pfSense vs. OPNSense?

Oriann (Explorer, joined Dec 15, 2018, 84 messages)
I have plenty of concerns with pfSense (most, if not all, of which are discussed in this thread), but "infrequent updates" isn't even on my radar.
From my point of view, every piece of software needs fast and reliable updates, because software will never be perfect, and every week (maybe month) there are some nasty people who really just care about network penetration and making new bot computers for their DDoS attacks, and they will not hesitate to use every inch of a bad code block against you.
Maybe another thing is the nicely reworked UI in OPNsense; I can really find everything now. pfSense is kind of messier for me.
And the last thing is that they are more conservative with new features. I am not that kind of person.

But as I said earlier, that's just my POV.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> Odd then that if the update policy is slow (potentially suggesting a careful review process) that all that bad code made it into their main code base.
Indeed. I haven't, as yet, had trouble with any pfSense updates. I have with OPNsense. But as you say, it appears that they put a bunch of pretty bad code into their product, which doesn't seem consistent with the point of a slow update cycle.

> From my point of view every software need fast and reliable updates because [snip lengthy explanation of the obvious fact firewalls are needed]
So where (until this latest fiasco with Wireguard) are the vulnerabilities in pfSense that have taken so long to be fixed, leaving users exposed for months or years? Or is your concern just hypothetical?

I agree with you on the UI; pfSense is a disaster in that regard.

AbsolutIggy (Dabbler, joined Feb 29, 2020, 31 messages)
> I haven't, as yet, had trouble with any pfSense updates.

I have only used pfSense, testing OPNsense now. The last update to 2.5.0, which I did late at night to not disturb anyone, meant going to bed roughly 2 hours later than planned because I had no internet connectivity, and no IPsec connectivity once the first problem was fixed. The first problem was easy to fix once I realised that the box had forgotten the default gateway, but the second was a bit worse, since version 2.5.0 made a mess of IPsec:

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Maybe I'm a glutton for punishment, but I'm giving OPNsense another try. Rather than try to bootstrap the configuration by uploading a saved pfSense configuration as I did before, I've manually configured it, and it seems to be going more smoothly--though Unbound DNS doesn't seem to be working right now for some reason.

A couple of things are different this time. One of them is that there's now a Caddy plugin from a third-party repo. While it doesn't have a GUI for configuration the way HAProxy does, it's still much easier to configure. Another is that there's now a plugin (it may have been there before, but I don't remember it) to back up the router's configuration to an external Git repo. Since I'm already running a Gitea instance, that was pretty straightforward to set up.

But: NTP is working. OpenVPN is working, and correctly reporting its status on the dashboard. Dual-WAN with failover seems to be working. Caddy is working nicely as the reverse proxy. And, of course, the basic Internet routing is working.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> Unbound DNS doesn't seem to be working right now for some reason.
Still not working, even after "blow it away, reinstall from scratch, use as basic a config as possible." This is kind of a problem. I can use DNSmasq, of course, but that's not how I want to use the system (nor how I've been using pfSense for years, nor e-smith/SME before that)--nor is that the default for the system; it defaults to using Unbound. And I can't find any logging for the failures.

> OpenVPN is working, and correctly reporting its status on the dashboard
Well, not so much. The client systems connect, and do show up in the dashboard--but no traffic actually passes between them and my LAN. I think this is a matter of firewall rules (pfSense auto-creates a firewall rule when you set up the VPN server; OPNsense doesn't seem to do this), but until I can get DNS working I'm not going to mess with the rest of it.

I want to like OPNsense--but it's making it very hard for me.

Ericloewe (Server Wrangler, Moderator, joined Feb 15, 2014, 20,194 messages)
I'll throw in my two cents:

I had to go with pfSense because OPNsense does not have a fix for igmpproxy (which I need for IPTV) crashing if the connection handle is too large for its taste - made more likely by the ISP using VLAN 105 for IPTV...
This is somehow fixed in pfSense, possibly through a quick-and-dirty patch that was rejected by upstream igmpproxy due to "you're just allocating more handles until it works for you, not fixing the problem", which... I kind of understand on some level, but I need this to work at the end of the day and software without pragmatism is just philosophy.

> Still not working, even after "blow it away, reinstall from scratch, use as basic a config as possible." This is kind of a problem. I can use DNSmasq, of course, but that's not how I want to use the system (nor how I've been using pfSense for years, nor e-smith/SME before that)--nor is that the default for the system; it defaults to using Unbound. And I can't find any logging for the failures.
What's your failure mode anyway? I'm thinking of buying a pair of rackmount OPNsense appliances for work (the high-end Epyc embedded stuff, which is actually a good price) and if OPNsense doesn't pan out, I can just install pfSense or whatever else I want on the things.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> What's your failure mode anyway?
Clients connect to the OPNsense box, but it returns an error. Like this:
Code:
PS C:\Users\Dan> nslookup google.com
Server:  opnsense.familybrown.org
Address:  192.168.1.1

*** opnsense.familybrown.org can't find google.com: Server failed

and this:
Code:
 ✘ dan@Dan-Mac-Mini-2  ~  dig @192.168.1.1 google.com

; <<>> DiG 9.10.6 <<>> @192.168.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3653
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN    A

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jul 08 04:32:37 EDT 2022
;; MSG SIZE  rcvd: 39

...and even this, on the OPNsense box itself:
Code:
root@opnsense:~ # dig @localhost google.com

; <<>> DiG 9.18.4 <<>> @localhost google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2147
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN    A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Fri Jul 08 04:33:05 EDT 2022
;; MSG SIZE  rcvd: 39

...and with nothing logged that I can find, I'm having trouble figuring out what to try next.

Ericloewe (Server Wrangler, Moderator, joined Feb 15, 2014, 20,194 messages)
Well, that's not a very subtle failure mode. I wonder what's going on there. Don't they have Unbound logging to /var/log?

neofusion (Contributor, joined Apr 2, 2022, 159 messages)
> ...and with nothing logged that I can find, I'm having trouble figuring out what to try next.
No personal experience with OPNsense or unbound but can you enable logging in /etc/unbound/unbound.conf?
Edit: I suppose this might also be of interest, maybe that's a more suitable approach to changing the .conf in OPNsense.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> Don't they have Unbound logging to /var/log?
They do, but turns out the default log level is pretty low. But there are bells, whistles, and knobs in the UI to control it--let's see what that comes up with.

Edit: Wow, do they ever. Turn the log level up to 4 (out of 5), enable query logging, and a single query generates over 1000 lines of logs. It'll take a little bit to dig through that.

Edit 2: Who has time to manually read through > 1000 lines of log? That's what grep is for:
Code:
 dan@Dan-MBP-2013  ~/Downloads  grep error unbound_log.txt
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11066"] [77014:0] error: udp connect failed: No route to host for 2001:503:ba3e::2:30 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11110"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11150"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11188"] [77014:0] error: udp connect failed: No route to host for 2001:500:1::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11228"] [77014:0] error: udp connect failed: No route to host for 2001:500:9f::42 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11337"] [77014:0] error: udp connect failed: No route to host for 2001:7fe::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11377"] [77014:0] error: udp connect failed: No route to host for 2001:500:12::d0d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11417"] [77014:0] error: udp connect failed: No route to host for 2001:500:a8::e port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11453"] [77014:0] error: udp connect failed: No route to host for 2001:503:ba3e::2:30 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11611"] [77014:0] error: udp connect failed: No route to host for 2001:500:9f::42 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11684"] [77014:0] error: udp connect failed: No route to host for 2001:500:2f::f port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11756"] [77014:0] error: udp connect failed: No route to host for 2001:7fd::1 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11795"] [77014:0] error: udp connect failed: No route to host for 2001:500:1::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11833"] [77014:0] error: udp connect failed: No route to host for 2001:500:a8::e port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11872"] [77014:0] error: udp connect failed: No route to host for 2001:dc3::35 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12111"] [77014:0] error: udp connect failed: No route to host for 2001:500:2f::f port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12188"] [77014:0] error: udp connect failed: No route to host for 2001:500:1::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12225"] [77014:0] error: udp connect failed: No route to host for 2001:500:12::d0d port 53 (len 28)
<31>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12310"] [77014:0] debug: return error response SERVFAIL


So why is it trying to connect to a bunch of IPv6 addresses when the system doesn't use IPv6 at all? Hmmm...

I do see a setting (at system / settings / general / prefer to use ipv4), but that's checked already.
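The grep-and-eyeball step in the post above can be turned into a check that separates "only IPv6 upstreams are unreachable" (an address-family problem) from "IPv4 upstreams fail too" (a route or firewall problem). This is an added example, not code from the thread or from OPNsense; the log lines embedded in it are constructed to match the format of the excerpt above, with the hostname changed. On a real box, source the file and run `verdict < unbound_log.txt`.

```shell
#!/bin/sh
# Added example: classify Unbound "udp connect failed" errors by address
# family so that a pile of debug output reduces to one verdict.

# Constructed sample, same syslog layout as the thread's excerpt (hostname changed).
SAMPLE_LOG='<27>1 2022-07-09T10:44:36-04:00 fw.example.org unbound 77014 - [meta sequenceId="11066"] [77014:0] error: udp connect failed: No route to host for 2001:503:ba3e::2:30 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 fw.example.org unbound 77014 - [meta sequenceId="11110"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 fw.example.org unbound 77014 - [meta sequenceId="11150"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<31>1 2022-07-09T10:44:36-04:00 fw.example.org unbound 77014 - [meta sequenceId="12310"] [77014:0] debug: return error response SERVFAIL'

# Constructed contrast: an IPv4 root server fails as well, which points at
# outbound port 53 being blocked or unrouted rather than at IPv6 preference.
MIXED_LOG='<27>1 2022-07-09T10:50:00-04:00 fw.example.org unbound 77014 - [meta sequenceId="20001"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<27>1 2022-07-09T10:50:00-04:00 fw.example.org unbound 77014 - [meta sequenceId="20002"] [77014:0] error: udp connect failed: No route to host for 198.41.0.4 port 53 (len 16)'

# unreachable_upstreams: read Unbound log lines on stdin; print, per address
# family, the number of failed connects and of distinct target addresses,
# followed by the number of SERVFAIL responses handed back to clients.
unreachable_upstreams() {
    awk '
    /udp connect failed: No route to host for / {
        # the target address is the field right after the word "for"
        for (i = 1; i <= NF; i++) if ($i == "for") { addr = $(i + 1); break }
        fam = (index(addr, ":") > 0) ? "v6" : "v4"
        count[fam]++
        if (!(addr in seen)) { seen[addr] = 1; distinct[fam]++ }
    }
    /return error response SERVFAIL/ { servfail++ }
    END {
        printf "v4 %d %d\n", count["v4"] + 0, distinct["v4"] + 0
        printf "v6 %d %d\n", count["v6"] + 0, distinct["v6"] + 0
        printf "servfail %d\n", servfail + 0
    }'
}

# verdict: "ipv6-transport" when only IPv6 upstreams are unreachable (fix the
# address family, not the firewall), "mixed" when both families fail,
# "ipv4-transport" when only IPv4 fails, "none" when nothing matched.
verdict() {
    unreachable_upstreams | awk '
        $1 == "v4" { v4 = $2 }
        $1 == "v6" { v6 = $2 }
        END {
            if (v6 > 0 && v4 == 0) print "ipv6-transport"
            else if (v6 > 0 && v4 > 0) print "mixed"
            else if (v4 > 0) print "ipv4-transport"
            else print "none"
        }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | unreachable_upstreams
printf '%s\n' "$SAMPLE_LOG" | verdict
printf '%s\n' "$MIXED_LOG" | verdict
```

The distinction matters because the two verdicts have different fixes: "ipv6-transport" means the resolver is choosing IPv6 root and TLD servers on a host with no IPv6 route, so the remedy is in address-family preference or the outgoing interface, while "mixed" means outbound UDP/53 is not getting out at all and the firewall rules or the default route need looking at first.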

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Well, isn't that interesting... There's this setting in the Unbound configuration, hidden behind an "Advanced" button:
[screenshot: Unbound's outgoing network interface selector, set to "All"]

The default, as you might expect, is "All." When I set it to WAN instead, it starts working. Wonder why that would be...

neofusion (Contributor, joined Apr 2, 2022, 159 messages)
> Well, isn't that interesting... There's this setting in the Unbound configuration, hidden behind an "Advanced" button:
> The default, as you might expect, is "All." When I set it to WAN instead, it starts working. Wonder why that would be...
Including the LAN as an outgoing network interface is a peculiar choice. Failover WANs or VPN tunnels I could understand but not LAN.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> Including the LAN as an outgoing network interface is a peculiar choice
The tooltip help indicates you can only specify an interface if that interface is statically configured. If that's the case, it would explain not setting it to WAN by default, because WAN for lots of people is DHCP or otherwise dynamic. The default is the same in pfSense, but for whatever reason it doesn't cause this problem.
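For comparison, this is what the GUI knobs discussed above correspond to in unbound.conf itself. It is an added example, not the configuration OPNsense generates and not anything from the thread, and the WAN address in it is an assumption. The static-address requirement follows from how `outgoing-interface` works: Unbound binds its outgoing sockets to that literal address, so an address that changes on a DHCP renewal would leave the resolver bound to a stale one.

```conf
# Added example (not OPNsense-generated): unbound.conf equivalents of the
# settings discussed in the thread, for a box with no working IPv6 path.
server:
    # Equivalent of selecting WAN instead of "All" in the GUI. Only safe when
    # the WAN address is static; Unbound binds to this exact address.
    # 203.0.113.5 is a placeholder for the static WAN address.
    outgoing-interface: 203.0.113.5

    # Stop attempting IPv6 transport to root/TLD servers at all. Caveat: this
    # disables IPv6 on the listening side too, so IPv6-only clients lose DNS.
    do-ip6: no

    # Debugging knobs used above. verbosity 4 plus per-query logging is very
    # noisy; log-servfail alone explains most SERVFAILs in one line each.
    verbosity: 1
    log-queries: no
    log-servfail: yes
```

OPNsense regenerates unbound.conf from the GUI, so hand edits to the generated file are overwritten on the next change; put overrides in whatever custom-options mechanism the installed release provides (the approach neofusion alluded to above).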

Ericloewe (Server Wrangler, Moderator, joined Feb 15, 2014, 20,194 messages)
> The tooltip help indicates you can only specify an interface if that interface is statically configured.
That's kinda weird. I'm having a hard time figuring out why that would be a problem for Unbound.

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
As far as I can tell from your posts in the OPNsense forum, for some reason there is a GUA IPv6 address on some interface, and "of course" the OS prioritizes IPv6 over IPv4, so if you don't have a working IPv6 connection you end up with the situation you experience.

BTW, LAN is quite common in one particular situation: when you want to send all your outbound requests through an IPsec tunnel, it's important that the query source address is part of the phase 2 SA ...
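To test the diagnosis above on a box, the following added example (not code from the thread or from OPNsense) reads FreeBSD-style ifconfig output and lists every IPv6 address that is neither loopback nor link-local, tagging global addresses (2000::/3) separately from ULAs (fc00::/7). The ifconfig text it contains is constructed; on a live box run `ifconfig | routable_v6`. A single global address on any interface is enough for source-address selection to rank IPv6 root servers ahead of IPv4 ones, which is exactly the failure pattern in the Unbound log earlier in the thread.

```shell
#!/bin/sh
# Added example: find IPv6 addresses that make the OS prefer IPv6 upstreams.

# Constructed FreeBSD-style ifconfig output (addresses are documentation ranges).
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
    inet6 fe80::1:2:3:4%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1::5 prefixlen 64
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::a:b:c:d%em1 prefixlen 64 scopeid 0x2
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000'

# Constructed contrast: only link-local and loopback IPv6, i.e. what the
# thread author expected his box to look like.
SAMPLE_IFCONFIG_V4ONLY='em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::a:b:c:d%em1 prefixlen 64 scopeid 0x2
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3'

# routable_v6: read ifconfig output on stdin; print "<iface> <addr> <kind>"
# for each IPv6 address that is not ::1 and not in fe80::/10.
routable_v6() {
    awk '
    /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface) }
    $1 == "inet6" {
        addr = $2
        sub(/%.*/, "", addr)                      # strip the scope id
        if (addr == "::1") next                   # loopback
        if (addr ~ /^[fF][eE][89abAB]/) next      # link-local fe80::/10
        if (addr ~ /^[23]/) kind = "gua"          # global unicast 2000::/3
        else if (addr ~ /^[fF][cCdD]/) kind = "ula"   # unique local fc00::/7
        else kind = "other"
        print iface, addr, kind
    }'
}

# has_global_v6: exit 0 when at least one global unicast address is present.
has_global_v6() {
    routable_v6 | awk '$3 == "gua" { found = 1 } END { exit(found ? 0 : 1) }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_IFCONFIG" | routable_v6
if printf '%s\n' "$SAMPLE_IFCONFIG" | has_global_v6; then
    echo "global IPv6 present: the resolver will try IPv6 upstreams first"
fi
```

The loopback and link-local exclusions are what make the check useful: both are always present on a FreeBSD box and neither is usable as a source for queries to the root servers, so a box with only those is genuinely IPv4-only as far as Unbound is concerned.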

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> for some reason there is a GUA IPv6 address on some interface
So the IPv6 configuration type for my LAN interface is set to "Track interface." It isn't entirely clear to me from their docs what that means, but that interface doesn't have an IPv6 address, nor does any other interface but lo0. But this leaves two scenarios I'd be interested to test, after setting Unbound's interface back to All:
  • Enable DHCP6 on WAN
  • Disable IPv6 entirely (and explicitly) on LAN.

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
If you don't want to run IPv6, you need to set it to "None" for all interfaces.

devilsfruit (Cadet, joined Jun 17, 2021, 5 messages)
On paper, I'd choose OPNsense over pfSense. That's also what I did originally, but for some inexplicable reason I'd have WiFi that'd disconnect (using an external access point), and I'd also have to wait a minute or two (after booting my desktop) before I had any Ethernet.
I had this both on special configurations and on factory-reset settings.

So I made the switch to pfSense, and even without any special config, everything worked out of the box like I wanted it to. So, while I'd prefer OPNsense for the way they conduct their business (in regards to the open-source community and their consumers), I'm actually using pfSense because it just works for me.