Netgate TNSR New Licensing Model and Gets A Trial Edition

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

RTM

Well-Known Member
Jan 26, 2014
956
359
63
This is a big step forward, but it is also a long way from replacing pfSense.
As I understand it TNSR is not able to do stateful packet inspection, so while it would be a decent router/VPN appliance I believe it is a long way from being a pfSense replacement.
 
  • Like
Reactions: Patrick

Rain

Active Member
May 13, 2013
278
124
43
If you're looking to move away from pfSense (or OPNSense, ect) and can live without a GUI, I recommend giving VyOS a spin (try one of the rolling releases for the most up-to-date version; you can always build the current stable release from source if you want as well).

It is, without question, more complicated to set up and get used to than pfSense, but advanced configurations that are cumbersome (or impossible) to implement in pfSense are usually fairly straight forward with VyOS.

I haven't tried TNSR yet, so I cannot compare the two.
 

blinkenlights

Active Member
May 24, 2019
157
67
28
I was about to post how it was good to see Netgate supporting the hobbyist community again and using a common sense licensing model, then I read this: "Effectively, one gets a 6-month evaluation period. After that, the evaluation is effectively locked-out so you cannot make configuration changes or reboot." o_O

Nope, sorry, even my home firewall needs to come back online after a power outage, internet outage, or planned maintenance. I think most people, especially those with kids doing virtual school and/or spouses doing remote work, would agree.
 

blinkenlights

Active Member
May 24, 2019
157
67
28
If you're looking to move away from pfSense (or OPNSense, ect) and can live without a GUI, I recommend giving VyOS a spin (try one of the rolling releases for the most up-to-date version; you can always build the current stable release from source if you want as well).
It is interesting to see Netgate adopt the opposite pricing strategy of VyOS. In the VyOS world, free users get the rolling updates while subscription users ($1,139 entry level) get the stable version but, as you pointed out, it is possible to build the stable version from source. With TNSR, free users do not get the rolling updates but subscription ($499 entry level) users do.

My $0.03... even with 500/500 fiber service and multi-10 Gbps internal networks, my use case is nowhere the point where VyOS or TNSR would yield a noticeable performance or latency improvement over pfSense.
 
  • Like
Reactions: Rain

Rain

Active Member
May 13, 2013
278
124
43
My $0.03... even with 500/500 fiber service and multi-10 Gbps internal networks, my use case is nowhere the point where VyOS or TNSR would yield a noticeable performance or latency improvement over pfSense.
Depends on what your use-case is, really. Among other things, Site-to-Site VPNs, BGP/OSPF, and traffic policies, are easier to implement in VyOS, in my opinion.

One feature pfSense is severely lacking is something similar to VyOS's "commit-confirm" and a separation from the current, running configuration and the saved configuration. With pfSense, while infrequent and usually (but not always!) user error, I've applied changes that lock, or otherwise block access to, the system. This is particularly hard to deal with, especially if the system is remote; asking someone to go reboot it won't even help (the changes are already saved).

With VyOS, you commit your changes before saving them. If something completely breaks, just reboot the machine. Optionally, if you're making configuration changes on a remote machine, you can "commit-confirm" to commit the changes. Then, if you don't "confirm" the changes in 10 minutes, the machine automatically reboots and loads the previous configuration, allowing you to reconnect. You can also roll back to previous, known-working configuration versions or VyOS versions fairly easily. This is similar to managed switches with a "running config" and a "saved config." You don't realize how nice this is until the first time it saves you from a major headache!

TNSR has the same functionality (TNSR docs), but pfSense completely lacks it.
 
Last edited:

blinkenlights

Active Member
May 24, 2019
157
67
28
Depends on what your use-case is, really. Among other things, Site-to-Site VPNs, BGP/OSPF, and traffic policies, are easier to implement in VyOS, in my opinion.

One feature pfSense is severely lacking is something similar to VyOS's "commit-confirm" and a separation from the current, running configuration and the saved configuration. With pfSense, while infrequent and usually (but not always!) user error, I've applied changes that lock, or otherwise block access to, the system. This is particularly hard to deal with, especially if the system is remote; asking someone to go reboot it won't even help (the changes are already saved).

With VyOS, you commit your changes before saving them. If something completely breaks, just reboot the machine. Optionally, if you're making configuration changes on a remote machine, you can "commit-confirm" to commit the changes. Then, if you don't "confirm" the changes in 10 minutes, the machine automatically reboots and loads the previous configuration, allowing you to reconnect. You can also roll back to previous, known-working configuration versions or VyOS versions fairly easily. This is similar to managed switches with a "running config" and a "saved config." You don't realize how nice this is until the first time it saves you from a major headache!

TNSR has the same functionality (TNSR docs), but pfSense completely lacks it.
Fair enough, but my use case does not require site-to-site VPNs, BGP/OSPF, traffic policies, or even remote management (home network with two dozen devices, rarely spike internet usage above 160 Mbps - can only max out the service with synthetic speed tests). I've been running substantially the same rules and packages for several years.

Let me rephrase the section you quoted:

My $0.03 - for my use case, TNSR does not provide $499/year of benefits :D