What’s coming in 2.0

March 15th, 2008 by Chris Buechler

This release already contains some significant new features. Among them:

  • Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing. Thanks to Ermal Luçi for doing the work, and the numerous people who contributed to the bounty to make this happen!
  • User manager – multiple administrative users can be created, with varying levels of access. Access groups can be defined to easily grant identical access rights to multiple users. Rights can be defined individually for each page in the web interface.
  • LDAP authentication – LDAP is integrated into the user manager so pfSense can authenticate from any LDAP server. Microsoft Active Directory and Novell eDir have been thoroughly tested, though any LDAP server should work. You can even define groups in your directory and assign rights in pfSense to those groups.
  • Significant OpenVPN improvements – these are still a work in progress, more info to come.
  • Routing improvements – still a work in progress as well, but will allow more flexible routing capabilities.

131 Responses to “What’s coming in 2.0”

  1. KC Says:

    The pfSense team is amazing…looking forward to this release, great work!

  2. Chris Says:

    These improvements sound great! Together with all the good stuff the FreeBSD guys did for 7.0 it’ll be superb. Thanks a lot!

  3. Ben Turner Says:

    I only just discovered pfSense days after the final version 1.2 was released (first installed it 2 weeks ago today) and I’m already looking forward to this! The team has done some amazing work here already – I can’t wait to see what the future brings.

  4. ssbaksa Says:

    Is there a way to get 1.3 for testing? I would like to do some beta testing if that is OK by you guys.

  5. me Says:

    Any plan for IPv6 support?

  6. Chris Buechler Says:

    IPv6 is partially done in HEAD, the bleeding edge development branch, but won’t be in 1.3 unless the developer who wrote that support ports it to the branch for 1.3. Not sure if he’ll do that or not, I would guess not.

  7. Chris Buechler Says:

    ssbaksa: as it says in the post, publicly available releases will be available in the near future. Only pfSense developers with commit access will have access to images before they’re publicly available.

  8. srs Says:

    fantastic! I think I’ll never abandon pfsense, as I never did since I knew it!

    congratulations for all pfsense developers!

  9. mantissa Says:

    I definitely count myself as a strong pfsense evangelist – let alone the fact that I use it, I set it up for my clients as well with great success! Great going fellas!

  10. Esad Says:

    what a player!!!! look forward to it especially the multi-WAN interface features… keep it up…

  11. amenchetti Says:

    Great job and thanks to all!

  12. pfSense 1.3 - what's coming? | FreeBSD - the unknown Giant Says:

    [...] pfSense Team have outlined their development plans for version 1.3 which will be base on FBSD 7.0. It’s the plan to release the next version within the next [...]

  13. Lars Hupfeldt Says:

    Hi,

    Thank you for the great work. Any idea about when carpdev is going to make it into pfSense/freebsd?

  14. ssjoco Says:

    Thank you! multiple interface support. It will be great!

  15. psk Says:

    Will the blocklist functionality be in version 1.3?

  16. Rob Says:

    Is full NAT-T going to be available?

  17. Doug Says:

    I’m constantly amazed that anyone else bothers with another solution. I only hope to see OSPF, past that it’s all gravy!

  18. Chris Buechler Says:

    NAT-T will be included before the release.

    Not sure what you mean by “blocklist” psk. We will have the ability to load address/network lists from an external source like HTTP.

  19. Benny Kill Says:

    Hello! Maybe supporting dual ADSL (PPPoE) is a good thing! Looking forward!

  20. Al Says:

    Saying thank you is not enough to express my gratitude for the hard work you guys are doing

  21. Jonathan Puddle Says:

    Great work guys, this will be an incredible release. FreeBSD 7, LDAP support, and multiple users is the ticket, that’s totally excellent.

  22. Claus Krogsgaard Says:

    What about deep packet inspection and a built-in SMTP server? In my eyes, this is all it needs to be perfect

    Thanks guys.

    //Claus

  23. sisyphus Says:

    Thank you to all. I am definitely also spreading the PFSense word as far as I go.

    Thank you all.

  24. Rusomenace Says:

    Rock solid, best firewall I ever used. Congratulations on the new release, I can’t even wait to install it.
    A question: are you going to redesign the interface, or maybe give the packages so we can skin the product?

    My best regards and excellent work.

  25. ecosta Says:

    Great firewall.

    Thank you all.

  26. Chris Buechler Says:

    Re: redesigning the interface – no, the default theme will be the same. We do include multiple themes though, and it is possible to create your own.

    We would accept any theme contributions as well for inclusion in future releases. If you create a theme you would like to contribute to the project, email it to coreteam@pfsense.org.

  27. Thomas Says:

    It would be nice if it was possible to define multiple DHCP-Pools for use in different subnets on different nics.

  28. Mark J Crane Says:

    Someone asked about including an SMTP server. Actually that can be done with native PHP code. PHPMailer is a pure PHP class that uses fsockopen to send email. It can send the email directly or send to a remote mail server using SMTP authentication. It has fail over support to use an alternative mail server if the primary one fails. Attachment support and much much more. PHPMailer License is LGPL.

  29. mw Says:

    Any thoughts on compiling everything with GCC’s stack-smashing protection?
    See http://tataz.chchile.org/~tataz/FreeBSD/SSP/

  30. Hawara Says:

    Any chance to implement VPN+DHCP on wan interface?
    (for ISPs that require you to get internal address via DHCP and then use it to establish VPN connection for external adress)

  31. Rubens Says:

    What’s the intended release of 1.3 stable, as next month will be the release of the first 1.3 testing ?

  32. Adam Says:

    Amazing firewall. Any plans for virus scanning? LDAP support is going to be great. Will the LDAP support work for VPN authentication? Keep up the great work, Similar products cost hundreds or even thousands. Thanks!

  33. Graham Says:

    I love pfSense but a couple of features I would like to see to do with firewall logging are:

    1. Ability to filter the firewall log on IP addresses, etc

    2. Move (or duplicate) the “Log Packets” tick box from inside the rule to the rules listing page so that you can see at a glance and easily change which rules are logging.

    Also, dual WAN sounds great. Is there support for 3G Data cards like the Option GT Fusion+ ? It would be very useful to be able to use this to automatically backup and/or supplement my wired ADSL connection.

    Keep up the great work guys!

  34. Chris Buechler Says:

    1.3 may have PPP support which will allow for dial up and 3G, but 3G will be for a very limited number of cards. Those all use different drivers, most of which aren’t available in FreeBSD without us adding custom kernel patches if even that is possible.

    Because it appears to be essentially impossible to widely support 3G, that support may get pulled prior to the 1.3 release and deferred to a later release since it still needs a lot of work and it isn’t a huge priority.

    A lot of the other things people are mentioning are package candidates – virus scanning, SMTP server, etc. We welcome contributions, we don’t have the resources to get all this done. Plus gateway virus scanning isn’t as good as it might sound, even in commercial implementations it’s very limited, causes severe performance problems, or both.

    To have your feature requests considered, please first review this list and make sure it isn’t there already:
    http://cvstrac.pfsense.org/rptview?rn=23

    And if not already in the list, submit feature request tickets here:
    http://cvstrac.pfsense.org/tktnew

  35. Chris Buechler Says:

    We’re nowhere near close enough to 1.3 release to speculate timing on the final release. We’d like a faster release cycle than 1.2, but it’s impossible to say at this point if that’ll happen.

  36. bonbon Says:

    All of us expect it!
    Thanks for your hard working.

  37. AntonB_Russia Says:

    I’m using pfsense as gate between 3 shops. It works great really!!!

  38. PredatoryFern Says:

    Awesome you guys. Keep up the great work!

  39. afrugone Says:

    Many thanks for this great system.
    One question, Will 1.3 support multiwan squid?

  40. Dzezik Says:

    waiting for traffic shaper working in bridge mode or support for full proxy arp route mode (simple splitting public IP between WAN and DMZ with proxy ARP and special routing does not work), and monthly/daily transfer limit for wan port in failover (I have one extra wan with charge 0 when transfer is below 500MB per month, good way for failover)

  41. Chris Buechler Says:

    Multi-WAN support for services running on localhost (including squid, things like FTP that are proxied, and other packages) will hopefully make 1.3.

    Re: traffic shaper for bridging, that’s a limitation of the underlying system that we can’t do anything about unless/until it is implemented in FreeBSD.

    It’s unlikely we’ll have transfer limits on WAN interfaces in the foreseeable future, definitely not in 1.3.

  42. Ide Says:

    What about the support for L2TP?

  43. Chris Buechler Says:

    L2TP support is in HEAD but not 1.3. It might get back ported, might not. Probably depends on how well it works now and what it would take to make it release-ready.

  44. EdwardOCallaghan Says:

    Hi,

    I look forward to 1.3, however;

    How about built in DNS cache _maybe_ BIND is not the best of ideas due to everyone using it..

    Would make resolves much quicker for users in the Green for say an office ;)

    Real-time clamav of browsing is not a bad idea either ;)

    Best Regards,
    Edward.

  45. Mike Hargroove Says:

    I would like to know will pfsense ever support dynamic to dynamic ipsec vpn?

  46. Chris Buechler Says:

    Edward: we’ve had a caching DNS server literally since day one, dnsmasq.

    Dynamic to dynamic IPsec should make 1.3, it’s there already but needs some tweaking and testing.

  47. Mike Hargroove Says:

    That’s good to know that it will make 1.3. Do you have a link to a tutorial on how to make it work in the current version? I actually need to test out some tunnels this week

  48. Slick Says:

    How about some new feature screenshots? Make sure you’re not pulling our leg :P

  49. Chris Buechler Says:

    Slick: maybe. :) We’ll eventually put up a screenshot gallery with some of the new things.

  50. Karl Fife Says:

    Great work! We love this project. I’m wondering if any changes or improvements will be made with regard to PFSense and SIP NAT traversal. We have noticed that 1.2-Release has a few quirks that make many ITSP’s stumble while trying to pass RTP (audio) streams through PFSense NAT, where they don’t stumble traversing other NAT Firewalls. Also we are wondering what changes, if any, will happen to the PPTP server or PPTP Pass-through code. I and others in forums have had some issues surrounding PPTP tunnels between 2 PFSense boxes, where the issues do not express themselves when connecting to and from non PFSense pptp servers and pass-throughs.

  51. Chris Buechler Says:

    Karl: Check the Features page on the website for info on PPTP limitations. There are good work arounds available, but we’re working on a solution to those limitations.

    siproxd package should fix SIP issues, it’s still under development though, I’m not sure of its current status.

  52. David Lavgne Says:

    Will the new version allow captive portal to run on a vlan rather than the interface?

  53. duckTH Says:

    I love pfSense.

  54. Chris Buechler Says:

    Captive portal should run on a VLAN interface now.

    There are no major captive portal changes planned for 1.3, some minor additions to m0n0wall will be brought over.

  55. Tadas Says:

    Could bacula be implemented in pfsense?
    ClarkConnect has it, so pfsense could be better ;)

  56. Chris Buechler Says:

    If someone wants to create a package for Bacula, sure. We don’t have any plans on doing so in the foreseeable future.

  57. Jose Amengual Says:

    Hi.

    I really like pfSense and the idea behind of the project.

    I was looking for a load balancer when I found the project, which at that time didn’t fit my requirements, so I built my own load balancer in FreeBSD and pf and I learned a lot about load balancers and their constant issues with routing and stuff.

    One thing that is still bugging me is the multi-WAN configuration and the way the load balancer realizes the connection is really down and so on.

    Is there any plan to implement SCTP in pfSense 1.3?

    Thanks for the hard work.

  58. Chris Buechler Says:

    Jose: it sounds like you’re a good candidate to become a pfSense developer. :)

    We plan to replace slbd with relayd in 1.3, which may remove some of the annoyances you found with it.

    No plans for SCTP at this time. You’re welcome to contribute code.

  59. Jose Amengual Says:

    I will be more than grateful to be part of this project.

    Where can I talk with you and send some part of what I did?

    Thanks.

  60. Chris Buechler Says:

    Jose: email coreteam@pfsense.org with info on what you have done, we can discuss further via email. Thanks!

  61. naturalblue Says:

    Any chance an anonymising technology will be added such as TOR?

  62. Chris Buechler Says:

    Tor would be a nice package, we welcome contributions.

  63. Taras Says:

    Thanks for great work!
    I’m very interested in openvpn improvements. Is support of many instances of openvpn client planned?

  64. Chris Buechler Says:

    I’m not sure what you mean by “support of many instances of openvpn client”. Right now 1.2 supports as many OpenVPN clients as your hardware can handle. 1.2 is fully scalable to the processing and memory limits of your hardware, hence scalability is not among the coming improvements since it’s already there.

  65. Taras Says:

    > I’m not sure what you mean by “support of many instances of openvpn client”
    I mean two or more outbound(from pfsense) openvpn connections.

  66. Chris Buechler Says:

    > I mean two or more outbound(from pfsense) openvpn connections.

    That’s not a problem, never has been.

    It’s true of PPTP, there might be a fix for that.

  67. SB HidDeN Says:

    pfSense is good choice for my home use!
    but there some missing features like:
    multicast routing (someone likes IPTV)
    DVB-interface support (TV- or just IP-functions)
    fully functional proxyarp

    it’ll be good to see these features in later releases. THANX for your work!

  68. Taras Says:

    >> I mean two or more outbound(from pfsense) openvpn connections.

    > That’s not a problem, never has been.

    Sorry, my bad!
    Another interest – is support of openvpn-2.1 planned? It has good improvements (topology subnet).

  69. Chris Buechler Says:

    OpenVPN 2.1 is the version used in pfSense 1.3.

    SB HidDeN: “fully functional proxy ARP” has existed from day one, our proxy ARP is as fully functional as proxy ARP can be. So I’m not sure what you mean by that.

  70. Olivier Gauthier Says:

    Hi,
    This release is awaited here in our IT shop, we plan to offer pfSense as a router solution for our actual clients and one question burns our brains.

    When you say
    “Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces.”
    is there any chance that this means we could use the traffic shaper inside an IPsec tunnel? This is our major issue with pfSense right now, since we tunnel all our VoIP and RDP sessions. We already prioritise the actual IPsec tunnel, which works great but still doesn’t separate file transfer and print spooling from realtime protocols.
    From what I read in the forums, it is a limitation of the actual IPsec implementation in the FreeBSD kernel. If that’s still the case, should we look at FreeBSD development to implement this, or could pfSense use an implementation of IPsec other than the one in the FreeBSD kernel?

    Thank you and thank you for the great coding here!

  71. Chris Buechler Says:

    Shaping of traffic within IPsec tunnels is now possible as well.

  72. Lurks Says:

    Does that mean 802.11n support too? That’s apparently in FreeBSD 7.0 right? Although I’m not sure what needs to be in the OS and what ends up being a driver thing. It seems a lot of drivers are closed source binaries right now?

  73. Chris Buechler Says:

    For wireless, whatever is in FreeBSD 7.x will be available. 802.11n is not available in 7.0 and I’m not sure if it will be available in any 7.x release. If/when it is, we’ll support it.

  74. Lurks Says:

    It’s not? Reading from:
    http://www.freebsd.org/features.html

    “Wireless: FreeBSD 7.0 ships with significantly enhanced wireless support, including high-power Atheros-based cards, new drivers for Ralink, Intel, and ZyDAS cards, WPA, background scanning and roaming, and 802.11n.”

  75. Chris Buechler Says:

    That short features list is misleading. “Support” has been added, but no 802.11n drivers exist.

    From the full release notes for 7.0:

    “The 802.11 protocol stack has been significantly reworked. Among the new features are support for background scanning and roaming between APs, as well as support that will be required by 802.11n-capable devices.”
    http://www.freebsd.org/releases/7.0R/relnotes.html

    And this article from ONLamp mentions:
    “The new code has working 802.11n support although no drivers have been released yet.”
    http://www.onlamp.com/pub/a/bsd/2008/02/26/whats-new-in-freebsd-70.html

    So yes, it supports 802.11n…with no drivers. :)

    Not sure when they might be added, here in a post from January, Jim Thompson thinks it might be 18+ months. Jim is well in tune to wireless developments in FreeBSD, I trust this to be an accurate assessment (of course circumstances can always change).
    http://m0n0.ch/wall/list/showmsg.php?id=337/58

  76. KuBuntU Says:

    Is there any rls date of the 1.3 atm ?

    Regards KuBuntU

  77. neovatar Says:

    I think the meaning of “fully functional proxy arp” is to have possible setups like the one described here:

    http://forum.pfsense.org/index.php?topic=8528.msg48094

    e.g. splitting IP address ranges into different interfaces/zones by using proxy arp and routing, without bridging or assigning the IP as VIP to WAN, giving a server a private IP and doing the NAT stuff.

    e.g. you are given the public IPs x.y.z.1-8
    your ISP router has x.y.z.1 (acts as gateway)
    your pfsense WAN has x.y.z.2
    your pfsense OPT1 (dmz1) has x.y.z.3
    your servers in dmz1 have x.y.z.4 and x.y.z.5

    incoming requests are proxy arped by WAN and routed through OPT1

    is this possible with pfsense?

  78. Chris Buechler Says:

    neovatar: You can’t mix IP subnets like that. If you want that kind of functionality, avoiding NAT with your public IPs, you just need to put the machine on a bridged or routed interface with the public IPs. It doesn’t make much sense to directly assign a public IP on internal interfaces within an otherwise private subnet. Most commercial firewalls don’t allow that, and I don’t believe there is any way to make that happen with pf, so it’s unlikely you’ll ever see that. 1:1 NAT is the way most if not all commercial firewalls accommodate that.

  79. southman Says:

    So when can we expect the first release of 1.3………. :)

  80. Chris Buechler Says:

    It works, no major issues, and the snapshots are building, but we aren’t quite ready to deal with the repercussions of it being publicly available.

  81. southman Says:

    Great, thanks. Was just trying to figure out what you meant by “The first publicly available release will come within the next month.”

  82. Chris Buechler Says:

    “within the next month”? Where do you see that? ;)

    I changed it to 2 months in the post. :)

  83. southman Says:

    Yea, I just take whatever you say and double it….. :)

  84. boppzoli Says:

    pfSense is fantastic!
    I use it in my school (approx. 70+ clients) and never have problems with it …
    I would like to donate some money, but unfortunately actually my budget is not the best … :( (in Romania in education the salary is very poor)
    But if I will have more money, I will donate …
    Maybe it will be a little amount of money, but I will donate it … :)

    Thank you very much pfSense TEAM for the great work!

    “Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing.”
    It is a very very big improvement!

    Thanks again!
    Zoli.

  85. Pinoyboy Says:

    In terms of routing, are we speaking of OSPF like or BGP like functional options (non-Alpha / non-Beta stuff) – or completely something else?

  86. Chris Buechler Says:

    In terms of routing: several things, final list not yet determined. More on that will come.

  87. pfSense Digest » Blog Archive » Development status update Says:

    [...] of the development time since the 1.2 release has been spent on the new features in 1.3, however an updated 1.2 release is also in the [...]

  88. Paul Rowe Says:

    HA GOT A GREAT QUESTION THAT EVERYONE WANT TO KNOW AND YES IM YELLING BECAUSE ONE REASON YOU SAY THAT PER USER SEAT BANDWIDTH DOES NOT WORK AND MULTI-WAN DOES NOT WORK.

    WELL I GOT NEWS FOR YOU IF YOU COPIED M0N0WALL THEN PER USER SEAT BANDWIDTH WOULD WORK BUT INSTEAD YOU DUMMYNET OUT AND PUT ALTQ IN INSTEAD BUT IF YOU REINSTALL DUMMYNET BACK ONTO THE SYSTEM ITSELF IT WORKS GREAT AND 10 TIMES FASTER.

    SO ANSWER THAT.

    THANK YOU.
    SOUTHERN ILLINOIS WIRELESS, INC.
    PAUL ROWE CEO/CTO

  89. Paul Rowe Says:

    When is the per user seat bandwidth setting going to be available to us? I’m hoping it will be in 1.3. To whom it may concern, I’m sorry if I came on very strong about this matter, but you see it is all over your blog; for the past two years nothing has been done to meet common ground on this matter at hand. I am an owner of a wireless internet business and yes, your product works great. I can at times be headstrong, but running a business you have to demand perfection or no one will respect you in this field; it is a tough business, so understand why this issue is so important to almost everyone. If we can control how our bandwidth is done, great. I have what they call RADIUS for my backbone for my user database, at which I store the bandwidth setting, which works under WISPr. I will ask nicely: please do not delete this, for others like me want this feature in an extreme way.

    Thank You
    Southern Illinois Wireless, Inc.

  90. ET Says:

    Will the new version include a feature that would enable pptp vpn server IP address assignment by RADIUS server ? At the moment it’s a feature that is most important to me.

  91. Chris Buechler Says:

    Paul: Nobody ever said multi-WAN doesn’t work, it works great, there are countless installs using it.

    The problem with per user shaping is dummynet doesn’t work with pf due to a FreeBSD bug. I won’t bother addressing your comments any further than that, since you apparently have no respect for those of us dedicating significant time to this project and feel you’re entitled to us spending our free time doing what you want to scream about.

    If you would like to fund development to implement any missing features you’re welcome to email me. Otherwise implement them yourself, or ask nicely and we’ll consider it, but it’s unlikely 1.3 will see any new features aside from funded development due to time constraints.

  92. Chris Buechler Says:

    ET: not likely, unless someone wants to fund that development.

  93. Paul Rowe Says:

    I am fund one that of which I asked, but I’m not trying to be rude. I realize programming time is very consuming and I’m sorry if you feel that I was harsh, but 2 years of over 530 people requesting and funding this project say a lot with that said. Those numbers speak for themselves, but if you all need help programming this project for this feature I would be willing to help with it. Please let me know.

  94. darklogic Says:

    I have used pfsense almost from the start of the project. It is amazing how far it has come. I would love to see pfsense add packages such as ClamAV, SpamAssassin, and other anti spyware\adaware filtering systems for both filtering incoming and outgoing web traffic and e-mail based proxy filtering.

    Pfsense already has everything that other firewall systems have and then some, other projects such as ClarkConnect and Untangle, but if pfsense were to do all the great filtering features of ClarkConnect and Untangle, your product would be hands down unbeatable.

    Keep up the outstanding work : )

  95. Pinoyboy Says:

    Paul Rowe, at this point covering your a$$ is no longer fit =P. You should have shut the $#%# up first time…you are bashing a project that provides your so called “BIZNESS” a FREE tool!!! If you have such an issue with whatever you do not like – one SHUT UP cause it is free or TWO – put a BOUNTY ON IT!!!! PAY for Support! How’s that for speaking freely? To pfSense team – EXCELLENT work as always.

  96. Nick Says:

    Just a friendly reminder about the reset-all states issue for udp sessions during failover. Thanks for a great product!!!!

  97. Franck Horlaville Says:

    Hi PfSense team !

    Congrats for a fantastic product ! We use it in multi-wan setup in our two main locations and it’s working great. Saved the day another time this very morning when two links came down.

    I would like to point out a couple possibilities of improvement along the way. We are still using IPCop boxes (main+backup behind each of the 2 pfSense) to do our IPSec VPNs for two major reasons, which I believe can be corrected:

    - visibility – in IPCop, one glance on the VPN screen tells you immediately (with bright colors) which VPNs are down, which are up, which are administratively closed. And the button to recycle each vpn or turn off and back on is right there. The stability of the links is great too.

    - possibility of IPSec VPN failover – I have currently not found a way using only pfSense to achieve two IPSEC vpns between our two sites (each using different VLAN interface and ISP) with failover from main to backup in case of link failure. Is it me or is it effectively a limitation ? Could it be improved ?

    Thanks again for a fab product !!

    F.

  98. Mike Says:

    I’ve been looking at the HP 700wl series wireless firewalls for a captive portal, but with this LDAP functionality in pfSense, I am going to have to look at that instead! One of the drawbacks with the HP stuff is that I can’t define multiple containers for LDAP auth… will this be possible in pfSense? Pretty please?!

  99. Thomas Says:

    Hi,

    Will Link Aggregation (LACP) be included in version 1.3? When will a first ISO of 1.3 be available? Can I download a 1.3 version?

  100. Chris Buechler Says:

    Thomas: lagg(4) support is partially done, and will probably make 1.3. No timeframe on availability yet, watch for future posts on this blog for further info.

  101. Santilli Quirino Says:

    LDAP authentication: did you mean LDAP auth for all the pfsense apps? (e.g. captive portal)
    Thank you for the great work done and for the possibilities you give us!!!
    r3N0oV4

  102. Chris Buechler Says:

    LDAP authentication is currently only for administrative users, not other users like captive portal, PPTP, etc. Those can all use RADIUS which is sufficient for the same purpose most of the time.

  103. John Dakos Says:

    Hello all. Thanks to all these programmers for this good [ Free Project ].

    Chris Buechler Says: Traffic shaper completely rewritten – now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing.

    This is a very nice thing. In version 1.2 we can run the wizard for the traffic shaper again and again .. and lose all rules. In 1.3, has this been changed or not?

    Thanks Again.

  104. Chris Buechler Says:

    John: that’s specifically one of the things addressed, the wizard annoyances of the last version should no longer be an issue. Once 1.3 is publicly available I encourage you to test it and let us know if any of those annoyances are still there (we’ll be doing the same ourselves, but more eyes is better).

  105. Southman Says:

    Paul, I recommend that you return your pfsense setup to the place you bought it and go purchase a commercially available firewall solution and support that will fit your needs. Where do you get off demanding anything from this team and their project? The software this team has created rivals many of the commercially available firewalls, and the price is right. They deserve your heartfelt thanks, not your ridicule!

    Thanks to the team, and keep up the good work!

  106. psk Says:

    Being that 1.3 will be on a different version of FreeBSD, will there be a firmware upgrade or will we have to reload / reconfigure an existing box from scratch?

  107. psk Says:

    oh.. and I just wanted to say.. “GREAT JOB ON A GREAT PRODUCT”

  108. Chris Buechler Says:

    Firmware update from 1.2 to 1.3 will be possible.

  109. smallcaps Says:

    how will the firmware update affect the embedded version of pfSense?

    Indeed, this is personally my favorite open source project… hands down! congratulations to all involved with the pfSense project, you should be proud! i look forward to being wowed by 1.3 and success with everything.

  110. Chris Buechler Says:

    Embedded upgrades will depend on what we end up doing with embedded. We’re looking at moving to a completely different kind of image, and if that happens, there will be no way to upgrade from any previous version to 1.3 without reflashing. Fixing embedded upgrades from 1.3 on is a priority, and will likely require significant changes to embedded.

  111. Steve Mellor Says:

    I’m probably in a vanishing minority to say this, but: “Novell eDirectory authentication!” Fantastic! Thank you.

  112. Chris Buechler Says:

    Steve: glad someone appreciates it. :) I was wondering myself how widely used that would be, it was a requirement for the company that sponsored the work.

  113. white_hat_man Says:

    Rubbing up people the wrong way, as demonstrated by your arrogant posts above, means that you truly NEED a multi-faceted security solution like pfsense to prevent people taking a targeted stab at you.
    So, why don’t you attempt to make amends and sponsor the project, providing a bounty for the service you demand so eloquently?
    I should think a few thousand dollars would begin to repair your reputation :)

  114. white_hat_man Says:

    oops, that was at Paul Rowe, help me?

  115. Mike Says:

    Chris,

    “LDAP authentication is currently only for administrative users, not other users like captive portal, PPTP, etc. Those can all use RADIUS which is sufficient for the same purpose most of the time.”

    Can we expect LDAP authentication for the captive portal sometime in a future release? Using it for only admin users is ok, but I really need it for the captive portal so I can use pfSense instead of the HP7xxwl stuff (without having to add a RADIUS server into the mix for another point of failure)… :/

    Thanks!

  116. Chris Buechler Says:

    Mike: not in 1.3 unless you’re willing to fund the work. Otherwise at some point in the future post-1.3, maybe.

  117. danne Says:

    I disagree on 3G-support. Now when speeds up to 7.2 down / 1.6 up are widely available it’s getting very common in Europe to use 3G as a backup connection. I understand the problem with supporting different devices through patches, but basic support for the most common devices would be really excellent.

    I just love pfSense and look forward to 1.3.

  118. Chris Buechler Says:

    danne: not sure what you disagree with. I agree it’s absolutely an important feature and it’s something we really want to offer, but if we can’t properly support more than a couple devices it’s probably not worthwhile. More will be coming later – keep blog.pfsense.org in your RSS reader. :)

  119. Mike Says:

    “Mike: not in 1.3 unless you’re willing to fund the work. Otherwise at some point in the future post-1.3, maybe.”

    I’m kinda new to this project, is there a set price for something like this? How does this work?

  120. Chris Buechler Says:

    Mike: Depends on the project. Generally you provide the exact specifications of what you want (as it differs from what is there now), then we’ll take a look at it, make sure it’s possible, figure out how long it will take, and provide a fixed quote based on that. As long as the resultant work is open source as part of the pfSense project, our prices are based on a low hourly rate.

    You can email me at cmb@bsdperimeter.com if you would like to discuss further.

    This isn’t an extortion plot or anything. :) We can’t possibly implement every feature request, or even the majority of them, as there just isn’t time. We’ve found this is the best way to prioritize development and work towards fully making a living working on pfSense, and there are numerous companies willing to fund work. All the major new features in 1.3 are the result of funded development.

  121. Atrillanes Says:

    All this talk, enough with all thanks and kudos we all know how great it is. What I would like to know exactly is when it will be publicly available. Can anybody tell me? The “next month” release date is pretty much open-ended.

  122. Chris Buechler Says:

    I’ll get a development update post up probably this weekend. It works, it’s been working for a while, snapshots are building, we’ll probably let it out to the general public soon. We don’t have time to deal with the onslaught of bug reports right now (the majority of which end up being misconfiguration, but take significant time to investigate), and a number of changes are in process at the moment.

  123. JBanks Says:

    Is there a reason the pfSense group/project is so secretive about the next product roadmap – seriously? I see so many of the SAME questions by numerous people and it’s always the same. Most other projects have “some” sort of ETA; organized ones anyhow. For some people, this product is what they based their IT decisions on – Vyatta or pfSense? Untangle or pfSense? SmoothWall or pfSense? etc etc etc…

  124. Chris Buechler Says:

    JBanks: we’re not secretive about a road map, we don’t have a formal one. The primary reason is we have no system to easily do so – this is being covered as part of the git conversion, Redmine which will replace cvstrac gives us facilities to put together development road maps. Look for one after the git conversion is completed.

  125. A.I. Says:

    Tried the alpha-alpha release. Could not establish an IPsec VPN with older 1.2 version. PPTP server seems to always check the radius option even though I repeatedly un-check it. Interface looks great! The rate limiter option could use a download/upload perspective instead of the src/dst address. Do we need to add 2 rules there, one for upstream, one downstream? Overall it looks mighty fine!!

  126. Fred Stephani Says:

    Are there any plans to implement a browser based SSL VPN solution in 1.3?

    You are all doing a great job with this project, I am a huge fan of pfSense.

  127. Chris Buechler Says:

    We have no plans to implement a “clientless” (which is marketing BS) or “browser-based” (also marketing BS) SSL VPN for two reasons.

    1) there isn’t a good open source one.
    2) Reasons explained here:
    http://article.gmane.org/gmane.comp.security.firewalls.pfsense.support/14336/

  128. Al Says:

    Totally love this firewall! Rock solid. Multi-wan is awesome. Carp is great. Failover is a dream!! Can’t say enough positive as a firewall.

    BUT – Also agree with above RE: Load Balancer monitoring…

    I have not been able to use the built-in load balancer in PFSense because it lacks customized monitors. I know there are solid open-source tcp monitor packages around, was hoping to see this added. Better yet, a little http get monitor with text string evaluation would do it… Many times a web server is UP on tcp, but down for HTTP GET on 80…

    Adding this would mean many of us could ditch two boxes entirely (Master LB and Failover LB) and use PFSense for the whole thing…

    What a dream that would be!

  129. Chris Buechler Says:

    Al: the load balancer in 1.3/2.0 has already been replaced with relayd and does what you mentioned.

  130. Francis Says:

    Hello there, my question deals with aggregation and is asked with total respect to the programmers as I know nothing about programming. That being said, is this possible, and would it work?

    When a request to the internet reaches pfSense, pfSense uses 1 WAN to get the size of the page or whatever from the page server. Then pfSense splits the reply in half and requests a half from each of the WANs, gets it and sends the page to the requesting computer.

    Since everything dealing with the internet deals in packets, theoretically this is possible, but is it practical in real life? Is it something that can be programmed?

    Thanks for the info

  131. Chris Buechler Says:

    Francis: that’s not theoretically, or otherwise, possible because of the way the Internet works. Post to the forum or mailing list for more in-depth discussion.
