Software-update: pfSense Plus 25.11

Netgate heeft versie 25.11 van pfSense Plus uitgebracht. Dit pakket is gebaseerd op het besturingssysteem FreeBSD en richt zich op router- en firewalltaken. Het is verkrijgbaar in de gratis Community Edition en een Plus-uitvoering, die voorheen als Factory Edition werd aangeboden. De Plus-uitvoering draait op de hardware die Netgate aanbiedt, als virtuele machine in AWS of Azure. In tegenstelling tot de Community Edition is het echter geen open source.

Het is in 2004 begonnen als een afsplitsing van m0n0wall vanwege verschillende visies bij de ontwikkelaars en in de loop van de jaren uitgegroeid tot een router- en firewallpakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. De changelog voor deze uitgave ziet er als volgt uit:

General

• Base OS updated to FreeBSD 16-CURRENT
• OpenSSL upgraded to 3.5.3
• OpenSSH upgraded to 10.0p2
• PHP updated to 8.4
• VXLAN interface support has been re-added

Security

• Fixed anti-brute force protection bypass and potential denial of service #16312 #16314 pfSense-SA-25_09.sshguard

Endpoint-independent Port Restricted Cone Outbound NAT

This version includes partial experimental support for “Port Restricted Cone” endpoint-independent outbound NAT. This functionality must be manually enabled on a per-rule basis.

“Port Restricted Cone” NAT mappings attempt to preserve port and external address mappings for clients when speaking to multiple remote hosts, but in a dynamic way that does not rely on static port NAT. This helps avoid issues with multiple local clients using the same source port to the same remote host. These rules enable a client communicating with multiple remote hosts using the same source port to receive the same external IP address and port on outbound connections to any destination. This behavior facilitates use cases such as online gaming, peer-to-peer connections, and VoIP.

Inbound communication from a remote host and port is only possible after a local client initiates first contact to that remote host and port. While this is more secure, it is not yet capable of “full cone” NAT which some use cases may require such as certain types of online gaming.

See also

• Outbound NAT
• Endpoint-independent Port Restricted Cone NAT
• Configuring pfSense Software for Online Gaming

pfSense Plus

Changes in this version of pfSense Plus software.

Authentication

• Added: Support Message-Authenticator in the PHP RADIUS client #15952

Backup / Restore

• Fixed: RRD data fails to restore via the ECL #16141

Captive Portal

• Fixed: Captive Portal Ethernet rules can block ARP #16264
• Fixed: Reserved DUMMYNET pipes for Captive Portal can overlap #16540

Configuration Backend

• Changed: Improve file handling of the configuration cache #16469

DHCP (IPv4)

• Changed: Upgrade to Kea 3.0.2 #16388
• Changed: Kea configuration parameter client-class is deprecated #16468

DHCP (IPv6)

• Fixed: Hostnames in Kea static leases may not be registered with DNS #16552

DNS Forwarder

• Fixed: PHP error in DNS Forwarder host overrides when the language is set to French #14741

DNS Resolver

• Changed: Update Unbound to 1.24.2 to address CVE-2025-11411 #16503

Dashboard

• Fixed: Manually verifying the boot environment makes config changes #15499
• Fixed: Thermal Sensors widget does not respect per-sensor threshold vales #16266

Diagnostics

• Fixed: Captive Portal backwardsyncpassword value not sanitized in status output #16339

Dynamic DNS

• Added: Preserve other record types when updating IPv4 or IPv6 using deSEC DDNS #12495
• Fixed: Dynamic DNS does not use preferred VIP in Gateway Group #16326
• Fixed: Custom Dynamic DNS services ignore the monitor interface #16368

Gateway Monitoring

• Fixed: Gateway monitoring daemon can unexpectedly use a CARP VIP as the source IP address #16322

Gateways

• Fixed: Gateway list order is incorrect until reloading page after moving entries and saving #16495

Hardware / Drivers

• Fixed: Netgate 2100/3100 LED controller not responding to gpioctl #16526
• Fixed: QLink/Marvell 41000 NIC bug #16248
• Added: Support 2.5G SGMII (SFP GPON ONT) in bxe driver (QLogic NetXtreme II BCM57810) #16321
• Fixed: e1000 network interfaces unexpectedly link at half-duplex #16449

IPsec

• Changed: Update strongSwan to 6.0.3 #16509

IPv6 Router Advertisements (radvd/rtsold)

• Fixed: Cannot set RADVD router lifetime to 0 #16472

Installer

• Fixed: Configuration data restored during installation can be overwritten by hardware-specific default values #16176

Interfaces

• Added: VXLAN Interfaces #11732
• Added: Option to change QinQ ethertype to Service VLAN Tag #13340
• Fixed: Retain previous QinQ VLAN tag type value for existing entries on upgrade #13622

Logging

• Added: Option to disable logging of packets blocked due to unmatched IP options #16068
• Fixed: syslogd daemon can terminate when a remote log server refuses connections #16362

OpenVPN

• Fixed: Automatic IPv6 gateways for OpenVPN servers are created with the wrong gateway address #16351
• Fixed: OpenVPN servers will not start with DH parameter lengths less than 2048 #16421
• Fixed: OpenVPN does not include client-to-client in generated configuration for Peer-to-Peer SSL/TLS servers #16428

Operating System

• Fixed: rc.savecore errors prevent boot in ZFS #15613
• Fixed: Swap fails to activate when multiple swap partitions exist #16232

PHP Interpreter

• Changed: Upgrade PHP to 8.4 #16471

PPP Interfaces

• Changed: Sanitize PPPoE configuration parameters #16128
• Fixed: PPPoE interfaces using if_pppoe increase error counters due to normal ALTQ traffic shaping operations #16216
• Fixed: Virtual IP addresses on PPPoE interfaces using if_pppoe can prevent PPP session termination #16487

Package System

• Fixed: Error notification and log message "Updating repositories metadata" returned error code 1 at boot due to certctl race condition #16341

Rules / NAT

• Added: Allow floating rules using the “match” action to match based on IP Options #16215
• Added: Block non-global NAT64 addresses by default #16241
• Changed: Refactor PF ruleset generation #16307
• Added: Avoid traffic stalls from unnecessary filter reloads #16308
• Fixed: NAT64 rules using reply-to do not forward packets #16429
• Fixed: Filter rule evaluation continues after matching a match quick rule #16475
• Added: Support state killing on gateway recovery for policy-routed traffic from the firewall itself #16502
• Added: Endpoint-independent Port Restricted Cone Outbound NAT rules #16517
• Fixed: NAT64 rules do not pass traffic when a gateway is specified for the rule #16546
• Changed: Update output and parsing behavior for PHP shell pfanchordrill #16551

System Logs

• Fixed: Log entries without a hostname can cause the system log to display in an unexpected manner #15411

Traffic Shaper (Limiters)

• Fixed: Using a Limiter on a rule with a gateway group limits all traffic through that gateway instead of the host IP address #15770

Translations

• Fixed: Korean locale configuration name is incorrect #16505

Unknown

• Fixed: pfSense Plus does not work with AWS new Instance Metadata Service (IMDSv2) #14772

Upgrade

• Fixed: PHP shell playback script upgradeconfig incorrectly replaces running configuration when Nexus is enabled #16179
• Added: Fix configuration artifacts on upgrade #16253

User Manager / Privileges

• Fixed: sshguard does not trigger for GUI logins from usernames containing unexpected characters #16312
• Fixed: GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages #16314

Virtual IP Addresses

• Fixed: Input validation text for deleting an IP Alias VIP within a CARP VIP subnet may reference incorrect VIP #16272

Web Interface

• Fixed: Boot Environment page fails to load if pfsense:version ZFS property contains newlines #16375
• Changed: Apple TouchID/FaceID probes for site icon files that do not exist #6727

XMLRPC

• Fixed: Membership to admins group is lost when synchronizing user changes via XMLRPC #16392