pfSense vs. OPNSense?

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
As a community we deserve better firewall options. I need to figure out my role in the future of this issue, but it's certainly an important problem to be considered.
A shame really. Especially since... didn't Netgate originally sponsor Wireguard porting work for FreeBSD?

Well, I happen to think pf is the best firewall I've used (no chance in hell I'd ever use the Linux iptables mess). There is always the option of just spinning up a vanilla FreeBSD machine and setting up pf manually. Actually, FreeBSD comes with not one, but THREE good firewall options. I've never used IPF, but I have used IPFW and pf. I like pf's syntax and tooling better of the two. Not exactly a big fan of the shell script-based IPFW.

That being said, I only run vanilla FreeBSD/pf in a transmission jail (auto-kill-switch) and not on my router. I run OPNsense on the router simply because it functions more like an "appliance", similar to how TrueNAS does. I just need to back up the config file and I can restore an identical setup pretty effortlessly without any backups.

Admittedly, I do miss pfSense's feature of automatic online backup that OPNsense lacks (you must have your own GitHub or file storage), but I can live with it considering the 2017 bug I mentioned before was a deal breaker for me. Netgate's shadiness is also a factor, but not the deal breaker that made me move to OPNsense.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
didn't Netgate originally sponsor Wireguard porting work for FreeBSD?
Sure--and made a complete mess of it, and when it came out that the code they sponsored was garbage, blamed everyone but themselves. Discussion a few pages back in this thread.
I do miss pfSense's feature of automatic online backup that OPNsense lacks (must have your own GitHub or file storage)
OPNsense has lots of ways to automatically back up its config file:
  • To GitHub/Lab/Tea (self-hosted or remote)
  • To Google Drive
  • To Nextcloud (self-hosted or remote)
  • Via its API, using a simple script running somewhere else
  • Probably others I'm missing
You need access to some form of file storage, but you don't necessarily have to host it yourself. I have it sending backups to a local Gitea instance, as well as running a script on my NAS that downloads them nightly. But what OPNsense doesn't have is their own remote config file storage.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Sure--and made a complete mess of it, and when it came out that the code they sponsored was garbage, blamed everyone but themselves. Discussion a few pages back in this thread.
True, but hey, they at least started it. Can't say for sure that FreeBSD wouldn't have had Wireguard support later if they hadn't started it, but I'd imagine it at least accelerated it a bit.

OPNsense has lots of ways to automatically back up its config file:
  • To GitHub/Lab/Tea (self-hosted or remote)
  • To Google Drive
  • To Nextcloud (self-hosted or remote)
  • Via its API, using a simple script running somewhere else
  • Probably others I'm missing
You need access to some form of file storage, but you don't necessarily have to host it yourself. I have it sending backups to a local Gitea instance, as well as running a script on my NAS that downloads them nightly. But what OPNsense doesn't have is their own remote config file storage.
While this is true, it requires an extra step of signup + setup (especially if self-hosted). Yeah, I know it's not much, but I'm lazy. I'm sure I'm not the only one who appreciates pfSense's zero conf/no signup/no setup approach.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268

Update...
Personally, after hearing about the kind of telemetry in the home lab version, I am not sure anyone should be running it. I wonder if they will remove it now that it will have a paid subscription tied to it.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
$129 annual subscription for just product updates and little else is pretty hefty. Then again, I don’t rely on my gateway to do a lot of heavy lifting so I guess I’m not part of the target audience?

Anyhow, it’s yet another sign of how MBA’s / PE is ruining the hardware / software business by trying to ram subscriptions down people’s throats. See our friends at IGG re Banktivity or AgileBits re 1Password. Neither OEM is willing to offer perpetual licenses because they know they’d be in trouble if they offered them.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,600
I would not mind a one time fee for an OpenSource product, (like for TrueNAS), that came with a light weight support contract for 3 years that included updates. Plus, the ability to renew for another 3 years, (perhaps with a dependency on using a later version that is supportable). If you change your mind during the 3 years, so what? As long as it did not cost an arm & a leg, fine by me.

What gets me about software subscriptions is the monthly fee. You basically have to tie it to your bank account. Then, if you have a bank issue, like identity theft, and have your account frozen, (perhaps even at your own request), all those subscriptions have issues. Most utilities will give you 30 days to fix any payment issue, but software subscriptions almost certainly have a quick lock date.

Yearly subscriptions are not quite as bad. But, they can be caught by a bank account change, as most banks send out new cards every few years. And the cheapest pfSense yearly subscription has very limited support. You basically have to use the forums for anything beyond simple initial installation.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,151
If I pay for something I have to own it. With a subscription I own nothing.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
There are always a lot of factors affecting "what am I willing to pay." I'm paying a $50/yr subscription for Nethserver, which is my main mail/web/Nextcloud server. I guess I get some support out of that, I do get more stable/tested updates, and I'm supporting the project. I don't know of anything directly competitive, I like the company that's backing it, and the price isn't too steep.

I like and use Proxmox, and have no concerns about the company behind it, but they have more direct competition in xcp-ng, and it would cost me €700/yr for their community subscription--too steep for my home use.

TrueNAS has some competition, but despite my periodic pointed comments about iX, it's another product I believe in and would support if there were some kind of subscription or support available for those of us who aren't using iX hardware. I think the big question there is what they could offer other than warm fuzzies. More-tested updates? Most of us, except in moments of weakness, already wait a while to update our systems. Support? My complaints aside, their support is pretty good for free; I can't imagine them providing an SLA for BYOD.

pfSense has direct competition in the form of OPNsense, and some less-direct competition in OpenWRT, VyOS, Nethserver, Arista, and others. I do not like Netgate, not one little bit. So there isn't a snowball's chance in hell that I'd pay them a subscription; if I hadn't already moved away (with some difficulty, as this thread documents), this latest change would be pushing me hard in that direction.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,600
If I pay for something I have to owe own it. With a subscription I owe nothing.
In my example, yes, if I did not want support after that 3 year buy in, any existing installation would continue to work as is. Without any future updates, but I own what I own. It would be prudent to update at 2 years, 10 months, giving you 2 months of light weight support to get any issues fixed.

Plus, as MANY OTHERS have said, cloud tie ins are the worst. It is one thing for TrueNAS to check for updates. Those can be blocked various ways if desired. It is another to send telemetry without permission. Or to quit working if the cloud service wants to change, charge more money, or just doesn't like you any more.

I want something I own outright, even if it does not get updates after a certain point. I think 3 years for some computer software is reasonable.

In the case of smart phones, since you BUY the phone, it should come with a longer update time, like 5 years. It is understandable that it may not get new features after 2 or 3 years. But security updates? *ell yes! And bug fixes until the 5 years is up.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,151
Damn it English, you tricked me yet again!

If it's something that comes with physical hardware (like a router/switch or a phone) I would argue security updates have to cover the entire physical lifespan of the product: I shouldn't need to pay to keep a device safe, I should pay to get an upgrade (either software or hardware).
If my hardware is still perfectly fine after 7 years, I have the right to use it as safely as it was when I bought it, with all the quirks of its seniority.

It's the same concept with games that require an internet connection and an active server to play: if I buy the damn game now, and in ten years the company that makes it isn't around anymore with its server spinning, I can't play the game I paid for. It sucks.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,600
Damn it English, you tricked me yet again!

If it's something that comes with physical hardware (like a router/switch or a phone) I would argue security updates have to cover the entire physical lifespan of the product: I shouldn't need to pay to keep a device safe, I should pay to get an upgrade (either software or hardware).
If my hardware is still perfectly fine after 7 years, I have the right to use it as safely as it was when I bought it, with all the quirks of its seniority.

It's the same concept with games that require an internet connection and a server active to play: if I buy the damn game now, and in ten years the company that makes it isn't around anymore with its server spinning, I can't play the game I paid for anymore. It sucks.
Hey, try writing in English when your native tongue is Elvish!

The "lifetime" is a debatable subject.

In the case of a cell-phone, 5 years of software support is reasonable in my opinion. They break or require a new standard, (my old one did not support 4G, so when 3G went bye bye, I had to buy a new one). So what would be considered the lifetime of a cell-phone?

What I mean by 3 years for OpenSource software is for something I buy and install on my own hardware. I may want something different and don't necessarily want to buy in for 5, 7 or even 10 years of life.

In the gaming world, I can see things being a little different. Like, a game should never just die if the remote server is not available.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,151
In my ideal world I can buy a phone today, get both security and general updates for 2-3 years, then get parked on a unified LTS version with only security updates for another 2-3 years at the very least.
I don't use my phone for much else than communications, personal entertainment (reading books), and my home banking.

Even better would be the ability to get infinite updates, but an open source OS for phones is something rare these days apparently.

If the phone is gonna cost me a grand, I expect a lot of software support. That would be a nice incentive to push me into not buying "just" a €250-300 model.
 

DigitalMinimalist

Contributor
Joined
Jul 24, 2022
Messages
159
OPNsense has lots of ways to automatically back up its config file:
  • To GitHub/Lab/Tea (self-hosted or remote)
  • To Google Drive
  • To Nextcloud (self-hosted or remote)
  • Via its API, using a simple script running somewhere else
  • Probably others I'm missing
I do run OPNsense on Proxmox.
I have configured it to back up the config to my Google Drive, but I found it so much easier to back up the whole VM to a network drive (in my case TrueNAS Scale) and then restore the whole VM in case of a new installation.

I’m currently switching to Proxmox Backup Server, which I installed yesterday as VM in TrueNAS Scale.

I like my current „Two-Server-Setup“ a lot…
A power efficient Proxmox hypervisor with OPNsense, PiHole, Home Assistant, Network Controller, cloudflared
AND a more power-hungry TrueNAS Scale server with a lot of storage space, Proxmox Backup Server and a few other nice-to-have apps.
I was pleasantly surprised by the smooth firewall, DHCP, DNS and VLAN setup in OPNsense.
 

DigitalMinimalist

Contributor
Joined
Jul 24, 2022
Messages
159
doesn't virtualization add an annoying layer?

It's a layer, but I see it as beneficial and not annoying.
I had an issue with my Proxmox server incl. OPNsense.
Re-installed Proxmox from a USB stick and restored the VM incl. all settings within 30 min.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
@DigitalMinimalist doesn't virtualization add an annoying layer?
The most annoying thing about it (for me) is that if you need to reboot the hypervisor host for updates, your whole network is down. Which is the reason why I'm still running Proxmox 7.3 instead of 8.0: I basically have to do it late at night or else I risk the wife's wrath.
 