OPNsense vs pfSense Security

I tried VyOS, which is all CLI, and I seriously considered using it. I had to decide between not supporting a company and their development, or sucking it up and keep using what I know. CLI doesn’t bother me at all, and my Linux VMs are all CLI anyway. My Cisco switches are all CLI.

You’re not wrong, but not fully correct either. I’d argue that not all CLIs are the same, and once you learn how to navigate one firewall with its CLI, it does not transfer to other firewalls’ CLIs, since their APIs may be written differently.

Why not just use what you know? Linux.

Why reinvent the wheel? Eventually you will end up recreating someone else’s work in the long run. It is not as simple as pulling together all the packages you want and then running with it. There has to be structure, and it would be too complicated to run everything that is in said Linux distro.

There is a reason why no one is doing this. Instead they are contributing on GitHub to make software better collaboratively. Hence why open source projects are popular: when you get a community of devs that want to see great software, they have ideas they can all contribute to. Money also helps these causes.

I don’t know if it exists, but since open source projects are free software, I think there should be something on GitHub that allows for fundraising for patches and feature requests, so that the projects can continue to grow and devs get paid some money too. Kind of like a bounty.

The community would vote on the price of the feature or patch and then whoever completes the task gets said payout. If the community doesn’t meet the payout then the request stays stale until the community meets the price of the work to be done.


I knew about it when it happened, but at the time I was using an off-the-shelf ASUS router and an EdgeRouter X in a double NAT configuration, with my public-facing server sitting in a “poor man’s DMZ” between the two. A few years later, I decided to take things a step further and I needed a proper firewall. I tried both OPNsense and pfSense (among others). In the end, the very detailed videos Netgate had on YouTube at the time, their documentation and of course Tom’s videos were the deciding factors.

I’m certainly not a networking expert, but I would argue that even for someone who knows NAT, routing, firewall rules and VLANs inside out, it is still much more time-consuming and error-prone to set up and configure all this “by hand” on a standard Linux (or BSD) distribution than it is to use a dedicated router/firewall appliance such as pfSense or OPNsense.

Because it is your wheel, not somebody else’s. You own it. It won’t change unless you want it. Otherwise you need somebody else to build, secure, and maintain their wheel for you to use. Kind of like renting vs owning. We all pay, but what do you really own when it is all done?

Also, you aren’t really reinventing the wheel. You are just using the keyboard instead of the mouse. You have to write firewall rules just the same. The same goes for all the other services. You only need help from others to build your FW when you rely on the mouse.

Also, it is actually easier/faster with the keyboard. Not to mention, the mouse comes with a much larger attack surface.

If you dig into it, you will see it doesn’t take a network ninja to set this up. It is all logical and straightforward. No voodoo here. You can f-up your firewall rules with a GUI just as easily. As for time, yep, you will invest a lot more time upfront. But after you climb that hill you own the flat ground from there on out. Your costs are paid; you own the knowledge.
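For readers weighing the “write the rules yourself on Linux” argument above against a pfSense/OPNsense GUI, here is what “by hand” actually looks like. This is an added example, not code posted by anyone in the thread: a small script that emits an nftables ruleset for a two-interface router with a DMZ on an 802.1Q VLAN, the same kind of setup (public-facing server between WAN and LAN) described earlier. The interface names, subnets and the DMZ host address are assumptions chosen for illustration. Note the default-drop policies on both filter chains and that the only WAN-to-DMZ rule is the DNAT’d web traffic; the DMZ can never initiate connections to the LAN.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset for a
# Linux router: WAN + LAN + DMZ VLAN, masquerade, and a port forward to a
# DMZ web host. All names and addresses below are assumptions.
WAN=eth0                # assumed upstream interface
LAN=eth1                # assumed trusted LAN, 192.168.10.0/24
DMZ="${LAN}.20"         # assumed 802.1Q VLAN 20 carrying the DMZ, 192.168.20.0/24
DMZ_HOST=192.168.20.10  # assumed public-facing server in the DMZ

# Write the ruleset to the path given as $1.
write_ruleset() {
    out="$1"
    cat > "$out" <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # management (SSH) only from the trusted LAN
        iifname "$LAN" tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may reach the internet and the DMZ
        iifname "$LAN" oifname { "$WAN", "$DMZ" } accept
        # DMZ may reach the internet but never the LAN
        iifname "$DMZ" oifname "$WAN" accept
        # only the DNAT'd web traffic may enter the DMZ from outside
        iifname "$WAN" oifname "$DMZ" ip daddr $DMZ_HOST tcp dport { 80, 443 } ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN" tcp dport { 80, 443 } dnat to $DMZ_HOST
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" masquerade
    }
}
EOF
}

# Dry-run the file with nft (run as root): parses and validates without loading.
check_ruleset() {
    nft -c -f "$1"
}

# Review helper: count the forward rules that let WAN traffic into the DMZ.
# Exactly one (the DNAT'd web rule) means the DMZ is as isolated as intended.
wan_to_dmz_rules() {
    grep -cF "iifname \"$WAN\" oifname \"$DMZ\"" "$1"
}

# Review helper: count chains that default to drop (expect the two filter chains).
default_drop_chains() {
    grep -cF "policy drop;" "$1"
}

RULES=${RULES:-/tmp/router.nft}
write_ruleset "$RULES"
echo "wrote $RULES; validate with: sudo nft -c -f $RULES, load with: sudo nft -f $RULES"
```

Loading it (`nft -f`) is the whole “configuration”; persisting it is a matter of pointing `nftables.service` at the file. Everything the GUI would have you click through, including the implicit “block everything else” at the end of the rule list, is visible in one place and can be diffed and version-controlled.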

I am pretty sure we have battled this topic before and I’m afraid you won’t win this argument. You can argue all day that “anyone can do anything so what is stopping you?”. No one is going to build their own firewall. No one is going to spend countless hours writing scripts, creating backups, creating a guide to rebuild their environment. I say it again, reinvent the wheel. No one is going to build it just to say they built it and they own it.

You are probably right. I guess I was trying to encourage people to branch out and reach higher. I thought given the pedigree you outlined, you might give it a try with the right encouragement. That must have come across as arrogance given your reaction. I know Tom has the same reaction, despite his prominent bash sticker.

The challenge and intrigue must have been a larger motivation for me than I appreciate now. I am not sure the high level arguments I made above would have encouraged me to try if that itch wasn’t there in the first place.

This distraction needs to end. I bid this forum adieu.

AppID and threat prevention isn’t free…

For my part, I haven’t said it enough times I guess: OPNsense on the same hardware as pfSense runs slower (and not by just a few bits/sec here) and doesn’t support the same hardware either. When you need to add a tunable to get support for Chelsio 10GE NICs that have been supported in pfSense since they came out on the market, what else can you think has been neglected?
The only thing going for OPNsense is their GUI, but even then it uses the left-menu paradigm that plagues all new GUIs, which lengthens the number of actions/hand movements/clicks to perform what would be quicker in an older standard top menu - like pfSense does, for example (Xen Orchestra also comes to mind here as a bad GUI).
Their dev team is too small and doesn’t really bring anything more to the table except being EU-based software.
Netgate might have had their bad moments in the past (who didn’t?), but their software is top notch.
pfSense tech is proven and works, and even as a Fortigate specialist, I would recommend it - heck, it is my main router at home in front of Fortigate!
For me OPNsense is more a gimmick that shouldn’t even exist, and I would rather use IPFire than that firewall, thanks to all the bad experience I had with it in the past, and still recently. Don’t touch that firewall please and let it die.


Even though OPNsense is using the WireGuard code that was sponsored by Netgate, their WireGuard VPN performance is much slower; it all comes down to implementation.