OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: TL on March 19, 2016, 04:50:29 pm

Title: Questions before attempting the transition (pfSense -> OPNsense)
Post by: TL on March 19, 2016, 04:50:29 pm
I've been using pfSense for a number of years, saw the writing on the wall when they started in with the "gold" menu and have been waiting forever for them to fix some things, so OPNsense looks like the way to go, probably.

But, at present, pfSense is working, for limited values of working.

In transitioning, are there tools to import a pfSense backup and process what can be processed, and toss the rest, or is it ground-up configuration rebuilding time?

Does OPNsense solve my major pet peeve with pfSense as it sits, which is that traffic shaping (primarily the limiter, as I find that it does "fairness" the way I want, better - share available bandwidth fairly, rather than limit arbitrarily even if lots of BW is unused) AND run transparent squid sensibly (i.e., squid cache hits are not limited, so we actually reap the benefit of squid in improving performance beyond what our outside line can do)?? I have tried many variants of many people's claimed recipes for this on pfSense, and none have worked, and most have resulted in the system needing to be restored to a working configuration. Since ~pfSense 2.1.5 the two things simply can't run at the same time (before that they could, but cache hits were shaped.)

For almost a year now I just gave up on transparent squid as the limiter/bandwidth sharing is more important to overall function, but I'd like to get transparent squid back so I can re-implement squidguard filtering. Non-transparent squid with overbearing rules/individual setup is not a good solution IMHO, and the antiquated and never widely adopted auto web proxy discovery methods are largely pointless.

I found a few threads with "pfsense transition" in the title, but not much about the actual transition in the thread, when I searched for "pfSense" here. If I've missed a helpful, detailed thread, please point me to it. If not, let's make this be that thread.

Thanks.

Title: Re: Questions before attempting the transition (pfSense -> OPNsense)
Post by: franco on March 19, 2016, 06:52:35 pm
Hi TL,

Welcome. Let me try to answer your questions briefly and go into more details if needed. :)

> In transitioning, are there tools to import a pfSense backup and process what can be processed, and toss the rest, or is it ground-up configuration rebuilding time?

The transition from 2.1.x is seamless, just import the config. Caveats here are that packages have been removed and selectively rebuilt (especially the proxy) so that will need reconfiguring or other types of replacements.

The transition from 2.2.x requires a minor tweak, namely editing the version tag of the XML before import: https://github.com/opnsense/core/issues/28#issuecomment-141755217

We've tried to retain as much of the original config format as possible, which means 2.3.x transitions will likely be beyond our scope. The above tweak may work, but no guarantees can be made, and providing such a "reverse upgrade" path in config.xml layout terms is a slippery slope we don't want to fall down.

> Does OPNsense solve my major pet peeve with pfSense as it sits, which is that traffic shaping (primarily the limiter, as I find that it does "fairness" the way I want, better - share available bandwidth fairly, rather than limit arbitrarily even if lots of BW is unused) AND run transparent squid sensibly (i.e., squid cache hits are not limited, so we actually reap the benefit of squid in improving performance beyond what our outside line can do)?? I have tried many variants of many people's claimed recipes for this on pfSense, and none have worked, and most have resulted in the system needing to be restored to a working configuration. Since ~pfSense 2.1.5 the two things simply can't run at the same time (before that they could, but cache hits were shaped.)

We've killed the ALTQ-based (pf) shaping in favour of a reworked stock-FreeBSD limiter (ipfw) approach. Since we've replugged the proxy in 15.7, the two have been working together as is. On that front, we'll also add FQ/Codel support that has recently become available as an additional patch for FreeBSD.

Here are the proxy and limiter docs to skim through in terms of what GUI and features you'll encounter on OPNsense:

https://docs.opnsense.org/manual/how-tos/shaper.html
https://docs.opnsense.org/manual/how-tos/proxywebfilter.html

Hope that helps.


Cheers,
Franco