Navigating to Buy pfSense +

michmoor

@chigh09 ive always stressed in these forums as well on reddit that communication has shown to be a very difficult task for this company to do which is baffling considering they have a marketing department.
That said, i think a blog post with some clarity should be done asap but i dont understand why its not happening.
Im running official Netgate hardware at home and i need things cleared up as well.
Also does this in any way play into why 23.09 is delayed with no official reasoning as to why?

mfld

@michmoor said in Navigating to Buy pfSense +:

i think a blog post with some clarity should be done asap

It is out and it is very disappointing.

Many hours spent testing stuff, trying to help improve the product by trying to submit useful stuff to redmine.

Years of wondering why pfSense Gold was scrapped. Some of us gladly made payments - I think it was 49 bucks - but the company decided they don't want the money anymore.

Many months of begging for the $129.00 TAC lite on white boxes to be launched. If they are being financially disadvantaged by shitty conduct of white box vendors and MSPs why is this $129.00 TAC lite not being launched? It was promised! I know so many people who have the budget ready to get the $129.00 TAC lite key for their mini pc at their house.

I dropped a few pfSense plus installs at family / friend's homes on white-boxes and I told everyone "this option will cost ~12 bucks a month going forward, it is free this year only. If you want to avoid having to pay $129.00 a year next year we have to install pfSense-CE."

Most were OK with it and ready to pay based on my recommendation.

So strange. You worry about cash-flow but you refuse to take money from those who love the company and product and have been begging to pay. You did not even try to launch the $129.00 option. You'd be surprised how many subs you would have gotten with little to no overhead.

TL;DR: Feeling betrayed.

I hope 23.05.1 config.xml work well on 2.7.0-CE.

AdriftAtlas

I've championed pfSense at my workplace and as a result we have deployed close to a dozen Netgate appliances.

At home I run pfSense Home+Lab in a VM on a mini pc. Both as my primary router and as a testbed for changes to deploy on our corporate firewalls. While I would be willing to personally pay a reasonable fee per year to support the project I will not pay $400.

I used to run pfSense CE and upgraded to Plus because it was free for home users and CE was being neglected. Now I'm probably going to have to go back to CE.

The question is what do I do long term as CE will effectively become increasingly neglected. Maybe move to OPNsense or possibly one of the Linux distributions?

More importantly, I'll caution my workplace about pfSense going forward.

This is akin to Google pulling the rug out of GSuite Legacy home users and attempting to charge them $6 a month per user. The community backlash was significant enough that they reversed course. I hope this follows a similar path.

Vyatta used to be a popular firewall. Used to be...

mfld

@AdriftAtlas said in Navigating to Buy pfSense +:

I've championed pfSense at my workplace and as a result we have deployed close to a dozen Netgate appliances.

Right!? The Kool-Aid works. I drank it all up. Generated a sale or two. Set expectations with people that "this will cost 129 a year starting next year" if it was not a Netgate device. Even just home users who need to dial into work for WFH - I told them you can use CE or be ready to pay starting next year. Some chose CE, many said "cool, thats fine".

I used to run pfSense CE and upgraded to Plus because it was free for home users and CE was being neglected. Now I'm probably going to have to go back to CE.

I just hope the config.xml versioning is the same between 23.05.1 and 2.7.0-CE

The question is what do I do long term as CE will effectively become increasingly neglected. Maybe move to OPNsense

Nah. Unlikely you will like monthly breaking changes or stuff like OpenVPN Advanced config option saying "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting." while at the same time not exposing tls-crypt to the GUI (has been fixed now but was the case for years). The only way the other xxSense is any useful is if you subscribe for the enterprise branch. Which is... similarly priced to the TAC lite I have been begging to buy months.

or possibly one of the Linux distributions?

More likely :)

More importantly, I'll caution my workplace about pfSense going forward.

This is akin to Google pulling the rug out of GSuite Legacy home users and attempting to charge them $6 a month per user.

On the upside we won't need to make any effort anymore to reproduce bugs and try make sensible redmine reports. Can just make a TAC ticket and not give a damn. /s

machbot

@mfld said in Navigating to Buy pfSense +:

I just hope the config.xml versioning is the same between 23.05.1 and 2.7.0-CE

It is, I trialed a restore earlier and all went well, no errors.

ScottishTom

Honestly, this just sounds like "we have a really bad way of registering software that is open to abuse, as a result we're taking away what we promised you".

Really disappointed, again both for work and in homelab I have several pfSense instances, will be looking at migration options if there's not a sensibly priced alternative announced very quickly.

mvikman

I will see how long my current "Home Plus" installation will work and update, but I'm also going to be testing OPNsense and planning migration for the eventual death of my "Home Plus" license.

fireodo

It's a pity that there is nothing in between free/TAC-Lite and TAC-Pro.

Again my 2 cents.

Bob.Dig

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

JeGr

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

I'd agree for most things, but I also know (and I'm surprised myself) several power users, that loved helping test versions and submitting bugs etc. with Plus that will get stranded when no Plus subscription for home/lab use is possible anymore. That's a really bad move for development issues. Also many - me included - power users use Plus as a few functions are locked behind that version, like QAT support in hardware (which OPNsense hasn't locked into their business version) and if you have a gigabit line (fibre is coming to more and more people) and want to run a VPN on your hardware supporting all those bells and whistles (like QAT) it doesn't work in CE.

So if next CE gets QAT and stuff unlocked - OK, then it'll really be a nothingburger as then it's only the faster updates and I could ignore that at home. No problem. But for those with large labs like us that tests various configs etc. in labs on the appropriate versions and in various setups, that is a huge blow :(

Would really like to see at least a possibility for netgate partners to still get Lab versions so they can test shit for their customers instead of being left stranded to using hardware (sorry, we can't afford dozens of hardware boxes to stay on different versions to test things through) or cloud images that where we don't control the data. That would effectively disable every testing and debugging method we currently have and also disable ways to produce and test packages against the Plus versions as we can't test them anymore. :(

Edit: Also - OpenVPN DCO. Taking both out and effectively pushing them behind a paywall now - and one that is quite high without a home user level license - is really exactly that, what people have been afraid the whole time. And as both things are simply available in FreeBSD as well as in other firewalls makes it that much harder to argument for your case.

bingo600

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

I don't really need/use any of the Plus features (Boot ENV is nice , but i can make my own snapshot if needed).
My issue is that i have doubts regarding CE being maintained, and also if CE will survive .... Since it has become clear that Plus is where the BIG money is.

If you aren't a "Home user" this is a smart move, as 2 years of subscription will pay for a 6100.
Netgate have efficiently "killed all Corp White Boxes" in one move, despite a clear promise of a soft "$129" transition period.

If i were to get new HW for the company, i'd certainly recommend Netgate HW.
But what will be next ......
I can't recommend a business that makes 180 degree turns all the time.

And IMHO Netgate have made a "Redhat RHEL --> Fedora" on the "Home Plus" users ....

My Corp Network team has been "hovering" on my lab, wanting to switch to Firepower (we have a huge discount).
Until now i have been able to fight them off. But maybe not for long with the new pricing.

I'll be looking at the "Dark side", and test during the next weeks.

I keep hearing a phrase that pops up ... It's not 42, but : Goodbye and thanx for all the F...

/Bingo

michmoor

Everyone here is making very valid points and kudos to being more logical than on the Reddit space.
That said this entire fiasco was so poorly communicated that its a bit unnerving.

$399/yr for Boot environments is not a good sell. Cool feature but pay walling it behind that price point is illogical. Not really sure who thought that was a good idea instead of sticking to their own stated price point of 129/yr. I hope that changes but yikes.
I implement Netgate devices so I'm unaffected but i do have empathy for the large homelab and personal use end-users out there. I know other implementors who push Netgate because of the experience they had at home (which is a value add to Rubicon) but this has them thinking...If they can change the terms all of a sudden then whose to say they wont do it with paying customers? There is precedent set now. That's a very fair critique which is why having a good communication strategy before pushing any changes is a good idea but as history as shown especially recently, Rubicon/Netgate really struggles with this critical part of their business. I am continuously baffled why they choose(it's a choice at this point) not to engage with the user base.

[edit] Thinking about why they choose not to communicate i think its largely because they dont have to. Within the limited area that they operate in [certainly not in the F500 or 1000 companies i serve on occasion] and who their competition is where are people going to go? Sure you got the other *sense out there but for businesses who care about price point, the lowest im willing to go vendor-wise is honestly Netgate. Still not a reaosn not to engage.

[edit2] One last edit. This couldve been avoided a year ago if pfsense+ was only available on Netgate hardware. Trying to upgrade custom builds to this Plus version turned out to be a mistake obviously and purposely pushing customers to do it was also not smart. Now we are where it shouldve been from the beginning. pfSense+ is available only on Netgate hardware (nobody is paying 399 to upgrade) while CE can be used on your whitebox hardware. Totally fair.
Seriously tho, they need to get better at messenging....

NollipfSense

@JeGr said in Navigating to Buy pfSense +:

So if next CE gets QAT and stuff unlocked - OK, then it'll really be a nothingburger as then it's only the faster updates and I could ignore that at home. No problem. But for those with large labs like us that tests various configs etc. in labs on the appropriate versions and in various setups, that is a huge blow :(

Excellent point, thanks for sharing!

NollipfSense

@michmoor said in Navigating to Buy pfSense +:

That said this entire fiasco was so poorly communicated that its a bit unnerving.

Agree, we're all friends of Netgate and communication is what keep relationships growing...

wgstarks

Just in case anyone hasn’t seen it, Netgate has made an official announcement.
link text

Cylosoft

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

Exactly. If CE is maintained then who cares. Run CE at home and move on. Really the $129 option is more about supporting development than getting me features. If Netgate doesn't want the support from the home uses that's their decision.

SteveITS

@machbot said in Navigating to Buy pfSense +:

@mfld said in Navigating to Buy pfSense +:

I just hope the config.xml versioning is the same between 23.05.1 and 2.7.0-CE

It is, I trialed a restore earlier and all went well, no errors.

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

michmoor

@SteveITS
I think its two things that needs to be addressed

1. Pricing back to the stated price of 129.
2. The harder part but clearly theres an issue with tracking registration. If cloning the image circumvents the process then it wasn't a good process to begin with. Not sure how other companies are handling this but obviously installing or swapping a NIC shouldnt invalidate a license but it does.

As i mentioned before I think where we are now its probably the best way to have access to Plus. If you want/need plus get the official hardware otherwise you are on CE. I say keep it like this.

Darkk

@SteveITS said in Navigating to Buy pfSense +:

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

Yep, without the ability to get the updated token due to hardware changes unless we fork out for the $399/yr subscription isn't going to go well for home/lab users. I personally wouldn't mind paying $129/yr for TAC Lite as I want to support it. FYI I do buy Netgate appliances for our branches at work so I know those won't be affected by the changes.

I am just more concerned for folks like me who uses this for home labs. I've been using pfsense (used to be pfDNS in the early days) for 15+ years so want to keep using it for my home lab.

Also, I saw a post on Facebook which brought me here so no doubt there will be posts there as well.

jrey

@SteveITS said in Navigating to Buy pfSense +:

Plus unregistering after hardware changes trigger a change

So since that can't happen on a Netgate sourced device ..

Will Netgate be taking steps to mitigate the possible actual discloser of the coveted NDI by all packages that appear in the available packages list?

The entire NDI value has been a scatter broadcast to various "open source" servers for a long time and therefore represents a problem. One could only guess how that could be compromised should the NDI list fall to the wrong hands (inadvertent or otherwise)

It strikes me as odd that you have a setting the allows an opt-out protecting it from yourself, but yet allow packages to broadcast it anywhere they want.

on the one hand "security" and "NDI value" - on the other, opens trench coat - psst ya wanna buy a watch.

as I also said else where earlier today, but worth repeating on this thread:

Understood, I had not read the recent blog post to which you refer,

It won't impact me. I'm licensed. It will certainly impact a lot of "home" users and impact (likely in a negative fashion) and Netgate's ability to solicit and maintain the support of the open source concept.

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

Netgate will likely come to a fork in the road where they have to decide (stay open or closed) good and bad in each of those, both them and users.

disclaimer, I have no vested interest in Negate. Could continue to "run" with or without their device and/or software. They will obviously proceed in a direction they feel best for their model. And users will ultimately do the same.
I've already crossed the bridge regarding the use of Netgate in certain situations, because of those potential failures and in those cases we use just use different products