OPNsense vs pfSense Security

This question comes up a lot and I wanted to have a reply with links for the people who keep asking what I mean when I say that OPNsense, despite having a more frequent update cycle, is slower to get out security fixes.

Here are some examples with links to posts from OPNsense & pfSense:

Also I am aware their code base has drifted far apart since the fork, but when I say OPNsense relies on Netgate for fixes that is because Netgate contributes a lot back to FreeBSD, including the recent fix for the incorrect fragmentation check (as noted above). I also have a previous post about Netgate being a key code contributor to FreeBSD for people curious how much they contribute upstream.

2 Likes

It’s interesting that, yes, those kinds of updates seem to be downstream from pfSense, or at least roundabout via FreeBSD. Are all these updates all the time just OPNsense’s own niceties and enhancements?

I guess, I have not really tracked their general updates, I was focused on their security.

1 Like

Those points appear to be fair. Is the attack surface larger with OPNsense? Probably. Is it material? Debatable, but hard to argue it is not at least marginally impactful in some circumstances. It is certainly material if you are pitching this argument to a business. This is a big marketing punch in the gut to OPNsense.

However, if you are going to find the speck in your neighbor’s eye, might I point out the plank in your own eye? Is the attack surface smaller in a CLI firewall than a GUI firewall? Maybe just a little, huh. Is it material? If we are going to give you the small win above, then this one would be that times ten. Especially if we consider all the containerization tricks we can do with a bare-bones FreeBSD or Linux system.

Fun high level conversation to have on a cold Saturday.

Their lagging behind on OpenSSL is a pretty big issue and not something I would consider casually passing over.

1 Like

Yep, they win the speed race. And that has an impact on the attack surface. If you stop measuring the attack surface there, then pfSense wins.

Supporting pfSense to support the kernel is a weak argument. Kernels are inconsequential to end users in 2023. Support pfSense if you like the GUI. The fact they contribute code back to FreeBSD or Linux is irrelevant. Support open source projects that you want to contribute to.

They support more than the kernel; Netgate is upstreaming fixes such as the one in the example I linked to, which removes an incorrect fragmentation check.

1 Like

"The fact they contribute code back to FreeBSD or Linux is irrelevant."

If you don’t support the projects that “actively” write code back to what you use, then eventually you won’t have anything to use years later. It appears FreeBSD is the one that is used for firewalls. There is no guarantee that the other big players writing back to FreeBSD right now won’t switch to Debian Linux or something else 3-5 years from now. Then what happens?

Would that really be a bad thing though? Basing this stuff off of something like Debian would likely be helpful in some ways.

Have you ever wondered what the ‘pf’ in pfSense stands for?

PF, or Packet Filter, is the firewall and traffic filtering system used in several Unix-like operating systems, including FreeBSD, on which pfSense and OPNsense are based. And guess what? That very PF packet filter just happens to live in kernel space.

4 Likes

Well, now that I think about it more and am not so tired, it really wouldn’t be that bad if it was based off of Debian. Been playing around with Linux for over 20 years. I do mean “playing”: VMs, very briefly and far between. Finally installed Debian 12 fully on my backup Dell Insp 5570 laptop until my NVMe drive wouldn’t stay put anymore (caddy part broke). Now I have to build that up before I can fully use it; been just using live Linuxes to update the router with YUMI for now with that laptop.

I would always check DistroWatch, and through all the years it seems a lot of things have been based on Debian, so of all the ones to be based on this would be my top pick. I’m sure it would be in the top 3, guaranteed.

But it still stands that OPNsense is slow to update their security compared to pfSense, even worse for the business one, which I just heard on the YT LS vid from Dec 28, 2023 (pretty sure this one was a little behind :)

A lot more eyes on Linux than on BSD these days. Can’t believe the pfSense and OPNsense (or other?) teams haven’t already looked “over the fence” to see how much work there would be to switch.

It’s not a matter of switching; it’s a complete rewrite of all the code because both are so dependent on FreeBSD. Netgate also does have a Linux alternative (TNSR Overview), and there used to be quite a few Linux firewall distros:

Wikipedia List of router and firewall distributions

  • IPCop (IPCop – Wikipedia): “The Bad Packets Stop Here”, started 2001, ended 2019
  • Smoothwall (Smoothwall - Wikipedia): started 2000; the last download for smoothwall.org / Express was 2014 (only has one supporter on their Buy Me a Coffee page)
  • ClearOS (ClearOS - Wikipedia): the successor to ClarkConnect, with the concept of being the all-in-one firewall, VPN, proxy, email server, web server, print server, user manager, and file server. Bought by HP, and updates seem to have stopped
  • Zentyal (Zentyal - Wikipedia): very similar to ClearOS, started 2009, seems to still have a commercial offering; last open source release was January 6, 2021, last news update on their blog was from July 2021
  • Endian Firewall (Endian Firewall - Wikipedia): a fork of the Linux firewall IPCop. They do still offer a community edition (Endian Firewall Community) that can be downloaded via SourceForge (Endian Firewall Community download | SourceForge.net); feature comparison: Endian Firewall Community vs. EndianOS UTM: Robust Cybersecurity Solutions
  • IPFire (IPFire - Wikipedia): also a fork of IPCop, still active, but no WireGuard support, very little documentation, VLAN setup very confusing
  • OpenWrt (OpenWrt - Wikipedia): started 2004 and is still active, but I have not used it so I can not really speak to its overall functionality or ease of use.
  • VyOS (VyOS - Wikipedia): a fork of Vyatta, still active. They offer free latest snapshot builds or self-compiled stable; prebuilt stable builds require a subscription, which starts at $8,000 per year. They are working on a web interface, but most features need to be done via the command line.
3 Likes

Yep, there would be a bunch of upfront cost. But their operating costs would collapse after the initial transition. I bet they have that play book in their back pocket and know how fast the payback would be. And I bet that payback period is shorter & cheaper than most people believe.

Kernel developers are expensive, but not to end users, including small/medium size businesses. The economies of scale with Linux have dropped kernel costs to near zero for end users. The more popular Linux becomes, the more it drives down kernel costs.

In today’s environment, Netgate chooses to overpay for the kernel. That is their business decision, and they are competitive even with that extra cost. If/when they lose their competitiveness they will make this change. Simple as that.

I think a bunch of fans are scared of upsetting the current business model. Netgate has a lot of room to raise prices and remain price competitive, but the more end users choose the free version or alternative, the faster they have to raise prices and the sooner that day of change comes.

Whatever happens, it will be interesting to see how this plays out in the next decade. I imagine the cost for a pfsense type firewall will implicitly (time, energy, difficulty) and explicitly (money) rise over the years. We will all be paying for it one way or another.

Yes, and the same goes for the FreeBSD kernel. But end users can’t do much with a kernel, unless they learn how to configure Netfilter / PF by hand :wink:

But then I wonder why Palo Alto, Checkpoint, Cisco, Fortinet etc are so expensive, as far as I know they all use a Linux kernel :wink:

After Netgate’s latest issue with the licensing and pfSense Plus fiasco, I started looking at alternatives. I wanted a Linux firewall and possibly to get away from pfSense because that whole issue turned me off from pfSense. I don’t want to support a company like that, so the search began.

The problem is pfSense is pretty much top notch in its class in the open source firewall category and can’t really be beat (which is unfortunate). The Linux side of configuring firewall rules is really bizarre and confusing to me. Not as straightforward. Take a look at UniFi firewall rule creation; it is not fun to configure.

Where does that leave us in terms of security, costs, development? The unfortunate truth is we submit to whichever product is best for individual use cases, which in most cases are home labs and small business (IMO). I don’t want to be a supporter of pfSense, but it’s the only one (for me) that checks all my boxes and is easily configurable.

You’re not really supporting them by just using the Community Edition. And while what Tom says isn’t wrong, there are no “real” security issues with OPNsense, especially if you don’t open anything up to the public internet that is running on it. Both are still good choices for a homelab or a small business imho.

For the record, I actually paid for a 2-year TAC Lite license for pfSense Plus and I have filed important bugs on their Redmine, so I’d say I was supporting them more than most. I could have been more clear on that.

How these next 2 years go will determine what I am going to do next. My hope is somehow they convince me to continue supporting them, but as of right now I am on the fence and there aren’t any good alternatives at this point in time.

1 Like

I have long since given up the illusion that there is that one product that you can use forever without having to re-evaluate again and again. It has always been like that in IT, hasn’t it? :wink:

And not only that, in many areas you have to make compromises, especially as a home or SMB user, and yes, sometimes there is only the choice between the lesser of two evils :wink:

…although I don’t really think that applies to pfSense or OPNsense. As I said, I think both are still good choices, even if neither is perfect. But what is perfect in this world anyways.

Why does everybody avoid the CLI? Learning nftables is not rocket science. It does take time to learn, but the nice thing about the CLI is it rarely ever changes. Learn it once and you are good for decades. Plus, knowledge is something you own. Not Netgate.

bb77 is right about the free version and OPNsense. Just lean into that until the cost (money or time) rises enough to justify a change. Use it for a few years to buy you time to learn how to not need these front ends.

I just learned about the horrible things Netgate did to OPNsense a while back. I am surprised that didn’t piss a few of you off. That was shameful.

1 Like
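To put the "learn nftables instead of a front end" suggestion above into concrete terms, here is an added example (not code from any poster in this thread, nor from pfSense or OPNsense) of what the default-deny LAN/WAN ruleset those GUIs generate for you looks like when written directly for the Linux kernel's nftables. The interface names (eth0 as WAN, eth1 as LAN), the LAN subnet, and the set of services allowed from the LAN are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: a minimal stateful router ruleset in native nftables syntax.
# Assumptions (not from the thread): eth0 is WAN, eth1 is LAN, LAN is 192.168.1.0/24.
flush ruleset

define WAN_IF  = "eth0"
define LAN_IF  = "eth1"
define LAN_NET = 192.168.1.0/24

table inet filter {
    # Traffic addressed to the firewall itself: default deny.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept   # replies to connections we opened
        ct state invalid drop                 # packets conntrack cannot classify
        iif "lo" accept

        # Management and core services are reachable only from the LAN side
        iifname $LAN_IF tcp dport { 22, 443 } accept   # SSH, HTTPS admin UI
        iifname $LAN_IF udp dport { 53, 67 } accept    # DNS, DHCP server
        iifname $LAN_IF tcp dport 53 accept            # DNS over TCP

        # Keep ICMP usable without opening everything; IPv6 needs ND to function
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big } accept

        # Anything else, including all unsolicited WAN traffic, hits the drop policy
    }

    # Traffic routed through the firewall: LAN may go out, WAN may not come in unsolicited.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname $LAN_IF oifname $WAN_IF accept
    }

    # The firewall's own outbound traffic is unrestricted here
    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# Source NAT so LAN hosts share the WAN address (IPv4 only)
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

Save it as a file and check it without applying anything with `nft -c -f rules.nft`; load it with `nft -f rules.nft` and inspect the result with `nft list ruleset`. Because `flush ruleset` is the first statement, the file is idempotent: re-running it replaces the whole ruleset atomically rather than appending duplicate rules, which is the property you otherwise rely on a GUI to guarantee. Note that nothing here is IPv6-NAT; the `inet` table filters both address families, but only the `ip` table does masquerading.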