pfSense® software, the world’s leading firewall, router, and VPN solution, provides secure network edge and cloud networking solutions for millions of deployments worldwide.
We are excited to announce the release of pfSense® Community Edition (CE) software version 2.8.0. This new version includes numerous major features, including some features which were previously exclusive to pfSense Plus software, along with many other enhancements and bug fixes. All pfSense CE users are encouraged to upgrade to this new version.
Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.
To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.
Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this post, but the best practice is to follow all of the precautions noted in the Upgrade Guide.
After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.
This version requires an updated boot loader, which the upgrade process handles automatically in nearly all cases. However, there may be some edge cases where the automatic update does not update the loader currently used by the device. For example, this can occur when there are multiple unmirrored disks and the BIOS/EFI firmware is booting not from the disk containing the updated loader but from an older, unrelated installation on a separate disk. One particular case is a previous installation on MMC that was followed by an installation to an add-on SSD without clearing the MMC contents.
Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running.
Tip: For devices running ZFS, see ZFS Tuning for information on reducing ZFS memory usage.
For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.
Automatic Configuration Backup, also called AutoConfigBackup or ACB, is a free service Netgate provides. This feature encrypts backups of the pfSense software configuration and uploads those encrypted backups to Netgate cloud storage servers. This service provides users with a secure and convenient method to create remote backups and restore known-good configurations. In this release, Netgate has rewritten the AutoConfigBackup user interface to make it more secure and efficient and has fixed several bugs. The service now also includes the ability for users to further enhance security by changing the Device Key.
This release contains a new PPPoE backend, if_pppoe, which enables a large performance increase over the existing MPD-based implementation. This option is not enabled by default, but users can opt into this new backend with a checkbox at System > Advanced on the Networking tab.
In addition to performance gains, users should see a dramatic decrease in CPU usage due to PPPoE throughput. Users who have multi-gigabit PPPoE WAN links can enable this new feature and enjoy much faster WAN speeds. However, the new if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.
This release contains several Kea DHCP features that bring feature parity with the ISC DHCP daemon. Some features were previously exclusive to pfSense Plus software; others are new for this release.
This release contains full support for NAT64.
NAT64 is a form of NAT that enables clients with only IPv6 addresses to reach remote hosts using IPv4 addresses. NAT64 accomplishes this by mapping IPv4 addresses into a special IPv6 prefix dedicated to this purpose, such as the default NAT64 prefix, 64:ff9b::/96.
NAT64 on pfSense software is implemented across multiple areas, including NAT64 firewall rules, PREF64 in router advertisements, and DNS64 in the DNS Resolver Advanced options.
There is a complete walkthrough for implementing NAT64 in the pfSense software documentation.
This release includes support for enhanced gateway recovery "fail back" by optionally clearing states from lower tier gateways when a more preferred gateway recovers. This allows the firewall to force connections back to a higher priority gateway when it recovers, which can help in environments where lower priority gateways have significantly lower bandwidth or metered charges.
This release contains new Built-in System Aliases that allow user-created firewall rules to utilize aliases that were previously only usable by internal firewall rules. This feature also contains several new aliases with common collections of reserved and special-purpose networks, so that users do not need to define their own alias on each device for things like private networks or multicast networks.
This release changes the default State Policy from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing, as well as with High Availability state synchronization on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI. The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab. There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
This release fixes several security issues in pfSense software, including:
Fixes for these security issues are available via the recommended patches function of the System Patches Package for users running pfSense Plus software version 24.11 as well as pfSense CE software version 2.7.2.
This release includes additional security fixes for issues in FreeBSD as well as base system component packages. These binary-only fixes are only available by upgrading to a new release.
Release Notes for pfSense CE 2.8.0-RELEASE are available for a more comprehensive list of new features, bug fixes, and other changes in this release.
Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.
Upgrades from an earlier version of pfSense CE software are usually made through the web-based user interface. Before making any major change, such as an upgrade, it is best practice to create and securely store a backup of the pfSense configuration. The pfSense documentation contains detailed Backup and Recovery instructions.
To perform the update:
We encourage users to migrate from pfSense CE software to pfSense Plus software. Doing so will ensure you have access to all of the benefits of pfSense Plus software. You can find details on how to get pfSense Plus software in the Netgate shop.
Please review the documentation on Troubleshooting Upgrades for the most up-to-date information on working around upgrade issues.
This pfSense CE software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid assistance.
When you purchase Netgate hardware, TAC, or AWS/Azure cloud instances, you directly sustain the engineering teams responsible for maintaining high quality pfSense software.
You may support this work through one or more of the following:
Our efforts are made possible by the support of our customers and the community, and for that we express our sincere thanks. This involvement makes the pfSense project a stronger solution for everyone.