We are excited to announce the release of pfSense® software version 2.4, now available for new installations and upgrades!

pfSense software version 2.4.0 was a herculean effort! It is the culmination of 18 months of hard work by Netgate and community contributors, with over 290 items resolved. According to git, 671 files were changed, with a total of 1651680 lines added and 185727 lines deleted. Most of those added lines are from translated strings for multiple language support!

pfSense 2.4.0-RELEASE updates and installation images are available now!

Highlights

Version 2.4.0 includes a long list of significant changes in pfSense software and in the underlying operating system and dependencies. Changes for pfSense 2.4.0 include:

  • FreeBSD 11.1-RELEASE as the base Operating System
  • New pfSense installer based on bsdinstall, with support for ZFS, UEFI, and multiple types of partition layouts (e.g. GPT, BIOS)
  • Support for Netgate ARM devices such as the SG-1000
  • OpenVPN 2.4.x support, which brings features like AES-GCM ciphers, speed improvements, Negotiable Crypto Parameters (NCP), TLS encryption, and dual stack/multihome
  • Translation of the GUI into 13 different languages! For more information on contributing to the translation effort, read our previous blog post and visit the project on Zanata
  • WebGUI improvements, such as a new login page, improved GET/POST CSRF handling, and significant improvements to the Dashboard and its AJAX handling
  • Certificate Management improvements including CSR signing and international character support
  • Captive Portal has been rewritten to work without multiple instances of ipfw
  • Additional benefits of FreeBSD 11.0 and 11.1 include:

    • Security enhancements such as address space guards to address Stack Clash
    • New and updated drivers for a variety of hardware
    • Updated 802.11 wireless stack
    • Updated IPsec kernel implementation
    • Support for Microsoft® Hyper-V™ Generation 2 virtual machines, and other Hyper-V support improvements
    • Elastic Networking Adapter (ENA) support using the ena(4) FreeBSD driver for “next generation” enhanced networking on the Amazon® EC2™ platform

For more details, see the Release Notes and the previous Release Highlights post.

Important Information

A few noteworthy items about running or upgrading to pfSense 2.4:

  • 32-bit x86 and NanoBSD have been deprecated and are not supported on pfSense 2.4.

    • Hardware capable of running 64-bit images should be reinstalled with a 64-bit version.
    • 32-bit x86 hardware can continue to run pfSense software version 2.3.x, which will receive security updates for at least a year after pfSense 2.4.0-RELEASE.
    • NanoBSD installs on 64-bit hardware must be changed to run a full installation. This can be accomplished by reinstalling or by following the manual upgrade procedure to convert NanoBSD to a full installation.
  • To use ZFS, a reinstall of the operating system is required. It is not possible to upgrade in-place from UFS to ZFS at this time.
  • Wireless interfaces must be created on the Wireless tab under Interfaces > Assignments before they are available for assignment.
  • Some hardware devices may not boot pfSense 2.4.0 installation images, for example, due to UEFI compatibility changes. These are primarily BIOS issues and not issues with the installer images. Upgrading in place from pfSense 2.3.x typically allows affected hardware to run pfSense version 2.4.x. In some cases, manually adjusting the installer images can allow the hardware to boot.

Upgrading to pfSense 2.4.0-RELEASE

This release can be used by installing directly or by upgrading from development snapshots or current releases.

To control how a firewall obtains updates, visit the Update Settings tab under System > Update:

  • For users running pfSense 2.3.x-RELEASE:

    • Stable, which is the default behavior, will upgrade the firewall to pfSense 2.4.0-RELEASE
    • Development Snapshots will upgrade the firewall to pfSense 2.3.5 development snapshots
    • Security/Errata Only (2.3.x) will be a new option, available soon, which tracks pfSense 2.3.x releases without upgrading to pfSense 2.4.x.
  • For users tracking pfSense 2.4.0-RC or older -BETA snapshots:

    • Stable, which is the default behavior, will upgrade the firewall to pfSense 2.4.0-RELEASE
    • Development Snapshots will cause the firewall to continue tracking snapshots, bypassing pfSense 2.4.0-RELEASE and continuing on to pfSense 2.4.1 development snapshots

Upgrading from Older Releases (2.2.x or earlier)

There is no direct upgrade path from pfSense software version 2.2.x or earlier to pfSense 2.4.0-RELEASE, as we no longer generate the required update archives. A firewall running an older release can still be upgraded by making a stop at pfSense 2.3.x: upgrade the firewall to pfSense 2.3.4, then perform an update to pfSense 2.4.0. Performing an automatic update twice will accomplish this, as it will first upgrade to the latest pfSense 2.3.x and then to pfSense 2.4.x.

Alternately, reinstall pfSense 2.4.0 directly and restore the configuration.

Reporting Issues

This release is ready for production use. Should any issues come up with pfSense 2.4.0-RELEASE, please post about them on the forum.

Thanks!

pfSense CE software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • Official appliances direct from Netgate. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.