Port OPNsense to Linux?

Started by MrWizard, March 30, 2026, 11:40:27 AM

April 02, 2026, 12:52:37 PM #30 Last Edit: April 02, 2026, 01:10:26 PM by MrWizard
When people ask on places like Reddit and other internet forums for a router setup for people who are in technical groups but not sysadmins and who value FOSS: for the simpler setups up to 1 Gbit, OpenWrt and a compatible access point are often recommended. With 1 Gbit and above, many have separate APs and a router, and here pfSense & OPNsense is what is being recommended. Also the access to cheap 10 Gbit network gear. Perhaps OpenWrt is too cut down? I don't know.
With the loss of trust in general (China, US, W11, US tech monopolies), more are also turning to FOSS solutions in general in Europe, and installing Linux has become both more urgent, but also more accessible due to GUIs like KDE Plasma and better installers.

You can add AI to the W11 port. I'm sure it will be an instant hit. 😄

I understand why it is not feasible to port OPNsense to Linux. Instead, what COULD be done is to invent a new firewall from scratch with Linux underneath, aiming exactly at prosumer users, who want more security or features than what an average consumer router (like a Fritzbox) offers, but with less complexity (at the expense of overwhelming features) than OPNsense.

I would bet that this is a tough spot, though: You do not have businesses as paying customers (like OPNsense and the "other product"), and you do not offer the hardware appliance that can be monetized like AVM's Fritzbox.

Having had a company that tried to reach that market in vain, I know that those prosumers are enthusiastic for features and quality, but less so for paying the effort that goes along with it.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

April 02, 2026, 01:53:25 PM #32 Last Edit: April 02, 2026, 02:05:57 PM by MrWizard
On top of that, Proxmox and similar hypervisors are popular for running various things, including a router and often an ad-removal software/Docker container. They are Linux based and can be set up with a GUI. So that is making inroads on the router, along with the low prices of small computers. For the power users this has been a new thing, and for the low end, it's machines like the Raspberry Pi that can also do it.
 
Personally, I have been looking into this too, as I am a superuser on Windows, and now have planned to transition my machines to Linux, but haven't gotten around to it yet.

@meyergru

Agree, and we are also bad at paying for things, especially if the money has gone to companies like MS. And them costing, say, 200€ for W11 Home with AI & personal-account-required slop.

FOSS is a different beast, and most projects cannot live off the corporate business alone to pay the bills for the non-profit users well. But also, as they gain in momentum, it should become normal to say: just give 10-15-20€ for a year's use and updates.

The main question for me is the future of FreeBSD. I'm fairly sure that Linux is more of a long-term thing.
Additionally, what I read in the other thread about the way FreeBSD is managed does not fill me with confidence.

You could also run a firewall on OpenBSD, I always like to refer to this project:

https://github.com/sonertari/PFFW

That person also maintains the SSLproxy project that can do inline DPI and other fancy stuff.
Hardware:
DEC740

Only that OpenBSD scales even worse for multicore and speeds of 10 G and beyond :-P
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'm really curious to see how the Mono gateway pans out with OPNsense.  If that hardware offload turns out successful, could it be a scalable model to even greater speeds than 10G?
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

April 02, 2026, 03:13:00 PM #37 Last Edit: April 02, 2026, 03:16:11 PM by Monviech (Cedrik)
I saw OPNsense running on VMware with 100 Gig sustained throughput and more at customers (iperf3, multiple threads 100+, stateful, full PF features). I don't know where all the people come from that say it's not scalable.

It is, but not with your puny home N100 hardware et al. It scales with good hardware and good environments.
Hardware:
DEC740

There is also the bigger turn in Europe, as the Schleswig-Holstein administration is transitioning 30.000 desktops to Linux and FOSS. Many will likely choose to use Linux-based routers for smaller offices, as that is what they know and get re-educated in. Unless someone has sold a bunch of OPNsense routers to SH without making it public. Reportedly, they are looking at openSUSE for the desktops.
More will follow. This is a deeper change away from Windows and proprietary software, which is likely to spread.

Not sure what Linux firewall that would be; I don't know of any that is actually on the level of OPNsense.

Also I don't know if the network infrastructure will also be open source.

April 02, 2026, 03:46:57 PM #40 Last Edit: April 02, 2026, 03:53:07 PM by MrWizard
Many could do it like this, where he does it on Debian. It may not be pretty and has no UI, but brute force and SSH can also do the job, and Linux is a known quantity, unlike BSD.

https://www.pieterhollander.nl/post/debian-router/
Me neither. If they are moving to FOSS and Linux, then EU hardware that is not vendor locked, like Mikrotik & OPNsense will also likely be on the wishlist, as it is for me privately, to replace my Chinese network AP-router. No Chinese or Cisco gear for them either, but we will see.

Quote from: Monviech (Cedrik) on April 02, 2026, 03:13:00 PM
It is, but not with your puny home N100 hardware et al.
Size-shaming us now, eh? 😂

Quote from: MrWizard on April 02, 2026, 03:19:08 PM
This is a deeper change away from Windows and proprietary software, which is likely to spread.
I don't know where it's all headed because we have problems at every level and it's very sad that issues of mass surveillance, censorship, and digital sovereignty aren't even the most pressing.  That's just where we techies like to focus.

I've gotten some new perspectives from Nate Hagens' YT channel, but, it's hard to be optimistic...

:'(
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

April 02, 2026, 04:08:21 PM #42 Last Edit: April 02, 2026, 04:14:45 PM by Monviech (Cedrik)
Quote from: OPNenthu on April 02, 2026, 04:00:30 PM
Size-shaming us now, eh? 😂

Less my intention, more saying that the kind of hardware you need to push past sustained 10Gbit/s is immense, even 25Gbit/s (stateful firewall performance) is already quite a challenge for a small company.

If you ever played Factorio, it's the difference between launching your first rocket, to launching it sustained with no breaks.

A small Raspberry Pi or N100 is just not the target audience for this kind of sustained load; you need a big server and switches that can handle it etc... and these are all well beyond homelab or small business budgets.

And in these environments, admins who know the likes of Juniper also know about BSD-like systems (Junos is FreeBSD based, just as an example).
Hardware:
DEC740

Quote from: Monviech (Cedrik) on April 02, 2026, 04:08:21 PM
Quote from: OPNenthu on April 02, 2026, 04:00:30 PM
Size-shaming us now, eh? 😂

Less my intention, more saying that the kind of hardware you need to push past sustained 10Gbit/s is immense, even 25Gbit/s (stateful firewall performance) is already quite a challenge for a small company.

If you ever played Factorio, it's the difference between launching your first rocket, to launching it sustained with no breaks.

A small Raspberry Pi or N100 is just not the target audience for this kind of sustained load; you need a big server and switches that can handle it etc... and these are all well beyond homelab or small business budgets.

And in these environments, admins who know the likes of Juniper also know about BSD-like systems (Junos is FreeBSD based, just as an example).

Having worked in those circles for 15 years, I doubt a Junos admin knows BSD.

Anyway, if we're talking that kind of hardware, Cisco switches are widely used; for routers, of course Cisco, and if you want to go European, probably Nokia. I'm not so sure about firewalls: Fortinet is very popular, and if you want to go European, maybe Sophos?
For switches, I don't see any good options for open source. Nor for routers. Firewalls are a bit better, but beyond OPNsense there's not much either.

So, to summarize, I doubt they'll go FOSS for the networking stuff.

As to the sustained load thing, I don't see any problems with an N100 or something like that; there's many a Cisco router out there that struggles to do 100 Mbit.

I think Netflix also runs customized FreeBSD nodes at the edge, but not for routing/firewalling. IIRC, they cache and serve the content that is most popular in the specific regions where they are deployed, so the most in-demand shows load and stream instantly.

I believe it when people say FreeBSD is capable, and where it isn't, companies make it so.

My point about the Mono gateway was that it seems to be trying to solve a significant bottleneck of software routing using hardware tricks... something that could potentially remove any argument for moving to Linux, at least for the performance aspect.  A hardware-assisted OPNsense could be interesting, especially if it scales.
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI