- pfSense 2.2 is nearing release candidate stage with many updates including a base OS upgrade to FreeBSD 10, improvements to IPsec, OpenVPN, DNS resolver, CARP, outbound NAT, package system, and more. - Notable changes include switching to Unbound for the DNS resolver, new CARP implementation, AES-GCM support for IPsec, easier outbound NAT configuration, signed packages, and updated firewall logging format. - Other updates include new GEOM mirror management GUI, wider FreeBSD driver support, expanded NTP options, and various performance, stability, and usability improvements.

1. pfSense 2.2 Preview
November 2014 Hangout
Jim Pingle

2. Project Notes
● pfSense 10-year anniversary!
● 2.2 rapidly nearing RC stage
● FreeBSD Journal article on 2.2 pending
● Verizon Cloud Marketplace launched with
support for pfSense
● Ongoing Wiki Updates

3. 2.2 Overview
● Many many updates
● Base OS Upgrade
● FreeBSD 10.x
● Under-the-hood
changes
● IPsec
● OpenVPN
● DNS Resolver
● CARP
● Outbound NAT
● Package System
● Translations
● GEOM Mirrors
● Firewall
● Much, much more!

4. Base OS Upgrade Tracking
● Lagged behind for many years, not good for us or users
● For 2.2 development we tracked 10-STABLE, adjusting
as needed
● Now caught up and seeking ways to streamline the
process in the future
● Getting patches into FreeBSD base where possible to
reduce differences
● Getting port alterations back into FreeBSD ports to
reduce differences

5. FreeBSD 10.x Improvements
● PF improvements
– SMP-friendly. Fine-grained locking and multi-core CPU utilization
– Speed improvements, XXHASH changes by George Neville-Neil, 3% improvement overall in the
worst case scenario Real-world loads likely faster
● Virtualization support as a guest
– Improvements in virtio for most Linux-vased hypervisors
– Xen PVHVM in kernel (watch out for disk and NIC device ID changes!)
– Hyper-V working well out of the box (except CARP)
– bhyve, though it has not been tested much
● New CARP
● Updated drivers for 10Gbit/s NICs and others
● Improved driver support for additional wireless cards
● 802.11n support!
● Much more, see FreeBSD Release Notes

6. Under-the-hood
● PHP up to 5.5.x
● PHP changed from FastCGI to PHP-FPM
● Many other daemons updated
● Captive portal DB moved to sqlite
● Default serial speed 115200
● No “embedded” kernel on amd64
– No longer necessary
– Reduces problems with differences in the kernels
– i386 still has embedded kernel for ALIX and others

7. IPsec
● FreeBSD Foundation and Netgate worked jointly to have
FreeBSD developer John-Mark Gurney add AES-CTR and
AES-GCM ( Galois/Counter Mode ) modes
– AES-GCM is an authenticated encryption algorithm, ideal for
protecting packetized data, because it has minimum latency and
minimum operation overhead
– Acceleration for same w/AES-NI crypto(9) framework
● Ermal updated FreeBSD IPsec for RFC 4106 and RFC 4543
(GCM in IPsec ESP, Galois MAC in ESP and AH)
● Both ends must support the same settings to utilize the new
tunneling modes and acceleration!

8. IPsec (continued)
● Switched from racoon to strongswan for keying
– IKEv2 (still in progress)
– L2TP+IPsec (still in progress, but works for some, see forum)
– Multi-threaded
– Up to 20,000 tunnels on suitable hardware
– ECDH groups and ECDSA certs/signatures for IKEv1 and IKEv2
● Works w/Suite B from Windows Vista/7/8/2008/2012 and later
– More flexible logging and debugging
● Advanced options moved to their own tab under VPN >
IPsec

9. OpenVPN
● Clients can have user/pass credentials for use with VPN providers or
other "remote access" style VPNs
– These clients can also be set to not use a certificate only when a user/pass is
set
● Client-Specific Overrides enhanced significantly
● Compression settings expanded
● Authentication Digest drop-down
● New options for Disable IPv6, route-nopull, route-noexec, log
verboseness selector, etc
● Cryptographic Acceleration behavior changed since OpenSSL will
natively use AES-NI in a better/faster way than using the crypto(9)
support in FreeBSD with the AES-NI module loaded

10. DNS Resolver
● Unbound integrated into base system, no longer a package
– Same as FreeBSD 10, which removed BIND from base in favor of Unbound
● Default for new installs changed to Unbound, under Services > DNS
Resolver
● Upgrades still keep DNS Forwarder (dnsmasq) but can switch at any time
● Unbound brings better DNSSEC support, enabled by default
● Forwarding mode optional (off by default), talks directly to roots
– Forwarding mode still required for Multi-WAN, or default GW switching
● Still supports host and domain overrides, registering DHCP leases, etc
● Improved scalability
● Improved performance with large cache sizes

11. CARP
● New CARP in FreeBSD
● CARP VIPs no longer have their own interface at the OS level
● Single VIP can be in its own subnet, 3 IPs are no longer
strictly required, but still recommended
– With a single IP, the secondary may not be able to fetch updates or
packages unless it is master
● Maintenance mode for persistent demotion of master / disable
of slave
– Useful for upgrades or hardware issues that might not otherwise
work as desired

12. Outbound NAT
● Manual Outbound NAT works like it always has
● Automatic Outbound NAT performs the same but also now displays
the list of NAT networks on the outbound NAT screen
● New Hybrid Outbound NAT mode uses Automatic Outbound NAT
rules but also respects rules added to the list
– PBX outbound static port
– Sending some traffic out a VIP
– "Do not NAT" rule for a public subnet on internal interface
● Disable NAT mode
– Works the same as the old method of Switching to Manual + Deleting all rules
– More intuitive and less work

13. Package System
● Packages are signed when built and the signature is verified before install,
much like firmware updates
– Packages that fail the test will not be installed
– Signing check can be disabled with a setting if needed, but not recommended
● Warnings displayed for non-default package servers
– Does not stop developers from using their own servers, but alerts the user that
they are using an unofficial package source that is not trusted
– Hopefully cuts down on people accidentally/unknowingly using third-party
repositories like Lusca which can break other packages and introduce security
issues
● Tabs for displaying certain categories of packages
● "xml" button actually useful now, reinstalls XML files and related
dependencies like .inc files (no binaries). "pkg" button reinstalls all.

14. Translations
● New translations for Japanese and Turkish from the
community (Thanks!)
● New translation server coming soon at
https://translate.pfsense.org - Submissions
welcome!
● Language can be changed under System >
General
● Full list is now: English, Portuguese (Brazil),
Turkish, and Japanese (Portions still pending)

15. GEOM Mirrors / Software RAID
● Management GUI in 2.2 to change existing mirrors, located at
Diagnostics > GEOM Mirrors
– Only displayed on systems that had a gmirror present at boot time
● No longer need to manually run commands in ssh to manage a gmirror
RAID setup
● Allows rebuilding an array when replacing a drive, or adding an
additional drive to an existing array
● Allows deactivating drives in an array for extra upgrade safety (Drive
can be reactivated after successful upgrade)
● Mirrors are monitored and an array in a non-normal state will generate
alert e-mails using the notification settings
– Alerts are sent when a mirror is degraded, rebuilding, recovering, etc

16. Firewall Rules and Logs
● Firewall log raw format has been rewritten to be
a single line in an easy-to-parse format
– For those who need remote syslog in a predictable
format for third-party log parsing (e.g. Splunk)
● Format is documented on wiki:
https://doc.pfsense.org/index.php/Filter_Log_
Format_for_pfSense_2.2
● Format is subject to change before 2.2-
RELEASE

17. Firewall Rules and Logs
● Firewall rules each have a unique tracker ID that is also in
the logs, so that rule descriptions for matching traffic may be
looked up in a persistent fashion
– In older versions, the rule IDs changed on each filter reload and
may not have lined up, so log messages often referenced
outdated rule numbers
● "This Firewall (self)" macro in firewall rule destinations
(Interface tabs, port forwards) and source (Floating tabs)
used to match any address on the firewall interfaces/VIPs
● Interface macros like "LAN net" now also include any static
route networks on those interfaces

18. GUI Certificate
● Certificate generation for the GUI is now more
unique/specific and to not use default/generic values
when creating the GUI certificate
– Firefox 31 and beyond have a bug in the new PKIX validation
that breaks GUI access if you have visited more than a small
number of devices that use the old style default certificate
– Firefox 33 removed the option to disable PKIX so now the
only option is to use another browser or manually fix the cert.
Visit https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
and vote the bug up!
– pfSsh.php playback generateguicert

19. Misc
● Adjustable Log sizes
● Adjustable Config History count
● Widescreen theme
● Disk usage in sys info widget shows all disk slices now
● Can download or reset custom captive portal pages
● Additional DynDNS providers
● NTP options expanded/enhanced, support for more GPS
devices
● Packet capture boolean logic in Host (and: a,b; or: c|d),
negation for protocol, host, and port

20. Conclusion
● Lots more on the wiki at
https://doc.pfsense.org/index.php/2.2_New_F
eatures_and_Changes
– The wiki article will be updated periodically as
development on 2.2 finalizes
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc