pfsense VS OPNSense

  • Published on 27 May 2024
  • Where to get OPNSense opnsense.org/
    Where to get pfsense www.pfsense.org/
    Our pfsense tutorials
    lawrence.technology/pfsense/
    The Fork statement
    docs.opnsense.org/history/the...
    Feature Comparison of the OPNsense Plugin Sensei by Sunny Valley Networks
    homenetworkguy.com/review/opn...
    FreeBSD Wireguard Commits
    git.zx2c4.com/wireguard-freeb...
    ⏱️ Timestamps ⏱️
    0:00 Intro pfsense vs OPNSense
    2:33 m0n0wall pfsense OPNSense history
    3:38 OPNSense fork
    4:41 OS Differences and Security
    7:33 OPNSense pfsense domain controversy
    11:55 Real World Business Usage
    14:50 Interface Differences
    19:58 IDS IPS Snort Suricata
    21:50 Wireguard
    24:06 OpenVPN
    24:55 Packages
    27:04 Diagnostics
    29:33 Logging
    #Firewall #pfsense #OPNSense
  • Science & Technology

Comments • 376

  • @LAWRENCESYSTEMS 3 years ago +44

    Where to get OPNSense opnsense.org/
    Where to get pfsense www.pfsense.org/
    Our pfsense tutorials
    lawrence.technology/pfsense/
    The Fork statement
    docs.opnsense.org/history/thefork.html
    Feature Comparison of the OPNsense Plugin Sensei by Sunny Valley Networks
    homenetworkguy.com/review/opnsense-sensei-feature-comparison/
    FreeBSD Wireguard Commits
    git.zx2c4.com/wireguard-freebsd/log/?ofs=100

    • @nathanielbest3541 3 years ago

      Question regarding pfsense. Have you found it necessary to change the UDP timeout settings for any of your customers as it pertains to their VoIP services? I know on some firewalls and/or routers, this is strongly recommended. At one time I did set the UDP timeout on my pfsense build to 300, however I made the mistake of doing testing on my production firewall and had to recover it. After recovery, I decided to leave it set at the default settings, whether I changed it or not, I've not seen any evidence to suggest that pfsense has an issue maintaining a UDP session.

    • @christophepeetersbree779 2 years ago

      It's a wake-up call, everyone left Netgate/pfSense.

    • @ilikehiking 1 year ago +1

      pfSense is not open source anymore.

    • @LAWRENCESYSTEMS 1 year ago +1

      It is open source with closed source add-ons.

    • @ilikehiking 1 year ago +1

      @LAWRENCESYSTEMS That's an interesting way to refer to a closed source fork.

  • @markarca6360 3 years ago +46

    One thing I like about OPNSense is built-in ZeroTier One support through a community plugin.

  • @erl-grey 3 years ago +112

    19:15 automatically generated rules are hidden by default to keep the interface a bit cleaner in opnsense, you should find it when you click on the dropdown.

  • @Filakhtov 1 year ago +15

    Thank you very much for this side-by-side comparison and a history lesson. One thing I think is worth adding, which is also the only reason I pick OPNSense over pfSense these days is the availability of the official API. I am running OPNSense as a VM and I have automation tools that allow changing things over an API… so the tool would take a snapshot, apply changes and perform a quick test. If everything goes well - it discards a snapshot. If something goes sideway - it just restores the snapshot and reports the problem for me to look at. This can be even more powerful in the HA setup.

  • @beauregardslim1914 3 years ago +50

    Security is about trust. If you can't trust a vendor on the business side (domain scandal) and the technical side (wireguard mess), I don't know why anybody would stick with it.

    • @biomerl 2 years ago +3

      Enterprise and hardware support

    • @JosephHalder 2 years ago +9

      They've been in the game for a long time as a contributing BSD member, and have no reason to not trust their software. Was buying that domain scummy? Yes, they probably thought they were being slick/smart/snarky, no they shouldn't have done it. There's no reason to think their Wireguard work isn't being done in good faith.

  • @jonathanwoodard1204 3 years ago +44

    Finally!!! Thank you for doing the comparison!

  • @G0nz0uk 3 years ago +13

    I moved over to OPNSense and prefer it now. I've also got Grafana and not setup too.

  • @BrianThomas 2 years ago

    Thank you for navigating this topic. Despite all of the controversy that's all over this subject. You did a great job as always in explaining things without ranting and throwing more mud.

  • @notsure7874 2 years ago +6

    Thank you for acknowledging the time issue. YT vids have dates on them, but well over half the articles / techie how-to's and whatnots don't have the most basic journalistic feature ... the date. Or even a version you can deduce an approximate date from.

  • @Pray4ragE 3 years ago +1

    Thank you! Was deciding where to begin with open source firewalls and this video helped me solidify my choice.

  • @heikokraemer2735 2 years ago +32

    Job listings (LinkedIn, Germany): pfsense: 49 / OPNSense: 16

    • @scottylans 2 years ago +2

      I feel like this will slowly change as opn gets more popular.
      Pfsense has become "uncool"

    • @RatoAx 1 year ago

      What they hire you based on what platform you are a fanboy?! 😅

    • @bigpickles 10 months ago +3

      @RatoAx Professionals don't even use the word "fanboy". They're hiring for experience...

  • @talbech 3 years ago +33

    Thanks for taking the time to review these two great products. I have customers using both products and must say they are very similar and it all comes down to personal preference with regards to the UI. I wish you had spent a little more time on OPNsense before comparing though.

  • @joseroda5863 3 years ago +11

    Thanks Tom for this review and side by side comparison. I think you did a great job staying unbiased while throwing some personal pepper to the products. After all, everyone comes here to hear your opinion and not to hear what he/she wants to hear, so your subjective opinion also matters as long as it is funded. Thanks again.

  • @fourtwanky 3 years ago +10

    Thank you for reviewing this in the way that you did! I was not expecting this video, and I'm SO GLAD you did this video! I love using OPNsense, and I'm really glad to hear your opinion of its comparison to pfsense.

  • @somewhereoutthere8801 3 years ago +19

    Great job giving a well balanced overview of both systems. You’re definitely right to insist on the common origin of both systems. Have some common sense!! Love it

  • @therevoman 2 years ago +1

    I've been waiting for this video for EVER... Literally.
    Thank you, thank you, thank you. Your opinion and perspective align with mine in many areas and I respect your reviews.

  • @satamototo 3 years ago +10

    Good work, First step is done. Now if you go deeper in Sensei, will find it very useful, even without subscription. In the web filtering you can set preset to Permissive, Moderate or High and after put in User Defined Categories whatever you need. Works like a charm and not slowing down the web like a proxy.

  • @robertmartin6486 3 years ago +75

    Drinking game: one shot each time Tom says “Nuances”

    • @LAWRENCESYSTEMS 3 years ago +21

      🍹🍹🍹🍹 🍹🍹🍹🍹 Hmm I should do a transcript and a word count. It was my word of the day for sure!

    • @tbeehler 3 years ago +8

      You fool! You'll kill us all! :)

    • @cfgdr3 2 years ago +6

      I'll drink to that!

    • @sharkey086 2 years ago +2

      We'd be needing our stomachs pumped lol

  • @TudorGeorgescuNL 3 years ago +9

    The difference: in pfBlocker you do all the hard work; in Sensei Murat Balaban does all the hard work and you sit down and relax. Bonus: Sensei does not work at DNS calls level, it actually inspects the connections to see where they go to.

  • @vijgai3 2 years ago +12

    As a first time user, I find the OPNsense search & side menu way more user friendly. Again, that's just me.
    I don't use unbound. I have used NextDNS for a long time & have the CLI running on my OPNsense firewall. Works very well and gives me lot more control with kids in the house.
    OPNsense has snort as well in addition to suricata.
    The community is way more friendly on the OPN side to new users. The PF community seems very hostile from my experience to similar questions asked.

  • @christophepeetersbree779 1 year ago +16

    07:33 I used pfSense at home for 5-6 years before switching to OPNsense earlier this year, after an unsuccessful attempt to switch a couple of years earlier. The Netgate drama was a big part of my reason for wanting to switch, as was the Wireguard issue. On the latter, it wasn't so much that they'd contributed garbage code (they'd hired a dev whom they had every reason to trust to do good work), but their response when it became apparent that the code was garbage was to blame everyone but themselves. You provided this code, folks; you're responsible for it. Another point, not mentioned in this video, is that there's some serious question whether pfSense is truly Open Source--the claim is being made (and pretty credibly to my uneducated eye) that ESF/Netgate/whatever they're calling themselves now have not released all the source code, and that it's impossible to build pfSense with what they have released.

    • @PrivateUsername 1 year ago

      search for Wireguard
      Yep. Was hoping this was mentioned here.

  • @joshc8599 2 years ago

    This is perfect!! I was wondering myself before I built a new router. I am glad it was you covering it as I knew it would be a more in-depth coverage.

  • @jeffellington13 3 years ago +2

    Tom, fantastic objective review. Great job. Thanks for all of your great content.

  • @junejuan8561 3 years ago +11

    Features of opnsense that's killing pfsense
    Sensei
    Wireguard
    Netflow

  • @AlexChama 3 years ago +2

    This was a really, really good video and a very nice comparison!
    Thank you a lot for this!

  • @abigchair 8 months ago +4

    I know this is an old video but just wanted to let you know this was very very helpful. I did not know about the history, and this actually made me much more wary and cautious about trusting the stewardship of pfSense, and so I will select a more agnostic hardware solution.

  • @wilsonking965 2 years ago +2

    Look at the YouTube performance metrics on this video. I knew this topic would be a solid hit for your channel!

  • @chrcoluk 3 years ago +17

    Pfsense need to add outbound ipv6 rdr support, opnsense has it. Useful for forcing all outbound dns queries to use the firewall dns.

  • @TimmyMoza 2 years ago +1

    Really liked this review with a reasonable context and perspective.

  • @ChrisG9978 1 year ago +11

    I've always perceived OPNsense as a better option for non-enterprise, home or hobbyist use, whereas pfSense is somewhat more complex to figure out (for non-network engineers) and more suitable for business or enterprise use.

  • @Darkl0ud_Productions 10 months ago

    Thanks so much for making this video! After watching, I'm unfortunately still no closer to figuring out which one I want to go with... Even have them installed in Virtualbox so I have been playing with both and I like them both for different reasons. They are both so balanced on my personal scale lol!

  • @jlficken 3 years ago +24

    I like the OPNSense interface a lot more than pfSense. If I ever switch from Untangle it will be to OPNSense.
    I also really liked Sensei when I played with it.

  • @PhilipBonev 3 years ago +15

    Thank you. Great video. I use pfSense at work and OPNSense at home. Main reason for OPNSense at home is WireGuard. For me both are equal feature wise and little different in presentation, but both work great.

    • @JustinShaedo 1 year ago

      I think pfSense heard you and that's why they've put so much effort into WireGuard in the last year!

    • @bsd107 1 year ago

      Thanks for your feedback - very helpful!

  • @nonoagain6547 3 years ago +6

    I only chose to go with pfsense because of your videos on how to set it up 😅

  • @JPEaglesandKatz 2 years ago

    Honest and objective look at both of them.. Very helpful video!!!

  • @code8986 1 year ago +2

    Thank you for such an informative and unbiased comparison.

  • @lonniebiz 2 years ago

    Thanks for doing this video. I was very curious to hear a comparison of this on YouTube.

  • @JamesT65 1 year ago

    Just stumbled on this video and enjoyed the explanation. Thanks

  • @beepboopbeepboop190 3 years ago +11

    Thanks for doing this video. I like opnsense, but would be equally fine with pfsense. When I set up my homelab I researched both, saw that the important bits were close enough to being the same, so I just went with what looked like it would be the easiest for me to get familiar with. Ended up being opnsense but in all of the videos and articles I've seen on pfsense since then I think it wouldn't have mattered one way or another. With the amount of "passionate" opinions people have on these two, you'd think there were massive differences between them or something like xp vs os x. Instead it's more like hoagies vs heroes.

  • @sussudio4384 2 years ago +4

    We are in the process of migrating from pfsense to opnsense at my job for colleges and high schools. What caught our attention was the application filtering that pfsense does not handle.

  • @bocaJWho 3 years ago +1

    In addition to the security issues, I think many companies don't disclose their product stack out of concern over IP issues. It's a lot easier to put together a plausible claim for patent infringement if you can say "and their network uses X software including Y code that practices claim Z" than if it is entirely a guess.

  • @TheJensss 3 years ago +2

    Finally, been waiting for this video 😁

  • @hawks5196 3 years ago +15

    Love your videos, so detailed from a professional point of view! I run OPNSense at home and very often just use PFSense tutorials to get stuff set up as it’s pretty much the exact same 😂 (there’s also very little tutorials on OPNsense compared to PFSense)

    • @ricsip 2 years ago +2

      The biggest issue of opnsense is the lack of decent QUALITY documentation. Yes, indeed, there exist all sorts of document-looking written texts on their site. But when you take your time and sit to really read them through, you realise they lack any explanation or intent to explain how it works, just give you some damn stupid example without any extra detail. Many of their document sections aren't worth a penny.

    • @boltthrower3215 9 months ago

      @ricsip This is 100% true even today… and one of the reasons I don’t like Ubiquity and all these plastic crap.
      Pfsense does a great job

  • @garyadams7913 3 years ago +9

    Tom, I am with you, it is a matter of preference and mine is pf-Sense. I like the UI (more concise) better and pf-BlockerNG. One more thing, you are right about the docs, pf-Sense docs are much better

  • @Numian 3 years ago +9

    What is that CommonSense which we should use? Another fork? Can you make a review of it please? LOL :-D

  • @astronomos826 3 years ago +2

    I like Opnsense because of API. It is very easy to create system of dynamic change of hosts aliases.
    I've created the changes to the Opnsense api that allow to drop all current connections that already not allowed by the firewall rules after alias change.

  • @jasonantes9500 3 years ago +4

    I was a pfSense user until they were going to require AES-NI, which my hardware doesn't support. I decided to migrate to opnSense. Well, they decided not to make it a requirement after I had migrated and been running on opnSense for a while. Just decided not to switch back. There were things that annoyed me about pfSense and there are things that annoy me about opnSense. Overall, the documentation and available knowledge for pfSense is better. When looking for answers to something I don't understand in opnSense I usually only find the answer from a pfSense perspective or have to filter through a ton for pfSense before I find the 1 post on opnSense. I can mostly hash it out but sometimes they are different enough that I'm just stuck. I think they both did and do an excellent job.

  • @rpsmith 3 years ago +6

    The bottom line for me, there is way more online support for pfSense than you will find for OPNSense. And unless you are a firewall guru, you will value that support!

  • @succubiuseisspin3707 3 years ago +5

    I like the firewall live view with the filter options in OPNsense but I could not find it in pfSense - do they have something similar?

  • @petermuller608 3 years ago +4

    I remember contemplating whether to switch from fli4l to m0n0wall in the early 2000s. Thanks for the trip down memory lane :)

  • @daphbobo 3 years ago +4

    Hi Tom, as always great video. for me, they both have almost same things. I find pfSense more user friendly. opnsense UI feels scattered.. for me their placement of diagnostic tools make no sense. for example i had to spend some time to find ping tool, i would have guessed it would be under diagnostics.. but seems it's scattered. another thing is openvpn client export tool. pfsense give a nice installer for windows with cert and key and openvpn program itself. whereas in opnvpn it gives an archive of config, cert and key. also setting up GeoIP in opnsense was a bit confusing for me from adding a url and inserting license in the url, creating an update schedule and floating rules.. but in pfsense it was very easy to navigate through all, it made sense to me.. one thing i didn't like was pfsense didn't have sensei.. pfsense has pfblocker, which is a DNS sinkhole.. whereas sensei is application aware.. i think it uses application signatures and identifies apps at higher layers.. also sensei is free for most home and small office use cases... licensed version gives a bit of customization.. free version have presets to allow deny apps and categories. I have had a scenario where i couldn't use pfblocker, I have vpn users who use openvpn with corporate DNS servers for remote work. pfblocker wouldn't work for me since am passing corp DNS to vpn clients and pfblocker was not seeing DNS requests since pfsense was not involved.. whereas sensei worked perfectly. they are both great firewalls full of features. but sensei is really nice to have. a free application aware firewall.. i've had to spend a lot on application filtering on all other devices.. cisco and checkpoint. for me, pfSense selling point is user friendliness and ease of use.. OPNSense, sensei. that's all

  • @poldelepel 3 years ago

    thank you for your vision!

  • @kylecurry6841 2 years ago

    I worked for an MSP in my area... And as you pointed out being an MSP business, you work with what's popular in the wild. I will say though, that 0% of my Linux foundings occurred while working there given they were so focused on "what's popular in most businesses" that they only worked with Microsoft based OS's both on the client/ workstation end, and even though I wouldn't entirely recommend desktop Linux for organizational use (maybe in certain cases it be ok), I wouldn't say the same concerning servers which speaks for itself even though I'm not bashing WinServer... All in all I can understand the potential profit model behind reselling MS products vs Open source.
    Concerning OPNS vs PFS... Hands down, I've had more PFS background, however I have dabbled with OPNS lately on account of their cellular based packages which is nice given you can run it on IoT project boards (not saying you can't with PFS, but documentation might be less available).

  • @LampJustin 3 years ago +1

    I love that you don't have the pf sense sticker on your laptop. Wow great attention to detail! :)

  • @TechySpeaking 3 years ago +4

    Welp, I just spiraled down a rabbit hole of "what exactly is BSD?". Thanks for that :)

  • @bensavage6389 1 year ago

    after watching this it made me satisfied that I delayed trying out the fork. I just stuck with pF sense lazily and so far it's been pretty dang stable. the upgrades were flawless. I do wish PSS would work on their menuing system, it is difficult to keep track. maybe a recently used or favorites menu? every user is different so they should be able to have their own favorites. I like what the fork project did with the filter text box, but I think favorites would be more useful or a great addition for both of them to be included. PF sense really needs to get things moving

  • @chrismirchandani8895 1 year ago +1

    There are still things that pf can do that iptables can't do or can't do nearly as well. One is the route-to option that allows on the fly policy based forwarding in filter rules. While not specifically a pf function, I believe pf based firewalls like pfSense handle multi-wan better than iptables based firewalls. Another is the use of ip lists with hostnames. The open source linux based firewalls designed for commercial use that would be comparable to pfSense and OPNsense seem to lack much in these areas.

  • @65matt75 3 years ago +8

    If netgate wants to have 2 versions of pfsense, one that paid for and has additional features above the free CE versions that's fine. The problem is recently features that are identical between the 2 that are broken/bugged, like some multi-wan setups among others, are being fixed in the paid version but the CE users are being told not to expect fixes till the next major point release 2.6. Even though the code is already fixed and released in the paid version they are deliberately withholding those fixes from CE, one can only assume this is a strong armed tactic to try and force more people into the paid version. Those kinds of business practices will be the beginning of the end for them if they continue that way.

    • @LAWRENCESYSTEMS 3 years ago

      Not sure what makes you think things are being fixed in the paid version but not in the CE, got a link to back up that claim?

    • @65matt75 3 years ago +6

      @LAWRENCESYSTEMS www.reddit.com/r/PFSENSE/comments/n2hvho/251/
      www.reddit.com/r/PFSENSE/comments/nlwpsx/nat_bug_in_v251/
      This issue was already resolved in the plus edition but netgate stated wouldn't be fixed in CE till 2.6 because they wouldn't be releasing a 2.5.2. We know how slow netgate are in making release from say 2.4 to 2.5, 2.6 could be 2 years away. It now sounds like just recently in like the last day they have relented and now say there will be a 2.5.2 with the fix included.

    • @TiagoJoaoSilva 3 years ago

      Well, if that's an issue, welcome to modern Open Source, where companies want to survive and need to give paying customers some reason to continue paying. OPNsense non-business stays on x.0 until the next release, all patches are only given to the Business Edition - maybe you can build OPNsense yourself if you want them. Bareos does exactly the same; with VyOS you only get a stable version if you pay, the community edition is the nightly, it's not even a rolling release. Of course, you can build it yourself...

    • @LAWRENCESYSTEMS 3 years ago +1

      @65matt75 Ahh, getting your misinformation from reddit, head over to here redmine.pfsense.org/versions/65 where you can see how the development is done and that there is indeed a 2.5.2 version coming that does fix the issue.

    • @65matt75 3 years ago +9

      @LAWRENCESYSTEMS If you read my last reply I said that there was now going to be a 2.5.2. This was not the case till just today or so. You can see here redmine.pfsense.org/issues/11805 that the last update says that 11hrs ago they decided to move the fix up to a 2.5.2 instead of their originally planned 2.6 release. Netgate had stated in previous replies to those issue that the fixes would NOT come till 2.6 and there wouldn't be a 2.5.2, that was stated by actual netgate reps replying to posts. So yes they were holding back fixes, at least this one.

  • @pappyman179 3 years ago +9

    Full disclosure, I don't run either of these firewalls, so I have no dog in this fight. I've tried pfsense and it lacked the drivers for one or more bits of hardware in 3 of my computers, so it wasn't worth my time to build the drivers to boot an OS I don't even like, just to try-out some software. Opnsense had the drivers I needed in all those cases, so I played with it a bit on various hardware platforms.
    I currently run OpenWRT with a ton of add-on software on my commodity router and I haven't wanted to do anything that OpenWRT didn't have a solution for already. On my router, I currently run Mosquito, Dynamic DNS, DNS, HTTPS DNS proxy, local DNS caching and recursive DNS forwarding, UPnP, DHCP, QOS, ZeroTier, OpenVPN, AD blocking, 3 wireless AP channels on 2 frequencies, port forwarding, and NTP.
    I installed a hdd and squid once for fun, but I was caching for 1 workstation and it was slow AF, so what's the point? All this on a $50 commodity pig that I bought on Amazon last year (and a ton of 'free' time tweaking things).
    Having said all that, I felt like your presentation was a bit biased. Beyond being more familiar with one software, your entire way of thinking and solving problems was being framed by your familiarity with those tools and how they are organized.
    When you defend a pull-down combo-box of non-alphabetical choices, that exceeds the length of the screen, as a superior organization of ANYTHING, you need to step back and do a reality check. You have spent so much time in that familiar paradigm, that you don't even know the only tool you're holding is a hammer.

    • @pappyman179 3 years ago +2

      I forgot to add that I appreciate your content and watch all your videos until that ending trailer and I'm not shy about hitting the like button on nearly all of them. Including this one. :)

    • @saywhat9158 3 years ago +2

      lol...I remember my initial frustration with the pfsense UI menu options before being forced to learn where they put things. It is like going to someone else’s house to borrow their lawn mower and they tell you it is in the bedroom near the refrigerator and you ask them why and they tell you because that is where they put it.

    • @joseroda5863 3 years ago +2

      Regarding GUI, I do like opnsense better due to the logical grouping and presentation. You tend to learn it easily. That said, I find pfsense GUI much more efficient. It takes two clicks and two mouse movements to do what opnsense would require 4 or 5 clicks. So beauty vs efficiency. If guess that's what Tom meant.

    • @SpookyLurker 3 years ago +1

      One thing that irks me about OPNsense is the click-happy menu at the left.. going by what I see in the video.
      OPNsense needs a black background.
      Presently pleased with pfSense!

  • @thirdenvoqation7735 3 years ago +8

    When I set up my firewall I used OpnSense over PFSense as they had native 2FA Support, even now I'm not sure if PFSense has that feature. WireGuard is now an added bonus even if it's living in US instead of Kernel. Overall, I felt the community has been overly hostile to anyone that uses OpnSense over PFSense especially first time users when I've looked up how to's. A fallout of the old Opn/PF wars from years ago. It's almost like the greybeard Linux vs MS debate now despite all the changes in the years since.

    • @AzraelTAAOD 2 years ago

      Both of them do support wireguard. For pfsense it was added in 2.5.0 (but rushed), removed in 2.5.1, and then re-added in 2.5.2, I believe.

    • @DocNo27 2 years ago

      @AzraelTAAOD Rushed? Half-assed is more like it! Almost corrupted the FreeBSD kernel with their stupidity. Screw netgate - they are NOT trustworthy.

  • @notpublic7149 3 years ago +22

    Ah! My gawd, thank you sir! Side by side - not a rant video about why one is the *best*. Subjective. What are they? Pfsense I have used (daily) since early 2009 or so? Interested in opensense but not want a rant vid. Thank you.

  • @mms-rp8gh 3 years ago +1

    Thanks! I like that you tend to keep an open mind on the topic. Looking forward to your videos like "linux vs *bsd", "vim vs emacs" etc. :)

    • @mms-rp8gh 3 years ago

      oh... didn't know they decided to drop hbsd and focus on pushing their patches to fbsd. and i know now! :)

  • @eksadiss 2 years ago +3

    First time I've ever seen somebody actually logged into Wikipedia

  • @Voigt_Analytics 7 days ago

    Crowdsec is natively (by one click) installed on OPNsense. That's a huge benefit over pfSense. Especially on a firewall device.

  • @mutosanrc1933
    @mutosanrc1933 2 years ago +1

    good compare. Due to the fact that I am not good in networking I am exchanging my opnsense box with an ubiquiti box.

  • @GregTheHun
    @GregTheHun 2 years ago +1

    Yeah, their version of pfTop where you can filter better is under "Firewall > Log Files > Live View"

  • @ovicencio
    @ovicencio 10 months ago

    Hi, Lawrence, is this debate still the same now in July 23, a bit more than 2 years after this video? Thank you in advance, a subscriber and promoter of your channel. 😀

  • @DanielAwesomesauce
    @DanielAwesomesauce 3 years ago +2

    Thank you Tom!

  • @krizzo
    @krizzo 3 years ago +1

    @3:00 This same question came up even back then IPCop vs Monowall vs smoothwall. Which is best!? Tell me please?! @33.23 Great explanation. I've gone back and forth on which one I'd want to run. Laziness in the fact I'm running PFsense already is what's keeping me from doing anything about running or switching. Both look like they have benefits and drawbacks. I'd like all logs together but the diagnostic separate is nice and the global search is as well. Every time I needed to search for the "Halt System/Reboot" since you don't do that often with firewalls, I finally have it burned in my mind where it is under the diagnostic section. Great video.

  • @eece95776
    @eece95776 3 years ago +1

    Over beers, a colleague who supports an environment I supported over a decade ago tells me they are still running the MonoWall I built for them... in 2004, on a Gateway 2000 desktop. LOL, I choked on my beer!

  • @aaronchamberlain4698
    @aaronchamberlain4698 3 years ago +2

    Thanks for the comparison. I went with OPNSense just because the Menu makes more sense but now I’m debating things because I’m looking at some of the L7-ish stuff available is Snort. Don’t know…

    • @geroldmanders9742
      @geroldmanders9742 2 years ago

      Whether it is still helpful or not, OPNSense also supports 3rd party packages and there is one for Snort. I have not used it myself on my OPNSense instance, so can't tell you if that package is any good or not. Assuming it is good, you do not have to be Snort-less with OPNSense.

  • @michnl1772
    @michnl1772 3 years ago

    Hi Tomz, I know you're using/used Suricata; is the package Zeek the same, or are you familiar with it? Greetz, Mich.

  • @blueguitar4419
    @blueguitar4419 a year ago +2

    OPNsense has unboundDNS blocklists which work similarly to pfBlocker or PiHole. I find PiHole to be superior in features and detail to both of them.

  • @davidrobertnewman
    @davidrobertnewman 2 years ago +4

    Good, evenhanded comparison. Thanks.
    At one point you cite Netflix, iXsystems, pfSense and OPN as the leading BSD projects. There are others. NetApp storage appliances are BSD-based, for example. Juniper routers and switches started with FreeBSD. And all Apple MacOS/iOS/iPadOS devices are arguably BSD descendants: All started with a Mach kernel and an old (4.3? Not sure) BSD userland, and forked the BSD part from there.
    Personally, I run pf on OpenBSD. Who needs GUIs? :-P

    • @dylanneild2580
      @dylanneild2580 a year ago +1

      Late, but the PlayStation 4, 5, and Vita operating systems are all based on FreeBSD as well. They sold a few PS4s. :)

  • @YeOldeTraveller
    @YeOldeTraveller 3 years ago +2

    I was surprised to see this video, but you covered the topic quite well.
    I looked at OPNsense last year, but I found their community less than helpful and the documentation lacking.
    pfSense did everything I needed it to do, there was documentation that covered the core product in detail (some of the packages not so much), and the hardware I purchased from Protectli was known to work with pfSense.
    That is not to say that I have not had issues with the way NetGate handles things, or some of their decisions.
    At this point, I will likely stay with pfSense until it no longer works for my use case.

  • @samadams4582
    @samadams4582 3 years ago +2

    Mac OS is also very large on FreeBSD. Apple's Darwin kernel is based on FreeBSD.

    • @jimthompson971
      @jimthompson971 3 years ago +2

      Darwin is not based on FreeBSD, it’s based on Mach. OS X uses FreeBSD for user land applications, not the kernel.

  • @vaidkun
    @vaidkun 3 years ago +14

    from my limited experience with opensense (running in lab vm), I got feeling that opensense is catering more to consumers/semi-prosumers with advanced features relegated to other category in menu or even hidden, lots of eye candy and more "modern consumer" oriented (IMHO). while pfsense is more complex for novices and brings lots of more complex features to the front, shows more stuff not necessary for most, so it may feel more clunky experience for most basic users.

  • @longtranhoang3622
    @longtranhoang3622 a year ago

    Thank you so much. I intended to buy a modem for my home. Between Netgate and Protectli, I don't know which one I should buy. Could you give me a suggestion? 😄

  • @JayTownsend1
    @JayTownsend1 3 years ago +3

    If I recall correctly you would see the rule that you did for the nat in the wan automatically generated rules when you do a filter association rule

    • @Stricken8592
      @Stricken8592 3 years ago

      It becomes an automatically generated rule which is hidden by default, just have to toggle on the view all rules to see it.

  • @solomonshv
    @solomonshv a year ago

    after having trouble with an edgerouter in my home lab set up, i went to build my own firewall and i chose opnsense simply due to the hardware support. pfsense seems to be lagging with the kernel upgrades, therefore leaving hardware support for newer (and sometimes older) hardware. i'm not doing anything fancy, just need a router/firewall that won't shit the bed anytime traffic gets heavy, which was a problem for me with linksys and edgerouters in the past.

  • @cinlung
    @cinlung 3 years ago +4

    This is the first time a tech said that tech needs money to live.

  • @jeffm2787
    @jeffm2787 3 years ago +2

    Firewalls are not the weak point in most networks. It's people.

  • @ramziboutaoua3298
    @ramziboutaoua3298 2 years ago

    What Netgate category is recommended for a production network of 100 users and 40 external access?

  • @dpscribe
    @dpscribe 3 years ago

    Have you had any conversation with other people who use VyOS in work environment, and what were the pros and cons for them using VyOS?

  • @NickOfTime99
    @NickOfTime99 3 years ago +1

    this is weird....I was just looking for a video like this from your channel!

  • @Crying-Freeman
    @Crying-Freeman 3 years ago

    speaking of logging, isn't EFW better than both pfsense and opnsense in this regard?

  • @scholziallvideo
    @scholziallvideo 8 months ago +1

    hi,
    i prefer OPNsense because there you get many more updates and don't need to wait half a year for updates.

  • @voiceoftreason1760
    @voiceoftreason1760 3 years ago

    I'm just getting my feet wet with this and considered I'd install them both as part of a multiboot, and then try to install them in proxmox as well to see how that goes. I ran into the issue that the OPNsense installer didn't let me manually partition my GPT disk and the only option it gave me (for GPT) was wiping the whole drive and installing OPNsense over all of it, but that doesn't seem to make much sense. I don't really know any BSD partitioning stuff so couldn't find a way to install OPNsense on my hardware, whereas PFsense did allow me to make a separate GPT partition for it and it did nicely add a UEFI NVRAM boot entry.

  • @vonkruel
    @vonkruel 3 years ago +8

    The domain squatting episode gave me a fairly bad impression of pfSense. They also go after anyone who sells hardware with pfSense installed, claiming that it amounts to "selling pfSense". Actually what you'd be selling is the hardware itself + the _service_ of pre-installing pfSense to save your buyer a little time. You can't sell freely available software; you can only sell _services_ around that software (installing it and/or configuring it to suit a particular customer's needs).
    Otherwise, although I prefer the way the OPNsense UI is organized, I still recognize pfSense as a sound choice. Particularly for a larger-sized business I'd be more inclined to recommend pfSense.

    • @jimthompson971
      @jimthompson971 3 years ago +1

      Not true. We defend the trademark(s).
      You can sell preloaded pfsense as long as you correctly use the marks and are using genuine pfsense software.

    • @thegorn
      @thegorn 3 years ago +3

      @jimthompson971 weren’t you the one who set up the mean, nasty, vicious opnsense domain squatting?

    • @vonkruel
      @vonkruel 3 years ago +2

      @jimthompson971 I'm glad to hear this, because I got a different impression from a Reddit thread awhile back. The mantra from the Netgate person(s) in that thread was "don't sell pfSense", and I got the impression that you'd have to fork it in order to sell hardware with "MyOwnCrappyPfSenseFork" installed. In trying to interpret Netgate's position on this, it didn't help me that "selling pfSense" doesn't make sense as a concept (since anyone can install and use it free of charge).

    • @jimthompson971
      @jimthompson971 3 years ago

      @vonkruel it's always been about policing the trademarks, which we are required to do. You can refer to *genuine* pfSense software as "nominative use". You can *not* sell a "pfSense firewall" or "pfSense router", because trademarks are about the "source" of a good or service. Genuine pfSense software comes from the source of pfSense. A "pfSense firewall" or similar term must also.
      Reddit is full of disinformation. There are many on reddit (and elsewhere) that claim "pfSense is not open source", but the source code is right there on GitHub. If we spent all day fighting the disinformation, we would not have the time or resources to advance the software.
      Obviously(?) if you change the software (in any way), then it is no longer genuine pfSense software and the trademark can not be used.

    • @vonkruel
      @vonkruel 3 years ago +2

      @jimthompson971 I dug up the thread. 3 years ago, on /r/PFSENSE OP asks "Absolutely No Commercial Distribution Is Allowed?". I believed that the Reddit users "Netgate" and "pfsense-ivork" were actually speaking for the company, and I was trying to understand Netgate's position on the matter based on their comments. Obviously(?) I got the wrong idea.

  • @jaimeduncan6167
    @jaimeduncan6167 a month ago

    Very good overview thanks. Side note: It’s sensei like the Japanese for teacher 😊

  • @sagarsriva
    @sagarsriva 2 years ago

    great video as always

  • @hhectorlector
    @hhectorlector 8 months ago

    good stuff. I'll go with pfSense

  • @thestig3537
    @thestig3537 3 years ago

    Citrix uses FreeBSD for Netscaler if I remember correctly. Sony uses Orbis (FreeBSD fork) on PS4 and probably PS5.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +3

      Using a project is not the same as donating back to the project.

  • @DavinderKundi
    @DavinderKundi 3 years ago

    pfSense? OPNSense? - just use some common sense. Brilliant way to finish off this video. Many thanks for the time and effort you put into these!

    • @jeremyself6984
      @jeremyself6984 3 years ago

      Time to fire up the fork engine and create COMNSense

  • @ecotts
    @ecotts 2 years ago

    One thing which is cool about OPNSense is it has ET Pro Telemetry edition for free

  • @rob21
    @rob21 2 years ago +1

    pfBlockerNG is the killer feature of pfSense and I will stay with it for as long as that plugin is around. I could care less about the political fights between the two groups. Protecting my house trumps all that nonsense.

  • @lorenzo42p
    @lorenzo42p a year ago

    I used brazil firewall for many years. it worked great on an old pentium 100. could even boot from a floppy and run diskless

  • @kbnguy
    @kbnguy a year ago +1

    Internet: pfsense or OPNsense?
    Tom: Common sense!

  • @drcamp8843
    @drcamp8843 2 ปีที่แล้ว +1

    I would have continued using pfSense if the people running the company wouldnt be that arrogant.
    Also retiring older hardware by requiring AES-NI made me switch to OPNsense. I dont regret it at all!

  • @G-DUB83
    @G-DUB83 2 years ago +1

    I used smoothwall for a long time then switched to OPNSense