I have been researching alternatives to pfSense since they announced the whole pfSense+ separation from the Community Edition a couple of days ago.
The writing is on the wall that pretty soon the CE will lag behind and not be as updated as pfSense+, and although they have a “no-charge” pfSense+ version, it would be closed source, thereby giving me pause about the whole thing. I had a feeling this day would come when they first announced the Netgate ID – but IRL was too busy at that time for me to switch things over. I should have.
Anyway the time is here now.
My first thought was to move to OPNSense because:
- It’s based off of pfSense so much of my configuration would be similar as long as I can navigate the differences in the GUI
- I had considered OPNSense back when I started using pfSense
But since I have to re-learn a new GUI anyway, I thought I might as well go for a Linux based firewall as I am more comfortable in Linux than in *BSD. So IPFire’s got that going for it.
So I am evaluating IPFire and OPNSense and checking out which one will be my next firewall. I think if either can satisfy my usage then it would likely be my next firewall. But the most important question would be:
- Can IPFire go the pfSense route? As in, can Lightning Wire pull a Netgate and either reserve features or worse close source on certain features?
My usage is basic. I have a single WAN with multiple VLANs trunked to the switch and eventually to an AP. I use the following 4 packages on pfSense:
- acme – for Let’s Encrypt Certs – I guess certbot can be used if the WebUI doesn’t have any options
- nut – for UPS integration – I know nut can be configured in any Linux, so I can probably do it via CLI if the WebUI doesn’t have any options.
- openvpn-client-export – for easy export of VPN server config – ??
- pfBlockerNg-Devel – Ad blocking and such – I might be able to replace this with a pi-hole LXC container on my Proxmox server. Ideas are welcome…
Does IPFire have a similar option for the openvpn-client-export?
Secondly, I have a VPN server and a VPN client. All my devices access the Internet via the paid VPN service, except my work laptop & my wife’s work laptop which access the Internet via the ISP. Can I have selective routing for various devices – maybe via device aliases or network aliases etc.? My VPN server is not being used currently – what with COVID and all – but I do intend to keep it running when I eventually go out of the house.
Thirdly, I have a 4 port Intel i340 card with the following networks – WAN, LAN, IOT, GUEST, WORK & CCTV apart from my VPNs. GUEST & WORK run off of LAN whereas IOT & CCTV run off of LAN2. Will I be able to set up the same networks on IPFire?
Fourthly, I use the DNS Resolver within pfSense and I don’t use any other DNS service. How would I set that up in IPFire?
Finally, some basic log information, SMART status of the disk etc & backup & restore of config files would be nice to have in the WebUI.
As you can see, my usage is extremely basic. I hope IPFire can support everything. I do intend to run it in a VM soon so I can take it for a spin before I commit to it on my current router hardware. I am already intrigued by a couple of features like the upgrade cache that I might be able to use for my various Archlinux boxes/VMs/Containers and the built-in IPS with Suricata. I never used it on pfSense, but if it’s available by default, then it would be fun to check it out.
My current pfSense runs on a J3355 SoC board with 4GB RAM and an attached Intel i340-T4 card. I also use a 2.5" PATA HDD that I salvaged from my circa 2000 laptop. The new firewall – whether IPFire or OPNSense – will eventually be installed on this machine.
PS: To the mods: I was not sure if this kind of post should go into Uncategorized or Getting Started, so if this is the wrong board, please feel free to move it.
PPS: Oh and sorry for the long-winded post!