pfSense vs. OPNSense?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I've been running pfSense at home for the last three years or so. It's working well, and has honestly given me no reason to change. But who needs a reason, right? OPNSense forked from pfSense about four years back, looks like it's comparable in the features department, has no plans to require AES-NI (though the CPU in my pfSense box has that anyway), and has a rather-more-straightforward license. Any comparable experience between the two?
 

maxbet

Dabbler
Joined
Oct 4, 2014
Messages
12
I have been running pfSense for a few years and switched to OPNsense 6 months ago. I do not regret it.
I run OPNsense 19.1.6 with DynDNS, UPS and a customized LCDproc package. It has been running flawlessly ever since.
I like the frequent updates and the friendly forum, all things sorely missing in the other *sense.
On the other hand, the use is somehow limited by the status of the Internet here in China.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Thanks. I'm currently running OpenVPN for remote access, UPS, and ACME to get a cert from Let's Encrypt using DNS validation (specifically, using acme-dns). Probably some other things, but those are the big ones. All available under OPNSense?
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
What about packages like pfBlockerNG?

Forced AES-NI is a bit of a bummer, but hopefully the old hardware will be supported for at least 18 months more. By that time it will hopefully be cheap to get suitable hardware. At the moment a good little box is quite a bit more than the J1900 boxes that don't support AES-NI.
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
892
I used pfsense for a while prior to the fork. Then when I read what the timeline and feature plans were for OPNsense, I decided to switch since OPNsense appeared that it might reach those goals sooner. I had also a time or two with difficulties on pfsense, updates that didn't work so smoothly, or other configuration things. For the vast amount of time since switching to OPNsense, I have had no problems. I am still using it, and with an older bit of hardware (Asus M5A88-M with AMD Athlon II x2 270) but something about this hardware denies an update/upgrade or fresh install to the 19.1.x version. I suspect it may be *something* related to HardenedBSD since migration to HardenedBSD 11.2 was completed in OPNsense 19.x. The update or install reaches a point where the screen goes blank and it seems to stall, so one of my last troubleshooting options would be to try a graphics card in lieu of the integrated one. Another idea I just realized is to attempt a fresh install of vanilla HardenedBSD to see whether that succeeds or not.

I am likely a corner case. All updates between the first or second after switching to OPNsense and the last version prior to 19.1 were easy and trouble-free.

EDIT: I received help with the issue and it is a simple fix. The default config favors Intel (or dis-favors my particular CPU) in that I need the setting: sysctl vm.pmap.pti=0
This means during bootup (after an update that fails to boot) do the following:
choose boot loader
set vm.pmap.pti=0
boot
Once boot succeeds, go to your browser login and make the following adjustment (again):
After bootup, go to system > settings > tunables to re-create the line
tunable: vm.pmap.pti
description: annoying AMD unfriendly mitigation
value: 0
 
Last edited:
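As an added example (not from the thread or the OPNsense project), a small POSIX sh helper that applies the reasoning behind the fix above: vm.pmap.pti is FreeBSD's Meltdown mitigation (page-table isolation), and Meltdown does not affect AMD CPUs, so turning it off there costs no protection, while on Intel it should stay on. It assumes FreeBSD's hw.model sysctl for the CPU string, treats the vendor substring match as a heuristic, and uses constructed sample values when not run on a FreeBSD/HardenedBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense.
# Decide whether disabling vm.pmap.pti (Meltdown mitigation) is
# reasonable for the CPU in this box.

# pti_advice CPU_MODEL CURRENT_PTI
# Prints the loader tunable to set, "already-off", or "keep".
pti_advice() {
    model=$1
    pti=$2
    case "$model" in
        # Heuristic vendor match (assumption): AMD is not affected by
        # Meltdown, so PTI only costs performance on these CPUs.
        *AMD*|*Athlon*|*Ryzen*|*Opteron*)
            if [ "$pti" = "1" ]; then
                echo "vm.pmap.pti=0"   # what to set at the loader / in Tunables
            else
                echo "already-off"
            fi
            ;;
        *)
            echo "keep"                # Intel or unknown vendor: leave PTI on
            ;;
    esac
}

# On a live FreeBSD/HardenedBSD host read the real values (hw.model and
# vm.pmap.pti are real sysctl names there); elsewhere fall back to
# constructed sample values so the script still runs.
if command -v sysctl >/dev/null 2>&1 && sysctl -n vm.pmap.pti >/dev/null 2>&1; then
    cur_model=$(sysctl -n hw.model)
    cur_pti=$(sysctl -n vm.pmap.pti)
else
    cur_model="AMD Athlon(tm) II X2 270 Processor"   # constructed sample
    cur_pti=1                                         # constructed sample
fi
echo "cpu: $cur_model / vm.pmap.pti=$cur_pti -> $(pti_advice "$cur_model" "$cur_pti")"
```

The printed tunable is the same value the post enters under System > Settings > Tunables; the script only reports, it does not change the running system.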

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I seriously thought about switching to OPNsense after reading some of the dirty stunts pulled by jimp after OPNsense forked, yet I'm still running pfSense. Honestly it's mostly because of the fact that I have everything configured exactly as I want it and don't want to change platforms and have to start over. If there is ever a time where I have to start from scratch again I'll likely go OPNsense.
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
... after reading some of the dirty stunts pulled by jimp after OPNsense forked, yet I'm still running pfSense.

Could you please elaborate?
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
892
Thanks. I'm currently running OpenVPN for remote access, UPS, and ACME to get a cert from Let's Encrypt using DNS validation (specifically, using acme-dns). Probably some other things, but those are the big ones. All available under OPNSense?
I cannot at the moment say whether those functions are available if not a plugin but if I find info I'll post it later. Below is the list of plugins on the github page today.
Code:
benchmarks/iperf -- Connection speed tester
databases/redis -- Redis DB
devel/debug -- Debugging Tools
devel/helloworld -- A sample framework application
dns/bind -- BIND domain name service
dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
dns/dyndns -- Dynamic DNS Support
dns/rfc2136 -- RFC-2136 Support
mail/postfix -- SMTP mail relay
mail/rspamd -- Protect your network from spam
misc/theme-cicada -- The cicada theme - grey/orange
misc/theme-rebellion -- A suitably dark theme
misc/theme-tukan -- The tukan theme - blue/white
net-mgmt/collectd -- Collect system and application performance metrics periodically
net-mgmt/lldpd -- LLDP allows you to know exactly on which port is a server
net-mgmt/net-snmp -- Net-SNMP is a daemon for the SNMP protocol
net-mgmt/netdata -- Real-time performance monitoring
net-mgmt/telegraf -- Agent for collecting metrics and data
net-mgmt/zabbix-agent -- Enterprise-class open source distributed monitoring agent
net-mgmt/zabbix-proxy -- Zabbix Proxy enables decentralized monitoring
net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
net/arp-scan -- Get all peers connected to a local network
net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
net/frr -- The FRRouting Protocol Suite
net/ftp-proxy -- Control ftp-proxy processes
net/haproxy -- Reliable, high performance TCP/HTTP load balancer
net/igmp-proxy -- IGMP-Proxy Service
net/l2tp -- L2TP server based on MPD5
net/mdns-repeater -- Proxy multicast DNS between networks
net/ntopng -- Traffic Analysis and Flow Collection
net/pppoe -- PPPoE server based on MPD5
net/pptp -- PPTP server based on MPD5
net/relayd -- Relayd Load Balancer
net/shadowsocks -- Secure socks5 proxy
net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
net/upnp -- Universal Plug and Play Service
net/vnstat -- vnStat is a console-based network traffic monitor
net/wireguard -- WireGuard VPN service
net/wol -- Wake on LAN Service
net/zerotier -- Virtual Networks That Just Work
security/acme-client -- Let's Encrypt client
security/clamav -- Antivirus engine for detecting malicious threats
security/etpro-telemetry -- ET Pro Telemetry Edition
security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only for non-commercial use)
security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
security/maltrail -- Malicious traffic detection system
security/openconnect -- OpenConnect Client
security/softether -- Cross-platform Multi-protocol VPN Program
security/tinc -- Tinc VPN
security/tor -- The Onion Router
sysutils/api-backup -- Provide the functionality to download the config.xml
sysutils/boot-delay -- Apply a persistent 10 second boot delay
sysutils/dmidecode -- Display hardware information on the dashboard
sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
sysutils/mail-backup -- Send configuration file backup by e-mail
sysutils/node_exporter -- Prometheus exporter for machine metrics
sysutils/nut -- Network UPS Tools
sysutils/smart -- SMART tools
sysutils/vmware -- VMware tools
sysutils/xen -- Xen guest utilities
www/c-icap -- c-icap connects the web proxy with a virus scanner
www/cache -- Webserver cache
www/nginx -- Nginx HTTP server and reverse proxy
www/web-proxy-sso -- Kerberos authentication module
www/web-proxy-useracl -- Group and user ACL for the web proxy
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
892
@danb35
OpenVPN is one of the Virtual Private Network technologies OPNsense offers; see their documentation for VPN. I do see the ACME Let's Encrypt plugin listed as an option in the Firmware: Plugins section on my OPNsense.
[attached screenshot: Screenshot_2019-04-21 Firmware System cerberus underworld.png]
 
Last edited:

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Could you please elaborate?
https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1828

Mod note:
The following content is less-than-safe-for-work. While not quite up there in terms of being offensive and in poor taste, it's high enough that it would ordinarily not be allowed on the forum.


However, since this is meant as education, in the sense of educating people about the activities in question, by showing the archived version of the website, I'm going to let the link stay, inside the spoiler button.

If you open the link, I suggest quickly scrolling down to avoid said content.

- Ericloewe
 
Last edited by a moderator:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Second link in Jailer's post above, inside the spoiler button
Wow. Knowing that ESF built that, makes me not want to use pfSense any more. And that was before I closed the archive.org banner to see the stylized goatse.cx image.
 
Last edited by a moderator:

maxbet

Dabbler
Joined
Oct 4, 2014
Messages
12
Thanks. I'm currently running OpenVPN for remote access, UPS, and ACME to get a cert from Let's Encrypt using DNS validation (specifically, using acme-dns). Probably some other things, but those are the big ones. All available under OPNSense?
They are all available. I use NUT for UPS management, but no OpenVPN or ACME, so I cannot elaborate on how well they work.
Given the fact that in OPNsense you can install standard BSD packages, I expect no issues; worst case you will have to resort to manual configuration (no GUI integration).
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
All I can say is it is sad that things have to degenerate to this state. From what I can see pfSense is more stable/handled in a more "enterprise" manner with professional support and OPNsense is more "experimental" with constant updates.... both have their place and serve different audiences. I personally don't want to be updating a firewall appliance every couple of weeks, but I can see that other people might and I say that's great... that's what open source is all about.... sharing ideas and evolving technology.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Wow. Knowing that ESF built that, makes me not want to use pfSense any more. And that was before I closed the archive.org banner to see the stylized goatse.cx image.
I knew it was bad, but I hadn't quite realized how bad. I'd read the WIPO case around when they were holding back QuickAssist support so that it only worked on their boxes, which was a scummy move*, but the actual website is in unbelievably poor taste.

* It was a scummy move because they said it "wasn't validated with other hardware", which is basically nonsense since it's an Intel C3000 feature. They could've just been up-front about it, but decided to instead put on a farce.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Sorry about that, I didn't even consider the content before I posted the link. I'll make sure to pay more attention to that in the future.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Don't worry about it.
 

Mlovelace

Guru
Joined
Aug 19, 2014
Messages
1,111
Having briefly looked at both, I'd go with OPNsense. Though, I've been running a Dell Sonicwall TZ215 firewall at home for 4+ years and it's been great.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
I am running pfSense here, using both OpenVPN and IPsec VPN. OpenVPN is for my MAN and IPsec is for RoadWarrior because iOS can have an Always-On VPN only when connecting with IKEv2.

My hardware has AES-NI, so no problem here.

Also, considering the reason for requiring AES-NI, I agree with the choice they took. It is for security and to protect pfSense against timing attacks and more; using software crypto would be a waste of energy. That energy is better invested anywhere else, and to rely on AES-NI is legitimate.

Considering my HAProxy, ACME, DynDNS, packet filtering, NUT, log parsing and more are all configured, I have more important things to do than moving from pfSense to anything else.
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
892
One can look at it as either of two or three choices: pfsense, OPNsense, or commercial hardware + software.

IF you choose commercial hardware with its included software, you MUST remain vigilant about hardware updates because the home-oriented boxes such as the Linksys brand may choose to drop support when newer hardware is released. You should still periodically check to see whether any software updates are necessary, and not buy a device, install it and forget it. The frustrating part of this forced obsolescence is that the hardware technically continues to operate just fine, but the vendor chooses not to continue to supply "threat fingerprint" files tailored (if different, unlikely) for that device. This means that your previous Linksys with included security features may effectively become simply another modem/router. One might assume that commercial industry-oriented (i.e., not cheap nor technically for home use) firewall hardware would include a support contract and regular updates that might even be handled by that vendor. Commercial industry-oriented devices may not be quite the same, but it remains important to be aware of updates and the need for them and to monitor to some degree that they have been handled in a timely manner.

The main issue, whatever your choice is, whether one of the two options mentioned in the thread or another FOSS option, or even commercial if affordable or appropriate, is that the software be maintained. Expecting things to always keep working perfectly with ZERO interaction, zero upkeep, zero monitoring, is foolish. No hardware that is computing-related will magically work flawlessly (yes, flawless includes functioning security) except in the consumer-oriented market among the naive non-techies and only in their minds because to them it IS magic.

I cannot say whether any home-oriented hardware has automated software updates, that those are enabled by default, or that hardware vendors have abandoned the forced obsolescence described above.
 