OPNsense Forum

English Forums => General Discussion => Topic started by: dcol on March 13, 2023, 07:43:22 pm

Title: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 13, 2023, 07:43:22 pm
This list may be controversial, but I feel it is greatly needed. Personally I use both but prefer OPNsense.

PFsense has the following that OPNsense does not
1. pfblocker - easier setup of GeoIP rules, can do similar manually with OPN
2. Create a rule direct from Firewall Normal View log
3. Has more GUI Widgets
4. Move rule position by dragging
5. Auto Configuration Backup
6. More console widget options
7. Change Boot Environments - useful when downgrading version - workaround mentioned below.
8. States shown on Rules page - useful to see if rule was used
9. Access shell within WebGUI
10. Easier to get answers in the forum. More users.
11. More logs available

OPNsense has the following that PFsense does not
1. Quicker upgrade implementations
2. Image files available online - Not available with PFS Plus
3. Monit
4. Enable logging from Rules page
5. Disable Auto-added VPN rules
6. Backup configuration to Google Drive
7. Restore configuration from Shell
8. More plugins Available
9. View Hidden rules in WebGUI
10. Better Advanced firewall log filter
11. Friendlier, but less likely to get results in the community forum
12. More dedicated to open-source - There are signs that PFS will end their free community edition someday

I am sure there are many other item-specific differences. I just mentioned the major ones obvious to me. Feel free to add to this list. I am hoping some of the items from the first list can be eventually added to OPN.
This list may help others decide which to use.
Thanks for looking.
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: tiermutter on March 13, 2023, 08:47:48 pm
Changing BE is also possible on OPNsense using the bectl command. I always create a BE before doing updates or minor config changes for simple rollbacks if needed. Using bemanager you can also export a BE to other locations so that it can be used as a full bare metal backup :)
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: franco on March 13, 2023, 08:50:32 pm
I don't want to interfere, but I have to comment on:

> 9. Access shell within WebGUI

This and other GUI pages to modify file system content or execute commands are a security nightmare. Any auth/privilege bypass will have your firewall wide open to full remote access.

In any case thanks for posting. :)


Cheers,
Franco
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: EdwinKM on March 13, 2023, 08:51:27 pm
> Changing BE is also possible on OPNsense using the bectl command. I always create a BE before doing updates or minor config changes for simple rollbacks if needed. Using bemanager you can also export a BE to other locations so that it can be used as a full bare metal backup :)

Is there a guide for this?
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: franco on March 13, 2023, 08:53:23 pm
https://forum.opnsense.org/index.php?topic=25540.0
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 13, 2023, 09:14:18 pm
Thanks for that BE info. Didn't know about that. Guess my post was useful after all.
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: tiermutter on March 13, 2023, 09:19:55 pm
For sure I think it is useful, it just needs a little update :)
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: franco on March 13, 2023, 09:22:42 pm
To stay fair I think "things that are done via GUI" are a good base for such a comparison. I'm sure both can do a lot more under the hood if you know how to make them do it.


Cheers,
Franco
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 13, 2023, 09:24:49 pm
> I don't want to interfere, but I have to comment on:
>
> > 9. Access shell within WebGUI
>
> This and other GUI pages to modify file system content or execute commands are a security nightmare. Any auth/privilege bypass will have your firewall wide open to full remote access.
>
> In any case thanks for posting. :)
>
> Cheers,
> Franco

My ultimate wish list is #2,4 and 8
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 13, 2023, 09:26:36 pm
> To stay fair I think "things that are done via GUI" are a good base for such a comparison. I'm sure both can do a lot more under the hood if you know how to make them do it.
>
> Cheers,
> Franco

Excellent point
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: franco on March 13, 2023, 09:29:24 pm
For 8 there is an inspect button on the rule page and it even lets you drill down on the individual states... not sure what pf has but I hope ours is a bit better once you've seen it? ;)

For 2/4 it's going to be a long road but it will be done eventually once these pages move to MVC.


Cheers,
Franco
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: tiermutter on March 13, 2023, 09:44:54 pm
Ok, didn't know that pfsense allows managing BE from webGUI.
Is added to my wishlist, incl. exporting BE for bare metal backup :)
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 14, 2023, 05:00:45 pm
In PFS+ BE is so much more important because there are no images available. You have to rebuild from scratch from the CE version to reinstall Plus. Huge negative for PFsense Plus
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 14, 2023, 05:02:57 pm
> For 8 there is an inspect button on the rule page and it even lets you drill down on the individual states... not sure what pf has but I hope ours is a bit better once you've seen it? ;)
>
> For 2/4 it's going to be a long road but it will be done eventually once these pages move to MVC.
>
> Cheers,
> Franco

Thanks for that info. Did not know about the inspect button. It is even better than PFS. This allows me to see which rules are actually used. Can't wait for items 2 and 4.
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: EdwinKM on March 14, 2023, 09:00:59 pm
From a more technical POV: OPNsense devs have been working for years to move the codebase to MVC. How well is pfSense faring? Is that addressed at all, or are they refactoring (only?) in the "+" version? I did not follow that exactly, but my gut feeling was that they wanted to start from "scratch" (which is not bad per se).

Also it is still unclear to me what parts are "open" and "closed source". Is it open source with some closed source modules (usually enterprise stuff)? So more like "Untangle".
Anyway, pfsense did a terrible job communicating the road ahead.

Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 14, 2023, 10:07:26 pm
I think PFS+ is mostly closed, which is why they are not releasing the images for it. I suspect the CE project will come to an end sooner rather than later. Expect a lot of new users changing to OPNsense. They will not be disappointed.
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: franco on March 15, 2023, 04:32:33 pm
PfSense added the "V" as in view part of the MVC to the static pages. No API to my knowledge. Pages still static although they do have a unified design now.

The "M" as in model is really useful for micro-managing service configuration and doing inline migrations vs. a single point config.xml migration, plus the validation of data / integrity verification is a nice bonus.

As for "C" that is where we implement the API parts as well as the flat UI ends where the views are rendered. It also acts as a middleware to broker with the backend.

I think the whole problem started in 2015 with the pfSense 3.0 roadmap blog post[1]... APIs were shuffled to TNSR, where no GUI seems to be available. The crossover back to FreeBSD didn't happen, so CE was born and moved up the food chain as Plus. PHP was never removed, a framework never implemented. It's an interesting read in retrospect.

The FreeBSD side is still quite active and has good fixes nowadays going into FreeBSD, something that was always a major problem in the days past (one that we were vocal about).

I counted again today and from 271 static pages since the fork we have only 103 left. That doesn't sound like much but it is. It's a huge effort and worth the time.


Cheers,
Franco

[1] https://www.netgate.com/blog/further-a-roadmap-for-pfsense
Title: Re: Advantages OPNsense (23.1.3) vs PFsense (23.01)
Post by: dcol on March 15, 2023, 05:08:25 pm
> PfSense added the "V" as in view part of the MVC to the static pages. No API to my knowledge. Pages still static although they do have a unified design now.
>
> The "M" as in model is really useful for micro-managing service configuration and doing inline migrations vs. a single point config.xml migration, plus the validation of data / integrity verification is a nice bonus.
>
> As for "C" that is where we implement the API parts as well as the flat UI ends where the views are rendered. It also acts as a middleware to broker with the backend.
>
> I think the whole problem started in 2015 with the pfSense 3.0 roadmap blog post[1]... APIs were shuffled to TNSR, where no GUI seems to be available. The crossover back to FreeBSD didn't happen, so CE was born and moved up the food chain as Plus. PHP was never removed, a framework never implemented. It's an interesting read in retrospect.
>
> The FreeBSD side is still quite active and has good fixes nowadays going into FreeBSD, something that was always a major problem in the days past (one that we were vocal about).
>
> I counted again today and from 271 static pages since the fork we have only 103 left. That doesn't sound like much but it is. It's a huge effort and worth the time.
>
> Cheers,
> Franco
>
> [1] https://www.netgate.com/blog/further-a-roadmap-for-pfsense

Thanks to all the great work the devs have done.