Is CE really slower with (security) updates compared to plus ?

Gertjan

@DS_DV

Is CE really slower with (security) updates compared to plus ?

Are you ready for a reality fact check up ?
And believe me, this one is scripted : you'll get an answer without having to go to look for yourself.

Start here : read :

Auto update check, checks for updates to base system + packages and sends email alerts

Then do as told : Install the pfSense cron package.
Create the script.
Set up a cron task : have it executed like one a day or every 12 hours.
Make sure you have the pfSense Notification system activated.

and now : wait ....

In nearby future you will receive a notification from your pfSense : an update is avaible !!
This can be :
pfSense itself.
One or more pfSense GUI packages - one of these : System > Package Manager > Installed Packages
And ... wait for it .... one or more FreeBSD 'pfSense' core packages, also known as the binary packages.

So, if a ssh (or un bound, or curl, or whatever) FreeBSD package needs a security update, you will know it.
To install these : you'll need console (or way better : SSH) access, and use

13) Update from console

or, the old fashioned way

pkg upgrade

I'm pretty sure CE receives as much 'security' updates as Plus .... but as people don't see them ... so it doesn't exists ?!?

+DS_DV+

@Gertjan thank you for the tutorial <3
arent automatic updates the default O.O

on OPNsense there are drop downs for that in the gui.
my configuration looks sth like that:

do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?

I use an RSS reader and have the update announcement feed for that in my "updates feed".
I would assume pfsense would also have several RSS Feeds for changelogs and announcements (:

slu

@DS_DV
oh auto update of my main router, not thanks, that would be a nightmare.

Gertjan

@slu

Yeah, metoo.

@DS_DV

Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.
Maybe ok for the light bulb.

Auto interface reset ?
Like the pfSense 'watchdog', that's a like applying a sledgehammer to solve a headache. Talk to your medicine, he will convince you to use other solutions.

JonathanLee

Get plus it’s amazing,
Comes with cloud backup, boot environments, tac support for firmware. Runs smooth

Patch

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

do you really have to play custom PHP scripts into the OS to get auto updates?
Or is it just for notifications?

That's for notification of updates.

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

Blog posts that CE is much slower when it comes to updates and patches.
Essentially you need pfsense plus if you need fast security updates

Security updates are done via a "System_Patches" package which is easily loaded in pfsense. It has been my experience that these are typically released promptly for both CE and plus. I suspect Netgate don't want a reputation for a "current" product with significant security vulnerabilities.

In contrast the demonstrated trajectory for ongoing general maintenance and feature releases is far less reassuring for CE.

Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.

+DS_DV+

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.

i am the exact opposite (:
everything that has internet connectivity needs to get update/upgraded asap for me.

And i cant and want to have to run to all my systems just to keep checking every day if there is an update. I dont have the time for that its my homelab.

And even if it was work my boss would kill me for that timewaste XD

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

Auto interface reset ?

My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying

@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:

cloud backup, boot environments, tac support

i dont use clouds (except my own self hosted computer) and i dont need TAC as far as i am aware (:
While OpenVPN importer and Boot environments are nice i dont know if i can spare 10bucks a month for those features ^^ (we will see)

In general i dont mind a bit of initial work. But the upkeep resources have to be as minimal as possible (automated) (:

@Patch said in Is CE really slower with (security) updates compared to plus ?:

Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.

as a person looking to switch from OPNsense i agree that are exactly my feelings

Gertjan

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

i am the exact opposite (:

And you can, your opinion is yours. You should :) it

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

even if it was work my boss would kill

He will come after you when the companies router goes down for a maintenance update during that most important video conference call.

Simple example : You're the pilot, the plane ditched, lots of losses, and you say to the FAA : its wasn't me, the plane was on auto (pilot) mode.
You will get ...... well, no more flying for you.
The thing is : if there is a guy, and a machine, who will have the final discussion, the final responsibility ? The admin, or the 'device' ?
You are still in doubt, ok, go visit a local court house for a while.
Machines are always acquitted. people get send to jail.

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying

Aahhhh, so you, and don't forget the boss, do not like it when machine take the initiative.
An upstream 'ISP' link that gets renewed or re negotiated, and you can notice it, I get it, that's not ok. I wouldn't even try to 'patch' this bad ISP behavior.
Just for my own curiosity : what ISP is this ? Is this some modem coax setup ?

+DS_DV+

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

He will come after you when the companies router goes down for a maintenance update during that most important video conference call.

my solution is to do it day lie at midnight.

@Gertjan said in Is CE really slower with (security) updates compared to plus ?:

what ISP is this ? Is this some modem coax setup ?

its Telekom a shitty german provider or to be more precise a reseller.
but afaik its done with any DSL provider i know of and apparently most fiber optic providers as well (:

with coax/docis i only hear about trouble and non working connections / connection losses all over the day no matter if its private or business.
i myself only had it for roughly 1 year to bridge a dsl gap but i denied any payment because the quality was so bad xD

slu

@DS_DV said in Is CE really slower with (security) updates compared to plus ?:

its Telekom a shitty german provider or to be more precise a reseller.

German Telekom only stop/reconnect the PPPoE session after 180 days, it's a problem of the reseller...