pfSense plus 各发行版本说明

v25.03 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General¶

Older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. pfSense plus software attempts to detect known affected models of hardware from Netgate. Other devices may require manual intervention.

See ISA Serial Console not Fully Functional for details and a workaround.
This version of pfSense Plus software includes a new kernel-based PPPoE backend, if_pppoe. This will replace the current MPD-based implementation. This new backend is more efficient and enables much faster speeds over PPPoE interfaces.

This new PPPoE backend is not active by default in this version, but can be enabled with the global option under **System > Advanced** on the **Networking** tab. This backend will be enabled by default on future versions of pfSense Plus software.

The if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.

pfSense Plus¶

Changes in this version of pfSense Plus software.

Aliases / Tables¶

Added: System Aliases for various reserved networks #15776
Changed: Exclude the WireGuard and Tailscale interface group system aliases from rules #15848

Auto Configuration Backup¶

Fixed: Long configuration revision reasons can cause AutoConfigBackup upload to fail #12249
Fixed: AutoConfigBackup scheduled backups always upload even when the configuration has not changed #16010
Fixed: AutoConfigBackup remote revision timestamps may not be unique due to batch uploads #16011
Fixed: “Reset” button on AutoConfigBackup Restore tab does not submit the form #16012
Changed: AutoConfigBackup code cleanup and GUI refresh #16013
Added: Download function for AutoConfigBackup entries #16014
Added: Method to change the AutoConfigBackup device key #16015

Backup / Restore¶

Fixed: Reinstall Packages button reports another instance of pfSense-upgrade is running #15494
Fixed: Backup configuration cache is not cleaned automatically #15994

Captive Portal¶

Fixed: PHP error in Captive Portal with undefined zone interface list #15907
Fixed: Captive Portal does not function with MAC filtering disabled #15926
Fixed: Captive Portal service management via pfSsh.php svc fails when the zone name contains uppercase letters #16030
Fixed: Creating a Captive Portal zone with uppercase letters overwrites existing zones of the same name #16032

Certificates¶

Added: Certificate Authorities created in the GUI do not have the Basic Constraints extension marked critical #15818
Changed: Additional error handling for invalid certificate configuration #15975

Configuration Backend¶

Fixed: PHP error on save with very long configuration change descriptions #15911

DHCP (IPv4)¶

Added: Kea DHCP Custom Configuration Support (IPv4 and IPv6) #15321
Fixed: Kea fails to start if DHCP pool configuration contains default lease time or max lease time #15332
Added: Kea Static ARP Support (IPv4 only) #15654
Fixed: Kea can unintentionally attempt to spawn multiple processes and fail #16019
Fixed: Static lease DNS records are incorrectly removed when backing lease expires #16022

DHCP (IPv6)¶

Fixed: Old IPv6 addresses may continue to be used after DHCP or RA changes #12947
Added: Kea DHCPv6 Prefix Delegation Support (IPv6 Only) #15652

DNS Forwarder¶

Fixed: Unable to change DNS Forwarder domain overrides #15890

DNS Resolver¶

Fixed: DNS Resolver option for Query Name Minimization cannot be disabled #15925

Dashboard¶

Fixed: Clicking the picture widget image downloads the image with an invalid filename instead of showing it inline #15767
Changed: Improve the system load impact from Dashboard widgets #15969

Diagnostics¶

Fixed: Adding Wake-On-LAN entry from ARP table view can incorrectly include OEM text in MAC address field #15162
Fixed: PHP error from invalid IPv6 address on diagnostics_ping.php #16005
Fixed: The filtered states shown may include states for interfaces other than the selected interface #16043
Fixed: Cannot kill states using the post-NAT address #16047

Dynamic DNS¶

Added: Improve Dynamic DNS client IPv6 support #11177
Added: Per-instance options to control Dynamic DNS client Check IP Service behavior #14067
Fixed: Dynamic DNS uses the default gateway interface instead of the specified interface #14605
Fixed: RFC 2136 Dynamic DNS cannot update AAAA records over IPv6 #16028
Fixed: Dynamic DNS IP address may not be updated after changing the interface of a Dynamic DNS entry #16046

Gateway Monitoring¶

Fixed: The monitoring IP address for dynamic gateways may be unexpectedly routed via a different gateway #16069

Gateways¶

Changed: Clarify descriptions for gateway recovery options #15429
Fixed: Cannot set a new name when duplicating an existing gateway group #16036

IPsec¶

Fixed: Input validation for duplicate remote gateways does not work when using the duplicate P1 button #15598
Fixed: Firewall generates invalid rules for IPsec tunnels with descriptions containing special symbols #16095

IPv6 Router Advertisements (radvd/rtsold)¶

Fixed: Incorrect warning from radvd about AdvRDNSSLifetime value #12938
Added: PREF64 support in Router Advertisements #15808
Fixed: Routing Advertisements daemon fails to start when configured with more than 3 RDNSS entries in a prefix #15876

Interfaces¶

Fixed: Config access error with null static routes #16104
Fixed: Config access error after changing an interface from DHCP to Static #16105

L2TP¶

Fixed: L2TP server settings are not saved correctly #15882

Logging¶

Added: Enhanced firewall log action information display #15415
Fixed: PHP error when saving System Log settings #15988

Multi-Instance Management¶

Fixed: MIM GUI is unable to write IPv6 aliases #15959
Fixed: Renaming an alias in MIM does not update firewall and NAT rules with the new alias name #15989

NTPD¶

Fixed: PHP error after saving NTP settings with an interface selected #16063

OpenVPN¶

Fixed: Configuration upgrade from before revision 19.1 removes OpenVPN settings #15895

Operating System¶

Fixed: pftop core dump with ICMP states #15595
Fixed: Azure: User credentials entered during new VM deployments are not applied to the system #15871
Fixed: Values obtained from sysctl are sometimes unexpectedly empty, leading to PHP and other math errors #14648
Fixed: Errors on the console when starting/stopping services #15912
Fixed: RAM disk configuration check fails at boot #16023
Fixed: RAM Disk cron jobs are not saved correctly #16059
Fixed: Panic accessing sysctl OID net.inet.ip.nhdispatch with an INVARIANTS kernel #16081

PHP Interpreter¶

Fixed: Cookie named id prevents some forms from being loaded or saved properly #11268

Package System¶

Fixed: Deleting one pre-installed package may delete other pre-installed packages #15643
Fixed: The package post-install script does not run with a system upgrade on ZFS #16057
Changed: pkg no longer supports setting ALTABI manually at run-time #16060

Rules / NAT¶

Fixed: Separators for Ethernet rules span past the actions column #16079
Added: NAT64 support #2358
Fixed: Incorrect rule may be opened for editing after rule order has changed #15935
Fixed: Tracking information for firewall rules is not shown when editing the rule #15936
Fixed: Warning message in logs when changing firewall rules after setting Require Firewall Interface #15961
Fixed: Deleting or adding a firewall rule may result in an unexpected rule order #16076

System Logs¶

Added: Separate IDS/IPS and link-local firewall log entries from default block logging #16092

Traffic Shaper (ALTQ)¶

Fixed: Error when viewing ALTQ Traffic Shaper queue status #15885

Traffic Shaper (Limiters)¶

Fixed: Limiters saved while MIM is enabled disappear after reboot #16051
Fixed: Input validation error when applying limiter changes #13158
Fixed: Setting a limiter queue length greater than 100 prevents the limiter from loading #13662
Fixed: Cannot add limiters named new #13687
Fixed: PHP error when a queue is added with the same name as a limiter #15914

UPnP IGD & PCP¶

Changed: Update UPnP IGD & PCP GUI text #15864
Changed: Make the UPnP IGD & PCP STUN port optional #15865

Upgrade¶

Fixed: Upgrade available LED not set before branch is selected. #15880
Changed: Link to release information on the system update page #15953
Fixed: Boot loader is not upgraded on UFS installs #16064

User Manager / Privileges¶

Fixed: Users with Deny Config Write privilege can trigger some VLAN interface operations #15282
Fixed: Users with Deny Config Write privilege can trigger some QinQ interface operations #15318
Fixed: PHP error when a user is denied access to the dashboard #15873
Fixed: Users with Deny Config Write privilege can trigger logging operations #15874
Fixed: Users with Deny Config Write privilege can change their own password #15908

Web Interface¶

Added: Custom message text for the login screen #9293
Changed: Update nginx HTTP2 syntax #15863
Fixed: Incorrect color in button text within disabled rows #15977

v24.11 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

General

This release includes support for High Availability in the Kea DHCP daemon.

This implementation has several advantages over the older ISC DHCP implementation, including:
- Supports HA for DHCPv4 and DHCPv6.
- Simplified HA setup, all in one place on each node for each type.
- Works in hot standby mode, which is more reliable.
- Can synchronize lease data over the SYNC interface for security and ease of use, and can optionally encrypt the sync data for added protection.
This release includes support for DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver
- DNS records are updated dynamically on-the-fly, they do not require a resolver restart and are not disruptive.
- Supports DNS Registration for DHCPv4 and DHCPv6
- DNS Registration can be configured on a per-interface or global manner, with the ability to enable or disable specific interfaces as needed.
- DNS records are limited to the system domain name. DNS Registration honors the domain name on the DHCP settings for each interface and on static mappings.
- DNS records are accurate/updated on both high availability peers
- Static mappings can be registered when Kea starts (similar to ISC) or when a static mapping client obtains a lease.

Aliases / Tables

Added: Allow user-defined rules to utilize built-in system aliases #1979

Authentication

Fixed: sshguard is not properly detecting GUI login failures #15687
Fixed: GUI logout messages do not use the auth log facility #15719

Auto Configuration Backup

Fixed: Special characters in the ACB configuration change description can cause PHP errors #15711
Fixed: AutoConfigBackup tries to upload backups before the system has finished booting #15718

Backup / Restore

Fixed: Factory resetting the configuration removes WireGuard #15511
Fixed: Skip Packages option for Configuration Backups fails with large configurations #15624

CARP

Fixed: HA node with CARP VIP in backup state is unable to ping the active node using that CARP VIP address #14026

Captive Portal

Fixed: Captive Portal logo fails to load after authenticated redirect #15404
Fixed: Captive Portal zones can fail to start due to ID conflict #15772

Certificates

Fixed: CA certificates are not added to the Trust Store #15440
Fixed: Certificate Manager GUI inconsistency in Revocation tab titles #15454

Configuration Backend

Fixed: System proxy credentials with certain characters may fail to authenticate #15565

DHCP (IPv4)

Added: Settings tab for global Kea DHCP server options #5080
Fixed: Kea fails to restart due to race between process termination and startup #14977
Fixed: Kea will not start with identical MAC address filters on multiple interfaces #15130
Fixed: Changes in Kea DHCP interface pools may invalidate lease database content #15328
Fixed: Kea does not send configured TFTP server name #15518
Added: Kea High Availability Support (IPv4 and IPv6) #15575
Added: Kea DNS Resolver (Unbound) Integration (IPv4 and IPv6) #15651
Fixed: IPv4 DHCP client responses may be routed unexpectedly out unrelated WANs #15702
Fixed: Hostnames for ISC DHCP leases are not removed from Unbound when switching to Kea #15750
Added: Kea DHCP lease database RAM disk support (IPv4 and IPv6) #15828

DNS Forwarder

Fixed: DNS Forwarder ignores “Use remote DNS Servers, ignore local DNS” setting #15434
Changed: Update dnsmasq to version 2.90 #15465

DNS Resolver

Fixed: Reduce disruptions when changing DNS records from DHCP leases in Unbound #5413
Changed: Update Unbound to 1.22.0 #15483
Fixed: Automatic EDNS value may be lower than expected #15704
Fixed: Unbound configuration file contains Localhost address in forwarding mode with TLS enabled #15722
Fixed: unbound-checkconf fails with python mode enabled #15723

Dashboard

Added: Improve Thermal Sensors Dashboard widget readability #13520
Fixed: Traffic Graph widget displays bandwidth usage values which are half the actual usage amount #14933
Fixed: Firewall Logs Dashboard widget update interval does not behave as expected #15373
Added: Show current boot method in System Information Dashboard widget #15422
Fixed: Incorrect icon on collapsed dashboard widgets #15439
Fixed: Dashboard widgets refresh at unintended intervals #15725
Changed: Improve Thermal Sensors Dashboard widget refresh code #15728
Fixed: Session cookie warnings #15729

Diagnostics

Fixed: Sanitize RFC 2136 Dynamic DNS update keys in status.php output #15490
Fixed: File browser on diag_edit.php does not encode directory names before display #15525
Fixed: State table entries printed on diag_dump_states.php may contain an unexpected interface #15657

Dynamic DNS

Added: Enable @ support for Azure in Dynamic DNS #10000
Added: Enable @ support for name.com in Dynamic DNS #14289
Changed: Update Dynamic DNS API URL for porkbun.com #15779
Fixed: Dynamic DNS attempts to resolve entries with disabled interfaces #15802

FreeBSD

Fixed: Kernel panic in HA nodes when under high load #15413

Gateway Monitoring

Fixed: Gateway monitoring includes disabled gateways #15635

Gateways

Fixed: No default route after boot #15791

High Availability

Fixed: Removing a route from the High Availability primary node does not remove the entry from the routing table on the secondary node #15795

IGMP Proxy

Fixed: Kernel Panic when IGMPProxy gets CIDR Removed #15831

IPsec

Fixed: Mobile IPsec does not automatically switch to failover gateway #15685
Fixed: Mobile IPsec sends incorrect DNS attribute IDs #15755

IPv6 Router Advertisements (radvd/rtsold)

Fixed: Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD #12581

Installer

Fixed: Installing to ZFS mirror does not format or populate EFI partition on additional disks #15083

Interfaces

Fixed: Adding MSS and MTU values on a LAGG VLAN interface breaks connectivity #14083
Fixed: PHP error when applying interface settings if the /tmp/.interfaces.apply file is present but empty #15423
Added: Use natural sorting when sorting interfaces #15437
Fixed: OpenVPN QinQ interface creation fails #15692
Fixed: Interface group members are not validated on load/save on interfaces_groups_edit.php, and are printed without encoding on interfaces_groups.php #15778

Logging

Fixed: Restarting the logging daemon during rotation also restarts sshguard, leading to frequent log messages #12747

Multi-WAN

Fixed: State Killing on Gateway Recovery fails for the default gateway group with the “Kill all” option selected #15694

NTPD

Added: NTP authentication support #8794

OpenVPN

Added: More GUI options for OpenVPN Client-Specific Overrides #12522
Fixed: PHP error with OpenVPN server certificate verification if the certificate has multiple CN attributes #15133

Operating System

Fixed: Kernel panic with pflow configured and active #15446
Fixed: Proxy variables in crontab contents are improperly formatted #15502
Fixed: resizewin occasionally gets fed a spurious line feed over certain serial console+client combinations #15777

PHP Interpreter

Changed: Update PHP to 8.3.x #15053
Fixed: Memory leak in pfSense module function pfSense_get_ifaddrs() #15471

Package System

Fixed: Updates fail against an authenticated upstream proxy #15094
Fixed: Package navigation menus can be duplicated when reinstalling the package #15700

Packet Capture

Added: Allow filtering packet captures by system-defined protocols #15609

Routing

Fixed: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 interface #15430
Fixed: IPsec VTI static routes may not be added after the system boots #15449
Fixed: Saving an IPv6 gateway overrides the IPv4 gateway #15589
Fixed: Routes with IPv6 Address as Next Hop for IPv4 Destination Causes Kernel Panic #15601
Fixed: Static routes using null gateways are not installed #15669

Rules / NAT

Fixed: Per-rule byte counter values lost across a filter reload #15516
Fixed: Separator positions are incorrect when copying interface group rules #15537
Added: GUI options to change default SCTP state timeouts #15661
Fixed: Setting the Port Forward interface to an interface group selects an invalid destination #15671

S.M.A.R.T.

Changed: Query for SMART data only on root disk devices #15586

SNMP

Fixed: File descriptor leak in bsnmpd #15481

Services

Fixed: NTP option “DNS Resolution” has no effect when using NTP pool hostnames #15552

UPnP/NAT-PMP

Fixed: Port forward rules created by miniupnpd do not expire #15470

Upgrade

Fixed: Upgrading an EFI system installed to ZFS mirror does not upgrade EFI loader on additional disks #15084

User Manager / Privileges

Fixed: CLI password check exits with a write access error when checking is a read-only operation #15442

Virtual IP Addresses

Fixed: Network and broadcast address input validation is incorrectly applied to IPv6 VIPs #15361

Web Interface

Changed: Remove deprecated HTTP/1.0 Pragma header #15781
Changed: Use minified nvd3 vendor files #15782