By Ivor Kreso
The upcoming pfSense® 2.4.4 update will not only bring bug fixes and security updates, but many new and exciting features. We’re proud and happy to present an overview of the new features and changes in 2.4.4, just as we did in our previous highlights blog post from almost exactly a year ago with pfSense version 2.4.
AutoConfigBackup is now free for all!
Starting with pfSense version 2.4.4, AutoConfigBackup is integrated within pfSense and available for free to every pfSense user. When enabled, every time a change is made, ACB automatically makes a secure, remote backup of the pfSense configuration. The new ACB integration is a complete rewrite of the old ACB package, previously only available for Gold subscribers. A lot of work went into making sure the new package provides secure backups while complying with GDPR regulations.
A major improvement is visible only “under the hood”: pfSense version 2.4.4 runs on the current stable FreeBSD release, 11.2-RELEASE. That brings many security and stability improvements, including updated OpenSSL and OpenSSH, as well as broader hardware support for pfSense. Running a supported FreeBSD version matters because it is how pfSense receives the latest security patches directly from the FreeBSD upstream. For life-cycle information, visit the supported FreeBSD releases page.
With FreeBSD 11.2 as a base, pfSense version 2.4.4 brings Intel C3000 support. We began offering C3000-based pfSense appliances, the XG-7100 1U and its desktop version, earlier this year, but for them to work the drivers had to be backported from FreeBSD -CURRENT. This meant that C3000 support prior to version 2.4.4 was device-specific and only vetted on our own appliances. With version 2.4.4, pfSense now supports many of the available C3000-based systems.
pfSense version 2.4 brought support for our first ARM appliances, SG-1000 and SG-3100, both based on a 32-bit ARM architecture. Starting with version 2.4.4, pfSense will support several ARM64-based appliances we are developing. Stay tuned for more information about our upcoming ARM64 appliances!
PHP 7.2 now used by default
The pfSense development team has been busy upgrading the pfSense WebGUI to PHP 7.2. While the PHP changes are “under the hood”, i.e., not visible to most end users, converting all of the PHP code to 7.2 was a large effort, and a necessary one: PHP 5.6 reaches End of Life on December 31, 2018, after which it receives no further security support.
Hybrid pfSense installer!
Another great upcoming pfSense feature is the hybrid installer image. Starting with version 2.4.4, the pfSense memstick installer can also be used as a CD/DVD image. If your virtualization software refuses to boot the image, simply rename the .img file to .iso; the contents are unchanged. As always, verify the image's checksum against the published value before booting it. The hybrid installer is already available in the latest 2.4.4 pfSense snapshots.
Major IPsec improvements
We’re happy to announce that IPsec has been greatly improved in 2.4.4! A brand new major feature is Routed IPsec using Virtual Tunnel Interfaces (VTI). With VTI, the system routing table decides which traffic enters a tunnel, rather than the policy-based traffic selectors of a Phase 2 entry, so the tunnel behaves like a regular interface that static or dynamic routes can point at. Routed IPsec VTI was recently unveiled and covered in the June 2018 pfSense Hangout by Jim Pingle. That hangout, and all others from the past year, will be available for free on our Netgate® YouTube channel starting with pfSense 2.4.4-RELEASE.
A gateway group can now be used as the default gateway. In previous pfSense versions, default gateway switching had no defined order, so users had no control over which gateway was picked when the current one failed. With version 2.4.4, the order of gateways in a group determines which is used first, second, third, and so on.
Also improved is gateway monitoring. Users can now set the gateway monitoring probe interval to a much higher value. This is very useful with low bandwidth connections such as mobile networks / 3G / 4G.
New DNS Resolver features
2.4.4 brings many new options within DNS resolver, which now has its own status page! When using DNS resolver, pfSense can now act as a DNS over TLS server.
By default the DNS Resolver uses the webConfigurator SSL certificate, but we recommend importing a Let’s Encrypt certificate issued for the resolver’s hostname, so that local clients can validate the certificate against that hostname instead of having to trust a self-signed one.
If you followed our DNS over TLS with pfSense blog post, the same result can now be achieved much more simply by enabling both options under the DNS Query Forwarding section of the DNS Resolver configuration page. This requires DNS over TLS capable DNS servers to be defined under System > General first.
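To show what “validate against the hostname” means from the client side of the new DNS over TLS server, here is an added example; it is not pfSense or Unbound code. It is a small Python DNS over TLS (RFC 7858) client that connects to port 853, verifies the resolver’s certificate chain and hostname with the standard library’s default TLS context, sends a length-prefixed DNS query, and checks the transaction ID of the answer before trusting it. The resolver address 192.168.1.1, the hostname fw.example.org, and the sample response bytes are assumptions constructed for the example.

```python
# Added example (not pfSense code): a minimal DNS over TLS (RFC 7858) client
# doing what a local client should do against a pfSense 2.4.4 resolver: TLS to
# port 853, certificate and hostname verification, length-prefixed DNS query,
# transaction-ID check on the answer. Address, hostname and CA file are assumptions.
import secrets
import socket
import ssl
import struct

RESOLVER_IP = "192.168.1.1"       # assumed LAN address of the pfSense box
RESOLVER_NAME = "fw.example.org"  # assumed hostname the certificate was issued for
DOT_PORT = 853                    # DNS over TLS port (RFC 7858)


def build_query(name, qtype=1, txid=None):
    """Build a DNS query for `name` (default type A, class IN) with RD set."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID, as a client should use
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DNS over TCP/TLS framing: two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always two bytes
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (txid, rcode, [A record addresses]) from a DNS response message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, rcode, addrs


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name, server_ip=RESOLVER_IP, server_name=RESOLVER_NAME, cafile=None):
    """Resolve `name` over DNS over TLS with full certificate and hostname checks."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True; give
    # cafile only when the resolver's certificate chains to a private CA.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    sent_txid = struct.unpack_from("!H", query)[0]
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
    txid, rcode, addrs = parse_response(response)
    if txid != sent_txid:
        raise ValueError("transaction ID mismatch; discarding answer")
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    return addrs


# Constructed sample response (not captured from a real resolver): the answer to an
# example.com A query with txid 0x1234, carrying one A record for 192.0.2.1.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: response, RD, RA
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # answer: name ptr, A, IN, TTL 300
    b"\xc0\x00\x02\x01"                                   # rdata: 192.0.2.1
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))  # (4660, 0, ['192.0.2.1'])
    # query_dot("example.com")  # needs a reachable resolver with a valid certificate
```

If the certificate does not match the hostname you pass as server_name, or does not chain to a CA the client trusts, wrap_socket raises ssl.SSLCertVerificationError and no query is sent; that is the failure the Let’s Encrypt recommendation above avoids. Clients that set check_hostname to False to “make it work” give up exactly the protection DNS over TLS is meant to provide.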
Small changes that make a big difference
If a system administrator has not changed the default password, pfSense will now display a warning.
Checking for updates can now be done directly from within the pfSense setup wizard.
SSH can now require both a password and a public key for added security (the equivalent of sshd’s AuthenticationMethods publickey,password).
We’re excited to share these major updates with our community. Many new features and security improvements are coming with pfSense version 2.4.4. Soon, the usual “New features and changes” page will provide more detail.
From all of us at Netgate, we would like to thank our contributors – developers, testers, and translators – who, as always, selflessly help progress pfSense.