So you likely found this article because you are part of the pfSense community and run pfSense in your home lab or rely on it to secure your business network. You have most probably heard all the chatter on Reddit, YouTube, and various other forums about the recent changes announced by Netgate to the pfSense Plus Home+Lab and how it is no longer a free option. You have likely seen in these same discussions people recommending alternatives like OPNsense, but you can’t decide if you should downgrade to pfSense CE or try something new like OPNsense. Perhaps none of the above affects you and you are simply looking for a pfSense alternative, or maybe you are completely new to the world of open-source firewalls and you are trying to decide what is best for you.
Regardless of the reasons that you found yourself here, I am hoping to make your decision-making process a lot easier. In this article, we are going to compare OPNsense to pfSense and talk about some advantages of using OPNsense as an alternative. We are also going to take things a step further and talk about how we can enhance OPNsense by easily installing the Zenarmor Next Generation Firewall plugin, which unlocks advanced security features like deep packet inspection and application and web controls. With OPNsense and Zenarmor, you can start exploring and benefiting from next-generation firewall features for free in the comfort of your own home-lab environment.
So grab your favorite beverage, and let’s dive into the article.
Installation options and hardware considerations
If you already have pfSense deployed, you will be using hardware compatible with the x86-64 (AMD64) architecture, or alternatively, you will be virtualizing pfSense in a hypervisor like Proxmox, VMware, or Hyper-V. In some cases, particularly business use cases, you may have a Netgate appliance deployed running pfSense software.
The good news is that because OPNsense shares the same underlying FreeBSD operating system, it can easily be run on the same x86-64 (AMD64) compatible hardware or hypervisor that you are using for your current pfSense deployment, with no need to invest in new hardware.
Unlike most prebuilt commercial firewall solutions, OPNsense is versatile and allows you to choose the hardware so that you can build a tailor-made firewall solution for your environment’s unique needs. It’s compatible with popular ready-made hardware appliances like the Protectli, and it can even run on older-generation hardware, like your old gaming rig or desktop PC. OPNsense has good driver support overall, so you are covered.
If you are an enterprise user, OPNsense also has its own rack-mountable security appliances which you can purchase directly from their store. These are similar to pfSense Netgate appliances, which you may already be familiar with.
As you can see, you are truly spoilt for choice when it comes to choosing how you would like to deploy your OPNsense firewall.
General core feature comparison
If you are familiar with the many pfSense core features, you will be pleased to know that OPNsense has a practically identical feature set. One of the main reasons for this is that OPNsense is a fork of pfSense and m0n0wall, so it has retained those familiar aspects since its official release in 2015.
This is advantageous to a pfSense user because it means you have a relatively small learning curve when it comes to the setup and maintenance of your OPNsense firewall. To prove that you are not going to miss out on the core features that you have come to love in pfSense, I have listed the main OPNsense core features below with some brief explanations.
- GUI
Like pfSense, OPNsense also has an intuitive GUI to make configuration and maintenance an easy task. Off the bat, you will immediately notice familiar aspects like system information, services, and interfaces, with the ability to customize your dashboard with additional widgets as needed. OPNsense has its menu options tucked away to the left of the window, with options once again similar to those of pfSense. What is unique to OPNsense is the ability to search for features by using the built-in search field, which will take you directly to the settings menu you are after.
Figure 1: The OPNsense dashboard layout
- Stateful Firewall
Because firewalling is essentially the heart of both OPNsense and pfSense, they both include a stateful firewall that supports IPv4 and IPv6 with all the rule customization, logging, and diagnostics one would expect of firewalls like this.
Figure 2: Firewall rule settings menu
- VPN
OPNsense includes a few VPN options like IPsec, OpenVPN, WireGuard, ZeroTier, and Tinc, which are on par with pfSense, so all your remote access needs are fully covered if you migrate to OPNsense.
Figure 3: OPNsense VPN options menu
- Multi-WAN support
OPNsense has multi-WAN support with load balancing, so once again, you are covered if you need this functionality.
- HA and Hardware Failover
If you require redundancy and high availability in your network environment, OPNsense supports this by making use of pfsync and CARP (Common Address Redundancy Protocol), which are once again on par with pfSense.
- Intrusion Detection and Prevention
OPNsense comes pre-installed with the Suricata IDS/IPS package. This is similar to pfSense, which uses the Snort add-on that needs to be installed separately. Alternatively, you can use OPNsense with the Zenarmor NGFW plugin, which can handle all this for you on autopilot without the need to manage your own threat rule sets.
Figure 4: Suricata IPS/IDS settings menu
- Routing
If you require specific routing functionality like OSPF or BGP, OPNsense supports this using the FRRouting Project plugin.
- Web Filtering, Ad-Blocking, and DNS
If you have been using pfSense, you are most likely using the pfBlockerNG add-on to filter ads and malicious websites. The good news is that when you migrate to OPNsense you can easily achieve this same level of DNS-based filtering using the blocklists built into Unbound DNS that come pre-installed on OPNsense. As an alternative, you can simply achieve this by using the Zenarmor NGFW plugin, which takes care of all of this and more without the need to manage blocklists. Zenarmor is a powerful alternative to pfBlockerNG, perfect for those migrating from pfSense to OPNsense. It offers capabilities that exceed expectations.
Figure 5: Unbound DNS options menu
- Traffic Shaping and QoS
We have all experienced those bandwidth hogs on our networks. OPNsense has you covered with an easy-to-implement traffic-shaping solution on par with pfSense.
- Reporting
If you are into pretty graphs and visuals, OPNsense has many reporting options, giving you the ability to monitor your overall network health and traffic flow with ease. If you are after even better visibility of your network, using the Zenarmor NGFW plugin unlocks an additional 60+ pre-defined reports, giving you total granular visibility of your network traffic so that you don’t miss any threats.
Figure 6: Live traffic flow graphs
Figure 7: Zenarmor Connections Report
Figure 8: Zenarmor Connections Live Sessions
While the list above just covers the most commonly used core features of OPNsense, there are many other features included, which I will leave you to explore yourself. To add to this, there are loads of plugins that can be easily installed, making OPNsense even more powerful.
I am hoping that viewing some of these features and capabilities side by side has cleared any doubts you may have had about migrating to OPNsense. As you can see, you are well covered if you migrate to OPNsense.
Support, Development, and Documentation
Another major deciding factor for many considering changing their firewall is how well the developers and community support it, how often the product is developed, and finally, how well it’s documented.
As for support, OPNsense has a large community across many platforms like Reddit and YouTube as well as an incredibly well-run forum, making it easy to find information and ask troubleshooting questions if needed. For those who are after priority business support and professional services, OPNsense offers this directly through their commercial support subscriptions. So rest assured, help is always nearby when you need it.
As far as ongoing development is concerned, this is where OPNsense truly shines. OPNsense offers weekly security updates and a fixed release cycle of 2 major releases each year, which is great because businesses can plan their upgrades ahead. All of this comes standard, regardless of whether you have business support or not.
If we bring pfSense CE into consideration, there was roughly a 1.5-year development gap between major releases 2.6.0 and 2.7.0 which is a fair amount of time. While this is not the case with the pfSense Plus software that comes at a fee, it is worth mentioning here because having regular updates may be a big deciding factor for some, especially for those building home labs or non-business users who can’t justify the expense to benefit from more frequent updates.
Proper, detailed documentation is a must and a big deciding factor when choosing the best open-source firewall for your needs. OPNsense has you covered in this regard and includes up-to-date documentation covering all aspects of the product, including configuration examples and step-by-step guides, so you will never feel lost when deploying or maintaining your OPNsense firewall.
Support, development, and documentation are covered, but how can we get even more from OPNsense by enhancing it with next-generation firewall capabilities?
Using Zenarmor to unlock Next-Generation firewall capabilities
You have heard me mention the Zenarmor NGFW plugin a few times in the article already, but perhaps you don’t know exactly what it is, so let me fill you in. Zenarmor is basically a plugin that can be easily installed on your OPNsense firewall, which gives you next-generation firewall features such as:
- AI-based cloud threat intelligence that lets Zenarmor detect and block malware, phishing attacks, and botnets in real time, using deep content and TLS inspection to catch threats that would otherwise bypass traditional DNS-based filtering.
- Fully customizable Application and Web Controls driven through policies, giving you complete control over which applications and web traffic are permitted on your network, including parental control, ad blocking, and enforced safe-search.
- Comprehensive reporting providing you with real-time visibility of your network.
- Enterprise integrations with Active Directory and SIEM solutions like Splunk, Datadog, Wazuh, ELK, etc.
- All this can be managed from anywhere using the Zenconsole cloud management dashboard available for free, regardless of the Zenarmor subscription you are on.
It’s also worth mentioning that Zenarmor can be deployed on Linux or Unix-based operating systems other than OPNsense as a Secure Web Gateway in a cloud or SASE environment. It can also be installed on pfSense CE; however, due to pfSense Plus blocking third-party applications, Zenarmor support for pfSense Plus has ended.
It must be noted that your overall installation and user experience will be drastically improved using OPNsense because Zenarmor, through its partnership with OPNsense, has practically ‘baked’ Zenarmor into the firewall for a seamless experience.
So you are probably thinking this sounds great, but what does it cost? Zenarmor offers 4 plans including FREE, Home, SOHO, and Business, which I think are self-explanatory.
Figure 9: Zenarmor Policy Controls for Applications and Web Content
Scenarios to consider
So let’s consider the following scenario: you are a current pfSense user using your own custom-built hardware with a pfSense Plus Home+Lab license, which has recently been discontinued. You can’t justify paying $399 per year for a TAC subscription; however, you want regular major updates and security patches. You also don’t really want to revert to pfSense CE. What should you do?
- Remove pfSense from your hardware, install OPNsense and migrate your settings across.
- Install the Zenarmor NGFW plugin on a free plan to benefit from enhanced security features.
The result: you will receive 2 major updates per year and a weekly security update with next-generation firewall features provided by Zenarmor at zero cost. This is a lot more valuable than running just pfSense CE in my opinion.
Let’s consider a second scenario. All of the above concerns apply; however, you are enjoying Zenarmor and want to unlock more advanced security features and have better overall control of your NGFW. What should you do?
- Remove pfSense from your hardware, install OPNsense and migrate your settings across.
- Install the Zenarmor NGFW plugin on a Home plan to benefit from enhanced security features, advanced security, and more customizable control.
The result: you will receive 2 major updates per year and a weekly security update with next-generation firewall features provided by Zenarmor for $99 per year for up to 100 devices on your network. In addition to this, you get more advanced security functionality and customizable options. You are now essentially running a business-class next-generation firewall in your home lab for less than $10 per month.
I think it’s pretty clear by now, based on the above scenarios, that by combining OPNsense with Zenarmor, you are able to create a tremendously powerful network security solution with features usually only seen in much more expensive business-grade firewall solutions.
What to do next?
So are you ready to join the ever-growing OPNsense firewall community? If your answer is yes, it is really easy to get started. Head over to the OPNsense getting started page and simply follow the steps. Once you have successfully installed OPNsense on your hardware, don’t forget to install Zenarmor to build your own next-generation firewall at home.
If you want to explore all that Zenarmor has to offer, including its enterprise capabilities, you can get started by signing up for a 15-day free trial; no credit card is required.