So I’ve been using OPNsense for a few years. I have an extensive config including vlans, plugins, policies, suricata, VPN, routes, gateways, HAProxy, etc.

Over the past few months, I’ve noticed certain bugs, weirdness, and slowness within OPNsense. I recently watched Tom Lawrence’s video on the licensing changes and he touched on the openssl vulnerability that OPNsense has yet to remediate.

The Plus license cost (per year) which entitles you to some limited support options is also appealing. Every time I get stuck figuring out something complex in OPNsense, I have to hope someone else has tried to do the same thing and posted about it so I can troubleshoot.

I also don’t like having to constantly update. A more “stable”/enterprise focused cycle like pfSense has seems like my pace. It broke on me last year with one of the upgrades and I had to clean install.

Don’t get me wrong, I love the UI (mostly), plugins, etc. in OPNsense, but these past few months have got me thinking.

I’ve also heard that people don’t like Netgate as a company, so that could definitely factor into not switching.

What are everyone’s thoughts?

  • zneaky69@alien.topB
    10 months ago

    I moved to VyOS from OPNSense, I like VyOS a bit better, because of Ansible integration etc + it’s Linux not FreeBSD

    • zmttoxics2@alien.topB
      10 months ago

      VyOS is very good. It’s a fork of Vyatta which was sold to Brocade and sold again to ATT. Ubiquiti products use a fork of Vyatta as well (EdgeOS on their edge routers for example). I used to work with Vyatta and Brocade so I was a big fan of the Edge line for home and SMB. Since Ubiquiti shelved EdgeOS and stopped putting meaningful updates out I switched to VyOS rolling on my home router with one of those Beelink mini PCs with dual nics.

      • ultimattt@alien.topB
        10 months ago

        Is there any way for us home labbers to get more recent versions of VyOS without having to build it? It used to be easily accessible, now, not so much.

        • MachDiamonds@alien.topB
          10 months ago

          They have step by step instructions in their documentation. They even give you the commands to run so you only have to copy and paste.

          You literally git clone their repo, cd into the cloned directory, run a docker container and build the iso using the docker container. Took me 5-10 minutes using a single alder lake P core to make the .iso.

    • Murderous_Waffle@alien.topB
      10 months ago

      I’m using VyOS in my work environment now, got free licensing because we are a non profit. It’s been great.

  • ______-_-_________@alien.topB
    10 months ago

    I use pfsense CE. I am a bit worried that Netgate will be less interested in maintaining the community edition now, but it just works. I don’t need a lot of bells and whistles. So I’m staying put until I see a decent reason to switch.

    • djgizmo@alien.topB
      10 months ago

      IMO, no. I don’t use pfsense on a daily basis (MikroTik FTW), but netgate will use CE as a testing ground. They’ll keep putting out updates; but advanced functionality will be paywalled.

  • AdderallBuyersClub2@alien.topB
    10 months ago

    Do it. OPNSense is starting to not make sense anymore. I had the same conflicts as you. But PFSense has more support and features.

  • Godort@lemm.ee
    10 months ago

    OPNSense is far more willing to add “experimental” features and as a result you get a firewall that has more features out of the box, but is less stable.

    pfSense is very slow to add new functionality, but the platform is rock solid as a result.

    It all comes down to what you want. Do you want to play around with an appliance that has all the knobs, but also some eccentricities, or do you want an appliance that may not have bleeding edge features, but is far less prone to error?

  • SirLagz@alien.topB
    10 months ago

    I use pfSense for the stability of it.

    Netgate as a company has certainly done a few things which have had me looking at other router options but at the moment, pfSense CE works, is stable, and I don’t need to faff with it, so I’m happy staying put.

  • veehexx@alien.topB
    10 months ago

    Used both, from pf to opn maybe 15 months ago. Never had issues with either but I’ve had issues with how pf is managed and just seems to get another reason to dislike every so often.

    Depends on your issues but go raise a bug report with opn. If opn started to cause me issues then I’d be more likely to go to openwrt I think, rather than pf.

  • nuked24@alien.topB
    10 months ago

    I went from pfsense to opnsense about a year ago after an attempted settings change completely broke my pfsense install (again). I’ve been debating going back because I cannot get load balancing to work on opnsense, no matter what I do. Currently it’s just using a single gateway, and if that goes down then everyone is SOL until it comes back up or I manually switch it.

    • praetorthesysadmin@alien.topB
      10 months ago

      Most of the comments are just shitting on OPNsense, without even giving a valid reason why they don’t use it or they moved away from it.

      Very sus indeed.

  • butthurtpants@alien.topB
    10 months ago

    I went from pf to openwrt. So far, so good. I’m sure it’s not as powerful as a pure firewall device, but it suits my needs.

  • pizzapunt55@alien.topB
    10 months ago

    If you like support and stability then going for pf over opn is a choice you can make. I just don’t like how netgate has been shitting on the competitor with that ridiculous site.

  • Own_Career_7388@alien.topB
    10 months ago

    pfSense is what happens when you take OPNsense and put a chick in it and make her gay and lame. Always go with open source.

  • cspotme2@alien.topB
    10 months ago

    Your extensive config is probably your issue and not opnsense. You said you’ve been running it for a few years but seemingly 4 months ago, you couldn’t figure out a basic rule to block internet for a single ip.

    • TheHellSite@alien.topB
      10 months ago

      I second this. No offense to OP!

      I never noticed any “slowing down issues” since any of the recent updates. Running OPNsense with a similar setup to yours “vlans, plugins, policies, suricata, VPN, routes, gateways, HAProxy, etc”. Again no issues on 8+ sites, including SiteToSite WireGuard VPNs and with large corporate networks. Some systems running perfectly stable and performant since version 20.x (installed) and now running the latest update.

      Therefore I highly think your issues are user error / misconfiguration. Yet, I don’t mean to judge but it seems to me that you switching to pfSense will just bring your OPNsense issues with it.

      I can’t tell how much experience you have with networking/firewalls in general but a lack of that won’t bring you any further by switching to pfSense.

    • cjchico@alien.topOPB
      10 months ago

      My config probably does factor into some of the issues. To be fair, I’ve never had to block Internet from a single device before, and the rule seemed backwards compared to my thought process.

      If I remember correctly, I started using OPNsense in 2020. Since then, my lab and network have evolved tremendously.

      • Gutter7676@alien.topB
        10 months ago

        Yes, that is how networking rules work.

        Just an FYI, “your way of thinking” doesn’t apply to pretty much anything. Try learning how things actually work and not assume “your way” is the right way.

        I can’t believe I have to explain that.

        • cjchico@alien.topOPB
          10 months ago

          Not sure why you’re being rude for no reason - maybe you need a cup of coffee. I am learning how things work hence the incorrect thought process. Just because you think you know everything doesn’t mean you have to put everyone else down for not.

          FYI on Fortigates (that I am used to working with as opposed to *Sense), there is an incoming (source) and outgoing (destination) interface for the rules, so that’s where that thought process originated.

      • djgizmo@alien.topB
        10 months ago

        ‘Sense’ uses interface to base their rules around. You could use the vlan interface or the wan interface for this.

  • Embarrassed-Ebb-6704@alien.topB
    10 months ago

    Opnsense does not work well with my set up. A lot of bugs and instability especially vpn and load balancing. I never had a problem with pfsense CE

  • Frozen_Gecko@alien.topB
    10 months ago

    I actually switched from pfsense to opnsense last week. The licensing debacle and the stand Netgate took against the community was enough for me to switch. It took a bit of time getting used to the UI, but I’m starting to enjoy using opnsense more than pfsense. First thing that made me happy was the automatic backups to nextcloud haha