1.2.3 release status update

February 10th, 2009 by Chris Buechler

The announcement for the 1.2.3 snapshots advised caution because of some changes going in, and unknowns with the switch to FreeBSD 7.1. It has been well tested at this point, and I wouldn’t hesitate to use it in production if it contains something you need or a developer suggests using it. A timeline on a final release isn’t available at this time though.

The primary changes are:

IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. Reloading everything wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site to site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.

IPsec NAT-T support has also been added.

Upgrade to FreeBSD 7.1 – We never know what we might run into when changing FreeBSD versions. Sometimes a version change requires numerous changes in our code base, as going from 6.x to 7.0 did. Going from 7.0 to 7.1 hasn’t required many changes at all though. This was the primary reason for caution, and it has proven to be a non-issue. It also has proven to fix many hardware regressions between 6.2 and 7.0. A number of users have reported that hardware that worked fine on 6.2 stopped working on 7.0. In every case I’m aware of, 7.1 fixed that problem.

Wireless code update – Sam Leffler, one of the primary developers of wireless on FreeBSD, was kind enough to point us to the latest wireless code back ported from FreeBSD 8.0 to 7.1. There are companies shipping access points on this code base. Our 1.2.3 snapshots include this code, and several users have reported considerable improvements in compatibility, stability and performance.

Dynamic interface bridging bug fix – the bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.

Download

49 Responses to “1.2.3 release status update”

  1. PredatoryFern Says:

    Awesome. Thanks to all contributors, the pfSense team and Sam Leffler for their hard work on this release!

  2. BennTech Says:

    NAT-T…seriously??!? Yes, finally! Been waiting on this for a LONG time. Thanks!

  3. thekurgan Says:

    It’s always nice to get to a FBSD *.1 version. Great work, truly amazing product, will wait anxiously for the 1.2.3.

  4. Teg Bains Says:

    Wow. That is quite a list of fixes! The VLAN fix is HUUUGE!

    Thanks for all the great work!

  5. Jonathan Says:

    You guys are superb.

  6. Robert Says:

    * IPsec NAT-T
    * Dynamic site to site IPsec

    Holy crap….these are the only two things that were missing that I needed. No new features my ass…. thank you!!

  7. Chris Buechler Says:

    The code for NAT-T support was already there, it was just hidden from the GUI and the kernel patch wasn’t included previously.

  8. Dominik Says:

    pfSense is getting better and better. I love it.

    I can’t wait to switch my “dynamic openvpn site to site” setup to “dynamic site to site IPsec”.

    Thank you to the pfSense team and all the developers.

  9. Alpha Says:

    We have used pfsense for a few years, and it keeps growing.

    Really happy to know that “dynamic site to site IPsec” is finally supported ^^

    PFSense is really great~

    I guess another most wanted feature / fix is the FTP issue under multi-wan

  10. PfUser Says:

    Nice Pfsense Devs,

    One question… when will role-based webGUI access be available to use?

  11. Chris Buechler Says:

    PfUser: in 2.0, like all new features (dynamic site to site and NAT-T were exceptions because the code was already there for both, they just needed a minor change and exposing to the GUI).

  12. Juve Says:

    Awesome.
    The fact that not all the tunnels reset when changing one is very cool and important. Large IPSEC concentrator will be easier to manage.
    Nat-T…nice!

    I’ll be testing it as soon as I can.

    Thx

  13. Beat Says:

    Must be blind… cannot find the NAT-T Setting…

  14. philrou Says:

    where is the 1.2.3 file to download ?

  15. Chris Buechler Says:

    philrou: Added the link to this post.

    Beat: haven’t checked an actual snapshot, will at some point.

  16. Robert Says:

    Re: NAT-T

    Is there a reason not to enable it all the time? If it doesn’t need to be used, it won’t be. ‘Not sure why we need a GUI checkbox at all.

  17. Laith Z. Says:

    Really great,

    We are willing to migrate all our Cisco firewalls to pfSense as well as use it in all new deployments, I am really impressed with all new features, our company is almost completely relying on this great piece of software.

    I hope to see pfSense better and better.

    Regards

  18. Chris Buechler Says:

    Beat: the checkbox is definitely there in snapshots.

    Robert: right, it won’t be used if it isn’t supported but is enabled, but still something we want to let people control. Some may never want to use it even if it is available, and with all the various deployments out there, we don’t want to turn on something that wasn’t previously turned on, there’s a chance that will break things for some people.

  19. Mr John Bravo Says:

    Just wanted to thank y’all for fixing the VPN/ipsec issues. I had been having issues with connecting my pfsense to tz190 sonicwalls with enhanced os (customer boxes). After the 1.2.3 update the VPNs came up instantly no problem. Thanks again.

    Mr. Johnathan Bravo

    –ohhh mama!!!—

  20. Robert Says:

    JBravo,
    I agree. This sole feature allows me to start replacing Sonicwalls in my environment. I’ve been waiting for what seems like years.

    And for home use, the addition of UPnP and (easy) static DHCP mapping makes pfSense even more desirable than a Cisco ASA5505 in many ways.

  21. Gladiz Says:

    Seriously, after I tried pfsense version 1.2.3 it was more aggressive. Also, the update is running very well. Exactly the same as FreeBSD 7.1 which I use now.
    From the GUI display there is almost no change compared to stable version 1.2.2. However, the performance of the version 1.2.3 system is more stable.
    Load Balance, traffic sharper, multi wan (pppoe & static) are running normally. Internet connection for the client is more stable.
    The advice I can give: try pfsense version 1.2.3 and feel the difference.

  22. Duncan Says:

    Is everything OK with the build server? No new snapshots since the 11th of Feb.

    Waiting with anticipation!

    Thanks for the great work.

    Duncan

  23. Chris Buechler Says:

    Duncan: there haven’t been any changes since the 11th. When there are, they’ll be updated again.

  24. Jason Litka Says:

    I haven’t used a snapshot of pfSense before. Is it possible to upgrade from snap to snap as new ones are released, and then later to the final 1.2.3, or would a system require a reinstall to update?

  25. Chris Buechler Says:

    Jason: you can upgrade just like any release.

  26. Jason Litka Says:

    @Chris: Cool, thanks.

  27. Albert Says:

    I’m downloading now, any chance glxsb.ko is available? It’s the Geode security block driver which I believe is included in 7.1 CVS. It has been backported to 6 as well.

  28. Albert Says:

    In case it’s not in CVS:

    http://user.lamaiziere.net/patrick/glxsb-220608.tar.gz

  29. Chris Buechler Says:

    Albert: we forgot that was in 7.1, thanks for the reminder. It was just added to the kernel config, will be in snapshots starting 02/19.

    try it out and let us know how it goes.

  30. Martin Says:

    Where can I find the change logs for 1.2.3 and 2.0?

  31. Chris Buechler Says:

    Martin:

    1.2.x here: https://rcs.pfsense.org/projects/pfsense/repos/mainline/logs/RELENG_1_2

    2.0 here: https://rcs.pfsense.org/projects/pfsense/repos/mainline/logs/master

  32. Martin Says:

    Thanks!

  33. tohil Says:

    Hi guys

    any news when the 1.2.3 will be released as stable?

  34. Chris Buechler Says:

    tohil: No idea, we’re mostly working on getting ready for the Hackathon next week and will be working almost entirely on 2.0 then. I suspect since everything on 1.2.3 is working fine, and we haven’t seen any regressions, we’ll make it a RC by the end of the month.

  35. Arayzf Says:

    Is it capable of squid proxy multi-wan load balancing and failover? Actually this is my very big problem, that’s why I am hesitant to use pfsense in our organization. Please have this fixed, pfsense developers. I’ll be very proud if you do so. I am looking forward to using pfsense as our firewall, webfilter etc. Just waiting for your feedback. Thanks

  36. Chris Buechler Says:

    Arayzf: No, there is no policy routing from localhost until 2.0 at earliest. Put squid on your internal network instead.

    Should you be interested in funding that development, it can be guaranteed for 2.0. Just email me.

  37. mikemee Says:

    Hmm, not sure what I did wrong, but I just did an upgrade from 1.2.-RC1 (Nov 08?) of embedded on an Alix box using pfSense-Embedded-Update-1.2.3-20090307-1252.tgz and now it won’t talk to me anymore (yeah, I did it remotely like you’re not supposed to do).

    Guess I’ll find out on Monday what it’s dumping on the terminal port. Fortunately it’s not a critical box ;)

  38. Chris Buechler Says:

    I wouldn’t recommend upgrading embedded at all at this point.

    There will be a new embedded coming in the next couple months, utilizing nanobsd (a standard FreeBSD build process). At that point, a re-flash to the new embedded will be required, but from there it will always reliably upgrade.

  39. Robert Says:

    Chris, is this new build part of the 2.0 track only? Or will there be a 1.2x refresh?

  40. Chris Buechler Says:

    Robert: It’ll be available with a 1.2.x base too, that will actually be where I start.

    I’m not yet sure if 1.2.3 final release embedded will be this way, or if it’ll be right after that.

    I’ll have a blog post dedicated to this sometime in April as work gets under way.

  41. rigius Says:

    Hi,
    Do you have any news on the advancement of the 1.2.3 release?
    Thanks for this wonderful tool.

  42. Chris Buechler Says:

    We bumped the version to RC1 a couple days ago and will have a RC1 release sometime this week.

  43. Robert Says:

    RC1? Is it soup yet?

  44. Chris Buechler Says:

    1.2.3 is stable, but we’re focused on moving 2.0 to FreeBSD 8 at the moment so it will probably be another few days before 1.2.3 RC1.

  45. Jason B Says:

    Hello, any update on 1.2.3 release?

  46. Chris Buechler Says:

    Jason: there’s one right there above your post.

  47. Michael Says:

    Hmm I am sitting here in front of freshly installed snapshot from yesterday (21) and it shows as 1.2.3 RC1 :)

  48. Chris Buechler Says:

    Michael: yup. :) The official signed RC1 release is being built as I’m typing this, it’ll be out this evening.

  49. Paul M Says:

    please can you update the download link?
