Hi,
Is there a list of companies that use opnsense in larger environments?
I have someone trying to change the networks from opnsense to meraki
Quote
"because it just works and large companies use meraki, and nobody uses opnsense"
Sadly, that's manager speech. There was the quote "Nobody gets fired for buying IBM" in the past. The same applies for products which are in the Gartner quadrant in the upper right. Open source products always struggle against common managers.
They calculate some funny total cost of ownership (TCO) and bring some "incalculable risk" on the open source side.
Good thing is that there is good commercial support for OPNsense.
The managers will still say that it's easier to find a technician for a Meraki/FortiGate/Palo and so on instead of someone who knows OPNsense.
I agree with that,
I was asked if I could develop a list of "real" companies that use opnsense?
The manager knows nothing about routing and is willing to have it just work (i.e., wide open), which is a disaster in itself.
This is partly driven by one tech who when his company was bought joined the network and his rules in meraki when they exist are any to any rules.
There are a whole bunch of any to any tunnels that "just work" as well.
But the manager does not seem to know enough to recognize this as a problem. etc...
Which is beside the point, but I am looking for examples of larger companies that use OPNsense, to counter the argument that OPNsense is not used for business.
I work at a Formula 1 team. We used it in specific simple circumstances that didn't warrant a more enterprise-y firewall (such as a Palo Alto Networks device).
I have had great success setting up a OPNsense firewall for each of my clients. I feel they are far better protected than any of the "business" solutions offered by the ISP.
We are what is traditionally called an SMB. In the late 90s we started out as an ISP, and I can claim that I myself am (or at least was at the time) one of the leading firewall experts in Germany.
Search for the archive of the firewall-wizards mailing lists. My most prestigious consulting customer was the IT of the country of Hesse in Germany.
Today we develop enterprise web solutions, run our own hosting service, and generally aid in what our marketing department named open source digitalisation.
That being said we migrated all our customers and our own data centre from formerly Secure Computing / McAfee / Forcepoint Sidewinder to OPNsense and we are not looking back.
That boils down to ~20 firewalls in total - we are neither a large enterprise ourselves nor the big kahuna of security consulting - but the product is so impressively solid. The open source development mode so perfectly fits our company "DNA".
If $manager demands a product by $bigvendor regardless of the technical merit, I recommend looking for a new job. At some point you find yourself fighting windmills.
Best of luck, HTH,
Patrick
I installed multiple OPNsense firewalls in SMB environments, and also some Meraki and Unifi stuff.
The "better support and professional support" is a pipe dream. I would even say that if you are willing to pay for OPNsense support, their support is far superior. Heck let me even go one step further, Franco and Patrick in this forum offer better support than paid phone support for Meraki ;)
The main problem OPNsense has is the "nobody ever got fired for buying blue" problem.
I have a great "nobody ever got fired for buying blue" story.
Switzerland gov needed a new emergency telephone provider.
We have the formerly state owned ISP Swisscom. They are expensive but offer ok quality.
They used their old analog line for a long time, then all of a sudden realized that they can save money by going digital. So over a pretty short time they migrated millions of users to VOIP. I even worked there at that time ;)
We also have the ISP Sunrise. They are the cheap competitor with worse quality. But because they never owned their own landline and always had to rent it, they were doing VoIP over the phone line and fiber for years with great success.
There are of course also many other ISPs and also VoIP only providers, but I will leave them out for simplicity.
So while Swisscom was pretty new to the VoIP game, Sunrise was rock solid for years.
Swisscom had multiple nationwide failures where the phone would go offline for hours.
Now, imagine you are in the situation to decide which one to choose as a provider for your state wide emergency line. Which one would you choose? Sunrise? Wrong!
When something goes wrong with Sunrise people will tell you:
"Why the fu** did you choose Sunrise? They are only second! They are cheap! What did you expect would happen!"
Compare that with your boss's argument "because it just works and large companies use meraki, and nobody uses opnsense". Sounds familiar?
So you choose Swisscom instead. Despite them having two nationwide VoIP failures even before the time you do your evaluation! No joke!
Guess what happened next.
Of course we had 3 additional incidents where our emergency lines went down and we had police stations publish their Sunrise mobile phone numbers so people could contact the police.
What was the public reaction to that debacle?
"Well that sucks. But nothing we can do about it. Swisscom is the market leader. If they can't do it, nobody can. This is just like the weather, it is simply something we have no influence over".
We have some opnsense firewalls in the field.
It lacks some critical features for us to roll it out in a wider context.
For example:
- better firewall rule ui
- an easier way to import basic configuration, a cli would be great for that
Who offers a better firewall ui?
To me they are pretty much all the same, no matter if pfSense, Meraki, FortiGate...
I come from Astaro originally, I think the FortiGate UI is quite a bit better. Plus CLI. And FortiManager, as fiddly as it may be.
The FortiGate stuff is better in this regard, but do you really want hard-coded passwords that people forgot about?
Mine is just my department, but the network person on campus is always impressed by what I can do, and how easily I can do it compared to their Cisco thingamajig. And it costs a fraction of what they pay, way below 10% of the cost per year. But the Cisco is AI powered! Some insurance person checks the box:
x - Cisco firewall
Then moves on to the next thing that they don't know a thing about.
Quote from: Greg_E on October 24, 2024, 04:44:38 PM
The FortiGate stuff is better in this regard, but do you really want hard-coded passwords that people forgot about?
Cisco is the company with a never-ending story of hard-coded backdoors. Fortigate was even better: no check of credentials at all. Open house, all night long...
Quote from: Greg_E on October 24, 2024, 04:44:38 PM
The FortiGate stuff is better in this regard, but do you really want hard-coded passwords that people forgot about?
Mine is just my department, but the network person on campus is always impressed by what I can do, and how easily I can do it compared to their Cisco thingamajig. And it costs a fraction of what they pay, way below 10% of the cost per year. But the Cisco is AI powered! Some insurance person checks the box:
x - Cisco firewall
Then moves on to the next thing that they don't know a thing about.
The Cisco stuff is really terrible though.
Quote from: bimbar on October 24, 2024, 10:39:24 AM
We have some opnsense firewalls in the field.
It lacks some critical features for us to roll it out in a wider context.
For example:
- better firewall rule ui
- an easier way to import basic configuration, a cli would be great for that
To be honest, the firewall rule ui is one of the best I've seen. Don't like the FortiGate view. There are a couple of small things I would change and some annoyances but nothing deal breaking.
Which ui is better in your opinion?
The last FortiManager security flaw was really scary.
Quote from: Gauss23 on October 24, 2024, 09:46:29 PM
Which ui is better in your opinion?
Sidewinder :P
EOL product, so not a real contest. Windows Explorer sidebar-like view of rules - you could create arbitrarily deep rule group/folder hierarchies, move rules by drag and drop, move groups by drag and drop, enable/disable rules or entire groups ... great UI.
Also the network objects tool (aliases in OPNsense) - just great.
Quote from: Gauss23 on October 24, 2024, 09:46:29 PM
Quote from: bimbar on October 24, 2024, 10:39:24 AM
We have some opnsense firewalls in the field.
It lacks some critical features for us to roll it out in a wider context.
For example:
- better firewall rule ui
- an easier way to import basic configuration, a cli would be great for that
To be honest, the firewall rule ui is one of the best I've seen. Don't like the FortiGate view. There are a couple of small things I would change and some annoyances but nothing deal breaking.
Which ui is better in your opinion?
The last FortiManager security flaw was really scary.
The main feature I miss in opnsense is the ability to display and edit objects directly in a rule.
Well,
Personally, from my experience what bothers me most with enterprise vendors such as Cisco, Oracle etc. is the state of their support: they do not care.
Even if you have diamond contracts, often the support is just (sorry for this, but still worth it if I get banned) shit. You can't even imagine what support and stupidities I am getting from them. I am currently at my job/company holding a higher success rate at fixing issues than Cisco TAC support. This is sad.
I am literally getting better support for OPNsense here on the forum from people like Franco, Patrick, New, Mo, Chem, Cookie and other active users than from a paid enterprise vendor.
Regards,
S.
Thanks for all the input. It does not help, as Cisco uses the big-name approach and "look at all our big customers".
As a note, we have more than 20 firewalls running, supporting more than 1,000 users, so this is not small.
The CIO just wants a brand name and easy to use so "any" body can do it.
I find in North America that if you have money, then people feel that if it is a big box company it will be better.
We also seem to have problems with the idea of open source. Some "uneducated" IT people ban open source because it is open source (which large companies like Microsoft, Cisco, Apple, etc. still promote), even though all the large companies use the same open source software in their products.
Quote from: Seimus on October 25, 2024, 10:57:37 AM
You can't even imagine what support and stupidities I am getting from them. I am currently at my job/company holding a higher success rate at fixing issues than Cisco TAC support. This is sad.
Regards,
S.
Yes, yes I can. We used to get fantastic support from Enterasys; now Extreme support is, well, not great. We have over $100k for our support contract with them, it was a 5-year and it took them over 2 years to deliver the power supplies to power the switches up... Think they gave us a credit? Yup, a single year on some of the devices.
Overall, the corporate support world is just lacking as they go cheaper and cheaper. You can never talk directly to one of the engineers that designed the product or programmed the software anymore. Excepting of course OPNsense, once in a while TrueNAS, and definitely XCP-ng. I should also add that FS.com and MikroTik are pretty good with support too, but I don't have a lot of equipment from them and don't ask too many questions.
To me you're on a battle you can't win if the decision maker has to justify it to his/her peers IMHO.
OPN is great and used in large environments but like the similarly-named distribution, and other leaning more on the Open source world, they are "unknown" in the world of Corporate IT.
Like it or not, the big 'uns have thrown a lot of money into their offerings, which include products, services, support, training and certification and more. And they build walls around them to make them a proprietary offering. Then the cheerleaders at Gartner go and put them in their quadrants and you have the CIOs noticing.
> The CIO just wants a brand name and easy to use so "any" body can do it.
This is one of the big ones to overcome. If he/she is looking for the brand name so "anybody" can do it, we all know it means there are certifications out there where they can go and get a certified engineer when they need to, rather than trying to find someone who knows a particular (in their eyes "niche") product.
Same as Unix/Linux for servers. They won't replace their CentOS app servers with FreeBSD ones even if they are better suited for their purpose. Same reasons.
Quote from: Greg_E on October 28, 2024, 09:04:42 PM
Yes, yes I can. We used to get fantastic support from Enterasys; now Extreme support is, well, not great. We have over $100k for our support contract with them, it was a 5-year and it took them over 2 years to deliver the power supplies to power the switches up... Think they gave us a credit? Yup, a single year on some of the devices.
Indeed you do. Well this is exactly the problem that plagues enterprise, sell for more but go cheaper and cheaper on support for Day 2 etc.
Quote from: cookiemonster on October 28, 2024, 10:37:59 PM
To me you're on a battle you can't win if the decision maker has to justify it to his/her peers IMHO.
OPN is great and used in large environments but like the similarly-named distribution, and other leaning more on the Open source world, they are "unknown" in the world of Corporate IT.
Like it or not, the big 'uns have thrown a lot of money into their offerings, which include products, services, support, training and certification and more. And they build walls around them to make them a proprietary offering. Then the cheerleaders at Gartner go and put them in their quadrants and you have the CIOs noticing.
> The CIO just wants a brand name and easy to use so "any" body can do it.
This is one of the big ones to overcome. If he/she is looking for the brand name so "anybody" can do it, we all know it means there are certifications out there where they can go and get a certified engineer when they need to, rather than trying to find someone who knows a particular (in their eyes "niche") product.
Same as Unix/Linux for servers. They won't replace their CentOS app servers with FreeBSD ones even if they are better suited for their purpose. Same reasons.
This is another plague I see in enterprises. It's like brainwashing.
As an engineer I barely get into offer and buying calls or discussions. The few times it happened that I was on such calls, people clapped their hands "what an awesome product", yet when I pointed out several shortcomings not even the vendor's technical people could answer.
Usually how it works is they buy crap, it gets into deployment and provisioning, and then they figure out it's not working or not behaving as expected, because it never should have in the first place :D.
When I was redoing my personal network, I had the possibility to get H/W from the BIG names, but I said no and gave OPNsense and other open source projects a shot to build what I need. I really would love to have OPNsense at work, but enterprise is enterprise...
The only thing we can hope for is that with time this mindset of management changes.
Regards,
S.
I also run into the "open source software is garbage and full of bugs" statements. This is one of the reasons I'm budgeting for a DEC2770: the device immediately provides an acceptable appliance, even though the software is exactly the same.
And yet they also use Linux servers here, so how is that any different? And Drupal, can't forget our web host software, isn't that also open source? (scratches head) ???
I'm on old hardware now, so this is an upgrade that is really needed. Hopefully the hardware will extend my current Business license, but I'm not going to worry about it right now. By the time I get it, I'll only have a year left of that license and it's pretty inexpensive.
Getting kind of off topic. I do know a lot of businesses use pfSense, so I would expect there are a few who secretly use OPNsense.
Thank you for all the comments, I agree with many of them.
Sometimes open source is a battle that cannot be won, even though they already use it.
Security auditors are another problem with the same stuff. I remember being told you should get a brand name like Dell, not a white box solution. (To me Dell is a white box.)
The biggest problem I see is that they don't want to train their people to think, and they do not really care about security, because if it "just works" and they don't need all that training, the chances of an insecure configuration or improper logic, and the chances of errors, go way up.
https://www.max-it.de/wp-content/uploads/2023/12/2023_11_14_maxIT_Success-Story_PME_quer-Thomas-Krenn-FIN.pdf
This is a public success story in German. We manage OPNsense for pme Familienservice. 1 datacenter, 80 branches and 2000 employees, OPN everywhere.
Quote from: mimugmail on November 04, 2024, 05:52:12 AM
https://www.max-it.de/wp-content/uploads/2023/12/2023_11_14_maxIT_Success-Story_PME_quer-Thomas-Krenn-FIN.pdf
This is a public success story in German. We manage OPNsense for pme Familienservice. 1 datacenter, 80 branches and 2000 employees, OPN everywhere.
<3 Beautiful
You are also doing a lot of webinars regarding OPNsense, but I guess those are in German. Any chance you can do some in English?
Regards,
S.