Is CE really slower with (security) updates compared to plus ?
-
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
Auto 'OS' upgrade ?
Imho, that's a no-go for my phone, firewall and car.i am the exact opposite (:
everything that has internet connectivity needs to get update/upgraded asap for me.And i cant and want to have to run to all my systems just to keep checking every day if there is an update. I dont have the time for that its my homelab.
And even if it was work my boss would kill me for that timewaste XD
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
Auto interface reset ?
My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying
@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:
cloud backup, boot environments, tac support
i dont use clouds (except my own self hosted computer) and i dont need TAC as far as i am aware (:
While OpenVPN importer and Boot environments are nice i dont know if i can spare 10bucks a month for those features ^^ (we will see)In general i dont mind a bit of initial work. But the upkeep resources have to be as minimal as possible (automated) (:
@Patch said in Is CE really slower with (security) updates compared to plus ?:
Imo for a new project, if you are happy with pfsense plus then this is a good closed source product with a future so a reasonable choice. In contrast looking at the once open source pfsense CE for a new project, is a far more dubious choice as it's future is far less clear.
as a person looking to switch from OPNsense i agree that are exactly my feelings
-
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
i am the exact opposite (:
And you can, your opinion is yours. You should :) it
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
even if it was work my boss would kill
He will come after you when the companies router goes down for a maintenance update during that most important video conference call.
Simple example : You're the pilot, the plane ditched, lots of losses, and you say to the FAA : its wasn't me, the plane was on auto (pilot) mode.
You will get ...... well, no more flying for you.
The thing is : if there is a guy, and a machine, who will have the final discussion, the final responsibility ? The admin, or the 'device' ?
You are still in doubt, ok, go visit a local court house for a while.
Machines are always acquitted. people get send to jail.@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
My ISP does require this otherwise it will reconnect at a random time during the day which i find rather annoying
Aahhhh, so you, and don't forget the boss, do not like it when machine take the initiative.
An upstream 'ISP' link that gets renewed or re negotiated, and you can notice it, I get it, that's not ok. I wouldn't even try to 'patch' this bad ISP behavior.
Just for my own curiosity : what ISP is this ? Is this some modem coax setup ? -
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
He will come after you when the companies router goes down for a maintenance update during that most important video conference call.
my solution is to do it day lie at midnight.
@Gertjan said in Is CE really slower with (security) updates compared to plus ?:
what ISP is this ? Is this some modem coax setup ?
its Telekom a shitty german provider or to be more precise a reseller.
but afaik its done with any DSL provider i know of and apparently most fiber optic providers as well (:with coax/docis i only hear about trouble and non working connections / connection losses all over the day no matter if its private or business.
i myself only had it for roughly 1 year to bridge a dsl gap but i denied any payment because the quality was so bad xD -
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
its Telekom a shitty german provider or to be more precise a reseller.
German Telekom only stop/reconnect the PPPoE session after 180 days, it's a problem of the reseller...
-
For me a firewall appliance is better with less updates. When CE updates were more frequent years ago, I used to skip some of them as I found it too frequent, security updates do get pushed to the system patches package though.
I agree the way Netgate do it is odd where they put untested code in plus and then CE gets it later, which is the opposite to what others do, microsoft insider, proxmox etc. But I dont think CE is going anywhere as it would kill the brand, assuming you configure the firewall correctly which is basically local access only by a single user, plus maybe some whitelisted IP addresses for that user then most security issues are not actually an issue.
If I was a paid customer on plus, I would want free users to test the code for at least a few months first and very infrequent updates, no more than once or twice a year.
-
@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:
security updates do get pushed to the system patches package though.
Not necessarily. Some updates require new kernel code and that can only happen with an update to pfSense itself (such as a full version or sub-version upgrade). There are things that might be patched via the System Patches package, but not everything. You must pay attention to security notices to see which ones require a full pfSense upgrade in order to be protected.
-
@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:
If I was a paid customer on plus, I would want free users to test the code for at least a few months first
This will become increasingly not possible as the feature sets in Plus and CE diverge. If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.
-
@bmeeks Oh I never said that, I am talking about code that is shared between the two.
-
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
That is exactly what Proxmox and OPNsense do.
-
@Patch said in Is CE really slower with (security) updates compared to plus ?:
That is exactly what Proxmox and OPNsense do.
Not sure I am understanding the connection to the current topic in your statement.
Neither Proxmox nor OPNsense are pfSense. In my mind, that's like saying McDonald's puts a toy in their Happy Meal; therefore every vendor should put a toy in whatever they are selling .
Each vendor has their own reasons for doing what they do. Netgate has decided how they want to develop and market pfSense CE and pfSense Plus. They have apparently chosen to add some features to just Plus only in what I assume is an attempt to make purchasing the Plus license more desirable (or buying a Netgate appliance that automatically comes with a Plus license).
Obviously they will benefit financially more from a Plus license purchase than they would from someone downloading and using a free copy of CE with the exact same features as Plus. If CE and Plus were exactly the same, then only an idiot would buy Plus . Therefore I expect Plus and CE to continue to diverge in fairly significant ways. Already one has Boot Environments while the other does not. I assume the new Multi-Instance Management will be a Plus-only feature. There are also certain crypto driver acceleration enhancements in Plus that do not exist in CE. I expect these differences to continue to expand over time.
-
I subscribe to Proxmox because it's the right thing to do. But also because it's an easy value proposition for me. I use it continually, the cost is reasonable.
-
You guys are having a real hard time staying on topic.
Security updates are not 'behind'. Done.Feature/Release updates ... that is an entirely different discussion. One that is even more useless when you start talking about what proxmox, microsoft, red hat, or anybody else is doing.
Plus - promising some centralized management of multiple devices, maybe some 2 factor someday, ... actual guy to call/ticket to get assistance...
CE - normy home lab without enterprise multi-device management, probably no extra special auth options, no support tickets.
There is a page for this.It really isn't that hard...but it is wildly off topic. I only add this additional off topic post because we as a community are wildly making things up in here.
-
@skogs said in Is CE really slower with (security) updates compared to plus ?:
Security updates are not 'behind'. Done.
Some security updates are not behind
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
Not necessarily. Some updates require new kernel code and that can only happen with an update to pfSense itself (such as a full version or sub-version upgrade).
Others not so up to date.
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
Because home lab CE can be used as a test bed for the enterprise version. That is a viable option
@Patch said in Is CE really slower with (security) updates compared to plus ?:
That is exactly what Proxmox and OPNsense do.
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.
Which is why pfsense CE is EOL. Using the model Negate have chosen, open source pfsense is not maintainable and will die as that is what Negate actions indicate.
-
so light off topic answer regarding the usual (Proxmox) vs the Pfsense Model.
the original question regarding the updates was asked due to me considering switching from opnsense to pfsense which i decided to do now.
Mainly because the faster security updates to pfsense compared to opnsense and the code pushed upstream by netgate.and while the ui and ux of pfsense is one of the worst i have had yet to use and especially compared to opnsense is just hard to grasp i have a conspiracy theory why they to a "revers model".
from a newbies perspective opnsense is pfsense with most of its premium features for free and a far far better ui and therefore a uncomparable ux.
this is mostly possible due to pfsense pushing so much of its development upstream. and when it lands there opnsense can "just use it".
so if pfsense would use the normal (proxmox) model they would loose a hughe part of the appeal.
since opnsense would be for many users the same features but with a far better experience.
and while i think the facet that pfsense is faster with security fixes and i also think it is really really nice that pfsense ui is also covered by their security patches it not the deciding factor for most.
tl;dr: pfsense does it reverse to 'combat' opnsense (:
PS: i dont get why Stuff is where it is in the pfsnese UI XD
i dont need fancy looks on a firewall gui but it has to be intuitive and legibile.
the reason why i still not finished my migration is that i always need to search for everything in pfsense where es in other products i can "just find it".-> so suggestion @netgate maybe offer an alternate menue layout with a more mainstream/traditional sorting?
-
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
Hello lovely Community,
Backgroundstory:
i am in the process of upgrading my old Zotac ZBOX CI323 to a Protectli V1410 with coreboot.
Even tho my ZBOX started with IPFire i migrated to OPNsense due to a few Features i needed.
And even tho i find OPNsense GUI far more intuitive and easy to use i also don't have my firewall behind a router anymore and directly connect it to my ISP via PPPoE.
Tom from Lawrence Systems made a point that pfsense is much faster when it comes to CVE fixes and patches.
Which now brought me to the point where i want to switch to pfsense with the new Hardware (:
But i often read on various (seo/llm) Blog posts that CE is much slower when it comes to updates and patches.
Essentially you need pfsense plus if you need fast security updates and zfs (which i use on all of my systems).tl;dr: is the CE really that much slower than the plus subscription?
with kind regards
+DS_DV+It's almost been one year since that latest pfSense CE 2.7.2 was released on Dec 6, 2023... It would be nice to see the next CE release for the free/open source software users of pfSense.
-
More than just general questions about pfSense this thread is starting to look like spam for the other product.
The people that I work for will not apply a "patch" to any device in our system until things are fully vetted. Its that kind of policy that has kept the 30k + employees from showing up to work only to be presented by that blue screen thing that happened recently..
Auto updates to a router are a bad idea in my book. The kind of thing I would fire people for if they instituted it into our equipment on their own accord. And I would be fired for allowing it. Of coarse you are free to your opinion on that matter and free to do what you want.. as long as you don't work under my employ..
I chose to use + here at my home shop because I want to help fund the work being done. The cost per year is trivial.. Most people in my state spend more than that a month on their lattes.. The $10 cost (paid annually) month is worth it to me. (that's the cost of a single 20oz latte at the bikini drive up down in town BTW.. )
I tried early on to help out on their forums over there but one of the primary's chose to publish the email address of another user for questioning the way they were at the time stealing code. The guys question wasn't even accusatory in as much as he was questioning some things that had been brought up. Gave me instant heartburn for their project. I called the primary out on it and never went back. -full disclosure.
Off my soapbox now to do some really exciting boring stuff.
As always.. YMMV
-
If it not broke don’t fix it. Right ? Maybe it doesn’t need a update unless it is an emergency and with that said the patches area has more of the fixes for that
-
@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:
If it not broke don’t fix it. Right ? Maybe it doesn’t need a update unless it is an emergency and with that said the patches area has more of the fixes for that
pfSense Plus has had two releases this past year, 24.11 and 24.03, meanwhile the pfSense CE users have been left in the dust since December 6, 2023 with the last 2.7.2-RELEASE.
It does look like CE 2.8.0 is 89% "complete" towards it's release per it's roadmap, so maybe we will see it come out before the end of the year.
-
@joshgreyz said in Is CE really slower with (security) updates compared to plus ?:
It does look like CE 2.8.0 is 89% "complete" towards it's release per it's roadmap, so maybe we will see it come out before the end of the year.
That’s optimistic imo redmine 2.8 & 25.1 search which can be contrasted with not 25.1 then target version 25.1 only
The pessimistic outlook is even more pronounced if you look at historical availability of snapshots.
-
@joshgreyz
Again we're off topic. Security updates. Period.The other releases are mostly unrelated to what CE wants and needs. Only thing I can really think of is moving to new dhcp service...and that isn't exactly a severe security related thing just moving a very slight piece of the stack.
A large quantity of built in bsd vulns (of which there are few) don't exist here because they're compiled out - remember this is primarily a firewall/router that is designed to live in a hostile environment.
We're like 33 posts in and whining about release quantity. Specific patches are available when necessary, and they're available very quickly. Period.
@Patch yeah...development work is happening in areas that corp customers have been stating that are stoppers for a decade. Again...CE is not behind on security. You're measuring commits that include UI typos and saying that something that is completely unrelated to that is dead.
Moderators can we please lock this thread as it is literally just wandering in the desert complaining.