pfSense Licensing changes

Lol. I don’t know why you are so bent out of shape that a lot of people disagree with you on this matter. It may not be a lot but it is used in the enterprise world. It also runs in the enterprises myself and others maintain. Just like XCP-ng, you don’t hear much about them, but I have implemented them in enterprises and Tom has mentioned that he has deployed them to big clients. And no I am not talking about small to medium sized businesses either.

Just because they have their label (Cisco, Palo Alto, Juniper, etc.) that it is there for only enterprise and anything else is an abomination and cannot be classified as such. But if you ask me, it's a bunch of overpriced devices and licenses for about the same functionality that most people will use it for compared to pfsense. Pfsense might not do some abilities like IDS/IPS as a Palo Alto would, but frankly I would go a step further and say that IDS/IPS and SSL inspection need to be on the endpoint anyway. We use Bitdefender for all those needs. So with that out of the way, what other functions does a firewall need to do? Well, then we are back down to routing, NAT'ing and VPNs, which is what all the players are doing. So do you want to dump thousands upon thousands to have a name brand to say it's "enterprise"? Not me when I can get the same functionalities as the "big dawgs".

Have at it!

Parroting what Tom says in videos doesn't mean it's all the way accurate.
I'm in no way bent out of shape on this. I understand completely that this is the home lab space. The needs are different than what is required at an enterprise level, but it's just so odd that people think that free software is in any way comparable to what an enterprise pays for.
Security should be done at the firewall AND endpoint. Having a firewall perform threat prevention while having an endpoint software scanning for threats should be the goal. The idea that it's 100% on the endpoint is just ridiculous. Security in Depth is the goal.
But again, your entire rant boiled down to essentially dismissing major players in the security space and that's fine, but it's not reality.

I was very specific with my question was I not?

You stated that they have CVEs they refuse to fix… Which ones have they acknowledged are security vulnerabilities and did not fix? Please list them.

I can send you links with Palo Alto CVEs
I can send you links with Cisco CVEs
I can send you links with pfSense CVEs

We can spat all day on here, but at the end of the day you disagree with what I am saying and I disagree with what you are saying. We aren't going to change our minds on the matter. We can just leave it as it is and let the people decide. :slight_smile:

Completely agree.
With $7B in revenue for Palo Alto networks - the people decided :person_shrugging:

BTW, I enjoyed the black hat link about the pre-auth RCE on SSLVPNs.
Thank you for sharing.

I keep telling them that and a long history of doing stupid things with admin level accounts. They think they are just wonderful, compared to Cisco. Arista (Untangle) would probably be a better choice at this level.

Also this is the same department that told me I couldn’t set up Guacamole when our students were all working from home because Guac had an open CVE, the CVE was fixed 2 weeks before they told me it wasn’t allowed. One of those people left, so maybe I have a chance now to use better resources than they provide (which is almost nothing).

I was greeted by another update from OPNsense today, in the notes was this (Figured I’d post it here, since this seems to be one of the main focuses):

This update also includes FreeBSD security advisories and assorted fixes. We are aware of OpenSSL 1.1.1 CVE-2023-5678 and we are already testing builds based on OpenSSL 3 which can be available in 24.1 when it does not negatively impact overall operation. We also expect fixes for version 1 to be available sooner, but without OpenSSL providing such fixes directly the roundtrip time is likely going to increase for them.

So at least they are posting somewhat of a roadmap.

I’m really considering just purchasing the TAC Lite license. $129/yr is incredibly reasonable for me and my production-ish workload, and with the discount from Tom’s video bringing it to $99 for the first year it becomes an even easier to swallow pill. I host a number of services including gaming servers, VPN, a web server, and streaming services (for a few friends). So it’s really the gateway for my home AND lab and if it goes down, the fiancé comes crying (among others). I’ve been using pfSense for the better part of a decade, I know it’s solid, and I’ve never had problems with it. I’m not switching to another platform, but would consider reverting to CE.

The one piece I’m failing to grasp, and forgive me if this has already been discussed, is how the annual renewal piece comes into play. If I purchase the TAC Lite license now, will I stop receiving updates in Nov/Dec of next year if I don’t renew? And how does the renewal work? Am I expected to install a new registration key each year, or is there an option to ‘renew’ an active registration key? Anyone have any documentation on this? Couldn’t find it upon a search.

To the “pfSense is not an enterprise solution” crowd: I’ve now worked for 2 very large shops that used pfSense in some capacity. I won’t say their names, but think the 3 letters that come to mind when you think gaming (gambling)/movies/entertainment, and the software company that comes to mind when you think of virtual app and desktop delivery.

Yes, the $129 licence will have to be purchased each year and the licence key updated.

Although with my Home Router (ZimaBoard) I did downgrade from Plus to CE, today my Home Router is offering the previous Plus release (23.05.1) as an "Upgrade" from CE (in addition to CE's Release Candidate).

Does anyone know if running the previous Plus release will be a "Free" option?

Not sure what they will do in the future, but it would appear that right now the old Home & Lab licences are being honored.

Latest update went fine

I am worried though that this could be a move to diverge Plus from CE and force more current Plus users to start the subscription.

Thinking to switch back to CE sooner rather than later.

Might go for the two-year license with the TAC-Lite code. I've been told they add the period on top of what you already have. My current TAC-Lite that I got is due to expire in April.

Parents are on 2.7 atm, but I may look at the UXG-Lite for them or failing that just use the provided Linksys MX4200.

Or just use CE, if you're unsure whether paying for TAC Lite is worth it.

I don’t understand why everyone thinks they need to move away from pfsense CE. CE has just been updated to OpenSSL 3 and the new DHCP server. There is no indication that it will be discontinued any time soon, and in my opinion it is still a perfect solution for advanced home users and also for small businesses that don’t need support and don’t want to pay for a licence.

And here we go again, this time towards the other extreme, and again I get the feeling it's just to avoid CE. Why? I mean, CE is definitely a lot better than a UXG Lite, and worlds better than any Linksys router provided by the ISP. Whether you need the extra features of pfsense is another matter, of course.

TAC-Lite is only $99 atm for a year, peanuts. So the flexibility etc.

My parents don’t have anything complex, it’s more about simplicity, laziness re the Linksys setup. No port forwards, no VPNs and so forth. pfsense is there since I put it in a few weeks back and working fine, just need to sort out VPN config for remote access. Ran out of time.

Yeah sure, it has a few nice extras, and if you don't mind paying for it, and dealing with licence keys, it's fine I guess. :slight_smile:

Then Unifi could indeed be a good middle ground. Not sure what the VPN options specifically on the UXG lite are though.

Indeed re the flexibility and a few nice extras etc. For a pittance it's the flexibility. I've got QAT hardware and such.

The UXG-Lite is still coming soon for the UK and based on Unifi’s handling of UK PSUs with some of their devices I’m not expecting to see it before the end of 2023. Plenty of time for further reviews and good ole Unifi bugs.

VPN options I think are WG, OpenVPN etc. It would be managed via my CK remotely.