Main conrainer

2.2 Release Candidate now available!

We are proud to announce pfSense® software version 2.2 Release Candidate is now available! This should be a short release candidate cycle, so we encourage you to try it out ASAP to help us with the final push to release. Jim posted a good overview of the significant changes previously. A more comprehensive list of changes can be found on the 2.2 New Features and Changes page.

In the process of getting to an RC status for 2.2, we’ve closed out 310 total tickets, (this number includes 49 features or tasks), fixed 108 bugs affecting 2.1.5 and prior versions, fixed another 153 bugs which were introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to FreeBSD 10.1, changing IPsec keying daemon from raccoon to StrongSwan, moving the PHP backend from FastCGI to PHP-FPM, updating to PHP 5.5 and changing from dnsmasq to the Unbound DNS Resolver.


New Installs


As always, every previous version can be upgraded directly to 2.2-RC. See the Upgrade Guide for general upgrade guidance applicable to all versions including 2.2-RC.

Feedback, Questions, Need Help?

Report your experiences, or get help with problems on the 2.2 board of the forum.

2.2 release status

We’re getting an increasing number of “When will 2.2-RELEASE happen?” queries.    In an attempt to answer the question for a more general audience, we’ve put together some data.

pfSense® software version 2.2 started with a few seemingly simple goals:

  1. move the base to a very recent version of FreeBSD.
  2. update the IPsec stack to include AES-GCM, and IKEv2.
  3. update PHP to something more recent than what is used in pfSense software version 2.1.

These seemingly simple goals produced a lot of work.  When we re-launched the 2.2 project in October 2013, we estimated that it would take 9-10 months, producing a release in April or May of 2014.   We had no way of knowing that we would end up producing a train of 5 additional releases based on pfSense software version 2.1, starting with 2.1.1 in early April, which was immediately followed by 2.1.2 to fix the “Heartbleed” issue, then 2.1.3, 2.1.4 and 2.1.5 during the following 139 days.  And three weeks after the 2.1.5 release, we finally got pfSense 2.2 into a BETA release.

We are now close enough to a 2.2-RELEASE that we can state with some certainty that FreeBSD 10.1-RELEASE will serve as the base for pfSense 2.2-RELEASE.  In order to transparently support both IKEv1 and IKEv2 we moved from ipsec-tools to strongSwan, taking advantage of its monolithic IKEv1/IKEv2 daemon.  And the PHP backend has been switched from FastCGI to PHP-FPM, while PHP has been updated to version 5.5(.19).

But meeting these three seemingly innocuous goals opened a plethora of issues.   BIND is no longer a part of FreeBSD, so we switched to Unbound.  While the initial work on this was done by a community member, we’ve had to fix a number of real issues with the result since entering BETA.  For the past 60 days it’s been heads down, opening tickets, and getting them resolved by fixing bugs, then re-testing the result.

Open/Closed tickets - last 90 days

Open/Closed tickets – last 90 days

Below you can find a bit more of the internal data that drives the decisions on the release process.   We are now, likely, days away from a “release candidate” for pfSense software version 2.2.  You can help by running a snapshot (several of us have been doing so since the 2.2 BETA), or the RC series and reporting any issues you find.

Past year - total tickets by status

Total Tickets by Status – Past Year.


Past year - open-closed percent tickets by status

Open/Closed tickets, last year


Past 90 days - changes by user

Changes by user – Past 90 days

November Hangout Announcement

Our monthly pfSense hangout has been scheduled! Please make note that because of the Thanksgiving holiday, we will have the event on Tuesday, November 25, 2014 at 1PM CST. Log-in to your portal account on the day of the event for details on how to join us. This month’s topic is: New and Improved Features in pfSense 2.2. Your host will be Jim Pingle

Here is a preview of the hangout:

Happy 10th Birthday to pfSense!

Ten years ago today, the domains were first registered, marking the birth of the project as we know it. We began on a server named “projectx” a few months prior, going public after settling on a name on November 5, 2004. We’ve come incredibly far since then, having grown to one of the most widely used network firewall distributions in the world, with every metric we can count continuing to grow further.

Thanks to everyone who’s made the past decade possible. The best is yet to come!

pfSense October Hangout Announcement

We’re happy to announce the pfSense Gold Hangout for October 2014!

The older ALIX-based appliances (i.e. m1n1wall) are a tremendously popular and successful product. But as one might expect, this product is rapidly approaching its end of life (EOL). It’s successor, the VK-T40E is taking its place as the leader in small, form-factor, low power, entry level pfSense firewall appliances for small business, SOHO, and remote branch office environments.

Our October Hangout will cover the process for upgrading from an older ALIX unit to its successor, the VK-T40E. We will talk about upgrade precautions, how to make the move easier, common pitfalls, and deploying the new device.

When: Friday, October 24, 2014 @ 1PM Central US Time Where: Check your portal account on the day of the event for the link to join us Who: This event will be hosted by Jim Pingle

Mark your calendar and we look forward to seeing you!

In order to join us, you must be a pfSense Gold subscriber.

Subscribe to Gold Here!

Get your VK-T40E here

Here is a preview of the hangout:

faster pf

As I’ve written elsewhere, we are starting to focus on performance in pfSense 2.2 and beyond.  The first project was to implement AES-GCM with AES-NI acceleration (on CPUs that support it) for IPSec.   This project was accomplished in partnership between the FreeBSD Foundation, ESF, and Netgate, and has been stable in pfSense 2.2 snapshots for several weeks.

If your CPU is able to process AES-NI instructions, I encourage you to try it out.

The next investigation, as the title to this post implies, is to improve the speed of pf.   The first thing was to measure the existent performance.  So we (as Netgate) enlisted the help of George Neville-Neil, who wrote a tool called “Conductor“.

One of the first things we noticed was that the Jenkins hash in FreeBSD 10 seems to take a lot of time.  XXHASH is demonstrably faster than Jenkins, and gives a measurable performance gain to pf.

While the patch won’t be available to FreeBSD 10.1 (it’s too late in the process for that), we can make it available in pfSense 2.2, and same will be in the next set of snapshots.  Performance will likely be most measurable above 1Gbps.

Two things:

  • I emphasize that this is an early result.
  •  Please test and let us know.



pfSense and the CVE-2014-6271 (“shellshock”) bash exploit.

tl;dr: If you’re having shell problems I feel bad for you son. I got 99 problems but bash ain’t one.

If you’ve not heard, Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations, this vulnerability is exploitable over the network.

NIST has assigned a CVSS of 10 CVE-2014-6271.  POCs are starting to appear.

So the question becomes, “is pfSense affected?”

The short answer is: Unlikely, though there are three packages which could lead to an exploit. The base system of pfSense does not include bash.  Since bash isn’t on the system, the problem is reduced to packages.

Three packages are affected, and only one is commonly used.  The affected packages are:

  • Anyterm — This package contains bash in its binaries which are in the git repo, not a .pbi or .tgz. This package will simply be retired as it is unmaintained and rarely used.  We will review all packages, and any which contain binaries which we have not built from source will be removed or re-engineered such that we can compile from source.
  • Freeswitch-dev — Runs pkg_add for bash. This package is not actively maintained, and can likely be safely removed from the list of packages with minimal community impact.
  • FreeRADIUS2  — Adds bash via pkg_add using FreeBSD’s 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We’re looking into the best way to fix it.
  • Mailscanner –– Includes bash also, will be fixed shortly.

Given the lack of impact to pfSense software version 2.1.5 or the pfSense 2.2-BETA images, no fix is required, so we don’t plan any release in response to this issue.

UPDATE: Affected packages have been updated or removed. Full details are in the security announcement which was posted this afternoon. -jimp

September 2014 Hangout

The monthly pfSense Hangout is upon us. For September, 2014, the topic will be “Advanced OpenVPN Concepts”. This month’s host will be Jim Pingle. The hangout will happen this Friday, September 26 at 1PM Central US time.

OpenVPN is one of the most frequently used features within pfSense. This month, Jim will dive a little deeper to cover some of the more obscure and complex pieces of this feature.

The pfSense Hangout is an exclusive benefit for our Gold subscribers. Subscribers will find the meeting link after logging in to the members section. If you’re not yet a subscriber, sign up now and you’ll get immediate access. If you can’t make the live event, the video and audio recording and slides are available for members to download within a few hours of the session’s completion.

By subscribing to Gold, you are also helping to keep the project alive! We staff developers, a support team, engineers and other functions on a full time basis so we can keep bringing you a quality product!

Here is a preview of the hangout:

pfSense 2.2 enters BETA!

The 2.2 release has now reached the beta milestone. This means the release is feature complete, a comprehensive list of new features and changes can be found here, and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready though, our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.2 is not yet for you (young padawan).

If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.2 board on the forum. Note that snapshots have the risk of changes being made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of certain changes.

Known Issues

The most current list of known issues marked as “Feedback” are either believed to be resolved but need more testing, or need further details to be able to replicate and resolve – feel free to add comments to any of those tickets if you can test the specific scenario described. Those marked as “New” are outstanding issues. We welcome contributions, if you can provide a fix for any of the open issues. Before opening a new ticket there, please post to the 2.2 board on the forum where we can help quantify the issue. Before reporting problems, ensure you’re on the latest snapshot, it’s very possible the issue you found is already fixed in our git repository. You can see all commits here.

Important upgrade warning

You can upgrade from 2.1.x to 2.2 just as with any other release, BUT, you cannot downgrade from 2.2 to 2.1.x. And after you upgrade, your configuration will be converted to a format that is usable only on 2.2. If you do upgrade, get a backup first so you can reinstall if needed. Several of the features in 2.2 were revamped to the extent that a change in configuration formatting was necessitated.

Proceed with caution! Expect things to be broken, this is not production-ready for most scenarios for non-developers, but development is moving along rapidly, and we would appreciate feedback from those in a position to test things (and potentially break their network).

September’s pfSense Fundamentals and Practical Application Course

Last weekend pfSense University had another successful pfSense Fundamentals and Practical Application Course, co-taught by Co-Founder Chris Buechler and Principal Engineer George Phillips. We had attendees from across the globe and from varying industries attend this two day course which includes a hands on lab. Not only is this a great venue to learn the complexities of pfSense, but it’s an opportunity to meet some of the pfSense team as well as share notes with other talented pfSense users. Look forward to more courses in the future.

Chris and George doing some hands on training.

Note the free coffee.

Chris assisting while George teaches.

George assisting while Chris teaches.