About 6 months ago, I switched from a Mikrotik router/firewall to an OpnSense homelab firewall. This is my first foray into OpnSense, or any BSD-based firewall for that matter. I have no regrets, and I'll share some of the things I really enjoyed about it.
Having an open-source firewall is probably the thing I missed the most since I stopped using Shorewall over 5 years ago and moved to a RouterBOARD RB800. I had some impressive hardware in the RB800, but it was limited by what the vendor allowed me to do with it. Since it wasn't pure Linux, I couldn't use upstream packages; I had to rely on whatever they implemented. In this case, the rub was specifically OpenVPN. They supported OpenVPN, but only barely: I could do TCP-based VPNs, and not much else. There's a forum post about how UDP support is "coming," but they've been saying that since 2012, so I'm not sure it's ever going to be delivered. OpnSense supports OpenVPN as part of its core offering, and it works wonderfully.
In addition to OpenVPN, I have access to things like vnStat, speedtest-cli, and other interesting networking possibilities. To be fair, the last one is also available on Mikrotik, but the first two are not. I could probably have set up that functionality, but it would take a great deal more work than it does now. speedtest-cli would never work on the RB800; I'd have to run that on a different host anyway. It's not critical that I have these things, but they give me better visibility into my internet service and whether I'm getting what I paid for.
Finally, updates are far more frequent on the OpnSense homelab firewall than they were on the Mikrotik. That's both a good and a bad thing. Good: I'm more up to date on security fixes and features. Bad: it affects the firewall's uptime and can introduce more bugs. In my practical experience, the good outweighs the bad. If you enjoy tinkering, which is probably why you set up a homelab in the first place, you'll like the frequent updates. If you want a rock-solid internet connection and never want to mess with it, you can choose to update less frequently 🙂
A powerful UI
OpnSense has an excellent web UI. Even if you're a beginner at firewalls, they have done a lot to make it easier to configure your homelab network. They even include some things that make it easier to do hairpin NAT (OpnSense calls it NAT reflection), which I've never been successful at implementing. I'm pleased with the dashboard and the ability to customize it to display the things I'd like to see. Plugins, like the WireGuard one mentioned later, even integrate with it, enriching what you can present.
It supports local NetFlow analysis (Insight), which is great for a quick view of what's going on through your firewall. You can also export that NetFlow data to something more powerful and dedicated to analysis.
One of my favorite things is the ability to extend it. OpnSense has a plugin repo that accepts contributions and already has some useful software in it. Three things in particular for me:
vnStat
I love having bandwidth usage statistics for my network. I don't really do anything with them at this time, except enjoy them, because I've got uncapped gigabit fiber. It's very satisfying to have, however. And I've done a bit of work to allow my OpnSense homelab router to connect directly to the fiber, rather than going through an additional router from AT&T.
# vnstat -m

 ngeth0  /  monthly

       month        rx      |     tx      |    total    |   avg. rate
    ------------------------+-------------+-------------+---------------
      Feb '20    539.07 GiB |  921.82 GiB |    1.43 TiB |    5.01 Mbit/s
      Mar '20      1.10 TiB |  708.15 GiB |    1.79 TiB |    5.88 Mbit/s
      Apr '20      1.02 TiB |    1.47 TiB |    2.49 TiB |    8.44 Mbit/s
      May '20      1.56 TiB |    2.33 TiB |    3.89 TiB |   12.77 Mbit/s
      Jun '20      1.63 TiB |    1.95 TiB |    3.58 TiB |   12.16 Mbit/s
      Jul '20      1.97 TiB |    2.42 TiB |    4.40 TiB |   14.44 Mbit/s
      Aug '20      1.00 TiB |    4.19 TiB |    5.19 TiB |   17.04 Mbit/s
      Sep '20    807.40 GiB |    1.64 TiB |    2.43 TiB |    8.25 Mbit/s
      Oct '20    148.67 GiB |  765.34 GiB |  914.01 GiB |   11.49 Mbit/s
    ------------------------+-------------+-------------+---------------
    estimated    582.67 GiB |    2.93 TiB |    3.50 TiB |
You can kind of tell when the coronapocalypse started and a lot more video work from home happened.
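Eyeballing the table is fine for a gigabit line you don't pay per-byte for, but the same output is easy to turn into numbers you can alert on. The following is an added example, not code from the original post or from the vnStat project: it parses the monthly table shown above (the sample text embedded in the script is that table, copied from the post), converts every unit to GiB, and flags two things a practitioner cares about: a month whose total jumps well past the previous one, and a month where upload dwarfs download, which on a home link usually means offsite backups or something leaving the network that you should be able to account for. The 1.5x and 3x thresholds are assumptions chosen for illustration.

```python
"""Parse `vnstat -m` output and flag unusual months.

Added example, not from the original post. Assumes the vnStat 2.x monthly
table layout shown above: month, rx, tx, total, avg. rate, separated by '|'.
"""
import re

# Multiplier that converts each vnStat unit into GiB.
_UNIT_TO_GIB = {"KiB": 1 / 1024 ** 2, "MiB": 1 / 1024, "GiB": 1.0, "TiB": 1024.0}

# One data row: "Feb '20    539.07 GiB |  921.82 GiB |    1.43 TiB | ..."
# The header row and the trailing "estimated" row do not match and are skipped.
_ROW = re.compile(
    r"^\s*(?P<month>[A-Z][a-z]{2} '\d{2})\s+"
    r"(?P<rx>[\d.]+) (?P<rxu>[KMGT]iB)\s*\|\s*"
    r"(?P<tx>[\d.]+) (?P<txu>[KMGT]iB)\s*\|\s*"
    r"(?P<total>[\d.]+) (?P<totu>[KMGT]iB)\s*\|"
)


def _gib(value, unit):
    return float(value) * _UNIT_TO_GIB[unit]


def parse_vnstat_monthly(text):
    """Return [(month, rx_gib, tx_gib, total_gib), ...] in the order printed."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((
                m["month"],
                _gib(m["rx"], m["rxu"]),
                _gib(m["tx"], m["txu"]),
                _gib(m["total"], m["totu"]),
            ))
    return rows


def month_over_month_spikes(rows, ratio=1.5):
    """Months whose total exceeds `ratio` times the previous month's total."""
    return [rows[i][0] for i in range(1, len(rows)) if rows[i][3] > ratio * rows[i - 1][3]]


def upload_heavy_months(rows, ratio=3.0):
    """Months where tx exceeds `ratio` times rx; on a home link, worth a look."""
    return [month for month, rx, tx, _total in rows if rx > 0 and tx > ratio * rx]


# Sample input: the `vnstat -m` table from the post above (not constructed data).
SAMPLE = """\
 ngeth0  /  monthly

       month        rx      |     tx      |    total    |   avg. rate
    ------------------------+-------------+-------------+---------------
      Feb '20    539.07 GiB |  921.82 GiB |    1.43 TiB |    5.01 Mbit/s
      Mar '20      1.10 TiB |  708.15 GiB |    1.79 TiB |    5.88 Mbit/s
      Apr '20      1.02 TiB |    1.47 TiB |    2.49 TiB |    8.44 Mbit/s
      May '20      1.56 TiB |    2.33 TiB |    3.89 TiB |   12.77 Mbit/s
      Jun '20      1.63 TiB |    1.95 TiB |    3.58 TiB |   12.16 Mbit/s
      Jul '20      1.97 TiB |    2.42 TiB |    4.40 TiB |   14.44 Mbit/s
      Aug '20      1.00 TiB |    4.19 TiB |    5.19 TiB |   17.04 Mbit/s
      Sep '20    807.40 GiB |    1.64 TiB |    2.43 TiB |    8.25 Mbit/s
      Oct '20    148.67 GiB |  765.34 GiB |  914.01 GiB |   11.49 Mbit/s
    ------------------------+-------------+-------------+---------------
    estimated    582.67 GiB |    2.93 TiB |    3.50 TiB |
"""

if __name__ == "__main__":
    rows = parse_vnstat_monthly(SAMPLE)
    for month, rx, tx, total in rows:
        print(f"{month}: rx {rx:8.1f} GiB  tx {tx:8.1f} GiB  total {total:8.1f} GiB")
    print("month-over-month spikes:", month_over_month_spikes(rows))
    print("upload-heavy months:   ", upload_heavy_months(rows))
```

On the firewall itself you would feed it `vnstat -m` output instead of the embedded sample (for example `vnstat -m | python3 this_script.py` with a small `sys.stdin.read()` wrapper); the regex deliberately keys on the `Mon 'YY` column so the header and "estimated" rows fall out without special-casing.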
speedtest-cli
I'm also a huge fan of being able to test the speed from my router directly. Speedtests are pretty self-explanatory, so here's a result.
# speedtest-cli --secure --share
Retrieving speedtest.net configuration...
Testing from AT&T U-verse (18.104.22.168)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Sprint (Fort Worth, TX) [17.16 km]: 9.604 ms
Testing download speed................................................................................
Download: 843.77 Mbit/s
Testing upload speed......................................................................................................
Upload: 597.00 Mbit/s
Share results: http://www.speedtest.net/result/10219816671.png
WireGuard
With my Mikrotik RB800, I couldn't even get a decent OpenVPN service running. Sadly, they have an open request for a UDP-based OpenVPN implementation that's almost 7 years old now. I don't expect them to ever deliver on it. Given that, I don't expect them to ever deliver WireGuard support either. Fortunately, there's a wireguard-go implementation that works well enough on OpnSense (and other BSD-based systems). I don't know if there will be an in-kernel version like there is for Linux, because of BSD/GPL licensing conflicts.
There's a nice UI for WireGuard in OpnSense that makes it easier and integrates things nicely.
Documentation
The documentation for OpnSense is impressive. I spent a lot of time poring over it before taking the plunge. I wanted to know how it worked, how easy it was to configure, and how much fiddling I'd be able to do. Fortunately, the docs were excellent, and I felt really good about doing this.
pfSense
I could've used pfSense, and it was recommended on the server forums I have been reading. However, I've also read that it's a bit on the old side, and I enjoy tinkering with newer features. OpnSense is a fork of pfSense, based on HardenedBSD, and provides more features.
Shorewall on Linux
I've had extensive experience with Shorewall, and felt very comfortable building a firewall with it. I'd have to do everything by hand, but I'd have all the power in the world. I enjoyed my experience using the Mikrotik UI and configuring things that way. I had also never tried any BSD-based routing and firewall stuff before. I had always heard that BSD is very good at being a firewall and extremely reliable, so I wanted to give it a shot. Shorewall would've worked too and been perfectly fine. I wouldn't have the nice web UI, however. And given that I have other priorities I'd like to work on, I'm okay bending a bit to use someone else's designs.
Mikrotik RB800
I was running this before, and it performed quite well. It was powered over PoE, which eliminated another plug, and I loved that. It had a hardware watchdog and would reboot itself if it ever got wedged. It booted up extremely quickly and started forwarding packets quickly. It was very customizable and tweakable, and I don't really regret buying the hardware. It just had a few limitations that were starting to rub me the wrong way. No OpenVPN UDP support and no WireGuard support were two of them. If I chose to purchase a VPN service, it would be difficult to set it up for the optimum experience: most VPN providers I've seen recommend OpenVPN over UDP.
Ultimately, I can highly recommend OpnSense as a firewall. I've started using WireGuard on it and deprecated my old OpenVPN configurations. It's running on an inexpensive refurbished box that I bought off eBay and added a bit of flavor to. It's got an NVMe drive to keep boot times as short as possible, and I slapped a quad-port Intel NIC into it, so I have enough physical wired connections to make everything work. Additionally, OpnSense is well suited to running inside a virtual machine. If you wanted to, you could have a VM be your OpnSense homelab firewall and route/firewall traffic using software-defined networking.