Kitz Forum

Broadband Related => Broadband Technology => Topic started by: Alex Atkin UK on February 12, 2021, 05:11:55 PM

Title: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 12, 2021, 05:11:55 PM
Testing out pfSense 2.5.0 as it's now hit release candidate.

So far I'm having problems getting gateway monitoring to work on Plusnet, for some reason the IP I was using before isn't getting a ping response.  This is possibly related to a long-standing issue I had with my configuration though, I can't ping out of the Plusnet WAN from pfSense and I have no idea why, but before it WAS at least working for gateway monitoring.

The only other issue is my AirVPN clients failed as one of the custom options they tell you to set is now deprecated in OpenVPN, so I simply removed that option.
Title: Re: pfSense 2.5.0 RC now available
Post by: underzone on February 12, 2021, 07:20:35 PM
My in place upgrade went well  ;D

Code:
2.5.0-RC (amd64)
built on Fri Feb 12 03:07:06 EST 2021
FreeBSD 12.2-STABLE

The system is on the latest version.
Version information updated at Fri Feb 12 19:15:49 GMT 2021
Title: Re: pfSense 2.5.0 RC now available
Post by: Wera on February 13, 2021, 10:58:42 AM
I will probably stick with 2.4.5 for now. It's working well and is stable. I have tried 2.5 a couple of times on the bleeding edge versions and they worked fine, but it doesn't have any "must haves" for me that would require an update as yet.
Title: Re: pfSense 2.5.0 RC now available
Post by: tickmike on February 14, 2021, 02:24:29 PM
Mine is still on the old one, do you have to click >system>update to install it?
I'm newish to pfs. :-\
Title: Re: pfSense 2.5.0 RC now available
Post by: Jon21 on February 14, 2021, 03:26:21 PM
Quote from: tickmike
Mine is still on the old one, do you have to click >system>update to install it?
I'm newish to pfs. :-\

You do yeah. You'll need to change the branch to "Next stable version (2.5.0RC)".
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on February 15, 2021, 02:26:48 PM
There was an issue on 2.5.x that was broken for a year where dummynet was sending traffic to a blackhole on WAN interfaces but mysteriously was fine on LAN.

Then they had some kind of code crunch just before the RC and they fixed it in one direction, sadly it's still broken on inbound traffic but pfsense still consider the bug fixed as almost everyone uses it on outbound matching only.

Having been using 2.5 for a year in a datacentre, that was/is the only problem I had with it.

2.5 is a bit of an unknown, as, for some who may not be aware, netgate are now going to focus on their commercial product which is forking away from the community edition, they will still offer code contributions and still supervise the project, but as to how much attention it gets moving forward only time will tell.

I will be testing the commercial product on the dummynet bug as I am curious if that will work on there.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 15, 2021, 08:12:34 PM
Isn't the commercial version supposed to be focusing on cloud management?  I must say that bothers me.

Not only that it seems illogical for small businesses to have everything cloud based, but also how is that supposed to work if pfSense is what allows access to the cloud so if it breaks you lose access to it?

I'm still not a huge fan of Cloud based anything.  Case in point, I recently decided to integrate my Google Calendar into my Intranet home page (it's displayed permanently on monitors in two different rooms in my house for network/server monitoring) using their PHP code sample, and it's just suddenly stopped working with no indication of why.  I have no clue how to even begin debugging this, there are no error messages coming back from the API and nothing in the cloud portal (there seems to be little you can actually do/see in there) to suggest it's been blocked either.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on February 15, 2021, 08:53:08 PM
They are claiming the initial release isn't much different to what the CE is, just a few small enhancements, but over time the gap will grow.

More info here.

https://www.netgate.com/blog/pfsense-plus-pfsense-ce-dev-insights-direction.html

Also they are adopting rapid development (something I am not a fan of but seems it's industry wide practice now), pfsense plus will be very rapid, CE not quite so rapid but still very frequent compared to historical levels.  Hopefully they will adopt a longer period than 6 months support for each major release.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 15, 2021, 09:12:13 PM
Well I use Fedora, so not exactly a stranger to rapid development.  Although it does seem a risky approach for a router OS.

Maybe we will have to jump to OPNSense at some point, would be kinda annoying.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chunkers on February 16, 2021, 08:41:09 AM

Quote from: Alex Atkin UK
Maybe we will have to jump to OPNSense at some point, would be kinda annoying.

I have been thinking the same thing, I have played around with OPNsense a few times and I like the WebUI better but found that pfSense handles my load balancing better, this guy makes an interesting comparison (https://teklager.se/en/pfsense-vs-opnsense/) between the two OS.

C
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on February 16, 2021, 10:59:31 AM
Oh yeah the opnsense UI is very nice. I already use opnsense on 3 devices, my home setup with it being complex I have just been too lazy to attempt to move it.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 18, 2021, 09:46:44 PM
pfSense 2.5.0 RELEASE is now out!

Quote from: Chunkers
I have been thinking the same thing, I have played around with OPNsense a few times and I like the WebUI better but found that pfSense handles my load balancing better, this guy makes an interesting comparison (https://teklager.se/en/pfsense-vs-opnsense/) between the two OS.

C

I guess once I have FTTP and load balancing won't matter any more, it could be a good time to look into it.  Though I do have a spare Atom PC I could install it on to have a look.

Although ZFS and pfBlockerNG are things I'm quite fond of.
Title: Re: pfSense 2.5.0 RC now available
Post by: underzone on February 18, 2021, 10:17:58 PM
pfSense Plus 21.02-RELEASE and pfSense CE 2.5.0-RELEASE Now Available
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 19, 2021, 05:50:09 AM
Still can't figure out why I can neither ping nor traceroute out of the Plusnet gateway from pfSense but it WILL work from the LAN.

More frustrating is apparently just turning off gateway action didn't work, it still marks the gateway offline in the gateway group unless I disable monitoring entirely.  This makes it harder to figure out if I ever fix gateway pinging as I can't have it enabled and use the Internet properly.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chunkers on February 19, 2021, 08:45:09 AM
The 2.5.0-RELEASE update popped up for me yesterday so I ran it and it seems to have installed pretty smoothly, the only two things I have noticed so far are :

C
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 19, 2021, 09:04:58 PM
NTP is fine here.

sudo ntpdate router.lan
19 Feb 18:29:57 ntpdate[5804]: adjust time server 192.168.1.254 offset +0.000004 sec

OpenVPN clients (specifically to AirVPN UK) seem less stable than before though, but I have gateway action off for those as didn't want the firewall bouncing if the VPN is having issues.  I think it's some quirk with the AirVPN client configuration rather than a pfSense problem.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 22, 2021, 07:56:06 PM
I've been able to move my IoT WiFi over to pfSense directly as FreeBSD 12 supports 802.11n on the integrated WiFi card.  This was actually one of the improvements I was expecting from the new release so glad to see it works.

It still seems much slower than the nanoHD (but different channel so could be crosstalk related) but fine for IoT devices.

It means once I move to WiFi 6 I will be able to properly test how that functions on 2.4GHz by ONLY having WiFi 6 clients on it.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on February 25, 2021, 02:42:45 PM
If anyone has unbound instability on 2.5, a fast tracked update has been pushed in, can be updated with the following command.

'pkg upgrade -fy unbound; pfSsh.php playback svc restart unbound'
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 25, 2021, 03:19:07 PM
Well I seem to have solved the Plusnet monitoring issue when I changed the default gateway to one where all gateways are tier 1.

For some reason when I had it set to the gateway group that has both DSL as tier 1 and LTE as tier 2, that wasn't working correctly.  It blocked anything specifically directed out of the Plusnet WAN from the pfSense box, plus never fell back to LTE even when both modems were switched off.  Discovered that yesterday when my drop wire was being replaced.

It's really bizarre as it makes no sense that setting it to the gateway group where everything is tier 1 would make a difference, especially as monitoring WAS working for LTE which is what you'd think "might" break when it was set to tier 2.  I wonder if just changing the default gateway has somehow fixed a configuration glitch.

Can't say I've noticed any problems with Unbound though.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on February 25, 2021, 04:28:30 PM
Unbound has so far been ok for me as well, but since there is a lot of noise about it on netgate, I thought I would post it just in case.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on February 25, 2021, 08:27:38 PM
Yeah it's good to know, I'd expect a minor update to bring that patch into the main branch shortly.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 11, 2021, 07:46:05 PM
I have started to have problems which might be Unbound related as I think it's DNS lookups failing on the LAN.

Strange thing is, Unbound is always running when I check the router.  Installed the update to see if it fixes it.
Title: Re: pfSense 2.5.0 RC now available
Post by: displaced on March 12, 2021, 12:39:15 AM
Did this upgrade last night.

I’ve disabled unbound and use bind9 instead.  After the upgrade and reboot, bind had stopped and its config option was missing from the Services menu.

Package Manager still showed bind as being installed, but I clicked ‘reinstall’ and everything came back. No loss of configuration, luckily.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 12, 2021, 01:25:45 AM
You don't use pfBlockerNG?  That's a big reason people use pfSense rather than say OPNsense.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 17, 2021, 05:11:12 PM
This doesn't make good reading for Netgate.

https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/

Not sure I would want to be using the wireguard implementation in 2.5.

Also seems 2.5.1 is on the horizon.

--

Looking into it all, I think I will be following Martin on to opnsense for home router, I already am using it on other devices anyway so the migration shouldn't be a big thing hopefully.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 17, 2021, 07:20:48 PM
That's a depressing read, especially if you carry on down the comments.
Title: Re: pfSense 2.5.0 RC now available
Post by: underzone on March 17, 2021, 07:49:49 PM
Netgate really are proving themselves SO wrong in their decision to go closed source in the future.

If it was closed source now, then Jason Donenfeld couldn't have looked and seen that the wireguard code was crap and fixed it for them.

I am also mulling OPNsense like you guys.

Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 17, 2021, 08:19:36 PM
Also trying to talk sense into pfsense leaders on open unbound issue, they want to roll back to an old version instead of simply disabling dhcp registration by default.

I will update the forum on how my migration to opnsense goes.  I do remember Martin telling me you can still load ASN lists etc, into opnsense using its built in functions.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 17, 2021, 10:53:23 PM
To me, dynamic DHCP registration is just a bad idea to begin with.  What does it do if the hint from the client is the same name as an existing host?  The whole idea opens up any client on the LAN to being able to mess with the entire LAN infrastructure which just seems bad.

I understand how that is acceptable for home use, but then anyone using pfSense should be thinking outside the box to begin with and so having static DHCP entries to deal with the problem should be a non-issue.
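
The name-collision question raised in the post above can be checked offline against the DHCP server's lease file. This is an added example, not part of the original post or pfSense's own code; it assumes an ISC dhcpd-style leases file, and the function names, sample leases and static host table are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 1123 host label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_leases(text):
    """Parse lease blocks; the file is an append-only log, so the last block per IP wins."""
    leases, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"^lease\s+(\S+)\s*\{$", line)
        if start:
            cur = {"ip": start.group(1), "mac": None, "hostname": None, "state": None}
        elif cur is None:
            continue
        elif line == "}":
            leases[cur["ip"]] = cur
            cur = None
        elif line.startswith("binding state "):      # skips "next binding state"
            cur["state"] = line.split()[2].rstrip(";")
        elif line.startswith("hardware ethernet "):
            cur["mac"] = line.split()[2].rstrip(";").lower()
        elif line.startswith("client-hostname "):
            # Client-controlled value: match it per line so a "}" inside cannot end the block.
            name = re.match(r'^client-hostname\s+"(.*)";$', line)
            if name:
                cur["hostname"] = name.group(1)
    return leases

def audit(leases, static_hosts):
    """Flag active leases whose client-supplied name is unsafe to register in DNS."""
    findings, claimed = [], defaultdict(set)
    for lease in leases.values():
        name = lease["hostname"]
        if lease["state"] != "active" or not name:
            continue
        key = name.lower()                           # DNS names are case-insensitive
        if not LABEL_RE.match(key):
            findings.append(("invalid-label", name, (lease["ip"],)))
            continue
        if key in static_hosts and static_hosts[key] != lease["ip"]:
            findings.append(("static-collision", key, (lease["ip"],)))
        claimed[key].add((lease["mac"], lease["ip"]))
    for key, owners in claimed.items():
        if len({mac for mac, _ in owners}) > 1:      # same name from different MACs
            findings.append(("duplicate", key, tuple(sorted(ip for _, ip in owners))))
    return sorted(findings)

def _block(ip, mac, name, state="active"):
    return (f"lease {ip} {{\n  binding state {state};\n  next binding state free;\n"
            f'  hardware ethernet {mac};\n  client-hostname "{name}";\n}}\n')

# Constructed sample data (not taken from the thread).
SAMPLE_LEASES = "".join(_block(*row) for row in [
    ("192.168.1.101", "02:00:00:00:00:01", "old-laptop"),
    ("192.168.1.101", "02:00:00:00:00:01", "laptop"),          # renewal, supersedes above
    ("192.168.1.102", "02:00:00:00:00:02", "Router"),          # claims a static name
    ("192.168.1.103", "02:00:00:00:00:03", "laptop"),          # second MAC, same name
    ("192.168.1.104", "02:00:00:00:00:04", "bad_name}"),       # not a valid DNS label
    ("192.168.1.105", "02:00:00:00:00:05", "printer", "free"), # expired lease, ignored
])
STATIC_HOSTS = {"router": "192.168.1.254", "nas": "192.168.1.10"}

if __name__ == "__main__":
    for finding in audit(parse_leases(SAMPLE_LEASES), STATIC_HOSTS):
        print(finding)
```
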
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 18, 2021, 09:14:48 AM
Agreed, even before this issue I had it turned off, and it's usually one of the first things I advise people to do, as the option has always been problematic and makes little sense.
Title: Re: pfSense 2.5.0 RC now available
Post by: hushcoden on March 18, 2021, 01:19:46 PM
Quote from: Chrysalis
Also trying to talk sense into pfsense leaders on open unbound issue, they want to roll back to an old version instead of simply disabling dhcp registration by default.

Are you mentioning any of those settings as per my attachment?
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 18, 2021, 03:14:44 PM
Yes, we're talking about Register DHCP leases as it requires Unbound to restart every time a client requests a DHCP lease which means for a moment all DNS on the network fails.

It's far better to use Register DHCP static mappings and give your clients a fixed IP address, that way it doesn't have to keep adding/removing them as they are the same every time.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 18, 2021, 03:16:01 PM
Yes "DHCP Registration"

Sadly the proposal has already been rejected, instead they are rolling back to an older version of unbound which we don't know if it would solve the issue either, as a lot more in pfsense 2.5 has changed than just the unbound version.

DHCP Registration in general I would keep turned off even without the recent problems that have been reported.  It will cause a mini DNS outage and flush DNS cache every time a dynamic DHCP lease is updated.

Every single person on netgate's forum I advised to turn it off reported back everything DNS related was fixed.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 18, 2021, 03:21:32 PM
What's the new problem with DHCP Registration anyway?  As far as I can tell it's ALWAYS been broken on Unbound due to requiring a restart every time a client gets a new lease.  Unbound was presumably never designed to have real-time live updates.

This option only makes sense for dnsmasq where it works seamlessly because the same client handled DNS and DHCP.   It makes perfect sense there as dnsmasq is for people who don't want the complexity of Unbound so are more likely to need the tiny benefit registering DHCP leases gives.

Anyone who DOES want the complexity of Unbound should know better than to let random clients mess with the DNS server.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 18, 2021, 03:23:49 PM
The new problem is instead of just being temporarily down for maybe 1-30 seconds for a restart (can be quite long if using large DNSBL lists on a slow device), it is actually staying down, and failing to restart.

The problem doesn't seem to occur with DNSBL reload, I think that's because the pfblockerng dev reloads unbound with just a rehash instead.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 18, 2021, 03:37:19 PM
It worries me about them "rolling back" as I had TONS of problems with Unbound not restarting after a WAN bounced, firewall restart or DNSBL reload a few years back.  So they could end up making the problem worse.
Title: Re: pfSense 2.5.0 RC now available
Post by: underzone on March 18, 2021, 05:42:27 PM
Now Netgate are 'cancelling' one of the devs who helped in the wireguard recode:

"I'd like to set the record straight. Netgate personnel were involved in part with my announcement of removal."

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006522.html
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 18, 2021, 07:26:09 PM
It just keeps getting better and better.  A nice slow sarcastic clap for Netgate.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 19, 2021, 11:49:28 AM
Quote from: underzone
Now Netgate are 'cancelling' one of the devs who helped in the wireguard recode:

"I'd like to set the record straight. Netgate personnel were involved in part with my announcement of removal."

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006522.html

After Netgate requested the fixed code be pulled (as well as their own code), I do wonder now if wireguard even has a future in FreeBSD, potentially it won't happen as politics can hold things up for years, I hope this is not the case and the fixed implementation comes back, but this announcement isn't good at all and makes my fear more likely to become a reality.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 20, 2021, 12:21:41 AM
Presumably the user level version can still be used, just vastly less efficient.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 20, 2021, 11:40:44 AM
I checked unbound and I already have the latest version without doing the extra update command, I think people who updated to 2.5.x late got the latest by default as that's what's in the repo.

The user version of wireguard from what I understand can still be used in FreeBSD (although now has no maintainer), and in opnsense which is what they had already added.  pfSense I think is just using the kernel version that is based on the pfSense patch.
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 20, 2021, 09:04:25 PM
I was curious to maybe try Wireguard for my fixed links, but it's not the end of the world.

I'm more bothered about their attitude to fixing problems, pissing off devs and rolling back to potentially broken versions of Unbound to fix a feature that arguably shouldn't exist for security reasons to begin with.
Title: Re: pfSense 2.5.0 RC now available
Post by: underzone on March 20, 2021, 11:22:00 PM
I have now installed OpenWrt instead of pfsense on my fancy x64 PC hardware.
WOW it is fast and super lightweight, performance is great!

Installation instructions, if you fancy trying it too:

Flash this with rufus or etcher to a USB pendrive (extract it first):
https://downloads.openwrt.org/releases/19.07.7/targets/x86/64/openwrt-19.07.7-x86-64-combined-ext4.img.gz

Boot it up (with a monitor connected) and set a new root password with: passwd
Set a static LAN IP address with: vim /etc/config/network
Then enter: service network reload
Now you can SSH in, and load the web interface.

In the web interface set up your WAN settings (PPPoE for me, Plusnet 80/20).
For BT/Plusnet VDSL2 etc, you need to add this to your PPPoE interface (in the web UI): Physical Settings, Custom Interface, ptm0.101

OpenWrt has Cake, Smart Queue Management (Common Applications Kept Enhanced) which is way better than FQ_Codel.
And best of all - it is Linux based, as I know naff all when it comes to FreeBSD.

To install Cake, SSH in and enter:
opkg update
opkg install luci-app-sqm

Then reboot & then it will appear in the web interface under: Network.
After setting Bandwidth to 85% of my max, I set Queue Discipline to: cake, piece_of_cake.qos

To enable 1500 MTU (baby jumbo frames aka RFC 4638) when using a suitable modem, set in the web interface: Override MTU to: 1522 (Interfaces - WAN - Advanced Settings)

This channel has loads of tips:
https://www.youtube.com/c/VanTechCorner/videos

My bufferbloat test from http://www.dslreports.com/speedtest is now always:
Overall A+  BufferBloat  A+  Quality  A+       ;D

Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 21, 2021, 02:20:22 AM
I used OpenWRT BEFORE pfSense, the problem is it's a PITA to upgrade particularly as I don't trust booting off USB sticks for something I need to be reliable.

Also I found web pages "felt" like they loaded quicker on pfSense.  But power consumption is much much lower on OpenWRT.  FreeBSD has crap power management, but then arguably you don't want a router clocking up and down anyway as that introduces latency.

I agree with the idea that BSD is better for a router in general, the packet filtering is better apart from the lack of Cake/SQM.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on March 21, 2021, 12:01:31 PM
Quote from: Alex Atkin UK
I was curious to maybe try Wireguard for my fixed links, but it's not the end of the world.

I'm more bothered about their attitude to fixing problems, pissing off devs and rolling back to potentially broken versions of Unbound to fix a feature that arguably shouldn't exist for security reasons to begin with.

I proposed the change here and it was rejected. https://redmine.pfsense.org/issues/11316

Underzone, I agree on cake as well, sadly seems no hunger for anyone to get in FreeBSD (meaning also not in opnsense/pfSense).
Title: Re: pfSense 2.5.0 RC now available
Post by: Alex Atkin UK on March 21, 2021, 08:08:58 PM
I actually have one of my old TP-Link WDR3600 on my friend's cable connection and despite the fact it's now underpowered for the package they've got, not heard any complaints from him except when it's an actual problem with Virgin themselves causing the connection to fail.

I'd always recommend OpenWRT with Cake on the fastest consumer router they can find, for anyone who doesn't have fancy requirements.

I didn't want to use x86 for him as I already had a backup PC up there and it kept failing, he would never go and check on it.  It's really not an ideal place as it's in a loft that gets HOT in summer, but keeping all the networking up there stops his dad messing with it.  He is one of those people who has a nasty habit of pulling cables and pressing buttons while not knowing what on earth he is doing.

I'm shocked it's still working as it must be over 10 years now, I'd expect all the capacitors to be failing.
Title: Re: pfSense 2.5.0 RC now available
Post by: Chrysalis on May 03, 2021, 05:34:08 AM
Got a decent opnsense config on my old pfsense box, I will probably be moving the internet cable over very soon to do some testing and then if all is well will move the install to the faster hardware.