Making NethServer better than pfsense

Continuing the discussion from help to understand openvpn:

I’m really curious about that
How should we improve NethServer to make it better than pfsense or comparable at least?
Which features are missing?

2 Likes

Why should that be an objective? pfSense is a dedicated router OS. Neth is a multipurpose server. Don’t try to beat the specialized device at its own specialty.

3 Likes

I think it’s not about making a multipurpose system better than a dedicated one (which is not possible), it’s about being at least comparable and providing functions that are often needed.

I think that a multipurpose system needs a firewall too.
Pf/opnsense is a cool, feature-rich firewall, but it’s not simple/easy to use unless you are already used to it.

So I’d really be interested which often used functions from pf/opnsense would be nice for Nethserver.

2 Likes

If you install a nethserver instance and only install the gateway module(s), nethserver becomes a dedicated firewall/gateway system. I think the call in this discussion is to improve the firewall/gateway functionality so it is on par with dedicated systems like opnsense/pfsense.

So the question is: What is needed to get there?

1 Like

Just a few reasons:

  • Many people use NethServer just as firewall
  • They prefer the simple NethServer UI to a complex one
  • They don’t want to learn another administrative console and standardize their installations
  • We already have a business-only firewall solution with thousands of installations: http://nethesis.it/nethsecurity

That’s the right question, please pfsense experts comment here with your thoughts :smiley:

2 Likes

Just giving my own 2 cents and nothing more, but I tend to agree 100% with this statement. Pfsense to me has better documentation & a smoother feel to the FW component, while the modules they do support are natural to the product and easy to implement (Haproxy and ACME DNS/LE Certs, pfblocker to name a few).

My target Nethserver audience are small businesses between 5 - 50 employees (like a customer I’m working with right now) who are not yet 100% on the Microsoft train. Normally these businesses have residential/low end business class internet. When I am upgrading these networks and replacing those low end consumer ISP modems/routers I tend to use Unifi, Pfsense or some custom pfsense build. I need to consider not only my future use case/needs but also those who may come behind me to support these products.

When it comes to Nethserver in particular I find that sometimes it is hard for me to give NS my money. I can’t go to https://www.nethesis.it/nethsecurity/firewall-utm/ and look at available hardware/pricing or make any purchases on my own. I’ll admit that I’m most likely not the target audience for what NS is after but I can pass along some of my past experience.

@alefattorini

Hi Alessio

The same as @royceb, my target Nethserver audience are also typical SME clients (small to medium enterprises from 2-50 users).

Here, NethServer as universal server is asked for, eg to use as AD, Mail, NextCloud, Zabbix Monitoring.
But a firewall? My clients want a hardware box for firewall…

Most had either a provider supplied low end firewall/router (some with max 8 possible entries only!) or an older Sonicwall, Zywall or something similar.

I do admit that the firewall in NethServer is very usable, and VPNs are also very quick to set up.

But it’s also quite easy to screw things up, with a little testing on NethServer and not cleaning things up afterwards…

If things do get screwed up, then on NethServer things can get quite messy, and fast!
AD not working, FileStore not accessible, Internet also not working…
Now how do I connect to the Internet to see the forum or some other way to fix the mess?

A separate box does help a lot in such a use case!

Note:

A separate NethServer does have these advantages too! (Kudos, where kudos belong!)

Problems come mainly when too many (not fitting together) components are squeezed onto one box/system! This is seen often in the forums…
Users trying to save money and equipment, but not having quite the needed know-how level to really think about their problem - and how to rectify it!

My main issue is that a second NethServer does solve a lot of problems with firewall issues, but also uses much more resources than eg OPNsense or PFsense. (Performance more or less equal!) Power usage, CPU, RAM…

Sure I can run NethServer now even on a Raspberry - but not as a halfway usable router/firewall, simply because a Raspberry only has one NIC and very low IO capabilities.
Yes, I can add in a USB3 NIC or two, and I could include the WLan…
But a Raspberry doesn’t have the IO to compete with a dedicated board like PCengines APU2/4 or similar. It’s ok for 1-2 people (max)!

And with 2 USB3 NICs? It’s become a toy for geeks, not a real router! Open cables and USB connections are just too unstable for productive use!

My 2 cents
Andy

1 Like

Sorry, I can’t get what you’re saying. On pfsense you are not able to screw things up?

Again. As you said you can separate things.

That’s a good point. From your perspective NS with just firewall modules uses much more resources than pfsense?

So, the difference is the box? Let’s say we put a good box in our store with NethServer+firewall modules already installed. Would this make NethServer equal to pfsense?

Please give me some details. What’s missing in our documentation?

So do you prefer pfsense FOR these modules? We can think about adding them if it can make NS more suitable.

Sorry, I can’t get it. How does pfsense support your future needs and the people behind you?

@alefattorini

Hi Alessio

As you know, I don’t use PFsense, only OPNsense (Or NethServer!).

OPNsense / PFsense do not provide services like mail / files / AD or Nextcloud.

So these can’t be screwed up!

NethServer is Linux, based on Centos, itself based on RedHat.
A Linux distro contains much more than anything based on BSD. PFsense and OPNsense are both based on FreeBSD. The base install is VERY small. RAM usage is also much lower on BSDs than on Linux.

Besides that, just the fact that BSD is behind the firewall also settles a few things, like a Kernel Loadable Module attack is simply not viable on any form of BSD…

The “box” implies just that, a box which can be replaced with another box, or can be supported by someone else.

I think this is what Royce was implying:
PFsense, and also OPNsense, has a lot of users out there a bit familiar with what they’re using…

If we could have something almost equivalent, it might be interesting…

My 2 cents
Andy

1 Like

@alefattorini

As an afterthought:

For a firewall box, services like AD are critical!

Not only from a security point of view, but also for handling ports and IPs.
In NethServer, the AD is provided by a “jail” in Linux, basically a form of Linux Container, with its own MAC address and IP. These are running on the same interfaces as the NethServer firewall.

Note:
NethServer does a very good job so far of “taking care” of the AD and IP concerned.

Now, let’s start talking about virtual machines, also using MAC addresses and IPs…
Note NethServer knows about the AD, as that’s a part of NethServer and planned for.
But what about X different virtual machines? Maybe an Exchange Server is running in there…

Next step: If you’re aware of Dockers and what that means when it comes to IPs, Ports and Interfaces…
Especially whole pools of Dockers firing up because of access from Internet or whatever…
Almost the perfect nightmare for any firewall admin!

This needs to be REALLY well planned!

The amount of Interfaces with possible firewall rules or interaction goes up and up. So does complexity!

Can anyone (or even a huge team?) support something like this?
You’d need plenty of people like @mrmarkuz … (My Kudos to Markus for his excellent support!)
And even then…

On a separate box, it’s only two Interfaces, maybe a third for DMZ, a fourth for Provider redundancy, and maybe an Interface for a Captive portal and a WLan… That’s a maximum of 6, and enough to cater for a fairly large client! But the ruling is relatively straightforward even in this case, as each Interface is predefined by usage…

My 2 cents
Andy

Ok… I gave a brief read of the request of @alefattorini and most of the answers but…
I still cannot “get” what’s lacking in NethServer compared to PfSense, as a plain list of features or accessories nested into features.

A few years ago I warned Nethesis to take a look at Endian Firewall to see a quite rich web user interface with a lot of features and ease of use. Cockpit enhanced NethGUI a bit, but the firewall/traffic monitoring/connection status is still lacking, and a lot of this info is only available through addon modules like NetData, NTOP and so on.
Also, I think that the lack of L2TP is quite a “meh”, mostly because it is already integrated into the most used OS on computers and mobile phones.
Another “nice” addon could be the “1 click download” for the OpenVPN Connect with integrated configuration (self provisioning): in the magic world of wishes, the user should:

  • access to vpn.nethserver.dom (reverse proxy?)
  • login with username and password
  • webpage with one (best) or two links for download client (gather the OS from the web browser) and configuration file
  • install + config automagically

Just wishing and dreaming…

I was forgetting one thing: you can do a lot of things with a swiss knife/multi purpose tool, but
you cannot beat a specific tool for performance and adaptability.

3 Likes

Well, to name a few:

  • HAProxy
  • DNS validation for certs
  • Recursive DNS resolver (this was in SME, but it isn’t in Neth)
  • Neth can only import OpenVPN config in some weird JSON-y nonsense, not in a standard .ovpn file

There may be others, but this is what comes to mind. As a proper firewall, I can’t draw a direct comparison, because I’ve made very little use of Neth’s firewall features (my Neth instance is in a VPS), but here’s the biggest feature I don’t recall seeing mentioned for Neth:

  • Aliases. For everything–ports, hosts, networks, interfaces, everything. Makes the rules much easier to set up, and to read later.

Now, there’s one enormous advantage Neth has over OPNsense specifically, and that’s support–OPNsense is a strong contender for the worst support I’ve seen in F/OSS.

3 Likes

I mean that Pfsense has a large user base with multiple avenues of documentation (Youtube demos, their official docs, forum support), and the ability to hire someone with Pfsense experience in the future, in case I am no longer around to support the product, is much more likely. I’m positive Nethserver could handle most if not all the networking scenarios I’ve encountered. I don’t have any loyalty to one product over another but try to use the right tool for the job.

2 Likes