pfSense Plus RELEASE 25.11.1

This is a software maintenance release with fixes for issues discovered in the previous pfSense Plus software version.

• Shorter TLS certificate lifetimes: Recommended maximum TLS server certificate lifetime reduced from 398 days to 200 days to align with upcoming CA/Browser Forum baseline requirement changes (for certs issued Mar 15, 2026 → Mar 15, 2027).

• Stricter TLS certificate security (OpenSSL hardening): Certificates with weak properties (e.g., RSA keys < 2048 bits) may cause services like the GUI to fail. Admins should review and renew/replace non-compliant certificates before upgrading (or regenerate the GUI cert via pfSsh.php playback generateguicert if the GUI won’t start).

• IPv6 stability fix with TSO enabled: Resolves a case where oversized packets combined with TCP Segmentation Offload (TSO) could terminate connections originating from the firewall (notably seen when reaching Netgate services over IPv6). Best practice remains keeping TSO disabled.

• Kernel stability improvement (syncache panic): Includes upstream fixes addressing kernel panics related to TCP SYN caching; workarounds like net.inet.tcp.syncookies=0 can be removed after upgrade.

• Netgate 2100 LAN port reliability update: Updates LAN port link parameters to prevent an edge-case transmission issue triggered by a specific byte pattern (Netgate 2100 only).

• Security advisory fix (rtsold RCE): Incorporates a fix for FreeBSD-SA-25:12.rtsold, a remote command execution vulnerability affecting rtsold (and thus pfSense).

• Virtualized PPPoE errata (vtnet): Notes an unresolved issue where PPPoE on vtnet may not pass routed traffic in certain hypervisor setups; workarounds include switching interface type (e.g., em/vmx) or disabling offloads in the hypervisor NIC.

• Broad pfSense Plus enhancements and fixes across subsystems: Multiple targeted improvements across aliases/tables, backup/restore, captive portal, certificates, config upgrade, DHCP, DNS Resolver (Unbound), gateway monitoring, hardware/drivers, IPv6 RA, pfctl/tables, package system, routing, rules/NAT, system logs, upgrade behavior, and privilege/UI consistency.

These updates reinforce pfSense Plus as a secure, modern, and robust firewall and network edge platform for both on-premises and cloud environments.