What is your goto opensource firewall? I'm looking for something with a nice UI for a small home network. pfSense is something I used before but I don't remember it being very pretty.
Go with either pfSense or OPNsense. pfSense has had some issues with their plans to go pseudo-closed-source/commercial, with the community-supported edition becoming an afterthought. As a result, OPNsense is gaining a fair bit of traction. Both are quite similar usability-wise, but it takes some getting used to the menus/UI depending on what you were previously familiar with. Either way, you can't go wrong with it. The GUIs and status/dashboard/overview are pretty usable and quite informative.
iptables is great if your needs are simple, but if you want any sort of (multi-WAN) failover, load balancing, or VLANs and isolation of that sort, things can become a little tedious to script and put in place from scratch.
+1 for OPNsense if you just need to turn a PC into a router & firewall. In a professional/business setting I'd suggest pfSense due to Netgate's backing of it (which means commercial support and things of that nature), though you do need to spend extra cash on higher-end hardware that meets the minimum requirements (such as supporting cryptographic acceleration via hardware, usually through Intel's AES-NI or similar) compared to OPNsense, which is much more like "old" pfSense in that it'll run on just about anything from the last 15 years unless you're really trying to push throughput through it (1Gbps+). I should note that having AES-NI on OPNsense is a good idea as well, because it will significantly speed up VPN performance and offload some work from the CPU, but it is not a strict requirement, whereas it's required (last I checked) on pfSense.
@vish said:
Anyone ever use one of these, or has experience with it? I know it is not open source, but I'm curious.
[image: EdgeRouter X]
I considered this model but ended up deciding on pfSense because it's more feature-rich. If you just want a simple solution that works it seems to fit the bill, but for me it lacks some key features like OpenVPN.
I like the community around OPN more than that around PFS, but functionally they're very similar. PFS acquiesced on dropping support for non-AES-NI CPUs. ERX is cheap and functional as a fw but not terribly powerful as a router, as others have said. OPN/PFS on most commodity hardware can firewall gigabit, even with VPN, but may struggle with Suricata depending on the ruleset. If you need to firewall 10G, VyOS with DPDK is probably the move.
pfSense and OPNsense with CARP are being used in production for a lot of projects I work on. That said, you won't go wrong with either of them; the UI is much better these days. And both communities will respond better and quicker than paid support unless you pay six figures.
@vish said:
Anyone ever use one of these, or has experience with it? I know it is not open source, but I'm curious.
I've had a few people use them. They work well but are more routers and less firewalls. The firewall features on them are pretty bare-bones.
I'm running zone firewalls and conditionally applying route tables based on network. EdgeOS is very capable from the CLI.
Does EdgeOS utilize parts of the regular Linux userland, or is it just Linux kernel with their own OS/commands for everything (like MikroTik's RouterOS, which I'm familiar with)?
There's a Debian userland. You can enable apt repos and install stuff. I run HAProxy on mine.
Comments
ufw/iptables on cloud stuff, openwrt on home FW
People overestimate their needs on FW, frankly. iptables rules cover most use cases, which basically any FW distro will cover.
VyOS (no nice UI I'm afraid)
Contribute your idling VPS/dedi (link), Android (link) or iOS (link) devices to medical research
CSF - manually set up the GUI.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
I'm using OPNsense on three locations, pretty happy with it after running for 1 1/2 years.
PfSense > OPNsense > IPFire
If you want something with a simpler GUI (but fewer features), OpenWRT also runs on x86: https://openwrt.org/docs/guide-user/installation/openwrt_x86
Cheap dedis are my drug, and I'm too far gone to turn back.
Straight up Alpine Linux + Awall
The all seeing eye sees everything...
Is that still developed? I liked it at first and used it, but then faced problems with Docker.
Looks like last build date was in September 2021, so it's still developed.
CSF is not open source; it is, however, freeware.
Indeed. My bad.
iptables is legacy; we should migrate to nftables eventually! iptables will eventually be deleted, like ipchains before it.
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
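The two points the thread keeps circling back to are that segmentation (a separate VLAN for untrusted devices) is what makes hand-written rulesets tedious, and that nftables is the successor to iptables. The ruleset below is an added example written for this page, not taken from any post here or from any firewall distribution. It assumes a small home router with one WAN uplink (eth0), a trusted LAN (eth1, 192.168.10.0/24) and an IoT VLAN (eth1.20, 192.168.20.0/24); all of those interface names and subnets are assumptions chosen for illustration. It implements stateful default-deny, one-way isolation (LAN may initiate toward IoT, IoT may not initiate toward LAN) and NAT. Multi-WAN failover, which the same post mentions, is a policy-routing concern (routing tables and `ip rule`) layered on top of this and is deliberately not shown.

```nft
#!/usr/sbin/nft -f
# Added example: nftables ruleset for a small home router.
# Interface names and subnets below are assumptions for illustration only.
#   eth0     = WAN uplink (address from the ISP)
#   eth1     = trusted LAN, 192.168.10.0/24
#   eth1.20  = IoT VLAN 20, 192.168.20.0/24
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define IOT = "eth1.20"
define LAN_NET = 192.168.10.0/24
define IOT_NET = 192.168.20.0/24

table inet filter {
    chain input {
        # traffic addressed to the router itself: default deny
        type filter hook input priority filter; policy drop;

        # allow replies to flows the router started; drop what conntrack cannot classify
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # management (SSH, web UI) only from the trusted LAN
        iifname $LAN tcp dport { 22, 443 } accept

        # DNS and DHCP served to both internal networks
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept

        # anything else from WAN or IoT aimed at the router falls to the drop policy
    }

    chain forward {
        # traffic routed between networks: default deny
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # trusted LAN may reach the Internet and may initiate connections to IoT devices
        iifname $LAN oifname { $WAN, $IOT } accept

        # IoT may reach the Internet only; attempts toward the LAN are counted, logged and dropped
        iifname $IOT oifname $WAN accept
        iifname $IOT oifname $LAN counter log prefix "iot-to-lan drop: " drop
    }
}

table ip nat {
    chain postrouting {
        # source NAT for both internal networks leaving via the WAN uplink
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr { $LAN_NET, $IOT_NET } masquerade
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it with `nft -f`; the `-c` flag parses and validates without touching the live ruleset, so a typo does not leave the router with a half-applied policy. The logged `iot-to-lan drop:` lines are the useful detection signal here: a device on the IoT VLAN probing the trusted LAN shows up in the kernel log without any extra tooling.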
Once Docker and k8s start using nft, then it will happen fast.