> I am not sure that the quantity or frequency of updates makes something better than others. pfSense has much more online documentation, tutorials and community support - that is more valuable if you ask me. Besides, pfSense+ 23.01 runs on FreeBSD 14-CURRENT which is the latest branch and with that, contains all the latest drivers and security patches.

Not necessarily. FreeBSD 14-CURRENT is just that - the CURRENT branch. In FreeBSD terms, that means beta/testing. CURRENT is a non-stop stream of the latest tweaks, tests, changes and so on, and it isn't even expected to include binary packages at times. FreeBSD 13.2 is a RELEASE, meaning it's the latest fully patched 'stable' production quality release. It has all the latest drivers and fixes.
In fact, the somewhat ironically named STABLE is more akin to what you confused CURRENT for. It is the upstream of RELEASE and contains the latest fixes, patches and drivers. From STABLE, the next RELEASE is cut, and STABLE begins working towards the next one in a never-ending cycle.
In other words, OPNSense is based on the latest, fully patched and production-stable release of FreeBSD. Conversely, pfSense is (if it's cut from CURRENT) based on an ever-changing unstable test codebase. In Linux terms (if that means anything to you), RELEASE is Red Hat Enterprise Linux or Debian Stable. STABLE is Debian Sid or Fedora Rawhide. CURRENT is the daily ISO of every latest update/patch/test/idea the devs were working on that day, good and bad. As I type this, you might better consider the analogy of Firefox/Chrome stable (RELEASE), beta (STABLE) and nightly/canary (CURRENT).
Neither is wrong, they're just very different. As they say, though - if you're not sure which to choose, install RELEASE. If you think you want STABLE, then install RELEASE...
As it is, I would always avoid pfSense on personal preference. Between the devs' attitude, their intense hate campaign[1] against OPNsense (Nazi pictures and symbols on websites they named and designed to have people confuse it with the real OPNsense site), having to be ruled against by WIPO (World Intellectual Property Organization) and having their slanderous domain seized and returned to OPNsense, their shoddy and dangerous WireGuard implementation[2] fed back to FreeBSD (and pfSense) by the convicted felon/nightmare harassing landlord/international fugitive developer they paid to write it, the AES-NI debacle, the closed split editions, the refocus of dev time on TNSR, and all the other nonsense...
Well, let's just say I'm thankful there's a sane, European based, regularly maintained alternative. To be clear, I have no personal investment here and I don't use any *sense personally, I stick to vanilla OpenBSD. I have, however, been around *nix and networking for long enough (>20 years) to have seen it all and to know when a spade is a spade.
This whole thread is a car crash I couldn't stop reading. @Tech9 was spot on. What problem are you actually trying to solve, @Thomas01? What will your x86 router give you that Asuswrt Merlin didn't? What feature was missing? VLAN management? Lower level control of SNAT and DNAT? Finer grain control of rules for pf/nft/iptables? The ability to run WireGuard in-kernel? Wanting to switch from iptables chains to a plaintext pf.conf file for readability and long-term documentation and management? The ability to run cake instead of fq_codel as part of your SQM strategy? Needing to virtualize your router with IOMMU passthrough so you can run bhyve or qemu alongside? Something else?... Given the level of questions you've asked in this thread (what order do these things connect, how many IPs in a /24, what's the 'best' private address...) I have to wonder what you're actually trying to achieve, and why. Someone asking those types of questions, who doesn't know about APs and is throwing egregious amounts of money at a problem that didn't exist, is starting in the wrong place.
Doing IDS/IPS at gigabit speeds is very intensive, is half useless thanks to TLS (as someone else pointed out), and unlike a purpose built router an x86 box has no dedicated hardware (ASIC) for network packets. Unless you count RSS, TRO/GRO/LRO etc on the NIC, but some of those ought to be disabled on a router anyway, to preserve the end-to-end principle (you already know that, if you're ready to build your own).
Context switching for packet processing, and having software handle things a dedicated router handles in hardware ASICs, can actually be detrimental (eg latency). I'm no ASUS fan (quite the contrary - I wouldn't touch their networking equipment if it was free[3]), but if it was handling your connection fine and your only concern was to make it 'better' then I think you're going about it wrong.
I'm equally confused at some of the replies in here. Just because the RFC specifies 10.0.0.0/8 (alongside 172.16.0.0/12 and 192.168.0.0/16) as private address space, it doesn't mean you're supposed to actually use the /8 in production lol. It just means you have the whole /8 to choose from when segmenting (e.g. to avoid IP conflicts and allow network demarcation). For starters, the resources required to table and track 16M addresses are not trivial... and for a home network?! Then suggestions to forego router-specific releases like *sense, OpenWRT or Untangle, and instead go with vanilla Linux? The OP doesn't even know basic networking; so where did we get the idea they'll be capable or comfortable in transforming a barebones off-the-shelf Ubuntu install into a routing platform?
Not that I have anything against x86 routers! Personally, I run an x86 router which has - over the decades - run everything from OpenBSD (my favourite) and FreeBSD to OPNsense to IPFire to VyOS to OpenWRT to Debian and back again. You get the idea. My AP is a Ruckus R710 with a 24 port enterprise POE+ core switch. I had use for these things, knew why I wanted/needed them, and I allocated them accordingly.
OP, I'd strongly suggest you take a breath. If you haven't already purchased hardware, don't. At least not yet. Start by reading some networking books, the FreeBSD handbook and OpenBSD documentation on routers, the Arch Wiki etc and build up your knowledge. Meanwhile, set up a private network in virtualisation software and connect VMs together to gain knowledge. For example, a /24 local net with a few Linux VMs whose vNIC connects to a different *BSD or Linux VM acting as router. Connect one of that machine's vNICs to the virtual LAN and the other bridged through the host machine's physical NIC. Experiment away. Once you're confident in that, can configure and troubleshoot the network with your eyes closed, and - more importantly - know what all those terms mean and what makes a /16 different from a /32, *then* consider whether your real LAN needs to change, why, and how.
None of this is intended to bash you, put you off, or belittle you. Networking is great fun, highly rewarding and can open career opportunities. That said, learn from others' mistakes and start to walk before you run. Learn why it's modem/ONT > router > firewall > switch > AP. Learn the OSI model. Learn Linux and/or *BSD. Learn how DNS and DHCP work, and then try running your own. Learn about multicast and unicast, IPv6, the difference between VLANs and segregated physical subnets, and about how network stacks and firewalls actually operate. Have fun doing it! Don't start by spending >$1,000 on stuff you don't even understand and throwing it into production on your one and only home network.
FWIW, the Chinese 'firewall' you linked to is just another run of the mill ultra SFF mini PC clone (albeit with a decent enough CPU and overkill specs). Paying $1,000 for that is insane, especially for a router/firewall. You can buy a decommissioned enterprise thin client or other SFF box like a Lenovo, HP, Dell or similar on eBay (et al.) with a good recent-ish i5 for $100 to $200. Even a fairly modern i3 or Pentium will do perfectly well up to multi-gig. Just make sure it has AES-NI (it will) and prioritise core speed and physical cores over more threads (you should disable SMT on a router anyway). Drop in a dual port PCIe NIC (again, enterprise cast offs are fine) and you're away for 1/10 of the cost of that 'firewall' box. That leaves you with a machine that's amply capable and doesn't cost the earth for no reason, and $800 change for an enterprise AP, a good core switch, your cabling and a few 100 spare for whatever you like.
There's lots to learn and a lot of satisfaction to be gained. In a year or two you'll know more about networks and software than most general 'IT' folks - and you'll find lots of practical uses for it, too. For now though, think long and hard. When you can confidently design your own single subnet flat network, consider and implement AP segregation and know how (and why) to configure your firewall, security policy and ACLs - and what hardware to spec for it - then go for it. Until then, it'll be an exercise in frustration, financial loss, and a potential security nightmare. Just my .02.
[1] https://opnsense.org/opnsense-com/
[2] https://arstechnica.com/gadgets/202...olations-and-bad-code-freebsd-13s-close-call/
[3] https://www.securityweek.com/asus-settles-ftc-charges-over-router-security/
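An added example, not part of the post above: a minimal FreeBSD-syntax pf.conf for the *BSD router VM in the virtual lab the post describes (one vNIC bridged to the host's physical NIC as WAN, one on the virtual /24 LAN). The interface names vtnet0/vtnet1 and the 192.168.50.0/24 prefix are assumptions for the example.

```pf
# Added example (not from the post): minimal pf.conf for a lab router VM.
# FreeBSD pf rule order: options, scrub, translation (nat/rdr), then filtering.
# Assumed: vtnet0 is bridged to the host NIC (WAN, DHCP), vtnet1 faces the
# virtual LAN 192.168.50.0/24. Both names and the prefix are constructed.
ext_if  = "vtnet0"
int_if  = "vtnet1"
lan_net = "192.168.50.0/24"

# Drop blocked packets silently instead of answering with RST/ICMP unreachable
set block-policy drop
# Loopback traffic is not filtered
set skip on lo0

# Reassemble fragments and normalise packets before any rule sees them
scrub in all

# Outbound NAT: LAN sources leave with the router's current WAN address
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny everything, logged; read drops with: tcpdump -n -e -ttt -i pflog0
block log all

# Anti-spoofing: a source in the LAN prefix may only arrive on the LAN interface
antispoof quick for { $int_if }

# DHCP from LAN clients arrives from 0.0.0.0, so it must be allowed by port, not prefix
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# LAN clients may start any outbound connection (DNS to the router included).
# pf keeps state by default, so the reply path needs no extra rule, and the
# floating state also carries the packet out through $ext_if after NAT.
pass in on $int_if inet from $lan_net to any

# The router itself may reach out (DNS, NTP, package updates)
pass out quick on $ext_if inet from ($ext_if) to any

# Deliberately no "pass in on $ext_if": nothing unsolicited from the WAN side
# reaches the router or the lab LAN. Check the ruleset with: pfctl -nf /etc/pf.conf
```

Forwarding between the two vNICs still has to be switched on in the VM (`sysrc gateway_enable=YES` on FreeBSD), otherwise pf will pass the packets and the kernel will drop them.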