resolver so they can be resized
• Fixed sorting of DNS Forwarder hosts and domains in config.xml #6903
• Fixed DNS Resolver (unbound) logging after clearing logs #6915
• Added support for “deny_non_local” and “refuse_non_local” ACLs in the DNS Resolver #6914
• Fixed DNS Server Gateway validation
• Changed behavior of DNS Resolver overrides to only add FQDN entries, not short hostnames #6064
• Fixed issues with DNS Resolver Host Overrides not being updated properly #6712

NTP / GPS
• Fixed Prefer/No Select checkboxes being invisible when adding entries in NTP Server settings #6788
• Fixed handling of NTP IPv6 restrict clauses
• Fixed setting default NTP access restrictions when there are no custom restrictions #6454
• Fixed NTP status widget IPv6 address handling so addresses are not truncated #4815
• Fixed the NTP Orphan Mode stratum field #7034
• Fixed issues with NTP GPS status
• Fixed a case that could result in an empty ‘restrict’ line in the NTP configuration #7110
• Added a limit for NTP time source fields so they cannot exceed the maximum number saved to configuration #7164
• Fixed display and behavior issues with NTP ACLs #6984
• Improved parsing of GPS initialization and output, and added support for more GPS output formats and extended status
• Added an autocorrect tool for checksums on GPS initialization commands #7159
Captive Portal
• Changed Captive Portal MACs page to be sortable #6786
• Fixed handling of Captive Portal user bandwidth set to 0 #6872
• Changed Captive Portal to send “Admin Reset” as termination cause when disconnecting a user from the WebGUI
• Added option to Captive Portal to include idle time in total session time
• Fixed bandwidth limitation settings in Captive Portal MAC passthrough
• Fixed links to view current Captive Portal page for all interfaces #6391
• Converted Captive Portal active sessions to a sortable table
• Added code to hide the client MAC address column in Captive Portal status when MAC filtering is disabled, rather than displaying an empty column
• Added popup with session details to the Captive Portal active sessions list on the status page
• Added button to disconnect all Captive Portal users
• Worked around race condition between captiveportal_disconnect_all() and captiveportal_prune_old()
• Added locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all()
• Reworked logging and RADIUS accounting when disabling a Captive Portal zone or rebooting
• Increased speed of captiveportal_disconnect_all()

Dynamic DNS
• Added the ability to change the URL queried by Dynamic DNS entries to check the external IP address (Services > Dynamic DNS, Check IP Services tab) #6591
• Added support for All-Inkl Dynamic DNS provider
• Added support for duiadns.net Dynamic DNS provider
• Added support for CloudFlare Proxy to Dynamic DNS
• Added Cloudflare Dynamic DNS IPv6 support #6623
• Fixed status checking on Dynamic DNS (RFC2136); updates were always considered successful even on failure #6357
• Fixed handling of multiple RFC2136 entries #6153
• Fixed links in RFC2136 entries in the Dynamic DNS widget #7126
• Fixed HTTP header processing for Dynamic DNS updates
• Fixed handling of custom IPv6 Dynamic DNS in the widget #6922
• Changed Cloudflare and Gratis plus Dynamic DNS to store passwords in base64
• Updated Route 53 Dynamic DNS to fix several reported issues #3973 #6751 #5054
• Fixed handling of ZoneEdit Dynamic DNS when used with a CARP VIP #6992
• Removed excess loops from the Dynamic DNS Widget
Gateways / Routing
• Added the ability to disable gateway monitoring actions without disabling gateway monitoring #3151
• Changed gateway notifications to notify by email and syslog when a gateway goes up or down
• Improved gateway notification mechanisms
• Fixed handling of deleting or disabling static default gateways so they are properly removed from the routing table #6659
• Fixed L2TP WAN dynamic gateway naming #6980
• Fixed status display for unmonitored gateways
• Fixed static blackhole route handling
• Fixed handling of long hostnames on Diagnostics > Routes #6869
• Corrected behavior of disabled static routes #3560
• Created a PHP Shell playback script to view the gateway status from the shell and status output #7046

Notifications
• Fixed SMTP settings test so it properly displays results
• Fixed validation of secure SMTP Connection Modes (SSL/TLS and STARTTLS are mutually exclusive)
• Removed validation of password mismatches when SMTP or Growl notifications are disabled #7129
• Changed format of file_notice() alerts in webgui for easier reading

Graphs / Monitoring
• Changed traffic graphs to use d3.js (Dashboard and Status > Traffic Graphs)
• Moved export button to heading for Status > Monitoring page
• Moved graph labels so long hostnames do not overlap as easily #6138
• Improved error checking in case JSON isn’t returned when building graphs #6748
• Added a missing RRD step value to lookup table #6860
• Added support for multiple views in Status > Monitoring graphs (adds tab shortcuts to different graph views)
• Added a per-view “Refresh Interval” option to Status > Monitoring graphs
• Fixed null acronyms and axis label for queues/queuedrops graph in Status > Monitoring
• Enabled Area and Bar graph types for Status > Monitoring graphs
WebGUI
• Added an option to allow display of the firewall hostname on the login page
• Added filtering to widgets where appropriate
• Standardized PHP memory limit configuration
• Fixed formatting issues with the Installed Packages widget #6601
• Improved Compact-RED theme
• Changed service running/stopped icons
• Fixed issues with JavaScript confirmation prompts missing words (e.g. “Are you sure you wish to?”) #6972
• Fixed issues with packages that toggle visibility of advanced options areas #7100
• Removed the crash reporter link from the dashboard when a user does not have crash_reporter page access #7043
• Fixed display of Package installation message #7226
• Fixed “” tag processing in package XML handling
• Fixed inconsistent handling of empty/null configuration settings in config.xml #6893

Logging
• Increased filtering tail limit for logging to ensure enough entries will be displayed #6652
• Added a means for packages to request a syslogd socket inside a chroot environment #4898
• Added BIND logging to proper facility #5524
• Improved handling of the TFTP Proxy/xinetd process when it is disabled, to reduce log messages #6308

Misc
• Updated simplepie (RSS Parsing library) to 1.4.3
• Fixed storing of IPv6 addresses so they are always saved in lower case #6864
• Fixed bsnmpd “printcap” log errors #6838
• Fixed a foreach error when restoring a configuration without packages
• Fixed handling of signal traps in the console menu #6741
• Fixed “Goto line #” action on diag_edit.php so pressing the enter key also activates the function
• Changed the PHP Execute feature of Diagnostics > Command so that it does not generate a crash report from a syntax error #6702
• Added enable link to Status > UPnP & NAT-PMP error message if disabled #6689
• Changed the time zone help text to clarify and warn against the use of the Etc time zones that use POSIX style signs, which are the opposite of what most users expect #7089
• Added validation to prevent duplicate Wake on LAN entries
• Fixed permissions on /var/tmp when /var is a RAM disk #7120
• Added a fallback for get_pkg_info() to use pkg info if there is no local copy of the repository catalog
• Removed spurious output from the PHP Shell executable when running a playback script from a command prompt #7045
• Updated status.php with new info and changed its output organization #7246

2.3.2-p1 New Features and Changes

2.3.2 Update 1
• FreeBSD-SA-16:26.openssl - Multiple vulnerabilities in OpenSSL. The only significant impact on pfSense® software is OCSP for HAproxy and FreeRADIUS.
• Several HyperV-related Errata in FreeBSD 10.3, FreeBSD-EN-16:10 through 16:16. See https://www.freebsd.org/relnotes/10-STABLE/errata/errata.html for details.
• Several built-in packages and libraries have been updated, including:
  – PHP to 5.6.26
  – libidn to 1.33
  – curl to 7.50.3
  – libxml2 to 2.9.4
• The hardware serial number is now displayed in the system information widget, or a host UUID if a serial number is not found. This is for display purposes and facilitates users seeking support in identifying their hardware.
• Added encoding to the ‘zone’ parameter on Captive Portal pages.
• Added output encoding to diag_dns.php for results returned from DNS. #6737
• Worked around a Chrome bug with regular expression parsing of escaped characters within character sets. Fixes “Please match the requested format” on recent Chrome versions. #6762
• Fixed DHCPv6 server time format option #6640
• Fixed /usr/bin/install missing from new installations. #6643
• Increased filtering tail limit for logging so searching will locate sufficient entries. #6652
• Cleaned up Installed Packages widget and HTML. #6601
• Fixed widget settings corruption when creating new settings. #6669
• Fixed various typos and wording errors.
• Removed defunct links to the devwiki site. Everything is on https://www.netgate.com/docs/pfsense/ now.
• Added a field to CA/Cert pages for OU, which is required by some external CAs and users. #6672
• Fixed a redundant HTTP “User-Agent” string in DynDNS updates.
• Fixed the font for sortable tables.
• Added a check to verify if an interface is active in a gateway group before updating dynamic DNS.
• Fixed wording of the “Reject leases from” option for a DHCP interface (it can only take addresses, not subnets.) #6646
• Fixed error reporting for SMTP settings test.
• Fixed saving of country, provider, and plan values for PPP interfaces
• Fixed checking of invalid “Go To Line” numbers on diag_edit.php. #6704
• Fixed off-by-one error with “Rows to Display” on diag_routes.php. #6705
• Fixed description of the filter box on diag_routes.php to reflect that all fields are searchable. #6706
• Fixed description of the box for the file to edit on diag_edit.php. #6703
• Fixed description of the main panel on diag_resetstate.php. #6709
• Fixed warning dialog when a box is unchecked on diag_resetstate.php. #6710
• Fixed log shortcut for DHCP6 areas. #6700
• Fixed the network delete button showing when only one row was present on services_unbound_acls.php #6716
• Fixed disappearing help text on repeatable rows when the last row is deleted. #6716
• Fixed dynamic DNS domain for static map DHCP entries
• Added control to set dashboard widget refresh period
• Added “-C /dev/null” to the dnsmasq command line parameters to avoid it picking up an incorrect default configuration which would override our options. #6730
• Added “-l” to traceroute6 to show both IP Addresses and Hostnames when resolving hops on diag_traceroute.php. #6715
• Added note about max ttl/hop limit in source comment on diag_traceroute.php.
• Clarified language on diag_tables.php. #6713
• Cleaned up the text on diag_sockets.php. #6708
• Fixed display of VLAN interface names during console assignment. #6724
• Fixed domain-name-servers option showing twice in pools when set manually.
• Fixed handling of DHCP options in pools other than the main range. #6720
• Fixed missing hostnames in some cases with dhcpdv6. #6589
• Improved pidfile handling for dhcpleases.
• Added checks to prevent accessing an undefined offset in IPv6.inc.
• Fixed the display of the alias popup and edit options on source and destination for both the address and port on outbound NAT.
• Fixed handling of backup config count. #6771
• Removed some dangling PPTP references that are no longer relevant.
• Fixed up/caught up remote syslog areas. Added “routing”, “ntpd”, “ppp”, “resolver”, fixed “vpn” to include all VPN areas (IPsec, OpenVPN, L2TP, PPPoE Server). #6780
• Fixed missing checkboxes in some cases when adding rows on services_ntpd.php. #6788
• Revised service running/stopped icons.
• Added a check to CRL management to remove certificates from the drop-down list that are already contained in the CRL being edited.
• Fixed rule separators moving when multiple firewall rules are deleted at the same time. #6801
2.3.2 New Features and Changes

SSH Daemon

Note: The ssh host keys were made more secure, and if a client remembers an older, weaker key, the ssh client may refuse to connect. Remove the older key and then make the ssh client learn the new key.

• Changed sshd to use stronger Key Exchange algorithms and disabled some older, weaker algorithms. Clients may need to be updated to handle the new Key Exchange methods. Currently allowed Key Exchange Algorithms: curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256
• Removed the ECDSA host key from the sshd configuration
• Added ED25519 host key to the sshd configuration
• Changed the list of available ciphers. Current allowed ciphers: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
• Changed the list of available Message Authentication Code methods. Current MAC list: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-ripemd160-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, hmac-ripemd160, umac-128@openssh.com

Backup/Restore

• Don’t allow applying changes on interface mismatch post-config restore until the reassignment is saved. #6613

Dashboard

• Dashboard now has per-user configuration options, documented in User Manager. #6388

DHCP Server

• Disabled dhcp-cache-threshold to avoid bug in ISC dhcpd 4.3.x omitting client-hostname from leases file, which makes dynamic hostname registration fail in some edge cases. #6589
• Note that DDNS key must be HMAC-MD5. #6622
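The SSH Daemon section above lists the Key Exchange, cipher and MAC sets sshd offers as of 2.3.2. The script below is an added example, not part of pfSense or its documentation: it compares an effective-configuration dump in the lowercase "keyword value" format that OpenSSH's `sshd -T` prints against those three lists and reports any algorithm outside them, so an operator can confirm a host (or a locally modified sshd_config) still matches the hardened set. The dump used in the demo is a constructed sample, not output captured from a real system.

```shell
#!/bin/sh
# Added example (not pfSense code): verify an "sshd -T" style dump against
# the algorithm lists from the pfSense 2.3.2 release notes.

ALLOWED_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com"

# list_offending KEYWORD ALLOWED_CSV < dump
# Prints, one per line, every algorithm configured for KEYWORD (e.g. "ciphers")
# that is not present in the comma-separated ALLOWED_CSV list.
list_offending() {
    keyword=$1
    allowed=$2
    # "sshd -T" emits the keyword in lowercase followed by its value.
    configured=$(awk -v k="$keyword" 'tolower($1) == k { print $2 }')
    echo "$configured" | tr ',' '\n' | while read -r alg; do
        [ -n "$alg" ] || continue
        case ",$allowed," in
            *",$alg,"*) ;;          # allowed: stay silent
            *) echo "$alg" ;;       # outside the hardened set
        esac
    done
}

# check_dump FILE
# Returns 0 when the KEX, cipher and MAC lists in FILE are all within the
# allowed sets, 1 otherwise; offending algorithms are printed per keyword.
check_dump() {
    file=$1
    status=0
    for pair in "kexalgorithms:$ALLOWED_KEX" "ciphers:$ALLOWED_CIPHERS" "macs:$ALLOWED_MACS"; do
        keyword=${pair%%:*}
        allowed=${pair#*:}
        bad=$(list_offending "$keyword" "$allowed" < "$file")
        if [ -n "$bad" ]; then
            status=1
            echo "$keyword: not in allowed list:" $bad
        fi
    done
    return $status
}

# Demo on a constructed sample dump (not captured from a real host). On a
# live system one would feed the output of "sshd -T" instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
ciphers aes256-ctr,aes128-ctr
macs hmac-sha2-256,hmac-md5
EOF
if check_dump "$sample"; then
    echo "sshd algorithm lists match the pfSense 2.3.2 hardened set"
else
    echo "sshd offers algorithms outside the pfSense 2.3.2 hardened set"
fi
rm -f "$sample"
```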
DHCP Relay

• Imported fix for dhcrelay relaying requests on the interface where the target DHCP server resides. #6355

Dynamic DNS

• Allow * for hostname with Namecheap. #6260

Interfaces

• Fix “can’t assign requested address” during boot with track6 interfaces. #6317
• Remove deprecated link options from GRE and gif. #6586, #6587
• Obey “Reject leases from” when DHCP “Advanced options” is checked. #6595
• Protect enclosed delimiters in DHCP client advanced configuration, so commas can be used there. #6548
• Fix default route on PPPoE interfaces missing in some edge cases. #6495

IPsec

• strongSwan upgraded to 5.5.0.
• Include aggressive in ipsec.conf where IKE mode auto is selected. #6513

Gateway Monitoring

• Fixed “socket name too large” making gateway monitoring fail on long interface names and IPv6 addresses. #6505

Limiters

• Set pipe_slot_limit automatically to maximum configured qlimit value. #6553

Monitoring

• Fixed no data periods being reported as 0, skewing averages. #6334
• Fix tooltip showing as “none” for some values. #6044
• Fix saving of some default configuration options. #6402
• Fix X axis ticks not responding to resolution for custom time periods. #6464
OpenVPN

• Re-sync client specific configurations after save of OpenVPN server instances to ensure their settings reflect the current server configuration. #6139

Operating System

• Fixed pf fragment states not being purged, triggering “PF frag entries limit reached”. #6499
• Set core file location so they can’t end up in /var/run and exhaust its available space. #6510
• Fixed “runtime went backwards” log spam in Hyper-V. #6446
• Fixed traceroute6 hang with non-responding hop in path. #3069
• Added symlink /var/run/dmesg.boot for vm-bhyve. #6573
• Set net.isr.dispatch=direct on 32 bit systems with IPsec enabled to prevent crash when accessing services on the host itself via VPN. #4754

Router Advertisements

• Added configuration fields for minimum and maximum router advertisement intervals and router lifetime. #6533

Routing

• Fixed static routes with IPv6 link local target router to include interface scope. #6506

Rules / NAT

• Fixed “PPPoE Clients” placeholder in rules and NAT, and ruleset error when using floating rules specifying PPPoE server. #6597
• Fixed failure to load ruleset with URL Table aliases where empty file specified. #6181
• Fixed TFTP proxy with xinetd. #6315

Upgrade

• Fixed nanobsd upgrade failures where DNS Forwarder/Resolver not bound to localhost. #6557

Virtual IPs

• Fixed performance problems with large numbers of virtual IPs. #6515
• Fixed PHP memory exhaustion on CARP status page with large state tables. #6364
Web Interface

• Added sorting to DHCP static mappings table. #6504
• Fixed file upload of NTP leap seconds. #6590
• Added IPv6 support to diag_dns.php. #6561
• Added IPv6 support to filter logs reverse lookup. #6585
• Package system - retain field data on input error. #6577
• Fixed multiple IPv6 input validation issues allowing invalid IPv6 IPs. #6551, #6552
• Fixed some DHCPv6 leases missing from GUI leases display. #6543
• Fixed state killing for ‘in’ direction and states with translated destination. #6530, #6531
• Restore input validation of captive portal zone names to prevent invalid XML. #6514
• Replaced calendar date picker in the user manager with one that works in browsers other than Chrome and Opera. #6516
• Restored proxy port field to OpenVPN client. #6372
• Clarify description of ports aliases. #6523
• Fixed translation output where gettext passed an empty string. #6394
• Fixed speed selection for 9600 in NTP GPS configuration. #6416
• Only allow IPv6 IPs on NPT screen. #6498
• Add alias import support for networks and ports. #6582
• Fixed sortable table header wrap oddities. #6074
• Clean up Network Booting section of DHCP Server screen. #6050
• Fix “UNKNOWN” links in package manager. #6617
• Fix missing bandwidth field for traffic shaper CBQ queues. #6437

UPnP

• UPnP presentation URL and model number now configurable. #6002

User Manager

• Prohibit admins from deleting their own accounts in the user manager. #6450
Other

• Added PHP shell sessions to enable and disable persistent CARP maintenance mode: “playback enablecarpmaint” and “playback disablecarpmaint”. #6560
• Exposed serial console configuration for nanobsd VGA. #6291

2.3.1 New Features and Changes

Security/Errata

• FreeBSD Security Advisories
  – FreeBSD-SA-16:17 OpenSSL
  – FreeBSD-SA-16:18 atkbd
  – FreeBSD-SA-16:19 sendmsg
• OpenVPN upgraded from 2.3.10 to 2.3.11. Fixes two potential security issues.
  – OpenVPN 2.3.11 Change Log
• pfSense® Software Advisories
  – pfSense-SA-16_03.webgui
  – pfSense-SA-16_04.filterlog
  – 2.3.1 update 1 patches pfSense-SA-16_05.webgui.

Config Upgrade

• Fixed config upgrade for CARP VIPs on gateway groups, GRE and gif for uniqid format. #6222
• Fixed config upgrade for IP aliases with CARP IP parent. #6164
• Correct OpenVPN topology config upgrade to retain 2.2.x and prior net30 topology. #6140
• Correct and adjust apinger parameters to dpinger parameters automatically on upgrade. #6142

Gateways

• Fix static route for IPv6 monitor IP with link-local gateway. #6353
• Fix default gateway switching with IPv6 and link-local gateways. #6258

OS / Backend

• NanoBSD is now permanently read-write, to avoid issues with slow rw->ro mount times and systems getting stuck read-only mounted. #6184
• Systems using a RAM disk for /var/ have their alias tables backed up and restored during bootup. #6189
• Set console settings (serial configuration, password protection, etc.) post-upgrade. #6120
• Ensure package repo is updated with latest metadata when checking for latest version. #6115
• Display consistent firmware version on dashboard and in update checker. #6320
• Correct description of update branch options. #6136
• Prevent update checking failures from killing webGUI. #6177
• Make pkg use configured proxy server settings where they exist. #6149

Web GUI

• Fix row delete button on unsaved aliases, NTP, UPnP and other screens. #6101
• Captive portal MAC passthrough credits waiting period box restored. #6290
• Outbound NAT edit screen destination field alias auto-completion restored. #6287
• Captive portal allowed IPs direction selection on edit fixed. #6267
• Restored input validation on port forwards to prohibit IPv6. #6265
• Restored input validation on firewall rules to prohibit IPv6 IPs in IPv4 rules and vice versa. #6211
• Fixed PHP error on edit of PPP interfaces. #6264
• Fixed radio button placement on gateways dashboard widget settings. #6259
• Fixed display post-refresh of system information dashboard widget. #6251
• Restored in/out bytes counters on Status>Interfaces. #6244
• Correctly show and hide OpenVPN topology field as applicable. #6236 #6214
• Correct voucher character set input validation. #6231
• Disable background update checking on dashboard when update check is disabled. #6212
• Restore input validation of IP address family and rule type, verifying IPv6 IPs with IPv6 rules, and IPv4 for IPv4 rules. #6218
• Add validation of address family and protocol combinations on packet capture page. #6219
• Add validation of IP aliases with CARP parent interfaces to ensure matching address family. #6218
• Restore GET parameters on status_graph.php. #6192
• Fixed PHP error on input validation failure with floating rules in some cases. #6175
• Use CDATA for firewall rule separator descriptions so non-English characters work. #6174
• Fix port forward edit destination field filling when virtual IPs configured. #6173
• Fix load balancer monitor edit. #6171
• Restore “none” in load balancer fall-back pool. #6170
• Restore use of aliases in load balancer. #6169
• Fix duplicate for load balancer pools and virtual servers. #6168
• Restore description field on lagg edit page. #6163
• Fix saving of bogons update frequency. #6162
• Restore description field on captive portal IP passthrough. #6161
• Fix saving of sticky connections timeout field. #6146
• Show all restore areas in backup/restore screen. #6144
• Fix moving of rule separator before saving. #6128
• Use consistent up and down arrow formats on dashboard widgets. #6123
• Fix typo on OpenVPN server description. #6102
• Fix missing string on notification “mark as read” button. #6104
• Fix firewall rule separator positioning with easy rule addition. #6105
• Prevent closing of info box on monitoring page. #6106
• Add custom date range option to monitoring page. Use infoblock on IPsec PSK screen. #6107
• Fixed loss of “Do not NAT” enable on edit on outbound NAT. #6112
• Correct label of 1:1 NAT edit screen. #6114
• Add AJAX updates to NTP status page. #6117
• Fix button spacing on Edit File and Command pages. #5995
• Fix specification of port in DNS Resolver domain overrides. #6091
• Fix moving of multiple items to bottom of list on firewall, NAT and IPsec screens. #6092
• Fix setup wizard with only WAN assigned and using static IP. #6093
• Remove logo from wizard since it’s now redundant. #6095
• Fix gateway widget cut-off with 3 column dashboard. #6096
• Fixed force update on RFC 2136 DDNS. https://redmine.pfsense.org/issues/6359
• Fix reboot prompt when changing RAM disk setting and encountering an input error. #6349
• Fix highlighted tab when editing IPsec mobile P1. #6341
• Fix selection of configured speed and duplex on interface page. #6331
• Fix division by zero in status_queues.php. #6329
• Fix alignment issues in forms. #6327
• Fix entry of CIDR range in host aliases for conversion to IPs. #6322
• Allow use of # and ! again in DNS Forwarder domain overrides. #6310
• Restored hostname infobox in menu bar. #6306
• Fixed editing and deleting of additional DHCP pools. #6303
• Fixed requests to diag_system_activity.php piling up on slow systems. #6166

Interfaces

• Unset LAN DHCPv6/RA configuration if LAN interface is removed. #6152
IPsec

• Fix starting of strongswan twice. #6160

DNS Resolver

• Switched domain overrides from stub-zone to forward-zone so domain overrides don’t require the target server to provide recursion. #6065
• Allow adding 0.0.0.0/0 to access lists. #6073
• Added 100,000 and 200,000 options for Unbound cache limit. #6230
• Fix Unbound startup where both DNS Forwarder and Resolver are enabled. #6354

DHCP Server

• Hostnames now allowed for NTP servers. #6239

IPsec

• Fixed LAN interfaces stopping functioning when IPsec is in use. #6296
• Mobile PSK matching issue with multiple PSKs fixed. #6286
• leftsendcert=always specified for all RSA types. #6082
• rc.newipsecdns fixed to check correct enabled status. #6351

Notifications

• Fixed growl notifications to unresolvable hostname generating crash report. #6187
• Fixed growl notification test with no password. #6221

Captive Portal

• Fixed error handling captive portal username with single quote. #6203
• Fixed issues with mixed-case zone names. #6278

OpenVPN

• Prevent leading space in tunnel network configuration causing invalid configuration. #6198
User Manager

• Fix RADIUS login with attribute class (25) when the server returns multiple attribute entries with different data. #6086
• Honor deny config write for RADIUS users. #6088

Package System

• Uninstall all packages pre-upgrade from <= 2.2.x to 2.3 to avoid problems from old packages. Reinstall them post-upgrade. #6137
• Fix reinstall of renamed packages post-upgrade to 2.3. #6118
• Fix package reinstallation getting stuck in loop when there is no Internet connectivity post-upgrade. #6180

Other

• Removed lua support from nginx to not deprecate old CPUs lacking CMOV support. #6185
• Added validation to console menu interface assignment to prevent creating duplicate VLANs. #6183
• Blacklisted S.M.A.R.T. options with Hyper-V to prevent crash. #6147
• Silence SSH host key log spam. #6143
• Fix order of gateway and gateway group name in gateway down log message. #6134
• Allow use of @ in hostname field for Namecheap DDNS. #6122
• Fix console error where $nat_if_list isn’t an array. #6307
• Include patch number in version display. #6309
• Fix pw groupdel error in log during boot. #6352
• Fixed stale xmlrpc.lock preventing config sync from functioning. #6328
• Fixed failed chown on startup with /var as a RAM disk. #6131
• Crash reporter now ignores warnings in release versions. #6178
• Fixed crash reporter to show full PHP warnings in development versions. #6097

Update 1

2.3.1 update 1 (2.3.1_1) was released on May 25, 2016 with the following fixes/changes since 2.3.1-RELEASE.

• Security issue pfSense-SA-16_05.webgui patched.
• Lowered default LDAP timeout from 25 seconds to 5 seconds. #6367
• Fixed handling of IPsec negotiation mode with IKE version set to auto. #6360
• Increase PHP’s memory limit to 512 MB on 64 bit versions to better accommodate systems with a large number of active states. #6364
• Set request_terminate_timeout the same as max_execution_time to prevent many possible circumstances of “504 gateway error” from occurring. #6396
• Fix use of URL IP type aliases in firewall rules. #6403
• Fix show/hide fields Javascript in Chrome on macOS. #6401
• Fixed save of “IPv6 over IPv4 Tunneling” address on System>Advanced, Networking. #6381

Update 2 through 4

These were internal-only versions that weren’t publicly released.

Update 5

2.3.1 update 5 (2.3.1_5) was released on June 16, 2016 with the following fixes/changes since 2.3.1_1.

• Fixed command injection vulnerability in auth.inc via User Manager. #6475
• Fixed command injection vulnerability in pkg_mgr_install.php id parameter. #6474
• Upgraded PHP to 5.6.22
• Fixed Captive Portal redirect hangs caused by longer keepalive_timeout in nginx. #6421
• Fixed DDNS PTR zone in dhcpd.conf with third octet of 0. #6413
• Fixed save and reset buttons on load balancer status page. #6254
• Fixed schedule editing on firewall rules page. #6428
• Allow “-” character in TFTP server field on DHCP Server page. #6433
• Allow “-” and “_” characters in system tunables. #6438
• Fixed changing of link type on PPPs edit screen. #6439
• Fixed setting of “RADIUS issued IPs” on L2TP page. #6440
• Restored apply changes button for interface mismatch post-config restore. #6460
• Fixed display of Outbound NAT port aliases. #6463
• Fixed schedule edit allowing invalid time range. #6468

2.3 New Features and Changes

Security/Errata

• FreeBSD Security Advisories:
  – FreeBSD-SA-16:01.sctp
  – FreeBSD-SA-16:02.ntp
  – FreeBSD-SA-16:05.tcp
  – FreeBSD-SA-16:07.openssh
  – FreeBSD-SA-16:09.ntp
  – FreeBSD-SA-16:11.openssl
  – FreeBSD-SA-16:12.openssl
  – FreeBSD-SA-16:15.sysarch
• pfSense® Security Advisories:
  – pfSense-SA-16_01.webgui
  – pfSense-SA-16_02.webgui

Several obsolete items were removed from this release. The items are noted again in the sections below, but are worth emphasizing:

• The PPTP VPN Server has been completely removed. The protocol has been broken for over three years. The PPTP WAN client remains for use with ISPs still using PPTP.
• Layer 7 classification support has been removed from the traffic shaper. It was rarely used, had been broken for all of 2.2.x, had absurdly high CPU usage, and snort filters better/faster.
• WEP support has been removed from Wireless interfaces. #5123 There is no reason to still be using this in this day and age. If it is still needed, use an external AP.
• Single DES support has been removed from IPsec (3DES remains). It should not be used; it is not secure.
• 1GB NanoBSD images have been removed, as they were not large enough to properly accommodate the system and upgrade data. The supported sizes for NanoBSD images are now 2GB and 4GB.
• The default system password hash has been changed to bcrypt. Current passwords will continue to work. Existing users need to reset their password to convert to the new hash. More info below under “Authentication”. #4120
• The LiveCD platform has been removed. The ISO is a bootable installer, as always, but it cannot run a live system.
  – The installer ISO image is now named “pfSense–RELEASE-.iso”, with the .iso extension signifying the type of image it is (optical media installer).
  – For the very few people who were still using LiveCD, if the hardware can boot from USB, install to a USB thumb drive and run from it instead. If the options to keep /var and /tmp in RAM are active, and no packages are installed, the net result should be similar but ultimately more functional.

Dashboard/Widgets/GUI

• Converted GUI to the Bootstrap framework, completely new look
• Changed the GUI and Captive Portal web server to nginx; removed lighttpd. #5719
• Cleaned up a lot of GUI code, option text, etc.
• TLS v1.0 disabled for the GUI. #5984
• Removed old style themes, introduced new CSS-based themes
• Refactored JavaScript and CSS, moved included items to more convenient locations
• Added more AJAX updating in widgets and other places
• Changed to more intuitive and modern icons and action buttons rather than the old confusing icon set (now using font-awesome icons)
• Changed log display to be more consistent (single page for most logs, common filtering options)
• Removed obsolete fifolog support. It was never used or fully implemented, and had no GUI option.
• Improved notices in the GUI
• Made breadcrumbs and page title handling more consistent
• Added an option to have the top menu follow the user when scrolling
• Renamed several GUI file names to match menu structure. #5628
• Fixed AES-NI hardware display in the system information widget. #4911
• Added widescreen support to the Dashboard. #5195
• Improved password field handling security. Stored passwords are not presented back to the user in HTML. A masked value is returned instead. All password fields have also been changed to require confirmation.
• Many pages have been reworked for improved internationalization
• Changed info box functions, removed print_info_box_np, now print_info_box and print_apply_box are used to print appropriate boxes without problematic automatic detection
• Moved RRD graphs to Status > Monitoring #5498
• Changed RRD GUI interface to D3 rather than using the RRD graph command, so that a newer rrdtool base could be used with minimal added dependencies. #5498
• Monitor IP added to gateways widget. #4782
• Increased max_input_vars from 1000 to 5000 to accommodate larger aliases. #4780
• Fixed NTP RRD graphs to accommodate negative values. #4423

OS/Backend

• Moved to a FreeBSD 10.3-RELEASE base
• Added tryforward() support to get (nearly all of) the performance of fastforward with IPsec enabled
• Overhauled the build system
  – Eliminated the -tools repository
  – Removed Patches, changes are now applied to a vendor branch of FreeBSD
  – Rewrote/changed the build scripts significantly
  – Moved the new build scripts to the main pfSense repository
• PHP Upgraded to 5.6
• Replaced pecl-APC with opcache. #4744
• Added support for -c parameters to /etc/rc.initial. #4422
• Added optional package for kernel debug symbols. #5330
• Rewrote system_set_harddisk_standby() for the current CAM-based ATA stack. #4569
• Fixed a Panic/Crash with “sbflush_internal: cc 4294967166 || mb 0 || mbcnt 0”. #4689
• Fixed a kernel panic with AES-NI. #4702
• Updated AES-GCM/AES-NI bits from FreeBSD -HEAD. #4841
• Removed zoneinfo.tgz file for Time Zones, moved to the same format as FreeBSD. #4726
• Fixed tcpdump with zerocopy enabled (net.bpf.zerocopy_enable=1). #5257
• Added ability to disable PV disks and NICs on Xen. #5452
• Removed the built-in but unused MySQL PHP modules and added them to the pkg server instead. They may be added as package dependencies or manually installed as needed.
• Followed FreeBSD (r294560) in ceasing generation of rsa1 and dsa ssh server host keys by default
• Removed support for nanobsd images < 2GB #5836
• Overhauled IP address handling code in various parts of the system
• scponly package is included by default. #5190
• Shortened F1 boot prompt delay on nanobsd. #3426

Packages

Note: The list of available packages in pfSense 2.3 has been significantly trimmed. Netgate has removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable.

• Removed use of PBI-based packages, moved to pkg(ng)
• Fixed installation and handling of packages to use pkg, now works identically in the GUI and shell/console
• Changed packages to use the FreeBSD ports format/layout to work with pkg
• XMLRPC calls for package information and installation have been removed, replaced with native pkg functions. #4575
• Added support for packages to be (re)built automatically by Poudriere
• Added search capability to Available Packages list to filter packages by keywords. #5324
• Fixed the version comparison code in the Package manager. #4924
• Added support for tags in listtopic fields for use by packages
• Factory reset now completely uninstalls packages. #5829
• Improved handling of package install post-upgrade. #3597

System Updates

• Major changes to update management
• Removed “full update” or “full slice” upgrade for systems on 2.3 to later versions. These files will remain available for use by older versions updating to 2.3.
• The “Full Backup” feature has been deprecated.
• Changed system updates to be handled via pkg
• Changed Base, kernel, and standard pre-installed binaries to packages
• Removed “Firmware” nomenclature, now only referred to as “Update”
• Fixed updating of base to work the same from the console or the GUI
• Added preliminary support for restarting system services without rebooting in cases when the base is updated but the kernel is the same.
Gateways/Routing

• Replaced apinger with dpinger(!). #5624
  – This fixes many gateway monitoring related issues, including incorrect latency and loss in various edge cases.
  – Eliminates status file race conditions that caused update failures on services bound to gateway groups in some edge cases. #5180 and #3818 among others.
  – Fixed gateway monitoring startup at boot time with assigned OpenVPN interfaces. #4587
  – Check gateway monitor settings after upgrade, dpinger has different options than apinger.
• Added code to allow gateways outside of an interface subnet. #972
• Corrected “State Killing on Gateway Failure” description. #4709
• Fixed disabling of a static route set to use a disabled gateway. #4813
• Added standard deviation to gateway status and widget
• Fixed dynamic gateway logic to prevent GIF/GRE from making dummy/unusable gateways that show up for monitoring/routing/etc #5766
• Changed static routes handling for DNS servers so they are removed when a gateway is disabled #4921
• Increased gateway weight limit from 5 to 30. #5843
• Fixed issues with PPP type WANs and the Default Gateway Switching option. #1837
• Fixed dynamic gateway handling for OpenVPN tap clients. #5981
• Fixed display of full interface name in Diagnostics>Routes. #5484

Rules/NAT/pf

• Added drag-and-drop rule reordering for firewall and NAT rules.
• Fixed a situation where pf drops IPv6 packets with fragment header followed by a last fragment only. #2762
• Fixed “LAN network” in v6 rules not working when a link-local address is assigned to LAN. #3656
• Added reordering for 1:1 NAT rules. #3888
• Improved handling of firewall rule tracker IDs for port forward associated rules
• Added support for a separator bar in firewall and NAT rules for use as a visual reference. #5373
• Standardized the NPt options in the GUI so their options and appearance are more similar to 1:1 NAT
• Added a “no binat” checkbox to 1:1 NAT screen for exclusions. #3887
• Limited pfsync syncpeer to IPv4 since it does not support IPv6 #4648
• Changed the default CARP pass rules to use “no state” to avoid issues with broken L2 gear that duplicates packets #5800
• Added sorting to Alias lists #4195
• Added a hit counter to the firewall rule display with states and bandwidth consumed by packets matching rules.
• Fixed issues with the DNS Forwarder and DNS Resolver being enabled concurrently (on different ports) in an HA environment #5882
• Added a visual indication in the rule list for floating rules with the “quick” property set #5860
• Improved state display on Diagnostics > States, now shows packets and bytes for each state
• Fixed aliases containing both FQDNs and IPv6 subnets. #5872
• Fixed removal of downloaded URL table alias contents when alias is deleted. #5856
• Significantly improved validation of downloaded data for URL Table aliases. #5848
• Fixed possibilities for creating an invalid ruleset with missing URL Table Ports aliases. #5845
• Fixed filterdns issues with significant system clock time jumps. #4166
• Added firewall rules hit counter. #3504

Interfaces/VIPs

• Fixed pfSense_getall_interface_addresses truncating IPv6 link local IP addresses. #4062
• Add GUI setting for VLANs PCP. #4133
• Fixed GRE interfaces failing to have a RUNNING state after reboot. #4191
• Fixed setting non-default MTUs in some edge cases. #4397
• Added input validation on bridges to prevent adding the same interface to multiple bridges. #4595
• Fixed CARP not working under bhyve. #4623
• Improved input validation for 6RD, GRE and gif interfaces, helping prevent invalid configurations.
• Changed input validation to allow /31 to be used for CARP VIPs since that is now supported and works in FreeBSD. #5533
• Added debug logging option for DHCP6 client. #4534
• Fixed cases where DHCP6 client (dhcp6c) was being launched multiple times in some circumstances. #5621
• Upgraded dhcp6c. #5734
• Upgraded DHCP client to ISC dhcpd 4.3.3P1.
• Fixed applying of non-default MTU on gif interfaces post-boot with dynamic IP WANs. #5842
• Added support for PPPoE with MTU/MRU > 1492, RFC 4638. #4542
• Fixed issues with link cycling on some Intel 10G ix NICs #5913
• Corrected ALTQ test to show that ix/ixgbe NICs are capable of traffic shaping. #5923
• Improved handling of default interface assignment for some hardware. #4535
• Corrected input validation for invalid IPv6 IPs with leading or trailing colon. #6024
• Fixed orphaning of VLANs on lagg interfaces after editing the lagg. #6014
• Fixed loss of some dhcpleases and dhcpleases6 logs. #5968
• Fixed adding of routes immediately post-reboot for delegated IPv6 prefixes to sub-routers. #5957
• Fixes to DHCPv6 leases status page and prefixes.php. #5944 #4206
• Fixed loss of IPv6 IP on track6 interfaces when saving and applying changes on that interface. #5945
• Fixed incorrect interface mismatch prompt post-config restore when using VLANs on lagg. #5892
• Added support for multiple span interfaces on bridges. #5871
• Prevent naming conflicts between interfaces and interface groups. #5795
• Prevent naming conflicts between interfaces and aliases. #5778
• Fixed use of IP aliases with GRE tunnels. #4450
• Fixed application of bridge advanced options after interface added to bridge. #4312
• Set MTU back to default after clearing the field. #3926
• Fixed IPv6 IP aliases on CARP IPs. #3716
• Fixed IP alias on CARP IPs where IP alias above CARP parent in list. #3257
• Fixed modifying unassigned VLAN interfaces changing assigned VLAN. #3209

Authentication

• Fixed the WebGUI becoming slow or unusable when an LDAP server used for GUI auth is unreachable. #3383
• Fixed a problem with using ‘local’ as the name of an authentication server ‘Descriptive Name’. #4469
• Fixed default Auth Server selection on system_usermanager_settings.php. #5440
• Added support for bcrypt as a passwd hash and enabled it as the system default #4120
• Replaced the default passwd hash for root/admin using bcrypt (blowfish).
  – Existing user passwords will continue to work in their existing format until the user’s password is changed.
  – User passwords cannot be automatically converted as they are not stored in plain text. To convert the password hash of an existing user to bcrypt, edit the user and change their password.
• Added the ability to filter privileges when adding them to a user or group, to make finding them easier.
• Fixed updating of group file for renamed groups. #6013
• Fixed handling of groups with spaces in their names. Local group names can no longer contain spaces. New group scope option “Remote” added for LDAP and RADIUS use where spaces in group names are valid. #6012
• Added support for RFC2307 style LDAP groups. #4923

Services

• Fixed handling of the SNMP Bind Interface. #3883
• Fixed ntpd crashes on 32 bit with dynamic WAN reconnections and OpenVPN client configured. #4155
• Fixed a kernel panic with APU and SNMP with mibII. #4403
• Updated igmpproxy to the latest version. #4672 The old version had some custom patches, so be wary of behavior changes.
• Added encoding for DHCP/DHCPv6 server additional BOOTP text options to preserve data when stored in XML #5623
• Fixed duplication action for Load Balancer Monitor entries #4441
• Upgraded DHCP Server and Relay to ISC dhcpd 4.3.3P1
• Added statistics gathering for DHCP Server leases. #5387
• Fixed DDNS key issues with DHCP and DHCPv6 Server enabled on multiple interfaces. #5603
• Added custom ACLs for NTP (restrictions by network) #4463
• Prevent starting of radvd in circumstances where it shouldn’t. #5812
• Added description column to DHCP leases status screen. #5729
• inetd replaced with xinetd (used for proxy mode NAT reflection and TFTP proxy). #5707
• DHCP lease counters added to Status > DHCP Leases. #5186
• Allow configuration of RAs when DHCPv6 Relay is enabled. #6063
• Fixed DHCPv6 Server’s DDNS. #4675
• DHCP Server menu item now defaults to the first interface with an enabled DHCP Server instance. #4647
• Allow configuring DHCPv6 and RAs on track6 interfaces. #3029
• Fixed RADIUS NAS IP in PPPoE server. #185
• Deprecated ntpdate_sync_once.sh, replacing it with ntpd -g. #6053

DNS

• Fixed Unbound IPv6 link local handling. #4021
• Added validation for advanced configuration directives in Unbound. #4411
• Upgraded dnsmasq to 2.76.0test8 to fix crashes in 2.75. #5341
• Fixed Unbound binding to IP alias virtual IPs. #5464
• Changed Namecheap dynamic DNS to use separate hostname and domain name fields. #4366
• Added Multi-WAN support to RFC 2136 Dynamic DNS.
• Added RFC 2136 support to the Dynamic DNS widget.
• Added input validation to prevent the same DNS server from being added multiple times on System > General. #5915
• Fixed CloudFlare dynamic DNS to not configure ‘proxiable’ and ‘proxied’ parameters. #6005
• Fixed dnsmasq host overrides when both DNS Forwarder and Resolver are enabled. #5883
• Added RFC 2136 dynamic DNS to dashboard widget. #5862
• Added multi-WAN support to RFC 2136 dynamic DNS client. #5862
• Don’t specify 127.0.0.0/8 IPs as forward-addr in Unbound configuration. #5750
• Added input validation to require configured DNS servers before enabling Resolver’s forwarding mode. #4747
• Added Google Domains DDNS support. #4322
• Added DNS Made Easy DDNS support. #1258
• Allow @ in Dynamic DNS hostnames. #3900
• Improve IPv6 link local handling in DNS Resolver and Forwarder so it works across configuration restores and with HA config sync. #3802
IPsec

• Upgraded to strongSwan 5.4.0.
• Fixed multiple possibilities for IPsec status hangs. #5520
• Revised handling of IPsec reloading when strongswan.conf is changed. #4353
• Fixed problems with the search domain in IPsec mobile clients. #4418
• Added support for elliptic curve for IPsec on webconfigurator. #4683
• Added input validation for authentication backend when using EAP-RADIUS with IKEv2 Mobile IPsec. #5219
• Fixed unit display on IPsec status pages for time and data to be more human-friendly. #5364
• Removed support for single DES from IPsec (3DES remains). #5543
• Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead.
• Changed IPsec ‘up’ commands to start in the background so they are non-blocking. #5882
• Disabled the strongSwan unity plugin by default, and improved the method used to disable the plugin. #4178
• Removed unnecessary and troublesome ‘pass out’ rules for mobile IPsec. #5819
• Fixed “no valid leases object found” log spam with IPsec dashboard widget. #5855
• Fixed automatically added WAN rules (UDP 500, 4500, ESP) when using IPsec with IP aliases. #5500
• Fixed IKEv2 to Cisco ASA resulting in traffic selector mismatch when initiated by traffic. #4719
• Added “split connections” option to phase 1 for IKEv2 for interoperability with third party devices that do not support multiple traffic selectors on one child SA (Cisco ASA, others). #4704
• Added dynamic AJAX update to status_ipsec.php. #6049

OpenVPN

• Changed the default behavior of the OpenVPN server to use topology subnet, not net30. #5526
• Changed Client-Specific Overrides so they can be set to apply to specific servers rather than being globally set. #5526
• Fixed OpenVPN Server validation of self-signed certificates with a depth of 2. #4329
• Fixed overwriting of custom /etc/dh-parameters.* on upgrade. #4816
• Fixed invalid rules generated with some AVPair-defined ACLs. #5451
• Improved display of server certificates on OpenVPN servers to help avoid users incorrectly picking user certificates for servers. #5602
• Fixed OpenVPN client specification of auth-user-pass in shared key modes where it’s not valid. #5941
• Fixed problems with OpenVPN and some use of special characters in the username or password. #4605
MPD/PPP VPN/Services

• Removed PPTP Server. #4226
• Add MS-CHAPv2 option to L2TP Configuration. #4732
• Fixed editing of multiple PPPoE connections with dial on demand enabled changing the port assignment. #4378
• Added a user login count option to the PPPoE server.

UPnP/NAT-PMP

• Enabled port-in-use checking in miniupnpd. #4320
• Enabled IPv6 for miniupnpd. #4321
• Set secure_mode=yes in miniupnpd configuration. #5627

Wireless

• Removed WEP. #5123
• Improved default settings for Wireless interfaces.

Captive Portal

• Fixed Captive Portal to support more than 120 VLAN interfaces. #4150
• Added an option in Captive Portal for FreeRADIUS-friendly stop/start RADIUS accounting updates that solves problems with user session time limits. #2164
• Fixed selection of RADIUS NAS IP with VIPs when editing Captive Portal zone. #5656

Traffic Shaping

• Fixed CODELQ scheduler defaults. #4692
• Removed Layer 7 classification support from the traffic shaper. #5508
• Relaxed the shaper wizard interface validation when there are no interfaces with gateways selected. #4524
• Fixed traffic shaper failure with “bandwidth for q... higher than interface” in some edge cases. #5721

Misc

• Allow wildcards in Certificate Subject Alternative Names. #3733
• Removed the “Certificate Authority” option on the Certificates tab of the Cert Manager when creating a Certificate. To make a Certificate Authority, use the CAs tab instead. #5924
• Adapted gitsync to new repo structure. #4999
• Changed the packet capture output in the GUI so that when the protocol is set for CARP, tcpdump interprets it as CARP for more accurate output.
• Added pfsync protocol option to packet capture page. #5866
• Added “GoTo line #” control to Diagnostics > Edit File.
• Corrected help in pfSsh.php to properly reflect how recording works.
• Fixed validation of playback file passed to pfSsh.php. #5657
• Fixed disabling of filter.log logging where local logging is disabled. #6018
• Updated included software on licenses.php page. #5903
• Internationalization improvements. #5777
• Fixed use of IP aliases on Test Port page. #5185
• Fixed key map, screen map and font selection in installer. #4387
• Prevent deletion of certificates in use by packages. #4142

Update Patches

This section lists the changes contained in patch updates post-release.

2.3_1

The 2.3_1 update upgrades NTP to fix FreeBSD security advisory SA-16:16.ntp. The only change is upgrading ntpd from 4.2.8p6 to 4.2.8p7.

2.2.6 New Features and Changes

Security/Errata Notices

• Updated to FreeBSD 10.1-RELEASE-p25
  – FreeBSD-SA-15:26.openssl Multiple vulnerabilities in OpenSSL
• Updated to strongSwan 5.3.5
  – Includes fix for CVE-2015-8023 authentication bypass vulnerability in the eap-mschapv2 plugin.
• pfSense-SA-15_09.webgui: Local File Inclusion Vulnerability in the pfSense® WebGUI
• pfSense-SA-15_10.captiveportal: SQL Injection Vulnerability in the pfSense captive portal logout
• pfSense-SA-15_11.webgui: Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI

Logging

• Fixed log duplication for some log entries. #5606
IPsec

• strongSwan 5.3.5 update fixes several bugs.

Config sync

• Fixed config synchronization failure in some circumstances. #5509

Captive Portal

• Fixed captive portal database handling issue that could reset database instead of waiting for lock to clear. #5622
• Fixed problem with 0 byte files in captive portal file manager. #5642

2.2.5 New Features and Changes

Security/Errata Notices

• Updated to FreeBSD 10.1-RELEASE-p24
  – FreeBSD-SA-15:25.ntp
  – FreeBSD-SA-15:14.bsdpatch:
  – FreeBSD-SA-15:16.openssh:
  – FreeBSD-SA-15:18.bsdpatch:
  – FreeBSD-SA-15:20.expat:
  – FreeBSD-SA-15:21.amd64:
  – FreeBSD-SA-15:22.openssh:
• pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense® WebGUI. The complete list of affected pages and fields is listed in the linked SA.
• Updated strongSwan to 5.3.3
• Updated PHP to 5.5.30
• Updated miniupnpd to 1.9.20150721 to address a potential vulnerability in miniupnpd.

User Management/Authentication

• Added support for GUI auth from RADIUS to obtain group names from the RADIUS reply attribute “Class” as a string (local groups must exist, similar to LDAP). #935
• Added an LDAP server timeout field to address GUI access issues when the LDAP server is down/unreachable. #3383
• Added support for LDAP RFC 2307 style group membership. #4923
• Worked around a chicken-and-egg problem in user syncing which was preventing users from using ssh the first time the account was saved. #5152
• Prevent deletion of system users and groups by authenticated, authorized users using manually crafted POSTs. #5294

OpenVPN

• Fixed an incorrect netmask being sent to OpenVPN clients with static IP addresses set in RADIUS. #5129
• Changed the calculation of the OpenVPN point-to-point server IP address obtained from RADIUS to be consistent with CSC/Overrides (Server should be one IP address below the Client).

IPsec

• strongSwan upgraded to 5.3.3. strongSwan’s change log
• Fixed missing DH group 22-24. #4918
• Fixed handling of IPv4 IPsec Phase 1 endpoints that resolve to an IPv6 address. #4147 (Fixed by strongSwan update to 5.3.3)
• Brought back “auto” IKE version and fixed problems with its previous implementation.
• Pre-shared keys configured as “any” under VPN > IPsec, Pre-Shared Keys tab are added as %any to ipsec.secrets now, as described in the note on the page. #5246
• Resolved memory leak by switching printf hooks to vstr. #5149
• Change to vstr to fix memory leak broke SMP status plugin. Switched to vici for status output.
• ID selectors omitted from ipsec.secrets for mobile PSK+XAuth configurations. Fixes pre-shared key mismatches with Apple iOS Cisco IPsec and other mobile clients. #5245
• Fixed logging default settings and ability to set logging to silent. #5340
• Logging settings applied correctly on clean start and stop/start of service. #5242
• Remove deleted CAs, certificates and CRLs from strongswan configuration. #5238
• Prevent over-matching of auto-added firewall rules for mobile IPsec configurations. #5211
• Added IPv6 virtual address pool support for mobile. #5284
• Allow both IPv4 and IPv6 in phase 2 entries on a single phase 1 when using IKEv2. #5305
• Omit NAT rules for disabled phase 1 and 2 configurations. #5320
• Only display certificate authority field for methods where it’s relevant. #5323
• Only write out CA certificates for those specified in a Phase 1 configuration. #5243
• Fixed Hybrid RSA + xauth. #5207
• Fixed configuration of split tunnel attribute. #5327
• Specify rightca in ipsec.conf where relevant. #5241
• Specify leftsendcert=always in ipsec.conf for mobile profiles using IKEv2 to better accommodate iOS and macOS manual configurations. #5353
• Fix IKEv2 mobile client pool status display with small number of active leases.
Rules/NAT

• Fixed handling of url_port alias types when processing items that should be handled by filterdns. #4888
• Fixed handling of line endings when parsing a URL table ports file.
• Fixed handling of empty bogon lists on NanoBSD.
• Fixed handling of 6rd rules so they are only added when there is an IPv4 IP defined for the gateway, otherwise the ruleset ends up invalid. #4935
• Added support for port ranges on Outbound NAT. #5156
• Added a check to prevent renaming an alias to an existing name. #5162
• Improved the fix for increasing the “self” table size in pf.
• Imported fixes from FreeBSD for a situation that could result in a panic/crash due to source address limits in pf rules (“pf_hashsrc: unknown address family 0”). #4874

Captive Portal

• Implemented an alternate method to find VIP targets that should be allowed for Captive Portal. #4903
• Improved handling of the captive portal database files for zones in cases when the database files may be corrupt or unreadable. #4904
• Improved handling of vouchers that are too short. In certain cases they were not being properly rejected. #4985
• Fixed handling of voucher database files, initializing the database properly when necessary. #5113
• Fixed loading of allowed hostnames at boot time. #4746, #5345

Packages

• Fixed handling of package install errors and connect timeouts during the install process. #4884
• Improved package version comparison. #4924
• Fixed an issue with package editing where the default value was not being populated for new fields.
• Fixed removal of syslog.conf entries during package uninstall. #5210

DHCP

• Fixed handling of DHCP pools that are out of range, preventing them from creating an invalid dhcpd configuration. #4878
• Added support for UEFI network booting with arch 00:09. #5046
• Fixed a situation where dhcpleases could miss updates for hostnames in the leases file, delaying functional hostname resolution of new and updated DHCP leases. #4931
• Automatically add firewall rules to permit DHCP traffic when DHCP Relay is enabled, matching the behavior for DHCP Server. #4558
Interfaces

• Fixed identification of IPv6 interfaces with PPP-type interfaces and DHCP6. #3670
• Removed “Could not find gateway for interface...” log messages as they were largely useless. #4102
• Added OpenVPN interfaces to the list of available interfaces when reassignment is necessary during config.xml restoration.
• Fixed interface assignment menus running off VGA screen.
• Fixed preservation of MLPPP settings when saving interface settings. #4568
• Correct handling of SLAAC, DHCP6 and DHCP-PD with PPP interfaces. #5297

Dynamic DNS

• Fixed Cloudflare support for Dynamic DNS updates.
• Fixed GratisDNS support for hosts without subdomains.
• Disabled DHS provider. It had never worked.
• Fixed IPv4 dynamic DNS registrations on dual stack hosts to providers with AAAA records. #3858
• Update Dynamic DNS using gateway groups upon enable and disable of gateways. #5214
• Fixed Dynamic DNS using gateway groups specifying a CARP IP. #4990

Misc

• Fixed the configuration version comparison in XMLRPC sync to prevent more invalid synchronization cases. #4902
• Cleaned up old unused platforms referenced in a few areas of the code that were no longer relevant.
• Fixed killing of individual states in cases when the source and destination were reversed. #4907
• Fixed killing of individual states for IPv6. #4906
• Changed the “enableallowallwan” script to also allow bogons, which makes the use of RFC 5735 / RFC 6890 test networks easier in lab environments.
• Fixed handling of VIPs in source address selection for Diagnostics > Test Port. #4986
• Updated status.php to include more information. #5304
• Fixed handling of the description in Traffic Shaping.
• Fixed pfSense base version comparison. #4925
• Fixed handling of multiple notices in the same second. #4879
• Removed the routed service as it is being handled by the package.
• Set MIME type for SVG in lighttpd configuration.
• Improved handling of the cron service reconfiguration process.
• Added option to display monitor IP on Gateways widget. #4782
• Added “Description” as a display option on Traffic Graphs. #4783
• Fixed handling of L2TP server interface selection. #4830
• Added /usr/bin/dc back into the build. #5111
• Fixed a crash/panic “Sleeping thread owns a non-sleepable lock” in ARP code when using Proxy ARP type VIPs. #4685
• Added support for Sierra Wireless 7355. #4863
• Updated time zones. #5254
• Added fsync of Unbound’s root.key to ensure the file isn’t corrupted if power is lost shortly after writing of the file. Code added to detect corrupt root.key and delete and recreate it. #5334
• Fix changing outbound NAT modes and uploading/downloading files on exec.php with non-English languages. #5342, #5343
• Associate intermediate internal CA certificates with the signing CA. #5313

2.2.4 New Features and Changes

Security/Errata Notices

• pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense® WebGUI. The complete list of affected pages and fields is listed in the linked SA.
• FreeBSD-SA-15:13.tcp:
• Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
  – Fixed pw in FreeBSD to address passwd/group corruption.
  – Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
  – Removed the ‘sync’ option from filesystems for new full installs and full upgrades now that the real fix is in place.
  – Removed softupdates and journaling (AKA SU+J) from NanoBSD, they remain on full installs. #4822

  Note: The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other above changes, risk is minimal. The best practice is to replace the affected CF/SD media by a new, faster card as soon as possible. #4814

• Upgraded PHP to 5.5.27 to address CVE-2015-3152. #4832
• Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of MaxAuthTries bypass bug. Note: Sshlockout will lock out offending IP addresses in all past, current and future versions. #4875
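The file-corruption fixes listed above (config.xml written with fsync so it can no longer end up empty after a power loss, and root.key checked at read time and recreated when corrupt) rely on one standard pattern: never overwrite a critical file in place. The Python block below is an added illustration of that pattern and is not pfSense code. It writes to a temporary file in the same directory, fsyncs it, renames it over the target, fsyncs the directory so the rename is durable, and on read validates the file and regenerates it when it is damaged. The XML validator, the `regenerate` callback and the sample config bytes are constructed stand-ins for the example, not pfSense's real config or root.key handling.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Callable, Tuple


def write_durably(path: str, data: bytes) -> None:
    """Replace `path` with `data` so that after a crash or power loss the file
    holds either the complete old content or the complete new content, never
    an empty or truncated one.

    Truncating the target and writing into it directly is how a config file
    ends up empty: the truncate reaches disk, the new bytes do not.  Instead:
      1. write to a temporary file in the same directory (same filesystem, so
         the rename in step 3 is atomic),
      2. fsync the temporary file so its bytes are on disk,
      3. rename it over the target (atomic replacement),
      4. fsync the directory so the rename itself is durable.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        # Leave no half-written temporary file behind.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)


def xml_is_intact(data: bytes) -> bool:
    """Constructed validator: an empty or truncated XML document does not parse."""
    if not data.strip():
        return False
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return False
    return True


def load_or_recreate(path: str, is_intact: Callable[[bytes], bool],
                     regenerate: Callable[[], bytes]) -> Tuple[bytes, bool]:
    """Read `path`; if it is missing or fails `is_intact`, write a fresh copy
    from `regenerate()` durably and report that recreation happened."""
    try:
        with open(path, "rb") as f:
            data = f.read()
        if is_intact(data):
            return data, False
    except FileNotFoundError:
        pass
    fresh = regenerate()
    write_durably(path, fresh)
    return fresh, True


def demo() -> dict:
    """Exercise the helpers in a scratch directory with constructed sample data."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.xml")
        good = b"<pfsense><version>sample</version></pfsense>"
        write_durably(path, good)
        with open(path, "rb") as f:
            round_trip = f.read() == good
        leftovers = [n for n in os.listdir(d) if n.startswith(".tmp-")]
        # Simulate the failure the notes describe: a zero-byte config after a crash.
        with open(path, "wb"):
            pass
        data, recreated = load_or_recreate(path, xml_is_intact, lambda: b"<pfsense/>")
        # A second read finds an intact file and leaves it alone.
        data2, recreated2 = load_or_recreate(path, xml_is_intact, lambda: b"<unused/>")
    return {"round_trip": round_trip, "leftovers": leftovers,
            "recreated": recreated, "data": data,
            "second_recreated": recreated2, "second_data": data2}
```

The directory fsync in step 4 is the part most often forgotten; without it the rename can still be lost on power failure even though the new file's bytes are on disk.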
Certificates

• Changed the built-in certificate manager to specify keyUsage and extendedKeyUsage in certificates. Windows will now correctly function with IKEv2 using certificates from the built-in certificate manager without disabling EKU. #4580

  Note: This change applies only to new certificates, created on 2.2.4 or newer, and the CN of the certificate must match the hostname or IP address to which clients connect.

• Added authorityKeyIdentifier to CRLs generated by the built-in certificate manager. (strongSwan requires it to match.) #4860

IPsec

• Fixed non-GCM AES modes with AES-NI enabled. #4791
• Fixed issues with keyid and some mobile IPsec identifiers. #4811 #4806
• Fixed includes so PHP shell session restartipsec script works.
• Fix dashboard hardware crypto display where AES-NI is enabled. #4809
• Fixed issues with IPsec with certificates/ASN1.DN. #4792 #4794
• Added code to write out CRLs from the built-in certificate manager for use by strongSwan.
• Added option for enabling Strict CRL Checking (strictcrlpolicy in strongSwan config).
• Fixed saving Advanced IPsec options before IPsec is enabled.
• Changed LAN bypass to be from “LAN subnet” to “LAN subnet” rather than from “LAN subnet” to “LAN address” to allow it to work for VIPs on the interface.
• Remove “Auto” key exchange option, and change upgraded configurations to IKEv2. #4873
• Specify rightid for mobile IPsec non-PSK configurations. Add peer ID option “any” for excluding peer identifier checks for mobile IPsec circumstances where peer ID matching is impossible or undesirable.

OpenVPN

• Fixed handling of OpenVPN automatic stop/start when bound to gateway groups using CARP VIPs. #4854

DHCP

• Fixed issues with IPv6 Prefix Delegation caused by an invalid prefix/subnet check added to the ISC DHCP daemon. Reported upstream and patched the checks out in FreeBSD ports. #4829
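The Certificates note above (the CN must match the hostname or IP address the client connects to) and the 2.3 item allowing wildcards in Subject Alternative Names both come down to the identity check a client performs on the certificate it receives. The Python block below is an added example of that check, not pfSense or strongSwan code. It applies the usual RFC 6125 conventions: exact, case-insensitive match on dNSName SANs; a wildcard only as the entire leftmost label, matching exactly one label and requiring at least two fixed labels after it; IP literals matched only against iPAddress SANs; and the CN consulted only when the certificate carries no DNS SANs at all. How a particular client (Windows IKEv2, iOS) applies these rules can differ, so read this as the conservative interpretation rather than any client's documented behaviour.

```python
import ipaddress
from typing import Iterable, Optional


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are label-wise."""
    return name.lower().rstrip(".")


def _wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style wildcard rules: '*' may only be the whole leftmost label,
    it matches exactly one label, and at least two fixed labels must follow.
    '*.example.com' is accepted; '*.com', 'v*.example.com' and '*.*.com' are not."""
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    if any(label == "" or "*" in label for label in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) value, already-normalised hostname on the right."""
    pattern = _normalize(pattern)
    if "*" in pattern:
        return _wildcard_matches(pattern, hostname)
    return pattern == hostname


def hostname_matches(hostname: str,
                     san_dns: Iterable[str] = (),
                     san_ips: Iterable[str] = (),
                     common_name: Optional[str] = None,
                     allow_cn_fallback: bool = True) -> bool:
    """Decide whether a certificate carrying the given identities is valid for
    the name or address the client actually connected to.

    `san_dns` and `san_ips` are the certificate's dNSName and iPAddress SAN
    entries; `common_name` is the subject CN.  All are caller-supplied strings
    in this example rather than values parsed from a real certificate."""
    # An IP literal is compared only against iPAddress SANs: a dNSName or CN
    # that merely looks like an address does not count.
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        return any(target_ip == ipaddress.ip_address(ip) for ip in san_ips)

    target = _normalize(hostname)
    san_dns = list(san_dns)
    if san_dns:
        return any(_dns_name_matches(p, target) for p in san_dns)
    # Legacy fallback: the CN is consulted only when the certificate has no
    # DNS SANs at all, and many modern clients have stopped doing even that.
    if allow_cn_fallback and common_name:
        return _dns_name_matches(common_name, target)
    return False
```

The CN-only path is the one that bites with older certificate templates: once a certificate carries any dNSName SAN, clients ignore the CN entirely, so a CN that matches while the SAN list names something else still fails.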
DNS Resolver

• Changed Unbound to use interface-automatic where interface list is empty so it replies correctly in a default HA configuration. #4807
• Fixed selection of a CARP VIP for outgoing interface. #4852
• Fixed some inconsistencies in text across the GUI in places that specified DNS Forwarder vs. Resolver. #4551

Load Balancer

• Improved handling of port ranges in relayd. #4810
• Fixed references to Load Balancer Virtual Server redirect_mode.

Traffic Shaping

• Fixed adding of VoIP rules from traffic shaper wizard where IP/alias was not specified. #4838
• Fixed default CoDel values.
• Corrected inverted target/interval values for CoDel.

Rules/NAT/Aliases

• Fixed a foreach() error when saving an empty alias.
• Fixed input validation on Alias import page.
• Fixed inconsistencies in descriptions in Alias editing for URL Table aliases.
• Added labels to more default firewall rules.
• Avoid an error loading the rules with a numeric hostname in an alias.

Misc

• Removed unnecessary deletion of rc.conf; added an empty rc.conf with a note.
• Removed a check for a QinQ interface existing when deleting. The check unnecessarily made QinQ un-deletable where the parent interface no longer existed.
• Fixed GratisDNS support.
• Fixed glob for serial devices to match more accurately.
• Fixed a foreach() warning when editing PPP entries.
• Fixed GRE and GIF interface input validation so required fields and descriptions match.
• Changed the behavior of Cancel buttons to be consistent (return to referring page).
• Fixed display of advanced DHCP settings when present.
• Removed old, unused NetUtils.js.
• Retain /usr/bin/fsync from FreeBSD in images.
• Added “netstat -ni” to /status.php output.
• Fixed a typo in upgrade code for Captive Portal.
• Fixed limiter upgrade code to allocate pipe numbers even if no rules are present.
• Fixed upgrade code to remove old CA/Cert config entries that were moved/relocated.

2.2.3 New Features and Changes

Security/Errata Notices

• pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI. The complete list of affected pages and fields is very large and all are listed in the linked SA.
• FreeBSD-SA-15:10.openssl:
• Fixes for filesystem corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
  – Changed new filesystems to use the ‘sync’ option to avoid loss of data.
  – Added upgrade code to activate the ‘sync’ option on the root slice for existing installations.
  – Changed new filesystems to use softupdates and journaling (AKA SU+J).
  – Changed the way fsck is handled at boot time:
    * Followed best practice of using fsck from FreeBSD rc.d/fsck script. (Run preen mode first and later try forcefully fixing issues.)
    * Added as much information during boot on the status of the filesystem as possible.
    * Changed fsck to run with -C flag and always in foreground during boot to prevent issues that might schedule background mode.

  Note: The forcesync patch for #2401 was considered harmful to the filesystem and removed. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD.

Rules/Aliases/NAT

• Fixed a problem with more than 64 IP addresses in the “self” table in pf.
• Fixed issues with FQDNs in aliases causing static entries to be lost. #4296
• Added the tracker ID rule number lookup to dynamic firewall log. #4730
• Fixed alias rename and delete not being propagated to outbound NAT. #4701
• Fixed tracker IDs of policy route negation rules which had been duplicating the tracker ID of the rule they were based upon. This confused the log parser and displayed the negation rule rather than the actual rule. #4651
• Fixed logging of passed IGMP traffic when the rule is not set to log. #4383
• Fixed a situation where a combination of L2TP, overlapping subnets, port forwards and NAT reflection could cause an invalid ruleset. #4772
• Added a GUI field to control the size of the pf fragment limit. #4775
IPsec

• Updated strongSwan to 5.3.2. #4750
• Integrated a patch from https://wiki.strongSwan.org/issues/951 to solve IPsec SA rekey issues on strongSwan+FreeBSD. #4686
• Added patches from FreeBSD PR 200282 to help address IPsec rekey issues.
• Backported FreeBSD r283146 and patch from FreeBSD PR 192774 to address PF_KEY ACQUIRE missing port and protocol information.
• Added reply-to/route-to rules for mobile-ipsec. #4235
• Removed the manual specification of reqid in the IPsec configuration because strongSwan 5.3.0 has fixed issues with its handling, which caused the existing code to misbehave. #4665
• Fixed the display and behavior of the LAN bypass option for IPsec. #4655
• Fixed IPsec LAN bypass toggling every time save is pressed. #4640
• Changed how charon is started and restarted to fix various issues with IPsec configuration reloading. #4268
• Added new modes for IPsec Phase 1 according to RFC 5903 (Elliptic Curve groups). #4260
• Implemented the “make before break” feature available in strongSwan 5.3.0, which is useful for IKEv2. #4626
• Fixed vpn_ipsec_configure so it always performs a filter reload to ensure the ruleset is updated where necessary in every IPsec change scenario. #4631
• Added support for EAP-RADIUS to IKEv2 Mobile Clients. #4614
• Fixed a panic/crash when accessing services on the firewall over mobile IPsec on 32-bit installations (set net.inet.ipsec.directdispatch=0 on i386). #4537
• Fixed an issue with FQDN hosts and PSKs. #4785

OpenVPN

• Added a space to the OpenVPN TLS Verify script to avoid appended parameters appearing the same as existing parameters.
• Fixed get_interface_ip() to return the IP address correctly for gateway groups specifying a VIP, which fixed OpenVPN clients not working with gateway groups specifying VIPs. #4661
• Changed the OpenVPN client settings to allow just one of either the username or password to be specified. #3633
• Fixed OpenVPN servers listening on associated IPv6 addresses.

Captive Portal

• Fixed filterdns to use the proper API for ipfw changes on FreeBSD 10.1+ to correct captive portal allowed hostnames not being loaded into tables at boot time. #4746
• Fixed Captive Portal RADIUS accounting. #4131
• Fixed Captive Portal Idle-Timeout causing a value of 2147483647 for acctsessiontime. #4652
• Fixed disconnection of active voucher users, and corrected disconnection of users especially when triggered via XMLRPC. #4625
Operating System

• Fixed both the kernel and choparp to better handle I/O and prevent issues in the way it handles BPF, which can contribute to a panic when using Proxy ARP VIPs. #4685
• Merged a patch that avoids a panic on sockbuf module. #4689
• Fixed AESNI to be SMP friendly to avoid various decryption errors and possible encryption mistakes. Also present critical_enter/critical_exit to avoid preemption of the currently running thread which should fix panics. #4702
• Updated time zone data from FreeBSD 10.1-RELEASE. #4459
• Fixed creation of /var/spool/lock on NanoBSD at boot time. #4532
• Removed boot_serial=’yes’ from loader.conf when serial is disabled. #4617
• Fixed an issue where mtree would fail during an upgrade from a previous version of FreeBSD when moving to 2.2.x. #4653

Interfaces/NIC Drivers

• Added support for Sierra Wireless MC7354.
• Added support for Intel X552, ixgbe changes from stable/10, and moved altq changes for ixgbe to the large ixgbe patch.
• Enabled ix/ixv/ixl modules in the kernel.
• Fixed duplication of statistics on vlan(4) interfaces for outgoing bytes. #3314
• Fixed updating wireless statistics so that the output bytes are not always zero. #4028
• Added a patch from FreeBSD PR 200722 for mpd5 to prevent it from printing a warning when renaming an interface to an existing name.
• Fixed SLAAC/DHCPv6 handling for cases where the global SLAAC IPv6 address might be present when using DHCPv6. #4483
• Corrected descriptions on Key Rotation and Master Key Regeneration for wireless interfaces.
• Removed the “insert my MAC” feature from interfaces.php.
• Defined $var_path as a global key since it is being used in interfaces.inc, but it was not declared.
• Fixed issues setting the MTU on certain interfaces. #4397

Packages

• Fixed various issues with PBI generation.
• Synchronized and cleaned up various pfPorts, eliminated several that had changes pushed back into FreeBSD ports.
• Fixed an issue where rebuild_package_binaries_pbi.php could fail due to missing build files. #4600
• Backported patches from FreeBSD stable/10 to fix a crash when stopping squid. #4592
• Fixed pfflowd to use the correct version for parsing the new pfsync header and corrected the pfsync version check. #4304
• Updated pkg_edit.php with fixes for usecolspan2 and combinedfields.
• Fixed pagination on pkg.php.
• Fixed boot-time log file initialization for package logs. #4603

DHCP/RA

• Clarified that DNS Forwarder and Resolver both apply in DHCP/DHCPv6 and router advertisements. #3730
• Removed unnecessary filtering on the DHCP static mappings table.
• Added appropriate RA Flags for “Stateless DHCP”.
• Added error checking to avoid warnings about DHCP relay during boot.
• Fixed hostname validation for static DHCP leases such that only fully qualified hostnames must be unique, not only short names.
• Fixed adding DHCP static mappings from the DHCP leases view to non-default pools. #4649
• Stopped invalid DHCP settings from being applied when input errors exist.
• Removed DHCP static lease overlap cleanup and its associated function and killing of the DHCP daemon. This behavior could cause problems with failover scenarios, especially when adding/editing/removing static mappings.

Web GUI

• Fixed language selection. #4705
• Changes to status.php to make it easier to gather and submit support information:
  – Added sanitization of OpenVPN static/tls keys to status.php.
  – Cleaned up, organized, and expanded the info presented by status.php.
  – Changed status.php to additionally save the output to individual text files and compress them into a .tgz for later download.
• Fixed setup wizard LAN DHCP pool calculation to avoid an invalid pool.
• Improved the setup wizard hostname check. #4712
• Fixed some minor text issues in wizards.
• Changed the wizard to use the current WAN gateway name rather than assuming the name. #4713
• Updated and corrected the wireless status flags and capabilities list. There are many more possible flags, now documented at Wireless Status.
• Added a fall back to look up local user privileges and groups if the groups could not be found from LDAP and there is a local user.
• Fixed Crash Reporter submissions when symlinks were present as part of crash report, which would fail to save the report on the server. #4650 • Set a user agent for the Crash Reporter. • Cleaned up code logic in status_upnp.php. 3.3. Older/Unsupported Releases 191
CARP
• Changed CARP so that it does not trigger a carp demotion taskqueue if the value is 0, which can cause the cluster to misbehave.
• Fixed issues for CARP+Bridges where pfSense would crash or freeze. #4607
• Fixed the CARP plugin call for packages. The “interface” parameter was coming through as NULL during CARP events.
• Added INIT event for CARP in devd.conf as an alternate for ‘backup’, otherwise scripts would not take down services during a MASTER->INIT transition (e.g. interface unplug, link loss).
• Fixed NTP so that it properly uses selected CARP IP addresses. #4370
• Fixed CARP packet flow after initial interface creation. #4633

Traffic Shaper/Limiters
• Fixed limiters when used with IPv6. #2526
• Corrected handling of NAT when RDR/BINAT is applied to a packet that is being sent to limiters. #4596

DNS
• Consistently handle clear_subsystem_dirty after an Unbound restart.
• Added a call to clear_subsystem_dirty(‘staticmaps’) when using Unbound, otherwise DHCP static mappings would not fully apply when Unbound was in use. #4678
• Fixed an Unbound warning when “dnsallowoverride” was off and port forwarding was on. #4682
• Re-enabled verification for selfhost DynDNS since their chain issue has been resolved. #4545

Misc
• Updated PHP to 5.5.26
• Fixed various issues in the installer for GEOM mirrors (mirror slice detection, gmirror cleanup on non-clean disks). #4658
• Fixed new user creation to use skel as the source of new user files rather than copying from the home directory of root.
• Changed growl so it will not be called if the configured address isn’t an IP address or resolvable hostname. This avoids a 1 minute timeout delay in fsockopen in growl.class. This change cuts that down to about a 20 second timeout. #4739
• Added a reboot after restoring a full backup in the GUI. #4107
• Deprecated /usr/local/bin/3gstat as it was no longer used. It was replaced by 3gstats.php long ago.
• Started using the “host!” flag when setting CURLOPT_INTERFACE, as recommended by the CURL documentation.
• Started passing the interface to CURLOPT_INTERFACE instead of the IP address, also started using the “if!” flag to avoid CURL trying to resolve the interface name.
• Fixed NTP serial configuration to set up the serial port before attempting to configure a GPS unit.
• Cleaned up various HTML/XHTML issues.
• Fixed a check for deleting a VIP when in use by OpenVPN.
• Fixed issues with backup/restore of a config.xml breaking the serial console on ADI installs. #4720
• Fixed several issues with boot speed when WAN was disconnected. #4442
• Removed some unused/obsolete files.

2.2.2 New Features and Changes

Security/Errata Notices
• pfSense-SA-15_05.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI
• FreeBSD-SA-15:09.ipv6:
• FreeBSD-SA-15:06.openssl:

Rules / NAT
• Added hidden config option to disable blocking of link-local IPv4 (169.254.0.0/16) for the rare instances where it’s required. Not recommended, violates RFC 3927.
• Fixed invalid ruleset generation when using port forwards with destination “any” on a DHCP client WAN-type interface, with pure NAT mode reflection enabled, and with the interface link up but unable to reach a DHCP server for an extended period. #4564
• Allow the use of version IPv4+IPv6 on firewall rules without restrictions on protocol. The former restrictions date back to earlier base software versions, and are no longer applicable.
• Omit route-to from rules specifying a specific gateway when that gateway is forced down. #4566
• Use the subnet address when forming rules for networks, rather than the interface IP address
• Added SCTP to the protocol drop-down for firewall rules

IPsec
• Enforce disabling of “prefer old SAs” option. Having this option enabled will cause connectivity problems after rekeying in many circumstances. Upgrading to 2.2.2 will fix this.
• strongSwan upgraded to 5.3.0
• Don’t apply mobile IPsec phase 2 PFS configuration to non-mobile IPsec. #4538
• Correct applying of uniqueid configuration. #4359
• Bring back automatic exclusion of LAN subnet to LAN IP for scenarios where remote IPsec overlaps with local LAN subnet. #4504
• Enable ike_name for daemon logging, adding connection identifiers to IPsec logs that can be correlated to output of ‘ipsec statusall’ (GUI log viewer integration to come).
DNS Forwarder/Resolver
• Fix DNS registration of hostname “0” #4573
• Domain overrides to multiple server IPs are possible in DNS Resolver. Add message noting this, and how to achieve it. #4350
• Always configure user-specified DNS servers in the Unbound configuration, to make its behavior consistent with dnsmasq
• Only list nameservers once in resolv.conf

Wireless
• Atheros wireless driver updated to latest from FreeBSD 11-CURRENT. Not many changes since 2.2.1-RELEASE. #4582
• Wireless cards removed from ALTQ-capable interfaces (traffic shaper capability) since that isn’t supported at the moment. #4406
• New option “auto” added for Standard. This omits configuring mode with ifconfig, which currently can trigger driver problems that don’t exist when not specified. Standard “auto” is preferred, and possibly required, for BSS and IBSS wireless modes with Atheros cards (at a minimum, potentially others).

IPv6
• Make sure ‘DHCPv6 Prefix Delegation size’ is provided if the ‘Send IPv6 prefix hint’ flag is checked, to avoid generating an invalid dhcp6c configuration file.
• DHCPv6 Relay fixed. #4572
• Allow “0” for id-assoc na ID, id-assoc pd ID, sla-id and sla-len DHCP6 configuration options. #4547
• Fix the use of multiple prefixes in IPv6 router advertisements. #4468

Other
• Clean up logic in OpenVPN resync code. Discussion here and additional change here.
• SSL certificate validation disabled for selfhost - their certificate chain had a problem that made OpenSSL fail verification, making the service non-functional. #4545 The provider fixed the issue after 2.2.2-RELEASE, so verification has been re-enabled for 2.2.3 and newer.
• Fix error in traffic shaping wizard. #4529
• Fix broken image path. #4530
• A variety of minor text clean up in web interface.
• Remove some code no longer used in a few places.
• Clean up of code path when adding a new user. #4620
• Make sure RRD backup is not restored when /var memory disk is not in use. #4531
• Show friendly name of the interface on custom RRD graph drop-down selection
• PHP upgraded to 5.5.23
• Prevent a user from adding a VLAN using the invalid ID “0”
• Cleanup display of times in DHCP leases
• Use the correct field for voucher “expired” and “no access” messages
• Fix traffic shaper wizard bandwidth input validation calculations https://redmine.pfsense.org/issues/4259
• Changed Diagnostics > Sockets to display sockets bound to localhost
• Allow single interface bridges, useful for span ports and when migrating interfaces to a bridge

2.2.1 New Features and Changes

Security/Errata Notices
• pfSense-SA-15_02.igmp: Integer overflow in IGMP protocol (FreeBSD-SA-15:04.igmp)
• pfSense-SA-15_03.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI
• pfSense-SA-15_04.webgui: Arbitrary file deletion vulnerability in the pfSense WebGUI
• FreeBSD-EN-15:01.vt: vt(4) crash with improper ioctl parameters
• FreeBSD-EN-15:02.openssl.asc: Update to include reliability fixes from OpenSSL

Potentially Relevant
The following updates are included from upstream in FreeBSD, but are not directly relevant. Neither pfSense software nor its packages include SCTP services, but such services may have been manually added by the user.
• FreeBSD-SA-15:02.kmem: SCTP SCTP_SS_VALUE kernel memory corruption and disclosure
• FreeBSD-SA-15:03.sctp: SCTP stream reset vulnerability

Not Relevant
• OpenSSL “FREAK” vulnerability:
  – Does not affect the web server configuration on the firewall as it does not have export ciphers enabled.
  – pfSense 2.2 already included OpenSSL 1.0.1k which addressed the client-side vulnerability.
  – If packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.

Known Issues
• Some cases remain where filterdns does not properly handle hostnames in multiple aliases. Most of the cases have been fixed, so the situation is better than 2.2-RELEASE, but it is not 100% resolved. See issue #4296 for details. Placing hostname aliases into a separate alias so they are not mixed with static entries effectively works around the issue.
General
• Updated the default SSL cipher list to be stronger, obsoletes the need for a “BEAST protection” option #4230
• Fixed gen_subnet_max returning an incorrect result on 32 bit (i386) versions, which in turn fixed Wake on LAN and other areas on 32 bit (i386) versions. #4318
• Fixed crash on boot with some hardware, caused by gpioapu on systems where smbios.system.product is null. Mostly seemed to be the recycled Watchguard users affected by this issue. #4363
• Updated ufslabels.sh to handle a wider variety of disk layouts.
• Added a choice of SMTP authentication protocols for notifications, Office365 mail support. #4176
• Removed latin-1 encoding of RSS feed to fix display issues of RSS items.
• Fixed an issue where the GUI setting for PAP or CHAP in L2TP Server was not being respected.
• Fixed changing source tracking value separate from changing the Sticky option.
• Added input validation to force a minimum 100000 byte log file size to prevent undersizing the logs.
• Added more cleanup to the Restart PHP-FPM console menu action.
• Removed PTR records for aliases in host overrides.
• Fixed diag_arp.php to allow underscore in resolved host names.
• Fixed an issue in DHCP settings where the “add routers” value was not being preserved across a loop for each interface.
• Added capability to handle reverse lookup domain overrides.
• Fixed issues with NTP RRD graph state changes.
• Added input validation to require RADIUS protocol and server IP address/host in Captive Portal when RADIUS authentication is selected. #4384
• Fixed swap size calculation in the installer to avoid creating improperly sized partitions in systems with lots of RAM but not much disk space.
• Fixed test for comconsole when matching for enabling serial console. #4464
• Updated pfSense PHP shell help to current configuration structure. #4492
• Fixed switching from a PPP type WAN to “None” or “DHCP”.
• Disabled SNMP hostres module on APU boards due to crashes. #4403
• Removed -U from mtree call used to restore file permissions as it was breaking symlinks on upgrade. #4328
• Added input validation for Wireless configurations to prevent problematic combinations of settings. #4178
• Improved handling of FQDN entries in aliases with filterdns, but not 100% resolved. #4296
• Fixed various typo, style, and formatting issues.
Rules / NAT
• Fixed ordering of DHCPv6 client and bogon rules so the bogon rules can’t block DHCPv6 requests. #3395
• Fixed a bug where applying NAT changes in Hyper-V could break the running NAT configuration. #4445
• Fixed a bug where marking a packet with only a number resulted in a broken rule. #4274
• Fixed DSCP choices that were non-functional and resulted in a broken ruleset. #4302
• Fixed PHP memory exhaustion on NAT pages with VIP ranges on 32 bit (i386) versions. #4317 (Related to #4318)
• Fixed input validation on Outbound NAT to accept a port range. #4300
• Removed Carrier-Grade NAT subnet from “Block private networks”, as it was in 2.0.x and earlier releases, since that option specifically notes RFC 1918 and CGN is more closely related to bogon networks. #4379
• Removed code that set adaptive.start and end to 0; now they are left at their defaults (60% and 120% of the state limit, respectively) if not user-overridden.
• Added configuration options for state timeout values under System>Advanced, Firewall/NAT. #4509

IPsec
• Added MOBIKE control, now disabled by default. #3979
• Fixed page rendering so MOBIKE is only shown with IKEv2 selected, NAT-T only shown with IKEv1 selected.
• Removed Prefer older IPsec SAs option from the GUI, and existing configurations with it enabled will not have that setting applied. #4349
• Added input validation to prevent use of AES key lengths larger than 128-bit when the glxsb cryptographic accelerator is enabled. #4361
• Added an option for an IPsec tunnel to act as a responder only. #4360
• Added a filter reload when IPsec is disabled. #4245
• Fixed RSA cert handling in IPsec to use double quotes on asn1dn specification so it is properly interpreted by strongSwan. #4275
• Added an option to allow controlling unique ID handling in IPsec advanced settings. #4359
• Fixed restartipsec command line script.
• Fixed handling of IPsec with Gateway Groups #4482
• Added a workaround to disable the strongSwan Unity plugin. #4178
• Added error logging when an IPsec Phase 1 cannot be located.
OpenVPN
• Added encoding for username and password to avoid issues with special characters. #4340
• Fixed issues with OpenVPN TLS and authentication scripts. #4329
• Fixed issues with handling of the Authentication Mode if the user changes the value after changing other incompatible settings.

DNS Resolver
• Upgraded to Unbound 1.5.3.
• Added correct scaling of rrset-cache-size in unbound.conf. #4367
• Added support for 0x20 DNS random bit. #4205
• Changed DNS Resolver default values to be a bit more strict: Enable Hide Identity, Hide Version, Harden DNSSEC data.
• Force harden glue configuration option, and remove GUI control of that option. A problem with Unbound pre-1.5.2 means that in 2.2-RELEASE, having this option enabled, and DNSSEC disabled, could lead to DNS cache poisoning. #4402
• Added a check to test if Unbound is enabled and using the same port before allowing dnsmasq to be enabled. #4332
• Removed hard-coded value for harden-referral-path. #4399

Logging
• Fixed GUI log parser handling for IGMP log entries. #4343
• Fixed syslogd issues where the daemon stopped and failed to restart during boot in some cases. #4393

Traffic Shaping
• Fixed input validation errors in the Traffic Shaper wizard due to old data not being cleared. #4333
• Fixed handling of Upstream SIP Server in the Traffic Shaper wizard. #4314, #4427
• Fixed crash when using limiters and pfsync. #4310
• Fixed limiters used with IPv6. #2526

IPv6
• Fixed calculation of the 6rd default gateway honoring netmasks other than /32.
• Fixed recording of the IPv6 interface’s new IP address and do not issue commands that cannot succeed. #3669
• Fixed not being able to save custom and custom-v6 DynDNS entries.
• Added IPv6 IP addresses to /etc/hosts in the same manner IPv4 IP addresses are added. #4395
• Fix computation of the displayed DHCPv6 range start to be consistent with the actual check.
• Added dhcp6.name-servers option with DHCPD-PD regardless of PD length.
• Fixed Net_IPv6::compress() to properly handle the all-zeros address.
• Enabled UnicastOnly in radvd for ovpnX interfaces. #4455
• Removed requesting a prefix delegation when there are no tracking interfaces set up to use it. #4436
• Added code to destroy the stf interface when a 6rd or 6to4 tunnel is disabled. #4471

VIP/CARP
• Added input validation to prevent the VIP “interfaces” from being assigned since they are just an identification of the VIP for tracking and not actual interfaces. #4389
• Fixed functions to properly return the VIP subnet now that the CARP VIP might not match its parent interface subnet. #4390
• Fixed a bug that caused the status icon from a previous CARP VIP to be shown in cases where the IP address was not present on an interface.
• Changed the carp demotion factors slightly to avoid CARP transitions that are most likely unnecessary. (Do not demote on NIC send errors or pfsync errors)
• Expanded the CARP demotion error
• Added button to reset demotion status
• Fixed handling of IP Alias deletion from a secondary node using XMLRPC configuration sync #4446

Misc Binary/OS Changes
• Upgraded PHP to 5.5.22.
• Re-enabled Suhosin in PHP.
• Updated 802.11 code and Atheros wireless driver from FreeBSD 11-CURRENT
• Added patch to fix crash with Ralink wireless cards in access point mode. #4117
• Added athstats, cryptostats and cryptodev back. #4239
• Fixed AESNI module checks when used inside a virtual machine.

2.2 New Features and Changes

Special Notes
Due to CSS and JavaScript changes, forcing the browser to clear its cache or reload the pages after an update is advised. This is especially true if any cosmetic anomalies are observed, such as alignment problems or spurious bits of text in widgets.
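The Net_IPv6::compress() fix in the IPv6 list above concerns the one input where every 16-bit group is zero. The added Python reimplementation of RFC 5952 text compression below (written for this page, not pfSense’s or PEAR’s Net_IPv6 code) shows that edge case alongside the general longest-zero-run rule, so the same function can be used to canonicalize addresses before comparing them in aliases or rules.

```python
"""Added example, not pfSense or PEAR Net_IPv6 code: RFC 5952-style IPv6
text compression with the all-zeros edge case handled explicitly."""

import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand_ipv6(addr: str) -> list[int]:
    """Return the eight 16-bit groups of a textual IPv6 address.

    Accepts already-compressed input ("::", "fe80::1") and full form.
    Embedded IPv4 (::ffff:192.0.2.1) is deliberately not handled.
    Raises ValueError on malformed input.
    """
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:  # '::' must stand for at least one group
            raise ValueError(f"'::' does not elide any group in {addr!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError(f"malformed IPv6 address {addr!r}")
    return [int(g, 16) for g in groups]


def compress_ipv6(addr: str) -> str:
    """Canonical compressed form per RFC 5952 section 4.

    - leading zeros in each group are dropped,
    - the longest run of two or more consecutive zero groups becomes '::'
      (the first such run wins on a tie),
    - a lone zero group is never shortened to '::',
    - the all-zeros address compresses to '::' rather than ':' or ''.
    """
    groups = expand_ipv6(addr)

    # Find the longest run of zero groups; a sentinel closes the last run.
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [None]):
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0

    hexgroups = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexgroups)

    head = ":".join(hexgroups[:best_start])
    tail = ":".join(hexgroups[best_start + best_len:])
    # When the run covers the whole address both sides are empty and the
    # result is exactly '::', which is the case the fix above addresses.
    return f"{head}::{tail}"


if __name__ == "__main__":
    # Constructed sample inputs, including the all-zeros address.
    for sample in ("0:0:0:0:0:0:0:0",
                   "2001:0db8:0000:0000:0000:0000:0000:0001",
                   "fe80:0:0:0:1:0:0:1",
                   "2001:db8:0:1:1:1:1:1"):
        print(f"{sample:42} -> {compress_ipv6(sample)}")
```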
Security Fixes
• Update to openssl 1.0.1k to address FreeBSD SA-15:01
• Multiple XSS vulnerabilities in web interface pfSense-SA-15_01
• OpenVPN update for CVE-2014-8104
• NTP update FreeBSD-SA-14:31.ntp though these circumstances don’t seem to impact pfSense® software.

Default Configuration Changes
• DNS Resolver (unbound) enabled for new installs. #3396
• DNS Forwarder (dnsmasq) disabled for new installs. #3396
• Change default NICs from vr to em – vr is on the way out and em is the most common NIC in use today.
• Default config.xml has been cleaned up. Outdated comments have been removed that used to loosely document the config file, but had been neglected for quite some time and aren’t all that useful anyway.
• Default sysctls have moved out of config.xml and now reside in globals.inc to reduce the size of config.xml
• Default sysctl values do not need to be set in config.xml. The default values are obtained from sysctl now. Also to reduce config.xml size.
• Tracking IDs added to default rules

Security Enhancements
• Verify SSL certificates for HTTPS URLs
• Detect if an unofficial package repository is in use and warn the user. Warning is displayed on the dashboard and package management pages. #484
• Check and verify the package server’s SSL certificate if using HTTPS. #484
• For dyndns providers that support HTTPS, use it when performing updates.
• Replaced lots of GET actions with POST actions in various places in the GUI as they were touched.
• Update jquery to 1.11.1
• Remove almost all calls to history.back() and make the Cancel button go back to HTTP_REFERER
• Hide FreeBSD version from sshd banner. #3840
• Disable SSLv3 in lighttpd
• Disable RC4 ciphers in lighttpd
• Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later. Also use some more sane defaults for the contents of the default self-signed certificate’s fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.
• Add command line script to generate and activate a new GUI certificate (generateguicert)
• Catch some more sensitive information when sanitizing the contents of config.xml output on /status.php.
OS Changes
• Updated base OS to FreeBSD 10.1-RELEASE
• PHP backend switched from FastCGI to PHP-FPM
• PHP moved to 5.5
• Migrate captive portal code to SQLite3 PHP module
• Fix some lingering call-time pass-by-reference instances that fail on PHP 5.5
• Default serial speed is now 115200 #3715
• Sync gettytab and etc/ttys with FreeBSD 10-STABLE and reduce customizations
• Log pfSense version to syslog after bootup
• Set the sysctl net.inet.icmp.reply_from_interface to 1 to use the incoming interface to send ICMP replies. #3666
• Switched the hash method in pf to XXHASH for speed improvements

DNS
• Imported Unbound for use as the default DNS Resolver. The old dnsmasq DNS Forwarder is available as a non-default option. Upgraded systems will retain existing settings.
• Various changes to Unbound and supporting programs to complete its integration.
• Removal of bind from FreeBSD base necessitated the switch to alternate programs for DNS utilities (e.g. drill for dig, different nsupdate)
• AJAX DNS updates for firewall logs (when clicked)
• Make sure that the DNS Forwarder/Resolver is always capable of accepting queries on localhost before using it as a DNS server.
• If localhost is configured to be included in resolv.conf, force its selection in Unbound. The resolv.conf logic prevents that from being a problem, but users don’t seem to realize they have to pick that to use Unbound for the host itself.
• IPv6 support in Unbound
• Check port of dnsmasq/unbound and skip 127.0.0.1 in resolv.conf if not port 53. #4022
• Add a note to the wizard about the DNS Resolver ignoring manual name servers by default. (They are still used as secondary/tertiary servers for the firewall itself, however)
• Domain and search should not both be defined in resolv.conf per FreeBSD man page and handbook (only the latter is actually used). Only search is set now.
CARP
• Changes to CARP for new FreeBSD 10 CARP system
• Provide a way to ‘permanently’ set CARP to ‘maintenance mode’ (advskew 254) persisting through a reboot.
• Key off net.inet.carp.demotion and display a warning to the user if the system has self-demoted its CARP status.
• Allow CARP IP address to be outside interface and alias subnets

Interfaces
• Implement an option to allow using the IPv4 connectivity interface for sending the dhcpv6 information. Usually useful for PPP[oE] type links and some ISPs
• Add gre and gif checks for IPv4 function interface_has_gateway($friendly), like they are already for IPv6
• Do not allow the user to set IPs for GRE interfaces on interface edit page. #3575
• On interfaces_assign.php, let user select network port to add instead of picking the first available #3846
• When changing an existing VIP, use the previously configured interface for checking; this fixes the issue that happens when trying to change a VIP to a new interface. #3807
• Validate the GIF interface MTU (must be something between 1280 and 8192) #3927
• Properly set MTU for lagg(4) interface #3922
• Fix formatting of the Interfaces Widget on the Dashboard. #3937
• Don’t allow interface descriptions that are strictly numbers as that generates an invalid ruleset. #4005
• Disable delete_old_states in dhclient-script. rc.newwanip handles this correctly in 2.2, and this killed states in multiple circumstances where that isn’t necessary nor desirable.
• Do not unset configuration values from PPP config if not needed. #3727
• Overhaul handling of flags for hardware offloading and make it work correctly for system_advanced page settings. Lagg is still a special case that may require a reboot initially to apply. #1047
• Don’t try to launch 3gstats unless it’s on a valid device.
• Updated list of mobile service providers

Gateways/Routing
• Add an option to force a gateway to be down. #2847
• List GWGs in Interface to send DynDNS update from
• Allow reordering, batch delete, and disable of static routes
• Option to disable a gateway added
• Check gateway for IPv6 also for reply-to rules.
• Fix issue where ICMP6 messages sometimes have the wrong source IP address when a monitor IP address has been set #3607
• Improve look of gateways widget
• Provide a toggle for apinger debug messages to be logged to syslog
• Setting an interface IP to 0.0.0.0 with mask 0.0.0.0 overwrites the default route with that interface’s link route. Follow FreeBSD 10.1 and use a /8 mask instead. #3941
• Use static route with -iface option for PPPoE to help when more than one PPPoE connection has the same gateway. #4040
• net.inet6.ip6.rfc6204w3 needs to be 1 for dhcpv6 to work correctly. #3361
• Add a route debug option to log info about route commands executed (where those aren’t already logged) to help with troubleshooting various routing scenarios.
• Make sure srcip and target have scope when link-local addresses are used in apinger. #3969
• Properly generate and use the default gw for 6rd.

Firewall Rules
• Custom logging daemon that provides easy-to-parse output on a single line
• Persistent tracking ID for firewall rules so that logs may always be traced back to their corresponding rules
• Removed settings for maximum tables and maximum table entries since pf on FreeBSD 10 does not have any limits for these.
• Expose all p0f OS types that it supports so that subtypes of various Operating Systems can be detected (e.g. blocking Windows XP)
• The “(self)” concept of “Any IP address on this firewall” is now a choice for firewall rule destination (and floating rule source for out direction rules), port forward destination, and outbound NAT source.
• Can now optionally log default pass rules as well as default block rules
• Add IP alias subnets to interface subnet macro on GUI. #983
• Adjust states summary for new pfctl -ss output. #2121
• Add a more obvious note on group rules about how they do not work as expected for WANs
• Block IPv4 link-local/APIPA 169.254.0.0/16. #2073
  Note: Per RFC 3927, hosts “MUST NOT send the packet to any router for forwarding”, and “any network device receiving such a packet MUST NOT forward it”. FreeBSD won’t route it (route-to can override in some circumstances), so it can’t be in use as a real network anywhere with the possible exception of local-only networks. It is unlikely any such situation exists anywhere.
• Fix JavaScript confirmation dialog for EasyRule.
• Use ‘clog -f /var/log/filter.log’ to view firewall log entries from the console so they are displayed in the new format.
• Set MSS clamping on VPNs in both directions rather than requiring it be set on both ends.
• Add option to kill all states on IP change, currently a hidden option for more testing. #1629
• Kill states associated with the old WAN IP when WAN IP has changed. #1629
NAT
• Hybrid outbound NAT style that allows the user to keep the existing automatic behavior but layer manual rules on top of it.
• Option to disable outbound NAT without disabling pf
• Display networks used in automatic outbound NAT when using that mode
• Allow reordering, batch delete, and disable of 1:1 NAT rules
• Take virtual IPs into consideration for automatic outbound NAT rules #983
• Outbound NAT can apply to any type of interface, make WAN-type specific reference generic

Aliases
• Allow individual line descriptions on alias bulk import
• Implement URL Table aliases for ports
• Optimizations for URL table aliases to use less memory and be more robust in general
• Alias name cannot have more than 31 chars, add maxlength to the field as an extra check. #3827
• Prevent Internal Server Error if an IP range is entered backwards.
• Expand range or subnet entered into a host type alias.
• Warn that IPv6 address ranges are not supported in aliases.
• When an alias contains hosts, add IPs and networks to filterdns too, otherwise the ruleset ends up with a predefined and non-persistent table. #3939

Dashboard & General GUI
• Various fixes for XHTML compliance
• Various fixes for typos
• Add a setting to allow the user to specify the clog file size so more (or less) entries may be kept in the raw logs.
• Add an option for users to be able to adjust how many configuration revisions are kept in the local backup cache.
• Show backup file size in config history.
• Display pfSense interface name on status interfaces
• Dashboard cleanups/fixes for jQuery
• Add “pfsense_ng_fs” full screen/widescreen theme
• GUI redirect works on both IPv4 and IPv6 #3437
• Disk usage section of the System Information widget now shows all UFS, ZFS, and cd9660 filesystems, not just the root (/) slice, and also indicates if they are a RAM disk.
• Add a message about premium content to the setup wizard and add a link in the menu to the signup page.
• Add pages missing from the Status > Traffic Graph privilege that are required for the full page to load
• Fix traffic graph widget default autoscale
• Be more strict on user and group removal to avoid accidentally removing additional users #3856
• Add an option to restart php-fpm from console
• Add .inc file for gmirror status widget to give it a better title and link to the management page.
• Allow the Virtual IP list table to be sorted (cosmetic only)

Translations
• Change default charset on pages to utf-8
• Updates to pt_BR translation
• Added Japanese translation
• Added Turkish translation
• Fixes for gettext

Captive Portal
• Add a way to download CP portal, error and logout html pages. #3339
• Add an option to restore default logout/error/portal custom pages on Captive Portal. #3362
• For more than 100 MAC pass-through entries create pipes in line with the rules file to speed up the process. #3932
• Zone backend changed from text-based (e.g. “cpzone”) to using the zone id (e.g. “2”) for specifying the context.
• ipfw_context has been removed. To list zones, use “ipfw zone list”
• Default lighttpd daemon port for a Captive Portal zone is based on the zone ID. For example, zone ID 2 uses port 8002. There may not be a daemon on port 8000.

IPsec
• IPsec backend changed from racoon to strongSwan
• IKEv2 settings have been enabled in the GUI
• Default IPsec configuration settings for newly created site to site configurations updated to use main mode and AES 256 on both phase 1 and 2.
• IPsec status page and dashboard widget changes to accommodate different output from strongSwan
• Move the IPsec settings from System > Advanced, Misc tab to “Advanced Settings” tab under VPN > IPsec.
• It is now possible to configure L2TP/IPsec
• Add AES-GCM and AES-XCBC to the list of available IPsec algorithms and hashes, respectively. Expand P1 DH groups up to 24.
• Allow hash algorithms to be empty for phase 2 where the encryption is AES-GCM
• Allow reordering IPsec Phase 1 and Phase 2 items, removing multiple P1/P2 items, and toggling the enable/disable status of P1/P2 items #3328
• Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all cases
• Do not accept non-ASCII characters on IPsec PSK #3931
• Fix ping_hosts.sh to not ping IPsec if CARP is in backup.
• Allow accept_unencrypted_mainmode_messages to be enabled for IPsec if needed.
• Check that subnet masks are equal when choosing binat type for IPsec to avoid errors on ruleset. #3198
• Change NAT Traversal options as strongSwan only has two options: force or auto.
• Don’t allow P2 local+remote network combinations that overlap with interface+remote-gateway of the P1. #3812

OpenVPN
• Allow entering OpenVPN client credentials in the GUI
• Add fields for local (push route) and remote (iroute) network definitions in an OpenVPN client-specific override entry.
• Change OpenVPN compression settings to cover the full range of allowed settings on OpenVPN (unset, off, on, adaptive) rather than a simple off/on switch that either doesn’t set the value or enables it with adaptive (OpenVPN’s default).
• Add an Authentication Digest Algorithm drop-down to OpenVPN server/client and to the wizard (SHA1 is the default since that is OpenVPN’s default)
• Add option to specify client management port for OpenVPN client export use
• Ensure e-mail address carries over from the CA screen to the Cert screen in the OpenVPN wizard.
• Allow the user to select “None” for OpenVPN client certificate, so long as they supply an auth user/pass. #3633
• Byte counts on OpenVPN status are now human readable rather than huge unformatted numbers.
• OpenVPN instances have new options: “Disable IPv6”, route-nopull, route-noexec, verb selector
• Use stronger defaults in the OpenVPN wizard.
• Fix ovpn-linkup for tun + topology subnet case setting router as ifconfig_local envvar when route_vpn_gateway and ifconfig_remote are both not defined. #3968

DHCP
• Add code for UEFI booting and DHCP
• Advanced RFC 2136 configuration for DHCPd service
• Add ability to not supply a DHCP gateway to clients
• Allow defining DHCP static mappings using dhcp-client-identifier
• Do not call write_config() when Applying Changes on DHCP settings #3797
Packages

• Package signing to ensure validity/authenticity
• Single package manifest (XML) file rather than one per architecture
• Various improvements to PBI setup/structure from upstream (PC-BSD)
• Added the capability for package hooks in /etc/rc.carpmaster and /etc/rc.carpbackup
• Split package category display into separate tabs for categories, and provide an “All” tab
• Move the fetching of a package’s config file and additional files to separate functions.
• Clarify logs generated by newwanip(v6) when restarting packages; it’s not only IP changes that end up here (by design).
• When reinstalling a package, try to start it after the install completes.

Dynamic DNS

• Added support for DynDNS Provider “City Network”
• Added support for DynDNS Provider “OVH DynHOST”
• Added support for DynDNS Provider “GratisDNS”
• Added support for DynDNS Provider “Euro DNS”
• Added support for DynDNS Provider “CloudFlare”
• Add support for custom IPv6 DDNS.
• Add backend support for HE.net AAAA record updates.
• Add additional options to Custom DynDNS
• Allow hostname to start with ‘@.’ for namecheap #3568
• Do not disable certificate verification in DynDNS. Proper CA certificates are now in place to validate SSL in these cases.
• “+” is a valid character in some dynamic DNS providers’ usernames. #3912

GEOM Mirrors (gmirror)

• New gmirror library to perform various gmirror tasks and get information, using some of the former widget logic to start.
• Added a Diag > GEOM Mirrors page that displays information about existing mirrors and performs various management tasks.
• Also included is a notification setup. Mirror status is polled every 60 seconds, and if any aspect of the mirror changes, notifications are issued that alert in the GUI and by SMTP, etc.
Warning: If a manual gmirror configuration was performed post-install, rather than using the pfSense software installer’s gmirror option before install, there is a chance that the mirror will not function on pfSense software version 2.2 because the manual post-install method did not create a completely proper mirror setup. If the upgraded mirror does not function on 2.2, the following /boot/loader.conf.local entry may be used to work around the integrity check that would otherwise fail:

    kern.geom.part.check_integrity=0

This only bypasses the check; it does not repair the mirror. If one of these configurations is present, the best practice is backing up the configuration and reinstalling using the built-in gmirror option in the pfSense software installer.

Traffic Shaping

• Fix DSCP values and provide a config upgrade to fix values stored in config.xml. #3688
• Remove the ‘multi lan/single wan’ and ‘multi wan/single lan’ traffic shaper wizards; multi lan/wan can be used to replace either of them.
• Only show the correct type of interfaces (LAN/WAN) on traffic shaper wizards #3535
• Shaper wizard will automatically attempt to guess the correct number of WANs and LANs.
• Updated and expanded traffic shaping for games, game consoles, and other applications.
• Allow up to 2900 limiters. This was set to 30. #3213
• Fix logic to find the next available number for limiters and queues. #3998
• Add vmx and hn to the list of ALTQ capable interfaces.
• Remove the “Limiter burst” parameter as it currently doesn’t work with dummynet in pf.

Misc

• Cleaned up various older files/scripts that were no longer being used
• Dropped all support for cvsup. cvs is dead, long live svn and git.
• Optimizations/changes to the XML parsing code
• NTP updates to handle a wider range of GPS devices and more NTP options
• Move to zerocopy_enable for bpf to optimize logging which uses the bpf interface. This should increase general performance since pflog is always enabled.
• Add sshd service to the list (if enabled)
• Add a “status” subcommand to the svc php shell script.
• When using the reset webConfigurator password option on the console, if the authentication server is not Local Database, ask the user if they want to revert back to it. #3341
• Fix interface selections on UPnP to show the customized descriptions entered by the user. While here, add an external interface selection knob. Fixes #3141
• Layer 7 Pattern: EAOrigin.pat
• Layer 7 Pattern: SWF (Flash)
• Remove some old obsolete code that referred to the now-defunct “embedded” platform that was replaced with NanoBSD back in 1.2.x.
• Sometimes fsck requires a second run; teach the rc script to call it more than once when necessary
• Add column for internal port on the UPnP status page
• Make listening on interface rather than IP optional for UPnP
• Use interface name for miniupnpd rather than IPv4 address #3874
• Packet Capture: Host field supports rudimentary boolean logic.
• Packet Capture: Protocol, host, and port now support negation.
• Added interface column to Diagnostics > States
• Change is_port() to only validate a single port, is_portrange() for specific cases. #3857
• Fix guess_interface_from_ip() to account for differences in netstat output. #3853
• Fix Certificate Authority SAN name handling #3347
• Add a basic command line password reset script.
• Use the configured proxy URL/port for downloading the bogon list. Does not use credentials. #3789
• Underscores are valid characters in domains. #3219
• Let the user decide whether to proceed with an upgrade when the sha256 file fails to download. #3576
• Remove the command number shown in the shell prompt.
• Use a better method of finding disks for SMART.
• Process obsolete files in a shell script instead of PHP.
• Do not allow an FQDN in fields that should only accept a hostname.
• Set proxy environment variables on the interactive shell and also in crontab so that they may be used by all scripts. #3789
• Add input checkboxes to remove multiple users and groups
• Make sure an empty group or user is not created when editing
• Update URLs in help.php.
• Change wording at the end of the wizard to remove “donate” since that is no longer an option.
• Put the booting signal in globals.inc since it lets all the other scripts detect that we are booting. Otherwise separate PHP instances will not detect that. rc.bootup clears this flag so all should work correctly
• Force serial console when it was selected by the installer. #4009
• Wait 10 minutes before retrying the bogon fetch on soft failures to avoid being DoSed if something is wrong there (like someone’s system can’t validate the cert)
• Use IPv4 for ntpq if IPv6 is not allowed

HEADS UP for Xen Users

The FreeBSD 10.1 base used by pfSense 2.2 includes PVHVM drivers for Xen in the kernel. This can cause Xen to automatically change the disk and network device names during an upgrade to pfSense 2.2, which the hypervisor should not do but does anyway. The disk change can be worked around by running /usr/local/sbin/ufslabels.sh before the upgrade to convert the fstab to UFS labels rather than disk device names. The NIC device change issue has no workaround. Manual reassignment is required at this time. Note there have been performance issues reported in Xen with this NIC device change.
2.1.5 New Features and Changes

The pfSense® software version 2.1.5 release follows shortly after 2.1.4 and is primarily a security release.

Security Fixes

• pfSense-SA-14_14.openssl
  – See http://www.openssl.org/news/secadv_20140806.txt
  – Updated to OpenSSL 0.9.8zb and 1.0.1i
• pfSense-SA-14_15.webgui
• pfSense-SA-14_16.webgui
• pfSense-SA-14_17.webgui

Other Fixes

• Handle a missing DHCPD config section properly during a configuration upgrade
• Fix a regression that broke CARP+IP alias VIP functionality
• Fix the Pass, Block, Reject and Interface filters in the Firewall Logs Widget #3725
• Use HTTPS for dyndns providers that support it
• Avoid resetting the firewall hostname from a WAN DHCP server #3746
• Add missing qlimit keyword in some shaper rules
• Change the Cancel button to call history.back() when editing firewall aliases to fix issues with IE 11 #3728
• Allow hostnames in bulk import since they are valid entries in a network type alias
• Fix input validation logic on diag_testport.php, escape more shell arguments for good measure
• Escape the individual dnsmasq advanced/custom options
• Encode the detail field of an alias entry before displaying its contents back to the user
• Encode interface/VIP descriptions before displaying them on the NTP daemon settings, and GIF/GRE interfaces
• Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary
• Shorten the wait at “reload” in the startup wizard to 5 seconds from 60
• Do not execute DNS lookups on GET, only pre-fill the Host box so the user can press the button to execute
• Turn alias creation links from DNS lookups into submit buttons for POST
• Remove the javascript alert DNS resolution action from the firewall log view. It was already removed from 2.2, and it’s better not to allow a GET request to perform that action
• Require click-through POST confirmation when restoring or deleting a configuration from the backup history page
• Avoid a “Cannot use string offset as an array” error if the packages section of the config is missing
• Avoid generating an invalid IPsec (racoon) config if the user specified a mobile pool that is too small
• IPsec phase 2 pinghost was not used if the source IP was a virtual IP address #3798
• Move the dhcp6c log to dhcpd.log #3799
• Do not reset source and destination port range values when it’s an associated rule created by a NAT port forward. #3778
• Added filter.so to the list of extensions loaded for filter_var() support.
• The pfSense PHP module was setting the subnet mask of lo0 to /0, which could break some routes and cause other unintended routing side effects.

2.1.4 New Features and Changes

pfSense® software version 2.1.4 follows very shortly after 2.1.3 and is primarily a security release. Refer to the 2.1.1 release notes, 2.1.2 release notes, and 2.1.3 release notes for other recent changes.

Security Fixes

• pfSense-SA-14_07.openssl
  – FreeBSD-SA-14:14.openssl
• pfSense-SA-14_08.webgui
• pfSense-SA-14_09.webgui
• pfSense-SA-14_10.webgui
• pfSense-SA-14_11.webgui
• pfSense-SA-14_12.webgui
• pfSense-SA-14_13.packages

Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Other Fixes

• Patch for the Captive Portal pipeno leaking issue which leads to ‘Maximum login reached’ on the Captive Portal. #3062
• Remove text not relevant to Allowed IPs on the Captive Portal. #3594
• Remove units from burst as it is always specified in bytes. (Per ipfw(8)).
• Add column for internal port on the UPnP status page.
• Make listening on interface rather than IP optional for UPnP.
• Fix highlighting of selected rules. #3646
• Add guiconfig to widgets not including it. #3498
• /etc/version_kernel and /etc/version_base no longer exist; use php_uname to get the version for the XMLRPC check instead.
• Fix variable typo. #3669
• Delete all IP Aliases when an interface is disabled. #3650
• Properly handle RRD archive rename during upgrade and squelch errors if it fails.
• Convert protocol ssl:// to https:// when creating HTTP headers for XMLRPC.
• Show disabled interfaces when they were already part of an interface group. This avoids showing a random interface instead and letting the user add it by mistake. #3680
• The client-config-dir directive for OpenVPN is also useful when using OpenVPN’s internal DHCP while bridging, so add it in that case also.
• Use curl instead of fetch to download update files. #3691
• Escape variable before passing to shell from stop_service().
• Add some protection to parameters that come through _GET in service management.
• Escape argument on call to is_process_running, also remove some unnecessary mwexec() calls.
• Do not allow interface group name to be bigger than 15 chars. #3208
• Be more precise when matching members of a bridge interface; it should fix #3637
• Do not expire already disabled users; it fixes #3644
• Validate starttime and stoptime format on firewall_schedule_edit.php
• Be more careful with the host parameter on diag_dns.php and make sure it’s escaped when calling shell functions
• Escape parameters passed to shell_exec() in diag_smart.php and elsewhere
• Make sure variables are escaped/sanitized on status_rrd_graph_img.php
• Replace exec calls to run rm by unlink_if_exists() on status_rrd_graph_img.php
• Replace all `hostname` calls by php_uname(‘n’) on status_rrd_graph_img.php
• Replace all `date` calls by strftime() on status_rrd_graph_img.php
• Add $_gb to collect possible garbage from exec return on status_rrd_graph_img.php
• Avoid directory traversal in pkg_edit.php when reading package xml files; also check if the file exists before trying to read it
• Remove id=0 from miniupnpd menu and shortcut
• Remove . and / from pkg name to avoid directory traversal in pkg_mgr_install.php
• Fix core dump on viewing invalid package log
• Avoid directory traversal on system_firmware_restorefullbackup.php
• Re-generate session ID on a successful login to avoid session fixation
• Protect rssfeed parameters with htmlspecialchars() in rss.widget.php
• Protect servicestatusfilter parameter with htmlspecialchars() in services_status.widget.php
• Always set the httponly attribute on cookies
• Set ‘Disable webConfigurator login autocomplete’ as on by default for new installs
• Simplify logic, add some protection to user input parameters on log.widget.php
• Make sure single quotes are encoded and avoid javascript injection on exec.php
• Add missing NAT protocols on firewall_nat_edit.php
• Remove extra data after space in DSCP and fix pf rule syntax. #3688
• Only include a scheduled rule if it is strictly before the end time. #3558
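Two of the 2.1.4 webGUI fixes listed above, directory traversal through a package name and session fixation on login, are worth seeing as code. The following is an added example written for this page, not pfSense’s own code: the directory, the package-name policy, the function names and the assumption that session_start() has already run and that PHP 7.3 or later is in use are all mine. It shows the unsafe path construction beside a hardened version, and a login routine that regenerates the session ID and sets an HttpOnly cookie.

```php
<?php
// Added example (not pfSense code): webGUI hardening patterns from the
// 2.1.4 notes. PKG_XML_DIR, the name policy and function names are assumed.

declare(strict_types=1);

const PKG_XML_DIR = '/usr/local/pkg';   // assumed location of package XML files

// BEFORE: a package name taken straight from the query string is spliced into
// a path. "../../../etc/passwd" walks out of PKG_XML_DIR.
function pkg_xml_path_unsafe(string $pkg): string
{
    return PKG_XML_DIR . '/' . $pkg . '.xml';
}

// AFTER: allow-list the name (no '.' or '/' at all), confirm the file exists,
// then confirm the resolved path still sits inside PKG_XML_DIR.
function pkg_xml_path(string $pkg): ?string
{
    // Only the characters a package name legitimately needs (assumed policy).
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $pkg) !== 1) {
        return null;
    }
    $candidate = PKG_XML_DIR . '/' . $pkg . '.xml';
    if (!is_file($candidate)) {          // check existence before trying to read
        return null;
    }
    // realpath() resolves symlinks and "..", so a link planted inside the
    // directory cannot redirect the read elsewhere.
    $base = realpath(PKG_XML_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Session fixation: an attacker who plants a known session cookie in the
// victim's browser before login would otherwise own the authenticated
// session. Issue a fresh ID once credentials are verified, and keep the
// cookie out of reach of script.
function webgui_login_success(string $username): void
{
    session_regenerate_id(true);          // new ID; old session data deleted
    $_SESSION['Logged_In']   = true;
    $_SESSION['Username']    = $username;
    $_SESSION['last_access'] = time();

    setcookie(session_name(), session_id(), [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,               // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}
```

With a request such as `pkg=../../../etc/passwd`, pkg_xml_path_unsafe() returns `/usr/local/pkg/../../../etc/passwd.xml`, while pkg_xml_path() returns null at the allow-list check before any filesystem call is made. The realpath() containment test is the belt to the regex’s braces: it still holds if the allow-list is later loosened.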
2.1.3 New Features and Changes

pfSense® software version 2.1.3 follows very shortly after 2.1.2 and is primarily a security release. Refer to the 2.1.1 release notes for changes from 2.1 to 2.1.1 and the 2.1.2 release notes for changes from 2.1.1 to 2.1.2.

Security Fixes

• pfSense-SA-14_05.tcp
  – FreeBSD-SA-14:08.tcp
• pfSense-SA-14_06.openssl
  – FreeBSD-SA-14:09.openssl

Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Although these security issues warrant updating as soon as possible, they are of relatively minor impact to the average user. According to the FreeBSD SA, the TCP flaw is mitigated by scrub in pf, which is enabled by default in pfSense (systems where scrub has been disabled under System > Advanced do not get that mitigation). The affected OpenSSL feature is not used by any daemons in the pfSense base system; only certain packages make use of it, so the impact there is also minimal.

Other Fixes

• Various fixes to accommodate recent changes/optimizations in the tools repository
• Move the clog binary to its proper place in /usr/local/ to respect hier(7)
• Fix remove button on Diagnostics > Tables #3627
• Fix more potential places for interface looping in OpenVPN and with normal interfaces
• Fixes for URL table alias updates (locking, reload)
• Fix IPsec Phase 1 duplication
• Fix ‘add rule on top of the list’ allowing the after param to be -1
• Correct Captive Portal redirection URL to unbreak ones passed through RADIUS attributes and respect user choices.
• Make miniupnpd listen on interface instead of IP
• Don’t refuse to delete a bridge in the GUI just because its bridge interface doesn’t exist; just log that it doesn’t exist, don’t attempt to ifconfig destroy it, and delete it from the config
• Fixes for DynDNS to allow a configurable check host.
• Resolver has no option for remote syslog; remove the wrong copy/paste that was adding it when apinger was enabled
• Fix typo for GIF tunnels to work over IPv6
• Fix for dhcrelay target using default GW
• List Gateway Groups in “Interface to send update from” for custom DynDNS entries
2.1.2 New Features and Changes

pfSense® software version 2.1.2 follows very shortly after 2.1.1 and is primarily a security release. Refer to the 2.1.1 release notes for changes from 2.1 to 2.1.1.

Security Fixes

The Heartbleed OpenSSL bug and another OpenSSL bug were both covered by the following security announcements:

• pfSense-SA-14_04.openssl
  – FreeBSD-SA-14:06.openssl
  – CVE-2014-0160 (Heartbleed)
  – CVE-2014-0076 (ECDSA Flaw)

Note: CVE-2014-0160 lets a remote peer read process memory, which can include private keys and session data. A firewall whose webGUI or OpenVPN server was reachable while running a vulnerable OpenSSL should have those certificates and keys regenerated after updating, not only the binaries replaced.

Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Other Fixes

• On packages that use row_helper, when the user clicks an add or delete button the page scrolls to the top. #3569
• Correct typo in function name in Captive Portal bandwidth allocation
• Make extra sure that the firewall does not start multiple instances of dhcpleases if, for example, the PID is stale/invalid and there is still a running instance.
• Fix CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591

2.1.1 New Features and Changes

Security Fixes

• FreeBSD-SA-14:01.bsnmpd / CVE-2014-1452
• FreeBSD-SA-14:02.ntpd / CVE-2013-5211
• FreeBSD-SA-14:03.openssl / CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
• Use HTTPS to get updates. #2952
• Escape necessary chars to avoid XSS injection. #2952
• Add escapeshellarg() calls on more exec parameters.
• Replace some exec() calls by PHP functions like symlink, copy, unlink, etc.
• Use HTTPS for pfsense.org URLs.
• Protect output to browser by using htmlspecialchars. #3461
• Improve checks for params ‘id’, ‘dup’ and other similar ones to make sure they are numeric integers; also, pass them through htmlspecialchars before printing.
• Remove special characters that can lead to shell/XSS compromises from submitted input when installing packages. #3461
• Ask for validation when a real package operation will be done, and require the operation to be submitted with POST to get protection from CSRF. #3460
• Use HTTPS for fetching packages.

Interfaces

• Updated em/igb/ixgb/ixgbe drivers that add support for i210 and i354 NICs and fix issues with ix(4) cards.
• Prevent assigned VLANs from having their tag changed.
• Fix ifconfig error on gif in certain cases.
• If rc.newwanip is run on an interface that should not have an IP address, do not take any action. This could lead to certain interfaces bouncing link if they had no IP address.
• In rc.newwanip, if the interface is configured and not enabled, bail. The firewall does not need to change settings for disabled interfaces. #3313
• Skip processing in rc.newwanip if the interface has no IP address.
• Fix pkg_edit.php to show interface description instead of interface name
• Make sure VLAN interfaces exist when they are configured #3270
• Limit CIDR choices for IPv4 on GRE interface. #3277
• Do not destroy an interface when it’s being disabled #3350
• Prevent the network or broadcast address from being set on an interface (console, GUI and wizard). #3196
• Reduce unnecessary operations and other fixes to MTU code. This fixes slow boot times and proper handling of MTU for VLANs.
• Provide a dynamic gateway for GIF and GRE v6 tunnels so it can be used in firewall rules etc. #3484
• Bring up the appropriate interface for GRE/GIF. #3281
• Prevent removing the IP from the underlying GRE interface in the OS when assigning a GRE interface and configuring an IP address. #3280
• When an interface goes down, try to shut down the RAs and dhcpd6 service on that interface. #2627
• Sync up ALTQ-capable interfaces list
• Trigger rc.newwanipv6 from pppoe when it gets an inet6 configuration
• Update list of mobile service providers.
• Correct check to enable ieee8021x.
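The 2.1.1 security list above describes a second family of webGUI fixes: escapeshellarg() on parameters that reach exec(), strict integer checks on ‘id’ and ‘dup’, and htmlspecialchars() on anything echoed back (the 2.1.4 notes apply the same treatment to the host parameter of diag_dns.php). The following is an added example written for this page, not pfSense’s own code; the lookup command, the host-name pattern and the function names are assumptions. It places the injectable command beside the escaped one and shows why is_numeric() is the wrong test for an integer parameter.

```php
<?php
// Added example (not pfSense code): input-handling rules behind the 2.1.1
// and 2.1.4 webGUI fixes. The /usr/bin/host command, the host-name policy
// and all function names are assumptions made for this illustration.

declare(strict_types=1);

// BEFORE: a host name from the form is interpolated into a shell command.
// A value such as "example.com; id" runs a second command as the webGUI user.
function dns_lookup_unsafe(string $host): string
{
    return (string) shell_exec("/usr/bin/host {$host}");
}

// AFTER: validate the shape of a host name first, then quote it.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// ones, so the shell never sees metacharacters as syntax.
function dns_lookup(string $host): ?string
{
    if (!is_hostname_like($host)) {
        return null;
    }
    return (string) shell_exec('/usr/bin/host ' . escapeshellarg($host));
}

// RFC 1123-style labels: alphanumerics and '-', no label starting or ending
// with '-', each label at most 63 octets, whole name at most 253.
function is_hostname_like(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
}

// "Make sure they are numeric integers": is_numeric() accepts "1e3" and
// " 7" (and hex strings on PHP 5), so the id can only be trusted after a
// digits-only match; cast only once that check succeeds.
function numeric_param(array $request, string $key): ?int
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    if (preg_match('/^\d{1,9}$/', $request[$key]) !== 1) {
        return null;
    }
    return (int) $request[$key];
}

// Anything echoed back to the browser, including a parameter that failed
// validation, goes through htmlspecialchars() so a crafted value cannot
// inject markup or script into the page.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

For the input `example.com; id`, dns_lookup() returns null before any command runs, because is_hostname_like() rejects the space and semicolon; even if that check were dropped, escapeshellarg() would turn the value into a single quoted argument to host rather than a second command. numeric_param(['id' => '1e3'], 'id') returns null although is_numeric('1e3') is true.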
Gateways/Routing

• Respect the default gateway option when adding a gateway from the interfaces page. #3230
• Use a more accurate error message when attempting to add/edit a gateway that does not have an appropriate IP address for the type. #3282
• Make return_gateways_array() return all disabled gateways when $disabled is true. #3291
• Don’t flush the interface cache on each call of the function when looping through all gateways.
• Fix an issue that changes the wrong gateway entry when items are hidden
• Delete the static route when a monitor IP is removed; also save the monitor IP even when it’s disabled
• Return the Gateway Group IP protocol version even when no gateway IP can be located.
• Remove the broken ‘dynamic6’ gateway; we already have ipprotocol to tell us the IP version, so keep it simpler using only ‘dynamic’

NAT/Firewall Rules/Aliases

• Reload filter rules when activating or deactivating dhcpdv6 #3218
• Make sure no extra spaces end up in the parsed IP in the filter logs as it can lead to issues in other places (Easy Rule, etc)
• Use (self) rather than any as the destination for the lockout rules
• Use (self) instead of any for web lockout
• Avoid pf table name conflicts. #3268
• Fix display of the full URL in the URL table listing as seen in an Alias popup. #3242
• Make it more explicit that the ‘update freq.’ unit for URL table aliases is days
• Fix situation where removing an alias entry and then adding a new one resulted in an entry box with broken formatting. #3283
• Make sure pf rule labels never have more than 63 chars. #3208
• Rewrite the display_host_results() function to use spaces instead of tabs. It does a much better job of aligning the fields in each column and works in all browsers, particularly Chrome, which doesn’t support the tab character.
• Handle a comma-separated list of remote networks when making the vpn_networks table
• Fix rules that pass out traffic for Proxy ARP VIP entries which had an incorrect destination #3331
• Load only the options rather than clearing the whole ruleset.
• Validate IP address ranges correctly on Alias Bulk Import
• Fix display of CIDR/Update Freq in Alias Edit
• In the filter log, the protocol might also say “icmpv6”, so account for that when making a rule using Easy Rule.
• Move ‘allow dhcpv6 client’ rules above the block bogonsv6 ones. #3395
• Only add dhcpv6 client allow rules if ipv6allow is set
• Add all advanced options to rule table hover text.
• Open up the Firewall Rules Advanced Options section if any values have been set.
• Validate rule Advanced Options numeric entries properly
• Disable default allow incoming rules for 6to4 and 6rd interfaces. This rule unintentionally allowed all services on the interface.
• Skip OpenVPN interfaces when creating the first set of manual rules to be consistent with the behavior of Automatic Outbound NAT. #3528
• Try to restore the last working ruleset rather than staying without any configuration at all if an invalid ruleset is encountered.
• Fix days and weeks selection on schedules
• Prevent putting a subnet in the IPv6 address field since it breaks the filter generation process.
• Put a timeout of 30 seconds on the bogon update download. #3412
• Before downloading a file to process a urltable, there is a random wait time between 5 and 60 seconds. Because of this, the difference between the file mtime and the current time can be less than $freq * 86400 and the file will be skipped. Add 90 seconds (60 of max random wait + 30 to be sure) to avoid skipping a file that should be updated. #3469
• Validate that src OR dst has an IP address set when the protocol is IPv4+v6. #3499
• Improve data validation to avoid saving a host/subnet or an IPv4 address with an invalid mask. The reported error is in javascript and only happens on IE8, but this fix will prevent the same issue happening in the future on a different browser. #3449

Traffic Shaping

• Fixed typo in CoDel wiki link
• Fix codel not being applied on non-priq queue types
• Fix saving and range checking of ‘Packet loss rate’ and ‘Bucket Size’ in limiters.
• Add previously missing DSCP VA.
• Clarify note on limiter queue weight to state that higher values get a larger share.

Dashboard & General GUI

• Convert MAC address to lowercase when saving to avoid duplicates. It fixes #3195
• Include the CP zone in the form parameters if one is defined. Fixes access to the concurrent graph on zones other than the first/default.
• Miscellaneous HTML cleanup
• Fix interface names shown in the traffic graphs widget. #3245
• Send the help links to HTTPS destinations on web servers that support HTTPS.
• Specify favicon in pages directly
• Add some missing privileges to the list. #3279
• Many fixes on privileges. #3216
• Allow setting a default scale type preference for the traffic graphs widget
• Account for a widget being null/not defined, and not just closed/open, when deciding if a widget function should be called. This allows the system information dashboard widgets to update properly.
• Avoid dashboard divide by zero errors
• Detect Zones and Cores for thermal sensors using regex. #3337
• Do not sort users when adding privileges. It’s unnecessary and led to unintentional edits to the wrong account.
• Add specific privilege for easyrule.
• Return all stats when all or remote is selected on Traffic Graph and make the default query return “Local” traffic.
• Update year, links for 2.1.1.
Captive Portal

• Fix CP stats generation for concurrent users. #3225
• Remove redundant copies of getNasIP() #3234
• Set default captive portal RADIUS authentication value to radius_protocol during upgrade #3226
• Add Captive Portal Zones privileges definition. #3216
• Prevent a possible division by zero in Captive Portal. #3212
• Fix saving of voucher sync settings
• Reduce the total minutes by the remote minutes used; do not use the value directly. Otherwise the voucher will be cut short or listed invalid when it otherwise should have time left over.
• Make sure to give the Captive Portal zone a name during the upgrade, or else it comes through with a blank/null name.
• Properly set zone dedicated rules in the rules/pipes DBs so they are properly released when a zone is deactivated
• Don’t generate rules for disabled captive portal instances
• Do some more error checking and only include secondary RADIUS attributes if configured on a Captive Portal instance.
• If set, use the default bandwidth setting on the Captive Portal even for MAC passthrough.
• Fix various problems with Captive Portal voucher synchronization introduced during conversion to zones.
• Properly compile the Captive Portal database query to insert the values.
• Fix deletion of IPFW rules and pipes for passthru MAC. #3538
• Use the 11th column for the RADIUS context rather than overriding the interim interval field with it. #3447
• Use descr as the field name for voucher description so it gets CDATA protection. #3441
• Consider the noconcurrent login setting for passthrough expiration of users. #3340
• Use the default bandwidth specification if configured, even for allowed IP address and hostname.
• Properly detect when there are issues communicating with syncip and use the local DB in that case. Otherwise, if the remote says the voucher is not valid, report it as not valid.
VPN

• Fix find_service_by_openvpn_vpnid() on OpenVPN Status
• Allow special characters to be used in the IPsec mobile login banner. #3247
• Fix cisco-avpair processing for IPsec and OpenVPN, and route processing from avpair replies.
• Fix logic in detecting if an OpenVPN resync is needed
• Fix vpn_pppoe_get_id and stop duplicating pppoeid for multiple servers. #2286
• Use the env var provided by openvpn to determine if it’s tun or tap. #3475
• Add an option to verify the IPsec peers_identifier when it’s an ASN.1 distinguished name. #2904
Certificates

• Certificate Manager: for ‘Create an internal Certificate’ use the correct ‘Digest Algorithm’
• OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes.
• Perform a much more accurate comparison between two certificates to determine if they are identical when checking their revocation status. #3237
• Allow an “empty” CRL to be exported, since this is still a valid action.
• Fixes for “Alternative Names” on certificates.
• Fix issue with CSR generation. #2820
• Increase the default OpenSSL key size to 2048 bits.

DHCP

• Optimize DHCPv4 lease display online status for static leases. Do not re-parse the complete ARP table for each lease, as it can be slow with large ARP tables.
• Add upgrade code to change the DHCP next-server value to nextserver since it was renamed sometime in 2.1 but the upgrade code didn’t follow.
• Give clients the IPv6 address of the DNS server via the DHCPv6 Server
• Check if DHCP start and end addresses are inside the interface subnet. #3196
• Remove the ‘deny unknown clients’ option from DHCPv6 since it’s not supported. #3364
• Fix DHCP lease time display; strftime already converts it to the local timezone, so there is no need to calculate an offset
• Use the correct parameter (bootfile-url) to configure netboot on DHCPdv6. #3421
• Only use IPv4 DNS servers in IPv4 DHCP configuration. #3483
• Fix PHP error when saving DHCP settings if no manually configured DNS servers exist.
• Send a HUP to dhcp6 to signal a reload. #3514

Load Balancing

• Prevent a Fall Back Pool from being selected when the DNS protocol is in use. If one is present in the config, ignore it. #3300
• Fix display of pools in the LB status widget and on the LB Virtual Server status.
Time

• Allow multiple valid time servers to be entered in the wizard, as they are allowed under System > General
• Update time zone data to 2013i
• Teach system_timezone_configure() to deal with symlinks to avoid having the timezone misconfigured. #3293
• Add ‘limited’ to the ntpd restrict list to work around FreeBSD-SA-14:02.ntpd/CVE-2013-5211 (the monlist amplification flaw). #3384
• Use “disable monitor” in the NTP config to mitigate FreeBSD-SA-14:02.ntpd/CVE-2013-5211.
  • 223. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC • Update ntp to ntp-devel for FreeBSD-SA-14:02.ntpd/CVE-2013-5211. • Avoid placing an empty “interface listen” directive in ntpd.conf. Misc • Fix ALIX upgrade crash during RRD processing • Fix “Could not open shared memory for read 1000” issue on Diagnostics > NanoBSD. #3235 • Fix ufslabels.sh logic to avoid trying to convert slices which are already using appropriate labels. Fixes #3207 • Fix removal of the first cron job entry in the list. • Remove unused newsyslog cron job from the default configuration and on upgrade. • Split SSL/TLS into separate checkboxes so that plaintext connections can be made secured by using STARTTLS. Support for SMTPS connections should probably be done away with in future. #3180 • Add source address selection to syslog settings, so it can work more effectively over a VPN. #355 • Rework the usage of the shell i/o during stop_packages(), fixes the “Syntax error: bad fd number” for the remaining people who still saw it on shutdown • Switch to rw mode before file operations on RFC2136 cache. Fixes #3201 • Make the RADIUS settings respect the description of the timeout field. If the timeout value is left blank, use 5 seconds, don’t print an error. • Call conf_mount_rw before deleting a user. #3294 • Handle the reinstallall case with confirmation. #3548 • Do not list the same CARP ip as an option for its own Interface. • Accept adding an IP Aliases on top of CARP VIP when the parent interface does have a valid IP address in the alias subnet. • Simplify log filtering logic calling grep less times, as done on mail_reports.inc on 2c6efc9. • Fix console recent config restore, allow restoration of the last backup listed. #3438 • Enhanced validation of general DNS servers and gateways • Add a mechanism by which the serial port can be forced on always regardless of the config setting. 
(useful for nano+vga setups) • Add a knob to let the user select which console (video or serial) is preferred in cases where there are multiple consoles present. • Skip input validation when choosing an existing certificate in the User Manager. #3505 • pfSense_interface_deladdress() only knows how to delete an ip address, not a subnet. #3513 • Make is_linklocal case-insensitive. #3433 • Errors in RRD graph calculations • Delete /var/crash content when the user clicks ‘No’. #3486 • Make sure filesystem is read-write when operating on groups. #3492 • Fix OpenVPN XML section name for selective configuration backup. • Remove TRIM_set and TRIM_unset support. This method isn’t very elegant and isn’t necessary in the long run. It’s better handled during the install process or while booted off other media (e.g. CD or Memstick). 3.3. Older/Unsupported Releases 220
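The two ntpd items in the Time section above (adding 'limited' to the restrict line and "disable monitor") are the standard mitigation for the mode-7 monlist amplification problem covered by FreeBSD-SA-14:02.ntpd/CVE-2013-5211: a 234-byte spoofed request could draw a reply of several kilobytes aimed at the victim. The ntp.conf fragment below is added here as an illustration of that hardening; it is not the configuration pfSense generates, and the server names are placeholders.

```conf
# Before: the default restrict line leaves mode-6/7 queries, including
# "monlist", open to anyone who can reach UDP/123 (CVE-2013-5211).
#restrict default nomodify notrap

# After: refuse status/control queries from everyone (noquery), rate-limit
# whatever is left (limited; kod tells compliant clients to back off), and
# stop keeping the monitor list that monlist would have returned.
disable monitor
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers: placeholders, replace with the servers configured under
# System > General.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

To confirm the fix from another host, run `ntpdc -n -c monlist <firewall-ip>`; with `disable monitor` and `noquery` in place the request should time out instead of returning a list of recent clients.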
2.1.0 New Features and Changes
Security Fixes
Three FreeBSD security advisories are applicable to prior pfSense® software releases. These aren't remotely exploitable in and of themselves, but anyone who can execute arbitrary code on the firewall could use one or more of these to escalate privileges.
• FreeBSD-SA-13:13.nullfs
• FreeBSD-SA-13:12.ifioctl.asc
• FreeBSD-SA-13:09.ip_multicast.asc
IPv6 Support
IPv6 has been added to many areas of the GUI. At least the following areas/features are IPv6-enabled; others may work as well.
• Aliases (Firewall) - Aliases can contain both IPv4 and IPv6; only addresses relevant to a given rule will be used
• CARP RA
• CARP Failover
• DHCP Server w/Prefix Delegation
• SLAAC WAN
• 6to4 WAN
• 6to4 WAN w/Prefix Delegation
• 6rd WAN
• 6rd WAN w/Prefix Delegation
• DHCP6 WAN
• DHCP6 WAN w/Prefix Delegation
• DHCPv6 Relay
• DNS Forwarder
• Firewall Rules
• Gateway Groups/Multi-WAN - See Configuring Multi-WAN for IPv6
• Gateway Status (apinger)
• GIF Tunnels
• GRE Tunnels
• GUI Access
• IPsec
• L2TP
• NPt
• NTP
• OpenVPN
• Packet Capture
• PPPoE WAN
• Router Advertisements
• Routing
• Server LB
• Static IP
• Syslog (remote)
• Limiters (dummynet pipes)
• Virtual IPs - IP Alias
• Virtual IPs - CARP
• DNS from RA
• Accept RA when forwarding
• Auth via RADIUS
• Auth via LDAP
• XMLRPC Sync
• RRD Graphs
• DHCP Static Mapping - Works by DUID
• DynDNS (HE.net hosted DNS, RFC2136, custom)
• MAC OUI database lookup support for NDP and DHCPv6 (was already present for DHCP leases and the ARP table); requires the nmap package to be installed to activate
Note: Unlike earlier snapshots, BETA, etc., the upgrade currently does NOT flip the "Allow IPv6" checkbox on upgrade, to preserve existing behavior. To activate IPv6 traffic, a user will have to flip this setting manually.
Packages
• PBI (push button installer) package support - all of a package's files and dependencies are kept in an isolated location so packages cannot interfere with one another in the way that was possible on 2.0.x and before using tbz packages
• RIP (routed) moved to a package
• OLSRD moved to a package
• Unbound moved back to a package (will try integration again for 2.2)
• Increase the verbosity of the package reinstallation process in the system logs for a post-firmware-update package reinstallation operation
OS/Binary/Supporting Program Updates
• Based on FreeBSD 8.3
• Updated Atheros drivers
• OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc
• PHP to 5.3.x
• OpenVPN to 2.3.x
• Added mps kernel module
• Added ahci kernel module
• Updated ixgbe driver
• Many other supporting packages have been updated
Dashboard & General GUI
• Switch from Prototype to jQuery
• Improved navigation and service status in the GUI (shortcut icons in each section to quickly access config, logs, status, control services, etc)
• Multiple language support; a mostly-complete translation for Brazilian Portuguese is included
• Read-only privilege to create a user that cannot modify config.xml
• Dashboard update check can be disabled
• Fixed theme inconsistencies between the login form and other parts of the GUI
• Various fixes to pages to reduce potential exposure to certain CSRF/XSS vectors
• Updated CSRF Magic
• Set CSRF Magic token timeout to be the same as the login expiration
• Added IE Mobile for WP8 to the list of browsers that get an alternate theme at login
• Truncate service status so long package descriptions cannot break formatting of the status table
• Many fixes to HTML/XHTML to improve rendering and validation
• Added a note to the setup wizard letting the user know that it can be canceled at any time by clicking the logo image
• Make dashboard update check respect nanobsd-vga #3078
• Firewall Logs Widget filtering and column changes
• Added totals for some dashboard widget meters (memory, swap, disk usage)
• Changed dashboard display for states and mbufs to be meters, and to show usage as a percentage
• Update dashboard mbuf count via AJAX
• Show a count and layout of CPUs in the dashboard if multiple CPUs are detected
Captive Portal
• Multi-instance Captive Portal
• Multiple Captive Portal RADIUS authentication sources (e.g. one for users, one for cards)
• Logic fixes for voucher encryption
• Many optimizations to Captive Portal processing, including a database backend and moving functions to a PHP module to improve speed
• Optional Captive Portal user privilege
• Add checks to make sure the CP hard timeout is less than or equal to the DHCP server default lease time, to avoid issues with CP sessions being valid for incorrect IPs, and users switching IPs while they should still be connected to the portal
• Fixes for captive portal voucher syncing on HTTPS with a custom port #3001
• Fixes for custom Captive Portal files leaving symlinks on the filesystem after files were removed
• Added MAC OUI database lookup support to CP status (requires the nmap package to be installed)
OS/System Management
• Ability to select serial port speed
• Added a manual way to enable TRIM if someone needs it
• Added a manual way to trigger a fsck on reboot
• AES-NI support (Cryptographic Accelerator feature on new Intel/AMD CPUs) - still experimental, not supported by some areas of the OS yet.
• Support for certain thermal sensors via ACPI, coretemp, and amdtemp
• System startup beep can be disabled
• Separate powerd setting for when on battery
• Add optional ability to change the size of RAM disks for /var/ and /tmp/ for systems that have RAM to spare
• Add optional ability for full installs to use RAM disks for /var/ and /tmp/ as is done on NanoBSD. Reduces overall writes to the media; should be more SSD-friendly
• Use a custom sysDescr for SNMP similar to m0n0wall's format. Fixes #2893
• Added a tunable to allow disabling net.inet.udp.checksum - disabling UDP checksums can improve performance, but can also have negative side effects
• Added an mtree database with the correct default permissions, owner, sha256 sum, and some other information that is used to verify file permissions post-install and post-upgrade
• APC is not started for PHP unless the system has over 512MB RAM, to reduce memory usage on systems with low RAM
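The mtree item in the OS/System Management list above describes a manifest of file modes, owners and SHA-256 sums that is checked after install and upgrade. The Python below is added here as an illustration of that kind of check; it is not pfSense's mtree database or its verification script, and the small tree it builds in a temporary directory is constructed for the demo. It snapshots every regular file, then reports each file whose mode, owner or hash has drifted, plus files that the manifest never listed (planted binaries and web shells show up this way).

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def file_sha256(path):
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record mode, owner and SHA-256 of every regular file below root (symlinks skipped)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        manifest[p.relative_to(root).as_posix()] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "sha256": file_sha256(p),
        }
    return manifest


def verify_manifest(root, manifest):
    """Return [(relative path, problem)] for every deviation from the manifest.

    Problems: "missing", "mode <got> != <want>" (octal), "owner", "sha256",
    and "unexpected" for files on disk that the manifest never listed.
    """
    root = Path(root)
    problems = []
    for rel, want in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
            continue
        st = p.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode != want["mode"]:
            problems.append((rel, "mode %o != %o" % (mode, want["mode"])))
        if (st.st_uid, st.st_gid) != (want["uid"], want["gid"]):
            problems.append((rel, "owner"))
        if file_sha256(p) != want["sha256"]:
            problems.append((rel, "sha256"))
    for p in sorted(root.rglob("*")):
        if not p.is_symlink() and p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                problems.append((rel, "unexpected"))
    return problems


def demo():
    """Constructed tree: snapshot it, tamper with it, and return (clean, tampered) results."""
    root = Path(tempfile.mkdtemp(prefix="mtree-demo-"))
    try:
        conf = root / "etc" / "rc.conf"
        tool = root / "usr" / "local" / "sbin" / "tool"
        conf.parent.mkdir(parents=True)
        tool.parent.mkdir(parents=True)
        conf.write_text('hostname="fw"\n')
        tool.write_text("#!/bin/sh\necho ok\n")
        os.chmod(conf, 0o644)
        os.chmod(tool, 0o755)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Tamper: edit a config file, loosen permissions on a binary, plant a new file.
        with open(conf, "a") as f:
            f.write('sshd_enable="YES"\n')
        os.chmod(tool, 0o777)
        (root / "etc" / "evil").write_text("planted\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean)
    for rel, problem in tampered:
        print("%-24s %s" % (rel, problem))
```

On FreeBSD itself mtree(8) does this natively: `mtree -c -K sha256digest -p / > spec` records the tree and `mtree -p / < spec` later reports the differences, which is the mechanism the release note refers to.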
Multi-WAN
• DynDNS multi-WAN failover
• IPsec multi-WAN failover
• OpenVPN multi-WAN failover
• Changed descriptions of the values for gateway monitoring
• Display apinger (gateway monitoring daemon) as a service when it is enabled
• Fixes for apinger to reload via SIGHUP properly, to avoid unnecessary restarts and loss of gateway status data
• "State Killing on Gateway Failure" now kills ALL states when a gateway has been detected as down, not just states on the failing WAN. This is done because otherwise the LAN-side states were not killed, and thus some connections would be left in limbo, especially SIP.
• Due to the change in its behavior, "State Killing on Gateway Failure" is now disabled by default in new configurations and is disabled during upgrade. If the feature is desired, it must be manually re-enabled post-upgrade.
NTP
• NTP daemon now has GPS support
IPsec
• More IPsec hash algorithms and DH key groups added; "base" negotiation mode added
• Mobile IPsec supports a separate "split dns" field and doesn't assume the default domain for split DNS domains
• Properly ignore disabled IPsec phase 2 entries
• NAT before IPsec (1:1 or many:1) outbound
• Set default Proposal Check setting to Obey for mobile IPsec
• LDAP and RADIUS are now possible authentication sources for IPsec mobile xauth
• Delete the SPDs for an old IPsec entry when it is disabled or removed #2719
• Manage active SPDs on the CARP secondary during sync #2303
• Add an option to force IPsec to reload on failover, which is needed in some cases for IPsec to fail over from one interface to another. #2896
OpenVPN
• OpenVPN can accept attributes from RADIUS via avpairs for things like inacl, outacl, dns-server, routes
• OpenVPN checkbox for "topology subnet" to use one IP per client in tun mode
• OpenVPN local/remote network boxes can accept multiple comma-separated networks
• OpenVPN status for SSL/TLS server instances can now display the routing table for the VPN instance
• OpenVPN now allows selecting "localhost" as the interface
• Gateways are created for assigned OpenVPN server instances as well as clients
• OpenVPN instances can run on the same port on different interfaces
• OpenVPN status page now has service controls to show the status of the daemon running each instance, and allow for stop/start/restart from that page
• Changed wording of the error displayed when a daemon is not running or the management interface of OpenVPN cannot be reached for an instance
• OpenVPN client-specific override cleanup fixes
• Fixed double-click to edit of OpenVPN Client-Specific Overrides
NAT/Firewall Rules/Alias
• Aliases separated into tabs for Hosts, Ports, and URLs to improve manageability
• NAT reflection options re-worded to be less confusing
• Adjustable source tracking timeout for Sticky connections
• Firewall rules now support matching on ECE and CWR TCP flags
• Filtering on ECE and CWR TCP flags is now possible
• Added ICMP to the protocol list when creating rdr (port forward) rules
• Keep proper positioning of duplicated outbound NAT rules #1118
• When using the + at the top of Outbound NAT rules, add the rule to the top of the list and not the bottom
• Fix ordering of interface group rules in the ruleset #2837
• Track the time and user@host which created or updated a firewall, NAT port forward, or outbound NAT rule. If timestamp records are present, display them at the bottom of the rule page when editing. Have the created time/user pre-filled for automated rules such as NAT port forward associated rules and the switch from automatic to manual outbound NAT
• Fix generation of manual outbound NAT rules so that localhost and VPN rules are not unnecessarily duplicated
• Prevent using "block" for an alias name, as it is a pf reserved keyword
• Allow TCP flags to be used on block or reject rules, since they are also valid there
• Updates/fixes to DSCP handling
• Allow advanced options state-related parameters to be used for TCP, UDP, and ICMP (formerly only allowed on TCP)
• Respect ports found in rules when policy route negation rules are made #3173
• Do not include disabled OpenVPN networks in generated policy route negation rules
Certificates
• Improved denoting of certificate purposes in the certificate list
• Imported CRLs can be edited and replaced
• Can set digest algorithm for CA/Certs (sha1, sha256, etc)
• Default digest algorithm is now SHA256
• Show CA and certificate start and end dates in their listings
• Correct tooltip description when adding a certificate #3017
• Relax input validation on a CA/Cert description since it is only used cosmetically in pfSense and not in the actual CA/cert subject
• Allow removing blank/empty CA and Cert entries
Logging
• More system log separation: Gateways, Routing, Resolver split into their own tabs
• Firewall logs can now be filtered by many different criteria
• Firewall logs can be sorted by any column
• Firewall logs can optionally show the matching rule description in a separate column or in between rows
• Firewall logs now show an indicator icon if the direction of a log entry is OUT rather than IN
• Add popup DNS resolution method to the firewall log view
• Reduced logging output from IGMP proxy
• Reduced logging output from DynDNS
• Relocated filterdns logs to the resolver log file/tab
• Relocated DHCP client logs to the DHCP tab
• Fix system script logging so the correct script filename is printed in the log, rather than omitting the script name entirely
• Add independent logging choices to disable logging of bogon network rules and private network rules. Add upgrade code to preserve the existing behavior for users (if default block logging was disabled, so is logging of the bogon/private block rules)
• Add a checkbox to disable the lighttpd log for people who don't want their system log full of messages from lighttpd in some cases where they are filling the log unnecessarily
Notifications
• Add the ability to disable Growl or SMTP notifications but keep their settings intact, so the mail settings can be used for other purposes (packages, etc)
• Add a test button to selectively test Growl or SMTP notifications without re-saving settings
• Do not automatically generate a test notification on saving notification settings, as there are now individual test buttons
High Availability (CARP, pfSync, XML-RPC)
• High Availability Synchronization options (formerly known as "CARP Settings" under Virtual IPs) promoted to their own menu entry, System > High Avail. Sync
• Ensure that the user does not remove the only/last IP alias needed for a CARP VIP in an additional subnet
• Disable the pfsync interface when state synchronization is not in use
• Fixed issues with DHCP server config synchronization ordering on secondary nodes #2600
• Restart OpenVPN servers when CARP transitions to master (clients were already restarted); otherwise, if CARP was disabled, the servers would never recover
• Removed the automatic pfsync rule, since the documentation always recommends adding it manually, and adding it behind the scenes with no way to block it can be counter-productive (and potentially insecure). If the documentation was not followed and a pfsync or allow-all rule was not added on the sync interface, then state synchronization may break after this upgrade. Add an appropriate rule to the sync interface and it will work again.
• Allow XMLRPC to sync IP Alias VIPs set to Localhost for their interface
• In the DHCP leases view, use the internal interface name (lan/opt1/etc) for the failover pool name, rather than a number. In certain cases the number can get out of sync between the two nodes, but the interface names will always match
• Print the user-configured interface description next to the DHCP failover pool name, rather than only the internal name (lan/opt1/etc)
• Add option to synchronize authentication servers (RADIUS, LDAP) via XMLRPC
NanoBSD
• Fixes for conf_mount_ro/conf_mount_rw reference checking/locking
• Diag > NanoBSD now has a button to switch media between read/write and read-only
• Diag > NanoBSD now has a checkbox option to keep the media read/write
• Fixed an issue with NanoBSD time zones not being properly respected by all processes on the first reboot after a firmware upgrade
DHCP Server
• DHCP can support multiple pools inside a single subnet, with distinct options per pool
• DHCP can allow/deny access to a DHCP pool by partial (or full) MAC address
• DHCP static mappings can have custom settings for gateway, DNS, etc
• DHCP static mappings can optionally have a static ARP entry created
• Fix Dynamic DNS updates from DHCP (ISC changed the config layout and requires zone declarations)
• When crafting DHCP Dynamic DNS zones, do not use invalid DNS servers for the IP type (e.g. skip IPv6 DNS servers, because the DHCP daemon rejects them)
• Added a config backup section choice for DHCPv6
Traffic Shaper
• Schedules can now be used with limiters
• Traffic shaper queues view updated
• CoDel AQM Shaper Discipline
• Allow PRIQ queues to be deleted. #3037
• Limiters now allow the user to set the mask they want to use, rather than assuming masking will always be per-IP. This allows per-subnet limits and similar
• Limiters now allow setting masking for IPv6
• Limiters now allow setting a burst size. This will pass X amount of data (TOTAL, NOT a rate) after an idle period before enforcing the limit
DNS Forwarder
• In the DNS Forwarder, a DNS query forwarding section with options for sequential and require domain
• Allow a null forwarding server in DNS Forwarder domain overrides to ensure that queries stay local and never go outside the firewall
• Add DNS Forwarder option to not forward private reverse lookups
• DNS Forwarder domain overrides can now specify a source address for the query, to help resolve hostnames over VPN tunnels
• DNS Forwarder can now change the port on which it listens, for better cohabitation with other DNS software such as tinydns or unbound, if both are needed
• DNS Forwarder now has an option to select the interfaces/IP addresses on which it will respond to queries
• DNS Forwarder can now be set to only bind to specific IPv4 IPs (the underlying software, dnsmasq, does not support selectively binding to IPv6 IPs)
• Improved handling of some dnsmasq custom config options
User Manager
• Configurable RADIUS authentication timeout in User Manager
• Print the error message from LDAP in the log for a bind failure. Helps track down reasons for authentication failures
• Re-enable the admin user if it is disabled when the 'Reset webConfigurator password' option is used. Fixes #2877
• Restrict maximum group name length to 16 characters or less (OS restriction)
• Added option to UTF-8 encode LDAP parameters to improve handling of international characters
• CDATA-protect LDAP fields in config to avoid invalid XML with international characters
DynDNS
• Fixed handling of DynDNS 25-day update and add ability to configure update interval
• Added DynDNS No-IP Free Account Support
• Add AAAA support to RFC2136 updates
• Add cached IP support to RFC2136; add GUI button to force update for single host
• Fix double click row to edit for RFC2136
• Add option to RFC2136 to find/use the public IP if the interface IP is private. (Off by default to preserve existing behavior on upgrade)
• Add server IP column and cached IP display to RFC2136 host list
• Include RFC2136 hosts in DNS rebinding checks
• Include both dyndns and RFC2136 hosts in referer check
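The last two DynDNS items above extend the GUI's DNS rebinding check (does the Host header name this firewall?) and its Referer check (did the request originate from a page on this firewall?) to the DynDNS and RFC2136 hostnames, which legitimately resolve to the firewall and were previously flagged. The Python below is added as an illustration of how those two checks fit together; it is not pfSense's auth code, the allow-list construction and the decision that a bare IP literal cannot be a rebinding attack are this example's own design, and the hostnames and addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(host):
    """True for a valid IPv4 or IPv6 address string."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def allowed_hosts(hostname, domain, interface_ips, dyndns_hosts=(), rfc2136_hosts=()):
    """Every name the GUI should answer to (lower-cased) plus its own addresses.

    The release note's change is the last two sources: DynDNS and RFC 2136
    hostnames point at this firewall, so a Host header carrying one of them is
    legitimate, not a rebinding attempt.
    """
    names = {hostname.lower(), f"{hostname}.{domain}".lower()}
    names.update(h.lower().rstrip(".") for h in dyndns_hosts)
    names.update(h.lower().rstrip(".") for h in rfc2136_hosts)
    # Canonical textual form so "2001:DB8::1" and "2001:db8::1" compare equal.
    names.update(str(ipaddress.ip_address(ip)) for ip in interface_ips)
    return names


def host_from_header(value):
    """Strip the port (and IPv6 brackets) from a Host header value.

    Unbracketed IPv6 literals are not valid in a Host header, so they are
    not special-cased here.
    """
    value = value.strip().lower()
    if value.startswith("["):                      # [2001:db8::1]:443
        end = value.find("]")
        return value[1:end] if end != -1 else value
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() else value


def is_dns_rebind(host_header, allowed):
    """True when the browser reached us through a name this firewall does not recognise.

    A rebinding attack needs an attacker-controlled DNS name whose answer is
    later switched to an internal address; a bare IP literal cannot be
    rebound, so only names are judged against the allow-list.
    """
    host = host_from_header(host_header)
    if is_ip_literal(host):
        return False
    return host not in allowed


def referer_ok(referer, allowed):
    """Accept a missing Referer, or one pointing at a recognised host/IP of this firewall."""
    if not referer:
        return True
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in allowed


if __name__ == "__main__":
    allowed = allowed_hosts("fw", "example.org", ["192.0.2.1", "2001:db8::1"],
                            dyndns_hosts=["fw.dyndns.example"],
                            rfc2136_hosts=["fw.rfc2136.example."])
    for h in ("fw.example.org:443", "fw.rfc2136.example", "[2001:db8::1]:443",
              "evil.attacker.example"):
        print("%-28s rebind=%s" % (h, is_dns_rebind(h, allowed)))
    for r in ("", "https://fw.dyndns.example/firewall_rules.php", "https://evil.attacker.example/"):
        print("%-48s referer_ok=%s" % (repr(r), referer_ok(r, allowed)))
```

The allow-list is the whole story: any name a browser might legitimately use to reach the GUI, but is missing from it, produces the "Potential DNS Rebind attack detected" style of false positive that this change fixes for DynDNS and RFC2136 names.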
Graphs
• Add ability to reverse-resolve IPs on Status > Traffic Graph in the rate table
• Add ability to filter local or remote IPs on Status > Traffic Graph in the rate table
• Change maximum values for RRD throughput to account for 10G links. Previous maximums would have caused blank spots on the graph during periods of high throughput
• Fixes to RRD data resolution/retention
• Added RRD Graph for mbuf clusters
• Changed default RRD graph colors to be more visually distinct to help avoid ambiguity between multiple values on the same graph
Misc
• Add option to the packet capture page to control whether or not promiscuous mode is used on the NIC. Certain drivers have issues with promiscuous mode
• Make parent interface and all VLANs share MTU #2786
• Fix cellular signal strength indicator
• Fix PPP config cleanup when removing an interface #2758
• Disallow adding an IP Alias or CARP VIP that would be the network or broadcast address of a subnet
• Diagnostics > Sockets page to show open network sockets on the firewall
• Diagnostics > Test Port page to perform a simple TCP connection test to see if a port is open
• The pftop page has additional options to display more detailed information and sort it
• Fixed conflict between static IP and static route in the same subnet #2039
• Do not apply static ARP entries to disabled interfaces #1988
• Do not allow a bridge to be added as a member of itself #1153
• Changed Diag > Ping to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces, IPv6 Link-Local IPs)
• Changed Diag > Traceroute to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces, IPv6 Link-Local IPs)
• Changed shell prompt to not force background color, to be kinder to those not using black as a background in their terminal
• Add a field to allow rejecting DHCP leases from a specific upstream DHCP server. #2704
• Updated the help system to handle some recently added files for 2.x and clean out some old/obsolete files
• Allow selecting "Localhost" as an interface for IP Alias VIPs - this way IP Alias VIPs may be used for binding firewall services (e.g. Proxy, VPN, etc) in routed subnets without burning IPs for CARP unnecessarily
• Updated list of mobile service providers
• Fix max length for WPA passphrase. A 64-char passphrase would be rejected by hostapd and leave an AP in an open state #3034
• Added MSS clamping to the setup wizard
• Add a setting to configure the filterdns hostname resolution interval (defaults to 300s, 5 minutes)
• Omit IP mismatch warnings (e.g. behind a port forward, VPN IP, etc) if HTTP_REFERER protection is disabled
• Fixes for selecting/detecting PPP devices such as 3G/4G modems
• Rather than doing auto-detection to find serial PPP devices, use a glob when listing potential PPP serial devices
• Prevent sshlockout from a crash/coredump if a format string like %s is present in the buffer
• Fix SMART to see adaX devices
• Fix SMART interpretation of output from SCSI devices
• Fixed display of user SSH keys when present
• Updated p0f database from FreeBSD
• Fix UPnP interface name selection to show the configured description entered by the user
• Allow setting the external UPnP interface (must be the default route WAN)
• Fix Diag > Tables AJAX fadeOut after deletion for rows with CIDR mask format
• Improve Diagnostics > Routes to fetch output via AJAX and have configurable filtering and sizes. Improves handling of large routing tables, such as a full BGP feed
• When deleting or renaming a virtual server from the Load Balancer (relayd), manually clean up the NAT rules it leaves behind to avoid conflicts
• Many, many bug fixes
• Various fixes for typos, formatting, input validation, etc
SH/PHP Shell Scripts
• Git package for gitsync is now pulled in as a pfSense-style PBI package
• Shell scripts added to enable/disable CARP:
    pfSsh.php playback enablecarp
    pfSsh.php playback disablecarp
• Shell scripts to add and remove packages from the command line:
    pfSsh.php playback installpkg "Some Package"
    pfSsh.php playback uninstallpkg "Some Package"
    pfSsh.php playback listpkg
• Added shell script to remove shaper settings:
    pfSsh.php playback removeshaper
• Add shell script to control services from the command line:
    pfSsh.php playback svc start <service name>
    pfSsh.php playback svc restart <service name>
    pfSsh.php playback svc stop <service name>
• Add a simple CLI mail script capable of sending an SMTP message using echo/piped input (uses SMTP notification settings for server details):
    ifconfig -a | mail.php -s"ifconfig output"
• Added a script to convert a user's filesystem from device names to UFS labels, for easier portability in case the disk device changes names (e.g. adX to adY, adX to daY, or adX to adaX). ONLY FOR FULL INSTALLS. NanoBSD already uses labels.
    /usr/local/sbin/ufslabels.sh
2.0.3 New Features and Changes
pfSense® software 2.0.3 is a maintenance release with some bug fixes since the 2.0.2 release. It is possible to upgrade from any previous release to 2.0.3. Because this release followed shortly after 2.0.2, review the 2.0.2 New Features and Changes document as well. The changelog for pfSense 2.0.3-RELEASE follows.
Security Advisories
• Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03
PPP
• Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)
Captive Portal
• Fix Captive Portal Redirect URL trimming
• Voucher sync fixes
• Captive portal pruning/locking fixes
• Fix problem with fastcgi crashing
OpenVPN
• Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route from OSPF or elsewhere could prevent an instance from restarting properly
• Always clear the OpenVPN route when using shared key, no matter how the tunnel network "CIDR" is set
• Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually
• Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. #2652
• Fix interface assignment descriptions when using > 10 OpenVPN instances
Logging
• Put syslogd into secure mode so it refuses remote syslog messages
• If syslog messages are in the log and the hostname does not match the firewall, display the supplied hostname
• Fix PPP log display to use the correct log handling method
• Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log output (e.g. username)
Traffic Shaper
• Fix editing of traffic shaper default queues. #1995
• Fix wording for the VoIP address option in the shaper. Add a rule going the other direction to catch connections initiated both ways
Dashboard & General GUI
• Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others are active
• Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage
• Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help avoid accidental cross-architecture upgrades
• Add header to DHCP static mappings table
• When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the shutdown output appears in the correct location on the page
• Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs
• Fixed SNMP interface binding glitch (setting was active but not reflected when viewed in the GUI)
• Add a new class called addgatewaybox to make it easier to respect custom themes #2900
Console Menu Changes
• Correct accidental interface assignment changes when changing settings on the console menu
• Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a more effective way to restart the GUI, since if a PHP process is hung, restarting lighttpd alone will not recover from that
• Fix port display after LAN IP reset
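The Logging item above on running IPsec logs through htmlspecialchars is a persistent (stored) XSS: racoon writes the XAuth username it was given into syslog, and the log viewer then rendered that text as part of the page, so a failed login attempt with a crafted username became script that ran for the next administrator to open the IPsec log. The Python below is added to illustrate the problem and the fix side by side; it is not pfSense's log viewer (which is PHP and uses htmlspecialchars(); html.escape() is the equivalent here), and the three log lines, including the hostile username, are constructed.

```python
import html
import re

# Constructed sample of racoon syslog output; the third line carries an
# attacker-chosen XAuth username that the daemon echoed back on a failed login.
SAMPLE_LOG = [
    "Jan 10 12:00:01 fw racoon: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.9[500]",
    "Jan 10 12:00:02 fw racoon: INFO: ISAKMP-SA established 192.0.2.1[4500]-198.51.100.9[4500]",
    "Jan 10 12:00:03 fw racoon: ERROR: xauth user '<script>alert(document.cookie)</script>' not found",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_line(line):
    """Split one racoon syslog line into ts/host/level/msg, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def render_rows_unsafe(lines):
    """The pre-2.0.3 behaviour: log text is interpolated into the page verbatim."""
    rows = []
    for entry in filter(None, map(parse_line, lines)):
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
                    % (entry["ts"], entry["level"], entry["msg"]))
    return "\n".join(rows)


def render_rows(lines):
    """The 2.0.3 fix: every log-derived field is HTML-escaped before it reaches the page.

    quote=True also escapes ' and ", so the value is safe inside attributes,
    not only between tags.
    """
    rows = []
    for entry in filter(None, map(parse_line, lines)):
        ts, level, msg = (html.escape(entry[k], quote=True) for k in ("ts", "level", "msg"))
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (ts, level, msg))
    return "\n".join(rows)


def leaks_markup(rendered):
    """Demo check: did a log-derived <script> tag survive into the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe renderer leaks markup:", leaks_markup(render_rows_unsafe(SAMPLE_LOG)))
    print("escaped renderer leaks markup:", leaks_markup(render_rows(SAMPLE_LOG)))
    print(render_rows(SAMPLE_LOG))
```

The same rule applies to every other log the GUI displays: anything a remote party can get written to syslog (usernames, hostnames, DHCP client identifiers, SMTP banners) is untrusted input at display time.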
Misc Changes
• Change how the listening address is passed to miniupnpd; the old method was resulting in errors for some users
• Fix "out" packet count reporting
• Be a little smarter about the default kernel in rare cases where it cannot determine what was in use
• Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases
• Minimise rewriting of /etc/gettytab (https://forum.netgate.com/post/51581)
• Make the is_pid_running function return more consistent results by using isvalidpid
• Fix ataidle error on systems that have no ATA HDD. #2739
• Update Time Zone database zoneinfo to 2012.j to pick up recent zone/DST/etc changes
• Fix handling of LDAP certificates; the library no longer properly handles files with spaces in the CA certificate filename
• Bring in the RCFILEPREFIX as constant fixes from HEAD, since otherwise rc.stop_packages was globbing in the wrong dir and executing the wrong scripts. Also seems to have fixed the "bad fd" error
• NTP restart fixes
• Gitsync now pulls in the git package from the pfSense package repository rather than FreeBSD
• Fixed handling of RRD data in config.xml backups when exporting an encrypted config #2836
• Moved apinger status to /var/run instead of /tmp
• Fixes for FTP proxy on non-default gateway WANs
• Fixes for OVA images
• Use new pfSense repository location (http://github.com/pfsense/pfsense/)
• Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status file/etc
lighttpd changes
• Improve tuning of lighttpd and php processes
• Use separate paths for GUI and Captive Portal fastcgi sockets
• Always make sure php has its own process manager to make lighttpd happy
• Make mod_fastcgi last to have url.rewrite work properly
• Enable mod_evasive if needed for Captive Portal
• Simplify lighttpd config
• Send all lighttpd logs to syslog
Binary changes
• dnsmasq to 2.65
• rsync to 3.0.9
• links 2.7
• rrdtool to 1.2.30
• PHP to 5.2.17_13
• OpenVPN 2.2 stock again (removed IPv6 patches since those are only needed on 2.1 now)
• Fix missing "beep" binary on amd64
• Fix potential issue with IPsec routing of client traffic
• Remove lighttpd spawnfcgi dependency
• Add splash device to wrap_vga kernels (it's in GENERIC so full installs already have it). #2723
filterdns
• Correct an issue with an unallocated structure
• Avoid issues with pidfiles being overwritten; lock the file during modifications
• Make filterdns restartable and properly clean up its tables upon exit or during a reconfiguration
dhcpleases
• Correct a use after free and also support hostnames with other DNS suffixes
• Reinit on any error rather than just forgetting. Also the difftime checks are done after having a complete view; no need to do them every time
• Typo fixes
• Log that a HUP signal is being sent to the pid file submitted by argument
• Prevent bad parsing of empty hostnames in the lease file. Add an -f option to run dhcpleases in the foreground. The only option needed while in the foreground is the -h parameter, and the only usable one as well
2.0.2 New Features and Changes
pfSense® software 2.0.2 is a maintenance release with some bug and security fixes since the 2.0.1 release. It is possible to upgrade from any previous release to 2.0.2. What follows is a mostly-complete changelog for pfSense 2.0.2-RELEASE.
FreeBSD Security Advisories
Base OS updated to 8.1-RELEASE-p13 to address the following FreeBSD Security Advisories:
• FreeBSD-SA-12:01.openssl (v1.0/v1.1) http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc
• FreeBSD-SA-12:02.crypt http://security.FreeBSD.org/advisories/FreeBSD-SA-12:02.crypt.asc
• FreeBSD-SA-12:04.sysret (v1.0/v1.1) http://security.FreeBSD.org/advisories/FreeBSD-SA-12:04.sysret.asc
• FreeBSD-SA-12:07.hostapd https://www.freebsd.org/security/advisories/FreeBSD-SA-12:07.hostapd.asc
PPTP
• Added a warning to the PPTP VPN configuration page:
  Warning: PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2, which has been compromised. Be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. Migrate to another VPN type such as OpenVPN or IPsec. More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
• Fix reference to PPTP secondary RADIUS server shared secret.
• PPTP upgrade fixes.
NTP Changes
• OpenNTPD was dropped in favor of the ntp.org NTP daemon, used by FreeBSD.
• Status page added (Status > NTP) to show status of clock sync
• NTP logging fixed.
Note: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. Selective interface binding may still be used to control which IP addresses will accept traffic, but be aware that the default behavior has changed.
Dashboard & General GUI Fixes
• Various fixes for typos, wording, and so on.
• Do not redirect on saving the services status widget.
• Don't use $pconfig in widgets; it has unintended side effects.
• Fix display of widgets with configuration controls in IE.
• Changed some padding/margin in the CSS in order to avoid wrapping the menu.
• #2165 Change to embed to prevent IE9 from misbehaving when loading the Traffic Graph page
OpenVPN Fixes
• Safer for 1.2.3 upgrades to assume OpenVPN interface == any, since 1.2.3 didn't have a way to bind to an interface. Otherwise people accepting connections on OPT interfaces on 1.2.3 will break on upgrade until the proper interface is selected in the GUI
• Don't ignore multiple OpenVPN DNS, NTP, WINS, etc. servers specified in 1.2.3 when upgrading. 1.2.3 separated them by ";", 2.x uses separate vars.
• Fix upgrade code for 1.2.3 with an assigned OpenVPN interface.
• Fix LZO setting for upgraded OpenVPN (was turning compression on even if the old config had it disabled.)
• Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop. If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care, as they only accept, not initiate.
IPsec fixes
• Only do foreach on IPsec p2's if it's actually an array.
• #2201 Don't let an empty subnet into racoon.conf; it can cause parse errors.
• #2201 Reject an interface without a subnet as a network source in the IPsec Phase 2 GUI.
• Add routes even when IPsec is on WAN, as WAN may not be the default gateway.
• #1986 Revamped IPsec status display and widget to properly account for mobile clients.
• Fixed a bug that caused the IPsec status and widget to display slowly when mobile clients were enabled.
User Manager Fixes
• #2066 Improve adding/removing of user accounts to the underlying OS, especially accounts with a numeric username.
• Include admin user in bootup account sync
• Fix permission and certificate display for the admin user
• Fix ssh key note to refer to DSA, not just RSA, since both work.
• ":" chars are invalid in a comment field; filter them out.
• When renaming a user, make sure to remove the previous user or it gets left in /etc/passwd. • #2326 Do not allow empty passwords since this might cause problems for some authentication servers like LDAP. 3.3. Older/Unsupported Releases 237
  • 241. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Captive Portal Fixes • Take routing table into account when figuring out which IP address to use for talking to CP clients. • Prevent browser auto-fill username and password on voucher config, as it can interfere with the settings being properly saved if sync isn’t fully configured, which this can make happen accidentally. • Correct the Called-Station-Id attribute setting to be the same on STOP/START packets • Correct the Called-Station-Id attribute setting to be consistent on the data sent • #2082 Correct the log to display the correct information about an existing session • #2052 Remove duplicate rule • Fix which roll to write when writing the active voucher db • Always load ipfw when enabling CP to ensure the pfil hooks are setup right • #2378 Fix selection of CP interfaces when using more than 10 opt interfaces. • Strengthen voucher randomization. NAT/Firewall Rules/Alias Fixes • #2327 Respect the value of the per-rule “disable reply-to” checkbox. • #1882 Fix an invalid pf rule generated from a port forward with dest=any on an interface with ip=none • #2163 1:1 Reflection fixes for static route subnets and multiple subnets on the same interface. • Better validation on URL table alias input from downloaded files. • #2293 Don’t put an extra space after “pass” when assuming it as the default action or later tests will fail to match this as a pass rule. • Update help text for Host aliases to indicate FQDNs are allowed. • #2210 Go back to scrub rather than “scrub in”, the latter breaks MSS clamping for egress traffic • Fix preservation of the selection of interfaces on input errors for floating rules. • Fix URL table update frequency box. • Fix input validation for port forwards, Local Port must be specified. • Added a setting to increase the maximum number of pf tables, and increased the default to 3000. 
• Properly determine active GUI and redirect ports for anti-lockout rule, for display and in the actual rule. • Handle loading pf limits (timers, states, table/entry limits, etc) in a separate file to avoid a chicken-and-egg scenario where the limits would never be increased properly. 3.3. Older/Unsupported Releases 238
  • 242. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Interface/Bridging Fixes • Correct checking if a gif is part of bridge so that it actually works correctly adding a gif after having created it on bootup • Use the latest functions from pfSense module for getting interface list • Use the latest functions from pfSense module for creating bridges • Implement is_jumbo_capable in a more performant way. This should help with large number of interfaces • Since the CARP interface name changed to “vipN” from “carpN”, devd needs to follow that change as well. • #2242 Show lagg protocol and member interfaces on Status > Interfaces. • #2212 Correctly stop dhclient process when an interface is changed away from DHCP. • Fixed 3G SIM PIN usage for Huawei devices • Properly obey MTU set on Interface page for PPP type WANs. Other Misc. Fixes • #2057 Add a checkbox that disables automatically generating negate rules for directly connected networks and VPNs. • Mark “Destination server” as a required field for DHCP Relay • Clarify the potential pitfalls when setting the Frequency Probe and Down parameters. • Add a PHP Shell shortcut to disable referer check (playback disablereferercheck) • #2040 Make Wireless Status tables sortable • #2068 Fix multiple keys in a file for RFC2136 dyndns updates. • Check to see if the pid file exists before trying to kill a process • #2144 Be smarter about how to split a Namecheap hostname into host/domain. • Add a small script to disable APM on ATA drives if they claim to support it. Leaving this on will kill drives long-term, especially laptop drives, by generating excessive Load Cycles. The APM bit set will persist until the drive is power cycled, so it’s necessary to run on each boot to be sure. • #2158 Change SNMP binding option to work on any eligible interface/VIP. If the old bindlan option is there, assume the lan interface for binding. 
• Fix reference to PPTP secondary RADIUS server shared secret. • PPTP upgrade fixes. • #2147 Add button to download a .p12 of a cert+key. • #2233 Carry over the key length on input errors when creating a certificate signing request. • #2207 Use PHP’s built-in RFC 2822 date format. • Allow specifying the branch name after the repository URL for gitsync command-line arguments and remove an unnecessary use of the backtick operator. • Correct send_multiple_events to conform with new check_reload_status behaviour • Do not wipe logs on reboot on full install • Set FCGI_CHILDREN to 0 since it does not make sense for php to manage itself when lighttpd is doing so. This makes it possible to recover from 550-Internal... error. 3.3. Older/Unsupported Releases 239
  • 243. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC • Support for xmlrpcauthuser and xmlrpcauthpass in $g. • Fix Layer 7 pattern upload, button text check was incorrect. • Correct building of traffic shaping queue to not depend on parent mask • #2239 Add alias support to static routes • Use !empty instead of isset to prevent accidental deletion of the last used repository URL when firmware update gitsync settings have been saved without a repository URL. • Better error handling for crypt_data and also better password argument handling • Stop service needs to wait for the process to be stopped before trying to restart it. • Use a better default update url • Fix missing description in rowhelper for packages. • #2402, #1564 Move the stop_packages code to a function, and call the function from the shell script, and call the function directly for a reboot. • #1917 Fix DHCP domain search list • Update Time Zone zoneinfo database using latest zones from FreeBSD • Handle HTTPOnly and Secure flags on cookies • Fixed notifications for firmware upgrade progress • Removed an invalid declaration that considered 99.0.0.0/8 a private address. • Fixed redirect request for IE8/9 • #1049 Fix crashes on NanoBSD during package removal/reinstall. Could result in the GUI being inaccessible after a firmware update. • Fix some issues with upgrading NanoBSD+VGA and NanoBSD+VGA Image Generation • Fix issues upgrading from systems with the old “Uniprocessor” kernel which no longer exists. • Fix a few potential XSS/CSRF vectors. • Fixed issue with login page not showing the correct selected theme in certain configurations. • Fix limiters+multi-wan Binary/Supporting Program Updates • Some cleanup to reduce overall image size • Fixes to ipfw-classifyd file reading and handling • Updated miniupnpd • ISC DHCPD 4.2.4-P1 • mdp5 upgraded to 5.6 • pftop updated • lighttpd updated to 1.4.32, for CVE-2011-4362 and CVE-2012-5533. 3.3. 
Older/Unsupported Releases 240
2.0.1 New Features and Changes

This is a maintenance release with bug and security fixes since the 2.0 release. It is possible to upgrade from any previous release to 2.0.1. For those who use the built-in certificate manager, pay close attention to the notes below on a potential security issue with those certificates.

Change Log

The following changes were made after 2.0-RELEASE and were included in 2.0.1-RELEASE.

• Improved accuracy of automated state killing in various cases (#1421)
• Various fixes and improvements to relayd
  – Added to Status > Services and widget
  – Added ability to kill relayd when restarting (#1913)
  – Added DNS load balancing
  – Moved relayd logs to their own tab
  – Fixed default SMTP monitor syntax and other send/expect syntax
• Fixed path to FreeBSD packages repo for 8.1
• Various fixes to syslog:
  – Fixed syslogd killing/restarting to improve handling on some systems that were seeing GUI hangs resetting logs
  – Added more options for remote syslog server areas
  – Fixed handling of ‘everything’ checkbox
  – Moved wireless to its own log file and tab
• Removed/silenced some irrelevant log entries
• Fixed various typos
• Fixes for RRD upgrade/migration and backup (#1758)
• Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
• Fixed policy route negation for VPN networks (#1950)
• Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
• Fixed VoIP rules produced by the traffic shaper wizard (#1948)
• Fixed uname display in System Info widget (#1960)
• Fixed LDAP custom port handling
• Fixed Status > Gateways to show RTT and loss like the widget
• Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
• Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
• Clarified text of serial field when importing a CA (#2031)
• Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
• Fixed Captive Portal MAC passthrough rules (#1976)
• Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
• Fixed CARP status widget to properly show “disabled” status.
• Fixed end time of custom timespan RRD graphs (#1990)
• Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
• Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
• Fixed handling of OpenVPN client bandwidth limit option
• Fixed handling of LDAP certificates (#2018, #1052, #1927)
• Enforce validity of RRD graph style
• Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
• Fixed handling of hostnames in DHCP that start with a number (#2020)
• Fixed saving of multiple dynamic gateways (#1993)
• Fixed handling of routing with unmonitored gateways
• Fixed Firewall > Shaper, By Queues view
• Fixed handling of spd.conf with no phase 2’s defined
• Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc.)
• Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
• Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
• Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
• Lowered size of CF images again to fit newer and ever-shrinking CF cards.
• Clarified text for media selection (#1910)

Notes for certificate generation vulnerability

Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates. These certificates can be used as a certificate authority, meaning a user can use their own certificate to create chained certificates. The firewall defaults OpenVPN on 2.0.1 and newer versions to not accept chained certificates, which mitigates this for OpenVPN only; any other service that trusts the same CA does not benefit from the OpenVPN depth restriction. If untrusted users hold certificates generated on the 2.0 release, the best practice is to regenerate all certificates and issue new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected. If certificates generated on pfSense® are used for other purposes, revoke those and issue new certificates generated on 2.0.1. A CRL must be utilized in that case. To be on the safe side, start from scratch with a new CA and certificates after deleting all existing ones.
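The note above describes user or server certificates that carry CA capability. Whether a given certificate has that capability is recorded in its X509v3 Basic Constraints extension (CA:TRUE versus CA:FALSE), so an audit of an existing certificate store comes down to reading that extension from every PEM file. The following Python script is an added example, not code from the pfSense project or this documentation: it shells out to the `openssl` command-line tool (assumed to be installed, 1.1.1 or newer) and parses its text output, which is simpler and more portable than a full ASN.1 parser. The `make_sample_certs` helper builds a constructed throwaway CA and a CA:FALSE leaf in a temporary directory purely so the example runs offline; the certificate names and layout are this example's own.

```python
import os
import subprocess
import tempfile


def basic_constraints(cert_path):
    """Read the X509v3 Basic Constraints extension from a PEM certificate by
    parsing `openssl x509 -text` output. Returns a dict with keys
    present, ca, critical. `openssl` must be on PATH (assumption)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    lines = out.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Basic Constraints" in line:
            # openssl prints the value ("CA:TRUE" / "CA:FALSE") on the next line
            value = lines[i + 1].strip() if i + 1 < len(lines) else ""
            return {"present": True, "ca": "CA:TRUE" in value,
                    "critical": "critical" in line}
    return {"present": False, "ca": False, "critical": False}


def verdict(cert_path):
    """Classify one certificate for the audit.
    'CA'     - basicConstraints CA:TRUE; if this was meant to be a user or
               server certificate it can issue chained certificates.
    'leaf'   - basicConstraints CA:FALSE, the expected state for an end entity.
    'review' - no basicConstraints at all; RFC 5280 requires CA:TRUE for an
               issuer, but validators differ on such certificates, so look
               at them by hand."""
    bc = basic_constraints(cert_path)
    if not bc["present"]:
        return "review"
    return "CA" if bc["ca"] else "leaf"


def audit(cert_paths):
    """Return (path, verdict) for every certificate that is not a plain leaf."""
    findings = []
    for path in cert_paths:
        v = verdict(path)
        if v != "leaf":
            findings.append((path, v))
    return findings


def make_sample_certs():
    """Constructed sample data for this example (not from any real system):
    a throwaway CA and a CA:FALSE leaf certificate it signs."""
    d = tempfile.mkdtemp()
    p = lambda name: os.path.join(d, name)
    with open(p("ca.cnf"), "w") as f:
        f.write("[req]\ndistinguished_name = dn\nprompt = no\n"
                "x509_extensions = ca_ext\n[dn]\nCN = example-ca\n"
                "[ca_ext]\nbasicConstraints = critical,CA:TRUE\n"
                "keyUsage = critical,keyCertSign,cRLSign\n")
    with open(p("leaf.cnf"), "w") as f:
        f.write("[req]\ndistinguished_name = dn\nprompt = no\n"
                "[dn]\nCN = example-leaf\n")
    with open(p("leaf.ext"), "w") as f:
        # What an end-entity certificate should carry.
        f.write("basicConstraints = critical,CA:FALSE\n"
                "keyUsage = digitalSignature,keyEncipherment\n")
    quiet = {"check": True, "capture_output": True}
    subprocess.run(["openssl", "req", "-x509", "-config", p("ca.cnf"),
                    "-newkey", "rsa:2048", "-nodes", "-keyout", p("ca.key"),
                    "-out", p("ca.pem"), "-days", "1"], **quiet)
    subprocess.run(["openssl", "req", "-new", "-config", p("leaf.cnf"),
                    "-newkey", "rsa:2048", "-nodes", "-keyout", p("leaf.key"),
                    "-out", p("leaf.csr")], **quiet)
    subprocess.run(["openssl", "x509", "-req", "-in", p("leaf.csr"),
                    "-CA", p("ca.pem"), "-CAkey", p("ca.key"), "-CAcreateserial",
                    "-days", "1", "-extfile", p("leaf.ext"),
                    "-out", p("leaf.pem")], **quiet)
    return {"ca": p("ca.pem"), "leaf": p("leaf.pem")}


if __name__ == "__main__":
    samples = make_sample_certs()
    for path, v in audit(samples.values()):
        print(f"{v:7} {path}")
```

To audit a real store, pass the exported certificate files to `audit()` instead of the generated samples; anything reported as `CA` that was issued to a user or server is a candidate for revocation and reissue, and `review` entries deserve a manual look. The script only inspects Basic Constraints; checking Extended Key Usage (serverAuth versus clientAuth) would be the natural next step for the server/client distinction the 2.0.1 release introduced.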
Upgrade considerations

It is very important to read the Upgrade Guide before performing an upgrade for those still on 1.2.x versions.

2.0 New Features and Changes

This is a partial list of the new features and major changes in the pfSense® software 2.0 release.

Operating System

• Based on FreeBSD 8.1 release.
• i386 and amd64 variants for all install types (full install, nanobsd/embedded, etc.)
• USB memstick installer images available

Interfaces

• GRE tunnels
• GIF tunnels
• 3G support
• Dial up modem support
• Multi-Link PPP (MLPPP) for bonding PPP connections (ISP/upstream must also support MLPPP)
• LAGG Interfaces
• Interface groups
• IP Alias type Virtual IPs
• IP Alias VIPs can be stacked on CARP VIPs to go beyond the 255 VHID limit in deployments that need very large numbers of CARP VIPs.
• QinQ VLANs
• Can use Block Private Networks / Block Bogon Networks on any interface
• All interfaces are optional except WAN
• All interfaces can be renamed, even LAN/WAN
• Bridging enhancements - can now control all options of if_bridge, and assign bridge interfaces

Gateways/Multi-WAN

• Gateways, including dynamic gateways, are specified under System > Routing
• Gateways can have custom monitor IPs
• Gateways can have a custom weight, allowing load balancing to have ratios between WANs of different speeds
• Gateways can have custom latency, loss, and downtime trigger levels.
• Gateway monitoring via icmp is now configurable.
• Multiple gateways may exist per interface
• Multi-WAN is now handled via gateway groups
• Gateway groups can include multiple tiers with any number of gateways on each, for complex failover and load balancing scenarios.

General Web GUI

• Set to HTTPS by default, HTTP redirects to HTTPS port
• Dashboard and widgets added
• System > Advanced screen split into multiple tabs, more options available.
• SMTP email alerts and growl alerts
• New default theme - pfsense_ng
• Some community-contributed themes added
• Contextual help available on every page in the web interface, linking to a webpage containing help and documentation specific to that page.
• Help menu for quick access to online resources (forum, docs, paid support, etc.)

Aliases

• Aliases may be nested (aliases in aliases)
• Alias autocomplete is no longer case sensitive
• IP Ranges in Aliases
• More Alias entries supported
• Bulk Alias importing
• URL Aliases
• URL Table Aliases - uses a pf persist table for large (40,000+) entry lists

Firewall

• Traffic shaper rewritten - now handles any combination of multi-WAN and multi-LAN interfaces. New wizards added.
• Layer7 protocol filtering
• EasyRule - add firewall rules from log view (and from console!)
• Floating rules allow adding non-interface specific rules
• Dynamically sized state table based on amount of RAM in the system
• More Advanced firewall rule options
• FTP helper now in kernel
• TFTP proxy
• Schedule rules are handled in pf, so they can use all the rule options.
• State summary view, report shows states grouped by originating IP, destination IP, etc.

NAT

• All of the NAT screens were updated with additional functionality
• Port forwards can now create/update associated firewall rules automatically, instead of just creating unrelated entries.
• Port forwards can optionally use “rdr pass” so no firewall rule is needed.
• Port forwards can be disabled
• Port forwards can be negated (“no rdr”)
• Port forwards can have source and destination filters
• NAT reflection improvements, including NAT reflection for 1:1 NAT
• Per-entry NAT reflection overrides
• 1:1 NAT rules can specify a source and destination address
• 1:1 NAT page redesigned
• Outbound NAT can now translate to an address pool (Subnet of IPs or an alias of IPs) of multiple external addresses
• Outbound NAT rules can be specified by protocol
• Outbound NAT rules can use aliases
• Improved generation of outbound NAT rules when switching from automatic to manual.

IPsec

• Multiple IPsec p2’s per p1 (multiple subnets)
• IPsec xauth support
• IPsec transport mode added
• IPsec NAT-T
• Option to push settings such as IP, DNS, etc. to mobile IPsec clients (mod_cfg)
• Mobile IPsec works with iOS and Android (Certain versions, see IPsec Remote Access VPN Example Using IKEv1 with Xauth)
• More Phase 1/2 options can be configured, including the cipher type/strength
• ipsec-tools version 0.8

User Manager

• New user manager, centralizing the various user configuration screens previously available.
• Per-page user access permissions for administrative users
• Three built-in authentication types - local users, LDAP and RADIUS.
• Authentication diagnostics page

Certificate Manager

• Certificate manager added, for handling of IPsec, web interface, user, and OpenVPN certificates.
• Handles creation/import of Certificate Authorities, Certificates, Certificate Revocation lists.
• Eliminates the need for using command line tools such as EasyRSA for managing certificates.

OpenVPN

• OpenVPN wizard guides through making a CA/Cert and OpenVPN server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenVPN server.
• OpenVPN filtering - an OpenVPN rules tab is available, so OpenVPN interfaces don’t have to be assigned to perform filtering.
• OpenVPN client export package - provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user’s certificate and configuration files.
• OpenVPN status page with connected client list – can also kill client connections
• User authentication and certificate management
• RADIUS and LDAP authentication support

Captive Portal

• Voucher support added
• Multi-interface capable
• Pass-through MAC bandwidth restrictions
• Custom logout page contents can be uploaded
• Allowed IP addresses bandwidth restrictions
• Allowed IP addresses supports IP subnets
• “Both” direction added to Allowed IP addresses
• Pass-through MAC Auto Entry - upon successful authentication, a pass-through MAC entry can be automatically added.
• Ability to configure calling station RADIUS attributes

Wireless

• Virtual AP (VAP) support added
• More wireless cards supported with the FreeBSD 8.1 base

Server Load Balancing

• relayd and its more advanced capabilities replace slbd.

Other

• L2TP VPN added
• DNS lookup page added
• PFTop and Top in GUI - realtime updates
• Config History now includes a diff feature
• Config History has download buttons for prior versions
• Config History has mouseover descriptions
• CLI filter log parser (/usr/local/bin/filterparser)
• Switched to PHP 5.2.x
• IGMP proxy added
• Multiple Dynamic DNS account support, including full multi-WAN support and multi-accounts on each interface.
  – DynDNS Account Types supported are: DNS-O-Matic, DynDNS (dynamic), DynDNS (static), DynDNS (custom), DHS, DyNS, easyDNS, No-IP, ODS.org, ZoneEdit, Loopia, freeDNS, DNSexit, OpenDNS, Namecheap.com
• More interface types (VPNs, etc.) available for packet capture
• DNS Forwarder is used by the firewall itself for DNS resolution (configurable) so the firewall benefits from faster resolution via multiple concurrent queries, sees all DNS overrides/DHCP registrations, etc.
• DHCP Server can now handle arbitrary numbered options, rather than only options present in the GUI.
• Automatic update now also works for NanoBSD as well as full installs
• More configuration sections can be synchronized via XMLRPC between CARP nodes.
CHAPTER FOUR

PRODUCT MANUALS

The pfSense Security Gateway Manuals help those who purchased appliances from Netgate get started with a new device running pfSense® software, or help get it back up and running in the case that something breaks. Below is a list of active appliances:

• All Manuals
• Amazon AWS
• Microsoft Azure
• Netgate 1100
• Netgate 2100
• Netgate 3100
• Netgate 4100
• Netgate 5100
• Netgate 6100
• Netgate 7100
• Netgate 7100 1U
• Netgate 8200
• Netgate 1537
• Netgate 1541
CHAPTER FIVE

NETWORKING CONCEPTS

5.1 Understanding Public and Private IP Addresses

5.1.1 Private IP Addresses

The network standard RFC 1918 defines reserved IPv4 subnets for use only in private networks (Table RFC 1918 Private IP Address Space). RFC 4193 defines Unique Local Addresses (ULA) for IPv6 (Table RFC 4193 Unique Local Address Space). In most environments, a private IP subnet from RFC 1918 is chosen and used on all internal network devices. The devices are then connected to the Internet through a firewall or router implementing Network Address Translation (NAT) software, such as pfSense® software. With IPv6, internal hosts are normally given Global Unicast Addresses (GUA) and are routed to the Internet directly, without NAT. NAT will be explained further in Network Address Translation.

Table 1: RFC 1918 Private IP Address Space

CIDR Range        IP Address Range
10.0.0.0/8        10.0.0.0 - 10.255.255.255
172.16.0.0/12     172.16.0.0 - 172.31.255.255
192.168.0.0/16    192.168.0.0 - 192.168.255.255

Table 2: RFC 4193 Unique Local Address Space

Prefix     IP Address Range
fc00::/7   fc00:: - fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

A complete list of special-use IPv4 networks may be found in RFC 3330 (since superseded by RFC 5735). Some blocks that were once unallocated and were occasionally misused as if they were private space, such as 1.0.0.0/8 and 2.0.0.0/8, have since been allocated from the dwindling IPv4 pool and are in use on the public Internet. Using these addresses internally is problematic and not recommended, because hosts would lose the ability to reach the legitimate holders of those addresses. Also, avoid using 169.254.0.0/16, which according to RFC 3927 is reserved for “Link-Local” auto configuration. It should not be assigned by DHCP or set manually, and routers will not allow packets from that subnet to traverse outside a specific broadcast domain. There is sufficient address space set aside by RFC 1918, so there is no need to deviate from the list shown in Table RFC 1918 Private IP Address Space. Improper addressing will result in network failure and should be corrected.
5.1.2 Public IP Addresses

With the exception of the largest networks, public IP addresses are assigned by Internet Service Providers. Networks requiring hundreds or thousands of public IP addresses commonly have address space assigned directly from their Regional Internet Registry (RIR). An RIR is an organization that oversees allocation and registration of public IP addresses in a designated region of the world.

Most residential Internet connections are assigned a single public IPv4 address. Most business class connections are assigned multiple public IP addresses. A single public IP address is adequate in many circumstances and can be used in conjunction with NAT to connect hundreds of privately addressed systems to the Internet. This documentation will assist in determining the number of public IP addresses required.

Most IPv6 deployments will give the end user at least a /64 prefix network to use as a routed internal network. For each site, this is roughly 2^64 IPv6 addresses, or 18 quintillion addresses, fully routed from the Internet with no need for NAT.

5.1.3 Reserved and Documentation Addresses

In addition to blocks defined in RFC 1918, RFC 5735 describes blocks reserved for other special purposes such as documentation, testing, and benchmarking. RFC 6598 updates RFC 5735 and defines address space for Carrier-grade NAT as well. These special networks include:

Table 3: RFC 5735 Reserved Address Space

CIDR Range        Purpose
192.0.2.0/24      Documentation and example code
198.51.100.0/24   Documentation and example code
203.0.113.0/24    Documentation and example code
198.18.0.0/15     Benchmarking network devices
100.64.0.0/10     Carrier-grade NAT space

The documentation uses examples with addresses from the above documentation ranges as well as RFC 1918 networks since they are more familiar to users. Some find these addresses tempting to use for VPNs or even local networks. Though the best practice is to only use them for their intended purposes, they are much less likely to be seen “in the wild” than RFC 1918 networks. The carrier-grade NAT block 100.64.0.0/10 deserves particular care: an ISP may already be using it on the WAN side of a customer connection, so reusing it internally can produce an address conflict with the upstream network.

5.2 IP Subnetting Concepts

When configuring TCP/IP settings on a device, a subnet mask (or prefix length for IPv6) must be specified. This mask enables the device to determine which IP addresses are on the local network, and which must be reached by a gateway in the routing table. The default LAN IP address of 192.168.1.1 with a mask of 255.255.255.0, or /24 in CIDR notation, has a network address of 192.168.1.0/24. CIDR is discussed in Understanding CIDR Subnet Mask Notation.
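The address rules in 5.1.1 and 5.1.3 (RFC 1918 and RFC 4193 space is fine for internal use; link-local, documentation, benchmarking and carrier-grade NAT ranges are not; everything else belongs to someone on the public Internet) and the local-versus-gateway decision in 5.2 are mechanical enough to encode. The following Python is an added example, not part of this documentation or of pfSense, that applies those rules with the standard library `ipaddress` module. The range list mirrors the tables above; the category labels and the function names are this example's own.

```python
import ipaddress

# Special-purpose ranges from sections 5.1.1 and 5.1.3. The CIDR blocks come
# from the RFCs named in the text; the labels are this example's own.
SPECIAL_RANGES = [
    ("RFC 1918 private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("RFC 4193 unique local (IPv6)", ["fc00::/7"]),
    ("RFC 3927 link-local", ["169.254.0.0/16"]),
    ("RFC 5735 documentation", ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("RFC 5735 benchmarking", ["198.18.0.0/15"]),
    ("RFC 6598 carrier-grade NAT", ["100.64.0.0/10"]),
    ("loopback", ["127.0.0.0/8", "::1/128"]),
]
INTERNAL_OK = {"RFC 1918 private", "RFC 4193 unique local (IPv6)"}


def classify(address):
    """Name the special-purpose block an address falls in, or report it as
    public space. Works for IPv4 and IPv6; mismatched families never match."""
    ip = ipaddress.ip_address(address)
    for label, cidrs in SPECIAL_RANGES:
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if net.version == ip.version and ip in net:
                return label
    return "public / globally routable"


def check_internal_address(address):
    """Return (acceptable, reason) for assigning `address` on an internal
    network, following the guidance in 5.1.1 and 5.1.3: only RFC 1918 and
    RFC 4193 space is acceptable; link-local, documentation, benchmarking and
    CGNAT blocks are reserved for other uses; any remaining address is public
    space that is in use on the Internet."""
    label = classify(address)
    return (label in INTERNAL_OK), label


def next_hop(host_cidr, destination):
    """Section 5.2: a destination inside the host's own subnet is delivered
    directly on the local segment; anything else goes to the gateway."""
    iface = ipaddress.ip_interface(host_cidr)   # e.g. "192.168.1.10/24"
    dst = ipaddress.ip_address(destination)
    return "direct" if dst in iface.network else "gateway"


def audit_plan(addresses):
    """Report every address in a proposed internal plan that is not
    acceptable, with the reason. Constructed input is used in __main__."""
    return [(a, why) for a in addresses
            for ok, why in [check_internal_address(a)] if not ok]


if __name__ == "__main__":
    # Constructed sample plan for this example.
    plan = ["10.70.64.1", "192.168.1.1", "169.254.10.5", "100.64.0.1",
            "1.2.3.4", "fd12:3456::1", "203.0.113.9"]
    for addr, why in audit_plan(plan):
        print(f"reject {addr:16} {why}")
    print(next_hop("192.168.1.10/24", "192.168.1.200"),
          next_hop("192.168.1.10/24", "8.8.8.8"))
```

Running the script rejects the link-local, CGNAT, public and documentation entries in the constructed plan and keeps the RFC 1918 and ULA ones; the last line prints `direct gateway`, the two outcomes section 5.2 describes.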
5.3 IP Address, Subnet and Gateway Configuration

The TCP/IP configuration of a host consists of the address, subnet mask (or prefix length for IPv6) and gateway. A host identifies which IP addresses are on its local network by using the IP address combined with the subnet mask. A host sends packets for addresses outside the local network to the host’s configured default gateway, which it assumes will pass the traffic on to the desired destination. An exception to this rule is a static route, which instructs a device to reach specific non-local subnets via locally connected routers. This list of gateways and static routes is kept in the routing table of each host. To see the routing table used by pfSense® software, see Route Table Contents.

See also:
More information about routing can be found in Routing.

In a typical deployment of pfSense software, hosts on the LAN are assigned an IP address, subnet mask and gateway within the LAN range of the firewall running pfSense software. The LAN IP address on the firewall becomes the default gateway for hosts on the LAN. For hosts connecting by an interface other than LAN, use the appropriate configuration for the interface to which the device is connected.

Hosts within a single network communicate directly with each other without involvement from the gateway. This means that no firewall, including one running pfSense software, can control host-to-host communication within a network segment. If this functionality is a requirement, hosts must be segmented via the use of multiple switches, VLANs, or equivalent switch functionality like PVLAN.

See also:
VLANs are covered in Virtual LANs (VLANs).

5.4 Understanding CIDR Subnet Mask Notation

pfSense® software uses CIDR (Classless Inter-Domain Routing) notation rather than the common subnet mask 255.x.x.x when configuring addresses and networks.
Refer to the CIDR Subnet Table to find the CIDR equivalent of a decimal subnet mask.

Table 4: CIDR Subnet Table

Subnet Mask        CIDR Prefix   Total IP Addresses   Usable IP Addresses   Number of /24 networks
255.255.255.255    /32           1                    1                     1/256th
255.255.255.254    /31           2                    2*                    1/128th
255.255.255.252    /30           4                    2                     1/64th
255.255.255.248    /29           8                    6                     1/32nd
255.255.255.240    /28           16                   14                    1/16th
255.255.255.224    /27           32                   30                    1/8th
255.255.255.192    /26           64                   62                    1/4th
255.255.255.128    /25           128                  126                   1/2
255.255.255.0      /24           256                  254                   1
255.255.254.0      /23           512                  510                   2
255.255.252.0      /22           1024                 1022                  4
255.255.248.0      /21           2048                 2046                  8
255.255.240.0      /20           4096                 4094                  16
255.255.224.0      /19           8192                 8190                  32
255.255.192.0      /18           16,384               16,382                64
255.255.128.0      /17           32,768               32,766                128
255.255.0.0        /16           65,536               65,534                256
255.254.0.0        /15           131,072              131,070               512
255.252.0.0        /14           262,144              262,142               1024
255.248.0.0        /13           524,288              524,286               2048
255.240.0.0        /12           1,048,576            1,048,574             4096
255.224.0.0        /11           2,097,152            2,097,150             8192
255.192.0.0        /10           4,194,304            4,194,302             16,384
255.128.0.0        /9            8,388,608            8,388,606             32,768
255.0.0.0          /8            16,777,216           16,777,214            65,536
254.0.0.0          /7            33,554,432           33,554,430            131,072
252.0.0.0          /6            67,108,864           67,108,862            262,144
248.0.0.0          /5            134,217,728          134,217,726           524,288
240.0.0.0          /4            268,435,456          268,435,454           1,048,576
224.0.0.0          /3            536,870,912          536,870,910           2,097,152
192.0.0.0          /2            1,073,741,824        1,073,741,822         4,194,304
128.0.0.0          /1            2,147,483,648        2,147,483,646         8,388,608
0.0.0.0            /0            4,294,967,296        4,294,967,294         16,777,216

Note: The use of /31 networks is a special case defined by RFC 3021 where the two IP addresses in the subnet are usable for point-to-point links to conserve IPv4 address space. Not all operating systems support RFC 3021, so use it with caution. On systems that do not support RFC 3021, the subnet is unusable because the only two addresses defined by the subnet mask are the network address and the broadcast address, leaving no usable host addresses. pfSense software supports the use of /31 networks for interfaces and Virtual IP addresses.

5.4.1 Where do CIDR numbers come from?

The CIDR number comes from the number of ones in the subnet mask when converted to binary. The subnet mask 255.255.255.0 is 11111111.11111111.11111111.00000000 in binary. This adds up to 24 consecutive ones, or /24 (pronounced “slash twenty four”). A subnet mask of 255.255.255.192 is 11111111.11111111.11111111.11000000 in binary, or 26 ones, hence /26.

5.5 CIDR Summarization

In addition to specifying subnet masks, CIDR can also be employed for IP or network summarization purposes.
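The conversion in 5.4.1 (count the leading one bits of the mask) and the Total/Usable/“Number of /24 networks” columns of the CIDR Subnet Table can be computed rather than looked up, and computing them also gives a place to enforce the rule the table leaves implicit: a mask is only valid if its ones are contiguous. The following Python is an added example, not code from this documentation or from pfSense; it uses the standard library `ipaddress` and `fractions` modules, and the function names are this example's own. The /31 and /32 rows are handled as special cases exactly as the note above describes.

```python
import ipaddress
from fractions import Fraction


def is_contiguous_mask(mask):
    """True if `mask` is a run of one bits followed by a run of zero bits.
    255.255.255.0 qualifies; 255.0.255.0 does not (non-contiguous masks
    are not valid CIDR masks even though some stacks accept them)."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Section 5.4.1: the CIDR prefix is the number of one bits in the mask."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def prefix_to_mask(prefix):
    """Inverse of mask_to_prefix: /23 -> 255.255.254.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def address_counts(prefix):
    """(total, usable) host addresses for an IPv4 prefix, reproducing the
    Total and Usable columns of the CIDR Subnet Table."""
    total = 2 ** (32 - prefix)
    if prefix == 32:
        usable = 1            # a single host address
    elif prefix == 31:
        usable = 2            # RFC 3021 point-to-point: nothing reserved
    else:
        usable = total - 2    # network and broadcast addresses are reserved
    return total, usable


def slash24_count(prefix):
    """'Number of /24 networks' column as an exact fraction: /32 -> 1/256."""
    return Fraction(2 ** 24, 2 ** prefix)


def host_range(cidr):
    """(first usable, last usable) for a network, honouring the /31 and /32
    special cases. Accepts a host address with a prefix, e.g. 192.168.1.1/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def table_row(prefix):
    """One row of Table 4 computed from the prefix alone."""
    total, usable = address_counts(prefix)
    return (prefix_to_mask(prefix), f"/{prefix}", total, usable, slash24_count(prefix))


if __name__ == "__main__":
    for p in (32, 31, 30, 26, 24, 22, 16):
        mask, cidr, total, usable, n24 = table_row(p)
        print(f"{mask:16} {cidr:5} {total:>11,} {usable:>11,} {str(n24):>10}")
    print(mask_to_prefix("255.255.255.192"), host_range("192.168.1.1/24"))
```

The `__main__` block reprints a handful of table rows from the formulas; feeding `mask_to_prefix` a mask typed by hand (the place where a non-contiguous mask such as 255.255.0.255 usually sneaks in) raises an error instead of yielding a plausible-looking but wrong prefix.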
The “Total IP Addresses” column in the CIDR Subnet Table indicates how many addresses are summarized by a given CIDR mask. For network summarization purposes, the “Number of /24 networks” column is useful. CIDR summarization can be used in several parts of the pfSense® web interface, including firewall rules, NAT, virtual IPs, IPsec, and static routes.

IP addresses or networks that can be contained within a single CIDR mask are known as “CIDR summarizable”. When designing a network, ensure all private IP subnets in use at a particular location are CIDR summarizable. For example, if three /24 subnets are required at one location, a /22 network subnetted into four /24 networks should be used. The following table shows the four /24 subnets used with the subnet 10.70.64.0/22.
Table 5: CIDR Route Summarization

10.70.64.0/22 split into /24 networks
  10.70.64.0/24
  10.70.65.0/24
  10.70.66.0/24
  10.70.67.0/24

This keeps routing more manageable for multi-site networks connected to another physical location via a private WAN circuit or VPN. With CIDR summarizable subnets, one route destination covers all the networks at each location. Without it, there are several different destination networks per location.

The previous table was developed using a network calculator found at the subnetmask.info website. The calculator converts from dotted decimal to CIDR mask, and vice versa, as shown in Figure Subnet Mask Converter. If the CIDR Subnet Table provided in this chapter is not available, this tool can be used to convert a CIDR prefix to dotted decimal notation. Enter a CIDR prefix or a dotted decimal mask and click the appropriate Calculate button to find the conversion.

Fig. 1: Subnet Mask Converter

Enter the dotted decimal mask into the Network/Node Calculator section along with one of the /24 networks. Click Calculate to populate the bottom boxes with the range covered by that particular /24, as demonstrated in Figure Network/Node Calculator. In this example, the network address is 10.70.64.0/22, and the usable /24 networks are 64 through 67. The term “Broadcast address” in this table refers to the highest address within the range.

Fig. 2: Network/Node Calculator
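The mask-to-prefix rule, the Total/Usable/Number-of-/24s columns and the summarization check above, as an added example in Python (not code from the pfSense documentation or project); it also performs the x.x.x.x-y.y.y.y range to CIDR block conversion that Network type aliases do. Only the standard library is used; the "count the ones" rule is written out explicitly so that a non-contiguous mask is caught.

```python
"""CIDR mask conversion and route summarization helpers.

Added example; this is not code from the pfSense documentation or project.
Only the Python standard library is used; the bit counting is written out so
the "number of ones in the mask" rule from the text is visible.
"""
from __future__ import annotations

import ipaddress


def mask_to_prefix(mask: str) -> int:
    """CIDR prefix length of a dotted-decimal IPv4 mask: the count of one bits.

    A mask whose one bits are not contiguous (e.g. 255.0.255.0) is not a valid
    CIDR mask, so it is rejected instead of silently producing a prefix.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    # Rebuild the mask from the count; it only matches if the ones are contiguous.
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if contiguous != value:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length (the reverse lookup in Table 4)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def address_counts(prefix: int) -> tuple[int, int]:
    """(total, usable) addresses for a prefix, as in the Total/Usable columns.

    /32 is a single host and /31 is the RFC 3021 point-to-point case where both
    addresses are usable; any larger subnet loses the network (null route) and
    broadcast addresses.
    """
    total = 2 ** (32 - prefix)
    return (total, total) if prefix >= 31 else (total, total - 2)


def slash24_count(prefix: int) -> float:
    """Number of /24 networks covered by a prefix (fractional beyond /24)."""
    return 2.0 ** (24 - prefix)


def summarize(networks: list[str]) -> tuple[ipaddress.IPv4Network, bool]:
    """Smallest single CIDR block containing every network in the list.

    The flag is True when the block is filled exactly by the inputs, i.e. the
    set is CIDR summarizable with no spare space, and False when the covering
    block also contains addresses outside the inputs (three /24s need a /22).
    """
    nets = [ipaddress.IPv4Network(n, strict=True) for n in networks]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()  # widen by one bit until all fit
    exact = sum(n.num_addresses for n in nets) == covering.num_addresses
    return covering, exact


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Minimal CIDR blocks for an x.x.x.x-y.y.y.y range, the conversion that
    a Network type alias performs on a range."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(b) for b in blocks]
```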
5.5.1 Finding a matching CIDR network

IPv4 ranges in the format x.x.x.x-y.y.y.y are supported in Aliases. For Network type aliases, an IPv4 range is automatically converted to the equivalent set of CIDR blocks. For Host type aliases, a range is converted to a list of IPv4 addresses. See Aliases for more information. If an exact match isn’t necessary, numbers can be entered into the Network/Node Calculator to approximate the desired summarization.

5.6 Broadcast Domains

A broadcast domain is the portion of a network sharing the same layer 2 segment. Broadcast messages from hosts are sent to every port in their broadcast domain, thus hosts inside a broadcast domain can reach each other directly. For example, hosts can use ARP or NDP to locate neighbors within a broadcast domain and communicate directly at layer 2 without involving an intermediate gateway router.

In a network with a single switch without VLANs, the broadcast domain is that entire switch. In a network with multiple interconnected switches without the use of VLANs, the broadcast domain includes all of those switches. When using VLANs, each VLAN is typically its own broadcast domain. The exact size of the broadcast domain in that case varies depending on how many access ports are in the VLAN, along with interconnected switches (trunked, stacked, etc).

Some switches also support special modes which segment a broadcast domain into multiple smaller isolated broadcast domains. This is sometimes called “Private VLANs”, and they are typically used for security purposes. In these modes, hosts can only directly communicate with a specific set of ports, commonly limited to the host and the gateway for the segment, even if they are part of a subnet with many other hosts. This is similar in concept to wireless AP client isolation.
Since broadcast messages are sent to every port in the broadcast domain, large broadcast domains should be avoided as they are “noisy” and do not scale well. Depending on the type of broadcast messages, some switches can optimize this behavior, but it’s best to plan for the worst case. For example, in a network with thousands of ports on a single broadcast domain, thousands of hosts communicating among each other generate large amounts of broadcast traffic which is copied everywhere in the broadcast domain. The best practice is to keep each segment as small as possible, where feasible, to prevent switches and hosts from having to process large amounts of unnecessary broadcast traffic.

A single broadcast domain can contain more than one IPv4 or IPv6 subnet; however, that is generally not considered good network design. Though it appears on the surface that multiple subnets in the same broadcast domain are separate, there is no true isolation or security between them. IP subnets should be segregated into different broadcast domains via the use of separate switches or VLANs. The exception to this is running both IPv4 and IPv6 networks within a single broadcast domain. This is called dual stack and it is a common and useful technique using both IPv4 and IPv6 connectivity for hosts.

Broadcast domains can be combined by bridging two network interfaces together. In this scenario care must be taken to avoid switch loops, where a switch ends up with a connection back to itself, creating an infinite traffic loop (Bridging and Layer 2 Loops). Another reason to avoid bridging is that by combining broadcast domains, both networks and the bridge between them must carry broadcast traffic for every network on the bridge. The increased load, especially for larger networks, can be significant, especially if broadcast domains are being bridged using a VPN.
There are also proxies for certain protocols which do not combine broadcast domains but yield the same net effect, such as a DHCP relay which relays DHCP requests into a broadcast domain on another interface.

See also:

• Bridging
• Bridging and Layer 2 Loops
• Virtual LANs (VLANs)
• Broadcast Domain (Wikipedia)

5.7 IPv6

5.7.1 Basics

IPv6 allows for exponentially more IP address space than IPv4. IPv4 uses a 32-bit address, which allows for 2^32 or over 4 billion addresses, fewer if the sizable reserved blocks and IPs burned by subnetting are removed. IPv6 uses a 128-bit address, which is 2^128 or 3.403 x 10^38 IP addresses. The standard size IPv6 subnet defined by the IETF is a /64, which contains 2^64 IPs, or 18.4 quintillion addresses. The entire IPv4 space can fit inside a typical IPv6 subnet many times over with room to spare.

One of the more subtle improvements with IPv6 is that no IP addresses are lost to subnetting. With IPv4, two IP addresses are lost per subnet to account for a null route and broadcast IP address. In IPv6, broadcast is handled via the same mechanisms used for multicast, involving special addresses sent to the entire network segment. Additional improvements include integrated packet encryption, larger potential packet sizes, and other design elements that make it easier for routers to manage IPv6 at the packet level.

Unlike IPv4, all packets are routed in IPv6 without NAT. Each IP address is directly accessible by another unless stopped by a firewall. This can be a very difficult concept to grasp for people who are used to having their LAN exist with a specific private subnet and then performing NAT to whatever the external address happens to be.

There are fundamental differences in the operation of IPv6 in comparison to IPv4, but mostly they are only that: differences. Some things are simpler than IPv4, others are slightly more complicated, but for the most part it’s simply different. Major differences occur at layer 2 (ARP vs. NDP for instance) and layer 3 (IPv4 vs. IPv6 addressing). The protocols used at higher layers are identical; only the transport mechanism for those protocols has changed.
HTTP is still HTTP, SMTP is still SMTP, etc.

Firewall and VPN Concerns

IPv6 restores the true peer-to-peer connectivity that was originally in place with IPv4, making proper firewall controls even more important. In IPv4, NAT was misused as an additional firewall control. In IPv6, NAT is removed. Port forwards are no longer required in IPv6, so remote access will be handled by firewall rules. Care must be taken to ensure encrypted VPN LAN to LAN traffic is not routed directly to the remote site. See IPv6 VPN and Firewall Rules for a more in-depth discussion on IPv6 firewall concerns with respect to VPN traffic.

5.7.2 Requirements

IPv6 requires an IPv6-enabled network. IPv6 connectivity delivered directly by an ISP is ideal. Some ISPs deploy a dual stack configuration in which IPv4 and IPv6 are delivered simultaneously on the same transport. Other ISPs use tunneling or deployment types to provide IPv6 indirectly. It is also possible to use a third party provider such as Hurricane Electric’s tunnelbroker service.

In addition to the service, software must also support IPv6. pfSense® software has been IPv6-capable since 2.1-RELEASE. Client operating systems and applications must also support IPv6. Many common operating systems and applications support it without problems. Microsoft Windows has supported IPv6 in a production-ready state since 2002, though newer versions handle it much better. macOS has supported IPv6 since 2001 with version 10.1 “PUMA”. Both FreeBSD and Linux support it in the operating system. Most web browsers and mail clients support IPv6, as do recent versions of other common applications. To ensure reliability, it is always beneficial to employ the latest updates.

Some mobile operating systems have varying levels of support for IPv6. Android and iOS both support IPv6, but Android only has support for stateless auto configuration for obtaining an IP address on Wi-Fi and not DHCPv6.
IPv6 is part of the LTE specifications, so any mobile device supporting LTE networks supports IPv6 as well.
5.7.3 IPv6 WAN Types

Details can be found in IPv6 Configuration Types, but some of the most common ways of deploying IPv6 are:

Static Addressing
    Native and using IPv6 either on its own or in a dual stack configuration alongside IPv4.

DHCPv6
    Address automatically obtained by DHCPv6 from an upstream server. Prefix delegation may also be used with DHCPv6 to deliver a routed subnet to a DHCPv6 client.

Stateless address auto configuration (SLAAC)
    Automatically determines the IPv6 address by consulting router advertisement messages and generating an IP address inside a prefix. This is not very useful for a router, as there is no way to route a network for the “inside” of the firewall. It may be useful for appliance modes.

6RD Tunnel
    A method of tunneling IPv6 traffic inside IPv4. This is used by ISPs for rapid IPv6 deployment.

6to4 Tunnel
    Similar to 6RD but with different mechanisms and limitations.

GIF Tunnel
    Not technically a direct WAN type, but commonly used. The customer builds an IPv4 GIF tunnel to a provider to tunnel IPv6 traffic.

While not technically a WAN type, IPv6 connectivity can also be arranged over a VPN such as IPsec, WireGuard, or OpenVPN. Most VPNs are capable of carrying IPv4 and IPv6 traffic simultaneously, so they can deliver IPv6 over IPv4, though with more overhead than a typical tunnel broker that uses GIF. These are good options for a company that has IPv6 at a datacenter or main office but not at a remote location.

5.7.4 Address Format

An IPv6 address consists of 32 hexadecimal digits, in 8 sections of 4 digits each, separated by colons. It looks something like this:

1234:5678:90ab:cdef:1234:5678:90ab:cdef

IPv6 addresses have several shortcuts that allow them to be compressed into smaller strings following certain rules. If there are any leading zeroes in a section, they may be left off.
0001:0001:0001:0001:0001:0001:0001:0001 could be written as 1:1:1:1:1:1:1:1.

Any number of address parts consisting of only zeroes may be compressed by using ::, but this can only be done once in an IPv6 address to avoid ambiguity. A good example of this is localhost, compressing 0000:0000:0000:0000:0000:0000:0000:0001 to ::1. Any time :: appears in an IPv6 address, the values between are all zeroes. An IP address such as fe80:1111:2222:0000:0000:0000:7777:8888 can be represented as fe80:1111:2222::7777:8888.

However, fe80:1111:0000:0000:4444:0000:0000:8888 cannot be shortened using :: more than once. It would either be fe80:1111::4444:0:0:8888 or fe80:1111:0:0:4444::8888, but it cannot be fe80:1111::4444::8888 because there is no way to tell how many zeroes have been replaced by either :: operator.
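The compression rules above, implemented by hand as an added example (not code from the pfSense documentation): expansion back to eight groups rejects a second ::, since the number of zero groups each one stands for is then ambiguous, and compression applies the RFC 5952 convention of replacing the longest (leftmost on a tie) run of zero groups, which yields the first of the two valid forms given in the text. The standard ipaddress module is only used to cross-check the result.

```python
"""IPv6 address expansion and compression, written out to show the rules.

Added example, not part of the pfSense documentation. ``ipaddress`` is used
only to cross-check the hand-written compression.
"""
from __future__ import annotations

import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand(address: str) -> list[str]:
    """Expand any textual IPv6 address into its 8 four-digit hex groups.

    Raises ValueError if '::' appears more than once, because the number of
    zero groups each one stands for would then be ambiguous.
    """
    if address.count("::") > 1:
        raise ValueError(f"{address}: '::' may only appear once")
    if "::" in address:
        head, tail = address.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"{address}: '::' must replace at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = address.split(":")
    if len(groups) != 8:
        raise ValueError(f"{address}: expected 8 groups, got {len(groups)}")
    out = []
    for g in groups:
        # Each group is 1 to 4 hex digits; restore the leading zeroes.
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError(f"{address}: bad group {g!r}")
        out.append(g.lower().zfill(4))
    return out


def compress(address: str) -> str:
    """Shortest form: leading zeroes dropped and the longest run of all-zero
    groups (leftmost on a tie) replaced by one '::'. A run of a single zero
    group is left as '0', per RFC 5952."""
    groups = [g.lstrip("0") or "0" for g in expand(address)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:  # strictly longer, so the leftmost run wins ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """True when two textual forms name the same 128-bit address."""
    return expand(a) == expand(b)


def matches_stdlib(address: str) -> bool:
    """Cross-check: the hand-written compression agrees with ipaddress."""
    return compress(address) == str(ipaddress.IPv6Address(address))
```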
Determining an IPv6 Addressing Scheme

Because of the increased length of the addresses, the vast space provided in even a basic /64 subnet, and the ability to use hexadecimal digits, there is more freedom to design device network addresses.

On servers using multiple IP address aliases for virtual hosts, jails, etc, a useful addressing scheme is to use the seventh section of the IPv6 address to denote the server. Then use the eighth section for individual IPv6 aliases. This groups all of the IPs into a single recognizable host. For example, the server itself would be 2001:db8:1:1::a:1, and then the first IP alias would be 2001:db8:1:1::a:2, then 2001:db8:1:1::a:3, etc. The next server would be 2001:db8:1:1::b:1, and repeats the same pattern.

Some administrators like to have fun with their IPv6 addresses by using hexadecimal letters and number/letter equivalents to make words out of their IP addresses. Lists of hexadecimal words around the web can be used to create more memorable IP addresses such as 2001:db8:1:1::dead:beef.

Decimal vs. Hexadecimal Confusion

Creating consecutive IPv6 addresses with a hexadecimal base may cause confusion. Hexadecimal values are base 16, unlike decimal values which are base 10. For example, the IPv6 address 2001:db8:1:1::9 is followed by 2001:db8:1:1::a, not 2001:db8:1:1::10. By going right to 2001:db8:1:1::10, the values a-f have been skipped, leaving a gap. Consecutive numbering schemes are not required and their use is left to the discretion of the network designer. For some, it is psychologically easier to avoid using the hexadecimal digits. Given that all IPv4 addresses can be expressed in IPv6 format, this issue will arise when designing a dual stack network that keeps one section of the IPv6 address the same as its IPv4 counterpart.

5.7.5 IPv6 Subnetting

IPv6 subnetting is easier than IPv4. It’s also different.
Want to divide or combine a subnet? All that is needed is to add or chop off digits and adjust the prefix length by a multiple of four. No longer is there a need to calculate subnet start/end addresses, usable addresses, the null route, or the broadcast address.

IPv4 had a subnet mask (dotted quad notation) that was later replaced by CIDR masking. IPv6 doesn’t have a subnet mask but instead calls it a Prefix Length, often shortened to “Prefix”. Prefix length and CIDR masking work similarly: the prefix length denotes how many bits of the address define the network in which it exists. Most commonly the prefixes used with IPv6 are multiples of four, as seen in Table IPv6 Subnet Table, but they can be any number between 0 and 128.

Using prefix lengths in multiples of four makes it easier for humans to distinguish IPv6 subnets. All that is required to design a larger or smaller subnet is to adjust the prefix by a multiple of four. For reference, see Table IPv6 Subnet Table listing the possible IPv6 prefixes, as well as how many IP addresses are contained inside of each subnet.

Table 6: IPv6 Subnet Table

Prefix   Subnet Example                            Total IP Addresses                   # of /64 nets
4        x::                                       2^124                                2^60
8        xx::                                      2^120                                2^56
12       xxx::                                     2^116                                2^52
16       xxxx::                                    2^112                                2^48
20       xxxx:x::                                  2^108                                2^44
24       xxxx:xx::                                 2^104                                2^40
28       xxxx:xxx::                                2^100                                2^36
32       xxxx:xxxx::                               2^96                                 4,294,967,296
36       xxxx:xxxx:x::                             2^92                                 268,435,456
40       xxxx:xxxx:xx::                            2^88                                 16,777,216
44       xxxx:xxxx:xxx::                           2^84                                 1,048,576
48       xxxx:xxxx:xxxx::                          2^80                                 65,536
52       xxxx:xxxx:xxxx:x::                        2^76                                 4,096
56       xxxx:xxxx:xxxx:xx::                       2^72                                 256
60       xxxx:xxxx:xxxx:xxx::                      2^68                                 16
64       xxxx:xxxx:xxxx:xxxx::                     2^64 (18,446,744,073,709,551,616)    1
68       xxxx:xxxx:xxxx:xxxx:x::                   2^60 (1,152,921,504,606,846,976)     0
72       xxxx:xxxx:xxxx:xxxx:xx::                  2^56 (72,057,594,037,927,936)        0
76       xxxx:xxxx:xxxx:xxxx:xxx::                 2^52 (4,503,599,627,370,496)         0
80       xxxx:xxxx:xxxx:xxxx:xxxx::                2^48 (281,474,976,710,656)           0
84       xxxx:xxxx:xxxx:xxxx:xxxx:x::              2^44 (17,592,186,044,416)            0
88       xxxx:xxxx:xxxx:xxxx:xxxx:xx::             2^40 (1,099,511,627,776)             0
92       xxxx:xxxx:xxxx:xxxx:xxxx:xxx::            2^36 (68,719,476,736)                0
96       xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::           2^32 (4,294,967,296)                 0
100      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x::         2^28 (268,435,456)                   0
104      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx::        2^24 (16,777,216)                    0
108      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx::       2^20 (1,048,576)                     0
112      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::      2^16 (65,536)                        0
116      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x::    2^12 (4,096)                         0
120      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx::   2^8 (256)                            0
124      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx::  2^4 (16)                             0
128      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx   2^0 (1)                              0

A /64 is a standard size IPv6 subnet as defined by the IETF. It is the smallest subnet that can be used locally if auto configuration is desired. Typically, an ISP assigns a /64 or smaller subnet to establish service on the WAN. An additional network is routed for LAN use. The size of the allocation depends upon the ISP, but it’s not uncommon to see end users receive at least a /64 and even up to a /48. A tunnel service provider such as tunnelbroker.net run by Hurricane Electric will allocate a /48 in addition to a routed /64 subnet and a /64 interconnect.
Assignments larger than /64 usually adopt the first /64 for LAN and subdivide the rest for requirements such as VPN tunnel, DMZ, or a guest network.

Special IPv6 Subnets

Special use networks are reserved in IPv6. A full list of these can be found in the Wikipedia IPv6 article. Six examples of IPv6 special networks and their addresses are shown below in IPv6 Special Networks and Addresses.

Table 7: IPv6 Special Networks and Addresses

Network         Purpose
2001:db8::/32   Documentation prefix used for examples
::1             Localhost
fc00::/7        Unique Local Addresses (ULA) - also known as “Private” IPv6 addresses.
fe80::/10       Link Local addresses, only valid inside a single broadcast domain.
2001::/16       Global Unique Addresses (GUA) - Routable IPv6 addresses.
ff00::0/8       Multicast addresses
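The prefix-length arithmetic of the IPv6 Subnet Table, nibble-aligned subdivision of a delegated allocation (first /64 for LAN, the rest for VPN, DMZ and guest) and a lookup against the special networks of Table 7, as an added example in Python that is not pfSense code. The role names and the 2001:db8 allocations are constructed for illustration; the special-network rows are taken from the table as printed.

```python
"""IPv6 prefix arithmetic, nibble-aligned subnetting and special networks.

Added example, not pfSense code. The role names (LAN, VPN, DMZ, GUEST) and
the 2001:db8 allocations are illustrative; the special networks are the rows
of Table 7 as printed in the text.
"""
from __future__ import annotations

import ipaddress

# Table 7 rows (network, purpose). 2001::/16 is listed as the GUA example
# in the table; classify() returns "other" for addresses outside every row.
SPECIAL_NETWORKS = [
    ("2001:db8::/32", "Documentation prefix"),
    ("::1/128", "Localhost"),
    ("fc00::/7", "Unique Local Address (ULA)"),
    ("fe80::/10", "Link Local"),
    ("2001::/16", "Global Unicast (GUA)"),
    ("ff00::/8", "Multicast"),
]


def subnet_counts(prefix: int) -> tuple[int, int]:
    """(total addresses, number of /64 networks) for a prefix length, the two
    numeric columns of the IPv6 Subnet Table; prefixes longer than /64 hold 0."""
    if not 0 <= prefix <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    total = 2 ** (128 - prefix)
    nets64 = 2 ** (64 - prefix) if prefix <= 64 else 0
    return total, nets64


def carve(allocation: str, new_prefix: int, count: int) -> list[ipaddress.IPv6Network]:
    """First ``count`` subnets of length ``new_prefix`` inside ``allocation``.

    Both prefix lengths must be multiples of four so that the boundary falls
    on a whole hex digit, the convention the text recommends.
    """
    net = ipaddress.IPv6Network(allocation, strict=True)
    if net.prefixlen % 4 or new_prefix % 4:
        raise ValueError("use prefix lengths that are multiples of four")
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the allocation's")
    available = 2 ** (new_prefix - net.prefixlen)
    if count > available:
        raise ValueError(f"only {available} /{new_prefix} networks fit in {net}")
    subnets = net.subnets(new_prefix=new_prefix)
    return [next(subnets) for _ in range(count)]


def plan_delegation(allocation: str) -> dict[str, str]:
    """Apply the text's rule of thumb to an allocation larger than a /64:
    the first /64 becomes LAN, the following /64s serve VPN, DMZ and guest."""
    roles = ["LAN", "VPN", "DMZ", "GUEST"]
    return {role: str(n) for role, n in zip(roles, carve(allocation, 64, len(roles)))}


def classify(address: str) -> str:
    """Purpose of the Table 7 network an address belongs to, longest prefix
    first so 2001:db8::/32 wins over 2001::/16; 'other' if none matches."""
    addr = ipaddress.IPv6Address(address)
    by_length = sorted(SPECIAL_NETWORKS, key=lambda row: -int(row[0].split("/")[1]))
    for cidr, purpose in by_length:
        if addr in ipaddress.IPv6Network(cidr):
            return purpose
    return "other"
```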
Neighbor Discovery

IPv4 hosts find each other on a local segment using ARP broadcast messages, but IPv6 hosts find each other by sending Neighbor Discovery Protocol (NDP) messages. Like ARP, NDP works inside a given broadcast domain to find other hosts inside of a specific subnet. By sending special ICMPv6 packets to reserved multicast addresses, NDP handles the tasks of neighbor discovery, router solicitations, and route redirects similar to IPv4’s ICMP redirects. pfSense® software automatically adds firewall rules on IPv6 enabled interfaces that permit NDP to function. All currently known neighbors on IPv6 can be viewed in the firewall GUI at Diagnostics > NDP Table.

Router Advertisements

IPv6 routers are located through their Router Advertisement (RA) messages instead of by DHCP. IPv6-enabled routers that support dynamic address assignment are expected to announce themselves on the network to all clients and respond to router solicitations. When acting as a client (WAN interfaces), pfSense software accepts RA messages from upstream routers. When acting as a router, pfSense software provides RA messages to clients on its internal networks. See Router Advertisements (Or: “Where is the DHCPv6 gateway option?”) for more details.

Address Allocation

Client addresses can be allocated by static addressing, through SLAAC (Router Advertisements (Or: “Where is the DHCPv6 gateway option?”)), DHCP6 (IPv6 Router Advertisements), or other tunneling methods such as OpenVPN.

DHCP6 Prefix Delegation

DHCP6 Prefix Delegation delivers a routed IPv6 subnet to a DHCP6 client. A WAN type interface can be set to receive a prefix over DHCP6 (DHCP6, Track Interface). A router functioning at the edge of a large network can provide prefix delegation to other routers inside the network (DHCPv6 Prefix Delegation).
5.7.6 IPv6 and NAT

Though IPv6 removes almost any need for NAT, there are rare situations that call for the use of NAT with IPv6, such as Multi-WAN for IPv6 on residential or small business networks. Gone is the traditional type of ugly port translated NAT (PAT) where internal addresses are translated using ports on a single external IP address. It is replaced by a straight network address translation called Network Prefix Translation (NPt). This is available in the pfSense® web configurator under Firewall > NAT on the NPt tab.

NPt translates one prefix to another. So 2001:db8:1111:2222::/64 translates to 2001:db8:3333:4444::/64. Though the prefix changes, the remainder of the address will be identical for a given host on that subnet. For more on NPt, see IPv6 Network Prefix Translation (NPt).

There is a mechanism built into IPv6 to access IPv4 hosts using a special address notation, such as ::ffff:192.168.1.1. The behavior of these addresses can vary between OS and application and is unreliable.
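The prefix swap NPt performs, as an added example in Python (not pfSense code and not its NPt implementation): the bits past the prefix are kept, addresses outside the configured prefix pass untouched, and translating back with the prefixes reversed must return the original address. The prefixes are the two documentation prefixes used in the text.

```python
"""Prefix swap of the kind NPt performs between two /64 prefixes.

Added example; not pfSense code and not its NPt implementation. The 2001:db8
prefixes are the documentation prefixes used in the text.
"""
from __future__ import annotations

import ipaddress


def npt_translate(address: str, source_prefix: str, dest_prefix: str) -> str:
    """Rewrite ``address`` from source_prefix to dest_prefix, leaving the bits
    past the prefix (the host part) untouched. An address that is not inside
    source_prefix is returned unchanged, as a non-matching rule would."""
    src = ipaddress.IPv6Network(source_prefix, strict=True)
    dst = ipaddress.IPv6Network(dest_prefix, strict=True)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt maps between prefixes of equal length")
    addr = ipaddress.IPv6Address(address)
    if addr not in src:
        return str(addr)
    host_bits = int(addr) & int(src.hostmask)  # keep only the host part
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))


def npt_round_trip(address: str, inside: str, outside: str) -> bool:
    """Outbound then inbound translation must give back the original address."""
    outbound = npt_translate(address, inside, outside)
    return npt_translate(outbound, outside, inside) == str(ipaddress.IPv6Address(address))
```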
5.7.7 IPv6 and pfSense Software

Unless noted otherwise, it is safe to assume that IPv6 is supported by pfSense® software in a given area or feature. Some noteworthy areas of pfSense software that do not support IPv6 are: Captive Portal and most DynDNS providers.

Note: On systems upgraded from versions of pfSense software prior to 2.1, IPv6 traffic is blocked by default. To allow IPv6:

• Navigate to System > Advanced on the Networking tab
• Check Allow IPv6
• Click Save

Packages

Some packages are maintained by the community, so IPv6 support varies. In most cases IPv6 support depends upon the capabilities of the underlying software. It is safe to assume a package does not support IPv6 unless otherwise noted. Packages are updated periodically, so it is best to test a package to determine if it supports IPv6.

5.7.8 Controlling IPv6 Preference for traffic from the firewall itself

By default, pfSense® software prefers IPv6 when possible. If IPv6 routing is not functional but the system believes it is, pfSense software may fail to check updates or download packages properly. To change this behavior, pfSense software provides a method in the GUI to control whether services on the firewall prefer IPv4 over IPv6:

• Navigate to System > Advanced on the Networking tab
• Check Prefer to use IPv4 even if IPv6 is available
• Click Save

Once the settings have been saved, the firewall itself will prefer IPv4 for outbound communication.

See also:

• Configuring IPv6 Through A Tunnel Broker Service

Around the world, the availability of new IPv4 addresses is declining. The amount of free space varies by region, but some have already run out of allocations and others are rapidly approaching their limits. As of January 31, 2011, IANA allocated all of its space to regional internet registries (RIRs).
In turn, these RIR allocations have run out in some locations such as APNIC (Asia/Pacific), RIPE (Europe), and LACNIC (Latin America and Caribbean) for /8 networks. Though some smaller allocations are still available, it is increasingly difficult to obtain new IPv4 address space in these regions. ARIN (North America) ran out on September 24th, 2015.

To account for this, IPv6 was created as a replacement for IPv4. Available in some forms since the 1990s, factors like inertia, complexity, and the cost of developing or purchasing compatible routers and software have slowed its uptake until the last few years. Even then, it’s been rather slow, with only 8% of Google users having IPv6 connectivity by July 2015 and slightly over 40% of users in 2022.

Over the years, support for IPv6 in software, operating systems, and routers has improved, so the situation is primed to get better. Still, it is up to ISPs to start delivering IPv6 connectivity to users. It’s a catch-22 situation: Content providers are slow to provide IPv6 because few users have it. Meanwhile, users don’t have it because there isn’t a lot
of IPv6 content and even less content available only over IPv6. Users don’t know they need it, so they don’t demand the service from their ISPs.

Some providers are experimenting with Carrier Grade NAT (CGN) to stretch their IPv4 networks farther. CGN places their IPv4 residential customers behind another layer of NAT, further breaking protocols that already don’t deal well with one layer of NAT. Mobile data providers have been doing this for some time, but the applications typically found on mobile devices aren’t affected since they work as if they’re behind a typical SOHO router style NAT. While solving one problem, it creates others, as observed when CGN is used as a firewall’s WAN, when tethering on a PC, or in some cases when attempting to use a traditional IPsec VPN without NAT-T, or PPTP. ISPs employing CGN should be used only if there is no other choice.

There are many books and web sites available with volumes of in-depth information on IPv6. The Wikipedia article on IPv6 is a great resource for additional information and links to other sources. It’s worth using as a starting point for more information on IPv6. There are also many good books on IPv6 available, but be careful to purchase books with recent revisions. There have been changes to the IPv6 specification over the years and it’s possible that the material could have changed since the book’s printing.

See also: Hangouts Archive to view the July 2015 Hangout on IPv6 Basics

This documentation is not an introduction to networks, but there are certain networking concepts that need to be addressed.

Note: Readers without basic fundamental networking knowledge should locate additional introductory material as this chapter will not adequately provide all necessary information.

IPv6 concepts are introduced later in IPv6. For clarity, traditional IP addresses are referred to as IPv4 addresses.
Except where otherwise noted, most functions will work with either IPv4 or IPv6 addresses. The general term IP address refers to either IPv4 or IPv6.

5.8 Brief introduction to OSI Model Layers

The OSI model has a network framework consisting of seven layers. These layers are listed in hierarchy from lowest to highest. A brief overview of each level is outlined below. More information can be found in many networking texts and on Wikipedia (http://en.wikipedia.org/wiki/OSI_model).

Layer 1 - Physical
    Refers to either electrical or optical cabling that transports raw data to all the higher layers.

Layer 2 - Data Link
    Typically refers to Ethernet or another similar protocol that is being spoken on the wire. This documentation often refers to layer 2 as meaning the Ethernet switches or other related topics such as ARP and MAC addresses.

Layer 3 - Network Layer
    The protocols used to move data along a path from one host to another, such as IPv4, IPv6, routing, subnets etc.

Layer 4 - Transport Layer
    Data transfer between users, typically refers to TCP or UDP or other similar protocols.

Layer 5 - Session Layer
    Manages connections and sessions (typically referred to as “dialogs”) between users, and how they connect and disconnect gracefully.

Layer 6 - Presentation Layer
    Handles any conversions between data formats required by users such as different character sets, encodings, compression, encryption, etc.
Layer 7 - Application Layer
    Interacts with the user or software application, includes familiar protocols such as HTTP, SMTP, SIP, etc.
CHAPTER SIX

HARDWARE

6.1 Minimum Hardware Requirements

The minimum hardware requirements for pfSense® software on hardware not sold by Netgate are:

• 64-bit amd64 (x86-64) compatible CPU
• 1GB or more RAM
• 8 GB or larger disk drive (SSD, HDD, etc)
• One or more compatible network interface cards
• Bootable USB drive or high capacity optical drive (DVD or BD) for initial installation

Note: The minimum requirements are not suitable for all environments; see Hardware Sizing Guidance for details.

6.2 Hardware Selection

The use of open source operating systems with untested hardware may create hardware/software conflicts. Hardware Tuning and Troubleshooting offers tips on resolving various issues.

6.2.1 Preventing hardware headaches

Use Genuine Netgate Hardware

The best practice is to use hardware from the Netgate Store. Netgate hardware has been developed to assure that specific hardware platforms have been thoroughly tested and validated.
Search for the experiences of others

The experiences of others are a valuable source of knowledge which can be found by researching pfSense software and hardware compatibility online, especially on the Netgate Forum. Reports of failure are not necessarily considered definitive because problems can arise from a number of issues other than hardware incompatibility. If the hardware in question is from a major manufacturer, an internet search by make, model, and site:netgate.com will search the Netgate website for relevant user experiences. Searching for the make, model, and pfSense will find user experiences on other websites. Repeating the same search with FreeBSD instead of pfSense can also turn up useful experiences.

6.2.2 Naming Conventions

This documentation refers to the 64-bit hardware architecture as amd64, the architecture designation used by FreeBSD. Intel adopted the architecture created by AMD for x86-64, thus the name amd64 refers to all x86 64-bit CPUs.

Netgate sells ARM appliances compatible with its Plus edition of pfSense software. This hardware is based on the armv6 and armv7 architectures (also called arm) and aarch64 (also called arm64). Items specific to those unique architectures will be called out as necessary. The generic term ARM may be considered to apply to all of these, but only for the specific ARM-based appliances sold by Netgate, such as the 2100 and 3100.

6.3 Hardware Sizing Guidance

When sizing hardware for pfSense® software, required throughput and necessary features are the primary factors that govern hardware selection. The Netgate Store now contains up-to-date specifications and performance data on all hardware sold by Netgate. The data on the Netgate Store is updated as needed and it is always the most accurate and current source of performance data.
Tip: Contact Netgate Sales for personalized help in selecting the most suitable model for any implementation.

Estimating throughput of third party / whitebox hardware is difficult and inaccurate. In some cases, ballpark estimates may be made by comparing hardware specifications with those found on the Netgate Store for comparable models.

6.3.1 Throughput Considerations

In real networks the traffic flow will likely contain packets of varying size, not all maximum size packets, but it completely depends on the environment and the type of traffic involved. IMIX testing attempts to approximate a mixture of traffic that more closely resembles real-world environments. Simple IMIX traffic consists of repeating sets of seven 40-byte packets, four 576-byte packets, and one 1500-byte packet, plus Ethernet framing overhead.

Note: The Netgate Store entries for hardware include data for both maximum packet size (“IPERF3”) as well as results for IMIX traffic patterns.

As a general reference, table 500,000 PPS Throughput at Various Frame Sizes lists a few common packet sizes and the throughput achieved at an example rate of 500,000 packets per second.
Table 1: 500,000 PPS Throughput at Various Frame Sizes

    Frame size    Throughput at 500 Kpps
    64 bytes      244 Mbps
    500 bytes     1.87 Gbps
    1000 bytes    3.73 Gbps
    1500 bytes    5.59 Gbps

Performance difference by network adapter type

The choice of NIC has a significant impact on performance. Inexpensive, low end cards consume significantly more CPU than better quality cards such as those from Intel. The first bottleneck with firewall throughput is the CPU. Throughput improves significantly by using a better quality NIC with slower CPUs. By contrast, increasing the speed of the CPU will not proportionally increase the throughput when coupled with a low quality NIC.

6.3.2 Feature Considerations

Features, services and packages enabled on the firewall can lower the total potential throughput as they consume hardware resources that could otherwise be used to transfer network traffic. This is especially true for packages that intercept or inspect network traffic, such as Snort or Suricata. Most base system features do not significantly factor into hardware sizing but a few can potentially have a considerable impact on hardware utilization.

Large State Tables

Active network connections through the firewall are tracked in the firewall state table. Each connection through the firewall consumes two states: one entering the firewall and one leaving the firewall. For example, if a firewall must handle 100,000 simultaneous web server client connections the state table must be able to hold 200,000 states.

See also: States are covered further in Firewall.

Firewalls in environments which require large numbers of simultaneous states must have sufficient RAM to contain the state table. Each state takes approximately 1 KB of RAM, which makes calculating the memory requirements relatively easy.
Table Large State Table RAM Consumption provides a guideline for the amount of memory required for larger state table sizes. This is solely the memory used for state tracking. The operating system itself along with other services will require at least 175-256 MB additional RAM and possibly more depending on the features used.

Table 2: Large State Table RAM Consumption

    States       Connections    RAM Required
    100,000      50,000         ~97 MB
    500,000      250,000        ~488 MB
    1,000,000    500,000        ~976 MB
    3,000,000    1,500,000      ~2900 MB
    8,000,000    4,000,000      ~7800 MB

It is safer to overestimate the requirements. Based on the information above, a good estimate would be that 100,000 states consume about 100 MB of RAM, or that 1,000,000 states would consume about 1 GB of RAM.
VPN (all types)

The question customers typically ask about VPNs is “How many connections can my hardware handle?” That is a secondary factor in most deployments and is of lesser consideration. That metric is a relic of how other vendors have licensed VPN capabilities in the past and has no specific direct equivalent in pfSense software. The primary consideration in hardware sizing for VPN is the potential throughput of VPN traffic.

Encrypting and decrypting network traffic with all types of VPNs is CPU intensive. pfSense software offers several cipher options for use with IPsec. The various ciphers perform differently and the maximum throughput of a firewall is dependent on the cipher used and whether or not that cipher can be accelerated by the hardware.

See also: The Netgate Store contains VPN performance data for each device sold by Netgate using the most optimal cipher for each device based on its capabilities.

Hardware cryptographic accelerators, such as those found on most Netgate hardware, greatly increase maximum VPN throughput and largely eliminate the performance difference between accelerated ciphers. For IPsec, ciphers may be accelerated by onboard cryptographic accelerators. For example, AES-GCM is accelerated by AES-NI and it is faster not only for that reason, but also because it does not require a separate authentication algorithm. IPsec also has less per-packet operating system processing overhead than OpenVPN, so for the time being IPsec will nearly always be faster than OpenVPN.

Where high VPN throughput is a requirement for a firewall, hardware cryptographic acceleration is of utmost importance to ensure not only fast transmission speeds but also reduced CPU overhead. The reduction in CPU overhead means the VPN will not lower the performance of other services on the firewall.
The current best available acceleration is available by using pfSense Plus software on hardware with a QAT device, or failing that, a CPU which includes AES-NI support combined with AES-GCM in IPsec.

Packages

Certain packages have a significant impact on hardware requirements, and their use must be taken into consideration when selecting hardware.

Snort/Suricata

Snort and Suricata are pfSense software packages for network intrusion detection. Depending on their configuration, they can require a significant amount of RAM. 1 GB should be considered a minimum but some configurations may need 2 GB or more, not counting RAM used by the operating system, firewall states, and other packages. Suricata is multi-threaded and can potentially take advantage of NETMAP for inline IPS if the hardware offers support.

6.4 Hardware Tuning and Troubleshooting

The underlying operating system beneath pfSense® software can be fine-tuned in several ways. A few of these tunables are available under Advanced Options (see System Tunables Tab). Others are outlined in the FreeBSD man page tuning(7).

The default installation includes a well-rounded set of values tuned for good performance without being overly aggressive. There are cases where hardware or drivers necessitate changing values or a specific network workload requires changes to perform optimally.

The hardware sold in the Netgate Store is tuned further since Netgate has detailed knowledge of the hardware, removing the need to rely on more general assumptions.
Note: Changes in /boot/loader.conf.local require a firewall reboot to take effect.

• General Issues
  – Mbuf Exhaustion
  – Disable MSIX
  – PPPoE with Multi-Queue NICs
  – TSO/LRO
  – IP Input Queue (intr_queue)
• Card-Specific Issues
  – Broadcom bce(4) Cards
  – Broadcom bge(4) Cards
  – Chelsio cxgbe(4) Cards
  – Intel igb(4) and em(4) Cards
  – Intel ix(4) Cards
  – VMware vmx(4) Interfaces
  – Flow Control

6.4.1 General Issues

Mbuf Exhaustion

A common problem encountered by users of commodity hardware is mbuf exhaustion. To oversimplify, “mbufs” are network memory buffers; portions of RAM set aside for use by networking for moving data around. The count of active mbufs is shown on the dashboard and is tracked by a graph under Status > Monitoring.

See also: For details on mbufs and monitoring mbuf usage, see Mbuf Clusters.

If the firewall runs out of mbufs, it can lead to a kernel panic and reboot under certain network loads that exhaust all available network memory buffers. In certain cases this condition can also result in expected interfaces not being initialized and made available by the operating system. This is more common with NICs that use multiple queues or are otherwise optimized for performance over resource usage. Additionally, mbuf usage increases when the firewall is using certain features such as Limiters.

To increase the amount of mbufs available, add the following to /boot/loader.conf.local:

    kern.ipc.nmbclusters="1000000"

On 64 bit systems with multiple GB of RAM, 1 million (1000000) mbuf clusters is a safe starting point. Should mbuf clusters become fully allocated, that would consume about 2.3 GB of physical memory:

    1000000 memory buffer clusters available × (2048 bytes per cluster + 256 bytes per memory buffer)
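The following added example (not part of the pfSense documentation) applies the cluster memory formula above and writes kern.ipc.nmbclusters into /boot/loader.conf.local without leaving a duplicate entry. The helper names and the temporary-file approach are my own; the per-cluster, per-mbuf and per-state figures are the ones quoted in this chapter.

```shell
#!/bin/sh
# Added example, not part of the pfSense documentation: size the memory a
# kern.ipc.nmbclusters setting can consume and write it (or any other loader
# tunable) into /boot/loader.conf.local without leaving duplicate entries.
# Function names are assumptions; the per-cluster, per-mbuf and per-state
# figures are the ones quoted in this chapter.

# mbuf_cluster_ram_mib <nmbclusters>
# Worst case when every cluster is allocated: 2048 bytes per cluster plus
# 256 bytes for its mbuf header. 1000000 clusters -> 2197 MiB (~2.3 GB).
mbuf_cluster_ram_mib() {
    echo $(( $1 * (2048 + 256) / (1024 * 1024) ))
}

# state_table_ram_mib <states>
# About 1 KB per firewall state, matching the Large State Table RAM table.
state_table_ram_mib() {
    echo $(( $1 * 1024 / (1024 * 1024) ))
}

# get_loader_tunable <file> <name>
# Prints the configured value (quotes stripped) or nothing if not set.
get_loader_tunable() {
    [ -f "$1" ] || return 1
    awk -F'=' -v n="$2" '$1 == n { gsub(/"/, "", $2); print $2 }' "$1"
}

# set_loader_tunable <file> <name> <value>
# Drops any earlier name="..." line and appends the new one, so repeated
# runs never leave conflicting duplicates. Remember that loader.conf.local
# changes only take effect after a reboot.
set_loader_tunable() {
    file=$1 name=$2 value=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        # keep every line that does not start with "<name>="
        awk -v n="$name" 'index($0, n "=") != 1' "$file" > "$tmp"
    fi
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Typical use on the firewall (run as root), raising mbuf clusters as the
# Mbuf Exhaustion section suggests:
#   set_loader_tunable /boot/loader.conf.local kern.ipc.nmbclusters 1000000
```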
The amount of available clusters can be reduced for systems with low amounts of physical RAM, or increased further as needed, as long as the value does not exceed available kernel memory. Some network interfaces may need other similar values raised such as kern.ipc.nmbjumbop.

In addition to the graphs mentioned above, check the output of the command netstat -m to verify if any areas are near exhaustion.

Disable MSIX

Message Signaled Interrupts are an alternative to classic style Interrupts for retrieving data from hardware. Some cards behave better with MSI, MSIX, or classic style Interrupts, but the card will try the best available choice (MSIX, then MSI, then Interrupts). MSIX and MSI can be disabled via loader tunables. Add the following to /boot/loader.conf.local:

    hw.pci.enable_msix="0"
    hw.pci.enable_msi="0"

To nudge the card to use MSI, disable only MSIX. To nudge the card to use regular Interrupts, disable both MSI and MSIX.

PPPoE with Multi-Queue NICs

Network cards which support multiple queues rely on hashing to assign traffic to a particular queue. This works well with IPv4/IPv6 TCP and UDP traffic, for example, but fails with other protocols such as those used for PPPoE. This can lead to a network card under-performing with the default network settings, as noted in #4821 and FreeBSD PR 203856.

This problem primarily affects systems with multiple CPUs and/or CPU cores, as those are the systems which benefit most from multiple NIC queues.

Adding a System Tunable or loader.conf.local entry for net.isr.dispatch=deferred can lead to performance gains on affected hardware.

Tuning the values of net.isr.maxthreads and net.isr.numthreads may yield additional performance gains. Generally these are best left at default values matching the number of CPU cores, but depending on the workload may work better at lower values.
Warning: In the past, deferred mode has led to issues on 32-bit platforms, such as crashes/panics, especially with ALTQ. There have been no recent reports, however, so it should be safe on current releases.

TSO/LRO

The settings for Hardware TCP Segmentation Offload (TSO) and Hardware Large Receive Offload (LRO) under System > Advanced on the Networking tab default to checked (disabled) for good reason. Nearly all hardware/drivers have issues with these settings, and they can lead to throughput issues. Ensure the options are checked. Sometimes disabling via sysctl is also necessary. Add the following to /boot/loader.conf.local:

    net.inet.tcp.tso="0"
IP Input Queue (intr_queue)

This will show the current setting:

    sysctl net.inet.ip.intr_queue_maxlen

However, in heavily loaded installations this may not be enough. Here is how to check:

    sysctl net.inet.ip.intr_queue_drops

If the above shows values above 0, try doubling the current value of net.inet.ip.intr_queue_maxlen. For example:

    sysctl net.inet.ip.intr_queue_maxlen="3000"

Keep performing the above until the point is found where drops are eliminated without any adverse effects. Afterwards, add an entry under System > Advanced, System Tunables tab to set net.inet.ip.intr_queue_maxlen to 3000.

6.4.2 Card-Specific Issues

Broadcom bce(4) Cards

Several users have noted issues with certain Broadcom network cards, especially those built into Dell hardware. If bce interfaces are behaving erratically, dropping packets, or causing crashes, then the following tweaks may help. Add the following to /boot/loader.conf.local:

    kern.ipc.nmbclusters="1000000"
    hw.bce.tso_enable="0"
    hw.pci.enable_msix="0"

That will increase the amount of network memory buffers, disable TSO directly, and disable MSIX.

Packet loss with many (small) UDP packets

If a lot of packet loss is observed with UDP on bce cards, try changing the netisr settings. These can be set as system tunables under System > Advanced, on the System Tunables tab. On that page, add two new tunables:

    net.isr.direct_force="1"
    net.isr.direct="1"

Broadcom bge(4) Cards

See above, but change “bce” to “bge” in the setting names.
Chelsio cxgbe(4) Cards

It is possible to disable the allocation of resources that are not related to the router so that the network adapter can use its entire set of resources for the corresponding functions. Add the following to /boot/loader.conf.local:

    hw.cxgbe.toecaps_allowed="0"
    hw.cxgbe.rdmacaps_allowed="0"
    hw.cxgbe.iscsicaps_allowed="0"
    hw.cxgbe.fcoecaps_allowed="0"

Intel igb(4) and em(4) Cards

Certain Intel igb cards, especially multi-port cards, can easily exhaust mbufs and cause kernel panics. The following tweak will prevent this from being an issue. Add the following to /boot/loader.conf.local:

    kern.ipc.nmbclusters="1000000"

That will increase the amount of network memory buffers, allowing the driver enough headroom for its optimal operation.

Intel ix(4) Cards

In /boot/loader.conf.local:

    kern.ipc.nmbclusters="1000000"
    kern.ipc.nmbjumbop="524288"

As a sysctl (system tunable):

    hw.intr_storm_threshold="10000"

VMware vmx(4) Interfaces

VMware VMXNET interfaces support multiple queues when using MSI-X. Multiple queues enable network performance to scale with the number of vCPUs and allow for parallel packet processing. Transmit and Receive descriptors may also be increased to help with throughput. Edit or create /boot/loader.conf.local and add the following content:

Note: Some options have a separate set of tunables for each individual network interface. In these cases, replace <id> with the device ID such as 0, 1, etc. where the ID number matches the interface number. For example, tunables for vmx3 are under dev.vmx.3.

    hw.pci.honor_msi_blacklist="0"
    dev.vmx.<id>.iflib.override_ntxds="0,4096"
    dev.vmx.<id>.iflib.override_nrxds="0,2048,0"

Save the file, then reboot and check the change with dmesg | grep -Eiw 'descriptors|queues' at a command prompt.
Flow Control

In some circumstances, flow control may need to be disabled. The exact method depends on the hardware involved, as in the following examples.

These example entries go in /boot/loader.conf.local:

cxgbe(4)
    hw.cxgbe.pause_settings="0"
ixgbe(4) (aka ix)
    hw.ix.flow_control="0"

These example entries go in System > Advanced, on the System Tunables tab (System Tunables Tab):

Note: Some options have a separate set of tunables for each individual network interface. In these cases, replace <id> with the device ID such as 0, 1, etc. where the ID number matches the interface number. For example, tunables for igc3 are under dev.igc.3.

igc(4)
    dev.igc.<id>.fc="0"
igb(4)
    dev.igb.<id>.fc="0"
em(4)
    dev.em.<id>.fc="0"

For ix and others, the flow control value can be further tuned:

    0    No Flow Control
    1    Receive Pause
    2    Transmit Pause
    3    Full Flow Control, Default

6.5 Console Types

There are two console types available with pfSense® software, VGA and Serial. The active default console depends on the image/installer used and configuration settings. The difference between the two console types is explained in more detail below.
6.5.1 VGA Console

The VGA (video) console is a console with a monitor and keyboard. The video console requires hardware with a connection for a monitor (e.g. HDMI, VGA) and keyboard (USB, PS/2). In some cases a serial BIOS that does VGA redirection may work. The VGA console is active by default using the normal memstick installer or ISO.

6.5.2 Serial Console

The serial console uses a serial/COM port to communicate with a serial client. It is primarily intended for systems without a monitor or keyboard. The serial console can also be used on systems where those are either not available or not wanted, so long as the hardware has an attached (non-USB) serial port. The serial console is active by default when installing using the serial memstick and may be enabled under System > Advanced on VGA images.

Accessing the serial console requires a null modem serial cable attached between the COM1 port on the firewall and a serial client. A hardware serial port is required on the firewall, but the client may use a USB serial adapter if needed.

Serial clients are quite common, often pre-installed on an operating system or easily available. The free PuTTY client is the most popular GUI choice. Other choices include GNU screen, tip, cu and minicom.

See also: See Connect to the Console for details on how to connect to a serial console.

The default speed of the serial port is 115200/8/N/1. The serial port speed may be changed under System > Advanced. If the device has a BIOS accessible over serial console, it is also possible that it will not be using the same serial speed that the OS is using. The most common serial speeds to try would be: 115200, 38400, and 9600.
If the BIOS serial speed does not match the OS serial speed, the best practice is to adjust one or the other to match, so that POST messages may be viewed as well as the OS messages without having to adjust the client.

6.6 Connect to the Console

A connection to the console on the target hardware is a requirement to run the installer.

6.6.1 Connecting to a VGA Console

For hardware with a VGA console, this is as simple as connecting a monitor and keyboard.
6.6.2 Connecting to a Serial Console

For hardware with a serial console, the process is more involved and requires a client PC with an appropriate port and terminal software. Follow the instructions below to connect using a serial console.

The instructions in this section cover general serial console topics. Some devices, such as firewalls from the Netgate Store, require slightly different methods to connect to the serial console. For devices from the Netgate Store, visit the Netgate Documentation for model-specific serial console instructions.

Serial Console Requirements

Connecting to a serial console on most firewalls requires the correct hardware on every part of the link, including:

• The client PC must have a physical serial port or a USB-to-Serial adapter
• The firewall must have a physical serial port
• A null modem serial cable and/or adapter, or a device-specific serial cable
• A terminal program on the client, such as PuTTY
• The correct serial settings for the client software

For most of the firewalls purchased from the Netgate Store, the only hardware requirement is a USB A to Mini-B cable. See Netgate Documentation for specifics.

In addition to the proper hardware connection, a serial console client program must also be available on the client PC, and the serial speed and other settings must be known.

Locating a Serial Port (Server/Firewall)

First, ensure the firewall hardware has a serial port. To use the serial console, the hardware must have a physical serial port at COM1. Embedded units typically have a DB9 (9-pin) serial port, but some have an RJ45 style console connector with an adapter cable that ends with a DB9 connector.

Connect a Serial Cable

First, a null modem serial cable must be connected between the firewall and a client PC.
Depending on the serial port and cable being used, a serial cable gender changer may also be necessary to match the available ports. If a real null modem serial cable is unavailable, a null modem adapter can be used to convert a standard serial cable into a null modem cable. If the client PC does not have a physical serial port, use a USB-to-Serial adapter.

Locate the Client Serial Port

On the client PC, the serial port device name must be determined so that the client software can be used on the correct port.
Windows

On Windows clients, a physical serial port is typically COM1. With a USB-to-Serial adapter, it may be COM3. Open Device Manager in Windows and expand Ports (COM & LPT) to find the port assignment.

macOS

On macOS, the name can be tricky for a user to determine since it can vary based on several factors. On recent versions of macOS, the devices are likely to be named /dev/cu.usbserial-<id> where the <id> is an identifier for the USB serial adapter, such as a serial number. When in doubt, run ls -l /dev/cu.* from a Terminal prompt to see a list of available USB serial devices and locate the appropriate one for the hardware. If there are multiple devices, the correct device is likely the one with the most recent timestamp or highest ID.

Linux

The device associated with a USB-to-Serial adapter is likely to show up as /dev/ttyUSB0. Look for messages about the device attaching in the system log files or by running dmesg.

Note: If the device does not appear in /dev/, check to see if the device requires additional drivers.

FreeBSD

The device associated with a USB-to-Serial adapter is likely to show up as /dev/cuaU0. Look for messages about the device attaching in the system log files or by running dmesg.

Determine Serial Console Settings

The settings for the serial port, including the speed, must be known before a client can successfully connect to a serial console. Whichever serial client is used, ensure that it is set for the proper Speed (115200), Data Bits (8), Parity (No), and Stop Bits (1). This is typically written as 115200/8/N/1.

Note: Some hardware defaults to a slower speed. This is relevant to the BIOS and initial output, not to pfSense® software which defaults to 115200. Many serial clients default to 9600/8/N/1, so adjusting these settings is required to connect. Use 115200/8/N/1 with pfSense software regardless of the setting of the hardware/BIOS.
For hardware using BIOS serial speeds other than 115200, change the baud rate to 115200 in the BIOS setup so the BIOS and pfSense software are both accessible with the same settings. Refer to the hardware manual for information on setting its baud rate. 115200 is the default speed pfSense software uses out of the box, but the serial speed used by pfSense software can be changed later. See Serial Console Speed.
Locate a Serial Client

A serial client program must be used on the client PC. The most popular client for Windows is PuTTY, which is free and works well. PuTTY is also available for Linux and can be installed on macOS using brew. On UNIX and UNIX-like operating systems, the screen program is readily available or easily installed and it can also be used to connect to serial ports from a terminal program or system console.

Windows

PuTTY is the most popular free choice for serial communication on Windows. SecureCRT is another client that works well.

Warning: Do not use Hyperterminal. Even if it is already present on the client PC, it is unreliable and prone to formatting incorrectly and losing data.

macOS

On macOS clients, the GNU screen utility is the easiest and most common choice. ZTerm and cu (similar to FreeBSD) can be used as well.

Linux

On Linux clients, the GNU screen utility is the easiest and most common choice. Programs such as PuTTY, minicom, or dterm can be used as well.

FreeBSD

On FreeBSD clients, the GNU screen utility is the easiest and most common choice. As an alternative, use the built-in program tip. Typing tip com1 (or tip ucom1 if using a USB serial adapter) will connect to the first serial port. Disconnect by typing ~. at the start of a line.

Start a Serial Client

Now that all of the requirements have been met, it is time to run the serial client. If the client software is not covered in this section, consult its documentation to determine how to make a serial connection.
PuTTY

• Start PuTTY
• Select Serial for the Connection Type
• Enter the serial port device name for Serial Line, e.g. COM3 or /dev/ttyUSB0.
• Enter the appropriate Speed, e.g. 115200
• Click Open

MINICOM

    $ minicom -D /dev/ttyUSB0 -b 115200

GNU screen

• Open a terminal / command prompt
• Invoke the screen command using the path to the serial port, for example:

    $ sudo screen /dev/ttyUSB0 115200

In some cases there may be a terminal encoding mismatch. If this happens, run screen in UTF-8 mode:

    $ sudo screen -U /dev/cu.usbserial-1234 115200

The standard screen controls apply. Press Ctrl-A, \ to quit, or Ctrl-A, Ctrl-\ in some cases.

tip

The tip command on FreeBSD consults /etc/remote and connects to serial ports based on the settings there. To set up a connection to a USB-to-serial adapter at 115200, add a line such as the following to /etc/remote:

    ucom1fast:dv=/dev/cuaU0:br#115200:pa=none:

To access the port, invoke tip:

    $ tip ucom1fast

To quit, press Enter, then type ~.. If connected through a terminal ssh client, ~~. may need to be used instead so that the ssh client itself doesn’t interpret the keys.
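As an added example (not from the pfSense documentation), this POSIX shell helper finds the USB serial adapter using the device-name patterns listed above for macOS, Linux and FreeBSD, picks the most recently attached one, and opens it with screen in UTF-8 mode at 115200/8/N/1. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the pfSense documentation: find the USB serial
# adapter using the device-name patterns this section lists for each client
# OS, pick the most recently attached one, and open it with GNU screen at
# the pfSense default of 115200/8/N/1. Function names are assumptions.

# serial_device_glob <uname -s output>
# Prints the device pattern for the client OS; fails for an unknown OS.
serial_device_glob() {
    case $1 in
        Darwin)  echo '/dev/cu.usbserial-*' ;;
        Linux)   echo '/dev/ttyUSB*' ;;
        FreeBSD) echo '/dev/cuaU*' ;;
        *)       return 1 ;;
    esac
}

# newest_serial_device <pattern>
# Expands the pattern and prints the newest matching device (the adapter
# attached most recently, as the macOS note above advises). Fails when
# nothing matches, so an unexpanded pattern is never handed to screen.
newest_serial_device() {
    newest=
    for dev in $1; do
        [ -e "$dev" ] || continue
        if [ -z "$newest" ] || [ "$dev" -nt "$newest" ]; then
            newest=$dev
        fi
    done
    [ -n "$newest" ] && echo "$newest"
}

# console_connect [speed]
# Runs on the client PC; speed defaults to 115200 as the section above says.
console_connect() {
    speed=${1:-115200}
    pattern=$(serial_device_glob "$(uname -s)") || {
        echo "unsupported client OS; use PuTTY or see the clients listed above" >&2
        return 1
    }
    dev=$(newest_serial_device "$pattern") || {
        echo "no serial adapter found matching $pattern; check dmesg" >&2
        return 1
    }
    printf 'connecting to %s at %s/8/N/1 (Ctrl-A then \\ quits screen)\n' \
        "$dev" "$speed" >&2
    # -U selects UTF-8 mode, which avoids the encoding mismatch noted above
    sudo screen -U "$dev" "$speed"
}
```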
6.7 Cryptographic Accelerator Support

Cryptographic acceleration is available on some platforms, typically on hardware that has it available in the CPU like AES-NI, or built into the board such as the ones used on Netgate ARM-based systems. Most cryptographic accelerator hardware supported by FreeBSD will work, provided the drivers are in the kernel or available as loadable modules.

Note: Some modules and hardware are only supported by pfSense® Plus software.

6.7.1 Supported Devices

Currently supported cryptographic accelerator devices include:

AES-NI
    Supported natively by most modern CPUs.
Intel QuickAssist Technology (QAT) [Plus only]
    Supported on certain Intel-based platforms such as select models of c3000 and c2000 SoCs, and also by QAT add-on cards. Present on several Netgate hardware models such as the 7100, 6100, 5100, and more.
CESA [Plus only]
    Present on some ARM platforms such as the Netgate 3100.
SafeXcel [Plus only]
    Present on some ARM platforms such as the Netgate 2100 and 1100.

Note: For specifics on which hardware accelerators are available on Netgate hardware, and relevant performance data, visit the Netgate Store.

6.7.2 Activating the Hardware

Some hardware acceleration is active at all times and there is no way to disable it short of removing the crypto card if it is a hardware add-on. For example, CESA acceleration cannot be disabled because it’s an integrated feature of the system and the drivers are present in the kernel.

Others, such as QAT, AES-NI, or SafeXcel require choosing the appropriate module under System > Advanced on the Miscellaneous tab (see Cryptographic Hardware). Choose the appropriate module to match the hardware for Cryptographic Hardware and then Save. The module will be loaded and available immediately.

To deactivate a loaded module, select None for Cryptographic Hardware, Save, and then reboot the system.
6.7.3 Confirming Accelerator Use

Confirming that the cryptographic acceleration device is being used by the firewall can be tricky, depending on the hardware in question. Most often the evidence of cryptographic accelerator use is apparent in one or more of the following observations:

• Increased VPN throughput
• Decreased system load (e.g. CPU utilization) for similar levels of VPN throughput

In cases where it is not clear, some cryptographic accelerators show signs of use by checking for interrupt activity on the device using vmstat -i | grep <name>, where <name> corresponds to the name of the device:

QAT
    Use the shell command vmstat -i | grep qat
CESA
    Use the shell command vmstat -i | grep cesa
SafeXcel
    Use the shell command vmstat -i | grep safexcel

In each of these cases, first check that there is any output at all. If the device has not been used at all since the firewall last rebooted or loaded the device driver, there will be no output from the command.

Note: To see if the driver is loaded, check kldstat -v | grep <name> to ensure the driver is present, and check dmesg | grep <name> to see if the device was detected.

If there is output from vmstat -i for the device, check the third entry on the line, which is the total number of interrupts observed on the device(s). If this number is increasing with VPN activity, the device is being used by the firewall. For example:

    # vmstat -i | grep qat
    irq300: qat0    5481147    3

In that output the 5481147 number represents the number of interrupts on the qat0 device. Run the command again after transferring data across the VPN, and compare the number.

Note: If the command produces no output at all, the device is not being used or the device driver is not loaded.

6.7.4 Verifying Cipher Support

To see a list of engines and associated transforms supported by the hardware and active modules through OpenSSL, run:

    /usr/bin/openssl engine -t -c

Note: That is only for support via OpenSSL. Other areas such as IPsec may support additional methods not listed.

6.7.5 Practical Use

IPsec

IPsec will take advantage of acceleration automatically when an active accelerator supports the cipher chosen for a tunnel. For QAT and AES-NI, the optimal cipher choice is AES-GCM.

OpenVPN

To take advantage of acceleration in OpenVPN, choose a supported cipher on each end of a given tunnel. Nothing needs to be selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using additional modules.
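As an added example (not from the pfSense documentation), the following POSIX shell functions automate the interrupt-count comparison described in Confirming Accelerator Use above for a QAT, CESA or SafeXcel device, including the "no output at all" case. The function names are assumptions and the sample vmstat -i lines are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not part of the pfSense documentation: automate the
# interrupt-count comparison from "Confirming Accelerator Use" for a QAT,
# CESA or SafeXcel device. Function names are assumptions; the sample
# vmstat -i lines below are constructed for an offline check, not captures.

# accel_irq_total "<vmstat -i output>" <name>
# Sums the third column (total interrupts) of every line naming the device.
# Prints nothing when no line matches, which is the "no output at all" case
# above: the device is unused since boot or its driver is not loaded.
accel_irq_total() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        index($0, dev) { total += $3; found = 1 }
        END { if (found) print total }'
}

# accel_verdict <before> <after>
# Either argument may be empty when vmstat -i showed no line for the device.
accel_verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "no-output"   # check kldstat -v and dmesg for the driver/device
    elif [ "$2" -gt "$1" ]; then
        echo "in-use"      # interrupts rose while traffic crossed the VPN
    else
        echo "idle"        # present but no work reached it; check the cipher
    fi
}

# accel_live_check <name>   e.g. qat, cesa, safexcel
# Snapshots the counter, waits while data is pushed across the VPN, then
# snapshots again and prints the verdict. Run on the firewall shell.
accel_live_check() {
    before=$(accel_irq_total "$(vmstat -i)" "$1")
    printf 'Transfer data across the VPN now, then press Enter: ' >&2
    read -r _
    after=$(accel_irq_total "$(vmstat -i)" "$1")
    accel_verdict "$before" "$after"
}

# Constructed sample output: two snapshots of vmstat -i, filtered to two lines.
SAMPLE_BEFORE='irq16: ehci0                12345          1
irq300: qat0              5481147          3'
SAMPLE_AFTER='irq16: ehci0                12400          1
irq300: qat0              5590000          3'
```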
6.8 Disabling Sounds/Beeps

Some hardware has a PC Speaker which can be used as a means of notification. By default, the firewall will play a tone at startup/shutdown and will emit a beep when a user logs into the GUI. Additionally, some packages are capable of producing beeps for events.

6.8.1 Disable Startup/Shutdown Tune

The startup and shutdown tunes may be disabled as follows:

• Navigate to System > Advanced, Notifications tab
• Check Disable the startup/shutdown beep
• Click Save

6.8.2 Disable Login Beep

The GUI login beep happens because the GUI login event is recorded by syslog under the LOG_AUTH facility. Messages in this facility trigger the operating system to generate a beep. To disable the beep, the GUI login messages must be suppressed as follows:

• Navigate to System > Advanced, Admin Access tab
• Check Disable logging of webConfigurator successful logins
• Click Save

6.8.3 Disable All Sounds

As an alternative, the system bell may be disabled globally:

• Navigate to System > Advanced, System Tunables tab
• Click to create a new tunable entry using the following values:
    Tunable: kern.vt.enable_bell
    Description: Control system sounds
    Value: 0
• Click Save

See also:

• Halting and Powering Off the Firewall
• Rebooting the Firewall
• Network Interface Drivers with ALTQ Traffic Shaping Support
• Troubleshooting Disk and Filesystem Issues
• Troubleshooting Boot Issues
• Troubleshooting DMA and LBA Errors
• Troubleshooting High CPU Load
• Troubleshooting Lost Traffic or Disappearing Packets
• Troubleshooting Unexpected Reboots

The pfSense® software distribution is compatible with most hardware supported by FreeBSD. Current versions of pfSense software are compatible with 64-bit (amd64, x86-64) architecture hardware and Netgate ARM-based firewalls. Alternate hardware architectures such as Raspberry Pi, other non-Netgate ARM devices, PowerPC, MIPS, SPARC, etc. are not supported.

6.9 Hardware Compatibility

The best way to ensure that hardware is compatible with pfSense software is to buy hardware from the Netgate Store that has been tested and is known to work well with pfSense software. The hardware in the store is tested with each release of pfSense software and is tuned for optimal performance.

For home-built solutions, the FreeBSD Hardware Notes for the FreeBSD version used in a given build of pfSense software is the best resource for determining hardware compatibility. pfSense software version 2.5.2-RELEASE is based on 12.2-STABLE@f4d0bc6aa6b. Another good resource is the Hardware section of the FreeBSD FAQ.

6.9.1 Network Adapters

A wide variety of wired Ethernet Network Interface Cards (NICs) are supported by FreeBSD, and are thus compatible with pfSense software. However, not all NICs are created equal. The hardware can vary greatly in quality from one manufacturer to another.

The best practice is to use Intel NICs because they have solid driver support in FreeBSD and they perform well. Most hardware sold in the Netgate Store contains Intel NICs.

Of the various other PCIe/PCI cards supported by FreeBSD, some work fine, others may suffer from instability or poor performance. In some cases, FreeBSD may support a particular NIC but specific implementations of the chipset may be lower in quality or have poor driver support.
When in doubt, search the Netgate Forum for experiences of others using the same or similar hardware. When a firewall requires the use of VLANs, select adapters that support VLAN processing in hardware. This is discussed in Virtual LANs (VLANs). USB Network Adapters USB network adapters of any make/model should not be used due to their unreliability and poor performance. 6.9. Hardware Compatibility 280
  • 284. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Wireless Adapters Supported wireless adapters and recommendations are covered in Wireless. 6.9. Hardware Compatibility 281
CHAPTER SEVEN

INSTALLING AND UPGRADING

Hardware from the Netgate Store is pre-loaded with pfSense® Plus software. To reinstall with pfSense CE software or to install pfSense CE software to other hardware, download an installer image as described in this chapter. To reinstall pfSense Plus software on Netgate hardware, contact Netgate TAC for installation images.

Warning: Hardware pre-loaded with pfSense software from commercial vendors other than the Netgate Store or authorized partners must not be trusted. Third parties may have made unauthorized, unknown alterations or additions to the software. Selling pre-loaded copies of pfSense software is a violation of the Trademark Usage Guidelines. If pfSense software was pre-loaded on third party hardware by a vendor, wipe the system and reinstall it with a genuine copy.

See also: If something goes wrong during the installation process, see Troubleshooting Installation Issues.

This chapter also covers upgrading pfSense software installations (Upgrade Guide), which keeps them up-to-date with the latest security fixes, bug fixes, and new features. This includes the new ability to Migrate from pfSense® CE software to Netgate pfSense Plus software.

7.1 Download Installation Media

Note: Customers who have purchased firewalls pre-loaded with pfSense® Plus software from the Netgate Store can get installation images by contacting Netgate TAC. The Netgate Product Manuals contain specific instructions for each model. Some Netgate devices can also run Community Edition images, but the pfSense® Plus images offer the best user experience. For other hardware, continue reading.

• Navigate to the download page on pfsense.org in a web browser on a client PC.
• Select an Architecture:
  AMD64 (64-bit)
    For 64-bit x86-64 Intel or AMD hardware.
  Netgate ADI
    For specific firewalls from the Netgate Store, which contain a USB serial console port on COM2.
• Select an Installer type:
  USB Memstick Installer
    A disk image which can be written to a USB memory stick (memstick) and booted on the target hardware for installation.
  DVD Image (ISO) Installer
    To install from optical media or for use with IPMI or hypervisors which can boot from ISO images.
• Select a Console for USB Memstick Installer images:
  VGA
    Installs using a monitor and keyboard connected to the target hardware, or virtual machines with equivalent components.
  Serial
    Installs using a serial console on COM1 of the target hardware. This option requires a non-USB hardware console port.

  Note: Some hardware contains a usable serial port which is exposed through a special internal USB/Serial connection and dedicated USB console port. This hardware generally works fine, and is not the same as a USB/Serial adapter plugged into a USB port, which will not work for serving a serial console.
• Select a Mirror that is close to the client PC geographically.
• Click Download.
• Copy or download the SHA-256 sum displayed by the page to verify the download.

Tip: To view a listing of all files on the mirror, do not select any options from the drop-down menus except for Mirror, then click Download. Descriptions for the file names are available on the downloads page.

See also: At any point in the installation, if something does not go as described, check Troubleshooting Installation Issues.

7.1.1 Verifying the integrity of the download

The integrity of the installer image can be verified by comparing a hash computed from the downloaded file against the hash computed by Netgate when the files were originally created. The current hashes use SHA-256. The SHA-256 sum displayed on the download page is the best source, as it is not pulled from the same directory as the download images. A file containing the SHA-256 sum is also available on the mirrors with the same filename as the chosen installer image, but ending in .sha256.

Use the accompanying SHA-256 sum from the download site or .sha256 file to verify that the download completed successfully and is an official release of pfSense software.

Warning: The SHA-256 sums are computed against the compressed versions of the downloaded files. Compare the hash before decompressing the file.

Hash calculation programs vary by operating system; some common examples include:

Windows
  Use a GUI-based hash calculation program such as OpenHashTab to compare the value against the provided hash. With OpenHashTab installed, right click on the downloaded file to access the File Hashes tab containing the SHA256 hash, among others.

  Tip: If a SHA256 hash is not displayed, right click in the hash view and click Settings, then check the box for SHA256 and click OK.

  The SHA256 hash generated in OpenHashTab can be compared with the contents of the .sha256 checksum file.

  Note: It is also possible to use the Linux sha256sum command within Windows Subsystem for Linux, Cygwin, or similar mechanisms.

macOS
  Use the shasum command line utility to generate a hash of the downloaded file. Example:

    shasum -a 256 pfSense-CE-2.5.2-RELEASE-amd64.iso.gz

  The generated SHA256 hash can be compared with the contents of the .sha256 checksum file.

Linux
  Use the sha256sum command line utility to generate a hash of the downloaded file.

    sha256sum pfSense-CE-2.5.2-RELEASE-amd64.iso.gz

  The generated SHA256 hash can be compared with the contents of the .sha256 checksum file.

FreeBSD
  Use the sha256 command line utility to generate a hash of the downloaded file.

    sha256 pfSense-CE-2.5.2-RELEASE-amd64.iso.gz

  The generated SHA256 hash can be compared with the contents of the .sha256 checksum file.

7.2 Prepare Installation Media

The installation image downloaded in the previous section must first be transferred to the proper media. The files cannot be copied to media directly, but must be written using appropriate tools.

The primary difference between the USB memstick and ISO image is in how the images are written to an installation disk. Both types of images install pfSense® software to a target disk. Another difference is between the console types for the different USB memstick images. After installation, they each retain their appropriate console settings.

Note: If the target hardware does not have an optical drive and cannot boot from USB, install the software to the target disk using a different set of hardware. See Alternate Installation Techniques for more information.
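The verification step from section 7.1.1 above, automated so that the comparison is done by the machine rather than by eye. This is an added example and not a script from the pfSense documentation or the project. It assumes the .sha256 file uses either the FreeBSD style line "SHA256 (name) = hash" or the GNU style line "hash  name"; the image and checksum files it creates are constructed stand-ins, not real installer images.

```shell
#!/bin/sh
# Added example, not part of the pfSense documentation: verify a downloaded
# installer image against its .sha256 file *before* decompressing it, as the
# warning above requires. hash_file picks whichever hashing tool the client
# provides (sha256sum on Linux, shasum on macOS, sha256 on FreeBSD, openssl as
# a fallback). The two .sha256 line formats handled are an assumption:
#   SHA256 (pfSense-CE-2.5.2-RELEASE-amd64.iso.gz) = <hash>   (FreeBSD style)
#   <hash>  pfSense-CE-2.5.2-RELEASE-amd64.iso.gz             (GNU style)

# Print the lowercase SHA-256 hex digest of the file given as $1.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Print the expected hash for filename $2 as listed in the .sha256 file $1,
# or nothing if the file has no entry for that name.
expected_hash() {
    awk -v f="$2" '
        $1 == "SHA256" && $2 == ("(" f ")") { print $4; exit }
        $2 == f || $2 == ("*" f)            { print $1; exit }
    ' "$1" | tr 'A-F' 'a-f'
}

# Verify image $1 against .sha256 file $2. Returns 0 only when the image
# exists, the .sha256 file lists it, and the digests are identical.
verify_image() {
    [ -f "$1" ] || { echo "missing image: $1" >&2; return 1; }
    [ -f "$2" ] || { echo "missing checksum file: $2" >&2; return 1; }
    name=$(basename "$1")
    want=$(expected_hash "$2" "$name")
    [ -n "$want" ] || { echo "no entry for $name in $2" >&2; return 1; }
    got=$(hash_file "$1")
    if [ "$got" = "$want" ]; then
        echo "OK: $name matches $want"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected: $want" >&2
    echo "  computed: $got" >&2
    return 1
}

# --- Constructed demonstration data; these are not real pfSense images. ---
demo_dir=$(mktemp -d)
img="$demo_dir/pfSense-CE-2.5.2-RELEASE-amd64.iso.gz"
printf 'constructed stand-in for a compressed installer image\n' > "$img"
# A FreeBSD-style .sha256 file such as the mirrors publish beside each image.
printf 'SHA256 (%s) = %s\n' "$(basename "$img")" "$(hash_file "$img")" > "$img.sha256"

# A second copy whose contents differ from what the .sha256 file promises,
# standing in for a corrupted or tampered download.
bad_dir=$(mktemp -d)
bad_img="$bad_dir/$(basename "$img")"
printf 'altered contents\n' > "$bad_img"
cp "$img.sha256" "$bad_img.sha256"

verify_image "$img" "$img.sha256"                                   # prints OK
verify_image "$bad_img" "$bad_img.sha256" || echo "rejected, as expected"
```

The script compares the compressed file, never the decompressed one, and treats a missing entry for the filename as a failure rather than silently passing. Because the same filename is hashed into the .sha256 file, a renamed download will be refused as well; that is intended, since the name is part of what the published sum attests to.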
7.2.1 Decompress the Installation Media

The installation disk image is compressed when downloaded to save bandwidth and storage. Decompress the file before writing this image to an installation disk. The .gz extension on the file indicates that the file is compressed with gzip. The image can be decompressed on Windows using 7-Zip, or on BSD/Linux/Mac with the gunzip or gzip -d commands.

7.2.2 Writing the Install Media

Creating an installation disk requires a different procedure depending on the type of media. Follow the instructions in the appropriate section for the chosen media type.

Prepare a USB Memstick

Warning: Be extremely careful when writing pfSense® software installation images! If the client PC contains other hard drives it is possible to select the wrong drive and overwrite a portion of that drive with the installer disk. This renders the disk completely unreadable except to certain disk recovery programs, if at all.

Using Etcher

The easiest way to create bootable installation media is to use Etcher. Etcher is available on Windows, macOS, and Linux, so the procedure to write an image is the same across each supported platform. Etcher is simple to use, supports compressed image files, and has several features which help prevent users from making unintentional mistakes in the process such as selecting the wrong target drive. Additionally, unlike other methods, there is no need to perform other steps before writing the image to prepare the image file or disk.

• Download and install Etcher from https://www.balena.io/etcher/
• Insert a USB flash drive into the client computer
• Start Etcher

Etcher will display its main screen as shown in the following image:

• Click Flash from file
• Locate and select the installation image file

Tip: Etcher can use compressed images directly; there is no need to manually decompress the image file first.

• Click Select target
• Click the USB flash drive to which Etcher should write the image

Note: Etcher attempts to hide and/or visibly mark potentially dangerous selections such as system drives, the drive containing the source image, and large drives. This makes it easier to identify the correct selection.

• Click Select (1) to continue
• Click Flash! to write the image to the target USB flash drive

At this point there may be an authentication or UAC prompt to continue.

Note: Etcher requires elevated privileges to write USB drives. In the majority of cases, Etcher will trigger an operating system prompt for additional privileges as needed. If it does not, re-run Etcher as an administrator explicitly.

• Wait for the flash process to complete

If there is an error from Etcher, try another USB flash drive or follow the advice given within Etcher to resolve the problem.

Warning: After writing the drive, the installation media will contain partitions which cannot be read by most operating systems. Ignore any operating system warnings about failing to mount the drive or prompts to format the drive.

• Close Etcher when complete
• Remove the USB flash drive from the client system

The installation media is now ready to use. Proceed to the installation instructions for the operating system.

Alternate Methods

For other techniques and additional guidance on writing disk images, see the reference document Writing an Installation Image to Flash Media.

Prepare a DVD

To use an ISO image file containing pfSense® software with an optical disk drive, the ISO image must be burned to a DVD disc by appropriate writing software. Since the ISO image is a full-disc image, it must be burned appropriately for image files, not as a data DVD containing the single ISO file. Burning procedures vary by OS and available software.

Decompress the ISO Image

Before the image can be burned, it must be decompressed. The .gz extension on the file indicates that it is compressed with gzip. This can be decompressed on Windows using 7-Zip, or on BSD/Linux/Mac with the gunzip or gzip -d commands.

Burn the DVD

Burning in Windows

Windows 7 and later include the ability to burn ISO images natively without extra software. On top of that, virtually every major DVD burning software package for Windows includes the ability to burn ISO images. Refer to the documentation for the DVD burning program. A Google search with the name of the burning software and "burn iso" also helps locate instructions.

Burning with Windows

To burn a disc image natively in Windows 7 or later:

• Open Windows Explorer and locate the decompressed ISO image file
• Right click the ISO image file
• Click Burn disc image
• Select the appropriate Disc burner drive from the drop-down list
• Insert a blank DVD disc
• Click Burn

Later versions such as Windows 10 also show a Disc Image Tools tab on the ribbon when an ISO image is selected in Windows Explorer. That tab has a Burn icon that also invokes the same disc burning interface.

Other Free Burning Software

Other free options for Windows users include ISO Recorder, CDBurnerXP, InfraRecorder and ImgBurn. Before downloading and installing any program, check its feature list to make sure it is capable of burning an ISO image.

Burning in Linux

Linux distributions such as Ubuntu typically include a GUI DVD burning application that can handle ISO images. If a DVD burning application is integrated with the window manager, try one of the following:

• Right click on the decompressed ISO image file
• Choose Open With
• Choose Disk image writer

Or:

• Right click on the decompressed ISO image file
• Choose Write disc to

Other popular applications include K3B and Brasero Disc Burner.

If a GUI burning program is not available, it may be possible to burn from the command line. First, determine the burning device's SCSI ID/LUN (Logical Unit Number) with the following command:

  $ cdrecord --scanbus
  scsibus6:
          6,0,0   600) 'TSSTcorp' 'CDDVDW SE-S084C ' 'TU00' Removable CD-ROM

Note the SCSI ID/LUN is 6,0,0 in this example. Burn the image as in the following example, replacing <max speed> with the speed of the burner (e.g. 24) and <lun> with the SCSI ID/LUN of the recorder:

  $ sudo cdrecord --dev=<lun> --speed=<max speed> pfSense-CE-2.4.4-RELEASE-p3-amd64.iso

Burning in FreeBSD

FreeBSD can use the same cdrecord options as Linux above by installing sysutils/cdrtools from ports or packages, and can also use GUI applications such as K3B or Brasero Disc Burner if they are installed from ports.

See also: For more information on creating DVDs in FreeBSD, see the DVD burning entry in the FreeBSD Handbook.
Verify the Disc Content

After writing the disc, verify it was burned properly by viewing the files on the disc. More than 20 folders should be visible, including bin, boot, cf, conf, and more. If only one large ISO file is visible, the disc was not burned properly. Repeat the burning steps listed earlier and be sure to burn the ISO file as a DVD image and not as a data file.

7.3 Perform the Installation

This section describes the process of installing pfSense® software to a target drive, such as an SSD or HDD. In a nutshell, this involves booting from the installation memstick or CD/DVD disc and then completing the installer.

Note: If the installer encounters an error while trying to boot or install from the installation media, see Troubleshooting Installation Issues.

The following items are requirements to run the installer:

• Download Installation Media
• Prepare Installation Media
• Connect to the Console

See also: Virtual environments may have additional requirements; see the following documents for examples:

• Virtualizing pfSense Software with VMware vSphere / ESXi
• Virtualizing pfSense Software with Hyper-V
• Virtualizing with Proxmox® VE

See also: The Hangouts Archive also covers a variety of relevant topics.

7.3.1 Booting the Install Media

For USB memstick installations, insert the USB memstick and then power on the target system. The BIOS may require the disk to be inserted before the hardware boots. For DVD installations, power on the hardware then place the CD into an optical drive. pfSense software will begin to boot and will launch the installer automatically.

Specifying Boot Order in BIOS

If the target system will not boot from the USB memstick or CD, the most likely reason is that the given device was not found early enough in the list of boot media in the BIOS. Many newer motherboards support a one time boot menu invoked by pressing a key during POST, commonly Esc or F12. Failing that, change the boot order in the BIOS. First, power on the hardware and enter the BIOS setup. The boot order option is typically found under a Boot or Boot Priority heading, but it could be anywhere. If support for booting from a USB or optical drive is not enabled, or has a lower priority than booting from a hard drive containing another OS, the hardware will not boot from the installer media. Consult the motherboard manual for more detailed information on altering the boot order.
7.3.2 Installing to the Hard Drive

For USB memsticks with a serial console connection, the first prompt will ask for the terminal type to use for the installer. For PuTTY or GNU screen, xterm is the best type to use. The following terminal types can be used:

ansi
  Generic terminal with color coding
vt100
  Generic terminal without color; the most basic/compatible option. Select this if no others work.
xterm
  X terminal window. Compatible with most modern clients (e.g. PuTTY, screen)
cons25w
  FreeBSD console style terminal

For VGA consoles, cons25w is assumed by the installer.

Once the installer launches, navigating its screens is fairly intuitive, and works as follows:

• To select items, use the arrow keys to move the selection focus until the desired item is highlighted.
• For installer screens containing a list, use the up and down arrow keys to highlight entries in the list. Use the left and right arrow keys to highlight the actions at the bottom of the screen such as Select and Cancel.
• Pressing Enter selects an option and activates the action associated with that option.

Starting the Installer

The installer contents are the same for both console types. The following document walks through the installation process in its entirety.

Installation Walkthrough

When the installer starts, the first screen it presents offers license terms for pfSense® software which the user must accept before installation. Read the terms carefully. Use the Page Down and Page Up keys to display additional license text. Press Enter to Accept the terms and proceed.

Rescue Options

First, the installer prompts to launch rescue options or start the Install process. Use the arrow keys to select an option, then press Enter. The options on this screen are:

Install
  Continue installing pfSense software
Rescue Shell
  Starts a basic shell prompt where advanced users can perform tasks to prepare the hardware in ways not fully supported by the installer, or to perform diagnostic tests or repairs on the firewall.
Recover config.xml
  Attempts to recover a pfSense software configuration file from a target disk in the system. See Recover config.xml From Existing Installation for details.
  • 295. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 1: Installer License Fig. 2: Rescue Options 7.3. Perform the Installation 292
  • 296. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Keymap Selection The Keymap Selection screen selects the keyboard layout used by the installer. Fig. 3: Keymap Selection For the majority of users with a standard PC keyboard, press Enter to select Continue with default Keymap. If the keyboard used for the console has a different layout, such as from countries other than the US, find it in the list and select it instead. After making a selection, return to the top of the list and either choose Test default keymap or Continue. Note: This selection is only for the installer, the value is not retained post-install. Partition / Filesystem Selection The Partitioning step selects the filesystem for the firewall’s target disk. The ZFS filesystem type is more reliable and has more features than UFS, however ZFS can be memory hungry. Either filesystem will work on hardware with several GB of RAM, but if RAM usage is critical to other tasks that will run on this firewall, UFS is a more conservative choice. For hardware that requires UEFI, use ZFS. The optionson this screen work as follows: Auto (ZFS) Launches the ZFS configuration section of the installer. See ZFS for details. Auto (UFS) BIOS Automatically creates partitions and formats the disk with UFS and a tradi- tional/legacy BIOS style boot environment. Auto (UFS) UEFI Automatically creates partitions and formats the disk with UFS and a UEFI boot en- vironment. 7.3. Perform the Installation 293
  • 297. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 4: Partitioning Note: There are occasional incompatibilities between FreeBSD and UEFI implementations. If the system fails to boot after installing with a UEFI option, configure the hardware for BIOS/legacy booting and choose that installation option instead. Manual Manually create partitions and filesystems. Shell Open a shell prompt to configure disks, partitions, and filesystems by hand. Note: If installer cannot find any drives, or if it shows incorrect drives, it is possible that the desired drive is attached to an unsupported controller or a controller set for an unsupported mode in the BIOS. See Troubleshooting Installation Issues for help. The process varies slightly depending on the selected filesystem type, so follow the section below that matches the filesystem type to be used by this firewall. ZFS This section describes items specific to ZFS partitioning. Select Auto (ZFS) from the list (Partitioning) and the installer will present the ZFS configuration screen. 7.3. Perform the Installation 294
  • 298. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 5: ZFS Configuration Pool Type / Disks Select Pool Type / Disks and the installer will prompt for the Virtual Device Type. ZFS supports multiple disks in various ways for redundancy and/or extra capacity. Though using multiple disks with ZFS is software RAID, it is quite reliable and better than using a single disk. The available types are: stripe A single disk, or multiple disks added together to make one larger disk (RAID 0). Note: For firewalls with a single target disk, this is the correct choice. mirror Two or more disks that all contain the same content for redundancy. Can keep operating even if one disk dies. (RAID 1) raid10 RAID 1+0, n x 2-way mirrors. A combination of stripes and mirrors, which gives redundancy and extra capacity. Can lose one disk from any pair at any time. raidzX Single, Double, or Triple redundant RAID. Uses 1, 2, or 3 parity disks with a pool to give extra capacity and redundancy, so either one, two, or three disks can fail before a pool is compromised. Though similar to RAID 5 and 6, the RAIDZ design has significant differences. Select a type and press Enter 7.3. Perform the Installation 295
  • 299. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 6: Virtual Device Type Select Disks Next, the installer prompts for which disks it will include in the selected Virtual Device Type. Use the up and down arrow keys to highlight a disk and Space to select disks. For mirrors or RAID types, select enough disks to fulfill the requirements for the chosen type. Warning: Select a disk even if there is only one in the list! Select OK with the left or right arrow keys. When complete, the installer will return to the main ZFS configuration screen. Partition Scheme Choose an alternate Partition Scheme only if the default, GPT (BIOS) will not work. The possible choices include: GPT (BIOS) The GUID partition table layout and BIOS booting. Used by most modern x86 hardware. Note: Try this method first as it is the most widely compatible choice. GPT (UEFI) GPT with UEFI boot loader. GPT (BIOS+UEFI) GPT with both BIOS and UEFI booting. MBR (BIOS) Legacy MBR style partitions with BIOS booting. GPT + Active (BIOS) GPT with the boot slice set active, with BIOS booting. 7.3. Perform the Installation 296
  • 300. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 7: Example disk selection for ZFS mirror utilizing two disks GPT + Lenovo Fix (BIOS) GPT with a Lenovo-specific boot fix. Other Options The other options on the main ZFS configuration screen can be left at their default values. Certain scenarios may call for using them, but they are otherwise options. Pool Name The name of the ZFS pool created by the installer. Leave this at the default value. Encrypt Disks Enable encryption of the filesystem contents. Warning: Encrypting disks will prompt for the encryption passphrase at each boot, which means each boot must be attended at the console. Swap Size The amount of disk space dedicated to swap space (virtual memory). This is optional. Com- monly set to 2x the available RAM in the firewall, but with smaller disks that may be too large. Mirror Swap When using a mirrored Virtual Device Type, this also mirrors the swap space contents between disks. The default is to consider the swap space on each disk separately. In most cases the contents of swap are not important enough to warrant mirroring and the degraded performance it would impose. Encrypt Swap Encrypts the contents of the swap partitions, in addition to data. This is more secure, especially if the firewall has particularly sensitive data in memory, but degrades swap performance. 7.3. Perform the Installation 297
  • 301. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Finish To complete the installation: • Move the selection back to Install • Highlight Select for the action at the bottom of the screen • Press Enter to continue. • Select Yes to confirm the target disk selection, and to acknowledge that the contents of the target disk(s) will be destroyed. Fig. 8: ZFS Confirmation Proceed to Continue with the Install. 7.3. Perform the Installation 298
  • 302. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC UFS This section describes items specific to the UFS choices for partitioning. Select Auto (UFS) BIOS or Auto (UFS) UEFI from the list (Partitioning) depending on the needs of the target system. Single Disk If there is only a single disk, the installation will perform the remaining steps automatically, there is nothing more to do, so proceed to Continue with the Install. Multiple Disks If the system has multiple eligible target disks, the installer will prompt to choose the target and other options. Select Disk Select the target disk where the installer will write out the pfSense® software, e.g. ada0. The installer will show each supported hard drive attached to the firewall, along with any supported RAID or gmirror volumes. Fig. 9: Select Disk Select Entire Disk when prompted. pfSense software does not support sharing a disk with another operating system. 7.3. Perform the Installation 299
  • 303. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 10: Use the Entire Disk Partition Scheme Select the partition scheme to use for the disk: GPT The GUID partition table layout. Used by most current x86 hardware. May not function on older hardware/BIOS versions. Try this method first. BSD BSD Labels without an MBR, which used to be known as “dangerously dedicated mode”. This method should work on most hardware that cannot use GPT. This was the method used by older versions of pfSense software. MBR Select this only if GPT and BSD do not work on a specific piece of hardware. Others The other choices are not relevant to hardware that is capable of running pfSense software. Partition Editor Select Finish to accept the automatic partition layout chosen by the installer, then select Commit to write the partition layout to the target disk. Note: The partition sizes and other values can be customized here, but this is rarely necessary or appropriate. For nearly all installations, the default sizes are correct and optimal. 7.3. Perform the Installation 300
  • 304. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 11: Partition Scheme Fig. 12: Partition Editor 7.3. Perform the Installation 301
  • 305. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Finish Proceed to Continue with the Install. Continue with the Install Sit back, wait, and have a few sips of coffee while the installation process formats the drive(s) and copies pfSense software files to the target disk(s). Fig. 13: Partitioning and Formatting Select No when prompted to make final modifications. Select Reboot to restart the firewall Remove the installation media from the firewall during the reboot, when the hardware is starting back up but before it boots from the disk. Congratulations, the installation is complete! pfSense Software Default Configuration After installation and interface assignment, pfSense software has the following default configuration: • WAN is configured as an IPv4 DHCP client. • WAN is configured as an IPv6 DHCP client and will request a prefix delegation. • LAN is configured with a static IPv4 address of 192.168.1.1/24. • LAN is configured to use a delegated IPv6 address/prefix obtained by WAN (Track IPv6) if one is available. • All incoming connections to WAN are blocked by the firewall. 7.3. Perform the Installation 302
  • 306. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 14: Reading install media and copying to target drive Fig. 15: Prompt for final modifications 7.3. Perform the Installation 303
  • 307. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Fig. 16: Prompt to reboot • All outgoing connections from LAN are allowed by the firewall. • The firewall performs NAT on IPv4 traffic leaving WAN from the LAN subnet • The firewall will act as an IPv4 DHCP Server • The firewall will act as an IPv6 DHCPv6 Server if a prefix delegation was obtained on WAN, and also enables SLAAC • The DNS Resolver is enabled so the firewall can accept and respond to DNS queries. • SSH is disabled. • WebGUI is running on port 443 using HTTPS. • Default credentials are set to a username of admin with password pfsense. 7.4 Assign Interfaces After the installer completes and the firewall reboots, the firewall software looks for network interfaces and attempts to assign interface mappings automatically. The automatic interface assignment profiles used by the firewall are: Netgate Hardware sold with pfSense® Plus Software pfSense Plus software for devices from the Net- gate Store includes default mappings appropriate to the hardware, which varies depending upon the hardware ordered with the device. Consult the Netgate Product Manuals for specific details on each model. RCC-VE 4860/8860 WAN: igb1, LAN: igb0 RCC-VE 2220/2440 WAN: igb0, LAN: igb1 7.4. Assign Interfaces 304
  • 308. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC APU WAN: re1, LAN: re2 Other Devices For other devices the firewall looks for common interfaces and attempts to assign them appropriately, for example: • WAN: igb0, LAN: igb1 • WAN: em0, LAN: em1 • WAN: re1, LAN: re2 If the firewall cannot automatically determine the network interface layout, it will present a prompt for interface assignment as in Figure Interface Assignment Screen. This is where the network cards installed in the firewall are given their roles as WAN, LAN, and Optional interfaces (OPT1, OPT2 ... OPTn). Fig. 17: Interface Assignment Screen The firewall displays a list of detected network interfaces and their MAC (Media Access Control) addresses, along with an indication of their link state if that is supported by the network card. The link state is denoted by (up) appearing after the MAC address if a link is detected on that interface. Note: The Media Access Control (MAC) address of a network card is a unique identifier assigned to each card, and no two network cards should have the same MAC address. If a duplicate MAC address is present on a network, either by chance or by intentional spoofing, all conflicting nodes will experience connectivity problems. After printing the network interface list, the firewall prompts for VLAN configuration. If VLANs are desired, answer y, otherwise, type n, then press Enter. See also: For information about configuring VLANs, see Virtual LANs (VLANs). The firewall prompts to set the WAN interface first. As the firewall typically contains more than one network card, a dilemma may present itself: How to tell which network card is which? If the identity of each card is already known, 7.4. Assign Interfaces 305
  • 309. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC enter the proper device names for each interface. If the difference between network cards is unknown, the easiest way to figure it out is to use the auto-detection feature. For automatic interface assignment, follow this procedure: • Unplug all network cables from the firewall • Type a and press Enter • Plug a network cable into the WAN interface of the firewall • Wait a few moments for the firewall to detect the link up event • Press Enter If all went well, the firewall can determine which interface to use for the WAN. Repeat the same process for the LAN and optional interfaces, if any are necessary. If the firewall prints a message stating “No link-up detected”, see Manually Assigning Interfaces for more information on sorting out network card identities. Once the list of interfaces for the firewall is correct, press Enter at the prompt for additional interfaces. The firewall will ask Do you want to proceed (y|n)? If the network interface assignment list is correct, type y then press Enter. If the assignment is incorrect, type n and press Enter to repeat the assignment process. Note: In addition to the normal routing/firewall mode with multiple interfaces, a firewall may also run in Appliance Mode where it has only a single interface (WAN). The firewall places the GUI anti-lockout rule on the WAN interface so a client may access the firewall web interface from that network. The usual routing and NAT functions are not active in this mode since there is no internal interface or network. This type of configuration is useful for VPN appliances, DHCP servers, and other stand-alone roles. 7.4.1 Manually Assigning Interfaces If the auto-detection feature did not work, there is still hope of telling the difference between network cards prior to installation. 
One way is by MAC address, which the firewall prints next to the interface names on the assignment screen: vmx0 00:0c:29:50:a4:04 vmx1 00:0c:29:50:ec:2f The MAC address is sometimes printed on a sticker somewhere physically on the network card. For virtualized systems, the virtual machine configuration usually contains the MAC address for each network card. MAC addresses are assigned by manufacturer, and there are several online databases which offer reverse lookup functionality for MAC addresses in order to find the company which made the card: http://www.8086.net/tools/mac/, http://www.coffer.com/ mac_find/, and http://aruljohn.com/mac.pl, among many others. Network cards of different makes, models, or sometimes chipsets may be detected with different drivers. It may be possible to tell an Intel-based card using the igb driver apart from a Broadcom card using the bge driver by looking at the cards themselves and comparing the names printed upon the circuitry. The probe order of network cards can be unpredictable, depending on how the hardware is designed. In a few cases, devices with a large number of ports may use different chipsets that probe in different ways, resulting in an unexpected order. Add-on and Multi-port NICs are generally probed in bus order, but that can vary from board to board. If the hardware has onboard NICs that are the same brand as an add-in NIC, be aware that some systems will list the onboard NIC first, and others will not. In cases when the probe order makes multiple NICs of the same type ambiguous, it may take trial and error to determine the port placements and driver name/number combinations. 7.4. Assign Interfaces 306
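As an added example (not part of the pfSense documentation or the pfSense software), the following script reads a listing in the format the assignment screen prints, resolves each MAC address prefix against a small OUI table, reports which interface currently has link (the basis of the auto-detect procedure), and flags duplicate MAC addresses. The OUI table is a constructed subset for illustration, not a real database; accepting a "(down)" marker in addition to "(up)" is an assumption, as is the sample listing.

```python
"""Identify network cards from an interface assignment listing (added example)."""
import re
from collections import Counter

# Constructed OUI subset (first three octets -> vendor). The 00:0c:29 entry
# matches the vmx0/vmx1 example on the page; use an online OUI database
# or the IEEE list for real lookups.
OUI_TABLE = {
    "00:0c:29": "VMware, Inc.",
    "00:50:56": "VMware, Inc.",
    "00:0d:b9": "PC Engines GmbH",   # ALIX/APU boards
}

# "<driver><unit>  <mac> [(up|down)]" -- the "(down)" form is an assumption.
LINE_RE = re.compile(
    r"^(?P<name>[a-z]+\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\((?P<link>up|down)\))?",
    re.IGNORECASE,
)


def parse_listing(text):
    """Return one dict per interface: name, mac (lower-case), link, vendor."""
    cards = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # prompt text, blank lines, etc.
        mac = m.group("mac").lower()
        link = m.group("link")
        cards.append({
            "name": m.group("name"),
            "mac": mac,
            "link": link.lower() if link else None,
            "vendor": OUI_TABLE.get(mac[:8], "unknown"),
        })
    return cards


def duplicate_macs(cards):
    """MAC addresses seen on more than one interface. Duplicates cause
    connectivity problems on a network, so they deserve a look before
    any role is assigned."""
    counts = Counter(c["mac"] for c in cards)
    return sorted(mac for mac, n in counts.items() if n > 1)


def link_up_candidate(cards):
    """Mirror the auto-detect step: with all cables unplugged but one, the
    single interface reporting (up) is the card for the role being assigned.
    Returns None when zero or several interfaces are up (ambiguous)."""
    up = [c["name"] for c in cards if c["link"] == "up"]
    return up[0] if len(up) == 1 else None


# Constructed sample listing in the format the assignment screen prints.
SAMPLE_LISTING = """\
vmx0  00:0c:29:50:a4:04 (up)
vmx1  00:0c:29:50:ec:2f
igb0  00:0d:b9:41:2a:10 (down)
"""

if __name__ == "__main__":
    cards = parse_listing(SAMPLE_LISTING)
    for c in cards:
        state = c["link"] or "?"
        print(f"{c['name']:6} {c['mac']}  link={state:5} vendor={c['vendor']}")
    print("duplicate MACs:", duplicate_macs(cards) or "none")
    print("link-up candidate:", link_up_candidate(cards))
```

Paste the listing from the console into `SAMPLE_LISTING` (or read it from a file) and the vendor column usually settles which card is the onboard NIC and which is the add-in card; the duplicate check is worth keeping for virtualized firewalls, where cloned VMs sometimes end up with identical MAC addresses.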
After the network cards have been identified, type the name of each card at the interface assignment screen when prompted. In the above example, vmx0 will be WAN and vmx1 will be LAN. To assign them these roles, follow this procedure:
• Type vmx0 and press Enter when prompted for the WAN address
• Type vmx1 and press Enter when prompted for the LAN address
• Press Enter again to stop the assignment process, since this example does not contain any optional interfaces.
• Type y and press Enter to confirm the interface assignments

7.5 Alternate Installation Techniques

This section describes alternate methods of installation that may be easier for certain rare hardware requirements.

7.5.1 Installation with drive in a different machine

If it is difficult or impossible to boot from USB or from a DVD/CD drive to the target hardware, another computer may be utilized to install pfSense® software on the target hard drive. The drive may then be moved to the original machine.

After installation, allow the installation machine to restart and power it off once it returns to the BIOS screen. Remove the hard drive from the installation machine and place it into the target firewall. After boot, the firewall will prompt for interface assignment and then the rest of the configuration may be performed as usual.

Note: Current versions of pfSense software use techniques such as GPT id, UFS id, and ZFS metadata to mount disks, so even though the device may appear using a different disk driver on the actual target hardware, the OS will still be able to locate and mount the appropriate disk.

7.5.2 Installation in VMware with USB Redirection

USB redirection in VMware Player and Workstation can be used to install to a hard drive. Most any USB to SATA/IDE or similar adapter will work for this purpose. The following instructions are specific to VMware Workstation 12, but will also work on other recent versions.
• Plug the target drive into the SATA/IDE adapter or SD/CF writer
• Plug the adapter/writer into the client PC
• Open VMware Workstation on the client PC
• Create a VM, which should have USB enabled (It is enabled by default)
• Set the VM to connect the installer ISO image at boot in its virtual CD/DVD drive
• Start the virtual machine
• Press Esc during the VM BIOS screen to load the boot menu
• Find the icon for the USB adapter in the bottom of the VMware window
• Click the icon for the USB adapter
• Click Connect (Disconnect from host)
• Select CD-ROM Drive from the boot menu
• Continue through the installation the same as a normal installation, ensuring that the correct drive is selected during the installation process
• Shut down the VM
• Remove the target disk from the client PC
• Attach the target disk to the intended firewall hardware

Older versions of VMware Workstation can use automatic USB redirection to accomplish the same goal. Unplug the USB device, click inside the VM to give it focus, and then plug in the USB device. The VM should attach to the USB drive.

7.6 Upgrade Guide

pfSense® software can be reliably upgraded from an older release to a current release. Netgate periodically releases new versions that contain new features, updates, bug fixes, and various other changes. In most cases, updating an installation is easy. If the firewall is updating to a new release that is only a point release (e.g. 2.x.3 to 2.x.4), the update is typically minor and unlikely to cause problems.

Note: Only the most recent stable release of pfSense is officially supported, so updating is also important to ensure that any problems encountered may be resolved as needed.

Upgrades use the same software edition that the firewall is currently running. For example, pfSense CE software installations will upgrade to the latest version of pfSense CE software. pfSense Plus or Factory edition software will upgrade to the latest version of pfSense Plus software. The only exception to this is when following the special procedure to Migrate from pfSense® CE software to Netgate pfSense Plus software.

The most common problems encountered during upgrades are hardware-specific regressions from one FreeBSD version to another, though those are rare. Updated releases fix more hardware than they break, but regressions are always possible.
Larger jumps, such as from 2.3.x to 2.5.2-RELEASE, must be handled with care, and ideally tested on identical hardware in a test environment prior to use in production.

Warning: Firewalls must be connected to the Internet to update.

7.6.1 Pre-Upgrade Tasks

Make a Backup ... and a Backup Plan

Before making any modifications to a firewall, the best practice is to make a backup using the WebGUI:
• Navigate to Diagnostics > Backup/Restore
• Set the Backup Area to All in the Backup Configuration section of the page
• Click Download
• Save this file somewhere safe

Keep multiple copies of the backup file in different secure locations. Consider using the free Auto Config Backup service (Using the AutoConfigBackup Service). Auto Config Backup can create a manual backup with a note identifying the change, which is encrypted and stored on Netgate servers.

Another good practice is to have install media handy for the new release, in case something goes awry and a reinstall is required. Should that happen, have the backup file on hand and refer to Backup and Recovery.

VM Snapshots

An easy fall-back plan for virtualized firewalls is to take a snapshot of the VM before performing an upgrade. This way, it can easily roll back to a known-good state if the VM encounters a problem.

Note: Before rolling back a VM due to problems, ensure the hardware compatibility of the VM is current. For example, on ESX 6.7, ensure the hardware compatibility is set to ESXi 6.7 and later (VM version 14) and update the VM Guest operating system to match the upgraded OS, such as Other/FreeBSD 11 (64-bit).

Pre-Upgrade Reboot

Reboot the firewall before applying an update. This step is optional, but a best practice. If the hardware has a problem, such as a disk issue, then performing a reboot before the upgrade will allow that to be identified early. Otherwise, a hardware issue could be confused with an issue that occurred as a result of the upgrade process. There is still a chance that the upgrade could draw out a hardware issue, such as a disk failing from the writes that happen in the upgrade process, but that is much less common to see in practice.

Packages

Warning: Do not upgrade packages before upgrading pfSense® software. Either remove all packages or leave the packages alone before running the update.

The safest practice is to remove all packages before upgrading to a new release. The upgrade process will handle packages automatically, but packages are frequently a source of problems. To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall when the upgrade is complete.
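The "note the installed packages, remove them, reinstall afterwards" step is easy to get wrong by hand, so here is an added example (not from the pfSense documentation or software) that takes the package list out of the config.xml backup made in the previous step, and after the upgrade diffs it against a fresh backup to show what still needs reinstalling. The `<installedpackages><package><name>` layout is the one pfSense uses in config.xml; the sample XML documents are constructed, and the `pfSense-pkg-<name>` naming used for the suggested reinstall commands is an assumption about how the package repository names packages.

```python
"""Package inventory from pfSense config.xml backups (added example)."""
import xml.etree.ElementTree as ET


def installed_packages(config_xml):
    """Return the sorted, de-duplicated package names recorded in a config.xml
    string. Reads <installedpackages><package><name>; anything else in the
    backup (rules, users, certificates) is ignored."""
    root = ET.fromstring(config_xml)
    names = set()
    for pkg in root.findall("./installedpackages/package"):
        name = pkg.findtext("name")
        if name and name.strip():
            names.add(name.strip())
    return sorted(names)


def packages_to_reinstall(before_xml, after_xml):
    """Packages present in the pre-upgrade backup but absent from the
    post-upgrade backup, i.e. what was removed and not yet put back."""
    before = set(installed_packages(before_xml))
    after = set(installed_packages(after_xml))
    return sorted(before - after)


def reinstall_commands(names):
    """Shell commands for the reinstall step. The pfSense-pkg- prefix is an
    assumption for this example; the GUI package manager is the normal route."""
    return [f"pkg install -y pfSense-pkg-{name}" for name in names]


# Constructed sample backups: three packages before the upgrade, only one
# present afterwards. Element names follow config.xml; values are made up.
BEFORE_XML = """<pfsense>
  <installedpackages>
    <package><name>haproxy</name></package>
    <package><name>acme</name></package>
    <package><name>openvpn-client-export</name></package>
  </installedpackages>
</pfsense>
"""

AFTER_XML = """<pfsense>
  <installedpackages>
    <package><name>acme</name></package>
  </installedpackages>
</pfsense>
"""

if __name__ == "__main__":
    print("before upgrade:", installed_packages(BEFORE_XML))
    print("after upgrade: ", installed_packages(AFTER_XML))
    missing = packages_to_reinstall(BEFORE_XML, AFTER_XML)
    print("still to reinstall:", missing)
    for cmd in reinstall_commands(missing):
        print(" ", cmd)
```

Run it against the real backup with `installed_packages(open("config-before.xml").read())` and keep the printed list next to the backup file; after the upgrade, a second backup and `packages_to_reinstall` give the remaining work, which also catches packages that the upgrade process dropped on its own.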
7.6.2 Version-Specific Notes

This document covers specific concerns which must be taken into account by administrators when upgrading pfSense® software from an older version. Review sections for each intermediate version between the version running on the firewall and the current release.
• Upgrading from versions older than pfSense Plus 21.02.2 or pfSense CE 2.5.1
• Upgrading from versions older than pfSense 2.5.0
• Upgrading from versions older than pfSense 2.4.5-p1
• Upgrading from versions older than pfSense 2.4.4
• Upgrading from versions older than pfSense 2.4.0
• Older Version Upgrade Notes

Upgrading from versions older than pfSense Plus 21.02.2 or pfSense CE 2.5.1

Warning: WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD. If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note: The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel.

Upgrading from versions older than pfSense 2.5.0
• The built-in relayd load balancer has been deprecated and removed as it does not compile or run on pfSense 2.5.0. A copy of the load balancer configuration will be left in /conf/deprecated_load_balancer.xml for reference when converting to an alternate solution, such as HAProxy (HAProxy package).
• PHP was migrated from PHP 7.2 to PHP 7.4. A number of PHP errors were fixed along the way but certain combinations of configuration parameters may result in further errors. Note any problems on the Netgate Forum, and if possible, try to include relevant portions of config.xml with personal data removed.
• Due to the significant nature of the changes in this version of pfSense software, warnings and error messages, particularly from PHP and package updates, are likely to occur during the upgrade process. These errors are primarily seen on the console as the upgrade is applied, but may appear in a crash report once the upgrade completes. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.2 and 12.x and between PHP 7.2 and PHP 7.4.
• See the FreeBSD 12 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.
• OpenSSL was upgraded to 1.1.1a as a part of upgrading to FreeBSD 12.0; this will impact all packages which depend on OpenSSL, especially those not obtained from Netgate. Be aware that this will require obtaining new versions of such packages after the upgrade.

Upgrading from versions older than pfSense 2.4.5-p1
• Upgrading to pfSense software version 2.4.5-p1 requires pfSense-upgrade version 0.70 or later. Most installations will automatically pick up the new version and upgrade normally. If this does not happen automatically and the upgrade to version 2.4.5-p1 is not offered, use the following procedure:
  – Navigate to System > Updates
  – Set Branch to Previous stable version
  – Wait a few moments for the upgrade check to complete
  – Optional: Confirm that the latest version of pfSense-upgrade is present (version >= 0.70) using pkg-static info -x pfSense-upgrade. If the correct version is not present, wait a bit longer and check again as that package may be updating in the background.
  – Set Branch to Latest stable version
  – Wait a few moments for the upgrade check to complete
  At this point, the upgrade check should see 2.4.5-p1 and the upgrade can proceed.
• pfSense software version 2.4.5-p1 includes pkg version 1.13.x which introduces a new metadata version. Most installations will automatically pick up the new version and upgrade normally. In certain cases, especially coming from much older versions, the pkg utility may require a manual update before it can correctly process the new metadata. The pkg utility can be upgraded manually with the following command run from an ssh or console shell:

  # pkg-static bootstrap -f

  See Repository Metadata Version Errors for more details.

Upgrading from versions older than pfSense 2.4.4
• Third party packages from alternate repositories are causing problems for users with the upgrade process and also with post-upgrade behavior. These packages have never been supported, and had to be manually added by users outside of the GUI. Due to the major changes required for FreeBSD 11.2 and PHP 7.2, third party packages from alternate repositories cannot be present during the upgrade. There is no way to predict if a third party package supports the new version or will cause the upgrade itself to fail. The upgrade process will automatically remove pfSense-pkg-* packages installed from alternate repositories. After the upgrade completes, the user can reinstall these packages. Packages from alternate repositories will not appear in the Installed Packages list in the GUI, and must be entirely managed in the command line. This change does not affect packages installed from the official pfSense package repository.
• Using the AutoConfigBackup Service is integrated into pfSense version 2.4.4 and free for all to use. It is no longer an add-on package. It is now located under Services > Auto Config Backup.
• PHP was migrated from PHP 5.6 to PHP 7.2. A number of PHP errors were fixed along the way but certain combinations of configuration parameters may result in further errors. Note any problems on the Netgate Forum or the pfSense subreddit, and if possible, try to include relevant portions of config.xml with personal data removed.
• Due to the significant nature of the changes in this version of pfSense software, warnings and error messages, particularly from PHP and package updates, are likely to occur during the upgrade process. These errors are primarily seen on the console as the upgrade is applied, but may appear in a crash report once the upgrade completes. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.1 and 11.2 and between PHP 5.6 and PHP 7.2.
• Gateway handling changes in 2.4.4 may result in different default gateway behavior than previous releases. Nearly all cases should behave properly, but be aware that it may be necessary to re-select the default gateway after upgrade.
• The FEC LAGG Protocol is deprecated and its options have been removed. #8734
• The login protection daemon was changed from sshlockout_pf to sshguard and the behavior may be more sensitive in some cases to SSH and GUI login failures. For example, be aware of possible issues where probes from monitoring systems may end up triggering a block.
• Major changes to RADIUS for the base system and specifically Captive Portal could lead to behavior changes in certain cases. Read the release notes and associated bug reports for more details. Note any problems on the Netgate Forum or the pfSense subreddit.
• A crash report containing no data (empty) may appear after the upgrade completes. See #8915
• Intel Atom systems containing HD Graphics chipsets may experience console problems after the update. Affected systems will boot successfully, but fail to display console output after the boot menu. To fix the problem, add the following line to /boot/loader.conf.local to use the syscons console type:

  kern.vty=sc

  – Alternately, try using the i915 driver with the standard VT console using these lines in /boot/loader.conf.local:

    i915kms_load="YES"
    drm.i915.enable_unsupported=1

    Warning: This driver will consume extra bus resources and may cause resource hungry add-on hardware to fail, such as multi-port network adapters.
  – Systems with similar console problems not containing a graphics chip supported by the i915 driver may need to reinstall 2.4.4 to use a UEFI console.
• An ISP that supplies a bogus interface MTU via DHCP may cause interface problems with certain network interface types when Advanced Configuration options are present on DHCP interfaces, such as a DHCP WAN. The typical default case is handled automatically, but advanced options override the corrected default behavior. To fix the problem, apply the patch from #8507 or add supersede interface-mtu 0 to the Option modifiers box in the WAN interface advanced DHCP options. If a custom dhclient.conf is in use, add supersede interface-mtu 0 on a line inside the interface block. See #8507. The Advanced Configuration case has been corrected for the next release.

Upgrading from versions older than pfSense 2.4.0
• To use ZFS, a reinstall of the operating system is required. It is not possible to upgrade in-place from UFS to ZFS at this time.
• Wireless interfaces must be created on the Wireless tab under Interfaces > Assignments before they are available for assignment.
• Some hardware devices may not boot 2.4.0 installation images, for example, due to UEFI compatibility changes. These are primarily BIOS issues and not issues with the installer images. Upgrading in place from 2.3.x typically allows affected hardware to run version 2.4.
• To upgrade firewalls in place which are running pfSense software version 2.2.x or earlier, first upgrade the firewall to pfSense 2.3.4 and then perform an update to pfSense 2.4.x afterward. Alternately, reinstall 2.4.x directly and restore the configuration.

Warning: When upgrading to 2.4.x from 2.2.x or earlier, remove all packages before attempting the update. Even when upgrading from 2.3.x this is the best practice to ensure a smooth upgrade process. Package settings are retained.
Older Version Upgrade Notes

Versions of pfSense software prior to 2.3 used a different upgrade method. For “full” installations, a tgz file was used by the firewall to copy in the new files. This method was problematic and is no longer used. The best practice in these cases is to take a backup and reinstall with a current, supported version of pfSense software.

The following information is for upgrading from outdated and unsupported versions of pfSense software. It may still be of use to users attempting to upgrade from an older release to a current, supported, release. When upgrading from a very old release, read every document below that covers versions between the older one being upgraded and the new version.

Upgrading from versions older than pfSense 2.3

See also: For information about upgrading to current versions, see Upgrade Guide.

Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration is automatically retained.

See 2.3 New Features and Changes for a larger list of changes.
• Due to the GUI overhaul, older themes have been removed. All previously chosen themes are reset on upgrade to the default “pfSense” 2.3 theme.
• Status > RRD Graphs moved to Status > Monitoring and has been revamped. The same data, and more, is still accessible but with a modern interface.
• System > Firmware is now System > Update
• System > Packages is now System > Package Manager

Limiters
• On pfSense® software versions 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. Bug #4326
• On pfSense software versions 2.2 and 2.3, limiters cannot be used where pfsync is enabled. This has been fixed on pfSense 2.4.3. Bug #4310

NanoBSD

Warning: NanoBSD has been deprecated as of pfSense 2.4.0-RELEASE. This section remains only for users on i386 hardware with NanoBSD who must upgrade to pfSense 2.3.5-p2. In most cases, a normal installation may be used in place of NanoBSD. Activating the option to keep /var and /tmp in RAM can typically yield the same net benefits for older/slower CF and SD media. Firewalls with modern SSDs should have no concerns with writes.

1GB NanoBSD images have been removed as they were too small to properly function and upgrade. If a 1GB NanoBSD image is in use, it cannot be upgraded. It must be re-imaged on a larger card using the 4GB or 2GB image or converted to a full installation.

Package System
• Due to the package system overhaul, any custom package repository settings are removed so the firewall will pull package information directly from pfSense servers.
• We highly recommend uninstalling all packages before upgrading.

Removed features that are disabled on upgrade
• Groups with spaces are no longer permitted. They are not allowed at the OS level and were not functioning properly. On upgrade, such groups are renamed with an underscore (‘_’) in place of a space.
• The “Enable” checkbox for IPsec has been removed. If IPsec was disabled, all Phase 1 entries are disabled automatically on upgrade.
• The Unity plugin for IPsec has been disabled by default, where it was previously enabled by default. This is preferable for the vast majority of users, however those using mobile IPsec with IKEv1 may need to enable it under VPN > IPsec, Advanced tab.
• The apinger daemon for gateway monitoring has been replaced by dpinger. Due to the differences in settings between the two, many advanced gateway parameters are reset on upgrade.
• The PPTP Server has been removed. If the PPTP server was in use, seek alternate solutions such as IPsec or OpenVPN. Do not continue to use PPTP.
  – The PPTP server settings, firewall rules, and so on have all been removed
  – If the “Redirect” PPTP server type was in use, add manual NAT rules for TCP/1723 and GRE to point to the actual server.
• Layer 7 classification support has been removed and any configuration using L7 is automatically removed on upgrade.
• WEP support has been removed from Wireless interfaces, and if a wireless interface was using WEP, the interface is deactivated on upgrade.
• Single DES support has been removed from IPsec; if a Phase 1 or Phase 2 entry was using DES, it is deactivated on upgrade.
  – Note: 3DES support is still present. Only the older and insecure single DES option was removed.
• The Live CD platform has been removed. The ISO is a bootable installer, as always, but it cannot run a live system.
  – For the very few people who were still using Live CD: If the hardware can boot from USB, install to a USB thumb drive and run from it instead. Use the options to keep /var and /tmp in RAM, and do not install packages; the net result should be similar but ultimately more functional.
• Some obsolete password hashes, such as nt-hash, are removed from users on upgrade. There was no remaining code on pfSense that utilized these hashes, so there should be no loss of functionality.
• Support for fifolog was removed, and logging will revert to clog format on upgrade.
• The net.inet.ip.fastforwarding tunable is no longer present, and is unset on upgrade.
• Some PHP modules, such as MySQL, were included by default on previous versions but are no longer a part of the base system on 2.3. They are available as packages that may be installed manually from the shell (e.g. pkg install php56-mysql).

New features that may require action
• The default system password hash has been changed to bcrypt. Current passwords will continue to work. Existing users need to reset their password to convert to the new, more secure, hash. #4120
• A new option was added to Captive Portal for FreeRADIUS-friendly stop/start RADIUS accounting updates that solves problems with user session time limits. If stop/start RADIUS accounting is being used with FreeRADIUS, the new option should be activated manually.

Upgrading from a 2.3 Snapshot
• If a firewall was upgraded to 2.3 before Jan 21, 2016, some files from 2.2.x or earlier packages may still be left behind that can prevent new packages from installing properly. Run the following command to clean up outdated symlinks that are not relevant for 2.3:

  find / -type l -lname '/usr/pbi/*' -delete

Multi-WAN Weighted Load Balancing

There is a quirk in pf handling of weighted load balancing where load balancing fails when one gateway has a weight of 1 and another gateway has a weight >1. Coming from 2.2.x, if this scenario applies, simply double the assigned weights. For example: WAN1 = 1, WAN2 = 5 on 2.2.x should be WAN1 = 2, WAN2 = 10 on 2.3.

Captive Portal

Due to the change in the web server from lighttpd to nginx, in some cases the portal HTML must be updated to include the zone parameter.
On 2.3.1 and later the web server process attempts to handle this automatically, but it is best to include the HTML in the portal page directly, inside the form tag:

<input name="zone" type="hidden" value="$PORTAL_ZONE$">

Upgrading from versions older than pfSense 2.2

See also: For information about upgrading to current versions, see Upgrade Guide.

Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration is automatically retained.

Limiters
• On pfSense® software versions 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. Bug #4326
• On pfSense software versions 2.2 and 2.3, limiters cannot be used where pfsync is enabled. This has been fixed on pfSense 2.4.3. Bug #4310

IPsec Changes

The IPsec daemon was changed from racoon to strongSwan. Existing configurations work the same as always, but if any unusual configurations are present, take care in testing after the upgrade. Changes in behavior because of this change may trigger bugs in remote endpoints that weren’t previously an issue. Configurations that were always technically incorrect may exhibit problems now where they didn’t previously. We have listed the circumstances we are aware of here, and will expand upon this list if anything new is found.

Problem in racoon with aggressive mode and NAT-D

Those using racoon (pfSense 2.1.x and earlier, among a variety of other similar products) on remote endpoints with aggressive mode may encounter a bug in racoon related to NAT-D and aggressive mode. Any site to site IPsec VPNs using aggressive mode with racoon as a remote endpoint should change to main mode to prevent this from being an issue. Main mode is always preferable for its stronger security.

glxsb Crypto Accelerator Warning

For those using the glxsb crypto accelerator in the ALIX and other devices with Geode CPUs, only AES 128 bit is supported by those cards. Any key length > 128 bit has never worked, and must not be configured. There appear to be circumstances where AES on “auto” with racoon preferred 128 bit where strongSwan prefers the strongest available and is choosing 256 bit, which glxsb breaks. Input validation in 2.2.1 prevents such invalid configurations when adding configurations or making changes, however existing configurations are not changed. If using glxsb and AES, ensure both phase 1 and phase 2 configurations all use AES 128 only and never auto.

Mobile client users, verify Local Network

For mobile IPsec clients, clients could pass traffic in certain circumstances without having specified the necessary matching local network in the mobile phase 2 configuration. The “Local Network” specified in mobile IPsec phase 2 must include all networks mobile clients need to reach. If mobile IPsec clients need to access the Internet via IPsec, the mobile phase 2 must specify 0.0.0.0/0 as the local network.

Stricter Phase 1 Identifier Validation

In 2.1.x and earlier versions, racoon could accept mismatched phase 1 identifiers where using IP Address as the identifier. This is most commonly a problem where one of the endpoints is behind NAT and phase 1 is using My IP Address and Peer IP Address for identifiers. On the side with the private IP WAN, My IP Address will be its private WAN IP address. On the opposite end, Peer IP Address will be the public IP address of the opposite side. Hence, these two values do not match, and should have resulted in a connection failure. racoon would fall back to checking the source IP address of the initiating host as an identifier, where it found the match. To resolve this issue, change the phase 1 identifiers so they actually match.

Phase 2 behavior change with incorrect network addresses

In 2.1.x and earlier versions a phase 2 configuration with an incorrect network address would still be presented by racoon with the corrected network address. For example, if 192.168.1.1/24 is set in a phase 2, which should be 192.168.1.0/24, racoon used it as 192.168.1.0/24. In 2.2.x and newer versions, strongSwan sends it exactly as configured. This may result in a phase 2 mismatch where configured with an incorrect network address.

Disk Driver Changes

The disk drivers in FreeBSD changed between the underlying OS versions and now the CAM-based ATA drivers and AHCI are used by default. As such, ATA disks are labeled as /dev/adaX rather than /dev/adX. The ada driver for ATA disks and GEOM keeps legacy aliases in place so that old disk references will still work post-upgrade. This does not always extend to virtualized disk drivers, however (see the Xen note below). The upgrade process on pfSense 2.3 and 2.4 also attempts to automatically correct for this change. A manual workaround is also possible.
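Since existing configurations are not re-validated on upgrade, the IPsec points in this section lend themselves to a pre-upgrade check. The following is an added example (not from the pfSense documentation or software) that applies three of them to a list of phase 2 entries: on glxsb hardware any AES key length other than 128, including "auto", is flagged; the mobile phase 2 Local Network is checked for coverage of the networks mobile clients need (0.0.0.0/0 when they reach the Internet through the tunnel); and a network with host bits set, such as 192.168.1.1/24, is reported with its corrected value, since strongSwan sends the entry exactly as configured (see the phase 2 behavior change noted later in this section). The entries are constructed, and their dict layout is an assumption made for the example rather than the config.xml format.

```python
"""Pre-upgrade sanity checks for IPsec phase 2 entries (added example)."""
import ipaddress

GLXSB_AES_BITS = {128}   # the only AES key length the glxsb accelerator supports


def normalize_network(cidr):
    """Return (valid, normalized). valid is False when host bits are set
    (192.168.1.1/24); normalized is the proper network address, or None when
    the string is not a network at all."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        strict_ok = True
    except ValueError:
        strict_ok = False
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False, None
    return strict_ok, str(net)


def uncovered_networks(local_networks, required):
    """Networks mobile clients must reach that no Local Network entry covers.
    0.0.0.0/0 is only covered by 0.0.0.0/0 itself, which matches the note
    about Internet access through the tunnel."""
    locals_ = [ipaddress.ip_network(n) for n in local_networks]
    missing = []
    for r in required:
        rnet = ipaddress.ip_network(r)
        if not any(rnet.version == l.version and rnet.subnet_of(l) for l in locals_):
            missing.append(r)
    return missing


def check_phase2(entries, glxsb=False):
    """entries: dicts with name, local, remote (None for mobile entries),
    encryption and keylen (0 meaning 'auto'). Returns (entry name, problem)
    tuples in the order the entries appear."""
    problems = []
    for e in entries:
        for side in ("local", "remote"):
            if e.get(side) is None:
                continue
            ok, fixed = normalize_network(e[side])
            if fixed is None:
                problems.append((e["name"], f"{side} network {e[side]!r} is not a valid network"))
            elif not ok:
                problems.append((e["name"],
                                 f"{side} network {e[side]} has host bits set; change it to {fixed}"))
        if glxsb and e["encryption"].lower() == "aes":
            if e["keylen"] == 0:
                problems.append((e["name"],
                                 "AES key length 'auto' can negotiate 256 bit, which glxsb cannot handle; set 128"))
            elif e["keylen"] not in GLXSB_AES_BITS:
                problems.append((e["name"],
                                 f"AES {e['keylen']} bit is not supported by glxsb; only 128 bit works"))
    return problems


# Constructed sample phase 2 entries (layout assumed for this example).
SAMPLE_ENTRIES = [
    {"name": "site-a lan", "local": "192.168.1.1/24", "remote": "10.0.0.0/24",
     "encryption": "aes", "keylen": 128},
    {"name": "mobile clients", "local": "0.0.0.0/0", "remote": None,
     "encryption": "aes", "keylen": 0},
    {"name": "site-b", "local": "172.16.5.0/24", "remote": "172.16.9.0/24",
     "encryption": "aes", "keylen": 256},
]

if __name__ == "__main__":
    for name, problem in check_phase2(SAMPLE_ENTRIES, glxsb=True):
        print(f"[{name}] {problem}")
    print("mobile clients cannot reach:",
          uncovered_networks(["10.0.0.0/24"], ["10.0.0.0/24", "0.0.0.0/0"]))
```

Run with `glxsb=False` on hardware without the accelerator; the network checks still apply there. The host-bits check deliberately reports the corrected address rather than silently fixing it, because the remote side must be changed to match as well.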
Running /usr/local/sbin/ufslabels.sh before the upgrade will convert /etc/fstab to UFS labels rather than disk device names, bypassing any device name issues that could arise due to the switch.

There is a chance that the new driver stack will have issues with certain controller/disk combinations that were not present in prior releases. There may be BIOS changes or other workarounds to help. See Boot Troubleshooting.

The methods used to disable DMA and write caching have both changed on FreeBSD 10.x. For most, disabling these manually is no longer necessary. If disabling DMA is necessary, the following may be used in /boot/loader.conf.local:

hint.ata.X.mode=PIO4

Change X to be the ATA controller ID, typically 0 or 1. If write caching must be disabled, the following may be used in /boot/loader.conf.local:

kern.cam.ada.write_cache=0
Xen Users

The FreeBSD base used by pfSense 2.2 and later includes PVHVM drivers for Xen in the kernel. This can cause Xen to automatically change the disk and network device names during an upgrade to pfSense 2.2 or later, which the hypervisor should not do but does anyway. The disk change can be worked around by running /usr/local/sbin/ufslabels.sh before the upgrade to convert /etc/fstab to UFS labels rather than disk device names. The NIC device change issue has no workaround. Manual reassignment is required.

vmxnet3 (VMware/ESX) users

Users who manually installed VMware Tools to use vmxnet3 network adapters may encounter an issue with interface name changes when upgrading to pfSense 2.2 or later, similar to those with Xen mentioned above. In pfSense 2.1.x the vmxnet3 interfaces were named starting with vmx3f and on pfSense 2.2.x they are vmx using the built-in support. Manually reassigning the interfaces or correcting them in config.xml followed by a restore is required.

Old/Broken GEOM Mirrors

If a manual gmirror configuration was performed post-install, rather than using the pfSense installer gmirror option before install, there is a chance that the mirror will not function on pfSense 2.2 or later because the manual post-install method did not create a proper mirror setup. If an upgraded mirror does not boot or function on pfSense 2.2 or later, use the following entry to work around the integrity check that would otherwise fail. Add the following line to /boot/loader.conf.local:

kern.geom.part.check_integrity=0

If the disks are configured in this way, we strongly recommend backing up the configuration and reinstalling, using one of the mirrored disk options in the pfSense installer.

CARP Changes

Due to the new CARP subsystem, the old method of having a virtual interface for CARP VIPs is no longer available.
CARP VIPs work more like IP Alias style VIPs, existing directly on the main interface. For most, the changes made to accommodate this new system will be transparent, but there are some potential issues, such as:

• With no separate interface available, monitoring a CARP VIP status via SNMP is no longer possible.

FTP Proxy

The FTP proxy is not included in pfSense 2.2-RELEASE or later, due to changes in the kernel and state table handling that made it more difficult to implement. Use of FTP is strongly discouraged as credentials are transmitted insecurely in plain text. #4210

See FTP without a Proxy for additional information and workarounds. Another option is the recently added FTP Client Proxy package which leverages in FreeBSD to allow clients on local interfaces to reach remote FTP servers with active FTP.
LAGG LACP Behavior Change

LAGG using LACP in FreeBSD 10.0 and newer defaults to “strict mode”, which means the lagg does not come up unless the attached switch is speaking LACP. This will cause a LAGG to not function after upgrade if the switch is not using active mode LACP. To retain the lagg behavior of pfSense 2.1.5 and earlier versions, add a new system tunable under System > Advanced, System Tunables tab for the following:

net.link.lagg.0.lacp.lacp_strict_mode

with the value set to 0. This can be added before upgrading to 2.2 to ensure the same behavior on first boot after the upgrade. It will result in a harmless cosmetic error in the logs on 2.1.5 since the value does not exist in that version.

If a firewall has more than one LAGG interface configured, enter a tunable for each instance since that is a per-interface option. For lagg1, add the following:

net.link.lagg.1.lacp.lacp_strict_mode

also with the value set to 0.

Intel 10Gbit/s ixgbe/ix users with Unsupported SFP modules

The sysctl to allow unsupported SFP modules changed in FreeBSD between the versions used for pfSense 2.1.x and 2.2. The old tunable was:

hw.ixgbe.unsupported_sfp=1

This must be changed to:

hw.ix.unsupported_sfp=1

Edit the setting in /boot/loader.conf.local before applying the update and the behavior will be retained.

Layer 7

Layer 7 is deprecated and has been removed. For layer 7 application identification and filtering we recommend using the Snort IDS/IPS package with OpenAppID detectors and rules.

Microsoft Load Balancing / Open Mesh Traffic

Windows Network Load Balancing and Open Mesh access points can use multicast MAC address destinations which rely on broken behavior that was incorrectly allowed by default in earlier versions of FreeBSD and pfSense. The fact it worked before was technically a bug, acting in violation of RFC 1812:
    A router MUST not believe any ARP reply that claims that the Link Layer address of another host or router is a broadcast or multicast address.

The default behavior on pfSense 2.2 is correct, but it may be changed. If this behavior is required, manually add a tunable as follows:
• Navigate to System > Advanced, System Tunables tab
• Click
• Enter the following values:
  – Tunable: net.link.ether.inet.allow_multicast
  – Description: Optional. It would be wise to enter the URL to this note or a similar note.
  – Value: 1
• Click Save

Upgrading from versions older than pfSense 2.1

See also: For information about upgrading to current versions, see Upgrade Guide.

Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration is automatically retained.

See the HA section at the end of this document for a High Availability-specific pfsync note about pfSense® software version 2.1 upgrades.

The State Killing on Gateway Failure feature (System > Advanced, Miscellaneous tab) now kills ALL states when a gateway has been detected as down, not only states on the failing WAN. This is done because otherwise the LAN-side states were not killed appropriately, and thus some connections would be in limbo, especially SIP. Due to the change in its behavior, State Killing on Gateway Failure is disabled by default in new configurations and is disabled during upgrade to pfSense 2.1.x from 2.0.x or before regardless of the user’s previously chosen setting. If the feature is desired even with its new behavior, it must be manually re-enabled post-upgrade.

The Allow IPv6 checkbox is NOT changed on upgrade, unlike it was in early pfSense 2.1 BETA snapshots. This was changed so that the user’s chosen existing behavior is preserved. To allow IPv6 traffic after an upgrade, the setting must be changed manually. This setting is located on System > Advanced on the Networking tab. It defaults to allowed for new configurations.
Changes to policy route negation between pfSense 2.0.x and 2.1 may result in local/private traffic hitting policy routing rules that would not have happened on pfSense 2.0.x. This most commonly presents as an inability to reach local networks after upgrading. The automatic policy route negation rules on pfSense 2.0.x were too lenient, and that behavior was corrected. To ensure proper routing to other local interfaces, VPNs, or static route networks, rules must be added to the local interfaces to pass traffic to these destinations without a gateway set. That rule must be above any others that would match and have a gateway set.
Upgrading High Availability Deployments

If upgrading from any previous version of pfSense (1.2.x, 2.0.x, etc.) to pfSense 2.1 or later in an HA environment, ensure that the pfsync interface has a rule to pass the correct traffic for state synchronization to work properly. pfSense 2.1 removed the automatic pfsync rule, since the documentation always recommended adding it manually, and adding it behind the scenes with no way to block it could be counter-productive and potentially insecure. If the documentation was not followed, and a pfsync or allow-all rule was not created on the sync interface, state synchronization may break after this upgrade. Add an appropriate rule to the sync interface and it will work again. At a minimum, pass traffic of the pfsync protocol from a source of the synchronization subnet to all cluster nodes.

Upgrading from versions older than pfSense® 2.0

See also: For information about upgrading to current versions, see Upgrade Guide.

Warning: Uninstalling all packages is required when upgrading from old releases. Packages must be removed before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration is automatically retained.

Note for users of the OpenVPN Status Package

If a manual management directive was entered into the Advanced Configuration of an OpenVPN client or server, it must be removed. The OpenVPN status code is built into pfSense® software version 2.x and later, and it is handled internally. The management directive must be removed or the status of the VPN instance will not be properly reported.

Note for Captive Portal RADIUS WISPr Bandwidth Users

The WISPr RADIUS attributes were incorrectly applied in all versions prior to pfSense 2.0-RELEASE.
They were applied as Kbps where WISPr is supposed to be bps, hence those using WISPr attributes will have one one-thousandth of the previous bandwidth unless the RADIUS server is corrected. The RADIUS server will need to have these values updated to bps for proper functionality once the firewall has been upgraded to pfSense 2.0-RELEASE or later.

International/Special Characters in 1.2.x Configurations

International characters, such as åäö and so on, were not supported on pfSense 1.2.x, but were allowed in some places due to overly lenient input validation and less strict XML parsing. These characters cause invalid XML when they are stored directly, and as such, if pfSense 1.2.x did not crash and toss out the configuration with such characters, it will not upgrade to any current version of pfSense software. pfSense software version 2.0 and later will reset and toss out the config.xml on every reboot if it contains these characters bare, leaving the firewall at an “assign interfaces” prompt since it does not have a valid configuration. The config.xml file can be run through an XML parser such as xmllint and the parser will show where problems exist, if any. Fix the errors, and then the corrected configuration can be used for an upgrade. The good news is that these characters are handled properly in most areas of the current pfSense GUI, and they are CDATA escaped so they are safe from such errors.
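The following script is an added example, not part of the pfSense documentation or the project's code: it performs the same well-formedness check as the xmllint step above, reports the offending line, and also flags non-ASCII text stored bare (outside CDATA) so it can be reviewed before an upgrade. Both config.xml snippets are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

CDATA_RE = re.compile(r"<!\[CDATA\[.*?\]\]>", re.S)


def check_config_xml(data: bytes) -> list:
    """Return a list of problems found in a config.xml given as raw bytes.

    Two checks, in the order the failures would surface on a real upgrade:
    1. bytes that are not valid UTF-8 (a Latin-1 'ä' stored bare, as pfSense
       1.2.x allowed, is the classic case);
    2. XML well-formedness, the same check xmllint performs.
    """
    problems = []
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as err:
        line = data[: err.start].count(b"\n") + 1
        problems.append(
            f"line {line}: byte 0x{data[err.start]:02x} is not valid UTF-8"
        )
    try:
        ET.fromstring(data)
    except ET.ParseError as err:
        line, col = err.position
        problems.append(f"line {line}, column {col}: {err}")
    return problems


def bare_non_ascii(text: str) -> list:
    """Return (line_number, characters) for non-ASCII text outside CDATA.

    Valid UTF-8 outside CDATA parses fine, but current pfSense versions wrap
    such values in CDATA, so bare occurrences are worth a look. Each CDATA
    block is replaced by the newlines it contained so line numbers stay true.
    """
    stripped = CDATA_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    hits = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        chars = "".join(c for c in line if ord(c) > 127)
        if chars:
            hits.append((lineno, chars))
    return hits


# Constructed sample: a 1.2.x-style config.xml with bare Latin-1 bytes
# (0xf6 "ö", 0xe4 "ä") on line 5, invalid in a UTF-8 XML document.
SAMPLE_BROKEN = (
    b'<?xml version="1.0"?>\n'
    b"<pfsense>\n"
    b"  <system>\n"
    b"    <hostname>fw</hostname>\n"
    b"    <descr>Kontor i Malm\xf6 \xe4</descr>\n"
    b"  </system>\n"
    b"</pfsense>\n"
)

# Constructed sample: the same value stored the way current versions do it,
# UTF-8 encoded and CDATA escaped.
SAMPLE_FIXED = (
    '<?xml version="1.0"?>\n'
    "<pfsense>\n"
    "  <system>\n"
    "    <hostname>fw</hostname>\n"
    "    <descr><![CDATA[Kontor i Malmö ä]]></descr>\n"
    "  </system>\n"
    "</pfsense>\n"
).encode("utf-8")


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_config_xml(sample) or "OK")
        print("  bare non-ASCII:", bare_non_ascii(sample.decode("utf-8", "replace")))
```

To check a real file, read it in binary mode and pass the bytes to check_config_xml; decoding it first would hide exactly the byte-level fault the script is looking for.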
Upgrading High Availability Deployments

When upgrading from pfSense 1.2.3 to 2.0 or later, check the CARP VIPs to make sure they are actually on the proper interface. That is, that the interface chosen for the VIP properly matches the subnet in which the CARP VIP resides, and that the subnet mask is proper. pfSense 2.0 validates this more strictly than previous releases, and as a consequence, if a CARP VIP was misconfigured on pfSense 1.2.3, it may not upgrade cleanly.

7.6.3 Perform the Upgrade

There are several methods available to update an installation of pfSense® software. Either the WebGUI or the console can be used.

Note: Before performing an upgrade, read through the entire Upgrade Guide. If problems occur during the upgrade process, consult Troubleshooting Upgrades for assistance.

Upgrading using the GUI

The Automatic Update check feature contacts a Netgate server and determines if there is a release version newer than the version on the firewall. This check is performed when an administrator visits the dashboard or System > Update. To perform the upgrade in the GUI:

• Navigate to System > Update or click in the System Information dashboard widget next to the new version notification.
• Click Confirm to start the update
• Wait for the upgrade to complete

The update takes a few minutes to download and apply, depending on the speed of the Internet connection being used and the speed of the firewall hardware. The firewall will reboot automatically when finished.

Tip: Monitor the firewall console during the upgrade if possible to watch for potential problems.

Upgrading using the Console

An update may also be run from the console. The console option is available from any available means of console access: Video/Keyboard, Serial Console, or SSH.
• Connect to the firewall console or login via ssh
• Enter menu option 13
• Wait for the upgrade to complete

Alternately, from a shell prompt running as root, manually execute the following command:

# pfSense-upgrade
Tip: When upgrading from SSH, the GNU screen utility can be a useful tool to monitor the upgrade process in environments where the connection to the firewall is unstable:

# pkg install screen
# rehash
# screen pfSense-upgrade

Reinstalling / Upgrading Configuration

If an upgrade will not function properly on an existing installation, the configuration file can be restored to a freshly installed copy of pfSense software. An older configuration can always be imported into a new version. The upgrade code will make necessary changes to the configuration so it will work with the current version of the software. See Backup and Recovery for details.

7.6.4 Upgrading High Availability Clusters

This page provides guidance on upgrading redundant firewalls (CARP, pfsync, XMLRPC config sync) across major versions of pfSense® software. Upgrading from one version to another generally follows this procedure; exceptions are noted later in the page.

• Review changelog/blog/upgrade guide
• Take a backup from both nodes. Do not skip this step!
• Upgrade secondary as described in the Upgrade Guide
• Test secondary to be sure it is operating OK: expected packages present, services running, no obvious errors in logs, etc.
• Switch CARP to maintenance mode on primary from Status > CARP
• Ensure traffic is still flowing properly and that the network is functional. If it is not, then exit maintenance mode on the primary, fix the secondary, then try again.
• Upgrade primary as described in the Upgrade Guide
• Check primary to ensure it upgraded OK: expected packages present, services running, no obvious errors in logs, etc.
• Exit maintenance mode on primary
• Test again

XMLRPC Config Sync Considerations

Upgrade either the primary or the secondary first, leaving the other on the older version until testing is complete.
Supported versions of pfSense software from the last several years properly check for and prevent unintentionally synchronizing data between incompatible versions.
pfsync considerations

The underlying pfsync protocol often changes between FreeBSD versions. Versions of pfSense software with a different base OS version of FreeBSD cannot sync their states between each other. Failover will still function, but not stateful failover, so all existing connections will be dropped.

pfsync and Interface-bound States

States contain information about the interface to which they are bound. If the interfaces do not line up on both nodes then the states will not properly sync, for example if WAN is ix0 on one node and igb0 on the other. Adding interfaces to LAGGs can work around this, since then the states would be bound to the lagg on each node rather than the underlying interface. For example, lagg0 on primary contains ix0, lagg0 on secondary contains igb0, but the states are on lagg0 for both so sync will function.

CARP considerations

CARP is generally the same between versions and will fail over and back as expected.

See also:
• Troubleshooting Upgrades

7.6.5 Update Settings

Branch / Tracking Snapshots

By default, the update check looks for officially released versions of pfSense software, but this method can also be used to track development snapshots. To change the branch used for updates:

• Navigate to System > Update
• Set the Branch to the desired type of updates
• Wait for the page to refresh and perform a new update check

The branch list will vary depending on the current development cycle. Examples of options that may be found in the list include:

Latest Stable Version
Stable versions are the best option, as they see the most testing and are reasonably safe and trouble-free. However, as with any upgrade, read the changelog and update notes for that release.

pfSense Plus Upgrade
Upgrade a system from pfSense CE software to pfSense Plus software. Present on registered systems with access to pfSense Plus software repositories.
See also: See Migrate from pfSense® CE software to Netgate pfSense Plus software for details on migrating to pfSense Plus software.

Previous Stable Version (Deprecated)
A pointer to the previous release so that firewalls may pull packages and update files from the previous release while waiting for a maintenance window or similar upgrade opportunity. May also be labeled “Legacy”.
Latest Development Snapshots
Tracks development snapshot builds. These may either be snapshots for the next minor or major version depending on the status of the development cycle.

Next Major Version
Tracks snapshots for the next major update version. This is riskier, but in some cases may be required for newer hardware or new features that are not yet released. Consult the forum and test in a lab to see if these snapshots are stable in a particular environment.

Warning: Do not run development versions of pfSense software in production environments.

Dashboard Check

The Dashboard Check checkbox on System > Update, Update Settings tab controls whether or not the System Information widget on the dashboard performs an update check. On firewalls with low resources or slow disks, disabling this check will reduce the load caused by running the check each time an administrator views the dashboard.

Boot Environments

The Automatic Creation checkbox controls whether or not the firewall automatically creates a new ZFS Boot Environment when performing an upgrade. Administrators may choose to disable this, for example, if disk space is constrained and ZFS Boot Environments are not desired, or if they wish to manage ZFS Boot Environments manually.

See also: See ZFS Boot Environments (Plus Only) for more information.

GitSync

This section is for developers and should not be used by end users. Leave settings in this area empty or disabled.

7.7 Migrate from pfSense® CE software to Netgate pfSense Plus software

Netgate now offers the ability to migrate from the Community Edition (CE) of pfSense® software to pfSense Plus software. This enables users with virtual machines or hardware not sold by Netgate to utilize the advantages of pfSense Plus software.

pfSense Plus Software Migration Procedure

• Requirements
• Obtain an Activation Token
• Register and Migrate
7.7.1 Requirements

To perform this migration:

• The firewall must be running pfSense CE software version 2.6.0 or later. Before starting, take one of the following steps:
  – Perform a fresh install of at least pfSense CE software version 2.6.0 by following the installation guide.
  – Upgrade an existing installation of pfSense CE software to version 2.6.0 or later by following the upgrade guide.
• The firewall must be connected to the Internet to perform the migration.

Warning: The migration process preserves the existing filesystem type, so ensure that a firewall is in the intended state before upgrading. For example, install pfSense CE software using ZFS so that it can use pfSense Plus software with ZFS.

7.7.2 Obtain an Activation Token

Activation tokens are generated by the Netgate Store. To obtain a token, follow these steps:

• Visit the Netgate Store
• Create a new account or log into an existing account
• Visit the pfSense Plus Software Subscription product page
• Select the desired Software Type
• Add the product to the cart
• Complete the checkout process

After completing the checkout process the store will send an activation token by e-mail to the address on the Netgate Store account.

Tip: If the activation e-mail does not arrive in a timely manner, check spam or junk mail folders in the e-mail client.

Warning: Activation tokens are single use. Ensure the pfSense CE software installation is functional and is in the intended configuration before performing the migration.

7.7.3 Register and Migrate

• Navigate to System > Register in the pfSense CE software GUI
• Paste the Activation Token into the text area on the page
• Click Register

The page will display a message indicating the registration results. If the registration was successful, continue. If registration failed, contact Netgate TAC.
• Navigate to System > Update. The page will contain a message announcing the pfSense Plus software migration branch.
• Set Branch to pfSense Plus Upgrade as seen in figure pfSense Plus Software Branch Selection.
• Wait for the firewall to complete the update check
• Click Confirm to confirm and start the migration process

Fig. 18: pfSense Plus Software Branch Selection

The migration process will proceed from there and reboot when it is complete. This may take several minutes to complete, especially in locations with slow download speeds. Monitor the console for progress.

Warning: Do not manually reboot or remove power from the device until the migration completes, as this may interrupt the process and cause it to fail.

Congratulations, the firewall is now running pfSense Plus software!

See also:
• Virtualization
• Connect to the Console
• Troubleshooting Installation Issues
• Troubleshooting Upgrades
• Troubleshooting Disk and Filesystem Issues
CHAPTER EIGHT

CONFIGURATION

8.1 Setup Wizard

The first time a user logs into the pfSense® software GUI, the firewall presents the Setup Wizard automatically. The first page of the wizard is shown in Figure Setup Wizard Starting Screen. Click Next to proceed.

Tip: Using the setup wizard is optional. Click the logo at the top left of the page to exit the wizard at any time.

Fig. 1: Setup Wizard Starting Screen

The next screen of the wizard explains the availability of support from Netgate. Click Next again to start the configuration process using the wizard.
8.1.1 General Information Screen

The next screen (Figure General Information Screen) configures the name of this firewall, the domain in which it resides, and the DNS servers for the firewall.

Hostname
The Hostname is a name that should uniquely identify this firewall. It can be nearly anything, but must start with a letter and it may contain only letters, numbers, or a hyphen.

Domain
Enter a Domain, e.g. example.com. If this network does not have a domain, use <something>.home.arpa, where <something> is another identifier: a company name, last name, nickname, etc. For example, company.home.arpa. The hostname and domain name are combined to make up the fully qualified domain name of this firewall.

Primary/Secondary DNS Server
The IP address of the Primary DNS Server and Secondary DNS Server, if known. These DNS servers may be left blank if the DNS Resolver will remain active using its default settings. The default configuration has the DNS Resolver active in resolver mode (not forwarding mode); when set this way, the DNS Resolver does not need forwarding DNS servers as it will communicate directly with Root DNS servers and other authoritative DNS servers. To force the firewall to use these configured DNS servers, enable forwarding mode in the DNS Resolver or use the DNS Forwarder. If this firewall has a dynamic WAN type such as DHCP, PPTP or PPPoE, these may be automatically assigned by the ISP and can be left blank.

Note: The firewall can have more than two DNS servers; add more under System > General Setup after completing the wizard.

Override DNS
When checked, a dynamic WAN ISP can supply DNS servers which override those set manually. To force the use of only the DNS servers configured manually, uncheck this option.

See also: For more information on configuring the DNS Resolver, see DNS Resolver.

Click Next to continue.
8.1.2 NTP and Time Zone Configuration

The next screen (Figure NTP and Time Zone Setup Screen) has time-related options.

Time server hostname
A Network Time Protocol (NTP) server hostname or IP address. Unless a specific NTP server is required, such as one on LAN, the best practice is to leave the Time server hostname at the default 2.pfsense.pool.ntp.org. This value will pick a set of random servers from a pool of known-good NTP hosts. To utilize multiple time server pools or individual servers, add them in the same box, separating each server by a space. For example, to use three NTP servers from the pool, enter:

0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org

This numbering is specific to how .pool.ntp.org operates and ensures each address is drawn from a unique pool of NTP servers so the same server does not get used twice.

Timezone
Choose a geographically named zone which best matches the location of this firewall, or any other desired zone.
Fig. 2: General Information Screen

Click Next to continue.

Fig. 3: NTP and Time Zone Setup Screen

8.1.3 WAN Configuration

The next page of the wizard configures the WAN interface of the firewall. This is the external network facing the ISP or upstream router, so the wizard offers configuration choices to support several common ISP connection types.

WAN Type
The Selected Type (Figure WAN Configuration) must match the type of WAN required by the ISP, or whatever the previous firewall or router was configured to use. Possible choices are Static, DHCP, PPPoE, and PPTP. The default choice is DHCP because it is the most common, and for the majority of cases this setting allows a firewall to “Just Work” without additional configuration. If the WAN type is not known, or specific settings for the WAN are not known, this information must be obtained from the ISP. If the required WAN type is not available in the wizard, or to read more information about the different WAN types, see Interface Types and Configuration.

Note: If the WAN interface is wireless, additional options will be presented by the wizard which are not covered during this walkthrough of the standard Setup Wizard. Refer to Wireless, which has a section on Wireless WAN, for additional information. If any of the options are unclear, skip the WAN setup for now, and then perform the wireless configuration afterward.

Fig. 4: WAN Configuration

MAC Address
This field, shown in Figure General WAN Configuration, changes the MAC address used on the WAN network interface. This is also known as “spoofing” the MAC address.

Note: The problems alleviated by spoofing a MAC address are typically temporary and easily worked around. The best course of action is to maintain the original hardware MAC address, resorting to spoofing only when absolutely necessary.

Changing the MAC address can be useful when replacing an existing piece of network equipment. Certain ISPs, primarily Cable providers, will not work properly if a new MAC address is encountered. Some Internet providers require power cycling the modem, others require registering the new address over the phone. Additionally, if this WAN connection is on a network segment with other systems that locate it via ARP, changing the MAC to match an older piece of equipment may also help ease the transition, rather than having to clear ARP caches or update static ARP entries.

Warning: If this firewall will ever be used as part of a High Availability Cluster, do not spoof the MAC address.

Maximum Transmission Unit (MTU)
The MTU field, shown in Figure General WAN Configuration, can typically be left blank, but can be changed when necessary. Some situations may call for a lower MTU to ensure packets are sized appropriately for an Internet connection.
In most cases, the default assumed values for the WAN connection type will work properly.

Maximum Segment Size (MSS)
MSS, shown in Figure General WAN Configuration, can typically be left blank, but can be changed when necessary. This field enables MSS clamping, which ensures TCP packet sizes remain adequately small for a particular Internet connection.

Static IP Configuration
If the “Static” choice for the WAN type is selected, the IP address, Subnet Mask, and Upstream Gateway must all be filled in (Figure Static IP Settings). This information must be obtained from the ISP or whoever controls the network on the WAN side of this firewall. The IP Address and Upstream Gateway must both reside in the same Subnet.

DHCP Hostname
This field (Figure DHCP Hostname Setting) is only required by a few ISPs. This value is sent along with the DHCP request to obtain a WAN IP address. If the value for this field is unknown, try leaving it blank unless directed otherwise by the ISP.
Fig. 5: General WAN Configuration

Fig. 6: Static IP Settings

Fig. 7: DHCP Hostname Setting
PPPoE Configuration
When using the PPPoE (Point-to-Point Protocol over Ethernet) WAN type (Figure PPPoE Configuration), the PPPoE Username and PPPoE Password fields are required, at a minimum. The values for these fields are determined by the ISP.

PPPoE Username
The login name for PPPoE authentication. The format is controlled by the ISP, but commonly uses an e-mail address style such as myname@example.com.

PPPoE Password
The password to login to the account specified by the username above. The password is masked by default. To view the entered password, check Reveal password characters.

PPPoE Service Name
The PPPoE Service name may be required by an ISP, but is typically left blank. When in doubt, leave it blank or contact the ISP and ask if it is necessary.

PPPoE Dial on Demand
This option leaves the connection down/offline until data is requested that would need the connection to the Internet. PPPoE logins happen quite fast, so in most cases the delay while the connection is set up would be negligible. If public services are hosted behind this firewall, do not check this option, as an online connection must be maintained as much as possible in that case. Also note that this choice will not drop an existing connection.

PPPoE Idle Timeout
Specifies how much time the PPPoE connection remains up without transmitting data before disconnecting. This is only useful when coupled with Dial on demand, and is typically left blank (disabled).

Note: This option also requires the deactivation of gateway monitoring, otherwise the connection will never be idle.

Fig. 8: PPPoE Configuration

PPTP Configuration
The PPTP (Point-to-Point Tunneling Protocol) WAN type (Figure PPTP WAN Configuration) is for ISPs that require a PPTP login, not for connecting to a remote PPTP VPN. These settings, much like the PPPoE settings, will be provided by the ISP.
A few additional options are required: Local IP Address The local (usually private) address used by this firewall to establish the PPTP connection. CIDR Subnet Mask The subnet mask for the local address. 8.1. Setup Wizard 334
  • 338. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Remote IP Address The PPTP server address, which is usually inside the same subnet as the Local IP address. Fig. 9: PPTP WAN Configuration These last two options, seen in Figure Built-in Ingress Filtering Options, are useful for preventing invalid traffic from entering the network protected by this firewall, also known as “Ingress Filtering”. Block RFC 1918 Private Networks Blocks connections sourced from registered private networks such as 192.168.x.x and 10.x.x.x attempting to enter the WAN interface . A full list of these networks is in Private IP Addresses. Block Bogon Networks When active, the firewall blocks traffic from entering if it is sourced from re- served or unassigned IP space that should not be in use. The list of bogon networks is updated periodically in the background, and requires no manual maintenance. Bogon networks are further explained in Block Bogon Networks. Click Next to continue once the WAN settings have been filled in. Fig. 10: Built-in Ingress Filtering Options 8.1. Setup Wizard 335
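The two ingress options above, modelled as a small classifier so the effect on sample WAN traffic can be seen. This is an added example, not pfSense code: PRIVATE_NETWORKS is the RFC 1918 set (treating fc00::/7, IPv6 unique-local space, as private is this example's assumption), and BOGON_NETWORKS is a constructed subset of reserved and special-purpose space, not the full list the firewall fetches and refreshes in the background. The sample packets are constructed.

```python
"""Model of the wizard's two WAN ingress options.

Added example, not pfSense code. PRIVATE_NETWORKS is the RFC 1918 set
(fc00::/7 for IPv6 unique-local space is this example's assumption);
BOGON_NETWORKS is a small constructed subset of reserved and
special-purpose space. The firewall itself fetches a full, periodically
updated bogon list; do not copy this subset into production rules.
"""
import ipaddress

PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7",  # assumption: treat IPv6 ULA like RFC 1918 space
)]

BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "2001:db8::/32", "fe80::/10",
)]


def _in_any(addr, networks):
    # `addr in net` is False when the address and network families differ
    return any(addr in net for net in networks)


def wan_ingress_decision(src_ip, block_private=True, block_bogons=True):
    """Verdict for a packet with source src_ip entering on WAN.

    Mirrors the two checkboxes: private space is tested first, then bogons.
    Returns "block-private", "block-bogon" or "pass".
    """
    addr = ipaddress.ip_address(src_ip)
    if block_private and _in_any(addr, PRIVATE_NETWORKS):
        return "block-private"
    if block_bogons and _in_any(addr, BOGON_NETWORKS):
        return "block-bogon"
    return "pass"


def filter_wan_packets(packets, **options):
    """Split (src, dst, proto) tuples into a passed list and a blocked list."""
    passed, blocked = [], []
    for pkt in packets:
        verdict = wan_ingress_decision(pkt[0], **options)
        if verdict == "pass":
            passed.append(pkt)
        else:
            blocked.append((pkt, verdict))
    return passed, blocked


# Constructed sample traffic as seen arriving on WAN.
SAMPLE_PACKETS = [
    ("8.8.8.8", "198.51.100.10", "udp/53"),      # ordinary Internet source
    ("10.23.4.5", "198.51.100.10", "tcp/22"),    # spoofed RFC 1918 source
    ("172.32.0.1", "198.51.100.10", "tcp/443"),  # just outside 172.16.0.0/12
    ("240.1.1.1", "198.51.100.10", "tcp/80"),    # reserved class E space
    ("fd12::1", "2001:db8::1", "tcp/443"),       # IPv6 unique-local source
]

if __name__ == "__main__":
    passed, blocked = filter_wan_packets(SAMPLE_PACKETS)
    for pkt in passed:
        print("pass          ", pkt)
    for pkt, why in blocked:
        print(why.ljust(14), pkt)
```

Note the boundary case: 172.32.0.1 passes because 172.16.0.0/12 ends at 172.31.255.255. Untick either option (block_private=False, block_bogons=False) to see the corresponding class of source pass through.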
8.1.4 LAN Interface Configuration

This page of the wizard configures the LAN IP Address and Subnet Mask (Figure LAN Configuration).

If this firewall will not connect to any other network via VPN, the default 192.168.1.0/24 network may be acceptable. If this network must be connected to another network, including via VPN from remote locations, choose a private IP address range much more obscure than the common default of 192.168.1.0/24. IP space within the 172.16.0.0/12 RFC 1918 private address block is generally the least frequently used, so choose something between 172.16.x.x and 172.31.x.x to help avoid VPN connectivity difficulties. If the LAN is 192.168.1.x and a remote client is at a wireless hotspot using 192.168.1.x (very common), the client will not be able to communicate across the VPN: 192.168.1.x is then the client's local network at the hotspot, not the remote network over the VPN, so traffic for it never enters the tunnel.

If the LAN IP Address must be changed, enter it here along with a new Subnet Mask. If these settings are changed, the IP address of the computer used to complete the wizard must also be changed if it is connected through the LAN. Release/renew its DHCP lease, or perform a "Repair" or "Diagnose" on the network interface when finished with the setup wizard.

Fig. 11: LAN Configuration

Click Next to continue.

8.1.5 Set admin password

Next, change the administrative password for the GUI as shown in Figure Change Administrative Password. The best practice is to use a strong and secure password, but no restrictions are automatically enforced. Enter the password in the Admin Password field and again in the confirmation box to be sure it has been entered correctly. Click Next to continue.

Warning: Do not leave the password set to the default pfsense. If access to the firewall administration via GUI or SSH is exposed to the Internet, intentionally or accidentally, the firewall could easily be compromised if it still uses the default password.
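For the LAN subnet choice described in 8.1.4 above, a check that a proposed prefix does not overlap the networks it will need to reach over VPN, plus a picker that proposes a free /24 inside 172.16.0.0/12. This is an added example, not pfSense code. REMOTE_NETWORKS is constructed (one VPN peer's LAN and two hotspot ranges a roaming client might sit behind), and the skip-the-first-few heuristic in pick_lan_subnet is this example's own way of applying the "more obscure" advice.

```python
"""Check a proposed LAN prefix against networks it must not collide with.

Added example, not pfSense code. REMOTE_NETWORKS is constructed: one
VPN peer's LAN and two hotspot ranges a roaming VPN client might sit
behind. The skip-the-first-few heuristic in pick_lan_subnet is this
example's own way of applying the "more obscure" advice.
"""
import ipaddress

REMOTE_NETWORKS = {  # constructed sample
    "branch-office-vpn": "192.168.1.0/24",
    "hotel-wifi-client": "192.168.0.0/24",
    "cafe-wifi-client": "10.0.0.0/24",
}


def collisions(lan, remotes=REMOTE_NETWORKS):
    """Names of remote networks overlapping the proposed LAN prefix.

    Accepts either a network ("172.16.3.0/24") or the LAN interface
    address with its mask ("172.16.3.1/24"), as typed into the wizard.
    """
    lan_net = ipaddress.ip_network(lan, strict=False)
    return sorted(name for name, cidr in remotes.items()
                  if lan_net.overlaps(ipaddress.ip_network(cidr)))


def pick_lan_subnet(remotes=REMOTE_NETWORKS, prefixlen=24,
                    block="172.16.0.0/12", skip=3):
    """First /prefixlen inside block that overlaps nothing in remotes.

    skip avoids the first few subnets of the block, which are the ones
    most likely to have been chosen by someone else with the same idea.
    """
    remote_nets = [ipaddress.ip_network(c) for c in remotes.values()]
    candidates = ipaddress.ip_network(block).subnets(new_prefix=prefixlen)
    for i, cand in enumerate(candidates):
        if i < skip:
            continue
        if not any(cand.overlaps(r) for r in remote_nets):
            return str(cand)
    raise ValueError(f"no free /{prefixlen} inside {block}")


if __name__ == "__main__":
    for proposal in ("192.168.1.0/24", "10.0.0.0/8", "172.16.3.0/24"):
        print(proposal, "collides with:", collisions(proposal) or "nothing")
    print("suggested LAN:", pick_lan_subnet())
```

Run it before committing to a LAN prefix; feed it the real peer and client networks from the VPN design, since a collision discovered after deployment means renumbering one side.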
Fig. 12: Change Administrative Password

8.1.6 Completing the Setup Wizard

That completes the setup wizard configuration. Click Reload (Figure Reload the GUI) and the GUI will apply the settings from the wizard and reload the services changed by the wizard.

Fig. 13: Reload the GUI

Tip: If the LAN IP address was changed in the wizard and the wizard was run from the LAN, adjust the client computer's IP address accordingly after clicking Reload. When prompted to log in again, enter the new password. The username remains admin.

After reloading, the final screen of the wizard includes convenient links to check for updates, get support, and other resources. Click Finish to complete and exit the wizard.

At this point the firewall will have basic connectivity to the Internet via the WAN, and clients on the LAN side will be able to reach Internet sites through this firewall.

If at any time this initial configuration must be repeated, revisit the wizard at System > Setup Wizard from within the GUI.

8.2 Interface Configuration

Basic aspects of interface configuration within pfSense® software can be performed at the console and in the setup wizard to start, but changes may also be made after the initial setup by visiting pages under the Interfaces menu. A few basics are covered here; the details can be found in Interface Types and Configuration.
8.2.1 Assign interfaces

Interfaces added after the initial setup may be assigned roles by visiting Interfaces > Assignments. There are numerous tabs on that page used for assigning and creating different types of interfaces. The two most commonly used tabs are Interface assignments and VLANs.

See also: VLAN configuration is covered in Virtual LANs (VLANs).

The Interface assignments tab shows a list of all currently assigned interfaces: WAN, LAN, and any OPTx entries configured on the firewall. Next to each interface is a drop-down list of all network interfaces/ports found on the system. This list includes hardware interfaces as well as VLAN interfaces and other virtual interface types. The MAC address, VLAN tag, or other identifying information is printed alongside the interface name to aid in identification.

The other tabs, much like the VLAN tab, are there to create additional interfaces which can then be assigned. All of these interface types are covered in Interface Types and Configuration.

To change an existing interface assignment to another network port:

  • Navigate to Interfaces > Assignments
  • Locate the interface to change in the list
  • Select the new network port from the drop-down list on the row for that interface
  • Click Save

To add a new interface from the list of unused network ports:

  • Navigate to Interfaces > Assignments
  • Select the port to use from the drop-down list labeled Available Network Ports
  • Click Add

This action adds another line with a new OPT interface numbered higher than any existing OPT interface, or OPT1 if this is the first additional interface.

8.2.2 Interface Configuration Basics

Interfaces are configured by choosing their entry from under the Interfaces menu. For example, to configure the WAN interface, choose Interfaces > WAN.

Every interface is configured in the same manner and any interface can be configured as any interface type (Static, DHCP, PPPoE, etc.). Additionally, the blocking of private networks and bogon networks may be performed on any interface. Every interface can be renamed, including WAN and LAN, to a custom name. Furthermore, every interface can be enabled and disabled as desired, so long as a minimum of one interface remains enabled.

See also: For detailed interface configuration information, see Interface Types and Configuration.

The IPv4 Configuration Type can be changed between Static IPv4, DHCP, PPPoE, PPP, PPTP, L2TP, or None to leave the interface without an IPv4 address. When Static IPv4 is used, an IPv4 Address, subnet mask, and IPv4 Upstream Gateway may be set. If one of the other options is chosen, then type-specific fields appear to configure each type.

The IPv6 Configuration Type can be set to Static IPv6, DHCP6, SLAAC, 6rd Tunnel, 6to4 Tunnel, Track Interface, or None to leave IPv6 unconfigured on the interface. When Static IPv6 is selected, set an IPv6 address, prefix length, and IPv6 Upstream Gateway.
If this is a wireless interface, the page will contain many additional options to configure the wireless portion of the interface. Consult Wireless for details.

Note: Selecting a Gateway from the drop-down list, or adding a new gateway and selecting it, directs the firewall to treat this interface as a WAN type interface for NAT and related functions. This is not desirable for internal-facing interfaces such as LAN or a DMZ. Gateways may still be utilized on those interfaces for static routes and other purposes without selecting a Gateway here on the interface page.

8.3 Managing Lists in the GUI

The pfSense® software GUI has a common set of icons which are used for managing lists and collections of objects throughout the firewall. Not every icon is used on every page, but their meanings are consistent based on the context in which they are seen. Examples of such lists include firewall rules, NAT rules, IPsec, OpenVPN, and certificates. Each list icon has one of the following meanings:

  • Add a new item to a list
  • Add an item to the beginning of a list
  • Add an item to the end of a list
  • Edit an existing item
  • Copy an item (create a new item based on the selected item)
  • Disable an active item
  • Enable a disabled item
  • Delete an item
  • Move entries after selecting one or more items: click to move the selected items above this row, shift-click to move the selected items below this row

Sections may have their own icons specific to each area. Consult the appropriate sections of this documentation for specifics about icons found in other parts of the firewall.

Tip: To determine which action an icon will perform, hover over the icon with the mouse pointer and a tooltip will display a short description of the icon's purpose.
8.4 Quickly Navigate the GUI with Shortcuts

Many areas of the GUI have shortcut icons present in the area known as the "Breadcrumb Bar", as seen in Figure Shortcuts Example. These shortcut icons reduce the amount of hunting required to locate related pages, allowing a firewall administrator to navigate quickly between the status page of a service, its logs, and its configuration. The shortcuts for a given topic are present on each page related to that topic.

Fig. 14: Shortcuts Example

Note: Shortcut icons only appear when their respective actions are possible and the target pages exist. Not every section has every icon.

The shortcut icons have the following effects when they appear in the GUI:

Start Service
    If the service is stopped, this icon starts the service.

Restart Service
    If the service is running, this icon restarts the service.

    Note: Some services will stop and start, others reload the configuration. Check the documentation of each service for details.

Stop Service
    If the service is running, this icon stops the service.

Related Settings
    This icon navigates to the settings page for this section.

Status Page Link
    This icon navigates to the status page for this section.

Log Page Link
    This icon navigates to the logs page for this section.

Help Link
    This icon navigates to a related help topic for this page.

The Service Status page (Status > Services) also has shortcut controls for pages related to each service, as shown in Figure Shortcuts on Service Status. The icons have the same meaning as in the list above.

Fig. 15: Shortcuts on Service Status
8.5 General Configuration Options

System > General Setup contains basic configuration options for pfSense® software. A few of these options are also found in the Setup Wizard.

Hostname
    The Hostname is the short name for this firewall, such as firewall1, hq-fw, or site1. The name must start with a letter and it may contain only letters, numbers, or a hyphen.

Domain
    The Domain name for this firewall, e.g. example.com. If this network does not have a domain, use <something>.home.arpa, where <something> is another identifier: a company name, last name, nickname, etc. For example, company.home.arpa.

The Hostname and Domain name are combined to make up the Fully Qualified Domain Name (FQDN) of this firewall. For example, if the Hostname is fw1 and the Domain is example.com, then the FQDN is fw1.example.com.

8.5.1 DNS Server Settings

Options in this section control how the firewall resolves hostnames using DNS.

Note: The DNS Resolver is active by default and uses resolver mode (DNS Resolver Mode). When set this way the DNS Resolver does not need forwarding DNS servers, as it communicates directly with the root DNS servers and other authoritative DNS servers. To use the servers in this list, switch the DNS Resolver to forwarding mode. The DNS Forwarder (DNS Forwarder) only supports forwarding mode and will always use the servers from this list.

DNS Servers
    This page supports multiple DNS servers managed as a list. To add more DNS servers, click Add DNS Server. To remove an entry from the list, click Delete.

    The DNS server list may be left blank if the DNS Resolver is active in its default resolver mode. If this firewall has a dynamic WAN type such as DHCP or PPPoE, these servers may be automatically assigned by the ISP and can also be left blank.

    Each DNS server entry has the following properties:

    Address
        The IP address of the DNS server.

    Hostname
        The FQDN of the DNS server, used to validate the DNS server's certificate when using DNS over TLS (DNS Resolver Configuration). Without a hostname the connection is still encrypted, but the identity of the server answering is not verified.

    Gateway
        The gateway through which the firewall will reach this DNS server. This is useful in a Multi-WAN scenario where, ideally, the firewall will have at least one DNS server configured per WAN. More information on DNS for Multi-WAN can be found in DNS Forwarding and Static Routes.
DNS Resolution Behavior

These options fine-tune the way the firewall utilizes DNS servers.

DNS Server Override
    When checked, a dynamic WAN ISP can supply DNS servers which override those set manually. To force the use of only the DNS servers on this page, uncheck this option. This does not apply to the DNS Resolver when acting in resolver mode.

DNS Resolution Behavior
    This option controls how the firewall itself resolves DNS queries.

    Use Local DNS (127.0.0.1), fall back to remote DNS Servers (Default)
        By default, the firewall consults the DNS Resolver or DNS Forwarder running on this firewall to resolve hostnames for itself. It does this by listing localhost (127.0.0.1) as its first DNS server internally. If the local DNS server is unreachable, the firewall sends queries directly to the DNS servers configured on this page, or those received from dynamic WANs. This method gives the firewall the best chance of having working DNS.

    Use Local DNS (127.0.0.1), ignore remote DNS Servers
        Like the option above, this option makes the firewall use its own DNS Resolver or DNS Forwarder to resolve hostnames. However, it will not attempt to use any other server. This option is more secure, as it forces DNS to be resolved using the configuration of the DNS Resolver or DNS Forwarder, which may have special requirements restricting or redirecting name resolution. For example, if the DNS Resolver is configured for DNS over TLS, using this option ensures that the firewall will not fall back to sending plaintext queries to the remote DNS servers when the local service is unavailable.

    Use remote DNS Servers, ignore local DNS
        This option forces the firewall to use the DNS servers configured on this page or from dynamic WANs, and it will not utilize the local DNS Resolver or DNS Forwarder. This option is useful when the local DNS service is configured in a strict manner to control client behavior, but the firewall still needs unrestricted access to DNS for tasks such as updates and installing packages.

8.5.2 Localization

Options in this section control the firewall clock and language.

Time Zone
    The time zone used by the firewall for its clock. Choose a geographically named zone which best matches the location of this firewall, or a common zone such as UTC. The firewall clock, log entries, and other areas of the firewall base their time on this zone.

    Note: Changing the zone requires a reboot to fully activate the new zone in all areas of the firewall.

    Tip: Avoid using the GMT +/- zones as they do not operate in an intuitive manner. See Troubleshooting Time Zone Configuration for more information.

Time Servers
    Network Time Protocol (NTP) server hostnames or IP addresses. Unless a specific NTP server is required, such as one on the LAN, the best practice is to leave the Time Servers value at the default 2.pfsense.pool.ntp.org. This value will pick random servers from a pool of known-good IPv4 and IPv6 NTP hosts.
    To utilize multiple time servers or pools, add them in the same box, separating each entry with a space. For example, to use three NTP servers from the pool, enter:

        0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org

    This numbering is specific to how .pool.ntp.org operates and ensures each address is drawn from a unique pool of NTP servers, so the same server does not get used twice.

Language
    The language used by the GUI. The GUI has been translated into multiple languages in addition to the default English language.

8.5.3 webConfigurator

Options in this section control various behaviors of the web-based GUI, which can be referred to as the GUI, WebGUI, or webConfigurator.

Theme
    The Theme controls the look and feel of the GUI. Several themes are included in the base system, and they make only cosmetic, not functional, changes to the GUI.

Top Navigation
    This option controls the behavior of the menu bar at the top of each page. There are two possible choices:

    Scrolls with page
        The default behavior. When the page scrolls, the navigation remains at the top of the page, so it is no longer visible once it scrolls off the top of the window. This is the best option for most situations.

    Fixed
        When selected, the navigation remains fixed at the top of the window, always visible and available for use. This behavior can be convenient, but can be problematic on smaller screens such as tablets and mobile devices. On low-resolution browsers long menus can be cut off, leaving options at the bottom unreachable.

Hostname in Menu
    Chooses if and how the GUI includes the firewall hostname in the menu. This can aid in quickly identifying a firewall when managing multiple firewalls in separate tabs or windows, but it consumes extra space in the menu.

    Default (No hostname)
        The GUI does not display the hostname or FQDN in the menu.
    Hostname Only
        When set, the GUI includes the firewall Hostname (no domain name) in the menu. If all firewalls are in the same domain, or if they have unique hostnames, this may be sufficient.

    Fully Qualified Domain Name
        When set, the GUI includes the Fully Qualified Domain Name of the firewall in the menu. This takes more space than displaying the hostname portion alone, but may be necessary to properly distinguish firewalls if they use similar hostnames in multiple domains.

Dashboard Columns
    The dashboard is limited to 2 columns by default. On wider displays, additional columns can utilize extra horizontal screen space. The maximum number of columns is 4.

Interfaces Sort
    When unset (default), the GUI presents interfaces in their natural order from the configuration. This is critical for functions such as High Availability which require specific interface ordering. When this option is set, the GUI sorts the interface list alphabetically.

Associated Panels Show/Hide
    A few GUI pages contain collapsible panels with settings or functions. These panels take up extra screen space, so they are hidden by default. For firewall administrators who use the panels frequently, this can be slow and inefficient. The options in this group make the GUI show these panels by default instead of hiding them.

    Available Widgets
        Controls the Available Widgets panel on the Dashboard.

    Log Filter
        Controls the log filtering panel used for searching log entries under Status > System Logs.

    Manage Log
        Controls the per-log settings in the Manage Log panel available for each log under Status > System Logs.

    Monitoring Settings
        Controls the options panel used to change the graphs at Status > Monitoring.

Require State Filter
    When set, the state table contents at Diagnostics > States are suppressed by the GUI unless a filter string is present. This helps the GUI handle large state tables which otherwise may fail to load.

Left Column Labels
    When checked, the option labels in the left column are set to toggle options when clicked. This can be convenient if the firewall administrator is used to the behavior, but it can also be problematic on mobile or in cases when the behavior is unexpected.

Alias Popups
    When set, the tooltip presented by the GUI when hovering over an alias in a rule list only shows the alias description. When unset, the contents of the alias are included in the tooltip. For firewalls with large aliases, this may cause performance or browser rendering issues.

Disable Dragging
    When set, the GUI disables drag-and-drop on rule lists. Most users find drag-and-drop to be convenient and beneficial, thus the feature is enabled by default. Users who find the behavior undesirable can set this option.

Login Page Color
    Controls the color of the login page, which is independent of the theme.

Login Hostname
    When set, the GUI includes the hostname on the login form.

    Warning: This can be considered a security risk, since it exposes information about the firewall to users who have not yet authenticated. If the firewall GUI is only reachable by authorized management clients, the convenience may outweigh the potential risk.

8.6 Advanced Configuration Options

System > Advanced contains numerous options of an advanced nature. These options customize the firewall behavior for more complex environments. Most administrators will not need to adjust these options for basic deployments.

Some of these options are covered in more detail in other sections of the documentation where their discussion is more topical or relevant, but they are all mentioned here with a brief description.
8.6.1 Admin Access Tab

The options on the Admin Access tab govern various methods for administering the firewall, including via the web interface, SSH, serial, and physical console.

webConfigurator (GUI)

Protocol
    The protocol used by the GUI to accept web browser connections. May be one of:

    HTTP
        Plain unencrypted HTTP. Insecure and basic, but widely compatible and less likely to have client issues. Should not be used in most cases, and should never be exposed to insecure networks: login credentials and session cookies cross the network in the clear.

    HTTPS (SSL/TLS)
        Encrypted ("Secure") HTTP. Protects communication between the client browser and the firewall GUI. Requires an SSL/TLS certificate to function. Depending on the browser and certificate configuration, there may be compatibility issues, but typically these are easily overcome by using current versions.

    Note: The best practice is to use HTTPS so only encrypted traffic is exchanged between the GUI and clients.

SSL/TLS Certificate
    The SSL/TLS Certificate to be used by the GUI in HTTPS (SSL/TLS) mode. The firewall automatically generates a default self-signed certificate on the first boot. That is not an ideal situation, but is better than no encryption at all. The primary disadvantage of a self-signed certificate is the lack of assurance of the identity of the host, since the certificate is not signed by a Certificate Authority trusted by the browser; a user accustomed to clicking through the warning cannot tell the firewall apart from an impostor presenting a different self-signed certificate. Additionally, because for the bulk of Internet users such an invalid certificate should be considered a risk, modern browsers may restrict how such certificates are handled. Firefox, for example, gives a warning screen and forces the user to import the certificate and allow a permanent exception. Chrome shows a warning screen with a link to continue.

    Tip: To use an externally signed SSL certificate and key, import them using the Certificate Manager, then select the certificate here.

    Tip: The ACME Package can utilize the free Let's Encrypt service to automatically obtain and update a signed certificate for the GUI or for other purposes on the firewall.

    Tip: Another alternate technique is to generate a self-signed CA and then generate a GUI certificate from that CA. Export the CA from the firewall and then import that CA into client browsers manually. Using this method, all certificates signed by that CA will be trusted by browsers. Specifics vary by client platform.

    Tip: To generate a new self-signed certificate for the GUI, connect using the console or SSH and from a shell prompt run the following command:

        # pfSsh.php playback generateguicert

TCP Port
    The port used by the GUI for accepting connections from browsers. By default the GUI uses HTTPS on port 443 with a redirect from port 80 for the best compatibility and ease of initial configuration. To change the port, enter a new port number into the TCP Port field.

    Note: Moving the WebGUI to an alternate port is preferred by some administrators for security by obscurity reasons, though such practices should not be considered as offering any security benefit. Do not expose the GUI to untrusted networks such as the Internet.

    Tip: Moving the GUI to another port will free up the standard web ports for use with port forwards or other services such as HAProxy.

Max Processes
    The number of web server worker processes used by the GUI when listening for client browser connections. The default value is 2. If multiple administrators view the GUI at the same time and pages are taking too long to load, or are failing to load, then increase the Max Processes value.

WebGUI Redirect
    Controls whether or not the firewall runs a redirect on port 80 so that if a browser attempts to access the firewall with HTTP, the firewall accepts the request and then redirects the browser to the TCP Port used by the GUI (e.g. HTTPS on port 443). The redirect is enabled by default for ease of access and compatibility. Disabling the redirect allows another daemon to bind to port 80.

HSTS
    Controls whether the GUI web server sends the Strict-Transport-Security HTTPS response header (HSTS) to the browser. Check this box to disable the behavior. HSTS forces the browser to use only HTTPS for future requests to the firewall FQDN, to ensure it does not accidentally downgrade to an unencrypted connection.

    Warning: When disabling HSTS, clients which visited the GUI when HSTS was enabled must perform browser-specific steps for the change to take effect. Consult browser documentation for information on clearing cached HSTS behavior.
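A way to verify the transport settings above from the client side, as an added example that is not pfSense code. It audits two captured responses: the port 80 answer must redirect to HTTPS on the expected TCP Port, and the HTTPS answer must carry Strict-Transport-Security and a login form with autocomplete disabled. The responses embedded here are constructed stand-ins for the output of `curl -i http://fw1.example.com/` and `curl -ik https://fw1.example.com/`; the six-month minimum HSTS age is this example's own threshold, and the autocomplete test is a plain substring check on the page body.

```python
"""Audit the GUI's transport hardening from two captured HTTP responses.

Added example, not pfSense code. It checks what the Admin Access tab
controls: port 80 redirects to the HTTPS port (WebGUI Redirect / TCP
Port), the HTTPS response carries Strict-Transport-Security (HSTS), and
the login page does not enable autocomplete (WebGUI Login Autocomplete).
The responses are constructed stand-ins for `curl -i http://fw1.example.com/`
and `curl -ik https://fw1.example.com/`; the minimum HSTS age is this
example's threshold.
"""
from urllib.parse import urlsplit

HTTP_RESPONSE = (  # constructed: what port 80 should answer
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://fw1.example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

HTTPS_RESPONSE = (  # constructed: the login page over HTTPS
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="post" autocomplete="off">login</form>'
)

WEAK_HTTP_RESPONSE = (  # constructed: GUI served on plain HTTP, no redirect
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="post">login</form>'
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_gui(http_raw, https_raw, expected_port=443, min_hsts_age=15768000):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Port 80 must hand the browser over to HTTPS on the configured port.
    status, headers, _ = parse_response(http_raw)
    location = headers.get("location", "")
    if status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("port 80 does not redirect to HTTPS")
    else:
        port = urlsplit(location).port or 443
        if port != expected_port:
            findings.append(f"redirect targets port {port}, expected {expected_port}")

    # The HTTPS answer must pin the browser to HTTPS for a reasonable time.
    status, headers, body = parse_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        age = next((int(p.split("=", 1)[1])
                    for p in hsts.replace(" ", "").split(";")
                    if p.lower().startswith("max-age=")), 0)
        if age < min_hsts_age:
            findings.append(f"HSTS max-age {age} below {min_hsts_age}")

    # Crude substring check on the login page body.
    if 'autocomplete="off"' not in body:
        findings.append("login form does not disable autocomplete")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_gui(HTTP_RESPONSE, HTTPS_RESPONSE) or "no findings")
    # Reusing the weak plain-HTTP capture for both arguments shows all three findings.
    print("weak:", audit_gui(WEAK_HTTP_RESPONSE, WEAK_HTTP_RESPONSE))
```

Pass expected_port=8443 (or whatever TCP Port is set to) when the GUI has been moved, so the redirect target is checked against the real port rather than the default.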
OCSP Must-Staple
    Controls whether or not the GUI web server forcefully enables OCSP Stapling. If the GUI SSL/TLS Certificate requires OCSP Stapling, this behavior is automatically enabled by the GUI web server. If the certificate property cannot be automatically determined by the firewall, this option can force the behavior.

    Tip: Import the full CA and certificate chain or this option will be ignored by the GUI web server.

WebGUI Login Autocomplete
    Controls whether or not the login form allows autocomplete so browsers can save the login credentials for convenience. In high-security environments, such as those that must adhere to specific security compliance standards, this behavior is not acceptable.

    Note: This only controls autocomplete on the login form.

    Warning: Few modern browsers respect this option. Many still offer to save passwords even when the form specifies that the browser must not allow the behavior. This behavior must be controlled or changed using browser options.

WebGUI login messages
    Controls whether or not the firewall prints successful login messages to the console and system log. On hardware with a PC speaker, these console messages generate a beep from the speaker, which some users find undesirable. Checking this option stops the log message and the resulting beep. Bear in mind that it also removes the log record of successful administrative logins.

Anti-lockout
    Controls whether or not the firewall adds special rules to permit access to the WebGUI port and SSH port on the LAN interface by default. These special rules override user-defined filter rules and prevent the user from accidentally locking themselves out of the firewall GUI or SSH. To control which LAN IP addresses may access the GUI and SSH using firewall rules, disable the anti-lockout rules.

    When two or more interfaces are present, the firewall puts the anti-lockout rules on the LAN interface; if only one interface is configured, the firewall places the rules on that interface instead.

    Warning: Filter rules must be in place to allow GUI access before enabling this option! If the LAN rules do not allow access to the GUI, removing the anti-lockout rule will block access to the GUI, potentially leaving the administrator without a means to reach the firewall.
    Note: Resetting the LAN IP address from the console also resets the anti-lockout rule. If administrative access is unavailable after enabling this option, choose console menu option 2, then choose to set the LAN IP address, and enter the exact same IP address and accompanying information.

DNS Rebind Check
    Controls whether or not the DNS Resolver or DNS Forwarder performs DNS rebinding checks. These checks prevent the firewall from accepting DNS responses containing private IP addresses from upstream DNS servers, which defeats DNS rebinding attacks: an attacker-controlled hostname first resolves to the attacker's server and is later re-resolved to a private address such as the firewall's own, so that script already running in a victim's browser can reach the GUI under the attacker's origin.

    Note: When accessing the firewall by IP address, these checks are not enforced, because the attack is only relevant when using a hostname.

    Check this box to disable DNS rebinding protection if it interferes with GUI access or name resolution.

    See also: More detail on DNS rebinding attacks may be found on Wikipedia.

    The most common case for disabling DNS rebinding checks is when the firewall is set to use an internal DNS server which returns private (RFC 1918) answers for hostnames.

    Tip: Instead of disabling all DNS rebinding protections, the checks can be selectively disabled on a per-domain basis in the DNS Resolver or DNS Forwarder. See DNS Resolver and DNS Forwarder.

Browser HTTP_REFERER enforcement
    Controls whether or not the GUI checks and enforces HTTP_REFERER contents. The GUI checks the referring URL sent by a client browser to ensure that the form was submitted from this firewall. This check prevents a form on another site from submitting a request to the firewall and changing an option when the administrator did not intend for that to happen (a cross-site request forgery). It also breaks some convenience behaviors, such as having a page that links to various firewall devices, though the benefits of the check typically outweigh the advantage of those behaviors.

Alternate Hostnames
    A list of Alternate Hostnames for the firewall allowed by the DNS Rebind Check and HTTP_REFERER enforcement. To keep these features active but alter their behavior slightly, add Alternate Hostnames. By default the GUI allows access using the hostname configured on the firewall and all IP addresses configured on the firewall. Hostnames in this field are additionally allowed by the firewall for GUI access and for referring URL purposes.
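The DNS Rebind Check, HTTP_REFERER enforcement and Alternate Hostnames settings above, modelled in two layers so the interaction can be tried on sample requests. This is an added example, not pfSense code. rebind_safe_answers() is the resolver layer: answers pointing at private space are dropped unless the queried name falls under a domain in the per-domain exception list. check_request() is the GUI layer: the Host and Referer headers must name the firewall's hostname or FQDN, one of its interface addresses, or an Alternate Hostname. Accepting a request that carries no Referer at all is this example's choice, not necessarily the firewall's behaviour; every hostname and address below is constructed.

```python
"""DNS rebind protection and HTTP_REFERER enforcement, modelled in two layers.

Added example, not pfSense code. rebind_safe_answers() is the resolver
layer; check_request() is the GUI layer. Accepting a request with no
Referer header is this example's choice. Names and addresses are
constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def _under_domain(name, domains):
    """True if name equals or is a subdomain of any entry in domains."""
    name = name.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def rebind_safe_answers(qname, answers, private_domains=()):
    """Filter A/AAAA answers for qname the way a rebind-aware resolver would.

    ipaddress' is_private covers RFC 1918, loopback, link-local and the
    documentation ranges; the firewall's own list may differ.
    """
    if _under_domain(qname, private_domains):
        return list(answers)          # per-domain exception: keep everything
    return [ip for ip in answers if not ipaddress.ip_address(ip).is_private]


def allowed_gui_hosts(hostname, domain, interface_ips, alternate_hostnames=()):
    """Names and addresses the GUI accepts in Host and Referer."""
    allowed = {hostname.lower(), f"{hostname}.{domain}".lower()}
    allowed.update(ip.lower() for ip in interface_ips)
    allowed.update(h.lower() for h in alternate_hostnames)
    return allowed


def _host_of(host_header):
    """Host header value without the port; IPv6 literals lose their brackets."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h[1:h.index("]")]
    if h.count(":") == 1:          # name:port or v4:port
        return h.rsplit(":", 1)[0]
    return h                       # bare name, or bare v6 literal


def check_request(headers, allowed):
    """Return (accepted, reason) for one GUI request's headers."""
    host = headers.get("Host")
    if host is None or _host_of(host) not in allowed:
        return False, "host-not-allowed"        # DNS rebind check trips
    referer = headers.get("Referer")
    if referer is None:
        return True, "no-referer"               # example's choice
    if urlsplit(referer).hostname not in allowed:
        return False, "referer-not-allowed"     # HTTP_REFERER check trips
    return True, "ok"


if __name__ == "__main__":
    allowed = allowed_gui_hosts("fw1", "example.com", ["10.0.0.1", "fd00::1"],
                                alternate_hostnames=["firewall.corp.internal"])
    print(check_request({"Host": "fw1.example.com",
                         "Referer": "https://fw1.example.com/firewall_rules.php"},
                        allowed))
    print(check_request({"Host": "rebind.attacker.example",
                         "Referer": "https://rebind.attacker.example/"}, allowed))
    print(rebind_safe_answers("rebind.attacker.example", ["1.1.1.1", "10.0.0.1"]))
```

The two layers are complementary: the resolver layer stops the browser from ever learning that the attacker's name maps to the firewall's address, and the GUI layer refuses the request if a rebound name reaches it anyway. Adding a name to Alternate Hostnames widens only the GUI layer; a private answer for an internal domain still needs the per-domain exception in the resolver.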
Man-In-The-Middle Attack/Warning

If a browser attempts to access the GUI using an IP address that is not configured on the firewall, such as through a port forward from another firewall, the GUI prints a message indicating that access to the firewall may be compromised by a Man-In-The-Middle (MITM) attack. If such forwarding was deliberately configured on this firewall or on an upstream firewall, the message may be safely ignored. If access to the firewall should have been direct, take great care before logging in to ensure the login credentials are not being routed through an untrusted system. The firewall does not disable access in this case, it only prints a warning, so there is no option to turn this behavior off.

Browser Tab Text

By default, the GUI prints the firewall hostname first in the page/tab title, followed by the page name. To reverse this and show the page name first and the hostname second, check Display page name first in browser tab. Administrators who access many firewalls at the same time in separate tabs tend to prefer the hostname first (the default). Administrators who access one firewall with many pages in separate tabs tend to prefer the page name first.

Secure Shell (SSH)

The Secure Shell (SSH) server provides remote console access and file management. A user can connect with any standard SSH client, such as the OpenSSH command line ssh client, PuTTY, SecureCRT, or iTerm2.

When using SSH, both the admin and root usernames are accessible using the admin account credentials. Users in the User Manager that have the User - System - Shell account access privilege are also allowed to log in over SSH. These users do not have root privileges, and do not see the menu when they log in because many of its options require root privileges.

Tip: To grant users additional shell privileges, use the sudo package.

File transfers to and from the firewall are also possible using a Secure Copy (SCP) client such as the OpenSSH command line scp, FileZilla, WinSCP or Fugu. To use SCP, connect as the root user, not admin. If a custom user has the User - System - Copy files permission, or all access, then they may also use SCP.

Tip: SSH clients must be kept up to date. As time goes on, security standards evolve and the settings used by SSH servers change. Outdated clients may not be able to connect using the strong keys and algorithms required by sshd. If a client will not connect, check for an update from the vendor.
Enable Secure Shell

To enable the SSH daemon, check Enable Secure Shell. After saving with this option enabled, the firewall generates SSH host keys if they are not already present and then starts the SSH daemon.

SSHd Key Only

This option controls which authentication methods the SSH daemon allows for clients. It can be set to one of the following values:

Password or Public Key
    Allows a user to authenticate with either a valid password or a valid key. This is the default behavior.

Public Key Only
    Restricts authentication to valid keys only; passwords are not accepted.

Require Both Password and Public Key
    Requires both a valid password and a valid key.

Key-based logins are a much more secure practice, though they take more preparation to configure. Add user keys for key-based login by editing users in the User Manager (User Management and Authentication). When editing a user, paste the allowed public keys into the Authorized Keys text field for the account.

Allow Agent Forwarding

Controls whether or not the SSH daemon allows agent forwarding for clients. Agent forwarding allows a user to run an SSH agent on their client system, connect to the firewall, and then connect from the firewall to other remote SSH servers using the key held by their agent. The user does not need to keep private keys on the firewall but can still use key-based authentication to remote servers. Use of an SSH agent can be a security issue in certain cases, since any process on the firewall that can reach the forwarded agent socket can authenticate with the user's keys for as long as the session lasts. Additionally, the firewall is not intended to be a general purpose SSH client or intermediate system, so this feature is disabled by default.

SSH Port

Controls the port used by the SSH daemon to accept client connections. To change the port, type the new port into the SSH Port box. Moving the SSH server to an alternate port provides a negligible security improvement and frees up the port for other uses.

Tip: Brute force SSH scanners focus on TCP port 22, but if the daemon is open to the Internet on another port it will eventually be found and hit by scanners.
Best Practices for SSH

If this firewall is installed in an environment that requires leaving SSH access unrestricted by firewall rules, which is dangerous, the best practice is to take one of the following actions:

Change the SSH Port
    Moving to a random alternate port prevents log noise from many, but not all, brute-force SSH login attempts and casual scans. The port can still be found with a port scan.

Force Key-Based Authentication
    Key-based authentication must always be used by publicly accessible SSH servers to eliminate the possibility of a successful brute force attack. Set SSHd Key Only to either Public Key Only or Require Both Password and Public Key.

Multiple unsuccessful logins from the same IP address result in that IP address being locked out, but that alone is not considered sufficient protection.

Login Protection

The sshguard daemon is used by the firewall to protect against brute force logins for both the GUI and SSH connections. The options in this section fine-tune the behavior of this protection.

Threshold
    The total score above which sshguard blocks a client. Most attacks have a score of 10; the default threshold is 30.

Blocktime
    The initial minimum number of seconds to block attackers who have exceeded the Threshold. The default is 120 seconds. Repeat offenders are blocked for increasingly longer periods (1.5x for each repetition).

    Note: Attackers are unblocked at random intervals, so the actual block time will be longer than stated. This prevents clients from predicting the timing to optimize targeted attacks.

Detection Time
    The amount of time, in seconds, attackers are remembered by sshguard since their last offense before it resets their score. Default is 1800 seconds.

Whitelist
    A list of subnets which are excluded from login protection. This lowers security but is generally acceptable for specific secure management networks. For example, it may be necessary to add entries for network monitoring systems which probe the SSH port but do not log in. Otherwise such systems may be flagged as attackers.

Serial Communications

If the firewall is running on hardware without a monitor, or if it will run "headless" (without keyboard and video attached), the serial console can be enabled to maintain physical control, so long as the hardware has a serial port (not USB). If hardware is detected which has no VGA port, the serial console is forced on and cannot be disabled, and the serial options are all hidden except for the speed.
Serial Terminal

When Serial Terminal is set, the operating system enables the console on the first serial port. This console receives kernel boot messages and a menu after the firewall has finished booting. This does not disable the onboard keyboard and video console. To connect to the serial console, use a null modem cable connected to a serial port or adapter on another PC or serial device.

See also: For more information on connecting to a serial console, see Connecting to a Serial Console and Start a Serial Client.

When making any changes to the serial console, the firewall must be rebooted before they take effect.

Serial Console Speed

The default serial console speed is 115200 bps and almost all hardware works well at that speed. In rare cases a slower speed may be required, which can be set here by picking the desired speed from the Serial Speed drop-down. When upgrading from an older version, this may remain at an older value such as 9600 or 38400 to match the BIOS on older hardware. Increasing the speed to 115200 is almost always safe and more useful than slower speeds.

Primary Console

On hardware with both the serial console enabled and a VGA port available, the Primary Console selector chooses which is the preferred console, so it will receive the boot log messages. Other OS kernel messages show up on all console connections, and both consoles have a usable menu. In cases where the boot cannot complete, the preferred console must be used to resolve the problem, such as reassigning interfaces.

Console Menu

Normally the firewall always presents the menu on the console, and the menu is available as long as someone has physical access to the console. In high-security environments this is not desirable. This option adds password protection to the console. The console accepts the same usernames and passwords used to access the GUI. After setting this option, the firewall must be rebooted before it takes effect.

Note: While this will stop accidental key presses and keep out casual users, it is by no means a complete security measure. A knowledgeable person with physical access can still reset the passwords (see Forgotten Password with a Locked Console). Consider other physical security methods, such as restricting physical access to the device and its boot process, if console security is a requirement.
8.6.2 Firewall/NAT Tab

Firewall Advanced

IP Do-Not-Fragment compatibility

This option is a workaround for operating systems which generate fragmented packets with the "don't fragment" (DF) bit set. Linux NFS (Network File System) is known to do this, as are some VoIP implementations. When this option is enabled, the firewall does not drop these malformed packets but instead clears the DF bit. The firewall also randomizes the IP identification field of outgoing packets to compensate for operating systems that set the DF bit but leave the IP identification header field at zero.

MSS Clamping

MSS Clamping

Enable maximum segment size clamping on TCP flows over IPsec tunnels. This helps overcome problems with path MTU discovery (PMTUD) on IPsec VPN links. It is useful if large TCP packets have problems traversing the VPN, or if users observe slow/choppy connections across the VPN. Ideally it should be set to the same value on both sides of the VPN, but traffic will have MSS clamping applied in both directions regardless.

Enable
    When set, the Maximum MSS option is available and its value is used by the firewall configuration.

Maximum MSS
    The maximum segment size set in TCP packets flowing across IPsec VPN tunnels. Defaults to 1400. Must be low enough to account for the overhead of IPsec and the MTU of the link, but not so low that unnecessarily small segments are sent, as that is inefficient.

IP Random ID generation

If Insert a stronger ID into IP header of packets passing through the filter is checked, the firewall replaces the IP identification field of packets with random values to compensate for operating systems that use predictable values. This option only applies to packets that are not fragmented after the optional packet reassembly.

Firewall Optimization Options

The optimization mode controls how the firewall expires state table entries:

Normal
    The standard optimization algorithm, which is optimal for most environments.

High Latency
    Used for high latency links, such as satellite links. Expires idle connections later than the default.

Aggressive
    Expires idle connections more quickly. Makes more efficient use of CPU and memory but can drop legitimate connections earlier than expected. This option can also improve performance in high traffic deployments with many connections, such as web services.

Conservative
    Tries to avoid dropping any legitimate connections at the expense of increased memory usage and CPU utilization. Can help in environments that require long-lived but mostly idle UDP connections, such as VoIP.
The table Firewall Optimization Details contains the values chosen by PF for each optimization algorithm. The values are taken from the PF source code. Each cell gives the raw value in seconds followed by a human readable form:

Table 1: Firewall Optimization Details

Timeout          Meaning             Normal         High Latency          Conservative      Aggressive
tcp.first        First TCP packet    60 (1 min)     180 (3 min)           3600 (60 min)     30 (30 sec)
tcp.opening      No response yet     30 (30 sec)    35 (35 sec)           900 (15 min)      5 (5 sec)
tcp.established  Established         86400 (24 h)   86400 (24 h)          432000 (5 days)   18000 (5 h)
tcp.closing      Half closed         900 (15 min)   905 (15 min + 5 sec)  3600 (1 h)        60 (60 sec)
tcp.finwait      Got both FINs       45 (45 sec)    50 (50 sec)           600 (10 min)      30 (30 sec)
tcp.closed       Got an RST          90 (90 sec)    95 (95 sec)           180 (3 min)       30 (30 sec)
tcp.tsdiff       Allowed TS diff     30 (30 sec)    60 (60 sec)           60 (60 sec)       10 (10 sec)

Disable Firewall

When Disable all packet filtering is set, the firewall becomes a routing-only platform. This is accomplished by disabling pf entirely, and as a consequence NAT is also disabled since it is handled by pf.

Tip: To disable only NAT, do not use this option. Consult Disabling Outbound NAT for more information on controlling outbound NAT behavior.
Disable Firewall Scrub

When set, the scrubbing option in pf is disabled. The scrub action in pf can interfere with NFS and, in rare cases, with VoIP traffic as well. By default the firewall uses the fragment reassemble option, which reassembles fragmented packets before sending them on to their destination when possible. More information on the scrub feature of pf can be found in the OpenBSD PF Scrub Documentation.

Note: Disabling scrub also disables other features that rely on scrub to function, such as DF bit clearing and ID randomization. Disabling scrub does not disable MSS clamping if it is active for VPNs, or when an MSS value is configured on an interface.

Firewall Adaptive Timeouts

Adaptive Timeouts control state handling in pf when the state table is nearly full. Using these timeouts, a firewall administrator can control how states are expired or purged when there is little or no space remaining to store new connection states. Adaptive Timeouts are enabled by default and the default values are calculated automatically from the configured Firewall Maximum States value.

Adaptive Start
    Adaptive scaling starts once the state table reaches this level, expressed as a number of states. Adaptive Start defaults to 60% of Firewall Maximum States.

Adaptive End
    When the size of the state table reaches this value, expressed as a number of state table entries, all timeout values are assumed to be zero, which causes pf to purge all state entries immediately. This setting defines the scale factor; it should be set greater than the total number of states allowed. Adaptive End defaults to 120% of Firewall Maximum States.

When the number of connection states exceeds the threshold set by Adaptive Start, timeout values are scaled linearly by a factor based on the number of states used between the Start and End state counts. The timeout adjustment factor is calculated as follows:

    (Adaptive End - current number of states) / (Adaptive End - Adaptive Start)

Note: As an example, consider a firewall with Adaptive Start set to 600000, Adaptive End set to 1200000 and Firewall Maximum States set to 1000000. When the state table size reaches 900000 entries, the state timeouts are scaled to 50% of their normal values:

    (1,200,000 - 900,000) / (1,200,000 - 600,000) = 300,000 / 600,000 = 0.50, or 50%

Continuing the example, when the state table is full at 1,000,000 states, the timeout values are reduced to 1/3 of their original values:

    (1,200,000 - 1,000,000) / (1,200,000 - 600,000) = 200,000 / 600,000 = 0.33, or 33%

Tip: The state table usage indicator on the dashboard changes color and text when the state table size crosses these thresholds.
Firewall Maximum States

This value is the maximum number of connections the firewall can hold in its state table. The default size is calculated as 10% of total RAM. This default is sufficient for most installations, but can be adjusted higher or lower depending on the load and available memory. Each state consumes approximately 1 KB of RAM, or roughly 1 MB of RAM for every 1000 states. The firewall must have adequate free RAM to contain the entire state table before this value is increased. Firewall states are discussed further in Stateful Filtering.

Tip: On a firewall with 8 GB of RAM the state table would have a default size of approximately 800,000 states. A custom Firewall Maximum States value of 4,000,000 would consume about 4 GB of RAM, half the available 8 GB.

Firewall Maximum Table Entries

This value defines the maximum number of entries that can exist inside the address tables used by the firewall for collections of addresses such as aliases, SSH/GUI lockout records, hosts blocked by Snort alerts, and so on. By default this is 400,000 entries. If the firewall has features enabled which can load large blocks of address space into aliases, such as URL Table aliases or the pfBlockerNG package, increase this value to comfortably include at least double the total number of entries contained in all aliases combined.

Firewall Maximum Fragment Entries

When scrub is enabled the firewall maintains a table of packet fragments waiting to be reassembled. By default this table can hold 5000 fragments. In rare cases a network may have an unusually high rate of fragmented packets which requires more space in this table. When this limit is reached, the following message appears in the main system log:

    kernel: [zone: pf frag entries] PF frag entries limit reached
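The state-table rules from the preceding sections, carried through as an added example (not pfSense code): the default Firewall Maximum States derived from RAM, the Adaptive Start/End defaults derived from that, the adaptive scale factor, and the effective per-state timeouts that result for each optimization mode. The per-mode base timeouts are the values from the Firewall Optimization Details table; the 1 KB-per-state and 10%-of-RAM figures are the approximations given in the text, and the 50% headroom check is a rule of thumb assumed here, not a documented limit.

```python
"""Worked model of pfSense state-table sizing and adaptive timeouts
(added example; constants are the approximations stated in the manual)."""

STATE_BYTES = 1024  # ~1 KB of RAM per state (approximation from the text)

# tcp.* base timeouts in seconds per optimization mode, from the table above.
MODES = {
    "normal":       {"first": 60,   "opening": 30,  "established": 86400,
                     "closing": 900,  "finwait": 45,  "closed": 90,  "tsdiff": 30},
    "high-latency": {"first": 180,  "opening": 35,  "established": 86400,
                     "closing": 905,  "finwait": 50,  "closed": 95,  "tsdiff": 60},
    "conservative": {"first": 3600, "opening": 900, "established": 432000,
                     "closing": 3600, "finwait": 600, "closed": 180, "tsdiff": 60},
    "aggressive":   {"first": 30,   "opening": 5,   "established": 18000,
                     "closing": 60,   "finwait": 30,  "closed": 30,  "tsdiff": 10},
}


def default_max_states(ram_bytes: int) -> int:
    """Default Firewall Maximum States: 10% of RAM at ~1 KB per state."""
    return ram_bytes // 10 // STATE_BYTES


def state_table_ram(max_states: int) -> int:
    """RAM the state table needs when completely full, in bytes."""
    return max_states * STATE_BYTES


def adaptive_defaults(max_states: int) -> tuple:
    """(Adaptive Start, Adaptive End) defaults: 60% and 120% of max states."""
    return max_states * 60 // 100, max_states * 120 // 100


def timeout_scale(states: int, start: int, end: int) -> float:
    """Adaptive timeout factor: 1.0 up to Start, falling linearly to 0.0 at End."""
    if end <= start:
        raise ValueError("Adaptive End must be greater than Adaptive Start")
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeouts(mode: str, states: int, start: int, end: int) -> dict:
    """Per-state timeouts (seconds) once adaptive scaling is applied."""
    factor = timeout_scale(states, start, end)
    return {name: int(base * factor) for name, base in MODES[mode].items()}


def headroom_ok(ram_bytes: int, max_states: int, reserve_fraction: float = 0.5) -> bool:
    """Sanity check before raising Firewall Maximum States: keep a full state
    table within reserve_fraction of RAM (assumed rule of thumb, not a
    documented pfSense limit)."""
    return state_table_ram(max_states) <= ram_bytes * reserve_fraction


if __name__ == "__main__":
    ram = 8 * 2**30
    ms = default_max_states(ram)
    start, end = adaptive_defaults(ms)
    print(f"8 GiB RAM -> default max states {ms:,}, adaptive start {start:,}, end {end:,}")
    # The worked example from the text: start 600k, end 1.2M, max 1M states.
    for used in (500_000, 900_000, 1_000_000):
        f = timeout_scale(used, 600_000, 1_200_000)
        est = effective_timeouts("normal", used, 600_000, 1_200_000)["established"]
        print(f"{used:>9,} states: factor {f:.3f}, tcp.established {est:,}s")
    print("4,000,000 states on 8 GiB within headroom:", headroom_ok(ram, 4_000_000))
```

Note that with Adaptive End above Firewall Maximum States, the factor never reaches zero in practice; it only bottoms out at the value the full table produces (1/3 in the manual's example), which is the intended behavior.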
Static Route Filtering

The Bypass firewall rules for traffic on the same interface option applies if the firewall has one or more static routes defined. If this option is enabled, traffic that enters and leaves through the same interface is not checked by the firewall. This may be required in situations where multiple subnets are connected to the same interface, to avoid blocking traffic that passes through the firewall in only one direction due to asymmetric routing. See Bypass Firewall Rules for Traffic on Same Interface for a more in-depth discussion of that topic.

Disable Auto-added VPN rules

By default, when IPsec is enabled, firewall rules are automatically added to the appropriate interface to allow the tunnel to establish. When Disable Auto-added VPN rules is checked, the firewall does not add these rules automatically. By disabling the automatic rules, the firewall administrator retains control over which addresses are allowed to connect to a VPN. Further information on these rules can be found at VPNs and Firewall Rules.

Disable Reply-To

In a Multi-WAN configuration the firewall has a beneficial default behavior that ensures traffic leaves through the same interface it arrived on. This is accomplished using the pf keyword reply-to, which is added automatically to interface tab firewall rules for WAN-type interfaces. When a connection matches a rule with reply-to, the firewall remembers the path through which the connection was made and routes the reply traffic back to the gateway for that interface.

Tip: WAN-type interfaces are interfaces which have a gateway set on their Interfaces menu entry configuration, or interfaces which have a dynamic gateway such as DHCP, PPPoE, or assigned OpenVPN, GIF, or GRE interfaces.

In situations such as bridging, this behavior is undesirable if the WAN gateway IP address is different from the gateway IP address of the hosts behind the bridged interface. Disabling reply-to allows clients to communicate with the proper gateway.

Another case that has issues with reply-to involves static routing to other systems in a larger WAN subnet. Disabling reply-to in this case helps ensure that replies return to the proper router instead of being routed back to the gateway.

This behavior can also be disabled on individual firewall rules rather than globally using this option.

Disable Negate rules

In a Multi-WAN configuration, traffic for directly connected networks and VPN networks typically must still flow properly when using policy routing. The firewall inserts rules to pass this local and VPN traffic without a gateway specified, to maintain connectivity. In some cases these negation rules can over-match traffic and allow more than intended.

Tip: The best practice is to create manual negation rules near the top of internal interfaces such as LAN. These rules should pass traffic to local and VPN destinations without a gateway set on the rule, so that the system routing table is honored. They do not have to be at the very top of the interface rules, but they must be above any rules that have a gateway set.
Allow APIPA

Automatic Private IP Addressing (APIPA), or IPv4 Link-Local addressing, uses the special subnet 169.254.0.0/16. This traffic is for local links only (same L2); it must not be routed or traverse a firewall. As such, inbound traffic from these addresses is automatically blocked by internal firewall rules by default. When Allow APIPA traffic is checked, the default block rules are removed and user firewall rules control the traffic. There are some use cases which utilize these addresses for private communication on an interface, such as AWS VPC BGP, and in those cases the option can be enabled along with carefully crafted manual firewall rules.

Warning: When this option is enabled, take care to never allow APIPA traffic to match policy routing rules. If APIPA traffic matches policy routing rules, behavior is unpredictable. There have been reports of such errors leading to packet loops and unexpectedly high resource usage. See Redmine Issue #2073 for more.

Aliases Hostnames Resolve Interval

This option controls how often hostnames in aliases are resolved and updated by the filterdns daemon. By default this is 300 seconds (5 minutes). In configurations with a small number of hostnames or a fast/low-load DNS server, decrease this value to pick up changes faster.

Check Certificate of Alias URLs

When Verify HTTPS certificates when downloading alias URLs is set, the firewall requires a valid HTTPS certificate for web servers used in URL table aliases. This behavior is more secure, but if the web server is private and uses a self-signed certificate, it can be more convenient to ignore the validity of the certificate and allow the data to be downloaded.

Warning: The best practice is to always use a server certificate with a valid chain of trust for this type of role, rather than weakening security by allowing a self-signed certificate. An alias fetched over an unverified connection can be altered by anyone able to intercept the download, which turns a list of blocked or allowed addresses into a way to change firewall policy.

Bogon Networks

The Update Frequency drop-down for Bogon Networks controls how often these lists are updated. Further information on bogon networks may be found in Block Bogon Networks.

Network Address Translation

NAT Reflection for Port Forwards

The NAT Reflection mode for port forwards option controls how NAT reflection is handled by the firewall. These NAT redirect rules allow clients to access port forwards using the public IP addresses on the firewall from within local internal networks.

See also: Refer to NAT Reflection for a discussion of the merits of NAT Reflection compared to other techniques such as Split DNS.
There are three possible modes for NAT Reflection:

Disabled
    The default value. When disabled, port forwards are only accessible from WAN and not from inside local networks.

Pure NAT
    This mode uses a set of NAT rules to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and gateway IP address used for communication with the target at the time the rules are loaded. There are no inherent limits on the number of ports other than the limits of the protocols. All protocols available for port forwards are supported. When this option is enabled, Automatic Outbound NAT for Reflection must also be enabled if the clients and servers are in the same local network.

NAT + Proxy
    NAT + Proxy mode uses a helper program to send packets to the target of the port forward. The connection is received by the reflection daemon, which acts as a proxy and creates a new connection to the local server. This puts a larger burden on the firewall, but is useful in setups where the interface and/or gateway IP address used for communication with the target cannot be accurately determined at the time the rules are loaded. NAT + Proxy reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total across all port forwards. This mode only supports TCP port forwards.

Individual NAT rules have the option to override the global NAT reflection configuration, so they may have NAT reflection forced on or off on a case-by-case basis.

Reflection Timeout

The Reflection Timeout setting forces a timeout on connections made when performing NAT reflection for port forwards in NAT + Proxy mode. If connections are staying open and consuming resources, this option can mitigate that issue.

NAT Reflection for 1:1 NAT

When checked, this option adds additional reflection rules which enable access to 1:1 mappings of external IP addresses from internal networks. This gives the same functionality that already exists for port forwards, but for 1:1 NAT. There are complex routing scenarios that may render this option ineffective. This option only affects the inbound path for 1:1 NAT, not outbound. The underlying rule style is similar to the Pure NAT mode for port forwards. As with port forwards, there are per-entry options to override this behavior.

Automatic Outbound NAT for Reflection

When checked, this option automatically creates outbound NAT rules which assist reflection rules that direct traffic back out to the same subnet from which it originated. These additional rules allow Pure NAT and 1:1 NAT Reflection to function fully when the clients and servers are in the same subnet. In most cases this box must be checked for NAT Reflection to work.

Note: This behavior is necessary because when clients and servers are in the same subnet, the traffic source must be changed so that the connection appears to originate from the firewall. Otherwise the return traffic bypasses the firewall and the connection does not succeed. A side effect is that the server logs the firewall's address rather than the real client address for reflected connections.
TFTP Proxy

The built-in TFTP proxy proxies connections to TFTP servers outside the firewall, so that client connections can be made to remote TFTP servers. Ctrl-click or shift-click to select multiple entries from the list. If no interfaces are chosen, the TFTP proxy service is deactivated.

State Timeouts

The State Timeout section allows fine-tuning of the state timeouts for various protocols. These are typically handled automatically by the firewall and the values are dictated by the Firewall Optimization Options. In rare cases these timeouts may need to be adjusted up or down to account for irregularities in device behavior or site-specific needs. All of the values are expressed in seconds, and control how long a connection in that state is retained in the state table.

See also: Descriptions in the following options reference firewall state conditions as described in Interpreting States.

TCP First
    The first packet of a TCP connection.

TCP Opening
    The state before the destination host has replied (e.g. SYN_SENT:CLOSED).

TCP Established
    An established TCP connection where the three-way handshake has been completed.

TCP Closing
    One side has sent a TCP FIN packet.

TCP FIN Wait
    Both sides have exchanged FIN packets and the connection is shutting down. Some servers may continue to send packets during this time.

TCP Closed
    One side has sent a connection reset (TCP RST) packet.

TCP Tsdiff
    The allowed TCP timestamp difference.

UDP First
    The first UDP packet of a connection has been received.

UDP Single
    The source host has sent a single packet but the destination has not replied (e.g. SINGLE:NO_TRAFFIC).

UDP Multiple
    Both sides have sent packets.

ICMP First
    An ICMP packet has been received.

ICMP Error
    An ICMP error was received in response to an ICMP packet.

Other First, Other Single, Other Multiple
    The same as UDP, but for other protocols.

8.6.3 Networking Tab

IPv6 Options

Allow IPv6

The Allow IPv6 option controls a set of block rules which prevent IPv6 traffic from being handled by the firewall.

Note: This option does not disable IPv6 functions or prevent IPv6 from being configured; it only controls traffic flow.

When the option is enabled, IPv6 traffic is allowed when permitted by firewall rules and/or automatic rules, depending on the firewall configuration. This option is enabled by default on new configurations.
  • 364. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC When the option is unchecked, all IPv6 traffic will be blocked. This behavior is similar to how IPv6 was treated before it was supported by pfSense® software. Configurations imported from or upgraded from versions older than 2.1 will have this option unchecked, so they behave consistently after upgrade. IPv6 over IPv4 Tunneling The Enable IPv6 over IPv4 Tunneling option enables forwarding for IP protocol 41/RFC 2893 to an IPv4 address specified in the IPv4 address of Tunnel Peer field. When configured, this forwards all incoming protocol 41/IPv6 traffic to a host behind this firewall instead of handling it locally. Tip: Enabling this option does not add firewall rules to allow the protocol 41 traffic. A rule must exist on the WAN interface to allow the traffic to pass through to the local receiving host. Prefer IPv4 over IPv6 When set, this option causes the firewall itself to prefer sending traffic to IPv4 hosts instead of IPv6 hosts when a DNS query returns results for both. In rare cases when the firewall has partially configured, but not fully routed, IPv6 this can allow the firewall to continue reaching Internet hosts over IPv4. Note: This option controls the behavior of the firewall itself, such as when polling for updates, package installations, downloading rules, and fetching other data. It cannot influence the behavior of clients behind the firewall. IPv6 DNS Entry This option controls whether or not the firewall creates local DNS entries for the firewall itself with IPv6 addresses, when available. By default (unchecked), the firewall automatically adds DNS entries for itself using its local IPv4 and IPv6 interface addresses. In some cases, such as with dynamic IPv6 addresses like tracked interfaces, the IPv6 address may disappear or change and clients may attempt to use an outdated address until their cached DNS response expires. 
    When the option is checked, the firewall only adds DNS entries for its
    IPv4 addresses.

DHCP6 DUID
    This option controls the DHCPv6 Unique Identifier (DUID) used by the
    firewall when requesting an IPv6 address. The firewall generates a DUID
    automatically, but in some cases an administrator may want to use a
    different DUID. For example, if the operating system was reinstalled and
    the firewall should use the same DUID it had in the past, or if an
    upstream network administrator requires a specific DUID.

    Note: Most users do not need to change this to any specific value; the
    default behavior is fine for nearly all environments. When in doubt,
    leave it alone unless directed to change it by an upstream network
    provider.
    There are several possible DUID formats that this option can accept,
    chosen by the drop-down menu. When a format is chosen, the GUI displays a
    different set of input boxes specific to the selected format. The exact
    format depends upon the needs of the network administrator (e.g. ISP,
    datacenter, etc.) and they would provide the format and values.

    The available DUID formats are:

    Raw DUID
        DUID represented exactly as observed in a DUID file or in logs.
        Entered as:

        Raw DUID
            A single text area in which the DUID can be entered. This option
            also includes a Copy DUID button which copies the DUID from the
            placeholder (automatically generated by the firewall) into the
            text box so that the existing DUID can easily be placed into the
            configuration.

    DUID-LLT
        DUID format with Link-Layer Address Plus Time. Entered as:

        Time
            Time (in seconds) since January 1st, 2000 UTC, modulo 2^32.
        Link-Layer Address
            The link-layer address (MAC) of an interface on the firewall in
            the format xx:xx:xx:xx:xx:xx.

    DUID-EN
        DUID assigned by a vendor based on Enterprise Number. Entered as:

        Enterprise Number
            IANA Private Enterprise Number of the vendor.
        Identifier
            Variable length identifier in the format xx:xx:xx:xx. The length
            depends upon the vendor.

    DUID-LL
        DUID based on only the Link-Layer Address. Entered as:

        Link-Layer Address
            The link-layer address (MAC) of an interface on the firewall in
            the format xx:xx:xx:xx:xx:xx.

    DUID-UUID
        DUID based on the host Universally Unique Identifier (UUID). Entered
        as:

        DUID-UUID
            The UUID for this host in nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn
            format.

Network Interfaces

Hardware Checksum Offloading
    When checked, this option disables hardware checksum offloading on the
    network cards. Checksum offloading is usually beneficial as it allows the
    checksum to be calculated (outgoing) or verified (incoming) in hardware
    at a much faster rate than it could be handled in software.

    Note: When checksum offloading is enabled, a packet capture taken on the
    firewall will show empty (all zero) or incorrect checksums on packets
    transmitted by the firewall, because the NIC fills them in after the
    capture point. These are normal when checksum handling is happening in
    hardware.

    Checksum offloading is broken in some hardware, particularly Realtek
    cards and virtualized/emulated cards such as those on Xen/KVM. Typical
    symptoms of broken checksum offloading include corrupted packets and poor
    throughput.

    Tip: In virtualization cases such as Xen/KVM it may be necessary to
    disable checksum offloading on the host as well as in the VM. If
    performance is still poor or there are still errors on these types of
    VMs, switch the type of virtual NIC if possible.
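The DUID formats listed under DHCP6 DUID above correspond directly to the wire encoding in RFC 8415, section 11. The following Python script is an added example, not pfSense or FreeBSD code: it builds each DUID type from the same field values the GUI asks for, renders the result as the colon-separated hex seen in logs and the Raw DUID box, and decodes a raw DUID back into its fields, rejecting truncated or unknown input. The MAC addresses and UUID are constructed sample values; the DUID-EN enterprise number 9 and identifier are the example values RFC 8415 itself uses.

```python
"""Encode and decode DHCPv6 DUIDs (RFC 8415, section 11).

Added example for the DHCP6 DUID option; not pfSense or FreeBSD code.
The MAC addresses and UUID used below are constructed sample values.
"""
import struct
import uuid
from datetime import datetime, timezone

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1  # IANA ARP hardware type for Ethernet
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base


def _mac(text: str) -> bytes:
    """Parse the GUI's xx:xx:xx:xx:xx:xx form into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("link-layer address must be exactly 6 bytes")
    return raw


def seconds_since_2000(when: datetime) -> int:
    """The DUID-LLT Time field: seconds since 2000-01-01 00:00 UTC, modulo 2^32."""
    return int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF


def build_llt(mac: str, time_field: int) -> bytes:
    """DUID-LLT: type 1, hardware type, 32-bit time, link-layer address."""
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, time_field & 0xFFFFFFFF) + _mac(mac)


def build_en(enterprise: int, identifier: str) -> bytes:
    """DUID-EN: type 2, IANA private enterprise number, vendor-defined identifier."""
    ident = bytes.fromhex(identifier.replace(":", ""))
    if not ident:
        raise ValueError("identifier must not be empty")
    return struct.pack("!HI", DUID_EN, enterprise) + ident


def build_ll(mac: str) -> bytes:
    """DUID-LL: type 3, hardware type, link-layer address (no time)."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + _mac(mac)


def build_uuid(text: str) -> bytes:
    """DUID-UUID: type 4 followed by the 16-byte UUID."""
    return struct.pack("!H", DUID_UUID) + uuid.UUID(text).bytes


def to_raw(duid: bytes) -> str:
    """Render as colon-separated hex, the form shown in logs and the Raw DUID box."""
    return ":".join(f"{b:02x}" for b in duid)


def parse(raw: str) -> dict:
    """Decode a raw DUID string into its fields; refuses short or unknown input."""
    data = bytes.fromhex(raw.replace(":", ""))
    if len(data) < 2:
        raise ValueError("DUID too short to carry a type code")
    (kind,) = struct.unpack("!H", data[:2])
    if kind == DUID_LLT and len(data) >= 9:
        hw, secs = struct.unpack("!HI", data[2:8])
        return {"type": "DUID-LLT", "hwtype": hw, "time": secs, "lladdr": to_raw(data[8:])}
    if kind == DUID_EN and len(data) >= 7:
        (ent,) = struct.unpack("!I", data[2:6])
        return {"type": "DUID-EN", "enterprise": ent, "identifier": to_raw(data[6:])}
    if kind == DUID_LL and len(data) >= 5:
        (hw,) = struct.unpack("!H", data[2:4])
        return {"type": "DUID-LL", "hwtype": hw, "lladdr": to_raw(data[4:])}
    if kind == DUID_UUID and len(data) == 18:
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=data[2:]))}
    raise ValueError(f"unknown or malformed DUID (type {kind}, {len(data)} bytes)")


if __name__ == "__main__":
    # Constructed sample values; a real firewall would use one of its own MACs.
    for d in (build_llt("00:11:22:33:44:55", seconds_since_2000(datetime.now(timezone.utc))),
              build_en(9, "0c:c0:84:d3:03:00:09:12"),
              build_ll("00:11:22:33:44:55"),
              build_uuid("12345678-1234-5678-1234-567812345678")):
        print(to_raw(d), "->", parse(to_raw(d)))
```

Running the script prints each DUID in raw form followed by its decoded fields, which is a quick way to confirm that the values typed into the GUI produce the DUID the upstream provider expects before committing the change.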
Hardware TCP Segmentation Offloading
    Checking this option disables hardware TCP segmentation offloading (TSO,
    TSO4, TSO6). TSO causes the NIC to handle splitting up packets into
    MTU-sized chunks rather than handling that at the OS level. This can be
    faster for servers and appliances as it allows the OS to offload that
    task to dedicated hardware, but when acting as a firewall or router this
    behavior is highly undesirable as it actually increases the load: the
    segmentation has already been performed elsewhere on the network, and
    redoing it here breaks the end-to-end principle by modifying packets that
    did not originate on this host.

    Warning: TSO is not desirable for routers and firewalls, but can benefit
    workstations and appliances. This option (disable TSO) is checked by
    default, so TSO is off, and it should remain off unless the firewall is
    acting primarily or solely in an appliance/endpoint role. Do not uncheck
    this option unless directed to do so by a support representative. This
    offloading is broken in some hardware drivers, and can negatively impact
    performance on affected network cards and roles.

Hardware Large Receive Offloading
    Checking this option disables hardware large receive offloading (LRO).
    LRO is similar to TSO, but for the incoming path rather than outgoing. It
    allows the NIC to receive a large number of smaller packets before
    passing them up to the operating system as a larger chunk. This can be
    faster for servers and appliances as it offloads what would normally be a
    processing-heavy task to the network card. When acting as a firewall or
    router this is highly undesirable as it delays the reception and
    forwarding of packets that are not destined for this host, and they will
    have to be split back up again on the outbound path, increasing the
    workload significantly and breaking the end-to-end principle.

    Warning: LRO is not desirable for routers and firewalls, but can benefit
    workstations and appliances. This option (disable LRO) is checked by
    default, so LRO is off, and it should remain off unless the firewall is
    acting primarily or solely in an appliance/endpoint role. Do not uncheck
    this option unless directed to do so by a support representative. This
    offloading is broken in some hardware drivers, and can negatively impact
    performance on affected network cards and roles.

hn ALTQ Support
    Checking this option enables support for ALTQ traffic shaping on hn(4)
    network interfaces in Hyper-V. For ALTQ to work on hn(4) interfaces, the
    operating system must disable the multi-queue API, which may reduce the
    capability of the system to handle traffic. The administrator must decide
    if this reduction in performance is worth the benefit of traffic shaping.
    The firewall must be rebooted for this setting to take effect.
Suppress ARP messages
    The firewall makes a log entry in the main system log when an IP address
    appears to switch to a different MAC address. This log entry notes that
    the device has moved addresses, and records the IP address and the old
    and new MAC addresses. This event can be completely benign (e.g. NIC
    teaming on a Microsoft server, a device being replaced), a legitimate
    client problem (e.g. an IP conflict), or a sign that another host on the
    segment is answering ARP for an address it does not own, and it could
    show up constantly or rarely if ever. It all depends on the network
    environment.

    The best practice is to allow these ARP messages to be printed to the
    log, since there is a chance it will report a problem worth the attention
    of a network administrator. However, if the network environment contains
    systems which generate these messages while operating normally,
    suppressing the messages can make the system log more useful as it will
    not be cluttered with unneeded entries.

Reset All States
    When set, if an interface IP address changes, the firewall will reset the
    entire state table instead of only clearing states for the old interface
    IP address. This behavior is potentially disruptive, and is off by
    default. In single WAN environments, this is not typically any more
    disruptive than the WAN address changing, since clients already have to
    reestablish all connections. In most cases, this behavior is not
    necessary, but it can help in certain situations where WAN addresses
    change rapidly and the normal behavior misses states for former IP
    addresses.

8.6.4 Miscellaneous Tab

Proxy Support

If this firewall resides in a network which requires a proxy for outbound
Internet access, enter the proxy options in this section so that requests
from the firewall for items such as packages and updates will be sent
through the proxy.

Proxy URL
    This option specifies the location of the proxy for making outside
    connections. It must be an IP address or a fully qualified domain name.
Proxy Port
    The port to use when connecting to the proxy URL. By default the port is
    8080 for HTTP proxy URLs, and 443 for SSL proxy URLs. The port is
    determined by the proxy, and may be a different value entirely (e.g.
    3128). Check with the proxy administrator to find the proper port value.
Proxy Username
    If required, this is the username that is sent for proxy authentication.
Proxy Password
    If required, this is the password associated with the username set in
    the previous option.

Load Balancing

When pfSense® software is directed to perform load balancing, successive
connections will be redirected in a round-robin manner to a gateway,
balancing the load across all available paths. The options in this section
alter or fine-tune that behavior.

Sticky Connections
    When active, connections from the same source are sent through the same
    gateway, rather than being sent in a purely round-robin manner. This
    “sticky” association will exist as long as states are in the table for
    connections from a given source address (e.g. the IP address of a user).
    Once the states for that source expire, so will the sticky association.
    Further connections from that source host will be redirected to the next
    available gateway in the group. This behavior can help with protocols
    such as HTTPS and FTP, where the server may be strict about all
    connections coming from the same source. The downside of this behavior is
    that balancing is not as efficient: a heavy user could dominate a single
    WAN rather than having their connections spread out.
Source Tracking Timeout
    Controls how long the sticky association will be maintained for a host
    after all of the states from that host expire. The value is specified in
    seconds. By default, this value is not set, so the association is removed
    as soon as the states expire. If sticky connections appear to work
    initially but seem to stop partway through sessions, increase this value
    to hold an association longer. Web browsers often hold open connections
    for a while as users are on a site, but if there is a lot of idle time,
    connections may be closed and states may expire.

Power Savings

When Enable PowerD is checked, the powerd daemon is started. This daemon
monitors the system and can lower or raise the CPU frequency based on system
activity. If processes need the power, the CPU speed will be increased as
needed. This option will lower the amount of heat a CPU generates, and may
also lower power consumption.

Note: The behavior of this option depends greatly on the hardware in use. In
some cases, the CPU frequency may lower but have no measurable effect on
power consumption and/or heat, where others will cool down and use
considerably less power. It is considered safe to run, but is left off by
default unless supported hardware is detected.

The mode for powerd may also be selected for three system states:

AC Power
    Normal operation connected to AC power.
Battery Power
    Mode to use when the firewall is running on battery. Support for battery
    power detection varies by hardware.
Unknown Power
    Mode used when powerd cannot determine the power source.

Four mode choices exist for each of these states:

Maximum
    Keeps the performance as high as possible at all times.
Minimum
    Keeps performance at its lowest, to reduce power consumption.
Adaptive
    Tries to balance savings by decreasing performance when the system is
    idle and increasing it when busy.
Hiadaptive
    Similar to adaptive but tuned to keep performance high at the cost of
    increased power consumption. It raises the CPU frequency faster and drops
    it slower. This is the default mode.

Note: Some hardware requires powerd running to operate at its maximum
attainable CPU frequency. If the firewall device does not have powerd
enabled but always runs at what appears to be a low CPU frequency, enable
powerd and set it to Maximum for at least the AC Power state.
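The “moved from … to …” entries described under Suppress ARP messages above are worth triaging rather than silencing. The Python script below is an added example, not pfSense code: it parses the FreeBSD kernel arp: ... moved from ... to ... on ... log line format out of a syslog export, separates a one-off move (a replaced device) from an address that bounces between two MACs inside a short window (an IP conflict or another host answering ARP for it), and treats any move of a designated critical address such as the default gateway as an alert on its own. The log lines are constructed for the example; the interface name, addresses, window and threshold are assumptions.

```python
"""Triage FreeBSD "arp: X moved from A to B on IFACE" kernel log entries.

Added example for the Suppress ARP messages option; not pfSense code.
The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Iterable, NamedTuple

# FreeBSD logs: "arp: <ip> moved from <old mac> to <new mac> on <ifname>"
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: arp: (?P<ip>\S+) "
    r"moved from (?P<old>[0-9A-Fa-f:]{17}) to (?P<new>[0-9A-Fa-f:]{17}) on (?P<ifname>\S+)$"
)

# Constructed sample syslog export (hostname "fw", interface "igb1" are assumptions).
SAMPLE_LOG = """\
Feb  7 10:00:01 fw kernel: arp: 192.168.1.50 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on igb1
Feb  7 10:00:03 fw kernel: arp: 192.168.1.50 moved from 66:77:88:99:aa:bb to 00:11:22:33:44:55 on igb1
Feb  7 10:00:05 fw kernel: igb1: link state changed to UP
Feb  7 10:00:05 fw kernel: arp: 192.168.1.50 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on igb1
Feb  7 10:00:07 fw kernel: arp: 192.168.1.50 moved from 66:77:88:99:aa:bb to 00:11:22:33:44:55 on igb1
Feb  7 11:30:00 fw kernel: arp: 192.168.1.9 moved from aa:bb:cc:dd:ee:01 to aa:bb:cc:dd:ee:02 on igb1
Feb  7 12:00:00 fw kernel: arp: 192.168.1.1 moved from 00:50:56:00:00:01 to de:ad:be:ef:00:01 on igb1
"""


class Move(NamedTuple):
    when: datetime
    ip: str
    ifname: str
    old: str
    new: str


def parse_moves(lines: Iterable[str], year: int = 2023) -> list:
    """Extract ARP move events; syslog timestamps lack the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = ARP_MOVED.match(line.strip())
        if not m:
            continue  # unrelated kernel message
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Move(when, m["ip"], m["ifname"], m["old"].lower(), m["new"].lower()))
    return events


def classify(events, window_s: int = 300, flap_threshold: int = 3, critical=frozenset()) -> dict:
    """Per IP address: 'critical' if a protected address moved at all, 'flapping' if it
    moved at least flap_threshold times inside any window_s-second span, else 'moved'
    (a single change, e.g. a replaced device)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        # densest burst: the largest number of moves inside one window_s-second span
        worst, start = 0, 0
        for end in range(len(evs)):
            while (evs[end].when - evs[start].when).total_seconds() > window_s:
                start += 1
            worst = max(worst, end - start + 1)
        if ip in critical:
            verdict = "critical"
        elif worst >= flap_threshold:
            verdict = "flapping"
        else:
            verdict = "moved"
        macs = sorted({e.old for e in evs} | {e.new for e in evs})
        verdicts[ip] = {"interfaces": sorted({e.ifname for e in evs}), "moves": len(evs),
                        "burst": worst, "macs": macs, "verdict": verdict}
    return verdicts


def triage(log_text: str, critical=frozenset()) -> dict:
    """Convenience wrapper: raw syslog text in, verdicts out."""
    return classify(parse_moves(log_text.splitlines()), critical=critical)


if __name__ == "__main__":
    # 192.168.1.1 is assumed to be the LAN gateway address in this constructed example.
    for ip, info in triage(SAMPLE_LOG, critical={"192.168.1.1"}).items():
        print(ip, info)
```

Feed it the firewall's exported system log (or a remote syslog archive) and put the firewall's own LAN addresses in the critical set; an address that flaps between two MACs, or a gateway address that moves at all, deserves a look at the switch port and the two MACs involved before the messages are suppressed.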
Watchdog

Certain firewall hardware includes a Watchdog feature which can reset the
hardware when the watchdog daemon can no longer interface with the hardware
after a specified timeout. This can increase reliability by resetting a unit
when a hard lock is encountered that might otherwise require manual
intervention. The downside to any hardware watchdog is that any sufficiently
busy system may be indistinguishable from one that has suffered a hard lock.

Enable Watchdog
    When checked, the watchdogd daemon is run, which attempts to latch onto a
    supported hardware watchdog device.
Watchdog Timeout
    The time, in seconds, after which the device will be reset if it fails to
    respond to a watchdog request. If a firewall regularly has a high load
    and triggers the watchdog accidentally, increase the timeout.

Cryptographic & Thermal Hardware

Cryptographic Hardware

There are a few options available for accelerating cryptographic operations
via hardware. Some are built into the kernel, and others are loadable
modules.

See also: Cryptographic Accelerator Support

The following choices are available, depending on hardware:

BSD Crypto Device
    Loads the BSD Crypto device module (cryptodev) so it can be used by other
    available acceleration devices. Most accelerator drivers hook into the
    crypto(9) framework in FreeBSD, so many aspects of the system will
    automatically use acceleration for supported ciphers when this module is
    loaded.
AES-NI CPU-based Acceleration
    Loads the AES-NI (Advanced Encryption Standard, New Instructions) kernel
    module. Notably, the aesni module will accelerate operations for AES-GCM,
    available in IPsec. Support for AES-NI is built into many recent Intel
    and some AMD CPUs. Check with the OEM for specific CPU or SoC support.
    Speeds with AES-NI vary by support in the underlying software. IPsec
    speed will be greatly increased with AES-NI loaded provided that AES-GCM
    is used and properly configured.
AES-NI and BSD Crypto Device
    Loads both the AES-NI and BSD Crypto Device modules together, which is
    the optimal configuration in most cases. Choose this unless a specific
    environment or configuration is found to work better without it.
SafeXcel and BSD Crypto Device
    Loads both the safexcel and the BSD Crypto Device modules. SafeXcel
    acceleration hardware (the EIP-97 engine in the Marvell Armada 3720 SoC)
    is found on some ARM systems sold by Netgate, such as the SG-1100 and
    SG-2100.

There are other supported cryptographic devices with drivers built into the
kernel. One example is the driver for the Marvell Cryptographic Engine and
Security Accelerator (CESA) chipset in the Armada 38x SoC, which is found on
some ARM systems sold by Netgate, such as the SG-3100.

In most cases, if a supported accelerator chip is detected by the firewall,
it will be shown in the System Information widget on the dashboard or in the
system log at boot time.
Note: Certain special cases also exist where software can detect and use
acceleration hardware directly, even without drivers loaded. One example is
OpenSSL, which directly supports AES-NI. Thus, even without the driver
loaded, software which utilizes encryption through OpenSSL can still take
advantage of AES-NI acceleration.

Thermal Sensors

The firewall can read temperature data from a few sources to display on the
dashboard. If the firewall has a supported CPU, selecting a thermal sensor
will load the appropriate driver to read its temperature.

Note: Temperature data can be displayed by the Thermal Sensors dashboard
widget or via sysctl.

The following sensor types are supported:

None/ACPI
    The firewall will attempt to read the temperature from an ACPI-compliant
    motherboard sensor if one is present, otherwise no sensor readings are
    available.
Intel Core
    Loads the coretemp module which supports reading thermal data from Intel
    Core-series CPUs and other modern Intel CPUs using their on-die sensors,
    including Atom-based processors.
AMD K8, K10, and K11
    Loads the amdtemp module which supports reading thermal data from modern
    AMD CPUs using their on-die sensors.

If the firewall does not have a supported thermal sensor chip, this option
will have no effect. To unload the selected module, set this option to
None/ACPI and then reboot.

Note: The coretemp and amdtemp modules report thermal data directly from the
CPU core. This may or may not be indicative of the temperature elsewhere in
the system. Case temperatures can vary greatly from temperatures on the CPU
die.

Kernel Page Table Isolation (PTI)

Kernel PTI is a method for working around CPU vulnerabilities such as
Meltdown. By exploiting that vulnerability without Kernel PTI, kernel memory
could be read by unprivileged users on affected CPUs.

Note: While more secure, this protection can incur a performance penalty. If
untrusted users cannot run arbitrary code on the firewall (which includes
code run through a compromised package or service), it can be disabled
without significant security risk.

Kernel PTI is active by default only on CPUs affected by the vulnerability.
This option forces the workaround off, and requires a reboot to change. If a
vulnerable CPU is not detected, PTI is disabled by default and this option
will have no effect. The current state of Kernel PTI is printed below the
option; it can also be read from a shell with sysctl vm.pmap.pti.
Microarchitectural Data Sampling (MDS) Mitigation

Microarchitectural Data Sampling (MDS) mitigation is a method for working
around weaknesses in Intel CPUs. Hyperthreading makes the weakness harder to
mitigate fully, because the buffer-clearing mitigations below do not prevent
leakage between two threads running at the same time on one core. By
exploiting MDS without mitigation in place, kernel memory could be read by
unprivileged users on affected CPUs.

Note: While more secure, this protection can incur a performance penalty. If
untrusted users cannot run arbitrary code on the firewall, it can be
disabled without significant security risk.

This option controls which method of MDS mitigation is used, if any.
Changing the option requires a reboot to activate. The following modes are
available:

Default
    The default operating system behavior. As of this writing, the default
    behavior is to disable MDS mitigation.
Mitigation Disabled
    Forcefully disable MDS mitigation.
VERW instruction (microcode) mitigation enabled
    Use VERW instruction mitigation, implemented in CPU microcode, to
    mitigate MDS. This is the fastest and most optimal way to mitigate MDS,
    but it requires support in the CPU microcode for this instruction.
Software sequence mitigation enabled
    Mitigates MDS by using software sequences, which is much slower, but does
    not depend on microcode support.
Automatic VERW or Software selection
    When set to Automatic, the operating system will attempt to use VERW
    instructions if they are available and software sequences in all other
    cases.

The current state of MDS mitigation is printed below the option; it can also
be read from a shell with sysctl hw.mds_disable_state.

Schedules

The Do not kill connections when schedule expires option controls whether or
not states are cleared when a scheduled rule transitions into a state that
would block traffic. If unchecked, connections are terminated when the
schedule time has expired. If checked, connections are left alone and will
not be automatically closed by the firewall, so a long-lived connection
opened during the permitted window can outlive the window entirely.
Gateway Monitoring

State Killing on Gateway Failure
    When using Multi-WAN, clearing states on failed WANs can help redirect
    traffic for long-lived connections such as VoIP phone/trunk registrations
    to another WAN. However, clearing states can also disrupt ongoing
    connections if a lesser-used gateway is unstable, or if there is a
    gateway which is down long term but is not disabled, since that gateway
    would still trigger state killing each time it fails or is found down
    during a filter reload. There are several choices for this behavior:

    Do not kill states on gateway failure (Default)
        The monitoring process will not flush states when a gateway is in a
        down state during a filter reload. This is the default behavior and
        is the least disruptive, though clients may have to wait for
        connections to time out after a WAN failure.
    Kill states for all gateways which are down
        Selectively kill states using gateways that fail or are down during a
        filter reload, so long as those states were created by policy routing
        rules. This function can only kill states which contain gateway
        information populated by policy routing rules (e.g. gateways or
        gateway groups on firewall rules, or even reply-to). It cannot kill
        states created by default gateway switching, as in that case the
        gateway in the state is 0.0.0.0/:: and not a specific gateway.
    Flush all states on gateway failure
        Clears all states for existing connections when any gateway fails or
        is in a down state during a filter reload.

        Warning: When this is triggered the firewall clears the entire state
        table if any gateway is down, which can be highly disruptive.

    More information on how this impacts Multi-WAN can be found in State
    Killing/Forced Switch.

Skip Rules When Gateway is Down
    By default, when a rule has a specific gateway set and this gateway is
    down, the gateway is omitted from the rule and traffic is sent via the
    default gateway. The Do not create rules when gateway is down option
    overrides that behavior and the entire rule is omitted from the ruleset
    when the gateway is down. Instead of flowing via the default gateway, the
    traffic will match a different rule instead. This is useful if traffic
    must only ever use one specific WAN and never flow over any other WAN.

    Tip: When utilizing this option, create a reject or block rule underneath
    the policy routing rule with the same matching criteria. This will
    prevent the traffic from potentially matching other rules below it in
    the ruleset and taking an unintended path.

RAM Disk Settings

The /tmp and /var directories are used for writing files and holding data
that is temporary and/or volatile. Using a RAM disk can reduce the amount of
writing that happens on disks in the firewall. Modern SSDs do not have the
write endurance concerns that older drives once did, but it can still be a
concern when running from lower quality flash storage such as USB thumb
drives.

This behavior has the benefit of keeping most of the writes off of the disk
in the base system, but packages may yet write frequently to the drive. It
also requires additional handling to ensure data such as RRD graphs and DHCP
leases are retained across reboots. Data for both is saved during a proper
shutdown or reboot, and also periodically if configured.

Use RAM Disks
    When checked, a memory disk is created at boot time for /tmp and /var
    and the associated structure is initialized. When this setting is
    toggled, a reboot is required and forced on save.

    Warning: The size of RAM disks is limited by the amount of available
    kernel memory. The actual limit is calculated and printed in the GUI
    underneath the size options.

/tmp RAM Disk Size
    The size of the /tmp RAM disk, in MiB. The default value is 40, but it
    should be set higher if there is available RAM and kernel memory.
/var RAM Disk Size
    The size of the /var RAM disk, in MiB. The default value is 60, but it
    should be set much higher, especially if packages will be used. 512-1024
    is a better starting point, depending on the available firewall RAM and
    kernel memory.
Periodic RAM Disk Data Backups

These options control how frequently data in RAM disks is backed up. If the
firewall is rebooted unexpectedly, the last backup is restored when the
firewall boots. The lower the value, the less data will be lost in such an
event, but more frequent backups write more to the disk.

RRD Data
    The time, in hours, between periodic backups of RRD files containing
    graph data.
DHCP Leases
    The time, in hours, between periodic backups of the DHCP lease
    databases.
Log Directory
    The time, in hours, between periodic backups of the system log
    directory.

Warning: Aside from the points mentioned above, there are several items to
be cautious about when choosing whether or not to use the RAM disk option.
Used improperly, this option can lead to data loss or other unexpected
failures.

Utilize remote syslog to send the logs to another device on the network
rather than risking losing data from unexpected outages. Logs that exist
only in a RAM disk are lost in exactly the kind of unexpected crash or power
loss that a later investigation would need them for.

Packages may not properly account for the use of RAM disks, and may not
function properly at boot time or in other ways. Test each package,
including whether or not it works immediately after a reboot.

These are RAM disks, so the amount of RAM available to other programs will
be reduced by the amount of space used by the RAM disks. For example, if the
firewall has 2GB of RAM and has 512MB for /var and 512MB for /tmp, then only
1GB of RAM will be available to the OS for general use.

Special care must be taken when choosing a RAM disk size, which is discussed
in the following section.

RAM Disk Sizes

Setting a size too small for /tmp and /var can backfire, especially when it
comes to packages. The suggested sizes on the page are an absolute minimum
and often much larger sizes are required. The most common failure is that a
package is installed, parts of the package touch places in both /tmp and
/var, and it ultimately fills up the RAM disk and causes other data to be
lost. Another common failure is setting /var as a RAM disk and then
forgetting to move a squid cache to a location outside of /var; if left
unchecked, it will fill up the RAM disk.

For /tmp, a minimum of 40 MiB is required. For /var a minimum of 60 MiB is
required. To determine the proper size, check the current usage of the /tmp
and /var directories before making a switch. Check the usage several times
over the course of a few days so it is not caught at a low point. Watching
the usage during a package installation adds another useful data point.

Hard Disk Standby

The Hard disk standby time option activates power management for disk
drives in the firewall. The drop-down field sets the number of minutes that
the disk can be idle before going into standby mode. Using standby mode is
not necessary for SSD or flash media. For traditional spinning platter hard
disks, it may result in power savings and can potentially lengthen the disk
lifetime by saving wear, at a cost of slower disk access when resuming from
an idle state. Actual results entirely depend on the hardware involved. The
default behavior is Always On which prevents the disk from entering standby
mode.
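The RAM Disk Sizes guidance above comes down to measuring /tmp and /var repeatedly and sizing with headroom. The Python script below is an added example, not pfSense code: it sums file sizes under each directory the way du does, keeps the peak over repeated samples, rounds up to MiB, and compares a planned RAM disk size against the 40/60 MiB minimums and a headroom multiple of the observed peak. The headroom factor of 2 and the make_fixture() helper that builds a scratch directory are assumptions for the example; on a firewall, point sample_peak() at the real /tmp and /var and sample over a few days, including during a package install.

```python
"""Sample /tmp and /var usage and check a planned RAM disk size against it.

Added example for the RAM Disk Sizes section; not pfSense code.
The headroom factor and make_fixture() are assumptions for this example.
"""
import math
import os
import shutil
import stat
import tempfile
import time

MIB = 1024 * 1024
MIN_SIZE_MIB = {"/tmp": 40, "/var": 60}  # minimums quoted in the GUI


def dir_usage_bytes(path: str) -> int:
    """Sum regular-file sizes under path (like du -s, without hard-link dedup).
    Unreadable entries are skipped rather than aborting the sample."""
    total = 0
    for root, _dirs, files in os.walk(path, onerror=lambda _e: None):
        for name in files:
            try:
                st = os.lstat(os.path.join(root, name))
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                total += st.st_size
    return total


def ceil_mib(nbytes: int) -> int:
    """Round up to whole MiB, the unit the GUI size fields use."""
    return -(-nbytes // MIB)


def sample_peak(paths, samples: int = 1, interval_s: float = 0) -> dict:
    """Measure each path `samples` times, `interval_s` apart, and keep the peak in MiB."""
    peak = {p: 0 for p in paths}
    for i in range(samples):
        for p in paths:
            peak[p] = max(peak[p], dir_usage_bytes(p))
        if i + 1 < samples:
            time.sleep(interval_s)
    return {p: ceil_mib(b) for p, b in peak.items()}


def recommend(peak_mib: int, configured_mib: int, floor_mib: int, headroom: float = 2.0) -> dict:
    """Suggest a size: at least the GUI minimum and at least headroom x the observed peak.
    too_small flags a configured value that leaves less room than that."""
    suggested = max(floor_mib, math.ceil(peak_mib * headroom))
    return {"peak_mib": peak_mib, "suggested_mib": suggested,
            "configured_mib": configured_mib, "too_small": configured_mib < suggested}


def make_fixture(size_mib: int) -> str:
    """Constructed test input: a scratch directory holding one file of size_mib MiB."""
    d = tempfile.mkdtemp(prefix="ramdisk-sample-")
    with open(os.path.join(d, "data.bin"), "wb") as f:
        f.write(b"\0" * (size_mib * MIB))
    os.mkdir(os.path.join(d, "empty"))  # directories themselves are not counted
    return d


if __name__ == "__main__":
    # On a firewall use the real paths, e.g. sample_peak(["/tmp", "/var"], samples=72, interval_s=3600).
    scratch = make_fixture(3)
    try:
        peak = sample_peak([scratch], samples=2, interval_s=0.1)[scratch]
        print("peak MiB:", peak, recommend(peak, configured_mib=60, floor_mib=MIN_SIZE_MIB["/var"]))
    finally:
        shutil.rmtree(scratch)
```

Run it from cron or a tmux session over the sampling period; the peak it reports, not the first reading, is the number to size against, and a too_small verdict for the planned /var size means a package install or log burst is likely to fill the RAM disk and lose other data in it.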
Installation Feedback

When this option is set, the firewall will not send its Netgate Device ID
when making requests to Netgate servers.

8.6.5 System Tunables Tab

The System Tunables tab under System > Advanced provides a means to set
run-time FreeBSD system tunables, also known as sysctl OIDs.

Tip: In most cases, the best practice is to leave these tunables at their
default values.

Firewall administrators familiar with FreeBSD, or users acting under the
direction of a developer or support representative, may want to adjust or
add values on this page so that they will be set as the system starts.

Note: The tunables on this page are different from Loader Tunables. Loader
Tunables are read-only values once the system has booted, and those values
must be set in /boot/loader.conf.local.

Creating and Editing Tunables

To edit an existing tunable, click the edit icon next to it. To create a new
tunable, click New at the top of the list. When editing or creating a
tunable, the following fields are available:

Tunable
    The sysctl OID to set.
Value
    The value to which the Tunable will be set.

    Note: Some values have formatting requirements. Due to the vast number of
    sysctl OIDs, the GUI does not validate that the given Value will work for
    the chosen Tunable.
Description
    An optional description for reference.

Click Save when the form is complete.

Tunable OIDs and Values

There are many OIDs available from sysctl; some of them can be set, some are
read-only outputs, and others must be set before the system boots as Loader
Tunables. The full list of OIDs and their possible values is outside the
scope of this documentation, but for those interested in digging a little
deeper, the sysctl manual page from FreeBSD contains detailed instructions
and information.
  • 375. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC 8.6.6 Notifications The firewall can notify administrators of important events and errors by displaying an alert in the menu bar, indicated by the icon. In addition to GUI notifications, the firewall also supports the following remote notification methods: • E-mail using SMTP • Telegram notification API • Pushover notification API General Settings Certificate Expiration When set, the firewall will issue notifications when certificates approach their ex- piration date, so that administrators can take corrective action to renew or replace them. Notifications are also sent for expired certificates. The expiration times are checked daily, and notifications are displayed in the GUI and sent remotely. Certificate Expiration Threshold The value, in days, at which certificates are considered to be ap- proaching their expiration date. The default value is currently 27 days. Certificates from Let’s Encrypt (ACME package) typically renew when they have around 30 days before they expire. The default value is long enough that it does not notify unnecessarily, but with enough time left that problems can be corrected. Tip: If certificates are imported into the firewall from third party sources which take longer to process, increase this value sufficiently to give administrators enough notice to obtain an updated replacement certificate before the expiration date. SMTP E-mail E-mail notifications are delivered by a direct SMTP connection to a mail server. The server must be configured to allow relaying from the firewall or accept authenticated SMTP connections. Disable SMTP When checked, the firewall will not send SMTP notifications. This is useful to silence notifications while keeping SMTP settings in place for use by other purposes such as packages that utilize e-mail. 
E-mail server The hostname or IP address of the e-mail server through which the firewall will send notifications. SMTP Port of E-mail server The port to use when communicating with the SMTP server. The most common ports are 25 and 587. In many cases, 25 will not work unless it is to a local or internal mail server. Providers frequently block outbound connections to port 25, so use 587 (the Submission port) when possible. Connection Timeout to E-Mail Server The length of time, in seconds, that the firewall will wait for an SMTP connection to complete. Secure SMTP Connection When set, the firewall will attempt an SSL/TLS connection when sending e-mail. The server must accept SSL/TLS connections or support STARTTLS. 8.6. Advanced Configuration Options 372
Validate SSL/TLS
    When set, the certificate presented by the mail server is checked for validity against the root certificates trusted by the firewall. Ensuring this validity is the best practice. In some rare cases a mail server may have a self-signed certificate or a certificate that otherwise fails validation. Unchecking this option will allow notifications to be sent to these servers using SSL/TLS. In this case, communication is still encrypted, but the identity of the server cannot be validated, so a host on the path could impersonate the server and read the notifications.

From e-mail address
    The e-mail address for the From: header in notification messages, which specifies the source. Some SMTP servers attempt to validate this address, so the best practice is to use a real address in this field. This is commonly set to the same address as Notification E-mail address.

Notification E-mail address
    The e-mail address for the To: header of the message, which is the destination where the notification e-mails will be delivered by the firewall.

Notification E-Mail Auth Username
    Optional. If the mail server requires a username and password for authentication, enter the username here.

Notification E-Mail Auth Password
    Optional. If the mail server requires a username and password for authentication, enter the password here and in the confirmation field.

Notification E-mail Auth Mechanism
    This field specifies the authentication mechanism required by the mail server. The majority of e-mail servers work with PLAIN authentication; others, such as MS Exchange, may require LOGIN style authentication.

    Note: In 2022 Google began phasing out access to SMTP Submission and similar services using the account username and password directly. To access these services, which Google has deemed "less secure", the user must enable 2-Step Verification for their Google account and then create an App Password which can authenticate with these services.

Click Save at the bottom of the page to store the settings before proceeding.

Click Test SMTP Settings to generate a test notification and send it via SMTP using the previously stored settings. Save settings before clicking this button.

Startup/Shutdown Sound

If the firewall hardware has a PC speaker, it will play a sound when startup finishes and again when a shutdown is initiated. Check Disable the startup/shutdown beep to prevent the firewall from playing these sounds.

Telegram

The notification system supports the Telegram API, which can send notifications to desktops and mobile devices, among others.

Note: Using the Telegram API requires a Telegram Bot and its associated API key.

Enable Telegram
    When set, the firewall will attempt to send remote notifications using the Telegram API and the settings in this section.

API Key
    Required. The Telegram Bot API key the firewall will use to authenticate with the Telegram API server.

Chat ID
    The destination for the notifications. This can be a chat ID number for private notifications, or a channel @username for public notifications.

Click Save at the bottom of the page to store the settings before proceeding.

Click Test Telegram Settings to generate a test notification and send it using the Telegram API with the previously stored settings. Save settings before clicking this button.

Pushover

The notification system supports the Pushover API, which can send notifications to desktops and mobile devices, among others.

Note: Using the Pushover API requires a Pushover account user key and API key (Pushover Registration).

Enable Pushover
    When set, the firewall will attempt to send remote notifications using the Pushover API and the settings in this section.

API Key
    Required. The Pushover API Key (Pushover Registration) the firewall will use to authenticate with the Pushover API server.

User Key
    Required. The User Key (Pushover Registration) of the Pushover account to which the API Key belongs.

Notification Sound
    The notification sound that the end user device (phone, etc.) will play when notification messages are sent by the firewall.

    See also: For a list of sounds and audio, see the Pushover API Notification Sounds Documentation.

Message Priority
    The message priority for firewall notifications.

    Note: For more information about the priorities and their meanings, see the Pushover API Priority Documentation.

    The following priorities are available:

    Normal
        Default setting. May trigger sound, vibration, and notification display depending on the user settings and client platform.
    Lowest
        No sound or vibration, but increases the notification count on some platforms.
    Low
        No sound or vibration. May trigger a notification display depending on the user settings and client platform.
    High
        Always plays sound and vibrates. Bypasses pre-set quiet hours. Notification display is highlighted in red.
    Emergency
        Similar to High priority, but the notification is repeated until acknowledged by the user.

Emergency Priority Notification Retry Interval
    The amount of time, in seconds, between repeats of an Emergency priority notification by the Pushover servers until the notification is acknowledged. The interval must be at least 30 seconds. Default is 60 seconds (1 minute).

Emergency Priority Notification Expiration
    The duration, in seconds, for which Emergency priority notifications will be retried until the notification is acknowledged. Notifications are resent at intervals determined by the value of Emergency Priority Notification Retry Interval. The value must be at most 10800 seconds (3 hours). Default is 300 seconds (5 minutes).

Click Save at the bottom of the page to store the settings before proceeding.

Click Test Pushover Settings to generate a test notification and send it using the Pushover API with the previously stored settings. Save settings before clicking this button.

8.7 Console Menu Basics

Basic configuration and maintenance tasks can be performed from the pfSense® system console. The console is available using a keyboard and monitor, serial console, or by using SSH. Access methods vary depending on hardware.
Below is an example of what the console menu will look like, but it may vary slightly depending on the version and platform:

    WAN (wan)       -> vmx0       -> v4/DHCP4: 198.51.100.6/24
                                     v6/DHCP6: 2001:db8::20c:29ff:fe78:6e4e/64
    LAN (lan)       -> vmx1       -> v4: 10.6.0.1/24
                                     v6/t6: 2001:db8:1:eea0:20c:29ff:fe78:6e58/64

     0) Logout (SSH only)                  9) pfTop
     1) Assign Interfaces                 10) Filter Logs
     2) Set interface(s) IP address       11) Restart webConfigurator
     3) Reset webConfigurator password    12) PHP shell + pfSense tools
     4) Reset to factory defaults         13) Update from console
     5) Reboot system                     14) Disable Secure Shell (sshd)
     6) Halt system                       15) Restore recent configuration
     7) Ping host                         16) Restart PHP-FPM
     8) Shell

8.7.1 1) Assign Interfaces

This option restarts the Interface Assignment task, which is covered in detail in Assign Interfaces and Manually Assigning Interfaces. This menu option can create VLAN interfaces, reassign existing interfaces, or assign new ones.

8.7.2 2) Set interface(s) IP address

The script to set an interface IP address can set WAN, LAN, or OPT interface IP addresses, but there are also other useful features of this script:

• The firewall prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range if it is enabled.
• If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP. This helps in cases when the SSL configuration is not functioning properly. Switch the GUI back to HTTPS once the certificate problem is fixed, since HTTP exposes the login credentials to anyone on the LAN path.
• If the anti-lockout rule on LAN has been disabled, the script enables the anti-lockout rule in case the user has been locked out of the GUI.

8.7.3 3) Reset webConfigurator password

This menu option invokes a script to reset the admin account password and status. The password is reset to the default value of pfsense. The script also takes a few other actions to help regain entry to the firewall:

• If the GUI authentication source is set to a remote server such as RADIUS or LDAP, it prompts to return the authentication source to the Local Database.
• If the admin account has been removed, the script re-creates the account.
• If the admin account is disabled, the script re-enables the account.

Because this option does not ask for the current password, anyone who can reach the console menu can use it. Protect physical, serial, and SSH access to the console accordingly, and set a new admin password immediately after using this option.

8.7.4 4) Reset to factory defaults

This menu choice restores the system configuration to factory defaults. It will also attempt to remove any installed packages. This action is also available in the WebGUI at Diagnostics > Factory Defaults. See Resetting to Factory Defaults for more details about how this process works.

8.7.5 5) Reboot system

This menu choice cleanly shuts down the firewall and restarts the operating system. There are several options which control what the firewall will do when rebooting. The choices offered by the reboot option are explained in Reboot Methods.

See also: This action is also available in the WebGUI at Diagnostics > Reboot; see Rebooting the Firewall for details.

8.7.6 6) Halt system

This menu choice cleanly shuts down the firewall and either halts or powers off, depending on hardware support.

Warning: The best practice is to never cut power from a running system. Halting before removing power is always the safest choice.

See also: This action is also available in the WebGUI at Diagnostics > Halt System. See Halting and Powering Off the Firewall for additional details.

8.7.7 7) Ping host

This menu option runs a script which attempts to contact a host to confirm whether it is reachable by the firewall through a connected network. The script prompts the user for an IP address, and then sends that target host three ICMP echo requests. The script displays output from the test, including the number of packets received, sequence numbers, response times, and packet loss percentage. The script uses ping when given an IPv4 address or a hostname, and ping6 when given an IPv6 address. This is only a basic ping test. For more options, see Ping Host to run a similar test from the GUI.
8.7.8 8) Shell

This menu choice starts a command line shell.

Warning: A shell is very useful and very powerful, but also has the potential to be very dangerous.

Note: The majority of users do not need to touch the shell, or even know it exists. Complex configuration tasks may require working in the shell, and some troubleshooting tasks are easier to accomplish from the shell, but there is always a chance of causing irreparable harm to the system.

Veteran FreeBSD users may feel slightly at home there, but there are many commands which are not present on pfSense software installations since unnecessary parts of the OS are removed for security and size constraints.

A shell started in this manner uses tcsh, and the only other shell available is sh. While it is possible to install other shells for the convenience of users, Netgate neither recommends nor supports using other shells.

8.7.9 9) pfTop

This menu option invokes pftop, which displays a real-time view of the firewall states and the amount of data they have sent and received. It can help pinpoint sessions currently using large amounts of bandwidth, and may also help diagnose other network connection issues.

See also: See pfTop for more information on how to use pfTop.

8.7.10 10) Filter Logs

The Filter Logs menu option displays firewall log entries in real time, in their raw form. The raw logs contain much more information per line than the log view in the WebGUI (Status > System Logs, Firewall tab), but not all of this information is easy to read.

Tip: For a simplified console view of the firewall logs in real time with low detail, use the following shell command:

    tail -F /var/log/filter.log | filterparser.php

8.7.11 11) Restart webConfigurator

Restarting the webConfigurator will restart the system process that runs the GUI (nginx). In extremely rare cases the process may have stopped, and restarting it will restore access to the GUI. If the GUI is not responding and this option does not restore access, invoke menu option 16 to Restart PHP-FPM after using this menu option.
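The raw lines that menu option 10 (Filter Logs) prints, and that /var/log/filter.log holds, can also be parsed off the firewall, for example on a log collector. The following is an added example, not part of pfSense or of filterparser.php: it splits a raw line into named fields following the pfSense raw filter log field order (common fields, then the IPv4 or IPv6 header fields, then length/source/destination, then TCP or UDP fields), prints a one-line summary, and runs a small detection over a set of constructed sample lines. The host name, interface names and addresses in the samples are made up; other protocols (ICMP, CARP, and so on) have their own trailing layouts and are kept as a raw remainder here.

```python
"""Added example, not part of pfSense or filterparser.php: parse raw
filterlog lines into records and run a detection over them. Field order
follows the pfSense raw filter log format; the sample lines are constructed."""
import re
from collections import Counter

# syslog prefix in classic ("filterlog[pid]:") or RFC 5424 ("filterlog pid - -")
# style; the comma-separated body always starts with the rule number.
SYSLOG_RE = re.compile(r"filterlog(?:\[\d+\]:|\s+\d+\s+-\s+-)\s+(?P<fields>\d+,.*)$")

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["class", "flow", "hoplimit", "proto", "proto_id"]
L3 = ["length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]


def _take(names, fields, pos):
    """Map the next len(names) fields onto names; refuse truncated lines."""
    if len(fields) < pos + len(names):
        raise ValueError("truncated filterlog line")
    return dict(zip(names, fields[pos:pos + len(names)])), pos + len(names)


def parse_filterlog(line):
    """Return a dict of named fields for one raw filter log line."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("not a filterlog line")
    fields = m.group("fields").split(",")
    rec, pos = _take(COMMON, fields, 0)
    hdr, pos = _take(IPV4 if rec["ipver"] == "4" else IPV6, fields, pos)
    rec.update(hdr)
    l3, pos = _take(L3, fields, pos)
    rec.update(l3)
    proto = rec["proto"].lower()
    if proto == "tcp":
        l4, pos = _take(TCP, fields, pos)
    elif proto == "udp":
        l4, pos = _take(UDP, fields, pos)
    else:
        l4 = {"rest": fields[pos:]}   # ICMP, CARP, etc. use other layouts
    rec.update(l4)
    for key in ("sport", "dport"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def summarize(rec):
    """One readable line per record, in the spirit of filterparser.php."""
    def endpoint(addr, portkey):
        return "%s:%s" % (addr, rec[portkey]) if portkey in rec else addr
    return "%s %s %s %s %s -> %s (rule %s, tracker %s)" % (
        rec["action"], rec["direction"], rec["iface"], rec["proto"],
        endpoint(rec["src"], "sport"), endpoint(rec["dst"], "dport"),
        rec["rule"], rec["tracker"])


def top_blocked_sources(lines, n=5):
    """Detection: which sources hit inbound block rules most often."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_filterlog(line)
        except ValueError:
            continue                     # non-filterlog or damaged line
        if rec["action"] == "block" and rec["direction"] == "in":
            counts[rec["src"]] += 1
    return counts.most_common(n)


SAMPLE_LINES = [  # constructed, not captured from a real firewall
    "Feb  7 10:15:32 fw filterlog[52391]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,34871,0,DF,6,tcp,60,203.0.113.25,198.51.100.6,51234,22,0,S,1846322331,,65535,,mss;sackOK;TS;nop;wscale",
    "Feb  7 10:15:33 fw filterlog[52391]: 71,,,1573024567,vmx1,match,pass,in,4,0x0,,128,12,0,none,17,udp,67,10.6.0.15,10.6.0.1,56012,53,47",
    "Feb  7 10:15:34 fw filterlog[52391]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,34872,0,DF,6,tcp,60,203.0.113.25,198.51.100.6,51235,23,0,S,1846322400,,65535,,mss;sackOK;TS;nop;wscale",
    "Feb  7 10:15:35 fw filterlog[52391]: 5,,,1000000103,vmx0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8:ffff::1,2001:db8::20c:29ff:fe78:6e4e,44123,443,0,S,98765,,64800,,mss",
    "Feb  7 10:15:36 fw sshd[123]: not a filterlog line at all",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        try:
            print(summarize(parse_filterlog(sample)))
        except ValueError as err:
            print("skipped:", err)
    print(top_blocked_sources(SAMPLE_LINES))
```

The tracker value is the stable handle for "which rule did this": rule numbers shift whenever the ruleset is regenerated, while the tracker ID stays with the rule in the configuration, so detections and alerts should key on tracker, not on rule.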
8.7.12 12) PHP shell + pfSense tools

The PHP shell is a powerful utility that executes PHP code in the context of the running system. As with the normal shell, it is also potentially dangerous to use. It is primarily used by developers and experienced users who are intimately familiar with both PHP and the pfSense software code base.

See also: See Using the PHP Shell for additional details and a list of available playback scripts.

8.7.13 13) Upgrade from console

This menu option runs the pfSense-upgrade script to upgrade the firewall to the latest available version. This is operationally identical to running an upgrade from the GUI and requires a working network connection to reach the update server. This method of upgrading is covered in more detail in Upgrading using the Console.

8.7.14 14) Enable/Disable Secure Shell (sshd)

This option toggles the status of the Secure Shell Daemon, sshd. It works the same as the option in the WebGUI to enable or disable SSH.

8.7.15 15) Restore recent configuration

This menu option starts a script that lists and restores backups from the configuration history. This is similar to accessing the configuration history from the GUI at Diagnostics > Backup/Restore on the Config History tab (Restoring from the Config History). The script can display the last few configuration files, along with a timestamp and description of the change made in the configuration, the user and IP address that made the change, and the config revision. This is especially useful if a recent configuration error accidentally prevented access to the GUI.

8.7.16 16) Restart PHP-FPM

This menu option stops and restarts the daemon which handles PHP processes for nginx. If the GUI web server process is running but unable to execute PHP scripts, invoke this option. Run this option in conjunction with Restart webConfigurator for the best result.

8.8 Resetting to Factory Defaults

The firewall configuration can be reset back to defaults, a process which also attempts to remove any installed packages. This reset can be performed in the GUI from Diagnostics > Factory Defaults, by using the console menu, or in some cases by using a hardware button. In each case, the firewall will automatically reboot with a default configuration after the reset, which may require console access to resolve. The default configuration includes the default LAN address and the default admin credentials described in Connecting to the GUI, so change the password before reconnecting the firewall to an untrusted network.

Note: This process does not remove any changes made to the file system; it only resets the configuration. If system files have been corrupted or altered in an undesirable way, the best practice is to make a backup and reinstall from installation media.

8.8.1 Factory Default from the GUI

To reset the configuration to factory defaults using the GUI:

• Navigate to Diagnostics > Factory Defaults
• Review the items on the page which will be affected by the reset
• Click Factory Reset
• Click OK to confirm the action and start the reset process

8.8.2 Factory Default from the Console

To reset the configuration to factory defaults using the console:

• Access the console menu locally or via SSH with an admin-level account (admin, root, or another privileged account using sudo).
• Enter the menu option which corresponds with Reset to factory defaults (e.g. 4)
• Press Enter
• Enter y to confirm the action
• Press Enter to start the reset process

8.8.3 Factory Default using a Hardware Button

On some appliances from Netgate, the reset button may be depressed with a paperclip or other similar object during the boot sequence.

Warning: Reset button behavior varies by hardware. Check the appropriate product manual to confirm support and button behavior before attempting this procedure.

For most hardware which supports this feature, the procedure is similar:

• Apply power to the unit
• Depress the reset button after the initial POST sequence completes
• Hold the reset button in until the system LEDs turn off or the system reboots

The unit will reset the configuration to factory defaults and reboot again with that default configuration.
8.9 XML Configuration File

pfSense® software stores its settings in an XML format configuration file. All configuration settings, including settings for packages, are held in this one file. Run-time configuration files for services and firewall behavior are generated dynamically based on the settings held within this XML configuration file. Those familiar with FreeBSD and related operating systems have found this out the hard way, when their changes to system configuration files were repeatedly overwritten by the firewall before they came to understand that pfSense software handles everything automatically.

The configuration file is stored at /conf/config.xml on the firewall.

8.9.1 Manually editing the configuration

A handful of configuration options are only available by manually editing the configuration file, though this isn't required in the vast majority of deployments. Some of these options are covered in other parts of this documentation where they are relevant. Additionally, for advanced administrators, in rare cases large-scale or tricky changes may be easier to make by directly editing the configuration file.

Warning: Even for seasoned administrators it is easy to incorrectly edit the configuration file. Always keep backups and be aware that breaking the configuration will result in unintended consequences.

Edit a Backup

The safest and easiest method of editing the configuration file is to make a backup, edit the backup, and then restore:

• Navigate to Diagnostics > Backup/Restore in the GUI
• Download and save the backup file
• Open the file in a text editor that properly understands UNIX line endings, and preferably an editor that has special handling for XML such as syntax highlighting. Do not use notepad.exe on Windows.
• Make changes to the configuration and save
• Navigate to Diagnostics > Backup/Restore in the GUI
• Restore the edited configuration

The firewall will automatically reboot as a part of the restoration process, and the new settings will be active afterward.

Edit In Place

Editing the configuration in place is also possible in a variety of ways. The general procedure is:

• Edit /conf/config.xml
• Run rm /tmp/config.cache to clear the configuration cache
• Reboot, or use the GUI to save/reload whichever part of the firewall utilizes the edited settings

From the console or SSH, administrators familiar with the vi editor can use the viconfig command to edit the running configuration; this command automatically clears the cache file after saving and exiting. Other editors are available on the firewall, such as ee, or in the GUI under Diagnostics > Edit File (Editing Files on the Firewall). Clear the cache file manually after using one of these other methods, either using the shell or Diagnostics > Command Prompt (Command Prompt).
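Whichever of the two procedures above is used, the edited file must still parse, the write should not leave a half-written config.xml behind, and the cache must go. The following is an added example and not part of pfSense: it changes one existing element of a backup, refuses to write anything that does not parse, installs the result with an atomic rename, and removes the cache file. SAMPLE_CONFIG is a constructed subset of a real config.xml (only a few of the system elements), and demo() performs the whole procedure in a scratch directory rather than against /conf/config.xml and /tmp/config.cache; pass those real paths to install_config() on the firewall itself.

```python
"""Added example, not part of pfSense: apply an edit to a configuration
backup, refusing any result the firewall could not parse, writing it
atomically and clearing the configuration cache. SAMPLE_CONFIG is a
constructed subset of a real config.xml."""
import os
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw</hostname>
    <domain>example.com</domain>
    <webgui>
      <protocol>https</protocol>
    </webgui>
  </system>
</pfsense>
"""


def set_value(xml_text, path, value):
    """Change the text of one existing element (path relative to <pfsense>)
    and return the new document. A missing element raises rather than being
    created, so a typo cannot silently add an unknown setting."""
    root = ET.fromstring(xml_text)
    node = root.find(path)
    if node is None:
        raise KeyError("no element at %s" % path)
    node.text = value
    out = ET.tostring(root, encoding="unicode")
    ET.fromstring(out)                      # round-trip check: must still parse
    return '<?xml version="1.0"?>\n' + out + "\n"


def install_config(xml_text, config_path="/conf/config.xml",
                   cache_path="/tmp/config.cache"):
    """Write config.xml atomically and drop the cache so the firewall
    re-reads the XML instead of the stale cached copy."""
    ET.fromstring(xml_text)                 # never install something unparseable
    directory = os.path.dirname(config_path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.xml.")
    with os.fdopen(fd, "w") as fh:
        fh.write(xml_text)
    os.replace(tmp, config_path)            # rename is atomic on one filesystem
    try:
        os.remove(cache_path)
    except FileNotFoundError:
        pass                                # nothing cached yet, fine
    return config_path


def demo(workdir=None):
    """Run the whole procedure in a scratch directory instead of /conf."""
    workdir = workdir or tempfile.mkdtemp(prefix="pfsense-edit-")
    cfg = os.path.join(workdir, "config.xml")
    cache = os.path.join(workdir, "config.cache")
    with open(cfg, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    with open(cache, "w") as fh:
        fh.write("stale")                   # stands in for /tmp/config.cache
    with open(cfg) as fh:
        edited = set_value(fh.read(), "system/hostname", "fw2")
    install_config(edited, cfg, cache)
    new_name = ET.parse(cfg).getroot().findtext("system/hostname")
    return new_name, os.path.exists(cache)


if __name__ == "__main__":
    print(demo())
```

ElementTree normalizes the document when it writes it back (entity escaping, whitespace, self-closing tags), so diff the edited file against the original before restoring it and confirm that only the intended element changed.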
8.10 pfSense® Plus Software Registration

The pfSense Plus Software Registration page is located at System > Register. This page activates features in pfSense Plus software installations on hardware and virtual machines not purchased from Netgate. The page also activates older Netgate® hardware purchased with Factory Edition (FE) pfSense software before the Netgate Device ID (NDI) was introduced.

The registration process requires an activation token supplied by Netgate. This token is generated when purchasing pfSense Plus software or via Netgate TAC for older Netgate hardware. For more information about pfSense Plus software, or to purchase pfSense Plus software, visit the Netgate Store.

Note: Registration is free for hardware purchased from Netgate with pfSense Plus software or the older Factory Edition of pfSense software. Most hardware is pre-registered and does not require activation. To activate hardware which is not automatically recognized, submit a request to Netgate TAC along with the serial number and NDI for the device at https://go.netgate.com. The serial number and NDI are displayed on the dashboard in the System Information widget, and may also be on a sticker located on the bottom of the device.

The current registration status is shown on the dashboard in the Netgate Services and Support widget, and is also indicated on System > Register. The text on the registration page varies depending on the current registration status and availability. The page also displays errors encountered during the activation process, such as not being able to contact the registration server.

8.10.1 Registration Process

To register an installation of pfSense Plus software with Netgate:

• Obtain a pfSense Plus software activation token from Netgate
• Navigate to System > Register on the firewall
• Enter the Activation Token
• Click Register

See also:

• Basic Firewall Configuration Example
• Troubleshooting Clock Issues
• Troubleshooting
• Troubleshooting Access when Locked Out of the Firewall
• Troubleshooting Time Zone Configuration

Most pfSense® software configuration is performed using the web-based GUI. There are a few tasks that may also be performed from the console, whether it be a monitor and keyboard, over a serial port, or via SSH.

8.11 Connecting to the GUI

To reach the GUI, follow this basic procedure:

• Connect a client computer to the same network as the LAN interface of the firewall. This computer may be directly connected with a network cable or connected to the same switch as the LAN interface of the firewall. By default, the LAN IP address of a new installation of pfSense software is 192.168.1.1 with a /24 mask (255.255.255.0), and there is also a DHCP server running. If a client computer is set to use DHCP, it should obtain an address in the LAN subnet automatically.
• On the client computer, open a web browser such as Firefox, Safari, or Chrome and navigate to https://192.168.1.1. The GUI listens on HTTPS by default, but if the browser attempts to connect using HTTP, the firewall will redirect it to the HTTPS port instead.
• Enter the default credentials in the login page:

    username: admin
    password: pfsense

Change the default admin password as soon as the first login succeeds; the default is public knowledge and is what the console reset option restores.

In some cases additional steps may be necessary before the client computer can reach the GUI.

Warning: If the default LAN subnet conflicts with the WAN subnet, the LAN subnet must be changed before connecting it to the rest of the network. Attempting to access the GUI in this situation is unpredictable and unlikely to work until the conflict is resolved.

The LAN IP address may be changed and DHCP may be disabled using the console:

• Open the console (VGA, serial, or using SSH from another interface)
• Choose option 2 from the console menu
• Enter the new LAN IP address and subnet mask, and specify whether or not to enable DHCP.
• Enter the starting and ending address of the DHCP pool if DHCP is enabled. This can be any range inside the given subnet.

Note: When assigning a new LAN IP address, it cannot be in the same subnet as the WAN or any other active interface. If there are other devices already present on the LAN subnet, it also cannot be set to the same IP address as an existing host.

If the DHCP server on the firewall is disabled, client computers on LAN must have a statically configured IP address in the LAN subnet, such as 192.168.1.5, with a subnet mask that matches the one given to the firewall, such as 255.255.255.0.
CHAPTER NINE

BACKUP AND RECOVERY

9.1 Making Backups in the GUI

Making a backup in the GUI is simple:

• Navigate to Diagnostics > Backup & Restore
• Set any desired options, or leave the options at their default values.
• Click Download Configuration as XML (Figure GUI Backup).

Fig. 1: GUI Backup

The web browser will then prompt to save the file somewhere on the PC being used to view the GUI. It will be named config-<hostname>-<timestamp>.xml, but that may be changed before saving the file.

9.1.1 Backup Options

When performing a backup, GUI options are available to control what is contained within the backup file.

Backup Area
    Limits the backup contents to a single configuration area, rather than a complete configuration backup. The default behavior is to include all areas in the backup.

    Note: When restoring a configuration containing only a single area, the Restore area value must be set to match.

Skip Packages
    Controls whether or not the backup will contain installation data and settings for packages. Omitting this data from a backup can be a useful way to quickly remove all traces of packages from a configuration when troubleshooting.

    Warning: After restoring a configuration without package data, all packages must be reinstalled and reconfigured.

    The default is unchecked so that all package data is included in the backup.

Skip RRD Data
    Controls whether or not the backup will contain an exported copy of data used to generate monitoring graphs. When restoring a backup containing RRD data, the graph data is also restored. The default is checked, which omits the RRD data from the backup as it significantly increases the size of backup files.

Include Extra Data
    Controls whether or not the backup file will include additional optional data. This includes Captive Portal databases and DHCP lease databases. These databases are volatile. While the data can be useful for transferring to new hosts or for frequent backups, it is not as useful for long-term backups. The default is unchecked, which omits this extra data from the backup as it can significantly increase the size of backup files.

Backup SSH Keys
    Controls whether or not the backup file will include a copy of the SSH host keys. Clients use these keys to uniquely identify the firewall, so preserving the keys when restoring makes it easier for clients to recognize the firewall after reinstalling or restoring to new hardware. Additionally, AutoConfigBackup uses the SSH host keys to identify the firewall when creating and restoring backups, so preserving the keys allows the firewall to maintain a consistent backup history after a reinstallation. A backup that contains the host keys can be used to impersonate the firewall to SSH clients, so it should be encrypted.

Encryption
    Controls whether or not the backup file is encrypted before download. When set, the GUI presents Password and confirmation fields, the contents of which are used by pfSense® software to encrypt the backup file with AES-256. The default behavior is unchecked, which creates clear text XML backup files. A clear text backup contains every secret in the configuration, including VPN keys and the notification API keys described in Advanced Configuration Options, so store it as carefully as the firewall itself.
  • 389. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC 9.2 Using the AutoConfigBackup Service Automatic Configuration Backup (AutoConfigBackup, or ACB for short) is available as a core component of pfSense® software. The service is free for all users of pfSense software, both Plus and CE. This feature is located at Services > Auto Config Backup. 9.2.1 Functionality and Benefits When a change is made to the configuration on a firewall, AutoConfigBackup automatically encrypts the contents with the passphrase entered in the AutoConfigBackup settings and then uploads the backup over HTTPS to Netgate servers. This gives instant, secure offsite backups of a firewall with no user intervention. Note: Only the most recent 100 encrypted configurations for each device are retained on Netgate servers. 9.2.2 Encryption Password Before the configuration is transmitted to Netgate servers, the firewall encrypts the backup using the AES-256-CBC algorithm and a password created by the firewall administrator on the Settings tab (Configuration). This password is only used locally by AutoConfigBackup and is not transmitted to remote servers. When restoring a backup from the list of available remote backups, the contents are downloaded and then decrypted with the configured encryption password. Warning: Keep a careful record of the encryption password! The backup contents cannot be recovered if the password is lost. The password is private and only known to the local firewall. Neither Netgate nor anyone else will be able to assist in reading the encrypted backups without the password. 9.2. Using the AutoConfigBackup Service 386
  • 390. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC 9.2.3 Device Key The AutoConfigBackup servers require a unique identifier to identify a specific firewall. This identifier is required to save or restore a backup configuration. ACB uses the SHA256 hash of the SSH public key on the firewall for this purpose. The device key is located on the Services > Auto Config Backup menu item, under the Restore and Backup now tabs. Warning: Keep a careful record of this Device Key! If the Device Key of a firewall is lost there is a chance it can be recovered. The Settings page allows the entry of a Hint which is stored in the data store alongside the encrypted backup entries. If the hint is distinct, the Netgate support team may be able to use it to recover the device key. Do not count on this though! 9.2.4 Configuration To adjust the settings navigate to Services > Auto Config Backup, Settings tab. Configuring AutoConfigBackup Enable ACB When checked, ACB is active and will make automatic configuration backups. Backup Frequency Select when ACB will create backups On Every Configuration Change When selected, ACB will perform a backup on every significant configuration change. Note: Some minor configuration changes are safely ignored if they do not impact functionality. On a Regular Schedule Enables Schedule controls to perform timed backups instead of performing a backup on every change. This can be more efficient on systems with many frequent changes. Schedule Controls the Minute of the hour, Hours of the day, Day of the month, Month of the year, and Day of the week on which backups are performed using the standard cron format. The value of Minute is randomized until the page is saved. Note: This control is only visible when Backup Frequency is set to On a Regular Schedule. Encryption Password/Confirm The password used by ACB to encrypt the backup, as described in En- cryption Password. 
Hint/Identifier An optional hint which will be stored as plain text metadata along with the encrypted configuration. This hint may allow Netgate TAC to locate the device key if it is lost. Manual Backups to Keep Up to 50 manual backups may be retained, which are not automatically over- written by automatic backups. These manual backups still count against the 100 backup limit. 9.2. Using the AutoConfigBackup Service 387
  • 391. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC Testing Backup Functionality • Make a change to force a configuration backup, such as editing and saving a firewall or NAT rule. • Click Apply Changes • Navigate to Services > Auto Config Backup, Restore tab • Look for the new backup in the list Manually Backing Up Manual backups should be made before an upgrade or a series of significant changes. ACB will store a manual backup specifically showing the reason, which then makes it easy to restore if necessary. Since each configuration change triggers a new backup, when a series of changes is made it can be difficult to know where the process started. To force a manual backup of the configuration: • Navigate to Services > Auto Config Backup • Click the Backup Now tab at the top • Enter a Revision Reason • Click Backup Tip: Take a manual backup prior to upgrading to a new pfSense software release, and name the backup so the reason the backup was made is clear. Restoring a Configuration To restore a configuration: • Navigate to Services > Auto Config Backup • Click the Restore tab at the top • Locate the desired backup in the list • Click to the right of the configuration row The firewall will download the configuration specified from the AutoConfigBackup server, decrypt it with the En- cryption Password, and restore it. Warning: By default the firewall will not initiate a reboot. Depending on the configuration items restored, a reboot may not be necessary. For example, firewall and NAT rules are automatically reloaded after restoring a configuration, but interface configurations are not. After restoring, a the GUI presents a prompt offering to reboot. If the restored configuration changes anything other than the NAT and firewall rules, choose Yes. 9.2. Using the AutoConfigBackup Service 388
9.2.5 Bare Metal Restoration

If the disk in the firewall fails, or if the SSH key changes due to a re-installation of pfSense software (the Device Key is derived from the firewall's SSH host key, so a reinstall produces a new Device Key), the ACB service can restore a backup from the previous installation as long as the Device Key and the Encryption Password of the previous installation are both known.

• Replace the failed disk
• Install pfSense software on the new disk
• Configure LAN and WAN
• Navigate to Services > Auto Config Backup, Settings tab
• Set the Encryption Password to match the previous installation
• Navigate to the Restore tab
• Paste the old device key into the Device Key field
• Click the Submit button

This temporarily allows ACB to display a list of backups for an alternate Device Key. Restore the desired backup from that list as described in Restoring a Configuration, then click Reset to restore the native ID for this firewall.

Once the firewall has been rebooted, it will be running with the configuration backed up before the failure.

9.2.6 Checking the AutoConfigBackup Status

The status of an AutoConfigBackup run can be checked by reviewing the list of backups shown on the Restore tab. This list is pulled from the AutoConfigBackup servers. If the backup is listed there, it was successfully created.

If a backup fails, an alert is logged, and it will be visible as a notice in the GUI.

9.3 ZFS Boot Environments (Plus Only)

ZFS Boot Environments make upgrades and major changes safer by taking snapshots of key filesystem areas, allowing the firewall to be rolled back to an earlier known good state if the user encounters problems with an upgrade, configuration change, or other potentially problematic situation.

The upgrade process automatically creates a new ZFS Boot Environment by default, and administrators can create them manually as well. Administrators can then select a previous ZFS Boot Environment using the GUI or even the boot loader menu, which makes quickly recovering from unforeseen issues a breeze.
Warning: ZFS Boot Environments are available only in pfSense® Plus software version 22.05 and later. They are not available on pfSense® CE software.
9.3.1 How Boot Environments Work

A ZFS Boot Environment is a snapshot of the filesystem at a specific point in time, plus a clone of that snapshot. Snapshots are read-only views of the filesystem at a given point, whereas clones are read/write. Each snapshot and clone consumes some disk space, but the exact amount varies based on how much the current contents of the filesystem have diverged from the contents when the entries were created.

Note: For most users tracking periodic updates or creating occasional ZFS boot environments the disk usage will be moderate over time. Users tracking development snapshots with frequent updates may see much larger amounts of space consumed by ZFS Boot Environments from snapshots. See Boot Environment Disk Space Usage for details.

When an administrator triggers the upgrade process, the firewall creates a new ZFS Boot Environment before the upgrade begins. This preserves the current state of the firewall as it was before the upgrade. The upgrade process then activates the new ZFS Boot Environment so that when the upgrade proceeds and reboots, it reboots into the new environment to complete the upgrade. If there is a problem, the administrator can activate the pre-upgrade ZFS Boot Environment and reboot the firewall, and it will return to its state before the upgrade happened.

9.3.2 Boot Environment Requirements

• pfSense® Plus software version 22.05 or later
• The firewall must be using ZFS
  Note: If the firewall is using UFS, it must be reinstalled with ZFS.
• ZFS requires 64-bit hardware (amd64, arm64)
• Certain ZFS dataset layout changes may require a fresh install, though many existing ZFS installations will work

9.3.3 Managing Boot Environments in the GUI

The GUI page to manage ZFS Boot Environments is System > Boot Environments.
Note: If the Boot Environment menu entry is missing, the firewall does not support ZFS Boot Environments.

The Boot Environments page lists all existing ZFS Boot Environments with the following fields, as shown in ZFS Boot Environment list in the GUI:

Name
    The name of the ZFS Boot Environment. Automatic entries, such as those created by the upgrade process, are prefixed by auto- and include the timestamp at which they were created.
Base Version
    The version of pfSense® software contained within the ZFS Boot Environment.
Created
    The time at which the ZFS Boot Environment was created.
Last Booted
    The time at which the firewall last booted into the ZFS Boot Environment.
Space
    The amount of disk space consumed by the ZFS Boot Environment.
Description
    The longer text description of the ZFS Boot Environment.
Fig. 2: ZFS Boot Environment list in the GUI

Actions
    Actions the administrator can take on the ZFS Boot Environment. Each action is an icon in the row:
    • Indicates the ZFS Boot Environment the firewall will use for the next boot
    • Persistently activate the entry as the next ZFS Boot Environment
    • Edit the ZFS Boot Environment
    • Clone the ZFS Boot Environment
    • Temporarily activate the ZFS Boot Environment one time and reboot. There is an additional confirmation prompt to reboot after selecting this option.
    • Delete the ZFS Boot Environment

Creating a new Boot Environment

Administrators can create new ZFS Boot Environments in several different ways.

Warning: While boot environments are helpful, they do not remove the need for off-device backups. Take separate configuration backups before starting any potentially disruptive set of changes, including upgrades.
Automatic During Upgrade

By default the firewall automatically creates a new ZFS Boot Environment before performing an upgrade. This behavior can be disabled; see Boot Environments.

Quick Create

Clicking Quick Create from the ZFS Boot Environment list will clone the current default ZFS Boot Environment. The resulting entry will be named quick- followed by the current timestamp.

Create / Clone

Clicking Create from the ZFS Boot Environment list opens a form to create a new ZFS Boot Environment with custom options, including:

Name
    Short name to briefly indicate purpose; it must only contain characters from the set a-z, A-Z, 0-9 and _.
Clone From
    The existing ZFS Boot Environment to use as the basis for this new entry.
Description
    A longer description for the ZFS Boot Environment without formatting restrictions.

Click Save to create the new ZFS Boot Environment.

The clone action in the ZFS Boot Environment list works identically, but it pre-selects the chosen entry in the Clone From field.

Editing an existing Boot Environment

Clicking the edit action on the row for a ZFS Boot Environment opens a form to edit the Name and Description of the entry. The clone source cannot be changed after the entry has been created.

Selecting Boot Environments in the GUI

There are multiple ways in the GUI to select which ZFS Boot Environment the firewall will use next.

From the ZFS Boot Environment list at System > Boot Environments there are two methods:

• Click the persistent activation action to select the ZFS Boot Environment persistently
• Click the one-time activation action to select the ZFS Boot Environment for a single boot only and reboot. This is not persistent and the next boot after will return to the default.

From Diagnostics > Reboot, select a Boot Environment from the list and reboot. This is not persistent and the next boot after will return to the default.
9.3.4 Selecting Boot Environments in the Loader Menu

At boot, pfSense® software briefly displays the loader menu with a logo and several options to control the boot behavior. This loader menu will contain an option for ZFS Boot Environments, typically option 8, but the number may vary depending on the platform.

Fig. 3: Loader Menu - Enter the number for the Boot Environments option

Press the option for Boot Environments and the loader will display a new menu with ZFS Boot Environment options. From this menu:

• Press option 2 to cycle through all available boot environments. Stop when the desired ZFS Boot Environment name is shown.
• Press option 3 to change the bootfs location if it is not correct. This is unnecessary in the vast majority of cases as it likely only has one option.
• Press the Enter key to boot the selected Boot Environment, or press 1 to return to the previous menu and change other options.

Note: This change is not persistent and the next boot after will return to the default ZFS Boot Environment. To make this change persist, select the entry in the GUI using the persistent activation action.
Fig. 4: Boot Environment Selection Menu

9.3.5 Boot Environment Status

The System Information widget on the Dashboard contains a Boot Environment section which prints the current ZFS Boot Environment and what the next ZFS Boot Environment will be.

Note: If the Boot Environment section of the widget is missing, the firewall does not support ZFS Boot Environments.

On System > Boot Environments the list of environments has an icon at the start of the row indicating the active and next ZFS Boot Environment:

• The firewall booted from this entry.
• The firewall will boot from this entry next. If this icon is not present, the firewall will boot from the entry it booted from.
9.3.6 Boot Environment Disk Space Usage

ZFS Boot Environment snapshots consume an increasing amount of disk space over time as the current contents of the disk diverge from the contents at the time the snapshot was created.

A ZFS Boot Environment snapshot taken before upgrading to a new version of pfSense® Plus software can consume several gigabytes of space, as those updates rewrite the entire base system and all of the other components, including packages, since they are all reinstalled. Updating between development snapshots will cause a ZFS Boot Environment to consume about 500MB of disk space, give or take, based on what changed in the snapshot.

Warning: Frequent upgrades between development snapshots can cause ZFS Boot Environments to consume a lot of disk space!

The operating system reflects this usage as a change in the capacity of the disk. The size of a disk will appear to decrease proportionate to the snapshot usage, and this change is reflected on the dashboard Disks widget and in utilities such as df.

Removing older ZFS Boot Environments that are no longer necessary will free the space and make it available again. While the system will attempt to clean up older automatically created ZFS Boot Environments, ultimately it is up to the administrator to decide which ZFS Boot Environments are necessary.

Tip: Automatic creation of ZFS Boot Environments during upgrade can be disabled. Administrators may choose to do this, for example, if space is at a premium and they prefer not to use ZFS Boot Environments, or if they wish to manage ZFS Boot Environments manually. See Boot Environments.

Examples

The following are examples of space usage for numerous ZFS Boot Environments.

GUI

This figure shows the Dashboard Disks and ZFS widgets on a firewall with a 12GB disk and 12 ZFS Boot Environments from snapshot upgrades.

Fig. 5: Dashboard Disk Usage with 12 Boot Environments
Note that the disk size is listed as being only about 3GB when it should be significantly larger.

The next figure is the same system with the older Boot Environments removed so that only the default and one previous entry remain:

Fig. 6: Dashboard Disk Usage with 1 Boot Environment

Shell

Similar to the above example, this is the same firewall but with the disk usage checked at the shell instead of the GUI.

With 12 Boot Environments:

: df -h /
Filesystem            Size    Used   Avail Capacity  Mounted on
pfSense/ROOT/default  3.1G    1.2G    1.9G    39%    /

: zfs list /
NAME                  USED   AVAIL  REFER  MOUNTPOINT
pfSense/ROOT/default  6.93G  1.90G  1.20G  /

With the default plus one automatic Boot Environment:

: df -h /
Filesystem            Size    Used   Avail Capacity  Mounted on
pfSense/ROOT/default  8.1G    1.2G    6.9G    15%    /

: zfs list /
NAME                  USED   AVAIL  REFER  MOUNTPOINT
pfSense/ROOT/default  1.96G  6.89G  1.20G  /

The USED column from zfs list includes the space held by the dataset's snapshots, which is why it drops from 6.93G to 1.96G while REFER (the data the live filesystem actually references) stays at 1.20G, and why df reports the disk as larger once the snapshots are gone.
9.3.7 Boot Environment Tips & Tricks

Reboot to Roll Back

• Create a new ZFS Boot Environment before making potentially disruptive changes to the firewall. This represents the current known-good state of the firewall.

  Warning: While boot environments are helpful, they do not remove the need for off-device backups. Take separate configuration backups before starting any potentially disruptive set of changes.

• Activate the new ZFS Boot Environment persistently with the persistent activation action
• Proceed to make the changes and monitor the firewall state.

If the changes caused a problem:

• Reboot and the firewall will restart from the ZFS Boot Environment with the known-good state.

If the changes are OK:

• Activate the default ZFS Boot Environment to continue using the new changes on future reboots.

9.4 Alternate Remote Backup Techniques

The easiest method to make secure and encrypted remote backups of the pfSense® software configuration is the free AutoConfigBackup service (see Using the AutoConfigBackup Service). Rest easy knowing it is taking care of handling remote backups automatically without needing to worry. Sit back, have a cup of coffee, and read on for alternate techniques.

The other techniques in this document perform backups remotely, but each method has its own security issues which may rule out their use. For starters, several of these techniques do not encrypt the configuration, which may contain sensitive information. This can result in the raw configuration being transmitted over an unencrypted, untrusted link. If one of these techniques must be used, it is best to do so from a non-WAN link (LAN, DMZ, etc.) or across a VPN. Access to the storage media holding the backup must also be controlled, if not encrypted.

9.4.1 Pull

Pulling the configuration means to use a remote client to “pull” the configuration off of the firewall. The methods in this section accomplish the same goal using different utilities.

Pull with wget

The wget utility can retrieve the configuration from a remote firewall. This process can be scripted with cron or by other means to automate the process.

Warning: Even when using HTTPS, this is not a truly secure transport mode since certificate checking is disabled to accommodate self-signed certificates, enabling man-in-the-middle attacks. When running backups with wget across untrusted networks, use HTTPS with a certificate that can be verified by wget.

The wget command must be split into multiple steps to handle the login procedure and backup download while also accounting for CSRF verification.
For a firewall running HTTPS with a self-signed certificate, the commands are as follows:

• Fetch the login form and save the cookies and CSRF token:

$ wget -qO- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate \
    https://192.168.1.1/diag_backup.php \
    | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

• Submit the login form along with the first CSRF token and save the second CSRF token (the same file cannot be reused). Now the script is logged in and can take action:

$ wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate \
    --post-data "login=Login&usernamefld=admin&passwordfld=pfsense&__csrf_magic=$(cat csrf.txt)" \
    https://192.168.1.1/diag_backup.php \
    | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

• Submit the download form along with the second CSRF token to save a copy of config.xml:

$ wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
    --post-data "download=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" \
    https://192.168.1.1/diag_backup.php -O config-router-`date +%Y%m%d%H%M%S`.xml

Note: The behavior of variable expansion and other aspects of the commands may vary by shell. This example uses bash for the client shell.

Replace the username and password with the credentials for the firewall, use whichever IP address of the firewall is reachable from the client performing the backup, and use HTTP or HTTPS to match the firewall GUI. A password containing characters such as & or % must be URL-encoded in the --post-data string, since wget sends it verbatim.

There are additional parameters which can control the contents of the backup in several ways:

• To backup the RRD files, remove the &donotbackuprrd=yes parameter from the post data string on the last command.
• To include extra data such as DHCP leases and captive portal databases, add &backupdata=yes to the post data string on the last command.
• To include the SSH keys for the firewall, add &backupssh=yes to the post data string on the last command.

The client performing the backup will also need access to the GUI, so adjust the firewall rules accordingly. Performing this type of backup over an Internet-connected WAN is not secure. At a minimum, use HTTPS and restrict access to the GUI to a trusted set of public IP addresses. A better practice is to do this locally or over a VPN.
Using cURL

The same task can be accomplished using cURL instead of wget:

• Fetch the login form and save the cookies and CSRF token:

$ curl -L -k --cookie-jar cookies.txt https://192.168.1.1/ \
    | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

• Submit the login form to complete the login procedure:

$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
    --data-urlencode "login=Login" --data-urlencode "usernamefld=admin" \
    --data-urlencode "passwordfld=pfsense" --data-urlencode "__csrf_magic=$(cat csrf.txt)" \
    https://192.168.1.1/ > /dev/null

Now the script is logged in and can perform actions!

• Fetch the target page to obtain a new CSRF token:

$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt https://192.168.1.1/diag_backup.php \
    | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

• Download the backup:

$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
    --data-urlencode "download=download" --data-urlencode "donotbackuprrd=yes" \
    --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \
    https://192.168.1.1/diag_backup.php > config-router-`date +%Y%m%d%H%M%S`.xml

Note: The behavior of variable expansion and other aspects of the commands may vary by shell. This example uses bash for the client shell.

Warning: The -k option disables certificate verification, so these commands carry the same man-in-the-middle risk described for wget. Across untrusted networks, replace -k with --cacert pointing at a CA that can verify the GUI certificate.

There are additional parameters which can control the contents of the backup in several ways:

• To backup the RRD files, remove the --data-urlencode "donotbackuprrd=yes" parameter from the last command.
• To include extra data such as DHCP leases and captive portal databases, add --data-urlencode "backupdata=yes" to the last command.
• To include the SSH keys for the firewall, add --data-urlencode "backupssh=yes" to the last command.
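The wget and cURL procedures above, combined into one script as an added example (this is not code from the pfSense documentation or project). It performs the same login, token refresh and download, but verifies the GUI certificate with --cacert instead of disabling checks, and it refuses a download that is not XML, which is what a failed login returns. Names and assumptions not on the page: the CA (or self-signed GUI certificate) is in the file named by CA_FILE, the functions extract_csrf, backup_form_fields and pull_backup are this example's own, and the login page fragment at the end is constructed for an offline check of the token extraction.

```shell
#!/bin/sh
# Added example for the pull-backup procedures above; it is not code from the
# pfSense documentation or project. It performs the same four cURL requests but
# verifies the GUI certificate with --cacert instead of disabling checks with -k.
# Assumptions not stated on the page: the GUI certificate's CA is in the file
# named by CA_FILE, and the firewall URL and credentials come from the caller.

CA_FILE=${CA_FILE:-ca.pem}

# Read a pfSense page on stdin and print its __csrf_magic token. This is the
# page's sed pattern with the backslashes the PDF extraction lost put back.
extract_csrf() {
    grep "name='__csrf_magic'" | sed 's/.*value="\([^"]*\)".*/\1/' | head -n 1
}

# backup_form_fields <rrd yes|no> <extra yes|no> <sshkeys yes|no>
# Form fields for diag_backup.php: RRD data is included unless
# donotbackuprrd=yes is sent; extra data and SSH keys are opt-in.
backup_form_fields() {
    fields="download=download"
    [ "$1" = yes ] || fields="$fields&donotbackuprrd=yes"
    [ "$2" = yes ] && fields="$fields&backupdata=yes"
    [ "$3" = yes ] && fields="$fields&backupssh=yes"
    echo "$fields"
}

# pull_backup <https://firewall> <user> <password> <output.xml> [rrd] [extra] [sshkeys]
pull_backup() {
    fw=$1 user=$2 pass=$3 out=$4
    umask 077                                   # config.xml contains secrets
    work=$(mktemp -d) || return 1
    jar=$work/cookies.txt
    fwcurl() {
        curl -sS --fail -L --cacert "$CA_FILE" --cookie "$jar" --cookie-jar "$jar" "$@"
    }

    # 1. Fetch the login form: sets the session cookie and yields the first token.
    token=$(fwcurl "$fw/" | extract_csrf)
    [ -n "$token" ] || { echo "no CSRF token on login page" >&2; rm -rf "$work"; return 1; }

    # 2. Log in with that token. A bad certificate fails here instead of being ignored.
    fwcurl --data-urlencode "login=Login" --data-urlencode "usernamefld=$user" \
           --data-urlencode "passwordfld=$pass" --data-urlencode "__csrf_magic=$token" \
           "$fw/" >/dev/null || { rm -rf "$work"; return 1; }

    # 3. Every form carries its own token; fetch the backup page to get one.
    token=$(fwcurl "$fw/diag_backup.php" | extract_csrf)
    [ -n "$token" ] || { echo "no CSRF token on backup page" >&2; rm -rf "$work"; return 1; }

    # 4. Submit the download form. --data-urlencode handles the ; and , in the token.
    fwcurl --data "$(backup_form_fields "${5:-no}" "${6:-no}" "${7:-no}")" \
           --data-urlencode "__csrf_magic=$token" \
           "$fw/diag_backup.php" -o "$out" || { rm -rf "$work"; return 1; }
    rm -rf "$work"

    # 5. A failed login or stale token yields an HTML page, not config.xml.
    head -c 5 "$out" | grep -q '^<?xml' || { echo "$out is not XML; login failed?" >&2; return 1; }
}

# Constructed fragment of a login page, used only to exercise extract_csrf offline.
SAMPLE_LOGIN_PAGE="<form method=\"post\"><input type='hidden' name='__csrf_magic' value=\"sid:0123456789abcdef,1700000000\" /></form>"

demo_extract_csrf() {
    printf '%s\n' "$SAMPLE_LOGIN_PAGE" | extract_csrf
}

# Usage: pull_backup https://fw.example.net admin 'secret' "config-$(date +%Y%m%d%H%M%S).xml" no yes no
```

For --cacert to succeed, the GUI certificate must carry the host name or IP address used in the URL as a subject alternative name; the default self-signed GUI certificate does not, so issue one from the firewall's own CA (see Certificate Management) and point CA_FILE at that CA.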
9.4.2 Push with SCP

The scp command can push the configuration file from the firewall to another host. Using scp to push a one-time backup by hand can be useful, but using it in an automated fashion carries risks. The command line for scp varies depending on the system configuration, but will be close to the following:

$ scp /cf/conf/config.xml user@backuphost:backups/config-`hostname`-`date +%Y%m%d%H%M%S`.xml

Pushing the configuration in an automated manner requires the firewall administrator to generate an SSH key without a passphrase. Due to the insecure nature of a key without a passphrase, generating such a key is left as an exercise for the reader. This adds risk due to the fact that anyone with access to that file has access to the designated account, though because the key is kept on the firewall where access is restricted, it isn't a considerable risk in most scenarios.

Ensure the remote user is isolated and has little to no privileges on the destination system. A chrooted scp environment may be desirable in this case. The scponly shell is available for most UNIX platforms which allows SCP file copies but denies interactive login capabilities. Some versions of OpenSSH have chroot support built in for sftp (Secure FTP). These steps greatly limit the risk of compromise with respect to the remote server, but still leave the backed up data at risk.

Once access is configured, a cron entry could be added to the firewall to invoke scp. A summary of the setup is as follows:

• Generate an ssh key for the root user on the firewall without a passphrase. (Warning: dangerous!)
• Add a user to a remote system, and add the new public key to its ~/.ssh/authorized_keys file. Prefix the key there with OpenSSH's restrict and from= options so that, if it is stolen, it cannot open a shell, forward ports, or be used from any host other than the firewall.
• Create a cron job on the firewall that would copy /cf/conf/config.xml to the remote system with scp

9.4.3 Basic SSH backup

Similar to the scp backup, there is another method that will work from one UNIX system to another. This method does not invoke the SCP/SFTP layer, which in some cases may not function properly if a system is already in a failing state:

$ ssh root@192.168.1.1 cat /cf/conf/config.xml > backup.xml

When executed, that command will yield a file called backup.xml in the current working directory that contains the remote firewall configuration. Automating this method using cron is also possible, but this method requires an SSH key without a passphrase on the host performing the backup. This key will enable administrative access to the firewall, so it must be tightly controlled. (See Secure Shell (SSH) for details.)

9.5 Restoring from Backups

Backups are not useful without a means to restore them, and by extension, test them. Several means for restoring configurations are available in pfSense® software. Each method has the same end result: a running firewall identical to when the backup was made.
9.5.1 Backup Compatibility

The version of pfSense Plus or pfSense CE software is not as important as the Configuration Revision number when determining backup compatibility. Differences in the configuration revision number indicate changes in the format of the configuration data which make them not directly compatible.

See also: There is a list of software versions and their corresponding configuration revision numbers at Versions of pfSense software and FreeBSD.

Backups using the same configuration revision can be restored as-is, both for complete configuration backups and partial (section-based) backups.

Complete backups with a lower configuration revision can be restored to a current version. The upgrade code will adjust the values in the configuration to convert it into a current format. Partial (section-based) backups cannot be restored if they were taken on a version with a different configuration revision, as there is no mechanism for the upgrade code to handle partial backups.

Backups with a higher configuration revision cannot be restored to an older version. There is no mechanism to downgrade a configuration, as the older version will have no knowledge of changes which happened in future versions of the software.

Restoring between pfSense CE and pfSense Plus or vice versa may work in many cases, but results depend upon the target hardware and version. For example, restoring to pfSense Plus on hardware with an integrated Ethernet switch may require manual adjustments. Contact Netgate TAC for specific guidance.

9.5.2 Restoring with the GUI

The easiest way for most users to restore a configuration is by using the GUI:

• Navigate to Diagnostics > Backup & Restore
• Locate the Restore Backup section (Figure GUI Restore).
• Select the area to restore, or leave at the default selection for a complete backup.
  Note: This value must match the Backup area chosen when creating the backup.
• Click Browse
• Locate the backup file on the local PC
• Click Restore Configuration

The firewall will then apply the configuration and reboot with the settings obtained from the backup file.

While easy to work with, this method has prerequisites when dealing with a full restore to a new installation. First, it would need to be done after the new target system is fully installed and running. Second, it requires an additional PC connected to a working network or crossover cable behind the firewall being restored.
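The rules in Backup Compatibility above, as a pre-restore check that can be run on the firewall or on an administrator's workstation. This is an added example, not code from the pfSense documentation or project; it assumes, which the page does not spell out, that the configuration revision is the <version> element near the top of config.xml and of section backups, and the functions config_revision, compare_revisions, restore_decision and check_backup_file are this example's own. The config.xml fragment at the end is constructed for an offline run.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation or project: apply the
# "Backup Compatibility" rules to a backup file and the running configuration
# before attempting a restore. Assumption (not stated on the page): the
# configuration revision is the <version> element near the top of the file.

# Print the configuration revision stored in a backup; empty if none found.
config_revision() {
    sed -n 's|.*<version>\([0-9.]*\)</version>.*|\1|p' "$1" | head -n 1
}

# compare_revisions <a> <b>: prints -1, 0 or 1 for a < b, a = b, a > b,
# comparing each dotted component numerically (22.9 < 23.0, 22.9 < 22.10).
compare_revisions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# restore_decision <backup_rev> <running_rev> <full|partial>
# Prints: restore (same revision, restore as-is), upgrade (older full backup,
# the upgrade code converts it) or refuse (newer backup, or an older partial
# backup, for which no upgrade code exists).
restore_decision() {
    case $(compare_revisions "$1" "$2") in
        0)  echo restore ;;
        -1) if [ "$3" = full ]; then echo upgrade; else echo refuse; fi ;;
        *)  echo refuse ;;
    esac
}

# check_backup_file <backup.xml> <running-config.xml> <full|partial>
# On a firewall the running configuration is /cf/conf/config.xml.
check_backup_file() {
    b=$(config_revision "$1")
    r=$(config_revision "$2")
    if [ -z "$b" ] || [ -z "$r" ]; then
        echo "could not read <version> from both files" >&2
        return 2
    fi
    echo "backup revision $b, running revision $r" >&2
    restore_decision "$b" "$r" "$3"
}

# Constructed sample of the top of a config.xml; not taken from a real firewall.
SAMPLE_CONFIG='<?xml version="1.0"?>
<pfsense>
	<version>22.9</version>
	<lastchange></lastchange>
</pfsense>'

# Usage: check_backup_file backup.xml /cf/conf/config.xml full
```

The decision for a partial backup with a lower revision is refuse rather than upgrade because, as the text above states, the upgrade code only operates on complete configurations; a section restored from an older revision would be written in a format the running version does not expect.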
Fig. 7: GUI Restore

Restore Options

Restore Area
    Restores a backup containing only a single configuration area, rather than a complete configuration backup.

    Warning: Restoring a single area does not trigger a reboot nor does it cause any part of the configuration to be reapplied. To ensure the restored configuration area is active, issue a reboot or manually refresh the configuration for the relevant area after restore (e.g. edit/save/apply on a page, issue a filter reload, etc).

    Warning: When restoring a single area, the area being restored must be from the same version. Single areas do not support running upgrade code on the configuration, and thus cannot be adjusted if the format of the area changed from a previous version.

    Warning: This does not restore one area from a full backup; the backup file must only contain the area to restore.

    Note: This value must match the Backup area chosen when creating the backup.

Configuration File
    A Browse button to select a backup file to upload and restore.

Preserve Switch Configuration
    This option is available on Netgate hardware with integrated switches. When set, the current active switch configuration will be copied into the restored configuration, preserving it for later use. This makes it easier to restore a configuration from hardware without an integrated switch.

    Note: This only copies the integrated switch configuration, and does not copy VLAN or LAGG interface entries which may be relevant to using the switch. This behavior is safer, as the configuration being restored may also contain important configuration data in those areas.
Encryption
    When set, a Password field is presented, the contents of which is used by the firewall to decrypt the contents of the backup file before restoring the configuration.

9.5.3 Restoring from the Config History

For minor problems, using one of the internal backups on the firewall is the easiest way to back out a change. The previous 30 configurations are stored in the Configuration History, along with the current running configuration.

Each row in the configuration history list shows the date the configuration file was made, the configuration version, the user and IP address of a person making a change in the GUI, the page that made the change, and in some cases, a brief description of the change that was made. The action buttons to the right of each row show a description of what they do when the mouse pointer is hovered over the button.

To restore a configuration from the history:

• Navigate to Diagnostics > Backup & Restore
• Click the Config History tab (Figure Configuration History)
• Locate the desired backup in the list
• Click the restore action to restore that configuration file

Fig. 8: Configuration History

Restoring a configuration with this method does not initiate an automatic reboot. Minor changes do not require a reboot, though reverting some major changes will. If a change was only made in one specific section, such as firewall rules, trigger a refresh in that area of the GUI to enable the changes. For firewall rules, a filter reload would be sufficient. For OpenVPN, edit and save the VPN instance. The necessary actions to take depend on the changes in the restored configuration, but the best way to ensure that the full configuration is active is to reboot. If necessary, reboot the firewall with the new configuration by going to Diagnostics > Reboot System and clicking Yes.

Previously saved configurations may be deleted with the delete action, but do not delete them by hand to save space; the old configuration backups are automatically deleted when new ones are created. It is desirable to remove a backup from a known-bad configuration change to ensure that it is not accidentally restored.

A copy of a previous configuration may be downloaded with the download action.
Configuration Backup Cache Settings

The number of backups stored in the configuration history may be changed if needed.

• Navigate to Diagnostics > Backup & Restore
• Click the Config History tab
• Click the button at the right end of the Configuration Backup Cache Settings bar to expand the settings
• Enter the new number of configurations to retain in the Backup Count field
• Click Save

Along with the configuration count, the page also displays the amount of space consumed by the backup cache.

Config History Diff

The differences between any two configuration files may be viewed in the Config History tab. To the left of the configuration file list there are two columns of radio buttons. Use the leftmost column to select the older of the two configuration files, and then use the right column to select the newer of the two files. Once both files have been selected, click Diff at either the top or bottom of the column.

Console Configuration History

The configuration history is also available from the console menu as option 15, Restore Recent Configuration. The menu selection will list recent configuration files and offer to restore one. This is useful if a recent change has locked administrators out of the GUI or taken the firewall off the network.

9.5.4 Restoring by Mounting the Disk

Attaching the disk from an installation of pfSense software to a computer running FreeBSD enables the drive to be mounted by the FreeBSD host, and a new configuration may be copied directly onto the installed system, or a configuration file from a failed system may be copied off.

Note: This can also be performed on a separate installation of pfSense in place of a computer running FreeBSD, but do not use an active production firewall for this purpose. Instead, use a spare or test firewall.

The config.xml file is kept in /cf/conf/; the only difference when the disk is attached to another host is where that directory appears, since it lives on the root partition of the pfSense disk (typically da0p2). The drive and partition name will vary depending on disk type and position in the host. On a ZFS installation the root is a dataset in a pool rather than a plain partition, so the pool must be imported on the host (for example with zpool import -R pointing at an alternate mount root) before the directory can be reached.
9.5.5 Encrypted Configuration files

The GUI can automatically determine the correct decryption method when restoring an encrypted configuration backup file, whether it's from a current version or an older version. When restoring an encrypted configuration file, check Configuration file is encrypted, then enter the password in the Password field, and restore as usual from there.

Encrypted configuration files can be manually decrypted using the correct password for offline inspection. The method used to encrypt configuration files has changed in recent versions, so use the method appropriate for the version which generated the encrypted configuration file.

In any of the following cases, replace <PASSWORD> with the appropriate password string, and change the filenames as needed.

Note: -pass pass:<PASSWORD> exposes the password in the process list and the shell history. OpenSSL also accepts -pass env:VARIABLE and -pass file:PATH, which avoid that.

Plus 22.05 and CE 2.7.0 and later

These versions use secure options with high iterations for increased security:

$ openssl enc -d -a -aes-256-cbc -in config-encrypted.xml -out decryptedfile.xml \
    -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2 -iter 500000

These versions also include a PHP shell script which can encrypt and decrypt configurations from a shell on the firewall itself:

$ pfSsh.php playback cryptconfig decrypt /root/config-encrypted.xml /root/decryptedfile.xml

The script will prompt for the decryption password.

Plus 21.02 through 22.01 / CE 2.5.x through CE 2.6.x

These versions used more secure parameters than the older options, but with the default iteration count:

$ openssl enc -d -a -aes-256-cbc -in config-encrypted.xml -out decryptedfile.xml \
    -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2

Older versions

Versions before the ones stated previously used older legacy options:

$ openssl enc -d -a -aes-256-cbc -in config-encrypted.xml -out decryptedfile.xml \
    -pass pass:<PASSWORD> -salt -md md5
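The three decryption commands above wrapped into one version-aware script, as an added example that is not code from the pfSense documentation or project. It reads the password from an environment variable instead of the command line, drops any non-base64 wrapper lines before decoding, and refuses output that is not XML, which is what a wrong password or wrong release family produces when the padding check happens to pass. Assumptions not on the page: the caller names the release family (current, 2.5 or legacy) rather than the script detecting it, the function names are this example's own, and the matching encrypt_config function exists only to produce test data with the same parameters.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation or project: decrypt an
# encrypted configuration backup offline with the OpenSSL options for the
# release that produced it, and check that the result is really XML.
# Assumptions not stated on the page: the caller names the release family, and
# any non-base64 wrapper or header lines in the file are dropped before decoding.

# openssl_opts <current|2.5|legacy>: key-derivation options per release family
openssl_opts() {
    case $1 in
        current) echo "-md sha256 -pbkdf2 -iter 500000" ;;  # Plus 22.05+, CE 2.7.0+
        2.5)     echo "-md sha256 -pbkdf2" ;;                # Plus 21.02-22.01, CE 2.5.x-2.6.x
        legacy)  echo "-md md5" ;;                           # anything older
        *)       echo "unknown release family: $1" >&2; return 1 ;;
    esac
}

# Keep only base64 lines so wrapper lines such as "---- BEGIN config.xml ----"
# never reach openssl.
base64_body() {
    grep -E '^[A-Za-z0-9+/=]+$' "$1"
}

# decrypt_config <family> <encrypted.xml> <decrypted.xml>
# The password comes from PFSENSE_CONFIG_PASS rather than -pass pass:..., so it
# is not visible in the process list or shell history.
decrypt_config() {
    opts=$(openssl_opts "$1") || return 1
    [ -n "$PFSENSE_CONFIG_PASS" ] || { echo "set PFSENSE_CONFIG_PASS" >&2; return 1; }
    umask 077                                      # the plaintext holds secrets
    if ! base64_body "$2" | openssl enc -d -a -aes-256-cbc -salt $opts \
            -pass env:PFSENSE_CONFIG_PASS -out "$3"; then
        echo "openssl failed: wrong password or release family?" >&2
        rm -f "$3"
        return 1
    fi
    # A wrong password normally fails the CBC padding check, but not always;
    # refuse anything that did not decrypt to an XML document.
    head -c 5 "$3" | grep -q '^<?xml' || {
        echo "$3 is not XML: wrong password or release family?" >&2
        rm -f "$3"
        return 1
    }
}

# encrypt_config <family> <plain.xml> <encrypted.xml>: the matching direction,
# used here only to produce test data with the same parameters.
encrypt_config() {
    opts=$(openssl_opts "$1") || return 1
    openssl enc -e -a -aes-256-cbc -salt $opts -pass env:PFSENSE_CONFIG_PASS \
        -in "$2" -out "$3"
}

# Usage:
#   export PFSENSE_CONFIG_PASS='...'
#   decrypt_config current config-encrypted.xml decrypted.xml
```

A failed decryption removes the partially written output file, so a stale or garbage decryptedfile.xml is never left behind to be restored by mistake.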
9.6 Automatically Restore Configuration During Installation

In addition to restoring through the GUI, pfSense® software supports methods which restore a configuration to a new setup without going through all the trouble of setting up a client and restoring using a web browser. These methods are significantly easier than reconfiguring the LAN and restoring via the network, especially in complex environments. The firewall will start up using the restored configuration immediately without needing intermediate steps.

• Recover config.xml From Existing Installation
• Restore Configuration from USB During Install
• Restore using the External Configuration Locator (ECL)

9.6.1 Recover config.xml From Existing Installation

The installer has a Recover config.xml option which reads the configuration file from an existing installation before starting the install process and puts it back in the exact same location when it finishes. This makes the feature useful for upgrades, filesystem changes, or any other situation requiring a reinstallation on the same disk. In addition to copying the existing configuration this function also attempts to copy the SSH host keys.

Note: The Recover config.xml option works on installations using either UFS or ZFS.

• Take a backup of the configuration before starting, if possible, in case this procedure does not work as expected
• Boot a pfSense software installation image
• Choose Recover config.xml when the option appears
• Select the existing installation drive (e.g. ada0)
  The selection list shows the disk name, size, and filesystem type, which is typically enough to identify the disk
• Wait a moment while the recovery process happens
  The recovery process attempts to repair the filesystem on the disk up to 10 times, then mounts the disk and looks for the existing configuration file. If it is able to find and read the configuration file, the recovery process copies it to a temporary RAM disk during the installation process.

  Note: The recovery process only briefly displays its output, so it can be difficult to spot whether it succeeded or failed. If the process fails, the configuration either is not there or it was not recoverable. Either way, proceeding is safe as it is unlikely the config.xml would be recovered from the drive by other means.
• Proceed through the installation as usual

At the end of the installation, the installer automatically copies the configuration from the temporary RAM disk back to the target disk before rebooting. The firewall will boot off the target disk with the configuration restored by the installer already in place. The firewall will reinstall packages automatically in the background.
9.6.2 Restore Configuration from USB During Install

As part of the installation routine, the installer checks for an existing configuration on a USB drive formatted as FAT or FAT32. If the installer can locate and read a configuration file, it copies the file to the target disk. The configuration may include additional data from options on the backup page, such as RRD, SSH keys, DHCP lease databases, and captive portal data. The configuration may also be encrypted; the installer will prompt for the password to decrypt the configuration if necessary.

Warning: This feature does not support drives formatted with exFAT, only FAT or FAT32. For this feature to work correctly, the USB drive must contain a partition table and it must not be formatted as a raw device.

Tip: The pfSense software memstick installation image contains a FAT partition which the installer can use for this purpose. If the partition is not visible on the workstation which wrote the memstick image, remove and reinsert the USB drive.

• On a FAT/FAT32 formatted USB drive, make a directory called conf
• Copy a backup configuration file to the conf directory
• Rename the backup to config.xml
  Example: If the USB drive is E:, the full path would be E:\conf\config.xml

  Note: The installer also looks for config.xml in the root directory of the drive, but the best practice is to place the file in the conf directory.
• Unmount/eject the USB drive, remove it, then plug it into the firewall
• Boot the install media (Memstick, disc, etc)
• Install to the target disk

  Note: If the configuration on the USB drive is encrypted, the installer will prompt for the decryption password near the end of the installation process.
• Reboot the firewall
• Remove the USB drive only AFTER the firewall has begun to reboot

  Warning: If the USB drive is removed too early, it may still be mounted and the system will panic!
• Remove the install media as well at this point

The firewall will boot off the target disk with the restored configuration.
9.6.3 Restore using the External Configuration Locator (ECL)

pfSense software also includes a feature called the External Configuration Locator, or ECL for short. The ECL process runs at boot time to, as the name implies, locate configuration files on external storage. If the ECL finds a configuration file, it copies that file to the firewall disk, replacing any existing configuration.

Note: The ECL runs on every boot, so its use is not limited to fresh installations.

This procedure is nearly identical to the method in Restore Configuration from USB During Install, but the USB disk containing the configuration does not need to be present during the installation. The same warnings from that procedure also apply here.

• On a FAT, FAT32, or UFS formatted USB drive, make a directory called config
• Copy a backup configuration file to the config directory
• Rename the backup to config.xml
  Example: If the USB drive is E:, the full path would be E:\config\config.xml

  Note: The ECL also looks for config.xml in the root directory of the drive, but the best practice is to place the file in the config directory.
• Unmount/eject and remove the USB drive
• Install pfSense software as usual
  This is optional, since the ECL runs on existing installations.
• Reboot the firewall
• Insert the USB drive containing the configuration while the firewall boots and the ECL will read in the configuration file from there

  Note: USB drives which only contain files can be inserted before the firewall boots. Bootable USB drives, such as the installation memstick, should not be inserted until after the firewall has started to boot from its own disk. This behavior will vary by target device and its boot preferences. Monitor the console to find the appropriate timing. Timing is also affected by the speed of the device. Slower systems may not mount the USB drive before the ECL runs.
• Wait for the firewall to complete the boot process
• Check that the configuration was loaded properly
  If the configuration did not load as expected, check the file location and name on the USB drive, and check the timing of when the USB drive was present during the boot process, then start over. Monitor the console for details.
• Remove the USB drive once the correct configuration file is in place

If this is the first boot post-installation, then this process also triggers reinstallation of packages listed in the restored configuration.
Warning: This procedure will copy the config.xml file from the USB drive to the target drive at every boot. However, the running firewall will not copy its own configuration back to the USB drive. Thus, leaving the drive inserted in the firewall will result in losing all configuration changes not present in the configuration file on the USB drive.

9.7 Restoring a Configuration File to a Different Version

Configurations are specific to a given version of pfSense® software. The configuration is the same on all platforms and architectures using the same version of pfSense software. The version of FreeBSD used is not relevant.

Generally speaking, a complete older configuration version can always be restored to a newer release of pfSense software. The firewall will upgrade the configuration as needed, provided that it has the entire configuration and not a partial copy. A newer configuration cannot be restored to an older release that had a different configuration version. Certain releases of pfSense software had the same configuration version, and restoring between those is possible, but still not recommended. See Versions of pfSense software and FreeBSD to see which configuration versions were used on specific releases.

A configuration section or partial configuration cannot be restored between different configuration versions. It may work by pure luck, but often there are configuration format differences that require changes to be made to the older configuration. These changes are automatic if a complete configuration is restored. If a partial restore is required, perform a full upgrade in a test VM or lab and then copy the needed section out of the resulting config.xml post-upgrade.
9.8 Caveats and Gotchas

While the configuration XML file kept by pfSense® software includes all of the settings, it does not include any changes that may have been made to the system by hand, such as manual modifications of source code. Additionally some packages require extra backup methods for their data.

The configuration file may contain sensitive information such as VPN keys or certificates, and passwords (other than the admin password) in plain text. Some passwords must be available in plain text during run time, making secure hashing of those passwords impossible (Password Storage Security Policies). Hence backup copies of these files must also be protected in some way. If they are stored on removable media, take care with physical security of that media and/or encrypt the drive.

If the GUI must be used over the WAN without a VPN connection, at least use HTTPS. Otherwise, a backup is transmitted in the clear, including any sensitive information inside that backup file. We strongly recommend using a trusted network or encrypted connection.

9.9 Password Storage Security Policies

Sensitive data such as PPPoE/PPTP client, PPTP VPN, and DynDNS passwords, as well as remote authentication server credentials (RADIUS shared secrets, LDAP bind user passwords) and IPsec shared secrets, among others, appear in plain text or with reversible Base64 encoding in the pfSense® software configuration file, config.xml. This is a deliberate design decision in m0n0wall that has been carried over here.

Since the firewall cannot prompt the user for a password each time it is required, the implementations of affected areas require plain text passwords to operate. pfSense software could, of course, use some snake oil encryption on those passwords, but that would only create a false sense of security. Any encryption applied to the passwords could be reversed by anyone with access to the source code (i.e. everybody). Hashes like SHA256 cannot be used where the plain text password is needed at a later stage, unlike for the system password, which is only stored as a hash.

By leaving the passwords in plain text, it is very clear that config.xml deserves to be stored in a secure location (and/or encrypted with one of the countless programs out there). Any sort of hashing used would not be secure, and would be dangerous because it would give the impression of security where none exists.

See also:
• Backup Files and Directories with the Backup Package

Thanks to the XML-based configuration file used by pfSense® software, backups are a breeze. All of the settings for the system are held in one single file (see XML Configuration File). In the vast majority of cases, this one file can be used to restore a system to a fully working state identical to what was running previously. There is no need to make an entire system backup, as the base system files are not modified by a normal, running, system.

Note: In rare cases, packages may store files outside of config.xml; check the package documentation for additional information and backup suggestions.

9.10 Backup Strategies

The optimal backup strategy can be summarized in the following points:

• Take frequent backups
• Keep multiple copies of backups in a safe location off the firewall
• Periodically test backups

The remainder of this section expands on these points.

The best practice is to make a backup after each minor change, and both before and after each major change or series of changes. Typically, an initial backup is taken in case the change being made has undesirable effects. An after-the-fact backup is taken after evaluating the change and ensuring it had the intended outcome.
Periodic backups are also helpful, regardless of changes, especially in cases where a manual backup may be missed. pfSense software makes an internal backup upon each change, and the best practice is to download a manual backup as well. The automatic backups made on each change are useful for reverting to prior configurations after changes have proven detrimental, but are not good for disaster recovery as they are on the system itself and not kept externally.

As it is a fairly simple and painless process, administrators should make a habit of downloading a backup now and then and keeping it in a safe place. Backups may be handled easily and automatically using the free AutoConfigBackup service.

Tip: Backup files can contain sensitive information, so carefully consider security measures for backups kept off the firewall. If they are on other network file shares, ensure access is restricted. For offline backups, consider physical security measures such as keeping media containing backups in a fire safe and at a remote secure location such as a second office or bank safety deposit box.

If changes have been made to system files, such as custom patches or code alterations, those changes must be backed up manually or with the backup package described in Backup Files and Directories with the Backup Package, as they will not be backed up or restored by the built-in backup system. This includes alterations to system files mentioned elsewhere in the documentation, such as /boot/device.hints, /boot/loader.conf.local, and others.

Note: Custom patches should be handled using the System Patches package, which is backed up with config.xml, rather than saving manually patched files.

In addition to making backups, backups must also be tested. Before placing a system into production, back up the configuration, wipe the disk, and then attempt some of the different restoration techniques in this chapter. The best practice is to periodically test backups on a non-production machine or virtual machine. The only thing worse than a missing backup is an unusable backup!

RRD graph data can optionally be held in the XML configuration file backup. This behavior is disabled by default due to the resulting size of the backup file. There are also other ways to ensure this data is backed up safely. See Backup Files and Directories with the Backup Package later in this chapter.
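Because of what sections 9.8 and 9.9 describe, a config.xml should be checked for reversible secrets before it leaves a trusted system, for example when it is attached to a support case or pasted into a forum post, and those values redacted. The functions below are an added example, not a pfSense tool. The element names they look for are assumptions derived from the categories 9.9 lists (PPP and VPN passwords, RADIUS shared secrets, LDAP bind passwords, IPsec pre-shared keys, private keys), so extend SECRET_TAGS to match your own configuration. Base64-encoded values are treated exactly like plaintext, since the encoding is reversible, while the system user password hash (bcrypt-hash) is left untouched because, as 9.9 says, it is already a real hash. The config fragment in the test is constructed.

```shell
#!/bin/sh
# Added example: find and redact reversible secrets in a pfSense config.xml
# before sharing it.  The tag names are assumptions based on the data types
# named in section 9.9; extend SECRET_TAGS for your own configuration.
#
# Usage:  pf_list_secrets config.xml           # "line:tag" per hit
#         pf_count_secrets config.xml          # number of hits
#         pf_redact_config config.xml out.xml  # write a redacted copy

SECRET_TAGS='password|passwd|pre-shared-key|radius_secret|ldap_bindpw|prv|shared_key|tls|privatekey'
REDACTED='REDACTED'

# Print "line:tag" for every element whose text is a reversible secret.
# bcrypt-hash (the system user password) is a real hash and is not matched;
# Base64 values (e.g. <prv>) are matched because Base64 is reversible.
pf_list_secrets() {
  grep -n -E "<($SECRET_TAGS)>[^<]+</" "$1" \
    | sed -E "s/^([0-9]+):.*<($SECRET_TAGS)>.*/\1:\2/"
}

# Number of secret-bearing lines, for a quick "is this safe to share" check.
pf_count_secrets() {
  pf_list_secrets "$1" | wc -l | tr -d ' '
}

# Write a copy with every secret element's text replaced.  Element names and
# structure are untouched so the redacted file still parses as XML; empty
# elements are left as they are.
pf_redact_config() {
  sed -E "s#(<($SECRET_TAGS)>)[^<]+(</)#\1$REDACTED\3#g" "$1" > "$2"
}
```

Run pf_count_secrets on a backup before it goes anywhere; a non-zero count means the file needs the same protection as the admin credentials. The redacted copy is for sharing only and cannot be restored, since the secrets it no longer contains are exactly the ones the firewall needs at run time.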
CHAPTER TEN

INTERFACE TYPES AND CONFIGURATION

10.1 WAN vs LAN Interfaces

pfSense® software treats interfaces differently based on whether they act as a WAN type interface (e.g. a connection to an upstream network) or a LAN type interface (e.g. a connection to an internal network). Most traditional interfaces will fall into one of the two categories, with VPN interfaces being more of a gray area.

Note: The NAT portions of this document only refer to IPv4 behavior, not IPv6.

10.1.1 Choosing between WAN and LAN Types

The IPv4 Upstream Gateway and IPv6 Upstream Gateway options on the interface configuration control whether the firewall considers an assigned interface as a WAN or LAN type interface. If an interface has a gateway selected, the firewall treats it as a WAN type interface. If an interface does not have a gateway selected, the firewall treats it as a LAN type interface.

There is no way to change the default behavior of dynamic interface types such as DHCP, PPP, and most assigned VPN interfaces. The GUI hides the gateway options on the interface configuration for these types of interfaces. The behavior of these interfaces is noted in the remainder of this document where relevant.

No matter how the firewall treats an interface by default, the firewall behavior can almost always be adjusted through the use of options in the GUI.

10.1.2 WAN Type Interface

A WAN type interface is an interface through which the Internet can be reached, directly or indirectly. The firewall treats any interface with a gateway selected on its interface configuration as a WAN type interface. Dynamic IP address interfaces such as DHCP and PPP receive a dynamic gateway automatically and the firewall always considers them WAN interfaces.

For example, a static IP address WAN (e.g. Interfaces > WAN) would typically have a gateway selected such as WAN_GW. If this gateway selection is not present the firewall will treat the interface as a LAN type interface instead.

The firewall behavior changes in several ways for WAN type interfaces:

• The firewall performs outbound NAT on traffic exiting a WAN type interface when using Automatic or Hybrid outbound NAT modes.
• The firewall will not perform outbound NAT for traffic originating from the subnet(s) directly attached to a WAN type interface when using Automatic or Hybrid outbound NAT modes.
• The firewall includes a WAN type interface in the count of WAN interfaces for Multi-WAN features. Some functions are hidden unless the firewall has more than one WAN type interface.
• The firewall adds reply-to to firewall rules on a WAN type interface, which returns packets for connections coming in through that WAN back out via the same WAN where possible.

  Note: This behavior can be overridden on a per-rule basis using the option on firewall rules, or it can be disabled globally on System > Advanced, Firewall & NAT tab.
• The firewall adds route-to to automatic firewall rules for outbound traffic on a WAN type interface, which ensures outbound traffic on the interface is sent to the configured gateway.
• The traffic shaper wizard treats a WAN type interface as a WAN.
• The DNS Resolver will not allow queries from the subnet(s) on a WAN type interface without a manual ACL entry.

10.1.3 LAN Type Interface

A LAN type interface is an interface which connects to a local network, for example a LAN, DMZ, management network, guest network, and so on. Typically this also includes site-to-site links used to reach other local or internal networks, such as VPNs and private or dedicated circuits. The firewall treats any assigned interface without a gateway selected on its interface configuration as a LAN type interface.

Warning: Do not select a gateway on the Interfaces menu entry for local interfaces such as LAN or for site-to-site VPNs. Local and other interfaces may have a gateway defined under System > Routing so long as that gateway is not selected on its interface configuration.

The firewall behavior changes in several ways for LAN type interfaces:

• The firewall will perform outbound NAT for traffic originating from the subnet(s) directly attached to a LAN type interface when that traffic exits a WAN type interface and Automatic or Hybrid outbound NAT mode is active.
• If NAT reflection is active the firewall will create NAT reflection rules which allow clients on LAN type interfaces to access port forwards from behind the firewall.

  Note: This behavior can be changed on a per-rule basis using the option on NAT rules, or it can be controlled globally on System > Advanced, Firewall & NAT tab.
• The firewall will not perform outbound NAT on traffic exiting a LAN type interface when using Automatic or Hybrid outbound NAT mode.
• The firewall does not add reply-to or route-to to firewall rules on a LAN type interface.
• The traffic shaper wizard treats a LAN type interface as a LAN.
• The DNS Resolver automatically allows queries from the subnet(s) on a LAN type interface.
10.1.4 VPN Interfaces

Assigned IPsec VTI and OpenVPN interfaces are treated differently than traditional interfaces. Most, but not all, of these points also apply to assigned GRE and GIF tunnel interfaces.

VPNs have numerous use cases which are similar to both LAN and WAN type interfaces, and in some cases both. For example a VPN could be for site-to-site links, remote access for mobile clients, or for connecting to the Internet through a VPN provider. The default behavior of the firewall attempts to balance the most common user needs and expectations when handling assigned VPN interfaces.

Note: Currently WireGuard interfaces act similarly to traditional interfaces when assigned, so their behavior primarily depends upon whether or not a gateway is selected in their interface configuration.

• The firewall treats an assigned VPN interface as a LAN type interface for NAT, which means that it lists the subnets on these interfaces as traffic sources for outbound NAT and it does not perform outbound NAT on traffic exiting these interfaces. In most cases a user does not expect the firewall to perform NAT on VPN traffic by default. Outbound NAT rules in Hybrid or Manual outbound NAT modes can make the firewall perform outbound NAT if a use case requires NAT.
• The firewall treats an assigned VPN interface as a WAN type interface for traffic shaping if a VPN interface is capable of using ALTQ traffic shaping.
• The firewall treats an assigned VPN interface as a WAN interface for firewall rule attributes such as reply-to and route-to. This ensures that traffic entering the firewall over a specific VPN connection returns back through the same VPN.
• The DNS Resolver treats an assigned VPN interface as a LAN interface and allows queries from subnet(s) configured on the VPN.

Note: Firewall features such as per-interface rules, NAT, and reply-to do not work with IPsec VTI interfaces by default. The IPsec Filter Mode setting can allow IPsec VTI interfaces to utilize these features. See Advanced IPsec Settings.

10.1.5 Verifying an Interface Type

There are a couple of ways to confirm if the firewall is treating an interface as a WAN or a LAN.

The interface status page (Status > Interfaces) is useful for determining the interface type. For non-VPN interfaces the presence of the Gateway IPv4 and/or Gateway IPv6 attribute on an interface indicates that the firewall considers it as a WAN type interface.

The next easiest method is to check the outbound NAT settings at Firewall > NAT, Outbound tab. Check the Automatic Rules section if the mode is set to Automatic or Hybrid. WAN type interfaces will have rules in the list with their name in the Interface column. LAN type interfaces have their subnets listed in the Source column of each rule.

Note: If the outbound NAT mode is Automatic or Hybrid and there are no entries in the Automatic Rules list, that generally indicates that the firewall has either no WAN type interfaces or no LAN type interfaces. Check the gateway settings on each assigned interface and ensure that all WAN interfaces have a gateway selected and that no LAN interfaces have a gateway selected.
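The same outbound NAT check, plus the reply-to check, can be read off the loaded ruleset from a shell on the firewall: the automatic outbound NAT rules show up in pfctl -sn as "nat on <WAN>" with the LAN type subnets as their sources, and the reply-to tags from 10.1.2 show up in pfctl -sr. The functions below are an added example, not part of pfSense software. They read rule text on standard input so they can be fed directly from pfctl on the firewall or from a saved copy; the interface names, addresses and rule lines in the test are constructed for illustration, and the outbound NAT part only means anything when the mode is Automatic or Hybrid with automatic rules present, as the note above says.

```shell
#!/bin/sh
# Added example: classify interfaces from pf rule text the way section 10.1.5
# reads the Outbound NAT "Automatic Rules" list, plus the reply-to check.
#
# On the firewall:
#   pfctl -sn > /tmp/nat.txt; pfctl -sr > /tmp/rules.txt
#   pf_iface_roles /tmp/nat.txt /tmp/rules.txt
# Each helper reads rule text on stdin and prints one token per line, sorted.

# Interfaces that are the egress of a "nat on <if>" rule.  With Automatic or
# Hybrid outbound NAT these are the WAN type interfaces (the Interface column).
pf_nat_egress() {
  sed -n -E 's/^nat on ([A-Za-z0-9_.]+) .*/\1/p' | LC_ALL=C sort -u
}

# Source networks of those rules (the Source column): the subnets of LAN type
# interfaces, and of assigned VPN interfaces, which are LAN type for NAT.
pf_nat_sources() {
  sed -n -E 's/^nat on [A-Za-z0-9_.]+ inet6? from ([^ ]+) .*/\1/p' | LC_ALL=C sort -u
}

# Interfaces carrying reply-to on pass rules.  WAN type interfaces get these,
# and so do assigned VPN interfaces; LAN type interfaces do not.
pf_replyto_ifaces() {
  sed -n -E 's/.*reply-to \(([A-Za-z0-9_.]+) .*/\1/p' | LC_ALL=C sort -u
}

# Combined view.  $1 = saved "pfctl -sn" output, $2 = saved "pfctl -sr" output.
# An interface listed under reply-to but not under nat-egress is the assigned
# VPN case from 10.1.4: WAN type for rule attributes, LAN type for NAT.
pf_iface_roles() {
  pf_nat_egress     < "$1" | sed 's/$/ nat-egress (WAN type for outbound NAT)/'
  pf_replyto_ifaces < "$2" | sed 's/$/ reply-to (WAN type for rule attributes)/'
  pf_nat_sources    < "$1" | sed 's/$/ nat-source (LAN type subnet)/'
}
```

If pf_nat_egress prints nothing while the mode is Automatic or Hybrid, that is the empty Automatic Rules list from the note above: either no interface has a gateway selected or every assigned interface has one.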
Another method is to start a traffic shaper wizard (Firewall > Traffic Shaper, Wizards tab) and step through until the wizard lists the interfaces. From there, check if an interface is present in either the LAN or WAN interface selection lists.

Note: This method will not work for interface types which do not support ALTQ traffic shaping.

10.2 Interface Configuration

To assign a new interface:

• Navigate to Interfaces > Assignments
• Pick the new interface from the Available network ports list
• Click Add

The newly assigned interface will be shown in the list. The new interface will have a default name allocated by the firewall such as OPT1 or OPT2, with the number increasing based on its assignment order. The first two interfaces default to the names WAN and LAN but they can be renamed. These OPTx names appear under the Interfaces menu, such as Interfaces > OPT1. Selecting the menu option for the interface will open the configuration page for that interface.

10.2.1 General Configuration

The following options are available for all interface types.

Description
  The name of the interface. Interface names may only contain letters, numbers, and the underscore (_); no other special characters are allowed. This changes the name of the interface on the Interfaces menu, on the tabs under Firewall > Rules, under Services > DHCP, and elsewhere throughout the GUI. Using a custom name makes it easier to remember the purpose of an interface and to identify an interface for adding firewall rules or choosing other per-interface functionality.

IPv4 Configuration Type
  Configures the IPv4 settings for the interface. Details for this option are in the next section, IPv4 Configuration Types.

IPv6 Configuration Type
  Configures the IPv6 settings for the interface. Details for this option are in IPv6 Configuration Types.

MAC address
  The MAC address of an interface can be changed (“spoofed”) to mimic a previous piece of equipment, depending on the type of interface.

  Warning: The best practice is to not force a specific MAC address. The old MAC address will generally be cleared out by resetting the equipment to which this firewall connects, or by clearing the ARP table, or waiting for the old ARP entries to expire. Changing the MAC address is a long-term solution to a temporary problem.

  Spoofing the MAC address of the previous firewall can allow for a smooth transition from an old router to a new router, so that ARP caches on devices and upstream routers are not a concern. It can also be used to fool a piece of equipment into believing that it’s talking to the same device that it was talking to before, as in cases where a certain network router is using static ARP or otherwise filters based on MAC address. This is common on cable modems, where they may require the MAC address to be registered if it changes.

  Note: ARP cache problems tend to be very temporary, resolving automatically within minutes or by power cycling other equipment.

  One downside to spoofing the MAC address is that unless the old piece of equipment is permanently retired, there is a risk of later having a MAC address conflict on the network, which can lead to connectivity problems. If the old MAC address must be restored, this option must be emptied out and then the firewall must be rebooted. Alternately, enter the original MAC address of the network card and save/apply, then empty the value again.

MTU (Maximum Transmission Unit)
  The Maximum Transmission Unit (MTU) size field can typically be left blank, but can be changed when required. Some situations may call for a lower MTU to ensure packets are sized appropriately for an Internet connection. In most cases, the default assumed values for the WAN connection type will work properly. It can be increased for those using jumbo frames on their network. On a typical Ethernet style network, the default value is 1500, but the actual value can vary depending on the interface configuration.

MSS (Maximum Segment Size)
  Similar to the MTU field, the MSS field “clamps” the Maximum Segment Size (MSS) of TCP connections to the specified size in order to work around issues with Path MTU Discovery.

Speed and Duplex
  The default value for link speed and duplex is to let the firewall decide what is best. That option typically defaults to Autoselect, which negotiates the best possible speed and duplex settings with the peer, typically a switch. The speed and duplex setting on an interface must match the device to which it is connected. For example, when the firewall is set to Autoselect, the switch must also be configured for Autoselect. If the switch or other device has a specific speed and duplex forced, it must be matched by the firewall.

Switch Port
  Netgate Appliances with an integrated switch have an option on this page which controls the link state for this interface by having it mirror the state of a switch port. In this way, a firewall interface configured as a VLAN which maps to a switch port can be set to follow the status of the physical switch port. Otherwise, since it is a VLAN attached to an internal uplink, the status would always show as up. Consult the Netgate Product Manuals for more information on switch configuration.

10.2.2 Reserved Networks

Block Private Networks
  When Block private networks is active, the firewall inserts a rule automatically which prevents any RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback (127.0.0.0/8) from communicating on that interface. This option is typically only desirable on WAN type interfaces to prevent the possibility of privately numbered traffic coming in over a public interface.

Block bogon networks
  When Block bogon networks is active, the firewall will block traffic from a list of unallocated and reserved networks. This list is periodically updated by the firewall automatically.
  Warning: This option should only be used on external interfaces (WANs); it is not necessary on local interfaces and it can potentially block required local traffic.

  See Block Bogon Networks for more details on how this feature works.

10.3 IPv4 Configuration Types

Once an interface has been assigned, in most cases it will require an IP address. For IPv4 connections, the following choices are available in the IPv4 Configuration Type selector on an interface page (e.g. Interfaces > WAN):

• None
• Static IPv4
• DHCP
• PPP
• PPPoE
• PPTP
• L2TP

Each of these is described in this document.

10.3.1 None

When IPv4 Configuration Type is set to None, IPv4 is disabled on the interface. This is useful if the interface has no IPv4 connectivity or if the IPv4 address on the interface is being managed in some other way, such as for a VPN or tunnel interface.

10.3.2 Static IPv4

With Static IPv4, the interface contains a manually configured IPv4 address. When chosen, three additional fields are available on the interface configuration screen:

IPv4 Address
  The IPv4 address for the interface (e.g. 192.168.1.1).

CIDR Subnet Mask
  The CIDR Subnet Mask determines the size of the subnet to which the IPv4 Address belongs. This must match the value used by other hosts in the same subnet.

IPv4 Upstream Gateway
  An upstream gateway for IPv4 traffic, if any. Selecting a gateway here will cause the firewall to treat this interface as a WAN-type interface for NAT and related functions. See WAN vs LAN Interfaces for more information.

  Warning: Do not set a gateway for internal interfaces such as a LAN or DMZ. Only select a gateway on externally-connected interfaces such as a WAN or a private site-to-site link which the firewall should consider a WAN. Gateways may still be used on internal interfaces for the purpose of static routes without selecting an IPv4 Upstream Gateway here.
    The IPv4 Upstream Gateway field is pre-populated with existing IPv4 gateways defined under System > Routing (Gateways). The Add a new gateway button is a shortcut to create a new gateway if one does not already exist. Clicking that button displays a modal form to add the gateway without leaving this page. Fill in the details requested on the new form:

    Default Gateway
        If this is the only WAN or will be a new default WAN, check this box. The default IPv4 and IPv6 gateways work independently of one another. The two need not be on the same interface. Changing the default IPv4 gateway has no effect on the IPv6 gateway, and vice versa.

    Gateway Name
        The name used to refer to the gateway internally, as well as in places like Gateway Groups, quality graphs, and elsewhere.

    Gateway IPv4
        The IPv4 address of the gateway. This address must be inside the same subnet as the Static IPv4 address when using this form.

    Description
        A bit of text to indicate the purpose of the gateway.

10.3.3 DHCP

When an interface is set to DHCP, the operating system attempts automatic IPv4 configuration of this interface via DHCP. This option also activates several additional fields on the page. Under most circumstances these additional fields may be left blank.

Hostname
    Some ISPs require the Hostname for client identification. The value in the Hostname field is sent as the DHCP client identifier and hostname when requesting a DHCP lease.

Alias IPv4 Address
    This value is used as a fixed IPv4 alias address by the DHCP client, since a typical IP Alias VIP cannot be used with DHCP. This can be useful for accessing a piece of gear on a separate, statically numbered network outside of the DHCP scope. One example would be reaching a cable modem management IP address.

Reject Leases From
    An IPv4 address for a DHCP server that should be ignored. For example, a cable modem that hands out private IP addresses when the cable sync has been lost. Enter the private IP address of the modem here, e.g. 192.168.100.1, and the firewall will never pick up or attempt to use an IP address supplied by the specified server.

DHCP VLAN Priority
    Optionally sets a VLAN Priority tag (802.1p) on DHCP client traffic. Should only be enabled when required by an ISP and with the settings they provide.

Advanced Configuration
    Enables options to control the protocol timing. In the vast majority of cases this must be left unchecked and the options inside unchanged.

    Protocol Timing
        The fields in this area give fine-grained control over the timing used by dhclient when managing an address on this interface. These options are almost always left at their default values. For more details on what each field controls, see the dhclient man page.

    Presets
        Has several options for preset protocol timing values. These are useful as a starting point for custom adjustments or for use when the values need to be reset back to default values.

Configuration Override
    Enables a field to use a custom dhclient configuration file. The full path must be given. Using a custom file is rarely needed, but some ISPs require DHCP fields or options that are not supported by the GUI.
10.3.4 PPP Types

The various PPP-based connection types such as PPP, PPPoE, PPTP, and L2TP are all covered in detail at PPPs. When one of these types is selected here on the interfaces screen, their basic options can be changed as described there. To access the advanced options, follow the link on this page or navigate to Interfaces > Assignments on the PPPs tab, find the entry, and edit it there.

10.4 IPv6 Configuration Types

Similar to IPv4, the IPv6 Configuration Type controls if and how an IPv6 address is assigned to an interface. There are several different ways to configure IPv6 and the exact method depends on the network to which this firewall is connected and how the ISP has deployed IPv6.

Warning: Every ISP is different and large providers can even vary by region. The ISP determines IPv6 settings for a circuit, and they are the only valid source for that information. As such, this documentation does not include examples for specific providers. Contact the ISP for information about their IPv6 client settings and requirements.

The ISP should provide instructions and specific values for configuring IPv6 on their service. For example, on a circuit with a static IPv6 configuration the ISP should supply the subnet addresses and prefix values for the WAN itself, as well as for routed prefixes. Providers who require DHCPv6 should supply values for settings such as the prefix delegation size, along with any requirements they have for client behavior.

See also: For more information on IPv6, including a basic introduction, see IPv6.

10.4.1 None

When IPv6 Configuration Type is set to None, IPv6 is disabled on the interface. This is useful if the interface has no IPv6 connectivity or if the IPv6 address on the interface is being managed in some other way, such as for a VPN or tunnel interface.

10.4.2 Static IPv6

The Static IPv6 controls work identically to the Static IPv4 settings. See Static IPv4 for details.

With Static IPv6, the interface contains a manually configured IPv6 address. When chosen, three additional fields are available on the interface configuration screen: IPv6 Address, a prefix length selector, and the IPv6 Upstream Gateway field.

Note: Do not set a gateway for internal interfaces such as a LAN or DMZ. Only select a gateway on externally-connected interfaces such as a WAN or a private site-to-site link which the firewall should consider a WAN. Gateways may still be used on internal interfaces for the purpose of static routes without selecting an IPv6 Upstream Gateway here. See WAN vs LAN Interfaces for more information.
The default IPv4 and IPv6 gateways work independently of one another. The two need not be on the same interface. Changing the default IPv4 gateway has no effect on the IPv6 gateway, and vice versa.

10.4.3 DHCP6

DHCP6 configures automatic IPv6 configuration of this interface via DHCPv6. DHCPv6 will configure the interface with an IPv6 address, prefix length, DNS servers, etc., but not a gateway. The gateway is obtained via router advertisements, so this interface will be set to accept router advertisements. This is a design choice that is part of the IPv6 specification, not a limitation of this implementation. For more information on router advertisements, see Router Advertisements.

Several additional fields are available for IPv6 DHCP that do not exist for IPv4 DHCP:

Use IPv4 Connectivity as Parent Interface
    When set, the IPv6 DHCP request is sent using IPv4 on this interface, rather than using native IPv6. This is only required in special cases when the ISP requires this type of configuration.

Request only an IPv6 Prefix
    When set, the DHCPv6 client does not request an address for the interface itself; it only requests a delegated prefix.

DHCPv6 Prefix Delegation Size
    If the ISP supplies a routed IPv6 network via prefix delegation, they will publish the delegation size, which can be selected here. It is typically a value somewhere between 48 and 64. For more information on how DHCPv6 prefix delegation works, see DHCP6 Prefix Delegation.

    Note: To use this delegation, another internal interface must be set to an IPv6 Configuration Type of Track Interface (Track Interface) so that it can use the addresses delegated by the upstream DHCPv6 server.

Send IPv6 Prefix Hint
    When set, the DHCPv6 Prefix Delegation Size is sent along with the request to inform the upstream server how large a delegation this firewall wants. If an ISP allows the choice, and the chosen size is within their allowed range, the requested size will be given instead of the default size.

Debug
    When set, the DHCPv6 client is started in debug mode.

Do not wait for a RA
    Informs the operating system not to wait for a router advertisement when configuring the interface. This is required by some ISPs.

Do not allow PD/Address release
    Prevents the operating system from sending a DHCPv6 release message on exit. Some ISPs will release the allocated address or prefix when a client sends this message. With this option set, the client is more likely to receive the same allocation with subsequent requests.

DHCPv6 VLAN Priority
    Optionally sets a VLAN Priority tag (802.1p) on DHCPv6 client traffic. Should only be enabled when required by an ISP and with the settings they provide.

Advanced Configuration
    Enables a wide array of advanced tuning parameters for the DHCPv6 client. These options are rarely used, and when they are required, the values are dictated by the ISP or network administrator. See the dhcp6c.conf man page for details.

Configuration Override
    Enables a field to use a custom configuration file. The full path must be given. Using a custom file is rarely needed, but some ISPs require DHCP fields or options that are not supported in the pfSense GUI.
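The arithmetic behind the delegation size and the hexadecimal IPv6 Prefix ID that a Track Interface uses to pick its /64, as an added worked example; this is not pfSense code and it does not read the firewall's configuration. Given the prefix the ISP delegated and a prefix ID, it computes the /64 that interface receives and rejects an ID that lies outside the delegation. The delegated prefixes and IDs in it are constructed documentation values.

```python
"""Select the /64 a Track Interface receives from a DHCPv6 prefix delegation.

Added example for this section; it is not pfSense code and does not read the
firewall's configuration. The delegated prefixes and prefix IDs used here are
constructed values.
"""
import ipaddress


def available_prefix_ids(delegated: str) -> int:
    """Number of /64 networks (and therefore valid prefix IDs) in a delegation.

    A /60 yields 16 (IDs 0..f), a /56 yields 256 (IDs 0..ff), a /48 yields 65536.
    """
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; it cannot be tracked")
    return 2 ** (64 - pd.prefixlen)


def track_interface_subnet(delegated: str, prefix_id_hex: str) -> ipaddress.IPv6Network:
    """Return the /64 chosen by IPv6 Prefix ID (hexadecimal) inside a delegation.

    The /64 networks are numbered consecutively from the start of the
    delegation, so prefix ID n is the n-th /64. In a 128-bit address the /64
    network number starts at bit 64, hence the shift below.
    """
    pd = ipaddress.IPv6Network(delegated, strict=False)
    count = available_prefix_ids(delegated)
    prefix_id = int(prefix_id_hex, 16)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"prefix ID {prefix_id_hex} is out of range for {pd}: "
            f"only {count} /64 networks are available (IDs 0..{count - 1:x})"
        )
    subnet_address = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((subnet_address, 64))


if __name__ == "__main__":
    # Constructed /60 delegation: up to sixteen interfaces may each track one /64.
    delegation = "2001:db8:abcd:1230::/60"
    print(available_prefix_ids(delegation), "/64 networks available")
    for pid in ("0", "1", "f"):
        print(f"prefix ID {pid:>2} -> {track_interface_subnet(delegation, pid)}")
    try:
        track_interface_subnet(delegation, "10")  # 0x10 = 16, one past the last ID
    except ValueError as err:
        print("rejected:", err)
```

The range check is the part worth keeping: a /60 has only sixteen /64 networks, so a seventeenth tracked interface, or a typo such as prefix ID 10 (sixteen in decimal) on a /60, cannot be satisfied and is better caught before the interface is saved.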
10.4.4 SLAAC

Stateless address autoconfiguration (SLAAC) as the IPv6 type makes the operating system attempt to configure the IPv6 address for the interface from router advertisements (RA) that advertise the prefix and related information.

Note: DNS is not typically provided via RA, so the firewall will still attempt to get DNS servers via DHCPv6 when using SLAAC. The RDNSS extensions to the RA process may allow DNS servers to be obtained from RA in some cases.

For more information on router advertisements, see Router Advertisements.

This selection has one additional option:

Use IPv4 connectivity as parent interface
    When set, IPv6 requests are sent over the IPv4 connectivity layer used by this interface (e.g. PPPoE) rather than the parent interface directly. May be required by certain ISPs.

10.4.5 6RD Tunnel

6RD is an IPv6 tunneling technology employed by ISPs to quickly enable IPv6 support for their networks, passing IPv6 traffic inside specially crafted IPv4 packets between an end user router and the ISP relay. It is related to 6to4 but is intended to be used within the ISP network, using the IPv6 addresses from the ISP for client traffic.

To use 6RD, the ISP must supply three pieces of information: the 6RD prefix, the 6RD Border Relay, and the 6RD IPv4 Prefix length.

6RD Prefix
    The 6RD IPv6 prefix assigned by the ISP, such as 2001:db8::/32.

6RD Border Relay
    The IPv4 address of the ISP 6RD relay.

6RD IPv4 Prefix Length
    Controls how much of the end user IPv4 address is encoded inside of the 6RD prefix. This is normally supplied by the ISP. A value of 0 means the entire IPv4 address will be embedded inside the 6RD prefix. This value allows ISPs to effectively route more IPv6 addresses to customers by removing redundant IPv4 information if an ISP allocation is entirely within the same larger subnet.

10.4.6 6to4 Tunnel

Similar to 6RD, 6to4 is another method of tunneling IPv6 traffic inside IPv4. Unlike 6RD, however, 6to4 uses constant prefixes and relays. As such there are no user-adjustable settings for using the 6to4 option.

The 6to4 prefix is always 2002::/16. Any address inside of the 2002::/16 prefix is considered a 6to4 address rather than a native IPv6 address. Also unlike 6RD, a 6to4 tunnel can be terminated anywhere on the Internet, not only at the end user ISP, so the quality of the connection between the user and the 6to4 relay can vary widely.

6to4 tunnels are always terminated at the IPv4 address 192.88.99.1. This IPv4 address is anycasted, meaning that although the IPv4 address is the same everywhere, it can be routed regionally toward a node close to the user.

Another deficiency of 6to4 is that it relies upon other routers to relay traffic between the 6to4 network and the remainder of the IPv6 network. There is a possibility that some IPv6 peers may not have connectivity to the 6to4 network, and thus these would be unreachable by clients connecting to 6to4 relays. This could also vary depending upon the 6to4 node to which the user is actually connected.

Note: RFC 7526 deprecated the 6to4 anycast relay prefix in 2015 and public relays have largely been withdrawn, so 6to4 should be treated as a legacy option that may not work at all on a new deployment.
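How the 6RD Prefix, the customer's IPv4 address and the 6RD IPv4 Prefix Length combine into the prefix the customer can use, and how 6to4 is the fixed-parameter special case (prefix 2002::/16, whole IPv4 address embedded), as an added worked example covering both sections above. It is not pfSense code; the 6RD prefix and customer addresses are constructed from documentation ranges, and the refusal of a result smaller than a /64 is a practical check added here, not a rule of the 6RD specification.

```python
"""Derive the IPv6 prefix an end user receives from 6RD, and from 6to4.

Added example for the 6RD and 6to4 sections; it is not pfSense code. The 6RD
prefix and customer IPv4 addresses below are constructed from documentation
ranges, not values from any real ISP.
"""
import ipaddress


def sixrd_delegated_prefix(rd_prefix: str, customer_ipv4: str,
                           ipv4_prefix_len: int) -> ipaddress.IPv6Network:
    """Build the customer's 6RD delegated prefix (RFC 5969 style).

    The delegated prefix is the ISP's 6RD prefix followed by the customer's
    IPv4 address with its first ipv4_prefix_len bits removed: those bits are
    the same for every customer of the ISP and carry no information. With
    ipv4_prefix_len 0 the whole 32-bit address is embedded.
    """
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("6RD IPv4 prefix length must be between 0 and 32")
    base = ipaddress.IPv6Network(rd_prefix)
    embedded_bits = 32 - ipv4_prefix_len
    delegated_len = base.prefixlen + embedded_bits
    if delegated_len > 64:
        # Practical check added here: a LAN needs a /64 for SLAAC.
        raise ValueError(
            f"{base} plus {embedded_bits} IPv4 bits gives a /{delegated_len}, "
            "which is too small to number a LAN with a /64"
        )
    v4 = int(ipaddress.IPv4Address(customer_ipv4))
    embedded = v4 & ((1 << embedded_bits) - 1)      # keep only the low embedded_bits bits
    address = int(base.network_address) | (embedded << (128 - delegated_len))
    return ipaddress.IPv6Network((address, delegated_len))


def sixto4_prefix(customer_ipv4: str) -> ipaddress.IPv6Network:
    """6to4: prefix 2002::/16 with the whole IPv4 address embedded, so every
    public IPv4 address maps to exactly one /48."""
    return sixrd_delegated_prefix("2002::/16", customer_ipv4, 0)


if __name__ == "__main__":
    print(sixrd_delegated_prefix("2001:db8::/32", "203.0.113.7", 0))   # whole address: /64
    print(sixrd_delegated_prefix("2001:db8::/32", "203.0.113.7", 8))   # first octet dropped: /56
    print(sixto4_prefix("192.0.2.33"))                                 # 2002:c000:221::/48
```

The second call shows why the IPv4 Prefix Length matters: an ISP whose customers all sit inside one /8 can drop those eight redundant bits and hand each customer a /56 instead of a single /64 from the same 6RD prefix.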
10.4.7 Track Interface

The Track Interface choice works in concert with another IPv6 interface using DHCPv6 Prefix Delegation. When a delegation is received from the ISP, this option designates which interface will be assigned the IPv6 addresses delegated by the ISP and, in cases where a larger delegation is obtained, which prefix inside the delegation is used.

IPv6 Interface
    A list of all interfaces on the system currently set for dynamic IPv6 WAN types offering prefix delegation (DHCPv6, PPPoE, 6rd, etc.). Select the interface from the list which will receive the delegated subnet information from the ISP.

IPv6 Prefix ID
    If the ISP has delegated more than one prefix via DHCPv6, the IPv6 Prefix ID controls which of the delegated /64 subnets will be used on this interface. This value is specified in hexadecimal. For example, if the ISP supplies a /60 delegation, 16 /64 networks are available, so prefix IDs from 0 through f may be used.

For more information on how prefix delegation works, see DHCP6 Prefix Delegation.

10.5 Interface Groups

Unlike the other interfaces in this chapter, an Interface Group is not a type of interface that can be assigned. Interface groups are used to apply firewall or NAT rules to a set of interfaces on a common tab. If this concept is unfamiliar, consider how the firewall rules for OpenVPN, the PPPoE server, or the L2TP server work. There are multiple interfaces in the underlying OS, but the rules for all of them are managed on a single tab for each type.

If many interfaces of a similar function are present on the firewall that need practically identical rules, an interface group may be created to add rules to all of the interfaces at the same time. Interfaces can still have their own individual rules, which are processed after the group rules.

10.5.1 Interface Group Options

When creating or editing an Interface Group, the following options are available:

Group Name
    The name of the interface group. Has the same restrictions as the name of an interface. The name may only contain upper and lowercase letters; no numbers, spaces, or special characters.

Group Description
    An optional text description for reference.

Group Members
    A multi-select list of assigned interfaces on the firewall from which group members can be added. Add interfaces to the group by selecting them with ctrl-click (PC) or cmd-click (Mac).

10.5.2 Creating an Interface Group

To create an interface group:

• Navigate to Interfaces > Assignments, Interface Groups tab
• Click Add to create a new group
• Fill in the options as described in Interface Group Options
• Click Save
Fig. 1: Add Interface Group

10.5.3 Using an Interface Group

Interface groups each have an individual tab under Firewall > Rules to manage their rules. Figure Interface Group Firewall Rules Tab shows the firewall rule tab for the group defined in figure Add Interface Group.

Fig. 2: Interface Group Firewall Rules Tab

See also: Configuring firewall rules for information on managing firewall rules.
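Group tab rules sit between floating rules and the interface's own rules, and because interface and group rules are matched with quick, the first matching rule decides a connection; a floating rule without quick can still be overridden by a later match. The following added example models that evaluation order in Python so the consequences can be checked on sample packets; it is not pf or pfSense code, it models only interface and source-address matching, and the interface names (WAN, WAN2), the group WANGRP, the rules and the packets are all constructed. The Block private networks rule from the Reserved Networks section is modelled as a built-in rule placed ahead of user rules, which is where the firewall puts it, but its text here is an illustration rather than the pf rule the firewall generates.

```python
"""Model of the order in which the firewall evaluates user rules: floating
rules, then interface group rules, then the rules on the interface's own tab,
with pf's semantics (the last matching rule wins unless a matching rule has
quick, in which case evaluation stops at that rule).

Added example for this section; it is not pf or pfSense code. Interface
names, the group, the rules and the packets are constructed.
"""
from dataclasses import dataclass, field
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8")]

# Lower numbers are evaluated first; sorted() is stable, so order within a tab is kept.
SCOPE_ORDER = {"builtin": 0, "floating": 1, "group": 2, "interface": 3}


@dataclass
class Rule:
    scope: str                  # one of SCOPE_ORDER
    action: str                 # "pass" or "block"
    ifaces: tuple               # interfaces the rule applies to (all members for a group rule)
    src: list = field(default_factory=list)  # source networks; empty means any
    quick: bool = True          # interface and group rules are quick; floating rules only when checked
    label: str = ""


@dataclass
class Packet:
    iface: str   # interface the packet arrives on
    src: str     # source address


def matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.iface not in rule.ifaces:
        return False
    if not rule.src:
        return True
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in net for net in rule.src)


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, label) for the packet. With no match the default is block."""
    decision = ("block", "default deny")
    for rule in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break           # the first quick match is final
    return decision


def sample_rules() -> list:
    """Constructed ruleset: WAN and WAN2 are members of group WANGRP."""
    mgmt = [ipaddress.ip_network("198.51.100.0/24")]
    badnet = [ipaddress.ip_network("203.0.113.0/24")]
    return [
        Rule("builtin", "block", ("WAN",), RFC1918 + LOOPBACK, True, "Block private networks on WAN"),
        Rule("floating", "pass", ("WAN", "WAN2"), mgmt, False, "floating pass from mgmt net (no quick)"),
        Rule("group", "block", ("WAN", "WAN2"), badnet, True, "WANGRP block 203.0.113.0/24"),
        Rule("interface", "pass", ("WAN",), [ipaddress.ip_network("203.0.113.5/32")], True, "WAN pass 203.0.113.5"),
        Rule("interface", "block", ("WAN2",), mgmt, True, "WAN2 block mgmt net"),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    for pkt in (Packet("WAN", "10.1.2.3"), Packet("WAN", "203.0.113.5"),
                Packet("WAN", "198.51.100.9"), Packet("WAN2", "198.51.100.9"),
                Packet("WAN", "192.0.2.77")):
        print(f"{pkt.iface:<5} from {pkt.src:<14} -> {evaluate(rules, pkt)}")
```

Two of the sample packets show the two points that matter operationally: 203.0.113.5 is blocked on WAN even though the WAN tab has a pass rule for exactly that host, because the group's quick block matched first; and the non-quick floating pass for the management network is overridden on WAN2 by a later interface rule, which is why a floating rule meant to be authoritative needs Quick set.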
10.5.4 Group Rule Processing Order

The rule processing order for user rules is:

• Floating rules
• Interface group rules
• Rules on the interface directly

Group and interface rules are matched with quick, so the first rule that matches a connection decides its fate. For example, if a rule on the group tab matches a connection, the interface tab rules will not be consulted. Similarly, if a floating rule with Quick set matches a connection, the interface group rules will not be consulted.

The processing order prevents some combinations of rules that might otherwise be a good fit. For example, if a general blocking rule is present on the group, it cannot be overridden by a rule on a specific interface. The same applies to a pass rule: a rule on a specific interface cannot block traffic passed by a group tab rule.

10.5.5 Use with WAN Interfaces

The best practice is to not use interface groups with multiple WANs. Doing so may appear to be convenient, but the group rules do not receive the same treatment as actual WAN tab rules. For example, rules on a tab for a WAN-type interface receive reply-to, which allows pf to return traffic back via the interface from which it entered. Group tab rules do not receive reply-to, which effectively means that the group rules only function as expected on the WAN with the default gateway.

10.6 PPPs

There are four types of PPP interfaces:

• PPP for cellular and modem devices
• PPPoE for DSL or similar connections
• PPTP and L2TP for ISPs that require them for authentication

In most cases these are managed by the interface settings directly, but the settings are also available under Interfaces > Assignments on the PPPs tab.

See also:
• PPP Logs

10.6.1 Multi-Link PPP (MLPPP)

Multi-Link PPP (MLPPP) is available for any type of PPP instance by selecting multiple Link Interface entries at the same time.

Warning: MLPPP only works on multiple circuits from the same provider where the provider supports MLPPP.

MLPPP bonds multiple PPP links into a single larger aggregate channel. Unlike other multi-WAN techniques, MLPPP can utilize the full bandwidth of all links for a single connection. MLPPP also does not have the usual concerns about load balancing and failover: the MLPPP link is presented as one interface with one IP address, and if one link fails the connection functions the same but with reduced capacity.

For more information on MLPPP, see Multiple WAN Connections.
10.6.2 PPP (Point-to-Point Protocol) Interface Types

Add or edit a PPP entry as follows:

• Navigate to Interfaces > Assignments on the PPPs tab
• Click the edit icon next to an existing entry, or click Add to create a new entry
• Set the Link Type

The Link Type determines the remaining options on the page. The available link types are explained throughout the remainder of this document.

PPP (Cellular Modem)

The PPP link type is used for talking to a modem over a serial device. This can be anything from a USB modem dongle for accessing a cellular network down to an old hardware modem for dial-up access.

Note: Some cellular modems appear as Ethernet devices and not serial devices. Those are configured as regular interfaces, not as PPP devices.

See also:
• Cellular Wireless

When configuring a PPP device, the following options are available:

Link Interface
    A list of serial devices that the firewall can use to communicate with a modem. Click on a specific entry to select it for use by the firewall.

    Note: The firewall does not automatically detect the serial device for a modem. Some modems present themselves as several devices and the subdevice for the PPP line may be any of the available choices. Start with the last device, then try the first, and then the others in between if neither of those functions.

Description
    A text description of this PPP instance, for reference (e.g. VZW Modem).

Country
    The country in which this modem resides (e.g. United States). The firewall populates the Provider list based on the value of this field.

Provider
    The cellular service provider for this modem (e.g. Verizon). The firewall populates the Plan list based on the value of this field.

Plan
    The type of cellular service this modem uses from the Provider. This populates the remaining fields, where possible, with values specific to the Plan.

The remaining options can be configured manually if other values are needed, or when using an unlisted provider:

Username and Password
    The credentials used for the PPP login, if any.

Phone Number
    The number to dial at the ISP to gain access. For cellular providers this tends to be a number such as *99# or #777. For dial-up this is usually a traditional telephone number.
Access Point Name (APN)
    Some ISPs require this value to identify the service to which the client connects. Some providers use this to distinguish between consumer and business plans or legacy networks.

APN Number
    Optional setting. Defaults to 1 if the APN is set, and ignored when the APN is unset.

SIM PIN
    Security code on the SIM to prevent unauthorized use of the card.

    Warning: Do not enter anything here if the SIM does not have a PIN.

SIM PIN Wait
    Number of seconds the firewall will wait for the SIM to discover the network after the PIN is sent to the SIM. If the delay is not long enough, the SIM may not have time to initialize properly after unlocking.

Init String
    The modem initialization string, if necessary. Most modern modems do not require a custom initialization string.

    Note: Do not include AT at the beginning of the command.

Connection Timeout
    Time the firewall will wait for a connection attempt to succeed, in seconds. The default is 45 seconds.

Uptime Logging
    When checked, the firewall tracks the uptime for the connection and displays it on Status > Interfaces.

PPPoE (Point-to-Point Protocol over Ethernet)

PPPoE is a popular method of authenticating and gaining access to an ISP network, most commonly found on DSL networks, but it may also be used on fiber or other link types.

Warning: Due to limitations in the way PPPoE frames are processed by network cards, incoming PPPoE traffic is limited to a single network interface queue. As such, performance may be limited or otherwise lower than expected. See PPPoE with Multi-Queue NICs for details.

To configure a PPPoE link, start by setting Link Type to PPPoE and complete the remainder of the settings as follows:

Link Interface(s)
    A list of network interfaces the firewall can use for PPPoE. These are typically physical interfaces, but PPPoE can also work over some other interface types such as VLANs. Select one entry for normal PPPoE or multiple entries for MLPPP.

Description
    An optional text description of the PPP entry.

Username and Password
    The credentials for this PPPoE connection. The credentials will be provided by the ISP and the username is typically in the form of an e-mail address, such as mycompany@ispexample.com.

Service Name
    Left blank for most ISPs, but some ISPs require this to be set to a specific value. Contact the ISP to confirm the value if the connection does not function when left blank.

Configure NULL Service Name
    Some ISPs require clients to send a NULL value instead of a blank service name. Check this option when the ISP requires this behavior.
Periodic Reset
    Configures a pre-set time when the firewall will drop the connection and reconnect. This is rarely needed, but in certain cases it can better handle reconnections when an ISP has forced daily reconnections or similar quirky behavior.

PPTP (Point-to-Point Tunneling Protocol)

Not to be confused with a PPTP VPN, this type of PPTP interface is meant to connect to an ISP and authenticate, much the same as PPPoE. The options for a PPTP WAN are identical to the PPPoE options of the same name. Refer to the previous section for configuration information.

L2TP (Layer 2 Tunneling Protocol)

L2TP, as it is configured here, is used for connecting to an ISP that requires it for authentication as a type of WAN. L2TP works nearly identically to PPTP. Refer to the previous sections for configuration information. L2TP has one additional option not found on the other types:

Shared Secret
    A shared secret the firewall will use to authenticate the tunnel connection and encrypt L2TP control packets. May be left blank if the server does not support a shared secret.

    Warning: This must match the shared secret set on the L2TP server.

10.6.3 Advanced PPP Options

All PPP types have several advanced options in common. In most cases these settings can remain at their default values. Click Display Advanced to display these options.

Dial On Demand
    The default behavior for a PPP link is to connect immediately and to attempt to reconnect immediately when the link is lost. This behavior is described as Always On. Dial-on-Demand delays this connection attempt. When set, the firewall waits until a packet attempts to leave via this interface before making a connection attempt. Once the firewall connects, it will not automatically disconnect.

Idle Timeout
    The firewall will hold a PPP connection open indefinitely by default. A value in Idle Timeout, specified in seconds, will cause the firewall to monitor the line for activity. If there is no traffic on the link for the given amount of time, the firewall will disconnect the link. If Dial-on-Demand has also been set, the firewall will return to dial-on-demand mode.

    Note: The firewall performs gateway monitoring by default, which generates two ICMP pings per second on the interface. Idle Timeout will not function in this case. This can be worked around by editing the gateway for this PPP link and checking Disable Gateway Monitoring, at the cost of losing gateway status and failover detection for that link.

Compression (vjcomp)
    This option controls whether or not the firewall will use Van Jacobson TCP header compression for this connection. By default the firewall will negotiate this with the peer during login and enable it if both sides support the feature. Checking Disable vjcomp will disable support for this feature. This feature is beneficial because it saves several bytes per TCP data packet when possible. The best practice is to keep the option enabled unless the remote side requires it to be disabled.
    Note: This compression is ineffective for TCP connections that use modern extensions such as time stamps or SACK, which modify TCP options between sequential packets.

TCP MSS Fix
    This option causes the PPP daemon to adjust incoming and outgoing TCP SYN segments so that the requested maximum segment size (MSS) is not greater than the amount allowed by the interface MTU. This is necessary in most cases to avoid problems caused by routers which drop ICMP "Datagram Too Big" messages. Without these messages, peers cannot detect when packets attempt to cross a link which cannot carry frames of the required size.

    Consider this scenario. The originating machine sends a packet which passes through a rogue router and then reaches a router whose next link has an MTU too small for the packet. Because the IP "Don't Fragment" bit is set, that router sends an ICMP "Datagram Too Big" message back to the originator and drops the packet. The rogue router drops the ICMP message, so the originator never discovers that it must reduce its packet size or clear the "Don't Fragment" bit on its outgoing data.

    If this behavior is undesirable, check Disable tcpmssfix.

    Note: The MTU and MSS values for the interface may also be adjusted on the configuration page for the interface under the Interfaces menu, such as Interfaces > WAN (Interface Configuration).

Short Sequence (ShortSeq)
    This option is only meaningful when the firewall is negotiating MLPPP with the provider. It prescribes shorter multi-link fragment headers, saving two bytes on every frame. It is not necessary to disable this for connections that are not multi-link. If MLPPP is active and this feature must be disabled, check Disable shortseq.

Address Control Field Compression (ACFComp)
    This option only applies to asynchronous link types. It saves two bytes per frame. To disable this, check Disable ACF Compression.

Protocol Field Compression (ProtoComp)
    This option saves one byte per frame for most frames. To disable this, check Disable Protocol Compression.

PPPoE has two additional advanced options:

Multilink over single link
    When set, the firewall will use LCP multi-link extensions over a single link. This ignores the MTU/MRU settings. Only enable this if supported by the ISP.

Force MTU
    When set, overrides the MTU negotiated with the ISP with a higher value known to work on the link.

    Warning: This option violates RFC 1661 and can break connectivity. While it may result in faster speeds because larger packets can be transferred, there is no guarantee that it will continue to function if the provider makes changes.
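The adjustment that TCP MSS Fix performs on a SYN, as an added worked example: it derives the largest MSS a link MTU can carry and rewrites an oversized MSS option while leaving the other options intact. This is not mpd or pfSense code; the SYN option bytes are constructed to resemble a typical client SYN (MSS 1460, timestamps, window scale), and the header sizes assume no IP or TCP options beyond the ones being parsed.

```python
"""Clamp the TCP MSS option in a SYN so it fits the link MTU, the adjustment
that the PPP daemon's TCP MSS Fix performs.

Added example for this section; it is not mpd or pfSense code. The option
bytes below are constructed to look like a typical SYN (MSS, timestamps,
window scale).
"""
import struct

IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header
IPV6_TCP_HEADERS = 60   # 40-byte IPv6 header + 20-byte TCP header


def max_mss(mtu: int, ipv6: bool = False) -> int:
    """Largest MSS a link with this MTU can carry without fragmentation.

    PPPoE usually leaves an MTU of 1492, so 1452 for IPv4 and 1432 for IPv6.
    """
    return mtu - (IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS)


def clamp_mss_options(options: bytes, limit: int) -> bytes:
    """Return the TCP options with any MSS option (kind 2) lowered to limit.

    Options are a sequence of single-byte kinds 0 (end of list) and 1 (NOP)
    and kind/length/value entries for everything else. Malformed option data
    is rejected rather than guessed at, because a clamp that misparses one
    option would corrupt every option after it.
    """
    out = bytearray()
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list: copy padding as-is
            out += options[i:]
            break
        if kind == 1:                      # no-operation
            out.append(1)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("invalid TCP option length")
        entry = options[i:i + length]
        if kind == 2 and length == 4:      # maximum segment size
            mss = struct.unpack("!H", entry[2:4])[0]
            if mss > limit:
                entry = entry[:2] + struct.pack("!H", limit)
        out += entry
        i += length
    return bytes(out)


# Constructed SYN options: MSS 1460, NOP, NOP, timestamps, NOP, window scale 7
SAMPLE_SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"
    + b"\x01\x01"
    + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"
    + b"\x01\x03\x03\x07"
)

if __name__ == "__main__":
    limit = max_mss(1492)
    print("PPPoE IPv4 MSS limit:", limit)
    print(clamp_mss_options(SAMPLE_SYN_OPTIONS, limit).hex())
```

The clamp only ever lowers the value: a peer already advertising a smaller MSS is left alone, which is the behaviour wanted on a link where the far side may sit behind an even smaller MTU.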
10.7 GRE (Generic Routing Encapsulation)

Generic Routing Encapsulation (GRE) is a method of tunneling traffic between two endpoints without encryption. It can be used to route packets between two locations that are not directly connected and which do not require encryption. It can also be combined with a method of encryption that does not perform its own tunneling, such as IPsec in transport mode. Because GRE on its own provides neither confidentiality nor authentication, anyone who can spoof the remote address can inject packets into the tunnel, so use GRE by itself only for traffic that can tolerate exposure on the path, and pair it with IPsec otherwise.

Note: The GRE protocol was originally designed by Cisco, and it is the default tunneling mode on many of their devices.

GRE tunnels can carry either IPv4, IPv6, or both types of traffic at the same time.

10.7.1 GRE Interface Settings

Parent interface
    The interface upon which the GRE tunnel will terminate. Often this will be WAN or a WAN-type connection.

Remote Address
    The address of the remote peer. This is the address to which this firewall will send the GRE packets: the routable external address at the other end of the tunnel.

Local IPv4/IPv6 Tunnel Address
    The internal IPv4 and IPv6 address for the end of the tunnel on this firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to this address by the remote peer.

Remote IPv4/IPv6 Tunnel Address
    The IPv4 and IPv6 address used by the firewall inside the tunnel to reach the far side. Traffic destined for the other end of the tunnel must use this address as a gateway for routing purposes.

IPv4/IPv6 Tunnel Subnet
    The subnet mask or prefix length for the GRE interface address.

Add Static Route
    When set, the firewall adds an explicit static route for the remote inner tunnel address/subnet via the local tunnel address. This can help with reaching the remote subnet in cases where other route table entries may select the wrong path to that destination.

Description
    A short description of this GRE tunnel for documentation purposes.

10.7.2 GRE Interface Management

To create or manage a GRE interface:

• Navigate to Interfaces > Assignments, GRE tab

  Note: The items in this list are managed in the usual way. See Managing Lists in the GUI.

• Click Add to create a new GRE instance
• Complete the settings as described in GRE Interface Settings
• Click Save
• Navigate to Interfaces > Assignments
• Select the new GRE interface in the Available network ports list
  • 433. The pfSense Documentation, © 2023 Electric Sheep Fencing LLC and Rubicon Communications LLC • Click Add • Note the name given to the new interface (e.g. OPT1) • Navigate to Interfaces > <name> where <name> corresponds to the name of the GRE interface (e.g. OPT1) • Check Enable interface • Enter a new name for the interface in Description (optional) • Click Save Then use the interface as any other WAN-type interface. The firewall automatically creates a dynamic gateway for routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on. 10.8 GIF (Generic tunnel InterFace) A Generic Tunneling Interface (GIF) is similar to GRE; Both protocols are a means to tunnel traffic between two hosts without encryption. In addition to tunneling IPv4 or IPv6 directly, GIF may be used to tunnel IPv6 over IPv4 networks and vice versa. GIF tunnels are commonly used to obtain IPv6 connectivity to a tunnel broker such as Hurricane Electric in locations where IPv6 connectivity is unavailable. See also: See Configuring IPv6 Through A Tunnel Broker Service for information about connecting to a tunnel broker service. GIF interfaces carry more information across the tunnel than can be done with GRE, but GIF is not as widely supported. For example, a GIF tunnel is capable of bridging layer 2 between two locations while GRE cannot. GIF interfaces can carry IPv4 or IPv6 traffic, but not both at the same time. Note: Support for GIF varies by vendor, but is not as common as others like GRE. 10.8.1 GIF Interface Settings Parent interface The interface upon which the GIF tunnel will terminate. Often this will be WAN or a WAN-type connection. GIF Remote Address The address of the remote peer. This is the address where the GIF packets will be sent by this firewall; The routable external address at the other end of the tunnel. 
    For example, in an IPv6-in-IPv4 tunnel to Hurricane Electric, this would be the IPv4 address of the tunnel server, such as 209.51.181.2.

GIF tunnel local address
    The internal address for the end of the tunnel on this firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to this address by the remote peer. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Client IPv6 Address.

GIF tunnel remote address
    The address used by the firewall inside the tunnel to reach the far side. Traffic destined for the other end of the tunnel must use this address as a gateway for routing purposes. For example, when tunneling IPv6-in-IPv4 via Hurricane Electric, they refer to this as the Server IPv6 Address.

GIF Tunnel Subnet
    The subnet mask or prefix length for the interface address. Typically 64. This option is ignored with IPv6 and a 128 prefix is enforced by the kernel instead.
ECN Friendly Behavior
    The ECN friendly behavior option controls whether or not the Explicit Congestion Notification (ECN)-friendly practice of copying the TOS bit into/out of the tunnel traffic is performed by the firewall. By default the firewall clears the TOS bit on the packets or sets it to 0, depending on the direction of the traffic. With this option set, the bit is copied as needed between the inner and outer packets to be more friendly with intermediate routers that can perform traffic shaping. This behavior breaks RFC 2893, so it must only be used when both peers agree to enable the option.

Outer Source Filtering
    When set, the firewall does not automatically filter based on the outer GIF source. Leaving this unset is normally desirable, as the automatic filtering ensures a match with the configured remote peer, which is more secure. With the filtering disabled, martian and inbound filtering is not performed, which allows asymmetric routing of the outer traffic. This is less secure, but some GIF peers may source traffic in this manner.

Description
    A short description of this GIF tunnel for documentation purposes.

10.8.2 GIF Interface Configuration

To create or manage a GIF interface:

• Navigate to Interfaces > Assignments, GIF tab

  Note: The items in this list are managed in the usual way. See Managing Lists in the GUI.

• Click Add to create a new GIF instance
• Complete the settings as described in GIF Interface Settings
• Click Save
• Navigate to Interfaces > Assignments
• Select the new GIF interface in the Available network ports list
• Click Add
• Note the name given to the new interface (e.g. OPT1)
• Navigate to Interfaces > <name> where <name> corresponds to the name of the GIF interface (e.g. OPT1)
• Check Enable interface
• Enter a new name for the interface in Description (optional)
• Click Save

Then use the interface as any other WAN-type interface.
The firewall automatically creates a dynamic gateway for routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on.
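The address-family and prefix rules in GIF Interface Settings can be checked before committing an entry. The following Python script is an added example, not code from the pfSense project: it takes the settings from this section (remote peer, tunnel local and remote addresses, prefix), flags an inner address pair of mixed families, a non-routable outer peer and an out-of-range prefix, and reports the /128 the kernel enforces for IPv6. The sample configuration is constructed; 209.51.181.2 is the tunnel server address quoted above, and the 2001:db8:: addresses are documentation-prefix placeholders rather than a real broker assignment.

```python
import ipaddress

# Constructed sample for an IPv6-in-IPv4 tunnel. 209.51.181.2 is the tunnel
# server address quoted in the documentation; the 2001:db8:: addresses are
# documentation-prefix placeholders, not a real tunnel broker assignment.
SAMPLE_GIF = {
    "parent": "WAN",
    "remote": "209.51.181.2",          # GIF Remote Address (outer peer)
    "local_tunnel": "2001:db8:1::2",   # GIF tunnel local address (inner)
    "remote_tunnel": "2001:db8:1::1",  # GIF tunnel remote address (inner)
    "prefix": 64,                      # GIF Tunnel Subnet as entered in the GUI
}


def check_gif(cfg):
    """Validate a GIF tunnel definition against the rules in this section.

    Returns (problems, effective_prefix). problems is a list of strings and
    is empty when the configuration is consistent; effective_prefix is what
    the kernel will actually apply (always 128 for an IPv6 inner address).
    """
    problems = []
    remote = ipaddress.ip_address(cfg["remote"])
    local_in = ipaddress.ip_address(cfg["local_tunnel"])
    remote_in = ipaddress.ip_address(cfg["remote_tunnel"])

    # The outer peer must be a routable external address.
    if not remote.is_global:
        problems.append("remote peer %s is not a routable address" % remote)

    # A single GIF carries IPv4 or IPv6 inside, never both at once.
    if local_in.version != remote_in.version:
        problems.append("tunnel local/remote addresses are different families")

    # Both ends of the inner link need distinct addresses.
    if local_in == remote_in:
        problems.append("tunnel local and remote addresses are identical")

    # Prefix range depends on the inner family; the kernel forces /128 for IPv6.
    prefix = cfg["prefix"]
    max_prefix = 128 if local_in.version == 6 else 32
    if not 1 <= prefix <= max_prefix:
        problems.append("prefix %d out of range for IPv%d" % (prefix, local_in.version))
    effective = 128 if local_in.version == 6 else prefix
    return problems, effective


def describe_gif(cfg):
    """One-line summary of what the tunnel carries and over which parent."""
    outer = ipaddress.ip_address(cfg["remote"]).version
    inner = ipaddress.ip_address(cfg["local_tunnel"]).version
    return "IPv%d-in-IPv%d tunnel via %s to %s" % (inner, outer, cfg["parent"], cfg["remote"])


if __name__ == "__main__":
    print(describe_gif(SAMPLE_GIF))
    print(check_gif(SAMPLE_GIF))
```

The effective prefix returned for the sample is 128 even though 64 was entered, which is the behaviour the GIF Tunnel Subnet setting describes; mixing an IPv6 local tunnel address with an IPv4 remote tunnel address is reported as a problem because one GIF cannot carry both families.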
10.9 LAGG (Link Aggregation)

Link aggregation is handled by lagg(4) type interfaces (LAGG) on pfSense® software. LAGG combines multiple physical interfaces together as one logical interface. There are several ways this can work, either for gaining extra bandwidth, redundancy, or some combination of the two.

Note: LACP will only work across multiple switches if the switches are stackable.

10.9.1 LAGG Interface Settings

When creating or editing a LAGG interface, the following settings are available:

Parent Interfaces
    This list contains all currently unassigned interfaces, plus members of the current LAGG interface when editing an existing instance. To add interfaces to this LAGG, select one or more interfaces in this list.

    Note: An interface may only be added to a LAGG group if it is not assigned. If an interface is not present in the list, it is likely already assigned as an interface.

LAGG Protocol
    The operating modes for LAGG interfaces are: LACP, Failover, Load Balance, Round Robin, and None.

    LACP
        The most commonly used LAGG protocol. This mode supports IEEE 802.3ad Link Aggregation Control Protocol (LACP) and the Marker Protocol. In LACP mode, negotiation is performed with the switch, which must also support LACP, to form a group of ports that are all active at the same time. This is known as a Link Aggregation Group, or LAG. The speed and MTU of each port in a LAG must be identical and the ports must also run at full-duplex. If link is lost to a port on the LAG, the LAG continues to function but at reduced capacity. In this way, an LACP LAGG bundle can gain both redundancy and increased bandwidth. Traffic is balanced between all ports on the LAG; however, for communication between two single hosts it will only use one single port at a time, because the client will only talk to one MAC address at a time.
        For multiple connections through multiple devices, this limitation effectively becomes irrelevant. The limitation is also not relevant for failover.

        In addition to configuring this option on the firewall, the switch must enable LACP on these ports or have the ports bundled into a LAG group. Both sides must agree on the configuration in order for it to work properly.

        LACP Timeout Mode
            Controls how often the firewall sends LACP PDUs. An LACP timeout occurs when three consecutive PDUs are missed.

            Slow
                Default. LACP PDUs are sent every 30 seconds. A timeout occurs after 90 seconds.
            Fast
                LACP PDUs are sent every second. A timeout occurs after 3 seconds.

    Failover
        When using the Failover LAGG protocol, traffic will only be sent on the primary interface of the group. If the primary interface fails, then traffic will use the next available interface.
        Note: By default, traffic may only be received by the active interface. Create a system tunable for net.link.lagg.failover_rx_all with a value of 1 to allow traffic to be received on every member interface.

        Failover mode has one additional option:

        Failover Primary Interface
            This option sets the primary interface for failover mode, or auto to allow the firewall to select the primary interface automatically. In auto mode, the first selected interface in the list is primary. Each non-primary interface is eligible for use in failover if the primary fails.

    Load Balance
        Load Balance mode accepts inbound traffic on any port of the LAGG group and balances outgoing traffic on any active ports in the LAGG group. It is a static setup that does not monitor the link state nor does it negotiate with the switch. Outbound traffic is load balanced based on all active ports in the LAGG using a hash computed from several factors, such as the source and destination IP address, MAC address, and VLAN tag.

    Round Robin
        This mode accepts inbound traffic on any port of the LAGG group and sends outbound traffic using a round robin scheduling algorithm. Typically this means that traffic will be sent out in sequence, using each interface in the group in turn.

    None
        This mode disables traffic on the LAGG interface without disabling the interface itself. The OS will still believe the interface is up and usable, but no traffic will be sent or received on the group.

Description
    A short note about the purpose of this LAGG instance.

10.9.2 LAGG Interface Configuration

To create or manage LAGG interfaces:

• Navigate to Interfaces > Assignments, LAGGs tab
• Click Add to create a new LAGG, or click the edit icon to edit an existing instance
• Complete the settings as described in LAGG Interface Settings
• Click Save

After creating a LAGG interface, it works like any other physical interface.
Assign the LAGG interface under Interfaces > Assignments and give it an IP address, or build other things on top of it such as VLANs.

Note: If the only purpose of the LAGG interface is to carry VLANs, it does not need to be assigned.
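To see why a single host pair stays on one member while many hosts spread across the group, the Python example below imitates the static hash that Load Balance mode is described as using over the source and destination MAC and IP addresses and the VLAN tag. It is an added example, not pfSense or FreeBSD code: lagg(4) has its own hash function, so only the behaviour is modelled (identical header fields always select the same member and transport ports play no part), with SHA-256 standing in for the real hash and a constructed four-member group igb0 to igb3.

```python
import hashlib
from collections import Counter

# Constructed four-member LAGG; the real selection is done by lagg(4) in the
# kernel with its own hash, this only reproduces the selection behaviour.
PORTS = ["igb0", "igb1", "igb2", "igb3"]


def lagg_hash_port(src_mac, dst_mac, src_ip, dst_ip, vlan=0, sport=0, dport=0, ports=PORTS):
    """Select the member port for a flow from the L2/L3 header fields the
    documentation lists. sport/dport are accepted only to make the point that
    they are NOT part of the key: two TCP sessions between the same pair of
    hosts land on the same member regardless of their ports."""
    key = "|".join([src_mac, dst_mac, src_ip, dst_ip, str(vlan)])
    digest = hashlib.sha256(key.encode()).digest()
    return ports[int.from_bytes(digest[:4], "big") % len(ports)]


def ports_used(flows, ports=PORTS):
    """Count how many flows landed on each member port."""
    return Counter(lagg_hash_port(*flow, ports=ports) for flow in flows)


def single_host_pair(sessions=50):
    """Many sessions between one firewall MAC and one upstream gateway MAC
    (constructed addresses), each with a different source port."""
    flows = [("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.2", "10.0.0.1",
              0, 40000 + i, 443) for i in range(sessions)]
    return ports_used(flows)


def many_hosts(n=200):
    """Many distinct client MACs/IPs behind the firewall talking to one gateway."""
    flows = [("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), "00:11:22:33:44:ff",
              "10.0.%d.%d" % (i >> 8, i & 0xFF), "10.0.0.1", 0, 50000, 443)
             for i in range(n)]
    return ports_used(flows)


if __name__ == "__main__":
    print("one host pair :", dict(single_host_pair()))
    print("many hosts    :", dict(many_hosts()))
```

The first case always shows a single member carrying every session, which is the throughput limit described for firewall-to-gateway traffic; the second spreads the flows because each client contributes a different MAC and IP to the hash key.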
10.9.3 LAGG and Traffic Shaping

Due to limitations in FreeBSD, lagg(4) does not support altq(4), so it is not possible to use the traffic shaper on LAGG interfaces directly. vlan(4) interfaces support altq(4), and VLANs can be used on top of LAGG interfaces, so using VLANs can work around the problem. As an alternate workaround, Limiters can control bandwidth usage on LAGG interfaces.

10.9.4 LAGG Throughput

Using a LAGG does not necessarily guarantee full throughput equal to the sum of all interfaces. In particular, a single flow will not exceed the throughput of a LAGG member interface. Traffic on a LAGG is hashed in such a way that flows between two hosts, such as this firewall and an upstream gateway, would only use a single link since the flow is between a single MAC address on each side. In networks where many hosts communicate with different MAC addresses, the usage can approach the sum of all interfaces in the LAGG.

10.10 QinQ Configuration

QinQ, also known as IEEE 802.1ad or stacked VLANs, is a means of nesting VLAN tagged traffic inside of packets that are already VLAN tagged, or “double tagging” the traffic.

See also:
• Virtual LANs (VLANs)

QinQ is used to move groups of VLANs over a single link containing one outer tag, as can be found on some links between locations from ISPs or datacenters. QinQ can be a quick and easy way of trunking VLANs across locations without having a trunking-capable connection between the sites, provided the infrastructure between the locations does not strip tags from the packets.

10.10.1 QinQ Interface Settings

When creating or editing a QinQ interface entry, the following options are available:

Parent Interface
    The interface that will carry the QinQ traffic.

First level tag
    The outer VLAN ID on the QinQ interface, or the VLAN ID given by the provider for the site-to-site link.
Adds interface to QinQ interface groups
    When checked, a new interface group will be created called QinQ that can be used to filter all of the QinQ subinterfaces at once. When hundreds or potentially thousands of QinQ tags are present, this greatly reduces the amount of work needed to use the QinQ interfaces.

Description
    Optional text for reference, used to identify the entry.

Member(s)
    Member VLAN IDs for QinQ tagging. These can be entered one per row or in ranges such as 100-150. Click Add Tag to add another line for more tags or ranges.
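The Member(s) rows accept single tags or inclusive ranges such as 100-150. The Python parser below is an added example, not part of pfSense: it expands those rows into a sorted list of VLAN IDs, rejects malformed rows and IDs outside 1-4094, and derives the nested interface names in the form the QinQ example uses (igb3.2000.10). The parent name and tag values in the test are constructed.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # valid 802.1Q VLAN ID range
ROW_RE = re.compile(r"(\d+)(?:-(\d+))?")


def parse_qinq_members(rows):
    """Expand the Member(s) rows of a QinQ entry into a sorted list of VLAN IDs.

    Each row is a single tag ("10") or an inclusive range ("100-150"), the two
    forms the GUI accepts. Duplicates across rows are collapsed. Raises
    ValueError for a malformed row, a reversed range or an out-of-range ID.
    """
    tags = set()
    for row in rows:
        row = row.strip()
        m = ROW_RE.fullmatch(row)
        if not m:
            raise ValueError("malformed tag or range: %r" % row)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError("range start exceeds end: %r" % row)
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError("VLAN ID outside %d-%d: %r" % (VLAN_MIN, VLAN_MAX, row))
        tags.update(range(low, high + 1))
    return sorted(tags)


def qinq_interface_names(parent, first_level_tag, rows):
    """Return the nested interface names for a QinQ entry, e.g. igb3.2000.10,
    following the <parent>.<first level tag>.<member tag> naming shown in the
    QinQ example."""
    if not VLAN_MIN <= first_level_tag <= VLAN_MAX:
        raise ValueError("first level tag outside %d-%d" % (VLAN_MIN, VLAN_MAX))
    return ["%s.%d.%d" % (parent, first_level_tag, tag)
            for tag in parse_qinq_members(rows)]


if __name__ == "__main__":
    # Constructed entry matching the QinQ example: igb3, outer tag 2000, VLANs 10 and 20.
    print(qinq_interface_names("igb3", 2000, ["10", "20"]))
```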
10.10.2 QinQ Interface Configuration

Setting up QinQ interfaces is fairly simple:

• Navigate to Interfaces > Assignments
• Click the QinQ tab
• Click Add to add a new QinQ entry
• Configure the QinQ entry as described in QinQ Interface Settings
• Click Save to complete the interface

10.10.3 QinQ Example

In the following example (Figure QinQ Basic Example), a QinQ interface is configured to carry tagged traffic for VLANs 10 and 20 across the link on igb3 with a first level tag of 2000.

Fig. 3: QinQ Basic Example

In Figure QinQ List, this entry is shown on the QinQ tab summary list. The automatic interface group, shown in Figure QinQ Interface Group, must not be manually edited. Because these interfaces are not assigned, it is not possible to make alterations to the group without breaking it. To re-create the group, delete it from this list and then edit and save the QinQ instance again to add it back.

Rules may be added to the QinQ tab under Firewall > Rules to pass traffic in both directions across the QinQ links.
Fig. 4: QinQ List

Fig. 5: QinQ Interface Group

From here, how the QinQ interfaces are used is mostly up to the needs of the network. Typically the resulting interfaces are assigned and then configured in some way, or bridged to their local equivalent VLANs (e.g. bridge an assigned igb2.10 to igb3.2000.10 and so on). The QinQ configuration will be roughly the same on both ends of the setup. For example, if both sides use identical interface configurations, then traffic that leaves Site A out on igb3.2000.10 will go through VLAN 2000 on igb3, come out the other side on VLAN 2000 on igb3 at Site B, and then in igb3.2000.10 at Site B.

10.11 Integrated Switches

Certain models of hardware sold by Netgate have integrated switches. These switches can be configured in a variety of ways, with multiple ports on the same network or with each port on a separate network. The default configuration of the switch and the procedure to change that configuration varies by model. Models with integrated switches include:

• Netgate 7100
• Netgate 3100
• Netgate 2100
• Netgate 1100

See also:
• Virtual LANs (VLANs)
• Bridging
• Wireless

pfSense® software supports numerous types of network interfaces, either using physical interfaces directly or by employing other protocols such as PPP or VLANs. Interface assignments and the creation of new virtual interfaces are all handled under Interfaces > Assignments.
10.12 Physical and Virtual Interfaces

Most interfaces discussed in this chapter can be assigned as WAN, LAN, or an OPT interface under Interfaces > Assignments. All currently-defined and detected interfaces are listed directly on Interfaces > Assignments or in the list of interfaces available for assignment. By default, this list includes only the physical interfaces, but the other tabs under Interfaces > Assignments can create virtual interfaces which can then be assigned.

Interfaces support various combinations of options. They can also support multiple networks and protocols on a single interface, or multiple interfaces can be bound together into a larger capacity or redundant virtual interface.

All interfaces are treated equally; every interface can be configured for any type of connectivity or role. The default WAN and LAN interfaces can be renamed and used in other ways. Physical interfaces and virtual interfaces are treated the same once assigned, and have the same capabilities. For example, a VLAN interface can have the same type of configuration that a physical interface can have. Some interface types receive special handling once assigned, which is covered in their respective sections of this chapter.

This section covers the various types of interfaces that can be created, assigned, and managed.

10.13 Switches

Some Netgate Appliances sold in the Netgate Store contain built-in switches which can be configured in the GUI under Interfaces > Switches. Documentation for the switch configuration can vary by model, and may be found in the Netgate Product Manuals which match a given product.

10.14 Limitations

While the firewall does not impose any limits on the number of interfaces, large numbers of interfaces may function in suboptimal ways.
For example, the firewall may take much longer to configure interfaces and the GUI may have rendering issues with large numbers of tabs or menu entries.

Most hardware will accommodate as many physical interfaces as can fit into the case. Issues may vary from driver to driver but generally are hardware-related and not the result of the operating system or pfSense software.

Note: With a large number of physical interfaces, the number of mbufs will likely need to be increased. See Hardware Tuning and Troubleshooting.

Physical limitations aside, significant numbers of virtual interfaces such as VLANs, LAGGs, VPNs, and more may be added to the firewall. These types of interfaces tend to outnumber physical interfaces, especially VLANs. Issues reported by users with large numbers of interfaces (physical and virtual) vary by hardware, configuration, and browser. These issues tend to increase as the number of interfaces approaches 200. Should a particular environment require more than 128 interfaces, consider alternate designs that do not involve using all of the interfaces on the firewall directly. If the firewall must handle large numbers of interfaces, be wary of potential performance and GUI concerns.
CHAPTER ELEVEN

USER MANAGEMENT AND AUTHENTICATION

11.1 Default Username and Password

The default credentials for a pfSense® software installation are:

Username
    admin
Password
    pfsense

11.2 Privileges

Managing privileges for users and groups is done similarly, so both will be covered here rather than duplicating the effort. Whether a user or group is managed, the entry must be created and saved first before privileges can be added to the account or group.

To add privileges, edit an existing user or group and click Add in the Assigned Privileges or Effective Privileges section. The GUI presents a list of all available privileges. Privileges may be added one at a time by selecting a single entry, or by multi-select using ctrl-click or cmd-click. If other privileges are already present on the user or group, they are hidden from this list so they cannot be added twice.

To search for a specific privilege by name, enter the search term in the Filter box and click Filter.

Selecting a privilege will show a short description of its purpose in the information block area under the permission list and action buttons.

Most of the privileges are self-explanatory based on their names, but a few notable permissions are:

WebCfg - All Pages
    Grants the user access to any page in the GUI.
WebCfg - Dashboard (all)
    Grants the user access to the dashboard page and all of its associated functions (widgets, graphs, etc.).
WebCfg - System: User Password Manager Page
    If the user has access to only this page, they can login to the GUI to set their own password but do nothing else.
User - VPN - IPsec xauth Dialin
    Allows the user to connect and authenticate for IPsec xauth.
User - Config - Deny Config Write
    Prevents the user from making changes to the firewall configuration (config.xml).
    Warning: This does not prevent the user from taking other actions that do not involve writing to the configuration.

User - System - Shell account access
    Grants the user the ability to login over SSH, though the user will not have root-level access so functionality is limited. A package for sudo is available to enhance this feature.

After login, the firewall will attempt to display the dashboard. If the user does not have access to the dashboard, the GUI will forward the user to the first page in their privilege list to which they have access.

Menus on the firewall only contain entries for which privileges exist on a user account. For example, if the only Diagnostics page that a user has access to is Diagnostics > Ping, then no other items will be displayed in the Diagnostics menu.

11.3 Manage Local Users

The Users tab under System > User Manager is where individual users are managed.

Note: The admin user cannot be deleted and its username may not be changed.

11.3.1 Creating and Editing Users

The first step is always to add the user and save. Privileges can only be added to existing users; they cannot be added when creating a new user.

Tip: If multiple users need the same privileges, the most efficient method is to add a group and then add users to the group.

To add a new user:

• Navigate to System > User Manager
• Click Add

To edit an existing user:

• Navigate to System > User Manager
• Click on the row containing the user
11.3.2 User Settings

When creating or editing a user, the following options are available:

Disabled
    This checkbox controls whether this user will be active. To deactivate this account, check the option.

Username
    Sets the login name for the user. This field is required, must be 16 characters or less, and may only contain letters, numbers, and a period, hyphen, or underscore.

Password / Confirm Password
    The password for this user. Ensure the two fields match to confirm the password.

    Note: Passwords are stored in the configuration as hashes, not plain text.

Full Name
    Optional field which can be used to enter a longer name or a description for this user account.

Expiration Date
    Optional date at which the firewall will automatically deactivate this user account. The date must be entered in MM/DD/YYYY format.

Custom Settings
    Enables options for per-user custom GUI settings. See Per-user GUI Options and Dashboard Layout for details.

Group Memberships
    If one or more groups exist on the firewall (Manage Local Groups), this control can add the user as a member.

    To add a group for this user:

    • Click the group name in the Not Member Of column
    • Click the arrow button to move it to the Member Of column

    To remove a group from the user:

    • Click the group name in the Member Of column
    • Click the arrow button to move it to the Not Member Of column

Effective Privileges
    A list of privileges this user has, either directly assigned or inherited by group membership. Appears only when editing an existing user, not when creating a user. Privileges assigned to the user may be edited by these controls, but group privileges cannot. Group privileges must be managed on the group.

    See also: See Privileges for information on managing privileges.

Certificate
    Certificates associated with this user account. The behavior of this section changes depending on whether the page is creating a new user or editing an existing user.
    This section is disabled if there are no internal certificate authorities defined on the firewall capable of signing a certificate.

    To create a certificate while adding a user:

    • Check Click to create a user certificate
    • Fill in the Descriptive name
    • Choose a Certificate Authority
    • Select a Key Type and Key Length
    • Select a Digest Algorithm
    • Enter a Lifetime

    See also: For more information on these parameters, see Create an Internal Certificate.

    When editing a user, this section of the page instead becomes a list of certificates associated with this user account.

    To create a certificate for an existing user:

    • Click Add
    • Fill in the settings on the page as described in Create an Internal Certificate (some data is pre-filled)

    To associate an existing certificate with this user:

    • Set Method to Choose an Existing Certificate
    • Select an entry from the Existing Certificate list
    • Click Save

Authorized SSH keys
    Public keys for SSH and SCP authentication. To add a key, paste or enter in the key data. Multiple keys are allowed, one per line.

    Warning: Only enter authorized keys into this field. Do not add them to files in user home directories. Those files will be overwritten by the GUI the next time account information is synchronized to disk (e.g. at boot time).

IPsec Pre-Shared Key
    Pre-Shared Key (PSK) for this user to connect to a non-xauth Pre-Shared Key mobile IPsec setup. If a PSK is entered here, the username is used as the identifier. The PSK is also displayed under VPN > IPsec on the Pre-Shared Keys tab.

    Note: This field has no effect for IKEv2 or xauth mobile IPsec.

Keep Command History
    If this user has shell access, this option preserves the last 1000 unique commands entered at a shell prompt between login sessions. The user can access history using the up and down arrows at an SSH or console shell prompt and search the history by typing a partial command and then using the up or down arrows.
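The Username and Expiration Date constraints above (and the identical 16-character rule that Group Settings applies to Local-scope group names) are worth checking before scripting account creation against the firewall. The following Python is an added example, not pfSense code; it treats an account as inactive from the expiration date onward, which is an assumption that simplifies the GUI's exact boundary handling, and the sample names and dates are constructed.

```python
import re
from datetime import datetime

# Rules quoted from the Username setting: 16 characters or less; only letters,
# numbers, period, hyphen and underscore. Local-scope group names share them.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_NAME_LEN = 16


def validate_local_name(name):
    """Return a list of problems with a username or Local-scope group name;
    an empty list means the name is acceptable to the GUI."""
    problems = []
    if not name:
        problems.append("name is required")
    if len(name) > MAX_NAME_LEN:
        problems.append("name longer than %d characters" % MAX_NAME_LEN)
    if name and not NAME_RE.match(name):
        problems.append("name may only contain letters, numbers, '.', '-' and '_'")
    return problems


def parse_expiration(text):
    """Parse the Expiration Date field (MM/DD/YYYY). Returns a date, or None
    when the field is blank, meaning the account never expires.
    datetime.strptime raises ValueError for any other layout, e.g. DD/MM/YYYY
    with a day above 12."""
    text = text.strip()
    if not text:
        return None
    return datetime.strptime(text, "%m/%d/%Y").date()


def account_active(disabled, expiration_text, today):
    """Mirror the two ways an account stops being usable: the Disabled
    checkbox, or the expiration date having been reached. Assumption: the
    account is inactive from the expiration date itself onward."""
    if disabled:
        return False
    expires = parse_expiration(expiration_text)
    return expires is None or today < expires


if __name__ == "__main__":
    # Constructed sample accounts.
    for name in ("fw.admin-01", "this_name_is_far_too_long", "bad name!"):
        print(name, validate_local_name(name))
    print(account_active(False, "12/31/2025", parse_expiration("06/01/2025")))
```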
Per-user GUI Options and Dashboard Layout

Each user can have their own settings for various GUI options and their dashboard layout. To enable this for a user, check the Custom Settings box when adding or editing the user. When that option is active, additional GUI options for the user are present on the user account page. Additionally, the user can have their own personal dashboard layout, starting from the system-wide layout.

Choose the other GUI options desired for the user such as theme, top navigation, host name in menu, dashboard columns, show/hide associated panels, left column labels and browser tab text.

Tip: Users with the WebCfg - System: User Settings privilege may adjust their own GUI options. Users in the admin group already have this privilege.

A user with Custom Settings enabled and the User Settings privilege will have the menu option System > User Settings. The user can select this to change the GUI options for their account.

When a user with Custom Settings adds, moves or removes dashboard widgets, the custom dashboard layout is saved in the preferences for only that user.

11.4 Manage Local Groups

Groups manage sets of user privileges so they do not need to be maintained individually on every user account. For example, a group can be used for IPsec xauth users, a group that can access the firewall dashboard, a group of firewall administrators, or many other possible scenarios using any combination of privileges.

Groups are managed under System > User Manager on the Groups tab.

Note: The all and admins groups cannot be deleted.

11.4.1 Groups and Remote Authentication

When working with group privileges while authenticating against LDAP and RADIUS (Authentication Servers), local groups must exist with names that exactly match groups from the server.
For example, if an LDAP group named firewall_admins exists, then the firewall must also contain an identically named group, firewall_admins, with the desired privileges. If a user attempts to authenticate against a remote authentication server and there are no matching groups, the user will not have any privileges from groups, and cannot access resources which require privileges.

11.4.2 Creating and Editing Groups

As with users, the first step is to add the group and save. Privileges can only be added to existing groups; they cannot be added when creating a new group.

To add a new group:

• Navigate to System > User Manager, Groups tab
• Click Add
To edit an existing group:

• Navigate to System > User Manager, Groups tab
• Click on the row containing the group

11.4.3 Group Settings

Group name
    The name of the group. For groups in the Local scope, this setting has the same restrictions as a username: it must be 16 characters or less and may only contain letters, numbers, and a period, hyphen, or underscore. Groups in the Remote scope do not have strict name restrictions; for example, they may have longer names.

Scope
    The scope in which this group is available for use.

    Note: LDAP and RADIUS groups can match names in both local and remote scopes.

    Local
        Groups on the firewall itself, such as those for use in the shell, filesystem, and other local uses. These groups are added to the operating system, so they are subject to naming restrictions imposed there.
    Remote
        Groups from remote sources, such as authentication servers (RADIUS or LDAP). These groups are not exposed to the operating system, and thus are only available for use in the GUI and other similar uses not involving the operating system layer. This scope has relaxed name restrictions; for example, group names may be longer and may contain spaces.

Description
    Optional free-form text for reference and to better identify the purpose of the group in case the Group name is not sufficient.

Group Memberships
    This set of controls defines which existing users will be members of the new group. Firewall users are listed in the Not Members column by default.

    To add a user to this group:

    • Click the user name in the Not Members column
    • Click the arrow button to move it to the Members column

    To remove a user from this group:

    • Click the user name in the Members column
    • Click the arrow button to move it to the Not Members column

Assigned Privileges
    A list of privileges assigned to this group. Appears only when editing an existing group.
    See also: See Privileges earlier in this chapter for information on managing privileges.
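The interaction between Privileges, group membership and the exact-name matching that Groups and Remote Authentication requires can be modelled in a few lines. The Python below is an added example, not pfSense code: it parses the semicolon-separated RADIUS Class string the firewall expects (the format given under RADIUS Groups in Authentication Servers), keeps only returned groups that exist locally under an identical name (case-sensitive comparison is an assumption made here), and computes the effective privilege set as the union of direct and inherited privileges. The local group table is constructed from privilege names quoted in this chapter.

```python
# Constructed local group table: name -> (scope, privileges). The privilege
# names are the ones quoted in the Privileges section of this chapter.
LOCAL_GROUPS = {
    "admins":   ("local",  {"WebCfg - All Pages"}),
    "VPNUsers": ("remote", {"User - VPN - IPsec xauth Dialin"}),
    "readonly": ("remote", {"WebCfg - Dashboard (all)",
                            "User - Config - Deny Config Write"}),
}


def parse_class_attribute(value):
    """Split the RADIUS Class reply attribute into group names.

    The firewall expects a semicolon-separated string such as
    "admins;VPNUsers". A bytes value models a server returning the attribute
    as binary, which the documentation says will not work, so it is rejected.
    """
    if isinstance(value, (bytes, bytearray)):
        raise TypeError("Class attribute must be returned as a string, not binary")
    return [g.strip() for g in value.split(";") if g.strip()]


def match_remote_groups(remote_groups, local_groups=LOCAL_GROUPS):
    """Keep only remote group names that have an identically named local
    group. Assumption: matching is exact and case-sensitive."""
    return [g for g in remote_groups if g in local_groups]


def effective_privileges(direct, groups, local_groups=LOCAL_GROUPS):
    """Union of directly assigned privileges and those inherited from each
    group membership, as the Effective Privileges list presents them."""
    privs = set(direct)
    for g in groups:
        privs |= local_groups[g][1]
    return privs


def remote_login_privileges(class_value, direct=(), local_groups=LOCAL_GROUPS):
    """Privileges a remotely authenticated user ends up with: only groups that
    also exist locally contribute, so no matching group means no group
    privileges at all."""
    matched = match_remote_groups(parse_class_attribute(class_value), local_groups)
    return effective_privileges(direct, matched, local_groups)


if __name__ == "__main__":
    print(remote_login_privileges("admins;VPNUsers"))
    print(remote_login_privileges("firewall_admins"))  # no local match -> empty set
```

Running the last call with a group name that is not defined locally returns an empty set, which is exactly the "cannot access resources which require privileges" outcome described in 11.4.1; the fix on the firewall side is to create a group with the matching name rather than to change the server.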
11.5 Authentication Servers

The firewall can use RADIUS and LDAP servers to authenticate users from remote sources. User Manager Support contains information on which areas of the firewall support these servers.

To add a new server:

• Navigate to System > User Manager, Authentication Servers tab
• Click Add

To edit an existing server, click the edit icon next to its entry on the same page.

Each type of authentication server is covered in the following documents.

11.5.1 RADIUS Authentication Servers

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly supported by a wide variety of networking equipment for user authentication, authorization, and accounting (AAA). Servers are commonly available as well, including FreeRADIUS and Active Directory via NPS.

Though most areas on pfSense® software which support RADIUS now integrate their RADIUS settings via the user manager, a few remain which use separate settings, such as the PPPoE and L2TP servers.

See also:
• Controlling Client Parameters via RADIUS

Warning: Secure the link between the firewall and the RADIUS server. If the server is local, use a trusted management network. If the server is remote, communicate only over VPN tunnels. Some RADIUS protocols transmit passwords in plain text, and though others attempt to protect the password in other ways, other aspects of the protocol are not encrypted and may contain sensitive information.

RADIUS Configuration

Descriptive name
    The name for this RADIUS server. This name will be used to identify the server throughout the GUI.

Protocol
    The protocol used by the firewall when performing RADIUS requests. May be one of:

    PAP
        Password Authentication Protocol. Sends passwords unencrypted, and is considered weak. It is more widely supported than other methods, and may be required by specific features (e.g. mOTP).
        Warning: Due to its security deficiencies, avoid using PAP where possible.

    MD5-CHAP
        Challenge-Handshake Authentication Protocol using MD5 hashing. The RADIUS server sends a challenge value and the client responds with a hash of the challenge value and the password together. More secure than PAP as it does not transmit passwords in the clear, but both parties must know the plain text of the password.
    MS-CHAPv1
        A Microsoft variation of CHAP where neither side needs to know the plain text of the password. Though it is generally more secure, it has other known weaknesses which make it vulnerable to attack.
    MS-CHAPv2
        An updated variation of MS-CHAPv1. It is used in EAP as well as 802.1x/WPA Enterprise for wireless. However, it also has known weaknesses.

    Note: Certain RADIUS features may require specific modes. For example, mOTP typically requires PAP since it reads the password in the clear to separate the PIN and OTP code. Services utilizing EAP typically use MS-CHAPv2.

Hostname or IP address
    The address of the RADIUS server. This can be a fully qualified domain name or an IPv4 IP address.

    Warning: The RADIUS client on the firewall does not currently support IPv6.

Shared Secret
    The password established for this firewall on the RADIUS server software.

Services offered
    This selector sets which services are offered by this RADIUS server.

    Authentication
        The firewall will use this RADIUS server to authenticate users.
    Accounting
        The firewall will send RADIUS start/stop accounting packet data for login sessions if supported in the area where it is used.
    Authentication and Accounting
        The server will be used for both types of actions.

Authentication port
    Only appears if an Authentication mode is chosen. Sets the UDP port where RADIUS authentication will occur. The default RADIUS authentication port is 1812.

Accounting port
    Only appears if an Accounting mode is chosen. Sets the UDP port where RADIUS accounting will occur. The default RADIUS accounting port is 1813.

Authentication Timeout
    Controls how long, in seconds, the RADIUS server may take to respond to an authentication request. If left blank, the default value is 5 seconds.
    If an interactive two-factor authentication system is in use, increase this timeout to account for how long it will take the user to receive and enter a token, which can be 60-120 seconds or more if it must wait for an external action such as a phone call, SMS message, etc.

RADIUS NAS IP Attribute
    Sets the value the firewall will send in the RADIUS request NAS-IP-Address attribute. This value is used by the RADIUS server to identify this firewall. The server can use this value to make authentication decisions, or to denote which node users were authenticated by in accounting data.

    In most cases, the NAS-IP-Address value does not matter so long as it is unique to this firewall. However, more complicated RADIUS environments may use this attribute to let the server make more informed decisions about users logging into different services. For example, if there are multiple Captive Portal instances on the firewall, multiple RADIUS server entries can be created, each using the specific interface address for a given portal. The RADIUS server could then choose to only let certain sets of users login to each portal.
Adding a RADIUS Server

To add a new RADIUS server:

• Add the firewall as a client on the RADIUS server
• Navigate to System > User Manager, Authentication Servers tab
• Click Add
• Set the Type selector to RADIUS

  The GUI will change the form to display RADIUS Server Settings

• Fill in the fields as described in RADIUS Configuration
• Click Save to create the server
• Navigate to Diagnostics > Authentication to test the RADIUS server using a valid account.

RADIUS Groups

There are two requirements for RADIUS groups to function properly:

• The RADIUS server must return a list of groups in the Class RADIUS reply attribute as a string.
• The same groups must exist locally (Manage Local Groups)

Multiple groups returned by the RADIUS server in the Class attribute must be separated by a semicolon. For example, in FreeRADIUS, to return the admins and VPNUsers groups, use the following Reply-Item RADIUS Attribute:

Class := "admins;VPNUsers"

If the RADIUS server returns the group list properly for a user, and the groups exist locally, then the groups will be listed in the results when using the Diagnostics > Authentication page to test an account. If the groups do not show up when testing, ensure the groups exist in the Group Manager with matching names and that the server is returning the Class attribute as a string, not binary.

11.5.2 LDAP Authentication Servers

Though Lightweight Directory Access Protocol (LDAP) is technically a repository for user information, it also supports mechanisms for user authentication via bind operations. There are many popular user directory implementations which use LDAP, including Active Directory, OpenLDAP, FreeIPA, and more.

Note: LDAP server implementations and schemas vary widely. As such, there are no complete and specific examples in this document.
LDAP Configuration

Hostname or IP address
    The address of the LDAP server. This can be a fully qualified domain name, an IPv4 IP address, or an IPv6 IP address.

    Note: If this LDAP server uses SSL, the value of this field must match the certificate presented by the LDAP server. Typically this means it must be a hostname which resolves to the IP address of the LDAP server, but the specific requirements depend on the contents of the server certificate. For example, with a value of ldap.example.com in this field, the server certificate must include an FQDN value of ldap.example.com, and ldap.example.com must resolve to 192.168.1.5. One exception to this is if the IP address of the server also happens to be listed in the server certificate.

    This can be worked around in some cases by creating a DNS host override to make the server certificate hostname resolve to the correct IP address if they do not match in this network infrastructure and they cannot be easily fixed.

Port value
    This setting specifies the port on which the LDAP server is listening for LDAP queries. The default port is 389 for Standard TCP and STARTTLS, and 636 for SSL. This field is updated automatically with the proper default value based on the selected Transport.

    Note: When using port 636 for SSL, the firewall uses an ldaps:// URL, not STARTTLS. Ensure that the LDAP server is listening on the correct port with the correct mode.

Transport
    This setting controls which transport method will be used by the firewall to communicate with the LDAP server.

    Warning: LDAP queries will contain sensitive data, such as usernames, passwords, and other information about the user. The best practice is for the firewall to use encryption when communicating with the LDAP server, if the LDAP server supports it. Both SSL/TLS and STARTTLS will encrypt traffic between the firewall and the LDAP server.
    Standard TCP (Default)
        Plain unencrypted TCP connections on port 389. This is not secure, but is widely supported and also useful for debugging with packet captures. Do not use this protocol across untrusted networks.

    STARTTLS Encrypted
        Connects using TCP port 389 but negotiates encryption with the server using STARTTLS.

        Note: Not all LDAP servers support STARTTLS; check the LDAP server documentation and configuration.

    SSL/TLS Encrypted
        Connects using SSL/TLS on TCP port 636 to encrypt LDAP queries.

        Note: Not all LDAP servers support SSL/TLS; check the LDAP server documentation and configuration.
Peer Certificate Authority
    The CA chosen with this selector is used by the firewall to validate the LDAP server certificate when Transport is set to SSL/TLS Encrypted or STARTTLS Encrypted mode. The selected CA must match the CA which signed the LDAP server certificate, otherwise validation will fail. If the LDAP server is using a globally trusted certificate (e.g. Let’s Encrypt or another public CA), choose Global Root CA List.

    See Certificate Authority Management for more information on creating or importing CAs.

Client Certificate (Plus only)
    This certificate is sent to the LDAP server to identify this client when using an encrypted transport mode. If the LDAP server requires a client certificate, the server will use this certificate to ensure that the firewall is authorized to make LDAP queries. This certificate must be issued by the CA used by the LDAP server to validate connecting clients.

Protocol version
    Chooses which version of the LDAP protocol is employed by the LDAP server, either 2 or 3, typically 3.

Server Timeout
    The time, in seconds, after which LDAP operations are considered as failed. Using a lower value will allow the GUI to try other authentication sources faster when the server fails. If the LDAP server is slow or overloaded, a larger value can help the firewall accept delayed responses.

Search scope
    Determines where, and how deep, an LDAP search will be performed to locate a match.

    Level
        Controls the depth of the LDAP search.

        One Level
            Search only one level, defined by the Authentication Containers.

        Entire Subtree
            Search the entire subtree of the directory, starting with the Authentication Containers.

            Tip: This is typically the best choice, and is nearly always required for Active Directory configurations.

    Base DN
        Controls where the search will start. Typically set to the root of the LDAP structure, e.g. DC=example,DC=com

Authentication containers
    A list of potential account locations or containers, separated by semicolons. These containers will be prepended to the Base DN above when the firewall crafts LDAP queries. Alternately, specify a full container path here and leave the Base DN blank.

    Tip: If the LDAP server supports it, and the bind settings are correct, click Select a container to browse the LDAP server and select containers from a list.

    Some examples of containers are:

    • CN=Users;DC=example;DC=com

      This searches for users inside of the domain component example.com, a common syntax for Active Directory

    • CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com

      This searches in two different locations, the second of which is restricted to the OtherUsers organizational unit.

Extended Query
    Specifies an extra restriction to query after the username, which allows group membership to be used as a filter. This must include both the item to search as well as the method of searching. For example, a restriction based on group membership would use memberOf. Check the LDAP server documentation for information on forming such queries.
    To set an extended query, check the box and fill in the Query value with a filter such as:

    memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com

Bind credentials
    Controls how this LDAP client will attempt to bind to the server.

    Note: Active Directory typically requires the use of bind credentials and may need a service account or administrator-equivalent depending on the server configuration. Consult Windows documentation to determine which is necessary in a specific environment.

    Bind Anonymous (Default)
        When checked the firewall will use anonymous binds. When unchecked the GUI presents the Bind Credentials fields.

    Bind Credentials (User DN/Password)
        When Bind Anonymous is unchecked, the credentials in these fields are used by the firewall to make authenticated binds when performing a query. The User DN may be a username or a full DN, depending on what the LDAP server requires.

Attributes

Initial Template
    This option only appears when initially creating an LDAP server entry. It pre-fills the remaining options on the page with common defaults for a given type of LDAP server. The choices include OpenLDAP, Microsoft AD, and Novell eDirectory.

User naming attribute
    The attribute used to identify the name of a user, most commonly cn or samAccountName.

Group naming attribute
    The attribute used to identify a group, such as cn.

Group member attribute
    The attribute of a user that signifies it is the member of a group, such as member, memberUid, memberOf, or uniqueMember.

RFC2307 Groups
    Specifies how group membership is organized on the LDAP server. When unset (default), the queries assume the server uses Active Directory style group membership (RFC 2307bis) where groups are listed as an attribute of the user object. When checked, queries use RFC 2307 style group membership where the users are listed as members on the group object.
    Note: In this mode the Group member attribute will typically be set to memberUid, but may vary by LDAP schema.

RFC2307 User DN
    When set, queries include the user DN when searching for groups.

Group Object Class
    Specifies the object class of RFC 2307 style groups. Typically posixGroup but it may vary by LDAP schema. Not necessary for Active Directory style groups.

Shell Authentication Group DN
    The LDAP group DN for users allowed to login via SSH. This is used with the Shell Authentication option on the Settings tab to allow LDAP users to login via SSH. To login via SSH, users must be a member of this group and have valid posixAccount attributes in their LDAP account.

UTF8 Encode
    When checked, queries to the LDAP server are encoded for UTF-8 and the responses are decoded from UTF-8. Support varies depending on the LDAP server. Generally only necessary if user names, groups, passwords, and other attributes contain UTF-8 or international style accented characters.
Username Alterations
    When unchecked, a username given as user@hostname will have the @hostname portion stripped so only the username is sent in the LDAP bind request. When checked, the username is sent in full.

Allow Unauthenticated Bind
    When set, bind requests with empty passwords will be rejected locally. Some LDAP servers, specifically Microsoft Active Directory, will accept unauthenticated bind requests and treat them as successful.

    Warning: This behavior must be disabled on the LDAP server where possible. Allowing requests to succeed with an empty password is a significant security risk and it affects any device or service authenticating against an LDAP server. Though this option allows the firewall to reject such authentication attempts, other LDAP clients may not offer the same choice. Disabling the feature on the server is the most secure means of correcting the problem. Consult the LDAP server documentation for information on disabling this behavior.

Adding an LDAP Server

To add a new LDAP server:

• Make sure that the LDAP server can be reached by the firewall
• Import the Certificate Authority used by the LDAP server before proceeding if using SSL/TLS or STARTTLS encryption

  See Certificate Authority Management for more information on creating or importing CAs.
• Navigate to System > User Manager, Authentication Servers tab
• Click Add
• Set the Type selector to LDAP

  The GUI will change the form to display LDAP server settings

• Fill in the fields as described previously in LDAP Configuration
• Click Save to create the server
• Visit Diagnostics > Authentication to test the LDAP server using a valid account

LDAP Groups

There are two requirements for LDAP groups to function properly:

• The LDAP authentication settings must match the group membership style used by the LDAP server
• The same groups must exist locally (Manage Local Groups)

If the LDAP query returns the group list properly for a user, and the groups exist locally, then the groups will be listed in the results when using the Diagnostics > Authentication page to test an account. If the groups do not show up, ensure they exist in the Group Manager with matching names and that the proper group structure is present on the LDAP authentication server entry (e.g. RFC 2307 options).

See also:

• Hangouts Archive to view the August 2015 Hangout on RADIUS and LDAP.
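The LDAP fields described in LDAP Configuration translate into a small set of bind and search parameters. The following Python is an added example, not code from pfSense: it models those settings as plain data (the field names, sample DNs and the local empty-password check are assumptions; containers are split on semicolons, so the AD shorthand form with semicolons inside one path is not modeled) and shows the search bases, user filter and group lookup the firewall would send for one login, with RFC 4515 escaping so a username cannot alter the filter.

```python
"""Derive the LDAP requests implied by User Manager LDAP settings (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LdapSettings:
    # Assumed mirror of the LDAP authentication server form (subset of fields).
    base_dn: str = "DC=example,DC=com"
    containers: str = "CN=Users"              # Authentication containers, ';' separated
    user_attr: str = "samAccountName"         # User naming attribute
    group_attr: str = "cn"                    # Group naming attribute
    member_attr: str = "memberOf"             # Group member attribute
    extended_query: Optional[str] = None      # e.g. memberOf=CN=VPNUsers,...
    rfc2307: bool = False                     # RFC2307 Groups checked
    rfc2307_user_dn: bool = False             # RFC2307 User DN checked
    group_object_class: str = "posixGroup"    # Group Object Class
    username_alterations: bool = False        # send user@host unchanged when True
    reject_empty_password: bool = True        # local unauthenticated-bind guard


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input must not change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def normalize_username(settings: LdapSettings, username: str) -> str:
    """Username Alterations unchecked: strip the @hostname part before binding."""
    if settings.username_alterations:
        return username
    return username.split("@", 1)[0]


def search_bases(settings: LdapSettings) -> List[str]:
    """Prepend each container to the Base DN, or use it alone if Base DN is blank."""
    bases = []
    base = settings.base_dn.strip()
    for container in settings.containers.split(";"):
        container = container.strip()
        if container:
            bases.append(f"{container},{base}" if base else container)
    return bases


def user_filter(settings: LdapSettings, username: str) -> str:
    """Filter locating the user object, AND-ed with the Extended Query if set."""
    base = f"({settings.user_attr}={escape_filter_value(username)})"
    if settings.extended_query:
        return f"(&{base}({settings.extended_query}))"
    return base


def group_lookup(settings: LdapSettings, username: str,
                 user_dn: Optional[str] = None) -> Tuple[str, str]:
    """Return (filter, attribute) whose values are the user's group names."""
    if settings.rfc2307:
        # RFC 2307: members are listed on the group object, so search the groups.
        member = user_dn if settings.rfc2307_user_dn and user_dn else username
        flt = (f"(&(objectClass={settings.group_object_class})"
               f"({settings.member_attr}={escape_filter_value(member)}))")
        return flt, settings.group_attr
    # Active Directory style (RFC 2307bis): groups are an attribute of the user.
    return user_filter(settings, username), settings.member_attr


def plan_login(settings: LdapSettings, username: str, password: str) -> Optional[dict]:
    """All request parameters for one login, or None when rejected locally."""
    if password == "" and settings.reject_empty_password:
        # Never forward an empty password to a server that may accept it as a bind.
        return None
    name = normalize_username(settings, username)
    return {
        "bind_name": name,
        "bases": search_bases(settings),
        "user_filter": user_filter(settings, name),
        "group_lookup": group_lookup(settings, name),
    }


if __name__ == "__main__":
    ad = LdapSettings(extended_query="memberOf=CN=VPNUsers,CN=Users,DC=example,DC=com")
    print(plan_login(ad, "alice@example.com", "secret"))
```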
• External User Authentication Examples

11.6 Settings

The Settings tab in the User Manager controls how the firewall authenticates users for the GUI and SSH.

Session Timeout
    This field specifies how long a GUI login session will last when idle. This value is specified in minutes, and the default is four hours (240 minutes). A value of 0 may be entered to disable session expiration, making the login sessions valid forever. A shorter timeout is better, though it should be long enough that an active administrator would not be logged out unintentionally while making changes.

    Warning: Allowing a session to stay valid when idle for long periods of time is insecure. If an administrator leaves a terminal unattended with a browser window open and logged in, someone or something else could take advantage of the open session.

Authentication Server
    This selector chooses the primary authentication source for users logging into the GUI. This can be a RADIUS or LDAP server, or the default Local Database.

    Note: If the RADIUS or LDAP server is unreachable, the authentication will fall back to Local Database even if another method is chosen.

Password Hash Algorithm
    Selects which algorithm the firewall will use when creating hashes for passwords in user manager accounts. May be one of the following choices:

    bcrypt - Blowfish-based crypt
        Secure password hashing with a crypt algorithm based on Blowfish. The most secure option currently available.

        Note: This hashing algorithm is restricted to a maximum password length of 72 characters.

    SHA-512 - SHA-512-based crypt
        Secure password hashing with a crypt algorithm based on SHA-512. Weaker than bcrypt but still has an acceptable level of security in many environments. Some users may prefer SHA-512-based crypt hashes for compatibility or compliance purposes.
Shell Authentication
    When set, the selected Authentication Server will also be configured as the authentication source for SSH access to the firewall. By default, only accounts in the User Manager with shell privileges can login over SSH. This works with both RADIUS and LDAP servers, with some caveats:

    RADIUS Servers
        When used with a RADIUS server, accounts must exist on the firewall with the same names and the expected privileges. They will authenticate against RADIUS but use the local account settings otherwise.

    LDAP Servers
        When used with an LDAP server, the Shell Authentication Group DN must be set on the LDAP Authentication Server entry. Users must be a member of that group and have valid posixAccount attributes in their LDAP account.
Auth Refresh Time
    Time in seconds for which the firewall caches authentication results. The default is 30 seconds, maximum 3600 (one hour). Shorter times result in more frequent queries to authentication servers.

    The firewall periodically re-authenticates users against the remote server to ensure the account is still valid and has the expected privileges. Checking frequently is more secure, but puts a larger burden on the authentication server and can increase page load times on the firewall.

11.6.1 Remote Authentication Servers and Privileges

When using a RADIUS or LDAP server for GUI authentication, the users and/or group memberships must be defined in the firewall in order to properly allocate permissions, as there is no method to obtain permissions dynamically from an authentication server.

For group membership to work properly, the firewall must be able to recognize the groups as presented by the authentication server. This requires two things:

• The local groups must exist with identical names (Manage Local Groups).
• The firewall must be able to locate or receive a list of groups from the authentication server.

See Authentication Servers for details specific to each type of authentication server.

11.7 Logging Out of the GUI

To end a GUI login session navigate to System > Logout or close the browser window. Sessions will automatically expire if they are idle for longer than the Session Timeout defined on System > User Manager, Settings tab. The default session timeout is 4 hours (240 minutes) of idle time.
See also:

• Sudo Package
• External User Authentication Examples
• Granting Users Access to SSH
• Accessing the Firewall Filesystem with SCP
• Authenticating Users with Google Cloud Identity
• Troubleshooting Authentication
• Troubleshooting Access when Locked Out of the Firewall

The User Manager in pfSense® software provides the ability to create and manage multiple user accounts. These accounts can be used to access the GUI, use VPN services like IPsec and OpenVPN, and use the Captive Portal.

The User Manager is located at System > User Manager. From there users, groups, and servers may be managed, and settings that govern the behavior of the User Manager may be changed. The User Manager can also be used to define external authentication sources such as RADIUS and LDAP.

See also: Hangouts Archive to view the February 2015 Hangout on User Management and Privileges, and the August 2015 Hangout on RADIUS and LDAP.
11.8 User Manager Support

As of this writing, not all areas of the firewall hook back into the User Manager.

GUI
    Supports users in the User Manager, and via RADIUS or LDAP. Groups or Users from RADIUS or LDAP require definitions in the local User Manager to manage their access permissions.

SSH/SCP
    Supports users from the User Manager, and via RADIUS or LDAP. Requires a special privilege granted to users or groups.

IPsec
    Supports users in the User Manager, RADIUS or LDAP via User Manager for Xauth, and RADIUS for IKEv2 with EAP-RADIUS.

OpenVPN
    Supports users in the User Manager, RADIUS or LDAP via User Manager.

Captive Portal
    Supports local users, RADIUS, or LDAP via User Manager.

L2TP
    Supports users in the L2TP settings, and via RADIUS in the L2TP settings.

PPPoE Server
    Supports users in the PPPoE settings, and via RADIUS in the PPPoE settings.
CHAPTER TWELVE

CERTIFICATE MANAGEMENT

12.1 Certificate Properties

Certificate authority and certificate entries have several properties in common. The common properties of both types are covered here.

12.1.1 Keys

The public and private keys of the certificate are used for cryptographic operations.

Key Type
    Certificate key type can be either RSA or ECDSA (Elliptic Curve Digital Signature Algorithm).

    RSA
        RSA keys are more common and well-supported than ECDSA, as well as having some performance benefits.

        Key Length
            When using RSA keys, the security is proportional to the key size. Larger keys are more secure, but they also take longer to generate and are slower to use. RSA performance decreases rapidly as the key size increases. The best practice is to not use keys smaller than 2048 bits where possible. Legacy and embedded systems may not support larger keys.

    ECDSA
        ECDSA is a newer method, and is not as widely adopted. Its main advantage is that it can use smaller keys to provide equivalent levels of security to RSA. ECDSA is slower at verifying signatures than RSA, but scales better.

        Curve Name
            There are a variety of ECDSA curves available, but only a few have been confirmed to work with various services on the firewall. The services which support each curve are noted in the list. Pick the curve based on which services will use this certificate authority or certificate.

12.1.2 Digest Algorithm

Digest Algorithms, also known as Message Digest Algorithms and Hash Algorithms, are used to create a fixed-length hash of content for signing. The larger the hash, the stronger it is and the less likely it is to be susceptible to collisions which compromise the integrity of the hash. The current best practice is to use a minimum of SHA-256.
Warning: Though the GUI still contains support for SHA-1, it is considered weak and should not be used. Rare exceptions can be made for legacy systems which do not support stronger hashes.

12.1.3 Lifetime

The Lifetime of a certificate authority or certificate determines the length, in days, for which the certificate is valid. Shorter lifetimes are more secure, but require more work as the certificates must be renewed or replaced more frequently.

See also: Renew or Reissue a CA or Certificate.

For certificate authorities, a longer lifetime such as 3650 days (10 years) is acceptable.

Certificates for users typically also have a long lifetime, but specific values depend largely on the needs of an organization. The GUI defaults to 3650 days for User Certificates, but a better practice is to use a lower value when practical.

Server certificates have stricter requirements for their lifetime. The current accepted maximum lifetime for server certificates is 398 days. Most browsers and other software will no longer accept new server certificates with longer lifetimes.

Note: Another special case is server certificates obtained using ACME from Let’s Encrypt. These only have a lifetime of 90 days, but since they are automatically replaced well before they expire, there is little extra administrative overhead once the initial setup is complete.

12.1.4 Distinguished Name

The entity to which a certificate authority or certificate belongs, also known as the Subject, is identified by the unique components of the certificate. The primary component for this purpose is the Distinguished Name (DN). These are typically filled in with an organization’s information, or in the case of an individual, personal information. This information is mostly cosmetic, and used to verify the accuracy of the CA, and to distinguish one CA from another.
A DN is composed of several fields which contain information about the subject. Only the Common Name is required; the other fields may be left blank.

Warning: A DN with less unique information has the potential to be misidentified later when comparing certificate subjects. Always fill in enough information to uniquely identify the subject.

Common Name
    A short name, such as a username or hostname. Do not use spaces or punctuation, other than that which is typically found in a hostname.

    Note: This name is not used directly for certificate validation on modern systems, which look at Subject Alternative Name values instead.

Country Code
    The two letter ISO country code for the certificate subject location.
    Note: The ISO country code is not the same as the hostname TLD code for a country.

State or Province
    The geographical state or province name for the certificate subject location. This value should be spelled out, not using an abbreviation or code.

City
    The city for the certificate subject location.

Organization
    The name of the organization to which the subject belongs. For example, a company name, government agency name, or similar.

Organizational Unit
    A division or department inside the organization, if any. For example, “IT Department” or “Accounting”.

Note: When creating a certificate, the GUI populates most of these fields with the values from the certificate authority chosen for signing. The contents of the fields may be changed before performing the signing operation.

12.1.5 Subject Alternative Name

The Subject Alternative Name (SAN) list is only present on certificates. It contains information used to validate the identity of the certificate. For example, when connecting to a device on the network, a system may compare the hostname or IP address to which it connected with values in the certificate SAN list. This way, it can be sure it is communicating with the intended host and not an impostor.

Note: The Common Name value from a certificate is automatically added to the SAN list internally, as its inclusion is a requirement of current standards.

The following types of SAN entries can be added to a certificate:

FQDN or Hostname
    A fully qualified domain name (e.g. host.domain.tld) or a hostname (host). In most cases this hostname would also exist in DNS. In the case of user certificates, this could also be a username.

IP Address
    An IP address (e.g. x.x.x.x), typically an address found on a network device using this certificate. Necessary for clients to properly validate the certificate when connecting by IP address instead of by hostname.
URI
    A Uniform Resource Identifier for the certificate subject. In practice, only used as an alternate way to determine the hostname when communicating with servers. It does not restrict certificate validity to specific URIs on a server.

E-mail Address
    An e-mail address for the certificate subject.
12.1.6 Certificate Properties in Lists

When viewing the lists of CA and certificate entries, the properties of the entry are available in the Distinguished Name column. The DN is printed there and additional detailed information is available from the icon.

Underneath that information, the GUI prints the start and end dates for the validity of the entry. The difference between the start and end date is the Lifetime. When an entry is nearing expiration, the GUI highlights the end date in yellow. When an entry is expired, it is red. The system also generates notifications for expiring certificates.

See also: The certificate expiration warning threshold is 27 days by default, but can be customized. See Notifications for details.

12.2 Certificate Authority Management

Certificate Authority (CA) entries are managed from System > Cert Manager, on the CAs tab.

See also: Renew or Reissue a CA or Certificate

12.2.1 Certificate Authority Settings

When creating a CA entry, the following options are available:

Trust Store
    Controls whether or not this CA is added to the certificate trust store on the firewall. When added to the trust store, a CA will be considered valid for all certificate operations performed by the operating system. If the firewall must contact a server using a certificate issued by a private CA, this allows such certificates to be trusted by client programs such as LDAP authentication, SMTP notifications, URL table connections, and many others.

Randomize Serial
    Controls whether or not the CA will randomize serial numbers when it signs certificates or if it will use a sequential serial number. The current best practice is to randomize serial numbers so they are unpredictable.
    This also reduces the chances of generating two certificates with the same serial number in circumstances where the CA is moved between different hosts or signs certificates in multiple places.

Common Properties
    See Certificate Properties which covers the remaining fields on the page.

When importing or editing an existing CA entry, the following options are available:

Certificate Data
    The PEM-encoded certificate data for the CA. Certificate data is typically contained in a file ending with .crt or .pem. It would be plain text, and enclosed in a block such as:

    -----BEGIN CERTIFICATE-----
    [A bunch of random-looking base64-encoded data]
    -----END CERTIFICATE-----

    The format varies slightly for ECDSA certificates.

Certificate Private Key
    The PEM-encoded private key for the CA. If this is omitted, the CA cannot sign certificates or CRLs, but it can be used for other purposes. When empty, the CA is marked as “External”. The key can be filled in later to enable signing and to have the CA treated as “Internal”.
    The key data is typically in a file ending in .key. It would be plain text data enclosed in a block such as:

    -----BEGIN RSA PRIVATE KEY-----
    [A bunch of random-looking base64-encoded data]
    -----END RSA PRIVATE KEY-----

    The format varies slightly for ECDSA keys.

Next Certificate Serial
    The serial number of the next certificate, used when the CA is not set to randomize serial numbers. It is essential that each certificate have a unique serial, or there will be problems later with certificate revocation. If the next serial is unknown, attempt to estimate how many certificates have been made from the CA, and then set the number high enough that a collision would be unlikely.

12.2.2 Create a new Certificate Authority Entry

To create a new CA entry, start the process as follows:

• Navigate to System > Cert Manager, CAs tab
• Click Add to create a new CA
• Enter a Descriptive name for the CA

  This is used as a label for this CA throughout the GUI.

• Select the Method that best suits how the CA will be generated

  Create an Internal Certificate Authority
      Creates a new root CA. Fill in the settings as described in Certificate Authority Settings.

  Import an Existing Certificate Authority
      Imports a CA certificate created on another host, with or without a private key. This can be useful in two ways: One, for CAs made using another system, and two, for CAs made by others that must be trusted. Fill in the settings as described in Certificate Authority Settings.

      Note: If the CA has been signed by an intermediary and not directly by a root CA, then import each entry in the chain separately, starting with the root CA.

  Create an Intermediate Certificate Authority
      Creates a new intermediate CA, to be signed by another internal CA on this firewall.
Pick an existing internal CA for the Signing Certificate Authority and fill in the remaining settings as described in Certificate Authority Settings. If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct the errors, and attempt to Save again. 12.2. Certificate Authority Management 458
12.2.3 Edit a Certificate Authority

To edit an existing CA:

• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click the icon at the end of its row

The edit screen presented by the GUI allows editing the fields as if the CA were being imported. For information on the fields on this screen, see Certificate Authority Settings.

In most cases the purpose of this screen is to add the CA to the trust store, correct the Serial of the CA if needed, or add a key to an imported CA so it can be used to create and sign certificates and CRLs.

12.2.4 Export a Certificate Authority

To export a CA:

• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click the icon at the end of its row to export the CA certificate.
  The file will download with the descriptive name of the CA as the file name, with the extension .crt.
• Click the icon to export the private key for the CA if necessary
  The file will download with the descriptive name of the CA as the file name, with the extension .key.

In most cases the private key for a CA should not be exported unless the CA is being moved to a new location or a backup is being made. When using the CA for a VPN or most other purposes, only export the certificate for the CA and do not export the key.

Warning: If the private key for a CA gets into the wrong hands, the other party could generate new certificates that would be considered valid against the CA.

12.2.5 Remove a Certificate Authority

To remove a CA, first it must be removed from active use.

• Check areas that can use a CA, such as OpenVPN, IPsec, and packages.

  Note: In most cases, the areas using a CA are noted in the In Use column of the CA list. This does not necessarily include all areas, especially if the CA is used by a package.

• Remove entries utilizing the CA or select a different CA
• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click the icon at the end of the row for the CA
• Click OK on the confirmation dialog

12.2.6 Renew a Certificate Authority

To renew a CA entry:

• Navigate to System > Cert Manager, CAs tab
• Locate the CA entry in the list
• Click the icon at the end of the row for the CA
• Follow the rest of the renewal procedure as described in Renew or Reissue a CA or Certificate

12.3 Certificate Management

Certificates are managed from System > Cert Manager, on the Certificates tab.

When creating a certificate on any platform the process generally follows this flow:

• The user creates a certificate signing request (CSR) and a set of keys. The public key is part of the CSR, but the private key is separate.
• The user transmits only the CSR to the CA, not the private key, which remains private to the user.
• The CA signs the CSR, which results in a certificate.
• The CA transmits the certificate to the user.

The user now has a certificate trusted by the CA, and the private key for the certificate.

The GUI handles most of this process automatically, but it also supports performing individual steps separately. For example, when creating an internal certificate, there is no need to create and sign a CSR in separate steps; the GUI automates that process and does both in one step. Aside from that, the GUI supports creating a CSR which can be sent to a separate CA, and it also supports signing CSRs.

12.3.1 Certificate Settings

When creating a certificate entry or working with a CSR, the following common options are available:

Common Properties
    See Certificate Properties which covers properties of most certificate entries.

Certificate Type
    Sets the intended purpose of this certificate. This influences which key usage properties are set in the certificate and thus limits the ways in which the certificate can operate.

    Warning: The certificate can only be used for purposes which match the selected type. Attempting to use it in other ways will produce errors and fail, or prevent the certificate from being shown for selection.

    User Certificate
        Certificates for end users and clients. For example, IPsec and OpenVPN client certificates.

        Note: User type certificates include Extended Key Usage attributes indicating they may be used for client authentication. They are also marked with a constraint indicating that they are not a CA.

    Server Certificate
        Certificates for servers, services, daemons, etc. For example, HTTPS servers (GUI, Captive Portal, HAProxy, etc), IPsec IKEv2 mobile server, OpenVPN servers, and packages such as FreeRADIUS.

        Note: Server type certificates include Extended Key Usage attributes indicating they may be used for server authentication, as well as the OID 1.3.6.1.5.5.8.2.2, which is used by Microsoft to signify that a certificate may be used as an IKE intermediate. These are required for Windows 7 and later to trust the server certificate for use with certain types of VPNs. They are also marked with constraints indicating that they are not a CA, and they have nsCertType set to server.

Alternative Names
    Identifiers for this certificate, such as a hostname. See Subject Alternative Name for details.

When importing an existing certificate entry, the following options are available:

Certificate Data
    The PEM-encoded certificate data for the certificate. Certificate data is typically contained in a file ending with .crt or .pem. It is plain text, enclosed in a block such as:

        -----BEGIN CERTIFICATE-----
        [A bunch of random-looking base64-encoded data]
        -----END CERTIFICATE-----

    The format varies slightly for ECDSA certificates.

Private Key Data
    The PEM-encoded private key for the certificate. The key data is typically in a file ending in .key. It is plain text enclosed in a block such as:

        -----BEGIN RSA PRIVATE KEY-----
        [A bunch of random-looking base64-encoded data]
        -----END RSA PRIVATE KEY-----

    The format varies slightly for ECDSA keys.
12.3.2 Create a new Certificate

To create a new certificate, start the process as follows:

• Navigate to System > Cert Manager, Certificates tab
• Click Add to create a new certificate
• Enter a Descriptive name for the certificate
  This is used as a label for this certificate throughout the GUI.
• Select the Method that best suits how the certificate will be generated
  These options and further instructions are in the corresponding sections below:
  – Create an Internal Certificate
  – Import an Existing Certificate
  – Create a Certificate Signing Request
  – Sign a Certificate Signing Request
• Complete the steps for the chosen method
• Click Save to finish the process

Create an Internal Certificate

The most common Method is Create an Internal Certificate. This makes a new certificate using one of the existing certificate authorities.

• Select the Certificate Authority which will sign this certificate.
  Only a CA that has a private key present can appear in this list, as the private key is required for the CA to sign a certificate.
• Set the properties of the certificate as described in Certificate Settings.
• Click Save.

Import an Existing Certificate

To import an existing certificate from an external source, set Method to Import an Existing Certificate. This can be useful for certificates made using another system or for certificates provided by a third party.

There are two ways to import a certificate, indicated by the Certificate Type option:

X.509 (PEM)
    Enter the Certificate data and Private key data, which are both required. See Certificate Settings for details on populating the contents of the fields.

    The most common error is not pasting in the right portion of the certificate or private key. Make sure to include the entire block, including the beginning header and ending footer around the encoded data.

PKCS #12 (PFX)
    This method reads the certificate data from a PKCS #12 file, commonly found with a .p12 extension. If the .p12 file contains a CA, it is also imported along with the certificate, provided it does not already exist locally.

    PKCS #12 Certificate
        Click Browse to locate the .p12 file on the local client. It will be uploaded and read when saving.

    PKCS #12 Certificate Password
        Enter the password used to protect the contents of the .p12 file.

    Intermediates
        When set, if the PKCS #12 file contains multiple CA entries in a chain, this option imports all of them instead of only one.
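As an added example, not part of the pfSense documentation or code base, the following Python script performs the checks an administrator might run before pasting data into the import fields above: it verifies that a pasted PEM block is complete (header, body and footer), extracts the serial number from a certificate, and suggests a Next Certificate Serial while flagging duplicate serials among already-issued certificates. The certificates it parses are constructed minimal DER stand-ins carrying only the leading fields of a real certificate; all function names are the example's own.

```python
import base64
import re

# PEM labels the Cert Manager import fields in this chapter accept.
PEM_LABELS = {"CERTIFICATE", "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
              "CERTIFICATE REQUEST", "X509 CRL"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("DER data truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds available data: block is truncated")
    return tag, pos, pos + length


def parse_pem(text: str):
    """Validate one pasted PEM block and return (label, DER bytes); raise ValueError otherwise."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no complete PEM block: paste the BEGIN header through the END footer")
    begin, body, end = m.groups()
    if begin != end:
        raise ValueError(f"header/footer mismatch: BEGIN {begin} vs END {end}")
    if begin not in PEM_LABELS:
        raise ValueError(f"unsupported PEM label {begin!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError subclass
        raise ValueError("body is not valid base64; part of the block is missing") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    _, _, outer_end = read_tlv(der, 0)     # raises if the length field overruns the data
    if outer_end != len(der):
        raise ValueError("trailing data after the DER SEQUENCE")
    return begin, der


def certificate_serial(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version -> serialNumber and return the serial."""
    _, cert_start, _ = read_tlv(der, 0)
    tag, pos, _ = read_tlv(der, cert_start)             # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                                      # EXPLICIT [0] version is optional
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def next_serial(pem_by_name: dict):
    """Return (suggested Next Certificate Serial, {serial: [names]} of duplicates)."""
    seen = {}
    for name, pem in pem_by_name.items():
        label, der = parse_pem(pem)
        if label != "CERTIFICATE":
            raise ValueError(f"{name}: expected a CERTIFICATE block, got {label}")
        seen.setdefault(certificate_serial(der), []).append(name)
    duplicates = {serial: names for serial, names in seen.items() if len(names) > 1}
    return max(seen) + 1, duplicates


# --- constructed sample data (minimal DER encoder, not a real certificate) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    size = max(1, (value.bit_length() + 8) // 8)         # extra bit keeps positives positive
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def make_sample_cert_pem(serial: int) -> str:
    """Constructed stand-in with only the leading fields the parser walks, wrapped as PEM."""
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(serial) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    issued = {"vpn-server": make_sample_cert_pem(5), "alice": make_sample_cert_pem(7),
              "bob": make_sample_cert_pem(7)}            # bob reuses alice's serial: a collision
    print(next_serial(issued))                           # (8, {7: ['alice', 'bob']})
    truncated = issued["alice"].split("-----END")[0]     # the common paste mistake: footer missing
    try:
        parse_pem(truncated)
    except ValueError as err:
        print("rejected:", err)
```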
Create a Certificate Signing Request

Choosing a Method of Certificate Signing Request creates a new request file that can be signed by a CA at a later time, including by a third party CA not present on the firewall. This is commonly used to obtain a certificate from a trusted root certificate authority.

The parameters for creating this request are identical to those for creating a certificate and are covered in Certificate Settings.

Note: Though the GUI shows fields for Certificate Type and Alternative Names as described in Certificate Settings, they are only suggestions for the CA. The signing CA may ignore these options and replace them with values of its own.

Sign a Certificate Signing Request

Signing a certificate signing request (CSR) is a special process which uses an internal CA on the firewall to sign a CSR and turn it into a full-fledged certificate.

The following options are available when signing a CSR:

CA to sign with
    The CA on the firewall which will sign this CSR. This must be an internal CA (private key present).

CSR to sign
    This option chooses whether to sign a new CSR not present on the firewall or an existing CSR on the firewall.

    New CSR
        When chosen, the GUI presents fields in which the CSR data can be pasted.

        CSR Data
            The PEM-encoded CSR data. CSR data is typically contained in a file ending with .req or .pem. It is plain text, enclosed in a block such as:

                -----BEGIN CERTIFICATE REQUEST-----
                [A bunch of random-looking base64-encoded data]
                -----END CERTIFICATE REQUEST-----

        Key Data
            The optional PEM-encoded private key for the certificate. This is not required to sign a CSR, but may be useful, or even necessary, if the resulting certificate will be used on the firewall. For example, a private key would be required for a local service or for a user certificate used with a VPN export package.

            The key data is typically in a file ending in .key. It is plain text enclosed in a block such as:

                -----BEGIN RSA PRIVATE KEY-----
                [A bunch of random-looking base64-encoded data]
                -----END RSA PRIVATE KEY-----

    Existing CSR
        The remaining items in the drop-down list are CSR entries which already exist on the firewall. Choose one to sign.

Certificate Lifetime
    The lifetime of the new certificate. See Lifetime for details.

Digest Algorithm
    The digest algorithm for the new certificate. See Digest Algorithm for details.
When signing a CSR, the signing CA may also give new values for Certificate Type and Alternative Names as described in Certificate Settings. The signing process in the GUI does not support automatically reading these values from a CSR, so set them again here.

When complete, the result is a certificate entry in the list, which can then be used or exported.

12.3.3 Edit a Certificate

To edit an existing certificate:

• Navigate to System > Cert Manager, Certificates tab
• Locate the Certificate entry in the list
• Click the icon at the end of its row to reach the Edit page for the certificate.

The Edit page can modify some aspects of the certificate, such as:

• The Descriptive Name of the certificate.
• The Certificate Data, which may need to be replaced if the certificate was renewed by a CA off the firewall.
• The Private key data, which may need to be updated if the private key is regenerated (e.g. with a stronger key, or a different key type).

The Edit page also contains options for exporting entries with a password. See Export Password-Protected Files for details.

12.3.4 Export a Certificate

There are multiple methods to export certificates. The primary difference is whether or not the files will have password protection. The certificate itself does not contain private information and thus does not require protection. The private key and PKCS #12 format files do contain private information and thus can be exported in a protected manner.

Export Unprotected Files

• Navigate to System > Cert Manager, Certificates tab
• Locate the Certificate entry in the list
• Click the icon at the end of its row to export the certificate.
  The file will download with the descriptive name of the certificate as the file name, with the extension .crt.
• Click the icon to export the private key for the certificate.
  The file will download with the descriptive name of the certificate as the file name, with the extension .key.
• Click the icon to export a PKCS #12 file containing the CA, certificate, and private key together.
  The file will download with the descriptive name of the certificate as the file name, with the extension .p12.
Export Password-Protected Files

The GUI can also export password-protected versions of the private key and PKCS #12 archives. This is more secure, but some systems may not support using password-protected keys.

• Navigate to System > Cert Manager, Certificates tab
• Locate the Certificate entry in the list
• Click the icon at the end of its row to reach the Edit page for the certificate.
• Fill in the desired Export Password
• Click the Export Private Key button to export the private key for the certificate.
  The password-protected file will download with the descriptive name of the certificate as the file name, with the extension .key.
• Click the PKCS #12 button to export a PKCS #12 file containing the CA, certificate, and private key together.
  The password-protected file will download with the descriptive name of the certificate as the file name, with the extension .p12.

12.3.5 Export a Certificate Signing Request

• Navigate to System > Cert Manager, Certificates tab
• Locate the CSR entry in the list
• Click the icon at the end of its row to export the CSR.
  The file will download with the descriptive name of the CSR as the file name, with the extension .req.

12.3.6 Remove a Certificate

To remove a certificate, first it must be removed from active use.

• Check areas that can use a certificate, such as the WebGUI options, OpenVPN, IPsec, and packages

  Note: In most cases, the areas using a certificate are noted in the In Use column of the certificate list. This does not necessarily include all areas, especially if the certificate is used by a package.

• Remove entries using the certificate, or choose another certificate
• Navigate to System > Cert Manager on the Certificates tab
• Locate the certificate to delete in the list
• Click the icon at the end of the row for the certificate
• Click OK on the confirmation dialog
12.3.7 Renew a Certificate

To renew a certificate entry:

• Navigate to System > Cert Manager, Certificates tab
• Locate the certificate entry in the list
• Click the icon at the end of the row for the certificate
• Follow the rest of the renewal procedure as described in Renew or Reissue a CA or Certificate

12.3.8 User Certificates

If a VPN is being used that requires user certificates, they may be created in one of several ways. The exact method depends on where the authentication for the VPN is being performed and whether or not the certificate already exists.

No Authentication or External Authentication
    If there is no user authentication, or if the user authentication is being performed on an external server (RADIUS, LDAP, etc), then make a user certificate like any other certificate described earlier. Ensure that User Certificate is selected for the Certificate Type and set the Common Name to match the username.

Local Authentication
    If user authentication is being performed by this firewall, the user certificate can be made inside the User Manager. The User Manager can create a certificate while creating a user, or it can add certificates to existing users. These processes are documented at Manage Local Users.

12.4 Renew or Reissue a CA or Certificate

When a CA or certificate expires it must be replaced, renewed, or reissued. The GUI can Renew or Reissue a certificate using a semi-automatic process. This process can retain the existing properties of the CA or certificate, but results in a freshly signed copy. This process can also change the lifetime, keys, and digest so they meet current security best practices.

The new copy of this certificate must be distributed to the intended target as it was originally.

12.4.1 Certificate Properties

The Renew or Reissue page displays information about the entry, including:

Subject
    The subject of the certificate, containing its Distinguished Name (DN)

Serial
    The serial number of the certificate.

Subject Key ID
    Fingerprint of the certificate key.

Certificate Type
    Either User or Server, if known.

Issued By
    The CA which signed the certificate (Name and DN)
12.4.2 Renew or Reissue Options

The following options control what happens when the certificate is renewed:

Reuse Key
    When set (default), the existing key on the certificate is retained. When unset, a fresh key is created when the certificate is reissued.

Reuse Serial
    Set this option to retain the existing serial number when reissuing. Uncheck to generate a new serial.

    Retaining the serial when renewing a CA allows existing certificates to remain valid, though some clients may not respect the new CA if the serial does not change. Similarly, certificates should have a new serial every time they are renewed or some peers will reject them.

    The exact behavior depends on the service and clients, but generally speaking it is safe to reuse the serial on a CA but not safe to reuse the serial on a server or user certificate. For example, OpenVPN is OK with reusing the serial number on a CA when renewing, while web browsers will reject a changed server certificate, even a self-signed one, if the serial does not change when the contents of the certificate change.

Strict Security
    When set, upgrades the security of the certificate to meet current standards.

    The Renew or Reissue page performs a security analysis on the certificate, comparing its current values for Lifetime, Digest, and RSA Key size with current best security practices. This analysis is printed at the bottom of the page. If any of the values are weak, the Would Change column in the analysis indicates Yes.
12.4.3 Renew or Reissue Example

To start the renewal process, first locate the CA or certificate to renew:

• Navigate to System > Cert Manager
• Navigate to the CAs tab for CA entries, or the Certificates tab for certificates
• Locate the entry to renew in the list
• Click the icon at the end of the row for the entry to load the Renew or Reissue page for the certificate

  Note: The icon only appears for entries which have been signed by an internal CA on the firewall.

• Review the contents of the page
• Set the Renew or Reissue Options as desired
• Click Renew/Reissue
• Click OK to confirm the action

When the process completes, the certificate entry is updated in the configuration.

Note: If the certificate is in use by a service on the firewall, the associated service(s) are restarted automatically.

For user certificates, the updated certificate must be exported and transmitted to the user. If a new key was generated by the renewal process, it must also be transmitted to the user.

12.5 Certificate Revocation List Management

Certificate Revocation Lists (CRLs) are a part of the X.509 system that publish lists of certificates that must no longer be trusted. These certificates may have been compromised or otherwise need to be invalidated. An application using a CA, such as OpenVPN, may optionally use a CRL so it can verify connecting client certificates.

A CRL is generated and signed against a CA using its private key, so in order to create or add certificates to a CRL in the GUI, the private key of the CA must be present. If the CA is managed externally and the private key for the CA is not on the firewall, a CRL may still be generated outside of the firewall and imported.

The traditional way to use a CRL is to have only one CRL per CA and only add invalid certificates to that CRL. The GUI, however, supports multiple CRLs for a single CA. In OpenVPN, different CRLs may be chosen for separate VPN instances. This could be used, for example, to prevent a specific certificate from connecting to one instance while allowing it to connect to another. For IPsec, all CRLs are consulted and there is no per-instance selection as there is with OpenVPN.

Certificate Revocation Lists are managed from System > Cert Manager, on the Certificate Revocation tab. From this screen CRL entries can be added, edited, exported, or deleted. The list shows all existing CRLs and an option to add a new CRL from a given CA. The screen also indicates whether the CRL is internal or external (imported), shows a count of how many certificates have been revoked on each CRL, and indicates if the CRL is in use.
12.5.1 Create a new Certificate Revocation List

To create a new CRL:

• Navigate to System > Cert Manager, on the Certificate Revocation tab
• Select a CA from the drop-down menu under Create or Import a New Certificate Revocation List
• Click Add at the end of the row to create a new CRL
• Set the Method to Create an Internal Certificate Revocation List
• Enter a Descriptive Name for the CRL
  This is used to identify this CRL in lists around the GUI. It is usually best to include a reference to the name of the CA and/or the purpose of the CRL.
• Enter the Lifetime value as a number of days for which the CRL should be valid
  The default value is 730 days (2 years).

  Note: In practice, this limit would almost never be reached as the CRL is regenerated any time the CRL is edited or when a service which utilizes a CRL is reconfigured.

  Note: The system attempts to prevent using too large a value for the lifetime to ensure the date doesn’t overflow. On 32-bit platforms, the limit is before the UNIX time rollover in 2038. On other platforms, the limit is before UTCTime 2-digit dates roll over in 2050. See Redmine #13424 for details. Systems reporting an expired CRL can work around the error by making a new CRL with a lower lifetime or by applying a patch on that Redmine issue.

• Click Save

The browser will return to the CRL list, and the new entry will be shown there.

12.5.2 Import an Existing Certificate Revocation List

To import a CRL from an external source:

• Navigate to System > Cert Manager, on the Certificate Revocation tab
• Select a CA from the drop-down menu under Create or Import a New Certificate Revocation List
• Click Add at the end of the row to create a new CRL
• Set the Method to Import an Existing Certificate Revocation List
• Enter a Descriptive Name for the CRL
  This is used to identify this CRL in lists around the GUI. It is usually best to include a reference to the name of the CA and/or the purpose of the CRL.
• Enter the CRL data
  This is typically in a file ending in .crl. It is plain text enclosed in a block such as:

      -----BEGIN X509 CRL-----
      [A bunch of random-looking base64-encoded data]
      -----END X509 CRL-----

• Click Save to finish the import process.

If an error appears, follow the on-screen instructions to correct the problem and then try again. The most common error is not pasting in the right portion of the CRL data. Make sure to enter the entire block, including the beginning header and ending footer around the encoded data.

Warning: New entries cannot be added to imported CRLs. To update an imported CRL, see Updating an Imported Certificate Revocation List.

12.5.3 Export a Certificate Revocation List

• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to export in the list
• Click the icon

The file will download with the descriptive name of the CRL as the file name, and the extension .crl.
12.5.4 Delete a Certificate Revocation List

• Check areas that can use a CRL, such as OpenVPN
• Remove entries using the CRL, or choose another CRL instead
• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to delete in the list
• Click the icon at the end of the row for the CRL
• Click OK on the confirmation dialog

If an error appears, follow the on-screen instructions to correct the problem and then try again.

12.5.5 Revoke a Certificate

A CRL isn’t useful unless it contains revoked certificates. A certificate is revoked by adding the certificate to a CRL, or by entering its serial number.

• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to edit in the list
• Click the icon at the end of the row for the CRL
  The GUI lists any revoked certificates on the CRL, and a control to add new ones.
• Select a Reason from the drop-down list to indicate why the certificate is being revoked
  This information doesn’t affect the validity of the certificate; it is merely informational in nature. This option may be left at the default value.
• To revoke by certificate, select the certificate(s) from the Revoke Certificates list

  Note: Multiple certificates can be revoked at once by selecting all of them in the list.

• To revoke by serial number, enter one or more certificate serial numbers separated by spaces in the Revoke by Serial field
• Click Add and the certificate(s) will be added to the CRL

  Note: Certificates can be revoked by selection and by serial at the same time.

After adding a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.
12.5.6 Removing a Certificate from a CRL

Certificates can be removed from the CRL when editing a CRL:

• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to edit in the list
• Click the icon at the end of the row for the CRL
• Find the certificate in the list and click the icon to remove it from the CRL
• Click OK on the confirmation dialog

After removing a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.

12.5.7 Updating an Imported Certificate Revocation List

To update an imported CRL:

• Navigate to System > Cert Manager on the Certificate Revocation tab
• Locate the CRL to edit in the list
• Click the icon at the end of the row for the CRL
• Enter a new copy of the CRL Data
• Click Save

After updating the imported CRL, it will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.

12.6 DH Parameters

To put it simply, the DH parameters are extra bits of randomness that help out during the key exchange process. They do not have to match on both sides of the tunnel, and new DH parameters can be made at any time. DH parameters are not specific to a given setup in the way that certificates or keys are. There is no need to import an existing set of DH parameters because generating new parameters is a better practice.

pfSense® software ships with a default set of DH parameter files so that new firewalls do not have to spend significant CPU resources to build them when they are needed. These pre-generated parameters are stored in /etc/dh-parameters. Selecting a specific length in the GUI will use the DH parameter set from the corresponding file. These DH parameters are not stored in config.xml.

To generate a new set of DH parameters, which can take quite a long time depending on the hardware in use, run the following commands:

    /usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024
    /usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048
    /usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096

CPU time used to generate the parameters increases significantly with length. For example, generating 1024-bit DH parameters only takes about 7 seconds on a C2758 CPU, but generating 2048-bit parameters takes 4 minutes, and generating 4096-bit parameters takes 10 minutes.

The GUI allows longer DH parameters to be selected if they exist in /etc/ in the format specified above. Supported lengths are: 1024, 2048, 3072, 4096, 7680, 8192, 15360, and 16384. For example, to generate a new set of DH parameters of length 8192, run:

    /usr/bin/openssl dhparam -out /etc/dh-parameters.8192 8192

The Certificate Manager under System > Cert Manager creates and maintains certificate authority (CA), certificate, and certificate revocation list (CRL) entries for use by the firewall. Entries in the Certificate Manager are used by the firewall for purposes such as TLS for the GUI, VPNs, LDAP, various packages, and more.

12.7 Basic Introduction to X.509 Public Key Infrastructure

One authentication option for VPNs is to use X.509. An in-depth discussion of X.509 and Public Key Infrastructure (PKI) is outside the scope of this documentation, and is the topic of a number of entire books for those interested in details. This chapter provides the basic understanding necessary for creating and managing certificates.

With PKI, a CA is the source of trust and is the first entity of a PKI structure. This CA then signs all of the individual certificates in a set. The certificate of the CA is used on VPN servers and clients to verify the authenticity of server and client certificates. The certificate for the CA can be used to verify signatures on certificates, but not to sign certificates. Signing certificates requires the private key for the CA. The secrecy of the CA private key is what ensures the security of a PKI. Anyone with access to the CA private key can generate certificates to be used on a PKI, hence it must be kept secure. This key is never distributed to clients or servers.

Warning: Never copy more files to clients than are needed, as this may compromise the security of the PKI structure.

A certificate is considered valid if it has been trusted by a given CA. In the case of a VPN, this means that a certificate made from a specific CA would be considered valid for any VPN using that CA. For that reason the best practice is to create a unique CA for each VPN that has a different level of security. For instance, if there are two mobile access VPNs with the same security access, using the same CA for those VPNs is OK. However, if one VPN is for users and another VPN is for remote management, each with different restrictions, then it is best for each VPN to have a unique CA.

Certificate revocation lists (CRLs) are lists of certificates that have been compromised or otherwise invalidated. Revoking a certificate will cause it to be considered untrusted so long as the application using the CA also uses a CRL. CRLs are generated and signed against a CA using its private key, so in order to create or add certificates to a CRL in the GUI the private key for a CA must be present.
CHAPTER THIRTEEN

FIREWALL

One of the primary functions performed by pfSense® software is filtering traffic, deciding which traffic to pass or block between networks. This section covers fundamentals of firewalling, best practices, and the information necessary to configure firewall rules.

13.1 Managing Firewall Rules

Firewall rules control traffic passing through the firewall. These topics describe how to create and manage rules, plus settings related to rules.

13.1.1 Firewalling Fundamentals

This section deals primarily with introductory firewall concepts and lays the groundwork for understanding how to configure firewall rules using pfSense® software.

Basic Terminology

Rule and ruleset are two terms used throughout this chapter:

Rule
    Refers to a single entry on the Firewall > Rules screen. A rule instructs the firewall how to match or handle network traffic.

Ruleset
    Refers to a group of rules collectively: either all firewall rules as a whole, or a set of rules in a specific context such as the rules on an interface tab.

The complete firewall ruleset is the sum of all user configured and automatically added rules, which are covered further throughout this section.

Rulesets on the Interface tabs are evaluated on a first match basis. This means that reading the ruleset for an interface from top to bottom, the first rule that matches will be the one used by the firewall. Evaluation stops after reaching this match and then the firewall takes the action specified by that rule. Always keep this in mind when creating new rules, especially when crafting rules to restrict traffic. The most permissive rules should be toward the bottom of the list, so that restrictions or exceptions can be made above them.

Note: The Floating tab is the lone exception to this rule processing logic. See Floating Rules for details.
Stateful Filtering

pfSense software is a stateful firewall, which means it remembers information about connections flowing through the firewall so that it can automatically allow reply traffic. This data is retained in the State Table. The connection information in the state table includes the source, destination, protocol, ports, and more: enough to uniquely identify a specific connection. Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed back through the firewall by matching it against the state table rather than having to check it against rules in both directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be sent in response to a TCP, UDP, or other connection.

See also: See Firewall Advanced and State Type for more information about state options and types.

State table size

The firewall state table has a maximum size to prevent memory exhaustion. Each state takes approximately 1 KB of RAM. By default, the state table size in pfSense is calculated as about 10% of the RAM available in the firewall. On a firewall with 1 GB of RAM, the default state table size can hold approximately 100,000 entries.

See also: See Large State Tables for more information on state table sizing and RAM usage.

Each user connection typically consists of two states: one created as it enters the firewall, and one as it leaves the firewall. Therefore, with a state table size of 1,000,000, the firewall can handle approximately 500,000 user sessions actively traversing the firewall before any additional connections will be dropped. This limit can be increased as needed so long as it does not exceed the available amount of RAM in the firewall.

To increase the state table size:

• Navigate to System > Advanced on the Firewall & NAT tab
• Enter the desired number for Firewall Maximum States, or leave the box blank for the default calculated value. See Figure Increased State Table Size to 2,000,000
• Click Save

Fig. 1: Increased State Table Size to 2,000,000

Historical state table usage is tracked by the firewall. To view the graph:

• Navigate to Status > Monitoring
• Click the icon to expand the graph options
• Set Category for the Left Axis to System
• Set the Graph for the Left Axis to States
• Click Update Graphs

Block vs. Reject

There are two ways to disallow traffic using firewall rules on pfSense: block and reject.

A rule set to block will silently drop traffic. A blocked client will not receive any response and thus will wait until its connection attempt times out. This is the behavior of the default deny rule in pfSense software.

A rule set to reject will respond back to the client for denied TCP and UDP traffic, letting the sender know that the connection was refused. Rejected TCP traffic receives a TCP RST (reset) in response, and rejected UDP traffic receives an ICMP unreachable message in response. Though reject is a valid choice for any firewall rule, IP protocols other than TCP and UDP are not capable of being rejected; these rules will silently drop other IP protocols because there is no standard for rejecting other protocols.

Deciding Between Block and Reject

There has been much debate amongst security professionals over the years as to the value of block vs. reject. Some argue that using block makes more sense, claiming it “slows down” attackers scanning the Internet. When a rule is set to reject, a response is sent back immediately that the port is closed, while block silently drops the traffic, causing the attacker’s port scanner to wait for a response. That argument does not hold water because every good port scanner can scan hundreds or thousands of hosts simultaneously, and the scanner is not stalled waiting for a response from closed ports. There is a minimal difference in resource consumption and scanning speed, but so slight that it shouldn’t be a consideration.

If the firewall blocks all traffic from the Internet, there is a notable difference between block and reject: nobody knows the firewall is online. If even a single port is open, the value of that ability is minimal because the attacker can easily determine that the host is online and will also know what ports are open whether or not the blocked connections have been rejected by the firewall.

While there isn’t significant value in block over reject, the best practice is to use block on WAN rules. There is some value in not actively handing information to potential attackers, and it is also a bad practice to automatically respond to an external request unnecessarily.

For rules on internal interfaces the best practice is to use reject in most situations. When a host tries to access a resource that is not permitted by firewall rules, the application accessing it may hang until the connection times out or the client program stops trying to access the service. With reject the connection is immediately refused and the client avoids these hangs. This is usually nothing more than an annoyance, but it is still a good idea to use reject to avoid potential application problems induced by silently dropping traffic inside a network.

13.1.2 Introduction to the Firewall Rules screen

This section provides an introduction and overview of the Firewall Rules screen located at Firewall > Rules. This page lists the WAN ruleset to start with, which by default has no entries other than those for Block private networks and Block bogon networks if those options are active on the WAN interface, as shown in Figure Default WAN Rules.

Tip: Click the icon to the right of the Block private networks or Block bogon networks rules to reach the WAN interface configuration page where these options can be enabled or disabled. See Block Private Networks and Block Bogon Networks for more details.

Fig. 2: Default WAN Rules

Click the LAN tab to view the LAN rules. By default, the only entries are the Default allow LAN to any rules for IPv4 and IPv6 as seen in Figure Default LAN Rules, and the Anti-Lockout Rule if it is active. The anti-lockout rule is designed to prevent administrators from accidentally locking themselves out of firewall management services. Click the icon next to the anti-lockout rule to reach the page where this rule can be disabled.

See also: For more information on how the Anti-Lockout Rule works and how to disable the rule, see Anti-lockout Rule and Anti-lockout.

Fig. 3: Default LAN Rules

To display rules for other interfaces, click their respective tabs. OPT interfaces will appear with their descriptive names, so if the OPT1 interface was renamed DMZ, then the tab for its rules will also say DMZ.

To the left of each rule is a set of indicator icons, including:

• The action of the rule: pass, block, or reject.
• Logging status: If logging is enabled for the rule, a logging icon is present.
• Advanced options: If the rule has any advanced options enabled, an icon is present.

Hovering the mouse cursor over any of these icons will display text explaining their meaning. The same icons are shown for disabled rules, except the icon and the rule are a lighter shade of their original color.
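Before moving on to editing rules, here is a constructed Go model of the behaviour described in Firewalling Fundamentals, Stateful Filtering and Block vs. Reject above: first match wins on an interface tab, a pass rule creates a state and replies are matched against the state table instead of the rules, block drops silently, reject answers only TCP and UDP, and the state table is bounded at about 10% of RAM. It also shows the kind of LAN egress policy the Egress Filtering section later in this chapter recommends. This is an added example, not pfSense or pf code, and it simplifies heavily (no floating rules, no ICMP-related states, no source matching, states keyed without the interface); the ruleset in ExampleRuleset, the verdict strings returned by Filter and the addresses are assumptions of the example.

```go
package main

import "fmt"

// Action is what a matching rule does with a packet.
type Action int
const (
	Pass   Action = iota // create a state and let the packet through
	Block                // drop silently, the default deny behaviour
	Reject               // refuse: TCP gets a RST, UDP an ICMP unreachable, anything else is dropped
)
// rejectResponse is what a reject rule sends back; protocols missing here are silently dropped.
var rejectResponse = map[string]string{"tcp": "tcp-rst", "udp": "icmp-unreachable"}
// Packet is the constructed view of one packet as it arrives on an interface.
type Packet struct {
	Iface, Proto, Src, Dst string
	SrcPort, DstPort       int
}
// flow is the state-table key: the connection identifiers without the interface.
func (p Packet) flow() Packet {
	p.Iface = ""
	return p
}
// reverse is the flow of the reply traffic that comes back for p.
func (p Packet) reverse() Packet {
	return Packet{Proto: p.Proto, Src: p.Dst, SrcPort: p.DstPort, Dst: p.Src, DstPort: p.SrcPort}
}
// Rule is one entry on an interface tab; empty fields and a zero port mean "any".
type Rule struct {
	Iface, Proto, Dst string
	DstPort           int
	Action            Action
}
func (r Rule) matches(p Packet) bool {
	return r.Iface == p.Iface && (r.Proto == "" || r.Proto == p.Proto) &&
		(r.Dst == "" || r.Dst == p.Dst) && (r.DstPort == 0 || r.DstPort == p.DstPort)
}
// DefaultMaxStates applies the sizing in the text: about 10% of RAM at roughly 1 KB per state.
func DefaultMaxStates(ramBytes int) int { return ramBytes / 10 / 1024 }
// Firewall is one interface-tab ruleset plus a bounded state table.
type Firewall struct {
	Rules     []Rule
	MaxStates int
	states    map[Packet]bool
}
// StateCount reports how many states the firewall currently tracks.
func (fw *Firewall) StateCount() int { return len(fw.states) }

// Filter returns the verdict for one packet: reply traffic is matched against the state
// table first; otherwise the first matching rule wins; otherwise the default deny applies.
func (fw *Firewall) Filter(p Packet) string {
	if fw.states == nil {
		fw.states = map[Packet]bool{}
	}
	if fw.states[p.reverse()] {
		return "pass (state)" // reply to an established connection, no rule consulted
	}
	for _, r := range fw.Rules {
		if !r.matches(p) {
			continue
		}
		switch r.Action {
		case Pass:
			if len(fw.states) >= fw.MaxStates {
				return "drop (state table full)"
			}
			fw.states[p.flow()] = true
			return "pass"
		case Block:
			return "drop"
		case Reject:
			if resp, ok := rejectResponse[p.Proto]; ok {
				return resp
			}
			return "drop" // no standard way to reject other IP protocols
		}
	}
	return "drop" // default deny
}

// ExampleRuleset is a constructed ruleset following the text's advice: WAN blocks silently,
// LAN passes only the egress the site needs (DNS, HTTPS) and rejects everything else.
func ExampleRuleset() *Firewall {
	return &Firewall{
		MaxStates: DefaultMaxStates(1 << 30), // 1 GB of RAM: 104857 states
		Rules: []Rule{
			{Iface: "lan", Proto: "udp", DstPort: 53, Action: Pass},
			{Iface: "lan", Proto: "tcp", DstPort: 443, Action: Pass},
			{Iface: "lan", Action: Reject},
			{Iface: "wan", Action: Block},
		},
	}
}

func main() {
	fw := ExampleRuleset()
	out := Packet{Iface: "lan", Proto: "tcp", Src: "10.0.0.5", SrcPort: 40000, Dst: "203.0.113.10", DstPort: 443}
	reply := out.reverse()
	reply.Iface = "wan"
	fmt.Println(fw.Filter(out), fw.Filter(reply), fw.StateCount()) // pass pass (state) 1
}
```

The ordering of ExampleRuleset illustrates the first-match advice above: the permissive pass rules sit above the catch-all reject, and swapping them would make the reject shadow every pass rule. A LAN client opening TCP 6667 receives a RST from the reject rule, a UDP probe gets an ICMP unreachable, and a GRE packet hitting the same reject rule is simply dropped because nothing can be sent back for it.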
Adding a firewall rule

To add a rule to the top of the list, click the Add button with the up arrow. To add a rule to the bottom of the list, click the Add button with the down arrow.

Editing Firewall Rules

To edit a firewall rule, click the edit icon to the right of the rule, or double click anywhere on the line. The edit page for that rule will load, and from there adjustments are possible. See Configuring firewall rules for more information on the options available when editing a rule.

Reordering Firewall Rules

The order of the rules on an interface can be changed in two different ways: drag-and-drop or select-and-click.

To reorder rules using the drag-and-drop method:

• Move the mouse over the firewall rule to move; the cursor will change to indicate movement is possible
• Click and hold the mouse button down
• Drag the mouse to the desired location for the rule
• Release the mouse button
• Click Save to store the new rule order

Warning: Attempting to navigate away from the page after moving a rule, but before saving the order, will result in the browser presenting an error confirming whether or not to exit the page. If the browser navigates away from the page without saving, the rule will still be in its original location.

To move rules in the list in groups or by selecting them first, use the select-and-click method:

• Select the rules to move

Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.

• Click the move icon on the row below where the rule should be moved

Tip: Hold Shift before clicking the move icon to move the rule below the selected rule instead of above.

When moving rules using the select-and-click method, the new order is stored automatically.
Copying Firewall Rules

To make a new rule that is similar to an existing rule, click the copy icon to the right of the existing rule. The edit screen will appear with the existing rule’s settings pre-filled, ready to be adjusted. When duplicating an existing rule, the new rule will be added directly below the original rule. For more information about how to configure the new rule, see Configuring firewall rules.

To copy multiple rules:

• Select the rules to copy

Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.

• Click the Copy button below the rule list

The firewall will open a new modal dialog with options to set before copying.

• Select the Destination Interface
• Select Convert interface definitions to automatically adjust the source of the rule to match the target interface, if necessary
• Click Paste to complete the operation

Warning: When copying rules to different interfaces, they may fall at the start or the end of the target interface rule list depending on the order of the interface rules in the configuration. Be prepared to reorder the rules on the target interface before applying changes.

Deleting Firewall Rules

To delete a single rule, click the delete icon to the right of the rule. The firewall will present a confirmation prompt before deleting the rule.

To delete multiple rules:

• Select the rows to remove

Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.

• Click the Delete button below the rule list
• Confirm the action
Checking Rule Usage

The States column contains usage counters for each rule. It shows the number of active states created by a rule and the amount of traffic consumed by those states. Hovering the mouse over these counters shows additional detailed statistics.

Note: Though the firewall makes an effort to maintain these statistics, the values can reset over time depending on firewall ruleset reloads and other similar actions.

Clicking the value in this column will display a list of states created by the rule.

Clearing States Created by a Rule

Click the icon to the right of a rule and then confirm the action to clear all active states created by that rule.

Note: This only affects states on this interface created by this rule directly. It does not clear states on other interfaces where traffic may have exited the firewall.

Disabling and Enabling Firewall Rules

To disable a rule, click the disable icon at the end of its row. The appearance of the rule will change to a lighter shade to indicate that it is disabled, and the icon changes to its disabled form.

To enable a rule which was previously disabled, click the enable icon at the end of its row. The appearance of the rule will return to normal and the enable/disable icon will return to its original form.

A rule may also be disabled or enabled by editing the rule and toggling the Disabled checkbox.

To disable or enable multiple rules at once:

• Select the rules to disable

Note: Select rules by single clicking anywhere on their line or by checking the box at the start of the row.

• Click the Toggle button below the rule list
Rule Separators

Firewall Rule Separators are colored bars in the ruleset that contain a small bit of text, but do not take any action on traffic. They are useful for visually separating or adding notes to special parts of the ruleset. Figure Firewall Rule Separators Example shows how they can be utilized to group and document the ruleset.

Fig. 4: Firewall Rule Separators Example

To create a new Rule Separator:

• Open the firewall rule tab where the Rule Separator will reside
• Click Separator
• Enter description text for the Rule Separator
• Choose the color for the Rule Separator by clicking the icon of the desired color
• Click and drag the Rule Separator to its new location
• Click Save inside the Rule Separator to store its contents
• Click Save at the bottom of the rule list

To move a Rule Separator:

• Open the firewall rule tab containing the Rule Separator
• Click and drag the Rule Separator to its new location
• Click Save at the bottom of the rule list

To delete a Rule Separator:

• Open the firewall rule tab containing the Rule Separator
• Click the delete icon inside the Rule Separator on the right side
• Click Save at the bottom of the rule list

Rule Separators cannot be edited. If a change in text or color is required, create a new Rule Separator and delete the existing entry.

Tracking Firewall Rule Changes

When a rule is created or updated the firewall records the user’s login name, IP address, and a timestamp on the rule to track who added and/or last changed the rule in question. If the firewall automatically created the rule, that is also noted. This is done for firewall rules as well as port forwards and outbound NAT rules. An example of a rule update tracking block is shown in Figure Firewall Rule Time Stamps; it is visible at the very bottom of the rule editing screen when editing a firewall rule.

Fig. 5: Firewall Rule Time Stamps

13.1.3 Ingress Filtering

Ingress filtering refers to the concept of firewalling traffic entering a network from an external source such as the Internet. In deployments with multi-WAN, the firewall has multiple ingress points. The default ingress policy on pfSense® software is to block all traffic as there are no allow rules on WAN in the default ruleset. Replies to traffic initiated from inside the local network are automatically allowed to return through the firewall by the state table.

13.1.4 Egress Filtering

Egress filtering refers to the concept of firewalling traffic initiated inside the local network, destined for a remote network such as the Internet. pfSense, like nearly all similar commercial and open source solutions, comes with a LAN rule allowing everything from the LAN out to the Internet. This isn’t the best way to operate, however. It has become the de facto default in most firewall solutions because it is what most people expect. The common misperception is “Anything on the internal network is ‘trustworthy’, so why bother filtering?”
Why employ egress filtering?

From our experience in working with countless firewalls from numerous vendors across many different organizations, most small companies and home networks do not employ egress filtering. It can increase the administrative burden as each new application or service may require opening additional ports or protocols in the firewall. In some environments it is difficult because the administrators do not completely know what is happening on the network, and they are hesitant to break things. In other environments it is impossible for reasons of workplace politics. The best practice is for administrators to configure the firewall to allow only the minimum required traffic to leave a network where possible. Tight egress filtering is important for several reasons:

Limit the Impact of a Compromised System

Egress filtering limits the impact of a compromised system. Malware commonly uses ports and protocols that are not required on most business networks. Some bots rely on IRC connections to phone home and receive instructions. Some will use more common ports such as TCP port 80 (normally HTTP) to evade egress filtering, but many do not. If access to TCP port 6667, the usual IRC port, is not permitted by the firewall, bots that rely on IRC to function may be crippled by the filtering.

Another example is a case where the inside interface of a pfSense software installation was seeing 50-60 Mbps of traffic while the WAN had less than 1 Mbps of throughput. There were no other interfaces on the f