Why BSD base. Why not Linux base?

[sparticle]

I am sure this topic has come up before but, I was wondering why the dependency on BSD.

These days a base Ubuntu server which is capable of routing is using <200 MB of ram and runs on just about any type of hardware with decent NIC drivers that have very active development.

It would be awesome to have all of the OpnSense goodness on top of an enterprise grade mainstream Linux server OS that has mucho dinero spent on development.

Maybe it's just history and legacy but I think it's holding OpnSense back!

Cheers
Spart

[Patrick M. Hausen]

OPNsense's basic architecture is built on the pf packet filter - which is BSD only.
Of course you can build a Linux based firewall, but it wouldn't be OPNsense.

OpenWRT and IPfire exist.

[sparticle]

OPNsense's basic architecture is built on the pf packet filter - which is BSD only.
Of course you can build a Linux based firewall, but it wouldn't be OPNsense.

OpenWRT and IPfire exist.

They do exist but are clunky. I came here from Untangle.

These days netfilter is built into the kernel and nftables is the new standard for a lot of the enterprise linux OS vendors. massive dev effort across that community.

Are you saying that the main reason for sticking with BSD is pf?

Cheers
Spart

[lilsense]

What makes linux so special???
if you are looking for small amount of foot print, then you go with NetBSD. If you want security, then your choice is OpenBSD. For enterprise class POWERHOUSE, you go with FreeBSD.

BSD just takes a lickin' and keeps on ticking...

Now if you want GUI... then you can go back to untangle and work on making it look like the way you like it... :D

[sparticle]

What makes linux so special???
if you are looking for small amount of foot print, then you go with NetBSD. If you want security, then your choice is OpenBSD. For enterprise class POWERHOUSE, you go with FreeBSD.

BSD just takes a lickin' and keeps on ticking...

Now if you want GUI... then you can go back to untangle and work on making it look like the way you like it... :D

Obviously a xBSD fan. But your assertions may have been valid 10 years ago around security and enterprise but not today and just stating them as fact is misleading. I like OpnSense but it is built on sinking foundations.

There are other foundations that are community supported like debian for instance and more capable and performant with massive global footprint and support ecosystems. If it's really pf that's the anchor then there is no way forward. 

I was really just trying to understand if there was a deal breaker dependancy and maybe it is pf. I have no understanding of how the product architecture is structured and whether for instance the UI is closely or loosely coupled or integrated. If you take OpenWRT you can hack it from the command line or install luci from the standard package management and config via web UI. You can do similar with OpnSense core.

And why does anyone who asks these type of questions just get told to * off back to where they came from :)

Cheers
Spart

Cheers
Spart

[Patrick M. Hausen]

Are you saying that the main reason for sticking with BSD is pf?

More or less, yes. And why would you switch a thriving well-received product to an inferior codebase - architecture wise?

We built our entire hosting platform on FreeBSD, running about 1000 customer instances. It's way cleaner, smaller, and easier to manage with a small team. We are well integrated into the community.

As for OPNsense I don't know how large Deciso's development team is. I can repeat that for limited resources BSD is the easier code base to work with. Facebook, Google et. al. all have their own kernel teams. They have to, given the current state of Linux developmenr. I don't see anything "switching to Linux" would improve in OPNsense. What exactly do you have in mind? What features are missing?
The one that easily comes to mind is hardware support for low end consumer devices? Sorry, that's the one point where I personally say: sorry, not interested. Run something Linux based, then.

I'm interested in a solid product based on something like this:
https://shop.opnsense.com/dec4000-series-opnsense-rack-security-appliance/

How would you improve this beyond what it already does by dropping BSD for Linux?

Kind regards,
Patrick

[sparticle]

Thanks for the reply Patrick. I think I have my answer and that root then drives the rest of the codebase.

Maybe my hardware choices are the issue. VM performance is not great compared to Linux, driver issues abound.

Dedicated HW like the link you provided I can understand.

I just wonder how many of the userbase fit into the category of enterprise users. I suspect a large proportion of the community are home network or similar to myself users.

I run it on the edge of my SMB lab and home Lab. Currently, it is sitting on a Dell Rackmount ESXI host. If we had better internet it might be an issue but we are not blessed with that in the rural locations.

For example across the internal ESXi vswitch I get a max of .63 Gb and across the lan on 1G infrastructure .55 Gb. We spent a long time following all the tweaking guides to get the best lan performance we can. As I said on the WAN side we don't really care as our backhaul is sub 100Mb.

Linux Vm's across the switch are running around 9Gb and across the lan at Gb wire speed.

It's just an example I am sure there are many more.

Thanks for taking the time to respond.

Cheers
Spart

[Bob.Dig]

I suspect a large proportion of the community are home network or similar to myself users.

And how much are those contributing with money?  ;)

[Patrick M. Hausen]

I just wonder how many of the userbase fit into the category of enterprise users. I suspect a large proportion of the community are home network or similar to myself users.

We are not exactly enterprise but what is commonly called SMB - small and medium sized business. If the German user group is in any way representative, the majority of users with a high participation in the community are of that kind. Many system integrators/consultants who place OPNsense and pfSense devices at all their customers' locations.

I used to be in the business of selling commercial firewalls, the (in)famous Sidewinder, absolutely brilliant product for its time. I run 4 OPNsense installations, two data centre, two office, for my own company alone, plus I have moved all customers who agreed from Sidewinder to OPNsense.

For these, even while not "enterprise" 1600 € for a rackmount appliance once and no recurring license fees ever (!) makes OPNsense an absolute no-brainer. "Internet" is business critical, you know  ;)

Personally if a Deciso appliance doesn't fit the bill I would not use anything less than some Supermicro server board with IPMI, ECC memory, and all the good stuff I'm used to. Actually that is precisely what I run at home currently. The board was left over after I upgraded my TrueNAS system (another very fine BSD based product, although picky about the hardware - surprise! ;)) So I bought just a Supermicro case, some Noctua fans, used left over SSDs and I am running OPNsense on server grade hardware with a ZFS mirror and definitely enough performance for all my home needs.

Kind regards,
Patrick

[sparticle]

I suspect a large proportion of the community are home network or similar to myself users.

And how much are those contributing with money?  ;)

I can see why your handle is bob.dig!

:)

[sparticle]

Personally if a Deciso appliance doesn't fit the bill I would not use anything less than some Supermicro server board with IPMI, ECC memory, and all the good stuff I'm used to. Actually that is precisely what I run at home currently. The board was left over after I upgraded my TrueNAS system (another very fine BSD based product, although picky about the hardware - surprise! ;)) So I bought just a Supermicro case, some Noctua fans, used left over SSDs and I am running OPNsense on server grade hardware with a ZFS mirror and definitely enough performance for all my home needs.

Kind regards,
Patrick

Yes, we have OpnSense running in ESXI on an ex Ebay Dell server. Plenty of enterprise goodness. Just a pity about the network performance. The server has a quad port NetXtreme BCM5720 maybe I need to swap it for an intel card and try that.

Cheers
Spart

[Patrick M. Hausen]

Use a dedicated system instead of virtualising. It's a bad idea for infrastructure, anyway  ;)

[Supermule]

Running bare metal is a waste of ressources.

EOD.

[Patrick M. Hausen]

Yes, we have OpnSense running in ESXI on an ex Ebay Dell server.

If VMware only would support VirtIO for network interfaces and block storage possibly all Open Source platforms would benefit running in ESXi.

[chemlud]

Running bare metal is a waste of ressources.

EOD.

For you. Maybe..  :P