Opnsense

2024, Sep 15

I'm a big fan of virtualisation and have been since my first real IT job, working with just about every hypervisor there was (and getting the most out of them). Wherever possible I've made a conscious effort to maximise the utilisation of my hardware, trying to eke out every last drop of performance (while keeping the electricity bill as low as possible). Spending a considerable sum buying hardware firewalls is a new experience, and one that hopefully pays off.

Until recently I've been running multiple virtual firewalls on an 8-core Xeon-D system (with more physical network adapters than is sensible); however, it's never been a perfect solution. Despite spending weeks tuning CPU affinity / scheduler thresholds / driver configurations / BIOS settings, there have always been glitches in the network that I've never managed to fix. After testing each component, and trying different network switches, different cables and different SFPs, it always came back to the same components: the virtual firewalls. I've advocated for using them for a very long time (and in truth I still do), but for my own situation the time spent trying to troubleshoot (and inevitably failing) has reached its limit.

My firewall choices have been interesting over the years, including:

  • ZoneAlarm
  • ipchains / iptables
  • Cisco ASA (yup, back in my CCNA days)
  • m0nowall
  • GlassWire
  • Little Snitch
  • pfSense
  • Opnsense

I've gone through a few (clearly nowhere near the full list of firewalls created in my lifetime), and honestly it's been a mixed experience. From the days of manually writing firewall rules on the CLI for L4, to UI-based L7 firewalls as of late (yes, I'm a big fan of Little Snitch), it's impressive to see how things have improved. Even at the enterprise level (be it on-premises or cloud) the configuration of stateful/stateless firewalls is significantly easier than it was before. With all that said, I still needed to choose one to use.

I make it sound like a drawn-out choice (when in fact it really wasn't). I've been testing Opnsense for the last 12 months (give or take), and honestly I've been impressed with it. Don't get me wrong, it's had its occasional issues (and the very recent IPv6 issue in the 24.7 release is a good example), but I've always been impressed with its speed of development and ease of use. With that in mind, I took the plunge and ordered two of their DEC750 models (leaving myself some scope for future connection upgrades).

Just under two weeks passed and I was greeted at the door by my new firewalls. The packaging was as you would hope, being well constructed and with ample protection to handle dents from the courier. As for the firewalls themselves, to use a Britishism: chonky! In truth I had expected them to be mostly plastic with a metal top panel to act as the heat-sink, but the whole unit is solid metal and appears precision milled. It's hard to pick a flaw with them, though I would have preferred them to have a lockable DC barrel jack (as I'm all too familiar with unplugging a running mini-PC by accident).

[Photo: Unboxing] Solid packaging (you would expect nothing less for the price)

[Photo: Design] Sturdy construction, and I love the passive cooling

Getting them configured took no time at all, with the initial details provided on a slip of paper included in the packaging. Twenty minutes later the first firewall was ready to replace its virtual counterpart. Of note, as these are official hardware with a business subscription, they run the earlier (business) version of Opnsense rather than the latest community release (no bad thing). What stood out the most was just how fast they reboot and are fully operational again, beating their virtualised counterpart by a country mile.

From a performance perspective they are exactly as you would hope / expect: fast! I can't say I've tested them to the extreme (yet), but so far they have been rock solid when I'm pushing multiple streams through (to saturate each Gigabit link). My 10Gb testing may show a different side to this, but for now all is well. The other aspect to these is the jitter, which with their virtual counterpart wasn't great. In fairness that may have been down to the different network adapters / driver support, but again, the advantage of buying vendor-provided hardware is that these issues shouldn't be a thing. Even running iperf between devices is now consistently smooth (something the virtual devices never managed).

Time will tell how I get on with these devices, especially once I enable the 10Gb links and start pushing them significantly harder. That said, I will likely wait until the 24.7 release is officially out as the business release as I know the underlying BSD version change is said to have significant performance improvements. Until then, I have more virtual firewalls to replace...