pfSense Plus

Changes in this version of pfSense Plus software.

Backup / Restore

  • Fixed: RRD data fails to restore via the ECL #16141

Captive Portal

  • Fixed: Captive Portal Ethernet rules can block ARP #16264

  • Fixed: Reserved DUMMYNET pipes for Captive Portal can overlap #16540

Configuration Backend

  • Changed: Improve file handling of the configuration cache #16469

DHCP (IPv4)

  • Changed: Upgrade to Kea 3.0.2 #16388

  • Changed: Kea configuration parameter client-class is deprecated #16468

DHCP (IPv6)

  • Fixed: Hostnames in Kea static leases may not be registered with DNS #16552

DNS Forwarder

  • Fixed: PHP error in DNS Forwarder host overrides when the language is set to French #14741

DNS Resolver

  • Changed: Update Unbound to 1.24.2 to address CVE-2025-11411 #16503

Dashboard

  • Fixed: Manually verifying the boot environment makes config changes #15499

  • Fixed: Thermal Sensors widget does not respect per-sensor threshold vales #16266

Diagnostics

  • Fixed: Captive Portal backwardsyncpassword value not sanitized in status output #16339

Dynamic DNS

  • Added: Preserve other record types when updating IPv4 or IPv6 using deSEC DDNS #12495

  • Fixed: Dynamic DNS does not use preferred VIP in Gateway Group #16326

  • Fixed: Custom Dynamic DNS services ignore the monitor interface #16368

Gateway Monitoring

  • Fixed: Gateway monitoring daemon can unexpectedly use a CARP VIP as the source IP address #16322

Gateways

  • Fixed: Gateway list order is incorrect until reloading page after moving entries and saving #16495

Hardware / Drivers

  • Fixed: Netgate 2100/3100 LED controller not responding to gpioctl #16526

  • Fixed: QLink/Marvell 41000 NIC bug #16248

  • Added: Support 2.5G SGMII (SFP GPON ONT) in bxe driver (QLogic NetXtreme II BCM57810) #16321

  • Fixed: e1000 network interfaces unexpectedly link at half-duplex #16449

IPsec

  • Changed: Update strongSwan to 6.0.3 #16509

IPv6 Router Advertisements (radvd/rtsold)

  • Fixed: Cannot set RADVD router lifetime to 0 #16472

Installer

  • Fixed: Configuration data restored during installation can be overwritten by hardware-specific default values #16176

Interfaces

  • Added: VXLAN Interfaces #11732

  • Added: Option to change QinQ ethertype to Service VLAN Tag #13340

  • Fixed: Retain previous QinQ VLAN tag type value for existing entries on upgrade #13622

Logging

  • Added: Option to disable logging of packets blocked due to unmatched IP options #16068

  • Fixed: syslogd daemon can terminate when a remote log server refuses connections #16362

OpenVPN

  • Fixed: Automatic IPv6 gateways for OpenVPN servers are created with the wrong gateway address #16351

  • Fixed: OpenVPN servers will not start with DH parameter lengths less than 2048 #16421

  • Fixed: OpenVPN does not include client-to-client in generated configuration for Peer-to-Peer SSL/TLS servers #16428

Operating System

  • Fixed: rc.savecore errors prevent boot in ZFS #15613

  • Fixed: Swap fails to activate when multiple swap partitions exist #16232

PHP Interpreter

  • Changed: Upgrade PHP to 8.4 #16471

PPP Interfaces

  • Changed: Sanitize PPPoE configuration parameters #16128

  • Fixed: PPPoE interfaces using if_pppoe increase error counters due to normal ALTQ traffic shaping operations #16216

  • Fixed: Virtual IP addresses on PPPoE interfaces using if_pppoe can prevent PPP session termination #16487

Package System

  • Fixed: Error notification and log message "Updating repositories metadata" returned error code 1 at boot due to certctl race condition #16341

Rules / NAT

  • Added: Allow floating rules using the “match” action to match based on IP Options #16215

  • Added: Block non-global NAT64 addresses by default #16241

  • Changed: Refactor PF ruleset generation #16307

  • Added: Avoid traffic stalls from unnecessary filter reloads #16308

  • Fixed: NAT64 rules using reply-to do not forward packets #16429

  • Fixed: Filter rule evaluation continues after matching a match quick rule #16475

  • Added: Support state killing on gateway recovery for policy-routed traffic from the firewall itself #16502

  • Added: Endpoint-independent Port Restricted Cone Outbound NAT rules #16517

  • Fixed: NAT64 rules do not pass traffic when a gateway is specified for the rule #16546

  • Changed: Update output and parsing behavior for PHP shell pfanchordrill #16551

System Logs

  • Fixed: Log entries without a hostname can cause the system log to display in an unexpected manner #15411

Traffic Shaper (Limiters)

  • Fixed: Using a Limiter on a rule with a gateway group limits all traffic through that gateway instead of the host IP address #15770

Translations

  • Fixed: Korean locale configuration name is incorrect #16505

Unknown

  • Fixed: pfSense Plus does not work with AWS new Instance Metadata Service (IMDSv2) #14772

Upgrade

  • Fixed: PHP shell playback script upgradeconfig incorrectly replaces running configuration when Nexus is enabled #16179

  • Added: Fix configuration artifacts on upgrade #16253

User Manager / Privileges

  • Fixed: sshguard does not trigger for GUI logins from usernames containing unexpected characters #16312

  • Fixed: GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages #16314

Virtual IP Addresses

  • Fixed: Input validation text for deleting an IP Alias VIP within a CARP VIP subnet may reference incorrect VIP #16272

Web Interface

  • Fixed: Boot Environment page fails to load if pfsense:version ZFS property contains newlines #16375

  • Changed: Apple TouchID/FaceID probes for site icon files that do not exist #6727

XMLRPC

  • Fixed: Membership to admins group is lost when synchronizing user changes via XMLRPC #16392