Would Level 1 still recommend using PfSense today if building a router?

Basically, the title. Is PfSense still the recommended software to run if I wanted to build and run my own router?

@LinuxNoob1 Pfsense, OPNsense, or Openwrt are the leading open-source routing software used by most Level1 members. All of the above-mentioned routing software will route network traffic. Which one best fits your needs depends on what features you need. There are some features Pfsense has that OPNsense doesn’t have. OpenWrt is an open-source, full-featured router software, and Pfsense and OPNsense are firewalls that can route traffic. If you already have a router compatible with Openwrt, I suggest replacing its firmware with Openwrt.

Yes, pfSense and OPNsense are both still the de facto default OS for a router/firewall.

3 Likes

I echo the prior responses on pfSense being one of the top 3 leading open source firewalls. I have been using pfSense for several years and have appreciated its stability and flexibility.

That said… if I were looking to be highly cost efficient, I would consider offerings that include router, firewall, managed switch, AP in a singular box for ~$200 or less. I mention this because it can offer considerable cost savings. As mesh VPNs such as Tailscale (or Headscale), Nebula, NetBird, etc. become much more popular, it reduces our need for a high performance firewall with built in VPN server. One example is the Unifi Dream Router priced at $200. $200 is a very competitive price for a firewall/router, managed switch, and an AP all for $200.

On the other hand options like pfSense are much more flexible. Certainly the way to go if you have any interest in learning more about networking. I appreciate being able to run pfBlocker, OpenVPN, Tailscale, and HAProxy all on my firewall.

I installed Opnsense and I’ll be honest - it feels like a thermonuclear solution for a basic home office network. It’s awesome seeing what all it can do, but terrifying to tinker with because if I break my wife’s internet there will be blood.

11 Likes

Unless the situation has changed in the last two years, Linux has better QoS, with CAKE.

I opted for OPNsense because Netgate changed the licensing.

4 Likes

I would recommend Opnsense above pfSense because of the whole WireGuard fiasco. That was pretty poor management from Netgate in my opinion.

5 Likes

OPNsense gets much more frequent updates.

pfSense CE hasn’t been updated since last year (2023)! (There are patches, but they deliver them very awkwardly as add-ons.)
No ETA whatsoever for the 2.8 version release as well.

1 Like

I recommend Opnsense. I just tried to install the latest version of PFSense on a virtual machine, but the installation failed.

I love the idea of opnsense over pfsense. However, n of 1, but every time I attempt to switch there’s some little thing that doesn’t work quite right on opnsense. This last time it just refused to work with the configuration settings given to me by my ISP Metronet. Switching back to pfsense it worked perfectly. Until opnsense works as intended, I’m going to have to recommend pfsense over opnsense.

1 Like

This is also my issue. pfSense just works every time. OPNsense always seems to have some gotcha that causes me to pull my hair out and I end up switching back.

1 Like

Thanks for the link. That’s definitely something to think about.

1 Like

It’s interesting that the recommendation is for today. There is certainly a sort of ephemerality in the pfSense recommendations. I notice OPNsense being a 2015 fork of pfSense being a 2004 fork of (the now defunct) m0n0wall which was built on FreeBSD.

These projects that are tied to a company do seem a bit more fickle compared to, say, the originating FreeBSD project.

Maybe I’m getting old, but that’s a lot of churn in a domain where I just need to filter and direct IP packets!

OpenBSD gets my conditional recommendation. OpenBSD PF: Building a Router is a good starting point. It was a great choice a decade ago, and I expect will remain so a decade from now.

Vanilla FreeBSD is obviously viable too, though I have little experience there - Chapter 34. Advanced Networking | FreeBSD Documentation Portal looks straightforward enough.

I say conditional above because different personalities gravitate towards different things. If reading the docs above does not spark joy for you, then it’s perhaps not the recommendation for you.

OpenWrt is neat too, though a different sort of thing.

4 Likes

I have re-discovered Vyatta in the form of VyOS recently. Before I used pfSense and then OPNsense I was on Vyatta because of Ubiquiti. Ubiquiti lost my vote long ago, and I ended up on (now) OPNsense. Ran into VyOS recently and although they are kind of doing a weird "won’t provide you with a stable build unless you subscribe" thing, they have nightlies that are entirely stable. And I’m kind of liking it, not having a mess of a GUI and 1000 odd options and features I don’t care about, and a very very performant and slim routing (and it’ll firewall of course) platform again.

I’ve tried pfSense, OPNsense, and Linux for my routing needs, but OpenBSD came out on top. It’s very easy to configure, efficient, up-to-date, secure, and a breeze to maintain. I highly recommend giving it a try.

If you’re interested, here’s a helpful guide to get you started:
https://openbsdrouterguide.net/

For reference, I used a Pentium G645T with 4GB of RAM, an Intel 2-port NIC, and a 120GB SATA SSD—though, to be honest, that’s complete overkill for this setup (router + firewall + Unbound with ad/tracker blocking + WireGuard). My OpenBSD is a default installation, without any extra software.

2 Likes

I’m glad I am not the only one.

I’ve had issues with both. I recently switched to OPNSense because PFSense has some rough IPv6 bugs (most notably that in firewall rules if you use the interface’s networks it won’t give you the IPv6 network, which is a huge pain, and a security hole: “block access to IOT VLAN” becomes “block access to IOT VLAN on IPv4, but let it through on IPv6”).

OPNSense has fewer IPv6 issues, but also still has some, and frankly the interface is a mess, PFSense is a lot better laid out, and OPNSense is full of stuff that’s just easy to misunderstand (e.g., defaulting to showing 7 entries of a list with little indication there are more is really bad UI).

Both have some features I like, and some I dislike, but OPNSense gets much more regular updates, and doesn’t have the hostile company trying to monetise you more. Honestly, I don’t know what I’d install on a new device at this point.

I am changing my recommendation. If you have a consumer router that OpenWRT supports, I recommend using OpenWRT. If OpenWRT doesn’t support your ISP-provided equipment, I recommend Pfsense if the device you will install it on has UEFI BIOS. If the device has legacy BIOS, I recommend OPNsense. I figured out why I was having trouble configuring Pfsense 2.7.2: the hypervisor I am using to virtualize Pfsense only has legacy BIOS. The install ISO for Pfsense doesn’t have the option to install on legacy BIOS after 2.6; at least, I couldn’t find it.

2 Likes

If you want to build, I’d go with OPNsense. It’s deep and can take some time to get your head around it.

If you have a router from someone like ASUS you can use OpenWRT or FreshTomato. They’re super easy to work with.