pfSense moves to Apache License

With the pending departure of Chris Buechler, we wanted to find a way to express to the community our continued commitment to keep pfSense® software open source.

As such, pfSense is moving to the Apache License 2.0  in order to align the goals of the project with other (unannounced) offerings from Netgate.  The Apache License 2.0 is a permissive license similar to the MIT License. The main conditions of this license require preservation of copyright and license notices.

Where the 2-Clause and 3-Clause BSD licenses provide no direct language around the areas of copyright, patents and trademarks, the Apache License does. The Apache License is very clear that individual contributors grant copyright license to anyone who receives the code, that their contribution is free from patent encumbrances (and if it is not, that they license that patent to anyone who receives the code), and that use of trademarks extends only as far as is necessary to use the product.  As a reminder, only genuine pfSense software can bear the registered trademark of pfSense. The license also includes a patent termination clause, should a lawsuit arise.

The Apache License 2.0 is the third most popular license on GitHub. Android, Apache, Chef, Docker, OpenStack, Salt Stack, and Swift use the Apache License 2.0.

Now pfSense does as well.

 

 

 

Moving Forward

Over the past few months, the Netgate® engineering team and our community contributors have delivered the software foundation for a new era of pfSense® technology.

In April we released version 2.3 of pfSense software which features a new, modern webGUI utilizing Bootstrap, as well as converting the underlying system to FreeBSD® pkg.  The pkg conversion enables us to update pieces of the system individually going forward, rather than the monolithic updates of the past.  The webGUI rewrite brings a new responsive look and feel to the pfSense project, which minimizes resizing or scrolling across a wide range of devices from desktop to mobile phones.

Since releasing pfSense 2.3 we have demonstrated both a dual Ethernet ARM device and the new dual Ethernet Minnowboard Turbot, running an experimental version of pfSense software version 2.4.  We have also shown technology demonstrations of kernel bypass networking via netmap-fwd, which can yield ten-fold improvements in packet processing.  Taken together, these results demonstrate the start of a new era for Netgate and pfSense.

As we enter this new era, Chris Buechler has informed us that he will be leaving the project to pursue a career outside of pfSense and Netgate. On behalf of the company and community, I thank Chris for his passion and dedication to the pfSense project. He worked hard to help build pfSense into an Open Source project that is recognized and respected worldwide as the best-in-class Open Source firewall and router based on FreeBSD.  We will not only miss the technical expertise Chris brought, but also his in-depth knowledge of the pfSense community and customer base. Please join me in wishing Chris well in his future endeavors.  We will announce a new community manager in the next several weeks. With change comes great opportunity.

As most of you know, pfSense serves a worldwide community of more than 350,000 users who are passionate about protecting their networks, large and small, using the most flexible, extendable and reliable Open Source firewall and router available.

What we have accomplished over the past few years bringing pfSense technology up to date with changes in FreeBSD, expanding availability into the cloud with Amazon® AWS, Microsoft® Azure and VMware® Certified images, while also making changes in how we think about security and networking is nothing short of amazing.  We know that we have more amazing in us and that Netgate and pfSense have a bright future ahead.  We are excited about our people, we are energized by our ability to change and grow, and we look forward to the success which lies ahead.  We look forward to your continued contributions, and continuing to participate with you in creating the best that pfSense can be.

Thank you for your continued effort working collaboratively in our passionate community of contributors, testers, and users. Together we will continue to advance the state of the art of the best Open Source network security software on the planet.

 Aloha Oe, Chris.

Jim and the Netgate Team

 

pfSense 2.3.1-RELEASE Now Available!

We are happy to announce the release of pfSense® software version 2.3.1!

This is a maintenance release in the 2.3.x series, bringing a number of bug fixes, two security fixes in the GUI, as well as security fixes for OpenSSL, OpenVPN and FreeBSD atkbd and sendmsg. The full list of changes is on the 2.3.1 New Features and Changes page.

This release includes a total of 103 bug fixes. 79 regressions in 2.3 have been fixed, mostly minor issues in the new GUI. Several of these are significant issues, and have resolved nearly all the post-upgrade problems encountered in 2.3-RELEASE. 24 issues affecting 2.2.x and prior versions have also been fixed.

If you haven’t yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.

Upgrade Considerations

As always, you can upgrade from any prior version directly to 2.3.1. The Upgrade Guide covers everything you’ll need to know for upgrading in general.  There are a few areas where additional caution should be exercised with this upgrade if upgrading from 2.2.x or an earlier release, all noted in the 2.3 Upgrade Guide.

For those upgrading from a 2.3 beta or RC version who have not yet upgraded to 2.3-RELEASE, please see this post.

Known Regressions

While nearly all of the common regressions in 2.3-RELEASE have been fixed in 2.3.1, the following still exist:

  • IPsec IPComp does not work. This is disabled by default. In 2.3.1, however, it is automatically not enabled, to avoid encountering this problem. Bug 6167
  • IGMP Proxy does not work with VLAN interfaces. Bug 6099. This is a little-used component. If you’re not sure what it is, you’re not using it.
  • Those using IPsec and OpenBGPD may have non-functional IPsec unless OpenBGPD is removed. Bug 6223

Packages

The list of available packages in pfSense 2.3.x has been significantly trimmed.  We have removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable. A few have yet to be converted for Bootstrap and may return if converted. See the 2.3 Removed Packages list for details.

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub. 2.3.1-RELEASE is built from the RELENG_2_3_1 branch of each repository.

Main repository – the web GUI, back end configuration code, and build tools.
FreeBSD source – the source code, with patches of the FreeBSD 10.3 base.
FreeBSD ports – the FreeBSD ports used.

Download

Downloads are available on the mirrors as usual.

Downloads for New Installs and Upgrades to Existing Systems – note it’s usually easier to just use the auto-update functionality, in which case you don’t need to download anything from here. Check the Firmware Updates page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • pfSense Store –  official hardware, apparel and pre-loaded USB sticks direct from the source.  Our pre-installed appliances are the fast, easy way to get up and running with a fully-optimized system. All are now shipping with 2.3 release installed.
  • Gold subscription – Immediate access to past hang out recordings as well as the latest version of the book after logging in to the members area.
  • Commercial Support – Purchasing support from us provides you with direct access to the pfSense team.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.

pfSense 2.3 Update 1 Available

Since the new pkg system enables us to update pieces of the system individually, rather than the monolithic updates of the past, we have released a patch that fixes the NTP CVEs covered by FreeBSD SA 16:16.ntp. Updating ntpd from 4.2.8p6 to 4.2.8p7 is the only change.

This update appears as 2.3_1, for update 1. This should not be confused with 2.3.1, which is a full maintenance release coming soon. 2.3_1 is only available for those already running 2.3 release.

Note for this update, your version number will remain the same afterwards, still showing as 2.3-RELEASE.

This update does not trigger a reboot. The NTP service needs to be manually restarted under Status>Services afterwards.

pfSense 2.3-RELEASE Now Available!

We are happy to announce the release of pfSense® software version 2.3!

The most significant changes in this release are a rewrite of the webGUI utilizing Bootstrap, and the underlying system, including the base system and kernel, being converted entirely to FreeBSD pkg. The pkg conversion enables us to update pieces of the system individually going forward, rather than the monolithic updates of the past.  The webGUI rewrite brings a new responsive look and feel to pfSense requiring a minimum of resizing or scrolling on  a wide range of devices from desktop to mobile phones.

For the highlights, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.

The full list of changes is on the 2.3 New Features and Changes page.

To get to a release, we’ve closed 760 total tickets.  While the majority of these were related to the Bootstrap conversion, 137 are fixed bugs impacting 2.2.6 and earlier releases.

Upgrade Considerations

As always, you can upgrade from any prior version directly to 2.3. The Upgrade Guide covers everything you’ll need to know for upgrading in general.  There are a few areas where additional caution should be exercised with this upgrade.

For those upgrading from a 2.3 beta or RC version to final, please see this post.

Known Regressions

  • OpenVPN topology change – configuration upgrade code was intended to set upgraded OpenVPN servers to topology net30, rather than the new default of topology subnet. This is not working as intended in some cases, but has been fixed for 2.3.1. In the meantime, editing your OpenVPN server instance and setting the topology to “net30” there will accomplish the same thing and fix it.
  • IP aliases with CARP IP parent lose their parent interface association post-upgrade. Go to Firewall>Virtual IPs, edit the affected IP alias, pick the appropriate CARP IP parent, then save and apply changes. Make sure every virtual IP has something shown in the Interface column on firewall_virtual_ip.php.
  • IPsec IPComp does not work. This is disabled by default. Disable IPComp under VPN>IPsec, Advanced to work around if you’ve enabled IPComp. Bug 6167
  • IGMP Proxy does not work with VLAN interfaces. Bug 6099. This is a little-used component. If you’re not sure what it is, you’re not using it.

Any significant regressions discovered post-release will be added to this post.

Clear Browser Cache

Due to the many changes in the web interface, clearing your browser cache or doing a forced reload (shift+refresh) is a good idea after upgrading. If you see any cosmetic problems in the web interface post-upgrade, a stale browser cache is the likely reason.

Packages

The list of available packages in pfSense 2.3 has been significantly trimmed.  We have removed packages that have been deprecated upstream, no longer have an active maintainer, or were never stable. A few have yet to be converted for Bootstrap and may return if converted. See the 2.3 Removed Packages list for details.

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub. 2.3-RELEASE is built from the RELENG_2_3_0 branch of each repository.

Main repository – the web GUI, back end configuration code, and build tools.
FreeBSD source – the source code, with patches of the FreeBSD 10.3 base.
FreeBSD ports – the FreeBSD ports used.

Download

Downloads are available on the mirrors as usual.

Downloads for New Installs and Upgrades to Existing Systems – note it’s usually easier to just use the auto-update functionality, in which case you don’t need to download anything from here. Check the Firmware Updates page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • pfSense Store –  official hardware, apparel and pre-loaded USB sticks direct from the source.  Our pre-installed appliances are the fast, easy way to get up and running with a fully-optimized system. All are now shipping with 2.3 release installed.
  • Gold subscription – Immediate access to past hang out recordings as well as the latest version of the book after logging in to the members area.
  • Commercial Support – Purchasing support from us provides you with direct access to the pfSense team.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.

 

2.3 Release Candidate now available!

We are proud to announce pfSense® software version 2.3 Release Candidate is now available!

The most significant changes in this release are a rewrite of the webGUI utilizing Bootstrap, and the underlying system being converted entirely to FreeBSD pkg (including the base system and kernel). The pkg conversion enables us to update pieces of the system individually going forward, rather than the monolithic updates of the past.

For the highlights, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.

The full list of changes is on the 2.3 New Features and Changes page.

In the process of getting here, we’ve closed out 742 total tickets, with most of those being items related to the Bootstrap conversion. Of those, 136 bugs have been resolved that affect 2.2.x and prior versions.

Downloads

(RC downloads are no longer available)

You can upgrade straight to 2.3 from any previous release. Check the Upgrade Guide for details.

Feedback, Questions, Need Help?

Report your experiences or get help with problems on the 2.3 board of the forum.

Features and Highlights of pfSense 2.3

Unless you’ve been completely out of the loop, you know that the official release of pfSense 2.3 is on the horizon. In anticipation of that event, Netgate, host of the pfSense® open-source software community and technical leader of the pfSense project, has put together a video that highlights many of the new and exciting changes in this release. Incalculable hours of engineering and testing time have been invested in this release. It’s certainly our biggest yet. As soon as it’s released, you can get it on official pfSense hardware at netgate.com. Enjoy!



pfSense Partner Interview: Amica Technology

Amica Technology is the Select Partner of pfSense® in the UK. As of this writing, Netgate and pfSense are working closely with Amica to facilitate official pfSense training in the UK in April.  We recently sat down with Chris Howard and his team to talk about the product and other opportunities to work together in 2016 and beyond.

You are the Managing Director of Amica Technology. Tell us a little bit about your company.

Amica Technology is primarily a Managed Service Provider, based near Bournemouth on the South Coast of England. We have two remote offices, one in London and one in Yorkshire. We are passionate about customer service and never talk jargon to our clients unless they ask us to. We are also an ethical company. Because of these things we have achieved a very fast growth rate. We are still a fairly small company with just 17 staff, but we operate very efficiently so we are able to support a lot of clients.

What made you want to become an official pfSense partner in the UK?

To put it simply, we love the product. When we come across a product that we love, we immediately try to get on board with it because there is nothing easier to sell or support than a product that you are passionate about. Our clients are delighted because we’re saving them money with their firewall solutions. It’s a win-win situation.

Since becoming an official partner, how has your business performed?

Fantastically! 20% of our business is providing leased lines to businesses. Using pfSense as the gateway helps us to lower the monthly cost because our initial firewall investment has been smaller. We pass these savings straight onto the client and there are smiles all round.

How has the pfSense team enabled your business to succeed?

The partner support is great. Ingrid is so amazing to deal with and helps us to get things done and move forward. Chad’s marketing skills are superb and we see each other as an extension of each other’s team. Scott and the rest of the team are so knowledgeable about the product that it gives us the confidence to work with them.

What benefits does a customer realize by purchasing official pfSense products?

Initially it’s cost. Because the initial outlay and total cost of ownership are so low, it’s a no-brainer for most companies. Then people realize how easy pfSense is to work with and they are pleased that they made the decision. We find that most people can do basic changes to the firewall with no support from us at all, and our clients that have attended the pfSense training suddenly become firewall experts. Once you’ve used pfSense, you very quickly forget about Cisco, Juniper, Sophos, etc.

What are the benefits of purchasing an official pfSense product from Amica?

Amica not only sell the products, but we also have a full design and implementation service. Many of our clients are able to install the products themselves, but for the ones that can’t we usually have an initial conversation over the telephone or face-to-face where we chat through what is required. Then we provide a quotation for the number of hours required for configuration and/or implementation. We’re straight-talking, honest and transparent. We love what we do and we want our clients to enjoy IT.

Explain your “service after the sale” approach.

Our support team are always there waiting to help with any problem you may face. We also offer maintenance contracts with 24×7 service level agreements for companies that require extra peace of mind. Our network architects can design and implement any custom configuration changes either remotely or on-site.