Messages

Does OpnSense have screen? I mean the command line utility to detach / (re)attach your screen? Seems to be included in FreeBSD so I suppose it is there but asking just in case. I cannot live without it :)

I think I will give OpnSense a spin. Still not sure about hardware solution since it requires more hardware and is a single point of failure. Do you think that virtualized OpnSense will be a bottleneck with 20mbps symmetrical connection? Most important internal stuff (iscsi) will reside in same 10g ethernet subnet so it should not be affected, only the outside connections and workstation-server connections would pass through OpnSense but there is no critical stuff there.

edit: and VLAN is something that would play a major role in virtualized solution. I suppose that is not a problem in OpnSense.

Thanks a lot for your comments. I've been a Linux admin since 1995 when kernel was version 1.1 and I am very comfortable with shell stuff and I do all my stuff in command line if a GUI is not required. The Linux firewall I've used so far has performed well, hardly uses any cpu and has been without problems.

But the biggest issues are problem situations and the amount time I use with it. If it fails and I am on another country there is nobody to fix it. Or if I want to add another openvpn cert user I need to make a csr, download it, issue it, upload it, modify openvpn configurations, create a client conf file and cert package and maybe client works. Or I forgot something as this is something i do seldom enough to forget things :)

With OpnSense I am hoping to delegate even with problem scenarios (HA, easy recovery, even some automatic recovery?) and do the above things a bit easier and faster. How is openvpn administration in OpnSense in practice, using the above as an example?

I've never done *BSD but it sounds interesting to learn.

I would appreciate your opinions on using Opnsense in production business environment.

I have 2 dual Xeon CentOS 7 virtual hosts and I am considering using KVM virtualized Opnsense with VLAN tagging to switches via 10G ethernet.

In your opinion what are the main differences / benefits / warnings between hardware and virtualized Opnsense? And if anyone has experience on commercial firewalls then how would you compare reliability and overall usage between Opnsense and them? There is a major difference in price tags so I am not going to commercial side with light grounds nor I am willing to risk my environment. But I have done well the past 15 years with Linux routing, iptables and openvpn so I am leaning towards open source route.

Thanks for your help in advance.

There exists technologies to kill a nonresponsive virtual guest such as fence_kvm. Maybe that would be a development idea.

Maybe it is solved in some other way. I have no experience in CARP but there must be some system that can handle a defunct virtual server to kill it and let secondary node take over?

With HA one problem (at least mine) is when a defunct service gets so badly stuck it won't shut down and keeps the IP / resource occupied. That's where the fencing comes in and kills the system to make way for backup node to become active. With virtual guests I need to run a daemon with the hosts that can be called to kill zombie guests.

Looks promising. Does it have any fencing?

Just joined the forum as I am seriously considering OpnSense as my next routing firewall solution. I've used Linux with iptables (fwbuilder GUI), routes and openvpn with LDAP backend since pre 2000 and it has worked like a rock.

I would like to install my next firewall as a virtual guest keeping another instance as hot standby in another host. Is that possible to do? Do you think it is a smart thing to do that way? I've seen large organizations do that with their Sophos etc.

What technologies in OpnSense would you consider the most solid and best suitable for production use?