pfSense v2.8.1

pfSense is a multifunctional software router-firewall based on FreeBSD.

Key features: routing (including dynamic routing), firewall protection, NAT, DHCP server, load balancing, VPN (including OpenVPN and L2TP), dDNS, PPPoE, IDS, and proxying.

What’s Changed:

Major Performance Improvements

PPPoE Performance: 25-100% faster

• New: Kernel-level if_pppoe driver with RSS (multi-core)
• Speed: 8-10 Gbps on fiber
• Status: Optional, disabled by default
• Limitation: No MLPPP support
• Enable: System > Advanced > Networking

FreeBSD 15 Improvements

• SIMD operations for string/memory functions (amd64)
• 40% TLB performance improvement under Hyper-V
• Socket/TCP buffer auto-scaling limit: 8 MB
• Memory leak fixes (#15471)

Security Fixes

7 critical pfSense security advisories fixed:

1. pfSense-SA-25_01.webgui — XSS/DoS in dashboard widgets
2. pfSense-SA-25_02.webgui — Command injection in OpenVPN
3. pfSense-SA-25_03.webgui — XSS in AutoConfigBackup
4. pfSense-SA-25_04.webgui — Device Key disclosure
5. pfSense-SA-25_05.webgui — XSS in Firewall Schedules
6. pfSense-SA-25_06.webgui — XSS in IPsec Phase 1
7. pfSense-SA-25_07.webgui — XSS in Wake on LAN

FreeBSD Security Updates:

• TCP spoofing vulnerabilities (FreeBSD-SA-23:17.pf)
• ZFS data corruption fixes (FreeBSD-EN-23:16/18.openzfs)
• OpenSSL AES-GCM corrections
• Latest CVE fixes integrated

New Features

• Kea DHCP High Availability (from pfSense Plus)
• NAT64 Support
• Built-in system aliases
• Improved gateway failback (#855)

And much more

Преимущества

• Modular architecture.
• Own package manager.
• Built-in monitoring, logging, and reporting.
• Firewall, intrusion detection and prevention systems (IDS/IPS), and antivirus.
• Integrations with Security Onion, Wazuh, etc.

1. Get an SSH key pair for connection to a virtual machine.

2. Create a security group in the network where you will deploy the VM with pfSense and configure the following rules:

   Traffic direction	Port range	Protocol	Destination / Source	CIDR blocks
   Inbound	22	Any	CIDR	0.0.0.0/0
   Inbound	25	Any	CIDR	0.0.0.0/0
   Inbound	465	Any	CIDR	0.0.0.0/0
   Inbound	587	Any	CIDR	0.0.0.0/0
   Inbound	80	Any	CIDR	0.0.0.0/0
   Inbound	443	Any	CIDR	0.0.0.0/0
   Outbound	All range	Any	CIDR	0.0.0.0/0

   Security groups are used in Yandex Cloud services to control network access to the object they apply to. If you assign a security group without rules to the network interface of a VM, the VM will not be able to send or receive traffic.

3. Create a VM from a public image:

   • Under Image/boot disk selection, in the Product search field, enter pfSense and select the pfSense public image.

   • Under Network settings, in the Security groups field, select the security group you created previously.

   • Under Access:

     • Enter freebsd in the Login field.

       Warning

       You must not use admin or other logins. Use freebsd only.

     • Paste the contents of the public SSH key file in the SSH key field.

     Save the VM public IP address.

4. Connect to the VM over SSH. To do this, use the freebsd username and the private SSH key you previously created.

5. To access the console, click 8. Open root_password:

   ee /conf/root_password
   

6. Copy the password. You will need it to access the web interface.

7. In the browser, go to https://<VM_public_IP_address>/.

8. Use the following parameters to connect to the service:

   • Username: admin.
   • Password: <password_from_root_password_file>.

   Change the password if needed.

• Creating VPN connections between physical and cloud resources.
• Protecting sites and applications.
• Translating addresses.
• Filtering traffic.
• Routing on the internet.
• Detecting intrusions (IDS/IPS).
• Traffic monitoring.
• Dynamic routing.

OpenNix
OpenNix provides support to pfSense users in Yandex Cloud. You can contact their support team by email at support@opennix.ru. Support is available on business days from 9 a.m. to 6 p.m., GMT+3.