OPNsense 24.1 - SSL3 now available

Not a real popular topic, but I just noticed that OPNsense 24.1 is available for download. Among the features listed is SSL3 which seemed to be a real sticking point for some people. The new version is not mentioned on their blog, not really mentioned on their home page, but if you wait through enough of the slides you will see the 24.1 slide. Downloading 24.1 right now as a confirmation. Probably going to take weeks to get through setting it up for testing though.

[edit] One issue that I just noticed from their forums… Suricata 7 has a problem and they rolled it back to version 6; they say it will be fixed in 24.1.2.

Also a mention that there is a need to run SSL3 in legacy mode for things like Google Drive backup to work, so Google must still be using an older version of SSL?

system: enable OpenSSL legacy provider by default to allow Google Drive backup to continue working with OpenSSL 3

Ok, the quote in the end cleared up (some of) my confusion with the title. This is about OpenSSL 3, as in the software library, not SSL 3, which is a protocol from 1996 which you absolutely 100% should not be using in production under any circumstances in 2024!

If I read this correctly, the term “legacy” refers to algorithms for encoding/decoding certificate or key files. It’s not related to any encryption algorithms directly.

1 Like
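As an added example that is not part of the original posts and is not OPNsense code: one way to check whether an OpenSSL 3 configuration activates the legacy provider, which carries older algorithms such as MD4, RC2, RC4 and single DES. It assumes the provider is enabled through the standard `openssl.cnf` provider sections; the sample config, section names and function names are constructed for illustration.

```python
import re

# Constructed sample openssl.cnf (not copied from an OPNsense install).
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1   # legacy provider: MD4, RC2, RC4, single DES, ...
"""

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def active_providers(text):
    """Follow openssl_conf -> providers -> per-provider section; return activated names."""
    cnf = parse_cnf(text)
    init = cnf.get(cnf[""].get("openssl_conf"), {})
    provider_map = cnf.get(init.get("providers"), {})
    # Assumption: only these values count as "on"; a section that is defined
    # but not referenced from the providers section is never loaded.
    truthy = {"1", "yes", "true", "on"}
    return sorted(name for name, sect in provider_map.items()
                  if cnf.get(sect, {}).get("activate", "").lower() in truthy)

def legacy_enabled(text):
    return "legacy" in active_providers(text)
```

To audit a real system, pass the contents of the `openssl.cnf` the service actually loads; `openssl list -providers` shows what the command-line tool loaded at run time.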

One note to add… The DVD installer that I downloaded could not be written to a USB drive with Rufus, it said it was an unknown format. The hash matched the website so not sure about that. I ended up going through a multi-step process to upgrade the 23.x install I already had on a machine. Currently at 24.1.1, but it had to go through each level to get there, not hop directly to 24.1.1. Started at 23.x to 23.12 to 24.1 to 24.1_1 and finally to 24.1.1. And I still haven’t even logged into the web gui, this was all from vga on my test system that barely had 23.x installed, a clean install would have been easier and faster for me.

I didn’t try the DVD iso in Ventoy to see if it would boot, I probably should.

Going to see how it goes as I find time to fiddle with it, curious about Zenarmor and how it might be able to help me do something that I have an unofficial package doing on pfsense (e2guardian for filtering). The OPN business license is a little less costly and something I want to move to at work if I can squeeze it into my budget.

Well that didn’t take long. Sounds like OPNsense is a lot more competitive than Tom makes it out to be.

Feature ping-pong - platform a gets something before b, and vice-versa - over time 90% will be the same… Noting that jumping in too early (or indeed too late!) can backfire!

Agreed.

A while back Tom argued they were always behind netgate on security fixes, and they didn’t have a clear road map for openssl 3. That punch still lands, but it is not as solid of a hit as it first appeared.

Not that any of this matters to the fans.

I switched to OPNsense after the fiasco with the licenses with pfsense. I’ve been happy with my decision. They (OPNsense) update very regularly. It seems like every time I log into the firewall there’s some sort of update.

There is some stuff that I prefer on the interface, and some stuff that I’ve found odd. Overall I can’t say one interface (OPNsense vs pfsense) clearly is better or worse than the other. I’d say both have pros and cons.

However the other day, I came across this on another forum: Netgate / pfSense acts in bad faith and it seems like Netgate has a history of doing questionable things, which overall solidifies my opinion that I made the right decision jumping ship and switching to OPNsense.

3 Likes

The incredibly frequent updates can be seen as good or bad. If you are managing 100+ of these devices, that’s time that will need to be taken very frequently, and to Tom’s point this doesn’t go over that well as an MSP. However a user that has like 5 of these, not a huge deal to patch them as frequently as needed, but they should probably limit patches to monthly similar to Microsoft. Obviously patches of immediate security or functionality (we broke something) should be pushed as soon as possible.

As far as I can tell, the Business license for OPN is going to cost me less than for PF, and while I can run either as a community edition, it’s not really right for my workplace, even though we are “non-profit”.

The update cadence debate is an interesting topic.

I imagine sitting on patches pushes more of the cost burden on the maintainers. They would have to filter the bug fixes, then determine severity in addition to all the other testing. Or they could just test the patch, confirm it works, and push it out the door. Basically a rolling release style.

I really like the rolling release style when I can containerize my workload. Because we run our routers like we ran our servers in the 00’s, this model is a little more scary. There is no isolation, no security borders, and to this topic; no clean recovery options.

If I had to run one of these systems on this argument alone, I would probably choose pfsense just b/c they are eating some of my cost for me.

BTW, I’ve got to imagine nobody admins 100+ pfsense boxes. It wasn’t built for that.

The business edition of OPNsense won’t have the SSL fixes until April 2024 Business Edition 24.1 Release?

And while we do have over 120 businesses that we do outside IT for, currently less than half have pfsense. Updates for the sake of updates are fine for home lab but not as manageable in a business setting. Also, Netgate does have a central management system on their roadmap.

I guess the central management interface is good and bad. It’s well wanted and needed, however I’m sure that’s going to be part of their paid project so I’ll probably never see it.

Well, if you have so many pfSenses that you need a centralized management interface to manage them, you’re probably not a home user, and so it’s only fair that you have to pay for it imho.

And now, of course, someone will come along and say that they have a pfSense installed at their parents’ or grandparents’ house that they need to manage. Then I’ll say that your parents and grandparents will be happy if they get to see you in person from time to time :wink:

1 Like

If you only have one or two remote units to manage, you can always set up a VPN of some kind to get in.

Central management for 50+ could be a big helper. I was reading about Zenarmor last night, and they have a central management option in the paid editions. I was thinking about trying it on OPNsense, but it sounds more like it is a standalone firewall first and an add-in to pf/OPN second. The thing I don’t like is that you need to defeat all the hardware offloading to make it work, and I think it’s single threaded. But it might make a nice Linux based firewall as standalone, again, need to do more research.

Zenarmor is a glorified pfblocker. The only thing that is different is you have to use their software to query their servers if the DNS or IP is bad or malicious.

They want to go into detail about how they have some special sauce using SNI to get the headers and whatnot. I personally think it’s just like other companies saying they are different somehow, but in reality they are doing the same thing as other competitors. They also want to claim they have the best feeds.

Thanks, I’ll do a little more research on them before devoting time to set it up.

Just adding something here… There have been at least 4 updates since the 24.1 came out at the end of January. Starting to look like we need to follow the business release cycle to keep a stable system.

Maybe they need to switch to a beta/RC vs. twice yearly stable release.

That said, there are some interesting features in OPNsense that I’m still learning about as I work towards putting one of these in production.

Why does “more updates” = “less stable”? Updates are good in my opinion. Frequent updates have been the norm for OPNsense since I’ve been using them. I’ve been impressed by it.

So far, most of these updates have been break/fix, and often it seems they are doing both: fixing one thing and breaking another. In production where you may lose functions for hours or days, this is no good. And this is why they have the open source version, and the business licensed version, where business comes out twice a year unless there is a big vulnerability or functional issue, with minor stuff during that time.

I probably won’t be ready to deploy this until the 24.4 is ready so not a big deal while I’m learning, but applying updates for the sake of updates leaves you with things like:

After Suricata updated (v7.0.3) VoIP stopped working.

Or some of the other issues on their forums.

One thing I do see that might be interesting for Tom, with the business license, you can put them into a group for central management. Not sure how much security you give up for this feature, but might be worth looking into.

In a business environment reliability and stability are king. Bells and whistles can wait.

We use pfsense for our business environments along with Netgate hardware.