Community Edition will diverge from pfSense+ with the 2.6 release. They have also made no commitments there will be any releases after that - "it's up to the community".
They will, however, gatekeep what features the community is allowed to add. Community Edition is more or less a dead man walking at this point, they just refuse to come right out and say that.
Someone asked if they'd allow one of the REST API projects to be put into upstream and they gave some ridiculous answer about how they'd review any commit but alluded to the fact they won't actually accept it. Because what would they do if the maintainer left? Their suggestion was to fork it. Which, ironically, is exactly what OPNsense did and then Jim Thompson acted like a misbehaving 6-year-old and created a website trying to bash them and didn't even have the spine to own up to it until there was a court order.
I'm not sure why ANYONE would waste any effort on adding anything to pfSense at this point when they won't actually commit to accepting features upstream that compete with pfSense+.
In my case, I don't readily find hostility toward a group that has busted tail to provide me tremendous value while I have contributed very little in return. My interactions over the years have been - perhaps not exclusively positive but overwhelmingly so.
History says one day pfSense will no longer fill my needs. Okay. I'll raise an imaginary glass and move on with gratitude.
Well, instead of pfSense no longer fulfilling your needs, then maybe it's time to beam up to the mothership. FreeBSD can do everything pfSense does without a web interface.
pfSense provided a real ease of use, at least back in the day. Given that the whole config synced over to a backup/HA failover system and updates to one could easily be confirmed synced to the other, there was a real ease of use in using pfSense (at least I thought so about a decade ago when I was using it). Spend enough time configuring HA firewalls and you start wishing you had something to take care of alerting about config differences and syncing changes automatically, and that's one of the things pfSense offered that was good.
This wasn't a case of us not knowing how to configure stuff in the OS, we moved from configuring OpenBSD firewalls with pf+pfsync, ipsec+sasync and carp to pfSense because it just made it easier to deploy and configure, given we had about ten or more of these we maintained for customers.
Even recently at a new job we were talking about upgrading or replacing some HA FreeBSD firewall pairs, and I was suggesting pfSense because it's simple to use, and just BSD underneath. Given what I've learned in this thread about the state of the project and company behind them now, I don't think I would recommend it anymore, but I still think a similar project with similar features has something to offer over vanilla BSD.
I moved over to OPNsense yesterday. Just built my config in a VM. Exported. Installed the firewall and imported and set up the interfaces.
It should do all of that and seems to have a few nice features to boot. As well as a much steadier release cycle. And a security audit feature built in to tell you if the updates available will patch vulns. Which I found neat.
Nice, and thanks for the heads up on your experience. I was actually just looking into comparisons of them today, because I wanted to know what the major differences were, if any. I came across this[1], which, while not extremely recent, is within the last year.
Everything looks pretty good for OPNsense IMO based on that. The only thing that gave me pause was the note about (unsubstantiated) reports of VLAN problems in OPNsense that have supposedly been broken for a while. We make heavy use of VLANs, so that would be problematic, but it could be fixed by now or never have been the longstanding problem reported for all I know. I haven't gotten to that point because I'm not planning on anything in the immediate term that requires it.
Except it's not. The source that is provided doesn't actually build pfSense as shipped. Plus there are binaries that no source is provided for that "you don't need to worry about".
https://opnsense.org/opnsense-com/