pfSense 2.3 Download
Version 2.3.4 of pfSense, a specialist FreeBSD-based operating system designed for firewalls and routers, has been released: "We are happy to announce the release of pfSense software version 2.3.4. This is a maintenance release in the 2.3.x series, bringing stability and bug fixes, fixes for a few security issues, and a handful of new features."
The USB memstick image is meant to be written to disc before use and includes an installer that installs pfSense software to the hard drive on your system. This is the preferred means of running pfSense software. The entire hard drive will be overwritten; dual booting with another OS is not supported. DVD Image (ISO).
Date: October 31, 2017. pfSense® software version 2.3.5 is now available for upgrades! As we have promised, we will continue to deliver security and stability fixes to the pfSense 2.3.x line even after we have released pfSense 2.4.0, since i386 and NanoBSD were deprecated in pfSense 2.4.0. These updates will continue for a minimum of one year.
The pfSense® software version 2.3.x release is a Security and Errata maintenance release. 2.4.x is the primary stable supported branch. If the firewall hardware is capable of running 2.4.x, consider upgrading to that release instead.
Updating to 2.3.5 from 2.3.4 on an amd64 installation that could otherwise use 2.4.x requires configuring the firewall to stay on 2.3.x as follows:
Navigate to System > Update, Update Settings tab
Set Branch to Security / Errata Only
Navigate back to the Update tab to see the latest 2.3.x update
If the update system offers an upgrade to 2.3.5 but the upgrade will not proceed, ensure the firewall has correct versions of the repository configuration and upgrade script for 2.3.x by running the following commands from the console or shell:
Firewalls running 32-bit (i386) installations of pfSense software do not need to take any special actions to remain on 2.3.x as they are unable to run later versions.
Operating System / Architecture changes
Upgrade of base OS to FreeBSD 10.3-RELEASE-p20
Fixed issues with major version base upgrades via pkg
Security / Errata
Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK in wpa_supplicant and hostapd (FreeBSD-SA-17:07.wpa)
A number of base system packages have been updated to address security issues, including dnsmasq, perl, cURL, and others.
Interfaces
Added support for the IPv6 AUTO_LINKLOCAL flag on bridge interfaces
Added an option to use static IPv6 over an IPv4 PPP parent (e.g. PPPoE) #7598
Added IPv6 Prefix Delegation interface selection
Improved input validation for GIF interfaces #7789
Dashboard
Rewrote Dashboard AJAX updating in a centralized and optimized way to reduce load, improve accuracy, and increase speed
Added a new Customer Support dashboard widget, enabled by default and on upgrade
Changed the way AJAX updates are handled on the Dashboard widgets to improve efficiency and fix issues with some widgets refreshing in a timely manner
Changed how pkg metadata is handled to reduce the load on the Dashboard and reduce unnecessary calls to the pkg server for the System Information dashboard widget update check, and for the Installed Packages dashboard widget
Improved error checking to prevent dashboard widget parsing errors
Fixed a variable conflict in the NTP Status Dashboard widget #7795
Fixed a problem with the Picture Dashboard widget when it does not have a picture defined #7896
Changed IPsec Dashboard Widget tunnel status to handle newer strongSwan childid format #7499
Fixed time display for UTC in the NTP Dashboard Widget #7714
WebGUI

Changed the design of the login page for the WebGUI to a more modern style, with several color choices available
Added URL fingerprinting to JavaScript and CSS file references to improve client-side behavior when files change between versions #7251
Updated Logo to the new logo and made it a vectorized SVG image for better scaling
Updated favicon to the new logo and added multiple sizes for different platforms
Added an option for sorting the Interfaces menu by description
Added “auth_check” type of simple test that a page can use to verify a user is logged in and has access, using less CPU, which is better for AJAX data polling
Improved handling of PHP errors for user-entered PHP code on diag_command.php
Changed Interfaces menu “(Assign)” to “Assignments” and added support for menu divider bars
Fixed automatic selection of ‘128’ as prefix/mask for IPv6 address fields #7625
Replaced Math.trunc with Math.floor to make IE properly handle traffic graphs #7804
Changed nginx configuration so it does not allow direct download of .inc files #8005
Fixed hostname input handling on diag_dns.php
Gateways
Added a delay to allow dpinger time to properly initialize before using results
Added a log message when gateway alarms are raised/cleared to show the parameters that triggered the alarm
Reset All States on WAN IP Change option #1629
Rules/NAT/Shaper
Fixed handling of Port Forwards so they do not make up new destination information when configured against a DHCP interface that does not currently have an address
Fixed ALTQ Traffic Shaper PRIQ priority number validation
IPsec
Added an option to set the Rekey Margin for IPsec tunnels in the Phase 1 settings
Added RADIUS accounting support for mobile IPsec when accounting is enabled on the Authentication Server entry
Added checks to prevent simultaneous/repeated calling of vpn_ipsec_configure() by /etc/rc.newipsecdns
Misc
Fixed an issue with installing packages from a backup when restoring using the External Configuration Locator on the first boot post-install #7914
Fixed handling of forced Dynamic DNS hostnames for DHCPv6 static mappings #7324
Fixed several issues with cron job updating and removal
Added the device serial/id to the console and SSH menu banner #7968
Changed /etc/hosts such that the FQDN is listed first, except for localhost, so that dnsmasq will properly reverse resolve hostnames #7771
See also
For information about upgrading to current versions, see Upgrade Guide.
Warning
Uninstalling all packages is required when upgrading from old releases. Packages must be removed before the upgrade is performed. After the upgrade is complete, packages can be reinstalled. Package configuration is automatically retained.
See 2.3 New Features and Changes for a larger list of changes.
Due to the GUI overhaul, older themes have been removed. All previously chosen themes are reset on upgrade to the default “pfSense” 2.3 theme.
Status > RRD Graphs moved to Status > Monitoring and has been revamped. The same data, and more, is still accessible but with a modern interface.
System > Firmware is now System > Update
System > Packages is now System > Package Manager
Limiters
On pfSense® software versions 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. Bug #4326
On pfSense software versions 2.2 and 2.3, limiters cannot be used where pfsync is enabled. This has been fixed on pfSense 2.4.3. Bug #4310
NanoBSD
Warning
NanoBSD has been deprecated as of pfSense 2.4.0-RELEASE. This section remains only for users on i386 hardware with NanoBSD who must upgrade to pfSense 2.3.5-p2.
In most cases, a normal installation may be used in place of NanoBSD. Activating the option to keep /var and /tmp in RAM can typically yield the same net benefits for older/slower CF and SD media. Firewalls with modern SSDs should have no concerns with writes.
1GB NanoBSD images have been removed as they were too small to properly function and upgrade. If a 1GB NanoBSD image is in use, it cannot be upgraded. It must be re-imaged on a larger card using the 4GB or 2GB image or converted to a full installation.
Package System
Due to the package system overhaul, any custom package repository settings are removed so the firewall will pull package information directly from pfSense servers.
We highly recommend uninstalling all packages before upgrading.
Removed features that are disabled on upgrade
Groups with spaces are no longer permitted. They are not allowed at the OS level and were not functioning properly. On upgrade, such groups are renamed with an underscore (‘_’) in place of a space.
The “Enable” checkbox for IPsec has been removed. If IPsec was disabled, all Phase 1 entries are disabled automatically on upgrade.
The Unity plugin for IPsec has been disabled by default, where it was previously enabled by default. This is preferable for the vast majority of users, however those using mobile IPsec with IKEv1 may need to enable it under VPN > IPsec, Advanced tab.
The apinger daemon for gateway monitoring has been replaced by dpinger. Due to the differences in settings between the two, many advanced gateway parameters are reset on upgrade.
The PPTP Server has been removed. If the PPTP server was in use, seek alternate solutions such as IPsec or OpenVPN. Do not continue to use PPTP.
The PPTP server settings, firewall rules, and so on have all been removed
If the “Redirect” PPTP server type was in use, add manual NAT rules for TCP/1723 and GRE to point to the actual server.
Layer 7 classification support has been removed and any configuration using L7 is automatically removed on upgrade.
WEP support has been removed from Wireless interfaces, and if a wireless interface was using WEP, the interface is deactivated on upgrade.
Single DES support has been removed from IPsec; if a Phase 1 or Phase 2 entry was using DES, it is deactivated on upgrade.
Note: 3DES support is still present. Only the older and insecure single DES option was removed.
The Live CD platform has been removed. The ISO is a bootable installer, as always, but it cannot run a live system.
For the very few people who were still using Live CD: If the hardware can boot from USB, install to a USB thumb drive and run from it instead. Use the options to keep /var and /tmp in RAM, and do not install packages; the net result should be similar but ultimately more functional.
Some obsolete password hashes, such as nt-hash, are removed from users on upgrade. There was no remaining code on pfSense that utilized these hashes, so there should be no loss of functionality.
Support for fifolog was removed, and will revert to clog format on upgrade.
The net.inet.ip.fastforwarding tunable is no longer present, and is unset on upgrade.
Some PHP modules, such as MySQL, were included by default on previous versions but are no longer a part of the base system on 2.3. They are available as packages that may be installed manually from the shell (e.g. pkg install php56-mysql)
New features that may require action
The default system password hash has been changed to bcrypt. Current passwords will continue to work. Existing users need to reset their password to convert to the new, more secure, hash. #4120
A new option was added to Captive Portal for FreeRADIUS-friendly stop/start RADIUS accounting updates that solves problems with user session time limits. If stop/start RADIUS accounting is being used with FreeRADIUS, the new option should be activated manually.
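Because existing accounts keep their old hash until the password is reset, it helps to list which users have not yet been converted to bcrypt. The following is an added example, not pfSense code: it classifies stored hashes by their modular crypt prefix in a constructed configuration sample, and the element names (user, name, password, bcrypt-hash, nt-hash) and the older hash scheme shown are assumptions about the layout.

```python
import re
import xml.etree.ElementTree as ET

# bcrypt in modular crypt format: "$2<variant>$<cost>$" + 53 salt/digest chars.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")
LEGACY_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}


def classify_hash(value):
    """Name the scheme of a crypt(3)-style hash string, or 'unknown'."""
    value = (value or "").strip()
    if BCRYPT_RE.match(value):
        return "bcrypt"
    for prefix, name in LEGACY_PREFIXES.items():
        if value.startswith(prefix):
            return name
    return "unknown"  # empty, truncated or unrecognised value


def users_needing_reset(config_xml):
    """Return (user, finding) pairs for accounts not yet stored as bcrypt."""
    findings = []
    for user in ET.fromstring(config_xml).iter("user"):
        name = user.findtext("name", default="?")
        # Assumed layout: new hash in <bcrypt-hash>, older hash in <password>.
        stored = user.findtext("bcrypt-hash") or user.findtext("password")
        scheme = classify_hash(stored)
        if scheme != "bcrypt":
            findings.append((name, scheme))
        if user.find("nt-hash") is not None:
            findings.append((name, "leftover nt-hash"))
    return findings


# Constructed sample input: filler characters stand in for real digests.
BCRYPT_SAMPLE = "$2b$10$" + "A" * 53
MD5_SAMPLE = "$1$saltsalt$" + "B" * 22
NT_SAMPLE = "0" * 32
SAMPLE_CONFIG = f"""<pfsense><system>
  <user><name>admin</name><bcrypt-hash>{BCRYPT_SAMPLE}</bcrypt-hash></user>
  <user><name>alice</name><password>{MD5_SAMPLE}</password></user>
  <user><name>bob</name><password>{MD5_SAMPLE}</password><nt-hash>{NT_SAMPLE}</nt-hash></user>
</system></pfsense>"""

if __name__ == "__main__":
    for name, finding in users_needing_reset(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```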
Upgrading from a 2.3 Snapshot
If a firewall was upgraded to 2.3 before Jan 21, 2016, some files from 2.2.x or earlier packages may still be left behind that can prevent new packages from installing properly. Run the following command to clean up outdated symlinks that are not relevant for 2.3:
Multi-WAN Weighted Load Balancing
There is a quirk in pf handling of weighted load balancing where load balancing fails when one gateway has a weight of 1 and another gateway has a weight >1. Coming from 2.2.x, if this scenario applies, simply double the assigned weights. For example: WAN1 = 1, WAN2 = 5 on 2.2.x should be WAN1 = 2, WAN2 = 10 on 2.3.
Captive Portal
Due to the change in the web server from lighttpd to nginx, in some cases the portal HTML must be updated to include the zone parameter. On 2.3.1 and later the web server process attempts to handle this automatically, but it is best to include the HTML in the portal page directly, inside the form tag: