this post was submitted on 27 Jul 2024
85 points (96.7% liked)

Selfhosted

39976 readers
375 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hiya, just getting into networking and recently completed my Tp-link Omada stack, which I'm very pleased with. Have heard great thing about all three mentioned services above, but struggle to understand which to go for. Do they have different use cases? Is one easier than the other? Which one is recommended to begin with?

top 33 comments
sorted by: hot top controversial new old
[–] chronicledmonocle 67 points 3 months ago (1 children)

pfSense = Firewall and router system based on FreeBSD. Has both open source and commercial versions. Built for SMB to Enterprise uses. Extremely powerful with all of the bells and whistles you'd expect from a professional firewall product.

OPNSense = Basically pfSense with a different UI. It's a fork of pfSense. Much of the same capability, but is built by a smaller company.

OpenWRT = Replacement firmware for embedded devices (as well as x86). It's open source WiFi router firmware that runs on tens of thousands of devices. Many vendors will even base their custom firmware on OpenWRT and put a different skin on it (GL.iNet, for example).

[–] [email protected] 9 points 3 months ago (1 children)

Perfect, thanks for summing it up for me! <3

[–] TCB13 11 points 3 months ago* (last edited 3 months ago)

That explanation is misleading because:

  1. OpenWrt does firewalling and routing very well;
  2. If you’ve a small / normal network and OpenWrt will provide you with a much cleaner open-source experience and also allow for all the customization you would like;
  3. There are routers specifically made to run OpenWrt, so it isn't only a replacement firmware.
[–] Gerbils 42 points 3 months ago (2 children)

pfSense and OPNsense are firewalls. OpenWRT is router firmware. They're all open source - to varying degrees - and they all have overlapping features and functionality.

Quick breakdown:

  • OpenWRT: originally developed as a replacement for the firmware on Linksys wireless access points. It has grown into a full Linux-based networking OS with extensible features and broad hardware support. The target devices are still mostly wireless routers/access points and the use cases it services are still mainly about wireless networking.
  • pfSense: Originally a fork of m0n0wall, it's a BSD-based firewall distribution. Designed primarily for firewall use cases, it can be loaded on bare metal or in VMs, but it's generally deployed "upstream" from wireless devices - typically it's the device that all of your network traffic passes through on the way in/out of the LAN. Extensible architecture and a rich ecosystem of plugins means that pfSense can also serve as a caching proxy, load balancer, intrusion detection server and logging host.
  • OPNsense: a fork of pfSense. Almost identical use cases. OPNsense has a more usable/modern UI, but lags slightly in support for new features and plugins.

So the question of pfSense or OPNsense is either/or - you'd typically pick one or the other. Note that I'm staying away from the political comments that will invariably come up around this comparison. It's enough to know that both have commercial offerings in addition to their open source versions and people have strong opinions one way or the other.

Either one of either pfSense or OPNsense in conjunction with OpenWRT is common, with OpenWRT on the wireless devices and pfSense/OPNsense at the egress to WAN. In your case, Omada already does what OpenWRT would do - along with some very limited versions of what you could do with pfSense or OPNsense.

It's worth noting that folks often deploy these three open source tools as a method to regain control rather than using a third party cloud based solution like Omada. No judgement, just saying that Omada is the polar opposite of the 'selfhosted' esthetic.

[–] [email protected] 4 points 3 months ago

Clap clap clap. Great explanation

[–] [email protected] 1 points 3 months ago (1 children)

Just fyi; I am using the Omada system without using the cloud option, it is also selfhostable :) But thanks for the info/writeup!

[–] [email protected] -2 points 3 months ago (1 children)

You are using the cloud though. They control it not you. If they push a bad update or decide to start selling your data there is nothing you can do

[–] [email protected] 3 points 3 months ago (1 children)

They what and what?? Generally the Omada-stack devices are just on-premises hardware that you control. If you enable automatic firmware updates, then yeah, "if they push a bad update" and all (similar to a Linux distro with auto updates enabled). To improve operations, and enable certain features, there is the "cloud-based controller" software (appliance), which is named weirdly, because it generally does not live in the cloud - you can self-host on-premises, though its core software component is a black box and not (F)OSS (also available as an actual hardware appliance). There have been instances of the devices "phoning home", though you might be able to limit that to some extent with firewall rules.

[–] [email protected] 2 points 3 months ago

My point is that you do not control it. If you want full untethered control, go with OpenWRT and possibly OPNsense as a firewall

[–] anamethatisnt 14 points 3 months ago (2 children)

pfsense and opnsense are very similar. The pfsense devs has acted like jackasses towards the opnsense gang. They are both great for a router/firewall/vpn device. I would use external access points with them.
I think there are more addons to pfsense than opnsense.

OpenWrt is great when it comes to WiFi, but I find it much less intuitive to use for router/firewall parts. Could be that I am used to the way pfsense and opnsense do things.

Neither do switching from what I know, so pair the router with a switch of your choice.

[–] aseriesoftubes 12 points 3 months ago (1 children)

The pfsense devs has acted like jackasses towards the opnsense gang.

And toward their users. Ask the wrong question on the pfSense subreddit or forum and expect to get lit up. The Opnsense community is much more helpful and inviting in my experience.

[–] [email protected] 5 points 3 months ago

Yeah, that was the reason I switched from pfsense to opnsense about 4 years ago

[–] [email protected] 4 points 3 months ago

Also worth noting that pfsense was ready and intending to knowingly ship a broken and insecure wireguard integration

[–] [email protected] 6 points 3 months ago

Lots of comments already mentioning the differences. I have tried these, including the mentioned ipfire, and decided on the end to use opnsense plus openwrt on two different devices.

I chose opnsense at the time many years ago because it supported wireguard out of the box, where as pfsense required some weird install process I didn't want to deal with. Plus I liked the UI to opnsense more.

My moden has been literally replaced by my firewall so I have the ONT connected to it and then use it to do all the heavy lifting for... Well, firewall stuff. It connects to a VPN so my entire network routes through the VPN. Then my openwrt device is connected to that. It also handles firewall stuff, but more at an internal level (keeping network devices only permitted to communicate with devices I say are okay, blocking internet access, etc) and also hosts my nginx setup to route to various servers.

While I could do everything on one machine with opnsense, I've got a particular setup that allows me to have multiple devices at the firewall level, truly isolated from the rest of my internal network (for a couple of internet open port services). And it gives me peace of mind that if someone found a zero day in opnsense, I'm not totally screwed unless they also got one in openwrt.

To answer "which is better to begin with", I personally find opnsense way more flexible and robust than the other 2 options. Has a lot more capabilities and upgrading is super easy without requiring jumping through weird hoops and such like openwrt does.

[–] rtxn 6 points 3 months ago* (last edited 3 months ago) (2 children)

They all offer more or less the same network services with different UIs.

OpenWRT is specifically designed to work as a lightweight system running on consumer-grade routers. If you want this, you'll have to check the website's Table Of Hardware to determine if your hardware is compatible.

OPNsense and pfSense are general-purpose FreeBSD-based operating systems that you can run on discrete computers or in VMs that act as network gateways. All three are free/gratis, but you have to make an account and go through the store page to download pfSense.

I personally use OPNsense in a VM.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago)

OpenWRT is a iot operating system. It can run anywhere and everywhere. You can totally run it on enterprise gear and x86 machines. It can work as a firewall or a operating system for a light bulb. It also has the advantage of being very extensible and you can build custom images that have only the stuff you need.

The downside is that even though the wiki is fairly good it still requires a good amount of networking knowledge to use. It isn't bad and it ships with sain defaults but if you want to get advanced you need to know what you are doing.

It also lacks a mechanism for automatic security patching. You need to manually update it which is easier with attended upgrades but it still requires button pushing and downtime.

[–] [email protected] 1 points 3 months ago

Thanks for the info :)

[–] [email protected] 6 points 3 months ago (2 children)
[–] [email protected] 2 points 3 months ago

Thanks for sharing, had not heard of this one 👍

[–] [email protected] 1 points 3 months ago (1 children)

Did they add Wireguard yet?

[–] [email protected] 2 points 3 months ago

Not yet, but it has OpenVPN. I think they plan to add Wireguard in the upcoming 3.x release.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

Open vs closed solutions

I also like how OpenWRTs implementation of 802.11r doesn't require any central controller

Edit: the closed solution I'm referring to it TP-link

[–] [email protected] 2 points 3 months ago (1 children)

What’s closed about OPNSense?

[–] [email protected] 2 points 3 months ago (1 children)

My bad I was talking about TP-link

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

Are there any "open" solutions to mesh networking that can compare to TP-Link Omada? I don't think any open source hardware or software can come close, especially not for the newer Wi-Fi standards.

I haven't bought them yet, but I'm seriously thinking about some Omadas. I imagine I can prevent them from phoning home, and the management software can run locally in a Docker container. Running it like that would be good enough for me even though they're not "open."

I'm planning a rework of my home Wi-Fi, and my current plan is an OPNsense box from Protectli, and a few EAP772's:

https://www.tp-link.com/us/business-networking/omada-wifi-ceiling-mount/eap772/

If there's something comparable/better that's more of an open ecosystem, you definitely have my attention while I'm shopping around for different options.

[–] [email protected] 1 points 3 months ago (1 children)
[–] [email protected] 1 points 3 months ago (2 children)

Ok.... sure. But what physical devices would I use, and what software would they run?

[–] snekerpimp 2 points 3 months ago

The newer Omada routers are pretty good, and their software is getting better. Personally I use Opnsense on a Chinese fanless router from eBay. Paid for an n100, got an i3-1113 with dual channel memory does everything I need no issue, and it has helped me learn ALOT. However if I had the $200 just laying around today, I would stick with Omada just for simplicity.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
SMB Server Message Block protocol for file and printer sharing; Windows-native
VPN Virtual Private Network
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #893 for this sub, first seen 28th Jul 2024, 07:15] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 3 months ago (1 children)

This thread has reminded me that I have Ruckus APs that mesh. But support had been dropped because they are "old". Presumably there is no open source solution that I can flsh these with, still allowing me the meshing?

[–] anamethatisnt 5 points 3 months ago

OpenWrt with 802.11r and 802.11s configured will work as a mesh network with roaming functionality.
https://openwrt.org/docs/guide-user/network/wifi/mesh/80211s
https://openwrt.org/docs/guide-user/network/wifi/roaming

Not many Ruckus devices that are supported though:

Brand - Model - Supported Version
Ruckus - ZF7025 - 23.05.2
Ruckus - ZF7321 - 23.05.2
Ruckus - ZF7341 - 23.05.2
Ruckus - ZF7343 - 23.05.2
Ruckus - ZF7351 - 23.05.2
Ruckus - ZF7352 - 23.05.2
Ruckus - ZF7363 - 23.05.2
Ruckus - ZF7372 - 23.05.2

https://openwrt.org/toh/start?toh.filter.supportedcurrentrel=22.03%7C23.05