OPNsense is a fork of pfSense, which in turn is a fork of the FreeBSD firewall software m0n0wall. pfSense took what made m0n0wall so good and dialed it up further to create an excellent, robust firewall solution that could be deployed anywhere from a small two-bedroom house all the way to a bustling enterprise data center. Things didn't stay that way after the launch of OPNsense, which caused many (myself included) to eventually make the switch.
When I eventually got around to building my first firewall for home, I loaded up pfSense since it was what I used back when I was managing a commercial network in an office. I recalled it offering a robust and feature-rich firewall solution, and it was no different when I deployed pfSense on a mini PC. But I wasn't happy with how things had been handled between the competitors and with pfSense licensing. I changed from pfSense to OPNsense last year, and I haven't looked back since.
That whole pfSense debacle
Not cool, Netgate
If you're unaware, the company behind pfSense, Netgate, landed in some hot water a few years back. The reason for OPNsense to fork away from pfSense in the first place was largely due to code quality and openness. The founders felt that pfSense code had become monolithic and difficult to maintain. Some major changes were planned after forking, including separating the web UI logic from root privileges for enhanced security, though this has yet to happen.
What has been made possible is a more open build process and a predictable release schedule. pfSense was often updated once a patch was deemed ready for the live environment, whereas OPNsense created a schedule for two major releases per year, with minor updates released more often. This ensures OPNsense is running the latest packages, whereas pfSense firewalls would often lag until a major release was ready, though OPNsense can be affected by spurts of instability.
The pfSense name is trademarked, and that trademark is enforced throughout the software, though the actual code is distributed under the Apache 2.0 license. The license has been altered over the years and was viewed as more restrictive, whereas OPNsense is available under a simple two-clause BSD license. This makes it considerably more approachable for budding developers who feel like they have something to offer the project, whereas pfSense could be viewed as slightly more limiting.
What's worse is that Netgate reportedly attempted to tarnish the reputation of OPNsense by purchasing a domain, a subreddit, and Wikipedia edits. It's not a good look and can harm the trust one places in the brand, especially when the product is something as important as the primary line of defence of your entire local network. The domain opnsense.com was purchased, configured, and used to smear the OPNsense project and its developers using a clip from the movie Downfall, depicting Hitler.
After a request to the World Intellectual Property Organization (WIPO), the owner of the domain turned out to be Jamie Thompson, the president of Netgate. WIPO ruled that Netgate must hand over the domain to OPNsense developer Deciso. Other claims included the /r/OPNScammed subreddit in another attempt to smear the name of OPNsense, but overall, it simply wasn't a good look for Netgate or pfSense. It's why many lost confidence in the product and decided to jump ship.
Why I made the switch
OPNsense powers my firewall now
I'm a huge fan of OPNsense's approach to the user interface. pfSense was stuck in the past, while its free alternative had a mobile-friendly, responsive design and improved dashboards. It looks like the real deal. The process of switching was straightforward, too, since it's familiar enough to get started without much thought, but there are countless features and changes that make it worthwhile.
Rocking a cheap mini PC with passive cooling and an Intel CPU, OPNsense installed without issue. With 8 GB of RAM, there are more than enough system resources to fully utilize all the additional benefits over pfSense. One of my favorite parts of OPNsense is the native plugins, such as VPN support, traffic shaping, and intrusion detection. The modular plugin system is super-easy to extend, letting you create the ultimate firewall tailored to your precise needs.
I also noticed an uptick in performance, especially when fully using all available CPU cores. 2.5 GbE networking and a fiber connection are no match for OPNsense running on the mini PC, even with numerous clients running in tandem. That said, pfSense does many of the things OPNsense can do (and vice versa). It's what makes this such a unique situation. Both options are viable for securing your network against intruders.
What's great about building your own firewall and router solution is that when it works as well as it could, you end up forgetting it's even there. OPNsense and pfSense both like to stay out of your way, allowing you to get on with everything you wish to do on your LAN. So really it comes down to personal preference, like everything in life, but there's plenty to think about when it comes to picking the best firewall firmware for your network.
Interestingly, even m0n0wall recommends using OPNsense on the official website. I love my OPNsense, because it's open in every sense of the word, though I appreciate all the work that pfSense brought to the table so that OPNsense could be forked.
