I know that this forum prefers PFSense, and I truly did want to rely on it for my needs. Problem is that I first started a couple of my biggest clients on it to get my feet wet and although I was disappointed with various issues the first couple years I decided to deploy a bunch more and even switched my own office. Switching myself was the biggest issue overall. Immediately ran into a bug that hasn’t been fixed in 2 years until 2.5 but can’t switch to 2.5 because it has even bigger bugs that to this day aren’t fixed. 2 years is unacceptable in my opinion for enterprise.
Please comment on this thread if you’ve been using OPNSense for some time and can vouch for their patching of bugs. How long does it take them? How often do you get surprise reinstalls because an update breaks something? If I can’t find enough confidence in OPNSense I think the only remaining options are proprietary systems, which I’d rather not do.
I’ve been using OPNsense for about 10 Months now in production.
I opted to go for the Business Edition as it was only €149 per year and compared to the community edition, the releases are less frequent so are usually tried and tested by the time they hit the business repository. It’s also an inexpensive way to contribute to the project and you also get a discount on other products like commercial support hours if needed in future.
The documentation is good and I’ve used their Pro Support and they were brilliant.
Thanks for the reply. I agree that supporting the developers is important so that’s why I paid for the most expensive enterprise support for pfsense and was incredibly disappointed. I wish you had more than 10 months of data on the stability of their updates. Is your setup very advanced? Multi wan, various VLANs, various VPNs, and other modules or is it just a residential replacement? The show stopper bugs I’ve had problems with are primarily with multi WAN, which is ridiculous considering that applies to more urgent enterprise that is willing to pay to ensure they stay up.
Sorry, just the 10 months experience so far.
I am about to upgrade from my single Hyper-V VM instance of OPNsense to a HA Cluster of 2 PC Engines APU4D4 Powered Hardware units.
My current setup is basic, 1 WAN, 1 LAN, 1 IPSEC VPN
I hope somebody else with more experience with the product can help you further but my experience has been good so far.
I have run Opnsense now for about a year. No issues so far. Miss pfblocker but Sensei package was kind of neat to play with. Tom’s videos on pfsense work on opnsense for the most part, just have to figure out where the option is in the opn gui vs pf gui. This fella has a few guides too: OPNsense Firewall Rule "Cheat Sheet" - Home Network Guy
I remember a bug last year… can’t remember fully what it was but it was fixed later that week. All I did was roll back the update and restore my config and was gtg while waiting for the fix. I have never used their paid support but their forums are friendly and helpful. I am more of a home user though so ymmv. I think a big thing for me is after an update, I watch their reddit to see if anyone is grumpy. After a week if everyone is happy I pull the trigger.
Have you looked into your bugs to see if they were pfsense based and not BSD based? I know some bugs that hit pfsense translate over into opnsense because both are bsd. Opnsense is currently hardened bsd but they dumped their coder for that and are talking about moving back to standard bsd from what I read. Another fav on this forum seems to be untangle, have you given that a look?
I don’t know. First issue was on the 2.4 and it was a known problem for 2 years before getting fixed in 2.5 causing a race condition on WAN failover. Then 2.5 broke DNS Resolver. 2.5.1 broke VoIP when using dual WAN. I still haven’t dared upgrade to 2.5.2 based off precedent and have been considering switching instead of upgrading. Years ago when I first decided to start tinkering with pfsense I bought 2 official appliances from them. First one died in 6 months of not even being in production just plugged in for us to configure LAN. That replacement died a year later in production. I’ve had many times that power failures made the OS completely unbootable so I had to drive and emergency reinstall (I’ll give credit that their installer does a great job grabbing the working config and running with it.) Then to help support I paid for their most expensive enterprise support plan only to find that when I needed them they weren’t very helpful at all. Instead they kept pointing fingers at things and just sent articles to documentation as if we haven’t already read that. Genuinely wanted to support the project and had high hopes for the platform but you can’t leave enterprise in the dust like that. I’d love Untangle but they charge way too much for the client count. I’d have to pay probably $5k/year and I think there are many commercial brands cheaper than that.
Ahh gotcha… you would think you could get some kind of refund or something for lack of support there lol.
I have only used the forums for support on Opnsense when I had a question directly about it, and the folks over there are really friendly. I have had some issues with netgate folks on the reddit forums being pricks. But that is just my experience, I am sure other folks have had it the other way around.
Paid support for opnsense might be interesting if you are in the US as Deciso is based in the Netherlands. If you are in the EU then not really an issue. I had a friend order one of their devices and had to pay extra fees due to importing it as well. I kind of feel like though companies like pfsense/UBNT/Opnsense rely on folks like Tom to fill the support gap. They just put the product into your hand and figure the market will support it. This is all just a hobby to me, but the company I work for has around 26k employees and only uses big names in networking. Not because those products are better, but because there is a number that you call when shit breaks and someone answers and helps till it’s not broke. If not or they break the SLA then there are big fees/kickbacks to us for said problems. I have even seen Dell folks show up before, then you know shit really hit the fan lol.
I did use Sensei/Sunny Valley support once. I did not even pay for it at the time. I was doing the free trial and the app took a dive. I contacted their support around 5pm that day expecting them to reply back a list of things to try the next day. Next morning someone from there hits me up and walks me through setting up opnsense so they could remote in and troubleshoot Sensei for me, and fixed it. Even took the time to show me how to fix it so I could do it if it happened again, then walked me through how to lock opnsense back down after. I was reading on their site later that day when looking to sign up for a sub and found out it was the CEO that hit me up Lol. I am sure they have full time techs now, but that still left a lasting impression on me.
Apologies for the long reply and I know it still does not really answer your question about turn times on support. I would hit up Franco in the opnsense forums and maybe ask there. They are one of the Devs and seem really active and helpful.
Things have improved dramatically. You no longer have to worry about updates killing your firewall, because opnsense now comes with ZFS snapshot support that works flawlessly. In pfsense you have to pay for this feature. They also improved adblocking, and they brought several features from their business edition into the community edition. Q-Feeds plugin is now available for free and it works great. They improved the dashboard significantly and switched to new MVC/API. While Netgate is going backward with their online only installers, and locking features behind paid version, opnsense guys are doing quite the opposite.
Pfsense+ (paid version) has ZFS snapshots. Community edition (free version) does not. If something goes very wrong, you have to reinstall and then restore your config. If by “rollback feature” you meant logging into console and reverting to last known working config, that’s ok. But console is not always available.
This is not completely true. What is true is that you can use netgate backup service, but the community edition does not have the ZFS snapshots to roll back to a working state after an update.
Community edition has no Intel QAT support and it has no OpenVPN DCO. These features are pfsense+ exclusive. And before someone calls me opnsense shill, I’m not. I use pfsense because I use schedule based firewall rules and traffic shapers. This is impossible to do in opnsense without heavy scripting and fiddling with cronjobs and there is no indication of something like this being planned for implementation. I also hate constant opnsense updates. It’s just too much. Tom has excellent video about this very subject and I agree with almost everything he said. I’m not one of those guys that uses one solution and bashes the other one. We have pfsense, opnsense and dynfi and I hope all three thrive in whatever their goals are.
After all these years of opening this thread, I still haven’t taken the time to do all the data input to migrate all my clients off pfsense. A lot of that is due to deciding if opnsense is the right direction and the past few months I’ve been thinking a lot about Unifi routers. I so badly want open source to succeed and I prefer to buy commercial support for it to support them. However, my entire experience with pfsense has been so lackluster that I couldn’t justify keeping them or paying them money because, even when I did pay them, they didn’t help and just told me they were known issues being patched in future versions. When I paid Zentyal, they patched my system directly and put it in their upstream code.
I’ve had various issues upgrading pfsense to new versions on different firewalls I manage. I had to do an update freeze on 2.5 and 2.6 because they had known issues that affected me so I had to leave a bunch of firewalls on 2.4.5 until 2.7 came out. Various times I have to reboot pfsense for changes to take effect after wasting time trying to figure out what I’m doing wrong because things still don’t work. I’m now testing the waters with a few dream machines in a few households but thanks to @svirepi I’m going to try out opnsense because I love the zfs snapshot idea and didn’t know they had it.
I’ll also give you information for hardware that I’ve used. I’ve had 100% pcb failure on protectli appliances within 5 years or less, most within 3. Only 1 of my pcengine appliances stopped booting but it does turn on so perhaps I can do a firmware recovery or something.