This question comes up a lot and I wanted to have a reply with links for the people who keep asking what I mean when I say that OPNsense, despite having a more frequent update cycle, is slower to get out security fixes.
Here are some examples with links to posts from OPNSense & pfsense:
Also I am aware their code base has drifted far apart since the fork, but when I say OPNSense relies on Netgate for fixes that is because Netgate contributes a lot back to FreeBSD, including the recent fix for the incorrect fragmentation check (as noted above). I also have a previous post about Netgate being a key code contributor to FreeBSD for people curious how much they contribute upstream.
It’s interesting that, yes, those kinds of updates seem to be downstream from pfSense, or at least roundabout via FreeBSD. Are all these frequent updates just OPNSense’s own niceties and enhancements?
Those points appear to be fair. Is the attack surface larger with opnsense? Probably. Is it material? Debatable, but hard to argue it is not at least marginally impactful in some circumstances. It is certainly material if you are pitching this argument to a business. This is a big marketing punch in the gut to opnsense.
However, if you are going to find the speck in your neighbor’s eye, might I point out the plank in your own eye? Is the attack surface smaller in a CLI firewall than a GUI firewall? Maybe just a little, huh. Is it material? If we are going to give you the small win above, then this one would be that times ten. Especially if we consider all the containerization tricks we can do with a bare-bones FreeBSD or Linux system.
Fun high level conversation to have on a cold Saturday.
Yep, they win the speed race. And that has an impact on the attack surface. If you stop measuring the attack surface there, then pfsense wins.
Supporting pfsense to support the kernel is a weak argument. Kernels are inconsequential to end users in 2023. Support pfsense if you like the GUI. The fact they contribute code back to freebsd or linux is irrelevant. Support open source projects that you want to contribute to.
"The fact they contribute code back to freebsd or linux is irrelevant."
If you don’t support the projects who actively support writing the code back to what you use, then eventually you won’t have anything to use years later. It appears FreeBSD is the one that is used for firewalls. There is no guarantee that the other big players writing back to FreeBSD right now won’t switch to Debian Linux or something else 3-5 years from now. Then what happens?
Have you ever wondered what the ‘pf’ in pfSense stands for?
PF, or Packet Filter, is the firewall and traffic filtering system used in several Unix-like operating systems, including FreeBSD, on which pfSense and OPNsense are based. And guess what? That very PF packet filter just happens to live in kernel space.
Well, now that I think about it more and am not so tired, it really wouldn’t be that bad if it was based off of Debian. Been playing around with Linux for over 20 years. I do mean “playing, VMs very briefly and far between”. Finally installed Debian 12 fully on my backup Dell Insp 5570 laptop until my NVMe drive wouldn’t stay put anymore (caddy part broke). Now I have to build that up before I can fully use it; been just using live Linuxes to update the router with YUMI for now with that laptop.
I would always check Distrowatch and through all the years it seems a lot of things have been based on Debian, so of all the ones to be based on this would be my top pick. I’m sure it would be in the top 3 guaranteed.
But it still stands that OPNsense is slow to update their security compared to pfSense, even worse for the business one, which I just heard on a YT_LS vid from Dec 28, 2023 (pretty sure this one, was a little behind):
It’s not a matter of switching, it’s a complete rewrite of all the code because both are so dependent on FreeBSD. Netgate also does have a Linux alternative, TNSR Overview, and there used to be quite a few Linux firewall distros:
Wikipedia List of router and firewall distributions
Smoothwall - Wikipedia Smoothwall started in 2000 and ended; the last download for smoothwall org / Express was in 2014 (only has one supported on their buy-me-a-coffee page)
ClearOS - Wikipedia ClearOS is the successor to ClarkConnect and had the concept of being the all-in-one firewall, VPN, proxy, email server, web server, print server, user manager, and file server. Bought by HP, and updates seem to have stopped
Zentyal - Wikipedia Zentyal is very similar to ClearOS, started in 2009, and seems to still have a commercial offering; the last open source release was January 6, 2021, and the last news update on their blog was from July 2021
IPFire - Wikipedia IPFire, also a fork of IPCop, is still active but has no WireGuard support, very little documentation, and VLAN setup is very confusing
OpenWrt - Wikipedia OpenWrt started in 2004 and is still active, but I have not used it so I can not really speak to its overall functionality or ease of use.
VyOS - Wikipedia VyOS is a fork of Vyatta and is still active. They offer free latest snapshot builds or self-compiled stable builds; stable builds require a subscription, which starts at $8,000 per year. They are working on a web interface, but most features need to be done via the command line.
Yep, there would be a bunch of upfront cost. But their operating costs would collapse after the initial transition. I bet they have that play book in their back pocket and know how fast the payback would be. And I bet that payback period is shorter & cheaper than most people believe.
Kernel developers are expensive, but not to end users, including small/medium size businesses. The economies of scale with Linux have dropped kernel costs to near zero for end users. The more popular Linux becomes, the more it drives down kernel costs.
In today’s environment, netgate chooses to overpay for the kernel. That is their business decision and they are competitive even with that extra cost. If/when they lose their competitiveness they will make this change. Simple as that.
I think a bunch of fans are scared of upsetting the current business model. Netgate has a lot of room to raise prices and remain price competitive, but the more end users choose the free version or alternative, the faster they have to raise prices and the sooner that day of change comes.
Whatever happens, it will be interesting to see how this plays out in the next decade. I imagine the cost for a pfsense type firewall will implicitly (time, energy, difficulty) and explicitly (money) rise over the years. We will all be paying for it one way or another.
After Netgate’s latest issue with the licensing and pfsense plus fiasco, I started looking at alternatives. I wanted a Linux firewall and to possibly get away from pfsense, because that whole issue turned me off from pfsense. I don’t want to support a company like that, so the search began.
The problem is pfsense is pretty much top notch in its class in the open source firewall category and can’t really be beat (which is unfortunate). The Linux side of configuring firewall rules is really bizarre and confusing to me. Not as straightforward. Take a look at UniFi firewall rule creation - it is not fun to configure.
Where does that leave us in terms of security, costs, development? The unfortunate truth is we submit to whichever product is best for individuals’ use cases, which in most cases are home labs and small businesses (IMO). I don’t want to be a supporter of pfsense, but it’s the only one (for me) that checks all my boxes and is easily configurable.
You’re not really supporting them by just using the Community Edition. And while what Tom says isn’t wrong, there are no “real” security issues with OPNsense, especially if you don’t open anything up to the public internet that is running on it. Both are still good choices for a homelab or a small business imho.
For the record, I actually paid for a 2yr TAC Lite license for pfsense plus and I have filed important bugs on their Redmine, so I’d say I was supporting them more than most. I could have been more clear on that.
How these next 2 years go will determine what I am going to do next. My hope is somehow they convince me to continue supporting them, but as of right now I am on the fence and there aren’t any good alternatives at this point in time.
Why does everybody avoid the CLI? Learning nftables is not rocket science. It does take time to learn, but the nice thing about the CLI is it rarely ever changes. Learn it once and you are good for decades. Plus, knowledge is something you own. Not netgate.
bb77 is right about the free version and opnsense. Just lean into that until the cost (money or time) rises enough to justify a change. Use it for a few years to buy you time to learn how to not need these front ends.
I just learned about the horrible things netgate did to OPNsense a while back. I am surprised that didn’t piss a few of you off. That was shameful.