I understand your reason for doing this, but on the flip side, you could probably use those same pfSense documentation resources with OPNsense since they are very similar. I've done this myself. The biggest difference is how they label some of the settings, but if you can figure out the difference, you should be able to work your way through it.
One cool fact about Pfsense is that even if you acquire their appliances second hand, you just need to provide a picture of the serial number and they'll give you an iso for their plus edition OS. They do it pretty quickly too. I have a netgate 7100 I've been toying with the idea of running OPNsense on it.
I noticed you didn't call it out directly, but the bad faith trademark stuff they did was against the OPNsense team. The pfSense development team was mad that some developers decided to go their own way and had the audacity to try to make something better, so the pfSense folks acted like children.
I used pfSense at home for 5-6 years before switching to OPNsense earlier this year, after an unsuccessful attempt to switch a couple of years earlier. The Netgate drama was a big part of my reason for wanting to switch, as was the Wireguard issue. On the latter, it wasn't so much that they'd contributed garbage code (they'd hired a dev whom they had every reason to trust to do good work), but their response when it became apparent that the code was garbage was to blame everyone but themselves. You provided this code, folks; you're responsible for it. Another point, not mentioned in this video, is that there's some serious question whether pfSense is truly Open Source--the claim is being made (and pretty credibly to my uneducated eye) that ESF/Netgate/whatever they're calling themselves now *have not* released all the source code, and that it's impossible to build pfSense with what they have released. As you say, functionality between the two is about the same, and so is the logic--if you know how to do something on pfSense, you can probably figure it out pretty quickly on OPNsense (more so for the core features than for the plugins). OPNsense's GUI is *much* better IMO than pfSense's--not only in terms of "it looks better" (though it does), but also in that the organization is more logical (which of the pfSense UI designers thought that (1) the reboot/shutdown options should be in the Diagnostics menu, rather than System; (2) they should *not* be adjacent to each other in that menu; (3) they should be labeled "halt system" rather than "shut down"; and (4) they should just be in alphabetical order in a 20+-item menu?). Hairpin NAT works for me under OPNsense; I was never able to make it work under pfSense. The biggest downside in my experience has been the OPNsense forum, which has been useless for me. I've been working with F/OSS for 20+ years--I know how to ask a question and provide a reasonable amount of supporting detail. 
I recognize that the vast majority of the people there are volunteers, not paid staff. But when the response to "DNS isn't working" with a good bit of supporting detail is crickets, that's a bit of a problem. I found more support on the TrueNAS and Nethserver forums than I did on the OPNsense forum.
Thank you for posting about your experience Dan. I have definitely seen people joke about how pfSense/Netgate reacts to criticism on forums and reddit.
Saying you found more help from TrueNAS boys than OPNsense boys is concerning. TrueNAS is not pleasant at all. I'll stick to pfsense and considering going on all in this year with a Netgate 4100
Only we can change that! Hopefully everyone here watching this video will make a small effort to join up at the OPNSense forums and Reddit! Just a couple minutes a month of browsing and answering questions can help out future community members for years to come
FreeBSD 12.3 supports these NICs from the LTT video, however, they forgot to add boot configuration to enable them. Kinda like Linux kernel modules, in a sense. Just to note.
@@ClauSalvio I can't post links since YT doesn't like links in comments. But the title is "I hope you don't need internet.... - Server Room Upgrade". They ended up using OPNsense because of the NIC issue they probably didn't bother to research. For me it was the first Reddit post on Google that presented the fix.
I dropped pursuing pfsense after the trademark trolling and then the wireguard debacle. You can't trust a company with securing your infrastructure when they behave in such an unethical way and have such poor quality control.
I was enjoying making videos around pfSense and how to perform certain parts of configuration until I read through the /selfhosted reddit about the trademark thing. I stopped making any tutorial videos about pfSense afterwards.
I use them both and each has a specific purpose. PHP on pfSense is buggy, hence the restart option from console. OPNSense update cycle can be seen as too frequent.
But you can CHOOSE to not update to latest and greatest if that don't tickle your fancy.. Let others do the testing and update when they fixed certain issue that may come. As well, it's so much easier to add sideloaded stuff to my opnsense box than pfsense. Such as sideload AdGuardHome directly via freebsd instead of an application where you depend on the ones updating the "built" in app. Whereas sideload AGH you use their own code for freebsd. More options, more control.
@@Perra1901 This is true for domestic installs, in a business audited environment, I am required to be running the latest version within a few hours of release, I find this a tiresome issue with OPNSense. Thankfully there are product choices for different install scenarios.
I used pfSense for years and had no issues until the update from 2.4.5-p1 to 2.5.0 and then the router started to hang intermittently. I stuck with it until 2.6.0 but the hanging continued and actually became worse. I re-installed and set it up again manually since re-installing and re-importing my config did not resolve the hanging issue. Shortly after 2.6.0 I ditched pfSense and went to OPNsense and was very happy with it until the last update and now a specific use case is not working correctly (SOCKS5 proxy via SSH) - I can't even get 1 Mbps throughput, whereas previously I was getting normal throughput. I've been doing this since about 2009 (on DD-WRT, EdgeOS, pfSense, and OPNsense). I did not like the constant updates with OPNsense as that leads to issues with stability. Now I'm ready to go back to pfSense after they move to FreeBSD 14 and hope the intermittent hangs go away. I know the intermittent hanging on pfSense is related to my SOCKS5 proxy via SSH because if I don't use the proxy the router is stable and never hangs. Ultimately I may have to go back to pfSense 2.4.5-p1 or the original version of OPNsense that I installed which I really don't want to do due to security issues... The hangs with pfSense are not hardware related as I had it happen on two completely separate hardware devices (that are very much overpowered for pfSense / OPNsense).
In 2024
- OpnSense has been using the latest version of FreeBSD way before PFSENSE.
- In 2023-2024 Pfsense recommended everyone moved over to PFSENSE plus, so they did, they then said you shouldn't (screwed everyone).
- Pfsense is less open-source in 2024 than OpnSense.
- Pfsense in 2024 will absolutely mess up your routers config if you add another NIC to your Proxmox virtualisation server, it absolutely shits itself.
- Opnsense tends to get more newer stuff sooner than pfsense.
- Opnsense developers are more active in the community than pfsense.
Solid review, and excellent timing for me (considering which to use on some new installs)! Every company has some kind of bad blood (maybe not as bad as pfsense's), I think it's down to three major things - what interface do you prefer, do you want hardware from the authors of the firewall, and how often do you want updates? For me, I think it'll be opnsense. I've loaded both on a small firewall appliance and the only major difference was the four interfaces loaded in the reverse order on opnsense! :)
Just for the fact that opnsense is continuously being updated for everyone is reason enough, especially for security reasons. I'm probably changing over the weekend to opnsense or as soon as I have the time to set it up virtually and then deploy it on physical hardware.
I don't wanna spam the comments, but I'll leave one last comment here just for completeness. pfSense 2.7 has been released on 2023-06-29 with FreeBSD 14 and ConfigRev 22.9. It is essentially pfSense Plus 23.05.1 (most current release mind you) without the Plus features, or rather the Plus variant is pfSense 2.7 with the Plus features added. Meaning: yes, pfSense (no Plus) will always release on a slower cadence, however, judging by its history, when it will release, it is on par with pfSense Plus base-feature and base-patch wise. If you're not missing any features that pfSense (no Plus) already provides, I see no point in switching to Plus.
Very informative video, thanks for that. But I am still struggling to choose. I have run a TrueNAS server for the past 5 years, with no dedicated firewall (just diy geoblocking) and now want to get into the topic. For a complete firewall newbie, which one do you think is easier for me to start? The one with the more intuitive GUI or the one with the huge community with a recipe for every need?
Both firewalls will do the job just fine for a complete beginner, the OPNsense documentation has also grown over the years and has many configuration examples as well. Though I think personally for someone completely new that the pfSense community will definitely help ease you into firewalling. So I guess try pfSense and see how you feel about it, though I do highly suggest joining their reddit community as well.
@@kevinthomas7478 thanks, glad to hear. My gut told me to go for OPNsense (nobody stopping me from browsing through both communities for help), and I am really happy with my choice..
So glad I came across your channel. I am curious if you have in mind a video to demonstrate how one could connect datacenters with OPNsense w/ospf at the edge. Full mesh without using IPsec tunnels would be incredible.
Thank you for the kind words! The background is V's apartment from Cyberpunk2077. I love the atmosphere of that game or anything Bladerunner. My homelab is basically run off of my gaming PC, I would love to have custom hardware but I just don't have the cashflow for that :C Perhaps one day!
My gaming pc specs are:
Mobo: ROG Strix B460-H Gaming
CPU: Intel Core i5 10600K
Memory: 32GB DDR4 Corsair Vengeance @2666 MHz (can't clock higher)
GPU: GeForce GTX 1070 (Could never get a hold of a newer GPU without paying an arm and a leg. THANKS MINERS)
Storage: Various different SSD drives (total storage comes to around 1TB)
For my actual labbing most of this is done on either my hypervisor or on a network emulator so let me give those details as well:
Hypervisor: VMware Workstation Pro (I am considering moving this as creating custom VLANs is not as easy as it should be)
Network Emulator: EVE-NG
100% agree. I was thinking about the pfSense update a few months ago. I'm going to look into OPNsense soon. Do you have any video how to get started on OPNsense.... Thanks for sharing!!!
It might seem trivial but I don't think it is: OPNsense isn't really born from PFSense, any more than PFSense community edition is, it's a continuation of PFSense caused by a split in the community when they changed the license (similar to LibreOffice/MariaDB/etc...). OPNsense Business Edition is really just a more conservatively updated/tested version of OPNsense, that comes with professional support (a phone number to call). OPNsense however has feature parity between its editions (the reason for the PFSense split), and is a far better product IMHO.
I have a strange problem with an opnsense appliance that is working on hyper-v. When I'm using the console of the appliance to ping something, the only way to stop this process is to ssh to the appliance and kill the process from the command line. And I still haven't found a more comfortable solution 😥
After watching this video, I'd go with OPNsense. The only thing that is good on PFsense is the ZFS. Wasn't OPNsense built on hardenedBSD or did they drop that?
Only two things that made me switch back from opnsense was looking at the traffic graph it didn’t really show current talkers but more it didn’t show me the names so I’d have to know the ip of devices or look at the ip tables. Also not having tailscale in the plug-in or packages. But opnsense was super fast doing anything or doesn’t make you wait before you can do anything else. I guess zerotier is similar to what I need tailscale for, just need to look into it more how to use.
I was already heavily leaning towards OPNsense just due to the more frequent update cycle. However, after hearing about what PFsense did to their competitors it's a solid lock on OPNsense. Then them adding the super buggy module just to get it out there was icing on that decision. That shows multiple poor decisions for profit over morality. I fully expect they'll make more questionable decisions in the future. Given past poor decision making for profit, it wouldn't surprise me to hear over the next few years that "someone" contributed bad code to some of the packages that "their" version has patched out. I'm not aware of them doing that, but it does seem like one of the next logical steps since they got caught on the other stuff.
You will find 100x more how-to videos for pfSense vs OPNSense here on YouTube making it much faster and easier to get up to speed and solve problems with pfSense!
@@rpsmith Maybe in total volume, but a lot of that is repeat info from multiple people. It's funny, you can see the same blocks of creators come out with videos about the same topics all around the same time, just based on the trends like every other YouTube subject. Once you filter out the repeats you're left with a lot less useful info. Still likely more I'll admit, but nowhere near what you might think.
I have tried both, and used pfsense for a long time. However, currently, I switched over to VyOS and it's been running flawlessly and feels snappier than pfsense tbh. Also, it is based on Debian 11, which has much better hardware compatibility than both. Also, it's fully open source. I really wish that you give it a shot and make a video on it. Thanks, and your video is awesome btw, very comprehensive and fair to both.
@@TheNetworkBerg yeah, also it is so difficult to implement filters in PFSense pfblocker, will also require that pfsense should be the primary dns thus rendering the internal dns useless for internal zones. I don't know why other tech tubers push pfsense to people 🤔 . I would only use Opnsense and untangle in my workplace.
@@kurdapio2k6 I think the reason so many YouTubers push new folks onto pfSense is because there is so much hype surrounding pfSense. They will repeat all of the same "gee whiz" cool features that pfSense has, but they won't get into any of the drawbacks like this video did.
opnsense is better for better licensing - they are basically the same sw - opnsense is way better politically and it is more better for more updates #more
This was a good video, but honestly, I still have no idea which one to go with after watching it. All of my hardware is seen by both so that makes things even more difficult. Choices are good, but can be frustrating!
Both are valid options and still supported. If you have some basic network skills (and a simple ISP without vlan crap) then an install should not be that difficult. After the “command line” (setting up the interfaces) part you should have a working and safe setup. If you have a simple setup you can also switch quite easily later.
I am looking to move to a personalised router and I must say the open BSD makes me uneasy. I have been working on linux for 7 years now and every time I wanted to flash open BSD on a vm or available pc I ran into driver problems that prevented me from installing it. Why is that relevant? Because dropping 700-1000€ on a fanless pc with powerful cpu and multiple NICs just to have BSD being BSD does not inspire trust. 2nd, pfSense is out. I can’t trust people who act like MW2 lobby trolls.
FreeBSD-based ones have limited hardware drivers, not even Intel-based 10G cards such as X520s work. I prefer Debian-based ones such as ipfire, etc. that work
Don't be surprised if pfSense stops maintaining community edition altogether. Opnsense were clear about difference between paid stuff and free stuff and free version will be updated but not as fast as paid version so we all benefit. You can also get ETpro rulesets for suricata for free but in exchange you have to agree to allow them to collect your data but that's strictly data needed for creating and updating suricata rulesets or you can pay per year so it's up to you. Community for opnsense isn't big like one for pfsense but when it comes to how each of them treat users in my opinion opnsense wins because they don't focus mostly on paid version at the expense of free version so I can live with slower updates. OPNsense options are very reasonable and very reasonably priced and you pay per year, not per month like most subscription services so you have option even to pay business edition for 3yrs in advance.
I don't understand the controversy for the pfSense community updates. Looking at the release table from their docs:
pfSense CE version 2.6: Config rev 22.2
pfSense Plus version 21.x: Config rev 21.7 (latest revision)
pfSense Plus version 22.x: Config rev 22.2 (22.01), config rev 22.7 (22.05)
pfSense CE version 2.7: Config rev 22.7
So basically the Plus version gets the updates faster (in-between full releases), whereas the CE version gets them via full release. I think that's a fully understandable business move. To add to that, the Plus version has the proprietary components which get updates, too. So, because these components are not part of the CE version, there cannot be any updates for them in the first place.
I agree with you that it definitely makes sense from a business point of view to handle releases the way they are. Especially if they want to push people to migrate from CE to +, I mean the Tac lite support is even free at the moment which cost well over a 100 dollars. So they are really incentivizing people to move over from CE. I guess I am mainly just iterating what many others in the community tend to think. That the project has become more commercialized over the years and that there is less focus on CE. Personally I don't think they will drop CE, as this would probably cause a total riot from the community. But still these are the perceptions that tend to come up on Reddit or on Lawrence System's comment sections.
@@TheNetworkBerg if they just made an open source version with some closed source modules/plugins (usually enterprise features) the backlash would be negligible. That is not how they introduced it. I think they are somewhat building it from scratch (MVC) so the 2 will diverge over time. Also note the controversy about the state over how “open source” the CE really is. People tried to build the code but failed because important stuff seems missing.
@@edwinkm2016 yeah Edwin, that is a point I have not really brought up in the video as I haven't tried building it myself and I don't want to get pulled into a very bad whirlwind as I have seen discussions on this point be debated at length and get pretty volatile.
just to reiterate my point: pfSense 2.7 has been released on 2023-06-29 with FreeBSD 14 and ConfigRev 22.9. It is essentially pfSense Plus 23.05.1 (most current release mind you) without the Plus features, or rather the Plus variant is pfSense 2.7 with the Plus features added.
good video all the way up to the competitor website war is war you and I don't know what happened it's a fight which you now sided which is what happened between these 2 firewall companies Douche bag move
The dick move alone by pfsense is enough to convince me to go with opnsense, but it overall sounds a bit better anyway, especially the update frequency and openness of the platform. The only notable downside I'm seeing is higher prices for opnsense, but that's a price I'm willing to pay
pfSense does have some great documentation and a large community, but unfortunately, some of their most knowledgeable community members seem to have ego problems. If you ask a question, they won't hesitate to tell you how stupid your question is and tell you to google it. The OPNsense forum is much more newbie friendly.
😁You are so right about that. I mean pfsense community stars on their high horsies. Actually I thought I was the only one to get that treatment but sadly not. Don't know yet how opnsense community is - I haven't needed them yet thanks to all info on the web so I would not say it's too little info floating out there.
I also like the GUI better on opnsense, feels snappier and more logic. Pfsense GUI is like something from the days of win 3.1 the looks wise and the slower response.
Sounds like Stack Overflow
I was looking for a good reason to pick which one!
This might be the best reason I can find. Thx for sharing your experience!
@@vt20247 If you need another good reason, the PfSense developers got really petty and childish when some of the crew decided to split off and start their own project (OPNsense). They (PfSense) took over the domain name used by OPNsense to deface it and degrade the OPNsense developers. It actually went to court and OPNsense won. It’s a shame that grown adults were acting this way.
Thank you for this video. I looked at both and was exposed to pfsense when I was helping administer a system installed at a local charter school. Even though I had used pfsense, I felt that opnsense was easier to administer so that's what I went with at home when I gave up on network "appliance" routers. You've confirmed that my decision was the right one for my situation.
After hearing lots about Pfsense I was definitely leaning towards it for my firewall choice. Hearing about the development history, controversial actions and having the lack of regular updates for the CE version pointed out I'm definitely taking a closer look at OPNsense. Thanks for such a balanced comparison.
Agreed
Same here, I'm glad I caught this
OpnSense has the ability to run it from a Thumb drive. I like that.
More and more people are moving to OPNsense.
@@ecotts like the top commenter of this thread points out.
I'm thinking OpnSense should become the Community Leader of the Open Source area, as they are the ones pioneering the open source version.
This guy makes some real good points and he isn't afraid to call out ppl! Subbed!
After a recent breach of my local network using a popular brand of home all in one router/switch/access point, I decided to finally pull the trigger and ordered a ProtectLi box. It’s coming pre installed with OPNSense and at first I was hesitant as I wanted PfSense. After watching through your video series, I feel way better about sticking with OPNSense, especially due to the updates! With how many vulnerabilities are constantly being uncovered, no updates is not an option when it comes to network defense!
Where did you purchase yours? I'm looking at the same hardware??
Thank you very much for addressing all of the controversy!! This was definitely totally needed. You said what I never could have!
The fact that the m0n0wall developers recommend OPNSense and FreeBSD maintainers closely coordinate with OPNSense maintainers tells me something already...
As far as I am aware, pfSense did contribute something to FreeBSD but it was an Intel NIC driver they needed to be maintained in FreeBSD for their new hardware.
1 thing to note here, OPNSense Business edition is mostly adding a management console for all your remote firewalls and cloud backup of your configs, which you could set locally on your own, with a storage device - it doesn't hide patches or firewall features.
That's because the people who started OPNSense were the devs of Monowall. 😀
Good review. I used pfsense for years and for the most part had no issues until I needed to implement AQM with dual WANs. This worked fine for a while until a software update came out and it broke dual WAN AQM. It was a real pain to fall back to the previous version. So at the time I tried OPNsense and it just worked. And not only did it work but it was way more intuitive on how you control pipes and queues along with their associated rules. It's true that OPNsense has lots of updates which might introduce problems but so far I have not had any. Like you said they are both good firewalls but I am going to stick with OPNsense from now on until something bad happens and I need to re-evaluate. It is for now the best firewall for my needs.
Thank you for mentioning the concerns about the CE. I feel like nobody talks about this.
To me it looks like Netgate slacks on the progress of the CE to lure people to switch to the business edition. There's a free licence you can use. "So what's the problem?" you might think. Maybe they want to let the CE die because it's free and brings them no money. As soon as they let it die in a future point of time they will sooner or later kill the free business licence and force you to pay if you want to keep using your pfSense. Think about it - it's every company's goal to make money.
I switched from pfSense CE to OPNsense CE about 3 weeks ago and don't regret a thing.
If it's Open Source, the community could get involved and help.
I'm not seeing it.
As for open source and freeware, a lot of freeware devs back in the day, had donation forms that accepted various forms of payment processing. Some even had a crypto public address.
Idk if OpnSense or pfSense or many others offering freeware shareware subscriptionware. But, maybe they should.
Apache https does.
MySQL does
PHP does.
Maybe it's only Apache and the free scripts and code snippets community. I could be wrong.
Been looking into setting up an open source firewall at home and have been considering both of these. I've watched a few vids on it, and I think after this one I'll be going with opnsense. Thanks for all the great info! Subbed for sure
We need more free minded youtubers like you man! Thank you so much for clearing this up for me!
I switched to OPNsense about 2 years ago and could not be happier.
Quality review. Fair and comprehensive cover of the two platforms. I’ve personally been running pfsense for about 10 years and it’s been solid.
Excellent comparison between the two firewalls. I support both but the once a year updates and the current direction of netgate/pfSense will likely cause me to switch to OPNSense for all new customers.
My impression is that Netgate is similar to Oracle.
This is a great unbiased comparison. Thanks for making this video.
thanks for your honest comments trying to keep peace in the world :)
Yeah sometimes trying to keep the peace or being neutral can be difficult. I am still quite shocked at a fake website being created to scare off potential customers.
These firewalls are solid, I have tried both of them. I am more familiar with pfsense so that is what I use.
I ran m0n0wall and DD-WRT back in the early 2000s, good stuff indeed. I do remember "being there" when the project wound down but I can't recall the reasoning 20 odd years later.
Question: Mikrotik vs one of these two software, which one do you recommend?
Regards
I've been using OPNSense for over 2 years now and it works perfectly for my needs. PFSense is great too :)
I considered switching to OPNsense when I replaced my old NetGate router hardware. In the end I stayed with pfSense primarily because they have much better documentation. OPNsense is like a man page describing available settings whereas pfSense has that plus practical examples, reasons you might choose one option over another, explanations of higher level concepts, and links to additional info.
That makes total sense Randy and is a great reason to stick with pfSense.
I understand your reason for doing this, but on the flip side, you could probably use those same pfSense documentation resources with OPNsense since they are very similar. I've done this myself. The biggest difference is how they label some of the settings, but if you can figure out the difference, you should be able to work your way through it.
One cool fact about Pfsense is that even if you acquire their appliances second hand, you just need to provide a picture of the serial number and they'll give you an iso for their plus edition OS. They do it pretty quickly too.
I have a netgate 7100 I've been toying with the idea of running OPNsense on it.
That's pretty cool, I wasn't aware of that at all. Thanks for the info 😃
I noticed you didn't call it out directly, but the bad faith trademark stuff they did was against the OPNsense team. The pfSense development team was mad that some developers decided to go their own way and had the audacity to try to make something better, so the pfSense folks acted like children.
I used pfSense at home for 5-6 years before switching to OPNsense earlier this year, after an unsuccessful attempt to switch a couple of years earlier. The Netgate drama was a big part of my reason for wanting to switch, as was the Wireguard issue. On the latter, it wasn't so much that they'd contributed garbage code (they'd hired a dev whom they had every reason to trust to do good work), but their response when it became apparent that the code was garbage was to blame everyone but themselves. You provided this code, folks; you're responsible for it. Another point, not mentioned in this video, is that there's some serious question whether pfSense is truly Open Source--the claim is being made (and pretty credibly to my uneducated eye) that ESF/Netgate/whatever they're calling themselves now *have not* released all the source code, and that it's impossible to build pfSense with what they have released.
As you say, functionality between the two is about the same, and so is the logic--if you know how to do something on pfSense, you can probably figure it out pretty quickly on OPNsense (more so for the core features than for the plugins). OPNsense's GUI is *much* better IMO than pfSense's--not only in terms of "it looks better" (though it does), but also in that the organization is more logical (which of the pfSense UI designers thought that (1) the reboot/shutdown options should be in the Diagnostics menu, rather than System; (2) they should *not* be adjacent to each other in that menu; (3) they should be labeled "halt system" rather than "shut down"; and (4) they should just be in alphabetical order in a 20+-item menu?). Hairpin NAT works for me under OPNsense; I was never able to make it work under pfSense.
The biggest downside in my experience has been the OPNsense forum, which has been useless for me. I've been working with F/OSS for 20+ years--I know how to ask a question and provide a reasonable amount of supporting detail. I recognize that the vast majority of the people there are volunteers, not paid staff. But when the response to "DNS isn't working" with a good bit of supporting detail is crickets, that's a bit of a problem. I found more support on the TrueNAS and Nethserver forums than I did on the OPNsense forum.
Thank you for posting about your experience Dan. I have definitely seen people joke about how pfSense/Netgate reacts to criticism on forums and reddit.
@@TheNetworkBerg That's its own issue as well, and one that I've seen, but haven't personally dealt with.
I suspect reddit is more active
Saying you found more help from TrueNAS boys than OPNsense boys is concerning. TrueNAS is not pleasant at all. I'll stick to pfsense and am considering going all in this year with a Netgate 4100
Only we can change that! Hopefully everyone here watching this video will make a small effort to join up at the OPNSense forums and Reddit! Just a couple minutes a month of browsing and answering questions can help out future community members for years to come
FreeBSD 12.3 supports these NICs from the LTT video, however, they forgot to add boot configuration to enable them. Kinda like Linux kernel modules, in a sense. Just to note.
Thanks for the info :)
@@TheNetworkBerg you're welcome :)
Hello Cheeba Digga
Can you please add a link to the LTT video you mentioned?
@@ClauSalvio I can't post links since YT doesn't like links in comments. But the title is "I hope you don't need internet.... - Server Room Upgrade". They ended up using OPNsense because of the NIC issue they probably didn't bother to research. For me it was the first Reddit post on Google that presented the fix.
@@cheebadigga4092 Thank you ! 🙏
I dropped pursuing pfsense after the trademark trolling and then the wireguard debacle. You can't trust a company with securing your infrastructure when they behave in such an unethical way and have such poor quality control.
I was enjoying making videos around pfSense and how to perform certain parts of configuration until I read through the /selfhosted reddit about the trademark thing. I stopped making any tutorial videos about pfSense afterwards.
Welcome back.. 🌹🕊️
Great video. I learned a lot. Thanks!
I use them both and each has a specific purpose. PHP on pfSense is buggy, hence the restart option from console. OPNSense update cycle can be seen as too frequent.
But you can CHOOSE to not update to latest and greatest if that doesn't tickle your fancy.
Let others do the testing and update when they have fixed certain issues that may come.
As well, it's so much easier to add sideloaded stuff to my opnsense box than pfsense.
Such as sideloading AdGuardHome directly via freebsd instead of an application where you depend on the ones updating the "built" in app.
Whereas with sideloaded AGH you use their own code for freebsd.
more options, more control.
@@Perra1901 This is true for domestic installs, in a business audited environment, I am required to be running the latest version within a few hours of release, I find this a tiresome issue with OPNSense. Thankfully there are product choices for different install scenarios.
I agree, quarterly updates would be sufficient. I too deal with audits at the workplace.
I used pfSense for years and had no issues until the update from 2.4.5-p1 to 2.5.0 and then the router started to hang intermittently. I stuck with it until 2.6.0 but the hanging continued and actually became worse. I re-installed and set it up again manually since re-installing and re-importing my config did not resolve the hanging issue. Shortly after 2.6.0 I ditched pfSense and went to OPNsense and was very happy with it until the last update and now a specific use case is not working correctly (SOCKS5 proxy via SSH) - I can't even get 1 Mbps throughput, whereas previously I was getting normal throughput. I've been doing this since about 2009 (on DD-WRT, EdgeOS, pfSense, and OPNsense). I did not like the constant updates with OPNsense as that leads to issues with stability. Now I'm ready to go back to pfSense after they move to FreeBSD 14 and hope the intermittent hangs go away. I know the intermittent hanging on pfSense is related to my SOCKS5 proxy via SSH because if I don't use the proxy the router is stable and never hangs. Ultimately I may have to go back to pfSense 2.4.5-p1 or the original version of OPNsense that I installed which I really don't want to do due to security issues... The hangs with pfSense are not hardware related as I had it happen on two completely separate hardware devices (that are very much overpowered for pfSense / OPNsense).
In 2024
- OpnSense has been using the latest version of FreeBSD way before PFSENSE.
- In 2023-2024 Pfsense recommended everyone moved over to PFSENSE plus, so they did, they then said you shouldn't (screwed everyone).
- Pfsense is less open-source in 2024 than OpnSense.
- Pfsense in 2024 will absolutely mess up your routers config if you add another NIC to your Proxmox virtualisation server, it absolutely shits itself.
- Opnsense tends to get more newer stuff sooner than pfsense.
- Opnsense developers are more active in the community than pfsense.
Solid review, and excellent timing for me (considering which to use on some new installs)! Every company has some kind of bad blood (maybe not as bad as pfsense's), I think it's down to three major things - what interface do you prefer, do you want hardware from the authors of the firewall, and how often do you want updates? For me, I think it'll be opnsense. I've loaded both on a small firewall appliance and the only major difference was the four interfaces loaded in the reverse order on opnsense! :)
Another point to add. Companies usually want support. So for America it makes sense to use pfsense. Target of Opnsense is Europe.
Just for the fact that opnsense is continuously being updated for everyone is reason enough, especially for security reasons. I'm probably changing over the weekend to opnsense or as soon as I have the time to set it up virtually and then deploy it on physical hardware.
I don't wanna spam the comments, but I'll leave one last comment here just for completeness. pfSense 2.7 has been released on 2023-06-29 with FreeBSD 14 and ConfigRev 22.9. It is essentially pfSense Plus 23.05.1 (most current release mind you) without the Plus features, or rather the Plus variant is pfSense 2.7 with the Plus features added. Meaning: yes, pfSense (no Plus) will always release on a slower cadence, however, judging by its history, when it will release, it is on par with pfSense Plus base-feature and base-patch wise. If you're not missing any features that pfSense (no Plus) already provides, I see no point in switching to Plus.
Very informative video, thanks for that. But I am still struggling to choose. I have run a TrueNAS server for the past 5 years, with no dedicated firewall (just DIY geoblocking) and now want to get into the topic. For a complete firewall newbie, which one do you think is easier for me to start? The one with the more intuitive GUI or the one with the huge community with a recipe for every need?
Both firewalls will do the job just fine for a complete beginner, the OPNsense documentation has also grown over the years and has many configuration examples as well. Though I think personally for someone completely new that the pfSense community will definitely help ease you into firewalling. So I guess try pfSense and see how you feel about it, though I do highly suggest joining their reddit community as well.
As someone who has used both quite a bit, I'd recommend OPNsense.
@@kevinthomas7478 thanks, glad to hear. My gut told me to go for OPNsense (nobody stopping me from browsing through both communities for help), and I am really happy with my choice..
The best one is the one you can manage effectively for your purposes.
So glad I came across your channel. I am curious if you have in mind a video to demonstrate how one could connect datacenters with OPNsense w/ospf at the edge. Full mesh without using IPsec tunnels would be incredible.
Are updates in pfSense CE lacking security patches or is it feature lag?
The background in the intro is the best! Also can you please share your homelab setup
Thank you for the kind words! The background is V's apartment from Cyberpunk2077. I love the atmosphere of that game or anything Bladerunner. My homelab is basically run off of my gaming PC, I would love to have custom hardware but I just don't have the cashflow for that :C Perhaps one day!
My gaming pc specs are:
Mobo: ROG Strix B460-H Gaming
CPU: Intel Core i5 10600K
Memory: 32GB DDR4 Corsair Vengeance @2666 MHz (can't clock higher)
GPU: GeForce GTX 1070 (Could never get a hold of a newer GPU without paying an arm and a leg. THANKS MINERS)
Storage: Various different SSD drives (total storage comes to around 1TB)
For my actual labbing most of this is done on either my hypervisor or on a network emulator so let me give those details as well:
Hypervisor: VMware Workstation Pro (I am considering moving this as creating custom VLANs is not as easy as it should be)
Network Emulator: EVE-NG
100% agree. I was thinking about the pfSense update a few months ago. I'm going to look into OPNsense soon. Do you have any video how to get started on OPNsense.... Thanks for sharing!!!
It might seem trivial but I don't think it is: OPNsense isn't really born from PFSense, any more than PFSense community edition is, it's a continuation of PFSense caused by a split in the community when they changed the license (similar to LibreOffice/MariaDB/etc...). OPNsense Business Edition is really just a more conservatively updated/tested version of OPNsense, that comes with professional support (a phone number to call). OPNsense however has feature parity between its editions (the reason for the PFSense split), and is a far better product IMHO.
Thanks Jeremy, yeah you are correct and I totally agree with you.
@@TheNetworkBerg I did enjoy the video though and thought it was a good summary.
I have a strange problem with an opnsense appliance that is running on Hyper-V. When I'm using the console of the appliance to ping something, the only way to stop this process is to ssh to the appliance and kill the process from the command line. And I still haven't found a more comfortable solution 😥
After watching this video, I'd go with OPNsense. The only thing that is good on PFsense is the ZFS.
Wasn't OPNsense built on hardenedBSD or did they drop that?
Yes they switched
@@edwinkm2016 Ah, good to know, thank you!
OPNsense has ZFS option
I went opn since I have i-226 nics. I'd like to try pf too.
The only two things that made me switch back from opnsense were that, looking at the traffic graph, it didn't really show current talkers, but more that it didn't show me the names, so I'd have to know the IP of devices or look at the IP tables. Also not having tailscale in the plug-ins or packages. But opnsense was super fast doing anything and doesn't make you wait before you can do anything else. I guess zerotier is similar to what I need tailscale for, I just need to look into it more on how to use it.
You can send your suggestion to the developers and they may incorporate it in a future release.
It's not just the updates, but also the code of opnsense is more modern
I was already heavily leaning towards Opensense just due to the more frequent update cycle. However, after hearing about what PFsense did to their competitors it's a solid lock on Opensense. Then them adding the super buggy module just to get it out there was icing on that decision. That shows multiple poor decisions for profit over morality. I fully expect they'll make more questionable decisions in the future. Given past poor decision making for profit, it wouldn't surprise me to hear over the next few years that "someone" contributed bad code to some of the packages that "their" version has patched out. I'm not aware of them doing that, but it does seem like one of the next logical steps since they got caught on the other stuff.
You will find 100x more how-to videos for pfSense vs OPNSense here on YouTube making it much faster and easier to get up to speed and solve problems with pfSense!
@@rpsmith Maybe in total volume, but a lot of that is repeat info from multiple people. It's funny, you can see the same blocks of creators come out with videos about the same topics all around the same time, just based on the trends like every other YouTube subject. Once you filter out the repeats you're left with a lot less useful info. Still likely more I'll admit, but nowhere near what you might think.
can I use OPN Sense with Protectli Vault ?
Never tried to so don't know, can't see why not. Anything you can load a pfSense image onto you should be able to load OPNsense on as well.
Is wireguard secure enough? Like ikev2
Wireguard is very secure.
@@TheNetworkBerg Somebody told me there are firewalls which look in IPsec traffic. I guess it was Noris Firewall.
Thanks a bunch!
I think opensense has a little bit lag connection to the internet
I feel that when I start to call website
Or test internet speed connection
I have tried both, and used pfsense for a long time. However, currently, I switched over to VyOS and it's been running flawlessly and feels snappier than pfsense tbh. Also, it is based on Debian 11, which has much better hardware compatibility than both. Also, it's fully open source. I really wish that you give it a shot and make a video on it. Thanks, and your video is awesome btw, very comprehensive and fair to both.
+1 for VyOS
Not sure if they target the same people. AFAIK fully command line. Probably compete more with MikroTik.
OPNSense + ZenArmor ftw! so easy to filter websites.
Yeah I've seen a few people loving ZenArmor with their Sense firewalls :D!
@@TheNetworkBerg yeah, also it is so difficult to implement filters in PFSense pfblocker, will also require that pfsense should be the primary dns thus rendering the internal dns useless for internal zones. I don't know why other tech tubers push pfsense to people 🤔 .
I would only use Opnsense and untangle in my workplace.
@@kurdapio2k6 I think the reason so many YouTubers push new folks onto pfSense is because there is so much hype surrounding pfSense. They will repeat all of the same "gee whiz" cool features that pfSense has, but they won't get into any of the drawbacks like this video did.
Have you looked at the fork of Opnsense called Dynfi ?
Sadly I can't really use either as it's limited to 1 thread on pppoe
You can increase them, I did.
opnsense is better for better licensing - they are basically the same sw - opnsense is way better politically and it is more better for more updates #more
Opensense is what I prefer.
Opnsense Franco 👍
This was a good video, but honestly, I still have no idea which one to go with after watching it. All of my hardware is seen by both so that makes things even more difficult. Choices are good, but can be frustrating!
Both are valid options and still supported. If you have some basic network skills (and a simple ISP without vlan crap) then an install should not be that difficult. After the “command line” (setting up the interfaces) part you should have a working and safe setup. If you have a simple setup you can also switch quite easily later.
FTPS on OPNsense?
I am looking to move to a personalised router and I must say the open BSD makes me uneasy. I have been working on linux for 7 years now and every time I wanted to flash open BSD on a vm or available pc I ran into driver problems that prevented me from installing it. Why is that relevant? Because dropping 700-1000€ on a fanless pc with powerful cpu and multiple NICs just to have BSD being BSD does not inspire trust.
2nd pf sense is out. I can’t trust people who act like MW2 lobby trolls.
🙌
Netgate has some evil in house. Thats enough for me to run OpnSense
New users I think are better off starting with PF
Freebsd based have hardware drivers limited not even Intel based 10 g cards such as x520s do not work is prefer to debian based such as ipfire ,etc that works
Sir if possible I want u to show vpn site to site pfsense +mikrotik I tried many times not yet success. Thanks
Don't be surprised if pfSense stops maintaining community edition altogether. Opnsense were clear about the difference between paid stuff and free stuff, and the free version will be updated but not as fast as the paid version so we all benefit. You can also get ETpro rulesets for suricata for free but in exchange you have to agree to allow them to collect your data, but that's strictly data needed for creating and updating suricata rulesets, or you can pay per year so it's up to you. Community for opnsense isn't big like the one for pfsense but when it comes to how each of them treat users in my opinion OPNsense wins because they don't focus mostly on the paid version at the expense of the free version so I can live with slower updates. OPNsense options are very reasonable and very reasonably priced and you pay per year, not per month like most subscription services, so you have the option even to pay for business edition for 3 yrs in advance.
I don't understand the controversy for the pfSense community updates. Looking at the release table from their docs:
pfSense CE version 2.6: Config rev 22.2
pfSense Plus version 21.x: Config rev 21.7 (latest revision)
pfSense Plus version 22.x: Config rev 22.2 (22.01), config rev 22.7 (22.05)
pfSense CE version 2.7: Config rev 22.7
So basically the Plus version gets the updates faster (in-between full releases), whereas the CE version gets them via full release. I think that's a fully understandable business move. To add to that, the Plus version has the proprietary components which get updates, too. So, because these components are not part of the CE version, there cannot be any updates for them in the first place.
I agree with you that it definitely makes sense from a business point of view to handle releases the way they are. Especially if they want to push people to migrate from CE to +, I mean the Tac lite support is even free at the moment which cost well over a 100 dollars. So they are really incentivizing people to move over from CE.
I guess I am mainly just iterating what many others in the community tend to think. That the project has become more commercialized over the years and that there is less focus on CE. Personally I don't think they will drop CE, as this would probably cause a total riot from the community.
But still these are the perceptions that tend to come up on Reddit or on Lawrence System's comment sections.
@@TheNetworkBerg if they just made an open source version with some closed source modules/plugins (usually enterprise features) the backlash would be negligible. That is not how they introduced it. I think they are somewhat building it from scratch (MVC) so the 2 will diverge over time. Also note the controversy about the state over how “open source” the CE really is. People tried to build the code but failed because important stuff seems missing.
@@edwinkm2016 yeah Edwin, that is a point I have not really brought up in the video as I haven't tried building it myself and I don't want to get pulled into a very bad whirlwind as I have seen discussions on this point be debated at length and get pretty volatile.
just to reiterate my point: pfSense 2.7 has been released on 2023-06-29 with FreeBSD 14 and ConfigRev 22.9. It is essentially pfSense Plus 23.05.1 (most current release mind you) without the Plus features, or rather the Plus variant is pfSense 2.7 with the Plus features added.
try to Execute a Shell Command from OpnSense GUI.
I wonder if there will be a pfSense or OPNSense based on the Linux Kernel? like how Truenas has both BSD and Debian kernels
good video all the way up to the competitor website war is war you and I don't know what happened its a fight which you now sided which is what happened between these 2 firewall companies Duche bag move
Higher end Netgate devices have support for VPP, which is a huge leap in performance that Opnsense doesn't have, to my knowledge.
VPP is only supported on the TNSR platform. TNSR is Linux based whereas PFSense is BSD.
@@feekes Nothing that I have stated was incorrect. Thanks for the info.
Bruh, you can't mention something like "wireguard" and not even give a brief summary of what it does. But great video overall. Thanks!
Opnsense documentation SUCKS ... it's like the short nonsense recipes from Ubiquity.
The dick move alone by pfsense is enough to convince me to go with opnsense, but it overall sounds a bit better anyway, especially the update frequency and openness of the platform. The only notable downside I'm seeing is higher prices for opnsense, but that's a price I'm willing to pay
Nice tutorial video.👍
From what I understand PFSense are going straight to Free BSD 14
It was pushed until the January release.
Be sure to have clear consent before you.. OPNSENSE🫢😆🤣