Tom here from Lawrence Systems. pfSense 2.5 Community Edition has been released alongside pfSense Plus 21.02, and this is where I want to segue a little bit to clear up a little bit of confusion between pfSense Plus and the pfSense Community Edition. Now, this is actually something that happened in January, which is when they made the announcement. I didn't do any dedicated video on it because I don't like wild speculation until we have a little bit more information, but I figured this is something we're going to have to address now. I'll leave everything time-indexed below for those of you that are already aware of pfSense Plus and just want to skip ahead to the new features coming in the new version of pfSense. But if you want to go into the details, and many people have been asking my opinion on this, well, that's where I'm going to start. But before we do that, let's first: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a hire-us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

So pfSense Plus 21.02 release and pfSense CE 2.5 release now available, and if you don't know what pfSense Plus is, I'll leave this article right here that announces pfSense Plus. Essentially what Netgate is doing is creating a slight divergence, and I say slight
because this actually isn't much different than what they were doing before. People just didn't really recognize it, and it's outlined in this article that I'm not going to get too in-depth on. But let's at least share Tom's thoughts on this. When you buy a Netgate appliance, it comes with FE, Factory Edition, of pfSense. When you buy an appliance that is not pfSense that you want to load, or build your own hardware, whatever you want to do, you download the CE or Community Edition. The Community Edition is still what the Community Edition is. pfSense Plus is an option to load on the Netgate hardware, well, with the exception of the ARM ones. The ARM ones, there's not a compiled version of the Community Edition for the ARM devices. But when you're dealing with x86 devices like this SG-5100, I can either load, well, which it has on there right now, which is now called pfSense Plus, but it used to be Factory Edition. Now it's pfSense Plus, and that is a slightly enhanced version. It's still the open source project with a few extra add-ins that are going to be targeted towards businesses. As of right now, February 2021, with this new release,
there's very little divergence between the two code bases. There's not much being added. The roadmap laid out is that they're going to be adding more things into pfSense Plus that are going to be targeted at people who run businesses, like myself, who manage hundreds of firewalls and that, you know, sometimes need a few enhanced features that may not be targeted at general community users. Now, they've talked about how much the pricing structure is going to be, basically, which is free for people using Netgate devices and a paid type of subscription service for people that would like to use it and use those enhanced features and roll their own hardware. This is actually a pretty popular solution where people want to run these in virtual stacks, or they want to run them just on their own custom-built stack of hardware that they have and, you know, want those enhanced business features. Then this is what pfSense Plus is. I don't really see this as necessarily a bad thing. Of course, where the doom and gloom comes in is people thinking they're abandoning the pfSense, you know, Community Edition version, and I'll actually leave you the article over here from ServeTheHome: "Assuming Netgate keeps pfSense Community Edition alive and well, then the community will likely not notice much of a difference. It may create more interest in some alternatives, but this is the nature of announcements like this." And I actually, you know, I'll leave a link to this whole article. They talk about, on January 21st, some of the upcoming features in pfSense. They also have a release article for the release version they just released yesterday, talking about the new version of pfSense. And so I really agree with a lot of what they're saying there, and we have to kind of wait and see. I'm just very logical when I go through these things and go, all right, what are they going to do? Are they going to kill it off?
I don't think so. I don't think they would. Matter of fact, one of the things about Netgate, if you didn't know, is they contribute a lot of code to the open source community. Matter of fact, WireGuard, which people are so excited about, got into the BSD kernel because dollars flowed out of Netgate to sponsor the project. Literal money had to come out of Netgate, and people complaining who download pfSense for free and, you know, hating on Netgate for their hardware, whatever weird reasons, I see some unusual comments all the time. But that being said, that money that went into development benefited the BSD community as a whole, so anyone running the new BSD kernel gets the advantage of it. They actually sponsor a lot of projects, and other people had commented about people and the nature of the open source community that contributes to pfSense. Actually, to my knowledge, everyone contributing code to pfSense is on the Netgate payroll as well. So that will of course lead more people to speculate, well, in that case they're probably just going to kill off giving away anything for free because they're trying to get the, you know, subscription money and push more hardware.
I don't see it. Part of the popularity of pfSense, and this actually goes for other popular projects, TrueNAS being one of them, is that offering an enhancement and a paid version for support and offering a free version you can download really keeps your product out there and in high usage in the market. And when they share a very similar code base, with the exception of a few add-ons they're going to do for pfSense Plus based on a roadmap they have, you end up with a massive user testing base who come up with a lot of scenarios and give you a lot of feedback, participate in a lot of forums, and keep the interest going in the product. So I don't see them as killing this, but feel free to wildly speculate. Get your caps lock ready, hate me for it or whatever, tell me that it's the end of all things open source, and some of the other weird comments that I've been getting tagged in on Twitter.

All right, now we'll actually get to the fun part of what's new in pfSense. That's the part I really wanted to talk about. But one last part I want to get out of the way, though: what's new in pfSense and what's new in pfSense Plus? I bring that up because there are the divergences, and this is of course the first segue where there's something different. But this right here lays it out. There's very, very little that's different, and the very little that's different is support for Intel QuickAssist Technology, known as QAT. So there's some crypto acceleration tools, including SafeXcel, and some IPsec profile export. Let me actually show you that over here. So this is an SG-5100 loaded, and we go to VPN, and we have the AWS VPC VPN export, an export for Apple profile, IPsec export for Windows. And if we go over here to the Community Edition and we click on VPN, those are missing there. There's the big differences right now between the two versions. The other difference, if you see that here, it says Community Edition, and there it's Plus. Community, Plus. Um, yeah, pretty much you're looking at the same thing.
So whether or not you should load the pfSense Plus edition because you have a Netgate, or you want to swap out your Netgate to run the Community Edition, you're not really missing a whole lot. There's not a lot on there that's dramatically different between the two versions. All right, now we can scroll down past that, and now we can get to the long list of things that are in here. The base OS upgrade is now FreeBSD 12.2-STABLE. OpenSSL upgraded to 1.1. Performance improvements. Performance improvements I would describe as: if you're not familiar with the dashboard, when you go back and forth to the dashboard, the dashboard loads faster. I noticed that's at least one thing that was listed in the errata for some of the enhancements. They've done some tuning, and it doesn't seem to pause even when there's a network cable disconnected, which sometimes, if you took one out, it would sometimes pause a little bit. There's little tweaks like that when they say performance improvements. The big one, of course, is WireGuard. WireGuard is a new VPN layer 3 protocol designed for speed and simplicity. This is one of those things that a lot of people are excited about, and this is what I mentioned: Netgate actually sponsored this project to be put into the BSD kernel, so any service, any device using the BSD kernel, not just pfSense, can take advantage of WireGuard. They've done some IPsec enhancements. Now, I have been reading through the blog post and reading through things like Reddit, and noticed a few people had commented, I think one or two, about problems when they upgraded from 2.4 to 2.5 and problems that occurred with IPsec. There might be something there, I don't know. There's not enough people that I've seen posting about it to dive into it. We have not, because it's only been out for a day, pushed this all out to our clients to really deal with any issues. We did update a few systems here. We've updated this SG-1100, I updated the SG-2100 at my house, I updated the SG-5100 here,
we've updated our lab system. All those updates went fine. Several of them had VPNs; the VPNs work fine, but they were OpenVPN, and the WireGuard VPN that I had set up from the release candidates and moved into full release, that seemed to transfer over. But the IPsec VPNs, we don't have any in our lab at the moment when we did the upgrade, so I don't know if there's any real issues with it, but it's new. So, you know, this is the fun of finding out. OpenVPN 2.5 now mandates cipher negotiation, but also tries to be friendly to older ciphers because they've now updated to the new version here. ChaCha20-Poly1305 is now supported. That's a pretty new cipher, and yes, it's the same one used by WireGuard. They've updated the certificate manager. And this is one of those things about wild speculation that needs to be reiterated: several years ago, AES-NI was suggested as something that might be necessary in the 2.5 version of pfSense. That has been one of the most confusing things, of people telling me they switched from pfSense to something else because they were going to require AES-NI in 2.5 several years down the road. It's now several years down the road, and that thing didn't happen, because it became kind of an unnecessary step to require AES-NI, and even at the time of the announcement, processors with AES-NI had been around for seven years with that extra instruction set, so you could easily pick up old hardware. And people didn't seem to like my opinion, suggesting that it was going to destroy and be the end of pfSense and cause everybody to switch, but it certainly caused a lot of confusion. I think they regret even suggesting they were looking at that on the roadmap, honestly. Now, they did make a couple changes here to things like OpenBGPD. They got rid of a couple extras, and they're consolidating right here.
So if you're a BGP user, please make note of that. And upgrade notes, let's talk about this little section right here: proceed with caution before upgrading pfSense. Not just because of the issues that are going on right now, on February 18th, in Texas, but also, you know, just be careful when you're upgrading. Also, do not update packages before upgrading. This is one of those things that gets people in trouble quite a bit. They will go and try to update the packages when there's a new release. What happens is the new release is release 2.5. Let's say you're on 2.4 and you go, hey, let's log in. Oh, before I update to the new operating system version, should I update the packages first? No, because sometimes the package updates were targeted at the new version. So if you update packages, they are expecting to find 2.5. I think they're working on a way to stop it from even happening, but right now you could potentially break things if the package has a dependency that's in 2.5. Therefore, you should always upgrade the operating system to the latest version, which is 2.5 now, and then it'll auto-update the packages. And if any packages need an update after you did the update, well, then you can update them when you're on the latest release of pfSense. So that's all in this here. Now let's dive into, though, the actual interface and what it looks like, some of the changes. And I will also be leaving a link to this because there is obviously more than just that. You're probably thinking this was kind of light. This was a highlight reel. This is the detail, and this is all the changes, which is really extensive.
There's not just a few things changed; there's a lot in here, and we're going to talk about a few of them and show you, like, the WireGuard interface and what it looks like here. So let's start by going over to WireGuard. Go to VPN, go to WireGuard, and yes, this is the new WireGuard interface. Now, I did a video in the release candidate, and it pretty much looks the same as it did in the nightlies and the release candidate. There hasn't been a ton of change to it. It works perfectly fine. I don't really have any issues with it. It is going to require some new tutorials, of course, to get this set up. I did a video on how to build your own WireGuard server in Linux; much of that conceptually works the same. It's the nuances of knowing where to put things in here. I do like the fact that they added the copy button right here, so you can just copy a key, go into the other system, we're going to edit the peer, and just paste it in. I do like the simplicity of that for setting it up. It also has the option to hit generate, and you can overwrite your current keys, or when you first set up a new one, which we'll go here to WireGuard and add a new tunnel, you can just have it generate the keys right away on the fly like that. So pretty straightforward, and it keeps creating interfaces wg0, wg1, and so on and so forth. And, uh, I found it pretty intuitive overall.
I think they did a nice job implementing this. Now let's go on to packages. What's new over there? It wasn't mentioned in the release, but there's a couple things that I thought were interesting. One of them was Zeek. Now, they did mention, of course, the change in the BGP routing packages, but Zeek is a, well, I didn't see it mentioned, and Zeek is a passive, open source network traffic analyzer. It detects specific attacks, including those defined by signatures of events, as well as unusual activity. This is not necessarily a replacement for your IPS systems like Suricata or Snort. Zeek is a way to enhance some of that and perform some intelligence data on it. And let me explain: you have the option to choose the interface here, and by the way, I have not gone through and really used this, but I kind of wanted to show people. It looks like they have a control config here. They also have the Zeek clustering options, so enable Zeek cluster, where these proxy hosts are, and where, if you have something tied in. This is actually the way they are implemented in larger security stacks. Then we have Zeek scripts that you can add, and this is where it's going to get a lot more advanced. This isn't like just a drop-in replacement. This is an enhancement tool that, if you're already familiar with using Zeek, which I am not particularly familiar with, which is why some of these menus are a little bit foreign to me. I've used Zeek when it's already been configured in something like Security Onion. Again, I have not used Zeek as a standalone product, but I really think it's cool that they added it in here. Next, over on the packages, if we go back over to the package manager, is Node Exporter. And what this is is a way to export data from pfSense over to Prometheus. Haven't used this one yet either, but I thought it was cool to see it in here. I know a lot of people have asked me, and it's just not really something I plan to use anytime in the near future, but I know people like Prometheus. Now you have the option to turn on
enable node export, choose the interface, and be able to set up a list import here and the collectors for Prometheus to be able to send data out to, where I think Prometheus actually reaches in and gets the data, not particularly familiar with it, in case you didn't know. But for those of you that are familiar with Prometheus and have come up with ways to get data in and out of pfSense using it, this is going to probably make it a lot easier for you. So I thought those were worth mentioning on there. Now, one big change that wasn't really in the announcement, but it's in the release notes here, is all the changes to logging: the changes to system logging to use plain text and log rotation versus the old binary clog format. And many of you may have not even been familiar with the clog format because you're either exporting the logs out of pfSense or you're just not looking at them from the command line. But that's the way they were doing it previously. That's been deprecated, and now they're using, if you're familiar with Linux, the more popular, I would say, plain text formats on there. There's also some minor differences on there. They increased the number of log lines they display by default. And the only thing I didn't see, that I didn't load fresh to confirm, but as far as I know, they still, when you go to Status, System Logs, I always go to Settings and I say show log entries reversed, newest on top. I don't like my newest log entries on the bottom; to me that doesn't make sense. But nonetheless, you can always check that box, but they have changed them now.
I already had some existing settings I had changed from the default, so those didn't get overwritten. But they did make some of those changes, as noted in there, for when you are setting up new. So your old settings seem to carry over perfectly fine from the in-place upgrade, but if you're doing it new, they have some new defaults. They also have done this: when you go to System, you have General, Gateways, Routing, DNS Resolver, Wireless, GUI Service, and OS Boot information. They've just parsed it out a little bit differently, and I think this is great, especially this part right here, because when you're booting up a system, you want to know the details of what happened in boot, and rather than going to the command line, typing dmesg and sorting it out or trying to dig through it when it was kind of consolidated, breaking these things out is really nice. Including if you just want to know what was going on with the UI and what changes, and here's all the Tom wandering around and the changes, and the nginx logs. So this is also kind of welcome, the way they did this here. Now, a couple things they did that might make the gaming people happy are the improved handling of UPnP with multiple gaming systems. I do not have multiple gaming systems, but there was actually a forum post I saw just the other day of people having multiple Xboxes and some challenges. Hopefully this solves those challenges with UPnP and whatever gaming system you might be using. Also kind of related, but I thought was just somewhat amusing, is the traffic shaper offering this feature: it's the added Google Stadia port range for the traffic shaper wizard. And I just feel as though this is going to be something short-lived. So they've added Google Stadia here, which to me is almost amusing. If you're not familiar with Google Stadia, it's the service that Google is going to do for streaming games that, well, a lot of people kind of feel is perhaps not going to really come to life, and Google may end up killing it.
But hey, at least they added it. But more importantly, they do have Wii consoles and Xbox, Steam, PlayStation consoles, EA Origin, and Battle.net. And this is all part of when you run the traffic shaping wizard. So if you want to do a little bit of traffic shaping around those games, they've added some updated ports on there. Now, traffic shaping is something people want me to dive deep into, but it's kind of a challenge because some things don't get caught by the traffic shaper and some things, maybe, as things change, it just becomes kind of a pain. I will leave a link, just so you can understand traffic shaping better: Mark Furneaux did a video on it, and it has the animations that explain traffic shaping. I always tell people to watch that first so they understand what traffic shaping really does, because he added not just how to do it in pfSense, but specifically how the traffic shaping works and how it arranges packets. I'll leave a link to that video; I've referenced it before. Now, one last little thing I don't want to skip over, because this actually is something that's come up with several of our large installs that we've done, is if you reboot pfSense, you will break the authentication for all the different people who have already authenticated against the captive portal, and that's definitely a pain in the butt when you have several thousand people hitting a captive portal for authentication. And so they added the option so that captive portal may choose to remove or retain logins across reboot. That way, when someone's authenticated across captive portal, then you will end up with them surviving a reboot, because telling, well, I think one of the clients has 4,000 people in there, telling them to log back in because they had to reboot the firewall because of an update, well, that could be kind of, well, not fun.
Nonetheless, when everyone at a large complex has to do that. Also related is TLS 1.3. So this was actually added to the web UI, which then in turn is also added to captive portal. So both of them now have 1.3. So we're going to continue testing and updating systems and getting ready to produce new tutorials and new videos. That long list, I'll leave a link to all the different changes, because there are quite a few. It's more than just the little highlights that they shared on the Netgate blog post. But that's always the challenge, is figuring out, you know, how many features to add and how to list them out in a blog post before the blog post becomes as long as the actual detailed feature list. So if you have the time, read through that whole feature list. There might be a few other things that really affect you that I skipped over that are pretty exciting, but I covered the ones that I think are, well, at least a highlight reel for what we're looking at on there. And I'm sure there's more nuance to it that we'll find as we move along, going, oh yeah, that is neat that that works now, or this little feature has been added. I'll leave links to everything I mentioned here: the ServeTheHome post, the Netgate posts, and everything else. And have fun upgrading. Oh, the question is going to come up all the time: should I upgrade? I say yes. I'll leave that up to you, though.
Make sure you have a backup in place. Make sure you've downloaded the XML file and are ready in case it goes wrong. But the short answer is yes, I'm definitely upgrading all of our systems. We're going to be rolling these out as we have time to do so, making sure that if we have to execute a backup plan, you know, to replace it, that we have it available. And of course in the next coming weeks, we have our own systems and we have a lot of complicated deployments; those are going to be the real test of the upgrade, because doing something simple like these couple devices with a couple of VPNs, or even mine at home, is easy. When you get into really complicated ones we've set up with policy routing and HAProxy, that can be a little bit more of a tricky battle. And I've already seen a couple people say they had issues with the policy routing. I don't know; we haven't upgraded any systems yet that have policy routing to find out if that's an issue. The pfSense forums are going to be a place to post that. That's where the developers hang out, that's where the developers are looking for issues and are going to be posting solutions to those problems. So that's going to be the place. If you post on this YouTube video going, I upgraded and now this weird error keeps coming up, I'm probably not the best person to ask, and I'll try to respond to YouTube comments, but that's why they have the Netgate forums dedicated to this, and you may find other people that've had the same problem, and you may find the solution over there. I'll leave a link to the Netgate forums in case you weren't aware they existed.
Thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.
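The move from the binary clog format to plain-text, rotated syslog files that the video mentions in its logging section is the change most likely to affect anyone reading pfSense logs from the command line or shipping them to a SIEM. As an added example (not from the video, and not pfSense's own code), here is a small Python parser for firewall filterlog lines in that plain-text format, following the comma-separated field layout Netgate documents, plus a defender-side summary of which sources are being blocked inbound on many distinct ports. The log lines are constructed for this example; the hostname, rule numbers and addresses are made up.

```python
import re
from collections import defaultdict

# pfSense 2.5 writes the firewall log as plain-text syslog lines instead of
# the old binary clog format. Each "filterlog" line carries a comma-separated
# record: rule, sub-rule, anchor, tracker, interface, reason, action,
# direction, IP version, then version-specific header fields, then length,
# source, destination and protocol-specific fields (ports, TCP flags, ...).
# The lines below are constructed sample data for this example.
SAMPLE_LOG = """\
Feb 18 10:15:30 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,123456789,,65535,,mss;sackOK;TS;nop;wscale
Feb 18 10:15:31 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51235,23,0,S,123456790,,65535,,mss;sackOK;TS;nop;wscale
Feb 18 10:15:32 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12347,0,DF,17,udp,78,203.0.113.5,192.0.2.10,40000,53,58
Feb 18 10:15:33 pfSense filterlog[1234]: 12,,,1000000201,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.7,44321,443,0,S,99,,65535,,mss
Feb 18 10:15:34 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,80,2001:db8::1,2001:db8::2,55555,443,0,S,1,,65535,,mss
Feb 18 10:15:35 pfSense sshd[999]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
"""

# Syslog prefix as written by the plain-text logger; only filterlog lines match.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"filterlog\[\d+\]: (?P<csv>.+)$"
)


def parse_filterlog(line):
    """Return a dict for a filterlog line, or None for any other syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    rec = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "rule": f[0],
        "tracker": f[3],
        "interface": f[4],
        "reason": f[5],
        "action": f[6],
        "direction": f[7],
        "ip_version": f[8],
    }
    if f[8] == "4":
        # IPv4 header fields: tos, ecn, ttl, id, offset, flags, proto_id, proto_text
        rec["protocol"] = f[16].lower()
        body = f[17:]
    elif f[8] == "6":
        # IPv6 header fields: class, flow_label, hop_limit, proto_text, proto_id
        rec["protocol"] = f[12].lower()
        body = f[14:]
    else:
        return rec
    rec["length"] = int(body[0])
    rec["src"] = body[1]
    rec["dst"] = body[2]
    if rec["protocol"] in ("tcp", "udp") and len(body) >= 5:
        rec["src_port"] = int(body[3])
        rec["dst_port"] = int(body[4])
    if rec["protocol"] == "tcp" and len(body) >= 7:
        rec["tcp_flags"] = body[6]
    return rec


def blocked_inbound_ports(lines):
    """Map each source address to the set of destination ports blocked inbound."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            ports[rec["src"]].add(rec.get("dst_port"))
    return ports


def noisy_blocked_sources(lines, min_ports=2):
    """Sources blocked on at least min_ports distinct ports, noisiest first."""
    ports = blocked_inbound_ports(lines)
    hits = [(src, len(p)) for src, p in ports.items() if len(p) >= min_ports]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in noisy_blocked_sources(SAMPLE_LOG.splitlines()):
        print(f"{src} blocked inbound on {n} distinct destination ports")
```

On a real system the same functions can be fed the rotated plain-text files directly (for example by iterating over the lines of each file) instead of the constructed sample.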