Posted on: 2024-06-13
We have deployed pfSense-based firewalls at a few client locations. pfSense (or OPNsense, if this is more your thing) is great because it's a really powerful firewall solution which works well for complex networks too. Unlike many proprietary counterparts, there are no artificial limits introduced. All the power of the hardware and software is in your hands, not hiding behind license keys.
You can install pfSense on your own (x86) hardware or even inside a virtual machine, but if you require "enterprise"-level reliability and support it's best to buy an appliance from Netgate, the makers of pfSense.
I recently checked the status of one of the appliances we used a lot in client setups, and on the Netgate website it says they have reached End-of-sale a while back and will reach End-of-life this year. What does that mean? I expect professional equipment to have a longer life expectancy than a smartphone in the hands of a teenager! Do we have to replace it now??
No, of course not.
There are two flavours of appliance: x86-based appliances and ARM-based appliances. Most of the devices are x86-based, including the one we deployed. x86 means that they are just regular PCs. They will continue functioning as regular PCs until the hardware dies. Providing software updates long past EOL doesn't cost Netgate anything extra and they are not being asses about it. I've read forum posts about people still getting updates for over 10-year-old appliances, so no issue there. We seem to be in the clear.
Even if official updates ever stop, one can install pfSense Community Edition, OPNsense or some flavor of FreeBSD or Linux and continue using the device. But at this time switching to newer, more capable hardware is probably the way to go. The old appliance then still doesn't have to be scrapped but can be given a different task.
The big issue is with the ARM-based devices. The problem is that there is no standardized way of booting them and chip manufacturers often require binary blobs in the kernel or bootloader for all the hardware to function. In general, if the chip or board manufacturer loses interest, there is often no way to get a newer kernel than the last one provided. This is a big issue with many ARM-based boards including Orange Pi, Banana Pi and all the other various non-Raspberry variations.
This means there is also no readily installable ARM image of pfSense. All the sources are in the Git repository, so it should be possible to build it manually, I guess...? But this requires a lot of effort!
Until there is more standardization, it's better to stick with x86 for long-lasting setups. Well-supported ARM systems such as Raspberry Pi are fine too for small servers, but not for pfSense.