by croutonwagon 1923 days ago
So there are a few things worth noting.

Like you, I have used pfSense since the 1.2.3 days... which is about 2008-2009 or so. I even bought the book to support the devs at the time (who to my knowledge have left for greener pastures). In some sites I even replaced failing hardware with a legit appliance. And even with COVID, pfSense allowed me to quickly spin up OpenVPN appliances as standalone boxes (something I tried on OPNsense but couldn't get stable, largely due to the interface changes and my lack of familiarity with them). All of that is to say that I have been a big supporter of theirs, having submitted small bug fixes pre-Netgate days and even buying/financially some of their later endeavors.

But the issues are as much

1. Starting with the 2.4 train, you can no longer really compile from source. Their build.sh relies on some closed source components not in their git repo. Specifically a small program called gnid that creates a unique ID and AT LEAST calls home to Netgate to report that. They have been very cagey about what all occurs but it does happen outside of the firewall's application itself (i.e. you can't block it with a state rule). Bringing this up in forums brings in ad-hoc attacks and open hostility. Gonzo is on record saying if you can't compile it's because you don't know what you are doing or something of the sort.

2. They are openly hostile to FreeBSD, forks like OPNsense (which at one point they squatted a similar domain and even tried to spread malicious misinformation). https://opnsense.org/opnsense-com/. There's more... entire threads of nonsense and reading. It's out there if you want... But all that is to say... everyone has mud on their face when it's slung around like it has been.

You may say this is childish and so comically so there's no way it's true. But if you see how they conduct themselves on Reddit and listservs it's actually somewhat in line.

3. Finally, when gonzo or whatever his name is started back into the project and spawned Netgate that was mainly to sell certified appliances as a means to support development. Initially he attacked storefronts on sites like Amazon that would pre-package the Community edition onto Supermicro boxes etc. And that seemed reasonable (at least to me), even though it was kosher within the terms of the Apache license. But then with 2.5 they initially announced it would require AES-NI, which a lot of these low power boxes don't support. They backed off of that and eventually said it wouldn't be a requirement. I've been on 2.3 for a while now because with 2.4 they dropped x86 and went x64 only. I've avoided OPNsense because I'm used to the pfSense interface and some of its more advanced tweaks. And moving to x64 is an in place rebuild and re-import. But I held largely to see how further development shakes out and frankly I'm now spending the time migrating my config over to the primary fork.

2.6 (well, their move to year.month releases) will diverge from their "Open Source" code with no promises for them to stay near track. Basically it's going closed source. And while they claim it's up to community for further support, they also hold the keys to the PR and commits/merges... so they have the ability (and given their history) to deny commits for features/bugs that would conflict with their closed source aspirations.

From the announcement below

>In general, features that are part of FreeBSD or the other open source components that comprise pfSense will be upstreamed to those projects and made available to pfSense CE. This includes features mentioned above, like improved packet filter performance. Some features that we add to Plus will contain code that is part of these open source projects and also GUI or middleware modules that are part of pfSense Plus. In those cases, the open source code will still be contributed back and made available to CE, but work will need to happen in CE community to enable it.

https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.ht...

https://www.netgate.com/blog/announcing-pfsense-plus.html