Migrating from pfSense

Hello everyone,
I have been researching alternatives to pfSense since they announced the whole pfSense+ separation from the Community Edition a couple of days ago.

The writing is on the wall that pretty soon the CE will lag behind and not be as updated as pfSense+ and although, they have a “no-charge” pfSense+ version – it would be closed source thereby giving me pause about the whole thing. I had a feeling this day would come when they first announced the Netgate ID – but IRL was too busy at that time for me to switch things over. I should have.

Anyway the time is here now.

My first thought was to move to OPNSense because:

  1. It’s based off of pfSense so much of my configuration would be similar as long as I can navigate the differences in the GUI
  2. I had considered OPNSense back when I started using pfSense

But since I have to re-learn a new GUI anyway, I thought I might as well go for a Linux based firewall as I am more comfortable in Linux than in *BSD. So IPFire’s got that going for it.

So I am evaluating IPFire and OPNSense and check out which one will be my next firewall. I think if either can satisfy my usage then it would likely be my next firewall. But the most important question would be:

  1. Can IPFire go the pfSense route? As in, can Lightning Wire pull a Netgate and either reserve features or worse close source on certain features?

My usage is basic. I have a single WAN with multiple VLANs trunked to the switch and eventually to an AP. I use the following 4 packages on pfSense

  1. acme – for Let’s Encrypt Certs – I guess certbot can be used if the WebUI doesn’t have any options
  2. nut – for UPS integration – I know nut can be configured in any linux, so I can probably do it via CLI if the WebUI doesn’t have any options.
  3. openvpn-client-export – for easy export of VPN server config – ??
  4. pfBlockerNg-Devel – Ad blocking and such – I might be able to replace this with a pi-hole LXC container on my Proxmox server. Ideas are welcome…

Does IPFire have similar option for the openvpn-client-export?

Secondly, I have a VPN server and a VPN client. All my devices access the Internet via the paid VPN service, except my work laptop & my wife’s work laptop which access the Internet via the ISP. Can I have selective routing for various devices – maybe via device aliases or network aliases etc.? My VPN server is not being used currently – what with COVID and all – but I do intend to keep it running when I eventually go out of the house.

Thirdly, I have a 4 port Intel i340 card with the following networks – WAN, LAN, IOT, GUEST, WORK & CCTV apart from my VPNs. GUEST & WORK run off of LAN whereas IOT & CCTV run off of LAN2. Will I be able to set up the same networks on IPFire?

Fourthly, I use the DNS Resolver within pfSense and I don’t use any other DNS service. How would I set that up in IPFire?

Finally, some basic log information, SMART status of the disk etc & backup & restore of config files would be nice to have in the WebUI.

As you can see, my usage is extremely basic. I hope IPFire can support everything. I do intend to run it in a VM soon so I can take it for a spin before I commit to it on my current router hardware. I am already intrigued by a couple of features like the upgrade cache that I might be able to use for my various Archlinux boxes/VMs/Containers and the built-in IPS with Suricata. I never used it on pfSense, but if it’s available by default, then it would be fun to check it out.

My current pfSense runs on a J3355 SoC board 4GB RAM and an attached Intel i340-T4 card. I also use a 2.5" PATA HDD that I salvaged from my circa 2000 laptop. The new firewall – whether IPFire or OPNSense will eventually be installed on this machine.

PS: To the mods: I was not sure if this kind of post should go into Uncategorized or Getting Started, so if this is the wrong board, please feel free to move it.
PPS: Oh and sorry for the long-winded post!

1 Like

If you’re planning to use dual internet connection, IPFire is a no-go.

1 Like

Hi @inxsible

Welcome to the IPFire Community

I will provide the inputs that I am able to.

Regarding this question, read the blog article by Michael Tremer
https://blog.ipfire.org/post/ipfire-is-open-source-software-and-it-going-to-be-open-source-for-forever

  • There is the Dehydrated add-on which does similar to acme
  • There are both nut and apcupsd available as add-ons
  • When you create an OpenVPN client configuration you get a zip file package to download that has the profile and the certs. See the wiki page on the OpenVPN Server
  • For Ad blocking IPFire has the Squid Web Proxy together with a comprehensive URL Filter.

I would expect so, it depends on the details of your networks.
IPFIre’s Red interface would be your WAN connection
Your LAN would probably be IPFire’s Green interface
Your LAN2 could either be IPFire’s Blue or Orange interfaces depending on the needs. For IOT and CCTV, I would normally put them in Orange as in IPFire that is the DMZ connection.

Yes, SMART status is given in the WUI.
Backup and restore of config files etc is available in the WUI. Additionally if you want to backup from IPFire to other systems then there are some backup addons as well.

I use Virtualbox VM’s for testbedding new releases and for working on code changes and they work fine for that.

The 4GB is fine. The J3355 is 64 bit which is good. I am not familiar enough with Network cards to say anything about the i340-T4

Good luck with your evaluations.

2 Likes

Hello,

You have come to the right place :slight_smile:

It seems to have been an open secret, but it is indeed very sad that this development has happened. Unfortunately it seems to be a bit of a trend right now which is very concerning and I wrote a little blog article about it:

I think Linux is much more superior when it comes to networking. It is fast, and a much more modern operating system than any of the BSDs. Their focus is a slightly different one.

IPFire is also much better when it comes to supported hardware, and since more people are fluent with Linux debugging anything is a lot easier when you feel familiar with the OS.

I am glad you asked that. It is indeed a very important question, and luckily the answer is a simple one:

No, we can’t. The reason for that is software licensing.

The BSD (either 2-clause, 3-clause) and the MIT license under which most of the software in the BSD ecosystem (and in this particular case pfSense) is allows that you do whatever you want with the software itself, including selling it for money, and not publishing any changes under the same license.

In the Linux world, we usually use the GNU General Public License (or GPL for short) which mandates that any changes of the software have to be made public again. At IPFire, we do not exercise any copyright assignment or other ways to transfer the copyright of the software to any body else than the author itself.

That means that the code of IPFire is owned by many people - everyone who has contributed a line has the full copyright on it and we would need their permission if we wanted to change this. This simply won’t happen and we don’t want to do it any ways.

I strongly believe that if you are doing security software and you are hiding the code, you are doing it wrong. And that includes OPNsense with their commercial version, too. I do not know which code I am running, because I only get the compiled version, but I have no idea what is actually in it.

At IPFire, we make this absolutely transparent and I believe that is the only way to do it.

Regarding funding: Times are not easy right now. Everyone working on the project has a fridge to fill and rent to pay. Therefore I would like to emphasise that we need money, too. We do this by donations, and if you can, please donate and help us to keep this project moving forward and make IPFire better :slight_smile:

We have dehydrated because I liked that one better :slight_smile:

Available.

That is a standard feature.

I do not know what this does, but we have ad-blocking integrated into the main OS.

Search on here and you will find some things about VPN providers. Look for Peter’s posts on it.

That would be the default configuration - we can this recursor mode.

I am sure IPFire is the right choice to replace your pfSense system with. Some things might be slightly different, but in the end, you will have a firewall that secures your network and probably performs a lot better on that hardware :slight_smile:

-Michael

3 Likes

Could you please elaborate this? I’m looking for DNS Adblocking and want the system to pull updates from several lists daily. If you mean squid proxy then could you please provide additional examples on your IPFire wiki? I have no idea how to achieve adblocking with proxy and at the moment the simplest approach in my case is the dns_blocklist.sh from GitHub - sfeakes/ipfire-scripts: Scripts for ipfire

Hello,

no, we do not provide DNS blocking like this. The reason for that is that we enforce DNSSEC and the global DNS tree should remain intact. You can find various debates around this on here.

What we have is filtering by proxy which has many advantages. Besides not breaking DNSSEC, it will show the user a clear indication that they have visited a potentially malicious website.

Alternatively you can use the Intrusion Prevention System to filter any malware and so on.

2 Likes

Thanks for your replies @bonnietwin & @ms for confirming that my basic setup can be easily replicated in IPFire. Thanks for the link to the blog post as well. I have read through it and it does seem reassuring.

@ms – Thanks for taking the time to respond as to why the IPFire/Lightning Wire may not be able to close source in the future. I do understand GPL’s mandate with regards to changes being made public.

I agree 100%. I am not against people making money off their software – but at the same time I feel taking something that was open source and then closing off sections is detrimental to the public at large. Not everybody has the technical know-how to build their own firewalls from scratch. Everyone in this world would have the same profession if that were the case.

It’s the closing of source code that is making me look elsewhere rather than paying for something that I use. I have in the past donated to many projects that I have used and will continue to do so. Granted, I do use the software for a few months or more to see if it suits my needs before I will commit to it and donate. I’d rather pour money into something that I use and want to succeed rather than something that I am just testing or evaluating.

Time to fire up a VM or Container and start experimenting … And because this device controls the online access – I have to make sure I do in such a way that I do not incur the Wrath of the Significant One and my llittle toddler devils !!

2 Likes