This hits a little bit close to home. I have used and recommended pfSense for many years and overall it has been an extremely stable and relatively feature-rich option.

But to say that the move to 2.5 was botched would be kind. We rolled out a new pfSense device on a non-profit's network we help to manage to turn up a new site, and the system acted flat-out broken when trying to connect IPSEC VPN to the main system back at the HQ. The recommendation, of course, was to update all the systems, so we scheduled the outages necessary to load the new updates and reboot. After the updates, the entire VPN network was down and would not re-connect.

I fiddled with it for some time before opening a paid support case with Netgate. They had it fixed within literal minutes of opening the case (yay!) but the report on what they did to fix it was a bit vague, to say the least. Although the case was resolved, we noted that no configuration change had been made within the GUI. Odd.

Nobody here knew anything about what had been happening behind the scenes with the Wireguard mess, but something about the response we got on our case just didn't feel right. Looking around online, what we experienced with the VPN doesn't seem to have been an isolated incident. The lack of transparency from Netgate was disappointing. I find that I have much better tolerance for a problem when the vendor will own it and explain the way forward. Hushed conversations and finger pointing tend to lead to distrust. I hope that Netgate will do better in the future.

I'm directly responsible for the management of a couple dozen pfSense devices and we support dozens more. It's been a great product. I'd like to continue to be able to confidently rely upon and recommend pfSense.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ

On 3/27/2021 11:42 PM, Michael Stauber wrote:
Hi all,

This is not BlueOnyx related at all, but if you want a giggle at the
expense of others, say no more:

https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/

TL;DR: Netgate paid a convicted felon to port WireGuard into the FreeBSD
kernel to make it easier for them to use pfSense on FreeBSD for their
stuff. That guy eventually delivered and the code submission was merged
into the code tree for the upcoming release of FreeBSD 13.

Until the FreeBSD core maintainers found out what an unmitigated and
exploitable disaster that code was. "Bad" just doesn't cut it. It was a
hell of a lot worse.

So in a two week bender they rewrote it from scratch on their own. Which
gave Netgate the fits and put them into a rage-fit of accusations and
easily refutable denials. The reason for that unwise move was: They
already had merged the shitty pre-beta FreeBSD-code into pfSense 2.5.0
(released a month before FreeBSD 13 was to come out) and FreeBSD's fixes
now clearly showed what an exploitable buggy mess pfSense 2.5.0 actually
had become.

End result: FreeBSD and Netgate no longer seem to be "friends" and
WireGuard has been stripped from the upcoming FreeBSD 13 release entirely.

That went well. /facepalm

I actually liked pfSense a little. Now I'm wondering what other
"surprises" they have under the hood. :-/

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx