pfSense vs. OPNSense?

[Patrick M. Hausen]

In case this was missed, just to mention it as an option for those who wish, one can take FreeBSD and make it into OPNsense. https://github.com/opnsense/update#opnsense-bootstrap
I cannot say if pfsense has any similar tool, option, maybe it does.

And you can get a working OPNsense firewall to toy with on your desktop with a simple vagrant up:

GitHub - punktDe/vagrant-opnsense: Bootstrap an OPNsense development environment in Vagrant

Bootstrap an OPNsense development environment in Vagrant - punktDe/vagrant-opnsense

github.com

 

[danb35]

A couple of months later, and OPNsense continues to work fine for me, with the exception of failover dual-WAN--though I haven't done much to try to troubleshoot that. OpenVPN and IPsec both work well. Multiple LAN segments are fine, with an isolated network for IoT devices (remember, the S in IoT is for security). And the third-party plugin for Caddy is 100x easier than HAProxy to configure, even if you have to write the Caddyfile from scratch.

 

[Ericloewe]

I'm going to give OPNsense another shot soon, even if I have to brute force it by untagging the IPTV VLAN upstream with a switch. Besides that weird odor of rot coming from the closet of pfSense, OPNsense nominally, finally, in theory, supports QAT.
I have a C3558 system sitting behind me and a C2758 system on its way - as it turns out, being an unreliable mess likely to fail in nasty ways causes prices to decline substantially enough for crazies like me to give it a try!

 

[no_connection]

I have been "running" OPNsense for a while, might migrate to it as real router use. Complete with failover and HA.

I had a fun bug/mishap with it when running ZT and routing traffic from phone through it, it just stopped working while my other "site" worked fine.
After a LOT of comparing config and trouble shooting I finally figured it out. The IP address of the ZT interface was NOT in the routing table, and I was unable to add link local to the table (something you shuold never need to do anyway). Deleting the IP and adding it through ZT again worked and all was good. Had me for a spin tho.

And since OPNsense have policy based routeing I can finally replace my beloved ZeroShell that has been my workhorse for over a decade.

 

[VioletDragon]

I'm using pfSense and have been since 2013, I'm using it in my Data Center for the VDN Network that hosts Mail and Web Servers as well as Cloud and Internet for Residents, works well and gets the job done however I will be installing Ha across the board in two different locations. It's reliable just like TrueNAS which i use as a SAN for the Ha Cluster and TrueNAS for NAS storage.

 

[Inxsible]

A couple of months later, and OPNsense continues to work fine for me, with the exception of failover dual-WAN--though I haven't done much to try to troubleshoot that. OpenVPN and IPsec both work well. Multiple LAN segments are fine, with an isolated network for IoT devices (remember, the S in IoT is for security). And the third-party plugin for Caddy is 100x easier than HAProxy to configure, even if you have to write the Caddyfile from scratch.

I have been using Opnsense for a little over 2 years now and have nothing but good things to say. pfSense updates usually used to break things for me whereas Opnsense updates have been really seamless and smooth.

I initially used a caddy container on my proxmox server as a reverse proxy, but then thought it would be better to use the firewall itself and thus used the HAProxy plugin as that was the only thing available at the time. It was a lot of effort to understand the configuration for HAProxy. The plugin has a lot of extras that you might never use.

I wanted to move over to caddy ever since I found out that there's a 3rd party plugin, but I am afraid of losing access -- mainly to my self-hosted vaultwarden instance which I would need access to when I want to ssh or root into the different containers for transmission, nextcloud, collabora, pbs etc that I have running in order to switch them over from HAProxy to caddy.

It's always difficult to find examples or tutorials to do something in HAProxy and even more difficult to find something that is based on the UI that Opnsense has for HAProxy. Too convoluted in my opinion.

Here's hoping that I will be able to build a caddy config for my setup and then just save that in the caddy plugin and everything will magically just work.

 

[danb35]

Even though there's no GUI for Caddy, for a basic reverse proxy, it's far easier to set up than HAProxy was. HAProxy on OPNsense was easier for me than it was on pfSense, but Caddy is far simpler than either. Here's what my Caddyfile looks like:

Code:

{
    email admin@mydomain.org
}

ombi.mydomain.org {
    reverse_proxy https://ombi.mydomain.org
}

bitwarden.mydomain.org {
    reverse_proxy https://bitwarden.mydomain.org
}

opnsense.mydomain.org {
    @denied not remote_ip 192.168.0.0/22 
    abort @denied
    reverse_proxy localhost:81
}

Ombi's running on my NAS, which is using a Let's Encrypt wildcard cert and Ingress. Bitwarden is running on a separate VM, which is also configured to get a Let's Encrypt cert via DNS validation. And the opnsense. block is set to block access from anywhere except for 192.168.{0-3}.x.

Once you've done this, there's no need for OPNsense to handle certs for any of these hostnames; Caddy will handle them automatically.

 

[Inxsible]

Even though there's no GUI for Caddy, for a basic reverse proxy, it's far easier to set up than HAProxy was. HAProxy on OPNsense was easier for me than it was on pfSense, but Caddy is far simpler than either. Here's what my Caddyfile looks like:

Code:

{
    email admin@mydomain.org
}

ombi.mydomain.org {
    reverse_proxy https://ombi.mydomain.org
}

bitwarden.mydomain.org {
    reverse_proxy https://bitwarden.mydomain.org
}

opnsense.mydomain.org {
    @denied not remote_ip 192.168.0.0/22
    abort @denied
    reverse_proxy localhost:81
}

Ombi's running on my NAS, which is using a Let's Encrypt wildcard cert and Ingress. Bitwarden is running on a separate VM, which is also configured to get a Let's Encrypt cert via DNS validation. And the opnsense. block is set to block access from anywhere except for 192.168.{0-3}.x.

Once you've done this, there's no need for OPNsense to handle certs for any of these hostnames; Caddy will handle them automatically.

I am using HAProxy as an SSL offloader as well and most of my services run on http only and I handle the ssl on the Opnsense box using the Acme plugin which is why I am worried about moving the whole thing over to caddy. It took me quite a lot of researching and reading to finally set up the certs etc the way i wanted for my services. Will have to go through that exercise again in order to set them up again. There will surely be a few hiccups during the transition, I think.

 

[danb35]

Will have to go through that exercise again in order to set them up again.

Probably not. In that case, you'd proxy to http://whatever, and Caddy will handle the certs for you.

 

[Inxsible]

Probably not. In that case, you'd proxy to http://whatever, and Caddy will handle the certs for you.

Good to know. Since you run bitwarden in https, how do you handle the certs? Do you update the certs on every individual service that you have from a central location or does every individual service handle their own certs?

 

[danb35]

My Bitwarden is kind of a legacy setup--for a good while, it was the only externally-accessible service I had, so I just forwarded ports 80/443 to it and let it get its own certs. Now I'm using acme.sh on that VM to get a cert for it using DNS validation--which probably isn't necessary, but it's what I've been doing.

For all the apps running on my NAS, I use a single wildcard cert (obtained through the TrueNAS UI, once again using DNS validation via Cloudflare's DNS), and I use the Ingress configuration provided by TrueCharts.

I also make use of split-brain DNS--so bitwarden.mydomain resolves to 192.168.1.62 from inside my LAN, and to my external IP address from outside the LAN. That's why I have a cert on the bitwarden installation, so that even on the LAN traffic is encrypted.

 

[Inxsible]

For all the apps running on my NAS, I use a single wildcard cert (obtained through the TrueNAS UI, once again using DNS validation via Cloudflare's DNS),

Yeah, I use Cloudflare as well and use the wildcard cert for all my services -- including the cert for Opnsense itself. I like managing it from one location which is why I opted for SSL offloading.

Do you know if the caddy plugin supports using the LE certs from the Acme plugin in Opnsense. That way I could keep using the wildcard cert for Opnsense too rather than have 2 certs -- one for opnsense and then one maintained by caddy for all the services. I am not even sure yet if this is a good idea since the whole spiel of caddy is automatic HTTPS with built-in management for LE certs.

 

[danb35]

Do you know if the caddy plugin supports using the LE certs from the Acme plugin in Opnsense.

I don't believe it does. I believe it's possible to get Caddy to create and use a wildcard cert, though that would require it use DNS validation, and I don't know that the OPNsense plugin supports that (or which DNS hosts it supports it with, if so).

You might have noticed that I have Caddy proxying for OPNsense as well, and OPNsense itself listening to HTTP on port 81. So my OPNsense itself isn't doing anything with the certs; Caddy's handling all of that on that device.

 

[Inxsible]

and I don't know that the OPNsense plugin supports that (or which DNS hosts it supports it with, if so).

Yeah, it does. I use DNS validation to get my wildcard cert via the acme plugin. It supports quite a few hosts including Cloudflare.

You might have noticed that I have Caddy proxying for OPNsense as well, and OPNsense itself listening to HTTP on port 81. So my OPNsense itself isn't doing anything with the certs; Caddy's handling all of that on that device.

Hmmm. My current setup is Opnsense listening on 10443 with and the AdGuardHome plugin listening on 81 and then forwarding to Unbound. I use AdGuardHome to block ads. I found that using the blocklists in Unbound worked fine but would consume a lot more memory (not a big deal these days) but more importantly it used to take a very long time for Unbound to restart if I ever made any changes. Unbound would also restart on its own sometimes (never could put a finger on why). This would make the internet access unavailable until Unbound was up and running causing a lot of frustration with the better half.

Not sure if I want to overhaul my whole setup only to move from HAProxy to caddy for no real benefit other than easier configuration in the future... If I do move, I want to keep the setup as similar to now as possible.

 

[danb35]

Yeah, it does. I use DNS validation to get my wildcard cert via the acme plugin.

I wasn't clear. I don't know that the OPNsense Caddy plugin supports DNS validation.

 

[victort]

My Bitwarden is kind of a legacy setup--for a good while, it was the only externally-accessible service I had, so I just forwarded ports 80/443 to it and let it get its own certs. Now I'm using acme.sh on that VM to get a cert for it using DNS validation--which probably isn't necessary, but it's what I've been doing.

I also run bitwarden (latest version on a VM) and caddy reverse_proxies perfectly to it. Including DNS validation certs. So that part works.
Bitwarden doesn’t like anything but trusted certs for the app and such.

For all the apps running on my NAS, I use a single wildcard cert (obtained through the TrueNAS UI, once again using DNS validation via Cloudflare's DNS), and I use the Ingress configuration provided by TrueCharts.

I assume you are using TrueNAS Scale for this? Core doesn’t let me chose cloudlare as an acme provider.

 

[danb35]

I assume you are using TrueNAS Scale for this?

Correct, as noted in my signature.

 

[garm]

I’m reviving this dead horse, I stuck with PFSense through all their shit because I believed they made a solid product and looked out for me. I even took the bait and upgraded to their Free Plus version.

Now I’m switching to OPNSense…

Addressing Changes to pfSense Plus Home+Lab

Today, we are announcing that the Home+Lab version of pfSense Plus is no longer available for free download.

www.netgate.com

 

[Apollo]

I’m reviving this dead horse, I stuck with PFSense through all their shit because I believed they made a solid product and looked out for me. I even took the bait and upgraded to their Free Plus version.

Now I’m switching to OPNSense…

Addressing Changes to pfSense Plus Home+Lab

Today, we are announcing that the Home+Lab version of pfSense Plus is no longer available for free download.

www.netgate.com

Any reason why?

 

[Patrick M. Hausen]

Any reason why?

They linked the reason.