Port OPNsense to Linux?

Started by MrWizard, March 30, 2026, 11:40:27 AM

Quote from: meyergru on April 02, 2026, 01:21:44 PMWhat COULD be done is to invent a new firewall from scratch with Linux underneath, aiming exactly at prosumer users, who want more security or features than what an average consumer router (like a Fritzbox) offers, but with less complexity (at the expense of overwhelming features) than OpnSense.
There is soo much already out there so what do you need exactly that they can not offer ?!

IPTables/NFTables/UFW/etc...

QuoteAVM's Fritzbox
I hate those things! :(

I know ISPs in Germany have flooded the country with them and some Dutch ISPs use them too, but still : Can we please get rid of those things ?!?!

Quote from: OPNenthu on April 02, 2026, 04:00:30 PM
Quote from: Monviech (Cedrik) on April 02, 2026, 03:13:00 PMIt is, but not with your puny home N100 hardware et al.
Size-shaming us now, eh? 😂
IKR ?! LOL! ^_^

Quote
Quote from: MrWizard on April 02, 2026, 03:19:08 PMThis is a deeper change away from Windows and propriety software, which is likely to spread.
I don't know where it's all headed because we have problems at every level and it's very sad that issues of mass surveillance, censorship, and digital sovereignty aren't even the most pressing. That's just where we techies like to focus.
Your main problem is TCPA/Palladium but since everyone has discovered that at least 20 years too late after the release of Windows 11 there is a very low chance that we can go back to a world where things like TPM chips and DRM do not exist anymore... :'(

Quote from: Monviech (Cedrik) on April 02, 2026, 04:08:21 PMAnd in these environments, admins who know the likes of Juniper, also know about BSD like systems (Junos is FreeBSD based, just as an example).
Sorry to disappoint you, but my experience agrees with his :
Quote from: bimbar on April 02, 2026, 04:27:01 PMHaving worked in those circles for 15 years, I doubt a junos admin knows BSD.
I had to save a customer's life basically after he had been awake for 3 days and totally stressed because his racks lost connection and his Juniper/HP/CISCO Switches were no longer talking to one another...

Fixed it in like one hour and could have done it even faster if his CISCO Switch wasn't a glorified LinkSys model with a horribly slow webGUI :P

Suddenly I was his favorite contact at the hosting company... I wonder why ?! LOL !!!

QuoteSo, to summarize, I doubt they'll go FOSS for the networking stuff.
There is Jolla SailFish for phones :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Today at 09:39:05 AM #46 Last Edit: Today at 03:45:50 PM by meyergru
Quote from: nero355 on April 02, 2026, 05:15:44 PMThere is soo much already out there so what do you need exactly that they can not offer ?!

They could offer a decent UI with more limited features, but aimed at what most clueless people who come in here think a firewall should do. There are countless examples of voicing that, the last of which was this one.

That is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.

It is very hard to down-size an existing appliance like OpnSense that has grown over the years and adapted many tools and plugins. The decline of FreeBSD poses a chance to start from scratch, with a specific clientele in mind.

What the Fritzbox does is better in the direction of simplicity, but worse in the way of flexibility, e.g. you cannot have DNS aliases, making the use of name-based reverse proxies or having several services on one IP very difficult. Also, it lacks something like Adguard Home or Pi-Hole.

While IPfire and other Linux-based firewalls may have the correct feature-set, they suck even more on the "complexity" side for such users than OpnSense.

P.S.: To be clear: I like OpnSense for what it is. But, as I often said, it is not suited for the average Joe who does want "a little bit more" than what consumer routers offer. There are more of those these days with IoT and homelabbing. Such users just want the benefits, but are unable or unwilling to grasp the underlying concepts and need a stringent UI, which OpnSense does not offer.

So, this is a growing market that is neither met by Fritzboxes, IPfire, OpenWRT, nor by OpnSense and all the others. Yet, I think that despite there being a lot of people who would love to have it, they are also the same people who do not want to pay for that luxury.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

Today at 02:26:44 PM #47 Last Edit: Today at 02:40:37 PM by drosophila
Quote from: nero355 on April 02, 2026, 05:15:44 PM
QuoteAVM's Fritzbox
I hate those things! :(

I know ISPs in Germany have flooded the country with them and some Dutch ISPs use them too, but still : Can we please get rid of those things ?!?!
What's so bad about these boxes? In comparison to the other ISP-provided devices, they are among the most flexible, most configurable and generally most "prosumer" I've seen. Of course they're not OpenWRT and not close to OPNsense but that's not what they're meant to be, and they're good at what they do; update support is also better than most ISP-provided boxes. However, the flexibility is also being dumbed-down in the name of "Clean UI and pleasant user experience", making simple tasks unnecessarily complicated (like the removal of the "disable WLAN" option, which now you can only do by disabling every transmit band individually, and you can't disable ISDN/S0 at all), so now you need a FAQ for what used to be self-explanatory. Also, I think at some point in the past they had firewall logs that seem to have vanished, or are hidden extremely well. But what annoys me most about FritzOS is that they'll forward you to some AVM site from within their UI without so much as notifying you. This is, to me, a security hazard; the UI of an appliance must be entirely self-contained without external links unless these are explicitly declared.
OK, the OS is AFAIK not FOSS so you can't mod it like you could with at least some Telekom-provided boxes; the last I know is that AVM cracked down on the modding scene by restricting their lab versions somehow.

Quote from: drosophila on Today at 02:26:44 PMWhat's so bad about these boxes?
Well, this =>
QuoteHowever, the flexibility is also being dumbed-down in the name of "Clean UI and pleasant user experience"
Even their "Expert Mode" is not advanced enough...
I have seen many of them in combination with xDSL subscriptions and each time I got home again I gave my little DrayTek xDSL Modem/Router a little hug for being soo much better for the same price! ;)

QuoteBut what annoys me most about FritzOS is that they'll forward you to some AVM site from within their UI without so much as notifying you. This is, to me, a security hazard, the UI of an appliance must be entirely self-contained without external links unless these are explicitly declared.
Microsoft started doing that too since Windows 8.x or 10 and it's seriously annoying when the GUI becomes a minefield you have to carefully approach... W-T-F...?!?!

Quote from: meyergru on Today at 09:39:05 AMThey could offer a decent UI with more limited features, but aimed at what most clueless people who come in here think a firewall should do. There are countless examples of voicing that, the last of which was this one.
My German is not that great, but I know what you mean and for that there is no other option than OpenWRT/DD-WRT/Tomato and other alternative firmwares.

I do have to admit that I have seen an example of "WRT based firmware" where the Firewall webpage was basically a direct view into the IPTables config file... oops! LOL!

QuoteThat is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.
But then again when you go completely "DIY Router" by building it from scratch you probably also know what you need and how you are going to do it ?!

QuoteIt is very hard to down-size an existing appliance like OpnSense that has grown over the years and adapted many tools and plugins.
Like mentioned above : If you want something a bit more advanced for a more or less regular price then DrayTek Routers are IMHO the way to go :)

I suggested one for a friend for his small restaurant on his farm and one day he told me : "I am so happy that limiting the bandwidth of the Guest VLAN is just a couple of clicks now!"
So even a more or less beginner user can do this kind of stuff!

QuoteWhat the Fritzbox does is better in the direction of simplicity, but worse in the way of flexibility, e.g. you cannot have DNS aliases, making the use of name-based reverse proxies or having several services on one IP very difficult. Also, it lacks something like Adguard Home or Pi-Hole.
If they cut their prices in half it would not be an issue at all, but they ask a lot of money for devices that are pretty basic overall !!

QuoteWhile IPfire and other Linux-based firewalls may have the correct feature-set, they suck even more on the "complexity" side for such users than OpnSense.
To be honest IPFire somehow has never gotten my attention and I am still not convinced enough to even try it in a VM or test somehow anyway...
Basically this : https://forum.opnsense.org/index.php?topic=50857.msg260055#msg260055
But for all of their stuff ;)

QuoteP.S.: To be clear: I like OpnSense for what it is. But, as I often said, it is not suited for the average Joe who does want "a little bit more" than what consumer routers offer.
Such users just want the benefits, but are unable or unwilling to grasp the underlying concepts and need a stringent UI, which OpnSense does not offer.

So, this is a growing market that is neither met by Fritzboxes, IPfire, OpenWRT, OpnSense and all the others. Yet, I think that despite there being a lot of people who would love to have it, they are also the same people who do not want to pay for that luxury.
The friend I was talking about used to have some old pfSense Appliance and the new DrayTek was pretty expensive because it needed to handle his 1 Gbps Fiber connection (at the time there wasn't much that could do it so easily!), so it's all a matter of who you are and what you need at a certain moment I guess...

Quote from: meyergru on Today at 09:39:05 AM[...]That is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.[...]

But the alternative is...? There is the flexibility angle, but more so, perhaps, is that if you have three legs and stand on three separate rugs, having one pulled out from under you hurts a bit less. Resource commitment vs. risk - a tough choice.

Today at 06:19:47 PM #50 Last Edit: Today at 06:31:00 PM by meyergru
I was merely talking about what design goals and expectations would be against something like this. When you omit flexibility and do that in a consolidated way instead of configuring any single specific service, you can do that.

Like: model the data, the relations between them, make that editable from the UI and then generate the split configurations for all needed services (of which there exists only the respective one you need to fulfill the needs of your model). All of those services can be hidden behind the surface, because the user does not need to know which exactly is being used.

An example: Someone coming into the forum and asking: "I heard that ISC DHCP is EOL - there is Kea or DNSmasq, which should I choose?" is a pointless discussion. The very fact of which DHCP service is in use under the blanket could be hidden and is only to be determined by the developers. The users only need to fill in MACs and IPs in case of reservations - which service is being used to actually do the job should not be relevant to them.
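The "model the data, then generate the per-service configs" idea sketched in the post above, as an added example that is not code from the thread or from OPNsense: one host model (name, MAC, IP) is validated for conflicts once, then rendered into dnsmasq DHCP reservations and Unbound static A/PTR records. The hosts, the `home.arpa` domain and the subnet are constructed sample values; the two output formats are the ones I know those daemons accept.

```python
"""One host model -> generated DHCP and DNS config (added example, not project code)."""
from dataclasses import dataclass
import ipaddress
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

@dataclass(frozen=True)
class Host:
    name: str   # short DNS label, e.g. "nas"
    mac: str    # lower-case, colon-separated MAC address
    ip: str     # IPv4 address to reserve for that MAC

def validate(hosts, subnet):
    """Reject a model that would yield conflicting DHCP or DNS entries."""
    net = ipaddress.ip_network(subnet)
    seen_mac, seen_ip, seen_name = set(), set(), set()
    for h in hosts:
        if not _MAC_RE.match(h.mac):
            raise ValueError(f"bad MAC for {h.name}: {h.mac}")
        if ipaddress.ip_address(h.ip) not in net:
            raise ValueError(f"{h.name}: {h.ip} is not inside {subnet}")
        if h.mac in seen_mac or h.ip in seen_ip or h.name in seen_name:
            raise ValueError(f"duplicate MAC, IP or name at {h.name}")
        seen_mac.add(h.mac); seen_ip.add(h.ip); seen_name.add(h.name)
    return True

def dnsmasq_dhcp(hosts):
    # dnsmasq static lease syntax: dhcp-host=<mac>,<ip>,<hostname>
    return [f"dhcp-host={h.mac},{h.ip},{h.name}" for h in hosts]

def unbound_local(hosts, domain):
    # Unbound static forward and reverse records, so the name resolves
    # whether or not the client currently holds a lease.
    out = []
    for h in hosts:
        fqdn = f"{h.name}.{domain}."
        out.append(f'local-data: "{fqdn} A {h.ip}"')
        out.append(f'local-data-ptr: "{h.ip} {fqdn}"')
    return out

# Constructed sample model; these are not real devices.
HOSTS = [Host("nas", "aa:bb:cc:dd:ee:01", "192.168.10.10"),
         Host("printer", "aa:bb:cc:dd:ee:02", "192.168.10.11")]

def render(hosts=HOSTS, domain="home.arpa", subnet="192.168.10.0/24"):
    validate(hosts, subnet)
    return {"dnsmasq.conf": dnsmasq_dhcp(hosts),
            "unbound.conf": unbound_local(hosts, domain)}

if __name__ == "__main__":
    for fname, lines in render().items():
        print(f"# {fname}")
        print("\n".join(lines))
```

Swapping dnsmasq for Kea, or Unbound for another resolver, only means adding another renderer over the same validated model; the user never edits two service configs by hand.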

Quote from: meyergru on Today at 06:19:47 PM[...]Like: model the data, the relations between them, make that editable from the UI and then generate the split configurations for all needed services (of which there exists only the respective one you need to fulfill the needs of your model). All of those services can be hidden behind the surface, because the user does not need to know which exactly is being used.[...]

An abstraction layer, exchanging implementation-specific features for uniformity. Naturally. It's an option.