This is a regularly scheduled release of pfSense® Plus software including new features, additional hardware support, and bug fixes.
pfSense Plus software version 22.05-RELEASE is now available. See our upgrade guide to get started with best practices information.
This release contains several significant enhancements, including OpenVPN Data Channel Offload, ZFS Boot Environments, and the migration of Captive Portal from IPFW to PF.
Customers running pfSense Plus software, or the Factory Edition of pfSense software version 2.4.5-p1 and older, can upgrade in-place automatically to pfSense Plus software version 22.05, as with any other previous upgrade.
Highlights
OpenVPN Data Channel Offload
Netgate has been working to develop and integrate support for OpenVPN Data Channel Offload (DCO) into FreeBSD and the release of pfSense Plus software version 22.05. OpenVPN DCO allows for huge performance gains when processing encrypted OpenVPN data by reducing the amount of context switching that happens for each packet. DCO accomplishes this by keeping most of the data handling tasks in the kernel rather than repeatedly switching between kernel and user space for encryption and packet handling. This makes the overall processing of each packet more efficient while also potentially taking advantage of hardware encryption offloading support in the kernel. DCO also adds support for multi-threaded encryption, allowing for even more performance gains.
DCO is not a change to the protocol, it is a change in how an endpoint processes encrypted data. Thus, DCO is beneficial even when only one endpoint is capable of DCO. That said, tunnels employing DCO on all peers will see the most benefit. With DCO on only one peer the performance improvement can still be notable but not as significant as the gains with DCO support on both endpoints.
DCO support is a per-tunnel option and it is not automatically enabled by default for new or upgraded tunnels. Existing tunnels will continue to function as they did in the past. DCO can be enabled for both new and existing tunnels by using a simple checkbox option on OpenVPN server and client instances. The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients.
DCO is currently an experimental feature. While testing has been successful in many scenarios during development, there is still a potential for instability or undesirable behavior.
There are some limitations in OpenVPN DCO generally and in the current DCO implementation on FreeBSD/pfSense software, including:
- Encryption is limited to AES-256-GCM. Future versions will support other AEAD ciphers such as ChaCha20-Poly1305.
- DCO support requires a TLS-based tunnel, such as SSL/TLS, SSL/TLS+User Auth, or User Auth.
- DCO support is only present in OpenVPN 2.6.0 which is not yet at release stage. It has been stable enough in our testing for general use, however. Given this status DCO remains experimental for the time being.
- DCO does not support using a /30 tunnel network for peer-to-peer tunnels (one server with one client).
- Some features are not compatible with DCO or are not relevant with DCO. These options include explicit exit notify, inactivity timeouts, UDP fast I/O, and send/receive buffer sizes. There may be some corner cases where one or more of these function, but in general the best practice is not to rely on them at this time.
- Peer data usage on the OpenVPN status will not reflect the actual amount of data transferred between peers.
pfSense Plus software software version 22.05 or later is required to use OpenVPN DCO. OpenVPN DCO is not available on pfSense CE Software.
ZFS Boot Environments
ZFS Boot Environments, recently previewed in a YouTube Video, make major changes and upgrades safer by taking snapshots of key filesystem areas, allowing the firewall to be rolled back to an earlier known good state if the user encounters problems with a configuration change, upgrade, or other potentially problematic situation.
The upgrade process automatically creates new snapshots and administrators can create them manually as well. Administrators can then restore a previous boot environment snapshot using the GUI or even the boot loader menu which makes quickly recovering from unforeseen issues a breeze.
ZFS Boot Environments will be available exclusively on pfSense Plus software.
Captive Portal Moving from IPFW to PF
On past releases Captive Portal required IPFW because PF lacked features necessary to fully implement Captive Portal functionality. However, using IPFW came at a price of performance loss due to having two packet filters loaded and running traffic through both. The firewall also used IPFW to manage traffic shaping for limiters via DUMMYNET.
Netgate has developed new features in PF, including the ability to perform layer 2 filtering, which now allow PF to fully handle all of the requirements for Captive Portal. Similar development also allows limiter pipes to be managed without the use of IPFW.
With this work in place there is no need for traffic to be processed by multiple packet filters, which will increase performance when using Captive Portal and/or Limiters.
This work is available on pfSense Plus software version 22.05 and development snapshots pfSense CE software version 2.7.0 and later.
Other Notable Changes
- Fix for UPnP and multiple game systems
- New gateway state killing options for smoother failover
- Firewall/NAT rule usability improvements such as buttons to toggle multiple rules and copy multiple rules to other interfaces
For more information, see the Release Notes and Redmine.
Important Information
Please note, as stated here in March 2019, AES-NI is not required to run pfSense software version 2.5.0; this also applies to pfSense Plus software version 22.05.
OpenVPN Shared Key Tunnels Deprecated
In related news, OpenVPN has announced the deprecation of shared key tunnels, also known as static key tunnels. In the past, shared key tunnels had been popular for quick site-to-site setups as they did not require certificates. OpenVPN 2.6.0 still includes support for shared key tunnels but it logs a warning about the feature being deprecated. Support for shared key tunnels will be removed from future OpenVPN releases. Start migrating all existing shared key tunnels to SSL/TLS tunnels now. Do not wait and be surprised later when the tunnels fail after a future upgrade. Additionally, when making new OpenVPN tunnels, do not make any new shared key tunnels. See https://forum.netgate.com/post/1026997 for additional details.
Upgrade Notes
IMPORTANT: Proceed with caution when upgrading pfSense Plus software while COVID-19 travel restrictions are in effect.
During this time of travel limitations, remote upgrades of pfSense Plus software should be carefully considered, and avoided where possible. Travel restrictions may complicate any repair of any issue, including hardware-related issues that render the system unreachable. Should these issues require onsite physical access to remedy, repair of the issue may not be possible while travel restrictions related to COVID-19 are in effect.
All components of the base system and packages will be reinstalled by the upgrade process. This must be done to ensure that the firewall contains a consistent set of packages from the same build environment, even if their versions did not change. This process will increase the time required for the upgrade to complete.
Warnings and error messages are likely to occur while the upgrade is in process. In particular, errors from PHP and package updates may be observed on the console and in logs. In nearly all cases these errors are a harmless side effect of the inconsistent state of the system during the upgrade from changes in the operating system, libraries, and PHP versions. Once the upgrade completes, the system will be in a consistent state again. Only errors which persist after the upgrade are significant.
Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.
Once the firewall detects that an upgrade is available, do not update packages before initiating the upgrade! Either remove all packages, or do not update packages before running the upgrade.
The upgrade will take several minutes to complete. Exact time will vary based on download speed, hardware speed, and other factors such as installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading, it could take 10-20 minutes or more for the upgrade process to complete. The firewall may reboot several times during the process. Monitor the upgrade from the firewall console for the most accurate status view.
If the update check fails, or the update does not complete, run pkg install -y pfSense-upgrade to ensure that pfSense-upgrade is present.
Consult the Upgrade Guide for additional information about performing upgrades to pfSense Plus software.
Reinstalling for ZFS Features
As a reminder to the above, ZFS is the default file system going forward. We encourage each user to consider if ZFS is right file system for your needs. To take advantage of ZFS boot environments, the firewall must use ZFS for its filesystem.
Upgrading To The New Release
Updating from an earlier release to this release is possible via the usual methods.
From the GUI:
- Navigate to System > Update
- Set Branch to Next stable version
- Click Confirm to start the upgrade process
From the console or ssh:
- Select the Next stable version branch in the GUI as above
- Use option 13 OR select option 8 and run
pfSense-upgrade
Users already running 22.05 development snapshots can upgrade in-place to this release the same way, select the Next stable version branch and then perform the upgrade. If a firewall is running a development snapshot of 22.05 its default behavior when upgrading is to remain on snapshots. Without selecting the Next stable version branch a development snapshot installation will upgrade to development snapshots of 22.09.
There is no need to reinstall to use the RELEASE version unless the administrator chooses to do so in order to obtain the latest ZFS dataset layout.
Upgrade Troubleshooting
See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.
If the update system does not offer an upgrade to the current release, or the upgrade will not proceed, take the following steps:
- Navigate to System > Updates
- Set Branch to Latest Development Snapshots
- Refresh the repository configuration and upgrade script by running the following commands from the console or shell:
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
Reporting Issues
This pfSense Plus software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate TAC for paid support.
Thank you!
Obtaining pfSense Software Source Code
pfSense Plus software is derived from FreeBSD and pfSense CE software with additional proprietary changes. The source code for the upstream projects is freely and publicly available from the same repositories as pfSense CE software:
- Main pfSense CE software repository - the web GUI, back end configuration code, and build tools.
- FreeBSD source - the operating system source code, with patches against the FreeBSD base.
- FreeBSD ports - the FreeBSD ports used.
Download
To install or reinstall a release version of pfSense Plus software, contact Netgate TAC to obtain the installation media and include the Netgate Device ID of the hardware.
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.
Supporting the Project
Our efforts are made possible by the support of our customers and the community. You may support this work through one or more of the following:
- Purchase an official appliance direct from Netgate or from our worldwide reseller partner network. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Purchase TAC support which provides you with direct access to Netgate Global Support.
- Purchase a professional services arrangement which provides to our most senior engineers for more complex projects outside the scope of TAC support.