I wouldn’t consider the Unifi stuff because it only runs on their hardware (not that I don’t like their hardware, but the field I have in mind is open-source router/firewall software). You can add IPFire to your list, I think–I haven’t used it, but it appears to be a GUI-fied Linux router distro, and it seems it’s been around for a while. DD-WRT and its variants are out there, but I don’t recall if they run on x86. VyOS, AIUI, should do the job, but it’s CLI-only.
I’d considered virtualizing OPNsense–that’s a big part of why I bought my Microserver with its 4x GbE ports–but still haven’t done that, leaving it on bare metal. I think if I do virtualize it, it’ll be as a HA node rather than as the primary router.
True, but there’s also a point where you should learn. And a “Open-source firewall roundup” video is one of those points, IMO.
agreed. i like the software but i dont want to be bound to the hardware… so you really need to like both or turn a blind eye to the hardware if you want marry into the ecosystem (is that the right word for it? )
this is what pfsense and opensense do nice. you can install in your own hardware. you just need to meet the requirements, that’s it.
Thanks for sharing my videos, but first things I want to say is that I am not here to defend dumb things Netgate has done in the past, such as the domain squatting, or tell anyone not to use OPNSense, use what makes you happy.
My “bias” towards using pfsense is first that I have a lot of experience not just with using it personally but through thousands of business deployments we have done and many that we continue to maintain, my second bias supporting companies a major upstream contributors to the upstream FreeBSD code base.
What I want you to consider is that two big anchor projects that keep FreeBSD relevant to the many of the users here in this forum are TrueNAS Core (which as we all here know is becoming less popular) and pfsense. Without companies like Netgate employing many people that are making those firewall relevant contributions upstream to FreeBSD all downstream projects would suffer.
You can read this report from FreeBSD which shows Netgate contributing about 8% of the overall commits to FreeBSD and of course those commits are mostly going to be things that benefit firewall features.
I know that OPNSense has a much smaller team which makes them slower to adopt big underlying updates and that sometimes left them trailing behind in security. And due to the number people asking my so frequently about this I have a post in my forums explaining in more detail OPNSense VS pfsense Security - Networking & Firewalls - Lawrence Systems Forums
For me and all the business solutions design and consulting we do, we are going to keep going with pfsense as there is not any compelling reason for me or my company to move to OPNSense. That is what works for me and my team, as I said in the beginning, you are free to choose what works for you.
Everyone that piece of software that one finds suitable to use.
Wireguard debacel was the point where i decided to stay with opnsense.
Only thing i’m still missing is some statement regarding used freebsd version from netgate.
Are there some opinions on pfsense using unreleased development branches as base?
Opnsense may be slower with adopting underling big updates, but at some point they said that 14.0 is not stable enough to switch so they’re waiting for 14.1 which is fine IMO, it still works.
On the other side pfsense plus 24.03 is now based on 15-CURRENT where i cannot find release date now?
So netgate is doing test of develoment branch before release now, or is customer supposed to test it?
Feel free to prove me wrong, but the Ars Technica piece over exaggerated the claims to make the story more clickable (yes, even tech news sites do that) my evidence for that is how minor code changes and why Rubicon Communications, LLC (Netgate) is still listed as the sponsor of that code, you can see that code here:
They moved to main branch because when support for new hardware is added to FreeBSD, it goes into the main branch first. When Netgate contibutes code it is also targeted for main and then would have to be backported. Tracking the main branch of FreeBSD gives pfSense software the most up-to-date drivers for a variety of hardware.
They have a write up with more details here pfSense Software is Moving Ahead
And as far as I know, OPNSense does not havae as many devs on their team so it may not be possible for them to test and validate a main branch build, but Netgate does. Also, I would not be able to manage all the installs we have with our clients if it was not stable.
i had watched a lot of lawrence’s videos which got me to try their unifi wireless ap. it’s nice. just not sure about the firewall stuff, but now it’s covered vs pfsense.
“Set it and forget it” is not as good of a thing as it seems like it should be, especially when it is a hardware-software combination. The hardware could become silently deprecated and obsolete, which would then mean that you would no longer get any ‘automated updates’ to the applicable software. It is good to be forced to monitor updates, even if those are automatically downloaded and ready to install, do not require a reboot, or sometimes do (which is extra good to watch it proceed – just in case) but regardless of the simplification of the process still requires intervention which means you know the status of the support and functionality overall.
I switched to FOSS due to linksys dropping support for my hardware (their device) which was technically entirely functional but was simply an older model of the same device. Because I had the older, the security-related software bits were not updated any longer. This woke me up to my mistake in purchasing a linksys firewall/router which is tied to the manufacturer’s software support.
With FOSS, I can put the software on ‘whatever’ and I did, even attempted a 286 which sort of functioned but IMHO my software choice (along with my own newness) meant this was not ultimately as functional as I desired. Later I noticed and compared the roadmaps for OPNsense and the other guys, and it looked like OPNsense would get more done in a better timeframe. So I switched to OPNsense and I have not had much difficulty since.
One niggle in the time I used OPNsense was an intel related security setting which caused my amd install to have issues, but this was FreeBSD related and easily circumvented once I knew the sysctl to adjust. In actuality my difficulties were essentially issues with FreeBSD and not something in OPNsense itself. My present hardware and configuration has not caused me any issues since shifting to a free business-oriented intel box I was given.
Logged into my OPNsense box this morning to see that an update was available–it was nice to be able to update to 24.1.7 without needing to reboot. That’s sometimes possible with OPNsense and sometimes not, but it never was with pfSense.
Now if it could only notify me when an update is available, without my needing to log into it…
Ah, but pfSense uses ZFS alternate boot environments, (if I remember correctly). Thus, the ability to roll back with a simple reboot, (just like Solaris 10/11).
OPNsense uses A/B partitions for major updates, again if I remember correctly. However, can the rebootless update be rolled back?
Package updates in pfsnese do not require reboot and neither do most of the “System Patches” OPNsense does more updates that are just the packages and some of the underlying FreeBSD packages and those don’t always need a reboot. Netgate rolls those into their bigger updates unless there is a security reason to patch them sooner.
It’s been a few years since I used pfSense, but when I was using it, every pfSense version update, without exception, required a system reboot. Many, though not all, OPNsense version updates run without requiring a system reboot.
It’s also correct that OPNsense lets you bulk-update packages, while pfSense never did while I was using it. But I was talking about version updates to OPNsense itself.
Not sure about how you might do so with/on the device, but I believe for at least its significant updates, those are posted on the ‘announcements’ forum on the OPNsense forums site and it is possible to grab that as an rss feed and be notified by way of an rss reader alert of some sort.
)
