25.4 to 25.10 Business Edition upgrade. Seamless (esp. firewall)?

Started by gctwnl, December 12, 2025, 05:17:41 PM

25.4 is EOL so I will be upgrading to 25.10. But I noticed quite an important change: from ipfw to pf. Now, both work in a fundamentally different way (first/last rule match wins for instance). Is this change seamless? Any other gotchas?
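To make the "first match wins vs. last match wins" concern concrete, here is an added example (not from the original thread, OPNsense or FreeBSD): a tiny rule evaluator that runs the same constructed ruleset under ipfw semantics (first matching rule decides, implicit deny at the end) and under pf semantics (every rule is evaluated and the last match decides, unless a rule is marked `quick`; a packet no rule matches is passed). The rules, addresses and ports are made up for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # source CIDR, or "any"
    dport: Optional[int]   # destination port, None means any port
    quick: bool = False    # pf only: stop evaluating on match (ipfw always stops)

def _matches(rule: Rule, src_ip: str, dport: int) -> bool:
    """Does this rule match the packet? Only src and dport are modelled."""
    if rule.src != "any" and ip_address(src_ip) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate_ipfw(rules: list[Rule], src_ip: str, dport: int) -> str:
    """ipfw semantics: the first matching rule wins; default is deny."""
    for rule in rules:
        if _matches(rule, src_ip, dport):
            return rule.action
    return "block"   # ipfw's final implicit 'deny ip from any to any'

def evaluate_pf(rules: list[Rule], src_ip: str, dport: int) -> str:
    """pf semantics: the last matching rule wins unless a match is 'quick'.

    A packet that matches no rule at all is passed by pf, so rulesets
    normally start with an explicit 'block all' catch-all.
    """
    decision = "pass"
    for rule in rules:
        if _matches(rule, src_ip, dport):
            decision = rule.action
            if rule.quick:
                break
    return decision

# Constructed ruleset, written in the order an ipfw author might list a
# catch-all deny first and exceptions afterwards.
RULES = [
    Rule("block", "any", None),                 # catch-all
    Rule("pass", "192.168.1.0/24", 22),         # allow SSH from the LAN
    Rule("block", "192.168.1.50/32", 22),       # ...except from one host
]

def compare(rules: list[Rule], src_ip: str, dport: int) -> dict:
    """Evaluate one packet under both engines so the difference is visible."""
    return {"ipfw": evaluate_ipfw(rules, src_ip, dport),
            "pf": evaluate_pf(rules, src_ip, dport)}

if __name__ == "__main__":
    for src, port in [("192.168.1.10", 22), ("192.168.1.50", 22), ("10.0.0.1", 80)]:
        print(f"{src}:{port} -> {compare(RULES, src, port)}")
```

The same ruleset blocks every SSH packet under ipfw (the catch-all is hit first) but lets LAN hosts other than 192.168.1.50 through under pf, which is exactly the kind of silent behaviour change the first/last-match difference causes when rules are moved between engines without rethinking their order or adding `quick`.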

The main firewall does /not/ change from pf to ipfw. Some components have always used ipfw, like the traffic shaper or captive portal. There is no breaking change hidden in the upgrade, feel free to do it.
Hardware:
DEC740

If you have a captive portal it may be worth waiting for 25.10.2.  The IPFW to PF transition hit performance limitations that are going to be fixed by reversing the statistics migration to IPFW in 25.7.10 community and then 25.10.2 early next year.

Otherwise there are no fundamental changes. StrongSwan changing a default setting that needs a configuration amendment for Checkpoint interoperability is the worst thing we've seen so far, and the impact is minimal and the cause external (although we had to add another algo that wasn't selectable in the GUI before).


Cheers,
Franco

OK. Thanks both. The change popup mentioned the ipfw to pf thing, but I must have misunderstood. Anyway, waiting for 25.10.2 is probably fine for me. My OPNsense router is a SPOF in my small setup (the key elements in my landscape are failover etc, but not the router), so I am a bit careful/conservative.

If there are performance issues, they seem to be very limited?
For our guest and private mobile subnets there were no noticeable changes for our guests' and employees' usage since the update to 25.10, but instead a very nice SSO login possibility I set up in October, upgraded to this version ;-)

* You should check your new autogenerated firewall rules so you can deactivate your old ones as documented, and test them.
* And you should be aware that the CP portal page has new API endpoints, so you need to rebuild your CP page(s).
  The template ZIP has to be taken not from the documentation link, which still offers the outdated package for download,
  but from the CP Template page within /ui/captiveportal => at the bottom right, the button right of the Add [ + ] button:
  there is a very well "hidden" download button to get the actual default page template.

Performance degradation is linear, starting to be noticeable at around 500 parallel clients, but it also depends on the hardware in use.


Cheers,
Franco