This question comes up a lot and I wanted to have a reply with links for the people who keep asking what I mean when I say that OPNsense, despite having a more frequent updates cycle, is slower to get out security fixes.
Here are some examples with links to posts from OPNSense & pfsense:
Also I am aware their code base has drifted far apart since the fork, but when I say OPNSense relies on Netgate for fixes that is because Netgate contributes a lot back to FreeBSD, including the recent fix for the incorrect fragmentation check (as noted above). I also have a previous post about Netgate being a key code contributor to FreeBSD for people curious how much they contribute upstream.
It's interesting that, yes, those kinds of updates seem to be downstream from pfSense, or at least roundabout via FreeBSD. Are all these updates all the time just OPNSense's own niceties and enhancements?
Those points appear to be fair. Is the attack surface larger with opnsense? Probably. Is it material? Debatable, but hard to argue it is not at least marginally impactful in some circumstances. It is certainly material if you are pitching this argument to a business. This is a big marketing punch in the gut to opnsense.
However, if you are going to find the speck in your neighbor's eye, might I point out the plank in your own eye? Is the attack surface smaller in a cli firewall than a gui firewall? Maybe just a little, huh. Is it material? If we are going to give you the small win above, then this one would be that times ten. Especially if we consider all the containerization tricks we can do with a bare bones freebsd or linux system.
Fun high level conversation to have on a cold Saturday.
Yep, they win the speed race. And that has an impact on the attack surface. If you stop measuring the attack surface there, then pfsense wins.
Supporting pfsense to support the kernel is a weak argument. Kernels are inconsequential to end users in 2023. Support pfsense if you like the GUI. The fact they contribute code back to freebsd or linux is irrelevant. Support open source projects that you want to contribute to.
"The fact they contribute code back to freebsd or linux is irrelevant. "
If you don't support the projects who "actively" support writing the code back to what you use, then eventually you won't have anything to use years later. It appears freebsd is the one that is used for firewalls. There is no guarantee that the other big players writing back to freebsd right now won't switch to Debian Linux or something else 3-5 years from now. Then what happens?
Have you ever wondered what the "pf" in pfSense stands for?
PF, or Packet Filter, is the firewall and traffic filtering system used in several Unix-like operating systems, including FreeBSD, on which pfSense and OPNsense are based. And guess what? That very PF packet filter just happens to live in kernel space.
Well, now that I think about it more and am not so tired, it really wouldn't be that bad if it was based off of Debian. Been playing around with Linux for over 20 years. I do mean "playing": VMs, very briefly and far between. Finally installed Debian 12 fully on my backup Dell Insp 5570 laptop until my NVMe drive wouldn't stay put anymore (caddy part broke). Now I have to build that up before I can fully use it; I've just been using live Linuxes to update the router with YUMI for now with that laptop.
I would always check Distrowatch, and through all the years it seems a lot of things have been based on Debian, so of all the ones to be based on this would be my top pick. I'm sure it would be in the top 3 guaranteed.
But it still stands that OPNsense is slow to update their security compared to pfSense, even worse for the business one, which I just heard on a YT_LS vid from Dec 28, 2023 (pretty sure it was this one, I was a little behind :)
A lot more eyes on Linux than on BSD these days - can't believe neither the pfSense nor the OPNsense (or other?) teams have already looked "over the fence" to see how much work there would be to switch?
It's not a matter of switching, it's a complete rewrite of all the code because both are so dependent on FreeBSD. Netgate also does have a Linux alternative, TNSR Overview, and there used to be quite a few Linux firewall distros:
Wikipedia List of router and firewall distributions
IPCop - Wikipedia IPCop "The Bad Packets Stop Here" started 2001, ended 2019
Smoothwall - Wikipedia Smoothwall started 2000, ended: last download for smoothwall org / express was 2014 (only has one supported on their buy me a coffee page)
ClearOS - Wikipedia ClearOS is the successor to ClarkConnect and had the concept of being the all-in-one firewall, VPN, proxy, email server, web server, print server, user manager, and file server. Bought by HP and updates seem to have stopped
Zentyal - Wikipedia Zentyal is very similar to ClearOS, started 2009, seems to still have a commercial offering; last open source release was January 6, 2021, last news update on their blog was from July 2021
IPFire - Wikipedia IPFire, also a fork of IPCop, is still active but has no WireGuard support, very little documentation, and VLAN setup is very confusing
OpenWrt - Wikipedia OpenWrt started 2004 and is still active, but I have not used it so I can not really speak to its overall functionality or ease of use.
VyOS - Wikipedia VyOS is a fork of Vyatta and is still active. They offer free latest snapshot builds or self-compiled stable. Stable builds require a subscription which starts at $8,000 per year. They are working on a web interface but most features need to be done via the command line.
Yep, there would be a bunch of upfront cost. But their operating costs would collapse after the initial transition. I bet they have that play book in their back pocket and know how fast the payback would be. And I bet that payback period is shorter & cheaper than most people believe.
Kernel developers are expensive, but not to end users. Including small/medium size businesses. The economies of scale with Linux has dropped kernel costs to near zero for end users. The more popular Linux becomes, the more it drives down kernel costs.
In today's environment, netgate chooses to overpay for the kernel. That is their business decision and they are competitive even with that extra cost. If/when they lose their competitiveness they will make this change. Simple as that.
I think a bunch of fans are scared of upsetting the current business model. Netgate has a lot of room to raise prices and remain price competitive, but the more end users choose the free version or alternative, the faster they have to raise prices and the sooner that day of change comes.
Whatever happens, it will be interesting to see how this plays out in the next decade. I imagine the cost for a pfsense type firewall will implicitly (time, energy, difficulty) and explicitly (money) rise over the years. We will all be paying for it one way or another.
After Netgate's latest issue with the licensing and pfsense plus fiasco, I started looking at alternatives. I wanted a linux firewall and possibly to get away from pfsense because that whole issue turned me off from pfsense. I don't want to support a company like that, so the search began.
The problem is pfsense is pretty much top notch in its class in the open source firewall category and can't really be beat (which is unfortunate). The linux side of configuring firewall rules is really bizarre and confusing to me. Not as straightforward. Take a look at unifi firewall rule creation - it is not fun to configure.
Where does that leave us in terms of security, costs, development? The unfortunate truth is we submit to whichever product is best for our individual use cases, which in most cases are home labs and small business (IMO). I don't want to be a supporter of pfsense, but it's the only one (for me) that checks all my boxes and is easily configurable.
You're not really supporting them by just using the Community Edition. And while what Tom says isn't wrong, there are no "real" security issues with OPNsense, especially if you don't open anything up to the public internet that is running on it. Both are still good choices for a homelab or a small business imho.
For the record, I actually paid for a 2yr TAC Lite license for pfsense plus and I have filed important bugs on their redmine, so I'd say I was supporting them more than most. I could have been more clear on that.
How these next 2 years go will determine what I am going to do next. My hope is somehow they convince me to continue supporting them, but as of right now I am on the fence and there aren't any good alternatives at this point in time.
I have long since given up the illusion that there is that one product that you can use forever without having to re-evaluate again and again. It has always been like that in IT, hasn't it?
And not only that, in many areas you have to make compromises, especially as a home or SMB user, and yes, sometimes there is only the choice between the lesser of two evils
…although I don't really think that applies to pfSense or OPNsense. As I said, I think both are still good choices, even if neither is perfect. But what is perfect in this world anyways.
Why does everybody avoid the cli? Learning nftables is not rocket science. It does take time to learn, but the nice thing about the cli is it rarely ever changes. Learn it once and you are good for decades. Plus, knowledge is something you own. Not netgate.
bb77 is right about the free version and opnsense. Just lean into that until the cost (money or time) rises enough to justify a change. Use it for a few years to buy you time to learn how to not need these front ends.
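To make the "learn nftables once" point concrete, here is an added example of what a minimal stateful ruleset for a two-interface router looks like. This is not from the post or from any of the projects discussed; the interface names eth0 (WAN) and eth1 (LAN), the 192.168.1.0/24 LAN prefix and the management ports are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Assumed layout: eth0 faces the internet, eth1 faces the LAN (illustrative values).
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.1.0/24

table inet filter {
    chain input {
        # Default deny for traffic addressed to the router itself.
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif "lo" accept

        # ICMPv6 is required for IPv6 to work at all (neighbour discovery, PMTUD).
        meta l4proto ipv6-icmp accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # Management, DNS and DHCP are reachable from the LAN side only.
        iifname $LAN tcp dport { 22, 443 } accept
        iifname $LAN udp dport { 53, 67 } accept

        # Anything unsolicited from the WAN falls through to the drop policy;
        # the counter makes that visible in `nft list ruleset`.
        iifname $WAN counter drop
    }

    chain forward {
        # Default deny for traffic routed through the box.
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept
        # Only the LAN prefix may initiate outbound sessions.
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Check the file for syntax errors without touching the live ruleset with `nft -c -f /etc/nftables.conf`, then load it with `nft -f /etc/nftables.conf` and inspect the result (including the per-rule counters) with `nft list ruleset`. The `policy drop` on the input and forward hooks is what gives the same "deny by default, allow established" behaviour a GUI firewall presents as its starting point.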
I just learned about the horrible things netgate did to OPNsense a while back. I am surprised that didn't piss a few of you off. That was shameful.