this post was submitted on 15 Nov 2023

Homelab


So I've been using OPNsense for a few years. I have an extensive config including vlans, plugins, policies, suricata, VPN, routes, gateways, HAProxy, etc.

Over the past few months, I've noticed certain bugs, weirdness, and slowness within OPNsense. I recently watched Tom Lawrence's video on the licensing changes and he touched on the openssl vulnerability that OPNsense has yet to remediate.

The Plus license cost (per year), which entitles you to some limited support options, is also appealing. Every time I get stuck figuring out something complex in OPNsense, I have to hope someone else has tried to do the same thing and posted about it so I can troubleshoot.

I also don't like having to constantly update. A more "stable"/enterprise focused cycle like pfSense has seems like my pace. It broke on me last year with one of the upgrades and I had to clean install.

Don't get me wrong, I love the UI (mostly), plugins, etc. in OPNsense, but these past few months have got me thinking.

I've also heard that people don't like Netgate as a company, so that could definitely factor into not switching.

What are everyone's thoughts?

top 35 comments
[–] ajpri@alien.top 1 points 11 months ago (1 children)

I've been using pfSense CE for 4 years now. I’ve thought about it a couple times, but I have a few reasons I’m staying on pfSense:

  1. No config migration tool. Yea, I could spend an afternoon redoing my config. But it’s not really worth it imo.
  2. It’s been rock solid for the last few years.
  3. BSD has finally been updated! Allowing drivers and whatnot.
  4. I believe Netgate to be a good contributor for BSD. They’ve added many drivers. Such as the i225/226. Yea, it takes a while.
  5. The changes are aggravating, but I’m still running CE. The only feature I feel I’m missing is the boot environments support.
[–] 6nairod@alien.top 1 points 11 months ago

For the first point, I believe that not long ago I've seen here that someone made a website where you upload your config file (or something like that) and it generates a config file for opnsense. I don't have the link to that post, but I guess you could manage to find it

[–] CanadianButthole@alien.top 1 points 11 months ago (1 children)

Yes

Edit: pfSense shill bots in the comments? Something is super sus here

[–] praetorthesysadmin@alien.top 1 points 11 months ago

Most of the comments are just shitting on OPNsense, without even giving a valid reason why they don't use it or they moved away from it.

Very sus indeed.

[–] nuked24@alien.top 1 points 11 months ago

I went from pfsense to opnsense about a year ago after an attempted settings change completely broke my pfsense install (again). I've been debating going back because I cannot get load balancing to work on opnsense, no matter what I do. Currently it's just using a single gateway, and if that goes down then everyone is SOL until it comes back up or I manually switch it.

[–] Own_Career_7388@alien.top 1 points 11 months ago

pfSense is what happens when you take OPNsense and put a chick in it and make her gay and lame. Always go with open source.

[–] djgizmo@alien.top 1 points 11 months ago

Running suricata and HAProxy will be the cause of your slowness / weirdness.

[–] techw1z@alien.top 1 points 11 months ago

yes. netgate is evil and less reliable than opnsense if you make use of fancy stuff

[–] diffraa@alien.top 1 points 11 months ago

opnsense seems to be made by people who don't hate me, so I use that.

[–] barndoor101@alien.top 1 points 11 months ago
[–] Frozen_Gecko@alien.top 1 points 11 months ago

I actually switched from pfsense to opnsense last week. The licensing debacle and the stand Netgate took against the community was enough for me to switch. It took a bit of time getting used to the UI, but I'm starting to enjoy using opnsense more than pfsense. First thing that made me happy was the automatic backups to nextcloud haha

[–] DellR610@alien.top 1 points 11 months ago

If you have a home lab, offshore what you can from your firewall. The less it does the more secure it is. Once you've watered it down to maybe DHCP and suricata then there's almost no difference in pfsense and opn.

[–] veehexx@alien.top 1 points 11 months ago

Used both, from pf to opn maybe 15 months ago. Never had issues with either but I've had issues with how pf is managed and just seems to get another reason to dislike every so often.

Depends on your issues but go raise a bug report with opn. If opn started to cause me issues then I'd be more likely to go to openwrt I think, rather than pf.

[–] ______-_-_________@alien.top 1 points 11 months ago (1 children)

I use pfsense CE. I am a bit worried that Netgate will be less interested in maintaining the community edition now, but it just works. I don't need a lot of bells and whistles. So I'm staying put until I see a decent reason to switch.

[–] djgizmo@alien.top 1 points 11 months ago

IMO, no. I don’t use pfsense on a daily basis (MikroTik FTW), but netgate will use CE as a testing ground. They’ll keep putting out updates; but advanced functionality will be paywalled.

[–] Godort@lemm.ee 1 points 11 months ago

OPNsense is far more willing to add "experimental" features and as a result you get a firewall that has more features out of the box, but is less stable.

pfSense is very slow to add new functionality, but the platform is rock solid as a result.

It all comes down to what you want. Do you want to play around with an appliance that has all the knobs, but also some eccentricities, or do you want an appliance that may not have bleeding edge features, but is far less prone to error.

[–] AdderallBuyersClub2@alien.top 1 points 11 months ago

Do it. OPNsense is starting to not make sense anymore. I had the same conflicts as you. But pfSense has more support and features.

[–] SirLagz@alien.top 1 points 11 months ago

I use pfSense for the stability of it.

Netgate as a company has certainly done a few things which have had me looking at other router options but at the moment, pfSense CE works, is stable, and I don't need to faff with it, so I'm happy staying put.

[–] cspotme2@alien.top 1 points 11 months ago (1 children)

Your extensive config is probably your issue and not opnsense. You said you've been running it for a few years but seemingly 4 months ago, you couldn't figure out a basic rule to block internet for a single ip.

[–] cjchico@alien.top 1 points 11 months ago (2 children)

My config probably does factor into some of the issues. To be fair, I've never had to block Internet from a single device before, and the rule seemed backwards compared to my thought process.

If I remember correctly, I started using OPNsense in 2020. Since then, my lab and network has evolved tremendously.

[–] djgizmo@alien.top 1 points 11 months ago

‘Sense’ uses interfaces to base its rules around. You could use the vlan interface or the wan interface for this.

[–] Gutter7676@alien.top 1 points 11 months ago (1 children)

Yes, that is how networking rules work.

Just an FYI, “your way of thinking” doesn’t apply to pretty much anything. Try learning how things actually work and not assume “your way” is the right way.

I can’t believe I have to explain that.

[–] cjchico@alien.top 1 points 11 months ago

Not sure why you're being rude for no reason - maybe you need a cup of coffee. I am learning how things work hence the incorrect thought process. Just because you think you know everything doesn't mean you have to put everyone else down for not.

FYI on Fortigates (which I am used to working with, as opposed to *Sense), there is an incoming (source) and outgoing (destination) interface for the rules, so that's where that thought process originated.
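
To make the interface-bound model from the two comments above concrete, here is an added illustration (not posted by anyone in this thread, and not copied from the pfSense or OPNsense generated rulesets) written in the pf.conf syntax both products compile their GUI rules into. It assumes a VLAN interface named vlan10 and a constructed sample host 192.168.10.50 that should lose Internet access but keep talking to local networks:

```pf
# *Sense rule model: a rule is attached to the interface where the packet
# first enters the firewall (the VLAN interface, direction "in"), not to a
# (source interface, destination interface) pair as on a FortiGate.
# Interface and host names below are assumptions for this illustration.
vlan10_if   = "vlan10"
blocked_host = "192.168.10.50"          # constructed sample address
lan_nets     = "{ 192.168.0.0/16 }"     # constructed local range

# Order matters: the GUI evaluates rules top-down, first match wins, which
# pf expresses with "quick". Keep local traffic for the host working ...
pass in quick on $vlan10_if inet from $blocked_host to $lan_nets

# ... then drop everything else the host sends, i.e. anything Internet-bound.
# This must sit ABOVE the general allow rule for the VLAN to take effect.
block in quick on $vlan10_if inet from $blocked_host to any

# Everyone else on the VLAN keeps the usual allow-all rule.
pass in on $vlan10_if inet from $vlan10_if:network to any
```

In the GUI this is the same three rules on the VLAN interface tab with the block rule above the default allow rule; the reason it looks "backwards" coming from a FortiGate is that the egress interface (WAN) never appears in the rule at all. To check what was actually loaded, compare the generated ruleset in /tmp/rules.debug (both products write one) with the live rules from `pfctl -sr`, and confirm the block rule's counters increase when the host tries to reach the Internet.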

[–] pizzapunt55@alien.top 1 points 11 months ago

If you like support and stability then going for pf over opn is a choice you can make. I just don't like how netgate has been shitting on the competitor with that ridiculous site.

[–] niceman1212@alien.top 1 points 11 months ago

I use pf CE and if they have plans to discontinue it or whatever I’ll switch. If someone can provide me with a good rational reason I would consider OPNsense though.

[–] lupin-san@alien.top 1 points 11 months ago

I have an extensive config including vlans, plugins, policies, suricata, VPN, routes, gateways, HAProxy, etc.

When you have an extensive config, you should always test the upgrade on a "lab" machine before applying them to your "production" environment. You don't just apply the update blindly and hope nothing breaks.

[–] butthurtpants@alien.top 1 points 11 months ago

I went from pf to openwrt. So far, so good. I'm sure it's not as powerful as a pure firewall device, but it suits my needs.

[–] artequilibrium@alien.top 1 points 11 months ago
[–] EtherMan@alien.top 1 points 11 months ago

If stability is what you're after (both in terms of versioning and in the sense of as few unscheduled reboots as possible), then neither is a good option. Both update quite often and go with an "introduce feature now, worry about stability later" and end up having to constantly patch a bunch of stuff.

If you're comfortable with a CLI, then I'd recommend VyOS and then going with the stable branch. It's had 3 service patches since 1.3.0 was released in 2021. The last being in June and before that, you have to go to September last year. Ofc, downside is that you'll miss out on a lot of features. Like I don't think stable has WireGuard support yet, and not certain it will be ready for when 1.4 goes stable either (it's currently in 1.4 rolling). You could implement some of it yourself because it's built on Debian, but anything you do like that is tied to your current image. So if you upgrade, you have to do it again so I don't recommend it.

Point is, if you need features, don't, but if it's the most stable you're after, I can highly recommend at least having a look. Though I always recommend getting a proper router above any router os on amd64. You'll get more out of it, cheaper, with less power consumption and lower latency.

[–] xupetas@alien.top 1 points 11 months ago

Nope. I moved away several years ago from pfsense and could not be happier. I am running production off a 2 node, 24 vlan cluster and it’s rock solid

[–] youmas@alien.top 1 points 11 months ago

First of all, I love OPNsense! I'm saving for OPNsense hardware to support them.

Only thing that is bugging me around lately since the 23.7.7 update is getting into my LAN with Tailscale. It's running as an exit node. I do get internet access and everything, but no local services. It worked from the beginning until that update. I hadn't changed anything. I've done all the steps Tailscale describes, but still no LAN access. No blocking rules show up in the logs. I'm stumped.

[–] HTTP_404_NotFound@alien.top 1 points 11 months ago

I personally, choose to not support companies who are assholes.

And, especially companies who call their open source competition, "Nazis".

Screw netgate.

[–] SamSausages@alien.top 1 points 11 months ago (1 children)

No, I like pfsense because it has less frequent updates and is better documented.

Here is one of the better guides that helps you config much of what you are talking about:

https://nguvu.org/pfsense/pfsense-baseline-setup/

Plus, OPNsense gets most of their code from the work done by pfSense, and often has to wait on them to push the code. Just look at what happened with TLS 1.3

[–] SamSausages@alien.top 1 points 11 months ago

chuckle, butthurt downvotes but not one comment to dispute anything I said. Enjoy the deprecated OpenSSL without security updates.

[–] reklis@alien.top 1 points 11 months ago

I have an official netgate firewall and it runs pfsense+ However, when it comes time to replace it and upgrade to 2.5GB my next firewall will be running opnsense. I just don’t like the direction netgate has gone with their company decisions and I won’t be buying any more hardware from them. I don’t think you should either.