So I’ve been using OPNsense for a few years. I have an extensive config including VLANs, plugins, policies, Suricata, VPN, routes, gateways, HAProxy, etc.
Over the past few months, I’ve noticed certain bugs, weirdness, and slowness within OPNsense. I recently watched Tom Lawrence’s video on the licensing changes and he touched on the openssl vulnerability that OPNsense has yet to remediate.
The Plus license cost (per year), which entitles you to some limited support options, is also appealing. Every time I get stuck figuring out something complex in OPNsense, I have to hope someone else has tried to do the same thing and posted about it so I can troubleshoot.
I also don’t like having to constantly update. A more “stable”/enterprise focused cycle like pfSense has seems like my pace. It broke on me last year with one of the upgrades and I had to clean install.
Don’t get me wrong, I love the UI (mostly), plugins, etc. in OPNsense, but these past few months have got me thinking.
I’ve also heard that people don’t like Netgate as a company, so that could definitely factor into not switching.
What are everyone’s thoughts?
First of all, I love Opnsense! I’m saving for Opnsense hardware to support them.
Only thing that has been bugging me lately, since the 23.7.7 update, is getting into my LAN with Tailscale. It’s running as an exit node. I do get internet access and everything, but no local services. It worked from the beginning until that update. I hadn’t changed anything. I’ve done all the steps Tailscale describes, but still no LAN access. No blocking rules show up in the logs. I’m stumped.
Yes. Most go from pfsense to opnsense, including myself.
No one is forcing you to install updates, just skip them if you think that’s better for you, but many are security related.
That sounds easy enough, but it creates a situation where I don’t know what updates are important (security) and what updates are minor. So I have to read the release notes for each update and then decide if I need it to patch a security vulnerability.
Where with the other method, I know the update is likely critical.
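One way to make the "read every release note" chore cheaper is a first-pass filter that flags entries mentioning a CVE or a security keyword. The script below is an added example for this thread, not tooling from OPNsense, pfSense or Netgate; the RELEASE_NOTES text is a constructed changelog excerpt, and the CVE identifiers in it (year 2099) are placeholders of the right shape, not real advisories.

```python
"""Triage firewall release notes: which entries look security-relevant?

Added example for this thread, not code from OPNsense, pfSense or Netgate.
RELEASE_NOTES is a constructed changelog; CVE-2099-* are placeholder IDs.
"""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Words that usually mark a security fix in a changelog entry.
SECURITY_WORDS = ("security", "vulnerab", "advisory", "exploit", "openssl",
                  "privilege", "bypass", "injection", "overflow")
# Leading list marker used by many changelogs ("o ", "- ", "* ").
MARKER_RE = re.compile(r"^[o\-*]\s+")

RELEASE_NOTES = """\
o system: fix dashboard widget alignment
o firewall: alias import button was missing its tooltip
o security: update OpenSSL to address CVE-2099-0001 and CVE-2099-0002
o plugins: os-haproxy 4.0 adds HTTP/2 backend option
o ipsec: authentication bypass when a peer ID is empty (security advisory)
o interfaces: allow VLAN priority 0 again
"""


def classify_entry(entry):
    """Return (is_security, cve_ids) for one changelog entry."""
    cves = CVE_RE.findall(entry)
    low = entry.lower()
    is_security = bool(cves) or any(w in low for w in SECURITY_WORDS)
    return is_security, cves


def triage(notes):
    """Split release notes into security-relevant and other entries."""
    security, other = [], []
    for raw in notes.splitlines():
        entry = MARKER_RE.sub("", raw.strip())
        if not entry:
            continue
        is_security, cves = classify_entry(entry)
        (security if is_security else other).append(
            {"entry": entry, "cves": cves})
    return {"security": security, "other": other}


def must_update(notes):
    """Decision rule: install promptly if any entry is security-relevant."""
    return bool(triage(notes)["security"])


if __name__ == "__main__":
    result = triage(RELEASE_NOTES)
    for item in result["security"]:
        print("SECURITY:", item["entry"], item["cves"] or "")
    print("update now:", must_update(RELEASE_NOTES))
```

Keyword matching is only a filter: read the flagged lines yourself, and treat a release with no flagged lines as "optional" only after skimming the rest, since vendors do not always label security fixes as such.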
For some, those frequent updates are a plus; for me they are not. So use what works best for you! But right now I couldn’t use OPNsense even if I wanted to, as it’s FIPS non-compliant due to them still using the deprecated EOL OpenSSH 1.1.1, with no date set to move to v3.
No, I like pfsense because it has less frequent updates and is better documented.
Here is one of the better guides that helps you config much of what you are talking about:
https://nguvu.org/pfsense/pfsense-baseline-setup/
Plus, OPNsense gets most of their code from the work done by pfSense, and often has to wait on them to push the code. Just look at what happened with TLS 1.3.
Chuckle, butthurt downvotes but not one comment to dispute anything I said. Enjoy the deprecated OpenSSL without security updates.
opnsense seems to be made by people who don’t hate me, so I use that.
I personally, choose to not support companies who are assholes.
And, especially companies who call their open source competition, “Nazis”.
Screw netgate.
I moved to VyOS from OPNSense, I like VyOS a bit better, because of Ansible integration etc + it’s Linux not FreeBSD
VyOS is very good. It’s a fork of Vyatta which was sold to brocade and sold again to ATT. Ubiquiti products use a fork of Vyatta as well (EdgeOS on their edge routers for example). I used to work with Vyatta and Brocade so I was a big fan of the Edge line for home and SMB. Since Ubiquiti shelved EdgeOS and stopped putting meaningful updates out I switched to VyOS rolling on my home router with one of those Beelink mini PCs with dual nics.
Is there any way for us home labbers to get more recent versions of VyOS without having to build it? It used to be easily accessible; now, not so much.
Without paying you need to use the rolling / nightly iso.
They have step by step instructions in their documentation. They even give you the commands to run so you only have to copy and paste.
You literally git clone their repo, cd into the cloned directory, run a docker container and build the iso using the docker container. Took me 5-10 minutes using a single alder lake P core to make the .iso.
I’m using VyOS in my work environment now, got free licensing because we are a non profit. It’s been great.
OPNSense is far more willing to add “experimental” features and as a result you get a firewall that has more features out of the box, but is less stable.
pfSense is very slow to add new functionality, but the platform is rock solid as a result.
It all comes down to what you want. Do you want to play around with an appliance that has all the knobs, but also some eccentricities, or do you want an appliance that may not have bleeding edge features, but is far less prone to error.
I have an extensive config including VLANs, plugins, policies, Suricata, VPN, routes, gateways, HAProxy, etc.
When you have an extensive config, you should always test the upgrade on a “lab” machine before applying them to your “production” environment. You don’t just apply the update blindly and hope nothing breaks.
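A concrete way to do that lab test is to back up config.xml before the upgrade and diff it against the file the upgraded system writes back, so silently migrated or dropped settings show up as paths rather than as surprises later. The script below is an added example for this thread, not tooling shipped by OPNsense or pfSense; it assumes the configuration lives at /conf/config.xml, and the BEFORE and AFTER documents are constructed stand-ins for a pre-upgrade backup and the post-upgrade file, not real exports.

```python
"""Diff a firewall config.xml before and after a lab upgrade.

Added example for this thread, not code from OPNsense or pfSense.
Assumes the live file is /conf/config.xml; BEFORE/AFTER are constructed.
"""
import sys
import xml.etree.ElementTree as ET

BEFORE = """<opnsense>
  <system>
    <hostname>fw1</hostname>
    <timezone>Etc/UTC</timezone>
    <ssh><enabled>enabled</enabled></ssh>
  </system>
  <filter>
    <rule><descr>allow mgmt</descr><interface>lan</interface></rule>
    <rule><descr>block guest to lan</descr><interface>guest</interface></rule>
  </filter>
</opnsense>"""

AFTER = """<opnsense>
  <system>
    <hostname>fw1</hostname>
    <timezone>UTC</timezone>
    <ssh><enabled>enabled</enabled><passwordauth>1</passwordauth></ssh>
  </system>
  <filter>
    <rule><descr>allow mgmt</descr><interface>lan</interface></rule>
  </filter>
</opnsense>"""


def flatten(xml_text):
    """Map every leaf element to path -> text. Repeated siblings get [n]."""
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
            return
        seen = {}
        for child in children:
            n = seen.get(child.tag, 0) + 1
            seen[child.tag] = n
            walk(child, f"{path}/{child.tag}[{n}]")

    walk(root, f"/{root.tag}")
    return leaves


def diff_config(before_xml, after_xml):
    """Return added, removed and changed leaf paths between two configs."""
    a, b = flatten(before_xml), flatten(after_xml)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in a if k in b and a[k] != b[k]),
    }


def report(diff):
    """Render the diff as one line per path, for a quick review."""
    lines = []
    for kind in ("added", "removed", "changed"):
        lines.extend(f"{kind:8} {path}" for path in diff[kind])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage on a real box: python3 confdiff.py backup.xml /conf/config.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(report(diff_config(f1.read(), f2.read())))
    else:
        print(report(diff_config(BEFORE, AFTER)))
```

Paths are positional (rule[2]), so deleting a rule in the middle of a long list shows up as a cascade of "changed" entries rather than one "removed"; if that matters, key rules by their descr or uuid child instead of their index. The settings worth reading first are the added ones in system and filter, since a new knob with a default you never chose (passwordauth above) is exactly what an upgrade test exists to catch.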
yes. netgate is evil and less reliable than opnsense if you make use of fancy stuff
Running Suricata and HAProxy will be the cause of your slowness / weirdness.
Yeah no
Nope. I moved away from pfSense several years ago and could not be happier. I am running production off a 2-node, 24-VLAN cluster and it’s rock solid.
I’ve been using pfSense CE for 4 years now. I’ve thought about it a couple of times, but I have a few reasons I’m staying on pfSense:
- No config migration tool. Yea, I could spend an afternoon redoing my config. But it’s not really worth it imo.
- It’s been rock solid for the last few years.
- BSD has finally been updated! Allowing drivers and whatnot.
- I believe Netgate to be a good contributor for BSD. They’ve added many drivers. Such as the i225/226. Yea, it takes awhile.
- The changes are aggravating, but I’m still running CE. The only feature I feel I’m missing is the boot environments support.
I went from pf to openwrt. So far, so good. I’m sure it’s not as powerful as a pure firewall device, but it suits my needs.
If you have a home lab, offshore what you can from your firewall. The less it does the more secure it is. Once you’ve watered it down to maybe DHCP and suricata then there’s almost no difference in pfsense and opn.