How are packages supported

michmoor

@Gertjan @SteveITS
Thank you both for the feedback. Really appreciate it.
The goal of my post was to figure out what the delineation is for support of packages within pfsense.
How should the community view them? Should we rely on them when operating a business? Squid has/does have many challenges but there are businesses that rely on it. Should they have an expectation that the package will be supported (regardless of upstream CVEs that seem to have been mostly addressed)?
What about all the other packages such as HA Proxy or FRR? @Gertjan I love your analogy with the Apple store.
If FRR doesnt address certain CVEs does pfsense now no longer have dynamic routing support? Just seems like a fine line between support of a package and removal of it and thats concerning.

AlternateShadow

After being a long-time user and Netgate customer I finally registered on this forum just to reply to this thread, after I came across it while dealing with the Squid situation. In my industry we don't much care about caching but the kind of url filtering provided by SquidGuard is a nonnegotiable requirement.

My expectations for what packages Netgate should support are pretty simple. If the features being advertised to sell their products on pages like this

https://www.netgate.com/pfsense-features

this

https://www.netgate.com/tnsr-vs-pfsense-software

and this

https://shop.netgate.com/products/1541-base-pfsense

depend on a package, Netgate has a responsibility to their customers to provide some level of support for that package.

This thread is the first time I've seen the supported packages page @michmoor linked to in the original post and the fact that they don't even provide TAC support for many of the packages underlying the key features they are advertising is really telling. After years of being happy with their products, using them internally and recommending them to others, this is the first time I'm considering removing them from the shortlist of vendors for our next deployment. We're still trying to figure out how to replace SquidGuard, but if we can't figure out how to do that within pfsense we'll likely rip out all the current installs and replace them with something else as well.

michmoor

@AlternateShadow
This is entirely the reason why i started this conversation. There is a gray area here where there are packages that are being advertised but arent really supported.

Take for example threat prevention - Snort/Suricata. Its advertised as a feature of pfsense. But what is not stated is that its maintained by a single individual who does so out of respect to the open source community which i truly appreciate. The problem is when that volunteer decides to no longer be active in maintaining the package. Now what? Who pushes feature requests? Who does bug fixes? Why advertise a feature that essentially you dont support even under a TAC subscription? Its really odd.
The takeaway i have is that any package that specifically says "Maintained by Netgate" that is the package you can safely install. Any package that does not have that is not supported and should not be installed at all - that means Squid / Suricata/ Snort / pfblockerNG / HA Proxy - basically all the popular packages because they are not at all supported under a TAC subscription which makes them pointless to have on a production system.

In summary, package support is a very gray area on pfsense. Some are advertised within the marketing material but have no official support even if you pay for suppot from Netgate.

AlternateShadow

In my opinion, if you want an example of how this should be handled by a company with a very similar business model, just look at ixSystems with TrueNAS. The features used to advertise the software are part of the core that they maintain and then it is made clear that additional functionality is also available via plugins:

"You can also expand its functionality with a variety of free plugins, like Plex Media Server, NextCloud, Zoneminder surveillance, and many others."

I don't know specifically what kind of support they provide for plugins, but the important thing is that it is clear from the beginning what is part of the product they are providing and what isn't. As a result, everyone can set they're expectations appropriately.

Netgate's approach makes me imagine a car company selling me a sports car and then when the brakes fail saying "Sorry, those pads are made by Brembo so we don't support them." That's an entirely fair response if I added the pads as an aftermarket accessory, but it is another thing entirely if the car was advertised and sold as coming with Brembo pads as OEM equipment.

michmoor

@AlternateShadow
I agree.
For comparison here is how packages are supported elsewhere as well
https://docs.opnsense.org/support.html
This is a much better and very clear documented way of telling a community where the support is and is not. Right now, Netgate is very ambiguous with the support as we see with plugins like Squid.

This is not a discussion of which platform is better but simply how the support of the platform and its packages are carried out.
I used the term gray-area when it comes to netgate plugin support and im being nice when writing that but your description is accurate about the brakes on a sports car.

JonathanLee

@AlternateShadow Netgate products when I purchased them advertised proxy use. The Vector W8 I mean firewall was sold to me with the K&N air filter and the Brembo breaks I mean Proxy web caching support.

michmoor

@JonathanLee said in How are packages supported:

Netgate products when I purchased them advertised proxy use.

Thats why im saying to be very careful about the packages you install and rely on. It is not clear what is supported internally and what isnt.
This site here can be a guide:https://www.netgate.com/supported-pfsense-plus-packages

But as I mentioned above any package that has "Maintained by Netgate" you can install, submit redmines and get developer movement (in my experience).
Any package that doesn't explicitly say it's maintained by netgate but instead has nothing or has "Netgate TAC Support can only assist with the installation of this package." that is a package you dont want installed as there is no internal support for it. That includes Suricata/Snort/pfBlockerNG,HA Proxy. So if your business relies on any of those packages find an alternative because there isnt support for them at all. Purchasing a TAC subscription doesnt give you that at all which is very scary. Whats the point then if i can pay to get openvpn support but the best i can do for a Snort bug is go to the forums to seek out the maintainer's assistance? You have to hope that they are available but then you just paid $500USD for a subscription that doesnt cover your use case. Very confusing.

What makes this all confusing and maybe just a tad backhanded is the marketing clearly makes it seem that these are supported features: https://www.netgate.com/pfsense-features

This is far from true as we are learning with Squid. The threat prevention section needs a huge and bolded asterisks because it can technically do it but there is no support for it. Install at your own risk.

one last edit. In the package supported section it states "Netgate supports packages maintained in-house and others that have been proven to work well with our software."
This is somewhat true. There are quite a few feature requests and bugs open for pfBlockerNG but who supports it? The redmine tickets are unassigned but you could reach out to the maintainer via Paetron. So what is the official pathway to get package support for it? Do I pay the TAC subscription and still open a redmine? Do i reach out via Paetron? This is a popular package but there is no clear pathway for support.
Again, this is all very confusing and the marketing + documentation needs to be clear.

Gertjan

@michmoor said in How are packages supported:

This is far from true as we are learning with Squid

Maybe it's just me, but when I look at "squid" (here ?) it isn't a surprise that that project is bigger as the entire 'pfSense' (I'll exclude the FreeBSD kernel part for 'reasons').
I've no difficulties at all to understand that Netgate can't just 'do what has to be done' to take care of any "squid" issues.
I've seen it with Debian, an OS I'm using daily for our server needs : if a package exist for something I need to do, that fine. It did happen many times that packages get removed while I was using them because the Debian authorities had their reasons, mostly because 'non maintained' or pure 'non addressed security concerns by the authors'.

AlternateShadow

@michmoor said in How are packages supported:

There are quite a few feature requests and bugs open for pfBlockerNG but who supports it? The redmine tickets are unassigned but you could reach out to the maintainer via Paetron. So what is the official pathway to get package support for it? Do I pay the TAC subscription and still open a redmine?

I currently have a ticket open with TAC to find out what their recommend replacement for SquidGuard is. The solution they have recommended is to use pfBlockerNG, however, in the same reply they explicitly stated that pfBlockerNG is not supported so if you choose to use it assume that you are on your own.

michmoor

@AlternateShadow
Yep. pfBlocker isnt a great alternative to Squid when talking about per-client filtering and looking into a URL path to see content and detect viruses.
Funny enough i have a Redmine ticket for a feature request for pfblocker to do per-network filtering similar to what pi-hole can do [groups/clients] but because redmine doesn't seem to be the best way to reach out and get the support i guess is to use pateron?? i dont know..why is pfblockerNG listed in redmine then? This is confusing.

But the TACs response lines up with what i see the support model being which truthfully isnt great. Again the TAC support page says it supports pfsense plus software....but what does that mean? 3rd party packages?

michmoor

@Gertjan
I think the conversation is pivoting to more with what my concerns are. Dropping support for a package is one thing but indicating you have support in marketing materials but you really dont is another.
Support of whats in the repo is not clear.

JonathanLee

Every one of the community packages for me worked perfectly. I purchased this as an educational tool, as PfSense was taught by a Professor in class. The packages where not covered only the access control lists. But the packages is also what makes Netgate shine. I am very thankful to the team that made them. Me yeah, I am stuck at 23.05.01 as it was the last version that worked for me. I still recommend PfSense. I started on Cisco PIX systems years ago.

Now that I am in computer science, this educational tool still has much to offer. No code is hidden, everything is accessable, any errors you can submit to Redmine for review, there is a very positive community.

Sure I am sad about Squid, but once I get more skillsets I am sure going to try to help. I have some feature requests in on Redmine that would improve Squid's easofacess.

Again, support will come and go packages will come and go. I am sure support will come back.

Netgate has what big tech doesn't, clear visibility and understanding with open source code nothing is hidden, and a community to help. It doesn't hide what it's doing, it doesn't empty a home users wallet. It's affordable for to purchase an official appliance, yes it's a pain to configure at times packages like Squid.

We have to remember every package is someone donated time, they didn't get paid for it. They just want to help. Packages are altruistic.

SteveITS

@michmoor said in How are packages supported:

why is pfblockerNG listed in redmine

All packages are. Also Netgate devs do occasionally fix things in non-Netgate-maintained packages.

https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-pfBlockerNG :

I totally get the points raised. I would just observe that the point of open source is a community effort, so is this entirely under Netgate's control/purview, or not. Would it be great if there were multiple people working on each add-on package? Sure...the "hit by a bus" scenario. Is everyone on this thread able and/or willing to contribute time and expertise? No. I'm sure it's only a small percentage of programmers.

https://www.reddit.com/r/chaoticgood/comments/mjsmv9/gamer_gets_himself_hired_just_so_he_can_fix_a_bug/

JonathanLee

@SteveITS maybe that's why it's open source, very few understand, and less so can program for it. The hit by bus situation is like a time bomb as many of the 80s original programs are retiring, and lot's of companies didn't expect to have to explain closed source tools maybe this is what forced their hand. Let's face it cyber security needs are growing everyday, and the original ideas the code could also be lost without new talent. The foundation was layed, but it still needs to be built upon to keep up with nation state actors.

Security vs Support vs need for new talent vs new equipment vs trust vs regulations. It's a balancing act on a tightrope that needs guardrails at the same time.

Where is the next generation? Are many caught up in smartphones gaming technology? I want to help, but again there is a learning curve, what tools are use to debug so on, how can it be tested? The list of questions for a computer science student just grows and grows.

michmoor

@SteveITS said in How are packages supported:

https://www.reddit.com/r/chaoticgood/comments/mjsmv9/gamer_gets_himself_hired_just_so_he_can_fix_a_bug/

ROTFL. I love that. hahaha.
Sometimes man...You have to just take matters into your own hands.
I appreciate the commitment that was had there. Pro moves

JonathanLee

Take me for example I hate the privacy abuse with the advertising, I do not like this panopticon feeling. I hate looking up something and for days after it's advertised on every website after. It's absolutely absurd and abusive, California makes laws and advertising companies don't care. I block it out now and it probably pisses someone in big tech off to a point they want to break tools or publicly release lists of vulnerabilities. Is California law making the rules or angry big tech? Do some users block out every single advertisement? Edge browser now does that for you, so again now Microsoft is allowing users to block out all advertising. It's like a wild West in places. I don't care about advertising, I just hate companies that flat ignore opt outs, and keep profiling users like we have no rights.

Leading to what tools and packages should even be allowed for users?

AlternateShadow

@SteveITS said in How are packages supported:

Is everyone on this thread able and/or willing to contribute time and expertise?

What about those of us who contribute money? I'm paying netgate to contribute their time and expertise so I don't have to. My criticism is that there seems to be a discrepancy between what they are selling to their customers and what they are delivering.

JonathanLee

https://redmine.pfsense.org/issues/14998

This would simplify Squid. I want to help add some code to Squid for this, as soon as I get more experience.

JonathanLee

@AlternateShadow I agree as I was under the impression Snort's maintainer was paid for his work. I would have donated my Snort subscription cost directly to him knowing this now. But I can't do that, it has no Donation button in Redmine or GitHub. He deserves it. I felt so bad when I learned he donated his time to support it unpaid. It's so professional, clean it's amazing. It was misleading for me.

michmoor

I wish someone from Netgate could respond here and set expectations.

Im looking at the site and it says that pfsense can do Threat Prevention. But what it really means is you can install it but theres no support for it.

So if im a business im thinking to myself looking at the website. I can get hardware for a good price and i can get TAC for a good price that should cover me as i roll this out in my datacenter.
But that same business will discover that there are a ton of caveats. Threat Prevention bugs or features arent supported and you cant open a TAC case for help on that. The correct and accurate response would be to go to the forums and ask for the maintainers help...
Now the business is wondering why it paid money for a TAC sub where it shouldve instead given the money to the maintainer. Also why is the business relying on unsupported packages even though the website made it seem its part of the overall pfsense package?

So whos wrong in that situation? The business or Netgate. The answer is obvious but this is the slippery slope of advertising a package you have no control over.
It needs to be clear to the consumer here. If i bought a SG-6100 in October of 2023 because i am running it in a K12 location and im using Squid...suddenly i get a notification that Squid is being removed from the repo what do i do? Up until recently, Proxy capability was listed on the website. At best this poor marketing. At worst this is shady.