Version 2.6 of pfSense has been released. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It is available in the free Community Edition and in a Plus edition, which was previously offered as the Factory Edition. It began in 2004 as a fork of m0n0wall, due to differing visions among the developers, and has grown over the years into a router and firewall package that can be deployed in both small and very large environments. For more information, see this page. The changelog for this release reads as follows:

This is a regularly scheduled release of pfSense CE and pfSense Plus software including new features, additional hardware support, and bug fixes.

Warning

When upgrading to pfSense Plus 22.01 and later versions, the pfSense-upgrade process will forcefully reinstall all operating system packages and add-on packages to ensure a consistent state and package set. This may increase the time the upgrade will take to download and install.

This release contains several significant changes to IPsec for stability and performance. Read the IPsec section of this document carefully.

Warning: IPsec VTI interface names have changed in this release. Configurations will be updated automatically where possible to use the new names. If any third party software configurations or other manual changes referenced the old IPsec VTI interface names directly (e.g. ) they must be updated to the new format.

Log Compression for rotation of System Logs is now disabled by default for new ZFS installations as ZFS performs its own compression.

Tip: The best practice is to disable Log Compression for rotation of System Logs manually for not only existing ZFS installations, but also for any system with slower CPUs. This setting can be changed under Status > System Logs on the Settings tab.

The default password hash format in the User Manager has been changed from bcrypt to SHA-512. New users created in the User Manager will have their password stored as a SHA-512 hash. Existing user passwords will be changed to SHA-512 next time their password is changed.

Note: User Manager passwords are only stored as a hash, thus existing users cannot be automatically changed to the new format. To convert a user password from an older hash format, change the password for the user in the User Manager.
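The hash-format migration described above, as an added example (this is illustrative PHP, not pfSense's own User Manager code): a stored crypt(3) hash is classified by its prefix, any existing format still verifies at login, and a password change always writes a fresh SHA-512 crypt hash. The function names, the salt length and the sample user are assumptions made for this illustration.

```php
<?php
// Added example, not pfSense code. Helper names are assumptions for illustration.

// Identify the format of a stored crypt(3) hash from its prefix.
function hash_format(string $hash): string {
    if (strncmp($hash, '$2', 2) === 0) {   // $2a$, $2b$, $2y$ are all bcrypt
        return 'bcrypt';
    }
    if (strncmp($hash, '$6$', 3) === 0) {
        return 'sha512';
    }
    if (strncmp($hash, '$1$', 3) === 0) {
        return 'md5';
    }
    return 'unknown';
}

// Build a SHA-512 crypt hash with a random 16-character salt drawn from the
// crypt(3) salt alphabet [./0-9A-Za-z] (base64 '+' is mapped to '.').
function sha512_crypt_hash(string $password): string {
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    return crypt($password, '$6$' . $salt . '$');
}

// Verify a candidate password against a stored hash of any crypt(3) format;
// crypt() re-derives the hash using the algorithm and salt encoded in $hash,
// so bcrypt hashes from before the upgrade keep working for login.
function password_matches(string $password, string $hash): bool {
    return hash_equals($hash, crypt($password, $hash));
}

// On a password change, store the new password as SHA-512 regardless of the
// format of the old hash. This is the only point at which the format changes,
// because the plaintext is not available from the stored hash.
function change_password(array $user, string $current, string $new): array {
    if (!password_matches($current, $user['password'])) {
        throw new RuntimeException('current password does not match');
    }
    $user['password'] = sha512_crypt_hash($new);
    return $user;
}

// Constructed sample: a user whose hash is still bcrypt from before the upgrade.
$user = ['name' => 'admin', 'password' => password_hash('oldpass', PASSWORD_BCRYPT)];

printf("before change: %s\n", hash_format($user['password']));
$user = change_password($user, 'oldpass', 'newpass');
printf("after change:  %s\n", hash_format($user['password']));
printf("new password verifies: %s\n", password_matches('newpass', $user['password']) ? 'yes' : 'no');
```

The design point is that verification stays format-agnostic, so nothing breaks at login for existing accounts, while the write path is pinned to the new format; the only way to migrate a user is therefore the password change the note describes.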

Fixed: PHP exits with signal 11 on SG-3100 when calling PCRE functions #11466

Fixed: Error loading rules when URL Table Ports content is empty #4893

Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818

Fixed: Unable to create nested URL aliases #11863

Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124

Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177

Changed: Use SHA-512 for user password hashes #10298

Fixed: Restoring from AutoConfigBackup presents reboot type selection option then reboots automatically #10662

Added: Backup and restore SSH host key(s) #11118

Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909

Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946

Changed: Make AutoConfigBackup menu entry point to the settings tab so it loads faster when there is no WAN connectivity #12093

Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247

Changed: Explicitly state where AutoConfigBackup stores encrypted backup data #12296

Changed: Remove deprecated libzmq code and references #12060

Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727

Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202

Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227

Fixed: rc.carpmaster only sends notifications via SMTP #12584

Fixed: Vouchers may expire too early when using RAM disks #11894

Fixed: Incorrect variable substitution in captive portal error page #11902

Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138

Fixed: Captive Portal database and ipfw rules are out of sync after unclean shutdown #12355

Fixed: Captive Portal input validation for "After authentication Redirection URL" and "Blocked MAC address redirect URL" is swapped #12388

Fixed: Captive Portal online user statistics data is not cleared on unclean shutdown #12455

Fixed: Certificate Revocation tab does not list active users of CRL entries #11831

Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922

Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034

Added: Input validation to prevent unsupported UTF-8 characters from being used in certificate subject components #12035

Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581

Changed: Suppress kernel messages when loading dummynet and thermal sensor modules #12454

Added: DHCPv4 client does not support supersede statement for option 54 #7416

Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659

Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905

Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216

Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277

Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

Fixed: Unbound crashes with signal 11 when reloading #11316

Fixed: Unbound falls back to using all outgoing network interfaces if manually selected outgoing interface(s) are unavailable #12460

Fixed: System Information widget unnecessarily polls data for hidden items #12241

Fixed: IPsec widget generates errors if no tunnels are defined #12337

Fixed: IPsec widget treats phase 1 in “connecting” state as connected #12347

Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349

Fixed: Thermal Sensors Dashboard widget filter for negative values refers to invalid variable #12470

Fixed: State table content on diag_dump_states.php does not sort properly #11852

Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983

Fixed: “GoTo line #” function does not work on diag_edit.php #12050

Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256

Added: Include firewall rules from packages which failed to load in status output #12269

Added: Include firewall rules generated from OpenVPN RADIUS ACL entries in status output #12316

Fixed: ARP table interface column empty for entries on unassigned interfaces #12698

Added: Option to set interval of forced Dynamic DNS updates #9092

Added: Support DNS Made Easy authentication without a username #9341

Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816

Added: New Dynamic DNS Provider: Strato #11978

Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007

Fixed: NoIP.com incorrectly encodes Dynamic DNS update credentials #12021

Added: New Dynamic DNS Provider: deSEC #12086

Added: Support Check IP services which return bare IP address values #12194

Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331

Added: Dynamic DNS client proxy support #12342

Fixed: Update Dynamic DNS code for one.com to use their new login process #12352

Fixed: Dynamic DNS updates do not respect certificate authority trust store #12589

Fixed: Dynamic DNS client updates using a private IP address when it cannot determine the public IP address #12617

Fixed: Dynamic DNS may not use the correct interface when updating during failover #12631

Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653

Changed: Upgrade to pkg 1.17.x #12171

Added: Support DNS server gateway selection on system.php for multiple gateways not assigned to interfaces #12116

Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

Added: Support for network interfaces using the qlnxe driver #11750

Fixed: Incorrect RADVD log message on HA event #11966

Added: Support 0 CIDR mask for IGMP Proxy networks #7749

Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275

Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801

Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447

Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552

Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891

Fixed: IPsec status tunnel descriptions are incorrect #11910

Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933

Fixed: IPsec status fails when many tunnels are connected #11951

Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967

Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023

Fixed: Applying IPsec settings for many tunnels is slow or times out #12026

Fixed: Gateway alarm always triggers IPsec restart #12039

Changed: Improve IPsec identifier settings #12044

Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052

Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155

Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169

Added: Add connect/disconnect buttons to IPsec dashboard widget #12181

Added: GUI options to configure IKE retransmission behavior #12184

Fixed: IPsec status shows connect buttons while tunnel is connecting #12189

Fixed: IPsec writes CRL files when tunnel does not use certificates #12195

Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196

Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197

Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198

Fixed: Disabled IPsec VTI interfaces are always created #12212

Fixed: IPsec bypass rules display help text under each entry #12236

Fixed: IPsec phase 1 entry with 0.0.0.0 as its remote gateway does not receive correct automatic firewall rules #12262

Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289

Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298

Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315

Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323

Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324

Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328

Fixed: Incorrect label for IPsec DH group 32 #12350

Added: Distinguish between policy-based and route-based entries on IPsec status SPD tab #12397

Fixed: Console boot output includes Configuring IPsec VTI interfaces when no VTI interfaces are configured #12419

Changed: Add IPsec phase 2 BINAT subnet size input validation #12430

Fixed: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group #12566

Fixed: IPsec Mobile Client RADIUS Advanced parameters are not reset to default values when disabled #12575

Fixed: radvd only responds to the first Router Solicitation received after each multicast Router Advertisement #10304

Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159

Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173

Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280

Fixed: “Default preferred lifetime” field for IPv6 RA does not have input validation #12439

Fixed: IPv6 interface prefix change not reflected in RADVD configuration #12604

Fixed: Router Advertisement DNS search domain from one interface may unintentionally be used by other interfaces #12626

Added: Restore RRD and extra data from configuration backups when restoring during installation #12518

Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507

Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337

Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662

Fixed: VLAN and QinQ edit pages allow selecting incompatible OpenVPN tun interfaces #11675

Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926

Added: VLAN list sorting #11968

Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002

Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049

Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170

Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252

Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253

Fixed: Remove subnet overlap check on LAN interfaces when using 6rd #12371

Fixed: “6RD Prefix” field does not have input validation #12435

Fixed: Trying to delete an assigned PPPoE interface fails without printing an error message #12514

Fixed: Kernel panic during L2TP retransmit #9058

Fixed: FQDN L2TP server address is only resolved at boot #12072

Fixed: Logging configuration added by a package is not removed on uninstall #11846

Fixed: Remote log server input validation allows invalid values #12000

Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011

Changed: Improve log settings help text for file size, compression, and retention count #12012

Added: Create a log entry when a configuration change occurs #12118

Fixed: Rotation settings for individual log files do not take effect after saving #12366

Added: Poll Interval For GPS and PPS #9439

Added: Support for NTP Peer mode #11496

Added: Support SHA-256 hash NTP authentication #12213

Added: Option to suppress expiration notifications for revoked certificates #12109

Added: Support for Slack notifications #12291

Added: Send notification for halt, reboot, and reroot events #12441

Fixed: rc.notify_message only sends notifications via SMTP #12585

Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668

Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684

Fixed: OpenVPN client certificate validation with OCSP always fails #11829

Added: Option to validate OpenVPN peer TLS certificate key usage #11865

Added: Log external IP address of OpenVPN clients on connect and disconnect #11935

Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938

Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999

Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020

Fixed: Incorrect OpenVPN Client Export help link #12022

Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076

Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102

Fixed: OpenVPN Wizard configuration missing recently added default values #12172

Fixed: OpenVPN does not clean up previous CA and CRL files #12192

Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218

Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219

Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223

Fixed: OpenVPN page allows to delete/disable instance with an assigned interface #12224

Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232

Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238

Added: Pop-up window to view firewall rules generated from RADIUS ACL entries on the OpenVPN status page #12321

Added: Support OpenVPN client-kill to terminate remote clients instead of clearing their session #12416

Fixed: Set OpenVPN Gateway Creation value to “Both” by default for new instances #12448

Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985

Fixed: Update NGINX to address CVE-2021-23017 #12061

Added: Suppress kernel messages for lo0 configuration during boot #12094

Changed: Convert RAM disks to tmpfs #12145

Changed: Add note in log settings that disabling logging also disables sshguard login protection #12511

Fixed: Kernel panic in nd6_dad_timer() #12548

Fixed: diag_dump_states.php no longer filters by rule ID #12605

Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

Added: Option to select PPPoE Server authentication protocol #12438

Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290

Added: Add librdkafka package to the pfSense package repository #12290

Fixed: PHP error on pkg_mgr_install.php when multiple instances are running #12713

Added: Graph for hardware temperature readings #9297

Fixed: Static routes using aliases are not automatically updated when alias content changes #7547

Fixed: Input validation does not prevent removing a gateway used by a DNS server #8390

Fixed: Kernel route table entries are removed if they match disabled static route entries #10706

Fixed: Modifying static routes results in a logged error, changes are not reflected in routing table #11599

Added: Require user to manually apply changes after altering static route entries #11895

Fixed: Route overlap input validation does not work properly #12554

Added: IPv6 support in easyrule CLI script #11439

Fixed: NAT rule overlap detection is inconsistent #11734

Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923

Fixed: easyrule script does not function properly #12151

Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164

Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168

Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174

Fixed: VIP network addresses are not expanded on Port Forward rules #12233

Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272

Added: Display default “Reflection Timeout” value on system_advanced_firewall.php #12318

Fixed: NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode #12319

Fixed: NAT rule overlap detection does not check special networks #12361

Fixed: Input validation prevents creating 1:1 NAT rules on OpenVPN #12408

Fixed: 1:1 NAT edit page lists incorrect entries in the Destination field #12410

Added: Icon for traffic direction on floating rules tab #12433

Fixed: Port forward rules are not created for special networks (pppoe, openvpn) #12452

Fixed: Automatic outbound NAT for reflection does not support IPv6 #12500

Fixed: Interface group name starting with a digit creates invalid XML for rule separators #12529

Added: Change Gateway/Group name in firewall rule list to clickable link to edit page for the entry #12555

Fixed: Automatic rule tracker IDs incorrect after multiple filter reloads #12588

Fixed: PHP error when clicking Delete on Outbound NAT with no rules selected #12694

Added: IPv6 support for base system SNMP service #12325

Fixed: System attempts to stop inactive services at shutdown #12001

Fixed: System attempts to start inactive services at boot #12038

Added: IPv6 support in the Traffic Shaper Wizard #4769

Fixed: Panic when using CBQ traffic shaping #11470

Added: Allow Chelsio T6 CXGBE (cc) drivers to be used for ALTQ traffic shaping #12499

Changed: Traffic shaper wizard default bandwidth type should be Mbit/s #12501

Fixed: Unable to delete limiter referenced in filter rules #12503

Fixed: Kernel panic when using fq_pie limiter scheduler #12622

Added: UPnP/NAT-PMP STUN configuration options #10587

Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

Added: Copy button for group entries in the User Manager #12226

Fixed: Validation when deleting a VIP does not check if the VIP is used by IPsec phase 1 entries #12356

Fixed: Validation when deleting a VIP does not prevent deleting a CARP VIP used as a parent for an IP Aliases VIP #12362

Added: Wake on LAN button to wake all devices #12480

Changed: Update font formats to WOFF2 #11507

Fixed: DHCP Leases page and ARP table page fail to load if DNS is not available #11512

Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107

Fixed: Lack of DNS or Internet connectivity causes GUI to be slow #12141

Changed: Convert help shortcut links to server-side redirects #12314

Fixed: Help text for RAM disk settings does not mention Captive Portal data #12389

Fixed: Input validation error can unintentionally result in removal of PPP type interface settings #12498

Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453

Fixed: Interfaces page does not show Wireless EAP client options #12239