Questions about the future of pfsense 2.7 CE
-
I have looked and looked, and it is not clear as to what the future is for pfsense 2.7 CE or greater. Are there plans to continue to maintain or update the community edition, or is the community on their own? It seems that in the last 2 years the CE edition is no longer maintained. At this point I am looking for an explanation and guidance for the future ...
-
@Nitrobeast
It's a fair question, but I think it's safe to say that CE is what I would describe as being in "maintenance mode". Short of system patches, I would not put much thought on when 2.8 will be released. They are working on it based on the redmines but it's not the priority. So could be 2025, could be 2026... Plus has the ~3 month release cycle of updates and fixes.
-
@Nitrobeast This is asked a lot.
The issues with 2.8 are being closed. As an outsider I would guess 2.8 will be released in the not distant future. There are patches out so 2.7.2 is being maintained. My take on it is it should be released when it is ready, not based on a date. MS, Apple and others release on a date and chase problems. It is better to chase problems then release.
-
@michmoor Fair, I was just looking to see if there is any future in the CE edition. I like pfsense a lot; it is in my opinion one of the best around.
-
@Nitrobeast If you are needing a feature or a fix it is frustrating how long it takes. If you are not needing anything it is a good time to let the uptime clock tick so you can show your friends how stable pfSense is and how few security patches it needs.
I do not miss the days of replacing store bought routers every few years because they no longer patch them and there is a serious security issue.
-
@AndyRH I value pfsense. I have been using it since 1.1 and I tell you it is well built. I just want to make sure it is not a dead project. I see the plus version gets so many fixes and updates that I get concerned that this is the stepchild "figure of speech" product no one wants to manage anymore.
-
@Nitrobeast We all see the same thing. It is a valid fear. Being a bit paranoid myself I bought a used 7100 when they announced the split. I have several IT friends running 2.7.2 which is why I pay attention to the CE side.
-
Yup, be sure to run and update the System Patches package and apply the recommended patches. That gets you fixes between releases.
-
@stephenw10 Thank You I did not know about this ...
-
@stephenw10 Are there future plans on making the system updates package an integrated part of the software? Seems there are users who just miss it completely, which I get.
-
We were just discussing that! The patches package has evolved significantly from its original intent. It will change in some way. That might be including it by default but things are still in flux.
-
@michmoor Also not realizing that they must update that package to see any new patches.
Perhaps some sort of check on the patches page for newer? (y/n) and a link to the package manager page. Thinking out loud…
-
With much interest I follow this topic. I also am a ten-year pfsense CE user. I love the pfSense platform and I don't want to switch to OPNSense or something similar. I am content with the features CE offers and I don't need anything more.
On the other hand, I want my network to be safe. I would also like to know what the future will be for CE. I don't really care about extra features, but I do care about security updates.
I wouldn't mind paying a fee for security updates, but it would be nice to know what will happen to CE, so I can make an educated decision.
Thanks!
-
@gwabber Looks like this was answered: you can install the System_Patches package using the package manager. Once installed you will find a new menu option under the system menu called patches. I believe this will help all of us moving forward.
-
@Nitrobeast That's true! But I meant for the longer term, if Netgate will keep supporting CE.
-
@michmoor said in Questions about the future of pfsense 2.7 CE:
ir question but i think its safe to say that CE is what i would describe as being in "maintenance mode". Short of system patches, I would not put much thought on when 2.8 will be released. They are working
The only feature I would like is vxlan but this is not a priority. Which I do not believe is not going to make it in pfsense.
-
@Nitrobeast said in Questions about the future of pfsense 2.7 CE:
It seems that in the last 2 years the CE edition is no longer maintained. At this point I am looking for an explanation and guidance for the future ...
The public access to daily build has been blocked since late 2023
pfsense Community v2.8 has become a vaporware product which currently contains the majority of the pfsense redmine changes for the over 16 months through to July 2025.
If you are happy forever with v2.7.2 then there is no problem. If you want a firewall system with maintained features then looking at alternatives for the future is probably sensible.
-
@Patch said in Questions about the future of pfsense 2.7 CE:
v2.8 has become a product which currently contains the majority of the pfsense redmine changes for the over 16 months through to July 2025
Is there a lot missing from this list of patches currently available in 2.7.2?
Workaround for SSH CVE-2024-6387 (After applying, restart the SSH Daemon or reboot., FreeBSD-SA-24:04.openssh)
Fix Packet Capture not working on Tailscale interfaces (Redmine #15145)
Fix potential local file include via DNS Resolver Python Module Script include mechanism (pfSense-SA-24_01.webgui, Redmine #15135)
Fix potential stored XSS via services_acb_settings.php "frequency" parameter (pfSense-SA-24_02.webgui, Redmine #15224)
Fix potential XSS due to PHP error display formatting issues (After applying, reboot or use console/ssh menu options 11/16 to restart PHP and the GUI, pfSense-SA-24_03.webgui, Redmine #15263, Redmine #15264)
Fix Potential XSS from jquery-treegrid unit testing files (Once applied, this patch may not offer a revert option, pfSense-SA-24_04.webgui, Redmine #15265)
Add State Policy Global Option and per-rule option. (Default remains floating in this patch, must opt into if-bound behavior, Trigger a filter reload after applying to activate, Interface-bound states have issues in PF with reply-to which can only be solved by upgrading to newer version, Redmine #15173, Redmine #15183)
Automatically use floating states for IPsec rules (After applying, reload the filter or reboot., Redmine #15430)
Automatically use floating states on IPsec VTI (After applying, reload the filter or reboot., Redmine #15606)
Fix overly lenient permissions on tmpfs RAM disk for /var (After applying the patch, reboot the device, Redmine #15054)
Fix users with Deny Config Write privilege being able to trigger some VLAN interface operations (Redmine #15282)
Fix users with Deny Config Write privilege being able to trigger some QinQ interface operations (Redmine #15318)
Fix OpenVPN forming invalid route statements for empty local networks (After applying, edit/save affected entries or reboot, Redmine #14919)
Fix DNS Resolver host overrides ignoring all aliases if first entry had a domain set but no hostname (Redmine #14942)
Fix Kea handling of FQDN entries for NTP servers, add input validation to prevent them from being added (Redmine #14991)
Fix Kea DHCP PHP error from WINS server value (Redmine #14996)
Fix removing an IPsec Phase 1 entry either removing the wrong Phase 2 entries or leaving orphaned Phase 2 entries in the configuration (Redmine #15171)
Fix reordering IPsec Phase 2 entries resulting in a malformed configuration (If this patch offers both Apply and Revert actions, do not Revert, Redmine #15384)
Fix a PHP error when generating a notification after detecting a malformed configuration (Redmine #15157)
Fix /etc/rc.local script content being executed at login instead of during boot sequence (Redmine #10980)
Fix status_interfaces.php missing several values for SFP modules (Redmine #15112)
Fix inability to configure dual stack IPsec tunnels to accept connections from any remote address of either address family (Redmine #15147)
Workaround for Terrapin SSH Attack (After applying the patch, reboot or restart the SSH daemon, FreeBSD-SA-23:19.openssh, Terrapin Attack)