OPNsense is criminally underrated. My main routers for my office are virtualized OPNsense VMs in high availability with CARP, DHCP, DNS, VPN endpoints, inter-VLAN routing, gateway policies, outbound NAT... I could go on. It all works extremely well; I can't fathom why people still choose pfSense with all of the community shenanigans and closed-source versions.
My only gripe with it over 3 years has been that the documentation on their APIs for programmatically updating firewall rules/aliases could use some more examples, or just mention "use the browser's network requests developer mode to see what calls you need to make".
I did LOTS of research on what firewall/router distro to install to my new router a few months ago. See my comment history for considering different options.
I have to say choosing OPNsense has been a great choice. All the things you said I can agree on, but I have to add one more thing:
That quick search bar on the top-right corner where you can quickly type where you want to go. That thing is just super nice when jumping through places in the router.
Now if I'd need to build a new router, I'd like to try my luck with NixOS. Would be great if I could just build a new router from a reproducible configuration.
Same here, but I've concluded that there is nothing better than a simple install of pure OpenBSD or FreeBSD and setting the rules in /etc/pf.conf. It's safer, faster, lighter, and I could argue that it is also easier to admin with just SSH and no web code in between.
For example, in the latest version of OpenBSD, which has a WireGuard kernel implementation, the management tool has basically been included in the ifconfig command.
ifconfig wg0 create wgport 5180 wgkey ...
And then you are set. For persistence you create a /etc/hostname.wg0 file containing the commands to bring the interface up.
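The persistence step described above (a /etc/hostname.wg0 whose lines netstart(8) hands to ifconfig at boot), as an added example that is not part of the thread: a small POSIX sh script that renders such a file from a listen port, keys and peer settings, refuses keys that are not 32-byte base64, and writes the result with root-only permissions because the file carries the private key. All keys, addresses and the port 51820 are constructed placeholders; the function names are this example's own, not OpenBSD tooling.

```shell
#!/bin/sh
# Added example (not from the thread): render an OpenBSD /etc/hostname.wg0
# that recreates the WireGuard interface at boot, with a sanity check on the
# keys before anything is written. All values are constructed placeholders.
set -eu

# True if $1 looks like a WireGuard key: 32 bytes of base64, 44 characters,
# with the two unused padding bits of the 43rd character zero.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print hostname.wg0 contents. Each line is passed to ifconfig(8) by
# netstart, so these mirror the interactive ifconfig invocation.
# $1 listen port, $2 our private key, $3 our tunnel address (CIDR),
# $4 peer public key, $5 peer endpoint host, $6 peer endpoint port,
# $7 peer allowed IPs (CIDR, wgaip)
render_hostname_wg0() {
    valid_wg_key "$2" || { echo "bad private key" >&2; return 1; }
    valid_wg_key "$4" || { echo "bad peer public key" >&2; return 1; }
    printf 'wgkey %s wgport %s\n' "$2" "$1"
    printf 'wgpeer %s wgendpoint %s %s wgaip %s\n' "$4" "$5" "$6" "$7"
    printf 'inet %s\n' "$3"
    printf 'up\n'
}

# Write the file so that only root can read the private key inside it:
# created under umask 077, then set to the conventional 0640.
install_hostname_wg0() {
    dest=$1; shift
    ( umask 077; render_hostname_wg0 "$@" > "$dest" )
    chmod 0640 "$dest"
}

# Usage (placeholders; real keys come from `openssl rand -base64 32`
# or the peer's public key):
# install_hostname_wg0 /etc/hostname.wg0 51820 "$PRIVATE_KEY" 10.0.0.1/24 \
#     "$PEER_PUBLIC_KEY" 203.0.113.10 51820 10.0.0.2/32
# then: sh /etc/netstart wg0
```

The first rendered line is the file form of the interactive `ifconfig wg0 create wgport ... wgkey ...` from the comment above; the `wgpeer ... wgaip` line is what makes the tunnel usable, and the key check catches the common mistake of pasting a truncated key, which ifconfig would otherwise reject only at boot.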
I run OpenBSD virtualized on Proxmox and it's fantastic and not that difficult to set up (I'm a casual tinkerer at best). I've got a gigabit connection and can saturate that without any significant stress on the single core that it runs on.
When I came into FW distros, my practical choices were MonoWall, SmoothWall and pfSense. IPFire wasn't even on the scene yet. pfSense won me early. I figure there are a lot of similar stories of pfSense being there for us when not much else was.