Messages - dstr

#1
Quote from: doktornotor on August 19, 2024, 07:51:08 PM
Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate. ;D  :P

yes, makes sense that opnsense should apply to dutch regulation. currently it looks like for critical infrastructure (where it comes to real security and not just homelab security) they will change laws, so you can only use hardware/software built in germany. at that point, opnsense would not be usable anyway for real security needs (in germany).
#2
another update. The opnsense hardware distributor just tried to catch us with BSI promises. Then sold us an overpriced garbage device that failed on the initial installation. Therefore opnsense is not on the list anymore after 2026. Maybe I reach the 100 active devices until then.
#3
general is 127.0.0.1 configured, with google it works but is not an option since I'm using encrypted dns and blocklists with unbound.
#4
Virtual private networks / 14[IKE] unable to resolve
August 09, 2024, 11:08:57 AM
I'm using unbound as dns server and ipsec tunnel with a dns remote gateway. after rebooting the firewall, ipsec seems to be started before unbound and is not able to resolve the host. it stops after 3 retries, even though keyretries is set to 0 in the ipsec config which should mean unlimited retries.
is there a way to start ipsec delayed after unbound, or configure ipsec service not to stop?
#5
Update, the hardware you are selling in your shop will get the BSI certification, plus opnsense will get it too

Thanks for this :-)
#6
It will get to the point where cisco has to apply, sooner or later. I worked for Daimler for example in the network department, where all of the devices were Cisco. I would bet a thousand euro that if Daimler decides it will only install BSI certified hardware because of security risks, cisco will run. It's just a matter of enough industrial momentum, like I said before.
#7
Quote from: franco on November 03, 2023, 12:51:37 PM
To be frank, I am unsure what you are looking for pressuring others and not responding to the questions and concerns we have. I'm out of this one... good luck! ;)

If you don't want to talk to me anymore, then I will reach out via other channels.
I mean we have the business support too, where you need to answer.
#8
Quote from: Patrick M. Hausen on November 03, 2023, 12:59:59 PM

P.S. If you want to root for OPNsense in your own corporation, suggest an independent evaluation of both alternatives. Secorvo in Karlsruhe are renowned for their knowledge, professional attitude and the fact that they really are impartial.

I went through exactly this process for the country of Hessen and BSI certification or not Genugate "lost" and Sidewinder "won". Because apart from a certification sometimes you just need certain features. If you support very little like Genugate does, certification is of course way easier.


problem, that's not all, we need at least a wide temperature. landitec offers 0-50°, I just googled quick and sidewinder does not have a device to meet it.
it's really hard to find, we searched 6 months to get the perfect combination. that's why I want to stick with opnsense.
#9
Mark my words, the BSI train will hit anybody. It's starting with kritis, where we have to deal with it. And there will be enough momentum when this will get to every single corporate firewall.

....and only because it's hard, you should fear it so much to not even try it, that's a live quote.
#10
I don't want to pressure anyone, I want opnsense to live (and Insys to die)

If that's too much, then sorry.
#11
Any update to this topic?

Well if Opnsense is a corp only solution, how come landitec and thomas krenn are offering industrial hardware solutions with opnsense preinstalled? I mean you weren't even aware of its purpose in industrial solutions before I told you so.
Apart from this, we have 60 business licenses alone coming with our firewall, so we are paying a huge share for the opnsense existence, and there would be another 80 licenses (it would be 160 licenses, because we are planning clustered firewalls)
I do not understand why you are talking like that.

Just want to tell, we turned to a kritis environment which gives opnsense a REAL case and not just some dumb idiot corp or hobby case.

#12
welcome to the world of "decision makers". if it's insys vs opnsense, bsi light vs no bsi, who would you choose rationally? and that's it.
#13
Quote from: Patrick M. Hausen on October 27, 2023, 03:59:30 PM
Never heard of them.

Prominent manufacturers of enterprise firewalls are among others:

Cisco
Juniper
Checkpoint
Palo-Alto
Fortigate
Forcepoint
Sophos
Sonicwall
...

This is the market OPNsense is competing in. None of the above has got a BSI certification. The one for Sophos is for their OS and completely outdated.

maybe prominent but only in corporate environment and not used in huge numbers. insys is used in industry environment, in huge numbers.
example: we are running ~60 opnsense+ counting and ~80 sophos utm firewalls but only 4 corporate firewalls.
#14
Quote from: franco on October 27, 2023, 11:15:55 AM
And I agree that Common Criteria is not very suitable to a full software distribution. Maybe a software core, but you need formal verification of your code in the higher levels which is a very difficult endeavour.


Cheers,
Franco

not good... cannot argue then to not move to insys.
#15
most prominent is insys not genua, it's probably too late anyway. we have a project to migrate around 80 sophos utm firewalls, because they are end of life in 2026. right now they will be insys not opnsense, because of this certification.