pfSense vs OPNSense

Dear all, I am really glad to be a part of the community Tom gathered on this forum. I’ve been watching a lot of his videos lately and one question that comes up on nearly every live stream each week: did you try OPNSense? What are your thoughts on it?

Of course, if Tom doesn’t have a use case for it, he can’t answer that question, but I own a small MSP company in London and we have quite a few OPNSense boxes. The product is good, don’t get me wrong, but not as polished as pfSense, unfortunately.

You can have a look at my video on YouTube, in case you are curious about the differences between them. Feedback is very welcome. :)


Good review and I hope it makes people happy enough to quit asking me to review it…lol


@chernobyl - Nice video, thank you… As a home user of pfSense I’d be tempted to try OPNSense, but the migration path just seems like too much work i.e. having to re-create the entire configuration by hand.
I do wish pfSense had the Zerotier package available though…


This is something that I don’t understand: why would you want ZeroTier on your router? The purpose of ZeroTier is to set it up on each device that needs to be part of a network, without concern for what network they are actually on, either the same or remote. A router with a VPN makes more sense, as it will have lower latency and be an overall simpler system, since there does not need to be a third party involved.

I hear you, but that’s assuming that ZeroTier can be run on all those devices. Computers, sure, but there are all the IoT-type devices that one may want access to. And while they may be fixed, the devices you want to access them with aren’t.

I’m currently using ZeroTier like this:
House 1 in country 1: “My” MacBook and Mac Mini running ZeroTier
House 2 in country 2: MacBook and Mac Mini and QNAP NAS running ZeroTier
Other devices in both places that can’t run ZeroTier.
The two MacBooks get taken out of the houses.

Now ZeroTier has been truly awesome (and TeamViewer has been long forgotten) in that my MacBook can access any of those computers wherever I am, or indeed if the other MacBook is taken outside the house.

BUT with ZeroTier on those devices alone I can’t access any of the other devices like IoT stuff, modems, routers, etc. in either house when I am on the road. Yes, I could VPN into the House 1 pfSense router, but then it gets overcomplicated. If I was running ZeroTier on the routers in both houses and directly on the 2 MacBooks, then I’d have a seamless network of all devices all the time.

A standard VPN (phone home to Router 1) isn’t going to give me the seamless bi-directional connection between two houses and roaming devices that ZeroTier offers. One of the great things about ZeroTier is I get always-on connections FROM a home network TO roaming devices wherever they are… Perhaps it could be done with some combination of ZeroTier and site-to-site VPNs, but it seems complicated to me. If I could run ZeroTier on both routers and on the roaming devices directly, that would seem a good setup to me.

That said, as I have a pfSense router, not OPNSense, I haven’t had the opportunity to try ZeroTier at the router level, so I’m guessing somewhat. And I also don’t have experience with site-to-site VPNs; I’ve only ever used them to call home. But even then, connecting home requires manually initiating a connection etc., and can’t compare to the always-on nature of ZeroTier.

So I’d be genuinely interested to hear of possibly better or easier ways to do all this, I have an open mind to all this.

I do see what you mean about the point of ZeroTier being “to set it up on each device that needs to be part of a network without concern of what network they are actually on, either same or remote.” But I’m looking to achieve that AND have all devices in each house on the ZeroTier subnet regardless of whether they can run the ZeroTier software themselves.


Seems to me what you are looking for is a S2S VPN between homes and a client VPN connection to home A. Then you connect your mobile device to home A via the client VPN and you have access to all devices in both homes.


@pdpeerman - Thanks and I appreciate the suggestion. I do need to look into S2S more…
But off the top of my head that setup seems inefficient to me. The traffic of a mobile user connecting to a Home B device would have to travel via Home A first. And any problem occurring at Home A would also affect Home B.
With Zerotier all devices would communicate directly peer-to-peer.

You could use S2S as the main connection and ZeroTier as a failover :)


A little bit dated, but I figured I’d chime in: just do a WireGuard VPN and a GRE tunnel. I suppose WG isn’t technically supported by pfSense, but it can be installed. I don’t have all the details on what ZeroTier is, but it seems redundant where GRE is available, which I think is everywhere.
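Added example, not code from this thread or from the pfSense/OPNsense projects: a POSIX shell script that writes out the WireGuard configs for the layout suggested a few posts up (site-to-site between home A and home B, plus a road-warrior laptop that dials home A) and the commands a Linux router would use to carry a GRE tunnel inside that site-to-site link. Every LAN range, tunnel address, hostname, key and interface name in it is a placeholder chosen for illustration; pfSense and OPNsense expose the same settings through their GUIs, and the `ip tunnel` lines are the iproute2 equivalents rather than anything those firewalls run.

```shell
#!/bin/sh
# Added example (not from the thread). Emits WireGuard configs for:
#   router A (hub)  <-->  router B (site-to-site)
#   laptop  -------->  router A (road warrior; reaches B's LAN through A)
# and the GRE-over-WireGuard commands for a Linux router.
# All addresses, names and keys below are assumed placeholders.

SITE_A_LAN=192.168.1.0/24          # LAN behind router A (the hub)
SITE_B_LAN=192.168.2.0/24          # LAN behind router B
WG_NET=10.200.0.0/24               # tunnel subnet shared by all three peers
WG_A=10.200.0.1
WG_B=10.200.0.2
WG_MOBILE=10.200.0.10
A_ENDPOINT=vpn-a.example.net:51820 # assumed public name/port of router A

# Placeholder keys; real ones: wg genkey | tee a.key | wg pubkey > a.pub
A_PRIV=A_PRIVATE_KEY_PLACEHOLDER; A_PUB=A_PUBLIC_KEY_PLACEHOLDER
B_PRIV=B_PRIVATE_KEY_PLACEHOLDER; B_PUB=B_PUBLIC_KEY_PLACEHOLDER
M_PRIV=M_PRIVATE_KEY_PLACEHOLDER; M_PUB=M_PUBLIC_KEY_PLACEHOLDER

# Router A listens for both peers. AllowedIPs is WireGuard's cryptokey
# routing table: it is the outbound route AND the only source addresses
# accepted from that peer, so B's entry must carry B's LAN prefix.
site_a_conf() {
    cat <<EOF
[Interface]
Address = $WG_A/24
ListenPort = 51820
PrivateKey = $A_PRIV

# Site B (site-to-site)
[Peer]
PublicKey = $B_PUB
AllowedIPs = $WG_B/32, $SITE_B_LAN

# Road-warrior laptop; it only ever sources its own tunnel address
[Peer]
PublicKey = $M_PUB
AllowedIPs = $WG_MOBILE/32
EOF
}

# Router B's AllowedIPs covers the whole tunnel subnet, not just $WG_A/32;
# otherwise packets from the laptop (relayed by A) are dropped on arrival.
# The keepalive keeps the NAT mapping open so A can initiate towards B.
site_b_conf() {
    cat <<EOF
[Interface]
Address = $WG_B/24
PrivateKey = $B_PRIV

[Peer]
PublicKey = $A_PUB
Endpoint = $A_ENDPOINT
AllowedIPs = $WG_NET, $SITE_A_LAN
PersistentKeepalive = 25
EOF
}

# Laptop: both LANs are routed through A, which is the "via home A" path
# discussed in the thread. A must forward (net.ipv4.ip_forward=1) to relay.
mobile_conf() {
    cat <<EOF
[Interface]
Address = $WG_MOBILE/32
PrivateKey = $M_PRIV

[Peer]
PublicKey = $A_PUB
Endpoint = $A_ENDPOINT
AllowedIPs = $WG_NET, $SITE_A_LAN, $SITE_B_LAN
PersistentKeepalive = 25
EOF
}

# GRE tunnel endpoints are the WireGuard addresses, so GRE rides inside the
# encrypted link. Interface is gre1 because Linux reserves gre0 as fallback.
# Argument: A or B (which router the commands are for).
gre_over_wg_cmds() {
    if [ "$1" = A ]; then
        local_ip=$WG_A; remote_ip=$WG_B; gre_addr=10.201.0.1/30
    else
        local_ip=$WG_B; remote_ip=$WG_A; gre_addr=10.201.0.2/30
    fi
    cat <<EOF
ip tunnel add gre1 mode gre local $local_ip remote $remote_ip ttl 255
ip addr add $gre_addr dev gre1
ip link set gre1 up
EOF
}

# Usage: print the three configs and the GRE steps for router A
for f in site_a_conf site_b_conf mobile_conf; do echo "### $f"; $f; done
gre_over_wg_cmds A
```

The point to take from the generated files is the asymmetry: only the hub lists the laptop, the hub's entry for B carries B's LAN, and B's entry for A must include the entire tunnel subnet so that traffic sourced by the laptop is accepted. Drop the laptop's `192.168.2.0/24` line and it can only reach home A, which is the trade-off the next reply raises.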

VXLAN is much better than GRE, but it is only supported on OPNSense at the moment. ZeroTier has high latency, so it’s a no-go for me anyway. We had to completely move to OPNSense at the moment, due to WG and VXLAN support.

Do you have an update on the rating comparison? It appears to me that over the last year OPNSense has moved up from a 7 out of 10 rating to something substantially higher. Is OPNSense now comparable to pfSense in stability and support for third party hardware out of the box? Is there any substantial drawback to going with OPNSense over pfSense now? I am a newbie to both firewalls. I am considering installing it on dedicated Protectli hardware (FW4B-0-4-120) for a Home firewall. I want to set up WG as well. Thoughts? Comments?

Everything was mostly fixed; we are now deploying OPNSense more and more often. A few things I am still missing:
Arp Watch, easy access to firewall states, pfBlocker, Snort.

It’s now a solid 9/10, but I would love to see some more development towards the API, though.

I’ll probably make a follow-up video on this topic soon; it seems like the community is eager to know what changed :)
