Netgate Blog

pfSense 2.4.5-RELEASE-p1 Now Available

We are pleased to announce the release of pfSense® software version 2.4.5-p1, now available for new installations and upgrades!

pfSense software version 2.4.5-p1 is a maintenance release which brings several important stability and bug fixes for issues present in pfSense 2.4.5-RELEASE.

pfSense 2.4.5-RELEASE-p1 updates and installation images are available now!

To see a complete detailed list of changes, see the Release Notes.

Highlights

Security / Errata

pfSense software release version 2.4.5-p1 addresses several security issues:

  • Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload events on some multi-CPU platforms (e.g. Hyper-V, Proxmox, some bare metal systems)
  • Fixed an issue with SSHGuard which could prevent it from protecting against brute force logins
  • Updated Unbound to address CVE-2020-12662 and CVE-2020-12663
  • Updated json-c to address CVE-2020-12762
  • Added protection against misconfigured group privileges preventing the admin account from making configuration changes
  • Addressed issues with Suricata and FRR failing to start on some platforms (notably Netgate SG-1100, arm64/aarch64)
  • Addressed FreeBSD Security Advisories & Errata Notices including:

For complete details about these issues, see the Release Notes.

Notable Bug Fixes

In addition to security fixes, pfSense software version 2.4.5-p1 also includes important bug fixes.

  • Fixed language selection for Chinese (Taiwan) / HK Translations
  • Added support for Intel iwm(4) wireless cards (client mode only)
  • Added support for QLogic 10Gbit/s Ethernet interfaces (qlxgb)
  • Updated DNS Resolver EDNS buffer sizes for DNS flag day

For a complete list of corrected bugs, see the Release Notes.

Upgrade Notes

IMPORTANT: Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.

Due to the significant nature of the changes in this upgrade, warnings and error messages are likely to occur while the upgrade is in process. In particular, errors from PHP and package updates may be observed on the console and in logs. In nearly all cases these errors are a harmless side effect of the inconsistent state of the system during the upgrade from changes in the operating system, libraries, and PHP versions. Once the upgrade completes, the system will be in a consistent state again. Only errors which persist after the upgrade are significant.

Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.

Do not update packages before upgrading pfSense! Either remove all packages or do not update packages before running the upgrade.

The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such as installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.

If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present.

Consult the Upgrade Guide for additional information about performing upgrades to pfSense software.

Upgrading to pfSense 2.4.5-RELEASE-p1

Updating from an earlier pfSense 2.4.x release to 2.4.5-RELEASE-p1 is possible via the usual methods:

From the GUI:

  • Navigate to System > Update
  • Set Branch to Latest stable version (2.4.x)
  • Click Confirm to start the upgrade process

From the console or ssh:

  • Select option 13 OR select option 8 and run pfSense-upgrade

Update Troubleshooting

See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.

If the update system does not offer an upgrade to 2.4.5-p1 or the upgrade will not proceed, take the following steps:

  • Navigate to System > Updates
  • Set Branch to Latest stable version
  • Refresh the repository configuration and upgrade script by running the following commands from the console or shell:

    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
    

Planning for the upcoming 2.5.0 release

We are hard at work on the upcoming pfSense 2.5.0 release. Keep an eye on the draft copy of the 2.5.0 Release Notes for information about upcoming changes. 2.5.0 will bring a base OS upgrade to FreeBSD 12.x as well as upgrades to OpenSSL 1.1.1 and PHP 7.3.

The built-in load balancer has been deprecated from pfSense 2.5.0, and all related code has been removed, as it is not compatible with OpenSSL on FreeBSD 12.x. Plan migrations to alternate solutions such as the HAProxy package now.

Please note that pfSense version 2.5.0 WILL NOT require AES-NI. The original plan was to include a RESTCONF API in pfSense version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus the removal of the AES-NI requirement.

Reporting Issues

This release is ready for production use. Should any issues come up with pfSense 2.4.5-RELEASE-p1, please post about them on the forum or on the /r/pfSense subreddit.

Thanks!

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • Official appliances direct from the source. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.