Questions about the future of pfsense 2.7 CE
-
@michmoor Also not realizing that they must update that package to see any new patches.
Perhaps some sort of check on the patches page for newer? (y/n) and a link to the package manager page. Thinking out loud…
-
With much interest I follow this topic. I also am a ten-year pfsense CE user. I love the pfSense platform and I don't want to switch to OPNSense or something similar. I am content with the features CE offers and I don't need anything more.
On the other hand, I want my network to be safe. I would also like to know what the future will be for CE. I don't really care about extra features, but I do care about security updates.
I wouldn't mind paying a fee for security updates, but it would be nice to know what will happen to CE, so I can make an educated decision.
Thanks!
-
@gwabber looks like this was answered: you can install the System_Patches package using the package manager. Once installed you will find a new menu option under the system menu called patches. I believe this will help all of us moving forward.
-
@Nitrobeast That's true! But I meant for the longer term, if Netgate will keep supporting CE.
-
@michmoor said in Questions about the future of pfsense 2.7 CE:
ir question but I think it's safe to say that CE is what I would describe as being in "maintenance mode". Short of system patches, I would not put much thought on when 2.8 will be released. They are working
The only feature I would like is vxlan but this is not a priority. Which I do not believe is not going to make it in pfsense.
-
@Nitrobeast said in Questions about the future of pfsense 2.7 CE:
It seems that in the last 2 years the CE edition is no longer maintained. At this point I am looking for an explanation and guidance for the future ...
The public access to daily build has been blocked since late 2023
pfsense Community v2.8 has become a vaporware product which currently contains the majority of the pfsense redmine changes for the over 16 months through to July 2025. If you are happy forever with v2.7.2 then there is no problem. If you want a firewall system with maintained features then looking at alternatives for the future is probably sensible.
-
@Patch said in Questions about the future of pfsense 2.7 CE:
v2.8 has become a product which currently contains the majority of the pfsense redmine changes for the over 16 months through to July 2025
Is there a lot missing from this list of patches currently available in 2.7.2?
Workaround for SSH CVE-2024-6387 (After applying, restart the SSH Daemon or reboot., FreeBSD-SA-24:04.openssh)
Fix Packet Capture not working on Tailscale interfaces (Redmine #15145)
Fix potential local file include via DNS Resolver Python Module Script include mechanism (pfSense-SA-24_01.webgui, Redmine #15135)
Fix potential stored XSS via services_acb_settings.php "frequency" parameter (pfSense-SA-24_02.webgui, Redmine #15224)
Fix potential XSS due to PHP error display formatting issues (After applying, reboot or use console/ssh menu options 11/16 to restart PHP and the GUI, pfSense-SA-24_03.webgui, Redmine #15263, Redmine #15264)
Fix Potential XSS from jquery-treegrid unit testing files (Once applied, this patch may not offer a revert option, pfSense-SA-24_04.webgui, Redmine #15265)
Add State Policy Global Option and per-rule option. (Default remains floating in this patch, must opt into if-bound behavior, Trigger a filter reload after applying to activate, Interface-bound states have issues in PF with reply-to which can only be solved by upgrading to newer version, Redmine #15173, Redmine #15183)
Automatically use floating states for IPsec rules (After applying, reload the filter or reboot., Redmine #15430)
Automatically use floating states on IPsec VTI (After applying, reload the filter or reboot., Redmine #15606)
Fix overly lenient permissions on tmpfs RAM disk for /var (After applying the patch, reboot the device, Redmine #15054)
Fix users with Deny Config Write privilege being able to trigger some VLAN interface operations (Redmine #15282)
Fix users with Deny Config Write privilege being able to trigger some QinQ interface operations (Redmine #15318)
Fix OpenVPN forming invalid route statements for empty local networks (After applying, edit/save affected entries or reboot, Redmine #14919)
Fix DNS Resolver host overrides ignoring all aliases if first entry had a domain set but no hostname (Redmine #14942)
Fix Kea handling of FQDN entries for NTP servers, add input validation to prevent them from being added (Redmine #14991)
Fix Kea DHCP PHP error from WINS server value (Redmine #14996)
Fix removing an IPsec Phase 1 entry either removing the wrong Phase 2 entries or leaving orphaned Phase 2 entries in the configuration (Redmine #15171)
Fix reordering IPsec Phase 2 entries resulting in a malformed configuration (If this patch offers both Apply and Revert actions, do not Revert, Redmine #15384)
Fix a PHP error when generating a notification after detecting a malformed configuration (Redmine #15157)
Fix /etc/rc.local script content being executed at login instead of during boot sequence (Redmine #10980)
Fix status_interfaces.php missing several values for SFP modules (Redmine #15112)
Fix inability to configure dual stack IPsec tunnels to accept connections from any remote address of either address family (Redmine #15147)
Workaround for Terrapin SSH Attack (After applying the patch, reboot or restart the SSH daemon, FreeBSD-SA-23:19.openssh, Terrapin Attack)
-
Oh, c'mon guys, the future is near
Remember the time gap between pfSense CE 2.6.0 and 2.7.0 ?
It was more than 14 months [2022-02-14 -> 2023-06-29]
In that time gap, there were 4 releases of pfSense + [22.05 -> 22.05.1 -> 23.01 -> 23.05]
Since pfSense CE 2.7.2 [2023-12-07] there were only 2 releases of pfSense + [24.03 -> 24.11]
Next 2 pfSense + releases are 25.03 -> 25.07 so pfSense CE 2.8.0 will be released in 2025-07-XX
https://docs.netgate.com/pfsense/en/latest/releases/versions.html
-
@emikaadeo according to the releases page even 2.7.1 is still supported.
I just hope CE continues as a secure open source option.
-
Oh boy. Here we go again.
Literally every year we have youtubers predicting the future of CE version by saying 2.x is the last version. And then comes the army of forum users starting threads like these and complain. And then Netgate releases next CE version, and they make everyone look silly. Then next year comes, and new "2.8 CE is last version" craze starts. It just never ends...
-
@emikaadeo said in Questions about the future of pfsense 2.7 CE:
Next 2 pfSense + releases are 25.03 -> 25.07 so pfSense CE 2.8.0 will be released in 2025-07-XX
25.07 is just the latest plus version on redmine.
The problem with pfsense CE is the development model chosen for pfsense plus. In businesses which have a sustainable free open source version and a concurrent paid version, they use the free home/lab users as beta testers for their commercial customers. It's a win win arrangement.
In contrast Netgate have chosen to block public access to the "common code" between CE & plus. This removes all ongoing benefit Netgate receive from CE, and leaves only the brand harm they would receive from abrupt and official termination of their open source product. The CE version becomes a direct competitor to their paid plus version with virtually no benefit to the plus version.
Their demonstrated behaviour as such is commercially sound provided commercial customers are willing to be beta testers and the business customers don’t mind bugs on product releases. It is because of this I recommend CE users are aware of alternatives and have a plan which does not rely on meaningful future CE development.
-
@Patch said in Questions about the future of pfsense 2.7 CE:
@emikaadeo said in Questions about the future of pfsense 2.7 CE:
Next 2 pfSense + releases are 25.03 -> 25.07 so pfSense CE 2.8.0 will be released in 2025-07-XX
25.07 is just the latest plus version on redmine.
The problem with pfsense CE is the development model chosen for pfsense plus. In businesses which have a sustainable free open source version and a concurrent paid version, they use the free home/lab users as beta testers for their commercial customers. It's a win win arrangement.
In contrast Netgate have chosen to block public access to the "common code" between CE & plus. This removes all ongoing benefit Netgate receive from CE, and leaves only the brand harm they would receive from abrupt and official termination of their open source product. The CE version becomes a direct competitor to their paid plus version with virtually no benefit to the plus version.
Their demonstrated behaviour as such is commercially sound provided commercial customers are willing to be beta testers and the business customers don’t mind bugs on product releases. It is because of this I recommend CE users are aware of alternatives and have a plan which does not rely on meaningful future CE development.
Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version ? Are there any bugs or critical vulnerabilities that make CE version unusable ? Please let me know.
-
@nimrod said in Questions about the future of pfsense 2.7 CE:
Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version ? Are there any bugs or critical vulnerabilities that make CE version unusable ? Please let me know.
Please read the thread from the top.
Boils down to the use of the patch package. CE is as secure as Plus is.
-
@netblues personally I did not even know about it. Now that I am aware of it the package is being installed on all my CE firewalls.
-
@netblues said in Questions about the future of pfsense 2.7 CE:
Boils down to the use of the patch package.
Precisely, install that and then select to "Apply All" and you get all those patches I pasted into the post earlier.
-
@nimrod said in Questions about the future of pfsense 2.7 CE:
Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version ?
Development of CE directly opposes Netgate's commercial interest. Other than overt security flaws as they do not want their name on a product known overt security (hence the patch updates).
But the 105 issues from v24.03, 122 from v24.11, and currently 70+ from 25.03 are barred from CE (even snapshot) access for a reason.
There are currently also 4 issues from 24.11, 3 issues from 25.03 and 19 issues 25.11 which MAY be released in some CE version after 2.8
Netgate are doing this because they really do not want anyone to use CE. It is in their commercial interest to ensure it quietly dies. Which is why I said, if you are happy with 2.7.2 (and critical security fixes) forever then you have no issue. However if you want a firewall with ongoing development (actually accessible to use) then it is wise to consider other options.
-
@Patch Other options being for you 5 figures solutions 4 sure.
You are most probably confusing enhancements with security issues.
CE version will continue to exist at least for this reason: As a free entry level security product that anyone can tinker with.
Microsoft did the same by allowing "free" use of its products at homes.
The rest is history.
Asking for $129 for the bells and whistles version isn't exactly making money
On the other hand we have all seen the chinese boxes that were sold with the free evaluation version of plus preinstalled.
So, no it won't go away, anytime soon, and for the few that stumble upon unbearable issues the fix is simple
Just $129.
As for lab use, which is still a corner situation, perhaps a limited time evaluation version could also work.
-
@Patch said in Questions about the future of pfsense 2.7 CE:
@nimrod said in Questions about the future of pfsense 2.7 CE:
Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version ?
Development of CE directly opposes Netgate's commercial interest. Other than overt security flaws as they do not want their name on a product known overt security (hence the patch updates).
But the 105 issues from v24.03, 122 from v24.11, and currently 70+ from 25.03 are barred from CE (even snapshot) access for a reason.
There are currently also 4 issues from 24.11, 3 issues from 25.03 and 19 issues 25.11 which MAY be released in some CE version after 2.8
Netgate are doing this because they really do not want anyone to use CE. It is in their commercial interest to ensure it quietly dies. Which is why I said, if you are happy with 2.7.2 (and critical security fixes) forever then you have no issue. However if you want a firewall with ongoing development (actually accessible to use) then it is wise to consider other options.
What are you doing on these forums then ?
-
Asking for $129 for the bells and whistles version isn't exactly making money
$129/year is more gross income over time than selling a $700 router once (which has a cost). Or if projecting, a new router every 7-10 years.
One could perhaps argue white box installs generate more support tickets. Netgate would know that. $xx/year without any support whatsoever could solve that I suppose. However, that risks “I paid and it doesn’t work” complaints.