pfSense vs. OPNSense?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
So as another point of comparison between the two--don't expect much help from the OPNsense forum. ntpd isn't working for me--something appears to be killing the process, and there's no indication of what. No help here in over a week. The dashboard widgets for OpenVPN aren't working--they say the process isn't running when it demonstrably is (two clients are connected). Nothing on that one either. However nice the software might be, (lack of) support is looking like a pretty big drawback.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
So as another point of comparison between the two--don't expect much help from the OPNsense forum. ntpd isn't working for me--something appears to be killing the process, and there's no indication of what. No help here in over a week. The dashboard widgets for OpenVPN aren't working--they say the process isn't running when it demonstrably is (two clients are connected). Nothing on that one either. However nice the software might be, (lack of) support is looking like a pretty big drawback.
Same issue here with ntpd, I can manually restart it, but it stops randomly and clients can't seem to connect to it...
I'll try throwing Deciso an email in Dutch...
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Open an issue on github, possibly?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
The other thing that's surprising me (and I'm seeing other people mention this as well) is that 20.7 in particular seems much more resource-hungry. I'm getting fairly-frequent email alerts about load averages of 5.0 and higher, and CPU utilization of > 75%. I'm not even doing that much with the box most of the time--there isn't much traffic over the VPN most of the time, I've disabled Suricata, HAProxy isn't handling much traffic. Same workload, and same hardware I was using with pfSense.
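The load-average alerts described above say that the box is busy but not what is busy. The script below is an added example (not from this thread or from the OPNsense project): a small cron-driven sampler for a FreeBSD-based firewall that reads `vm.loadavg`, and whenever the 1-minute figure crosses a threshold, writes a snapshot of the heaviest processes so the culprit is recorded at the moment of the spike rather than guessed at afterwards. The log directory, threshold and script name are assumptions; `sysctl vm.loadavg` and `ps -r` (sort by CPU) are standard FreeBSD.

```shell
#!/bin/sh
# loadwatch.sh: added example, not OPNsense or pfSense code.
# Run from cron every minute:  * * * * * /usr/local/sbin/loadwatch.sh run
# Assumes FreeBSD sysctl(8)/ps(1); LOG_DIR and THRESHOLD below are assumed defaults.

LOG_DIR="${LOG_DIR:-/var/log/loadwatch}"   # assumed path, adjust to taste
THRESHOLD="${THRESHOLD:-4.0}"              # 1-minute load that triggers a snapshot
TOP_N="${TOP_N:-15}"                       # how many processes to record

# Pull the 1-minute figure out of FreeBSD's "vm.loadavg" value,
# which sysctl -n prints as "{ 5.12 3.40 2.01 }".
parse_loadavg_1m() {
    echo "$1" | awk '{ print $2 }'
}

# Exit status 0 when load >= threshold. POSIX sh arithmetic is integer-only,
# so awk does the floating-point comparison.
load_exceeds() {
    awk -v load="$1" -v thr="$2" 'BEGIN { exit !(load + 0 >= thr + 0) }'
}

# Record the processes currently using the most CPU. On FreeBSD "ps -r"
# sorts by CPU usage; etime shows how long each one has been running, which
# separates a long-lived hog from something that just spawned.
snapshot_cpu_hogs() {
    printf '=== %s load=%s ===\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1"
    ps -axo pid,pcpu,pmem,vsz,rss,stat,etime,command -r | head -n "$((TOP_N + 1))"
}

main() {
    load="$(parse_loadavg_1m "$(sysctl -n vm.loadavg)")"
    if load_exceeds "$load" "$THRESHOLD"; then
        mkdir -p "$LOG_DIR"
        snapshot_cpu_hogs "$load" >> "$LOG_DIR/$(date '+%Y%m%d').log"
    fi
}

# Only sample when invoked with "run", so the functions can also be sourced.
[ "${1:-}" = "run" ] && main
```

Reading the resulting log over a day answers the question the email alerts leave open: whether the load comes from a single runaway daemon, from periodic jobs (the etime column makes those obvious), or from many small processes that together add up.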
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Open an issue on github, possibly?
Hadn't thought of this, thanks for the suggestion. I'd have thought that their forum would be the primary support channel, though.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Hadn't thought of this, thanks for the suggestion. I'd have thought that their forum would be the primary support channel, though.
Support yes, but this seems to be more like a bug than it's about support...
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
The other thing that's surprising me (and I'm seeing other people mention this as well) is that 20.7 in particular seems much more resource-hungry. I'm getting fairly-frequent email alerts about load averages of 5.0 and higher, and CPU utilization of > 75%. I'm not even doing that much with the box most of the time--there isn't much traffic over the VPN most of the time, I've disabled Suricata, HAProxy isn't handling much traffic. Same workload, and same hardware I was using with pfSense.
Coin mining? ;)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
OK, at this point I'm pretty much giving up on OPNsense as far as support goes. If a security appliance can't reliably tell you that its VPN service is running and has clients connected, that's a pretty big problem. Crickets on the forum. Ntpd isn't working--it's been two weeks since the last response on that, and nobody's touched the bug report.

Use it if you like--it does seem to have some advantages over pfSense. But go into it assuming you're 100% on your own for support.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
security appliances .... maybe too complicated and very difficult to achieve a polished product, especially for free
I use the Sophos XG (free for home but virtually identical to their subscription-based appliances),
it works fine for a newbie like me, but I read a lot of nagging in their forums

having said this, I agree with what is written above about OPNsense
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Wow. From their response:
That particular issue is not reproducible anywhere else so the way to continue is difficult and time-consuming.
...so I guess they're just not going to bother--not to fix it, not even to circle back to say "sorry, can't reproduce, you're on your own." (And, as a side note, it is reproducible for me, on both 20.1 (then upgraded to 20.7) and a fresh install of 20.7, on two different pieces of hardware.) But thanks; at least I now have confirmation that they aren't going to do anything to help with either of these issues.

Something's sending signal 15 to ntpd, and the only software on the device is theirs. And on the off chance that something in hardware was causing it (which I didn't expect--I'd think that would do something other than signal 15), I replaced the Netgate device with a Protectli box the other day--no change.

Ugh. The UI is much nicer than pfSense. HAProxy configuration is easier. Hairpin NAT Just Works(tm), when I was never able to get it working with pfSense. And they don't have the "threw a hissy fit when someone forked their supposedly-open-source project" cloud over their heads. But support sucks, and it doesn't sound like they care.
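"Something's sending signal 15 to ntpd" is exactly the kind of statement that can be turned into evidence instead of a guess. The script below is an added example, not from this thread or from OPNsense: it uses the FreeBSD DTrace `proc:::signal-send` probe (the `psinfo_t` fields `pr_fname`/`pr_pid` are those of FreeBSD's proc provider) to log every SIGTERM delivered to a process named `ntpd` together with the sender's name, pid and parent pid, and then summarizes a captured trace by sender. The trace output format is this script's own; the sample lines in the test are constructed. It assumes the DTrace kernel modules are loadable on the box (`kldload dtraceall`) and that it is run as root.

```shell
#!/bin/sh
# ntpd-sigtrace.sh: added example, not OPNsense or pfSense code.
# Usage:  ./ntpd-sigtrace.sh trace  > /var/log/ntpd-signals.log   (run as root, FreeBSD)
#         ./ntpd-sigtrace.sh summarize < /var/log/ntpd-signals.log

TARGET="${TARGET:-ntpd}"   # process name to watch
SIGNAL="${SIGNAL:-15}"     # 15 = SIGTERM, the signal reported in the thread

# Emit the D program. proc:::signal-send fires in the sender's context, so
# execname/pid/ppid describe who sent the signal; args[1] is the recipient's
# psinfo_t and args[2] the signal number (FreeBSD dtrace_proc(4)).
signal_trace_script() {
    cat <<EOF
proc:::signal-send
/args[2] == $SIGNAL && args[1]->pr_fname == "$TARGET"/
{
    printf("%Y sender=%s pid=%d ppid=%d -> %s[%d] sig=%d\\n",
        walltimestamp, execname, pid, ppid,
        args[1]->pr_fname, args[1]->pr_pid, args[2]);
}
EOF
}

# Run the probe until interrupted. -q suppresses DTrace's own chatter so the
# output is only our printf lines.
trace_signals() {
    dtrace -q -n "$(signal_trace_script)"
}

# Count trace lines per sender, most frequent first. A sender of "sh" is
# usually a script; the logged ppid then points at whatever launched it
# (on OPNsense typically a configd- or cron-driven action).
summarize_senders() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sender=/) { split($i, kv, "="); n[kv[2]]++ }
    } END { for (s in n) printf "%s %d\n", s, n[s] }' | sort -k2,2nr -k1,1
}

case "${1:-}" in
    trace)     trace_signals ;;
    summarize) summarize_senders ;;
esac
```

The interesting field is usually not the sender's name but its `ppid`: when the summary shows a generic shell killing ntpd on a schedule, correlating the parent pid with `ps -o pid,ppid,command` (or the firewall's cron and configd logs) is what distinguishes a deliberate restart hook from a real fault.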
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
threw a hissy fit when someone forked their supposedly-open-source project" cloud over their heads
Well, that response is up there on the yikes meter. For a security appliance I need more passion for quality than that.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
I'm a bit on the fence on this one @danb35
You did get support, they did look into your issue and concluded THEY can't reproduce it and that, simply put, it has low priority.

I think for an open-source project you can't expect your issue to get full attention from the paid developers; their priority would always be paying customers, and if they have a small team that also means they need to make choices.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
I'm a bit on the fence on this one @danb35
You did get support, they did look into your issue and concluded THEY can't reproduce it and, simply put, has low priority.
I stepped away from this for a while because I was getting frustrated, and that seems to have carried through enough to frustrate some of the devs. But I think there's something important this analysis is missing, and that's that none of the support*, looking into the issue, or concluding they couldn't reproduce it, happened in what they designate as their support channel. It instead happened on Twitter (which I don't use), after Patrick posted there, and to a lesser degree on my GitHub issue after I'd posted my frustration here and on their forum.

I wouldn't have been happy, as such, if they'd replied on the issue or on the forum with that information, but I recognize the rest of what you said--it's a F/OSS project, I'm a non-paying user, and it's a relatively low-priority issue (though I don't think I'd entirely agree with that wrt the OpenVPN problem). But that isn't what happened. There were two weeks of silence on the forum, and at least a week on the GitHub issue. I don't think I'm being impatient to have expected something in that time.

They suggest hardware issues, or that the hardware was inadequate. I wouldn't rule it out as a possibility, but I'd note that it's been more than adequate to run pfSense (which also runs ntpd as a service) for 4+ years. And even when I replaced the system with one roughly twice as performant (a Protectli FW4B), the same problems persisted. That might not completely rule out a hardware failure as the source of the problem, but it makes it exponentially less likely.

The last straw was today. It notified me that an update to 20.7.2 was available, so I installed it. No errors were reported, but it left the system (and my Internet connection) in an unusable state. Enough. I put the old SSD with pfSense back in the old box, plugged it back in, and turned it on--I'm back to a solid connection. I think I'm done with OPNsense, at least for the time being.

* I did get some help on my thread about ntpd, but then just... nothing. No "we're looking into it," no "that's strange, it shouldn't be doing that," no "I can't duplicate this", nothing. Just silence for 2+ weeks, until I posted my admittedly-inflammatory (though I still believe mostly correct) summary of their Twitter response.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,450
I stepped away from this for a while because I was getting frustrated, and that seems to have carried through enough to frustrate some of the devs. But I think there's something important this analysis is missing, and that's that none of the support*, looking into the issue, or concluding they couldn't reproduce it, happened in what they designate as their support channel. It instead happened on Twitter (which I don't use), after Patrick posted there, and to a lesser degree on my GitHub issue after I'd posted my frustration here and on their forum.

I wouldn't have been happy, as such, if they'd replied on the issue or on the forum with that information, but I recognize the rest of what you said--it's a F/OSS project, I'm a non-paying user, and it's a relatively low-priority issue (though I don't think I'd entirely agree with that wrt the OpenVPN problem). But that isn't what happened. There were two weeks of silence on the forum, and at least a week on the GitHub issue. I don't think I'm being impatient to have expected something in that time.

They suggest hardware issues, or that the hardware was inadequate. I wouldn't rule it out as a possibility, but I'd note that it's been more than adequate to run pfSense (which also runs ntpd as a service) for 4+ years. And even when I replaced the system with one roughly twice as performant (a Protectli FW4B), the same problems persisted. That might not completely rule out a hardware failure as the source of the problem, but it makes it exponentially less likely.

The last straw was today. It notified me that an update to 20.7.2 was available, so I installed it. No errors were reported, but it left the system (and my Internet connection) in an unusable state. Enough. I put the old SSD with pfSense back in the old box, plugged it back in, and turned it on--I'm back to a solid connection. I think I'm done with OPNsense, at least for the time being.

* I did get some help on my thread about ntpd, but then just... nothing. No "we're looking into it," no "that's strange, it shouldn't be doing that," no "I can't duplicate this", nothing. Just silence for 2+ weeks, until I posted my admittedly-inflammatory (though I still believe mostly correct) summary of their Twitter response.
I came across this post. Not sure if it helps.
https://access.redhat.com/discussions/5358171
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
I'd seen the WireGuard news, but not pfSense+. Reading through the FAQ, though, I think STH made a poor comparison between this and the TrueNAS rebrand. pf+ is described as a fork of pfSense which will increasingly diverge from it, and it sounds like "CE" is going to be pretty much stagnant wrt features. But "There will be a no charge path for home and lab use". Interesting.
 