Running suricata and HAProxy will be the cause of your slowness / wierdness.
this post was submitted on 15 Nov 2023
2 points (75.0% liked)
Homelab
371 readers
9 users here now
Rules
- Be Civil.
- Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
- No memes or potato images.
- We love detailed homelab builds, especially network diagrams!
- Report any posts that you feel should be brought to our attention.
- Please no shitposting or blogspam.
- No Referral Linking.
- Keep piracy discussion off of this community
founded 11 months ago
MODERATORS
Nope. I have moved away several years ago from pfsense and could not be happier. I am running production off a 2 node, 24 vlan cluster and it’s rock solid
Ive been using pfSense CE for 4 years now. I’ve thought about it a couple times, but I have a few reasons I’m staying on pfSense:
- No config migration tool. Yea, I could spend an afternoon redoing my config. But it’s not really worth it imo.
- It’s been rock solid for the last few years.
- BSD has finally been updated! Allowing drivers and whatnot.
- I believe Netgate to be a good contributor for BSD. They’ve added many drivers. Such as the i225/226. Yea, it takes awhile.
- The changes are aggravating, but I’m still running CE. The only feature I feel I’m missing is the boot environments support.
For the first point, I believe that not long ago I've seen here that someone made a website where you upload your config file (or something like that) and it generates a config file for opnsense. I don't have the link to that post, but I guess you could manage to find it
Yeah no
yes. netgate is evil and less reliable than opnsense if you make use of fancy stuff
opnsense seems to be made by people who don't hate me, so I use that.
No, I like pfsense because it has less frequent updates and is better documented.
Here is one of the better guides that helps you config much of what you are talking about:
https://nguvu.org/pfsense/pfsense-baseline-setup/
Plus, opensense gets most of their code from the work done by pfsense, and often have to wait on them to push the code. Just look at what happened with TLS 1.3
chuckle, butthurt downvotes but not one comment to dispute anything I said. Enjoy the depreciated OpenSSL without security updates.
I personally, choose to not support companies who are assholes.
And, especially companies who call their open source competition, "Nazis".
Screw netgate.
First of all, I love Opnsense! I'm saving for Opnsense hardware to support them.
Only thing that is bugging me around lately since 23.7.7. update is getting into my LAN with Tailscale. It's running as an exit node. I do get internet access and everything, but no local services. It worked from the beginning until that update. I hadn't changed anything. I've done all the steps Tailscale describes, but still no LAN access. No blocking rules shows up in the logs. I'm stumped.
Yes. Most go from pfsense to opnsense, including myself.
No one is forcing you to install updates, just skip them if you think that's better for you, but many are security related.
That sounds easy enough, but it creates a situation where I don't know what updates are important (security) and what updates are minor. So I have to read the release notes for each update and then decide if I need it to patch a security vulnerability.
Where with the other method, I know the update is likely critical.
For some those frequent updates are a +, for me it is not. So use what works best for you!
But right now I couldn't use opensense even if I wanted to, as it's FIPS non-compliant due to them still using the depreciated EOL OpenSSH 1.1.1, and no date set to move to v3
I have an official netgate firewall and it runs pfsense+ However, when it comes time to replace it and upgrade to 2.5GB my next firewall will be running opnsense. I just don’t like the direction netgate has gone with their company decisions and I won’t be buying any more hardware from them. I don’t think you should either.
I moved to VyOS from OPNSense, I like VyOS a bit better, because of Ansible integration etc + it’s Linux not FreeBSD
I'm using VyOS in my work environment now, got free licensing because we are a non profit. It's been great.
VyOS is very good. It’s a fork of Vyatta which was sold to brocade and sold again to ATT. Ubiquiti products use a fork of Vyatta as well (EdgeOS on their edge routers for example). I used to work with Vyatta and Brocade so I was a big fan of the Edge line for home and SMB. Since Ubiquiti shelved EdgeOS and stopped putting meaningful updates out I switched to VyOS rolling on my home router with one of those Beelink mini PCs with dual nics.
Is there anyway for us home labbers to get more recent versions of VyOS without having to build it? It used to be easily accessible, now, not so much.
Without paying you need to use the rolling / nightly iso.
They have step by step instructions in their documentation. They even give you the commands to run so you only have to copy and paste.
You literally git clone their repo, cd into the cloned directory, run a docker container and build the iso using the docker container. Took me 5-10 minutes using a single alder lake P core to make the .iso.
OPNSense is far more willing to add "experimental" features and as a result you get a firewall that has more features out of the box, but is less stable.
pfSense is very slow to add new functionality, but the platform is rock solid as a result.
It all comes down to what you want. Do you want to play around with an appliance that has all the knobs, but also some eccentricities, or do you want an appliance that may not have bleeding edge features, but is far less prone to error.
I have an extensive config inclduing vlans, plugins, policies, suricata, VPN, routes, gateways, HAProxy, etc.
When you have an extensive config, you should always test the upgrade on a "lab" machine before applying them to your "production" environment. You don't just apply the update blindly and hope nothing breaks.
If you have a home lab, offshore what you can from your firewall. The less it does the more secure it is. Once you've watered it down to maybe DHCP and suricata then there's almost no difference in pfsense and opn.
If you like support and stability then going for pf over opn is a choice you can make. I just don't like how netgate has been shitting on the competitor with that ridiculous site.
I use pfSense for the stability of it.
Netgate as a company has certainly done a few things which have had me looking at other router options but at the moment, pfSense CE works, is stable, and I don't need to faff with it, so I'm happy staying put.
Do it. OPNSense is starting to not make sense anymore. I had the same conflicts as you. But PFSense has more support and features.
I went from pfsense to opnsense about a year ago after an attempted settings change completely broke my pfsense install (again). I've been debating going back because I cannot get load balancing to work on opnsense, no matter what I do. Currently it's just using a single gateway, and if that goes down then everyone is SOL until it comes back up or I manually switch it.
I use pfsense CE. I am a bit worried that Netgate will be less interested in maintaining the community edition now, but it just works. I don't need a lot of bells and whistles. So I'm staying put until I see a decent reason to switch.
IMO, no. I don’t use pfsense on a daily basis (MikroTik FTW), but netgate will use CE as a testing ground. They’ll keep putting out updates; but advanced functionality will be paywalled.
Used both, from pf to opn maybe 15months ago. Never had issues with either but I've had issues with how pf is managed and just seems to get another reason to dislike every so often.
Depends on your issues but go raise bug report with opn. If opn started to cause me issues then I'd be more likely to goto openwrt I think,rather than pf.
Opnsense does not work well with my set up. A lot of bugs and instability especially vpn and load balancing. I never had a problem with pfsense CE
Yes
Edit: pfSense shill bots in the comments? Something is super sus here
Most of the comments are just shitting on OPNsense, without even given a valid reason why they don't use it or they moved away from it.
Very sus indeed.
pfSense is what happens when you take OPNsense and put a chick in it and make her gay and lame. Always go with open source.
Your extensive config is probably your issue and not opnsense. You said you've been running it for a few years but seemingly 4 months ago, you couldn't figure out a basic rule to block internet for a single ip.
My config probably does factor into some of the issues. To be fair, I've never had to block Internet from a single device before, and the rule seemed backwards compared to my thought process.
If I remember correctly, I started using OPNsense in 2020. Since then, my lab and network has evolved tremendously.
‘Sense’ uses interface to base their rules around. You could use the vlan interface or the wan interface for this.
Yes, that is how networking rules work.
Just an FYI, “your way of thinking” doesn’t apply to pretty much anything. Try learning how things actually work and not assume “your way” is the right way.
I can’t believe I have to explain that.
Not sure why you're being rude for no reason - maybe you need a cup of coffee. I am learning how things work hence the incorrect thought process. Just because you think you know everything doesn't mean you have to put everyone else down for not.
FYI on Fortigates (that I am used to working with opposed to *Sense), there is an incoming (source) and outgoing (destination) interface for the rules, so that's where that thought process originated.
I second this. No offense to OP!
I never noticed any "slowing down issues" since any of the recent updates. Running OPNsense with a similiar setup to yours "vlans, plugins, policies, suricata, VPN, routes, gateways, HAProxy, etc". Again no issues on 8+ sites, including SiteToSite WireGuard VPNs and with large corporate networks. Some systems running perfectly stable and performant since version 20.x (installed) and now running the latest update.
Therefore I highly think your issues are user error / misconfiguration. Yet, I don't mean to judge but it seems to me that you switching to pfSense will just bring your OPNsense issues with it.
I can't tell how much experience you have with networking/firewalls in general but a lack of that won't bring you any further by switching to pfSense.
I use pf CE and if they have plans to discontinue it or whatever I’ll switch. If someone can provide me with a good rational reason I would consider OPNsense though.
I actually switched from pfsense to opnsense last week. The licensing debacle and the stand Netgate took against the community was enough for me to switch. It took a bit of time getting used to the UI, but I'm starting to enjoy using opnsense more than pfsense. First thing that made me happy was the automatic backups to nextcloud haha
I went from pf to openwrt. So far, so good. I'm sure it's not as powerful as a pure firewall device, but it suits my needs.
If stability is what you're after (both in terms of versioning and in the sense of as few unscheduled reboots as possible), then neither is a good option. Both update quite often and go with an "introduce feature now, worry about stability later" and end up having to constantly patch a bunch of stuff.
If you're comfortable with a CLI, then I'd recommend Vyos and then going with the stable branch. It's had 3 service patches since 1.3.0 released in 2021. The last being in june and before that, you have to go to september last year. Ofc, downside is that you'll miss out on a lot of features. Like I don't think stable has wireguard support yet, and not certain it will be ready for when 1.4 goes stable either (it's currently in 1.4 rolling). You could implement some of it yourself because it's built on Debian, but anything you do like that is tied to your current image. So if you upgrade, you have to do it again so I don't recommend it.
Point is, if you need features, don't, but if it's the most stable you're after, I can highly recommend at least having a look. Though I always recommend getting a proper router above any router os on amd64. You'll get more out of it, cheaper, with less power consumption and lower latency.