Hacker News new | ask | show | jobs
by WarOnPrivacy 1920 days ago
The shade I occasionally see thrown toward pfSense is curious to me. This isn't push-back at the parent comment but me expressing a bit of confusion.

I've used pfSense since 2009 or so. I was skeptical when Netgate entered the picture but since I've had no reason to complain. It's been a continuous and usually smooth timeline of serving me well.

A relevant sidebar is that I've been part of different, stellar volunteer efforts - started by a core team that was trying to improve or fix something worthwhile. It is inevitable that core teams members will eventually run low on time/energy and changes must follow. Those changes can be anything and usually are.
2 comments
anfogoat 1919 days ago
> The shade I occasionally see thrown toward pfSense is curious to me.

Every last bit of it is deserved. They made a promise to keep pfSense open source and they broke it as soon as they could. I see them hiding behind it's the newly announced pfSense Plus that is closed source, not pfSense CE and it's pure weaseling.

I still use pfSense but I feel bad for ever being excited about it and contributing to their popularity.

link
Godel_unicode 1919 days ago
I'm not sure that over 10 years later is "as soon as they could". NetGate has made a huge number of open source releases, and while they have not held exactly to the platonic ideal of open source (literally every bit on the disc comes from an open repo) I think we can all agree that the vast majority of the existing CE code remains open. I also think that they get a lot of shade because some of their developers have been some of the loudest jerks in open source.

In my opinion, at the moment we have Schrodinger's open source: in the box there's a future pfSense CE which is well-maintained but differentiated from their commercial offering of pfSense Plus, and there's a pfSense CE which languishes from a lack of new features and slowly accrues an ever-larger trail of closed-won't-fix bugs.

At this time, which future will develop is anyone's guess; I suspect even NetGate don't really know. Even if they're planning on effectively abandoning CE in place, a backlash in the community could cause that to reverse.

link
anfogoat 1919 days ago
> At this time, which future will develop is anyone's guess; I suspect even NetGate don't really know. Even if they're planning on effectively abandoning CE in place, a backlash in the community could cause that to reverse.

It seems like a certainty that users will shift over to the free version of pfSense Plus for the eventual performance advantages, if not for the REST API alone, and then pfSense CE will slowly wither. We'll see, but I really think you're being overly optimistic entertaining an alternative scenario :)

link
Godel_unicode 1919 days ago
A possibility, sure. Not a very likely one, but don't let me keep you from your doom-and-gloom :)
link
WarOnPrivacy 1919 days ago
However, you are directing your disdain (about pfSense) toward us. To what end? What is it you want to achieve?
link
anfogoat 1919 days ago
> However, you are directing your disdain (about pfSense) toward us.

I don't think I am; who's us in that sentence?

> To what end? What is it you want to achieve?

I'm scratching an itch. If Netgate can screw the community that helped pfSense gain popularity then surely it is perfectly acceptable for a member of that community to express a little disdain.

link
WarOnPrivacy 1919 days ago
> who's us in that sentence?

Everyone in this thread.

> it is perfectly acceptable for a member of that community to express a little disdain.

Okay. I never inferred otherwise. If venting is the total of your goal here are you okay we blow that off or is there something else you're hoping for?

To be clear, I've no animosity toward your posts. My 'hidden' agenda is this: Because hostility takes a toll on the recipients (us), I'm curious if what you're getting in return is worth it.

No judgment. We all do this.

link
arm 1919 days ago
> “Because hostility takes a toll on the recipients (us), I'm curious if what you're getting in return is worth it.

We aren’t the recipients of the hostility; Netgate is. I feel no hostility directed towards me when reading anfogoat’s post. In fact, I thank them for openly expressing their disdain towards Netgate here, as it gives others like me more information to look into and come to our own conclusions on.

link
anfogoat 1919 days ago
> To be clear, I've no animosity toward your posts.

No worries, no animosity assumed.

> If venting is the total of your goal here are you okay we blow that off or is there something else you're hoping for?

I don't like venting. I said I was scratching an itch but venting makes it sound like it had no substance at all and suggests what Netgate did was alright. To be clear, I think the more Netgate gets criticized and called out the better. But I had no hopes beyond that.

> My 'hidden' agenda is this: Because hostility takes a toll on the recipients (us) ...

Putting aside that I'm not completely on board with the hostility characterization either, you're recipients of it only in the sense that you happened to read it. I disagree with you about the degree to which Netgate deserves the criticism of course, but none of the "hostility" was addressed to you or anyone else in this thread.

It shouldn't be taxing. It's pick-me-up to anyone who's read one too many overly positive comments about the pfSense Plus shenanigans.

link
croutonwagon 1919 days ago
So there are a few things worth noting.

Like you, i have used pfSense since the 1.2.3 days...which is about 2008-2009 or so. I even bought the book to support the devs at the time (which to my knowledge have left for greener pastures). In some sites I even replaced failing hardware with a legit appliance. And even with COVID, pfsenese allowed me to quickly spin up OpenVPN appliances as standalone boxes (something i tried on OPNsense but couldnt get stable, largely due to the interface changes and my lack of familiarity with them). All of that is to say that I have been a big supporter of theirs, having submitted small bug fixes pre-netgate days and even buying/financially some of their later endeavors.

But the issues are as much

1. Starting with the 2.4 train, you can no longer really compile from source. Their build.sh relies on some closed source components not in their git repo. Specifically a small program called gnid that creates a unique ID and AT LEAST calls home to netgate to report that. They have been very cagey about what all occurs but it does happen outside of the firewalls application itself (ie: you cant block it with a state rule). Bringing this up in forums brings in ad-hoc attacks and open hostility. Gonzo is on-record saying if you cant compile its because you dont know what you are doing or something of the sort.

2. They are openly hostile to FreeBSD, forks like OPNsense (which at one point they squatted a similar domain and even tried to spread amlicious misinformation). https://opnsense.org/opnsense-com/. Theres more...entire threads of nonsense and reading. its out there if you want...But all that is to say...everyone has mud of their face when its slung around like it has been.

You may say this is childish and so comically so theres no way its true. But if you see how they conduct themselves on reddit and listservs its actually somewhat inline.

3. Finally, when gonzo or whatever his name is started back into the project and spawned netgate that was mainly to sell certified appliances as a means to support development. Initially he attacked storefronts on sites like amazon that would pre-package the Community edition onto supermicro boxes etc. And that seemed reasonable (at least to me), even though it was kosher within the terms of the Apache license.. But then with 2.5 they initially announced it would require AES-NI, which a lot of these low power boxes dont support. They backed off of that and eventually said it wouldnt be a requirement. Ive been on 2.3 for a while now because with 2.4 they dropped x86 and went x64 only. Ive avoided opnsense because im used tot he pfsense interface and some of its more advanced tweaks. And moving to x64 is an in place rebuild and re-import. But I held largely to see how further development shakes out and frankly I'm now spending the time migrating my config over to the primary fork.

2.6 (well their move to year.month releases) will diverge from their "Open Source" code with no promises for them to stay near track. Basically its going closed source. And while they claim its up to community for further support, they also hold the keys to the PR and commits/merges....so they have the ability (and given their history) to deny commits for features/bugs that would conflict with their closed source aspirations.

From the announcment below

>In general, features that are part of FreeBSD or the other open source components that comprise pfSense will be upstreamed to those projects and made available to pfSense CE. This includes features mentioned above, like improved packet filter performance. Some features that we add to Plus will contain code that is part of these open source projects and also GUI or middleware modules that are part of pfSense Plus. In those cases, the open source code will still be contributed back and made available to CE, but work will need to happen in CE community to enable it.

https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.ht...

https://www.netgate.com/blog/announcing-pfsense-plus.html

link