Software update: pfSense 2.5.0

Spread the love

Version 2.5.0 of pfSense has been released. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It is available in the free Community Edition and a Plus trim, previously offered as a Factory Edition. It started in 2004 as a fork of m0n0wall due to differing views among the developers and over the years has grown into a router and firewall package that can be deployed in both small and very large environments. For more information, please refer to this page. The highlights for this release are as follows:

pfSense Plus 21.02-RELEASE and pfSense CE 2.5.0-RELEASE Now Available

We are excited to announce the release of pfSense® Plus software version 21.02 and pfSense Community Edition (CE) software version 2.5.0, now available for new installations and upgrades!

This is the first release of pfSense Plus software, formerly known as Factory Edition. For more details about the distinctions between pfSense Plus and pfSense CE, read the pfSense Plus Announcement. Customers running the Factory Edition of pfSense software version 2.4.5-p1 and older can upgrade in-place automatically to pfSense Plus software version 21.02 as with any other previous upgrade.

These versions are the result of an immense development effort taking place over the last several years. Over 550 issues are resolved, including bug fixes, new features, and other significant changes.

pfSense Plus software version 21.02-RELEASE updates are available now. For installation images, contact Netgate TAC. pfSense software Community Edition version 2.5.0-RELEASE updates and installation images are available for download now.


The new versions include a long list of significant changes. Notably, pfSense Plus adds:

  • Support for Intel® QuickAssist Technology, also known as QAT.
    • QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
    • Supported hardware includes many C3000 and C2000 systems sold by Netgate and some other types of built-in QAT support and add-on cards.
  • Improved SafeXcel cryptographic accelerator support for the Netgate SG-2100 and Netgate SG-1100 which can improve IPsec performance.
  • Updated IPsec profile export
    • Exports Apple profiles compatible with current iOS and OS X versions
    • New export function for Windows clients to configure tunnels using PowerShell

Both pfSense Plus and pfSense CE include:

  • Base OS upgraded to FreeBSD 12.2-STABLE
  • OpenSSL upgraded to 1.1.1
  • Performance improvements
  • kernel WireGuard implementation, as mentioned in a previous WireGuard blog post

  • IPsec enhancements
    • Configuration for the strongSwan IPsec backend was changed from the deprecated ipsec.conf/stroke format to the new swanctl/VICI format
    • Various improvements to tunnel configuration, including better options for lifetime and rekey to avoid duplicate security associations
  • OpenVPN upgraded to 2.5.0

    • OpenVPN 2.5.0 now mandates data cipher negotiation, but also tries to be friendly to older clients
    • ChaCha20-Poly1305 is now supported, which is the same cipher used by WireGuard and may offer speed improvements on some platforms
    • OpenVPN now disables compression by default because it is insecure, but it can still decompress traffic received from clients while not transmitting compressed packets
  • Certificate Manager updates
    • The GUI now supports renewing certificate manager entries (certificate authorities and certificates)
    • Notifications are generated for expiring certificate entries
    • Certificate keys and PKCS #12 archives can now be exported with password protection
    • Support was added for elliptic curve (ECDSA) certificates
    • Internal and imported CA entries can be added to the system-wide trust store
  • Significant changes in Captive Portal backend and HA behavior

For more details, see the Release Notes and redmine.

Version number 2.5.0
Release status Final
Operating systems BSD
Website pfSense
License type Conditions (GNU/BSD/etc.)
You might also like