
pfSense 2.4 and SG-1000 Preview - pfSense Hangout November 2016

Slides for the November 2016 pfSense Hangout video


  1. pfSense 2.4 & SG-1000 Preview, November 2016 Hangout, Jim Pingle
  2. About this Hangout
     ● Project News
     ● pfSense 2.4 Preview
       – OS Changes
       – Known Issues
       – Cleanup
       – Notable Bug Fixes
       – New features
       – Installer Run-Through
     ● SG-1000 Preview
       – Hardware Specs
       – Case Design
       – Performance
       – Use Cases
  3. Project News
     ● 2.4 BETA snapshots available!
       – Still a couple of missing items under active development
     ● SG-1000 preorders still open
     ● Support is now 24x7
       – Initial response SLA down to 8 hours
     ● Book-only subscription for $24.70 per year, online HTML version
     ● Enterprise support tiers coming
       – Lower SLA options (2, 4, 8 hr)
       – Advanced hardware replacement
       – Complimentary professional services consultation
       – Training discounts
       – ...and more depending on the level of support selected
       – Incidents being phased out
  4. pfSense 2.4 Preview: OS Changes
     ● Upgrade of base OS to FreeBSD 11.0-RELEASE
     ● Added support for the SG-1000 ARM-based system
     ● Started using the FreeBSD installer instead of the old-style installer (installation procedures have all changed)
       – The installer now supports UEFI
       – The installer now supports ZFS
  5. 2.4 - OS Changes
     ● 32-bit hardware support has been removed!
       – pfSense 2.4 will not work on 32-bit (x86/i386) Intel architecture systems
       – A 64-bit x86-64 ("amd64") or SG-1000 system is required to run pfSense 2.4
       – Nearly all hardware sold in the last 10 years is 64-bit capable
       – Other projects have already dropped 32-bit images, or are planning to in the near future
       – We plan to maintain security updates on 2.3.x for at least a year for those who need time to transition to 64-bit hardware or SG-1000
  6. 2.4 - OS Changes
     ● NanoBSD has been removed!
       – There are no NanoBSD images for pfSense 2.4 of any size
       – Outlived its usefulness
       – Due to disk and OS changes on FreeBSD 10/11, its advantages were no longer worth the effort
       – Larger disks make it impractical
       – Use a full install instead
         ● Install to SD/CF from a bootable memstick or optical disc image
         ● Works for nearly all systems, including SG firewalls, APU, and so on
       – Activate the option to put /var and /tmp in RAM if disk wear is a concern
       – If the system has no console and no way to boot the installer, install in another system and move the disk
       – Work is in progress to investigate the possibility of upgrading 64-bit NanoBSD installs in-place to a full install
  7. 2.4 - Known Issues
     ● Some work yet to go on 2.4
     ● Captive Portal is missing a mixed table with IP and MAC addresses, which means it cannot send the MAC address as username to RADIUS
     ● Captive Portal is missing statistics, so RADIUS accounting will not receive data
     ● Issues with /var and /tmp in RAM at bootup
       – Do not activate the option yet
     ● Issues with CARP maintenance mode and VIPs being removed
     ● Full list of regressions here: https://redmine.pfsense.org/projects/pfsense/issues?query_id=61
     ● All will be addressed before 2.4-RELEASE
  8. 2.4 - Cleanup
     ● As part of the effort to move things forward, a lot of outdated and incorrect code has been removed, renovated, or replaced
     ● Numerous outdated or unnecessary FreeBSD patches have been removed, bringing us closer to a stock FreeBSD base
     ● Replaced local copies of PHP PEAR libraries with packaged versions from their original sources, rather than including them directly in our tree
       – This required updating several areas of our code to accommodate changes that had happened in the upstream libraries
       – Notable libraries that were replaced: pear, pear-XML_RPC2, pear-Net_IPv6, pear-Crypt_CHAP, pear-Mail, pear-Net_Growl
     ● Removed all references to GLXSB (it was 32-bit only, e.g. ALIX)
     ● Removed all references and code for handling NanoBSD
       – Including calls to conf_mount_ro/conf_mount_rw!
     ● Converted the last remaining services using MPD 4.x or older to MPD 5 so the older version could be left behind
  9. 2.4 - New Features
     ● Wireless
       – FreeBSD 11 contains an updated 802.11 stack that behaves differently
       – Wireless interfaces must now be created on the Wireless tab before they can be assigned (like VLANs, GRE, GIF, etc.)
     ● OpenVPN
       – Added an option to OpenVPN to block outside DNS for Windows 10 clients (requires OpenVPN 2.3.9 or later)
         ● Prevents client DNS requests from leaking to non-VPN DNS servers
         ● Use with caution; some clients are not compatible, and some configurations may require outside DNS
       – Added a compression option to OpenVPN to cope with clients that do not have LZO compiled in
       – Improved the display of the cipher list and made it compatible with the new output from OpenVPN
  10. 2.4 - New Features
     ● Dynamic DNS
       – Changed CloudFlare and GratisDNS to use separate hostname and domain name entries, to better handle domains with several components (e.g. host.co.in)
       – Added IPv6 support to CloudFlare
       – Added a custom field for an external IP checking service (Services > Dynamic DNS, Check IP Services tab) so you can use your own or an alternate check
     ● DHCP
       – Added an option to specifically disable BOOTP
       – A URL may now be entered for the TFTP server
     ● Captive Portal
       – Rewritten to work without multi-instance IPFW patches
  11. 2.4 - New Features
     ● Improved the detail shown in the ARP table
       – Now shows the type of ARP entry and status/expiration
       – Helps spot hosts that may be down ("incomplete") and other miscellaneous ARP-related issues
     ● Added support for the NTP "pool" directive, which makes it much easier to keep accurate time without having to specify multiple servers manually
     ● Added options to the console reboot menu to reboot into single-user mode, or to force a filesystem check for diagnostic purposes
     ● … and more!
  12. 2.4 - Notable Bug Fixes
     ● Bug affecting limiters + NAT rules has been fixed
       – Limiters + pfsync is still an issue
     ● Fixed handling of XMLRPC with a username other than "admin"
       – You can create a separate sync account and give it the "System - HA node sync" privilege
     ● Fixed handling of static ARP when creating or editing DHCP static mappings
     ● Fixed issues with snort, squid (clamav), and squidGuard when /var and /tmp are in RAM
     ● Fixed issues loading PHP extensions
       – FreeBSD port was redesigned upstream to better handle loading order and module availability
     ● Fixed DHCP Relay
  13. 2.4 Installer
     ● Documentation updates are in progress
     ● "Auto" options automatically create partition layouts, but are not fully automatic installation options
       – We are still looking into a Quick/Easy install option with the new installer
     ● Install process is fairly simple, mostly picking the disk and accepting defaults
     ● Several partition scheme choices
       – Depends on BIOS/filesystem type
       – GPT is best for most cases, BIOS or UEFI; MBR for older systems
     ● RAID/mirroring is supported using ZFS; no installer option for gmirror
     ● Swap size should be 2x RAM if there is sufficient disk space
     ● Run-through of the 2.4 installer (time allowing)
  14. SG-1000 Preview Overview
     ● Small footprint
     ● ARM-based
     ● Very low power
       – 2.5W idle
     ● Runs pfSense (naturally)
     ● Cost is $149 USD
       – Includes a one-year subscription to pfSense Gold ($99 value)
     ● Preorder now, ships as soon as pfSense 2.4 is ready
       – Very soon now!
  15. SG-1000 Hardware Specs
     ● TI AM3352 ARM Cortex-A8 600 MHz, single core with crypto accelerator (driver pending)
     ● 512MB DDR3 non-ECC
     ● 4GB eMMC flash on board
     ● SD card socket for more storage, locking cover style
     ● 2 x 1GbE on RJ45
       – Real 1Gbit/s ports, not 10/100 ports
       – Ports are on a switch internally
       – Each port is isolated on separate internal VLANs by the chip
       – Can use VLAN tags to address additional networks
     ● 1 x USB 2.0 OTG port; can use a Micro-B male to USB A female cable or other OTG options
       – Not currently bootable, but can be used to connect other USB devices like external storage, wireless, GPS
     ● Micro USB console, like other SG devices
     ● Power is 5V DC, max 2.5A, barrel connector; ships with a compatible PSU
       – Only draws 2.5W idle
       – Possible, but not practical, to power via USB; would need a barrel connector adapter plus tablet-style amperage output from a charger
     ● Expansion connector: GPIO, I2C, UART, Analog In
  16. SG-1000 Case Design
     ● Case measures 1" x 2" x 3" (24mm x 51mm x 78mm)
     ● Vented case, designed for passive cooling
     ● Anodized aluminum
     ● Available in red or black
  17. SG-1000 Performance
     ● Throughput numbers are improving as development continues
       – >100Mbit/s running pfSense
       – Current tests are ~120-130Mbit/s
       – No VPN performance metrics yet
     ● Packages are being evaluated
       – Most work fine, especially if they are PHP-based
       – Some do not compile or are not feasible on ARM currently
         ● snort/suricata: some compile/run but ultimately may not be practical
         ● squid, depending on settings (definitely no clamav given RAM limits)
  18. SG-1000 Use Cases
     ● Small footprint / low space needs
     ● SOHO, small networks, small branch offices, remote employees
     ● Portable firewall, e.g. plug between laptop and untrusted network
     ● Managed Service Provider (MSP) endpoint at a client
     ● Internal firewall/router for network segments in small/medium businesses
     ● Home Office / Remote User VPN
     ● IoT security endpoint
       – Segment IoT devices away from the rest of a network
     ● IPMI or other management port firewall
     ● … anything else that might need a firewall at moderate throughput with a low power draw!
  19. Conclusion
     ● Questions?
     ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.
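The improved ARP table in slide 11 exposes the entry type and expiration that FreeBSD's `arp -an` already reports. As an added example (not from the slides or the pfSense project), the following POSIX shell script parses constructed `arp -an` output in FreeBSD's format and classifies each entry as static, dynamic or incomplete, so that entries that never received a reply (hosts that may be down) can be listed and counted from the console or a cron job; the interface names, addresses and MACs are made up.

```shell
# Constructed sample in FreeBSD 11 `arp -an` format (not captured from a real pfSense system).
SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:55 on em0 expires in 1185 seconds [ethernet]
? (192.168.1.10) at 00:aa:bb:cc:dd:ee on em0 permanent [ethernet]
? (192.168.1.50) at (incomplete) on em0 expired [ethernet]
? (192.168.1.77) at 00:de:ad:be:ef:01 on em1 expires in 42 seconds [ethernet]'

# classify_arp: reads arp -an lines on stdin and prints one line per entry:
#   STATUS IP MAC IFACE NOTE
# STATUS is DYNAMIC (learned, with expiry), STATIC (permanent mapping, e.g. a
# DHCP static ARP entry) or INCOMPLETE (request sent, no reply: host may be down).
classify_arp() {
    awk '
    NF >= 7 {
        ip = $2; gsub(/[()]/, "", ip)       # "(192.168.1.1)" -> "192.168.1.1"
        mac = $4; iface = $6
        if (mac == "(incomplete)") {
            status = "INCOMPLETE"; note = "no reply to ARP request, host may be down"
        } else if ($7 == "permanent") {
            status = "STATIC"; note = "permanent (static) mapping"
        } else if ($7 == "expires") {
            status = "DYNAMIC"; note = "expires in " $9 "s"
        } else {
            status = "UNKNOWN"; note = $0
        }
        print status, ip, mac, iface, note
    }'
}

# count_status STATUS: number of entries on stdin with the given STATUS.
count_status() {
    classify_arp | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# incomplete_hosts: IPs of entries that never got an ARP reply, one per line.
incomplete_hosts() {
    classify_arp | awk '$1 == "INCOMPLETE" { print $2 }'
}

# Stand-alone demo; on a pfSense 2.4 console replace the sample with: arp -an | classify_arp
printf '%s\n' "$SAMPLE_ARP" | classify_arp
echo "incomplete entries: $(printf '%s\n' "$SAMPLE_ARP" | count_status INCOMPLETE)"
```

The same classification is what the 2.4 Diagnostics > ARP Table page shows in its status column; scripting it lets you alert on a persistent incomplete entry for a host that should always be up.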
