pfSense Community Edition has been effectively frozen since 2.7.2. Security patches, new WireGuard kernel fixes, Zenarmor's latest engine, and modern hardware support are only landing in pfSense Plus. Here's why it matters — and the exact migration path that preserves your config.
pfSense Community Edition was the default for a decade. That era has ended. Netgate's engineering time, security response, and feature roadmap now flow exclusively through pfSense Plus.
Beyond "get support," here are the six things Plus does better than CE that you will notice within the first week.
Every system update creates a snapshot. If a release breaks VPN or a driver, pick the previous BE from the boot menu — back to a working firewall in 30 seconds. CE has no equivalent.
The kernel-space WireGuard module on Plus is the version that actually received the upstream security audit and crash fixes. CE builds still ship the earlier code with PPS-related panics under load.
Encrypted, automatic, off-box backup of config.xml on every save — included. On CE this was paywalled in the old gold subscription model that no longer exists.
QAT on newer Intel Atom / Xeon D boards, AES-NI IPsec, and TSO/LRO for 10G NICs are tuned by default in Plus. Same hardware on CE frequently needs manual loader.conf tweaks.
Sunny Valley ships DPI signature updates for the Plus branch first. The CE branch is usually one signature-train behind — which means apps that launched in the last quarter are mis-classified.
Netgate Technical Assistance Centre opens tickets for Plus users on Netgate hardware. Community forums are also more Plus-focused now — bug reports on CE often get "please test on Plus."
The steps differ depending on what hardware you're running. Find your situation below.
SG-1100 / 2100 / 4100 / 6100 / 8200 / 8300
Easiest path. Plus is the default on Netgate hardware and your licence is tied to the device serial. If you're on CE on a Netgate box (unusual), you can re-flash the Plus factory image from recovery.
Home lab, mini-PC, SuperMicro, ProtectLi
Use the pfSense Plus Home+Lab free licence. Sign up on the Netgate portal, download the Plus installer ISO, USB-boot, install fresh, then restore your config.xml. This is the path 90% of CE users take.
ESXi, Proxmox, Hyper-V, KVM
Same as Path B, but easier to stage. Snapshot the CE VM, spin up a parallel Plus VM on a cloned virtual disk, restore config, test, then swap MACs / interfaces. Zero downtime if you do it right.
Spend 20 minutes on these steps. It's the difference between a 30-minute migration and a 3-hour rescue mission.
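Tick Encrypt this configuration file, set a password you'll remember, and download. Keep a second unencrypted copy on a box that isn't the firewall. That copy holds the IPsec shared secrets and VPN certificates in clear text, so keep it somewhere access-controlled.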
Screenshot or note the list. Packages are not restored by the config import — you re-install them manually after Plus boots, and the config then re-applies their settings.
In CE, run ifconfig -a from the shell. Record which physical NIC (igb0, em0, re0…) is WAN vs LAN vs OPT. On Plus, the names may stay the same on identical hardware, but verify.
Any ACME certs, IPsec shared secrets, OpenVPN certs, pfBlockerNG feed URLs. Most are in config.xml but verify you have a recovery method if the import partially fails.
Production sites: announce a 1-hour maintenance window. Keep a spare firewall or console cable on hand. If this is your only internet gateway — plan for 2× the time you think you'll need.
Generate a free licence key. Save the token — you'll paste it into Plus after first boot. Netgate may email a verification link; complete that first.
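As an added example (not from the original page or from Netgate), this Python script does pre-migration steps 2 and 3 from the unencrypted config.xml copy: it lists installed packages and interface-to-NIC assignments, then flags any assignment whose NIC is missing on the new install. The sample config and NIC list are constructed, the function names are hypothetical, and the `igb1.30` VLAN naming and feeding it `ifconfig -l` output are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this script reads.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb1.30</if><descr>IOT</descr></opt1>
    <opt2><if>re0</if><descr>DMZ</descr></opt2>
  </interfaces>
  <installedpackages>
    <package><name>suricata</name></package>
    <package><name>pfBlockerNG-devel</name></package>
    <package><name>acme</name></package>
  </installedpackages>
</pfsense>"""

def inventory(config_xml):
    """Return ({role: nic}, [package names]) from an unencrypted config.xml."""
    root = ET.fromstring(config_xml)
    if root.tag != "pfsense":
        raise ValueError("not an unencrypted pfSense config.xml")
    ifaces = root.find("interfaces")
    assignments = {n.tag: (n.findtext("if") or "").strip()
                   for n in (ifaces if ifaces is not None else [])}
    names = (p.findtext("name") for p in root.findall("./installedpackages/package"))
    return assignments, sorted(n.strip() for n in names if n)

def missing_nics(assignments, present):
    """Roles whose physical NIC is absent from the new install's NIC list."""
    present = set(present)
    # Assumption: VLANs are named parent.tag (igb1.30), so check the parent port.
    return {role: nic for role, nic in assignments.items()
            if nic.split(".", 1)[0] not in present}

def install_order(packages):
    """Suricata first, as the page requires; the rest alphabetically."""
    return sorted(packages, key=lambda p: (not p.lower().startswith("suricata"), p.lower()))

if __name__ == "__main__":
    roles, pkgs = inventory(SAMPLE_CONFIG)
    # Constructed NIC list, as `ifconfig -l` might print it on the new install.
    new_box = "igb0 igb1 lo0 enc0 pflog0".split()
    print("assignments:", roles)
    print("re-install in this order:", install_order(pkgs))
    print("unmatched NICs:", missing_nics(roles, new_box))
```

Any role reported as unmatched needs reassigning at the console prompt before you restore the config.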
This walks through Path B (self-built x86-64). Paths A and C are noted where they differ.
On the Netgate portal → Downloads, pick the current pfSense Plus release, architecture amd64, media type USB Memstick Installer (VGA). The file is a .img.gz of around 700 MB.
Use Rufus (Windows) or dd (Linux / macOS) with the decompressed .img. Min 4 GB USB. Do not use Etcher for the .img.gz — decompress first.
Plug USB into the firewall. Boot, accept the licence, pick Install. Filesystem: choose ZFS (this is what gives you boot environments). Pool type: stripe for one disk, mirror for two. No need to create partitions manually.
After first reboot, the console asks "Should VLANs be set up now?" (usually N), then prompts for WAN, LAN, OPT assignments. Match the names to what you recorded in your pre-migration step 3.
Plus boots with default LAN 192.168.1.1/24 and DHCP on. Plug your laptop into LAN, browse to https://192.168.1.1. Default credentials: admin / pfsense — you'll change this in the wizard.
Upload your exported config.xml, enter the encryption password if you used one. Leave Restore area as ALL. Click Restore — the firewall reboots applying your old settings.
Enter the licence token from Netgate portal. Once registered, you unlock Auto-Config-Backup and the official package repository.
Go down your list from pre-migration step 2. Install each. The config already contains their settings — once the package is installed, those settings activate automatically. Order matters only for Suricata + pfBlockerNG (install Suricata first).
Check routing, DHCP leases, firewall rules, VPN tunnels, ACME certs, NAT port-forwards. Run a speed test. Browse to a blocked domain to confirm pfBlockerNG/Suricata triggered. Tail /var/log/system.log from Diagnostics → System Logs for 10 minutes watching for new errors.
```sh
# Confirm you're on Plus and the release channel is set
cat /etc/version
cat /etc/version.patch
pfSense-upgrade -d

# Verify ZFS pool health and the boot environments
zpool status
bectl list

# WireGuard kernel module loaded?
kldstat | grep -i wireguard

# Any failed services since boot?
service -e | grep -i fail
dmesg | tail -40

# Hardware crypto offload engines active?
kldstat | grep -E "aesni|qat"
sysctl kern.features.hwpmc_hooks
```
Three layers of rollback, in order of how much pain they cost you.
Reboot, at the FreeBSD boot menu press 7 for boot environments, pick the previous BE. You're back on the last-known-good config in under a minute. This only helps for post-install updates, not for the big CE→Plus jump.
If the Plus install completed but something fundamental broke, boot the USB again, reinstall, restore the same config.xml. Sometimes a corrupted first boot is the only issue and the second install is clean.
Keep a CE 2.7.2 installer USB stick on hand during the migration. If Plus genuinely fails on your hardware (rare — usually NIC driver issues), reinstall CE and restore the same config.xml. You're back where you started, minus an hour.
Yes — if you use it for home, personal, non-commercial lab, or educational purposes, the Home+Lab licence is free and does not expire. You register for it on the Netgate portal, get a token, paste it into Plus. Commercial / for-profit deployments on non-Netgate hardware require a paid subscription, which is the main revenue model.
Yes — the config.xml format is compatible. Firewall rules, aliases, NAT, DHCP, DNS Resolver, IPsec, OpenVPN, WireGuard peers, ACME certificates, CAs, users, and VLANs all restore exactly. What does not auto-restore: installed packages (you re-install by hand) and package-specific state that lives outside config.xml (e.g. Suricata PCAP logs, pfBlockerNG downloaded feed files — those rebuild on first update run).
Only on virtual machines (Path C) — snapshot CE, spin up a parallel Plus VM with a cloned virtual disk, restore config, test in isolated VLAN, then flip the uplink. On physical hardware there's always a 20–30 minute window while you swap drives or USB-install. For ISPs with a single WAN, negotiate a maintenance window. For dual-WAN sites, failover to the secondary during the primary upgrade.
Netgate has not made a public "CE is dead" announcement. What they have done is shift all active development into Plus, reduce CE build cadence to near-zero, and quietly remove CE from recommended-install pages. In practical terms: assume CE is receiving only critical-CVE patches on an indeterminate schedule. Don't build anything new on it.
No. Plus runs on the same AMD64 hardware as CE — same minimum 2 GB RAM, same NIC support (usually better, in fact, because of newer drivers). The Home+Lab licence has no hardware restriction. If your CE box runs fine today, Plus will run on it fine too, usually faster.
Patched forks don't restore. OPNsense config is not compatible with pfSense at all (different XML tree). Community-only packages that aren't in the official Plus repo won't re-install. If you depend on any custom package, audit whether it still exists in the Plus ecosystem before you pull the trigger. In most cases there's a supported equivalent.
For a straightforward home lab box: 30 minutes, most of it spent re-installing packages. For a production firewall with 20+ VPN tunnels, custom Suricata rules, pfBlockerNG with 50 feeds, ACME automation, and HAProxy: budget 2 hours and do it on a Saturday night.
Yes — we do CE→Plus migrations as a fixed-fee engagement. Full config audit, Plus Home+Lab or commercial licence setup, USB media prep, on-site or remote install, package re-install, smoke test, 30-day post-migration tuning included. See pricing in the CTA below.
Remote or on-site. Licence registration, USB install, config restore, package re-install, VPN/ACME validation, 30 days of post-migration support. Typical completion: 2–4 hours for single firewall, 1 day for HA pair.