To do 23.09 or not? That's the question.
-
@Ramosel
@mdthibodeau said in To do 23.09 or not? That's the question.:
That said I recreated them all, each would work as I created them, but as I would create the next the one before would stop working. It didn't appear to be a rule failure as I modified a rule to pass the traffic to the newly created known gateway and it would function.
Yes, I recreated all three. And like I said, as I would build them they would work until the next was built as I have a total of three. I run Plus and not CE, not sure how that would apply.
-
@mdthibodeau said in To do 23.09 or not? That's the question.:
I run Plus and not CE, not sure how that would apply.
You had mentioned in your post that you were having thoughts about the licensing issues.
@mdthibodeau said in To do 23.09 or not? That's the question.:
I still have to decide if I'm continuing on with pfSense or not with the latest licensing issues.
I was just saying that if one of your choices (rather than paying license fees) was to drop back to CE, you'd still have to rebuild your VPN clients as I believe it is inevitable they will include OpenSSL 3.x in that version as well.
-
@Ramosel I understand now. My decision will only be pfSense+ or something non-pfSense. I love the product and trust the product, but I can't say that I trust the leadership decisions. That said, I have no issue paying for a Plus license - however Netgate has continued to be poor at giving all the information (as if they are making decisions on the fly - which in my opinion is pretty bad). They still haven't addressed white box users and the transferability of a TAC Lite license. I've been told they would allow for a "one time courtesy" transfer or if there is hardware failure. The problem is those are simply things I've read that are hearsay and not direct from Netgate. Once I can get some answers to the outstanding questions I have from Netgate then I can make a better informed decision on the direction I'm going to go, however CE will not be it.
To the original issue I had - as I stated - after upgrading I did rebuild my VPN clients. The issue wasn't that they didn't function after I rebuilt them. Again, I have three. I would rebuild #1 and #1 would work. I would then rebuild #2 and #2 would work, but #1 would fail. Continuing, I would rebuild #3 and #3 would work, but #1 and #2 would not work. I can test this as I have rules that direct certain traffic through each of these VPNs. When all three were built out any rules that would direct traffic through #1 and #2 would obviously fail. However, if I modified any of those rules to instead direct traffic out #3 they would work. So, the rules themselves are not failing. Also, after all three were rebuilt - all showed as connected and gateways up. So, I'm not really sure what the issue there is.
-
Kind of moot for a lot of folks I suspect. I was one of the fools who upgraded to pfSense+ a year ago. I would have been happy to support the project for $129/year. Then after the debacle last week, I downgraded to CE. Now I don't need to worry about more Netgate nonsense or TAC Lite pricing going up & down like an elevator.
-
@KOM That's fair. I just hope Netgate realizes that they broke a lot of trust with a lot of people and at some point will either have to openly come out and actually apologize or lose user base. Without trust, you may have a person that continues to use your product - but they are always looking at other options while never recommending your product vs being invested in and backing your product. That's just my two cents though.
-
@mdthibodeau Once upon a time I used to admire & support Apple, Microsoft, Bill Gates, Canonical, Elon Musk, RedHat, Reddit and many others. Then after seeing the shitty side for long enough, I got a bad taste in my mouth for them all. I'm pretty close to that point with Netgate. I don't relish throwing away 10+ years of knowledge and experience but it gets to the point where the philosophy, ethics and morals of a company just don't align with me anymore. I used to be a major contributor here years ago but pulled back after I started being displeased with Netgate. So many hours in these forums helping users on my own time for free. Now I just lurk. I used to recommend pfSense but I don't do that anymore either.
-
@KOM said in To do 23.09 or not? That's the question.:
I used to be a major contributor here years ago but pulled back after I started being displeased with Netgate. So many hours in these forums helping users on my own time for free. Now I just lurk. I used to recommend pfSense but I don't do that anymore either.
I've often wondered where you were... and yeah, you helped me a lot in my early days with pfSense, even when not a direct contact. Thanks! and hope you are well.
I agree but I also know in these times running a small business these days is fraught with issues and crap one shouldn't even need to worry about. Jamie and Jim have had their share of great moves and a few dumb ones. I do think they had to do something about this 3rd party thing... but not sure their first reaction was the best. The ones I really feel sorry for are the ones who bought the 3rd party boxes with the + software thinking they had something else. Oh, well.. Caveat Emptor!
-
@michmoor said in To do 23.09 or not? That's the question.:
OS upgrade went through without an issue.
Got to say I'm really feeling the lease utilization screen.......
Took me a bit to find that (cuz I was lazy and didn't scroll down through all my devices on the first place I looked).
That will be quite handy, I just wish they had put it at the top... or at least given us the option to put it at the top. Nice "at a glance" readout.
-
@mcury said in To do 23.09 or not? That's the question.:
It seems that this version is using less RAM in comparison to 23.05.1 ?
I saw your post this last night but I wanted to wait before I responded.... I was hoping you were right, and it seems you are.
Up until 23.05.1 my system (sg-4860 with 8G RAM) had run with about 15-18% RAM use consistently. After 23.05.1 mem usage bumped up to 22-24% consistently. I looked and played with all sorts of settings, finally reverting back to my original config and just figured it's the new normal. It's been 22-24% for months now. Immediately after this update my system was reporting 55% but after a few pfBlockerNG updates it dropped into the low 30s. It's run a few more hours and it's down to 15% right now. They fixed something!!
-
@Ramosel I'm observing something around 10-15% less RAM usage in my system.
-
@chudak May be an issue with "URL (IPs)" aliases not working:
https://forum.netgate.com/topic/183882/unresolvable-source-alias-after-upgrade-to-23-09/16
-
If you need to use X25519 for OpenVPN, then 23.09 does not support it by default.
-
@yon-0 said in To do 23.09 or not? That's the question.:
then 23.09 does not support it by default
That is more of an OpenVPN thing than any specific issue with 23.09, is it not?
-
You need to edit the openvpn.inc file to allow an X25519 cert: delete the pfSense code that limits it. This is an example after deletion:
foreach ($a_cert as $cert) {
    $properties = array();
    $propstr = "";
    $ca = lookup_ca($cert['caref']);
    $purpose = cert_get_purpose($cert['crt'], true);
-
Also I can't find out why the LAN interface cannot be routed out of the WAN interface.
-
Noticed two things.
If you upgraded from a previous version to 23.09 and run zpool scrub pfSense, it will say that: Some supported and requested features are not enabled on the pool.
The pool was OK with 23.05.1, but now getting this message.
So, I decided to perform a clean install just to confirm and now this message is gone.
Second thing I noticed is that the storage IO is lower with this version, I'm not sure if it's because I switched from ISC to KEA, but I'm getting around 40% reduction in the writes.
[23.09-RELEASE][root@pfsense.home.arpa]/root: iostat -x
                        extended device statistics
device       r/s     w/s     kr/s     kw/s  ms/r  ms/w  ms/o  ms/t qlen  %b
nda0           0       5      0.7     34.5     0     0     0     0    0   0
pass0          0       0      0.0      0.0     0     0     0     0    0   0
As you can see above, 34.5 while before upgrading, it was around 52.
-
@all
#metoo, why wait if I can click on Upgrade right now?
Don't.
Before hitting Upgrade, take 2 minutes to prepare:
A backup of the config file,
I've the ZFS file system, so I created a "23.09" Boot Environment - and booted into it.
Step 2 eliminates step 3: before every major system upgrade, reboot your pfSense first, and while doing so, look at the console output. Even if it's all "Chinese" for you.
When done - and as promised, you're 2 minutes later: hit the Upgrade button.
For people that like to have some assurance: check if you have an ISO ready on a USB drive, so you can go back whatever happened.
Furthermore: consider yourself not ready to upgrade if you've found anything that you didn't understand while reading - all - these:
If you like to know more - go here.
Edit: for me it's 23.09 since last Monday.
Even my VPN remote access works fine.
I've checked all the log files since, and found just this one:
I'm using a Netgate 4100:
-
@mcury said in To do 23.09 or not? That's the question.:
If you run zpool scrub pfSense, it will say that: Some supported and requested features are not enabled on the pool.
Is this the pool upgrade note as mentioned in the release notes, under "danger"? :)
-
I think I am going to hold off for about a month on my SG-5100 cause if it ain't broke don't fix it.