What’s coming in 2.0

This release already contains some significant new features. Among them:

  • Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing. Thanks to Ermal Luçi for doing the work, and the numerous people who contributed to the bounty to make this happen!
  • User manager – multiple administrative users can be created, with varying levels of access. Access groups can be defined to easily grant identical access rights to multiple users. Rights can be defined individually for each page in the web interface.
  • LDAP authentication – LDAP is integrated into the user manager so pfSense can authenticate from any LDAP server. Microsoft Active Directory and Novell eDir have been thoroughly tested, though any LDAP server should work. You can even define groups in your directory and assign rights in pfSense to those groups.
  • Significant OpenVPN improvements – these are still a work in progress, more info to come.
  • Routing improvements – still a work in progress as well, but will allow more flexible routing capabilities.


131 Responses to “What’s coming in 2.0”

  1. Santilli Quirino Says:

    LDAP authentication: did you mean ldap auth for all the pfsense apps? (e.g. Captive portal)
    Thank you for the great work done and for the possibilities you give us!!!
    r3N0oV4

  2. Chris Buechler Says:

    LDAP authentication is currently only for administrative users, not other users like captive portal, PPTP, etc. Those can all use RADIUS which is sufficient for the same purpose most of the time.

  3. John Dakos Says:

    Hello all. Thanks to all the programmers for this good [ Free Project ].

    Chris Buechler Says: Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing.

    This is a very nice thing. In version 1.2 we can run the wizard for the traffic shaper again and again... and lose all rules. In 1.3, has this been changed or not?

    Thanks Again.

  4. Chris Buechler Says:

    John: that’s specifically one of the things addressed, the wizard annoyances of the last version should no longer be an issue. Once 1.3 is publicly available I encourage you to test it and let us know if any of those annoyances are still there (we’ll be doing the same ourselves, but more eyes is better).

  5. Southman Says:

    Paul, I recommend that you return your pfsense setup to the place you bought it and go purchase a commercially available firewall solution and support that will fit your needs. Where do you get off demanding anything from this team and their project. The software this team has created rivals many of the commercially available firewalls, and the price is right. They deserve your heartfelt thanks, not your ridicule!

    Thanks to the team, and keep up the good work!

  6. psk Says:

    Being that 1.3 will be on a different version of FreeBSD, will there be a firmware upgrade or will we have to reload / reconfigure an existing box from scratch?

  7. psk Says:

    oh.. and I just wanted to say.. “GREAT JOB ON A GREAT PRODUCT”

  8. Chris Buechler Says:

    Firmware update from 1.2 to 1.3 will be possible.

  9. smallcaps Says:

    how will the firmware update affect the embedded version of pfSense?

    Indeed, this is personally my favorite open source project… hands down! congratulations to all involved with the pfSense project, you should be proud! i look forward to being wowed by 1.3 and success with everything.

  10. Chris Buechler Says:

    Embedded upgrades will depend on what we end up doing with embedded. We’re looking at moving to a completely different kind of image, and if that happens, there will be no way to upgrade from any previous version to 1.3 without reflashing. Fixing embedded upgrades from 1.3 on is a priority, and will likely require significant changes to embedded.

  11. Steve Mellor Says:

    I’m probably in a vanishing minority to say this, but: “Novell eDirectory authentication!” Fantastic! Thank you.

  12. Chris Buechler Says:

    Steve: glad someone appreciates it. :) I was wondering myself how widely used that would be, it was a requirement for the company that sponsored the work.

  13. white_hat_man Says:

    Rubbing up people the wrong way, as demonstrated by your arrogant posts above, means that you truly NEED a multi-faceted security solution like pfsense to prevent people taking a targeted stab at you.
    So, why don’t you attempt to make amends and sponsor the project, providing a bounty for the service you demand so eloquently?
    I should think a few thousand dollars would begin to repair your reputation :)

  14. white_hat_man Says:

    oops, that was at Paul Rowe, help me?

  15. Mike Says:

    Chris,

    “LDAP authentication is currently only for administrative users, not other users like captive portal, PPTP, etc. Those can all use RADIUS which is sufficient for the same purpose most of the time.”

    Can we expect LDAP authentication for the captive portal sometime in a future release? Using it for only admin users is ok, but I really need it for the captive portal so I can use pfSense instead of the HP7xxwl stuff (without having to add a RADIUS server into the mix for another point of failure)… :/

    Thanks!

  16. Chris Buechler Says:

    Mike: not in 1.3 unless you’re willing to fund the work. Otherwise at some point in the future post-1.3, maybe.

  17. danne Says:

    I disagree on 3G-support. Now when speeds up to 7.2 down / 1.6 up is widely available it’s getting very common in Europe to use 3G as a backup connection. I understand the problem with supporting different devices through patches, but basic support for the most common devices would be really excellent.

    I just love pfSense and look forward to 1.3.

  18. Chris Buechler Says:

    danne: not sure what you disagree with. I agree it’s absolutely an important feature and it’s something we really want to offer, but if we can’t properly support more than a couple devices it’s probably not worthwhile. More will be coming later – keep blog.pfsense.org in your RSS reader. :)

  19. Mike Says:

    “Mike: not in 1.3 unless you’re willing to fund the work. Otherwise at some point in the future post-1.3, maybe.”

    I’m kinda new to this project, is there a set price for something like this? How does this work?

  20. Chris Buechler Says:

    Mike: Depends on the project. Generally you provide the exact specifications of what you want (as it differs from what is there now), then we’ll take a look at it, make sure it’s possible, figure out how long it will take, and provide a fixed quote based on that. As long as the resultant work is open source as part of the pfSense project, our prices are based on a low hourly rate.

    You can email me at cmb@bsdperimeter.com if you would like to discuss further.

    This isn’t an extortion plot or anything. :) We can’t possibly implement every feature request, or even the majority of them, as there just isn’t time. We’ve found this is the best way to prioritize development and work towards fully making a living working on pfSense, and there are numerous companies willing to fund work. All the major new features in 1.3 are the result of funded development.

  21. Atrillanes Says:

    All this talk, enough with all thanks and kudos we all know how great it is. What I would like to know exactly is when it will be publicly available. Can anybody tell me? The “next month” release date is pretty much open-ended.

  22. Chris Buechler Says:

    I’ll get a development update post up probably this weekend. It works, it’s been working for a while, snapshots are building, we’ll probably let it out to the general public soon. We don’t have time to deal with the onslaught of bug reports right now (the majority of which end up being misconfiguration, but take significant time to investigate), and a number of changes are in process at the moment.

  23. JBanks Says:

    Is there a reason the pfSense group/project is so secretive about the next product roadmap – seriously? I see so many of the SAME questions by numerous people and it’s always the same. Most other projects have “some” sort of ETA; organized ones anyhow. For some people, this product is what they based their IT decisions on – Vyatta or pfSense? Untangle or pfSense? SmoothWall or pfSense? etc etc etc…

  24. Chris Buechler Says:

    JBanks: we’re not secretive about a road map, we don’t have a formal one. The primary reason is we have no system to easily do so – this is being covered as part of the git conversion, Redmine which will replace cvstrac gives us facilities to put together development road maps. Look for one after the git conversion is completed.

  25. A.I. Says:

    Tried the alpha-alpha release. Could not establish an IPsec VPN with older 1.2 version. PPTP server seems to always check the radius option even though I repeatedly un-check it. Interface looks great! The rate limiter option could use a download/upload perspective instead of the src/dst address. Do we need to add 2 rules there, one for upstream, one downstream? Overall it looks mighty fine!!

  26. Fred Stephani Says:

    Are there any plans to implement a browser based SSL VPN solution in 1.3?

    You are all doing a great job with this project, I am a huge fan of pfSense.

  27. Chris Buechler Says:

    We have no plans to implement a “clientless” (which is marketing BS) or “browser-based” (also marketing BS) SSL VPN for two reasons.

    1) there isn’t a good open source one.
    2) Reasons explained here:
    http://article.gmane.org/gmane.comp.security.firewalls.pfsense.support/14336/

  28. Al Says:

    Totally love this firewall! Rock solid. Multi-wan is awesome. Carp is great. Failover is a dream!! Can’t say enough positive as a firewall.

    BUT – Also agree with above RE: Load Balancer monitoring…

    I have not been able to use the built-in load balancer in PFSense because it lacks customized monitors. I know there are solid open-source tcp monitor packages around, was hoping to see this added. Better yet, a little http get monitor with text string evaluation would do it… Many times a web server is UP on tcp, but down for HTTP GET on 80…

    Adding this would mean many of us could ditch two boxes entirely (Master LB and Failover LB) and use PFSense for the whole thing…

    What a dream that would be!

  29. Chris Buechler Says:

    Al: the load balancer in 1.3/2.0 has already been replaced with relayd and does what you mentioned.

  30. Francis Says:

    hello there, my question deals with aggregation and is asked with total respect to the programmers as I know nothing about programming. That being said is this possible and work.

    when a request to the internet reaches pfsense, pfsense uses 1 wan to get the size of the page or whatever from the page server. Then pfsense splits the reply in half and requests a half from each of the wan’s, gets it and sends the page to the requesting computer.

    since everything dealing with the internet deals in packets theoretically this is possible, but is it practical in real life? is it something that can be programmed?

    Thanks for the info

  31. Chris Buechler Says:

    Francis: that’s not theoretically, or otherwise, possible because of the way the Internet works. Post to the forum or mailing list for more in-depth discussion.
