Two big announcements on the pfSense front this week. First, the popular router/firewall/VPN appliance is adding WireGuard VPN. Second, Netgate, the company supporting pfSense, is changing its model to support pfSense Plus.
pfSense adding WireGuard VPN
The first big pfSense feature added this week is WireGuard VPN. WireGuard is a fairly fast and easy-to-set-up Layer 3 VPN, which means it is quickly becoming popular. Linux distributions have been working on the software for some time, but pfSense has been notably behind. That is changing with the new pfSense 2.5 release.
This is a huge feature that STH readers are going to be interested in. The Netgate/pfSense team had to do work to get this to run on FreeBSD, which reminds us that quite a few features now present in Linux reach FreeBSD much later. We are also going to note that this works in both pfSense Community Edition and the new pfSense Plus that we will discuss next.
pfSense Plus Coming
On the pfSense Plus side, it is a bit more interesting. Effectively what pfSense is doing is first rebranding pfSense Factory Edition (FE) to pfSense Plus, leaving pfSense Community Edition (which currently exists) alone. The current pfSense FE is what you may have seen on our Netgate SG-5100 Firewall and Network Appliance. This is the version of pfSense that comes on Netgate/pfSense official hardware and in cloud instances.
Netgate is effectively doing something similar to what iXsystems did with rebranding FreeNAS to TrueNAS Core. There is a base functionality, then the ability to upgrade to a higher-level feature set. pfSense CE will continue, but pfSense Plus will be where a lot of the exciting development is going.
pfSense, at its heart, still stems from the m0n0wall project. While they have diverged over time, the world has changed. These days getting new NIC support, QuickAssist support, and even the WireGuard support mentioned above in FreeBSD requires additional work by the Netgate team. At some point in the longer term, Netgate is going to have to weigh staying with FreeBSD versus moving to Linux. Netgate also needs features such as multi-instance management from a single pane of glass. To execute on that roadmap, Netgate needs revenue, which is why we are getting the divergence.
There is likely some risk that a new feature you want will be in the pfSense Plus version instead of the community version. Netgate has been addressing that in the FAQ. That is the same type of risk we see with the move to TrueNAS Core. At the end of the day, keeping the open-source userbase is a huge marketing vehicle for the project, so keeping the projects alive is important. Netgate told STH they plan to effectively keep the Community Edition similar to what is currently out there with enhancements over time, but the more rapid feature build-out will happen for pfSense Plus. This is a revenue play.
We are going to have an excerpt from today’s Netgate Blog Post around the FAQ at the bottom of this article so you can read more about it.
Assuming Netgate keeps pfSense Community Edition alive and well, then the community will likely not notice much of a difference. It may create more interest in some alternatives, but that is the nature of an announcement like this. One item we are looking forward to is the option to get a license to the Plus version on one’s own hardware. If the concept is to get many customers by offering a low-cost license structure, then this could be a very interesting option. If the license cost for this is extremely high, then it will make the jump from CE to Plus extreme and that will alienate a lot of folks. Time will tell how this holds up.
For many, the biggest part of this announcement is going to be that pfSense 2.5 is going to be released in February 2021. We covered the pfSense 2.4 release in October 2017 so this has been a long time to wait for another major dot release. pfSense 2.3 was released in April 2016. pfSense 2.2 was released in January 2015. It is good to get a new version out since that is a very long wait.
Below we have the pfSense Plus Launch FAQ. We are keeping a copy here if you want to use it as a reference for what was promised at the outset, and how the project tracks over time.
pfSense Plus Launch FAQ
Here is the FAQ we received from the Netgate team around the time of launch. We suggest looking to the official FAQ for any updates:
1. What is pfSense Plus?
pfSense Plus is the new name of Netgate’s productized version of pfSense software, previously referred to as pfSense FE. It will be made available to Netgate appliance and CSP customers, and over time, will have an evergreen secure networking feature set, performance enhancements, and manageability advancements not available through pfSense CE releases or project code. The product will become more powerful, flexible and easy to use over time, as it is re-architected to move beyond the limitations of pfSense open source software.
2. Why did Netgate make this change?
There are two primary reasons.
First, demand for new secure networking features, performance improvements, management and automation capabilities outstrip the capabilities of existing software design, which dates to 2004.
Second, the code changes necessary to deliver the above capabilities will be disruptive to users of the open-source code base – especially those dependent upon private forks for their own needs. pfSense has a smorgasbord of features and functions that Netgate will need to update, replace, or delete. These code modifications will not always immediately serve the open-source community. Rather than force the community to quickly follow, Netgate can better serve its customers and the broader community by moving the pfSense Plus stack forward to support product advancement, without disrupting the code base that community members rely upon today.
3. What happens to pfSense FE?
pfSense FE – the historic fork of the pfSense open-source project that Netgate has pre-installed on its appliances, and via public cloud service providers – will be replaced with pfSense Plus.
Existing Netgate customers running pfSense FE will be able to upgrade to pfSense Plus from the user interface.
4. When will pfSense Plus be available?
The first release of pfSense Plus will be available in February, 2020, as Release 21.02. The ‘year.month’ release numbering convention aligns with that of TNSR – Netgate’s high-performance software router product – since its first release in 2018. We have come to prefer this approach, as our customers can easily identify the relative currency of their operating software.
5. Are pfSense Plus Release 21.02 and pfSense CE Release 2.5 the same thing?
Initially, they are close, but over time they will diverge. pfSense Plus Release 21.02 will be based on pfSense Release 2.5, with added crypto offload for IPsec using QuickAssist Technology (QAT) or EIP-97. Other historical differences will remain, i.e., pfSense Plus will also continue to include an AWS VPC Wizard, and an Apple IPsec Wizard.
In subsequent releases, pfSense Plus will increasingly diverge from pfSense CE – leveraging a newer and more robust secure networking software stack, which allows for feature, performance, and manageability expansion well beyond the limitations of the current stack.
6. What kinds of new capabilities are envisioned?
pfSense Plus will grow to incorporate features – like the following – requested by our end-user and managed service provider customers:
- Business level dashboard/reporting
- 802.11ac and 802.11ax wireless access point support
- Improved packet filter performance
- New GUI architecture
- GUI / device control separation, which facilitates multi-instance management
- Modernized look and feel
- Zero Touch Provisioning for easier drop ship of unprovisioned appliances
We expect to publish a high-level roadmap soon. If you would like to be informed when it becomes available, simply sign up here. Further, we are always open to product / feature input. We actively monitor for, and solicit, this input through our social media channels and user surveys.
7. Will pfSense CE releases continue?
Here is what to expect relative to the pfSense project, and Netgate-provided CE releases therein:
- Netgate will continue providing stewardship and resources for the pfSense project, just as it has since 2012
- pfSense project code will continue to be available on GitHub, and will remain Apache
- Netgate will continue to support the project with code contributions, particularly with respect to security vulnerability protection, FreeBSD related updates, common code,
- While Netgate will focus most of its efforts on pfSense Plus, there will continue to be releases, snapshots, and updates of pfSense CE
- The frequency of this support will be evaluated on an ongoing As an example, we already anticipate there will be a 2.6 release in 2021 to provide 1) the necessary upgrade path to pfSense Plus for instance types beyond those already covered, 2) hardware support updates, and 3) bug fixes.
8. Will pfSense Plus releases come out on a more regular basis than pfSense CE Releases did historically?
Yes. Going forward, pfSense Plus customers will be able to reliably manage their IT infrastructure changes around three releases per year – planned for January, May, and September.
9. Does this mean Netgate is abandoning its open source heritage?
Absolutely not. Nothing has changed about our strong belief in, and commitment to, open source software. This is best expressed by specific evidentiary statements:
- We are proud of our long heritage of giving back significant financial sponsorship, engineering and test resources, and upstreamed code to numerous open-source projects. Our project list includes Clixon, DPDK, FD.io/VPP, FreeBSD, Free Range Routing (FRR), Linux, pfSense, and strongSwan.
- Netgate currently employs or contracts many developers with roles in the FreeBSD, pfSense, Clixon, and VPP/FD.io Their contributions and responsibilities include development, administration, maintenance, release engineering, and foundation board membership. These developers, and many more at Netgate are regular contributors to these projects.
- Netgate directly co-sponsors feature Very recent examples of contribution include: kernel-resident WireGuard, QAT and EIP-97 crypto-offload, and Intel i225 ethernet drivers for FreeBSD, and a VRRP plugin for FD.io’s VPP.
10. What if I am running pfSense on a CSP partner platform, e.g., Amazon or Azure?
If you are running a paid instance on either CSP partner platform, it is, by definition pfSense FE.
pfSense Plus will be offered on Amazon and Azure marketplaces at the same prices as Factory Edition is offered today. Pricing varies based on the underlying cloud compute instance. Both cloud service providers (CSPs) have their own software longevity policies. You may continue running your current pfSense FE instance into perpetuity. You will not be forced off. However, if you upgrade a deployed CSP virtual machine instance of pfSense, it will be upgraded to pfSense Plus 21.02. Further, new CSP virtual machine instances going forward will only be pfSense Plus releases.
11. Can I get pfSense Plus for my own hardware or virtual machine?
Today, pfSense Plus 21.02 is only available on Netgate appliances, AWS, and Azure platforms.
We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner.
There will be a no charge path for home and lab use, and a chargeable version for commercial use. (Source: Netgate)