List of 2.0 New Features and Changes

May 3rd, 2010 by Chris Buechler

Haven’t had a post up here in a while, but for anyone who watches our git repository, you know development never ceases. Vast amounts of work have gone into 2.0 this year, and it really shows. We’re deploying it in production, though generally recommend you don’t yet.

A work in progress list of 2.0 new features and changes is available. I think that has most of the changes, but it’s definitely missing some. If you notice anything that was missed, please leave a comment. We’ll be adding to it as we review the list more in the coming days.

It’ll be released sometime this year.

130 Responses to “List of 2.0 New Features and Changes”

  1. Jan Phillip Greimann Says:

    Ahh, new news about pfSense 2.0

    Hope for soon release, go on guys!! :-)

  2. Marco Says:

    Simply amazing. Can’t wait to have it on my Alix boards!

  3. Eduardo Says:

    Please include a user manager module alike m0n0wall does under SYSTEM > User MANAGER, so you can define users and groups security levels such as ‘tech support’ to view-only and manager account to full access and supervisor account to have limited access to SYSTEM, INTERFACES, FIREWALL, SERVICE, VPN, STATUS and/or DIAGNOSTICS. Thanks :-)

  4. Chris Buechler Says:

    Eduardo: it’s there, and on the list

  5. James Says:

    Hopefully this will be stable soon. I tried the beta but it wasn’t working for me. I’d love to see the shaper working with LAN, OPT and one WAN interface. Please don’t let me wait that longer ;)

  6. MacDonald Says:

    Please add the possibility for a hotspot

  7. Chris Buechler Says:

    MacDonald: …/me scratches head… you mean the captive portal that’s been there for 5+ years, since the first release?

  8. Erik Fonnesbeck Says:

    Chris: But making a page read-only for a user isn’t there yet, is it?

  9. Chris Buechler Says:

    True, Erik, it’s all or nothing.

  10. Emmanuel Rivera Says:

    when will be the release? I’m looking forward to the enhanced captive portal with voucher support.

  11. Chris Buechler Says:

    Emmanuel: that’s answered as specifically as we can at this point in the post. We really can’t say any more specifically as we don’t know.

    But those of you with developer skills, or even testing abilities, helping us along will speed up the process. See the remaining things to fix/todo items here:
    http://redmine.pfsense.org/projects/pfsense/issues?query_id=5

  12. Martin Says:

    Amazing! Thanks so much for one of the best firewalls (commercial or open source) available.

  13. Chris Says:

    I just want to say thanks for such an awesome product. Everything in 1.2.3 just works, and that’s really cool. I’m kind of impatiently awaiting the 2.0 release, ;-) but I just want to say I appreciate all the work you guys put in to this. It makes using your product a joy.

  14. chowtamah Says:

    Eagerly waiting for 2.0 release. Tested Beta 2.0 in my lab and waiting for green signal to use in production.

    Thanks for the wonderful product. Whenever I meet any IT person i always discuss about the pfSense and recommend them to use it.

  15. Pete Boyd Says:

    2.0 / Chris & Scott promise so many features that will improve the capabilities of what I as a sys admin am able to offer with out-of-the-box efficiency and dependability. I’m so looking forward to it.
    For example, being able to provide backup Internet in the form of a pay-as-you-go 3G USB modem, is very exciting.
    I’m always eager to hear news about its development.

    If you point us toward a technology preview / alpha build people will have something better to relate to for testing.

    Will the OpenVPN Certificate Manager have the ability to import an existing CA cert and user certs and keys?

  16. RisingHawk Says:

    Everytime I take a look to new features in pfSense 2.0, I get more and more impatient to use it, :D. Anyway I must say, as always, that it is the best and most professional firewall I have ever used!. THANK YOU SO MUCH FOR SUCH A GREAT PRODUCT!

  17. Terry Says:

    USB install and BOOT?!

  18. Chris Buechler Says:

    Terry: that’s entirely dependent on what FreeBSD RELENG_8 (8.1) is capable of on your hardware.

    From what I’ve seen thus far, USB CD/DVD drives generally work fine, though not always. Booting from USB flash or hard drive I haven’t tried, but generally should work as well, people are doing it now with the stable releases.

  19. Robert Says:

    All very nice features. I look forward to GRE tunnels. Will they work with Cisco IOS?

    My only other request in the name of stability is to scrutinize the packages more before they are allowed to be installed in 2.0. There are too many buggy ones for 1.2.3. Maybe some kind of approval process?

  20. Scott Says:

    I have used the USB flash boot for over two years (on the current STABLE build, not 2.0)… only problem I had was the flash drive’s read/write limit.

    Suggestion: if you want package support, consider a recent flash drive with good read/write limits and block mapping. If you don’t need package support, the embedded image is effective read-only except for the config file (and possibly logs).
    There is a way to make the full install boot the file system as read-only (mimicking the embedded image behavior), but packages which are not designed with this in mind will think that their file changes will be permanent (ex: SpamAssassin).

  21. Hacktivist Says:

    Time based access control would be a great feature. Hope it will be included in the final release!

    Can’t wait to use it!

  22. nuro Says:

    will 802.11n support be available in 2.0. the atheros drivers atm are abit flakey as well

  23. netinfo Says:

    Hello,
    and about IPv6?
    Still bad ISP? ;-) http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/#comment-2162

  24. Brian Simonsen Says:

    Hi, great product. I am contemplating replacing our aging netscreen25 in our hosting center with pfsense. I am wondering about ipv6 support though? Its not in the feature list

    Best regards

    Brian

  25. Chris Buechler Says:

    IPv6 will not be supported in 2.0, it’ll be one of the first things added after 2.0 release. Latest info always available here: http://doc.pfsense.org/index.php/Is_there_IPv6_support_available

  26. Chris Buechler Says:

    Hacktivist: time-based rules are already available in 1.2.3, they’re just enhanced in 2.0, allowing more capabilities since they’re integrated with pf.

    nuro: that’s beyond our control, whatever is in FreeBSD 8.1 is what we’ll have.

  27. Chris Buechler Says:

    Robert: GRE is GRE, it’ll work with Cisco or anything else that does standard GRE.

    Packages are largely maintained by outside contributors and aren’t extensively vetted, if they aren’t harmful (i.e. no back doors, don’t create gaping security holes), they can be accepted. What we need to do is classify them better, people seem to ignore the “status” label where a certain package may be labeled alpha and hence should never be installed for anything other than test purposes on a test system, people click away and install anyway. The alternative to not put them out there at all hides them from those who can help with fixes and development on the work in progress packages. So we’ll never go to a process where only approved packages are available, but at some point (probably post-2.0) we’ll differentiate between what we consider production-grade and non-production packages more obviously than we do now with the alpha/beta/stable labels.

  28. Scott Says:

    is carpdev support still targetting 2.0? I know it shouldn’t be your problem (I’ve been hoping to see it in FBSD for quite a while), but I heard you guys were making some progress towards it.

  29. Mark Says:

    I downloaded a copy of 2.0 and popped it on a VirtualBox VM. Wow – nice job, guys! Lots of really cool things. I like the things you can do now from the firewall log with the easy rule thing. Way cool! I also like the rss feed thing, but I could not get it to save. Is there a trick to that? Otherwise, brilliant work!

  30. Fred Stephani Says:

    pfSense is awesome! With the implimentation of Layer 7 rules will the hardware requirements of 2.0 go up? I can hardly wait for 2.0… woot!

  31. Chris Buechler Says:

    Fred: Not completely sure yet but it doesn’t seem to make much difference at all, for the average user it won’t increase hardware requirements.

  32. Chris Buechler Says:

    Scott: no carpdev in RELENG_8, we have more resources to get things like that done now, but won’t be til post-2.0.

  33. Maxim Hansen Says:

    Gaaah! Almost can’t wait until you guys declare 2.0 production ready! We tried it en (rather early) BETA, and already were amazed by the new features!
    Greatly appriciated is the new load balancer!

    Thanks for all the hard work!

    (I bought the book btw, great stuff! Any plans on publishing a revision based on 2.0?)

  34. Richard Eaton Says:

    Thanks guys for such an amazing product, really excited at the new features coming in 2.0 especially the freeNAS / Samba possibility, that will be fantastic for the smaller users who prefer an “all in one box” solution.
    Really hope the “bug” fixing process is nearing an end, just a shame i know next to nothing on coding so am unable to help, however i do recommend your product on to anyone needing captive portal solutions.
    Keep up the good work.

  35. Chris Buechler Says:

    Richard: Not sure where you found that but there is no FreeNAS or Samba integration, we don’t believe you should ever build such an all in one box (though if someone wants to contribute such a package, we would add it to the repository, there isn’t anyone working on any such thing at this time). The two projects are difficult to integrate (someone was working on it years ago and abandoned the work), and that’s a bad role to combine on one system.

  36. Doug Says:

    Awesome work. Pfsense continues to be the ultimate solution for nearly any size. The only request I would have would be an SSL vpn (web facing browser login type deal). But I wouldn’t trade it for any other distro regardless! Thanks Chris!

  37. Pfsense – With out doubt a very good software firewall | FreeBSD - the unknown Giant Says:

    [...] please leave a comment. We’ll be adding to it as we review the list more in the coming days. (source) Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this [...]

  38. Clayton Ross Says:

    Man I know it not a popular idea, but to me a free nas package would be so nice, at home I run a little VIA board with Pfsense and a Atom board with free nas for my file server, it would be great to be able to reduce the need for two boxes. No one would want this stuff it’s just nude pics of me ;D
    I also run a few Pfsence boxes at work that connect our sites together via fiber and those nodes would be ideal freenas boxes, but hey I see the reason why not to do it if the router is on the internet, but not are routers are and I can think of lots of reason to run freenas.

  39. D.M. Geurts Says:

    What about virtio drivers for running pfSense in a VM? would love to have pfSense run more efficiently on Virtualbox. Also would love to see CARP working in Virtualbox but am assuming that that is not due to pfSense…

  40. Biffen Says:

    Chris; m0n0wall recently addes a hardware monitor option to show temperatures etc. Is this something that you will add, or possibly something the new widget system could provide?

  41. rhy7s Says:

    Data instead of time based voucher generation for the captive portal would be a great addition. Thanks for the work done thus far.

  42. Chris Buechler Says:

    rhy7s: lots of companies already do data limits in that fashion with 1.2.x, that’s something you need a RADIUS server for.

    Biffen: no plans for that at this time, that monitor supports very few hardware platforms. if a good sensor framework makes it into FreeBSD we’ll use it. We won’t be adding anything like that for 2.0.

    D.M.: yeah that’s limits of virtualbox networking AFAIK. There doesn’t appear to be any virtio drivers for BSD, we generally recommend VMware ESX for good performance.

    Clayton: as I said, we would gladly add it if someone wants to contribute it. It’s a ridiculous amount of work, and would have to run in a jail as the two would stomp all over each other otherwise.

    Doug: there aren’t any open source solutions along those lines, and all the commercial ones are absolutely horrid what they do to your network stack. You really don’t want one. OpenVPN is SSL VPN, done right, not a nasty proprietary hack.

  43. rcfa Says:

    Is there going to be a way to prioritize routes? Policy routes?

    Here’s why: I need to have the default route go out over a tunnel (VPN, PPTP, L2TP, GRE), but of course the tunnel needs a route, too. So I need to be able to sort routes based on priority.

    Also, policy based routing would be great, e.g. route outgoing http requests through NAT directly to the ISP provided connection, everything else route through the tunnel, etc.

    Another issue: assign interfaces by MAC address. Plays a role with USB NICs, which may end up with different interface names upon reboot, based on the order in which they happen to respond/be recognized by the OS during boot, or based on which port they happen to be plugged into or which other USB devices happen to be present/removed (keyboard, mouse, etc.)

    Lastly: is there a plan to support DisplayLink USB displays or a VNC console? The reason I ask is this: the computer I’m going to be using for this is some small Atom 330 based thing, which mostly is going to run headless. But it seems to be close to impossible this day and age to find a cheap 8-10″ VGA LCD display for the occasional console access. The only reasonably priced small-sized LCD screens seem to be the USB DisplayLink based ones, and I really don’t want to haul a 20″+ screen into the basement if for any reason I have to do a few things on the console (like relaunch the web interface or enable/disable ssh access, etc.)

  44. rcfa Says:

    ugh, a couple more things, although obviously not for 2.0
    a) I use a Zotac IONITX-L-E board, which supports the NVidia ION chipset’s RAID functionality, but BSD seems to have trouble with that. Obviously a BSD and not a pfSense issue, but it would be nice to be able to use a hardware RAID since I’m going to use two 8GB CF cards with a SATA adapter. In the mean time GEOM will have to do.
    b) similarly, the ION is largely going to be unused. Is there any effort underway anywhere to do a CUDA/OpenCL crypto lib? It would be awesome if the GPU could be used as a crypto accelerator for VPN traffic, etc. Basically, these low-power Aton 330/ION boards should be able to handle rather sizable networks (dual core, 64-bit, 4GB RAM) only potential bottleneck is significant crypto processing, but there’s that unused GPU sitting there being idle…

  45. rcfa Says:

    One more thing :)
    There’s only a means to SET UP a GEOM mirror in the install mode, no selection to DESTROY a GEOM mirror. Problem is, if for some reason the storage devices don’t play well with each other, it’s impossible to install pfSense on the drives, because the left-over GEOM setup will cause issues. The only way to fix this is to format/partition the drives with some other OS before going back to attempting a pfSense install…

  46. Erik Fonnesbeck Says:

    rcfa:

    Assigning by MAC address shouldn’t be too hard to do. I think there are only a couple settings in the configuration that would need to be updated at boot to fix the configuration before other code runs that depends on those settings.

    For accessing the console, if it has a serial port I suppose you could use a null-modem cable to connect it to an old laptop with a serial port or to any other laptop with an adapter to connect it to a USB port on the laptop. You may even be able to find some kind of portable serial terminal with a built-in LCD display. If the system does not have a serial port, I’m not sure what you could get that would be inexpensive and would work, though.

  47. itwerx Says:

    Wow, fantastic list! Really looking forward to the multi-interface QoS!
    Also, does “IP Alias type Virtual IPs” mean we can have Virtual IPs outside the range of the original IP subnet?
    I.e. can we do CARP in single-public-IP scenarios by having the “real” primary interface IPs be non-routable and the public IP be virtual instead?

  48. Daniel Golan Says:

    I have to say that this is my favorite open source firewall
    I recently but the book and its simply grate and must have book when working with firewall’s
    My Q is this dues PFsense Will support the option for SSL VPN via the web browser

  49. TJ Says:

    Already running it in production, passing over 100Mb/s .
    I only wish for a web browser SSL VPN and a better filtering/sorting of firewall log entries. Nat src, Nat dest, total bytes, etc.
    For a firewall admin a fw device is as good as its log entries management.:-)
    Great job guys!!

  50. chpalmer Says:

    Thanks Guys!

  51. chrisw Says:

    Just a few suggestions:
    OSPF, BGPD and add options to NTPD like timezone.

  52. Chris Buechler Says:

    chrisw: BGP and OSPF are both available in 1.2.3 (and 2.0) in packages.

  53. Max Ens Says:

    This a great job squid with tcp_outgoing_address works so no need more load balance this better for distrbuite the traffic great job guys!!

  54. Damian Fantini Says:

    Hi, anybody know how to setup this feature:
    http://blog.pfsense.org/?p=35&cpage=1#comment-7048

    If anybody can help me I will greatfull.

    thanks

  55. Angel Sandoval Says:

    Chris, first I want 2 thank you for this great work.
    Im wondering if you have ever considered implement some kind of WAN Optimization mechanism like trafficsqueezer or WanProxy.
    It would be great in high latency/poor bandwidth scenarios.

    Thanks!!

  56. Jits Says:

    WOW!!! That IS an impressive list!
    Um, does this mean a new book is in the works?

    I can’t wait to see the day when y’all get tired, and greedy and sell-out this fantastic software to a great big, and even more greedy company who will promptly flush it down the toilet for piece of mind against their suffering bottom line because of their piece of shit firewall with back doors for Israeli, American, British, and Australian paranoid intelligence services, y’know…like Zone Alarm and Checkpoint.

  57. Jon Scruggs Says:

    Will 2.0 allow me to use the Traverse Solos multi-port ADSL2+ PCI card? I think it uses the San driver on OpenBSD. Is there something similar for PFSense? Also, is the Atheros AR9220 chipset supported for Wireless N cards?

    Thanks.

  58. Frank Pikelner Says:

    I’m another in need of IPv6 support in pfsense. This has been a long priority for us and something that has been available in m0n0wall for sometime. Would very much appreciate anything that could be done to accelerate IPv6 in pfsense.

  59. Paul Says:

    Someone mentioned an web page accessible SSL VPN. Just my two cents, but depending on how you want access, I have found the best way to allow web access is to set up an NX server and use the NX web client. You can pass a user directly to any Linux app, or RDP, maybe citrix.

    check out nomachine.com, but use the freenx port for the server.

  60. John Klimek Says:

    I’m also really, really hoping for an integrated web-based SSL VPN…

  61. bob Says:

    hello all;
    good job team.

    i can’t see logout botton.

  62. Belthazar Says:

    bob,

    Under System options you will find the logout function.

  63. Jeremy Says:

    Please build with a ZFS-aware bootstrap loader! ZFS **GREATLY** increases the life of now completely affordable multiple GB NAND flash devices or even 16-32GB USB flash modules.

  64. GruensFroeschli Says:

    Jeremy: This is what the nanoBSD version is for.
    It mounts everything read-only (except when writing down configuration-changes)

  65. Scott512 Says:

    Hi all,

    a LNS fonctionnality wil be very great ! (and LAC too, if you have time ;-) )

    Thanks All, Pfsense rocks !

  66. Ermal Says:

    Scott for 2.1 probably for 2.0 i think its too late.

  67. dooby Says:

    Thanks Chris B !!!!!

    Your pfSense is just AWESOME!!!!!!

    dooby

  68. Jigar Says:

    Hi all. Thanx for the very good work !!! Keep it up ;)
    1- I’d like to know how the L7-Filtering is processed.
    2 – Is IPSec XAuth support mean Mode-Config support too ? (dhcp other ipsec, dynamically send taffic end-points according to user autentication, RFC1918 IPs send, etc ? )

  69. Ant Says:

    In pfsense 2.0 able to use captive portal use multiple lan and each lan difference type of authentication ?

    sample : LAN1 authen –> Radius server A
    LAN2 authen –> LDAP
    LAN3 authen –> Radius server B
    LAN4 authen –> Local user
    LAN5 no athen

    Something like that

    Ant,

  70. Chris Buechler Says:

    Ant: No. You can enable captive portal on multiple interfaces but they must all use the same config and authentication

  71. Scott512 Says:

    An other functionnality will be welcome:

    3G backup with USB 3G key (like Huawei), If the xDSL break down, we can use the 3G access to backup the connection

  72. Lars Hupfeldt Says:

    2.0 looks great. Multiple Wireless configurations was one of things I was really missing.

    I hope it will be released soon though, so that you guys can get to work on the carpdev feature. Having more that one public IP is not really an option for me, as my ISP requires me to change to their “business” product, which cost about 300$ a month, as opposed to the 15$ I’m paying now. A bit much for a couple of IP addresses.

  73. mynullvoid Says:

    Policy Based Routing (PBR) please…. when I have multiple WAN, I hope that I can do route based on destination IP/URI for which WAN to be used (perhaps certian WAN requires Port REDIRECT for proxy)

  74. Chris Buechler Says:

    mynullvoid: we’ve had PBR for something like 5 years now, in every stable release we’ve ever put out.

  75. mrguitar Says:

    I’m super excited about the big 2.0 release; I can’t wait! Thanks to all the developers for their hard work.
    Cheers,

  76. mynullvoid Says:

    Chris Buechler: sorry I don’t get you, please review http://forum.pfsense.org/index.php/topic,24563.msg127610.html#msg127610

  77. TellusCitizen Says:

    Something I really wish to see evolve is monitoring tools for larger deployments. I use ntop on a mid size national intranet (14 sites + VPN) to monitor them in real-time.

    Running into limits of this tool; the lack of https (tho I do tunnel it over VPN), lack of centralized loging tools and support for push/publish centralized settings.

    I really like what watchguard has on this.

    And something else I miss. Ok so this might be legacy mayhem but I find it really useful: PXE server. Honest, the hours I have saved having default user and UBCD (www.ultimatebootcd.com) images on tap!

  78. mrguitar Says:

    TellusCitizen: PXE is really simple for pfsense 1.2.2 & 1.2.3. Just install Mcrane’s TFTP package and configure DHCP correctly. You can also setup a tftp server the usual FreeBSD way on 2.0 but you’ll need to change the default config which is a tftp proxy (if I remember). It’s not too tough, but I prefer to have my tftp elsewhere on the network. Good luck.

  79. vcondria Says:

    I’m a missionary for pfSense. I preach it all around.
    Is it possible to have the functionality of transparent mode squid and shaper out of the box? You know it is not working without complicated changes, or am I outdated?
    cheers and keep up the gorgeous work!

  80. Robert Pöhler Says:

    PFsense is really one of the best and most secure firewalls I’ve ever seen. I really trust this product and always. It combines the secure BSD plattform with a perfect built application. I am very happy to get the 2.0 for first test networks.

  81. Charlie Says:

    This is great, we are replacing our Cisco gear with PfSense, 1.2.3 and it just beautiful. great work guys.

  82. PfSenseUsR Says:

    Great Stuff! All in for the HTTPS/SSL VPN. That would be perfecting this solution. Check out the different options that e.g. an adito fka SSL explorer has. No need to forward the whole network through HTTPS. Supply single forwarded ports would be one nice option, Other would be to just do forward internal web sites through the HTTPS portal. That would probably be a smaller dev effort than going the whole nine yards with the full VPN network forwarding. (and would not be that ugly) What do you think the dev effort would be? Thanks again!!!

  83. Cameron Joyce Says:

    You guys do some awesome work. I have been running PFSense on a Firebox X700 in a test lab, but could never use it in production because of watchdog timeout issues. Now with the latest build released on 6/24 it is incredibly stable and I have only seen 2 watchdog timeouts in the last 8 hours. Great job again to all devs and beta testers involved.

  84. Chris Buechler Says:

    Cameron: you can thank FreeBSD developers for that, we have nothing to do with drivers. :) I’m not sure that’s changed much or at all recently actually, there’s something atypical with the NICs in those Fireboxes.

  85. nazir Says:

    Thanks a lot u guys, PFsense is the best opensource product that i have, i wondering if some monitoring tools like nagios + centreon + smstools.
    So we just have to put USB GSM modem to make anything alert via sms.

    tq in advance

  86. Jason Says:

    The user management feature is super critical to us as it is make or break for us to continue using pfSense. With PCI, HIPPA and other requirements, having a single administrator is simply not an option. The fact that it will have LDAP integration is just icing on the cake.

  87. John Says:

    When will IPV6 be included???

  88. Chris Buechler Says:

    John: see above: “IPv6 will not be supported in 2.0, it’ll be one of the first things added after 2.0 release. Latest info always available here: http://doc.pfsense.org/index.php/Is_there_IPv6_support_available

  89. Hans Andersson Says:

    I am using v.1.2.3 and it works great. But my WIFI card drops the connection every 5 minutes. Will there be a better support for my WIFI card? Linksys WMP54G-eula _v4.1-qi-60214 TE.
    Or should I change card/get an access point?

  90. Chris Buechler Says:

    Hans: that’s outside of our control, some cards work better than others, dependent on the driver. The switch from FreeBSD 7.2 to 8.1 brings more and improved wireless drivers so that may resolve it for you.

  91. Hans Andersson Says:

    Thanks for a fast answer. I hope BSD 8.1 has improved support or else I’ll switch the card because I’m NOT going to switch firewall. This is definitely the best one. Keep up the good work.

  92. djnux17 Says:

    what about antispam feature on pfsense, something like the endian firewall

  93. Rene Pitayataratorn Says:

    We have been using pfsense now for about 2 years – it does almost everything out of the box. Great work – FreeBSD REALLY IS the safer platform for a security gateway.

    There is one thing though: Squid tends to hang very often since 1.2.x times and we have tested 2.0 Beta 1 to 3 now and found that it still does tend to hang under typcial heavy loads caused by video streams and large downloads. Also the squidGuard feature stopped to do any filtering when we updated to 2.0 Beta 3. Is this a known bug? Maybe adding video cache would be a good thing.

    Btw. are there any plans to make the outbound multi-WAN loadbalancing a bit more fine grained in control – i.e. make it possible to do stats and set priority by protocol / protocol – load distribution / user / policy / affinity or Layer 7?

    Sorry of this was the wrong place to post this.

  94. Manohar Karlapalem Says:

    Hi,
    Are you planning to include SOAP (or any other equivalent) based services to control the firewall apart from the existing web GUI in the near future? A SOAP based service would be really beneficial to write software on top of pfsense.

  95. chris Says:

    im wondering would it be too much for a separation of sorts.?? what im looking to do is have a divider where the inbound traffic goes to one card and the outbound traffic goes to another?? is this possible in current version?? will it be available in the future.?? love this software meanwhile..really stable..

  96. Flavio Says:

    chris

    I don’t think it would work, specially if there are 2 IP addresses involved. A connection entering one card (with it’s own IP) and leaving from another would have a very high chance of being discarded or seen as a man-in-the-middle attack. And having the same IP with different MAC Addresses would also create havoc on your network.

    If you intended to have a card replying external access (for example a DNS server on the firewall machine or somethinf on that line) and another for connections starting from the inside of the network (your LAN), that would work and is already implemented as Policy Routing.

    Flavio

    PS: Looking forward to final version as FreeBSD 8.1 has been released.
    PS2: What a great software you have, belongs to the “Just Works” category (very well, I may add).

  97. Chris Buechler Says:

    Manohar: aside from our existing XML-RPC capabilities, which aren’t exactly perfect for those kinds of scenario, no we don’t have any plans for anything along those lines at this time. Patches welcome though.

  98. Pong Says:

    I’m still waiting the package on pfsense for limit for the work station specifically not using traffic shaper. you cant limit the band width one by one or customize.

  99. Pong Says:

    Ang also the pacakges how to aggregate the speed of to isp.

  100. Chris Buechler Says:

    Pong: re: “limit the bandwidth one by one or customize”, it’s already there in 2.0 with limiters. We’ve already deployed it on several production installs for ISPs.

    As for aggregating the speed of two ISPs, we do that as much as the laws of networking allow (or your ability to use BGP allows).

  101. Marcel Manzardo Says:

    Great product but we have one major feature missing. Support for Xen Server.
    Will there be a Xen Server appliance or a way to install the Xen Server Tools?
    Without Xen Tools there is no LiveMotion possible which limits pfSense significantly.
    Any comments would be greatly appreciated.

    Marcello

  102. Chris Buechler Says:

    Marcel: That’s dependent on FreeBSD and its Xen support, there is always ongoing work there but I don’t know where things stand at the moment. We use entirely VMware, mostly ESX, for testing, development, build servers, and some hosting. Don’t really work with Xen much, and we don’t have any Xen servers. That could be changed if you’re willing to put money towards it, email me if so (cmb at pfsense dot org).

  103. mynullvoid Says:

    My pfsense is acting as a gateway, but I also have another gateway if the destination IP matches some IP I stated. The problem I got is that that another gateway requires traffic to pass a proxy server:port, can the version 2 do it?

  104. Chris Buechler Says:

    mynullvoid: ask on the 2.0 board on the forum

  105. kanicus Says:

    First of all, thanks for this great software, I bought the book by amazon and it was a very interesting tool. I think that a really nice tool for Pfsense 2.0 could be the possibility to mark or tag some traffic as prioritary, like VoIP, to process first on ISP routers and avoid jitter and delay problems on VoIP links that goes into the OpenVPN tunnels. Typically VoIP traffic is not ciphered and security is not waranteed, recently lot of people started to use OpenVPN tunnels to transport VoIP links with more secutity, but then, all traffic priority tagging is lost(not really lost, is inside the tunnel and lose his effect), We would need to be able to raise priority of all UDP on 1194 for example (all voip dedicated tunnel), with lot of hardware delay higher than 100-110 is enought to dont understand anything, we need to be able to lower delay with proper voip tagging.

    thanks !

  106. Reza Says:

    Will there be any support for T1 cards? I would like to be able to terminate a T1 connection directly into a pfSense machine versus having to add something like an Adtran in front of pfSense.

    Thanks for all the hard work guys, you’ve made a wonderful product thus far.

  107. Chris Buechler Says:

    Reza: no plans at this time. If we had someone to provide funding for the hardware and time needed to add such support it could happen.

  108. Haralambos Prodromidis Says:

    DOES ANYONE KNOW, when PfSense 2.0 is about to be released for production use?

    Thank you in advance for any reply… ANYONE

  109. Chris Buechler Says:

    Haralambos: Read the post, that’s the most anyone knows.

  110. Joseph Brower Says:

    Chris: What hardware would you need to be able to begin work on T1 stuff?

  111. Chris Buechler Says:

    Joseph: we’d need T1 cards that are supported in FreeBSD. If any are, I’m not sure offhand. Plus, as importantly or more so, we need the money to cover the time. It’s really not a project we can take on right now, we’re focused on finishing 2.0 and that won’t be included. Definitely something we’d like to revisit in the future though.

  112. joseph brower Says:

    keep me posted chris. after this release it might be nice to get it on the roadmap.

  113. Gage Says:

    I’d like to add these feature for easy setup and able to increase speed on dual wan. Example, If you have two same 50/10 to become 100/20 in dual wan with bonding connections or load balancer.

  114. Chris Buechler Says:

    Gage: in most scenarios that’s impossible because of how networking functions. Outside of tunneling all your Internet traffic out a datacenter with much more bandwidth, though that’s very expensive and makes latency much worse which will reduce performance of some things, or another option is bonding with your ISP via BGP or MLPPP, which isn’t an option for most people. Aside from those two scenarios it’s impossible to get the combined throughput of two Internet connections on a single TCP/UDP/any other protocol connection (use a download manager that opens multiple connections and you get the total throughput of them all).

  115. Apostolos Hadjicharalambous Says:

    It would be nice if you could add multiple sources, destinations or services in the same rule.

  116. Chris Buechler Says:

    Apostolos: you already can, that’s what aliases are for

  117. itwerx Says:

    @Marcel – easy to migrate pfSense VMs “live”, just set up a secondary in parallel on the next VM host and sync them via CARP. Then when you kill the first VM the other will take over automatically/transparently.

    @Chris/Reza – we might have some spare T1 cards

    @Hans – all Linksys devices, (including the low-end Cisco rebranded ones), are prone to overheating and random drop-outs. (Just try a better card! :)

    @Nazir – pfSense is Cisco-compatible in SNMP. Just use a Cisco MIB in your monitoring system and you’ll get more than enough info for typical alerting purposes.

  118. bsdwiz Says:

    One thing that I think is keeping this out of reach for large enterprises is that pfsense does not have a centralized management interface. In an enterprise like the company I work for where we have 80+ firewalls it’s just a management nightmare to touch all firewalls to admin them. So we use checkpoint… Other than that this is (by far in my opinion) the best OpenSource firewall project out there, and what better underlying OS then FreeBSD? Keep up the good work and looking forward to the 2.0 Release.

    Thanks for pfsense!

  119. Capone Says:

    Hey Guys! Amazing product!!

    I would like to add to the wishlist!

    1. Better SATA to CF support. Had loads of trouble with SATA to CF…but fine with IDE to CF. Even with Pfsense 2.0 beta.

    2. Need the embedded version to support standard VGA/keyboard output… like the Hacom Pfsense version.

    Thanks guys! Looking forward to pfsense 2.0!

  120. Chris Buechler Says:

    Capone: for #1 you need to try that with FreeBSD 8.1 and report any problems to the appropriate FreeBSD list, we don’t have any control over that nor do we develop anything related to that.

    bsdwiz: that’s sort of like saying FreeBSD can’t be used in large enterprises because it doesn’t have a centralized management interface. It does, it’s a matter of choosing something and using it. Though there would definitely be some custom programming involved regardless of your choice (but people do have large deployments with custom centralized management). We’ll have some news on that topic in the next year or so.

  121. Evert Westman Says:

    I have set up 4 pfsense system and everything running fine, for two of the system i have prepared indenticaly standby pfsense in case of failure.
    Never used for two year….

    Is it possible in 2.0 to import a local user database with prepared user password.

  122. Peter Wu Says:

    Thanks Chris, a really powerful product that we like. Great job!

    Our Pfsense firwall works very well here. And we do like your integrated Packages, like Squid, too.

    Now we’re wondering whether it’s fine to integrate the WANProxy into Pfsense as a Package? WANProxy runs well on FreeBSD platform so we believe that it should be OK to make smooth integration. It will be very helpful to accelerate certain applications via WAN transmission.
    WANProxy’s URL: http://wanproxy.org/

    Thank you, Chris!

  123. Chris Buechler Says:

    Peter: sure, you can add that as a package.

  124. Peter Wu Says:

    Thank you Chris for the comments!

    But will it be possible to integrate the said WANProxy as a package in 2.0? If so, many people can enjoy this useful function.

    Thank you!

  125. Chris Buechler Says:

    Peter: if you want to create a package, you’re certainly welcome to submit one and we’ll get it committed. If you want us to, if you’re willing to pay for it we can definitely make that happen, just email me (cmb at pfsense dot org) to discuss further. Otherwise, we have no plans of adding that in the near future.

  126. James Reid Says:

    Hi Chris,

    Can we have another status update on how far down the track 2.0 has reached? Is it likely that it will still be released “this year”? Can you give us a little insight into what’s happening other than “lot’s of testing”?

    Is there anything that those of us who are more end users of pfsense can do to help?

    I’m trying to pitch this more in a “please can you help us appreciate what’s happening” context!

    Thanks.
    James.

  127. Chris Buechler Says:

    You can see what’s still remaining at redmine.pfsense.org. We expect RC1 soon.

  128. Michael Says:

    Can we use the Load Balancing / Wan Failover with SQUID? I hope will be possible now.

  129. pong Says:

    same question

    Can we use the Load Balancing / Wan Failover with SQUID? I hope will be possible now.

  130. Chris Buechler Says:

    pong: yes

Please don’t post technical questions or off-topic comments. It is far more likely that your questions and concerns will be addressed effectively through one of our support channels.

Leave a Reply