pfSense 2.4-Release Milestone for the Popular Firewall Platform

[Rohit Kumar]

After a year and a half of development pfSense 2.4-Release is out, a major milestone for the popular open source firewall platform

The post pfSense 2.4-Release Milestone for the Popular Firewall Platform appeared first on ServeTheHome.

Continue reading...

 

[MiniKnight]

So ARM is now on the official stable release? We got one of those SG-1000's. The comment in this article is spot on. We're using ours as the firewall for a Raspberry Pi 3 cluster. ARM end-to-end and under 30W.

Does this mean I can use the RPi3 as pfSense now? Or only Netgate supported?

 

[ttabbal]

Good timing for me. I should be receiving some SSD boot drives today to replace the aging laptop HDDs I have in a few boxes. I like the ability to use ZFS as well, even without redundancy, at least I get some warning of issues.

It looks like I should be able to take a backup on the existing machine, install fresh on a new ZFS, restore the config on the new version.

 

[PigLover]

So ARM is now on the official stable release? We got one of those SG-1000's. The comment in this article is spot on. We're using ours as the firewall for a Raspberry Pi 3 cluster. ARM end-to-end and under 30W.

Does this mean I can use the RPi3 as pfSense now? Or only Netgate supported?

Should be a yes. But just because you can doesn't mean you should...

In addition to just being 100mbit, RPi3 uses USB2.0 to Ethernet Bridge to support the Ethernet port. Because of that networking is pretty impaired (not likely to reach full wire speed, will be PPS limited on small packets, and bi-directional traffic may be troublesome).

The SG-1000, OTOH, uses separate USB3.0 port from the ARM SoC for the Ethernet bridge for each GigE port. On a pure throughput basis should be able to hit 960kbps (almost 1Gb) pretty easily. Processing the packet filters on the little SoC will obviously prevent full-rate pfSense traffic - but at least you aren't "fighting the wire" like you would be with the RPi3.

BTW, the Odroid C2 also uses the USB3.0 port for its GigE Ethernet bridge. So if you want pfSense in an RPi form factor there is a path. Assuming, of course, you can get BSD/pfSense to load on the Odroid. The Odroid XU4 might make a good choice too - but the kinda odd Big/Little core design might make BSD/pfSense support even more difficult.

 

[Biren78]

I was reading the release notes and it sounds like there's only 2 ARM supported boxes now that netgate sells.

It'll prob work, but you'll be in the abyss of support. You've gotta value your time more than troubleshooting boot errors for hours to save a few bucks.

 

[moblaw]

Just upgraded from pre official 2.3.4 - 2.4 it took approx. 15min - with 2 ssd's in raid0. Some install takes place upon reboot, besides that, everything went smooth. Had to restart 2 services, snort and haproxy. AES-NI now shows in system info. (Hyper-VM machine) 7 vcpu.

 

[PigLover]

Just upgraded from pre official 2.3.4 - 2.4 it took approx. 15min - with 2 ssd's in raid0. Some install takes place upon reboot, besides that, everything went smooth. Had to restart 2 services, snort and haproxy. AES-NI now shows in system info.

What host platform?

 

[gigatexal]

SSDs in raid0 on your firewall? Crazy!

What's this about 802.11 improvements? Are we finally getting AC support?

 

[Patrick]

SSDs in raid0 on your firewall? Crazy!

If your firewall goes down, it is always a bad day.

 

[Limeray]

Is anyone else having unusually high cpu and memory utilization? Before the update pfSense was always idling on 5-10% cpu and 500 mb ram and now it constantly uses 60% cpu and 2gb (98%) of ram.

 

[moblaw]

Is anyone else having unusually high cpu and memory utilization? Before the update pfSense was always idling on 5-10% cpu and 500 mb ram and now it constantly uses 60% cpu and 2gb (98%) of ram.

I also do see higher CPU usage, it peaks around 60%, before it would peak at 35% ish. Memory is the same.

 

[nthu9280]

If your firewall goes down, it is always a bad day.

Couldn't agree more... Speaking from my recent experience. At least mine was home use only.

Sent from my Nexus 6 using Tapatalk

 

[StevenDTX]

I deployed a 2.4 VM last night and it's working well. I will be working off of it for a couple weeks while I RMA my SuperMicro board for the C2000 fix.

 

[Limeray]

I also do see higher CPU usage, it peaks around 60%, before it would peak at 35% ish. Memory is the same.

Apparently it was the SNMP service for me. Once i disabled it, the cpu usage was back to normal. Still the memory consumption is quite high.

 

[Mam89]

I was playing with the idea of deploying a pfsense in a cost conscious customer location, but upon testing the squid/squidguard packets were pretty broken for me... If they can fix that I'd love to use it as openvpn is great!

 

[MiniKnight]

@Limeray are you using ZFS for storage? That uses memory right?

@Mam89 any idea why? We've got many people here and there's many on pfSense forums with that setup.

 

[Mam89]

I'm not really sure honestly. It could easily be a misconfig on my part as I set it up off some older documentation. The issue would occure with ssl dpi enabled with squidguard, I got it functional after intial setup, but any addition of blacklists or changed/customized setting for blocks would block everything. Upon reversion of the settings it would stay blocked for some reason. The only way to get traffic flowing again was the removal entirely of both squid/squidguard.

 

[MiniKnight]

I find when that happens to me, I'm usually the root cause

 

[Patrick]

Upgraded a lab node to 2.4. Working well thus far.

 

[RTM]

It is great that 2.4 have been released, hopefully that makes us one step closer to QAT acceleration.

BTW, the Odroid C2 also uses the USB3.0 port for its GigE Ethernet bridge.

Are you sure about this?

The block diagram suggests that the SoC has a MAC that connects to a Realtek PHY.
Perhaps you are thinking about the XU3/4 where the NIC is indeed USB 3 based?