Two big announcements on the pfSense front this week. First, the popular router/firewall/ VPN appliance is adding WireGuard VPN. Second, Netgate, the company supporting pfSense is changing its model to support pfSense Plus.
pfSense adding WireGuard VPN
The first big pfSense feature added this week is WireGuard VPN. WireGuard is a fairly fast and easy-to-setup Layer 3 VPN which means it is quickly becoming popular. Linux distributions have been working on the software for some time, but pfSense has been notably behind. That is changing with the new pfSense 2.5 release.
This is a huge feature that STH readers are going to be interested in. The Netgate/ pfSense team had to do work to get this to run on FreeBSD which reminds us that there are quite a few features that are now present in Linux where FreeBSD support comes much later. We are also going to note that this works in both pfSense Community Edition and the new pfSense Plus that we will discuss next.
pfSense Plus Coming
On the pfSense Plus side, it is a bit more interesting. Effectively what pfSense is doing is first rebranding pfSense Factory Edition (FE) to pfSense Plus, leaving pfSense Community Edition (which currently exists) alone. The current pfSense FE is what you may have seen on ourĀ Netgate SG-5100 Firewall and Network Appliance. This is the version of pfSense that comes on Netgate/ pfSense official hardware and in cloud instances.
Netgate is effectively doing something similar to what iXsystems did with rebranding FreeNAS to TrueNAS Core. There is a base functionality, then the ability to upgrade to a higher-level feature set. pfSense CE will continue, but pfSense Plus will be where a lot of the exciting development is going.
pfSense, at its heart, still stems from the m0n0wall project. While they have diverged over time, the world has changed. These days getting new NIC support, QuickAssist support, and even the WireGuard support mentioned above in FreeBSD require additional work by the Netgate team. At some point in the longer-term Netgate is going to have to weigh staying with FreeBSD versus moving to Linux. Netgate also needs features such as multi-instance management from a single pane of glass. To execute on that roadmap, Netgate needs revenue, which is why we are getting the divergence.
There is likely some risk that a new feature you want will be in the pfSense Plus version instead of the community version. Netgate has been addressing that in the FAQ. That is the same type of risk we see with the move to TrueNAS Core. At the end of the day, keeping the open-source userbase is a huge marketing vehicle for the project, so keeping the projects alive is important. Netgate told STH they plan to effectively keep the Community Edition similar to what is currently out there with enhancements over time, but the more rapid feature build-out will happen for pfSense Plus. This is a revenue play.
We are going to have an excerpt from today’s Netgate Blog Post around the FAQ at the bottom of this article so you can read more about it.
Final Words
Assuming Netgate keeps pfSense Community Edition alive and well, then the community will likely not notice much of a difference. It may create more interest in some alternatives, but that is the nature of an announcement like this. One item we are looking forward to is the option to get a license to the Plus version on one’s own hardware. If the concept is to get many customers by offering a low-cost license structure, then this could be a very interesting option. If the license cost for this is extremely high, then it will make the jump from CE to Plus extreme and that will alienate a lot of folks. Time will tell how this holds over time.
For many, the biggest part of this announcement is going to be that pfSense 2.5 is going to be released in February 2021. We covered the pfSense 2.4 release in October 2017 so this has been a long time to wait for another major dot release.Ā pfSense 2.3 was released in April 2016. pfSense 2.2 was released in January 2015. It is good to get a new version out since that is a very long wait.
Below we have the pfSense Plus Launch FAQ. We are keeping a copy here if you want to use it as a reference for what was promised at the outset, and how the project tracks over time.
pfSense Plus Launch FAQ
Here is the FAQ we received from the Netgate team around the time of launch. We suggest looking to the official FAQ for any updates:
1.Ā Ā Ā What is pfSense Plus?
pfSense Plus is the new name of Netgate’s productized version of pfSense software, previously referred to as pfSense FE. It will be made available to Netgate appliance and CSP customers, and over time, will have an evergreen secure networking feature set, performance enhancements, and manageability advancements not available through pfSense CE releases or project code. The product will become more powerful, flexible and easy to use over time, as it is re-architected to move beyond the limitations of pfSense open source software.
2.Ā Ā Ā Why did Netgate make this change?
There are two primary reasons.
First, demand for new secure networking features, performance improvements, management and automation capabilities outstrip the capabilities of existing software design, which dates to 2004.
Second, the code changes necessary to deliver the above capabilities will be disruptive to users of the open-source code base – especially those dependent upon private forks for their own needs. pfSense has a smorgasbord of features and functions that Netgate will need to update, replace, or delete. These code modifications will not always immediately serve the open-source community. Rather than force the community to quickly follow, Netgate can better serve its customers and the broader community by moving the pfSense Plus stack forward to support product advancement, without disrupting the code base that community members rely upon today.
3.Ā Ā Ā What happens to pfSense FE?
pfSense FE – the historic fork of the pfSense open-source project that Netgate has pre-installed on its appliances, and via public cloud service providers – will be replaced with pfSense Plus.
Existing Netgate customers running pfSense FE will be able to upgrade to pfSense Plus from the user interface.
4.Ā Ā Ā When will pfSense Plus be available?
The first release of pfSense Plus will be available in February, 2020, as Release 21.02. The āyear.monthā release numbering convention aligns with that of TNSR – Netgateās
high-performance software router product – since its first release in 2018. We have come to
prefer this approach, as our customers can easily identify the relative currency of their operating software.
5.Ā Ā Ā Are pfSense Plus Release 21.02 and pfSense CE Release 2.5 the same thing?
Initially, they are close, but over time they will diverge. pfSense Plus Release 21.02 will be based on pfSense Release 2.5, with added crypto offload for IPsec using QuickAssist Technology (QAT) or EIP-97. Other historical differences will remain, i.e., pfSense Plus will also continue to include an AWS VPC Wizard, and an Apple IPsec Wizard.
In subsequent releases, pfSense Plus will increasingly diverge from pfSense CE – leveraging a newer and more robust secure networking software stack, which allows for feature, performance, and manageability expansion well beyond the limitations of the current stack.
6.Ā Ā Ā What kinds of new capabilities are envisioned?
pfSense Plus will grow to incorporate features – like the following – requested by our end-user and managed service provider customers:
- Business level dashboard/reporting
- 11ac and 802.11ax wireless access point support
- Improved packet filter performance
- New GUI architecture
- GUI / device control separation, which facilitates multi-instance management
- Modernized look and feel
- Zero Touch Provisioning for easier drop ship of unprovisioned appliances
We expect to publish a high-level roadmap soon. If you would like to be informed when it becomes available, simply sign up here. Further, we are always open to product / feature input. We actively monitor for, and solicit, this input through our social media channels and user surveys.
7.Ā Ā Ā Will pfSense CE releases continue?
Here is what to expect relative to the pfSense project, and Netgate-provided CE releases therein:
- Netgate will continue providing stewardship and resources for the pfSense project, just as it has since 2012
- pfSense project code will continue to be available on GitHub, and will remain Apache
licensed
- Netgate will continue to support the project with code contributions, particularly with respect to security vulnerability protection, FreeBSD related updates, common code,
- While Netgate will focus most of its efforts on pfSense Plus, there will continue to be releases, snapshots, and updates of pfSense CE
- The frequency of this support will be evaluated on an ongoing As an example, we already anticipate there will be a 2.6 release in 2021 to provide 1) the necessary upgrade path to pfSense Plus for instance types beyond those already covered, 2) hardware support updates, and 3) bug fixes.
8.Ā Ā Ā Will pfSense Plus releases come out on a more regular basis than pfSense CE Releases did historically?
Yes. Going forward, pfSense Plus customers will be able to reliably manage their IT infrastructure changes around three releases per year – planned for January, May, and September.
9.Ā Ā Ā Does this mean Netgate is abandoning its open source heritage?
Absolutely not. Nothing has changed about our strong belief in, and commitment to, open source software. This is best expressed by specific evidentiary statements:
- We are proud of our long heritage of giving back significant financial sponsorship, engineering and test resources, and upstreamed code to numerous open-source projects. Our project list includes Clixon, DPDK, io/VPP, FreeBSD, Free Range Routing (FRR), Linux, pfSense, and strongSwan.
- Netgate currently employs or contracts many developers with roles in the FreeBSD, pfSense, Clixon, and VPP/FD.io Their contributions and responsibilities include development, administration, maintenance, release engineering, and foundation board membership. These developers, and many more at Netgate are regular contributors to these projects.
- Netgate directly co-sponsors feature Very recent examples of contribution include: kernel-resident WireGuard, QAT and EIP-97 crypto-offload, and Intel i225 ethernet drivers for FreeBSD, and a VRRP plugin for FD.io’s VPP.
10.Ā What if I am running pfSense on a CSP partner platform, e.g., Amazon or Azure?
If you are running a paid instance on either CSP partner platform, it is, by definition pfSense FE.
pfSense Plus will be offered on Amazon and Azure marketplaces at the same prices as Factory Edition is offered today. Pricing varies based on the underlying cloud compute instance. Both cloud service providers (CSPs) have their own software longevity policies. You may continue running your current pfSense FE instance into perpetuity. You will not be forced off. However, if you upgrade a deployed CSP virtual machine instance of pfSense, it will be upgraded to pfSense Plus 21.02. Further, new CSP virtual machine instances going forward will only be pfSense Plus releases.
11.Ā Can I get pfSense Plus for my own hardware or virtual machine?
Today, pfSense Plus 21.02 is only available on Netgate appliances, AWS, and Azure platforms.
We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner.
There will be a no charge path for home and lab use, and a chargeable version for commercial use. (Source: Netgate)
11ac and 802.11ax wireless access point support only in Pfsense+ ? š Funny…
It will be probably available in OPNsense when it will hit FreeBSD..
“Does this mean Netgate is abandoning its open source heritage?” – Sorry but I am calling BS on their answer. If you are moving your development from open to closed I can NOT see your commitment to open source.
Also “….Second, the code changes necessary to deliver the above capabilities will be disruptive to users of the open-source code base….” well this never stopped RedHat or ProxMox or spcNG or …..
It is their product and their business strategy but at least be honest.
I guess the OpenSense guys got it right time ago.
Wireguard on pfSense is interesting … but what I really want is Wireguard on MikroTik RouterOS. Now *that* would be mind-bogglingly useful.
I tend to figure that, if they make all these changes to + and not to CE, then there will come a time when they’ve diverged enough that it will no longer make business sense for them to develop and support CE in a way that’s useful to most people.
I’ll wait and see what happens, but OPNSense just became a lot more attractive.
We absolutely will continue financial sponsorship, engineering and test resources, and upstreamed code to numerous open-source projects including pfSense CE. Upstream code is 100% visible, by definition.
However, the underlying software platform, GUI, and value-added future set of pfSense Plus is Netgate value add, (and Netgateās product) – which is fairly reserved for our customers.
@Stuart Yes the two products will diverge, but there are no plans to abandon pfSense CE. But to be clear, there will be a no-charge version of pfSense Plus available to home and lab users.
Kinda sad to see speculation of moving away from BSD to everything Linux. I seems to remember even Netflix is evaluating Linux on their Edge Appliance instead of FreeBSD.
@Ksec We have no intention of moving away from FreeBSD
When I read about pfSense+ and the move to a closed source project the first trigger in my head was of course: “Alright, let’s have a look at OPNSense”. I checked online a lot of feature comparison articles and community size+development pace. I will only make my mind when STH makes their own article comparing both and suggesting the right move.
“But to be clear, there will be a no-charge version of pfSense Plus available to home and lab users.”
Yet another version?
Whatever the answer, I should think history has shown that “separate but equal” is only the former.
I have frequently evaluated OPNsense, have mixed feelings for it, but Netgate continues to push me toward its competition.
Not sure if pfsense had a plugin for the Golang version of Wireguard, but OPNsense has that for a long time now.
The kernel based version may end up in version 21.7.
@Dennis – Netgate
What is going to happen to all the available packages (e.g. suricata, pfBlockerNG, haproxy)? Will those developers develop for both systems in time or will it be available only to the CE or only +?
IMHO good move and smart, but time will tell. Suggestion: Make a clear timeline with expectations. Get the package maintainers onboard.
Advice: make the + variant also available to prosumers/semi-professionals at home/SOHO with a monthly or annual subscription model a.k.a. Netflix/Disney+ model. So not only directly tied to your exclusive hardware appliance(s).
@Dennis – Netgate
Will pfSense+ in time have an AI/deep learning datamodel component to analyze/monitor data traffic inbound/outbound? That would be a terrific feature!
What’s the alternative OPNSense which is based on Linux?
While a lot of us will agree that Netgate is a for-profit business, they ought to earn money and do contribute a lot back upstream (thanks for all that), time has to tell how much effort they can and will invest into pfSense CE. For those who came to pfSense because of open code not always for tinkering with it but for trust and possibility of verification, pfSense+ won’t be it. I do already operate to much proprietary things here, so pfSense+ even for free doesn’t really look like what I’m looking for in a Firewall.
From a business perspective I’d fully understand if Netgate decided to fully focus on pfSense+ which is where they can definitively earn money and have control over the distribution model. The way Netgate tells us that they will continue with CE, while clearly stating their focus is on “+” leaves at least some degree of uncertainty, which leaves room for FUD.
Let’s see how CE 2.5 maintenance goes on in the next 1-2 years. I don’t hope pfSense+ goes the direction of a Bacula vs. Bacula Enterprise. Should they decide to fully focus on “+” and retire from CE development, I sincerley hope that they wil have the openness to clearly communicate timeframes when this happens so people can decide where they want to head to. Hint: Don’t do it like Red Hat. š
@Miha
Check out untangle – there’s a FOSS version with paid add-ons if you need. Not 100% open source, but runs on Linux and is great.
Miha, OpenWRT is the obvious one, Nethserver also works quite well as a pfsense replacement for a lot of use cases.
Was just reading about all the stupid and childish things the Netgate and the pfSense team has done to harass and smear OPNsense. Absolutely disgusting.
https://teklager.se/en/pfsense-vs-opnsense/
Was just reading about all the childish things the Netgate and the pfSense team has done to harass and smear OPNsense. Absolutely disgusting.
The comparison to iXsystems handling of FreeNAS -> TrueNAS Core is not correct. The simple answer for this change, was to get rid of duplicate code bases. So, the TrueNAS licensed and paid for product, will be the same source code tree as TrueNAS Core, the free version.
Their are some slight differences between the products, but they existed before. Like enclosure services are available on iXsystems hardware only, (unless you modify the code for your specific chassis). In addition, the cluster feature is a paid one, if I remember correctly. But, all that is reasonable in my opinion.
One thing FreeBSD & pfSense have, is ZFS. This is useful for easy mirroring when you want high availability, (at least against disk failures). And you get easy alternate boot environments, very useful for updates. Linux does not have such at present. Yes, Linux has mirroring, and yes it can be forced to have alternate boot environments. But, they are clumsy without ZFS. (I do use ZFS on my personal Linux computers, though it’s not installed that way from the distro…)
Speaking of Wireguard being implemented with the features into FreeBSD, I can guarantee it’ll first be present in OpenBSD (not 6.9 (new release almost around the corner, but will definitely be in 7.0, unless it can be downloaded into 6.9 after the initial install)). But for Linux, I’d say the first distro for the implementation will be Debian. Just a guess.
I think this is a great move for pFsense in the long run. Modern GUI , dashboard, single Mgmt pane for devices, ZTP etc. All these features that over would expect from business devices.
How would you secure and validate devices in ZTP ? Hardware certificates in a TPM ? Or perhaps device serial is enough for the first contact and a time window whenever it can be onboarded
@Pete Mitchell
For a security product I do not see often releases as a direct plus. Sure if they make releases to solve security related issues, but no one wants to update their router every 2 months.
Iām not against OPNsense, I have been a pfSense user for some years, this might finally push me to OPNsense. But their frequent releases are for me a bit worrying.
I understand this move from the business perspective, plus in the FAQ the plus will also have a free license for homelabbers which isn’t really a huge deal breaker for me at least for now. I’m using pfsense because it’s really easy to setup as a x86/PC based firewall, have strong function sets, and the idea of “ship it when it’s ready” instead of rolling release like OPNSense. The idea of it being open source isn’t really the largest selling point for me compared to the reasons mentioned before.
The only thing I’m afraid is that instead the way TrueNAS differentiate its product offerings, netgate is trying to pull an AOSP and slowly move more and more of its attractive, and sometimes important, but not core feature set to the propriety “plus”, rendering CE hard to use and requires way more extra mods to be up-to-date and useful in the long run. If that happens, then it’s really weird to see that a company is making good bucks on their product, doing a lot of contributions upstream(i.e. kernel mode wireguard in recent times), but their competition makes better utilization of the upstream contributions when we compare the open source part of the offerings. But let’s just see how 2.5/2.6 will play out for another year or two.
I recently started migrating some of my routers/firewalls to VyOS (https://vyos.io/).
It’s a Linux-based (Debian) distro, with firewall/routing features. Fully open-source as well, and it’s been around for a long time. Some of Ubiquiti’s routers are actually based on an old fork of it (Vyatta).
There’s a really good starting guide here – https://blog.kroy.io/2020/05/04/vyos-from-scratch-edition-1/ – or see the official VyOS documenation.
I’m also thinking about writing a porting guide from pfSense to VyOS.
This is unrelated to the current saga, and I still have a soft spot for pfSense – this was just for my own learning, and for some work requirements.
It’s difficult to forget pfSense’s sentiments towards open source. Take a look at how they bully OPNsense: https://old.reddit.com/r/OPNsenseFirewall/comments/93s8px/spreading_lies_20/.
Netgate definitely needs to update their website to remove the big āopen source securityā headline and the āWorldās Leading Open-Source firewall, VPN, and routerā reference due to this move to closed source.