Tommy here from Lawrence Systems, and pfSense 2.6 has been released. I know what you're saying: any time there's a big point release, shouldn't we be a little bit worried? I'm always cautious, I always back up, but hey, you know, you've got to test these things, you've got to figure out if there are any bugs and get them fixed, get them addressed. So right away, the moment it was released, I started updating systems. I had played with the beta previously, and I had followed (and I'll leave links to them) Christian McDonald's videos. He's one of the developers at Netgate who has a YouTube channel and also puts out some of the errata on what's going on there. And I'm going to say they did a great job on this version. We had some bugs with the way dual WAN operated, which was the big one with 2.5; they don't seem to have any of those problems. Matter of fact, I've updated some of the more advanced configuration systems, as in OpenVPN with FreeRADIUS authentication, along with WireGuard site-to-site combined with multi-routes and multiple interfaces, and also having, you know, peer-to-peer set up in there. So a good mix of challenges, and all these systems worked perfectly fine. Yes, some were CE and some were Plus, and that's actually a new announcement that we'll be talking about: you can now convert your Community Edition into Plus, and you can register as a lab or as a home user and get it for free. They do have support and enterprise support level options as well. You don't have to do this, this is an option, but they're giving you an option if you aren't using Netgate hardware, which already includes support; the TAC Lite support comes with the Netgate hardware. If you built your own pfSense but you'd also like to buy support, whether you virtualized it or, you know, have it as a hardware install, you can now do that, and we'll talk about that later in this video. Before we dive into all these details, if you want to learn more about me and my company, head over to the website; if you'd like to hire us for a project, there's a Hire Us button right at the top, which includes network consulting. If you want to support this channel in other ways, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

Now let's start here at the Reddit post, where they say: "We are excited to announce the release of pfSense Plus software 22.01 and Community Edition version 2.6." So the CE edition is going to continue on the naming scheme of 2.5, 2.6, etc., and then the Plus version is going to use the year.month for the releases. I kind of wish they would have kept them the same, for, I don't know, my own sanity's sake, but I imagine it makes sense to do it this way, because as soon as you say we're talking about 2.x, you know we're talking about Community Edition, or when you talk about 22.xx, you know we're referring to the year.month of the release of the Plus edition. So I'm sure there's maybe some debate, but for now that's the way the naming scheme is. Now they have all the release notes in Redmine, and a lot of people here are commenting on things, and I have been on Reddit a long time. Yes, that's me posting right here; sometimes people weren't sure if I had a Reddit account. I do, I've been on there since the narwhal bacons at midnight. But right here is the update information I shared on Reddit: I've updated systems that are running Suricata, HAProxy, FreeRADIUS, WireGuard, pfBlocker, Zabbix and ntop. Now the one problem I ran into was this right here: Zabbix Agent 5.2, which was the latest on 2.5.2, and now they've moved to Zabbix Agent 5.4. This, I think, is what the cause was; I'm assuming, because I removed it and it worked. It would give me a failure to upgrade but not really any reason, but as soon as I looked at the packages I realized that, oh yeah, I'm just running a Zabbix version that is not supported now, because it would put a red exclamation point on there, basically to let me know that package isn't in the package repository anymore. Simply deleting the package was able to resolve it. I did the upgrade, and then you load 5.4, and by the way, unless you tell the packages not to, the default is actually to save all the settings for a particular package. This meant when I loaded the new version of Zabbix, everything loaded right back in, all my settings connected to my Zabbix server and started doing all the updates again. Barely an inconvenience at all, no issues there.

Now one thing I noted was this. This is really a me use case, maybe some of you have a use case for this: I've also tested a system using OpenVPN and policy routing, but I'm also not able to disable a VPN when it's assigned to an interface. There was actually a bug in pfSense in being able to do that; you shouldn't have been able to, because now you're breaking the interface that you assigned by not having a VPN attached to it anymore by disabling it, so you create a bad situation inside of pfSense. But for my lab, I did this so I could create a few different VPNs and only connect them on an as-needed basis, uh, for lab things, and not have to do it. I'm just being lazy and should have different XML files to restore my layout to different configurations, but I could just do it with the checkbox and deal with the errors that were in there. So this has actually been stopped. But FYI, if you're wondering, because this is all based on input validation, you can actually modify the XML file and break pfSense in the way that they tried to stop you from breaking it. It was interesting that you could still go back and do it by editing the XML file manually, which, yes, I will be doing a future video on: all the fun things you can do by importing and exporting XML files to move them between systems and not just doing selective restore. But let's not get too far off topic.

Let's talk about the big thing people want to know about, and that is being able to migrate from the Community Edition right to version 22.01 of pfSense Plus. They are offering now a no-cost, non-commercial home lab license for those of you interested in pfSense Plus edition. Now there are only a few different features; I'll leave the link to that, to the couple of extra features you get with pfSense Plus, which also now includes a ZFS widget, which is kind of neat. We'll cover that in some of the new updates that came in here, but I wanted to cover this because you can still continue using CE. They're not abandoning CE, they're just giving you the option to do pfSense Plus if you're interested, because it allows for a couple of different support options. Now if you have Netgate hardware, no change; the support options are the same, it's still free when you buy Netgate hardware, which is the TAC Lite. But you have the option for home or lab registration right here, for non-commercial use in home or lab, and they've got little details here down below. I'll let you go over and read the fine print, so I won't spend too much time on this, but: no charge for evaluation license or white box or virtualization image, no charge for upgrade from pfSense CE software, forum community support, and the XML files are the same, so you can switch back and forth. You can try it and say it's not for me, but the XML file is the same either way. Just for those of you that are curious, right now they're offering TAC Lite support for zero dollars per year, and of course then they have it right here; looks like it's going to be $129 a year in the future, not right now. So if you're interested in trying this, this gives you their TAC Lite support. If you need the TAC Pro or TAC Enterprise support, they have these listed, very big, bold, clear pricing on here. I'm also going to leave that link I mentioned to Christian McDonald's video, where he even shows how the process looks in doing the in-place upgrade. I want to encourage people to watch the video, because Christian, being a developer, is really, really knowledgeable about pfSense, even more so than me, and I encourage people to watch some of the videos to cover some of the details, including (I'll leave a link to his video) where he talks about the ZFS widget.

But let's cover what's new in this version. Now, maybe first take a moment to talk about what's not new, and that's the upgrade process. Let's pause here for a moment, because this is a really important pre-upgrade task list: make a backup and have a plan. There's a good one, like maybe download ahead of time the file you need in case you have to reload it, in case something goes wrong, because if your firewall breaks and you don't have internet, downloading it is rather difficult and requires more of your time. A little bit of pre-planning to download things ahead of time is great. If you're running virtualized, a VM snapshot saves you a lot of time. Pre-upgrade reboot: I express this all the time, not just for pfSense but just in general. If you can do a pre-upgrade reboot, that way you are not conflating different issues, like because your uptime on your firewall may be so long that you didn't realize there was some problem that you would only find on reboot, so before also compounding things and adding an upgrade to the process, reboot it. If a reboot's fine, great, no file system errors, no check was needed, then do the upgrade. And this one right here, despite the misinformation that gets repeated: you do not have to remove the packages. This is often confused, and many people like to comment on my forums on this, and the Netgate forums, and occasionally on YouTube, that it's either "remove all packages" or "leave the packages alone." I choose to leave packages alone, with the exception that I noted, where the Zabbix package, because 5.2 is no longer available, stopped the upgrade process, so I did remove that particular package to let the upgrade go forward. Not a big deal if you do remove them, you can; it's just not a necessity on there, and upon reboot after the install it will update all the packages for you.

Now on to the list of new features and changes. There are a few security things here. Based on what I've read, though, looking through the details, they all required a user to already have authentication to your pfSense to get to these. Essentially, something that I haven't probably done any videos about, but it's a cool feature of pfSense, is you can create users that are restricted to a specific section instead of having full admin. That's where this can be a problem: where they have access to something but then are able to bypass a level of input standardization and push something somewhere else, or push a bad parameter on there. Essentially that's what these address. So they do require, based on everything I've looked at here, a user to have authentication in order to exploit these. So while, yes, I always think security issues should be directly addressed, they're not like a hurry-up-and-patch-right-now before, you know, someone finds this out and remotely exploits or even internally exploits it. Ideally you should have end users locked out of even the ability to find the web interface, but this does require them to be authenticated into the web interface in order to leverage these particular issues, based on looking through the errata in here.

Now there are a lot of cool things they did, but one of the really neat ones is making ZFS the default. This is something I'm really looking forward to, a lot of enhancements around it. Referencing that Christian McDonald video, which I'll leave a link to, he talks a lot about the under-the-hood changes with ZFS. So ZFS, being really popular on my channel because I talk a lot about TrueNAS, is a copy-on-write file system, so it's going to offer better resiliency for things like accidentally pulling the plug out without properly shutting things down, and recovering from that. So I like that. With ZFS, it also is going to affect log compression: if a system is using ZFS, it does not have to have log compression on, because ZFS itself can have compression. I think this will actually help everything all over the place that has a lot of data storage needs on pfSense. Now I have done at least one video talking about this, because ZFS has been an option, just not the default option, when you installed pfSense. When I built a firewall, a custom one, for Xavier, we put several drives in and set it up with ZFS. The reason for that was because he has a lot of packet capturing he was doing for some cyber security work, and having all that storage right on pfSense, combined with doing it in ZFS, is actually very handy. Now you cannot do an in-place; it is not possible to change UFS to ZFS in place, reinstallation of pfSense is required for this. But it's not that big of a deal: you just back up the config file, reload it with ZFS, and then reload your config file, and everything will go back to normal as far as functioning and working after a few minutes, once it reboots and downloads all the packages and configurations. So it's actually not that hard to do, because the XML file doesn't care what your underlying file system is. So if you'd like to do this because you didn't set your system up that way before, and you just used the default UFS, I actually recommend it. It's, you know, another layer of protection on there, plus the compression. I've got a couple of them I have to reload in the future soon too.

This one may create a little bit of confusion: the default password hash in the user manager has been changed from bcrypt to SHA-512. And someone might be asking, isn't SHA older or less secure? This is actually a compliance thing. They have it outlined here, and it is for things that need to be protected up to top secret, requiring SHA-384 or higher, so 512 is higher. It is a secure protocol; yes, there are old versions of SHA that are less secure, SHA-512 is secure. They have the details here for those of you that want to read into it and understand why that change was made, but there are many times pfSense has been used in government and other places that have to be at a certain level of compliance with which algorithms are used. That seemed to be why that change was made.

Now there are a ton of smaller changes that are in here, especially under IPsec. So many things were fixed, so there are a lot of enhancements in here that I thought were pretty nice; there's been a lot of work for optimization in here. It's not necessarily making it substantially faster, but faster for editing, faster for bringing up the tunnels; there are a lot of little details and nuance that was done in here. I don't do as much IPv6 since WireGuard came out; we're starting to move a lot more to site-to-site tunnels being done over WireGuard, but for interoperability reasons we still have plenty of IPsec tunnels out there. A lot of times we have IPsec set up on our client because the endpoint they're connecting to only offers IPsec, for, you know, different companies that they interact with.

Now one particular package I want to mention that got an update, because I recently did a video on this: this is ntop. This is now community version 5. Now before it was running on 4, and it was that update notice that wouldn't go away. Yes, that was really annoying; a few people brought that up in my video. Now with pfSense CE and with pfSense Plus, both of them are running the newer version 5 of ntopng, so maybe I'll do an updated video, because there are a few new features in here. But it works really well, I haven't had any problems with it. This is actually, more specifically, my wife's computer right now and the different breakdowns of where the traffic is going, and hey, you notice the annoying update message isn't there anymore that's constantly asking me to update to the later version of it. So finally that's been updated.

So I'm pretty excited about this new version, because so far everything has gone so smooth. I'm hoping it goes just as smooth for you, but just in case, as I said during the upgrade process, don't just have a backup, but have a backup plan, because occasionally things go wrong. This is a lot of systems that we have to update; we're going to be rolling this through our clients. If I run into a problem, I'm always very public with information: follow me on Twitter, YouTube, you can find me on Reddit where I occasionally post as well. But follow all the other people on Reddit in that particular post that I have linked down below, because the overall experience most people have seems to be very positive with it. That doesn't mean there's not some edge case that you may particularly have that may have some problems with 2.6, but refer back to the backup plan. All the links, everything I talked about, will be down below. Thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to the website and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums are where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
Published: Tue Feb 15 2022
