Select Page

The newest pfSense Community Edition release is now out.

This version is dubbed the pfSense CE 2.5.2 release.


  • Added: WireGuard experimental add-on package

pfSense CE

Aliases / Tables

  • Added: PHP shell playback script to modify Alias contents #11380


  • Added: Copy button for Authentication Server entries #11390

Backup / Restore

  • Added: Randomize time of scheduled AutoConfigBackup runs #10811
  • Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups #11748
  • Fixed: AutoConfigBackup schedule custom hour value lost on page load #11946

Captive Portal

  • Added: Redirect Captive Portal users to login page after they logout #11264
  • Fixed: Captive Portal post-auth redirect is not properly respected #11842
  • Fixed: Potential XSS vulnerability in Captive Portal redirurl handling #11843


  • Fixed: Certificate Manager does not report Unbound as using a certificate #11678
  • Fixed: PHP error on certificate list due to unreadable private key #11859
  • Fixed: Export P12 icon is missing if certificate is not locally renewable #11884

Configuration Upgrade

  • Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels #11801

Console Menu

  • Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914


  • Fixed: does not get executed when advanced options are set #11883

DNS Forwarder

  • Fixed: Disable DNSSEC option for dnsmasq #11781
  • Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866

DNS Resolver

  • Fixed: Unbound Python Integration repeatedly mounts dev without unmounting #11456
  • Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
  • Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915


  • Fixed: Thermal sensors widget no longer shows values from certain hardware #11787
  • Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
  • Fixed: Editing widgets on Dashboard causes a PHP Warning #11939


  • Fixed: ARP Table populates hostname values using expired DHCP lease data #11510
  • Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
  • Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
  • Fixed: MAC address OEM information missing from ARP table #11819
  • Fixed: State table content on diag_dump_states.php does not sort properly #11852

Dynamic DNS

  • Added: New Dynamic DNS Provider: Mythic-Beasts #7842
  • Added: New Dynamic DNS Provider: #11293
  • Added: New Dynamic DNS Provider: Yandex PDD #11294
  • Added: New Dynamic DNS Provider: NIC.RU #11358
  • Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
  • Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
  • Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
  • Fixed: Dynamic DNS update failure is not detected properly #11815
  • Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840


  • Added: Input validation to prevent setting a load balancing gateway group as default #11164

Hardware / Drivers

  • Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
  • Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524

High Availability

  • Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy

  • Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904


  • Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
  • Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering #11395
  • Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
  • Fixed: strongSwan configuration always contains user EAP/PSK values #11564
  • Added: IPsec GUI option to control Child SA start_action #11576
  • Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
  • Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
  • Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
  • Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
  • Fixed: ipsec_vti() does not skip disabled VTI entries #11832
  • Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912
  • Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

IPv6 Router Advertisements (RADVD)

  • Added: Use virtual link local IP address as RA source address for HA environments #11103
  • Added: Shortcut buttons for service control and logs on RADVD configuration #11911
  • Fixed: RADVD breaks on SIGHUP #11913


  • Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
  • Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
  • Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
  • Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698
  • Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855
  • Added: VLAN list sorting #11968


  • Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
  • Added: GUI option to set MTU for L2TP VPN server #11406


  • Fixed: NTP widget displays incorrect status #11495
  • Fixed: NTP authentication input validation rejects valid keys #11850


  • Fixed: Invalid HTML encoding in modal Notices window #11765


  • Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
  • Fixed: OpenVPN Wizard does not support gateway groups #11141
  • Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances #11521
  • Added: Support for Cisco AVPair {clientipv6} template in firewall rules returns by RADIUS #11596
  • Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
  • Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect #11699
  • Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
  • Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
  • Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php #11830
  • Changed: Update OpenVPN to 2.5.2 #11844
  • Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869

Operating System

  • Added: Kernel modules for alternate congestion control algorithms #7092
  • Added: Kernel module for RTL8153 driver #11125
  • Added: Xen console support #11402
  • Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed #11867


  • Fixed: IPv4 link-local (169.254.x.x) gateway does not function #11806

Rules / NAT

  • Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
  • Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
  • Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
  • Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error #11762
  • Fixed: Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only) #11805
  • Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861
  • Fixed: NAT 1:1 fail to validate aliases #11923

Traffic Shaper (ALTQ)

  • Fixed: Harmless error when enabling traffic shaper #11229
  • Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550

Traffic Shaper (Limiters)

  • Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
  • Fixed: Error when setting queue limit on CODELQ limiter #11725


  • Fixed: Language presented to user during upgrade is misleading #11897

Web Interface

  • Added: Replace HTTP links with HTTPS in the GUI #11228
  • Fixed: Ambiguous text in help and input validation error for system domain name #11658
  • Fixed: PHP error if PHP_error.log file is too large #11685
  • Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks #11702
  • Fixed: HTTP Referer error message text is incorrect #11873
  • Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls #11880
  • Fixed: Update NGINX to address CVE-2021-23017 #12061


  • Fixed: Ignore WireGuard configurations under <installedpackages></installedpackages> #11808


  • Added: GUI options for WPA Enterprise with identity/password #2400
  • Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453


  • Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node #11082
  • Fixed: XMLRPC Client does not honor its default timeout value #11718
WordPress Appliance - Powered by TurnKey Linux