The FreeBSD Foundation needs donations to meet their 2009 goal. They provide very important funding to the FreeBSD project, which serves as the base of the pfSense project. They are a not for profit organization, so your contribution may be tax deductible.
Our Christmas gift to the community is our 2.0 release reaching the beta milestone.
What does this mean? The release is feature complete, with no new features being added, and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready, though. Most of our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.0 is not yet for you.
To answer the inevitable “when will it be released?” – as always, “when it’s ready”. The release will happen sometime in 2010, but as for a more specific timeline, we can’t provide one at this time.
If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.0 board on the forum. There is additional risk with snapshots as changes are made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of certain changes.
The most current list of known issues can be found here. Those marked as “Feedback” are either believed to be resolved but need more testing, or need further details to be able to replicate and resolve – feel free to add comments to any of those tickets if you can test the specific scenario described. Those marked as “New” are outstanding issues. We welcome contributions, if you can provide a fix for any of the open issues. Before opening a new ticket there, please post to the 2.0 board on the forum where we can help quantify the issue. Before reporting problems, ensure you’re on the latest snapshot. At least 10-20+ changes go in most every day, 7 days a week, so it’s very possible the issue you found is already fixed in our git repository. You can see all commits here.
Important upgrade warning
You can upgrade from 1.2.x to 2.0 just as with any other release, BUT you cannot downgrade from 2.0 to 1.2.x. After you upgrade, your configuration will be converted to a format that is usable only on 2.0. If you do upgrade, get a backup first so you can reinstall 1.2.3 if needed. Several of the features in 2.0 were revamped to the extent that a change in configuration format was necessitated. Many of the rough edges of 2.0 are in the configuration upgrade code, so at this time there is less risk with a clean 2.0 install than with one upgraded from 1.2.x, though that is largely true only for more advanced configurations.
Proceed with caution! Expect things to be broken; this is absolutely not production-ready for most scenarios for non-developers, but development is moving along rapidly, and we would appreciate feedback from those in a position to test things (and break their network).
Note that kernel debugging is still enabled, which will reduce performance, though from a packet forwarding perspective it’s usually not noticeable.
Merry Christmas from the pfSense team!
1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple of security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.
The primary changes from 1.2.2 are listed below.
- Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patches the SSL/TLS renegotiation vulnerability, which is applicable with HTTPS web interface access and potentially with OpenVPN. The other fixes a local root vulnerability, though it isn’t really applicable to pfSense: if you have the access required to exploit it, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.
- Embedded switched to nanobsd – This is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.
- Dynamic interface bridging bug fix – The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. This has been fixed.
- IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections; only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.
- Dynamic site to site IPsec – Because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.
- Sticky connections enable/disable – Previously, a change to the sticky connections setting for the server load balancer only took effect at boot time.
- Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.
- Polling fixed – Polling was not being applied properly previously, and the supported interfaces list has been updated.
- ipfw state table size – For those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.
- Server load balancing – ICMP monitor fixed.
- UDP state timeout increases – By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts; setting the state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.
- Disable auto-added VPN rules option – Added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. This allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.
- Multiple servers per domain in DNS forwarder overrides – Previously the GUI limited you to one server per domain override in the DNS forwarder; you can now put in multiple entries for the same domain for redundancy.
- No XMLRPC Sync rules fixed – In some circumstances, rules marked to not sync would sync regardless.
- Captive portal locking replaced – The locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.
- DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.
- Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.
For information on upgrading, see the Upgrade Guide.
pfSense: The Definitive Guide Book
If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print). Pick up your copy today!
Glad to see two book reviews on Amazon already, both with five stars!
I was thrilled to have the foreword for the book written by one of my favorite authors, Michael W Lucas, the author of Absolute FreeBSD, Absolute OpenBSD, Cisco Routers for the Desperate, PGP & GPG, among other things. Thought I would share it here.
My friends and co-workers know that I build firewalls. At least once a month someone says “My company needs a firewall with X and Y, and the price quotes I’ve gotten are tens of thousands of dollars. Can you help us out?”
Anyone who builds firewalls knows this question could be more realistically phrased as “Could you please come over one evening and slap together some equipment for me, then let me randomly interrupt you for the next three to five years to have you install new features, debug problems, set up features I didn’t know enough to request, attend meetings to resolve problems that can’t possibly be firewall issues but someone thinks might be the firewall, and identify solutions for my innumerable unknown requirements? Oh, and be sure to test every possible use case before deploying anything.”
Refusing these requests makes me seem churlish. Accepting these requests ruins my cheerful demeanor. For a long time, I wouldn’t build firewalls except for my employer. pfSense lets me be a nicer person without having to actually work at it. With pfSense I can deploy a firewall in just a few hours — and most of that is running cables and explaining the difference between “inside” and “outside.” pfSense’s extensive documentation and user community offers me an easy answer to questions — “did you look that up?” If pfSense doesn’t support a feature, chances are I couldn’t support it either. But pfSense supports everything I could ask for, and with a friendly interface to boot. The wide userbase means that features are tested in many different environments and generally “just work,” even when interacting with the CEO’s kids’ Windows ME PC connected to the Internet by Ethernet over ATM over carrier pigeon. Best of all, pfSense is built on much of the same software I’d use myself. I trust the underlying FreeBSD operating system to be secure, stable, and efficient.
Security updates? Just click a button and reboot. You need new features? Just turn them on. pfSense handles clustering, traffic shaping, load balancing, integration with your existing equipment through RADIUS, IPsec, PPTP, monitoring, dynamic DNS, and more. Big-name industry suppliers charge outrageous fees to support what pfSense freely provides. If your employer insists on paying for support contracts, or if you just feel more secure knowing you can pick up the phone and scream for help, you can get pfSense support agreements very reasonably. If you don’t need a support contract, I happen to know that Chris, Jim, or anyone else with a pfSense commit bit will let grateful pfSense users buy them a beer or six.
Personally, I don’t build firewalls from scratch any more. When I need a firewall, I use pfSense.
– Michael W. Lucas
Five years ago today, the pfsense.* domains were first registered. The project actually hit 5 years since its inception about 2-3 months ago, living the first part of its life as projectx (some history here) with no website. We’ve come a long way!
Thanks to everyone who has supported the project in any fashion over the past five years. Here’s to even better things in the next 5 years!
And what better way to celebrate than picking up a fresh off the press copy of the pfSense book?
Finally, comprehensive documentation for pfSense is available in print!
Authored by pfSense co-founder Chris Buechler and pfSense developer Jim Pingle, The Definitive Guide to pfSense covers installation and basic configuration through advanced networking and firewalling of the popular open source firewall and router distribution.
This book is designed to be a friendly step-by-step guide to common networking and security tasks, plus a thorough reference of pfSense’s capabilities. The Definitive Guide to pfSense covers the following topics:
- An introduction to pfSense and its features.
- Hardware and system planning.
- Installing and upgrading pfSense.
- Using the web-based configuration interface.
- Backup and restoration.
- Firewalling fundamentals and defining and troubleshooting rules.
- Port forwarding and Network Address Translation.
- General networking and routing configuration.
- Bridging, Virtual LANs (VLANs), and Multi-WAN.
- Virtual Private Networks using IPsec, PPTP, and OpenVPN.
- Traffic shaping and load balancing.
- Wireless networking and captive portal setups.
- Redundant firewalls and High Availability.
- Various network related services.
- System monitoring, logging, traffic analysis, sniffing, packet capturing, and troubleshooting.
- Software package and third-party software installations and upgrades.
At the end of this book, you’ll find a menu guide with the standard menu choices available in pfSense and a detailed index.
Thanks for your support!
Several months after the last official 1.2.3-RC release, delayed by some tough issues in the underlying software that are now resolved, 1.2.3-RC3 is now available.
The final release will be coming very soon; please help test.
The major changes since 1.2.3-RC1:
- NAT-T support has been removed. Adding it brought out bugs in the underlying ipsec-tools, causing problems in some circumstances with renegotiation and completely breaking DPD. These issues are fixed in the CVS version of ipsec-tools, but it’s still considered alpha, and we found different problems when attempting to use it instead. NAT-T will be back in the 2.0 release, where it’s not as much of a pain since NAT-T is now in stock FreeBSD 8.
- Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.
- Captive portal locking replaced – the locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.
- Embedded switched to nanobsd – this is explained more here.
- DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.
- Atheros driver reverted to the one in FreeBSD 7.1 + patches from Sam Leffler, as existed in 1.2.3-RC1. The FreeBSD 7.2 driver exhibited numerous regressions that are no longer an issue, but reverting removed support for cards newly supported in FreeBSD 7.2.
Those are the major changes in this version that impact many users. A number of other minor edge case bugs were fixed, things that nearly all of you have never seen and won’t ever run into. If you’d like the full details on all the changes on the 1.2.x branch, see the git commit logs.
Passing on an email from The FreeBSD Foundation:
Millions of systems run FreeBSD. Hundreds of volunteers contribute to FreeBSD’s success. But what is the size of FreeBSD’s user base? This simple question is very hard to answer, but its answer is vital to the cause of promoting FreeBSD. It is extremely difficult to convince businesses to invest time and money to add FreeBSD support to their products based solely on vague estimates of the size of our community. We should know – working to make FreeBSD a more widely supported platform is a task the FreeBSD Foundation has worked on since its inception.
Please help us in our fight to promote FreeBSD. A donation to the FreeBSD Foundation helps fund our work, but it also gives us strength in numbers. Our count of unique donors is a vital indication of the size and buying power of our community. However, we have never broken even one thousand donors in any year. We know in our hearts that this is a small fraction of our user base and of those who want to help expand FreeBSD’s presence.
So stand up and be counted! Make a donation. Encourage other FreeBSD users to donate as well. No donation amount is too large or too small. Just by becoming a donor you are making a powerful statement about the strength of FreeBSD!
As the base operating system of this project, much of the work the FreeBSD Foundation sponsors directly benefits pfSense users as well. You can donate here. The FreeBSD Foundation is a non-profit 501(c)3 charity, so your contributions may be tax deductible.
Embedded has historically been a second class citizen, with most development focus and most users (> 80% of downloads) on full installs. Taking advantage of what a full install offers was in fact the original reason for this project, though embedded was later added. This has now changed considerably, with the introduction of the next generation of pfSense embedded. It’s been on the snapshot server for quite some time and been a work in progress for months, but now we want to alert people of its presence for wider testing. It is based on nanobsd, a standardized build methodology for FreeBSD embedded applications.
The changes it brings:
- Reliable upgrades – Finally, no longer is there a need to re-flash your CF and restore your configuration.
- Multiple firmware support – there are two partitions, each containing their own separate pfSense install. To test upgrades, you can upgrade the second partition, and roll back to the first if necessary.
- Package support – packages that are suitable for an embedded platform are supported.
- Multiple hardware architecture support – with some additional changes that are currently in the works, this will allow us to support non-x86 architectures in the future, where FreeBSD supports those architectures and specific platforms. Expect to see MIPS and ARM first, with others possible. Historically, these platforms had such limited CPU, RAM and flash that we would have been forced to spend an inordinate amount of time trimming things down, removing numerous features only to end up with a much less attractive offering. That development time is better spent elsewhere. With new MIPS and ARM platforms offering considerably more flash and RAM, this is no longer the case. Those hardware limits still apply to your typical consumer grade Linksys and similar routers, however, so they will never be supported. Specific information on supported hardware will come in the future.
There are 512 MB, and 1, 2 and 4 GB images available. The 4 GB images work fine with larger size CF cards. For now there won’t be any images larger than 4 GB, though expect that to change for 2.0.
1.2.3 embedded will be released based on nanobsd, and the old means of doing embedded will be discontinued. This means the minimum CF size for 1.2.3 embedded will be 512 MB. This is necessary because of the dual firmware support: the image has to be twice as big, and we want to leave plenty of space for future upgrades.
What about my smaller than 512 MB CF card?
There isn’t an easy way to accommodate CF cards smaller than 512 MB. A 512 MB card can be found for under $20 USD including shipping, so you’ll need to upgrade.
You’ll find images in the nanobsd folders on the snapshot server.
For problem reporting, please use the 1.2.3 board on the forum, or the mailing list.