OPNsense Forum

English Forums => General Discussion => Topic started by: Tacoma on March 17, 2018, 02:39:41 pm

Title: Long time pfsense user - new to OPNsense
Post by: Tacoma on March 17, 2018, 02:39:41 pm
Just wanted to join this forum and leave a short message as an introduction.
As the subject indicates I have been using pfsense successfully for a number of years, before that Vyatta, and professionally some work with Cisco routers.

Some very recent problems with the pfsense release 2.4.x and talk of narrowing down the supported hardware significantly have motivated me to research open source router projects. I found several interesting write-ups comparing OPNsense to pfsense. I also read up on the history of why OPNsense was formed and some of the changes that have been occurring and recent changes with pfsense. At the end of the day I decided to try OPNsense and contribute to the forum.

Recently I did run some interesting IPsec performance benchmarks on pfsense using gbit speed WAN connections.  I posted the results on their users forum and it was nothing but "crickets", which also made me wonder what was going on with the user community there?

Title: Re: Long time pfsense user - new to OPNsense
Post by: elektroinside on March 17, 2018, 07:35:22 pm
Hi there!

We are definitely interested in IPsec performance tests with OPNsense. Please feel free to post whatever you may find.

Thank you and a warm welcome to OPNsense!

Title: Re: Long time pfsense user - new to OPNsense
Post by: derp on March 17, 2018, 07:42:48 pm
while this might seem unrelated at first glance, it is aimed at your current insight of the plug-in, current abilities, and understanding of the router/firewalls environment


i am looking for a specific type of plug in for OPN

there is a possibility some of you might remember Outpost Firewall Created by Agnitum, there was a feature it had that i am looking for ( https://alternativeto.net/software/outpost-firewall-pro/ )

in this program you were able to watch traffic real time GUI with a line of data classified how and what you chose to show. the ability to right click on it, stop the flow, and choose what type of restrictions to implement into the firewall for that specific address, or general domain was an incredible volume more effective, faster, and efficient than a CLI table modification.

that type of interface and control is what i am looking for.

if anyone has a general name, classification, or maybe even a plug in i can look up and research i can get headed into the correct direction.

your help will be greatly appreciated. thank you.

Title: Re: Long time pfsense user - new to OPNsense
Post by: dcol on March 17, 2018, 07:46:04 pm
Let us know if you see any performance difference between the two firewalls.

You will find a lot more responsiveness and friendly responses on this forum. The main thing that moved me to OPNsense was IPS that never seemed to work right on the other product.

By the way, don't mention that you are using OPNsense on the other forum or you may get banned like I did.

Title: Re: Long time pfsense user - new to OPNsense
Post by: dcol on March 17, 2018, 07:54:44 pm
Outpost Firewall was a client based firewall that was acquired by Yandex who has close ties to Russian intelligence agencies. Not applicable to OPNsense.

Title: Re: Long time pfsense user - new to OPNsense
Post by: fabian on March 17, 2018, 08:42:29 pm
> there is a possibility some of you might remember Outpost Firewall Created by Agnitum, there was a feature it had that i am looking for ( https://alternativeto.net/software/outpost-firewall-pro/ )

This software seems to be EoL (alternativeto says so), so you should not use it for anything, as you won't get patches when a problem arises.

> that type of interface and control is what i am looking for.

So you are looking for some kind of Wireshark in the GUI?

> if anyone has a general name, classification, or maybe even a plug in i can look up and research i can get headed into the correct direction.

At least a packet capture is possible via the GUI, but you can only view the data when you end the capture (so it is not entirely live).
As an alternative, Netflow can be used.

> Outpost Firewall was a client based firewall that was acquired by Yandex who has close ties to Russian intelligence agencies. Not applicable to OPNsense.

Can you explain why? There is no reason as bug and backdoor free software can be used when it fits the needs.

Title: Re: Long time pfsense user - new to OPNsense
Post by: mimugmail on March 17, 2018, 10:12:15 pm
> while this might seem unrelated at first glance, it is aimed at your current insight of the plug-in, current abilities, and understanding of the router/firewalls environment
>
> i am looking for a specific type of plug in for OPN
>
> there is a possibility some of you might remember Outpost Firewall Created by Agnitum, there was a feature it had that i am looking for ( https://alternativeto.net/software/outpost-firewall-pro/ )
>
> in this program you were able to watch traffic real time GUI with a line of data classified how and what you chose to show. the ability to right click on it, stop the flow, and choose what type of restrictions to implement into the firewall for that specific address, or general domain was an incredible volume more effective, faster, and efficient than a CLI table modification.
>
> that type of interface and control is what i am looking for.
>
> if anyone has a general name, classification, or maybe even a plug in i can look up and research i can get headed into the correct direction.
>
> your help will be greatly appreciated. thank you.

Sophos UTM can handle this very well, but I have no idea how to port this in a good way to OPN ...

Title: Re: Long time pfsense user - new to OPNsense
Post by: derp on March 18, 2018, 02:16:01 am
i find it amazing mimugmail that the person with the shortest answer has the best answer by far.
i have looked into the Sophos UTM and yes, without downloading it, it does seem to be what i am looking for.

i can not get a copy to play with for experimentation, and it looks like it is a standalone that will not play with sense OS

so what i have gotten out of this is that what i want is a UTM (unified threat management) plug in for opnsense

now, seeing as how this would be a total game changer and everyone would benefit from it, and everyone needs it
the #1) question is why do we not already have it
and 2)  what do we have to do in order to get it

in this post opnsense is listed as being a UTM comparable to sophos
http://www.overclock.net/forum/45-networking-security/1630935-once-you-go-utm-firewall-you-never-go-back.html

so this leads me to wonder if there is a plug in, or set of plugins available that i am not seeing

again after all this i want to keep a diligent focus on my end goal

i NEED to be able to watch traffic real time GUI with a line of data classified how and what you chose to show. the ability to right click on it, stop the flow, and choose what type of restrictions to implement into the firewall for that specific address, or general domain was an incredible volume more effective, faster, and efficient than a CLI table modification.

i am going to apologize to Tacoma for thread jacking his hello post and try to ask everyone helping to take this to

https://forum.opnsense.org/index.php?topic=7605.0

Title: Re: Long time pfsense user - new to OPNsense
Post by: Tacoma on March 18, 2018, 11:16:02 pm
> Let us know if you see any performance difference between the two firewalls.
> ...
> By the way, don't mention that you are using OPNsense on the other forum or you may get banned like I did.

Will do on performance testing. However, on pfsense V 2.3.4 I was able to get 99.9% of the 1 gigabit throughput on a Supermicro 8 core Atom CPU with hardware crypto AES-CBC, AES-XTS, AES-GCM, AES-ICM enabled. 2.4.x went totally to hell and was also causing kernel crashes and no one seemed to care. I used 4 different methods for the benchmark testing. I saw some posts here about installing iperf within the FreeBSD instance. As I understand it, the FreeBSD build is a standard build, as opposed to the custom build being used by pfsense?

I will be mindful of that on the forum, but as far as I am concerned, at this point they are most likely dead router project walking.