OPNsense Forum

English Forums => General Discussion => Topic started by: MrWizard on March 30, 2026, 11:40:27 AM

Title: Port OPNsense to Linux?
Post by: MrWizard on March 30, 2026, 11:40:27 AM
I saw the new Mono gateway, and while I like it, it also points to a deeper underlying issue with OPNsense. It trades high network performance of BSD kernel for poor quality drivers and hardware support, which, from my limited point always seems to be behind Linux, and more ppl today are familiar with Linux, unlike BSD. I saw on the openSUSE fora that some use it to route & firewall big internet connections for companies, so it's not unheard of. BSD drivers and hardware support will always be an issue for OPNsense, as few hardware companies want to invest in it, due to its few users. Linux, while imperfect, but due to its larger userbase which is growing, also sees better support from hardware vendors and a bigger team working on it. That goes from NIs and CPUs, especially.
I do understand that the lure of BSD is the routing efficiency of its kernel and low sys footprint. Now, could Linus Torvalds & the Linux kernel team be convinced to increase the routing efficiency of the Linux kernel, if it is possible, and work with the OPNsense guys and girls to do it?
If the above is correct, it costs little to at least start a dialogue with him/them about it.
Title: Re: Port OPNsense to Linux?
Post by: Monviech (Cedrik) on March 30, 2026, 11:58:42 AM
The entirety of pf(5) does not exist on linux.

Linux has some things, BSD has other things. It's always a tradeoff.

By extension it would be better to look into OpenWRT or Vyos for open source linux based projects, since they natively wrap around what linux offers.

OPNsense is heavily based around a lot of FreeBSD ecosystem requirements like PF.
Title: Re: Port OPNsense to Linux?
Post by: bimbar on March 30, 2026, 12:39:43 PM
With the background of the various freebsd controversies, this does not seem like such a far fetched idea as it did years ago.
Title: Re: Port OPNsense to Linux?
Post by: OPNenthu on March 30, 2026, 01:16:48 PM
Nothing's perfect but Linux gives me an uneasy feeling with all the different directions it's going in and how fast it's moving.
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on March 30, 2026, 01:39:23 PM
Quote from: bimbar on March 30, 2026, 12:39:43 PM
With the background of the various freebsd controversies, this does not seem like such a far fetched idea as it did years ago.

Porting is entirely impossible. The core foundation of OPNsense does not exist on Linux.

Feel free to build an entirely different firewall product based on Linux. But then why do that and not just switch from OPNsense to e.g. IPfire?
Title: Re: Port OPNsense to Linux?
Post by: pfry on March 30, 2026, 03:53:58 PM
Quote from: Monviech (Cedrik) on March 30, 2026, 11:58:42 AM
The entirety of pf(5) does not exist on linux.[...]

I would have gone for an abstraction layer. But then, I'd still be working on it instead of having a working product for 10 years. Reality intervenes.
Title: Re: Port OPNsense to Linux?
Post by: Monviech (Cedrik) on March 30, 2026, 04:08:45 PM
Let's vibe code it with autonomous agents and Claude in 2 days and then fix it for 20 years. xD
Title: Re: Port OPNsense to Linux?
Post by: nero355 on March 30, 2026, 04:26:14 PM
Quote from: bimbar on March 30, 2026, 12:39:43 PM
With the background of the various freebsd controversies, this does not seem like such a far fetched idea as it did years ago.
Such as ?! o.O

/EDIT :
Quote from: Patrick M. Hausen on March 30, 2026, 04:37:23 PM
https://forum.opnsense.org/index.php?topic=50102.0
https://lists.freebsd.org/archives/freebsd-hackers/2025-December/005383.html
Ahh... well if that is all then @bimbar could have just said that...

But Linux has that kind of issues too : SystemD anyone ?! ;)
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on March 30, 2026, 04:37:23 PM
Quote from: nero355 on March 30, 2026, 04:26:14 PM
Such as ?! o.O

https://forum.opnsense.org/index.php?topic=50102.0
https://lists.freebsd.org/archives/freebsd-hackers/2025-December/005383.html
Title: Re: Port OPNsense to Linux?
Post by: pfry on March 30, 2026, 05:21:46 PM
Quote from: OPNenthu on March 30, 2026, 01:16:48 PM
Nothing's perfect but Linux gives me an uneasy feeling with all the different directions it's going in and how fast it's moving.

Time to revisit GNU Hurd? OpenBSD? OpenIndiana? NetBSD? Haiku? Resurrect open-source QNX?

I agree, though. I spend a lot of time configuring my servers, and I want to avoid having the rug pulled out from under me. As Windows and Fedora do constantly. Or Debian's SystemD intro. Or Spengler closing GRSecurity. Bleh.

Quote from: Schroinx on March 30, 2026, 11:40:27 AM
[...]I saw on the openSUSE fora[...]

Rumor has it SUSE's up for sale again. Which makes me wonder what SAP is up to. Oh well.
Title: Re: Port OPNsense to Linux?
Post by: Greg_E on March 30, 2026, 08:40:45 PM
OpenIndiana or IllumOS might be interesting, too bad Apple stopped making their BSD flavor available (Darwin).

I'd agree that a Linux version would be nice to have, but the lift to get there is just monumental without a serious influx of very large amounts of cash money to hire a team to make it happen. And if that happens, let me make people mad, I'd put it on openSuse Leap Micro.
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on March 30, 2026, 08:47:27 PM
Again: why not simply use an existing Linux based firewall product like IPfire?

The concepts of the core packet filter, routing, and virtual network components in FreeBSD vs. Linux are so fundamentally different that it's not a matter of heavy lifting. IMHO it plain does not make sense.
Title: Re: Port OPNsense to Linux?
Post by: pfry on March 30, 2026, 10:20:17 PM
Quote from: Patrick M. Hausen on March 30, 2026, 08:47:27 PM
Again: why not simply use an existing Linux based firewall product like IPfire?[...]

Heh: Did they ever fix their one-VLAN limitation?

It's too bad Vyatta was sold so many times. A victim of endless management musical chairs. DANOS was kind of interesting. I imagine Ciena will dump it if AT&T and IBM stop paying for it.
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on March 30, 2026, 10:31:56 PM
Since Apple is not contributing much to BSD, then most of the lifting has to be done by volunteers, but as Linux is more widely used, that's likely also where many go to help out.


@Patrick

Can the functions be added to Linux's kernel, and would it make sense, if someone was to convince Linus about the importance of it?
Title: Re: Port OPNsense to Linux?
Post by: nero355 on March 30, 2026, 10:32:10 PM
Quote from: pfry on March 30, 2026, 10:20:17 PM
Heh: Did they ever fix their one-VLAN limitation?
When I see all of this : https://www.ipfire.org/about

It sounds like a Licensing thing that you are talking about and not a limitation inside the underlying Linux distro ??

Also I know people who simply grabbed a Minimal Debian install and built their own DIY Router on top of that with IPTables/NFTables and some SystemD Networking Services ;)
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on March 30, 2026, 10:36:07 PM
It's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.

But surely improving on that project to allow an arbitrary number of zones will be easier than "porting" OPNsense. What would the latter even mean? You can port parts of the UI but definitely not the rules and NAT sections because all of this works completely differently (I am repeating myself ;-). So better focus on a Linux based product to begin with or create a new one. That's essentially my only point.
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on March 30, 2026, 10:43:45 PM
Quote from: Schroinx on March 30, 2026, 10:31:56 PM
@Patrick
Can the functions be added to Linux's kernel, and would it make sense, if someone was to convince Linus about the importance of it?


No, definitely not. Linux suffers greatly from NIH (not invented here) syndrome, and while in BSD land (specifically FreeBSD) not everything is perfect - far from it, there is historic evidence that Linux in general and Linus in particular refused again and again to import working concepts and software for taste/political reasons more than technological ones.

E.g. netgraph, dtrace, ZFS, ...

ZFS is the only thing where I can relate to Linus. He more or less stated: "Unless I have a written statement by Larry Ellison (read: Oracle's legal department) that it's ok, I won't integrate ZFS into the Linux kernel for copyright reasons." Understandably so.

The barrier to get pf into the Linux kernel is huge - just forget it.

Linux has a working kernel firewall (or two or whatever - what do I know?) and that's what a Linux based firewall has got to use.

HTH,
Patrick
Title: Re: Port OPNsense to Linux?
Post by: drosophila on March 31, 2026, 12:14:54 AM
Quote from: Patrick M. Hausen on March 30, 2026, 10:36:07 PM
It's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.
AFAICS this is a legacy concept that originated from SmoothWall, before it became IPCop, before it became IPFire. Or somesuch as I didn't follow the development closely.
They had originally "colored" the physical interfaces, which made perfect sense back in the day as there aren't too many even now. Probably the simplicity of the concept kept it around, even though with VLANs it should be updated to at least "8 bit colors". :)
Title: Re: Port OPNsense to Linux?
Post by: pfry on March 31, 2026, 01:06:33 AM
Quote from: Patrick M. Hausen on March 30, 2026, 10:36:07 PM
It's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.[...]

IPFire (or its progenitor) actually implemented very limited VLAN support (one VLAN per interface/zone...?) before Ben Greear's VLAN code was upstreamed, and they kept that model for historical reasons. From "Zone Configuration" (https://www.ipfire.org/docs/configuration/network/zoneconf):

Please note that:
- Due to backwards compatibility reasons, you can't assign more than one VLAN to a zone
- One NIC can't be accessed natively by more than one zone
- You can't use the same VLAN tag more than once per NIC
[...]

IPFire is definitely its own thing.
Title: Re: Port OPNsense to Linux?
Post by: pfry on March 31, 2026, 01:16:35 AM
Quote from: MrWizard on March 30, 2026, 10:31:56 PM
[...]Can the functions be added to Linux's kernel, and would it make sense, if someone was to convince Linus about the importance of it?

Heh. Even the reprogrammed, sensitive and politically correct Linus would have some choice words about that.

Why not get serious and add a pf (filter) and IPFW (shaper compatibility layer) plugin to VPP? No kernel mods required. Porting OPNsense (and maintaining the port) would be a bit of a nightmare. And VPP itself is a moving target - there's a reason it's not packaged for any distro (that is, available via a package manager [Edit: standard repository. I knew what I meant.]).
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on March 31, 2026, 01:30:52 PM
I saw a guide on a guy making a Lenovo Tiny into a 10/10 Debian router. The UI may not be the best for the average user.

IPFire does not get recommended.

OPNsense does, so ppl come here, if they need more than OpenWrT but are not Linux sysadmins.
That has increased manyfold as ppl distrust Chinese & US vendors, myself included.
Many today also run an ad-removal service on their router like Pi-hole.


@Patrick

Thx.

Title: Re: Port OPNsense to Linux?
Post by: Monviech (Cedrik) on March 31, 2026, 01:52:53 PM
There is also nothing quite like Poudriere or the whole ports ecosystem where you can build the whole system reproducibly and declaratively from source. The whole build ecosystem is different between FreeBSD and Linux.

In Linux, maybe NixOS can do it declaratively, but that is a very fickle beast.

The main issue isn't just to do some translation layers, it's a multi-layered issue through many different systems and dependencies.

I also do not miss systemd in the slightest to be honest. :D
Title: Re: Port OPNsense to Linux?
Post by: nero355 on March 31, 2026, 03:34:50 PM
Quote from: Monviech (Cedrik) on March 31, 2026, 01:52:53 PM
There is also nothing quite like the whole ports ecosystem where you can build the whole system reproducibly and declaratively from source.
Another thing that's really annoying in Linux : Distro Release X leaves you stuck with Application Release Y

While in FreeBSD I can simply do my own thing via the Ports and install a newer version :)

Quote
I also do not miss systemd in the slightest to be honest. :D
Another weird thing :
- The Linux distro uses SystemD.
- But it does not use its networking component and uses NetworkManager instead for example.

Result : Sometimes the whole timing between the Network Interfaces coming UP and services bound to a specific IP Address like OpenSSH Server getting started miss their timing and things go horribly wrong...

There is a SysCtl workaround for this, but still... What the heck ?!?! :(
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on April 01, 2026, 10:03:02 PM
Yes, Nix is declarative.

The reason IPFire is being unrecommended, is the guys behind.

So there will likely be users for a Linux router with an OPNsense like user interface and decent support. The Linux user base is growing.


Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on April 01, 2026, 11:45:40 PM
Quote from: MrWizard on April 01, 2026, 10:03:02 PM
The reason IPFire is being unrecommended, is the guys behind.

So I learned, thank you.

Quote from: MrWizard on April 01, 2026, 10:03:02 PM
So there will likely be users for a Linux router with an OPNsense like user interface and decent support. The Linux user base is growing.

But there must be a dozen different firewall appliance distributions based on Linux given how the Linux community and ecosystem ticks? There ...

* insert Anakin and Padme meme *

Seriously, no takers? OpenWRT for sure. And they have an optional more capable UI IIRC?

Then again - you need hardware anyway. And Mikrotik Router OS while closed source is not that bad. I use it for everything Layer 2 here.
Title: Re: Port OPNsense to Linux?
Post by: OPNenthu on April 02, 2026, 12:05:20 AM
Quote from: Patrick M. Hausen on April 01, 2026, 11:45:40 PM
Quote from: MrWizard on April 01, 2026, 10:03:02 PM
The reason IPFire is being unrecommended, is the guys behind.

So I learned, thank you.

I'm still clueless.  Where can I go to also learn?
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on April 02, 2026, 12:17:51 AM
Quote from: OPNenthu on April 02, 2026, 12:05:20 AM
I'm still clueless.  Where can I go to also learn?

I was just taking his statement verbatim. If whoever is behind IPfire is problematic, so be it. I am not really interested in digging deeper. "Difficult" project leads in open source are not uncommon. Case closed for me.
Title: Re: Port OPNsense to Linux?
Post by: OPNenthu on April 02, 2026, 12:20:03 AM
Got it.  Maybe @MrWizard will feel comfortable to elaborate a bit.
Title: Re: Port OPNsense to Linux?
Post by: passeri on April 02, 2026, 05:34:10 AM
I have no deep background knowledge of IPfire. I have run it in test only, and donated a couple of times in hopes of the fabled v3 or whatever the relevant number is. I noted the "my view on how it must work" restrictions on basic operation of the available zones and the since largely recanted attack on Wireguard as an alternative to OpenVPN. I remain aware of IPfire but otherwise am very happy with OPNsense at the edge and Mikrotik behind.
Title: Re: Port OPNsense to Linux?
Post by: chemlud on April 02, 2026, 09:51:12 AM
Feature request: Port OPNsense to windows 11...



Just kidding.... :-D
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on April 02, 2026, 12:52:37 PM
When ppl ask on places like Reddit and other inet forums for a router setup for people who are in technical groups but not sysadmins, value foss, . For the simpler and up to 1 gbit, OpenWrT and a compatible access point are often recommended. With 1gb and above, many have a separate APs and router, and here pfsense & OPNsense is what is being recommended. Also the access to cheap 10gb network gear. Perhaps OpenWrT is too cut down? I don't know.
With the loss of trust in general, China, US, W11, US tech monopolies - more is also turning to FOSS solutions in general in Europe, and installing Linux has become both more urgent, but also accessible due to GUI like KDE Plasma and better installers.

You can add AI to the W11 port. I'm sure it will be an instant hit. 😄
Title: Re: Port OPNsense to Linux?
Post by: meyergru on April 02, 2026, 01:21:44 PM
I understand why it is not feasible to port OpnSense to Linux. Instead, what COULD be done is to invent a new firewall from scratch with Linux underneath, aiming exactly at prosumer users, who want more security or features than what an average consumer router (like a Fritzbox) offers, but with less complexity (at the expense of overwhelming features) than OpnSense.

I would bet that this is a tough spot, though: You do not have businesses as paying customers (like OpnSense and the "other product"), and you do not offer the hardware appliance that can be monetarized like AVM's Fritzbox.

Having had a company that tried to reach that market in vain, I know that those prosumers are enthusiastic for features and quality, but less so for paying the effort that goes along with it.
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on April 02, 2026, 01:53:25 PM
On top there is also that Proxmox and similar visors are popular for running various things, incl a router and often an ad-removal software/docker. They are Linux based and can be set up with a GUI. So that is making inroads on the router, along with low prices of small computers. For the power users this has been a new thing, and for the low end, it's machines like the Raspberry Pi, that can also do it.
 
Personally, I have been looking into this too, as I am a superuser on Windows, and now have planned to transition my machines to Linux, but haven't gotten around to it yet.

@meyergru

Agree, and we are also bad at paying for things, esp if the money has gone to companies like MS. And them costing say 200€ for W11 home AI & personal account required slop.

FOSS is a different beast, and most projects cannot live off the corporate business alone to pay the bills for the non-profit users well. But also, as they gain in momentum, it should become normal to say just give 10-15-20€ for years use and updates.
Title: Re: Port OPNsense to Linux?
Post by: bimbar on April 02, 2026, 01:59:06 PM
The main question for me is the future of freebsd, I'm fairly sure that linux is more of a long term thing.
Additionally, what I read in the other thread about the way freebsd is managed, does not fill me with confidence.
Title: Re: Port OPNsense to Linux?
Post by: Monviech (Cedrik) on April 02, 2026, 02:02:32 PM
You could also run a firewall on OpenBSD, I always like to refer to this project:

https://github.com/sonertari/PFFW

That person also maintains the SSLproxy project that can do inline DPI and other fancy stuff.
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on April 02, 2026, 02:24:36 PM
Only that OpenBSD scales even worse for multicore and speeds of 10 G and beyond :-P
Title: Re: Port OPNsense to Linux?
Post by: OPNenthu on April 02, 2026, 02:34:43 PM
I'm really curious to see how the Mono gateway pans out with OPNsense.  If that hardware offload turns out successful, could it be a scalable model to even greater speeds than 10G?
Title: Re: Port OPNsense to Linux?
Post by: Monviech (Cedrik) on April 02, 2026, 03:13:00 PM
I saw OPNsense running on vmware with 100gig sustained throughput and more at customers (iperf3, multiple threads 100+, stateful, full PF features). I don't know where all the people come from that say it's not scalable.

It is, but not with your puny home N100 hardware et al. It scales with good hardware and good environments.
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on April 02, 2026, 03:19:08 PM
There is also the bigger turn in Europe, as Schleswig-Holstein admin is transitioning 30.000 desktops to Linux and FOSS. While many likely chose to use Linux-based routers for smaller offices, as that is what they know and get reeducated in. Unless someone has sold a bunch of OPNsense routers to SH without making it public. Reportedly, they are looking at openSUSE for the desktops.
More will follow. This is a deeper change away from Windows and proprietary software, which is likely to spread.
Title: Re: Port OPNsense to Linux?
Post by: bimbar on April 02, 2026, 03:32:50 PM
Not sure what linux firewall that would be, I don't know of any that is actually on the level of opnsense.

Also I don't know if the network infrastructure will also be open source.
Title: Re: Port OPNsense to Linux?
Post by: MrWizard on April 02, 2026, 03:46:57 PM
Many could do it like this, where he does it on Debian. May not be pretty and no UI, but brute force and SSH can also do, and Linux is a known, unlike BSD.

https://www.pieterhollander.nl/post/debian-router/


Me neither. If they are moving to FOSS and Linux, then EU hardware that is not vendor locked, like Mikrotik & OPNsense will also likely be on the wishlist, as it is for me privately, to replace my Chinese network AP-router. No Chinese or Cisco gear for them either, but we will see.
Title: Re: Port OPNsense to Linux?
Post by: OPNenthu on April 02, 2026, 04:00:30 PM
Quote from: Monviech (Cedrik) on April 02, 2026, 03:13:00 PM
It is, but not with your puny home N100 hardware et al.
Size-shaming us now, eh? 😂

Quote from: MrWizard on April 02, 2026, 03:19:08 PM
This is a deeper change away from Windows and proprietary software, which is likely to spread.
I don't know where it's all headed because we have problems at every level and it's very sad that issues of mass surveillance, censorship, and digital sovereignty aren't even the most pressing.  That's just where we techies like to focus.

I've gotten some new perspectives from Nate Hagens' YT channel, but, it's hard to be optimistic...

:'(
Title: Re: Port OPNsense to Linux?
Post by: Monviech (Cedrik) on April 02, 2026, 04:08:21 PM
Quote from: OPNenthu on April 02, 2026, 04:00:30 PM
Size-shaming us now, eh? 😂

Less my intention, more saying that the kind of hardware you need to push past sustained 10Gbit/s is immense, even 25Gbit/s (stateful firewall performance) is already quite a challenge for a small company.

If you ever played Factorio, it's the difference between launching your first rocket, to launching it sustained with no breaks.

A small raspberry Pi or N100 is just not the target audience for this kind of sustained load, you need a big server and switches that can handle it etc... and these are all well beyond homelab or small business budgets.

And in these environments, admins who know the likes of Juniper, also know about BSD like systems (Junos is FreeBSD based, just as an example).
Title: Re: Port OPNsense to Linux?
Post by: bimbar on April 02, 2026, 04:27:01 PM
Quote from: Monviech (Cedrik) on April 02, 2026, 04:08:21 PM
Quote from: OPNenthu on April 02, 2026, 04:00:30 PM
Size-shaming us now, eh? 😂

Less my intention, more saying that the kind of hardware you need to push past sustained 10Gbit/s is immense, even 25Gbit/s (stateful firewall performance) is already quite a challenge for a small company.

If you ever played Factorio, it's the difference between launching your first rocket, to launching it sustained with no breaks.

A small raspberry Pi or N100 is just not the target audience for this kind of sustained load, you need a big server and switches that can handle it etc... and these are all well beyond homelab or small business budgets.

And in these environments, admins who know the likes of Juniper, also know about BSD like systems (Junos is FreeBSD based, just as an example).

Having worked in those circles for 15 years, I doubt a junos admin knows BSD.

Anyway, if we're talking that kind of hardware, Cisco switches are widely used, for routers, of course Cisco, if you want to go european, probably Nokia. I'm not so sure about firewalls, Fortinet is very popular, if you want to go european, maybe Sophos?
For switches, I don't see any good options for open source. Nor for routers. Firewalls is a bit better, but beyond opnsense there's not much either.

So, to summarize, I doubt they'll go FOSS for the networking stuff.

As to the sustained load thing, I don't see any problems with N100 or something like that, there's many a cisco router that struggles to do 100MBit out there.
Title: Re: Port OPNsense to Linux?
Post by: OPNenthu on April 02, 2026, 04:39:46 PM
I think as well Netflix runs customized FreeBSD nodes at the edge but not for routing/firewalling.  IIRC, they cache and serve content that is most popular in the specific regions where they are deployed, so the most in-demand shows load and stream instantly.

I believe it when people say FreeBSD is capable, and where it isn't, companies make it so.

My point about the Mono gateway was that it seems to be trying to solve a significant bottleneck of software routing using hardware tricks... something that could potentially remove any argument for moving to Linux, at least for the performance aspect.  A hardware-assisted OPNsense could be interesting, especially if it scales.
Title: Re: Port OPNsense to Linux?
Post by: nero355 on April 02, 2026, 05:15:44 PM
Quote from: meyergru on April 02, 2026, 01:21:44 PM
What COULD be done is to invent a new firewall from scratch with Linux underneath, aiming exactly at prosumer users, who want more security or features than what an average consumer router (like a Fritzbox) offers, but with less complexity (at the expense of overwhelming features) than OpnSense.
There is soo much already out there so what do you need exactly that they can not offer ?!

IPTables/NFTables/UFW/etc...

Quote
AVM's Fritzbox
I hate those things! :(

I know ISPs in Germany have flooded the country with them and some Dutch ISPs use them too, but still : Can we please get rid of those things ?!?!

Quote from: OPNenthu on April 02, 2026, 04:00:30 PM
Quote from: Monviech (Cedrik) on April 02, 2026, 03:13:00 PM
It is, but not with your puny home N100 hardware et al.
Size-shaming us now, eh? 😂
IKR ?! LOL! ^_^

Quote
Quote from: MrWizard on April 02, 2026, 03:19:08 PM
This is a deeper change away from Windows and proprietary software, which is likely to spread.
I don't know where it's all headed because we have problems at every level and it's very sad that issues of mass surveillance, censorship, and digital sovereignty aren't even the most pressing.  That's just where we techies like to focus.
Your main problem is TCPA/Palladium but since everyone has discovered that at least 20 years too late after the release of Windows 11 there is a very low chance that we can go back to a world where things like TPM chips and DRM do not exist anymore... :'(

Quote from: Monviech (Cedrik) on April 02, 2026, 04:08:21 PM
And in these environments, admins who know the likes of Juniper, also know about BSD like systems (Junos is FreeBSD based, just as an example).
Sorry to disappoint you, but my experience agrees with his :
Quote from: bimbar on April 02, 2026, 04:27:01 PM
Having worked in those circles for 15 years, I doubt a junos admin knows BSD.
I had to save a customer's life basically after he had been awake for 3 days and totally stressed because his racks lost connection and his Juniper/HP/CISCO Switches were no longer talking to one another...

Fixed it in like one hour and could have done it even faster if his CISCO Switch wasn't a glorified LinkSys model with a horribly slow webGUI :P

Suddenly I was his favorite contact at the hosting company... I wonder why ?! LOL !!!

Quote
So, to summarize, I doubt they'll go FOSS for the networking stuff.
There is Jolla SailFish for phones :)
Title: Re: Port OPNsense to Linux?
Post by: meyergru on April 03, 2026, 09:39:05 AM
Quote from: nero355 on April 02, 2026, 05:15:44 PM
There is soo much already out there so what do you need exactly that they can not offer ?!

They could offer a decent UI with more limited features, but aimed at what most clueless people who come in here think a firewall should do. There are countless examples of voicing that, the last of which was this one (https://forum.opnsense.org/index.php?topic=51501).

That is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.

It is very hard to down-size an existing appliance like OpnSense that has grown over the years and adapted many tools and plugins. The decline of FreeBSD poses a chance to start from scratch, with a specific clientele in mind.

What the Fritzbox does not is better in the direction of simplicity, but worse in the way of flexibility, e.g. you cannot have DNS aliases, making the use of name-based reverse proxies or having several services on one IP very difficult. Also, it lacks something like Adguard Home or Pi-Hole.

While IPfire and other Linux-based firewalls may have the correct feature-set, they suck even more on the "complexity" side for such users than OpnSense.

P.S.: To be clear: I like OpnSense for what it is. But, as I often said, it is not suited for the average Joe who does want "a little bit more" than what consumer routers offer. There are more of those these days with IoT and homelabbing. Such users just want the benefits, but are unable or unwilling to grasp the underlying concepts and need a stringent UI, which OpnSense does not offer.

So, this is a growing market that is neither met by Fritzboxes, IPfire, OpenWRT, nor by OpnSense and all the others. Yet, I think that despite there being a lot of people who would love to have it, they are also the same people who do not want to pay for that luxury.
Title: Re: Port OPNsense to Linux?
Post by: drosophila on April 03, 2026, 02:26:44 PM
Quote from: nero355 on April 02, 2026, 05:15:44 PM
QuoteAVM's Fritzbox
I hate those things! :(

I know ISPs in Germany have flooded the country with them and some Dutch ISPs use them too, but still : Can we please get rid of those things ?!?!
What's so bad about these boxes? In comparison to the other ISP-provided devices, they are among the most flexible, most configurable and generally most "prosumer" I've seen. Of course they're not Open WRT and not close to OPNsense but that's not what they're meant to be, and they're good at what they do, update support is also better than most ISP-provided boxes. However, the flexibility is also being dumbed-down in the name of "Clean UI and pleasant user experience", making simple tasks unnecessarily complicated (like the removal of the "disable WLAN" option, which now you can only do by disabling every transmit band individually, and you can't disable ISDN/S0 at all), so now you need a FAQ for what used to be self-explanatory. Also, I think at some point in the past they had firewall logs that seem to have vanished, or hidden extremely well. But what annoys me most about FritzOS is that they'll forward you to some AVM site from within their UI without so much as notifying you. This is, to me, a security hazard, the UI of an appliance must be entirely self-contained without external links unless these are explicitly declared.
OK, the OS is AFAIK not FOSS so you can't mod it like you could with at least some Telekom-provided boxes, the last I know is that AVM cracked down on the modding scene with restricting their lab versions somehow.
Title: Re: Port OPNsense to Linux?
Post by: nero355 on April 03, 2026, 03:53:33 PM
Quote from: drosophila on April 03, 2026, 02:26:44 PM
What's so bad about these boxes?
Well, this =>
QuoteHowever, the flexibility is also being dumbed-down in the name of "Clean UI and pleasant user experience"
Even their "Expert Mode" is not advanced enough...
I have seen many of them in combination with xDSL subscriptions and each time I got home again I gave my little DrayTek xDSL Modem/Router a little hug for being soo much better for the same price! ;)

QuoteBut what annoys me most about FritzOS is that they'll forward you to some AVM site from within their UI without so much as notifying you. This is, to me, a security hazard, the UI of an appliance must be entirely self-contained without external links unless these are explicitly declared.
Microsoft started doing that too since Windows 8.x or 10 and it's seriously annoying when the GUI becomes a minefield you have to carefully approach... W-T-F...?!?!

Quote from: meyergru on April 03, 2026, 09:39:05 AM
They could offer a decent UI with more limited features, but aimed at what most clueless people who come in here think a firewall should do. There are countless examples of voicing that, the last of which was this one (https://forum.opnsense.org/index.php?topic=51501).
My German is not that great, but I know what you mean and for that there is no other option than OpenWRT/DD-WRT/Tomato and other alternative firmwares.

I do have to admit that I have seen an example of "WRT based firmware" where the Firewall webpage was basically a direct view into the IPTables config file... oops! LOL!

QuoteThat is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.
But then again when you go completely "DIY Router" by building it from scratch you probably also know what you need and how you are going to do it ?!

QuoteIt is very hard to down-size an existing appliance like OpnSense that has grown over the years and adapted many tools and plugins.
Like mentioned above : If you want something a bit more advanced for a more or less regular price then DrayTek Routers are IMHO the way to go :)

I suggested one for a friend for his small restaurant on his farm and one day he told me : "I am so happy that limiting the bandwidth of the Guest VLAN is just a couple of clicks now!"
So even a more or less beginner user can do this kind of stuff!

QuoteWhat the Fritzbox does not is better in the direction of simplicity, but worse in the way of flexibility, e.g. you cannot have DNS aliases, making the use of name-based reverse proxies or having several services on one IP very difficult. Also, it lacks something like Adguard Home or Pi-Hole.
If they would cut their prices in half it would not be an issue at all, but they ask a lot of money for devices that are pretty basic overall !!

QuoteWhile IPfire and other Linux-based firewalls may have the correct feature-set, they suck even more on the "complexity" side for such users than OpnSense.
To be honest IPFire somehow has never gotten my attention and I am still not convinced enough to even try it in a VM or test somehow anyway...
Basically this : https://forum.opnsense.org/index.php?topic=50857.msg260055#msg260055
But for all of their stuff ;)

QuoteP.S.: To be clear: I like OpnSense for what it is. But, as I often said, it is not suited for the average Joe who does want "a little bit more" than what consumer routers offer.
Such users just want the benefits, but are unable or unwilling to grasp the underlying concepts and need a stringent UI, which OpnSense does not offer.

So, this is a growing market that is neither met by Fritzboxes, IPfire, OpenWRT, OpnSense and all the others. Yet, I think that despite there being a lot of people who would love to have it, they are also the same people who do not want to pay for that luxury.
The friend I was talking about used to have some old pfSense Appliance and the new DrayTek was pretty expensive because it needed to handle his 1 Gbps Fiber connection (At the time there wasn't much that could do it so easily!) so it's all a matter of who you are and what you need at a certain moment I guess...
Title: Re: Port OPNsense to Linux?
Post by: pfry on April 03, 2026, 05:11:30 PM
Quote from: meyergru on April 03, 2026, 09:39:05 AM
[...]That is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.[...]

But the alternative is...? There is the flexibility angle, but more so, perhaps, is that if you have three legs and stand on three separate rugs, having one pulled out from under you hurts a bit less. Resource commitment vs. risk - a tough choice.
Title: Re: Port OPNsense to Linux?
Post by: meyergru on April 03, 2026, 06:19:47 PM
I was merely talking about what design goals and expectations would be against something like this. When you omit flexibility and do that in a consolidated way instead of configuring any single specific service, you can do that.

Like: model the data, the relations between them, make that editable from the UI and then generate the split configurations for all needed services (of which there exists only the respective one you need to fulfill the needs of your model). All of those services can be hidden behind the surface, because the user does not need to know which exactly is being used.

An example: Someone coming into the forum and asking: "I heard that ISC DHCP is EOL - there is Kea or DNSmasq, which should I choose?" is a pointless discussion. The very fact of which DHCP service is in use under the blanket could be hidden and is only to be determined by the developers. The users only need to fill in MACs and IPs in case of reservations - which service is being used to actually do the job should not be relevant to them.
Title: Re: Port OPNsense to Linux?
Post by: pfry on April 03, 2026, 07:56:09 PM
Quote from: meyergru on April 03, 2026, 06:19:47 PM
[...]Like: model the data, the relations between them, make that editable from the UI and then generate the split configurations for all needed services (of which there exists only the respective one you need to fulfill the needs of your model). All of those services can be hidden behind the surface, because the user does not need to know which exactly is being used.[...]

An abstraction layer, exchanging implementation-specific features for uniformity. Naturally. It's an option.
Title: Re: Port OPNsense to Linux?
Post by: drosophila on April 04, 2026, 04:25:34 AM
So Draytek still are good? I had one once and it was pretty solid. It had to be decommissioned due to lack of updates in the end. It even looked and felt like it was indestructible despite being plastic only. Everything else looks and feels flimsy compared to that (except the ancient Cisco rackmount switches with their "snake skin" finish :) ).

BTT: that sort of confusion probably arises from the default (unchangeable?) install coming with these options preinstalled without a default(?). Maybe the confusion would go away without reducing flexibility if you'd have a page "DHCP", on which you have an "enable" and then a dropbox to select which one, with one (say, Dnsmasq) preselected, and its options appearing below that depending on what is chosen, with the rest auto-disabled but keeps its config stored so that you can go back and forth without losing settings.
So if you enable "DHCP" you'd just get Dnsmasq unless you change it and most would probably go with that preselected choice, but for those who care the option is there and immediately visible because the dropbox is a common way to do this and thus intuitive.
This would probably even make the UI cleaner because now services are sorted alphabetically instead of by function.
Title: Re: Port OPNsense to Linux?
Post by: meyergru on April 04, 2026, 09:21:24 AM
@drosophila: But that does not change the way how most of this is done within OpnSense, by creating the interfaces around the specific implementation of the various services, like that currently, even the actual MAC->IPv4 tables are edited and saved for each service individually. @pfry put it right: There currently is no abstraction layer.

Also, that abstraction layer could catch even more than the uniform usage of different services, but also the jump from the MAC->IP to the IP->DNS layer, including aliases. It could also cover the problems around the dynamic to static transition of devices.

What I mean by that is that now, with Kea, when you first put a device on the network, it will get a dynamic IPv4. Yes, you can make that static - but that does not work at all, because the lease is not deleted and conflicts with the static reservation, thus creating a big problem in its wake (https://forum.opnsense.org/index.php?topic=51324.msg263439#msg263439).

Imagine a "client" entry that can be created manually or automatically upon first contact, where you just fill in the blanks, like change the DNS name, add DHCP options or DNS aliases and so forth, thereby creating a static reservation, while deleting the Kea lease underneath.

But doing that would be an initial design choice, trading limiting capabilities for ease of use. I doubt that it could or even should be tried in OpnSense.
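
One way the "client" entry and abstraction layer discussed in the posts above could be modelled, as an added example that is not part of the thread and not OPNsense code. `Client`, `promote_to_static` and the `lan.example` domain are hypothetical; the generated lines use dnsmasq's `dhcp-host`/`cname` options, Kea's reservation keys and `lease4-del` command (which needs Kea's lease_cmds hook library), and Unbound's `local-data`.

```python
import ipaddress, re
from dataclasses import dataclass, field, replace

DOMAIN = "lan.example"  # constructed sample domain
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")
NAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

@dataclass
class Client:
    """One device record: MAC, IP, name and aliases live in a single place."""
    mac: str
    ip: str
    hostname: str
    aliases: list = field(default_factory=list)
    static: bool = False  # False: device is still on a dynamic lease

    def validate(self):
        # The values are written into several config files, so malformed
        # input (including embedded newlines) is rejected once, here.
        ipaddress.IPv4Address(self.ip)
        if not MAC_RE.fullmatch(self.mac.lower()):
            raise ValueError(f"bad MAC: {self.mac!r}")
        for name in [self.hostname, *self.aliases]:
            if not NAME_RE.fullmatch(name.lower()):
                raise ValueError(f"bad name: {name!r}")

def promote_to_static(c, hostname, aliases=()):
    """Fill in the blanks for a dynamic client. Returns the static record and
    the Kea control command that removes the old lease, so the lease cannot
    conflict with the new reservation."""
    new = replace(c, hostname=hostname, aliases=list(aliases), static=True)
    new.validate()
    return new, {"command": "lease4-del", "arguments": {"ip-address": new.ip}}

def kea_reservations(clients):
    """Entries for the "reservations" list of a Kea subnet4 block."""
    return [{"hw-address": c.mac, "ip-address": c.ip, "hostname": c.hostname}
            for c in clients if c.static]

def dnsmasq_lines(clients):
    """The same records as dnsmasq reservations plus DNS aliases."""
    out = []
    for c in (c for c in clients if c.static):
        out.append(f"dhcp-host={c.mac},{c.ip},{c.hostname}")
        out += [f"cname={a}.{DOMAIN},{c.hostname}.{DOMAIN}" for a in c.aliases]
    return out

def unbound_lines(clients):
    """The same records as Unbound host overrides (name and aliases)."""
    return [f'local-data: "{n}.{DOMAIN}. IN A {c.ip}"'
            for c in clients if c.static for n in [c.hostname, *c.aliases]]
```
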
Title: Re: Port OPNsense to Linux?
Post by: nero355 on April 04, 2026, 03:45:46 PM
Quote from: drosophila on April 04, 2026, 04:25:34 AM
So Draytek still are good? I had one once and it was pretty solid.
I had two of them and they have never let me down! :)

For xDSL they are my #1 choice be it just a Modem or a Modem/Router combo.

QuoteIt had to be decommissioned due to lack of updates in the end.
10 years later my 2860 still got a firmware update so I guess that's not bad at all these days ?!

QuoteIt even looked and felt like it was indestructible despite being plastic only. Everything else looks and feels flimsy compared to that (except the ancient Cisco rackmount switches with their "snake skin" finish :) ).
Yeah, I would trust it as a brick to throw towards someone's head in case of an emergency! LOL! :P
Title: Re: Port OPNsense to Linux?
Post by: Lucid1010 on April 04, 2026, 04:32:30 PM
https://www.netgate.com/blog/pfsense-software-embraces-change-a-strategic-migration-to-the-linux-kernel
Title: Re: Port OPNsense to Linux?
Post by: meyergru on April 04, 2026, 04:49:42 PM
I nearly fell for it.... April Fools.
Title: Re: Port OPNsense to Linux?
Post by: Netlearn on April 05, 2026, 02:54:47 AM
Quote from: meyergru on April 04, 2026, 04:49:42 PM
I nearly fell for it.... April Fools.

I suppose that, too, but found this:

https://www.netgate.com/blog/netgate-releases-pfsense-plus-software-version-26.03

And it says "It lays the foundation for the future of pfSense software, including native Linux support."
Title: Re: Port OPNsense to Linux?
Post by: pfry on April 05, 2026, 04:17:57 AM
Nobody remembers pfsense 3 (https://fast.dpdk.org/events/slides/DPDK-2017-09-pfSense.pdf)?
Title: Re: Port OPNsense to Linux?
Post by: FraLem on April 05, 2026, 09:46:44 AM
"............... including native Linux support."


Surprising. Virtualization environment?
Title: Re: Port OPNsense to Linux?
Post by: chemlud on April 05, 2026, 12:08:07 PM
Quote from: pfry on April 05, 2026, 04:17:57 AM
Nobody remembers pfsense 3 (https://fast.dpdk.org/events/slides/DPDK-2017-09-pfSense.pdf)?

...they are too young :-D
Title: Re: Port OPNsense to Linux?
Post by: Greg_E on April 06, 2026, 03:45:11 PM
To throw gas on the fire, there is a small group working on a GUI for VyOS, he has a github set up for this and is working along as fast as time allows. It might be really interesting once it's done.
Title: Re: Port OPNsense to Linux?
Post by: franco on April 08, 2026, 10:03:51 AM
Quote from: pfry on April 05, 2026, 04:17:57 AM
Nobody remembers pfsense 3?

I was there 3000 years ago...

On a more serious note OPNsense isn't going anywhere. The fate of FreeBSD is that of FreeBSD itself and they made it clear. For our part we can and will manage very well.

All the people wanting the ultimate Linux based firewall but nobody really doing it...  maybe the two are mutually exclusive or we just haven't waited long enough?


Cheers,
Franco
Title: Re: Port OPNsense to Linux?
Post by: Patrick M. Hausen on April 08, 2026, 10:18:49 AM
Quote from: franco on April 08, 2026, 10:03:51 AM
All the people wanting the ultimate Linux based firewall but nobody really doing it

One could argue that Mikrotik's RouterOS fits that bill. Oh, you (*) want it to be open source ... well :-)

(*) not you personally, Franco
Title: Re: Port OPNsense to Linux?
Post by: franco on April 08, 2026, 10:29:11 AM
That's the point indeed... build it... yes... open source it... investors don't like that.


Cheers,
Franco