Netgate pfSense Plus FAQ

The pfSense® Plus addition to the Netgate family is both a new name and a new way of moving the product forward. The questions below should provide information to help clarify the upcoming changes.

General TAC Support FAQ

pfSense® Plus is the new name of the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It will be made available to Netgate appliance and CSP customers, and over time, will have an evergreen secure networking feature set, performance enhancements, and manageability advancements not available through pfSense Community Edition (CE) releases or project code. The product will become more powerful, flexible and easy to use over time, as it is re-architected to move beyond the limitations of pfSense open source software.

There are two primary reasons.

First, demand for new secure networking features, performance improvements, management and automation capabilities outstrip the capabilities of existing software design, which dates to 2004.

Second, the code changes necessary to deliver the above capabilities will be disruptive to users of the open-source code base - especially those dependent upon private forks for their own needs. pfSense has a smorgasbord of features and functions that Netgate will need to update, replace, or delete. These code modifications will not always immediately serve the open-source community. Rather than force the community to quickly follow, Netgate can better serve its customers and the broader community by moving the pfSense Plus stack forward to support product advancement, without disrupting the code base that community members rely upon today.

pfSense FE - the historic fork of the pfSense open-source project that Netgate has pre-installed on its appliances, and via public cloud service providers - will be replaced with pfSense Plus. Existing Netgate customers running pfSense FE will be able to upgrade to pfSense Plus from the user interface.

The first release of pfSense Plus will be available in February 2021, as Release 21.02. The ‘year.month’ release numbering convention aligns with that of TNSR® - Netgate’s high-performance software router product - since its first release in 2018. We have come to prefer this approach, as our customers can easily identify the relative currency of their operating software.

Initially, they are close, but over time they will diverge. pfSense Plus Release 21.02 will be based on pfSense Release 2.5, with added crypto offload for IPsec using QuickAssist Technology (QAT) or EIP-97. Other historical differences will remain, i.e., pfSense Plus will also continue to include an AWS VPC Wizard, and an Apple IPsec Wizard.

In subsequent releases, pfSense Plus will increasingly diverge from pfSense CE - leveraging a newer and more robust secure networking software stack, which allows for feature, performance, and manageability expansion well beyond the limitations of the current stack.

pfSense Plus will grow to incorporate features - like the following - requested by our end-user and managed service provider customers:

  • Business level dashboard / reporting
  • 802.11ac and 802.11ax wireless access point support
  • Improved packet filter performance
  • New GUI architecture
    • GUI / device control separation, which facilitates multi-instance management
    • Modernized look and feel

  • Zero Touch Provisioning for easier drop ship of unprovisioned appliances

We expect to publish a high-level roadmap soon. If you would like to be informed when it becomes available, simply sign up here. Further, we are always open to product / feature input. We actively monitor for, and solicit, this input through our social media channels and user surveys.

Yes! Both pfSense CE and pfSense Plus are built on top of FreeBSD. Both use the FreeBSD kernel and the packet filter module for the data path. Any improvements to the performance of packet filtering will be contributed back to the FreeBSD project, and therefore, available to both pfSense CE and pfSense Plus.

In general, features that are part of FreeBSD or the other open source components that comprise pfSense will be upstreamed to those projects and made available to pfSense CE. This includes features mentioned above, like improved packet filter performance. Some features that we add to Plus will contain code that is part of these open source projects and also GUI or middleware modules that are part of pfSense Plus. In those cases, the open source code will still be contributed back and made available to CE, but work will need to happen in CE community to enable it.

*Added Friday, January 29, 2021

Here is what to expect relative to the pfSense project, and Netgate-provided CE releases therein:

  • Netgate will continue providing stewardship and resources for the pfSense project, just as it has since 2012
  • pfSense project code will continue to be available on GitHub, and will remain Apache licensed
  • Netgate will continue to support the project with code contributions, particularly with respect to security vulnerability protection, FreeBSD related updates, common code, etc.
  • While Netgate will focus most of its efforts on pfSense Plus, there will continue to be releases, snapshots, and updates of pfSense CE
  • The frequency of this support will be evaluated on an ongoing basis. As an example, we already anticipate there will be a 2.6 release in 2021 to provide 1) the necessary upgrade path to pfSense Plus for instance types beyond those already covered, 2) hardware support updates, and 3) bug fixes.

Yes. Going forward, pfSense Plus customers will be able to reliably manage their IT infrastructure changes around three releases per year - planned for January, May, and September.

Absolutely not. Nothing has changed about our strong belief in, and commitment to, open source software. This is best expressed by specific evidentiary statements:

  • We are proud of our long heritage of giving back significant financial sponsorship, engineering and test resources, and upstreamed code to numerous open-source projects. Our project list includes Clixon, DPDK, FD.io/VPP, FreeBSD, Free Range Routing (FRR), Linux, pfSense, and strongSwan.
  • Netgate currently employs or contracts many developers with roles in the FreeBSD, pfSense, Clixon, and VPP/FD.io projects. Their contributions and responsibilities include development, administration, maintenance, release engineering, and foundation board membership. These developers, and many more at Netgate are regular contributors to these projects.
  • Netgate directly co-sponsors feature work. Very recent examples of contribution include kernel-resident WireGuard, crypto-offload, and Intel i225 ethernet drivers.

If you are running a paid instance on either Cloud Service Provider (CSP) partner platform, it is, by definition pfSense FE.

pfSense Plus will be offered on Amazon and Azure marketplaces at the same prices as Factory Edition is offered today. Pricing varies based on the underlying cloud compute instance. Both CSPs have their own software longevity policies. You may continue running your current pfSense FE instance into perpetuity. You will not be forced off. However, if you upgrade a deployed CSP virtual machine instance of pfSense, it will be upgraded to pfSense Plus 21.02. Further, new CSP virtual machine instances going forward will only be pfSense Plus releases.

Today, pfSense Plus 21.02 is only available on Netgate appliances, AWS, and Azure platforms.

We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner.

There will be a no charge path for home and lab use and a chargeable version for commercial use.

pfSense Plus is a branch of pfSense software, just as Factory Edition has been historically. Effectively, pfSense Plus is built upon a set of open source projects, namely OpenVPN, strongSwan, Free Range Routing, and of course FreeBSD. Integrating those project code bases together and adding value through that integration, e.g., GUI, API, etc. - is Netgate value-add for its customers. Anyone with the necessary skills could build their own product from the same open source components. Given that, customers can certainly see the vast majority of the underlying code of pfSense Plus, if they are so inclined.

As has always been the case, the latest pfSense Community Edition software release, in this case Release 2.5 (once available), will continue to be available through the project.

That is really up to how the project progresses itself, separate and distinct from Netgate - which is a company with its own products. If the community chooses to progress feature set, testing, documentation, and release packaging, there will obviously be progression beyond Release 2.5. Netgate will continue to participate both as a community member, and as project steward.

Beginning with the release of pfSense Plus 21.02 in February 2021, all Netgate appliances will factory ship with pfSense Plus software.

Simply upgrade through the pfSense software GUI or console menu on your Netgate appliance.

Documentation will initially remain as it is today, with references to pfSense Plus deltas where applicable.

  • Any new Netgate appliance will ship with pfSense Plus
  • Existing Netgate appliances can be updated to pfSense Plus via the GUI or console menu
  • Amazon and Azure Marketplace pfSense instances can be updated to pfSense Plus

Any existing instance of pfSense running on a platform not listed above and without an active pfSense TAC support subscription will be able to obtain a pfSense Plus subscription in a forthcoming release.

Yes. You can upgrade at any time from TAC Lite to either TAC Pro or TAC Enterprise.

TAC Lite is our new name for what we previously referred to as ‘zero-to-ping’ support - made available with all new appliance and CSP instance purchases. TAC Lite is the support that helps you connect your new Netgate firewall (one client online and pinging outside of your network) to the Internet.

By proxy, you may also upgrade from TAC Pro to TAC Enterprise at any time.

At the time of update, a new subscription period will begin. We will not, however, pro rate any remainder of the prior subscription.

Yes. pfSense Release 21.02 is a fork of pfSense CE 2.5. However, as has been covered in more detail above, over time they will diverge in terms of architecture, feature set, performance and manageability.

There is no change to the package support for pfSense CE. All packages available in pfSense CE Release 2.4.5-p1 will be available in pfSense CE Release 2.5.

Initially, pfSense Plus will maintain package parity. Over time, Netgate will evaluate pfSense Plus package support - based on customer demand and technology progression.