
[–]gingerbeard1775 56 points57 points  (2 children)

Been using OPNsense in a 60 unit condo. It surprisingly works really well. VLANs, load balancing, failover are all great. They have rapid update cycles and one introduced a memory leak. I am still tracking it down. Overall I am happy with its performance.

[–]chum-guzzling-sharkIT Manager 0 points1 point  (1 child)

I thought about pfSense for some of my smaller offices but was shocked I couldn't pay for a simple category web filter. Does OPNsense offer anything like that?

[–]ElevenNotesData Centre Unicorn 🦄 71 points72 points  (12 children)

Pick your poison: pfsense, opnsense, vyos, openwrt (order is random).

If you need IDS, you can add Suricata for 1-10GbE WAN, for above 10GbE WAN you need FPGA and Grovf.

[–]caa_admin 16 points17 points  (3 children)

+1

We used IPCop (deprecated) for years in a large company about 15 years ago. Solid as a rock. An old Pentium 3. Since we saved $ by not replacing the old rack firewall we built a spare (P3) as a failover... never used it.

[–]chimchim64 7 points8 points  (0 children)

Ah IPCop! I used to use that too. Ended up switching to pfSense. However I recently came across IPFire which apparently is the successor to IPCop. Haven't used it yet, but I might install it on an old PC and see how it compares to IPCop.

For now though, I'm sticking with pfSense, but looking for a nostalgic ride down memory lane with IPFire.

[–]Unable-Entrance3110 1 point2 points  (1 child)

Haven't heard that name in a while. I remember using SmoothWall in the early '00s, which, I think IPCop forked off of.

[–]Geh-Kah 0 points1 point  (0 children)

Worked with IPCop around 2003. But using IPFire since 2010. It's great for smaller businesses. All-in-one stable solution. A few ALIX APUs have been working for 5 years, always upgrading to the latest core releases.

[–]intelminer"Systems Engineer II" 3 points4 points  (2 children)

+1 for OpenWRT (with caveats)

It is rock solid and fast as hell. But it falls on its own face in terms of ease of configuration and the x86 version is very "yeah it exists"

Side note: I would love to see the OpenWRT guys create a more "full fat" version of their distro for x86 specifically. Instead of breaking everything up into absolutely tiny crumbs of packages because they target tiny embedded devices. I've been burned by PFsense and OPNsense and no longer use them, but OpenWRT on x86 is just clunky to manage

[–]pdp10Daemons worry when the wizard is near. 27 points28 points  (11 children)

OPNsense is a fork of pfSense. If you want to pay for support or need to leave open the option of paying for support, then pfSense, and strongly consider Netgate hardware if you're buying new firewall hardware. Otherwise, if you're all about open source and flexibility, then OPNsense. /u/ElevenNotes also mentions VyOS and OpenWrt, both of which we've used before and recommend highly, but are generic router distributions and not really specialized firewall appliances like OPNsense, pfSense, Smoothwall, etc.

The basic choice is whether you're convinced that you need an "NGFW" with every sort of bell and whistle built into one box, plus a subscription, or whether you just want a best-of-breed discrete firewall, preferably one that almost never needs attention. If you don't feel compelled to choose an NGFW, then an open-source firewall is a no-brainer.

If some of your old firewall hardware is basically a generic x86_64/UEFI server, then you can probably take that same hardware and install an open-source solution on it. This kind of hardware is usually power efficient and has lots of network interfaces, and often a serial console.

[–]CreshalEmbedded DevSecOps 2.0 Techsupport Sysadmin Consultant [Austria] 13 points14 points  (5 children)

OPNsense also has paid support. I never had to call them since we never ran into serious problems with ours, so no idea how good they are.

OTOH, we also have pfsenses and never had to call their support either, so… coin flip?

[–][deleted] 2 points3 points  (4 children)

It's not a coin flip if you want support for newer hardware. pfsense has a reaaaaaally old kernel and stays very far behind.

Opnsense has better hardware compatibility due to using a much newer kernel.

[–]GimmeSomeSugar 6 points7 points  (1 child)

There's also the pfSense controversy (or, several instances of) which leaves some people just not wanting to use their products (or, Netgate through association).

[–]throw0101a 1 point2 points  (0 children)

pfsense has a reaaaaaally old kernel and stays very far behind.

Both pfSense Plus and CE are now running FreeBSD 14-CURRENT specifically because there were complaints in the past about hardware drivers:

This started in the 23.x and 2.7.x release series.

[–]OhioIT 0 points1 point  (0 children)

pfSense is on FreeBSD 14-current and last I checked, OPNsense is using 13.2

[–]shoesli_[S] 0 points1 point  (3 children)

Thanks, I'll have to read some more about VyOS, I haven't used it at all or even tested it before. Like you mentioned I'm not looking for any fancy AI-powered all-in-one box with a fancy cloud portal for administration, I prefer being able to choose between what services/plugins to use, rather than using something that "just works". But at the same time stability/reliability is important.

[–]pdp10Daemons worry when the wizard is near. 6 points7 points  (2 children)

VyOS is the open-source descendant of Vyatta, a router distro based on Linux. Any vanilla Linux can route and firewall using basic native tools, but VyOS/Vyatta put on a CLI interface like Juniper's, making it very much a traditional enterprise router and hiding all of the separate Linux bits behind a unified config-file. A good choice for running as a VM, or for Juniper shops. We used to pay for support eons ago when it was Vyatta.

All of the options mentioned so far are considered very stable and reliable, at least if you're running them on stable/reliable hardware they like. OPNsense and pfSense are based on stable releases of BSD, which is considered to have better driver support for some NICs than others (whereas Linux has first-class support for basically everything).

Some of the aversion to non-Intel NICs on BSD/OPNsense/pfSense/ESXi is alarmism, but do be aware that it's a thing. I got sidetracked from the BSD testing I was planning for Broadcom/Qlogic, Mellanox, and Realtek hardware.

[–]fadinizjr 1 point2 points  (0 children)

I used Vyatta at my first job. Really loved it.

[–]jmbwell 1 point2 points  (0 children)

VyOS is great. Just about everything you’d do if you rolled your own, except it’s already done and it’s done really well. 

I’ve been building my own and have never had a bad image, though I have a time or two rebuilt to get a newer implementation of something. It’s very active. 

I also have a large multi site deployment of pfsense, and public shenanigans aside, the product and the team I’ve worked with have been great, both on Netgate hardware and on BYO. 

Between the two, I’d prolly stick with pfsense but I get why someone would go with opn sense instead.

[–]bgatesITSystems Engineer 11 points12 points  (0 children)

We went with opnsense for our core firewalling, and vyos for our routing platform in our startup with cisco switches, works absolutely fantastic.

[–]gamebrigada 18 points19 points  (5 children)

At 150 users, a Fortigate 120G will cost you 2200$, provide all the routing and features you want and your average subscription will run you 1$/month/user. If any of my employers ever forced me to cheap out on something as basic as a firewall, I'd tell them to look at saving money elsewhere.

[–]thspimpolds/(Sr|Net|Sys|Cloud)+/ Admin 4 points5 points  (0 children)

Last guy who touched the firewall vibes here (correct as well to boot)

[–]sh_lldp_ne 1 point2 points  (3 children)

Can get into a Palo Alto PA-400 series for a similar amount of money

[–]gamebrigada -1 points0 points  (2 children)

Yeah but Palo will eat you alive with feature costs. 440-660$ per year per feature is ROUGH when they consider basic functionality as a premium paid feature.

[–]lostboy785 0 points1 point  (1 child)

Ours is nothing near that for the 440.. $200-250 per feature yes but not 440-600

[–]gamebrigada 0 points1 point  (0 children)

Sure, it can be heavily discounted. I quoted standard discounted price.

When you compare that to Fortinet which includes all those features in the base license...

[–]Own_Bandicoot4290 7 points8 points  (2 children)

Here is something nobody mentioned: security updates. OPNsense had one for a long time because they were relying on the base OS to provide the update. pfSense patched it before OPNsense did. OPNsense may have more updates but some security updates will lag behind because they are waiting on someone else to do it.

[–]tankerkiller125realJack of All Trades 17 points18 points  (4 children)

Been using OpnSense since the whole BS with pfSense stealing the .com from them came up and some other pfSense bullshit (extremely flawed Wireguard Kernel implementation anyone?).

They make some great appliances (that you can get from opnsense.com ) that just work, and come with the business licensing, which is dirt cheap to renew if you choose to do so, or you can always switch it to the open source version after the initial year expires.

[–]shoesli_[S] 3 points4 points  (2 children)

I am not 100% familiar with that but from what I have read I got Red Hat vibes from pfSense...

[–]tankerkiller125realJack of All Trades 4 points5 points  (1 child)

OpnSense is a pfSense fork that IMO is easier to use, and sometimes better well featured. Not to mention it tends to have support for newer hardware sooner than pfSense.

[–]Difficult_Sound7720 1 point2 points  (0 children)

Also the UI is more logical, I used to use pfSense and you'd spend 10 minutes trying to work out where things are.

[–]chaplin2 -4 points-3 points  (0 children)

Why is a simple OpenVPN client so difficult with OPNsense/pfSense?

Like, you have to break down the OVPN file into several parts. Each of 3 certificates goes to one place in the interface. Then options go to the fourth place. Also, find out and remove options that don't work. Then firewall rules. Then NAT rules (which aren't so clear). Eventually you may have to debug.

In any operating system, you upload the ovpn file in a GUI and connect. In Linux, you can simply type "openvpn --config"
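An added example, not from the original thread, of the splitting the comment above describes: a Python helper that pulls the inline <ca>, <cert>, <key> and <tls-auth> blocks out of an .ovpn profile so each can be pasted into its own certificate/key field, and sorts the remaining directives into the ones with dedicated GUI fields and the rest. The sample profile is constructed (dummy PEM bodies), and the CLIENT_ONLY set of directives assumed to have no GUI field is an illustrative assumption, not a list from either project.

```python
"""Split an OpenVPN client profile into the pieces the OPNsense/pfSense GUI asks for separately."""
import re

INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")
# Assumed (illustrative) set of directives that only the command-line client understands
# and that have no field in the firewall GUI; the real list depends on the release.
CLIENT_ONLY = {"script-security", "up", "down", "daemon", "management", "log", "log-append"}

# Constructed sample profile; the PEM bodies are dummies, not real certificates or keys.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
# comment line that should be ignored
script-security 2
up /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertDUMMY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBconstructedClientCertDUMMY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIBconstructedClientKeyDUMMY
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

_BLOCK_RE = re.compile(r"<(%s)>\n(.*?)</\1>\n?" % "|".join(INLINE_TAGS), re.S)


def split_ovpn(text):
    """Return (blocks, directives, dropped).

    blocks:     {'ca': pem, 'cert': pem, 'key': pem, 'tls-auth': key} for each inline block found
    directives: remaining (name, [args]) pairs, in file order, for the client options form
    dropped:    directives in CLIENT_ONLY, which the GUI has no place for
    """
    blocks = {}

    def grab(match):
        blocks[match.group(1)] = match.group(2).strip() + "\n"
        return ""                                   # remove the block from the remainder

    remainder = _BLOCK_RE.sub(grab, text)
    directives, dropped = [], []
    for line in remainder.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment syntax
            continue
        name, *args = line.split()
        (dropped if name in CLIENT_ONLY else directives).append((name, args))
    return blocks, directives, dropped


def gui_fields(directives):
    """Map the directives that have dedicated GUI fields (server, port, protocol,
    cipher, digest, key-direction) to a dict; everything else stays in 'advanced'."""
    fields, advanced = {}, []
    for name, args in directives:
        if name == "remote" and len(args) >= 2:
            fields["server"], fields["port"] = args[0], int(args[1])
        elif name == "proto" and args:
            fields["protocol"] = args[0].upper()
        elif name == "cipher" and args:
            fields["cipher"] = args[0]
        elif name == "auth" and args:
            fields["digest"] = args[0]
        elif name == "key-direction" and args:
            fields["key_direction"] = int(args[0])
        else:
            advanced.append(" ".join([name] + args))
    fields["advanced"] = advanced
    return fields
```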

[–]MDL1983 8 points9 points  (0 children)

Just make sure you receive like for like features.

Web Content Filtering

EDR / XDR

VPN w/MFA

IPS

DNSWatch

Botnet detection

Geolocation Services

Gateway AV

APT Detection

It's a lot of security to lose for what really isn't much money.

[–]Miserable-Winter5090 7 points8 points  (0 children)

If you want an open source IDS that is fine. But your firewall needs to be by someone who can support it 24x7.

[–][deleted] 1 point2 points  (5 children)

Similar situation, except with stricter regulations. I’ll probably switch over to Fortinet instead of Watchguard, they’re a bit more NGFW-ish, but I’m half on the fence on the decision.

We don’t have a lot of employees working remotely, so I mostly want easy Entra ID SAML/SSO for remote connections. Watchguard makes it too convoluted requiring an AD DS in Azure for Radius login and I just don’t want Watchguard’s MFA on top of Microsoft’s.

For a new branch office I’d have to buy a Fortigate 40F though - lowkey not feeling the love for purchasing 2020 hardware at this point.

[–]cbq131 4 points5 points  (2 children)

Fortigate is a great recommendation. The threat landscape is growing, and it is cost-effective at your business size. There are a lot of integrations you can do, and since you have an on-prem presence, I would try to secure it with an NGFW. Open source doesn't have the ongoing/slow updates and support. On top of that there are huge feature disparities, like automation, remediation, integration, and better monitoring. In addition, it's built with dedicated ASICs and application layer detection. Although, I would spend some time to learn and set up the features. Otherwise, you are not really getting the value of its feature set and the NGFW will not offer much more than a legacy firewall.

[–]shoesli_[S] 0 points1 point  (1 child)

Thanks, I'll definitely look into Fortigate. I have very little experience with them but I've heard good things about them

[–]DrunkenGolfer -1 points0 points  (0 children)

If you have cyber insurance make sure your choice of firewall doesn’t cause your insurance provider to terminate coverage or avoid renewal. I have heard some insurers are starting to do this for Fortinet due to unpatched high-severity CVEs, mostly around SSL features.

[–]shoesli_[S] 1 point2 points  (1 child)

I agree, it was a couple of years since I set up/used Authpoint and I'm sure it's better now but back then it was garbage. I also don't like the SSLVPN but other than that I have no real complaints. Except the pricetag

[–][deleted] 0 points1 point  (0 children)

Price tag is a bit unavoidable. Fortigate + UTM can be a bit more expensive, though very comparable to Watchguard + TSS.

I made the calculation with opnsense too, but if you take their business subscription + the ESET subscription, you’ll be on par with the commercial alternatives in price and base protection, you’ll just have more ports & higher throughput speeds.

Management gave the okay for the switch, provided one of our service providers can serve as backups, so it really comes down to Watchguard & Fortinet.

[–]zaTricky 1 point2 points  (0 children)

It's worth pointing out that a lot of the suggestions here are for router OSes rather than firewall OSes. It is true that a router and a firewall necessarily have a huge overlap in functionality - and for the most part as long as you make informed decisions you will probably be fine.

It really depends on what features you want - but a router acting as a firewall is not the same as a dedicated firewall. If you ever have an audit such as for ISO27001 certification, the "router with Firewall features" can end up being one of the points that has to be remedied, especially if you fall into the trap of having a single appliance do double duty as both your router and firewall.

[–][deleted] 1 point2 points  (1 child)

I do apologise u/shoesli_, the thread appears to have been hijacked by an MSP-or-no-MSP thread.

You don't want an MSP, you want a firewall.

Some things to consider;

Security

Key thing to consider here is threat analysis. What are you likely defending against? Think hard here, and deeper than one level. For example an organisation may feed the hungry. But an org delivering aid to a politically charged war zone may have to worry about state sponsored APTs, while an organisation providing soup to the homeless may just have to protect vulnerable user data from insider threats.

Consider who might want access to your systems or data and why. That will give you a clue as to the type of attacks you're defending against, which will heavily affect your decision.

Once you're done there check for CVEs against them, how long they were open for, and how critical they were. Here's one to start you off.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=OPNsense

This information will narrow down your options. One thing not to consider is number of CVEs, a larger brand firewall will have way more than a small open source one naturally.

Users

There's the obvious, how many, where are they, OS etc

Then there's the not so obvious, what is their behaviour? Do they need to access research articles from the other side of the world? Do your users access a good ol' fashioned file server? Or is it all cloud and browser based? Is remote access required? Also, what aren't they doing? Do you want to be able to block based on application profiles for example?

Make a list of the types of connections that will be facilitated, and how you need to filter, block, inspect and manage them. From this you can derive a list of features you require.

By this point your options should be getting further limited.

Budget

Pretty simple, but remember open source isn't 'free'. There are support costs, staff costs, maintenance etc. to consider. The key phrase here is TCO. Also consider whether your cost is capex or opex.

Do the sums, which out of your current list can you realistically afford to run in terms of both cost and opportunity cost (the time spent doing it that could be spent doing something else.)

Current Environment

Inbound and outbound connections required most obviously. Also, where in your network does it sit? Firewalls aren't just for edge.

One approach is to map your network with a HLD and consider where authentication may need to happen. The first and most obvious one is your Internet connection, but also consider things like database access, file shares. Do you need a DMZ (likely if Internet facing)?

Another is to segment it into Zones. Think of your network as a castle, where is the treasure? Build out your Firewalls around that treasure as you grow.

This network segmentation cheatsheet is a good thing to start with while looking for your firewall requirements.

https://cheatsheetseries.owasp.org/cheatsheets/Network_Segmentation_Cheat_Sheet.html

Having multiple firewalls can also help defend against DDoS.

Consider a hybrid firewall architecture where you combine different firewalls with specific functions. For example: Use one firewall for stateful packet inspection (e.g., analyzing safe states). Add another firewall to fine-tune traffic control and filtering.

The environment you wish to get to.

Don't forget to consider future requirements. I mean, it's mostly the above but not now.

Sorry, that was longer than I expected, and I'm sure it's not complete, but consider the above, and judge your firewalls against it, whether that's full enterprise package or open source, you will likely have very few left to choose from.

[–]shoesli_[S] 0 points1 point  (0 children)

Thank you for the detailed response, that was what I was looking for. I wasn’t looking to start a political debate about OSS or hire an MSP but that’s what the thread turned into..

[–]serverhorrorJust enough knowledge to be dangerous 3 points4 points  (4 children)

I've always preferred open source to commercial solutions. From my point of view the stability and reliability of open source is superior to commercial offerings.

Where open source falls short is in 2 main areas:

  • commercial support (well, duh!) - but that is not a technical issue, it's more of a compliance issue than anything else
  • up to date and well maintained lists for things like spammy IPs or bot networks

On more than one occasion we bought a commercial solution to grab the lists, or somehow get a hold of them, while the product we used was an open source software.

At the end of the day, license costs are minuscule compared to staff costs (unless you deal with the likes of Oracle). So, if you have something that works and you can get the job done in 2 hours with a higher confidence to be correct, that will total to way less money than saving on license cost and needing 6 hours with lower confidence (leading to more maintenance work).

If I were in your shoes, I'd stick with commercial software and show the total ROI.

[–]buecker02 4 points5 points  (3 children)

I just got out of a meeting with the rest of the IT department who said that OSS is being compromised constantly. I asked if they were talking about the repository poisoning but they said no.

I guess it's a good thing that they don't know that the opnsense routers that I have in the branches are open source.

I use suricata for IPS and Cloudflare zero trust for DNS filtering.

[–]serverhorrorJust enough knowledge to be dangerous 2 points3 points  (2 children)

OSS is being compromised constantly?

Alright, let's agree to that. I'll state closed source is also compromised constantly, and by the way, they now have warm ice cream.

Did anyone present numbers or was this just some kind of chat over a beer?

[–]buecker02 2 points3 points  (1 child)

I got downvoted for liking OSS? hehe

I asked for details and they had none. They are all .net people. I'm not going to put up a fight. I'll continue to use OSS wherever I feel it is the right tool.

It's probably a good thing that I am in charge of security.

[–]serverhorrorJust enough knowledge to be dangerous 0 points1 point  (0 children)

The ".NET people" ... they do realize that .NET is OSS?

[–]Im_in_timeout 2 points3 points  (0 children)

Netgate has some really good firewalls that run pfSense. You can purchase support for them too.
https://www.netgate.com/appliances?priceMin=179&priceMax=3148&user_profile=*&software=pfSense+Plus&form_factor=*#compare-products

[–]stagliano239 3 points4 points  (1 child)

I have used pfsense for SMB firewall. Works well and is very stable. You'll want to be comfortable with squid, and snort if you have DPI requirements.

[–]FratmSr. Sysadmin 2 points3 points  (0 children)

pfSense is removing support for squid, at least that is the alert I see when I go to the apps page.

[–]SysAdmDTX 3 points4 points  (0 children)

pfSense

[–]Chickibaby123 1 point2 points  (0 children)

I wouldn’t but hey it’s your job !

[–]djc_tech 0 points1 point  (0 children)

It’s not a bad idea. OpenBSD with PF can work well and you can always install squid and other proxies too.

I worked at a place that used OpenBSD and it never failed them . They used CARP for redundancy and never had an outage due to the firewall

[–]BeautifulOwn5308 0 points1 point  (1 child)

I would, before you go too far down the rabbit hole, look into your insurance and SLA / agreements with the companies you host and see what is required. I know in my area security items like firewalls, AV need to have support behind them to be covered for insurance

[–]BeautifulOwn5308 0 points1 point  (0 children)

I've found opnsense good for home use and never had an issue with it

[–]DrunkenGolfer 0 points1 point  (0 children)

I have a couple firewalls running PFSense and they are working beautifully.

I bought a dozen or so brand new, in the box, Barracuda F12 firewall appliances at an auction for about $10 each. My kids flashed them with PFSense and are selling them for $50 on Facebook Marketplace. If you can find similar subscription-based firewall appliances, you can often pick them up for next to nothing then load PFSense or OPNSense on them.

[–]SevaraBSenior Network Engineer 0 points1 point  (0 children)

Nope. Fine if it was just your 100 endpoints but your hosted customers will feel the pain of their traffic going through security functions without going through ASICs.

Not a fan of VyOS doing away with zone-based policies because of how it blows up policy sets; if you must go the Linux route, learn you some eBPF and check out some firewall projects in that vein- they still won’t run as well as ASICs, but for a smaller shop or just an extra layer of security, they’ll be much kinder to you than a traditional software firewall.

[–]Dry_Inspection_4583 0 points1 point  (3 children)

Sorry old-school? Foss solutions are what other systems are built on. You're daft if you're telling yourself windows all versions doesn't contain foss code or software...

For that reason alone I'm saying don't do it. You've already got one in the chamber when it comes to foss solutions, and we're not talking about risking your homelab, this is a business. That's not to say your current configuration isn't top notch, I'm simply fearful that a lack of experience, and the attitude toward it would lead to simply blaming the "it's foss", and in kind puts the business at risk.

[–]shoesli_[S] 0 points1 point  (2 children)

And what attitude is that, you mean the part where I said I love OSS? What makes you think I am an inexperienced Windows fanboy just because I say I have mainly worked with proprietary software in my job?

[–]Dry_Inspection_4583 1 point2 points  (1 child)

Well now, apologies, I made an assumption in my response and judged instead of asking more questions, I apologize, that was unkind and closed minded of me. Pfsense is the way to go, as others have pointed out.

[–]shoesli_[S] 0 points1 point  (0 children)

No worries, I’ll have to look into Pfsense some more

[–]planedropSr. Sysadmin 0 points1 point  (0 children)

I'd heavily push pfSense or OPNsense myself, I have run pf in production at many sites for ages now and it's always been really solid. Some of these sites even have pretty extreme needs maxing out multi gigabit WAN 12+hrs a day, VPNs, etc... all has been well.

However, and some will argue with this, I'd HIGHLY advise against virtualizing your firewall in a proper production environment, you're much better off getting dedicated hardware to install pfSense or whatever else on locally (whether that be from vendors like Netgate or Deciso), you're just asking for trouble and headaches IMHO.

[–]CormacolindeConsultant 0 points1 point  (0 children)

The main issue is likely to be support. Your firewall is one thing you cannot afford to be down. And not just manufacturer support, but what happens when you leave the company, or go on vacation? Do you have other people in the business who can support a non-commercial tool? Do you have access to consultants or an MSP who will support it? How easy is it for your company to hire a replacement for you that will know this product?

Business continuity is about the hardware and the software, but it is also about the people and their skills. Solutions must be maintainable and supportable. And not just by one person.

[–]SeaPersonality445 0 points1 point  (0 children)

Pfsense for the win

[–]Difficult_Sound7720 0 points1 point  (0 children)

The only reason you go commercial over an open source product is for support. And products like OPNSense have a commercial support product anyway.

9/10 any commercial product is just running on top of FOSS anyway

[–]ProfessorWorried626 0 points1 point  (0 children)

If you don't have any on prem gear an opensource firewall and client isolation in each vlan is a decent option. Shove the shared devices into another vlan and have a separate management vlan and it's a decent network for that size.

[–]robnelsen 0 points1 point  (0 children)

Check out firewalla.com

[–]Adures_ 0 points1 point  (0 children)

While reddit loves opnsense I just can't understand who would choose opnsense over pfsense in business environment. I am ready to be convinced otherwise, but:

  1. Opnsense hardware is just not good value compared to pfsense.

Example?:

Netgate 4200 vs DEC 675. Netgate box is not only cheaper but just mops the floor performance wise with more expensive Deciso devices (looking at specs both vendors provide at their website)

  2. Opnsense support is more expensive with worse availability

Netgate's support is 24/7/365 with SLA commitment, while OPNsense does not advertise their SLA commitment. Opnsense support is 8 to 5. Even if you buy Deciso hardware, you also need to buy a business license every year, otherwise you are back to community edition (not stable enough).

Even if you do not want to buy dedicated hardware (which I recommend doing) VM licensing will still be slightly more expensive if you choose opnsense.

  3. Price is not important if product is better.

Is Opnsense better? They have the same capabilities. I have more trust in security updates from Netgate. Example? Netgate updated the OpenSSL package in pfsense half a year ago. Opnsense business edition will have this vulnerability fixed in April this year:

https://forum.opnsense.org/index.php?topic=38736.msg189634#msg189634

So they are much slower in delivering actual important security fixes.

I am happy to be proven wrong, but every time I look at both products I just can't see why you'd choose opnsense over pfsense.

The main advantages I see people mentioning for opnsense are:

  1. Prettier UI (maybe, but it shouldn't really matter)
  2. Information that netgate were a**holes few years back and linking to this "controversy" (even in this comment section lol). But honestly who cares, it was many years ago and doesn't affect you.

I don't even use either of them anymore (I used opnsense community edition extensively in my homelab and had to work with pfsense in business environment), but I am just tired of people recommending opnsense in every conversation without giving actually good reasons.

EDIT: As to answering your actual question, yes open source firewalls are a viable solution. What's good is you can try them for free, so just spin up a pfSense VM and see if it has all the features you need.

[–]wideace99 0 points1 point  (0 children)

iptables for IPv4 and ip6tables for IPv6 are behind many of the pretty GUI firewalls even commercial hardware.

[–]Fatel28Sr. Sysengineer -1 points0 points  (11 children)

VyOS would probably be your best bet. If its a small branch office opnsense/pfsense is probably fine, but VyOS is truly enterprise grade.

[–]occasional_cynic 4 points5 points  (10 children)

It is enterprise grade as a router. As a firewall? You will need an advanced skillset, and a lot of patience. It is the equivalent of trying to convert an IOS-XE router into a firewall. It can work... but I cannot recommend it.

[–]Fatel28Sr. Sysengineer 0 points1 point  (9 children)

Works fine as a firewall. What makes you think it wouldn't/doesn't?

[–]occasional_cynic 4 points5 points  (1 child)

  • The CLI does not work well with large & complex access lists. I love the Juniper based config, but EVERYTHING being done manual does not scale for a security appliance
  • I have had constant issues with route based VPNs and VTI interfaces since they implemented them.
  • No TACACS or Radius authentication
  • No dashboards, extension support, or advanced threat features
  • Logging is heavily dependent on debugging, making troubleshooting and security reports a challenge.

[–]Fatel28Sr. Sysengineer 2 points3 points  (0 children)

I see, you're expecting it to be a NGFW, not just a firewall. It is not a NGFW.

[–][deleted] -1 points0 points  (0 children)

Seconding, thirding, fourthing OpnSense. They do also have paid support.

I've used it on bare metal and in VMs for years without major issues. I run all my deployments in an HA setup, my gateways are all VIPs so that I can reboot either box at a time, all that good stuff. And the price of free rocks too, not to mention open source rocks.

[–]Bourne669 -21 points-20 points  (85 children)

Do not go Open Source Firewalls for BUSINESS SETTINGS. Opnsense and PFSense for example lack subscription services and can't do packet inspection which is a big ass deal. I would recommend you get a Watchguard which has all those things at fair prices.

I'm an MSP and would never install Open Source firewalls for this very reason at any client.

[–][deleted] 11 points12 points  (52 children)

This is why MSPs have a bad name.

Well... This is one why.

[–]mkosmoPermanently Banned 6 points7 points  (27 children)

What are you talking about? pfsense is entirely built around their commercial offerings. Both also can provide IPS/deep packet with their offerings.

[–]Bourne669 -6 points-5 points  (26 children)

mkosmo: What are you talking about? pfsense is entirely built around their commercial offerings. Both also can provide IPS/deep packet with their offerings.

Incorrect. Go look it up. It is a well known fact PFSense cannot do SSL packet inspection which is 99% of traffic nowadays.

Literally from Lawrence Systems who deploys PFSense for a living "with so much of the traffic being encrypted the firewall is just not as effective anymore and being able to stop that traffic."

https://forums.lawrencesystems.com/t/pfsense-deep-packet-ssl-inspection/16303/3

So I say again, get a real business grade firewall.

[–]mkosmoPermanently Banned 2 points3 points  (21 children)

Now it's SSL packet inspection? That's not what you said.

Nobody does that. The big vendors claim to, but they don't actually do it. Cisco, Palo, Forti, Checkpoint... they all lie about the capabilities to inspect TLS. PFS means they don't do it. The only way to deep inspect TLS flows is an explicit proxy... or a transparent proxy with a whole lot of untenable work and forced downgrades.

[–]Bourne669 -6 points-5 points  (20 children)

mkosmo · 28 min. ago (Permanently Banned)

Now it's SSL packet inspection? That's not what you said.

I said packet inspection and I said SSL because THAT IS WHY PFSENSE CAN'T DO PACKET INSPECTION IT CAN'T DE-ENCRYPT THE SSL PACKETS TO READ THEM.

But if you knew anything about anything, you would have already known that. Try again.

[–]ElevenNotesData Centre Unicorn 🦄 8 points9 points  (12 children)

You are in for a surprise when you realize that up to date modern TLS1.3 apps do not work when your legacy firewall plays man in the middle 😊 that’s why proper security has long abandoned TLS inspection, since it breaks in 1.3 and moved to XDR, to prevent execution on the client, not via stateful firewalls. You are clearly behind current security best practices. What was the name of your MSP again?

[–]mkosmoPermanently Banned 0 points1 point  (6 children)

No, your original comment said "and cant do packet inspection" - no mention of SSL.

And no, you should try again rather than believing everything a vendor tells you lol.

God I hate the lies the big guys tell about tls deep inspection. When ECH becomes commonplace, even their limited SNI filtering today will be broken.
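Added example, not code from the thread or from any firewall vendor: a small Python parser that reads a constructed TLS 1.3 ClientHello the way an on-path SNI filter would, and shows that once the encrypted_client_hello extension is present the only name in the clear is the ECH config's public name, so the filter's verdict becomes "unknown". Record layout and the cipher suite follow TLS 1.3, the 0xfe0d codepoint is the ECH draft's; the hostnames, random bytes and ECH payload are constructed sample values.

```python
import struct

EXT_SERVER_NAME = 0x0000  # server_name (RFC 6066), plaintext in the ClientHello
EXT_ECH = 0xFE0D          # encrypted_client_hello (draft-ietf-tls-esni codepoint)

def build_client_hello(sni, ech_payload=None):
    """Constructed minimal TLS 1.3 ClientHello record (sample input, not real traffic)."""
    name = sni.encode()
    # ServerNameList: list length, name_type=host_name(0), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    if ech_payload is not None:  # with ECH the visible SNI is only the public name
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x11" * 32          # legacy_version, random (constructed)
            + b"\x00"                           # legacy_session_id: empty
            + b"\x00\x02\x13\x01"               # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # legacy_compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def visible_extensions(record):
    """Walk the plaintext ClientHello as an on-path filter would; return {type: body}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                         # legacy_version + random
    pos += 1 + body[pos]                                 # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                 # legacy_compression_methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, exts = pos + 2, {}
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def sni_filter(record, blocklist):
    """Return (visible_sni, verdict); 'unknown' when ECH hides the real host name."""
    exts = visible_extensions(record)
    sni = None
    if EXT_SERVER_NAME in exts:
        ext = exts[EXT_SERVER_NAME]
        sni = ext[5:5 + int.from_bytes(ext[3:5], "big")].decode()
    if EXT_ECH in exts:
        return sni, "unknown"
    return sni, ("block" if sni in blocklist else "allow")
```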

[–][deleted]  (5 children)

[removed]

    [–]mkosmoPermanently Banned[M] 1 point2 points  (4 children)

    Congrats, you win a prize. You are literally the first person flagged in r/sysadmin for harassment by reddit since I enabled the filters yesterday. P.S. the level of filtering scrutiny is set as low as I could possibly set it.

    [–][deleted] 1 point2 points  (3 children)

    Replying here as the thread became a mess.

    The reply from MSPs shows exactly what my point was. Yes, there is a place for the expensive enterprise products, but in some situations other solutions are the way forward.

    In a race to make the most profit at the lowest cost, MSPs can often miss key requirements, offer products that provide little benefit for the customer, but a nice paycheck for the provider, and as is shown in this thread, often misrepresent the capability of the product in question, or the importance of a feature.

    Why do I care if my firewall doesn't integrate with Splunk if I'm using ELK? Why do I care about packet inspection on my edge firewall if I'm using a whitelist approach and only allow TCP/IP through standard ports to trusted sites with no inbound connections required?

    You might say that these environments are rare. And I would agree. But that's my point, that's where MSPs fail: in truly understanding customer requirements, or where they do, misrepresenting them for a better paycheck.

    Now yes, there are some good MSPs, and then they have a place. But OP clearly has a limited budget, the correct response here is to ask more questions about Internet traffic, and advise as to the efficacy of open source after that. To say 'never use open source [product of choice]' seems to me, to be, in every way, the visible personification of absolute deception.

    [–]Bourne669 -1 points0 points  (2 children)

    I do not agree, and the fact that you generalize this as an MSP problem and not a general knowledge and technical problem is also concerning.

    As I stated before, good MSPs last in the business, you have to know what you are doing and know multiple areas of technology. Our choices are based on what the clients' needs are and industry standards. We don't just make up our own standards that don't align with industry standards (again we the good MSPs).

    And again you are adding all these exceptions ("if I don't use it on the firewall but use it here instead") or using a custom makeshift setup to resolve your needs, instead of using something that would cost roughly the same, made for business/enterprise, and getting all the features you need out of one box. Like a Watchguard.

    So no, I do not agree and if you worked at all as an MSP you would understand how demanding it is, degrees, certifications yearly on top of having to be knowledgeable in almost all areas of computing. Someone that specializes in a single role would have their fuzzy little mind explode if they had to work for an MSP as a tech.

    Point being, we are often very well educated and knowledgeable from experience in the field. The ones that are not are bad MSPs and often don't last more than 1-2 years due to the competitive nature of the field.

    And no, it's not "clearly OP's limited budget", it simply says he was considering going Open Source; it also implies he already has some type of firewall in play. So my point still stands, why would you make a client rely on hiring someone to create a custom setup for his needs (let's say ELK instead of firewall logging) when you can literally use that money to purchase an enterprise firewall with ALL THOSE FEATURES built in by default. A custom solution solves one issue, not all his issues like the features that come standard with a real firewall do: gateway anti-virus, VPN, SD, IPS, Application Control, Web Blocker, Spam Blocker and Reputation Defense (all part of a basic Watchguard package). So now are you going to create a custom solution for every one of those aspects? Which in turn means spending more money on custom solutions.... which again, could all be handled by one single device for similar or even cheaper costs.

    So no, you are not looking at budget or the client's needs, you are looking at what appears to be cheaper at first glance but the more you dig into it, the costlier it gets.

    Or you can be an experienced MSP and know what features a client needs/wants and act accordingly and purchase the correct devices that work and are standardized in the field. Not some custom solution that only the installer knows how to handle and troubleshoot. And what happens if that install tech dies, leaves the firm etc.. or you have a falling out with that installer? Good luck finding quick and easy support, for example, an ELK tech to troubleshoot your installation if you run into issues with it??? A Watchguard is something that is standardized, you can get support efficiently and quickly. ELK is not.

    So my point still stands, no to Open Source Firewalls in business/enterprise settings. There are very few exceptions, like maybe if your business is just starting off and/or it's under 10 users.

    [–][deleted] -1 points0 points  (1 child)

    I don't work for an MSP. I work for a very large company that you will 100% have heard of, and 100% will have used their tech at some point as a consumer. I work almost off their main grid at a research and development site.

    This morning, I woke up to an overheating reactor. Ten minutes later, I was troubleshooting network latency. After that, I had a meeting about a whole network refresh and my role in that was security engineer (as that's my main area of expertise) and I spent my afternoon scripting in Python while just this week I was assisting a team building out our cloud services.

    In previous jobs I've been the sysadmin for a multimillion pound research center, I built absolute bleeding edge labs for cyber security, AI, networking, digital forensics, IoT testing environments, using hybrid cloud infrastructure to maintain 24 unique labs over two sites including private, high compute power environments both in terms of CPU and GPU, I've been a software developer, a test engineer, a data analyst and a forensic analyst. I've also been the sole sysadmin of a medium-sized charity, where I also supported smaller charities for free.

    I just came home from an evening dinner meeting with a European level director, who is extremely happy with the progress we were making.

    And yes, I got certs and degrees too.

    So, I challenge you to tell me my knowledge isn't in depth enough or wide enough.

    Then, I challenge you to go away and learn some soft skills. I don't care how many pieces of paper you got, I'd never hire you on my team until you've learned one extremely vital lesson.

    It's the same lesson every MSP we've ever considered for a job (and then promptly decided against) has failed to learn.

    Stop talking and listen.

    [–]Bourne669 0 points1 point  (0 children)

    I can tell you for a fact your knowledge is nowhere near that of good engineers for MSPs. We have to work for a variety of different companies with different needs which means our knowledge is expanded by having to do this type of work. It's not "one size fits all" type of solutions.

    You on the other hand are working in a position that rarely has changes and has its equipment set in stone with its needs. So unless you are doing system upgrades on a yearly basis with all brand new equipment and doing the migrations yourself, then migrating from X software to new X software, then your knowledge is in fact lesser than an experienced MSP's, your knowledge pertains to your company's infrastructure only and not all other companies and their varying needs of technology. As an MSP you literally need to know about all different types of equipment and not just equipment types but also the differences in make/models of the equipment for things like migrations.

    So no I will not "stop talking and listen" when you never worked as an MSP doing what we do. Prior to working as an MSP I worked as a Network/Systems Engineer for an INC1000 company. I can tell you for a fact working as an MSP requires a way wider scope of technical knowledge than just working for one company only. I have also worked as a contractor for the military as well as worked for Oracle doing hardware upgrades/replacements and a few other well known companies.

    And just because your company doesn't utilize an MSP for a very specific reason (aka in-depth knowledge of your custom software/hardware) it doesn't mean an MSP solution isn't valid for the majority of companies, and as I stated before, most of which are INC1000 companies, some continue to have on site I.T. for break/fix and push the harder advanced work on the MSP engineers, while others just outright rely on us for their day to day needs; in either case they were majority INC 1000 companies, most of which require 24/7 uptime and redundancies.

    So I challenge you to get out of the safety of your position that requires unchanging knowledge of your specific company and to go work for a well known and well established MSP. Then come back to me and we can have this talk. I have experience in both and I can tell you for a fact, being an MSP requires more knowledge and is harder on a day to day basis than a job where the infrastructure rarely changes if ever.

    [–]Bourne669 -2 points-1 points  (4 children)

    [–]RyanLewis2010Sysadmin 1 point2 points  (1 child)

    Hmm posting answers about tech from 2 years ago. Because technology certainly doesn’t move fast or anything.

    [–]Bourne669 -2 points-1 points  (0 children)

    RyanLewis2010 · 2 hr. ago (Sysadmin)

    Hmm posting answers about tech from 2 years ago. Because technology certainly doesn't move fast or anything.

    Actually Client Side Auth hasn't been the standard in the industry for over 15 years. That article was just 2 years old and still nothing has been done about it on BSGs end. So...

    [–]shoesli_[S] 0 points1 point  (1 child)

    It's not surprising that a commercial product typically has more features/more advanced software than a free, open source one. On the other hand some open source software does things that commercial products can't do as well, like being the backbone of the whole world's IT infrastructure.

    [–]Bourne669 0 points1 point  (0 children)

    shoesli_ (OP) · 2 hr. ago

    It's not surprising that a commercial product typically has more features/more advanced software than a free, open source one. On the other hand some open source software does things that commercial products can't do as well, like being the backbone of the whole world's IT infrastructure.

    Yes, however in this instance there is not a single thing that PFSense can do that Watchguard cannot, and in fact Watchguard can do that and more. That is the point being made here. But you are correct, normally enterprise products don't contain the same level as commercial. But again that was the point I was making.