OPNsense Discussions

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
While I endeavor into proxmox/openwrt, happened to come across this optimization rant on abysmal stock performance on OPNsense, happy tweaking ;)

I believe you do not need much tweaking once OPNSense is upgraded to use FreeBSD 14.0 (similar to pfSense CE 2.7).

Usually pfSense is a bit conservative in terms of FreeBSD version they are using, but with the latest CE 2.7 (and pfSense Plus), they are getting more aggressive by going to FreeBSD 14.0 Current, unlike OPNsense which is still using FreeBSD 13.2 Release.

But then it is the easiest with OpenWRT as it is based on Linux, the HW support is much better compared to FreeBSD based pfSense/OPNsense, even though FreeBSD has excellent Firewall implementation.

Even Netgate (the company behind pfSense and a strong supporter of FreeBSD) has the Linux based TNSR which has higher performance than pfSense.
https://www.netgate.com/tnsr-vs-pfsense-software

Similarly iXsystems (the company behind TrueNAS CORE, one of the strongest supporters of FreeBSD development) has Linux based TrueNAS SCALE, which is catching up with TrueNAS CORE.
https://www.truenas.com/compare/
 

ss2000

Member
Joined
Oct 30, 2007
Messages
154
Reaction score
50
I’m very curious why people use these software like openwrt, OPNsense and pfsense.

I mean routers are stuff that we set and forget, unlike Windows and MacOS that we constantly need to upgrade so that we can run other programmes on them. These OS we use everyday but the router OS we don’t. I look at Synology NAS, my Linksys and Nokia routers gateways and they look ok. I saw the Asus one which has many more settings than the Linksys one.

It takes effort to learn these network OS especially those that use command line 🤦🏻‍♂️. I’m wondering if the effort is worth it. Not criticising anyone; just genuinely curious.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
I’m very curious why people use these software like openwrt, OPNsense and pfsense.

I mean routers are stuff that we set and forget, unlike Windows and MacOS that we constantly need to upgrade so that we can run other programmes on them. These OS we use everyday but the router OS we don’t. I look at Synology NAS, my Linksys and Nokia routers gateways and they look ok. I saw the Asus one which has many more settings than the Linksys one.

It takes effort to learn these network OS especially those that use command line 🤦🏻‍♂️. I’m wondering if the effort is worth it. Not criticising anyone; just genuinely curious.

Router is an important part of your home network.

If you care about home network security, then you may not want to just "set and forget". You are using your router OS 24/7 (unless you shut down your router).

The average consumer router is an all-in-one device, with so-so security features.

And your Linksys router will not have FW updates after a few years. OpenWRT can be a good upgrade if your router supports OpenWRT. pfSense/OPNsense are much better in terms of Firewall capability.
 

ss2000

Member
Joined
Oct 30, 2007
Messages
154
Reaction score
50
Router is an important part of your home network.

If you care about home network security, then you may not want to just "set and forget". You are using your router OS 24/7 (unless you shut down your router).

The average consumer router is an all-in-one device, with so-so security features.

And your Linksys router will not have FW updates after a few years. OpenWRT can be a good upgrade if your router supports OpenWRT. pfSense/OPNsense are much better in terms of Firewall capability.

My Linksys AC2600 EA8100 FW is at version 1 and openwrt does support it but it’s also at version 1. I suppose both are dead ends now. Is the firewall that bad with the standard router OS provided? I’m thinking for the average consumer they shouldn’t have to worry so much about security when using the original router OS? There should be minimum protection?
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
My Linksys AC2600 EA8100 FW is at version 1 and openwrt does support it but it’s also at version 1. I suppose both are dead ends now. Is the firewall that bad with the standard router OS provided? I’m thinking for the average consumer they shouldn’t have to worry so much about security when using the original router OS? There should be minimum protection?

OpenWRT on EA8100 v1 is still very up to date. It is supported by the latest OpenWRT 23.05 version.

If you are using stock Linksys OS, you should actually upgrade to a different model now as you do not get any new security updates.

You can probably live with a consumer router if it is still supported and you are not so worried about security.

Asus is quite a bit better compared to Linksys by providing long term FW updates. It also has more advanced security features like AiProtection. Still it cannot be compared to pfSense/OPNsense.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
Singtel starts to roll out native IPv6 (dual stack).

I am able to get it working under OPNsense after inserting a new UUID DUID.
Interfaces -- Settings -- IPv6 DHCP --> Insert a new UUID DUID (LL DUID also works)

WAN settings:
WlMJSde.png


YmMNOoe.png


LAN settings
iPYI8xm.png


lt1VMED.png
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
I still need to learn to set up prefix delegation on the LAN side so that next level of router can have working IPv6 as well.

Reference:
https://forum.opnsense.org/index.php?topic=31076.0

OPNsense router (/56 from WAN) -- LAN and LAN 2 -- /62 to the nodes -- Asus RT-AX82U.

Not working yet --> RT-AX82U (router mode) client got IPv6 address but cannot access internet through IPv6.

8vME7nL.png


4Rsu0ZB.png
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
If I set up the RT-AX82U as an AP, then the wireless client of RT-AX82U works fine with IPv6.

Code:
PS C:\work> ping ipv6.google.com

Pinging ipv6.l.google.com [2404:6800:4003:c01::65] with 32 bytes of data:
Reply from 2404:6800:4003:c01::65: time=5ms
Reply from 2404:6800:4003:c01::65: time=6ms
Reply from 2404:6800:4003:c01::65: time=6ms
Reply from 2404:6800:4003:c01::65: time=5ms

Ping statistics for 2404:6800:4003:c01::65:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 6ms, Average = 5ms

PS C:\work> ping -6 www.gov.sg

Pinging www.gov.sg [2600:1413:1:591::12a1] with 32 bytes of data:
Reply from 2600:1413:1:591::12a1: time=183ms
Reply from 2600:1413:1:591::12a1: time=185ms
Reply from 2600:1413:1:591::12a1: time=193ms
Reply from 2600:1413:1:591::12a1: time=234ms

Ping statistics for 2600:1413:1:591::12a1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 183ms, Maximum = 234ms, Average = 198ms

PS C:\work> ping -6 www.singtel.com
Ping request could not find host www.singtel.com. Please check the name and try again.

PS C:\work> ping -6 www.singnet.com

Pinging www.singnet.aws.singtel.com [2600:9000:2003:a00:13:5c27:e900:93a1] with 32 bytes of data:
Reply from 2600:9000:2003:a00:13:5c27:e900:93a1: time=5ms
Reply from 2600:9000:2003:a00:13:5c27:e900:93a1: time=7ms
Reply from 2600:9000:2003:a00:13:5c27:e900:93a1: time=6ms
Reply from 2600:9000:2003:a00:13:5c27:e900:93a1: time=7ms

Ping statistics for 2600:9000:2003:a00:13:5c27:e900:93a1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 7ms, Average = 6ms

PS C:\work> ping -6 www.m1.com

Pinging www.m1.com [2620:12a:8000::3] with 32 bytes of data:
Reply from 2620:12a:8000::3: time=4ms
Reply from 2620:12a:8000::3: time=6ms
Reply from 2620:12a:8000::3: time=7ms
Reply from 2620:12a:8000::3: time=8ms

Ping statistics for 2620:12a:8000::3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 8ms, Average = 6ms

PS C:\work> ping -6 www.starhub.com
Ping request could not find host www.starhub.com. Please check the name and try again.

PS C:\work> ping -6 www.myrepublic.com.sg

Pinging www.myrepublic.com.sg [2606:4700::6811:1962] with 32 bytes of data:
Reply from 2606:4700::6811:1962: time=46ms
Reply from 2606:4700::6811:1962: time=40ms
Reply from 2606:4700::6811:1962: time=42ms
Reply from 2606:4700::6811:1962: time=42ms

Ping statistics for 2606:4700::6811:1962:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 46ms, Average = 42ms
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
I still need to learn to set up prefix delegation on the LAN side so that next level of router can have working IPv6 as well.

Reference:
https://forum.opnsense.org/index.php?topic=31076.0

OPNsense router (/56 from WAN) -- LAN and LAN 2 -- /62 to the nodes -- Asus RT-AX82U.

Not working yet --> RT-AX82U (router mode) client got IPv6 address but cannot access internet through IPv6.

8vME7nL.png


4Rsu0ZB.png

Not so sure if I need to change RA settings.

K7Pyva4.png


8ZRTmRM.png
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
Singtel starts to roll out native IPv6 (dual stack).

I am able to get it working under OPNsense after inserting a new UUID DUID.
Interfaces -- Settings -- IPv6 DHCP --> Insert a new UUID DUID

This is the screenshot for reference. I set it to Debug since I could not get it to work initially (no WAN IPv6 address)
KZ7nKHm.png
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
Unfortunately somehow IPv6 stopped working on my OPNsense/pfSense/OpenWRT Virtual routers. It seems to be a Singtel issue. After all, Singtel just started the deployment and the backend may not be so stable yet.

Singtel 6rd IPv6 is still working. For Singtel 6rd IPv6 settings, OPNsense is more or less the same as pfSense.

WAN:
rLx6UJU.png


LAN:
UnqSkdb.png



DHCPv6 for LAN:
oxwNd4Q.png


RA for LAN
gHpZ9kV.png
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
I still need to learn to set up prefix delegation on the LAN side so that next level of router can have working IPv6 as well.

Reference:
https://forum.opnsense.org/index.php?topic=31076.0

OPNsense router (/56 from WAN) -- LAN and LAN 2 -- /62 to the nodes -- Asus RT-AX82U.

Not working yet --> RT-AX82U (router mode) client got IPv6 address but cannot access internet through IPv6.

8vME7nL.png


4Rsu0ZB.png

Today OPNsense DHCPv6 works again.
WAN and LAN settings mentioned before.
https://forums.hardwarezone.com.sg/threads/opnsense-discussions.6943166/page-3#post-150259870

It seems to me that the above mentioned OPNsense prefix delegation issue to a subrouter is the same as what @Mach3.2 mentioned when using Track WAN Interface for LAN under pfSense.

I think it's one of those pfsense peculiarities. They seem to hard code a /64 if you select the IPv6 config type to track interface with no way of changing it to a prefix length shorter than /64.
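
The address arithmetic behind the /56, /62 and /64 sizes discussed in these posts, as an added example that is not part of the original thread: a /62 holds four /64 networks, a /64 holds only one. The prefix 2001:db8:aa00::/56 is a documentation placeholder, and the function names and prefix-ID values are assumptions made for illustration.

```python
import ipaddress

def plan(delegated, lan_ids, pool_start_id, pd_len, pd_count):
    """Split an ISP-delegated prefix into /64 LANs and a downstream PD pool.

    lan_ids       -- /64 index ("prefix ID") used by each local interface
    pool_start_id -- /64 index where the pool for sub-routers begins
    pd_len        -- prefix length handed to each sub-router (62 in the thread)
    """
    net = ipaddress.IPv6Network(delegated)
    if not net.prefixlen < pd_len <= 64:
        raise ValueError("sub-delegation must be longer than the WAN prefix, at most /64")
    total_64s = 2 ** (64 - net.prefixlen)   # a /56 contains 256 /64s
    per_pd = 2 ** (64 - pd_len)             # a /62 contains 4, a /64 contains 1
    if pool_start_id % per_pd:
        raise ValueError("pool start is not aligned to the delegation size")
    if pool_start_id + per_pd * pd_count > total_64s:
        raise ValueError("pool runs past the end of the delegated prefix")
    if any(not 0 <= i < total_64s for i in lan_ids):
        raise ValueError("LAN prefix ID outside the delegated prefix")
    base = int(net.network_address)

    def sub(idx, length):
        # The /64 index occupies the bits just above the 64-bit interface ID.
        return ipaddress.IPv6Network((base + (idx << 64), length))

    lans = {i: sub(i, 64) for i in lan_ids}
    pool = [sub(pool_start_id + k * per_pd, pd_len) for k in range(pd_count)]
    for lan in lans.values():
        for pd in pool:
            if lan.subnet_of(pd):
                raise ValueError(f"{lan} is inside delegated {pd}")
    return lans, pool

def usable_64s(prefix):
    """Number of /64 networks a router can carve out of the prefix it was given."""
    return len(list(ipaddress.IPv6Network(prefix).subnets(new_prefix=64)))

if __name__ == "__main__":
    lans, pool = plan("2001:db8:aa00::/56", [0, 1], 4, 62, 2)
    print("LANs:", *lans.values())
    for pd in pool:
        print("delegate", pd, "->", usable_64s(str(pd)), "x /64 for the sub-router")
```
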
 

gpgtmeowmeow

Member
Joined
Nov 4, 2022
Messages
135
Reaction score
80
Just reinstalled 23.7 with zfs. (It'll say no disk selected on the installer, I think you need to select the disks you want and hit spacebar)

Was unable to update packages and facing weird reboots. Seems like filesystem corruptions with ufs previously.

Will recommend zfs for new installs.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
For those who want to play with OPNsense and home networking but without disturbing the main network, it is good to get a mini PC and then install Proxmox VE and then install OPNsense VM on top along with some Linux containers and Linux VMs.

One Youtube video guide from Tailscale:
A Homelabbers Networking Playground with Opnsense, Proxmox, VLANs and Tailscale
 

chromeIT

Member
Joined
Mar 17, 2019
Messages
101
Reaction score
26
My N100 from Cwwk Taobao should be coming in today, will report back my initial setup. Planning to offload adblock from my server to the N100 router running alongside unbound dns. Still trying to figure out should I go for opnsense or pfsense...
 

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,064
Reaction score
3,204
My N100 from Cwwk Taobao should be coming in today, will report back my initial setup. Planning to offload adblock from my server to the N100 router running alongside unbound dns. Still trying to figure out should I go for opnsense or pfsense...

Or even better, dive into virtualization first and then go flexibility path for softrouters on opnsense, pfsense or others.

BeenThereDoneThat: Virtualized m0n0wall (forefather of pfsense/OPNsense, my shameless plug showcase: https://m0n0.ch/wall/gallery/315.jpg ) > pfsense > sophos utm , and now on PROXMOX/OpenWRT :grin:
 

gpgtmeowmeow

Member
Joined
Nov 4, 2022
Messages
135
Reaction score
80
My N100 from Cwwk Taobao should be coming in today, will report back my initial setup. Planning to offload adblock from my server to the N100 router running alongside unbound dns. Still trying to figure out should I go for opnsense or pfsense...

OPNsense, since you're in this thread.

You can indeed run the adblock using only unbound. It accepts external sources, am using Hagezi - https://github.com/hagezi/dns-blocklists

Then just set a cronjob to update the blocklist
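
A sketch of the conversion step such a cron job would run, as an added example that is not part of the original post and not OPNsense's own code: it turns a downloaded domain list into Unbound `local-zone` lines and rejects malformed entries, since the list is external input that ends up inside the resolver configuration. The function names, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re

# One DNS label: a-z, 0-9, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # hosts-file sink addresses

def parse_domain(line):
    """Return a validated, lower-cased domain from one list line, else None."""
    fields = line.split("#", 1)[0].strip().lower().split()
    if len(fields) == 2 and fields[0] in SINK_IPS:
        name = fields[1]            # hosts format: "<sink ip> <domain>"
    elif len(fields) == 1:
        name = fields[0]            # plain format: "<domain>"
    else:
        return None
    name = name.rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    return name if all(LABEL.fullmatch(l) for l in labels) else None

def build_unbound_conf(lines, allowlist=()):
    """Return (config text, rejected lines) for a list of blocklist lines."""
    allowed = {a.lower().rstrip(".") for a in allowlist}
    domains, rejected = set(), []
    for raw in lines:
        name = parse_domain(raw)
        if name is None:
            if raw.split("#", 1)[0].strip():   # not just a comment or blank
                rejected.append(raw)
        elif name not in allowed:
            domains.add(name)
    body = [f'    local-zone: "{d}." always_null' for d in sorted(domains)]
    return "\n".join(["server:"] + body) + "\n", rejected

# Constructed sample input, not taken from any real blocklist.
SAMPLE = [
    "# comment line",
    "0.0.0.0 ads.example.com",
    "tracker.example.net",
    "Tracker.Example.NET.   # duplicate once normalised",
    'broken"entry.example.com',   # quote would break out of the config string
    "bad..example.org",           # empty label
    "cdn.example.org",            # allowlisted below
]

if __name__ == "__main__":
    conf, rejected = build_unbound_conf(SAMPLE, allowlist=["cdn.example.org"])
    print(conf, "rejected:", rejected)
```

Running `unbound-checkconf` against the generated file before reloading the resolver catches anything the validation missed, so a bad list update does not take DNS down.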
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,786
Reaction score
11,540
OPNsense, since you're in this thread.

You can indeed run the adblock using only unbound. It accepts external sources, am using Hagezi - https://github.com/hagezi/dns-blocklists

Then just set a cronjob to update the blocklist

Nice one.

For me I just use OPNsense built-in block lists. Please refer to my previous post #38.
https://forums.hardwarezone.com.sg/threads/opnsense-discussions.6943166/page-2#post-150009642

I can get similar performance using OPNsense Unbound blocklists, comparable to using Adguard Home, Pi-hole or pfSense pfBlockerNG-devel.
 