this post was submitted on 28 Oct 2023
11 points (100.0% liked)


I was surprised to not see any post about this here yet, so here it is I guess.

Netgate (the company who runs pfSense) has just announced serious changes to their "free" so-called "Home+Lab" license of pfSense.

Here is the link to their official blog post.

Background:

Netgate have offered a free and open-source version of pfSense, called the CE (Community Edition). They also offered a version called "pfSense Plus" which was paid and offered a few more features but also support from Netgate, which is of course perfectly fine and very common (look at Proxmox for example).

A while ago (1,5 years) they introduced "Home+Lab" as a product and license version in order for casual users and "homelabbers" to dip a toe into their commercial offerings which has more features than the CE. Basically like "here you can use your enterprise version for free, but it's a bit limited of course". The obvious goal there is to motivate users to switch from the free CE to a paid version, again nothing wrong with that. Portainer for example does this too.

Because of this, users switched from the "always" free CE version to the "Home+Lab" version, upgrading their installations and enjoying a few more features. According to Netgate, thousands of users have installed it. Great!

Now

But just now Netgate have announced major changes to this, out of the blue, without any prior notice. The free "Home+Lab" version is no longer available for download, it's just gone.

As a reason they cite that third-party sellers (on Aliexpress etc. I imagine) were downloading the "better" version of pfSense, aka the "Home+Lab" version, and installing it on their hardware appliances and then selling them. Without Netgate seeing any revenue from this.

Please see their blog post for all the details. But one crucial point is that anyone who is currently running their "Home+Lab" version, can keep running it (yay!) but they also say that future upgrades and bugfixes may require a subscription. So basically, users installed a free "better" version, which now doesn't exist anymore, and to continue using it with updates, they "might" need to pay a subscription fee. Something as crucial as a firewall appliance should be kept up to date for security, so just ignoring that is not really an option. And Netgate also state that if you have to reinstall your current "Home+Lab" version, they cannot provide that for free to you. And those subscriptions apparently come at a very high price. Are you willing to pay $400/year for your firewall software when you're only using it privately in your small homelab?

Paying for software, or any product, is not a bad thing. And companies need to make money, they need to pay employees. This should be obvious. There is no problem with that in itself. But the way this was done, telling their userbase for quite a while to try out this free version of the premium product, and then pulling the rug away underneath the feet, is just plain wrong and fucked up.

"Okay whatever, then just switch back to the actual free CE version!" Great idea, but apparently that's not so super easy.

Lawrence Systems have already made an excellent video summing up all these changes. I would recommend watching it to get the full picture, I can and want to only cover a bit here:

They also made a video about switching back from pfSense plus (Home+Lab) to pfSense CE:

Reading recent posts about this on /r/pfSense subreddit, the community seems to be quite angry about this. And it doesn't help that their subreddit is actually run by Netgate employees, so it isn't exactly an independent discussion forum there at all. For example a user tried to get feedback and support for a tool to convert pfSense configs to OPNsense configs, and the moderators removed the post without further comment.

My personal recommendation would be that this is a huge opportunity to finally switch away from pfSense, they have shown once again that they cannot be trusted. Take a look at the most obvious "competitor" /r/OPNsenseFirewall, they started as a fork of pfSense and have developed quite nicely.

And to make it even more clear what kind of people are running Netgate (pfSense), if you haven't read it yet, this is the story of when users announced the fork OPNsense, how an employee of Netgate was running opnsense.com which was a mock website entirely made to shit on the OPNsense project and discredit them. I encourage you to look at it and make up your own mind about it. And yes, this employee still works for them today it seems. This alone should be reason enough to never use anything by Netgate, ever, whether it's a free CE or paid.

At least right now they are still offering the free and open-source CE version. But who knows how long that will last. They might as well kill that option without prior notice in a few months or a year from now. It's better to think about switching before being forced to.

There have also been various other issues with Netgate's behaviour towards their users over the years, but covering them all here would be too much and off-topic, I would like to focus this post mostly on the very recent issue.

If people get angry about Oracle and seemingly shutting down "free" VPS instances at random, then they should be angry about Netgate pulling shit like this too.

#TL;DR

Stop using pfSense (just any Netgate products), switch to something else.

It's not the only alternative, but /r/OPNsenseFirewall is one major example.

Disclaimer: I am no pfSense expert, very far from it. If I got any of the history or current events wrong in this post, please let me know and I will immediately correct them. For me when the time came to pick a (virtualized) firewall/router appliance, I installed both pfSense and OPNsense in VMs and took a quick look. Even though pfSense did leave a very "enterprise-ish" impression, it didn't feel right somehow, just odd in some way. Then looking at OPNsense, I felt immediately at home, I can't really narrow down why exactly. It simply felt much more open and friendly from the beginning. And I mean the software, at that point I had no idea what was going on between pfSense and OPNsense. All I knew was that OPNsense originated from pfSense, that's all. I tried both a tiny bit and quickly decided that I like OPNsense more, and that's what I have been using for a long time now and I'm very happy with it.

None of the existing flair options seem to really fit to this, so forgive me for not having any flair. Mods feel free to overwrite any flair to this.

top 50 comments
[–] HittingSmoke@alien.top 2 points 1 year ago (3 children)

And to make it even more clear what kind of people are running Netgate (pfSense), if you haven't read it yet, this is the story of when users announced the fork OPNsense, how Netgate was running opnsense.com which was a mock website entirely made to shit on the OPNsense project and discredit them. I encourage you to look at it and make up your own mind about it. And guess who exactly was running that website? Some disgruntled hardcore pfSense fan, or some low level employee who went too far? No, it was the founder & CEO of Netgate. This alone should be reason enough to never use anything by Netgate, ever, whether it's a free CE or paid.

Story time.

I always found it difficult to like pfSense. I'm big on UI/UX and this was before their redesign. Even after the new design I really didn't love it. I started researching alternatives and asked in some (not /r/pfsense) subreddit about opnsense.

Some dude named htilonom shows up absolutely going off the handle about it. Was calling it a scam. He seemed disturbingly passionate about hate for an open source project so I did some digging instead of taking his words at face value. He was running a subreddit called /r/opnscam where he was doing some downright creepy dude stalking an onlyfans girl level of stalking the opnsense devs. Posting random links to forum posts by opnsense devs, making wild accusations that didn't fit the links he was posting. Long nonsensical rants about topics like how criticizing the choice of using C or a web interface meant people wanted to "steal" code. Nobody else posted there. Was just years of this one guy talking to himself about opnsense being a scam and how the maintainers were incompetent or were somehow stealing from an open source codebase.

I always suspected it was someone who had some business ties to pfSense, if not that CEO himself.

[–] thekrautboy@alien.top 1 points 1 year ago

This subreddit was created by a petty and childish troll who made pfSense users look bad by doing nothing on reddit but shitting on a similar open source project. It has been taken over and shut down.

Excellent, well done!

[–] BarServer@alien.top 1 points 1 year ago

Oh god. I fell in love with you after reading this. :-)

[–] Low-Chapter5294@alien.top 1 points 1 year ago

Nice story bro.

[–] TetchyTechy@alien.top 2 points 1 year ago (1 children)

I think they always planned for ce's obsolescence from the very start, just they fudged the whole thing with poor communication and wrong decisions...probably they will be aiming for business from now on because that's their main revenue stream and their lifeblood and not the open source community.

[–] katrinatransfem@alien.top 1 points 1 year ago

Yes, but most business customers, or the people that advise those business customers, choose stuff that they have already tried out on their homelab and are familiar with.

[–] lmamakos@alien.top 2 points 1 year ago (1 children)

So the people that make the free version of the software and the paid version of the software decided others were taking advantage of the free eval version, and stopped giving that away for free. Why not just use the CE version? It's been working fine for me for more than a decade. Is there functionality missing in the free CE version that you'll be giving up, or are you just pissed off that something changed unexpectedly in the selection of free things that are available to you?

Is OPNsense really more "open and friendly?" I dunno, I know some of the guys at Netgate professionally, and they're trying to run a business.. and for some reason, giving away software for free. Probably as a combination of giving back to the community and having people do testing at the same time. Seems like a reasonable tradeoff.

[–] NightH4nter@alien.top 2 points 1 year ago

it's all about breaking the promises previously given

Besides the obvious alternatives I understand the move. However it would also have been possible to forbid the installation of that particular license on commercially sold hardware under threat of a fine…

[–] Aronacus@alien.top 2 points 1 year ago (1 children)

Dropped them last year for a Ubiquiti stack. Very pleased.

[–] daq@lemmy.sdf.org 1 points 1 year ago

No issues with pfsense, but I'm thinking of doing the same just because I'm starting to dislike the company and pretty much all my hardware is Ubiquiti anyway. I also have a Ubiquiti gateway lying around.

I do use pfsense to an advanced level for a home lab so I'm worried Ubiquiti won't match the features.

[–] SpongederpSquarefap@alien.top 2 points 1 year ago (2 children)

Yep OP is right, but OP didn't mention the fucking disastrous WireGuard implementation they tried to pull off

God that was a mess

This is yet another reminder to tick off "switch to OPNsense" on my to do list

[–] thekrautboy@alien.top 1 points 1 year ago

Feel free to add more context please or links to other issues.

I did not want to make this a "look how bad Netgate has been for years" post, but mostly focus on this one current issue.

[–] Nestramutat-@alien.top 1 points 1 year ago

Yup, the whole Wireguard debacle is what had me switch to OPNSense in the first place

[–] sassydodo@alien.top 1 points 1 year ago

I've used both pfsense and opnsense. Given this was like 4+ years ago, but still. Used opnsense because the user interface had better ui/ux. Otherwise pfsense had much more to give, but I really never needed it so switched to lighter/easier to use version - opnsense. I really don't see a problem with switching/reinstalling different version of pfsense if you don't want to use "paid" version.

Now, the problem of AliExpress - this is true. The most important part of the network gear isn't hardware, it's software and drivers on said gear. Pfsense turns cheap shitty minipc worth $100 into powerful router on par with enterprise gear worth $10000 and capable of running thousands of users in multiple locations with site to site networks.

[–] ModerateBiscuit@alien.top 1 points 1 year ago

My weekend job is working out how to migrate my VPN config over. Once I've done that I'm moving.

[–] Blazorax@alien.top 1 points 1 year ago

I can understand this topic can be personal, yet I see no issue. CE still available, homelab is their product and they have been allowing ppl to use for free. Now they decided not to allow it anymore, so be it. It is their product after all.
Maybe I'm missing something, if I do, please elaborate and I am happy to be corrected.

[–] supra98tt@alien.top 1 points 1 year ago

When they pulled the shit against opnsense back in the day, I moved to sophos home edition and never looked back. Netgate as a company is cancer.

Either run opnsense or sophos home if you don't mind closed source firewall.

[–] lvlint67@alien.top 1 points 1 year ago

never liked pfsense.. the interface usually got in the way more than it helped. Ran a linux router for years..

These days I have mikrotik gear at the edge. (no they aren't insecure... all of the CVEs you've heard about were publicly exposed admin interfaces...).

[–] KN4MKB@alien.top 1 points 1 year ago

I've run both and unfortunately, as much as I HATE to admit it, pfSense "just worked". I tried opnsense, but strange problems kept coming up that had me fixing issues like whack-a-mole in a time where I needed something to just do its job. I'll give opnsense another shot in the future. But as of now pfsense is doing what I need, the way I need it to on the community edition. I have no reason to swap now, but if they screw around with that, I guess opnsense will get another shot.

[–] cr1tic@alien.top 1 points 1 year ago (1 children)

You people expect so much. They have a free open source version. Use it. Need more? Pay. Netgate have been wonderful to the community and this take of yours is wildly off.

[–] NightH4nter@alien.top 2 points 1 year ago

You people expect so much.

nope, just transparency and adherence to the promises given

[–] ScottyPuffJr@alien.top 1 points 1 year ago (2 children)

Sophos utm home/free. Never looked back

[–] wally40@alien.top 1 points 1 year ago

I've wanted to go this route, but have had trouble getting Sophos to run on my hardware. Didn't spend too much time with it as pfsense ran on install. May have to circle back to it and troubleshoot it.

[–] ColdDeck130@alien.top 1 points 1 year ago

I’ve been using Sophos UTM for years, but they announced that it will be End Of Life next year. I have been looking at OPNsense as a replacement. It will be a very interesting transition.

[–] netmind604@alien.top 1 points 1 year ago

Was there ever a real reason to use pfSense+ other than more frequent updates?

I couldn't go opnsense as a newbie to and needed the much richer docs tutorials and ecosystem.

Stayed on pfSense CE as it's fully open and I wanted to support that.

TBF what did you expect? For profit company starts to add closed code "for free".... Of course it won't last and the fact you pay nothing .... Well means you should expect no say.

[–] clovepalmer@alien.top 1 points 1 year ago

Never reward bait and switch.

Fuck this company

[–] JzJad12@alien.top 1 points 1 year ago

First realvnc does a bait and switch with rport, then netgate pulls more stupid crap. Guess it's time to buy an opnsense appliance just to show how much better they are as a company.

[–] iccb@alien.top 1 points 1 year ago (1 children)
[–] WeiserMaster@alien.top 1 points 1 year ago (1 children)

IPFire devs live in 1997 and don't want to wake up to the world that is IPv6. They even list IPv6 as a significant security risk lmao

https://wiki.ipfire.org/optimization/start/security_hardening/reducing_attack_surface

[–] iccb@alien.top 1 points 1 year ago

Yeah, mostly true. It's not a perfect product, but an option still. I guess that 98% of home users don't need ipv6 so it's not so big a thing to be disabled in default installation.

[–] iTzzKoLT@alien.top 1 points 1 year ago

I recently did an i9 proxmox build and it became an opportunity to do a fresh install of opnsense from my pfSense install. It's a bit different to get used to, UI wise, in some sense pfSense seemed a little more clunky but easier to read things like the firewall table. But I decided I was going to switch because of hearing the scummy things they do so this reinforced my decision and push getting used to opnsense. Good writeup

[–] TetchyTechy@alien.top 1 points 1 year ago

Yes, I think so - just like what happened with unity

[–] telenieko@alien.top 1 points 1 year ago (1 children)

TL;DR often goes at the top of the post, not the bottom 😉

[–] thekrautboy@alien.top 1 points 1 year ago

Just making sure you read the whole thing...

[–] user01401@alien.top 1 points 1 year ago

OpenWrt on x86/64. Also being Linux based you gain features such as SQM which is a game changer for bufferbloat and responsiveness with devices.

[–] elyl@alien.top 1 points 1 year ago (1 children)

That opnsense.com archive. Man, it's just unhinged.

[–] thekrautboy@alien.top 1 points 1 year ago

Even more so when its by the CEO.

[–] lilolalu@alien.top 1 points 1 year ago

Well, again someone using a "free" commercial product and complaining when the offer is changed.

[–] nostradamefrus@alien.top 1 points 1 year ago

Clicked on this as a pfSense CE user and, gotta be honest, this post is more of a bait and switch than what Netgate did. This is absolutely a scummy practice, don't get me wrong, but putting up a thread about a company "messing with their userbase" sends up a lot more red flags than "they took away one free offering". This doesn't impact CE users, so your very loud rallying cry of "Are you willing to pay $400/year for your firewall software when you're only using it privately in your small homelab" is pretty overblown if you're acknowledging the target audience of this sub is largely people who can get away fine with CE

And what about Jellyfin's demise are you on about? I don't see any recent posts in here about anything going on with JF

[–] edparadox@alien.top 1 points 1 year ago

To be fair, I do not get why people still use pfSense over OPNsense nowadays.

[–] jmartin72@alien.top 1 points 1 year ago

I switched to Ubiquiti and I couldn't be happier.

[–] coupledcargo@alien.top 1 points 1 year ago

I tried opnsense after using ce for so many years but ended up on sophos, which provide a free license for personal use. I really like it, the interface feels generations ahead and seems to be pretty reliable. Not for everyone of course and who knows if sophos will do the same thing (pull the free version)

[–] markv9401@alien.top 1 points 1 year ago

The alternatives you listed are not quite on par.

  • OpnSense is great and should be used as the firewall.
  • VyOS is great, but it's more of a router software, enterprise grade while at it. It can do firewalling but it's unnecessarily complicated compared to OpnSense.
  • OpenWRT is an exceptional WiFi/Wireless AP software and then can do firewalling too but shouldn't be used as the main fw imo
  • Sophos may or may not be great, no experience with it on my side, and won't be any as it's not open source AFAIK
  • Mikrotik hardware may be priced fairly, sometimes, but their software and configuration thick client is just a terrible mess. It does indeed require certifications to set it up, even if you're a well battle experienced security guy. It's just bad imo, sorry
[–] broknbottle@alien.top 1 points 1 year ago

VyOS LTS can be easily built yourself via docker or even using GitHub Actions

[–] km_ikl@alien.top 1 points 1 year ago

Netgate / pfSense would have been better off with using a licensing scheme like most (i.e. you get CE, and only CE off the website, your home+lab license is paid for ($10/yr or something nominal), and the full enterprise edition is whatever the cost is).

I'm using CE, but I'm considering switching to OPNSense if for no other reason than having Suricata pre-installed sounds really, really good.

[–] MrDephcon@alien.top 0 points 1 year ago (1 children)

I don't understand the AliExpress argument. They want people to use free H+L to expose them to the ecosystem and hopefully pay for the full version.

AliExpress vendors shipping thousands of routers with free H+L installed vastly boosts their user base... So isn't that mission accomplished? If some of those users upgrade to the paid version it's a win.

By removing free H+L, Ali express vendors will just start shipping opnsense instead and I would expect the majority of users to continue to use it instead of moving to pfSense.

Alternately if Ali vendors shipped without any software pre-installed, and then the customer installs free H+L, what's the difference?

[–] bubblegumpuma@alien.top 1 points 1 year ago

Most of those Aliexpress vendors ship with no RAM and no OS as a significantly cheaper option anyway, so many of the people who are buying that hardware are just grabbing their own OS in the first place, I'd think. It's certainly what I'd do if I were in the market for one of those 150 dollar firewall boxes.

[–] treebeardd@alien.top 0 points 1 year ago (1 children)

The free version of the rXg Router is an incredible solution for SOHO type scenarios, I run it myself and it's amazing. Let's say you want to have your work devices on one VLAN, your home devices on one VLAN, and your guests devices on a third VLAN so they NEVER see each other.

Let's say you want to manually approve your guest's onboarding request, super easy!

Just be warned, their product is built for someone who knows something about networking so if you're challenged by that requirement please take it as an opportunity to learn!

Free technical support is available at reddit.com/r/rgnets, head over to RGNets.com for a free download!

[–] thekrautboy@alien.top 2 points 1 year ago

This sounds so much like an ad.