How are packages supported
-
@JonathanLee said in How are packages supported:
Netgate products when I purchased them advertised proxy use.
Thats why im saying to be very careful about the packages you install and rely on. It is not clear what is supported internally and what isnt.
This site here can be a guide:https://www.netgate.com/supported-pfsense-plus-packagesBut as I mentioned above any package that has "Maintained by Netgate" you can install, submit redmines and get developer movement (in my experience).
Any package that doesn't explicitly say it's maintained by netgate but instead has nothing or has "Netgate TAC Support can only assist with the installation of this package." that is a package you dont want installed as there is no internal support for it. That includes Suricata/Snort/pfBlockerNG,HA Proxy. So if your business relies on any of those packages find an alternative because there isnt support for them at all. Purchasing a TAC subscription doesnt give you that at all which is very scary. Whats the point then if i can pay to get openvpn support but the best i can do for a Snort bug is go to the forums to seek out the maintainer's assistance? You have to hope that they are available but then you just paid $500USD for a subscription that doesnt cover your use case. Very confusing.What makes this all confusing and maybe just a tad backhanded is the marketing clearly makes it seem that these are supported features: https://www.netgate.com/pfsense-features
This is far from true as we are learning with Squid. The threat prevention section needs a huge and bolded asterisks because it can technically do it but there is no support for it. Install at your own risk.
one last edit. In the package supported section it states "Netgate supports packages maintained in-house and others that have been proven to work well with our software."
This is somewhat true. There are quite a few feature requests and bugs open for pfBlockerNG but who supports it? The redmine tickets are unassigned but you could reach out to the maintainer via Paetron. So what is the official pathway to get package support for it? Do I pay the TAC subscription and still open a redmine? Do i reach out via Paetron? This is a popular package but there is no clear pathway for support.
Again, this is all very confusing and the marketing + documentation needs to be clear.Firewall: NetGate,Palo Alto-VM,Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP,CCNP Enterprise -
@michmoor said in How are packages supported:
This is far from true as we are learning with Squid
Maybe it's just me, but when I look at "squid" (here ?) it isn't a surprise that that project is bigger as the entire 'pfSense' (I'll exclude the FreeBSD kernel part for 'reasons').
I've no difficulties at all to understand that Netgate can't just 'do what has to be done' to take care of any "squid" issues.
I've seen it with Debian, an OS I'm using daily for our server needs : if a package exist for something I need to do, that fine. It did happen many times that packages get removed while I was using them because the Debian authorities had their reasons, mostly because 'non maintained' or pure 'non addressed security concerns by the authors'. -
@michmoor said in How are packages supported:
There are quite a few feature requests and bugs open for pfBlockerNG but who supports it? The redmine tickets are unassigned but you could reach out to the maintainer via Paetron. So what is the official pathway to get package support for it? Do I pay the TAC subscription and still open a redmine?
I currently have a ticket open with TAC to find out what their recommend replacement for SquidGuard is. The solution they have recommended is to use pfBlockerNG, however, in the same reply they explicitly stated that pfBlockerNG is not supported so if you choose to use it assume that you are on your own.
-
@AlternateShadow
Yep. pfBlocker isnt a great alternative to Squid when talking about per-client filtering and looking into a URL path to see content and detect viruses.
Funny enough i have a Redmine ticket for a feature request for pfblocker to do per-network filtering similar to what pi-hole can do [groups/clients] but because redmine doesn't seem to be the best way to reach out and get the support i guess is to use pateron?? i dont know..why is pfblockerNG listed in redmine then? This is confusing.But the TACs response lines up with what i see the support model being which truthfully isnt great. Again the TAC support page says it supports pfsense plus software....but what does that mean? 3rd party packages?
-
@Gertjan
I think the conversation is pivoting to more with what my concerns are. Dropping support for a package is one thing but indicating you have support in marketing materials but you really dont is another.
Support of whats in the repo is not clear. -
Every one of the community packages for me worked perfectly. I purchased this as an educational tool, as PfSense was taught by a Professor in class. The packages where not covered only the access control lists. But the packages is also what makes Netgate shine. I am very thankful to the team that made them. Me yeah, I am stuck at 23.05.01 as it was the last version that worked for me. I still recommend PfSense. I started on Cisco PIX systems years ago.
Now that I am in computer science, this educational tool still has much to offer. No code is hidden, everything is accessable, any errors you can submit to Redmine for review, there is a very positive community.
Sure I am sad about Squid, but once I get more skillsets I am sure going to try to help. I have some feature requests in on Redmine that would improve Squid's easofacess.
Again, support will come and go packages will come and go. I am sure support will come back.
Netgate has what big tech doesn't, clear visibility and understanding with open source code nothing is hidden, and a community to help. It doesn't hide what it's doing, it doesn't empty a home users wallet. It's affordable for to purchase an official appliance, yes it's a pain to configure at times packages like Squid.
We have to remember every package is someone donated time, they didn't get paid for it. They just want to help. Packages are altruistic.
-
@michmoor said in How are packages supported:
why is pfblockerNG listed in redmine
All packages are. Also Netgate devs do occasionally fix things in non-Netgate-maintained packages.
https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-pfBlockerNG :
I totally get the points raised. I would just observe that the point of open source is a community effort, so is this entirely under Netgate's control/purview, or not. Would it be great if there were multiple people working on each add-on package? Sure...the "hit by a bus" scenario. Is everyone on this thread able and/or willing to contribute time and expertise? No. I'm sure it's only a small percentage of programmers.
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts! -
@SteveITS maybe that's why it's open source, very few understand, and less so can program for it. The hit by bus situation is like a time bomb as many of the 80s original programs are retiring, and lot's of companies didn't expect to have to explain closed source tools maybe this is what forced their hand. Let's face it cyber security needs are growing everyday, and the original ideas the code could also be lost without new talent. The foundation was layed, but it still needs to be built upon to keep up with nation state actors.
Security vs Support vs need for new talent vs new equipment vs trust vs regulations. It's a balancing act on a tightrope that needs guardrails at the same time.
Where is the next generation? Are many caught up in smartphones gaming technology? I want to help, but again there is a learning curve, what tools are use to debug so on, how can it be tested? The list of questions for a computer science student just grows and grows.
-
@SteveITS said in How are packages supported:
https://www.reddit.com/r/chaoticgood/comments/mjsmv9/gamer_gets_himself_hired_just_so_he_can_fix_a_bug/
ROTFL. I love that. hahaha.
Sometimes man...You have to just take matters into your own hands.
I appreciate the commitment that was had there. Pro moves -
Take me for example I hate the privacy abuse with the advertising, I do not like this panopticon feeling. I hate looking up something and for days after it's advertised on every website after. It's absolutely absurd and abusive, California makes laws and advertising companies don't care. I block it out now and it probably pisses someone in big tech off to a point they want to break tools or publicly release lists of vulnerabilities. Is California law making the rules or angry big tech? Do some users block out every single advertisement? Edge browser now does that for you, so again now Microsoft is allowing users to block out all advertising. It's like a wild West in places. I don't care about advertising, I just hate companies that flat ignore opt outs, and keep profiling users like we have no rights.
Leading to what tools and packages should even be allowed for users?
-
@SteveITS said in How are packages supported:
Is everyone on this thread able and/or willing to contribute time and expertise?
What about those of us who contribute money? I'm paying netgate to contribute their time and expertise so I don't have to. My criticism is that there seems to be a discrepancy between what they are selling to their customers and what they are delivering.
-
https://redmine.pfsense.org/issues/14998
This would simplify Squid. I want to help add some code to Squid for this, as soon as I get more experience.
-
@AlternateShadow I agree as I was under the impression Snort's maintainer was paid for his work. I would have donated my Snort subscription cost directly to him knowing this now. But I can't do that, it has no Donation button in Redmine or GitHub. He deserves it. I felt so bad when I learned he donated his time to support it unpaid. It's so professional, clean it's amazing. It was misleading for me.
-
I wish someone from Netgate could respond here and set expectations.
Im looking at the site and it says that pfsense can do Threat Prevention. But what it really means is you can install it but theres no support for it.
So if im a business im thinking to myself looking at the website. I can get hardware for a good price and i can get TAC for a good price that should cover me as i roll this out in my datacenter.
But that same business will discover that there are a ton of caveats. Threat Prevention bugs or features arent supported and you cant open a TAC case for help on that. The correct and accurate response would be to go to the forums and ask for the maintainers help...
Now the business is wondering why it paid money for a TAC sub where it shouldve instead given the money to the maintainer. Also why is the business relying on unsupported packages even though the website made it seem its part of the overall pfsense package?So whos wrong in that situation? The business or Netgate. The answer is obvious but this is the slippery slope of advertising a package you have no control over.
It needs to be clear to the consumer here. If i bought a SG-6100 in October of 2023 because i am running it in a K12 location and im using Squid...suddenly i get a notification that Squid is being removed from the repo what do i do? Up until recently, Proxy capability was listed on the website. At best this poor marketing. At worst this is shady. -
what is this entire thread on about?
from netgate.com home page's description of pfSense+:
"Ideal for home, remote worker, business, and service provider network connectivity and protection
• Equipped with many router and firewall features typically found only in expensive commercial routers
• Flexible VPN solution options
• Known for robustness and stability
• Highly extensible with 3rd party packages to support block lists, content filtering, intrusion prevention, policy-based routing and more
• Easy to install and maintain via web GUI
• Available for premises and cloud deployment"emphasis added.
-
We must remember the website is dynamic .. It actually advertised Proxy, and IPS/IDS
It has been removed this is why I thought Bill Meeks was getting paid.
There was also another website that had an image of a family a couple years ago that talked about web caching also said nothing about 3rd party.
https://www.netgate.com/pfsense-plus-applications/content-filtering
-
This post is deleted! -
So yes, it was advertised to me directly from Netgate. As a student I thought YES this is what I need we are talking about this and doing labs with Palo Alto firewalls with this right now. I used my grant to get the firewall from Netgate because of this advertisement seen here.
a year later...
Who knows, I just wish I could have given my subscription to Snort rules to Bill and kept the free rules now that I know this.
This is why I am stuck on 23.05.01, they changed the platform because of some issues. It took a lot of years for me to get it working correctly. Kind of sad.
Make sure to upvote
-
They really need a donate to maintainer button somewhere that would make it clear.
-
@JonathanLee i personally wouldn't share that story if it were me. it certainly doesn't land, in my opinion, the way you seem to think it should.
"pfSense Plus software enables web (HTTP and HTTPS) proxy functions via Squid [ . . . ], SquidGuard [ . . . ] and Lightsquid [ . . . ] packages."
emphasis added.
the home page read exactly the same as i've quoted on January 21, 2023.
the Complete List of Supported Packages of the same date indicated that only Lightsquid was "Maintained by Netgate." both Squid and SquidGuard were noted as "Netgate TAC Support can only assist with the installation of this package. Netgate Professional Services can assist with custom configurations."
