Opnsense vs Pfsense ~ My own thoughts and concerns

pfSense does have some great documentation and a large community, but unfortunately, some of their most knowledgeable community members seem to have ego problems. If you ask a question, they won't hesitate to tell you how stupid your question is and tell you to google it. The OPNsense forum is much more newbie friendly.

Thank you for this video. I looked at both and was exposed to pfsense when I was helping administer a system installed at a local charter school. Even though I had used pfsense, I felt that opnsense was easier to administer so that's what I went with at home when I gave up on network "appliance" routers. You've confirmed that my decision was the right one for my situation.

been looking into setting up an open source firewall at home and have been considering both of these. I've watched a few vids on it, and I think after this one I'll be going with opnsense. thanks for all the great info! subbed for sure

After a recent breach of my local network using a popular brand of home all in one router/switch/access point, I decided to finally pull the trigger and ordered a ProtectLi box. It’s coming pre installed with OPNSense and at first I was hesitant as I wanted PfSense. After watching through your video series, I feel way better about sticking with OPNSense, especially due to the updates! With how many vulnerabilities are constantly being uncovered, no updates is not an option when it comes to network defense!

Thank you very much for addressing all of the controversy!! This was definately totally needed. You said what I never could have!

After hearing lots about Pfsense I was definitely leaning towards it for my firewall choice. Hearing about the development history, controversial actions and having the lack of regular updates for the CE version pointed out I'm definitely taking a closer look at OPNsense. Thanks for such a balanced comparison.

Good review. I used pfsense for years and for the most part had no issues until I needed to implement AQM with dual WAN's. This worked fine for a while until a software update came out and it broke dual WAN AQM. It was a real pain to fall back to the previous version. So at the time I tried OPNsense and it just worked. And not only did it work but it was way more intuitive on how you control pipes and queues along with their associated rules. Its true that OPNsense has lots of updates which might introduce problems but so far I have not had any. Like you said they are both good firewalls but I am going to stick with OPNsense from now on until something bad happens and I need to re-evaluate. It is for now the best firewall for my needs.

This guy makes some real good points and he isn't afraid to call out ppl! Subbed!

Great video!
But you forgot the cool feature of OPNsense where you just type what function you want, in the search bar and it pulls up the meny for you.
A function i use ALOT.

The fact that the m0n0wall developers recommend OPNSense and FreeBSD maintainers closely coordinate with OPNSense maintainers tells me something already...
As far as I am aware, pfSense did contribute something to FreeBSD but it was an Intel NIC driver they needed to be maintained in FreeBSD for their new hardware.
1 thing to note here, OPNSense Bussiness edition is mostly adding a management console for all your remote firewalls and cloud backup of your configs, which you could set locally on your own, with a storage device - it doesn't hide patches or firewall features.

Thank you for mentioning the concerns about the CE. I feel like nobody talks about this.
To me it looks like Netgate slacks on the progress of the CE to lure people to switch to the business edition. There's a free licence you can use. "So what's the problem?" you might think. Maybe they want to let the CE die because it's free and brings them no money. As soon as they let it die in a future point of time they will sooner or later kill the free business licence and force you to pay if you want to keep using your pfSense. Think about it - it's every companie's goal to make money.
I switched from pfSense CE to OPNsense CE about 3 weeks ago and don't regret a thing.

Excellent comparison between the two firewall. I support both but the once a year updates and the current direction of netgate/pfSense will likely cause me to switch to OPNSense for all new customers.

My impression is that Netgate is similar to Oracle.

Quality review. Fair and comprehensive cover of the two platforms. I’ve personally been running pfsense for about 10 years and it’s been solid.

This is a great unbiased comparison. Thanks for making this video.

100% agree. I was thinking about the pfSense update a few months ago. I'm going to look into OPNsense soon. Do you have any video how to get started on OPNsense.... Thanks for sharing!!!

We need more free minded youtubers like you man! Thank you so much for clearing this up for me!

These firewalls are solid, i have tried both of them. I am more familiar with pfsense so that is what I use.

I ran m0n0wall and DD-WRT back in the early 2000's good stuff indeed. I do remember "being there' when the project winded down but I can't recall the reasoning 20 odd years later.

The background in the intro is the best! Also can you please share your homelab setup

Great video. I learned a lot. Thanks!

So glad I came across your channel. I am curious if you have in mind a video to demonstrate how one could connect datacenters with OPNsense w/ospf at the edge. Full mesh without using IPsec tunnels would be incredible.

Welcome back.. 🌹🕊️

I switched to OPNsense about 2 years ago and could not be happier.

One cool fact about Pfsense is that even if you acquire their appliances second hand, you just need to provide a picture of the serial number and they'll give you an iso for their plus edition OS. They do it pretty quickly too.
I have a netgate 7100 I've been toying with the idea of running OPNsense on it.

I've been using OPNSense for over 2 years now and it works perfectly for my needs. PFSense is great too :)

Thanks a bunch!

thanks for your honest comments trying to keep peace in the world :)

I have a strange problem with opnsense appliance that working on hyper-v. When I'm using console of appliance to ping something, the only way to stop this process is to ssh to appliance and kill the process from command line. And i'm still don't find more comfortable solution 😥

Solid review, and excellent timing for me (considering which to use on some new installs)! Every company has some kind of bad blood (maybe not as bad as pfsense's), I think it's down to three major things - what interface do you prefer, do you want hardware from the authors of the firewall, and how often do you want updates? For me, I think it'll be opnsense. I've loaded both on a small firewall appliance and the only major difference was the four interfaces loaded in the reverse order on opnsense! :)

I went opn since I have i-226 nics. I'd like to try pf too.

I used pfSense at home for 5-6 years before switching to OPNsense earlier this year, after an unsuccessful attempt to switch a couple of years earlier. The Netgate drama was a big part of my reason for wanting to switch, as was the Wireguard issue. On the latter, it wasn't so much that they'd contributed garbage code (they'd hired a dev whom they had every reason to trust to do good work), but their response when it became apparent that the code was garbage was to blame everyone but themselves. You provided this code, folks; you're responsible for it. Another point, not mentioned in this video, is that there's some serious question whether pfSense is truly Open Source--the claim is being made (and pretty credibly to my uneducated eye) that ESF/Netgate/whatever they're calling themselves now *have not* released all the source code, and that it's impossible to build pfSense with what they have released.
As you say, functionality between the two is about the same, and so is the logic--if you know how to do something on pfSense, you can probably figure it out pretty quickly on OPNsense (more so for the core features than for the plugins). OPNsense's GUI is *much* better IMO than pfSense's--not only in terms of "it looks better" (though it does), but also in that the organization is more logical (which of the pfSense UI designers thought that (1) the reboot/shutdown options should be in the Diagnostics menu, rather than System; (2) they should *not* be adjacent to each other in that menu; (3) they should be labeled "halt system" rather than "shut down"; and (4) they should just be in alphabetical order in a 20+-item menu?). Hairpin NAT works for me under OPNsense; I was never able to make it work under pfSense.
The biggest downside in my experience has been the OPNsense forum, which has been useless for me. I've been working with F/OSS for 20+ years--I know how to ask a question and provide a reasonable amount of supporting detail. I recognize that the vast majority of the people there are volunteers, not paid staff. But when the response to "DNS isn't working" with a good bit of supporting detail is crickets, that's a bit of a problem. I found more support on the TrueNAS and Nethserver forums than I did on the OPNsense forum.

very informative video, thanks for that. but I am still struggling to choose. I have run a TrueNAS server for the past 5 years, with no dedicated firewall (just diy geoblocking) and now want get into the topic. for a complete firewall newbee, which one do you think is easier for me to start? The one with the more intuitive GUI or the one with the huge community with a recipe for every need?

I noticed you didn't call it out directly, but the bad faith trademark stuff they did was against the OPNsense team. The pfSense development team was mad that some developers decided to go their own way and had the audacity to try to make something better, so the pfSense folks acted like children.

only two things that made me switch back from opnsense was looking at the traffic graph it didn’t really show current talkers but more it didn’t show me the names so i’d have to know the ip of devices or look at the ip tables. also not having tailscale in the plug-in or packages. but opensense was super fast doing anything or doesn’t make you wait before you can do anything else. i guess zerotier is similar to what i need tailscale for just need to look into it more how to use.

I considered switching to OPNsense when I replaced my old NetGate router hardware. In the end I stayed with pfSense primarily because they have much better documentation. OPNsense is like a man page describing available settings whereas pfSense has that plus practical examples, reasons you might choose one option over another, explanations of higher level concepts, and links to additional info.

I dropped pursuing pfsense after the trademark trolling and then the wireguard debacle. You can't trust a company with securing your infrastructure when they behave in such an unethical way and have such poor quality control.

Question: Mikrotik vs one of this two software, witch one you recomend?
Regards

I use them both and each has a specific purpose. PHP on pfSense is buggy, hence the restart option from console. OPNSense update cycle can be seen as too frequent.

Are updates in pfSense CE lacking security patches or is it feature lag?

I used pfSense for years and had no issues until the update from 2.4.5-p1 to 2.5.0 and then the router started to hang intermittently. I stuck with it until 2.6.0 but the hanging continued and actually became worse. I re-installed and set it up again manually since re-installing and re-importing my config did not resolve the hanging issue. Shortly after 2.6.0 I ditched pfSense and went to OPNsense and was very happy with it until the last update and now a specific use case is not working correctly (SOCKS5 proxy via SSH) - I can't even get 1 Mbps throughput, whereas previously I was getting normal throughput. I've been doing this since about 2009 (on DD-WRT, EdgeOS, pfSense, and OPNsense). I did not like the constant updates with OPNsense as that leads to issues with stability. Now I'm ready to go back to pfSense after they move to FreeBSD 14 and hope the intermittent hangs go away. I know the intermittent hanging on pfSense is related to my SOCKS5 proxy via SSH because if I don't use the proxy the router is stable and never hangs. Ultimately I may have go back to pfSense 2.4.5-p1 or the original version of OPNsense that I installed which I really don't want to do due to security issues... The hangs with pfSense are not hardware related as I had it happen on two completely separate hardware devices (that are very much overpowered for pfSense / OPNsense).

FreeBSD 12.3 supports these NICs from the LTT video, however, they forgot to add boot configuration to enable them. Kinda like Linux kernel modules, in a sense. Just to note.

It's not just the updates, but also the code of opnsense is more moderm

Is wireguard secure enough. Like ikev2

This was a good video, but honestly, I still have no idea which one to go with after watching it. All of my hardware is seen by both so that makes things even more difficult. Choices are good, but can be frustrating!

can I use OPN Sense with Protectli Vault ?

After watching this video, I'd go with OPNsense. The only thing that is good on PFsense is the ZFS.
Wasn't OPNsense built on hardenedBSD or did they dropped that?

🙌

I don't wanna spam the comments, but I'll leave one last comment here just for completeness. pfSense 2.7 has been released on 2023-06-29 with FreeBSD 14 and ConfigRev 22.9. It is essentially pfSense Plus 23.05.1 (most current release mind you) without the Plus features, or rather the Plus variant is pfSense 2.7 with the Plus features added. Meaning: yes, pfSense (no Plus) will always release on a slower cadence, however, judging by its history, when it will release, it is on par with pfSense Plus base-feature and base-patch wise. If you're not missing any features that pfSense (no Plus) already provides, I see no point in switching to Plus.

I think opensense has a little bit lag connection to the internet
I feel that when I start to call website
Or test internet speed connection

Sadly I can't really use either as it's limited to 1 thread on pppoe

Have you looked at the fork of Opnsense called Dynfi ?

FTPS on OPNsense?

I have tried both, and used pfsense for long time. however, currently, I switched over to VyOS and its been running flawlessly and feels snappier than pfsense tbh. Also, it is based on Debian 11, which has much better hardware compatability than both. also, its fully opensource. I really wish that you give it a shot and make a video on it. Thanks, and your video is awesome btw very comprehensive and fair to both.

Sir if possible I want u to show vpn site to site pfsense +mikrotik I tried many times not yet success. Thanks

I was already heavily leaning towards Opensense just due to the more frequent update cycle. However, after hearing about what PFsense did to their competitors it's a solid lock on Opensense. Then them adding the super buggy module just to get it out there was icing on that decision. That shows multiple poor decisions for profit over morality. I fully expect they'll make more questionable decisions in the future. Given past poor decision making for profit, it wouldn't surprise me to hear over the next few years that "someone" contributed bad code to some of the packages that "their" version has patched out. I'm not aware of them doing that, but it does seem like one of the next logical steps since they got caught on the other stuff.

I wonder if there will be a pfSense or OPNSense based on the Linux Kernel? like how Truenas has both BSD and Debian kernels

It might seem trivial but I don't think it is: OPNsense isn't really born from PFSense, any more than PFSense community edition is, it's a continuation of PFSense caused by a split in the community when they changed the license (similar to LibreOffice/MaraDB/etc...). OPNsense Business Edition is really just a more conservatively updated/tested version of OPNsense, that comes with professional support (a phone number to call). OPNsense however has feature parity between it's editions (the reason for the PFSense split), and is a far better product IMHO.

Opnsense Franco 👍

new users i think are better of starting with PF

try to Execute a Shell Command from OpnSense GUI.

opnsense is better for better licensing - they are basically the same sw - opnsense is way better politically and it is more better for more updates #more

Opensense is what I prefer.

Netgate has some evil in house. Thats enough for me to run OpnSense

From what I understand PFSense are going straight to Free BSD 14

I am looking to move to a personalised router and I must say the open BSD makes me uneasy. I am working on linux for 7 years now and every time I wanted to flashed open BSD on a vm or available pc I ran in to driver problems that prevented me to install it. Why is that relevant ? Because dropping 700-1000€ to a fanless pc with powerful cpu and multiple NICs just to have BSD being BSD does not inspire trust.
2nd pf sense is out. I can’t trust people who act like MW2 lobby trolls.

i was unbiased, had used opnsense before - there is no way in hell im going the route of eternal damnation, im sticking with opnsense lol

In 2024
- OpnSense has been using the latest version of FreeBSD way before PFSENSE.
- In 2023-2024 Pfsense recommended everyone moved over to PFSENSE plus, so they did, they then said you shouldn't (screwed everyone).
- Pfsense is less open-source in 2024 than OpnSense.
- Pfsense in 2024 will absolutely mess up your routers config if you add another NIC to your Proxmox virtualisation server, it absolutely shits itself.
- Opnsense tends to get more newer stuff sooner than pfsense.
- Opnsense developers are more active in the community than pfsense.

Don't be surprised is pf sense stops maintaing comunity edition altogether. Opnsense were clear about difference between paid stuff and free stuff and free version will be updated but not as fast as paid version so we all benefit. You can also get ETpro rulesets for suricata for free but in exchange you have to agree to allow them to collect your data but that's strictly data needed for creating and updating suricata rulesets or you can pay per year so it's up to you. Comunity for opnsense isn't big like one for pfsense but when it comes to how each of them treat users in myopinion opfsense wins because they don't focus mostly on paid version at the expense of free version so i can live with slower updates. Ons sense options are very resonable and very resonably priced and you pay per year,not per month like most subscription services so you have option even to pay business editon for 3yrs in advance.

I don't understand the controversy for the pfSense community updates. Looking at the release table from their docs:
pfSense CE version 2.6: Config rev 22.2
pfSense Plus version 21.x: Config rev 21.7 (latest revision)
pfSense Plus version 22.x: Config rev 22.2 (22.01), config rev 22.7 (22.05)
pfSense CE version 2.7: Config rev 22.7
So basically the Plus version gets the updates faster (in-between full releases), whereas the CE version gets them via full release. I think that's a fully understandable business move. To add to that, the Plus version has the proprietary components which get updates, too. So, because these components are not part of the CE version, there cannot be any updates for them in the first place.

good video all the way up to the competitor website war is war you and I don't know what happened its a fight which you now sided which is what happened between these 2 firewall companies Duche bag move

Higher end Netgate devices have support for VPP, which is a huge leap in performance that Opnsense doesn't have, to my knowledge.

Bruh, you can't mention something like "wireguard" and not even give a brief summary of what it does. But great video overall. Thanks!

Opnsense documetation SUCKS ... it's like the short nonsense recipes from Ubiquity.

OPNSense + ZenArmor ftw! so easy to filter websites.

Nice tutorial video.👍

The dick move alone by pfsense is enough to convince me to go with opnsense, but it overall sounds a bit better anyway, especially the update frequency and openness of the platform. The only notable downside I'm seeing is higher prices for opnsense, but that's a price I'm willing to pay