pfSense Licensing changes

Fair enough. I don’t dismiss that. They deserve to make money. If they want to maintain a fork (Plus) of their own, that’s fine. I’m only calling for a kernel panic if the development of the actual product we care about (pfsense CE) is threatened. These two forks (PLUS vs fork-sense) can be collaborative, this is a challenge to my peers to help me build a mechanism for the organic growth of the pfsense CE project. I don’t see this response as short-sighted. Maybe, it’s, perhaps, just too long-sighted.

I have the highest respect for the amount of work that goes into the development of pfSense. I may be uniquely qualified to hold that opinion. But that also doesn’t mean any community action I promote matters.

This is a Sparta (THIS IS SPARTA) moment for me. Nothing has changed today, but I view Netgate’s announcement as Xerxes’ messenger. You can raise an army, but the few die-hard pfSense lovers like myself will defend the project’s spirit. I imagine there’s much more to come from Netgate, and I hope they don’t send their messengers back over here.

Again, this is all just theoretical at this point. I see no motion to act just yet.

I had been considering moving to lab… lucky break, not just because of this change, but because searching I came across the unbelievable behaviour of one CEO called Jamie Thompson from the time OPNsense forked … can’t imagine buying any Netgate product now knowing I’d be “contributing” to his salary, yuk

… coming weeks will be moving all pfSense installs over to OPNsense, unlike most people I prefer the pfSense UI compared to the OPNsense UI and the long time between updates, oh well, still worth moving over whilst that guy is still in charge!


Surely they wouldn’t do that… They would be better off updating CE, than changing their mind yet again. No one will ever trust them if they can’t make a decision and stick to it. No way would I want to install plus again, only to have them change their mind again in 6 months. What’s that saying, “Fool me once, shame on you, Fool me twice, shame on me…”

I agree, this move is not good for the people in the home lab space that tried the Plus licence. This is much less of an issue in the business space where people are using Netgate hardware.

The bigger issue is the lack of alternatives out there. There used to be a lot of options but now https://www.ipfire.org/ and https://openwrt.org/ are the only active open source firewalls that I am aware of and they don’t even come close to the features and flexibility in both pfSense & OPNsense.

I am completely aware of https://vyos.io/ and they are really focused on the enterprise space and are not likely to ever be a suitable option for the home lab enthusiast.

IMHO, folks need to relax a bit. From what I can tell CE isn’t going anywhere. Yes, things seem to be a bit confusing, but there are always two sides of a story. The guys who make pfSense have to survive or there won’t be a pfSense for folks to complain about. I’m a 30 year IT vet and pfSense is not one of the vendors Enterprises would typically choose from, however I have been using it personally for home lab for the last 5 years and think it is a terrific solution. As far as talk about going from BSD to Linux, yeah I thought the same, however TrueNAS folks have a version called Scale which runs on Ubuntu. I never thought that would happen either and yet… I’ve also switched over to the Scale version and it hasn’t been a big deal. TBH, things have worked better. Re: Tom’s alternative post… I used openwrt and variants like OpenTomato, etc… for a decade and they have their own issues. I haven’t done OPNsense yet, however one of the guys I worked with years ago appeared to be close to the BSD scene and knew about the rift between folks and how they left pfSense to create OPNsense. I’m not going to get into that, because it’s hard to really know what’s been going on unless you hear the other side of the story. pfSense works great for me and unless I have a serious reason for switching, I’ll be using it for the foreseeable future. The only complaint or should I say Achilles heel appears to be the large XML file it uses to store config and I guess maybe its lack of an API. I have tried some add-on experimental API solutions, but the folks who made them also underscore that you need to create waits or pauses in your automation, because they say it takes time for config changes to be written to the XML file and performing fast back-to-back changes causes problems.

I’m not sure if this helps anyone, but just my thoughts.

Let’s start by asking ourselves a simple question. pfSense, who are you? Do you love pfSense? I think I have resolved both of these questions, and the answer is yes.

I’ve used Netgate hardware in production in real life for many purposes. It’s good. TAC, even TAC lite, is a great value add. Plus is worth it for many circumstances.

But I don’t always need or want support. I reserve the right to hack the missing features I may need or want back into the CE codebase. I’ve used, in a pinch, dozens of pfsense firewalls in production. Don’t always have money professionally to do things the “right way”. Pfsense is as close as it gets, and I’m not confident Opnsense can be that stepping stone for me in all circumstances. The other options Tom Lawrence mentioned are just not good options for many use cases. Things like WRT were born out of a pet project of hacking consumer routers. Things like VyOS are great but more complicated than pf.

That’s what this thread is about from my perspective. I’m a professional first and a home user second.

Everything is going cloud first. I’m not on that train. As a community and as individuals we need to stem the tide. There is an erosion of good low-cost on-prem options. This cannot occur. We must hold steadfast against the corporate trend of no one owning anything. If anything, I think now is time to hedge our bets.

Enterprise products exist because people have more money than time. Open source products exist because people have more time than money. Each has its purpose, and pfSense lives in both camps. My only purpose is to ensure that it always does. Sacrifice is sometimes necessary. Freedom may be more valuable than convenience, other times it may be the other way around.

I also live in both camps. I sometimes have more money than sense, and other times have more sense than money. My only purpose is to ensure that it always remains viable in both. I think I can help, if my help is needed. Let’s hold fast for now, and watch. Join me if you care.

Agree or disagree, I’d love to hear the thoughts of others here in Tom’s world. I have a unique respect for this community. If you all think I should sit down and shut up, I will respect that.

I’d be interested in knowing if you all here would be interested in sponsoring, promoting, or somehow supporting a community fork of pfsense. I’m not sure now is the time for a fork, but I am actually spending significant brain cycles trying to fix my problem with Netgate, if one exists. This is not a call to action, but rather, I am seeking individuals of like mind.

I am a hacker. I use that term as a millennial who has probably bastardized Stallman’s meaning of the word. But that’s who I am. Netgate has the right to make money. We have the right to enforce change if Netgate doesn’t kick stuff back to the community.

Free software, free society: Richard Stallman at TEDxGeneva 2014 - YouTube

Is it happening? : PFSENSE (reddit.com)

pfSense Licensing changes - Networking & Firewalls - Lawrence Systems Forums

Petition · A Community pfSense Fork · Change.org

Let’s all Pause for a moment and Consider the state of pfsense | ServeTheHome Forums

Let’s all Pause for a moment and Consider the state of pfsense - Software & Operating Systems - Level1Techs Forums

Don’t use dirty language like that here… :smiley: They use something that is actually stable, Debian. As a TrueNAS user I’ll say I’ve been much happier with Scale than Core.

I’ve never thought of openwrt or Tomato as anything more than alternative router firmware, rather than a full fledged firewall option? Am I underestimating these projects?

LOL. I’m trying to reserve my own opinion about Ubuntu, which appears to be more so like yours. Also - openwrt/Tomato, etc… yeah… alternative router firmware… pushing the edge of what the hardware can do imho. I don’t see it as full fledged firewall either. Since switching to pfSense, I now just use an EnGenius EWS377APv3 AP, and all it does is AP… with the ability to have numerous virtual APs on separate VLANs, which is useful.


Fair enough. I’m just here to remind folks that the road less traveled, ie a community fork, remains a viable option if better alternatives don’t exist for our use cases.

I also maintain that my time is valuable and learning something new has an opportunity cost. I’d rather invest that time in hacking features back into CE than trying to start fresh. This is because I respect the fact that edge cases exist.

Wholeheartedly agree with regards to learning something new. My lab work with docker & k8s and IaC has indeed pushed my need for a firewall with an API. Nowadays, you typically get an API with some kind of cloud management of your equipment, which has service fees. Also, those APIs typically don’t give you the depth of config settings you need. They typically trend on the safe side or should I say limited functionality.

It depends on your affinity for CLI and use-case but openwrt can be a “full fledged firewall option”. Sadly not everything can be done via the webui but it covers the basics, the rest is accessible the usual way via the cli.

OpenWRT is not a viable option for many use cases. Its lineage traces back to folks who hacked the WRT54G. That’s great and all, I loved it and used DD-WRT for many many years. But more enterprise stable and ready designs should still exist, even if with limited or no support. OpenWRT is not that.

I had quite a few routers running openwrt before I jumped to pfsense. Those things only rebooted if I updated them or there was a power outage so I’d say stability is not a concern even on low-powered consumer garbage…

And that is exactly the problem. Everyone would like to have a community version that is free and includes all the features of the Plus version, but no one is willing to do the enormous amount of work that would be required to make it happen.

It’s one thing to fork the CE version and hack together a few features from the Plus version and integrate them. It’s another thing to maintain and subsequently develop the fork. OPNsense is able to do this mainly because there is a company behind the project that sells licences which generate a continuous cash flow.

What might work, though, are community extensions for pfSense CE that add some of the Plus features to it. But in my experience, plug-ins developed by the community are often abandoned fairly quickly because the developers no longer have time or interest to maintain them, and after the devs have abandoned them there comes a point where they are no longer compatible with the latest version of the base product, or even worse, they become a security risk.

Or you can just learn the cli. Then you have two things no company can take away from you.

GUIs make it easy, and easy has a cost. Give Netgate their due, they make a good product at a very competitive price.

And Tom is right, there isn’t a great alternative out there. The business side of me says they should raise the collective price for a full feature easy fw. They are leaving too much money on the table. Especially with the fan base they have. Hell, they can probably get brownie points for raising prices on their users.

It’s funny. I think I have weaved a very compelling narrative thread across multiple similar conversations. That thread fairly well postulates that “we need to build a better firewall”.

Why won’t you all help me do it?

Here’s a few reasons why I think this won’t work…

  1. There are huge differences between wanting something and really needing something. Also many of the cry babies on Reddit either don’t have money to support such a project or don’t want to spend any money, which is one of the reasons for their outcry in the first place.

  2. Personally, I have no reason to switch to something else because pfSense CE does everything I need it to do. And if they discontinue it at some point, I would probably switch to OPNsense.

  3. No offense, and I could be wrong of course, but based on your posts here and on Reddit, I think you massively underestimate how much work such a fork would involve.

  4. Even if you were able to hack together a fork with a new logo and boot manager after a sprint of one to two weeks, I wouldn’t use it in production, because I simply wouldn’t trust in it, neither in terms of security (I mean we are talking about a firewall/router distribution here which is normally used as an edge device), nor in terms of future-proofing (more on this in the next point).

  5. In order to maintain such a project in the long term you need to be always on top of things, meaning you need a continuous flow of revenue, either to be able to do it full time by yourself and/or to pay at least one or two core developers. Again, we’re talking about a fully fledged Router/Firewall OS/Distribution here, and not about another markdown editor. :wink:

I’m willing to donate both time and money to such a project. Each has value. I want to contribute both.

Sure. It does. I agree. But perhaps it could be improved. Its core values are exactly right. There’s a lot of work that has already been done that is not in pfsense. Some of that work should be merged into pfsense. There’s value in a traffic cop who would decide if additional/new features should be merged in. That cop should not exclusively be Netgate.

Do I? What do you know about me? Can you back up your statement? The suspected criticism is valid, but I think I will prove you wrong. This is a long term play, not a short term play. I need short term shock and awe to get some attention shined on an important situation. So, if anything, I am playing a game with fire here. But that doesn’t mean I don’t know it’s on fire.

Fair enough. That’s why I wouldn’t do it alone. I need partners. I am seeking partners. We can do this.

Again, this is a “WE” thing. I don’t want to do shit alone. I am looking for like minds. Of course that’s what I am saying. Don’t use the jump to conclusions mat.

As I thought they would, they brought back the TAC for $129 a year and admitted that mistakes were made. I will do a video soonish on this topic.


Thanks. Good enough for me.