pfSense/ OPNsense help

I am not sure that the quantity or frequency of updates makes something better than others. pfSense has much more online documentation, tutorials and community support - that is more valuable if you ask me. Besides, pfSense+ 23.01 runs on FreeBSD 14-CURRENT which is the latest branch and with that, contains all the latest drivers and security patches.
Not necessarily. FreeBSD 14-CURRENT is just that - the CURRENT branch. In FreeBSD terms, that means beta/testing. CURRENT is a non-stop stream of the latest tweaks, tests, changes and so on, and it isn't even expected to include binary packages at times. FreeBSD 13.2 is a RELEASE, meaning it's the latest fully patched 'stable' production quality release. It has all the latest drivers and fixes.

In fact, the somewhat ironically named STABLE is more akin to what you confused CURRENT for. It is the upstream of RELEASE and contains the latest fixes, patches and drivers. From STABLE, the next RELEASE is cut, and STABLE begins working towards the next one in a never-ending cycle.

In other words, OPNSense is based on the latest, fully patched and production-stable release of FreeBSD. Conversely, pfSense is (if it's cut from CURRENT) based on an ever-changing unstable test codebase. In Linux terms (if that means anything to you), RELEASE is Red Hat Enterprise Linux or Debian Stable. STABLE is Debian Sid or Fedora Rawhide. CURRENT is the daily ISO of every latest update/patch/test/idea the devs were working on that day, good and bad. As I type this, you might better consider the analogy of Firefox/Chrome stable (RELEASE), beta (STABLE) and nightly/canary (CURRENT).

Neither is wrong, they're just very different. As they say, though - if you're not sure which to choose, install RELEASE. If you think you want STABLE, then install RELEASE...

As it is, I would always avoid pfSense on personal preference. Between the dev's attitude, their intense hate campaign[1] against OPNsense (Nazi pictures and symbols on websites they named and designed to have people confuse it with the real OPNsense site), having to be ruled against by WIPO (World Intellectual Property Organization) and have their slanderous domain seized and returned to OPNsense, their shoddy and dangerous WireGuard implementation[2] fed back to FreeBSD (and pfSense) by the convicted felon/nightmare harassing landlord/international fugitive developer they paid to write it, the AES-NI debacle, the closed split editions, the refocus of dev time on TNSR, and all the other nonsense...

Well, let's just say I'm thankful there's a sane, European based, regularly maintained alternative. To be clear, I have no personal investment here and I don't use any *sense personally, I stick to vanilla OpenBSD. I have, however, been around *nix and networking for long enough (>20 years) to have seen it all and to know when a spade is a spade.



This whole thread is a car crash I couldn't stop reading. @Tech9 was spot on. What problem are you actually trying to solve, @Thomas01? What will your x86 router give you that Asuswrt Merlin didn't? What feature was missing? VLAN management? Lower level control of SNAT and DNAT? Finer grain control of rules for pf/nft/iptables? The ability to run WireGuard in-kernel? Wanting to switch from iptables chains to a plaintext pf .conf file for readability and long-term documentation and management? The ability to run cake instead of fq_codel as part of your SQM strategy? Needing to virtualize your router with IOMMU passthrough so you can run bhyve or qemu alongside? Something else?...

Given the level of questions you've asked in this thread (what order do these things connect, how many IPs in a /24, what's the 'best' private address...) I have to wonder what you're actually trying to achieve, and why. Someone asking those types of questions, who doesn't know about APs and is throwing egregious amounts of money at a problem that didn't exist, is starting in the wrong place.

Doing IDS/IPS at gigabit speeds is very intensive, is half useless thanks to TLS (as someone else pointed out), and unlike a purpose built router an x86 box has no dedicated hardware (ASIC) for network packets. Unless you count RSS, TSO/GRO/LRO etc on the NIC, but some of those ought to be disabled on a router anyway, to preserve the end-to-end principle (you already know that, if you're ready to build your own).

Context switching for packet processing, and having software handle things a dedicated router handles in hardware ASICs, can actually be detrimental (eg latency). I'm no ASUS fan (quite the contrary - I wouldn't touch their networking equipment if it was free[3]), but if it was handling your connection fine and your only concern was to make it 'better' then I think you're going about it wrong.

I'm equally confused at some of the replies in here. Just because the RFC specifies 10.0.0.0/8 (alongside 172.16.0.0/12 and 192.168.0.0/16) as private address space, it doesn't mean you're supposed to actually use the /8 in production lol. It just means you have the whole /8 to choose from when segmenting (e.g. to avoid IP conflicts and allow network demarcation). For starters, the resources required to table and track 16M addresses are not trivial... and for a home network?! Then suggestions to forego router-specific releases like *sense, OpenWRT or Untangle, and instead go with vanilla Linux? The OP doesn't even know basic networking; so where did we get the idea they'll be capable or comfortable in transforming a barebones off-the-shelf Ubuntu install into a routing platform?

Not that I have anything against x86 routers! Personally, I run an x86 router which has - over the decades - run everything from OpenBSD (my favourite) and FreeBSD to OPNsense to IPFire to VyOS to OpenWRT to Debian and back again. You get the idea. My AP is a Ruckus R710 with a 24 port enterprise POE+ core switch. I had use for these things, knew why I wanted/needed them, and I allocated them accordingly.

OP, I'd strongly suggest you take a breath. If you haven't already purchased hardware, don't. At least not yet. Start by reading some networking books, the FreeBSD handbook and OpenBSD documentation on routers, the Arch Wiki etc and build up your knowledge. Meanwhile, set up a private network in virtualisation software and connect VMs together to gain knowledge. For example, a /24 local net with a few Linux VMs whose vNIC connects to a different *BSD or Linux VM acting as router. Connect one of that machine's vNICs to the virtual LAN and the other bridged through the host machine's physical NIC. Experiment away. Once you're confident in that, can configure and troubleshoot the network with your eyes closed, and - more importantly - know what all those terms mean and what makes a /16 different from a /32, *then* consider whether your real LAN needs to change, why, and how.

None of this is intended to bash you, put you off, or belittle you. Networking is great fun, highly rewarding and can open career opportunities. That said, learn from others' mistakes and start to walk before you run. Learn why it's modem/ONT > router > firewall > switch > AP. Learn the OSI model. Learn Linux and/or *BSD. Learn how DNS and DHCP work, and then try running your own. Learn about multicast and unicast, IPv6, the difference between VLANs and segregated physical subnets, and about how network stacks and firewalls actually operate. Have fun doing it! Don't start by spending >$1,000 on stuff you don't even understand and throwing it into production on your one and only home network.

FWIW, the Chinese 'firewall' you linked to is just another run of the mill ultra SFF mini PC clone (albeit with a decent enough CPU and overkill specs). Paying $1,000 for that is insane, especially for a router/firewall. You can buy a decommissioned enterprise thin client or other SFF box like a Lenovo, HP, Dell or similar on eBay (et al.) with a good recent-ish i5 for $100 to $200. Even a fairly modern i3 or Pentium will do perfectly well up to multi-gig. Just make sure it has AES-NI (it will) and prioritise core speed and physical cores over more threads (you should disable SMT on a router anyway). Drop in a dual port PCIe NIC (again, enterprise cast offs are fine) and you're away for 1/10 of the cost of that 'firewall' box. That leaves you with a machine that's amply capable and doesn't cost the earth for no reason, and $800 change for an enterprise AP, a good core switch, your cabling and a few hundred spare for whatever you like.

There's lots to learn and a lot of satisfaction to be gained. In a year or two you'll know more about networks and software than most general 'IT' folks - and you'll find lots of practical uses for it, too. For now though, think long and hard. When you can confidently design your own single subnet flat network, consider and implement AP segregation and know how (and why) to configure your firewall, security policy and ACLs - and what hardware to spec for it - then go for it. Until then, it'll be an exercise in frustration, financial loss, and a potential security nightmare. Just my .02.


[1] https://opnsense.org/opnsense-com/
[2] https://arstechnica.com/gadgets/202...olations-and-bad-code-freebsd-13s-close-call/
[3] https://www.securityweek.com/asus-settles-ftc-charges-over-router-security/
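As an added illustration of the router-VM lab described in the post above (this is not from the original post, nor from any *sense project): a minimal OpenBSD pf.conf for the *BSD VM acting as router, with one vNIC on the isolated virtual LAN and one bridged through the host's physical NIC. The interface names vio0/vio1 and the 192.168.50.0/24 LAN are assumptions; substitute whatever your hypervisor gives you.

```pf
# Minimal router/NAT ruleset for the lab VM (added example, assumptions:
# vio0 is the bridged "WAN" vNIC, vio1 faces the virtual LAN, and the LAN
# is 192.168.50.0/24).
# Forwarding must also be enabled on the VM: sysctl net.inet.ip.forwarding=1
# (put it in /etc/sysctl.conf to persist across reboots).
wan = "vio0"
lan = "vio1"
lan_net = "192.168.50.0/24"

set skip on lo
set block-policy drop

# Drop packets whose source address cannot legitimately arrive on that
# interface (e.g. a 192.168.50.x source showing up on the bridged side).
antispoof quick for { $wan $lan }

# Default deny everything, logged, so anything not explicitly passed below
# shows up on pflog0 while you learn what the rules actually do.
block log all

# Rewrite the source of LAN traffic leaving the bridged interface to that
# interface's address (OpenBSD match/nat-to syntax). pf is stateful, so
# replies match this state and are translated back automatically.
match out on $wan inet from $lan_net to any nat-to ($wan)

# Traffic the router itself originates, or forwards out either interface.
pass out all

# Only hosts on the lab LAN may initiate connections through (or to) the
# router. Nothing is passed inbound on $wan, so the default deny applies
# to unsolicited traffic arriving from the bridged network.
pass in on $lan inet from $lan_net to any
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch what the default deny catches with `tcpdump -n -e -ttt -i pflog0`. pf is last-match-wins except for `quick` rules, so the `pass` rules after `block log all` are what open holes; reordering them and observing the change is a good first experiment in the VM lab. On FreeBSD the translation line takes the older form `nat on $wan from $lan_net to any -> ($wan)` and the forwarding sysctl has the same name.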
 
OPNSense is based on the latest, fully patched and production-stable release of FreeBSD. Conversely, pfSense is (if it's cut from CURRENT) based on an ever-changing unstable test codebase.
Extremely informative.

What will your x86 router give you that Asuswrt Merlin didn't?
From what I understand, x86 hardware will be more powerful than any consumer router like my current Asus router. That, coupled with OPNsense, will give me better performance and allow me to get my full internet plan speed that I pay for. I plan to explore the features of OPNsense after I get the internet working. Heard about x86 router/firewalls about 1.5 years ago from the YouTube channels NetworkChuck, Linus Tech Tips and Level1Techs, but had no reason/excuse to change from my setup of Netgear cable modem and Asus router until recently. My Netgear cable modem internet light would give out intermittently and the internet would stop working. Speed test showed download was fine but upload would be 0.01 Mbps. Only fix was to unplug the modem for 10-15 seconds then plug it back in. This would fix the problem until it happened again.

Comcast/Xfinity technician came to the house and said he thinks the modem is fried and said to use the Xfinity rental modem/router combo until I got my own again. This is what my setup is currently. The first modem ordered was defective so I had to return that and get another one. After I got another one it worked. So I tried setting it up but the Zyxel APs wouldn't boot up correctly and just kept flashing green/amber. After this I returned the APs, switch and router/mini PC since I don't have time to try again for a few weeks. I only have the Netgear modem that I know is working but I'm not using it yet since I don't have a router and wireless APs yet, so I'm currently using the rental modem/router combo from Xfinity.

Currently my plan is to buy a custom PC from a custom boutique PC manufacturer and ask them to install all the hardware so I just need to install and setup OPNsense. Also I need to buy a switch and a couple APs.
 
I'm watching the thread the same way as I sometimes watch "Dashcam crash" videos on YouTube. Waiting for this 18-wheeler roll over scene.
In 4-5 weeks when I try again if it doesn't work then I think I might just stay with the rental modem/router combo from Xfinity. But then the question is what is the point of paying for the 1.2 gig plan when the best I can get is 700-800 Mbps right next to the rental modem/router? If I move only 15-20 feet away the best I can get is 400-500 Mbps. So my problem is, I'm paying every month for speed I'm not getting.
 
You will need to upgrade your client devices, if possible (available client devices may not be capable, though)... or use a cable to get the full bandwidth.

"what is the point of paying for the 1.2 gig plan..."
speed test points, of course ;-)
 
But then the question is what's the point of paying for the 1.2 gig plan when the best I can get is 700-800 Mbps right next to the rental modem/router?

I told you already - this is what you get from a common 2-stream AX client at an 80 MHz wide channel. Even if you buy the latest and greatest enterprise class Aruba Networks AP for $2000 you'll get exactly the same speed. The speed drops away from the radio because AX 1024QAM needs good SNR. If you have a 2-stream AX 160 MHz wide channel capable client and your Wi-Fi environment allows 160 MHz channel use you can get up to 1.7 Gbps throughput over Wi-Fi in exchange for shortened range. Basically in the same room where the router is, and not guaranteed because Wi-Fi is a shared medium.

If you don't start reading and only follow YouTube videos and random advice you'll turn into this 18-wheeler going into the ditch.

speed test points, of course ;-)

Indeed.
 
I told you already - this is what you get from a common 2-stream AX client at an 80 MHz wide channel. Even if you buy the latest and greatest enterprise class Aruba Networks AP for $2000 you'll get exactly the same speed.
So is there any point in keeping my current internet plan speed?

If you don't start reading and only follow YouTube videos and random advice you'll turn into this 18-wheeler going into the ditch.
What should I start reading to learn more about networking? Most of what I know is from the YouTube channels I mentioned in a previous post.
 
So is there any point in keeping my current internet plan speed?

It's up to you. I personally have a 500/30 ISP plan and my APs are Wi-Fi 5 class, up to about 480 Mbps most of the time. I have no intentions to upgrade ISP or hardware any time soon. Works perfectly for a family of 4 with usual online activities. I'm using pfSense firewall, PoE switch and PoE APs.
 
Google for "basic networking course" and see what happens. Skip YouTube videos.
 