Netgate Discussion Forum

    HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability

    Messages from the pfSense Team
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      Currently if a firewall is tracking development snapshots it is running pfSense 2.4.5-DEVELOPMENT on FreeBSD 11.2-RELEASE-p8 and the snapshots have been reasonably stable, but that is about to change.

      pfSense 2.4.5 snapshots have been shut down so that we can prepare for the master branch to be switched over to pfSense 2.5.0 running on FreeBSD 12.x. The version bump to 2.5.0 was warranted due to the operating system moving to a new major version. Given the base OS change there is likely to be instability at this early stage as we find and fix things that are not working as we need them to be on FreeBSD 12.x. Undoubtedly there will be other OS and driver changes that we must account for, and that type of testing and debugging is the primary purpose of development snapshots.

      We are moving to FreeBSD 12.x for a variety of reasons. Primarily to keep current with FreeBSD releases, but also to pick up newer drivers, improvements to ARM support, pf, carp, UFS, ZFS, Amazon EC2, ntp, and more.

      We will be testing these snapshots internally first and then enabling them for public access when they are ready for wider testing.

      Once this changeover occurs, users on pfSense 2.4.5 snapshots will be offered an update to a 2.5.0 snapshot. Exercise caution before applying this update. Do not use these snapshots in production without testing in a lab setting first.

      The most significant impact for users that we can predict at this point will be packages. Several packages are failing to build on FreeBSD 12 due to changes in the base OpenSSL. Notably, squid and net-snmp do not build against the base OpenSSL, as well as relayd in the base system, among others. Some of these will temporarily be built against OpenSSL from ports until the other issues can be addressed.

      Additionally, the master branch of the git repository will now contain code for pfSense 2.5.0 / FreeBSD 12, so do not gitsync from a pfSense 2.4.5 snapshot. A full update to 2.5.0 is required.

      The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        So you mention openssl, so this brings in 1.1.1 and the ability to do tls 1.3 I take it? To the gui and with ha proxy ssl offload I would hope.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • jimpJ
          jimp Rebel Alliance Developer Netgate @johnpoz
          last edited by

          @johnpoz said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

          So you mention openssl, so this brings in 1.1.1 and the ability to do tls 1.3 I take it? To the gui and with ha proxy ssl offload I would hope.

          Yes, the base version of OpenSSL on FreeBSD 12.0-RELEASE is 1.1.1a at the moment, not sure if the one on snapshots will be that or slightly newer.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            Nice ! And ssh 7.8 sweet! Big jump from 7.5

            • S
              stephenkwabena
              last edited by

              Thanks guys that now pfsense 2.5.0 will not require an AES-NI processor. It was driving some of us away from pfsense but now it is not required, pfsense is the best... I love you guys for listening to us.

              • V
                vectr0n @jimp
                last edited by

                The most significant impact for users that we can predict at this point will be packages. Several packages are failing to build on FreeBSD 12 due to changes in the base OpenSSL. Notably, squid and net-snmp do not build against the base OpenSSL, as well as relayd in the base system, among others. Some of these will temporarily be built against OpenSSL from ports until the other issues can be addressed.

                With regard to net-snmp as per this commit message it was fixed to build with the base openssl version.

                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  @vectr0n said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

                  With regard to net-snmp as per this commit message it was fixed to build with the base openssl version.

                  It still fails with DTLS enabled, even with the current port. If that fixed it, it broke again in some other way.

                  • W
                    webdawg @stephenkwabena
                    last edited by

                    @stephenkwabena said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

                    Thanks guys that now pfsense 2.5.0 will not require an AES-NI processor. It was driving some of us away from pfsense but now it is not required, pfsense is the best... I love you guys for listening to us.

                    I am still willing to bet that it will eventually require AES-NI.

                    https://www.netgate.com/blog/more-on-aes-ni.html

                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Eventually, yes, once we engineer and write the RESTCONF API. That isn't going to be in 2.5.0, however.

                      • M
                        MarcoP
                        last edited by

                        In System Update, should I leave it set to 2.4 snapshots or should I change it to 2.4 stable?

                        • jimpJ
                          jimp Rebel Alliance Developer Netgate @MarcoP
                          last edited by

                          @marcop said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

                          In System Update, should I leave it set to 2.4 snapshots or should I change it to 2.4 stable?

                          Depends on what you want. If you don't want to be offered the 2.5.0 upgrade yet, set it to stable. If you want to pick up 2.5.0 snapshots when they are ready, then leave it set to snapshots.

                          • M
                            MarcoP @jimp
                            last edited by

                            @jimp great thanks, 2.5.0 will be then

                            • B
                              behemyth
                              last edited by

                              Out of sheer curiosity, do you guys have any idea of when the 2.5 images will be out for testing?

                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                No ETA but it's getting closer. We have it upgrading and booting OK, but still a few more kinks to work out in our internal testing and then it should be ready for wider alpha testing.

                                • S
                                  strangegopher
                                  last edited by

                                  Can we expect new images by April?

                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate @strangegopher
                                    last edited by

                                    @strangegopher said in HEADS UP: Snapshots moving to pfSense 2.5.0 on FreeBSD 12, expect initial instability:

                                    Can we expect new images by April?

                                    Almost certainly sooner than that, but we don't like to overpromise. They're getting closer.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.