pfSense Plus 24.03 update: ZFS Snapshots, Packet Flow Export & More!

Captions
pfSense Plus 24.03 was released yesterday, on April 23rd of 2024. I was doing some testing with the release candidate, and now I have updated a few production systems to the final release without issue. In this video I'm going to cover the new pfSense Plus features, such as their new update process, the new packet data flow exporter, VPN enhancements, and more. So let's get started.

Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage, or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor, or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the "hire us" form at lawrencesystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we discuss on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.

Now, before we get into release notes, I want to talk about the update process itself and what I have running on my system. This particular one is a 4200, but I have updated an 8200, and I've updated my virtual systems that are running inside of XCP-ng. All of them have gone fine. Of note, one thing I would recommend doing: remove Snort or Suricata if you're running those. Don't worry, the settings don't go anywhere as long as you don't check the box to tell them to delete; you can simply go to the package manager and remove them, because that seemed to make the update take a whole lot longer. It's just the way it handles that part of the process, but if you remove it the update goes faster, and then just reinstall it once it's updated. I did some systems with and some systems without; big speed difference between them.

But what am I running on here? And this actually accounts for each of the systems. I have arpwatch, I have HAProxy and ntopng, OpenVPN for users, OpenVPN as a privacy VPN, Snort on this system, Suricata on another, Tailscale, HAProxy, ACME, WireGuard site-to-site, and Traffic Totals. All these function perfectly fine, no issues with the update, and this is for both systems. I also, on the other system, have FreeRADIUS running for user auth; OpenVPN, that's working as well. So I've tested all the systems I can test and haven't found any bugs with it, but it was working in the release candidate, so I kind of figured it'd release in the production version. But those are important details to note. I will also note that they've been enhanced to a new version in ntopng, and if you're not familiar with this, I've done a video; you'll find the link down below. But it's just a facelift because it's, well, a slightly new version, so there's a couple different features in here, including a few updates to the main traffic dashboard, as well as slightly new visuals on this top flow talker chart that shows up right here. Yeah, and it auto updates in kind of a cool way. I like the way these flows look.

You're going to find this Netgate blog post linked down below that covers the major features and changes. The first one is going to be introducing password control. In response to mandates from various regulatory bodies, both in the US and internationally, pfSense 24.03 now implements stringent measures regarding the default password. Essentially, when you try to use the default password, you can actually change the default password and set it back to the default password; it just annoys you to change it. Now it's going to be more forcible about that. Sometimes we have to protect users from themselves, but hey, I think that's a good update.

This is my favorite update: enhanced update process using ZFS snapshots. ZFS snapshots, or as it's referred to, system boot environments, in pfSense Plus have been around for a little while. This is an enhancement again to that, where when there's an update it grabs a snapshot of the working boot environment, and then updates that boot environment, and then sets it to be the next active boot environment. Then a check is done, because it will reboot the firewall. It will try to run off of that boot environment; the watchdog timer will see if it boots. If it does not, it will revert back to the known good working one and recover the system. If you do a lot of remote updates, as we do to a lot of pfSense systems, this is a welcome update, just in case one of those updates don't go well, and I think this is really, really cool. At the same time, they've also enhanced the configuration history. So clicking on this just takes you to the configuration history as it looked before, under Diagnostics for backup history, but the difference being we now can look at configuration history from different environments. And this is actually a really nice feature, because here is the current settings that we're doing in the active one, but we can actually go back and look for maybe before the 24 update and see previous things that were done. So it's able to go back and forth and look within the change history of other boot environments, and we can see where Eric was changing something back in 423 prior to me updating it, and then you can export or revert this one back to that config. I think this is just a really cool enhancement. There's a lot of engineering on the back end that makes this front end really easy to use, but boy is it welcome, because it allows easy experimentation and also the confidence that you can snapshot things to a given point in time and simply revert the firewall back to that point in history.

The next feature is packet data flow export. A notable addition to this release is the capability to export packet flow data to external collectors with the NetFlow v5 or IPFIX protocol. Now, you find this under Firewall, Packet Flow Data. You can click the box to enable it; you can track by default, which means turn on the fire hose, essentially: all rules will get packet flow data and you can export it. Make sure you have something that can handle the volume of data that your system may produce. Or you can set this on a per-rule basis by scrolling down, going under Display Advanced, choose Packet Flow Data, and you can say always track or never track this particular rule, or back to use the global defaults. Now, I already have set up a packet flow exporter sending things to Graylog. I'll go ahead and edit and show you what these look like. I just called it "send to Graylog." It's enabled. Where do you want it to source from? The internal IP ranges, in case you have a specific LAN that you want it to come from. Then we have the source port if needed; you can leave it blank for random. This is the IP address of my Graylog server, this is the destination port for my Graylog server, and I've chosen IPFIX because that's natively supported, but if you have a NetFlow collector you can choose that as well. One thing I like is that you can add more than one exporter. This is a nice feature in case you have many different exporters you want to send all the data to for the different collectors, and I just really like this enhancement quite a bit. It gives you a lot of data that you can then pull into other systems very easily.

Gateway recovery. This is for people who have the dual-WAN setup, where you have a backup internet connection, and it gives you more fine-grained control of how the backup connection and fail back to a primary gateway after downtime. This is the huge part, because I've covered this in my WAN failover videos, where there's always a challenge because connections want to stay where they are. You can now force them back over. Maybe it's not a big deal that they're on the secondary connection, but if you have, as it notes here, metered links or a slower connection, you want people to fail back as quickly as possible when the primary gateway comes back. This is a way to get more granular on the controls for that. They also have an entire blog post detailing out the different scenarios for it, so go ahead and click that, and it walks you through a little bit more enhanced details on there. Which of course now I have to do an updated gateway video, because, well, there's more features to talk about here when you're building these different failover groups on here and how you want the failover states to be enhanced.

State policy default change for increased security. The default state policy in pfSense 24.03 software and later releases is changing from floating states to interface-bound states. They have a blog post where we'll dive more in detail on that. Read through that blog post to see if you have a special use case with multiple WAN where it may cause a problem; if not, for most people this won't be a big change.

Now, these upgraded VPN capabilities center around IPsec. For those of you wondering, is IPsec dead here in 2024? Absolutely not. There's some kernel enhancements here, the mobile kernel adjustments, the addition of AVX-512 and AVX2, ensuring smoother operations and improved efficiency. This is really important because IPsec is still widely used. It's going to be the most interoperable VPN when you're connecting site to site, and we have many clients doing this that don't have a pfSense on both ends. They may have a pfSense, but they have to connect somewhere that does not. So yes, IPsec is used quite a bit. It's nice to see that there are still regular enhancements and updates coming for it, so for those of you that are relying on it, and especially those who have had it for a long time, we don't go around changing it just because another VPN such as WireGuard is available. We have a lot of clients that have this established, and so this is a welcome speed boost by software through these extra enhancements that are coming out.

Now, that's all I have for pfSense Plus 24.03. For those of you wondering how you get pfSense Plus, there are two options: you can buy Netgate hardware, which comes free with pfSense Plus, or you can buy a subscription to run it on your own hardware. The current price on it here in April 2024 is $129 a year, and I think $129 a year is a reasonable price for a firewall that has this many features. That being said, the CE version is still coming out; 2.7 is the current as of this video, 2.8 is on the road map. There's a lot of bug fixes, a lot of changes coming to that version as well, and of course I'll be covering it on my channel as well, so like and subscribe to see that content. And also of note, the newsletter that I have, if you're looking for a way to keep up with some of the videos I do and the changes and all the different technology stuff that I kind of throw into that newsletter and my thoughts on it, go ahead and head over to lawrencesystems.com and subscribe to that. If you're looking for a more in-depth discussion on this and other topics, head over to my forums, forums.lawrencesystems.com, where we can engage more there. And thanks.
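The packet flow export section above describes sending NetFlow v5 or IPFIX records to a collector such as Graylog and warns about the volume the "track by default" fire hose produces. The following added example (not from the video and not pfSense or Graylog code) decodes the NetFlow v5 datagrams a collector reads off its UDP socket and uses the header's flow_sequence to detect records that were dropped on the way; the sample datagrams and addresses are constructed for the example.

```python
import socket
import struct

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte records.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one exporter datagram; raise ValueError rather than ingest junk."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= 30 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError(f"record count {count} does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13]})
    return {"sequence": seq, "unix_secs": secs, "count": count, "flows": flows}

def sequence_gap(prev: dict, cur: dict) -> int:
    """flow_sequence numbers the first record of each datagram, so the next one
    should start at prev sequence + prev count; anything higher is records the
    collector never received (exporter or UDP drops when the fire hose is on)."""
    return cur["sequence"] - (prev["sequence"] + prev["count"])

def _record(src, dst, sport, dport, proto, packets, nbytes) -> bytes:
    """Constructed flow record (RFC 5737 documentation addresses, not real hosts)."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, packets, nbytes, 1000, 2000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def _datagram(seq: int, *records: bytes) -> bytes:
    """Constructed v5 datagram: version 5, record count, uptime, time, sequence."""
    return HEADER.pack(5, len(records), 123456, 1713916800, 0, seq, 0, 0, 0) + b"".join(records)

# Constructed sample of what a collector reads off its UDP socket (not real traffic).
FIRST = _datagram(100,
                  _record("192.0.2.10", "198.51.100.1", 51515, 443, 6, 12, 4096),
                  _record("192.0.2.20", "198.51.100.53", 40000, 53, 17, 1, 76))
SECOND = _datagram(105, _record("192.0.2.10", "198.51.100.1", 51516, 443, 6, 3, 300))
TRUNCATED = FIRST[:-10]  # simulates a datagram cut short in transit

if __name__ == "__main__":
    first, second = parse_netflow_v5(FIRST), parse_netflow_v5(SECOND)
    print(first["flows"], "records lost before next datagram:", sequence_gap(first, second))
```

A non-zero sequence gap that grows during busy periods is the signal to narrow tracking to specific rules or give the collector more headroom, which is the "handle the volume" caveat from the video.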
Info
Channel: Lawrence Systems
Views: 15,086
Keywords: LawrenceSystems, pfsense firewall, pfsense plus, pfsense update, pfsense router, pfsense (software), pfsense upgrade, network security, pfsense backup, pfsense firewall rules, pfsense firewall rules best practices, pfsense firewall tutorial, pfsense plus 24.03
Id: W7GBx5F_2UQ
Length: 10min 26sec (626 seconds)
Published: Wed Apr 24 2024