Download pfSense Plus 23.09

Netgate has released version 23.09 of pfSense Plus. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It is available in the free Community Edition and a Plus version, which was previously offered as a Factory Edition. The Plus version runs on the hardware that Netgate offers, as a virtual machine in AWS or Azure and can also be used for free on your own hardware in a private environment. However, unlike the Community Edition, it is not open source.

It started in 2004 as a spin-off from m0n0wall due to different views among the developers and over the years has grown into a router and firewall package that can be deployed in both small and very large environments. For more information please refer to this page. The most important improvements made in this release are listed below:

OpenSSL upgraded to 3.0.12

This change was essential because OpenSSL 1.1.1 has reached End of Life (EOL) and will no longer receive security patches for vulnerabilities. The upgrade to OpenSSL 3.0.12 means that a number of older and weaker encryption and hash algorithms have been removed, and security certificates based on these older/weaker hashes have been deprecated.

We HIGHLY recommend reviewing the release notes, and our blog on this topic, prior to any upgrade. Encryption algorithms removed from OpenVPN include: ARIA, Blowfish (eg BF-CBC, which was formerly an OpenVPN default), CAST5, DES, DESX, IDEA, RC2, RC5, SEED, and SM4. Hash algorithms removed from OpenVPN include MD4, MDC2, SM3, and Whirlpool.

Kea DHCP added as an opt-in feature

The Kea DHCP server is available as an opt-in feature. Basic functionality is present in version 23.09, but it is not feature complete. You can find us blog on the topic here. Switching to the Kea DHCP server is done by:

• Navigate to System > Advanced
• Choose the Networking tab
• Change the new Server Backend radio button in the DHCP Options section to “Kea DHCP”

Note: If you have assigned hostnames to devices on your network using static leases, or rely on dynamic lease registration in DNS, switching to Kea DHCP results in those hostnames being ignored. The static lease configuration is kept, so switching back to ISC DHCP will restore the functionality.

Improved support for SCTP

Support for SCTP has been improved in PF for firewall rules, NAT, and logging. Rules can now act on SCTP packets by port number. Previously it was only possible to filter on source or destination address.

IPv6 Router Configuration moved

IPv6 Router Advertisement configuration has been relocated to Services > Router Advertisement as a part of the ongoing Kea DHCP server integration.

Additional Changes

• PHP upgraded to 8.2.11
• The base operating system upgraded to a more recent point of FreeBSD 14-CURRENT
• The release also addresses several bugs and other issues.