question on FreeBSD for underlying system on OPNsense

[ajoeiam]

Greetings

I have been having a more than somewhat painful odyssey in trying to install and setup opnsense.

Some of the issues (at the very least) are directly related to the state of the drivers on FreeBSD.
Have spent a lot of time reading on FreeBSD forum and in whatever else I can find I'm starting to wonder if
OPNsense is served well in their use of FreeBSD as a base system for OPNsense.

I'm a wondering if anything near the amount of effort, for support and drivers, would be required if one
used a hardened version of Devuan (Debian derivative w/o systemd). Such would remove issues with
drivers and open up the use of a wider range of hardware. I'm likely missing some things and am not
trying to suggest that a move should happen just wondering about the amount of support that I see
necessary in the forum and wonder as to options to reduce that need.

What say you?

[Maurice]

Personal opinion: OPNsense is a network appliance, not a general purpose desktop / server OS. Buy the hardware which fits the software, not the other way around. Or use virtualization to offload driver stuff to a hypervisor of your choice (can be Linux-based).

Also, remember that an important part of Deciso's business is developing and selling hardware optimised for OPNsense.

If you prefer a Linux-based firewall, there are other options.

Cheers
Maurice

[ajoeiam]

Personal opinion: OPNsense is a network appliance, not a general purpose desktop / server OS. Buy the hardware which fits the software, not the other way around. Or use virtualization to offload driver stuff to a hypervisor of your choice (can be Linux-based).

Also, remember that an important part of Deciso's business is developing and selling hardware optimised for OPNsense.

If you prefer a Linux-based firewall, there are other options.

Cheers
Maurice

Had I known how incredibly picky and complex the relationship between OPN and FreeBSD was I would have.
Hmmmmmm - - - I haven't been able to find a linux-based firewall that is ipv6 capable.
If you have - - - please advise.
I have had excellent success purchasing used commercial SFF machines and using them as servers and as test bed systems for other critical systems. This was my first foray into the freebsd world  - - - most commentators talked about the similarity - - I've found the differences are huge (if you have problems finding linux support - - that's apple pie easy compared to freebsd support!!).
The first machine I tried to use had been used as a firewall and a number of individuals had reported success in installing opnsense - - - I couldn't get things to install so went with option #2 - a lightly used i5 system with some decent chops - - - just today using more than one rj-45 port is considered bad form so its almost impossible to find such - - - then if you're using a tiny form factor - - - its almost impossible (dunno how one could) drop in a pcie card to give good rj-45 ports. Then without that - - - well freebsd doesn't much like anything but a pcie port card although others seem to have been successful and opn really doesn't seem to like anything other than motherboard direct connected ports.
I had assumed that freebsd was as flexible as *nix - - - wrongly as it turns out.
Also know that there are options to severely harden up *nix - - - so was wondering what advantage was given by using freebsd - - perhaps there is a list of such somewhere.
(It is listed that opn actually modifies freebsd to harden it - - -yes?)

So perhaps the software is also designed to sell the hardware.
In that case - - - sorry - - - its out of my budgetary range (even though I would like to run great software my pocketbook dictates what I do to more than a trivial extent!!).

[lilsense]

what??? NONESENSE!!!!

have not heard of VyOS?

https://docs.vyos.io/en/equuleus/configuration/firewall/index.html

Thanks for using OPNsense. You can proceed to uninstall and use VyOS.

[Patrick M. Hausen]

OPNsense and pfSense are deeply rooted in the "pf" firewall, which is only available on BSD. Case closed. Pick a different Linzx based product if that is what you prefer. Nobody is twisting your arm ...

[passeri]

ajoeiam, it looks to me that you are trying to build your hardware out of parts lying about the place plus additions. It is not a necessary alternative that you buy hardware from Deciso, much as that may help them to develop OPNsense. There are low-cost router-oriented mini-PCs aplenty on which one can install FreeBSD/OPNsense without any difficulty. I have some so installed, with 4 and 6 ports, passively cooled. One of them came with pfSense already installed (and now replaced), an indicator of suitability. As already noted above, a firewall is and should be an appliance once installed. Reliability is key.

The suggestion you simply run OPNsense in a VM while Linux handles the interface cards may solve your problem but I would not choose your apparent route to a reliable and functional appliance. There are of course Linux options. Choose what suits you best. After considering at some length most of the open, free or similar options plus relevant commercial ones, I am here, largely on grounds of capability+support of the product.

[CJ]

As someone how has run multiple FreeBSD routers using generic desktops with addon NICs, I'm a bit surprised that you would have issues with going that route.  I can pick up used desktops quite cheaply, and the desktop form factor allows me to have plenty of expandability.

I will admit that the desktop and addon NICs use more space and power than other options but it's not that much different and allows me to have more resources to throw at things like IDS/IPS.  About the only time I regret the higher power budget is my UPS runtime.

[meyergru]

I have been having a more than somewhat painful odyssey in trying to install and setup opnsense.

Some of the issues (at the very least) are directly related to the state of the drivers on FreeBSD.

Apart from the near-impossible porting of OpnSense (or pfSense) to Linux because of lack of pf, having followed many of your posts, I agree you had a painful odyssey, but as to what was the reason, evidence indicates otherwise:

Most of your issues were networking-related stuff and only one (although with several different topics) could be tracked down to drivers (or hardware), namely that you tried to use USB network adapters which are indeed considered unreliable - and not only under FreeBSD.

[lilsense]

not that you brought up pf... On an OT, I was just reading up about how netflix uses eBPF on linux to be able to gather streams, etc for monitoring...
Now, I always thought that BPF and PF were the same, aren't they?


Edit:   Ah! Thanks to google ai:

pf is involved in filtering network traffic. bpf is an interface that captures and accesses raw network traffic.

[Patrick M. Hausen]

And eBPF is something entirely different because like time and time again Linux folks could not be bothered to just use DTrace.

[lilsense]

but based on Netflix blog site, eBPF requires very little resources and I know there are comparisons with DTrace. Some things eBPF is far faster and some Dtrace...

I was looking in terms of monitoring OPNsense as a whole with eBPF, as I have not seen one currently there with DTrace??? Maybe I am over looking it...

[Patrick M. Hausen]

eBPF is not available on FreeBSD. Linux only.

[lilsense]

I understand Patrick. I was wondering if the OPNsense is utilizing the dtrace like the link below...

https://www.brendangregg.com/dtracetoolkit.html

[Patrick M. Hausen]

Feel free to download the toolkit and debug away. DTrace is part of OPNsense. The toolkit are scripts in the D programming language which DTrace uses.

You might want to start with dwatch(1) which is a simpler frontend to DTrace written by Devin Teske.

HTH, I think I don't quite understand your question. DTrace is a system call tracing facility much like tcpdump/bpf is a packet tracing facility. You use it on the command line to debug misbehaving processes.