What is pfSense® Plus Software?

Netgate announced the creation of pfSense Plus software, and the renaming of the open-source project to pfSense Community Edition (CE), in January 2021. The rationale was simple: The existence of pfSense Plus software would allow Netgate to add advanced features required by business customers. In the time since that announcement, a number of premium capabilities have been added to pfSense Plus software that are not available in pfSense CE software.

Benefits of pfSense Plus Software

More Frequent Software Updates

One of the most significant differences is the release cadence.

Three Releases per Year

pfSense Plus software gets major updates three times per year, and additional point releases when required. This allows Netgate to keep pfSense Plus software closely in sync with the many changes and updates that are made ‘upstream,’ including in FreeBSD.

Cryptography and VPN Acceleration

pfSense Plus software incorporates a number of capabilities that improve the performance of VPN connectivity.

See also

VPN Scaling

These exclusive capabilities include:

OpenVPN Data Channel Offload (DCO) support

This provides huge performance gains when processing encrypted OpenVPN data by reducing the amount of context switching that happens for each packet.

Intel IPsec Multi-Buffer (IIMB) support

This increases VPN performance on Intel, AMD and ARM platforms where extended instruction support is present by replacing some cryptographic functions provided by the kernel with accelerated functions that utilize those extended instructions.

See also


Intel QuickAssist Technology (QAT) support

This is an Intel-specific hardware acceleration technology that significantly increases performance, using asynchronous processing, for many cryptographic operations.

SafeXcel cryptographic accelerator support

This is an acceleration technology present on some ARM platforms, such as the Netgate 1100 and 2100 appliances.

CESA support

This is an acceleration technology present on some ARM platforms such as the Netgate 3100 appliance.

AWS VPC VPN Connection Wizard add-on package

This add-on package automatically creates a VPN tunnel and BGP configuration to communicate with an Amazon AWS VPC.

See also

AWS VPC Wizard

IPsec Profile Wizard add-on package

This add-on package creates IPsec configuration profiles for Apple devices (iOS and macOS), and IPsec import script bundles for Windows devices.

OpenVPN Client Import add-on package

This add-on package Imports a unified OpenVPN client configuration file as exported by an OpenVPN server.

Additional Features

Additional premium features found in pfSense Plus software include:

ZFS Boot Environment (BE) Management in webConfigurator

This feature makes it easier to take snapshots of key file system areas, resulting in safer upgrades and major changes. If the user encounters problems with an upgrade or configuration change, the firewall can be ‘rolled back’ to an earlier known good state.

ZFS dashboard widget (to track status of disks using ZFS)

This feature allows easy monitoring of disks using the zfs file system.

CARP mode (multicast or unicast)

This is an option to choose how CARP (High Availability) operates, either in multicast or unicast mode. Some environments (including virtualization) don’t work well, or not at all, with multicast mode. pfSense CE software only supports multicast.

Ethernet (Layer 2) Filtering Rules support

This feature is experimental rule-based pass/block filtering of packets based on Ethernet (Layer 2) header attributes (e.g. MAC addresses). These rules are processed before other (L3) rules in the inbound direction, and after those rules outbound.

LDAP Client Certificate support

This feature supports a certificate sent to the LDAP server to identify this client when using an encrypted transport mode.

GUI Options for WAN 802.1X Authentication Bridging and VLAN 0 PCP Tagging

These options allow directly connecting to certain ISP networks which typically require specific devices at the edge, such as a modem with an authentication certificate.

Native Packet Flow Data Export for NetFlow/IPFIX

Starting with pfSense Plus software version 24.03 the firewall can directly export NetFlow v5 and IPFIX traffic flow data to one or more collectors using the pflow(4) feature in PF. The data is collected directly from firewall states and does not require a separate daemon, service, or add-on package.

Capabilities For Netgate Hardware

There are also several capabilities in pfSense Plus software that are unique to the appliance hardware that Netgate sells and supports.

These include:

  • ARM64 support (for Netgate’s ARM-based appliances)

  • The Firmware Update add-on package

  • MMC Utilities package

  • Support for specialized hardware such as status LEDs, reset buttons, switches, and hardware watchdog devices

  • Default optimized configurations for Netgate hardware appliances