The Netgate-pfSense Engineering Blog

Hi, I’m the new director of software engineering for pfSense and FreeBSD at Netgate. I’m starting this blog in order to share ongoing insights and previews into the development that we do at Netgate, and most importantly, to connect with the pfSense community. About myself, I started at Netgate a little over 2 months ago, but have been part of the FreeBSD community for 28 years, dating back to the nascent 386BSD days. I’ve known Jim Thompson (our CTO) from when we were both customers of Intel SoCs and encryption components almost 10 years ago, so when he mentioned that he was looking for help on pfSense, I jumped at the opportunity.

Before discussing where we’re going, let me do my best to provide some context of where we are now.

There are over a dozen people in the Netgate engineering organization for pfSense. They’re working on FreeBSD kernel features and hardware drivers, pfSense platform code, the pfSense GUI, packaging and release engineering, automated testing, performance, and next-generation projects. The team has roughly doubled in size in the last year, which if nothing else is a testament to the company’s commitment to pfSense and FreeBSD. Everyone has a deep history in Open Source, and everyone is here because of their passion for network security and privacy, pfSense, and FreeBSD. Nearly all of the code that we write goes immediately upstream into the FreeBSD and pfSense projects. It’s an awesome team, probably the best I’ve ever worked with, and that’s saying a lot.

Right now, we’re putting the finishing touches on the upcoming pfSense CE 2.5 release and our newly announced offering, pfSense Plus. There’s not a lot of difference between the two right now; both will have kernel-optimized WireGuard, both have been updated to FreeBSD 12.2, and both have over 500 other bug fixes and improvements since pfSense 2.4.5p1 was released in June 2020.

pfSense Plus is the evolution of what we internally called our “Factory Edition”, and is what we load onto the hardware appliances that we sell. It’s pfSense, but with tweaks and drivers specific to our hardware offerings. In the case of the pending release, pfSense Plus 21.02, that means that we’re including hardware crypto acceleration drivers for our appliances. The source code for these drivers, along with everything else in pfSense, has already been upstreamed to FreeBSD and is available for anyone to inspect and re-use. What makes pfSense Plus special is that since it’s tightly coupled with our hardware offerings, it comes with some extra GUI controls to enable this hardware, and these controls are not in the regular pfSense CE release.

While I’m talking about features and open source code contributions, I have to discuss WireGuard. Netgate funded a well-known member of the FreeBSD community in 2019 to bring kernel-mode WireGuard support to FreeBSD. Our contractor finished that work in August 2020 and upstreamed the source code into FreeBSD in November 2020. Just like the crypto acceleration drivers, that code is now free for anyone to examine, critique, and re-use for their own projects. It’s also being made available in both pfSense Plus and pfSense CE, including the GUI controls for it. We did this because we’re excited about the performance and ease-of-use that WireGuard brings to the world, and it aligns firmly with our mission statement that privacy and security are fundamental rights, not expensive luxuries. On top of that, our WireGuard code is FAST, and we’ll post a follow-up blog shortly that talks about it.

So where are we going? To start with, pfSense and its m0n0wall predecessor are 19 years old. Netgate engineers have been talking about a re-architecture since at least 2014, and even the original author of m0n0wall spoke about re-architecture back in 2005. pfSense is written in PHP, but not in a very modular fashion; the GUI elements directly control the system, so seemingly trivial changes in the system or the GUI can have unexpected and unrelated consequences. The PHP code also takes over much of the low-level FreeBSD system state and functionality, making integration with new versions of FreeBSD time consuming and error prone. That slows down our pace of development and makes it hard to test, fix, and maintain the code from release to release. It also makes it hard to extend with a versatile API. With all of these looming problems, we decided that it’s time to move to new tools and technologies so that we don’t get smothered by this code.

Our efforts right now are focused on two areas: a new GUI written in Go, and a new middleware based on the Clixon project that is already in use by our TNSR product line. This work is forcing us to separate the pfSense functionality into an architecturally sound model-view-controller idiom. Once done, the code will be easier to test and easier to extend or even swap out with alternate modules. It also makes a standards-compliant API a natural part of the architecture, and we plan to allow users to take advantage of this to extend pfSense in ways that are currently not possible. These are all critically important goals, but they are also disruptive to the pfSense code. Our challenge is to figure out how to make progress, deliver on what we’re promising, continue to support our users and customers, and not spread ourselves too thin.

In order to keep us driving towards our goals, I’m making changes in the organization to move us to a regular release cadence for pfSense Plus. In the past, a release was made “when it’s ready”, and that meant anywhere from 2 days to 10 months in between, with no outward rhyme or reason. It’s not lost on me that we’ve been promising pfSense 2.5 for a very long time, and the delays have been frustrating for our followers. While the engineer in me strives for perfection and wants to wait until every feature is implemented and every bug is fixed, the product manager in me knows that a regular, predictable release schedule is even more important. Thus, we’ll do three major releases a year: January (delayed slightly this year due to everything starting up), May, and September. We may also do minor releases in-between these times to address important bugs and security issues.

Where does that leave the pfSense CE releases? This is a burning question for our users, and for good reason. The pfSense community has been good to us, and we wouldn’t exist without it. In return, we’ve done our best to be good stewards in the community, both in terms of providing resources and in terms of our open source code commitment. We’re already planning a pfSense CE 2.6 release in mid-2021. We’re still fully participating in the open source communities that make up the foundation of pfSense, and we’re still driving that code upstream and into the open. This isn’t going away, but it is going to evolve as our code in pfSense Plus evolves.

As we do the delicate work of transitioning towards Clixon as our middleware, that code, and the new GUI built on top of it, is only going to be in pfSense Plus. This keeps the disruption contained to a smaller set of our users, those running the hardware we know intimately: our appliances. Simply put, we’ll be able to work faster and with more confidence in this environment. The good news is that we also plan to make pfSense Plus available on non-Netgate hardware in late 2021, not just our appliances, and we plan to make the licensing of pfSense Plus completely free for home, hobby, and lab use. This will overlap nicely with the planned pfSense CE releases, and we will be including a seamless transition mechanism to go from CE to Plus. In the end, we want to give our users a compelling reason to make the switch, but for those who can’t or won’t make the switch, there will still be future pfSense CE releases to look forward to. There will be CE releases after 2.6, but unlike Plus, they’ll be done when they’re ready, not on a regular cadence.

That’s the 50,000 ft view of what’s happening in Netgate pfSense engineering. In future posts I’ll share more details on what we’re working on, and highlight some of the work that we’re especially proud of. Please stay tuned for the upcoming pfSense Plus and CE releases, stay safe and happy, and be kind to yourself and each other during these times.