#372550 - 22/01/2020 18:12
Firewalls...
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
opnSense or pfSense?
There's a lot of animosity between the two -- so much that it seems to cloud discussion of individual merits, so I'm having trouble figuring out which I should go with.
pfSense -- slower moving (because latest-shiny isn't good for security), pfBlockerNG, proven track record, parent company pulls shenanigans.
opnSense -- more responsive to CVEs (I think?), no pfBlockerNG (but I can run piHole alongside, so meh?), more security conscious architecture? "Better" UI?
The main goal is to open a home server to the internet, in a proper DMZ, possibly with VPN etc.
Anyone have experience with both that can make recommendations?
#372551 - 22/01/2020 22:27
Re: Firewalls...
[Re: canuckInOR]
enthusiast
Registered: 07/01/2002
Posts: 339
Loc: Squamish, BC
Not much help as I've only used pfSense, but I'd say that your list of pros and cons for it is about right.
It's definitely fast (given sufficient hardware) and stable, which is the main thing, of course. My uptime at the moment is 244 days, and I don't think I've ever had a crash.
Updates are few and far between, especially if you don't install beta versions. I'm on the latest stable release, 2.4.4-RELEASE-p3, which was released in May last year; that was also the last time I rebooted the server. The lack of security updates does surprise me a little bit -- I'd kind of expect there to have been a CVE that would have needed a new version release in that period, but I don't follow those things closely so maybe it's all fine?
I do find the UI a pain point, not so much in design as in terms of helpfulness. Even simple stuff like defining static leases for DHCP clients usually ends up with me opening an existing lease in another tab so I can remember the right fields to fill in. 2.4.4 added the fq_codel scheduler for queue management/traffic shaping, which works well to keep latency low when your WAN connection is near capacity, but the traffic shaping 'wizard' in pfSense has no knowledge of it, and to set it up I had to follow a YouTube tutorial, and I still have no clear idea how all the bits I set up link together, although it seems to work. Some of that's probably my fault as I'm a home user who only does things occasionally; I'm sure if you used it every day it would be a lot easier.
Overall I can't fault it for reliability, but I don't much enjoy changing any settings when I need to. I've been tempted to move over to opnSense, but haven't got around to it yet, so I guess I'm interested as well if anyone has experience with both, and whether the grass really is any greener...
#372552 - 23/01/2020 00:29
Re: Firewalls...
[Re: canuckInOR]
pooh-bah
Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
I use both.
My home runs pfSense from before I knew about opnSense. It does everything I need and was OK to set up. I run a few VPNs mainly, as well as have it NAT firewalling, HAProxy and a few basic things like that. Don't use much in the way of pfBlockerNG. I could never find a decent bandwidth counter to simply log incoming/outgoing traffic by IP (something like ntopng). I could never get traffic shaping working nicely, but that's not really pfSense's fault unless it was the confusing GUI. Running it on a fanless Chinese Celeron 1037U router type appliance.
We have a pro grade XG-7100 Netgate appliance running pfSense in our office. Again we haven't gone close to stretching its legs but it does the job. It's reliable. I doubt I will ever see support for SFP copper adapters which they say is an Intel software issue. To be fair they do declare it won't work, but in the same breath say it's a software issue i.e. fixable.
Finally I have a VPN server that runs on a cloud VPS. There I decided to try opnSense. Mainly it's the centre point for the above two plus 4 or 5 other users to connect to our LAN. It's also an IPSEC endpoint for our M2M SIMs. Originally it was set up as our serviced office was behind a NAT firewall and didn't have a routable IP. So it basically became the centre of the network and gave us a publicly routable IP for $4/month.
Sooo.... if I ever had to reinstall my home machine from scratch which is likely as the HD I'm using is dying, I'd almost definitely want to go with opnSense. UI is definitely a nicer place to be and from what I see it will do what I need and as noted seems to get much more frequent updates.
Main thing though with a reinstall on either is it's very easy to reload your config with all settings in one. So that kind of locks me into pfSense in that I don't have to do much work.
Netgate/pfSense guys' attitude really turns me off too. The AES debacle clearly backfired on them significantly for one. And it seems they may have backed down on that. The web page they created discrediting the opnSense guys took the cake. They shot down my mini review of the Celeron I bought above, so I didn't bother finishing it off.
Speed wise they'll be largely the same I expect. General reliability is more hardware related from what I can tell. Get Intel NICs if you can for either as they are generally just better supported than Realtek et al.
_________________________
Christian #40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
#372553 - 23/01/2020 00:35
Re: Firewalls...
[Re: canuckInOR]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
As another home user who only does things occasionally, I like stability. But I also like a UI that's helpful -- a firewall isn't something I want to have to delve deep into web-searches to figure out how to get it working.
#372554 - 23/01/2020 00:41
Re: Firewalls...
[Re: canuckInOR]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Thanks, Shonky. That's the sort of thing I'm looking for. I already have the box with Intel NICs (purchased from Protectli), it's just a question of what to put on it... and I think you've tipped me over the edge to opnSense. Looking at the CVEs, it doesn't seem like there are any more than pfSense, so... *shrug*.
#372555 - 23/01/2020 22:40
Re: Firewalls...
[Re: canuckInOR]
pooh-bah
Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
[quote]As another home user who only does things occasionally, I like stability. But I also like a UI that's helpful -- a firewall isn't something I want to have to delve deep into web-searches to figure out how to get it working.[/quote]
Either one, you're going to need to have some idea what you're doing. Basic setup has fairly easy to use "wizard" type processes, but for anything complicated (e.g. setting up IPSEC or OpenVPN) you're generally presented with a large page of options and so need to understand the basics. They both have a level of help for each option built into the page - I'd consider them fairly equal in that respect. Also if you are using opnSense and need help, don't ignore the pfSense forums. They've been around a lot longer and there's still a lot of good information in there which can be useful for getting a particular setting right. Because of course the underlying applications and OS are all basically the same, the same options will apply. The opnSense forums are still useful though (they just don't have the history) and I can almost guarantee you'll get a nicer response there.
_________________________
Christian #40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
#372558 - 24/01/2020 19:10
Re: Firewalls...
[Re: canuckInOR]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
I (think I) have a reasonable idea of what I'm doing from a high-level point of view, but I'm certainly not a network/IT professional, and I expect to have to do some reading. The nice thing about having a gui, even if it is just a large page of options, is that it's a handy prompt for "read about X", as opposed to just "read everything."
#372559 - 24/01/2020 20:49
Re: Firewalls...
[Re: canuckInOR]
carpal tunnel
Registered: 29/08/2000
Posts: 14491
Loc: Canada
I'm a Linux kernel guru, and I very much prefer a nice router UI for everything that's feasible to do there. The reasoning being, I don't deal with the settings every day, or even every YEAR, so I (the user) cannot be relied upon to remember or figure things out again every time around.
Cheers
#372564 - 29/01/2020 19:26
Re: Firewalls...
[Re: mlord]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Perfectly said. I love linux (and open source in general) -- it's been my daily desktop for over 2 decades, most of that with nothing but a terminal and web browser. And sometimes a terminal-based web-browser, at that. But my desire to learn, and retain the knowledge for something that I tweak once every couple of years is... low. I'm not afraid to dip into the command line on a router, if it's critical, I just don't *want* to.
#372726 - 17/04/2020 08:30
Re: Firewalls...
[Re: canuckInOR]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
So I am up and running with opnSense. It seems... fine? I don't know. I'm just poking around with it at the moment -- double NAT-ing a single machine for the moment, while I check it out.
Which brings me to the next question -- or rather, set of questions...
The intent is to put my ISP-provided MoCA router into bridge mode, followed by the FW (on the WAN port, port0). From FW/port1, I go into a (new) wifi/8-port ethernet router. From FW/port2, I go to my DMZ host (or hosts, as they're VMs running on a single machine). I expect to create a VLAN for each of FW/port1 and FW/port2. What role should the router play? Do I set it as a bridge with DHCP relay, and let the FW act as DHCP server/etc for both VLANs (and their respective subnets)? Or do I let the router be the DHCP server for the LAN? It seems to me that I ought to do the latter -- let the FW dole out IP addresses to machines it's in direct connection with, let the router dole out IP addresses to machines it's in direct connection with.
Is this a 6-of-one, half-dozen of the other type thing?
#372727 - 17/04/2020 13:39
Re: Firewalls...
[Re: canuckInOR]
old hand
Registered: 27/02/2003
Posts: 776
Loc: Washington, DC metro
I've lost track of your devices... I think you're saying your FW has three interfaces: two LAN ports, one for inside and one for dmz (so each is a separate physical LAN), and WAN attached to the ISP box (which is in bridge mode). If so, are you making additional VLANs on inside and/or dmz or are you just working with the one LAN on each?
Is the "(new) wifi/8-port ethernet router" routing or just acting as a switch for your inside LAN, attached to the FW/port1?
Or am I completely confused?
Regardless, I'd personally prefer to keep all the DHCP on one device for simplicity. I hate having to keep track of the subtleties of two different user interfaces.
#372728 - 17/04/2020 17:49
Re: Firewalls...
[Re: jmwking]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
[quote]I've lost track of your devices... I think you're saying your FW has three interfaces: two LAN ports, one for inside and one for dmz (so each is a separate physical LAN), and WAN attached to the ISP box (which is in bridge mode).[/quote]
Yes, that's correct. It's a 4-port Vault from Protectli. I don't have anything planned for the 4th port, yet.
[quote]If so, are you making additional VLANs on inside and/or dmz or are you just working with the one LAN on each?[/quote]
I was planning on making each non-WAN port on the FW have its own VLAN. But your question makes me think I'm misunderstanding VLANs (and networking) a little. I've been operating on the assumption that all of the ports on a single device are part of the same data link layer, where the truth is, each port is part of a single data link layer, and the device encompassing those ports that knows how to shuffle data from port1 to port2 is part of the network layer. It's been a long time since my networking class in university.
[quote]Is the "(new) wifi/8-port ethernet router" routing or just acting as a switch for your inside LAN, attached to the FW/port1?[/quote]
Hmm. No. I need it to provide ethernet points, and wifi. So I think access point mode is sufficient, and I don't need it to provide routing. But what I was reading about DMZs earlier is that it's better to have a dual-router/FW configuration. So I hadn't ruled that out.
[quote]Or am I completely confused?[/quote]
I'm sure if you're confused, it's only a result of my own confusion...
[quote]Regardless, I'd personally prefer to keep all the DHCP on one device for simplicity. I hate having to keep track of the subtleties of two different user interfaces.[/quote]
That is a very good point.
#372729 - 17/04/2020 22:45
Re: Firewalls...
[Re: canuckInOR]
old hand
Registered: 27/02/2003
Posts: 776
Loc: Washington, DC metro
Got it now.
Didn't ask earlier: do you need DHCP in your dmz?
In a dual setup, getting the DHCP requests and replies through the inner router/firewall would require some sort of permission/forwarding setup on it (I don't know if there are meaningful dhcp exploits) but otherwise should work fine.
That said, I'm not sure how much having two firewalls really helps - though I'm often that figurative belt-and-suspenders guy. I think most trouble gets pulled back in via phishing or malware from actively visited web sites (and their ad servers), rather than pushed in through a compromised firewall. Educated users rock!
#372730 - 17/04/2020 23:54
Re: Firewalls...
[Re: canuckInOR]
pooh-bah
Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
I'm confused too; I don't understand the double router bit. Also I don't think you need VLANs if your LAN and DMZ are different segments anyway. I'm assuming you have 3+ NICs in total on the opnsense box (you do - missed that bit).
So...
modem (bridge) goes to opnsense WAN
opnsense LAN interface goes to your LAN switch
opnsense DMZ interface goes to your DMZ machine
Wifi is just in AP mode on LAN segment.
So you run two separate DHCP ranges - one on each of the LAN and DMZ interfaces. Then just route what you want between DMZ and LAN on opnsense.
Edited by Shonky (17/04/2020 23:55)
_________________________
Christian #40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
#372734 - 20/04/2020 20:50
Re: Firewalls...
[Re: jmwking]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
[quote]Got it now.
Didn't ask earlier: do you need DHCP in your dmz?[/quote]
I don't think so. I only have a machine or two going in the dmz, so I don't mind setting up static routes for them.
[quote]In a dual setup, getting the DHCP requests and replies through the inner router/firewall would require some sort of permission/forwarding setup on it (I don't know if there are meaningful dhcp exploits) but otherwise should work fine.[/quote]
It would certainly make the configuration more complex. So it comes down to paranoia vs. complexity...
[quote]That said, I'm not sure how much having two firewalls really helps - though I'm often that figurative belt-and-suspenders guy. I think most trouble gets pulled back in via phishing or malware from actively visited web sites (and their ad servers), rather than pushed in through a compromised firewall. Educated users rock![/quote]
Well, the second firewall is less about the first firewall being compromised, and more about a machine in the DMZ being compromised, and then being used as the launching point for the internal network.
#372735 - 20/04/2020 21:03
Re: Firewalls...
[Re: Shonky]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
[quote]I'm confused too; I don't understand the double router bit.[/quote]
Router A is the MoCA adaptor. Router B is a wifi+8 port router for the internal network AP. And there's the FW, which is also (I suppose) a router. So I think my real question was what the heck do I do with all the routers? Router A gets turned into a bridge. And then since the FW has mostly the same services as Router B (only for both the internal network and the DMZ), is there anything left for Router B to do? Or, because the FW has access to the DMZ, do I keep it from providing services to the internal network, and let Router B do that?
[quote]modem (bridge) goes to opnsense WAN
opnsense LAN interface goes to your LAN switch
opnsense DMZ interface goes to your DMZ machine
Wifi is just in AP mode on LAN segment.
So you run two separate DHCP ranges - one on each of the LAN and DMZ interfaces. Then just route what you want between DMZ and LAN on opnsense[/quote]
Sweet. That's where I ended up last night. (Except for the part about the DMZ, because I haven't started working on that side of things, yet). Thanks for the suggestions, everyone!
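The three-segment layout Shonky sketches (modem in bridge mode on WAN, one firewall interface each for LAN and DMZ, separate DHCP scopes, and only chosen traffic routed between DMZ and LAN), together with canuckInOR's concern that a compromised DMZ host could be used as the launching point into the internal network, written out as a pf ruleset. This is an added example for this thread, not configuration from OPNsense, pfSense or any poster; the interface names (igb0/igb1/igb2), subnets, DMZ host address and the published service are assumptions. Both products drive pf through their GUI and evaluate interface rules top-down, first match wins, so the thing to check in your own rules is the same as here: the DMZ-to-LAN block has to sit above any DMZ rule that passes traffic "to any".

```pf
# Added example ruleset in pf syntax (the packet filter under both OPNsense and
# pfSense). Interface names, subnets and the DMZ host address are assumptions.
ext_if  = "igb0"               # WAN, cabled to the MoCA box in bridge mode
lan_if  = "igb1"               # LAN, cabled to the switch / wifi AP
dmz_if  = "igb2"               # DMZ, cabled to the machine hosting the VMs
lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
dmz_web = "192.168.20.10"      # the one DMZ host published to the internet

set skip on lo0
scrub in all

# Outbound NAT for both segments; a single port-forward publishes HTTPS on the DMZ host.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $dmz_web port 443

# Default deny, logged; everything below is an explicit exception.
block log all
antispoof quick for { $lan_if, $dmz_if }

# WAN: admit only the forwarded service, and only to the forwarded host
# (rdr has already rewritten the destination by the time this rule is evaluated).
pass in quick on $ext_if proto tcp from any to $dmz_web port 443

# DMZ: a compromised DMZ host must not be able to open connections into the LAN.
# Rules are first-match, so this block MUST come before the DMZ pass rule below;
# with the two lines swapped, "to any" would match first and DMZ could reach the LAN.
block in log quick on $dmz_if from $dmz_net to $lan_net
# What the DMZ host legitimately needs outbound: DNS, NTP and web/package updates.
pass in quick on $dmz_if proto { tcp, udp } from $dmz_net to any port { 53, 80, 123, 443 }

# LAN: DHCP discovers arrive from 0.0.0.0, so they need their own rule ahead of
# the $lan_net rules (the GUI adds this one for you when its DHCP server is on).
pass in quick on $lan_if inet proto udp from any port 68 to any port 67
# Manage the DMZ host over SSH; otherwise the LAN may reach everything except the DMZ.
pass in quick on $lan_if proto tcp from $lan_net to $dmz_web port 22
pass in quick on $lan_if from $lan_net to ! $dmz_net

# Let forwarded packets leave on each interface; "pass" keeps state, so replies
# to every connection above are matched by the state table, not by rules.
pass out quick on { $ext_if, $lan_if, $dmz_if }
```

The DMZ host still answers the LAN's SSH session and the internet's HTTPS connections because pf tracks those as state created by the LAN-side and WAN-side pass rules; it only loses the ability to start anything towards the LAN, which is the property the second firewall was meant to provide. If a DMZ VM later needs something from the LAN (a backup target, say), add one narrow pass rule for that host and port above the block line rather than relaxing the block itself.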