25.11 New Features and Changes¶

This is a regularly scheduled software release including new features and bug fixes.

Tip

Review the Upgrade Guide before performing any upgrade of pfSense software.

Errata¶

rtsold¶

FreeBSD published security advisory FreeBSD-SA-25:12.rtsold for a remote command execution vulnerability in rtsold, which also affects pfSense software:

A fix for this issue is available via the Recommended System Patches function of the System Patches Package for users running pfSense Plus software version 25.11, pfSense Plus software version 25.07.1, and pfSense CE software version 2.8.1. Users of older versions can upgrade to a supported release or apply the patch on Redmine issue #16593.

IPv6 connection failures with TSO enabled¶

PF may receive packets that do not fit the interface MTU. This can happen when the packet should not be fragmented (e.g. with IPv6, or IPv4 flagged with DF) while the non-default TCP segmentation offload (TSO) behavior is enabled. When this happens for connections from the firewall itself, the connection is terminated.

Users with TSO enabled have reported this problem happening when attempting to communicate with Netgate servers over IPv6 for packages, updates, and so on. We have not received any reports of this happening over IPv4 or for users with TSO disabled.

This problem has been fixed upstream, and the correction will be available in the next release. However, to communicate with Netgate servers and receive updates or packages, affected users running pfSense Plus version 25.11 will need to revert the TSO option back to its default setting.

Navigate to System > Advanced, Networking tab
Check Disable hardware TCP segmentation offload
Click Save

TSO is disabled by default, and keeping TSO disabled is the best practice.

General¶

Base OS updated to FreeBSD 16-CURRENT
OpenSSL upgraded to 3.5.3
OpenSSH upgraded to 10.0p2
PHP updated to 8.4
VXLAN interface support has been re-added

TLS Certificate Strength¶

The version of OpenSSL in this release further tightens certificate requirements and removes support for certain weak properties. For example, if a TLS server certificate for a service such as the GUI has a weak key (<2048 bits), the service may fail with an error such as “key too small”.

Such weak certificates have been deprecated for some time and the GUI has warned against using weak settings, however, if the certificates were generated on other systems and imported, or generated years ago with long lifetimes, users may not realize such certificates are now considered insecure.

Before upgrading, navigate to the System > Certificates, Certificates tab. On that page, check each TLS server certificate by clicking the Renew/Reissue icon. On the renewal screen, inspect the Certificate Properties vs Strict Security table. If any items in the Would Change column are Yes, then either renew the certificate with Strict Security checked, or create/import a replacement certificate which meets these standards.

If the Renew/Reissue icon is not available for a certificate, such as for those imported from an external CA, use the fa-info-circle icon to view the certificate properties and check the values manually.

If the upgrade has already happened and the GUI will not start, then generate and activate a new secure self-signed GUI certificate at a shell prompt with the following command:

# pfSsh.php playback generateguicert

Security¶

Fixed anti-brute force protection bypass and potential denial of service #16312 #16314 pfSense-SA-25_09.sshguard

Endpoint-independent Port Restricted Cone Outbound NAT¶

This version includes partial experimental support for “Port Restricted Cone” endpoint-independent outbound NAT. This functionality must be manually enabled on a per-rule basis.

“Port Restricted Cone” NAT mappings attempt to preserve port and external address mappings for clients when speaking to multiple remote hosts, but in a dynamic way that does not rely on static port NAT. This helps avoid issues with multiple local clients using the same source port to the same remote host. These rules enable a client communicating with multiple remote hosts using the same source port to receive the same external IP address and port on outbound connections to any destination. This behavior facilitates use cases such as online gaming, peer-to-peer connections, and VoIP.

Inbound communication from a remote host and port is only possible after a local client initiates first contact to that remote host and port. While this is more secure, it is not yet capable of “full cone” NAT which some use cases may require such as certain types of online gaming.

pfSense Plus¶

Changes in this version of pfSense Plus software.

Backup / Restore¶

Fixed: RRD data fails to restore via the ECL #16141

Captive Portal¶

Fixed: Captive Portal Ethernet rules can block ARP #16264
Fixed: Reserved DUMMYNET pipes for Captive Portal can overlap #16540

Configuration Backend¶

Changed: Improve file handling of the configuration cache #16469

DHCP (IPv4)¶

Changed: Upgrade to Kea 3.0.2 #16388
Changed: Kea configuration parameter client-class is deprecated #16468

DHCP (IPv6)¶

Fixed: Hostnames in Kea static leases may not be registered with DNS #16552

DNS Forwarder¶

Fixed: PHP error in DNS Forwarder host overrides when the language is set to French #14741

DNS Resolver¶

Changed: Update Unbound to 1.24.2 to address CVE-2025-11411 #16503

Dashboard¶

Fixed: Manually verifying the boot environment makes config changes #15499
Fixed: Thermal Sensors widget does not respect per-sensor threshold vales #16266

Diagnostics¶

Fixed: Captive Portal backwardsyncpassword value not sanitized in status output #16339

Dynamic DNS¶

Added: Preserve other record types when updating IPv4 or IPv6 using deSEC DDNS #12495
Fixed: Dynamic DNS does not use preferred VIP in Gateway Group #16326
Fixed: Custom Dynamic DNS services ignore the monitor interface #16368

Gateway Monitoring¶

Fixed: Gateway monitoring daemon can unexpectedly use a CARP VIP as the source IP address #16322

Gateways¶

Fixed: Gateway list order is incorrect until reloading page after moving entries and saving #16495

Hardware / Drivers¶

Fixed: Netgate 2100/3100 LED controller not responding to gpioctl #16526
Fixed: QLink/Marvell 41000 NIC bug #16248
Added: Support 2.5G SGMII (SFP GPON ONT) in bxe driver (QLogic NetXtreme II BCM57810) #16321
Fixed: e1000 network interfaces unexpectedly link at half-duplex #16449

IPsec¶

Changed: Update strongSwan to 6.0.3 #16509

IPv6 Router Advertisements (radvd/rtsold)¶

Fixed: Cannot set RADVD router lifetime to 0 #16472

Installer¶

Fixed: Configuration data restored during installation can be overwritten by hardware-specific default values #16176

Interfaces¶

Added: VXLAN Interfaces #11732
Added: Option to change QinQ ethertype to Service VLAN Tag #13340
Fixed: Retain previous QinQ VLAN tag type value for existing entries on upgrade #13622

Logging¶

Added: Option to disable logging of packets blocked due to unmatched IP options #16068
Fixed: syslogd daemon can terminate when a remote log server refuses connections #16362

OpenVPN¶

Fixed: Automatic IPv6 gateways for OpenVPN servers are created with the wrong gateway address #16351
Fixed: OpenVPN servers will not start with DH parameter lengths less than 2048 #16421
Fixed: OpenVPN does not include client-to-client in generated configuration for Peer-to-Peer SSL/TLS servers #16428

Operating System¶

Fixed: rc.savecore errors prevent boot in ZFS #15613
Fixed: Swap fails to activate when multiple swap partitions exist #16232

PHP Interpreter¶

Changed: Upgrade PHP to 8.4 #16471

PPP Interfaces¶

Changed: Sanitize PPPoE configuration parameters #16128
Fixed: PPPoE interfaces using if_pppoe increase error counters due to normal ALTQ traffic shaping operations #16216
Fixed: Virtual IP addresses on PPPoE interfaces using if_pppoe can prevent PPP session termination #16487

Package System¶

Fixed: Error notification and log message "Updating repositories metadata" returned error code 1 at boot due to certctl race condition #16341

Rules / NAT¶

Added: Allow floating rules using the “match” action to match based on IP Options #16215
Added: Block non-global NAT64 addresses by default #16241
Changed: Refactor PF ruleset generation #16307
Added: Avoid traffic stalls from unnecessary filter reloads #16308
Fixed: NAT64 rules using reply-to do not forward packets #16429
Fixed: Filter rule evaluation continues after matching a match quick rule #16475
Added: Support state killing on gateway recovery for policy-routed traffic from the firewall itself #16502
Added: Endpoint-independent Port Restricted Cone Outbound NAT rules #16517
Fixed: NAT64 rules do not pass traffic when a gateway is specified for the rule #16546
Changed: Update output and parsing behavior for PHP shell pfanchordrill #16551

System Logs¶

Fixed: Log entries without a hostname can cause the system log to display in an unexpected manner #15411

Traffic Shaper (Limiters)¶

Fixed: Using a Limiter on a rule with a gateway group limits all traffic through that gateway instead of the host IP address #15770

Translations¶

Fixed: Korean locale configuration name is incorrect #16505

Unknown¶

Fixed: pfSense Plus does not work with AWS new Instance Metadata Service (IMDSv2) #14772

Upgrade¶

Fixed: PHP shell playback script upgradeconfig incorrectly replaces running configuration when Nexus is enabled #16179
Added: Fix configuration artifacts on upgrade #16253

User Manager / Privileges¶

Fixed: sshguard does not trigger for GUI logins from usernames containing unexpected characters #16312
Fixed: GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages #16314

Virtual IP Addresses¶

Fixed: Input validation text for deleting an IP Alias VIP within a CARP VIP subnet may reference incorrect VIP #16272

Web Interface¶

Fixed: Boot Environment page fails to load if pfsense:version ZFS property contains newlines #16375
Changed: Apple TouchID/FaceID probes for site icon files that do not exist #6727

XMLRPC¶

Fixed: Membership to admins group is lost when synchronizing user changes via XMLRPC #16392