Opnsense vs Pfsense ~ My own thoughts and concerns

Captions
Hey guys, The Network Berg, hope you're doing well. So this video we will be covering OPNsense versus pfSense. Now this is a bit of a weird video because I don't typically like to make versus videos, because they tend to cause divides in communities and, uh, people tend to start lashing out at each other, and I don't want that. I want you guys to please keep things civil. I don't want you to say which firewall is the better one or which firewall you need to use. At the end of the day, use whatever you are comfortable with and what you are happy with. If you are using pfSense and you're happy with it, continue using it; there's no reason for you not to use it. But I just want to bring up some of the points that I've discovered after researching both firewall vendors and both operating systems for a while, and I'd just like to post those findings here and see what you guys think about both of them. What do you think about OPNsense? What do you think about pfSense? Let's have a fruitful discussion. So let's get into the video.

[Music]

So I think the first thing I want to talk about is the key differences between pfSense and OPNsense in this long-standing battle between these two open source firewalls. Now I want to make a point of that word, open source, because both of them in theory are open source firewalls. So pfSense has the pfSense Community Edition, and then OPNsense similarly has its community edition. Now these are open source, meaning if you took the source code and you copied that onto a box and you started changing it and updating it yourself, you could in essence create what we call a fork, and that could be your own firewall. Now this is important to note because pfSense is actually just a fork of something that was known as m0n0wall. Now m0n0wall is just a precursor to pfSense. It worked kind of the same, it did the same function: it was a firewall with a nice GUI and you could change stuff and add firewall rules and do that, but it just wasn't, the, the people that created it
just, I don't know why, they couldn't maintain it anymore, but they quit the project, and then pfSense decided: hey, we're going to continue this project, we're going to fork it. They created their own copy of it, and then they started maintaining it and updating it themselves, and from there pfSense was born. Now again, this is important because OPNsense is born from pfSense; it's actually just a fork of pfSense. So the people that run OPNsense decided: hey, there's certain elements that we feel that we can do better, maybe it's updates, maybe some security patches, uh, we feel that it isn't consistently being done by pfSense, we would like to take up that mantle ourselves, we're going to create our own fork, copy, call it OPNsense. And that is how OPNsense was born. So they created a copy of pfSense, and pfSense again was just a copy of m0n0wall, so it's a bunch of copying, but in the development world I think this actually happens quite a lot when it comes to open source, so it's nothing weird.

But on the other side of the spectrum you have what we call proprietary software. Now what does that mean? Well, it means it's not open source. It means you can't just look at the source code and see what it's doing. It's basically encoded; we don't know what, what's in the source code, it's not freely available. And this is where stuff like pfSense Plus comes into play, because with the Community Edition you can change your firewall to a pfSense Plus subscription, which enables additional features and functions on your firewall, but it also changes your firewall from open source to become proprietary. So you can't just see all of the source code anymore; that means it's no longer open source. Now what is pfSense Plus, besides just adding the additional functions? It was actually created for businesses and enterprises, to give them the type of service level agreements, or SLAs, that they might need, and it also just gives pfSense a certain degree of control over the software, and just to make sure that
things function the way that they intended to function. Now this is a double-edged sword almost, because a lot of the community members have seen that pfSense will update stuff like their pfSense Plus software but they are not updating the Community Edition, so that has placed some doubt in a lot of people's minds, where they think: hey, pfSense has dropped Community Edition. Now I've spoken to some people at Netgate and they've also assured me they haven't dropped Community Edition, they will bring out a new Community Edition, and even on the pfSense website there is a roadmap for the new 2.7 Community Edition. So I'm pretty sure they will bring that out, but just something to take note of.

Now that doesn't mean OPNsense doesn't have a similar type of subscription model. They have what they call OPNsense for business, and it does the same function: it's there for businesses and enterprises and gives you a certain level of support. Uh, but the difference with OPNsense is you can consistently still see that OPNsense updates their open source software or code. They, they just keep it updated; there's always changes or security patches or stuff that comes in. So this is why you'll see a lot of people mention that OPNsense is consistently also just updating their software, which is a pro as well, but we'll talk about that a little bit later in the video again.

Now here's also some more additional information: both firewalls run off of FreeBSD. Now FreeBSD is just an operating system; think of this as Unix or Linux or Windows or something. It's just the back end where these firewalls run off of. But it's worth noting, and this is where I've watched the LTT video where they wanted to upgrade their device or the network to a 25 gig infrastructure, however their NIC on their server wasn't being picked up, and this was due to the version that pfSense was natively running just didn't support that NIC's drivers; it wasn't loaded on FreeBSD at that point in time, whereas OPNsense runs the latest version
of FreeBSD and those drivers were running off of that. So this is why LTT was able to then switch to OPNsense, and then that was able to pick up the NIC, and then they could use that 25 gig interface. Now with this it is important to note as well, pfSense actually has another appliance or software called TNSR, which is supposed to serve that routing functionality. Now this doesn't excuse them for running an older version of FreeBSD, but they definitely have something else for your routing or networking component.

I also want to drill down on this a bit, because I've seen other YouTubers also have issues with the FreeBSD drivers, where NICs aren't being picked up, or they might use something like a Realtek NIC and that just doesn't want to work at all. And a lot of the times the support that they receive, or the feedback they receive from Netgate, is: hey, it's not Intel, so we can't really support you, um, use something else, you know. And they say it's a FreeBSD limitation, it's not a pfSense limitation, so they don't really take any accountability for that, and they should, because they are choosing to run this off of FreeBSD, so at least ensure that you are running the latest version of FreeBSD. And I'm pretty sure after the LTT video they will start looking at upgrading the FreeBSD to 13.1 or something similar. I know there has been talk of them getting it to 13; I just haven't actually seen any implementation yet.

Now, OPNsense features. Now this slide is actually a little bit of a, I don't want to say a joke, because both firewalls pretty much do what the other firewall does. If I go to the next slide, where there's the pfSense features, I basically copied and pasted this, reason being they are both supposed to be like next generation firewalls. They are supposed to be able to do stuff like IPv4 and IPv6, they're supposed to do stateful firewall or stateful packet inspection, it's supposed to be multi-WAN, it does VPN, it does high availability, there is SD-WAN in the form of ZeroTier with OPNsense or, um, Tailscale with pfSense, you're supposed to have IPS, it does NAT, it does VLANs. Like, the whole list is here for you to read through, but I have placed a link at the bottom of both of the slides where you can look at the feature sets for both firewalls. But in essence they can both do what the other one does, so feature-wise you shouldn't have any issues. One big feature that I do think of now, um, is VXLAN actually, that OPNsense does which the pfSense does not do, but in that same breath where I mentioned pfSense has, or Netgate does, another appliance called TNSR, TNSR is supposed to do that role of VXLAN. So they're just kind of separating the network and firewalling components with different appliances. But this is the nice thing about the firewalls: if you really want, you can use either one if it's just for the features. But when it comes down to keeping stuff updated and modern and the latest builds and stuff, this is actually where OPNsense excels, because they always make sure that they have the latest current builds, almost.

All right, next slide is going to be a very difficult one, because this is going to be surrounding a bit of the controversies, uh, surrounding pfSense. Now I'm saying here I'm addressing the elephant in the room, and we need to talk about this, because a lot of the bigger YouTubers like NetworkChuck, David Bombal, Tom Lawrence, they say how wonderful pfSense is, and it is definitely a great firewall, but they don't mention any of the concerns that a lot of the people in the community can see. And the biggest concern that we've already brushed up on is the community concern regarding the Community Edition, because if you look at stuff like the release schedule and patch notes, you don't really see anything happening with the Community Edition. It's been stagnating, it's just been sitting there the same way it's been sitting for the last, since release I think, whereas you can still see that pfSense is consistently updating the pfSense
Plus stuff, the proprietary stuff. So it gives the appearance to the community, and to me as a user, that the Community Edition is on the back burner, it's not something that they really are actively looking at supporting. So if you really want that additional support or updates, then you typically need to switch to pfSense Plus, but that also means that you're no longer using this as an open source firewall; you're now basically signing yourself to pfSense and using their proprietary software, which you have no control over, you can't see anything.

Next bit is, and this was super scary to me, and I'm wondering how I can go about describing this without making any scenes, because I don't want people to get upset or, you know, harass any company or anybody. But if you look at the Wikipedia page that I listed, which is pfSense Wikipedia, this is how Wikipedia sees pfSense: they were utilizing trademarks in bad faith. Now what does that mean? Well, in essence they had a domain registered which had the same naming convention as a competitor, and on this website there was a bunch of stuff that was disgusting actually. There was videos of things, there was descriptions of the firewall vendor, there were photos of the developers on the website, and you can use the Wayback Machine to go and look at the site and see what, what was done. But it was all about reputational damage, and to me it's absurd that you would go to that step or stage if you are also, in essence, let's say guilty of doing the same thing. You also just created a fork of another firewall, and now somebody forks your source code and then you get upset at them and you do something as childish as that. That's not acceptable to me. It was on the level of bordering the early 2010s trolling, it's, it's like the people from 4chan were trolling, and it's not nice. It's definitely not a good thing for a business to be doing, and I feel like that is something that a lot of people just throw on the wayside, and it shouldn't, it should not be forgotten that a
competitor was treated like that, and I'm still disgusted. I, I don't know really how to talk about it differently. I know pfSense has done a lot of steps in changing how they approach their competitors, and they've also, basically, they had to give up the domain name that was associated with the competitor so that, um, you know, there was no more trouble. But let's just face it, the damage was already done. If I was a new user and I was searching OPNsense and I got to that web page, you know, I would probably be scared off and I wouldn't use the software. So it's definitely one of the wildest things I've seen in recent memory when it comes to open source firewalls, and I hope I never see something like that again.

And then the last big point of controversy is WireGuard. So in 2020 Netgate actually got somebody to develop WireGuard for pfSense, and that is actually something to be commended for. That is a great initiative on their part; I actually think it is awesome that they try to get WireGuard running. The only issue is, when the dev that was working on the code basically submitted it to be implemented for FreeBSD and pfSense, um, it got the go-ahead and it actually made it to pfSense, but the people that actually run WireGuard, when they looked at the code, it scared them to their soul, because it was full of bad code. There were vulnerabilities, there was code that didn't need to be there, there was a bunch of sleep states to fix things that shouldn't have been needing that to be fixed, and it just caused a huge mess for the open source community, up to a point where WireGuard had to be pulled off of pfSense. They got rid of it, they killed it, they, they didn't want to use it anymore, um, and it only came back to pfSense and FreeBSD like a year later. And I mean, that did a lot of reputational damage in my opinion, and it shouldn't have gone to that point. I do think Netgate also learned the lesson from that, and they most likely, if they do endeavor to develop anything new like that, like a new
package, then they will most likely speak to the people like WireGuard and ensure that everything is fine from the beginning, so that they don't run into issues like that again. But it's still a big controversy and something that just won't fade away; it's going to be remembered.

All right, so let's talk about some strong points, and I'm not going to bring up any bad points or weak points, because I think both firewalls, like I said, do what the other one does. But here are some of the strong points of OPNsense that I can definitely pick up, and the first thing is the consistent updates. If you look at the OPNsense Twitter, it's almost weekly you'll see they'll be talking about a patch day coming, and you know when the patch is going to be arriving so that you can update your OPNsense firewall for the latest security patches or additional features, and they even have a nice roadmap to show exactly what they're planning and what's going to be coming out, and that's really cool to see. So there's always consistent updates; it's almost bi-weekly or monthly you will at least see a new update for OPNsense. And second point, they do lead with innovations and new technologies, so stuff like the VXLAN, ZeroTier, extra packages of stuff that you know you want but it's not there, like OPNsense typically leads with that. They bring these new extended features into the firewall for us to use and enjoy, and that's really something that they shine with, so I love that about OPNsense. And now the last point: it is also the open source successor of m0n0wall. One of the big guys of m0n0, one of the creators of m0n0wall, actually made a statement and said: hey guys, uh, thank you for the support for m0n0wall, if you are a m0n0wall user I highly encourage you to use OPNsense. So if the guy that made m0n0wall, you know, the people that came before pfSense and pfSense copied, is telling you to go for OPNsense, then that is actually saying something. That's actually a huge, huge, um, honor almost, for the, the
guy that made m0n0wall to say, hey, go for OPNsense. I think that is so cool.

But on the flip side, pfSense has a massive, or a large, community, and I'm not even joking: if you look at the subreddits, the pfSense subreddit is almost 100,000 members in size, whereas the OPNsense subreddit is something like 5,000. So there's definitely more people that are aware of pfSense and that work with pfSense and have actively been using it over the years. So there's definitely the argument that if you ever run into any issues, you can maybe reach out to somebody on the Reddit or forums or on Facebook or wherever, and you're more likely to have somebody that has a similar issue, and then they can point in the right direction of how to fix that issue. So that is a huge bonus point for pfSense: it's got a massive community. And also the accessibility is there. Even though both firewalls function roughly the same and you can figure them both out the same way, uh, pfSense definitely is more accessible just due to the volumes of how-to guides and stuff that's available on the internet. This is from just written blog articles to actual YouTube videos. Like I mentioned, Tom from Lawrence Systems has a ton of videos, awesome videos, on pfSense showing you how to configure everything. I've even made a couple of videos on pfSense. So the accessibility is there, where people can actually show you how to get into the firewall and ease you into the process of learning it, so the learning curve isn't as steep as, uh, something like OPNsense. But since both of them work the same in principle, you can also kind of apply what you see in a how-to video for pfSense onto something like OPNsense.

All right, so this is going to wrap up the presentation side. Let's actually jump into the firewall so I can show you what they look like and what they're doing.

All right, so I'm logged onto my OPNsense firewall, and as you can see it looks pretty good, but this is with additional tweaking that has been done. I have added additional
widgets, I've added additional columns and I've changed the theme. I actually downloaded a plugin for a different theme, and this is the result of that. But in essence your firewall will work the same: you will have a dashboard, and from the dashboard you can navigate onto different types of spaces or configuration objects, let's say. And what I enjoy about OPNsense is it's got this arrow that you can click on, and you can either have this menu where you can click on the objects to go into something, or you can just have the arrow this way, which I like because this looks a little bit neater, and if you hover over any object you can just hover over the next object and then you can see if there's any additional configuration that you can do. And as you can see, OPNsense gives you stuff like reporting, system, different interfaces you can set up, obviously the firewall, which is huge. The routing is added as an additional plug-in via the FRR package. It does this, it's the same with pfSense, you also download the FRR package for that. You have your different VPNs that you can set up, and also ZeroTier is also an additional package or plug-in that you need to install; it's not just here by default. Um, same for WireGuard. By default you only have IPsec and OpenVPN with your OPNsense firewall; other than that it's additional plugins. And then we've got stuff like our services, power and, very important, help. So from here you can get your documentation, and then there will be various different recipes and documentation of how to fix issues on your firewall or configure certain things, just so that you can do whatever you want to do on your firewall.

Now I just want to also navigate to the System, Firmware, and then from here I just want to go into the Plugins, because as I mentioned there is a large scope of different plugins that you can install to do whatever you maybe want to do. If you just scroll down here you can see there's stuff like the OpenConnect is here, the Zabbix is here for the monitoring,
lots of different cool things, like extra themes if you want to. And it's, again, this isn't just for OPNsense; pfSense also has a package manager where you can install different things, but it's nice to see that you have this option. But what I like is when you go to your Status you can check for updates, and then if there aren't any new updates it will just tell you what the update is, you can download the new update. Uh, let me see if I can go to the change log, because this is really cool. The change log will obviously tell you what stuff has changed, so if I just scroll through here quickly, you can almost see that almost every month there has been a new patch that came out. As you can see, this is from January this year, so January, February, March, March, March, April, April, May, May. This is so cool. So you can see how consistent they are with updating, and what's nice, you can look at the change log, you can just click on this little file or this little book and it tells you exactly what the changes are, what they fixed, anything that they've actually made additional here, and it'll even tell you FreeBSD has been updated, and that is so cool. So this is just a generic view of the OPNsense firewall.

Let's quickly have a look at our pfSense firewall. So for that I'll just go into this Windows VM, and here I've got pfSense running, and it's typically the same thing: you log in, you get prompted into your dashboard, and from your dashboard you will have various widgets that you can see, and then you can check what the widgets are doing. It will give you stuff like device information or system information if you have that widget. Um, and the difference with pfSense is it doesn't have this dashboard setting here where you can click on the arrows and have everything on the left hand on the panel; it's just here at the top. But this is fine as well, I also actually like how this looks. So you can just click on any of these objects for a drop-down menu and it will tell you exactly where it's going to take you.
So you've got your System, your Interfaces, your Firewall, Services, VPN, and just like OPNsense, the Tailscale. Where OPNsense uses ZeroTier, here it's Tailscale for pfSense, which is just an additional package that was installed. We have Statuses, Diagnostics and, the important, the Help. Help is always so important, because help will allow you to just get onto the documentation quickly and then you can figure out what is going on or how to set up any configuration object. Now as you can see, Netgate actually has quite a beefy library. If I go into my, uh, software documentation for pfSense, you'll definitely see there's a lot of different, uh, sections you can go into, and just help you with whatever you're trying to set up or configure, which is quite nice.

Now let's also just have a look at its plugin manager, or package manager. So you can go to the System, Package Manager, and here you should be able to see any packages that have been installed, or you can look at the available packages and just download whatever package you fancy. You can also just search for a package through this nifty search bar. But I'd like to maybe see the update, so if I go System, Update, and this is kind of like the downside of why the people are so confused with Community Edition, because this is version 2.6.0, which is, um, what I just downloaded off of their site, and this is the same version from release, and it's the latest version, you know. So let's go on to the pfSense website quickly, I think it's pfsense.org or dot com, one of the two. There, this opened. Let's go Download. So if I download here you can see version 2.6.0, that's the latest build. And let's go back to the documentation, because I actually want to have a look at the release. There we go, let's see the release history. So here we can see that's pfSense Plus software, and then even though pfSense Plus had one additional update, you know, there was only one release at the February and then another release later, or in the middle of the year. And here we can see the
pfSense CE software: there was only one build of 2.6.0 that released in February, and that's been it. And then if I go back to my Ubuntu VM quickly, go to the OPNsense docs, let's look at its releases. Here we can see there's different types of builds, like the Observant Owl is the previous or the older build, and then we have the new build for the Powerful Panther. Um, so if we just click on that we can actually see all the changes that were made, and if we scroll down it's like giving you a ton of information of exactly what was changed. But this is kind of just like clicking on that little book to tell you, uh, what the updates were, but there's definitely a bit more of a change log on here. Similarly, if I do this and go on to forum.opnsense.org, and let's go forum.pfsense.org, if I look here and I look at the announcements, you can definitely see that the community edition for OPNsense again almost has a new announcement every week or second week or so, just explaining what's changing, and then you can just get those updates. Whereas Netgate, if we go into the pfSense software, we go into their announcements, announcements are very few and in between. So this is why a lot of people will tell you, if you want the latest and greatest then you'll go for OPNsense.

Right, so this is where I want to end off the video and just give my thoughts on both firewalls, since I had a lot of time, I had months to play with both of them actually. And I must say I enjoy both of them. I think both firewalls are decent pieces of software, and hardware if you get the hardware. Um, I think there's a little bit, it's a little cheaper to get a Netgate than an OPNsense 10, but the software, it's pretty much, um, on par. It's just that OPNsense is definitely more driven to be current and cutting edge, which is something that I prefer, because I like having the latest builds and making sure that I have the latest security patches, that I'm not vulnerable to some type of exploit, and also just to make sure that I can deploy stuff
like the ZeroTier, VXLAN as they come out. Um, so that's really nice for me about OPNsense. That's why I'm, I actually made a post and said this is my open source firewall of choice, because it resonates with me a bit more. But don't let me tell you that you can't use pfSense, because pfSense is really just as good. It can do basically everything OPNsense can't do; it's just not as current with all of the updates. And obviously there's a bit of controversy surrounding pfSense that I feel like needed to be just brought up again, because it, it, the, you know, it's almost like a Game of Thrones reference, that the good doesn't wash away the bad. Even though they do a lot of good, like, they need to also be accountable for the stuff that they have done in the past, and then they need to just keep working forward with that with the community, and they need to show the community that they are going to keep Community Edition as something that they want, they're not just going to get rid of it, that they are going to make sure that people still get the support that they need. And then I really think that pfSense is still fine. There's no reason not to use pfSense; if you are using it and you've enjoyed it, continue using it. There, there's really no reason for you to switch firewalls. But again, I think OPNsense is doing an amazing job and I'd like to see more from them. So this is me signing out. Thank you for watching the video and I'll catch you guys in the next one. Bye.
Info
Channel: The Network Berg
Views: 56,911
Keywords: #OPNsense, #Open-Source, #pfSense, pfsense installation and configuration, vyos
Id: Of0Zp8h258g
Length: 29min 15sec (1755 seconds)
Published: Mon Aug 22 2022