Software update: pfSense Plus 25.11
Netgate has released version 25.11 of pfSense Plus. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It is available as the free Community Edition and as a Plus edition, which was previously offered as the Factory Edition. The Plus edition runs on the hardware Netgate sells, or as a virtual machine in AWS or Azure. Unlike the Community Edition, however, it is not open source.
It started in 2004 as a fork of m0n0wall because of differing visions among the developers, and over the years it has grown into a router and firewall package that can be deployed in both small and very large environments. For more information, see this page. The changelog for this release reads as follows:
General
- Base OS updated to FreeBSD 16-CURRENT
- OpenSSL upgraded to 3.5.3
- OpenSSH upgraded to 10.0p2
- PHP updated to 8.4
- VXLAN interface support has been re-added

Security
- Fixed anti-brute force protection bypass and potential denial of service #16312 #16314 pfSense-SA-25_09.sshguard

Endpoint-independent Port Restricted Cone Outbound NAT
This version includes partial experimental support for “Port Restricted Cone” endpoint-independent outbound NAT. This functionality must be manually enabled on a per-rule basis.
“Port Restricted Cone” NAT mappings attempt to preserve port and external address mappings for clients when speaking to multiple remote hosts, but in a dynamic way that does not rely on static port NAT. This helps avoid issues with multiple local clients using the same source port to the same remote host. These rules enable a client communicating with multiple remote hosts using the same source port to receive the same external IP address and port on outbound connections to any destination. This behavior facilitates use cases such as online gaming, peer-to-peer connections, and VoIP.
Inbound communication from a remote host and port is only possible after a local client initiates first contact to that remote host and port. While this is more secure, it is not yet capable of “full cone” NAT which some use cases may require such as certain types of online gaming.
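To make the two behaviours described above concrete, here is a small model added for this article; it is not pfSense or pf code. It contrasts a per-flow source-port rewrite (each internal client-to-destination pair gets its own external port) with a Port Restricted Cone mapping (one external ip:port per internal ip:port, reused for every destination), and shows the inbound filtering rule: a packet is forwarded only from a remote ip:port the internal client has already sent to, so a never-contacted host is dropped, which is exactly why this is not "full cone". The sequential port allocation and all addresses and ports are constructed assumptions for the illustration.

```python
"""Toy model of the two outbound NAT mapping behaviours described above.

Constructed example: the addresses, ports and sequential port allocation are
assumptions for illustration, not pfSense/pf internals.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class EndpointDependentNAT:
    """Per-flow mapping: each (internal src, remote dst) pair gets its own external port.

    This models an outbound rule that rewrites the source port per state: the same
    client socket talking to two remote hosts shows up with two different external ports.
    """

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port                      # sequential allocation keeps the demo deterministic
        self.flows: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        key = (src, dst)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.next_port += 1
        return Endpoint(self.external_ip, self.flows[key])


class PortRestrictedConeNAT:
    """Endpoint-independent mapping with address-and-port-dependent filtering.

    Mapping: one external ip:port per internal ip:port, reused for every destination.
    Filtering: an inbound packet is accepted only from a remote ip:port that the
    internal client has already sent to through that mapping.
    """

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        self.mapping: Dict[Endpoint, int] = {}           # internal ip:port -> external port
        self.reverse: Dict[int, Endpoint] = {}           # external port -> internal ip:port
        self.allowed: Set[Tuple[int, Endpoint]] = set()  # (external port, remote ip:port) seen outbound

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        if src not in self.mapping:
            self.mapping[src] = self.next_port
            self.reverse[self.next_port] = src
            self.next_port += 1
        ext_port = self.mapping[src]
        self.allowed.add((ext_port, dst))                # remember which remote ip:port this client contacted
        return Endpoint(self.external_ip, ext_port)

    def inbound(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint a packet is forwarded to, or None if it is dropped."""
        if (ext_port, remote) not in self.allowed:
            return None                                  # unknown remote ip:port: dropped (no "full cone")
        return self.reverse[ext_port]


def demo() -> dict:
    """Run the scenarios from the text and return the observable results."""
    client_a = Endpoint("192.168.1.10", 3074)            # constructed LAN client
    client_b = Endpoint("192.168.1.11", 3074)            # second client using the same source port
    peer_1 = Endpoint("198.51.100.5", 3074)              # constructed remote peers
    peer_2 = Endpoint("198.51.100.9", 27015)

    cone = PortRestrictedConeNAT("203.0.113.1")
    dep = EndpointDependentNAT("203.0.113.1")

    return {
        # endpoint-independent: the same external port for client_a towards both peers
        "cone_a_to_peer1": cone.outbound(client_a, peer_1).port,
        "cone_a_to_peer2": cone.outbound(client_a, peer_2).port,
        # per-flow rewrite: a different external port per destination
        "dep_a_to_peer1": dep.outbound(client_a, peer_1).port,
        "dep_a_to_peer2": dep.outbound(client_a, peer_2).port,
        # two LAN clients sharing a source port towards the same peer still get distinct mappings
        "cone_b_to_peer1": cone.outbound(client_b, peer_1).port,
        # inbound filtering on client_a's mapping
        "reply_from_peer1": cone.inbound(peer_1, cone.mapping[client_a]),
        "peer1_other_port": cone.inbound(Endpoint("198.51.100.5", 9999), cone.mapping[client_a]),
        "uncontacted_host": cone.inbound(Endpoint("192.0.2.77", 3074), cone.mapping[client_a]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints one line per scenario: the cone mapping reuses external port 40000 for both peers while the per-flow rewrite hands out 40000 and 40001, the second LAN client gets its own port, and only the reply from the exact ip:port that was contacted is forwarded.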
See also
- Outbound NAT
- Endpoint-independent Port Restricted Cone NAT
- Configuring pfSense Software for Online Gaming

pfSense Plus
Changes in this version of pfSense Plus software.
Authentication
- Added: Support Message-Authenticator in the PHP RADIUS client #15952

Backup / Restore
- Fixed: RRD data fails to restore via the ECL #16141

Captive Portal
- Fixed: Captive Portal Ethernet rules can block ARP #16264
- Fixed: Reserved DUMMYNET pipes for Captive Portal can overlap #16540

Configuration Backend
- Changed: Improve file handling of the configuration cache #16469

DHCP (IPv4)
- Changed: Upgrade to Kea 3.0.2 #16388
- Changed: Kea configuration parameter client-class is deprecated #16468

DHCP (IPv6)
- Fixed: Hostnames in Kea static leases may not be registered with DNS #16552

DNS Forwarder
- Fixed: PHP error in DNS Forwarder host overrides when the language is set to French #14741

DNS Resolver
- Changed: Update Unbound to 1.24.2 to address CVE-2025-11411 #16503

Dashboard
- Fixed: Manually verifying the boot environment makes config changes #15499
- Fixed: Thermal Sensors widget does not respect per-sensor threshold values #16266

Diagnostics
- Fixed: Captive Portal backwardsyncpassword value not sanitized in status output #16339

Dynamic DNS
- Added: Preserve other record types when updating IPv4 or IPv6 using deSEC DDNS #12495
- Fixed: Dynamic DNS does not use preferred VIP in Gateway Group #16326
- Fixed: Custom Dynamic DNS services ignore the monitor interface #16368

Gateway Monitoring
- Fixed: Gateway monitoring daemon can unexpectedly use a CARP VIP as the source IP address #16322

Gateways
- Fixed: Gateway list order is incorrect until reloading page after moving entries and saving #16495

Hardware / Drivers
- Fixed: Netgate 2100/3100 LED controller not responding to gpioctl #16526
- Fixed: QLink/Marvell 41000 NIC bug #16248
- Added: Support 2.5G SGMII (SFP GPON ONT) in bxe driver (QLogic NetXtreme II BCM57810) #16321
- Fixed: e1000 network interfaces unexpectedly link at half-duplex #16449

IPsec
- Changed: Update strongSwan to 6.0.3 #16509

IPv6 Router Advertisements (radvd/rtsold)
- Fixed: Cannot set RADVD router lifetime to 0 #16472

Installer
- Fixed: Configuration data restored during installation can be overwritten by hardware-specific default values #16176

Interfaces
- Added: VXLAN Interfaces #11732
- Added: Option to change QinQ ethertype to Service VLAN Tag #13340
- Fixed: Retain previous QinQ VLAN tag type value for existing entries on upgrade #13622

Logging
- Added: Option to disable logging of packets blocked due to unmatched IP options #16068
- Fixed: syslogd daemon can terminate when a remote log server refuses connections #16362

OpenVPN
- Fixed: Automatic IPv6 gateways for OpenVPN servers are created with the wrong gateway address #16351
- Fixed: OpenVPN servers will not start with DH parameter lengths less than 2048 #16421
- Fixed: OpenVPN does not include client-to-client in generated configuration for Peer-to-Peer SSL/TLS servers #16428

Operating System
- Fixed: rc.savecore errors prevent boot in ZFS #15613
- Fixed: Swap fails to activate when multiple swap partitions exist #16232

PHP Interpreter
- Changed: Upgrade PHP to 8.4 #16471

PPP Interfaces
- Changed: Sanitize PPPoE configuration parameters #16128
- Fixed: PPPoE interfaces using if_pppoe increase error counters due to normal ALTQ traffic shaping operations #16216
- Fixed: Virtual IP addresses on PPPoE interfaces using if_pppoe can prevent PPP session termination #16487

Package System
- Fixed: Error notification and log message "Updating repositories metadata" returned error code 1 at boot due to certctl race condition #16341

Rules / NAT
- Added: Allow floating rules using the “match” action to match based on IP Options #16215
- Added: Block non-global NAT64 addresses by default #16241
- Changed: Refactor PF ruleset generation #16307
- Added: Avoid traffic stalls from unnecessary filter reloads #16308
- Fixed: NAT64 rules using reply-to do not forward packets #16429
- Fixed: Filter rule evaluation continues after matching a match quick rule #16475
- Added: Support state killing on gateway recovery for policy-routed traffic from the firewall itself #16502
- Added: Endpoint-independent Port Restricted Cone Outbound NAT rules #16517
- Fixed: NAT64 rules do not pass traffic when a gateway is specified for the rule #16546
- Changed: Update output and parsing behavior for PHP shell pfanchordrill #16551

System Logs
- Fixed: Log entries without a hostname can cause the system log to display in an unexpected manner #15411

Traffic Shaper (Limiters)
- Fixed: Using a Limiter on a rule with a gateway group limits all traffic through that gateway instead of the host IP address #15770

Translations
- Fixed: Korean locale configuration name is incorrect #16505

Unknown
- Fixed: pfSense Plus does not work with AWS new Instance Metadata Service (IMDSv2) #14772

Upgrade
- Fixed: PHP shell playback script upgradeconfig incorrectly replaces running configuration when Nexus is enabled #16179
- Added: Fix configuration artifacts on upgrade #16253

User Manager / Privileges
- Fixed: sshguard does not trigger for GUI logins from usernames containing unexpected characters #16312
- Fixed: GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages #16314

Virtual IP Addresses
- Fixed: Input validation text for deleting an IP Alias VIP within a CARP VIP subnet may reference incorrect VIP #16272

Web Interface
- Fixed: Boot Environment page fails to load if pfsense:version ZFS property contains newlines #16375
- Changed: Apple TouchID/FaceID probes for site icon files that do not exist #6727

XMLRPC
- Fixed: Membership to admins group is lost when synchronizing user changes via XMLRPC #16392
Source:
Tweakers.net