pfSense adding WireGuard VPN and pfSense Plus

pcmoore

Granted this is a negative take, but I've seen enough press releases like this that I suspect pfSense CE has now started down the path of software death with steadily decreasing feature and bug-fix updates. It looks like pfSense Plus is now The Way with some no/low-cost options for us home lab folk. This excerpt from the FAQ is most interesting:
> 11. Can I get pfSense Plus for my own hardware or virtual machine?
>
> Today, pfSense Plus 21.02 is only available on Netgate appliances, AWS, and Azure platforms.
>
> We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner.
>
> There will be a no charge path for home and lab use, and a chargeable version for commercial use.

Not only does Netgate plan to support pfSense Plus on third party platforms, they also plan a no-charge path for home/lab use. At this point I have to wonder if this is simply a semi-polite way for Netgate to drop the Open Source / Community obligations with pfSense CE?
 

pcmoore

> I switched over to OPNsense a long time ago to get wireguard support.
> It's definitely worth considering ...

I've been debating that for some time now, but I don't look forward to migrating my pfSense configuration. Are there any tools to help import an existing pfSense config into OPNsense?
 

Vesalius

> I switched over to OPNsense a long time ago to get wireguard support.
> It's definitely worth considering - OPNsense® a true open source security platform and more - OPNsense® is a true open source firewall and more

OPNsense wireguard is a slower user space implementation, right? No real benefit over openvpn in speed. OPNsense is still pretty far behind the latest FreeBSD kernel, so it may be a while before they get optimal wireguard speed.

Netgate isn’t perfect, but to their credit they did a lot of the heavy lifting to get wireguard in the FreeBSD kernel and are now going live with their work in pfSense 2.5.
 

niekbergboer

What is the current state of VirtIO networking when running pfsense as a guest? On 2.4, IIRC, you'd still need to switch off the various offloading features on pfSense. Has the FreeBSD kernel improved on that point?
 

sth

> At this point I have to wonder if this is simply a semi-polite way for Netgate to drop the Open Source / Community obligations with pfSense CE?

I suspect it is; the CE version still exists but receives less development, and new features go into the more restrictively licensed Plus version. It stops forks leveraging Netgate's development efforts.
 

i386

I am not sure what to think about "premium" version of open source software, especially with the news about elasticsearch & amazon in the last few days (and before that with mongodb)...
 

zer0sum

> OPNsense wireguard is a slower user space implementation, right? No real benefit over openvpn in speed. OPNsense is still pretty far behind the latest FreeBSD kernel, so it may be a while before they get optimal wireguard speed.
>
> Netgate isn’t perfect, but to their credit they did a lot of the heavy lifting to get wireguard in the FreeBSD kernel and are now going live with their work in pfSense 2.5.

It should still be faster than OpenVPN, even though it's in user space at the moment :)

Kernel implementation will happen just after pfSense once it gets backported to HardenedBSD, so it should be 21.1.x early this year.
 

pcmoore

> I am not sure what to think about "premium" version of open source software, especially with the news about elasticsearch & amazon in the last few days (and before that with mongodb)...

As someone who has been employed for ~15 years to work primarily on Open Source software projects, my experience has been that the most successful endeavors - in terms of project longevity/community, customer satisfaction, and business profitability - have come from projects where the profit comes not from the software itself but from an adjacent value-add. Things like proper enterprise level support, well supported hardware, etc.

Of course there is a lot more nuance to it if you dig deep, but that's my elevator pitch :)
 

RTM

I suppose it all comes down to how much it is going to cost.
Given they cancelled the old pfSense Gold subscription system, I imagine it will be more expensive than that used to be.

I doubt I personally will be making much use of the no-charge "home/lab" path, as I like being able to do commercial work, should I want to, from my network, without having to consider that I am using not-for-profit licenses.

At the end of the day, I am not too thrilled about this announcement, I was hoping to see API functionality soon, and this all makes it sound like if they make one it will be behind a paywall.

I believe they should have given us some more detail on the cost of the program, so we did not have all this FUD. It seems awfully similar to what IBM/Red Hat did with CentOS.
 

Pri

The things they've announced about pfSense+ features sound really great, things myself and others have wanted for a long time.

But... this new version that has all this new great stuff is closed source which feels like a betrayal of the project. They keep saying on reddit that the community edition will continue to be available but they're also saying all the new features people want will be in the pfSense+ version ... which is closed.

This just feels like they put the community version on death watch to me. The thing is, I'm happy to pay for community edition. I'm not looking at this as open source = $ free. I'm looking at it as: we get a better product when we can all view and contribute to the code, we get more security when we can pay to have the code audited by a professional overseer, etc.

My other concern is what happens in 2-3 years from now when they do something the community really doesn't like with pfSense+. We can't just fork it and continue it in a direction we prefer because years of development at that point will have been closed off from us.

Their rationale for making pfSense+ closed source seems all over the place. On the FAQ they are talking about protecting current forks of pfSense community edition from the drastic changes they're planning with pfSense+. To that I think .. why not just start a brand new open source repository called pfSense+?

But then on reddit they are saying that the additions to pfSense+ that the community edition won't have are "netgate value adds" indicating they don't want to share their new code for business reasons.

Two completely different reasons and the second one I do understand but they also have to understand that doing this to pfSense that has been open source the entire time (except for these so-called FE builds on their own appliances) is not a good look. You can't put the genie back in the lamp.

Many of us in the pfSense community have contributed in the ways that we can. I've personally created threads that explain how to do complex things with pfSense. I've even had Netgate's own employees link their own customers to my guides for the firewall (how to set up load-balanced OpenVPN clients with complex rules, safety and privacy guides, DNS leak guides, etc.).

And I made these guides not just because I loved the product but because I felt like I was helping to push people towards using an open source product and accomplish the things they wanted without having to turn to a closed source appliance, that was important to me.

So now what? I guess I just shift to OPNsense now. Start recommending it, deploying it, making guides for it.. I'm honestly saddened that Netgate doesn't understand what they have, all the enthusiasm people have for it being open and a true community driven effort to make it popular.

Now it's just another in a long list of closed source firewalls.
 

kapone

All I can say is...it is their choice to do what they want.

That said, it is our choice to do what we want.

Time will tell which choices were better for everybody.
 

beren

> It should still be faster than OpenVPN, even though it's in user space at the moment :)
>
> Kernel implementation will happen just after pfSense once it gets backported to HardenedBSD, so it should be 21.1.x early this year.

Looks like the official version can be used experimentally in opnsense now, according to https://www.reddit.com/r/OPNsenseFirewall/comments/mh7utb