Pfsense CE 2.7.0 Release (?)

michaellacroix

Anyone know when CE 2.7. will be out of beta and the official release? I'm curios when or if netgate will let you upgrade from ce 2.7.0 to 23.01. Thanks

nimrod

@michaellacroix

It would be out when its ready. There is no definitive date. Progress tracker is here.

fireodo

@michaellacroix said in Pfsense CE 2.7.0 Release:

Anyone know when CE 2.7. will be out of beta and the official release? I'm curios when or if netgate will let you upgrade from ce 2.7.0 to 23.01. Thanks

2.7.0 Roadmap

cellobita

I don't expect to see it anytime soon. The number of outstanding issues has been growing; previously it went down over the weeks prior to an actual release. It is now quite clear to me that Netgate is gently pulling the plug on CE and focusing on Plus.

michaellacroix

@cellobita Thanks

My hope is to be able to do a clean install of 23.01 soon without having to use CE 2.6.
I have frontier fiber so if I did that now I would need to use a netgraph script and it becomes a whole thing.

Cool_Corona

@cellobita Thats why we are moving away to OPNsense... many more releases and much better support.

cellobita

@cool_corona I've been considering the same path. I really like pfSense - have been using it over the last twelve years or so - but I think that OPNsense is now a credible (perhaps even preferable) alternative. Most of my clients here in Brazil have slashed their IT budgets post-pandemic, and moving to Plus and a paid annual license is a non-starter.

SteveITS

@michaellacroix said in Pfsense CE 2.7.0 Release:

when or if netgate will let you upgrade from ce 2.7.0 to 23.01

@rcoleman-netgate said in Upgraded from 2.6.0 CE to Plus. Now I'm stuck.:

As of this afternoon [yesterday] you can go from 2.6RELEASE to 23.01 directly.

slu

@cellobita said in Pfsense CE 2.7.0 Release:

Most of my clients here in Brazil have slashed their IT budgets post-pandemic, and moving to Plus and a paid annual license is a non-starter.

Do not understand this really, buy the hardware from Netgate and you don't have any costs.
And OPNsense business has also costs, so be fair here.

Cool_Corona

@slu But the release, support and patch windows are much shorter and the users are much better supported on the forum.

slu

@cool_corona
it's up to you to moving...

Yes the patch time is in my eyes sometimes to long, I agree in this point.

stephenw10

@michaellacroix said in Pfsense CE 2.7.0 Release:

I'm curios when or if netgate will let you upgrade from ce 2.7.0 to 23.01.

It is now possible to upgrade from 2.7 to 23.01 but if you're planning to do that you should use a version that is running the same php version as 23.01(8.1). So before 2.7 went to php82 which means the Feb 15th snap or earlier.

If you're running a later snap with php82 and you upgrade to 23.01 you will (currently) need to do a forced pkg reinstall afterwards to get the required php81 modules.

Hopefully an update to pfSense-upgrade will remove that problem shortly.

Steve

cellobita

@slu I'm not complaining or being unfair, merely stating what I believe to be a fact: with the introduction of Plus, the release pace of CE has been severely impacted - BTW, Netgate's hardware is definitely not cheap in Brazil. So, when a credible, free alternative exists, under active development, capable of running on hardware that my client already has, and able to do what he expects of a routing/firewall platform (esp. multiple WAN links and WireGuard support), I'd be remiss if I did not point that out to him.

michaellacroix

@stephenw10
Thanks Steve, good to know.

michaellacroix

@stephenw10

Hey Steve, I wonder how the pfsense developers are going to reconcile that? My guess is there will be a coordinated effort to get both CE and plus on the same php version on a public release?

stephenw10

Yes, the Plus dev branch is also on php82 it's just not public at the moment.

michmoor

@cellobita is OPNsense (Desico) hardware any cheaper? If it’s the same or more then I’m not understanding why cost is an issue.
Secondly if cost is an issue then why can’t a white box server be purchased and Pfsense + installed?
The conversation around costs seems to be largely nonsensical. IT budgets are slashed….I get that…but is the cost of a Dell 610 let’s say that much more expensive than a Desico(Opnsense)?

Lastly the conversation about updates is largely nonsensical as well. As I always ask and never get a good answer “What specific vulnerability that is present in pfsense that the development team has been made aware and are not addressing?”. Please post the CVEs as well.

cellobita

@michmoor Thank you for your input - I understand the points you are making.

All my remaining deployments of pfSense are currently running on standard white boxes - their hardware specs more than enough; I wouldn't be buying dedicated hardware from OPNsense, but simply migrating to their open source, community edition software, which has no upfront cost.

I believe that over time the delta between CE and Plus is bound to get bigger; I'm not trying to convince anyone here - and have a profound respect for pfSense, having used it on dozens of clients since 2010 (my earliest deployment was on version 1.2.3) -, just present my two cents.

nimrod

@michmoor said in Pfsense CE 2.7.0 Release:

Please post the CVEs as well.

There is no such thing. People became too spoiled. Their logic is "if its not getting updated, its abandoned".
I also like conspiracy theories where people think that rising number of outstanding issues is actually Netgate`s trick to force people to switch to + version. I laughed.

No one is forcing anyone to use pfSense. If you are not happy with it, just make a transition and switch to something else. Saying that you are going to switch to alternative solution is not going to make 2.7 come out faster. No one cares.

You should be happy that release has been pushed back. It means that someone somewhere is working hard on fixing bugs. For you. For free.

Be more grateful.

michmoor

@cellobita no one knows how big a delta will be between CE and Plus. The death of CE comes up every few months when there is an OS update so I’m not surprised.
Pfsense+ is free. Just like CE. So why aren’t you upgrading to Plus? I really have no idea what the fuss is about.

Netgate has a small but dedicated development team. I’m sure there is a laundry list of things that are planned or in the works. It’s all about prioritization.

I’m still waiting on what specific update you think needs applied to pfsense. CVEs…The update argument is ridiculous to be frank.

michmoor

@cellobita said in Pfsense CE 2.7.0 Release:

@slu I'm not complaining or being unfair, merely stating what I believe to be a fact: with the introduction of Plus, the release pace of CE has been severely impacted - BTW, Netgate's hardware is definitely not cheap in Brazil. So, when a credible, free alternative exists, under active development, capable of running on hardware that my client already has, and able to do what he expects of a routing/firewall platform (esp. multiple WAN links and WireGuard support), I'd be remiss if I did not point that out to him.

You are just contradicting yourself. You admitted you use whitebox hardware. Why bring up the cost of Netgate? You’re saying pfsense project is not in active development but you see the 2.7 roadmap. What are you complaining about here??

cellobita

@michmoor I was under the impression that they are going to start charging for it - "The cost will increase to $129/yr for commercial use in the future." - but English is not my native language, so perhaps I misunderstood the meaning of this.

Anyway, I am not - repeat, NOT - making the case for widespread adoption of OPNsense or migration from pfSense, just considering the specific situation for my clients.

I am grateful to have a choice, even if it means staying on CE, all things considered.

cellobita

@michmoor As I said, English is not my native language - I don't consider my previous posts to constitute a complaint, just an opinion. In Portuguese they aren't necessarily the same thing.

SteveITS

@michmoor Plus is only free for home/lab use.

For small business use it would break even pretty quickly to buy Netgate hardware instead of a license.

Re: delta, there wasn’t much that garnered my attention until boot environments. Which exist in 2.6 just don’t have a GUI. So it isn’t that large yet.

cellobita

@steveits Thank you. I now have enough varied opinions to better assess my choices, so I'm dropping monitoring of this thread. Best wishes to all here.

Dobby_

@michaellacroix said in Pfsense CE 2.7.0 Release:

Anyone know when CE 2.7. will be out of beta and the official release? I'm curios when or if netgate will let you upgrade from ce 2.7.0 to 23.01. Thanks

pfSense roadmap and you will be informed in time.

Perhaps I will be wrong with that thinking, but.....

pfSense+ coasts for business

pfSense+ 129/€ per year (Whitebox)
SIM card fee for LTE failback ?
Snort rules 399 $ per year
Blacklists from iblocklist.com 10 $ per year
Securiteinfo ClamAV signatures 99$ per year

On top addons

Blacklists from wellfedintelligence?
Spamhaus antispam lists fee?
GeoIP blocking fee?
Radius Server fee?
Tailscale fee?

Spending

for pfBlocker-NG
for Squid, lightsquid & SquidGuard

All in all, more or less 640 $/€ per year, if you compare this to other UTM devices licenses you may end up higher or lower pending on the entire dimension of the hardware.

SuperServer E300-9D-8CN8TP ~2200 €
(barebone price and for HA it will double)
Supermicro SuperServer E300-9A-16CN8TP ~1600 € (barebone price and for HA it will double)

Using that hardware range ain`t you license fees around 1500 € - 3000 € each year for a commercial UTM!
(The price will double for HA)

Endian, Untangle, ClearOS, RouterOS and VyOS have all their own business model, no one complains about it!
You take it or you leave it.

This post is deleted!

Cool_Corona

@phil_d I am still on 2.5.2 for that reason.

VLAN's doesnt play well with 2.6.0 and no update in sight.

stephenw10

What issue are you seeing with VLANs in 2.6?

Is it still there in a 2.7 snapshot?

michmoor

@phil_d do you think network drivers developed by Netgate devs should be given out for free? If so why?
Also do you think a business that provides security products do so without making a profit?
I’m genuinely curious why people like you get upset over a business making money from the work they do and then said business has the audacity to make a product for free.
So weird people complain about a free product and then get upset enough to complain , for free, on vendors website and then mention they are moving to a competitor who is also free and relies on the development work done by the company they are leaving.

This post is deleted!

michmoor

@phil_d You stated you're moving to OPNsense. The OPNsense team uses the work that Netgate put in [2.5G intel drivers] and they will eventually put that code into their own hardware which they sell for profit.
Is that fair?
There is no bait and switch done here. Both CE and Plus are being worked on. The redmine is available to see the progress on CE. As I made mentioned in another post , there were over 400 bugs resolved in CE. I dont understand the viewpoint that they are moving to a proprietary software delivery model. The facts are not lining up so far with your assumptions.

Now, if you want to make the argument that supporting two code versions has a negative effect on feature releases and code quality due to limited resources.... that would be a fair critique.

This post is deleted!

stephenw10

This is not the right place for this discussion. It's not a support question.

michmoor

@stephenw10 agreed.

Dobby_

Actual situation from the 2023-04-12
pfSense Roadmap

Version 2.7.0
Future pfSense CE software release

543 Tickets total
458 Tickets closed
85 Tickets open
89% of all work reached

pfSense Plus - 23.05
Release targeted for May 2023

12 Tickets total
4 Tickets closed
8 Tickets open
41% of all work reached

pfSense Plus - 23.09
Release targeted for September 2023

No Tickets open

pfSense make one big step with two greater changes
such PHP 8.x and FreeBSD 14.0 and also for more
then "one" CPU architecture.

OPNSense is walking step by step and only for one CPU architecture. But at one day they also have to change to FreeBSD 14.0 and also to PHP 8.x as I see it.

Before Netgate were selling their own hardware, there where ca. ~2.000.000 installations world wide counted,
after selling teir own hardware this amount was growing
to nearly 3.000.000 installations. (Old numbers not actual)

So why they should letting fall the CE version? Because it
is nearly something of 75 % of all installations? I personally don´t think so! And is the gain (w/ sales) not giving them right? I mean that they are on the right way?

Patch

@dobby_ said in Pfsense CE 2.7.0 Release:

Actual situation from the 2023-04-12
pfSense Roadmap

Version 2.7.0
Future pfSense CE software release

543 Tickets total
458 Tickets closed
85 Tickets open
89% of all work reached

pfSense Plus - 23.05
Release targeted for May 2023

12 Tickets total
4 Tickets closed
8 Tickets open
41% of all work reached

pfSense Plus - 23.09
Release targeted for September 2023

No Tickets open

The figures above for the Plus versions are incorrect or at least misleading. All CE item are also included in one of the plus versions. To see the actual plus counts a search on redmine for open and closed tickets for each plus version is required.

For example https://redmine.pfsense.org/projects/pfsense/issues?per_page=100&query_id=186

pfSense Plus - 23.05 has
59 Open tickets
44 Closed tickets
103 total tickets

Stewart

I'm also curious about the 2.7.0 release primarily because it is needed to support the i226-V chips from Intel and it seems most of the whitebox vendors have replaced the i225 with i226. Timing is a little frustrating on that front.

I also want to point out that Roadmap is simply a snapshot in time.
23 days ago it showed:

Version 2.7.0
Future pfSense CE software release
543 Tickets total
458 Tickets closed
85 Tickets open
89% of all work reached

Now it shows

Version 2.7.0
Future pfSense CE software release
563 Tickets total
508 Tickets closed
55 Tickets open
91% of all work reached

So, over the last 23 days there have been 20 new tickets generated and 50 tickets closed. That's over 2 per day which is steady progress. Overall they are 30 tickets closer to completion. While it shows only 2% points higher 9% of the outstanding tickets were closed.

stephenw10

Quite a few of those open tickets will be long term issues that can be moved to the next version when we branch for 2.7 so it's not entirely accurate.

Steve

Stewart

@stephenw10 I was just pointing out that to many people it seems like it's taking a long time for 2.7.0 to come out and the needle isn't moving (only going from 89%-91% in this case). In this thread there are complaints, talk of jumping ship, and accusations of motivations. I just don't get it. When you look at the numbers over time it is clear the developers are working hard and getting things done. I know the Roadmap is accurate but it is just a snapshot in time. If you don't compare it to what it has shown in the past you don't see just how far it has come and you'd think it's been stagnant at 90% for a month, which isn't the case. If some of those tickets will be addressed in later patches and releases then it's even closer.

The only reason I personally care about 2.7.0 is for the i226 support. If that support was added to 2.6.0 I wouldn't even be reading up on 2.7.0. I don't need another version number to feel like I'm keeping up. Many of my boxes skipped the 2.5.x line entirely (due to the pandemic and the DNS issues early on) and have gone from 2.4.x to 2.6.0. I trust the team and the project.

One side note, should we read into the fact that no new subversions of 2.6 were released? Is the goal to have a main version like 2.6.0 and just update via the new(ish) patch manager instead of minor releases? Or is just coincidental because the focus went into 2.7.0 with all its major changes?