Today we celebrate the 20th anniversary of the initial public beta of m0n0wall. pfSense software is the continuation of the idea and ideals of m0n0wall, which had its initial Public Beta on 15 February 2003. Thanks to Manuel Kasper and all the m0n0wall community members for an idea that is still fresh and relevant after 20 years, continuing with the latest release of pfSense Plus software.
pfSense® Plus software version 23.01-RELEASE is now available. This is a regularly scheduled release of pfSense Plus software including new features, additional hardware support, and bug fixes. The release contains significant enhancements, such as:
- Moving to PHP 8.1 and FreeBSD main
- Adding support for ChaCha20-Poly1305 encryption with IPsec
- Adding support for ChaCha20-Poly1305 and AES-128-GCM encryption with OpenVPN DCO
- Resolving previous issues with Unbound
- Continuing to improve Captive Portal
- Updating the pfBlockerNG package to match pfBlockerNG-devel
PHP 8.1 and FreeBSD main
We have moved the version of PHP used by pfSense Plus software to PHP 8.1 and changed the base operating system version of FreeBSD used by pfSense Plus software from 12-STABLE to the current development “top of tree” version, also known as “main,” or “HEAD,” and, at the time of writing, “14-CURRENT”.
Prior to this release, pfSense software was based on PHP 7.4, which is now in the EOL phase. Moving to PHP 8.1 means we will be on the latest available release of PHP. PHP 8.1 is supported upstream until late 2024.
Following the FreeBSD main branch gives pfSense software access to the latest drivers, fixes and features in FreeBSD. When new features are added to FreeBSD, developers merge them into the main branch first, after review. Similarly, FreeBSD development work is focused on the main branch for other items such as the latest bug, errata, and security fixes, as well as other corrections. Additional benefits include:
- Access to the most up-to-date drivers for a variety of hardware.
- Closer alignment to the development cycle of FreeBSD so we are developing future versions against similar branches.
- Avoiding the larger and more complex body of work that is otherwise required whenever pfSense software moves to a newer FreeBSD base.
- Ability to upstream our own changes and development to FreeBSD without a subsequent merge to an older base release, lowering our technical debt.
- Stability of the main branch and ability to address potential incompatibility issues as they arise instead of having to address them in larger batches between “stable” releases.
A Note on Deprecated IPsec Algorithms
As a part of the FreeBSD upgrade, this version removes several deprecated IPsec algorithms:
- 3DES ciphers
- Blowfish ciphers
- CAST 128 ciphers
- MD5 HMAC Authentication
For a smooth transition, reconfigure tunnels with better encryption and test them prior to upgrading. On upgrade, IPsec tunnels will be updated to remove any deprecated algorithms from their configuration.
Tunnels without valid encryption or authentication settings will be shut down, and the upgrade process will notify the user of any changes.
This only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.
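Because tunnels still using these algorithms will be rewritten or shut down on upgrade, it is worth auditing a configuration backup before starting. The following is an added example, not Netgate's own code: it scans the IPsec section of a pfSense config.xml backup for the four deprecated algorithm families listed above. The element names (phase1/encryption/item, encryption-algorithm-option, hash-algorithm-option) are assumed from the shape of typical backups, and the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# IPsec algorithms removed in this release (per the list above).
DEPRECATED_CIPHERS = {"3des", "blowfish", "cast128"}
DEPRECATED_HASHES = {"md5", "hmac_md5"}

# Constructed sample shaped like the <ipsec> section of a config.xml backup.
# Element names are assumed from typical backups; check them against yours.
SAMPLE_CONFIG = """<pfsense><ipsec>
 <phase1><ikeid>1</ikeid><descr>legacy-branch</descr><encryption><item>
  <encryption-algorithm><name>3des</name></encryption-algorithm>
  <hash-algorithm>md5</hash-algorithm></item><item>
  <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  <hash-algorithm>sha256</hash-algorithm></item></encryption></phase1>
 <phase1><ikeid>2</ikeid><descr>modern-dc</descr><encryption><item>
  <encryption-algorithm><name>aes256gcm</name><keylen>128</keylen></encryption-algorithm>
  <hash-algorithm>sha256</hash-algorithm></item></encryption></phase1>
 <phase2><ikeid>1</ikeid><descr>legacy-p2</descr>
  <encryption-algorithm-option><name>blowfish</name></encryption-algorithm-option>
  <hash-algorithm-option>hmac_md5</hash-algorithm-option></phase2>
 <phase2><ikeid>2</ikeid><descr>modern-p2</descr>
  <encryption-algorithm-option><name>aes</name><keylen>256</keylen></encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha256</hash-algorithm-option></phase2>
</ipsec></pfsense>"""


def find_deprecated_ipsec(config_xml: str) -> list[tuple[str, str, str]]:
    """Return (phase, description, algorithm) for each deprecated setting."""
    root = ET.fromstring(config_xml)
    hits = []
    for p1 in root.iterfind("./ipsec/phase1"):
        descr = p1.findtext("descr") or p1.findtext("ikeid") or "?"
        # A phase 1 entry may carry several proposals; check every one.
        for item in p1.iterfind("./encryption/item"):
            cipher = (item.findtext("encryption-algorithm/name") or "").lower()
            hmac = (item.findtext("hash-algorithm") or "").lower()
            if cipher in DEPRECATED_CIPHERS:
                hits.append(("phase1", descr, cipher))
            if hmac in DEPRECATED_HASHES:
                hits.append(("phase1", descr, hmac))
    for p2 in root.iterfind("./ipsec/phase2"):
        descr = p2.findtext("descr") or p2.findtext("ikeid") or "?"
        for name in p2.iterfind("encryption-algorithm-option/name"):
            if (name.text or "").lower() in DEPRECATED_CIPHERS:
                hits.append(("phase2", descr, name.text.lower()))
        for h in p2.iterfind("hash-algorithm-option"):
            if (h.text or "").lower() in DEPRECATED_HASHES:
                hits.append(("phase2", descr, h.text.lower()))
    return hits
```

Run it against the text of a real backup (for example `find_deprecated_ipsec(open("config-backup.xml").read())`) and reconfigure every reported tunnel before upgrading.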
Another highlight of this release is that we added support for ChaCha20-Poly1305 encryption with IPsec and OpenVPN DCO. Support for AES-128-GCM encryption with OpenVPN DCO has also been added.
Netgate® developers have made several contributions with regards to ChaCha20-Poly1305 over the past couple of years, including bringing ChaCha20-Poly1305 support for IPsec and OpenVPN DCO to FreeBSD, ChaCha20-Poly1305 support for IPsec to VPP and TNSR® software, and WireGuard (which uses ChaCha20-Poly1305) to FreeBSD and the pfSense Project.
We added support because it is a standard encryption transform for IPsec, the only transform used by WireGuard, and is supported by OpenVPN. It makes sense for FreeBSD and pfSense software, as well as VPP and TNSR software, to have this capability.
Some benefits of having support for ChaCha20-Poly1305 encryption include an additional option available to users and the ability to more easily compare the performance of IPsec, WireGuard, and OpenVPN so that users can choose the right solution for their needs.
Resolved Unbound Issues
A long-standing difficult-to-reproduce crash in Unbound during reloading has been addressed. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.
In addition to the Unbound crash, a memory leak with DHCP registration and Unbound Python mode was also identified. This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further for future releases. At least two additional issues with Unbound itself were significant contributors to the memory leaks when using the Unbound Python integration. These patches have been submitted upstream to Unbound and are pending review and acceptance. The first patch eliminates the need to reload the Python interpreter every time Unbound is reloaded. The second patch adds missing cleanup in the Unbound Python module.
Fixed Captive Portal Bugs
Since the release of pfSense Plus software version 22.05, many improvements have been made to Captive Portal. Read the full list in the release notes.
Updated pfBlockerNG Package
The pfBlockerNG package has been updated to match pfBlockerNG-devel. Both packages are now in sync and fully up-to-date. After upgrading, it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.
Upgrading To The New Release
A detailed upgrade guide is available in our documentation to help you through the process. Here are the general steps needed to perform the upgrade.
Users Currently Running pfSense Plus 22.05:
- Backup your configuration
- Navigate to System > Update
- Choose the Latest Development Snapshots branch
The update check will run again and then offer a 23.01-RELEASE version of the software.
Note: the Netgate SG-1000 will not be eligible to upgrade to pfSense Plus software version 23.01. This is also true for all Intel 32-bit devices.
Users Currently Running pfSense Plus on the Cloud:
Users Currently Running pfSense Community Edition:
We encourage you to move from pfSense CE software to Netgate pfSense Plus software, which is still available at no charge. To do so:
- Migrate to pfSense Plus 23.01
- Follow the upgrade path to 23.01-RELEASE
Depending on your system, you may need to upgrade to pfSense Plus 22.05 before you have access to the pfSense Plus 23.01-RELEASE build.
See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.
If the update system does not offer an upgrade to the current release, or the upgrade will not proceed, take the following steps:
- Navigate to System > Updates
- Set Branch to Latest Development Snapshots
- Refresh the repository configuration and upgrade script by running the following commands from the console or shell:
- pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
Tips on Upgrading
- Create a backup before you upgrade, or a snapshot if it is a VM.
- Do not update packages before upgrading. Remove all packages or update packages after the upgrade.
- The upgrade will generally take 10 to 30 minutes. Maintain power to your appliance while it is in progress.
- Track the progress of the upgrade from your firewall console.
This pfSense Plus software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid support. Thank you!
Obtaining pfSense Software Source Code
pfSense Plus software is derived from FreeBSD and pfSense CE software with additional proprietary changes. The source code for the upstream projects is freely and publicly available from the same repositories as pfSense CE software:
- Main pfSense CE software repository - the web GUI, back end configuration code, and build tools.
- FreeBSD source - the operating system source code, with patches against the FreeBSD base.
- FreeBSD ports - the FreeBSD ports used.
To install or reinstall a release version of pfSense Plus software, contact Netgate TAC to obtain the installation media and include the Netgate Device ID of the hardware.
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.
Supporting the Project
Our efforts are made possible by the support of our customers and the community. You may support this work through one or more of the following:
- Purchase an official appliance direct from Netgate or from our worldwide reseller partner network. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Purchase TAC support which provides you with direct access to Netgate Global Support.
- Purchase a professional services arrangement which provides access to our most senior engineers for more complex projects outside the scope of TAC support.