Navigating to Buy pfSense +

michmoor

Everyone here is making very valid points and kudos to being more logical than on the Reddit space.
That said this entire fiasco was so poorly communicated that its a bit unnerving.

$399/yr for Boot environments is not a good sell. Cool feature but pay walling it behind that price point is illogical. Not really sure who thought that was a good idea instead of sticking to their own stated price point of 129/yr. I hope that changes but yikes.
I implement Netgate devices so I'm unaffected but i do have empathy for the large homelab and personal use end-users out there. I know other implementors who push Netgate because of the experience they had at home (which is a value add to Rubicon) but this has them thinking...If they can change the terms all of a sudden then whose to say they wont do it with paying customers? There is precedent set now. That's a very fair critique which is why having a good communication strategy before pushing any changes is a good idea but as history as shown especially recently, Rubicon/Netgate really struggles with this critical part of their business. I am continuously baffled why they choose(it's a choice at this point) not to engage with the user base.

[edit] Thinking about why they choose not to communicate i think its largely because they dont have to. Within the limited area that they operate in [certainly not in the F500 or 1000 companies i serve on occasion] and who their competition is where are people going to go? Sure you got the other *sense out there but for businesses who care about price point, the lowest im willing to go vendor-wise is honestly Netgate. Still not a reaosn not to engage.

[edit2] One last edit. This couldve been avoided a year ago if pfsense+ was only available on Netgate hardware. Trying to upgrade custom builds to this Plus version turned out to be a mistake obviously and purposely pushing customers to do it was also not smart. Now we are where it shouldve been from the beginning. pfSense+ is available only on Netgate hardware (nobody is paying 399 to upgrade) while CE can be used on your whitebox hardware. Totally fair.
Seriously tho, they need to get better at messenging....

NollipfSense

@JeGr said in Navigating to Buy pfSense +:

So if next CE gets QAT and stuff unlocked - OK, then it'll really be a nothingburger as then it's only the faster updates and I could ignore that at home. No problem. But for those with large labs like us that tests various configs etc. in labs on the appropriate versions and in various setups, that is a huge blow :(

Excellent point, thanks for sharing!

NollipfSense

@michmoor said in Navigating to Buy pfSense +:

That said this entire fiasco was so poorly communicated that its a bit unnerving.

Agree, we're all friends of Netgate and communication is what keep relationships growing...

wgstarks

Just in case anyone hasn’t seen it, Netgate has made an official announcement.
link text

Cylosoft

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

Exactly. If CE is maintained then who cares. Run CE at home and move on. Really the $129 option is more about supporting development than getting me features. If Netgate doesn't want the support from the home uses that's their decision.

SteveITS

@machbot said in Navigating to Buy pfSense +:

@mfld said in Navigating to Buy pfSense +:

I just hope the config.xml versioning is the same between 23.05.1 and 2.7.0-CE

It is, I trialed a restore earlier and all went well, no errors.

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

michmoor

@SteveITS
I think its two things that needs to be addressed

1. Pricing back to the stated price of 129.
2. The harder part but clearly theres an issue with tracking registration. If cloning the image circumvents the process then it wasn't a good process to begin with. Not sure how other companies are handling this but obviously installing or swapping a NIC shouldnt invalidate a license but it does.

As i mentioned before I think where we are now its probably the best way to have access to Plus. If you want/need plus get the official hardware otherwise you are on CE. I say keep it like this.

Darkk

@SteveITS said in Navigating to Buy pfSense +:

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

Yep, without the ability to get the updated token due to hardware changes unless we fork out for the $399/yr subscription isn't going to go well for home/lab users. I personally wouldn't mind paying $129/yr for TAC Lite as I want to support it. FYI I do buy Netgate appliances for our branches at work so I know those won't be affected by the changes.

I am just more concerned for folks like me who uses this for home labs. I've been using pfsense (used to be pfDNS in the early days) for 15+ years so want to keep using it for my home lab.

Also, I saw a post on Facebook which brought me here so no doubt there will be posts there as well.

jrey

@SteveITS said in Navigating to Buy pfSense +:

Plus unregistering after hardware changes trigger a change

So since that can't happen on a Netgate sourced device ..

Will Netgate be taking steps to mitigate the possible actual discloser of the coveted NDI by all packages that appear in the available packages list?

The entire NDI value has been a scatter broadcast to various "open source" servers for a long time and therefore represents a problem. One could only guess how that could be compromised should the NDI list fall to the wrong hands (inadvertent or otherwise)

It strikes me as odd that you have a setting the allows an opt-out protecting it from yourself, but yet allow packages to broadcast it anywhere they want.

on the one hand "security" and "NDI value" - on the other, opens trench coat - psst ya wanna buy a watch.

as I also said else where earlier today, but worth repeating on this thread:

Understood, I had not read the recent blog post to which you refer,

It won't impact me. I'm licensed. It will certainly impact a lot of "home" users and impact (likely in a negative fashion) and Netgate's ability to solicit and maintain the support of the open source concept.

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

Netgate will likely come to a fork in the road where they have to decide (stay open or closed) good and bad in each of those, both them and users.

disclaimer, I have no vested interest in Negate. Could continue to "run" with or without their device and/or software. They will obviously proceed in a direction they feel best for their model. And users will ultimately do the same.
I've already crossed the bridge regarding the use of Netgate in certain situations, because of those potential failures and in those cases we use just use different products

Amodin

Well, this frankly sucks.

I just got here after being with Astaro/Sophos for over 20 years and after they EOL'd their UTM, I decided to make a switch to pfSense Plus, because it appeared that avoiding CE was the right thing to do.

Looks like it's time to go fishing again, and I just got here. Gotta call my friends and warn them about this as well... I brought them with me and now I feel responsible for finding a new solution.

michmoor

@Amodin why cant you do CE?
What specifically was a feature you needed on Plus that you cant get on CE?

Darkk

@Amodin said in Navigating to Buy pfSense +:

Well, this frankly sucks.

I just got here after being with Astaro/Sophos for over 20 years and after they EOL'd their UTM, I decided to make a switch to pfSense Plus, because it appeared that avoiding CE was the right thing to do.

Looks like it's time to go fishing again, and I just got here. Gotta call my friends and warn them about this as well... I brought them with me and now I feel responsible for finding a new solution.

I wouldn't jump ship just yet. The Plus version on white box device will continue to operate. Just it'll be a question of getting updates without a "paid" subscription in the future. If Netgate offers either $50 or $129 per year subscription for updates I think it'll work well with the home lab community. I think the $50/yr will be easy pill to swallow for non-commercial home labs. So it's wait and see what Netgate decides to do.

GPz1100

@Amodin Same here. Seven year user of UTM home. I haven't even begun the change over yet. Not sure what direction to go now.

I have an instance with the plus token already installed, but even it's direction is unclear. NG's blog post wasn't entirely clear what happens to pre-existing plus installation long term. Will it mirror the commercial plus version of be castrated of certain features/updates.

As for PF hardware changes, it appears the entire algorithm is based on nic mac address and quantity. That is, changing a mac breaks the token. Doesn't even matter if that nic is physical or virtual (tested both ways). Not sure how the resellers were getting away with cloning, unless they're burning the same mac's into all of their boxes.

Good luck!

SteveITS

@michmoor said in Navigating to Buy pfSense +:

What specifically was a feature you needed on Plus that you cant get on CE?

That's my basic question in all this. And more importantly, what other solution does have that missing feature?

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Darkk

@jrey said in Navigating to Buy pfSense +:

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

To be honest this is true on any security device. Taking someone like me who manages Fortigate firewalls in our enterprise environment I've had my fair share of their recent security fiasco and constant update after update in short period of time. I was like why aren't they QA'ing their code before releasing it? Who knows.

Point is even bigger companies like Fortinet have their own set of issues. Cisco and few others. It's the home lab community like us with pfsense that help test and report bugs. Even suggest new features.

Bob.Dig

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and

But it has been said in the past, something like "laying it in the hands of the community..." which isn't a real thing.

GPz1100

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Steve, I've seen this happen with sophos UTM (both home and commercial product). For the last many years, new features have been minimal to none. Mainly security and some bug fixes. I'd say it's even fair to say the platform has been on life support for many years now (as a user of it for 7). Earlier this year sophos finally announced an EOL date - 6/2026. Three years from now. While support/updates are minimal, at least there is some support.

I have a feeling the same will be seen with the CE version. NG's press release used the term "may". By now we all know what "may" really means.

Amodin

@michmoor said in Navigating to Buy pfSense +:

@Amodin why cant you do CE?
What specifically was a feature you needed on Plus that you cant get on CE?

It's really not about 'features' at this point, it's principles. I don't need the boot environment feature.

From my understanding while researching a new solution after deciding to get out of Sophos, CE is apparently an afterthought of sorts and doesn't stay consistently updated. Plus was more updated to stay current, that's important to me. I don't want to use something that I use for a solution that isn't being updated.
You're missing all the buzzy PR word usage they are applying to CE and this continued use of Plus. There's no question in my mind that free/home use is going to be phased out down the road. They of course won't come out and say that - dangling carrots and all. I get it - it's a business model that generates revenue. I'm not interested in paid support - if I have a problem, I'll fix it on my own, wait for a fix if it's not mission critical or replace it.

The community that is faithful to this project are the ones that are paying the price because of resellers. Instead of tackling the problem, they are tackling the user-base. I have a problem with that. Like I said, principles.

@GPz1100 said in Navigating to Buy pfSense +:

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Steve, I've seen this happen with sophos UTM (both home and commercial product). For the last many years, new features have been minimal to none. Mainly security and some bug fixes. I'd say it's even fair to say the platform has been on life support for many years now (as a user of it for 7). Earlier this year sophos finally announced an EOL date - 6/2026. Three years from now. While support/updates are minimal, at least there is some support.

I have a feeling the same will be seen with the CE version. NG's press release used the term "may". By now we all know what "may" really means.

This right here. I left Sophos for this very reason - empty promises and about principle. I understand them wanting to EoL the UTM product, really I do. But they were pushing their users into something that many of us proved to them wasn't ready and their new product is absolutely sub-standard. They ignored us, and continue to flounder like fish out of water, IMHO.

Darkk

@Amodin said in Navigating to Buy pfSense +:

It's really not about 'features' at this point, it's principles. I don't need the boot environment feature.

From my understanding while researching a new solution after deciding to get out of Sophos, CE is apparently an afterthought of sorts and doesn't stay consistently updated. Plus was more updated to stay current, that's important to me. I don't want to use something that I use for a solution that isn't being updated.
You're missing all the buzzy PR word usage they are applying to CE and this continued use of Plus. There's no question in my mind that free/home use is going to be phased out down the road. They of course won't come out and say that - dangling carrots and all. I get it - it's a business model that generates revenue. I'm not interested in paid support - if I have a problem, I'll fix it on my own, wait for a fix if it's not mission critical or replace it.

The community that is faithful to this project are the ones that are paying the price because of resellers. Instead of tackling the problem, they are tackling the user-base. I have a problem with that. Like I said, principles.

Well, as for resellers I think Netgate made it too easy to get the free licenses as it's automated on the website without any kind of verification. If it's manual process via Netgate sales it might resolve it?

sic0048

This whole announcement just seems strange and short sighted on Netgate's part. First, it's important to realize that it really only affects individuals and small companies/organizations. Larger companies using Netgate are already paying for a higher tier of Tac licensing. Second, Netgate must understand that these individuals and smaller companies/organizations are not going to convert to a higher tier of Tac licensing. It simply isn't worth it for them and they will quickly find a cheaper alternative. I don't think Netgate actually expects any of them to pay up. (If they do, see my second conclusion below).

Of course you can buy a Netgate appliance and get a lifetime (of the device) license of Tac-Lite for free. At first glance, this might appear like a pure money grab on Netgate's part by pushing these individuals and small companies/organizations to buy their appliances. But the fact is that long term, Netgate would make a lot more money selling yearly $129 Tac-Lite licenses on white box devices than they will by selling their own appliances. The appliance does not provide annual revenue and the profit margins are lower due to the manufacturing costs of the appliance (ie selling a $599 appliance doesn't produce $599 in profit for Netgate). Meanwhile a yearly licensing fee has extremely high margins (as in it's nearly 100% pure profit) and provides a source of yearly income.

At best, all Netgate is going to do is push a lot of individuals and small companies/organizations to purchase a Netgate appliance for between $189-$599. This will result in a small increase in short term profitability, but it also means they will never see another dime from those users because there is no annual licensing fee required with those appliances. At worst, Netgate is pushing those clients away to the competition all while alienating them as well. That group also tends to be very vocal on social media and I honestly think the back lash, while it won't last forever, is actually going to cost Netgate more than any of the small bump in profitability they might see through appliance sales. Alternatively, they could have started charging the $125 annual Tac-Lite license and collected that from a large number of users each year and not alienated a large portion of their user base.

This leads me to just three logical conclusions. #1 Netgate is so cash strapped that they would rather monetize a couple years worth of license fees at once by forcing people to purchase one of their appliances instead of capitalizing on a yearly licensing fee. If that is true, it doesn't bode well for the long term sustainability of the company. #2 The leadership of Netgate is literally out of their minds. I have no idea who would have run the financial numbers on this decision and decided it was worth doing. #3 Netgate is planning on changing to a "large company" solution only. They will eventually drop pfSense CE because it costs too much money to maintain with zero benefit to the company once they put all of their focus on the "white whale" companies.

While I would love to believe that conclusion #2 is true, I suspect conclusion #3 is what will ultimately play out. I haven't been one to think that Netgate was "going to drop CE" until now, but I 'm guessing that within 3-5 years CE will effectively be unsupported and Netgate will have priced things to the point that only large companies are using pfSense.