26.03 New Features and Changes
This is a regularly scheduled software release including new features and bug fixes.
Tip: Review the Upgrade Guide before performing any upgrade of pfSense software.
System Patches Package
All installations now include the System Patches Package by default. It will automatically be present on fresh installations, and added on upgrade for existing installations which do not already have the package.
The best practice is to periodically check for and apply updates to that package, and apply Recommended System Patches to address issues fixed between releases.
SSH Algorithms
This release changes the key exchange, cipher, and message authentication (MAC) algorithms offered by the SSH daemon. The changes add post-quantum key exchange algorithms and remove older, weaker algorithms.
The current set of SSH server algorithms is supported by most SSH, SCP, and SFTP clients released in the last several years, but some older or specialized clients may fail to connect. Ensure all client software is fully up-to-date before upgrading to this version of pfSense Plus software.
If a client cannot connect to the SSH daemon on this version, please post on the Netgate Forum and include the full client name and version.
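The following is an added example, not code from pfSense or Netgate, for checking a client before and after the upgrade: whether the local OpenSSH client offers a post-quantum key exchange at all (read from `ssh -Q kex`), and which key exchange, cipher and MAC a connection actually negotiated (read from `ssh -vv` output). The post-quantum kex names it looks for are the hybrid identifiers OpenSSH itself uses (sntrup761x25519-sha512 since OpenSSH 9.0, mlkem768x25519-sha256 since 9.9); the release notes do not list the server's algorithms, so that the pfSense sshd offers one of these is an assumption. The debug output it parses is a constructed sample, and the hostname in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not part of pfSense): client-side SSH algorithm checks.

# has_pq_kex: reads kex names, one per line as printed by `ssh -Q kex`, on
# stdin; succeeds if at least one post-quantum hybrid kex is present.
# Assumption: the pfSense 26.03 sshd offers one of these OpenSSH identifiers.
has_pq_kex() {
  grep -Eq '^(sntrup761x25519-sha512(@openssh\.com)?|mlkem768x25519-sha256)$'
}

# parse_negotiated: reads `ssh -vv` debug output on stdin and prints the key
# exchange, cipher and MAC that were actually negotiated with the server.
# OpenSSH reports the MAC as "<implicit>" for AEAD ciphers such as
# chacha20-poly1305 and AES-GCM, which carry their own authentication.
parse_negotiated() {
  sed -n \
    -e 's/^debug1: kex: algorithm: \(.*\)$/kex=\1/p' \
    -e 's/^debug1: kex: server->client cipher: \([^ ]*\) MAC: \([^ ]*\).*$/cipher=\1 mac=\2/p'
}

# Constructed sample of the relevant `ssh -vv` lines (not a real capture).
SAMPLE_DEBUG='debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'

demo() {
  # Does the installed client offer a post-quantum kex? (stderr silenced in
  # case ssh is not installed at all)
  if ssh -Q kex 2>/dev/null | has_pq_kex; then
    echo "client offers a post-quantum key exchange"
  else
    echo "client offers no post-quantum key exchange (ssh missing or too old)"
  fi
  # What did a connection negotiate? Shown here on the constructed sample.
  printf '%s\n' "$SAMPLE_DEBUG" | parse_negotiated
}

# Against a real firewall (hostname hypothetical); ssh writes its debug
# output to stderr, hence the redirect:
#   ssh -vv admin@firewall.example 2>&1 </dev/null | parse_negotiated
demo
```

If the client is too old, the same `ssh -vv` output ends with an "Unable to negotiate ... no matching key exchange method found" (or cipher/MAC) line from OpenSSH instead of the `kex:` lines, which is the detail to include in a forum report.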
TLS Certificate Strength
As with the previous pfSense software release, the version of OpenSSL in this release enforces strict certificate requirements. For example, if a TLS server certificate for a service such as the GUI has a weak key (< 2048 bits), the service may fail with an error such as “key too small”.
Such weak certificates have been deprecated for some time, and the GUI has warned against weak settings. However, users may not realize that certificates generated on other systems and imported, or generated years ago with long lifetimes, are now considered insecure.
This version of pfSense software checks the GUI certificate during the upgrade process and generates a new GUI certificate if the current one is invalid, expired, or weak.
Even with that automatic check, the best practice is to inspect all server certificates before upgrading. Navigate to System > Certificates, Certificates tab. On that page, check each TLS server certificate by clicking its Renew/Reissue icon. On the renewal screen, inspect the Certificate Properties vs Strict Security table. If any item in the Would Change column is Yes, either renew the certificate with Strict Security checked, or create or import a replacement certificate which meets these standards.
If the Renew/Reissue icon is not available for a certificate, such as one imported from an external CA, use the icon to view the certificate properties and check the values manually.
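For certificates that have to be checked manually, or for a batch of exported certificates, the following added example (not pfSense's own code) does the same inspection from a shell with `openssl`. `check_cert_text` parses the text form of a certificate as printed by `openssl x509 -noout -text`, read on stdin, so it can be exercised offline; `check_cert_file` wraps it around a PEM file and adds an expiry check. The thresholds it applies (RSA below 2048 bits, EC below 256 bits, MD5 or SHA-1 signatures) are this example's own choice, anchored on the "< 2048 bits" figure above; the two samples are constructed in the layout of `openssl` output and are not real certificates.

```shell
#!/bin/sh
# Added example (not part of pfSense): flag TLS server certificates that a
# strict OpenSSL build is likely to reject.

# check_cert_text: reads `openssl x509 -noout -text` output on stdin, prints
# one line per finding, and exits 1 if anything weak was found.
# Thresholds are this example's own assumption (RSA < 2048, EC < 256, MD5/SHA-1).
check_cert_text() {
  awk '
    /Public Key Algorithm:/ { alg = $NF }     # rsaEncryption, id-ecPublicKey, ED25519, ...
    /Public-Key: \(/ {                        # e.g. "Public-Key: (1024 bit)"
      b = $0; sub(/.*\(/, "", b); sub(/ bit\).*/, "", b); bits = b + 0
    }
    /Signature Algorithm:/ && sig == "" { sig = $NF }   # first one is the TBS signature alg
    END {
      weak = 0
      if (alg == "")                               { print "error: no public key found in input"; weak = 1 }
      if (alg == "rsaEncryption" && bits < 2048)   { print "weak: RSA key is only " bits " bits (< 2048)"; weak = 1 }
      if (alg == "id-ecPublicKey" && bits < 256)   { print "weak: EC key is only " bits " bits (< 256)"; weak = 1 }
      if (tolower(sig) ~ /md5|sha1/)               { print "weak: signature algorithm " sig; weak = 1 }
      exit weak
    }'
}

# check_cert_file: runs the checks on a PEM certificate file and also reports
# a certificate that is already expired (openssl -checkend 0 fails in that
# case, and also when the file cannot be parsed at all).
check_cert_file() {
  rc=0
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired or unreadable: $1"; rc=1
  fi
  openssl x509 -in "$1" -noout -text | check_cert_text || rc=1
  return $rc
}

# Constructed samples (not real certificates) in the layout of `openssl x509 -text`.
WEAK_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'

OK_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

demo() {
  echo "weak sample:"; printf '%s\n' "$WEAK_SAMPLE" | check_cert_text || echo "-> would be rejected"
  echo "ok sample:";   printf '%s\n' "$OK_SAMPLE"   | check_cert_text && echo "-> meets the thresholds"
}
# On exported certificates:  for f in *.crt; do echo "== $f"; check_cert_file "$f"; done
demo
```

The parser reads the first "Signature Algorithm" line deliberately: `openssl` prints it twice, once inside the to-be-signed data and once before the signature bytes, and the two always agree for a valid certificate. A certificate that passes here can still be replaced by the upgrade check if it is invalid for other reasons, so this is a pre-upgrade triage, not a substitute for the Strict Security table in the GUI.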
Automatic Static Link-Local Address
Previous releases automatically added the fe80::1:1 link-local address to interfaces configured for IPv6 tracking. This behavior was causing problems for some users and offered few, if any, tangible benefits in modern environments, so this release no longer adds it.
If clients used this automatic address for link-local traffic to the firewall, their configurations must be updated to use one of the interface's other link-local addresses after upgrading.
TLS Certificate Auto-Renew
This version of pfSense software can automatically renew TLS server certificates which are self-signed or signed by an internal CA stored in the pfSense software configuration. Automatic renewal is a per-certificate option, and pfSense software automatically enables this option for the GUI certificate when possible. When automatically renewing a certificate, pfSense software uses the latest strict security options to ensure the certificate meets current standards.
While many operating systems and browsers will ignore strict validity requirements for self-signed certificates or certificates signed by a custom CA, some do not. Allowing GUI certificates to expire will result in the GUI being unreachable in those cases.
Users can edit the GUI certificate entry and disable the automatic renewal option if it does not suit their environment.
While the option is not automatically enabled for other TLS server certificates, it is generally safe to enable it manually. For example, TLS server certificates for OpenVPN servers can safely auto-renew.
pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
Fixed: Editing an alias used in static routes does not correctly update the routing table #16407
Authentication
Build / Release
Added: Include System Patches package by default #16695
Certificates
Configuration Backend
Fixed: Alerts do not trigger for empty configuration change descriptions #16557
DHCP (IPv4)
Fixed: UTF-8 characters saved in the Client Identifier of DHCP static mappings result in an invalid configuration #16661
DHCP Server (IPv6)
Fixed: Kea DHCPv6 Leases page does not include delegated prefixes from active dynamic leases #16697
DNS Forwarder
Fixed: PHP error when saving 2+ DNS Forwarder domain overrides via Nexus MIM API or GUI #16708
DNS Resolver
Dashboard
Changed: Speed up MBUF Usage command in System Information Dashboard widget #15780
Dynamic DNS
Gateways
Hardware / Drivers
IPsec
Fixed: Cannot disable IPsec Advanced Settings tab option for Strict Interface Binding #16709
Interfaces
Logging
Fixed: Firewall log always shows rules with Reject action under “Associated Rules” #16644
OpenVPN
Operating System
Added: Update the SSH server configuration to current standards and include post-quantum cryptography algorithms #16423
PHP Interpreter
Changed: Upgrade PHP to 8.5.x #16668
PPP Interfaces
Fixed: PPPoE on a VirtIO vtnet interface fails to pass routed traffic #16638