Is CE really slower with (security) updates compared to plus ?
-
@Patch said in Is CE really slower with (security) updates compared to plus ?:
In contrast Netgate now just develop the propriety (Plus) version. Then when they feel like it they later release / back port the features they want to release to the CE version. This approach removes all benefit of the CE version to Negate, leaving it only as competition and a burden to support. It's only value to Netgate I can see is it lets them claim pfsense is open source and limits concentrated user backlash. Time will see how long it lasts.
this is what confused me since i use proxmox / opnsense.
but afaik they have to somewhat publish their code foss since its a requirement for using freebsd.
and of course one can conspire that due to their "bad history" pfsense is not willing to push too much too fast upstream since "OPNsense is just pfsense CE with nicer GUI" (big big quotes).
but i fear they might end up in an apple situation where they barely apply to the foos rules by pushing "just enough" FOSS updates.
On the other hand iirc they are a big commit and donation giver for FreeBSD.
So i guess maybe the FreeBSD License does not require complete FOSS builds?irdk :/
maybe i just start with CE and look how it plays out.
-
@DS_DV my understanding is they do push upstream well making many valuable contributions to FreeBSD.
What is far less clear is release / continued development of pfsense CE (as opposed to the proprietary pfsense Plus)
-
@Patch i would love to hear a license expert for foss software on that ^^
but i get the point that they have to make money somehow and as long as they push upstream i think i am ok with that -
Is CE really slower with (security) updates compared to plus ?
Are you ready for a reality fact check up ?
And believe me, this one is scripted : you'll get an answer without having to go to look for yourself.Start here : read :
Auto update check, checks for updates to base system + packages and sends email alerts
Then do as told : Install the pfSense cron package.
Create the script.
Set up a cron task : have it executed like one a day or every 12 hours.
Make sure you have the pfSense Notification system activated.and now : wait ....
In nearby future you will receive a notification from your pfSense : an update is avaible !!
This can be :
pfSense itself.
One or more pfSense GUI packages - one of these : System > Package Manager > Installed Packages
And ... wait for it .... one or more FreeBSD 'pfSense' core packages, also known as the binary packages.So, if a ssh (or un bound, or curl, or whatever) FreeBSD package needs a security update, you will know it.
To install these : you'll need console (or way better : SSH) access, and use13) Update from console
or, the old fashioned way
pkg upgrade
I'm pretty sure CE receives as much 'security' updates as Plus .... but as people don't see them ... so it doesn't exists ?!?
-
@Gertjan thank you for the tutorial <3
arent automatic updates the default O.Oon OPNsense there are drop downs for that in the gui.
my configuration looks sth like that:
do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?I use an RSS reader and have the update announcement feed for that in my "updates feed".
I would assume pfsense would also have several RSS Feeds for changelogs and announcements (: -
@DS_DV
oh auto update of my main router, not thanks, that would be a nightmare. -
Yeah, metoo.
Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.
Maybe ok for the light bulb.Auto interface reset ?
Like the pfSense 'watchdog', that's a like applying a sledgehammer to solve a headache. Talk to your medicine, he will convince you to use other solutions. -
Get plus it’s amazing,
Comes with cloud backup, boot environments, tac support for firmware. Runs smooth -
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?That's for notification of updates.
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
Blog posts that CE is much slower when it comes to updates and patches.
Essentially you need pfsense plus if you need fast security updatesSecurity updates are done via a "System_Patches" package which is easily loaded in pfsense. It has been my experience that these are typically released promptly for both CE and plus. I suspect Netgate don't want a reputation for a "current" product with significant security vulnerabilities.
In contrast the demonstrated trajectory for ongoing general maintenance and feature releases is far less reassuring for CE.
Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.
-
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.i am the exact opposite (:
everything that has internet connectivity needs to get update/upgraded asap for me.And i cant and want to have to run to all my systems just to keep checking every day if there is an update. I dont have the time for that its my homelab.
And even if it was work my boss would kill me for that timewaste XD
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
Auto interface reset ?
My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying
@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:
cloud backup, boot environments, tac support
i dont use clouds (except my own self hosted computer) and i dont need TAC as far as i am aware (:
While OpenVPN importer and Boot environments are nice i dont know if i can spare 10bucks a month for those features ^^ (we will see)In general i dont mind a bit of initial work. But the upkeep resources have to be as minimal as possible (automated) (:
@Patch said in Is CE really slower with (security) updates compared to plus ?:
Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.
as a person looking to switch from OPNsense i agree that are exactly my feelings
-
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
i am the exact opposite (:
And you can, your opinion is yours. You should :) it
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
even if it was work my boss would kill
He will come after you when the companies router goes down for a maintenance update during that most important video conference call.
Simple example : You're the pilot, the plane ditched, lots of losses, and you say to the FAA : its wasn't me, the plane was on auto (pilot) mode.
You will get ...... well, no more flying for you.
The thing is : if there is a guy, and a machine, who will have the final discussion, the final responsibility ? The admin, or the 'device' ?
You are still in doubt, ok, go visit a local court house for a while.
Machines are always acquitted. people get send to jail.@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying
Aahhhh, so you, and don't forget the boss, do not like it when machine take the initiative.
An upstream 'ISP' link that gets renewed or re negotiated, and you can notice it, I get it, that's not ok. I wouldn't even try to 'patch' this bad ISP behavior.
Just for my own curiosity : what ISP is this ? Is this some modem coax setup ? -
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
He will come after you when the companies router goes down for a maintenance update during that most important video conference call.
my solution is to do it day lie at midnight.
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
what ISP is this ? Is this some modem coax setup ?
its Telekom a shitty german provider or to be more precise a reseller.
but afaik its done with any DSL provider i know of and apparently most fiber optic providers as well (:with coax/docis i only hear about trouble and non working connections / connection losses all over the day no matter if its private or business.
i myself only had it for roughly 1 year to bridge a dsl gap but i denied any payment because the quality was so bad xD -
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
its Telekom a shitty german provider or to be more precise a reseller.
German Telekom only stop/reconnect the PPPoE session after 180 days, it's a problem of the reseller...
-
For me a firewall appliance is better with less updates. When CE updates were more frequent years ago, I used to skip some of them as I found it too frequent, security updates do get pushed to the system patches package though.
I agree the way Netgate do it is odd where they put untested code in plus and then CE gets it later, which is the opposite to what others do, microsoft insider, proxmox etc. But I dont think CE is going anywhere as it would kill the brand, assuming you configure the firewall correctly which is basically local access only by a single user, plus maybe some whitelisted IP addresses for that user then most security issues are not actually an issue.
If I was a paid customer on plus, I would want free users to test the code for at least a few months first and very infrequent updates, no more than once or twice a year.
-
@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:
security updates do get pushed to the system patches package though.
Not necessarily. Some updates require new kernel code and that can only happen with an update to pfSense itself (such as a full version or sub-version upgrade). There are things that might be patched via the System Patches package, but not everything. You must pay attention to security notices to see which ones require a full pfSense upgrade in order to be protected.
-
@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:
If I was a paid customer on plus, I would want free users to test the code for at least a few months first
This will become increasingly not possible as the feature sets in Plus and CE diverge. If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.
-
@bmeeks Oh I never said that, I am talking about code that is shared between the two.
-
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
That is exactly what Proxmox and OPNsense do.
-
@Patch said in Is CE really slower with (security) updates compared to plus ?:
That is exactly what Proxmox and OPNsense do.
Not sure I am understanding the connection to the current topic in your statement.
Neither Proxmox nor OPNsense are pfSense. In my mind, that's like saying McDonald's puts a toy in their Happy Meal; therefore every vendor should put a toy in whatever they are selling .
Each vendor has their own reasons for doing what they do. Netgate has decided how they want to develop and market pfSense CE and pfSense Plus. They have apparently chosen to add some features to just Plus only in what I assume is an attempt to make purchasing the Plus license more desirable (or buying a Netgate appliance that automatically comes with a Plus license).
Obviously they will benefit financially more from a Plus license purchase than they would from someone downloading and using a free copy of CE with the exact same features as Plus. If CE and Plus were exactly the same, then only an idiot would buy Plus . Therefore I expect Plus and CE to continue to diverge in fairly significant ways. Already one has Boot Environments while the other does not. I assume the new Multi-Instance Management will be a Plus-only feature. There are also certain crypto driver acceleration enhancements in Plus that do not exist in CE. I expect these differences to continue to expand over time.
-
I subscribe to Proxmox because it's the right thing to do. But also because it's an easy value proposition for me. I use it continually, the cost is reasonable.