this post was submitted on 26 Oct 2023
45 points (94.1% liked)

Selfhosted

40479 readers
542 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
top 16 comments
sorted by: hot top controversial new old
[–] SheeEttin 43 points 1 year ago (1 children)

And nothing of value was lost. Opnsense is still free and open source, and doesn't start petty drama insulting its competitors.

https://teklager.se/en/pfsense-vs-opnsense/

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Update: I went and had a look and there's a Terraform provider for OPNSense under active development - it covers firewall rules, some unbound configuration options and Wireguard, which is definitely more than enough to get started.

I also found a guide on how to replicate pfBlocker's functionality on OPNSense that isn't terribly complicated.

So much of my original comment below is less-than-accurate.


OPNSense is for some, like me, not a viable alternative. pfBlockerNG in particular is the killer feature for me that has no equivalent on OPNSense. If it did I'd switch in a heartbeat.

If I have to go without pfBlockerNG, then I'd likely turn to something that had more "configuration as code" options like VyOS.

Still, it's nice to know that a fork of a fork of m0n0wall can keep the lights on, and do right by users.

[–] chagall 2 points 1 year ago* (last edited 1 year ago)

I did end up setting up my new Protectli appliance today. As i said below, I ended up with OPNsense and I have been able to replicate 97% of pfBlockerNG's functionality on OPNsense. I've been able to load all of my previous DNS blocklists (including my own personal blocklists on Github), set up cron jobs (in the GUI) to update these lists every week and and whitelisted some sites too. The only thing that sucks is that regex isn't supported. Instead they do wildcard domains (*.ampproject.org). Not nearly as good as regex but it's better than nothing.

I also used pfBlockerNG for hardcoded ip address blocks (like Roku hard-coding 8.8.8.8). For that, I used the alias function in the firewall and just set up floating rules for that. Definitely not as convenient as a list, but they don't change very much. Also, for IP addresses for security, OPNsense has a whole IDS section that pfBlockerNG used to handle.

pfBlockerNG made everything clean and easy but I've been able to get 97% of the functionality in pfBlockerNG in OPNsense. The 3% deficit is lack of regex support.

Edit: I saw the article you were referring to. That's how I set up IP blocking. But Unbound in OPNSense supports blocklists (it's even called DNSBL) and that is much easier/quicker to set up than using aliases IMO. Just make sure you toggle on Advanced Mode. That's how you quickly load the custom blocklist urls. Just remember to seperate the urls with a comma. I forgot the first time and nothing worked.

[–] mangaskahn 20 points 1 year ago

Now I'm just waiting for Netgate to announce an end to CE so I have a reason to move to OPNsense. I'm lazy and it works so I haven't taken the time to move yet. Weird for a company to EEE their own product.

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

Never trust corporations. If you're not profitable, they will abandon you. Only trust community-driven projects with a true open source commitment.

[–] ikidd 10 points 1 year ago (1 children)

Well, this corporation wasn't worth a pinch of shit to start with. Netgate is run by a pack of vindictive twats.

[–] [email protected] 3 points 1 year ago (1 children)

What do you base that strong opinion on?

[–] FutileRecipe 9 points 1 year ago (1 children)

Netgate / pfSense acts in bad faith / WIPO decides in favour of OPNsense: https://opnsense.org/opnsense-com/

[–] [email protected] 5 points 1 year ago

Oh yeah. I do remember that. Ok. They’re assholes agree.

[–] [email protected] 6 points 1 year ago

Been using OpenWRT for a long time on a cheap consumer router. Finally decided to upgrade to a fanless N100 appliance. Had to choose between OPNsense or pfSense.

pfSense just seemed too good to be true.

[–] chagall 5 points 1 year ago (1 children)

I bought a netgate box a couple of years back and it was total garbage. My new 2.5gb Protectli came in yesterday. Looks like I’ll be putting OPNsense on it.

[–] [email protected] 2 points 1 year ago

Good choice. I've switched from pfSense to OPNsense over a year ago and I never looked back. Now that the news are out there's one more reason for me to not look back.

[–] morphixz0r 2 points 1 year ago* (last edited 1 year ago)

Just in case no one else has seen the update, Netgate have walked back the change somewhat.

It is now going to require the original advertised TAC Lite/$129 a year subscription, which is what was stated from the inception of Home/Lab.

https://www.netgate.com/blog/netgate-pfsense-plus-tac-lite-available-for-129-per-year

[–] keyez 1 points 1 year ago (1 children)

This could potentially apply to me as I have a SG3100 that'd now EOL with no direct replacement, I was thinking of getting a non netgate appliance but restoring my PFSense plus to that new device, this now means I'd be forced to get a subscription to TaC to use Plus on a non netgate device? Wording isn't very clear to me.

[–] [email protected] 2 points 1 year ago (1 children)

If you backup your config now, you'd be able to apply the config to CE 2.7.x.

While this would limit you to an x86 type device, you wouldn't be out of options.

I am an owner of an SG-3100 as well (we don't use it anymore), but that device was what soured me on Netgate after using pfSense on a DIY router at our office for years...

I continued to use pfSense because of the sunk costs involved (time, experience, knowledge). This is likely the turning point.

[–] keyez 1 points 1 year ago

Until now my SG3100 experience hasn't been bad at all. I've been using it since like 2018 and don't have much to complain about thankfully.