Posts Tagged ‘1.2.1’

pfSense 1.2.1 released!

Friday, December 26th, 2008

The pfSense team has a Christmas present for you all – the 1.2.1 final release. 

The only changes since RC4: 

  • Fixed problem preventing RIP from starting
  • Fixed broken link in VLAN reboot notification
  • Fixed problem with SSL certificate generation

Changes since 1.2 release

This is strictly a maintenance release, meaning it contains only bug fixes in the pfSense code and no new features. We did, however, upgrade the base OS from FreeBSD 6.2 to 7.0, which necessitated numerous changes in how things are configured. The change to FreeBSD 7.0 brings improved performance and more hardware support.

Change log

cvstrac contains a list of every single change from the 1.2 release to the 1.2.1 release. For those interested in just the highlights (the full change list has a lot of minor, trivial things), see the RC2, RC3 and RC4 release blog posts.

Download

New Installs

Upgrades - for information on upgrading, read the Upgrade Guide

VMware Firewall/Router Appliance

Note on Release Signing
The key for signing releases and its backup were inadvertently destroyed. This means you’ll get a warning that the release is unsigned, unless you are updating from a recent 1.2.1 snapshot. You can either just click through that warning, or install the Pubkey package you will find under System -> Packages. If you wish to update the file manually from a secure source, you can overwrite /etc/pubkey.pem with this file.

1.2.1-RC4 now available

Tuesday, December 16th, 2008

RC3 was short lived because of a regression in the FTP proxy for those who use it to host FTP servers behind NAT. Unforeseen consequences of a bug fix in RC2 broke this. 

The only change from RC3 to RC4 is this bug fix resolving problems with the FTP proxy. 

1.2.1-RC4 VMware Appliance is also available.

1.2.1-RC3 is on its way to the mirrors

Sunday, December 14th, 2008

1.2.1-RC3 is here!

This release has been replaced by RC4 because of a regression for the FTP helper with FTP servers hosted on your network behind NAT. 

Changes since 1.2.1-RC2 include:

  • Do not accept \ in alias fieldnames
  • Fix setup wizard WAN configuration page since removal of BIGPond
  • Replaced route get default with netstat -rn equivalent
  • No longer syncs CARP configuration when not needed
  • Do not use broadcast on CARP addresses
  • Fixes for CARP and VLANs related to interface and IP changes
  • Added OpenNTPD to Status -> Services
  • Removed enable filter bridge checkbox, it’s on by default
  • Fixed “no state” rules
  • Corrected description for bogon rule
  • Now shows rejected rule icon correctly on firewall edit page
  • Minor fixes for embedded upgrades (needs further testing)
  • Creates a backup of config.xml prior to package installations
  • Correct interface polling
  • Minor PHP Shell changes/fixes
  • Bumped /cf/ to 4.5M
  • No longer destroys enc0
  • NAT Reflection timeouts are now consistent for TCP/UDP
  • Ensure default gateway is present after filter reload
  • Detect iPhone / iPod and switch theme temporarily to pfSense
  • Other minor changes, please see cvstrac.pfsense.org reports section for RELENG_1_2

If all goes well we will be releasing 1.2.1-Final on XMAS!

Happy pfSensing!

1.2.1 release schedule

Thursday, December 11th, 2008

If you follow Scott’s twitter, you’ve seen our plans for the 1.2.1 release. This weekend will see the last RC, and the final release will come as a Christmas gift to the community.

pfSense 1.2.1-RC2 VMware Appliance available

Friday, November 21st, 2008

With each release going forward, we will be providing a VMware appliance in addition to the versions currently provided. This one is being handled a little differently since it is the first; in the future they will just be a part of the normal release announcement.

Many people (including nearly all of our developers) run pfSense in various VMware products covering their entire product line. For years now, the pfSense installer has automatically detected when you are running in VMware and applied OS tweaks specific to optimal performance when running under VMware hypervisors. More recently, Open-VM-Tools, the open source version of VMware Tools, is also available as a pfSense package. If you are one of the many existing users of pfSense in VMware, you should consider installing that package.

Latest download link available here.

There are numerous mission critical pfSense deployments running in ESX, so this is a proven virtual firewall solution. The VMware Appliance is different from a stock pfSense install in three ways:

  • Default allow all rule added on WAN – usually your VM firewall’s WAN will be connected to your LAN, and this makes it easier to get in.
  • VMware Tools installed
  • Hostname set to pfsensevm.local rather than pfsense.local

Compatibility

Works with VMware Server 1.0 and newer, Workstation 6.0 and newer, ESX 3.x, every version of ESXi, and every version of Player.

Is it good to run my production firewall in a VM?

Sometimes yes, sometimes no. A more expansive dialog on this will come.

Usage

For hosted products (Server, Workstation, Player, Fusion) – Just extract the zip file, and double click on the FreeBSD.vmx file.

For ESX and ESXi – there are several ways to pull this VM into ESX/ESXi. I personally prefer using the free VMware Converter.

Network Info

The WAN interface is configured as bridged, and the LAN is on VMnet2. The WAN is configured for DHCP by default, so if the network your VMs are bridged to contains a DHCP server, it will pull a lease. You will see the WAN IP at the console menu. Because the VM Appliance includes an allow all rule on WAN, you can just pull up the shown WAN IP in your web browser to log in. Note this allow all rule is simply for convenience in getting up and running – with this rule in place, you don’t have a firewall, you have a wide open router.

More info on VMware and networking will also come at some point.

pfSense 1.2.1-RC2 now available

Friday, November 21st, 2008

pfSense 1.2.1-RC2 is now available for testing. This is the first official RC release of 1.2.1, and we believe it eliminates all regressions that have been found since the first 1.2.1 snapshots were made available 4 months ago. Plus it fixes several bugs in 1.2.

1.2.1-RC2 VMware Appliance is also available.

The changes from 1.2 release:

  • Numerous changes to accommodate differences in FreeBSD 7.0. Lesson learned here – we hoped 1.2.1 would be a fast release cycle, but it ended up being a significant amount of work because of the changes in FreeBSD from 6.2 to 7.0. It’s certainly for the better, as 7.0 brings improved performance, more and better hardware support, enhanced wireless capabilities, and more.
  • Multi-WAN bug fix – reply-to was not added to WAN rules, which caused difficulties under some specific circumstances with accessing services running on the firewall using OPT WAN interfaces.
  • Bridging bug fix – a problem with the way firewall rules were being applied to bridging could lead to strange behavior in some bridging scenarios. Also, DHCP clients used to be automatically allowed through bridges. This is no longer the case: if you use a DHCP client behind a bridge, your firewall rules must allow the DHCP traffic.
  • Captive Portal bug fix – imported from m0n0wall, related to MAC authentication with RADIUS.
  • Keep state change – the newer pf version defaults to keep state, so rules that required no state keeping (same interface firewall rule bypass) needed “no state” added.
  • NAT reflection bug fix – 20 second timeout was being incorrectly applied, affecting long-lived connections.
  • Mobile IPsec fixes
  • Some minor text clean up, typo fixes
  • Packages screen now has a “Package Info” column rather than the “maintainer” column which was of limited use. Links to information on the package are shown there, for packages that have links defined. Many have links already, and work is currently under way to add a link for every package and expand the information available on them. The Installed Packages tab also shows the Package Info links. When you access the package screens, it fetches the most recent package information from our servers, including the Package Info links. You will see more links come with time, without having to upgrade pfSense.
  • Significant speed up in boot process, especially when using CARP. There were some delays in the boot process that could be removed thanks to changes in FreeBSD 7.0, which has made booting quite a bit faster. 

Complete change list is available here.

You can find it on the mirrors – new installs and upgrades. Embedded users especially need to read the upgrade guide before proceeding with an upgrade.

Note on Release Signing
The key for signing releases and its backup were inadvertently destroyed. This means you’ll get a warning that the release is unsigned, unless you are updating from a recent 1.2.1 snapshot. You can either just click through that warning, or install the Pubkey package you will find under System -> Packages. If you wish to update the file manually from a secure source, you can overwrite /etc/pubkey.pem with this file.

Please help test
The development team has upgraded numerous critical production deployments to 1.2.1 and there are no remaining regressions from 1.2 that we are aware of. There have also been thousands of downloads since the beginning of the RC cycle, so it has been widely tested to date. We believe this release is very close to being final.

1.2.1 Development Status Update

Monday, September 8th, 2008

There are a couple remaining known issues with 1.2.1. 

Wireless – there were some issues here; we think they should all be fine after a couple of commits this weekend. This isn’t fully verified yet, though. If you were having any trouble with wireless in 1.2.1, please try an updated snapshot and report your findings in the forum.

VLANs – This one is difficult to quantify because it works fine in many circumstances, and fails in others. This will get some more attention over the next week. 

You can always find the most up to date status of known 1.2.1 issues on the developer wiki

Once we’re confident the wireless issues are indeed resolved and find and fix the cause of the VLAN problems some users are experiencing, we’ll be releasing the first official release candidate. The release candidate phase should be short; we expect a final release not long after the first RC, assuming no additional significant issues are discovered.

1.2.1 Snapshots Available for Testing

Sunday, July 6th, 2008

pfSense 1.2.1 snapshots are now available for testing! These snapshots contain a few bug fixes since 1.2 release, and the base OS has changed to FreeBSD 7.0.

WARNING
These snapshots are not widely tested at this point. The change to FreeBSD 7.0, and some changes in the build system related to our git conversion, may have created some OS issues. The pfSense code itself has not changed much from 1.2-release, and what has changed is all pretty well tested, so there likely won’t be any issues there. The OS changes mean you should be very careful if you choose to test these snapshots. Back up your configuration first, and make sure you have a pfSense 1.2 CD handy for reinstall in the worst case scenario. We are not aware of any problems, but again, this has not been widely tested yet so proceed with caution! I strongly suggest not trying this on any critical systems yet.

Base OS Changed to FreeBSD 7.0…for now

Our previous plan was to release 1.2.1 on a FreeBSD 6.3 base, but we want to keep our latest stable release on FreeBSD’s latest stable release, to ensure the best hardware support and performance. So our first public 1.2.1 snapshots are based on FreeBSD 7.0. This is subject to change back to 6.3 if significant issues are found that would delay this release. We’re hopeful this will be even better than 6.x, but time will tell.

Upgrading to 1.2.1 Snapshots
You should be able to successfully upgrade a 1.2 full install using a pfSense-Full-Update file from either the Firmware page or console upgrade. This has been tested a handful of times with no problems, but again – not widely tested. Embedded upgrades might be possible from the console, but have not been tested at all. If you would like to try, let us know how it goes. Make sure you back up your config, and be prepared to reflash.

Snapshot File Naming Convention
The file naming convention for snapshot releases has changed. They now include the date and time of the snapshot build. This is in YYYYmmdd format, and is in the local time of the build servers (Louisville, US Eastern). This makes the snapshots sort properly by date, and makes it easier for those of us who keep lots of snapshots to retain them with unique names. It also means we will never interrupt anyone’s download by overwriting with a new snapshot. Several builds will be retained in these folders for 1-2 days – make sure you get the newest build available.

New Forum Board for 1.2.1 Snapshots
Please keep all forum 1.2.1 discussion in the 1.2.1 Snapshot Feedback and Problems board. If you post to the mailing list, make sure you mention you are using 1.2.1 snapshots. If you try these snapshots, we would appreciate feedback on your experiences.

Download Link
Yes, I have fully read and understand the above and wish to continue to download 1.2.1 snapshots

Questions
General questions can be posed here as a comment, or on the forum. If you have a specific problem to report, please do not leave it as a comment, rather use the forum or mailing list. This allows us to work with you on issues without creating a mess in the comments here.

Enjoy!

Development update

Wednesday, June 18th, 2008

Development work continues on 1.2.1 and 1.3.

1.2.1

We’re having some build server difficulty, or would have made snapshots available almost a month ago. We hope to have that resolved this week and get 1.2.1 snapshots available so the community can help us test the changes.

1.3

We have 1.3 snapshots building but have not had time to put together the required information to make them widely available. We’re also hesitant to provide snapshots of branches that are seeing frequent development and have a number of areas in the midst of significant changes. But once we can write up some caveats, basic guidance, and things to look out for, we will make the snapshots publicly available.

Revision Control Conversion

Bill Marquette has been working on converting our revision control from CVS to git, and replacing cvsweb and cvstrac. These will be much improved across the board once this conversion is complete. Our current systems are less than ideal for a number of reasons. More information on this will come once we get fully converted (ETA unknown).

BSDCan wrap up

Monday, May 19th, 2008

We made it back safely from BSDCan yesterday. It was a great time, as always, with some great presentations. The slides from our tutorial will be available sometime this week after I catch up on some other things and have a chance to upload them. Thanks to those of you who attended, it was great to meet many pfSense users.

The pfSense developer summit went well also, many thanks to those who made contributions! We resolved a number of open tickets and made progress on several others. Still some more work to do before 1.2.1 is ready, but we got about half of it knocked out this week. More here on that later.

I would also like to thank several FreeBSD developers we had discussions with during the week. Historically we have only gotten attention from a very few FreeBSD developers (though their involvement is very much appreciated), and the tough problems we run into commonly do not get responses from developers with the ability to resolve those issues. Every year we get more attention from FreeBSD developers, and more are interested in ways we can work together more. We hope to be able to work together better in the future, to improve both pfSense and FreeBSD.