Sorry I’m new here but I’ve been following Tom’s videos for quite a while and started using pfSense and OPNsense so that I can do a custom FW setup on a PC that I can’t do with an appliance, etc since I can put in hardware I want (e.g. SFP cards, quad cards, etc).
Anyway, it came to my attention while talking to some folks in another forum that pfSense 2.4.5-P1 is based on FreeBSD11.3 which is EOL and it looks like Netgate has pulled all pfSense 2.5.0 development branch code from github but I see a master branch that was modified 5 days ago in the src tree.
Anyway I saw Tom preview the 2.5.0 Development release back in late 2019 but you would have thought they would have more consistent rollout, communication about it, etc They have installer images up on pfsense.org with daily snapshots but no code branches for 2.5.0 specifically on either site.
Anyway, OPNsense seems to be more actively developing stuff but even their latest 20.7.7 version is based on FreeBSD 12.1 which is apparently going EOL by end of Jan 2021.
I’m not sure how FreeBSD/Hardened(Free)BSD rolls out updates and if they can do in place upgrades like RedHat does with minor release upgrades (and supposedly they can do major release upgrades as well but I wouldn’t trust that to be honest at this point).
Seems that the current 12.2 is EOL after 3 months so I don’t think either of these projects is going to want to forklift the OS every 3 months in order to do a currency upgrade so I hope there is some sort of rolling upgrade process.
Anyway with Tom being an MSP that uses this sort of gear quite a lot would be interested to hear his thoughts and what it means for support - but I guess he’s already at an impasse for OS support since 11.3 is already EOL but I guess Netgate would only really support the pfSense framework on top of the OS anyway and point fingers at the FreeBSD developers who would then turn around and say it is EOL.
I switched from pfSense to OPNsense to see if I can get better performance/resolve some issues with network connectivity local to my ISP but OPNsense is lacking in some tools and consistency compared to pfSense and I’m used to the pfSense GUI now. Perhaps OPNsense will incorporate these things into the front end over time since it is a pfSense fork.
Anyway wondering if I trade the ease of use for more up to date project.
Not dead, but carefully developed. Home users love that Opensense is always adding the latest tings with plenty of updates. MSP’s who manage many things and many firewalls prefer stable and secure.
I can appreciate that. I think home owners want stable and secure as well.
Looking forward to see what happens with pfSense in the future.
I think the issues I am experiencing are ISP related as they changed my traffic shaping profiles so perhaps pfSense may be worth keeping for features if I get a stable connection.
Question: is FQ_CODEL meant more for just levelling out traffic to consistent speed? I see the OPNsense implementation is quite different.
I do believe CODEL is an algorithm that addresses bufferbloat. I’ve been running it awhile now, in real terms I’ve noticed that internet browsing is much more snappier, it’s very noticeable.
I don’t want to start a war or anything here, but stay away from OPNsense. The frequency of updates is not directly proportianal to the code quality nor anything else running. I went away from that firewall because of basic functionnality issues and strange behaviors that not other firewalls (really ANY) has.
And thus it is unusable in a production environment whereas pfSense is.
Just to touch on the current release of pfSense. I found this thread on the Netgate forum, in which a Netgate developer gives this answer:
pfSense 2.4.5-p1 is not running FreeBSD 11.3-RELEASE, it’s running FreeBSD 11.3-STABLE@r357046, which is closer to 11.4 than 11.3.
The main advantage to moving to 11.4 is for security patches from upstream, which we can always apply manually if needed. We employ several FreeBSD developers, so such changes are not typically problematic.
If something comes along which needs addressed, we’ll address it.
Hope this helps clarify this certain point in your post.
PfSense is mature and stable, not dead. In the enterprise world, you don’t mess with stability and security for the sake of the latest buzzword or fad.
If you interested in always using the latest fad/buzzword thing, OPNSense is for you…although part of my day job involves CJIS (criminal justice/law enforcement) systems that have strict standards and require me to regularly attend training from various state and federal 3 letter agencies to keep up on those…after a training session last year (pre-COVID), I was talking to the state 3 letter agency presenter about this, and he made a case for OPNSesne being more secure than pfSense because of some of the later standards used and more active releases, but I think the less mature cobbling together of the components leaves a high probability of leaving holes open, not to mention the loss of reliability because of the frequent update downtime (original discussion was about if pfSense can be used in the CJIS environment, which is a grey area).
Those “3 letters agency” are probably being led astray because of the HardenedBSD being used which fixes security holes that are already corrected in the FreeBSD main code line.
I’ve been using pfSense since late spring 2020, I also considered openSense, but realized I really didn’t need anymore bells and Whistles…lol. When I upgraded my ISP to their higher speeds (from 300/15 to 750/100) I had to do a bit of traffic shaping before I seen the results with the speed that I was paying for. I’ve become more familiar with pfSense ( thanks to Tom and his videos), I like the slow and steady way of pfSense.
The logical step for netgate would be not to kill pfsense, but to experiment new features on it and when those changes become stable, then to move them to TNSR. A model similar to Fedora and Redhat.
There is basically nothing in common between PFSense and TNSR. And I mean that seriously. It isn’t like TrueNAS Core and TrueNAS Scale, where they are using mostly the same middleware and completely the same UI.
@brwainer this supports my argument, as it is difficult for any company to maintain two separate development streams. Eventually, they will either merge the two products into one, or kill one of the two. I believe that they will not choose to kill pfsense because of its strong brand name in the market.
GPL is a “copyleft” license, which means anyone who uses GPL licensed sources must provide the sources and means to build the resulting binaries to the end user, and is also encouraged to “upstream” improvements that they make.
BSD is a “copyfree” license, which means anyone can just take and use it as they please, and they don’t have to provide anything to end users.
Windows NT used parts of the BSD TCP/IP stack and a bunch of programs (nslookup being one). Apple OSX is BSD based. (In both these cases BSD refers to the OS or one of its distributions). Neither of these companies has done any significant upstreaming of improvements to BSD-licensed projects, including FreeBSD or any other “BSD” distribution nor the BSD kernel. All of Microsoft’s recent open-source work has been with projects that are GPL, Apache, or other copyleft licenses.
Netgate does a lot of work directly in the BSD kernel and the FreeBSD distribution, as does iXSystems. This means that if they make a networking or storage related improvement, they are submitting the work at approximately the same time it is submitted for use internally. Companies like Red Hat and Microsoft do the same for the Linux kernel.
The things in that article that are mentioned as being changed from GPL licensed code to BSD licensed alternatives are not related to what NetGate or PFSense uses BSD for. And even if they were, all this means is that companies (these two or others) no longer have to provide the source for those parts to end users. It does show that BSD is continuing to move in the opposite direction license-wise from Linux, meaning that companies are less and less encouraged to contribute to the BSD kernel and distros. They are free to take it and not look back, the way Apple did. This encourages companies to use BSD over GPL, but means that for BSD (kernel/OS) to progress the companies need to recognize it is in their self-interest to provide development.
Thanks for that info. I started using pfsense back in September. Have not regertted it. I also I caught my typo “through” should have been “throw”. Hey spell check grammer check… oh well! Love the fourms!
Most of the consensus seems to convey that NetGate has sold out the open source community by trying to make this closed source and only contributing common functionality which will likely be few and far from now on. Most people suggest that pfSense CE will be killed off in about 2 years and it will be like RedHat and CentOS.
I guess from their perspective they are not making money with the CE version and hence why they are moving in this direction but it is going to annoy a lot of people that supported their project for home use and then adopted in commercial settings.
So much for Tom admiring/supporting Open Source firewalls because it dies with pfSense+ and perhaps as a MSP selling NetGate boxes it doesn’t matter but I think most others are annoyed with this decision.
As stated in the article: “Netgate is effectively doing something similar to what iXsystems did with rebranding FreeNAS to TrueNAS Core. There is a base functionality, then the ability to upgrade to a higher-level feature set.”
The community edition will still be developed and will retain all of the current features and even more once 2.5 is out of beta. The long term is a wait and see just like it is WITH ANY OTHER BUSINESS. Like IX Systems, Netgate does not have a big marketing budget like some of the really big vendors so they rely on having a good quality CE edition of their software so I think they will keep it going as they have done for years.
From their FAQ’s as of today, there will be no new features from 2.5 onward. Beyond 2.6 which will simply give users an “update” button to flip to their closed source, pfsense will just live as it is. I wonder if this is partially in response to the community’s knee-jerk reaction to require AES-NI. Maybe they don’t want to put up with that type of crap again (trying to modernize and getting shit for it).
Plus will diverge and be a totally different product than pfsense as with m0n0wall. I think however, they should’ve given it a whole new name. Including pfsense in the title is good for marketing but it is misleading to everyone else.
My biggest concern will be the lack of package/addon developers. Will they move to creating packages that they could potentially make money from? (Assuming Plus will treat packages similar to untangle) Or just simply lose interest?
At least Plus will be free for home users who want new features. I just feel disgruntled, as a majority of closed source firewalls end up kind of shitty. The “leaders” like cisco, are clunky and over-complicate simple things. Palo Alto I feel, has done a good job - the rest have felt like hot garbage.