So, I’m confused.



  • Ok, so I know this is a pfsense forum and any response will be weighted this way. And I’m not trying to start any flame wars.
    I’m new to both pfsense and other *senses available. I’ve not tried out any of them yet, but have been reading around trying to find “the best” (I’m sure they’d all do the job) it’s just which community do I go with.

    Initially I was planning on picking up one of the bigger pfsense boxes. And I’m still leaning that direction.
    One of the big drawing cards for going that route is the open source aspect. Yet I started reading claims by other senses on places like reddit that pf isn’t true open source etc and is leaning towards corporate dominance and vendor lock-in. And I highly doubt it but now I can’t shake the bad feelings about corporate overlords pushing an agenda.
    I then find myself asking if I want to buy into the hardware.
    Basically the whole debate and infighting between the two groups kinda scares me away from trying either.

    I really don’t know what to do. Is pfSense and others just using the open source name to sell products?

    Not sure if I should say the company name here but I currently use little black boxes with a U on them. And I honestly can’t complain too much. There’s a few things I can’t seem to do with them specifically use them as a client in a VPN with dynamic ip, which is behind a carrier grade NAT. So I’ve been trying to look for alternatives. Pf seems to be the one with the most features and flexibility.

    What are your guys thoughts should I look into pf more or look for alternative. I don’t want to waste my time. If I get no response to this post, I’ll know the community isn’t active or willing to help a newcomer. Or if I get flamed or removed for asking well, I’ll know to look elsewhere. If so, any suggestions on which community to join and who to hand money to?

    My whole network and its planned expansions include multiple buildings across our ranch and its various outbuildings. With ties to another ranch of ours up the road. Traffic on the network includes video streaming, cameras, and VoIP. The planned system will include several 3kw wind generators solar and even backup generators. We get heavy snow and ice storms with power outages and downed lines.

    Anyways that’s where I’m coming from and where my network is going.

    Thoughts?



  • So full disclosure: I do not work for nor have I ever been employed by pfsense, Netgate or any subsidiary thereof.

    I'm a user and try to contribute where I can.

    pfsense is open source no matter what you hear or read. It is protected from some other projects who would attempt and who have stolen the code without giving credit where credit is due.

    The pfsense name is protected by law from others that would try and use it for their own profit. These facts seem to have upset some and they have turned to a smear campaign.

    https://www.pfsense.org/getting-started/

    https://docs.netgate.com/pfsense/en/latest/general/comparison-to-commercial-alternatives.html

    https://docs.netgate.com/pfsense/en/latest/general/can-i-sell-pfsense.html

    Good luck and welcome!



  • Everything you read is pretty much FUD from competitors, some of whom are leeches who profit from Netgate's work and give nothing back. You have one group that installs pfSense on their own hardware and then sells them as pfSense boxes, which is against the license. Their poor hardware and crappy support reflects badly on Netgate since people may not realize they're not using genuine Netgate hardware. Then you have others who forked pfSense years ago, which would be impossible if it weren't open source. What some have said is that it's not easy to configure the exact build environment you need to fully compile pfSense from source, that's not Netgate's obligation nor is it a requirement of the license.

    As for community, all you have to do is look at the activity here and the replies. Questions get answered fairly quickly by joe shmoe users like me who help out because they believe in the project. There is also paid support, and bundled support if you buy a Netgate device.



  • @KOM Thanks for the response. That’s kinda the impression I was getting. It seems like netgate is the ones doing the major if not all the heavy lifting in programming because they can afford to and have the resources in talent to do so.
    I currently run FreeBSD on my server, and it’s performed above and beyond any of the other Linux distros I’ve tried, not trying to knock any distro it’s just to me FreeBSD seems to just work and make much more logical sense in file layout not to mention ZFS which I love.

    What’s this I hear about the competition using “hardened” BSD vs what pf uses?

    Also, what’s the whole FUD going around about pf having a messy tangled codebase that’s not clean.

    Something doesn’t track when I read those claims, any thoughts on those points?



  • @clem16 said in So, I’m confused.:

    What’s this I hear about the competition using “hardened” BSD vs what pf uses?

    No idea. They might be basing it on OpenBSD perhaps?

    Also, what’s the whole FUD going around about pf having a messy tangled codebase that’s not clean.

    No idea, I'm a user and not a developer. Besides, if this were the case, it would affect ALL pf/*BSD projects so nobody would have any specific advantage there. What is your focus? Are you looking to compile from source or start developing patches or packages?



  • @chpalmer Thank you for your reply and links. They’ve cleared up a few questions I had, but had not specifically asked.
    Another question, if I install pf or buy one of the official boxes, which I’ll probably do.
    Will I be bombarded by “upgrade to paid support” or nag screens of any kind?
    The website and links state no artificial limitations, but are there adverts that users are hit with constantly that they must ignore or purchase to make go away. I’m a bit of “perfectionist” and that would drive me batshit crazy.


  • Rebel Alliance Netgate Administrator

    No.

    We value your privacy as much as you do.



  • If you buy, you get support by default. If you build your own and install the community edition, it has all the same functionality for the most part without any limits. IIRC there is at least one custom package that's only available to those who buy, an AWS wizard or something, I don't really care about it.

    And as Chris said, they don't harass you to give them money. No nags or anything like that. There is some sort of disclaimer dialog that appears after you first connect to WebGUI after initial installation but that's it. They hope that the product speaks for itself, and that you will like it enough to purchase hardware down the line.



  • @KOM I’m actually looking at simply purchasing one of the boxes and running it at the head of my home ranch network.
    I’m looking for a workhorse. But as time permits tinkering, but not be required to tinker just to get basic functionality.

    I’ve been burned before by a Linux distro I’ll not specifically name that after installation I spent more time on their forum looking up and parsing out how to do simple operations like say mounting a disk or other such simple nonsense that’s automatically done or simple in the BSDs but in the name of flexibility and configurability left to the user.

    Thing is, yeah. I love to tinker, but tinker when time’s available, not be required to to get something critical like a router and firewall functional and keep it functional.

    Right now I run FreeBSD and I build all my packages using poudrière from source on a separate dedicated machine.

    Does pfsense still keep a separation of base system functionality?
    Is pfsense considered a package on top of the base or integrated into it?
    If it’s on top would I be able to build it as part of my poudrière build routines. Or is it part of the base?



  • Does pfsense still keep a separation of base system functionality?

    I believe so.

    Is pfsense considered a package on top of the base or integrated into it?

    Not originally but I believe that is what they have moved to.

    If it’s on top would I be able to build it as part of my poudrière build routines. Or is it part of the base?

    No idea, that would be a better question for the Development forum.



  • @KOM thanks everyone for the replies. I’ll do more reading and researching. I think I’ll pull in a copy of pf and poke with it before I grab an official box for the network, but I probably will end up using it.
    I’ll be around maybe asking more questions to get a good handle on things. I do appreciate all the replies and hopefully as I become more familiar I’ll someday be able to help out around here.


  • Rebel Alliance Netgate Administrator

    @KOM said in So, I’m confused.:

    If you buy, you get support by default.

    To clarify:

    You get HARDWARE support. We stand behind the devices we make.

    You can elect to purchase technical Support from our Global Support Team.


  • Netgate Administrator

    It's much more a collection of packages than it used to be but it isn't a package (or set of) that can be installed onto FreeBSD.
    We have a modified base: https://github.com/pfsense/FreeBSD-src

    Steve



  • @stephenw10 thanks for the reply! I wasn’t planning on putting it on a vanilla version of FreeBSD. I was thinking more on the “how is it put together, and designed” side of things with an eye towards how to keep updated.


  • LAYER 8 Global Moderator

    @clem16 said in So, I’m confused.:

    eye towards how to keep updated.

    You read the release notes, follow any special update instructions that are given.. But pretty much you click the little icon that shows up on your gui when there is a new version available..

    Or you never update - and be like some users and come here asking how to do xyz when they are running version 2.0.1 from 2011 time frame ;)

    Also make sure you check the package manager every now and then for any package updates - which again require a click of an icon..



  • Package updates should really have their own dashboard alert.


  • LAYER 8 Global Moderator

    Agreed.. Should be a widget you can put on the main page or something - has anyone bothered to put in a feature request?

    But I am normally on pfsense gui prob almost every day... Not for stuff I am doing but taking screenshot or looking up something specific for a user here, etc. ;) Every few days I will stop by the package manager page... Or if catch a forum post about an update - ie caught that acme was updated here, so went in and updated it..


  • Netgate Administrator

    Like the package widget you mean? 😉

    [Image: Selection_624.png]

    Steve


  • Rebel Alliance Netgate Administrator

    You should update that. ;)


  • LAYER 8 Global Moderator

    Exactly!!! Stephenw10 - Exactly, forgot about that widget... But when you have a lot of installed packages it takes up a lot of screen space... Be easier if took up smaller space and alerted to check the package manager for update(s)

    When it takes up a lot of screen space - just easier to check the page itself ;)


  • Netgate Administrator

    I agree an alert for 'package updates are available' would be nice.



  • Yes, that monster Packages widget is way too big. A single line under the pfSense upgrade line would be sufficient: "Package updates are available" as a link to the Installed Packages page.



  • @luckman212 posted an awesome solution to this. It's not an official solution, but I love it.
    https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts
    I like that I get an email when an update to a package is available. I also get notified about updates to packages which are not in the package manager. This helps with patching any potential vulnerabilities in between releases.


  • LAYER 8 Global Moderator

    Yeah that should prob be rolled right into base of pfsense if you ask me ;) Haven't tried it out yet -- but just reading the thread seems like a no brainer winner to me.... Not sure how I missed that thread?



  • @clem16 To give you another user testimonial... pfSense has transformed our network in the office. To help keep costs down, I originally had pfSense installed on an old first gen i5 based PC. This was almost 2 years ago. That setup has worked flawlessly for our small office setup and has gone above and beyond any expectations I had. I recently upgraded to a new PC due to future proofing for the AES-NI requirement coming. Restoring all settings and configs on the new PC was as simple as it gets.
    In general, the webGUI is so intuitive and pfSense just works right out of the box. No need for tinkering, but there is tons of room for tinkering at your own pace. For the most part, I have been able to learn and tinker as needed all while keeping the office running and not taking the whole network down. I feel like I'm learning something new almost every time I work with pfSense or look through the forums.
    The official documentation is an incredibly good resource. https://docs.netgate.com/pfsense/en/latest/book/index.html
    This community is very active and helpful. Users are always helpful and contribute. Posts here and the email notification contribution mentioned above are perfect examples of that.

    P.S. If I had the budget I would have definitely gone with official Netgate hardware. Mainly just to help support the cause.



  • @Raffi_ Yeah, it seems to be great just from the bit of poking I’ve done. I’ve known about the project now for years, I’ve just never up and tried it. Even if I’m doing it for just myself and family farms I’d rather do it “right” do it once and be done till hardware needs to be changed.
    Running on an old PC just seems like a bit of a hack. I did this way back in the day when all the farm could use was dialup running on an old smoothwall server I was able to dial and disconnect remotely. But those days are long gone and we’ve moved to satellite which is expensive but great. It just seems messy to have an old computer sitting there siphoning power and buzzing fans... been there felt that pain... so yeah, probably looking at official hardware partially to make sure everything not user computer related is contained in a rack. Neatly and tidily... so the OCD itch doesn’t happen to begin with.

    As it stands right now my satellite modem is suspended from the ceiling via a nail driven into a rafter... the itch is excruciating... but I don’t want to spend money on tidying up unless I do it right... and it’s working... so to make any changes I need to take apart.
    I’d rather do one large change, network the house and property for 10gig way overkill for home network but hey. Why not...

    But yeah. I think it’s time to look into pf a little deeper as it’ll probably open up a ton of possibilities over my current setup. We will see, I’m not in any HUGE rush I’ll just spend some time working and dump a few paychecks on it. 6-7k should spice things up. At least that’s kinda where I plan to start the budgeting.



  • @clem16 PS... in case anyone was wondering and looking at that as odd... I’m in a unique situation that offers me quite a few possibilities to play with stuff like this. The farm owns quite a bit of heavy machinery I can use to build building to building to tower networks for wifi and even fiber to POE connected cameras just to play with for fun. So I can easily knock down trees with D7 CAT pull them around with a skidder, run in lines with a ditch witch behind the cat, things that would normally cost thousands to hire a company to do I can do myself for the price of fuel and time + materials.
    So yeah, still in planning and researching stages. So all the input I can get is helpful. Plans always change, and the final project is never exactly as on paper. But I might as well have fun building on paper first the “perfect” network before I drop cash on actually doing it.



  • The only updating issues I've had stem from 1 of 3 packages: pfBlocker, Squid, and Snort/Suricata. If I remove them, upgrade, and then reinstall them I have no problems. If I don't, somehow inevitably some db is missing or it won't complete the update without manual interaction because it gets stuck, or there is a php issue, or... I just know if I pull those out it's smooth every time. When you install them back in they pick right up where you left off so there is no re-configuring.

    And I can tell you this. Everyone and their dog always blames the network for everything. Hosted VoIP sounds bad? Blame the network. FTP not working? Blame the network. SMB not connecting to a scanner? Blame the network. Burned your breakfast eggs? Most certainly the network! I deal with it what feels like every day (more like several times a month) but I can tell you this: For all the blame it gets, not once has it ever been our pfSense firewalls (unless Suricata is blocking them).


  • LAYER 8 Global Moderator

    @Stewart said in So, I’m confused.:

    And I can tell you this. Everyone and their dog always blames the network for everything.

    Sing it Brother ;)



  • @johnpoz I can sing it in R&B, Pop, Hip-Hop, and Country. Still working on Rap but it doesn't sound quite right... Maybe we should form a pfBand...

