Transitioning from m0n0wall to OPNsense

[chol]

OPNsense has many exciting features, but right now, there is a large group of m0n0wall refugees out there looking for a new shelter, so this is like a humanitarian problem, lol.

Lol, like that!

Perhaps there can be a "OPNsense Lite" approach? A bare minimum version of OPNsense that doesn't do much more than m0n0wall? Many existing m0n0wall users will transit in droves just for the OS/SSL bug patches and new drivers alone (us included).

Franco mentioned something like stripping down the base install of OPNsense by selectable packet, i.e. option out big-BIND (for a smaller) or Squid-proxy or WiFi+Captive portal blob, if I am not mistaken.

The problem with pfSense is that, there is always a large group of users who only require the most basic functions, but once they install pfSense and see the 10 menus with 100 options, they think "screw this, I am not going to spend a month to learn and tweak everything and risk breaking something", pfSense ended up trying to be everything for everybody and lost many would-be users.

Exactly, plus the GUI is crowded and deep. It will need huge man-years only to explain all the basic firewall configurations over and over via forum, mailing-list to the normal users...
Our project's developers recently did add toggle switches for advanced/basic options to the GUI, which shows the right way in which OPNsense will go in the future.

With a "Lite" version, OPNsense won't suffer the same fate as pfSense, no matter how feature rich OPNsense become in the future, the "Lite" version will keep reminding people that, at its core, OPNsense is still a no-nonsense firewall/router.

Exactly!! And, again, if I am not mistaken, the developers showed understanding and awareness of this, so I see forward to it - it should show up in the future. It is a question of time, number of developers and community strength.

[chol]

Your m0n0wall system is still quite stable and will be fine for quite a while.  Also the m0n0wall developers did not all retire with Manuel.  I have been talking with a few of them, and while we are impressed with OPNsense, many of us do not feel it truly addresses the m0n0wall segment.  (Others do, and my join the project)

As I see it, to push the remaining m0n0wall code-base to FreeBSD10.1 or later to 11 would be a huge block of work and the conclusion was, that time is running fast, very fast away from the m0nowall/FreeBSD-8 base, while the alignment to stable, peer reviewed & secureFreeBSD10 base is done here with the developers of OPNsense anyway, which is backed by industry and a potential huge user base.

Because I can add drivers for one platform in one day.  Doing an entire basis takes a lot more.   However, you are right in that we need to stay current.  It adds ALL the drivers for nics, video, and more...

I was just saying we might be able to fix your problem sooner than you think.

Yes! Make it so! Maybe use the OPNsense base?

Plus, there are new drivers for new hardware, many new WiFi drivers and (more secure) WLAN support in FreeBSD, but also only in the new distributions.

Security also goes up with FreeBSD 10 or 11 .

Idea: merge development power and establish a light NanoBSD version out of OPNsense, that would fit the legacy m0n0wall user-base with their reliable older or smaller hardware and have it all more secure and up to date!

At least I feel the need for a rush to develop, test install a new firewall, like Manuel advised!

[chol]

With a "Lite" version, OPNsense won't suffer the same fate as pfSense, no matter how feature rich OPNsense become in the future, the "Lite" version will keep reminding people that, at its core, OPNsense is still a no-nonsense firewall/router.

Also, once the first step of transition is made, it'll be easy to encourage them to try the more advanced version, for example, in the settings page of the "Lite" version, there can be some advance setting fields that are greyed out, with the text "This feature is available in the Normal/Advance version <URL>" next to it.

I like the idea a lot. We have all build overrides in place in the config folder of our tools.git:

https://github.com/opnsense/tools/tree/master/config/current

This means ports, their options, the source binaries to be installed, the kernel to be built. Even the core/GUI repository could be replaced. However, things start to get rough around the edges. While it is perfectly safe to start with this, the projects will diverge quickly in terms of the core.git. We might be able to stay on track with the tools.git, src.git and ports.git.

So here it seems that there should be a "core-lite.git" or something along with the proper overrides in the tools.git.

I have seen a web-based build config tool with OpenWRT router images some years ago. I did configure my router build online via web-interface, specifying platform, radio drvers, code-base (stable, snapshot..) and got it build with a remote serve. I got an email notifiv=cation if the image was build with or without errors and a download link.
I do not know the downsides of this, but jused it to just build my images and testing stuff for the small plastic WRT type routers/firewalls, then.

May this be an idea for exactly tailored embedded / NaonBSD images of OPNsense in the future?

To conclude, you guys could strip down the system, remove features and still ride most of the eco system drive with OPNsense. Maybe there is a better solution mid or longterm, but as far as those things go they tend to diverge rather than converge.

PS: I really like this productive discussion. Thank all of you for your time. (No, the discussion isn't over )

Yes, exactly my idea/thinking. So, in my oppinion, with all due respect, it would be fantastic if all the legacy m0nowall developers would join our alingnment with stable FreeBSD 10 code!

Also, this would mean more fun in development, for it is always nicer and more inspiring, if people work together, create, envision, merge, just make things happen in a group of like-minded people! And, eventually, meet from time to time.

The potential is there, for my gut feeling is that pfSense shows signs to head for big iron/$ and enterprise and the m0nowall code-base is fading out, unfortunately, again with all due respect. And there is no shame in leting established senior codes retire in dignity and go on with new and more exciting streams. This is how things go, one would say.

 

[franco]

Probably too late to this conversation, but the great thing about M0n0wall's smallness wasn't that it would run on hardware X, or that it would run with only Y gigs of RAM, or that the menus were less threatening.   It was that M0n0wall's minimalist approach met most needs--basic and advanced--while maintaining a minimal attack surface.  Less attack surface == more sleep == fewer heart attacks.  The memory and CPU savings were just gravy.

That's one of the key aspects of the work we have been doing, stripping code and software where we can, exchanging older solutions for newer ones, rewriting subsystems for easier access and maintenance, removing over 40 custom patches from the project because we do not trust them and ourselves, the FreeBSD devs have a far better grasp on those things.  If something gets in the way and needs customisation, we're most likely not thinking hard enough.

From the specs, OPNsense looks more like a full-blown BSD distro than a network appliance.  If the rest of FreeBSD is coming along for the ride anyway, why even roll a new distro?  Why not just make it an optional package inside FreeBSD?

That's the ultimate goal. The road, however, is long and winding. Writing such a package from scratch takes a few years, so why not fork good work and realign accordingly? A lot of bitrot prevented us from making that FreeBSD package in the first place. That's normal when the project's goal doesn't change, but with OPNsense it did. Making a package in FreeBSD requires support for pkgng, which we introduced in January with our first release ever. You see, the questions you have align with the work that we've already done, but there is more to be done to reach that goal. It takes time and won't happen overnight. Maybe in time for 16.1.

I am really curious as to how Manuel sees OPNsense as a replacement for M0n0wall???

You'll have to ask him or read again how he talks about the open source spirit and the future of embedded systems. If it's not what you desire, t1n1wall or smallwall are worth checking out.