OPNsense is the core router platform I default to for all my network infrastructure (work devops env, homelab, VPN to family members etc). It's feature packed and ROCK solid. I almost always run it in a virtual machine so I can live migrate it between hosts and have no downtime. The cluster / high availability works great and ensures no loss of connectivity during upgrades. OPNsense is a true hidden gem in the open source world.
I'm curious if you have any suggestions re configuration management? At the moment I'm just point-and-click configuring but I'd really like to move towards using source control, edit some config file and push configuration to it.
Do you (or anyone else reading) have any suggestions?
There is a git plugin that pushes and commits every change automatically. But be careful where you push it as the config file can contain sensitive stuff! I have my own Gitea behind the firewall.
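One way to act on that warning, as an added example that is not part of the thread or of the OPNsense git plugin: a pre-commit style check that walks an exported config.xml, reports every populated element whose tag name looks like a credential, and produces a redacted copy for pushing anywhere that is not fully trusted. The sample XML is constructed for illustration and the element names it uses are assumptions about the export format, not a real dump.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling an OPNsense config.xml export (hypothetical
# element names; the values are placeholders, not real credentials).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
    <user>
      <name>root</name>
      <password>$2y$10$EXAMPLEHASHEXAMPLEHASHEXAMPLEHASH</password>
    </user>
  </system>
  <OPNsense>
    <wireguard>
      <server><privkey>EXAMPLE_PRIVATE_KEY=</privkey></server>
    </wireguard>
  </OPNsense>
  <interfaces><lan><ipaddr>192.0.2.1</ipaddr></lan></interfaces>
</opnsense>
"""

# Tag names that, by convention, hold secrets in firewall configs (assumed list).
SECRET_TAG = re.compile(r"(pass(word)?|secret|priv(ate)?key|presharedkey|psk|apikey|token)$", re.I)
PLACEHOLDER = "***REDACTED***"

def find_secret_paths(xml_text):
    """Return the tag paths of all non-empty elements that look like credentials."""
    root = ET.fromstring(xml_text)
    hits = []
    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if SECRET_TAG.search(child.tag) and (child.text or "").strip():
                hits.append(child_path)
            walk(child, child_path)
    walk(root, root.tag)
    return hits

def redact(xml_text):
    """Return a copy of the config with every credential-looking value replaced."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if SECRET_TAG.search(elem.tag) and (elem.text or "").strip():
            elem.text = PLACEHOLDER
    return ET.tostring(root, encoding="unicode")

def safe_to_push(xml_text):
    """True only when no populated credential element remains (use as a hook gate)."""
    return not find_secret_paths(xml_text)
```

Run `find_secret_paths` in a pre-commit hook and refuse the commit on any hit; `redact` is for producing a reviewable copy, and the hashed root password is still flagged because a password hash is worth protecting as well.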
Has there been a positive inflection in its quality recently? I tried it a while back but pretty quickly it got Unbound's config XML in a state which wouldn't allow the daemon to run. I had to get in and fix it up by hand to get it going again. Wasn't impressed with the quality it was showing me, switched to pfSense and haven't had any similar issues, so I haven't felt the need to look at OPNsense again.
I did a bare metal migration and it was pretty painless. Had to reinstall some packages, but it was as simple as just hitting the + on the package manager.
Yes! The single file xml config export is super easy to move an install between systems (physical and virtual). There is even a plugin to manage the changes with git!
Every time I've given up on an OPNsense instance and re-installed it, importing a config backup, half the config didn't import. Maybe things are better these days.
I used to find it rock solid, but around two years ago reliability tanked. I found myself regularly having issues with interfaces (a genuine Intel server-grade multi-port NIC) flip-flopping. About a year ago, I started having random issues with traffic no longer routing, out of the blue. Lately both issues seem to have gone away.
Right now the software update function dies half the time I try to run a check, with a long sqlite query string / error being dumped to the console. This has been going on for at least the last couple of months' worth of releases.
About a year or two after install, reboots and power-offs stopped working. The system just hangs instead after printing out a message about USB, and I cannot figure out for the life of me what's wrong. It's a standard Dell SFF PC, nothing exotic, and had been working fine until a major release broke it. FreeBSD's documentation about ACPI is impenetrable, so I can't figure out what's going on.
Startups and reboots used to be lightning quick, with maybe a minute or less between the bootloader kicking off loading the kernel and interfaces/routing/firewall up and it giving its happy chime. These days the system spins its wheels for ages doing...something, not sure what.
I find the project pretty outdated and behind the times. The UI is purposefully obtuse with terrible organization and field names and a lot of missing help text to keep their support/consulting biz strong.
They're really far behind on features. There's no application blocking, monitoring/diag is rudimentary, it has extremely limited backup functions (Google Drive and that's it, I believe), and even the DNS blocklist functionality is extremely rudimentary, with only a fixed list of really trashy, unreliable lists available to pick from (one of the groups they pull lists from has demonstrated extensive issues with QA, routinely including things like certificate validation servers in their blacklists.) They've also gone out of their way to make the Adguard Home plugin annoying and confusing to get working if you want to configure it as a proxy to unbound, which is needed if you want DHCP hostname records to work (speaking of which, DHCP leases are needlessly obtuse to manage.)
Their release process is wildly unsuitable for production network equipment. A 'major' release is immediately EOL'd as soon as the next major release comes out. Running 20.1 and need to stay on it because 20.2 breaks something or you want to wait for the dust to settle? Too bad. There are no security releases for older major revisions. And it wouldn't be so bad if each major release was followed by a number of "oops we fucked up...." point-point releases because their QA isn't very good.
The devs are sticks in the mud, too - mostly "franco." They bitched and moaned up a storm for YEARS about wireguard being "insecure" despite no evidence to back their claims, citing that as the reason for refusing numerous requests for integration, and even refusing code contributions from the community for it. They eventually caved. The wireguard plugin is still pretty meh and difficult to navigate unless you know wireguard well.
ARM support? Zero interest in even assisting community efforts, which have gotten impressively far with it, especially now that ARM support in FreeBSD got appreciably better in the last release or two. I suspect it's because they see it as a threat to their (grossly overpriced) hardware offerings.
The list goes on.
They forked pfSense (a good thing, the pfSense devs were being massive dicks) but seem to now be largely on "cruise control" and leveraging community goodwill.
> About a year or two after install, reboots and power-offs stopped working. The system just hangs instead after printing out a message about USB, and I cannot figure out for the life of me what's wrong.
My initial read here would be that this is where serial port / console redirection is happening. There should be settings in the BIOS you can look at, however I don't know how limited PCs are in their options / functionality.
> I find the project pretty outdated and behind the times. The UI purposefully obtuse with terrible organization and field names and a lot of missing help text to keep their support/consulting biz strong.
pfSense was the same way as well as most projects if you understand the underlying configurations. You can find people saying the same about ubiquiti's interface in this thread as well. In my experience the GUI is to capture the 80% of mostly default configurations.
What other firewall/routing software have you looked at in comparison to OPNsense? I'm interested in what other features they have. The API interface and IDS functionality was one of the draws for me.
> Their release process is wildly unsuitable for production network equipment. A 'major' release is immediately EOL'd as soon as the next major release comes out. Running 20.1 and need to stay on it because 20.2 breaks something or you want to wait for the dust to settle? Too bad. There's no security releases for older major revisions.
I mean are you saying this as a paying customer? Free always has its risks and costs.
> The devs are sticks in the mud, too - mostly "franco."
> wireguard being "insecure"
> ARM support? Zero interest in even assisting community efforts
I observe this with projects over time and this usually just adds to the bloat and disorganization because everyone is looking for "their" one-stop solution. I think it's useful to consider things from other viewpoints and complexities you may not have insight into. Not that I have any specific insight into this project; however, there are other companies that make a lot of money off networking gear, firewalls, etc. and provide what you are asking for, but the price isn't free. I assume most open source projects are "best-effort" unless they have a formal revenue stream or foundation behind them, and even then I wouldn't expect any claim to expect features or support (not saying you are, just generally).
You could be right but that's a big gap between "could likely do well selling..." and actually having a market and reliable customers.
What if that's not their business model? What if it requires hiring or finding a dedicated ARM developer? What about security? If a zero day comes out, now you have (3) different architectures to support and test. Even if they offered it as a supported solution, would most of the people complaining fund the work through support? Probably not, because they expect the software to just "work" for them, for free.
I looked through the forum on one of the first ARM[1] posts and as expected, (2) pages in it becomes a tech support thread for people who want to try the latest but be handed the answers. For a project where they document[2] the development workflow, architecture, and environment, it's a bit difficult to understand the complaints when it's open source. Clone the repo and get to work.