To do 23.09 or not? That's the question.
-
I upgraded to 23.09 and started having problems with my VPN clients that were connected. I run three VPN clients as I pass traffic to various locations based on geography. That said, I recreated them all; each would work as I created them, but as I would create the next, the one before would stop working. It didn't appear to be a rule failure, as I modified a rule to pass the traffic to the newly created known gateway and it would function. Rather than dig a deeper hole I ended up reverting back to 23.05.1. I still have to decide if I'm continuing on with pfSense or not with the latest licensing issues, so I'll stick at 23.05.1 at the moment until I decide how I want to proceed.
-
@mdthibodeau said in To do 23.09 or not? That's the question.:
I upgraded to 23.09 and started having problems with my VPN clients that were connected.
Have you read through the release notes for 23.09? There are some specific sections on the new OpenSSL regarding changes to algorithms and ciphers that are no longer supported. You may need to change or rebuild your VPN clients to get them to work. I would imagine the OpenSSL 3.0x upgrade will be in the CE version as well due to security issues.
-
@Ramosel
@mdthibodeau said in To do 23.09 or not? That's the question.:
That said I recreated them all, each would work as I created them, but as I would create the next the one before would stop working. It didn't appear to be a rule failure as I modified a rule to pass the traffic to the newly created known gateway and it would function.
Yes, I recreated all three. And like I said, as I would build them they would work until the next was built as I have a total of three. I run Plus and not CE, not sure how that would apply.
-
@mdthibodeau said in To do 23.09 or not? That's the question.:
I run Plus and not CE, not sure how that would apply.
You had mentioned in your post that you were having thoughts about the licensing issues.
@mdthibodeau said in To do 23.09 or not? That's the question.:
I still have to decide if I'm continuing on with pfSense or not with the latest licensing issues.
I was just saying that if one of your choices (rather than paying license fees) was to drop back to CE, you'd still have to rebuild your VPN clients as I believe it is inevitable they will include OpenSSL 3.x in that version as well.
-
@Ramosel I understand now. My decision will only be pfSense+ or something non-pfSense. I love the product and trust the product, but I can't say that I trust the leadership decisions. That said, I have no issue paying for a Plus license - however Netgate has continued to be poor at giving all the information (as if they are making decisions on the fly - which in my opinion is pretty bad). They still haven't addressed white box users and the transferability of a TAC Lite license. I've been told they would allow for a "one time courtesy" transfer or if there is hardware failure. The problem is those are simply things I've read that are hearsay and not direct from Netgate. Once I can get some answers to the outstanding questions I have from Netgate then I can make a better informed decision on the direction I'm going to go, however CE will not be it.
To the original issue I had - as I stated - after upgrading I did rebuild my VPN clients. The issue wasn't that they didn't function after I rebuilt them. Again, I have three. I would rebuild #1 and #1 would work. I would then rebuild #2 and #2 would work, but #1 would fail. Continuing, I would rebuild #3 and #3 would work, but #1 and #2 would not work. I can test this as I have rules that direct certain traffic through each of these VPNs. When all three were built out any rules that would direct traffic through #1 and #2 would obviously fail. However, if I modified any of those rules to instead direct traffic out #3 they would work. So, the rules themselves are not failing. Also, after all three were rebuilt - all showed as connected and gateways up. So, I'm not really sure what the issue there is.
-
Kind of moot for a lot of folks I suspect. I was one of the fools who upgraded to pfSense+ a year ago. I would have been happy to support the project for $129/year. Then after the debacle last week, I downgraded to CE. Now I don't need to worry about more Netgate nonsense or TAC Lite pricing going up & down like an elevator.
-
@KOM That's fair. I just hope Netgate realizes that they broke a lot of trust with a lot of people and at some point will either have to openly come out and actually apologize or lose user base. Without trust, you may have a person that continues to use your product - but they are always looking at other options while never recommending your product vs being invested in and backing your product. That's just my two cents though.
-
@mdthibodeau Once upon a time I used to admire & support Apple, Microsoft, Bill Gates, Canonical, Elon Musk, RedHat, Reddit and many others. Then after seeing the shitty side for long enough, I got a bad taste in my mouth for them all. I'm pretty close to that point with Netgate. I don't relish throwing away 10+ years of knowledge and experience but it gets to the point where the philosophy, ethics and morals of a company just don't align with me anymore. I used to be a major contributor here years ago but pulled back after I started being displeased with Netgate. So many hours in these forums helping users on my own time for free. Now I just lurk. I used to recommend pfSense but I don't do that anymore either.
-
@KOM said in To do 23.09 or not? That's the question.:
I used to be a major contributor here years ago but pulled back after I started being displeased with Netgate. So many hours in these forums helping users on my own time for free. Now I just lurk. I used to recommend pfSense but I don't do that anymore either.
I've often wondered where you were... and yeah, you helped me a lot in my early days with pfSense, even when not a direct contact. Thanks! and hope you are well.
I agree, but I also know that running a small business these days is fraught with issues and crap one shouldn't even need to worry about. Jamie and Jim have had their share of great moves and a few dumb ones. I do think they had to do something about this 3rd party thing... but not sure their first reaction was the best. The ones I really feel sorry for are the ones who bought the 3rd party boxes with the + software thinking they had something else. Oh, well.. Caveat Emptor!
-
@michmoor said in To do 23.09 or not? That's the question.:
OS upgrade went through without an issue.
Got to say I'm really feeling the lease utilization screen.......
Took me a bit to find that (cuz I was lazy and didn't scroll down through all my devices on the first place I looked).
That will be quite handy, I just wish they had put it at the top... or at least given us the option to put it at the top. Nice "at a glance" readout.
-
@mcury said in To do 23.09 or not? That's the question.:
It seems that this version is using less RAM in comparison to 23.05.1?
I saw your post this last night but I wanted to wait before I responded.... I was hoping you were right, and it seems you are.
Up until 23.05.1 my system (sg-4860 with 8G RAM) had run with about 15-18% RAM use consistently. After 23.05.1 mem usage bumped up to 22-24% consistently. I looked and played with all sorts of settings, finally reverting back to my original config and just figured it's the new normal. It's been 22-24% for months now. Immediately after this update my system was reporting 55% but after a few pfBlockerNG updates it dropped into the low 30s. It's run a few more hours and it's down to 15% right now. They fixed something!!
-
@Ramosel I'm observing something around 10-15% less RAM usage in my system.
-
@chudak May be an issue with "URL (IPs)" aliases not working:
https://forum.netgate.com/topic/183882/unresolvable-source-alias-after-upgrade-to-23-09/16
-
If you need to use X25519 for OpenVPN, 23.09 does not support it by default.
-
@yon-0 said in To do 23.09 or not? That's the question.:
23.09 does not support it by default
That is more of an OpenVPN thing than any specific issue with 23.09, is it not?
-
You need to edit the openvpn.inc file to allow an X25519 cert: delete the pfSense code that limits it. This is an example after the deletion:
```php
foreach ($a_cert as $cert) {
    $properties = array();
    $propstr = "";
    $ca = lookup_ca($cert['caref']);
    $purpose = cert_get_purpose($cert['crt'], true);
    // snippet ends here as posted; the loop continues in openvpn.inc
```
-
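Editor's added example (not yon-0's code and not pfSense's openvpn.inc): a dependency-free Python script that reads the SubjectPublicKeyInfo algorithm OID out of each exported certificate (PEM or DER) and names it, so you can inventory which OpenVPN certificates carry RSA, NIST EC, Ed25519 or X25519 keys before deciding whether to patch openvpn.inc at all. The OID table comes from RFC 3279, RFC 5480 and RFC 8410; the certificates in SAMPLES are constructed skeletons with the right DER shape, not real or valid certificates; the export directory in the usage comment is an assumption. Note the distinction the script makes: an X25519 key (RFC 8410) is for key agreement and cannot sign, whereas an Ed25519 key can, so check which one your certificates actually contain.

```python
"""Inventory the public-key algorithm of X.509 certificates (PEM or DER), no third-party modules.
Added example for this thread, not pfSense code: walks the DER far enough to read
SubjectPublicKeyInfo.algorithm and names the OID, so exported OpenVPN certificates can be
sorted into RSA / NIST EC / Ed25519 / X25519 before anyone touches openvpn.inc."""
import base64
import re
import sys

# SubjectPublicKeyInfo algorithm OIDs (RFC 3279, RFC 5480, RFC 8410).
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC (id-ecPublicKey)",
    "1.3.101.110": "X25519 (key agreement only; cannot sign)",
    "1.3.101.111": "X448 (key agreement only; cannot sign)",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content octets -> dotted string."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def pem_to_der(text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def cert_key_algorithm(der):
    """Return (oid, name) for the certificate's subject public key algorithm."""
    tag, pos, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, _ = _read_tlv(der, pos)                # descend into tbsCertificate
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(der, pos)
    _, pos, _ = _read_tlv(der, pos)                # descend into subjectPublicKeyInfo
    _, pos, _ = _read_tlv(der, pos)                # descend into AlgorithmIdentifier
    tag, start, end = _read_tlv(der, pos)          # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(der[start:end])
    return oid, KEY_ALGORITHMS.get(oid, "unknown")

def scan(paths):
    """Map each file (PEM or DER) to its (oid, name)."""
    out = {}
    for path in paths:
        raw = open(path, "rb").read()
        out[path] = cert_key_algorithm(pem_to_der(raw.decode("latin-1")) if b"-----BEGIN" in raw else raw)
    return out

# --- constructed test data: X.509-shaped skeletons, NOT real or valid certificates ---
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_sample_cert(key_oid):
    """Minimal skeleton whose subjectPublicKeyInfo carries key_oid; signature fields are dummies."""
    sig_alg, empty = _der(0x30, _der(0x06, _encode_oid("1.3.101.112"))), _der(0x30, b"")
    spki = _der(0x30, _der(0x30, _der(0x06, _encode_oid(key_oid))) + _der(0x03, b"\x00" * 33))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + empty * 3 + spki
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 65))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

SAMPLES = {"rsa": make_sample_cert("1.2.840.113549.1.1.1"),
           "ed25519": make_sample_cert("1.3.101.112"),
           "x25519": make_sample_cert("1.3.101.110")}

if __name__ == "__main__":
    # Usage: python3 certkeys.py exported/*.crt   (the export directory is an assumption)
    for path, (oid, name) in scan(sys.argv[1:]).items():
        print("%s: %s (%s)" % (path, name, oid))
```

Run it over the certificates you export from the firewall's certificate manager; anything reported as X25519 is a key-agreement key and will not work as a signing identity regardless of what openvpn.inc allows, while Ed25519 entries are the ones worth testing against the new OpenSSL before deciding to edit the filter.
-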
Also I can't find out why the LAN interface cannot be routed out of the WAN interface.
-
Noticed two things.
If you upgraded from a previous version to 23.09 and run zpool scrub pfSense, it will say: "Some supported and requested features are not enabled on the pool."
The pool was OK with 23.05.1, but now I'm getting this message.
So, I decided to perform a clean install just to confirm, and now this message is gone.
Second thing I noticed is that the storage IO is lower with this version. I'm not sure if it's because I switched from ISC to KEA, but I'm getting around a 40% reduction in the writes.
```
[23.09-RELEASE][root@pfsense.home.arpa]/root: iostat -x
                       extended device statistics
device     r/s   w/s   kr/s   kw/s  ms/r  ms/w  ms/o  ms/t  qlen  %b
nda0         0     5    0.7   34.5     0     0     0     0     0   0
pass0        0     0    0.0    0.0     0     0     0     0     0   0
```
As you can see above, 34.5, while before upgrading it was around 52.
-
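Editor's added example, not pfSense code and not from mcury's post: a small sh script that parses `zpool get -H -o name,property,value all <pool>` output and lists the pool feature flags that are still disabled, which is what the "Some supported and requested features are not enabled on the pool" text refers to once the OS upgrade brings a newer ZFS whose feature set the existing pool was never switched on for. The sample output embedded in it is constructed; the pool name pfSense is the one used in the post.

```shell
#!/bin/sh
# Added example, not pfSense code: list pool feature flags still "disabled" after an
# OS upgrade. Input format is that of:
#   zpool get -H -o name,property,value all <pool>      (tab-separated, no header)

# Constructed sample of that output (not captured from a real pfSense install).
SAMPLE_ZPOOL_GET=$(printf 'pfSense\tsize\t110G\npfSense\tfeature@async_destroy\tenabled\npfSense\tfeature@bookmarks\tactive\npfSense\tfeature@zstd_compress\tdisabled\npfSense\tfeature@draid\tdisabled\npfSense\tfeature@head_errlog\tdisabled')

# Feature names (feature@ prefix stripped) whose value is "disabled", one per line.
disabled_features() {
    printf '%s\n' "$1" | awk -F '\t' '$2 ~ /^feature@/ && $3 == "disabled" { sub(/^feature@/, "", $2); print $2 }'
}

# Number of disabled features; 0 means the pool already has the running ZFS feature set.
disabled_count() {
    disabled_features "$1" | awk 'END { print NR }'
}

# Live use on the firewall:
#   disabled_features "$(zpool get -H -o name,property,value all pfSense)"
# Enabling them is `zpool upgrade pfSense`, and that is one-way: feature flags are a
# property of the pool, not of a boot environment, so rolling back to the previous BE
# does not undo them. On a boot pool, do not enable features the installed boot loader
# cannot read; zpool upgrade prints a warning to update the boot code for that reason.
# A clean install creates the pool at the new version with its features already enabled,
# which is why the message disappears after one.
```

The test data has three disabled features, so the count is 3 and the first name printed is zstd_compress; a pool whose features are all enabled or active yields 0 and the scrub/status message goes away without any upgrade.
-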
@all
#metoo, why wait if I can click on Upgrade right now?
Don't.
Before hitting Upgrade, take 2 minutes to prepare:
1. A backup of the config file.
2. I have the ZFS file system, so I created a "23.09" Boot Environment and booted into it.
3. Step 2 eliminates step 3: before every major system upgrade, reboot your pfSense first, and while doing so, look at the console output. Even if it's all "Chinese" for you.
When done, and as promised, you're 2 minutes later: hit the Upgrade button.
For people that like to have some assurance: check if you have the ISO ready on a USB drive, so you can go back whatever happened.
Furthermore: consider yourself not ready to upgrade if you've found anything that you didn't understand while reading - all - these: If you like to know more - go here.
Edit : for me it's 23.09 since last Monday.
Even my VPN remote access works fine. I've checked all the log files since, and found just this one:
I'm using a Netgate 4100 :