25.4 is EOL so I will be upgrading to 25.10. But I noticed quite an important change: from ipfw to pf. Now, both work in a fundamentally different way (first/last rule match wins for instance). Is this change seamless? Any other gotchas?
The main firewall does /not/ change from pf to ipfw. Some components have always used ipfw, like the traffic shaper or captive portal. There is not breaking change hidden in the upgrade, feel free to do it.
If you have a captive portal it may be worth waiting for 25.10.2. The IPFW to PF transition hit performance limitations that are going to be fixed by reversing the statistics migration to IPFW in 25.7.10 community and then 25.10.2 early next year.
Otherwise there's no fundamental changes. StrongSwan changed a default setting that needs a configuration amendment for Checkpoint interoperability is the worst think we've seen so far and the impact is minimal and the cause external (although we had to add another algo that wasn't selectable in the GUI before).
Cheers,
Franco
OK. Thanks both. The change popup mentioned the ipfw to pf thing, but I must have misunderstood. Anyway, waiting for 25.10.2 is probably fine for me. My OPNsense router is a SPOF in my small setup (the key elements in my landscape are failover etc, but not the router), so I am a bit careful/conservative.