1.2.3-RC1 is now making its way to the mirrors. This is primarily a maintenance release on the 1.2.x series, bringing an updated FreeBSD 7.1 base, and a few bug fixes.
The primary changes are:
IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.
Dynamic site to site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.
IPsec NAT-T support has also been added.
Sticky connections enable/disable – sticky connections were previously only changed status at boot time for the server load balancer.
Upgrade to FreeBSD 7.1 – The FreeBSD base version has changed from 7.0 to 7.1. This brings support for new hardware, and seems to fix a number of hardware regressions between 6.2 and 7.0. A number of users have reported that hardware that worked fine on 6.2 stopped working on 7.0. In every case we’re aware of, 7.1 fixed that problem.
Wireless code update – Sam Leffler, one of the primary developers of wireless on FreeBSD, was kind enough to point us to the latest wireless code back ported from FreeBSD 8.0 to 7.1. This is included in 1.2.3-RC1. There are companies shipping access points on this code base. Several users have reported considerable improvements in compatibility, stability and performance.
Dynamic interface bridging bug fix – the bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.
Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.
Polling fixed – polling was not being applied properly previously, and the supported interfaces list has been updated.
ipfw state table size – for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.
Server load balancing ICMP monitor fixed.
UDP state timeout increases – By default, pf does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts, setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.
Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.
Multiple servers per-domain in DNS forwarder overrides - previously the GUI limited you to one server per domain override in the DNS forwarder, you can now put in multiple entries for the same domain for redundancy.
Note: At the time of this post, most, but not all of the mirrors have the files. It may be close to 24 hours before they all have the files. If you find one that does not, choose a different one.