pfSense vs. OPNSense?

Joined
Jul 2, 2019
Messages
648
"There will be a no charge path for home and lab use".
Based on the announcement and FAQ, this makes sense considering that Netgate notes that there will be a divergence. That said, your point around stagnation is a good one. Could it be that CE will be more dependent on 3rd party packages? I guess time will tell.

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I'm curious as to how long it will be before we have to find a replacement. I'm sure once development gets going strong on pfSense+ and the customer base is built, there will be no appetite for a free version.

Joined
Jul 2, 2019
Messages
648
@Jailer - good question. For someone like me who uses pfSense just for home/home lab, it would be a pain transferring the firewall rules, etc. but for small businesses it could be a bigger issue. Many small businesses could be using the Netgate gear, so I suspect they would be covered.

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
The frustrating thing with Linux, is the absolutely insane turn-over of some software packages. Trying to vet each update for security issues is problematic. Add in dependencies, and you can get a horrible mess for an appliance product.

Even the kernel is guilty of that. I ended up using long term support kernels on my home Linux computers. They are much more reliable now. Most minor kernel updates are generally problem free. But, I don't get the latest features... not that I need or even want them.

Joined
Jul 2, 2019
Messages
648
@Arwen - Good point. I suspect - nay HOPE, though, that they will go with an LTS-type arrangement like Ubuntu. I suspect the same will apply to the TrueNAS Scale project.

seanm

Guru
Joined
Jun 11, 2018
Messages
570
I use pfSense on Netgate hardware. Have been pretty happy. My biggest beef is how very slow software updates are. The current version, 2.4.5-RELEASE-p1, is from 2020-06-02, over half a year now. That seems like a really long time for there not to be a single security update, especially for a device connected to the public internet.

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
893
I only caught a quick mention of wireguard on twitter and then noticed this post.

UPDATE: Found this from BSDNow regarding wireguard.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
My biggest beef is how very slow software updates are.
"Slow" also implies "stable". The rapid-fire update cycle of OPNsense seems attractive, until one of those updates bricks your system (as it did for me). That's not a problem I've had with pfSense.

Now, the packages are updated much more frequently. And anything public-facing (other than the core routing functionality) is really going to be in the packages--but I do wish there were an "update all" button for them like there is in OPNsense.

Joined
Jul 2, 2019
Messages
648
Netgate really are trying to push users away, aren't they?
Well, I don't think that they are trying to push users away. The issue is the implementation of WireGuard in FreeBSD. Full details from the developer here: WireGuard for FreeBSD in development for 13.y – and a note of how we got here

From Donenfeld:
There were random sleeps added to "fix" race conditions, validation functions that just returned true, catastrophic cryptographic vulnerabilities, whole parts of the protocol unimplemented, kernel panics, security bypasses, overflows, random printf statements deep in crypto code, the most spectacular buffer overflows, and the whole litany of awful things that go wrong when people aren't careful when they write C.

So, basically pfSense (grateful they are funding the development, but...) nerfed the code.

--- Edit - Add The Register info ---
FreeBSD 13.0 to ship without WireGuard support as dev steps in to fix 'grave issues' with initial implementation

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The issue is the implementation of WireGuard in FreeBSD
...which is Netgate's work. And this (from the link you gave, describing the code that shipped with pfSense 2.5.0):
It was essentially an incomplete half-baked implementation – nothing close to something anybody would want on a production machine.
doesn't describe code I want running on my firewall.

Joined
Jul 2, 2019
Messages
648
For those of you who are interested, the if_wg mailing lists make some really interesting (maybe disturbing?) reading! (They are in the footnotes to the links I posted above.)

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
And at this point, anyway, I don't use wireguard, so that isn't a big deal for me--but just like I was with The FreeNAS Release That Must Not Be Named, I'm concerned about the process that let that code into the wild.

Joined
Jul 2, 2019
Messages
648
Given the state of software releases (read: Exchange Server as one example) and vendor supply chain controls (read: SolarWinds) I think there is a level of long-term employment...

IOSonic

Explorer
Joined
Apr 26, 2020
Messages
54
Well, I don't think that they are trying to push users away. The issue is the implementation of WireGuard in FreeBSD. Full details from the developer here: WireGuard for FreeBSD in development for 13.y – and a note of how we got here

From Donenfeld:


So, basically pfSense (grateful they are funding the development, but...) nerfed the code.

--- Edit - Add The Register info ---
FreeBSD 13.0 to ship without WireGuard support as dev steps in to fix 'grave issues' with initial implementation

@danb35 @Newfoundland.Republic Thanks for this. I was so happy to see Wireguard in 2.50, and quickly turned it on; now, it is turned off. I had no idea any of this was happening at all. Yikes. Back to OpenVPN SSL hellscape. At least it is known, well-travelled terrain. :)

Hope the CE won't go the way of the dodo, but only time will tell.

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Yes they are. And I have noticed your
I was so happy to see Wireguard in 2.50, and quickly turned it on; now, it is turned off.
The Golang implementation of WireGuard works quite nicely on plain FreeBSD or OPNsense or even on TrueNAS.

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
The whole Wireguard fiasco is more colorful. There was a brown-smelly-thingy flying back and forth between Netgate and original Wireguard author.

A nice sum-up is HERE (scroll down a bit to post from i_mormon_stuff) or HERE (scroll down to the post from megahambone)
Original mail-list threads are HERE and HERE and also some extra commit comments HERE , HERE and HERE
Arstechnica YoLo post HERE
Netgate QQ blogpost HERE
Reddit #1 HERE
Reddit #2 HERE
Reddit #3 HERE
Some bonus HERE

Enjoy the reading and don't forget to flush the toilet once you're done ... with the reading ...

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Thanks for the links, especially to the two summary posts at the top. I'm not on reddit, so much appreciated.