- pfSense 2.2 is nearing release candidate stage with many updates including a base OS upgrade to FreeBSD 10, improvements to IPsec, OpenVPN, DNS resolver, CARP, outbound NAT, package system, and more.
- Notable changes include switching to Unbound for the DNS resolver, new CARP implementation, AES-GCM support for IPsec, easier outbound NAT configuration, signed packages, and updated firewall logging format.
- Other updates include new GEOM mirror management GUI, wider FreeBSD driver support, expanded NTP options, and various performance, stability, and usability improvements.
2. Project Notes
● pfSense 10-year anniversary!
● 2.2 rapidly nearing RC stage
● FreeBSD Journal article on 2.2 pending
● Verizon Cloud Marketplace launched with support for pfSense
● Ongoing Wiki Updates
3. 2.2 Overview
● Many many updates
● Base OS Upgrade
● FreeBSD 10.x
● Under-the-hood changes
● IPsec
● OpenVPN
● DNS Resolver
● CARP
● Outbound NAT
● Package System
● Translations
● GEOM Mirrors
● Firewall
● Much, much more!
4. Base OS Upgrade Tracking
● Lagged behind for many years, not good for us or users
● For 2.2 development we tracked 10-STABLE, adjusting as needed
● Now caught up and seeking ways to streamline the process in the future
● Getting patches into FreeBSD base where possible to reduce differences
● Getting port alterations back into FreeBSD ports to reduce differences
5. FreeBSD 10.x Improvements
● PF improvements
– SMP-friendly. Fine-grained locking and multi-core CPU utilization
– Speed improvements, XXHASH changes by George Neville-Neil, 3% improvement overall in the worst case scenario; real-world loads likely faster
● Virtualization support as a guest
– Improvements in virtio for most Linux-based hypervisors
– Xen PVHVM in kernel (watch out for disk and NIC device ID changes!)
– Hyper-V working well out of the box (except CARP)
– bhyve, though it has not been tested much
● New CARP
● Updated drivers for 10Gbit/s NICs and others
● Improved driver support for additional wireless cards
● 802.11n support!
● Much more, see FreeBSD Release Notes
6. Under-the-hood
● PHP up to 5.5.x
● PHP changed from FastCGI to PHP-FPM
● Many other daemons updated
● Captive portal DB moved to sqlite
● Default serial speed 115200
● No “embedded” kernel on amd64
– No longer necessary
– Reduces problems with differences in the kernels
– i386 still has embedded kernel for ALIX and others
7. IPsec
● FreeBSD Foundation and Netgate worked jointly to have FreeBSD developer John-Mark Gurney add AES-CTR and AES-GCM (Galois/Counter Mode) modes
– AES-GCM is an authenticated encryption algorithm, ideal for protecting packetized data, because it has minimum latency and minimum operation overhead
– Acceleration for same w/AES-NI crypto(9) framework
● Ermal updated FreeBSD IPsec for RFC 4106 and RFC 4543 (GCM in IPsec ESP, Galois MAC in ESP and AH)
● Both ends must support the same settings to utilize the new tunneling modes and acceleration!
8. IPsec (continued)
● Switched from racoon to strongswan for keying
– IKEv2 (still in progress)
– L2TP+IPsec (still in progress, but works for some, see forum)
– Multi-threaded
– Up to 20,000 tunnels on suitable hardware
– ECDH groups and ECDSA certs/signatures for IKEv1 and IKEv2
● Works w/Suite B from Windows Vista/7/8/2008/2012 and later
– More flexible logging and debugging
● Advanced options moved to their own tab under VPN > IPsec
9. OpenVPN
● Clients can have user/pass credentials for use with VPN providers or other "remote access" style VPNs
– These clients can also be set to not use a certificate, only when a user/pass is set
● Client-Specific Overrides enhanced significantly
● Compression settings expanded
● Authentication Digest drop-down
● New options for Disable IPv6, route-nopull, route-noexec, log verbosity selector, etc.
● Cryptographic Acceleration behavior changed, since OpenSSL will natively use AES-NI in a better/faster way than using the crypto(9) support in FreeBSD with the AES-NI module loaded
10. DNS Resolver
● Unbound integrated into base system, no longer a package
– Same as FreeBSD 10, which removed BIND from base in favor of Unbound
● Default for new installs changed to Unbound, under Services > DNS Resolver
● Upgrades still keep DNS Forwarder (dnsmasq) but can switch at any time
● Unbound brings better DNSSEC support, enabled by default
● Forwarding mode optional (off by default), talks directly to roots
– Forwarding mode still required for Multi-WAN, or default GW switching
● Still supports host and domain overrides, registering DHCP leases, etc
● Improved scalability
● Improved performance with large cache sizes
11. CARP
● New CARP in FreeBSD
● CARP VIPs no longer have their own interface at the OS level
● Single VIP can be in its own subnet; 3 IPs are no longer strictly required, but still recommended
– With a single IP, the secondary may not be able to fetch updates or packages unless it is master
● Maintenance mode for persistent demotion of master / disable of slave
– Useful for upgrades or hardware issues that might not otherwise work as desired
12. Outbound NAT
● Manual Outbound NAT works like it always has
● Automatic Outbound NAT performs the same but also now displays the list of NAT networks on the outbound NAT screen
● New Hybrid Outbound NAT mode uses Automatic Outbound NAT rules but also respects rules added to the list
– PBX outbound static port
– Sending some traffic out a VIP
– "Do not NAT" rule for a public subnet on internal interface
● Disable NAT mode
– Works the same as the old method of Switching to Manual + Deleting all rules
– More intuitive and less work
13. Package System
● Packages are signed when built and the signature is verified before install, much like firmware updates
– Packages that fail the test will not be installed
– Signing check can be disabled with a setting if needed, but not recommended
● Warnings displayed for non-default package servers
– Does not stop developers from using their own servers, but alerts the user that they are using an unofficial package source that is not trusted
– Hopefully cuts down on people accidentally/unknowingly using third-party repositories like Lusca which can break other packages and introduce security issues
● Tabs for displaying certain categories of packages
● "xml" button actually useful now, reinstalls XML files and related dependencies like .inc files (no binaries). "pkg" button reinstalls all.
14. Translations
● New translations for Japanese and Turkish from the community (Thanks!)
● New translation server coming soon at https://translate.pfsense.org - Submissions welcome!
● Language can be changed under System > General
● Full list is now: English, Portuguese (Brazil), Turkish, and Japanese (Portions still pending)
15. GEOM Mirrors / Software RAID
● Management GUI in 2.2 to change existing mirrors, located at Diagnostics > GEOM Mirrors
– Only displayed on systems that had a gmirror present at boot time
● No longer need to manually run commands in ssh to manage a gmirror RAID setup
● Allows rebuilding an array when replacing a drive, or adding an additional drive to an existing array
● Allows deactivating drives in an array for extra upgrade safety (Drive can be reactivated after successful upgrade)
● Mirrors are monitored and an array in a non-normal state will generate alert e-mails using the notification settings
– Alerts are sent when a mirror is degraded, rebuilding, recovering, etc
16. Firewall Rules and Logs
● Firewall log raw format has been rewritten to be a single line in an easy-to-parse format
– For those who need remote syslog in a predictable format for third-party log parsing (e.g. Splunk)
● Format is documented on wiki: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
● Format is subject to change before 2.2-RELEASE
17. Firewall Rules and Logs
● Firewall rules each have a unique tracker ID that is also in the logs, so that rule descriptions for matching traffic may be looked up in a persistent fashion
– In older versions, the rule IDs changed on each filter reload and may not have lined up, so log messages often referenced outdated rule numbers
● "This Firewall (self)" macro in firewall rule destinations (Interface tabs, port forwards) and source (Floating tabs) used to match any address on the firewall interfaces/VIPs
● Interface macros like "LAN net" now also include any static route networks on those interfaces
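The following is an added example, not pfSense's own code, serving the two preceding slides: a Python parser for the single-line filterlog format, using the field layout (common fields, then IPv4 or IPv6 fields, then TCP/UDP fields) as I recall it from the wiki page linked above; that layout, the syslog prefix shape, the sample log lines, hostnames, addresses and the tracker-ID-to-description table are all constructed assumptions, not values from the deck. It shows why the tracker ID matters for a remote log consumer: the leading rule number is only a position in the loaded ruleset, while the tracker ID resolves to a stable rule description, which the example then uses to roll up blocked packets per rule and destination port.

```python
import re
from collections import Counter

# Constructed mapping from rule tracker ID to rule description, as a log consumer
# could export from the firewall configuration. IDs and descriptions are made up.
RULE_DESCRIPTIONS = {
    "1000000103": "Block inbound SSH from WAN",
    "1000000104": "Allow DNS from LAN",
}

# Field layout of the 2.2 filterlog CSV payload (assumption, reproduced from the wiki
# page referenced on the slide). Common fields first, then IPv4 or IPv6 fields, then
# transport fields. The IPv6 block lists protocol text before protocol number.
COMMON_FIELDS = ["rule", "subrule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto", "length", "src", "dst"]
IPV6_FIELDS = ["class", "flow_label", "hop_limit", "proto", "proto_id",
               "length", "src", "dst"]
TCP_FIELDS = ["sport", "dport", "data_length", "tcp_flags", "seq", "ack",
              "window", "urg", "options"]
UDP_FIELDS = ["sport", "dport", "data_length"]

# Remote syslog prefix: timestamp, hostname, program name (assumed shape).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) filterlog: (?P<csv>.+)$"
)


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line, or None when the
    line is not a filterlog record (another daemon's message, truncated line)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    if len(fields) < len(COMMON_FIELDS):
        return None
    rec = dict(zip(COMMON_FIELDS, fields))
    rest = fields[len(COMMON_FIELDS):]

    layout = {"4": IPV4_FIELDS, "6": IPV6_FIELDS}.get(rec["ipver"])
    if layout is None or len(rest) < len(layout):
        return None
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]

    if rec["proto"] == "tcp":
        rec.update(zip(TCP_FIELDS, rest))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP_FIELDS, rest))
    else:
        # ICMP and other protocols have per-type layouts; keep the raw tail.
        rec["l4_raw"] = ",".join(rest)

    rec["timestamp"] = m.group("ts")
    rec["hostname"] = m.group("host")
    # The tracker ID is what keeps this lookup valid across filter reloads.
    rec["description"] = RULE_DESCRIPTIONS.get(rec["tracker"], "<unknown tracker>")
    return rec


def count_blocks(lines):
    """Roll up blocked packets per (rule description, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is not None and rec["action"] == "block":
            counts[(rec["description"], rec.get("dport", ""))] += 1
    return dict(counts)


# Constructed sample lines (documentation address ranges from RFC 5737 / RFC 3849).
SAMPLE_LINES = [
    "Dec  5 10:15:02 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,28371,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,51234,22,0,S,3146587212,,65535,,mss;sackOK;TS;nop;wscale",
    "Dec  5 10:15:02 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,58,9120,0,none,6,tcp,60,203.0.113.77,198.51.100.5,40022,22,0,S,884211005,,29200,,mss;sackOK;TS;nop;wscale",
    "Dec  5 10:15:03 fw filterlog: 7,,,1000000104,em1,match,pass,out,6,0x00,0x00000,64,udp,17,85,2001:db8::10,2001:db8::53,40123,53,85",
    "Dec  5 10:15:04 fw sshd[2231]: Accepted publickey for admin from 2001:db8::10 port 50210 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_filterlog(line)
        if rec:
            print(rec["action"], rec["interface"], rec["src"], "->", rec["dst"],
                  rec.get("dport", ""), "|", rec["description"])
    print(count_blocks(SAMPLE_LINES))
```

Because the slide notes the format may still change before 2.2-RELEASE, the layout lists are kept in one place so a consumer can adjust them against the wiki page rather than editing the parsing logic.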
18. GUI Certificate
● Certificate generation for the GUI now produces a more unique/specific certificate and no longer uses default/generic values when creating the GUI certificate
– Firefox 31 and beyond have a bug in the new PKIX validation that breaks GUI access if you have visited more than a small number of devices that use the old style default certificate
– Firefox 33 removed the option to disable PKIX, so now the only option is to use another browser or manually fix the cert. Visit https://bugzilla.mozilla.org/show_bug.cgi?id=1056341 and vote the bug up!
– To regenerate the GUI certificate: pfSsh.php playback generateguicert
19. Misc
● Adjustable Log sizes
● Adjustable Config History count
● Widescreen theme
● Disk usage in sys info widget shows all disk slices now
● Can download or reset custom captive portal pages
● Additional DynDNS providers
● NTP options expanded/enhanced, support for more GPS devices
● Packet capture boolean logic in Host (and: a,b; or: c|d), negation for protocol, host, and port
20. Conclusion
● Lots more on the wiki at https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes
– The wiki article will be updated periodically as development on 2.2 finalizes
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc.