Author Topic: pfsense or opensense  (Read 5682 times)

chenks

pfsense or opensense
« on: November 27, 2022, 05:21:21 PM »

For a home environment with the usual amount of mobile and media devices, is pfsense or opnsense the better choice?

I’ve heard both are very similar but opnsense has a better UI.

I would be going into it with zero experience of either, just a decent knowledge of setting up networks.

ISP is Virgin 250Mbps and would then be adding my own APs and switch.

Would also need to work out the spec of the system I’d need to use for the bandwidth.

Would also need to be able to route certain traffic (either by device or by external IP) via a VPN connection (NordVPN).

Was considering going full Unifi kit, but the cost is too high.

skyeci
Re: pfsense or opensense
« Reply #1 on: November 27, 2022, 06:30:39 PM »

I use opnsense on an i7 qotom with zen's 900 fttp package. Static ipv6 via zen.

There's a number of features I am not using on opnsense but the basics have served me well over the last 3/4 years.
I used to use pfsense too but changed from it in favour of opnsense. The box is probably overkill as it never seems to get stressed, but I bought it pre-fttp thinking it would suffice when fttp came along (last May).

Most of the basic settings are the same between the 2 so you can try both and see what you like...
« Last Edit: November 27, 2022, 06:33:04 PM by skyeci »

Alex Atkin UK
Re: pfsense or opensense
« Reply #2 on: November 27, 2022, 09:06:08 PM »

Having gotten used to pfSense I considered moving to opnSense but honestly didn't like the look of the UI.  If I weren't using pfBlockerNG I might have still switched though.

The box I'm using is linked in my sig, cheap and extremely efficient yet should handle up to 2.5Gbit.
« Last Edit: November 27, 2022, 09:10:53 PM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

chenks

Re: pfsense or opensense
« Reply #3 on: November 28, 2022, 08:07:33 AM »

> Having gotten used to pfSense I considered moving to opnSense but honestly didn't like the look of the UI.  If I weren't using pfBlockerNG I might have still switched though.
>
> The box I'm using is linked in my sig, cheap and extremely efficient yet should handle up to 2.5Gbit.

this one?
https://www.aliexpress.com/item/1005004254089060.html
£147 with 8GB/128GB

i currently run pihole on a separate device, so if i could run something similar with either pfsense or opnsense then that would be preferable.

ideally i would be looking for the cheapest fanless solution i can get away with that won't struggle with 250Mbps up to a max of 1Gbps (i can't see myself either upgrading or exceeding 1Gbps in the lifetime of such a device).

being able to route certain devices or specific traffic thru a VPN is a must though. my current asus router is able to do that.

Alex Atkin UK
Re: pfsense or opensense
« Reply #4 on: November 28, 2022, 11:23:55 AM »

Yes, and over OpenVPN:


Wireguard:


I'm not aware of any consumer router that gets close to this.

Line rate:


It idles around 11W (and in my experience FreeBSD based OS don't idle as low as Linux) and I think peaks at 25W, but it's hard to get that high.  I'm running it off a PoE splitter.

It's also much smaller than you think from photos.


https://www.youtube.com/watch?v=rUuaAPG0PxU

His conclusion that the J4125 is potentially good enough does not take into account policy routing, OpenVPN or in my case PPPoE.
« Last Edit: November 28, 2022, 11:34:21 AM by Alex Atkin UK »

chenks
Re: pfsense or opensense
« Reply #5 on: November 28, 2022, 12:50:27 PM »

as my upstream is only 250Mbps (recently increased from 200Mbps), i've only ever been able to test by VPN compared to that and i get pretty much no drop when connected via the VPN, so as long as it is capable of that then i'm no worse off.

can it do intrusion prevention/detection and deep packet inspection with no drop in performance?

basically i'm assuming that no matter what other background tasks it's running there doesn't seem to be a hit in performance?
and 8GB ram / 128GB storage is more than enough?

Chrysalis
Re: pfsense or opensense
« Reply #6 on: November 28, 2022, 01:25:27 PM »

opnsense and pfsense have a lot of similarities but there is a different ethos in certain areas. I use both, opnsense in datacentres, pfsense at home, and I think the opnsense UI is miles ahead in its responsiveness.

Opnsense also has a much more rapid release model, lots and lots of updates if that excites you. pfsense hasn't done any for a while but have now given a reason for it (they are preparing to rebase on FreeBSD CURRENT to get the most up to date network code).

If you are doing deep packet inspection, expect an overhead hit; whether it gets a performance drop will depend on your hardware.  There is performance left in the bag to be gained by tuning though, the easiest win being enabling multiqueue packet processing.

Martin did tell me some of pfblockerng features are built into opnsense such as loading ASNs, but I never got round to playing with it so don't know the specifics, maybe skyeci does since he uses it for his home setup.

Your RAM and storage will be more than enough.  Biggest factor on the hardware is NIC spec and CPU spec.
« Last Edit: November 28, 2022, 01:28:13 PM by Chrysalis »

chenks
Re: pfsense or opensense
« Reply #7 on: November 28, 2022, 01:32:51 PM »

DPI was just a "would be good to have" sorta thing, don't have it now but did tinker with it when i previously had unifi kit.

ad blocking is something i would want integrated, if possible, though. i think i read that there is an AdGuard plugin (or similar) for opnsense, which would most likely do the job that my pihole currently does, and saves me on a docker instance that needs to be run elsewhere.

Chrysalis
Re: pfsense or opensense
« Reply #8 on: November 28, 2022, 01:53:42 PM »

If I remember right from what Martin told me (but not 100%), opnsense can use at least some black lists. I don't mind trying it out on an existing install so you have some clarification.

chenks
Re: pfsense or opensense
« Reply #9 on: November 28, 2022, 01:55:13 PM »


Chrysalis
Re: pfsense or opensense
« Reply #10 on: November 28, 2022, 01:57:54 PM »

I just checked, there doesn't seem to be an existing plugin for adguard, but there is a guide to use it.

https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/

Chrysalis
Re: pfsense or opensense
« Reply #11 on: November 28, 2022, 01:59:23 PM »

> i found a thread about it here
> https://forum.opnsense.org/index.php?topic=22162.0


Even better :) seen your post when I submitted mine, I am going to add this repo, nice find.

chenks
Re: pfsense or opensense
« Reply #12 on: November 28, 2022, 02:10:39 PM »

again, this would be a "good to have" as it would save me having to run a separate docker instance for pihole.

chenks
Re: pfsense or opensense
« Reply #13 on: November 28, 2022, 02:32:09 PM »

issue will be playing the AliExpress roulette, where you wonder if the image matches what you get delivered, and how long it actually takes to get delivered.

Alex Atkin UK
Re: pfsense or opensense
« Reply #14 on: November 28, 2022, 10:20:55 PM »

> If I remember right from what Martin told me (but not 100%), opnsense can use at least some black lists. I don't mind trying it out on an existing install so you have some clarification.

I only use blocklists and geoblocking so that might be enough, I just didn't fancy the effort of porting all my rules over.

I have to admit, I'm a little dismayed at how pfSense having such infrequent releases seems to result in having some long-standing issues that seem to take forever to get fixed.  Having to manually search for patches seems a poor way of dealing with this sort of thing.  It also leads to newer NICs not being supported on pfSense for quite a while.

As for DPI, I've never really seen that as very practical.  It's such a performance hog and as things moved over to HTTPS and then QUIC, it's going to get harder and harder to do.

> issue will be playing the AliExpress roulette, where you wonder if the image matches what you get delivered, and how long it actually takes to get delivered.

True, but they cost two to three times as much for the same hardware if you use a UK supplier.  Although it's generally a good idea to get a replacement PSU as the quality of what they provide is a real gamble.  The PSU mine came with is the lightest 12V 3A I've ever felt, I have serious doubts of its quality and safety given my external HDD ones at 1.5A weigh more.  But I wouldn't trust a UK supplier to provide anything better than direct from China either.