OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: Jack V on March 11, 2021, 12:48:04 pm

Title: Is OPNsense stable or not? Is it really production safe or not?
Post by: Jack V on March 11, 2021, 12:48:04 pm
Years ago I switched from m0nowall to OPNsense and I love it.

It's Dutch / European, I love it and I never want to change to something else anymore.

But through the years of using OPNsense there is something that makes me wonder:

Is it stable or not? Is it really production safe or not?

So many updates and a couple of times in the past I ended up with a weird working firewall/router or not connecting any more to the internet. This all with vanilla installs, nothing added.

Every time there is an update I now completely expect the worst and sometimes just delay updates/upgrades just to be safe.

Now again with the production release of 21.1.3 I see posts here on the forum and on the net of stuff breaking due to the updates/upgrades.

Even the latest release notes say: "We encourage everyone to install this version in a test environment before using it in production. As usual, please have a look at the plugin changes[1] and report bugs on GitHub."

Wait what? In a test environment? And we need to report bugs on GitHub?

What does "production" even mean? Not stable? Unstable?

Is it a rolling testing distribution like Fedora and Tumbleweed are?

I have never seen Deciso appliances in the wild, but don't companies want a stable operating system with low maintenance and safe update cycles with stuff that won't break?

Sorry if this comes on a bit too harsh for the devs, but this is something I really don't like of the distribution for a long time now  :-\
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: 5SpeedFun on March 11, 2021, 02:36:32 pm
I recently had arp crashing on 21.1.1 and 21.1.2

21.1.3 fixed it for me.  YMMV.

Btw, your question could be the same for any product.  I've had friends with Cisco TAC cases open > 1 year for bugs that needed to be resolved.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: mimugmail on March 11, 2021, 03:06:51 pm


Quote
Even the latest release notes say: "We encourage everyone to install this version in a test environment before using it in production. As usual, please have a look at the plugin changes[1] and report bugs on GitHub."


This is a comment of the author of HAProxy plugin. Most plugins only have community support and are only tested by community. Using core features should work mostly.

If you need a 99,99% stable system with less update frequency then just take the business edition which is some months behind and the price is more or less symbolic.

P.S.: I use it in production for many customers, in azure, hyper-v, esx, hardware, around the world, connection of 100 branches to central ... Just don't install every update when it's released since most of them only introduce some minor features or fix minor bugs (but may also introduce some)
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: thowe on March 11, 2021, 09:25:19 pm
As so often, one can judge the situation from very different angles. But I can understand the uncertainty.

Basically, one could have the attitude that it is an open source project and one can voluntarily use the software free of charge and therefore not make any claims.

On the other hand, one could take the OP's question seriously. I think we are all interested in OPNsense being just great and being perceived that way. And even if bugs are only cosmetic or annoying, they can still cause confidence in the product to suffer, and perhaps even confidence in the security of the product.

As a software developer myself, I try as much as possible to take the criticism or personal perceptions of customers or users as a valuable reflection without feeling attacked myself. Feedback is something very valuable. And I always ask myself then, what can I draw from it to make the product or the communication around the product better. And I think that is almost nowhere as important as with a security-relevant software like OPNsense.

In the simplest case, the answer might be: it's open source software with fast release cycles and you have to tolerate minor glitches. If you don't want to or can't (which is justifiable), then it is recommended to use the more rigorously curated and tested business releases for a small fee.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: Ricardo on March 11, 2021, 09:35:09 pm
How does the business edition differ exactly from the free version? The official opnsense shopping page does not go into the details.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: franco on March 11, 2021, 11:55:06 pm
Quote
Is it stable or not? Is it really production safe or not?

So what's our point of reference. OPNsense a minor or major release ago, a few years ago, a commercial firewall or another open source product or pfSense particularly? Details matter and heartfelt discussions tend to not provide enough hard evidence.

Quote
So many updates and a couple of times in the past I ended up with a weird working firewall/router or not connecting any more to the internet. This all with vanilla installs, nothing added.

Some people like the updates, some don't have issues. Everyone can trash their firewall at some point. Again, what is the baseline and how can we match it. :)

Quote
Every time there is an update I now completely expect the worst and sometimes just delay updates/upgrades just to be safe.

So don't update or wait a week to apply it. I do not understand the need for people to update and complain at the same time about having to update. Nobody has to update and we never forced nor will we.

Quote
Now again with the production release of 21.1.3 I see posts here on the forum and on the net of stuff breaking due to the updates/upgrades.

So what broke for you? So far we have a benign dashboard issue (stupid mistake of course but impact is zero), browser compatibility issues (which project hasn't seen these) and a disk layout possibly disintegrating. If you can show me the production bug you are worried about we can have a look?

Quote
Even the latest release notes say: "We encourage everyone to install this version in a test environment before using it in production. As usual, please have a look at the plugin changes[1] and report bugs on GitHub."

https://github.com/opnsense/plugins/pull/2214#issuecomment-791024310

It looks like a complete misunderstanding of what was being said and done. Are you using HAProxy? Have you worked with maintainer Frank before on issues? He does an outstanding job on supporting issues with the plugin for free if you haven't met him.

How is this bad (for you)? :)

Quote
Wait what? In a test environment? And we need to report bugs on GitHub?

Er, yes, BSD license comes without warranty and liability. This has never changed. If you want to report a bug you will need to go to the bug tracker. I am unsure what the issue was in the first place.

Quote
What does "production" even mean? Not stable? Unstable?

Without said point of reference we will never know?

Quote
Is it a rolling testing distribution like Fedora and Tumbleweed are?

Not entirely. We have two major releases and minor releases in between. That never changed. Features are added to minor releases if demand is high or maintenance is due or when they have been sponsored.

Quote
I have never seen Deciso appliances in the wild, but don't companies want a stable operating system with low maintenance and safe update cycles with stuff that won't break?

It's going further off-topic.

Quote
Sorry if this comes on a bit too harsh for the devs, but this is something I really don't like of the distribution for a long time now  :-\

I'm not sure what to change. We have these sentiments from time to time and adjust according to the will of the people, but it's impossible to appease everyone all the time. If we have updates there is code churn there are issues and which other software does not have issues on new releases?

I get what you are saying and the reality is that this is not the way software projects will work out in practice.


Cheers,
Franco
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: fulb on March 12, 2021, 03:22:43 pm
I am new on opnsense firewall and would like to say thank you very much for this amazing piece of software.
I am trying to implement this in my home-office equipment. In the past I had very bad experiences with the stability of UniFi Software, so it is a good point for me to watch the user reports in this forum.

Normally I wait a month before I upgrade my "productive" environment having a backup and a snapshot of my virtual machine ready for a fallback. But I understand the thoughts with which version someone should start. Sometimes a version is more bulletproof than others.

Best regards from Germany
Frank
 :)
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: Jack V on March 13, 2021, 10:50:15 am
This was quite enlightening the answers I got here.

I never knew that there were 2 versions of OPNsense.

I always thought you could buy a business support subscription on top of the version you can download from the main opnsense.org website.

The website gives the impression that there is only one version of OPNsense.

So if I understand correctly:

One is the default version that is not stable/reliable and production ripe you can find on the main page of https://www.opnsense.org/

And the other version is a stable version called the business version which is more stable because it only gets safe updates and upgrades that won't break anything I guess.

The one you can download from the main opnsense.org website I consider that unstable and I even want to slap a testing label on it when you compare it to how other BSD like and Linux distributions handle it all.

This should be expressed on the main website that this is a testing branch rather than a stable branch version to keep users from big surprises that their firewall, their main gate to the internet, is at risk of breaking down due to updates and/or upgrades.

Calling it "production" isn't that a bit misleading?

You can name it like that because it's constant work in progress, but at least tell your users that it is a testing/unstable branch and that they should expect bugs that might break your firewall/internet gateway on a regular basis and that it should be considered as unreliable.

The name production means (to me) being stable, reliable, code mature, ripe for live production environments.
 
Quote
Is it stable or not? Is it really production safe or not?

So what's our point of reference.
A system that is stable and reliable enough that you can count on not to break every month due to updates/upgrades?

And on what part of your network you want stability and reliability? Right, your gateway to the internet!

Now I am a (sometimes grumpy) old fart and have seen and used lots of distributions through the years since the 90's. But when the other distributions call something stable and reliable they mean it and you can expect that the code is mature enough to be used live in production situations and relied on.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: Fright on March 13, 2021, 11:10:25 am
imho it's a terminology question
stable is pre-tested or ready to install on production servers?
just a question: do you install software updates from other vendors on production servers the same night they are released?
Quote
But when the other distributions call something stable and reliable they mean it and you can expect that the code is mature enough to be used live in production situations and relied on.
;D sorry
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: Greelan on March 13, 2021, 11:15:39 am
I’ve been running OPNsense now for 6 months and besides an IPv6 issue that was fixed really quickly I have found the core operation to be very reliable. Is it perfect? No. Does it do a great job overall? In my experience, yes. It is certainly a whole heap better than my previous router (UniFi Security Gateway). And I find the attention to constant improvement to be heartening.

If you want to be taken seriously in your comments and not just viewed as a troll, give concrete examples of issues that have affected you that are not just minor or cosmetic. Otherwise I am not sure anyone is really interested in your ranting. 😀
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: marjohn56 on March 13, 2021, 11:27:59 am
As I said in a message yesterday, the only time my primary router needs or gets a reboot is when there is an upgrade, sometimes I skip a couple as I might forget so it might go for example 20.7.1 to 20.7.3. Never have I had a showstopper in what must now be three years. Is it stable, if you don't mess about with it, yes very, is it 100% perfect, in your dreams... Is Windows bug free? is it buggery, do they call it stable, yes they do.


My test router gets constantly rebooted and hammered when I'm working on something, and odd things do happen, but that's what it's for.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: franco on March 13, 2021, 07:38:35 pm
Quote
A system that is stable and reliable enough that you can count on not to break every month due to updates/upgrades?

It's still wishy-washy I-want-it-all talk. I get it you don't want changes. You can have that by not updating I mean what are updates for anyway if it works... :)

Or you can try out the release engineering process involved in a release yourself and see how it turns out on your local box. Open source is great.


Cheers,
Franco
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: Patrick M. Hausen on March 13, 2021, 09:32:49 pm
Quote
A system that is stable and reliable enough that you can count on not to break every month due to updates/upgrades?

Who said monthly updates break things? I have not had a single function of my OPNsense appliances broken by updates since my initial install. Only minor glitch that could easily be worked around and was fixed with the next update. You are just spreading FUD. Open Source projects receive regular updates all the time. I patch around a thousand customer systems based on FreeBSD every single f... month. 2nd Tuesday in the month - all systems marked as test/staging. 4th Tuesday - all systems marked as production. Automated.

Microsoft rolls out monthly Windows updates on patch day. Unstable, immature, not suited for production according to your logic.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: sorano on March 13, 2021, 10:11:33 pm
Quote
Btw, your question could be the same for any product.  I've had friends with Cisco TAC cases open > 1 year for bugs that needed to be resolved.

Very much that.

OP:
No matter which product you use there will always be bugs.

Is Exchange production safe or not when you get hit by a HAFNIUM 0day?
Is Solarwinds production safe or not when they get totally wrecked by a supply chain attack?

So, it comes down to how you want to handle it. If you want to play it safe, then I would wait a while when a new update is released.
Title: Re: Is OPNsense stable or not? Is it really production safe or not?
Post by: hfvk on March 14, 2021, 09:44:56 pm
My strategy has always been the following:
First, check the security advisories and other critical fixes. Are they affecting my system or am I using the affected software?
a) If yes, then I will wait for a couple of weeks to see what kind of issues other users have possibly reported. Backup, reboot and then apply updates.
b) If no, then I will likely skip the updates unless I have a specific need or reason to upgrade (e.g. new critical feature). But again, I will wait for a few weeks to see what kind of issues others have reported.

I love OPNsense (and Sensei). Rock solid combination.