Software update: pfSense 2.5.2

Version 2.5.2 of pfSense has been released. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It is available in the free Community Edition and a Plus trim, previously offered as a Factory Edition. It started in 2004 as a fork of m0n0wall due to differing views among the developers and over the years has grown into a router and firewall package that can be deployed in both small and very large environments. For more information, please refer to this page. WireGuard was removed from version 2.5.1 as a precaution, but it returns in 2.5.2, albeit as an experimental option. The changelog for this release looks like this:

Security

This release includes corrections for the following vulnerabilities in pfSense software:

• pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)

General

• Added: WireGuard experimental add-on package

pfSense CE Aliases / Tables

• Added: PHP shell playback script to modify Alias ​​contents #11380

Authentication

• Added: Copy button for Authentication Server entries #11390

Backup / Restore

• Added: Randomize time of scheduled AutoConfigBackup runs #10811
• Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748
• Fixed: AutoConfigBackup schedule custom hour value lost on page load #11946

Captive Portal

• Added: Redirect Captive Portal users to login page after they logout #11264
• Fixed: Captive Portal post-auth redirect is not properly respected #11842
• Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843

Certificates

• Fixed: Certificate Manager does not report Unbound as using a certificate #11678
• Fixed: PHP error on certificate list due to unreadable private key #11859
• Fixed: Export P12 icon is missing if certificate is not locally renewable #11884

Configuration Upgrade

• Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801

Console Menu

• Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914

DHCP (IPv6)

• Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set #11883

DNS Forwarder

• Fixed: Disable DNSSEC option for dnsmasq #11781
• Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866

DNS Resolver

• Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456
• Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
• Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915

Dashboard

• Fixed: Thermal sensors widget no longer shows values ​​from certain hardware #11787
• Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
• Fixed: Editing widgets on Dashboard causes a PHP Warning #11939

Diagnostics

• Fixed: ARP Table populates hostname values ​​using expired DHCP lease data #11510
• Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
• Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
• Fixed: MAC address OEM information missing from ARP table #11819
• Fixed: State table content on diag_dump_states.php does not sort properly #11852

Dynamic DNS

• Added: New Dynamic DNS Provider: Mythic-Beasts #7842
• Added: New Dynamic DNS Provider: one.com #11293
• Added: New Dynamic DNS Provider: Yandex PDD #11294
• Added: New Dynamic DNS Provider: NIC.RU #11358
• Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
• Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
• Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
• Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815
• Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840

Gateways

• Added: Input validation to prevent setting a load balancing gateway group as default #11164

Hardware / Drivers

• Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
• Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524

High Availability

• Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy

• Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904

IPsec

• Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
• Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395
• Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
• Fixed: strongSwan configuration always contains user EAP/PSK values #11564
• Added: IPsec GUI option to control Child SA start_action #11576
• Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
• Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
• Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
• Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
• Fixed: ipsec_vti() does not skip disabled VTI entries #11832
• Fixed: IPsec GUI allows multiple identical Phase 1 entries when using FQDN for remote gateway #11912
• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values ​​with a decimal point #11967

IPv6 Router Advertisements (RADVD)

• Added: Use virtual link local IP address as RA source address for HA environments #11103
• Added: Shortcut buttons for service control and logs on RADVD configuration #11911
• Fixed: RADVD breaks on SIGHUP #11913

Interfaces

• Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
• Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
• Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
• Fixed: Incomplete PPPoE custom reset values ​​lead to invalid cron entry #11698
• Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855
• Added: VLAN list sorting #11968

L2TP

• Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
• Added: GUI option to set MTU for L2TP VPN server #11406

NTPD

• Fixed: NTP widget displays incorrect status #11495
• Fixed: NTP authentication input validation rejects valid keys #11850

Notifications

• Fixed: Invalid HTML encoding in modal Notices window #11765

OpenVPN

• Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
• Fixed: OpenVPN Wizard does not support gateway groups #11141
• Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521
• Added: Support for Cisco AVPair {clientipv6} template in firewall rules returns by RADIUS #11596
• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
• Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699
• Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
• Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
• Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830
• Changed: Update OpenVPN to 2.5.2 #11844
• Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869

Operating System

• Added: Kernel modules for alternate congestion control algorithms #7092
• Added: Kernel module for RTL8153 driver #11125
• Added: Xen console support #11402
• Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867

Routing

• Fixed: IPv4 link-local (169.254.xx) gateway does not function #11806

Rules / NAT

• Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
• Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
• Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
• Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762
• Fixed: Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only) #11805
• Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861
• Fixed: NAT 1:1 fail to validate aliases #11923

Traffic Shaper (ALTQ)

• Fixed: Harmless error when enabling traffic shaper #11229
• Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550

Traffic Shaper (Limiters)

• Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
• Fixed: Error when setting queue limit on CODELQ limiter #11725

Upgrade

• Fixed: Language presented to user during upgrade is misleading #11897

Web Interface

• Added: Replace HTTP links with HTTPS in the GUI #11228
• Fixed: Ambiguous text in help and input validation error for system domain name #11658
• Fixed: PHP error if PHP_error.log file is too large #11685
• Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702
• Fixed: HTTP Referer error message text is incorrect #11873
• Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880
• Fixed: Update NGINX to address CVE-2021-23017 #12061

WireGuard

• Fixed: Ignore WireGuard configurations under #11808

wireless

• Added: GUI options for WPA Enterprise with identity/password #2400
• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

XMLRPC

• Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082
• Fixed: XMLRPC Client does not honor its default timeout value #11718