Alternative to pfsense/Opnsense

Maverick009

Senior Member
I was not sure where exactly to post this, but lately I have been thinking of an alternative firewall/router OS to pfSense and OPNsense. Now, I am not looking for the OMG comments about why I would be looking to do that, as there are some reasons, which I will explain in a moment. I am looking for some good suggestions and think this has potential to be educational to pros and newbies alike.

The reason for looking to possibly switch was hardware scaling issues and possible incompatibilities with the cable modem that I ran into. I previously had a Gigabyte G41M-USB3/Intel Core 2 Q6600 2.4GHz quad-core CPU/board combo with 4GB DDR3 memory. I have since upgraded the hardware to an Asus B550M TUF WiFi Plus with a Ryzen 1700 3.0GHz base/3.7GHz boost 8C/16T CPU and 16GB DDR4-3200 running at 2667MHz (the native memory clock of the Ryzen 1700). I moved over the 240GB SATA SSD, the Intel I350-T4 quad 1G NIC, and a dual Realtek 8125 2.5G NIC.

The problem I was experiencing, both before and after the upgrade, seems to be with the cable modem syncing up with OPNsense (and pfSense before it), where I would get lost packets constantly, and a reset of both the firewall and the modem would usually do the trick for the most part, but not always. Also, recently, when synced and I try a speed test, either during sustained speeds or once it begins the upload speed test, I would see packet loss on both IPv4 and IPv6 hit as high as 8-10+% on the WAN. The WAN would also get errors on occasion, not too many, but I did see as many as 28 in a 24-48hr span, and every so often I might lose access to all LANs directly connected to the firewall, requiring a hard reboot to fix the issue. I have a Netgear CM1200 modem and plan on eventually upgrading to one with a single 2.5G port, but at the moment I am trying to nip this issue in the bud.

In the meantime I have tested out IPFire, built on Linux, as, for one, it seems to scale with the multicore CPU I have and supports newer hardware much quicker, and two, it looks like my issues have been resolved, with the system remaining up and stable, albeit with a few less features but a more straightforward and easy approach, and it scaled with my upgraded hardware. I have also thought about OpenWrt, as it is also based on the Linux kernel and takes better advantage of the multicore CPU and architecture, including the Realtek NICs (3x 2.5G including the onboard one). IPFire seems to work well for a home network.

I really liked the features that pfSense/OPNsense offer as far as subnets and scaling with multiple NICs; however, I am not a fan of instability, and scalability teething problems just add to it. Are there any free alternatives based on Linux that would be great for network security and scalability? Or has anyone else experienced similar issues and figured out how to fix this? I don't think I overlooked anything, but I am not ruling out possibilities or alternatives.
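The post above judges WAN packet loss from speed-test runs and from an error count read off the firewall UI. The script below is an added example, not from the thread or from any of the firewall distributions it mentions: it reads the kernel's own per-interface counters from /proc/net/dev on a Linux firewall (IPFire, OpenWrt or a plain Debian/Ubuntu router) and reports how many packets, errors and drops accumulated on one interface over a sampling window, which is the number you want while a speed test is running. The interface names (wan0, lan0) and the two counter snapshots are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): quantify WAN-side loss from kernel interface
# counters instead of eyeballing a speed test. Interface names and the sample
# /proc/net/dev snapshots below are constructed assumptions.

# Print "rx_pkts rx_errs rx_drop tx_pkts tx_errs tx_drop" for interface $2
# from a /proc/net/dev snapshot passed as the string $1.
iface_counters() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        { gsub(/:/, " ") }                  # "wan0:" -> "wan0", re-split fields
        $1 == ifc { print $3, $4, $5, $11, $12, $13; found = 1 }
        END { if (!found) exit 1 }'          # unknown interface -> non-zero exit
}

# Print the per-counter deltas between snapshot $1 (before) and $2 (after) for interface $3.
counter_delta() {
    before=$(iface_counters "$1" "$3") || return 1
    after=$(iface_counters "$2" "$3") || return 1
    # word splitting is intended: 6 "before" fields followed by 6 "after" fields
    set -- $before $after
    echo "$(( $7 - $1 )) $(( $8 - $2 )) $(( $9 - $3 )) $(( ${10} - $4 )) $(( ${11} - $5 )) $(( ${12} - $6 ))"
}

# Live use on a Linux router: two snapshots $2 seconds apart (default 10) for interface $1.
# Run it while the speed test is saturating the WAN.
watch_iface() {
    s1=$(cat /proc/net/dev)
    sleep "${2:-10}"
    s2=$(cat /proc/net/dev)
    counter_delta "$s1" "$s2" "$1" | {
        read -r rxp rxe rxd txp txe txd || exit 1
        printf '%s over %ss: rx %s pkts, %s errs, %s drops; tx %s pkts, %s errs, %s drops\n' \
            "$1" "${2:-10}" "$rxp" "$rxe" "$rxd" "$txp" "$txe" "$txd"
    }
}

# Constructed snapshots in /proc/net/dev layout (not captured from a real box).
SNAP_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  wan0: 9010240  812000    3   40    0     0          0        12 4120000  600000    0    1    0     0       0          0
  lan0: 7700000  650000    0    0    0     0          0         5 8800000  700000    0    0    0     0       0          0'
SNAP_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  wan0: 9910240  892000    5   55    0     0          0        13 4620000  660000    0    2    0     0       0          0
  lan0: 7900000  670000    0    0    0     0          0         6 9000000  720000    0    0    0     0       0          0'

echo "constructed sample, wan0 deltas (rx_pkts rx_errs rx_drop tx_pkts tx_errs tx_drop):"
counter_delta "$SNAP_BEFORE" "$SNAP_AFTER" wan0

# With an interface argument, sample the real counters: ./wanloss.sh wan0 30
if [ $# -ge 1 ]; then
    watch_iface "$1" "${2:-10}"
fi
```

Errors and drops that climb only under load, while the LAN-side interfaces stay at zero, point at the WAN link (modem, cable, NIC driver) rather than at the firewall rules; drops on every interface at once point at the box itself. Dividing rx_drop by rx_pkts over the same window gives a loss percentage comparable to what a speed test reports.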
 
The instability is not coming from the pfSense/OPNsense software. It's somewhere else. You may try different software, but don't be surprised if you encounter the same compatibility issues with the same hardware.
 
> The instability is not coming from the pfSense/OPNsense software. It's somewhere else. You may try different software, but don't be surprised if you encounter the same compatibility issues with the same hardware.

Actually, after I posted this, I went back to the drawing board troubleshooting. I believe it may have been OPNsense, as the drivers seemed to have been buggy and problematic, especially on the latest release. I had not used pfSense since the early 2.5 release and decided to give it a second go around. Behold, once installed and put back in the rack with a modem reboot, everything started to come up, and since configuring it, it is running nicely. I ran speed tests to saturate the WAN connection, as that was where my issues were, and not a single sign of a lost packet or errors on that connection, which is where all this began escalating.

I have the WAN now connected to the onboard Realtek RTL8125B, as I do eventually plan to upgrade the cable modem to a newer model with a 2.5G jack on it as well. The rest of the connections are going through the Intel I350-T4, with 1 port connected to a dedicated L3 managed switch and another connected to my main system. I also have a 2.5G RTL8125B port connected to the 2.5G port of an Asus GT-AX11000 in AP AiMesh mode. All now working flawlessly and on separate subnets again.

Thanks for reading. I just could not figure it out at the beginning and tried IPFire, but had not attempted pfSense again since switching to OPNsense. I should probably have realized that rapid features and updates are not always a good thing.
 
Oh, and I also found out pfSense is more multicore/multithreaded now, along with most app packages, but there are still a few that are single-threaded. That was another concern of mine, as when I was searching, I saw the Linux kernel is better with newer hardware and multithreading, but further searching showed BSD could be a tad more stable and better suited for enterprises on a large scale... The things you find out when searching for a solution to a problem...
 
I would think Linux would have the best NIC drivers. I would also think OPNsense would have better drivers than pfSense since they are running a later OS version. pfSense is trying to catch up, as they are going to skip version 13 and go straight to version 14.

You can try Untangle software, but they were sold, and it looks like they may have limits now for home use. You get a 30-day free trial with no limits.
 
I just use Ubuntu and add functions as needed: the base OS plus bonding/bridging/iptables. Add some utils to monitor from a browser and SSH for commands. Debian seems to play better with hardware than BSD. Just updated to kernel 6.3 as well. But it all comes down to preference.
 
> I would think Linux would have the best NIC drivers. I would also think OPNsense would have better drivers than pfSense since they are running a later OS version. pfSense is trying to catch up, as they are going to skip version 13 and go straight to version 14.
>
> You can try Untangle software, but they were sold, and it looks like they may have limits now for home use. You get a 30-day free trial with no limits.

I have been running pfSense+ 23.01 since February, since I migrated from CE 2.6.0 to +22.05 in Dec/22, as I decided not to go with the open source vs closed source yada yada and just do it. After all, other stuff such as RouterOS is not open source either.

I have not regretted it for a single moment and can highly recommend it. +23.01 is built on FreeBSD 14-CURRENT and PHP 8.1 and does everything it is supposed to without a glitch. It also has some very neat functionality such as boot environments, which allow you to roll back in case of an issue. I am now working on creating a backup router using a NUC with an Intel i350-T4 quad NIC so I can pull out the main one for maintenance and hardware upgrades without major interruptions to the network. I am almost there. Getting pfSense installed on the NUC was a bit of a pain, but I got it done. Now I need to upload the config of the main router, but that will take some time, as I need to connect it directly to the modem to do that to avoid any LAN IP conflicts.
 
> I would think Linux would have the best NIC drivers. I would also think OPNsense would have better drivers than pfSense since they are running a later OS version. pfSense is trying to catch up, as they are going to skip version 13 and go straight to version 14.
>
> You can try Untangle software, but they were sold, and it looks like they may have limits now for home use. You get a 30-day free trial with no limits.

When doing my research, Linux does have better hardware support, but OpenWrt and IPFire are the best options you get for firewall routing, and OpenWrt is as close as you get feature-set wise to pfSense/OPNsense. I am thinking it is because there are so many moving parts right now, and the fact that there seemed to be a driver issue even in earlier pfSense, even with the Realtek drivers, but pfSense seems to have fixed it, or at least further tweaked the driver while stabilizing other parts of the OS. Even this morning, the firewall with the pfSense variant is working quite well.
 
> I just use Ubuntu and add functions as needed: the base OS plus bonding/bridging/iptables. Add some utils to monitor from a browser and SSH for commands. Debian seems to play better with hardware than BSD. Just updated to kernel 6.3 as well. But it all comes down to preference.

I was thinking about that at one point, but it is more work for certain settings, and the web interfaces you can add are not as polished as a front-end web UI for the firewall.
 
Firewalling is simple unless you want to invoke complicated scenarios. I've tried most of the stuff I found, and it just makes things slower. Block everything from the outside unless it originates from the inside. I trimmed it down to maybe 10 rules permitting LAN to LAN, and then permit originating traffic to get out and return. Add a drop statement to the end of the chain for counters and call it a day.

The most insightful tool is ntop, for viewing the types of traffic traversing the system. Other than that, it just works, and I don't feel the need to watch it at this point.
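The policy described in the post above (default-deny from the outside, allow flows that originated inside and their replies, a handful of LAN-to-LAN permits, and a counting drop at the end of the chain) is the same stateful default-deny that pfSense/OPNsense apply out of the box. The script below is an added example and not the poster's actual iptables configuration: it expresses that policy as an nftables ruleset, which is what iptables on a current Ubuntu or Debian router translates to anyway, and writes it as a generator so the result can be checked with `nft -c` and diffed before it is loaded atomically. The interface names (wan0, lan0, lan1), the management ports, and the IPv4 masquerade for a single public address from a cable modem are assumptions for the example.

```sh
#!/bin/sh
# Added example (not the poster's ruleset): stateful default-deny home firewall as an
# nftables ruleset. WAN/LAN interface names and the allowed service ports are assumptions.

WAN=${WAN:-wan0}
LANS=${LANS:-"lan0 lan1"}

# Emit the ruleset to stdout. Generating it (rather than typing rules one by one) means
# `nft -f` replaces the whole policy atomically and you can diff two versions.
write_ruleset() {
    lan_set=$(echo $LANS | sed 's/ /, /g')     # "lan0 lan1" -> "lan0, lan1"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to flows the router itself started are the only unsolicited-looking
        # traffic the WAN is ever allowed to deliver to the box.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Router services (SSH, web UI, DNS, DHCP) reachable from the LAN side only.
        iifname { $lan_set } tcp dport { 22, 443, 53 } accept
        iifname { $lan_set } udp dport { 53, 67 } accept

        # What the WAN may initiate towards us: DHCP lease replies and the ICMP
        # types needed for PMTU discovery, traceroute and IPv6 neighbour discovery.
        iifname $WAN udp sport 67 udp dport 68 accept
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Explicit final drop so the policy's rejects show up as a counter.
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN to LAN: the "maybe 10 rules" collapse into one set match.
        iifname { $lan_set } oifname { $lan_set } accept
        # LAN out to the WAN; the return half is covered by the ct rule above.
        iifname { $lan_set } oifname $WAN accept

        counter drop
    }
}

# IPv4 NAT for a single public address on the WAN (assumed cable-modem setup).
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
EOF
}

# Dry-run the generated ruleset, then load it atomically. Needs root and nft installed.
apply_ruleset() {
    f=$(mktemp) || return 1
    write_ruleset >"$f"
    nft -c -f "$f" && nft -f "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Stand-alone: print the ruleset. Run `WAN=enp1s0 LANS="enp2s0 enp3s0" ./fw.sh apply` to load it.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    write_ruleset
fi
```

After loading, `nft list chain inet filter input` shows the packet count on the trailing `counter drop`, which is the "drop statement for counters" from the post; a counter that climbs while the LAN is idle is inbound noise hitting the WAN, and one that climbs on the forward chain is a LAN device trying to reach something the policy does not permit.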
 
> I have been running pfSense+ 23.01 since February, since I migrated from CE 2.6.0 to +22.05 in Dec/22, as I decided not to go with the open source vs closed source yada yada and just do it. After all, other stuff such as RouterOS is not open source either.
>
> I have not regretted it for a single moment and can highly recommend it. +23.01 is built on FreeBSD 14-CURRENT and PHP 8.1 and does everything it is supposed to without a glitch. It also has some very neat functionality such as boot environments, which allow you to roll back in case of an issue. I am now working on creating a backup router using a NUC with an Intel i350-T4 quad NIC so I can pull out the main one for maintenance and hardware upgrades without major interruptions to the network. I am almost there. Getting pfSense installed on the NUC was a bit of a pain, but I got it done. Now I need to upload the config of the main router, but that will take some time, as I need to connect it directly to the modem to do that to avoid any LAN IP conflicts.

I thought about going with pfSense Plus, but the whole registration part threw me off, and I was not sure about the licensing per se.

I am also thinking of having a backup and might add a virtual machine to my gaming and NAS server to use mainly when performing maintenance on the main firewall. I am not sure I would need 2 physical routers on a home network at all times, but I am open to hearing suggestions lol.
 
I considered pfSense but decided to give Merlin a try, and with Skynet and Diversion added, it pretty much addresses the issues I was having. I haven't seen my router get too busy and make me think I need to offload any processes, and my networking doesn't have high requirements for subnets, VLANs, etc. I anticipate the next steps in IoT and streaming may require me to re-evaluate my configuration. Right now, it's not broken; my Merlin config is getting it done.

What would be a primary consideration/advantage to use a pfSense device?
 
> I thought about going with pfSense Plus, but the whole registration part threw me off, and I was not sure about the licensing per se.
>
> I am also thinking of having a backup and might add a virtual machine to my gaming and NAS server to use mainly when performing maintenance on the main firewall. I am not sure I would need 2 physical routers on a home network at all times, but I am open to hearing suggestions lol.

The "whole registration" is rather meaningless, to be honest, and doesn't cost anything. I actually did it three times because I did 3 different installations: my main router, an earlier trial with a Cisco C170, and now the NUC. Yeah, they have your email address and the postal address to put on the invoice, but honestly, that stuff floats around anyway.
 
> I have been running pfSense+ 23.01 since February, since I migrated from CE 2.6.0 to +22.05 in Dec/22, as I decided not to go with the open source vs closed source yada yada and just do it. After all, other stuff such as RouterOS is not open source either.
>
> I have not regretted it for a single moment and can highly recommend it. +23.01 is built on FreeBSD 14-CURRENT and PHP 8.1 and does everything it is supposed to without a glitch. It also has some very neat functionality such as boot environments, which allow you to roll back in case of an issue. I am now working on creating a backup router using a NUC with an Intel i350-T4 quad NIC so I can pull out the main one for maintenance and hardware upgrades without major interruptions to the network. I am almost there. Getting pfSense installed on the NUC was a bit of a pain, but I got it done. Now I need to upload the config of the main router, but that will take some time, as I need to connect it directly to the modem to do that to avoid any LAN IP conflicts.

Yes, the last I heard from you was that your old pfSense PC would only boot from BIOS, which won't work with the newer OSs. I am not excited about ARM architecture for pfSense, as I don't think they are powerful enough for pfSense if you really want to run IPS/IDS. You end up with lag, which is not fun for games.
I have no issues with closed source, but you cannot load it on your own PC. Which Netgate did you buy?
 
> When doing my research, Linux does have better hardware support, but OpenWrt and IPFire are the best options you get for firewall routing, and OpenWrt is as close as you get feature-set wise to pfSense/OPNsense. I am thinking it is because there are so many moving parts right now, and the fact that there seemed to be a driver issue even in earlier pfSense, even with the Realtek drivers, but pfSense seems to have fixed it, or at least further tweaked the driver while stabilizing other parts of the OS. Even this morning, the firewall with the pfSense variant is working quite well.

I tried IPFire a long time ago, maybe 15 years ago, when I was running my own email server, so I ran it with IPCop. It was not my cup of tea. So I only ran it for a week. I think OpenWrt looks good from what I have read.

I would never run an OS for a router firewall, as I want somebody else to keep up with security and writing the code. The same with DNS. I want somebody else to keep up with what is happening. I am trying to retire.
 
> Yes, the last I heard from you was that your old pfSense PC would only boot from BIOS, which won't work with the newer OSs. I am not excited about ARM architecture for pfSense, as I don't think they are powerful enough for pfSense if you really want to run IPS/IDS. You end up with lag, which is not fun for games.
> I have no issues with closed source, but you cannot load it on your own PC. Which Netgate did you buy?

Sorry @coxhaus, but this is a bit outdated info. pfSense boots perfectly fine in UEFI. The issue I had back then was on older hardware and is long gone. I run pfSense+ 23.01 on the config in my signature. Throughput is perfectly fine on my 1000/40 cable connection, with only 7% CPU load with pfBlockerNG, HAProxy, and 2 DHCP servers running. I don't know if I could achieve 10Gbps, but I am sure I will not be far off. The process is simple: you just install CE 2.6.0 and upgrade to Plus from there. I have done this 3 times already without any issue, the most recent one on a NUC with an i5 and 16GB in UEFI.
 
> I considered pfSense but decided to give Merlin a try, and with Skynet and Diversion added, it pretty much addresses the issues I was having. I haven't seen my router get too busy and make me think I need to offload any processes, and my networking doesn't have high requirements for subnets, VLANs, etc. I anticipate the next steps in IoT and streaming may require me to re-evaluate my configuration. Right now, it's not broken; my Merlin config is getting it done.
>
> What would be a primary consideration/advantage to use a pfSense device?
It is just a level above in all ways. ASUS is consumer level.
 
> Sorry @coxhaus, but this is a bit outdated info. pfSense boots perfectly fine in UEFI. The issue I had back then was on older hardware and is long gone. I run pfSense+ 23.01 on the config in my signature. Throughput is perfectly fine on my 1000/40 cable connection, with only 7% CPU load with pfBlockerNG, HAProxy, and 2 DHCP servers running. I don't know if I could achieve 10Gbps, but I am sure I will not be far off. The process is simple: you just install CE 2.6.0 and upgrade to Plus from there. I have done this 3 times already without any issue, the most recent one on a NUC with an i5 and 16GB in UEFI.

I know pfSense and OPNsense boot from UEFI, and it is required for the newer versions, and that is what I stated. An i5 should work, but it is not ARM. I was talking about loading and using Snort full-featured, where you are creating rules for Snort. It will add load and lag to the smaller CPUs.
 
> I know pfSense and OPNsense boot from UEFI, and it is required for the newer versions, and that is what I stated. An i5 should work, but it is not ARM. I was talking about loading and using Snort full-featured, where you are creating rules for Snort. It will add load and lag.

I don't do any IDS/IPS right now, and I am unsure I need it. I have looked at Snort and Suricata before and actually installed the package on a former pfSense test router, but the load increase was only a couple of percent. I am happy with pfBlockerNG for now. Might change in the future.
 
> Firewalling is simple unless you want to invoke complicated scenarios. I've tried most of the stuff I found, and it just makes things slower. Block everything from the outside unless it originates from the inside. I trimmed it down to maybe 10 rules permitting LAN to LAN, and then permit originating traffic to get out and return. Add a drop statement to the end of the chain for counters and call it a day.
>
> The most insightful tool is ntop, for viewing the types of traffic traversing the system. Other than that, it just works, and I don't feel the need to watch it at this point.

Firewalling is simple in and of itself, yes, but the convenience factor is not just for complicated scenarios, but also for traversing multiple subnets, which would include some more advanced settings but at the same time provides convenience if you have a good or simple enough UI to manage it from. Also, if you have the CPU and hardware, along with some tweaks to settings, you can hit full throughput with no slowdowns at all. The only time a slowdown may take effect is if you have QoS/traffic shaping turned on, and then it would slow down traffic or, as I put it, prioritize traffic based on your settings.
 