2.2 seems like a big step forward…
-
Just a general bit of feedback. It seems that 2.2 performs considerably better, and a variety of services perform much better, so the combination of updated packages, new OS, PHP, etc. seems to make a huge difference.
DansGuardian and Snort never ran quite right; they ran without tons of error messages after the upgrade. In the meantime I replaced Snort with Suricata, which seemingly has an amazingly low overhead: running on four interfaces and with blocking enabled, it uses much less CPU than Snort on two without blocking.
TRIM support seems to work fine, too. A checkbox under advanced configuration would be the icing on the cake, but as long as it works, I'm happy.
Frankly, I was nearly shitting my pants hitting the upgrade button, because one of the devices is in a colo probably 1000 miles away, and any issue would have required a plane trip or many days of downtime (and FedEx) to fix. Big sigh of relief seeing that things work better now than ever.
The only issue so far is the status widget for the IPsec links, but that's mostly a cosmetic issue, since I'll immediately know when that link is down (as it's my main internet connection; the ISP only provides the pipe for that IPsec link).
So pretty much a big thumbs up for this almost release!
The only question I have is: what does the situation with L2TP-over-IPsec look like? Does it work now? If so, has anyone written a small config tutorial? It would seem the settings aren't "neatly in one place" as one's used to from the various L2TP clients (e.g. iOS, etc.)
-
There are a couple of threads on L2TP+IPsec that have config examples, but we do not yet have one officially blessed configuration.
Once we do, it'll be up on the Wiki. Same with IKEv2.
-
Frankly, I was nearly shitting my pants hitting the upgrade button, because one of the devices is in a colo probably 1000 miles away…
Braver than me. ;)
-
Frankly, I was nearly shitting my pants hitting the upgrade button, because one of the devices is in a colo probably 1000 miles away…
Braver than me. ;)
Mine are all within 500km range, but some over 3600m passes now covered in snow. After first checking that the particular build installs fine on my home Alix and OpenVPN links come up first time, then there is no trouble upgrading remote sites. On nanoBSD the upgrade process is very good at bailing out if there is any error in writing the new slice, mounting it, copying over /boot/loader.conf.local … So far I have never had an uncontactable remote upgrade - the remote system reboots on the new slice, the OpenVPN links come back up a few minutes later and all is well.
No need to keep toilet paper on hand ;)
-
Yep, that's a good reason to run identical hardware everywhere. You can at least test extensively and be confident you won't have any incompatibility issues. However, just rebooting a remote box, even one that has been running faultlessly, is no guarantee it will come back up. Call me old-fashioned but I like to have toilet paper at all times. ;) (at least until I get an IPv6 addressable bidet ;D)
Edit: Even that may not be safe. ::)
Steve
-
Colo plus IPMI = win for remote management.
-
Used to operate the Netgate servers co-located in San Jose when I lived in Hawaii. 5000 mile plane trip if I screwed the pooch. (Only happened once.)