2.5.2 or 2.6.0 ? I need to fix multiwan bug on production systems
I have several firewalls in single WAN mode and I use pfSense 2.5.1; other firewalls in production use an old pfSense 2.4.5p1 because they have multi WAN or WAN && MPLS.
The development of version 2.6.0 is just over 50%, I saw that a version 2.5.2 was proposed in the roadmap.
Does anyone have any idea which line will be followed? I would like to update the 2.4.5p1 versions to eliminate several security problems (old OpenSSL libraries, old OpenVPN, etc.).
NollipfSense
@luca-de-andreis It's difficult to provide an answer without a disclaimer. So, it would be up to you and your skill level to make the decision. The only suggestion I can give is for you to upgrade to v2.5.1 on the production machine and try that, unless your lab test has proven problematic with your multi-ISPs.
Do NOT upgrade to 2.5.1. I run 2.5.0 with no issues in VMs on multi-WAN setups.
I am glad I didn't upgrade...
On 2.5.0 (and 2.5.1) the security problem of OpenSSL versions older than 1.1.1k persists, and the same for OpenVPN older than 2.5.2.
pfSense 2.5.0 has a bug with HA on a non-standard TCP 443 port for replication.
I would not like to upgrade to a 2.6.0 snapshot version (which solves all the above problems). This is why I would be interested to know if a 2.5.2 release is planned in a short time since 2.6.0 has a development level of 50%.
@luca-de-andreis JimP said yesterday that pf+ 21.05 is a week or two away. I imagine that CE edition will be in a similar timeframe.
@kom I am afraid that you won't see the CE edition upgraded right away...
@cool_corona Oh? Why not?
@kom Because its the last to get the updates since its free and not a paid subscription.
@cool_corona I don't understand what you mean. They're built from the same codebase and all the updates are free for everyone who uses pfSense, no matter what your subscription status. pf+ 21.02 and CE 2.5.0 came out at the same time, as did 21.02.1 and CE 2.5.1. I have not read anything from Netgate saying that future CE releases would come after pf+.
dotdash
I'd guess he's reacting to the fact that Plus is fixed, and CE is still broken. If I read the bug tracker correctly, that's because the bug manifested in Plus first but not CE. After it was fixed in Plus, the bug was discovered in 2.5.1. Netgate should have made this clear, but they don't seem to want to address the fact that 2.5.1 is broken for a lot of users. IMHO, they should have at least posted a warning not to upgrade if you use port forwarding on multiple WANs. I would have been happier if they had just applied the fix to 2.5.1 and released it as 2.5.2.
I don't understand what you mean. They're built from the same codebase and all the updates are free for everyone who uses pfSense, no matter what your subscription status.
As for the pfSense open source product, the future does not look bright.
Historically, pfSense FE and pfSense Community Edition (CE) have been closely related ... In 2021, they will begin to diverge from one another ... Netgate will focus most of its efforts on pfSense Plus ... pfSense CE ... security vulnerability protection ... 2) hardware support updates, and 3) bug fixes ... upgrade path to pfSense Plus (? nagware)
anticipate there will be a 2.6 release in 2021 to provide 1) the necessary upgrade path to pfSense Plus for instance types beyond those already covered, 2) hardware support updates, and 3) bug fixes.
@dotdash Huh, I wasn't aware that the multi-wan issue was working in pf+ (I don't have that scenario.) I'm sure they're aware of the issue but yes they could be a little more forward about their plans. This glitch aside, I still don't see anything to make me believe that CE won't be updated along with pf+.
@Patch I'm aware of that blog entry. Nothing in it says anything about CE releases lagging behind pf+. The only thing that could be read in a negative light would be "The frequency of this support will be evaluated on an ongoing basis" but that's ambiguous at best. Then there's this:
"We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner.
There will be a no charge path for home and lab use and a chargeable version for commercial use."
AKEGEC
@kom We were hoping that Netgate had learned from past mistakes, like the WireGuard incident, without involving the author(s). Let's be honest, that was a fckng sh*t move.
Nothing in it says anything about CE releases lagging behind pf+
My reading of the blog and associated threads is: at some time, valuable pfSense functions will be described as new program features rather than bug fixes. When this happens, and what functionality is described in this manner, we can all guess at, but I think it is fairly certain it will happen.
The concern is looking at what Netgate have not committed to do, rather than what they have said they will do.
valuable pfSense functions will be described as new program features rather than bug fixes
The blog didn't say anything of the sort. They did say that pf+ would get some value-added specialized features (like those two wizards) that CE won't. That's it. Everything else you're just pulling out of the air. And if it really bothers you that much then move to pf+ when it becomes generally available.
@kom Select virtual machines....
It's the same shit that VMware pulls on updates to the hypervisor.
You can't run Server 2019 unless you upgrade, and to your surprise... an Enterprise Plus license, as we run, is VERY expensive in a large clustered setup.
So yeah.... this will definitely make OPNsense a viable option for a LOT of people going forward.
Or reviving that old M0n0wall brand once more.
Hi. It concerns a lot of people how Netgate is handling the multi-WAN bug. The bug existed in pfSense+ and was squashed within days there. Understandable, because that is their commercial line. The claim that Netgate treats pfSense CE the same as pfSense+ (the famous blog where they explain it) is already not true. They have been sitting on the multi-WAN fix for months now; it is solved for the pfSense+ line, leaving the CE branch behind. A read-between-the-lines kind of thing going on.
@cool_corona I did a small test with OPNsense, and multi-WAN with port forwarding for OpenVPN did not work there. From what I read on their forums it is kinda hit-and-miss depending on which build they use. Same goes for Untangle. It could be me of course, with my limited knowledge. But for now, in the land of the blind the one-eyed is king :(