pfSense vs. OPNSense?

[garm]

Those of us who took the bait and switch and upgraded to Plus Home/Lab for free are now expected to pay $400 annual to continue to receive updates.. if you want to go back to CE you need to do a fresh install.. so I will do that, but won’t install pfSense CE…

 

[Arwen]

To be somewhat fair, if 3rd party companies are selling hardware with pre-loaded pfSense, AS AN OFFICIAL pfSense firewall & router, they are probably loosing money. And possibly getting support calls from people that have no legal right to support, (of that type).

Imagine if a company started selling TrueNAS servers, both hardware & pre-loaded with software to small businesses. Possibly even implying support was available. Then, when those small business customers had problems, it might be a mess to because the small business might say: "Hey you, you wrote TrueNAS, I NEED support, I paid for support, so give it to me NOW!".

 

[Apollo]

They linked the reason.

Yes, but why?
The Community edition is still available free.
All I was able to understand is that the pfSense Plus is going license based or something.

Sorry, last 2 post didn't show up on my end until I posted a follow up.

 

[garm]

Well.. we where promised Plus Home/Lab would be free for the foreseeable future (guess that's a couple of months at Netgate) and they did the change over the weekend without communicating it to the community.. There is no way back from Plus to CE without a fresh install and the Plus backups are not compatible with CE.. They MAY (will!) not continue to support existing Plus Home/Lab deployments..

Im not saying they did anything wrong.. Im saying Im installing OPNSense because I have absolutely no trust in Netgates willingness to make me a good product, CE is probably next up on the chopping block and we wont know about it until the heads already off...

 

[danb35]

I NEED support, I paid for support

...and the answer would surely be, "then go back to whoever you paid, because it wasn't us."

The problem as I see it is that Netgate/Rubicon/ESF/whatever they're calling themselves any more wants to call themselves an open-source software company for whatever reason(s), but doesn't want to behave like one. It's been noted for a number of years (and I think I linked to this up-thread) that they don't actually release all their source. We all know about the fit they threw when OPNsense forked. The impression I and many others got when they came out with "pfSense Plus" was that CE was a dead end and wouldn't be updated any more. And as is shown once again, they've repeatedly shifted the goal posts to the point where they just aren't trustworthy.

if 3rd party companies are selling hardware with pre-loaded pfSense, AS AN OFFICIAL pfSense firewall & router

Is that happening? If it is, I'd agree that it's a problem, and that (presuming they haven't authorized it) it's illegal. But there are lots of ways of addressing that activity that don't involve penalizing all their users.

 

[Jailer]

Well this really sucks although I'm not at all surprised. I too took the bait and upgraded to plus at the beginning of 2023 because it appeared that netgate was no longer (or VERY infrequently) going to offer updates to the CE version. I'm not looking forward to having to do a fresh install but I guess this gives me an excuse to upgrade my aging hardware. Might as well if I'm going to have to start fresh and my fresh start will be OPNsense.

I'm in the same boat as @danb35 I just don't trust netgate at all at this point. Past behavior is very indicative of future behavior and I can see where this one is going.

And thanks @garm for putting this on my radar.

ETA: Now does anyone have any suggestions for a decent low power board with IPMI, supermicro preferred. Internet speeds are low for me so I don't need something with a lot of power.

 

[danb35]

does anyone have any suggestions for a decent low power board with IPMI, supermicro preferred.

Ditto, and if Supermicro, X10 generation or newer (to avoid needing Java for the virtual console). My Aliexpress special firewall appliance really does work fine, but I miss IPMI during the reboots (which aren't that frequent, but still...).

 

[probain]

Ditto, and if Supermicro, X10 generation or newer (to avoid needing Java for the virtual console). My Aliexpress special firewall appliance really does work fine, but I miss IPMI during the reboots (which aren't that frequent, but still...).

A PiKVM then maybe?

 

[danb35]

I didn't have a lot of luck the last time I played with PiKVM, but it's been a while--maybe it's time to take another look at it.

 

[probain]

I didn't have a lot of luck the last time I played with PiKVM, but it's been a while--maybe it's time to take another look at it.

It's cheaper than $399/year at least

 

[Ericloewe]

Is that happening? If it is, I'd agree that it's a problem, and that (presuming they haven't authorized it) it's illegal. But there are lots of ways of addressing that activity that don't involve penalizing all their users.

I can imagine it being a thing with all the chinese mini-PCs with several NICs that are floating around eBay and AliExpress... But yeah, it feels like a made-up problem.

It's cheaper than $399/year at least

Only if it lasts more than six months!

ETA: Now does anyone have any suggestions for a decent low power board with IPMI, supermicro preferred. Internet speeds are low for me so I don't need something with a lot of power.

Occasionally, somebody dumps a bunch of Supermicro short-depth 1Us with A1SRi boards (mostly C2758, but even a C2558 would be plenty, I imagine). The only serious catch is that you will most likely need to deal with repairing the board to work around the C2000 LPC clock issues - Supermicro may still be offering free repairs, but if they don't it's just a pair of bodge resistors. The bad news is that they're 0402s, so good magnification and a steady hand are desirable (I had neither and had a terrible time).

 

[probain]

Asrock Rack, has a bunch of mini & micro ATX boards
link

 

[danb35]

I can imagine it being a thing with all the chinese mini-PCs with several NICs that are floating around eBay and AliExpress

I mean, it is the case that sellers are using pfSense in the product titles. For just one example:

https://www.aliexpress.us/item/3256805970246322.html

That example also names OPNsense and OpenWRT in its product title, but pfSense is the very first word. I suppose someone might infer from that that it's an "official pfSense system", but its naming other products right alongside pfSense would seem to make that inference unreasonable. I'm not aware of anyone who's outright claiming (falsely) to be selling "official pfSense systems," though there's no doubt a lot I'm not aware of.

Does this violate ESF's trademark policy? Quite possibly. Is it honest marketing? Iffy at best. But I don't think anyone could look at that listing and reasonably conclude that it comes with official support from whoever the gods of pfSense are now.

Edit: OTOH, I don't see iX getting worked up about things like this (which looks like a pretty good deal, if a little dated at this point):

Supermicro 4U 36 Bay Storage Server 2.4Ghz 12-C 128GB 1x1280W Rails TrueNAS ZFS | eBay

Type 4U LFF Server (36x) LFF Bays. Model Supermicro SuperStorage 6047R-E1R36L CSE-847E16. Rails Included. If this happens, don't worry, we will stand behind our products! Condition Tested 100% Working.

www.ebay.com

 

[Ericloewe]

OTOH, I don't see iX getting worked up about things like this (which looks like a pretty good deal, if a little dated at this point)

Yeah, I think that's a key point here. Their behavior is well outside the norm, as far as a norm exists. It's the sort of stunt you expect from the likes of IBM.

 

[danb35]

Their behavior is well outside the norm

That's been the case for quite some time.

 

[Whattteva]

I’m reviving this dead horse, I stuck with PFSense through all their shit because I believed they made a solid product and looked out for me. I even took the bait and upgraded to their Free Plus version.

Now I’m switching to OPNSense…

I was in this same boat and really tried to stick it out with them. I finally called it quits because of this bug. My post is at the very bottom of the thread. To make long story short, they have a bug that's been open since 2017 and just blames Unbound for it and refuses to fix it. It's BS of course, as Unbound works perfectly fine on OPNsense (what I currently use) with the same exact setup.

Frequent unbound restarts

@thiasaef said in Frequent unbound restarts: Netgate can't (or won't) rewrite unbound for that. I agree and I would not whine about it if a) 2.4.5-p1 was ...

forum.netgate.com

 

[Arwen]

If you want external remote console access, I use a network attached dual serial device. Then have 1 port go to my media server, (which is in a different room that I am in.) Grub, Linux kernel and OS can be set to use serial as the console. Or both serial & video.

Some boards intended for embedded use even support BIOS access over serial ports.

The company that made my current, and prior media servers, have new models that have optional support for 1Gbps over SPF+;

fitlet3 specifications

Download fitlet3 datasheet Intel Atom x6425E Intel Celeron J6413 Intel Atom x6211E 4 Core | Base: 2.0 GHz, Boost: 3.0 GHz | TDP: 12 W 4 Core |

fit-iot.com

Tensor-I22 specifications

Datasheet Order Contact us

fit-iot.com

And of course at least 2 other 1Gbps Ethernet over copper.

The first is smaller, slower, and definitely fewer options. Neither PC is cheap, but the build quality is so good that I still have & use my current media server from 2015.

I wish they would come out with an AMD model again, and one with ECC support.

 

[MrGuvernment]

It does suck, knock on wood, I have been using PFSense CE for 15 or so years and not had any issues with the usage it was in place for (production environments , and home networks) They certainly are not super fast on updates to CE, so long as they patch security flaws, and things keep working, awesome, but there is that voice in my head aswell wondering what is next. Are they making enough money now from their devices and subscriptions, now they can cut off the very people that made them the company they are literally by using pfsense and pushing it to everyone they know...

 

[Apollo]

Here is a link to Lawrence Systems describing the process of migrating back to pfSense CE with the config used with pfSense Plus:

How to Convert From pfsense plus 23.05 to pfsense CE 2.7

https://lawrence.video/pfsenseMy forum discussion around licence changeshttps://forums.lawrencesystems.com/t/pfsense-licensing-changes/19029/37Connecting Wit...

www.youtube.com

 

[NickF]

Shameless plug

pfSense Licensing changes

Lets start by asking ourselves a simple question. pfSense, who are you? Do you love pfSense? I think I have resolved both of these questions, and the answer is yes. I’ve used Netgate hardware in production in real life for many purposes. It’s good. TAC, even TAC lite, is a great value add. Plus...

forums.lawrencesystems.com