That is amazing. I’m not really clear how that can function in the context of encrypted traffic but considering how slow my internet traffic is, I might spring for the $65 AliExpress special mentioned and just plug it in to see if I can make it work.
As @dan knows all too well, I have a clown car full of bags of tricks to make his excellent scripts / tutorials fail in all sorts of unanticipated ways. Usually spectacularly. So let’s put this guy to the test.
I started with pfSense about 5 years ago on a QOTOM Q575G6 i7-7500U, 8 GB RAM and 64 GB SSD for home use.
DHCP, firewall, NAT, IPS, DNS filtering, VLAN, VPN.
Despite a fairly standard configuration, it wasn’t rock solid and restarted for who knows what reason about once a month. Updates sometimes fixed one problem and introduced another.
Then I switched to OPNsense, same hardware, same configuration, obviously using Suricata instead of Snort, but everything worked.
I added the mimugmail repository to add AdGuard and a couple more plugins.
My practice is to make a backup before every change I make, and to always stay one release behind.
E.g. I’m on release 1, I update to 2 when they publish 3, and in any case I check on the forum to see if there are any known problems.
Recently my QOTOM died, so I took advantage of it to assemble a new PC with Proxmox and virtualize the firewall and more. AdGuard ended up in a dedicated container so as not to mess with unofficial repositories.
My switch from pfSense to OPNsense was due to a not very stable system and their behavior at the license level, as well as not very fast updates.
Among other things, I feel better with the OPNsense interface and the Vicuna theme.
That one was a silly shot at their own feet, but not something that ever bothered me. It was transparent, vaguely-understandable and not a sleazy alteration of the social contract… Just pointless.
Thank you for the video link, I am going to subscribe to this content creator as this video seems quite clear and pleasant. One nit, that he refers to OPNsense as running under/as Linux, but aside from that quite easy to follow.
EDIT: turned out I was already a subscriber, so changed my alerts to ‘all’ and tapped the like.
He does at least post a correction, both in the description and as a pinned comment, but it set my teeth on edge too. But it didn’t seem deliberate, as his CCNA jab was.
Not really. In 2017, Netgate announced that the next release, 2.5, would require AES-NI to support an overhaul of the UI/API (and I recall they gave more detail, but I don’t remember it and can’t find a link at the moment–edit: here’s the announcement: pfSense 2.5 and AES-NI). AES-NI was released in 2008 and had been very common for several years by the time Netgate made that announcement, but people still freaked out–I guess they wanted to keep using their old 386s or something. In 2019, they announced they’d abandoned that requirement (and the “pfSense 3.0” that was discussed back in 2017 is still a long way off).
IMO, this was a tempest in a teapot. pfSense has certain hardware requirements, and they’re bound to change over time. They gave a good amount of advance notice of the change, and a more-or-less reasonable explanation of why they were doing it. My last four pf/OPNsense boxes (i.e., all of them) have supported AES-NI–this point isn’t even on my list of concerns with Netgate, and that list is pretty long.
I looked at QAT but my CPU doesn’t support that. But then again, I don’t use VPN for home purposes and I have no use for logging into my router remotely. My Nextcloud instance I access through an FQDN with Let’s Encrypt certs and a reverse proxy, and that works like a charm.
Are there any other purposes where you would benefit from QAT or even AES-NI for that matter?
Intel® QAT is an integrated workload acceleration feature on Intel® Xeon® Scalable processors purpose-built to improve performance and achieve greater efficiencies in compute-intensive processes, including workloads in AI, analytics, application and content delivery, high-speed networking, and more.
As data sets continue to scale exponentially, these advanced use cases require more resources and greater performance. Such demanding workloads amplify the need for data compression and decompression, cryptographic ciphers, and public key cryptography to support operations and protect the integrity of data in use, in flight, and at rest.
While compression and encryption make it possible to handle large files and advanced applications, the enabling processes themselves consume significant compute resources.
Intel® QAT offloads these computationally intensive operations from the CPU cores, allowing the CPU to perform other tasks more efficiently for greater overall system performance, efficiency, and power.
Intel® QAT boosts workload performance to meet the demands of today’s data-intensive and network-dependent workloads, helping systems to serve more clients with a lower data footprint and higher performance. Intel® QAT can deliver significant acceleration for data compression as well as symmetric and asymmetric data encryption and decryption.
I enjoy Lawrence’s content, but yes, he does seem to have a bias for pfSense.
For example, he did a roundup of firewalls,
but he omitted OPNsense. Why?
On a few occasions he answered why he doesn’t talk about OPNsense: he said it’s because he doesn’t use it himself. Fair enough.
But… like the video I linked, when you do a roundup deliberately and leave something like OPNsense out, that seems a bit sus.
So take it with a grain of salt. Though he did seem to redeem himself with the OPNsense vs pfSense video, to address the elephant in the room, so to speak. Even if you disagree, at least he goes into what he thinks was good or bad in the comparison. It’s videos like this I am more interested in, really.
I’ve been wondering if it’s time I try out OPNsense, but I’m still researching it.
I think so, but I hope my comment doesn’t sound like it’s unreasonable or dishonest, because I don’t believe either of those to be the case. I do think the bias is there, but I’m sure I’m more sensitive to it because I disagree with it. And he has lots of good content about pfSense (and many other subjects).
I’d like to see an updated roundup, because I think the options are dwindling unless there are others I don’t know of. I don’t anticipate moving from OPNsense any time soon, but it’s always good to know what’s out there.
I didn’t want to sound like Lawrence is a bad dude; I don’t think that, as I am still subscribed. He does more good than bad; nobody is perfect.
OPNsense, pfSense, OpenWrt. Ubiquiti (Dream Machine??) has a nice UI if you want to get into their ecosystem. Other than this, nothing has really fallen onto my radar of interest. RT Merlin was great back when I was using off-the-shelf Asus routers, but I’ve long since moved on.
Oh, I was watching this recently. This setup uses Proxmox, then installs OPNsense on top of that. This was what I was contemplating for myself.
So if OPNsense didn’t work as well as I hoped it would, I could then switch back to pfSense, also using Proxmox. For someone like me who tends to want to experiment, maybe this is a good solution, hm…
IMHO saying “I don’t use it so I don’t know much about it, hence I won’t speak about it” is something noteworthy: too many people speak without knowledge today (maybe yesterday as well, but hey… I was not there yesterday). Knowing your limits is a good thing.