pfSense CE 2.7.0: New Features and Upgrade Steps
Open-source firewalls are a great solution for home lab environments and production use cases, and no open-source firewall stands out more than pfSense. The pfSense firewall solution is excellent and provides many capabilities and features. Netgate has just announced the release of pfSense CE 2.7.0 and pfSense Plus 23.05.1 with new features. Let’s unpack the new features and walk through the upgrade steps.
What is pfSense Firewall?
First of all, what is pfSense? pfSense is an open-source firewall and router that is based on FreeBSD, a robust, flexible, and secure Unix-like operating system. This firewall platform provides a wealth of features typically found in commercial packages, making it a popular choice among IT professionals and enthusiasts.
One of the key attributes of pfSense is its versatility. It can function as a firewall, router, or even a Virtual Private Network (VPN) server. Thanks to its modular design, pfSense can be configured to fulfill a broad range of networking roles while maintaining high security.
The pfSense firewall has packet filtering, VPN support, and Network Address Translation (NAT) features. It also supports load balancing and failover capabilities, providing network reliability and resilience.
Furthermore, it incorporates a web-based interface that makes it easier for administrators to manage and monitor the network. This user-friendly interface allows you to configure rules, manage network traffic, and monitor system logs, all from your web browser.
Another distinct advantage of pfSense is its extensive community support. Being an open-source platform, it benefits from a global community of users and developers who contribute to its development and provide assistance with troubleshooting and optimization.
What is the Difference Between pfSense CE and pfSense Plus?
pfSense CE (Community Edition) and pfSense Plus are two distinct versions of the pfSense firewall software, each catering to different use cases and audiences.
pfSense CE is the free, open-source version of the software. It’s maintained and developed by a community of volunteers and is widely used by individuals and small businesses who appreciate its robust features and the flexibility of an open-source platform.
On the other hand, pfSense Plus is a commercial product developed by Netgate, the company behind pfSense. It includes additional features and enhancements that are particularly beneficial for enterprise and professional use. These additions often revolve around advanced security, scalability, and ease of use in larger or more complex network environments. Moreover, pfSense Plus comes with professional support and regular updates, providing users with peace of mind regarding the stability and security of their networks.
In essence, while both pfSense CE and pfSense Plus share the same core functionality, pfSense Plus offers added benefits and features, making it more suitable for larger businesses and enterprise-level applications.
Unpacking pfSense CE 2.7.0: What’s New?
pfSense CE 2.7.0 brings many changes designed to enhance performance, improve usability, and bolster security. Let’s delve into the most notable ones.
Enhanced Captive Portal and Limiters
The captive portal and limiters have transitioned from ipfw to pf, the default packet filter in pfSense. This change leverages Layer 2 features, improving performance and stability by eliminating the need for packets to traverse both pf and ipfw.
UPnP and Multiple Game Systems
A fix has been added to address issues with UPnP and multiple game systems, resolving connectivity problems for multiple consoles when UPnP is enabled.
New Gateway State Killing Options
The firewall now offers more flexibility in deciding how to kill states automatically during failover events, and it introduces new manual ways to selectively remove states.
Improved Firewall/NAT Rule Usability
The Firewall/NAT rule interface has been revamped, making it easier to create and manage rules. This includes new buttons to toggle multiple rules and copy rules to other interfaces.
Upgraded OpenVPN and PHP
OpenVPN and PHP have been upgraded to versions 2.6.4 and 8.2.6 respectively, bringing a host of security fixes and performance improvements. However, the PHP upgrade may cause issues in packages not yet upgraded to use the latest PHP libraries.
Track the ‘Main’ Branch of FreeBSD
pfSense CE now tracks the ‘main’ branch of FreeBSD, allowing for quicker security updates and bug fixes, without additional technical debt to backport to older versions of FreeBSD.
Added Support for ChaCha20-Poly1305 to IPsec
Support for ChaCha20-Poly1305 has been added to IPsec. This AEAD transform is also used in WireGuard and in OpenVPN with DCO, so IPsec tunnels now have the same additional secure AEAD option as those VPN systems.
Addressed Issues with Unbound Crashes
Several issues causing unbound crashes have been addressed, including a fix for a specific issue that could cause unbound to crash when receiving certain DNS queries.
New Packet Capture GUI
A new packet capture GUI has been introduced to enhance the ability to capture and analyze network traffic.
UDP Broadcast Relay Package
A new UDP broadcast relay package has been added, which can be used to relay UDP broadcast packets between networks.
Upgrading to pfSense CE 2.7.0: A Step-by-Step Guide
Before any major upgrade, it’s recommended to save a firewall configuration backup. Additionally, uninstalling all packages is advisable due to significant changes in PHP and base OS versions, which may interfere with the upgrade process.
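A pre-upgrade check for the two preparations above, as an added example that is not from the original article or from Netgate: it confirms that a downloaded config.xml backup parses, records its SHA-256, and lists the installed packages to remove before upgrading and reinstall afterwards. The `pfsense` root element, the `installedpackages/package/name` layout, and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample standing in for a backup downloaded from the firewall.
# The root element and installedpackages/package/name layout are assumptions
# about config.xml; the package names are placeholders.
SAMPLE_BACKUP = b"""<?xml version="1.0"?>
<pfsense>
  <version>0.0</version>
  <installedpackages>
    <package><name>example-pkg-b</name></package>
    <package><name>example-pkg-a</name></package>
    <package><name>example-pkg-b</name></package>
  </installedpackages>
</pfsense>
"""


def check_backup(data: bytes) -> dict:
    """Check that a config.xml backup is usable and list its packages."""
    result = {"ok": False, "reason": "", "packages": [],
              "sha256": hashlib.sha256(data).hexdigest()}
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A truncated or corrupted download ends up here.
        result["reason"] = f"not well-formed XML: {exc}"
        return result
    if root.tag != "pfsense":
        result["reason"] = f"unexpected root element <{root.tag}>"
        return result
    # De-duplicate and drop empty names so the list is a clean checklist.
    names = {(pkg.findtext("name") or "").strip()
             for pkg in root.iterfind("installedpackages/package")}
    result["packages"] = sorted(names - {""})
    result["ok"] = True
    return result


if __name__ == "__main__":
    report = check_backup(SAMPLE_BACKUP)
    print("backup usable:", report["ok"], report["reason"])
    print("sha256:", report["sha256"])
    for name in report["packages"]:
        print("uninstall before upgrade, reinstall after:", name)
```

Keep the recorded hash with the backup so the file can be verified again before it is ever restored.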
To upgrade to pfSense CE 2.7.0, follow these steps:
- Navigate to System > Update
- Set Branch to “Current Stable Version (2.7.0 RELEASE)”
- Click Confirm to start the upgrade process
The screens below are from pfSense Plus, upgrading to the 23.05.1 release, but the steps are the same:
Navigate to System > Update.
Choose the target branch. Below it is the latest pfSense Plus release (23.05.1). However, you would choose pfSense CE 2.7.0 if you are running CE. Click Confirm.
The upgrade process begins.
After a couple of minutes, the upgrade finishes and the system will count down until it reboots.
After the system reboots, you should see the latest version reflected on the dashboard.
New Installations of pfSense CE 2.7.0
For new installations of pfSense CE 2.7.0, you’ll need to download and install from an image.
pfSense Plus 23.05.1: Enhancing Stability
pfSense Plus 23.05.1 does not bring a long list of new features; it focuses on stability, incorporating several bug fixes and enhancements. The notable changes are:
Aliases / Tables
The PHP error that occurred when trying to bulk import Alias content has been rectified.
CARP (Common Address Redundancy Protocol)
This release includes two essential fixes for CARP. First, the problem with unicast CARP VIPs not being able to communicate using IPv6 Link Local Addresses has been fixed. Also, an issue causing CARP VIPs to become master too early at boot time has been resolved.
Captive Portal
The new version has addressed system crashes or unresponsiveness linked to the Captive Portal. Additionally, a PHP error in Captive Portal usedmacs handling has been fixed.
DNS Resolver
Issues with setting system DNS servers that could incorrectly modify routes for interface addresses have been fixed. Plus, a discrepancy in the “TTL for Host Cache Entries” description has been addressed.
Dashboard
The PHP error arising from an empty <plugins> tag in config.xml has been fixed.
IPsec
A couple of significant improvements have been made to IPsec. Reassembled packets received on a VTI are now forwarded correctly, and a PHP error in the IPsec tunnels list has been fixed.
Interfaces
A panic that occurred when changing the parent of a VLAN interface used by limiters has been addressed.
Notifications
The software no longer sets system LEDs incorrectly on hardware with fewer than three LEDs.
Rules / NAT
The outbound NAT rule input validation error when manually specifying “Other Subnet” with a valid address has been fixed. Also, the issue of the “Enable IPv6 over IPv4 tunneling” option resulting in an invalid PF rule has been resolved.
Web Interface
The “Max Processes” value is now properly stored when saving on system_advanced_admin.php.
This list of enhancements and bug fixes shows the commitment to refining the user experience and ensuring the firewall’s efficiency and stability. Remember to review these changes and plan for them in your upgrade process, particularly if you utilize any areas where bugs have been fixed.
Upgrading to pfSense Plus 23.05.1: A Step-by-Step Guide
Before any major upgrade, saving a firewall configuration backup is recommended. Also, see the images above for the screenshots for pfSense Plus.
To upgrade to pfSense Plus 23.05.1 from versions 23.01 and 23.05, follow these steps:
- Navigate to System > Update
- Set Branch to “Current Stable Version (23.05.1 RELEASE)”
- Click Confirm to start the upgrade process
If you’re upgrading from version 22.05 of pfSense Plus, you must first upgrade to version 23.01 by following these steps:
- Navigate to System > Update
- Set Branch to “Previous Stable Release (23.01 RELEASE)”
- Click Confirm to start the upgrade process
- Once this upgrade is complete, follow the steps above to upgrade from version 23.01 to version 23.05.1
Install pfSense in Proxmox
Check out my video on how to install pfSense on Proxmox.
Wrapping up
The pfSense firewall is a powerful, flexible, and feature-rich solution catering to various networking needs. Whether you’re managing a home network or an enterprise-grade infrastructure, pfSense offers an efficient, cost-effective, and robust platform to secure and manage your network environment.