Transitioning from m0n0wall to OPNsense

[Lee Sharp]

We had a go moving to pfSense a year ago but we dropped it and returned to m0n0 after reading their PHP scripts, it was a horror show, nobody tight on security would ever code that way.

This can be a problem with what I call "kitchen sink" applications, with open plugin architecture.  They focuse on features and not security.  That is why so many people stuck with m0n0wall over the years.  It only tried to do one thing.

It also looked like the pfSense team is in "cash out" mode and is now focused on the $ instead of theirs users, so it is great to hear someone else felt the same about pfSense and decided to do something about it, please promise you guys will never turn arrogant (I am looking at the pfSense team). 

This is another problem I have seen with open source apps over the years.  Someone decided to monetize, and things go downhill fast.  pfSense is just the latest, but Untangle, Nagios, Elastix and FreeNAS also have had similar problems.  So this is a good thing to look at.  Do they have a plan for later?

But lastly, remember that there is no rush.  Your m0n0wall system is still quite stable and will be fine for quite a while.  Also the m0n0wall developers did not all retire with Manuel.  I have been talking with a few of them, and while we are impressed with OPNsense, many of us do not feel it truly addresses the m0n0wall segment.  (Others do, and my join the project)  But take some time and look at the various alternatives.  There is no rush.

Disclaimer:  Yes, I am behind one of the potential alternatives at www.smallwall.org so may be slightly biased.

[franco]

Disclaimer:  Yes, I am behind one of the potential alternatives at www.smallwall.org so may be slightly biased.

We appreciate diversity of opinion. I can see that not all the m0n0wall folks are happy. It may be an impossible feat to bring everybody under a single roof.

[weust]

One can also not expect for the OPNsense people to just alter their course just because the former lead of m0n0wall said he thinks people need to move over here.

[Packet]

Let's just say we are completely arrogant about not being arrogant.

But seriously, what is a project--especially an open source project--without a community to listen to and build upon?

Sure, we have put in a bit of effort to get this project bootstrapped, but now that we've been here for just over 50 days, it really matters that we've had the privilege of a kind user base who is willing to help test and let this project progress beyond what we could have achieved alone. There are endorsements like Manuel's, countless bug reports, feature requests and proactive mentions of the work that we have done all around the web. We have plans for the next year, but they mean nothing in the face of what our community looks like in 6 months or maybe less. We'll have to shift and adapt while maintaining just a couple of core principles: open, easy, fast, secure *and* fun. We believe these values are not exclusive.

All I can say is there is more to learn and grow and hopefully we have shown how we want to do it.


Franco

That is a great attitude to have, keep up the good work, we'll be following OPNsense closely and help out when we can.

We appreciate diversity of opinion. I can see that not all the m0n0wall folks are happy. It may be an impossible feat to bring everybody under a single roof.

OPNsense has many exciting features, but right now, there is a large group of m0n0wall refugees out there looking for a new shelter, so this is like a humanitarian problem, lol.

Perhaps there can be a "OPNsense Lite" approach? A bare minimum version of OPNsense that doesn't do much more than m0n0wall? Many existing m0n0wall users will transit in droves just for the OS/SSL bug patches and new drivers alone (us included).

The problem with pfSense is that, there is always a large group of users who only require the most basic functions, but once they install pfSense and see the 10 menus with 100 options, they think "screw this, I am not going to spend a month to learn and tweak everything and risk breaking something", pfSense ended up trying to be everything for everybody and lost many would-be users.

With a "Lite" version, OPNsense won't suffer the same fate as pfSense, no matter how feature rich OPNsense become in the future, the "Lite" version will keep reminding people that, at its core, OPNsense is still a no-nonsense firewall/router.

Also, once the first step of transition is made, it'll be easy to encourage them to try the more advanced version, for example, in the settings page of the "Lite" version, there can be some advance setting fields that are greyed out, with the text "This feature is available in the Normal/Advance version <URL>" next to it.

[franco]

With a "Lite" version, OPNsense won't suffer the same fate as pfSense, no matter how feature rich OPNsense become in the future, the "Lite" version will keep reminding people that, at its core, OPNsense is still a no-nonsense firewall/router.

Also, once the first step of transition is made, it'll be easy to encourage them to try the more advanced version, for example, in the settings page of the "Lite" version, there can be some advance setting fields that are greyed out, with the text "This feature is available in the Normal/Advance version <URL>" next to it.

I like the idea a lot. We have all build overrides in place in the config folder of our tools.git:

https://github.com/opnsense/tools/tree/master/config/current

This means ports, their options, the source binaries to be installed, the kernel to be built. Even the core/GUI repository could be replaced. However, things start to get rough around the edges. While it is perfectly safe to start with this, the projects will diverge quickly in terms of the core.git. We might be able to stay on track with the tools.git, src.git and ports.git.

So here it seems that there should be a "core-lite.git" or something along with the proper overrides in the tools.git.

Reasons for that are different approaches to GUI and compartmentalisation, we want to use python in the backend--that adds at least 50 MB to the image. We want manual pages, examples and such to be retained and not strip the base system down to something that simply runs for users. For one it does not help development, and OTOH, it prevents users from exploring the inner workings of their systems. These things are pure opinions, please don't hold me against them.

To conclude, you guys could strip down the system, remove features and still ride most of the eco system drive with OPNsense. Maybe there is a better solution mid or longterm, but as far as those things go they tend to diverge rather than converge.

PS: I really like this productive discussion. Thank all of you for your time. (No, the discussion isn't over )

[weust]

Why not build it more modular? Select the features you want on a base system.
Start with a Lite version and just add in what you want.
And if done right, you only see the optional packages in the menu after you activated them from a advanced part of the configuration.

For example, in my case a Lite version with firewall, router, DNS forwarder, DHCP and DynDNS would be enough.
And I think for most home users it will be. (If there are packages that really are needed and I missed them, they should be in too of course)

I don't care about setting up point to point VPN tunnels or DPI, and I doubt most people would who are like me.

[Packet]

I like the idea a lot. We have all build overrides in place in the config folder of our tools.git:

https://github.com/opnsense/tools/tree/master/config/current

This means ports, their options, the source binaries to be installed, the kernel to be built. Even the core/GUI repository could be replaced. However, things start to get rough around the edges. While it is perfectly safe to start with this, the projects will diverge quickly in terms of the core.git. We might be able to stay on track with the tools.git, src.git and ports.git.

So here it seems that there should be a "core-lite.git" or something along with the proper overrides in the tools.git.

Reasons for that are different approaches to GUI and compartmentalisation, we want to use python in the backend--that adds at least 50 MB to the image. We want manual pages, examples and such to be retained and not strip the base system down to something that simply runs for users. For one it does not help development, and OTOH, it prevents users from exploring the inner workings of their systems. These things are pure opinions, please don't hold me against them.

To conclude, you guys could strip down the system, remove features and still ride most of the eco system drive with OPNsense. Maybe there is a better solution mid or longterm, but as far as those things go they tend to diverge rather than converge.

PS: I really like this productive discussion. Thank all of you for your time. (No, the discussion isn't over )

Glad to be helpful.

The more I think about it the more I think "keeping it simple" is more of a psychological thing rather than a data size thing.

Sure some people stick to m0n0wall because they are using very low performance hardware, but the majority of them run m0n0wall on standard hardware, they just don't trust/like Linux and they want a simple interface, less options means less things to learn and go wrong, they don't really care how many components there are under the hood as long as they don't see them.

Large USB sticks/CF/SD cards are cheap these days, so personally I don't mind having a "Lite" version even if it is 2G/3G/4G, I'll be happy as long as I know that the guys behind it are taking a "keep it simple" approach.

From a programmer's point of view, perhaps "Lite" version means ripping most of the guts out of the system, but from a basic user's point of view, sometimes "Lite" version just means having a simple menu, you know, sometimes you just want 15 buttons on your remote instead of 150.

Of course, this is just one man's opinion, I am sure you guys know what you're doing.

[BrianLloyd]

I understand what Lee is saying and I appreciate it. m0n0wall has served me really well in both small business and personal environments for about 10 years now.

But I always wanted something a little more with m0n0wall than I ever quite got. I got the feeling that pfSense might be going in the right direction but it just didn't feel "polished" enough. OPNsense seems like it might be the right vehicle.

The key to serving a wider range is making it modular. OPNsense with modular functionality that you can turn on or off seems like the right answer. Want a bare-bones firewall that will run nicely on a PC-Engines Alix or a Soekris board? Include only the modules you need and use it. Want everything? Throw in the kitchen sink and run a bigger board with more RAM and persistent storage (disk) to hold it all. Having exactly the same code base for both means that you don't spread your development resources quite as thinly. (I think that competing projects that overlap is wasteful. Work together on a common code-base and reap the rewards.)

And WRT hardware, well, hardware doesn't last forever. If you have hardware that has served you for 10 years, you have gotten one hell of a good run out of it. There is no shame in retiring it and moving up. The new PC Engine APU board costs the same as the Alix board and Soekris boards before them. It has a LOT more memory and processing power for that price. It feels OK to me to say, "Time to retire that hardware and move up." After all, you could afford that price point for hardware before. We are not talking about a hardware price going up (unless one goes with a PC mobo).

In the mean time, my home router/firewall just happens to be a PC mobo (Celeron-based) with 512MB RAM and a 4GB CF for booting. I plan to pull out and save the m0n0wall CF and try the i386 version of OPNsense. I can plug in a graphics card and keyboard and load from a USB flashdrive. If it works and I can duplicate my m0n0wall functionality, I have made the initial transition. If not, I just plug the CF with m0n0wall on it back in and I am back up-and-running with m0n0wall. If I *can* make the transition, I will probably get a PC-engines APU board to try to make an OPNsense router/firewall "appliance" and retire my old Celeron-based box. I'm hoping that Franco, et al, will make a bootable version of OPNsense available to facilitate that process.

I'll let you know what happens.

[franco]

I think I'm slowly understanding what is being yearned for.

So we just happen to pull in a proxy and IPS into the base install, but, OTOH, rebuild a clean plugin system to make it possible to bring back "packages". That's all pretty neat, but....

One particular case of interest is PPTP, which a lot of people said it should be killed. While that may be true, it is still the base of internet connectivity for whole countries, so killing it is out of the question.

Instead, how about making a plugin of that so everyone is happy? Splitting off base functionality and wrapping it up so that if we split off enough of those pieces we'll end up with the proposed lite version and simply need to make sure the lite version addresses at least all of the SOHO needs.

Is this what you guys suggest we should do? To be frank, I find that approach very appealing after giving it the benefit of the doubt.

[Packet]

I think I'm slowly understanding what is being yearned for.

So we just happen to pull in a proxy and IPS into the base install, but, OTOH, rebuild a clean plugin system to make it possible to bring back "packages". That's all pretty neat, but....

One particular case of interest is PPTP, which a lot of people said it should be killed. While that may be true, it is still the base of internet connectivity for whole countries, so killing it is out of the question.

Instead, how about making a plugin of that so everyone is happy? Splitting off base functionality and wrapping it up so that if we split off enough of those pieces we'll end up with the proposed lite version and simply need to make sure the lite version addresses at least all of the SOHO needs.

Is this what you guys suggest we should do? To be frank, I find that approach very appealing after giving it the benefit of the doubt.

Yup, that is it.

pfSense got it wrong by having way too much stuff on their base install, when basic users use it and see the huge menu, they keep thinking "What the hell is that doing here? And what is this? I don't need this, it probably has a wrong default setting and has bugs or something", pfSense looks like a bunch of crap duct taped together, the messy design makes security conscious users feel uneasy.

Seeing only exactly what you need = trust = loyalty, that is how m0n0wall built its cult.

If OPNsense can pull that off, plus the bonus of the newest drivers and OS security updates that m0n0wall lacks, plus a plugin system for edge use cases, it'll be unbeatable (and guarantees a smooth transition from m0n0wall to OPNsense).

[Lee Sharp]

Disclaimer:  Yes, I am behind one of the potential alternatives at www.smallwall.org so may be slightly biased.

We appreciate diversity of opinion. I can see that not all the m0n0wall folks are happy. It may be an impossible feat to bring everybody under a single roof.

Oh yes!

On the other hand, why should everyone be under one roof?  Can you imagine if there was only one type of house for everyone?  (And how ugly that designed by comity thing would look?)   Sometimes you need different houses, but that is no reason they can not be good neighbours.  I think if you try and serve both the small and the full featured, you may have more trouble then you think.  When the classic "ram is cheap" runs up against ram soldered on the motherboard, for example.   But with two houses that often work together (as pfSense and m0n0wall were in the early years) both projects benefit quite a bit.

But as several others have posted, simple can be good either way.  When there are too many choices, it is overwhelming.  For an example, compare the traffic shaper in m0n0wall to the one in pfSense.  Having a light install can only help.  In m0n0wall we actually had several features that could not be found in the GUI on purpose.  By the time you needed them, you had learned enough to be ready for them.

[bchociej]

I will open by saying that I think the possibility of having a slim embeddable installation of OPNSense is very important especially to transitioning m0n0wall users and I would love to see it! Perhaps a poll of desired hardware configurations and features is in order?

For now I am in the "virtualized" category so I have no trouble running with a relatively large amount of disk, RAM, and CPU. The biggest "feature" outside of basic firewall functionality for me is a rock solid OpenVPN client, as I use it for work everyday, currently with pfsense.

Cheers to the lively discussion here. I am so glad to see an organization picking up the m0n0wall/pfsense project in a responsible, open way!

[Lee Sharp]

Cheers to the lively discussion here. I am so glad to see an organization picking up the m0n0wall/pfsense project in a responsible, open way!

Keep in mind that OPNsense is not the only option.  There is still pfSense, and www.smallwall.org is aiming to just continue where m0n0wall left off with minor changes.  (And a beta was just released with l2tp support)  There is also one other I am aware of that has not been officially announced, but is allong the same lines as SmallWall.

And choice is good.  If a tad overwhelming when you first open a new GUI.

[Jason Stewart]

Probably too late to this conversation, but the great thing about M0n0wall's smallness wasn't that it would run on hardware X, or that it would run with only Y gigs of RAM, or that the menus were less threatening.   It was that M0n0wall's minimalist approach met most needs--basic and advanced--while maintaining a minimal attack surface.  Less attack surface == more sleep == fewer heart attacks.  The memory and CPU savings were just gravy.

From the specs, OPNsense looks more like a full-blown BSD distro than a network appliance.  If the rest of FreeBSD is coming along for the ride anyway, why even roll a new distro?  Why not just make it an optional package inside FreeBSD?

I am really curious as to how Manuel sees OPNsense as a replacement for M0n0wall???

[jstrebel]

Don't get me wrong, I like the development of OPNsense.
Just to mention, the spirit of Manuel continues also in the m0n0wall fork of Andy White. Tiniwall follows the idea of low resources embedded boards like PC engines WRAP.
http://t1n1wall.com
Jakob