Messages

I think I'm slowly understanding what is being yearned for.

So we just happen to pull in a proxy and IPS into the base install, but, OTOH, rebuild a clean plugin system to make it possible to bring back "packages". That's all pretty neat, but....

One particular case of interest is PPTP, which a lot of people said it should be killed. While that may be true, it is still the base of internet connectivity for whole countries, so killing it is out of the question.

Instead, how about making a plugin of that so everyone is happy? Splitting off base functionality and wrapping it up so that if we split off enough of those pieces we'll end up with the proposed lite version and simply need to make sure the lite version addresses at least all of the SOHO needs.

Is this what you guys suggest we should do? To be frank, I find that approach very appealing after giving it the benefit of the doubt.

Yup, that is it.

pfSense got it wrong by having way too much stuff on their base install, when basic users use it and see the huge menu, they keep thinking "What the hell is that doing here? And what is this? I don't need this, it probably has a wrong default setting and has bugs or something", pfSense looks like a bunch of crap duct taped together, the messy design makes security conscious users feel uneasy.

Seeing only exactly what you need = trust = loyalty, that is how m0n0wall built its cult.

If OPNsense can pull that off, plus the bonus of the newest drivers and OS security updates that m0n0wall lacks, plus a plugin system for edge use cases, it'll be unbeatable (and guarantees a smooth transition from m0n0wall to OPNsense).

I like the idea a lot. We have all build overrides in place in the config folder of our tools.git:

https://github.com/opnsense/tools/tree/master/config/current

This means ports, their options, the source binaries to be installed, the kernel to be built. Even the core/GUI repository could be replaced. However, things start to get rough around the edges. While it is perfectly safe to start with this, the projects will diverge quickly in terms of the core.git. We might be able to stay on track with the tools.git, src.git and ports.git.

So here it seems that there should be a "core-lite.git" or something along with the proper overrides in the tools.git.

Reasons for that are different approaches to GUI and compartmentalisation, we want to use python in the backend--that adds at least 50 MB to the image. We want manual pages, examples and such to be retained and not strip the base system down to something that simply runs for users. For one it does not help development, and OTOH, it prevents users from exploring the inner workings of their systems. These things are pure opinions, please don't hold me against them.

To conclude, you guys could strip down the system, remove features and still ride most of the eco system drive with OPNsense. Maybe there is a better solution mid or longterm, but as far as those things go they tend to diverge rather than converge.

PS: I really like this productive discussion. Thank all of you for your time. (No, the discussion isn't over ;) )

Glad to be helpful. ;)

The more I think about it the more I think "keeping it simple" is more of a psychological thing rather than a data size thing.

Sure some people stick to m0n0wall because they are using very low performance hardware, but the majority of them run m0n0wall on standard hardware, they just don't trust/like Linux and they want a simple interface, less options means less things to learn and go wrong, they don't really care how many components there are under the hood as long as they don't see them.

Large USB sticks/CF/SD cards are cheap these days, so personally I don't mind having a "Lite" version even if it is 2G/3G/4G, I'll be happy as long as I know that the guys behind it are taking a "keep it simple" approach.

From a programmer's point of view, perhaps "Lite" version means ripping most of the guts out of the system, but from a basic user's point of view, sometimes "Lite" version just means having a simple menu, you know, sometimes you just want 15 buttons on your remote instead of 150.

Of course, this is just one man's opinion, I am sure you guys know what you're doing. ;)

Let's just say we are completely arrogant about not being arrogant. ;)

But seriously, what is a project--especially an open source project--without a community to listen to and build upon?

Sure, we have put in a bit of effort to get this project bootstrapped, but now that we've been here for just over 50 days, it really matters that we've had the privilege of a kind user base who is willing to help test and let this project progress beyond what we could have achieved alone. There are endorsements like Manuel's, countless bug reports, feature requests and proactive mentions of the work that we have done all around the web. We have plans for the next year, but they mean nothing in the face of what our community looks like in 6 months or maybe less. We'll have to shift and adapt while maintaining just a couple of core principles: open, easy, fast, secure *and* fun. We believe these values are not exclusive.

All I can say is there is more to learn and grow and hopefully we have shown how we want to do it. :)


Franco

That is a great attitude to have, keep up the good work, we'll be following OPNsense closely and help out when we can. ;)

We appreciate diversity of opinion. I can see that not all the m0n0wall folks are happy. It may be an impossible feat to bring everybody under a single roof.

OPNsense has many exciting features, but right now, there is a large group of m0n0wall refugees out there looking for a new shelter, so this is like a humanitarian problem, lol.

Perhaps there can be a "OPNsense Lite" approach? A bare minimum version of OPNsense that doesn't do much more than m0n0wall? Many existing m0n0wall users will transit in droves just for the OS/SSL bug patches and new drivers alone (us included).

The problem with pfSense is that, there is always a large group of users who only require the most basic functions, but once they install pfSense and see the 10 menus with 100 options, they think "screw this, I am not going to spend a month to learn and tweak everything and risk breaking something", pfSense ended up trying to be everything for everybody and lost many would-be users.

With a "Lite" version, OPNsense won't suffer the same fate as pfSense, no matter how feature rich OPNsense become in the future, the "Lite" version will keep reminding people that, at its core, OPNsense is still a no-nonsense firewall/router.

Also, once the first step of transition is made, it'll be easy to encourage them to try the more advanced version, for example, in the settings page of the "Lite" version, there can be some advance setting fields that are greyed out, with the text "This feature is available in the Normal/Advance version <URL>" next to it.

We are thinking about moving from m0n0 to OPNsense too.

We had a go moving to pfSense a year ago but we dropped it and returned to m0n0 after reading their PHP scripts, it was a horror show, nobody tight on security would ever code that way.

It also looked like the pfSense team is in "cash out" mode and is now focused on the $ instead of theirs users, so it is great to hear someone else felt the same about pfSense and decided to do something about it, please promise you guys will never turn arrogant (I am looking at the pfSense team).  ;)