25.11.1 New Features and Changes

This is a software maintenance release with fixes for issues discovered in pfSense Plus software version 25.11.

Tip

Review the Upgrade Guide before performing any upgrade of pfSense software.

General

TLS Server Certificate Lifetime

CA/Browser Forum baseline requirements are phasing in shorter TLS server certificate validity periods over the next few years. The next step is a maximum of 200 days for server certificates issued between March 15, 2026, and March 15, 2027.

To follow those recommendations, this release lowers the recommended secure server certificate lifetime from 398 days to 200 days.

TLS Certificate Strength

The version of OpenSSL in this release further tightens certificate requirements and removes support for certain weak properties. For example, if a TLS server certificate for a service such as the GUI has a weak key (<2048 bits), the service may fail with an error such as “key too small”.

Such weak certificates have been deprecated for some time, and the GUI has warned against using weak settings. However, if certificates were generated on other systems and imported, or were generated years ago with long lifetimes, users may not realize that those certificates are now considered insecure.

Before upgrading, navigate to System > Certificates, Certificates tab. On that page, check each TLS server certificate by clicking its Renew/Reissue icon. On the renewal screen, inspect the Certificate Properties vs Strict Security table. If any items in the Would Change column are Yes, then either renew the certificate with Strict Security checked, or create/import a replacement certificate which meets these standards.

If the Renew/Reissue icon is not available for a certificate, such as one imported from an external CA, use the certificate info icon to view the certificate properties and check the values manually.

If the upgrade has already happened and the GUI will not start, then generate and activate a new secure self-signed GUI certificate at a shell prompt with the following command:

# pfSsh.php playback generateguicert

IPv6 connection failures with TSO enabled

The PF packet filter may receive packets that do not fit the interface MTU. This can happen when the packet must not be fragmented (e.g. with IPv6, or IPv4 flagged with DF) while TCP segmentation offload (TSO), which is not enabled by default, is in use. When this happens for connections from the firewall itself, the connection is terminated.

Users with TSO enabled have reported this problem happening when attempting to communicate with Netgate servers over IPv6 for packages, updates, and so on. We have not received any reports of this happening over IPv4 or for users with TSO disabled.

This problem has been fixed upstream, and the correction is available in this release. However, to communicate with Netgate servers and receive this update, affected users running pfSense Plus version 25.11 will need to return the TSO option to its default setting before attempting the upgrade.

  • Navigate to System > Advanced, Networking tab

  • Check Disable hardware TCP segmentation offload

  • Click Save

TSO is disabled by default, and keeping TSO disabled is the best practice.
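To confirm from a shell prompt that the setting took effect on every interface, the following POSIX shell snippet is an added example (not part of these release notes or of the pfSense code base). It parses FreeBSD-style ifconfig -a output, as pfSense prints it, and lists the interfaces whose capabilities still include TSO4 or TSO6; once hardware TSO is disabled those flags no longer appear in the interface's options list. The embedded sample output is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the pfSense release notes or the pfSense code base.
# Lists interfaces whose enabled capabilities still include TSO4 or TSO6 in
# `ifconfig -a` output (FreeBSD format, as on pfSense), so an administrator can
# verify the "Disable hardware TCP segmentation offload" setting before upgrading.
# Reads ifconfig output from stdin.
tso_enabled_ifaces() {
    awk '
        # "igc0: flags=..." starts a new interface block
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
        # the indented options= line carries the enabled capabilities;
        # require a delimiter on both sides so VLAN_HWTSO does not match
        /^[[:space:]]+options=/ && $0 ~ /[<,]TSO[46][,>]/ { print iface }
    '
}

# Constructed sample of ifconfig -a output (not captured from a real system):
# igc0 still has TSO4/TSO6, igc1 has had them removed, lo0 has no options line.
SAMPLE_IFCONFIG='igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 00:00:00:00:00:01
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 00:00:00:00:00:02
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Runs the check over the constructed sample; prints "igc0".
sample_tso_ifaces() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | tso_enabled_ifaces
}

# On a live system: ifconfig -a | tso_enabled_ifaces
if [ "${1:-}" = "--sample" ]; then
    sample_tso_ifaces
fi
```

An empty result means no interface still advertises TSO4 or TSO6, which is the state the notes recommend keeping after the upgrade as well.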

syncache Panic

This version includes upstream source changes that address a cause of kernel panics due to TCP SYN caching behavior. Some affected users may have implemented a potential workaround by setting a system tunable value for net.inet.tcp.syncookies=0. This tunable can be removed after upgrading.

Netgate 2100

The LAN port link parameters on the Netgate 2100 have been updated to address a potential signal transmission issue.

This issue prevented packets containing a specific byte pattern from being transmitted through the LAN port on the Netgate 2100. No other models are affected.

Security

rtsold

FreeBSD published security advisory FreeBSD-SA-25:12.rtsold for a remote command execution vulnerability in rtsold, which also affects pfSense software:

A fix for this issue is in this release, and patches are available for the previous release. For details, see 25.11 New Features and Changes.

Errata

PPPoE on vtnet interfaces may not pass routed traffic

Certain combinations of hypervisor software versions, settings, and hardware may encounter a failure to pass routed traffic over PPPoE on vtnet interfaces while running pfSense Plus software version 25.11.x (#16638). The problem does not occur on pfSense Plus software development snapshots for version 26.03.

Netgate has received a handful of reports of this issue, but so far the problem has not been reproduced in lab conditions. Affected users have also not identified the specific versions, settings, or hardware involved.

There are two workarounds for this issue:

  • Change the PPPoE interface to use a different virtual interface type, such as em or vmx.

  • Disable hardware offloading on the physical NIC in the hypervisor. For example:

    # ethtool -K enp1s0 rx off tx off tso off gso off gro off
    

pfSense Plus

Changes in this version of pfSense Plus software.

Aliases / Tables

  • Added: Allow using interface subnet macros with interfaces which only contain VIPs #16613

Backup / Restore

  • Fixed: ECL can modify a discovered config file #16153

Captive Portal

  • Fixed: Captive Portal “Allowed IPs” entries do not work if the language is not set to English #16549

Certificates

  • Changed: Update recommended maximum server certificate lifetimes to 200 days #16606

Configuration Upgrade

  • Fixed: Some package installation configuration data may be missing after OS upgrade #16634

  • Changed: Remove quick from previous match rules on upgrade #16636

DHCP (IPv4)

  • Fixed: kea2unbound crashes when reading an invalid configuration file #16602

DNS Resolver

  • Fixed: Unbound configuration validation does not test the complete configuration #16637

Gateway Monitoring

  • Added: Gateway recovery functionality for the default failover gateway group when all gateways are offline #16635

Hardware / Drivers

  • Fixed: Packets containing a specific byte pattern may not be transmitted via switch ports on the Netgate 2100 #16633

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Potential remote command execution via DNSSL router advertisement messages #16593

Operating System

  • Fixed: pfctl shows incorrect number of table addresses #16588

  • Fixed: Connections from the firewall itself fail with oversize packets and TSO enabled #16614

Package System

  • Added: Allow packages to preserve RAM disk data between boots #16624

Routing

  • Fixed: Input validation error when saving an existing static route which contains an alias destination #16625

Rules / NAT

  • Fixed: Incorrect configuration change message when deleting an outbound NAT rule #16566

System Logs

  • Fixed: Some remote syslog messages are duplicated when “System Events” option is enabled #16376

  • Fixed: Firewall logs do not match PF rules with rule number 0 #16575

  • Fixed: Firewall logs do not correctly parse short packet errors #16579

Upgrade

  • Changed: Save the update branch preference on system update #16626

User Manager / Privileges

  • Fixed: Inconsistent and incorrect privilege names on some PPP service-related log tabs #16630