Is CE really slower with (security) updates compared to plus ?

stephenw10

Updates to the patches package for security issues are usually released to both at the same time.

Plus has more frequent updates compared to CE. Actual security issues are addressed for both though.

Patch

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

is the CE really that much slower than the plus subscription

Both products are supposedly being worked on however no CE snap shots have been available for over 9 months. So while development is said to be occurring for the "Open source" CE product only Netscape employees can access it. The CE version can not be independently compiled as it requires some Netscape components

Netgate's proprietary plus software is a good product which is well supported, so a reasonable choice if If you are comfortable with proprietary software. However Negate demonstrated throttling access to CE maintenance / development make it's future far less viable.

Security patches are released in a timely fashion however you may want more maintenance than that for your new firewall software choice.

+DS_DV+

thats what i worry about since the HomeLab Licences was killed.
I can relate with the Reasons of fraudulent use.

But i looked at github for CE and there is no recent release as well.
(https://github.com/pfsense/pfsense/tags last release 2021)
I also looked for a few CVEs and found quite a few days diffrence between plus and ce :(
For example:

OpenSSL 1.1.1 is no long supported & Systems must be upgraded to supported version to 3
Fixed in pfsense Plus November 06, 2023
Netgate Releases pfSense Plus Software Version 23.09 6
Fixed in pfsense CE November 16, 2023
Netgate Releases pfSense CE Software Version 2.7.1 7
Fixed in OPNSense 24.1.1 released Feb 6 2024
OPNsense 24.1.1 released

Source: https://forums.lawrencesystems.com/t/why-i-am-not-using-opnsense/21450

tbh i would like to switch especially due to the "boot environment" feature which i know and love from truenas.

But for some over 100Bucks a year is a price tab that is hard to justify if you essentially only have a PC Laptop and Smartphone.

Ofc i could go for openwrt or stay with opnsense but i would love to get faster security as well ^^

Patch

@DS_DV to understand what is occurring it is useful to understand Netgate has taken the opposite direction to OPNsense.

OPNsense have a commercial restricted access version which uses the free version for testing (similar to Proxmox) as a result functionality is first added to the free open source version, then when it is stable it is released to the commercial version.

In contrast Netgate now just develop the propriety (Plus) version. Then when they feel like it they later release / back port the features they want to release to the CE version. This approach removes all benefit of the CE version to Negate, leaving it only as competition and a burden to support. It's only value to Netgate I can see is it lets them claim pfsense is open source and limits concentrated user backlash. Time will see how long it lasts.

History so far
CE v2.7.0 and plus v23.05 & v23.05.1 were released in Jun 2023 with 103 + 14 common redmine issues. 13 v2.7.0 added plus in v23.09

CE v2.7.1 and plus v23.09 was released in Nov 2023 with 132 common redmine issues. 5 v2.7.1 added to plus in v23.09.1

CE v2.7.2 and Plus and v23.09.1 were released in Dec 2023 with 19 common redmine issues.

Plus v24.03 was released in Apr 2024 with 108 redmine issues in common with unavailable CE v2.8 and 2 issues possibly in later CE version CE-Next

Plus v24.08 has 94 redmine issues in common with unavailable CE v2.8 and 27 issues possibly in later CE version CE-Next

+DS_DV+

@Patch

@Patch said in Is CE really slower with (security) updates compared to plus ?:

In contrast Netgate now just develop the propriety (Plus) version. Then when they feel like it they later release / back port the features they want to release to the CE version. This approach removes all benefit of the CE version to Negate, leaving it only as competition and a burden to support. It's only value to Netgate I can see is it lets them claim pfsense is open source and limits concentrated user backlash. Time will see how long it lasts.

this is what confused me since i use proxmox / opnsense.

but afaik they have to somewhat publish their code foss since its a requirement for using freebsd.

and of course one can conspire that due to their "bad history" pfsense is not willing to push too much too fast upstream since "OPNsense is just pfsense CE with nicer GUI" (big big quotes).

but i fear they might end up in an apple situation where they barely apply to the foos rules by pushing "just enough" FOSS updates.

On the other hand iirc they are a big commit and donation giver for FreeBSD.
So i guess maybe the FreeBSD License does not require complete FOSS builds?

irdk :/

maybe i just start with CE and look how it plays out.

Patch

@DS_DV my understanding is they do push upstream well making many valuable contributions to FreeBSD.

What is far less clear is release / continued development of pfsense CE (as opposed to the proprietary pfsense Plus)

+DS_DV+

@Patch i would love to hear a license expert for foss software on that ^^
but i get the point that they have to make money somehow and as long as they push upstream i think i am ok with that

Gertjan

@DS_DV

Is CE really slower with (security) updates compared to plus ?

Are you ready for a reality fact check up ?
And believe me, this one is scripted : you'll get an answer without having to go to look for yourself.

Start here : read :

Auto update check, checks for updates to base system + packages and sends email alerts

Then do as told : Install the pfSense cron package.
Create the script.
Set up a cron task : have it executed like one a day or every 12 hours.
Make sure you have the pfSense Notification system activated.

and now : wait ....

In nearby future you will receive a notification from your pfSense : an update is avaible !!
This can be :
pfSense itself.
One or more pfSense GUI packages - one of these : System > Package Manager > Installed Packages
And ... wait for it .... one or more FreeBSD 'pfSense' core packages, also known as the binary packages.

So, if a ssh (or un bound, or curl, or whatever) FreeBSD package needs a security update, you will know it.
To install these : you'll need console (or way better : SSH) access, and use

13) Update from console

or, the old fashioned way

pkg upgrade

I'm pretty sure CE receives as much 'security' updates as Plus .... but as people don't see them ... so it doesn't exists ?!?

+DS_DV+

@Gertjan thank you for the tutorial <3
arent automatic updates the default O.O

on OPNsense there are drop downs for that in the gui.
my configuration looks sth like that:

do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?

I use an RSS reader and have the update announcement feed for that in my "updates feed".
I would assume pfsense would also have several RSS Feeds for changelogs and announcements (:

slu

@DS_DV
oh auto update of my main router, not thanks, that would be a nightmare.

Gertjan

@slu

Yeah, metoo.

@DS_DV

Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.
Maybe ok for the light bulb.

Auto interface reset ?
Like the pfSense 'watchdog', that's a like applying a sledgehammer to solve a headache. Talk to your medicine, he will convince you to use other solutions.

JonathanLee

Get plus it’s amazing,
Comes with cloud backup, boot environments, tac support for firmware. Runs smooth

Patch

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?

That's for notification of updates.

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

Blog posts that CE is much slower when it comes to updates and patches.
Essentially you need pfsense plus if you need fast security updates

Security updates are done via a "System_Patches" package which is easily loaded in pfsense. It has been my experience that these are typically released promptly for both CE and plus. I suspect Netgate don't want a reputation for a "current" product with significant security vulnerabilities.

In contrast the demonstrated trajectory for ongoing general maintenance and feature releases is far less reassuring for CE.

Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.

+DS_DV+

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.

i am the exact opposite (:
everything that has internet connectivity needs to get update/upgraded asap for me.

And i cant and want to have to run to all my systems just to keep checking every day if there is an update. I dont have the time for that its my homelab.

And even if it was work my boss would kill me for that timewaste XD

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

Auto interface reset ?

My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying

@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:

cloud backup, boot environments, tac support

i dont use clouds (except my own self hosted computer) and i dont need TAC as far as i am aware (:
While OpenVPN importer and Boot environments are nice i dont know if i can spare 10bucks a month for those features ^^ (we will see)

In general i dont mind a bit of initial work. But the upkeep resources have to be as minimal as possible (automated) (:

@Patch said in Is CE really slower with (security) updates compared to plus ?:

Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.

as a person looking to switch from OPNsense i agree that are exactly my feelings

Gertjan

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

i am the exact opposite (:

And you can, your opinion is yours. You should :) it

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

even if it was work my boss would kill

He will come after you when the companies router goes down for a maintenance update during that most important video conference call.

Simple example : You're the pilot, the plane ditched, lots of losses, and you say to the FAA : its wasn't me, the plane was on auto (pilot) mode.
You will get ...... well, no more flying for you.
The thing is : if there is a guy, and a machine, who will have the final discussion, the final responsibility ? The admin, or the 'device' ?
You are still in doubt, ok, go visit a local court house for a while.
Machines are always acquitted. people get send to jail.

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying

Aahhhh, so you, and don't forget the boss, do not like it when machine take the initiative.
An upstream 'ISP' link that gets renewed or re negotiated, and you can notice it, I get it, that's not ok. I wouldn't even try to 'patch' this bad ISP behavior.
Just for my own curiosity : what ISP is this ? Is this some modem coax setup ?

+DS_DV+

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

He will come after you when the companies router goes down for a maintenance update during that most important video conference call.

my solution is to do it day lie at midnight.

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

what ISP is this ? Is this some modem coax setup ?

its Telekom a shitty german provider or to be more precise a reseller.
but afaik its done with any DSL provider i know of and apparently most fiber optic providers as well (:

with coax/docis i only hear about trouble and non working connections / connection losses all over the day no matter if its private or business.
i myself only had it for roughly 1 year to bridge a dsl gap but i denied any payment because the quality was so bad xD

slu

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

its Telekom a shitty german provider or to be more precise a reseller.

German Telekom only stop/reconnect the PPPoE session after 180 days, it's a problem of the reseller...