PFsense continues to mature, but loses critical parts along the way…



  • I have used PFsense for over a decade now.

    Upgraded every time and rebuilt many times on new hardware.
    I have built many of these units for businesses and continue to do so.

    However, this latest version of the platform (2.3.x) has really tripped me up.
    I'm not alone in this feeling.

    I know that at its core, the 2.3 platform is more mature than ever before, but it has lost many of its most important features.

    I know that the plugin library had to be pruned due to inactivity and the lack of continued development, but PFsense 2.3.x hasn't made arrangements for replacing the most powerful and used plugins prior to making that change.

    PFsense does exactly what a firewall should.  It's very good at it and in its field, it's extremely hard to beat.

    The main things that have hurt my ability to continue to use and recommend it are centered around the following things…
    (Many used to be plugins)

    • RRD Graphs no longer portable - emailable, etc. (Although they are pretty)

    • Per device-user tracking

    Furthermore, PFsense still has long-standing bugs and clunkiness that have never been addressed…

    • Email alerts still flood administrators on WAN failures

    • No way to fail BACK to original WAN configuration once failed links are back up

    I won't pretend to understand the challenges the development team(s) face, however it seems that no one is focusing on keeping their eye on the administrator-facing reporting, monitoring and alerting functions of the platform.

    Without this being a priority, which would be a CLOSE second to core firewall functionality, this product starts to look like it's standing still next to its competition (in some cases falling behind).

    I know the plugin community was strong at one point, and this is what kept PFsense a leader, but now that the plugin community activity has cooled off, PFsense is exposed as a lesser platform.

    The PFsense team MUST start a process of continual improvement that focuses squarely on the usability and forensic aspects of a firewall.

    Yes, focusing on the core functions of security are critical, but that's expected from ANY firewall.  Any firewall can do these things.

    The PFsense team should list the things that are the most popular and usable in the world of firewalls and UTMs.  They must ensure these things are available, work well, and do no harm.  (e.g. the email spam on WAN failure)

    You must focus on what makes the BEST platform to manage the flow of data through this device.

    Ask "What makes an EXCELLENT firewall?", and list those features without regard to whether you feel that you have the resources to make them happen.  THEN, you have the bar set right where it needs to be and you can start working on ways to get to that level.

    Where you cannot get to the "bar", find mitigations for the risk that you cannot get there.  Perhaps this is where the plugin community can help.

    Let everything else become an outcome of this process.

    You will then have a firewall that is just as secure (if not more secure) than you have today, but it will be fronted by the things that administrators truly NEED to have and even many of the things they have WANTED all in one place.

    Don't rely on the plugin community so much without picking up the most popular plugins and adopting them over time and folding them into the platform natively.

    Had this been happening, when you pruned the plugin list, we would still have all the inspection and reporting functions we had before, only this time as native PFsense features.

    This is an easily solvable problem, and you simply need to change how you are thinking about building a firewall/UTM appliance.

    PFsense can be the powerhouse of open source firewall distros and keep that position forever, each time innovating where others stagnate.

        • EOL

  • Rebel Alliance Developer Netgate

    @burnsl:

    I know that the plugin library had to be pruned due to inactivity and the lack of continued development, but PFsense 2.3.x hasn't made arrangements for replacing the most powerful and used plugins prior to making that change.

    Such as? All of the most popular and maintained packages have been converted. If a package was not brought forward it was not maintained, broken in some way, or did not belong on a firewall.

    @burnsl:

    • RRD Graphs no longer portable - emailable, etc. (Although they are pretty)

    To accommodate that would require massively increasing the size of the installed system to include the ridiculous current dependencies of rrdtool's GRAPH capability. Our hands are tied here. We could not keep using such an old/outdated version of rrdtool any longer. If you need graphs e-mailed, graph the data using SNMP in a proper NMS. The package was always a stopgap for that. We'd love to have kept the graphs in a format that could be e-mailed – we've even run tests with e-mailing the current graphs -- but it just does not work properly.

    @burnsl:

    • Per device-user tracking

    Use ntopng. We had numerous users report bandwidthd bricked their firewalls and it had not seen an upstream update in over 3 years. If someone can prove it would be stable on 2.4, we might consider bringing it back.

    @burnsl:

    • Email alerts still flood administrators on WAN failures

    We have some ideas on how to help that, but we've had more pressing issues to address in the meantime.

    @burnsl:

    • No way to fail BACK to original WAN configuration once failed links are back up

    That's one of those ideas that sounds easy on paper, but is not at all as easy as it appears. Some things can fail back (e.g. OpenVPN and IPsec with a gateway group interface). What it doesn't do is cut everyone off and disrupt connections when a WAN recovers. At best it cuts off working connections multiple times, and if a gateway is unstable that would be a usability nightmare.

    @burnsl:

    I won't pretend to understand the challenges the development team(s) face, however it seems that no one is focusing on keeping their eye on the administrator-facing reporting, monitoring and alerting functions of the platform.

    We are keeping our eyes in appropriate places, though you may not agree with what those are. You're seeing one aspect of pfSense – how you use it only, and we see how the entire world uses it.

    We have fixed hundreds of bugs and added many features, and brought several areas of the firewall out of the stone ages. Overall it's a much more secure and usable platform because of it.

    If you'd prefer to see attention on other areas, feel free to contribute in some way, submit pull requests with fixes for bugs you feel are important, or provide feedback on tickets that need it, etc.

    As time goes on some pieces that were not doing their job adequately are being replaced or modernized, and occasionally that does mean something gets lost, but we do not make those decisions lightly.
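The two complaints above that jimp answers (alert e-mails flooding administrators when a WAN fails, and fail-back being disruptive when a recovered gateway is unstable) are both symptoms of a monitor that reacts to every single probe. The model below is an added example, written for this thread and not pfSense or Netgate code, of the usual mitigation: a hold-down on repeat alerts and a hold-down before traffic is moved back. The probe sequence, the `GatewayMonitor` class and the hold-down values are all constructed for illustration.

```python
"""Gateway-monitor dampening with hold-down timers (constructed example).

Not pfSense code. It models a WAN monitor that (a) rate-limits "gateway down"
e-mails per gateway and (b) only fails back once a recovered link has stayed
up for a minimum time, then compares a flapping link with and without it.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class GatewayMonitor:
    # Minimum seconds between "gateway down" e-mails for this gateway (0 = none).
    alert_holddown: float = 0.0
    # Seconds a recovered link must stay up before traffic moves back (0 = immediate).
    failback_holddown: float = 0.0
    active: bool = True                  # is this gateway carrying traffic right now?
    up_since: Optional[float] = None     # start of the current uninterrupted "up" run
    last_alert_at: float = float("-inf")
    log: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, t: float, link_up: bool) -> List[str]:
        """Feed one probe result taken at time t; return the actions taken."""
        actions: List[str] = []
        if not link_up:
            self.up_since = None                      # any "up" run is broken
            if self.active:
                self.active = False
                actions.append("failover")            # move traffic away once
            if t - self.last_alert_at >= self.alert_holddown:
                self.last_alert_at = t
                actions.append("alert:down")          # e-mail the admin
            else:
                actions.append("alert:suppressed")    # still inside hold-down
        else:
            if self.up_since is None:
                self.up_since = t                     # start counting stable time
            if not self.active and t - self.up_since >= self.failback_holddown:
                self.active = True
                actions.append("failback")            # move traffic back (one disruption)
                actions.append("alert:recovered")
        self.log.extend((t, a) for a in actions)
        return actions


def run(probes: Iterable[Tuple[float, bool]],
        alert_holddown: float, failback_holddown: float) -> GatewayMonitor:
    mon = GatewayMonitor(alert_holddown, failback_holddown)
    for t, up in probes:
        mon.observe(t, up)
    return mon


def action_counts(mon: GatewayMonitor) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, action in mon.log:
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed probe series: one probe every 10 s for 400 s. The link drops on
# five probes in the first 100 s (a flapping WAN), then stays up.
FLAPPING_WAN = [(float(t), t not in (10, 30, 50, 70, 90)) for t in range(0, 401, 10)]

if __name__ == "__main__":
    print("naive    :", action_counts(run(FLAPPING_WAN, 0, 0)))
    print("dampened :", action_counts(run(FLAPPING_WAN, 300, 120)))
```

With no hold-down the flapping link produces five "down" e-mails and five fail-overs plus five fail-backs, each of the latter resetting established connections. With a 300 s alert hold-down and a 120 s fail-back hold-down the same series yields one e-mail (four suppressed), one fail-over and a single fail-back at t=220, once the link has been stable for two minutes. This does not remove the disruption jimp describes, it just bounds it to one event per real outage; the hold-down lengths are a tuning choice, not a fix.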



  • Per device-user tracking

    Use ntopng.

    Maybe I haven't found the right set of config options, but I've never seen ntopng as being useful for this.  Brightly-coloured ribbons swishing from side to side while hostnames hop around.  How about a nice, simple list of all active IPs in the last n hours, with a bandwidth total per IP address and a realtime number?  Wait, I just described bandwidthd…
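The report the post describes (every local IP seen in the last n hours, total bytes per IP, plus a current rate) is a small aggregation over flow records, whatever exports them. The script below is an added example written for this thread, not bandwidthd, ntopng or pfSense code. It assumes a LAN prefix to attribute traffic to, a minimal flow record of (end time, src, dst, bytes), and a constructed set of flows; a real deployment would feed it from a flow exporter or pflog on the firewall.

```python
"""Per-IP bandwidth summary over a sliding window (constructed example).

Not bandwidthd/ntopng/pfSense code. Produces the list the post asks for:
local hosts seen in the last N hours, bytes per host, and a current bit rate
computed over a short trailing window.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: the "inside" prefix whose hosts we account for.
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Flow:
    end: float     # epoch seconds at which the flow record ended
    src: str
    dst: str
    nbytes: int    # bytes carried by the flow (both directions folded in)


def local_endpoint(flow: Flow) -> Optional[str]:
    """Return the LAN host on either end of the flow, or None if there is none."""
    if ip_address(flow.src) in LAN:
        return flow.src
    if ip_address(flow.dst) in LAN:
        return flow.dst
    return None


def summarize(flows: Iterable[Flow], now: float, hours: float = 24.0,
              rate_window: float = 60.0) -> List[Tuple[str, int, float]]:
    """Rows of (host, total_bytes_in_window, current_bits_per_second), busiest first."""
    cutoff = now - hours * 3600.0
    totals: Dict[str, int] = defaultdict(int)
    recent: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.end < cutoff:
            continue                      # outside the "last N hours" window
        host = local_endpoint(f)
        if host is None:
            continue                      # transit/unknown traffic, not a LAN host
        totals[host] += f.nbytes
        if f.end >= now - rate_window:
            recent[host] += f.nbytes      # contributes to the "realtime" figure
    rows = [(h, totals[h], recent[h] * 8.0 / rate_window) for h in totals]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def render(rows: List[Tuple[str, int, float]]) -> List[str]:
    lines = [f"{'host':<16} {'bytes':>12} {'now (bit/s)':>12}"]
    for host, total, bps in rows:
        lines.append(f"{host:<16} {total:>12d} {bps:>12.0f}")
    return lines


# Constructed sample: six flow records relative to a fixed "now".
NOW = 1_700_000_000.0
SAMPLE_FLOWS = [
    Flow(NOW - 30,     "192.168.1.10", "203.0.113.5",   6_000_000),   # recent upload
    Flow(NOW - 3000,   "203.0.113.9",  "192.168.1.10",  4_000_000),   # inbound, 50 min ago
    Flow(NOW - 20,     "192.168.1.20", "198.51.100.7",  1_500_000),   # recent
    Flow(NOW - 90_000, "192.168.1.20", "198.51.100.7", 99_000_000),   # 25 h ago: outside 24 h
    Flow(NOW - 100,    "10.0.0.5",     "203.0.113.5",          500),  # not a LAN host
    Flow(NOW - 5000,   "192.168.1.30", "203.0.113.5",        1_000),  # small, idle now
]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_FLOWS, NOW, hours=24))))
```

Attribution is by LAN endpoint, so a flow between two LAN hosts is counted against the source only; the "now" column is the trailing 60 s folded into bits per second, which is the "realtime number" the post misses. Widening `hours` pulls the day-old flow back into the totals, which is the only difference between a 24 h and a 48 h report on this sample.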



  • Jimp,

    Thanks for taking the time to reply to each point.

    Let me say however, that while I agree that you are spot-on with your account of what was done and why, that doesn't address the concerns I bring up.

    Perhaps I am being too wordy or just plain vague, something I do from time to time.

    PFSense has and continues to be a good firewall, however it is losing its standing as the leading Open Source solution in its category.
    This is mainly because the category itself is changing.

    Firewalls are now a thing that is largely considered a basic service.
    Managing access at the edge of the Internet is a simple and expected function today.

    PFSense can not continue to simply be a "great firewall" and stay in focus to the user base.

    The UTM or NGFW (Next Gen Firewall) is nearly the defacto standard for managing traffic.
    Firewall functions like the ones PFsense provides are just a component part of these new platforms.

    The good news is that you are eminently qualified to keep up with this trend and stay in the forefront of the Open Source firewall category.

    In my opinion, the PFSense team needs to seriously consider the role that your device plays in the daily life of a network administrator.

    Ease of use, combined with monitoring and at-a-glance visual reporting and accurate alerting.
    To be more specific…

    • Application Awareness,

    • Stateful Inspection,

    • Integrated Intrusion Protection System (IPS),

    • Identity Awareness (User and Group Control),

    • Bridged and Routed Modes,

    • The ability to utilize external intelligence sources

    Nearly ALL of these things were available in the previous generation with the correct plugins applied.

    Let me end by saying that overall, the PFSense team has done a remarkable job of keeping the base code healthy and secure.
    However, the REAL value came from the features that were achievable using plugins.

    Feel free to go back and read the reviews 1+ years ago and beyond.
    You will see that the authors highlighted the plugin community as the series of "killer apps" that set PFsense above the rest of the pack.

    My advice is to realize that the firewall aspects of protection are now expected and no longer a significant accomplishment.
    Focus on the customer facing role of the platform and what it can do to EASE the daily life of the administrators and those that are protected by the platform.

    Design backwards from there and you will once again prove PFSense is THE standard in Open Source firewall (and moving forward NGFW) solutions.

    You have ALL the parts you need, and many experienced developers and community members to leverage for this effort.
    That includes myself - someone who designs platforms and customer facing infrastructure software solutions daily.

    Once you do this, your team can offer more than simple Gold Support options.
    The number of managed services that you could provide (like cloud / managed threat protection) are nearly limitless.

    All this without having to invent much in the way of "new" technology - remember PFSense has had most of this before at various times.

