Topic: My experience switching from pfSense to OPNsense on a Watchguard XTM515 (Read 4886 times)
Author: dwasifar (Jr. Member, Posts: 72, Karma: 3)
Posted on: October 16, 2018, 03:17:30 am
Successfully made the switch, finally. Here are some things I learned along the way.
As mentioned in another thread, I was able to use a pfSense exported config file in OPNsense, after manually adding a working OPNsense user into the file so I wouldn't get locked out due to password encryption. The pfSense file was full of Snort configuration information, which I stripped out manually just to keep things clean.
I built a temporary OPNsense appliance on a spare PC, to use while working on the Watchguard. While I was waiting for some pieces to arrive in the mail (more on that later) I decided I wanted to install an SSD in the Watchguard instead of the HDD I'd previously hacked into it. (The Watchguard box originally just ran from CF and had no drive.) That SSD was currently in the old PC. I also needed my spare PC back for some other things. So I cloned the drive with dd and popped the clone into an old server (a 12-core Xeon, actually, which was way overkill). It appeared to be working but couldn't get any traffic out to the WAN. So I put that drive back in the spare PC and found it wouldn't talk to the WAN either. Looked OK in config, just wasn't working.
From this I deduce that moving a working OPNsense installation to new hardware that has a different complement of NICs causes trouble and you shouldn't do it. I'm guessing the interface assignment settings don't adapt well to that situation. I wound up doing a new fresh install and restoring settings from backup.
Shortly after that, the parts I needed for the Watchguard arrived. A CF card reader/writer (for writing OPNsense to the default Watchguard CF boot socket); a replacement CPU; and some thermal paste. These multi-thousand-dollar Watchguards came with puny Celeron 440 processors, and I found out that you can drop in a Pentium E5700 instead, for better performance. They're dirt cheap now. I bought a used pull for $3.50, shipping included, which was less than the thermal paste cost.
Prior to installation, I wiped the SSD, because I know from prior experience that the Watchguard will try to boot from disk if there's anything on it. Set up a console-to-USB connection to my laptop using minicom, booted the Watchguard from CF (OPNsense-18.7-OpenSSL-serial-amd64.img, if anyone needs to know which version), installed to SSD, rebooted with CF removed, set the interfaces from console, restored my config, and from there everyone knows how it goes. I let it burn in on the benchtop for a few hours to shake out any problems with the replacement CPU, and now it's in service and working fine.
One thing I noticed with all this repeated rebooting and/or switching back and forth between firewalls is that machines on the network that have existing sessions tend to leak traffic for a few minutes afterwards. I watch the live log widget on the dashboard and see a lot of default rule denials for traffic originating on the LAN. It settles down in a little while. I have to assume it's normal, or else someone reading this will set me straight.
The Watchguard folks don't make it particularly easy to repurpose their hardware, but it's a nice little OPNsense box now, and should be sufficient until it dies. I'll cross that bridge when I get there.
Last Edit: October 16, 2018, 09:05:25 pm by dwasifar
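The config-file preparation the post describes (strip the Snort package data from the pfSense export, add a user that is known to work on OPNsense so the import cannot lock you out), as an added example that is not the poster's own script. It copies the working user from an OPNsense export rather than generating a password hash; the config.xml element names it relies on (installedpackages, system/user, uid, nextuid) are assumptions to be checked against an export from your own box.

```python
"""Prepare a pfSense config.xml for OPNsense import: drop Snort package entries and
copy a working user from an OPNsense export. Added example, not the forum author's
code; element names are assumptions, verify them against your own OPNsense export."""
import copy
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense export.
PFSENSE_XML = """<pfsense><system><hostname>fw</hostname><nextuid>2000</nextuid>
<user><name>admin</name><password>$1$old$hash</password><scope>system</scope><uid>0</uid></user>
</system><installedpackages><package><name>snort</name></package>
<snortglobal><rm_blocked>1</rm_blocked></snortglobal>
<package><name>openvpn-client-export</name></package></installedpackages></pfsense>"""

# Constructed sample user from a working OPNsense export (password hash is a placeholder).
OPNSENSE_XML = """<opnsense><system>
<user><name>rescue</name><password>$2y$10$PLACEHOLDER</password><scope>system</scope><uid>2000</uid></user>
</system></opnsense>"""

def strip_snort(root):
    """Remove every <installedpackages> child that belongs to Snort; return how many."""
    pkgs = root.find("installedpackages")
    removed = 0
    for child in list(pkgs) if pkgs is not None else []:
        if "snort" in child.tag.lower() or "snort" in (child.findtext("name") or "").lower():
            pkgs.remove(child)
            removed += 1
    return removed

def copy_user(pf_root, opn_root, username):
    """Copy <user> 'username' from the OPNsense tree into the pfSense tree with a fresh uid from <nextuid>."""
    src = next((u for u in opn_root.iter("user") if u.findtext("name") == username), None)
    if src is None:
        raise ValueError("user %s not found in OPNsense export" % username)
    system = pf_root.find("system")
    if any(u.findtext("name") == username for u in system.findall("user")):
        raise ValueError("user %s already present in pfSense config" % username)
    user = copy.deepcopy(src)            # keep the OPNsense-format password hash as-is
    nextuid = system.find("nextuid")
    uid = int(nextuid.text)
    user.find("uid").text = str(uid)     # avoid colliding with an existing pfSense uid
    nextuid.text = str(uid + 1)
    system.append(user)
    return uid

def prepare(pf_xml, opn_xml, username):
    # Returns (cleaned config XML, Snort entries removed, uid assigned to the copied user).
    pf_root, opn_root = ET.fromstring(pf_xml), ET.fromstring(opn_xml)
    removed = strip_snort(pf_root)
    uid = copy_user(pf_root, opn_root, username)
    return ET.tostring(pf_root, encoding="unicode"), removed, uid
```

Run `prepare()` on the real exports, write the result to a file, and import that file; log in with the copied user before touching anything else.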