OPNsense initial thoughts

[networkguy]

I just wanted to comment on OPNsense from the perspective of a recent PFsense user. In my initial search looking for a firewall I tested various firewalls; untangled, sophos/astro, and clearOS to name a few. I found PFsense to be the best by far that reached all of my needs. I use PFsense in a home environment that basically was used for monitoring and limiting internet usage, vpn service, traffic shaping (when my internet pipe was smaller) and providing reliable network access and security for my family. I recently started trying to fine tune my IDS within PFsense and was deciding between suricata and snort when I ran across some references for OPNsense forking from PFsense. It has been a while sense I messed around with another firewall distribution and sense this was based off the firewall I was already used to I thought it was worth investigating.

From 2 weeks of use with OPNsense I have to say this firewall looks great. It still has a lot of the PFsense feel to it but the GUI/Layout is improved greatly. OPNsense appears to take the approach to provide all the core functions that PFsense did but decide which is the best package to facilitate that need, make it the standard and direct its focus to maintaining those dedicated packages. This removes some choices/options for the firewall admin but I think it provides a more reliable/stable firewall. I currently run OPNsense on not the most ideal hardware but I have noticed the it appears to be using less ram than what PFsense used. I still have yet to configure surricata so i know that will be a good size hit on ram. I also really like that netflow visibility is built in to the gui but ntopng did provide more visibility.

I am still in the early stages of OPNsense so there may be some things I have missed but below are the items I think would be great to get included in OPNsense.
* Historical monitoring for individual client use - such as bandwidthd.
    * would be really cool if insight could map an ip to dhcp reservation and list traffic usage per user along with source/destination
* Squid reports, such as sarg or light squid
    * I haven’t messed with the proxy much and this may be available and I just need to configure it but for the purposes of web filtering it would be nice to be able to do a splice all on squid so you can block a destination without having to intercept SSL traffic
* Its early and I dont know if i prefer the way historical bandwidth usage is displayed under health versus the graphs in PFsense

I mainly just wanted to post to tell the developers and community I think you guys are doing a great job.

[franco]

Hi there,

Thank you for talking the time to give this lovely kind of feedback and of course welcome.

As these threads tend to get buried really quick it looks like this took a long time to respond in full. My apologies. Here we go with a bit of historical context and trivia...

From 2 weeks of use with OPNsense I have to say this firewall looks great. It still has a lot of the PFsense feel to it but the GUI/Layout is improved greatly. OPNsense appears to take the approach to provide all the core functions that PFsense did but decide which is the best package to facilitate that need, make it the standard and direct its focus to maintaining those dedicated packages. This removes some choices/options for the firewall admin but I think it provides a more reliable/stable firewall. I currently run OPNsense on not the most ideal hardware but I have noticed the it appears to be using less ram than what PFsense used. I still have yet to configure surricata so i know that will be a good size hit on ram. I also really like that netflow visibility is built in to the gui but ntopng did provide more visibility.

That is mostly true, although not entirely intentional. The time was spent to generally highlight the individual service integration, remove side effects between them and get rid of unmaintained, deprecated or non-future-proof functionality. Some of this functionality ended up in the plugins to provide a mid-term migration plan. The menu has changed more drastically to reflect a commercial look and feel, but at its core it is what was there always. pfSense has been such a thoroughly enjoyable project and why should that core idea be changed.

For web proxy and intrusion detection the packages approach was abandoned when we didn't have packages so they ended up as core features, the first to be written in MVC with API and all. They are heavy components, but helped shape the core much more than if they were left out or added much later when the plugins became available one by one starting in 2016. Today, even former static core components like IPsec, OpenVPN, Unbound and Dnsmasq are pluggable, but remain without an API.

Ntop is better for sure. We have some backwards glue that is my doing that prevents us from building a recent ntop version because of a stale rrdtool dependency. I'll bump the priority of this and hopefully 2018 will have more in that regard within the plugin scope, too. The only pity is we can't use ntop to do shaping and policing based on applications. That would be a killer feature.

* Historical monitoring for individual client use - such as bandwidthd.

I agree the report-generating functionality of insight could be better, either by grouped accounting and weekly, monthly usage. Right now it's only a "basic advanced" search and export plus a general history context view.

* would be really cool if insight could map an ip to dhcp reservation and list traffic usage per user along with source/destination

The API is in place now to do reverse DNS lookups with 18.1. The DHCP registrations are automatically pulled in only when the firewall is allowed to resolve via Dnsmasq or Unbound (System: Settings: General). What is missing is the resolving in the text view, but there is a ticket for this already.

* Squid reports, such as sarg or light squid

I agree, though definitely plugin territory. We've had the packages for sarg and lightsquid for a long time now, but nobody has risen to the challenge yet to build the GUI.

* I haven’t messed with the proxy much and this may be available and I just need to configure it but for the purposes of web filtering it would be nice to be able to do a splice all on squid so you can block a destination without having to intercept SSL traffic

That works. One last fix that we recently did was to be able to do nobump via common name.

* Its early and I dont know if i prefer the way historical bandwidth usage is displayed under health versus the graphs in PFsense

Which graphs to you mean? The RRD frontends for both? Or comparing different subsystem's visualisation? Either way, very interested in specifics.

Again, thank you for this valuable feedback!


Cheers,
Franco

[networkguy]

Which graphs to you mean? The RRD frontends for both? Or comparing different subsystem's visualisation? Either way, very interested in specifics.

I thought the traffic graph under health was showing incorrect values but then realized it is displayed in bytes instead of bits. I have searched but I dont see an option to change this. The graph itself is more visually pleasing than the standard RRD graphs in PFsense. I like how you can fine tune the area by moving the window below the main graph. Maybe its there and I just cant locate it but is there a way to configure the default behavior. I would love to be able to set the health graph to default to traffic and my lan interface. As well as change the unit from Bytes to Bits. Also, although the window is nice it would be nice to be able to enter a start and stop time to display on the graph.

Just my thoughts.