2.2-ALPHA Snapshots Available
-
For those who want to live on the bleeding edge, 2.2-ALPHA snapshots are up for testing at http://snapshots.pfsense.org/
Update URLs for use in firmware update settings:
http://snapshots.pfsense.org/FreeBSD_stable/10/amd64/pfSense_HEAD/.updaters/
http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/Be aware there are some rough edges but many things should function. That said, you should not expect to use these in production yet. Lab environment or tinkering only at this stage.
In particular, CARP, IPsec, and Wireless are good testing targets.
-
thanks devs!
keep up the good work!
-
thanks a lot guys
-
Is there any information out there detailing the changes/features expected in 2.2?
I know the base is being upgraded from FreeBSD 8.3 to 10 but other than that, what all is different in 2.2 from 2.1? -
php-fpm instead of php in general.
More optimal usage of fcgi in general to avoid careless forking around.
strongswan instead of ipsec-tools.
Apart that not many other changes apart improvements in general and getting to FreeBSD 10.
-
i going for use pfsense dialy , but iĀ want update pfsense alls day ā¦
but i get this error in update manager ...sorry bad english
thanks
-
Outbound NAT - in 2.2 you can keep Automatic Outbound NAT and then add some extra manual rules, thus having a "hybrid" outbound NAT. That will help when adding new LAN-style interfaces, changing LAN-style subnet numbersā¦ The automatic outbound NAT rules can regenerate themselves without the user having to think, and still have the option to have a couple of extra special rules.
This is a bit of code I am planning to test out and use. -
i going for use pfsense dialy , but iĀ want update pfsense alls day ā¦
but i get this error in update manager ...Copy the path from the first message on this thread exactly. You have the wrong URL.
-
I've also made a few changes/additions to OpenVPN, the server options and client-specific overrides.
Eventually we'll have a page with a list of changes like for other versions
-
-
@ermal:
php-fpm instead of php in general.
More optimal usage of fcgi in general to avoid careless forking around.
strongswan instead of ipsec-tools.
Apart that not many other changes apart improvements in general and getting to FreeBSD 10.
And for the first time in a very long time, pfSense will be somewhat in-sync with the mainline FreeBSD tree.
FreeBSD 10 also has a much-improved 'pf'.
The "not many other changes" was intentional.Ā By limiting the scope we stayed out of the mess that bogged down the 2.1 release.
The method used: Set an achievable goal; Meet it.Ā Repeat.
-
Any planned improvements regarding better AES-NI support and performance?
-
any idea if there will be ECMP support?
it could enable loadbalancing when dealing with dynamic routing protocols like ospf, bgp, rip.
might it even help to solve the issue's with loadbalancing certain services like squid? What are the devs thoughts about this?thanks
-
Any planned improvements regarding better AES-NI support and performance?
It's in development but is not likely to make 2.2. More news on that will come later.
-
any idea if there will be ECMP support?
it could enable loadbalancing when dealing with dynamic routing protocols like ospf, bgp, rip.
might it even help to solve the issue's with loadbalancing certain services like squid? What are the devs thoughts about this?It's on our radar but not terribly important for 2.2 (see above, re: narrow scope) but if we stick to the plan then 2.3 won't be far off and it may make it there.
-
THANK YOU for this.
IGB drivers seem to perform flawlessly with minimal tuning and various routing quirks have vanished.
-
Any planned improvements regarding better AES-NI support and performance?
It's in development but is not likely to make 2.2. More news on that will come later.
The issue isn't "AES-NI" support.Ā The issue is that AES-GCM isn't implemented in FreeBSD.
We're fixing that, but as jimp said, it's unlikely to make 2.2.
-
Any planned improvements regarding better AES-NI support and performance?
"Support for AES-NI instruction and intrinsics has been added to gcc. The aesni module has been improved to use pipelining when possible. This results in a significant speed up for AES-XTS and AES-CBC decrypt. " according to: https://wiki.freebsd.org/WhatsNew/FreeBSD10#Kernel.2C_hardware_support_.26_other_low_level_improvements
-
@ermal:
strongswan instead of ipsec-tools.
Does that mean we'll get IKE v2? I'm getting a bit tired of connecting to ASAs and having their admins make comments about having to "downgrade" their equipment.
@gonzopancho:
The "not many other changes" was intentional.Ā By limiting the scope we stayed out of the mess that bogged down the 2.1 release.
The method used: Set an achievable goal; Meet it.Ā Repeat.
Rapid, iterative development.Ā That's the way to go.Ā Glad to hear this.
-
"Support for AES-NI instruction and intrinsics has been added to gcc. The aesni module has been improved to use pipelining when possible. This results in a significant speed up for AES-XTS and AES-CBC decrypt. " according to: https://wiki.freebsd.org/WhatsNew/FreeBSD10#Kernel.2C_hardware_support_.26_other_low_level_improvements
I assume that 2.2 is built with LLVM and not gcc. LLVM has had AESNI for a few years now.
-
I saw one of the first posts mentions that you wanted CARP tested.
I can install this on my home setup secondary router and enable CARP again, should you be able to sync between 2.2 and 2.1-RELEASE (i386)?
-
@ermal:
php-fpm instead of php in general.
This is a fairly big improvement for memory usage.
On a 256mb system (ie ALix2d3), it should be safe enough to turn opcode caching back on which provides a nice performance win.
-
GitsyncĀ Ā Ā master?Ā Or other??
:)
-
GitsyncĀ Ā Ā master?Ā Or other??
:)
Master, until it gets branched. Gitsync is only marginally useful these days though.
-
Thanks!Ā Ā 8)
Just trying to break things until someone goes over and kicks the snapshot server.Ā ;D
-
unable to install package SQUID 2.7 and squidguard
ERROR: No digital signature! If you are SURE you trust this PBI, re-install with āno-checksig option.
-
Hi
Are 64bit snapshots stopped?
Thanks
-
We have been focused on getting 2.1.2 out to fix Heartbleed. 2.2 snaps will be back around soon.
-
@ermal:
strongswan instead of ipsec-tools.
Will settings be automatically migrated for ipsec tunnels, or does the move mean setting up the tunnels from scratch?
Having a very peculiar problem with my connection that started showing up since i started using the 2.1.1 betas, and that has been sticking around since then, so testing a different ipsec stack sound temptingā¦
-
Greetings All,
My first question can be ignored. I realize this is not possible as packets can only hold the next hop. I was working with someone and we basically assumed that it could work because some other devices let you create these route statement, but it turns out the only reason it was allowed was for documentation purposes and it shows that as usual pfSense is doing it correctly.
[IGNORE]
- Will pfSense ever allow for route creation with a remote gateway. e.g. If my default gateway is 1.1.1.1 and through it I can reach 2.2.2.2 and I want to create a route to 3.3.3.0/24, I can set most other business class routers and firewalls like Cisco ASAs so that 3.3.3.0/24 can be reached via 2.2.2.2 without having an IP in the same subnet as 2.2.2.2.
Is this a FreeBSD limitation? Is the fix a simple kernel flag or can the kernel be compiled to allow for this?
Additionally, I get that this can be an issue for multi-wan, but I would guess there is a way to deal with that as BSD is the basis for many high-end routers out there that support multi-wan.
Would the solution would be to have a rule that pushes traffic to 3.3.3.0/24 through the correct interface, using the default routing table. This is no big deal with the current setup as with multi-wan currently you have to create rules for all traffic that needs to use the default routing table.
The real technical challenge is when 2.2.2.2 can be reached via multiple WAN interfaces something has to be created to push this traffic through the active WAN with the highest priority.
[/IGNORE]- A More simple multi-WAN setup. Currently you have to create rules to use multi-WAN setups which means that you have to create separate rules for internal traffic. The idea is that the admin could specify multiple WANs as default with the LB and Failover metrics and all traffic to default would be sent down the appropriate WAN without special rules. Maybe other systems allow for this by creating their own IP stack with a routing table system that allows for this, so maybe it's not possible with stock BSD.
I believe that FreeBSD supports multiple routing tables. Could route-to be used with fibs or is there something that could replace route-to for use with fibs?
e.g. If a user has two wans pfSense could create two fibs. Each fib has all the same routes, I understand this would require code, except the default route for fib0 is the first WAN and the default route for fib1 is the second WAN. Then something like a gateway group could be created for the fibs. This would eliminate the need to create separate rules for local traffic which is required when using gateway groups.
Thanks,
Rhongomiant
-
"Support for AES-NI instruction and intrinsics has been added to gcc. The aesni module has been improved to use pipelining when possible. This results in a significant speed up for AES-XTS and AES-CBC decrypt. " according to: https://wiki.freebsd.org/WhatsNew/FreeBSD10#Kernel.2C_hardware_support_.26_other_low_level_improvements
I assume that 2.2 is built with LLVM and not gcc. LLVM has had AESNI for a few years now.
Support in LLVM / gcc only helps get the code compiled.Ā Neither compiler will "recognize" the various modes of AES being compiled and magically emit the correct instruction sequence.
AES-XTS / AES-CBC are useful for storage.Ā For IPSEC, typically AES-CTR mode is used (with SHA256 as a MAC).
Since IPSEC wants both crypto and MAC, you don't get a lot of speedup running AES-CTR mode.Ā Thus the coming implementation of AES-GCM, which allows one to do the crypt and MAC parts in one flow, rather than two passes.
Early results say that we should be able to come close to filling a 10Gbps pipe.Ā Certainly IPSEC at 1Gbps becomes possible, assuming hardware able to support same is used.
-
@gonzopancho:
"Support for AES-NI instruction and intrinsics has been added to gcc. The aesni module has been improved to use pipelining when possible. This results in a significant speed up for AES-XTS and AES-CBC decrypt. " according to: https://wiki.freebsd.org/WhatsNew/FreeBSD10#Kernel.2C_hardware_support_.26_other_low_level_improvements
I assume that 2.2 is built with LLVM and not gcc. LLVM has had AESNI for a few years now.
Support in LLVM / gcc only helps get the code compiled.Ā Neither compiler will "recognize" the various modes of AES being compiled and magically emit the correct instruction sequence.
AES-XTS / AES-CBC are useful for storage.Ā For IPSEC, typically AES-CTR mode is used (with SHA256 as a MAC).
Since IPSEC wants both crypto and MAC, you don't get a lot of speedup running AES-CTR mode.Ā Thus the coming implementation of AES-GCM, which allows one to do the crypt and MAC parts in one flow, rather than two passes.
Early results say that we should be able to come close to filling a 10Gbps pipe.Ā Certainly IPSEC at 1Gbps becomes possible, assuming hardware able to support same is used.
What about OpenVPN ? Will it see the same performance improvements as IPSEC?
-
Hello Everybody,
first of all thanks for the good job done by developers!
I wonder if in 2.2-ALPHA Snapshots is it working the IPv6 support in captive portal (which I read and verified was not available in 2.1.x)?
Thanks again
Dario
-
Do you intend to add support for mini-jumbo frames ie 2508 byte packets for better PPPoE support on UK FFTC circuits?
-
Is there any doc with a short list of changes/improvements in each snap? Just a couple of lines would let everyone know what to test and when not to expect changes in the issues at hand.
-
Is there any doc with a short list of changes/improvements in each snap? Just a couple of lines would let everyone know what to test and when not to expect changes in the issues at hand.
There is not a specific changelog that is written since the snapshots are automated. You can get an idea by checking the commit logs on github or by watching https://redmine.pfsense.org/projects/pfsense/activity
-
2.2-ALPHA (i386) built on Thu May 22 22:15:16 CDT 2014 FreeBSD 10.0-STABLEI did manage to install this snapshot on a Parallels for Mac virtual machine and initial impression is that it works. However, the first install went bad because I resetted the virtual machine during the interface set up to add a second interface to the virtual machine. This caused the system think that the interface set up was already done but no config.xml configuration was saved and the system was unusable after that.
Note that I'm using vtnet interfaces for both WAN and LAN so they seem to be working fine when used with Parallels for Mac.
-
On the same snapshot I do have working IPv6 connectivity with SLAAC on WAN but the WAN_DHCP6 gateway keeps showing "Pending" and does not show any stats for the gateway.
-
Please start individual threads for issues, this is just an announcement thread not meant for troubleshooting.
