Archive for January, 2008

IPsec Stability fixes and 1.2-RC4

Friday, January 18th, 2008

Some of you might have noticed that a lot of work went into getting IPsec running more smoothly with large numbers of connections. We would like to take a moment and thank a number of folks for their hard work and for the generous monetary contributions that made these efforts possible.

1. Heiko Gabe of neos-ag.de donated significant monetary resources to sponsor these fixes. Heiko has sponsored many projects in pfSense and we are exceptionally grateful for his continued support.

2. Timo Teräs is a racoon developer and helped correct a few very minor bugs in racoon and worked on improving setkey code in FreeBSD. Timo is a genius and we are absolutely grateful to him for helping us out.

3. Seth Mos is a pfSense developer and uses IPsec at his work. Seth has been extremely patient and has worked with Timo and Heiko to coordinate, test and get these patches into pfSense.

Now pfSense can handle far more connections than it could when we began. Back then we could barely handle 75 connections at a time; beyond that, racoon would go into the “sbwait” state and wedge. Now we have seen 250+ active tunnels running simultaneously and everything seems to work great. I would not be surprised to see us being able to handle thousands of tunnels, but we still need to test this.

Thanks to everyone involved, our IPsec is far more scalable than what is in FreeBSD itself! Next step is to try and convince the FreeBSD developers to adopt our changes so everyone can win.

Please give everyone above a great round of applause, we really appreciate you guys!!

1.2-RC4 Released!

Wednesday, January 16th, 2008

The pfSense development team is happy to bring you the final release candidate in the 1.2 series! A summary of the changes since RC3 follows.

  • libc fix for security advisory FreeBSD-SA-08:02
  • Numerous text touch ups and typo corrections
  • Do not ping other end of IPsec connections on CARP backup hosts
  • Fix edit.php error when opening empty file
  • Math fix on throughput graph
  • Increase maximum alias count (99 to 299)
  • Captive portal locking improvements to fix issues in high load environments
  • IPsec stability fixes for large deployments (> 200 connections)
  • VLAN support for ALIX hardware
  • Boot time beep change for hardware like some embedded devices and VMware, where beeps were excessively long and annoying
  • Warn after VLAN creation that a reboot may be required (VLANs on some NICs don’t come up properly until after a reboot, and we know of no way to reliably detect when a reboot is required)
  • Forced page refreshes removed from all pages. This was problematic for very large log files, and annoying when reviewing logs.
  • Fix for display of wireless networks with a space in the SSID
  • Updated PHP version
  • Fix improper shifting of configuration items (DHCP, rules, NAT, etc.) when an OPT interface is removed
  • Updated pf.os for passive OS detection
  • Properly remove DynDNS cache after making changes to DynDNS configuration
  • PPPoE Server moved from VPN to Services menu to more appropriately reflect its purpose, as labeling it “VPN” is misleading

For a complete list of all changes, please see our cvstrac change log since the RC3 release.

An embedded upgrade file for RC4 will not be released. Unfortunately there are issues with the embedded upgrade that we haven’t been able to resolve to date. At the end of the upgrade, numerous processes die with signal 11 (SIGSEGV) and some hardware will hang and not reboot. The upgrade files will be available from the snapshot server a couple of hours from the time of this post, if you would like to try them and help us figure out this problem. Without some assistance and/or luck in getting this resolved in the next week, we may go ahead with the final 1.2 release without supporting embedded upgrades. The release is too good on full installs to keep holding it back for this embedded upgrade issue, when 90% of our downloads are full installs.

1.2 Final Release
This will be the last 1.2 release candidate. The final 1.2 release will come before the end of the month.

Downloads

You can find the files for RC4 on the mirrors.
Full Install Update
Embedded image and Live CD with Installer

So what’s this RELENG_1, RELENG_1_2 stuff, anyway?

Wednesday, January 16th, 2008

This is a question that comes up frequently from users. RELENG stands for Release Engineering, and is the way we label tags in our revision control software, CVS. We follow the same naming conventions as the FreeBSD project, because it makes sense and the developers are all familiar with it.

RELENG_1_2 contains the source for the 1.2 release. This branch has been frozen for more than 6 months, meaning no new features allowed.

RELENG_1 is the branch where development for the 1.3 release is currently happening. When the first 1.3 beta release nears, this will be branched to RELENG_1_3.

The 1.0 release should have been RELENG_1_0, however we did not start tagging releases until a while after 1.0 was released. This is the reason we cannot easily update 1.0 with bug fixes, and have recommended 1.2 release candidates for all deployments for several months now. This will not be the case going forward.

Lastly, the HEAD branch contains the most bleeding edge development code. It contains a lot of work in progress, and at this point we’re not sure what release that code will eventually become.

New Screencast section at m0n0.ch

Tuesday, January 15th, 2008

The webpage of the m0n0wall project now offers some screencasts that walk you through different configuration steps of a m0n0wall. Some of them apply to pfSense as well. If you are interested you can check them out at http://m0n0.ch/wall/screencasts.php.

AT&T/Bellsouth random PPPoE changes

Saturday, January 5th, 2008

If you are an AT&T/former Bellsouth DSL customer using PPPoE on pfSense, a recent change made by AT&T has broken the pfSense PPPoE client in its default configuration for some customers. This change seems to be getting rolled out almost at random, affecting different people at different times. m0n0wall is affected in the same fashion, with the same resolution.
The fix is to back up your configuration (Diagnostics -> Backup/Restore), open it in a text editor and go down to where you see <pppoe>. Add a line somewhere between <pppoe> and </pppoe> containing only <dnsnosec/>. A portion of your configuration will then look like the following:

<pppoe>
<dnsnosec/>

</pppoe>

Then save the configuration, go back to the Backup/Restore page and restore the modified configuration. The PPPoE client will immediately begin working again.
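For people who prefer not to hand-edit the backup, the same change can be scripted. The following is an added example, not code from pfSense or the post: it parses the backup as XML, inserts <dnsnosec/> into any <pppoe> element that does not already have one (so it is safe to run twice), and writes the result out for restoring through Backup/Restore. It assumes the backup is well-formed XML with a <pppoe> element somewhere in the tree, which is what the post describes; the exact parent element is not stated, so the whole tree is searched. The sample configuration embedded below is constructed for the demonstration.

```python
"""Add <dnsnosec/> to the <pppoe> section of a pfSense 1.2 config backup.

Added example (not pfSense code). Assumes the input is the XML file saved
from Diagnostics -> Backup/Restore and that the PPPoE settings live in a
<pppoe> element somewhere in that tree.

Usage:  python add_dnsnosec.py config-backup.xml > config-fixed.xml
The backup contains the PPPoE credentials, so keep both files private.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Tuple

XML_DECL = '<?xml version="1.0"?>\n'

# Constructed sample of a backup; a real one carries many more elements
# and the <pppoe> block may sit under a different parent.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan>
      <if>vr0</if>
      <ipaddr>pppoe</ipaddr>
    </wan>
  </interfaces>
  <pppoe>
    <username>user@example.net</username>
    <password>example-only</password>
  </pppoe>
</pfsense>
"""


def has_dnsnosec(xml_text: str) -> bool:
    """True when every <pppoe> element already carries a <dnsnosec/> child."""
    root = ET.fromstring(xml_text)
    blocks = list(root.iter("pppoe"))
    return bool(blocks) and all(b.find("dnsnosec") is not None for b in blocks)


def _append_indented(parent: ET.Element, child: ET.Element) -> None:
    """Append child so the surrounding whitespace keeps the file readable."""
    if len(parent):
        last = parent[-1]
        child.tail = last.tail          # closing tag stays on its own line
        last.tail = parent.text or ""   # new element gets the children's indent
    parent.append(child)


def add_dnsnosec(xml_text: str) -> Tuple[str, bool]:
    """Return (new_xml, changed).

    Inserts <dnsnosec/> into every <pppoe> element that lacks it. Running
    it on an already-fixed backup returns the same text and changed=False.
    """
    root = ET.fromstring(xml_text)
    changed = False
    # Materialise the list first: appending children while iter() walks
    # the tree is documented as producing unexpected results.
    for pppoe in list(root.iter("pppoe")):
        if pppoe.find("dnsnosec") is None:
            _append_indented(pppoe, ET.Element("dnsnosec"))
            changed = True
    # tostring() drops the declaration, so put it back explicitly.
    return XML_DECL + ET.tostring(root, encoding="unicode"), changed


def main(argv) -> int:
    if len(argv) != 2:
        sys.stderr.write("usage: add_dnsnosec.py config-backup.xml\n")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = add_dnsnosec(text)
    sys.stdout.write(new_text)
    sys.stderr.write("dnsnosec added\n" if changed else "already present, nothing changed\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Restore the written file through Backup/Restore exactly as with the hand-edited version; parsing the backup rather than string-splicing it means a typo cannot leave the file unrestorable.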

A thorough discussion of the issue, if you’re interested: AT&T’s Random DSL Configuration Changes Begin.

VLANs now supported on ALIX boards

Saturday, January 5th, 2008

The final 1.2 release candidate, coming soon, will have support for VLANs on the vr(4) chipset. This is a common request since it’s the chipset used by ALIX boards.

This is already available in the RC4 pre-release available on the snapshot server here.