Archive for January, 2008

IPsec Stability fixes and 1.2-RC4

Friday, January 18th, 2008

Some of you might have noticed that a lot of work went into getting IPsec running a bit smoother for large numbers of connections. We would like to take a moment and thank a number of folks for their hard work and for their generous monetary contributions that made these efforts possible.

1. Heiko Gabe w/ donated significant monetary resources to sponsor these fixes. Heiko has sponsored many projects in pfSense and we are exceptionally grateful for his continued support.

2. Timo Teräs is a racoon developer and helped correct a few very minor bugs in racoon and worked on improving setkey code in FreeBSD. Timo is a genius and we are absolutely grateful to him for helping us out.

3. Seth Mos is a pfSense developer and uses IPsec at his work. Seth has been extremely patient and has worked with Timo and Heiko to coordinate, test and get these patches into pfSense.

Now pfSense can handle far more connections than it could when we began. We could barely handle 75 connections at a time then racoon would go into “sbwait” state mode and would wedge. Now we have noticed that 250+ active tunnels can be running simultaneously and everything seems to work great. I would not be surprised to see us being able to handle thousands of tunnels but we still need to test this.

Thanks to everyone involved, our IPsec is far more scalable than what is in FreeBSD itself! Next step is to try and convince the FreeBSD developers to adopt our changes so everyone can win.

Please give everyone above a great round of applause, we really appreciate you guys!!

1.2-RC4 Released!

Wednesday, January 16th, 2008

The pfSense development team is happy to bring you the final release candidate in the 1.2 series! A summary of the changes since RC3 follows.

  • libc fix for security advisory FreeBSD-SA-08:02
  • Numerous text touch ups and typo corrections
  • Do not ping other end of IPsec connections on CARP backup hosts
  • Fix edit.php error when opening empty file
  • Math fix on throughput graph
  • Read the rest of this entry »

So what’s this RELENG_1, RELENG_1_2 stuff, anyway?

Wednesday, January 16th, 2008

This is a question that comes up frequently from users. RELENG stands for Release Engineering, and is the way we label tags in our revision control software, CVS. We follow the same naming conventions as the FreeBSD project, because it makes sense and the developers are all familiar with it.

RELENG_1_2 contains the source for the 1.2 release. This branch has been frozen for more than 6 months, meaning no new features allowed.

RELENG_1 is the branch where development for the 1.3 release is currently happening. When the first 1.3 beta release nears, this will be branched to RELENG_1_3.

The 1.0 release should have been RELENG_1_0, however we did not start tagging releases until a while after 1.0 was released. This is the reason we cannot easily update 1.0 with bug fixes, and have recommended 1.2 release candidates for all deployments for several months now. This will not be the case going forward.

Lastly, the HEAD branch contains the most bleeding edge development code. It contains a lot of work in progress, and at this point we’re not sure what release that code will eventually become.

New Screencast section at

Tuesday, January 15th, 2008

The webpage of the m0n0wall project now offers some screencasts that walk you through different configuration steps of a m0n0wall. Some of them apply to pfSense as well. If you are interested you can check them out at .

AT&T/Bellsouth random PPPoE changes

Saturday, January 5th, 2008

If you are an AT&T/former Bellsouth DSL customer using PPPoE on pfSense, a recent change made by AT&T has broken the pfSense PPPoE client in its default configuration for some customers. This change seems to be getting rolled out almost at random, affecting different people at different times. m0n0wall is affected in the same fashion, with the same resolution.
The fix is to backup your configuration (Diagnostics -> Backup/Restore), open it in a text editor and go down to where you see <pppoe>. Add a line somewhere between <pppoe> and </pppoe> containing only <dnsnosec/>.  So a portion of your configuration will look like the following:



Then save the configuration, go back to the Backup/Restore page and restore the modified configuration. The PPPoE client will begin immediately working again.

Thorough discussion of the issue if you’re interested – AT&T’s Random DSL Configuration Changes Begin.

VLANs now supported on ALIX boards

Saturday, January 5th, 2008

The final 1.2 release candidate, coming soon, will have support for VLANs on the vr(4) chipset. This is a common request since it’s the chipset used by ALIX boards.

This is already available in the RC4 pre-release available on the snapshot server here.