How I discovered OPNSense firewall

--

Home networking has been my passion and obsession ever since I realized that the default all-in-one boxes that ISPs loan us for a low, low $10 or so per month don’t meet even the most basic geek needs. I mean, if you try to squeeze the functionality of a firewall, router, switch and a wifi access point into a single cheap plastic box, you have to compromise somewhere. Well, not just somewhere; you have to compromise EVERYWHERE. So, if you are nerdy enough to read blogs titled “How I discovered OPNSense”, you should be nerdy enough not to settle for the simplest and cheapest networking box. If you care about your home network, you should invest in better home networking equipment.

Let me first review what is wrong with common consumer networking routers and why you should care:

  • Firewall control and filtering rules are very basic (often little more than NAT plus a handful of port forwards), leaving the internal network open to a whole bunch of possible surprises
  • Router logic can’t do policy-based (source-based) routing, so traffic cannot be routed differently depending on which device generated the request
  • Minimal or no IPv6 support — even from ISPs that offer IPv6 addresses
  • The built-in switch puts every Ethernet port (and usually the Wifi) into one flat broadcast domain with no VLANs, so broadcast traffic floods every physical port and often the Wifi as well
  • No Quality of Service and no traffic shaping, making all traffic equal — whether it is a video call, an Xbox game, web browsing or a smart TV sending telemetry to China.

Upgrade 1: OpenWRT firmware

I discovered OpenWRT firmware back in 2005 when I was looking to get better bandwidth monitoring and QoS control on my router. While originally built for one specific router (the legendary Linksys WRT54G), there are now many models and generations of OpenWRT-compatible devices.

The story of OpenWRT firmware is one of the most satisfying open-source wins ever. Because the WRT54G firmware was built on Linux and other GPL-licensed software, Linksys was required to release the source code of that firmware to the public. The story is 15 years old, yet still an amazing read. A bunch of smart nerds dissected, improved and re-packaged the firmware code, adding strong enterprise features to a cheap consumer router — turning a $60 device into a $1,000 professional-like router. OpenWRT was not the only fork of the WRT code — but it eventually became the most popular open-source router firmware for the WRT generation of devices, creating a nice cottage industry of better home routers. I happily used my WRT-compatible Buffalo router for several years, and even in 2020 OpenWRT is still very popular and actively developed.

Upgrade 2: Ubiquiti gear

I realized that bundling Wifi with firewall and router is a compromise too large to accept — no matter how good the firmware was, I couldn’t make an integrated network box as good as a couple of separate dedicated devices. The first thing that I isolated from my all-in-one box was the gateway/firewall — the thing that decides what to route out (and where), and what to let in. As I moved my Wifi access points to Ubiquiti Unifi, the most logical choice for a gateway was the Ubiquiti EdgeRouter Lite — also known as ERL. Ubiquiti forked the Vyatta Core software right at the time when Brocade bought Vyatta and turned it into a closed-source corporate asset, losing momentum, community and customers. If you enjoyed reading about the open-source win over Linksys, you will enjoy reading about the tragic demise of Vyatta. Luckily the open-source Vyatta Core pieces were scooped up and curated in the VyOS project — a continuation of Vyatta’s past glory.

Playing with the network operating system in the ERL was simply amazing. It could do IPv6 through a tunnel broker, it had a stateful firewall, it did multi-WAN routing, had integrated VPN, fine-tuned DHCP, the whole nine yards. I spent hours and hours (and hours) in SSH sessions connected to my ERL, learning how to properly configure network interfaces, how to offload traffic handling to the hardware chipset, how to manually build firewall rules… If you want to learn networking fast, I can’t recommend anything more than playing with Vyatta-derived network operating systems. You don’t need a Ubiquiti EdgeRouter — you can install a VyOS router into any VM (locally or in the cloud) and give it a go.

Upgrade 3: OPNSense on HardenedBSD

Once I increased my internet bandwidth to 1 Gbps and got over 50 networked devices in my house, my little ERL started to melt under the network pressure. It was time for an upgraded gateway device that could handle my insanely over-designed and over-complicated home network. I was seriously considering switching to a full, proper VyOS firewall — I even bought one of the coolest fanless devices available on the market: the fantastic Protectli Vault (which I highly recommend). I was set and ready to put VyOS on it when I stumbled upon alternative firewall packages that could also run on my Protectli. My oh my, VyOS was not the only one; there were a bunch of other packet-filtering firewalls! And that’s when I discovered (and got immersed in) the whole drama of the pfSense vs. OPNSense fights.

In a nutshell, the high-end open-source firewall gateways typically run on FreeBSD. The two most common integrated BSD firewall packages today are pfSense by Netgate and OPNSense by Deciso. There was a lot of bad blood when OPNSense forked away from pfSense in 2015, creating a rift, drama, and two fighting community factions: pfSense zealots and OPNSense fanatics. Which faction should I join and follow — if any? Should I stick with the superior, elitist, UX-less VyOS, or should I switch to one of the native BSD firewall packages?

After several weeks of evaluating and comparing VyOS, FreeBSD-based pfSense, and HardenedBSD-based OPNSense, I decided to adopt OPNSense as my new darling. Why? Because reasons. (I can feel pfSense zealots grinding their teeth and writing devastating responses in the comment section.)

Anyhow, I installed and configured OPNSense on my Protectli device, enabling it to do stuff that I never thought I could squeeze from such a small box. Here is a taster of what I achieved with it:

  • Traffic shaper based on CoDel (Controlled Delay) algorithm — to prevent Bufferbloat — at 1 Gbps throughput
  • IPv6 configured through a HE tunnelbroker — my ISP is too conservative to spell IPv6 right
  • DHCPv6 and Router Advertisements — so each of my devices can grab an IPv6 address when it wants
  • Highly selective geo-sensitive routing — to stop chatty Korean, Chinese and other devices from calling home and sending my stuff to their overlords
  • Unbound DNS with blocklists — to block access to ads, spam, malicious sites and other garbage (yeah, OPNSense can do what Pi-hole does)
  • DDNS registration to two different DDNS providers that I use
  • Intrusion Detection of emerging network threats using Suricata
  • UPnP — fine-tuned to support just silly xbox port spraying — and nothing else
  • OpenVPN service to connect to my home from anywhere
  • The Onion Router (Tor) node — to support really, really, REALLY secure browsing (so I can feel smarter than NSA)
  • Support for NUT (Network UPS Tools) so it can talk to my UPS in garage
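The Unbound blocklist item above is the one that most often raises the question “how does a DNS resolver block ads, exactly?”. The mechanism is simple: the resolver is given a local zone for each unwanted hostname, so the query is answered locally (with NXDOMAIN or a dummy address) instead of being forwarded upstream. The script below is an added example written for this post, not OPNSense’s own DNSBL code: it converts a hosts-format blocklist (the format most public ad/tracker lists use) into Unbound `local-zone` directives, deduplicates and lowercases names, drops comments and the localhost entries that such lists always carry, and honours an allowlist so you can un-break a site without editing the list. The sample list, the function names and the allowlist handling are all my own constructions.

```shell
#!/bin/sh
# Constructed sample blocklist in hosts format (not taken from the post
# or from any real list): duplicates, mixed case, comments and the usual
# localhost line are there on purpose to exercise the filtering.
SAMPLE_HOSTS='# constructed sample blocklist
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # inline comment
0.0.0.0 localhost
0.0.0.0 ads.example.com
0.0.0.0 Telemetry.Example.org
'

# hosts_to_unbound ZONE_TYPE [ALLOWLIST]
#   stdin : hosts-format blocklist ("<ip> <hostname>" per line)
#   $1    : Unbound local-zone type, e.g. always_nxdomain, static, refuse
#   $2    : optional space-separated hostnames that must NOT be blocked
#   stdout: one 'local-zone: "<name>." <type>' line per unique hostname
hosts_to_unbound() {
    awk -v ztype="$1" -v allow="$2" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) skip[tolower(a[i])] = 1
        }
        { sub(/#.*/, "") }                            # strip comments
        NF < 2 { next }                               # need "<ip> <name>"
        { name = tolower($2) }                        # DNS names are case-insensitive
        name == "localhost" || name == "localhost.localdomain" || name == "broadcasthost" { next }
        name !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ { next }   # crude hostname sanity check
        skip[name] { next }                           # honour the allowlist
        !seen[name]++ { printf "local-zone: \"%s.\" %s\n", name, ztype }
    '
}

# count_zones: number of local-zone lines on stdin (handy for sanity checks)
count_zones() {
    grep -c '^local-zone: ' || true
}

# Stand-alone usage: print the generated Unbound fragment for the sample list,
# answering blocked names with NXDOMAIN and allowing tracker.example.net through.
printf '%s' "$SAMPLE_HOSTS" | hosts_to_unbound always_nxdomain "tracker.example.net"
```

`always_nxdomain` makes the client see the name as non-existent, which most apps handle more gracefully than the classic `static` zone (which answers with a sinkhole address and leaves the client waiting on a TCP connect that never completes). I assume the generated fragment is dropped into the directory OPNSense reads extra Unbound options from (on my install that is under /usr/local/etc/unbound.opnsense.d/; check your version) and that Unbound is restarted afterwards; run `unbound-checkconf` on the resulting configuration before trusting it, because a single malformed line will keep the resolver from starting and take your whole network’s DNS down with it.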

Why not VyOS, you ask? Why not use the network operating system that I mastered on the ERL and enjoyed for years? The number of plugins for OPNSense (and pfSense) is so much larger that I simply got spoiled. Or old. Or both. :-)

I also like the OPNSense release cycle, its community and its planned features. Heck, I am even tinkering with a plugin or two to add to the OPNSense repository!

Let me know, what do you use on the edge of your home? And why? Would you like to know how my OPNSense is configured?

--

Miha Kralj: Software Engineering Nerd