OPNsense Forum

English Forums => General Discussion => Topic started by: sparticle on November 26, 2022, 02:11:53 pm

Title: Why BSD base. Why not Linux base?
Post by: sparticle on November 26, 2022, 02:11:53 pm
I am sure this topic has come up before, but I was wondering why the dependency on BSD.

These days a base Ubuntu server which is capable of routing is using <200 MB of RAM and runs on just about any type of hardware with decent NIC drivers that have very active development.

It would be awesome to have all of the OpnSense goodness on top of an enterprise grade mainstream Linux server OS that has mucho dinero spent on development.

Maybe it's just history and legacy but I think it's holding OpnSense back!

Cheers
Spart
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 26, 2022, 03:58:00 pm
OPNsense's basic architecture is built on the pf packet filter - which is BSD only.
Of course you can build a Linux based firewall, but it wouldn't be OPNsense.

OpenWRT and IPfire exist.

Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 26, 2022, 04:16:21 pm
OPNsense's basic architecture is built on the pf packet filter - which is BSD only.
Of course you can build a Linux based firewall, but it wouldn't be OPNsense.

OpenWRT and IPfire exist.

They do exist but are clunky. I came here from Untangle.

These days netfilter is built into the kernel and nftables is the new standard for a lot of the enterprise Linux OS vendors; massive dev effort across that community.

Are you saying that the main reason for sticking with BSD is pf?

Cheers
Spart

Title: Re: Why BSD base. Why not Linux base?
Post by: lilsense on November 26, 2022, 04:24:48 pm
What makes Linux so special???
If you are looking for a small footprint, then you go with NetBSD. If you want security, then your choice is OpenBSD. For enterprise class POWERHOUSE, you go with FreeBSD.

BSD just takes a lickin' and keeps on ticking...

Now if you want GUI... then you can go back to Untangle and work on making it look like the way you like it... :D

Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 26, 2022, 04:56:52 pm
What makes Linux so special???
If you are looking for a small footprint, then you go with NetBSD. If you want security, then your choice is OpenBSD. For enterprise class POWERHOUSE, you go with FreeBSD.

BSD just takes a lickin' and keeps on ticking...

Now if you want GUI... then you can go back to Untangle and work on making it look like the way you like it... :D

Obviously an xBSD fan. But your assertions may have been valid 10 years ago around security and enterprise but not today, and just stating them as fact is misleading. I like OpnSense but it is built on sinking foundations.

There are other foundations that are community supported, like Debian for instance, and more capable and performant with a massive global footprint and support ecosystems. If it's really pf that's the anchor then there is no way forward.

I was really just trying to understand if there was a deal-breaker dependency, and maybe it is pf. I have no understanding of how the product architecture is structured and whether, for instance, the UI is closely or loosely coupled or integrated. If you take OpenWRT you can hack it from the command line or install LuCI from the standard package management and config via web UI. You can do similar with OpnSense core.

And why does anyone who asks these types of questions just get told to * off back to where they came from :)

Cheers
Spart
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 26, 2022, 05:49:07 pm
Are you saying that the main reason for sticking with BSD is pf?
More or less, yes. And why would you switch a thriving well-received product to an inferior codebase - architecture wise?

We built our entire hosting platform on FreeBSD, running about 1000 customer instances. It's way cleaner, smaller, and easier to manage with a small team. We are well integrated into the community.

As for OPNsense I don't know how large Deciso's development team is. I can repeat that for limited resources BSD is the easier code base to work with. Facebook, Google et al. all have their own kernel teams. They have to, given the current state of Linux development. I don't see anything "switching to Linux" would improve in OPNsense. What exactly do you have in mind? What features are missing?
The one that easily comes to mind is hardware support for low end consumer devices? Sorry, that's the one point where I personally say: sorry, not interested. Run something Linux based, then.

I'm interested in a solid product based on something like this:
https://shop.opnsense.com/dec4000-series-opnsense-rack-security-appliance/

How would you improve this beyond what it already does by dropping BSD for Linux?

Kind regards,
Patrick
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 26, 2022, 06:13:44 pm
Thanks for the reply Patrick. I think I have my answer and that root then drives the rest of the codebase.

Maybe my hardware choices are the issue. VM performance is not great compared to Linux, driver issues abound.

Dedicated HW like the link you provided I can understand.

I just wonder how many of the userbase fit into the category of enterprise users. I suspect a large proportion of the community are home network or similar to myself users.

I run it on the edge of my SMB lab and home lab. Currently, it is sitting on a Dell rackmount ESXi host. If we had better internet it might be an issue, but we are not blessed with that in the rural locations.

For example, across the internal ESXi vswitch I get a max of .63 Gb and across the LAN on 1G infrastructure .55 Gb. We spent a long time following all the tweaking guides to get the best LAN performance we can. As I said, on the WAN side we don't really care as our backhaul is sub 100Mb.

Linux VMs across the switch are running around 9Gb and across the LAN at Gb wire speed.

It's just an example I am sure there are many more.

Thanks for taking the time to respond.

Cheers
Spart


Title: Re: Why BSD base. Why not Linux base?
Post by: Bob.Dig on November 26, 2022, 06:27:43 pm
I suspect a large proportion of the community are home network or similar to myself users.
And how much are those contributing with money?  ;)
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 26, 2022, 06:46:35 pm
I just wonder how many of the userbase fit into the category of enterprise users. I suspect a large proportion of the community are home network or similar to myself users.
We are not exactly enterprise but what is commonly called SMB - small and medium sized business. If the German user group is in any way representative, the majority of users with a high participation in the community are of that kind. Many system integrators/consultants who place OPNsense and pfSense devices at all their customers' locations.

I used to be in the business of selling commercial firewalls, the (in)famous Sidewinder, absolutely brilliant product for its time. I run 4 OPNsense installations, two data centre, two office, for my own company alone, plus I have moved all customers who agreed from Sidewinder to OPNsense.

For these, even while not "enterprise" 1600 € for a rackmount appliance once and no recurring license fees ever (!) makes OPNsense an absolute no-brainer. "Internet" is business critical, you know  ;)

Personally if a Deciso appliance doesn't fit the bill I would not use anything less than some Supermicro server board with IPMI, ECC memory, and all the good stuff I'm used to. Actually that is precisely what I run at home currently. The board was left over after I upgraded my TrueNAS system (another very fine BSD based product, although picky about the hardware - surprise! ;)) So I bought just a Supermicro case, some Noctua fans, used left over SSDs and I am running OPNsense on server grade hardware with a ZFS mirror and definitely enough performance for all my home needs.

Kind regards,
Patrick
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 26, 2022, 11:39:18 pm
I suspect a large proportion of the community are home network or similar to myself users.
And how much are those contributing with money?  ;)

I can see why your handle is bob.dig!

:)
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 26, 2022, 11:43:36 pm

Personally if a Deciso appliance doesn't fit the bill I would not use anything less than some Supermicro server board with IPMI, ECC memory, and all the good stuff I'm used to. Actually that is precisely what I run at home currently. The board was left over after I upgraded my TrueNAS system (another very fine BSD based product, although picky about the hardware - surprise! ;)) So I bought just a Supermicro case, some Noctua fans, used left over SSDs and I am running OPNsense on server grade hardware with a ZFS mirror and definitely enough performance for all my home needs.

Kind regards,
Patrick

Yes, we have OpnSense running in ESXi on an ex-eBay Dell server. Plenty of enterprise goodness. Just a pity about the network performance. The server has a quad port NetXtreme BCM5720; maybe I need to swap it for an Intel card and try that.

Cheers
Spart
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 26, 2022, 11:48:53 pm
Use a dedicated system instead of virtualising. It's a bad idea for infrastructure, anyway  ;)
Title: Re: Why BSD base. Why not Linux base?
Post by: Supermule on November 26, 2022, 11:58:58 pm
Running bare metal is a waste of resources.

EOD.

Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 27, 2022, 12:13:39 am
Yes, we have OpnSense running in ESXI on an ex Ebay Dell server.
If only VMware would support VirtIO for network interfaces and block storage, possibly all open source platforms would benefit from running in ESXi.
Title: Re: Why BSD base. Why not Linux base?
Post by: chemlud on November 27, 2022, 09:08:34 am
Running bare metal is a waste of resources.

EOD.

For you. Maybe..  :P
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 27, 2022, 01:45:14 pm
Running bare metal is a waste of resources.

EOD.

For you. Maybe..  :P

Our electricity price has tripled so no I don't want to proliferate multiple systems when I have a perfectly capable server to virtualize in!

And if xBSD would invest some time in fixing the drivers we would have parity performance.

Cheers
Spart
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 27, 2022, 01:57:03 pm
There is a lot of work being put in making FreeBSD perform top notch on AWS EC2 and Firecracker. The performance leaves a bit to be desired in ESXi, admitted. Maybe a KVM based hypervisor would be an option for you?

As I said: if only VMware would support open standards and VirtIO.
Title: Re: Why BSD base. Why not Linux base?
Post by: mimugmail on November 27, 2022, 02:11:41 pm
OPNsense's basic architecture is built on the pf packet filter - which is BSD only.
Of course you can build a Linux based firewall, but it wouldn't be OPNsense.

OpenWRT and IPfire exist.

They do exist but are clunky. I came here from Untangle.


So, you came here and ask OPN to move over to Linux. Did you also ask at IPFire and WRT to be not so clunky anymore? :)
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 27, 2022, 02:56:15 pm
As of Nov 22 VMware has approx 26% of the global virtualisation market, with MS approx 10% and Xen about 8%, and the rest made up of the many other offerings out there.

My point in opening this dialogue was to understand the anchor to xBSD. I think I have my answer and it's the core dependency on pf.

I am not an OpnSense hater. I like the product, as stated; there are challenges with performance on VMware, but it's not the end of the world for me at present as our backhaul, as stated, is sub 100mb.

But I do look at the future and wonder whether all of the OpnSense goodness would be better served on a more mainstream enterprise class Linux foundation, with orders of magnitude more resources into development. Arguments around security, scalability, reliability, resource management etc. are all moot these days.

It seems open discourse is hard and the standard approach is to attack the poster!

Cheers
Spart
Title: Re: Why BSD base. Why not Linux base?
Post by: Supermule on November 27, 2022, 03:17:43 pm
Don't play the victim...

And VMware is the market leader in virtualization and you can fairly easily break the 10 Gbit/s barrier with server grade hardware.

I have run pfSense virtualized since 2008 and couldn't even begin to grasp the prospect of running it bare metal.

There is very little overhead on ESXi regarding performance and we use X710 NICs from Intel. No issues WSE.
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 27, 2022, 03:30:48 pm
Don't play the victim...

And VMware is the market leader in virtualization and you can fairly easily break the 10 Gbit/s barrier with server grade hardware.

I have run pfSense virtualized since 2008 and couldn't even begin to grasp the prospect of running it bare metal.

There is very little overhead on ESXi regarding performance and we use X710 NICs from Intel. No issues WSE.

Again the attack is not necessary!

Maybe your experience with the Intel based NICs is the difference. The Dell R720 is enterprise HW, but maybe the Dell-branded Broadcom quad port NIC card is the issue.

We are on copper GB not fibre so maybe not the X710.

If anyone has a recommendation for a full height quad port Intel card that has the right support for ESXi that would be great.

Cheers
Spart
Title: Re: Why BSD base. Why not Linux base?
Post by: Supermule on November 27, 2022, 04:05:27 pm
X710-T4 is 10Gbit/s and copper.

How many do you need?
Title: Re: Why BSD base. Why not Linux base?
Post by: sparticle on November 27, 2022, 04:09:09 pm
X710-T4 is 10Gbit/s and copper.

How many do you need?

I think it's 10G Copper not 1Gb copper.

Was thinking of something like this.

https://www.ebay.co.uk/itm/125310701535?hash=item1d2d198fdf:g:2YcAAOSwWC1ifNjh&amdata=enc%3AAQAHAAAA4PK9BXqm1PcvzcPNfI5azqrJ3iZs2TpSOT603digb4CUnbhSYEVIrynQPW0T2aJp6vNBiXU6YuH9fBw%2BuVgKZqPNitNlg36trw4886bCxxOGFzleR2xlf551ST5rWk0gzHgKIIPVwSUqEpSpOkI%2BNKQQqdtuDSr8cQR3gd76Sf7203asgCkoUh6N6GU0m7COAEygX2aoqiHuuUpATZFjgbFN0emnMEchFtPv3Bv2yVMXW3HMSlq4i1frs9wpBp8lva2A2lr8nmpyRk8upuqtg0qHGcfXvZbCQGd3oQFcW%2BrC%7Ctkp%3ABFBMjLGSmJdh

Pro 1000PT Quad port 1Gb Copper

Intel 82571EB chipset. Full support in ESXi 6.7 U3 and it seems the BSD em driver.

The em driver supports Gigabit Ethernet adapters based on the Intel 82540, 82541ER, 82541PI, 82542, 82543, 82544, 82545, 82546, 82546EB, 82546GB, 82547, 82571, 82572, 82573, 82574, 82575, 82576, and 82580 controller chips:

Intel Gigabit ET Dual Port Server Adapter (82576)
Intel Gigabit VT Quad Port Server Adapter (82575)
Intel Single, Dual and Quad Gigabit Ethernet Controller (82580)
Intel i210 and i211 Gigabit Ethernet Controller
Intel i350 and i354 Gigabit Ethernet Controller
Intel PRO/1000 CT Network Connection (82547)
Intel PRO/1000 F Server Adapter (82543)
Intel PRO/1000 Gigabit Server Adapter (82542)
Intel PRO/1000 GT Desktop Adapter (82541PI)
Intel PRO/1000 MF Dual Port Server Adapter (82546)
Intel PRO/1000 MF Server Adapter (82545)
Intel PRO/1000 MF Server Adapter (LX) (82545)
Intel PRO/1000 MT Desktop Adapter (82540)
Intel PRO/1000 MT Desktop Adapter (82541)
Intel PRO/1000 MT Dual Port Server Adapter (82546)
Intel PRO/1000 MT Quad Port Server Adapter (82546EB)
Intel PRO/1000 MT Server Adapter (82545)
Intel PRO/1000 PF Dual Port Server Adapter (82571)
Intel PRO/1000 PF Quad Port Server Adapter (82571)
Intel PRO/1000 PF Server Adapter (82572)
Intel PRO/1000 PT Desktop Adapter (82572)
Intel PRO/1000 PT Dual Port Server Adapter (82571)
Intel PRO/1000 PT Quad Port Server Adapter (82571)
Intel PRO/1000 PT Server Adapter (82572)
Intel PRO/1000 T Desktop Adapter (82544)
Intel PRO/1000 T Server Adapter (82543)
Intel PRO/1000 XF Server Adapter (82544)
Intel PRO/1000 XT Server Adapter (82544)

Looking at the FreeBSD hardware list the vmx driver that is currently in use on our OpnSense is not even listed.

Cheers
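The post above works out which FreeBSD driver a card will get (em for the 82571EB, vmx for the VMware paravirtual NIC, bge for the Broadcom) by reading the em(4) list by hand. On the box itself the authoritative answer is `pciconf -lv`: every PCI function is printed with the driver name and unit that attached to it, and a device nobody claimed shows up with the prefix `none`. The script below is an added example, not code from the thread or from the OPNsense project; it parses `pciconf -lv` output and reports, for every network-class controller, the attached driver (or that none attached) plus the PCI vendor:device pair. The embedded sample output is constructed to look like real `pciconf -lv` output; its card/chip values are illustrative and were not captured from any host.

```python
"""List network controllers from `pciconf -lv` output with their attached driver.

Added example for this thread; not part of OPNsense or FreeBSD.
Usage on OPNsense/FreeBSD:  pciconf -lv > pci.txt && python3 nicdrivers.py pci.txt
With no argument it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample modelled on the pciconf -lv format. The chip/card values
# are illustrative placeholders, not captured from a real machine.
SAMPLE_PCICONF = """\
em0@pci0:3:0:0:\tclass=0x020000 card=0x10a48086 chip=0x10a48086 rev=0x06 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82571EB Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
none2@pci0:4:0:0:\tclass=0x020000 card=0x1f5b1028 chip=0x165f14e4 rev=0x00 hdr=0x00
    vendor     = 'Broadcom Inc. and subsidiaries'
    device     = 'NetXtreme BCM5720 Gigabit Ethernet PCIe'
    class      = network
    subclass   = ethernet
vmx0@pci0:11:0:0:\tclass=0x020000 card=0x07b015ad chip=0x07b015ad rev=0x01 hdr=0x00
    vendor     = 'VMware'
    device     = 'VMXNET3 Ethernet Controller'
    class      = network
    subclass   = ethernet
ahci0@pci0:0:31:2:\tclass=0x010601 card=0x1f5b1028 chip=0x8d028086 rev=0x05 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'C610/X99 series chipset 6-Port SATA Controller [AHCI mode]'
    class      = mass storage
    subclass   = SATA
"""

# Header line: <driver><unit>@pci<domain>:<bus>:<slot>:<func>: class=... card=... chip=...
HEADER_RE = re.compile(
    r"^(?P<driver>[a-z_]+?)(?P<unit>\d+)@pci(?P<sel>\d+:\d+:\d+:\d+):\s+"
    r"class=0x(?P<cls>[0-9a-f]+)\s+card=0x(?P<card>[0-9a-f]+)\s+chip=0x(?P<chip>[0-9a-f]+)",
    re.IGNORECASE,
)
# Indented "key = 'value'" lines that follow each header in -v output.
ATTR_RE = re.compile(r"^\s+(?P<key>\w+)\s*=\s*'?(?P<val>[^']*)'?\s*$")


def parse_pciconf(text):
    """Return one dict per PCI function found in pciconf -lv output."""
    devices = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # chip is device_id<<16 | vendor_id, e.g. 0x10a48086 -> 8086:10a4
            chip = int(m.group("chip"), 16)
            current = {
                "name": m.group("driver") + m.group("unit"),
                # "noneN" is how pciconf names a function with no driver attached
                "driver": None if m.group("driver").lower() == "none" else m.group("driver"),
                "selector": m.group("sel"),
                "class_code": int(m.group("cls"), 16),
                "vendor_id": chip & 0xFFFF,
                "device_id": chip >> 16,
            }
            devices.append(current)
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current[a.group("key")] = a.group("val").strip()
    return devices


def network_controllers(devices):
    """PCI base class 0x02 is 'network controller' (class code is 24 bits)."""
    return [d for d in devices if (d["class_code"] >> 16) == 0x02]


def unbound_network_controllers(devices):
    """NICs the kernel has no driver for: these are the ones to swap or passthrough."""
    return [d for d in network_controllers(devices) if d["driver"] is None]


def report(text):
    """One human-readable line per NIC; returned so callers can check it."""
    lines = []
    for d in network_controllers(parse_pciconf(text)):
        status = d["driver"] or "NO DRIVER ATTACHED"
        lines.append(
            f"{d['name']:<8} {status:<20} {d['vendor_id']:04x}:{d['device_id']:04x}  "
            f"{d.get('vendor', '?')} / {d.get('device', '?')}"
        )
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PCICONF
    for line in report(text):
        print(line)
```

The `vendor:device` pair is what to search for in the driver man pages (em(4), igb(4), bge(4), vmx(4)) when the name alone is ambiguous, and a `NO DRIVER ATTACHED` row before buying a replacement card is cheaper than finding out after.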
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 27, 2022, 04:36:34 pm
I'd use PCIe passthrough if I was running OPNsense in ESXi. Only one 10G interface as a trunk to the switch is necessary; the rest can be done in VLANs. Or two if you want multi-chassis LACP for redundancy. Router on a stick ...
Title: Re: Why BSD base. Why not Linux base?
Post by: Supermule on November 27, 2022, 05:22:08 pm
For security reasons PCI passthrough is not recommended.
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 27, 2022, 06:08:44 pm
For security reasons PCI passthrough is not recommended.
Care to elaborate?
Title: Re: Why BSD base. Why not Linux base?
Post by: Supermule on November 27, 2022, 07:20:50 pm
https://www.tenable.com/audits/items/CIS_VMware_ESXi_6.7_v1.2.0_L1.audit:1d17d57677b4afb74b44266c06e9f728
Title: Re: Why BSD base. Why not Linux base?
Post by: seed on November 27, 2022, 08:10:37 pm
Using FreeBSD allows things like this:
https://forum.opnsense.org/index.php?topic=25540.0

Also worth mentioning is (assuming compatible hardware) that OPNsense is rock solid. I can upgrade from an old version to the current version without any issues. That's what comes with FreeBSD. When upgrading Ubuntu, Debian or any other Linux distro things may break. With FreeBSD the system (in my experience) can run with little maintenance. Also under full load the system stays stable, not dropping any connection. FreeBSD also means a smaller attack surface.
Title: Re: Why BSD base. Why not Linux base?
Post by: Patrick M. Hausen on November 27, 2022, 10:35:32 pm
https://www.tenable.com/audits/items/CIS_VMware_ESXi_6.7_v1.2.0_L1.audit:1d17d57677b4afb74b44266c06e9f728
So you are worried about the guest OS running in your firewall VM which is your frontmost line of defense attacking your hypervisor host through PCIe passthrough?

OK ... you do you, I guess. I'd worry about more productive things. If I would not trust the OPNsense code, I would use a different firewall in the first place.
Title: Re: Why BSD base. Why not Linux base?
Post by: network_pseudonym on November 28, 2022, 02:14:04 am
For security reasons PCI passthrough is not recommended.
Then it seems virtualization is not recommended. I'm not inclined to run my NVMe ZFS mirror and Intel ethernet adapters through virtualization on a router; it just doesn't seem right to me. It's more of a bare metal scenario. That's why I went with a dedicated host. Thought about using it for a NAS as well but decided I didn't want to mess with it.

Maybe my hardware choices are the issue. VM performance is not great compared to Linux, driver issues abound.

Dedicated HW like the link you provided I can understand.
Yeah it seems to me your choices are not suited for the product, and you come here seriously asking them to change the operating system and packet filtering used just to suit your scenario, rather than build a dedicated router that will run right?

Our electricity price has tripled so no I don't want to proliferate multiple systems when I have a perfectly capable server to virtualize in!

And if xBSD would invest some time in fixing the drivers we would have parity performance.
My dedicated OPNsense router uses very little electricity and that is part of why it is dedicated. I want it to be one of the last things running if and when I'm on back up power. I don't need some giant (possibly outdated?) server running 30 different things to keep going just to keep my router alive. It uses basically no CPU or RAM or disk on the machine, even with Suricata and such running, and that's how I like it.

Maybe I'm mistaken and virtualization is the way to run this kind of router. To me, for my home network, it did not make sense.

It's a FOSS product right? Fork it if you want I guess. And then maybe you'd realize you'd be starting all over from the ground up to change the operating system. Don't like the drivers? Fix them. Don't know what it would take to fix them or how to do it? Maybe don't dictate to other people what they do with their skills and time.
Title: Re: Why BSD base. Why not Linux base?
Post by: franco on November 28, 2022, 07:57:37 am
So, you came here and ask OPN to move over to Linux. Did you also ask at IPFire and WRT to be not so clunky anymore? :)

My question as well. If BSD is holding back OPNsense, why and how is Linux holding back its firewall distributions as well as it seems?

Back in 2012 I made the decision to move from Linux/GPL to BSD since I saw too many hurdles for a small company/startup to engage in the open source GPL space... I've seen the "closed source" (a.k.a. commercial) GPL space and it always was close to violating licenses, and Ubuntu was a terrible distribution to build a firewall on. I did not want to continue this weird path... nowadays everyone does their own "genius" work on top of DPDK and lack of basic operating system work is the norm.

OTOH, I've met the Astaro founders and worked with one of their sales guys for a long time afterwards. They had pulled off a great GUI on Linux, because of that one graphics guy they had. At some point it was sold to Sophos and now it's not good anymore? Or just too expensive? Michael would be better suited to know what happened...

So in my view BSD with its hands-off licensing made it possible to have longer-running projects which both succeed in open source and commercially. Smaller organic growth that you can see from m0n0wall, pfSense to OPNsense. The BSDs since the 90's are on a similar trajectory.

The notion that "BSD is dead" is a Linux thing maybe trying to divert from the fact that Linux/GPL has fundamental issues that don't exist in the BSD scope.

One last point as an example: IPFire website says "IPFire is free software and developed by an open community and trusted by hundreds of thousands of users from all around the world."

OPNsense has this year reached (in comparison a mere) 150k active installations and here is the Google trends plot:

https://trends.google.com/trends/explore?date=all&q=ipfire,opnsense

pfSense numbers are even better although they seem to have dropped by almost 50% in peak popularity now.

So... if BSD is holding back, why are Linux user interaction numbers a lot lower in comparison? ;)


Cheers,
Franco
Title: Re: Why BSD base. Why not Linux base?
Post by: yourfriendarmando on November 28, 2022, 03:35:17 pm
I usually stand up Ubuntu-based servers for multi-purpose file sharing and VMs. This is an excellent firewall. It happens to be BSD based. It's a great tool regardless of what it is based on. Given the nature of its function, it works great on its own power-sipping hardware.

Having it on a VM, with other VMs dependent on it, can really stop a show sometimes, unless you have a larger complex system. I happened to be disappointed by other Linux based firewalls. One thing that really changed my offering was having the ability to create interfaces as desired in a design. The Linux based ones I tried have the Green, Red, and optional Blue and Orange zones, which are rather limiting.
Title: Re: Why BSD base. Why not Linux base?
Post by: axsdenied on November 29, 2022, 06:24:43 pm
I'm not super invested on which OS the OPNsense team decides it needs to be on.  I'm more interested in the end result.

The only thing I'd love is more options for stable NIC/hardware choices.  Completely understand why things are the way they are but the cherry on top would be the confidence, to run this stably, in a majority of hardware configurations.
Title: Re: Why BSD base. Why not Linux base?
Post by: gctwnl on November 30, 2022, 03:03:39 am
OPNsense's basic architecture is built on the pf packet filter - which is BSD only.
Actually, I've been using pf on macOS as a host-based fw for years (there is a handy app called Murus to configure it) but don't get me started on how utterly unreliable macOS has become to do stuff like this...
Title: Re: Why BSD base. Why not Linux base?
Post by: lilsense on November 30, 2022, 11:27:21 pm
Um, MacOS is mostly FreeBSD based with a twist. :)

I use the Murus Firewall (Paid) on the MacOS for PF GUI control...

https://www.murusfirewall.com/
Title: Re: Why BSD base. Why not Linux base?
Post by: LeandroFitzpatrick on February 27, 2023, 05:18:40 pm
Hey there. Time to refresh this thread. I totally get where you're coming from. It's true that Linux has come a long way and can handle a lot of heavy lifting when it comes to routing and networking, but there are some good reasons why OpnSense is built on a BSD base. For starters, BSD has a reputation for being rock-solid and reliable, especially when it comes to networking. It's also a more cohesive system, with a single kernel and userland that work together seamlessly. This can make it easier to maintain and troubleshoot, especially for larger installations. Another thing to consider is that CentOS 7 has recently reached its end-of-life support. Check it out: https://tuxcare.com/extended-lifecycle-support/centos-7-extended-support/. Of course, I'm not saying that OpnSense is the only option out there or that Linux isn't a great choice in many situations. But I do think that there are some good reasons why BSD has been a reliable choice for networking for many years.
Title: Re: Why BSD base. Why not Linux base?
Post by: bitTwiddler on March 01, 2023, 06:22:08 am
BSD is hardly a sinking ship. It may not be the latest, shiny object but BSD is the foundation for quite a few modern applications (PlayStation 5 for example). And the licensing is friendly as well  :-)