pfSense CE → pfSense Plus Upgrade Guide

Comparing pfSense Plus & pfSense CE: Cost and Key Differences Explained

Migrate from pfSense® CE software to Netgate pfSense Plus software

This guide consolidates the full set of steps and best practices for upgrading a system from **---

Differences Between pfSense CE and pfSense Plus (as of July 2023)

1. Cost & Licensing

  • pfSense CE: Completely free, community‑supported.
  • pfSense Plus: Free for home and lab use. Automatic entitlement when used on Netgate hardware; CE → Plus migration requires registration but remains free.

2. Support Model

  • CE: Community forums only.
  • Plus: Eligible for paid Netgate TAC support.

3. Base System & Release Cadence

  • Both share the same FreeBSD base (FreeBSD 14 as of 2023).
  • Plus receives more frequent releases and hotfixes.
  • CE has a longer release cycle.

4. Features Exclusive to pfSense Plus

Feature CE Plus
Boot Environments (automatic snapshots) ✔️
QAT Crypto Acceleration ✔️
OpenVPN DCO (Data Channel Offload – Beta) ✔️
OpenVPN Client Import Tool ✔️
AWS VPN Wizard ✔️
IPsec Export for Apple Profiles ✔️
IPsec Export for Windows PowerShell ✔️

5. Features Fully Available on Both (no limitations)

Both versions support:

  • High Availability (CARP)
  • VLANs
  • OpenVPN
  • WireGuard
  • IPSec
  • L2TP
  • ZFS file system
  • All major routing & firewall features

6. ZFS & Boot Environments Clarification

  • Both CE and Plus support ZFS.
  • Only Plus includes the Boot Environment GUI tools + auto‑snapshot during upgrades.
  • CE requires more manual ZFS handling.

7. Security Patch Handling

  • Plus receives faster updates to the base OS when needed.
  • CE updates are slower but still maintained and not considered unsafe.

pfSense Community Edition (CE)** to pfSense Plus, based on Netgate guidance and practical lessons from field use.

1. Before You Begin

A. Confirm Requirements

  • A Netgate account with an activated pfSense+ subscription or device entitlement.
  • Your pfSense CE must be 2.6 or later.
  • Internet connectivity for the upgrade process.

B. Prepare Backups

  • Go to Diagnostics → Backup/Restore.
  • Download the latest full configuration backup.
  • If virtualized: take a VM snapshot.
  • If physical: prepare a USB installer for pfSense+ (failsafe recovery option).

C. Review Boot Environments

  • pfSense CE/Plus uses ZFS Boot Environments.
  • Each upgrade automatically creates a new boot environment (snapshot).

  • You may manually create one via:

    • System → Boot Environments → Create

2. Clean Up Before Upgrading

A. Evaluate Installed Packages

Netgate best practice:

  • Uninstall all third‑party packages before upgrade.

  • When uninstalling, choose “Keep configuration files”.

    • This allows you to reinstall packages after the upgrade with your settings intact.

If you decide to upgrade with packages installed:

  • Do this only if you understand the risks.
  • Some packages may break the upgrade or behave unpredictably.

3. Enable Upgrade to pfSense Plus

A. Purchase, Receive Token, and Prepare for Migration

To migrate from pfSense CE → pfSense Plus, follow this consolidated flow:

1. Purchase the Correct Subscription (TAC Lite or Standard)

  • Go to the Netgate Store.
  • Choose pfSense+ Software Subscription with TAC Lite Support (or the appropriate plan).
  • In the dropdown, select: Upgrade from pfSense CE to pfSense Plus (Do NOT leave it on Renewal/New Install.)
  • Add to cart and complete checkout.

After purchase, Netgate will email the activation token to the email address on the store account.

Tip: If the token email does not arrive quickly, check spam/junk folders.

Warning: Tokens are single‑use — ensure the CE system is stable and in its intended configuration before proceeding.

B. Register pfSense CE Using the Token

  1. In the pfSense CE GUI, navigate to System → Register.
  2. Paste the activation token.
  3. Click Register.
  4. Confirm registration success on the page.

C. Switch to the pfSense Plus Upgrade Branch

  1. Go to System → Update.
  2. The page should now announce availability of the pfSense Plus migration branch.

  3. Set Branch to:

    • pfSense Plus Upgrade
  4. Wait for the update check to finish.

D. Begin the Migration Upgrade

  • Click Confirm to start the migration.
  • This will convert CE → Plus as part of the upgrade process.

#

Official Netgate Migration Guide

Reference: https://docs.netgate.com/pfsense/en/latest/install/migrate-to-plus.html

A. Switch Update Branch

  1. Go to System → Update.
  2. Click the Update Settings tab.

  3. Change Branch to:

    • Current Stable Version (Plus 25.07 or newer).

B. Verify Licensing

If your CE system is not yet entitled for pfSense+:

  • Go to System → Registration.
  • Log in using your Netgate account.
  • Attach device to your subscription.

4. Perform the Upgrade

A. Start the Upgrade

  1. Go to System → Update.
  2. Click the Cloud icon to retrieve latest metadata.
  3. Wait for system to check installed version vs available version.

  4. When the upgrade path appears (example: 24.11 → 25.07), click:

    • “Confirm Update”

B. DO NOT Leave the Page (Important)

  • Keep the browser tab open and running during the entire upgrade process — do not close the window, do not refresh, and do not navigate away.
  • If possible, monitor via the physical console.

C. Automatic Reboot (Give It Plenty of Time)

  • System will download packages, verify signatures, create a new boot environment, apply updates, then reboot.

  • During reboot:

    • Do not power off.
    • Do not reset.
    • Expect long startup times during this phase — sometimes several minutes. The system is applying updates, rebuilding components, and performing housekeeping tasks. Do not assume it is stuck; give it plenty of time to complete.

The browser will auto‑refresh and reconnect when the web GUI is back.

5. Post‑Upgrade Validation

A. Log In and Verify Version

  • Dashboard should show: pfSense Plus 25.07.xx (or newer).

B. Verify Package Compatibility

  1. Go to System → Package Manager.
  2. Click Available Updates.
  3. Ensure all installed packages are updated.

C. Check for Hotfix Patches

  1. Go to System → Patches.
  2. Confirm that no new patches are required.

6. Restore Packages (If You Uninstalled Them Earlier)

  1. Go to System → Package Manager → Available Packages.
  2. Reinstall packages one by one.
  3. Your previous configurations should auto‑apply.

7. Rollback (If Something Breaks)

Option A: Restore Boot Environment

  1. Reboot pfSense.

  2. From bootloader menu choose:

    • Boot Environments
  3. Select the older (pre‑upgrade) environment.

Option B: Reinstall Using Online Installer

  • Boot from usb installer.
  • Choose Recover Configuration from URL.
  • Upload or paste your backup file.

Comfac‑IT Internal Note (Licensing for Clients)

Some Comfac‑IT clients prefer to purchase pfSense Plus licenses through us. When we buy from the Netgate Shop, we receive the activation tokens, and we are responsible for their issuance and tracking.

Internal workflow:

  • We schedule a calendar reminder exactly 1 month before token expiration.
  • Coordinate with the client early to ensure tokens are used on time.
  • Token cost from Netgate: PHP 7,740.
  • Comfac‑IT selling price: PHP 8,000.
  • Margin: PHP 260.

These amounts are small, so efficiency and proper scheduling are critical.

8. Final Recommendations

A. Maintain Good Upgrade Hygiene

  • Always backup before upgrading.
  • Always keep a recovery USB.
  • Only upgrade when you have a recovery window (off‑hours).

B. Best for Production

  • Physical hardware for stable routing.
  • Virtualization for labs and home setups.

C. Verify Logs

  • Check Status → System Logs → General / Package / Boot for anomalies.
Discard
Save
Draft
This page has been updated since your last edit. Your draft may contain outdated content. Load Latest Version
Edit Page New Page Revisions Page Settings

Previous Page

Left

Next Page

Right

On this page

Review Changes ← Back to Content
Message Status Space Raised By Last update on