Benefits of IPFire over other Open Source solutions

Hi there,

I was wondering whether some of you would be kind enough to help me understand in which cases one would be better off with IPFire, compared to OPNSense or another open source firewall solution?

Is it stable enough to run in a business, is there enough support? Or is it more suitable for individual needs?

Are there a lot of add-ons for specific use cases?

I’m currently choosing a firewall and would like to better understand my options,

Thanks a lot!

1 Like

Hello Jean-Pierre,

IPFire isn’t only “stable enough”, it’s fully stable and can run in every business that wants to run it!

There definitely is enough support. You can take a look at www.ipfire.org - Help for a list of all support possibilities, like Lightning Wire Labs, where you can get professional support by experts.
IPFire is well documented too, so you can try to fix problems yourself, without needing to consult an expert.

Lightning Wire Labs also offers tailored solutions for your specific needs and wishes.

There are plenty of add-ons, but you can also request features within the bugzilla or get them from Lightning Wire Labs (as mentioned above) or build them yourself.

Regards,
Rico


PS:
Here are some Links you might find useful:

5 Likes

Hello @jjso welcome to our community.

IPFire is developed by a small team of very competent network engineers and Linux kernel hackers. The team is focused on maintaining IPFire version 2 and pushing IPFire version 3 to a usable state, which will introduce an unlimited number of zones and support for IPv6. There is also a small but active community of users exchanging help and observations in this forum.

From my perspective, IPFire’s advantage over the *sense family of routers/firewalls lies in its underlying system knowledge. For BSD enthusiasts, OPNSense might be preferable, while Linux users will find IPFire more aligned with their preferences.

Designed for reliability within its intended use, IPFire excels as a secure firewall that effectively segregates private networks from the broader internet. This makes it equally suitable for both home and business use.

There is a good ecosystem of additional packages, however the developers prioritize security over sheer functionality, resulting in a curated selection of add-ons that might not cater to every user’s needs. This is due either to a lack of maintainers or to security concerns that prevent their inclusion.

For businesses seeking direct support, arrangements can be made with the core developers. Home users, on the other hand, have access to a comprehensive documentation repository and this forum for peer assistance.

4 Likes

I cannot agree with this part.
Not once, but several times, it happened that an update, for some use cases, broke the whole mechanism. Distro won’t boot, someone cannot use the internet connection, some others had the DNS resolve path broken.
It happened a few times (fewer than ten), however… it happened.

1 Like

Looking at the cases of instability, most of them could be avoided if we don’t allow config from the CLI or ‘custom config’ via xxx.local files. This isn’t really practical.
Therefore we have to live with those problems. If I remember right, nearly all were solved quickly with help of a great community and the core devs.

3 Likes

Chimes like a forecast. “it could happen again, and probably what will be done can’t prevent that”.
Again: it happened a few times and/or for a small number of cases, but it happened.
The latest one is the dhcpd madness, the previous one was the hiccup of grub.

I usually update firewall distros from remote with another project. The same applies for firmware of commercial SMB grade firewalls. Zero casualties for these products.
I had this issue ONCE with IPFire: an update struck a VMware guest from remote. I was lucky that I had another guest readily available with a partial and viable configuration done. Phone-managing was enough to avoid a 150km trip.
I’m currently not adopting IPFire anymore (not only for this reason); nevertheless it is still a great firewall distro, but with some important missing pieces.

1 Like

I am glad this is the case, as I wouldn’t be an IPFire user if the distro was locked down.

1 Like

I completely sympathize with your position, and you are providing an important different point of view for OP.

I wish to clarify, without any intention of undermining your views, that if I were to remotely administrate a business-critical system I would never assume that the development team will ship a bug-free update. Consequently, I would put in place multiple contingency strategies and, possibly, secure a technical assistance agreement to mitigate potential risks.

Your success with alternative systems, so far unaffected by serious issues, likely is due to a combination of vendor selection with favorable trade-offs for your specific situation and also a bit of fortune, as bug-free software does not exist.

Turning our focus back to IPFire, the small size of its development team, the broad spectrum of hardware it supports, and IPFire’s foundation on open-source philosophy guarantee freedom in system management but also allow a non-zero incidence of serious bugs. When issues do arise, the team’s commitment to prompt resolution is commendable, especially considering the resources at their disposal.

I reassert my previous stance: IPFire stands as a viable option for businesses. However, like any technological decision, it’s critical to weigh the trade-offs.

2 Likes

For the italic part Yes… but… actually probably no?
I mean… someone aimed at a big target. And it was hard to miss the blatantly large history of issues, vulnerabilities, hiccups, apocalypse-level bugs that gave some big headaches to large companies and ISPs.

But let’s go business here.
First is the feature set: if your “product” cannot deliver the desired needs for the customer, the product won’t pass phase 1 of selection.
Second is the stability: if your “product” cannot deliver stable and consistent behaviour or performance, it won’t pass phase 2…
Third is scalability: if your “product” cannot follow the growth of data, interfaces or functionality required, it can be adopted, but sooner or later it will be replaced with something scalable enough as SPOF (for performances) or redundant system (for hardware failure resiliency)

IPFire is a wonderful firewall.
A lot of the decisions made during the development can achieve a really efficient use of the computational power, a really wide user case scenario coverage, an effective way to do a lot of interesting and working solutions for connecting and controlling traffic flow among networks and internet, a set of tools to create issues for someone who’s willing to be a PITA for your connection (except for DDoS… you can’t really win there with any product… sort of).

But: IPFire lacks features, consistency, a stable path.
When it runs, it can easily achieve 180+ days of hiccup-free running. During update… it is a tricky process. And “delay” updates can also deliver a lot of headaches. And in these 5-10 years, sometimes you need to update sooner than later.

Hi,
on the site ipfireitalia.it a university student compared IPFire with pfSense.
If you are interested in seeing her rating you can find it at this link:
https://www.ipfireitalia.it/index.php?view=article&id=136:ipfire-vs-pfsense-quale-firewall-dovresti-scegliere&catid=32

2 Likes

Cognitive dissonance?

3 Likes

I do think it’s wonderful. However has some flaws. Some really big.

You may not believe me… That’s fine.

I believe you. It simply looked like you stated two mutually exclusive points of view. The use of scare quotes around product was not very conducive to ending up with the word wonderful. Making nuanced arguments is not easy, especially if English words have a broad meaning and can be seen differently from our reciprocal points of view. Also, English is not my first language.

2 Likes

Neither IPFire nor related services are for sale. So that’s technically not a product.
Only hardware “designed for IPFire” (sort of) is on sale.

The request was to compare open source options, not “commercial SMB grade firewalls”. Check a forum for *sense or something cheap like Mikrotik today and you will find users with identical problems after their most recent releases; yet none should be discarded on that basis as unfit for purpose. These are proper firewalls, with different features and complexities.

A contribution to the OP’s quest for information would be to cite technical and UI strengths and weaknesses. The reality of bug fixes and user problems to be solved within their own more complex setups is true for all software. Simply reading here shows IPFire to be pretty stable and an effective product.

8 Likes

pfSense is an open source option. And a commercial SMB grade firewall, according to Netgate.
Objection rejected.

@jjso welcome to the community,

I think you should try IPFire and get familiar with it; there are a lot of good people who will guide you through all the steps.

I think this is true, and it means that all of us here are the product, which could actually be a really good thing in the case of IPFire.

3 Likes

@pike_it So you do not demur that exactly the same problems occur there, as you can read there right now.

Thank you.

Meanwhile, back on the actual topic of trying to assist a new contributor…

1 Like

Thank you all for taking the time to respond, I’ll read and keep looking into it 🙂

3 Likes

I believe this concept of “we are the product” does not apply here. This is a community of enthusiasts of an open-source project. The incentives of the project leaders are transparent, unlike in the case of services like Gmail or a free-to-use search engine. They receive their funding openly and ethically through our donations or hardware purchases, and we also contribute our time.

This is an example of ethically aligned incentives among all the members of this network, where the common good is maximized. Personally, I have chosen not to use ANYTHING where the incentives are not aligned like this and work against my best interest. I pay for every service I use, including email and search engines.

5 Likes