Navigating to Buy pfSense +

wgstarks

Just in case anyone hasn’t seen it, Netgate has made an official announcement.
link text

Cylosoft

@Bob-Dig said in Navigating to Buy pfSense +:

If the CE gets Updates too then it is kind of a nothing burger at this point, we knew that a change would be coming someday...
Now I hope that the day, the "old" home tier doesn't get any updates anymore, it can be reverted to a CE!

Exactly. If CE is maintained then who cares. Run CE at home and move on. Really the $129 option is more about supporting development than getting me features. If Netgate doesn't want the support from the home uses that's their decision.

SteveITS

@machbot said in Navigating to Buy pfSense +:

@mfld said in Navigating to Buy pfSense +:

I just hope the config.xml versioning is the same between 23.05.1 and 2.7.0-CE

It is, I trialed a restore earlier and all went well, no errors.

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

michmoor

@SteveITS
I think its two things that needs to be addressed

1. Pricing back to the stated price of 129.
2. The harder part but clearly theres an issue with tracking registration. If cloning the image circumvents the process then it wasn't a good process to begin with. Not sure how other companies are handling this but obviously installing or swapping a NIC shouldnt invalidate a license but it does.

As i mentioned before I think where we are now its probably the best way to have access to Plus. If you want/need plus get the official hardware otherwise you are on CE. I say keep it like this.

Darkk

@SteveITS said in Navigating to Buy pfSense +:

For reference to @mfld and others, there is a chart linked on:
https://docs.netgate.com/pfsense/en/latest/backup/restore-different-version.html
-> https://docs.netgate.com/pfsense/en/latest/releases/versions.html

23.09 will have a newer config file version.

I have absolutely no insight behind the scenes, but it seems logical to me that there was some reason why the $129 subscription wasn't going to work long term. Otherwise payment seems like an easy way to "fix" the issue of "unauthorized redistribution." For instance I've seen numerous posts about Plus unregistering after hardware changes trigger a change in the person's NDI.

Yep, without the ability to get the updated token due to hardware changes unless we fork out for the $399/yr subscription isn't going to go well for home/lab users. I personally wouldn't mind paying $129/yr for TAC Lite as I want to support it. FYI I do buy Netgate appliances for our branches at work so I know those won't be affected by the changes.

I am just more concerned for folks like me who uses this for home labs. I've been using pfsense (used to be pfDNS in the early days) for 15+ years so want to keep using it for my home lab.

Also, I saw a post on Facebook which brought me here so no doubt there will be posts there as well.

jrey

@SteveITS said in Navigating to Buy pfSense +:

Plus unregistering after hardware changes trigger a change

So since that can't happen on a Netgate sourced device ..

Will Netgate be taking steps to mitigate the possible actual discloser of the coveted NDI by all packages that appear in the available packages list?

The entire NDI value has been a scatter broadcast to various "open source" servers for a long time and therefore represents a problem. One could only guess how that could be compromised should the NDI list fall to the wrong hands (inadvertent or otherwise)

It strikes me as odd that you have a setting the allows an opt-out protecting it from yourself, but yet allow packages to broadcast it anywhere they want.

on the one hand "security" and "NDI value" - on the other, opens trench coat - psst ya wanna buy a watch.

as I also said else where earlier today, but worth repeating on this thread:

Understood, I had not read the recent blog post to which you refer,

It won't impact me. I'm licensed. It will certainly impact a lot of "home" users and impact (likely in a negative fashion) and Netgate's ability to solicit and maintain the support of the open source concept.

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

Netgate will likely come to a fork in the road where they have to decide (stay open or closed) good and bad in each of those, both them and users.

disclaimer, I have no vested interest in Negate. Could continue to "run" with or without their device and/or software. They will obviously proceed in a direction they feel best for their model. And users will ultimately do the same.
I've already crossed the bridge regarding the use of Netgate in certain situations, because of those potential failures and in those cases we use just use different products

Amodin

Well, this frankly sucks.

I just got here after being with Astaro/Sophos for over 20 years and after they EOL'd their UTM, I decided to make a switch to pfSense Plus, because it appeared that avoiding CE was the right thing to do.

Looks like it's time to go fishing again, and I just got here. Gotta call my friends and warn them about this as well... I brought them with me and now I feel responsible for finding a new solution.

michmoor

@Amodin why cant you do CE?
What specifically was a feature you needed on Plus that you cant get on CE?

Darkk

@Amodin said in Navigating to Buy pfSense +:

Well, this frankly sucks.

I just got here after being with Astaro/Sophos for over 20 years and after they EOL'd their UTM, I decided to make a switch to pfSense Plus, because it appeared that avoiding CE was the right thing to do.

Looks like it's time to go fishing again, and I just got here. Gotta call my friends and warn them about this as well... I brought them with me and now I feel responsible for finding a new solution.

I wouldn't jump ship just yet. The Plus version on white box device will continue to operate. Just it'll be a question of getting updates without a "paid" subscription in the future. If Netgate offers either $50 or $129 per year subscription for updates I think it'll work well with the home lab community. I think the $50/yr will be easy pill to swallow for non-commercial home labs. So it's wait and see what Netgate decides to do.

GPz1100

@Amodin Same here. Seven year user of UTM home. I haven't even begun the change over yet. Not sure what direction to go now.

I have an instance with the plus token already installed, but even it's direction is unclear. NG's blog post wasn't entirely clear what happens to pre-existing plus installation long term. Will it mirror the commercial plus version of be castrated of certain features/updates.

As for PF hardware changes, it appears the entire algorithm is based on nic mac address and quantity. That is, changing a mac breaks the token. Doesn't even matter if that nic is physical or virtual (tested both ways). Not sure how the resellers were getting away with cloning, unless they're burning the same mac's into all of their boxes.

Good luck!

SteveITS

@michmoor said in Navigating to Buy pfSense +:

What specifically was a feature you needed on Plus that you cant get on CE?

That's my basic question in all this. And more importantly, what other solution does have that missing feature?

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Darkk

@jrey said in Navigating to Buy pfSense +:

The device and software (packages) on it are good, but not that good, that if push comes to shove, I wouldn't just unplug the device and move to something else.

I could give specific examples of packages that get installed, and likely on a lot of devices, that are simply full of security holes and/or out and out are subject to potential failures that can lead to security issues (that's open source). That's the risk and the game.

To be honest this is true on any security device. Taking someone like me who manages Fortigate firewalls in our enterprise environment I've had my fair share of their recent security fiasco and constant update after update in short period of time. I was like why aren't they QA'ing their code before releasing it? Who knows.

Point is even bigger companies like Fortinet have their own set of issues. Cisco and few others. It's the home lab community like us with pfsense that help test and report bugs. Even suggest new features.

Bob.Dig

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and

But it has been said in the past, something like "laying it in the hands of the community..." which isn't a real thing.

GPz1100

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Steve, I've seen this happen with sophos UTM (both home and commercial product). For the last many years, new features have been minimal to none. Mainly security and some bug fixes. I'd say it's even fair to say the platform has been on life support for many years now (as a user of it for 7). Earlier this year sophos finally announced an EOL date - 6/2026. Three years from now. While support/updates are minimal, at least there is some support.

I have a feeling the same will be seen with the CE version. NG's press release used the term "may". By now we all know what "may" really means.

Amodin

@michmoor said in Navigating to Buy pfSense +:

@Amodin why cant you do CE?
What specifically was a feature you needed on Plus that you cant get on CE?

It's really not about 'features' at this point, it's principles. I don't need the boot environment feature.

From my understanding while researching a new solution after deciding to get out of Sophos, CE is apparently an afterthought of sorts and doesn't stay consistently updated. Plus was more updated to stay current, that's important to me. I don't want to use something that I use for a solution that isn't being updated.
You're missing all the buzzy PR word usage they are applying to CE and this continued use of Plus. There's no question in my mind that free/home use is going to be phased out down the road. They of course won't come out and say that - dangling carrots and all. I get it - it's a business model that generates revenue. I'm not interested in paid support - if I have a problem, I'll fix it on my own, wait for a fix if it's not mission critical or replace it.

The community that is faithful to this project are the ones that are paying the price because of resellers. Instead of tackling the problem, they are tackling the user-base. I have a problem with that. Like I said, principles.

@GPz1100 said in Navigating to Buy pfSense +:

@SteveITS said in Navigating to Buy pfSense +:

I think some people are interpreting this change as "CE is going away" which has not been said and I very much doubt is the case.

Steve, I've seen this happen with sophos UTM (both home and commercial product). For the last many years, new features have been minimal to none. Mainly security and some bug fixes. I'd say it's even fair to say the platform has been on life support for many years now (as a user of it for 7). Earlier this year sophos finally announced an EOL date - 6/2026. Three years from now. While support/updates are minimal, at least there is some support.

I have a feeling the same will be seen with the CE version. NG's press release used the term "may". By now we all know what "may" really means.

This right here. I left Sophos for this very reason - empty promises and about principle. I understand them wanting to EoL the UTM product, really I do. But they were pushing their users into something that many of us proved to them wasn't ready and their new product is absolutely sub-standard. They ignored us, and continue to flounder like fish out of water, IMHO.

Darkk

@Amodin said in Navigating to Buy pfSense +:

It's really not about 'features' at this point, it's principles. I don't need the boot environment feature.

From my understanding while researching a new solution after deciding to get out of Sophos, CE is apparently an afterthought of sorts and doesn't stay consistently updated. Plus was more updated to stay current, that's important to me. I don't want to use something that I use for a solution that isn't being updated.
You're missing all the buzzy PR word usage they are applying to CE and this continued use of Plus. There's no question in my mind that free/home use is going to be phased out down the road. They of course won't come out and say that - dangling carrots and all. I get it - it's a business model that generates revenue. I'm not interested in paid support - if I have a problem, I'll fix it on my own, wait for a fix if it's not mission critical or replace it.

The community that is faithful to this project are the ones that are paying the price because of resellers. Instead of tackling the problem, they are tackling the user-base. I have a problem with that. Like I said, principles.

Well, as for resellers I think Netgate made it too easy to get the free licenses as it's automated on the website without any kind of verification. If it's manual process via Netgate sales it might resolve it?

sic0048

This whole announcement just seems strange and short sighted on Netgate's part. First, it's important to realize that it really only affects individuals and small companies/organizations. Larger companies using Netgate are already paying for a higher tier of Tac licensing. Second, Netgate must understand that these individuals and smaller companies/organizations are not going to convert to a higher tier of Tac licensing. It simply isn't worth it for them and they will quickly find a cheaper alternative. I don't think Netgate actually expects any of them to pay up. (If they do, see my second conclusion below).

Of course you can buy a Netgate appliance and get a lifetime (of the device) license of Tac-Lite for free. At first glance, this might appear like a pure money grab on Netgate's part by pushing these individuals and small companies/organizations to buy their appliances. But the fact is that long term, Netgate would make a lot more money selling yearly $129 Tac-Lite licenses on white box devices than they will by selling their own appliances. The appliance does not provide annual revenue and the profit margins are lower due to the manufacturing costs of the appliance (ie selling a $599 appliance doesn't produce $599 in profit for Netgate). Meanwhile a yearly licensing fee has extremely high margins (as in it's nearly 100% pure profit) and provides a source of yearly income.

At best, all Netgate is going to do is push a lot of individuals and small companies/organizations to purchase a Netgate appliance for between $189-$599. This will result in a small increase in short term profitability, but it also means they will never see another dime from those users because there is no annual licensing fee required with those appliances. At worst, Netgate is pushing those clients away to the competition all while alienating them as well. That group also tends to be very vocal on social media and I honestly think the back lash, while it won't last forever, is actually going to cost Netgate more than any of the small bump in profitability they might see through appliance sales. Alternatively, they could have started charging the $125 annual Tac-Lite license and collected that from a large number of users each year and not alienated a large portion of their user base.

This leads me to just three logical conclusions. #1 Netgate is so cash strapped that they would rather monetize a couple years worth of license fees at once by forcing people to purchase one of their appliances instead of capitalizing on a yearly licensing fee. If that is true, it doesn't bode well for the long term sustainability of the company. #2 The leadership of Netgate is literally out of their minds. I have no idea who would have run the financial numbers on this decision and decided it was worth doing. #3 Netgate is planning on changing to a "large company" solution only. They will eventually drop pfSense CE because it costs too much money to maintain with zero benefit to the company once they put all of their focus on the "white whale" companies.

While I would love to believe that conclusion #2 is true, I suspect conclusion #3 is what will ultimately play out. I haven't been one to think that Netgate was "going to drop CE" until now, but I 'm guessing that within 3-5 years CE will effectively be unsupported and Netgate will have priced things to the point that only large companies are using pfSense.

marcg

Hoping that Netgate reconsiders and creates an affordable whitebox license for home users. Paying for value is fair. I'd personally be willing to pay $129/year and continue to be a promoter of pfSense+ in my professional & personal communities.

$399/year would more than double many (most?) home users' yearly spend on networking gear. Switching from a whitebox to a Netgate box to drop support costs to the (soon to be) $129/year TAC Lite subscription isn't a clear win from a total cost perspective either. Smaller whiteboxes suited for home use -- handful of 2.5 Gbps ports with good performance -- are substantially less expensive and varied from a price/performance perspective than Netgate's comparable offerings.

I switched to pfSense+ for L3 from another vendor's product (the other vendor includes a perpetual zero-cost license with equipment purchase). pfSense+ provided functionality and performance not available with that other equipment. My network is "better" in a number of ways with pfSense+, but it's not clear to me that it's $399/year better.

Perhaps there are technical mechanisms that could ensure a less expensive home entitlement isn't abused: just as an example, limiting the state table to 10k states.

Viper_Rus

23.09.b.20231023.1701 will this be the last version for Plus (Home) or will they at least give us the final version 23.09? And what version of CE can I upgrade to? As I understand it, the CE config is older.
Personally, I am not bothered by this situation if we are given the opportunity to switch to CE without any problems.

Amodin

@marcg said in Navigating to Buy pfSense +:

Hoping that Netgate reconsiders and creates an affordable whitebox license for home users. Paying for value is fair. I'd personally be willing to pay $129/year and continue to be a promoter of pfSense+ in my professional & personal communities.

$399/year would more than double many (most?) home users' yearly spend on networking gear. Switching from a whitebox to a Netgate box to drop support to the (soon to be) $129/year TAC Lite subscription isn't a clear win from a total cost perspective either. Smaller whiteboxes suited for home use -- handful of 2.5 Gbps ports with good performance -- are substantially less expensive and varied from a price/performance perspective than Netgate's comparable offerings.

Perhaps there are technical mechanisms that could ensure a less expensive home entitlement isn't abused: just as an example, limiting the state table to 10k states.

While I wouldn't be against even paying a small yearly fee, I'd like to address your technical limitations as well:

Sophos did this and you had (HAD) two options - either use UTM and your IP limitation was at 50 IPs, or go to their SFOS solution, have unlimited IPs, but the hardware limitations were in place - being allowed to run minimal (read substandard) hardware limits (4-core, 6GB limits) for their new solution turned it into an overstuff pack mule trying to climb a 50-degree incline. So, the 50 IP limit seemed like still the better choice - then they discontinued that product allowing it altogether and made no accommodation for the only solution available now through Sophos.

So, you may have fantastic hardware, but limited so badly, Snort doesn't even run at an acceptable pace, and per Sophos standards, wouldn't even update the backend appropriately to the point where NIC drivers were never allowed to be updated, no updates to the inner workings utilized with their solution, such as Snort being mutli-threaded now at Version 3, while Sophos still runs 32-bit Snort. Things like this are the death of teeter-tottering, back and forth which makes the user even more bitter about being limited. It's NOT a decent solution. A better solution for this issue would be better management of licensing, quite frankly.