Development snapshots of pfSense Plus software version 22.05 have now reached the BETA stage and contain a few recent significant enhancements that we at Netgate have been developing for this release. These enhancements include OpenVPN Data Channel Offload, ZFS Boot Environments, and moving Captive Portal from IPFW to PF. These features are now at a point where they are ready for wider testing and feedback from users. Keep in mind, however, that this release is still under development and has a potential for instability.
See our upgrade guide to get started with best practices information.
Customers running pfSense Plus software, or the Factory Edition of pfSense software version 2.4.5-p1 and older, can upgrade in-place automatically to the beta version of pfSense Plus software version 22.05.
OpenVPN Data Channel Offload
Netgate has been working to develop and integrate support for OpenVPN Data Channel Offload (DCO) into FreeBSD and the upcoming release of pfSense Plus software version 22.05. OpenVPN DCO allows for huge performance gains when processing encrypted OpenVPN data by reducing the amount of context switching that happens for each packet. DCO accomplishes this by keeping most of the data handling tasks in the kernel rather than repeatedly switching between kernel and user space for encryption and packet handling. This makes the overall processing of each packet more efficient while also potentially taking advantage of hardware encryption offloading support in the kernel. DCO also adds support for multi-threaded encryption, allowing for even more performance gains.
DCO is not a change to the protocol; it is a change in how an endpoint processes encrypted data. Thus, DCO is beneficial even when only one endpoint is capable of DCO. That said, tunnels employing DCO on all peers will see the most benefit. With DCO on only one peer the performance improvement can still be notable, but not as significant as the gains with DCO support on both endpoints.
DCO support is a per-tunnel option and it is not automatically enabled by default for new or upgraded tunnels. Existing tunnels will continue to function as they did in the past. DCO can be enabled for both new and existing tunnels by using a simple checkbox option on OpenVPN server and client instances. The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients.
There are some limitations in OpenVPN DCO generally and in the current DCO implementation on FreeBSD/pfSense software, including:
- Encryption is limited to AES-256-GCM. Future versions will support other AEAD ciphers such as ChaCha20-Poly1305.
- DCO support requires a TLS-based tunnel, such as SSL/TLS, SSL/TLS+User Auth, or User Auth.
- DCO support is only present in OpenVPN 2.6.0 which is not yet at release stage. It has been stable enough in our testing for general use, however.
- Using a /30 tunnel network for peer-to-peer tunnels (one server with one client) can be problematic with DCO. There are problems with the code for this mode in OpenVPN which can lead to instability. Also, the client must be using at least OpenVPN 2.5.0, which is present on pfSense Plus software version 21.02 and later or pfSense CE software version 2.5.0 and later. These restrictions do not apply to client/server mode (one server capable of handling multiple clients).
- Some features are not compatible with DCO or are not relevant with DCO. These options include explicit exit notify, inactivity timeouts, UDP fast I/O, and send/receive buffer sizes.
- There are issues with tracking per-peer data usage which may be resolved before the release. Until that is resolved, peer data usage on the OpenVPN status will not reflect the actual amount of data transferred between peers.
OpenVPN DCO will be available exclusively on pfSense Plus software.
ZFS Boot Environments
ZFS Boot Environments, recently previewed in a YouTube video, make major changes and upgrades safer by taking snapshots of key filesystem areas, allowing the firewall to be rolled back to an earlier known good state if the user encounters problems with a configuration change, upgrade, or other potentially problematic situation.
The upgrade process automatically creates new snapshots and administrators can create them manually as well. Administrators can then restore a previous boot environment snapshot using the GUI or even the boot loader menu which makes quickly recovering from unforeseen issues a breeze.
ZFS Boot Environments will be available exclusively on pfSense Plus software.
Captive Portal Moving from IPFW to PF
In past releases Captive Portal required IPFW because PF lacked features necessary to fully implement Captive Portal functionality. However, using IPFW came at the price of a performance loss due to having two packet filters loaded and running traffic through both. The firewall also used IPFW to manage traffic shaping for limiters via DUMMYNET.
Netgate has developed new features in PF, including the ability to perform layer 2 filtering, which now allow PF to fully handle all of the requirements for Captive Portal. Similar development also allows limiter pipes to be managed without the use of IPFW.
With this work in place there is no need for traffic to be processed by multiple packet filters, which will increase performance when using Captive Portal and/or Limiters.
This work is available on development snapshots of both pfSense Plus and pfSense CE software.
Other Notable Changes
- Fix for UPnP and multiple game systems
- New gateway state killing options for smoother failover
- Firewall/NAT rule usability improvements such as buttons to toggle multiple rules and copy rules to other interfaces
For more information, see the Release Notes and Redmine.
Please note, as stated here in March 2019, AES-NI is not required to run pfSense software version 2.5.0; this also applies to pfSense Plus software version 22.05.
OpenVPN Shared Key Tunnels Deprecated
In related news, OpenVPN has announced the deprecation of shared key tunnels, also known as static key tunnels. In the past, shared key tunnels had been popular for quick site-to-site setups as they did not require certificates. OpenVPN 2.6.0 still includes support for shared key tunnels but it logs a warning about the feature being deprecated. Support for shared key tunnels will be removed from future OpenVPN releases. Start migrating all existing shared key tunnels to SSL/TLS tunnels now. Do not wait and be surprised later when the tunnels fail after a future upgrade. Additionally, when making new OpenVPN tunnels, do not make any new shared key tunnels. See https://forum.netgate.com/post/1026997 for additional details.
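The two OpenVPN points above (the DCO limitations list and the shared-key deprecation) are both things an administrator can check for in an instance configuration before touching the DCO checkbox. The following POSIX shell script is an added example, not Netgate or pfSense project code: it scans an OpenVPN config for the `secret` directive (shared-key mode), for any cipher other than AES-256-GCM, and for the options the DCO list above names as incompatible (explicit exit notify, inactivity timeout, fast I/O, send/receive buffers), and it notes peer-to-peer layouts so the /30 caveat can be reviewed by hand. Only standard OpenVPN directive names are used; the three sample configs are constructed for illustration, and the config path to audit on a real firewall is left as a placeholder.

```shell
#!/bin/sh
# Audit OpenVPN instance configs for deprecated shared-key mode and for the
# DCO limitations listed above. Added example, not pfSense/Netgate code.
# Sample configs below are constructed; real configs are passed as arguments.

# Options the DCO data path does not support or does not use.
DCO_UNSUPPORTED="explicit-exit-notify inactive fast-io sndbuf rcvbuf"

# audit_ovpn FILE: print one line per finding and return the number of
# blocking findings (0 = nothing stops DCO on this tunnel). Notes are
# printed but not counted.
audit_ovpn() {
    f="$1"
    n=0

    # 'secret' = shared-key (static key) tunnel: deprecated in OpenVPN 2.6
    # and not TLS-based, so it blocks DCO as well.
    if grep -Eq '^[[:space:]]*secret([[:space:]]|$)' "$f"; then
        echo "$f: 'secret' directive -> shared-key tunnel, deprecated; migrate to SSL/TLS"
        n=$((n + 1))
    fi

    # DCO handles AES-256-GCM only; check 'cipher' and the colon-separated
    # 'data-ciphers' negotiation list.
    ciphers=$(awk '$1 == "cipher" || $1 == "data-ciphers" { print $2 }' "$f" | tr ':' '\n')
    if [ -z "$ciphers" ]; then
        echo "$f: no cipher/data-ciphers pinned; DCO requires AES-256-GCM"
        n=$((n + 1))
    else
        for c in $ciphers; do
            if [ "$c" != "AES-256-GCM" ]; then
                echo "$f: cipher $c is not usable with DCO (AES-256-GCM only)"
                n=$((n + 1))
            fi
        done
    fi

    for opt in $DCO_UNSUPPORTED; do
        if grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$f"; then
            echo "$f: '$opt' is not compatible with DCO; remove it before enabling DCO"
            n=$((n + 1))
        fi
    done

    # Peer-to-peer layout (ifconfig, no 'server' line): /30 tunnel networks
    # are reported unstable with DCO and the peer must run OpenVPN 2.5.0+.
    if grep -Eq '^[[:space:]]*ifconfig[[:space:]]' "$f" &&
       ! grep -Eq '^[[:space:]]*server[[:space:]]' "$f"; then
        echo "$f: note: peer-to-peer tunnel; avoid a /30 tunnel network with DCO and confirm the peer runs OpenVPN 2.5.0 or later"
    fi
    return "$n"
}

# Constructed samples (kept in a temp dir so findings can be re-checked).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sharedkey.ovpn" <<'EOF'
dev tun
proto udp
remote vpn.example.net 1194
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
EOF
cat > "$SAMPLE_DIR/tls_ready.ovpn" <<'EOF'
dev tun
proto udp
server 10.8.1.0 255.255.255.0
tls-server
ca ca.crt
cert server.crt
key server.key
data-ciphers AES-256-GCM
EOF
cat > "$SAMPLE_DIR/tls_cleanup.ovpn" <<'EOF'
dev tun
proto udp
server 10.8.2.0 255.255.255.0
tls-server
data-ciphers AES-256-GCM:AES-128-GCM
explicit-exit-notify 1
fast-io
sndbuf 524288
rcvbuf 524288
inactive 300
EOF

# Run over the samples; on a firewall pass the instance config paths
# (placeholder: /path/to/instance/config.ovpn) instead of "$SAMPLE_DIR"/*.ovpn.
for f in "$SAMPLE_DIR"/*.ovpn; do
    rc=0
    audit_ovpn "$f" || rc=$?
    [ "$rc" -eq 0 ] && echo "$f: OK for DCO" || echo "$f: $rc item(s) need attention"
done
```

The return value is a count rather than a boolean so the script can be used in a loop over many instances and sorted by how much cleanup each tunnel needs; the peer-to-peer line is deliberately a note, because the /30 problem depends on the tunnel network the administrator chose and on the remote peer's OpenVPN version, neither of which the local config file can prove.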
IMPORTANT: Proceed with caution when upgrading pfSense Plus software while COVID-19 travel restrictions are in effect.
During this time of travel limitations, remote upgrades of pfSense Plus software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.
All components of the base system and packages will be reinstalled by the upgrade process. This must be done to ensure that the firewall contains a consistent set of packages from the same build environment, even if their versions did not change. This process will increase the time required for the upgrade to complete.
Warnings and error messages are likely to occur while the upgrade is in process. In particular, errors from PHP and package updates may be observed on the console and in logs. In nearly all cases these errors are a harmless side effect of the inconsistent state of the system during the upgrade from changes in the operating system, libraries, and PHP versions. Once the upgrade completes, the system will be in a consistent state again. Only errors which persist after the upgrade are significant.
Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.
Once the firewall detects that an upgrade is available, do not update packages before initiating the upgrade! Either remove all packages, or do not update packages before running the upgrade.
The upgrade will take several minutes to complete. Exact time will vary based on download speed, hardware speed, and other factors such as installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading, it could take 10-20 minutes or more for the upgrade process to complete. The firewall may reboot several times during the process. Monitor the upgrade from the firewall console for the most accurate status view.
If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present.
Consult the Upgrade Guide for additional information about performing upgrades to pfSense Plus software.
Reinstalling for ZFS Features
As a reminder, ZFS is the default file system going forward. We encourage each user to consider whether ZFS is the right file system for their needs. To take advantage of ZFS boot environments, the firewall must use ZFS for its filesystem.
Upgrading To The New Release
Updating from an earlier release to this release is possible via the usual methods. Before upgrading to a development snapshot, take a configuration backup and have installation media on hand for the current stable release version.
From the GUI:
- Navigate to System > Update
- Set Branch to Latest Development Snapshots
- Click Confirm to start the upgrade process
From the console or ssh:
- Select the Latest Development Snapshots branch in the GUI as above
- Use option 13 OR select option 8 and run
Users already running 22.05 development snapshots can upgrade in-place to BETA with a regular upgrade, no special action is necessary.
A firewall running the BETA version can later upgrade to RC and RELEASE through the regular upgrade process. There is no need to reinstall to use the RELEASE version unless the administrator chooses to do so in order to obtain the latest ZFS dataset layout.
See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.
If the update system does not offer an upgrade to the current release, or the upgrade will not proceed, take the following steps:
- Navigate to System > Update
- Set Branch to Latest Development Snapshots
- Refresh the repository configuration and upgrade script by running the following commands from the console or shell:
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
This pfSense Plus software release is ready for testing in a lab or non-production environment. Should any issues arise, please post to our forum.
Obtaining pfSense Software Source Code
pfSense Plus software is derived from FreeBSD and pfSense CE software with additional proprietary changes. The source code for the upstream projects is freely and publicly available from the same repositories as pfSense CE software:
- Main pfSense CE software repository - the web GUI, back end configuration code, and build tools.
- FreeBSD source - the operating system source code, with patches against the FreeBSD base.
- FreeBSD ports - the FreeBSD ports used.
To install or reinstall a release version of pfSense Plus software, contact Netgate TAC to obtain the installation media and include the Netgate Device ID of the hardware.
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.
Supporting the Project
Our efforts are made possible by the support of our customers and the community. You may support this work through one or more of the following:
- Purchase an official appliance direct from Netgate. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Purchase TAC support which provides you with direct access to Netgate Global Support.
- Purchase a professional services arrangement which provides access to our most senior engineers for more complex projects outside the scope of TAC support.