Who uses opnsense in companies

Started by hgerding, October 22, 2024, 10:40:27 PM

Hi,

Is there a list of companies that use opnsense in larger environments?

I have someone trying to change the networks from opnsense to meraki

Quote
"because it just works and large companies use meraki, and nobody uses opnsense"

Sadly, that's manager speech. There was the quote "Nobody gets fired for buying IBM" in the past. The same applies to products which are in the Gartner quadrant in the upper right. Open source products always struggle against common managers.
They calculate some funny total cost of ownership (TCO) and bring some "uncalculatable risk" on the open source side.
Good thing is that there is good commercial support for OPNsense.

The managers will still say that it's easier to find a technician for a Meraki/FortiGate/Palo and so on instead of someone who knows OPNsense.
"The S in IoT stands for Security!" :)

I agree with that,

I was asked if I could develop a list of "real" companies that use opnsense?

The manager knows nothing about routing and is willing to have it just work (i.e., wide open), which is a disaster in itself.

This is partly driven by one tech who, when his company was bought, joined the network; his rules in Meraki, when they exist, are any-to-any rules.

There are a whole bunch of any-to-any tunnels that "just work" as well.

But the manager does not seem to know enough to recognize this as a problem. etc...

Which is beside the point, but I am looking for examples of larger companies that use OPNsense, to counter the argument that OPNsense is not used for business.



I work at a Formula 1 team. We used it in specific simple circumstances that didn't warrant a more enterprise-y firewall (such as a Palo Alto Networks device).

I have had great success setting up an OPNsense firewall for each of my clients. I feel they are far better protected than any of the "business" solutions offered by the ISP.

We are what is traditionally named an SMB. In the late 90s we started out as an ISP and I can claim that I myself am (or at least was at the time) one of the leading firewall experts in Germany.
Search for the archive of the firewall-wizards mailing lists. My most prestigious consulting customer was the IT of the country of Hesse in Germany.

Today we develop enterprise web solutions, run our own hosting service, and generally aid in what our marketing department named open source digitalisation.

That being said we migrated all our customers and our own data centre from formerly Secure Computing / McAfee / Forcepoint Sidewinder to OPNsense and we are not looking back.

That boils down to ~20 firewalls in total - we are neither a large enterprise ourselves nor the big kahuna of security consulting - but the product is so impressively solid. The open source development mode so perfectly fits our company "DNA".

If $manager demands a product by $bigvendor regardless of the technical merit, I recommend looking for a new job. At some point you find yourself fighting windmills.

Best of luck, HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

October 24, 2024, 07:55:54 AM #6 Last Edit: October 24, 2024, 10:58:15 AM by JamesFrisch
I installed multiple OPNsense firewalls in SMB environments, and also some Meraki and Unifi stuff.

The "better support and professional support" is a pipe dream. I would even say that if you are willing to pay for OPNsense support, their support is far superior. Heck, let me even go one step further: Franco and Patrick in this forum offer better support than paid phone support for Meraki ;)

The main problem OPNsense has is the "nobody ever got fired for buying blue" problem.

I have a great "nobody ever got fired for buying blue" story.
Switzerland gov needed a new emergency telephone provider.

We have the formerly state owned ISP Swisscom. They are expensive but offer ok quality.
They used their old analog line for a long time, then all of a sudden realized that they can save money by going digital. So over a pretty short time they migrated millions of users to VOIP. I even worked there at that time  ;)

We also have the ISP Sunrise. They are the cheap competitor with worse quality. But because they never owned their own landline and always had to rent it, they were doing VoIP over the phone line and fiber for years with great success.

There are of course also many other ISPs and also VoIP only providers, but I will leave them out for simplicity.


So while Swisscom was pretty new to the VoIP game, Sunrise was rock solid for years.
Swisscom had multiple nationwide failures where the phone would go offline for hours.


Now, imagine you are in the situation to decide which one to choose as a provider for your state wide emergency line. Which one would you choose? Sunrise? Wrong!

When something goes wrong with Sunrise people will tell you:
"why the fu** did you choose Sunrise? They are only second! They are cheap! What did you expect that would happen!"
Compare that with your boss's argument "because it just works and large companies use meraki, and nobody uses opnsense". Sounds familiar?

So you choose Swisscom instead. Despite them having two nationwide VoIP failures even before the time you do your evaluation! No joke!
Guess what happened next.
Of course we had 3 additional incidents where our emergency lines went down and we had police stations publish their Sunrise mobile phone numbers so people could contact the police.
What was the public reaction to that debacle?

"Well that sucks. But nothing we can do about it. Swisscom is the market leader. If they can't do it, nobody can. This is just like the weather, it is simply something we have no influence over".


We have some opnsense firewalls in the field.

It lacks some critical features for us to roll it out in a wider context.

For example:
- better firewall rule ui
- an easier way to import basic configuration, a cli would be great for that

Who offers a better firewall ui?
To me they are pretty much all the same, no matter if pfSense, Meraki, FortiGate...


I come from Astaro originally, I think the FortiGate UI is quite a bit better. Plus CLI. And FortiManager, as fiddly as it may be.

The Fortigate stuff is "better" in this regard, but do you really want hard coded passwords that people forgot about?

Mine is just my department, but the network person on campus is always impressed by what I can do, as easily as I can do it compared to their Cisco thing-ama-jig. And it costs a fraction of what they pay, way below 10% of the cost per year. But the Cisco is AI powered! Some insurance person checks the box:

x - Cisco firewall

Then moves on to the next thing that they don't know a thing about.

Quote from: Greg_E on October 24, 2024, 04:44:38 PM
The Fortigate stuff is "better" in this regard, but do you really want hard coded passwords that people forgot about?


Cisco is the company with a never-ending story of hard-coded backdoors. Fortigate was even better: no check of credentials at all. Open house, all night long...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: Greg_E on October 24, 2024, 04:44:38 PM
The Fortigate stuff is "better" in this regard, but do you really want hard coded passwords that people forgot about?

Mine is just my department, but the network person on campus is always impressed by what I can do, as easily as I can do it compared to their Cisco thing-ama-jig. And it costs a fraction of what they pay, way below 10% of the cost per year. But the Cisco is AI powered! Some insurance person checks the box:

x - Cisco firewall

Then moves on to the next thing that they don't know a thing about.

The Cisco stuff is really terrible though.

Quote from: bimbar on October 24, 2024, 10:39:24 AM
We have some opnsense firewalls in the field.

It lacks some critical features for us to roll it out in a wider context.

For example:
- better firewall rule ui
- an easier way to import basic configuration, a cli would be great for that

To be honest, the firewall rule ui is one of the best I've seen. Don't like the FortiGate view. There are a couple of small things I would change and some annoyances but nothing deal breaking.

Which ui is better in your opinion?

The last FortiManager security flaw was really scary.
"The S in IoT stands for Security!" :)

Quote from: Gauss23 on October 24, 2024, 09:46:29 PM
Which ui is better in your opinion?

Sidewinder  :P

EOL product, so not a real contest. Windows Explorer sidebar-like view of rules - you could create arbitrarily deep rule group/folder hierarchies, move rules by drag and drop, move groups by drag and drop, enable/disable rules or entire groups ... great UI.

Also the network objects tool (aliases in OPNsense) - just great.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)