Switching from pfSense - features

[sporkman]

Hi all,

I'd really like to learn about the differences between the two firewall products, ideally on my home connection so I'm not mucking around with someone's connectivity who's actually paying for service.

Last time I looked at OPNsense was at least a year ago and there were a few missing features.  I think everything is there now, but can someone confirm?  I have two connections, 100/100 FiOS and 3.0/768kb/s DSL. These are my must-haves for home use:

- Dual WAN support (primary and backup)
- Traffic shaping that works for dual WANs where each WAN connection is a different speed
- Traffic shaping that just prioritizes a few things up/down - VoIP (based on my VoIP phone IPs), ssh, DNS, ICMP, OpenVPN, and a handful of other things
- OpenVPN (I use it as a server for when I'm working outside my home, and it's acting as a VPN client for 3 remote sites)
- Dynamic DNS updates
- DNSSEC-capable resolver (not forwarder)

If all of that's available in the current stable version, I'm good to go...

[bartjsmit]

Have a look at the documentation to confirm that each of those features are supported in the way that meets your requirements. https://docs.opnsense.org/

I don't use OPNsense to your level, but all items on your list have been discussed on this forum.

Bart...

[coffeecup25]

I'm going to switch over too. Here's my concerns. I assume the conversion will work well, however.

1) I have a supermicro j1900 based motherboard with 8gb ram and 120GB SSD. two i210-at intel gigabit lan ports ... OK? No AES-NI.

2) As an aside, i noticed opnsense will support wifi. I have a spare intel 6205 dual band card. My motherboard will support it. Will I need an external antenna ... if so, pointers on how to install it. Thanks.

3) I'm assuming openVPN still support multiple servers like pfSense? I want to install a tun, possibly a tap, and a site to site. Can openvpn be locked to specific users and the certs must match the user? Is there a client export capability?

4) Geoblocking and IPS/IDS are needed and appear to be offered. Any big differences? It took a while but I eliminated most snort false positives in pfSense. Are specific false positives easy to override in opnsense?

5) No-IP dynamic DDNS is used by me. Is it supported?

6) I need to afix a few permanent ip addresses on a couple of devices. I assume it's pretty easy?

7) Any big differences you have to deal with? The above pretty well described my complete needs. My preference is that the forum here doesn't have as many snotty contributors as pfSense has.

Thanks, much. Glad opnsense is available. My other option was sophos, and I was not looking forward to the learning curve. I don't like being forced to buy new hardware just to continue with pfSense. It's good but not the only product out there. Apparently, other products support AES-NI if it's detected, otherwise it's ignored.

edit: jut did some research. Looks good. I plan to test it out soon. Still wondering about the wifi - mostly how to deal with antennas on a motherboard - in general.

[franco]

Hi there,

Let me just go through this quickly.

- Dual WAN support (primary and backup)

Yes.

- Traffic shaping that works for dual WANs where each WAN connection is a different speed
- Traffic shaping that just prioritizes a few things up/down - VoIP (based on my VoIP phone IPs), ssh, DNS, ICMP, OpenVPN, and a handful of other things

Yes, but to be fair we rewrote the shaper to resemble what the limiter used to be. Traffic shaping happens in another packet filter (ipfw) and there is no link between the main firewall (pf) anymore, because these were custom kernel additions. I can't say for sure you'll find what you expect if you reference the pfSense shaper, not the limiter.

- OpenVPN (I use it as a server for when I'm working outside my home, and it's acting as a VPN client for 3 remote sites)

Yes.

- Dynamic DNS updates

Yes. We do, however, do not have a matching feature set. We are missing some predefined ones, but added others.

- DNSSEC-capable resolver (not forwarder)

Yes.


Cheers,
Franco

[franco]

Hi there,

Same here, let's go.

1) I have a supermicro j1900 based motherboard with 8gb ram and 120GB SSD. two i210-at intel gigabit lan ports ... OK? No AES-NI.

Yes.

2) As an aside, i noticed opnsense will support wifi. I have a spare intel 6205 dual band card. My motherboard will support it. Will I need an external antenna ... if so, pointers on how to install it. Thanks.

Find out which driver it uses, add the relevant lines to /boot/loader.conf.local listed in the manual page, e.g.:

https://www.freebsd.org/cgi/man.cgi?query=iwn

Then reboot and see under Interfaces: Wireless: Add if the wireless card was detected and you can add devices to it.

3) I'm assuming openVPN still support multiple servers like pfSense? I want to install a tun, possibly a tap, and a site to site. Can openvpn be locked to specific users and the certs must match the user? Is there a client export capability?

Yes.

4) Geoblocking and IPS/IDS are needed and appear to be offered. Any big differences? It took a while but I eliminated most snort false positives in pfSense. Are specific false positives easy to override in opnsense?

Yes. IPS, however, uses Suricata exclusively. You can disable per rule if you need to. Geoblocking is in there too, but the other Geoblocking is more flexible, you can create GeoIP aliases and use them in firewall rules.

5) No-IP dynamic DDNS is used by me. Is it supported?

Yes, there's No-IP and No-IP (free).

6) I need to afix a few permanent ip addresses on a couple of devices. I assume it's pretty easy?

Assuming you use DHCP and static mappings, yes.

7) Any big differences you have to deal with? The above pretty well described my complete needs. My preference is that the forum here doesn't have as many snotty contributors as pfSense has.

We try to help and stay clear of judging people for using features. We have no time to argue about silly things. We want to be friendly and positive.

As for other things... For some the menu layout and restructuring we've done over the years was sporadically labeled "confusing", but in truth it tries to align better with commercially available firewall software. The traffic shaper is really the limiter. The captive portal was a total rewrite. We already run FreeBSD 11 with all its positive sides and rough edges. No Snort, just Suricata. "Packages" are called "plugins" to avoid confusion with FreeBSD packages. Firmware updates are cool. That's all I can think of for now.

edit: jut did some research. Looks good. I plan to test it out soon. Still wondering about the wifi - mostly how to deal with antennas on a motherboard - in general.

Oh, for hardware guidance on this best thing to use a targeted topic. I don't have experience with this.


Cheers,
Franco

[fabian]

edit: jut did some research. Looks good. I plan to test it out soon. Still wondering about the wifi - mostly how to deal with antennas on a motherboard - in general.

Oh, for hardware guidance on this best thing to use a targeted topic. I don't have experience with this.

wireless is usually easy (I use it in my apu 1 board):

• you need a wireless card which is supported by FreeBSD
• I used two pigtail to sma cables and
• two antennas (8 dba)

1. step: add the pigtail cables on the PCI express card
2. step: put the card into the slot
3. step: open the screws of the sma jack and push it through the case (where the holes for them are), fix the screws
4. step: close the case
5. step: mount the antenna

It is really that easy

It works well but only in G mode.

[coffeecup25]

fabian, franco,

Thank you. I think I read that both Opnsense and sophos work with a usb lan attachment.  I have a couple lying about and also a spare laptop that has a gigabit port. I plan to replace the hard drive in it temporarily and try both softwares. Sophos is only an indulgence as I have always wanted to see it. I suspect the learning curve will be far too steep, but I'm curious.

Then I will install Opnsense on it and configure it to my needs. After it works I'll reformat my Supermicro, install Opnsense and update the configuration. I'll decide about the wifi later as It would only be for fun; I have a R6400 as a wireless access point on the 1st floor; the main router is in the basement where the wires enter the house - I wired the 1st floor with cat6.

edit: Decided to go straight to Opnsense and ignore Sophos. Sophos has a 3 year free license renewal period. It's free but I don't want to have to worry about a router not working 3 years down the road because of a failure to replace it with a new free 3 year license.

BTW, you might want to add to the improvement list an auto-update capability for new versions of Opnsense as they are pumped out. Perhaps give it a delay so it's not installed until a month or so after release so it can be pulled if there's a problem before auto-update.

[sporkman]

Yes, but to be fair we rewrote the shaper to resemble what the limiter used to be. Traffic shaping happens in another packet filter (ipfw) and there is no link between the main firewall (pf) anymore, because these were custom kernel additions. I can't say for sure you'll find what you expect if you reference the pfSense shaper, not the limiter.

Hi Franco - thanks for the rundown, very helpful.

Right now I have a 100/100 connection at home, so technically I probably could get away with just having no shaping at all, but I'd rather not.  I like to know that at least on outbound, I'm always going to have zippy ssh sessions, quick DNS lookups, and normal VPN responsiveness regardless of whether I'm seeding a torrent, syncing with various cloud drives, running a backup, etc. I also find that prioritizing outbound ACKs is great for keeping downloads running full speed when upstream is running near capacity.  Is it fair to assume this is all possible?  I assume I should probably put this in a VM to just get a good look at the UI and such.

[sporkman]

Hmmm...  Trying to run the current amd64 version in a VMware Fusion VM, just boots to a black screen.  OS type in Fusion is set to "FreeBSD 64 bit".  Any tips or is this a FreeBSD 11 quirk?

Sorry - OS-X/Fusion bug with Intel graphics:

https://communities.vmware.com/message/2675225#2675225

[whitwye]

Also considering switching from pfSense. I respect the request for positivity here, and apologize if I step just a bit outside of that path for a moment. Part of my motivation is that some pfSense forum administrators are not positive people.

The specific situation I've run into is, with pfSense 2.3.3 I had two firewalls, each connected to two WANs, with CARP set to take the VIPs for one WAN on the primary firewall, and for the other WAN on the other. Worked (in coordination with VIPs on the LAN side, and some policy routing on Linux machines in the DMZ). Then on upgrading to pfSense 2.3.4 it stopped fully working. Testing has revealed that, at least with the NICs we're using, CARP packets aren't seen unless the NICs are in promiscuous mode. pfSense has some sort of inner logic to choose whether to have NICs in that mode or not. The result of that logic is that, in 2.3.4, not all NICs that 2.3.3 would put in promiscuous mode are in that mode.

Nobody who responds in the forums for pfSense knows how the NIC mode settings are handled in the product. It seems to have layers of interacting code beyond human comprehension. For instance, almost any change in the primary firewall's rules results in the secondary firewall having CARP turned back on -- when I've of course got it turned off until I can fix the problems now with it. 

Let's say I switch and end up in a similar situation with OPNsense: I discover a problem with CARP packets being seen that looks like it would be solved by putting an interface into promiscuous mode. Will I find either (1) a place in the GUI to simply set the interface that way, or at least (2) an available way to edit a configuration file to accomplish that? And if I turn CARP off on a secondary device while troubleshooting it, will it stay off?

[whitwye]

Looked around more here and at the brochure. A few more questions:

- The brochure describes the CARP failover method as being for the whole device with OPNsense. So where pfSense allows setup of multiple CARP tests on a per-interface basis, OPN sense uses a single CARP signal for everything? The brochure implies that every interface on the primary is tested, when it says with the failure of any one results in the secondary taking over. How is this implemented? Is it one CARP signal broadcast over all interfaces, with the secondary listening on all interfaces and taking over if any one of them goes silent? What is done to avoid split-brain then, and take down the VIPs on the primary?

- The forums show that there are some persistent problems with IPsec. Reliable IPsec is a primary requirement here. Is there a stable version with rock-solid IPsec performance?

Thanks,
Whit

[AdSchellevis]

Hi Whit,

The easiest step is probably to install the product and try it out for yourself, we tend to stick as close to the standards as possible, for technical details about the internals of carp you could read the freebsd manual pages or https://calomel.org/pf_carp.html is also a nice read.

The details on how to set it up and where to pay attention to can be found on our documentation available here
https://docs.opnsense.org/manual/how-tos/carp.html?highlight=carp.

I've seen quite some faulty setups over the years, always make sure you test failover using some tcp session to make sure the state sync and nat rules are setup like they should (the switch should be seamless).

About IPsec, we use standard strongswan on FreeBSD. There's one feature which is requested from time to time which is not available on FreeBSD (and thus OPNsense) and that's nat before ipsec.
Devices from different vendors using ipsec, sometimes don't interact very well, but we've seen that with different products (often fixable with configuration).

In case you run into issues, you can always try to seek help here on the forum or turn to commercial support for mission critical applications.

Best regards,

Ad

[whitwye]

Hi Ad,

Appreciate the quick, informative response. Let me clarify that I've used CARP for years with Linux firewalls, where I wrote the config. So I'm less concerned with the theory of it, and more with just what the local implementation is. Am I right to understand that OPNsense has integrated it differently than pfSense does into its failover scheme? My question isn't what CARP is and what it can do, but what the particulars are of the implementation here. I've checked the manual, which gives a good abstract view. It doesn't give the specifics of the internal design used though.

Also, having seen that pfSense has nowhere in its interface to set interfaces explicitly to promiscuous -- which at least in the pfSense context seems from experience to be required for the particular NICs we have here -- where would I be if I run into the same stumbling block with OPNsense? Is there a way for the end user to simply specify promiscuous mode for the NICs?

My question on IPsec was from seeing some long-running threads here about it not working for some people, and references to an underlying FreeBSD bug. In a standard situation -- in our case with a CIsco ASA on the other end in a couple cases, and with whatever-the-heck AWS uses for IPsec in others, it's important to us that we're not too likely to run into such problems. Strongswan on pfSense can connect to the Ciscos, although for some reason it's touchier than Openswan for that. What's the last stable version of OPNsense for IPsec that won't run into the apparent FreeBSD kernel bug that's tripping some people up?

Thanks much,
Whit

[AdSchellevis]

Hi Whit,

Our defaults are different for CARP and the code to manage it is different too, the basic setup options are similar, if that's what you're looking for.
Some of the defaults that are different are:

net.pfsync.carp_demotion_factor (default, see man pages, can set manually), pfSense forces it to 0
net.inet.carp.senderr_demotion_factor (default, see man pages, can set manually), pfSense forces to 0

We did extensive testing (pulling plugs testing sessions, etc) to make sure our setup works smooth when properly configured.

At the office we're just using the latest version with different IPsec tunnels enabled, without any issues, I don't have an ASA connected at the moment.

Like I said, you can install OPNsense quite easily and test out for yourself.

Best regards,

Ad

[whitwye]

Thanks again Ad,

One other question, that could be answered by installing a copy, to be sure, which I'll do if the answer to this is what I hope. The pfSense means of setting up IPsec tunnels with multiple LANs on each side is laborious. As you probably know, it requires a separate screen filled out for each pair of subnets on either side. So if you have 8 subnets on each side, and you want to specify them exactly, you need to fill out and maintain 8x8 (64) screens. The back-end result is the standard *swan ipsec.conf file with leftsubnets={ ... } and rightsubnets={ ... }. That configuration file could have been created from a single-page form. Has OPNsense inherited pfSense's awkward design for IPsec configuration, or does it better support IPsec configurations suitable for complex corporate networks?

Best regards,
Whit