Migrating from pfSense

Started by Inxsible, January 25, 2021, 06:40:18 AM

Geez, let it go, and stop polluting the forum with this crap

    Quote from: Inxsible on January 25, 2021, 06:40:18 AM

    • pfBlockerNg-Devel -- Ad blocking and such -- I might be able to replace this with a pi-hole LXC container on my Proxmox server. Other ideas are welcome...

    Depending on what you have been doing with pfBlockerNG, the Sensei DPI plugin might be a good replacement. It effectively blocks ads, you can protect your children and it is perfect for traffic visibility.
    Try it, you might like it!

    Does Sensei work offline or does it need to use a cloud service?

    Quote from: securityconscious on January 29, 2021, 03:40:02 AM
    I'm new to networking and firewalls but I have some experience with IP Fire and I would advise you to stay away from it, they can hack your IP Fire installation and compromise it, if they don't like you.

    That is what happened to me and I changed from IP Fire. They didn't like hearing hard truths about firewall distros, so they developed a grudge and hacked my IP Fire installation and made all rules ineffective. I could block access entirely to allow entirely.
    Sorry, but I am going to have to call you out on this one. Did you ever consider that since you were new to networking & firewalls (by your own admission), you might have made a mistake in the setup which caused your rules to be ineffective?
    Quote from: securityconscious on January 29, 2021, 03:40:02 AM
    You say, you have experience with pfSense, then you would be comfortable with OPNSense, although the interface is different, but making rules is similar, they use different symbols for allow, block, incoming, outgoing. Remember, in OPNSense, incoming means traffic coming into the firewall from any interface, and outgoing means traffic leaving the firewall.

    You can always take the firewall distros for a test drive in a virtual machine. Other firewalls based on Linux are Smoothwall, ipcop, ClearOS, etc.
    I have some experience with pfSense -- but whatever it is has been acquired by a lot of researching the web on how to do things. I have already installed IPFire and OPNSense both on VMs on my Proxmox server and I did a cursory visit to every page/option available in both the UIs.

    I did notice that when I visited the OPNSense pages -- I immediately knew what it was for because most of the pages are similar to what options pfSense had. I had a little bit more trouble in figuring out what a particular option in IPFire did -- but that's something that can be fixed by visiting their wiki.

    I am liking what I see in terms of options. OPNSense WebUI certainly is much more polished than the IPFire WebUI. The evaluation continues.....

    Quote from: Inxsible on January 29, 2021, 11:04:18 PM
    Sorry, but I am going to have to call you out on this one. Did you ever consider that since you were new to networking & firewalls (by your own admission), you might have made a mistake in the setup which caused your rules to be ineffective

    I'm new but I'm not stupid, these rules were working fine earlier, but only after certain incidents they seemed to have stopped working.

    You can see an image of the rules I made in my other thread, they weren't working with those rules on, even when removed and/or after rebooting with and without those rules. I was able to access green and blue from each other.

    You have an IP Fire VM, why don't you create three interfaces, one red for wan, one green for lan/management and blue for lan, without creating any rules, see if you can access green from blue, and blue from green, if you can, create rules preventing traffic between green and blue and then try again.

    In firewall rules, in source I selected standard network as green, and in destination I selected standard network as blue, I selected drop packets, placed this rule at position 1, applied it and rebooted, but I could still access blue from green. So what am I to understand? From my logic this ought to have blocked green's access to blue. When this didn't work, I modified the rule and selected interface as green, left the destination untouched, applied this and rebooted, and I still could access blue from green. Either they intentionally gave different meaning or they hacked the system.

    Because earlier I wanted to isolate green from everything else and those rules worked.

    Quote from: securityconscious on January 29, 2021, 08:42:51 PM
    Does Sensei work offline or does it need to use a cloud service?
    You can disable the real-time cloud part to only work with the local application database. Have not used it that way though.
    https://help.sunnyvalley.io/hc/en-us/articles/360024941814-Configuration

    Quote from: securityconscious on January 29, 2021, 11:49:54 PM
    You can see an image of the rules I made in my other thread, they weren't working with those rules on, even when removed and/or after rebooting with and without those rules. I was able to access green and blue from each other.

    Good thing with open source firewalls based on Linux or BSD is, you can always SSH in and take a look at the generated ruleset. Sure, debugging iptables rulesets is usually no fun because people go crazy with chain-jumping, but it's no problem to find a bug or misconfiguration that way. Same goes for pf rulesets, they are usually much easier to debug (for me).
    I used to configure large ipchains, later iptables or ipfilter & later pf rulesets on the CLI before there were web GUIs, so I usually approach these things differently. If you suspect a bug in IPFire (or also OPNsense), best to SSH in and see what's going on. Also, make sure to set rules to log, maybe you can pinpoint the problem there. Finally tcpdump is a good tool to see where packets actually go.
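    As an added example (not from this thread, IPFire or OPNsense), here is a small Python trace of an iptables-save dump of the kind you would pull over SSH: it walks the FORWARD chain the way netfilter does, following chain jumps, and reports which rule actually decides a green-to-blue packet. The ruleset and chain names are constructed; IPFire's real chain layout is not on this page.

```python
import ipaddress
import re

# Constructed iptables-save excerpt (assumption, not from IPFire or any real box): the
# blanket ACCEPT in POLICYFWD is reached first and shadows the green -> blue DROP.
SAMPLE_RULESET = """\
:FORWARD DROP [0:0]
:POLICYFWD - [0:0]
:CUSTOMFORWARD - [0:0]
-A FORWARD -j POLICYFWD
-A FORWARD -j CUSTOMFORWARD
-A POLICYFWD -s 192.168.0.0/16 -j ACCEPT
-A CUSTOMFORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
"""

# Only -s, -d and -j are interpreted (IPv4 only); interface, port, state and
# negated matches are ignored, so treat the result as a hint and confirm with tcpdump.
RULE = re.compile(r"-A (\S+)(?: -s (\S+))?(?: -d (\S+))?.* -j (\S+)")

def parse_ruleset(text):
    """Return (policies, chains): default policy per built-in chain, rules per chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":                         # "-" marks a user-defined chain
                policies[name] = policy
        elif m := RULE.match(line):                   # appended rule
            chain, src, dst, target = m.groups()
            nets = [ipaddress.ip_network(v or "0.0.0.0/0", strict=False) for v in (src, dst)]
            chains.setdefault(chain, []).append((*nets, target))
    return policies, chains

def trace(text, src_ip, dst_ip):
    """(verdict, chain) for a src -> dst packet traversing FORWARD; first match wins."""
    policies, chains = parse_ruleset(text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    def walk(chain):
        for rule_src, rule_dst, target in chains.get(chain, []):
            if src not in rule_src or dst not in rule_dst:
                continue
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, chain
            if target == "RETURN":                    # back to the calling chain
                return None
            if target in chains and (verdict := walk(target)):
                return verdict                        # user chain reached a verdict
        return None                                   # fell off the end, caller continues
    return walk("FORWARD") or (policies.get("FORWARD", "ACCEPT"), "FORWARD policy")
```

    Run `trace(SAMPLE_RULESET, "192.168.1.10", "192.168.2.20")` to see the packet accepted in POLICYFWD before the DROP in CUSTOMFORWARD is ever consulted.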

    Inxsible, I have been running OPNSense for a few months now.  Since my firewalls are hosted virtually, I like to try out different ones on occasion.  I went from IPfire, which I used for years, to pfSense (which I liked, but was a bit harder to set up), to OPNsense, and then I went back to IPfire because it's a bit simpler.  However, one thing that frustrated me to no end with IPfire was that I could NOT get the OpenVPN service to work, no matter what I did.  I even re-installed the OS and started from scratch, but I still couldn't get it working.  Even the GUI showed that the service was not running, when it actually was.  I was able to get OpenVPN working in both pfSense and in OPNsense, but I spent nearly 3 days troubleshooting why it wouldn't work in IPFire and then gave up.  From some of the discussion I saw in their forum, other users were reporting the same thing, but there was no fix for it.  It was basically shoulder shrugs and "works for me".  I went back to OPNsense and have been running it for a few months now.

    That being said, what I really miss from pfSense were all the notifications that were sent out automatically whenever the system rebooted or when the DynDNS address changed.  I also really miss being able to sort tables by IP address instead of being forced to scroll through an alphabetized list of host names.  That's really annoying (is it really that hard to add the ability to sort by IP address?)  Aside from those 2 minor things, I really like OPNsense.

    Some email jobs can be done with Monit service:

    https://docs.opnsense.org/manual/monit.html
    kind regards
    chemlud
    ____
    "The price of reliability is the pursuit of the utmost simplicity."
    C.A.R. Hoare

    Felix Eichhorn's premium cat food with the extra portion of energy

    A router is not a switch - A router is not a switch - A router is not a switch - A rou....

    Quote from: axel2078 on February 01, 2021, 02:24:05 PM
    However, one thing that frustrated me to no end with IPfire was that I could NOT get the OpenVPN service to work, no matter what I did. 
    That's going to be a deal breaker for me as I need to be able to run an OpenVPN server and client both.

    I have found that even though the pfSense & opnSense UIs are different, I do find myself being able to understand the options on OpnSense much quicker than in IPFire. I am also finding that I need to read up a lot on how to do basic things like VLANs and OpenVPN on IPFire because I do not have experience with it in IPFire.

    plus --- The *sense UI is a whole lot more modern than the IPFire UI for sure.

    Quote from: franco on January 28, 2021, 10:31:56 PM
    2. See https://github.com/opnsense/update#opnsense-bootstrap -- installing FreeBSD 12.1 ZFS and installing OPNsense afterwards. You can even drop the preconfigured config to /conf/config.xml so it'll bootstrap right into the final config. It's not a super-tedious procedure.
    Cheers,
    Franco

    Awesome, glad I found this...going to do this later while I get my test system up and running for the migration!

    February 06, 2021, 06:50:09 AM #26 Last Edit: February 06, 2021, 06:52:29 AM by Inxsible
    Just an update...

    I set up OPNsense in a VM on Proxmox and created all the Interfaces, VLANs, Firewall Rules, NAT rules, a long list of Host Overrides, VPN client etc in about a couple of hours.

    The 2 things left are :

    • Let's Encrypt certs via the acme package -- plan to do this only after the actual deployment to the bare metal
    • OpenVPN server setup

    So all in all a pretty easy migration from pfSense to OPNsense. The only thing that I am still trying to understand is the UPS configuration. I installed os-nut package but the nut-daemon keeps failing. pfSense only required the hostname of my networked UPS with the SNMP driver. I selected the SNMP driver option in OPNsense and tried with the hostname and even the IP address of my UPS, but no dice yet.

    @ security_geek, I think your migration from pfSense would also be easy. And you are right, the closing of the source is what made me look elsewhere in OPNsense and IPFire. I am not against people making money off their skills (software development in this case).

    Finally -- I think I am going to go with OPNsense over IPFire for the following reasons:

    • I also maintain the networks of a few friends and families who are not into IT. So sometimes I have to tell them over the phone to do something. So a good UI is a must. *sense has IPFire beat on this.
    • VLANs etc need to be configured by editing files in IPFire as far as I understood which would be difficult for said friends of mine -- if they ever had to make a modification for whatever reason or wait for me to visit them
    • Using the same software in my network as my friends allows me to quickly be able to tell them certain settings etc in case they want a few changes -- rather than me googling and guessing

    Quote from: Inxsible on February 06, 2021, 06:50:09 AM
    The 2 things left are :

      ...
    • OpenVPN server setup
    Maybe have a look at WireGuard as an alternative? It's very nice.  :)

    February 06, 2021, 09:17:43 PM #28 Last Edit: February 06, 2021, 09:20:35 PM by Inxsible
    Quote from: Greelan on February 06, 2021, 07:14:00 AM
    Quote from: Inxsible on February 06, 2021, 06:50:09 AM
    The 2 things left are :

      ...
    • OpenVPN server setup
    Maybe have a look at WireGuard as an alternative? It's very nice.  :)
    Yeah, I might look into that as well. Does OPNsense have a package that helps with Wireguard configuration?

    Quote: Yeah, I might look into that as well. Does OPNsense have a package that helps with Wireguard configuration?
    OPNsense has got a WireGuard package. Works well.
    Deciso DEC750
    People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)