Tom here from Lawrence Systems, and pfSense 2.6 has been released. And I know what you're saying: anytime there's a big point release, shouldn't we be a little bit worried? I'm always cautious, I always back up. But hey, you know, you got to test these things, you got to figure out if there's any bugs and get them fixed, get them addressed. So right away, the moment it was released, I started updating systems. I had played with the beta previously, and I had followed, and I'll leave links to them, Christian McDonald's videos. He's one of the developers at Netgate who has a YouTube channel and who also puts out some of the errata on what's going on there. And I'm going to say they did a great job on this version. We had some bugs with the way dual WAN operated, which was the big one with 2.5; they don't seem to have any of those problems. Matter of fact, I've updated some of the more advanced configuration systems, as in OpenVPN with FreeRADIUS authentication, along with WireGuard site-to-site, combined with multi routes and multiple interfaces, and also having, you know, a peer-to-peer setup in there. So a good mix of challenges, and all these systems worked perfectly fine. Yes, some were CE and some were Plus. And that's actually a new announcement that we'll be talking about: you can now convert your Community Edition into Plus, and you can register as a lab or as a home user and get it for free. And they do have support and enterprise support level options as well. And you don't have to do this. This is an option, but they're giving you an option if you aren't using Netgate hardware, which already includes support. The TAC Lite support comes with the Netgate hardware. If you built your own pfSense, but you'd also like to buy support, whether you virtualized it or, you know, have it as a hardware install, you can now do that. And we'll talk about that later in this video.
Before we dive into all these details, if you want to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top, which includes network consulting. If you want to support this channel in other ways, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel. Now let's start here at the Reddit post where they say, "We are excited to announce the release of pfSense Plus software 22.01 and Community Edition version 2.6." So the CE edition is going to continue on the naming scheme of 2.5, 2.6, et cetera. And then the Plus version is going to use the year and month for the releases. I kind of wish they would have kept them the same for, I don't know, my own sanity's sake, but I imagine it makes sense doing it, because as soon as you say we're talking about the 2.x, you know we're talking about Community Edition, or when you talk about 22.01, you know you're referring to the year and month of the release of the Plus edition. So I'm sure there's maybe some debate, but for now that's the way the naming scheme is. Now they have all the release notes in Redmine, and a lot of people here are commenting on things. And I have been on Reddit a long time. Yes, that's me posting right here. Sometimes people weren't sure if I had a Reddit account. I do. I've been on there since the narwhal bacons at midnight. But right here is the update information I shared on Reddit. I've updated systems that are running Suricata, HAProxy, FreeRADIUS, WireGuard, pfBlocker, Zabbix and ntop. Now the one problem I ran into was this right here: Zabbix Agent 5.2, which was the latest on 2.5.2. And now they've moved to Zabbix Agent 5.4. This, I think, is the cause, I'm assuming, because I removed it and it worked. It would give me a failure to upgrade, but not really any reason.
But as soon as I looked at the packages, I realized that, oh, yeah, I'm just running a Zabbix version that is not supported now, because it would put a red exclamation point on there, basically to let me know that package is not in the package repository anymore. Simply deleting the package was able to resolve it; I did the upgrade and then you load 5.4. And by the way, unless you tell the packages not to, the default is actually to save all the settings for a particular package. This meant when I loaded the new version of Zabbix, everything loaded right back in, all my settings connected to my Zabbix server and started doing all the updates again. Barely an inconvenience at all, no issues there. Now one thing I noted was this is really a B use case, maybe some of you have a use case for this. I've also tested a system using OpenVPN and policy routing, but I'm also not able to disable a VPN when it's assigned to an interface. There's actually a bug that was in pfSense. Now, being able to do that, you shouldn't have been, because now you're breaking the interface that you assigned by not having a VPN attached to it anymore by disabling it. So you create a bad situation inside of pfSense. But for my lab, I did this so I could create a few different VPNs and only connect them on an as-needed basis for lab things and not have to do it. I'm just being lazy and should have different XML files to restore my lab to different configurations. But I could just do it with a checkbox and deal with the errors that were in there. So this has actually been stopped. But FYI, if you're wondering, because this is all based on input validation, you can actually modify the XML file and break the pfSense in the way that they tried to stop you from breaking it.
But that was interesting, that you could still go back and do it by editing the XML file manually, which, yes, I will be doing a future video on: all the fun things you can do by importing and exporting XML files to move them between systems and not just doing selective restore. But let's not get too far off topic. Let's talk about the big thing people want to know about, which is being able to migrate from the Community Edition right to version 22.01 of pfSense Plus. They are offering now a no-cost noncommercial home lab license for those of you interested in pfSense Plus edition. Now there's only a few different features. I'll leave the link to the couple of extra features you get with pfSense Plus, which also now includes a ZFS widget, which is kind of neat. We'll cover that in some of the new updates that came in here. But I wanted to cover this because you can still continue using CE. They're not abandoning CE. They're just giving you the option to do pfSense Plus if you're interested, because it allows for a couple of different support options. Now if you have Netgate hardware, no change. The support options are the same. It's still free when you buy Netgate hardware, which is the TAC Lite. But you have the option for home or lab registration right here for noncommercial use in home or lab. And they got little details here down below. I'll let you go over and read the fine print so we don't spend too much time on this. But no charge for evaluation license or white box or virtualization image, no charge for upgrade from pfSense CE software, forum community support. And the XML files are the same. So you can switch back and forth. You can try it and say it's not for me, but the XML file is the same either way, just for those of you that are curious. Right now they're offering TAC Lite support for $0 per year. And of course then they have it right here. It looks like it's going to be 129 a year in the future. Not right now.
So if you're interested in trying this, this gives you their TAC Lite support. If you need the TAC Pro or TAC Enterprise support, they have these listed. Very big, bold, clear pricing on here. I'm also going to leave that link that I mentioned to Christian McDonald's video, where he even shows what the process looks like in doing the in-place upgrade. I want to encourage people to watch the video because Christian, being a developer, is really, really knowledgeable about pfSense, even more so than me. And I encourage people to watch some of the videos to cover some of the details, including, and I'll leave a link to it, his video where he talks about the ZFS widget. But let's cover what's new in this version now, but maybe take a moment to talk about what's not new. And that's the upgrade process. Let's pause here for a moment because this is a really important pre-upgrade task list. Make a backup. And have a plan. There's a good one. Like maybe download ahead of time the file you need in case you have to reload it in case something goes wrong. Because if your firewall breaks and you don't have internet, downloading it is rather difficult and requires more of your time. A little bit of pre-planning to download things ahead of time is great. If you're running virtualized, a VM snapshot saves you a lot of time. Pre-upgrade reboot. I express this all the time, not just for pfSense, but just in general. If you can, do a pre-upgrade reboot; that way you are not conflating different issues, like because your uptime on your firewall may be so long that you didn't realize that there was some problem that you would only find on reboot. So before also compounding things and adding an upgrade to the process, reboot it. If your reboot is fine, great. No file system errors. No check was needed. Then do the upgrade. And this one right here: despite the misinformation that gets repeated, you do not have to remove the packages.
This is often confused, and many people like to comment on my forums on this, and the Netgate forums, and occasionally on YouTube. Either. This says either, not "remove all packages": either remove all packages or leave the packages alone. I choose to leave packages alone, with the exception that I noted with the Zabbix package, because 5.2 was no longer available. It stopped the upgrade process. So I did remove that particular package to let the upgrade go forward. Not a big deal. If you do remove them, you can. It's just not a necessity on there. And upon reboot, after the install, it will update all the packages for you. Now onto the list of new features and changes. There's a few security things here. Based on what I've read though, looking through the details, they all required a user to already have authentication to your pfSense to get these addressed. Essentially, something that I probably haven't done any videos about, but it's a cool feature of pfSense, is you can create users that are restricted to a specific section instead of having full admin. That's where this can be a problem, where they have access to something, but then are able to bypass the level of input sanitization and push something somewhere else or push a bad parameter on there. Essentially, that's what these address. So they do require, based on everything I looked at here, a user to have authentication in order to exploit these. So while, yes, I always think security issues need to be directly addressed, they're not like a hurry up and patch right now before, you know, someone finds this out and remotely exploits or even internally exploits it. Ideally, you should have end users locked out of even the ability to find the web interface, but this does require them to be authenticated into the web interface in order to leverage these particular issues, based on looking through the errata in here. Now there's a lot of cool things they did, but one of the really neat ones is making ZFS the default.
This is something I'm really looking forward to, a lot of enhancements around it, referencing that Christian McDonald video, which I'll leave a link to. He talks a lot about the under-the-hood changes with ZFS. So ZFS, being really popular on my channel because I talk a lot about TrueNAS, is a copy-on-write file system. So it's going to offer better resiliency for things like accidentally pulling the plug out without properly shutting things down and recovering from that. So I like that with ZFS. It also is going to affect log compression. If a system is using ZFS, it does not have to have log compression on because ZFS itself can have compression. I think this will actually help everything all over the place that has a lot of data storage needs on pfSense. Now I have done at least one video talking about this because ZFS has been an option, just not the default option, when you installed pfSense. When I built a firewall, a custom one for Xavier where we put several drives in, we set it up with ZFS. The reason for that was because he has a lot of packet capturing he was doing for some cybersecurity work. And having all that storage right on pfSense combined with doing it in ZFS is actually very handy. Now you cannot do it in place. It is not possible to change UFS to ZFS in place. Reinstallation of pfSense is required for this, but it's not that big of a deal, as you just back up the config file, reload it with ZFS, and then reload your config file and everything will go back to normal as far as functioning and working after a few minutes, once it reboots and downloads all the packages and configurations. So it's actually not that hard to do because the XML file doesn't care what your underlying file system is. So if you'd like to do this because you didn't set your system up before on there, you just use it about UFS, I actually recommend it. It's a, you know, another layer of protection on there, plus the compression.
I got a couple of mine to reload in the future soon too. This one may create a little bit of confusion. The default password hash in the User Manager has been changed from bcrypt to SHA-512. And someone might be asking, isn't SHA older or less secure? This is actually for compliance. They have it outlined here, and it is for things that need to be protected up to top secret requiring SHA-384 or higher. So 512 is higher. It is a secure protocol. Yes, there's old versions of SHA that are less secure. SHA-512 is secure. They have the details here for those of you that want to read into it and understand why that change was made. But there are, well, many times pfSense has been used in government and other places that have to be at a certain level of compliance with which algorithms were used. That seems to be why that change was made. Now there's a ton of smaller changes that are in here, especially under IPsec. So many things were fixed. So there's a lot of enhancements in here that I thought were pretty nice; there's been a lot of work for optimization in here. It's not necessarily to make it substantially faster, but faster for editing, faster for bringing up the tunnels. There's a lot of little details and nuance that was done in here. I don't do as much IPsec since WireGuard came out. We're starting to move a lot more to site-to-site tunnels being done over WireGuard. But for interoperability reasons, we still have plenty of IPsec tunnels out there. A lot of times we have IPsec set up on our client because the endpoint they're connecting to only offers IPsec for different companies that they interact with. Now, one particular package I want to mention that got an update, because I recently did a video on this. This is ntop. This is now community version five. Now before it was running on four and there was that update notice that wouldn't go away. Yes, that was really annoying. People brought that up in my video.
Now with pfSense CE and with pfSense Plus, both of them are running the newer version five of ntopng. So maybe I'll do an updated video because there's a few new features in here, but it works really well. I haven't had any problems with it. This is actually more specifically my wife's computer right now and the different breakdowns of where the traffic is going. And hey, you notice the annoying update message isn't there anymore that's constantly asking me to update to the later version of it. So finally that's been updated. So I'm pretty excited about this new version because so far everything has gone so smooth. I'm hoping it goes just as smooth for you, but just in case, as I said during the upgrade process, don't just have a backup, but have a backup plan, because occasionally things go wrong. This is a lot of systems that we have to update. We're going to be rolling this to our clients. If I run into a problem, I'm always very public with information; follow me on Twitter, YouTube. You can find me on Reddit where I occasionally post as well, but follow all the other people on Reddit and that particular post that I have linked down below, because the overall experience most people have had seems to be very positive with it. Doesn't mean there's not some edge case that you may particularly have that may have some problems with 2.6, but refer back to the backup plan. All the links to everything I talked about will be down below, and thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated.
For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums. forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching and look forward to hearing from you.