Main conrainer

pfSense 2.2-RELEASE Now Available!

I’m happy to announce the release of pfSense® software version 2.2! This release brings improvements in performance and hardware support from the FreeBSD 10.1 base, as well as enhancements we’ve added such as AES-GCM with AES-NI acceleration, among a number of other new features and bug fixes. Jim Thompson posted an overview of the significant changes previously.

In the process of reaching release, we’ve closed out 392 total tickets (this number includes 55 features or tasks), fixed 135 bugs affecting 2.1.5 and prior versions, fixed another 202 bugs introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to 10.1, changing IPsec keying daemons from racoon to strongSwan, upgrading the PHP backend to version 5.5 and switching it from FastCGI to PHP-FPM, and adding the Unbound DNS Resolver, and many smaller changes.

Read the rest of this entry »

pfSense University On-line Now Accepting Registrations

After months of preparation and high customer demand for official pfSense training on-line, Netgate, the home of the pfSense project, is very excited to announce that we are now accepting registrations for our first on-line classes to he held in February and March, 2015. pfSense University is the ONLY place in the world to get your OFFICIAL pfSense training.

We are currently offering TWO separate classes

  • pfSense Fundamentals and Practical Application
  • pfSense Advanced Application

Each class is approximately 8 hours in length and will cover common usage scenarios, deployment considerations, step by step configuration guidance, and best practices. Both courses will enhance your skills and abilities to install, configure and support pfSense in your environment. There will be hands-on, instructor-led labs throughout the course!

Important items to note: (please read carefully)

Due to the way the curriculum and lab environment flows from the Fundamentals course to the Advanced course, the Advanced course is not being offered as a stand-alone class at this time. The Advanced class is OPTIONAL, and we encourage you to take it to enhance your skills even more. However, if you wish to take the Advanced class, you must sign up for the Fundamentals class that is scheduled for the previous Friday. The Advanced class will be offered as a stand-alone at some point in the future.

For example:

  • If you wish to take the ADVANCED class on Monday, February 9, you MUST have already signed up for the FUNDAMENTALS class on Friday, February 6.
  • If you wish to take the ADVANCED class on Monday, February 23, you MUST have already signed up for the FUNDAMENTALS class on Friday, February 20.
  • If you wish to take the ADVANCED class on Monday, March 30, you MUST have already signed up for the FUNDAMENTALS class on Friday, March 27.

If classes fill up quickly, more will be added. If the class you wanted is no longer available, keep checking the web site!

Class size is limited to 10 people. The introductory price for the Fundamentals class is $599. The introductory price for the Advanced class is $499

Introductory Discount!

Apply the corresponding code to the Fundamentals class you are signing up for to take advantage of a $100 discount. This makes your cost for the Fundamentals class only $499!

  • pfSense Fundamentals and Practical Application (February 6, 2015) $100 Discount: EBB1E63F81
  • pfSense Fundamentals and Practical Application (February 13, 2015) $100 Discount: 187585D919
  • pfSense Fundamentals and Practical Application (February 20, 2015) $100 Discount: BD9EFDEEEE
  • pfSense Fundamentals and Practical Application (February 27, 2015) $100 Discount: 6F84AC8926
  • pfSense Fundamentals and Practical Application (March 13, 2015) $100 Discount: 30A289C4C0
  • pfSense Fundamentals and Practical Application (March 27, 2015) $100 Discount: 7AC9652AA3

If the discount code for the class you select does not work, that indicates it is full. We will change the status on the web page as soon as we can to indicate that.

Students who register for classes will receive an e-mail on or around February 1 with instructions on how to connect to the virtual classroom!

All students who complete a course will receive a certificate of completion from pfSense.


Please send any questions to

NTP Project security vulnerabilities

Today the Network Time Foundation announced 6 security vulnerabilities in the reference NTP implementation, which serves as the NTP client and server in pfSense software. These are largely not applicable here, however we’re still investigating potential impact.

  1. Weak default key in config_auth() – this applies only to old NTP versions not used in any current or recent pfSense release, and is in an area that isn’t possible to enable in pfSense.
  2. non-cryptographic random number generator with weak seed used by ntp-keygen – this also applies only to old versions, and is in an area that isn’t possible to enable in pfSense.
  3. Buffer overflow in crypto_recv() – this applies only to an area that isn’t possible to enable in pfSense.
  4. Buffer overflow in ctl_putdata() – this applies only where control messages are allowed from untrusted hosts, which isn’t possible to configure in pfSense.
  5. receive(): missing return on error – this is a bug that doesn’t appear to have any ability to affect system integrity, hence has no security impact.
  6. Buffer overflow in configure() – this is applicable, however appears to be strictly denial of service. Where you have the NTP server enabled, clients that are permitted by your firewall rules (by default, and in general, only internal hosts) could crash the NTP service.

The bug reports on are marked as private, leaving specific, authoritative details a bit lacking. If you have any information beyond the above, or that contradicts the above, please email us at security at At this time, we don’t believe this poses any significant risk for pfSense users. We’ll update this post should anything change.

2.2 Release Candidate now available!

We are proud to announce pfSense® software version 2.2 Release Candidate is now available! This should be a short release candidate cycle, so we encourage you to try it out ASAP to help us with the final push to release. Jim posted a good overview of the significant changes previously. A more comprehensive list of changes can be found on the 2.2 New Features and Changes page.

In the process of getting to an RC status for 2.2, we’ve closed out 310 total tickets, (this number includes 49 features or tasks), fixed 108 bugs affecting 2.1.5 and prior versions, fixed another 153 bugs which were introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to FreeBSD 10.1, changing IPsec keying daemon from raccoon to StrongSwan, moving the PHP backend from FastCGI to PHP-FPM, updating to PHP 5.5 and changing from dnsmasq to the Unbound DNS Resolver.


New Installs


As always, every previous version can be upgraded directly to 2.2-RC. See the Upgrade Guide for general upgrade guidance applicable to all versions including 2.2-RC.

Feedback, Questions, Need Help?

Report your experiences, or get help with problems on the 2.2 board of the forum.

2.2 release status

We’re getting an increasing number of “When will 2.2-RELEASE happen?” queries.    In an attempt to answer the question for a more general audience, we’ve put together some data.

pfSense® software version 2.2 started with a few seemingly simple goals:

  1. move the base to a very recent version of FreeBSD.
  2. update the IPsec stack to include AES-GCM, and IKEv2.
  3. update PHP to something more recent than what is used in pfSense software version 2.1.

These seemingly simple goals produced a lot of work.  When we re-launched the 2.2 project in October 2013, we estimated that it would take 9-10 months, producing a release in April or May of 2014.   We had no way of knowing that we would end up producing a train of 5 additional releases based on pfSense software version 2.1, starting with 2.1.1 in early April, which was immediately followed by 2.1.2 to fix the “Heartbleed” issue, then 2.1.3, 2.1.4 and 2.1.5 during the following 139 days.  And three weeks after the 2.1.5 release, we finally got pfSense 2.2 into a BETA release.

We are now close enough to a 2.2-RELEASE that we can state with some certainty that FreeBSD 10.1-RELEASE will serve as the base for pfSense 2.2-RELEASE.  In order to transparently support both IKEv1 and IKEv2 we moved from ipsec-tools to strongSwan, taking advantage of its monolithic IKEv1/IKEv2 daemon.  And the PHP backend has been switched from FastCGI to PHP-FPM, while PHP has been updated to version 5.5(.19).

But meeting these three seemingly innocuous goals opened a plethora of issues.   BIND is no longer a part of FreeBSD, so we switched to Unbound.  While the initial work on this was done by a community member, we’ve had to fix a number of real issues with the result since entering BETA.  For the past 60 days it’s been heads down, opening tickets, and getting them resolved by fixing bugs, then re-testing the result.

Open/Closed tickets - last 90 days

Open/Closed tickets – last 90 days

Below you can find a bit more of the internal data that drives the decisions on the release process.   We are now, likely, days away from a “release candidate” for pfSense software version 2.2.  You can help by running a snapshot (several of us have been doing so since the 2.2 BETA), or the RC series and reporting any issues you find.

Past year - total tickets by status

Total Tickets by Status – Past Year.


Past year - open-closed percent tickets by status

Open/Closed tickets, last year


Past 90 days - changes by user

Changes by user – Past 90 days

November Hangout Announcement

Our monthly pfSense hangout has been scheduled! Please make note that because of the Thanksgiving holiday, we will have the event on Tuesday, November 25, 2014 at 1PM CST. Log-in to your portal account on the day of the event for details on how to join us. This month’s topic is: New and Improved Features in pfSense 2.2. Your host will be Jim Pingle

Here is a preview of the hangout:

Happy 10th Birthday to pfSense!

Ten years ago today, the domains were first registered, marking the birth of the project as we know it. We began on a server named “projectx” a few months prior, going public after settling on a name on November 5, 2004. We’ve come incredibly far since then, having grown to one of the most widely used network firewall distributions in the world, with every metric we can count continuing to grow further.

Thanks to everyone who’s made the past decade possible. The best is yet to come!

pfSense October Hangout Announcement

We’re happy to announce the pfSense Gold Hangout for October 2014!

The older ALIX-based appliances (i.e. m1n1wall) are a tremendously popular and successful product. But as one might expect, this product is rapidly approaching its end of life (EOL). It’s successor, the VK-T40E is taking its place as the leader in small, form-factor, low power, entry level pfSense firewall appliances for small business, SOHO, and remote branch office environments.

Our October Hangout will cover the process for upgrading from an older ALIX unit to its successor, the VK-T40E. We will talk about upgrade precautions, how to make the move easier, common pitfalls, and deploying the new device.

When: Friday, October 24, 2014 @ 1PM Central US Time Where: Check your portal account on the day of the event for the link to join us Who: This event will be hosted by Jim Pingle

Mark your calendar and we look forward to seeing you!

In order to join us, you must be a pfSense Gold subscriber.

Subscribe to Gold Here!

Get your VK-T40E here

Here is a preview of the hangout:

faster pf

As I’ve written elsewhere, we are starting to focus on performance in pfSense 2.2 and beyond.  The first project was to implement AES-GCM with AES-NI acceleration (on CPUs that support it) for IPSec.   This project was accomplished in partnership between the FreeBSD Foundation, ESF, and Netgate, and has been stable in pfSense 2.2 snapshots for several weeks.

If your CPU is able to process AES-NI instructions, I encourage you to try it out.

The next investigation, as the title to this post implies, is to improve the speed of pf.   The first thing was to measure the existent performance.  So we (as Netgate) enlisted the help of George Neville-Neil, who wrote a tool called “Conductor“.

One of the first things we noticed was that the Jenkins hash in FreeBSD 10 seems to take a lot of time.  XXHASH is demonstrably faster than Jenkins, and gives a measurable performance gain to pf.

While the patch won’t be available to FreeBSD 10.1 (it’s too late in the process for that), we can make it available in pfSense 2.2, and same will be in the next set of snapshots.  Performance will likely be most measurable above 1Gbps.

Two things:

  • I emphasize that this is an early result.
  •  Please test and let us know.



pfSense and the CVE-2014-6271 (“shellshock”) bash exploit.

tl;dr: If you’re having shell problems I feel bad for you son. I got 99 problems but bash ain’t one.

If you’ve not heard, Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations, this vulnerability is exploitable over the network.

NIST has assigned a CVSS of 10 CVE-2014-6271.  POCs are starting to appear.

So the question becomes, “is pfSense affected?”

The short answer is: Unlikely, though there are three packages which could lead to an exploit. The base system of pfSense does not include bash.  Since bash isn’t on the system, the problem is reduced to packages.

Three packages are affected, and only one is commonly used.  The affected packages are:

  • Anyterm — This package contains bash in its binaries which are in the git repo, not a .pbi or .tgz. This package will simply be retired as it is unmaintained and rarely used.  We will review all packages, and any which contain binaries which we have not built from source will be removed or re-engineered such that we can compile from source.
  • Freeswitch-dev — Runs pkg_add for bash. This package is not actively maintained, and can likely be safely removed from the list of packages with minimal community impact.
  • FreeRADIUS2  — Adds bash via pkg_add using FreeBSD’s 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We’re looking into the best way to fix it.
  • Mailscanner –– Includes bash also, will be fixed shortly.

Given the lack of impact to pfSense software version 2.1.5 or the pfSense 2.2-BETA images, no fix is required, so we don’t plan any release in response to this issue.

UPDATE: Affected packages have been updated or removed. Full details are in the security announcement which was posted this afternoon. -jimp