Ready to jump ship to Opnsense, but have several questions

Started by Lxndr, August 20, 2021, 06:46:45 PM

Hi OPNSense community,

I'm currently looking for options to replace my current setup, which consists of a Ubiquiti UDM-Pro and Untangle in bridge mode, but certain limitations have me reconsidering other options.

On the UDM-Pro side, firmware issues have me stuck on an older version of the firmware as people are having issues with the newer firmware versions; also the fact that only 2 WAN connections can be used, and the second one can only be used in failover mode, is among the things on my list of issues. With Untangle, which I was planning to use as my main firewall after removing the UDM-Pro, their recent change to their home licence cost got me started looking for alternatives, and while I've been testing pfSense for several months now, something is just bothering me that I can't figure out exactly, so I kept searching and have decided to give OPNsense a try.

Apologies if what I'm about to say is obvious to you all, but please keep in mind that I'm a complete noob when it comes to OPNsense. Just by looking at the UI alone compared to pfSense, it is much more user friendly from my point of view and doesn't make you scratch your head asking yourself where to find what you're looking for, but that's not the purpose of my post here today.

I have a few questions:

I currently run a DNS server on my Synology NAS and 2 Raspberry Pis running AdGuard Home for ad blocking. Can you confirm that I can keep that setup? What DNS upstream server should be set on OPNsense: should I point to my Synology DNS or to an external DNS provider like Cloudflare?

Has anyone here jumped ship from the UDM-Pro to OPNsense and a standalone UniFi controller (physical or Docker)? Was the migration path smooth, or was it a bumpy ride but still no regrets whatsoever?
</gml_replace>
<gr_replace lines="24" cat="clarify" orig="From a hardware">
From a hardware perspective, if all testing goes well and according to plan, I will invest in a low-power hardware appliance so that I can turn off my R210 running Untangle and save some money on power.

Are there any issues with IOT devices and mDNS setup?

Any good book you would recommend me to read in order to get deeper knowledge on OpnSense?

From a hardware perspective if all testing goes well and according to plan I will invest on a low power hardware appliance so that I can turn of my r210 running Untangle and save some money on power.

I had some other questions in my mind when I started writing this, but they just vanished; I will post them later if they come back.

Anyway, thank you all for your time reading and hopefully answering.

Have a great weekend


Hi. I recently moved from DD-WRT to OPNsense.
I was using dnsmasq for the DHCP server and forwarding to a stub resolver for DNS over TLS, with a Pi-hole for ad-blocking only.
I had no problem moving from dnsmasq to Unbound and keeping the rest the same.
What I found was that OPNsense doesn't impose Unbound; we have a choice of it or dnsmasq.
As I said, the Pi-hole setup wasn't problematic and I had friendly assistance to finish my setup. I did my reading and my own checks to try to make clear questions (IMHO).
Also, dnsmasq and Unbound allow the flexibility to use them to go out to public resolvers or to be pointed to your internal ones if you prefer. What you are likely to need is to tailor firewall rules, but that goes for any firewall.

I made the move about a year ago from a UniFi USG to OPNsense - so not quite the same shift as yours, but for similar reasons. Absolutely zero regrets.

To answer your questions:

- You can continue to use your separate DNS server. That's what I do - I have a separate box running Pi-hole and unbound as my DNS server for the entire network, including the router itself.

- I still run my UniFi controller (on a CloudKey) as I still have a couple of UniFi switches. I also used to have some UniFi APs but I have since replaced those. No issue about running the controller without a UniFi router, although of course it complains that there is not one there and you don't get any meaningful stats as a result.

- No issues with IoT or mDNS (although I am not quite clear what issues you had in mind?). Like for any other solution, you will need to run an mDNS repeater or broadcast relay to repeat mDNS traffic across VLANs. There are a couple of plugins available on OPNsense for that purpose. I have my IoT devices on a separate VLAN and use the udpbroadcastrelay plugin to make them available on other VLANs. Historically my main issue with mDNS was caused by my previous UniFi APs, not OPNsense.

- In terms of reading, there is a book called "Practical OPNsense" by Markus Stubbig. Never read it myself, so can't vouch for it. The OPNsense docs online also have a lot of information, and in a lot of cases the pfSense docs can also be helpful (they tend to go into more detail and explanation about concepts and settings, and so can be helpful getting a better understanding of how the same functionality on OPNsense works).

Good luck with making the move.

Hello,

Cookiemonster, Greelan,

Appreciate you guys taking the time to answer my questions. :)

@Greelan,

I had a USG Pro with CloudKey prior to replacing them with the all-in-one solution the UDM-Pro provides. Also thanks for the book recommendation, I've just downloaded it on my Kindle.


I'm using Nginx Proxy Manager to handle certificates for my internal services, and I see that OPNsense can handle this internally. Are you guys using certificates as well, and if so, are you using OPNsense to handle them or an external solution like NPM or Traefik? Would it be better to let OPNsense handle this?

I own 3 domains. Is there any issue or limitation on handling more than one domain?

Can I choose where my logs are stored, as currently all the logs from my hardware are stored on my NAS?

I've just installed OPNsense on a VM on my Proxmox server. If I wish to move it to dedicated hardware, I assume there are no issues with restoring a backup file to a reinstall on new hardware?

Any hardware recommendations for a 3 WANs, 1 LAN and 3 VLANs setup? The main link will be 1G/1G fiber, with IPS/IDS activated.

Thanks again

Yes, there is an nginx/LE plugin. No, I don't use it. I prefer not to have extraneous stuff on my router/firewall. I have an nginx reverse proxy running in an LXD container on my server that serves my whole network.

Yes, there is an option for remote logging.

Yes, you can restore a saved config. The only thing you might need to reconfigure are the interfaces if the NICs don't match.
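A pre-restore check for the interface caveat Greelan raises above, added here as an illustration and not code from the thread or the OPNsense project: it reads the `<if>` device names a backup references (including the parent NIC behind any VLAN interface) and reports which logical interfaces will need reassigning because that NIC does not exist on the new box. The config.xml layout and the device names are a constructed sample, assumed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an OPNsense config.xml backup
# (assumed layout for this example): each logical interface under
# <interfaces> names its device in <if>; VLAN devices are declared under
# <vlans> with their parent NIC in <if> and the virtual device in <vlanif>.
SAMPLE_BACKUP = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN1</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2</if><descr>WAN2</descr></opt1>
    <opt2><if>igb1_vlan20</if><descr>IOT</descr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>20</tag><vlanif>igb1_vlan20</vlanif></vlan>
  </vlans>
</opnsense>
"""


def required_nics(root):
    """Map each logical interface (wan, lan, optN) to the physical NIC it
    needs. A VLAN device is resolved to its parent NIC via <vlans>."""
    parent_of = {}
    for vlan in root.iterfind("./vlans/vlan"):
        vlanif, parent = vlan.findtext("vlanif"), vlan.findtext("if")
        if vlanif and parent:
            parent_of[vlanif] = parent
    needs = {}
    for iface in root.find("interfaces"):
        dev = iface.findtext("if")
        if dev:
            needs[iface.tag] = parent_of.get(dev, dev)
    return needs


def unmapped_interfaces(config_xml, present_nics):
    """Return {logical_name: required_nic} for every interface in the backup
    whose NIC is absent on the target machine. An empty dict means the
    restore should come up without any interface reassignment."""
    present = set(present_nics)
    needs = required_nics(ET.fromstring(config_xml))
    return {name: nic for name, nic in needs.items() if nic not in present}


if __name__ == "__main__":
    # Target box with differently named NICs: every interface needs remapping.
    print(unmapped_interfaces(SAMPLE_BACKUP, ["em0", "em1", "em2"]))
```

On a real system the list of present NICs would come from `ifconfig -l` on the new hardware; the constructed sample stands in for it here.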


I also had a USG (with a UniFi switch and 5 of their APs). I wanted to move away from the USG (some years ago) b/c at the time they just had the USG and the Pro, and the Pro didn't have the performance I needed. I moved back to OPNsense (which I had used prior to the USG) and it's been mostly a good experience. It's not quite as polished and it can take a bit to figure out how to do things, but it's been pretty rock solid. I am currently having an issue with port forwarding (I'll post about that in a bit).

I do miss the clear insights that you can get from UniFi; if I were to do it again I would run the controller on my network.

Hi all,

Just thought I would let you guys know that the migration has been done. My UDM Pro was shut down yesterday and it's back in the box. I'm running OPNsense on a Dell R210 II and will be migrating that to an OPNsense appliance within the next year if all goes well.

I do have a couple of questions following the migration:

As mentioned in a previous post, I was using Untangle in bridge mode behind the UDM Pro, so I wanted to know if I should keep the Untangle box in bridge mode behind OPNsense, or if I should consider installing Sensei and call it a day?

What's the best option concerning the usage of certificates? I'm using Nginx Proxy Manager with LE, but was considering using OPNsense to handle the certificates / getting a wildcard certificate if possible. Any advice or recommendations on this?

Thanks in advance

April 18, 2022, 02:01:40 PM #8 Last Edit: April 21, 2022, 10:35:40 AM by therapistfarflung
Quote from: Lxndr on August 20, 2021, 06:46:45 PM

Any good book you would recommend me to read in order to get deeper knowledge on OpnSense?


I can recommend "Practical OPNsense" by Markus Stubbig. It's a great one for the beginning. You may also find some helpful literature on particular resources. For example, this book https://freebooksummary.com/category/a-separate-peace is my favorite, and I also always read the books there. Finding a good resource, especially tech-related books, is a big challenge.

Quote from: Lxndr on August 20, 2021, 06:46:45 PM
Hi OPNSense community,
I currently run a DNS server on my Synology NAS and 2 Raspberry Pis running AdGuard Home for ad blocking. Can you confirm that I can keep that setup? What DNS upstream server should be set on OPNsense: should I point to my Synology DNS or to an external DNS provider like Cloudflare?

I run AdGuard on my OPNsense PC. AdGuard isn't in the official repos, but it's in the mimugmail repo (Google it). It's really easy to add that repo and use AdGuard, IMO. I have a CenturyLink DSL modem in transparent bridging mode, and I use PPPoE in OPNsense. I'm really happy using OPNsense over a DD-WRT/Tomato based router. It's a lot faster, and can do a lot more!
OPNsense 23.1.11-amd64
Intel Core2 Duo CPU E4500 @ 2.20GHz (2 cores, 2 threads)
Acer ASM1610/VTM261 Motherboard
2x1 GB DDR2 800 MHz (Motherboard Limit)
60 GB SSD
2x1 Gigabit LAN