Maverick009
Senior Member
I have previously discussed my many network changes and tests, including a most recent discussion of moving from Opnsense back to Pfsense and my reasoning why. Now fast forward to 2021 and further testing, including with the latest major release of Opnsense 21.1. Initially my logic for going back to Pfsense was due to a little more stability with some features/drivers, and the Shaper wizard was a blessing. It also did not mean I would stop testing software/hardware and features out. So what did I do? I for one read more about the differences, and further educated myself on the tech and the differences between them. The next thing was to plan out what I really wanted with my network and what would be connected.
There were 5 pillars I built my network on:
1. Security
2. Updatable
3. Stability
4. Performance
5. Expandability and Flexibility
Let me explain the 5 pillars further, to give a deeper understanding. Security was the first pillar and sits at the top, as no matter how fast or updatable your network can be, it is nothing if it is not secure. With my choosing of Opnsense, it gives me more than enough security, and even goes as far as weekly updates for security fixes or updates. It also goes hand in hand with the 2nd pillar, which was to be updatable. Opnsense not only gets the weekly security updates, but also gets point releases that enhance or patch the current major release you are on. Speaking of the major updates, you can expect a major update roughly every 6 months, and the latest version 21.1 AKA Marvelous Meerkat did some major improvements on the drivers and stability enhancements, which is very welcome, along with supporting newer NICs including the 2500Mbps cards that have been flooding the market in the last year as the new standard. With Opnsense, you can expect to get all major updates, and the weekly and point releases, with no catch. The latest iteration of Opnsense (21.1.3 as of this writing) has been rock stable and performs very well. As far as performance goes, I currently have a Netgear CM1200 Cable Modem plugged into the Opnsense Firewall router with a single 1Gbps connection on both ends, and running speed tests, all my devices are able to hit the full bandwidth of the Gigabit internet speed (940Mbps due to overhead with Comcast), with no errors or issues. I also have full intranet performance too, and the Opnsense Router keeps up with my network's needs. Now the last pillar is partially a need but also more of a want, and I can say if you go completely the custom route, you can achieve this goal very easily. The hardware in place will give me the expandability as I need it and the flexibility to work with what I have and what I may want/need down the road.
Now that I have explained the 5 pillars, let's dig further into the last 3, as the first 2 already come by design. As I mentioned, stability is a big part of the network, and the latest version of Opnsense went a long way to improving the framework and driver stability. Now I am not only looking for stability in software alone, but also in hardware. Right now I have Opnsense 21.1.3 running on a custom rackmount system with an Intel Core Q6600 2.4GHz Quad-Core CPU on a Gigabyte G41MT-USB3 Motherboard, with 4GB Corsair DDR3 Dominator Dual-Channel Memory. The OS is installed on a 240GB SATA SSD. As far as NICs go right now, I have the 1Gbps Realtek card built in to the motherboard, an Intel I350 Quad Gigabit PCIe x4 card, and a Dual 2.5Gbps Realtek powered PCIe x1 card. Originally I was bridging 2 ports of the Intel I350 card with at least 1 port on the Realtek Dual 2.5G card, but have recently forgone bridging to take my network further into isolation and a little bit more performance. It also allowed me to experiment with separate subnets too. I now have the Intel I350 Quad NIC being used with 1 port as a WAN port from the cable modem, with the 2 ports above reserved for LAGG (the modem supports Link Aggregation to multigig speeds, and if I go this route, on my Gigabit connection, I can get about 1.1-1.25Gbps as Comcast leaves some headroom). The other two ports of the I350 are plugged into a TP-Link T1600G-28TS Managed Switch, as I am looking at possibly separating some of the ports on different subnets as well. The 1 port of my Dual 2.5G card is currently connected directly to my main gaming/multimedia custom computer's 10G NIC and achieving the full 2.5Gbps speed on a different subnet from the rest of the network.
The network is pretty stable, and I am still achieving full performance even with splitting the network subnets on the current hardware I have. The setup, software wise, can be a little confusing, but if you have a basic understanding of networking, it can be fairly easy to get most of the settings right. The hardest part more or less is the firewall rules configuration, especially when working with more than one LAN, but there are guides and assistance you can find just by searching or going to the forums. I think the hardest part was getting VLAN to work, and that so far I could not get configured correctly on the Opnsense side, but as I mentioned, I have a connection to a managed switch which does support VLAN out of the box, and it may be easier to just let it manage VLAN connections. Work in progress is what I will say. Overall I have two different subnets at this moment, and with the firewall rules, each subnet can connect to the internet and also speak to the other; for instance, I can type the IP address of a device on the one subnet from my main system that is on a different subnet, and it just works.
I also have an Asus GT-AX11000 Router, which was considered the highest home wireless router you could buy at the time, connected to the network in Access Point Mode. It is connected to the Managed Switch with two 1Gbps Ethernet connections in LAGG, giving essentially a 2Gbps connection and eliminating any major bottlenecks. From that I have all my IoT devices connected on the 2.4GHz radio, and have the 5GHz radios split handling various high performance devices and smartphones. I also have the GT-AX11000 running in AiMesh mode with an Asus RT-AC3100 Wireless router as an AiNode wired into the network through the Switch and managing the Living Room Sony 4K 65in Android TV, 4K Apple TV, Sony Soundbar and Sony PS5 connected wired, with the Xbox Series X wirelessly connected. It also helps expand the wireless connection out, and all IP addresses are managed from Opnsense. There is no performance penalty either for how I am using AiMesh, and I can rely on Opnsense being the sole firewall hardware piece of the network.
Using this latest version of Opnsense and now getting past testing it in a production environment, I can safely say that Opnsense may be the better option long-term, as they are redoing the framework of the OS instead of directly just being a semi copy of Pfsense, and embracing newer tech while at it. I also learned that although the Shaper does not currently have a wizard, it was due to re-writing the Shaper, and from the forums and searching, it looks like a wizard will be added at a later date. In the meantime, I found some tips and tricks to help me add some shaping settings to my network to manage QoS. With Pfsense pulling back on some features, requiring you to buy their hardware/partner hardware to get faster updates and new features, or forever wait until they push it to the free version, it just did not sit as well with me. Plus they are going between 1-3yrs between major updates; it just doesn't feel like they will be able to keep up, as networking is changing quickly and possibly much more than, say, 2yrs ago due to this pandemic creating a new need, pushing people from smart devices back to desktops and laptops and a network to support them. I still have the expandability and security, and get updates on a regular basis with major releases at least once a year, making sure my network stays secure and can support my needs now and my wants and needs later. I am also planning a major firewall router upgrade moving to at least a 6 Core/12 Thread AMD APU and 16GB DDR, but once I am ready for that and can secure the hardware, I will share my experience then, as that will fit my last pillar much more.
I hope this write up gave you more insight and showed why even planning can be a good thing no matter the network size. The biggest thing I hear is home router running stock or 3rd party vs. Opnsense/Pfsense, as the software is hard to configure. Yes, the deeper you go into the software, Opnsense can become more complicated, but out of the box, it will assist in configuring a WAN and LAN connection for basic usage and set the default rules. The complexity comes when you go beyond that or want custom rules, and even then just a little reading or a search on the internet can assist in most cases. Also with Opnsense, there really is no hardware limit to how many clients can be connected, whereas consumer home routers can be limited in addresses and/or hardware functionality. Just keep that in mind when planning your network for now and for expandability.