Messages - xinnan

#46
17.1 Legacy Series / Re: POLL: IPS
November 16, 2017, 05:38:45 PM
The firewall with no open ports and no pass rules will silently drop unsolicited incoming packets. In my opinion, that is usually best. Now, if I had SSH running on the WAN or another service installed in opnsense that listened on the WAN, then there would be a great need to have IDS checking the WAN.
#47
17.7 Legacy Series / Re: IDS Alerts
November 16, 2017, 05:14:15 PM
One would think.  You are definitely going to get a ton more alerts inspecting the WAN.

I do inspect the WAN on my personal servers where the firewall and all clients are virtual and sit behind another SPI firewall. As expected I get very few alerts, all real threats and only on ports I opened. Otherwise, it is silent.
#48
17.7 Legacy Series / Re: IDS Alerts
November 16, 2017, 04:58:47 PM
Many people are of the opinion that you only need to worry about what has made it past the WAN's firewall and might have access to the LAN or other resources behind opnsense that you are trying to protect. So, just checking the LAN and other interfaces is more meaningful and generates less noise.

For instance, are you worried that someone sent a packet to a closed port, or are you worried about the services running where your open ports are forwarded? I suppose it depends on how much log reading you like to do.
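The triage the two posts above describe, WAN alerts against closed ports (which the firewall drops anyway) versus alerts against ports that are actually open or forwarded, and alerts seen on internal interfaces, is easy to apply to IDS output. The following is an added example, not code from xinnan's posts or from the OPNsense project. It reads constructed alert records in the shape of Suricata's EVE JSON log (`event_type`, `in_iface`, `dest_port`, `alert.signature`); the interface names `em0`/`em1`, the open-port set and the signature texts are all assumed sample values.

```python
import json
from collections import Counter

# Constructed EVE-style alert lines (not real captures). em0 is assumed to be
# the WAN, em1 the LAN. Signature texts are made up for the sample.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","in_iface":"em0","src_ip":"203.0.113.7","dest_ip":"198.51.100.2",'
    '"dest_port":23,"alert":{"signature":"SAMPLE Telnet probe"}}',
    '{"event_type":"alert","in_iface":"em0","src_ip":"203.0.113.9","dest_ip":"198.51.100.2",'
    '"dest_port":3389,"alert":{"signature":"SAMPLE RDP probe"}}',
    '{"event_type":"alert","in_iface":"em0","src_ip":"203.0.113.11","dest_ip":"198.51.100.2",'
    '"dest_port":443,"alert":{"signature":"SAMPLE suspicious TLS client hello"}}',
    '{"event_type":"alert","in_iface":"em0","src_ip":"203.0.113.12","dest_ip":"198.51.100.2",'
    '"dest_port":1194,"alert":{"signature":"SAMPLE OpenVPN handshake anomaly"}}',
    '{"event_type":"alert","in_iface":"em1","src_ip":"192.168.1.20","dest_ip":"192.168.1.5",'
    '"dest_port":445,"alert":{"signature":"SAMPLE SMB lateral movement attempt"}}',
    '{"event_type":"flow","in_iface":"em0","src_ip":"203.0.113.7","dest_ip":"198.51.100.2",'
    '"dest_port":80}',
]

# Assumed firewall state: the only ports opened/forwarded on the WAN.
OPEN_WAN_PORTS = {443, 1194}


def classify_alert(event, open_ports, wan_iface="em0"):
    """Bucket one alert record.

    'internal'        - seen on a non-WAN interface, i.e. traffic that is already
                        behind the firewall (the case the posts say is worth reading)
    'exposed-service' - WAN alert aimed at a port that is open/forwarded
    'noise'           - WAN alert aimed at a closed port (or with no port, e.g. ICMP);
                        a default-deny firewall drops these unsolicited packets anyway
    """
    if event.get("in_iface") != wan_iface:
        return "internal"
    if event.get("dest_port") in open_ports:
        return "exposed-service"
    return "noise"


def triage(lines, open_ports, wan_iface="em0"):
    """Count alerts per bucket and collect the ones worth a second look.

    Returns (Counter of bucket -> count, list of (bucket, src_ip, dest_port, signature)
    for every alert that is not closed-port WAN noise). Non-alert event types are skipped.
    """
    counts = Counter()
    worth_reading = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        bucket = classify_alert(event, open_ports, wan_iface)
        counts[bucket] += 1
        if bucket != "noise":
            worth_reading.append((
                bucket,
                event.get("src_ip"),
                event.get("dest_port"),
                event.get("alert", {}).get("signature"),
            ))
    return counts, worth_reading


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_EVE_LINES, OPEN_WAN_PORTS)
    print("alert counts by bucket:", dict(counts))
    for bucket, src, port, sig in hits:
        print(f"{bucket:16} {src:>14} -> :{port:<5} {sig}")
```

On the sample, two of the four WAN alerts are closed-port probes that the default-deny firewall already discarded, so they only add volume; the two against 443 and 1194 and the one LAN alert are the ones that describe something that could actually reach a running service or a client.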
#49
I would use the lowest encryption settings I could get away with. Then, I'd find a tech museum and donate the Watchguard. After that, I'd get either a new box for opnsense or a used piece of hardware. What you need for the speeds you mentioned earlier isn't an expensive rig. Most likely you can get it for free. Heck, I'm using one like that right now. VERY old retired dual-core AMD X2 processor.

You just need a couple of reasonably quick cores on an older converted desktop, or else you could buy a new small device. It's up to you.
#50
As a measure, "very slow" doesn't tell us much.  How much bandwidth are these 4 people using?

You can very easily max out CPU with openvpn with several users with sorta quick connections. 

Especially a CPU as weak as this one. I'm not sure how much bandwidth to tell you to expect, but it's not going to be extremely fast by any means. How much total bandwidth do you need?
#51
Haha - I feel pretty good about the odds I will win this bet. 
#52
General Discussion / Re: IPv6 security & OPNsense
November 14, 2017, 05:36:15 PM
Too technical for me. However, for IPv4 most people filter traffic based on much fewer parameters. Seems like it to me anyway. Seems like most people filter on originating IP, destination IP and a few other things like if the packet is fragmented or out of state.

Specifically, what sort of filtering for IPv6 is opnsense missing that it CAN do for IPv4?

That would be meaningful for me. 
#53
The thing I like about openvpn is I can take your average idiot (and some below average ones), and export a client. Just tell them to double-click it and boom... They are all set. I've yet to meet the person who can't double-click a file, so I'm a big fan of openvpn. Generally speaking, as soon as you say "OK - Now type this in...", you have already lost 90% of people.

#54
What kind of problems did openvpn give you?
#55
I checked out softether a few times over the years and recently. The simplest and easiest setup I ever saw was too complicated. I'm sure it works fine, but with openvpn for ease of use and ipsec for those who dislike openvpn, softether falls into the "why bother" category for me. I'd consider it if it were incorporated into opnsense much the same way openvpn is. Otherwise, not worth fussing with for me.
#56
Now - Comparing the mathematical predictions in 2016 to the actual usage all the way to today in Nov 2017, the upward curve remains steady at a slightly higher than predicted rate.  Good news for all gamers and anyone who hates NAT.

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption
#57
The adoption rate is currently on a 2.5x per year rate of increase. In mathematical terms, a curve that is flattening against the Y axis as time on the X axis passes. The numbers look clear to me. I'm sure there will be a few holdouts (lab setups in basements), but it is following the same sort of accelerating curve you see in things like population growth or bacterial growth in nature. It is extremely predictable once a curve like this is evident. Numbers don't lie. There are a few things that could stop it...

Coronal mass ejection like the one in 1859... Let's see... Asteroid collision like the one that wiped out the dinosaurs. Things like that.

This graph was produced using regression and curve fitting I'm sure.

#58
Yeah - I posted this same thing on the pfsense boards about 5 or 6 years ago, but it's sort of a hack to patch a bigger problem, which is having a requirement for NAT at all. 2-3 more years, won't be an issue anymore. Glad it's working for you. Same fix works for SIP issues also, in case you ever experience VOIP problems.
#59
No - You must only try opnsense!   

Try them. It's smart to test your choices. You will miss the features of opnsense sooner or later though.
#60
I have.  It will work, but you will hit a cap on bandwidth.  Probably just a 5% hit if the VM is working right.

How big a hassle would it be for you to install opnsense on the machine directly to test the limits of the physical machine and THEN compare it to opnsense in VM?