Rolling Updates / Releases versus Stable 18.1 Release?

[elektroinside]

Other offerings from Companies that would have you think they are ironed out and bulletproof and cost a lot of money to use for even 50 users per year, are simply not telling you everything.

I work with 3 of these. Man, I'm telling you, you are right, we are full of s**t. All marketing departments are selling big fat lies 24/7 and deceiving users as much as they can! For the last 15+ years!

[Davesworld]

I wouldn't go that far. I cannot blame someone for providing a usable service to a paying customer and creating a livelihood in the process. You guys are not full of it and likely would not knowingly and unscrupulously put someone's network at grave risk but would not want to talk about every little zit to the people who are paying you to worry about it. They pay you, you worry about the little zits and prevent the big festering boils or worse, festering carbuncles (a clustered group of boils, ewwww), I'll take a zit or several over a festering carbuncle anytime and be happy about it.

[mestafin]

Hi,

Given the responses to my original post, clearly illustrates the point that there are different opinions about this.

Decisio BV is closely associated with OPNsense and is sponsoring the development. They also sell consulting services and hardware linked to OPNsense.

Clearly, it is in the best interest of Decisio to make sure that OPNsense, even as an open source project, is successful.

The  iXsystems business model for Freenas with an open source community edition and a paid commercial edition, seems to be working very well.

The real money is in servicing enterprise level clients or relative bigger businesses and for these clients, stability is critical.

Before I started the our OPNsense pilot project as an option to replace our EOL Cisco and CheckPoint firewalls, I talked to a lot of people in the IT security field. One of the things I asked was - is it time to move away from proprietary solutions to open source? The answer to this can best be summarised as "... There are some good open source solutions available, but they are not enterprise-ready, they are not stable enough. You can use it for a small branch office, but not in your corporate data centre".

Unfortunately, after about 4 months of using OPNsense, I am starting to agree with that opinion.

Another point, there are some very good open source software available which are enterprise-ready and stable. It is therefore possible to create a development process to deliver great open source software with growing feature sets, without sacrificing stability in the process.

Clearly, more discussion and thinking are needed ...

[elektroinside]

That's a bit stretched... :-) I'm referring to stable vs enterprise.
I personally never deployed any software in mission critical environments without having enterprise grade support in the first place. And never heard anybody doing so. Doesn't really matter what kind of software it is, as long as i get enterprise support, i don't even care. But as an unwritten rule, you will only get this kind of support from very successful, expensive and high quality software/hardware developers/manufacturers. Many times with worldwide coverage. That's what enterprise usually means.

So I'm definitely not talking enterprise here. Just good old SMB stable.

[Davesworld]

Hi,


Before I started the our OPNsense pilot project as an option to replace our EOL Cisco and CheckPoint firewalls, I talked to a lot of people in the IT security field. One of the things I asked was - is it time to move away from proprietary solutions to open source? The answer to this can best be summarised as "... There are some good open source solutions available, but they are not enterprise-ready, they are not stable enough. You can use it for a small branch office, but not in your corporate data centre".

Unfortunately, after about 4 months of using OPNsense, I am starting to agree with that opinion.

If it gives you a warm fuzzy feeling paying for it, then by all means do so. I'm not wowed by the word Enterprise unless it's a Starship. A three man company can be an Enterprise, by that definition a fifty dollar firewall is Enterprise ready. What you suggested in your original post completely contradicts why OPNsense exists in the first place. It forked for a specific set of reasons and many of us are here for some of if not all of those reasons and because we just plain like the firewall compared to many others we have tried, some giving you a free trial before shelling out a lot of money to keep it. We also have no problem with learning how to use it properly for the application of such. Name one person or entity that had their network compromised due to OPNsense and not because of how they botched the setup of OPNsense.

Endian has the exact business model you seek. It was originally forked from IPCop years ago.

[elektroinside]

Did I mention compliance? Audits?
That's also a major player in enterprise-grade stuff...

[mestafin]

That's a bit stretched... :-) I'm referring to stable vs enterprise.
I personally never deployed any software in mission critical environments without having enterprise grade support in the first place. And never heard anybody doing so. Doesn't really matter what kind of software it is, as long as i get enterprise support, i don't even care. But as an unwritten rule, you will only get this kind of support from very successful, expensive and high quality software/hardware developers/manufacturers. Many times with worldwide coverage. That's what enterprise usually means.

So I'm definitely not talking enterprise here. Just good old SMB stable.

I agree with your view on mission-critical environments and enterprise support. That is not what I were advocating and I am not expecting OPNsense and Decisio to compete with companies like Cisco.

My use case for our pilot project is a small subsidiary with 2 servers running a few vm's - a typical SMB with less than 10 people. Despite this, I would still prefer the sysadmin responsible for their IT, to have stable firewall software that he can expect to work.

Let's be honest, the 18.1 release was promoted as the way to go and the 17.7 series was immediately marked as legacy. That implies that the 18.1 release is at least stable and production-ready without big regressions. Judging by the feedback in this forum, basic features did not work as expected or had issues.

As someone else pointed out, it would have been better to keep the 17.7 series as production and rather release 18.1 as beta or release candidates to indicate that there may still be bugs.

[mestafin]

If it gives you a warm fuzzy feeling paying for it, then by all means do so. I'm not wowed by the word Enterprise unless it's a Starship. A three man company can be an Enterprise, by that definition a fifty dollar firewall is Enterprise ready. What you suggested in your original post completely contradicts why OPNsense exists in the first place. It forked for a specific set of reasons and many of us are here for some of if not all of those reasons and because we just plain like the firewall compared to many others we have tried, some giving you a free trial before shelling out a lot of money to keep it. We also have no problem with learning how to use it properly for the application of such. Name one person or entity that had their network compromised due to OPNsense and not because of how they botched the setup of OPNsense.

Endian has the exact business model you seek. It was originally forked from IPCop years ago.

We do not evaluate and select software on whether we pay for it or not or whether it is called "enterprise-ready". If we did that, we would never have selected OPNsense for a pilot evaluation.

I am also not advocating a specific business model. I was responding to a statement made that it is doubtful if Decisio will sponsor more and testing and quality control.

The point that I raised in my first post, was that it may be time to consider a different release model that makes a distinction between a software release that is stable and can be deployed in a production environment, even for a SMB, and a release of new software that may still have some bugs

[mimugmail]

If OPNsense would be enterprise grade (not ready, grade), nobody woud every pay a dime for software :)
My personal mission is to make OPNsense competeable with UTM's like Sophos and this is way more to go than I expected but we are in progress and it's fun too :D

[elektroinside]

Take Mikrotik as an example. Awesome devices, brilliant software (also pretty complicated). Although one might think they are enterprise grade, they lack the support and so very few enterprises adopted them. Also lack the features of OPNsense.
But, their update/release channels are as in the freshly captured (attached) image from my Mikrotik (bugfix only, current, release candidate and development). This gives users plenty of options to choose from. And a warm feeling that there is a stableish channel, so no need to be that nervous about available updates. Sure, they have plenty of bugs as any other software, but most of them are in the development and rc channels. They are not opensource, but not enterprise either, putting both OPNsense and Mikrotik fighting for similar target audience.

[mestafin]

But, their update/release channels are as in the freshly captured (attached) image from my Mikrotik (bugfix only, current, release candidate and development). This gives users plenty of options to choose from. And a warm feeling that there is a stableish channel, so no need to be that nervous about available updates. Sure, they have plenty of bugs as any other software, but most of them are in the development and rc channels. They are not opensource, but not enterprise either, putting both OPNsense and Mikrotik fighting for similar target audience.

Separate channels are all I am asking for

[elektroinside]

Separate channels are all I am asking for

Yep, me too (if possible), as I said before...