Tom here from Lawrence Systems, and pfSense Plus 22.05 has been released. This is not going to have a simultaneous release, though, with the CE or Community Edition, and I wanted to put that up front here for people wondering a couple of questions around this, including: can you go back to the Community Edition if you did one of those in-place upgrades from the CE to pfSense Plus, then pfSense Plus 22.05? I bring it up like that because people want to be able to go back and forth, or they're worried that the license that comes with a pfSense Plus that comes for free when you get Netgate hardware, or you have a free homelab edition, or you can buy a support edition of pfSense Plus, could you go back to Community Edition, or are they so divergently different that you can't? And I actually did confirm and test this, that there's no problem going from 22.05 back to Community Edition.

Next, let's talk about the differences, which I have a video where I've talked about this before, but of course, well, you can skip watching that video and we'll just cover real quick the differences right now between pfSense Plus and pfSense CE. Also, we'll cover that pfSense CE is still being developed. Don't worry, they're not abandoning it. It's still being developed simultaneously with pfSense Plus. So we'll cover that when we cover some of the release notes, because you'll see some of the things that are similar between them. But the main differences between these two right now, and by the way, Netgate, if you're listening, I'd love for you to make a place on your website where you can just compare the two, that'd be great, so I can link to it. But for now, these are the ones as far as I can remember off of my previous video and the new things added. And that is going to be: the OpenVPN import tool is only in Plus.
So is QAT crypto, ZFS widget, AWS VPN wizard, IPsec export: Apple profile, IPsec export: Windows PowerShell, ZFS boot environments, that's new in 22.05, and OpenVPN data channel offload, DCO. That's also going to be a pfSense Plus feature only, and that's new to 22.05. So those are the current differences if you're considering moving to the Plus edition. As I said, you can get it as an in-place upgrade with your CE. And if you don't like it, you can go back to CE. It doesn't seem to break anything, other than you'll lose access to those extra features that I had mentioned.

Now, before we dive into details of this video, let's first, are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there's affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

The first place I want to start is right here in their very visible, without a login, Redmine issue report. So you can really see exactly what's being done, what changes were made, and there's quite a few changes that were applied to the 2105 Plus edition.
And you'll notice, somewhat in parity, there's similar issues that were on the resolved/closed list here for the 2.7 edition, that's the CE edition. So you can still see there's tons of active development here, pages of it, matter of fact, of closed issues that have, you know, all been fixed and resolved. There's still some open issues that, you know, need to be resolved, so they have not finished the CE edition. But as I said, they're still being developed absolutely in parallel; for those wondering, it's very visible here.

Now the first feature highlight is going to be data channel offload. And this is a really interesting feature. So we're going to go ahead and click on it and go right to the OpenVPN page on it. And essentially what's going on here is context switching limits the performance you can get by going in user space versus kernel space; that context switching has a performance cost to it. Data channel offload is not a new version of OpenVPN; it's a different implementation to the way the data channel is offloaded within the kernel. Netgate did some work to bring this into pfSense. But to give you an idea, on a Linux client, Linux server basis, here is the results of 2950 and speed from OpenVPN DCO versus your tunnel speed normally here, versus when one client has DCO and the server has DCO, or vice versa. So you have a couple of different scenarios, but when both systems use it, and this is going to be new, and it's currently beta, which is OpenVPN 2.6, they did integrate it into the pfSense system, you get the most benefit. So you may not get anything right away from this. It's kind of the groundwork laid for some future performance enhancements. But this is pretty awesome.

The next, and the one that we're going to be demoing here, there's also a demo by Christian McDonald, one of the developers, he talks about this as well, a little bit more in depth than I will. His YouTube video is really clear on this. It's the ZFS boot environments.
I love that they moved to make ZFS default on both Community Edition and pfSense Plus. ZFS is great for an integrity firewall system that just does a great job of recovering itself from maybe random power outages and things like that that sometimes happen with firewalls, unfortunately, and you want them to always boot up in a good state. ZFS is wonderful for integrity and not having many problems regarding that. In addition, those ZFS snapshots can be used to create boot environments, which is also a great enhanced feature. And this boot environment feature, we'll demo it, but it's just really slick being able to create essentially snapshots to reboot the system into whatever version you want and just jump back and forth between them very simply.

They also moved captive portal from IPFW to PF. On the past releases, captive portal required IP firewall because PF lacked features necessary to fully implement captive portal functionality. However, using IPFW came with the price of performance loss due to two packet filters loading and running traffic through both. The firewall also used IPFW to manage traffic shaping via dummynet. So they did some reengineering. If you're a captive portal user, we don't really have many of these out in the field. Captive portals are kind of a one-off thing and I try to avoid them unless they're really necessary. Some people try to use them a lot more than I think they should. But hey, now that they've made some updates to it, you'll get some faster performance out of it.

A few other notable changes: a fix for UPnP and multiple gaming systems. New gateway state killing options for failover. That's always welcome. And firewall/NAT rule usability improvements such as buttons to toggle multiple rules and copy multiple rules to other interfaces. I'll show that; that's actually kind of a nice feature. I just want to jump back over here to Redmine and remind people that yes, some of these features targeted 2.7, plus target version 22.05.
This is that UPnP feature. So if you're on CE, you can go through all these resolved/closed. This is why I said there's a lot of process going on in tandem where they're targeting these updates and changes to both versions of pfSense, both the pfSense Plus version and the pfSense CE version.

Now I have my lab system spun up here running 22.05 pfSense Plus. And the first thing I want to talk about is the boot environment. Now this was set up with ZFS. If you have a system that doesn't have ZFS, this feature isn't going to be available. And the only way to get ZFS is going to be: please back up first, grab your config file, reload pfSense, upload config file. And by default, when you reload pfSense, whether it's Community Edition or Plus, they both will default to ZFS. So you can have a ZFS file system on there and just restore your config file, even if that config file was built without ZFS; the config file doesn't care what file system the underlying OS was built on top of. But to get this feature working, it does need to be ZFS.

This is my default base version. And you can see here, if we do a little mouse over, we'll zoom in a little bit, make it easier to see, we have next boot environment is going to be this one; it is set to be default. So we can quick create a new boot environment and we can edit it. We'll just call it quick demo. Don't really need to give a description, but you can; you can put whatever you want in there. This is the one we're working on, but this right here is a frozen point in time of what this system looks like. So I can revert to it. How do you revert to it? Well, we can just click this and make it the next boot environment and reboot. Or we can temporarily make it the boot environment by a one-time reboot. So we can actually just do quick demo and one-time reboot to it. Matter of fact, let's go back, hit quick create a couple more times.
And as you see, I create a couple of these; maybe you want different snapshots for different reasons. When you go back to do the one time, you'll actually see the list in there. So the different versions. This is really fun for a lab environment, because it's very quick to create these entire snapshots without even grabbing the config file. It's a file system level snapshot.

And what do I mean by that? Well, we go System, Boot Environments, and let's get rid of the extra ones I don't need. We're just going to delete these real quick. We'll leave this quick demo one. It's a snapshot before we made any changes. What change are we going to make? Well, let's load this as a change. As we go down here, we see there's a package that needs to be updated. I purposely left this package not up to date. So I could hit confirm here, wait for the package to initialize, and it's going to go ahead, and done. Now if we go back to boot environments, and we want to move over to the demo, the demo was the before I did that update. So currently the system is 100% up to date. But because this isn't just a config change, this is a file system update. If we go ahead and set this to be the active boot environment, or we can just do the one time, we'll do the one time real quick here. So we want quick demo one time to be booted. And we'll hit submit.

And before we go and let it completely boot back up, I want to show you the boot environment options. And you can see active is going to be this one right here. But you can actually change these right in the menu. We're not going to change anything; we're gonna go ahead and let it finish booting up into that. So hit one, and just let it finish booting with the default parameters. But it's going to boot that version that was a snapshot prior to us doing that update. Now the system is booted back up. And we go down here. And we see that sudo has not been updated because, well, we're on that other boot slice here.
So we go back over to this boot environment. And you can see the difference in sizes, well, probably about the size of that sudo update that was on there. Now we can go back to this as the default boot environment, which technically it is; this is what it's running on now, because we didn't change it to be the default.

The advantages of doing these one-time environments, or in the instance where you may have a problem, where you want to do something that you're not sure if it's going to cause the system to be in an unbootable state, you can then change our demo here, like this: the next boot environment will be this quick demo one. Now we can make all the changes we want. If those changes lock us out of the firewall and that firewall happens to be remote, or even if it's local, just unplugging the firewall and plugging it back in means this is the demo one that will come back up next time. So that way you can make a whole lot of changes. And if somehow that change status leaves you in an unknown state, like for example, if you were to disable a firewall rule to lock yourself out, just rebooting the firewall will bring it back to this state. But once you're done committing all the changes, make sure you set to the proper boot environment for each one. Pretty straightforward, I think, in how they set this up. And we're going to go ahead and keep the quick demo one as is and get rid of this one, delete it, okay. And now this is the default boot environment, which means I should probably update that sudo package again over here. So this is now the default one. Pretty easy to do. I like the simplicity of it.

Now let's talk about the firewall rule update. We can go here and we're on LAN, and this rule doesn't exist on LAN2. And I'd like to copy this rule, or many rules, but we'll just do one to keep it simple. And I want to copy this rule. Where do I want to copy to? I need the same rule over here, and paste.
Now on LAN2 this rule exists over here without me having to go through and recreate it. It's got a couple extra settings at the bottom. Even the advanced settings that I did down here are now pulled over into this rule, and you hit apply and you're done. You can now copy this over if you have many different segments, a whole lot of different subnets on your system; you can copy this rule over and it makes it a lot easier. I like it. It's a simple change, but you know, not having to duplicate the rule, edit and change it to the different interface is a pretty cool feature.

Next thing is the OpenVPN data channel offload. I have not done but a little bit of testing with it right here. I need to get a new version of OpenVPN set up in order to make this work properly, I believe, but it's just a checkbox. If you're wondering where the DCO, enable data channel offload for this instance, that's it. You turn it on or off on a per-OpenVPN basis. All the other settings stay the same, but of note, there are certain things that are not compatible. So if you had different ciphers selected, those ciphers cannot be selected, for like your fallback right now is set to GCM 256 GCM. You can't have a different fallback if you're turning that on. As it's noted in the release notes of this, there are certain specific things that only work with DCO at this time, but there are more algorithms that will be supported in the future.

Now, as far as rolling this out to all of our clients, it is June 28th of 2022. This was released on June 27th. That means we haven't really had a lot of time to get it rolled out to everyone. pfSense Plus or the Community Edition, both you have to log in and manually upgrade. So when people ask, how do we get all of our clients updated? Well, it's a project.
We make sure we have backups of everything, which we always do, and then we make sure we run around updating all these and make sure the update goes well, scheduling the time with the client because, well, there's some downtime for this update to be applied. We did it on our systems first because I want to make sure we're testing everything. Our system currently at our office runs HAProxy, runs the ACME service for certificates, runs WireGuard and OpenVPN. Although we didn't test the data channel offload in-house yet on our systems, the upgrade went fine and all the services work perfectly fine inside our production systems. We've tested some of our lab systems and a handful of other systems that we're kind of in the process of deploying for clients. We're pushing all the upgrades to these. Looking forward to these updates and looking forward to the boot environments, because that'll make upgrading these systems that are mostly remote, or just the fact that you don't want to go onsite or something goes wrong, a little bit better, because the upgrade process itself for version upgrades will take advantage of the ZFS boot environments in pfSense Plus.

Leave your comments and thoughts down below. I'll leave links to the blog post and a Redmine post and my other videos I've done on pfSense. Thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated.