25.11 New Features and Changes

This is a regularly scheduled software release including new features and bug fixes.

Tip

Review the Upgrade Guide before performing any upgrade of pfSense software.

General

  • Base OS updated to FreeBSD 16-CURRENT

  • OpenSSL upgraded to 3.5.3

  • OpenSSH upgraded to 10.0p2

  • PHP updated to 8.4

  • VXLAN interface support has been re-added

Endpoint-independent (“Full Cone”) Outbound NAT

This version includes support for endpoint-independent outbound NAT, also known as “full cone” NAT. This functionality must be manually enabled on a per-rule basis.

Endpoint-independent NAT enables remote hosts to initiate inbound connections to an internal host after that internal host initiates an outbound connection. This behavior facilitates use cases such as online gaming, peer-to-peer connections, and VoIP.

This behavior is less strict and less secure than typical NAT rules, but it also lets administrators allow inbound traffic to clients without allocating routable addresses, manually defining forwarding rules, or using services such as UPnP IGD or PCP.

Danger

Endpoint-independent NAT allows inbound packets from any remote host to the external translation IP address, port, and protocol matching an active connection state. This bypasses filter rules since the packets are passed when PF checks the connection state. As such, potentially harmful traffic could be forwarded from remote hosts to the internal host. Take appropriate cautions to secure local devices when using this mode.
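The following is an added illustration, not pfSense or PF code: a constructed Python model of the state lookup described above, showing why an endpoint-independent state lets an unrelated remote host reach the internal host even when the WAN ruleset blocks all unsolicited inbound traffic. All class names, addresses and ports are assumed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class State:
    proto: str
    internal: tuple   # (ip, port) of the LAN host
    external: tuple   # (translated ip, port) on the WAN side
    remote: tuple     # (ip, port) the LAN host originally sent to
    endpoint_independent: bool

class OutboundNat:
    """Constructed model of PF outbound NAT state handling; not pfSense code."""
    def __init__(self, ext_ip: str, inbound_filter: Callable[[Pkt], bool]):
        self.ext_ip = ext_ip
        self.inbound_filter = inbound_filter   # WAN rules, consulted only when no state matches
        self.states: list[State] = []
        self.next_port = 50000

    def outbound(self, pkt: Pkt, endpoint_independent: bool = False) -> Pkt:
        # Outbound packet hits the NAT rule: allocate a translation port and record a state.
        ext = (self.ext_ip, self.next_port)
        self.next_port += 1
        self.states.append(State(pkt.proto, (pkt.src, pkt.sport), ext,
                                 (pkt.dst, pkt.dport), endpoint_independent))
        return Pkt(pkt.proto, ext[0], ext[1], pkt.dst, pkt.dport)

    def inbound(self, pkt: Pkt) -> tuple:
        # PF checks states before the ruleset, so a state match passes the packet unfiltered.
        for st in self.states:
            if st.proto == pkt.proto and st.external == (pkt.dst, pkt.dport):
                # Default: the remote endpoint must be the one that created the state.
                # Endpoint-independent: any remote address/port matching the mapping is accepted.
                if st.endpoint_independent or st.remote == (pkt.src, pkt.sport):
                    return "pass-by-state", Pkt(pkt.proto, pkt.src, pkt.sport, *st.internal)
        # No state: the packet is subject to the inbound filter rules.
        return ("pass-by-rule", pkt) if self.inbound_filter(pkt) else ("blocked", None)

def demo(endpoint_independent: bool) -> dict:
    # Constructed scenario: WAN rules block all unsolicited inbound traffic.
    nat = OutboundNat("203.0.113.5", inbound_filter=lambda p: False)
    nat.outbound(Pkt("udp", "192.168.1.10", 4000, "198.51.100.20", 9000), endpoint_independent)
    peer = Pkt("udp", "198.51.100.20", 9000, "203.0.113.5", 50000)   # original peer replying
    stranger = Pkt("udp", "192.0.2.77", 1234, "203.0.113.5", 50000)  # unrelated host hitting the mapping
    return {"peer": nat.inbound(peer)[0], "stranger": nat.inbound(stranger)[0]}
```

With the default (endpoint-dependent) state the unrelated host is blocked by the ruleset; with the endpoint-independent state it is passed on the state match without the filter rules being consulted.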

pfSense Plus

Changes in this version of pfSense Plus software.

Authentication

  • Added: Support Message-Authenticator in the PHP RADIUS client #15952

  • Fixed: diag_authentication.php crashes with a core dump if RADIUS client Shared Secret value is not correct #16290

Backup / Restore

  • Fixed: RRD data fails to restore via the ECL #16141

Captive Portal

  • Fixed: Captive Portal Ethernet rules can block ARP #16264

Configuration Backend

  • Changed: Improve file handling of the configuration cache #16469

DHCP (IPv4)

  • Changed: Upgrade to Kea 3.0.2 #16388

  • Changed: Kea configuration parameter client-class is deprecated #16468

DNS Forwarder

  • Fixed: PHP error in DNS Forwarder host overrides when the language is set to French #14741

Dashboard

  • Fixed: Manually verifying the boot environment makes config changes #15499

  • Fixed: Thermal Sensors widget does not respect per-sensor threshold values #16266

Diagnostics

  • Fixed: Captive Portal backwardsyncpassword value not sanitized in status output #16339

Dynamic DNS

  • Added: Preserve other record types when updating IPv4 or IPv6 using deSEC DDNS #12495

  • Fixed: Dynamic DNS does not use preferred VIP in Gateway Group #16326

  • Fixed: Custom Dynamic DNS services ignore the monitor interface #16368

Gateway Monitoring

  • Fixed: Gateway monitoring daemon can unexpectedly use a CARP VIP as the source IP address #16322

Gateways

  • Fixed: Gateway list order is incorrect until reloading page after moving entries and saving #16495

Hardware / Drivers

  • Fixed: Netgate 2100/3100 LED controller not responding to gpioctl #16526

  • Fixed: QLink/Marvell 41000 NIC bug #16248

  • Added: Support 2.5G SGMII (SFP GPON ONT) in bxe driver (QLogic NetXtreme II BCM57810) #16321

  • Fixed: e1000 network interfaces unexpectedly link at half-duplex #16449

IPsec

  • Changed: Update strongSwan to 6.0.3 #16509

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Cannot set RADVD router lifetime to 0 #16472

Installer

  • Fixed: Configuration data restored during installation can be overwritten by hardware-specific default values #16176

Interfaces

  • Added: VXLAN Interfaces #11732

  • Added: Option to change QinQ ethertype to Service VLAN Tag #13340

  • Fixed: Retain previous QinQ VLAN tag type value for existing entries on upgrade #13622

Logging

  • Added: Option to disable logging of packets blocked due to unmatched IP options #16068

  • Fixed: syslogd daemon can terminate when a remote log server refuses connections #16362

OpenVPN

  • Fixed: Automatic IPv6 gateways for OpenVPN servers are created with the wrong gateway address #16351

  • Fixed: OpenVPN servers will not start with DH parameter lengths less than 2048 #16421

  • Fixed: OpenVPN does not include client-to-client in generated configuration for Peer-to-Peer SSL/TLS servers #16428

Operating System

  • Fixed: rc.savecore errors prevent boot in ZFS #15613

  • Fixed: Swap fails to activate when multiple swap partitions exist #16232

PHP Interpreter

  • Changed: Upgrade PHP to 8.4 #16471

PPP Interfaces

  • Changed: Sanitize PPPoE configuration parameters #16128

  • Fixed: PPPoE interfaces using if_pppoe increase error counters due to normal ALTQ traffic shaping operations #16216

  • Fixed: Virtual IP addresses on PPPoE interfaces using if_pppoe can prevent PPP session termination #16487

Package System

  • Fixed: Error notification and log message "Updating repositories metadata" returned error code 1 at boot due to certctl race condition #16341

Rules / NAT

  • Added: Allow floating rules using the “match” action to match based on IP Options #16215

  • Added: Block non-global NAT64 addresses by default #16241

  • Changed: Refactor PF ruleset generation #16307

  • Added: Avoid traffic stalls from unnecessary filter reloads #16308

  • Fixed: Filter rule evaluation continues after matching a match quick rule #16475

  • Added: Support state killing on gateway recovery for policy-routed traffic from the firewall itself #16502

  • Added: Endpoint-independent (“Full Cone”) Outbound NAT rules #16517

System Logs

  • Fixed: Log entries without a hostname can cause the system log to display in an unexpected manner #15411

Traffic Shaper (Limiters)

  • Fixed: Using a Limiter on a rule with a gateway group limits all traffic through that gateway instead of the host IP address #15770

Translations

  • Fixed: Korean locale configuration name is incorrect #16505

Unknown

  • Fixed: pfSense Plus does not work with the new AWS Instance Metadata Service (IMDSv2) #14772

Upgrade

  • Fixed: PHP shell playback script upgradeconfig incorrectly replaces running configuration when Nexus is enabled #16179

  • Added: Fix configuration artifacts on upgrade #16253

Virtual IP Addresses

  • Fixed: Input validation text for deleting an IP Alias VIP within a CARP VIP subnet may reference incorrect VIP #16272

Web Interface

  • Fixed: Boot Environment page fails to load if pfsense:version ZFS property contains newlines #16375

  • Changed: Apple TouchID/FaceID probes for site icon files that do not exist #6727

XMLRPC

  • Fixed: Membership to admins group is lost when synchronizing user changes via XMLRPC #16392