Community vs. Business Edition

Started by GameNTechFocus, November 05, 2023, 12:17:44 AM

Hello,

I am currently in search of my first real firewall for home use. I have narrowed down my options to essentially two, and OPNsense is one of them.

I am curious what the community edition will be missing from a feature standpoint when compared to the business edition. I know the business edition gets less frequent updates, but that certainly does not seem like a reason why anyone would pay for a subscription.

Looking at https://shop.opnsense.com/product/opnsense-business-edition/, the primary reason to choose it is "access to selected professional plugins"? 

I didn't quite understand what offering selective path meant. But I am guessing community edition auto updates while business edition allows admin to decide whether to accept certain updates or not, or possibly even more granular update selection over the CE?

The primary reason I am asking this is because I am considering purchasing official hardware for whichever firewall I end up choosing. I know it's cheaper to build my own, but it's just my way of supporting the developer/product as well as ensuring I get the full intended experience of the developer.

With this, I see OPNsense will give 1 yr of subscription free, but after that I will lose it. So I am curious what functionality I will be losing.

Thank you

November 05, 2023, 07:50:53 AM #1 Last Edit: November 05, 2023, 10:15:35 AM by Monviech
The business edition has a slower release cycle but each release is less likely to introduce bugs or break functionality.

The business edition is the downstream version of the community version and lags behind. (In my experience like 3-6 months)

There are some plugins like os-opnwaf and os-opncentral that offer some extended functionality. But these are only plugins; all core functionality is exactly the same, so it's easy to switch between business/community.

https://docs.opnsense.org/third_party_plugins.html#deciso

I've recently gotten official hardware for home use too, and together with the business edition it runs great and it gives me peace of mind.

Professionally I always use the business edition in combination with the official hardware too, runs great.

Hardware:
DEC740

November 05, 2023, 01:22:29 PM #2 Last Edit: November 05, 2023, 01:25:51 PM by GameNTechFocus
Thank you for the detailed reply.

Less frequent, fewer bugs sounds totally in line with a business setting vs. sooner, newer tech for community; it makes total sense. I like the separation.

But if BE is just downstream of CE, why can't we just wait to update CE until we see the next chosen BE edition? Then use that version of CE to update? Are updates automatic, so that you cannot turn them off?

Or there is a bit more tweak/selective features in BE version as compared to CE?

Whenever there is a new community release the older ones will cease to receive any - possibly security relevant - updates. There is only ever one actively supported release train in the community OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 05, 2023, 01:27:49 PM #4 Last Edit: November 05, 2023, 01:35:15 PM by GameNTechFocus
Quote from: Patrick M. Hausen on November 05, 2023, 01:24:53 PM
Whenever there is a new community release the older ones will cease to receive any - possibly security relevant - updates. There is only ever one actively supported release train in the community OPNsense.

Ah I think I'm getting it.

Basically, BE, which is older version of CE, still gets their security patches. While that corresponding CE version is no longer active, so it won't get the security patch. So the main advantage of BE is stable, better tested version while still getting critical security patches. While CE has more features but with a risk of stability/bugs that community are contributing to test. Is this correct way of interpretation?

Is there any talk about offering BE equivalent for home user. Not sure if it's ok to bring up competition name, but they do offer lifetime business edition when purchasing their official hardware.

November 05, 2023, 01:45:28 PM #5 Last Edit: November 05, 2023, 02:17:11 PM by Patrick M. Hausen
Quote from: GameNTechFocus on November 05, 2023, 01:27:49 PM
Basically, BE, which is older version of CE, still gets their security patches. While that corresponding CE version is no longer active, so it won't get the security patch.

BE is not simply an older CE version. It's a completely separately maintained edition with its own lifecycles and maintenance. Features are ported from CE to BE as the developers see fit.

Quote from: GameNTechFocus on November 05, 2023, 01:27:49 PM
While CE has more features but with a risk of stability/bugs that community are contributing to test. Is this correct way of interpretation?

I think you can put it this way.

Quote from: GameNTechFocus on November 05, 2023, 01:27:49 PM
Is there any talk about offering BE equivalent for home user. Not sure if it's ok to bring up competition name, but they do offer lifetime business edition when purchasing their official hardware.

pfSense? Their development model is completely the other way round. Business edition changes at a faster pace. And without a support contract what's the value of anything named "business", anyway? OPNsense or pfSense ...

I run CE in production on all firewalls. The key is to have a proper test and QA environment and concept for staged rollout. I deploy new releases in this order:

- test/lab environment
- my private firewall at home
- the two office firewalls for our locations in Karlsruhe and Frankfurt, one uplink, simple outbound NAT
- my customers with a single firewall
- our datacentre high availability pairs serving hosting environments

I prefer the faster development cycles and the fact that I can quickly get essential features or fixes in via merge requests. That saved our life when we first migrated to OPNsense - some of the IPsec VPNs to customers would not work, which I was able to fix myself rather easily.

I do buy official appliances to support the project and then simply because they are great quality and value for the money.

HTH,
Patrick

November 05, 2023, 02:12:35 PM #6 Last Edit: November 05, 2023, 02:16:06 PM by GameNTechFocus
Thank you Patrick,

Very helpful insights.

Quote from: Patrick M. Hausen on November 05, 2023, 01:45:28 PM
BE is not simply an older CE version. It's a completely separately maintained edition...

Can you please elaborate on this a little? Are you referring to the fact that BE chooses subsets of CE to ensure the highest stability? Or is there actual internal code that is proprietary to BE, such as code that makes the BE edition more stable than CE?

By the way is BE also open source?

Since you have been doing a systematic, step-by-step deployment using CE, how often have you come across a certain iteration of CE (since their patch cycles look fairly frequent) where you feel like you can't push it to the next level? If so, what were some of the major issues you ran into?

Again, thank you for your insights! This has been very helpful.

November 05, 2023, 02:20:55 PM #7 Last Edit: November 05, 2023, 02:23:25 PM by Monviech
If you look at the patch notes of the BE edition and compare it to the CE edition, you will see that the commits match between the two. I made some commits to the community edition, and later they appeared in the Business edition as well. It's all very transparent.

Look at this for example: https://github.com/opnsense/src/issues/187

Right now two of my business firewalls run a community kernel on the business edition. It's all open source.

The difference is "release engineering" by Franco, to make sure that the version is tested and ready for deployment in business infrastructure without worrying about doing your own testing.

That makes sense and good to hear.

Thank you!

A lot of good points have already been made. Let me just fill in the few gaps that are left.

The business edition is not open source in the sense that you can rebuild it from the source tree. It was my initial wish to publish stable branches for the core, which we actually did in 2021:

https://github.com/opnsense/core/tree/stable/21.4
https://github.com/opnsense/core/tree/stable/21.10

Unfortunately they have been misused so we no longer provide them. FWIW, there were also no questions about these branches ever and nobody asked for them to remain, too.

Yet the core side of the business editions still uses all open source patches found in https://github.com/opnsense/core but they are being managed differently for reduced release policy and out of band security updates (something we rarely do for community release since we can simply release a new version 2 weeks later with the latest third party updates).

So you get a different release style which is constantly being improved (the approach designed in 2021 was more conservative than what we do now). You can do something similar manually in the community edition when unhappy with the release volume, but it requires knowledge of how the software components work, where the updates are published and stored and how to get to a consistent end result.

The second part about the business edition is the business plugins which may be overkill for non-business users. Most notably the ability to manage multiple firewalls using a central management GUI.

We have been discussing additional home and enterprise versions, but nothing concrete was decided at this point as both come with additional challenges and require further infrastructure improvements.

Happy to answer more questions.


Cheers,
Franco

November 06, 2023, 06:49:51 PM #10 Last Edit: November 07, 2023, 04:30:42 PM by GameNTechFocus
Thank you for the detailed explanation.

It's interesting to hear that you're considering additional versions.

Quote from: franco on November 06, 2023, 10:22:49 AM
We have been discussing additional home and enterprise versions, but nothing concrete was decided at this point as both come with additional challenges and require further infrastructure improvements.

Actually, I got one more question.

What happens after 1 year BE access expires? Do we need to re-install CE at that point?

Has your team or the community ever discussed the potential of offering an unlimited (not just 1 year) Business Edition pathway to those who purchase official hardware, without the technical support component? Similar to the competitor's approach.


> What happens after 1 year BE access expires? Do we need to re-install CE at that point?

The business update mirror will not provide any more updates to expired keys. You can use the installation as it is for as long as you want in the fixed state or move it to a community release (without reinstall) and eventually move back to business (without reinstall) if you so choose.


Cheers,
Franco

Quote from: franco on November 06, 2023, 10:22:49 AM

We have been discussing additional home and enterprise versions, but nothing concrete was decided at this point as both come with additional challenges and require further infrastructure improvements.


Hi Franco, have you guys had a chance to consider some other Home subscription options for people with OPNsense hardware? I am dreading the day that my business subscription will run out and it's really hard to justify the 150eur fee for home use.

I'd be more than happy to pay for access to a stable release channel for home use, but the current price is around 3x my pain threshold.

If I am forced to switch to community edition, do you have any tips on how to stay on a stable release schedule, closely tracking the business edition version? Is there a way to install a specific release using the GUI? For example, Business edition 24.4.1 is based on 24.1.8, but 24.1.9 has since been released. If I were on community edition, I'd like to install 24.1.8 as of today.


Hey guys,

I also want to support the project and thought about the Business Edition.

Maybe there is a "business edition" for Non-Commercial / Home use in the future...


I buy "official" hardware wherever applicable and then run the community edition. You might want to consider that. It's a one time expense and the devices are awesome.

For all my customers it was essentially a no-brainer when we switched from Sidewinder. 1500€ per unit and *no* recurring costs? Shut up and take my money :)