OPNsense / pfSense (general software discussion)

Started by Lazybones, January 01, 2023, 06:25:36 PM


Lazybones

Starting a separate thread from the hardware one as I have set up OPNsense on spare hardware and wanted to discuss the software. Leaving it open as OPNsense / pfSense are nearly the same. I went OPNsense mostly for broader drivers, UI and faster update cycles for the free/open parts.


I just migrated from my Edgerouter to OPNsense so here are my thoughts:

Pro:

- powerful enterprise options available for free at home like policy based routing and dynamic block list
- Aliasing for networks, hosts, IP lists, ports, including options for nesting
- "Floating" non-interface-bound rules. I haven't been forced to use interface-bound rules at work since we retired our old Cisco ASA firewalls. I like being able to write one rule focused on an application vs several based on interfaces. Still not true zone-based rules but not too bad.
- fairly easy to get WireGuard and OpenVPN working as a client or as a server
- unbound allows for a lot of DNS control including dynamic blocking and allowing options for serving stale results which can really enhance speed.
- lots of useful plugins
- rules and many objects support category tags which makes sorting them very fast.

Con:

- not really a big one but setting up things like mDNS and UPnP required a bit more work
- the secure defaults for unbound ARE SUPER SLOW: if you leave it at its default with root server resolution I found that uncached results were up to 300% slower than using it with forwarding.
- reporting etc seems to be a bit weak / outdated, most solutions suggest an external logging server.

Overall it is a step up from my EdgeRouter in terms of capability and ease for doing several things. I would never pick it over a Palo Alto in the enterprise space, but it could be really handy for a number of niche roles and for small business applications.
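The unbound trade-off described above (root-server resolution vs forwarding, plus "serve stale" answers) as a concrete configuration. This is an added example, not configuration from the thread or from the OPNsense project; it assumes that drop-in files under /usr/local/etc/unbound.opnsense.d/ are included by the unbound.conf OPNsense generates, that /etc/ssl/cert.pem is the system CA bundle on FreeBSD, and it uses Quad9's published DNS-over-TLS resolvers as the upstream. The blocklist zone name is constructed.

```conf
# Added example, not from the thread or OPNsense itself.
# Assumed location: /usr/local/etc/unbound.opnsense.d/tuning.conf
server:
    # Hand out an expired cached record immediately and refresh it in the
    # background: this is the "serve stale" option that hides upstream latency.
    serve-expired: yes
    serve-expired-ttl: 86400       # seconds an expired record may still be served
    # Refresh popular records (and DNSSEC keys) before they expire.
    prefetch: yes
    prefetch-key: yes
    # Send only the labels each upstream needs, and refuse answers that had
    # DNSSEC data stripped on the way.
    qname-minimisation: yes
    harden-dnssec-stripped: yes
    # CA bundle used to verify the DNS-over-TLS upstream (FreeBSD path, assumed).
    tls-cert-bundle: /etc/ssl/cert.pem
    # Local blocklist entry (constructed name). local-zone answers are authoritative
    # for every client that uses this resolver, which is why such lists affect the
    # whole network rather than a single host.
    local-zone: "tracker.invalid" always_nxdomain

# Forward everything instead of walking down from the root servers.
# Faster for uncached names; the cost is that one upstream now sees all queries,
# so it is forwarded over TLS to an operator chosen deliberately.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Checking the effect: `unbound-control stats_noreset` shows `num.query.type` and cache hit counters, and a second `drill`/`dig` of the same name should answer from cache even after its TTL has passed. Note that serve-expired means a client can receive an answer up to serve-expired-ttl seconds old; local-zone entries are answered locally and are not affected, so newly added blocklist names take effect immediately.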


Melbosa

Basically what you find with OPNsense is the same I found (and why I switched) to pfSense so many years ago. Glad it's working out for you.
Sometimes I Think Before I Type... Sometimes!

Lazybones

I am considering trying pihole/adguard/sensei to monitor DNS / application at a host level.. I have some basic block lists in unbound for malicious traffic however since those lists impact the WHOLE network I would like something with reporting and more granular control.

I have tried running pihole standalone in the past but combining it with the router/firewall simplifies things. My only reservation at this point is that these are community repo items, not mainline. Trying to balance stability vs function.

Lazybones

Still working on discovering and porting some of my home configuration to OPNsense native features.

Currently working on moving the reverse proxy from my internal host to OPNsense to take advantage of a few interesting features.

- using the acme plugin to get a wildcard Let's Encrypt cert for my domain (makes reverse proxy config so much easier)
- setting up nginx as the reverse proxy on OPNsense. While the config is a bit more complex initially, OPNsense includes easy controls and a front end for rate limiting, bot fail-to-ban, web application firewall plugin and rules, as well as a built-in honeypot system in nginx. All of which can be set up manually, but this is taken care of in OPNsense. Also the whole config gets backed up with OPNsense, so the firewall is really taking care of all external communication.
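The reverse proxy setup described in the post, written out as a plain nginx server block so the individual pieces (wildcard certificate, per-client rate and connection limits, forwarding headers) are visible. This is an added example, not the thread's configuration and not what the OPNsense nginx plugin generates from its UI; the certificate paths, the hostname app.example.com and the backend address 192.0.2.10:8080 are placeholders.

```conf
# Added example, not from the thread or the OPNsense nginx plugin.
# Shared-memory zones keyed by client address: 10 requests/second with a burst
# of 20, and at most 20 open connections per client. Excess requests get 429.
limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
limit_req_status  429;
limit_conn_status 429;

# Plain HTTP only redirects; nothing is proxied over it.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name app.example.com;

    # One wildcard certificate (*.example.com) from the acme plugin serves every
    # virtual host, which is what makes the per-service config short.
    ssl_certificate     /path/to/wildcard.example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/wildcard.example.com.key;             # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    limit_req  zone=per_ip burst=20 nodelay;
    limit_conn conn_per_ip 20;

    location / {
        # Backend on the internal network (documentation address, placeholder).
        proxy_pass http://192.0.2.10:8080;
        # Pass the original host and client address so the backend can log the
        # real source instead of the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With `limit_req` in place, a quick check from a client is to issue more than the burst allowance in one second and confirm the later responses come back as 429 and appear in the nginx error log with a "limiting requests" message; that log is also what a fail-to-ban style rule keys on.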

Lazybones

OPNsense 23.1 was just released. It adds kernel-mode WireGuard and some nice reporting / graphs to unbound DNS that show client activity and blocking from blocklists.

Mr. Analog

That sounds pretty good! Do you have any sample reports you can share? I'm curious what they look like
By Grabthar's Hammer

Lazybones

I have a dark theme plugin installed but this should give you a good idea.

The dot graph you can hover over and then click to flip you to the log screen filtered.

[three screenshot attachments of the unbound reporting page, not available]

Lazybones

Ripped this from a reddit thread but this is what it looked like with the default theme.

[screenshot attachment with the default theme, not available]

Mr. Analog

Whoa! I didn't expect this level of detail

This is great!
By Grabthar's Hammer

Lazybones

It isn't at the level of Pi-hole or AdGuard Home, but also really nice, as unbound is a full DNS server, not just a forwarder.

Melbosa

Yeah I have the same thing on my pfSense for the unbound DNS on it. Nice to see info like that.
Sometimes I Think Before I Type... Sometimes!

Lazybones

This was pointed out on the OPNsense reddit today: Netgate is dropping hints they may end the community edition of pfSense.

https://www.netgate.com/blog/23.01-release-candidate-now-available

Quote: "We encourage you to move from pfSense CE software to Netgate pfSense Plus software, which is still available at no charge."

Note the wording. Many suspect they will drop CE, then it is a small step to take away the free version of Plus.

Melbosa

I'll wait to see if they make CE EoL before I jump.
Sometimes I Think Before I Type... Sometimes!