25.11 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

Tip

Review the Upgrade Guide before performing any upgrade of pfSense software.

General

  • Base OS updated to FreeBSD 16-CURRENT

  • OpenSSL upgraded to 3.5.3

  • OpenSSH upgraded to 10.0p2

  • PHP updated to 8.4

  • VXLAN interface support has been re-added

Endpoint-independent Port Restricted Cone Outbound NAT

This version includes partial experimental support for “Port Restricted Cone” endpoint-independent outbound NAT. This functionality must be manually enabled on a per-rule basis.

“Port Restricted Cone” NAT mappings attempt to preserve port and external address mappings for clients when speaking to multiple remote hosts, but in a dynamic way that does not rely on static port NAT. This helps avoid issues with multiple local clients using the same source port to the same remote host. These rules enable a client communicating with multiple remote hosts using the same source port to receive the same external IP address and port on outbound connections to any destination. This behavior facilitates use cases such as online gaming, peer-to-peer connections, and VoIP.

Inbound communication from a remote host and port is only possible after a local client initiates first contact to that remote host and port. While this is more secure, it is not yet capable of “full cone” NAT which some use cases may require such as certain types of online gaming.

pfSense Plus

Changes in this version of pfSense Plus software.

Authentication

  • Added: Support Message-Authenticator in the PHP RADIUS client #15952

  • Fixed: diag_authentication.php crashes with a core dump if RADIUS client Shared Secret value is not correct #16290

Backup / Restore

  • Fixed: RRD data fails to restore via the ECL #16141

Captive Portal

  • Fixed: Captive Portal Ethernet rules can block ARP #16264

  • Fixed: Reserved DUMMYNET pipes for Captive Portal can overlap #16540

Configuration Backend

  • Changed: Improve file handling of the configuration cache #16469

DHCP (IPv4)

  • Changed: Upgrade to Kea 3.0.2 #16388

  • Changed: Kea configuration parameter client-class is deprecated #16468

DNS Forwarder

  • Fixed: PHP error in DNS Forwarder host overrides when the language is set to French #14741

Dashboard

  • Fixed: Manually verifying the boot environment makes config changes #15499

  • Fixed: Thermal Sensors widget does not respect per-sensor threshold vales #16266

Diagnostics

  • Fixed: Captive Portal backwardsyncpassword value not sanitized in status output #16339

Dynamic DNS

  • Added: Preserve other record types when updating IPv4 or IPv6 using deSEC DDNS #12495

  • Fixed: Dynamic DNS does not use preferred VIP in Gateway Group #16326

  • Fixed: Custom Dynamic DNS services ignore the monitor interface #16368

Gateway Monitoring

  • Fixed: Gateway monitoring daemon can unexpectedly use a CARP VIP as the source IP address #16322

Gateways

  • Fixed: Gateway list order is incorrect until reloading page after moving entries and saving #16495

Hardware / Drivers

  • Fixed: Netgate 2100/3100 LED controller not responding to gpioctl #16526

  • Fixed: QLink/Marvell 41000 NIC bug #16248

  • Added: Support 2.5G SGMII (SFP GPON ONT) in bxe driver (QLogic NetXtreme II BCM57810) #16321

  • Fixed: e1000 network interfaces unexpectedly link at half-duplex #16449

IPsec

  • Changed: Update strongSwan to 6.0.3 #16509

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Cannot set RADVD router lifetime to 0 #16472

Installer

  • Fixed: Configuration data restored during installation can be overwritten by hardware-specific default values #16176

Interfaces

  • Added: VXLAN Interfaces #11732

  • Added: Option to change QinQ ethertype to Service VLAN Tag #13340

  • Fixed: Retain previous QinQ VLAN tag type value for existing entries on upgrade #13622

Logging

  • Added: Option to disable logging of packets blocked due to unmatched IP options #16068

  • Fixed: syslogd daemon can terminate when a remote log server refuses connections #16362

OpenVPN

  • Fixed: Automatic IPv6 gateways for OpenVPN servers are created with the wrong gateway address #16351

  • Fixed: OpenVPN servers will not start with DH parameter lengths less than 2048 #16421

  • Fixed: OpenVPN does not include client-to-client in generated configuration for Peer-to-Peer SSL/TLS servers #16428

Operating System

  • Fixed: rc.savecore errors prevent boot in ZFS #15613

  • Fixed: Swap fails to activate when multiple swap partitions exist #16232

PHP Interpreter

  • Changed: Upgrade PHP to 8.4 #16471

PPP Interfaces

  • Changed: Sanitize PPPoE configuration parameters #16128

  • Fixed: PPPoE interfaces using if_pppoe increase error counters due to normal ALTQ traffic shaping operations #16216

  • Fixed: Virtual IP addresses on PPPoE interfaces using if_pppoe can prevent PPP session termination #16487

Package System

  • Fixed: Error notification and log message "Updating repositories metadata" returned error code 1 at boot due to certctl race condition #16341

Rules / NAT

  • Added: Allow floating rules using the “match” action to match based on IP Options #16215

  • Added: Block non-global NAT64 addresses by default #16241

  • Changed: Refactor PF ruleset generation #16307

  • Added: Avoid traffic stalls from unnecessary filter reloads #16308

  • Fixed: Filter rule evaluation continues after matching a match quick rule #16475

  • Added: Support state killing on gateway recovery for policy-routed traffic from the firewall itself #16502

  • Added: Endpoint-independent Port Restricted Cone Outbound NAT rules #16517

  • Fixed: NAT64 rules do not pass traffic when a gateway is specified for the rule #16546

System Logs

  • Fixed: Log entries without a hostname can cause the system log to display in an unexpected manner #15411

Traffic Shaper (Limiters)

  • Fixed: Using a Limiter on a rule with a gateway group limits all traffic through that gateway instead of the host IP address #15770

Translations

  • Fixed: Korean locale configuration name is incorrect #16505

Unknown

  • Fixed: pfSense Plus does not work with AWS new Instance Metadata Service (IMDSv2) #14772

Upgrade

  • Fixed: PHP shell playback script upgradeconfig incorrectly replaces running configuration when Nexus is enabled #16179

  • Added: Fix configuration artifacts on upgrade #16253

Virtual IP Addresses

  • Fixed: Input validation text for deleting an IP Alias VIP within a CARP VIP subnet may reference incorrect VIP #16272

Web Interface

  • Fixed: Boot Environment page fails to load if pfsense:version ZFS property contains newlines #16375

  • Changed: Apple TouchID/FaceID probes for site icon files that do not exist #6727

XMLRPC

  • Fixed: Membership to admins group is lost when synchronizing user changes via XMLRPC #16392