pfSense 2.3 Preview - pfSense Hangout December 2015


Slides for the December 2015 pfSense Hangout video


1. December 2015 pfSense Hangout
   Jim Pingle
   Not long from now on a firewall very, very close to you….

2. pfSense 2.3 Preview
   ● Project News
   ● OS Improvements
   ● Build System Overhaul
   ● Package System Overhaul
   ● Update Management Overhaul
   ● GUI Overhaul
   ● Removed Obsolete Items
   ● Other Notable Changes
   ● Changes Before Release
   ● Tour of the new GUI
   ● Q&A

3. Project News
   ● 2.2.6 is coming with some crash fixes and other minor but beneficial changes
   ● 2.3 is getting into the final stretch
     – Beta any day now
     – Snapshots at https://snapshots.pfsense.org/
     – Many packages are being converted/updated for Bootstrap
     – Still a few things to address
   ● Keep an eye on the blog

4. pfSense 2.3
   ● Tried to keep the scope limited, focusing most on three items:
     – Build system
     – Use of pkg(ng)
     – GUI conversion to Bootstrap
   ● Lots of work involved to get to that stage without dropping features
   ● Longer road but worth the effort to do it right

5. OS Improvements
   ● Moved to a 10.2 base (really 10-STABLE)
     – May be 10.3 by -RELEASE time
   ● tryforward() support to get nearly all of the performance of fastforwarding with IPsec enabled
     – Most people, especially those using IPsec, should see a significant packet processing gain
     – Those who had fastforwarding on and no IPsec should have nearly the same performance (bar other changes)
   ● AES-NI improvements
     – >900Mbit/s IPsec observed in real-world conditions with UDP
   ● netmap support enabled
     – Can be used for fast inline packet processing by packages (e.g. snort)
     – Eventually can be leveraged for forwarding traffic
   ● bhyve support enabled, eventually can be used for:
     – Packages in child VMs
     – Network Function Virtualization

6. Build System Overhaul
   ● Elimination of the -tools repository
   ● Patches are gone, now applied as changes on a vendor branch of FreeBSD
     – Much easier to move to a new FreeBSD version, only needs minor work and testing
   ● pfPorts are gone, now applied in a clone of FreeBSD-ports
   ● Build scripts are now in the pfSense repository
   ● Build systems, snapshot building, etc. all saw major changes to be simpler, more robust, etc.
   ● Builder setup is largely automated and scripted, less to go wrong
   ● Build system is getting closer to FreeBSD style but not quite there yet; that is the ultimate goal
   ● Old way was to spam the builder with installed binaries and copy what was needed to compose an image. New way is to build everything like a package and install the packages into a destination directory.
     – Much less error prone and friendlier to the builder; builders were easier to break before and a lot more work to keep updated
     – Much less likely to result in odd behavior
     – No more copy lists or having to tweak the builder itself to have certain things installed as before

7. Package System Overhaul
   ● PBIs are gone, everything is now a package using pkg(ng)
     – No more XMLRPC to fetch package info from pfSense servers, all handled via pkg
     – No need for communication with pfSense servers during package install as before
   ● Packages use a format similar to FreeBSD ports, and all exist in a clone of the FreeBSD-ports repository
   ● Packages are (will be) signed for authentication
   ● No more special handling of PBI format
   ● Because packages are in a new/separate repo now, code for maintaining backward compatibility is not necessary, leading to even more possible cleanup
   ● Packages are (re)built automatically by Poudriere when the version in the Makefile is changed
   ● No more mismatched dependencies
   ● Package files may be copied for offline installation
     – Need to have the txz file(s) for the pkg and also for dependencies
   ● Package search in GUI
   ● For more information on developing packages for pfSense 2.3 and converting existing packages, see https://forum.pfsense.org/index.php?topic=103481.0
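The offline-install case on the slide above (copy the .txz for the package and for its dependencies) has a catch a practitioner should know: pkg signatures cover the repository catalog that pkg fetch downloads, so a .txz hand-carried to an air-gapped firewall is not signature-checked by pkg add. The script below is an added example, not code from the slides or the pfSense project: it fetches a package plus dependencies with pkg fetch -d, records checksums next to the files, and on the offline box refuses to pkg add anything that does not match. The package name pfSense-pkg-example, the bundle directory and the manifest file name are placeholders; it relies on pkg fetch -o writing into an All/ subdirectory as documented in pkg-fetch(8).

```shell
#!/bin/sh
# Added example (not pfSense project code): bundle a pfSense 2.3 package and
# its dependencies with pkg(8) for offline installation, and verify the copied
# files before installing them on the air-gapped box.
# Assumptions: package name, directory and manifest name are placeholders;
# `pkg fetch -o DIR` places files in DIR/All/ (pkg-fetch(8)).
set -u

# sha256 of a file, portable across FreeBSD (sha256 -q) and Linux (sha256sum)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Connected box: fetch the package and its dependencies (-d) from the signed
# repository into "$dir", then write a checksum manifest beside the files.
bundle_pkg() {
    pkgname=$1; dir=$2
    mkdir -p "$dir"
    pkg fetch -y -d -o "$dir" "$pkgname" || return 1
    : > "$dir/SHA256.manifest"
    for f in "$dir"/All/*.txz; do
        [ -e "$f" ] || continue
        printf '%s  %s\n' "$(digest "$f")" "$(basename "$f")" >> "$dir/SHA256.manifest"
    done
}

# Offline box: every file must match the manifest that travelled with it.
# pkg add(8) on a local file does not check repository signatures, so this is
# the integrity check the signed catalog would otherwise have provided.
verify_bundle() {
    dir=$1
    [ -f "$dir/SHA256.manifest" ] || return 1
    while read -r sum name; do
        [ "$(digest "$dir/All/$name")" = "$sum" ] || {
            echo "MISMATCH: $name" >&2
            return 1
        }
    done < "$dir/SHA256.manifest"
}

# pkg add resolves dependencies from .txz files in the same directory.
install_bundle() {
    dir=$1
    verify_bundle "$dir" || return 1
    pkg add "$dir"/All/*.txz
}

# usage: ./bundle.sh bundle pfSense-pkg-example /root/bundle
#        ./bundle.sh install /root/bundle
case "${1-}" in
    bundle)  bundle_pkg "$2" "$3" ;;
    install) install_bundle "$2" ;;
esac
```

Carry the manifest over a different channel than the bundle (or at least compare it by hand against the copy on the connected box); a checksum file that travels on the same USB stick as tampered packages proves nothing.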
8. Update Management Overhaul
   ● No more "full update" or "full slice" upgrades that unnecessarily overwrite the whole system
     – For 2.3 these style files are still available for those coming from older versions
   ● Base, kernel, everything is now a pkg!
   ● Updates are handled via pkg, checking/updating components as necessary
     – NanoBSD duplicates the current slice, upgrades the alternate slice, then switches to it
   ● Removed "Firmware" nomenclature, now only referred to as "Update"
   ● Updating base or packages from the GUI or command line works identically
   ● Update process works a bit differently behind the scenes:
     – Old method basically overwrote everything from a tarball and then rebooted
     – Now the kernel is upgraded, then the system is rebooted
     – Base is updated before the boot fully starts, then packages, and so on
     – Boot process completes with the fully up-to-date system
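Since base, kernel and packages all arrive through pkg now, the repository definition is what decides whether an update is authenticated at all. The fragment below is an added example, not the repository file pfSense ships: it shows the unsafe setting next to the one that pins the publisher's key. The URL, the repository names and the fingerprint directory are placeholders.

```ucl
# Added example (not pfSense's shipped repo file). Placeholder URL and paths.

# WEAK: the catalog is accepted without any signature check, so whoever can
# answer for the mirror (or sit on the path to it) can feed the box any package.
pfSense-core-unsigned: {
  url: "pkg+https://pkg.example.invalid/pfSense_v2_3_amd64-core",
  mirror_type: "srv",
  signature_type: "none",
  enabled: no
}

# HARDENED: pkg refuses the catalog unless it is signed by a key whose
# SHA-256 fingerprint is listed in a file under <fingerprints>/trusted/.
pfSense-core: {
  url: "pkg+https://pkg.example.invalid/pfSense_v2_3_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/etc/pkg/fingerprints/pfSense",
  enabled: yes
}
```

A trusted-fingerprint file holds two lines, `function: sha256` and `fingerprint: <hex>`, where the hex value is the SHA-256 of the publisher's public key file (`sha256 -q repo.pub` on FreeBSD). With `signature_type: "fingerprints"` and no matching file, `pkg update` fails instead of silently falling back to an unverified catalog, which is the behaviour you want on a firewall.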
9. GUI Overhaul
   ● Converted the entire GUI to Bootstrap
     – Single bullet point but a HUGE undertaking!
     – Completely new look
   ● Cleaned up a lot of code, option text, etc.
   ● More accessible for those using screen readers, etc.
   ● Removed old style themes, introduced new CSS-based themes
   ● JavaScript and CSS refactoring, moved items to more convenient locations, etc.
   ● More use of AJAX updating in widgets and other places
   ● Better use of icons and action buttons rather than the old confusing icon set (now using font-awesome icons)
   ● File names fixed up for pages incorrectly named (e.g. diag_logs.php => status_logs.php)
   ● More consistent handling of most logs (single page, common filtering options, etc.)
   ● Notices in the GUI have been improved
   ● More consistent handling of breadcrumbs and page titles
   ● Menu that follows as you scroll (in progress)

10. Removed Obsolete Items
   ● The PPTP VPN Server has been completely removed. The protocol has been broken for over three years. A longer explanation has been posted on the forum.
     – The PPTP WAN client remains for use with ISPs still using PPTP.
   ● Layer 7 classification support has been removed from the traffic shaper.
     – It was rarely used, had been broken for all of 2.2.x, had absurdly high CPU usage, and snort filters better/faster
   ● WEP support has been removed from Wireless interfaces
     – No reason to still be using this in this day and age. If it is still needed, use an external AP.
   ● DES support has been removed from IPsec
     – It should not be used; it is not secure
   ● fifolog support (not clog, an older alternate log storage)
     – Nobody used it, and it never worked properly (would not read current data from logs)

11. Other Notable Changes
   ● Apinger removed, switched to dpinger (yay)
     – One process per gateway
     – Improved calculation, bugs fixed, etc.
   ● OpenVPN default topology changed to "subnet" (no longer "net30")
     – Upgrades will stay the same; should be beneficial overall
   ● PHP 5.6
   ● Added the ability to disable PV NICs/disks on Xen (came from FreeBSD)

12. Changes Before Release
   ● Still a number of tickets to address, bug fixes, etc. (e.g. Limiters + pfsync)
   ● RRD overhaul
     – Moving to D3
     – Removing "GRAPH" support from RRDTool to reduce dependencies with the new version
     – Better color/graph design
     – Mostly so rrdtool 1.4 can be used and coexist with ntopng
   ● More refinements to look and feel

13. Take a tour...
   ● Dashboard
   ● Responsive auto-adjusting width
   ● Normal and Dark themes
     – pfSense 2.3 is like the force: It has a light theme, and a dark theme, and it binds your network together
   ● Log display, filter panel
   ● Pie charts on Firewall Log Summary
   ● Firewall rules drag & drop
   ● New icons for actions
   ● Collapsible info panel on many pages
   ● Packages
     – Available package search
     – Install/Update changes

14. Conclusion
   ● Questions? Pages to see?
   ● Where to now?
     – 2.4, 3.0, beyond, https://blog.pfsense.org/?p=1588
   ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.
   ● Go see a certain movie (again, perhaps)
