Posts Tagged ‘1.3 new features’

GIF and GRE support now in 1.3

Friday, July 25th, 2008

Thanks to Ermal, pfSense now supports gif (generic IP-in-IP) and GRE tunnel interfaces. Integration with IPsec is coming soon. This isn’t something most people will use, but some like to run gif over IPsec, and some need GRE for interoperability with other vendors’ equipment (commonly Cisco, in configurations that rely on GRE tunnels).

Running a tunnel interface over IPsec lets traffic be routed across the VPN by the routing table, rather than selected by an SPD (security policy database) match, which is preferable in some environments: only the tunnel traffic between the two endpoints needs an IPsec policy, and which internal subnets cross the VPN is decided by routes. It also allows routing protocols to run across the VPN.

Multiple PPPoE, PPTP, and Dynamic DNS now supported in 1.3!

Friday, July 25th, 2008

Thanks to the hard work of Ermal Luçi, pfSense 1.3 now contains a number of great interface and dynamic DNS related improvements. The following have all been completed.

  1. PPPoE and PPTP are now possible on any interface rather than just WAN. For multi-WAN with multiple PPPoE or PPTP connections you previously had to terminate the PPPoE or PPTP session on the modem or another device; now pfSense handles this directly.
  2. Dynamic DNS is now multi-account capable. This means you can use it with multiple WANs, and/or use multiple services on the same WAN.
  3. carpdev support – This was attempted, and unfortunately backed out because of problems with carpdev in FreeBSD. If those problems are resolved, it will return. This allows the use of CARP without the static public IP requirement.
  4. Interface list consistency – this isn’t really relevant to end users, but it’s a great improvement for developers. The code for obtaining the list of active interfaces, inherited from m0n0wall, had turned into a hack as we added functionality such as multi-WAN and single-interface support. This resolves a number of development difficulties.
  5. Completely reorganized back end interface support. The interfaces are all treated equally now, fully removing the “special” status that LAN and WAN formerly received.
  6. Improved back end VLAN interface handling
  7. Introduction of dummynet support in pf – this provides even more flexible and powerful traffic shaping abilities, including these two oft-requested features amongst numerous other possibilities:
    - Per user bandwidth limiting
    - Per local subnet bandwidth limiting
  8. Improved ruleset creation speed – testing shows at least a 15% improvement here.
  9. Captive Portal is now multi-WAN capable
  10. Sticky connections for outbound load balancing should be fixed.

Mostly finished work

  1. Replace the event system with a daemon offering better handling of events.

Work in progress

  1. Better PPTP and FTP handling in NAT. The PPTP fixes will allow multiple outbound connections to the same external PPTP server using a single public IP. Details of that issue are on the Features page on the website under PPTP/GRE NAT limitation.
  2. More disciplines on the shaper such as shortest living connections getting higher priority, and addition of the JoBS/WFQ discipline for ALTQ.

Thanks Ermal!

Significant IPsec Improvements now in 1.3!

Friday, July 18th, 2008

We are pleased to welcome Matthew Grooms as our newest pfSense committer. As the developer of the Shrew Soft VPN client and an ipsec-tools developer, he brings a vast knowledge of IPsec to our development team.

Matthew recently committed some great IPsec improvements to 1.3. He provided the following, outlining these changes.

Completed Work

  1. Split IPsec configuration into phase1 and phase2
  2. Allow for multiple phase2 configurations for a single phase1 – this means you no longer have to create parallel tunnels for routing multiple subnets between two sites.
  3. Enable a broader range of ID types to be specified
  4. Improve options for variable length key ciphers ( Blowfish & AES )
  5. Proper handling of address vs subnet negotiations in phase2
  6. Introduce Hybrid, Xauth and modecfg support for remote access
  7. Update Mobile access to allow for more secure policy generation
  8. Update Mobile access configuration to define modecfg-attributes
  9. Introduce initial support for user authentication
  10. NAT-Traversal (NAT-T)
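The two VPN designs this page touches on, the “routing across VPN rather than an SPD match” point from the GIF and GRE post and item 2 above (several phase 2 entries under one phase 1), are easiest to see side by side. The following is an added example written for this page, not code from the original post or from pfSense. It models both designs in Python: for the policy-based design it emits the tunnel-mode SPD entries in setkey(8) syntax, one pair per phase 2, and for the route-based design it emits the single transport-mode policy on the IP-in-IP traffic plus the FreeBSD gif/route commands, then checks which flows each design actually protects. The WAN addresses, tunnel addresses, subnets and the gif0 interface name are constructed assumptions; the ifconfig and route commands are returned as text, not executed.

```python
import ipaddress

# Constructed, hypothetical site-to-site example using documentation-range
# addresses. Nothing here is pfSense configuration.
SITE_A_WAN = "203.0.113.1"
SITE_B_WAN = "198.51.100.1"


def policy_based_spd(local_subnets, remote_subnets,
                     local_wan=SITE_A_WAN, remote_wan=SITE_B_WAN):
    """Policy-based VPN: one phase 2 per local/remote subnet pair. Each pair
    becomes a pair of tunnel-mode SPD entries (setkey(8) syntax); all of them
    hang off the same phase 1, i.e. the same local_wan/remote_wan peers."""
    lines = []
    for local in local_subnets:
        for remote in remote_subnets:
            lines.append(f"spdadd {local} {remote} any -P out ipsec "
                         f"esp/tunnel/{local_wan}-{remote_wan}/require;")
            lines.append(f"spdadd {remote} {local} any -P in ipsec "
                         f"esp/tunnel/{remote_wan}-{local_wan}/require;")
    return lines


def route_based_spd(local_wan=SITE_A_WAN, remote_wan=SITE_B_WAN):
    """Route-based VPN: a gif tunnel between the endpoints, protected by one
    transport-mode policy on the IP-in-IP payload (protocol 4, 'ip4' in setkey).
    The number of subnets behind either side does not change this policy."""
    return [
        f"spdadd {local_wan} {remote_wan} ip4 -P out ipsec esp/transport//require;",
        f"spdadd {remote_wan} {local_wan} ip4 -P in ipsec esp/transport//require;",
    ]


def gif_commands(local_wan, remote_wan, local_tun, remote_tun, remote_subnets):
    """FreeBSD commands that would build the gif interface and point routes at
    it. Returned as strings rather than run; they need root on a FreeBSD host."""
    cmds = [
        "ifconfig gif0 create",
        f"ifconfig gif0 tunnel {local_wan} {remote_wan}",
        f"ifconfig gif0 inet {local_tun} {remote_tun} netmask 255.255.255.255",
    ]
    cmds += [f"route add -net {net} {remote_tun}" for net in remote_subnets]
    return cmds


def policy_protects(local_subnets, remote_subnets, src, dst):
    """Is a src->dst flow covered by some phase 2 selector? A flow that matches
    no SPD entry falls through to the kernel's default policy ('none') and
    leaves the WAN in the clear, which is the classic policy-based VPN leak."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l in local_subnets for r in remote_subnets)


def route_protects(routes, dst):
    """Longest-prefix lookup over (network, next hop) tuples. The flow is
    encapsulated, and therefore ESP-protected, only if the winning route
    points at the gif interface; the default route sends it out in the clear."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best is not None and best[1] == "gif0"


if __name__ == "__main__":
    local = ["10.1.0.0/16", "10.2.0.0/24"]
    remote = ["192.168.10.0/24", "192.168.20.0/24"]
    print("\n".join(policy_based_spd(local, remote)))        # 8 entries
    print("\n".join(route_based_spd()))                     # 2 entries
    print("\n".join(gif_commands(SITE_A_WAN, SITE_B_WAN,
                                 "10.255.0.1", "10.255.0.2", remote)))
    routes = [("0.0.0.0/0", "203.0.113.254"), ("192.168.10.0/24", "gif0")]
    print(policy_protects(local, remote, "10.1.5.5", "192.168.30.9"))  # False
    print(route_protects(routes + [("192.168.30.0/24", "gif0")], "192.168.30.9"))  # True
```

The asymmetry is the practical point: with the policy-based design every additional subnet pair needs another phase 2 (and, before this change, another tunnel), and any flow you forget to enumerate is sent unencrypted; with the route-based design adding a route, or letting a routing protocol install it, is enough. The route-based design has the mirror-image failure, a withdrawn route sends the same traffic out the default route in the clear, so in either design a pf rule blocking unencrypted traffic to the remote subnets on the WAN interface is cheap insurance.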

Remaining To Complete

  1. Improve user management interface for mobile clients
  2. Introduce RADIUS and LDAP support for extended auth
  3. Improve IPsec SPD/SAD management to not purge active SAs on reload
  4. Improve certificate management for IPsec configurations
  5. Look into support for dyndns -> dyndns IPsec peers

More information
For those not exceptionally familiar with IPsec, the above lists may not tell you much of anything. More information on usage and what all this means will come in the future.

Eye Candy
New tunnels page
New mobile clients screen
New mobile clients phase 1 edit screen
New mobile clients phase 2 edit screen

Trying it out
This work is currently available in 1.3 snapshots. We encourage you to provide feedback on the mailing list or 1.3 board on the forum if you try it.

Kudos
Many thanks to Matthew for all his work on this! When completed, this will bring the most capable IPsec implementation of any open source firewall distribution to pfSense – by far. It will also provide a standards-compliant IPsec solution better than most commercial firewalls (what exists in 1.2 is already better than a number of them).

One-click Auto Upgrade has returned in 1.3!

Saturday, May 24th, 2008

Those of you who have been using pfSense for several years will remember that, before 1.0, there was an auto-upgrade page that would upgrade you to the latest available release with one click. It was later broken by some changes and removed prior to the 1.0 release, but it has been fixed and resurrected and is now working in 1.3.

By default, it checks for a newer stable release than the one you are using, and if one is available, you can click a button and it will download and install the update. It also allows changing the URL to pull snapshots instead, or you can enter your own URL if you maintain a custom build. The current manual upgrade remains available as well.

1.3 is under such active development that it isn’t really suitable for any non-developers at this time. We gave the URL for the snapshots to attendees at our BSDCan tutorial, but won’t be releasing it to everyone just yet.

What’s coming in 2.0

Saturday, March 15th, 2008

This release already contains some significant new features. Among them:

  • Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing. Thanks to Ermal Luçi for doing the work, and the numerous people who contributed to the bounty to make this happen!
  • User manager – multiple administrative users can be created, with varying levels of access. Access groups can be defined to easily grant identical access rights to multiple users. Rights can be defined individually for each page in the web interface.
  • LDAP authentication – LDAP is integrated into the user manager so pfSense can authenticate against any LDAP server. Microsoft Active Directory and Novell eDirectory have been thoroughly tested, though any LDAP server should work. You can even define groups in your directory and assign rights in pfSense to those groups.
  • Significant OpenVPN improvements – these are still a work in progress, more info to come.
  • Routing improvements – still a work in progress as well, but will allow more flexible routing capabilities.