What’s coming in 2.0
This release already contains some significant new features. Among them:
- Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing. Thanks to Ermal Luçi for doing the work, and the numerous people who contributed to the bounty to make this happen!
- User manager – multiple administrative users can be created, with varying levels of access. Access groups can be defined to easily grant identical access rights to multiple users. Rights can be defined individually for each page in the web interface.
- LDAP authentication – LDAP is integrated into the user manager so pfSense can authenticate from any LDAP server. Microsoft Active Directory and Novell eDir have been thoroughly tested, though any LDAP server should work. You can even define groups in your directory and assign rights in pfSense to those groups.
- Significant OpenVPN improvements – these are still a work in progress, more info to come.
- Routing improvements – still a work in progress as well, but will allow more flexible routing capabilities.
Tags: 1.3, 1.3 new features
March 15th, 2008 at 2:18 am
The pfSense team is amazing…looking forward to this release, great work!
March 15th, 2008 at 6:33 am
These improvements sound great! Together with all the good stuff the FreeBSD guys did for 7.0 it’ll be superb. Thanks a lot!
March 15th, 2008 at 5:34 pm
I only just discovered pfSense days after the final version 1.2 was released (first installed it 2 weeks ago today) and I’m already looking forward to this! The team has done some amazing work here already – I can’t wait to see what the future brings.
March 16th, 2008 at 3:23 pm
Is there a way to get 1.3 for testing? I would like to do some beta testing if that is OK by you guys.
March 16th, 2008 at 6:47 pm
Any plan for IPv6 support?
March 16th, 2008 at 7:30 pm
IPv6 is partially done in HEAD, the bleeding edge development branch, but won’t be in 1.3 unless the developer who wrote that support ports it to the branch for 1.3. Not sure if he’ll do that or not, I would guess not.
March 16th, 2008 at 7:33 pm
ssbaksa: as it says in the post, publicly available releases will be available in the near future. Only pfSense developers with commit access will have access to images before they’re publicly available.
March 16th, 2008 at 10:23 pm
fantastic! I think I’ll never abandon pfsense, as I never did since I knew it!
congratulations for all pfsense developers!
March 17th, 2008 at 2:55 am
I definitely count myself as a strong pfsense evangelist – let alone the fact that I use it, I set it up for my clients as well with great success! Great going fellas!
March 17th, 2008 at 3:03 am
what a player!!!! look forward to it especially the multi-WAN interface features… keep it up…
March 17th, 2008 at 10:39 am
Great job and thanks to all!
March 17th, 2008 at 1:15 pm
[...] pfSense Team have outlined their development plans for version 1.3 which will be based on FBSD 7.0. It’s the plan to release the next version within the next [...]
March 17th, 2008 at 1:43 pm
Hi,
Thank you for the great work. Any idea about when carpdev is going to make it into pfSense/freebsd?
March 17th, 2008 at 2:58 pm
Thank you! multiple interface support. It will be great!
March 18th, 2008 at 4:27 am
Will the blocklist functionality be in version 1.3?
March 18th, 2008 at 6:08 am
Is full NAT-T going to be available?
March 18th, 2008 at 4:34 pm
I’m constantly amazed that anyone else bothers with another solution. I only hope to see OSPF, past that it’s all gravy!
March 18th, 2008 at 7:47 pm
NAT-T will be included before the release.
Not sure what you mean by “blocklist” psk. We will have the ability to load address/network lists from an external source like HTTP.
March 18th, 2008 at 10:51 pm
Hello! Maybe supporting dual ADSL (PPPOE) is a good thing! Looking forward!
March 19th, 2008 at 3:50 am
Saying thank you is not enough to express my gratitude for the hard work you guys are doing.
March 19th, 2008 at 8:04 am
Great work guys, this will be an incredible release. FreeBSD 7, LDAP support, and multiple users is the ticket, that’s totally excellent.
March 19th, 2008 at 5:56 pm
What about deep packet inspection and a built-in SMTP server? In my eyes, this is all it needs to be perfect.
Thanks guys.
//Claus
March 19th, 2008 at 6:31 pm
Thank you to all. I am definitely also spreading the PFSense word as far as I go.
Thank you all.
March 19th, 2008 at 7:43 pm
Rock-solid, best firewall I ever used. Congratulations for the new release, I can even wait to install on to.
A question: are you going to redesign the interface, or maybe give the packages so we can skin the product?
My best regards and excellent work.
March 19th, 2008 at 8:49 pm
Great firewall.
Thank you all.
March 19th, 2008 at 9:19 pm
Re: redesigning the interface – no, the default theme will be the same. We do include multiple themes though, and it is possible to create your own.
We would accept any theme contributions as well for inclusion in future releases. If you create a theme you would like to contribute to the project, email it to coreteam@pfsense.org.
March 20th, 2008 at 3:40 am
It would be nice if it was possible to define multiple DHCP-Pools for use in different subnets on different nics.
March 20th, 2008 at 4:27 am
Someone asked about including an SMTP server. Actually that can be done with native PHP code. PHPMailer is a pure PHP class that uses fsockopen to send email. It can send the email directly or send to a remote mail server using SMTP authentication. It has fail over support to use an alternative mail server if the primary one fails. Attachment support and much much more. PHPMailer License is LGPL.
March 20th, 2008 at 12:02 pm
Any thoughts on compiling everything with GCC’s stack-smashing protection?
See http://tataz.chchile.org/~tataz/FreeBSD/SSP/
March 20th, 2008 at 4:44 pm
Any chance to implement VPN+DHCP on wan interface?
(for ISPs that require you to get internal address via DHCP and then use it to establish VPN connection for external adress)
March 20th, 2008 at 7:22 pm
What’s the intended release of 1.3 stable, as next month will be the release of the first 1.3 testing ?
March 20th, 2008 at 8:08 pm
Amazing firewall. Any plans for virus scanning? LDAP support is going to be great. Will the LDAP support work for VPN authentication? Keep up the great work, Similar products cost hundreds or even thousands. Thanks!
March 21st, 2008 at 1:30 pm
I love pfSense but a couple of features I would like to see to do with firewall logging are:
1. Ability to filter the firewall log on IP addresses, etc
2. Move (or duplicate) the “Log Packets” tick box from inside the rule to the rules listing page so that you can see at a glance and easily change which rules are logging.
Also, dual WAN sounds great. Is there support for 3G Data cards like the Option GT Fusion+ ? It would be very useful to be able to use this to automatically backup and/or supplement my wired ADSL connection.
Keep up the great work guys!
March 21st, 2008 at 3:45 pm
1.3 may have PPP support which will allow for dial up and 3G, but 3G will be for a very limited number of cards. Those all use different drivers, most of which aren’t available in FreeBSD without us adding custom kernel patches if even that is possible.
Because it appears to be essentially impossible to widely support 3G, that support may get pulled prior to the 1.3 release and deferred to a later release since it still needs a lot of work and it isn’t a huge priority.
A lot of the other things people are mentioning are package candidates – virus scanning, SMTP server, etc. We welcome contributions, we don’t have the resources to get all this done. Plus gateway virus scanning isn’t as good as it might sound, even in commercial implementations it’s very limited, causes severe performance problems, or both.
To have your feature requests considered, please first review this list and make sure it isn’t there already:
http://cvstrac.pfsense.org/rptview?rn=23
And if not already in the list, submit feature request tickets here:
http://cvstrac.pfsense.org/tktnew
March 21st, 2008 at 3:47 pm
We’re nowhere near close enough to 1.3 release to speculate timing on the final release. We’d like a faster release cycle than 1.2, but it’s impossible to say at this point if that’ll happen.
March 22nd, 2008 at 4:18 am
All of us expect it!
Thanks for your hard working.
March 22nd, 2008 at 5:58 am
I’m using pfsense as gate between 3 shops. It works great really!!!
March 22nd, 2008 at 12:08 pm
Awesome you guys. Keep up the great work!
March 23rd, 2008 at 8:47 pm
Many thanks for this great system.
One question, Will 1.3 support multiwan squid?
March 23rd, 2008 at 9:18 pm
waiting for traffic shaper working in bridge mode or support for full proxy arp route mode (simple splitting public IP between WAN and DMZ with proxy ARP and special routing does not work), and monthly/daily transfer limit for wan port in failover (I have one extra wan with charge 0 when transfer is below 500MB per month, good way for failover)
March 23rd, 2008 at 9:40 pm
Multi-WAN support for services running on localhost (including squid, things like FTP that are proxied, and other packages) will hopefully make 1.3.
Re: traffic shaper for bridging, that’s a limitation of the underlying system that we can’t do anything about unless/until it is implemented in FreeBSD.
It’s unlikely we’ll have transfer limits on WAN interfaces in the foreseeable future, definitely not in 1.3.
March 24th, 2008 at 7:37 am
What about the support for L2TP?
March 24th, 2008 at 11:16 am
L2TP support is in HEAD but not 1.3. It might get back ported, might not. Probably depends on how well it works now and what it would take to make it release-ready.
March 25th, 2008 at 9:02 pm
Hi,
I look forward to 1.3, however;
How about built in DNS cache _maybe_ BIND is not the best of ideas due to everyone using it..
Would make resolves much quicker for users in the Green for say an office
Real-time clamav of browsing is not a bad idea either
Best Regards,
Edward.
March 25th, 2008 at 11:03 pm
I would like to know will pfsense ever support dynamic to dynamic ipsec vpn?
March 25th, 2008 at 11:26 pm
Edward: we’ve had a caching DNS server literally since day one, dnsmasq.
Dynamic to dynamic IPsec should make 1.3, it’s there already but needs some tweaking and testing.
March 26th, 2008 at 7:14 am
That’s good to know that it will make 1.3. Do you have a link to a tutorial on how to make it work in the current version? I actually need to test out some tunnels this week.
March 26th, 2008 at 10:40 am
How about some new feature screenshots? Make sure you’re not pulling our leg.
March 26th, 2008 at 11:05 am
Slick: maybe.
We’ll eventually put up a screenshot gallery with some of the new things.
March 26th, 2008 at 1:49 pm
Great work! We love this project. I’m wondering if any changes or improvements will be made with regard to PFSense and SIP NAT traversal. We have noticed that 1.2-Release has a few quirks that make many ITSP’s stumble while trying to pass RTP (audio) streams through PFSense NAT, where they don’t stumble traversing other NAT Firewalls. Also we are wondering what changes, if any, will happen to the PPTP server or PPTP Pass-through code. I and others in forums have had some issues surrounding PPTP tunnels between 2 PFSense boxes, where the issues do not express themselves when connecting to and from non PFSense pptp servers and pass-throughs.
March 26th, 2008 at 1:53 pm
Karl: Check the Features page on the website for info on PPTP limitations. There are good workarounds available, but we’re working on a solution to those limitations.
siproxd package should fix SIP issues, it’s still under development though, I’m not sure of its current status.
March 26th, 2008 at 7:08 pm
Will the new version allow captive portal to run on a vlan rather than the interface?
March 27th, 2008 at 4:55 am
I love pfSense.
March 27th, 2008 at 3:10 pm
Captive portal should run on a VLAN interface now.
There are no major captive portal changes planned for 1.3, some minor additions to m0n0wall will be brought over.
March 27th, 2008 at 3:42 pm
Could bacula be implemented in pfsense?
ClarkConnect has it, so pfsense could be better
March 27th, 2008 at 4:29 pm
If someone wants to create a package for Bacula, sure. We don’t have any plans on doing so in the foreseeable future.
March 27th, 2008 at 4:49 pm
Hi.
I really like pfSense and the idea behind of the project.
I was looking for a load balancer when I found the project, which at that time didn’t fit my requirements, so I built my own load balancer in FreeBSD and pf, and I learned a lot about load balancers and their constant issues with routing and stuff.
One thing that is still bugging me is the multi wan configuration and the way the load balancer realizes the connection is really down and so on.
Is there any plan to implement SCTP in pfSense 1.3?
Thanks for the hard work.
March 27th, 2008 at 6:07 pm
Jose: it sounds like you’re a good candidate to become a pfSense developer.
We plan to replace slbd with relayd in 1.3, which may remove some of the annoyances you found with it.
No plans for SCTP at this time. You’re welcome to contribute code.
March 28th, 2008 at 1:47 am
I will be more than grateful to be part of this project.
Where can I talk with you and send some part of what I did?
Thanks.
March 28th, 2008 at 2:07 am
Jose: email coreteam@pfsense.org with info on what you have done, we can discuss further via email. Thanks!
March 28th, 2008 at 4:20 am
Any chance an anonymising technology will be added such as TOR?
March 28th, 2008 at 11:08 am
Tor would be a nice package, we welcome contributions.
March 29th, 2008 at 3:03 pm
Thanks for great work!
I’m very interested in openvpn improvements. Is support of many instances of openvpn client planned?
March 31st, 2008 at 2:07 am
I’m not sure what you mean by “support of many instances of openvpn client”. Right now 1.2 supports as many OpenVPN clients as your hardware can handle. 1.2 is fully scalable to the processing and memory limits of your hardware, hence scalability is not among the coming improvements since it’s already there.
March 31st, 2008 at 2:27 am
> I’m not sure what you mean by “support of many instances of openvpn client”
I mean two or more outbound(from pfsense) openvpn connections.
March 31st, 2008 at 10:54 am
> I mean two or more outbound(from pfsense) openvpn connections.
That’s not a problem, never has been.
It’s true of PPTP, there might be a fix for that.
April 1st, 2008 at 3:44 pm
pfSense is good choice for my home use!
but there some missing features like:
multicast routing (someone likes IPTV)
DVB-interface support (TV- or just IP-functions)
fully functional proxyarp
it’ll be good to see these features in later releases. THANX for your work!
April 1st, 2008 at 4:56 pm
>> I mean two or more outbound(from pfsense) openvpn connections.
> That’s not a problem, never has been.
Sorry, my bad!
Another interest – is support of openvpn-2.1 planned? It has good improvements (topology subnet).
April 2nd, 2008 at 11:29 am
OpenVPN 2.1 is the version used in pfSense 1.3.
SB HidDeN: “fully functional proxy ARP” has existed from day one, our proxy ARP is as fully functional as proxy ARP can be. So I’m not sure what you mean by that.
April 2nd, 2008 at 11:48 am
Hi,
This release is awaited here in our IT shop, we plan to offer pfSense as a router solution for our actual clients and one question burns our brains.
When you say
“Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces.”
is there any chance that this means we could use the traffic shaper inside an ipsec tunnel? This is our major issue with pfSense right now, since we tunnel all our voip and rdp sessions. We already prioritise the actual ipsec tunnel, which works great but still doesn’t separate file transfer and print spooling from realtime protocols.
From what I read in the forums, it is a limitation of the actual implementation of ipsec in the freebsd kernel. If it’s still the case, should we look at freebsd development to implement this, or could pfSense use another implementation of ipsec than the one in the freebsd kernel?
Thank you and thank you for the great coding here!
April 6th, 2008 at 6:07 pm
Shaping of traffic within IPsec tunnels is now possible as well.
April 7th, 2008 at 12:12 pm
Does that mean 802.11n support too? That’s apparently in FreeBSD 7.0 right? Although I’m not sure what needs to be in the OS and what ends up being a driver thing. It seems a lot of drivers are closed source binaries right now?
April 7th, 2008 at 12:33 pm
For wireless, whatever is in FreeBSD 7.x will be available. 802.11n is not available in 7.0 and I’m not sure if it will be available in any 7.x release. If/when it is, we’ll support it.
April 7th, 2008 at 5:32 pm
It’s not? Reading from:
http://www.freebsd.org/features.html
“Wireless: FreeBSD 7.0 ships with significantly enhanced wireless support, including high-power Atheros-based cards, new drivers for Ralink, Intel, and ZyDAS cards, WPA, background scanning and roaming, and 802.11n.”
April 7th, 2008 at 8:23 pm
That short features list is misleading. “Support” has been added, but no 802.11n drivers exist.
From the full release notes for 7.0:
“The 802.11 protocol stack has been significantly reworked. Among the new features are support for background scanning and roaming between APs, as well as support that will be required by 802.11n-capable devices.”
http://www.freebsd.org/releases/7.0R/relnotes.html
And this article from ONLamp mentions:
“The new code has working 802.11n support although no drivers have been released yet.”
http://www.onlamp.com/pub/a/bsd/2008/02/26/whats-new-in-freebsd-70.html
So yes, it supports 802.11n…with no drivers.
Not sure when they might be added, here in a post from January, Jim Thompson thinks it might be 18+ months. Jim is well in tune to wireless developments in FreeBSD, I trust this to be an accurate assessment (of course circumstances can always change).
http://m0n0.ch/wall/list/showmsg.php?id=337/58
April 8th, 2008 at 8:06 am
Is there any rls date of the 1.3 atm ?
Regards KuBuntU
April 9th, 2008 at 3:56 pm
I think with the meaning of “fully functional proxy arp” is to have possible setups like the one described here:
http://forum.pfsense.org/index.php?topic=8528.msg48094
e.g. splitting ip address ranges into different interfaces/zones by using proxy arp and routing, without bridging or assigning the IP as VIP to WAN, giving a server a private IP and doing the NAT stuff.
e.g. you are given the public IPs x.y.z.1-8
your ISP router has x.y.z.1 (acts as gateway)
your pfsense WAN has x.y.z.2
your pfsense OPT1 (dmz1) has x.y.z.3
your servers in dmz1 have x.y.z.4 and x.y.z.5
incoming requests are proxy arped by WAN and routed through OPT1
is this possible with pfsense?
April 12th, 2008 at 4:02 pm
neovatar: You can’t mix IP subnets like that. If you want that kind of functionality, avoiding NAT with your public IPs, you just need to put the machine on a bridged or routed interface with the public IPs. It doesn’t make much sense to directly assign a public IP on internal interfaces within an otherwise private subnet. Most commercial firewalls don’t allow that, and I don’t believe there is any way to make that happen with pf, so it’s unlikely you’ll ever see that. 1:1 NAT is the way most if not all commercial firewalls accommodate that.
April 14th, 2008 at 9:59 pm
So when can we expect the first release of 1.3……….
April 15th, 2008 at 12:18 am
It works, no major issues, and the snapshots are building, but we aren’t quite ready to deal with the repercussions of it being publicly available.
April 15th, 2008 at 11:01 am
Great, thanks. Was just trying to figure out what you meant by “The first publicly available release will come within the next month.”
April 15th, 2008 at 11:33 am
“within the next month”? Where do you see that?
I changed it to 2 months in the post.
April 15th, 2008 at 4:57 pm
Yea, I just take whatever you say and double it…..
April 16th, 2008 at 8:05 am
pfSense is fantastic!
(in Romania in education the salary is very poor)
I use it in my school (aprox. 70+ clients) and never have problems with it …
I would like to donate some money, but unfortunately actually my budget is not the best …
But if I will have more money, I will donate …
Maybe it will be a little amount of money, but I will donate it …
Thank you very much pfSense TEAM for the great work!
“Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing.”
It is a very very big improvement!
Thanks again!
Zoli.
April 22nd, 2008 at 3:07 am
In terms of routing, are we speaking of OSPF like or BGP like functional options (non-Alpha / non-Beta stuff) – or completely something else?
April 22nd, 2008 at 3:10 am
In terms of routing: several things, final list not yet determined. More on that will come.
April 23rd, 2008 at 12:01 am
[...] of the development time since the 1.2 release has been spent on the new features in 1.3, however an updated 1.2 release is also in the [...]
April 24th, 2008 at 12:14 pm
HA GOT A GREAT QUESTION THAT EVERYONE WANTS TO KNOW AND YES I’M YELLING BECAUSE ONE REASON YOU SAY THAT PER USER SEAT BANDWIDTH DOES NOT WORK AND MULTI-WAN DOES NOT WORK.
WELL I GOT NEWS FOR YOU IF YOU COPIED M0N0WALL THEN PER USER SEAT BANDWIDTH WOULD WORK BUT INSTEAD YOU DUMMYNET OUT AND PUT ALTQ IN INSTEAD BUT IF YOU REINSTALL DUMMYNET BACK ONTO THE SYSTEM ITSELF IT WORKS GREAT AND 10 TIMES FASTER.
SO ANSWER THAT.
THANK YOU.
SOUTHERN ILLINOIS WIRELESS, INC.
PAUL ROWE CEO/CTO
April 24th, 2008 at 3:21 pm
When is the per user seat bandwidth setting going to be available to us? I’m hoping it will be in 1.3. To whom it may concern, I’m sorry if I came on very strong about this matter, but you see it is all over your blog for the past two years; nothing has been done to meet common ground on this matter at hand. I am an owner of a wireless internet business, and yes, your product works great. I can at times be headstrong, but running a business you have to demand perfection or no one will respect you in this field. It is a tough business, so understand why this issue is so important to almost everyone. If we can control how our bandwidth is done, great. I have what they call RADIUS for my backbone for my user database, in which I store the bandwidth setting, which works under WISPr. I will ask nicely: please do not delete this, for others like me want this feature in an extreme way.
Thank You
Southern Illinois Wireless, Inc.
April 24th, 2008 at 4:26 pm
Will the new version include a feature that would enable pptp vpn server IP address assignment by RADIUS server ? At the moment it’s a feature that is most important to me.
April 24th, 2008 at 7:00 pm
Paul: Nobody ever said multi-WAN doesn’t work, it works great, there are countless installs using it.
The problem with per user shaping is dummynet doesn’t work with pf due to a FreeBSD bug. I won’t bother addressing your comments any further than that, since you apparently have no respect for those of us dedicating significant time to this project and feel you’re entitled to us spending our free time doing what you want to scream about.
If you would like to fund development to implement any missing features you’re welcome to email me. Otherwise implement them yourself, or ask nicely and we’ll consider it, but it’s unlikely 1.3 will see any new features aside from funded development due to time constraints.
April 24th, 2008 at 7:00 pm
ET: not likely, unless someone wants to fund that development.
April 24th, 2008 at 9:03 pm
I am fund one that of which I asked, but I’m not trying to be rude. I realize programming time is very consuming and I’m sorry if you feel that I was harsh, but 2 years of over 530 people requesting and funding this project say a lot. With that said, those numbers speak for themselves, but if you all need help programming this project for this feature I would be willing to help with it. Please let me know.
April 25th, 2008 at 11:54 pm
I have used pfsense almost from the start of the project. It is amazing how far it has come. I would love to see pfsense add packages such as ClamAV, SpamAssassin, and other anti spyware\adaware filtering systems for both filtering incoming and outgoing web traffic and e-mail based proxy filtering.
Pfsense already has everything that other firewall systems have and then some, other projects such as ClarkConnect and Untangle, but if pfsense were to do all the great filtering features of ClarkConnect and Untangle, your product would be hands down unbeatable.
Keep up the outstanding work : )
April 26th, 2008 at 11:07 am
Paul Rowe, at this point covering your a$$ is no longer fit =P. You should have shut the $#%# up first time…you are bashing a project that provides your so called “BIZNESS” a FREE tool!!! If you have such an issue with whatever you do not like – one SHUT UP cause it is free or TWO – put a BOUNTY ON IT!!!! PAY for Support! How’s that for speaking freely? To pfSense team – EXCELLENT work as always.
April 28th, 2008 at 12:41 pm
Just a friendly reminder about the reset-all states issue for udp sessions during failover. Thanks for a great product!!!!
April 28th, 2008 at 2:28 pm
Hi PfSense team !
Congrats for a fantastic product ! We use it in multi-wan setup in our two main locations and it’s working great. Saved the day another time this very morning when two links came down.
I would like to point out a couple possibilities of improvement along the way. We are still using IPCop boxes (main+backup behind each of the 2 pfSense) to do our IPSec VPNs for two major reasons, which I believe can be corrected:
- visibility – in IPCop, one glance on the VPN screen tells you immediately (with bright colors) which VPNs are down, which are up, which are administratively closed. And the button to recycle each vpn or turn off and back on is right there. The stability of the links is great too.
- possibility of IPSec VPN failover – I have currently not found a way using only pfSense to achieve two IPSEC vpns between our two sites (each using different VLAN interface and ISP) with failover from main to backup in case of link failure. Is it me or is it effectively a limitation ? Could it be improved ?
Thanks again for a fab product !!
F.
April 30th, 2008 at 8:18 am
I’ve been looking at the HP 700wl series wireless firewalls for a captive portal, but with this LDAP functionality in pfSense, I am going to have to look at that instead! One of the drawbacks with the HP stuff is that I can’t define multiple containers for LDAP auth… will this be possible in pfSense? Pretty please?!
April 30th, 2008 at 12:47 pm
Hi,
Will Link Aggregation (LACP) be included in version 1.3? When will a first iso of 1.3 be available? Can I download a 1.3 version?
April 30th, 2008 at 5:45 pm
Thomas: lagg(4) support is partially done, and will probably make 1.3. No timeframe on availability yet, watch for future posts on this blog for further info.
May 2nd, 2008 at 5:54 am
LDAP authentication: did you mean ldap auth for all the pfsense apps? (e.g. Captive portal)
Thank you for the great work done and for the possibilities you give us!!!
r3N0oV4
May 2nd, 2008 at 11:56 am
LDAP authentication is currently only for administrative users, not other users like captive portal, PPTP, etc. Those can all use RADIUS which is sufficient for the same purpose most of the time.
May 4th, 2008 at 4:35 am
Hello all. Thanks to all the programmers for this good [ Free Project ].
Chris Buechler Says: Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing.
This is a very nice thing. In version 1.2 we can run the wizard for the traffic shaper again and again .. and lose all rules. Has this been changed in 1.3 or not?
Thanks Again.
May 4th, 2008 at 2:54 pm
John: that’s specifically one of the things addressed, the wizard annoyances of the last version should no longer be an issue. Once 1.3 is publicly available I encourage you to test it and let us know if any of those annoyances are still there (we’ll be doing the same ourselves, but more eyes is better).
May 4th, 2008 at 5:13 pm
Paul, I recommend that you return your pfsense setup to the place you bought it and go purchase a commercially available firewall solution and support that will fit your needs. Where do you get off demanding anything from this team and their project? The software this team has created rivals many of the commercially available firewalls, and the price is right. They deserve your heartfelt thanks, not your ridicule!
Thanks to the team, and keep up the good work!
May 5th, 2008 at 2:15 pm
Being that 1.3 will be on a different version of FreeBSD, will there be a firmware upgrade or will we have to reload / reconfigure an existing box from scratch?
May 5th, 2008 at 2:18 pm
oh.. and I just wanted to say.. “GREAT JOB ON A GREAT PRODUCT”
May 5th, 2008 at 3:22 pm
Firmware update from 1.2 to 1.3 will be possible.
May 7th, 2008 at 11:37 am
how will the firmware update affect the embedded version of pfSense?
Indeed, this is personally my favorite open source project… hands down! congratulations to all involved with the pfSense project, you should be proud! i look forward to being wowed by 1.3 and success with everything.
May 7th, 2008 at 1:15 pm
Embedded upgrades will depend on what we end up doing with embedded. We’re looking at moving to a completely different kind of image, and if that happens, there will be no way to upgrade from any previous version to 1.3 without reflashing. Fixing embedded upgrades from 1.3 on is a priority, and will likely require significant changes to embedded.
May 12th, 2008 at 5:34 pm
I’m probably in a vanishing minority to say this, but: “Novell eDirectory authentication!” Fantastic! Thankyou.
May 12th, 2008 at 9:05 pm
Steve: glad someone appreciates it.
I was wondering myself how widely used that would be, it was a requirement for the company that sponsored the work.
May 13th, 2008 at 7:17 am
Rubbing up people the wrong way, as demonstrated by your arrogant posts above, means that you truly NEED a multi-faceted security solution like pfsense to prevent people taking a targeted stab at you.
So, why don’t you attempt to make amends and sponsor the project, providing a bounty for the service you demand so eloquently?
I should think a few thousand dollars would begin to repair your reputation
May 13th, 2008 at 7:18 am
oops, that was at Paul Rowe, help me?
May 14th, 2008 at 12:03 pm
Chris,
“LDAP authentication is currently only for administrative users, not other users like captive portal, PPTP, etc. Those can all use RADIUS which is sufficient for the same purpose most of the time.”
Can we expect LDAP authentication for the captive portal sometime in a future release? Using it for only admin users is ok, but I really need it for the captive portal so I can use pfSense instead of the HP7xxwl stuff (without having to add a RADIUS server into the mix for another point of failure)… :/
Thanks!
May 14th, 2008 at 10:41 pm
Mike: not in 1.3 unless you’re willing to fund the work. Otherwise at some point in the future post-1.3, maybe.
May 15th, 2008 at 5:16 am
I disagree on 3G-support. Now when speeds up to 7.2 down / 1.6 up are widely available it’s getting very common in Europe to use 3G as a backup connection. I understand the problem with supporting different devices through patches, but basic support for the most common devices would be really excellent.
I just love pfSense and look forward to 1.3.
May 16th, 2008 at 12:26 am
danne: not sure what you disagree with. I agree it’s absolutely an important feature and it’s something we really want to offer, but if we can’t properly support more than a couple devices it’s probably not worthwhile. More will be coming later – keep blog.pfsense.org in your RSS reader.
May 22nd, 2008 at 10:48 am
“Mike: not in 1.3 unless you’re willing to fund the work. Otherwise at some point in the future post-1.3, maybe.”
I’m kinda new to this project, is there a set price for something like this? How does this work?
May 22nd, 2008 at 11:09 am
Mike: Depends on the project. Generally you provide the exact specifications of what you want (as it differs from what is there now), then we’ll take a look at it, make sure it’s possible, figure out how long it will take, and provide a fixed quote based on that. As long as the resultant work is open source as part of the pfSense project, our prices are based on a low hourly rate.
You can email me at cmb@bsdperimeter.com if you would like to discuss further.
This isn’t an extortion plot or anything.
We can’t possibly implement every feature request, or even the majority of them, as there just isn’t time. We’ve found this is the best way to prioritize development and work towards fully making a living working on pfSense, and there are numerous companies willing to fund work. All the major new features in 1.3 are the result of funded development.
June 11th, 2008 at 11:49 pm
All this talk, enough with all thanks and kudos we all know how great it is. What I would like to know exactly is when it will be publicly available. Can anybody tell me? The “next month” release date is pretty much open-ended.
June 12th, 2008 at 12:21 am
I’ll get a development update post up probably this weekend. It works, it’s been working for a while, snapshots are building, we’ll probably let it out to the general public soon. We don’t have time to deal with the onslaught of bug reports right now (the majority of which end up being misconfiguration, but take significant time to investigate), and a number of changes are in process at the moment.
June 19th, 2008 at 2:49 am
Is there a reason the pfSense group/project is so secretive about the next product roadmap – seriously? I see so many of the SAME questions by numerous people and it’s always the same. Most other projects have “some” sort of ETA; organized ones anyhow. For some people, this product is what they based their IT decisions on – Vyatta or pfSense? Untangle or pfSense? SmoothWall or pfSense? etc etc etc…
June 19th, 2008 at 6:20 pm
JBanks: we’re not secretive about a road map, we don’t have a formal one. The primary reason is we have no system to easily do so – this is being covered as part of the git conversion, Redmine which will replace cvstrac gives us facilities to put together development road maps. Look for one after the git conversion is completed.
August 11th, 2008 at 11:31 pm
Tried the alpha-alpha release. Could not establish an IPsec VPN with older 1.2 version. PPTP server seems to always check the radius option even though I repeatedly un-check it. Interface looks great! The rate limiter option could use a download/upload perspective instead of the src/dst address. Do we need to add 2 rules there, one for upstream, one downstream? Overall it looks mighty fine!!
September 20th, 2008 at 11:16 am
Are there any plans to implement a browser based SSL VPN solution in 1.3?
You are all doing a great job with this project, I am a huge fan of pfSense.
September 20th, 2008 at 12:58 pm
We have no plans to implement a “clientless” (which is marketing BS) or “browser-based” (also marketing BS) SSL VPN for two reasons.
1) there isn’t a good open source one.
2) Reasons explained here:
http://article.gmane.org/gmane.comp.security.firewalls.pfsense.support/14336/
December 17th, 2008 at 9:43 pm
Totally love this firewall! Rock solid. Multi-wan is awesome. Carp is great. Failover is a dream!! Can’t say enough positive as a firewall.
BUT – Also agree with above RE: Load Balancer monitoring…
I have not been able to use the built-in load balancer in PFSense because it lacks customized monitors. I know there are solid open-source tcp monitor packages around, was hoping to see this added. Better yet, a little http get monitor with text string evaluation would do it… Many times a web server is UP on tcp, but down for HTTP GET on 80…
Adding this would mean many of us could ditch two boxes entirely (Master LB and Failover LB) and use PFSense for the whole thing…
What a dream that would be!
December 17th, 2008 at 10:07 pm
Al: the load balancer in 1.3/2.0 has already been replaced with relayd and does what you mentioned.
March 1st, 2010 at 9:43 am
Hello there, my question deals with aggregation and is asked with total respect to the programmers as I know nothing about programming. That being said is this possible and work.
When a request to the internet reaches pfsense, pfsense uses 1 wan to get the size of the page or whatever from the page server. Then pfsense splits the reply in half and requests a half from each of the wan’s, gets it and sends the page to the requesting computer.
Since everything dealing with the internet deals in packets theoretically this is possible, but is it practical in real life? Is it something that can be programmed?
Thanks for the info
March 3rd, 2010 at 4:36 pm
Francis: that’s not theoretically, or otherwise, possible because of the way the Internet works. Post to the forum or mailing list for more in-depth discussion.