2.5.0-P0 New Features and Changes

AZTCO-FW® AZTCO-FW version 2.5.0 include a major OS version upgrade,

a kernel WireGuard implementation, OpenSSL upgrades, VPN and related security improvements,

plus numerous other bug fixes and new features.

AZTCO-FW

Customers running the Factory Edition of AZTCO-FW software version 2.4.5-p1

and older can upgrade in-place automatically to

AZTCO-FW software version 2.5.0 as with any other previous upgrade.

Changes

Updated IPsec profile export
- Exports Apple profiles compatible with current iOS and OS X versions
- New export function for Windows clients to configure tunnels using PowerShell

Operating System / Architecture changes

Base OS upgraded to FreeBSD 12.2-STABLE
OpenSSL upgraded to 1.1.1i-freebsd
PHP upgraded to 7.4
Python upgraded to 3.7

Security / Errata

Deprecated the built-in relayd Load Balancer
- relayd does not function with OpenSSL 1.1.x
- The relayd FreeBSD port has been changed to require libressl – There is no apparent sign of work to make it compatible with OpenSSL 1.1.x
- The HAProxy package may be used in its place; It is a much more robust and more feature-complete load balancer and reverse proxy

Aliases/Tables

Fixed aliases to allow IPv6 prefix entries which end in IPv4 addresses (e.g. x:x:x:x:x:x:d.d.d.d from RFC 4291 section 2.2.2)
Fixed a PHP error processing aliases when the configuration contains no aliases section
Fixed URL-based Alias only storing last-most entry in the configuration
Fixed an issue with PF tables remaining active after they had been deleted
Added Internationalized domain names support for aliases
Added the ability to copy an existing alias when creating a new entry
Fixed handling of URL-based aliases containing multiple URLs

Authentication

Added RADIUS authentication for SSH users
Added LDAP authentication for SSH users
Added option to control behavior of unauthenticated LDAP binds
Converted LDAP TLS setup from environment variables to LDAP_OPT_X_TLS_* options
Set RADIUS NAS Identifier to include webConfigurator and the firewall hostname when logging in the GUI
Added LDAP extended query for groups in RFC2307 containers
Fixed errors when using RADIUS for GUI authentication while the WAN is down

Backup/Restore

Changed crypt_data() to use stronger key derivation
Updated crypt_data() syntax for OpenSSL 1.1.x
Disabled AutoConfigBackup manual backups when AutoConfigBackup is disabled
Improved error handling when attempting to restore encrypted and otherwise invalid configurations which result in errors (e.g. wrong encryption passphrase, malformed XML)
Added option to include the DHCP v4/v6 leases database in config.xml backups
Added option to include the Captive Portal database in config.xml backups
Added option to include the Captive Portal used MACs database in config.xml backups
Added option to prevent all extra data from being added to config.xml backups
Added password confirmation when encrypting a config.xml backup
Added support for GPT partitioned drives to the External Configuration Locator
Added support for Limiters to the Traffic Shaper backup and restore area option
Added option to backup Dynamic DNS area
Fixed restoration of active voucher data from backup

Captive Portal

Improved XMLRPC sync of Captive Portal database information
Changed Captive Portal vouchers to use phpseclib so it can generate keys natively in PHP, and to work around OpenSSL deprecating key sizes needed for vouchers
Added trim() to the submitted username, so that spaces before/after in input do not cause authentication errors
Optimized Captive Portal authentication attempts when using multiple authentication servers
Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the server
Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal settings
Added an option so that Captive Portals may choose to remove or retain logins across reboot
Fixed deletion of related files when removing a Captive Portal zone
Fixed XMLRPC sync of Captive Portal used MACs database
Added validation of Captive Portal zone names to prevent using reserved words
Added support for IDN hostnames to Captive Portal Allowed Hostnames tab
Improved Captive Portal Allowed Hostnames so it supports multiple DNS records in responses
Fixed retention of automatic pass-through MAC entries when using Captive Portal Vouchers
Fixed Captive Portal Bandwidth per-user bandwidth limit values being applied when disabled
Changed handling of voucher logins with Concurrent Login option so that new logins are prevented rather than removing old sessions
Changed XMLRPC behavior to not remove zones from secondary node when disabling Captive Portal
Fixed XMLRPC sync failing to propagate voucher roll option changes to the secondary node
Fixed XMLRPC sync failing to create Captive Portal voucher files on secondary node
Fixed Captive Portal + Bridge interface validation
Added support for masking of Captive Portal pass-thru MACs
Added support for pre-filling voucher codes via URL parameters, so they can be used via QR code

Certificates

Fixed OCSP stapling detection for OpenSSL 1.1.x
Fixed GUI detection of revoked status for certificates issued and revoked by an intermediate CA
Removed PKCS#12 export links for entries which cannot be exported in that format (e.g. no private key)
Added an option to globally trust local CA manager entries
Added support for randomized certificate serial numbers when creating or signing certificates with local internal CAs
Added validation for CA/CRL serial numbers
Added support for importing ECDSA keys in certificates and when completing signing requests
Added support for creating and signing certificates using ECDSA keys
Added detailed certificate information block to the CA list, using code shared with the Certificate list
Added Certificate Lifetime to certificate information block
Added CA validity checks when attempting to pre-fill certificate fields from a CA
Added a daily certificate expiration check and notice, with settings to control its behavior and notifications (Default: 27 days)
Added functionality to import certificates without private keys (e.g. PKCS#11)
Added functionality to upload a PKCS#12 file to import a certificate
Added CA/Certificate renewal functionality
- This allows a CA or certificate to be renewed using its current settings (or a more secure profile), replacing the entry with a fresh one, and optionally retaining the existing key.
Added an “Edit” screen for Certificate entries
- This view allows editing the Certificate Descriptive name field
- This view also adds a (not stored) password field and buttons for exporting encrypted private keys and PKCS#12 archives
Improved default GUI certificate strength and handling of weak values
- Reduced the default GUI web server certificate lifetime to 398 days to prevent errors on Apple platforms
- Added notes on CA/Cert pages about using potentially insecure parameter choices
- Added visible warnings on CA/Cert pages if parameters are known to be insecure or not recommended
Revamped CRL management to be easier to use and more capable
- Added the ability to revoke certificates by serial number
- Added the ability to revoke multiple entries at a time
- Decluttered the main CRL list screen
- Moved to a single CRL create control to the bottom under the list rather than multiple buttons
Optimized CA/Cert/CRL code in various ways, including:
- Actions are now performed by refid rather than array index, which is more accurate and not as prone to being affected by parallel changes
- Improved configuration change descriptions as shown in the GUI and configuration history/backups
- Miscellaneous style and code re-use improvements
- Changed CA/Cert date calculations to use a more accurate method, which ensures accuracy on ARM past the 2038 date barrier

Configuration Backend

Changed error handling on boot error ‘XML configuration file not found’ so the user is given an opportunity to fix the problem manually

Configuration Upgrade

Retired m0n0wall configuration upgrade support

Console Menu

Fixed rc.initial execution of rc.local.running
Fixed rc.initial handling of -c commands with arguments
Fixed console menu display of subnet masks for DHCP interfaces

Dashboard

Added PPP uptime to the Dashboard Interfaces Widget
Improved long description truncation behavior in the services status widget
Fixed Dashboard traffic graph widget display of bandwidth units (b/s vs. B/s)
Added adaptive state timeout indication to the state table usage meter
Fixed Thermal Sensors dashboard widget showing invalid sensors
Added default route indicator to Gateways widget
Added hardware interface name as a tooltip on Interfaces widget entries

DHCP (IPv4)

Fixed handling of spaces in DHCP lease hostnames by dhcpleases
Fixed DHCP leases hostname parsing problems which prevented some hostnames from being displayed in the GUI
Added OMAPI settings to the DHCP Server
Increased number of NTP servers sent via DHCP to 3
Added an option to prevent known DHCP clients from obtaining addresses on any interface (e.g. known clients may only obtain an address from the interface where the entry is defined)
Added count of static mappings to list when editing DHCP settings for an interface
Fixed handling of client identifiers on static mappings containing double quotes
Added ARM32/64 network booting support to the DHCP Server
Increased the number of NTP servers for DHCP Static Mappings
Fix DHCP Dynamic DNS handling of per-host zone and key options from static mappings
Added per-host custom BOOTP/DHCP Options to static mappings
Added a button to clear all DHCP leases
Fixed ARPA zone declaration formatting in DHCP server configuration file

DHCP (IPv6)

Added options to disable pushing IPv6 DNS servers to clients via DHCP6
Fixed DHCPv6 domain search list
Fixed validation to allow omission of DHCPv6 range for use with stateless DHCP
Fixed issues creating IPv6 Static Mappings
Fixed DHCPv6 merging an IPv6 prefix with the input submitted in DNS servers field when using Track Interface
Fixed prefix delegation not being requested if no interfaces were set to track6
Fixed DHCPv6 Dynamic DNS domain key name validation
Fixed line formatting issues in the DHCPv6 configuration file
Fixed prefix not being included in the DNS entry registered by DHCPv6
Fixed DHCPv6 static mapping changes requiring a restart of the DNS resolver to activate
Fixed issues running DHCPv6 on certain types of tracked interfaces (e.g. bridges, VLANs)
Fixed issues with WAN not renewing IPv6 address after an upstream failure

DHCP Relay

Fixed DHCP Relay validation to allow OpenVPN TAP interfaces
Fixed inconsistent validation behavior for DHCP relay and bridges

Diagnostics

Added Reroot and Reboot with Filesystem Check options to GUI Reboot page
Added option to control wait time between ICMP echo request (ping) packets diag_ping.php
Improved data sanitization in status.php Sanitize MaxMind GeoIP key
Added config history list to status.php
Added DNS Resolver configuration to status.php
Added L2TP VPN configuration to status.php
Changed pftop page to hide filtering controls for views which do not support filtering
Added support for IDN hostnames to DNS Lookup, Ping, and Traceroute
Fixed diag_dns.php link to Ping passing incorrect parameters
Added a button to clear the NDP cache
Added a button to clear the ARP cache
Fixed hostname being ignored when DNS Lookup calculates response time
Fixed Kill States button on diag_dump_states.php when used with CIDR-masked subnets

DNS Forwarder

Updated dnsmasq to 2.84

DNS Resolver

Added IPv6 OpenVPN client addresses resolution to the DNS Resolver
Added DNS64 options to the DNS Resolver
Added support for multiple IP addresses in a DNS Resolver Host Override entry
Fixed DNS Resolver restart commands to work around potential environment issues
Fixed saving DNS Resolver ACL entries when using a non-English translation
Added support for IDN symbols in DNS Resolver ACL entries
Added Aggressive NSEC option to the DNS Resolver
Fixed DNS Resolver unintentionally retaining DHCP registration entries after disabling that feature
Fixed DNS Resolver restarting on every OpenVPN client connection when registering clients in DNS
Fixed issues with the DNS Resolver not starting when bound to disabled interfaces or interfaces without carrier
Fixed DNS Resolver custom TLS listen port being ignored
Improved formatting and ordering of items in the DNS Resolver access list configuration file

Dynamic DNS

Fixed Dynamic DNS Dashboard Widget address parsing for entries with split hostname/domain (e.g. Namecheap)
Added support for new CloudFlare Dynamic DNS API tokens
Added IPv6 support to No-IP Dynamic DNS
Fixed issues with Hover Dynamic DNS
Updated Cloudflare Dynamic DNS to query Zone ID with token
Added support for IPv6 to easyDNS Dynamic DNS
Added support for Domeneshop Dynamic DNS
Added Zone option to RFC 2136 Dynamic DNS
Updated FreeDNS Dynamic DNS to use their v2 API
Fixed DigitalOcean Dynamic DNS processing of zones with multiple pages of records
Improved Dynamic DNS Logging
Added support for dynv6.com Dynamic DNS
Fixed handling of Dynamic DNS AAAA records on 6rd tunnel interfaces bound to PPPoE interfaces
Added a button to duplicate Dynamic DNS entries
Fixed Dynamic DNS update for HE.net Tunnelbroker always setting IP address of the default WAN interface
Updated HE.net Tunnelbroker Dynamic DNS to use their current API
Added support for Wildcard A records for Gandi Dynamic DNS
Updated No-IP Dynamic DNS to use a newer API
Fixed Namecheap Dynamic DNS error code checking
Improved color blind accessibility of Dynamic DNS status

Gateways

Added support for obtaining a gateway via DHCP which is outside of the interface subnet
Added validation to prevent using descriptions on interfaces which would cause gateway names to exceeded the maximum allowed length
Added tooltip text to icons on the Gateways
Fixed issues with dpinger failing to update IPv6 gateway address on DHCPv6 WAN interfaces

Hardware / Drivers

Added bnxt driver for Broadcom NetXtreme interfaces
Added iOS/Android/Generic USB tethering driver

IGMP Proxy

Added input validation for IGMP Proxy settings

Installer

Created separate Auto (UFS) UEFI and Auto (UFS) BIOS installation options to avoid problems on hardware which boots differently on USB and non-USB disks
Fixed reinstalling with UFS on a ZFS formatted drive
Fixed platform detection for MBT-4220 and MBT-2220 on newer BIOS revisions
Fixed an issue with shutting down instead of rebooting after installing using ZFS

Interfaces

Added support for using IPv4 and IPv6 addresses on GRE interfaces at the same time
Added a check to disable Hardware Checksum Offloading in environments with interfaces which do not support it (e.g. vtnet, ena)
Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag
Added a PHP shell playback script restartallwan which restarts all WAN-type interfaces
Changed assignment of the fe80::1:1 default IPv6 link-local LAN address so it does not remove existing entries, which could cause problems such as Unbound failing to start
Added automatic MTU adjustment for GRE interfaces using IPsec as a transport
Fixed SLAAC interface selection when using IPv6 on a link which also uses PPP
Added GUI interface descriptions to Operating System interfaces
Added the ability to assign virtual type interfaces (IPsec, OpenVPN, GIF, GRE, etc) during console interface assignment
Fixed TSO not being disabled in some cases
Fixed group name length input validation
Improved interface caching for environments with many interfaces
Fixed fe80::1:1 being added to interfaces without track6
Added a check to prevent stf (6RD/6to4) interfaces from being used as parent interfaces
Fixed redundant disabling of static ARP at boot before it could be enabled
Fixed initialization of bridges which include a GIF interface at boot
Fixed problems with post-install interface changes not being retained if the user did not complete the wizard
Fixed inefficiencies when applying settings to a VLAN parent interface
Fixed interface MTU setting not being applied to all IPv6 routes
Fixed handling of MTU setting for 6rd and 6to4 interfaces
Fixed IPv6 IP Alias preventing Track Interface from working with DHCPv6 and RA
Changed DHCP interface renewal behavior to not restart services if the IP address did not change
Fixed an error when changing bridge STP settings
Added a binary package with updated Realtek interface drivers
Improved link state visibility on Status > Interfaces
Removed VTI interfaces from Interface Group selection since they do not currently function in this manner
Fixed issues with IPv6 on top of IPv4 PPPoE placing default route on incorrect interface

IPsec

Added 25519 curve-based IPsec DH and PFS groups 31 and 32
Enabled the strongSwan PKCS#11 plugin
Added support for ECDSA certificates to IPsec for IKE
Renamed IPsec “RSA” options to “Certificate” since both RSA and ECDSA certificates are now supported, and it is also easier for users to recognize
Converted IPsec configuration code from ipsec.conf ipsec/stroke style to swanctl.conf swanctl/vici style
- Split up much of the single large IPsec configuration function into multiple functions as appropriate.
- Optimized code along the way, including reducing code duplication and finding ways to generalize functions to support future expansion.
- For IKEv1 and IKEv2 with Split Connections enabled, P2 settings are properly respected for each individual P2, such as separate encryption algorithms
  - N.B.: In rare cases this may expose a previous misconfiguration which allowed a Phase 2 SA to connect with improper settings, for example if a required encryption algorithm was enabled on one P2 but not another.
- New GUI option under VPN > IPsec, Mobile Clients tab to enable RADIUS Accounting which was previously on by default. This is now disabled by default as RADIUS accounting data will be sent for every tunnel, not only mobile clients, and if the accounting data fails to reach the RADIUS server, tunnels may be disconnected.
- Additional developer & advanced user notes:
  - For those who may have scripts which touched files in /var/etc/ipsec, note that the structure of this directory has changed to the new swanctl layout.
  - Any usage of /usr/local/sbin/ipsec or the stroke plugin must also be changed to /usr/local/sbin/swanctl and VICI. Note that some commands have no direct equivalents, but the same or better information is available in other ways.
  - IPsec start/stop/reload functions now use /usr/local/sbin/strongswanrc
  - IPsec-related functions were converged into ipsec.inc, removed from vpn.inc, and renamed from vpn_ipsec_<name> to ipsec_<name>
- Reworked how reauthentication and rekey behavior functions, giving more control to the user compared to previous options
Reformatted status_ipsec.php to include more available information (rekey timer, encryption key size, IKE SPIs, ports)
Added support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec
Fixed usage of Hash Algorithm on child ESP/AH proposals using AEAD ciphers
Added support for IPsec remote gateway entries using FQDNs which resolve to IPv6 addresses
Added manual selection of Pseudo-Random Function (PRF) for use with AEAD ciphers
Added support for using per-user addresses from RADIUS and falling back to a local pool otherwise
Added an option which allows multiple tunnels to use the same remote peer in certain situations (read warnings on the option before use)
Improved visible distinction of online/offline mobile IPsec users in the IPsec status and dashboard widget
Added options to change the IPsec NAT-T ports (local and remote)
Improved boot-time initialization of IPsec VTI interfaces
Added support for limiting IPsec VPN access by RADIUS user group
Changed IPsec to share the same RADIUS Cisco-AVPair parser code as OpenVPN for Xauth users
Fixed handling of IPsec VTI interfaces in environments with large numbers of IPsec tunnels
Added IPsec Advanced option to control maximum allowed Parallel P2 Rekey exchanges
Fixed issues with bringing up new Phase 2 entries on IPsec tunnels with “Split connections” enabled
Fixed issues where, in rare cases, IPsec tunnels would not reconnect until the firewall was rebooted
Improved the Remote Gateway field description for IPsec Phase 1 entries to indicate that 0.0.0.0 is allowed
Fixed issues with IKEv2 IPsec tunnels with multiple phase 2 entries combining traffic selectors in unexpected ways (set “Split Connections” to isolate them)
Added options to create IPsec bypass rules which prevent specific source and destination network pairs from entering policy-based IPsec tunnels
Documented settings which work around SA duplication issues experienced by users in certain cases
Improved IPsec GUI options for P1/P2 SA expiration and replacement to help prevent SA duplication
Fixed a PHP error in mobile IPsec input validation
Added validation to prevent unsupported wildcard certificates from being selected for use with IPsec

IPv6 Router Advertisements (RADVD)

Fixed Router Advertisement configuration missing information in Unmanaged mode
Fixed Router Advertisement lifetime input validation

L2TP

Fixed L2TP secret using an empty value after removing it from the GUI
Fixed L2TP input validation to allow leaving the remote address field blank when assigning addresses from RADIUS
Fixed inefficiencies in the initial L2TP reconfiguration process
Fixed L2TP Server and Client both using l2tpX for interface names
Fixed static routes on L2TP interfaces not being reapplied when reconnecting
Fixed L2TP server being restarted when making user account changes

LAGG Interfaces

Improved Interface Status and Widget information for LAGG
Fixed route for GIF/GRE peer when using VLAN on LAGG
Added option to toggle LACP PDU transmission fast timeout
Fixed LAGG member interface events causing filter reloads
Fixed issues with LAGG interface MTU being incorrectly applied to VLAN subinterfaces
Added option to control the master interface for LAGG in Failover mode

Logging

Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated
Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k)
Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs
Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs
Added GUI options to control log rotation
Added code for packages to set their own log rotation parameters
Removed the redundant nginx-error.log file
Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others)
Reorganized/restructured several log tabs
Added a dedicated authentication log
Added an option for RFC 5424 format log messages which have RFC 3339 timestamps
Fixed an issue where a firewall log entry for loopback source/destination occasionally reported 127.0.0.1 as 127.0.01
Fixed issues with syslogd using an old IP address after an interface IP address change
Added watchfrr to routing log

Multi-WAN

Fixed Gateways being removed from routing groups based on low alert thresholds
Fixed a possible race condition in gateway group fail-over causing unexpected behavior
Fixed a load balancing failure when one gateway had a weight of 1 and another gateway had a weight >1

NAT Reflection

Fixed port forwards where the destination is a network alias creating invalid refection rules if multiple subnets are in that alias

Notifications

Deprecated & Removed Growl Notifications
Added a daily certificate expiration notification with settings to control its behavior
Fixed input validation of SMTP notification settings
Added support for sending notifications via Pushover API
Added support for sending notifications via Telegram
Fixed a PHP error when SMTP notifications fail

NTPD

Added GUI options for NTP sync/poll intervals
Added validation to prevent using noselect and noserve with pools
Added feature to automatically detect GPS baud rate
Fixed status and widget display of long hostnames and stratum
Fixed handling of the checkbox options on NTP servers
Updated GPS initialization commands for Garmin devices
Added an option to limit NTP pool server usage
Added option to force IPv4/IPv6 DNS resolution for NTP servers
Added support for NTP server authentication
Added an option to disable NTP
Added units to the NTP status page

OpenVPN

Updated OpenVPN to 2.5.0
- The default compression behavior has changed for security reasons. Incoming packets will be decompressed, outgoing packets will not be compressed. There is a GUI control to alter this behavior.
- Data cipher negotiation (Formerly known as Negotiable Cryptographic Parameters, or NCP) is now compulsory. Disabling negotiation has been deprecated. The option is still present in the GUI, but negotiation will be unilaterally enabled on upgrade. The upgrade process will attempt to use the expected data encryption algorithms before and after the upgrade completes, but in some cases more secure algorithms may be enabled as well. We strongly encourage using AEAD ciphers such as AES-GCM, future versions of OpenVPN will require them and will not have configurable cipher lists.
Added connection count to OpenVPN status and widget
Enabled the OpenVPN x509-alt-username build option
Restructured the OpenVPN settings directory layout
- Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to /var/etc/openvpn/<mode><id>/<x>
  - This keeps all settings for each client and server in a clean structure
Moved to CApath style CA structure for OpenVPN CA/CRL usage
Added support for OCSP verification of client certificates
Fixed a potential race condition in OpenVPN client ACLs obtained via RADIUS
Added support for more protocols (IP, ICMP), ports, and a template variable ({clientip}) in OpenVPN client ACLs obtained via RADIUS
Added the ability to register OpenVPN Remote Access (User Auth) clients in the DNS Resolver
Fixed an issue where duplicating an OpenVPN instance did not copy the password
Fixed issues with OpenVPN TCP clients failing to start
Added support for IPv6 OpenVPN ACLs obtained via RADIUS
Fixed validation to enforce OpenVPN client password usage when setting a username, to prevent a missing password from interrupting the boot process
Enabled asynchronous push in OpenVPN binary
Added OpenVPN client-specific override option to ignore routes pushed by the server (“push-reset”)
Clarified behavior of OpenVPN server option for Duplicate Connections

Operating System

Fixed a network performance regression in the fast forwarding path with IP redirects enabled NG4965
Fixed double ZFS entries in loader.conf
Added a method to enable persistent command history in the shell
Changed the default domain name of the firewall from .localdomain to .home.arpa

Package System

Disabled spell checking on package upgrade progress textarea
Fixed issues with package upgrade or reinstall hanging indefinitely
Fixed description used for buttons when editing packages

PPP Interfaces

Fixed issues with PPPoE over a VLAN failing to reconnect
Enabled selection of QinQ interfaces for use with PPP
Added option to set Host-Uniq value for PPPoE
Fixed incorrect interface assignment after switching from PPPoE
Fixed IPv6 not being disabled in mpd.conf when the IPv6 GUI option is set to ‘disabled’
Fixed PPPoE interface errors due to MTU settings

PPPoE Server

Fixed PPPoE server ignoring secondary RADIUS Server
Fixed PPPoE server Accounting updates option
Removed unnecessary restarts of the PPPoE server when adding/modifying users
Added input validation to prevent enabling the PPPoE server on a PPPoE client interface

Routing

Fixed automatic static routes set for DNS gateway bindings not being removed when no longer necessary
Fixed missing tooltip text for icons on the Static Routes Page

RRD Graphs

Fixed RRD graph handling of NTP graph data with negative freq values
Fixed RRD graph creation for interfaces using CODELQ

Rules / NAT

Added the ability to configure negated tagging, to match packets which do not not contain a given tag
Added support for IPv6 Port Forwards
Fixed handling of IPv6 NPt rules on 6rd WAN interfaces
Fixed 1:1 NAT issue when internal interface has VIPs
Fixed policy routing rules not being written correctly for a down gateway
Added EoIP to firewall rule Protocol list
Fixed separator bars on floating rules not covering the full table width
Fixed 1:1 NAT for IPv6 applying wrong subnet mask to “Single Host”
Added validation to prevent accidentally overlapping NPt networks and interface networks
Added support for dynamic interface addresses in 1:1 NAT rules
Added default values of TCP and UDP timeouts to the GUI
Fixed handling of IPv6 floating rules on 6rd interfaces
Fixed firewall rules for “PPPoE clients” only including the first PPPoE server instance
Fixed duplicated tracker IDs on block private networks rules
Fixed reply-to on rules for PPPoE WANs with IPv6 SLAAC
Added gateway/group IP addresses to mouseover on rules
Fixed formatting of floating rules with large numbers interfaces
Fixed form rendering issues with Port Forward Address Fields in Safari
Fixed firewall ruleset failing to load at boot when new ruleset would be invalid
Fixed an issue adding or deleting separator bars when no rules are present

S.M.A.R.T.

Updated S.M.A.R.T. Page with new capabilities

SNMP

Fixed SNMP reporting incorrect speed for switch uplink interface on Netgate SG-3100
Fixed SNMP input validation to require the Host Resources module when the PF module is also enabled

Traffic Graphs

Changed the Traffic Graph page from rate to iftop which brings IPv6 support and various other improvements

Traffic Shaper (ALTQ)

Changed default ALTQ queue bandwidth type to Mbit/s
Updated traffic shaper wizard settings for XBox and Wii ports
Added Broadcom NetXtreme to ALTQ-capable list
Added ALTQ support to the ix(4) driver
Fixed deletion of associated shaper queues when deleting an interface
Fixed ALTQ root queue bandwidth calculation
Fixed input validation for amount of queues supported by ALTQ schedulers
Added Google Stadia port range to the traffic shaper wizard
Fixed PHP errors in the traffic shaper wizard
Fixed ALTQ on hn(4) interfaces

Traffic Shaper (Limiters)

Fixed issues with net.inet.ip.dummynet.* tunables being ignored
Fixed issues with renaming limiters removing them from firewall rules
Fixed mask options not applying to sched limiter
Changed default Limiter queue bandwidth type to Mbit/s

Translations

Added Italian translation

Upgrade

Fixed issues with checking for updates from the GUI behind a proxy with authentication
Changed phrasing of message indicating the firewall is rebooting to upgrade
Fixed issues with the GUI incorrectly reporting “The system is on the latest version”

UPnP

Improved handling of UPnP with multiple gaming systems

User Manager / Privileges

Added menu entry for User Password Manager if the user does not have permission to reach the User Manager
Improved consistency of SSL/TLS references in LDAP authentication servers
Fixed irrelevant output being printed to users with ssh_tunnel_shell
Fixed theme not being applied to LDAP test results modal
Changed to more secure default values for certificates created through the user manager
Changed SSL/TLS LDAP authentication implementation to improve handling of multiple secure LDAP (SSL/TLS or STARTTLS) servers used at the same time

Virtual IP Addresses

Fixed a problem with PID file handling for the proxy ARP daemon
Fixed IP Alias VIPs on PPPoE interfaces

Web Interface

Updated JQuery to address multiple issues
Updated Bootstrap to 3.4.1
Updated Font-Awesome to v5
Increased the number of colors available for the login screen
Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0 removed from Captive Portal, TLS 1.1 removed from GUI)
Fixed empty lines in various forms throughout the GUI
Improved validation of FQDNs
Added CHACHA20-POLY1305 to nginx cipher list
Fixed Setup Wizard input validation to allow Primary/Secondary DNS Server field to remain empty
Fixed Setup Wizard input validation for IPv6 DNS Servers
Added an option to omit DNS Servers from resolv.conf
Fixed the icon area within buttons not being clickable
Fixed visibility issues with multiple selection form control in the pfsense-BETA-dark theme
Updated documentation links in the GUI
Fixed netmask/prefix form control incorrectly resetting to 128/32
Updated Help shortcut links
Improved handling of multiple login form submissions to avoid a potential CSRF error
Fixed reboot message when changing the Hardware Checksum Offloading setting
Added support for new site icons requested by current versions of Safari
Added descriptions to all write_config() calls

WireGuard

Added kernel-based WireGuard VPN implementation

Wireless

Added support for the athp(4) wireless interface driver
Added support for the ral(4) wireless interface driver to arm64
Added support for the rtwn(4) wireless interface driver
Added support for selecting 802.11n channel width (HT)

XMLRPC

Fixed XMLRPC synchronization of admin authorized keys for the admin user
Added option to synchronize changes for the account used for XMLRPC sync
Fixed XMLRPC synchronization for firewall rule descriptions with special characters
Fixed Incorrect synchronize IP address value causing XMLRPC errors