pfSense 21.05 Available Soon & pfSense CE 2.5.2 BETA Snapshots Available Now
-
@dennis_s seems like in 2.5.2 CE Beta, the multi-wan NAT issue is still not addressed.
-
@enthu19 said in pfSense 21.05 Available Soon & pfSense CE 2.5.2 BETA Snapshots Available Now:
@dennis_s seems like in 2.5.2 CE Beta, the multi-wan NAT issue is still not addressed.
@dennis_s Could you check on that? If that is not addressed, we would have MANY pissed off customers at hand with MultiWAN setups not working. And the other half already angry about many problems that are still happening with IPsec and crypto problems! That has to be addressed.
-
Sorry, no edit is striking again ;)
Also would be interesting to hear about
-
Token Registration: So how will the process be and what exactly will a token for "Plus" cost and will it cost more than once? (Hidden subscription etc.)
-
How much behind (guesstimate) will 2.5.2 be after 21.05 release? As stated in my last post we have a great deal of angry or upset customers since the 2.5 update series. MultiWAN bug, Crypto bug, IPsec bugs, that hurt us and our/your reputation deeply. So having a counter against that with a light at the end of the tunnel would be nice!
-
Your blog post is quite vague about the openvpn-client-export package. Is that modification about importing ovpn Files "Plus only" and so will the ovpn-client-export be the first package to "officially differ" between CE and Plus or will those changes come to CE, too? That's causing another stir from many customers and users and your post is quite "open to interpretation" again. So clarification would be nice.
Thanks!
\jens -
-
@enthu19 said in pfSense 21.05 Available Soon & pfSense CE 2.5.2 BETA Snapshots Available Now:
@dennis_s seems like in 2.5.2 CE Beta, the multi-wan NAT issue is still not addressed.
My quick testing this afternoon says otherwise. A simple HTTP forwarding from two different WANs to a webserver behind a pfSense running on 2.5.2 Beta showed the NGINX test page on both IP1:80 / IP2:80 the same way with state hits on both rules and rule tabs. So I'd cautiously say that is working again.
-
Only a few hours left before they will have to rename it to 21.06
-
@kom I for myself didn't understand 21.05 at all, as they talked about ~3 releases a year and after 21.02 the logical next would be 21.06 and 21.10 to get to a 3-release cycle anyway
-
Hello:
I'm confused as well and I believe others are as well (maybe they're just not expressing it). Here is my reasoning; in January of 2021 Scott Long posted to the Blog an article titled "pfSense Plus and pfSense CE: Dev Insights and Direction" (https://www.netgate.com/blog/pfsense-plus-pfsense-ce-dev-insights-direction.html), in which he states in paragraph 9 the following:
"In order to keep us driving towards our goals, I’m making changes in the organization to move us to a regular release cadence for pfSense Plus. In the past, a release was made “when it’s ready”, and that meant anywhere from 2 days to 10 months in between, with no outward rhyme or reason. It’s not lost on me that we’ve been promising pfSense 2.5 for a very long time, and the delays have been frustrating for our followers. While the engineer in me strives for perfection and wants to wait until every feature is implemented and every bug is fixed, the product manager in me knows that a regular, predictable release schedule is even more important. Thus, we’ll do three major releases a year: January (delayed slightly this year due to everything starting up), May, and September. We may also do minor releases in-between these times to address important bugs and security issues."
Specifically the part "we’ll do three major releases a year: January (delayed slightly this year due to everything starting up), May, and September."
To be frank, May is gone, and yet no major revision (his words). Some might argue 2.5.x was a rewrite and thus unexpected bugs (or features) were introduced that were unexpected. But what about testing (especially for a rewrite)? Or the beta period? Or when it was set as RC? I don't use the multi-WAN but there is no way I believe that issue was somehow overlooked in testing or in beta or even during RC phase given how many do in fact use that particular feature. (Note to developers: add complete multi-WAN testing BEFORE releasing future versions! Be sure to include ALL aspects of access including OpenVPN!)
If you look at the Roadmap (https://redmine.pfsense.org/projects/pfsense/roadmap) it shows 2.5.2 as still having 117 issues with 49 still open as of this writing. And the Roadmap is weird... I've seen where there were only a few items for 2.5.2, then 2.5.2 disappeared and everything was on 2.6, then 2.5.2 reappeared with a revolving number of issues.
If one claims you can't follow the Roadmap, then my response is why have it at all? Watch the Roadmap for a few days, seriously, and notice how the closed items do NOT increment at all. I have a hard time believing on that list there are not at least a few items that are simple fixes, or at least one fix is done in a given week, yet nothing is done (or the appearance of no progress is represented).
Paragraph 10 discusses 2.6 being released mid-year "... We’re already planning a pfSense CE 2.6 release in mid-2021. ..." My first reaction is don't hold your breath. Why? Look at the Roadmap again, 39 issues and 0 closed. Thus, according to the Roadmap NOTHING has been done on 2.6, but it will be ready by mid-year! Some may argue but they are still working on 2.5.2. And if they can't finish 2.5.2 in short order, how are they going to accomplish 2.6 by mid-year as Mr. Long indicated? At this point roll 2.5.2 into 2.6.0 and save face!
Oh, but wait... 2.6 is going to be a major release. Weird, the general methodology for software revision is Major.Minor.bugfix, or at least that's the way it was taught to me when I was learning about IT/software. That makes me wonder what pfSense 2.x was compared to 1.2.x? Enormous revision. My point being 2.6 is really in fact a minor revision and pfSense Plus (or is it pfSense+) should be slapped with 3.0 in order to make a clear demarcation.
To me it's weird how other software developers (example: Ubuntu) routinely release their software on a schedule but for pfSense this is a challenge. Ok, harsh, as it was pfSense's first attempt at meeting a deadline. Yet the "it's ready when it's ready" never sat well with me, yet pfSense deemed it a mantra, and thus I was excited to read Mr. Long's approach was to abandon that philosophy and adopt a more routine software update schedule. That is also why I believe everyone also was so excited with Mr. Long's expected release schedule. But, they are no Microsoft either, and yet Microsoft can release Windows 10 on a pretty regular schedule. And, that software HAS to get it right or there are HUGE consequences for Microsoft. Yet they do accomplish this feat.
The way it is going now, based on my observations thus far, no way will they make the 3-release cycle Mr. Long was hoping to achieve (... the product manager in me knows that a regular, predictable release schedule is even more important. Thus, we’ll do three major releases a year: January (delayed slightly this year due to everything starting up), May, and September. ...) May is gone... strike 1.
I'm not trying to start a flame war, nope, just expressing some raw feelings as to this subject.
-
@pfsense4me Hi! All good points you make my friend. Indeed the "ready-when-it's-ready" has always been the way Netgate was doing things... I stopped questioning that a long time ago when I chose pfSense because hey!... I don't need my firewall updated that frequently when there is nothing to patch and everything is running secure and stable! I like my firewall to be boring :).
I believe the best release ever is still 2.4.5 p1. At this point I'm hoping Netgate fixes the bugs in 2.5.x and somewhere down the line allows me to upgrade to pfSense Plus with my own hardware. The price you pay for their hardware is just plain stupid for what you get. If the fee to upgrade is reasonable I will upgrade to Plus in order to support Netgate but I know there is a drop-in alternative for me when that does not happen.
-
@vjizzle Hello:
I totally understand about your philosophy regarding stable, secure and boring, I get it, truly I do. But... when the overwhelming attitude is (actually, more like being chastised) why aren't you on the most recent? You have to be on the most recent because it protects against vulnerabilities not included in previous releases. You don't want your system(s) exposed to these vulnerabilities do you? Blah, blah, blah. YET, the pfSense developers are VERY QUICK to remove ALL traces of ANY previous version, for the reason mentioned. Not only that, they also remove ALL previous versions of any previous package manager applications for anything not on the most recent release.
It's such a double standard, yet pfSense developers want it both ways and take a VERY defensive attitude for any rebuttal about going back to a previous version. I looked but I can't find it, so maybe others in the know can chime in (with verifiable info, and/or links), as to this question: What version of FreeBSD is the current version of pfSense based on? If it is not 12.2 or 13.x, then how can pfSense be so fast to point out vulnerability issues when the base (IE: FreeBSD) is updated for the same partial reasoning. Further, if the developers claim compatibility issues with the latest, then how in the world is not the rest of the planet using FreeBSD as a core having the same issues (Example: TrueNAS), yet somehow they trudge on. I also feel the same way with the PHP for pfSense, if it's not on the latest. Again, why not? Last I knew, most newer versions of software (including Operating Systems) are backwards compatible. To my mind, this holds no logic.
As far as the pfSense plus (pfSense+) flavor I'm (very) concerned. pfSense has indicated nothing will change for the home, hobby, or lab user, including the ability to easily upgrade/convert to plus (...we plan to make the licensing of pfSense Plus completely free for home, hobby, and lab use. ..., ...and we will be including a seamless transition mechanism to go from CE to Plus. ..., https://www.netgate.com/blog/pfsense-plus-pfsense-ce-dev-insights-direction.html). But what defines a home, hobby, or lab user? pfSense has given no explanation as to how they define a home, hobby, or lab user to date. Is it the number of IP addresses? I currently have 74 static IP addresses over 4 VLans. I don't even dare count the dynamic addresses. If the home, hobby, or lab usage is based on IP addresses and/or VLans I'm toast!
As far as their hardware. No. Just no way in the world would I want an Atom processor or less (model XG-7100 1U or lower) when compared to an i5 or i7 at the same speed and core count and the same amount of RAM for a lot less dollars! Taking it a bit further just using a "generic" system with more CPU power, more RAM expandability, RAID capability if desired, and the ability to add 4 port (intel NIC), and I still come in with dollars in my pocket. Sure, I believe in supporting the pfSense project, but I also have to put food on the table. Granted, if the price differential was less than $50, I might consider. But the difference is considerably more. Example: I currently am using a Dell Optiplex 7010 with an i5-3570 (yep, 4 cores) @ 3.4GHz with 32Gig RAM and 500Gig SSD, Intel 4 port and 2 port NIC with onboard Intel NIC (so basically the same NIC count). Its load average is basically always at 0.25, 0.26, 0.21, and so far everything I have thrown at it and it does not even flinch, on a CPU that is 8 generations old! I paid less than $300 five years ago. For those that claim power consumption cost... valid to a point. Take the $300 minus current base cost of the XG-7100 (forget that my system has 4x as much RAM), factor in the cost to run each respective unit and that is how much money I can spend on energy. I'm OK with it.
It is also weird to me there is such a gap from an Atom based system to a Xeon based system (XG-7100 to XG-1537). Where is the i3, i5, i7, or i9 variant? And the model numbering scheme makes no sense to me. How is it that a 7100 has a less powerful CPU than a 1537? Did Intel get it wrong with its i3, i5, i7, i9 scheme? You know right away the bigger the number the more processing capability/performance. Now if the XG-1537 was labeled an XG-15037, that would make logical sense. It would also give a gap for the i-series of processors if pfSense decided to expand upon the CPU gap from an Atom CPU to a Xeon CPU.
Much like you I have kept my options open, and continue to do so. I've done it with the hardware but I may have to do it with the software much to my chagrin.
-
@vjizzle make valid points indeed. Yes I find the overall attitude from Netgate towards fixing bugs very disappointing. I hope they improve that. I can say that I see they are moving towards the right direction these past days. We now have at least a 2.5.2 version beta, so someone is listening at Netgate! I hope that someone gets more influence in leading the company, a solid roadmap and proper release cycle!
In the meantime I have set up a test VM for 2.5.2 beta and I can say the result is promising. I immediately discovered a bug and someone from Netgate immediately checked it and confirmed the bug AND made a redmine for it. This is the pace we are looking for Netgate and if you keep this up more and more people will gladly help.
-
@jegr Sorry just saw this notification...let me check on these for you.