I think it is very clear the areas of opportunity to ClearOS, since they released version 6 without email, it lost the direction of the distro, many are testing other options, zentyal, pfsense,
I have 12 years working with Linux, and its greatest strength, are Community, I think on this occasion was not heard the community, today there is not much time to be waiting for a new version,
  customers want a reliable solution.
have and talked about zentyal, pfsense, say zentyal is heavy, but it has many more applications that do not have ClearOS,
Zentyal in each version has more applications, ClearOS has less
remember the passage of ClarkConnect 4.3 to ClearOS 5.0 also hotly debated, but in short time and stable, and the technology did not have the speed you have now,
Like many I test Zentyal, pfsense, and I hope this week to have them in production,
I hope the manager of ClearOS soon have a stable and good, competitive for the market, and something important to listen to the community

sorry but my English is very bad, I hope to broadcast my message

he setup more the 15 time la version 6.xx, que ya no se en cual paid zarafa,
deseo dar gracias a timb, por el gran apoyo a la comunidad.
regards :silly:

HI Donnie,

I prefer to see concentration on some of the modules already there like reporting, IPS and QOS.

ClearOS 6 is all about getting rid of the crust from 5.x and focusing on a better experience (for both users and developers). There will always be new apps in the pipeline, but that's not our culture :-)

- QoS is getting closer to completion -- I just saw a nice demo of the GUI that will go on top of the alpha app that was released in February. Details @ http://www.clearfoundation.com/docs/developer/apps/qos/taking_qos_for_a_spin

- As for reports, we always refer to it as "reports, reports, reports" internally. It's a high priority roadmap item that will get a good chunk of resources thrown at it in the next 6 months... I think. The medium/long-term roadmap/resource decisions for are going to be made in the next few weeks.

- Is there a particular enhancement that you want to see with IPS besides a better report? Just curious.

Very Interesting post. A good read it was for sure. I thought I would make some responses to your comments for the sake of conversation.


Security.

I agree with you on separation of duty of devices for several reasons. First is of course, less things running on a gateway type device less change for something to happen by accident either through development or possible exposure. Secondly I do not like to mix spheres of criticality. So I do not see it as a good thing to have your backup or fileshare box eating up the resources of your primary security device. One is far more important than the other.

IPv6.

Triple NAT... good lord.

VLAN.

I saw a hard move to L3 separation myself some 10+ years ago. Cisco themselves used to preach the campus wide VLAN but as things got busier and there were more devices that became an issue of course and the drum beat changed to L3 separation in as many places as you can put it so of course. I still fully believe this is the best way on corp networks of any size but I too see a resurgence in using layer 2 overall which means of course that to keep the broadcast domain within bounds you have to use VLANs. All you have to do is wireshark a typical corp network to see that.

Routing.

I am a HUGE believer in dedicated resources. I often time here people ask "why does that Cisco router or switch cost so much more?" Well obviously its all the RnD and very much all the different hardware inside of it that is specialized per task. A general OS not tuned to its hardware specifically and with just a single CPU and RAM pool can never compete with something that might have several CPU's and sets of memory that was propose built from the ground up.

But with that said there is a place for things like ClearOS, Zentyal and Pfsense. While other things might be technically superior the economics of the matter is that more performance usually incurs more specialization which incurs more cost. So having a lower end device capable of less and doing more jobs means far less cost but in many cases you only need so much. So while spending less you get less but it might be all you need. The catch though is that as internet speeds move forward you need more performance. Yes CPU's continue to increase in relative speed as they always have but oftentimes you can get into bottlenecks long before you max out a CPU. The market and the technology balance I think is right at this time for things like ClearOS to excel and do well. Now if all of a sudden internet speeds say double while general hardware leisure's about there would be an imbalance and you would see more devices being used with dedicated resources.

As I see the future:

There have been dedicated CPU's for things in many devices for sometime. This is not new but the players were always the same as far as I could tell like Motorola, IBM, Intel etc. If what you say about ARM is correct that would be an interesting change to things. But I have to admit I have not seen ARM in anything I have cracked open that I would consider a serious device. But obviously I do run around doing that all day so. However I will be on the lookout.

IPv6

I agree here too. IPV6 has to happen. To many devices and to many networks at this point to do anything else. I think the initial projects people implement to switch will be rocky but after the general public gets a few under their belt it will accelerate greatly.




My own overall thoughts on COS are this. It is a great product. I find it more reliable and having more features that I look for than in similar products. It is why I use it at home (granted I cheat a little I also use a Cisco ASA5505 but I am a little more security aware than the average Joe). But while COS has many solid functions I find them to overall be very lacking of polish. It seems to me the emphasis is on adding more modules instead of making better the ones that there are. I think this is incorrect and while new things should always be worked on I prefer to see concentration on some of the modules already there like reporting, IPS and QOS. In believe you cast a wider net with good form and function than just taking the shotgun approach on modules.

I love using COS, I trust it, I believe in it but I want to see more out of it and I look forward very much to that.


Thanks,
Donnie

I am new here. I came here to meet my NTDomain/fileshare needs. This is my 3rd server since I started with a home server in '95. That NT server ran with barely a hiccup until '09 when the drive started reporting errors. I looked around, I only wanted a Redhat/Fedora derived OS, and tried AMAHI for a few years. OS stability and direction with AMAHI has brought me here. I am still tuning things up, but my basic needs have been met, so I expect to stay around for a few years.

That said, I will provide a little of my bonafides before diving into my view of the future/present of small business/home networking.

I have been active in IETF since '93. Thank me (or blame me) for: TN3270E, RFC1918 (history of which I sent to private email to PBaldwin and DLoper), IPsec, and HIP; I either created, drove, or had a major hand in each. I have been active in IEEE 802 since '01. There I have worked on 802.11i (keeping an eye on 802.11ai), 802.1AE, 802.1X, 802.1AR (well only at the beginning of this one), and now am chair of 802.15.9 (Keying for 802.15.4). I was principally a networks guy from '81 - '96 (starting with X.25 through SNA and XNS to IP), then shifted to network security. I worked 14 years at ICSAlabs before I was switched to the Verizon Enterprise Innovation Group. I am NOT a programmer. Never programmed in C; I DID program in B off and on for a couple years.

Now onto my observations:

Security.

OK, I am a stereophile; I am very reluctant to run a gateway firewall on a server with lots of other services. Unless I had a hypervisor and security containers. (I am being pulled into NFV and SDN at work). You want a firewall? Run OpenWRT on an ARM box if you don't want something from Sonic or Juniper (for example). IPsec? Oh gee, help me here. Part of the reason I bailed during the early IKEv2 days and went and created HIP. Complexity for the sake of market share, IMNSHO. Again, terminate this at a box designed to handle it. I was one of the authors of the ANX, but in the end all the autos backed away; the admin cost was killing them.

As for Clear security itself. I don't like no selinux; it was developed for a reason. I know 1st hand it is hard. I have it on for my DNS and mail servers, and it took work to set up the selinux policies. No iptables as default? My head is pounding. All the more reason for VLANs and limiting access to my Clear server. The basic config should have iptables running; as you add an app, it MUST tell you what ports it will need open and get permission before it installs. If necessary, use something like Shorewall to just manage iptables for the multiple interfaces needed in Clear (see VLANing below).

IPv6.

Get with the program. IPv6 day was almost a year ago. IPv4sundowning is now being worked out. In two years it will be hard for some mobile agents to get to ipv4 only services without paying for the privilege. Right now we are already seeing triple NAT hops and it will only get worst. This will mean DHCPv6 support, though RA is easier; at first.

VLAN.

At the last IEEE 802 plenary, Norm Finn (go to ieee802.org and look for tutorials) said that today's Vlans are not just plain old 802.1Q and bridging is not what you learned about from Radia Perlman's excellent book. L2 is VERY active. No major ISP can run without it any more. It will become a fact in homes and office buildings. You have already seen it in VoIP. It is practically required for home entertainment (10ms from hitting that drum to hearing it in your headphones through your networked amp). HAN (Home Area Networking) with its multiple L2 mediums will be highly VLANed. Office energy and security along with VoIP ARE using VLANs. Will Clear need VLANs? Depends on the services run; **I** don't need it (even though I have multiple VLAns here), but others will.

Routing.

Oh come on, what kind of performance do you expect? A router needs dedicated hardware. Same with bridging, of course. OK a gateway system SHOULD be bounded by the upstream speed. But if it is FiOS or some other 802.3ah product (10Gb)? And what about traffic between local subnets. A nice feature, but it will lead to bad experiences for many.

As I see the future:

ARM is taking over with dedicated functions for gateway, firewall, routing, bridging. Big iron to do these things (from an old IBMer) will not compete. The big differentiator here will be consistent management/reporting; Clear should be looking at how to manage these beasts, not compete.

IPv6 accelerating. Going to happen. Has to happen. Ride the wave.

Rich home/office physical media. Many ethernet types, Powerline, many wireless, and many upstream connections (requiring IPv6!). Stay out of it, but help manage it. VLANs will be required.

File servicing/syncing still a major challenge. Everyone is in this game looking how to make money. Problem is that Apple/Google/M$ are working hard to 'own this, but they really can't. Can't give a recommendation on this due to day job.


So just a bit of my world view.

Sorry I should of been more clear, routing vlans through the gateway was not what I was hinting at all. I was hinting that vlans are a needed feature.

Don't get me wrong I am not anti MS, in fact I am an MS Partner myself, and I work for one as well, it doesn't mean however I must like every solution on offer.

This entire thread was started as an observation at what I am seeing across the board. I love clearos as a product, its great it does what it does fairly well, its being tuned and polished and the devs chip away at feature requests and timeline really well.

Most people I am chatting to at least in the circle of admins and colleagues / member organizations I deal with are under the impression that ClearOS 5.x was a massive jump from Clark Connect. Clear Foundation wished to pursue the 6x platform and its required massive amounts rewrite, and plenty of work all around. With the good also came some bad, some features had to be dropped as they didn't gel into the new framework.

There was a feeling that 6x wasn't as polished nor as complete as 5.x. People bitched people moaned about the changes some stayed some left, again its natural attrition when undertaking what the foundation is doing.

I guess as in the UTM / Edge space its failing, as a connectivity server its thriving. Some agree with some of it, some, none at all.

I´m a long time user of clearos(cc) been running mail systems (for my self) for a long time on them.

During the years i have tested most(all?) firewalls that are doable running at home.

Atm i´m running pfsense since a few years back and a raspberry pi as mailserver (not a highload domain.

My pc only have 2 interfaces so i need to have vlan capable software in order so be able to run my dmz with gameserver,web,etc.

I really think the possibility in running vlan would be really good for clearos, you dont need a really big network(3networks in my case) to have a benefit from that.

you have a awsome product but my 10cent is to implement vlan.

regards
/d

Call it what you will TMG is not a mess. Is it perfect, is it the best thing out there? No but its solid for what its designed for which is simple implementations or special implementations for things like Exchange 2010. You want to dig on it because its made by Microsoft you go ahead.

I am not sure how you come to the conclusion on a discussion of border products that being a better border product does not matter. I do not pretend to know all of anything but as I understand it in most cases these implementations as you mention are internet gateways. If security is not an equal goal to functionality in that arena you are doing yourself and your customers a huge disservice.

I do not understand the VLAN requests myself. I cannot see why anyone would run additional L2 to what should be a routed gateway. All that does is invite trouble in multiple areas. In such cases your gateway should be your gateway and their should be an intermediate routing device to handle the multiple subnets. Sending all your local traffic to your gateway just to route it locally is wasteful.

Lets lay it on the table so to speak. The reason you generally use products like Pfsense, ClearOS or Vyatta instead of things like Cisco and Juniper is because you are trying to accomplish a functionality goal but you need or want to do it at a reduced cost (relatively speaking). Of course small and sometimes medium business have to do things differently than fortune 500's with a huge tech budget. They need something to work and usually for as low as cost as possible. This is the niche the afore mentioned fill and do so well and there is nothing wrong with that at all.

As far as things like Pfsense or Vyatta replacing hardware by Cisco or Juniper I do not see that ever being the case. Cisco and Juniper are costly because of their capabilities. Their hardware is specifically designed to do what you are buying it for and because of that will easily outperform a generalized OS with generalized hardware in it. Simply moving 500mb per second from one nic to another is easy, very little is involved. But moving that 500mb while inspecting it, prioritizing it, shaping it or perhaps filtering is a very very different situation. There is a world of difference in an RTP packet arriving at its destination in 50ms vs. 300ms.

Do not take my lengthy reply as being combative I just enjoy talking about this stuff. I think every product mentioned is a good one and I would be happy to use any of them.

I just prefer ClearOS at this point for my needs all things considered. :P

And yes I do use TMG, it firewalls off all my wireless traffic for the LAN. Layered security is good security. :P

MS know that TotalMessGateway is rubbish - as an MS partner we actually rip it out on a regular basis - coming from the roots of the thing that was ISA it was hefty and performed poorly the only thing people wanted from it was the reports.

Reading between the lines from the horses mouth
http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Anyone using BGP, VLANs, IPsec, ospf, CARP implementations. I can tell you now they are not using clear and honestly they shouldn't. As a connectivity server is a great product but there are things that clear overlaps into that causes allot of sysadmin's pulling the pin on it and look to other solutions. Simply because its not a suitable as product for border protection, for their implementations. We are talking about the crowd that wants 500+ mb throughput at the gate

They are looking at vyatta and pfsense as alternatives to running Junos and Cisco and checkpoint and ra ra ra

FYI OSSEC can also be installed on pfsense should you want it

I would like to formally say thanks to
Nick howitt, Tim b and the guys for cracking along with IPsec and also to Peter for getting vlans up

I forgot to mention another product that I think is in the realm with ClearOS. And that would be TMG. Yes I have the same nightmares still that you do from the ISA days but its a much different thing now and its pretty damn good. I use it to firewall my wireless from the rest of the network just because.

With that said, I think that whatever market share TMG has out there ClearOS could claim it. So really the sky is the limit. But if they ever start to giveaway it would be something to watch out for.


Thanks,
Donnie

I know this is an old thread. But after reading I wanted to toss in my 2 cents.

Before I do let me mention that I do not go around setting up small business networks all day. My background is large enterprise networks and of course a lot of tinkering at home. Hence ClearOS. So my point is I do not use ClearOS or any other such product in running a business.

I have known of Pfsense for some time. As long as I have known about ClearOS or any of the others. I have not tried it in awhile so I snagged the latest and gave it a test spin.

I think the comparison of ClearOS to Pfsense is unfair mostly. The ClearOS (my opinion of course) market is I would say medium to bordering on large business. Pfsense to me seems it would only be for small to bordering on medium business.

Yes it is small, light and quick. And I have to say I like their QOS system on the surface, I did not actually test it. But its quick setup and fast/easy config to me (again my opinion) are where the Pro's for it ends vs. ClearOS.

Honestly pfsense reminded me more of a Linksys or D-Link type offering that was easy, fast and got the job done but did not have some of the features you want once you want to dig a little deeper.

Just overall I think ClearOS is a much more solid security product. That is one of the things that drove me to it. It has an IDS AND (and that's a HUGE and) an IPS not to mention all the other goodies.

And when I speak of security realize you are talking to someone whom on top of ClearOS runs 2 other IDS's and captures all packets coming and going from their home network (and yes I look at it). The point being I am into the security thing and put a lot of time into it.


Maybe the reason I am so partial to ClearOS is I have found it to perform much better than other such products at high load and because I see the framework that is being built and is constantly being added too and improved on.

In short, I like ClearOS far more than Pfsense for several reasons. I do not think ClearOS has to worry about Pfsense as I do not think they really compete that much in the same market space nor do I think its even an apples to apples comparison. If they were to worry about anyone I personally think it would be Zentyal. That is what I used sometime before I came here and while I still like it ClearOS beats them on multiple fronts namely security and performance.



Just my 2 cents. All stated opinion is mine solely.

PS - I think the things that should be priority are reporting (more for security than anything else) and QOS.

Thanks,
Donnie

Convinced! VLANs are coming. In fact, I recently audited the firewall/network stack to make sure all worked well with VLANs. Only one little change was necessary to make the underlying engine happy.

On the topic of vlans in smb, there is actually huge market for it (I work an msp in my day job 99% of our clients are in the smb client space) I see smb as anything under 70 users really. But that's matter of opinion and not fact

Since most consist of
Virtual Host - Xen / vmware / hyperv etc etc
AD + terminal server
Clearos
MSSQL - LOB servers
Other DB servers
Other Linux guests
Radius
issci

vlans are the logical approach for us to segregate these network up, sure I could also subnet them too but with the cost of layer2 / layer 3 switches becoming dirt cheap why bother. Something like the above you are up to 4 vlans before you even start

Vlan - Management
Vlan - Wifi / guest access
Vlan - Local lan
Vlan - Storage

That's not to say that a small 15 user business needs this but then again they might have a simple little host with a basic little nas box and everything in between. That's also not to say it needs to be expensive either. But its realistically better if the gateway can deal with this effectively

Hi herballizard,

Thanks for being honest -- I admire that :-) We're going to work hard in 2013 to get our mojo back instead of being so revenue-driven.

Back to the topic -- VLANs and Routing are very good examples. These two items are actually on the roadmap but only after a lot of debate. Why? We are focused on the small and distributed office. If a client has VLANs or more than one simple LAN, then that customer is not really in our target market. If I walk into a 15-person construction firm in rural Ontario, I can see that VLANs and advanced routing are just not important. Getting content filtering and reporting right -- yup, that's super important. Pick a market and do it well.

Having said that, I'll go on and contradict myself a bit. We have just recently started to broaden our horizons and potential market segments. That's why VLANs and Routing are coming. To me, it muddies the waters a bit, but our market is also "distributed environments" and we're running into situations where these types of features are required. We'll never be a solution designed for a campus network, but ClearOS should be able to handle a school with a couple of VLANs.

I am not dismissing what the devs do

The roadmap and product decisions are not developer driven -- it's definitely a team effort :-)

awaiting some really important features to become stable before committing again.

Anything in particular!? If there's a bug, please report it - e-mail, bug tracker, forums... whatever is best for you. It's my mission to make ClearOS as bug free as possible. Our culture is "fix bugs before building features".

it had to be nearly 100% community driven to get it back in and on track. Many thanks to nick and tim and everyone else.

Getting IPsec to work with 3rd party boxes has been on the product wish list for a very long time. However, that requires a very big investment and knowledge set to support it professionally. If a customer pings ClearCenter support because their ClearOS IPsec to CiscoXYZ is not working, we better have a good way to resolve the problem. That was the roadblock - interoperability with the dozens of appliances out there in the market. That's also why ClearOS-to-ClearOS IPsec (Dynamic VPN) is out there and has been supported for years.

Tim, Nick et al's new app fills a much needed gap. The QoS piece is coming too -- certainly another big gap in version 5 that will be fixed in 6. More on that in a blog post this week.

Peter Baldwin wrote:

snip..
Product Focus is not Firewall

It should be a little more

Since clear tends to overlap and tried to offer a single one stop shop, and I get this. But there needs to be more attention to utm and perimeter firewall offerings. Ipsec sure its the most piss ridden thing going but its required, not everyone can or wanted to run openvpn, the consensus was too hard can't be bothered.... now this pissed allot of admins off, it had to be nearly 100% community driven to get it back in and on track. Many thanks to nick and tim and everyone else.

But there still other things like Vlans for the love of god?

I totally understand that clear as a connectivity server works, but its also pinged as a gateway and thus needs more focus on what those type of customers expect in a gateway / utm. Routing / VLAN's / Reporting / L2 & L3 otherwise you may as well double out and run bsd on the other fence and then use it inside as well.

All this stuff is an observation from mailing lists from blogs from other forums, while the product ripens the enterprise guys are just not looking at it. Its the same reason I have not renewed by profession sub yet, its entirely tentative and awaiting some really important features to become stable before committing again.

I am not dismissing what the devs do, I try to do the odd bit of bug reporting and the odd howto and figure how to get stuff running but some of the core stuff still needs work. Again its an observation nothing more

herballizard wrote:

Let me first say I love clearos, but honestly more lately I have allot of colleagues jumping ship over to pfsense

There was too much focus on the new customer and not nearly enough love for our existing 5.x users -- ten times more so for Community / free users. Though we have doubled our user traction rate with ClearOS 6, we certainly didn't do it with ClearOS 5 users leading the wave. Ball. Was. Dropped.

We should have taken care of 5.x users (e.g. an import tool right out of the gate) and we won't make the same mistake moving forward.

Hi guys,

We are quite focused on making the current feature set work really well. We spent a lot of time on ClearOS 6 to make sure the underlying engine was "doing it right" instead of chasing ever more features. It's all about making ClearOS 6 (and ClearOS 7) really good at what it's advertised to do. Really good. Anything in version 5.x that was crap was either replaced or chucked out. That caused a lot of grief since we:

1) ripped out old and mature code and added better (but inevitably buggier) code
2) dropped features that people liked in ClearOS 5

Fortunately, we are quickly closing the gap on both of these issues. Making these changes in 6 was certainly a big risk, but I suspect that it will be worth it in the end. It's not easy for a company to have the discipline to pause and retool an existing product. It's not easy to say things like:

No, the IPsec stack in version 5 is not coming to 6 since it's old, crusty and nobody wants to manage it. It either has to be done right, or removed.

Thanks to Tim, Nick and others, it's about to be "done right" in ClearOS 6.

The front end for every single app (80+ at the time) was rewritten and our goal was to keep the user interface very familiar to version 5. The "User Manager" looks the same in version 6, but I assure you that the underlying engine is quite different. From an end user's immediate perspective, nothing happened! ClearOS 7 won't have this same stabilization curve since the underlying engine (software API, web app framework) isn't changing. Instead, we'll continue to focus on making what we have better.

Product Focus is not Firewall

It might surprise many to know that ClearOS development is mostly focused on the Server and Gateway layers. The Network (Firewall) is less of a priority. For example, you won't see the the word "firewall" in ClearOS product descriptions except in reference to basic underlying apps. To put it another way, we consider Zentyal, Univention Server, Microsoft SBS and SME Server to be our closest competitor products. The various firewall solutions like Untangle, pfSense and the gazillion others are secondary competitor products -- there's certainly overlap, but these are indirect competitor products.

I agree... Disillusioned with ClearOS 6.3 tried pfSense 2.0.1 and absolutely loved it once I became more familiar with BSD (needed a few more BSD packages not in the pfSense distribution). As a firewall and proxy it is far superior to ClearOS. The reports it provides are brilliant. However, it is a firewall & proxy so therefore lacks some of the other server functions of ClearOS. Have a machine ready and waiting for pfSense Version 2.1 as soon as the Beta finishes and final is released. (current reports indicate the Beta is extremely sable...)