25.4 to 25.10 Business Edition upgrade. Seamless (esp. firewall)?

gctwnl · December 12, 2025, 05:17:41 PM

25.4 is EOL so I will be upgrading to 25.10. But I noticed quite an important change: from ipfw to pf. Now, both work in a fundamentally different way (first/last rule match wins for instance). Is this change seamless? Any other gotchas?

Monviech (Cedrik) · December 12, 2025, 05:25:02 PM

The main firewall does /not/ change from pf to ipfw. Some components have always used ipfw, like the traffic shaper or captive portal. There is not breaking change hidden in the upgrade, feel free to do it.

franco · December 12, 2025, 10:16:55 PM

If you have a captive portal it may be worth waiting for 25.10.2. The IPFW to PF transition hit performance limitations that are going to be fixed by reversing the statistics migration to IPFW in 25.7.10 community and then 25.10.2 early next year.

Otherwise there's no fundamental changes. StrongSwan changed a default setting that needs a configuration amendment for Checkpoint interoperability is the worst think we've seen so far and the impact is minimal and the cause external (although we had to add another algo that wasn't selectable in the GUI before).

Cheers,
Franco

25.4 to 25.10 Business Edition upgrade. Seamless (esp. firewall)?

gctwnl

December 12, 2025, 05:17:41 PM

Monviech (Cedrik)

December 12, 2025, 05:25:02 PM #1

franco

December 12, 2025, 10:16:55 PM #2