Today we celebrate the 20th anniversary of the initial public beta of m0n0wall. pfSense software is the continuation of the idea and ideals of m0n0wall, which had its initial public beta on 15 February 2003. Thanks to Manuel Kasper and all the m0n0wall community members for an idea that is still fresh and relevant after 20 years, continuing with the latest release of pfSense Plus software.
pfSense® Plus software version 23.01-RELEASE is now available. This is a regularly scheduled release of pfSense Plus software including new features, additional hardware support, and bug fixes. The release contains significant enhancements, such as:
Visit our release notes for the full list of improvements and our upgrade guide to get started with best practices for upgrading.
We have moved the version of PHP used by pfSense Plus software to PHP 8.1 and changed the base operating system version of FreeBSD used by pfSense Plus software from 12-STABLE to the current development “top of tree” version, also known as “main” or “HEAD” and, at the time of writing, “14-CURRENT”.
Prior to this release, pfSense software was based on PHP 7.4, which is now in the EOL phase. Moving to PHP 8.1 means we will be on the latest available release of PHP. PHP 8.1 is supported upstream until late 2024.
Following the FreeBSD main branch gives pfSense software access to the latest drivers, fixes, and features in FreeBSD. When new features are added to FreeBSD, developers merge them into the main branch first, after review. Similarly, FreeBSD development work on the latest bug, errata, and security fixes, as well as other corrections, is focused on the main branch. Additional benefits include:
As a part of the FreeBSD upgrade, this version removes several deprecated IPsec algorithms:
For a smooth transition, reconfigure tunnels with better encryption and test them prior to upgrading. On upgrade, IPsec tunnels will be updated to remove any deprecated algorithms from their configuration.
Tunnels without valid encryption or authentication settings will be shut down, and the upgrade process will notify the user of any changes.
This only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.
Another highlight of this release is that we added support for ChaCha20-Poly1305 encryption with IPsec and OpenVPN DCO. Support for AES-128-GCM encryption with OpenVPN DCO has also been added.
Netgate® developers have made several contributions with regard to ChaCha20-Poly1305 over the past couple of years, including bringing ChaCha20-Poly1305 support for IPsec and OpenVPN DCO to FreeBSD, ChaCha20-Poly1305 support for IPsec to VPP and TNSR® software, and WireGuard (which uses ChaCha20-Poly1305) to FreeBSD and the pfSense Project.
We added support because it is a standard encryption transform for IPsec, the only transform used by WireGuard, and is supported by OpenVPN. It makes sense for FreeBSD and pfSense software, as well as VPP and TNSR software, to have this capability.
Some benefits of having support for ChaCha20-Poly1305 encryption include an additional option available to users and the ability to more easily compare the performance of IPsec, WireGuard, and OpenVPN so that users can choose the right solution for their needs.
A long-standing, difficult-to-reproduce crash in Unbound during reloading has been addressed. It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG.
In addition to the Unbound crash, a memory leak with DHCP registration and Unbound Python mode was also identified. This is largely mitigated by updates to Python and related libraries, but there is additional ongoing work to resolve it further for future releases. At least two additional issues with Unbound itself were significant contributors to the memory leaks when using the Unbound Python integration. Patches for these issues have been submitted upstream to Unbound and are pending review and acceptance. The first patch eliminates the need to reload the Python interpreter every time Unbound is reloaded. The second patch adds missing cleanup in the Unbound Python module.
Since the release of pfSense Plus software version 22.05, many improvements have been made to Captive Portal. Read the full list in the release notes.
The pfBlockerNG package has been updated to match pfBlockerNG-devel. Both packages are now in sync and fully up-to-date. After upgrading, it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.
In addition to the above highlights, over 100 other updates have been included in this release across many functional areas. For more information, see the Release Notes and Redmine.
A detailed upgrade guide is available in our documentation to help you through the process. Here are the general steps needed to perform the upgrade.
The update check will run again and then offer a 23.01-RELEASE version of the software.
Note: the Netgate SG-1000 will not be eligible to upgrade to pfSense Plus software version 23.01. This is also true for all Intel 32-bit devices.
For cloud platforms where pfSense Plus is available (AWS and Azure), pfSense Plus software version 23.01-RELEASE will be available as soon as the publishing process for each platform completes.
We encourage you to move from pfSense CE software to Netgate pfSense Plus software, which is still available at no charge. To do so:
Depending on your system, you may need to upgrade to pfSense Plus 22.05 before you have access to the pfSense Plus 23.01-RELEASE build.
See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.
If the update system does not offer an upgrade to the current release, or the upgrade will not proceed, take the following steps:
This pfSense Plus software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid support. Thank you!
pfSense Plus software is derived from FreeBSD and pfSense CE software with additional proprietary changes. The source code for the upstream projects is freely and publicly available from the same repositories as pfSense CE software:
To install or reinstall a release version of pfSense Plus software, contact Netgate TAC to obtain the installation media and include the Netgate Device ID of the hardware.
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.
Our efforts are made possible by the support of our customers and the community. You may support this work through one or more of the following: