Addressing Changes to PfSense Plus Home+Lab (netgate.com)
48 points by aleph1 on Oct 26, 2023 | 60 comments


I migrated to OPNsense during the wireguard fiasco. It was an extremely boring migration, and I mean that as a compliment.

It's been quietly doing its job ever since, with a minimum of fuss.


I have thought about moving from pfSense to OPNsense, but in my test install I had a feeling it has fewer features (and a messy UI).

For example, something I use pretty heavily is pfBlocker, which automatically geo-blocks IPs from the countries that most attack my homelab (Russia, USA, China, etc.) from accessing my homelab.

Is there something like this on opnsense?


OPNsense supports blocklists in Unbound: https://docs.opnsense.org/manual/unbound.html#blocklists

However what you're saying doesn't make any sense. All incoming connections, from anywhere, are blocked by default. That's true in both pfSense and OPNsense.

Are you saying that you allow all incoming connections, but then block specific countries? Because that's mad, and given the existence of VPNs, pointless.


No, there is a feature in pfSense with pfBlockerNG where you can open a port to a service as usual, say a web server, then use an alias for the source address to only allow incoming connections from, say, your own country.

Useful for if you're roaming around and need access to that service from your laptop/mobile without a VPN, but also prevents attacks from countries you're unlikely to access it from.


I use it on OPNsense and it seems to work fine. There may be a Megamind (edit: MaxMind, not Megamind) account/plugin setup or something to get it going, but if I worked it out, then you should be right.

I use it to flat out block all incoming and outgoing connections to a certain small group of countries. More out of curiosity than necessity.

It's also got a Crowdstrike interface for more dynamic blocking.


This is important for me too. From my searching, they have "GeoIP aliases", which is supposed to be their alternative to pfBlockerNG; I have no idea if/how it functions as I haven't made the move yet, but this is a deal breaker if it doesn't work the way I need.


It works as far as I can tell. I use it, and the logs show that it blocks connections to and from IP addresses associated with the selected countries.


Excellent, thanks for the confirmation.


Aliases can consist of one or more countries (tick boxes) pulled from MaxMind's GeoIP DB. Doesn't use ASN-based sources, unfortunately. Can be used in source and destination networks, IPv4 and/or IPv6, just like pfSense.


Got any tips for the migration? I've been meaning to do it for a while, but I really need to limit downtime or my wife and kids will bury me; preferably I need to do it over an evening while they're all asleep.

I only have the one piece of hardware so I need a record of the configs somehow to refer to as I do the migration. Perhaps also some sort of backup so I can restore it in a pinch if I can't get OPNSense set up quick enough.


When switching from pfsense to opnsense, I had to move everything to opnsense manually (and I do mean manually, not just updating terraform). It only took about 20 minutes to put things back on both members and have my tunnels up and going again, even counting my very specific customizations.

It was anti-climactic and worked so well as to be boring, which is the absolute highest compliment that a replacement and cutover can have.


Thanks for the info; I tried OPNsense originally, but I had an issue with PPP on my old internet provider that I never could get working, so I switched to pfSense reluctantly and it just worked.

I doubt I have anywhere near the networking knowledge you have, so some of the more complex things I have set up, like my BGP routes for my Kubernetes clusters and my VLANs/trunks etc., that have taken a lot of tinkering might take me quite some time. I expect the way they're configured will be different, terminology might be different, and of course the UI will be different, so I can't just do it by reference.

I have no problem taking my time, so long as we have the basic networking we need for family and working from home.


With regard to BGP, VLANs, subinterfaces, etc.:

Those things work the same way in opnsense. Most of my conversion was just data entry of the particulars.

I try to keep my main fws as simple as I can, for the benefit of the household, but I do get carried away with home automation and IaC/CM to my firewalls.


I'm afraid I did it the slow way, and just nuked the router and set up OPNsense from scratch.

In older versions it was possible to import a pfSense backup - with a few glitches, but they're too different now. I think the slow way is the only way.


That's kind of what I was expecting; but do you have any tips? Did you just do it from memory? I was thinking I'll screenshot the major config screens and interface layouts, my BGP configs etc, then work from them.


Yes, screenshot things.

But also export your config because you will inevitably forget to screenshot a thing or seven and you can poke around the config export for that port number or IP address.

Worst case scenario, you can spin up a VM of pfsense quickly and reimport the config if you have to.
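An added example of the "poke around the config export" step above (not code from the thread, from Netgate or from OPNsense): a POSIX sh/awk script that pulls aliases, static DHCP mappings and firewall rules out of a pfSense config.xml export so they can be re-entered on the new firewall from a list instead of from memory or screenshots. It assumes the element names and the one-element-per-line layout of pfSense exports (aliases/alias/name/type/address, dhcpd/<if>/staticmap/mac/ipaddr/hostname, filter/rule/type/interface/protocol/descr); check them against your own file. The embedded sample config is constructed, not a real export.

```shell
#!/bin/sh
# Added example, not pfSense/OPNsense code. Lists the things you will re-enter
# by hand from a pfSense config.xml export (Diagnostics > Backup & Restore).
# Assumption: element names and one-element-per-line layout as in pfSense
# exports; verify against your own file. Needs only POSIX sh and awk.

# extract_blocks FILE BLOCK FIELD...
# For every <BLOCK>...</BLOCK>, print the text of the listed child elements,
# tab separated, in the order given. CDATA wrappers are stripped; a field that
# does not occur in a block prints as an empty column.
extract_blocks() {
  file=$1; blk=$2; shift 2
  awk -v blk="$blk" -v fields="$*" '
    BEGIN { n = split(fields, f, " ") }
    $0 ~ ("<" blk ">")  { inblk = 1; for (i = 1; i <= n; i++) v[i] = ""; next }
    $0 ~ ("</" blk ">") {
      if (inblk) { out = v[1]; for (i = 2; i <= n; i++) out = out "\t" v[i]; print out }
      inblk = 0; next
    }
    inblk { for (i = 1; i <= n; i++) if ($0 ~ ("<" f[i] ">")) v[i] = text(f[i]) }
    function text(t,   s) {
      s = $0
      sub("^.*<" t ">", "", s); sub("</" t ">.*$", "", s)
      sub(/^<!\[CDATA\[/, "", s); sub(/\]\]>$/, "", s)
      return s
    }
  ' "$file"
}

# Constructed sample in the shape of a pfSense export (not a real config).
write_sample_config() {
  cat > "$1" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias>
      <name>web_servers</name>
      <type>host</type>
      <address>10.0.10.5 10.0.10.6</address>
      <descr><![CDATA[Internal web hosts]]></descr>
    </alias>
    <alias>
      <name>mgmt_ports</name>
      <type>port</type>
      <address>22 443</address>
      <descr><![CDATA[Admin ports]]></descr>
    </alias>
  </aliases>
  <dhcpd>
    <lan>
      <staticmap>
        <mac>00:11:22:33:44:55</mac>
        <ipaddr>10.0.10.20</ipaddr>
        <hostname>printer</hostname>
      </staticmap>
    </lan>
  </dhcpd>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>10.0.10.5</address>
        <port>443</port>
      </destination>
      <descr><![CDATA[HTTPS to web server]]></descr>
    </rule>
  </filter>
</pfsense>
EOF
}

# main CONFIG: print the migration checklist for one export.
main() {
  cfg=$1
  if [ "$cfg" = "--sample" ]; then cfg=$(mktemp); write_sample_config "$cfg"; fi
  echo "== aliases (name, type, members, descr)"
  extract_blocks "$cfg" alias name type address descr
  echo "== static DHCP (mac, ip, hostname)"
  extract_blocks "$cfg" staticmap mac ipaddr hostname
  echo "== firewall rules (type, iface, proto, descr)"
  extract_blocks "$cfg" rule type interface protocol descr
}

if [ "$#" -eq 0 ]; then
  echo "usage: $0 config.xml   (or: $0 --sample to run on the built-in sample)"
else
  main "$1"
fi
```

The output is deliberately flat (one line per object, tab separated) so it can be sorted, diffed against the OPNsense side after the cutover, or kept off-box next to the backup. The rule listing only shows the top-level fields; nested source/destination addresses and ports are left in the XML, where the same script can be pointed at them by passing `destination` as the block name.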


I have off-box backups of my configs. Thanks for the VM idea; sometimes I forget to use VMs to do things "embedded" devices usually do for me; switches, routers, etc!

There's going to be a point soon where I have two fiber providers (and thus two WAN links) for a little while. I'll try to move the existing pfSense off of my Protectli box to a VM, keep everything up for the family while I configure OPNsense on the Protectli, then, if I do it right, I can move everything over with minimal reconfiguration.


I did as well and started running it in a VM. It is so nice to just make a snapshot, update and revert if it breaks.


Here we go again.... I've been resisting the change from pfSense to OPNsense for a while now but I start to really think I should just move on and get it done. All these f*ups with licensing and bs* from Netgate starts to be annoying. Just make a 50 or 100 license for home users who need / want to deploy a better router / firewall and get done with it! I moved from CE to this PeshPlus thing because supposedly CE was going to cease to exist... Now the PeshPlus is actually the one being discontinued! Wtf Negate!!! Get a grip.


I briefly used pfSense before replacing it with a plain Arch installation (any distro would do just as well - I just use Arch for everything else so it's an easy choice).

In a moderately complex home setup with wireguard to access my home network remotely, multiple VLANs/SSIDs (including one to firewall off IoT things and one that routes wan traffic to a vpn, again via wireguard), my own DNS server, a filtering web proxy for the kids, etc., I haven't encountered anything pfSense or similar would have made any easier for me. It's all achievable by editing relatively straightforward config files. The most complex bit is the firewall, but I have a terse, straightforward nftables config that does what I need and that I understand fully. I didn't really see the value in putting a layer of GUI stuff on top of it and then having to keep up with changes to that layer, and in the process obscuring what's actually going on.


Home+Lab was always there to placate those users bent out of shape when Plus started diverging from CE, apart from just support. Now they're just applying the next step to limit those pesky freeloaders.


Has Netgate provided any meaningful new features to pfsense over the last 5-10 years? Or is it just “support” for essentially what pfsense was a decade ago?


They added boot environments to pfSense+. I think they use ZFS snapshots. You can take a snapshot, set it as the default boot environment, do some updates, and if things go bad you can reboot to get back to the snapshot you set as the default.

I’d like to see some kind of more resilient upgrade process where a pre-upgrade snapshot is taken, the firewall updates and reboots, some kind of watchdog tries to hit a well known endpoint, and the whole thing automatically rolls back to the known good config if it goes X minutes without being able to connect after the update. That would mitigate the riskiest part of updating remotely.

As for new features, once you have a reliable firewall, what more do you want? I wouldn’t complain about a better traffic shaper experience, but OPNsense did that and the “easier” traffic shaper in OPNsense isn’t as flexible IIRC.

For licensing, I don’t hate the TAC-Lite approach. They could make it more clear it’s a lifetime thing (I hope I’m right about that) and I hate begging for installers, but at least they aren’t forcing subscriptions yet. I fear that’s coming one day since it would force us to switch to something else and pfSense is working ok for us ATM.
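The snapshot-then-watchdog upgrade described above, as an added example (not pfSense Plus's boot-environment feature, not OPNsense code): a FreeBSD sh script built on bectl(8). It assumes a FreeBSD-based firewall with a ZFS root, that `fetch`, `logger` and `reboot` are available, that PROBE_URL is something the box can only reach when routing and VPN are working again, and that the configuration you care about lives inside the boot environment's datasets (check with `zfs list` first; anything on a separate dataset is not rolled back).

```shell
#!/bin/sh
# Added example, not pfSense/OPNsense code. Commit-or-rollback upgrade for a
# FreeBSD-based firewall with a ZFS root, built on boot environments (bectl(8)).
# Assumptions: bectl, fetch(1), logger and reboot are present; PROBE_URL is a
# host the box can only reach when routing/VPN work (a LAN service over the
# tunnel, or a public URL); the firewall config lives inside the boot
# environment's datasets (check with `zfs list` before relying on this).

PROBE_URL="${PROBE_URL:-https://www.example.com/}"            # assumed endpoint
PROBE_CMD="${PROBE_CMD:-fetch -q -o /dev/null -T 5 $PROBE_URL}"
TIMEOUT_SEC="${TIMEOUT_SEC:-600}"     # the "X minutes" grace period: 10 min
INTERVAL_SEC="${INTERVAL_SEC:-15}"
STATE="${STATE:-/var/db/upgrade-watchdog}"   # holds the pre-upgrade BE name

log() { logger -t upgrade-watchdog "$*" 2>/dev/null || true; echo "$*"; }

# Probe until success or deadline: returns 0 = reachable, 1 = gave up.
probe_loop() {
  deadline=$(( $(date +%s) + TIMEOUT_SEC ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if eval "$PROBE_CMD" >/dev/null 2>&1; then
      return 0
    fi
    sleep "$INTERVAL_SEC"
  done
  return 1
}

# Phase 1, by hand, right before the upgrade: snapshot the live boot
# environment so there is a known-good target, then run the upgrade and reboot.
stage() {
  be="pre-upgrade-$(date +%Y%m%d-%H%M)"
  bectl create "$be"
  printf '%s\n' "$be" > "$STATE"
  log "created boot environment $be; run the upgrade and reboot now"
}

# Phase 2, at boot (e.g. from /etc/rc.local): keep the new system if the
# endpoint answers within TIMEOUT_SEC, otherwise activate the snapshot and reboot.
watch() {
  [ -f "$STATE" ] || return 0          # nothing staged: ordinary boot
  be=$(cat "$STATE")
  rm -f "$STATE"                       # one decision per upgrade, never loop
  if probe_loop; then
    log "reached $PROBE_URL after upgrade; keeping new system ($be left for manual rollback)"
  else
    log "no connectivity after ${TIMEOUT_SEC}s; rolling back to $be"
    bectl activate "$be" && reboot
  fi
}

case "${1:-}" in
  stage) stage ;;
  watch) watch ;;
  *) echo "usage: $0 stage|watch" ;;
esac
```

Two caveats a practitioner would want. First, a userland watchdog cannot help if the upgraded system never reaches multi-user; for that case the safer shape is the reverse flow, upgrading into a new boot environment and activating it with `bectl activate -t` (one boot only), so an unbootable or unreachable box falls back to the old environment on the next reset without any script running. Second, the probe target should be chosen so that "reachable" actually means "the firewall is doing its job": a URL on the WAN side proves little if the failure is in the LAN VLANs or the VPN.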


> Or is it just “support” for essentially what pfsense was a decade ago?

"Just"?

I'm sure all of us nerds and geeks on HN think commercial support is often not important, but there are plenty of SMEs that need to de-risk some things when running their infrastructure.


Yes, I didn’t say there wasn’t value in support.

“Is this contractor responsible for the whole house or just the garage?” does not imply the garage isn’t important or that it’s trivial.


Every large org I've been at pretty much requires escalation contacts and vendor support. It's one of the reasons we pay for RHEL and Docker licenses, etc.


I'm glad that my simple plastic OpenWrt router is sufficient right now, and I don't have to deal with changes/problems from Netgate, Ubiquiti, and other brands of fancier gear that once seemed appealing.


This seems like Netgate management is using Home+Lab as a scapegoat rather than acknowledging their own shortcomings.

I'd like to see Netgate and OPNsense both thrive. The competition is good for the product and users.


Massive influx of users to OPNsense


Sadly, pfSense lost me a long time ago.

I'm happily on my 2nd OPNsense business license on Deciso embedded Ryzen-based hardware with 10 GigE optical links. Even takes care of PKI and has 2FA. I'm happy and I don't have to worry about massive, arbitrary license changes or big corporate enshittification.


Just couldn't get IPv6 working with pfSense, as they had really limited support.

Moved to OpenWrt a few years ago and have been quite happy since.


The Deciso hardware is really nice! I also have a couple. Expensive but worth it.


"Home+Lab has been installed thousands of times in 2023 alone."

This seems to indicate that nearly nobody was using it, even counting the illicit activities of the multiple appliance vendors.

If I have a modest lab automation with solid bracketing of fw release versions on some network scenarios, I could easily account for thousands of on-install telemetry entries per week.

I can imagine Hetzner alone would account for thousands upon thousands of installs.

Just based on their phrasing, I doubt there will be a massive influx to OPNsense.


I just installed my first last weekend.

I'm pretty happy with the experience and the end result.


Happy user of opnsense for two years. Using a box from Protectli, no issues.


Well, I was still using pfSense over OPNsense due to a bit more polish and having proper Tailscale integration.

As soon as Tailscale has proper integration on OPNsense, I'm definitively moving on. The CE version of pfSense has very outdated packages and that probably has an impact on security, which, for a firewall, is a big no.

BTW: Does anyone know why Tailscale doesn't provide a proper package (with graphical interface) for OPNsense, like it does for pfSense? I was under the impression that it would need very few changes for it to work.


It's just 6 lines in the shell; I set it up yesterday:

  # fetch the FreeBSD ports tree matching this OPNsense release
  opnsense-code ports
  cd /usr/ports/security/tailscale
  # build and install tailscale/tailscaled from ports
  make install
  # enable the daemon at boot, start it, then authenticate this node
  # (tailscale up prints a login URL to authorize the machine)
  service tailscaled enable
  service tailscaled start
  tailscale up
source: https://www.wundertech.net/how-to-set-up-tailscale-on-opnsen...


Thank you for the told you so, Netgate. And they knew they were going to do this the very moment they conceived of the idea of Plus but sure, if you must accompany this with a multiparagraph BS ridden sob story, go ahead. Expect nothing less from you lot.


I've been using pfSense on 4 private sites for years by now. Luckily I've not upgraded from CE. I think what pisses people off is the rugpull of them pushing people to get a free upgraded license and then removing it soon after.

As for "but it's free": I think it's reasonable to expect the free offering to be promotional. I know I have bought Netgate HW and licenses for work because I was familiar with their free offering at home. But stuff like the recent move might make me reconsider.


I mean, after what they did to OPNsense with the domain plus defamation, I don't know why you would trust a company with such behavior.


Lots of comments about moving to OPNsense -- anyone using something Linux-based that they would recommend as a comparable alternative?

My impression is that this might not exist yet (the currently available projects are significantly lacking in either features or reliability), and that my odds of getting something user-friendly with tools like pfBlockerNG are even slimmer.

I always feel so handicapped when something breaks on my router, due to being so much less familiar with BSD, and due to it being an older / limited FreeBSD release (many things missing from the pf repos).

Just last week my pfsense upgrade resulted in a non-booting system, and I felt helpless (user error -- zpool upgrade but didn't upgrade something about the boot directory). I didn't have my usual tools, so I ended up having to install ZFS support to an old RPi3 running NixOS just so I could look around and get the ZFS parts sorted and figure out what happened. (Thankfully I eventually found an old mailing list thread with some obscure incantation that I ran from a pfsense installer usb and resurrected things.)

The whole time I just really wished that I could have been on a Linux machine with my familiar GNU tools!


I am really happy with IPFire on my home network. It doesn't have all the advanced features that pfSense/OPNsense have, but it's suitable for my needs.


I use a Linux box with at least two fast NICs - why not try it out?

The setup can be rough if one isn't that familiar/has high requirements... but making a router and so on is pretty basic stuff.

Basic in the sense that it's easy to do both well and terrifyingly incorrectly.

I'm curious about home users who truly need an interface because they're in there fiddling so much.

I use Ansible to manage the config of mine, but that's more for rebuilding. I look at the thing maybe twice a year.


I tried pfSense recently but I didn't love configuring my network through the UI. An API or something would make it amazing. But maybe that's the DevOps in me talking. I've been mostly happy with VyOS since then.


OPNsense is working towards that vision. They're rebuilding the car while it's driving down the road, so while some things aren't supported, many things can be done through the REST API. See https://docs.opnsense.org/development/architecture.html and https://docs.opnsense.org/development/api.html


What did Home+Lab have that CE didn't? I've been using CE for years now and it seems like it's got all the enterprise bells and whistles except support...


I believe the only feature is “boot environments” at the moment. In fact they've diverged so little that, according to various sources online, one should be able to take a working 23.05.1 config (read: pfSense Plus) and install it on 2.7 CE without issue.

In the Netgate world, it now seems that the CE edition is the most stable, inheriting changes/fixes after they've settled into the plus channel.


My pf.conf files tend to be like 30-50 lines and easy to change so I never understood the allure of having a front end for it.


Informative and unfortunate. The only reason I upgraded from CE to plus home was because of boot envs.


What kind of hardware do you run it on?


> Hey, listen, the company is putting a lot of effort into pfSense for which they are not paid.

And? pfSense uses thousands of packages that they don't pay for either; that's the spirit of open source. I can't understand who posts this on HN without understanding it.

@dang: Can we ban these comments? Lately they arrive like clockwork and bring very little to the comments, especially since it doesn't seem to be talking about anyone here.

edit: at the time of this comment I can't find any top post complaining like the OP is describing.


> pfsense uses thousands of packages that they don't pay for either, that's the spirit of open source

You are misunderstanding what open source means. It doesn't mean everything has to be free. Many companies are built on top of open source software which allows them to do exactly that in their license. You also don't know if pfSense sponsors packages or contributes code to the packages they are using.

It's the right of every open source software author to continue working on their software privately under a different license, and that's exactly what happened here.

Just because you are not happy that you don't have access to their software for free any more doesn't mean it's against the open source spirit.


> It's the right of every open source software author to continue working on their software privately under a different license, and that's exactly what happened here.

Yep, and nobody had any qualms about it in this thread, which is why I find such posts to be tiresome to read.

> Just because you are not happy that you don't have access to their software for free any more doesn't mean it's against the open source spirit.

This is exactly what I'm complaining about, I never said I wasn't happy.


Whole lotta people making a ton of money from FOSS, selling packages on hardware. Everything Android or macOS comes to mind.


We often confuse Free and Open Source with "free beer". We have been using pfsense for years without paying a dime; if we could we would gladly have done it. It's simple fairness.


Also, what we forget is that if we are not paying, somebody else is paying. And somebody else is very likely not aligned with our interests.

There is this conventional wisdom that a lawyer is not really your lawyer until it is you who is paying them. I think it has much broader application and you want to be paying for technology. It is naive to think you can accept services of say Facebook, not pay a dime for it and assume it is all done in your best interests.


This is not the right mental model because:

- software is copyable for free

- contributing to open source doesn’t make the developers your agents like paying a lawyer does


It is a good mental model because whoever is producing the software is human.

It does not matter if there is zero cost to copying the software.

What matters is that somebody put an effort into doing something and now they are seeing lots of people using it for free. It is in human nature to try to benefit from it and most people have a mental model that they deserve to be compensated for doing something beneficial to another.

Most people are not seeing the incremental cost of adding another user (effectively zero or non-zero); what they are seeing is the total cost of producing the software divided by the number of users. Then they see that some users are paying and some users are not.


Being copyable for free is one thing but there is a cost to create ... Developer brain power is needed for that ...


I'm still using CE. What features are in Plus that are useful for a homelab?

