Migrating From Pfsense to Opnsense

May 8, 2021

I’ve been running pfSense for a few years now. It is hands down better and more powerful than any commercial home router a consumer can buy off the shelf, and it runs for free on most cheap, used hardware. pfSense has served me well, but there have always been a few things that bothered me. Namely:

  • Updates are few and far between. That’s not what you want from a security standpoint, and it is one of the major drawbacks of most consumer routers: the manufacturers soon abandon them and stop providing firmware updates.
  • New features never seem to happen. In 2 1/2 years I don’t remember any real new features popping up. There have mostly been just a few obscure things I didn’t need or use and so didn’t really notice. The one new feature I was interested in was WireGuard support, and that turned into a major mess that had to be completely pulled from the product shortly after its release.
  • Netgate does a great job of scaring the open source community with every press release. They always have a way of leaving you wondering if they are really committed to open source or whether they intend to leave the community version of pfSense to die a lonely, slow and painful death.
  • Netgate has a real public image problem. They have been publicly nasty to the community and most organizations they deal with, especially when it comes to OPNsense.

After the WireGuard fiasco I finally decided enough was enough and I did not want to trust my home lab to pfSense any longer. There was just way too much drama that never seemed to end. OPNsense was always on my list to take a closer look at because it was a fork of pfSense (without the attitude) and had a reputation for a cleaner, more modern UI, with a better focus on security and on providing updates.

The migration took some work, mostly because I was using a lot of features of pfSense and because I was unfamiliar with OPNsense. I give everything in my network a static IP address, so my list of DHCP hosts was somewhat large. I cheated a little bit here: I created a single host in OPNsense, downloaded a backup XML of the configuration from both pfSense and OPNsense, and with a little cutting and pasting and scrubbing of the XML, I made a DHCP configuration from the pfSense backup that looked like the OPNsense XML version. Everything else I manually set up using the OPNsense UI, even the many firewall rules. I spend a bit of time tweaking rules anyway, so learning the OPNsense way of creating rules was an exercise worth pursuing in my case. Some other features I rely on are:

  • An ‘always on’ VPN connection for some clients
  • VPN into the network while travelling using multi-factor authentication
  • GeoIP blocking
  • Suricata for IDS
  • HAProxy for access to some services I access from mobile devices
  • Let’s Encrypt for SSL certificates
  • Dynamic DNS, WOL, and NTP
  • and probably a few others
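The DHCP cut-and-paste step described above is the part most worth scripting, since a typo or a duplicate lease carried over by hand is exactly what breaks a static-IP network on the new box. The following is an added example, not code from the post or from either project: it reads the `<dhcpd><lan><staticmap>` entries of a pfSense backup, keeps only a whitelist of fields (the tag names `mac`, `ipaddr`, `hostname`, `descr` and the whitelist itself are assumptions), rejects malformed or duplicate entries, and emits them as OPNsense-shaped `<staticmap>` elements; the input fragment is constructed.

```python
"""Added example (not the post's own): carry pfSense DHCP static mappings
over to OPNsense-shaped XML. Assumes both keep them under
<dhcpd><lan><staticmap> with <mac>/<ipaddr>/<hostname>/<descr> children."""
import ipaddress
import re
import xml.etree.ElementTree as ET

KEEP_FIELDS = ("mac", "ipaddr", "hostname", "descr")  # whitelist (assumption)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed pfSense backup fragment; the extra fields stand in for anything
# the OPNsense side does not expect and that should be scrubbed.
PFSENSE_SAMPLE = """<pfsense><dhcpd><lan>
<staticmap><mac>AA:BB:CC:00:00:01</mac><ipaddr>192.168.1.10</ipaddr>
 <hostname>nas</hostname><descr>file server</descr><cid>x</cid></staticmap>
<staticmap><mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.1.11</ipaddr>
 <hostname>printer</hostname><filename>boot.img</filename></staticmap>
<staticmap><mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.1.12</ipaddr></staticmap>
<staticmap><mac>aa:bb:cc:00:00:03</mac><ipaddr>192.168.1.300</ipaddr></staticmap>
</lan></dhcpd></pfsense>"""


def extract_staticmaps(xml_text, iface="lan"):
    """Return (clean mappings, rejected entries paired with a reason)."""
    root = ET.fromstring(xml_text)
    kept, rejected, seen_mac, seen_ip = [], [], set(), set()
    for sm in root.findall(f"./dhcpd/{iface}/staticmap"):
        e = {f: (sm.findtext(f) or "").strip() for f in KEEP_FIELDS}
        e["mac"] = e["mac"].lower()  # normalise case before comparing
        if not MAC_RE.match(e["mac"]):
            rejected.append(("bad mac", e)); continue
        try:
            ipaddress.ip_address(e["ipaddr"])
        except ValueError:
            rejected.append(("bad ip", e)); continue
        if e["mac"] in seen_mac or e["ipaddr"] in seen_ip:
            rejected.append(("duplicate", e)); continue  # would clash on the new box
        seen_mac.add(e["mac"]); seen_ip.add(e["ipaddr"])
        kept.append(e)
    return kept, rejected


def to_opnsense_xml(mappings, iface="lan"):
    """Serialise only the whitelisted fields as <staticmap> elements."""
    parent = ET.Element(iface)
    for m in mappings:
        sm = ET.SubElement(parent, "staticmap")
        for f in KEEP_FIELDS:
            ET.SubElement(sm, f).text = m[f]
    return ET.tostring(parent, encoding="unicode")
```

Review the rejected list before pasting the output into the OPNsense backup; the two rejects in the sample (a repeated MAC and an out-of-range address) are the kind of entries that silently hand out the wrong lease if carried over by hand.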

Feature-wise, the two products are very close. There is nothing in pfSense that I could not find in OPNsense. And in the end, I have to say I liked the OPNsense implementation much better. For example, intrusion detection and protection using Suricata was much easier and simpler to set up. Yet other things are just as silly in both pfSense and OPNsense. Why we can’t standardize on using a checkbox and consistently check it to enable something is beyond me. Both products still sometimes check to disable something and sometimes check to enable other things. Some UI consistency would be nice here for both products. Though I have to say OPNsense has given a lot more thought to how the UI is used and has organized things much more intelligently.

If there was anything that didn’t go well it would have to be WireGuard. I did want to use WireGuard for inbound VPN because it is much faster and supposedly easier to set up. After a day and a half of trying to find out why I could reach the service but data was blocked before it was returned to the client, I had to give up. I simply tried everything I knew to try and triple checked everything against the well written OPNsense documentation. In the end, I went back to OpenVPN and added multi-factor authentication. OpenVPN worked the first time! I am happy with this for now, and it is probably more secure than WireGuard because of the MFA, but one day I hope to return to WireGuard and get it working. My current thought is to wait for a future update or release, as I am not entirely convinced the issue is mine but probably some kind of conflict with my somewhat unique setup, like having both a WAN and a VPN gateway.

So, am I glad I made the switch? Absolutely! I wish I had done it sooner! I was concerned about the level of effort, and it was not a trivial conversion. I actually bought a ‘new to me’ used PC off of eBay to set up most things offline before I actually made the swap. I figured that way I could minimize downtime, and I would also now have backup hardware in the event of a hardware failure down the road. Since I run off of used PCs and a 4 port network card, I can’t exactly pick up a replacement at a local retailer and get back online quickly. Having a backup PC ready to swap in and restore the configuration from the latest backup gives me some additional peace of mind.

Bottom line is OPNsense is a better piece of software. The UI is easier to use, though not perfect. I have the peace of mind that OPNsense will be here tomorrow and will continue to grow and remain open source. It is strange that OPNsense isn’t quite as popular as pfSense. I can only attribute that to people just not having tried it and the ‘labor cost’ to switch being more than people are willing to spend for something they just aren’t familiar with. So let me share this with you: it is worth it!!!