Tom here from Lawrence Systems, and let's talk about pfSense 2.5, or pfSense Plus 21.02. Confusing, as I have two version numbers to remember now. Anyways, the pfSense Plus or pfSense 2.5 Community Edition, whichever one you're using: the updates to this, should you update to it? What are some of the changes in terms of problems you may run into? And let's talk about some of those edge cases.

The first one I want to address is the fact that WireGuard has been removed from the project. I brought this up on another video, and for those of you that haven't seen it, feel free to go watch that video, because there's no need to address it again here. But anyways, not to get off topic, what is on topic is the release candidates that are coming up and the insight that I don't have into them. This has been coming up as well: should I wait for the release candidate? Sure. Yes, if you have a problem that will be addressed in the release candidate, the answer is yes. They have a long list of issues that are being addressed in the release candidates. But because I'm not a reseller or any insider that has some deep knowledge of what's going on inside of Netgate pfSense, I don't know when they're coming out any better than you do now, despite people that seem to think that I am affiliated more deeply with them than I am. I am not; I am just a user. But I also happen to make a lot of videos on pfSense and many other topics for tools that we use on this channel.

But let's get right back on topic here now that we addressed this, and talk about the edge cases. One of the big ones that has come up a lot is people who use privacy-oriented VPNs. There are fixes for the upgrade. So if you upgrade from 2.4 to 2.5, yes, this does seem to break. The nature of it appears to be cipher changes that are made in these VPNs. So with the new version of OpenVPN some of the ciphers don't line up, and someone commented on this link here, like for NordVPN, that NordVPN has now updated their documentation to include pfSense 2.5.
So there are, like I said, workarounds now. This is much more of a home user, or I would say maybe a tech enthusiast, thing, where they want to get around region lock for certain content they want to watch, or just privacy, or they're into VPNs in general, those use cases. So this is not as much something that really affected us upgrading our clients on the business side. And we have a combination of clients: we have clients we manage, and we have clients that are co-managed, as in they have the internal IT and they contact us for support. This issue really hasn't come up, and it's actually been from a user standpoint for people who are remote VPNing in, like the remote workforce users on OpenVPN. It's only been a couple instances where they were using a slightly older cipher that didn't translate to the new 2.5. Change a cipher, redownload OpenVPN, problem solved, moving on. So that was some of the minor problem, but of course this is where there's a lot of noise of people complaining about it not working, but a lot of it is around this particular thing here. Check the Netgate forums for the solution to the problem you're running into.

The one reason that we can't upgrade certain clients, this is a big one right here, and this is not resolved, not even currently in the release candidates. By the time the release candidates get to full release this should be resolved, but this may be a reason that you don't want to upgrade at all, and it's a state-matching problem with responses to packets arriving on a non-default WAN. So if you have a default WAN and you have a port forward on a non-default WAN, so a secondary connection with a port forward to it, and you have someone coming in on that secondary non-default WAN with a port forward to a device behind it, you have a problem. It will send the packets back out the main default route. So this is kind of an edge case.
This is certainly not something everyone has. We had a client, one, that had this setting, so this prevented us from upgrading. As always, before you upgrade be prepared, have a backup, be ready to roll back. So we just rolled them back. This is how we solved that problem. We rolled it forward and the problem was just, well, we didn't read this part because we didn't expect this problem, so we didn't find it until after we rolled forward. Contacted Netgate, they linked us to this problem right here. So we rolled them back to the previous version. So this is something that, if you have this case, yeah, don't upgrade. This is definitely a problem that needs to be solved, and after the updates it should be resolved once they get these, well, they're in release candidate now, once they get to full release.

Now the next issue is something, let's talk about how to do a workaround for, not a patch. This is the unbound problem. This has been a puzzling one, because we did not experience this with our system. This is currently running a release candidate, by the way, that doesn't have the unbound problem completely fixed, but we're doing some testing in our lab here. If you go here to Service Watchdog, you can add things under Service Watchdog to restart a service if it fails. Unbound, there's some bugs in it. I'm not exactly sure what the causes are, because for a few of the clients we've upgraded, even though we've put this in just in case, there hasn't been an issue at all. Our system seems to do it once a week; we have it restarting unbound, but it doesn't do it every day. I've heard some people say it happens every hour to them. I have not dove into every detail. I know the easy solution is add a Service Watchdog. It'll restart unbound if it stops. It's a workaround.
It's not the best workaround, but it's a workaround that will keep unbound up and running. And uncheck the notify box if you're someone who doesn't want it to notify you every time a service fails. So far those are the only two issues that we've really had: the default gateway one and the problem with unbound. But that's still that problem of, like I said, some clients it doesn't seem to affect at all, and in some of our clients it's kind of irrelevant because, well, they have Windows domain controllers, and in the business world that Windows domain controller living in there means the Windows domain controller gets to be the DNS and DHCP. So it kind of went unnoticed, and a handful of the upgrades we did for some of our business class, just kind of the nature of things, are not even using the DNS inside of here. So not an issue altogether for the business use case upgrade.

Now, I will leave a link to all this. This is all the open bugs currently that are getting fixed in the release candidates, and there's, you know, quite a bit going on here. They have a changelog over here I'll leave a link to, so you can see if these are some of the other issues you've had, specifically like the fix for the aliases. This is kind of a weird one. It's not one we noticed, but it is something I'll bring up because enough people have brought it up. If you rename an in-use alias, it doesn't properly go everywhere it's supposed to and rename that in the firewall. So if you renamed an alias... which for us, because we're upgrading in place, we're not re-setting up a firewall.
I'm changing aliases all the time. We didn't really run into this as a problem, but at least I'll bring that one up. There's a few other bugs in certificates that are definitely kind of annoying, and there's some specific cases where people had some problems with IPsec. We didn't run into this, but that's also because things like IPv6 we're not using, and we just didn't have these particular scenarios. What we did do, though, was we have in our own system here, and a few of our clients, things running like HAProxy, and that worked perfectly fine. No issues at all with HAProxy. We had no problems with Let's Encrypt automatically renewing certificates tied to HAProxy. We had no problems with FreeRADIUS and OpenVPN using all the modern ciphers.

So whether you should upgrade still comes down to: do you have those use cases? I feel though more the homelab users and the people who are really into some of those privacy VPNs are people that seem to have some of the most problems, and they have the most edge cases. Especially people who passed, and this has come up with consulting we've done, a bunch of extra parameters in the extra parameters of OpenVPN. Those extra parameters may or may not work with the new version of OpenVPN. The biggest thing I can do is tell you to turn your log verbosity up really high and read through the logs to figure out, oh, I'm adding an extra function that is now, you know, a deprecated function in the new version of OpenVPN. That's where you can kind of trace some of those problems. Do your own testing, and always do backups before you do this.

So my opinion on whether you should upgrade is: if you have a business use case, it seems to be less affected. But do please read through all the different changelogs that I'll leave links to, because that's ultimately... it depends, as I said at the beginning of the video. It depends on your use case. For us, most of our business clients use the more basic functions of it, and that works perfectly fine.
Those issues haven't really come up. We do have site-to-site with OpenVPN that works fine. We've had site-to-site with IPsec that works fine. We had just the one client who had things coming in on that other one, and yeah, it was just easier to roll them back until that particular issue is resolved. So that one is the only one that we've run into that's an absolute no-go. The unbound one is more of an annoyance, but for those of you in business that, you know, have a Windows domain in the middle, it's the master controller for all of your DNS, it kind of becomes a non-issue. It's annoying if it crashes, but it's not something that the end users have any notice of, so to speak. So up to you; ultimately, of course, the decision is yours. I'm just here to provide information and point you in some direction on some of these things. I'm looking forward to the release candidates. I'll keep playing with our lab here, and when they go into full production... but I wish I had a better thing than "when they come." I don't have a date, I don't know or have any special insight. I'm like you; I'll be on Reddit discussing this. Please spend some time in the Netgate forums just reading through things. Sometimes that's how I find out about more of these problems, if they're not problems I'm having, as I just go through and spend a lot of time reading through there and look at some of the interesting use cases people have and some of the unique things that they're using pfSense for. And yeah, that's all I really have to say about that.

The other drama, for WireGuard, which I know someone's gonna leave comments on this video for: leave them on the other video, because that's where I actually discussed WireGuard. For now, WireGuard doesn't exist inside of pfSense, as far as I'm concerned. It exists on other platforms. I still have a love for the WireGuard tool itself.
It'd be cool when it gets back into the pfSense project. I mean, I have no idea when that was gonna be. I am as in the dark as all of you may be on that, except for maybe someone watching this knows more than I do, but it's not me. Thanks.

And thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store where we have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.