Messages from the pfSense Team

Call for Testing: pfSense Plus 26.03 RC Now Available!

Bob.Dig — Mon, 09 Mar 2026 21:54:42 GMT

@luckman212 nope

Now Available: pfSense Plus 25.11.1

stephenw10 — Tue, 27 Jan 2026 16:17:06 GMT

@matthewfearnley said in Now Available: pfSense Plus 25.11.1: /etc/inc/pkg-utils.inc:93 Hmm, odd. It shows the NDI correctly on the dashboard?

Announcing Netgate Nexus: Multi-Instance Management for pfSense Plus

nefarius — Mon, 19 Jan 2026 23:56:00 GMT

Nice work, please add fine‑grained RBAC to Netgate Nexus. We need a way to allow operators to manage all registered pfSense instances (view instances, use remote GUI/console) without giving them access to any Nexus controller settings or menus. A separation of “Instance Management” and “Controller Administration” privileges would enable proper role separation and significantly improve security in multi‑team environments.

PSA: IPv6 connection failures with TSO enabled in pfSense+ 25.11

marcosm — Mon, 12 Jan 2026 21:09:55 GMT

pfSense+ version 25.11 can fail to connect to Netgate package servers over IPv6 when TCP segmentation offload (TSO) is enabled. Affected users will need to revert the TSO option back to its default setting. See:
https://docs.netgate.com/pfsense/en/latest/releases/25-11.html#ipv6-connection-failures-with-tso-enabled

Security Advisory: Potential remote command execution via DNSSL router advertisement messages

pfGeorge — Thu, 18 Dec 2025 18:57:58 GMT

Problem

On December 16, 2025, FreeBSD published a security advisory for a remote command execution vulnerability in rtsold. The advisory can be found here:

https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

Discussion

While remote command execution vulnerabilities are concerning, exploitation of this particular vulnerability would be difficult. The vulnerability requires an attacker to be on the same network as a pfSense software installation interface configured to obtain an IPv6 address using DHCPv6 (e.g. WAN) and the attacker must also be able to send multicast messages to that pfSense software installation interface.

In this case, an attacker can send a correctly timed IPv6 router advertisement message containing a DNS search list (DNSSL) entry with a malicious payload, and the contents could be executed as shell commands on the pfSense software installation. Exploitation of this vulnerability would require very precise timing, as the vulnerability window is very short.

This vulnerability is possible due to a lack of validation for DNS search list data. The rtsold daemon executes a script to update the system DNS configuration when it receives an IPv6 router advertisement message containing RDNSS (Recursive DNS servers) or DNSSL (DNS search list) content. The rtsold daemon does not validate the content of DNSSL data when passing it directly to a shell script, /sbin/resolvconf, which also does not validate the data before use.

While pfSense software does not rely on /sbin/resolvconf to manage resolv.conf, and it configures that script to not write any files, the script still gets executed and processes the problematic data, and thus is still a valid vulnerability.

pfSense software runs rtsold with the -1 parameter which causes it to terminate after the first response it receives. Therefore, the rtsold daemon is only active for a brief window during interface configuration. This limits exposure, as the first response is typically the router on the segment. However, this also creates an opportunity where the attacker could still trigger the bug if they respond first, or if the attacker is the only responder.

Solution

Since pfSense software does not rely on /sbin/resolvconf, the workaround for this problem is a patch linked in Redmine issue #16593, which will pass -R /usr/bin/true to rtsold which prevents it from executing the problematic script. With that change in place, the malicious data would have no effect. FreeBSD has added validation to rtsold which will address the problem at a lower level in future releases of pfSense software.

To mitigate this issue now:

Users without IPv6 connectivity
Simply ensure that no interfaces are configured to use DHCPv6.

Users with IPv6 connectivity requiring DHCPv6
Apply the attached patch found in Redmine issue #16593, or the corresponding recommended patch in the System Patches package. An updated System Patches package is published for pfSense Plus 25.11, pfSense Plus 25.07.1, and pfSense CE 2.8.1.

The attached patch on Redmine issue #16593 applies on pfSense Plus software versions 23.05 and newer, as well as pfSense CE software versions 2.7.0 and newer. Older installations should upgrade to a supported release or make similar source changes manually.

Now Available: pfSense® Plus 25.11-RELEASE

SteveITS — Thu, 11 Dec 2025 21:46:23 GMT

dashboard showed the "boot verification" banner for roughly 15 minutes at 95-100% CPU usage, and finally "failed" and booted back into 25.07. From what I could see a pfBlocker update was running as it was slowly creating GeoIP country files System > Update > Update Settings has a configurable timer...the default is 300s though, which is about 1/3 to 1/4 of what it actually waited.

A new public BETA for pfSense® Plus 25.11 is now available!

pfGeorge — Tue, 11 Nov 2025 19:33:40 GMT

A new public BETA for pfSense Plus 25.11 is now available!

Netgate would like to thank all the users willing to test this BETA release. Your involvement is essential to making Netgate's pfSense Plus product a stronger solution for everyone!

OpenVPN Changes
OpenVPN has deprecated DH parameters that are less than 2048 bits. OpenVPN users will notice that if the update process detects a setting of 1024, the update process will automatically change this setting to 2048.

This maintenance release includes numerous updates, bug fixes, and enhancements, with more to come.

Installing the Upgrade
Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process.

New Netgate® Installer Version 1.1 Available

pfGeorge — Mon, 27 Oct 2025 22:16:03 GMT

Netgate is pleased to announce version 1.1 of the Netgate Installer for pfSense Plus and pfSense CE software. Customers and community users are encouraged to download this latest version, which will be necessary to install newer versions of pfSense Plus and future pfSense CE releases.

Features:

Installation target media detection for smaller storage devices - The Netgate Installer will now detect smaller installation target storage, and choose better defaults for filesystem layouts.
Network settings - Network settings that are specified during the installation process will carry over into the running configuration of the firewall.
Custom names for ZFS pools - Users will now have the option to set their own names for ZFS pools. This is useful when dealing with multiple storage devices.

Also included are many bugfixes and improvements to the user experience.

Upgrade to pfSense Plus today!

Netgate is a registered trademark of Rubicon Communications, LLC
pfSense is a registered trademark of Electric Sheep Fencing, LLC ("ESF")

Updates to the pf packet filter in FreeBSD and pfSense software

Cyber100 — Tue, 09 Sep 2025 17:14:34 GMT

@pfGeorge So what? What should I do or not do? Update something somewhere or just wait?

Now Available: pfSense® CE 2.8.1-RELEASE

Viktor.V — Thu, 04 Sep 2025 20:02:32 GMT

@dennypage Create an igmp rule on your floating rules, and do not set the direction to in. Set: Interface Leave: Direction to any Set: Protocol to IGMP only Set: Source to any Set: Destination to any Set: Quick Set: Adavanced Options, Allow IP options For example if you have pfblocker dnsbl auto rules (ping auto rule, permit auto rule) on top, it can cause trouble on the states. Check: the States of this rule. You should see tcp and upd packets as well, 443. If you set the direction on your lan intarfce to in, you should see igmp only, otherwise you have to place at the very top of all your other floating rules before everything else.

Call for Testing: pfSense® CE 2.8.1 RC Now Available!

pfGeorge — Tue, 26 Aug 2025 18:22:13 GMT

A new Release Candidate for pfSense Community Edition 2.8.1 has been published. This will be a maintenance software release primarily containing bug fixes. This is the final testing version of this software, before official release.

This Release Candidate includes a number of bugfixes in the following areas:

AutoConfigBackup
DynamicDNS
PPPoE Interfaces
OpenVPN
Operating System Updates
Firewall Rules/NAT
System Logs
UPnP

Call for Testing
Thank you to all users willing to test this Release Candidate. Given the diversity of users' environments and configurations, it is the most effective way to ensure that the software is robust and reliable for everyone. By testing this Release Candidate and providing feedback on any issues, our users can play a vital role in improving the software for everyone.

Where to report issues
We encourage you to test the things that are important or unique to your deployments. Please report any errors or concerns in the Development category of the Netgate Forum. Depending on the issue, we may ask for more details or for you to open a bug on redmine.pfsense.org.

Summary
We want to express our sincere thanks to all users willing to test this Release Candidate. Your community involvement is essential to making Netgate's pfSense CE software a stronger solution for everyone.

Full Release Notes:
https://docs.netgate.com/pfsense/en/latest/releases/2-8-1.html

Now Available: pfSense® Plus 25.07.1-RELEASE

Bob.Dig — Mon, 18 Aug 2025 19:37:37 GMT

said in Now Available: pfSense Plus 25.07.1-RELEASE: Coincidence? Yes, indeed.

Now Available: pfSense® Plus 25.07-RELEASE

mvikman — Mon, 04 Aug 2025 19:37:24 GMT

@stephenw10 Yeah, I saw that release post and that was the reason I tested the old download link

pfSense® CE 2.8.1 Beta Now Available!

reberhar — Thu, 17 Jul 2025 19:02:52 GMT

Thanks for working on it.

pfSense Plus 25.07 Beta Now Available

Gertjan — Mon, 07 Jul 2025 20:59:43 GMT

@yellowRain said in pfSense Plus 25.07 Beta Now Available: Here are some tips and ideas on ipv6. You would have to start with the start : your ISP. The bad news : IPv6 isn't IPv4. After decades, for IPv4, the DHCPv4 WAN IP attribution won. Some ISPs still persist offering a PPPOE connection. What left - 1 % or so, is "totally not standard", so you have to use the ISP box, and connect pfSense as a 'LAN device' using DHCPv4 on the WAN, and you done. For IPv6 : if your ISP was respecting all IPv6 RFCs, then 'set WAN to use DHCPv6-client, and done. Maybe some ISP give you a page with IPv6 setting, but I guess that's pretty rare. Some ISP propose the awkward "Negociate IPv6 over IPv4" or some other strange method. So, normally - afaik, already this : setting a custom static ipv6 address for pfsense router is already quiet 'non standard'. The ISP or ISP box should give : An IPv6 WAN address for the pfSense WAN interface and as many 'prefixes' (/64 networks) for every pfSense LAN your pfSense has. Typically, your ISP or ISP has 256 (/56) indicate with of these prefixes for you (probably minus on, as from the first prefix, only one IPv6 is used, the one for your pfSense WAN). But, as the bad news tells us : every ISP on planet earth has probably broken something (uses their own non RFC method). I'm not staying your 'static' method isn't good, Just that it is - again afaik - not standard. Btw : SLAAC : things can be done differently, I guess, I just never used it.

Now Available: pfSense® CE 2.8.0-RELEASE

jc1976 — Wed, 28 May 2025 21:31:50 GMT

@stephenw10 Can't we just have a full install ISO again? It seems there are too many use cases where that is either the best, or only way, for us to install instead of the 'netinstaller'.

pfSense CE 2.8 Release Candidate is Here!

dennypage — Tue, 20 May 2025 21:58:04 GMT

@Sergei_Shablovsky said in pfSense CE 2.8 Release Candidate is Here!: So, as a solution You propose me just…to stop using ntopng ? Seriously ? If the unexposed redis vulnerabilities concern you, then yes, I definitely suggest that you stop using ntopng. There are likely much worse vulnerabilities, known and unknown, in ntopng itself. Running any add-on package increases risk, and ntopng is a large and complicated piece of code which brings a higher level of risk than most. Of course, you have to decide for yourself what level of risk you are willing to operate with. FWIW, as a whole I recommend use of ntopng as a diagnostic tool only. I do not recommend it as something for continual, routine operation. @Sergei_Shablovsky said in pfSense CE 2.8 Release Candidate is Here!: I clearly understand that most of this CVEs are out of Netgate’s obligation. But is this mean the current 2.8.0 would be in BETA until all of this CVEs would be resolved by developer’s community ? No. It is not practical to stop the release of pfSense because there is a vulnerability in an add-on provided by the community. pfSense itself would never release. If you want to go down that path, a much more practical approach would be for Netgate to remove the add-on from the repository until all vulnerabilities in the component and all of its dependencies were remediated. Ouch.

Important Security Updates for pfSense Plus 24.11 and CE 2.7.2 Software

Normandy214 — Fri, 16 May 2025 18:02:08 GMT

@pfGeorge 24.03 is listed as still being a supported version (https://docs.netgate.com/pfsense/en/latest/releases/versions.html) , but the published fixes are listed as only being for 24.11 and 2.7.2. Does that mean 24.03 doesn't have this vulnerability or is 24.03 no longer supported, or patches for 24.03 are coming out later?

New pfSense Plus 25.03-BETA is here!

marcg — Tue, 15 Apr 2025 14:02:56 GMT

Might be time to unpin this post, and shorten the list of pinned posts at the top of this important forum section?

New pfSense Plus 25.03-BETA is here!

jwt — Mon, 24 Mar 2025 18:20:23 GMT

@mr_nets it's in this beta

pfSense Plus 25.03-BETA is here!

RobbieTT — Fri, 07 Feb 2025 17:04:23 GMT

@chudak said in pfSense Plus 25.03-BETA is here!: Why is 25.0x taking so long this time? Because it is a really good update. ️

pfSense Plus Software Version 24.11 is here!

Cabledude — Mon, 25 Nov 2024 23:03:38 GMT

I thought it best to create a separate topic so we can keep this one clean.

pfSense Plus 24.11-RC is here!

cmcdonald — Thu, 14 Nov 2024 00:38:22 GMT

@DominikHoffmann The oven is running and a release build is baking. Soon.

pfSense Plus 24.11-BETA is here!

stephenw10 — Fri, 01 Nov 2024 16:11:46 GMT

That's this: https://redmine.pfsense.org/issues/15411 It creates some logs at boot that cause it. Once they scroll off the page should display normally.