pfSense 2.1-RELEASE now available!

September 15th, 2013 by Chris Buechler

I’m proud to announce the release of pfSense 2.1, and our new Gold Subscription! The 2.1 book and our AutoConfigBackup service, available for years to support subscribers, are immediately available today to Gold subscribers. See this post for details. Onto the release!

This release brings many new features, with the biggest change being IPv6 support in most every portion of the system. There are also a number of bug fixes, and touch ups in general. It’s making its way to the mirrors now, and should be on all of them by end of day Sunday. The complete list of significant changes follows, and can also be found here including more details. If you want to see every single individual change, check out RELENG_2_1 commits in our github here and the 469 completed tickets in our redmine here.

Security Updates

Three FreeBSD security advisories are applicable to prior pfSense releases. These aren’t remotely exploitable in and of themselves, but anyone who can execute arbitrary code on your firewall could use one or more of these to escalate privileges.
FreeBSD-SA-13:13.nullfs
FreeBSD-SA-13:12.ifioctl.asc
FreeBSD-SA-13:09.ip_multicast.asc

IPv6 Support
IPv6 Added to many areas of the GUI. At least the following areas/features are IPv6-enabled. Others may work as well

  • Aliases (Firewall) – Aliases can contain both IPv4 and IPv6, only addresses relevant to a given rule will be used
  • CARP RA
  • CARP Failover
  • DHCP Server w/Prefix Delegation
  • SLAAC WAN
  • 6to4 WAN
  • 6to4 WAN w/Prefix Delegation
  • 6rd WAN
  • 6rd WAN w/Prefix Delegation
  • DHCP6 WAN
  • DHCP6 WAN w/Prefix Delegation
  • DHCPv6 Relay
  • DNS Forwarder
  • Firewall Rules
  • Gateway Groups/Multi-WAN
  • Gateway Status (apinger)
  • GIF Tunnels
  • GRE Tunnels
  • GUI Access
  • IPsec
  • L2TP
  • Network Prefix Translation (NPt)
  • NTP
  • OpenVPN
  • Packet Capture
  • PPPoE WAN
  • Router Advertisements
  • Routing
  • Server LB
  • Static IP
  • Syslog (remote)
  • Limiters (dummynet pipes)
  • Virtual IPs – IP Alias
  • Virtual IPs – CARP
  • DNS from RA
  • Accept RA when forwarding
  • Auth via RADIUS
  • Auth via LDAP
  • XMLRPC Sync
  • RRD Graphs
  • DHCP Static Mapping – Works by DUID
  • DynDNS (HE.net hosted DNS, RFC2136, custom)
  • MAC OUI database lookup support for NDP and DHCPv6. (Was already present for DHCP leases and ARP table) requires the nmap package to be installed to activate

NOTE: Unlike earlier snapshots, BETA, etc, currently we do NOT flip the “Allow IPv6″ checkbox on upgrade, to preserve existing behavior. To activate IPv6 traffic, a user will have to flip this setting manually.

Packages

  • PBI (push button installer) package support – all of a package’s files and dependencies are kept in an isolated location so packages cannot interfere with one another in the way that was possible on 2.0.x and before using tbz packages
  • RIP (routed) moved to a package
  • OLSRD moved to a package
  • Unbound moved back to a package (Will try integration again for 2.2)
  • Increase the verboseness of the package reinstallation process in the system logs for a post-firmware-update package reinstallation operation

OS/Binary/Supporting Program Updates

  • Based on FreeBSD 8.3
  • Updated Atheros drivers
  • OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc
  • PHP to 5.3.x
  • OpenVPN to 2.3.x
  • Added mps kernel module
  • Added ahci kernel module
  • Updated ixgbe driver
  • Many other supporting packages have been updated

Dashboard & General GUI

  • Switch from Prototype to jQuery
  • Improved navigation and service status in the GUI (shortcut icons in each section to quickly access config, logs, status, control services, etc)
  • Multiple language support, a mostly-complete translation for Brazilian Portuguese is included
  • Read-only privilege to create a user that cannot modify config.xml
  • Dashboard update check can be disabled
  • Fixed theme inconsistencies between the login form and other parts of the GUI
  • Various fixes to pages to reduce potential exposure to certain CSRF/XSS vectors
  • Updated CSRF Magic
  • Set CSRF Magic token timeout to be the same as the login expiration
  • Added IE Mobile for WP8 to list of browsers that get an alternate theme at login
  • Truncate service status so long package descriptions cannot break formatting of the status table
  • Many fixes to HTML/XHTML to improve rendering and validation
  • Added a note to the setup wizard letting the user know that it can be canceled at any time by clicking the logo image
  • Make dashboard update check respect nanobsd-vga
  • Firewall Logs Widget filtering and column changes
  • Added totals for some dashboard widget meters (memory, swap, disk usage)
  • Changed dashboard display for states and mbufs to be meters, and to show usage as a percentage
  • Update dashboard mbuf count via AJAX
  • Show a count and layout of CPUs in the dashboard if multiple CPUs are detected

Captive Portal

  • Multi instance Captive Portal
  • Multiple Captive Portal RADIUS authentication sources (e.g. one for users, one for cards)
  • Logic fixes for voucher encryption
  • Many optimizations to Captive Portal processing, including a database backend and moving functions to a php module to improve speed
  • Optional Captive Portal user privilege
  • Add checks to make sure CP hard timeout is less than or equal DHCP server default lease time, to avoid issues with CP sessions being valid for incorrect IPs, and users switching IPs while they should still be connected to the portal
  • Fixes for captive portal voucher syncing on HTTPS with a custom port
  • Fixes for custom Captive Portal files leaving symlinks on the filesystem after files were removed
  • Added MAC OUI database lookup support to CP status (requires nmap package to be installed)

OS/System Management

  • Ability to select serial port speed
  • Added a manual way to enable TRIM if someone needs it
  • Added a manual way to trigger a fsck on reboot
  • AES-NI support (Cryptographic Accelerator feature on new Intel/AMD CPUs) — Still experimental, not supported by some areas of the OS yet.
  • Support for certain thermal sensors via ACPI, coretemp, and amdtemp
  • System startup beep can be disabled
  • Separate powerd setting for when on battery
  • Add optional ability to change the size of RAM disks for /var/ and /tmp/ for systems that have RAM to spare
  • Add optional ability for full installs to use RAM disks for /var/ and /tmp/ as is done on NanoBSD. Reduces overall writes to the media, should be more SSD-friendly
  • Use a custom sysDescr for snmp similar to m0n0wall’s format.
  • Added tunable to allow disabling net.inet.udp.checksum – disabling UDP checksums can improve performance, but can also have negative side effects
  • Added an mtree database with the correct default permissions, owner, sha256 sum, and some other information that is used to verify file permissions post-install and post-upgrade
  • APC is not started for PHP unless the system has over 512MB RAM, to reduce memory usage on systems with low RAM

Multi-WAN

  • DynDNS multi-WAN failover
  • IPsec multi-WAN failover
  • OpenVPN multi-WAN failover
  • Changed descriptions of the values for gateway monitoring
  • Display apinger (gateway monitoring daemon) as a service when it is enabled
  • Fixes for apinger to reload via SIGHUP properly, to avoid unnecessary restarts and loss of gateway status data
  • “State Killing on Gateway Failure” now kills ALL states when a gateway has been detected as down, not just states on the failing WAN. This is done because otherwise the LAN-side states were not killed before, and thus some connections would be in limbo, especially SIP.
  • Due to the change in its behavior, “State Killing on Gateway Failure” is now disabled by default in new configurations and is disabled during upgrade. If you want the feature, you’ll have to manually re-enable it post-upgrade.

NTP

  • NTP daemon now has GPS support

IPsec

  • More IPsec hash algorithms and DH key groups added, “base” negotiation mode added
  • Mobile IPsec supports separate “split DNS” field and doesn’t just assume the default domain for split DNS domains
  • Properly ignore disabled IPsec phase 2 entries
  • NAT before IPsec (1:1 or many:1) outbound
  • Set default Proposal Check setting to Obey for mobile IPsec
  • LDAP and RADIUS are now possible authentication sources for IPsec mobile xauth
  • Delete the SPDs for an old IPsec entry when it is disabled or removed
  • Manage active SPDs on CARP secondary during sync
  • Add an option to force IPsec to reload on failover, which is needed in some cases for IPsec to fail from one interface to another.

OpenVPN

  • OpenVPN can accept attributes from RADIUS via avpairs for things like inacl, outacl, dns-server, routes
  • OpenVPN checkbox for “topology subnet” to use one IP per client in tun mode
  • OpenVPN local/remote network boxes can accept multiple comma-separated networks
  • OpenVPN status for SSL/TLS server instances can now display the routing table for the VPN instance
  • OpenVPN now allows selecting “localhost” as the interface
  • Gateways are created for assigned OpenVPN server instances as well as clients
  • OpenVPN instances can run on the same port on different interfaces
  • OpenVPN status page now has service controls to show the status of the daemon running each instance, and allow for stop/start/restart from that page
  • Changed wording of the error displayed when a daemon is not running or the management interface of OpenVPN cannot be reached for an instance
  • OpenVPN client-specific Override cleanup fixes
  • Fixed double-click to edit of OpenVPN Client-Specific Overrides

NAT/Firewall Rules/Alias

  • Aliases separated into tabs for Hosts, Ports, and URLs to improve manageability
  • NAT reflection options re-worded to be less confusing
  • Adjustable source tracking timeout for Sticky connections
  • Firewall rules now support matching on ECE and CWR TCP flags
  • Filtering on ECE and CWR TCP flags is now possible
  • Added ICMP to protocol list when creating rdr (port forward) rules
  • Keep proper positioning of duplicated outbound NAT rules
  • When using the + at the top of Outbound NAT rules, add the rule to the top of the list and not the bottom
  • Fix ordering of interface group rules in the ruleset
  • Track time and user@host which created or updated a firewall, NAT port forward, or outbound NAT rule. If timestamp records are present, display them at the bottom of the rule page when editing. Have the created time/user pre-filled for automated rules such as NAT port forward associated rules and the switch from automatic to manual outbound NAT
  • Fix generation of manual outbound NAT rules so that localhost and VPN rules are not unnecessarily duplicated
  • Prevent using “block” for an alias name, as it is a pf reserved keyword
  • Allow TCP flags to be used on block or reject rules, since they are also valid there
  • Updates/fixes to DSCP handling
  • Allow advanced options state-related parameters to be used for TCP, UDP and ICMP — Formerly only allowed on TCP
  • Respect ports found in rules when policy route negation rules are made
  • Do not include disabled OpenVPN networks in generated policy route negation rules

Certificates

  • Improved denoting of certificate purposes in the certificate list
  • Imported CRLs can be edited and replaced
  • Can set digest algorithm for CA/Certs (sha1, sha256, etc)
  • Default digest algorithm is now SHA256
  • Show CA and certificate start and end dates in the their listings
  • Correct tooltip description when adding a certificate
  • Relax input validation on a CA/Cert description since it is only used cosmetically in pfSense and not in the actual CA/cert subject
  • Allow removing blank/empty CA and Cert entries

Logging

  • More system log separation, Gateways, Routing, Resolver split into their own tabs
  • Firewall logs can now be filtered by many different criteria
  • Firewall logs can be sorted by any column
  • Firewall logs can optionally show the matching rule description in a separate column or in between rows
  • Firewall logs now show an indicator icon if the direction of a log entry is OUT rather than IN
  • Add popup DNS resolution method to firewall log view
  • Reduced logging output from IGMP proxy
  • Reduced logging output from DynDNS
  • Relocated filterdns logs to the resolver log file/tab
  • Relocated DHCP client logs to the DHCP tab
  • Fix system script logging so the correct script filename is printed in the log, rather than omitting the script name entirely
  • Add independent logging choices to disable logging of bogon network rules and private network rules. Add upgrade code to obey the existing behavior for users (if default block logging was disabled, so is bogon/private rule blocking)
  • Add a checkbox to disable the lighttpd log for people who don’t want their system log full of messages from lighttpd in some cases where they are filling the log unnecessarily

Notifications

  • Add the ability to disable Growl or SMTP notifications but keep their settings intact, so the mail settings can be used for other purposes (packages, etc)
  • Add a test button to selectively test Growl or SMTP notifications without re-saving settings
  • Do not automatically generate a test notification on saving notification settings, as there are now individual test buttons

High Availability (CARP, pfsync, XML-RPC)

  • High Availability Synchronization options (Formerly known as “CARP Settings” under Virtual IPs Promoted to its own menu entry, System > High Avail. Sync
    • This is to make it easier to find, as well as make its purpose more clear. “CARP” is a part of High Availability, as is XMLRPC/pfsync state synchronization, but it’s a bit of a misnomer to refer to the sync settings as CARP
  • Ensure that the user does not remove only the last IP alias needed for a CARP VIP in an additional subnet
  • Disable pfsync interface when state synchronization is not in use
  • Fixed issues with DHCP server config synchronization ordering on secondary nodes
  • Restart OpenVPN servers when CARP transitions to master (clients were already restarted), otherwise if CARP was disabled, the servers would never recover
  • Removed the automatic pfsync rule, since the documentation always recommends adding it manually, and to add it behind the scenes with no way to block it can be counter-productive (and potentially insecure). If you did not follow the documentation and add your own pfsync or allow all rule on the sync interface, your state synchronization may break after this upgrade. Add an appropriate rule to the sync interface and it will work again.
  • Allow XMLRPC to sync IP Alias VIPs set to Localhost for their interface
  • In DHCP leases view, use the internal interface name (lan/opt1/etc) for the failover pool name, rather than a number. In certain cases the number can get out of sync between the two nodes, but the interface names will always match
  • Print the user-configured interface description next to the DHCP failover pool name, rather than only the internal name (lan/opt1/etc)
  • Add option to synchronize authentication servers (RADIUS, LDAP) via XMLRPC

NanoBSD

  • Fixes for conf_mount_ro/conf_mount_rw reference checking/locking
  • Diag > NanoBSD now has button to switch media between read/write and read-only
  • Diag > NanoBSD now has a checkbox option to keep the media read/write
  • Fixed an issue with NanoBSD time zones not being properly respected by all processes the first reboot after a firmware upgrade

DHCP Server

  • DHCP can support multiple pools inside a single subnet, with distinct options per pool
  • DHCP can allow/deny access to a DHCP pool by partial (or full) MAC address
  • DHCP static mappings can have custom settings for gateway, DNS, etc
  • DHCP static mappings can optionally have a static ARP entry created
  • Fix Dynamic DNS updates from DHCP (ISC changed the config layout and requires zone declarations)
  • When crafting DHCP Dynamic DNS zones, do not use invalid DNS servers for the IP type (e.g. skip IPv6 DNS servers, because the DHCP daemon rejects them)
  • Added a config backup section choice for DHCPv6

Traffic Shaper

  • Schedules can now be used with limiters
  • Traffic shaper queues view updated
  • CoDel AQM Shaper Discipline
  • Allow PRIQ queues to be deleted.
  • Limiters now allow the user to set the mask they want to use, rather than assuming masking will always be per-IP. This allows per-subnet limits and similar
  • Limiters now allow setting masking for IPv6
  • Limiters now allow setting a burst size. This will pass X amount of data (TOTAL, NOT a rate) after an idle period before enforcing the limit

DNS Forwarder

  • In DNS forwarder, DNS query forwarding section with options for sequential and require domain
  • Allow a null forwarding server in DNS Forwarder domain overrides to ensure that queries stay local and never go outside the firewall
  • Add DNS Forwarder option to not forward private reverse lookups
  • DNS Forwarder domain overrides can now specify a source address for the query, to help resolve hostnames over VPN tunnels
  • DNS Forwarder now can change the port upon which it listens, for better cohabitation with other DNS software such as tinydns or unbound, if both are needed
  • DNS Forwarder now has an option to select the interfaces/IP Addresses upon which it will respond to queries
  • DNS Forwarder can now be set to only bind to specific IPv4 IPs (the underlying software, dnsmasq, does not support selectively binding to IPv6 IPs)
  • Improved handling of some dnsmasq custom config options

User Manager

  • Configurable RADIUS authentication timeout in User Manager
  • Print the error message from LDAP in the log for a bind failure. Helps track down reasons for authentication failures
  • Re-enable admin user if it’s disabled when ‘Reset webConfigurator password’ option is used.
  • Restrict maximum group name length to 16 characters or less (OS restriction)
  • Added option to UTF-8 encode LDAP parameters to improve handling of international characters
  • CDATA protected LDAP fields in config to avoid invalid XML with international characters

DynDNS

  • Fixed handling of DynDNS 25-day update and add ability to configure update interval
  • Added DynDNS No-IP Free Account Support
  • Add AAAA support to RFC2136 updates
  • Add cached IP support to RFC2136, add GUI button to force update for single host
  • Fix double click row to edit for RFC2136
  • Add option to RFC2136 to find/use the public IP if the interface IP is private. (Off by default to preserve existing behavior on upgrade)
  • Add server IP column and cached IP display to RFC2136 host list
  • Include RFC2136 hosts in DNS rebinding checks
  • Include both dyndns and RFC2136 hosts in referer check

Graphs

  • Add ability to reverse-resolve IPs on Status > Traffic Graph in the rate table
  • Add ability to filter local or remote IPs on Status > Traffic Graph in the rate table
  • Change maximum values for RRD throughput to account for 10G links. Previous maximums would have caused blank spots on the graph during periods of high throughput
  • Fixes to RRD data resolution/retention
  • Added RRD Graph for mbuf clusters
  • Changed default RRD graph colors to be more visually distinct to help avoid ambiguity between multiple values on the same graph

Misc

  • Add option to the packet capture page to control whether or not promiscuous mode is used on the NIC. Rarely, NICs can have issues with promiscuous mode
  • Make parent interface and all VLANs share MTU
  • Fix cellular signal strength indicator
  • Fix PPP config cleanup when removing an interface
  • Disallow adding IP Alias or CARP VIP that would be the network or broadcast address of a subnet
  • Diagnostics > Sockets page to show open network sockets on the firewall
  • Diagnostics > Test Port page to perform a simple TCP connection test to see if a port is open
  • The pftop page has additional options to display more detailed information and sort it
  • Fixed conflict between static IP and static route in the same subnet
  • Do not apply static ARP entries to disabled interfaces
  • Do not allow bridge members to be assigned to itself
  • Changed Diag > Ping to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces, IPv6 Link-Local IPs)
  • Changed Diag > Traceroute to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces, IPv6 Link-Local IPs)
  • Changed shell prompt to not force background color, to be kinder to those not using black as a background in their terminal
  • Add a field to allow rejecting DHCP leases from a specific upstream DHCP server.
  • Updated the help system to handle some recent added files for 2.x and clean out some old/obsolete files
  • Allow selecting “Localhost” as an interface for IP Alias VIPs – this way you can make IP Alias VIPs for binding firewall services (e.g. Proxy, VPN, etc) in routed subnets without burning IPs for CARP unnecessarily
  • Updated list of mobile service providers
  • Fix max length for WPA passphrase. A 64-char passphrase would be rejected by hostapd and leave an AP in an open state
  • Added MSS clamping to the setup wizard
  • Add a setting to configure the filterdns hostname resolution interval (defaults to 300s, 5 minutes)
  • Omit IP mismatch warnings (e.g. behind a port forward, VPN IP, etc) if HTTP_REFERER protection is disabled
  • Fixes for selecting/detecting PPP devices such as 3G/4G modems
  • Rather than doing auto-detection to find serial PPP devices, use a glob when listing potential PPP serial devices
  • Prevent sshlockout from a crash/coredump if a format string like %s is present in the buffer
  • Fix SMART to see adaX devices
  • Fix SMART interpretation of output from SCSI devices
  • Fixed display of user SSH keys when present
  • Updated p0f database from FreeBSD
  • Fix UPnP Interface name selection to show the configured description entered by the user
  • Allow setting the external UPnP interface (must be default route WAN)
  • Fix Diag > Tables AJAX fadeOut after deletion for rows with CIDR mask format
  • Improve Diagnostics > Routes to fetch output via AJAX and have configurable filtering and sizes. Improves handling of large routing tables, such as a full BGP feed
  • When deleting or renaming a virtual server from the Load Balancer (relayd) manually clean up the NAT rules it leaves behind to avoid conflicts
  • Many, many bug fixes
  • Various fixes for typos, formatting, input validation, etc

SH/PHP Shell Scripts

  • Git package for gitsync is now pulled in as a pfSense-style PBI package
  • Added playback shell scripts added to enable/disable CARP
  • Added playback shell scripts to add and remove packages from the command line
  • Added playback shell script to remove shaper settings
  • Added playback shell script to control services from the command line
  • Add a simple CLI mail script capable of sending an SMTP message using echo/piped input. (Uses SMTP notification settings for server details)
  • Added a script to convert a user’s filesystem from device names to UFS labels, for easier portability in case the disk device changes names (e.g. adX to adY, adX to daY, or adX to adaX). ONLY FOR FULL INSTALLS. NanoBSD already uses labels

Download

Files for new installs and updates can be found on the mirrors.

New installs

Updates

 

Upgrade Information

As always, upgrade information can be found in the Upgrade Guide.

 

112 Responses to “pfSense 2.1-RELEASE now available!”

  1. NimaMHD Says:

    Really good news, This is huge changes. Well Done Team.

  2. Franco Fichtner Says:

    Congratulations, great work! :)

  3. pfSense 2.1 in den nächsten 48 Stunden zu erwarten | Got tty? Says:

    […] Chris Buechler 11:07 Uhr auf Google+ 2.1-RELEASE Gold […]

  4. doktornotor Says:

    Congrats on this cool release!

  5. Szop Says:

    Well done guys, those are good news! Keep going :)

  6. Humphrey Says:

    Thanks for all the hard work. Really appreciate pfsense. Very Robust.

  7. josh4trunks Says:

    I get “The image file is corrupt.” when trying to update my pfsense box

  8. Dennis Says:

    Nice, will try when I get home.

  9. darxmurf Says:

    Thanks folks for this update !
    Good job !

  10. Montanini Says:

    Very very Nice !!!! Tks !

  11. NL Says:

    Thx for the work!!!
    We love the pfSense team!

  12. dbots Says:

    Great work guys !
    Thank you.

  13. Troels Just Says:

    Fantastic timing, guys! I was planning to buy a Soekris net6501 in a month or two, 2.1 could not have come at a better time! ;)

  14. vince Says:

    Good job, thanks for this great upgrade.

  15. Stephan Wagner Says:

    I appreciate most the IPv6 integration. But also many other improvements make it the greatest and most usable psSense release ever.

    Great work, Stephan

  16. bigforo Says:

    Thanks… Great news!

  17. Sun Says:

    Nice work!

  18. Liceo Says:

    Well done, guys! When there is an official Hyper-V build available?

  19. Ümit Özyürek Says:

    Good job all, i will update and try pfsense 2.1 soon. I am really excited!

  20. Julian Says:

    Great!

  21. Mario K. Says:

    Thanks for this great update! :)

  22. Juve Says:

    Just awesome work !
    Thank you guys.

  23. samhamm Says:

    Congratulations Chris and team, and thank you for the great product.

  24. Luiz Gustavo Costa Says:

    Very good notice !!!

    Gold Team ! nice work !

    Thanks

  25. LilTimmy Says:

    Dang. That’s quite the upgrade list. I’ll definitely be purchasing gold too. Thanks guys

  26. Graham Says:

    That’s an impressive list of updates! Thanks so much to all who contributed. I can’t wait to try this release!

  27. Silverio Chiaradia Says:

    Huge & nice work.

    Thanks.

  28. acald Says:

    My, you guys have been busy. Awesome!

  29. dpoganski Says:

    Many thanks to all that put this all together!

  30. M. Says:

    Awesome….

  31. Moto Says:

    Great Job Guys .. This is a first class product.

  32. Dan Lundqvist Says:

    Have followed and somewhat contributed (with bug and bug correction
    testing) in the 2.1 beta track and have now upgraded to the final.
    Just waiting for the updated book to be available and will make an order
    there as well. Thanks for an amazing product.

    Thinking of going Gold even if it is a bit steep cost for me as private user, but I would like to support good software.

    Thanks Chris and all others who make this software what it is.

    Best regards
    Dan Lundqvist
    Stockholm, Sweden

  33. Daryn Says:

    Awesome Job. Thanks for all the hard work!!!

  34. Sam Kear Says:

    Very excited to see PBI support for packages!

  35. caapsoft Says:

    GREAT NEWS!

  36. Brian Says:

    Looking really nice so far on my home install. Fairly smooth upgrade (except for the package reinstallation; it didn’t do anything and I had to manually reinstall all 2 of them).

    I plan on upgrading our cluster at work (still in development) tomorrow.

  37. Mat Says:

    So happy that I can now update that -BETA/-RC to -RELEASE.
    Thank you guys!

    Oh, and in terms of drivers: pfSense also ships with updated mfi(4) for all those people who have LSI RAID controllers, not only mps (HBA) :-)

  38. Lyndon Says:

    WOW ! – my first ever install of PFSense
    From a shorewall / ubuntu back ground
    This looks great so far
    IPTABLES moving to PF
    If all good we will be donating $ and signing up for GOLD subscrition – we believe in supporting the great work of others when they provide it for free

  39. Thomas Says:

    Good News and great work. I hope Pfsense will have soon also NIC Support for Realtek 8111G.

  40. freebee Says:

    Outstanding work!. This was a long road and now reach the excellence. Congrats.

  41. Sha'ul Says:

    Will the book for 2.1 be released publicly or will it only be available to subscribers?

  42. Teg Bains Says:

    This is excellent news. Thanks for all the great work!

  43. Rafael Says:

    Installed and working well. We’ve been looking forward to this release for a long time. Thank you.

  44. Sherif Abozekry Says:

    very nice

    UPDATING NOW FROM v 2.1 RC1

  45. Abid Says:

    Cant wait to try the new release! I hope dhcp management gets easier in 2.1

    Thanks for the hard work!

  46. storkus Says:

    Thank you again, Chris and the rest of the team, for this WONDERFUL software!

  47. RB Says:

    This is really good news !! I cant wait to upgrade.

    I have 2.0.3 running on a Routermaxx 8 Port Gigabit Core i7 Router with a 500G hard drive serving over 2000 clients on a wireless network. It works like a dream, we also have, DHCP, Squid and Squid guard running at the same time.

  48. Anton Says:

    Awesome release. Pfsense is the best pc based router ever. Flexibility and functions implemented better then in commercial products. Thank you!

  49. Bob Says:

    Great job….upgrade went smoothly (from 2.0.3)
    Looking forward to reviewing changes…

  50. Christian M. Grube Says:

    Great News and thanks for the work.
    Well done

  51. [FreeBSD] PfSense 2.1-RELEASE now available Says:

    […] / Blog / Website This release brings many new features, with the biggest change being IPv6 support in […]

  52. itd Says:

    Great! That’s good news! We’ve impatiently been waiting for the final release, although we’ve successfully been running our fw’s on the 2.1 beta and rc releases for quite some time. Somehow it simply feels better with a final release (psychology ;-).

    Thanks!

  53. targat Says:

    good news

  54. Ekalil Says:

    Good News! Congratulations to all team and I am look forward to for the update.

  55. Bryan Manske Says:

    Astounding! Excellent work, gentlemen! Thank you!

  56. gabrielsoltz Says:

    excelent! thank you very much!

    right now testing it.

  57. pfSense 2.1 RELEASE Lançado Oficialmente | pfSense-BR Says:

    […] o pfSense 2.1versão final foi lançado oficialmente neste último final de semana. Dentre as muitas novidades desta versão, podemos […]

  58. QuebecOS » pfSense 2.1 Says:

    […] team de pfSense annonce la sortie de pfSense en version 2.1 en même temps que la possibilité d’acheter la version […]

  59. Chris Buechler Says:

    josh and anyone else seeing “The image file is corrupt.” – that’s what happens if you’re still pointing towards the snapshot server for updates. If you’ve been tracking 2.1 snapshots via auto-update, you’ll need to go to System>Firmware, Settings tab, and pick the appropriate stable release from the drop down there.

  60. Oscar Says:

    WARNING!!! after upgrade from 2.0.3 to 2.1 ssh password is not the same of webconfigurator!

    ssh password is the default (pfsense)

  61. Fernando Says:

    Why you guys deleted my post?

    I keep saying 39764daae4fdff920e8ac567b9015bfb (from http://updates.pfsense.org/_updaters/latest.tgz) is:

    2.1-BETA1 (i386)
    built on Wed Sep 11 18:16:50 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Yes, BETA. It should be “RELEASE”.

  62. dagoberto Says:

    Excellent job guys.

  63. Corey Says:

    I love it, I love it, I love it.

    Kiss this Cisco!

    Thanks for your work guys!

  64. adhi Says:

    thanks

  65. Chris Buechler Says:

    Fernando: We didn’t delete your post, I don’t see any previous posts from you. That URL does not have 2.1-BETA1. Open up that tgz and check /etc/version, it’s 2.1-RELEASE. What I’m guessing happened there is you have gitsync after upgrade enabled, and you haven’t fixed your gitsync for RELENG_2_1, so it applied what it had cached from git. Turn off the gitsync after upgrade and upgrade again. System>Firmware, Settings tab. If that’s not the case, post to the forum or mailing list for help.

  66. Chris Buechler Says:

    Oscar: that’s not true. The password for SSH always matches the web user’s password. Post specifics to the forum or mailing list and maybe it’ll be apparent why that happened to you.

  67. Nohan Says:

    Great news!! I was waiting this release, congratulations guys!!
    “Good Job!” – Hancock =)

  68. Обзор pfSense 2.1 | Rezor666 Says:

    […] Теперь перейдем к pfSense. Новая версия pfSense получила большую часть нововведений и исправления багов, ознакомиться с перечнем изменений можно на сайте Pfsense. […]

  69. jose ycogo Says:

    just upgraded from 2.0.3 to 2.1!!! excellent job guys! really love the interface and its new functions.

  70. sujyo1 Says:

    This is excellent news…Good work guys…keep going… Thanks for all the great work!…

  71. pfSense 2.1 | Blog do Brandi Says:

    […] No ultimo dia 15 foi lançado oficialmente a versão 2.1 do pfSense, a qual traz uma série de melhorias e novidades, vale a pena conferir a lista das novidades! […]

  72. Srinivas Goli Says:

    Good News! Congratulations to all team and I will update my pfsense tommorow and ThanK you people again.

    Goli Srinivas

  73. Nels Says:

    Nice release! Upgrade went well, no issues experienced after a thorough testing.

  74. Jonathan DeWitt Says:

    Updated from 2.0.3 to 2.1-RELEASE and now traffic will not move between subnets which are on separate interfaces (VLANS). Even when turning PF off completely, I get nothing. Others may want to be prepared for some difficulty when upgrading. I will be re-building the box, as I cannot figure out the problem.

    Love pFsense, keep up the good work.

  75. Nitesh Says:

    Thanks for the GR8 work

  76. srk3461 Says:

    Congratulations team, and thank you for the great product.

  77. Amirkabir Says:

    Thank you very much!

  78. Gentlemen, Start Your NGINX | TechSNAP 128 | Jupiter Broadcasting Says:

    […] pfSense 2.1-RELEASE now available! […]

  79. Ryan B Says:

    Any chance to change Temperatures to Fahrenheit?

  80. pfSense kini dengan versi 2.1 | Sumber Terbuka Dot NetSumber Terbuka Dot Net Says:

    […] http://blog.pfsense.org/?p=712 […]

  81. MX with TTX | BSD Now 3 | Jupiter Broadcasting Says:

    […] pfSense 2.1-RELEASE is out […]

  82. pfSense Makes Sense | LAS s28e09 | Jupiter Broadcasting Says:

    […] pfSense 2.1-RELEASE now available! […]

  83. nsfw Says:

    Two hours in and the message:
    Packages are currently being reinstalled in the background.
    doesn’t seem to go away with the spinning hard drive.

  84. Jared Dillard Says:

    nsfw, I would recommend looking for a solution over at forum.pfsense.org

  85. Rob Says:

    Very nice! Keep up the good work guys!

  86. ArcticLab.org Says:

    Out of our test networks that run pfSense, systems have been upgraded from 2.0.3 to 2.1. We will soon update production segments. The upgrade went smoothly on our Soekris 5501s and our custom built servers with Dual Xeon Quads with Intel Server NICs. All our pfSense based systems use the NanoBSD “embedded” images and boot from CF.

    Thanks to all for everyone’s contributions.

    Best wishes to the project.

    P.S. The “Gold Subscription” offers a way to include more clients / customers over the previous support tiers.

  87. Steve-o Says:

    Thanks, although I’m not understanding why IPv4+IPv6 joint filtering is limited to UDP, TCP, and ICMP when one has to now copy & paste existing rules and have one set for IPv4 and another for IPv6.

  88. Chris Buechler Says:

    Steve-o: we allow there what the underlying software allows. I’d like to abstract that from the user in a future version so most any firewall rule can be v4+v6.

  89. pfSense 2.1 Released - pfSense Setup HQ Says:

    […] are many other new features, but you can read about all of them at the pfSense Digest blog. You can download the pfSense 2.1 at qubenet’s pfSense […]

  90. jerusalem181 Says:

    well done ,people we have support them (team) with alot of things.
    thanks alot

  91. #DJERFY.com – pfSense 2.1 Says:

    […] découvrir l’ensemble de ces nouveautés, c’est par ici […]

  92. pfSense 2.1, pfSense Gold Subscription and ESF | FreeBSD News Says:

    […] Buechler has announced pfSense 2.1, a free, powerful, open source firewall and security […]

  93. Mark Ehle Says:

    FYI – when I upgraded from 2.0.3 to 2.1, the IP address of your PXE boot next server gets dropped and nothing will PXE-boot until you put in an IP address in. This happened on both the firewalls that I boot things over the wire.

    Not a big problem, but if you use this DHCP feature, be aware that this upgrade is not 100% seamless.

  94. Harshal Says:

    Great Work buddy…………..

  95. Tips und Tricks zur Pfsense | Mein PC spinnt! Says:

    […] eine neue Pfsense Version raus ist, habe ich mich mal dran gesetzt und ein paar nützliche Sachen zusammen […]

  96. Worried User Says:

    Hi guys,

    I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so.

    Thank you
    Worried User

  97. Yavuz Says:

    pfsense 2.1

    radius2 package in traffic and bandwith section “Amount of Download and Upload Traffic” in bug not working.

    tested captive portal and freeradius2

  98. Chris Buechler Says:

    Worried User: and anyone else concerned about such things: No, we have not been approached by anyone to backdoor or otherwise compromise security of the project. See the list thread for more discussion. http://lists.pfsense.org/pipermail/list/2013-October/004763.html

  99. Chris Buechler Says:

    Yavuz: and any others, please report problems on the forum or mailing list where they can be followed up on and far more people see them. In general, RADIUS and CP with accounting work fine.

  100. Rick Moseley Says:

    My pfSense 2.0.3 box was running so well I just couldn’t bring myself to build another when I free’d up newer/better 64 bit hardware. I held it for a few months until the 2.1 Release version was out. New 64 bit box with 2.1 up and cooking well for a week now. One minor hiccup with pfBlocker but othewise a smooth transition. My thanks and congrats to the BSD Perimeter team!! When will the new book be on Amazon?

    Rick

  101. pfSense 2.1-RELEASE: Ya esta disponible | Gustavo Pimentel's GNU/Linux Blog Says:

    […] Buechler, en nombre del equipo de desarrollo de pfSense ha anunciado la liberación de pfSense 2.1-RELEASE así como la nueva Gold Subscription, el libro para la versión 2.1 y un servicio denominado […]

  102. Gheorghe Iftimi Says:

    A great team and a great job. They have made my life easier! Thanks for everything!

  103. Juri Says:

    Great work for the MASSIVE feature and upgrades list!!!
    +1 for an appliance for Hyper-V ;-)

  104. Syed Says:

    Great piece of work. Eagerly waiting for this realease!!!!!!!!!!!!!!!!

  105. amit Says:

    Hi ,

    i was wondering if Pfsense could be deployed on a cheap old system to make a poor mans AirPort Extreme (apple’s router+ usb drive share + printer share) ?? AirPort Extreme besides being a router can turn any external USB hard drive into a secure drive you can share across your Wi-Fi network. plus it can even connect a printer and share it wirelessly .(see attachment)

    I dont want to use pfsense as a firewall at all. basically as secure or unsecure as Apple Express .

    thanks

    amit

  106. jpace31 Says:

    Does anyone know if pfsense must to DHCP for UPNP to work?

  107. Khubaib Says:

    hi,
    upgrading of captiveportal is good

  108. Mr.wangmenglin Says:

    thanks,Very nice!

  109. Php Uzmanı Says:

    Good News! Congratulations to all team and I will update my pfsense tommorow and ThanK you people again.

  110. Helpdesk_Genesis Says:

    Awesome work and keep it up!…

    PFSense taken to new and better heights…

  111. JustACasual Says:

    Is it possible to put the date at the top of the articles? I had to scroll down pretty far to find the ” This entry was posted by Chris Buechler on Sunday, September 15th, 2013 at…”

    Thank you.

  112. Jared Dillard Says:

    I added the date under the header.

Please don’t post technical questions or off-topic comments. It is far more likely that your questions and concerns will be addressed effectively through one of our support channels.

Leave a Reply