Please use Opnsense now, or something else entirely (Vyos is great but CLI based).
I was a big pfSense fan, telling myself that the odd stuff Netgate did was normal/justified.
Until the attack on Wireguard's Jason A. Donenfeld. Then I realised - it's all true. They are bordering on insane in that organisation. I regret suggesting my old workmate purchase some of their hardware now.
Opnsense is a great replacement. I'm sure it's not perfect, but they're open, friendly, responsive and don't make you question every comment you write on their forum for fear of being banned.
> Until the attack on Wireguard's Jason A. Donenfeld. Then I realised - it's all true. They are bordering on insane in that organisation. I regret suggesting my old workmate purchase some of their hardware now.
This sounds fun. Do you know where I can read more?
I just found these tools that help with migration. They pretty print the configuration XMLs such that one can transfer the settings manually through the GUI step by step and finally verify with the second tool.
But don't use these if your configuration is simple enough that you can manually recreate it, on the completely-impossibly-rare chance that pfSense has managed to subtly bork itself and you're switching to OPNsense to get a more reliable device....
I highly recommend implementing the firewall rules from scratch.
Firewall rules tend to acquire "cruft", especially in domestic settings, where you add rules to "fix something", and there is rarely any review of existing rules.
Personally I keep a spreadsheet of the firewall rules I need, including inter-VLAN communication, with source/destination IP/port as well as a link to any article describing why this port needs to be open (like Sonos across VLANs, etc).
It sounds cumbersome, but it doesn't change frequently, and reimplementing it in a new firewall takes 30-60 minutes.
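The spreadsheet-as-source-of-truth approach above lends itself to a small script: keep the inventory in CSV, let a review step flag the "cruft" (duplicate rules, and rules already covered by a broader earlier rule), and generate the firewall's rule syntax from the inventory so the re-implementation is mechanical. The following is an added example written for this thread, not code from any poster or from pfSense/OPNsense/VyOS; the CSV contents, addresses and rule names are constructed, and the output uses pf.conf-style `pass in quick` lines (first-match semantics) as an illustrative target format.

```python
"""Review a firewall rule inventory for cruft and emit pf.conf-style rules.

Added example (hypothetical helper). The inventory below is constructed to
mirror the spreadsheet columns described in the post: where the rule applies,
what it matches, and a link or note saying WHY it exists.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory; 'any' is a wildcard for proto/dst/dport.
RULES_CSV = """\
name,iface,proto,src,dst,dport,reason
sonos-ctrl,iot,tcp,10.0.20.0/24,10.0.10.0/24,1400,https://example.invalid/sonos-vlans
sonos-disc,iot,udp,10.0.20.0/24,10.0.10.0/24,1900,https://example.invalid/sonos-vlans
admin-web,lan,tcp,10.0.10.0/24,10.0.10.1,443,firewall GUI from LAN only
admin-web-dup,lan,tcp,10.0.10.0/24,10.0.10.1,443,added during an outage; never reviewed
lan-all,lan,any,10.0.10.0/24,any,any,general egress
lan-dns,lan,udp,10.0.10.0/24,10.0.10.1,53,already covered by lan-all
"""


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: str
    reason: str

    def key(self):
        """Match criteria only; two rules with equal keys are duplicates."""
        return (self.iface, self.proto, self.src, self.dst, self.dport)


def parse_rules(text):
    """Parse the CSV inventory into Rule objects, preserving order."""
    return [Rule(**row) for row in csv.DictReader(io.StringIO(text))]


def _covers(wide, narrow):
    """True if 'wide' already passes everything 'narrow' would pass."""
    def field(w, n):
        return w == "any" or w == n
    return (wide.key() != narrow.key()
            and wide.iface == narrow.iface
            and wide.src == narrow.src
            and field(wide.proto, narrow.proto)
            and field(wide.dst, narrow.dst)
            and field(wide.dport, narrow.dport))


def find_cruft(rules):
    """Return (duplicates, shadowed): rule names a periodic review should question.

    duplicates: identical match criteria already present under another name.
    shadowed:   an earlier, broader rule already passes this traffic, so under
                first-match evaluation the rule never does anything.
    """
    seen = set()
    duplicates, shadowed = [], []
    for i, rule in enumerate(rules):
        if rule.key() in seen:
            duplicates.append(rule.name)
            continue
        seen.add(rule.key())
        if any(_covers(prev, rule) for prev in rules[:i]):
            shadowed.append(rule.name)
    return duplicates, shadowed


def to_pf(rules):
    """Render rules as pf.conf-style lines; the reason travels along as a comment."""
    lines = []
    for r in rules:
        parts = ["pass", "in", "quick", "on", r.iface]
        if r.proto != "any":
            parts += ["proto", r.proto]
        parts += ["from", r.src, "to", r.dst]
        if r.dport != "any":
            parts += ["port", r.dport]
        lines.append(" ".join(parts) + f"  # {r.name}: {r.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_rules(RULES_CSV)
    dups, shadowed = find_cruft(rules)
    print("duplicate rules:", dups)
    print("shadowed rules: ", shadowed)
    print(to_pf(rules))
```

Running the script lists `admin-web-dup` as a duplicate and `lan-dns` as shadowed by `lan-all`, then prints the generated rules. Keeping the CSV (and the generated output) in version control gives a diffable history of every rule change, which is the review step the post says is usually missing.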
The best firewalls/routers I've ever used have been Vyos (or Vyatta) based.
Point & Click has its charms, but it's a crutch. With Vyos you can "replay" your entire configuration over a serial port, as well as make changes to it in a regular text editor.
It does have a learning curve though :)
I'm also on the UniFi line of things for now, but I really wish somebody would make a decent Vyos based appliance (low powered ARM device) like the Ubiquiti Edgerouters of old.
Are you aware of any trustworthy, free VyOS builds? I'd be interested in trying it out at home, but I'm not interested in paying $6k/year or using an unstable nightly. I tried building it myself once but didn't have time to get it working locally.
You can get monthly snapshots free of charge which receive some testing compared to rolling builds. They currently have 1.3 RC builds https://vyos.net/get/snapshots/
Yea, my home router is Vyos now (running under Proxmox virtualisation) and it's just 100% rock solid. Uptimes of 120 days until I reboot it etc. I used to use pfSense but migrated when I hit a pfSense CPU bug. I also find I get better performance (less CPU usage) running "Linux under Linux" instead of "FreeBSD under Linux" as I was with pfSense (it was virtualised too)
What "pfSense CPU bug" are you talking about? Do you mean the Intel C2000 bug[0] that had nothing to do with pfSense and also affected dozens of other vendors, including Cisco among others?
I similarly am running OpenBSD as a home router under proxmox and it’s rock solid. I had more time on my hands when I set it up than I do now, but thankfully it’s without issue and just seems to always work so there isn’t really any maintenance other than point upgrades to OpenBSD when I remember.
I've considered virtualizing my current hardware Opnsense router, mostly to save on electricity. But I fear the situation of needing to do maintenance or troubleshooting on the Proxmox host without internet. What fallback do you have?
I have a cluster of 3 Proxmox hosts, mostly to teach myself about clustering. I have two Vyos instances running VRRP between them. If the primary fails, the secondary sees the VRRP state change, runs a small script to bring up the PPPoE interface and we're away laughing. It syncs state, so people notice ~8-10 seconds of packet loss and everything just keeps going.
It's quite nerdy though. And all it does is move the single point of failure to the switch (required for the hosts to talk to each other for VRRP etc)
Proxmox is so reliable in my experience though, but I don't tend to fiddle with it, just set and forget.
This is my main issue with pfSense/OpnSense. Even the dedicated hardware appliances are quite power hungry compared to some of the rather capable Linux ARM boxes out there.
For comparison, an 8 Gbps capable pfSense appliance (like the Netgate 4100) requires 40W-50W (max 60W), where the UniFi Dream Machine Pro, also capable of 8Gbps, has a maximum power consumption of 33W, which includes a 3.5" harddrive for UniFi Protect. Mine uses about 18W without the harddrive, and 22W with a WD Red.
A difference of 25W over a year at current European electricity prices (€0.5/kWh) means a saving of 219 kWh (€109/year). Considering that electricity has been as high as €1.12/kWh this spring, it could be even higher.
As for virtualization, while it's a great learning experience, it's probably more trouble than it's worth. I greatly prefer appliances for network.
Yeah, I'm in the same boat, but I doubt it's gonna save much electricity, and whenever I patch ESXi (or Proxmox) the entire internet connection is down.
Their hardware has not been reliable. We've purchased 4 devices from them for our medium sized business - and 2 of them failed completely within 5 years. Maybe both failures were anomalies, but these were the only two commercial grade devices we've had that failed in that same period.
I'm not sure what these devices are based on, but there was a time when a lot of the Netgate lineup was using Intel C2000-series Avoton CPUs. Down the road it was discovered all of those were susceptible to a hardware bug known as AVR54. Could it be why your devices failed? More info here: https://www.servethehome.com/intel-atom-c2000-series-bug-qui...
Just read the blog post from Netgate, sounds to me like they have decent values. Also them asking to keep safe disclosure procedures doesn't sound insane to me either. Beyond that it's a he said she said thing IMHO, and I don't have the time to get involved in any of that. Stuff happens between people, and them not managing to work it out doesn't per se mean they are evil or "insane".
I'm an Open Source user of pfSense (so they don't get money from me) but I still had an extremely helpful experience recently, when I had a feature request. Once I filed it, it was implemented quickly, MUCH better support than I could ever expect from a paid commercial firewall. Also the product runs reliably and has been very stable for years. So I won't look for alternatives any time soon.
Netgate pissed off the open source absolutists, who mostly don’t give netgate money.
While I understand their complaints, I don’t understand the constant attacks and hate, as anyone who doesn’t want to support pfsense if there is a paid and a free oss version, is welcome to start a fork or work on other projects.
I recently switched to Ubiquiti’s Unifi line and am extremely happy, mostly for moral reasons, compared to how I felt being a pfSense user these last few years.
The APs are good and the switches too in my experience. However the UDM-P is a troubled device. It’s buggy, things break or stop working and it loses its config every so often.
The form factor is very compelling and the concept is great.
> However the UDM-P is a troubled device. It’s buggy, things break or stop working and it loses its config every so often.
I've been running a UDM and UDMP for years, and have literally never run into any of those issues, despite having a somewhat complex network (for a home network anyway).
It runs 24/7 and only needs reboots when a software update requires it. Multiple VLANs, road warrior VPN. I run a site to site VPN between my UDMP at home and UDM at my summerhouse, and that has been rock solid as well.
In the latest EA version of the software, there is also some support for Wireguard (through UI's Teleport). I'm not sure if "raw" Wireguard is available (yet).
Latest version also implements policy based routing.
That, plus they try very hard to drive you to their cloud. It's not necessary, at least with older hardware, but their cloud has been breached and people should probably ask if they really need its convenience vs cost, privacy and security.
I just ended up resetting my network (switch, sec gateway, controller, and AP) and it's a little tricky without their cloud. You need to do some SSH'ing.
Caveats aside, the hardware is outstanding, the disk AP is solid as is the consumer grade cube one. It's a good prosumer and small business option despite the downsides.
I would hope nobody's opening up the admin interface to the internet. It's certainly not the default. The pfSense / OPNsense codebase is not written to be secure against malicious users in general, even unauthenticated ones that can't get past the login screen. For example I'm pretty sure php-fpm does nothing to prevent slow-loris.
(The admin interface listens on all network interfaces, including all WAN interfaces. However the default firewall rules black-hole all incoming traffic on the WAN interfaces.)
> (The admin interface listens on all network interfaces, including all WAN interfaces. However the default firewall rules black-hole all incoming traffic on the WAN interfaces.)
Also, at least in OPNsense, for some reason, not all interfaces get an IP in the DNS. So if you want to access the admin interface via a name with a certificate, it may not always work if you selectively enable the listening interfaces.
I've had this happen a week ago, where the DNS name wouldn't resolve to the internal interface's IP for some reason... I would only get the WAN interface and some other restricted one I have.
Change the Unbound settings to only listen on LAN interfaces, or even just one specific LAN interface. Eg I have four LAN interfaces but have Unbound configured to only listen on LAN1, so my router FQDN only resolves to the IPs of LAN1.
I think the scenario isn't people hitting it through the internet, but some attack chain involving, for instance, clickjacking, XSRF, XSS, etc. in another website that tries to access the UI in case the admin is authenticated in the firewall and visits the malicious website.
I have never been able to figure out the intent of random slow loris attacks I’ve seen and mitigated on small networks I’ve worked on. It’s just random IPs connecting to the webserver for no reason other than to jam it. It’s not even a competition thing; it’s like having a super soaker full of superglue and just spraying it up in the air blindfolded.
When holes like this are exploited it is in combination with other flaws like another app having an XSS flaw which allows a rogue script to make arbitrary connections. If you happen to have an active login session on the admin interface, that script could use the hole to make changes unbeknownst to you.
Also in a situation where you have admins with different levels of access, exploits like this could allow an individual low on gruntles to create a privilege escalation situation and gain access to features they should not.
So a low probability of exploit due to the mitigating factor, but a high potential for damage if an exploit is attempted and succeeds.
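The chain described in the last two posts (a script in the admin's browser, running from another site, riding on the admin's live firewall session) is exactly what an admin UI's state-changing endpoints have to refuse. The standard server-side defence is to require that the request came from the firewall's own origin and that it echoes a per-session anti-CSRF token the foreign page cannot read. The following is an added example written for this thread, not code from pfSense, OPNsense or any poster; `ADMIN_ORIGINS`, the header dictionary shape and the function names are assumptions made for the illustration.

```python
"""Server-side check for state-changing admin-UI requests (added example).

Hypothetical helper, not part of any firewall project. A request on the
admin's authenticated session is only honoured when it (1) comes from the
firewall's own origin and (2) carries the per-session anti-CSRF token.
Setting the session cookie with SameSite=Strict is the complementary
browser-side control and is assumed alongside this check.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the hostnames/addresses the admin legitimately uses for the GUI.
ADMIN_ORIGINS = {"https://fw.lan.example", "https://10.0.10.1"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token():
    """Generate the per-session token to embed in every form the GUI renders."""
    return secrets.token_urlsafe(32)


def _request_origin(headers):
    """Derive the origin the browser reported: Origin first, else Referer."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return h["origin"]
    if "referer" in h:
        u = urlsplit(h["referer"])
        return f"{u.scheme}://{u.netloc}"
    return None


def request_allowed(method, headers, session_token, submitted_token):
    """Return (ok, reason) for one request.

    Safe methods pass so pages still load; anything that changes state must
    be same-origin AND present the token stored in the server-side session.
    A cross-site page can make the browser send the session cookie, but it can
    neither forge a matching Origin header nor read the token out of the GUI.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = _request_origin(headers)
    if origin not in ADMIN_ORIGINS:
        return False, f"cross-site or missing origin {origin!r}"
    if not session_token or not submitted_token:
        return False, "missing CSRF token"
    # Constant-time comparison so the check does not leak token bytes by timing.
    if not hmac.compare_digest(session_token, submitted_token):
        return False, "CSRF token mismatch"
    return True, "same-origin with valid token"


if __name__ == "__main__":
    tok = new_csrf_token()
    print(request_allowed("POST", {"Origin": "https://fw.lan.example"}, tok, tok))
    print(request_allowed("POST", {"Origin": "https://other.example"}, tok, tok))
    print(request_allowed("POST", {"Origin": "https://fw.lan.example"}, tok, "stale"))
```

The origin check alone already stops the cross-site case; the token is the belt to its braces, covering browsers or proxies that strip `Origin`/`Referer`, and it is what makes the "low-privilege admin escalates via another admin's session" variant fail too, since each session has its own token.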
I used to use this until I got fed-up with impedance mismatches between `pf` and the PfSense web GUI. Switched to an OpenBSD base installation a few years ago and haven't looked back.
pf.conf is very user-friendly, the BSD docs for it are great, and it's nice being able to put everything directly under source control. Diffing individual conf files is a lot prettier than those massive PFSense XMLs.
The problem I arrive at is I need non-tech people to fix problems without my being onsite. CLI support over the phone is a non-starter. Also, that XML file works forever, as best I can tell. Just for testing, I've installed backups from 7 years ago and they load just fine, which is also something non-tech people can perform, even without calling me.
My experience has been that taking away the noob interface reduces the number of incidents. How quickly a little sleuthing will turn an "I didn't change anything!" into "But, I didn't think that would make a difference."
If it's something extra-special important, a POTS line and a modem make an excellent plan-B.
> A remote administrator can rewrite existing files on the file system and execute arbitrary code on the target system.
If they're administrator, can't they just log in and use the root shell to do whatever the hell they want? Yes, it's a bug, but is it really a vulnerability?