Tom here from Lawrence Systems. pfSense Plus 21.02.2 and pfSense CE (Community Edition) 2.5.1 have been released. This is the first major update to really fix a lot of bugs since the release of the new pfSense Plus and the pfSense CE 2.5 series, and we all know it's been a bumpy road; there were a lot of little quirks and issues. We actually were able to upgrade many of our clients, but there were certain conditions, and if you have those certain conditions you've been holding off on this update altogether, because those conditions made you essentially unable to update. So let's talk about all the details of what has changed in this new version. One of the major changes is really just the removal of WireGuard. As they said in their own words here: out of an abundance of caution, the kernel WireGuard implementation has been removed from these releases. That is one of the first things that really should be addressed. Yes, WireGuard has currently been completely removed from pfSense. People like to ask me on Twitter and in comments on my videos, "Do you know if it's coming back?" I have no idea.
I assume at some point they will. I don't have any direct line or official statement from them other than what they post on their blog, which I'm reading to you along with the update. Head over to Reddit, r/PFSENSE, and you can see the posts that go there; you can head over to their forums, where they talk about it, or their blog, which I'm reading from. So I don't really know how to address it. But one important thing before you do these updates: you must remove WireGuard and all WireGuard configurations prior to the update. The update will actually fail if you don't, so that's really important. And as always, before you update, make sure you have a backup, and make sure you have a downloaded copy of pfSense CE or a ready image, so you can get the image of whatever device you may have from Netgate. You want to make sure you're prepared for these. This is often where people get into a panic, because they just hopefully assume the update will go well. Also, prior to the update, reboot the system once. That's just generally a good idea: reboot it once and make sure it boots back up. That way you're only dealing with one issue. If you reboot it and it doesn't come back up prior to the update, well, you have another problem that you need to address; and if you had updated and then rebooted, you would have only found that problem then and assumed the problem was because of the update. That actually just happened recently, so it's worth noting. Back to the actual changes of what is different now, and more specifically what's fixed. So the big difference: WireGuard. What's fixed?
I actually want to jump right on this one. This is one of the ones that hung us up from updating a couple of clients: the non-default WAN routing issue, and I was so happy to see this issue fixed. This was, like I said, one of the problems we ran into with a client that has, as one does, some special use cases and slightly different setups; they weren't just using the WAN for failover. But that has been resolved, so that part made me really happy. Of course, the next thing is: what about DNS stability? Do I have to deal with that crashing now? This is a little bit less of an issue for some of our business clients, because they're in Windows environments, and Windows environments require, to properly get them working, that you have Windows be the DNS server for Active Directory. So this wasn't always an issue in those environments, and the workaround, the band-aid on it, was to use the watchdog service to tell DNS to start every time it crashed, which seemed to be very frequent on some systems and less frequent on others, but nonetheless definitely a problem. That issue has been resolved now. We only loaded this the other day, so this is a day after the release. We did load it on our production systems, and I've loaded it on a handful of systems in our lab, and so far none of them have had a problem with the DNS crashing. So cross your fingers; hope that's fixed. But so far, so good. If you want to continue updating, and if there's some reason that it does fail, yes, I will probably do an update or a video, or follow me on Twitter and I'll certainly be mentioning it, or filing a bug report on this. They also updated to the latest OpenSSL to address some of the CVEs that are out related to that, and the IPsec tunnel identifiers and a couple of other issues with that.
So there was an issue with this that I only ran into a couple of times, where they wouldn't work: when you did the upgrade it broke some of the IPsec tunnels. You could rebuild them, but there were certain conditions that would cause issues. All of that's been resolved, so now I guess it should work perfectly fine for doing an update from version 2.4. The thing is, for anyone we had that had this problem, because we fixed and rebuilt the tunnels, it didn't really matter, so we can update those systems and the IPsec tunnels should keep working. So those of you that held back, or upgraded and rolled back, should be able to do that now. One of the things I thought was a little bit strange, and I just don't think about this as much, but this was definitely a big oversight, was the alias stuff. People seem to be pretty upset about this; I get it, but I never think to change aliases once I create them. I change the contents of an alias. And this was an interesting problem, because what would happen is, if you created an alias and then changed the name of the alias, it would not propagate to all the firewall rules where that alias was used, or other places it was used. So you should create an alias... I would normally, as I said, create an alias and not ever change the name of it, because we purposely name the alias as part of the firewall setup when we're doing this for a client, and then I would change the contents of, or, you know, propagate, that alias. That's a great way to use it. But everything about changing the name of it, I didn't notice this error. I'm really happy that it's fixed; that way, if you do create a series of aliases and you go, "Oh, I want to rename that alias," and you've already used it everywhere, that problem has now been addressed. Although I didn't see it often in my setups, speaking for the way we use it,
it's definitely something I know a lot of people had a problem with. Now, before we get too far, let's talk about the known issues and errata that they have right here. There are a couple of edge cases where, if you're using certain ciphers and AES-NI acceleration, there are some problems, apparently. I thought this was a weird issue; I didn't run into it on any of the systems we updated. I tried VPN and it worked fine. But there are workarounds, so please read this and double-check before you update if you're using these ciphers in this combination. Also, if you're using the FRR routing package, please note the change of the default there: instead of automatically announcing, it now implicitly needs permission to do the route announcements in BGP. It's those little details that can really pull your hair out if you don't take the time to read this, and I actually encourage people to read the entirety of this fix list, just in case you have some edge case on there. But we've been continuing to update all of our systems here, and all of them went fine: the few clients that we did the updates for, and of course all the lab systems, have gone really well. That does include the ones we have virtualized, like this one right here, which is currently running the 2.5.1 release, and we did update several different random hardware devices we have here, and all of those seemed to take it perfectly fine, the non-Netgate ones running CE. In front of me I have a Netgate SG-1100; we updated this. I've updated my 2100 at home; I did that yesterday, right away, because it's my home one and, worst case, I'll inconvenience a few people in my house. I do a lot of this testing because I know the question comes up a lot: "Hey, is it safe to run this?" And people say, "You know, I wait for a few people to tell me," people who are posting actively in forums, or they wait for me to do a video on this. I've already had a few people message me on Twitter like, "Hey, Tom, is it safe to upgrade?"
I'm doing all the testing as fast as I can and trying it on many devices. I even had some Protectli devices, and if you've seen my Twitter post, we updated those too. I didn't grab them because they're actually part of a project in the other room that's part of our lab that we're building out, but even those went perfectly fine. So, you know, so far I'm going to say the upgrade process has been smooth. I think because this is a point-one release that Netgate spent a lot of time just fixing things in, it should generally go pretty smoothly. This 5100, our 5100, which runs HAProxy, FreeRADIUS, multiple VPNs, lots of routing rules, many networks, VLANs and separate interfaces for a lot of different things, went completely smooth and fast. As a matter of fact, because I wanted to make sure it was done, I did it during the workday, with minimal disruption, just kind of on a bet that it would probably go smoothly. I was gambling, and my own staff were nervous, but yeah, they just took a few-minute break and it updated relatively fast, and everything seems to be working perfectly fine. I even told it to update Let's Encrypt and HAProxy and all that, and it restarted perfectly fine. So it does seem to be working well, but of course it depends on how adventurous you're feeling. Always do a backup first before you update, but thus far I think this bug-fix release, which is more or less what it should be titled, seems pretty solid. Thus far, granted, yes,
I know I've only been testing it for roughly 24 hours now; I think it was just about 24 hours, at the time of this recording, since the update became available. But I actually was testing some of the release candidates as well, specifically with the lab system here, and I updated from the release candidates that were being tested, where we troubleshot some of the things on here, and that seemed to go very well, updating it to the full version. So I think it's probably safe to upgrade. Decide how critical things are, or if you just want to wait a little bit longer. But for those of you sitting on 2.4.5 asking, "When should I do it?" because you wanted to skip that first initial release of 2.5 or the pfSense Plus initial releases: I get it. Waiting, you're right, wait till that first point-one release. And this isn't just a Netgate problem; this is well-known with many companies that have done things like this. Sometimes their first release of a major version is not a lot of fun.
It's for adventurous people who want to file bug reports and head over and document what went wrong, because, well, this is a community project still, and community contributions back to it are what help get this project moving forward: letting them know those edge cases and what they missed when they wrote these updates, which apparently was a lot, as we see from all the things that got fixed here. But hey, this is the way forward, and yeah, if you want to update, go ahead. Thanks, and thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, are where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
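As an added example, not from the video and not Netgate's own tooling: a small POSIX shell check for the pre-upgrade step the video stresses, that every WireGuard tunnel and interface assignment is gone from the configuration before you start the 2.5.1 / 21.02.2 update that would otherwise fail. The layout it greps for (a `<wireguard>` element holding `<tunnel>` entries, and assigned WireGuard interfaces appearing as `<if>wgN</if>` under `<interfaces>`) is an assumption about 2.5.0 config.xml files, not something the page states, and the two sample configs are constructed here rather than exported from a real device. On a real box, point the functions at the live config, /cf/conf/config.xml, after taking your backup.

```shell
#!/bin/sh
# Added example, not from the video or from Netgate: pre-upgrade check for
# leftover WireGuard configuration in a pfSense 2.5.0-style config.xml.
# Assumptions (my reading of 2.5.0 configs, not stated on the page):
#   - tunnel definitions live as <tunnel> elements inside <wireguard>...</wireguard>
#   - assigned WireGuard interfaces appear as <if>wgN</if> under <interfaces>
# The live config on a pfSense box is /cf/conf/config.xml.

# Print how many <tunnel> entries sit inside the <wireguard> section (0 if absent).
count_wg_tunnels() {
    # `grep -c` exits 1 when the count is 0; `|| true` keeps that from aborting under set -e.
    sed -n '/<wireguard>/,/<\/wireguard>/p' "$1" | grep -c '<tunnel>' || true
}

# Print how many interface assignments still point at a wgN device.
count_wg_assignments() {
    grep -c '<if>wg[0-9][0-9]*</if>' "$1" || true
}

# Exit 0 when the config has no WireGuard leftovers, 1 when anything remains.
wg_free() {
    _t=$(count_wg_tunnels "$1")
    _a=$(count_wg_assignments "$1")
    [ "$_t" -eq 0 ] && [ "$_a" -eq 0 ]
}

# Constructed sample (not a real export): one tunnel still defined and assigned as opt1.
write_sample_with_wg() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>em0</if></wan>
    <lan><enable></enable><if>em1</if></lan>
    <opt1><enable></enable><if>wg0</if><descr>WGTUN</descr></opt1>
  </interfaces>
  <wireguard>
    <tunnel>
      <name>wg0</name>
      <listenport>51820</listenport>
    </tunnel>
  </wireguard>
</pfsense>
EOF
}

# Constructed sample (not a real export): tunnels and assignment already removed.
write_sample_clean() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>em0</if></wan>
    <lan><enable></enable><if>em1</if></lan>
  </interfaces>
</pfsense>
EOF
}

# Stand-alone demo over both constructed samples.
_wg=$(mktemp); _clean=$(mktemp)
write_sample_with_wg "$_wg"
write_sample_clean "$_clean"
for _f in "$_wg" "$_clean"; do
    if wg_free "$_f"; then
        echo "$_f: no WireGuard leftovers, safe to start the upgrade"
    else
        echo "$_f: $(count_wg_tunnels "$_f") tunnel(s), $(count_wg_assignments "$_f") assignment(s) still present; remove them before upgrading"
    fi
done
rm -f "$_wg" "$_clean"
```

Run it as `sh wg_check.sh` to see both outcomes, or source it and call `wg_free /cf/conf/config.xml` on the firewall; a non-zero exit means there is still WireGuard configuration to remove before starting the update.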