Switching from pfSense - features

Started by sporkman, May 07, 2017, 03:52:01 AM

Hi Whit,

We haven't changed that yet.

Best regards,

Ad

Quote from: AdSchellevis on July 14, 2017, 08:55:20 AM
Our defaults are different for CARP and the code to manage it is different too; the basic setup options are similar, if that's what you're looking for.

Ad,

From your doc, it looks like you just use a single CARP broadcast across all interfaces, which if not received on one results in the backup system taking over. Am I reading that right? (With pfSense, separate CARP signals can be set up for each interface's VIPs, and in failover of a single interface only that set of VIPs is shifted to the secondary system -- I think. To tell the truth my experience with pfSense's CARP implementation found serious inconsistencies in its behavior. Their current implementation may be broken.)

The thing about just trying these things out is there's the question of whether the theories implemented behind them are solid. A nice interface can have poor logic and coding behind it. I'm late in trying pfSense, but my sense of it is it's a once-solid project that's degenerated badly since the management changes. I'm encouraged that OPNsense has recoded much of the back end. Are there public docs on the engineering concepts somewhere? There's only so much we can tell from looking at the management interface. Even studying code directly, it takes days of work to abstract the design principles. Is there a higher-level description of the operational design available somewhere?

On the IPsec config screens:

Quote
We haven't changed that yet.

What happens if one goes to the ipsec.conf file directly and fills in the subnets? Is that compatible, or would it get lost?

Best regards,
Whit

I'm not sure what you mean, and don't have a lot of time available at the moment; the easiest option is just to install and browse through the options yourself. Changing configuration files manually will always get lost.