pfsense VS OPNSense

  • Published 13 Jun 2024
  • Where to get OPNSense opnsense.org/
    Where to get pfsense www.pfsense.org/
    Our pfsense tutorials
    lawrence.technology/pfsense/
    The Fork statement
    docs.opnsense.org/history/the...
    Feature Comparison of the OPNsense Plugin Sensei by Sunny Valley Networks
    homenetworkguy.com/review/opn...
    FreeBSD Wireguard Commits
    git.zx2c4.com/wireguard-freeb...
    ⏱️ Timestamps ⏱️
    0:00 Intro pfsense vs OPNSense
    2:33 m0n0wall pfsense OPNSense history
    3:38 OPNSense fork
    4:41 OS Differences and Security
    7:33 OPNSense pfsense domain controversy
    11:55 Real World Business Usage
    14:50 Interface Differences
    19:58 IDS IPS Snort Suricata
    21:50 Wireguard
    24:06 OpenVPN
    24:55 Packages
    27:04 Diagnostics
    29:33 Logging
    #Firewall #pfsense #OPNSense
  • Science & Technology

COMMENTS • 377

  • @LAWRENCESYSTEMS 3 years ago +44

    Where to get OPNSense opnsense.org/
    Where to get pfsense www.pfsense.org/
    Our pfsense tutorials
    lawrence.technology/pfsense/
    The Fork statement
    docs.opnsense.org/history/thefork.html
    Feature Comparison of the OPNsense Plugin Sensei by Sunny Valley Networks
    homenetworkguy.com/review/opnsense-sensei-feature-comparison/
    FreeBSD Wireguard Commits
    git.zx2c4.com/wireguard-freebsd/log/?ofs=100
    ⏱️ Timestamps ⏱️
    0:00 Intro pfsense vs OPNSense
    2:33 m0n0wall pfsense OPNSense history
    3:38 OPNSense fork
    4:41 OS Differences and Security
    7:33 OPNSense pfsense domain controversy
    11:55 Real World Business Usage
    14:50 Interface Differences
    19:58 IDS IPS Snort Suricata
    21:50 Wireguard
    24:06 OpenVPN
    24:55 Packages
    27:04 Diagnostics
    29:33 Logging

    • @nathanielbest3541 3 years ago

      Question regarding pfsense. Have you found it necessary to change the UDP timeout settings for any of your customers as it pertains to their VoIP services? I know on some firewalls and/or routers, this is strongly recommended. At one time I did set the UDP timeout on my pfsense build to 300, however I made the mistake of doing testing on my production firewall and had to recover it. After recovery, I decided to leave it set at the default settings, whether I changed it or not, I've not seen any evidence to suggest that pfsense has an issue maintaining a UDP session.

    • @christophepeetersbree779 3 years ago

      It's a wake-up call, everyone left Netgate/pfSense.

    • @ilikehiking 1 year ago +1

      pfSense is not open source anymore.

    • @LAWRENCESYSTEMS 1 year ago +1

      It is open source with closed source add-ons.

    • @ilikehiking 1 year ago +1

      @LAWRENCESYSTEMS That's an interesting way to refer to a closed source fork.

  • @markarca6360 3 years ago +48

    One thing I like about OPNSense is built-in ZeroTier One support through a community plugin.

  • @Filakhtov 1 year ago +16

    Thank you very much for this side-by-side comparison and a history lesson. One thing I think is worth adding, which is also the only reason I pick OPNSense over pfSense these days is the availability of the official API. I am running OPNSense as a VM and I have automation tools that allow changing things over an API… so the tool would take a snapshot, apply changes and perform a quick test. If everything goes well - it discards a snapshot. If something goes sideways - it just restores the snapshot and reports the problem for me to look at. This can be even more powerful in the HA setup.

  • @erl-grey 3 years ago +113

    19:15 automatically generated rules are hidden by default to keep the interface a bit cleaner in opnsense, you should find it when you click on the dropdown.

  • @jonathanwoodard1204 3 years ago +44

    Finally!!! Thank you for doing the comparison!

  • @beauregardslim1914 3 years ago +52

    Security is about trust. If you can't trust a vendor on the business side (domain scandal) and the technical side (wireguard mess), I don't know why anybody would stick with it.

    • @biomerl 3 years ago +3

      Enterprise and hardware support

    • @JosephHalder 3 years ago +9

      They've been in the game for a long time as a contributing BSD member, and have no reason to not trust their software. Was buying that domain scummy? Yes, they probably thought they were being slick/smart/snarky, no they shouldn't have done it. There's no reason to think their Wireguard work isn't being done in good faith.

  • @TudorGeorgescuNL 3 years ago +10

    The difference: in pfBlocker you do all the hard work; in Sensei Murat Balaban does all the hard work and you sit down and relax. Bonus: Sensei does not work at DNS calls level, it actually inspects the connections to see where they go to.

  • @vijgai3 3 years ago +13

    As a first time user, I find the OPNsense search & side menu way more user friendly. Again, that's just me.
    I don't use unbound. I have used NextDNS for a long time & have the CLI running on my OPNsense firewall. Works very well and gives me a lot more control with kids in the house.
    OPNsense has snort as well in addition to suricata.
    The community is way more friendly on the OPN side to new users. The PF community seems very hostile from my experience to similar questions asked.

  • @G0nz0uk 3 years ago +13

    I moved over to OPNSense and prefer it now. I've also got Grafana and not setup too.

  • @Pray4ragE 3 years ago +1

    Thank you! Was deciding where to begin with open source firewalls and this video helped me solidify my choice.

  • @joseroda5863 3 years ago +11

    Thanks Tom for this review and side by side comparison. I think you did a great job staying unbiased while throwing some personal pepper to the products. After all, everyone comes here to hear your opinion and not to hear what he/she wants to hear, so your subjective opinion also matters as long as it is funded. Thanks again.

  • @somewhereoutthere8801 3 years ago +19

    Great job giving a well balanced overview of both systems. You’re definitely right to insist on the common origin of both systems. Have some common sense!! Love it

  • @BrianThomas 2 years ago

    Thank you for navigating this topic. Despite all of the controversy that's all over this subject. You did a great job as always in explaining things without ranting and throwing more mud.

  • @satamototo 3 years ago +10

    Good work, First step is done. Now if you go deeper in Sensei, will find it very useful, even without subscription. In the web filtering you can set preset to Permissive, Moderate or High and after put in User Defined Categories whatever you need. Works like a charm and not slowing down the web like a proxy.

  • @fourtwanky 3 years ago +10

    Thank you for reviewing this in the way that you did! I was not expecting this video, and I'm SO GLAD you did this video! I love using OPNsense, and I'm really glad to hear your opinion of its comparison to pfsense.

  • @talbech 3 years ago +33

    Thanks for taking the time to review these two great products. I have customers using both products and must say they are very similar and it all comes down to personal preference with regards to the UI. I wish you had spent a little more time on OPNsense before comparing though.

  • @robertmartin6486 3 years ago +75

    Drinking game: one shot each time Tom says “Nuances”

    • @LAWRENCESYSTEMS 3 years ago +21

      🍹🍹🍹🍹 🍹🍹🍹🍹 Hmm I should do a transcript and a word count. It was my word of the day for sure!

    • @tbeehler 3 years ago +8

      You fool! You'll kill us all! :)

    • @cfgdr3 3 years ago +6

      I'll drink to that!

    • @sharkey086 2 years ago +2

      We'd be needing our stomachs pumped lol

  • @notsure7874 3 years ago +6

    Thank you for acknowledging the time issue. YT vids have dates on them, but well over half the articles / techie how-to's and whatnots don't have the most basic journalistic feature ... the date. Or even a version you can deduce an approximate date from.

  • @christophepeetersbree779 1 year ago +16

    07:33 I used pfSense at home for 5-6 years before switching to OPNsense earlier this year, after an unsuccessful attempt to switch a couple of years earlier. The Netgate drama was a big part of my reason for wanting to switch, as was the Wireguard issue. On the latter, it wasn't so much that they'd contributed garbage code (they'd hired a dev whom they had every reason to trust to do good work), but their response when it became apparent that the code was garbage was to blame everyone but themselves. You provided this code, folks; you're responsible for it. Another point, not mentioned in this video, is that there's some serious question whether pfSense is truly Open Source--the claim is being made (and pretty credibly to my uneducated eye) that ESF/Netgate/whatever they're calling themselves now have not released all the source code, and that it's impossible to build pfSense with what they have released.

    • @PrivateUsername 1 year ago

      search for Wireguard
      Yep. Was hoping this was mentioned here.

  • @junejuan8561 3 years ago +12

    Features of opnsense that's killing pfsense
    Sensei
    Wireguard
    Netflow

  • @therevoman 2 years ago +1

    I've been waiting for this video for EVER... Literally.
    Thank you, thank you, thank you. Your opinion and perspective align with mine in many areas and I respect your reviews.

    • @BenState 13 days ago +1

      *not literally

  • @joshc8599 2 years ago

    this is perfect!! i was wondering myself before i built a new router. i am glad it was you covering it as i knew it would be a more in-depth coverage.

  • @abigchair 9 months ago +4

    I know this is an old video but just wanted to let you know this was very very helpful. I did not know about the history, and this actually made me much more wary and cautious about trusting the stewardship of pfSense, and so I will select a more agnostic hardware solution.

  • @jeffellington13 3 years ago +2

    Tom, fantastic objective review. Great job. Thanks for all of your great content.

  • @chrcoluk 3 years ago +17

    Pfsense need to add outbound ipv6 rdr support, opnsense has it. Useful for forcing all outbound dns queries to use the firewall dns.

  • @wilsonking965 2 years ago +2

    Look at the YouTube performance metrics on this video. I knew this topic would be a solid hit for your channel!

  • @TimmyMoza 2 years ago +1

    Really liked this review with a reasonable context and perspective.

  • @code8986 1 year ago +2

    Thank you for such an informative and unbiased comparison.

  • @AlexChama 3 years ago +2

    This was a really, really good video and a very nice comparison!
    Thank you a lot for this!

  • @TheJensss 3 years ago +2

    Finally, been waiting for this video 😁

  • @sussudio4384 3 years ago +5

    We are in the process of migrating from pfsense to opnsense at my job for colleges and high schools. What caught our attention was the application filtering that pfsense does not handle.

  • @nonoagain6547 3 years ago +6

    I only chose to go with pfsense because of your videos on how to set it up 😅

  • @JPEaglesandKatz 2 years ago

    Honest and objective look at both of them.. Very helpful video!!!

  • @ChrisG9978 1 year ago +11

    I've always perceived OPNsense as a better option for non-enterprise, home or hobbyist use, whereas pfSense is somewhat more complex to figure out (for non-network engineers) and more suitable for business or enterprise use.

  • @lonniebiz 2 years ago

    Thanks for doing this video. I was very curious to hear a comparison of this on YouTube.

  • @PhilipBonev 3 years ago +16

    Thank you. Great video. I use pfSense at work and OPNSense at home. Main reason for OPNSense at home is WireGuard. For me both are equal feature wise and little different in presentation, but both work great.

    • @JustinShaedo 1 year ago

      I think pfSense heard you and that's why they've put so much effort into WireGuard in the last year!

    • @bsd107 1 year ago

      Thanks for your feedback - very helpful!

  • @JamesT65 1 year ago

    Just stumbled on this video and enjoyed the explanation. Thanks

  • @rpsmith 3 years ago +6

    The bottom line for me, there is way more online support for pfSense than you will find for OPNSense. And unless you are a firewall guru, you will value that support!

  • @jlficken 3 years ago +24

    I like the OPNSense interface a lot more than pfSense. If I ever switch from Untangle it will be to OPNSense.
    I also really like Sensei when I played with it.

  • @Darkl0ud_Productions 10 months ago

    Thanks so much for making this video! After watching, I'm unfortunately still no closer to figuring out which one I want to go with... Even have them installed in Virtualbox so I have been playing with both and I like them both for different reasons. They are both so balanced on my personal scale lol!

  • @notpublic7149 3 years ago +22

    Ah! My gawd, thank you sir! Side by side - not a rant video about why one is the *best*. Subjective. What are they? Pfsense I have used (daily) since early 2009 or so? Interested in opensense but not want a rant vid. Thank you.

  • @succubiuseisspin3707 3 years ago +5

    I like the firewall live view with the filter options in OPNsense but I could not find it in pfSense - do they have something similar?

  • @Numian 3 years ago +9

    What is that CommonSense which we should use? Another fork? Can you make a review of it please? LOL :-D

  • @petermuller608 3 years ago +4

    I remember contemplating whether to switch from fli4l to m0n0wall in the early 2000s. Thanks for the trip down memory lane :)

  • @poldelepel 3 years ago

    thank you for your vision!

  • @jasonantes9500 3 years ago +4

    I was a pfSense user until they were going to require AES-NI, which my hardware doesn't support. I decided to migrate to opnSense. Well, they decided not to make it a requirement after I had migrated and been running on opnSense for a while. Just decided not to switch back. There were things that annoyed me about pfSense and there are things that annoy me about opnSense. Overall, the documentation and available knowledge for pfSense is better. When looking for answers to something I don't understand in opnSense I usually only find the answer from a pfSense perspective or have to filter through a ton for pfSense before I find the 1 post on opnSense. I can mostly hash it out but sometimes they are different enough that I'm just stuck. I think they both did and do an excellent job.

  • @hawks5196 3 years ago +15

    Love your videos, so detailed from a professional point of view! I run OPNSense at home and very often just use PFSense tutorials to get stuff set up as it’s pretty much the exact same 😂 (there’s also very little tutorials on OPNsense compared to PFSense)

    • @ricsip 2 years ago +2

      The biggest issue of opnsense is the lack of decent QUALITY documentation. Yes, indeed, there exists all sort of document-looking written texts on their site. But when you take your time and sit to really read them through, you realise they lack any explanation or intent to explain how it works, just give you some damn stupid example without any extra detail. Many of their document sections aren't worth a penny.

    • @boltthrower3215 9 months ago

      @ricsip This is 100% true even today… and one of the reasons I don’t like Ubiquiti and all these plastic crap.
      Pfsense does a great job

  • @krizzo 3 years ago +1

    @3:00 This same question came up even back then IPCop vs Monowall vs smoothwall. Which is best!? Tell me please?! @33.23 Great explanation. I've gone back and forth on which one I'd want to run. Laziness in the fact I'm running PFsense already is what's keeping me from doing anything about running or switching. Both looks like benefits and drawbacks. I'd like all logs together but the diagnostic separate is nice and the global search is as well. Every time I needed to search for the "Halt System/Reboot" since you don't do that often with firewalls, I've finally have it burned in my mind where it is under the diagnostic section. Great video.

  • @TechySpeaking 3 years ago +4

    Welp, I just spiraled down a rabbit hole of "what exactly is BSD?". Thanks for that :)

  • @beepboopbeepboop190 3 years ago +11

    Thanks for doing this video. I like opnsense, but would be equally fine with pfsense. When I set up my homelab I researched both, saw that the important bits were close enough to being the same, so I just went with what looked like it would be the easiest for me to get familiar with. Ended up being opnsense but in all of the videos and articles I've seen on pfsense since then I think it wouldn't have mattered one way or another. With the amount of "passionate" opinions people have on these two, you'd think there were massive differences between them or something like xp vs os x. Instead it's more like hoagies vs heroes.

  • @bocaJWho 3 years ago +1

    In addition to the security issues, I think many companies don't disclose their product stack out of concern over IP issues. It's a lot easier to put together a plausible claim for patent infringement if you can say "and their network uses X software including Y code that practices claim Z" then if it is entirely a guess.

  • @DanielAwesomesauce 3 years ago +2

    Thank you Tom!

  • @LampJustin 3 years ago +1

    I love that you don't have the pf sense sticker on your laptop. Wow great attention to detail! :)

  • @astronomos826 3 years ago +2

    I like Opnsense because of API. It is very easy to create system of dynamic change of hosts aliases.
    I've created the changes to the Opnsense api that allow to drop all current connections that already not allowed by the firewall rules after alias change.

  • @solomonshv 1 year ago

    after having trouble with an edgerouter in my home lab set up, i went to build my own firewall and i chose opnsense simply due to the hardware support. pfsense seems to be lagging with the kernel upgrades, therefore leaving hardware support for newer (and sometimes older) hardware. i'm not doing anything fancy, just need a router/firewall that won't shit the bed anytime traffic gets heavy, which was a problem for me with linksys and edgerouters in the past.

  • @eksadiss 2 years ago +3

    First time I've ever seen somebody actually logged into Wikipedia

  • @michnl1772 3 years ago

    Hi Tomz, i know you using/used Suricata, is the package Zeek the same or are you familiar with it? Greetz, Mich.

  • @voiceoftreason1760 3 years ago

    I'm just getting my feet wet with this and considered I'd install them both as part of a multiboot, and then try to install them in proxmox as well to see how that goes. I ran into the issue that the OPNsense installer didn't let me manually partition my GPT disk and the only option it gave me (for GPT) was wiping the whole drive and installing OPNsense over all of it, but that doesn't seem to make much sense. I don't really know any BSD partitioning stuff so couldn't find a way to install OPNsense on my hardware, whereas PFsense did allow me to make a separate GPT partition for it and it did nicely add a UEFI NVRAM boot entry.

  • @cinlung 3 years ago +4

    This is the first time a tech said that tech needs money to live.

  • @JayTownsend1 3 years ago +3

    If I recall correctly you would see the rule that you did for the nat in the wan automatically generated rules when you do a filter association rule

    • @Stricken8592 3 years ago

      It becomes an automatically generated rule which is hidden by default, just have to toggle on the view all rules to see it.

  • @daphbobo 3 years ago +4

    Hi Tom, as always great video. for me, they both have almost same things. I find pfSense more user friendly. opnsense UI feels scattered.. for me their placement of diagnostic tools make no sense. for example i had to spend some time to find ping tool, i would have guessed it would be under diagnostics.. but seems it's scattered. another thing is openvpn client export tool. pfsense give a nice installer for windows with cert and key and openvpn program itself. whereas in opnvpn it gives an archive of config, cert and key. also setting up GeoIP in opnsense was a bit confusing for me from adding a url and inserting license in the url, creating an update schedule and floating rules.. but in pfsense it was very easy to navigate through all, it made sense to me.. one thing i didn't like was pfsense didn't have sensei.. pfsense has pfblocker, which is a DNS sinkhole.. whereas sensei is application aware.. i think it uses application signatures and identifies apps at higher layers.. also sensei is free for most home and small office use cases... licensed version gives a bit of customization.. free version have presets to allow deny apps and categories. I have had a scenario where i couldn't use pfblocker, I have vpn users who use openvpn with corporate DNS servers for remote work. pfblocker wouldn't work for me since am passing corp DNS to vpn clients and pfblocker was not seeing DNS requests since pfsense was not involved.. whereas sensei worked perfectly. they are both great firewalls full of features. but sensei is really nice to have. a free application aware firewall.. i've had to spend a lot on application filtering on all other devices.. cisco and checkpoint. for me, pfSense selling point is user friendliness and ease of use.. OPNSense, sensei. that's all

  • @thirdenvoqation7735 3 years ago +8

    When I set up my firewall I used OpnSense over PFSense as they had native 2FA Support, even now I'm not sure if PFSense has that feature. WireGuard is now an added bonus even if it's living in US instead of Kernel. Overall, I felt the community has been overly hostile to anyone that uses OpnSense over PFSense especially first time users when I've looked up how to's. A fallout of the old Opn/PF wars from years ago. It's almost like the greybeard Linux vs MS debate now despite all the changes in the years since.

    • @AzraelTAAOD 2 years ago

      Both of them do support wireguard. For pfsense it was added in 2.5.0 (but rushed), removed in 2.5.1, and then re-added in 2.5.2, I believe.

    • @DocNo27 2 years ago

      @AzraelTAAOD Rushed? Half-assed is more like it! Almost corrupted the FreeBSD kernel with their stupidity. Screw netgate - they are NOT trustworthy.

  • @heikokraemer2735 3 years ago +33

    Job listings (LinkedIn, Germany): pfsense: 49 / OPNSense: 16

    • @scottylans 2 years ago +2

      I feel like this will slowly change as opn gets more popular.
      Pfsense has become "uncool"

    • @RatoAx 1 year ago +1

      What they hire you based on what platform you are a fanboy?! 😅

    • @bigpickles 11 months ago +3

      @RatoAx Professionals don't even use the word "fanboy". They're hiring for experience...

  • @dpscribe 3 years ago

    Have you had any conversation with other people who use VyOS in work environment, and what were the pros and cons for them using VyOS?

  • @longtranhoang3622 1 year ago

    Thank you so much. I intended to buy a modem for my home. Between Netgate and Protectli, I don't know which one I should buy. Could you give me a suggestion? 😄

  • @bensavage6389 1 year ago

    after watching this it made me satisfied that I delayed trying out the fork. I just stuck with pF sense lazily and so far it's been pretty dang stable. the upgrades were flawless. I do wish PSS would work on their menuing system, it is difficult to keep track. maybe a recently used or favorites menu? every user is different so they should be able to have their own favorites. I like what the fork project did with the filter text box, but I think favorites would be more useful or a great addition for both of them to be included. PF sense really needs to get things moving

  • @eece95776 3 years ago +1

    Over beers with colleague who supports an environment I supported over a decade ago tells me they are still running the MonoWall I built for them... in 2004, on a Gateway 2000 desktop. LOL, I choked on my beer!

  • @garyadams7913 3 years ago +9

    Tom, I am with you it is a matter of preference and mine is pf-Sense. I like the UI (more concise) better and pf-BlockerNG. One more thing, you are right about the docs, pf-Sense docs are much better

  • @NickOfTime99 3 years ago +1

    this is weird....I was just looking for a video like this from your channel!

  • @chrismirchandani8895 1 year ago +1

    There are still things that pf can do that iptables can't do or can't do nearly as well. One is the route-to option that allows on the fly policy based forwarding in filter rules. While not specifically a pf function, I believe pf based firewalls like pfSense handle multi-wan better than iptables based firewalls. Another is the use of ip lists with hostnames. The open source linux based firewalls designed for commercial use that would be comparable to pfSense and OPNsense seem to lack much in these areas.

  • @kylecurry6841 2 years ago

    I worked for an MSP in my area... And as you pointed out being an MSP business, you work with what's popular in the wild. I will say though, that 0% of my Linux foundings occurred while working there given they were so focused on "what's popular in most businesses" that they only worked with Microsoft based OS's both on the client/ workstation end, and even though I wouldn't entirely recommend desktop Linux for organizational use (maybe in certain cases it be ok), I wouldn't say the same concerning servers which speaks for itself even though I'm not bashing WinServer... All in all I can understand the potential profit model behind reselling MS products vs Open source.
    Concerning OPNS vs PFS... Hands down, I've had more PFS background, however I have dabbled with OPNS lately on account of their cellular based packages which is nice given you can run it on IoT project boards (not saying you can't with PFS, but documentation might be less available).

  • @jaimeduncan6167 1 month ago

    Very good overview thanks. Side note: It’s sensei like the Japanese for teacher 😊

  • @GregTheHun 3 years ago +1

    Yeah, their version of pfTop where you can filter better is under "Firewall > Log Files > Live View"

  • @Voigt_Analytics 25 days ago

    Crowdsec is nativly (by one click) installed on OPNsense. That's a huge benefit over pfSense. Especially on a firewall device.

  • @alfred.clement 3 years ago +4

    I remember there was massive toxic drama between pfsense and OPNSense few years ago, was it the domain squatting? I think it was more than just that... If I recall correctly, the actual project founder of pfsense left and started working for Ubiquiti. After few incidents (that I don't recall) I remember I had concerns with the direction and leadership of netgate that I no longer trusted them. Which is when I began leaning towards OPNsense and moving away from pfsense.

  • @scholziallvideo 9 months ago +1

    hi,
    i prefer OPNsense because there you get much more updates and doesn't need to wait half year for updates.

  • @mms-rp8gh 3 years ago +1

    Thanks! I like that you tend to keep an open mind on the topic. Looking forward to your videos like "linux vs *bsd", "vim vs emacs" etc. :)

    • @mms-rp8gh 3 years ago

      oh... didn't know they decided to drop hbsd and focus on pushing their patches to fbsd. and i know now! :)

  • @vaidkun 3 years ago +14

    from my limited experience with opensense (running in lab vm), I got feeling that opensense is catering more to consumers/semi-prosumers with advanced features relegated to other category in menu or even hidden, lots of eye candy and more "modern consumer" oriented (IMHO). while pfsense is more complex for novices and brings lots of more complex features to the front, shows more stuff not necessary for most, so it may feel more clunky experience for most basic users.

  • @aaronchamberlain4698 3 years ago +2

    Thanks for the comparison. I went with OPNSense just because the Menu makes more sense but now I’m debating things because I’m looking at some of the L7-ish stuff available is Snort. Don’t know…

    • @geroldmanders9742 2 years ago

      Whether it is still helpful or not, OPNSense also supports 3rd party packages and there is one for Snort. I have not used it myself on my OPNSense instance, so can't tell you if that package is any good or not. Assuming it is good, you do not have to be Snort-less with OPNSense.

  • @ovicencio 11 months ago

    Hi, Lawrence is this still debate the same now in July 23 a bit more than 2 years of this video? Thank you in advance, a subscriber and promoter of your channel. 😀

  • @gjkrisa
    @gjkrisa 1 year ago +2

    so I tried opnsense, it was much faster to load pages than pfsense but that really was its only benefit. traffic log in pfsense will show you the name not just the ip, opnsense I couldn’t find a way to show me the names.
    also getting open nat was not working the same although I think it was just a mistake of not putting them on a /32 instead probably left it /24 when setting up the specific ips to allow upnp to talk to.
    it’s odd that things in opnsense are not by name, I say Suricata is installed by default but it just names intrusion detection.
    I have to install themes, not sure how I feel about that.
    the traffic shaping I feel has potential to be easier to configure control to whole network and then add lower tiers for special ips but pfsense was easier to add a new traffic shaper from the start

  • @mutosanrc1933
    @mutosanrc1933 3 years ago +1

    good compare. Due to the fact that I am not good in networking I am exchanging my opnsense box with an ubiquiti box.

  • @65matt75
    @65matt75 3 years ago +8

    If netgate wants to have 2 versions of pfsense, one that's paid for and has additional features above the free CE version, that's fine. The problem is recently features that are identical between the 2 that are broken/bugged, like some multi-wan setups among others, are being fixed in the paid version but the CE users are being told not to expect fixes till the next major point release 2.6. Even though the code is already fixed and released in the paid version they are deliberately withholding those fixes from CE, one can only assume this is a strong-arm tactic to try and force more people into the paid version. Those kinds of business practices will be the beginning of the end for them if they continue that way.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  3 years ago

      Not sure what makes you think things are being fixed in the paid version but not in the CE, got a link to back up that claim?

    • @65matt75
      @65matt75 3 years ago +6

      @@LAWRENCESYSTEMS www.reddit.com/r/PFSENSE/comments/n2hvho/251/
      www.reddit.com/r/PFSENSE/comments/nlwpsx/nat_bug_in_v251/
      This issue was already resolved in the plus edition but netgate stated it wouldn't be fixed in CE till 2.6 because they wouldn't be releasing a 2.5.2. We know how slow netgate are in making releases from say 2.4 to 2.5, 2.6 could be 2 years away. It now sounds like just recently in like the last day they have relented and now say there will be a 2.5.2 with the fix included.

    • @TiagoJoaoSilva
      @TiagoJoaoSilva 3 years ago

      Well, if that's an issue, welcome to modern Open Source, where companies want to survive and need to give paying customers some reason to continue paying. OPNsense non-business stays on x.0 until the next release, all patches are only given to the Business Edition - maybe you can build OPNsense yourself if you want them. Bareos does exactly the same; with VyOS you only get a stable version if you pay, the community edition is the nightly, it's not even a rolling release. Of course, you can build it yourself...

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  3 years ago +1

      @@65matt75 Ahh, getting your misinformation from reddit, head over to here redmine.pfsense.org/versions/65 where you can see how the development is done and that there is indeed a 2.5.2 version coming that does fix the issue.

    • @65matt75
      @65matt75 3 years ago +9

      @@LAWRENCESYSTEMS If you read my last reply I said that there was now going to be a 2.5.2. This was not the case till just today or so. You can see here redmine.pfsense.org/issues/11805 that the last update says that 11hrs ago they decided to move the fix up to a 2.5.2 instead of their originally planned 2.6 release. Netgate had stated in previous replies to those issues that the fixes would NOT come till 2.6 and there wouldn't be a 2.5.2, that was stated by actual netgate reps replying to posts. So yes they were holding back fixes, at least this one.

  • @ramziboutaoua3298
    @ramziboutaoua3298 2 years ago

    what netgate category is recommended for a production network of 100 users and 40 external access?

  • @samadams4582
    @samadams4582 3 years ago +2

    Mac OS is also very large on FreeBSD. Apple's Darwin kernel is based on FreeBSD.

    • @jimthompson971
      @jimthompson971 3 years ago +2

      Darwin is not based on FreeBSD, it’s based on Mach. OS X uses FreeBSD for user land applications, not the kernel.

  • @Crying-Freeman
    @Crying-Freeman 3 years ago

    speaking of logging, isn't EFW better than both pfsense and opnsense in this regard?

  • @davidrobertnewman
    @davidrobertnewman 2 years ago +4

    Good, evenhanded comparison. Thanks.
    At one point you cite Netflix, iXsystems, pfSense and OPN as the leading BSD projects. There are others. NetApp storage appliances are BSD-based, for example. Juniper routers and switches started with FreeBSD. And all Apple MacOS/iOS/iPadOS devices are arguably BSD descendants: All started with a Mach kernel and an old (4.3? Not sure) BSD userland, and forked the BSD part from there.
    Personally, I run pf on OpenBSD. Who needs GUIs? :-P

    • @dylanneild2580
      @dylanneild2580 1 year ago +1

      Late, but the PlayStation 4, 5, and Vita operating systems are all based on FreeBSD as well. They sold a few PS4s. :)

  • @blueguitar4419
    @blueguitar4419 1 year ago +2

    OPNsense has unboundDNS blocklists which works similar to pfBlocker or PiHole. I find PiHole to be superior in features and detail to both of them.

  • @sagarsriva
    @sagarsriva 2 years ago

    great video as always

  • @jeffm2787
    @jeffm2787 3 years ago +2

    Firewalls are not the weak point in most networks. It's people.

  • @jgould30
    @jgould30 3 years ago

    Didn't the dev for snort move a long time ago and offer a paid service? I feel like snort was abandoned years ago with no meaningful updates to address major performance issues (like multi threading). That's why everyone has basically moved to other tools like suricata, bro, etc

  • @saywhat9158
    @saywhat9158 3 years ago +1

    So how much free time will this video free up out of your day now to have formally answered that question? ;) It would be nice to see pfblocker port a version over as opnblocker eventually since the systems are so similar.

    • @porkbelly872
      @porkbelly872 3 years ago +1

      Dnsbl and ip blocks are already built in in opnsense.
      As an alternative to DNSBL you can install adguard home on opnsense and to me it's much better than pfblockerng and the built-in DNSBL of opnsense, for dns based ad blocking
      Tutorials on how to set up ip blocks are on the opnsense site. Only thing you need to do is copy urls for the ip blocks in pfblockerng and save them somewhere before migrating over.
      A lot of people are reluctant to switch 'because pfblockerng' may not be aware of this.

  • @kbnguy
    @kbnguy 1 year ago +1

    Internet: pfsense or OPNsense?
    Tom: Common sense!

  • @pappyman179
    @pappyman179 3 years ago +9

    Full disclosure, I don't run either of these firewalls, so I have no dog in this fight. I've tried pfsense and it lacked the drivers for one or more bits of hardware in 3 of my computers, so it wasn't worth my time to build the drivers to boot an OS I don't even like, just to try-out some software. Opnsense had the drivers I needed in all those cases, so I played with it a bit on various hardware platforms.
    I currently run OpenWRT with a ton of add-on software on my commodity router and I haven't wanted to do anything that OpenWRT didn't have a solution for already. On my router, I currently run Mosquito, Dynamic DNS, DNS, HTTPS DNS proxy, local DNS caching and recursive DNS forwarding, UPnP, DHCP, QOS, ZeroTier, OpenVPN, AD blocking, 3 wireless AP channels on 2 frequencies, port forwarding, and NTP.
    I installed a hdd and squid once for fun, but I was caching for 1 workstation and it was slow AF, so what's the point? All this on a $50 commodity pig that I bought on Amazon last year (and a ton of 'free' time tweaking things).
    Having said all that, I felt like your presentation was a bit biased. Beyond being more familiar with one software, your entire way of thinking and solving problems was being framed by your familiarity with those tools and how they are organized.
    When you defend a pull-down combo-box of non-alphabetical choices, that exceeds the length of the screen, as a superior organization of ANYTHING, you need to step back and do a reality check. You have spent so much time in that familiar paradigm, that you don't even know the only tool you're holding is a hammer.

    • @pappyman179
      @pappyman179 3 years ago +2

      I forgot to add that I appreciate your content and watch all your videos until that ending trailer and I'm not shy about hitting the like button on nearly all of them. Including this one. :)

    • @saywhat9158
      @saywhat9158 3 years ago +2

      lol...I remember my initial frustration with the pfsense UI menu options before being forced to learn where they put things. It is like going to someone else’s house to borrow their lawn mower and they tell you it is in the bedroom near the refrigerator and you ask them why and they tell you because that is where they put it.

    • @joseroda5863
      @joseroda5863 3 years ago +2

      Regarding GUI, I do like opnsense better due to the logical grouping and presentation. You tend to learn it easily. That said, I find pfsense GUI much more efficient. It takes two clicks and two mouse movements to do what opnsense would require 4 or 5 clicks. So beauty vs efficiency. I guess that's what Tom meant.

    • @SpookyLurker
      @SpookyLurker 3 years ago +1

      One thing that irks me about OPNsense is the click-happy menu at the left.. going by what I see in the video.
      OPNsense needs a black background.
      Presently pleased with pfSense!

  • @quddusukhan1
    @quddusukhan1 10 months ago

    very good overview

  • @bujin5455
    @bujin5455 1 year ago

    3:04. I'd love it if you did a history video!

  • @Airbag888
    @Airbag888 2 years ago

    I have not experienced opnsense at all.. I've had pfsense for ages but I feel that it's waaaaaay too convoluted for simple things.
    Ex: I want to create a VPN tunnel to my provider and have all traffic relative to netflix/hbo max from my xbox to go through it. I can accept also having all traffic from the xbox go through that tunnel.
    The sheer amount of steps to just get that done is crazy...
    I 100% appreciate being able to go into details to death with CLI but there needs to be some simple steps for common tasks.
    The UX (to me) is not fun and for the first time I'm starting to consider going Unifi - especially with the UDR about to be released (unless if OPNSense can do it for me :D )

  • @petea4268
    @petea4268 3 years ago +2

    Using Opnsense here. It's getting more popular every day. A great product.

  • @mattcero1
    @mattcero1 2 years ago

    This guy and Network Chuck are my two and only two GoTo Guys for networking and IT information. Fantastic content!

    • @mikekonowaluk1765
      @mikekonowaluk1765 2 years ago +2

      Until I ended up with a two page list of things I have to do RIGHT NOW!

    • @mattcero1
      @mattcero1 2 years ago

      @@mikekonowaluk1765 No kidding! I never knew I needed to do so many things right now until I watched Chuck.

  • @hhectorlector
    @hhectorlector 8 months ago

    good stuff. I'll go with pfSense