Part 1 of this article series was about why you want to build your own router, and how to assemble the APU2 that I chose as the hardware to build it from. Part 2 gave some Unix history and explained what a serial console is. Part 3 demonstrated serial access to the APU and showed how to update its firmware. Part 4 detailed installing pfSense, while part 5, the previous one, did the same with OPNsense.
A little overview: In this post I will give you some background information, compare the appearance / usability of both products and then take a look at some special features before giving a conclusion.
pfSense vs. OPNsense: Who wins?
This article is about comparing both products and helping you to make a decision. It is not terribly in-depth, because that task would require its own series of articles (and a lot more free time for me to dig much deeper into the topic). But still there’s a lot you may want to know to get a first impression on which one you should probably choose. If you do some more research and write about it, please let me know and I will happily link to your work!
I want to point out one thing right at the beginning: Both products are good firewall solutions with a heck of a lot of extras. If you have the same goal as I have (building a home router), either will do absolutely fine. That does not, of course, mean that your choice doesn’t matter at all. You can definitely benefit from thinking about it before making a decision. But even the “wrong” decision won’t be horribly wrong. There are a couple of differences and maybe they are important to you. But chances are that both products would completely satisfy your needs.
Sometimes it’s helpful to ask the old question: “Where do we come from?” While this question is usually a philosophical one, in our case it helps to shed some light on our topic. If you do a little reading on the net, you will soon find that pfSense and OPNsense do not like each other much. In fact it’s probably safe to state that they are more or less hostile to each other. OPNsense is a fork of pfSense. Obviously not a friendly fork.
Some pfSense enthusiasts have been spreading information about OPNsense which suggests that the new team has no idea what they are doing. They are said to frequently break important things, and the whole project is portrayed as quite laughable. Or, to put it short: You really should not waste your time with it, and stick to the original. Having liked pfSense for years, I would have believed that, even though you should listen to the other side, too, before doing so. But listening to both sides takes time and effort, both of which were rather limited when I briefly looked into the whole clamor in mid-2015.
Eventually it was the plain hatred of one person, who appeared to really have no life, that made me look at what the other project had to say. This strange guy popped up in every single pfSense vs. OPNsense discussion and threw so much dirt at OPNsense that I could not help but pity him. The fact that pfSense (despite obviously being completely dependent on pf, the packet filter that came from OpenBSD) has a rather bad name with a lot of OpenBSD people for behaving poorly in the past didn’t help to restore my faith in it, either.
According to OPNsense, they were not happy with the code quality of pfSense. They didn’t like the fact that the whole web GUI ran as root (ouch! Every PHP page of the GUI executes with full root privileges, so any code-execution bug in it is a root compromise of the firewall) and wanted to do privilege separation (which is actively work in progress, as I was told). There were also licensing issues when Netgate acquired pfSense, and a bunch of other things. Deciso, a company based in the Netherlands, had been a sponsor of pfSense for years but felt that the whole project was going in the wrong direction after Netgate took a couple of actions. So they decided to fund a fork instead.
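Whether a firewall’s web GUI really runs unprivileged is easy to verify yourself: list the processes and look at who owns the web server and the PHP workers. The following is an added example and not code from this article or from either project. It assumes FreeBSD’s `ps -axo user,pid,command` column layout and that the GUI stack consists of lighttpd, nginx, php-fpm or php-cgi processes (those names are assumptions); it runs over a constructed sample, not output captured from a real pfSense or OPNsense box.

```shell
#!/bin/sh
# Added example (not from the article, pfSense or OPNsense): flag web-GUI
# processes that run as root on a FreeBSD-based firewall.
# Assumed input layout: `ps -axo user,pid,command` (FreeBSD ps syntax).
# The process names matched below are an assumption about the GUI stack.

# Constructed sample of `ps -axo user,pid,command` output; not captured
# from a real firewall.
SAMPLE_PS='USER  PID COMMAND
root    1 /sbin/init --
root  312 /usr/local/sbin/lighttpd -f /var/etc/lighttpd.conf
root  315 /usr/local/sbin/php-fpm --nodaemonize
www   402 /usr/local/sbin/nginx: worker process
www   403 /usr/local/bin/php-cgi -b 127.0.0.1:9000
root  500 /usr/sbin/sshd'

# gui_root_procs PS_OUTPUT
# Prints "user pid command" for every GUI-related process owned by root.
# Exit status: 1 if at least one such process exists, 0 if none does.
gui_root_procs() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                        # skip the ps header line
        $1 == "root" && $3 ~ /(lighttpd|nginx|php-fpm|php-cgi)/ {
            print $1, $2, $3
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# On a real box you would run:
#   gui_root_procs "$(ps -axo user,pid,command)" || echo "GUI runs as root"
```

A non-zero exit status means at least one component of the GUI stack still runs as root, i.e. privilege separation is not in effect for that component; the printed lines tell you which ones. Note that a master process that drops privileges in its workers (the nginx line in the sample) only counts as unprivileged if the workers show up under a non-root user.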
Who is right? There’s probably some truth to both versions. OPNsense has followed a rapid development style, bringing in lots of new features and even making some rather drastic changes. It’s true that, especially in the beginning, there were some problems because of that. But it’s also true that they were quick to react to those. One thing that is not true (or at least not the whole truth, if you will) is that pfSense is the original and OPNsense is a cheap rip-off! What’s the whole truth, then?
Once upon a time… in 2003 there was a new firewall OS called m0n0wall. Manuel Kasper had built it on a stripped-down version of FreeBSD. There had been small firewalls before, but Kasper’s innovation was to put a web GUI on top, so that the firewall’s settings could be controlled from the browser! It did not take long for m0n0wall to take the world by storm. However, Kasper’s project focused on embedded hardware, so it was not long before a fork appeared that targeted more powerful hardware. The fork’s name? You’ve guessed it: pfSense. In 2015 Manuel Kasper officially ended the m0n0wall project (because recent versions of FreeBSD had grown too big to be easily usable for what he did with it in the past). And guess what he did: He gave OPNsense his official blessing and recommended migrating to it and supporting it!
Knowing some background is nice, but what do both products feel like? The first major difference between the two is what they look like. This is pfSense’s main dashboard:
Compare it to OPNsense’s version of the dashboard:
As you can see, OPNsense did a lot to provide the user with a much more modern GUI. Both dashboards are customizable, but it’s hard to argue that OPNsense’s is not superior. To be fair, though: pfSense is working on a GUI overhaul as well.
Let’s compare a couple of the menus. This is pfSense’s “System” menu:
And here’s the one from OPNsense:
While pfSense uses pull-down menus at the top, OPNsense has a navigation bar on the left. As you can see, the two do not have that much in common. This is because OPNsense did not only redesign the GUI but also rearranged which options go where. I find the new arrangement more logical (e.g. with pfSense, logout is in “System” but halt is in “Diagnostics”). But that’s definitely a matter of taste.
Here’s what the “Services” menu from pfSense looks like:
And here’s the corresponding one from OPNsense:
This time there seems to be quite a bit more consensus about what counts as a service. But OPNsense’s version still looks like a cleaned-up one.
Another example is the “Diagnostics” menu in pfSense:
There’s no direct equivalent in OPNsense: it has no top-level “Diagnostics” menu. Instead, as you can see in the “Services” menu above, each section has its own “Diagnostics” entry; the same goes for “System”, “Interfaces”, “Firewall”, etc.
And now for the heart of the whole thing: here are pfSense’s (default!) WAN firewall rules:
Compare that to the same thing from OPNsense:
This is where it shows that both products do have a lot in common: what we see here is basically the same thing. Again, OPNsense simply has the more modern interface.
To end the visual comparison let’s look at the LAN firewall rules from pfSense, too:
And here are the LAN rules from OPNsense:
No surprise here: it’s all very similar, just with interface improvements on OPNsense’s side.
So far it’s mostly a matter of taste. But now on to the technical points. This is where OPNsense shines (which is no wonder, since it’s developing a lot faster). For example, OPNsense is already based on FreeBSD 11.0, whereas pfSense is 10.3-based. However, there are already beta versions of the upcoming pfSense 2.4, which are also based on 11.0 and feature many more improvements.
One major difference between the two is that pfSense heavily customized FreeBSD, while OPNsense believes in the opposite and tries to stay as close to mainline FreeBSD as possible, just adding packages on top of it. I like that approach better: the less the base system deviates from upstream, the less porting work stands between a FreeBSD security advisory and the corresponding firewall update. But again, that’s probably partly a matter of taste as well.
The most important thing for me is that OPNsense entered into a partnership with the HardenedBSD project. One result is that OPNsense lets you choose which crypto library the system is built against, selected as an alternative firmware flavour in the GUI! For me this is the one killer feature. Give me the option to rip out OpenSSL and use LibreSSL instead and I’m sold! However, that’s not even all, yet.
OPNsense: Selecting alternative firmware
OPNsense got HardenedBSD’s ASLR (Address Space Layout Randomization) implementation, which randomizes where the stack, heap and shared libraries end up in memory, so that a memory-corruption exploit cannot rely on fixed addresses. The most recent addition is packages compiled with SafeStack, a Clang/LLVM instrumentation that moves buffers (and other locals that could be overflowed) to a separate “unsafe stack”, so that a stack buffer overflow can no longer overwrite a return address. This is what the most current update notice looks like (it didn’t fit completely on the screen):
OPNsense: Example of an update notice
If you ask me, hardening your router (especially if it ends up as your border router eventually) makes a lot of sense.
There would be much more to write here, but if you’re interested in that, you will probably have to read some of the recent change notes yourself.
OPNsense and pfSense are quite similar in their core functionality. When should you choose which one? Have a look at the pros and cons of each one and decide for yourself!
pfSense:
- + Better-known brand (= more material about it on the net)
- + 2.4 will feature bsdinstall including root-on-ZFS
- +/- Slower development
- – Missing a lot of innovations / security enhancements compared to OPNsense
- – Has been acting quite unfriendly in the past
- – Rather opaque future direction
OPNsense:
- + Already based on FreeBSD 11.0
- + Nice new GUI, sensible rearrangement of items
- + Pushing for privilege separation, uses current technology (PHP 7, Phalcon 3, …)
- + Partnership with HardenedBSD (optional use of LibreSSL, SafeStack, …!)
- + Closer to unaltered FreeBSD
- + Bootstrap script to turn a vanilla FreeBSD installation into OPNsense
- + Multiple languages supported
- + Public roadmaps for future versions
- + Official blessing from m0n0wall founder Manuel Kasper
- +/- Fast-paced development, rapid update policy
- – (Currently) less well-known than its competitor
- – (Currently) installer problems with some USB3 devices
- – Not currently able to install root-on-ZFS
The next article of this series will give an example of an advanced install of OPNsense that lets you use the APU for more than just a router!
22 thoughts on “Building a BSD home router (pt. 6): pfSense vs. OPNsense”
Nice to see a fair comparison that wasn’t sponsored by Netgate operatives to smear OPNsense.
I can say my own personal experience as a service provider, is that the OPNSense folks were fair and willing to work with us to include authentication support for our web filtering services.
Took me a while to approve your comment, sorry for that. It was among those deemed spam by WP.
Well, I’m pretty happy with OPNsense, too. I’ll try out pfSense when they release version 2.4, but I don’t expect them to grow any killer features (even though root-on-ZFS is really nice) that make me switch back. From what I can say so far the OPNsense community is great and the devs are really approachable, too.
Honestly, I wanted to get a fair comparison feature wise of the two and literally the first comparison (the main dashboard) is *at best* disingenuous. Which really just made me stop there. In fact, my pfSense Dash looks much more like the OPN dash, but a nice dark color. I agree the sub-menus are nicer (from your screen shots) but I won’t even finish the article now.
I didn’t promise a feature comparison. From my understanding they are still quite similar in that regard even though the code diverged a lot. Of course such a comparison would be nice, but I didn’t find anything like that on the net and decided to write this post and cover what I can cover. A lot of this is probably obsoleted now with pfSense’s 2.4 release, anyways. Feel free to write a feature comparison. I’ll be sure to read it!
OPNSense certainly has a better GUI and the options appear at a better place in the user interface but there are two things I did not like about it –
1. It installs ALL available packages taking up a larger disk space. pfSense on the other hand requires a minimal installation and allows you to choose which packages to add.
2. Squid and SquidGuard implementation (most useful packages for me) is much poorer in OPNsense when compared to pfSense. This was a real deal-breaker which is why I uninstalled it.
Haven’t done anything with Squid so far. So thanks for sharing your experience. For me the new pfSense version is also appealing as it has dropped the DragonFly installer and it supports installing root on ZFS. We’ll see what happens in this regard in OPNsense land. Competition is good.
Thanks for this article. Now that pfSense is forcing the community edition to upgrade hardware to support AES-NI I will be giving OPNsense a try. I only ever have one VPN session connected at once so software VPN is plenty adequate for me. I feel pfSense’s decision to require this for the community version was a bad one. I’d much rather try OPNsense than shell out an extra $400-1000 for new hardware.
Hi Yazif! Glad that you liked the article. There have been some good things with pfSense and some bad ones. The best new feature for me is full ZFS support (which won’t even be in the next OPNsense version due this month…). However I’m not totally sure what to think of Netgate and what they might plan for the future. This and things like support for LibreSSL made me stick with OPNsense after trying it out. I also found the community to be really friendly and am pretty happy in general.
Actually I had not even noticed that the new version of pfSense requires AES-NI support! Thanks for pointing this out. Well, looks like Netgate would like to sell some of their hardware with pfSense pre-installed. 😉 I totally agree with you that it’s simply not necessary to make this processor feature mandatory. A use case like the one that you mentioned should be perfectly fine without acceleration, after all.
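Before letting a CPU-feature requirement decide the choice, it is worth checking what the CPU actually advertises. The following is an added example, not code from the article, the comments or either project: it parses the `Features2=` line FreeBSD prints at boot (visible in `/var/run/dmesg.boot`) and, going beyond the FreeBSD case discussed above, the `flags` line of Linux’s `/proc/cpuinfo`. The feature lines in the block are constructed samples, not captured from real hardware.

```shell
#!/bin/sh
# Added example (not from the article or from pfSense/OPNsense): decide
# whether a CPU advertises AES-NI by parsing the kernel's feature line.
# FreeBSD:  /var/run/dmesg.boot contains "  Features2=0x...<...,AESNI,...>"
# Linux:    /proc/cpuinfo contains    "flags : ... aes ..."

# Constructed sample lines; not captured from a real machine.
SAMPLE_BSD_WITH='  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x3ed8220b<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>'
SAMPLE_BSD_WITHOUT='  Features2=0x209<SSE3,MON,SSSE3>'
SAMPLE_LINUX_WITH='flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c'

# has_aesni TEXT
# Exit status 0 if TEXT advertises AES-NI, 1 otherwise.  Features are
# compared as whole tokens, so e.g. "PCLMULQDQ" or "aesx" never match.
has_aesni() {
    printf '%s\n' "$1" | awk '
        # FreeBSD style: Features2=0x...<LIST>, LIST is comma-separated.
        /Features2=/ {
            sub(/^.*</, ""); sub(/>.*$/, "")
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux style: "flags : a b c", space-separated, token is "aes".
        $1 == "flags" && $2 == ":" {
            for (i = 3; i <= NF; i++) if ($i == "aes") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# On a real box:
#   FreeBSD: has_aesni "$(cat /var/run/dmesg.boot)" && echo "AES-NI present"
#   Linux:   has_aesni "$(cat /proc/cpuinfo)"       && echo "AES-NI present"
```

Whether the flag is present only tells you that the instructions exist; whether the firewall’s crypto actually uses them is a separate question (on FreeBSD that is the `aesni` kernel module showing up in `kldstat`), and for a single VPN session, as the commenter notes, software AES is perfectly adequate either way.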
Just a quick note: I’ve been one hell of a pfSense guy for many, many years. I just upgraded my box and obviously installed pfSense. But guess what: panics, crashes etc. So I decided to give OPNsense a try, wasn’t in the mood for deep debugging. Surprise! No crashes, no panics, everything just works. Not to mention some really nice features I missed on pfSense, like 2FA and out-of-the-box Suricata.
I’m sticking with it.
I thought I was the only one having instability issues with pfSense 2.4. I admit, with as much configs and tinkering, I should have wiped and config’d from scratch but the last nail in the coffin was when I changed some QoS settings and got a kernel panic.
Had to quickly take pfSense out of line, re-route some cables, and plug straight into the switch.
I’m messing with Sophos right now and it’s light, clean, very responsive. I miss pfBlockerng and the ability to filter by ASN.
I’ll give OPNsense a try.
Another thing that could sway people to use OPNSense is the fact that (since V. 2.4 ?) pfSense is not supporting i386 anymore. I know it’s not a big deal for most, especially power-users, but it’s nice to be able to keep some old HW in use.
I built myself a starter-FW with a cheap used HP Thinclient (32-bit Atom) from eBay and a used dual-Eth NIC.
You could also just install plain OpenBSD and be done with it.
Heh, that way you’d also get the newest Pf, yes. But people install pfSense / OPNsense for one reason: Both offer a nice means of controlling your box via a web-based GUI. While I think that there were projects for a Pf GUI on OpenBSD, I don’t know how far those ever got. If there was a “PuffyWall” project that does kind of the same thing (preferably without PHP…), I’d definitely try it out and write about it! 😉
I’m about to try OPNsense now, pfSense is a nightmare to work with and I’m tired of the attitude from those who know its super secret inner workings.
Haven’t used pfSense in about two years now. I was tempted to try it out again for the love of ZFS, but now OPNsense supports that, too (even though not in the installer, yet). Have things really become that bad? But with the attitude of some pfSense guys – yeah, that’s really a problem. A hard one to fix, though. The OPNsense people are nice and approachable, though. What a contrast!
I just had pfSense go into a loop where it crashes on startup and keeps rebooting, so I tried OPNSense and honestly prefer it by a ton. I even contributed to pfSense’s GitHub and went through the web UI, agreed, the code is garbage lol… I’ll be sticking with OPNSense for a while though.
Word, realized I forgot this part: I was using pfSense development branch so that is kinda to be expected… And it’s running in a VM on a multi-NIC server with some vSwitch magic so it took like an hour to fully swap over haha