pfSense® software, the world’s leading firewall, router, and VPN solution, provides secure network edge and cloud networking solutions for millions of deployments worldwide.
We are excited to announce the release of pfSense® Community Edition (CE) software version 2.8.0. This new version adds numerous major features, including some that were previously exclusive to pfSense Plus software, along with many other enhancements and bug fixes. All pfSense CE users are encouraged to upgrade to this new version.
Upgrade Notes
Warning
Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.
To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.
Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this post, but the best practice is to follow all of the precautions noted in the Upgrade Guide.
Legacy Serial Consoles
After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.
Updated Boot Loader
This version requires an updated boot loader, which the upgrade process handles automatically in nearly all cases. However, there are edge cases where the automatic update does not update the loader the device actually boots from. For example, this can happen when there are multiple unmirrored disks and the BIOS/EFI firmware boots not from the disk containing the updated loader, but from an older, unrelated installation on a separate disk. One particular case is a previous installation on MMC, followed by an installation to an add-on SSD without clearing the MMC contents.
Low Memory Hardware
Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running.
Tip: For devices running ZFS, see ZFS Tuning for information on reducing ZFS memory usage.
For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.
New Features and Improvements
Automatic Configuration Backup
Automatic Configuration Backup, also called AutoConfigBackup or ACB, is a free service Netgate provides. This feature encrypts backups of the pfSense software configuration and uploads those encrypted backups to Netgate cloud storage servers. This service provides users with a secure and convenient method to create remote backups and restore known-good configurations. In this release, Netgate has rewritten the AutoConfigBackup user interface to make it more secure and efficient, fixed several bugs, and added the ability for users to further enhance security by changing the Device Key.
New PPPoE Driver
This release contains a new PPPoE backend, if_pppoe, which enables a large performance increase over the existing MPD-based implementation. This option is not enabled by default, but users can opt into this new backend with a checkbox at System > Advanced on the Networking tab.
In addition to performance gains, users should see a dramatic decrease in the CPU usage consumed by PPPoE throughput. Users who have multi-gigabit PPPoE WAN links can enable this new feature and enjoy much faster WAN speeds. However, the new if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.
Kea DHCP Feature Integration
This release contains several Kea DHCP features that bring feature parity with the ISC DHCP daemon. Some of these features were previously exclusive to pfSense Plus software, while others are new in this release.
- High Availability in the Kea DHCP daemon. This implementation has several advantages over the older ISC DHCP implementation, including:
  - Supports HA for DHCPv4 and DHCPv6.
  - Simplified HA setup, all in one place on each node for each type.
  - Works in hot standby mode, which is more reliable.
  - Can synchronize lease data over the SYNC interface for security and ease of use.
  - Optionally encrypts lease synchronization data for added protection.
- DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver.
  - Updates DNS records dynamically on-the-fly; updates do not require a resolver restart and are not disruptive.
  - Supports DNS Registration for DHCPv4 and DHCPv6.
  - DNS Registration can be configured in a per-interface or global manner, with the ability to enable or disable specific interfaces as needed.
  - DNS records are not limited to the system domain name. DNS Registration honors the domain name in the DHCP settings for each interface and on static mappings.
  - Keeps DNS records accurate and up-to-date on both high availability peers.
  - Can register static mappings when Kea starts (similar to ISC) or when a static mapping client obtains a lease.
- DHCPv6 Prefix Delegation.
  - Prefix Delegation settings in Kea use a different format than the ISC DHCPv6 daemon, so Kea cannot use existing settings for Prefix Delegation; settings for Prefix Delegation in Kea must be re-created manually when switching from ISC DHCPv6 to Kea DHCPv6.
  - See DHCPv6 Prefix Delegation in the pfSense software documentation for details.
- Static ARP Support.
  - This functionality was previously available in ISC DHCP, but is new to Kea.
- Custom Configuration Support.
  - Enables users to implement Kea features and options not supported in the pfSense software GUI by using JSON configuration snippets.
- Stability Improvements.
  - This release fixes several bugs in Kea on pfSense software which affected its configuration, stability, and overall operation.
NAT64
This release contains full support for NAT64.
NAT64 is a form of NAT that enables clients with only IPv6 addresses to reach remote hosts using IPv4 addresses. NAT64 accomplishes this by mapping IPv4 addresses into a special IPv6 prefix dedicated to this purpose, such as the default NAT64 prefix, 64:ff9b::/96.
NAT64 on pfSense software is implemented across multiple areas, including NAT64 firewall rules, PREF64 in router advertisements, and DNS64 in the DNS Resolver Advanced options.
There is a complete walkthrough for implementing NAT64 in the pfSense software documentation.
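To make the address mapping described above concrete, here is an added example (not code from pfSense or Netgate) that implements the RFC 6052 embedding of an IPv4 address into a /96 NAT64 prefix, the reverse extraction a translator performs, and the DNS64 rule that only synthesizes AAAA records for names with no native AAAA record. The default 64:ff9b::/96 prefix is the one named in the text; the site-specific prefix 2001:db8:64::/96 and the sample addresses are constructed for the example, and the RFC 1918 check applies only to the well-known prefix, as RFC 6052 section 3.1 requires.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052; the release notes call it the default prefix.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed example of a network-specific prefix (documentation address space).
SITE_PREFIX_EXAMPLE = ipaddress.IPv6Network("2001:db8:64::/96")

# RFC 1918 ranges. RFC 6052 section 3.1: the well-known prefix must not be used
# to represent non-global IPv4 addresses such as these.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def can_translate(ipv4, prefix=WELL_KNOWN_PREFIX):
    """True if ipv4 may be embedded in prefix.

    A network-specific prefix may carry private IPv4 space (a site translating
    into its own IPv4 network); the well-known prefix may not.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix == WELL_KNOWN_PREFIX:
        return not any(v4 in net for net in RFC1918)
    return True


def ipv4_to_nat64(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 NAT64 prefix.

    In the /96 layout of RFC 6052 the IPv4 address occupies the low 32 bits and
    there is no suffix, so the mapping is a plain bitwise OR with the prefix.
    """
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    if not can_translate(ipv4, prefix):
        raise ValueError(f"{ipv4} must not be embedded in the well-known prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_to_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping, as the translator sees an embedded destination.

    Returns None when the address is outside the NAT64 prefix, i.e. native IPv6
    traffic that must be routed rather than translated.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_synthesize(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """DNS64 behaviour (RFC 6147).

    AAAA records are synthesized from A records only when the name has no
    native AAAA records, so dual-stack hosts are reached over IPv6 directly and
    only IPv4-only hosts are sent through the NAT64 translator.
    """
    if aaaa_records:
        return list(aaaa_records)
    return [str(ipv4_to_nat64(a, prefix)) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: an IPv4-only host at 192.0.2.33 and a dual-stack host
    # with a native AAAA record 2001:db8::5.
    print(ipv4_to_nat64("192.0.2.33"))
    print(nat64_to_ipv4("64:ff9b::c000:221"))
    print(dns64_synthesize(["192.0.2.33"], []))
    print(dns64_synthesize(["192.0.2.33"], ["2001:db8::5"]))
```

The `can_translate` check is the part a practitioner most often gets wrong: an IPv6-only client cannot reach RFC 1918 hosts through the well-known prefix, so a deployment that needs that must configure a network-specific prefix on both the NAT64 rules and the DNS64 setting in the DNS Resolver.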
Gateway Fail-Back
This release includes support for enhanced gateway recovery ("fail back") by optionally clearing states from lower tier gateways when a more preferred gateway recovers. This allows the firewall to force connections back to a higher priority gateway when it recovers, which can help in environments where lower priority gateways have significantly lower bandwidth or metered charges.
System Aliases
This release contains new Built-in System Aliases that allow user-created firewall rules to utilize aliases that were previously only usable by internal firewall rules. This feature also contains several new aliases with common collections of reserved and special-purpose networks, so that users do not need to define their own alias on each device for things like private networks or multicast networks.
State Policy
This release changes the default State Policy from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing, as well as with High Availability state synchronization on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI. The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab. There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
Security Advisories
This release fixes several security issues in pfSense software, including:
- pfSense-SA-25_01.webgui: Multiple problems in Dashboard widget key handling which could lead to XSS, denial of service, or configuration corruption.
- pfSense-SA-25_02.webgui: OpenVPN management interface command injection from OpenVPN status and Dashboard widget.
- pfSense-SA-25_03.webgui: Potential XSS in the AutoConfigBackup backup list.
- pfSense-SA-25_04.webgui: Potential disclosure of AutoConfigBackup Device Key if SSH service is enabled and exposed to untrusted networks.
- pfSense-SA-25_05.webgui: Stored XSS in Firewall Schedules.
- pfSense-SA-25_06.webgui: Stored XSS in IPsec tunnel Phase 1 list.
- pfSense-SA-25_07.webgui: Stored XSS in Wake on LAN pages and Dashboard widget.
System Patches for Previous Versions
Fixes for these security issues are available via the recommended patches function of the System Patches Package for users running pfSense Plus software version 24.11 as well as pfSense CE software version 2.7.2.
- See our previous post about Using the System Patches Package for a walkthrough that covers installing/updating the package and applying recommended patches.
Operating System and Base System Component Updates
This release includes additional security fixes for issues in FreeBSD as well as base system component packages. These binary-only fixes are only available by upgrading to a new release.
Release Notes
Release Notes for pfSense CE 2.8.0-RELEASE are available for a more comprehensive list of new features, bug fixes, and other changes in this release.
Installing the Upgrade
Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.
Users currently running pfSense Community Edition (CE) software
Upgrades from an earlier version of pfSense CE software are usually made through the web-based user interface. Before making any major change, such as an upgrade, it is best practice to create and securely store a backup of the pfSense configuration. The pfSense documentation contains detailed Backup and Recovery instructions.
To perform the update:
- Navigate to System > Update in the pfSense software GUI
- Set Branch to “Current Stable Version (2.8.0)”
- Click Confirm to start the upgrade process
We encourage users to migrate from pfSense CE software to pfSense Plus software. Doing so will ensure you have access to all of the benefits of pfSense Plus software. You can find details on how to get pfSense Plus software in the Netgate shop.
Troubleshooting the Upgrade
Please review the documentation on Troubleshooting Upgrades for the most up-to-date information on working around upgrade issues.
This pfSense CE software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid assistance.
Supporting the Project
When you purchase Netgate hardware, TAC, or AWS/Azure cloud instances, you directly sustain the engineering teams responsible for maintaining high quality pfSense software.
You may support this work through one or more of the following:
- Purchase an official appliance directly from Netgate or from our worldwide reseller partner network. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Purchase a TAC subscription, which provides you with direct access to Netgate Global Support.
- Purchase Professional Services, which provides access to our most senior engineers for more complex projects outside the scope of TAC requests.
- Use a genuine pfSense Plus instance from Netgate to connect and protect your cloud workloads on AWS and Azure.
Our efforts are made possible by the support of our customers and the community, and for that we express our sincere thanks. This involvement makes the pfSense project a stronger solution for everyone.