pfSense Licensing changes

Good luck. Fortigate still has CVEs that they refuse to fix, but you probably have no control over what the university wants to use. They are pretty pricey though unless you don’t need any of their modules (AV, IDS/IPS, etc.) and you just need to route traffic and set up VPN tunnels.

what are enterprises using?

25 results in a LinkedIn search with the majority of them consulting agencies isn’t the flex you think it is.

Look, it’s not about arguing the merits of any platform. The issue I find is that the homelab space very often conflates what businesses actually use. I’ve seen it many times on Reddit where someone would bring up that pfSense is exactly like a Palo because it’s running Suricata. C’mon…
I don’t think many users of pfSense really understand that the majority of their favorite packages (pfBlocker, Suricata/Snort, HAProxy) are all maintained by volunteers. So the moment that the maintainer decides not to work on your favorite package is the moment that package dies. No business should rely on that type of instability. So on top of it being a NAT box, it also doesn’t have formal (Netgate) support for popular packages. This is why Squid and SquidGuard receive no love. Take a look at the redmines open for Squid. The majority of them are unassigned because obviously there is no maintainer. We’re talking about regressions in the package that break connectivity that aren’t being looked at.
So you can send me job search links showing me which consulting agency wants a pfSense expert, but the reality is that if you do a search for Cisco or SRX or Palo the results are higher because businesses require stability and support of a project that isn’t maintained by freelancers.
I would lastly say that the core pfSense project (what you install without any 3rd party packages, just the base) is supported by Netgate, and if that’s all a business cares about then that’s great and paying $129/yr is fantastic for them. Can’t go wrong.


Let’s stop the FUD here. Which specific CVE has Fortinet acknowledged and refused to fix? Please list those.

Stop parroting things. Do Fortigate appliances have CVEs? Yes. Does every vendor have CVEs? Yes.
Does that mean businesses shouldn’t use any appliance that has had CVEs? No.

Lol. I don’t know why you are so bent out of shape that a lot of people disagree with you on this matter. It may not be a lot but it is used in the enterprise world. It also runs in the enterprises myself and others maintain. Just like XCP-ng, you don’t hear much about them, but I have implemented them in enterprises and Tom has mentioned that he has deployed them to big clients. And no I am not talking about small to medium sized businesses either.

Just because they have their label (Cisco, Palo Alto, Juniper, etc.) doesn’t mean it is there only for enterprise and anything else is an abomination that cannot be classified as such. But if you ask me it’s a bunch of overpriced devices and licenses for about the same functionality that most people will use it for compared to pfSense. pfSense might not do some abilities like IDS/IPS as a Palo Alto would, but frankly I would go a step further and say that IDS/IPS and SSL inspection need to be on the endpoint anyway. We use Bitdefender for all those needs. So with that out of the way, what other functions does a firewall need to do? Well then we are back down to routing, NATing and VPNs, which is what all the players are doing. So do you want to dump thousands upon thousands to have a name brand to say it’s “enterprise”? Not me when I can get the same functionalities as the “big dawgs”.

Have at it!

Parroting what Tom says in videos doesn’t mean it’s all the way accurate.
I’m in no way bent out of shape on this. I understand completely that this is the home lab space. The needs are different than what is required at an enterprise level, but it’s just so odd that people think that free software is in any way comparable to what an enterprise pays for.
Security should be done at the firewall AND endpoint. Having a firewall perform threat prevention while having endpoint software scanning for threats should be the goal. The idea that it’s 100% on the endpoint is just ridiculous. Security in depth is the goal.
But again, your entire rant boiled down to essentially dismissing major players in the security space, and that’s fine, but it’s not reality.

I was very specific with my question was I not?

You stated that they have CVEs they refuse to fix… Which ones have they acknowledged are security vulnerabilities and did not fix? Please list them.

I can send you links with Palo Alto CVEs
I can send you links with Cisco CVEs
I can send you links with pfSense CVEs

We can spat all day on here, but at the end of the day you disagree with what I am saying and I disagree with what you are saying. We aren’t going to change our minds on the matter. We can just leave it as it is and let the people decide. :slight_smile:

Completely agree.
With $7B in revenue for Palo Alto Networks, the people decided :person_shrugging:

BTW, I enjoyed the black hat link about the pre-auth RCE on SSLVPNs.
Thank you for sharing.

I keep telling them that, and they have a long history of doing stupid things with admin-level accounts. They think they are just wonderful, compared to Cisco. Arista (Untangle) would probably be a better choice at this level.

Also, this is the same department that told me I couldn’t set up Guacamole when our students were all working from home because Guac had an open CVE; the CVE was fixed 2 weeks before they told me it wasn’t allowed. One of those people left, so maybe I have a chance now to use better resources than they provide (which is almost nothing).

I was greeted by another update from OPNsense today, in the notes was this (Figured I’d post it here, since this seems to be one of the main focuses):

This update also includes FreeBSD security advisories and assorted fixes. We are aware of OpenSSL 1.1.1 CVE-2023-5678 and we are already testing builds based on OpenSSL 3 which can be available in 24.1 when it does not negatively impact overall operation. We also expect fixes for version 1 to be available sooner, but without OpenSSL providing such fixes directly the roundtrip time is likely going to increase for them.

So at least they are posting somewhat of a roadmap.

I’m really considering just purchasing the TAC Lite license. $129/yr is incredibly reasonable for me and my production-ish workload, and with the discount from Tom’s video bringing it to $99 for the first year it becomes an even easier-to-swallow pill. I host a number of services including gaming servers, VPN, a web server, and streaming services (for a few friends). So it’s really the gateway for my home AND lab, and if it goes down, the fiancée comes crying (among others). I’ve been using pfSense for the better part of a decade, I know it’s solid, and I’ve never had problems with it. I’m not switching to another platform, but would consider reverting to CE.

The one piece I’m failing to grasp, and forgive me if this has already been discussed, is how the annual renewal piece comes into play. If I purchase the TAC Lite license now, will I stop receiving updates in Nov/Dec of next year if I don’t renew? And how does the renewal work? Am I expected to install a new registration key each year, or is there an option to ‘renew’ an active registration key? Anyone have any documentation on this? Couldn’t find it upon a search.

To the “pfSense is not an enterprise solution” crowd: I’ve now worked for 2 very large shops that used pfSense in some capacity. I won’t say their names, but think the 3 letters that come to mind when you think gaming (gambling)/movies/entertainment, and the software company that comes to mind when you think of virtual app and desktop delivery.

Yes, the $129 licence will have to be purchased each year and the licence key updated.

Although with my home router (ZimaBoard) I did downgrade from Plus to CE, today my home router is offering the previous Plus release (23.05.1) as an “Upgrade” from CE (in addition to CE’s release candidate).

Does anyone know if running the previous Plus release will be a “free” option???

Not sure what they will do in the future, but it would appear that right now the old Home & Lab licences are being honored.

Latest update went fine

I am worried though that this could be a move to diverge Plus from CE and force more current Plus users to start the subscription.

Thinking of switching back to CE sooner rather than later.

Might go for the two-year license with the TAC-Lite code. I’ve been told they add the period on top of what you already have. My current TAC-Lite that I got is due to expire in April.

Parents are on 2.7 atm, but I may look at the UXG-Lite for them or failing that just use the provided Linksys MX4200.