Why I am Not Using OPNSense
- added 22. 06. 2024
- lawrence.video/pfsense
Forum Post
forums.lawrencesystems.com/t/...
Chapters
00:00 Why I Am Not Using OPNSense
01:50 My Perspectives and Framing
02:40 Security Fixes
03:19 FreeBSD Code Contribution
05:34 VPN Performance
07:12 Building on FreeBSD Main
I love how you tell why you do or don't do things and not try to force your opinions upon others! Keep up the great work.
Thanks
Everyone is free to make their own decision. For me the stuff pfsense did at the start to try to interfere with opnsense left a very sour taste in my mouth. I can't support them again.
Tech can be worse than religion at times.
Come to the church of emacs to avoid the cultists of vi. /s
:q!
well considering Tom is deleting comments that link to articles what pfsense did and point out some issues in his presentation.. yeah..
@EmperorTerran I doubt that's Tom. YouTube never lets through any of my comments when I include links. I think it is an (overly aggressive) anti-spam measure.
@EmperorTerran Do you even know how YouTube's spam filter works? Links are nuked everywhere for no reason....
EDIT: And not only links
pfSense requiring signup to download the ISO just made me switch to OPNSense...
this is just a dumb move...
Same. I actually preferred pfSense. Oh, well. At least it's an easy transition to OPNsense.
I have official hardware and pfSense plus, but tried to download the CE version to use in a virtual environment. It was not easy, tried to sign up, but I got the non-ce version. However the sha256 hash for the iso.gz is in the official documentation, so it's easy enough to find mirrors and verify. This is a lot harder than it should be though.
The old school download links still work from Netgate.
Netgate is a bit too shady for me; the long release cycles for Community do not make it look like they care much for that edition. The past few months it almost looked like they stopped developing Community and want to push everyone to Plus. With all the US shitshow of Cisco and Juniper placing backdoors in their products, it does not really speak well for US security products :(
Man when the hell did they add that stupidness
I'm sure the most recent comments at you are a direct result of Netgate dropping CE downloads from the website, which probably would have gone over fairly well if they didn't double down posting 'CE users are not customers' on Reddit.
they pull crap like that all the fscking time - horrible
It is this sort of stuff where I feel pfSense will eventually not have a CE (free) edition. It has been moving in that direction for some time, which is a real shame. This turns me off pfSense since they may just pull the rug out from under CE. Currently quite happy with the product, less excited about the company.
@bertblankenstein3738 I've consistently said that we're not taking CE away and we're keeping it free. We still work on it.
The ISOs can still be downloaded without registering. This is widely known.
@bertblankenstein3738 You can just build from source, can't you?
@mitchellmnr The downloads currently point to the Netgate Installer, which requires you to set up a WAN connection so it can download the correct version (CE/Plus).
The 'old' install images are still on the server, and their links have been shared around the internet, but there are not plans to continue building those in the future.
Apparently 'customers' can create a support ticket to request an offline Plus installer, but CE users aren't customers so they can't.
Been on OPN for years since retiring the last Soekris box running PF years ago. OPN never let me down and I'm pretty sure PF wouldn't have either. Just recently replaced a Juniper SRX as our data center edge router with an OPN and it has been performing great.
PF has let me down repeatedly. TNSR isn't bad tho.
I think there's real demand for high quality OPNSense videos on YouTube, and when people like the videos you make, they want to see you make high quality videos about the topics they want. I think the issue is that they don't notice that this channel is mostly in-depth videos about the software Tom uses professionally, and occasionally a video about comparable products, but nothing in depth.
One of the best things about VMWare imploding was the influx of videos doing a survey of lots of different solutions. As varied, interesting, and niche IT solutions can be, this is not the channel for lots of videos about lots of different software.
In particular, I'd like an OPNSense version of the buffer bloat video.
That is fair video, I'm an OPNsense user, but reasons why you're using pfSense are reasonable
I feel that Netgate has an adversarial view of their own users, and it will be their downfall. Just look at VMware....
Used pfSense for at least 10 years. Wanted to give OPNSense a go. Still running it 2 years later. For my use case at home...the router OS doesn't matter as long as it's at least pf/OPN based.
The reason I don't use pfSense is because the pfSense team appears to behave like children. Look at the way they initially tested OpnSense. And then the way they handled the licensing recently seems to back that up. Maybe we need a third option, I don't know. I also don't like the pfSense interface. I'd feel a lot better if all the children on pfSense left. Just my $0.02.
Don't forget the drama when Netgate tried to ram in a botched and vulnerable WireGuard implementation into BSD
Jason Donenfeld was absolutely appalled
Same, they are pretty much the same. If you are the sort of customer that needs dual WAN, you are better off with a pain firewall honestly.. I don't see a customer segment for pfsense. I even tested the wireguard throughput heavily on my 2G WAN with a single client, and I didn't see any difference between opnsense and pfsense, but my hardware is old.
I appreciate you making this video Tom. I've watched your other videos with the detailed comparisons, heard about the "controversy" between PFSense and OPNSense and had decided to stick with OPNSense on that alone. But your argument to support the product that benefits the community more is enough reason for me to consider trying PFSense and see where I land after giving them both a fair shot. Thanks again and may I also say, I love your content!
Used pfSense for 10 years, but recently switched to OPNsense. The main impulses were packages (Xen guest tools, Zerotier) and many automation features (like in Wireguard - when you define allowed networks, it automatically creates the routes unlike in pfSense; or HAProxy integration and config). So overall it is the automation and packages that make the difference for me.
I picked OPNsense because it has better driver support for all my devices.
This was due to the newer BSD base version used by OpnSense compared to PfSense. PfSense changed that a while ago, and therefore it is no longer a problem. But there is hardware I would avoid with both :D
Latest Pfsense+ now uses FreeBSD 15.0 which is a few versions ahead of Opnsense so it's not an issue anymore in terms of providing hardware support.
Lawrence I just have to say I appreciate you take the time to create and upload these videos. Even myself as an MSP Network/Systems Engineer (I mostly do commercial hardware like Watchguards, Ciscos etc...) it is very nice to have a reliable unbiased knowledgeable person such as yourself on the OpenSource community. I learned a lot about OpenSource from you and even implemented some at my own home to continue my education on the platforms. Thank you and keep up the good work!
Thanks, Tom! Especially as an OPNsense user, that's exactly what interests me. It's not a religion, it's just facts and here are some facts I didn't know and I'm grateful for that.
I switched from PF to OPN a few months back, mostly on a whim because my homelab FW got corrupted somehow and needed to be rebuilt, so I gave OPN a shot. To me it feels like mostly the same functionality behind a slightly redesigned UI. I like the fact that it has a REST API for common stuff, which I use for monitoring DHCP leases and a few other simple things. In PFsense I had to build my own API backend in order to get data in and out, whereas in OPNsense I just wrote a trivial script to consume the API and feed into my dashboard. People have been asking for REST functionality in PFsense for many, many years, and Netgate's answer was always "soon", but then TNSR happened and any hope of a PFsense API completely evaporated.
Fair point!
If that corruption happens again just run fsck. One of my installations a few days ago got corrupted when simulating a power fault. Fsck fixed it right up. Was able to boot again!
For me it's really simple I use pfsense because there are plentiful video based beginner level tutorials - there are some for OPNsense, but nothing like the same breadth and depth. Bottom line is that whether you're a home user like me or a professional network engineer my guess is that you want to spend as little time as possible fixing broken stuff, which means setting things up correctly in the first place. In my case I want to spend as little time as possible thinking about pfsense altogether!
I chose pfsense for the same reason. Tried OPNsense a few months ago when the PC I was using for pfsense broke, but I'm not in IT; I can follow tutorials online but mostly I don't know what I'm doing. Pfsense has far better online guides.
Just use what you like, the internet seems hell bent on getting you to stay away from products they don't like.
When I was deciding between opnsense and pfsense, I ended up choosing opnsense because of what I had read about really bad behaviour from the people behind pfsense. So no technical reason, just that I would not support such behaviour. Pure and simple.
great video Tom very informative. thanks
Great video Tom, thanks
Thanks for providing a grounded perspective on the topic!
Been using pfsense 2 years now as both edge FW and another internal FW for my homelab... it's been great so far.
Had the chance to help a friend of mine spin up their OPN instance and had no issues with it, felt pretty similar to pfsense..
Personally I think both are great and solid, I'll stick with pfsense for the time being for one of the reasons mentioned in your video! Thx for sharing your experience!
Thank you for the video!
I just want to tell you many thanks for your tutorials ..I learn a lot from your pfsense tutorials. I managed to have a better job like firewall admin and was easy to understand after that also the Sophos firewall. Thank God for people like you exist and know how to explain this. Greetings from Germany
I LOVE how much actual data and info are in each of fairly short videos - no annoying pointless filler. Networking in general has always been a big weakness of mine, even though I've been building and tinkering with computers for almost 50 years. I've learned a LOT going through your videos.
I like the interface of OpnSense, but I like PfSense too.
Yes, Netgate has stuff in the *BSD code.
Yes, opnsense pulls some of it...
But from what I can tell, most of it:
- was not created by Netgate (but is now maintained by them)
- is no longer maintained by Netgate
- was created by someone else and they just assigned a portion of Netgate's money(?) in the credit
- or has not been changed in over 3 years
So saying opnsense relies on pfsense is a bit... oversimplified?
On top of that, it's code inside of *BSD, meaning it's not really "opnsense uses Netgate code" but "opnsense has a *BSD base", so you could say both Netgate & opnsense "depend on every single contributor to *BSD".
That being said, my main reasons for using opnsense are mostly because I like the interface much more, and second because of how Netgate "bullied" opnsense like a toddler when they forked.
Exactly and a comparison of companies paying developers for OSS is stupid imo cuz there will always be someone else to do it if you don't
Not to mention opnsense devs also contribute code to bsd and in some instances have fixed bugs in netgate's contributions. It's a silly argument by Tom.
@jhboricua agreed. Plus, from what I see, Netgate seems to do it only to get patches in sometimes, and if Netgate didn't exist, another company would do it. It's not really an argument.
Another significant advantage OPNsense has, compared to other NIPS open source projects, is that it only blocks the traffic that matches the NIPS signature. Some solutions block the source/destination IP for a while, which can cause a lot of issues in a false positive case.
Thanks for the video
Tom, do you experience with pfSense as 10GbE router for VLAN ? What throughput could one achieve ? I have an UDM SE which gives me ~3Gbps via iperf3 between two VLAN. My OPNsense on xcp-ng is not better (on a i9-12900 with SFP+ DAC). Within the same VLAN I get full 9.7Gbps. Any chance I could get more with pfSense box. And any difference between bare metal vs virtualized (e.g. xcp-ng). Understand I would not get 9.7 Gbps but hope more close to 7 or 8 Gbps.
UDM backplane for routing is topping out at 3-4Gbps. Their new UDM Pro Max is doubling that. Your OPNsense on XCP-ng is probably suffering from a bad network driver if your routing is stuck at 3Gbps.
I'm running pfsense in Proxmox on an MS-01 (Intel X710 10GbE SFP+ NIC), and easily reach full link speed while routing between VLANs. CPU usage rises to around 70% of the 8 assigned cores when running iperf continuously between VLANs.
@jchrnico the MS-01 I have too (sweet little box); might need to try once more with pfSense in xcp-ng or on a live system/bare metal.
Tom, the intro confuses me. Are you saying I do NOT have to use Arch Linux?
One thing I was wondering being new and not getting started with any of these firewalls yet, I saw you guys were talking about pfsense having third party plug-ins for some things, one of them being automatic updates, is that something you trust installing and using for your clients as a professional in the space?
Pfsense and opnsense run on FreeBSD Unix. They are whole images. I use them for virtual routers and switches on Hyper-V and KVM with libvirt to set up labs to mimic work stuff or exams. You can use both on old PCs for home routers, or buy a pfsense gateway or router with it running natively as well.
Appreciate the opinion. But I love OPNSense.
Thanks Tom. Appreciate your comments
Well you got my head all in a pretzel now Tom. I used pfsense for several years, then eventually switched to opnsense recently. Those are some compelling arguments to go back to pfsense. There are certainly things I like about both pieces of software, but I also have some major issues with both as well. I think the one thing I can say for certain is there isn't a wrong choice, and its better than most home users firewalls that never get updates.
As a home user.. OPNsense is goat
I second you. And I'm particularly happy with Zenarmor on it as well.
@starfoxBR77 Same!
Ok.. it is a bit cherry picked. The 100% more speed of wireguard in pfsense is because of the BSD kernel. The same speed will be available in OPNsense when they go with kernel 14.x. And there are some specific improvements for pfSense Plus only, aka that is closed source, so after both are on kernel 14, if you have pfSense Plus you will have some extra speed because of the closed source code. Not defending anyone, I used only pfSense, but let's not sweeten the deal too much...
It's definitely cherry picked, with a good dose of lying. Tom states that the wireguard speed difference is due to poor implementation. Any integrity he had left is now gone.
@crankbrochad71 Indeed that was a dumb thing to say.
Great video Tom
Opnsense has a freaking API. Just that was enough for me. Sure it might not be super extensive but it's better than a wannabe API that pfsense has
What are some good apps that use the API?
How do you use the API?
@UltralifeTech Home Assistant for instance, to monitor your hardware or FW rules...
@UltralifeTech I use curl to modify some policy based routing rules. I have a button on Home Assistant that when pressed will route the traffic of the Chromecast through a specific country. I also use the API to perform queries to search for the IPs of different MAC addresses in my network. Another one that is really useful is a script that modifies an alias to add another host. That alias is used for very specific accesses in my network. Possibilities are endless.
@UltralifeTech The issue is the build set for the pfsense build process is proprietary and not updated frequently. The API means it's buildable.
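The comment above mentions scripting OPNsense alias changes from Home Assistant with curl. As an added example (not from the video, the commenter, or the OPNsense project), here is that alias-update step in Python with the input validation a firewall-facing script should have; the host, API key/secret and alias name are placeholders, and it assumes OPNsense's documented alias_util controller (POST /api/firewall/alias_util/add/<alias>, HTTP Basic auth with key:secret), which edits the live pf table rather than the saved configuration.

```python
"""Add a host to an OPNsense firewall alias over the REST API (added example).

Assumptions: OPNSENSE_URL, API_KEY, API_SECRET and the alias name are
placeholders; the endpoint is OPNsense's alias_util controller, which
changes the running pf table but does not persist the entry to config.xml.
TLS certificate verification is left on, so the firewall's certificate
must be trusted by the system store (or issued by a CA you control).
"""
import base64
import ipaddress
import json
import re
import urllib.request

OPNSENSE_URL = "https://opnsense.example.invalid"   # placeholder host
API_KEY = "PLACEHOLDER_API_KEY"                     # placeholder credential
API_SECRET = "PLACEHOLDER_API_SECRET"               # placeholder credential

ALIAS_NAME_RE = re.compile(r"[A-Za-z0-9_]+")        # no slashes, no path tricks


def validate_host(entry: str) -> str:
    """Accept one IPv4/IPv6 address or a CIDR network; reject anything else.

    The alias gates specific accesses, so a hostname, an empty string, a
    network with host bits set, or a catch-all 0.0.0.0/0 must never reach
    the firewall. ValueError is raised for every rejected input.
    """
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)   # host bits -> ValueError
        if net.prefixlen == 0:
            raise ValueError("refusing to add a catch-all network to an alias")
        return str(net)
    return str(ipaddress.ip_address(entry))


def build_request(alias: str, entry: str, base_url: str = OPNSENSE_URL,
                  key: str = API_KEY, secret: str = API_SECRET) -> urllib.request.Request:
    """Compose the authenticated POST for alias_util/add without sending it."""
    if not ALIAS_NAME_RE.fullmatch(alias):
        raise ValueError(f"invalid alias name: {alias!r}")
    body = json.dumps({"address": validate_host(entry)}).encode()
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/api/firewall/alias_util/add/{alias}",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


def add_host(alias: str, entry: str, opener=urllib.request.urlopen) -> dict:
    """Send the request and return OPNsense's decoded JSON reply.

    `opener` is injectable so the flow can be exercised without a firewall.
    """
    req = build_request(alias, entry)
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Runs against the placeholder host, so expect a connection error
    # until OPNSENSE_URL and the credentials point at a real firewall.
    print(add_host("homeassistant_allowed", "192.0.2.10"))
```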
Thank you
Duuuude that's an awesome shirt. Where'd you get it?
Lawrence.Video/swag
I'm still a little oblivious to some of the politics behind the controversies on both products, but did something happen with pfsense as far as why this video is being made? I didn't think to look into OPNSense, but I saw there were so many pfsense videos and I set up a better router for the network I'm wanting to grow in my house and so far, it's been a learning curve, but I got it down for the most part.
Netgate, the developer of pfSense, very recently put the ISO download of the free Community Edition behind an online store front that you have to sign into in order to get the download now. Not sure if that's part of the reason for this video.
I use pfsense too on a couple of VMs, one with Ipsec VPN. There was a learning curve to optimise things (especially TCP fragmentation and offloading), but once that's done, it's working like a charm. Actually, I forgot it's there and this video's reminded me.
When I wanted to start using pfsense, the Realtek chip of my NIC was quite new and a FreeBSD driver was available. However, it was not integrated into pfsense. OPNsense on the other hand did already support it. I was and still am very grateful for that.
It's good to see reasoned arguments and also agreeing to disagree as it should be.
I gave OPN a go for a good few months shortly after the pfSense+ shenanigans.. I found it to be "okay". I found the GUI easy enough to get used to as most things are the same, just a little different way around... But... Having 1Gbit PPPoE fibre I was struggling to get over 650mbps up or down with OPN, I exhausted every possible option in the "tunables" section.. CPU was pegging at 75/85% a lot of the time and temps were way outside of my comfort zone.
Moved back to pfSense CE last month and everything "just works", full speed up and down, no tunables needed.. CPU now down to 5% idle with temps in the 40C area.. No faffing about.. pfSense gets the job done.
Thank you for the content
Excellent Tom, yes I like both, if you manage pfsense you manage opnsense. I love the GUI of OpnSense, but if someone let me choose, I go with pfsense, why? I have more experience with it, simple. But if someone requests opnsense, no problem, let's do it. At the end, the customer has the last decision.
Just one question:
What version of each are you comparing? You do not say if you compare the free version of both or a different combination. It would not be fair to compare the free version of OPNsense with the paid version of pfSense. The experience so far is that pfSense CE is VERY slow with updates. How does this compare to the free version of OPNsense?
I am currently using pfSense, but looking hard at OPNsense. I do respect your recommendations a lot, but I just want to make sure I know what you are comparing.
pfSense CE has faster security updates as I noted in the video. OPNsense does have more updates....
@LAWRENCESYSTEMS Sorry to bother you again about this. But there is something I do not understand.
Commits in GitHub do not mean much unless they result in a new version being pushed out.
It looks to me that as of today, the latest version of pfSense CE is dated Dec 7, 2023. And the latest OPNsense version is dated May 29, 2024.
To me, this looks like OPNsense can be a few months slower to commit than pfSense and still be faster as the releases are more frequent. Is my logic sound? Unless you compile pfSense yourself. But I guess the majority just click update in the web interface when something new is available.
Updates for the sake of updates don't make much sense to me
@LAWRENCESYSTEMS Agreed. So you say that what is in the changelog of OPNsense is just for show and not real?
excellent
Tom any credence about pfsense switching to Linux kernel? Truenas leaving bsd and I suspect others to follow...this despite what the companies project
I doubt it will happen
Won't happen. The BSD TCP/IP stack is used for Hotmail, Netflix, and even early Cisco for a reason
@timothygibney159 Sure, however isn't the Linux TCP stack used to power large sites as well?
I 100% agree with your opening statement. I see it a lot with other things as well, Intel and AMD is a good example.
Still undecided between pfSense CE and OPNsense for home use (home lab). Probably going to go with OPNsense due to the update frequency. Netgate forgot about pf CE, they're all about that flashy bling-bling now :(
I'm in the same boat with a slight difference, I'm already using CE.
It's been ages since the last update (I think it was last year), I'm pretty sure I'm falling behind.
Every now and again I think about getting an appliance from them, but within my budget there's nothing rack mounted (obviously), and then I look at my current router and think what would I do with it....
I'll stick around with ce until the end of the year, if 2.8 isn't released by then, I'll change to opnsense.
The last pfsense CE 2.7 update was released Dec of 2023 and 2.8.0 will be out soon.
@TheBaldOne I feel your pain. To me it seems like Netgate is pulling a "VMware", they'll probably end up killing pfSense CE to "streamline and simplify their portfolio".
This blind haste for cash disgusts me to the core. Won't touch VMware, and at this rate won't touch Netgate either. Which is funny because it might seem unimportant due to me using it "just at home", but the sentiment will carry on in my professional career.
@LAWRENCESYSTEMS Tom, if you tell them this then it makes their claim of "no updates" seem like a deliberate lie.
That might make them angry.
@jimthompson971 the only problem with your statement is that I'd gladly use pfsense, if the updates would be, say, once per quarter.
pfsense CE seems closer to a bottom priority for Netgate than a top one. I've been around long enough to see this shift in a company's attitude towards open source, for me to embark on a journey with a platform that *may* be soon dying.
(not saying it *is* dying, but the track record doesn't show me much hope)
Are the enchantments effective? Do they work better than runes, crystals, or blood sacrifice?
I started immediately looking for this comment specifically. Thank you.
@charlesholliday9112 me too! haha
As bad as that Netgate situation was, I will say TAC is great and their enterprise support is very good.
Both are good and to be honest I hope both do very well so people have options. Including myself
There's nothing pfsense could do at this point to make me want to use it. Why don't you report on their behavior, or list both sides of the aisle? This video wouldn't be necessary if there weren't issues, but here we are. Even if opnsense went away I would find something else besides pfsense. Already burned that bridge.
Loving my virtualized OPNsense in Proxmox. Think I bloated it too much with Zenarmor and plugins. Computer runs a lot hotter and fan spins up a lot more than normal (after installing Zenarmor). Learning a lot from it though, breaking things and then fixing them. Great start to a sweet homelab setup. Getting more serious and involved in networking.
Just migrated my home network off of a Firewalla box to my DIY router VM. PFsense was never considered and I'm very happy with OPNsense thus far.
I considered going to Firewalla from Opnsense. You don't recommend?
idk for most stuff this opnsense vs pfsense is like fedora vs rocky. For the majority of cases they are the same, for some cases one is slightly better, but it doesn't make any of them better overall.
I used both, both are basically the same for an average user. PPPoE was a bit worse on pfsense (still way better than on MikroTik), now I'm on opnsense mainly because the GUI is more intuitive for me.
Why is it not possible to define static leases WITHIN a DHCP range in OPNsense? Like, I don't understand, even the Windows DHCP Server does this and so do literally ALL other dhcpservices I know of.
I use both :>
pfsense now has a package for patches in package manager..been like at least 6 months now
I haven't updated my ClarkOS from 2008, is that bad?
Very likely
Very helpful. Thanks for the info.
The reason pfsense wireguard is faster was that it was on FreeBSD 14; opnsense just moved to FreeBSD 14, so we need to rerun the benchmarks.
Ahem... pfsense is now on FreeBSD 15.
@Darkk6969 There is no FreeBSD 15. The latest release is 14.1
@Darkk6969 Which has not been released yet. Which begs the question why Netgate is using a bleeding edge codebase that is in constant development on a firewall device.
I am totally new to all of this, I was trying to setup a HomeLab on Hyper-V and could not get the ISO installer to work, all of the guides I see online dont go over this new ISO installer.
I gave up on the whole vpn thing and switched to splash top,makes it easier to remote into my home servers and network vs the vpn confusion on opnsense
Very valid points for enterprise environments. Appreciate your insights.
Pfsense has demonstrated horrific behaviour in regards to opnsense, spreading misinformation, hijacking domains and subreddits etc.
There was a big controversy with the wire guard code too.
That being said, your reasons seem sound, so if you're comfortable with them. Fair
Zero Trust Networking. Let's assume I took the time to create a 99.99% zero trust custom compile of FreeBSD by doing an offline compile of that distro entirely from source code (no pre-compiled binaries), then compiled a compiler and libraries (also from source code only), then recompiled the distro using that compiler in order to verify that every element of the original distro was 'clean' and traceable to only source code without any precompiled binaries.
In that zero trust environment, can either OPNSense or pfSense CE be compiled entirely offline and only from source code without any pre-compiled binaries?
I learned something valuable about 20 years ago with my experiences on a local blog I frequented.. It's not about facts or well reasoned opinions. It's all about how much crap you can stir up (they call it engagement). This means more ad revenue. Yeah, pretty much made me cynical. I think the Internet pretty much killed reasoned thought. But then again, I could be wrong. Look where I'm posting this.
Another possible form of click bait. But i admit it is hard to tell.
Yep, different situations, different requirements, and different pros and cons.
I got a tiny router/PC type thing and put OPNsense in it just to experiment a bit, I have nowhere near the requirements (or knowledge) most people here have, so much so that I'm now just considering a regular Wi-fi router running a custom version of OpenWRT to do the same job. Probably in a way that I'll just understand what is happening better.
It's like, right after I got this whole project going, I got myself a portable access point, started using it, and realized how much you can already do with OpenWRT alone.
So I'm kinda scaling back, and then I'll use the tiny PC for something else. Different needs.
Love this. I have wondered this for a long time. Contributing development of FreeBSD is a great reason to support the paid version. Only thing missing is a centrally managed point...maybe host your own relay server option one day.
For sure upstreaming to BSD is better for all parties than maintaining patches version to version.
Use what you like! Thats what i say !
Sadly there was a DNS bug that hasn't been fixed in years and I had to rebuild pfsense every 6-ish months. I kinda gave up on pfsense, as much as I like parts of it over opnsense.
We maintain many instances; I have no idea what bug you're talking about
@LAWRENCESYSTEMS with pfblocker there is a weird bug that causes DNS to drop. The dev of pfblocker talked about it years ago and how it's an issue in pfsense itself or something. You can't use Service Watchdog because pfblocker has a special script to handle DNS reloads. If Service Watchdog tried to start DNS in the middle of an update it would be bad, but apparently pfblocker has internal handling, so I traced the code and pulled the function that should be safe. It worked for years pretty well as a small custom script addon with cron.
VI, Like there's anything else :-)
:q!
I was using PFSense right around the time of Netgate holding the OPNSense domain. Wireguard fiasco. Very immature. Regardless of their support for the OS, they don't deserve my support. After the flare-up I switched. Will never switch back.
In recent months I have evaluated the transition from pfSense to OpnSense and I have been able to observe how Netgate is more punctual and precise in its documentation. The hardware part is also better documented (the CPUs are indicated, for example, while OpnSense does not say which CPUs it installs on its devices). Furthermore, pfSense is more explicit in indicating whether certain functions are or are not supported: for example Intel QAT Crypto. I also found that OpnSense is slower in implementing features than pfSense (for example in QAT support). For this reason I calmly decided to stay with pfSense, even if I had to agree to pay for the pfSense+ version. It's not a great price to have maximum speeds with QAT and IPSec and to have better and more reassuring management of ZFS boot.
Hypothetically, as a thought experiment, if pfSense ceased to exist, would you then choose OPNSense or something else?
Hmm... hard to say.
it would be something else because then the fork would not have happened.
@jaypines let's say Netgate went bankrupt and shut down, would the community keep developing it as another fork or would contributors move on to OPNSense? I've personally used OpenWrt, Tomato, EdgeOS and UniFi, I still haven't learned pfSense and OPNSense but I am curious what the future will bring, since the future of FreeBSD is uncertain.
Saying 'hard to say' led me to think there is more to the history of opnsense that is not addressed in this video?
@fedefede843 I feel it too, which is one of the reasons I was probing (other than being genuinely curious about alternatives).
But one thing I think we can all agree on is that OPNsense exists for a good reason.
I believe there will still be plenty of people in the coming years who will "bash" other people over different text editors, pfsense/opnsense, Linux distributions etc etc etc.
For some reason some people think that if they use software X and other people use software Y, users of software X feel somewhat the need to go and leave comments on other people's videos or posts.
Not sure why this is happening but it is a different topic
Running macOS as daily driver, I laugh when people argue about distros.
Thanks for taking the time to make this video Tom
The reason I left PFSense for OPNSense was uniquely because of how PFSense treats people. You'd ask a question and get shut down hard,
I even tried to get them a contract at my job which is a very large organization, and PFsense shot themselves in the foot just by being arrogant assholes.
OPNSense community is much more welcoming, encouraging, and supporting. And after you dig into the software I felt it fit what I needed for my network, more than PFsense.
I'm no zealot for OPNSense, but I do hate Unifi and people claiming Unifi has anything even close to resembling a firewall is the biggest joke of the internet. :P
Since you first pointed out the security fixes I went from OPNSense to PFSense. And I'm content with it.
Tried opnsense a few years back but dhcp6 over pppoe does not work even after the settings were already in place. However with pfsense it works flawlessly with the same settings.
Almost forgot.. I use arch btw
Free vs OpenBSD.
BSD vs Linux.
Mac vs Windows.
Android vs iOS.
iptables vs netfilter
Cisco vs Juniper
Cisco vs PaloAlto
AMD vs Intel
AMD vs NVidia
Democrats vs Republicans
Azure vs AWS
Blondes vs Brunettes
Ferrari vs McLaren
Ford vs Chevrolet
Dogs vs Cats
And the list goes on and on and on. Glad we are living in a free society where people can make their own choices. Yet I remember our long gone past when people respected others opinion.
I'm fortunate that in my home lab I have enough resources to play with both opnsense and pfsense ce in my environment. I use pfsense as my primary firewall router though because there are a number of features that work better than what opnsense offers at this time. While I do like the opnsense UI and interface systems better, PFSense has been a workhorse and keeps on doing things *better* for my use case. That can change if the features come over - which is why I keep an eye on opnsense. I've got no desire to stick with something just *because*. But I do have to see that I'm getting more with one than the other and all my decisions are based around that.
The GUI is what does it for me. I have tried, but that pfsense interface just doesn't work for me at all.
EDIT: Tom has good reasons but doesn't acknowledge opposing ones. :EDIT
Okay...but that completely ignores the 'problem'. And ignoring it is de facto support.
It doesn't really matter if Joe's Used Car Lot has the highest quality cars at the lowest price. They engage in slimy business practices that are not only bad for everyone involved, they are also bad for completely uninvolved people because the practice becomes normalized.
I enjoy Chick-fil-a food, and unlike almost every other fast food chain I can even eat almost everything on their menu, but their company loudly and proudly supports some VERY bad/abusive stuff. So I don't give them my money.
I don't use OPNSense because it's BETTER than PfSense. I use it because PfSense isn't a valid option for me, because they keep doing things that I refuse to support.
Is it more work to do things like this? Yeah OF COURSE it is!
That's why these companies/organizations are able to get away with doing bad shit. People will excuse them because they provide convenience.
If you know someone is doing something shady, you are no longer a neutral party. Period.
Continuing the status quo IS participation. It IS contributing to the problem.
I 100% agree with you. I've been running pfsense for 5/6 years now at my home and I'm this close of shutting it all down and move to opnsense.
I still have a bad taste in my mouth regarding the licensing issues, I can't really pay 140 dollars A YEAR to get the plus license. I do not need the support, I just want the updates.
Heck, this is coming from a guy that bought the Lifetime plex license.
I even considered buying a router from them, but not only is all my hardware rack mounted and they don't really sell a rack mounted prosumer appliance, but also for the money they're asking I can build something much more powerful.
I'll stick around until the end of the year IF a new update to the free version comes around, but probably I'm going to switch over sooner rather than later.
@@TheBaldOne Really? $140/yr is nothing...
My biggest issue is speed via PFsense and routing using an L3 switch, i.e. can't do DHCP on another subnet. I want my internal stuff to be on my L3 switch, but it doesn't do authoritative DHCP, so some devices will not connect, and again PFSense can't do DHCP for a network it isn't managing. Odd. This has been brought to PFSense's attention over a decade ago, and they still have not implemented standard features for DHCP. At home I have 100Gbps backbone and I want to utilize that. So off to TNSR or VyOS it is and both are much more expensive.
Engaging with a bad actor is tacit approval of their bad acting, agreed. Have to make a principled stand but I give Tom a break here because it's not that serious and he's got a duty to his clients.
@@justinooms6419 for me it is, it's not just 140 a year, it's 140 EVERY year, it's too much. I really want to support but I can't afford that every year.
Slash that to 50% off or more and I'll consider paying for it just for the updates.
I'm not making money with pfsense, I'm using it as my normal home router for stuff like split tunneling and firewall.
I get that if I was making money creating my own appliances and slapping pfsense onto them, 140 dollars is an adequate price to pay.
@@justinooms6419 $140 is nothing for a business. It can be a lot for a home user that just needs something better than the crappy router their ISP gives them.
The lack of wifi drivers had put me off from Opnsense or pfsense
Enhancements are even better
Arch is old news. It's all about the NixOS now.
Both have advantages and disadvantages so it's use what works best for you. Opnsense tends to have better driver support for new hardware and pfsense has better code support. I think what hurts pfsense more than anything else is some of their behavior and the forums where it can turn sour quickly with egos running the show at times. In many ways pfsense is its own worst enemy, not opnsense, and its own actions have hurt them more than anything else.
Since pfsense has moved to FreeBSD Main they are ahead of OPNSense and now have the better driver support.
@@LAWRENCESYSTEMS They were behind for two years, which caused many people (like LTT on YouTube) to switch to OPNsense to gain access to 25Gb network drivers (as an example). Whether Netgate maintains using the latest FreeBSD releases needs time, trust is earned and they've lost a lot of it over the years with their various shenanigans.
@@LAWRENCESYSTEMS What does "main" in this context mean? Is it a rolling release, which matures into numbered releases, e.g. 13.2, 14.1 etc., like Sid in Debian?
@@LAWRENCESYSTEMS On the surface that would seem so since it's on the newer codebase.
In truth it's not quite that simple since pfsense updates far slower, meaning things added to the codebase can take a long time to get added to pfsense.
This still gives opnsense an edge when it comes to drivers for new hardware.
It's unlikely pfsense is going to change its update cycle.
There's also the fact that opnsense shall be on 14.1 next month which will put pfsense slower in the driver area again.
In the end its pick what works both are good.
@@magnus33john That is not true either as OPNSense is not adding new drivers with their updates and since pfsense is based on FreeBSD and they are the ones writing the drivers they will have them first and OPNSense has to wait on back porting of features and drivers. See the last two links in my forum post for more details.
If you don't use VIM, your soul will burn for all eternity. This is a fact, don't be mad at me for telling the truth. /s Figured this video would need a non-pfsense/opensense joke to relieve tensions.
Umm... This is the internet... we're all sheep here, we NEED to be told what to do! We don't want to "make our own decisions"!
Tom, could you do a video on how to make PFSense more like a NGFW? Something like Zen Armor on OPNSense.
Zen Armor is far from making OPNsense like a NGFW. It makes you feel like it is, but it isn't. NGFWs all have tightly knit code between the firewall's own code and all the rest (security features) that are linked and make your firewall a real security device. It's now just a package that you install on top that offers some general protection.
@@Traumatree I get your point, but still better than nothing.
@@Traumatree They also support pfsense as well. Same idea anyway.
0:47 Did I tell anyone that I use Arch BTW??????
Wait, I have an ad for a product you sold on the bottom left of my screen. Is that new? (doesn't bother me if it's not a random ad btw)
Otherwise i don't have anything else to say about this video other than shit lol
Meanwhile, I run my firewalls using... just FreeBSD :D
I don't use arch btw. I transcended to gentoo and my beard is longer now.
Something I never understood Tom is why so many YouTube content creators spend so much time defending what they use and making videos like this with a whole bunch of time wasted on the "WHY"... If the keyboard warriors don't like what you are doing they can do what they like and have their own YouTube channels talking about it. The rest of us I'm sure have had quite enough of YouTube creators wasting so much time being defensive because of "Comment XYZ". Just stop, and I'd encourage everyone else with a channel to do the same. Stop feeding the trolls and there won't be any because they feel you aren't listening to them bitch about things and giving them a stage to do it!