Is pfsense slowly but steadily dying?



  • Well, I don't mean to be offensive, but I just started wondering about that.

    From the outside it could seem coordinated development is slowly stalling - I mean the 2.1 release has been a long time coming, and it seems much further away now than it did 6 months ago.

    Next up is this forum. It also seems to be slowly stalling with only newbies like myself asking questions about basic stuff and a few dedicated supporters doing what they can to help. Shouldn't a forum like this be swarming with experts and devs?

    Please don't take this the wrong way. I'm just trying to get a sense of where pfsense is today.


  • Banned

    I think you're right. The thing that is worrying me is that the core elements like IDS/IPS are not working and cause a lot of issues. Furthermore, it seems like people are mending things all the time instead of doing it right the first time.

    Maybe it's the lack of info from the core team that makes it frustrating, but things are always one or two generations of FreeBSD behind when released. Also the time it takes for fixes to get into the binaries is frustrating. Here I am thinking of Snort. Wasting a lot of time at admin level to get it working and when someone like Bmeeks steps up to the plate and does it, it can take a week before the package is updated. Not good enough nowadays imho!

    I know it's free and I appreciate it, but no matter how free it is, it should work with the offered packages every time and not as it is now.



  • Well, I don't think it's dying at all! 2.1-BETA1 works fine for me in production, and as I find annoying things I can fix most of them (because it's interpreted PHP/Java…) and submit a pull request. It's in a build within a day or 2. Those doing the commits are good at reviewing the stuff and making sure it fixes things and doesn't break stuff.
    For those with big and critical sites I can see that it would be a hassle not having more regular official releases. Stuff happens - 2.0.3 is waiting on a FreeBSD thing to happen that for whatever reason seems stuck. 2.1 will be claiming some wide support of IPv6 - so that means it can't be released until all the pieces of the puzzle are known to be working together. That can be annoying for sites that run only formal releases in production. There are good things in 2.1 that already work fine, but those sites can't allow themselves to use it.
    I guess for the future, it would be good to:

    1. Have regular (3-monthly?) x.x.n point releases of bugfixes - that contain whatever has been fixed, rather than waiting too long for other fixes that are "coming" on the never-never.
    2. Make the main releases 2.2 2.3 etc have less major change planned - e.g. 2.2 could be aimed at just changing up to FreeBSD (9 or 10), and whatever little changes happened to be also done would be released with it, but don't try to do too much in 1 release.

    On the forum issue, after a few years, if the product works, then the forum already contains the answers to 99% of questions. So people don't need to post - they read silently. Maybe the forum slowing down to a steady pace indicates the product works ;)

    Packages are going to be an issue for the core team - I know that the other guys in my organisation (who don't understand the way this sort of freeware is developed) just think that if the package is listed in "Available Packages" that they can click on it, it will install, and they can select any options they like from the GUI without breaking anything. They think that the package developer will have cross-validated all input combinations... When they play and it goes wrong they say "pfSense is nonsense". That requires some thought from the core team - maybe having a set of "approved/validated" packages that are known-good that a user can select from. And putting more testing in place for those packages. Of course it also needs voluntary resources from skilled people who are using the packages.

    Enough said - everyone, you can take this software free, so please contribute back with whatever skills you have - coding, documentation, forum help... (and I guess the core team needs some cash to run servers and test gear and buy food :)



  • @keyser:

    Well, I don't mean to be offensive, but I just started wondering about that.

    From the outside it could seem coordinated development is slowly stalling - I mean the 2.1 release has been a long time coming, and it seems much further away now than it did 6 months ago.

    The people at FreeBSD.org were criticized for it taking so long for FreeBSD 9.1 to hit RELEASE status, that it had lagged behind the projected release date schedule. People became impatient when it wasn't released on the date posted. In the end it was seen better to iron out the bugs before releasing it. If there are still bugs in the current release of pfSense I'm sure they are being addressed in the most expedient way possible. I haven't encountered any problems on my installation to speak of.

    The official notification of the availability of pfSense 2.0.2-RELEASE wasn't made until 12-21-12, which was only 3 months ago. FreeBSD usually only releases an upgrade on a yearly basis, unlike Linux distros who are seen by some to roll out a new release just because it seems about time to do so. FreeBSD 9.0 had a release date of January 2012, it was December 2012 before 9.1 was officially released.

    Next up is this forum. It also seems to be slowly stalling with only newbies like myself asking questions about basic stuff and a few dedicated supporters doing what they can to help. Shouldn't a forum like this be swarming with experts and devs?

    So you're concerned people aren't devoting enough of their free time here answering questions?



  • Okay, well that indicates that perhaps the project is more alive than I thought - which is excellent because I really like pfsense.

    But I also agree that maybe there should be some more frequent and less massive releases.
    Are we talking a year or two before 2.1 goes stable release?

    Regarding this forum it was only an observation. I'm certainly in no position to expect anything from the developers and hardcore users.



  • I follow the project looking on github:
    https://github.com/pfsense/

    And I can see that there is development of pfsense and packages 7 days a week. There are changes on Saturday and Sunday. I don't think that is common on other projects, is it?

    And if I remember correctly it was intended to implement FreeBSD 9.0 on pfsense 2.0.x but FreeBSD had some problems and it didn't make sense to use it for pfsense. So they went to FreeBSD 8.3 and took the big step to implement IPv6. And it makes no sense to release a product which contains just half of IPv6 just to get out a new release faster. Some functions need more time than others.



  • We're one of the most active open source projects in the world, and the #1 most active open source firewall distro. With a company behind it that's added 3 more full time staff in the last 6 months and continues to grow every year. Far from dying, things in 2013 are moving faster than they ever have.

    2.1 is days away from RC1, and if we released it today it would have fewer open bugs on it than any release we've ever put out in our 8.5 year history. We've had the equivalent of more than one full time person on open source development alone this entire year.

    By every measure, we're growing, doing more than we ever have before, and continue to do so. Any impression otherwise just isn't backed up by reality in any way, shape or form.



  • @keyser:

    Shouldn't a forum like this be swarming with experts and devs?

    It is.

    The bulk of what happens on the project today is done by people on our payroll. I pay people dozens of hours every month to help people here for free. The rest of the time they have to do things people actually pay us to do or we would have died long ago, rather than thriving. As with any open source project, there are more people who need hand holding than we could ever possibly accommodate. Experts are always in high demand on every forum, and newbs who won't even read the FAQ are always in significantly higher supply. This forum is no different than any other similar one, in fact there are a lot of great expert volunteers here who make it better than many in that regard.

    Want guaranteed response, all the assistance you want, and a direct line to the experts? See the support link in my sig. Otherwise, you get what people have time for, which on every Internet forum in the world is hit and miss.



  • Hi cmb
    Thanks for the pep-talk :-) You have convinced me that nothing is dying. Not that I had that feeling. But after reading this question I did stop and wonder and had to read the posts in here.

    BR. Anders



  • @cmb

    That is very good news from the source itself.

    I can only express my deepest admiration for the product you have created so far. Kudos

    -Keyser



  • What is needed is dedicated dev and test environments. Any changes required first need to be done in dev environment to ensure it works. Not just for the core pfSense build but also for packages that are introduced into pfSense OR being patched/updated. Once the development is done move it to the test environment for at least a few days to undergo rigorous testing before it's stamped as good for production.

    Today packages are being updated on the fly and pushed to public without undergoing proper testing. Just doing offline testing or testing on the developer's machine does not guarantee it will work for everyone.

    In my opinion, everyone is doing a great job but pfSense has reached such a global scale now that it is in need of Quality Control for both the core and packages.



  • You should always keep in mind that the package system is an addon. It is not a main part of development.
    Of course there are packages which are maintained by the pfsense core team but not all.

    It could be a possibility to separate the packages which are maintained by the core team and others which are maintained by forum users and/or external developers.


  • Netgate Administrator

    @cmb:

    This forum is no different than any other similar one

    I have to disagree with that, in a positive way.
    This is by far the best on-line community I have ever been involved with. Almost everybody here seems to be relatively polite and appreciative. Most other forums seem to degenerate into useless arguing at the drop of a hat. The last complaint thread I read the poster even politely labelled it 'rant'.  ;)

    Steve



  • @stephenw10:

    This is by far the best on-line community I have ever been involved with.

    Agreed.  Many times I will bring non-pfsense issues to the 'general discussion' forum here even before posting to the appropriate forum.  The knowledge, willingness to help and etiquette here are fantastic.


  • Rebel Alliance Developer Netgate

    cmb already answered most of this, but there are a few things I thought I'd chime in on:

    @keyser:

    From the outside it could seem coordinated development is slowly stalling - I mean the 2.1 release has been a long time coming, and it seems much further away now than it did 6 months ago.

    How did you reach that conclusion? There are many commits every day on the repository, and activity in the ticket system - all can be seen at http://redmine.pfsense.org/activity/

    We have also released 2.0.2 about three months ago, and 2.0.3 will be out as soon as we can sort out the pending OpenSSL issue. 2.1 is taking a while because IPv6 is no small task, and adding it (and the many other features in 2.1) introduced or exposed other things that need fixed.

    We have more contributed pieces of code now than ever as well, since the move to github made it much easier for people to contribute.

    @Supermule:

    I think you're right. The thing that is worrying me is that the core elements like IDS/IPS are not working and cause a lot of issues. Furthermore, it seems like people are mending things all the time instead of doing it right the first time.

    Snort is a package, not "core element" – it may be core to you, but it's not core to the project in the sense that it is part of the base system. With a package like snort we can never win. If we keep it up-to-date, people complain that the rules are broken for non-subscribers or that changes introduced something they didn't expect or changed behavior. If we keep it stable, people complain that it isn't up to date. Snort is working right now, but the official rules for non-VRT-subscribers don't work because those rules run on a 30-day delay. That is completely irrelevant to our package, really. It works fine with the Emerging Threats rules.

    @Supermule:

    Maybe it's the lack of info from the core team that makes it frustrating, but things are always one or two generations of FreeBSD behind when released.

    We have to be a generation or two behind FreeBSD because we desire stability, and our code/patches take time to adapt, test, and stabilize. If we updated whenever FreeBSD released, we'd never have releases since we'd always be working on patches. We tried targeting FreeBSD 9.x for pfSense 2.1 but it just was not viable at the time, and now it's too far along in the release cycle. We might be targeting FreeBSD 10.x for pfSense 2.2 if it's viable.

    @Supermule:

    Also the time it takes for fixes to get into the binaries is frustrating. Here I am thinking of Snort. Wasting a lot of time at admin level to get it working and when someone like Bmeeks steps up to the plate and does it, it can take a week before the package is updated. Not good enough nowadays imho!

    Again, snort is a package and has -zero- to do with the base system code or updates. We have submissions for changes to snort from several sources, but the quality of the code isn't always up-to-par. Time does not always allow for us to make regular changes to the packages unless there is an outside force, such as rule formats being obsolete, and that is usually better anyhow because it keeps the package stable. If a community member contributes changes, and the code is good, we happily accept the contribution.

    @keyser:

    Okay, well that indicates that perhaps the project is more alive than I thought - which is excellent because I really like pfsense.

    But I also agree that maybe there should be some more frequent and less massive releases.
    Are we talking a year or two before 2.1 goes stable release?

    Did you miss 2.0.1? 2.0.2? and the pending 2.0.3? We have been putting out fairly regular releases, at least one per year the last few years, and 2.0.3 is only going to be a few months after 2.0.2, and 2.1 will be shortly after since, as cmb mentioned, it will be RC1 very shortly.

    @asterix:

    What is needed is dedicated dev and test environments. Any changes required first need to be done in dev environment to ensure it works. Not just for the core pfSense build but also for packages that are introduced into pfSense OR being patched/updated. Once the development is done move it to the test environment for at least a few days to undergo rigorous testing before it's stamped as good for production.

    Today packages are being updated on the fly and pushed to public without undergoing proper testing. Just doing offline testing or testing on the developer's machine does not guarantee it will work for everyone.

    In my opinion, everyone is doing a great job but pfSense has reached such a global scale now that it is in need of Quality Control for both the core and packages.

    That may be a nice thing to have in the long run, but that would take years to develop a testing platform capable of doing unit testing on the system to handle even a majority of common functions. There is no way we can feasibly reproduce every possible configuration combination and test interactions on that scale. We test what we can, and in some cases, it doesn't matter if we ran it in a lab environment for days, we'd be unlikely to find issues that users would spot in seconds just because there are millions of different ways to configure the system and we can't feasibly test them all. I'd love to see some automated testing, and that is definitely on our radar, but it's not a cure-all and will never find every potential issue.

    As for the forum, as my post count shows, there are some of us who are on here practically every day helping where we can. If I don't respond to a thread it's usually because (1) others are already handling it, (2) it's a common question answered in the FAQ/docs or something I feel could be handled by others, (3) It's a complex topic that I could answer, but do not have the time to devote to a forum post about, or (4) a general lack of time. For #3/#4, the best choice is to reach out to commercial support, but I don't post that in such threads because I don't want to be too spammy (my signature is enough for that… :-)

    And the community we have here is great, no doubt about that!


  • Netgate Administrator

    Aren't you supposed to be on holiday Jim?  ;)

    Steve


  • Rebel Alliance Developer Netgate

    I was, Mon/Tue. Back now :-)



  • @jimp:

    We might be targeting FreeBSD 10.x for pfSense 2.2 if it's viable.

    Based on anecdotal evidence from the FreeBSD mailing-lists and forums, it seems that 10.x works pretty well as a router / firewall, e.g.

    http://lists.freebsd.org/pipermail/freebsd-net/2013-March/034984.html

    carp regression in 9.1 ?
    Eugene M. Zheganin emz at norma.perm.ru
    Mon Mar 18 11:10:31 UTC 2013

    On 18.03.2013 14:23, Damien Fleuriot wrote:

    I'm afraid I can't afford 10.x, this is for production, although I acknowledge the problems you're faced with.

    Regarding 8.x, this is a guest VM running on proxmox 2.3 which doesn't support stock 8.x (need the virtio kernel option, I'll get a thread reference when I hit work).

    This is of course up to you to decide, but I feel like I should
    encourage you - 10.x isn't that scary as it seems to be. I also run it
    on a production (though my production may be not as harsh as yours), -
    this is a main router for a LAN consisting of 500+ machines, it also
    runs a squid proxy with 200+ active users (AD integrated, winbind,
    kerberos and stuff) and a HFSC traffic shaper. Plus, a bunch of routing
    protocols - ospf, ospfv3 and a load of network services like
    SMTP/HTTP/DHCP. Plus, it's a zfs installation.

    At least, after upgrade from 9.1-STABLE to a random -CURRENT I didn't
    notice any degradation, only improvements. I had all of your fears right
    before the upgrade, none of it became real.


  • Rebel Alliance Developer Netgate

    That sounds promising, but then we thought 9.0 was as well but there were issues with some of our patches, and some other things that were introduced. The diversions in pf on 10.x and newcarp and such may make it more difficult to adapt our code to run there, but it will happen in due time. There is a massive amount of work that goes into adjusting everything for a new version. People seem to have a misconception that it's just a matter of changing the compile target and poking at it a bit. If only it were really that easy…


  • Banned

    But shouldn't you change YOUR code to match the 10.x release and not the other way round? Otherwise we will see things difficult to mend and update??


  • Rebel Alliance Developer Netgate

    @Supermule:

    But shouldn't you change YOUR code to match the 10.x release and not the other way round? Otherwise we will see things difficult to mend and update??

    That's exactly what I said. We have to change our code (patches, mostly) to work with 10.x. Some things in 10.x will require massive adjustments in our code to let them function.

    But that's really a topic for another thread.


  • Banned

    Sorry mate! I read it the wrong way :D

    Enjoy your easter!



  • I love PfSense and I'm telling everyone that I know about it. I'm using it in a lot of applications that prior to the project I would have used a Cisco Router. I will be making a donation today! Thanks PfSense for all the hard work that you do.

