There's not a lot to say beyond the title, just that in the long term I plan on building a 10G capable pfSense box, but when opnsense was mentioned I got interested, but I can't find any good up to date comparisons of any kind.
Input on this would be great. :)
OPNSense is a fork of pfSense. There is a lot of drama out there about the relationship between the two.
pfSense is a rock solid platform. Netgate offers several boxes with 10gig NICs and pfSense pre-installed.
I feel pfSense is ahead of the curve and OPNSense drags behind, pushing hacks into the mix to keep up. ARM is a good example of this.
pfSense also contributes a great deal back to FreeBSD - IE: ARMv6.
I've spoken to many businesses running pfSense, ranging from data-centers, enterprise businesses, small offices, personal use. Most of the feedback I've heard has been extremely positive.
TL;DR, pfSense is a rock-solid mature platform. Simple as that.
Well, in a way this is good that it doesn't change any of my plans.
Also, welcome to the forums!
Thanks. I just happened to do my monthly google search of "pfSense vs OPNsense" and came across this freshly posted thread. I couldn't help it :)
I found a nice big thread on Reddit about this very thing, hard to filter through it and find the truth. Opnsense doesn't seem to be a fork for the better, say when the original project stagnates. It seems to be a fork so it can be re-branded and bundled with hardware. At least that's what I gleaned from reddit.,
Suffice to say, I will stick with pfsense. I have been using it for years and it has been fine. Well, good enough, all failings are usually my own.
The reason for the fork is a very good one. The goal of PF sense is to commercialize the product and make it a pay product So that anyone who wants to use it in a business must pay for it. OpnSense actually has some very interesting features that pfSense does not have. So it is a very good thing that they have forked as it will keep pfSense in check as if you are paying attention you will see all the changes are leading two words a product that is no longer free to use . I have no issue with this I have no issue with this and completely understand why but saying opnsense is a bad thing is a complete lie and is propoganda to scare people away from using it. I use both! They both have there purpose but if pfsense stops allowing me to use the now community edition I will switch and not look back.
pfSense is locking their software down to hardware. Not OpnSense. OpnSense is following the path of the original m0n0wall project which is to keep the software completely open and royalty/restriction free.
Agreed, but when last I looked, I didn't notice where OpenSense had yet distinguished itself, apart from their commitment to the open philosophy. Although pfSense has been serving me well for nearly a decade, their trajectory definitely gives me pause for concern.
I'm glad to hear that OpenSense has been undergoing active development and that they now have some new and interesting features. It sounds like I need to check in with them a little more frequently.
Not sure I understand what you mean by distinguish themselves.
Simply, that when last I looked, I saw no new, different, compelling features that would confer an edge, or advantage by switching to OpenSense. Therefore I have stayed with pfSense, because they have a long established track record for performance, stability and bug management.
I don't understand why they would need to. It's open-source software, so if Netgate decided they want to lock it down to paying customers at one point in the future, people could just fork it then.
What do you mean locking it down to hardware?
To hardware specifically made by them or netgate? This would be bad and might cause me to jump ship.
Or are you referring to the requirement for crypto instruction sets? This is annoying, but modern CPUs have this instruction set anyway. And the sort of packet inspection stuff you can do requires a beefy CPUs, so I am not worried about that.
I don't think it is a clandestine move of some sort, like whats happening with HEVC hardware decoding etc.
That said, there are legit reasons to put in a requirement for newer hardware, especially if established vulnerabilities exist in current architectures. Row hammering, defeating address space layout randomisation, stuff like that.
haha a lie AND propoganda? How dare I. Thats what I read on the internets. It seems there is a team opensense/monowall/pfsense war going on, and I don't really have any interest in taking sides. I just want one that I can use without any strings attachted. Pfsense just happens to have my trust as I have used it for a while.
I think so. But I have to agree with you. Modern CPUs have this anyways and low-end CPUs that don't are probably not powerful enough for VPN, etc. anyways (especially in the near future when you need stronger encryption). Maybe you can live with a slow performance if you have slow internet, but upgrading the hardware to get AES-NI really isn't a big deal anymore, in my opinion.
That's the thing with open-source software. The more people use it, the higher the chances are, that someone took a look at the source-code and therefore the higher the chances that the code is trustworthy. Being around for a long time gives pfSense an edge too, in my opinion.
it’s mostly open source. it uses or used some libraries that weren’t open or fully open source. I think Emby has the same issue. Emby also gets flack for it too.
OPNsnese claims some kernel tweaks?
Saw Reddit post that said OPN sense has a search function in GUI to find stuff as it’s laid out differently than PFsense and it comes with some different packages by default but, that’s probably not really notable
EDIT: bonus reading? https://news.ycombinator.com/item?id=17431053
Care to elaborate on said features? I think what BarkingMad meant by the line “I didn’t notice where OpenSense had yet distinguished itself” is that he didn’t see what features OpnSense provides compared to Pfsense.
you are correct! i’ve been reading up and they are pretty similar. now if OPN has a proper implementation of SQM or something that would be big but, even PFsense doesn’t have that until NAT for SQM is fixed.
I’ve run numerous pfSense boxes, both physical and virtual. It’s huge in the work place these days. If you are trying to parlay your homelab into potential future work, I’d stick with the tried and true.
However, in my own limited experience, I’ve found OPNsense to be capable and vastly superior to administer. At a certain point it becomes purely personal preference and no one can really help YOU decide what is best for your use case(s).
I absolutely loved my little OPNsense edge device cobbled together on an ancient eMachine with an AMD Sempron and 2GB of RAM, which sat between my optical network terminal and my Edgerouter, working silently in bridge mode as a transparent firewall. I’d still be running it, but I needed the quad-port Gbps Intel NIC for my second ESXi host and never ordered a replacement. Good luck with your project, I adore seeing OPNsense considered seriously, it deserves to be in the conversation.
Some folks aren’t thrilled with pfSense essentially “selling out” but I try not to allow politics to interfere with homelabbing. You need the right tool for the job, in this case you have many great options.
Of course, YMMV.
This is an old thread but not mentioned so far:
ZeroTier is a smart Ethernet switch for planet Earth.
It’s a distributed network hypervisor built atop a cryptographically secure global peer to peer network. It provides advanced network virtualization and management capabilities on par with an enterprise SDN switch, but across both local and wide area networks and connecting almost any kind of app or device.
I manage pfSense boxes at work but at home I run OPNsense because it is much more secure.
Before this gets locked via necro rules, I’ll throw my vote in for OPNsense:
Aesthetically pleasing, imo.