We are happy to announce the release of pfSense® software version 2.3.4!

This is a maintenance release in the 2.3.x series, bringing stability and bug fixes, fixes for a few security issues, and a handful of new features. The full list of changes is on the 2.3.4 New Features and Changes page, including a list of FreeBSD and internal security advisories addressed by this release.

This release includes fixes for 24 bugs and 11 Features.

Read on for more details. May the 4th be with you.

On the 2.3.4-RELEASE Dashboard you’ll find a few additional pieces of information: The BIOS vendor, version, and release date – if the firewall can determine them – and a Netgate Unique ID. The Netgate Unique ID is similar to a serial number, it is used to uniquely identify an instance of pfSense software for customers who want to purchase support services. For hardware sold in our store, it also allows us to tie units to our manufacturing records. This ID is consistent across all platforms (bare metal, virtual machines, and hosted/cloud instances such as AWS/Azure). We had originally intended to use the hardware serial number or the UUID generated by the operating system, but we found that these were unreliable, inconsistent, and they could change unexpectedly when the operating system was reinstalled.

As with the serial number, this identifier is only displayed on the Dashboard for information purposes and is not transmitted anywhere automatically by default. In the future, customers can use this identifier when requesting support information from our staff or systems.

If you haven’t yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.

Firewall GUI Certificates

Users of Chrome 58 and later, and in some cases Firefox 48 and later, may have issues accessing the pfSense Web GUI if it uses a default self-signed certificate generated automatically by a firewall running pfSense version 2.3.3-p1 or earlier. This is because Chrome 58 strictly enforces RFC 2818 which calls for only matching hostnames using Subject Alternative Name (SAN) entries rather than the Common Name field of a certificate, and the default self-signed certificate did not populate the SAN field.

We have corrected the certificate code to correctly follow RFC 2818 in a user-friendly way by automatically adding the certificate Common Name value as the first SAN entry.

Firewall administrators will need to generate a new certificate for use by the GUI in order to utilize the new format. There are several ways to generate a compatible certificate, including:

Generate and activate a new GUI certificate automatically from the console or ssh shell using one of our playback scripts: pfSsh.php playback generateguicert

Utilize the ACME package to generate a trusted certificate for the GUI via Let’s Encrypt, which is already properly formatted.

Manually create a new self-signed Certificate Authority (CA) and a Server Certificate signed by that CA, then use that for the GUI.

Activate the local browser “EnableCommonNameFallbackForLocalAnchors” option in Chrome 58. This setting will be removed by Chrome eventually, so this is only a temporary fix.

Some users may remember this is not the first time that the default certificate format has been problematic due to browser changes. Several years ago, Firefox changed the way they calculate certificate trust chains, which could make a browser appear to freeze or hang when attempting to access multiple firewalls with self-signed certificates containing common default data which resulted in all such certificates containing the same Subject. Fixing that was more of a challenge, but it resulted in a much better end-user experience.

Upgrade Considerations

As always, you can upgrade from any prior version directly to 2.3.4. The Upgrade Guide covers everything you’ll need to know for upgrading in general. There are a few areas where additional caution should be exercised with this upgrade if upgrading from 2.2.x or an earlier release, all noted in the 2.3 Upgrade Guide.

Known Regressions

While, nearly all of the common regressions between 2.2.6 and 2.3-RELEASE have been fixed in subsequent releases, the following still exist:

IPsec IPComp does not work. This is disabled by default. However in 2.3.1, it is automatically not enabled to avoid encountering this problem. Bug 6167

IGMP Proxy does not work with VLAN interfaces, and possibly other edge cases. Bug 6099. This is a little-used component. If you’re not sure what it is, you’re not using it. This has been fixed on our 2.4 development branch.

Those using IPsec and OpenBGPD may have non-functional IPsec unless OpenBGPD is removed. Bug 6223

Packages

Compared to pfSense 2.2.x, the list of available packages in pfSense 2.3.x has been significantly trimmed. We have removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable. A few have yet to be converted for Bootstrap and may return if converted. See the 2.3 Removed Packages list for details.

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Main repository - the web GUI, back end configuration code, and build tools.

FreeBSD source - the source code, with patches of the FreeBSD base.

FreeBSD ports - the FreeBSD ports used.

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.