pfSense Plus FAQ (2024)

pfSense® Plus software is a Netgate product, separate and distinct from pfSense Community Edition (CE), which is open-source project software.

Over time, we plan to rearchitect the product to move beyond the limitations of pfSense CE software, adding new customer-valued features.

pfSense Plus software replaces pfSense Factory Edition (FE), and is offered at no charge on Netgate appliances.

It is also offered as chargeable software through AWS and Azure Cloud Service Provider (CSP) marketplaces.

Ourplans are to make it availablecommercially for non-Netgatehardware soon

There are two primary reasons.

First, demand for new secure networking features, performance improvements, management and automation capabilities outstrip the capabilities of existing pfSense software design, which dates to 2004.

Second, the code changes necessary to deliver the above capabilities will be disruptive to users of the open-source code base - especially those dependent upon private forks for their own needs. pfSense has a smorgasbord of features and functions that Netgate will need to update, replace, or delete. These code modifications will not always immediately serve the open-source community. Rather than force the community to quickly follow, Netgate can better serve its customers and the broader community by moving the pfSense Plus stack forward to support product advancement, without disrupting the code base that community members rely upon today.

pfSense FactoryEdition (FE) - the historic fork of the pfSense open-source project that Netgate has pre-installed on its appliances, and via public cloud service providers - will be replaced with pfSense Plus.

Existing Netgate customers running pfSense FE will be able to upgrade to pfSense Plus from the user interface.

No. ThepfSense project (which provides pfSense CE) and pfSense Plus (Netgate product) software are divergent.

An example of divergence is when Netgate releases a new appliance, we almost always need to modify the software to address things like a new driver (Intel I225), or a bootloader change, etc.

pfSense Plus (and TNSR) software release numbering is consistent with the Linux Networking Foundation FD.io project approach - where releases are numbered with a year.month.patch convention.

pfSense CE software release numbering is consistent with the FreeBSD approach - where releases are numbered with a major.minor.patch convention.

We prefer the latter approach forpair products, as our customers can more easily identify the relative currency of their operating software.

There is no change to the package support for pfSense CE.

Initially, pfSense Plus will maintain package parity. Over time, Netgate will evaluate pfSense Plus package support - based on customer demand and technology progression.

Initially, they are close, but over time they will diverge. pfSense Plus Release 21.02 will be based on pfSense Release 2.5, with added crypto offload for IPsec using QuickAssist Technology (QAT) or EIP-97. Other historical differences will remain, i.e., pfSense Plus will also continue to include an AWS VPC Wizard, and an Apple IPsec Wizard.

In subsequent releases, pfSense Plus will increasingly diverge from pfSense CE - leveraging a newer and more robust secure networking software stack, which allows for feature, performance, and manageability expansion well beyond the limitations of the current stack.

pfSense Plus will evolve to incorporate features requested by our end-user and managed service provider customers. Example features in consideration include:

• New GUI
• API
• Expanded reporting
• Wireless access point support
• Zero Touch Provisioning for easier drop ship of unprovisioned appliances

We expect to publish high-level roadmaps at simple point. If you would like to be informed when it becomes available, simply sign uphere.

Further, we are always open to product / feature input. We actively monitor for, and solicit, this input through our social media channels and user surveys.

In general, features that are part of FreeBSD or the other open source components used within pfSense Plus software will be upstreamed to those projects, and by definition, available to pfSense CE software.

Some features that we add to Plus will contain 1) code that is part of open source projects, and 2) GUI or middleware modules that are inherent to pfSense Plus.

Open source project code will still be contributed back and made available to CE, but work will need to happen in CE community to enable it.

Netgate will continue providing stewardship and resources for the pfSense project, just as it has since 2012.

pfSense project code will continue to be available on GitHub, and will remain Apache licensed.

Netgate will continue to support the project with code contributions, particularly with respect to security vulnerability protection, FreeBSD related updates, common code, etc.

While Netgate will focus on its products and customers, we will continue to contribute releases, snapshots, and updates of pfSense CE.The frequency and depth of this support will be evaluated on an ongoing basis.

Absolutely not. Nothing has changed about our strong belief in, and commitment to, open source software. This is best expressed by specific evidentiary statements:

• We are proud of our long heritage of giving back significant financial sponsorship, engineering and test resources, and upstreamed code to numerous open-source projects. Our project list includes Clixon, DPDK, FD.io/VPP, FreeBSD, Free Range Routing (FRR), Linux, pfSense, and strongSwan.
• Netgate currently employs or contracts many developers with roles in the FreeBSD, pfSense, Clixon, and VPP/FD.io projects. Their contributions and responsibilities include development, administration, maintenance, release engineering, and foundation board membership. These developers, and many more at Netgate are regular contributors to these projects.
• Netgate directly co-sponsors feature work. Very recent examples of contribution includekernel-resident WireGuard, crypto-offload, and Intel i225 ethernet drivers.

If you are running a paid instance on either Cloud Service Provider (CSP) partner platform that was launched before February 2021, it is, by definition pfSense FE.

pfSense Plus will be offered on Amazon and Azure marketplaces at the same prices as Factory Edition is offered today.

Pricing varies based on the underlying cloud compute instance.

Both CSPs have their own software longevity policies. You may continue running your current pfSense FE instance into perpetuity. You will not be forced off. However, if you upgrade a deployed CSP virtual machine instance of pfSense, it will be upgraded to pfSense Plus 21.02.

New CSP virtual machine instances going forward will only be pfSense Plus releases.

Currently, pfSense Plus is only available on Netgate appliances, AWS, and Azure platforms.

We plan to make pfSense Plus available for use on 3rd party hardware soon.

pfSense Plussoftwareis a Netgate product - branchedfrom pfSense project - and itis closed source, just as Factory Edition was.

That said, pfSense Plus software is built upon a set of open source projects, namely OpenVPN, strongSwan, Free Range Routing, and of course FreeBSD. Given this, customers can certainly see the vast majority of the underlying code of pfSense Plus, if they are so inclined.

That is really up to how the project progresses itself.

If the community chooses to progress feature set, testing, documentation, and release packaging,there will continue to be newproject software releases.

Netgate will continue to participate both as a community member, and as project steward.

• Any new Netgate appliance will ship with pfSense Plus
• Existing Netgate appliances can be updated to pfSense Plus via the GUI or console menu
• Amazon and Azure Marketplace pfSense instances can be updated to pfSense Plus

Any existing instance of pfSense running on a platform not listed above and without an active pfSense TAC support subscription will be able to obtain a pfSense Plus subscription in a forthcoming release.

Yes. You can upgrade at any time from TAC Lite to either TAC Pro or TAC Enterprise.

TAC Lite is our new name for what we previously referred to as ‘zero-to-ping’ support - made available with all new appliance and CSP instance purchases. TAC Lite is the support that helps you connect your new Netgate firewall (one client online and pinging outside of your network) to the Internet.

By proxy, you may also upgrade from TAC Pro to TAC Enterprise at any time.

At the time of update, a new subscription period will begin. We will not, however, pro rate any remainder of the prior subscription.

Yes. See here.