General

New pfSense Version 2.8 Released!

Comparing pfSense CE 2.7 vs 2.8

pfSense Community Edition (CE) 2.8.0 is a significant update over the 2.7.x branch, bringing major new features, system upgrades, and numerous fixes. Below is a detailed report of all key differences between pfSense CE 2.7 and 2.8, organized by category to help determine if an upgrade is advisable.

New Features Introduced in pfSense 2.8

  • Kernel-Based PPPoE Driver (if_pppoe): pfSense 2.8 introduces a new kernel-mode PPPoE backend (if_pppoe) that greatly improves WAN throughput and reduces CPU usage for PPPoE connections. This is especially beneficial for multi-gigabit fiber connections, allowing much faster speeds with less CPU load. (Note: It's optional in 2.8 and not enabled by default; users can opt-in via a checkbox in System > Advanced > Networking. The legacy MPD-based PPPoE remains available for features like MLPPP which the new driver doesn't yet support.)

  • NAT64 Support: pfSense 2.8 adds full NAT64 functionality, enabling IPv6-only clients to reach IPv4 hosts by translating addresses. This includes support in firewall rules (NAT rules can now be defined for NAT64), in router advertisements (PREF64 option to advertise the NAT64 prefix), and DNS64 integration in the DNS Resolver. The default NAT64 prefix (64:ff9b::/96) and a comprehensive NAT64 implementation guide are provided in the documentation.

  • Kea DHCP Integration (Replacement for ISC DHCP): pfSense 2.8 integrates ISC's modern Kea DHCP server for DHCPv4 and DHCPv6, bringing feature parity with (and eventual replacement of) the older ISC dhcpd. New capabilities via Kea include High Availability DHCP (with state synchronization and optional encryption between HA peers), dynamic DNS registration of DHCP client hostnames into Unbound DNS (updates happen in real-time without restarting the resolver), DHCPv6 Prefix Delegation support (with a new configuration format), static DHCP lease ARP table entries (Static ARP), and the ability to supply custom JSON config snippets for advanced Kea options. These enhancements were partially present in pfSense Plus and are now in CE 2.8. (Note: ISC DHCP is end-of-life and is deprecated; it will be removed in a future release, so migrating to Kea is recommended. When switching an existing setup, some settings like DHCPv6 prefix delegation must be reconfigured due to format differences.)

  • Enhanced Gateway Failback (State Clearing on Tier Recovery): A new gateway fail-back feature in 2.8 can automatically clear states on lower-tier WANs when a higher-priority WAN comes back online. This means when your primary WAN recovers, active connections can be shifted back to it by killing states on the secondary, ensuring optimal use of the preferred link. This behavior is configurable in Gateway Group settings.

  • Built-in Reserved Network Aliases: pfSense 2.8 introduces built-in system aliases for common special networks (eg RFC1918 private nets, multicast, bogons, etc.), which can now be used in user-defined firewall rules. Previously, admins had to manually create these aliases; now pfSense provides them and even exposes certain internal aliases for use in rules. This improves rule clarity and consistency across devices.

  • Other Notable Additions:

    • OpenVPN Enhancements: pfSense 2.8 adds more GUI options for OpenVPN client-specific overrides and introduces support for OpenVPN NBDD (NetBIOS Datagram Distribution) server mode. These provide finer control in OpenVPN setups (for example, easily pushing additional client parameters via the GUI). The OpenVPN wizard and client handling received various fixes (detailed under VPN updates below).

    • NTP Authentication: Network Time Protocol now supports authentication keys in pfSense 2.8, allowing NTP servers/clients to be configured with symmetric key authentication for improved integrity.

    • Custom Login Banner: The web GUI login page can now display a user-defined message or banner in 2.8. This is useful for compliance (eg warning banners) or personalization of the login screen.

    • Packet Capture Filters: The Packet Capture utility (which got a new GUI in 2.7) is improved to allow filtering by protocol (eg only capture certain IP protocols), making troubleshooting easier.
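As an added example (not pfSense's or Unbound's code) of the NAT64/DNS64 address mapping the NAT64 bullet above describes, the following Python implements RFC 6052 embedding and extraction for the default 64:ff9b::/96 prefix, including the RFC 6052 rule that the well-known prefix must not carry non-global IPv4 addresses (the ranges listed and the 2001:db8:64::/96 custom prefix in the test are constructed for the example).

```python
"""RFC 6052 NAT64 address mapping for the 64:ff9b::/96 well-known prefix.

Added example, not pfSense code. It shows what DNS64 synthesises for an
IPv4-only name, what the NAT64 translator extracts from the synthesised
destination, and the RFC 6052 section 3.1 rule that the well-known prefix
must not carry non-global IPv4 addresses (RFC 1918 and similar ranges).
"""
import ipaddress
from typing import List, Optional

WKP = "64:ff9b::/96"  # pfSense 2.8 default NAT64 prefix

# Non-global IPv4 ranges that 64:ff9b::/96 must not represent (RFC 6052 3.1).
# The list is constructed for this example and is not exhaustive.
NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def wkp_allows(v4: str) -> bool:
    """True if the well-known prefix may represent this IPv4 address."""
    addr = ipaddress.IPv4Address(v4)
    return not any(addr in net for net in NON_GLOBAL_V4)


def synthesize(v4: str, prefix: str = WKP) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix: the AAAA DNS64 hands out."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    if net == ipaddress.IPv6Network(WKP) and not wkp_allows(v4):
        raise ValueError(f"{v4} is non-global; RFC 6052 forbids it under {WKP}")
    # With a /96 prefix the IPv4 address occupies the low 32 bits.
    v4_int = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4_int))


def extract(v6: str, prefix: str = WKP) -> Optional[str]:
    """Recover the IPv4 destination from a synthesised address, or None if the
    packet is not destined to the NAT64 prefix (the translator leaves it alone)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in ipaddress.IPv6Network(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(a_records: List[str], aaaa_records: List[str],
                 prefix: str = WKP) -> List[str]:
    """DNS64 only synthesises when the name has no native AAAA (RFC 6147)."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize(a, prefix) for a in a_records]
```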

Deprecated or Removed Features from 2.7 to 2.8

  • ISC DHCP Server Deprecation: As noted, the old ISC DHCP daemon is deprecated and will be removed in a future release. In 2.8, the new Kea DHCP is available and can fully replace ISC DHCP functionality. Users are encouraged to transition to Kea, as pfSense will phase out the ISC DHCP server (which is end-of-life upstream).

  • OpenVPN Shared Key Tunnels: Shared-key mode OpenVPN (deprecated in 2.7) is still supported in 2.8 but remains deprecated – using it triggers warnings in the GUI and logs. It is recommended to migrate any OpenVPN server using shared keys to SSL/TLS mode for better security. No further new features are being developed for shared-key tunnels and they may be removed in a future update.

  • Removed OpenVPN Crypto Engine Option: pfSense 2.8 has removed the old OpenVPN Hardware Crypto accelerator selection option, which was previously deprecated. OpenVPN now uses the system OpenSSL libraries and offloading automatically, so the manual engine toggle was no longer needed.

  • Legacy Ciphers and Algorithms: pfSense 2.7 had already removed support for certain obsolete cryptographic algorithms in IPsec VPN only (3DES, Blowfish, CAST128, MD5-HMAC were dropped due to the FreeBSD 14 base update). In 2.8 these remain unavailable for IPsec (tunnels using them would have been auto-adjusted or disabled on upgrade to 2.7). There were no further cipher removals in 2.8, but administrators coming from 2.6 or earlier should note these algorithms are no longer usable for IPsec. (Other uses of MD5, etc., like BGP MD5, were unaffected.)

  • Captive Portal on IPFW: As of 2.7, Captive Portal was migrated off the old IPFW firewall to use pf instead. Thus, any legacy references to IPFW are no longer applicable in 2.8. The new Captive Portal implementation on pf is the default, and any features tied to the old mechanism have been removed.

  • Miscellaneous Removals: HTTP/1.0 Pragma header for caching was removed from the GUI web server config in 2.8 (an outdated header). Additionally, unit test files for the old jquery-treegrid library were removed from the codebase (cleanup). These changes do not affect functionality but modernize the code. No core features from 2.7 were outright eliminated in 2.8 beyond what's noted above; most changes are additive or optional.

FreeBSD Base System Changes (FreeBSD 14 vs 15)

  • Base Operating System Upgrade: pfSense CE 2.7 was based on FreeBSD 14-CURRENT, whereas pfSense CE 2.8 updates the base to FreeBSD 15-CURRENT. This brings in roughly two years of FreeBSD development, including kernel improvements, updated device drivers, and security fixes at the OS level. Users can expect better hardware support and performance gains from the newer FreeBSD base.

  • PHP Version Bump: The PHP interpreter was upgraded from PHP 8.2 in pfSense 2.7 to PHP 8.3 in pfSense 2.8. This provides performance improvements and language security fixes. It also meant that pfSense packages (WebGUI components and add-ons) had to be updated for PHP 8.3 compatibility. (Because of this, the developers strongly recommend uninstalling third-party packages before upgrading and reinstalling them after, to avoid PHP incompatibilities during the upgrade.)

  • Kernel and System Libraries: By moving to FreeBSD 15, pfSense 2.8 benefits from an updated kernel and base system libraries. Notable low-level changes include fixes for system calls and drivers (eg, a fix for a rare kernel panic in nhdispatch was incorporated). The base system component updates also include security fixes that are only available by upgrading the OS (for instance, binary patches to FreeBSD core components).

  • Boot Loader Update: The FreeBSD bootloader is updated in 2.8. In fact, pfSense 2.8 requires an updated boot loader to support the newer kernel and features (especially with ZFS). The upgrade process will automatically update the bootloader on most systems. However, in edge cases (multi-disk setups where BIOS/UEFI might boot from the wrong disk), an old loader could persist. The release notes caution that if you have multiple disks (eg, an older eMMC with an outdated install alongside a newer SSD), you should ensure the correct disk's loader is used or wipe the unused disk to avoid booting the old loader. In short, the loader update is normally seamless, but admins of appliances with unusual boot configurations should be mindful of this change.

  • OpenZFS and Filesystem: pfSense 2.7 introduced support for newer ZFS features but did not auto-enable them on upgrade to maintain compatibility with old boot environments. In 2.8, since the boot environment is updated, you can more safely upgrade ZFS pools if needed. The guidance in 2.7 was to leave pools un-upgraded (to avoid older loader issues); with 2.8's new loader that gap is closing. Still, 2.8 did not force any ZFS pool upgrade – it remains optional. Several ZFS-related installation bugs were fixed (eg, installing pfSense to a ZFS mirror now properly configures the EFI partitions on all disks).

Kernel and Driver Updates

  • Hardware Driver Updates: The move to FreeBSD 15 brings many driver updates and new hardware support. For example:

    • Network Interfaces: Drivers for Intel NICs and others have been updated. pfSense 2.7 had fixed issues in Intel e1000/igb drivers (VLAN 0 handling) and Hyper-V network drivers (RSC disabling). pfSense 2.8 continues improving NIC support. It fixed a serial console garbling issue on PC Engines APU2 boards (newer APU2 models are now recognized properly), ensuring those popular embedded boards work without serial output issues.

    • Crypto Acceleration: Recognition for Intel QuickAssist (QAT) 4000 series devices was added. If you have QAT acceleration hardware, pfSense will display it in the System Information widget and can utilize it for cryptographic offloading.

    • Chelsio TOE: pfSense 2.7 introduced Chelsio T4/T5 TCP offload (TOE) support via the t4_tom module, which can significantly improve throughput on Chelsio 10GbE/40GbE cards. That support continues in 2.8 (with any FreeBSD 15 improvements to the Chelsio driver).

    • Wireless and Other Drivers: While not explicitly highlighted in release notes, FreeBSD 15 updates wireless drivers and others. Any Wi-Fi cards or other peripherals supported by FreeBSD 15 (but not 14) are now usable in pfSense CE 2.8. Conversely, there were no known drops of driver support between these versions, so all hardware that worked on 2.7 should continue working on 2.8.

  • Kernel Improvements: The FreeBSD 15 kernel includes various under-the-hood enhancements. pfSense 2.8 benefited from upstream fixes such as:

    • A fix for a potential kernel panic when using interface-bound state filtering with IPsec (related to route-to/reply-to) – pfSense adjusted the state handling (see State Policy below).

    • Improvements in the routing stack (there was a fix for a kernel panic when adding routes with an IPv6 next-hop for an IPv4 destination).

    • Stability fixes for high-load scenarios (a noted fix for an HA cluster panic under high load was likely included).

    These kernel changes improve reliability, especially in edge cases or heavy traffic conditions.

  • Device Compatibility: pfSense 2.8's base supports newer CPU and device architectures. (pfSense CE remains on amd64 architecture only for now – Netgate's ARM builds are pfSense Plus only – so 2.8 CE still targets x86_64 systems.) However, within amd64, newer CPU instructions and chipset features are leveraged by FreeBSD 15. There is no longer support for extremely old CPUs lacking SSE2 (those were dropped in earlier pfSense versions already). The platform support in 2.8 is largely the same as 2.7, aside from needing slightly more RAM and storage for the larger base OS.

WebGUI Changes and Improvements

  • Firewall/NAT Rule Management: pfSense 2.7 released usability improvements for firewall rules – including the ability to toggle multiple rules on/off in bulk and to copy firewall/NAT rules to other interfaces with one click. These changes carry into 2.8, making rule management more efficient compared to older versions. In 2.8, additional polish has been added (eg fixes to ensure rule order is preserved when copying or deleting rules).

  • New Packet Capture GUI: Introduced in 2.7, the Packet Capture utility in the Diagnostics menu has a revamped interface. This continues in 2.8, now with added filtering options as mentioned, allowing more fine-grained packet captures without needing the command line.

  • Navigation and Layout: pfSense 2.8 adds overflow scrolling for the top navigation dropdown menus when using the Fixed-Top menu style. This prevents the situation where long menus could run off the screen. The dashboard and other pages saw minor UI tweaks for clarity and consistency. For example, the Thermal Sensors widget has improved readability and refresh behavior, and the System Information widget now shows the current boot method (BIOS/UEFI).

  • Custom Login Message: A new option in 2.8 allows setting a custom text message on the login screen. Administrators can use this to display a warning banner or welcome message on the web interface login page (useful for security notices or branding). This was not available in 2.7.

  • General GUI Fixes and Updates: Many minor WebGUI bugs were fixed:

    • SFP module details: The interface status page now properly shows details for SFP/SFP+ fiber modules (2.7 added this feature) and 2.8 fixes any missing fields.

    • The UI now sanitizes input and output more thoroughly, fixing various potential cross-site scripting (XSS) vectors (see Security section). For instance, text fields in the GUI that displayed unfiltered data (like dashboard widget keys, interface group names, etc.) were cleaned up.

    • Visual fixes: Button text color in disabled table rows has been corrected for contrast. Also, collapsed/expanded widget icons and other icons were fixed where they were wrong in 2.7.

    • The GUI now handles HTTP 50x/404 errors with a friendly error page in the internal web server (nginx) instead of a blank or browser error, improving user experience if something goes wrong.

  • Translations and Internationalization: Both 2.7 and 2.8 include improvements in translations of the interface. If you use pfSense in another language, 2.8 has updated language files and fixes some text that was previously untranslatable or hard-coded.

Overall, the WebGUI in 2.8 is more refined, but not dramatically different from 2.7. Upgrading should feel familiar, with a few extra options and cleaner behavior in edge cases.

Security Enhancements

  • Base System Security Fixes: Upgrading to pfSense 2.8 applies all FreeBSD security patches that were released since the 2.7 base. This includes fixes for vulnerabilities in the OS and base packages. For instance, pfSense 2.8 addresses issues in the FreeBSD kernel and services like bsnmpd (fixed a file descriptor leak in SNMP daemon) and others that could only be fixed via a full release upgrade.

  • WebGUI Vulnerability Patches: Both pfSense 2.7 and 2.8 fixed multiple WebGUI-related vulnerabilities. pfSense 2.8 specifically includes fixes for a series of 2025 security advisories:

    • XSS and potential config-corruption issues with dashboard widget keys.

    • An OpenVPN status page command injection vulnerability (through the management interface).

    • Several stored XSS issues (in AutoConfigBackup pages, Firewall Schedules, IPsec tunnel lists, Wake-on-LAN pages).

    These are documented in the pfSense-SA-25_01.webgui through pfSense-SA-25_07.webgui advisories. All of these are patched in 2.8 (and were also made available as system patches for 2.7.2 users). Upgrading to 2.8 ensures these vulnerabilities are closed by default.

  • Default Firewall State Policy – Improved Security: In pfSense 2.8, the default state handling policy for firewall rules changed from Floating (shared state table across interfaces) to Interface-Bound (states are tied to the ingress interface). This increases security by isolating states per interface, making firewall behavior more predictable and preventing certain edge cases where packets might otherwise match an existing state on a different interface. Interface-bound state handling can prevent traffic "leaking" to unintended interfaces in complex multi-WAN or VPN scenarios, at the cost of some complexity when using policy routing or failover. (If needed, administrators can toggle the global default back to Floating in System > Advanced > Firewall & NAT, and even override state policy per-rule in advanced rule options.) The switch to interface-bound by default is a security-hardening measure; however, 2.8 has built-in fallbacks for known cases where floating is still needed (eg IPsec VTI, certain reply-to cases, pfsync in HA). In summary, out-of-the-box firewalling is stricter in 2.8, aligning with best practices.

  • Algorithm Updates and Ciphers: As mentioned, pfSense 2.7 removed deprecated IPsec algorithms (3DES, MD5, etc.). In pfSense 2.8, those remain absent, but ChaCha20-Poly1305 (a modern AEAD cipher) has been available for IPsec since 2.7. OpenVPN in 2.8 continues to support AES-GCM ciphers (using AES-NI hardware acceleration where available), and the removal of the crypto engine option doesn't reduce security – it simplifies configuration while still using OpenSSL's accelerated routines. Also, any upstream OpenSSL or strongSwan (IPsec) updates in the base improve security; for example, strongSwan and OpenSSL were updated with the base OS, including fixes for known CVEs.

  • SSH and Console Security: pfSense 2.8 fixed an issue where the AutoConfigBackup device key could be disclosed via the console/SSH in certain conditions. It also likely includes updates to OpenSSH that come with FreeBSD 15, and one advisory from 2.7 (SSH guard bypass of GUI login protection) was already addressed. Always, after upgrading, ensure any System Patches (if recommended by Netgate post-release) are applied for any late-breaking security issues.

  • Package Security: Key packages like dnsmasq (DNS Forwarder) and Unbound (DNS Resolver) were updated – dnsmasq to v2.90 and Unbound to 1.22.0 – which include their own set of security fixes (eg, DNS rebinding or cache-poisoning mitigations). Similarly, PHP 8.3 includes security improvements over 8.2. All of this means 2.8 is generally more secure out-of-the-box than 2.7.
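To make the floating versus interface-bound difference from the Default Firewall State Policy bullet concrete, here is an added Python model (not pf or pfSense code) of a state table under each policy; the interfaces, addresses and rule label in the scenario are constructed for the example, and real pf additionally tracks direction, NAT and route-to, which are left out.

```python
"""Floating vs interface-bound state lookup, as a minimal model.

Added example, not pf or pfSense code. It models the difference the pfSense 2.8
default state policy makes: a state created by traffic on one interface is
matched by a packet on another interface under 'floating' but not under
'if-bound', so such a packet has to be evaluated against the ruleset instead.
Real pf also tracks direction, NAT and route-to; those are left out here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FiveTuple = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on or leaves by
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def forward_key(self) -> FiveTuple:
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def reply_key(self) -> FiveTuple:
        # A reply has source and destination swapped relative to the state.
        return (self.proto, self.dst, self.src, self.dport, self.sport)


class StateTable:
    def __init__(self, policy: str):
        if policy not in ("floating", "if-bound"):
            raise ValueError(f"unknown state policy {policy!r}")
        self.policy = policy
        self.states: Dict[tuple, str] = {}  # lookup key -> label of creating rule

    def _key(self, iface: str, t: FiveTuple) -> tuple:
        # if-bound states carry the interface in the key; floating ones do not.
        return (iface, t) if self.policy == "if-bound" else (t,)

    def create(self, pkt: Packet, rule_label: str) -> None:
        """Record the state a 'pass ... keep state' rule would create."""
        self.states[self._key(pkt.iface, pkt.forward_key())] = rule_label

    def match(self, pkt: Packet) -> Optional[str]:
        """Label of the state this packet matches, or None (ruleset must decide)."""
        for t in (pkt.forward_key(), pkt.reply_key()):
            hit = self.states.get(self._key(pkt.iface, t))
            if hit is not None:
                return hit
        return None


def compare_policies() -> Dict[str, Optional[str]]:
    """Constructed scenario: a connection leaves via WAN1, and a reply with the
    same flow tuple shows up on WAN2 (asymmetric routing or an unexpected packet)."""
    syn = Packet("wan1", "tcp", "10.0.0.5", "203.0.113.9", 40000, 443)
    reply_on_wan1 = Packet("wan1", "tcp", "203.0.113.9", "10.0.0.5", 443, 40000)
    reply_on_wan2 = Packet("wan2", "tcp", "203.0.113.9", "10.0.0.5", 443, 40000)
    results: Dict[str, Optional[str]] = {}
    for policy in ("floating", "if-bound"):
        table = StateTable(policy)
        table.create(syn, "pass out on wan1")
        results[f"{policy}/reply on wan1"] = table.match(reply_on_wan1)
        results[f"{policy}/reply on wan2"] = table.match(reply_on_wan2)
    return results
```

Under 'if-bound' the WAN2 packet returns None, which is exactly the case the page describes: it no longer rides an existing state and must pass a rule on WAN2 to get through.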

Performance Optimizations

  • Faster PPPoE Throughput: The headline performance gain in 2.8 comes from the new PPPoE kernel driver. Tests have shown dramatically higher throughput on gigabit+ connections with the if_pppoe backend, as the inefficiencies of userland PPP daemon (mpd) are bypassed. Users with 1Gbps or 10Gbps fiber PPPoE links who enable this should see the firewall route at near line-rate, whereas under 2.7 (with mpd) CPU could become a bottleneck at high speeds. CPU usage for handling PPPoE traffic is much lower with if_pppoe, freeing resources for other tasks.

  • Gateway Failover Efficiency: The new gateway state-clearing on failback can indirectly improve performance in multi-WAN setups by automatically moving sessions back to the primary WAN. This avoids suboptimal use of a slower backup link and reduces manual intervention. It's more of a reliability/efficiency improvement than raw performance, but in metered or constrained backup links it can save bandwidth and cost by promptly restoring primary link usage.

  • Chelsio and QAT Offloading: The support for Chelsio TOE (introduced earlier) and recognition of QAT crypto devices means pfSense 2.8 can better leverage hardware acceleration on systems that have it. TOE can offload TCP processing from the kernel (useful for specific scenarios like high connection count or edge cases), and QAT can accelerate IPsec, OpenVPN, or compression operations. This was either new or improved over 2.7, contributing to performance in high-end use cases.

  • Unbound & DNS Performance: Unbound 1.22 in pfSense 2.8 brings performance enhancements in DNS resolution and caching over the older version in 2.7. Additionally, 2.8 fixed an issue where the DNS Resolver's host overrides could be processed inefficiently (ignoring aliases in some cases) – the fix can reduce unnecessary DNS queries and speed up local name resolution. Also, the DNS Resolver now supports DNS64 for NAT64 environments, avoiding extra queries for AAAA records when synthesizing addresses (a performance aid in NAT64 scenarios).

  • General System Performance: FreeBSD 15 includes scheduler and network stack optimizations. For example, there were memory leak fixes (one in the pfSense-specific ifaddrs function) which free up RAM over long uptimes, and improvements in how state tracking is done in pf, which could slightly enhance firewall throughput. While everyday users might not notice big differences, heavy loads and edge cases are handled more gracefully in 2.8. No known performance regressions have been reported from 2.7 to 2.8; if anything, users often report 2.8 "feels faster", likely due to these accumulated optimizations.

  • NTP and Logs: A small note – enabling NTP authentication in 2.8 might add a tiny overhead to NTP, but it's negligible. The logging subsystem had a fix where restarting the log daemon no longer repeatedly restarts sshguard unnecessarily, which can reduce CPU wakeups. Also, the Dashboard in 2.8 was optimized to lower its refresh impact, potentially improving GUI responsiveness on low-power hardware when the dashboard is open.

Compatibility and Support Changes

  • Hardware Compatibility: As mentioned, pfSense 2.8 (FreeBSD 15) supports at least the same hardware as 2.7 and adds some new device support. Notably:

    • Older i386/32-bit systems were already unsupported since pfSense 2.4, so both 2.7 and 2.8 are 64-bit only.

    • Devices with very low memory (≤1 GB) may struggle with the 2.8 upgrade or operation. The documentation specifically cautions that 1 GB RAM systems can run out of memory during upgrade, depending on enabled services. It's advised to disable non-critical services and even reboot to clear memory before upgrading on such devices. In general, 2.8's footprint is slightly larger, so consider 2 GB RAM a more comfortable minimum for stable use.

    • Older BIOS-only systems: pfSense 2.8 still supports BIOS (non-UEFI) booting and MBR partitioning, but if you have a really old installation, ensure the bootloader updates (per notes above). There was a fix for installing on BIOS+MBR with ZFS (which didn't boot in 2.7), so compatibility there is improved.

    • Serial Console changes: FreeBSD's serial port probing changed in 15, resulting in some legacy serial ports (ISA-based COM ports) not being auto-detected the same way. pfSense 2.8 notes that older boards like the original PC Engines APU1 and certain RCC-VE appliances might not show the console without manual intervention after upgrade. The solution is to manually configure the /boot/loader.conf.local to set the correct hint.uart.0.flags (detailed in Netgate docs) if you encounter a missing serial console on those devices. Netgate's own branded devices have this handled in pfSense Plus, but CE users on generic hardware should be aware.

    • Netgate Appliances: All Netgate appliances that could run 2.7 (eg, SG-2100, 3100, 4100, 6100, etc.) are supported on CE 2.8 if you choose to run CE on them. However, Netgate's factory firmware for those is pfSense Plus. In terms of community hardware, popular devices like APU2/3/4, Protectli boxes, etc., are fully supported on 2.8 (with the minor APU2 console fix noted, which was resolved).

  • Package/Plugin Compatibility: Most pfSense add-on packages (Squid, pfBlocker-NG, Snort, etc.) were updated to support PHP 8.3 and pfSense 2.8 by the time of release. Initially, the 2.8 package repository was not immediately populated (there was a bug about missing package repos for the 2.8 release), but that was resolved quickly. Users should update their packages to the latest versions after upgrading. If you rely on a third-party package, ensure you check its 2.8 compatibility (the vast majority are fine, as 2.8's changes to the package APIs were minor).

  • Backward Compatibility: pfSense 2.8 can read and upgrade a 2.7 (or 2.6) configuration without issues. The config.xml is upgraded on first boot of 2.8, converting any deprecated settings:

    • DHCP settings are mostly carried over, but if you choose to switch to Kea, the conversion isn't automatic for DHCPv6 Prefix Delegation – you must re-enter those PD settings for Kea due to the format change.

    • All firewall rules, NAT, etc., remain the same in the config. The new default state policy applies only to new rules; existing rules keep working, and you can edit them to use the new per-rule state options if desired.

    • If you downgrade back to 2.7 (not common, but if needed), the config may have some 2.8-specific elements (like the state policy toggle or NAT64 rules) that 2.7 doesn't understand. It's best to restore from a 2.7-era backup if rolling back.

  • Platform Lifecycle: While not a technical compatibility issue, it's worth noting that pfSense CE appears to be in a slower release cycle than pfSense Plus. Netgate has indicated they will continue maintaining CE (as evidenced by the 2.8 release), so staying on CE is still viable. Upgrading to 2.8 keeps you on a supported path; remaining on 2.7 means you'd have to manually apply system patches for new vulnerabilities. So from a support standpoint, moving to 2.8 is advisable to receive the latest fixes.

Package Availability and Version Updates

pfSense encompasses many subsystems that act like “packages” (some are core, some optional). Here are changes between 2.7 and 2.8 in terms of packages and software versions:

  • DHCP Server: The most notable change is the inclusion of Kea DHCP in 2.8. In pfSense 2.7, the DHCP Server page only used the ISC dhcpd. In 2.8, the GUI has been extended to support Kea's features (eg, a new global “Settings” tab for DHCP where you can configure Kea-specific options like lease database settings). While ISC DHCP is still present for now, Kea can be enabled to take over DHCP duties. High-availability DHCP sync, DNS Dynamic Updates, and other advanced features are available only via Kea in 2.8. If you upgrade and do nothing, your existing ISC DHCP service continues to run. You can opt to migrate to Kea through the GUI (there may be a toggle or by enabling features that implicitly switch to Kea). Future pfSense will remove ISC, so 2.8 is a good time to get familiar with Kea. (Note: When using HA DHCP with Kea, you'll configure it on each node – the process is more streamlined than the old XMLRPC sync method.)

  • DNS Services: Both the DNS Forwarder (dnsmasq) and DNS Resolver (Unbound) saw updates:

    • dnsmasq was updated to v2.90 in pfSense 2.8. This brings bug fixes and minor features from upstream (like better DNSSEC and DHCPv6 handling).

    • Unbound was updated to v1.22.0. This version improves performance and fixes some bugs. pfSense 2.8 also adds DNS64 support to Unbound's advanced options (to be used in NAT64 setups). Additionally, an issue where Unbound's Python mode could fail config check was fixed, and the longstanding DHCP-Leases registration causing crashes issue was resolved in 2.7 prior (thanks to a patched MaxMind library). So by 2.8, Unbound with Python modules and DHCP registration is stable and memory-leak-free in our experience.

  • VPN Software:

    • OpenVPN: pfSense 2.7 included OpenVPN 2.6.4. pfSense 2.8 continues on the OpenVPN 2.6.x series (the latest stable branch; OpenVPN 2.7 was not yet stable as of early 2025). The exact version isn't explicitly stated, but it's likely updated (eg, to 2.6.5 or higher) with any security patches. As noted, new GUI options for OpenVPN features were added, but core OpenVPN functionality remains consistent. If you used OpenVPN in 2.7, it will work the same in 2.8. The deprecation of shared-key mode was already done in 2.7 (warnings), so you'll continue to see those warnings if applicable.

    • IPsec (strongSwan): pfSense 2.8 uses an updated strongSwan IPsec stack that comes with FreeBSD 15. There's no change needed from a user perspective except benefiting from fixes. For example, strongSwan in 2.8 fixed an issue where having many IPsec tunnels caused slow firewall rule reloads. Also, a bug with IPsec VTI gateways not populating static routes on boot was fixed. If you rely on IPsec VTI, 2.8 is smoother (the VTI interface creation and failover works better). All your IPsec configs from 2.7 import fine; just verify that any Phase1/Phase2 algorithms are still supported (again, the deprecated ones would have been dropped already in 2.7).

    • WireGuard: pfSense 2.7 and 2.8 both support WireGuard via the wireguard-kmod kernel module (which was reintroduced after the initial 2.5.x attempt). There aren't major changes in 2.8 regarding WireGuard; it continues to function as in 2.7. The only note is that 2.8 excludes the WireGuard interface group from certain automatic rule groups (an internal alias change), but this does not impact typical usage. If you had the WireGuard package in 2.7, it should carry over to 2.8 (ensure you update the package to the 2.8-compatible build). No new WireGuard version was mentioned, implying it's largely the same version of wireguard-kmod as before.

  • Other Core Packages:

    • Captive Portal now fully uses pf firewall integration. If you use Captive Portal, note that in 2.8 you can block MAC addresses via masks (new feature), and a bug where disconnected users' traffic wasn't fully cut off was fixed.

    • Dynamic DNS: Small change for Gandi DNS users – you must use a Personal Access Token (PAT) now instead of the legacy API key for Dynamic DNS updates.

    • NTP: As mentioned, NTP can be configured with authentication keys in 2.8. The NTP service version is whatever FreeBSD 15 includes (ntpd with relevant patches).

    • Packages (add-ons): Common add-on packages like pfBlocker-NG, Snort/Suricata, OpenBGPD/FRR, etc., have 2.8-compatible versions. pfSense 2.8 didn't drop support for any of the package frameworks. Just be sure to reinstall or upgrade packages after the base upgrade. One fix worth noting: in 2.8, a bug that could duplicate package menu entries on reinstall was fixed.

    • A new package introduced in the 2.7 era was UDP Broadcast Relay (to relay UDP broadcasts across subnets, useful for certain gaming or discovery protocols). This remains available in 2.8 as an add-on package for those who need that functionality.

  • Version Summary: In summary, pfSense 2.8 modernizes the software stack (FreeBSD 15, PHP 8.3, latest Unbound, dnsmasq, etc.), integrates Kea DHCP (optionally replacing ISC), and retains or updates all packages from 2.7. There should be no loss of functionality – only gains. Always check the official Release Notes for a comprehensive list of package version changes if you need exact version numbers.

Firewall, NAT, and Routing Improvements

Many improvements in pfSense 2.8 revolve around firewall, NAT, and routing behavior:

  • State Handling & Security: As detailed, the default state type is now interface-bound for new rules, which tightens security. pfSense 2.8 introduced both a global toggle and per-rule State Policy options in the GUI. This allows advanced users to choose Floating vs. Interface-bound state handling per firewall rule. For example, in Multi-WAN you might keep floating states for load-balanced rules, but use interface-bound for others. This level of control did not exist in 2.7 (which only had the global floating state setting). Additionally, pfSense 2.8's underlying pf (packet filter) was adapted to automatically handle some special cases – eg, IPsec VTI traffic will revert to floating-state mode internally to avoid breaking those tunnels.

  • NAT Enhancements:

    • NAT64: A major addition in 2.8, as discussed, allowing IPv6-only clients to access IPv4 servers. Firewall NAT rules can now be set to NAT64 mode easily. There's also a UI to configure the NAT64 prefix and related settings. This was not present in 2.7 at all.

    • “Kill States” Option: There is a new option to kill states by target address in NAT rules. In 2.8, you can reset states based on the pre-NAT address when making changes. This is helpful when updating port forwards or 1:1 NAT – ensuring old states don't persist on the wrong host after you re-point NAT. It adds to the existing state killing functions.

    • NAT Outbound Alias Handling: A bug in 2.7 where hybrid outbound NAT using an alias of the wrong address family would create invalid PF rules was fixed. Now NAT rules more gracefully handle alias expansions, improving reliability of complex NAT configurations across IPv4/IPv6.

  • Firewall Rules UI: Beyond the multi-select and copy features from 2.7, pfSense 2.8 added small conveniences:

    • Hovering over system-defined aliases (like “LAN net”, or new reserved network aliases) in rules will show details in a tooltip – so you can quickly see what an alias contains without leaving the page.

    • The rules page also gained a fix for editing rules after reordering: previously, after you drag-and-drop re-ordered rules, clicking edit might open the wrong rule – that's fixed in 2.8.

    • It also addresses a rare issue where adding or deleting a rule very quickly could momentarily scramble rule order in the GUI (now resolved).

  • Routing & Multi-WAN:

    • The new Gateway Fail-back state clearing (under System > Advanced > Misc or directly in Gateway Groups settings) allows better multi-WAN routing control. In 2.7, when a failed primary WAN recovered, existing connections would often stay on the secondary WAN until they ended. In 2.8, you can choose to terminate those states to force traffic back onto the primary. This is particularly useful if the secondary WAN is metered or has limited bandwidth.

    • Selective State Killing on Gateway Recovery: This feature is essentially the one described above – it's implemented such that only states for the lower-tier gateway are killed while others persist. This fine-grained control did not exist in 2.7.

    • Routing Bug Fixes: A few IPv6 routing issues were fixed, for example NPTv6 (Network Prefix Translation) no longer breaks ICMPv6 path MTU discovery, and static routes over IPsec VTI come up reliably on boot in 2.8. These fixes mean a more robust routing experience in complex deployments (NPT, IPsec tunnels, etc.).

    • Router Advertisements (IPv6): pfSense 2.8's radvd supports the PREF64 option for NAT64 environments, meaning it can advertise the NAT64 prefix (like 64:ff9b::/96) to clients – an important piece for NAT64 to function seamlessly. This wasn't in 2.7. Also, radvd had a number of fixes (e.g., no more false error about RDNSS lifetime, and it is properly hidden when disabled).

  • Alias and Table Improvements: With the introduction of built-in aliases for special networks in 2.8, managing aliases is easier. pfSense 2.8 also fixed edge cases like aliases containing IPv6 VIP addresses now include those in the table (previously they might not). In 2.7, many alias-related bugs were squashed (ensuring alias content is complete even if some hostnames don't resolve, etc.), so by 2.8 the alias system is quite robust.

  • Traffic Shaping: While not heavily changed, there were some important fixes from 2.7 to 2.8 for traffic shaping (limiters):

    • pfSense 2.8 fixed an issue where fragmented packets could be dropped when using limiters and where reply-to traffic on secondary WAN might be dropped with limiters. It also resolved a long-standing bug where limiters with names or queue lengths beyond certain values wouldn't function. These fixes make traffic shaping more reliable, which is crucial if you use limiters for bandwidth management (ALTQ remained the same between versions, with no new QoS features added).

  • UPnP and NAT-PMP: pfSense 2.8 made some adjustments to UPnP/PCP behavior: the GUI text was updated for clarity, and the STUN port is now optional. Additionally, a bug where UPnP-created port forwards would never expire was fixed. If you rely on UPnP for gaming consoles or similar, 2.8's implementation should be more predictable.

In sum, pfSense 2.8's firewall/NAT/routing is a superset of 2.7's capabilities, with NAT64 as a major new feature, smarter state and gateway handling, and a collection of fixes that tighten up edge behaviors.

VPN Features and Protocol Updates

  • IPsec (VPN): Both 2.7 and 2.8 use strongSwan for IPsec, but 2.8 includes many bug fixes:

    • New Cipher: As of 2.7, ChaCha20-Poly1305 was available for IPsec encryption, giving a faster option on devices without AES acceleration. This remains in 2.8. The removal of old algorithms (3DES, etc.) in 2.7 improved IPsec security baseline.

    • Stability: pfSense 2.8 fixed an issue where having a large number of IPsec tunnels caused very long filter reload times (this affected rule changes when dozens of tunnels exist). It also resolved a problem where removing an IPsec Phase 1 wouldn't properly remove all its Phase 2 entries or might remove too many.

    • Dual-Stack Tunnels: A new fix in 2.8 allows IPsec tunnel endpoints to listen on “any” address (both IPv4 and IPv6) simultaneously – previously configuring a dual-stack mobile IPsec could be tricky. Now you can have a single Mobile IPsec that accepts clients from either IPv4 or IPv6 addresses without separate configurations.

    • VTI Improvements: Virtual Tunnel Interfaces (route-based IPsec) are more reliable in 2.8: the VTI interfaces come up correctly even if the Phase 2 “Local Network” was a network rather than an address, and a failover in an HA setup will no longer leave stale states because mobile IPsec now properly detects a gateway failover. Also, firewall rules on the enc0 interface (for VTI IPsec) now account for interface-bound state policy properly.

    • XSS Fix: Minor, but the IPsec Status pages had a potential XSS when listing Phase1s, which is fixed.

    • GUI Enhancements: The IPsec Phase 2 listing now shows the interface subnet for local and remote networks in a tooltip, making it easier to identify each Phase 2 entry at a glance in 2.8.

  • OpenVPN: pfSense 2.8 continues to refine OpenVPN support:

    • All the core OpenVPN functionality from 2.7 remains (including AES-NI support, OpenVPN 2.6 features like datagram tunnel (UDP) improvements).

    • New Options GUI: Two new features were exposed:

      • Client-Specific Overrides (CSOs): More of OpenVPN's configuration for per-client overrides can be set via the GUI now (for instance, specifying a different DNS server for a particular client, or explicit IPv6 if needed). This saves editing config files manually.

      • NBDD Mode: A checkbox to enable NBDD (Broadcast relay for NetBIOS over TCP/IP) on OpenVPN server instances was added. NBDD allows NetBIOS broadcasts to be forwarded over the VPN, which can help with network neighborhood discovery across the tunnel.

    • Usability Fixes: A number of OpenVPN bugs were fixed from 2.7 to 2.8:

      • WINS/NBT settings are now properly hidden or shown depending on whether the NetBIOS option is enabled, and they are pushed to clients correctly.

      • The OpenVPN wizard in 2.7 had an issue when a Virtual IP was chosen for the server; this is fixed in 2.8.

      • A rare case of the OpenVPN auth script pegging the CPU if a RADIUS server timed out was fixed – improving reliability for those using RADIUS authentication.

      • If a certificate used by OpenVPN had multiple Common Name fields, the status would misbehave in 2.7; 2.8 fixes that parse issue.

      • Also, the OpenVPN status page and dashboard widget now properly validate any user-supplied data before display, closing a potential injection vector.

    • OpenVPN Client Export (Package): Not directly mentioned, but presumably updated to handle any new options. If you use the client export package, ensure it's updated after moving to 2.8.

    • No Removal of OpenVPN features: Shared key mode is still there (deprecated), and other modes (SSL/TLS, user auth, tls-crypt, etc.) all continue to function as in 2.7. Upgrading does not require any OpenVPN reconfiguration except to note the hardware crypto engine option removal (which most users didn't need to touch).

  • WireGuard VPN: WireGuard is relatively static between 2.7 and 2.8 in pfSense CE. The kernel module was updated behind the scenes if FreeBSD 15 included a newer version, but the functionality is unchanged. Create Tunnels, assign interfaces, etc., works the same. One small interface group alias exclusion was made for cleanliness, but typical users won't notice. If you installed the WireGuard package on 2.7, you should install the 2.8-compatible WireGuard package after upgrade. Performance of WireGuard might be slightly improved if the newer kernel has any improvements in crypto or scheduling, but nothing specific was called out.

  • L2TP/PPTP: These legacy VPN types (mostly considered deprecated for security) are still present in pfSense 2.8 if you were using them. There were no notable changes, except a fix in 2.7 for a GUI value retention issue. They remain available but it's generally recommended to migrate to more secure VPNs (OpenVPN/IPsec/WireGuard). No new features for L2TP/PPTP in 2.8.

In summary, pfSense 2.8's VPN support is stronger through bug fixes and small feature adds, making VPN connections more stable and easier to configure, but the fundamental capabilities (encryption protocols, performance) remain similar to 2.7 aside from the default algorithm deprecations already done in 2.7.

Bug Fixes and Known Issues

pfSense 2.8 incorporates a huge number of bug fixes over the 2.7 series, improving stability and addressing known issues:

  • Notable Bug Fixes:

    • The long-standing Unbound crash when DNSBL and DHCP registration were enabled (which required a patch in 2.7) is fully resolved, thanks to upstream fixes in the Python module. Memory leaks in Unbound DHCP registration were also mitigated. Users of pfBlockerNG and DNSBL can now safely run DHCP lease registration without crashes, which was problematic in early 2.7.0.

    • DHCP Failover Sync: Kea's introduction fixed many of the old ISC DHCP failover quirks. For example, static route synchronization in XMLRPC had issues, now Kea's approach (sync over the sync interface) works reliably. Also, a bug with identical MAC filters on multiple interfaces preventing Kea from starting is fixed.

    • High Availability (CARP/pfsync): A critical bug where removing a route on the primary wouldn't remove it on the secondary was fixed. Also, some HA cluster panic issues under load were addressed in FreeBSD (one noted in Redmine #15413). Overall CARP synchronization of settings (like admin user group changes) was corrected.

    • UI and Config Glitches: Hundreds of small bugs were fixed. For example, editing interface settings no longer throws a PHP error if a temp file is empty; OpenVPN Q-in-Q interface creation works now; many pages now properly validate input and encode output (preventing various edge-case errors or cosmetic issues). The release notes list many such fixes, reflecting a more polished experience (e.g., no more phantom error notifications for things that actually applied correctly).

    • Memory Leaks: A memory leak in a pfSense internal function pfSense_get_ifaddrs() was fixed, as was a leak in the SNMP daemon file descriptors. Systems running for long periods will remain healthy with these fixes, whereas 2.7 might have slowly consumed more RAM in those areas.

    • Known Issues Resolved: An example of a resolved known issue is the Malicious Driver Detection false alarms on Intel ixl 10Gb interfaces (which was fixed in 2.7) – 2.8 carries that fix. Another is an installer issue where an encrypted config file could not be restored during installation, which was fixed in 2.7 and thus in 2.8.

  • Known Issues in 2.8.0: As of release, no showstopper bugs have been widely reported for 2.8. Most users report smooth upgrades and stable operation. A few things to be aware of:

    • The package repository timing: Initially, some users found the package list empty right after upgrading (a temporary condition if the repositories were syncing). Hitting Refresh or waiting a short while resolved this. Netgate quickly fixed the repository availability, so this should no longer occur.

    • Legacy Hardware Console: If you have an older board with an ISA serial port (like PC Engines APU1 or certain Netgate RCC units), remember the serial console workaround mentioned (setting hint.uart.0.flags="0x0" in loader). This is documented and only affects a handful of devices, but it's a "known issue" insofar as those users must take manual action for console access post-upgrade.

    • Potential Upgrade Hiccups: Upgrading in-place from 2.7 to 2.8 can occasionally fail if package scripts interfere (hence the advice to remove packages first). If an upgrade fails, Netgate recommends using the Recovery Menu (accessible via console) or booting from install media to do a config recovery. Always backup config before upgrading. These aren't 2.8-specific issues, just general upgrade safeguards.

    • System Patches: If any minor issues are discovered post-release, Netgate may publish fixes via the System Patches package. For example, pfSense 2.7.2 had patches for the 2025 advisories until 2.8 came out. Keep an eye on Netgate's announcements or the forum for any recommended patches for 2.8. (At the time of writing, none major are known aside from what's already fixed in 2.8.0 release.)

    • Performance Tuning for ZFS: Systems with low RAM and ZFS might need some tuning (like enabling ZFS memory limit in System > Advanced > Misc). The docs have a ZFS Tuning note for 1GB devices. This isn't a bug, but a known adjustment for small systems.

  • Upgrade Considerations: The upgrade from 2.7.x to 2.8 is generally smooth. Just remember to:

    1. Backup your config.

    2. Remove or disable packages before upgrading (then re-install on 2.8).

    3. Check for any deprecated settings (old ciphers, etc.) in use and update them before upgrading (e.g., switch IPsec or OpenVPN to modern ciphers).

    4. After upgrade, verify all services started (DHCP, DNS, etc.). If using new features like Kea, test that leases are handed out properly.

    The vast majority of users can upgrade in-place via the GUI (System > Update, switch branch to 2.8.0). The process can take some time due to the OS change, and the device will reboot. Having console access during upgrade is helpful in case of issues (especially for headless appliances).
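A pre-upgrade audit for step 3 of the checklist, as an added example that is neither Netgate's tooling nor code from this post: it walks a config.xml backup and flags the deprecated IPsec and OpenVPN settings mentioned above (3DES, MD5, shared key mode, legacy data ciphers). The element paths (ipsec/phase1 encryption items, openvpn-server data_ciphers/digest/mode) are an assumed simplification of the real layout, and the sample backup is constructed.

```python
import xml.etree.ElementTree as ET

# What to flag: 3DES is named in this post as removed in 2.7; the rest are this
# example's own list of legacy algorithms (an assumption; adjust to your policy).
WEAK_IPSEC_ENC = {"3des", "des", "blowfish", "cast128"}
WEAK_IPSEC_HASH = {"md5", "hmac_md5"}
WEAK_OVPN_PREFIXES = ("DES-", "BF-", "RC2-", "CAST5-")


def audit_config(xml_text: str) -> list[str]:
    """Return one finding per deprecated VPN setting in a config.xml backup."""
    root = ET.fromstring(xml_text)
    out = []
    # IPsec phase 1: algorithms live under encryption/item (assumed layout)
    for p1 in root.iterfind("./ipsec/phase1"):
        name = p1.findtext("descr") or f"ikeid {p1.findtext('ikeid')}"
        for item in p1.iterfind("./encryption/item"):
            enc = (item.findtext("./encryption-algorithm/name") or "").lower()
            hsh = (item.findtext("hash-algorithm") or "").lower()
            if enc in WEAK_IPSEC_ENC:
                out.append(f"ipsec phase1 '{name}': encryption {enc}")
            if hsh in WEAK_IPSEC_HASH:
                out.append(f"ipsec phase1 '{name}': hash {hsh}")
    # OpenVPN servers: shared-key mode is deprecated; check data ciphers/digest
    for srv in root.iterfind("./openvpn/openvpn-server"):
        name = srv.findtext("description") or f"vpnid {srv.findtext('vpnid')}"
        if srv.findtext("mode") == "p2p_shared_key":
            out.append(f"openvpn server '{name}': shared key mode")
        ciphers = (srv.findtext("data_ciphers") or "").split(",")
        ciphers.append(srv.findtext("data_ciphers_fallback") or "")
        for c in (c.strip().upper() for c in ciphers):
            if c.startswith(WEAK_OVPN_PREFIXES):
                out.append(f"openvpn server '{name}': cipher {c}")
        if (srv.findtext("digest") or "").upper() == "MD5":
            out.append(f"openvpn server '{name}': digest MD5")
    return out


# Constructed sample backup (not a real one): one legacy, one modern entry each.
SAMPLE_CONFIG = """<pfsense><ipsec>
 <phase1><ikeid>1</ikeid><descr>Legacy S2S</descr><encryption><item>
  <encryption-algorithm><name>3des</name></encryption-algorithm>
  <hash-algorithm>md5</hash-algorithm></item></encryption></phase1>
 <phase1><ikeid>2</ikeid><descr>Modern</descr><encryption><item>
  <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  <hash-algorithm>sha256</hash-algorithm></item></encryption></phase1>
</ipsec><openvpn>
 <openvpn-server><vpnid>1</vpnid><mode>p2p_shared_key</mode><digest>MD5</digest>
  <data_ciphers>AES-256-GCM</data_ciphers><data_ciphers_fallback>BF-CBC</data_ciphers_fallback>
 </openvpn-server>
 <openvpn-server><vpnid>2</vpnid><description>Road warriors</description>
  <mode>server_tls_user</mode><digest>SHA256</digest>
  <data_ciphers>AES-256-GCM,CHACHA20-POLY1305</data_ciphers></openvpn-server>
</openvpn></pfsense>"""

if __name__ == "__main__":
    # On a real box, run this against a backup from Diagnostics > Backup & Restore
    print("\n".join(audit_config(SAMPLE_CONFIG)) or "no deprecated settings found")
```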

Conclusion (Is the Upgrade Advisable?)

pfSense CE 2.8.0 is a major update that brings numerous improvements in features, security, and performance. Key advancements like the new PPPoE driver, NAT64, and Kea DHCP integration can be compelling, especially if they fill a need in your network (e.g., faster fiber speeds, IPv6 transition, or DHCP HA setups). Additionally, 2.8 includes critical security fixes that are important for any internet-facing firewall. Many bugs present in 2.7 are resolved, making 2.8 more stable in complex configurations (multi-WAN, many VPNs, etc.).

From a support perspective, running the latest version is beneficial – pfSense 2.7 will only receive limited fixes (if any, beyond what the System Patches package can provide), whereas 2.8 will be the basis for any new CE patches and updates. Netgate has indicated that while pfSense Plus has a faster release cadence, the Community Edition is still maintained and 2.8 is production-ready.

Upgrade Recommendation: For most users, upgrading to 2.8 is advisable and should be straightforward, provided you follow best practices (backup, etc.). It is especially recommended if:

  • You need any of the new features (Kea DHCP, NAT64, PPPoE performance, state management tweaks).

  • You care about the security fixes included (which you should for a firewall).

  • You experienced any of the bugs that are now fixed (e.g., Unbound crashes, IPsec VTI route issues, etc.).

If your pfSense CE 2.7 setup is very stable and you use none of the new features, you might be cautious – but even then, the security and bug fixes make a strong case. Testing the upgrade in a lab or backup unit is never a bad idea if downtime is a concern. Overall, pfSense 2.8.0 represents a healthy evolution of the platform, and the enhancements across the board — from the FreeBSD 15 core to the WebGUI polish — provide a solid improvement over 2.7.

As always, read the official Release Notes and Upgrade Guide before proceeding, and ensure your hardware meets the slightly elevated requirements. With that prep, an upgrade to 2.8 should be a beneficial step for your network.

Sources:

  • pfSense CE 2.7.0 Release Notes

  • pfSense CE 2.8.0 Release Notes

  • Netgate pfSense CE 2.8.0 Announcement & Blog

  • Netgate Documentation and Redmine (Changelog details and issue fixes)

Author

8G_N0maD
