Archive for December, 2009

The FreeBSD Foundation needs donations

Tuesday, December 29th, 2009

The FreeBSD Foundation needs donations to meet their 2009 goal. They provide very important funding to the FreeBSD project, which serves as the base of the pfSense project. They are a not for profit organization, so your contribution may be tax deductible.

Merry Christmas from the pfSense team – 2.0 now beta!

Saturday, December 26th, 2009

Our Christmas gift to the community is our 2.0 release reaching the beta milestone.

What does this mean? The release is feature complete, with no new features being added, and it should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready, though. Most of our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.0 is not yet for you.

To answer the inevitable “when will it be released?” – as always, “when it’s ready”. The release will happen sometime in 2010, but as for a more specific timeline, we can’t provide one at this time.

If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.0 board on the forum. There is additional risk with snapshots, as changes are made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of a set of related changes.

Known Issues

The most current list of known issues can be found here. Those marked as “Feedback” are either believed to be resolved but need more testing, or need further details before they can be replicated and resolved – feel free to add comments to any of those tickets if you can test the specific scenario described. Those marked as “New” are outstanding issues. We welcome contributions if you can provide a fix for any of the open issues. Before opening a new ticket there, please post to the 2.0 board on the forum, where we can help quantify the issue. Before reporting problems, ensure you’re on the latest snapshot. At least 10-20+ changes go in most every day, 7 days a week, so it’s very possible the issue you found is already fixed in our git repository. You can see all commits here.

Important upgrade warning

You can upgrade from 1.2.x to 2.0 just as with any other release, BUT you cannot downgrade from 2.0 to 1.2.x: after you upgrade, your configuration will be converted to a format that is usable only on 2.0. If you do upgrade, get a backup first so you can reinstall 1.2.3 if needed. Several of the features in 2.0 were revamped to the extent that a change in configuration format was necessary. Many of the rough edges of 2.0 are in the configuration upgrade code, so at this time there is less risk with a clean 2.0 install than with one upgraded from 1.2.x, though that applies largely to more advanced configurations.

Proceed with caution! Expect things to be broken; this is absolutely not production-ready for most scenarios for non-developers. Development is moving along rapidly, though, and we would appreciate feedback from those in a position to test things (and break their network).

Note that kernel debugging is still enabled, which will reduce performance, though from a packet forwarding perspective it’s usually not noticeable.

Merry Christmas from the pfSense team!

pfSense on FLOSS

Thursday, December 24th, 2009

Scott and I are on FLOSS 101 discussing the project, check it out. Thanks much to Randal Schwartz and Leo Laporte for having us! FLOSS Weekly is a podcast covering free and open source software.

1.2.3 Release Available!

Thursday, December 10th, 2009

The 1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple of security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.

Change list

The primary changes from 1.2.2 are listed below.

Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patches the SSL/TLS renegotiation vulnerability, which is applicable to HTTPS web interface access and potentially to OpenVPN. The other fixes a local root vulnerability, though it isn’t really applicable to pfSense: if you have the access required to exploit it, you already have root, so there is nothing to elevate to. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.

Embedded switched to NanoBSD – this is a major improvement to our embedded version, and the old embedded version has been discontinued. This is explained in detail here.

Dynamic interface bridging bug fix – The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLAN, tun, and tap interfaces. This has been fixed.

IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site-to-site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not otherwise receive new features, this became an exception.

Sticky connections enable/disable – previously, changes to the sticky connections setting for the server load balancer only took effect at boot time.

Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.

Polling fixed – polling was previously not being applied properly, and the supported interfaces list has been updated.

ipfw state table size – for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.

Server load balancing – ICMP monitor fixed.

UDP state timeout increases – By default, PF only increases TCP timeouts when set to “conservative”, not UDP timeouts. Some VoIP services experience disconnects with the default UDP state timeouts; setting the state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.
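The behaviour described above, shown as pf.conf fragments (an added illustrative example, not pfSense’s generated ruleset): the timeout names and `set` syntax are pf’s, while the numeric values are chosen for illustration and are not the values pfSense writes.

```pf
# Illustrative example, not pfSense's own ruleset. The first fragment is the
# weak setting, the second the corrected form; load one or the other.

# Before: "conservative" only stretches the TCP timeouts. UDP flows
# (SIP signalling, RTP media) still age out at pf's defaults
# (udp.first 60s, udp.single 30s, udp.multiple 60s), so a quiet VoIP
# session drops out of the state table and its return traffic is blocked.
set optimization conservative

# After: raise the UDP timeouts explicitly alongside the TCP ones so that
# idle-but-live UDP sessions stay in the state table. Values are illustrative.
set optimization conservative
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
```

After loading the ruleset, `pfctl -s timeouts` shows the effective values, which is the check to run when a UDP application still loses its session.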

Disable auto-added VPN rules option – added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. This allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT interface.

Multiple servers per domain in DNS forwarder overrides – previously the GUI limited you to one server per domain override in the DNS forwarder; you can now put in multiple entries for the same domain for redundancy.

No XMLRPC Sync rules fixed – in some circumstances, rules marked not to sync would sync regardless.

Captive portal locking replaced – the locking used by the captive portal has never been great (it is the same as that used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high-load environments (hundreds or thousands of users) it could wreak havoc on the portal. It has been replaced with a better locking mechanism that has resolved these issues.

DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.

Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.

Downloads

New installs

Upgrades

VMware appliance

For information on upgrading, see the Upgrade Guide.

Buy it pre-installed

You can get 1.2.3 pre-installed from Netgate on the ALIX and Hamakua platforms, as well as Applianceshop.eu, and our other recommended hardware vendors.

pfSense: The Definitive Guide Book

If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print). Pick up your copy today!