pfSense Licensing changes

I am doing a live stream today at 6:15 EST to cover the changes and answer some questions.


Watch the live stream. Thanks for being the adult in the room. I think I made my point known, I think it may have been a positive influence on this situation, but I am glad better ideas prevailed.

I appreciate you @LTS_Tom

C'mon… I've been a network engineer for a long time and only worked at enterprises specifically in the Fintech space, but I have done contracting work, specifically around 2009 when the market crashed, for midsize firms, and I have never seen a pfSense in the wild. Not saying they don't exist, but to say large enterprises use them… I'll bet dollars to donuts there is absolutely no enterprise that has a budget that won't go as low as Fortigate or as high as Palo. If the existing fleet is Cisco then expect Firepower. There is no way an entry-level firewall is in an enterprise of any size.

I understand now. I hope for that not to be the case; indeed, it could turn into a slippery slope.

I'm surprised that it has been two years since I last logged in to the forum. Just watched your live stream, and I guess it doesn't hurt to share a bit of my opinion here.

I agree with more or less 90% of what you said. It's surprising that you are somehow caught in the crossfire between Netgate and the community. I have always thought that the homelab mindset can be troublesome when the Dunning-Kruger effect kicks in.

  • Many want you to ditch pfSense just because they hate it, while your MSP and your clients are perfectly happy with the solutions.
  • Many want to burn down Netgate, be it via a fork, a new solution, or whatever, without even considering the initiation process and what comes afterward.

Currently, my company (SMB) is paying $20k+ annually just for licensing, not counting what is outside of my scope. Some of the payments are for open-source or open-core solutions. In the end, a business needs profit to operate, and a business pays for what it thinks is justifiable for operation. In my lab, I also use and pay for what I think is justifiable for my SDE and SysOps journey. If something does not work out, just move on.

Then what about the other 10% of my opinion? From a community perspective, Netgate did a horrendous job in this whole story.

  • Suddenly announced the license change out of the blue.
  • Stated it is due to the “third-party market”, but penalized the home lab community.
  • Suppressed a portion of people's comments on media platforms when people spoke against them, and had some of their staff defensively argue back.

Sure, their employees are good people. I have never met one of them before, but from your description, I trust they are good people. That said, Netgate's history, as a corporate entity, is very bad on the community side. I guess this is nothing new in the corporate and enterprise world, but I personally feel your videos really undertake this aspect of the saga.


According to Debian and Suse this CVE only affects OpenSSL 3.x. OpenSSL 1.1.1 is explicitly mentioned as not vulnerable.

https://security-tracker.debian.org/tracker/CVE-2023-5363

https://www.suse.com/security/cve/CVE-2023-5363.html

And OpenSSL itself, while not explicitly stating that 1.1.1 isn't vulnerable, is saying:

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue

So I think it's relatively safe to say that 1.1.1 is not affected by this specific issue.

Nevertheless, I certainly agree with you that the OPNsense developers should update to version 3.x as soon as possible. Unfortunately, FreeBSD has not yet updated the package, and even for FreeBSD 14 the current status is still “planned”:

https://wiki.freebsd.org/OpenSSL

I've seen one install at the various organizations I've worked for, and its use case is guest network access on a separate WAN circuit. Even charities I've done work for have been Fortinet, PA customers, etc. I've not seen Sophos in the wild for their firewalls and never seen an Untangle. Re Netgate and Untangle, not sure what their market penetration is outside of the US, etc.

This brings me to another point: Netgate's reseller market in the country I live in is dire. The resellers they do have don't respond to sales enquiries, at which point the product thoughts get dropped. For me, if there is a drive to expand their channel partner network selling Netgate appliances and such, then more sales and such.

The case studies of old are sadly not there in the security space these days detailing what the customer deployed it for and such. Understandably so.

One of the companies I worked for turned down a case study offer when they were choosing a WiFi vendor and there was substantial discount offering.

I can think of lots of large vendors who have moved the goal posts as the market isn't working in their favor due to xyz. A typical example I can think of is with the high core counts on CPUs now: I can think of several vendors who amended the rules re number of cores vs physical CPUs and so on.

They don't implicitly list unsupported versions, only current versions, and 1.1.1 is EOL.

Cooling down - thanks for the live stream Tom, BTW.

Summary: Netgate screwed up and apologised - hope the lesson is learned.

So the options seem to remain:

  1. Pay up $99 for year one at least with the TACLITE code - BTW, is the code quickly transferable when the hardware breaks down?
  2. Rollback - which I think is even easier than Tom suggests - the “recover config” option pulls the existing config off the box? Missing a few features - boot configs (nice to have) and patches (already fixed one issue with that on a previous release)
  3. Buy a Netgate appliance - in the UK this seems a somewhat more difficult thing to do - one reseller with poor reviews? Break even after a year or three, depending on the box.
  4. Jump ship - not a lot of choice for software alternatives - as to hardware options - TBA. And a pile of learning while still trying to keep the family happily connected (WFH, surfing, streaming, gaming and OpenVPNing)

Would love it if they were to align the licence/TAC model across their own hardware and appliances - e.g. if the $129 licence was one year of TAC Lite + ongoing free updates in line with the appliance - e.g. up to, say, a 5-year typical lifetime?

Also would be nice if it covered two (active/passive) devices to allow for quick swap in emergency.

Inclining to 1) for the easy life (access to any patches that pop up), and I can spend longer evaluating the alternatives…

PS: Is BSD getting too niche to be viable long term - which makes finding good dev people harder, new hardware support expensive, etc.?? Expect Linux to win completely eventually!?!

  1. It's a year of support, so I don't see why you can't swap it to different hardware
  2. If you are not using Plus features this is a fine solution
  3. Not sure how much it matters what the reviews say if you are not using that reseller for support; not sure how much Netgate direct is in the UK
  4. There are not really any free alternatives that offer the feature set of pfSense and the documentation

The problem is bigger than FreeBSD being niche; the challenge is that building, testing and maintaining a secure, up-to-date firewall is hard, and this has killed off the many other open source firewall projects that used to exist for both FreeBSD and Linux.

Yes, unfortunately that is true, and therefore I had to rely on circumstantial evidence… :wink:

What makes me confident, though, is that the Debian maintainers also seem to think that 1.1.1 is unaffected; otherwise they would have to backport the fix to Old Stable (Bullseye). See the note at the bottom of CVE-2023-5363:

Notes

[bullseye] - openssl (Vulnerable code not present)
[buster] - openssl (Vulnerable code not present)

Other Linux distributions like Suse or Ubuntu also seem to think that 1.1.1 isn't vulnerable, and the CVE hasn't appeared in the FreeBSD Security Advisory list, which also supports my assumption that 1.1.1 isn't affected.

So, while I can't be 100% sure, I'm pretty confident that 1.1.1 is not affected by this CVE.

That is compounded by most home-labbers' perceived need to enable every feature and package known to man. That was me many moons ago. There wasn't a button I didn't want to click.

In time I realized I didn't need all that crap. Just basic blocking and tackling from the firewall is good enough. That, and tight DNS filtering and general logging, if you want to make a difference. Move to the endpoint if you want to really improve security.

I say all this to point out that building and maintaining a sufficient CLI firewall is not insurmountable. Half the junior admins in here should be able to do it over a long weekend. Spend a weekend and be free of this stuff forever.

Hopefully you (or Jay) do a video about how to set up a CLI firewall someday. I bet a lot more of your audience would watch that than you think. It should be simple for you to do, have a long shelf life, and be of true value to the community.

EDIT: if you do this and you use Linux (why wouldn't you?), please, for god's sake, use nftables.
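To make the "basic blocking and tackling" in the post above concrete, here is an added example (not code from the thread, Netgate or pfSense) of a minimal stateful nftables ruleset for a two-interface home router: default-drop input and forward chains, established/related pass-through, a small set of router services reachable from the LAN only, rate-limited logging of whatever the default policy drops, and IPv4 masquerading on the WAN. Interface names (eth0/eth1) and the LAN subnet are assumed and can be overridden through environment variables; `check_ruleset` only syntax-checks with `nft -c` and loads nothing.

```shell
#!/bin/sh
# Minimal stateful home-router ruleset for nftables (added example; not from the thread).
# Assumed interface names and LAN subnet (constructed); override via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset. Apply it with `home_ruleset | nft -f -` or save it as /etc/nftables.conf.
home_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Router services reachable from the LAN only: DNS, DHCP, SSH, ping
        iifname "$LAN_IF" udp dport { 53, 67 } accept
        iifname "$LAN_IF" tcp dport { 22, 53 } accept
        iifname "$LAN_IF" icmp type echo-request accept
        # Rate-limited ICMP from the WAN so path MTU discovery and diagnostics keep working
        iifname "$WAN_IF" icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        # Log (rate-limited) what the default policy drops, so the firewall stays observable
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only connections that originate inside the LAN may leave; nothing unsolicited comes in
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
        limit rate 5/minute log prefix "nft-forward-drop: "
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Syntax-check the ruleset without loading it. Needs the nft binary; when it is
# absent the check is skipped (returns 0) so the script still runs elsewhere.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        home_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}
```

Two design points worth noting: the `inet` family table filters IPv4 and IPv6 with one set of rules, but the forward rule above matches `ip saddr` only, so IPv6 forwarding stays dropped until you deliberately add it; and the drop-logging lines are what give you the "general logging" the post asks for without flooding the journal.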

Web-based UIs for firewalls are so popular for the same reason not everyone codes in assembly language.

Manually managing a firewall from the command line is great for datacenter or cloud systems, but not a realistic option for a home lab unless the purpose of that home lab is to learn how things work or get a job at a datacenter or cloud level deployment.

You are correct that the basics to get routing and maybe DHCP would not be too hard, but managing NAT rules and more complex VPN and routing setups makes it much more complex.

I just did the license purchase and received the confirmation with a new registration string. Since you can't re-register an existing device, there is one thing you will need to do, and that is to contact support to apply your current device ID to the new license you just purchased. Netgate turned this around in about 15 minutes.

As a home user with a lab and leveraging advanced features such as Suricata, ntopng, etc., paying about $100 a year is reasonable. I always believe in donating to open source projects in a value-for-value model, and $100 a year is worth having a highly reliable and customizable firewall.

On the blog page there is a link for existing installs in which you provide your NID and the registration is automatically applied.


As a cynic, I don't believe they simply made a mistake. I think it was intentional and they rolled the plan back because of the backlash. Even certain wording in their apology speaks to the sins of the past, and I feel that they think much like Red Hat recently said about the leeches with CentOS.

And much like the CentOS changes, this Netgate issue will pass, one way or another. Sorry, can't help being cynical here; hopefully history will not prove me right. But I have a feeling this is an Oracle moment about to happen (OpenSolaris).

If they want to stem the sales of the illegal units, then they will need to send the key every time a unit boots or checks for updates. When they see numerous IP addresses with the same key, then they need to look at the “person” that purchased the key. And maybe they need to lock up the illegal devices with a message that says the key they bought was illegal and here's a big discount code to get your individual legal key. Yup, telemetry sucks, but they may need to do something like this to combat the illegal resellers. I saw an ad for one on either Amazon or eBay last night and they overtly listed Plus as being included.

I've had open projects stolen and sold out of China before; it sucks. Things you put forward for the community to make for themselves, and then some jerk makes a small amount of money off this niche thing you created, is just an insult. It didn't stop me completely from releasing projects, but it certainly slowed down my efforts. None of these things were in the IT realm, and it was a long time ago for most of them, all hobby stuff.

The current Reddit thread w.r.t. changing hardware and NDI seems to indicate that Netgate wants a new licence and more £££ each time the NDI changes.

Pretty useless for emergency hotswap, especially as features diverge between CE and Plus, and certainly problematic for some VM test/dev/production scenarios - I know snapshot, backup/restore etc., but the license should be more flexible - a time-limited demo would likely fix some of these?

Or just use pfSense CE, which does not have any licence tied to it.


I know, but it's just another company with a useless licensing policy. I've dealt with Microsoft et al. enterprise licensing long enough (decades!!) to realise they are all capable of hamstringing a good product with a stupid licencing scheme!


For me the biggest issue is how the communication was handled for this whole situation. Had this been announced and then implemented with a clear path forward, I would not be questioning whether I want to stay on pfSense after my next hardware upgrade. I'm on Community Edition, so in no way affected, but I will be watching how they handle communication with users going forward.