pfSense Digest

After several months since the last official 1.2.3-RC release, because of some tough issues in the underlying software that are now resolved, 1.2.3-RC3 is now available.

The final release will be coming very soon, please help test.

The major changes since 1.2.3-RC1:

• NAT-T support has been removed. Adding it brought out bugs in the underlying ipsec-tools, causing problems in some circumstances with renegotiation and completely breaking DPD. These issues are fixed in the CVS version of ipsec-tools, but it’s still considered alpha, and we found different problems when attempting to use it instead. NAT-T will be back in the 2.0 release, where it’s not as much of a pain since NAT-T is now in stock FreeBSD 8.
• Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.
• Captive portal locking replaced – the locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.
• Embedded switched to nanobsd – this is explained more here.
• DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.
• Atheros driver reverted to the one in FreeBSD 7.1 + patches from Sam Leffler, as existed in 1.2.3-RC1. The FreeBSD 7.2 driver exhibited numerous regressions that are no longer an issue, but reverting removed support for cards newly supported in FreeBSD 7.2.

Those are the major changes in this version that impact many users. A number of other minor edge case bugs were fixed, things that nearly all of you have never seen and won’t ever run into. If you’d like the full details on all the changes on the 1.2.x branch, see the git commit logs.

Downloads

New installs

Upgrades

We have been announcing the upcoming pfSense book already multiple times here on the blog. Here’s a quick update for all those waiting to finally buy it: It’s almost done!

As you can see from the information on the publishers site it only needs some finishing touches and even the first preview print has been produced.

Stay tuned, we’re almost there!

Passing on an email from The FreeBSD Foundation:

Millions of systems run FreeBSD. Hundreds of volunteers contribute to FreeBSD’s success. But what is the size of FreeBSD’s user base? This simple question is very hard to answer, but its answer is vital to the cause of promoting FreeBSD. It is extremely difficult to convince businesses to invest time and money to add FreeBSD support to their products based solely on vague estimates of the size of our community. We should know – working to make FreeBSD a more widely supported platform is a task the FreeBSD Foundation has worked on since its inception.

Please help us in our fight to promote FreeBSD. A donation to the FreeBSD Foundation helps fund our work, but it also gives us strength in numbers. Our count of unique donors is a vital indication of the size and buying power of our community. However, we have never broken even one thousand donors in any year. We know in our hearts that this is a small fraction of our user base and of those who want to help expand FreeBSD’s presence.

So stand up and be counted! Make a donation. Encourage other FreeBSD users to donate as well. No donation amount is too large or too small. Just by becoming a donor you are making a powerful statement about the strength of FreeBSD!

As the base operating system of this project, much of the work the FreeBSD Foundation sponsors directly benefits pfSense users as well. You can donate here. The FreeBSD Foundation is a non-profit 501(c)3 charity, so your contributions may be tax deductable.

Embedded has historically been a second class citizen, with most development focus and most users ( > 80% of downloads) using full installs. Taking advantage of what a full install offers was in fact the original reason for this project, though embedded was later added. This has now changed considerably, with the introduction of the next generation of pfSense embedded. It’s been on the snapshot server for quite some time and been a work in progress for months, but now we want to alert people of its presence for wider testing. It is based on nanobsd, a standardized build methodology for FreeBSD embedded applications.

The changes it brings:

• Reliable upgrades – Finally, no longer is there a need to re-flash your CF and restore your configuration.
• Multiple firmware support – there are two partitions, each containing their own separate pfSense install. To test upgrades, you can upgrade the second partition, and roll back to the first if necessary.
• Package support – packages that are suitable for an embedded platform are supported.
• Multiple hardware architecture support – with some additional changes that are currently in the works, this will allow us to support non-x86 architectures in the future, where FreeBSD supports those architectures and specific platforms. Expect to see MIPS and ARM first, with others possible. Historically, these platforms had such limited CPU, RAM and flash that we would have been forced to spend an inordinate amount of time trimming things down, removing numerous features only to end up with a much less attractive offering. That development time is better spent elsewhere. With new MIPS and ARM platforms offering considerably more flash and RAM, this is no longer the case. Though these hardware limits are still applicable to your typical consumer grade Linksys and similar routers, they will never be supported. Specific information on supported hardware will come in the future.

There are 512 MB, and 1, 2 and 4 GB images available. The 4 GB images work fine with larger size CF cards. For now there won’t be any images larger than 4 GB, though expect that to change for 2.0.

1.2.3 embedded will be released based on nanobsd, and the old means of doing embedded will be discontinued. This means the minimum CF size for 1.2.3 embedded will be 512 MB. This is necessary because of the dual firmware support, it has to be twice as big, and we want to leave plenty of space for future upgrades.

What about my smaller than 512 MB CF card?
There isn’t an easy way to accommodate CF cards less than 512 MB. A 512 MB card can be found for under $20 USD including shipping, you’ll need to upgrade.

Download
You’ll find images in the nanobsd folders on the snapshot server.

Support
For problem reporting, please use the 1.2.3 board on the forum, or the mailing list.

I will be presenting on pfSense at EuroBSDCon 2009, September 18-20 at University of Cambridge, England. A summary schedule, subject to change, is available and registration is open.

This will be my first EuroBSDCon, though I’m sure it’s as well done, informative, and fun as BSDCan and DCBSDCon, of which I’ve attended 6 combined.

My presentation will be an updated version of the presentation given at BSDCan, covering all the new functionality in 2.0, and our plans for beyond that.

I look forward to meeting some of you there!

small Update:

Holger and Seth will be there too.

Karolina, editor of BSD Magazine, has left a comment here on our blog on my previous post that BSD Magazine will continue to be published!  This is great news, but of course it still needs the support of the BSD community.

So if you’re one of those who commented previously that you wished you had heard of it previously, you can still subscribe now.

Doesn’t come as a surprise to me given that the client is still flaky on Vista and Windows 7 to this day, there is still no version compatible with 64 bit Windows (and never will be), but Cisco has ceased development of their IPsec VPN client. They’re forcing users to their SSL VPN product, which comes along with per-user licensing fees – something that did not apply to the IPsec VPN client. Cisco customers are paying an arm and a leg for the ASA and/or IOS hardware, and ought to have continued to be able to use any VPN without additional licensing fees on top of that.

But thanks Cisco, from a Cisco certified professional now making a good chunk of his living off replacing Cisco hardware with pfSense. I’m sure you’ve just driven a lot of folks to look at lower cost options, especially open source.

Can’t say I really care for the Cisco VPN Client anyway, it has blue screened Windows on me more in the past couple years than everything else combined (though the Mac version has never caused me any trouble).

Shrew Soft IPsec client is a nice, free alternative that’s proven to be more stable in my experience.

I have been a subscriber since the inaugural issue, and hope they can still make a go of it. Passing along an email from the editor of BSD Magazine.

I am sure most of you already heard that BSD magazine is going to be closed,
due to much lower benefits than expected and the economy in general…

There is one last chance thought – if I somehow manage to increase the sales
figures in stores the magazine will be published. I was given only one week
(till Monday). Not much, but better than nothing. I think it is worth trying!

I can’t do it alone -so I am asking you for your help and support. I know most
of you are already helping and I am really thankful for that.

If you could help me to promote the magazine on all forums, portals, blogs or
anywhere else I would be really grateful.

I have attached the cover of the most current issue of BSD magazine if you
would like to use it.

Please spread the word about BSD magazine!

Please vote on this poll and help us decide which size of NanoBSD embedded to ship in 1.2.3.

http://forum.pfsense.org/index.php/topic,17369.0.html

Just a really quick update: The theme was added to the 1.2.3 branch and should be available after the next snapshot builder run. However, we have decided to not make it the default theme yet. You can switch to the new theme under system>general after updating your install or after installing from a recent snapshot-livecd.

You can grab the updates or new livecd from the snapshot-site.