
PfSense vs OPNsense: technical comparison - auslander
http://opnsense.firewallhardware.it/en/pfsense_vs_opnsense.html
======
kev009
As someone with extensive experience and nuance in the FreeBSD community, I
will just say that OPNsense and closely affiliated HardenedBSD are basically
unintentionally hilarious clown projects. They created some bad blood with
particular people but the HBSD side tends to just give me a good belly laugh
every handful of months, usually around the larger conference season. Folks
from OPN and HBSD appear to have rudimentary grasp of C while making grandiose
security claims. This is probably my favorite feature comparison of all time:
[https://hardenedbsd.org/content/easy-feature-comparison](https://hardenedbsd.org/content/easy-feature-comparison). It
appears to be largely cult of personality ensnaring users that don't really
know any better.

YMMV but for people wanting a firewall you'd be much better off with pfSense,
stock OpenBSD, or stock FreeBSD. To get involved in OS work or BSDs you're
much better off with Free/Open/Net/TrueOS. Those are communities filled with
competent people to support the code and that you can learn from.

~~~
sgt
Agreed - I will not change from pfSense to OPNsense. Just because you sprinkle
Bootstrap on top of pfSense and even remove some functionality does not make
it better. My primary concern with OPNsense is however the community behind
it, and their tendency to engage in deceptive behavior.

Oh, and note the passive aggressiveness here:
[https://docs.opnsense.org/fork/thefork.html#so-why-did-we-fork](https://docs.opnsense.org/fork/thefork.html#so-why-did-we-fork)

~~~
auslander
It somehow reminds me of OpenBSD. People complained about their developers being
rude, but hey, they cleaned out a lot of junk and are more secure now than
FreeBSD.

~~~
blattimwind
OpenBSD is not a FreeBSD fork.

~~~
auslander
I _know_ that it is not. Their common ancestor was BSD 4.3 Reno.

And for pfSense and OPNsense the common ancestor was m0n0wall.

~~~
gonzo
> And for pfSense and OPNsense common ancestor was m0n0wall.

pfSense forked m0n0wall

Opnsense forked pfSense.

~~~
sjwright
At some point, everyone forked everyone, but all the code was written by
communities under open licenses, so the distinction is entirely political.

------
tptacek
I have been doing security work for a very long time, since before the
projects underpinning pfSense were a thing (I don't mean Snort, which I
predate, but pf itself; I was working in network security when we were all
being thrilled by Darren Reed's work on ipfilter).

I say this not to brag (it would be a terrible brag, like playing up my Turbo
C++ bona fides) but as context for a question:

What are people doing with these things?

When is it making sense for people to be deploying what appears for all the
world to be the Kali Linux of Defensive Network Security? I'd be confused to
hear about a client deploying Suricata at all --- but Suricata on a dedicated
firewall box with a PHP interface? What problem is this solving?

Among the top 10 questions startups ask us when we talk to them about what we
do is, "we got this self-assessment questionnaire from a big client and it
asks what our IPS is, what IPS should we use?" And we laugh and say "these
SAQs were written in the 1990s and lovingly handed down from generation to
generation of network security engineers and nobody actually expects you to
install an IPS because doing that in a 2018 production environment would be
silly, just tell them you only expose ports 80 and 443". And that answer
_always works_. How are people finding a different answer? I'm genuinely
asking.

~~~
auslander
> What are people doing with these things?

home routers?

~~~
blattimwind
If you need a GUI, just use something like Halon's SecurityRouter.

~~~
auslander
Is it free to use? Is it open source?

~~~
blattimwind
Depends / it's source available AFAIK.

Some time ago I looked at this sort of thing (simple management + status GUI
for a router), and pfSense & friends are just huge, bloated pieces of mess
that I _really_ don't want on critical infra. SecurityRouter OTOH came across
as one of the very few frontends actually designed for security (see their
docs). (Also it doesn't include the full B/S suite.)

In the end I didn't choose any GUI and just put a Debian on a box. I don't
really know any of the BSDs and it certainly wasn't worth more of my time to
fool around with a small piece of infra that's going to be ignored >99.99 % of
the time.

~~~
auslander
> it's source available AFAIK

AFAIK it is not.

------
apple4ever
My biggest issue with pfSense is the company that runs it: Netgate. It's
putting it mildly to say they are jerks.

I was banned from their forum for saying I wouldn't pay for Gold if they were
going to sunset a range of CPUs when their explanation of why was less than
clear. I then apologized for offending them, and they said it's a life ban so
too bad.

Just read their forum or the reddit. Look for Ivor's comments specifically.

------
Corrado
I'm running OPNSense for a small private school and it seems to be working
fine. I looked at pfSense but between the licensing changes, petty infighting,
and "not so pretty" GUI I chose not to use it.

One of the things that OPNSense has over pfSense is the ease-of-use factor.
This firewall/router will be used in a school, by non-technical people, it
needs to be pretty and easy to make simple changes to. Things like
blacklisting/whitelisting a site, and adding a static IP for a printer, are
activities that are commonly done by a teacher or administrator. If it's hard
to do then I get a call and that's no good for me. :)

------
robbyt
I did some performance testing comparing pfSense and OPNsense on identical
hardware and out-of-the-box configuration. On my Atom 1.6 GHz dual Intel NIC
router I was able to get near line-speed gigabit NAT from pfSense, while
OPNsense maxed out around 825 Mbps. I spent only a couple of hours with the
test, and quickly decided switching off pfSense wasn't worth it for me.

------
madjam002
I am currently running pfSense, but am handrolling a firewall with
Ansible and nftables. I highly recommend it over something like pfSense or
OPNsense; I found the GUI in pfSense wasn't flexible enough.

------
asn1parse
I replaced all my bad phrasing with a pointer back to the commenter who
referenced pfSense and others as clown projects. So true. Bye.

------
solotronics
Reading about the recent developments putting an FPGA in front of a NIC, it seems
to me that would be a really neat way to build a firewall.

~~~
user5994461
Firewalling and routing have been done with FPGAs for many, many years. Have a look
at enterprise and carrier-grade hardware.

------
myrandomcomment
I had a hard time reading this. The flow and phrasing are quite bad. Read 1/2
way and quit.

~~~
auslander
Yeah, my bad. Try this: [https://opnsense.org/about/about-opnsense/](https://opnsense.org/about/about-opnsense/)

------
auslander
Summary, kind of. I replaced my Sophos UTM with OPNsense. So far so good.

- Sophos phones home too much, is not open source.

OPNsense in comparison to pfSense:

- using a better BSD, with ASLR (the only check I did so far)

- licensed under BSD 2-Clause, vs Apache 2.0

- nicer GUI :)

- not running PHP as a root user

Looks like OPNsense is true hacker's stuff; check this out for DNS over TLS:
[https://forum.opnsense.org/index.php?topic=8748.msg38928#msg38928](https://forum.opnsense.org/index.php?topic=8748.msg38928#msg38928)

------
auslander
What I learned from this submission:

- people who start with their credentials, 'I'm experienced ...', make the
least sense.

- people who use the word 'FUD' are actually trying to shut down a topic that
is sensitive for them.

