Netgate Blog

pfSense Plus 21.02-RELEASE and pfSense CE 2.5.0-RELEASE Now Available

We are excited to announce the release of pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0, now available for new installations and upgrades!

This is the first release of pfSense Plus software, formerly known as Factory Edition. For more details about the distinctions between pfSense Plus and pfSense CE, read the pfSense Plus Announcement. Customers running the Factory Edition of pfSense software version 2.4.5-p1 and older can upgrade in-place automatically to pfSense Plus software version 21.02 as with any other previous upgrade.

These versions are the result of an immense development effort taking place over the last several years. Over 550 issues are resolved, including bug fixes, new features, and other significant changes.

pfSense Plus software version 21.02-RELEASE updates are available now. For installation images, contact Netgate TAC.

pfSense software Community Edition version 2.5.0-RELEASE updates and installation images are available for download now.

Highlights

The new versions include a long list of significant changes.

Notably, pfSense Plus adds:

  • Support for Intel® QuickAssist Technology, also known as QAT.

    • QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
    • Supported hardware includes many C3000 and C2000 systems sold by Netgate, as well as some other platforms with built-in QAT and QAT add-on cards.
  • Improved SafeXcel cryptographic accelerator support for the Netgate SG-2100 and Netgate SG-1100 which can improve IPsec performance.
  • Updated IPsec profile export

    • Exports Apple profiles compatible with current iOS and OS X versions
    • New export function for Windows clients to configure tunnels using PowerShell

Both pfSense Plus and pfSense CE include:

  • Base OS upgraded to FreeBSD 12.2-STABLE
  • OpenSSL upgraded to 1.1.1
  • Performance improvements
  • Kernel WireGuard implementation, as mentioned in a previous WireGuard blog post

  • IPsec enhancements

    • Configuration for the strongSwan IPsec backend was changed from the deprecated ipsec.conf/stroke format to the new swanctl/VICI format
    • Various improvements to tunnel configuration, including better options for lifetime and rekey to avoid duplicate security associations
  • OpenVPN upgraded to 2.5.0

    • OpenVPN 2.5.0 now mandates data cipher negotiation, but also tries to be friendly to older clients
    • ChaCha20-Poly1305 is now supported, which is the same cipher used by WireGuard and may offer speed improvements on some platforms
    • OpenVPN now disables compression by default because it is insecure, but it can still decompress traffic received from clients while not transmitting compressed packets
  • Certificate Manager updates

    • The GUI now supports renewing certificate manager entries (certificate authorities and certificates)
    • Notifications are generated for expiring certificate entries
    • Certificate keys and PKCS #12 archives can now be exported with password protection
    • Support was added for elliptic curve (ECDSA) certificates
    • Internal and imported CA entries can be added to the system-wide trust store
  • Significant changes in Captive Portal backend and HA behavior
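To make the OpenVPN 2.5.0 behaviour above concrete, here is an added server-side configuration fragment (not from this post or from the config pfSense generates) showing the old fixed-cipher/compression settings beside the negotiated, compression-free form; the cipher list and fallback cipher are assumptions chosen for illustration:

```conf
# Added example: OpenVPN 2.5 server fragment (not pfSense-generated config).

# --- Old style (OpenVPN 2.4 and earlier): one fixed cipher, compression on ---
# cipher AES-256-CBC
# comp-lzo

# --- OpenVPN 2.5 style: negotiated data ciphers, no outbound compression ---
# Ciphers offered during cipher negotiation, in order of preference.
# CHACHA20-POLY1305 is the same AEAD cipher WireGuard uses.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# Used only for peers that cannot negotiate (clients older than 2.4).
# Set it to the cipher those clients were configured with; if every client
# supports negotiation, omit this line so no legacy cipher is accepted.
data-ciphers-fallback AES-256-CBC

# Compression is insecure, so never transmit compressed packets, but still
# decompress frames arriving from clients that have not yet been updated.
allow-compression asym
```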

For more details, see the Release Notes and Redmine.

Important Information

Please note, as stated here in March 2019, AES-NI is not required to run pfSense software version 2.5.0; this also applies to pfSense Plus 21.02.

A few noteworthy items about running or upgrading to pfSense Plus software version 21.02 or pfSense CE software version 2.5.0:

  • The built-in Load Balancer has been deprecated and is not present in this release

    • Users can migrate to the HAProxy package for most use cases covered by the old Load Balancer
  • Several abandoned and deprecated packages have been removed, including:

    • OpenBGPD (use FRR instead)
    • Quagga OSPF (use FRR instead)
    • routed
    • blinkled
    • gwled

Upgrade Notes

IMPORTANT: Proceed with caution when upgrading pfSense software while COVID-19 travel restrictions are in effect.

During this time of travel limitations, remote upgrades of pfSense software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.

Due to the significant nature of the changes in this upgrade, warnings and error messages are likely to occur while the upgrade is in process. In particular, errors from PHP and package updates may be observed on the console and in logs. In nearly all cases these errors are a harmless side effect of the inconsistent state of the system during the upgrade from changes in the operating system, libraries, and PHP versions. Once the upgrade completes, the system will be in a consistent state again. Only errors which persist after the upgrade are significant.

Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.

Do not update packages before upgrading! Either remove all packages or do not update packages before running the upgrade.

The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such as installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.

If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present.

Consult the Upgrade Guide for additional information about performing upgrades to pfSense software.

Upgrading to the new release

Updating from an earlier release to this release is possible via the usual methods:

From the GUI:

  • Navigate to System > Update
  • Set Branch to Next stable version
  • Click Confirm to start the upgrade process

From the console or ssh:

  • Select option 13 OR select option 8 and run pfSense-upgrade

Update Troubleshooting

See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.

If the update system does not offer an upgrade to the current release or the upgrade will not proceed, take the following steps:

  • Navigate to System > Update
  • Set Branch to Latest stable version
  • Refresh the repository configuration and upgrade script by running the following commands from the console or shell:

    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade

Reporting Issues

This release is ready for production use. Should any issues come up with pfSense Plus software version 21.02 or pfSense CE software version 2.5.0, please post about them on the forum or on the /r/pfSense subreddit.

Thanks!

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • Official appliances direct from the source. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.