pfSense vs. OPNSense?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464

So after pondering it on and off for over a year, I decided to make the transition. In addition to Netgate/ESF/Rubicon's misbehavior with the OPNsense fork, I ran across this which didn't help my opinion of them:

It's possible to import configuration information from pfSense into OPNsense. Sometimes it works, sometimes not.
  • Interfaces didn't work at all. It put the LAN interface on the WAN port, and I don't know where it put the WAN interface. This was on identical hardware with identical device names (i.e., the WAN port is igb0 under both).
  • Importing the DHCP server configuration worked just fine, including IP reservations and assigned hostnames
  • So did the Unbound DNS server configuration, including host overrides.
  • OpenVPN configuration partially worked. The server configuration was restored, but not the clients.
  • The firewall rules are strange. They appear to have imported (though the aliases used in them didn't), in that the rules are shown in the tables, but they aren't having the effect they'd had previously. They're going to take some more work.
Some other thoughts:
  • The OPNsense UI is much better. It looks better, and it's organized better (can anyone tell me why the config backup is under the Diagnostics menu on pfSense?). It's still kind of scattershot IMO, but it's a big improvement. It also seems more responsive on the same hardware.
  • The OPNsense installer doesn't support installing on ZFS like pfSense does. Fortunately, there's a pretty simple workaround: Install FreeBSD (11.2 as of right now), and then use the OPNsense bootstrap installer to put OPNsense on it.
  • The OPNsense installer image with serial console enabled doesn't work with the serial console on a Netgate RCC-VE-2440 (which was also sold as the pfSense SG-2440), nor does the FreeBSD installer using the instructions I'd found somewhere online to enable a serial console. Netgate has their own instructions; use them instead (though rather than making entries by hand at the loader prompt, I made a /boot/loader.conf file on the USB stick with the same instructions).
Next up, working on the firewall rules and HAProxy.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,975
Thanks for that update. I'm still pondering switching but I've got everything working like I want on pfsense and I'm leery of switching for that reason, especially since I have some services available online that I don't want to take the chance of screwing up.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Oh, this is nice. OPNsense supports API keys for users, and has a backup-api package, which adds an API call (OPNsense already has an API) to download the configuration. Once that's installed, automatically pulling a config is a matter of creating a group that only has access to download the config, creating a user in that group, and creating an API key for that user. Then a daily curl -k -u "key":"secret" https://192.168.0.1/api/backup/backup/download -o opnsense_config.xml will download the config. Compare that to this script that's needed to do it in pfSense:
Code:
#!/bin/bash

wget -qO- --keep-session-cookies --save-cookies /tmp/cookies.txt \
  --no-check-certificate https://pfsense.domain.org/diag_backup.php \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > /tmp/csrf.txt

wget -qO- --keep-session-cookies --load-cookies /tmp/cookies.txt \
  --save-cookies /tmp/cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=download&passwordfld=password&__csrf_magic=$(cat /tmp/csrf.txt)" \
  https://pfsense.domain.org/diag_backup.php  | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > /tmp/csrf2.txt

wget --keep-session-cookies --load-cookies /tmp/cookies.txt --no-check-certificate \
  --post-data "download=download&__csrf_magic=$(head -n 1 /tmp/csrf2.txt)" \
  https://pfsense.domain.org/diag_backup.php -O \
  /mnt/tank/db_backup/pfsense/config-router-`date +%Y%m%d`.xml


So the complete script for OPNsense looks like:
Code:
#!/bin/sh
KEY="api_key"
SECRET="api_secret"
HOST="opnsense_hostname"
# Don't name this variable PATH: assigning PATH hides curl, date, find and rm
BACKUP_DIR="/mnt/tank/db_backup/opnsense"

curl -s -k -u "$KEY:$SECRET" "https://$HOST/api/backup/backup/download" \
 -o "$BACKUP_DIR/opnsense-config-$(date +%Y%m%d).xml"

# Keep 30 days of backups
find "$BACKUP_DIR/" -type f -name '*.xml' -mtime +30 -exec rm {} \;


OPNsense also supports scheduled backups to Google Drive and/or Nextcloud.
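A hardened version of that download script, added here as an example (it is not danb35's script or OPNsense project code): it verifies TLS against the firewall's CA instead of passing -k, uses --fail so an HTTP error page is never stored under a .xml name, and checks that the file really is an OPNsense config (root element `<opnsense>`) before rotating old copies. The hostname, CA file path and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example, not danb35's script. Assumed: a download-only API user as
# described above, the firewall's CA cert exported to CA_FILE (so curl can
# verify TLS instead of using -k), and placeholder values for HOST/KEY/SECRET.
set -eu

HOST="${OPNSENSE_HOST:-opnsense.example.invalid}"     # placeholder
KEY="${OPNSENSE_KEY:-api_key}"
SECRET="${OPNSENSE_SECRET:-api_secret}"
CA_FILE="${OPNSENSE_CA:-/usr/local/etc/ssl/opnsense-ca.pem}"
BACKUP_DIR="${BACKUP_DIR:-/mnt/tank/db_backup/opnsense}"  # not PATH!
KEEP_DAYS=30

# Download the config. --fail makes curl exit non-zero on HTTP 401/403/5xx
# instead of silently saving an error page as if it were the backup.
fetch_config() {
    curl --silent --show-error --fail --cacert "$CA_FILE" \
        -u "$KEY:$SECRET" "https://$HOST/api/backup/backup/download" -o "$1"
}

# Succeed only if the file looks like an OPNsense config.xml: non-empty,
# an XML declaration on line 1, and the <opnsense> root element.
validate_config() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^<?xml' || return 1
    grep -q '<opnsense>' "$1" || return 1
}

# Remove backups older than $2 days from directory $1.
prune_backups() {
    find "$1" -type f -name 'opnsense-config-*.xml' -mtime "+$2" -exec rm -f {} \;
}

main() {
    mkdir -p "$BACKUP_DIR"
    dest="$BACKUP_DIR/opnsense-config-$(date +%Y%m%d).xml"
    fetch_config "$dest.tmp"
    if validate_config "$dest.tmp"; then
        mv "$dest.tmp" "$dest"        # publish only a verified download
        prune_backups "$BACKUP_DIR" "$KEEP_DAYS"
    else
        rm -f "$dest.tmp"
        echo "refusing to keep $dest.tmp: not an OPNsense config" >&2
        exit 1
    fi
}

# Run the backup only when invoked as: sh opnsense-backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```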
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,450
Just tried to install it under VirtualBox but can't get past creation of the disk.
Not good.
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
890
Just tried to install it under VirtualBox but can't get past creation of the disk.
Not good.

Try this, although not recommended for actual service, there is a guide for testing (evaluation or screenshot) purposes.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,450
Try this, although not recommended for actual service, there is a guide for testing (evaluation or screenshot) purposes.
I am trying to evaluate basic functionality of OPNsense, so running a VM is somewhat of a good-enough way to go.
Unfortunately, I am being stuck at the install disk creation.
See screenshot with and without swap creation. It just stays there with no noticeable activity.
Installing pfsense as a VM has never been an issue.

This issue isn't documented as far as I was able to grasp.
I need to dig into it.
I am running on Windows 10 2004, AMD Threadripper 2950X with 64GB RAM and plenty of HDD and NVME storage space.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
The FreeBSD version in the last OPNsense release is a bit outdated. 11.2 ...
Have you tried the OPNsense 20.7 BETA1? Comes with 12.1.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
The FreeBSD version in the last OPNsense release is a bit outdated. 11.2 ...
It is, but they're using HardenedBSD, which is also at 11.2 (at least on the 11.x series). I haven't as yet messed with the beta.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Funny to read we came to precisely the same conclusions in this case @danb35

I'm a happy OPNsense user; the core software is rock solid. Some plugins however are not always that great, but that's a whole different discussion (not bad, just not great ;) )

The ET Pro Telemetry edition is also awesome and I really like how they publicly published examples of the datastream that is shared as "telemetry" :)
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
890
You may have seen the beta,
* HardenedBSD 12.1
* Logging issues after major version change fixed
* Traffic shaper statistics API and GUI page
* Firewall API plugin
* Missing plugin GUI install/dismiss feature
* Suricata 5 and optimized ET Pro Telemetry rules plugin
* Images are amd64 only as we jump the major OS version and leave i386 behind
* Nano images probably have a defunct growfs feature, but already fixed on master
---
Now there is an RC1 with a lot more notes that I am not going to copy here.

I recently used the GUI to switch from Production to Development without any issue, updated, and rebooted after to be sure everything was initialized as it ought to be.

And, just in case, there was also relatively recent news of some patching:


Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
Does OPNSense have any kind of ad-blocking similar to the pfSense pfBlockerng package?
 

marunjar

Cadet
Joined
Apr 7, 2018
Messages
3
Not as nicely GUI-fied, no :'(
That's really the primary downside imho.

This has changed recently.
If you are using unbound you may also install unbound-plus plugin, which is working pretty well.
With this you can use some predefined and also custom lists for blocking ads:


The only thing not to forget is to add a cron job for updating blocklists :wink:
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
The only thing not to forget is to add a cron job for updating blocklists :wink:
See, that's one of those plugin things I don't like... If only someone thought for 2 seconds to think "Wait, don't I need a cron checkbox too?!" :')
But that's an awesome heads-up, thanks!

Any good way to visualise the DNS query feed like pihole also shows?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
With OPNsense 20.7 the os-unbound-plus package is obsolete and the blacklists are integrated into the standard unbound installation.
 