
pfSense 2.2 Preview - pfSense Hangout November 2014


Slides for the November 2014 pfSense Hangout video


  1. pfSense 2.2 Preview
     November 2014 Hangout
     Jim Pingle
  2. Project Notes
     ● pfSense 10-year anniversary!
     ● 2.2 rapidly nearing RC stage
     ● FreeBSD Journal article on 2.2 pending
     ● Verizon Cloud Marketplace launched with support for pfSense
     ● Ongoing Wiki Updates
  3. 2.2 Overview
     ● Many, many updates
     ● Base OS Upgrade
     ● FreeBSD 10.x
     ● Under-the-hood changes
     ● IPsec
     ● OpenVPN
     ● DNS Resolver
     ● CARP
     ● Outbound NAT
     ● Package System
     ● Translations
     ● GEOM Mirrors
     ● Firewall
     ● Much, much more!
  4. Base OS Upgrade Tracking
     ● Lagged behind for many years, not good for us or users
     ● For 2.2 development we tracked 10-STABLE, adjusting as needed
     ● Now caught up and seeking ways to streamline the process in the future
     ● Getting patches into FreeBSD base where possible to reduce differences
     ● Getting port alterations back into FreeBSD ports to reduce differences
  5. FreeBSD 10.x Improvements
     ● PF improvements
       – SMP-friendly: fine-grained locking and multi-core CPU utilization
       – Speed improvements, XXHASH changes by George Neville-Neil: 3% improvement overall in the worst-case scenario; real-world loads likely faster
     ● Virtualization support as a guest
       – Improvements in virtio for most Linux-based hypervisors
       – Xen PVHVM in kernel (watch out for disk and NIC device ID changes!)
       – Hyper-V working well out of the box (except CARP)
       – bhyve, though it has not been tested much
     ● New CARP
     ● Updated drivers for 10Gbit/s NICs and others
     ● Improved driver support for additional wireless cards
     ● 802.11n support!
     ● Much more, see FreeBSD Release Notes
  6. Under-the-hood
     ● PHP up to 5.5.x
     ● PHP changed from FastCGI to PHP-FPM
     ● Many other daemons updated
     ● Captive portal DB moved to sqlite
     ● Default serial speed 115200
     ● No “embedded” kernel on amd64
       – No longer necessary
       – Reduces problems with differences in the kernels
       – i386 still has embedded kernel for ALIX and others
  7. IPsec
     ● FreeBSD Foundation and Netgate worked jointly to have FreeBSD developer John-Mark Gurney add AES-CTR and AES-GCM (Galois/Counter Mode) modes
       – AES-GCM is an authenticated encryption algorithm, ideal for protecting packetized data, because it has minimum latency and minimum operation overhead
       – Acceleration for the same via AES-NI in the crypto(9) framework
     ● Ermal updated FreeBSD IPsec for RFC 4106 and RFC 4543 (GCM in IPsec ESP, Galois MAC in ESP and AH)
     ● Both ends must support the same settings to utilize the new tunneling modes and acceleration!
  8. IPsec (continued)
     ● Switched from racoon to strongswan for keying
       – IKEv2 (still in progress)
       – L2TP+IPsec (still in progress, but works for some, see forum)
       – Multi-threaded
       – Up to 20,000 tunnels on suitable hardware
       – ECDH groups and ECDSA certs/signatures for IKEv1 and IKEv2
         ● Works with Suite B from Windows Vista/7/8/2008/2012 and later
       – More flexible logging and debugging
     ● Advanced options moved to their own tab under VPN > IPsec
  9. OpenVPN
     ● Clients can have user/pass credentials for use with VPN providers or other "remote access" style VPNs
       – These clients can also be set to not use a certificate, but only when a user/pass is set
     ● Client-Specific Overrides enhanced significantly
     ● Compression settings expanded
     ● Authentication Digest drop-down
     ● New options for Disable IPv6, route-nopull, route-noexec, log verbosity selector, etc.
     ● Cryptographic Acceleration behavior changed, since OpenSSL will natively use AES-NI in a better/faster way than using the crypto(9) support in FreeBSD with the AES-NI module loaded
  10. DNS Resolver
     ● Unbound integrated into base system, no longer a package
       – Same as FreeBSD 10, which removed BIND from base in favor of Unbound
     ● Default for new installs changed to Unbound, under Services > DNS Resolver
     ● Upgrades still keep DNS Forwarder (dnsmasq) but can switch at any time
     ● Unbound brings better DNSSEC support, enabled by default
     ● Forwarding mode optional (off by default), talks directly to roots
       – Forwarding mode still required for Multi-WAN or default GW switching
     ● Still supports host and domain overrides, registering DHCP leases, etc.
     ● Improved scalability
     ● Improved performance with large cache sizes
  11. CARP
     ● New CARP in FreeBSD
     ● CARP VIPs no longer have their own interface at the OS level
     ● Single VIP can be in its own subnet; 3 IPs are no longer strictly required, but still recommended
       – With a single IP, the secondary may not be able to fetch updates or packages unless it is master
     ● Maintenance mode for persistent demotion of master / disable of slave
       – Useful for upgrades or hardware issues that might not otherwise work as desired
  12. Outbound NAT
     ● Manual Outbound NAT works like it always has
     ● Automatic Outbound NAT performs the same but also now displays the list of NAT networks on the outbound NAT screen
     ● New Hybrid Outbound NAT mode uses Automatic Outbound NAT rules but also respects rules added to the list
       – PBX outbound static port
       – Sending some traffic out a VIP
       – "Do not NAT" rule for a public subnet on internal interface
     ● Disable NAT mode
       – Works the same as the old method of switching to Manual + deleting all rules
       – More intuitive and less work
  13. Package System
     ● Packages are signed when built and the signature is verified before install, much like firmware updates
       – Packages that fail the test will not be installed
       – Signing check can be disabled with a setting if needed, but not recommended
     ● Warnings displayed for non-default package servers
       – Does not stop developers from using their own servers, but alerts the user that they are using an unofficial package source that is not trusted
       – Hopefully cuts down on people accidentally/unknowingly using third-party repositories like Lusca, which can break other packages and introduce security issues
     ● Tabs for displaying certain categories of packages
     ● "xml" button actually useful now: reinstalls XML files and related dependencies like .inc files (no binaries). "pkg" button reinstalls all.
  14. Translations
     ● New translations for Japanese and Turkish from the community (Thanks!)
     ● New translation server coming soon at https://translate.pfsense.org - Submissions welcome!
     ● Language can be changed under System > General
     ● Full list is now: English, Portuguese (Brazil), Turkish, and Japanese (portions still pending)
  15. GEOM Mirrors / Software RAID
     ● Management GUI in 2.2 to change existing mirrors, located at Diagnostics > GEOM Mirrors
       – Only displayed on systems that had a gmirror present at boot time
     ● No longer need to manually run commands in ssh to manage a gmirror RAID setup
     ● Allows rebuilding an array when replacing a drive, or adding an additional drive to an existing array
     ● Allows deactivating drives in an array for extra upgrade safety (drive can be reactivated after successful upgrade)
     ● Mirrors are monitored, and an array in a non-normal state will generate alert e-mails using the notification settings
       – Alerts are sent when a mirror is degraded, rebuilding, recovering, etc.
  16. Firewall Rules and Logs
     ● Firewall log raw format has been rewritten to be a single line in an easy-to-parse format
       – For those who need remote syslog in a predictable format for third-party log parsing (e.g. Splunk)
     ● Format is documented on wiki: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
     ● Format is subject to change before 2.2-RELEASE
  17. Firewall Rules and Logs
     ● Firewall rules each have a unique tracker ID that is also in the logs, so that rule descriptions for matching traffic may be looked up in a persistent fashion
       – In older versions, the rule IDs changed on each filter reload and may not have lined up, so log messages often referenced outdated rule numbers
     ● "This Firewall (self)" macro in firewall rule destinations (Interface tabs, port forwards) and source (Floating tabs) used to match any address on the firewall interfaces/VIPs
     ● Interface macros like "LAN net" now also include any static route networks on those interfaces
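As an added example (not from the deck or the pfSense project), a parser for the single-line filterlog records of slides 16 and 17 that counts blocked packets per tracker ID and resolves each to a rule description, which is the persistent lookup slide 17 describes. The field layout is assumed from the wiki page the slide links to; the log lines and the tracker-to-description table are constructed sample data. It handles both IPv4 and IPv6 headers and TCP/UDP, which is more than the slide shows.

```python
from collections import Counter

# Field layout assumed from the linked wiki page: common header, then an
# IP-version block, then a protocol block (only TCP and UDP handled here).
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id", "length",
        "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg",
       "options"]
UDP = ["sport", "dport", "datalen"]

def parse_filterlog(line):
    """Map one raw (optionally syslog-prefixed) filterlog record to named fields."""
    if "filterlog: " in line:                 # drop the syslog timestamp and tag
        line = line.split("filterlog: ", 1)[1]
    fields = line.strip().split(",")
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    ip_layout = IPV4 if rec.get("ipver") == "4" else IPV6
    rec.update(zip(ip_layout, rest))
    rest = rest[len(ip_layout):]
    l4_layout = {"tcp": TCP, "udp": UDP}.get(rec.get("proto"), [])
    rec.update(zip(l4_layout, rest))          # other protocols stay unparsed
    return rec

# Constructed tracker IDs and rule descriptions (as exported from a rule set).
RULES = {"1000000103": "Default deny rule IPv4",
         "1000000110": "Allow HTTPS to web server"}

SAMPLE_LOG = [  # constructed records, not captured traffic
    "Nov 20 10:42:14 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,"
    "0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,7,,65535,,mss",
    "Nov 20 10:42:15 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,"
    "0x0,,128,10041,0,none,17,udp,328,203.0.113.7,192.0.2.10,68,67,308",
    "Nov 20 10:42:16 filterlog: 12,,,1000000110,em0,match,pass,in,4,"
    "0x0,,64,1,0,DF,6,tcp,60,198.51.100.3,192.0.2.10,40000,443,0,S,9,,65535,,mss",
]

def blocks_by_rule(lines):
    """Count blocked records per tracker and resolve each to its rule description."""
    counts = Counter(r["tracker"] for r in map(parse_filterlog, lines)
                     if r.get("action") == "block")
    return {RULES.get(t, "unknown tracker " + t): n for t, n in counts.items()}

print(blocks_by_rule(SAMPLE_LOG))             # {'Default deny rule IPv4': 2}
```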
  18. GUI Certificate
     ● Certificate generation for the GUI is now more unique/specific and no longer uses default/generic values when creating the GUI certificate
       – Firefox 31 and beyond have a bug in the new PKIX validation that breaks GUI access if you have visited more than a small number of devices that use the old-style default certificate
       – Firefox 33 removed the option to disable PKIX, so now the only option is to use another browser or manually fix the cert. Visit https://bugzilla.mozilla.org/show_bug.cgi?id=1056341 and vote the bug up!
       – pfSsh.php playback generateguicert
  19. Misc
     ● Adjustable log sizes
     ● Adjustable Config History count
     ● Widescreen theme
     ● Disk usage in sys info widget shows all disk slices now
     ● Can download or reset custom captive portal pages
     ● Additional DynDNS providers
     ● NTP options expanded/enhanced, support for more GPS devices
     ● Packet capture boolean logic in Host (and: a,b; or: c|d), negation for protocol, host, and port
  20. Conclusion
     ● Lots more on the wiki at https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes
       – The wiki article will be updated periodically as development on 2.2 finalizes
     ● Questions?
     ● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc.
