Should You Upgrade To pfsense 2.5?

⏱️ Timestamps ⏱️
0:00 pfsense 2.5 Upgrade
0:22 Wireguard Removal
1:06 OpenVPN changes
2:46 State Matching Non Default WAN
4:16 Unbound and Service Watchdog

pfSense Plus 21.02.2 and pfSense CE 2.5.1 Release Candidates Available for Testing
by u/DennisMSmith in r/PFSENSE

https://forum.netgate.com/topic/161017/nordvpn-openvpn-not-supported-on-pfsense-2-5/21

https://redmine.pfsense.org/projects/pfsense/roadmap

State matching problem with responses to packets arriving on non-default WANs
https://redmine.pfsense.org/issues/11436

by Lawrence Systems

41 thoughts on “Should You Upgrade To pfsense 2.5?”

  • pfSense Plus 21.02.2 and pfSense CE 2.5.1 Release Candidates Available for Testing
    https://www.reddit.com/r/PFSENSE/comments/m6ejy9/pfsense_plus_21022_and_pfsense_ce_251_release/

    https://forum.netgate.com/topic/161017/nordvpn-openvpn-not-supported-on-pfsense-2-5/21

    https://redmine.pfsense.org/projects/pfsense/roadmap

    State matching problem with responses to packets arriving on non-default WANs
    https://redmine.pfsense.org/issues/11436

    WireGuard Removed from pfSense March 2021
    https://youtu.be/uGNorRLefBg

    Firewalls With Working Wireguard: OPNSense, VyOS and Untangle.
    https://youtu.be/VDD163WFYc4

  • I'm happy I didn't upgrade just now! That State matching non default WAN would have been problematic for me. I have 2 WANs, one for my home, and one for my business. Quite a bit of port forwarding on the business one (non default).

  • I'm sticking with 2.4.5 until I finished messing with OPNSense in my test lab. Then I'm going to switch it over.

  • Pfsense has failed us. Who will replace them on the throne? Untangle is too basic for me. I’ll try VyOS

  • I should learn from my past mistakes….. Stick with 2.4….. 2.5 is a complete cluster [BLEEP]. I got sucked in to the STABLE part. Nothing but problems (I have an almost default install). It's a glorified router with no VPN or anything. NAT, DHCP, DNS, Gateway….. should be easy as pie (is in 2.4)…. now not so much in 2.5. Live and learn. Thanks for the TUTs Tom… appreciate them.

  • snort from pfSense+ doesn’t work in my SG-3100. What kind of testing did pfSense do?

  • Much appreciated. I'll have to check out the watchdog. Always helps to get some perspective.

  • Hmmm, already upgraded both my firewalls, so far working, good. I suppose I got my upgrade before Wireguard was removed, but I'm not using that anyway. But one thing that got fixed was the issue I had with Wan monitoring and that I'm happy about.

  • I'm getting cold-feet installing pfsense for the first time with all this pfsense drama. ☹

  • I only have problems since I've installed 2.5, I would only recommend to hold until it gets more mature

  • I had unbound consistently restart BEFORE the 2.5 update. There is a 3 year old bug where it does not play nice with pfblocker (still not fixed as netgate just ignores it as far as I can tell). I'll find the original post with bbcan177. You have to go in to the code and change stuff.

    Also I wouldn't use servicewatchdog with pfblocker dnsbl as that might cause issues.

    https://amp.reddit.com/r/PFSENSE/comments/6k1v8t/unbound_crashes_frequently/

  • Not if you have an IPSEC VPN tunnel, it doesn't work, the 2.51rc seems to though

  • Oh, boy. Thank you Tom for a very timely video. Although I now have seriously less hair than a week ago, I understand why things are not working.

    My update is set to update to stable release. And nothing was marked RC. So I had the firewall updated to latest software before going on with the install.
    XG-1537 with an extra SFP+ card. 2 x WAN and 2 X Lan. 4 VLANs. And not able to route anything through the non-default WAN.
    Our current version is 21.02-RELEASE-p1 (amd64)

    built on Mon Feb 22 09:39:51 EST 2021

    FreeBSD 12.2-STABLE

    How far back do we need to roll it and how do we roll back? I will of course start to dig around online 🙂

  • pfSense, unbound defaults to restarting on every dynamic DHCP refresh, which I consider bad practice, this was already disruptive to DNS uptime before 2.5, but 2.5 of course made it bad enough to be widely noticeable. I suggested on redmine they disable it by default, but they want to keep it on. I think the plan is now to roll back to an old unbound version instead.

  • As I understand it, unbound restarts every time a DHCP release renews. Something about that causes it to fail. Unchecking the option that adds DHCP leases into DNS lookup has stopped the problems for some people. I updated the unbound package but it still has the problem. I haven't seen any since unchecking the box. The watchdog didn't help, or at least didn't help enough, still had DNS die with that setup.

  • Should you upgrade to PFSense? I say no. I tried it: you make a simple change, your whole network goes down. I tried it, so bad it isn't funny. Really bad setup design. I had to factory reinstall PFsense to get back in the GUI. Bad design, terrible software. PFSense is a joke with an advanced config like mine. Bad design.

  • I haven't had a problem with unbound crashing, but it doesn't auto start at boot up. Once I manually start it, it's not a problem.

  • What happened with the usual intro??? I missed the "we got new shirts… well, randomly!"

  • Thanks for the video. You mentioned rolling back to a previous version. I had trouble with that. Just briefly, how do you do that? Are you talking image backup before hand, or a config backup or what? Thanks!

  • 21.02 broke ipsec vpn on multiple 3100s for me, flashed them back to 2.4.5 and am chilling

  • pfSense Plus 21.02.2? They really didn't waste time differentiating between versions again. So much for the code consolidation ideal of FreeNAS to TrueNAS Core.🤔

  • Relax Tom and remember to breathe. Ignore the belly-achings of fanboys. You do you.

    In my experience, the unbound service failing to restart or crash has something to do with pfblocker updating the block lists. It crashes once every month or 2.

  • Still upnp broken? (2 games at same time can't play due to getting strict Nat on second game/console)

  • Unbound is failing for me. This video helped confirm I am not crazy. Adding watchdog tonight.

  • The dual Wan problem is not an edge case. I start using pfsense for the multi Wan use and now is broken😭

  • I use fqdn identification for my IPsec tunnel and all of that broke. I have 12 sites in a mesh configuration and I'm glad I only upgraded one of them. Redoing 144 tunnels twice would have been quite annoying

  • There was a restart issue with unbound that was fixed with a newer version. Unbound would exit with a signal 11. This was a problem with DHCP updates and pfBlockerNG.

    I waited until that was fixed before I upgraded.

    There is a minor issue with IPv6 gateway monitoring. The workaround here is to manually set the IP to monitor against. Netgate has acknowledged this issue. Also, I find the stability of IPv6 to be better after the upgrade.

    When I did my update, I tried to do a reload as I wanted to change the drive to use ZFS. The installer would not create the ZFS filesystem, so I rebooted from the drive and did an in-place upgrade.

  • I’ve updated to the newest version of pfsense tonight and have lost all internet access. Even after rebooting the pfsense box again still made no difference, was all working fine until I did the update.

  • I think you downplayed the unbound issue a little bit.. DNS is a major part of a firewall, how is it possible that this bug made it into "stable" pfsense? AFAIK they were even aware of this before release.. This and the whole WG fiasco really make me question my trust into netgate.
    By the way, our AD Server is running DNS but it still forwards the queries to pfsense so we can use pfblocker – we're probably not the only ones with this setup..

  • With any big upgrade like this it's definitely worth waiting. 2.4 came out in 2018, 2.5.0 just now in 2021. That's a big jump between the highest major level of the product. Definitely wait until 2.5.1 is released as stable and even then give it 2 weeks, see if they need a 2.5.2 etc

  • Funny, I upgraded to 2.5 and unbound kept crashing and using CPU at 100%. What I realized is that if watchdog and pfblockerng are active the issue happened. The only way to stop this was to remove unbound from watchdog. It did not happen on 2.4.

  • I did not seem to have the unbound problem until I activated Snort and/or pfBlocker but it may have just been a coincidence rather than an interference/compatibility problem between unbound and one of the extra security measures. Though, this might be a place to look for that bug.

  • Will Wireguard support be removed in 2.5.1?
    So I guess the real question is, should you upgrade to 2.5.1 🙂

  • From NetGate's reddit post: Speedy and thoroughly tested releases!

    Yeah! Really?! 2.5.0 was worse than an Alpha release… And they shipped that as Business+ or whatever…
    Reddit is boiling hot with bug reports coming from all sides. Greedy bastards!

    Have a hardware upgrade to do by the end of the week and I will definitely do a software upgrade too – install OPNsense!
