List of 2.0 New Features and Changes
Haven’t had a post up here in a while, but anyone who watches our git repository knows development never ceases. Vast amounts of work have gone into 2.0 this year, and it really shows. We’re deploying it in production, though we generally recommend you don’t yet.
A work-in-progress list of 2.0 new features and changes is available. I think it has most of the changes, but it’s definitely missing some. If you notice anything that was missed, please leave a comment. We’ll be adding to it as we review the list more in the coming days.
It’ll be released sometime this year.
May 3rd, 2010 at 3:08 am
Ahh, new news about pfSense 2.0
Hope for soon release, go on guys!!
May 3rd, 2010 at 3:10 am
Simply amazing. Can’t wait to have it on my Alix boards!
May 3rd, 2010 at 9:21 am
Please include a user manager module like m0n0wall has under SYSTEM > User MANAGER, so you can define users and groups security levels such as ‘tech support’ to view-only and manager account to full access and supervisor account to have limited access to SYSTEM, INTERFACES, FIREWALL, SERVICE, VPN, STATUS and/or DIAGNOSTICS. Thanks
May 3rd, 2010 at 11:38 am
Eduardo: it’s there, and on the list
May 3rd, 2010 at 5:14 pm
Hopefully this will be stable soon. I tried the beta but it wasn’t working for me. I’d love to see the shaper working with LAN, OPT and one WAN interface. Please don’t let me wait that longer
May 3rd, 2010 at 7:10 pm
Please add the possibility for a hotspot
May 3rd, 2010 at 7:22 pm
MacDonald: …/me scratches head… you mean the captive portal that’s been there for 5+ years, since the first release?
May 3rd, 2010 at 7:54 pm
Chris: But making a page read-only for a user isn’t there yet, is it?
May 3rd, 2010 at 8:00 pm
True, Erik, it’s all or nothing.
May 3rd, 2010 at 10:23 pm
when will be the release? I’m looking forward to the enhanced captive portal with voucher support.
May 3rd, 2010 at 10:27 pm
Emmanuel: that’s answered as specifically as we can at this point in the post. We really can’t say any more specifically as we don’t know.
But those of you with developer skills, or even testing abilities, helping us along will speed up the process. See the remaining things to fix/todo items here:
http://redmine.pfsense.org/projects/pfsense/issues?query_id=5
May 3rd, 2010 at 11:54 pm
Amazing! Thanks so much for one of the best firewalls (commercial or open source) available.
May 4th, 2010 at 12:27 am
I just want to say thanks for such an awesome product. Everything in 1.2.3 just works, and that’s really cool. I’m kind of impatiently awaiting the 2.0 release,
but I just want to say I appreciate all the work you guys put in to this. It makes using your product a joy.
May 4th, 2010 at 3:57 am
Eagerly waiting for 2.0 release. Tested Beta 2.0 in my lab and waiting for green signal to use in production.
Thanks for the wonderful product. Whenever I meet any IT person i always discuss about the pfSense and recommend them to use it.
May 4th, 2010 at 9:10 am
2.0 / Chris & Scott promise so many features that will improve the capabilities of what I as a sys admin am able to offer with out-of-the-box efficiency and dependability. I’m so looking forward to it.
For example, being able to provide backup Internet in the form of a pay-as-you-go 3G USB modem, is very exciting.
I’m always eager to hear news about its development.
If you point us toward a technology preview / alpha build people will have something better to relate to for testing.
Will the OpenVPN Certificate Manager have the ability to import an existing CA cert and user certs and keys?
May 4th, 2010 at 2:44 pm
Every time I take a look at the new features in pfSense 2.0, I get more and more impatient to use it. Anyway I must say, as always, that it is the best and most professional firewall I have ever used! THANK YOU SO MUCH FOR SUCH A GREAT PRODUCT!
May 5th, 2010 at 12:36 am
USB install and BOOT?!
May 5th, 2010 at 1:02 am
Terry: that’s entirely dependent on what FreeBSD RELENG_8 (8.1) is capable of on your hardware.
From what I’ve seen thus far, USB CD/DVD drives generally work fine, though not always. Booting from USB flash or hard drive I haven’t tried, but generally should work as well, people are doing it now with the stable releases.
May 5th, 2010 at 9:29 am
All very nice features. I look forward to GRE tunnels. Will they work with Cisco IOS?
My only other request in the name of stability is to scrutinize the packages more before they are allowed to be installed in 2.0. There are too many buggy ones for 1.2.3. Maybe some kind of approval process?
May 5th, 2010 at 9:38 am
I have used the USB flash boot for over two years (on the current STABLE build, not 2.0)… only problem I had was the flash drive’s read/write limit.
Suggestion: if you want package support, consider a recent flash drive with good read/write limits and block mapping. If you don’t need package support, the embedded image is effective read-only except for the config file (and possibly logs).
There is a way to make the full install boot the file system as read-only (mimicking the embedded image behavior), but packages which are not designed with this in mind will think that their file changes will be permanent (ex: SpamAssassin).
May 5th, 2010 at 1:36 pm
Time based access control would be a great feature. Hope it will be included in the final release!
Can’t wait to use it!
May 5th, 2010 at 2:55 pm
Will 802.11n support be available in 2.0? The Atheros drivers atm are a bit flaky as well.
May 5th, 2010 at 3:37 pm
Hello,
http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/#comment-2162
and about IPv6?
Still bad ISP?
May 5th, 2010 at 3:55 pm
Hi, great product. I am contemplating replacing our aging netscreen25 in our hosting center with pfsense. I am wondering about ipv6 support though? It’s not in the feature list.
Best regards
Brian
May 5th, 2010 at 4:20 pm
IPv6 will not be supported in 2.0, it’ll be one of the first things added after 2.0 release. Latest info always available here: http://doc.pfsense.org/index.php/Is_there_IPv6_support_available
May 5th, 2010 at 4:21 pm
Hacktivist: time-based rules are already available in 1.2.3, they’re just enhanced in 2.0, allowing more capabilities since they’re integrated with pf.
nuro: that’s beyond our control, whatever is in FreeBSD 8.1 is what we’ll have.
May 5th, 2010 at 4:32 pm
Robert: GRE is GRE, it’ll work with Cisco or anything else that does standard GRE.
Packages are largely maintained by outside contributors and aren’t extensively vetted, if they aren’t harmful (i.e. no back doors, don’t create gaping security holes), they can be accepted. What we need to do is classify them better, people seem to ignore the “status” label where a certain package may be labeled alpha and hence should never be installed for anything other than test purposes on a test system, people click away and install anyway. The alternative to not put them out there at all hides them from those who can help with fixes and development on the work in progress packages. So we’ll never go to a process where only approved packages are available, but at some point (probably post-2.0) we’ll differentiate between what we consider production-grade and non-production packages more obviously than we do now with the alpha/beta/stable labels.
May 6th, 2010 at 11:29 am
is carpdev support still targetting 2.0? I know it shouldn’t be your problem (I’ve been hoping to see it in FBSD for quite a while), but I heard you guys were making some progress towards it.
May 6th, 2010 at 12:25 pm
I downloaded a copy of 2.0 and popped it on a VirtualBox VM. Wow – nice job, guys! Lots of really cool things. I like the things you can do now from the firewall log with the easy rule thing. Way cool! I also like the rss feed thing, but I could not get it to save. Is there a trick to that? Otherwise, brilliant work!
May 8th, 2010 at 8:20 am
pfSense is awesome! With the implementation of Layer 7 rules will the hardware requirements of 2.0 go up? I can hardly wait for 2.0… woot!
May 8th, 2010 at 12:24 pm
Fred: Not completely sure yet but it doesn’t seem to make much difference at all, for the average user it won’t increase hardware requirements.
May 8th, 2010 at 12:25 pm
Scott: no carpdev in RELENG_8, we have more resources to get things like that done now, but won’t be til post-2.0.
May 8th, 2010 at 4:55 pm
Gaaah! Almost can’t wait until you guys declare 2.0 production ready! We tried it in (rather early) BETA, and already were amazed by the new features!
Greatly appreciated is the new load balancer!
Thanks for all the hard work!
(I bought the book btw, great stuff! Any plans on publishing a revision based on 2.0?)
May 9th, 2010 at 11:15 pm
Thanks guys for such an amazing product, really excited at the new features coming in 2.0 especially the freeNAS / Samba possibility, that will be fantastic for the smaller users who prefer an “all in one box” solution.
Really hope the “bug” fixing process is nearing an end, just a shame i know next to nothing on coding so am unable to help, however i do recommend your product on to anyone needing captive portal solutions.
Keep up the good work.
May 10th, 2010 at 12:16 am
Richard: Not sure where you found that but there is no FreeNAS or Samba integration, we don’t believe you should ever build such an all in one box (though if someone wants to contribute such a package, we would add it to the repository, there isn’t anyone working on any such thing at this time). The two projects are difficult to integrate (someone was working on it years ago and abandoned the work), and that’s a bad role to combine on one system.
May 10th, 2010 at 3:29 pm
Awesome work. Pfsense continues to be the ultimate solution for nearly any size. The only request I would have would be an SSL vpn (web facing browser login type deal). But I wouldn’t trade it for any other distro regardless! Thanks Chris!
May 10th, 2010 at 11:28 pm
Man I know it’s not a popular idea, but to me a free nas package would be so nice, at home I run a little VIA board with Pfsense and a Atom board with free nas for my file server, it would be great to be able to reduce the need for two boxes. No one would want this stuff it’s just nude pics of me ;D
I also run a few Pfsense boxes at work that connect our sites together via fiber and those nodes would be ideal freenas boxes, but hey I see the reason why not to do it if the router is on the internet, but not are routers are and I can think of lots of reasons to run freenas.
May 11th, 2010 at 12:44 am
What about virtio drivers for running pfSense in a VM? would love to have pfSense run more efficiently on Virtualbox. Also would love to see CARP working in Virtualbox but am assuming that that is not due to pfSense…
May 11th, 2010 at 1:25 am
Chris; m0n0wall recently added a hardware monitor option to show temperatures etc. Is this something that you will add, or possibly something the new widget system could provide?
May 11th, 2010 at 9:22 am
Data instead of time based voucher generation for the captive portal would be a great addition. Thanks for the work done thus far.
May 11th, 2010 at 8:00 pm
rhy7s: lots of companies already do data limits in that fashion with 1.2.x, that’s something you need a RADIUS server for.
Biffen: no plans for that at this time, that monitor supports very few hardware platforms. if a good sensor framework makes it into FreeBSD we’ll use it. We won’t be adding anything like that for 2.0.
D.M.: yeah that’s limits of virtualbox networking AFAIK. There doesn’t appear to be any virtio drivers for BSD, we generally recommend VMware ESX for good performance.
Clayton: as I said, we would gladly add it if someone wants to contribute it. It’s a ridiculous amount of work, and would have to run in a jail as the two would stomp all over each other otherwise.
Doug: there aren’t any open source solutions along those lines, and all the commercial ones are absolutely horrid what they do to your network stack. You really don’t want one. OpenVPN is SSL VPN, done right, not a nasty proprietary hack.
May 12th, 2010 at 1:39 am
Is there going to be a way to prioritize routes? Policy routes?
Here’s why: I need to have the default route go out over a tunnel (VPN, PPTP, L2TP, GRE), but of course the tunnel needs a route, too. So I need to be able to sort routes based on priority.
Also, policy based routing would be great, e.g. route outgoing http requests through NAT directly to the ISP provided connection, everything else route through the tunnel, etc.
Another issue: assign interfaces by MAC address. Plays a role with USB NICs, which may end up with different interface names upon reboot, based on the order in which they happen to respond/be recognized by the OS during boot, or based on which port they happen to be plugged into or which other USB devices happen to be present/removed (keyboard, mouse, etc.)
Lastly: is there a plan to support DisplayLink USB displays or a VNC console? The reason I ask is this: the computer I’m going to be using for this is some small Atom 330 based thing, which mostly is going to run headless. But it seems to be close to impossible this day and age to find a cheap 8-10″ VGA LCD display for the occasional console access. The only reasonably priced small-sized LCD screens seem to be the USB DisplayLink based ones, and I really don’t want to haul a 20″+ screen into the basement if for any reason I have to do a few things on the console (like relaunch the web interface or enable/disable ssh access, etc.)
May 12th, 2010 at 2:28 am
ugh, a couple more things, although obviously not for 2.0
a) I use a Zotac IONITX-L-E board, which supports the NVidia ION chipset’s RAID functionality, but BSD seems to have trouble with that. Obviously a BSD and not a pfSense issue, but it would be nice to be able to use a hardware RAID since I’m going to use two 8GB CF cards with a SATA adapter. In the mean time GEOM will have to do.
b) similarly, the ION is largely going to be unused. Is there any effort underway anywhere to do a CUDA/OpenCL crypto lib? It would be awesome if the GPU could be used as a crypto accelerator for VPN traffic, etc. Basically, these low-power Atom 330/ION boards should be able to handle rather sizable networks (dual core, 64-bit, 4GB RAM) only potential bottleneck is significant crypto processing, but there’s that unused GPU sitting there being idle…
May 12th, 2010 at 3:17 am
One more thing
There’s only a means to SET UP a GEOM mirror in the install mode, no selection to DESTROY a GEOM mirror. Problem is, if for some reason the storage devices don’t play well with each other, it’s impossible to install pfSense on the drives, because the left-over GEOM setup will cause issues. The only way to fix this is to format/partition the drives with some other OS before going back to attempting a pfSense install…
May 12th, 2010 at 7:51 pm
rcfa:
Assigning by MAC address shouldn’t be too hard to do. I think there are only a couple settings in the configuration that would need to be updated at boot to fix the configuration before other code runs that depends on those settings.
For accessing the console, if it has a serial port I suppose you could use a null-modem cable to connect it to an old laptop with a serial port or to any other laptop with an adapter to connect it to a USB port on the laptop. You may even be able to find some kind of portable serial terminal with a built-in LCD display. If the system does not have a serial port, I’m not sure what you could get that would be inexpensive and would work, though.
May 13th, 2010 at 1:57 am
Wow, fantastic list! Really looking forward to the multi-interface QoS!
Also, does “IP Alias type Virtual IPs” mean we can have Virtual IPs outside the range of the original IP subnet?
I.e. can we do CARP in single-public-IP scenarios by having the “real” primary interface IPs be non-routable and the public IP be virtual instead?
May 13th, 2010 at 7:33 pm
I have to say that this is my favorite open source firewall
I recently bought the book and it’s simply great and a must-have book when working with firewalls.
My Q is this: will pfSense support the option for SSL VPN via the web browser?
May 13th, 2010 at 10:42 pm
Already running it in production, passing over 100Mb/s .
I only wish for a web browser SSL VPN and a better filtering/sorting of firewall log entries. Nat src, Nat dest, total bytes, etc.
For a firewall admin a fw device is as good as its log entries management.:-)
Great job guys!!
May 14th, 2010 at 10:29 am
Thanks Guys!
May 15th, 2010 at 2:07 pm
Just a few suggestions:
OSPF, BGPD and add options to NTPD like timezone.
May 15th, 2010 at 2:08 pm
chrisw: BGP and OSPF are both available in 1.2.3 (and 2.0) in packages.
May 17th, 2010 at 10:17 am
This is a great job. Squid with tcp_outgoing_address works, so no need for more load balancing; this is better for distributing the traffic. Great job guys!!
May 18th, 2010 at 8:59 am
Hi, anybody know how to setup this feature:
http://blog.pfsense.org/?p=35&cpage=1#comment-7048
If anybody can help me I will be grateful.
thanks
May 18th, 2010 at 6:27 pm
Chris, first I want to thank you for this great work.
I’m wondering if you have ever considered implementing some kind of WAN Optimization mechanism like trafficsqueezer or WanProxy.
It would be great in high latency/poor bandwidth scenarios.
Thanks!!
May 18th, 2010 at 8:00 pm
WOW!!! That IS an impressive list!
Um, does this mean a new book is in the works?
I can’t wait to see the day when y’all get tired, and greedy and sell-out this fantastic software to a great big, and even more greedy company who will promptly flush it down the toilet for piece of mind against their suffering bottom line because of their piece of shit firewall with back doors for Israeli, American, British, and Australian paranoid intelligence services, y’know…like Zone Alarm and Checkpoint.
May 24th, 2010 at 4:21 pm
Will 2.0 allow me to use the Traverse Solos multi-port ADSL2+ PCI card? I think it uses the San driver on OpenBSD. Is there something similar for PFSense? Also, is the Atheros AR9220 chipset supported for Wireless N cards?
Thanks.
May 26th, 2010 at 9:13 am
I’m another in need of IPv6 support in pfsense. This has been a long priority for us and something that has been available in m0n0wall for sometime. Would very much appreciate anything that could be done to accelerate IPv6 in pfsense.
May 26th, 2010 at 2:48 pm
Someone mentioned an web page accessible SSL VPN. Just my two cents, but depending on how you want access, I have found the best way to allow web access is to set up an NX server and use the NX web client. You can pass a user directly to any Linux app, or RDP, maybe citrix.
check out nomachine.com, but use the freenx port for the server.
May 26th, 2010 at 2:59 pm
I’m also really, really hoping for an integrated web-based SSL VPN…
May 27th, 2010 at 12:28 pm
hello all;
good job team.
I can’t see a logout button.
May 29th, 2010 at 8:44 am
bob,
Under System options you will find the logout function.
May 31st, 2010 at 10:53 pm
Please build with a ZFS-aware bootstrap loader! ZFS **GREATLY** increases the life of now completely affordable multiple GB NAND flash devices or even 16-32GB USB flash modules.
June 4th, 2010 at 11:41 am
Jeremy: This is what the nanoBSD version is for.
It mounts everything read-only (except when writing down configuration-changes)
June 7th, 2010 at 12:42 pm
Hi all,
an LNS functionality would be very great! (and LAC too, if you have time)
Thanks All, Pfsense rocks !
June 7th, 2010 at 4:37 pm
Scott: for 2.1 probably; for 2.0 I think it’s too late.
June 8th, 2010 at 1:32 am
Thanks Chris B !!!!!
Your pfSense is just AWESOME!!!!!!
dooby
June 10th, 2010 at 3:58 pm
Hi all. Thanx for the very good work !!! Keep it up
1- I’d like to know how the L7-Filtering is processed.
2 – Does IPSec XAuth support mean Mode-Config support too? (dhcp other ipsec, dynamically send traffic end-points according to user authentication, RFC1918 IPs send, etc.?)
June 11th, 2010 at 4:55 am
Is pfsense 2.0 able to use captive portal on multiple LANs, each LAN with a different type of authentication?
sample : LAN1 authen –> Radius server A
LAN2 authen –> LDAP
LAN3 authen –> Radius server B
LAN4 authen –> Local user
LAN5 no authen
Something like that
Ant,
June 11th, 2010 at 6:04 am
Ant: No. You can enable captive portal on multiple interfaces but they must all use the same config and authentication
June 12th, 2010 at 6:15 am
Another functionality would be welcome:
3G backup with a USB 3G key (like Huawei). If the xDSL breaks down, we can use the 3G access to back up the connection.
June 16th, 2010 at 5:51 am
2.0 looks great. Multiple Wireless configurations was one of things I was really missing.
I hope it will be released soon though, so that you guys can get to work on the carpdev feature. Having more than one public IP is not really an option for me, as my ISP requires me to change to their “business” product, which cost about 300$ a month, as opposed to the 15$ I’m paying now. A bit much for a couple of IP addresses.
June 16th, 2010 at 8:05 pm
Policy Based Routing (PBR) please…. when I have multiple WAN, I hope that I can do route based on destination IP/URI for which WAN to be used (perhaps certain WAN requires Port REDIRECT for proxy)
June 16th, 2010 at 8:28 pm
mynullvoid: we’ve had PBR for something like 5 years now, in every stable release we’ve ever put out.
June 17th, 2010 at 11:12 am
I’m super excited about the big 2.0 release; I can’t wait! Thanks to all the developers for their hard work.
Cheers,
June 17th, 2010 at 11:16 pm
Chris Buechler: sorry I don’t get you, please review http://forum.pfsense.org/index.php/topic,24563.msg127610.html#msg127610
June 18th, 2010 at 8:53 pm
Something I really wish to see evolve is monitoring tools for larger deployments. I use ntop on a mid size national intranet (14 sites + VPN) to monitor them in real-time.
Running into limits of this tool; the lack of https (tho I do tunnel it over VPN), lack of centralized logging tools and support for push/publish centralized settings.
I really like what watchguard has on this.
And something else I miss. Ok so this might be legacy mayhem but I find it really useful: PXE server. Honest, the hours I have saved having default user and UBCD (www.ultimatebootcd.com) images on tap!
June 20th, 2010 at 7:16 pm
TellusCitizen: PXE is really simple for pfsense 1.2.2 & 1.2.3. Just install Mcrane’s TFTP package and configure DHCP correctly. You can also setup a tftp server the usual FreeBSD way on 2.0 but you’ll need to change the default config which is a tftp proxy (if I remember). It’s not too tough, but I prefer to have my tftp elsewhere on the network. Good luck.
June 21st, 2010 at 4:42 am
I’m a missionary for pfSense. I preach it all around.
Is it possible to have the functionality of transparent mode squid and shaper out of the box? You know it is not working without complicated changes, or am I outdated?
cheers and keep up the gorgeous work!
June 22nd, 2010 at 11:05 am
PFsense is really one of the best and most secure firewalls I’ve ever seen. I really trust this product and always. It combines the secure BSD platform with a perfect built application. I am very happy to get the 2.0 for first test networks.
June 24th, 2010 at 11:07 pm
This is great, we are replacing our Cisco gear with PfSense, 1.2.3 and it just beautiful. great work guys.
June 25th, 2010 at 1:46 am
Great Stuff! All in for the HTTPS/SSL VPN. That would be perfecting this solution. Check out the different options that e.g. an adito fka SSL explorer has. No need to forward the whole network through HTTPS. Supply single forwarded ports would be one nice option, Other would be to just do forward internal web sites through the HTTPS portal. That would probably be a smaller dev effort than going the whole nine yards with the full VPN network forwarding. (and would not be that ugly) What do you think the dev effort would be? Thanks again!!!
June 25th, 2010 at 1:33 pm
You guys do some awesome work. I have been running PFSense on a Firebox X700 in a test lab, but could never use it in production because of watchdog timeout issues. Now with the latest build released on 6/24 it is incredibly stable and I have only seen 2 watchdog timeouts in the last 8 hours. Great job again to all devs and beta testers involved.
June 25th, 2010 at 1:35 pm
Cameron: you can thank FreeBSD developers for that, we have nothing to do with drivers.
I’m not sure that’s changed much or at all recently actually, there’s something atypical with the NICs in those Fireboxes.
June 26th, 2010 at 7:02 pm
Thanks a lot u guys, PFsense is the best opensource product that i have, i wondering if some monitoring tools like nagios + centreon + smstools.
So we just have to put USB GSM modem to make anything alert via sms.
tq in advance
July 9th, 2010 at 12:37 pm
The user management feature is super critical to us as it is make or break for us to continue using pfSense. With PCI, HIPAA and other requirements, having a single administrator is simply not an option. The fact that it will have LDAP integration is just icing on the cake.
July 14th, 2010 at 9:23 am
When will IPV6 be included???
July 14th, 2010 at 11:09 am
John: see above: “IPv6 will not be supported in 2.0, it’ll be one of the first things added after 2.0 release. Latest info always available here: http://doc.pfsense.org/index.php/Is_there_IPv6_support_available”
July 17th, 2010 at 1:25 pm
I am using v.1.2.3 and it works great. But my WIFI card drops the connection every 5 minutes. Will there be a better support for my WIFI card? Linksys WMP54G-eula _v4.1-qi-60214 TE.
Or should I change card/get an access point?
July 17th, 2010 at 2:02 pm
Hans: that’s outside of our control, some cards work better than others, dependent on the driver. The switch from FreeBSD 7.2 to 8.1 brings more and improved wireless drivers so that may resolve it for you.
July 18th, 2010 at 8:17 am
Thanks for a fast answer. I hope BSD 8.1 has improved support or else I’ll switch the card because I’m NOT going to switch firewall. This is definitely the best one. Keep up the good work.
July 21st, 2010 at 6:02 am
what about antispam feature on pfsense, something like the endian firewall
July 22nd, 2010 at 1:09 pm
We have been using pfsense now for about 2 years – it does almost everything out of the box. Great work – FreeBSD REALLY IS the safer platform for a security gateway.
There is one thing though: Squid tends to hang very often since 1.2.x times and we have tested 2.0 Beta 1 to 3 now and found that it still does tend to hang under typical heavy loads caused by video streams and large downloads. Also the squidGuard feature stopped to do any filtering when we updated to 2.0 Beta 3. Is this a known bug? Maybe adding video cache would be a good thing.
Btw. are there any plans to make the outbound multi-WAN loadbalancing a bit more fine grained in control – i.e. make it possible to do stats and set priority by protocol / protocol – load distribution / user / policy / affinity or Layer 7?
Sorry if this was the wrong place to post this.
July 23rd, 2010 at 1:32 pm
Hi,
Are you planning to include SOAP (or any other equivalent) based services to control the firewall apart from the existing web GUI in the near future? A SOAP based service would be really beneficial to write software on top of pfsense.
July 23rd, 2010 at 1:36 pm
im wondering would it be too much for a separation of sorts.?? what im looking to do is have a divider where the inbound traffic goes to one card and the outbound traffic goes to another?? is this possible in current version?? will it be available in the future.?? love this software meanwhile..really stable..
July 26th, 2010 at 4:11 pm
chris
I don’t think it would work, especially if there are 2 IP addresses involved. A connection entering one card (with its own IP) and leaving from another would have a very high chance of being discarded or seen as a man-in-the-middle attack. And having the same IP with different MAC Addresses would also create havoc on your network.
If you intended to have a card replying external access (for example a DNS server on the firewall machine or something on that line) and another for connections starting from the inside of the network (your LAN), that would work and is already implemented as Policy Routing.
Flavio
PS: Looking forward to final version as FreeBSD 8.1 has been released.
PS2: What a great software you have, belongs to the “Just Works” category (very well, I may add).
July 26th, 2010 at 5:01 pm
Manohar: aside from our existing XML-RPC capabilities, which aren’t exactly perfect for those kinds of scenario, no we don’t have any plans for anything along those lines at this time. Patches welcome though.
July 26th, 2010 at 11:51 pm
I’m still waiting the package on pfsense for limit for the work station specifically not using traffic shaper. you cant limit the band width one by one or customize.
July 26th, 2010 at 11:52 pm
And also the packages how to aggregate the speed of two ISPs.
July 27th, 2010 at 12:00 am
Pong: re: “limit the bandwidth one by one or customize”, it’s already there in 2.0 with limiters. We’ve already deployed it on several production installs for ISPs.
As for aggregating the speed of two ISPs, we do that as much as the laws of networking allow (or your ability to use BGP allows).
July 28th, 2010 at 2:13 am
Great product but we have one major feature missing. Support for Xen Server.
Will there be a Xen Server appliance or a way to install the Xen Server Tools?
Without Xen Tools there is no LiveMotion possible which limits pfSense significantly.
Any comments would be greatly appreciated.
Marcello
July 28th, 2010 at 2:28 am
Marcel: That’s dependent on FreeBSD and its Xen support, there is always ongoing work there but I don’t know where things stand at the moment. We use entirely VMware, mostly ESX, for testing, development, build servers, and some hosting. Don’t really work with Xen much, and we don’t have any Xen servers. That could be changed if you’re willing to put money towards it, email me if so (cmb at pfsense dot org).
July 28th, 2010 at 3:06 am
My pfsense is acting as a gateway, but I also have another gateway if the destination IP matches some IP I stated. The problem I got is that that another gateway requires traffic to pass a proxy server:port, can the version 2 do it?
July 28th, 2010 at 3:39 am
mynullvoid: ask on the 2.0 board on the forum
August 1st, 2010 at 9:40 am
First of all, thanks for this great software, I bought the book by amazon and it was a very interesting tool. I think that a really nice tool for Pfsense 2.0 could be the possibility to mark or tag some traffic as priority, like VoIP, to process first on ISP routers and avoid jitter and delay problems on VoIP links that go into the OpenVPN tunnels. Typically VoIP traffic is not ciphered and security is not guaranteed; recently a lot of people started to use OpenVPN tunnels to transport VoIP links with more security, but then all traffic priority tagging is lost (not really lost, it is inside the tunnel and loses its effect). We would need to be able to raise the priority of all UDP on 1194, for example (an all-VoIP dedicated tunnel); with a lot of hardware, delay higher than 100-110 is enough to not understand anything, so we need to be able to lower delay with proper VoIP tagging.
thanks !
August 8th, 2010 at 7:52 pm
Will there be any support for T1 cards? I would like to be able to terminate a T1 connection directly into a pfSense machine versus having to add something like an Adtran in front of pfSense.
Thanks for all the hard work guys, you’ve made a wonderful product thus far.
August 8th, 2010 at 8:05 pm
Reza: no plans at this time. If we had someone to provide funding for the hardware and time needed to add such support it could happen.
August 9th, 2010 at 4:10 am
DOES ANYONE KNOW, when PfSense 2.0 is about to be released for production use?
Thank you in advance for any reply… ANYONE
August 9th, 2010 at 1:13 pm
Haralambos: Read the post, that’s the most anyone knows.
August 10th, 2010 at 1:32 pm
Chris: What hardware would you need to be able to begin work on T1 stuff?
August 10th, 2010 at 1:44 pm
Joseph: we’d need T1 cards that are supported in FreeBSD. If any are, I’m not sure offhand. Plus, as importantly or more so, we need the money to cover the time. It’s really not a project we can take on right now, we’re focused on finishing 2.0 and that won’t be included. Definitely something we’d like to revisit in the future though.
August 11th, 2010 at 10:35 pm
Keep me posted, Chris. After this release it might be nice to get it on the roadmap.
August 12th, 2010 at 7:07 pm
I’d like to add this feature for easy setup and to be able to increase speed on dual WAN. For example, if you have two identical 50/10 connections, they become 100/20 in dual WAN with bonded connections or a load balancer.
August 12th, 2010 at 7:25 pm
Gage: in most scenarios that’s impossible because of how networking functions. Outside of tunneling all your Internet traffic out a datacenter with much more bandwidth, though that’s very expensive and makes latency much worse which will reduce performance of some things, or another option is bonding with your ISP via BGP or MLPPP, which isn’t an option for most people. Aside from those two scenarios it’s impossible to get the combined throughput of two Internet connections on a single TCP/UDP/any other protocol connection (use a download manager that opens multiple connections and you get the total throughput of them all).
September 1st, 2010 at 4:08 am
It would be nice if you could add multiple sources, destinations or services in the same rule.
September 1st, 2010 at 1:35 pm
Apostolos: you already can, that’s what aliases are for
September 11th, 2010 at 4:32 pm
@Marcel – easy to migrate pfSense VMs “live”, just set up a secondary in parallel on the next VM host and sync them via CARP. Then when you kill the first VM the other will take over automatically/transparently.
@Chris/Reza – we might have some spare T1 cards
@Hans – all Linksys devices (including the low-end Cisco rebranded ones) are prone to overheating and random drop-outs. (Just try a better card!)
@Nazir – pfSense is Cisco-compatible in SNMP. Just use a Cisco MIB in your monitoring system and you’ll get more than enough info for typical alerting purposes.
September 18th, 2010 at 11:00 am
One thing that I think is keeping this out of reach for large enterprises is that pfSense does not have a centralized management interface. In an enterprise like the company I work for, where we have 80+ firewalls, it’s just a management nightmare to touch all firewalls to admin them. So we use checkpoint… Other than that this is (by far in my opinion) the best OpenSource firewall project out there, and what better underlying OS than FreeBSD? Keep up the good work and looking forward to the 2.0 Release.
Thanks for pfsense!
September 19th, 2010 at 3:30 pm
Hey Guys! Amazing product!!
I would like to add to the wishlist!
1. Better SATA to CF support. Had loads of trouble with SATA to CF…but fine with IDE to CF. Even with Pfsense 2.0 beta.
2. Need the embedded version to support standard VGA/keyboard output… like the Hacom Pfsense version.
Thanks guys! Looking forward to pfsense 2.0!
September 19th, 2010 at 4:51 pm
Capone: for #1 you need to try that with FreeBSD 8.1 and report any problems to the appropriate FreeBSD list, we don’t have any control over that nor do we develop anything related to that.
bsdwiz: that’s sort of like saying FreeBSD can’t be used in large enterprises because it doesn’t have a centralized management interface. It does, it’s a matter of choosing something and using it. Though there would definitely be some custom programming involved regardless of your choice (but people do have large deployments with custom centralized management). We’ll have some news on that topic in the next year or so.
September 30th, 2010 at 12:40 am
I have set up 4 pfSense systems and everything is running fine; for two of the systems I have prepared identical standby pfSense systems in case of failure.
Never used for two years….
Is it possible in 2.0 to import a local user database with prepared user passwords?
October 20th, 2010 at 5:31 am
Thanks Chris, a really powerful product that we like. Great job!
Our pfSense firewall works very well here. And we do like your integrated Packages, like Squid, too.
Now we’re wondering whether it’s fine to integrate the WANProxy into Pfsense as a Package? WANProxy runs well on FreeBSD platform so we believe that it should be OK to make smooth integration. It will be very helpful to accelerate certain applications via WAN transmission.
WANProxy’s URL: http://wanproxy.org/
Thank you, Chris!
October 20th, 2010 at 8:30 am
Peter: sure, you can add that as a package.
October 20th, 2010 at 10:14 am
Thank you Chris for the comments!
But will it be possible to integrate the said WANProxy as a package in 2.0? If so, many people can enjoy this useful function.
Thank you!
October 20th, 2010 at 10:57 am
Peter: if you want to create a package, you’re certainly welcome to submit one and we’ll get it committed. If you want us to, if you’re willing to pay for it we can definitely make that happen, just email me (cmb at pfsense dot org) to discuss further. Otherwise, we have no plans of adding that in the near future.
November 14th, 2010 at 11:48 pm
Hi Chris,
Can we have another status update on how far down the track 2.0 has reached? Is it likely that it will still be released “this year”? Can you give us a little insight into what’s happening other than “lots of testing”?
Is there anything that those of us who are more end users of pfsense can do to help?
I’m trying to pitch this more in a “please can you help us appreciate what’s happening” context!
Thanks.
James.
November 14th, 2010 at 11:55 pm
You can see what’s still remaining at redmine.pfsense.org. We expect RC1 soon.
April 29th, 2011 at 3:29 am
Can we use the Load Balancing / WAN Failover with SQUID? I hope it will be possible now.
September 30th, 2011 at 3:48 am
Same question:
Can we use the Load Balancing / WAN Failover with SQUID? I hope it will be possible now.
September 30th, 2011 at 4:12 am
pong: yes