Netgate Blog

Announcing pfSense® Plus

pfSense® software is the world’s most trusted firewall. Now on its 46th release, the software has garnered the respect and adoration of users worldwide - installed over two million times, with at least half that many in active use today. A remarkably powerful, robust, and easy to use solution, pfSense software has delivered edge firewall, router, and VPN functionality to homes, businesses, educational institutions, and government agencies - literally across every continent.

While pfSense software stands toe-to-toe with far more expensive alternatives, our customers are demanding new secure networking features, performance improvements, and advanced management capabilities. These requests, while entirely logical and viable, simply outstrip the capabilities of the existing software design - a design that is nearly 20 years old. A modern software foundation is needed, one far better architected to meet evolving WAN edge and cloud computing needs.


In early February, Netgate® will rebrand pfSense Factory Edition (FE) to pfSense Plus. While it may sound like just a name change, there is more to appreciate.

Historically, pfSense FE and pfSense Community Edition (CE) have been closely related, differing primarily by:

  • Support for additional hardware platforms (ARM)
  • Support for Cloud Service Provider (CSP) platforms (AWS, Azure)
  • Additional configuration wizards

In 2021, they will begin to diverge from one another in both software platform design and feature set. pfSense CE will continue on, just as it has. Netgate continues to donate features and code to the projects that comprise pfSense. As well, we will continue to compile and distribute installation images, including pfSense CE Release 2.5, in early February 2021. At the same time, the first release of pfSense Plus (Release 21.02) will be made available to all Netgate customers, and will be the standard software installed on all Netgate appliances and all new CSP partner marketplace instances.

The software product family of pfSense Plus and TNSR® gives Netgate customers an excellent set of edge and cloud networking options. pfSense Plus is our advanced firewall / VPN / router solution, and TNSR will continue serving as our high-performance edge router. While both products share technology from several open source projects, they each will continue to have their respective markets and uses.

All of our customers - from consumers to service providers - are important to us. Of particular importance, however, are business, government, and education customers who depend upon Netgate solutions to stay securely and reliably connected to the world. pfSense Plus provides a modern software platform from which we can continue to provide ever-evolving, feature-rich, performant, scalable, and easy-to-manage secure networking solutions.

Here are the key pfSense Plus takeaways, best conveyed through an FAQ format:

1. What is pfSense Plus?

pfSense® Plus is the new name of the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It will be made available to Netgate appliance and CSP customers, and over time, will have an evergreen secure networking feature set, performance enhancements, and manageability advancements not available through pfSense Community Edition (CE) releases or project code. The product will become more powerful, flexible and easy to use over time, as it is re-architected to move beyond the limitations of pfSense open source software.

2. Why did Netgate make this change?

There are two primary reasons.

First, demand for new secure networking features, performance improvements, management and automation capabilities outstrips the capabilities of the existing software design, which dates to 2004.

Second, the code changes necessary to deliver the above capabilities will be disruptive to users of the open-source code base - especially those dependent upon private forks for their own needs. pfSense has a smorgasbord of features and functions that Netgate will need to update, replace, or delete. These code modifications will not always immediately serve the open-source community. Rather than force the community to quickly follow, Netgate can better serve its customers and the broader community by moving the pfSense Plus stack forward to support product advancement, without disrupting the code base that community members rely upon today.

3. What happens to pfSense FE?

pfSense FE - the historic fork of the pfSense open-source project that Netgate has pre-installed on its appliances, and via public cloud service providers - will be replaced with pfSense Plus. Existing Netgate customers running pfSense FE will be able to upgrade to pfSense Plus from the user interface.

4. When will pfSense Plus be available?

The first release of pfSense Plus will be available in February 2021, as Release 21.02. The ‘year.month’ release numbering convention aligns with that of TNSR - Netgate’s high-performance software router product - since its first release in 2018. We have come to prefer this approach, as our customers can easily identify the relative currency of their operating software.

5. Are pfSense Plus Release 21.02 and pfSense CE Release 2.5 the same thing?

Initially, they are close, but over time they will diverge. pfSense Plus Release 21.02 will be based on pfSense Release 2.5, with added crypto offload for IPsec using QuickAssist Technology (QAT) or EIP-97. Other historical differences will remain, i.e., pfSense Plus will also continue to include an AWS VPC Wizard, and an Apple IPsec Wizard.

In subsequent releases, pfSense Plus will increasingly diverge from pfSense CE - leveraging a newer and more robust secure networking software stack, which allows for feature, performance, and manageability expansion well beyond the limitations of the current stack.

6. What kinds of new capabilities are envisioned?

pfSense Plus will grow to incorporate features - like the following - requested by our end-user and managed service provider customers:

  • Business level dashboard / reporting
  • 802.11ac and 802.11ax wireless access point support
  • Improved packet filter performance
  • New GUI architecture
    • GUI / device control separation, which facilitates multi-instance management
    • Modernized look and feel
  • Zero Touch Provisioning for easier drop ship of unprovisioned appliances

We expect to publish a high-level roadmap soon. If you would like to be informed when it becomes available, simply sign up here. Further, we are always open to product / feature input. We actively monitor for, and solicit, this input through our social media channels and user surveys.

6.5 Will any of the features in pfSense Plus also make it to pfSense CE?*

Yes! Both pfSense CE and pfSense Plus are built on top of FreeBSD. Both use the FreeBSD kernel and the packet filter module for the data path. Any improvements to the performance of packet filtering will be contributed back to the FreeBSD project, and therefore, available to both pfSense CE and pfSense Plus.

In general, features that are part of FreeBSD or the other open source components that comprise pfSense will be upstreamed to those projects and made available to pfSense CE. This includes features mentioned above, like improved packet filter performance. Some features that we add to Plus will contain code that is part of these open source projects and also GUI or middleware modules that are part of pfSense Plus. In those cases, the open source code will still be contributed back and made available to CE, but work will need to happen in the CE community to enable it.

*Added Friday, January 29, 2021.

7. Will pfSense CE releases continue?

Here is what to expect relative to the pfSense project, and Netgate-provided CE releases therein:

  • Netgate will continue providing stewardship and resources for the pfSense project, just as it has since 2012
  • pfSense project code will continue to be available on GitHub, and will remain Apache licensed
  • Netgate will continue to support the project with code contributions, particularly with respect to security vulnerability protection, FreeBSD related updates, common code, etc.
  • While Netgate will focus most of its efforts on pfSense Plus, there will continue to be releases, snapshots, and updates of pfSense CE
  • The frequency of this support will be evaluated on an ongoing basis. As an example, we already anticipate there will be a 2.6 release in 2021 to provide 1) the necessary upgrade path to pfSense Plus for instance types beyond those already covered, 2) hardware support updates, and 3) bug fixes.

8. Will pfSense Plus releases come out on a more regular basis than pfSense CE Releases did historically?

Yes. Going forward, pfSense Plus customers will be able to reliably manage their IT infrastructure changes around three releases per year - planned for January, May, and September.

9. Does this mean Netgate is abandoning its open source heritage?

Absolutely not. Nothing has changed about our strong belief in, and commitment to, open source software. This is best expressed by specific evidentiary statements:

  • We are proud of our long heritage of giving back significant financial sponsorship, engineering and test resources, and upstreamed code to numerous open-source projects. Our project list includes Clixon, DPDK, FD.io/VPP, FreeBSD, Free Range Routing (FRR), Linux, pfSense, and strongSwan.
  • Netgate currently employs or contracts many developers with roles in the FreeBSD, pfSense, Clixon, and VPP/FD.io projects. Their contributions and responsibilities include development, administration, maintenance, release engineering, and foundation board membership. These developers, and many more at Netgate, are regular contributors to these projects.
  • Netgate directly co-sponsors feature work. Very recent examples of contribution include kernel-resident WireGuard, QAT and EIP-97 crypto-offload, Intel i225 Ethernet drivers for FreeBSD, and a VRRP plugin for FD.io’s VPP.

10. What if I am running pfSense on a CSP partner platform, e.g., Amazon or Azure?

If you are running a paid instance on either Cloud Service Provider (CSP) partner platform, it is, by definition, pfSense FE.

pfSense Plus will be offered on Amazon and Azure marketplaces at the same prices as Factory Edition is offered today. Pricing varies based on the underlying cloud compute instance. Both CSPs have their own software longevity policies. You may continue running your current pfSense FE instance into perpetuity. You will not be forced off. However, if you upgrade a deployed CSP virtual machine instance of pfSense, it will be upgraded to pfSense Plus 21.02. Further, new CSP virtual machine instances going forward will only be pfSense Plus releases.

11. Can I get pfSense Plus for my own hardware or virtual machine?

Today, pfSense Plus 21.02 is only available on Netgate appliances, AWS, and Azure platforms.

We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner.

There will be a no-charge path for home and lab use and a chargeable version for commercial use.

Read the complete Netgate pfSense Plus FAQ here.

Netgate is excited to embark on this new path to address our customers’ evolving edge and cloud secure networking needs. Please follow our blog and press coverage on the topic to learn more as we proceed towards availability in early February. As always, feel free to reach out directly if we can assist in any way.