{"id":14146,"date":"2019-07-01T08:39:26","date_gmt":"2019-07-01T08:39:26","guid":{"rendered":"https:\/\/www.firewallhardware.it\/pfsense-vs-opnsense-comparazione-tecnica\/"},"modified":"2024-04-15T12:33:11","modified_gmt":"2024-04-15T10:33:11","slug":"pfsense-vs-opnsense-technical-comparison","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/pfsense\/pfsense-vs-opnsense-technical-comparison\/","title":{"rendered":"pfSense vs OPNsense: technical comparison"},"content":{"rendered":"

Introduction<\/h3>\n

This article was written as food for thought for a technical comparison<\/strong>\u00a0resulting from our first impressions of the two solid platforms:pfSense\u00ae CE<\/strong>\u00a0ed\u00a0OPNsense\u00ae<\/strong>.
\nThe following information are available in the links in the footer or those directly connected to the article.<\/p>\n

Un po’ di storia contemporanea<\/h3>\n

OPNsense\u00ae<\/strong>\u00a0is a young firewall operating system based on FreeBSD 10, it started as a fork of pfSense\u00ae CE which is a m0n0wall\u00ae fork.
\nHis story begins officially in January 2015, exactly the 2 January 2015, when it was published on the official website the release announcement of its first release: the 15.1.
\nFor all those who were not already known, keep in mind that OPNsense\u00ae versions represent (respectively) the year (ex. 15), and the month (ex. 1). The version 15.1 indicates, therefore, January 2015 and there are two major releases per year: in January and in July.
\npfSense\u00ae CE which is also based on FreeBSD, as mentioned earlier, was born as a m0n0wall\u00ae fork back in September 2004 by *Chris Buechler and Scott Ullrich to overcome some of limitations of this excellent embedded system.
\nThe m0n0wall\u00ae system, for who do not know, was in fact an embedded firewall; his great strength was also a limitation of expandability because both applications that the operating system were performed entirely in RAM.
\nIf, like us, you’ve wondered why the name of pfSense\u00ae CE\u00a0here<\/a>‘s an interesting post written by one of the founders who explains in a few simple words why their project is called so.
\nLast but not least, we write a few words to greet m0n0wall\u00ae; the project ends permanently, as announced on the\u00a0official page<\/a>, the February 15, 2015. Its founding father, Manuel Kasper, always on the\u00a0official page<\/a>\u00a0encourages all its users to check out OPNsense\u00ae.
\n*[Editor’s note: he had contributed to m0n0wall\u00ae project, but\u00a0below<\/a>\u00a0in the section “The Following persons have Contributed code to m0n0wall” does not include his name.]<\/p>\n

So Why did we fork<\/h3>\n

The OPNsense\u00ae<\/strong>\u00a0developers have participated for years to pfSense\u00ae CE project but, in 2014, motivated by a desire of wanting to make a number of things differently, they decided to create their own project that reflects better their needs.
\nThe stated reasons which led to the fork are mainly technical, but also due to security and code quality. In Last (but not least), the fork was due to the license change done by pfSense\u00ae CE, which caused some disappointment whitin the community.<\/p>\n

If you wish to have further details on the reasons of the fork, please refer to the links:
\nhttps:\/\/docs.opnsense.org\/history\/thefork<\/a>
\nhttps:\/\/m.reddit.com\/r\/PFSENSE\/comments\/3rh9dw\/pfsense_vs_opnsense\/<\/a><\/p>\n

OpnSense\u00ae: License<\/h3>\n

It is released under an open source license called BSD 2-Clause “Simplified” or “FreeBSD” license<\/a>\u00a0OSI-approved (Open soruce Initiative – Approved); ie approved by the organization dedicated to the promotion of free software.<\/p>\n

pfSense\u00ae CE: License<\/h3>\n

Let’s talk about the much-discussed license.
\npfSense\u00ae CE\u00a0changed<\/a>\u00a0her license, which was a 4-clause license (original “BSD License<\/a>“), with the ESF License in 2014. You can find this license informations in the COPYRIGHT file inside the older software releases.
\nRecently<\/a>\u00a0it was replaced once again, and now is released under\u00a0Apache License 2.0<\/a>\u00a0which is OSI-approved as well.
\nAll people who wish to contribute to the pfSense\u00ae CE project, have to subscribe and electronically sign an ICLA (Individual Contributors License Agreement).
\nIf you wish to have more information about this, we suggest to follow this links:
\nhttps:\/\/doc.pfsense.org\/index.php\/Contributor_License_Agreement_for_Developers<\/a>
\nBelow an interesting Wikipedia web page where are published some comparing tables about much open source and free licenses:comparing tables about much open source and free licenses<\/a>.<\/p>\n

Technically speaking: differences<\/h3>\n

OPNsense\u00ae<\/strong>\u00a0declares<\/a>\u00a0(In their website) that almost all code has been rewritten keeping only a minor portion of the 10% still shared with that of his elder brother, and to have solved many kernel issues of pfSense\u00ae CE.
\nThe new Graphic User Interface is written with\u00a0Phalcon PHP<\/a>\u00a0framework that, to what we read, is the fastest open source framework on the market.<\/p>\n

[OpnSense\u00ae: Phalcom]<\/h3>\n

Users choosing to try this system can then use this new design that incorporates an efficient search system (really useful and functional), and an interesting module called “System Health”.
\nThis module is interactive and allow you to have a graphical feedback during any analysis. Useful to find a problem more quickly and easly or simply to watch the performances.
\nOnce in the System Health is possible to hide some entries from the view, and use the graphics cursor\/focus (bottom right below the graph) to make a zoom of the relevant time range.
\nFinally we can export the data from the table (shown below the graph activating Show Table On) in CSV format. Here are some screenshots showing this interesting form.<\/p>\n

[pfSense\u00ae CE: Bootstrap]<\/h3>\n

pfSense\u00ae CE, starting from version 2.3, introduces a new look by converting<\/a>\u00a0everything to\u00a0Bootstrap<\/a>.
\nThe layout of the pages and the menu is deliberately kept unchanged; probably to not force numerous users, already familiar to the “old” GUI, to spend time in a new format.
\nHere<\/a>\u00a0you can find a images gallery published during the final stages of development.<\/p>\n

[OpnSense\u00ae: Inline IPS]<\/h3>\n

From version 16.7 (out on July 28, 2016) it is also expected a change in the IPS system called Inline Intrusion Prevention; not limited to block an IP or a port, but inspects the packet and when it detects a certain type of traffic (or connection) the packet\/connection is dropped\/stopped instantly, before it reaches the sender.
\nBased on Suricata uses Netmap to increase performance and decrease CPU utilization.
\nThe system uses Ruleset, blacklist and Finger Printing.
\nFor more informations visit following link:\u00a0https:\/\/docs.opnsense.org\/manual\/ips.html<\/a><\/p>\n

[pfSense\u00ae CE: IPS]<\/h3>\n

You can do it on pfSense\u00ae CE thanks to Snort<\/a>\u00a0package.
\nSnort is an open source (recently bought by Cisco) tool prevention of network intrusions. It is able to perform traffic analysis on IP networks in real time, to perform protocol analysis, content searching\/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
\nhttps:\/\/www.snort.org\/faq\/what-is-snort<\/a><\/p>\n

Here you will find an interesting comparison between Sport and Suricata:\u00a0http:\/\/wiki.aanval.com\/wiki\/Snort_vs_Suricata<\/a><\/p>\n

[OpnSense\u00ae: Update]<\/h3>\n

Weekly security updates are planned to be more in step with the new threats.<\/p>\n

[pfSense\u00ae CE: Update]<\/h3>\n

When writing this article there are no regular updates scheduled, but thanks to our experience we know that pfSense\u00ae CE releases updates frequently.
\nRecently, moreover, it was also announced the conversion of the underlying system to FreeBSD\u00ae pkg which allows to update parts of the system individually rather than the monolithic updates of the past.<\/p>\n

[Community]<\/h3>\n

This is one of the major differences between the two projects. OpnSense\u00ae does not support the creation and installation of third-party packages, opposed to the pfSense\u00ae CE policy.
\nThis choice is motivated, by OpnSense\u00ae developers, to avoid possible code defects.
\nLink: https:\/\/docs.opnsense.org\/history\/thefork.html<\/a><\/p>\n

[OpnSense\u00ae: Community]<\/h3>\n

Questo punto rappresenta una delle differenze maggiori tra i due progetti. OPNsense\u00ae non supporta la creazione e l’installazione di packages di terze parti, come invece consente di fare pfSense.
\nQuesta scelta viene motivata dagli sviluppatori di OPNsense\u00ae per evitare possibili imperfezioni del codice.
\nLink: https:\/\/docs.opnsense.org\/fork\/nomoremyths#myth-opnsense-doesn-t-support-packages<\/a>OPNsense\u00ae abolished packages and introduced a plugin system. All those who want to contribute to the project can learn more details about it consulting the following link:\u00a0https:\/\/docs.opnsense.org\/plugins.html<\/a>.<\/p>\n

As mentioned earlier, the community must sign an ICLA, but can then contribute like it always did in all these years.<\/p>\n

As always, for more about the above information, please see the following link:<\/p>\n