Upgrading to pfSense 2.7.1 | pfSense+ 23.09 - What you need to know before the upgrade!

Captions
If you haven't yet upgraded to pfSense 2.7.1 if you're using the Community Edition, or 23.0.1 if you're using pfSense Plus, with the recent changes you might be a little bit concerned, and hopefully this video will give you a little bit of peace of mind and show you what to expect. Should you upgrade? Well, yes, of course. Can it cause you some problems? It depends. If you're using OpenVPN, mainly with older encryption algorithms, then yes, it can cause you a problem. If you've got an OpenVPN server running and you've got 20, 50, 100 clients and using older encryption algorithms or older hashes, then yeah, they will break and your clients will break and they'll no longer be able to connect.

I'm going to walk through the major changes. We'll have a look at the issues with changing from the ISC DHCP server to the new Kea one, which I do suggest that you hold off on for the time being because there are quite a few issues with that. It's got basic functionality, and by basic I mean basic. But right now let's see what we need to do to get you on 2.7.1 and jump right in. [Music]

You scroll down to major changes and features: OpenSSL upgraded to 3.0.12. It was an essential change because 1.1.1 has reached end of life and will no longer receive security patches for vulnerabilities. This means that a number of older, weaker encryption and hash algorithms have been removed, and security certificates based on these older, weaker hashes have been deprecated. So there's a blog post on this topic which they recommend you read before upgrading. What it boils down to: encryption algorithms removed from OpenVPN include ARIA, Blowfish, CAST5, DES, DESX, IDEA, RC2, RC5, SEED and SM4. Hash algorithms removed from OpenVPN include MD4, MDC2, SM3 and Whirlpool. So if you're using any of these algorithms in your current OpenVPN configuration, things will break and you need to address this before upgrading to 2.7.1.

Another point is that the ISC DHCP server is being deprecated in favor of the Kea DHCP server. It's got basic functionality in 2.7.1 but it's not feature complete, and there's a blog post on that, so I'll address that later. It's not really a big concern at the moment because it's an opt-in feature; you can still carry on using the ISC DHCP for now. So we'll take a look at that in a bit. It's easy enough to change over if you want, but there are a couple of issues with it, so we need to look at them before moving over. The other major changes: PHP upgraded to 8.2.1, and the operating system has been upgraded as well.

So let's take a look at OpenVPN and exactly what might break. This system is currently on 2.7.0, so the older encryption and hash algorithms are still in this system. If we take a look at OpenVPN to add a server, okay, so the server configuration: if you've already got your server configured then you need to check this first. So the data encryption algorithms here for your server configuration are all listed. Now the ones that are being deprecated, obviously all these, SM4, the SEED, the RC5s, RC2s, IDEA, DES, they're all going to be removed in 2.7.1. So if your OpenVPN server uses these, you need to address this seriously before upgrading because all your clients will be locked out. So you can check, like, there.

And again your certificates could have an issue, so let's take a look at the certificates. OpenSSL 3.0 no longer supports certificates signed with SHA1 or older weak hashes; the minimum is SHA256. So if your OpenVPN certificates are using that, they're going to fail, which is listed here. So if an OpenVPN instance is using a weak certificate, the instance is disabled as there's no viable general automated recovery method. So again you need to make sure your certificates are up to scratch. OpenVPN peers using SHA1 certificates will fail, but such issues must be corrected on the peers, so you need to deal with reissuing certificates or whatever on the peers. Other consumers of certificates, such as add-on packages, may be similarly affected and can automatically be adjusted.

Let's head over and take a look at the actual certificates. So if you go into System, Certificates, and Certificates, if we press this information icon (I know this is not an OpenVPN certificate, I'm just showing you how to have a look) you can see the signature digest for this is RSA-SHA256. If you're showing SHA1 in here then you're going to have to reissue the certificate and reissue it to all the clients, so that really could be a headache. And the same with your certificate authorities: if you go into System, Certificates, Authorities, if your signature digest shows RSA-SHA1, that's going to break your clients as well. So that's another thing you need to address.

So what this system says, it's on the latest version, so we're going to go into System, into Update, and I'm going to change this to latest stable release. I'm going to go ahead and confirm this. Okay, that took a while but we seem to be back, so let's try and log back in. So we're on 2.7.1. It's showing 2.3.0 9 is available because this used to have the Plus version on it but I reinstalled it with CE; not sure why it's showing 2.3.2 on9 is available.

Anyway, let's go back into VPN and OpenVPN. Obviously I've got no server set up on here but I just want to go back and take a look at these features. Now if we have a look here, you'll notice that this list is now a lot shorter than what it was, so basically all the deprecated encryption algorithms have been removed. So that would have caused you an issue if you were using that and you had clients using that.

Let me just switch back, just readdressing the certificate. I've just gone back into certificate authorities. Now you'll notice where it says signature digest, it's highlighted in yellow, showing that it's a weak digest, so that's no longer usable. It's pointless discovering it after the upgrade though; you want to check that before the upgrade, as I was showing you how to do that previously.

Finally, let's address this Kea DHCP issue. So there's a blog on the topic; I'll leave links in the description to all these resources. It's got basic functionality but it's missing the following DHCP server features: local DNS resolver/forwarder registration for static and dynamic DHCP clients, remote DNS server registration, DHCPv6 prefix delegation, high availability failover, lease statistics and graphs, and custom DHCP options. So at this stage I would upgrade to 2.7.1 but I'd stick on the ISC DHCP server and just follow the updates. Again, I'll leave the links in the description, but just follow how that's going on and basically wait for that to become a bit more stable.

And what it is, if you've not already upgraded to 2.7.1 or 23.0.1, I hope this video helps. I do this stuff so you don't have to, because I'm doing it on a daily basis. If this video was useful, please hit that like button, consider subscribing to the channel. If you hit the notifications icon you'll get notifications of any new videos that we do. We appreciate any support we can get for the channel. [Music]
Info
Channel: Sheridan Computers
Views: 5,028
Keywords: pfsense, upgrading pfsense, pfsense 2.7.1, pfsense plus 23.09, pfsense kea dhcp, pfsense isc-dhcp, pfsense openssl, pfsense setup, pfsense openssl 3, pfsense upgrade, pfsense firewall, pfsense plus, pfsense (software), pfsense router, pfsense update
Id: Y5Pt83QGZZA
Length: 10min 32sec (632 seconds)
Published: Wed Nov 22 2023