Is CE really slower with (security) updates compared to plus ?

+DS_DV+

@Patch i would love to hear a license expert for foss software on that ^^
but i get the point that they have to make money somehow and as long as they push upstream i think i am ok with that

Gertjan

@DS_DV

Is CE really slower with (security) updates compared to plus ?

Are you ready for a reality fact check up ?
And believe me, this one is scripted : you'll get an answer without having to go to look for yourself.

Start here : read :

Auto update check, checks for updates to base system + packages and sends email alerts

Then do as told : Install the pfSense cron package.
Create the script.
Set up a cron task : have it executed like one a day or every 12 hours.
Make sure you have the pfSense Notification system activated.

and now : wait ....

In nearby future you will receive a notification from your pfSense : an update is avaible !!
This can be :
pfSense itself.
One or more pfSense GUI packages - one of these : System > Package Manager > Installed Packages
And ... wait for it .... one or more FreeBSD 'pfSense' core packages, also known as the binary packages.

So, if a ssh (or un bound, or curl, or whatever) FreeBSD package needs a security update, you will know it.
To install these : you'll need console (or way better : SSH) access, and use

13) Update from console

or, the old fashioned way

pkg upgrade

I'm pretty sure CE receives as much 'security' updates as Plus .... but as people don't see them ... so it doesn't exists ?!?

+DS_DV+

@Gertjan thank you for the tutorial <3
arent automatic updates the default O.O

on OPNsense there are drop downs for that in the gui.
my configuration looks sth like that:

do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?

I use an RSS reader and have the update announcement feed for that in my "updates feed".
I would assume pfsense would also have several RSS Feeds for changelogs and announcements (:

slu

@DS_DV
oh auto update of my main router, not thanks, that would be a nightmare.

Gertjan

@slu

Yeah, metoo.

@DS_DV

Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.
Maybe ok for the light bulb.

Auto interface reset ?
Like the pfSense 'watchdog', that's a like applying a sledgehammer to solve a headache. Talk to your medicine, he will convince you to use other solutions.

JonathanLee

Get plus it’s amazing,
Comes with cloud backup, boot environments, tac support for firmware. Runs smooth

Patch

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?

That's for notification of updates.

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

Blog posts that CE is much slower when it comes to updates and patches.
Essentially you need pfsense plus if you need fast security updates

Security updates are done via a "System_Patches" package which is easily loaded in pfsense. It has been my experience that these are typically released promptly for both CE and plus. I suspect Netgate don't want a reputation for a "current" product with significant security vulnerabilities.

In contrast the demonstrated trajectory for ongoing general maintenance and feature releases is far less reassuring for CE.

Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.

+DS_DV+

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.

i am the exact opposite (:
everything that has internet connectivity needs to get update/upgraded asap for me.

And i cant and want to have to run to all my systems just to keep checking every day if there is an update. I dont have the time for that its my homelab.

And even if it was work my boss would kill me for that timewaste XD

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

Auto interface reset ?

My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying

@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:

cloud backup, boot environments, tac support

i dont use clouds (except my own self hosted computer) and i dont need TAC as far as i am aware (:
While OpenVPN importer and Boot environments are nice i dont know if i can spare 10bucks a month for those features ^^ (we will see)

In general i dont mind a bit of initial work. But the upkeep resources have to be as minimal as possible (automated) (:

@Patch said in Is CE really slower with (security) updates compared to plus ?:

Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.

as a person looking to switch from OPNsense i agree that are exactly my feelings

Gertjan

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

i am the exact opposite (:

And you can, your opinion is yours. You should :) it

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

even if it was work my boss would kill

He will come after you when the companies router goes down for a maintenance update during that most important video conference call.

Simple example : You're the pilot, the plane ditched, lots of losses, and you say to the FAA : its wasn't me, the plane was on auto (pilot) mode.
You will get ...... well, no more flying for you.
The thing is : if there is a guy, and a machine, who will have the final discussion, the final responsibility ? The admin, or the 'device' ?
You are still in doubt, ok, go visit a local court house for a while.
Machines are always acquitted. people get send to jail.

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying

Aahhhh, so you, and don't forget the boss, do not like it when machine take the initiative.
An upstream 'ISP' link that gets renewed or re negotiated, and you can notice it, I get it, that's not ok. I wouldn't even try to 'patch' this bad ISP behavior.
Just for my own curiosity : what ISP is this ? Is this some modem coax setup ?

+DS_DV+

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

He will come after you when the companies router goes down for a maintenance update during that most important video conference call.

my solution is to do it day lie at midnight.

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

what ISP is this ? Is this some modem coax setup ?

its Telekom a shitty german provider or to be more precise a reseller.
but afaik its done with any DSL provider i know of and apparently most fiber optic providers as well (:

with coax/docis i only hear about trouble and non working connections / connection losses all over the day no matter if its private or business.
i myself only had it for roughly 1 year to bridge a dsl gap but i denied any payment because the quality was so bad xD

slu

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

its Telekom a shitty german provider or to be more precise a reseller.

German Telekom only stop/reconnect the PPPoE session after 180 days, it's a problem of the reseller...

chrcoluk

For me a firewall appliance is better with less updates. When CE updates were more frequent years ago, I used to skip some of them as I found it too frequent, security updates do get pushed to the system patches package though.

I agree the way Netgate do it is odd where they put untested code in plus and then CE gets it later, which is the opposite to what others do, microsoft insider, proxmox etc. But I dont think CE is going anywhere as it would kill the brand, assuming you configure the firewall correctly which is basically local access only by a single user, plus maybe some whitelisted IP addresses for that user then most security issues are not actually an issue.

If I was a paid customer on plus, I would want free users to test the code for at least a few months first and very infrequent updates, no more than once or twice a year.

bmeeks

@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:

security updates do get pushed to the system patches package though.

Not necessarily. Some updates require new kernel code and that can only happen with an update to pfSense itself (such as a full version or sub-version upgrade). There are things that might be patched via the System Patches package, but not everything. You must pay attention to security notices to see which ones require a full pfSense upgrade in order to be protected.

bmeeks

@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:

If I was a paid customer on plus, I would want free users to test the code for at least a few months first

This will become increasingly not possible as the feature sets in Plus and CE diverge. If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?

The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.

chrcoluk

@bmeeks Oh I never said that, I am talking about code that is shared between the two.

Patch

@bmeeks said in Is CE really slower with (security) updates compared to plus ?:

If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?

That is exactly what Proxmox and OPNsense do.

bmeeks

@Patch said in Is CE really slower with (security) updates compared to plus ?:

That is exactly what Proxmox and OPNsense do.

Not sure I am understanding the connection to the current topic in your statement.

Neither Proxmox nor OPNsense are pfSense. In my mind, that's like saying McDonald's puts a toy in their Happy Meal; therefore every vendor should put a toy in whatever they are selling .

Each vendor has their own reasons for doing what they do. Netgate has decided how they want to develop and market pfSense CE and pfSense Plus. They have apparently chosen to add some features to just Plus only in what I assume is an attempt to make purchasing the Plus license more desirable (or buying a Netgate appliance that automatically comes with a Plus license).

Obviously they will benefit financially more from a Plus license purchase than they would from someone downloading and using a free copy of CE with the exact same features as Plus. If CE and Plus were exactly the same, then only an idiot would buy Plus . Therefore I expect Plus and CE to continue to diverge in fairly significant ways. Already one has Boot Environments while the other does not. I assume the new Multi-Instance Management will be a Plus-only feature. There are also certain crypto driver acceleration enhancements in Plus that do not exist in CE. I expect these differences to continue to expand over time.

stephenw10

I subscribe to Proxmox because it's the right thing to do. But also because it's an easy value proposition for me. I use it continually, the cost is reasonable.

skogs

You guys are having a real hard time staying on topic.
Security updates are not 'behind'. Done.

Feature/Release updates ... that is an entirely different discussion. One that is even more useless when you start talking about what proxmox, microsoft, red hat, or anybody else is doing.

Plus - promising some centralized management of multiple devices, maybe some 2 factor someday, ... actual guy to call/ticket to get assistance...

CE - normy home lab without enterprise multi-device management, probably no extra special auth options, no support tickets.
There is a page for this.

It really isn't that hard...but it is wildly off topic. I only add this additional off topic post because we as a community are wildly making things up in here.

Patch

@skogs said in Is CE really slower with (security) updates compared to plus ?:

Security updates are not 'behind'. Done.

Some security updates are not behind

@bmeeks said in Is CE really slower with (security) updates compared to plus ?:

Not necessarily. Some updates require new kernel code and that can only happen with an update to pfSense itself (such as a full version or sub-version upgrade).

Others not so up to date.

@bmeeks said in Is CE really slower with (security) updates compared to plus ?:

If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?

Because home lab CE can be used as a test bed for the enterprise version. That is a viable option

@Patch said in Is CE really slower with (security) updates compared to plus ?:

That is exactly what Proxmox and OPNsense do.

@bmeeks said in Is CE really slower with (security) updates compared to plus ?:

The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.

Which is why pfsense CE is EOL. Using the model Negate have chosen, open source pfsense is not maintainable and will die as that is what Negate actions indicate.