Nethsecurity 8 project

And it’s also worth noting that OpenWRT includes IPsec, OpenVPN and WireGuard, allowing one to use whatever VPN matches the requirements best…

I just made my first WireGuard VPN as a Site2Site VPN for a client, using OPNsense on both sides…
OPNsense also allows all three VPNs to be used, albeit the GUI is a bit better than OpenWRT’s.
As a router, OpenWRT is faster than OPNsense on the same hardware.
:slight_smile:

WireGuard is almost twice as fast as OpenVPN!

Then again, it may be too “new” for some people here; some here seem to like using horse-drawn chariots as transport instead of a car or public transport… :slight_smile:

I just hope these people aren’t trying to run NethServer on a 2.0 Kernel…

My 2 cents
Andy

3 Likes

L2TP missing (again).
Anyway, thanks for the “abusing” badge. Really appreciated.

@pike

Don’t forget the original PPTP, so you can have secure VPN connections with your Windows 98 SE and Windows ME… :slight_smile:

Then again, L2TP was just a BAD redesign of PPTP; see this from Wikipedia:

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193.

No encryption!

A simple Man in the Middle attack can read ALL data!

If you’re a TelCo, L2TP may make sense, i.e. in transporting PPP packets to end-user devices…

But forcing the use of IPsec, when IPsec can do the job better than L2TP, and much more securely, means there is no “real” need or use for L2TP…

IPsec, OpenVPN and WireGuard cover all current use cases for VPNs (Site2Site, RoadWarriors), provide good encryption and clients for RoadWarriors, and are generally well integrated with commercial products.

IPsec is still counted as “The Standard” for VPNs, and allows for several different encryption methods. But both OpenVPN and WireGuard are valid runners-up to the crown!

My 2 cents
Andy

1 Like

…and you’re clearly determined to find fault with this project. If you actually have a need for L2TP, surely you can recommend that and it would be considered. But if all you’re trying to do is poke holes, I’d strongly encourage you to reconsider your course of action.

It wasn’t Andy who flagged your post, but it was I who agreed with the flag, because your post was pointlessly confrontational.

1 Like

I won’t, because there’s nothing to reconsider. If something wrong is found, I report it. If I don’t like something, I say it. If you don’t like the way I express myself, I’m sorry, but anyway I never said bad words to anyone.

Stirring the wording once more, repeating what is already known about the goals of the project, won’t make me think better of the status or the path. I see some faults and I’m putting them into words, explaining why it’s not good for me.

I cannot take malevolence or disingenuousness out of your mind if you see that in me. It’s your mind, and I’m for free thinking. Take it as you want; it’s out of my control what you think of me, and I am no marketing team to make you believe what I want you to believe.

About L2TP.
I won’t use L2TP (which by the way is already in every consumer OS for computers, tablets and smartphones, so it might totally be a nice feature for every appliance…) without IPSec, and some recent Android ROMs started delivering that on IKEv2 instead of the prehistoric IKEv1. For team “Pike is tedious”: you never read me writing about two families of products and 4 brands that still provide L2TP/IPSec. It might be unfair and impolite to poke at that…

Is L2TP/IPSec perfect? No, for 4 reasons.

  1. The ports are known and part of the RFC/protocol requirements. So filtering the communications for L2TP and IPSec is quite a piece of cake for network admins and other interested entities that want to shut down the use of VPNs.

  2. The subset of ciphers and settings is something exterminate, so if the producer of the implementation does not allow using the already established settings of the environment, it’s quite a no-go.

  3. On clients it might be unnerving to configure. Not all the OS producers label parameters in the same way, and building the usual babelfish between your stuff and the new stuff might be … not that smooth.

  4. Several network equipment brands use licensing and features like the automated provisioning of the client for more revenue. L2TP/IPSec currently cannot provide that, but some products are delivering scripts for faster configuration of the connection on Windows (in PowerShell), as Neth7 and Neth6 provided pre-cooked OpenVPN client configurations.

Last but not least: wording and explaining a vision outside the “kumbaya, we are all friends here and everything will be all right” is not pleasant. And I don’t consider any of the people working on the project less than capable and committed. You have your opinions, @danb35; you’re convinced that everything but me is all right and it’s just a matter of waiting.
I am not.
And the NethSecurity based on IPCop (yes, there was one), where after logging in to the web interface the admin was able to disconnect the internet “for good” (and the only thing that allowed the connection again was… clicking on the connect button), with other hiccups and strange designs, is still there to remind me. Better decisions could have been taken, and did happen. The firewall section of Neth6 and Neth7 (in Cockpit especially) is parsecs ahead and much better built.

I am confident that this is a step back, and I’d be very glad for the project if I turn out to be wrong.
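Two points raised above can be turned into a concrete check: Andy’s note that L2TP itself has no confidentiality and only becomes safe inside IPsec, and reason 1 in the list, that L2TP and IPsec use ports fixed by their RFCs, so they are easy to spot on the wire. The script below is an added example, not code from the thread or from NethServer/NethSecurity. It builds a per-host-pair inventory of VPN protocols from flow records and flags host pairs that carry L2TP (UDP/1701) with no ESP (IP protocol 50) or NAT-T (UDP/4500) beside it. The flow line format and all addresses are constructed for the example; the OpenVPN (1194) and WireGuard (51820) entries are the upstream defaults, which an operator can change, so those matches are only hints.

```python
"""Spot L2TP tunnels that are not protected by IPsec in flow records.

Added example, not from the thread or any NethServer/NethSecurity code.
L2TP (UDP/1701, RFC 3931) carries PPP frames in cleartext, which is why
it is normally wrapped in IPsec (IKE on UDP/500, ESP as IP protocol 50,
or ESP-in-UDP on UDP/4500 behind NAT). Because those ports are fixed by
the RFCs, a defender can inventory VPN use per host pair from plain flow
records and flag L2TP that has no IPsec beside it. The flow line format
and all addresses below are constructed for this example.
"""
from collections import defaultdict

# Fixed by the RFCs: L2TP, IKE, NAT-T/ESP-in-UDP, and raw ESP.
# OpenVPN 1194 and WireGuard 51820 are only upstream defaults and can be
# changed by the operator, so a hit on them is a hint, not a proof.
SIGNATURES = {
    ("udp", 1701): "l2tp",
    ("udp", 500): "ike",
    ("udp", 4500): "ipsec-nat-t",
    ("esp", None): "esp",
    ("udp", 1194): "openvpn-default",
    ("udp", 51820): "wireguard-default",
}

# Constructed sample export: "<proto> <src_ip> <dst_ip> <dst_port|->".
SAMPLE_FLOWS = """
# pair A: L2TP negotiated over IKE and carried in ESP (host-level export)
udp 10.0.0.5 203.0.113.10 500
esp 10.0.0.5 203.0.113.10 -
udp 10.0.0.5 203.0.113.10 1701
# pair B: bare L2TP, PPP payload readable by anyone on the path
udp 10.0.0.7 198.51.100.20 1701
# pair C: WireGuard on its default port, plus unrelated web traffic
udp 10.0.0.9 192.0.2.30 51820
tcp 10.0.0.9 192.0.2.30 443
""".strip().splitlines()


def parse_flow(line):
    """Split one constructed flow line into (proto, src, dst, dst_port)."""
    proto, src, dst, port = line.split()
    return proto.lower(), src, dst, (None if port == "-" else int(port))


def classify(flow):
    """Return the VPN label for a flow, or None if no signature matches."""
    proto, _src, _dst, port = flow
    key = (proto, None) if proto == "esp" else (proto, port)
    return SIGNATURES.get(key)


def vpn_inventory(lines):
    """Map each unordered host pair to the sorted list of VPN labels seen."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            seen[tuple(sorted((flow[1], flow[2])))].add(label)
    return {pair: sorted(labels) for pair, labels in seen.items()}


def cleartext_l2tp(lines):
    """Host pairs with L2TP but no ESP or NAT-T alongside it.

    On a mid-network tap, L2TP/IPsec shows up only as IKE + ESP, so any
    visible UDP/1701 is by itself unprotected; on a host-level export both
    layers are visible and this pairing rule tells the two cases apart.
    """
    return sorted(
        pair for pair, labels in vpn_inventory(lines).items()
        if "l2tp" in labels and not {"esp", "ipsec-nat-t"} & set(labels)
    )


if __name__ == "__main__":
    for pair, labels in vpn_inventory(SAMPLE_FLOWS).items():
        print(pair, labels)
    print("cleartext L2TP:", cleartext_l2tp(SAMPLE_FLOWS))
```

Run as-is, it reports pair B as cleartext L2TP and leaves pair A alone. The same rule doubles as a firewall policy sanity check: if a box is supposed to terminate L2TP/IPsec only, any UDP/1701 reaching it from outside an ESP or NAT-T association is a misconfiguration worth an alert.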

In fact it’s going to be only a base for our development, like CentOS was for the NethServer 7 firewall (CentOS isn’t a firewall either). Our devs are building the new firewall on that base.

1 Like

In fact, compared to the current state of NS 7 firewall features, it is a downgrade.

Sure, just port PFBlocker into OPNsense, and I will do that ASAP.

@nio707

I couldn’t care less about PFBlocker, as PFsense is an absolute no-go for me.
I would not touch PFsense with a long, long pole - I can’t trust liars nor people spreading fake FUD…

If you’re an incurable fan, use PFsense, not my problem!

My 2 cents
Andy

Don’t know why you straight away paint me as an incurable FAN.

You are free not to trust PFSense or Netgate, great, but I only stated that I like the piece of software called PFBlocker-NG, which is an add-on that does my job and is still not available in OPNSense, and the huge knowledge base in their forum, obviously bigger relative to the OPNsense forum.

Regards

@nio707

You’re just as free to use PFBlocker-NG on PFSense, not my problem…

:slight_smile:

Probably the reason it’s not available on other platforms is that it’s not open-source, meaning no one can fork the code. Or it won’t compile. No idea, I never tried.
Not the first time for Netgate…

And that’s enough for me not to trust such a company, and not to advocate their products.
My freedom of choice.

The functionality of PFBlocker-NG is covered in OPNsense…

My 2 cents
Andy

Probably, at the moment. We’re not yet even in the alpha stage. Be hopeful :slight_smile:

We’re a bit off-topic. Don’t you think?

Sorry Alessio. It’s binary, not a probability check.

Does NextSecurity now have the same functionality as NS 7?
Yes => It’s not a downgrade.
No => It’s a downgrade.

The future is not here; here is the present. Currently NextSecurity is a downgrade. You can stir it as you want, try to paint the facts with marketing and goals. But right now the statement is correct.

I Trust it :smiley:

1 Like

Well, some people like to pick arguments about Alpha Software…

My 2 cents
Andy

2 Likes

When I saw the progress made since October on NS8, I can just say please wait; if something is wrong, be sure it will be fixed or enhanced.
Nethsecurity is a loved child to Nethesis; they have a long history with firewalls. Who recalls the time of the IPCop rebuild? It was also a product that Nethesis sold support for.

4 Likes

And really appreciated. But as other comments indicated too, progress and achievements are not too visible. Trello etc. are not very good instruments (way too tech-savvy) nor sexy enough to draw public attention :wink:

1 Like

You’re right, we are going to find ways to show our achievements

Yes, now the statement is correct, but you miss the point. We have rebuilt our product entirely, so it’s normal that at these stages feature parity is not achieved yet.

2 Likes

A few posts ago I wrote

did you miss that?

But currently I can’t install promises, Alessio. I can’t install something that’s not here, and the thing that’s here is found lacking. You admitted it too… after 65 retries to extract facts, not promises or hopes.
Hardware (physical or virtual) can’t bootload a “yet”.

Where is the IPS functionality? Or is this missing?

Unfortunately it looks like NS8 is a big step backward from NS7, which was a highly integrated, featureful platform administered with a consistent interface. Now lots of features are missing, firewall features are missing, and there is no consistent interface.