Why I am Not Using OPNSense

I love how you tell why you do or don't do things and not try to force your opinions upon others! Keep up the great work.

Everyone is free to make their own decision. For me the stuff pfsense did at the start to try to interfere with opnsense left a very sour taste in my mouth. I can't support them again.

Tech can be worse than religion at times.

pfSense requiring signup to download the ISO just made me switch to OPNSense...
this is just a dumb move...

I'm sure the most recent comments at you are a direct result of Netgate dropping CE downloads from the website, which probably would have gone over fairly well if they didn't double down posting 'CE users are not customers' on Reddit.

Been on OPN for years since retirering the last Soekris box running PF years ago. OPN never let me down and I'm pretty sure PF wouldn't have either. Just recently replaced a Juniper SRX as our data center edge router with an OPN and it has been performing great.

I think there's real demand for high quality OPNSense videos on CZcams, and when people like the videos you make, they want to see you make high quality videos about the topics they want. I think the issue is that they don't notice that this channel is mostly in depth videos about the software Tom uses professionally, and occasionally a video about comparable products, but nothing in depth.
One of the best things about VMWare imploding was the influx of videos doing a survey of lots of different solutions. As varied, interesting, and niche IT solutions can be, this is not the channel for lots of videos about lots of different software.

That is fair video, I'm an OPNsense user, but reasons why you're using pfSense are reasonable

I feel that Netgate has an adversarial view of their own users, and it will be their downfall. Just look at VMware....

Used pfSense for at least 10 years. Wanted to give OPNSense a go. Still running it 2 years later. For my use case at home...the router OS doesn't matter as long as it's at least pf/OPN based.

The reason I don't use pfSense is because the pfSense team appears to behave like children. Look at the way they initially tested OpnSense. And then the way they handled the licensing recently seems to back that up. Maybe we need a third option, I don't know. I also don't like the pfSense interface. I'd feel a lot better if all the children on pfSense left. Just my $0.02.

I appreciate you making this video Tom. I’ve watched your other videos with the detailed comparisons, heard about the “controversy” between PFSense and OPNSense and had decided to stick with OPNSense on that alone. But your argument to support the product that benefits the community more is enough reason for me to consider trying PFSense and see where I land after giving them both a fair shot. Thanks again and may I also say, I love your content!

Used pfSense for 10 years, but recently switched to OPNsense. The main impulses were packages (Xen guest tools, Zerotier) and many automation features (like in Wireguard - when you define allowed networks, it automatically creates the routes unlike in pfSense; or HAProxy integration and config). So overall it is the automation and packages that make the difference for me.

I picked OPNsense because it has better driver support for all my devices.

Lawrence I just have to say I appreciate you take the time to create and upload these videos. Even myself as an MSP Network/Systems Engineer (I mostly do commercial hardware like Watchguards, Ciscos etc...) it is very nice to have a reliable unbiased knowledgeable person such as yourself on the OpenSource community. I learned a lot about OpenSource from you and even implemented some at my own home to continue my education on the platforms. Thank you and keep up the good work!

Thanks, Tom! Especially as an OPNsense user, that's exactly what interests me. It's not a religion, it's just facts and here are some facts I didn't know and I'm grateful for that.

I switched from PF to OPN a few months back, mostly on a whim because my homelab FW got corrupted somehow and needed to be rebuilt, so I gave OPN a shot. To me it feels like mostly the same functionality behind a slightly redesigned UI. I like the fact that it has a REST API for common stuff, which I use for monitoring DHCP leases and a few other simple things. In PFsense I had to build my own API backend in order to get data in and out, whereas in OPNsense I just wrote a trivial script to consume the API and feed into my dashboard. People have been asking for REST functionality in PFsense for many, many years, and Netgate's answer was always "soon", but then TNSR happened and any hope of a PFsense API completely evaporated.

For me it's really simple I use pfsense because there are plentiful video based beginner level tutorials - there are some for OPNsense, but nothing like the same breadth and depth. Bottom line is that whether you're a home user like me or a professional network engineer my guess is that you want to spend as little time as possible fixing broken stuff, which means setting things up correctly in the first place. In my case I want to spend as little time as possible thinking about pfsense altogether!

When I was deciding between opnsense and pfsense, I ended up choosing opnsense because of what I had read about really bad behaviour from the people behind pfsense. So no technical reason, just that I would not support such behaviour. Pure and simple.

great video Tom very informative. thanks

Great video Tom, thanks

Thanks for providing a grounded perspective on the topic!

been using pfsense 2 years now as both edge fw and another internal fw for my homelab... its been great so far.
had to chance to help a friend of mine spinning up their opn instance and had no issues with it, felt pretty similar to pfsense..
personally i think both are great and solid, ill stick with pfsense for the time being for one of the reasons mentioned in your video! thx for sharing your experience!

Thank you for the video!

I just want to tell you many thanks for your tutorials ..I learn a lot from your pfsense tutorials. I managed to have a better job like firewall admin and was easy to understand after that also the Sophos firewall. Thank God for people like you exist and know how to explain this. Greetings from Germany

I LOVE how much actual data and info are in each of fairly short videos - no annoying pointless filler. Networking in general has always been a big weakness of mine, even though I've been building and tinkering with computers for almost 50 years. I've learned a LOT going through your videos.

I like interface of OpnSense, but i like PfSense too

yes, netgate has stuff in the *bsd code.
yes, opnsense pulls some of it...
but from what i can tell, most of it:
- was not created by netgate (but now maintained)
- is no longer maintained by netgate
- was created by someone else and they just assigned a portion of netgates money(?) in the credit
- or has not been changed in over 3 years
so saying opnsense relies on pfsense is a bit... oversimplified ?
on top of that, it's code inside of *bsd, meaning it's not really "opnsense uses netgate code" but "opnsense has a *bsd base", so you could say both netgate & opnsense "depend on every single contributor to *bsd"
that being said, my main reason for using opnsense are mostly because i like the interface much more and second because of how netgate "bullied" opnsense like a toddler when they forked.

Another significant advantage OPNsense has, compared to other NIPS open source projects, is that it only blocks the traffic that matches the NIPS signature. Some solutions block the source/destination IP for a while, which can cause a lot of issues in a false positive case.

Thanks for the video

Tom, do you experience with pfSense as 10GbE router for VLAN ? What throughput could one achieve ? I have an UDM SE which gives me ~3Gbps via iperf3 between two VLAN. My OPNsense on xcp-ng is not better (on a i9-12900 with SFP+ DAC). Within the same VLAN I get full 9.7Gbps. Any chance I could get more with pfSense box. And any difference between bare metal vs virtualized (e.g. xcp-ng). Understand I would not get 9.7 Gbps but hope more close to 7 or 8 Gbps.

Tom, the intro confuses me. Are you saying I do NOT have to use Arch Linux?
One thing I was wondering being new and not getting started with any of these firewalls yet, I saw you guys were talking about pfsense having third party plug-ins for some things, one of them being automatic updates, is that something you trust installing and using for your clients as a professional in the space?

Appreciate the opinion. But I love OPNSense.

Thanks Tom. Appreciate your comments

Well you got my head all in a pretzel now Tom. I used pfsense for several years, then eventually switched to opnsense recently. Those are some compelling arguments to go back to pfsense. There are certainly things I like about both pieces of software, but I also have some major issues with both as well. I think the one thing I can say for certain is there isn't a wrong choice, and its better than most home users firewalls that never get updates.

As a home user.. OPNsense is goat

Ok.. it is a bit cherry picked. The 100% more speed of wireguard in pfsense is because of BSD kernel. The same speed will be available in openSense when they go with kernel 14.x. And there are some specific improvements for pfSense Plus only, aka that is closed source, so after both are on kernel 14, if you have the pfSense plus you will have some extra speed because of the closed source code. Not defending anyone I used only pfSense but let's not sweeten the deal to much...

Great video Tom

Opnsense has a freaking API. Just that was enough for me. Sure it might not be super extensive but it's better than a wannabe API that pfsense has

Thank you

Duuuude that’s an awesome shirt. Where’d you get it ?

I’m still a little oblivious to some of the “political behind the controversies on both products, but did something happen with pfsense as far as why this video is being made? I didn’t think to look into OPNSense, but I saw there was so many pfsense videos and I set up a better router for the network I’m wanting to grow in my house and so far, it’s been a learning curve, but I got it down for the most part.

I use pfsense too on a couple of VMs, one with Ipsec VPN. There was a learning curve to optimise things (especially TCP fragmentation and offloading), but once that's done, it's working like a charm. Actually, I forgot it's there and this video's reminded me.

When I wanted to start using pfsense, the realtek chip of my nic was quite new and a FreeBSD driver was available. However, it was not integrated into pfsense. Op sense on the other hand did already support it. I was and still am very grateful for that

It's good to see reasoned arguments and also agreeing to disagree as it should be.

I gave OPN a go for a good few months shortly after the pfSense+ shenanigans.. i found it to be "okay". I found the GUI easy enough to get used to as most things are the same just a little different way around... But... Having 1Gbit PPPoE fibre i was strugglung to get over 650mbps up or down with OPN, I exhuasted every possible option in the "tunables" section.. CPU was pegging at 75/85% a lot of the time and temps were way outside of my comfort zone.
Moved back to pfSense CE last month and everything "just works" full speed up and down no tunables needed.. CPU now down to 5% idle with temps in the 40c area.. No faffing about.. pfSense gets the job done.
Thank you for the content

Excelente Tom, yes I like both, if you manage pfsense you manage opnsene. I love the GUI of OpnSense, but if someone let me chose, i go with pfsense, why? I have more experience with, simple. But if some request opnsense no problem, lets doit. At the end, the customer has the Last decisión.

Just one question:
What version of each are you comparing? You do not say if you compare the free version of both or a different combination. It would not be fair to compare the free version of OpenSense with the paid version of pfSense. The experience so far is that pfSense CE is VERY slow with updates. How does this compare to the free version of OpenSense?
I am currently using pfSense, but looking hard at OpenSense. I do respect your recommendations a lot, but I just want to make sure I know what you are comparing.

excellent

Tom any credence about pfsense switching to Linux kernel? Truenas leaving bsd and I suspect others to follow...this despite what the companies project

I 100% agree with your opening statement. I see it a lot with other things as well, Intel and AMD is a good example.

Still undecided between pfSense CE and OPNsense for home use (home lab). Probably going to go with OPNsense due to the update frequency. Netgate forgot about pf CE, they're all about that flashy bling-bling now :(

Are the enchantments effective? Do they work better than runes, crystals, or blood sacrifice?

As bad as that Netgate situation was, I will say TAC is great and their enterprise support is very good.
Both are good and to be honest I hope both do very well so people have options. Including myself

There's nothing pfsense could do at this point to make me want to use it. Why don't you report on their behavior, or list both sides of the isle? This video wouldn't be necessary if there weren't issues, but here we are. Even if opnsense went away I would find something else besides pfsnese. Already burned that bridge.,

Loving my virtualized OPNsense in Proxmox. Think I bloated it too much with Zenarmor and plugins. Computer runs a lot hotter and fan spins up a lot more than normal (after installing Zenarmor). Learning a lot from it though, breaking things and then fixing them. Great start to a sweet homelab setup. Getting more serious and involved in networking.

Just migrated my home network off of a Firewalla box to my DIY router VM. PFsense was never considered and I’m very happy with OPNsense thus far.

idk for most stuff this opnsense vs pfsense is like fedora vs rocky. For the majority of cases they are the same, for some cases one is slightly better, but it doesn't make any of them better overall.
i used both, both are basically the same for an average user. PPPoE was a bit worse on pfsense ( still way better than on microtik), now im on opnsense mainly because gui is more intuitive for me.

Why is it not possible to define static leases WITHIN a DHCP range in OPNsense? Like, I don't understand, even the Windows DHCP Server does this and so do literally ALL other dhcpservices I know of.

I use both :>

pfsense now has a package for patches in package manager..been like at least 6 months now

I haven't updated my ClarkOS from 2008, is that bad?

Very helpful. Thanks for the info.

the reason pfsense wiregaurd is faster was it was on freebsd 14 opnsense just moved to freebsd 14 we need to rerun the benchmarks

I am totally new to all of this, I was trying to setup a HomeLab on Hyper-V and could not get the ISO installer to work, all of the guides I see online dont go over this new ISO installer.

I gave up on the whole vpn thing and switched to splash top,makes it easier to remote into my home servers and network vs the vpn confusion on opnsense

Very valid points for enterprise environements. Appreciate your insights.

Pfsense has demonstrated horrific behaviour in regards to opnsense, spreading misinformation, hijacking domains and subreddits etc.
There was a big controversy with the wire guard code too.
That being said, your reasons seem sound, so if you're comfortable with them. Fair

Zero Trust Networking. Let's assume I took the time to create a 99.99% zero trust custom compile of FreeBSD by doing an offline compile of that distro entirely from source code (no pre-compiled binaries), then compiled a compiler and libraries (also from source code only), then recompiled the distro using that compiler in order to verify that every element of the original distro was 'clean' and traceable to only source code without any precompiled binaries.
In that zero trust environment, can either OPNSense or pfSense CE be compiled entirely offline and only from source code without any pre-compiled binaries?

I learned something valuable about 20 years ago with my experiences on a local blog I frequented.. It's not about facts or well reasoned opinions. It's all about how much crap you can stir up (they call it engagement). This means more ad revenue. Yeah, pretty much made me cynicle. I think the Internet pretty much killed reasoned thought. But then again, i could be wrong. Look where I'm posting this.
Another possible form of click bait. But i admit it is hard to tell.

Yep, different situations, different requirements, and different pros and cons.
I got a tiny router/PC type thing and put OPNsense in it just to experiment a bit, I have nowhere near the requirements (or knowledge) most people here have, so much so that I'm now just considering a regular Wi-fi router running a custom version of OpenWRT to do the same job. Probably in a way that I'll just understand what is happening better.
It's like, right after I got this whole project going, I got myself a portable access point, started using it, and realized how much you can already do with OpenWRT alone.
So I'm kinda scaling back, and then I'll use the tiny PC for something else. Different needs.

Love this. I have wondered this for a long time. Contributing development of FreeBSD is a great reason to support the paid version. Only thing missing is a centrally managed point...maybe host your own relay server option one day.

For sure upstreaming to BSD is better for all parties than maintaining patches version to version.

Use what you like! Thats what i say !

Sadly there was a dns bug that hasn't been fixed in years and i had to rebuild pfsense every 6-ish months. I kinda gave up on pfsense as much as i like parts of it over opnsense.

VI, Like there's anything else :-)

I was using PFSense right around the time of Netgate holding OPNSense domain. Wireguard fiasco. Very immature. Regardless of there support for the OS, they don't deserve my support. After the flair up I switched. Will never switch back.

In recent months I have evaluated the transition from pfSense to OpnSense and I have been able to observe how Netgate is more punctual and precise in its documentation. The hardware part is also better documented (the CPUs are indicated, for example, while OpnSense does not say which CPUs it installs on its devices). Furthermore, pfSense is more explicit in indicating whether certain functions are or are not supported: for example Intel QAT Crypto. I also found that OpnSense is slower in implementing features than pfSense (for example in QAT support). For this reason I calmly decided to stay with pfSense, even if I had to agree to pay for the pfSense+ version. It's not a great price to have maximum speeds with QAT and IPSec and to have better and more reassuring management of ZFS boot.

Hypothetically, as a thought experiment, if pfSense ceased to exist, would you then choose OPNSense or something else?

I believe there will still be plenty of people in the coming years who will "bash" other peoples over different text editors, pfsense/opensense, Linux distribution etc etc etc.
For some reason some people think that if they use software X and other people use software Y - users of software X feel somewhat the need to go and to leave comments in other peoples videos or posts.
Not sure why this is happening but it is a different topic

Running MacOS as daily driver I laugh when people argue about distros. 🤣

Thanks for taking the time to make this video Tom

The reason I left PFSense for OPNSense was uniquely because of how PFSense treats people. You'd ask a question and get shut down hard,
I even tried to get them a contract at my job which is a very large organization, and PFsense shot themselves in the foot just by being arrogant assholes.
OPNSense community is much more welcoming, encouraging, and supporting. and after you dig into the software I felt it fit what I needed for my network, more than PFsense.
Im no zealot for OPNSense, but I do hate Unifi and people claiming Unifi has anything even close to resembling a firewall is the biggest joke of the internet. :P

Since you first pointed out the security fixes I went from OPNSense to PFSense. And I’m content with it.

tried opnsense a few years back but the dhcp6 over pppoe does not work even after settings was already in place. However with pfsense it works flawlessly with the same settings.

Almost forgot.. I use arch btw

Free vs OpenBSD.
BSD vs Linux.
Mac vs Windows.
Android vs iOS.
iptables vs netfilter
Cisco vs Juniper
Cisco vs PaloAlto
AMD vs Intel
AMD vs NVidia
Democrats vs Republicans
Azure vs AWS
Blondes vs Brunettes
Ferrari vs McLaren
Ford vs Chevrolet
Dogs vs Cats
And the list goes on and on and on. Glad we are living in a free society where people can make their own choices. Yet I remember our long gone past when people respected others opinion.

I'm fortunate that in my home lab I have enough resources to play with both opnsense and pfsense ce in my environment. I use pfsense as my primary firewall router though because there are a number of features that work better than what opnsense offers at this time. While I do like the opnsense UI and interface systems better, PFSense has been a workhorse and keeps on doing things *better* for my use case. That can change if the features come over - which is why I keep an eye on opnsense. I've got no desire to stick with something just *because*. But I do have to see that I'm getting more with one than the other and all my decisions are based around that.

EDIT: Tom has good reasons but doesn't acknowledge opposing ones. :EDIT
Okay...but that completely ignores the 'problem'. And ignoring it is de facto support.
It doesn't really matter if Joe's Used Car Lot has the highest quality cars at the lowest price. They engage in slimy business practices that are not only bad for everyone involved, they are also bad for completely uninvolved people because the practice becomes normalized.
I enjoy Chick-fil-a food, and unlike almost every other fast food chain I can even eat almost everything on their menu, but their company loudly and proudly supports some VERY bad/abusive stuff. So I don't give them my money.
I don't use OPNSense because it's BETTER than PfSense. I use it because PfSense isn't a valid option for me, because they keep doing things that I refuse to support.
Is it more work to do things like this? Yeah OF COURSE it is!
That's why these companies/organizations are able to get away with doing bad shit. People will excuse them because they provide convenience.
If you know someone is doing something shady, you are no longer a neutral party. Period.
Continuing the status quo IS participation. It IS contributing to the problem.

The lack of wifi drivers had put me off from Opnsense or pfsense

Enchancements are even better

Arch is old new. It’s all about the NixOS now.

Both have advantages and disadvantages so it's use what works best for you. Opnsense tends to have better driver support for new hardware and pfsense has better code support. I think what hurts pfesense more then anything else is some of their behavior and the forums where it can turn sour quickly with ego's running the show at times. In many ways pfsense is its own worst enemy not opnsense and its own actions have hurt them more then anything else.

If you don't use VIM, your soul will burn for all eternity. This is a fact, don't be mad at me for telling the truth. /s Figured this video would need a non--pfsense/opensense joke to relieve tensions.

Umm... This is the internet... we're all sheep here, we NEED to be told what to do! We don't want to "make our own decisions"!
😂

Tom, could You do a video on how to make PFSense more like a NGFW? Something like Zen Armor on OPN Sense.

0:47 did i told anyone that i use arch BTW ??????
Wait, i have an add for product you sold on bottom left of my screen. Is that new ? (doesn't bother me if it's not a random add btw)
Otherwise i don't have anything else to say about this video other than shit lol

Meanwhile, I run my firewalls using… just FreeBSD :D

I don't use arch btw. I transcended to gentoo and my beard is longer now.

Something I never understood Tom is why so many CZcams content creators spend so much time defending what they use and making videos like this with a whole bunch of time wasted on the "WHY"... If the Keyboard warriors don't like what you are doing they can do what they like and have their own CZcams channels talking about it. The rest of us I'm sure have had quite enough of CZcams Creators wasting so much time being defensive because of "Comment XYZ". Just stop, and I'd encourage everyone else with a channel to do the same. Stop feeding the trolls and there won't be any because they feel you aren't listening to them bitch about things and giving them a stage to do it!