2.5.0 New Features and Changes
pfSense software version 2.5.0 brings a major OS version upgrade, OpenSSL upgrades, PHP and Python upgrades, and numerous bug fixes.
The original plan was to include a RESTCONF API in pfSense version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense version 2.5.0 WILL NOT require AES-NI.
For those who have not yet updated to 2.4.4-p1 or 2.4.4, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.
Operating System / Architecture changes
Security / Errata
- sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration #9223
- Added DNS over TLS host verification #8602
- Configure hostnames for DNS over TLS servers under System > General
- Deprecated the built-in relayd Load Balancer #9386
- relayd does not function with OpenSSL 1.1.x
- relayd port is currently marked BROKEN for FreeBSD 12 and later, and has been this way since October; there is no apparent sign of work to make it compatible with OpenSSL 1.1.x
- The HAProxy package may be used in its place; it is a much more robust and more feature-complete load balancer and reverse proxy
- For more information on implementing HAProxy, see HAProxy package and the Hangout
See the FreeBSD 12.0 Release Notes for information on deprecated hardware drivers that may impact firewalls upgrading to pfSense version 2.5.0. Some of these were renamed or folded into other drivers, others have been removed, and more are slated for removal in FreeBSD 13 in the future.
- During development of pfSense version 2.5.0, there is a significant chance that packages will be unstable until closer to the release. Most of this is due to OpenSSL changes. This will stabilize as development progresses.
Backup / Restore
Firewall Rules / NAT / Aliases
Gateways / Routing
- Fixed issues with the default IPv4 gateway set to a group failing after restart #9004
- Updated the SMART page with new capabilities #9367
- Numerous optimizations and improvements for status.php diagnostics output #9290
- Fixed support for ZFS encrypted+mirrored swap #9281
- Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
- Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50MiB. #9239