pfSense 2.2 Released

jopen, 9 years ago

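pfSense is an operating system derived from m0n0wall. The technologies it uses include Packet Filter, ALTQ from FreeBSD 6.x (or DragonFly BSD, once ALTQ and CARP are complete there) for excellent packet queueing support, and an integrated package management system for extending its environment with new features.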

I’m happy to announce the release of pfSense® software version 2.2! This release brings improvements in performance and hardware support from the FreeBSD 10.1 base, as well as enhancements we’ve added such as AES-GCM with AES-NI acceleration, among a number of other new features and bug fixes. Jim Thompson posted an overview of the significant changes previously.

In the process of reaching release, we’ve closed out 392 total tickets (this number includes 55 features or tasks), fixed 135 bugs affecting 2.1.5 and prior versions, fixed another 202 bugs introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to 10.1, changing IPsec keying daemons from racoon to strongSwan, upgrading the PHP backend to version 5.5 and switching it from FastCGI to PHP-FPM, and adding the Unbound DNS Resolver, and many smaller changes.

The following shows a graphical representation of the past year of 2.2 development, by redmine ticket stats.


Security Fixes

This release contains four low-impact security fixes.

New Features and Changes

The list of new features and changes in 2.2 is available here. We encourage everyone to review this list before upgrading.

pfSense software is Open Source

For those who would like the source changes in full detail, the main repo is available on Github, and the tools repo is freely available for immediate access after completing an ICLA or CCLA and submitting a License Agreement.

Upgrade Considerations

As always, you can upgrade from any prior release directly to 2.2. The Upgrade Guide covers everything you’ll need to know for upgrading in general. There are some areas where you will want to exercise additional caution with this upgrade.

Clear your Browser Cache After Upgrade

Due to CSS and JavaScript changes, forcing your browser to clear its cache or doing a forced reload (shift+refresh) is a good idea after upgrading. If you see any cosmetic problems in the web interface post-upgrade, a stale browser cache is the likely reason.

Packages

While the most popular packages should be fine, lesser-used ones may not have been updated by their maintainer, or may not be well-tested and have issues. If you’re dependent on packages, we encourage you to test your combination of packages before upgrading in production.

IPsec

The change from racoon to strongSwan as the IKE keying daemon brings a variety of enhancements, including IKEv2 support, AES-GCM and more. As with any significant change in this area, caution is warranted especially if you’re doing anything atypical. The types of problems that may be encountered fall into three categories.

  • Behavior changes triggering bugs in remote endpoint – It’s possible behavior changes between strongSwan and racoon will trigger bugs in the remote endpoint. The only confirmed instance of this we have seen is an issue in racoon with aggressive mode and NAT-D. If you have remote IPsec endpoints that are pfSense 2.1.5 or earlier, and are using aggressive mode, you’ll want to change those to main mode (all other settings can be left as is). Main mode is preferable for site-to-site VPNs anyway.
  • Problems with rekeying with multiple phase 2 entries on a single phase 1 in some cases with IKEv1 – while many circumstances with multiple P2s on a single P1 work fine, there is an outstanding rekeying problem in some circumstances. Especially where you have several P2s on a single P1, we advise caution on upgrading at this time. Where both endpoints support IKEv2, changing from IKEv1 to IKEv2 will prevent this from being an issue. We have an open bug on this which we expect to have addressed in a future 2.2.1 release.
  • Behavior changes where an incorrect configuration that worked before no longer will – There may be things that worked with racoon which were technically not configured correctly, but still worked. The only instance of this we’ve seen is for mobile IPsec clients, where Internet traffic could pass in some circumstances without having specified 0.0.0.0/0 as the local network in the mobile phase 2 configuration. If your mobile IPsec clients need to access the Internet via IPsec, your mobile phase 2 must specify 0.0.0.0/0 as the local network.
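
A pre-upgrade audit for the three IPsec caveats above, as an added example that is not part of the original announcement or of pfSense's own tooling. It assumes a config.xml backup stores IPsec as `<phase1>`/`<phase2>` entries under `<ipsec>`, linked by `<ikeid>`, with `<mode>`, `<iketype>`, `<mobile>` and `<localid>` elements; the sample XML is constructed, so check the element names against a real backup before relying on the result.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample; element names are an assumption about the config.xml layout.
SAMPLE = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><mode>aggressive</mode><descr>branch-a</descr></phase1>
  <phase1><ikeid>2</ikeid><mode>main</mode><descr>branch-b</descr></phase1>
  <phase1><ikeid>3</ikeid><mode>main</mode><mobile/><descr>road-warriors</descr></phase1>
  <phase2><ikeid>1</ikeid><localid><type>lan</type></localid></phase2>
  <phase2><ikeid>2</ikeid><localid><type>lan</type></localid></phase2>
  <phase2><ikeid>2</ikeid><localid><type>opt1</type></localid></phase2>
  <phase2><ikeid>3</ikeid><mobile/><localid><type>lan</type></localid></phase2>
</ipsec></pfsense>"""


def audit_ipsec(xml_text):
    """Return (ikeid, finding) tuples for the three upgrade caveats."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return []
    findings = []
    p2_count = Counter(p2.findtext("ikeid") for p2 in ipsec.findall("phase2"))
    for p1 in ipsec.findall("phase1"):
        ikeid = p1.findtext("ikeid")
        # Caveat 1: aggressive mode on an endpoint that still runs racoon.
        if p1.findtext("mode") == "aggressive":
            findings.append((ikeid, "aggressive-mode"))
        # Caveat 2: several P2s on one IKEv1 P1 (missing <iketype> is
        # treated as IKEv1, an assumption for pre-2.2 backups).
        if p2_count[ikeid] > 1 and p1.findtext("iketype", "ikev1") == "ikev1":
            findings.append((ikeid, "multiple-p2-ikev1"))
    for p2 in ipsec.findall("phase2"):
        if p2.find("mobile") is None:
            continue
        # Caveat 3: mobile P2 whose local network is not 0.0.0.0/0.
        local = p2.find("localid")
        addr = local.findtext("address") if local is not None else None
        bits = local.findtext("netbits") if local is not None else None
        if (addr, bits) != ("0.0.0.0", "0"):
            findings.append((p2.findtext("ikeid"), "mobile-p2-not-default-route"))
    return findings


if __name__ == "__main__":
    for ikeid, finding in audit_ipsec(SAMPLE):
        print(f"phase1 ikeid={ikeid}: {finding}")
```

The third finding only matters where mobile clients are expected to reach the Internet through the tunnel; otherwise it is informational.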

Heads up for Xen users

The FreeBSD 10.1 base used by pfSense 2.2 includes PVHVM drivers for Xen in the kernel. This will cause Xen to automatically change the disk and network device names during an upgrade to pfSense 2.2, which a hypervisor should not do but Xen does. The disk change can be worked around by running /usr/local/sbin/ufslabels.sh before the upgrade to convert the fstab to UFS labels rather than disk device names. The NIC device change will require an interface re-assignment to the xn interfaces. Note there have been significant performance issues reported in Xen with this NIC change. You will likely want to change your Xen setup to not use the PVHVM NICs for your pfSense VMs.

Download

Downloads are available on the mirrors as usual.

Downloads for New Installs

Downloads to Upgrade Existing Systems – note it’s usually easier to just use the auto-update functionality, in which case you don’t need to download anything from here. Check the Firmware Updates page for details.

Supporting the Project

Our efforts are made possible by the support of the community. We encourage you to support our efforts via one or more of the following.

  • Gold subscription – Immediate access to past hang out recordings as well as the 2.1.5 version of the book in PDF, mobi and epub formats after logging in to the members area. Of particular interest may be November’s recording, “New and Improved Features in pfSense 2.2.” While functionally most things haven’t changed in 2.2, we’ve started work on that update. Draft versions will be made available to members as work progresses. We expect the first draft to release within a week or so.
  • Commercial Support – Purchasing support from us provides you with direct access to the pfSense team.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.
  • pfSense Store – stickers, apparel, pre-loaded USB sticks, and hardware direct from the source. Our pre-installed appliances are the fast, easy way to get up and running with a fully-optimized system. All are now shipping with 2.2 release installed.

This entry was posted by Chris Buechler on Friday, January 23rd, 2015 at 7:50 pm and is filed under Announcements, Releases, Uncategorized.

10 Responses to “pfSense 2.2-RELEASE Now Available!”

  1. Mahdi Hedhli Says:
    January 23rd, 2015 at 8:38 pm

    Chris, what about official Hyper-V support!? Thought that was in the pipeline for 2.2

  2. Thomas Says:
    January 23rd, 2015 at 8:39 pm

    First! Auto-Update downloading!

  3. Nick Says:
    January 23rd, 2015 at 8:44 pm

    Exciting to see things move forward; hopefully the MIPS version of 2.2 follows shortly behind this release so I can get pfSense loaded on my EdgeRouter Lite. Thanks for all your hard work!

  4. Chris Buechler Says:
    January 23rd, 2015 at 8:54 pm

    Mahdi: Hyper-V support was added, that’s a part of the FreeBSD 10.1 base (though we’ve also added some additional fixes from Microsoft, like making CARP work properly). Lots of folks on the forum have reported good results with Hyper-V.

  5. Jordan Says:
    January 23rd, 2015 at 8:57 pm

    L2TP+IPsec is huge! Thank you!

  6. Eric Says:
    January 23rd, 2015 at 9:22 pm

    Excellent work! I appreciate the hard work all the devs put into this.

    Thank you!

  7. thiagoc Says:
    January 23rd, 2015 at 9:25 pm

    Congrats to the team!

  8. garegin Says:
    January 23rd, 2015 at 9:38 pm

    What's the support status for running pfSense as a KVM guest?

  9. jigglywiggly Says:
    January 23rd, 2015 at 9:46 pm

    I’m happy to report nanobsd 2.2 vga x64 is working great. I upgraded from 2.1.5 and I don’t see any issues.

    The new interface is nice, and I’m going to see if the schedules in firewall rules work correctly this time.

  10. Mahesh Chowta Says:
    January 23rd, 2015 at 9:47 pm

    Thank you …
