Navigating to Buy pfSense +

JeGr

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

I'd agree for most things, but I also know (and I'm surprised myself) several power users, that loved helping test versions and submitting bugs etc. with Plus that will get stranded when no Plus subscription for home/lab use is possible anymore. That's a really bad move for development issues. Also many - me included - power users use Plus as a few functions are locked behind that version, like QAT support in hardware (which OPNsense hasn't locked into their business version) and if you have a gigabit line (fibre is coming to more and more people) and want to run a VPN on your hardware supporting all those bells and whistles (like QAT) it doesn't work in CE.

So if next CE gets QAT and stuff unlocked - OK, then it'll really be a nothingburger as then it's only the faster updates and I could ignore that at home. No problem. But for those with large labs like us that tests various configs etc. in labs on the appropriate versions and in various setups, that is a huge blow :(

Would really like to see at least a possibility for netgate partners to still get Lab versions so they can test shit for their customers instead of being left stranded to using hardware (sorry, we can't afford dozens of hardware boxes to stay on different versions to test things through) or cloud images that where we don't control the data. That would effectively disable every testing and debugging method we currently have and also disable ways to produce and test packages against the Plus versions as we can't test them anymore. :(

Edit: Also - OpenVPN DCO. Taking both out and effectively pushing them behind a paywall now - and one that is quite high without a home user level license - is really exactly that, what people have been afraid the whole time. And as both things are simply available in FreeBSD as well as in other firewalls makes it that much harder to argument for your case.

bingo600

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

I don't really need/use any of the Plus features (Boot ENV is nice , but i can make my own snapshot if needed).
My issue is that i have doubts regarding CE being maintained, and also if CE will survive .... Since it has become clear that Plus is where the BIG money is.

If you aren't a "Home user" this is a smart move, as 2 years of subscription will pay for a 6100.
Netgate have efficiently "killed all Corp White Boxes" in one move, despite a clear promise of a soft "$129" transition period.

If i were to get new HW for the company, i'd certainly recommend Netgate HW.
But what will be next ......
I can't recommend a business that makes 180 degree turns all the time.

And IMHO Netgate have made a "Redhat RHEL --> Fedora" on the "Home Plus" users ....

My Corp Network team has been "hovering" on my lab, wanting to switch to Firepower (we have a huge discount).
Until now i have been able to fight them off. But maybe not for long with the new pricing.

I'll be looking at the "Dark side", and test during the next weeks.

I keep hearing a phrase that pops up ... It's not 42, but : Goodbye and thanx for all the F...

/Bingo

michmoor

Everyone here is making very valid points and kudos to being more logical than on the Reddit space.
That said this entire fiasco was so poorly communicated that its a bit unnerving.

$399/yr for Boot environments is not a good sell. Cool feature but pay walling it behind that price point is illogical. Not really sure who thought that was a good idea instead of sticking to their own stated price point of 129/yr. I hope that changes but yikes.
I implement Netgate devices so I'm unaffected but i do have empathy for the large homelab and personal use end-users out there. I know other implementors who push Netgate because of the experience they had at home (which is a value add to Rubicon) but this has them thinking...If they can change the terms all of a sudden then whose to say they wont do it with paying customers? There is precedent set now. That's a very fair critique which is why having a good communication strategy before pushing any changes is a good idea but as history as shown especially recently, Rubicon/Netgate really struggles with this critical part of their business. I am continuously baffled why they choose(it's a choice at this point) not to engage with the user base.

[edit] Thinking about why they choose not to communicate i think its largely because they dont have to. Within the limited area that they operate in [certainly not in the F500 or 1000 companies i serve on occasion] and who their competition is where are people going to go? Sure you got the other *sense out there but for businesses who care about price point, the lowest im willing to go vendor-wise is honestly Netgate. Still not a reaosn not to engage.

[edit2] One last edit. This couldve been avoided a year ago if pfsense+ was only available on Netgate hardware. Trying to upgrade custom builds to this Plus version turned out to be a mistake obviously and purposely pushing customers to do it was also not smart. Now we are where it shouldve been from the beginning. pfSense+ is available only on Netgate hardware (nobody is paying 399 to upgrade) while CE can be used on your whitebox hardware. Totally fair.
Seriously tho, they need to get better at messenging....

NollipfSense

@JeGr said in Navigating to Buy pfSense +:

So if next CE gets QAT and stuff unlocked - OK, then it'll really be a nothingburger as then it's only the faster updates and I could ignore that at home. No problem. But for those with large labs like us that tests various configs etc. in labs on the appropriate versions and in various setups, that is a huge blow :(

Excellent point, thanks for sharing!

NollipfSense

@michmoor said in Navigating to Buy pfSense +:

That said this entire fiasco was so poorly communicated that its a bit unnerving.

Agree, we're all friends of Netgate and communication is what keep relationships growing...

wgstarks

Just in case anyone hasn’t seen it, Netgate has made an official announcement.
link text

Cylosoft

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

Exactly. If CE is maintained then who cares. Run CE at home and move on. Really the $129 option is more about supporting development than getting me features. If Netgate doesn't want the support from the home uses that's their decision.

SteveITS

@machbot said in Navigating to Buy pfSense +:

@mfld said in Navigating to Buy pfSense +:

I just hope the config.xml versioning is the same between 23.05.1 and 2.7.0-CE

It is, I trialed a restore earlier and all went well, no errors.

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

michmoor

@SteveITS
I think its two things that needs to be addressed

1. Pricing back to the stated price of 129.
2. The harder part but clearly theres an issue with tracking registration. If cloning the image circumvents the process then it wasn't a good process to begin with. Not sure how other companies are handling this but obviously installing or swapping a NIC shouldnt invalidate a license but it does.

As i mentioned before I think where we are now its probably the best way to have access to Plus. If you want/need plus get the official hardware otherwise you are on CE. I say keep it like this.

Darkk

@SteveITS said in Navigating to Buy pfSense +:

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

Yep, without the ability to get the updated token due to hardware changes unless we fork out for the $399/yr subscription isn't going to go well for home/lab users. I personally wouldn't mind paying $129/yr for TAC Lite as I want to support it. FYI I do buy Netgate appliances for our branches at work so I know those won't be affected by the changes.

I am just more concerned for folks like me who uses this for home labs. I've been using pfsense (used to be pfDNS in the early days) for 15+ years so want to keep using it for my home lab.

Also, I saw a post on Facebook which brought me here so no doubt there will be posts there as well.

jrey

@SteveITS said in Navigating to Buy pfSense +:

Plus unregistering after hardware changes trigger a change

So since that can't happen on a Netgate sourced device ..

Will Netgate be taking steps to mitigate the possible actual discloser of the coveted NDI by all packages that appear in the available packages list?

The entire NDI value has been a scatter broadcast to various "open source" servers for a long time and therefore represents a problem. One could only guess how that could be compromised should the NDI list fall to the wrong hands (inadvertent or otherwise)

It strikes me as odd that you have a setting the allows an opt-out protecting it from yourself, but yet allow packages to broadcast it anywhere they want.

login-to-view

on the one hand "security" and "NDI value" - on the other, opens trench coat - psst ya wanna buy a watch.

as I also said else where earlier today, but worth repeating on this thread:

Understood, I had not read the recent blog post to which you refer,

It won't impact me. I'm licensed. It will certainly impact a lot of "home" users and impact (likely in a negative fashion) and Netgate's ability to solicit and maintain the support of the open source concept.

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

Netgate will likely come to a fork in the road where they have to decide (stay open or closed) good and bad in each of those, both them and users.

disclaimer, I have no vested interest in Negate. Could continue to "run" with or without their device and/or software. They will obviously proceed in a direction they feel best for their model. And users will ultimately do the same.
I've already crossed the bridge regarding the use of Netgate in certain situations, because of those potential failures and in those cases we use just use different products

Amodin

Well, this frankly sucks.

I just got here after being with Astaro/Sophos for over 20 years and after they EOL'd their UTM, I decided to make a switch to pfSense Plus, because it appeared that avoiding CE was the right thing to do.

Looks like it's time to go fishing again, and I just got here. Gotta call my friends and warn them about this as well... I brought them with me and now I feel responsible for finding a new solution.

michmoor

@Amodin why cant you do CE?
What specifically was a feature you needed on Plus that you cant get on CE?

Darkk

@Amodin said in Navigating to Buy pfSense +:

Well, this frankly sucks.

I just got here after being with Astaro/Sophos for over 20 years and after they EOL'd their UTM, I decided to make a switch to pfSense Plus, because it appeared that avoiding CE was the right thing to do.

Looks like it's time to go fishing again, and I just got here. Gotta call my friends and warn them about this as well... I brought them with me and now I feel responsible for finding a new solution.

I wouldn't jump ship just yet. The Plus version on white box device will continue to operate. Just it'll be a question of getting updates without a "paid" subscription in the future. If Netgate offers either $50 or $129 per year subscription for updates I think it'll work well with the home lab community. I think the $50/yr will be easy pill to swallow for non-commercial home labs. So it's wait and see what Netgate decides to do.

GPz1100

@Amodin Same here. Seven year user of UTM home. I haven't even begun the change over yet. Not sure what direction to go now.

I have an instance with the plus token already installed, but even it's direction is unclear. NG's blog post wasn't entirely clear what happens to pre-existing plus installation long term. Will it mirror the commercial plus version of be castrated of certain features/updates.

As for PF hardware changes, it appears the entire algorithm is based on nic mac address and quantity. That is, changing a mac breaks the token. Doesn't even matter if that nic is physical or virtual (tested both ways). Not sure how the resellers were getting away with cloning, unless they're burning the same mac's into all of their boxes.

Good luck!

SteveITS

@michmoor said in Navigating to Buy pfSense +:

What specifically was a feature you needed on Plus that you cant get on CE?

That's my basic question in all this. And more importantly, what other solution does have that missing feature?

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Darkk

@jrey said in Navigating to Buy pfSense +:

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

To be honest this is true on any security device. Taking someone like me who manages Fortigate firewalls in our enterprise environment I've had my fair share of their recent security fiasco and constant update after update in short period of time. I was like why aren't they QA'ing their code before releasing it? Who knows.

Point is even bigger companies like Fortinet have their own set of issues. Cisco and few others. It's the home lab community like us with pfsense that help test and report bugs. Even suggest new features.

Bob.Dig

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and

But it has been said in the past, something like "laying it in the hands of the community..." which isn't a real thing.

GPz1100

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Steve, I've seen this happen with sophos UTM (both home and commercial product). For the last many years, new features have been minimal to none. Mainly security and some bug fixes. I'd say it's even fair to say the platform has been on life support for many years now (as a user of it for 7). Earlier this year sophos finally announced an EOL date - 6/2026. Three years from now. While support/updates are minimal, at least there is some support.

I have a feeling the same will be seen with the CE version. NG's press release used the term "may". By now we all know what "may" really means.

Amodin

@michmoor said in Navigating to Buy pfSense +:

@Amodin why cant you do CE?
What specifically was a feature you needed on Plus that you cant get on CE?

It's really not about 'features' at this point, it's principles. I don't need the boot environment feature.

From my understanding while researching a new solution after deciding to get out of Sophos, CE is apparently an afterthought of sorts and doesn't stay consistently updated. Plus was more updated to stay current, that's important to me. I don't want to use something that I use for a solution that isn't being updated.
You're missing all the buzzy PR word usage they are applying to CE and this continued use of Plus. There's no question in my mind that free/home use is going to be phased out down the road. They of course won't come out and say that - dangling carrots and all. I get it - it's a business model that generates revenue. I'm not interested in paid support - if I have a problem, I'll fix it on my own, wait for a fix if it's not mission critical or replace it.

The community that is faithful to this project are the ones that are paying the price because of resellers. Instead of tackling the problem, they are tackling the user-base. I have a problem with that. Like I said, principles.

@GPz1100 said in Navigating to Buy pfSense +:

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Steve, I've seen this happen with sophos UTM (both home and commercial product). For the last many years, new features have been minimal to none. Mainly security and some bug fixes. I'd say it's even fair to say the platform has been on life support for many years now (as a user of it for 7). Earlier this year sophos finally announced an EOL date - 6/2026. Three years from now. While support/updates are minimal, at least there is some support.

I have a feeling the same will be seen with the CE version. NG's press release used the term "may". By now we all know what "may" really means.

This right here. I left Sophos for this very reason - empty promises and about principle. I understand them wanting to EoL the UTM product, really I do. But they were pushing their users into something that many of us proved to them wasn't ready and their new product is absolutely sub-standard. They ignored us, and continue to flounder like fish out of water, IMHO.