The pfSense Plus Software 24.03 release is a significant leap forward in features and functionality for enterprise use cases, both on-premises and in the cloud.
Default Password Control: In response to mandates from US and international regulatory bodies, pfSense Plus software version 24.03 now implements stringent measures regarding default passwords. As part of Netgate's commitment to best practices, we strongly advise all pfSense users to adopt this change proactively.
Enhanced Update Process Using ZFS Snapshots: This release introduces significant improvements to the software update mechanism, leveraging the capabilities of the ZFS file system to bolster stability and minimize downtime throughout the update process. If necessary, administrators have the flexibility to revert to a predetermined environment quickly, enhancing the overall manageability and resilience of the system. This feature also simplifies remote upgrades with automatic fail-back to a previously known good boot image should the upgrade fail to boot.
Packet Data Flow Export: A notable addition to this release is the capability to export packet flow data to external collectors via the NetFlow v5 or IPFIX protocol.
Upgraded VPN Capabilities: Netgate is excited to announce Mobile Group Pools and performance enhancements. With the introduction of Mobile Group Pools, users access a dedicated tab to configure additional address pools and, if necessary, a DNS server, which benefits larger organizations.
Updated IPsec-MB Kernel Module: Netgate focused on reducing processing overhead and enhancing performance by updating the IPsec-MB kernel module (iimb.ko) to Intel's latest upstream version 1.5.
High Availability on AWS: Netgate is excited to announce the release of High Availability (HA) for pfSense Plus software on AWS. With HA on AWS, customers can meet uptime requirements and internal SLAs while safeguarding mission-critical operations within AWS.
pfSense Plus Software High Availability (HA) in AWS
Netgate's pfSense® Plus software is gaining traction among enterprise and government clients for its robust features, especially in AWS deployments. Recognizing the mission-critical need for uninterrupted services, Netgate introduces HA for pfSense Plus on AWS.
This innovative solution employs a dynamic primary/secondary firewall setup across different AWS availability zones. Both firewalls maintain identical settings through seamless configuration synchronization, ensuring consistent performance.
Powered by the resilient CARP protocol, these firewalls continuously exchange CARP advertisements, detecting an outage and enabling swift failover in case of a primary firewall failure.
AWS availability zone subnets have separate Layer 3 IP addresses, which breaks typical CARP first-hop redundancy (FHRP) behaviour, since FHRP relies on a floating IP address within a shared Layer 3 subnet. Netgate's pfSense Plus instead uses an AWS public Elastic IP as the floating IP and calls the AWS REST APIs to re-associate that Elastic IP from the primary appliance's WAN interface to the secondary appliance on failover. For outbound traffic, pfSense Plus likewise uses the AWS REST APIs to update the VPC route table so that the secondary device becomes the next hop. This ensures uninterrupted access for external users.
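The failover sequence described above, as an added illustration rather than Netgate's own implementation: on a CARP MASTER transition the node re-associates the Elastic IP to its WAN ENI and repoints the VPC default route. It uses the boto3 EC2 client calls associate_address and replace_route; the interface layout (EIP on the WAN ENI, default route pointing at the LAN ENI), all resource IDs and the FakeEc2 stand-in are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class HaPeer:
    name: str
    wan_eni_id: str  # ENI that holds the public EIP while this node is MASTER
    lan_eni_id: str  # ENI used as next hop for outbound traffic (assumed layout)

@dataclass
class HaTopology:
    eip_allocation_id: str  # allocation ID of the floating public Elastic IP
    route_table_id: str     # VPC route table of the protected subnets
    primary: HaPeer
    secondary: HaPeer

def failover_to(ec2, topo: HaTopology, target: HaPeer) -> dict:
    """Move the floating EIP and the 0.0.0.0/0 route to `target`.
    `ec2` is a boto3 EC2 client in production; the stand-in below exposes
    the same two methods so the logic can be exercised offline."""
    # AllowReassociation takes the EIP away from the failed primary in one
    # call, avoiding a separate disassociate step and a longer outage.
    assoc = ec2.associate_address(
        AllocationId=topo.eip_allocation_id,
        NetworkInterfaceId=target.wan_eni_id,
        AllowReassociation=True,
    )
    # Outbound traffic follows the VPC route table; replacing the default
    # route's target repoints the private subnets at the new active node.
    ec2.replace_route(
        RouteTableId=topo.route_table_id,
        DestinationCidrBlock="0.0.0.0/0",
        NetworkInterfaceId=target.lan_eni_id,
    )
    return {"association_id": assoc.get("AssociationId"), "active": target.name}

def on_carp_event(ec2, topo: HaTopology, state: str, local: HaPeer):
    """CARP state-change hook on `local`; only a MASTER transition calls AWS."""
    if state != "MASTER":
        return None  # BACKUP/INIT: the peer owns the EIP, nothing to do
    return failover_to(ec2, topo, local)

class FakeEc2:
    """Constructed offline stand-in that records what a real client would get."""
    def __init__(self):
        self.calls = []
    def associate_address(self, **kw):
        self.calls.append(("associate_address", kw))
        return {"AssociationId": "eipassoc-constructed"}
    def replace_route(self, **kw):
        self.calls.append(("replace_route", kw))
        return {"Return": True}
```

The instance role driving these calls only needs ec2:AssociateAddress and ec2:ReplaceRoute, and should be scoped to the specific Elastic IP and route table rather than granted broadly.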
With Netgate's HA solution in AWS, enterprise and government clients can rest assured that their uptime requirements and internal SLAs are met, safeguarding mission-critical operations within AWS.
For a full technical implementation guide, please refer to our documentation, blog post, and video.
ZFS Boot Environments Deep Dive Video
Christian McDonald is back with an all-new deep dive into the ZFS Boot Environments feature in pfSense Plus Software version 24.03. It is easier than ever to update pfSense Plus while your system stays online. Hold your breath and dive in to learn more about this feature in pfSense Plus v24.03.
pfSense Plus Software Tip - Dynamic Crypto Offload (DCO)
Netgate engineers in our Technical Assistance Center (TAC) often find clients are underutilizing the full potential of pfSense+ on their Netgate appliances. To maximize VPN performance on pfSense Plus, it's crucial to enable hardware acceleration features like Dynamic Crypto Offload (DCO) and leverage Intel's Improved Internet Message Bus (IIMB). DCO optimizes VPN throughput by offloading encryption tasks from the CPU to specialized hardware, significantly reducing CPU utilization and improving latency. This enhancement benefits OpenVPN connections, where DCO leverages hardware acceleration to streamline cryptographic operations.
IIMB enhances IPsec and VPN performance using assembly-written cipher implementations that leverage extended instructions in Intel processors. Netgate incorporates IIMB functions to take advantage of SIMD extensions, further optimizing VPN operations. Enabling these technologies within pfSense Plus is easily accomplished through the GUI. The images below show how to ensure efficient and secure VPN connections without excessive strain on the CPU.
In summary, organizations can achieve improved VPN performance and scalability by enabling hardware acceleration features such as DCO and leveraging technologies like IIMB within pfSense Plus. These optimizations effectively offload cryptographic tasks from the CPU to specialized hardware, reducing latency and enhancing overall VPN throughput. Implementing these enhancements through the GUI simplifies the process, ensuring VPN connections operate efficiently and securely on pfSense Plus deployments.
Netgate CTO and co-founder Jim Thompson joined peers from Google, ARM, and Microsoft to present a webinar on DPDK and hyperscaling in the cloud. TNSR leverages DPDK and VPP to achieve 100+ Gbps of throughput on commodity servers. Netgate tested 37 Gbps of single-stream TCP IPsec (AES-GCM-128) VPN throughput using software-only encryption on an Intel™ Xeon™ Platinum 8470. This was accomplished using a single core and scales with more cores and streams.
TNSR uses the Unbound Domain Name System Resolver to handle DNS resolution and client queries. Unbound is a recursive caching DNS resolver that validates DNS data integrity with DNSSEC and supports query privacy using DNS over TLS.
By default, Unbound acts as a recursive DNS resolver, directly contacting the root DNS servers and other authoritative DNS servers to answer queries. Unbound can also be configured as a DNS forwarder, sending all DNS queries to specific upstream servers.
By employing Unbound as a DNS resolver or forwarder, TNSR enhances the efficiency and security of DNS resolution processes. Unbound's recursive caching capabilities reduce query latency by storing previously resolved DNS records locally, leading to quicker responses for subsequent queries.
Furthermore, Unbound's support for DNSSEC validation ensures the authenticity and integrity of DNS data, mitigating risks associated with DNS spoofing and cache poisoning attacks. The option to enable DNS over TLS also enhances privacy and confidentiality by encrypting DNS traffic between clients and Unbound, protecting against eavesdropping and tampering.
These features collectively contribute to a more resilient and secure networking environment, supporting reliable and trustworthy communication across the network. Implementing Unbound within TNSR underscores the importance of robust DNS resolution practices in safeguarding network integrity and ensuring optimal performance for users and applications.
For more information and configuration examples, refer to DNS Resolver.
Netgate 4200 Max Introduction
The Netgate 4200 Max is the ideal network solution for small and medium businesses. It offers an excellent price-to-performance ratio, flexible connectivity, advanced security features, a high-performance VPN, and more.
The Netgate 4200 Max comes with 128GB of NVMe SSD storage preinstalled (upgraded from the 8GB eMMC storage of the Netgate 4200). The additional storage may be used to support logging-intensive packages, increase the frequency of ZFS snapshots, and preserve more of your previous boot environments. It has blazing-fast performance thanks to its 4-core Intel Atom® C1110 CPU running at 2.1 GHz. The Netgate 4200 Max achieves benchmark results in routing, firewall, and IPsec VPN up to three times faster than the Netgate 4100.
The Netgate 4200 Max is priced at $649 and is available for shipment in May 2024.
Dive into the Netgate 4200 with Tom Lawrence from Lawrence Technology Systems. From unboxing to performance testing, Tom explores its specs, production setup, CPU capabilities, VPN performance, and the nuances of eMMC storage. Get the full scoop by watching his detailed review.
pfSense Software Ranked #1 Firewall Solution on PeerSpot
We are excited to announce that pfSense software is the #1 ranked firewall solution on PeerSpot, a leading peer review site for enterprise technology. Placing first on PeerSpot is a testament to the high performance, reliability, and affordability that pfSense software provides as a firewall, VPN, and router solution for networks of all sizes. It validates that our work is essential and appreciated. Thank you to our customers for your support – we couldn't have done it without you!
pfSense Takes Home 40 Awards in the G2 Spring Report
In addition to ranking #1 on PeerSpot, pfSense software received 40 awards in the G2 Spring 2024 report. These include Enterprise, Mid-Market, and Small Business awards in Best Results, Best Relationship, Best Usability, Most Implementable, and Users Most Likely to Recommend for both the Firewall Software and Business VPN categories. We would like to thank our community for their continued support and feedback, which contributed to these achievements.
Technical Assistance Center
The Netgate Technical Assistance Center (TAC) provides technical assistance with pfSense Plus software and TNSR. Every Netgate Security Gateway and cloud instance comes with TAC Lite included. TAC Lite offers Zero-to-Ping assistance, ensuring a smooth setup and configuration. Zero-to-Ping assistance will get your Netgate appliance running pfSense Plus or TNSR software, or your AWS or Azure firewall instance, connected to the Internet with one client on the same network online.
In addition to TAC Lite, TAC Professional and TAC Enterprise levels are available for faster response times and a much wider variety of assistance topics. Regardless of support level, TAC is here 24/7/365 to help.
Netgate Holiday Schedule
As the holidays near, please be aware that Netgate will be closed on the following dates, except for Technical Support. Please allow for possible delays due to these closures:
May 27 - Memorial Day
July 4 - Independence Day
July 5 - Independence Day
September 2 - Labor Day
November 28 - Thanksgiving
November 29 - Thanksgiving
December 24 - Christmas Eve
December 25 - Christmas
Our 24/7/365 Global Support Technical Assistance Center (TAC) is fully staffed and operational for all holidays. The engineering, sales, manufacturing, and shipping teams will be off for the holidays listed above.
We Want Your Feedback
Thank you for subscribing to the Netgate newsletter, and for your continued support of Netgate and our products. We are always looking for ways to improve and value your feedback. If you have suggestions, please reply to this email, contact us, or send an email to mktg@netgate.com. You can also talk to us on social media, or visit our forum.