Back to Blog

pfSense, Releases

Netgate Releases pfSense Plus Software Version 23.09

Written by: Bill Rathbone

Date: November 06, 2023

Netgate Releases pfSense Plus Software Version 23.09

Netgate® is pleased to announce the Release of pfSense® Plus software version 23.09. Release Notes are available for review. 

Overview

Millions of businesses and individuals rely on Netgate software to connect and protect their networks around the world. pfSense Plus software is the commercially developed and supported Netgate firewall/VPN/router based on the open source pfSense CE project software. pfSense Plus contains enhanced capabilities that better serve business customers without disrupting the open source codebase that community members rely upon today.

pfSense Plus software, TAC LITE support and updates are included at no additional cost on Netgate appliances and public cloud images on the AWS and Azure marketplaces. pfSense Plus software with support and updates can be licensed with a TAC LITE, TAC PRO, or TAC ENTERPRISE annual subscription.

Major Changes and Features

OpenSSL upgraded to 3.0.12

This change was essential because OpenSSL 1.1.1 has reached End of Life (EOL) and will no longer receive security patches for vulnerabilities. 

The upgrade to OpenSSL 3.0.12 means that a number of older and weaker encryption and hash algorithms have been removed, and security certificates based on these older/weaker hashes have been deprecated. We HIGHLY recommend reviewing the release notes, and our blog on this topic, prior to any upgrade.

Encryption algorithms removed from OpenVPN include: ARIA, Blowfish (e.g. BF-CBC, which was formerly an OpenVPN default), CAST5, DES, DESX, IDEA, RC2, RC5, SEED, and SM4. Hash algorithms removed from OpenVPN include MD4, MDC2, SM3, and Whirlpool.

Kea DHCP added as an opt-in feature

The Kea DHCP server is available as an opt-in feature. Basic functionality is present in version 23.09, but it is not feature complete. You can find our blog on the topic here. Switching to the Kea DHCP server is done by:

  • Navigate to System > Advanced
  • Choose the Networking tab
  • Change the new Server Backend radio button in the DHCP Options section to "Kea DHCP"

Note: If you have assigned hostnames to devices on your network using static leases, or rely on dynamic lease registration in DNS, switching to Kea DHCP results in those hostnames being ignored. The static lease configuration is kept, so switching back to ISC DHCP will restore the functionality.

Improved support for SCTP

Support for SCTP has been improved in PF for firewall rules, NAT, and logging. Rules can now act on SCTP packets by port number. Previously it was only possible to filter on source or destination address.

IPv6 Router Configuration moved

IPv6 Router Advertisement configuration has been relocated to Services > Router Advertisement as a part of the ongoing Kea DHCP server integration.

Additional Changes

  • PHP upgraded to 8.2.11
  • The base operating system upgraded to a more recent point of FreeBSD 14-CURRENT
  • The release also addresses several bugs and other issues. 

Installing the Upgrade

Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.

Users currently running pfSense Plus software

Upgrades from an earlier version of pfSense Plus software are usually made through the Web user interface. It’s always recommended to save a backup of the pfSense Plus configuration prior to any major change such as an upgrade. You can find Backup and Recovery instructions in the pfSense Documentation.

  • Navigate to System > Update
  • Set Branch to “Latest Stable Version (23.09)
  • Click Confirm to start the upgrade process

Troubleshooting the Upgrade

Please review the documentation on Troubleshooting Upgrades for the most up-to-date information on working around upgrade issues.

This pfSense Plus software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid support.

Supporting the Project

When you purchase Netgate hardware, TAC, or AWS/Azure cloud instances, you directly sustain the engineering teams responsible for maintaining high quality pfSense software. 

You may support this work through one or more of the following:

  • Purchase an official appliance directly from Netgate or from our worldwide reseller partner network. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Purchase TAC support which provides you with direct access to Netgate Global Support
  • Purchase Professional Services, which provides access to our most senior engineers for more complex projects outside the scope of TAC support.
  • Use a genuine pfSense Plus instance from Netgate to connect and protect your cloud workloads on AWS and Azure.

Our efforts are made possible by the support of our customers and the community, and for that we express our sincere thanks. This involvement makes the pfSense project a stronger solution for everyone.