Tom here from Lawrence Systems, and pfSense 23.01 was released on February 15th of 2023. Today is February 17th of 2023, and I've updated some of our office systems and our lab systems and some other systems to test, because we start rolling this out to customers pretty much immediately once we realize whether or not there are any issues. And so far I haven't found any issues that I would say would stop me from going forward. That being said, there are a few things that are really nuanced that I want to talk about here to make sure you have a good upgrade experience.

That first thing, and the first step, and there's a whole video on it linked down below, is use the boot environments. Boot environments will greatly help you recover if something goes wrong, or if you don't follow a step properly, or the download breaks, or something goes wrong with your whole update process. I didn't have too many problems, but I was also testing and following some pretty good practices here to avoid many of those problems.

Now, they have a whole guide on how to do the upgrade. I recommend you follow it, but if you want to know if Tom followed it exactly, the answer is no. Kind of out of laziness, but I'll tell you what I did do. I go ahead and reboot the firewall before I start the upgrade process. This helps eliminate any potential issues of maybe you have a drive that's ready to fail but you wouldn't know until you reboot it. But if you then add on top of that you load an update and that's the first time you rebooted it in nine months, well, that may be a problem where you didn't know there was going to be a problem. So as long as the firewall boots up fine before you start the upgrade, you're good; that at least eliminates that as a factor.

Next, I have that snapshot I create with a fully working version. Then I go ahead and remove a few packages. Now, the packages are supposed to pretty much all be removed when you do these major upgrades to avoid the issue. Sometimes it works.
Sometimes there's some hang-up on there. It's really not a big deal to remove packages, because the default install option on packages is to remember the settings. So if you remove a package and then reinstall that package, all the configuration for that package, for something like Suricata, should come in there. Now, when I say I didn't follow the instructions completely, I just chose to remove a few packages that I thought might cause problems, because I had problems when I was playing with the release candidate with these packages not following through when I did the in-place upgrade. So I did remove Suricata, pfBlocker, ntopng and Zabbix. Those are the only ones I chose to remove, and then I created one more snapshot after I removed them, just in case I had to remove one more and the upgrade went bad. But the upgrade went fine once I removed those packages on each system that I had tested.

One thing I'll kind of note is I wish, and maybe the developers will get around to this, there was a "remove all packages" button. That would be really handy if I could checkbox-remove them, because the only reason I didn't remove all of them is because I didn't want to tediously go through and do each one through the web UI. So I think there's a way you can do it from the command line, but I do follow the web UI; I want to share the same experience as most users will have using it, and hey, that'd be cool if there's a checkbox.

Once the upgrade was done, I then went ahead and added those packages back in, made sure everything worked, rebooted the firewall one more time after the packages to make sure there were no errors when it restarted, and now everything works.
Now we're going to get into what my environment looks like, but let's first jump over to what's new in pfSense 23.01. We'll just cover the highlights, and I'll leave, of course, links to all the details, but we'll also then jump to what doesn't work and a couple of known bugs, as of today, that have been reported. The good news is there are workarounds for these bugs, and hey, all that's linked down below.

Now the first big major change, and this is where there's just a lot of reworking under the hood here, is the move to PHP 8.1 and FreeBSD main. This means FreeBSD is going to be at 14 as the underlying OS, and PHP 8.1 is supported all the way till 2024, with the older pfSense running the 7 versions that are, well, end of life, being sunset.

Added support for ChaCha20-Poly1305 encryption. They did this with IPsec and with the OpenVPN DCO. Data channel offload is awesome. It is a substantial gain in speed for OpenVPN, and that's a really nice thing, because OpenVPN, because it attaches to things like LDAP or RADIUS and other methods of authentication, maybe where you tie this into a business with Active Directory, which is something we do, you're going to see OpenVPN for years to come. And actually this kind of breathes a lot of new life into it in terms of performance, and I think this is a great feature that they've added in here.

Next, resolving previous issues with Unbound. There's a whole write-up down below where Christian McDonald was able to finally reproduce kind of an elusive bug that caused some problems in Unbound, and that's all been reworked so that does not occur again, for those of you that were having the Unbound crash.

Continuing to improve captive portal, which many people know I'm not the biggest captive portal fan, because of the support problems it creates.
I will note that this does not improve the experience that you'll have if you put captive portal on a Wi-Fi network with a lot of general public users on there. Especially if they have phones, you'll run into weird issues with captive portal unrelated to pfSense, just because some phones don't process captive portal very well. That's still my opinion on it, but hey, there are improvements in the way captive portal works, and maybe I'll do an updated video on it since pfSense 23 is here and, you know, it's worth talking about.

Updating the pfBlockerNG package to match the pfBlocker development version: they are the same now. So if you want to load pfBlockerNG, you don't need to load the development version that was ahead of the other one, so this is the version you load right now. Maybe I'll do an updated video, because there have been some changes in pfBlocker, but for the most part it looks enough the same that my previous videos will get you through setting it up if you're uncertain.

Now I want to touch on a topic that's been, well, a bit controversial to some people, but I think this is a good thing: they've moved to the new version of FreeBSD, 14. Some may go, "Well, FreeBSD 14 isn't completely released, is it?" and you would be correct, but the people at Netgate are code contributors upstream. FreeBSD 14 is due out later this year as a whole operating system, but this is pfSense built as an appliance by the team at Netgate, who I feel are competent enough to build this in a stable manner with the latest version of BSD as a base. This being an appliance means not everything is in there, and the package repos it's pulling from are the ones provided by pfSense, so their customization of it kind of alleviates, to me, any worry that they're using a newer version than what would be considered current stable. This also gives them access to the most up-to-date drivers for a variety of hardware. This is something people have asked for, and they're delivering on. Closer alignment to the development cycle of
FreeBSD, so we're developing future versions against similar branches. Avoidance of more complex and larger volumes of work anytime pfSense software should change to a newer FreeBSD base. Ability to upstream our own changes and development to FreeBSD without a subsequent merge to an older base, lowering our technical debt. This is actually something that really needs to be considered: if you're contributing the latest updates and the latest changes, you then not only get them in FreeBSD 14, then you have to, if you were on a previous version, bring those down and backport them in. Now they don't need to do that and do the merge into the old base; they can now just have the new base. So I think this is, going forward, going to save them a lot of time, and it's also why it's taken so long, undoubtedly, to get to these newer releases, because this is a lot of code reworking under the hood. Even though it doesn't give you visually a major change in pfSense, it gives you a base change that's pretty substantial. And once again, this is for both CE and the pfSense Plus versions that this is being done for.

Now let's talk about some of the environments I'm testing in. This one is my studio firewall, which is not too complicated, but it has a few things set up here. We have just a single interface, but we do have a privacy VPN, so that's working perfectly fine connected to PIA. I have my WireGuard VPN connected to my office, well, other office, I should say, so that's working fine. So we have the client instance here, no issues with any of those settings. Then we have down here the handful of different networks and VLANs, and no issues with any of that. And I'm running on this one specifically Snort. I wanted to try Snort; a lot of people asked, does Snort work? Well, I use Snort at home and we use Suricata at the office, but all these packages loaded perfectly fine, didn't run into any issues, and I have ntopng on this one.

Moving over to our office system: the office system has dual WAN, so we get some load
balancing going on. We have HAProxy, we've got darkstat, we've got arpwatch running, we also have ntopng, OpenVPN, FreeRADIUS, Suricata that we're running, and Suricata is working fine here (there's something I'll get to about Suricata in a moment), WireGuard and Zabbix. So all of these things are running at the office here, and no issues. Matter of fact, I collapsed it so you don't see all their IP addresses, but all the employees that remote in have been remoting in perfectly fine. So this is a little bit more complicated setup, because we use FreeRADIUS to authenticate all the users, but none of this seems to have any trouble. We haven't had any usage issues in terms of the CPU usage being higher or the memory being high. I've seen a question come up a little bit, but I didn't see any change from before or after we loaded it to say there's a substantial change in memory usage on there. One of the things I will note: this is our Netgate 8200, and I've been waiting for 23.01 to come out to do the review, so this will be a long-term review. I've actually been using this for a few months now, and I'm really happy with the 8200, so that other video will be out soon, but I'm running a full production load on it for a few months, so my thoughts on it are based on that.

All right, now let's go to one more environment, and this is virtualized inside of Xen. Once again, didn't have any problems with it. We just have Suricata running on it. I just loaded it this morning to make sure it worked, but all this was working; didn't have a problem at all doing it in a Xen environment.

Now, the ones we've tested in terms of devices in the office were some custom hardware setups that we just had laying around, and then we loaded up a 3100, which we've been getting prepped, and that'll go out to some clients. Some of the clients are close; we'll probably just swap to the 3100 and swap it out so there's a minimum amount of downtime and not having to remote in, because the clients are close, but whenever we can, obviously, we prefer to
log in and do these remotely. So the 3100 didn't seem to have a problem, but let's get into it: it doesn't have a problem except this one thing, if you run into it and didn't do a fresh load. Because we had a lab setup, we didn't encounter the error, because we fresh loaded it; because we can, we'll just grab a new image and load it fresh. But let's talk about what's not working.

Now, this particular problem was brought to my attention on our live stream, but of course I looked through the forums and was reading through it this morning to see all the latest information, and it looks like this was updated four minutes ago, and there are basically some fixes for this. What you're running into is certain scenarios, such as if you didn't just fresh load like we did ours at our office, where you could run into a problem where it will not create the proper tunnel when you're setting up OpenVPN. Don't worry, there's a fix; you don't have to roll back. Updating it manually allows the tunnels to start, so pretty simple fix in here. The notes in the forum posts and the bigger discussion are linked right inside of this, and I've got this linked down below.

System states graph no longer working. Now, it still monitors other things, such as the ping times and everything else. I've done a video on using the system monitor to monitor your gateway ping times, but it's not monitoring the states, and you can see this person when they did the upgrade, and I noticed this issue as well. Good news is there's a fix: there's a ticket and there's a patch. This is actually a really cool feature you may not know about in pfSense. You can actually install a tool called System Patches, and then you can apply a patch number, and this is a way pfSense, without you even reloading the system or reverting back to the old version, pulls that patch and inserts it into your pfSense. So this is actually pretty cool that there's a fix for it. So if you care about the states and you don't want to wait till this gets fixed in a future
version, you can apply the fix today. This was posted about 21 hours ago, it looks like, and there's still some discussion on it, but nonetheless there's a fix for this if you care about the system states.

Now, I've covered what I found in the forums as of today, recording this video, but in terms of new features and changes and more detailed release notes, there are a couple of things they do note in here. One of them is on using ZFS: the first boot post-upgrade will appear to have higher than normal memory usage due to the large volume of file activity that takes place during the upgrade process. This is harmless and due to the ZFS ARC memory usage. I've done a whole video on ZFS ARC regarding TrueNAS; it applies the same because this is also BSD based, so using ZFS on BSD you're going to get the same ARC usage, which is a good thing, but it will show you using that extra memory for that reason.

One of the things that's kind of noteworthy in here, though: the Netgate 1000 does not support FreeBSD 14, so that one's out and not eligible for upgrade. The PCI bus for the Netgate 1100 and 2100 models does not currently function in 23.01. This means if you're trying to use those and using something such as a wireless card in them, you're going to have a problem.

Not going to get further down the list, because, well, there are a lot of things to cover in here and I need to keep the video somewhat brief, but there are plenty of things you should read through. One, though, that hit me was this right here: Suricata has an issue processing pass list entries containing /31 subnets. Developers have a fix prepared for testing, which will be added to the package shortly after the 23.01 release; see 13920 for details. So you can check the status of this. This update will solve this problem if you have a pass list that has a /31. I think this actually came up where I was confused when it seemed like Suricata and WireGuard weren't playing nice together, but it's actually more specific than that: it's when you have a pass list and
you've set probably a peer to a /31 and added it to the pass list. But this is something that is actively known, and there's a fix that will, well, maybe by the time you're watching this, it's already available, and it may not even affect you at all, but it's just something I should note if you're doing one of these upgrades.

And that's all I have with the pfSense Plus 23.01 release. And of course I have to address the elephant in the room: what about pfSense CE? Is it dead? Were those commenters right when they told us 2.6 would be the last release? But they're also the same people, I think, that told me 2.5 was their last release, or something like that. But I have played with and tested the 2.7. We have a couple of them running at the office, because I liked it. That's CE; a lot of people are still interested in that. Progress has been made: it's running FreeBSD 14, it's based on PHP 8.1. Sound familiar? Yes, they do develop these in parity with each other, pfSense Plus and pfSense CE. pfSense Plus has a few extra things. I think pfSense Plus is great if you want to use it, but if you are a diehard who only wants to use a CE version, that's fine too. There are a few differences; I've got a video where I cover the differences on there. Of note, you don't get the boot environments with your pfSense CE version. But nonetheless, 2.7 is available; the images are there, you can download them, you can test them, you can see how the progress has come on that. The development team is working diligently to solve any problems with that particular version, so I expect it to be released maybe soon, but I don't have a crystal ball, and their answer is a good one: they don't release it until they feel it's stable. So now that this is released and they're quashing some bugs, I feel they'll get that release pushed out here relatively soon.

Nonetheless, leave your thoughts and comments down below. If you have a bug to report, head over to the Netgate forums, and that's a great place to engage the developers to get those problems
solved, because complaining about them on Twitter and tagging Tom, or complaining about them on YouTube, is the worst way to get them solved. I just kind of shrug my shoulders and go, "Wow, you have a bug. Is there a bug report?" And then someone usually tries to post the link, and YouTube comments eats the link. So engage with the development team. The forums are free; join them. My forums are free if you want to engage with me. The Netgate forums are a great place to do some reading and engage with the developers over there, and if you have a nice write-up, that's how we get bugs solved: as we work our way through them, we make them reproducible, we provide the evidence to the teams there, and then they solve them. So go ahead and get updating. All right, and thanks.