Software-update: pfSense CE 2.8 bèta

Na lange stilte is er eindelijk weer eens een nieuwe versie van de Community Edition van pfSense uitgekomen, echter nog wel een bètaversie. Dit pakket is gebaseerd op het besturingssysteem FreeBSD en richt zich op router- en firewalltaken. Het is verkrijgbaar in de gratis Community Edition en een Plus-uitvoering, die voorheen als Factory Edition werd aangeboden. Het is in 2004 begonnen als een afsplitsing van m0n0wall vanwege verschillende visies bij de ontwikkelaars en in de loop van de jaren uitgegroeid tot een router- en firewallpakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. De releasenotes voor deze uitgave kunnen hieronder worden gevonden.

Call for Testing: pfSense Community Edition 2.8 Beta

Netgate is pleased to announce the release of the Beta of pfSense Community Edition version 2.8. Now it’s your turn to help us test this latest iteration of our popular open-source firewall and routing software. This beta release brings a host of new features, enhancements, and fixes, and your feedback is crucial to ensuring a rock-solid final release.

Warning:

Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process. To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade. Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this section, but the best practice is to follow all of the precautions noted in the Upgrade Guide.

Legacy Serial Consoles

After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.

Low Memory Hardware

Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running. For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.

Release Information

This pfSense CE 2.8 Beta builds on the robust foundation of its predecessors, introducing improvements designed to enhance performance, security, and usability. While the full changelog is still being finalized, here are some highlights you can explore in this beta:

• PHP has been upgraded from 8.2.x to 8.3.x
• The base operating system has been upgraded to FreeBSD 15-CURRENT
• This version of pfSense CE software includes a new kernel-based PPPoE backend, ``if_pppoe``. This will replace the current MPD-based implementation.
  • This new backend is more efficient and enables much faster speeds over PPPoE interfaces.
  • This new PPPoE backend is not active by default in this version, but can be enabled with the global option under System > Advanced on the Networking tab <if_pppoe_option>`.
  • This backend will be enabled by default on future versions of pfSense software.
  • The ``if_pppoe`` backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.
• The default State Policy has been changed from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing, as well as with High Availability state synchronization on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI. The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab. There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.
• This release includes support for enhanced gateway recovery "fail back" by optionally clearing states from lower tier gateways when a more preferred gateway recovers.
• This version requires an updated boot loader, which is automatically handled by the upgrade process for nearly all cases. However, there may be some edge cases where the automatic update does not update the loader currently used by the device. For example, if there are multiple unmirrored disks and the BIOS/EFI Firmware is not booting from the disk containing the updated loader, but an older unrelated installation on a separate disk. One particular case where this can happen is when there is a previous installation to MMC which has been followed by an installation to an add-on SSD without clearing the MMC contents.
• This release includes support for High Availability in the Kea DHCP daemon. This implementation has several advantages over the older ISC DHCP implementation, including:
  • Supports HA for DHCPv4 and DHCPv6.
  • Simplified HA setup, all in one place on each node for each type.
  • Works in hot standby mode, which is more reliable.
  • Can synchronize lease data over the SYNC interface for security and ease of use, and can optionally encrypt the sync data for added protection.
• This release includes support for DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver
  • DNS records are updated dynamically on-the-fly, they do not require a resolver restart and are not disruptive.
  • Supports DNS Registration for DHCPv4 and DHCPv6
  • DNS Registration can be configured on a per-interface or global manner, with the ability to enable or disable specific interfaces as needed.
  • DNS records are not limited to the system domain name. DNS Registration honors the domain name on the DHCP settings for each interface and on static mappings.
  • DNS records are accurate/updated on both high availability peers
  • Static mappings can be registered when Kea starts (similar to ISC) or when a static mapping client obtains a lease.