Thinking of making a change...

[PhlMike]

Hi, I'm new here. I am a technical director for an MSP and Cloud Host in Pennsylvania, US. I built my own cloud in carrier-neutral datacenters on my own vmware servers, running zfs backend storage. I usually host Windows Terminal Servers for legacy applications that are not web-based. Mostly legal, accounting and EMR/EHR. I do some cloud hosted CAD with VDI.

I currently have over 100 virtual firewalls and another few hundred physical firewalls from the alternate m0n0wall fork. I have grown tired of them. In my opinion, the company that sells the hardware and owns the project to be a bit abrasive in both words and actions and a bit slow to release. I've spoken to both Jims on the phone over the years. Then there was an issue with a very buggy and year too late release that lacked its most major feature upgrades that were promised for a while. Even recently, their "fall release" is now delayed, again.

Realistically, I liked the project and the capabilities were unmatched. I always told people I could make the firewall turn on your espresso machine if I felt like it.

I tried OPNsense, once for a day or two as a VM in VirtualBox on Ubuntu at least more than 5 years ago, and I didn't take the plunge to change. However, I would like to start the new year shedding old dead weight. I feel like I am being held back.

I have done some unusual configs, like a super firewall with like 50 vlans and over 200 OpenVPN users all going to different vlans plus another 50 ipsec tunnels. I even do things like have an OpenVPN to one firewall that can also route to another firewall via ipsec and reach many different vlans on the other side. I use pfBlockerNG devel (another pain point), but I don't really use Snort/Suricata (too aggressive and too much to troubleshoot and set-up). I used to use that 3rd party central management solution for my firewalls, but new releases kept breaking it. And recently updates have been bricking firewalls where I no longer can update a firewall without being onsite with a replacement.

I have a newer protectli vault box kicking around, I may test at my home (which has 5 vlans). I am interested though, if any MSPs here that have run something similar, especially on the cloud level wanted to share experiences using OPN. I am also looking for some advice on apples to apples when doing configs, I'm assuming I can't just import the other guy's config into OPNSense.

[franco]

Hi and welcome,

We all have a story with a Jim to share I think... 

But in any case I'm not sure if there will be answers here for this thread as the likelihood of responses is greater for specific questions or discussing use cases / integration changes.

I think you will find the setup a bit more lightweight. E.g. rules configuration and services like DHCP/static mappings can be imported, but there has been a lot of drift in config layout for the projects so that partial imports should be taken with a grain of salt. For smaller setups it's likely better to start fresh with a new install.

As an MSP you might find a few API calls handy to automate rules deployment, extracting metrics and handling services. As the task to do this is huge we still have older components that won't support an API though.


Cheers,
Franco

[PhlMike]

I guess specifically - would be replacing pfBlockerNG Devel.

I have it up and running, I got a dark theme on it. So far so good. However I haven't cut the ambilocal cord and popped it on the edge. I still have 5 vlans, 2 wans and 3 ipsec tunnels with 7 phase 2's and about 15 alias and more than 15 firewall rules. I only spent about 2 hours on it last night, I have like a good 90 minutes of config to do.

More specifics would come as I actually run into issues. Right now its just navigation of the UI.

Is their a centralized manager for it, other than Brennt's pfMonitor? If pfMonitor works at all.

[PhlMike]

RAM is going to be an issue. It's not doing anything and it is eating like 90% of the 4GB I have in it.

[lilsense]

I have done some unusual configs, like a super firewall with like 50 vlans and over 200 OpenVPN users all going to different vlans plus another 50 ipsec tunnels. I even do things like have an OpenVPN to one firewall that can also route to another firewall via ipsec and reach many different vlans on the other side. I use pfBlockerNG devel (another pain point), but I don't really use Snort/Suricata (too aggressive and too much to troubleshoot and set-up). I used to use that 3rd party central management solution for my firewalls, but new releases kept breaking it. And recently updates have been bricking firewalls where I no longer can update a firewall without being onsite with a replacement.

super firewall??? 50 VLANs??? our normal firewalls have over 150 VLANs and our skimpy has over 700 VLANs...

It's not OPNsense firewall but it does not mean it cannot be...

So not sure what you mean super firewall... you might want to look at Fortinet when it comes to those terms...

Fortinet's latest hyperscale kit packs 2.4Tbit/sec of firewall into a 4U chassis

[PhlMike]

As compared to a single virtual firewall for each client vlan. I'm not calling it super as in its the biggest thing on planet earth, just replaces 50 virtual firewalls essentially. It's only a dual E5-2620v4 with 64GB of ram, and 4 SATA SSDs in a cached RAID10. But you can reasonably call 50 vlans with 50 SSLVPN servers and 4 internet pipes a bit unusual. Neat trick is the !rfc1918, so you can allow all traffic that isn't rfc1918 on all of those interfaces and avoid crosstalk and keep the number of rules down.

Although I found with >32 interfaces, pfSense kind of gets a little squirrelly. Not just in the GUI, but in saving changes and such it is a bit laggy.

I had a few Sonicwall SuperMassives back in the day, and my one client is a Hospital with Palo Altos - they don't have 700 vlans, but they have a few hundred, 250 - 300 somewhere around that.