HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability

jimp · Feb 13, 2019, 7:30 PM

Currently if a firewall is tracking development snapshots it is running pfSense 2.4.5-DEVELOPMENT on FreeBSD 11.2-RELEASE-p8 and the snapshots have been reasonably stable, but that is about to change.

pfSense 2.4.5 snapshots have been shut down so that we can prepare for the master branch to be switched over to pfSense 2.5.0 running on FreeBSD 12.x. The version bump to 2.5.0 was warranted due to the operating system moving to a new major version. Given the base OS change there is likely to be instability at this early stage as we find and fix things that are not working as we need them to be on FreeBSD 12.x. Undoubtedly there will be other OS and driver changes that we must account for, and that type of testing and debugging is the primary purpose of development snapshots.

We are moving to FreeBSD 12.x for a variety of reasons. Primarily to keep current with FreeBSD releases, but also to pick up newer drivers, improvements to ARM support, pf, carp, UFS, ZFS, Amazon EC2, ntp, and more.

We will be testing these snapshots internally first and then enabling them for public access when they are ready for wider testing.

Once this changeover occurs, users on pfSense 2.4.5 snapshots will be offered an update to a 2.5.0 snapshot. Exercise caution before applying this update. Do not use these snapshots in production without testing in a lab setting first.

The most significant impact for users that we can predict at this point will be packages. Several packages are failing to build on FreeBSD 12 due to changes in the base OpenSSL. Notably, squid and net-snmp do not build against the base OpenSSL, as well as relayd in the base system, among others. Some of these will temporarily be built against OpenSSL from ports until the other issues can be addressed.

Additionally, the master branch of the git repository will now contain code for pfSense 2.5.0 / FreeBSD 12, so do not gitsync from a pfSense 2.4.5 snapshot. A full update to 2.5.0 is required.

The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.

johnpoz · Feb 13, 2019, 8:02 PM

So you mention openssl, so this brings in 1.1.1 and the ability to to do tls 1.3 I take it? To the gui and with ha proxy ssl offload I would hope.

jimp · Feb 13, 2019, 8:14 PM

@johnpoz said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

So you mention openssl, so this brings in 1.1.1 and the ability to to do tls 1.3 I take it? To the gui and with ha proxy ssl offload I would hope.

Yes, the base version of OpenSSL on FreeBSD 12.0-RELEASE is 1.1.1a at the moment, not sure if the one on snapshots will be that or slightly newer.

johnpoz · Feb 13, 2019, 8:33 PM

Nice ! And ssh 7.8 sweet! Big jump from 7.5

stephenkwabena · Feb 16, 2019, 8:44 AM

Thanks guys that now pfsense 2.5.0 will not required AES-NI processor. It was driving some us away from pfsense but now is not require, pfsense is the best... I love you guys for listening to us.

vectr0n · Feb 18, 2019, 4:31 AM

The most significant impact for users that we can predict at this point will be packages. Several packages are failing to build on FreeBSD 12 due to changes in the base OpenSSL. Notably, squid and net-snmp do not build against the base OpenSSL, as well as relayd in the base system, among others. Some of these will temporarily be built against OpenSSL from ports until the other issues can be addressed.

With regard to net-snmp as per this commit message it was fixed to build with the base openssl version.

jimp · Feb 18, 2019, 4:42 AM

@vectr0n said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

With regard to net-snmp as per this commit message it was fixed to build with the base openssl version.

It still fails with DTLS enabled, even with the current port. If that fixed it, it broke again in some other way.

webdawg · Feb 21, 2019, 4:04 PM

@stephenkwabena said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

Thanks guys that now pfsense 2.5.0 will not required AES-NI processor. It was driving some us away from pfsense but now is not require, pfsense is the best... I love you guys for listening to us.

I am still willing to bet that it will eventually require AES-NI.

https://www.netgate.com/blog/more-on-aes-ni.html

jimp · Feb 21, 2019, 4:46 PM

Eventually, yes, once we engineer and write the RESTCONF API. That isn't going to be in 2.5.0, however.

MarcoP · Feb 21, 2019, 4:52 PM

In System Update, should I leave it set to 2.4 snapshots or should I change it to 2.4 stable.

jimp · Feb 21, 2019, 4:54 PM

@marcop said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

In System Update, should I leave it set to 2.4 snapshots or should I change it to 2.4 stable.

Depends on what you want. If you don't want to be offered the 2.5.0 upgrade yet, set it to stable. If you want to pick up 2.5.0 snapshots when they are ready, then leave it set to snapshots.

MarcoP · Feb 21, 2019, 4:56 PM

@jimp great thanks, 2.5.0 will be then

behemyth · Feb 28, 2019, 8:11 PM

Out of sheer curiosity, do you guys have any idea of when the 2.5 images will be out for testing?

jimp · Feb 28, 2019, 8:18 PM

No ETA but it's getting closer. We have it upgrading and booting OK, but still a few more kinks to work out in our internal testing and then it should be ready for wider alpha testing.

strangegopher · Mar 3, 2019, 7:16 AM

Can we expect new images by April?

jimp · Mar 4, 2019, 1:44 PM

@strangegopher said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

Can we expect new images by April?

Almost certainly sooner than that, but we don't like to overpromise. They're getting closer.