Archive for the ‘Uncategorized’ Category

2.0.1 release now available!

Tuesday, December 20th, 2011

pfSense 2.0.1 release is now available. This is a maintenance release with bug and security fixes since the 2.0 release. It is the recommended release for all installations. As always, you can upgrade from any previous release to 2.0.1, so if you haven’t upgraded to 2.0 yet, upgrade straight to 2.0.1. If you use the built-in certificate manager, pay close attention to the notes below on a potential security issue with the certificates it generated.

Change list

The following changes were made since 2.0 release.

  • Improved accuracy of automated state killing in various cases (#1421)
  • Various fixes and improvements to relayd
    • Added to Status > Services and widget
    • Added ability to kill relayd when restarting (#1913)
    • Added DNS load balancing
    • Moved relayd logs to their own tab
    • Fixed default SMTP monitor syntax and other send/expect syntax
  • Fixed path to FreeBSD packages repo for 8.1
  • Various fixes to syslog:
    • Fixed syslogd killing/restarting to improve handling on some systems that were seeing GUI hangs resetting logs
    • Added more options for remote syslog server areas
    • Fixed handling of ‘everything’ checkbox
    • Moved wireless to its own log file and tab
  • Removed/silenced some irrelevant log entries
  • Fixed various typos
  • Fixes for RRD upgrade/migration and backup (#1758)
  • Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
  • Fixed policy route negation for VPN networks (#1950)
  • Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
  • Fixed VoIP rules produced by the traffic shaper wizard (#1948)
  • Fixed uname display in System Info widget (#1960)
  • Fixed LDAP custom port handling
  • Fixed Status > Gateways to show RTT and loss like the widget
  • Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
  • Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
  • Clarified text of serial field when importing a CA (#2031)
  • Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
  • Fixed Captive Portal MAC passthrough rules (#1976)
  • Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
  • Fixed CARP status widget to properly show “disabled” status.
  • Fixed end time of custom timespan RRD graphs (#1990)
  • Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
  • Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
  • Fixed handling of OpenVPN client bandwidth limit option
  • Fixed handling of LDAP certificates (#2018, #1052, #1927)
  • Enforce validity of RRD graph style
  • Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
  • Fixed handling of hostnames in DHCP that start with a number (#2020)
  • Fixed saving of multiple dynamic gateways (#1993)
  • Fixed handling of routing with unmonitored gateways
  • Fixed Firewall > Shaper, By Queues view
  • Fixed handling of spd.conf with no phase 2s defined
  • Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc)
  • Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
  • Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
  • Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
  • Lowered size of CF images to again fit on newer and ever-shrinking CF cards.
  • Clarified text for media selection (#1910)

Notes for certificate generation vulnerability

Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates: they can themselves be used as a certificate authority, meaning a user can use their own certificate to sign further, chained certificates. OpenVPN on 2.0.1 and newer versions now defaults to not accepting chained certificates, which mitigates this. However, if untrusted users hold certificates generated on 2.0 release, we suggest re-generating all your certificates and issuing new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected.

If you use certificates generated on pfSense for other purposes, you should revoke those and issue new certificates generated on 2.0.1. You must utilize a CRL in that case. To be on the safe side, you may want to start from scratch with a new CA and certificates after deleting all your existing ones, if this applies to you.

Thanks to Florent Daigniere for bringing this issue to our attention and helping confirm our resolution.
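As an added example (not pfSense’s own code), the script below builds a throwaway test PKI with openssl to show why a non-CA certificate that is usable as a CA matters, and how each of the two 2.0.1 measures, CA:FALSE on end-entity certificates and a chain-depth limit in the verifier, rejects a certificate chained off a user’s certificate. It assumes `openssl` is on PATH; the exact extension set 2.0 emitted is not given in the post, so a CA:TRUE end-entity certificate stands in here for “usable as a certificate authority”.

```shell
#!/bin/sh
# Added example: throwaway test PKI reproducing the certificate-constraint issue
# and the checks that neutralise it. Assumes `openssl` is installed. Every name,
# key and certificate here is constructed on the fly and discarded on exit.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extension profiles. "permissive" stands in for the pre-2.0.1 defect (a user
# certificate that is itself usable as a CA); "constrained" is the hardened form.
ext_profile() {
  case "$1" in
    ca)          printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    permissive)  printf 'basicConstraints=CA:TRUE\n' ;;
    constrained) printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
    *)           echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# issue NAME ISSUER PROFILE: create NAME.key and NAME.crt, signed by ISSUER (or "self").
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  ext_profile "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
  fi
}

# build_pki PROFILE: root CA -> user certificate (PROFILE) -> "rogue" certificate
# signed with the user's own key, i.e. what a user could mint from a CA-capable cert.
build_pki() {
  issue ca self ca
  issue user ca "$1"
  issue rogue user constrained
}

# verifies DEPTH: does rogue.crt chain to the CA with at most DEPTH intermediates?
# The "OK" line is grepped instead of trusting the exit status, which older
# openssl versions did not set on verification failure.
verifies() {
  openssl verify -verify_depth "$1" -CAfile ca.crt -untrusted user.crt rogue.crt 2>&1 \
    | grep -q '^rogue.crt: OK$'
}

# chained_cert_accepted PROFILE DEPTH: exit 0 if the chained certificate is
# accepted (the weakness), 1 if it is rejected (what 2.0.1 achieves).
chained_cert_accepted() {
  rm -f ca.* user.* rogue.*
  build_pki "$1"
  verifies "$2"
}
```

Run `chained_cert_accepted permissive 1` to see the chained certificate accepted, then `chained_cert_accepted constrained 1` and `chained_cert_accepted permissive 0` to see CA:FALSE and the depth limit each reject it.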

Upgrade considerations

It is very important to read the upgrade guide before performing an upgrade for those still on 1.2.x versions.

Download

Files for new installs available here on the mirrors.

NOTE: With 2.0 release and newer versions, we’re now also building the oft-requested nanobsd embedded version with VGA! You’ll find alternate builds with VGA in the filename, which are the VGA-enabled versions. Only use these on hardware with VGA video. The regular serial version must be used on all hardware that has only a serial port, like the popular PC Engines and Soekris models amongst others, as they will not boot or function correctly otherwise.

Update files for upgrades available here on the mirrors.

Questions

Please take questions to the forum or mailing list only, where far more people will see them.


7 year anniversary of pfSense

Saturday, November 5th, 2011

7 years ago today, the name pfSense was settled on, and pfsense.org/com/net domains were registered. It’s grown from the volunteer efforts of a handful of people, to one of the most widely used platforms in the world, with a whole team of people making a living working on the project thanks to our support and reseller customers. Thanks to everyone who makes the project possible, and here’s to the next 7 years and beyond!

pfSense exceeds 100,000 known live installs

Wednesday, November 2nd, 2011

One of the common questions we get is how many installs are out there. While we don’t have any means of definitively knowing, we do have one metric that can be counted. Each month every system updates its IPv4 bogons list once, pulling from one of our servers. By counting the number of unique public IPs using FreeBSD’s fetch to pull that file within one calendar month, we know how many live installs are out there that have Internet connectivity at least.

October 2011 is the first month that number has exceeded 100,000, with a total of 103,137. We’re adding 3000 net new installs on average every month in 2011, with over 4000 additional installs in October.

This under-counts the total for several reasons:

1. Only versions from November 2008 and newer pull this file from our servers, so it does not include older versions. While I expect the vast majority are on newer versions than that, we routinely encounter systems running versions that old and much older.
2. Some systems do not have DNS configured and hence cannot fetch the update.
3. Some systems are on private internal networks that cannot reach the Internet.
4. Some networks have multiple systems that go out from a single public IP, which we only count once.

No telling how many total installs are actually out there, but it’s definitely in excess of 103,000.
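The counting method described above, as an added example that is not part of the original post: unique public client addresses that fetched the bogons file with FreeBSD’s fetch(1) within one calendar month, taken from a combined-format web server access log. The log lines, file path and user-agent string are constructed for the example.

```shell
#!/bin/sh
# Added example: count "live installs" from an access log the way the post
# describes. Log lines, path and user-agent below are constructed, not real data.
set -eu

# Constructed log. Line 4 repeats an IP (counted once), line 5 is a browser (not an
# install), line 6 is outside the month, line 7 is a private address (not reachable
# from the Internet, so never a live install in this metric).
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
198.51.100.7 - - [03/Oct/2011:04:12:09 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "fetch libfetch/2.0"
203.0.113.20 - - [11/Oct/2011:14:01:33 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "fetch libfetch/2.0"
192.0.2.55 - - [19/Oct/2011:22:45:00 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "fetch libfetch/2.0"
198.51.100.7 - - [25/Oct/2011:04:12:10 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "fetch libfetch/2.0"
203.0.113.99 - - [25/Oct/2011:09:00:00 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.21 - - [02/Nov/2011:01:00:00 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "fetch libfetch/2.0"
10.0.0.5 - - [12/Oct/2011:01:00:00 +0000] "GET /lists/fullbogons-ipv4.txt HTTP/1.1" 200 1234 "-" "fetch libfetch/2.0"
EOF

# live_installs LOGFILE Mon/YYYY -> prints the number of unique public fetch(1) clients
live_installs() {
  awk -v month="$2" '
    # RFC 1918, loopback and link-local addresses cannot be Internet-connected installs
    function is_private(ip,  o) {
      split(ip, o, ".")
      return (o[1]+0 == 10) || (o[1]+0 == 127) || (o[1]+0 == 169 && o[2]+0 == 254) ||
             (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) || (o[1]+0 == 192 && o[2]+0 == 168)
    }
    # $1 = client IP, $4 = [dd/Mon/YYYY:..., $7 = request path
    index($4, "/" month ":") && $7 ~ /bogons/ && $0 ~ /"fetch libfetch/ && !is_private($1) {
      seen[$1] = 1
    }
    END { n = 0; for (ip in seen) n++; print n }
  ' "$1"
}
```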

Thanks to all our users for helping us reach this significant milestone!

Hackathon 2011 / EuroBSDCon wrap up

Thursday, October 20th, 2011

Thanks to many of you who contributed to our hackathon fund. It was a great success. We had 6 developers together here in Louisville. The primary areas of focus were 2.1 development, in the following areas.

  • Moving packages to PBIs – the package system in 2.1 will switch to the PBI package system, originally from PC-BSD and also used by some on stock FreeBSD installs. Each PBI bundles all of its own dependencies, which eliminates the dependency messes that can happen currently: one package requiring a certain version of a dependency while another requires a different version; uninstalling one package stomping on another by removing a dependency it needs; or uninstalling a package breaking the base system by deleting things it uses (though we already work around that one automatically). It also makes clean uninstallation of packages easier, amongst other benefits. This will be a great improvement in the package system for 2.1.
  • Updating to FreeBSD 9 – all of our patches are now up to date for FreeBSD 9, which will be the base OS for 2.1. We’ve also been working on minimizing the number of patches we have by getting things merged into FreeBSD where possible, as considerable efforts go into maintaining this, but we still have a significant patch set.
  • Documentation updates – a variety of updates on doc.pfsense.org.
  • General 2.1 release planning
  • Logging update for wireless – now goes into its own log since it’s noisy.
  • Server load balancer improvements – added service status, DNS load balancing ability, logging enhancements
  • Enhanced stats for ALTQ for traffic shaper
  • Work on Unbound as a replacement for dnsmasq, the underlying service used for the DNS forwarder.

And some other minor things I’m not remembering offhand. Thanks to our contributors for making this possible.


We were also at EuroBSDCon this month, presenting a full day training session on pfSense 2.0, which was the most popular tutorial at the conference with more than 50 people registered. It went great and was well received, though it ran a bit long so we had to hurry at the end. A few pictures from the event were uploaded by Chris Horn, a friend of the project. That material will be refined and extended some to make it two full days, and offered again later this year. Keep an eye out here for info, and/or subscribe to our announcements list.

Seeking donations for pfSense Hackathon 2011

Saturday, September 17th, 2011

In a couple weeks, several of the developers will be coming together here in Louisville for another Hackathon, where we get together and work on various things related to the project for a week, as we’ve done approximately every 18 months since the project’s inception. This year we’ll have 7 developers, from 4 different continents. There isn’t a set agenda, though 2.1 release and IPv6 will be two items (of many) of focus. We like to make sure we can feed everyone, and provide coffee, beer, etc. for 7 days. Plus we’ve covered some travel expenses.

Whether you can just spare a few bucks for a fine beverage at Heine Brothers or Highland Coffee (both of which should be sponsors with the amount we spend there in a week), or enough for a few dozen pizzas, every bit helps!

Donate Here

Thanks!


Interest in US training session?

Saturday, September 17th, 2011

After our coming session at EuroBSDCon 2011, we are planning to host a session in the US this year. It will be either one or two full days, and I’m leaning towards two but open to suggestions. It would likely be held in our home base of Louisville, KY, easily reachable by air or road.

In our past training sessions at BSDCan and EuroBSDCon, we’ve had between 15 and 70 people. This year looks like we’ll have about 40 at EuroBSDCon. We will have to charge more than the BSD conferences charge for a single tutorial, as they have sponsors who help cover the costs involved. I don’t know how much yet though. I need to get some kind of an idea of how many would attend, so I know what kind of venue. We won’t be selling out the Yum Center with 22,000 seats, but I’m not sure if we need space for 10 or 50. I would limit it to some reasonably low number, like 75 at most and maybe less. If this is something you would definitely travel to attend (depending on dates, cost), let me know in the comments or email.

Live streaming

Some people just can’t afford to travel, so we’ll also do what we can to provide live streaming, or at a minimum it will definitely be recorded for later purchase. Streaming capabilities may be dependent on the facility. We do have multiple 4G cards with pretty impressive performance, so that should suffice if nothing else. I expect we will find a way to offer this via live streaming on the Internet available for purchase. Those people will not be able to interact like those in person, simply watch and listen, and we’d probably bring up a special IRC channel for it.


To get an email when these things get finalized, make sure you’re on our announcements mailing list.

Thanks!

2.0 Release Now Available!

Saturday, September 17th, 2011

I’m proud to announce the release of version 2.0. This brings the past three years of new feature additions, with significant enhancements to almost every portion of the system. The changes and new features are summarized here. This is by far the most widely deployed release we’ve put out, thanks to the efforts of thousands of members of the community. We also have hundreds of customer systems that have been running 2.0 in production for months and years in some cases. More than 108,000 unique IPs have downloaded snapshots in 2011 from snapshots.pfsense.org alone, not counting downloads from the mirrors.

Upgrade considerations

It is very important to read the upgrade guide before performing an upgrade.

Download

Files for new installs available here on the mirrors.

NOTE: With 2.0 release and newer versions, we’re now also building the oft-requested nanobsd embedded version with VGA! You’ll find alternate builds with VGA in the filename, which are the VGA-enabled versions. Only use these on hardware with VGA video. The regular serial version must be used on all hardware that has only a serial port, like the popular PC Engines and Soekris models amongst others, as they will not boot or function correctly otherwise.

Update files for upgrades available here on the mirrors.

Documentation

Every page in 2.0 has a help link via the question mark on the top left of each page, which takes you to a page on the documentation site with information pertaining to that screen. Almost every page links to some level of detail, and that will be growing by the day in the weeks and months to come.

There is a growing amount of documentation available in the 2.0 category of the documentation site. An updated book is in the works, but no release date yet determined. More info on that will come soon. Currently the best source of info in the world on the project is still our existing book, and the updated information available via help links in the web interface and the 2.0 category. Much more to come.

Training

We’re having a full day 2.0 training session at EuroBSDCon 2011 on October 6. We’re also in the planning stages of a one or two full day training session to be held in the US, probably in our home base of Louisville.

Credits

This release is the result of years of work from dozens of people on the development alone, plus thousands who have helped with testing snapshots. Most important are those who financially support the project. As I will cover more in a future post, this release would have never happened if not for having adequate financial support to employ multiple people full time to work on the project. Hundreds of companies have contributed and we’re very grateful for their support. I would like to thank our largest supporters here individually.

Helping the project

There are many ways you can help the project, detailed on the website. Our biggest need is money to keep people employed working on the project. We’re currently in need of contributions for IPv6 development in 2.1, and more immediately, we’re having Hackathon 2011 in a couple weeks, bringing developers from around the world together in Louisville. Please help cover our expenses for both of these by donating today.

Thank you!


pfSense 2.0 training at EuroBSDCon 2011

Tuesday, August 2nd, 2011

Ermal Luci and I will be presenting a full day training tutorial at EuroBSDCon 2011, in Maarssen, The Netherlands on October 6, 2011.

This tutorial will be a training-focused session, covering many of the changes in the 2.0 release, both from the perspective of a new user and providing information on changes for existing users of the project. Common usage scenarios, deployment considerations, step by step configuration guidance, and best practices will be covered for many features. Many configurations will be demonstrated in a live lab environment. We will also cover the new functionality in pfSense 2.1, which is already being used in production for its IPv6 capabilities.

Registration is now open. We look forward to meeting many of you there!

Most features of the base system will be covered in good technical detail. It will not be simply an overview of features: we’ll do live demos to configure various scenarios, and get into configuration detail for many items.

Future US Date

We’re also in the planning stages for hosting a training session in the US later this year. It will probably be in Louisville, KY and last one or two full days. Sign up to our announcements list to be notified when it’s scheduled.

FreeBSD PF updated to 4.5 for FreeBSD 9

Wednesday, June 29th, 2011

As our commercial side has grown to the point we employ multiple full time people dedicated to working on the project and related customer needs, we’ve also gotten much more involved in upstream development in FreeBSD. Today Bjoern Zeeb committed PF 4.5 into FreeBSD HEAD for the 9 release (which will be the basis of pfSense 2.1), ported by Ermal Luci with help from Bjoern and Max Laier. Much of this work was funded by us, aside from volunteer efforts from Bjoern and Max providing some guidance along the way and Bjoern especially for review and assistance.

4.5 is the last version of PF before the syntax changed in OpenBSD, and the consensus amongst FreeBSD developers was not to break the rulesets of everyone running PF in stock FreeBSD just by doing an OS upgrade, which is why 4.5 was the version of choice.

Where does PF in FreeBSD go from here? We’ve had discussions on this topic already amongst several FreeBSD developers, as well as some of the OpenBSD developers, and have some rough plans in place for the next steps. More information on that will come later.

Thanks to Ermal, Bjoern and Max for getting this done!

2.0-RC3 now available!

Wednesday, June 22nd, 2011

I’m happy to announce that what will likely be the final 2.0 release candidate, RC3, is now available. RC2 was a snapshots-only tag. The mirrors are currently syncing, with a few of them done already and the remaining ones will sync within the coming hours. If you’d like to view all the changes you can track the revision history on GitHub. If you aren’t familiar with what’s been added and changed in 2.0 in general, see the 2.0 new features and changes page.

There are considerably fewer open issues on 2.0 right now than there were on 1.2.3 when it was released, and no major outstanding problems. 2.0 has gotten widespread use in production environments over the last year and more, including in our most critical networks, and looks to be ready for release. We expect final release within a month, and consider RC3 the preferred release for all new installs.

Download

New installs

Upgrades