Switch back to Pfsense from Opnsense and why.

Maverick009

I wanted to post this in case anyone else has questions about Pfsense vs. Opnsense, or why to use one over the other, as I have personally used both, and recently made the decision to switch back to Pfsense where I started in the first place.

The main reason I switched from Pfsense to Opnsense in the first place was that the interface was slightly more updated, and the fact there could be weekly security updates and at least 2 major updates quarterly. Plus, a big reason was that out of the box, Opnsense supported my Realtek RTL8125 Dual 2.5G NIC (Intel currently does not have a 2.5G Dual NIC that I could find), after a small update was done. You would think everything was rosy and good to go once set up and configured. Well, not so much. As much as OpnSense was streamlining the interface and had more updates, sometimes more is not always good.

The way I have my firewall router and network, I needed to bridge at least 1 port from my 2.5G NIC and 2 ports from the Intel I350-T4 Quad NIC card. The 2.5G connection currently was going directly to my Gaming Multimedia Computer's 10G Ethernet Port, while 2 of the 1G Ports were going straight into my TP-Link Smart Switch. At the time I had the cable modem connected to 2 of the other ports of the Intel I350 NIC in LAGG to enable Multigig speeds from my Netgear CM1200 Cable Modem.

While setting up and configuring the network, I was having problems with OpnSense keeping the gateway up from packet loss on occasion, especially if I had to restart the Firewall for maintenance or after a configuration/update was done, and it could take time before getting them to correctly talk to each other. The 2nd issue I noticed is that when doing any heavy downloading/browsing or running just a speed test from my gaming computer, the bridge would get heavy out errors from the traffic with the 2.5G card. Looked cosmetic for the most part, but was still a pain to look at. The 3rd and 4th final issues were the ease of setup and documentation. Opnsense has QOS/Traffic Shaper, but no easy to configure wizard, and would require all the rules to really be done manually. The documentation also was not as helpful when searching the web, as most tutorials are geared towards Pfsense.

I am not saying there is anything majorly wrong with Opnsense, or it is crap. What I am saying is don't always be quick to think because there are a few extra pros and things that work out of the box, that everything will be great and meet all your needs. Plan your network where you can, and I would even beg to plan for maybe a few things in the future of that network.

Now with that out of the way, I did make the decision to go back to Pfsense and all turned out well. From my personal experience of using both, Pfsense shows that with age and a robust community when it comes to web searches for help and tutorials, which helped me with installing the current production version of PfSense 2.4.5, and adding the 1.96.04 Realtek drivers, that included the RTL8125 chipset enabling my dual 2.5G NIC card. It was actually a very easy tutorial and install process. Further, after linking 2 ports on my Intel I350-T4 and right now 1 port on my 2.5G Realtek R8125 card in Bridge Switch mode for the LAN, all was working very well and that error I was seeing when saturating the 2.5G port on the Realtek card disappeared altogether. In fact I think I am seeing a little more throughput on Pfsense with the 2.5G card than what I was seeing on Opnsense. It may also be due to the drivers that I installed on Pfsense vs. the built in driver in Opnsense. Needless to say the errors are gone and as many can say that bridging ports together can cause a penalty, I am not seeing any of it vs. the cards operating independently of each other. Again, may be attributed to the drivers as well. I was able to easily use the Traffic Shaper wizard to set up my bandwidth and QOS priorities and configure the Firewall for full use within my network.

I will admit, I was one that was all for Opnsense and the constant updates, etc. but to me it was not worth the extra hassles to get there that I value. Pfsense and Opnsense both work similarly to each other, but I would say currently Pfsense is about their Power Users, but with also adding better documentation and wizards as needed for both beginners and power users, making for a more streamlined Firewall Router experience and adding ease of use where it is needed, while still leaving advanced features front and center. Updates are also not as needed, as neither has had a compromise, and I would say Pfsense may follow a more general update pattern that Consumer and Professional router/networking companies take with only immediate out of band updates being done when the impact of the security vulnerability is big enough and that makes sense as you do not want to continue updating all the time and have an update that may break a feature or cause issues with the rest of your network.

I know kind of lengthy, and freehanded it all, but wanted to give a user's experience with the two big firewall services, and some of the issues I ran into as there have been a few posts about them as of late. If you're looking for latest and greatest and faster updates, Opnsense is it. If you are looking for some long-term stability and ease of use wizards, along with pro features and tools still at your fingertips, Pfsense is the better option.

Network Overview

PfSense Firewall - 2U Rack - Intel Q6600 2.4Ghz Quad-Core CPU, 4GB Dual-Channel Corsair Dominator Memory, 240GB Kingston SSD SATA, Syba Realtek RTL8125 Dual 2.5G Ethernet Card, Onboard Realtek 1Gbps Ethernet, and Intel I350-T4 Quad-Port 1Gbps Ethernet Card (Future hardware upgrade planned)
Netgear CM1200 MultiGig Cable Modem (Future upgrade planned)
TP-Link T1600G-28TS Smart Switch
ASUS GT-AX11000 802.11AX Tri-Band Router in Access Point Mode with AiMesh 2.0 running current 386 RC10 Firmware (Plan to go to 386 Final/RTM firmware once available) with LAGG on, plugged into switch
Silicon Dust HDHomeRun Prime 3 Ethernet Cablecard box
HP Laptop with Quad-Core i5 CPU, 6GB DDR4 Memory, 1TB SATA Drive converted to run Ubuntu 20.04 LTS (Thinking about running Asterisk VOIP services from it)
Custom HTPC NAS/Gaming Server in a Silverstone GD08 Rack-mountable case running Windows Server 2019 on a Gigabyte Aorus X470 Motherboard, AMD Ryzen 2700 3.2Ghz/4.1Ghz Boost 8C/16T 65W CPU, 16GB Corsair Vengeance Pro RGB Dual-Channel Memory, 240GB Samsung 960 Evo M.2 SSD for OS, 10G Aquantia Ethernet and onboard 1Gb Intel Ethernet, various SATA drives (soon to be upgraded to at least 3 10-12TB Seagate Ironwolf SATA drives with a 240-512GB SSD as a cache to start. Want to eventually have a total of at least 6 10-12TB drives)
Custom Built Gaming and Multimedia computer with a Ryzen 9 5900X 12C/24T CPU (Not sure if I want to OC or not as the chip is mighty fast already) on a Gigabyte Aorus X570 Xtreme v1.1 Motherboard with onboard 10G Aquantia and 1G Intel ethernet
ASUS RT-AC3100 router in the Living room running in AiMesh with 386 RTM firmware and hardwired 1Gbps Ethernet going back up to the switch (Also acts as a switch for the floor with a Sony Bravia X900H 4K HDR TV, Sony HT-Z9F Soundbar, Sony PS5 and Xbox Series X hardwired to it)
Nvidia Shield 2019 model hardwired in bedroom to 4K Sony Bravia TV (May add a switch later to connect TV, and an Xbox One S hardwired)
Google Speaker connected to 2.4Ghz wireless channel
Google Nest Video connected to 2.4Ghz wireless Channel
3 iPhone 12's connected to 5Ghz-1 Wireless Channel
1 Samsung Galaxy S10+ connected to 5Ghz-1 Wireless
3 Kids laptops all connected wirelessly to 5Ghz-1
2 Work computers hardwired to switch
few other devices also connected

Network runs smoothly and on the Pfsense Firewall, Memory stays around 5% of the 3906MB available and CPU is hovering around 1-3% and running a speed test to load the network, it goes between 6-30%, still within healthy limits. The Smart Switch helps with some offloading too, as I have established LAGG on some of the ports going to the ASUS GT-AX11000 Access Point and to the Firewall. Once the MultiGig switches come down a little more, I will probably add a Smart Switch to the rack too to add more High Bandwidth ports, but the hardware for the Pfsense Firewall will probably be upgraded first to utilize an AMD Ryzen APU 6C/12T Processor/B550 Chipset combo and I may add at least dual 10G ports at that time too.

I am also attaching a link to the site that helped with the drivers, as this may also help anyone else that ran into the same or similar problems or is looking for possibly more stable and better drivers than what is baked into Pfsense/Opnsense.

[Guide] Resolve Realtek NIC Stability Issues on FreeBSD - pfSense (2.4.4, 2.4.5, 2.5.0) + OPNSense, use 2.5Gb Realtek - Self-Hosted & Services / pfSense - serverbuilds.net Forums
 
Pretty much the same reason I stick with pFSense as I mentioned in the other thread, OPNSense frequency of updates looks nice on paper but seems to break things more often looking on Reddit, pfSense devs take a lot more time to iron out issues. Aside from that pfBlockerng is a big reason too. FYI 2.5 is pretty stable for regular use and nearly done with some of the few unfinished remaining issues being those found in 2.4.5 or those that are fixed but awaiting final confirmation as being fixed. Only a couple of issues still need actual fixing.

Also if you need newer drivers included you need to file a request with FreeBSD, that’s how I got my X710-T2L drivers included after a regression took them out. (Not that I can’t compile them myself but that’s a hassle for most people.) Within a month the FreeBSD changes were pulled into 2.5 with the X710-T2L working out of the box. I filed a report with pFSense after changes were made in FBSD 12.1.

As for bridging on 1 Gbe, your CPU is fast enough so it can do it but as you approach closer to 5 Gbe or more it will be quite hard and latency will be higher than an actual switch even at 1Gbe. Makes sense as to why your CPU usage is so high at full speed transfers versus having a dedicated switch (for me definitely less than 10% at full network load unless doing VPN). Of course if it’s handling your workloads/needs can stay as is.

Bridging downsides
Look at stephenw the Netgate admin’s explanation in the link below (4th post):
https://forum.netgate.com/topic/38570/high-cpu-usage-with-interface-bridges/4

Same here. I have looked at OPNSense a couple of times but I really couldn't come up with any good reason to do so. I was very happy with my Mikrotik RB3011 but when I started looking into possibilities to get external access to my Nextcloud with FQDN via https I soon came to the realisation that there was no easy way with the Mikrotik and I read somewhere that pfsense could do it via HAproxy and ACME packages. After installing pfsense, I never looked back. It works great for me and has been doing so since the first time I installed it. pfblockerNG has been a great add-on and I never bothered about the updating frequency.
 
Thanks for the reply @avtella, I believe the driver is in the 2.5 Build by default now, but I have stuck with the 2.4.5 production release, as I cannot afford any small hiccups even since working from Home and Kids remote learning as needed. Most updates and heavy experiments take place over the weekend to avoid any major issues, and I am looking to move to virtual environments for testing configurations and updates out in the future.

As for bridging, it is something that is needed due to multiple NICs being used within same IP/Subnet. The overhead though is more than enough, and although it is not 5Gbe on the Firewall Router side, it still is Dual 2.5Gbe that can even be linked for one 5Gbe, and I am still comfortable with the performance and getting low latency, however, I do eventually plan to upgrade to the aforementioned AMD Ryzen Pro 4650 6C/12T APU on an ASUS B550 (Most likely the TUF series) Motherboard, and 16GB DDR4 Dual-Channel memory. That should be a huge jump with IPC/Process/Cores/Threads and it would be less power hungry and heat over the aging Q6600 I am using now. At that point I will probably also add at least 1 Dual 10Gbe NIC.

I do agree about Opnsense, with some features being updated too frequently that can break settings/etc, but also due to limited documentation and no easier way to use Traffic Shaper, was my reasoning to go back to Pfsense. I do need to reverse course however on my errors out issue, as it happened again, and looks to only be cosmetic when enabling bridge. Some have said it is due to not having all ports used, and I am thinking it extends to my switch when the ethernet cable is plugged from the firewall into it, as that is when I noticed all the errors again. At least I know real world everything is working quite well and no real issues. Could also be a setting I turned on after this post too, so looking into all the possibilities.
 
I bought 2 Q6600 Intel CPUs when they came out many many years ago. They were a great CPU in their time. They give off way too much heat nowadays. I would be replacing it. You might be able to save enough on electricity and AC to pay for a used motherboard and low watt CPU. I would probably buy a low watt CPU and motherboard off eBay.

I guess I am old school but I would never run a Realtek NIC. I will only run Intel NICs for things like a router. From what I remember Realtek NICs require a lot of CPU power plus their drivers are not very good.

I am not sticking up for Opnsense as I have never run it. I ran pfsense a few years ago and it did not play well with others. I always run a Cisco L3 switch and it did work with pfsense. I think pfsense is designed to really be the only L3 device in the network. And it is better than any consumer router you can buy. I think Untangle is a better firewall overall. Untangle is harder to use and set up but once running it requires a lot less maintenance. Untangle also costs $50 per year to run.
 
The Q6600 CPU is the only old CPU on my network, and it will be replaced eventually with an AMD Ryzen/Pro 6C/12T APU/ASUS B550 TUF motherboard combo that will be tuned for power efficiency. If it was not for my 2U Rack case and requirements, I would have used my ASUS CH6E board/Ryzen 1700 combo, but it doesn't fit and may also draw extra power due to board was completely on the high end when it launched. I currently have the Q6600 tuned to 1.6Ghz when not on load, and it will go to its 2.4Ghz spot as needed. I do agree though it is a hot chip, but this build started as an experiment and eventually morphed into a piece of my network backbone.

Depending on the chipset, the Realtek hardware has gotten slightly better, and I have noticed big enough improvements by using Realtek's direct driver. Currently Intel does not have a Dual 2.5G card, and their Dual 10G cards were more expensive and not needed right now due to the hardware currently in play. I have been using the Dual 2.5G card for quite some time now and it is now really putting a big strain on the network/CPU/memory of the Pfsense firewall and runs flawlessly. As I make upgrades, I will be adding a Dual-Quad 10G Ethernet card for the long term. Short term, my Quad Intel I350-T4 NIC and Syba Realtek RTL8125 Dual 2.5G NIC are plenty. I also have a 24/28 port TP-Link Smart Switch plugged in.

Nothing wrong with Opnsense, just that it was not ready for primetime and what I needed. Looks like they were doing a bunch of rewrites, and currently it was missing features that Pfsense had. Pfsense has gotten better from what I can see from previous builds to the current 2.4.5 latest release. 2.5 will be a nice welcomed upgrade, and from what I can see 3.0 may be a huge update of sorts. IMO $50.00 is not worth it at all. For one, Pfsense and Opnsense get some of the highest scores/reviews as the best firewall router software. The 2nd part would be the cost of ownership increases, and they would need to offer quite a few updates to justify that premium in a home/small office environment. For me it is all about the open source nature of the software and support both with the developers behind it and community outside of it. That is what also in turn helps Pfsense and Opnsense flourish. As far as playing nice with other networking hardware, as I mentioned I have an L2/L3 24/28 Port Smart switch from TP-Link, and an ASUS GT-AX11000 Wireless router, connected along with various other networking equipment, and Pfsense plays very nice with it all. I don't know what last version you played with, but I would give it another shot.
 
So now I am back on the fence of upgrading my Firewall Router. As I mentioned I switched back to Pfsense due to a few features that to me were more matured and ready to go, with little effort, while Opnsense was rewriting some code, and the Traffic Shaper (QOS) was rewritten and they did not have a wizard to make the setup easy and effortless. That was my biggest needed feature requirement.

Now we are close to Pfsense 2.5 launching and Netgate made an announcement that sticks out as a sore thumb to me. They are making a revenue move by announcing PfSense Plus will get updates much more rapidly but you have to buy their hardware in order to get the plus edition. The talk is now whether Netgate will keep the community edition live and well, or let it slowly fade out, or possibly be updated less. That throws a big monkey wrench into things and may just leave the door open to review alternatives. I want to say before this announcement went live, my feeling was that Opnsense was better supported with the community and left to be 100% Opensource, while Pfsense was Open source to an extent with caveats. Now looks like they are wanting revenue and one way is to shift attention to their hardware. I may be re-thinking this all again, especially now that the recent version of Opnsense just launched moving to 21.1 Marvelous Meerkat. Decisions, decisions, decisions. How does anyone else feel about this news?
 
You don’t need their hardware for pfSense Plus it’s free for home and lab use. Only paid for commercial use. They said as much in their statement, it’s easy to miss as it’s half way down in their announcement for pfSense Plus.

If you only want OpenSource version then the CE edition will also still be maintained and developed. They’re already preparing for pfSense 2.6 as 2.5 is almost done.

They also hire FreeBSD devs and contribute to FreeBSD itself from which both firewall distros benefit, I personally don’t see anything wrong in trying to increase revenues via this change for their efforts and might even be a bigger incentive to make faster and better changes. I see it more like Google Chrome and Chromium.
 
I thought that too, but looking further into it and at other sources familiar with what is happening, it looks like they will use the plus edition to push updates out more rapidly and relegate the community edition to slower updates with the possibility of evaluating what support they now want to give.

It does not exactly surprise me as that is how we got Opnsense in the first place, due to policies and inner developer conflicts. This could have also been done due to the pandemic and businesses hurting. I could see that too as 2.5 was met with delays too, coming a little later than planned and they backed away from the whole AES-NI requirement.

I am still evaluating options and always open to suggestions. My biggest requirements are security, flexibility, performance, ease of use but still offer power tools, and getting updates for min of 4+ yrs.
 
Yeah CE and Plus will diverge over time they don’t deny that but I’m certain FreeBSD changes/patches will still be ported over just like in OPNSense. With the bad blood between the two dev teams I can imagine Netgate will at the least keep pfSense CE edition good enough to track with OPNSense to prevent people from jumping ship.

They’re going to start adding more and more proprietary features on top of that in pfSense Plus that probably won’t be available to CE (or trickle down slowly) and even OPNSense as it would be closed source so no access for them either so in that sense I feel CE and OPNSense will be at a level playing field unless OPNSense does some major feature set editions or changes.

Yeah who knows what the long term future holds but hey you have lots of options out there.

You may also wanna look at NethServer looks kinda interesting and has firewall features among other things.
 
I guess full reading on my part was also required lol. Still overall, what I was not expecting and seeing in that article, is that Pfsense Plus 21.02 and PfSense 2.5 will essentially be the same but from that point forward, Pfsense Plus will be the more focal point and get updates much quicker on top of some exclusive features/updates. To get the Plus you have to pretty much buy into their hardware and ecosystem.

For the time being the CE edition will remain open source, but the updates may be further apart, with only some expected security updates being released sooner. Also looks like that revenue spot I was talking about earlier will show its full ugly head as currently PfSense Plus is only available on Netgate hardware, AWS, and Azure. They plan on also making it available to 3rd party hardware sometime around June and I suspect it will carry a price to get faster upgrades and support possibly on some perpetual license or monthly/yearly pay 4 updates plan.

This clearly opens the door to check Opnsense back out especially now that 21.1 is out and part of that update included "Fix stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers" amongst other updates. The drivers are a big selling point alone in that update, as we know what a bad or untuned driver can do to performance and stability of a network, let alone in any software. Plus updates are now 6 months for major updates and security patches look like about every two weeks still. Only concern would be due to re-writing some code, features I am used to in Pfsense have been removed or not fully completed in 20.7 of Opnsense, along with a few hiccups. Looks like 21.1 is more of a refinement along with building out the new changes more clearly to start.

Luckily for me right now I am playing with it at home and not something I am rolling out to anyone. Gives me time to figure out for myself first, and better learn and make recommendations from there. Pfsense was my fallback and felt more streamlined in certain areas, and why I switched back, with lesser updates and a move towards a pay model for faster support and updates in that regard, OpnSense or another alternative may be the option. Also gives me time to figure out what direction I really go as I am looking at a big enough hardware upgrade for the firewall router, as I already invested in the rackmount case and NIC cards so far, but the aging Q6600/G41MT-USB3 Motherboard is the only thing old and least powerful on my entire network pretty much.
 
Honestly, I think there is a bit too much drama around this and a lot of (miss?-) interpretation. I also read the thread on the Netgate forums and what bothered me was that whilst the Netgate rep. was clear about the future of pfsense CE still people continued to whine about opensource vs. closed source and the frequency for updates. I will stick with pfsense for now and see how it all evolves. Personally, only looking forward to 2.5.0 for now but even with that one, I do not want to be an early adopter. 2.4.5_p1 works great for me and given the fact that everything is working, fast and good internet and wifi is crucial with all the home office and remote lessons and the fact that I do not even have the slightest complaint about pfsense, not sure why I would need to go do anything.
 
I agree to an extent. I stayed out of the Netgate forums purposely for that reason of bickering or back and forth. Here I can at least have a sensible conversation and get opinions as well as speak my mind and no major whining over it.

I did compare some tech news sites and it does look like Netgate is using plus edition not just for renaming purposes but also to lock code down to stop forks of the OS and it was still a revenue move. May end up seeing paid for packages also become more of a thing, similarly how Asterisk is with certain builds.

My thing more or less still boils down to the support and there are some subtle hints that Netgate may stop or even further slow down development of the community edition of Pfsense, even though right now they are saying they are committed.

I do not see any major change for small to medium/large businesses as most use purchased hardware from an approved vendor and not custom built equipment like some of us are doing. It may be more of a blow to home users especially tech enthusiasts.

With that said I am always evaluating options and may hold out until 2.5 hits sometime this month but still liking the new changes in Opnsense as far as finally stabilizing the driver issues that plague both Pfsense and Opnsense and having support for the newer NIC cards too. For me this is home use and will become my production firewall Router.
 
Hello friends. I currently have an OpenWRT router and have been considering building a PC and looking for a gateway OS for it. I was looking for differences on pfSense and OPNsense and got here.

Tnx a lot for the thread comparing both. My main need is support for dual-wan multi-homing, with load balancing and failover. Most OS have that, but I also need NPTv6 with support for dynamic prefix, because both my ISPs insist on providing a single /64 prefix and they claim that only state-owned ISPs are forced to follow open standards. Yes, they claim they have only to offer connectivity to their intranet, and if we're unable to reach Internet it's our problem.

As of now, OpenWRT provides multi-homing with its mwan, but it only works for IPv4. For IPv6, all devices receive addresses on both prefixes and use the routing they desire. For all other VLAN, Internet is unreachable in IPv6. It has no support for NPTv6.

pfSense and I believe opnsense support NPTv6, but only with static prefix. Every time an ISP changes the prefix, I'd need to notice it and update the setting. opnsense has a task for adding support to dynamic prefix, but it's been years that nobody has worked on it. It seems that most devs have enough ISP competition and just hire one that provides static /56 prefix, and most users just disable IPv6.

I believe NPTv6 to be the simplest solution for me, because it'd allow me to provide a single prefix for all devices and keep the load balancing + failover being managed solely by the router. When my router goes down I lose Internet access, which includes some cloud services I use, so I need to stop whatever I'm doing and fix it, so it's not an option to have a working LAN while Internet is down.

Regarding pfSense+, I also feel sad about it, but I'm not surprised. Ever since I learned about pfSense, it felt odd that Netgate gladly provides their OS for free and profits from selling appliances. In Brazil there are only 2 companies that sell them, but 1 doesn't have them for sale and the other only imports on demand.
One of my requirements for the new router is to be properly able to backup and restore the storage partition, so an appliance isn't good for me.

I don't mind them having a paid edition. RedHat and other Linux distros did that years ago and they still have their community edition rolling. If they'd require a subscription and keep it at a low price, I'm wishing to pay for it. The money would keep the business sustainable and assure new features be implemented. But then, they still don't support dual wan + dynamic prefix + NPTv6. I'm not comfortable paying a subscription for a service that doesn't have the main feature I most need.

My issue is them providing it as closed source. I agree that their objective is avoiding forks, be it of the full OS or of features they develop. I'd be glad if the subscription would incentivize them into developing the feature I need, but I fear them keeping it closed, opnsense and other OSes being unable to use their code, and me being locked in to them.

On the other hand, what we've seen is that the community edition of solutions that followed that path had lost popularity. Few people use Fedora today. Even OpenOffice lost support compared to LibreOffice, just because their license is "less open".

In any case, I believe it's a fair move, at least for a try. If they fail to succeed, at least I hope they move back and open the source of any feature they develop, so that at least it can be forked.

Lastly, they said that as of June pfSense+ will be available for "3rd party" hardware. Let's see how it goes, and how hard it will be to move between pfSense+, pfSense CE and opnsense, keeping existing settings.
 
I haven’t used the OPNsense solution. Having been a FreeBSD user, I don’t wish to say how long and be the old guy; I was a fan of the net screen firewall but knew it was going to end one day. I went with a netgate firewall because it was the only appliance using something I felt was better than the other options and of course FreeBSD had me anyway.

I was always expecting someone to use ipfw in the creation of an appliance, and it still has my vote as the winner.

I like pfsense but there are things I personally would have done differently but everybody feels that way so really I have to say it’s the best home appliance available for perimeter placement.
 
I moved from PFsense to OPNsense a few years back because the forum moderators were very rude and nasty to posters. Maybe that has changed now. It got so bad they were blacklisting dozens of people including myself just because I once reposted the same question in a new thread. Also the threats of PFsense going to paid only was enough to make me bail. No issues with OPNsense. 5 years going strong on a dozen clients.
 
I moved from PFsense to OPNsense a few years back because the forum moderators were very rude and nasty to posters. Maybe that has changed now. It got so bad they were blacklisting dozens of people including myself just because I once reposted the same question in a new thread. Also the threats of PFsense going to paid only was enough to make me bail. No issues with OPNsense. 5 years going strong on a dozen clients.
Both are good options, but Opnsense seemed to have more support at the time and the updates were coming faster. I do miss a few things on Pfsense, such as the Shaper/QOS wizard. I am hoping Opnsense adds one soon, as practically all routers have that feature, even in the basic ones.
 
Thanks for the helpful post. Two questions, as I am thinking of investing in a router for one of the two:
From my personal experience of using both, Pfsense shows that with age and a robust community when it comes to web searches for help and tutorials

Pfsense and Opnsense both work similarly to each other, but I would say currently Pfsense is about their Power Users, but with also adding better documentation and wizards as needed for both beginners and power users
So, to be clear – are you saying that for a new pfSense user, there is more/better help available than for a new OPNSense user?

I will admit, I was one that was all for Opnsense and the constant updates, etc. but to me it was not worth the extra hassles to get there that I value.
Do you have to take the updates, or can you wait and see how other users' experience is before taking the plunge?
 
