Advantages OPNsense (23.1.3) vs PFsense (23.01)

Started by dcol, March 13, 2023, 07:43:22 PM

March 13, 2023, 07:43:22 PM Last Edit: March 30, 2023, 05:20:30 PM by dcol
This list may be controversial, but I feel it is greatly needed. Personally I use both but prefer OPNsense.

PFsense has the following that OPNsense does not
1. pfblocker - easier setup of GeoIP rules, can do similar manually with OPN
2. Create a rule direct from Firewall Normal View log
3. Has more GUI Widgets
4. Move rule position by dragging
5. Auto Configuration Backup
6. More console widget options
7. Change Boot Environments - useful when downgrading version - workaround mentioned below.
8. States shown on Rules page - useful to see if rule was used
9. Access shell within WebGUI
10. Easier to get answers in the forum. More users.
11. More logs available

OPNsense has the following that PFsense does not
1. Quicker upgrade implementations
2. Image files available online - Not available with PFS Plus
3. Monit
4. Enable logging from Rules page
5. Disable Auto-added VPN rules
6. Backup configuration to Google Drive
7. Restore configuration from Shell
8. More plugins Available
9. View Hidden rules in WebGUI
10. Better Advanced firewall log filter
11. Friendlier, but less likely to get results in the community forum
12. More dedicated to open-source - There are signs that PFS will end their free community edition someday

I am sure there are many other item-specific differences. I just mentioned the major ones obvious to me. Feel free to add to this list. I am hoping some of the items from the first list can eventually be added to OPN.
This list may help others decide which to use.
Thanks for looking.

Changing BE is also possible on OPNsense using the bectl command. I always create a BE before doing updates or minor config changes for simple rollbacks if needed. Using bemanager you can also export a BE to other locations so that it can be used as a full bare metal backup :)
i am not an expert... just trying to help...
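
An added example, not part of the posts in this thread and not OPNsense project code: a pre-update boot environment routine around `bectl`, assuming a ZFS-on-root install. The `pre-update` prefix, the `KEEP` count and the function names are illustrative, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: boot environment (BE) handling before an update.
# PREFIX, KEEP and the function names are illustrative, not OPNsense settings.
PREFIX="pre-update"
KEEP=3   # how many inactive pre-update BEs to retain

# Timestamped BE name, e.g. pre-update-20230313-204748 (sorts chronologically).
be_name() {
    printf '%s-%s\n' "$PREFIX" "$(date +%Y%m%d-%H%M%S)"
}

# Reads `bectl list -H` output on stdin (tab-separated: name, active flags,
# mountpoint, space, created) and prints the BEs that may be destroyed:
# named with our prefix, Active column "-" (N marks active now, R active on
# reboot), and older than the newest $KEEP of those.
prunable_bes() {
    awk -F '\t' -v p="$PREFIX-" 'index($1, p) == 1 && $2 == "-" { print $1 }' |
        sort -r | tail -n +"$((KEEP + 1))"
}

# Run as root before an update: clone the running BE, then list candidates.
# Roll back later with `bectl activate <name>` followed by a reboot.
snapshot_before_update() {
    name="$(be_name)"
    bectl create "$name" || return 1
    echo "created: $name"
    bectl list -H | prunable_bes | sed 's/^/prune candidate: bectl destroy /'
}

# Constructed sample of `bectl list -H` output, so the filter runs offline.
sample_list() {
    printf 'default\t-\t-\t1.10G\t2023-01-10 09:00\n'
    printf 'pre-update-20230201-080000\t-\t-\t8K\t2023-02-01 08:00\n'
    printf 'pre-update-20230215-080000\t-\t-\t8K\t2023-02-15 08:00\n'
    printf 'pre-update-20230301-080000\t-\t-\t8K\t2023-03-01 08:00\n'
    printf 'pre-update-20230310-080000\t-\t-\t8K\t2023-03-10 08:00\n'
    printf 'pre-update-20230313-194322\tNR\t/\t2.30G\t2023-03-13 19:43\n'
}

# Demo on the sample: only the oldest inactive pre-update BE is listed.
sample_list | prunable_bes
```

Nothing is destroyed automatically; the routine only prints the `bectl destroy` commands for review, and the running BE and `default` are never listed.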

I don't want to interfere, but I have to comment on:

> 9. Access shell within WebGUI

This and other GUI pages to modify file system content or execute commands are a security nightmare. Any auth/privilege bypass will have your firewall wide open to full remote access.

In any case thanks for posting. :)


Cheers,
Franco

Quote from: tiermutter on March 13, 2023, 08:47:48 PM
Changing BE is also possible on OPNsense using the bectl command. I always create a BE before doing updates or minor config changes for simple rollbacks if needed. Using bemanager you can also export a BE to other locations so that it can be used as a full bare metal backup :)

Is there a guide for this?


Thanks for that BE info. Didn't know about that. Guess my post was useful after all.

For sure I think it is useful, it just needs a little update :)
i am not an expert... just trying to help...

To stay fair I think "things that are done via GUI" are a good base for such a comparison. I'm sure both can do a lot more under the hood if you know how to make them do it.


Cheers,
Franco

March 13, 2023, 09:24:49 PM #8 Last Edit: March 13, 2023, 09:27:13 PM by dcol
Quote from: franco on March 13, 2023, 08:50:32 PM
I don't want to interfere, but I have to comment on:

> 9. Access shell within WebGUI

This and other GUI pages to modify file system content or execute commands are a security nightmare. Any auth/privilege bypass will have your firewall wide open to full remote access.

In any case thanks for posting. :)

Cheers,
Franco

My ultimate wish list is #2, 4 and 8.

Quote from: franco on March 13, 2023, 09:22:42 PM
To stay fair I think "things that are done via GUI" are a good base for such a comparison. I'm sure both can do a lot more under the hood if you know how to make them do it.


Cheers,
Franco

Excellent point

For 8 there is an inspect button on the rule page and it even lets you drill down on the individual states... not sure what pf has but I hope ours is a bit better once you've seen it? ;)

For 2/4 it's going to be a long road but it will be done eventually once these pages move to MVC.


Cheers,
Franco

Ok, didn't know that pfsense allows managing BE from the webGUI.
It is added to my wishlist, incl. exporting BE for bare metal backup :)
i am not an expert... just trying to help...

March 14, 2023, 05:00:45 PM #12 Last Edit: March 14, 2023, 05:04:09 PM by dcol
In PFS+ BE is so much more important because there are no images available. You have to rebuild from scratch from the CE version to reinstall Plus. Huge negative for PFsense Plus.

March 14, 2023, 05:02:57 PM #13 Last Edit: March 14, 2023, 05:07:31 PM by dcol
Quote from: franco on March 13, 2023, 09:29:24 PM
For 8 there is an inspect button on the rule page and it even lets you drill down on the individual states... not sure what pf has but I hope ours is a bit better once you've seen it? ;)

For 2/4 it's going to be a long road but it will be done eventually once these pages move to MVC.


Cheers,
Franco

Thanks for that info. Did not know about the inspect button. It is even better than PFS. This allows me to see which rules are actually used. Can't wait for items 2 and 4.

From a more technical POV: OPNsense devs have been working for years to move the codebase to MVC. How well is pfSense faring? Is that addressed at all, or are they refactoring (only?) in the "+" version? I did not follow that exactly, but my gut feeling was that they wanted to start from "scratch" (which is not bad per se).

Also it is still unclear to me what parts are "open" and "closed source". Is it open source with some closed source modules (usually enterprise stuff)? So more like "Untangle".
Anyway, pfsense did a terrible job of communicating the road ahead.