2.5.2-P0 New Features and Changes

Known Issues / Errata

  • Dynamic DNS incorrectly encodes NoIP update credentials 

Security

  • AZTCOFW-SA-21_02.captiveportal (XSS in Captive Portal client login page,

General

  • Added: WireGuard experimental add-on package

Aliases / Tables

  • Added: PHP shell playback script to modify Alias contents 

Authentication

  • Added: Copy button for Authentication Server entries 

Backup / Restore

  • Added: Randomize time of scheduled AutoConfigBackup runs 
  • Fixed: Automated corruption recovery from cached config.xml backup files should check multiple backups 
  • Fixed: AutoConfigBackup schedule custom hour value lost on page load 

Captive Portal

  • Added: Redirect Captive Portal users to login page after they logout 
  • Fixed: Captive Portal post-auth redirect is not properly respected 
  • Fixed: Potential XSS vulnerability in Captive Portal redirurl handling 

Certificates

  • Fixed: Certificate Manager does not report Unbound as using a certificate 
  • Fixed: PHP error on certificate list due to unreadable private key 
  • Fixed: Export P12 icon is missing if certificate is not locally renewable 

Configuration Upgrade

  • Fixed: PHP error in upgrade_212_to_213() when upgrading certain IPsec tunnels 

Console Menu

  • Changed: Allow reroot on ZFS from console and GUI reboot menu entries 

DHCP (IPv6)

  • Fixed: dhcp6withoutra_script.sh does not get executed when advanced options are set 

DNS Forwarder

  • Fixed: Disable DNSSEC option for dnsmasq 
  • Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 

DNS Resolver

  • Fixed: Unbound Python Integration repeatedly mounts dev without unmounting 
  • Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot 
  • Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x 

Dashboard

  • Fixed: Thermal sensors widget no longer shows values from certain hardware 
  • Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector 
  • Fixed: Editing widgets on Dashboard causes a PHP Warning 

Diagnostics

  • Fixed: ARP Table populates hostname values using expired DHCP lease data 
  • Fixed: Sanitize OpenVPN Client Export certificate password in status output 
  • Fixed: Sanitize Captive Portal RADIUS MAC secret in status output 
  • Fixed: MAC address OEM information missing from ARP table 
  • Fixed: State table content on diag_dump_states.php does not sort properly 

Dynamic DNS

  • Added: New Dynamic DNS Provider: Mythic-Beasts 
  • Added: New Dynamic DNS Provider: one.com 
  • Added: New Dynamic DNS Provider: Yandex PDD 
  • Added: New Dynamic DNS Provider: NIC.RU 
  • Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 
  • Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain 
  • Fixed: Digital Ocean Dynamic DNS help text is incorrect 
  • Fixed: NoIP.com Dynamic DNS update failure is not detected properly 
  • Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean 

Gateways

  • Added: Input validation to prevent setting a load balancing gateway group as default 

Hardware / Drivers

  • Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems 
  • Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing 

High Availability

  • Fixed: Incorrect RADVD log message on HA event 

IGMP Proxy

  • Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events 

IPsec

  • Added: GUI option to set RADIUS Timeout for EAP-RADIUS 
  • Added: Option to switch IPsec filtering modes to choose between enc and if_ipsec filtering
  • Changed: Move custom IPsec NAT-T port settings to Advanced Options 
  • Fixed: strongSwan configuration always contains user EAP/PSK values
  • Added: IPsec GUI option to control Child SA start_action 
  • Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1
  • Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled 
  • Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces
  • Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP 
  • Fixed: ipsec_vti() does not skip disabled VTI entries 
  • Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway 
  • Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point

IPv6 Router Advertisements (RADVD)

  • Added: Use virtual link local IP address as RA source address for HA environments 
  • Added: Shortcut buttons for service control and logs on RADVD configuration 
  • Fixed: RADVD breaks on SIGHUP 

Interfaces

  • Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
  • Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 
  • Fixed: CLI interface configuration without IPv6 leaves RA enabled 
  • Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry 
  • Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes 
  • Added: VLAN list sorting 

L2TP

  • Fixed: Unused L2TP VPN files are not removed when the service is disabled 
  • Added: GUI option to set MTU for L2TP VPN server

NTPD

  • Fixed: NTP widget displays incorrect status 
  • Fixed: NTP authentication input validation rejects valid keys 

Notifications

  • Fixed: Invalid HTML encoding in modal Notices window 

OpenVPN

  • Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance 
  • Fixed: OpenVPN Wizard does not support gateway groups 
  • Added: Set Explicit Exit Notify to 1 by default for new OpenVPN client instances 
  • Added: Support for Cisco AVPair {clientipv6} template in firewall rules returned by RADIUS 
  • Changed: Set explicit-exit-notify option by default for new OpenVPN server instances 
  • Fixed: OpenVPN does not clean up parsed Cisco-AVPair rules on non-graceful disconnect 
  • Fixed: OpenVPN does not kill IPv6 client states on disconnect 
  • Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP 
  • Fixed: Certificate validation with OCSP always fails in openvpn.tls-verify.php 
  • Changed: Update OpenVPN to 2.5.2 
  • Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode 

Operating System

  • Added: Kernel modules for alternate congestion control algorithms 
  • Added: Kernel module for RTL8153 driver 
  • Added: Xen console support 
  • Fixed: Unquoted variable in dot.tcshrc can cause proxy password to be printed 

Routing

  • Fixed: IPv4 link-local (169.254.x.x) gateway does not function 

Rules / NAT

  • Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address 
  • Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule 
  • Fixed: Input validation prevents creating 1:1 NAT rules on IPsec 
  • Fixed: Invalid combinations of TCP flag matching options cause pfctl parser error 
  • Fixed: Port forward rules only function through the default gateway interface, reply-to does not work for Multi-WAN (CE Only) 
  • Fixed: Error loading rules in certain cases where an interface is temporarily without an address
  • Fixed: 1:1 NAT rules fail to validate aliases 

Traffic Shaper (ALTQ)

  • Fixed: Harmless error when enabling traffic shaper 
  • Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ 

Traffic Shaper (Limiters)

  • Fixed: Unused Limiter entries with schedules create unnecessary cron jobs 
  • Fixed: Error when setting queue limit on CODELQ limiter 

Upgrade

  • Fixed: Language presented to user during upgrade is misleading 

Web Interface

  • Added: Replace HTTP links with HTTPS in the GUI 
  • Fixed: Ambiguous text in help and input validation error for system domain name 
  • Fixed: PHP error if PHP_error.log file is too large 
  • Fixed: RAM Disk Settings shows Kernel Memory at 0 Kb and does not allow the user to create RAM disks 
  • Fixed: HTTP Referer error message text is incorrect 
  • Fixed: Missing /0 subnet when cloning repeatable CIDR mask controls 
  • Fixed: Update NGINX to address CVE-2021-23017 

WireGuard

  • Fixed: Ignore WireGuard configurations under <installedpackages> 

Wireless

  • Added: GUI options for WPA Enterprise with identity/password 
  • Fixed: wpa_supplicant uses 100% of a CPU core at boot 

XMLRPC

  • Fixed: XMLRPC synchronization restarts all OpenVPN instances on the secondary node when making any change on the primary node 
  • Fixed: XMLRPC Client does not honor its default timeout value