pfSense 2.4-Release Milestone for the Popular Firewall Platform

PfSense 2.4 Dashboard

At STH, we have used pfSense on various occasions for years. If you are looking for an open source VPN gateway, firewall, security, or caching appliance, this is the go-to distribution. Like many security appliances, pfSense has its roots in FreeBSD. FreeBSD has some absolutely great features. One thing that FreeBSD is not well known for is hardware support on par with Linux. One example of this is that FreeBSD on ARM has come a long way, but we think Linux on ARM is more mature. With pfSense 2.4-RELEASE, Netgate, the company behind pfSense, has updated the project to FreeBSD 11 and brought official ARM support.

pfSense 2.4-RELEASE Supports ARM

Earlier in 2017, we had a chance to try the Netgate SG-1000. It is an extraordinarily compact ARM platform where you can count power consumption (in watts) on a single hand with fingers left over.

Netgate SG 1000 Three Quarter View

By forging ahead with ARM support, Netgate is able to bring pfSense firewalls based on low power ARM SoCs to market. The SG-1000 is an awesome device if you simply need a portable OpenVPN appliance or need to tuck one away in a lab or attach it to a colo’d server for secure IPMI access. As much as we liked the Mikrotik hEX RB750Gr3, we kept going back to the SG-1000. ARM support is a big deal, even if it is on a limited set of devices for now.

pfSense 2.4-Release Major Changes

Since pfSense is an open source project, we suggest setting up a test machine and just trying the new version out. Our readers like summaries of changes, so here is a list we got from the pfSense team:

  • FreeBSD 11.1-RELEASE as the base Operating System
  • New pfSense installer based on bsdinstall, with support for ZFS, UEFI, and multiple types of partition layouts (e.g. GPT, BIOS)
  • Support for Netgate ARM devices such as the SG-1000
  • OpenVPN 2.4.x support, which brings features like AES-GCM ciphers, speed improvements, Negotiable Crypto Parameters (NCP), TLS encryption, and dual stack/multihome
  • Translation of the GUI into 13 different languages! For more information on contributing to the translation effort, read our previous blog post and visit the project on Zanata
  • WebGUI improvements, such as a new login page, improved GET/POST CSRF handling, significant improvements to the Dashboard and its AJAX handling
  • Certificate Management improvements including CSR signing and international character support
  • Captive Portal has been rewritten to work without multiple instances of ipfw

Additional benefits of FreeBSD 11.0 and 11.1 include:

  • Security enhancements such as address space guards to address Stack Clash
  • New and updated drivers for a variety of hardware
  • Updated 802.11 wireless stack
  • Updated IPsec kernel implementation
  • Support for Microsoft Hyper-V Generation 2 virtual machines, and other Hyper-V support improvements
  • Elastic Networking Adapter (ENA) support using the ena(4) FreeBSD driver for “next generation” enhanced networking on the Amazon EC2 platform

Now if we could only get upgrades without reboots!

If you want more information, head over to the pfSense page. We will be stepping up coverage now that this new major version has been released.

4 COMMENTS

  1. Nice,

    I don’t think existing ARM platforms are fast enough for me (I want full duplex OpenVPN gigabit performance) but it is good to see that the options are improving.

    That being said, that’s not to say you can’t have power sipping x86 pfSense builds. I built one using a Core i3-7100 on a mini-ITX board, which idles at 6W at the wall (as measured on my Kill-A-Watt device).

    This is probably in large part due to the use of a mini-box PicoPSU-80 + 60W Adapter Power Kit which does a great job at keeping things VERY efficient. (and yes, even at 60W it can handle full load torture testing)

  2. The ARM devices are toys. Insufficient addon support. Might as well use dd-wrt or asus merlin-wrt on an AC router

  3. Here is one that disappoints. No more 32bit x86 support. That’s a real shame; there are still a lot of 32bit Atoms with enough juice around.
