Pfsense 2.3 Download

Posted onby
  1. Pfsense 2.3.2 Download
  2. Latest Pfsense Version
  3. Pfsense 2.5.0
  4. Pfsense 2.5.0 Release Date
  5. Pfsense 2.5 Changes

Version 2.3.4 of pfSense, a specialist FreeBSD-based operating system designed for firewalls and routers, has been released: ' We are happy to announce the release of pfSense software version 2.3.4. This is a maintenance release in the 2.3.x series, bringing stability and bug fixes, fixes for a few security issues, and a handful of new features. The USB memstick image is meant to be written to disc before use and includes an installer that installs pfSense software to the hard drive on your system. This is the preferred means of running pfSense software. The entire hard drive will be overwritten, dual booting with another OS is not supported. DVD Image (ISO). Date: October 31, 2017. PfSense® software version 2.3.5 is now available for upgrades! As we have promised, we will continue to deliver security and stability fixes to the pfSense 2.3.x line even after we have released pfSense 2.4.0, since i386 and NanoBSD were deprecated in pfSense 2.4.0. These updates will continue for a minimum of one year.

The pfSense® software version 2.3.x release is a Security and Errata maintenance release. 2.4.x is the primarystable supported branch. If the firewall hardware is capable of running2.4.x, consider upgrading to that release instead.

Updating to 2.3.5 from 2.3.4 on an amd64 installation that couldotherwise use 2.4.x requires configuring the firewall to stay on 2.3.xas follows:

  • Navigate to System > Update, Update Settings tab

  • Set Branch to Security / Errata Only

  • Navigate back to the Update tab to see the latest 2.3.x update

Sep 22, 2018 See 2.3 New Features and Changes for a larger list of changes. Due to the GUI overhaul, older themes have been removed. All previously chosen themes are reset on upgrade to the default “pfSense” 2.3 theme. Status RRD Graphs moved to Status Monitoring and has been revamped. The same data, and more, is still accessible but with a modern.

If the update system offers an upgrade to 2.3.5 but the upgrade will notproceed, ensure the firewall has correct versions of the repositoryconfiguration and upgrade script for 2.3.x by running the followingcommands from the console or shell:

Firewalls running 32-bit (i386) installations of pfSense software do notneed to take any special actions to remain on 2.3.x as they are unableto run later versions.

Operating System / Architecture changes¶

  • Upgrade of base OS to FreeBSD 10.3-RELEASE-p20

  • Fixed issues with major version base upgrades via pkg

Security / Errata¶

  • Fixes for the set of WPA2 Key Reinstallation Attack issues commonlyknown as KRACK in wpa_supplicantand hostapd(FreeBSD-SA-17:07.wpa)

  • A number of base system packages have been updated to addresssecurity issues, including dnsmasq,perl,cURL, and others.


  • Added support for the IPv6 AUTO_LINKLOCAL flag on bridge interfaces

  • Added an option to use static IPv6 over an IPv4 PPP parent (e.g.PPPoE) #7598

  • Added IPv6 Prefix Delegation interface selection

  • Improved input validation for GIF interfaces#7789


  • Rewrote Dashboard AJAX updating in a centralized and optimized way toreduce load, improve accuracy, and increase speed

  • Added a new Customer Support dashboard widget, enabled by default andon upgrade

  • Changed the way AJAX updates are handled on the Dashboard widgets toimprove efficiency and fix issues with some widgets refreshing in atimely manner

  • Changed how pkg metadata is handled to reduce the load on theDashboard and reduce unnecessary calls to the pkg server for theSystem Information dashboard widget update check, and for theInstalled Packages dashboard widget

  • Improved error checking to prevent dashboard widget parsing errors

  • Fixed a variable conflict in the NTP Status Dashboard widget#7795

  • Fixed a problem with the Picture Dashboard widget when it does nothave a picture defined#7896

  • Changed IPsec Dashboard Widget tunnel status to handle newerstrongSwan childid format#7499

  • Fixed time display for UTC in the NTP Dashboard Widget#7714


  • Changed the design of the login page for the WebGUI to a more modernstyle, with several color choices available

  • Added URL fingerprinting to JavaScript and CSS file references toimprove client-side behavior when files change between versions#7251

  • Updated Logo to the new logo and made it a vectorized SVG image forbetter scaling

  • Updated favicon to the new logo and added multiple sizes fordifferent platforms

  • Added an option for sorting the Interfaces menu by description

  • Added “auth_check” type of simple test that a page can use to verifya user is logged in and has access, using less cpu, which is betterfor AJAX data polling

  • Improved handling of PHP errors for user-entered PHP code ondiag_command.php

  • Changed Interfaces menu “(Assign)” to “Assignments” and added supportfor menu divider bars

  • Fixed automatic selection of ‘128’ as prefix/mask for IPv6 addressfields #7625

  • Replaced Math.trunc with Math.floor to make IE properly handletraffic graphs #7804

  • Changed nginx configuration so it does not allow direct download files #8005

  • Fixed hostname input handling on diag_dns.php


  • Added a delay to allow dpinger time to properly initialize beforeusing results

  • Added a log message when gateway alarms are raised/cleared to showthe parameters that triggered the alarm

  • Reset All States on WAN IP Change option#1629


  • Fixed handling of Port Forwards so they do not make up newdestination information when a configured against a DHCP interfacethat does not currently have an address

  • Fixed ALTQ Traffic Shaper PRIQ priority number validation


Pfsense 2.3.2 Download

  • Added an option to set the Rekey Margin for IPsec tunnels in thePhase 1 settings

  • Added RADIUS accounting support for mobile IPsec when accounting isenabled on the Authentication Server entry

  • Added checks to prevent simultaneous/repeated calling ofvpn_ipsec_configure() by /etc/rc.newipsecdns


  • Fixed an issue with installing packages from a backup when restoringusing the External Configuration Locater on the first bootpost-install #7914

  • Fixed handling of forced Dynamic DNS hostnames for DHCPv6 staticmappings #7324

  • Fixed several issues with cron job updating and removal

  • Added the device serial/id to the console and SSH menu banner#7968

  • Changed /etc/hosts such that the FQDN is listed first, except forlocalhost, so that dnsmasq will properly reverse resolve hostnames#7771

See also

For information about upgrading to current versions, seeUpgrade Guide.


Uninstalling all packages is required when upgrading fromold releases. Packages must be removed before the upgrade is performed.After the upgrade is complete, packages can be reinstalled. Packageconfiguration is automatically retained.

See 2.3 New Features and Changes for a larger list of changes.

  • Due to the GUI overhaul, older themes have been removed. All previously chosenthemes are reset on upgrade to the default “pfSense” 2.3 theme.

  • Status > RRD Graphs moved to Status > Monitoring and has beenrevamped. The same data, and more, is still accessible but with a moderninterface.

  • System > Firmware is now System > Update

  • System > Packages is now System > Package Manager


  • On pfSense® software versions 2.2 and 2.3, limiters cannot be used on firewallrules residing on interfaces where NAT applies. This limits their use toLAN-type interfaces only, and not WANs, in most circumstances. This has beenfixed on pfSense 2.4.Bug #4326

  • On pfSense software versions 2.2 and 2.3, limiters cannot be used where pfsyncis enabled. This has been fixed on pfSense 2.4.3.Bug #4310


Latest Pfsense Version


NanoBSD has been deprecated as of pfSense 2.4.0-RELEASE. Thissection remains only for users on i386 hardware with NanoBSD who must upgradeto pfSense 2.3.5-p2.

In most cases, a normal installation may be used in place of NanoBSD.Activating the option to keep /var and /tmp in RAM can typicallyyield the same net benefits for older/slower CF and SD media. Firewalls withmodern SSDs should have no concerns with writes.

1GB NanoBSD images have been removed as they were too small to properly functionand upgrade. If a 1GB NanoBSD image is in use, it cannot be upgraded. It must bere-imaged on a larger card using the 4GB or 2GB image or converted to a fullinstallation.

Package System¶

  • Due to the package system overhaul, any custom package repository settings areremoved so the firewall will pull package information directly from pfSenseservers.

  • We highly recommend uninstalling all packages before upgrading.

Removed features that are disabled on upgrade¶

  • Groups with spaces are no longer permitted. They are not allowed at the OSlevel and were not functioning properly. On upgrade, such groups are renamedwith an underscore (‘_’) in place of a space.

  • The “Enable” checkbox for IPsec has been removed. If IPsec was disabled, allPhase 1 entries are disabled automatically on upgrade.

  • The Unity plugin for IPsec has been disabled by default, where it waspreviously enabled by default. This is preferable for the vast majority ofusers, however those using mobile IPsec with IKEv1 may need to enable it underVPN > IPsec, Advanced tab.

  • The apinger daemon for gateway monitoring has been replaced bydpinger. Due to the differences in settings between the two, many advancedgateway parameters are reset on upgrade.

  • The PPTP Server has been removed, if the PPTP server was in use, seekalternate solutions such as IPsec or OpenVPN. Do not continue to use PPTP.

    • The PPTP server settings, firewall rules, and so on have all been removed

    • If the “Redirect” PPTP server type was in use, add manual NAT rules forTCP/1723 and GRE to point to the actual server.

  • Layer 7 classification support has been removed and any configuration using L7is automatically removed on upgrade.

  • WEP support has been removed from Wireless interfaces, and if a wirelessinterface was using WEP, the interface is deactivated on upgrade.

  • Single DES support has been removed from IPsec, if a Phase 1 or Phase 2 entrywas using DES, it is deactivated on upgrade.

    • Note: 3DES support is still present. Only the older and insecure, singleDES option was removed.

  • The Live CD platform has been removed. The ISO is a bootable installer, asalways, but it cannot run a live system.

    • For the very few people who were still using Live CD: If the hardware canboot from USB, install to a USB thumb drive and run from it instead. Use theoptions to keep /var and /tmp in RAM, and do not install packages,then net result should be similar but ultimately more functional.

  • Some obsolete password hashes, such as nt-hash, are removed from users onupgrade. There was no remaining code on pfSense that utilized these hashes, sothere should be no loss of functionality.

  • Support for fifolog was removed, and will revert to clog format onupgrade.

  • The net.inet.ip.fastforwarding tunable is no longer present, and is unseton upgrade.

  • Some PHP modules, such as MySQL, were included by default on previous versionsbut are no longer a part of the base system on 2.3. They are available aspackages that may be installed manually from the shell (e.g. pkginstallphp56-mysql)

New features that may require action¶

  • The default system password hash has been changed to bcrypt. Current passwordswill continue to work. Existing users need to reset their password to convertto the new, more secure, hash. #4120

  • A new option was added to Captive Portal for FreeRADIUS-friendly stop/startRADIUS accounting updates that solves problems with user session time limits.If stop/start RADIUS accounting is being used with FreeRADIUS, the new optionshould be activated manually.

Upgrading from a 2.3 Snapshot¶

  • If a firewall was upgraded to 2.3 before Jan 21, 2016, some files from 2.2.xor earlier packages may still be left behind that can prevent new packagesfrom installing properly. Run the following command the clean up outdatedsymlinks that are not relevant for 2.3:

Multi-WAN Weighted Load Balancing¶

Pfsense 2.5.0

There is a quirk in pf handling of weighted load balancing where Load balancingfails when one gateway has a weight of 1 and another gateway has a weight >1.Coming from 2.2.x, if this scenario applies, simply double the assigned weights.For example: WAN1 = 1, WAN2 = 5 on 2.2.x should be WAN1 = 2, WAN2 =10 on 2.3.

Pfsense 2.5.0 Release Date

Captive Portal¶

Pfsense 2.5 Changes

Due to the change in the web server from lighttpd to nginx, in somecases the portal HTML must be updated to include the zone parameter. On 2.3.1and later the web server process attempts to handle this automatically, but itis best to include the HTML in the portal page directly, inside the form tag: