A couple noob questions



  • a) There are a couple of things that make pfSense only workable for my setup starting with the 2.0 version. Does it make sense to buy a copy of the pfSense book, or should I wait until there's an updated version out for 2.0, given that I'll never use 1.x? Or in other words: how far reaching are the differences?

    b) When installing packages, the list of packages shows for which platform a package is meant. So if it e.g. says platform 1.2.3 does that mean for 1.2.3 ONLY or 1.2.3 OR HIGHER, INCLUDING 2.0 ? Or does it mean: TESTED on 1.2.3, anything else is trial and error, you may get lucky or it may as well mess up your setup? In other words, how safe is it to install packages that are not listed as being for the 2.0 platform?

    c) How stable is the update mechanism? While I understand that you currently don't recommend using pfSense 2.0 for production use, obviously a bunch of people are doing just that, because otherwise you'd not be getting any real-world testing done. I can deal with all sorts of hiccups, but one of the machines I'd install pfSense on would be at a colocation hosting company somewhere a thousand miles away. So as long as updating through the web interface (either manually or through the autoupdater) is considered production quality stable, I'm good. But if updating is still hit or miss or might undergo major, incompatible changes, etc. then I'll clearly have to hold off on using pfSense at that particular location, since I can't just hop into an airplane to go there and fix things…



  • @rcfa:

    a) There are a couple of things that make pfSense only workable for my setup starting with the 2.0 version. Does it make sense to buy a copy of the pfSense book, or should I wait until there's an updated version out for 2.0, given that I'll never use 1.x? Or in other words: how far reaching are the differences?

    At first appearance pf2.0 looks very much the same, but you soon find some pretty huge differences. If you're not doing anything amazingly clever with pfSense, i.e. just having a basic 2 NIC LAN <-> WAN firewall router, the differences are minimal. Once you begin to use things like the load balancer, QoS (Traffic shaping), or VPN options of pfSense 2.0, they have practically been totally re-engineered from scratch so they're very different.

    @rcfa:

    b) When installing packages, the list of packages shows for which platform a package is meant. So if it e.g. says platform 1.2.3 does that mean for 1.2.3 ONLY or 1.2.3 OR HIGHER, INCLUDING 2.0 ? Or does it mean: TESTED on 1.2.3, anything else is trial and error, you may get lucky or it may as well mess up your setup? In other words, how safe is it to install packages that are not listed as being for the 2.0 platform?

    The packages shown in the list are specific to the platform. Currently since pf 2.0 is still in beta, it allows practically all packages to be downloaded regardless of compatibility issues so people can do what they do with betas: test them. Once pf2.0 goes to RC and finally RELEASE, then you can expect the packages to be tailored to what only works with pf2.0. See the sticky for the status of packages.

    @rcfa:

    c) How stable is the update mechanism? While I understand that you currently don't recommend using pfSense 2.0 for production use, obviously a bunch of people are doing just that, because otherwise you'd not be getting any real-world testing done. I can deal with all sorts of hiccups, but one of the machines I'd install pfSense on would be at a colocation hosting company somewhere a thousand miles away. So as long as updating through the web interface (either manually or through the autoupdater) is considered production quality stable, I'm good. But if updating is still hit or miss or might undergo major, incompatible changes, etc. then I'll clearly have to hold off on using pfSense at that particular location, since I can't just hop into an airplane to go there and fix things…

    The updated snapshots for pf2.0 aren't digitally signed as doing that is a pain. This means updating from the web interface doesn't work. If however you SSH into the pf2.0 box and select option 13 to update from the console, you'll get some pretty scary messages saying the image isn't signed, but you have the option to override this and download and update the 'firmware' of pfSense on both nano and full versions.

    As you can see from the stickies though pf 2.0 is not for production use, so using it in a colo machine would be unwise. It is beta software still, and there are naturally a few issues with it still. I too am keen to flash my production installations but there are 2 issues stopping me from doing this right now. YMMV with your specific setup - so my advice is test by setting it up in a VM and double-NAT-ing at all your locations before fully committing to it. That said however, the pf team have come on leaps and bounds in the last 3 months and while I certainly don't speak for the dev team, my personal opinion is we won't be waiting very long for 2.0 RC1…

