Guidance converting from pfSense to OPNsense

Started by stuartbh, September 25, 2025, 06:37:16 PM

OPNsense users, developers, et alia:

Inasmuch as I have leveraged pfSense CE to be my routing solution on my network for some several years (running in a virtual machine under ProxMox), I have naturally become familiar with where things are located within the GUI (notwithstanding the clunky nature of it). However, I recently attempted to migrate from ISC DHCP to KEA DHCP (within pfSense CE) and something was causing my WAN interface to drop its IP address regularly. I was able to restore a configuration backup from prior to the ISC DHCP to KEA DHCP conversion, and pfSense CE is now running okay again. This experience gave me some pause and I began to consider migrating from pfSense to OPNsense, as well as moving my router instance from a VM to having a dedicated hardware-based router (I obtained a Sophos SG135 Rev3 for this purpose). In pursuance of these new endeavors I have installed OPNsense onto the SG135 Rev3 and it boots up and is accessible for configuration on my network. I am now working to migrate my pfSense environment over to OPNsense, hence my questions as set forth herein below as I work to effectuate this conversion to OPNsense. Both router instances are up, but pfSense (for now) still remains as my functioning router.

I will say that being new to OPNsense I already do find attractive that OPNsense (beyond the improved GUI) is inclusive of a mechanism to take and leverage snapshots, something pfSense CE stands in the absence of having as a feature unless you move to pfSense Plus (a paid product). I also did some reading on setting up PXE booting within OPNsense, and was quite impressed with the documentation and how easy it looked to do within the GUI.

Enumerated herein below are a number of concerns I wish to address in the process of migrating to OPNsense, however, the most pressing at this juncture is getting ISC DHCP reservations migrated from pfSense to OPNsense. Any assistance or guidance that I can get would be most greatly appreciated.

A little about my network currently...

My network has two main VLANs, one for my internet connection and one for my regular LAN hardware. This was done as initially I installed pfSense on a PC with only one Ethernet port. I then moved pfSense over to running as a VM which now uses one virtual interface and routes betwixt the WAN VLAN and the LAN VLAN.

Inasmuch as my ISP has never updated the firmware in my DSL modem (a Zyxel C3000Z), I have placed it into bridge mode and this is what impelled me to find a separate routing solution. Of note is the fact that my ISP allows up to 3 or maybe 5 internet facing IPv4 addresses to be issued via DHCP in bridge mode; both my pfSense VM and my SG135-Rev3 running OPNsense each have their own individual internet facing IPv4 address on their respective WAN interfaces at this juncture. Currently I have disabled the WAN DHCP server for IPv6 on the C3000Z, but eventually I plan to re-enable it.

I have already configured OPNsense on the Sophos SG135 Rev3 to use two of the hardware interfaces on the device and configured VLANs thereupon (ix0_vlan192 as the LAN interface, ix1_vlan300 as the WAN interface).

Here are the issues that I am curious about receiving guidance on in migrating from pfSense to OPNsense:

1) As ISC DHCP is facing future deprecation, my eventual goal is to move from ISC DHCP to KEA DHCP. I am presuming that for the moment my best pathway (unless someone instructs me otherwise) is to migrate ISC DHCP on pfSense to ISC DHCP on OPNsense, then migrate from ISC DHCP to KEA DHCP once ISC DHCP is working on OPNsense. Thus, I am looking for ideas on how I can migrate my DHCP reservation list from pfSense ISC DHCP to OPNsense ISC DHCP.

2) In the past I had set up a number of subdomains that route to my pfSense public facing IP address (using DDNS) so I could access certain web managed facilities on my network remotely. However, I am now considering using something like the Heimdall dashboard application having only one subdomain that routes into my internal network. I had used haproxy on pfSense for this purpose and am now contemplating what might be a more improved manner to effectuate this functionality whilst using packages within the OPNsense environment to the extent practicable.

I am also plagued and constantly subjected to the irritant of having many self-signed certificates on my network and wish to employ some mechanism wherein Let's Encrypt certificates are easily maintained and used for the entirety of my network where possible. I wish to integrate this into whatever solution(s) I select.

3) I have a number of firewall rules that allow certain ports to forward to my pfSense instance from the WAN so that pfSense haproxy can then route them within my LAN to different servers or VMs. Are there any guides or documents on migrating firewall rules from pfSense to OPNsense?

I also wish to modify OPNsense configuration so that sshlockout either does not apply to my LAN subnet or to modify how many attempts are required to fail in precedence to the sshlockout rule being applied.

4) I run pfBlockerNG on pfSense and I am told I can replace that with Unbound and run AdGuard, though I was not able to find a package for AdGuard within OPNsense (I do know it can be run in a VM on ProxMox). Worthy of notation is that I have never used Unbound nor AdGuard before.

5) I use OpenVPN server on pfSense and wish to migrate that to OPNsense for remote access to my network.

6) I was just getting started with suricata on pfSense, so I will get back to firing that up on OPNsense later.

Little by little I have started to configure certain parameters within OPNsense, though the main focus of my cut over is getting ISC DHCP reservations migrated to OPNsense.

Thanks to everyone that assists and provides ideas about how to improve my network and implementing OPNsense.


Stuart
Thank you for your time and consideration regarding the instant matters.

Very Respectfully,

Stuart