2.5.0 New Features and Changes

pfSense® software version 2.5.0 brings a major OS version upgrade, OpenSSL upgrades, PHP and Python upgrades, and numerous bug fixes.


The original plan was to include a RESTCONF API in pfSense version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense version 2.5.0 WILL NOT require AES-NI.


For those who have not yet updated to 2.4.4-p3 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.

Operating System / Architecture changes

  • Base OS upgraded to FreeBSD 12.0-RELEASE-p10

  • OpenSSL upgraded to 1.1.1a-freebsd

  • PHP upgraded to 7.3 #9365

  • Python upgraded to 3.6 #9360

Security / Errata

  • Deprecated the built-in relayd Load Balancer #9386

    • relayd does not function with OpenSSL 1.1.x

    • The relayd port is currently marked BROKEN for FreeBSD 12 and later, and has been this way since October – There is no apparent sign of work to make it compatible with OpenSSL 1.1.x

    • The HAProxy package may be used in its place; It is a much more robust and more feature-complete load balancer and reverse proxy

    • For more information on implementing HAProxy, see HAProxy package and the Hangout


See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.

Known Issues

  • During development of pfSense version 2.5.0, there is a significant chance that packages will be unstable until closer to the release. Most of this is due to OpenSSL changes. This will stabilize as development progresses.


  • Fixed URL-based Alias only storing last-most entry in the configuration #9074


  • Set RADIUS NAS Identifier to include webConfigurator and the firewall hostname when logging in the GUI #9209

  • Added exception handling to authentication attempts #9150


  • Fixed AutoConfigBackup allowing manual backups when disabled #9785

  • Added a special string (NoReMoTeBaCkUp) that when used in write_config() descriptions will prevent a remote backup #9693

  • Removed legacy AutoConfigBackup options (there were no more active accounts using the retired legacy service) #9687

  • Changed crypt_data() to use stronger key derivation #9421

  • Updated crypt_data() syntax for OpenSSL 1.1.x #9420

  • Added CDATA protection to the encryption_password XML tag, which allows international characters to be used in that field #7186

Captive Portal

  • Fixed Captive Portal vouchers shortcut links #9722

  • Changed Captive Portal vouchers to use phpseclib so it can generate keys natively in PHP, and to work around OpenSSL deprecating key sizes needed for vouchers #9443

  • Added trim() to the submitted username, so that spaces before/after in input do not cause authentication errors #9274

  • Optimized Captive Portal authentication attempts when using multiple authentication servers #9255

  • Fixed Captive Portal session timeout values for RADIUS users who do not have a timeout returned from the server #9208

  • Changed Captive Portal so that users no longer get disconnected when changes are made to Captive Portal settings #8616

  • Added an option so that Captive Portals may choose to remove or retain logins across reboot #5644


  • Added sorting and search/filtering to Certificate Authority & Certificate manager #9412

  • Fixed OCSP stapling detection for OpenSSL 1.1.x #9408

  • Corrected wording of CA/Cert CN input validation #9234


  • Added PPP uptime to the Dashboard Interfaces Widget #9426

  • Added option to disable PTI display in System Information widget #9323


  • Fixed incorrect expansion of Dynamic DNS advanced options on the DHCPv6 Server page #9448

  • Changed DHCP relay backend code to determine and specify separate upstream and downstream interface lists #9466

  • Prevented OpenVPN interfaces from being used by DHCP relay, since that type of interface is not compatible #8443

  • Fixed handling of spaces in DHCP lease hostnames by dhcpleases #9758

  • Added an option to disable ping check in dhcpd #9285

  • Fixed Show all configured leases so it is persistent after deleting a DHCP lease #9133

  • Fixed DHCP leases hostname parsing problems which prevented some hostnames from being displayed in the GUI #3500


  • Fixed a PHP warning in diag_dump_states.php #9780

  • Fixed reverse lookup of IPv6 addresses on diag_dns.php #9543

  • Fixed diag_system_activity.php to use batch mode for top so it displays process list w/o terminal, and increased amount of output displayed #9522


  • Added to the DNS Resolver private-address list for DNS rebinding protection #9708

  • Fixed CIDR selection issues with /32 entries in DNS Resolver Access List entries #9586

  • Added DNS Resolver (Unbound) Python Integration #9251

  • Added TCP_RFC7413 in kernel, required for the BIND package #7293

Dynamic DNS

  • Fixed Dynamic DNS class constructor name #9779

  • Fixed errors in DNSimple Dynamic DNS #9580

  • Fixed Dynamic DNS Dashboard Widget address parsing for entries with split hostname/domain (e.g. Namecheap) #9564

  • Added support for Gandi LiveDNS Dynamic DNS #9452

  • Fixed handling of wildcard (*) hostname entries in Cloudflare Dynamic DNS #9361

  • Added support for AAAA records to Digital Ocean Dynamic DNS #9280

  • Cleaned up whitespace issues in Azure Dynamic DNS backend code #9271

  • Added support for Linode Dynamic DNS #9268

  • Fixed issues with IPv6 on Azure Dynamic DNS #9248

  • Fixed handling of wildcards in Route53 Dynamic DNS #9053

  • Fixed handling of wildcards in Loopia Dynamic DNS #8014


  • Fixed issues with PPPoE over a VLAN failing to reconnect #9148

  • Added more prefix delegation size entries to selection list on interfaces.php #9590

  • Added initialization to the VLAN array in console setup #9582

  • Changed the way interface VLAN support is detected so it does not rely on the VLANMTU flag #9548

  • Fixed issues with Netgate & hardware model detection which caused problems with default interface mappings #8051

  • Fixed issues with display of previously-entered IP address values on interfaces_ppps_edit.php #9741

  • Fixed issues with PPPoE over a VLAN failing to reconnect #9148


  • Fixed IPsec VTI interface creation logic #9781

  • Added GUI option for IPsec P2/Child SA close action #9767

  • Added IPsec DH and PFS groups 25, 26, and 27 #9757

  • Added 25519 curve-based IPsec DH and PFS groups 31 and 32 #9531

  • Enabled NAT-T controls for IKEv2 #9695

  • Improved handling of IPsec restarts breaking VTI routing #9668

  • Fixed input validation that incorrectly prevented deleting IPsec P2 entries in some cases with VTI #9258

  • Fixed IPsec keyid identifier handling #9243

  • Fixed IPsec VTI MTU boot-time configuration #9111

  • Enabled the strongSwan PKCS#11 plugin #6775

  • Fixed IPsec configuration generation so that encryption options for every P2 on a given P1 are not duplicated on each P2 #6263


  • Changed system logging to use plain text logging and log rotation, the old binary clog format has been deprecated #8350

  • Updated firewall log daemon to match data structure changes for FreeBSD 12.x #9411

  • Updated firewall log parsing to match new format of logs in FreeBSD 12.x #9415

  • Updated default log size (512k + rotated copies), default lines to display (500, was 50), and max line limits (200k, up from 2k) #9734

  • Added log tabs for nginx, userlog, utx/lastlog, and some other previously hidden logs #9714

  • Relocated Package Logs into a tab under System Logs and standardized display/filtering of package logs #9714

  • Added GUI options to control log rotation #9711

  • Added code for packages to set their own log rotation parameters #9712

  • Removed the redundant nginx-error.log file #7198

  • Fixed some instances where logs were mixed into the wrong log files/tabs (Captive Portal/DHCP/squid/php/others) #1375

  • Reorganized/restructured several log tabs #9714

  • Added a dedicated authentication log #9754


  • Fixed custom view titles being forced to lower case #9681


  • Fixed SMTP notification password being unintentionally changed when testing SMTP settings #9684

  • Deprecated & Removed Growl Notifications #8821


  • Added validation to ensure NTP values are treated as numbers before use #9558

  • Added GUI options for NTP sync/poll intervals #6787


  • Fixed JavaScript issue when selecting multiple OpenVPN NCP algorithms #9756

  • Fixed OpenVPN wizard so it does not show DH parameter lengths that are not available #9748

  • Fixed issues with OpenVPN resynchronizing when running on a gateway group #9595

  • Updated OpenVPN local auth to handle changes in fcgicli output #9460

  • Added an option to set the OpenVPN TLS Key Direction #9030

  • Added GUI options to configure OpenVPN keepalive parameters #3473

Operating System

  • Fixed serial console terminal size issues #9569


  • Enabled the RADIX_MPATH kernel option for multi-path routing #9544

  • Fixed (Default) designation on routes to match the default route in the OS #9292

  • Fixed automatic static routes set for DNS gateway bindings not being removed when no longer necessary #8922

Rules / NAT

  • Fixed state kill ordering in rc.newwanip #4674


  • Updated the SMART page with new capabilities #9367


  • Fixed SNMP sysDescr contents to include hostname and patch version #9218


  • Added Italian translation #9716

  • Fixed an issue with international characters in configuration descriptions, which led to failures in certain cases, such as failing to set Manual Outbound NAT when the Language was set to pt_BR #6195


  • Revised update check to provide a more consistent version string in JSON format #9778

  • Fixed issues with checking for updates from the GUI behind a proxy with authentication #9478

User Manager / Privileges

  • Added input validation to prevent changing the authentication server name #9692

  • Added privilege to manage integrated switches #9620

  • Fixed privilege matching to handle JS anchor links #9550

  • Removed wildcards incorrectly used in isAllowedPage() #9541

  • Added menu entry for User Password Manager if the user does not have permission to reach the User Manager #9428

  • Improved Deny Config Write privilege handling in the User & Group Manager #9259

  • Fixed input validation of group name sizes to allow longer remote groups #3792

Web Interface

  • Corrected input validation for firewall rule VLAN priority/set #9763

  • Restricted Thoth tests to arm64 in status.php NG 2569

  • Added kernel memory usage to status.php output #9705

  • Redacted several additional fields in status.php output #9784 #9729 #9728 #9727 #9694

  • Increased the number of colors available for the login screen #9706

  • Added TLS 1.3 to GUI and Captive Portal web server configuration, and removed older versions (TLS 1.0 removed from Captive Portal, TLS 1.1 removed from GUI) #9607

  • Fixed a potential source of PHP errors when saving per-log settings #9540

  • Added GUI components for MDS mitigation #9532

  • Fixed empty lines in various forms throughout the GUI #9449

  • Fixed integrated switch LAGG member editing on switch_ports.php #9447

  • Improved validation of FQDNs #9023

  • Fixed wizard.php selection option size attribute handling #8907

  • Fixed platform detection for certain C2558/C2758 systems #6846


  • Added support for the athp(4) wireless interface driver #9538 #9600