Introduction
This article was written as food for thought for a technical comparison, based on our first impressions of two solid platforms: pfSense® CE and OPNsense®.
The information below is available through the links in the footer or those referenced directly in the article.
A bit of recent history
OPNsense® is a young firewall operating system based on FreeBSD 10; it started as a fork of pfSense® CE, which is itself a fork of m0n0wall®.
Its story officially begins on 2 January 2015, when the release announcement of its first version, 15.1, was published on the official website.
For those who do not already know, OPNsense® version numbers encode the year (e.g. 15) and the month (e.g. 1). Version 15.1 therefore means January 2015, and there are two major releases per year: in January and in July.
pfSense® CE, which is also based on FreeBSD as mentioned earlier, was born as a m0n0wall® fork back in September 2004, created by *Chris Buechler and Scott Ullrich to overcome some limitations of that excellent embedded system.
m0n0wall®, for those who do not know it, was an embedded firewall; its great strength was also a limit to its expandability, because both the applications and the operating system ran entirely from RAM.
If, like us, you have wondered about the origin of the pfSense® CE name, here is an interesting post written by one of the founders, who explains in a few simple words why the project is called that.
Last but not least, a few words to salute m0n0wall®: the project ended permanently on February 15, 2015, as announced on its official page. On that same page its founding father, Manuel Kasper, encourages all its users to check out OPNsense®.
*[Editor's note: he contributed to the m0n0wall® project, but the section "The following persons have contributed code to m0n0wall" further down that page does not include his name.]
So, why the fork?
The OPNsense® developers had taken part in the pfSense® CE project for years but, in 2014, motivated by the wish to do a number of things differently, they decided to create their own project, one that better reflected their needs.
The stated reasons for the fork are mainly technical, but also concern security and code quality. Last but not least, the fork was prompted by the license change made by pfSense® CE, which caused some disappointment within the community.
For further details on the reasons for the fork, please refer to these links:
https://docs.opnsense.org/history/thefork
https://m.reddit.com/r/PFSENSE/comments/3rh9dw/pfsense_vs_opnsense/
OPNsense®: License
It is released under an open source license, the BSD 2-Clause "Simplified" (or "FreeBSD") license, which is OSI-approved (Open Source Initiative approved), i.e. approved by the organization dedicated to promoting open source software.
pfSense® CE: License
Let us talk about the much-discussed license.
pfSense® CE replaced its license, which was a 4-clause license (the original "BSD License"), with the ESF License in 2014. You can find this license information in the COPYRIGHT file inside the older software releases.
Recently it was replaced once again, and the project is now released under the Apache License 2.0, which is OSI-approved as well.
Everyone who wishes to contribute to the pfSense® CE project has to sign an ICLA (Individual Contributor License Agreement) electronically.
For more information about this, we suggest following this link:
https://doc.pfsense.org/index.php/Contributor_License_Agreement_for_Developers
Wikipedia also has an interesting page with comparison tables of many open source and free software licenses.
Technically speaking: the differences
OPNsense® states (on its website) that almost all of the code has been rewritten, keeping only a small portion, around 10%, in common with its elder brother, and that many kernel issues of pfSense® CE have been solved.
The new graphical user interface is written with the Phalcon PHP framework which, according to what we read, is claimed to be the fastest open source PHP framework on the market.
[OPNsense®: Phalcon]
Users who choose to try this system can use this new design, which incorporates an efficient search feature (really useful and functional) and an interesting module called "System Health".
This module is interactive and gives graphical feedback during any analysis, which helps to find a problem more quickly and easily, or simply to watch performance.
Inside System Health it is possible to hide some entries from the view, and to use the graph cursor/focus (bottom right, below the graph) to zoom in on the relevant time range.
Finally, the data from the table (shown below the graph after enabling "Show Table On") can be exported in CSV format. Here are some screenshots showing this interesting module.
[pfSense® CE: Bootstrap]
pfSense® CE, starting from version 2.3, introduces a new look by converting everything to Bootstrap.
The layout of the pages and the menu is deliberately kept unchanged, probably so as not to force the many users already familiar with the "old" GUI to spend time learning a new one.
Here you can find an image gallery published during the final stages of development.
[OPNsense®: Inline IPS]
Version 16.7 (released on July 28, 2016) also brings a change to the IPS subsystem, called Inline Intrusion Prevention: it is not limited to blocking an IP or a port, but inspects each packet and, when it detects a certain type of traffic (or connection), drops the packet or stops the connection immediately, before it reaches its destination.
Based on Suricata, it uses Netmap to increase performance and decrease CPU utilization.
The system uses rulesets, blacklists and fingerprinting.
For more information, visit the following link: https://docs.opnsense.org/manual/ips.html
[pfSense® CE: IPS]
On pfSense® CE you can do the same thanks to the Snort package (a Suricata package is also available from its package manager).
Snort is an open source network intrusion prevention tool (its developer, Sourcefire, was acquired by Cisco in 2013). It can perform real-time traffic analysis on IP networks, protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
https://www.snort.org/faq/what-is-snort
Here you will find an interesting comparison between Snort and Suricata: http://wiki.aanval.com/wiki/Snort_vs_Suricata
[OPNsense®: Update]
Weekly security updates are planned, to keep more in step with new threats.
[pfSense® CE: Update]
At the time of writing there is no regular update schedule, but from our experience we know that pfSense® CE releases updates frequently.
Recently, moreover, the conversion of the underlying system to FreeBSD® pkg was announced, which allows parts of the system to be updated individually rather than through the monolithic updates of the past.
[Community]
This is one of the major differences between the two projects: OPNsense® does not support the creation and installation of third-party packages, unlike pfSense® CE.
The OPNsense® developers justify this choice as a way to avoid possible code defects.
Link: https://docs.opnsense.org/history/thefork.html
[OPNsense®: Community]
Link: https://docs.opnsense.org/fork/nomoremyths#myth-opnsense-doesn-t-support-packages
OPNsense® abolished packages and introduced a plugin system. All those who want to contribute to the project can learn more about it at the following link: https://docs.opnsense.org/plugins.html.
[pfSense® CE: Community]
As mentioned earlier, contributors must sign an ICLA, but the community can then contribute as it always has in all these years.
As always, for more on the above, please see the following links:
- https://docs.opnsense.org/fork/thefork#debunking-the-myths
- https://opnsense.org/about/about-opnsense/
- https://docs.opnsense.org/plugins.html
OPNsense® vs pfSense® CE: feature comparison
Features | OPNsense® | pfSense® CE |
Firewall | Stateful inspection | Stateful inspection |
Web Based Graphical Interface | Bootstrap, on the Phalcon PHP framework | Bootstrap (from version 2.3) |
Installation Setup Wizard | Yes | Yes |
Configurable Dashboard | Yes | Yes |
IPv4 and IPv6 support | Yes | Yes |
Wireless Access Point | Yes | Yes |
Wireless Client Support | Yes | Yes |
Setup and filter/isolate multiple interfaces (LAN, DMZ, etc.) | Yes | Yes |
Traffic Shaping | Yes | Yes |
State Table controls | Yes | Yes |
NAT | Yes | Yes |
Redundancy/High Availability | Yes | Yes |
Multi-WAN Support | Yes | Yes |
Server Inbound Load Balancing | Yes (Virtual Server setup) | Yes |
Network diagnostic utilities | See below | See below |
[ping] | Yes | Yes |
[traceroute] | Yes | Yes |
[port tests via the GUI] | Yes | Yes (more with packages, such as nmap) |
VPN | See below | See below |
[IPsec (including Phase 2 NAT)] | Yes | Yes |
[OpenVPN] | Yes | Yes |
[L2TP] | Yes (through plugin) | Yes (through package) |
[PPPoE] | Yes (through plugin) | Yes (through package) |
[PPTP] | Yes (not considered secure) | No (removed because not considered secure) |
RRD Graphs | No (replaced by System Health) | Yes |
Real-time interface traffic graphs | Yes | Yes |
Dynamic DNS | Yes | Yes |
Captive Portal | Yes | Yes |
DHCP Server and Relay (IPv4 and IPv6) | Yes | Yes |
Command line shell access | Yes | Yes |
Wake on LAN | Yes | Yes |
Built-in packet capture / sniffer | Yes | Yes |
Backup and restore of the firewall configuration | Yes | Yes |
Edit files via the web GUI | Yes | Yes |
Virtual interfaces for: | See below | See below |
[VLAN] | Yes | Yes |
[LAGG/LACP] | Yes/No | Yes/Yes |
[GIF] | Yes | Yes |
[GRE] | Yes | Yes |
[PPPoE/PPTP/L2TP/PPP WANs] | Yes/Yes/Yes/Yes | Yes/Yes/Yes/Yes |
[QinQ and Bridges] | Yes | Yes |
Caching DNS Forwarder/Resolver | Yes | Yes |
Can run in many virtualization environments | Yes | Yes |
Proxy Server | Yes | Yes (using packages) |
IPS | Yes (based on Suricata, already included) | Yes (Snort, extra package) |
IDS | Yes (based on Suricata, already included) | Yes (Snort, extra package) |
Security Updates | Yes, weekly | Yes, with patch/fix releases |
Software RAID | Yes (unofficially supported*) | Yes (fully supported) |
This comparison table was built by looking for the pfSense® CE features in OPNsense®.
* During installation it is possible to choose "Geom Mirror" and select the master and slave disks. In the graphical interface, however, there is no trace of the mirror created, so it is not possible to get any information about its status. We also found, in our lab tests, some strange "Geom Mirror destroyed" messages that (apparently) did not compromise system functionality.
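Since the GUI shows nothing about the mirror, the check a practitioner wants is the one from the shell (both systems offer command line access, as the table notes). The script below is an added example, not code from this article or from either project: it parses the output of FreeBSD's `gmirror status`, flags any mirror that is not COMPLETE or any component that is not ACTIVE, and exits non-zero so it can drive a cron job or a monitoring check. The two `gmirror status` listings embedded in it are constructed samples (the mirror name gm0 and the disks ada0/ada1 are assumptions, not devices from the article's lab) and are used when the script runs on a machine without gmirror.

```shell
#!/bin/sh
# Added example (not from the article or from either project): check a FreeBSD
# gmirror software RAID from the firewall shell, because the web GUI shows no
# status for it. Reads `gmirror status` text on stdin, prints one verdict line
# per mirror and exits 1 if any mirror is not COMPLETE or any component is not
# ACTIVE, so it can drive a cron job or a monitoring check.

check_gmirror_status() {
    awk '
        NR == 1 || NF == 0 { next }          # skip the "Name Status Components" header and blank lines
        {
            i = 1                            # continuation line: fields are "dev (STATE)" only
            if ($2 !~ /^\(/) {               # a line whose 2nd field is not "(STATE)" starts a new mirror
                name = $1; status[name] = $2; i = 3
            }
            for (; i <= NF; i += 2) {
                dev = $i; state = $(i + 1)
                if (state ~ /,$/) i++        # "(SYNCHRONIZING, 12%)" spans two fields; skip the percentage
                gsub(/[(),]/, "", state)     # "(ACTIVE)" -> "ACTIVE"
                if (state != "ACTIVE") bad[name] = bad[name] " " dev ":" state
            }
        }
        END {
            rc = 0
            for (m in status) {
                if (status[m] == "COMPLETE" && bad[m] == "") {
                    printf "OK       %s\n", m
                } else {
                    rc = 1
                    printf "PROBLEM  %s status=%s%s\n", m, status[m], bad[m]
                }
            }
            exit rc
        }
    '
}

# Constructed samples of `gmirror status` output (mirror gm0 on ada0/ada1 is an
# assumption, not a device from the article's lab tests).
SAMPLE_HEALTHY='      Name    Status  Components
mirror/gm0  COMPLETE  ada0 (ACTIVE)
                      ada1 (ACTIVE)'

SAMPLE_DEGRADED='      Name    Status  Components
mirror/gm0  DEGRADED  ada0 (ACTIVE)
                      ada1 (SYNCHRONIZING, 12%)'

# Demo run: use the real command on the firewall, otherwise the degraded sample.
if command -v gmirror >/dev/null 2>&1; then
    gmirror status | check_gmirror_status
else
    printf '%s\n' "$SAMPLE_DEGRADED" | check_gmirror_status || echo "exit status $?: mirror needs attention"
fi
```

On the firewall itself, `gmirror status | sh -c '. ./gmirror_check.sh; check_gmirror_status'` (or a cron entry that mails on non-zero exit) gives the status the GUI does not; a mirror shown as DEGRADED while a component is SYNCHRONIZING is rebuilding, while one that simply lost a component is the case worth an alert.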
pfSense® CE vs OPNsense®: comparing performance
To have another point of comparison we decided to test some aspects of system performance on site. We chose to run file transfer tests between two hosts connected behind two entry-level firewalls. Below is a logical diagram of the test network:
Traffic from Host1 to Host2 passed through the two firewall systems, on which we recorded almost identical performance in all the tests performed. The values in Mbps reported in the summary table below were recorded during the tests:
- Through OpenVPN
- Through VPN IPSec
- Through a direct routing
Both firewalls behaved the same way in all situations. Note that the OpenVPN figure mainly reflects the CPU crypto capability of the entry-level hardware used (OpenVPN encrypts in user space, on a single core per tunnel), rather than any difference between the two systems.
These are the recorded value ranges:
Throughput | OPNsense® | pfSense® CE |
File transfer via OpenVPN | 40-42 Mbps | 40-42 Mbps |
File transfer direct (routing) | 150-330 Mbps | 150-330 Mbps |
File transfer via IPsec VPN | 150 Mbps | 150 Mbps |
You can consider our hardware sizing guide valid for both OPNsense® and pfSense® CE. Check out How to size a firewall.
Conclusions
All around the web you can read comments for and against both projects; we do not wish to weigh them here, nor to take sides, but it would certainly be wrong not to see this fork as an opportunity for the open source security world.
Competition between the two is good for both projects and for the end user: whatever your choice, you will always have a good product.
Apart from the small differences already described, the two firewalls are very similar right now. System performance is the same (for now), both being derived from the same OS (a result we expected even before testing).
In hardware compatibility we have not noted particular differences, nor in features: they are about 90% equivalent (see the table above).
Graphically, OPNsense® seems better than pfSense® CE, with a more pleasant menu.
Probably in the future the separation will become more pronounced, or maybe not; if not, it would be pretty hard to choose one solution over the other.
For now the choice could be driven either by the different OPNsense® graphical layout, more engaging and with a more pleasing menu, or by the years of experience, the large community and greater reputation of pfSense® CE. It should not be forgotten that OPNsense® is just over one year old (compared with the 12 years of pfSense® CE). This affects popularity: the various discussion forums are much more populated and full of information.
What leaves us a bit puzzled, instead, are the repeated license changes made by pfSense® CE and the "Community Edition" wording under the logo: could there be a different policy in the future?
We’ll see.
Curiosity
After Scott Ullrich, Chris Buechler has also left the pfSense® CE project, officially on July 28, 2016. He accepted a position as principal engineer at Ubiquiti Networks.
And speaking of reputation, if you want more information on the diffusion trends of the most famous open source firewall operating systems, please consult the following link: