Let's all Pause for a moment and Consider the state of pfsense

Let's start by asking ourselves a simple question. pfSense, who are you? Do you love pfSense? I think I have resolved both of these questions, and the answer is yes.

I’ve used Netgate hardware in production in real life for many purposes. It’s good. TAC, even TAC lite, is a great value add. Plus is worth it for many circumstances.

But I don’t always need or want support. I reserve the right to hack the missing features I may need or want back into the CE codebase. I’ve used, in a pinch, dozens of pfSense firewalls in production. I don’t always have money professionally to do things the “right way”. pfSense is as close as it gets, and I’m not confident OPNsense can be that stepping stone for me in all circumstances. The other options Tom Lawrence mentioned are just not good options for many use cases. Things like WRT were born out of a pet project of hacking consumer routers. Things like VyOS are great but more complicated than pf.

That’s what this thread is about from my perspective. I’m a professional first and a home user second.

Everything is going cloud first. I’m not on that train. As a community and as individuals we need to stem the tide. There is an erosion of good low-cost on-prem options. This cannot occur. We must hold steadfast against the corporate trend of no one owning anything. If anything, I think now is time to hedge our bets.

Enterprise products exist because people have more money than time. Open source products exist because people have more time than money. Each have their purpose, and pfSense lives in both camps. My only purpose is to ensure that it always does. Sacrifice is sometimes necessary. Freedom may be more valuable than convenience, other times it may be the other way around.

I also live in both camps. I sometimes have more money than sense, and other times have more sense than money. My only purpose is to ensure that it always remains viable in both. I think I can help, if my help is needed. Let’s hold fast for now, and watch. Join me if you care.

Agree or disagree, I’d love to hear the thoughts of others here at L1. I have a unique respect for this community. If you all think I should sit down and shut up, I will respect that.

I’d be interested in knowing if you all here would be interested in sponsoring, promoting, or somehow supporting a community fork of pfSense. I’m not sure now is the time for a fork, but I am actually spending significant brain cycles trying to fix my problem with Netgate, if one exists. This is not a call to action, but rather, I am seeking individuals of like mind.

I am a hacker. I use that term as a millennial who has probably bastardized Stallman’s meaning of the word. But that’s who I am. Netgate has the right to make money. We have the right to enforce change if Netgate doesn’t kick stuff back to the community. Free software, free society: Richard Stallman at TEDxGeneva 2014 (YouTube)

Is it happening? : PFSENSE (reddit.com)

pfSense Licensing changes - Networking & Firewalls - Lawrence Systems Forums

Petition · A Community pfSense Fork · Change.org

Let’s all Pause for a moment and Consider the state of pfsense | ServeTheHome Forums


Or you could just use FreeBSD, feel free to contribute to ports if you feel anything is missing and/or can be improved.

I understand your position here, I do. Please consider mine. That’s like putting the cart before the horse. I don’t have enough time in my life to reconcile those differences.

I’m confused here, what are you trying to accomplish if you’re not willing to review code? There is also OPNsense, unless you’ve missed it, still based on FreeBSD though… :wink:

I moved to VyOS two years back… Problem fixed, and watching the drama from the couch and eating popcorn…


Fair enough.
Cognitive dissonance is a powerful thing in individuals. I may have it here. But it exists in communities, and companies, too. I am merely raising that awareness here.

Honestly, I don’t even think I need pfSense Plus. But I have a TAC Lite subscription that comes with my Netgate product. I bought the SG-3100 from Netgate because a) I didn’t want to go through the trouble of trying to use old x86 hardware and configure it to work as a router/firewall, b) I wanted an ARM device, and c) I also felt better about using the software because I gave value to Netgate in exchange for value. IMO, we need to rethink how we talk about cost and Open Source Software. FOSS is free as in freedom, not free beer.

So your point that Open Source software exists because people have more time than money is nonsense. Open Source software is free because consumers are conditioned to expect it to be free. A major side-effect is that many FOSS projects are underfunded and understaffed, which leads to less development being able to deliver a more polished experience, which leads to people feeling like they have to spend more time using it. And so the feedback loop continues.

As for me, I am going to continue using pfSense Plus with my TAC Lite subscription. And when I upgrade my LAN to a 2.5G network, I will buy another Netgate appliance.


Disagree. Communications bottleneck. We probably agree.

Do me a whimsy and prove that statement wrong, directly.

Noticed shit buffered above. Bear with me, I’ll be back later.

Here’s our core difference of opinion. Let’s go through it line by line.

Open Source software is free because consumers are conditioned to expect it to be free.

This is a really poor way of describing what you are trying to say. Please refactor.

A major side-effect
A major “side-effect” implies a negative connotation. I’m not sure you mean to be talking about something in a negative here.

many FOSS projects are underfunded and understaffed
We completely, and fundamentally agree to this point.

which leads to
We haven’t started anything yet? Where are we going?

less development
potentially, perhaps probably, almost certainly.

being able to deliver
To steal from Franklin Covey, this is both urgent and important.

more polished experience
Not exclusively.

which leads to people feeling
Peoples and feelings can be irrational. But not always.

spend more time
Time is valuable, time is money. opportunity costs exist. people act. praxeology.

And so the feedback loop continues.
I don’t see a loop. I see a timeline of events. I understand that I stand on the shoulders of giants. I know that I’m probably not worthy, but here we are.

Not trying to speak for @wendell but I do intend to steal his phrase. There are literally dozens of us. I also think Wendell has borrowed “happy accidents” and “Bob Ross” at least once. I think my reaction here is a happy accident.


One more pull on this narrative thread tonight.
I’ve only fuzzy matched the problem and half proposed a solution. There are a lot of gaps here.

I watched the coverage from

From only watching the first 15 min of the stream, it seems similar to the same issue Red Hat is experiencing. Netgate and Red Hat want the code to be open, but also want larger companies to contribute financially to pfSense development (i.e. preventing companies from shipping routers with pfSense pre-installed). It makes sense, but it feels like the enshittification of open source software.

I’d much rather Netgate make the metaphorical pie bigger rather than squeeze the existing community consumer base. I’d be fine if they put future features behind their license.

Alternatively, if there are a lot of companies packaging up pfSense for consumer routers, maybe this is an opportunity to make a consumer router and push the industry to adopt an open standard (similar to how QMK + VIA has grown in the mechanical keyboard scene). Moreover, they could work with those other companies to offer enterprise licenses, where if those manufacturers pay a fee, they can get additional developer/customer support.

Aside from that, to generate additional revenue, maybe they can work with existing router manufacturers to build official pfSense-compatible routers.

I think the $300 license per year for the homelab edition is a little much for hobbyists (even if it’s $25 a month). The $129 ($10 a month) seemed more fair for the previous version.

Some interesting comments from the stream


Nope. This was intentional.

It is indeed a negative thing that because people expect open source software to be free, it is underfunded and therefore understaffed.

Agreed, but I typed this using my iPad, where I am slow and impatient and it requires more words.

In my experience, feelings usually are irrational.

I reckon I just figured others could fill in the gaps here. People feeling like they have to spend more time to use it is a contributing factor to why people aren’t willing to pay for open source software. There are other reasons, first and foremost: the inherent expectation that open source software will be free.

P.S.
I am merely advocating that we stop getting mad at companies for increasing the cost of $0 FOSS software. People got up in arms over Red Hat’s changes, but fundamentally, I understand why. Too many organizations were basically benefiting from the work done by Red Hat and RHEL without providing value in exchange for value received. I use RHEL on my homelab. I am not happy that RHEL source is not as freely available as before, but the GPL only says that the source should be provided alongside a copy of the distributed software.

Fine. Whatever.

Your logic here does not always hold true. I respect the strong correlation here, but let’s call a spade a spade. Open source software should be not only free as in beer but also free as in ideas. Stallman was right.

Perhaps, but perhaps not. Please see “Ender’s Game” and its extended universe as a counter example. Focus on the lessons of empathy.

I very much appreciate the help.

See iXsystems as an example that I think does this correctly, to see what I believe. Netgate is just in the spotlight here.

I think you and I are aligned on this. Netgate, generally, Has The Right Idea from an engineering and contribution perspective.

IMHO what set all this off is folks doing marketing more successfully than they have, on their backs. They’re probably facing the same economic hardships many of us are and trying to make business decisions* (*poorly, but I’ll come back to that).

What I mean by that is folks packaging up and selling products with the same software loadout arguably more successfully than they are. In the past they tried to give enthusiasts/“homelabbers” a path to contribute monetarily, somewhat successfully, but almost every decision here has sabotaged the vast majority of community/good will that they had built up.

Bottom line is that few are a more positive influence on the overall *BSD codebase than Netgate, and it costs money to employ smart people. Is there a way for Netgate to do that which is not what has happened? Absolutely; not only do I think it is possible, I think it would have been pretty easy to do in their case.

This is possibly not great for BSD… BSD needs a strong Netgate making a lot of contributions. Like or don’t like OPNsense, but the track record isn’t yet there. Plus I’m sure the devs involved with Netgate are watching everything unfold here… and making plans around any uncertainty of their circumstances, if any.

Even in uncertain economic times, or an ebb in corporate support, I think that better leadership at Netgate could have made a nothing burger out of this.

“… fork it” and similar arguments are a great lie. Sure, a project can be forked, but it seems to me it is more important to maintain a motivated and well-supplied braintrust to build. Everyone’s got an opinion; it’s easy to imagine that getting bogged down in trying to consider everything would cloud the vision for the product, too, which is another aspect of what I think has happened. Not necessarily a personal failing of Netgate leadership but more of a, well, trying to listen to what customers want… but also move forward the state of the art.

Netgate has the engineering talent and leadership. But not the community leadership. Everyone will see the CE > Plus/homelab thing as a rug pull. I really don’t see any other option for them other than to say “mea culpa, sorry, we really aren’t very good at this and will try to do better in the future.” It is what I’d do in their position, and is their best option imho…

Before getting bogged down in licensing discussions, I see this as more of a “stolen valor” type dispute than anything. Their instinct that they’re being slighted is not wrong… but the energy was channeled into an implosion instead of into productive ends. NG has rarely been able to muster and channel community enthusiasm into productive improvements to the product, that I know of.

And the other side of the coin is that… I don’t see team OPNsense stepping up to be code stewards and put the work into contributing upstream and improving the state of the art there. Community enthusiasm may turn elsewhere; probably not VyOS, even though it’s good, just because of the way the project is structured (imho), but I’m not sure what this’ll look like yet.

Future Router OS Blueprint

I actually think the “router OS” market is ripe for disruption. Forget everything you know about routers. What matters is:

Manage your internet connection – devices, flows, rate limits/rules.
Manage devices behind your connection with special handling for media devices, access points, etc.
Manage SNMP
PiHole/DNS/security filtering (< opportunity for subscription model)
IDS/IPS type thing possible.

T-Pot (GitHub: telekom-security/tpotce, the all-in-one honeypot platform) for LAN monitoring (hey, your LG TV was surreptitiously scanning open network shares. Yes, this is a thing that actually happened!)

Deploy endpoint: rather than point-to-point VPN, just give it some API creds to Linode and blam, WireGuard or Tailscale endpoint.

Point-n-click self-hosted service manager. Endpoints can be forwards from Linode or Tailscale; CGNAT isn’t a problem in this scenario. Much of this can be simplified for the user, but still exposed for power users.

Device collection management: your phone, desktop(s), laptop(s), server(s) can all always talk to each other a la Tailscale, or automated Tailscale/Headscale. This would greatly simplify redundant/multiple internet connections. The Linode thing also makes it more trivial to do multipath TCP to Linode, then traditional TCP from there out. So you could have something more awesome than failover or route-based multi-WAN…

Like I say… ripe for disruption.

Everything is going cloud first. I’m not on that train. As a community and as individuals we need to stem the tide. There is an erosion of good low-cost on-prem options. This cannot occur. We must hold steadfast against the corporate trend of no one owning anything. If anything, I think now is time to hedge our bets.

We are > < this close to things like Tailscale breaking the stranglehold on cloud convenience. It’s absolutely going to start with “rethink the border gateway appliance” and ISPs will absolutely lose their minds to stop it. Google sees it too; they’re going to try to head it off by offering “privacy services” to tunnel your traffic through their datacenters.

In practical terms this actually reduces their data peering costs AND prevents ISPs from jacking with Netflix traffic, since now where traffic is going is indistinguishable from search traffic. They can only see Traffic Bound For Datacenter X, not Google/Netflix/YouTube/etc. traffic that can be QoS’d to buffering oblivion. It’s an interesting play by Alphabet. While media companies are busy with this, we’ll sneak in our own private media servers on our own private WireGuard nets and be pretty happy for it.

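The “your TV was scanning network shares” scenario in the blueprint above is the kind of thing the existing firewall already has the data to catch. The following is an added example, not code from the thread or from any of the products it discusses: it reads pfSense-style filterlog lines, groups connection attempts to the SMB ports by source host, and flags any LAN host that touched more than a threshold of distinct neighbours on those ports inside a short time window. The log lines are constructed for the demonstration, and the field layout (protocol name, length, source, destination, ports) is an assumption that approximates the filterlog CSV format; the code locates the first address-looking field after the protocol name so it does not depend on the exact IPv4 versus IPv6 field counts.

```python
"""Flag LAN hosts that sweep SMB ports across many neighbours.

Parses pfSense-style filterlog lines (comma-separated fields after the
"filterlog[pid]:" prefix), extracts source, destination and destination
port, and reports any source that reached at least `threshold` distinct
destinations on an SMB port within `window` seconds.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import ipaddress
import re

SMB_PORTS = {445, 139}

Event = namedtuple("Event", "ts proto src dst sport dport")

# Syslog prefix followed by the filterlog CSV payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"filterlog\[\d+\]: (?P<csv>.*)$"
)

# Constructed sample lines (not real captures). Layout is an assumption that
# approximates filterlog: ...,proto-id,proto,len,src,dst,sport,dport,...
# 192.168.1.77 (the "TV") probes nine neighbours on 445 within five seconds;
# 192.168.1.20 talks to a single NAS; one IPv6 line checks the parser path.
SAMPLE_LOG = "\n".join(
    [f"Nov 10 21:03:0{i} fw filterlog[12345]: 5,,,1000000103,igb1,match,"
     f"block,in,4,0x0,,64,{i},0,DF,6,tcp,60,192.168.1.77,192.168.1.{i + 1},"
     f"4915{i},445,0,S,1,,," for i in range(1, 10)]
    + ["Nov 10 21:04:30 fw filterlog[12345]: 5,,,1000000103,igb1,match,"
       "pass,in,4,0x0,,64,77,0,DF,6,tcp,60,192.168.1.20,192.168.1.10,"
       "50000,445,0,S,1,,,",
       "Nov 10 21:04:31 fw filterlog[12345]: 5,,,1000000103,igb1,match,"
       "pass,in,6,0x00,0x00000,64,tcp,6,60,fe80::abcd,fe80::1,51000,445,"
       "0,S,1,,,",
       "Nov 10 21:04:32 fw filterlog[12345]: 5,,,1000000103,igb1,match,"
       "pass,in,4,0x0,,64,78,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,"
       "50001,443,0,S,1,,,",
       "Nov 10 21:04:33 fw sshd[999]: Accepted publickey for admin"]
)


def parse_line(line):
    """Return an Event for a filterlog tcp/udp line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    f = m.group("csv").split(",")
    try:
        p = next(i for i, x in enumerate(f) if x in ("tcp", "udp"))
    except StopIteration:
        return None
    # The first field after the protocol name that parses as an IP address
    # is the source; destination and the two ports follow it.
    for i in range(p + 1, len(f) - 3):
        try:
            src = ipaddress.ip_address(f[i])
            dst = ipaddress.ip_address(f[i + 1])
            return Event(ts, f[p], src, dst, int(f[i + 2]), int(f[i + 3]))
        except ValueError:
            continue
    return None


def detect_smb_scanners(lines, threshold=8, window=60, ports=SMB_PORTS):
    """Map source -> max distinct SMB destinations seen in any window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.dport in ports:
            by_src[ev.src].append(ev)
    hits = {}
    span = timedelta(seconds=window)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi, ev in enumerate(evs):
            while ev.ts - evs[lo].ts > span:   # slide the window forward
                lo += 1
            distinct = len({e.dst for e in evs[lo:hi + 1]})
            if distinct >= threshold:
                hits[str(src)] = max(hits.get(str(src), 0), distinct)
    return hits


def smb_scan_report():
    """Run the detector over the constructed sample log."""
    return detect_smb_scanners(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, n in smb_scan_report().items():
        print(f"{src} probed {n} distinct hosts on SMB ports")
```

The threshold and window are the knobs to tune against your own LAN: a backup server legitimately talks to many SMB hosts, so exclude known servers or raise the threshold rather than alerting on every hit. Feeding real filterlog output means tailing the firewall’s syslog, which is exactly the data a “LAN monitoring” feature in a router OS would already have.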

I genuinely used to own this domain:
starshit.net

It served a very different purpose at that time.
Now I am a professional and I realize that not still owning that domain name was an opportunity cost lost. I recognize I am stupid as shit sometimes. You don’t get better puns than me. The guy who owned the domain starshit.net and didn’t recognize its inherent value. Sigh. A cautionary tale.

I’m glad we agree on this and I need to digest the rest. Wendell is ultimate respect.

This deserves a video if none exists. lol You don’t even need to talk about what’s in between those two points yet :wink:


This was my primary motivator in becoming a part of this community. Even back to darker days, I was one of the first to buy a TekSyndicate mouse. I bought a 43" monitor from the other side of the planet because you told me to. The core value above moved me to throwing you a bone back then and buying your merch. I’ve done it since. Wish I could do it more.

I may have a higher degree of trust in Wendell from L1Techs, even if that is just Wendell’s idealized self for TV. You teach in a mechanism that resonates perfectly with my learning pattern. Not trying to make this weird, just making it clear I’m a real person and a real fan.

Everything should be edge routed to /24s everywhere. dynamic routing matters. redundancy and resiliency both matter. Overlay networks are interesting. They are often going to occur in interesting edge case scenarios because they are hard to do right. I solemnly swear that I think I understand the implications of these statements in the OSI model.

Yes. I have some ideas here. I see what you are saying now. Pied Piper, Hot dog, Not Hot Dog! and here we are.

I think we just resolved that we should work together to build a better firewall?