Planning to Change from IPFire 2.x

Started by teclis22, January 03, 2026, 03:17:42 PM

Hi all.
I have used IPCop for a while, then moved to IPFire when IPCop closed down.
I very much enjoy the simplicity of it for a home lab environment.
But always needed more interfaces than the 4 zones offered by IPFire. And that option is likely only to be introduced in 3.x, which might take years to be released.

So I am looking at OPNsense.
My question at this point:

Is there like a recommended tutorial to set up an IPFire-like network? I know the "zones" term is not really industry standard, but it's just practical.
Any resource you can recommend to an OPNsense beginner to get an IPFire-like setup configured and running?
Thank you very much

best regards
me

Have you looked at the OPNsense Documentation? Specifically Security Zones. I don't recall specifics from IPFire, so the concepts may not be precisely comparable. Also, Tutorials and FAQs here.

Ohh, that's good input.
Thank you very much.
Going to dig myself into those :)

I looked closely at IPFire when first developing my understanding of firewalls and routing, loading both it and OPNsense and donating to both (hoping for IPFire v3) while I examined them. I found IPFire presented concepts cleanly in its otherwise dated interface and its user-driven documentation, but ultimately went for the greater capability, flexibility, of OPNsense. IPFire can be nigh-dictatorial in its model. You can do "everything and more" in OPNsense and its documentation, though in a different style, gives you both setups and detail. As ever, the user forum is a vital component of the information and Q&A system so questions about any translation of concepts or implementation will be answered here.

I never had IPFire in production so cannot comment directly on working up that transition. While I keep an eye on IPFire by continuing to accept their e-mail announcements (curiosity), for my own circumstances there is no question that my choice was sound.
Deciso DEC697

January 04, 2026, 06:13:15 PM #4 Last Edit: January 04, 2026, 06:23:56 PM by OPNenthu
I think pf is a thing of beauty because as a home networking newcomer (speaking of myself only) I could grasp its fundamental mechanics from a simple, well written manual.

I feel that OPNsense presents pf in a very beautiful way and with a nice set of RFC-compliant defaults.  It abstracts very little, but it also doesn't need to.

The fun thing about that flexibility, coupled with the fact that OPNsense doesn't force a particular design pattern, is that I find myself constantly experimenting as I come across different concepts from others.  I started with separate sets of rules on each interface, but there was duplication.  Then I started grouping rules.  Then I came across different schools of thought on how to group rules, such as the OPNsense Zones document linked above and also this one.

After studying and comparing the two grouping methodologies, I think I finally boiled the differences down to this:

- The OPNsense Zones method is really grounded in a traditional enterprise perimeter security model with zones of "trust" and untrust.  It uses Floating rules for inter-zone policy.

- Schnerring's method is grounded in a more zero-trust ideology except it doesn't start strict.  It gives all local interfaces an initial baseline set of intranet access that can be further expanded (or restricted) as needed with interface-level overrides. It heavily leverages the pf quick/non-quick mechanism and doesn't use Floating rules.

This is honestly one of the more fun and interesting aspects of learning OPNsense for me :)  Hope you have a similar experience, and it will be interesting to see how you decide to translate your IPFire experience to pf/OPN.
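
Added example, not part of the thread and not taken from either linked guide: a small Python model of the pf quick/non-quick evaluation that the last post refers to, applied to a baseline-plus-override rule set. The interface names, addresses and labels are constructed, and the default-deny fallback is an assumption.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    ifaces: frozenset  # interfaces covered; an interface group lists several
    dst: str           # destination network, CIDR
    label: str
    quick: bool = False

def evaluate(rules, iface, dst, default="block"):
    """pf semantics: the last matching rule wins, unless a matching rule
    is marked quick, which ends evaluation at once.
    default="block" is an assumption modelling a default-deny firewall."""
    verdict = (default, "default")
    for rule in rules:
        if iface in rule.ifaces and ip_address(dst) in ip_network(rule.dst):
            verdict = (rule.action, rule.label)
            if rule.quick:
                break
    return verdict

# Constructed sample: interface names and addresses are hypothetical.
LOCAL = frozenset({"lan", "iot", "guest"})
RULES = [
    # Group-level baseline, evaluated first, deliberately non-quick.
    Rule("pass", LOCAL, "10.0.0.0/8", "baseline intranet"),
    # Interface-level overrides, evaluated later, so they can win.
    Rule("block", frozenset({"iot"}), "10.0.10.0/24", "iot: no LAN"),
    Rule("pass", frozenset({"iot"}), "10.0.10.5/32", "iot: NAS only"),
]
# Same rules with the baseline marked quick: the overrides are now shadowed.
QUICK_BASELINE = [replace(RULES[0], quick=True)] + RULES[1:]

if __name__ == "__main__":
    for name, rules in (("non-quick baseline", RULES),
                        ("quick baseline", QUICK_BASELINE)):
        for iface, dst in (("lan", "10.0.10.9"), ("iot", "10.0.10.9"),
                           ("iot", "10.0.10.5"), ("guest", "192.0.2.1")):
            print(name, iface, dst, evaluate(rules, iface, dst))
```

With the non-quick baseline the IoT overrides take effect; marking the same baseline rule quick makes it decide first, so the later block on the IoT interface is never reached.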