pfSense vs. OPNsense

I’ve been using pfSense for around 10 years on Netgate equipment (their entry or slightly above entry level SG models) and have had great success with them. Yes, I’ve had a few fail, but overall I understand it and I actually like the UI (although I haven’t tried OPNsense so maybe I would like that more).

One item that I use frequently is to SSH into pfSense and hit 8 for shell and then run “clog -f /var/log/filter.log | filterparser.php” to monitor logged activity (blocks and passes as I have them set up). You can of course also pipe the output to grep and have it running while doing testing or trying to diagnose something. I assume OPNsense has similar if not the exact same functionality from CLI? One major item I can’t get past is that I have to SSH into the pfSense and hit 8 and then run an alias for this command; I can’t simply run the alias via SSH command directly due to having to press 8 for shell.

I also like (prior to all of the politics) that I was purchasing Netgate equipment and it worked right out of the box. I didn’t have to play around with different hardware and take risks whether or not the software was going to work.

2 Likes

I generally don’t buy the hardware unless the site is going to be utilizing the base level of support as it comes included for life of the product. Then the support agreement will pay for itself generally in a few years vs buying support separately.

A HP T620 Plus to T730 have served me well over the years since requiring AES-NI. After migrating all of my clients to supported hardware only for them to walk back the requirement. Oh well, everyone got the increased OpenVPN throughput, so not a total loss. Plus I get plenty of billable hours finding a new platform, testing at home for months, and then ordering 2 dozen, setting up the same and then moving images over. I still have 3 x T620 Plus and 1 x T730 on the shelf behind me as cold spares.

I’m currently looking at Qotom Q20332G9-S10 type products to start deploying in higher demand sites. They have a rack mount variation which will be getting ordered soon for home to test.

2 Likes

From my experience OPNsense has nothing to offer that would justify a drastic change. I do want to point out that pfSense is already on FreeBSD 14.0-CURRENT and whilst updates are not as frequent, I am unsure this is really an objective KPI as I feel that measuring the reliability of software on how often an update is available is a rather superficial measure. In my view, I would like as little as possible interference and reboots for the traffic warden of my entire network.

In the end, to me pfSense has been reliable beyond any expectations and accepts whatever I throw at it including hardware upgrades and stuff.

2 Likes

Your point is valid… but this is an edge device. I, personally, view frequent updates as a good thing under that use case.

2 Likes

A company’s behaviour tells a lot about it.

4 Likes

It’s surely objective, but that doesn’t make it relevant, and I largely agree with you here, particularly when the packages for pfSense are still regularly upgraded. The question is whether they’re frequent enough, and that’s hard to measure objectively.

That’s true, but I think it’s important to distinguish between (1) “they’re jerks,” and (2) their behavior over time raises a serious question about their commitment to open-source software. Both can be true (and I personally think they are here), but I think the latter is considerably more important.

2 Likes

Wouldn’t you agree that the entire user community got a bit spoiled over the past years with “open-source”? I might be of a different generation but not so long ago, a user went with what was best for their application, regardless of open or closed-source. I sometimes think it has become fashionable to care about these kinds of things, making me in this case “less of a geek” because I don’t want everything to be open-source, which could be considered “uncool”. Frankly, I couldn’t care less. I encourage open-source and support it but it is not something I pursue as a requirement.

1 Like

I’ve been using pfSense for years, and I’ve stuck with it because it generally seems to have a more enterprise-focused direction. I would absolutely use it in any application, work or home, where a regular Layer 4 firewall is needed. I’ve used multiple pfSense VMs for all sorts of whacky things in production, and I’ve also had a good experience with 1st party hardware.

I have been, however, very vocal about some of Netgate’s choices as far as the community goes. Without re-hashing those grievances, let’s just say it’s somewhat discouraging.

ALL of that being said, I’ve been more interested in potentially moving to OPNSense. The code tree between pfSense and OPNSense is wide, and there’s a lot of differences these days; the situation is not as it once was. Particularly interesting is the Sunny Valley Network integrations:

OPNsense® partners with Sunny Valley Networks - OPNsense® is a true open source firewall and more

This partnership is now fairly well engrained in the product, and Sensei (now ZenArmor) seems to be a lot more mature than when I last looked. Bringing true Layer 7 firewall capabilities into my home for a reasonable sum of money is enticing. Zen Armor is available for pfSense, but it is not “officially supported” unlike in OPNSense.

Zenarmor (Sensei): Overview — OPNsense documentation

Zenarmor - Agile Service Edge Security

I had previously demoed a small Palo Alto, but getting something that will actually route at the speeds I need would cost a fortune. ZenArmor is really the only game in this town for the $$.

I’m not sure why this topic doesn’t come up that often in these types of discussions, but it’s a real game changer IMHO.

3 Likes

Isn’t this something that should be avoided for such a critical piece of software?
CURRENT branch is the “bleeding edge” of development.
If I remember correctly Netgate called it somehow different but they already used 14.0-CURRENT as base when release of FreeBSD 14.0 was far away.

So this is a clear win for OPNsense, which is based on a more stable version instead of some “beta” IMO.
It may be a conservative approach to be a little behind with base, hardware support may be not that good, but it will definitely be less buggy.

1 Like

No, I don’t think I would. But I also don’t think that’s especially relevant to the concern I raised. Netgate claims, quite loudly, to be an open-source software company:
[image]

[image]

But they don’t act like it. Whatever value you might place on open-source software for its own sake, that seems kind of dishonest on their part.

Moreover, while “choosing what works best for you” is always good advice, there are objective benefits to open-source software that go beyond the price tag. I don’t particularly care what the “cool kids” are doing, but I do want a solid solution for my needs. Increasingly often, that solution is provided by open-source software.

5 Likes

I was a long time pfSense user. I switched to OPNSense about a year ago primarily because of the confusion over the pfSense+ license debacle. An additional reason was that I wanted to use ZeroTier for a ham radio use case.

ZeroTier works great. I also found that the Geo IP blocking is stupid simple in OPNSense whereas in pfSense you need the pfBlockerNG package and it is more complicated to configure.

In both cases, I ran them on a pair of HP T620 Plus thin clients, and they have been rock solid. I even put a fiber card in the PCI slot to run OM3 fiber from my ISP’s ONT.

After using OPNSense for a bit, I am used to the web UI and prefer it to pfSense - but there was a time when I thought the reverse. You can get used to anything.

2 Likes

I’m with pfSense strictly because of the filtering solution I use. And while it would still work in OPNsense, they don’t officially support it.

One day maybe I’ll switch.

1 Like

Funny, i just read that pfSense is moving to Linux…HERE

4 Likes

Linux Kernel with FreeBSD userland? That’s not quite the worst of both worlds, but it’s the closest you can come without cherry-picking bits and pieces to create a frankenOS to rival the levels of pain typically associated with crap like AIX or Windows 9x.

2 Likes

Do pay attention to the date on that post.

6 Likes

If it’s a joke, their sense of humor has not improved since the OPNsense unpleasantness. Date aside, there’s really not much out of place.

1 Like

At least there’s no goatse.cx this time…

But if it is true, then any philosophical or technical preferences you have for Linux or FreeBSD would certainly be relevant to the decision whenever pfSense-Linux drops.

Edit:

2 Likes

It does seem to have been a joke (at least judging by their forum users’ stance and lack of official comments on the matter), in which case boy did they need a punchline. Sure, it hit all sorts of buzzwords, but nothing too insane (and nothing they wouldn’t care about).

Is the joke that they already have a Linux product? Are they really just aliens with no sense of humor who are stranded on Earth and figured they might as well do a firewall distro or two?

1 Like

I tend to assume that anything outlandish posted on April 1st is intended to be an April Fool’s joke. But then, this forum exists, so…

6 Likes

Date checks out

1 Like