The move back to OpnSense, 5 Pillars to build network on.


Reposting from an older thread.

Hello friends. I currently have an OpenWRT router and have been considering building a PC and looking for a gateway OS for it. I was looking for differences between pfSense and OPNsense and got here.

Thanks a lot for the thread comparing both. My main need is support for dual-WAN multi-homing, with load balancing and failover. Most OSes have that, but I also need NPTv6 with support for dynamic prefixes, because both my ISPs insist on providing a single /64 prefix and they claim that only state-owned ISPs are forced to follow open standards. Yes, they claim they only have to offer connectivity to their intranet, and if we're unable to reach the Internet it's our problem.

As of now, OpenWRT provides multi-homing with its mwan, but it only works for IPv4. For IPv6, all devices receive addresses on both prefixes and use whatever routing they desire. For all other VLANs, the Internet is unreachable over IPv6. It has no support for NPTv6.

pfSense and, I believe, OPNsense support NPTv6, but only with a static prefix. Every time an ISP changes the prefix, I'd need to notice it and update the setting. OPNsense has a task for adding support for dynamic prefixes, but nobody has worked on it for years. It seems that most devs have enough ISP competition and just hire one that provides a static /56 prefix, and most users just disable IPv6.

I believe NPTv6 to be the simplest solution for me, because it'd allow me to provide a single prefix to all devices and keep the load balancing + failover managed solely by the router. When my router goes down I lose Internet access, which includes some cloud services I use, so I need to stop whatever I'm doing and fix it; having a working LAN while the Internet is down is not an option for me.

Regarding pfSense+, I also feel sad about it, but I'm not surprised. Ever since I learned about pfSense, it felt odd that Netgate gladly provides their OS for free and profits from selling appliances. In Brazil there are only 2 companies that sell them, but 1 doesn't have them for sale and the other only imports on demand.
One of my requirements for the new router is to be properly able to back up and restore the storage partition, so an appliance isn't good for me.

I don't mind them having a paid edition. Red Hat and other Linux distros did that years ago and they still have their community editions rolling. If they required a subscription and kept it at a low price, I'd be willing to pay for it. The money would keep the business sustainable and ensure new features get implemented. But then, they still don't support dual WAN + dynamic prefix + NPTv6. I'm not comfortable paying a subscription for a service that doesn't have the main feature I most need.

My issue is them providing it as closed source. I agree that their objective is avoiding forks, be it of the full OS or of features they develop. I'd be glad if the subscription would incentivise them to develop the feature I need, but I fear them keeping it closed, OPNsense and other OSes being unable to use their code, and me being locked in to them.

On the other hand, what we've seen is that the community editions of solutions that followed that path have lost popularity. Few people use Fedora today. Even OpenOffice lost support compared to LibreOffice, just because its license is "less open".

In any case, I believe it's a fair move, at least as a trial. If they fail to succeed, at least I hope they move back and open the source of any feature they develop, so that at least it can be forked.

Lastly, they said that as of June pfSense+ will be available for "3rd party" hardware. Let's see how it goes, and how hard it will be to move between pfSense+, pfSense CE and OPNsense, keeping existing settings.
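To make concrete what the post above is asking of the router, here is an added example (not code from this thread, nor from OPNsense, pfSense or OpenWRT): a pure-Python model of RFC 6296 NPTv6, the checksum-neutral prefix translation that lets every LAN host keep one stable internal prefix while the router swaps in whichever ISP prefix it currently holds. The two ISP prefixes (2001:db8:1234:5678::/64 and 2001:db8:abcd:1::/64, documentation space) and the internal ULA prefix fd00:dead:beef::/64 are constructed values. The point the example shows is the one the post makes: the 16-bit "adjustment" that keeps TCP/UDP checksums valid is a function of the external prefix, so when the ISP hands out a new /64 the mapping has to be recomputed, not just the prefix rewritten.

```python
import ipaddress
from typing import List, Union

Net = Union[str, ipaddress.IPv6Network]
Addr = Union[str, ipaddress.IPv6Address]


def _net(n: Net) -> ipaddress.IPv6Network:
    return n if isinstance(n, ipaddress.IPv6Network) else ipaddress.IPv6Network(n)


def _addr(a: Addr) -> ipaddress.IPv6Address:
    return a if isinstance(a, ipaddress.IPv6Address) else ipaddress.IPv6Address(a)


def _to_words(value: int) -> List[int]:
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words: List[int]) -> int:
    value = 0
    for w in words:
        value = (value << 16) | (w & 0xFFFF)
    return value


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry (the arithmetic of the Internet checksum)."""
    total = a + b
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(words: List[int]) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def nptv6_adjustment(src: Net, dst: Net) -> int:
    """RFC 6296 'adjustment': one's complement sum of the internal prefix words minus that of the external prefix.
    Only the first 64 bits can differ for prefixes up to /64, so those four words are summed."""
    src_words = _to_words(int(_net(src).network_address))[:4]
    dst_words = _to_words(int(_net(dst).network_address))[:4]
    return ones_add(ones_sum(src_words), (~ones_sum(dst_words)) & 0xFFFF)


def nptv6_translate(addr: Addr, src: Net, dst: Net) -> ipaddress.IPv6Address:
    """Map addr from prefix src to prefix dst. Calling it with (dst, src) swapped undoes the mapping,
    so the same function serves outbound and inbound datagrams."""
    src, dst, a = _net(src), _net(dst), _addr(addr)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("NPTv6 needs two prefixes of equal length, at most /64")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    words = _to_words(int(dst.network_address) | (int(a) & host_mask))  # prefix rewritten, host bits kept
    if src.prefixlen <= 48:
        idx = 3  # RFC 6296 s3.3: for /48 or shorter, adjust the subnet field (bits 48..63)
    else:
        # RFC 6296 s3.5: longer prefixes adjust the first IID word that is not 0xFFFF;
        # an IID made entirely of 0xFFFF cannot be translated and the datagram is dropped.
        candidates = [i for i in range(4, 8) if words[i] != 0xFFFF]
        if not candidates:
            raise ValueError("every IID word is 0xFFFF; RFC 6296 drops this datagram")
        idx = candidates[0]
    adjusted = ones_add(words[idx], nptv6_adjustment(src, dst))
    words[idx] = 0 if adjusted == 0xFFFF else adjusted  # 0xFFFF and 0x0000 are the same one's complement value
    return ipaddress.IPv6Address(_from_words(words))


def checksum_neutral(a: Addr, b: Addr) -> bool:
    """True when both addresses contribute the same value to a transport-layer checksum,
    which is what lets the router rewrite addresses without touching TCP/UDP/ICMPv6 checksums."""
    norm = lambda s: 0 if s == 0xFFFF else s
    return norm(ones_sum(_to_words(int(_addr(a))))) == norm(ones_sum(_to_words(int(_addr(b)))))


if __name__ == "__main__":
    INNER = "fd00:dead:beef::/64"          # constructed internal ULA prefix
    ISP_A = "2001:db8:1234:5678::/64"      # constructed: prefix delegated today
    ISP_B = "2001:db8:abcd:1::/64"         # constructed: prefix after the ISP renumbers
    host = "fd00:dead:beef::1"
    for isp in (ISP_A, ISP_B):
        external = nptv6_translate(host, INNER, isp)
        back = nptv6_translate(external, isp, INNER)
        print(f"{host} -> {external}  adjustment=0x{nptv6_adjustment(INNER, isp):04x}  "
              f"back={back}  checksum_neutral={checksum_neutral(host, external)}")
```

Running the block prints a different adjustment word for each ISP prefix (0x0439 for the first, 0xc116 for the second): a router configured with a static NPTv6 rule keeps using the old adjustment and the old prefix after the ISP renumbers, which is exactly the manual reconfiguration step the post wants automated.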

As much as IPv6 has its use cases, IPv4 is still relevant enough. What do you specifically need it for? pfSense and OPNsense have full IPv6 support baked in amongst other features. Also, OpenWRT will have little functionality if piggybacking it off of OPNsense or pfSense and is best suited for wireless. Also, your Internet provider and modem need to have full support. You may need to enable it too.

For me, I am using OPNsense and mainly use IPv4 with IPv6 trickling to a few devices. My router of choice is the Asus GT-AX11000 in AP mode running stock firmware. With the 386 firmware I am utilizing it completely, including LAGG features. If looking for IPv6 capabilities, the best option is possibly the OPNsense forums.
 
ATM there's nothing on IPv6 I can't reach with IPv4, I just don't feel right disabling it. In fact, major ISPs in Brazil are using CGNAT and many small regional ISPs have no IPv4 addresses to offer. Major ISPs are moving us off CGNAT when we ask for it, but we don't know when they will stop doing that. I just don't wanna get to the time where it's needed and I'm not ready for it.

pfSense and OPNsense have IPv6 support, but they don't support automatic global prefix changes. OPNsense has a task for implementing support for it, but it hasn't been developed for years. :/ There are a few people talking about it on the forum, but nobody with dev skills wants to volunteer to develop it. I'm waiting for either of them to add proper support for multi-WAN with dynamic prefix changes so I can move to them.
 
Hi all, I realise this is a slight necro,

However, given there are some similarities between Maverick's kit/setup and what I am currently running, I thought I would continue in here. If I should be creating a new post, please inform me and I will do so :)

**OPNsense I'm very happy with, as it's far easier for other family members, including my wife, to understand. However, the more I looked into it, the 'Pro Emerging Threats lists' (free by way of some anonymous telemetry data) and then Sensei, to have control at the application layer, are also key reasons why I didn't go back to pfSense.** Chrony for Secure Time (NTS), Unbound for secure DNS, Redis DB for ntopng. I only run ntopng and the Redis DB when I want to.

So,
1) I'm using an i7 NUC on the edge running Proxmox (firewall disabled still bugs me, but it's as the forum says, no external access). Then I have evaluated pfSense -> Untangle -> Sophos -> Univention Server -> ClearOS -> OPNsense (anything underlined I ran for 1yr+).
i7 | 32GB RAM | 1x 1Gb NIC | 1x Thunderbolt dock with 1x 1Gb NIC | (thinking of getting a USB 2.5Gb NIC for connection to the Asus AX11000 2.5Gb port)
2) AX11000 (so darn happy that Merlin sorted this, again, thank you!!!!!) however, as an AP (gutted I can't *easily* VLAN based on SSID or per band).
AP mode - LAN connected to NUC
3) AC86U, currently playing with it to work out how to eventually set up the AX11000; it is spare and can be used. Will probably bridge the Wifi to resolve the poor signal to the kids' Echos.

**AC86U used to be on 2.5GHz only and directly attached to the i7, with the AX cascaded off of the 86U for a (dual NAT'd) private network and VPN Fusion cascade, so Asus WRT, not Merlin.**

4) Linux i5 off-the-shelf NAS with 4x 1Gb NICs, 4x 3.2 Gen 1 (5Gb) USBs, 48GB RAM and 3x HDMI
I could purchase a 2.5Gb USB to Ethernet
5) Pair of powerline adapters, with one capable of a 2.5GHz wireless radio
Could also fix the kids' poor signal to the Echos. I think I would rather rely on Merlin firmware, but if the consensus is 'no massive benefit to using the AC86U' I will lend this out to a friend to borrow (with a dual-NIC Celeron), as they want to gain an understanding and play around also.
6) 2x managed Netgear (not Pro) 8x 1Gb switches.
One is LAGGed to the NAS

All networking devices are on the same floor; the only problem I have is I don't have the range from the AX to reach the kids' Echo Shows. Love Sensei for its policies.
  • I'm looking to move to a 2-tier firewall (not a cascade), so that I can host 5-10 Minecraft servers for the kids.
    • So the family can connect to view and download piccies via OpenVPN.
    • So we can use OpenVPN to connect to the same and upload remotely.
    • So I can gain a better understanding of networking and run some VMs, one of particular interest being Security Onion. (I couldn't get my head around the particulars of the nightmare headache of getting it to bridge on WAN in Proxmox; it is not as easy as you initially think.)
    • I have a 4G Huawei router, so I want dual WAN for failover.
    • Around 15 Wifi devices: 2 phones which ideally reach the private network for the NAS, and everything should be monitored by Sensei for profiling.
    • To only have the private network administrating the switches, routers, NAS and Proxmox
    • 14 wired devices: Linux NAS and 4x PCs in the private network, with NAS Ubuntu Docker and a copy of the DBs for piccies (off of 2 NICs)
    • 10 Minecraft Kubernetes (seems to be flavour of the month) and the app server for the family to look at piccies, in this untrusted zone
      • I would want to play with having a 3-tier system once I've tried the 2-tier, to isolate the photo database copy between the private network and the app server, just as it should be done. I do want to throw myself into the thick of it, as that's how I learn; I need to DO and not just watch vids.
      • As an old fart I think my problem is I struggle with physical and logical layouts.
    • Work laptop on Wifi, separate from everything bar the printer
    • Print from private network, mobiles and work
    • Security Onion nodes and server; love the interface and graphs and want to learn more
    • NAS using VPN for its backups
    • Secure Time
    • Secure DNS
    • Ad blocking
**I am not good in CLI. I need to learn; however, I need a GUI 'helping hand' while learning. I knew about Skynet from years ago and never tried it as I didn't want to do it manually. Yesterday I spent far too long trying to locate a forum post showing how to find out what AMTM is (given, again, years ago I saw this in people's sigs, and yesterday I decided to work out what AMTM was and how the hell to run it........ finally got there, but only because I stumbled on a post detailing that the acronym meant Asus Merlin Terminal Manager, so dug out the Asus 86U, ran a terminal for the first time ever on it; then after a few minutes of pondering decided to type AMTM for 's's and giggles' and saw it for the first time ever.....)**
  • I couldn't find out what Entware was either. I can see via AMTM that it is a repository but couldn't find what of; if someone could point me, please?
  • I would greatly appreciate your thoughts as to 'what would be the ideal physical and logical setup'?
  • Which machine should I use for the Minecraft and Ubuntu untrusted zone?
    • The NAS and physical NIC, NAS and virtual switch, i7 Proxmox or other?
I keep coming back to the '1-tier to 2-tier firewall idea':-
Edge as: AX11000 | router | no DHCP | Skynet | VPN manager | manual IPTV VLAN for a switch, or bite the bullet and VLAN the interfaces in CLI, as it could be easy'ish *bar having to do it every FW update* | dual WAN | 2x random port forwards for Minecraft and app server
Devices connected: printer, IoT Wifi no intranet, work, guest no intranet, (Ubuntu VM/Docker and Kubernetes with firewall).
i7 OPNsense eth0 connected to AX11000
i7 doing OPNsense, DHCP /29 groups, DoT, NTS, Sensei, firewall, Suricata | NIC to AX11000 | NIC to switch
Devices connected: eth1 to switch for private network and NAS Ubuntu VM with photo database on NAS NIC 4
NAS file server physically connected to i7 via eth1 switch LAGG - NIC 1+2
Private network PCs physically connected to i7 via eth1 switch
i7 doing Security Onion

Ubuntu VM via NAS physical NIC3 connected to AX11000: Docker with app server, Kubernetes, firewall | GeoIP MaxMind block all bar UK
Ubuntu VM via NAS physical NIC4 connected to i7 containing the database backup for the app server | firewall bar port forward
**I keep reading you shouldn't subnet everything, but no reasons as to why.. Old school, I would just do /29 groups and firewall based on the last-octet groupings.**

I have VLANed off the switches before, as it's GUI, in a prior physical config.

Massively Grateful for any input :)
 
If in a personal house, a 2-firewall concept is really not needed. I would stick to the i7 for OPNsense, but for bandwidth and stability, add some 2.5G/10G PCIe Ethernet cards from Intel/Aquantia. Use the Asus AX11000 more or less in AP mode. If you add all the proper rules, you can lock down the network and open up only what you need. For me, since 2.5G/5G/10G multiswitches were costly, I used 2x 1G connections from the AX11000 into the switch in LAGG. That way I have 2G of total bandwidth and close to what the one 2.5G port would have given me otherwise. I also have a 2.5G dual card in my OPNsense firewall, and one connection goes to my cable modem, and the other is going to my main PC into the 10G port at the moment, on a different IP subnet from the rest of the network. I just don't see as much need for a dual-layer firewall setup in the home. It can even complicate the entire setup overall.
 
