So I’ve been using OPNsense for a few years. I have an extensive config including VLANs, plugins, policies, Suricata, VPN, routes, gateways, HAProxy, etc.

Over the past few months, I’ve noticed certain bugs, weirdness, and slowness within OPNsense. I recently watched Tom Lawrence’s video on the licensing changes and he touched on the openssl vulnerability that OPNsense has yet to remediate.

The Plus license cost (per year), which entitles you to some limited support options, is also appealing. Every time I get stuck figuring out something complex in OPNsense, I have to hope someone else has tried to do the same thing and posted about it so I can troubleshoot.

I also don’t like having to constantly update. A more “stable”/enterprise focused cycle like pfSense has seems like my pace. It broke on me last year with one of the upgrades and I had to clean install.

Don’t get me wrong, I love the UI (mostly), plugins, etc. in OPNsense, but these past few months have got me thinking.

I’ve also heard that people don’t like Netgate as a company, so that could definitely factor into not switching.

What are everyone’s thoughts?

  • lkarlslund@alien.topB
    1 year ago

    Yes. Most go from pfsense to opnsense, including myself.

    No one is forcing you to install updates, just skip them if you think that’s better for you, but many are security related.

    • SamSausages@alien.topB
      1 year ago

      That sounds easy enough, but it creates a situation where I don’t know what updates are important (security) and what updates are minor. So I have to read the release notes for each update and then decide if I need it to patch a security vulnerability.
      Where with the other method, I know the update is likely critical.
      For some those frequent updates are a +, for me it is not. So use what works best for you!

      But right now I couldn’t use OPNsense even if I wanted to, as it’s FIPS non-compliant due to them still using the deprecated EOL OpenSSH 1.1.1, and no date set to move to v3.