pfSense Licensing changes

I bought a 2yr TAC lite. My fear is if my white box dies before the 2 years, will I be able to build another white box and use my new NDI?

I will assume you can still use it, but that is a good question for their sales people for a more concise answer.

So did the rollback to CE. Super straight forward and it brought all my customisations back in without issue. What is interesting is I seem to now have a slight improvement in throughput latency and the CPU is not ramping up to 30%+ randomly like it was before. I cannot explain it but I will take that as a win.


Rolled back to CE, due to a hardware issue on the pfSense unit (failed hard drive).

Installed CE, and restored the backup via GUI - no issues at all.


Clonezilla the drive? Might be worth a test if you have another box to try the clone on, that is, assuming they show you if the license is working or blocked somewhere in the web GUI.

Bummer. I guess I thought you would find this fun. And easier.

But if the viewers don't want it, I understand.

Hello,

I have just started to ponder playing with THE REAL firewall. I've been using UDM Pro for over 3 years. Whenever I consider trying out new tech, I like to do online research for a bit, as that's part of the fun and hobby.

I actually started doing this a couple of weeks ago, and then saw this pfSense Plus license discussion in real time. Prior to this, I had narrowed down my options to pfSense or OPNsense, and almost decided on pfSense.

Not knowing any detail about the pfSense vs. OPNsense functionality difference, I'd like to ask the group here a couple of pure-curiosity questions. Basically, I am fairly neutral at the moment as I haven't tried or purchased either system.

I've read that some users are upset about Netgate and I can see how one can be upset about the recent, first license termination announcement.

But if you could put those upset feelings aside, can you please answer a couple of objective questions for someone like myself who is just looking for a better product for my home.

  1. Official hardware comparison

I have been considering a possibility of purchasing official hardware.

When comparing two official products with similar specifications, it looks to me as if Netgate is better priced/value.

For example, for a 10Gbps system, I see the Netgate 6100 and OPNsense DEC740. The comparably listed specs show both firewall and IPsec VPN throughputs as higher on pfSense while it is priced cheaper. Am I missing something here?

  2. pfSense Community Edition vs. OPNsense

If I've decided not to go the official hardware route, my primary pfSense option seems to be Community Edition.

In this case, besides the favorable UI on OPNsense, is there any actual feature the pfSense CE edition would be missing when compared to OPNsense?

Thank you very much

As I had pointed out earlier in the thread, the security of OPNsense is more questionable because they have a smaller team and they are running an older, unsupported version of OpenSSL and don't have any clear timeline as to when that will be fixed.

Besides the UI differences they mostly have the same major functions, but you will find more tutorials, write-ups, and documentation for pfSense than OPNsense.


Not about the viewers, it's just reality. I'm guessing if you really wanted to do this, you can already drop into a shell and configure either *sense firewall, just like you can run pretty much everything in XCP-NG from a shell.

This is extremely true; I've looked and there is 1/10 or less OPNsense content out there.

Not sure what you are getting at.

On the "business" reality, I think Tom is right. pfSense is the only real game in town for this part of the market. And with this market dominance they are leaving too much money on the table. This whole episode proves that.

Capitalism will not allow a free lunch for long. Either the existing management slowly raises prices directly (or indirectly by slowly deprecating CE), or a venture fund is going to buy them and do it for them. Their market value will become too cheap relative to the revenue opportunity they have. It's just business.

Learn the CLI and walk away from all this, or pay up. Either way the "effective cost" for a FW in this market space is going up. Directly or indirectly.

Just so everyone is aware: I messaged Netgate sales and they will do a one-time transfer of the pfSense subscription to another unit as a courtesy in case your white box has a failure.

What causes a Netgate Device ID change: a drive change, or any additional hardware?

I'm using an Intel(R) Atom™ CPU C3508 @ 1.60GHz atm which supports QAT, so if I wanted to leverage that I'd have to purchase TAC-Lite support.

My freshly built XG210 Rev2 says it has TAC-Lite support until 2024, but my XG125 Rev3 running Plus only has Community. I must have done something different when I "purchased" originally.

I wonder if they'll transfer :grinning:

If I'm opting for the more "feature" rich OPNsense, I'll just run Sophos XG Home TBH.

Do whatever you feel that fits your needs.


Just worked out the difference as to why one is licensed TAC-Lite: it was free at one point and I registered via that route rather than a homelab license. I wonder if they'll transfer it :slight_smile:

They've just transferred a valid license for me, so all good. The XG230 Rev2 can now be sold off blank.

"C'mon… I've been a network engineer for a long time and only worked at enterprises specifically in the Fintech space, but I have done contracting work specifically around 2009 when the market crashed for midsize firms and I have never seen a pfSense in the wild. Not saying they don't exist, but to say large enterprises use them… I'll bet dollars to donuts there is absolutely no enterprise that has a budget that won't go as low as Fortigate or as high as Palo. If the existing fleet is Cisco then expect Firepower. There is no way an entry-level firewall is in an enterprise of any size."

Well, I beg to differ. It really comes down to where you worked, and FinTech is just a small vertical. I ran through hundreds of pfSense installs (big and small) in many types of enterprises, also big or small. Companies that have a real network & security group (not contracted consultants) don't rely on one unique brand - they have multiple in use "just in case". And I have seen pfSense boxes next to Check Point firewalls quite often.

Also, maybe in 2009 Fortigate was low on the list… but how things have changed since then for them. But pfSense is still around defending what Palo, Cisco or Fortinet can't in times of need.

Ubuntu 22.x and up uses OpenSSL 3.0. 20.x was using 1.1.1.

That wasn't my point.

The point I was trying to make is that OpenSSL 1.1.1 is not affected by the CVE Tom has mentioned, but only the 3.x versions are.

Below you will find the same links as in my previous post, including the relevant passages from the linked security advisories.

Unfortunately, the OpenSSL project itself doesn't publish public security advisories for deprecated versions of OpenSSL, which is why we have to rely on the information published by the maintainers of the various downstream distributions.

Ubuntu: https://ubuntu.com/security/CVE-2023-5363

Author Note
mdeslaur appears to only affect 3.x releases

Debian: https://security-tracker.debian.org/tracker/CVE-2023-5363

[bullseye] - openssl (Vulnerable code not present)
[buster] - openssl (Vulnerable code not present)

SUSE: CVE-2023-5363 | SUSE

SLES15-SP4-CHOST-BYOS openssl-1_1 Not affected

By the way: these distributions usually backport security fixes to older versions of their packages, if those packages are still used in an active LTS release of the distro. So if this CVE affected 1.1.1, there would likely have been a fix for it as well.
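An added example (not from the thread or any of its posters) that turns the post's point into a triage check: a Python helper that parses `openssl version` output and classifies it for CVE-2023-5363, treating 1.x as "vulnerable code not present" per the trackers quoted above. The upstream fixed releases 3.0.12 and 3.1.4 are assumed from the OpenSSL advisory, and the `distro_patched` flag models the backporting caveat, since a backported fix keeps the old version number.

```python
import re
import subprocess
from typing import NamedTuple, Tuple

# Assumed from the upstream OpenSSL advisory for CVE-2023-5363 (verify before relying on it):
# the 3.0 series was fixed in 3.0.12 and the 3.1 series in 3.1.4.
FIXED_UPSTREAM = {(3, 0): (3, 0, 12), (3, 1): (3, 1, 4)}

class Verdict(NamedTuple):
    version: Tuple[int, int, int]
    status: str      # one of the status strings produced in classify_cve_2023_5363
    reason: str

# Matches the leading token of `openssl version`, e.g. "OpenSSL 1.1.1n  15 Mar 2022"
_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

def parse_openssl_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `openssl version` output; the 1.1.1x letter suffix is ignored."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version string in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def classify_cve_2023_5363(text: str, distro_patched: bool = False) -> Verdict:
    """Decide whether the build described by `text` can contain CVE-2023-5363.

    `distro_patched` is what the operator found in their distro's security tracker:
    a backported fix keeps the old version number, so the string alone cannot show it.
    """
    ver = parse_openssl_version(text)
    if ver[0] < 3:
        return Verdict(ver, "not_affected", "vulnerable code not present in 1.x (per the Debian/Ubuntu/SUSE trackers)")
    fixed = FIXED_UPSTREAM.get(ver[:2])
    if fixed is None:
        return Verdict(ver, "check_advisory", "3.x series not covered by the assumed fix table")
    if ver >= fixed:
        return Verdict(ver, "fixed_upstream", "at or above upstream fix %d.%d.%d" % fixed)
    if distro_patched:
        return Verdict(ver, "fixed_by_backport", "below upstream fix, but distro tracker reports a backported fix")
    return Verdict(ver, "vulnerable_unless_backported", "3.x below the upstream fix; confirm against your distro's tracker")

def check_local_openssl() -> Verdict:
    """Run `openssl version` on this host and classify it (the samples in the test are constructed)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return classify_cve_2023_5363(out)
```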

I certainly remember firewall "training" in the early 2000s that it was a multi-vendor approach, so your front-end firewall was a different vendor to your backend / next-layer firewall.

I imagine this approach is still the popular approach within "enterprise" organisations? I'm not in that area of infra these days; wish I had stayed in that area, but I moved back to my first love of the other infra :laughing:

I have to know… What specifically can pfSense protect that a Palo Alto can't? I have to know…
