Pfsense for the foreseeable future. The move away from Opnsense after nearly 2 years of use.


Maverick009

Senior Member
It has been a while since I have discussed my network or tribulations with using Opnsense over Pfsense. Fast forward almost 2 years since I switched to Opnsense, and I am now back on Pfsense for the first time since using Opnsense as my main backbone to my network. I want to start by saying this move was not due to any security issues, and for the most part not completely due to stability issues. It all came down to some network incompatibilities, removed, or partially updated add-ons. Let me just add that Opnsense is not bad, but as I mentioned in my previous post, I thought it would be better for the long run due to the updates, and part of why I picked them, as security was a non-issue for either platform. However, rapid updates are not always a good option.

In fact Opnsense is in a flux right now, as changes are being made to prepare it to go to FreeBSD 13, moving away from HardenedBSD. That puts the core OS features on the same level, as Pfsense is already using FreeBSD 12 as of this writing. The updates, including the minor updates in between OpnSense 20.7 to 21.7, have had too many reworkings and slight changes preparing them to jump to FreeBSD 13 with the 22.1 update coming in January. Even the minor security updates were making some changes in preparation. The problem with that in a production run is it can cause havoc with certain features/settings that I already had set.

I also noticed the drivers for the network interface I had with Realtek chipset for my dual 2.5G NIC were a little problematic. Also, the LAGG features in Opnsense seemed broken (this was also an issue in PfSense before release 2.5). Last but not least, Opnsense seemed to have a harder learning curve for similar setup such as the Traffic Shaper, and documentation was not great. This all added to my frustrations, and if the network should go down, it was a pain to sometimes troubleshoot.

Now I do use this network in my home, so it is not powering a business or anything that critical, but it is still the backbone for my network, and now even more so than it was when I first deployed it. I have since added some smart home features, such as smart light bulbs, Google Assistant and NEST Assistant, and went more into a cable cutting experience, with internet only through Comcast, and the Hulu no-ads Live TV/Disney+/ESPN+ bundle (a few channels like Fox offer no streaming app options, and I could not make the kids fully suffer), HBO Max (free with my AT&T wireless plan), Paramount+, Funimation Now, Crunchyroll, and Netflix. That also saves me about $40-60 over just a Comcast Triple Play plus all the streaming services and TV through Hulu. I also have 3 managed subnets now.

Here are my findings. Installed and using Pfsense 2.5.2 (still powered by an Intel Q6600 2.4GHz Quad-Core CPU with 4GB DDR3 memory, Quad 1Gb Intel I350-T4 Ethernet card, Dual Realtek 2.5Gb NIC, and onboard Realtek 1Gb port at the moment), and I have my Netgear CM1200 cable modem connected to the Pfsense router with a LAGG connection using 2 1Gb ports on the Intel I350-T4 card. I am currently using a 1Gb port from the same I350 card to power subnet 1, plugged into a 24 port TP-Link Smart Managed switch, handling all the current wired devices plugged in. I have not currently turned on LAGG to feed the last empty port on the I350 card to the switch to give 2Gb of total bandwidth. If I need it, I may do that in the future. A few of the wired devices on that subnet include an HP Envy AIO printer, my Ubuntu laptop server, and NAS/Gaming Windows 2019 Server. I also have an Asus RT-3100 router wired into one of the ports on the switch with a 100ft Cat7 cable, as I am using it to serve up my living room entertainment center devices by a wired connection, and the ASUS router currently acts as a switch.

I have subnet 2 going from 1 port on my 2.5G Realtek card to the 2.5G port on my Asus GT-AX11000 wireless router, which is running in Access Point Mode, but now getting a full 2.5G up and down from one port vs. previously having 2 1G ports used in bonding. Simplified connection and more bandwidth at the same time. All wireless devices are also separated on a different subnet, making a better case for security. I further have mainly all IoT devices using the 2.4GHz band, while media based devices use 5GHz Band 1, and all laptops and other performance devices use 5GHz Band 2. Last but not least, subnet 3 currently goes from the other 2.5G port on the Realtek card and directly plugs into the 10G port on my main custom multimedia and gaming PC.

Everything is set up the way I want, and with the network on 3 different subnets, it can make upgrades and servicing a little easier too, on top of the security improvements of segregating the network.

My biggest goal after re-evaluating everything was to have stability, and spend less time fixing network errors or degradation due to LAGG errors. With Pfsense 2.5.2, I can say that with LAGG enabled for the cable modem, I am able to enjoy the full 1200Mbps (1.2Gb) speed my internet plan gives me at the level I am paying for. Best of all, there have been 0 errors. I repeat, 0 errors (there were 5 during my turning on the feature, but that was expected; zero errors since completing the setup). Before, in LAGG, I was getting errors, and if I saturated the network, the errors would increase. Seems like Pfsense fixed the broken LAGG issues, and that adds a plus, as that was a feature I was heavily interested in for several reasons, with one being my current cable modem did not have a single 2.5G port and needed LAGG to get the full bandwidth from it. The firewall rules are very similar to set up, and with Pfsense you can find well documented help and feature explanations. You also have wizards for some features like the Traffic Shaper (QoS), making the approach and usage easy even for a novice, but it can also help even well experienced veterans.

I do not plan on going back to Opnsense as a full router system at any point, unless there is something compelling me enough to make the leap, or Pfsense makes a drastic change. This did turn out to be a long usage case scenario with Opnsense, and all sounds good in the short term, but long term, plus the issues with updates and features rapidly being deprecated or changed enough, was causing havoc. Now that I have had enough time, I can say I tried, but ended up having to go back to Pfsense. I do not want this to feel negative, and for some it will feel that way, but for others I hope it is a teaching instrument for educating about issues you can face with more sophisticated networks, and also sheds light on the 2 similar but varying firewall router software packages.

If you have never used either, then it may be an easier jump, but if you are also looking for ease of managing and setup, Pfsense will be the better option. If you used Opnsense and have managed it well, then that is good as well. For me I could figure out most of the features I wanted to use, but the speed of updates and changes to switch the core OS platform was too much for me, plus the fact of small quirks such as LAGG not always working correctly. One last thing to note, which can be minor/major, is I also saw Pfsense 2.5.2 may be slightly more optimized, as the CPU is running cooler, and I am actually even running more tasks on Pfsense than I was with Opnsense, including 3 subnets, plus the cable modem in LAGG, just to name a few. It is about 5-9 degrees cooler.

I may try and give an end of year/beginning of the New Year update, but this time it seems like everything so far is working perfectly (9 days up so far).
 
Thanks for the update @Maverick009.

But that wall of text, hurts. :D
 
How is your IoT separated from your main network?
All wireless devices are on a different subnet now. Also, on the wireless network all IoT devices are only on the 2.4GHz channel. I may further break it down, possibly by using VLANs. I am just not sure if the Asus router also can support that functionality. All my servers and main PC are on different subnets with firewall rules in place for them.
 
All wireless devices are on a different subnet now.

On most networks, for security reasons, IoT devices are isolated from your other devices. With Asus in Access Point Mode all devices connected to LAN and WLAN can see and communicate with each other. There is no VLAN support in Asuswrt. This is the main drawback of using consumer routers as APs. Most folks use Guest Network for IoT. Not ideal, but some sort of isolation. Asus router must be in Router Mode though.
 
On most networks, for security reasons, IoT devices are isolated from your other devices. With Asus in Access Point Mode all devices connected to LAN and WLAN can see and communicate with each other. There is no VLAN support in Asuswrt. This is the main drawback of using consumer routers as APs. Most folks use Guest Network for IoT. Not ideal, but some sort of isolation. Asus router must be in Router Mode though.
The Asus GT-AX11000 physically could support VLANs but needs custom firmware, or OpenWRT and/or DD-WRT, to add support, but they may be a long way off.

The IoT devices are still separated by the wireless SSID running on the 2.4GHz band and can have static IPs with firewall rules that just target them. When it is time to move I may get another wireless router/AP and use it solely for IoT devices with their own subnet.
 
The Asus GT-AX11000 physically could support VLANs but needs custom firmware, or OpenWRT and/or DD-WRT

With Broadcom closed source drivers, Tomato/OpenWRT/DD-WRT is not coming to GT-AX11000.

When it is time to move I may get another wireless router/AP

Get a proper business class AP with native VLAN support. Then you can do whatever you want with SSIDs.
 
With Broadcom closed source drivers, Tomato/OpenWRT/DD-WRT is not coming to GT-AX11000.



Get a proper business class AP with native VLAN support. Then you can do whatever you want with SSIDs.
At this point there is no need for a business class AP. I am renting as well right now, so I cannot go all out on fully running cables and APs, etc. When I buy a home, then I have bigger plans.

Also this is a home network, and I still have the full wireless on a different subnet from my servers and wired devices. I may also activate the wireless in my RT-AC3100 and set up a separate subnet for it from my managed smart switch that supports VLANs. It is overall a work in progress.
 
At this point there is no need for a business class AP. I am renting as well right now, so I cannot go all out on fully running cables and APs, etc. When I buy a home, then I have bigger plans.

Also this is a home network, and I still have the full wireless on a different subnet from my servers and wired devices. I may also activate the wireless in my RT-AC3100 and set up a separate subnet for it from my managed smart switch that supports VLANs. It is overall a work in progress.
If you use small business wireless like Cisco you can use multiple VLANs on your wireless AP. It makes it much easier. This especially works better if you need multiple wireless APs to cover your home.
 
If you use small business wireless like Cisco you can use multiple VLANs on your wireless AP. It makes it much easier. This especially works better if you need multiple wireless APs to cover your home.
I have been wanting to separate my IoT and guests from my LAN for a long time now, but am honestly concerned I am adding unnecessary complexity to my network, which has been running great on pfsense since the moment I switched from Mikrotik.
 
I would say pfsense is better than Mikrotik also. I am sure there will be people that disagree, not me.

pfsense lacks networking especially with an L3 switch. Their software updates break too much stuff. I can tell it really was designed for a flat network. It wants to be in charge of the network and does not play along very well. It is better than most consumer routers but it does not meet my standards.

The reason I think Untangle is better is because it was designed as a UTM device, which is a high-end firewall. It is not a router and does not care about the network. It just plays along. We are lucky we get to run Untangle for cheap at home.
 
I have been wanting to separate my IoT and guests from my LAN for a long time now, but am honestly concerned I am adding unnecessary complexity to my network, which has been running great on pfsense since the moment I switched from Mikrotik.
It definitely can add complexity to the network. I also have a home network, and the IoT devices are isolated on the 2.4GHz channel of my high-end Asus GT-AX11000 Router/AP. I have created a VLAN from the NIC port on my Pfsense firewall that is going into my TP-Link T1600G-28TS L3 Managed Smart Switch, but I have really not played with VLANs when connected to a switch, and do not want to accidentally knock out my network on that subnet. I may need to set up the switch to use a portion of the ports on their own VLAN group and then test using 2 subnets through one connection. That way the one subnet can be set up to connect to the Asus RT-AX3100 router I have. If that works, I can enable the 2.4GHz radio on it and use that subnet for the wired living room devices (mainly the Sony TV and soundbar setup, Sony PS5 and Apple TV 4K), along with the IoT devices. Just sounds more sophisticated by thinking about it.
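As an added illustration (not configuration from any post in this thread) of the one-way isolation discussed above, here is a pf.conf-style rule set as pfSense's underlying FreeBSD pf would express it, with the IoT subnet carried as a tagged VLAN over one NIC into the managed switch while the wired LAN stays untagged on the same port; the interface names, VLAN tag, addresses and the permitted LAN host are assumptions:

```pf
# pf.conf fragment (constructed example, not the poster's actual config).
# Assumptions: igb1 is the WAN NIC, igb2 is the trunk NIC into the managed
# switch, the wired LAN is untagged on igb2, and the IoT SSID/subnet rides VLAN 20.
# On FreeBSD the VLAN interface is created first, e.g.:
#   ifconfig igb2.20 create inet 192.168.20.1/24
wan_if  = "igb1"
lan_if  = "igb2"
iot_if  = "igb2.20"
lan_net = "192.168.1.0/24"
iot_net = "192.168.20.0/24"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
# Hypothetical LAN hosts the IoT subnet is allowed to reach (e.g. a media server)
table <iot_to_lan> { 192.168.1.10 }

set skip on lo0
scrub in all

# NAT both subnets out the WAN
nat on $wan_if from { $lan_net, $iot_net } to any -> ($wan_if)

# Default deny, logged, so anything not explicitly passed shows up in pflog
block log all

# Wired LAN: unrestricted. Because pf is stateful, a LAN host that opens a
# connection to an IoT device gets the replies back, while the IoT side
# still cannot initiate anything toward the LAN.
pass in quick on $lan_if from $lan_net to any

# IoT VLAN: DHCP, plus DNS and NTP to the firewall's own address only
pass in quick on $iot_if proto udp from any port 68 to any port 67
pass in quick on $iot_if proto { tcp, udp } from $iot_net to ($iot_if) port 53
pass in quick on $iot_if proto udp from $iot_net to ($iot_if) port 123

# Explicitly permitted LAN destinations, then every other private range is
# dropped and logged, so IoT devices cannot reach the server/PC subnets
pass in quick on $iot_if from $iot_net to <iot_to_lan>
block in quick log on $iot_if from $iot_net to $rfc1918

# Whatever is left is Internet-bound
pass in quick on $iot_if from $iot_net to any

# Let forwarded traffic and the firewall's own replies leave
pass out quick all
```

The logged block on the IoT interface doubles as the check: a device on the 2.4GHz SSID probing the wired subnet shows up in pflog as a blocked entry rather than silently getting through.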
 
My IoT devices live in my Apple VLAN, as I use my AppleTV and HomeKit to control my IoT devices. I use Apple devices to interface with my home IoT devices. All my IoT devices work with HomeKit or I don't buy them. I like Apple's security. My PCs live in a different VLAN. All my VLANs have different networks.

I have no problem with the complexity of the network.
 
