What is the difference between: Nethsecurity and OPNSense?
The “DREAM” of making Nethserver better than Pfsense is over?
Hi @Francenildo
Is this support, a chat, an opinion or what? I do not quite understand.
OPNsense, the latter, is a real firewall without compromises and a fully working GUI for DNS.
It’s also productive for several years now, and works rock solid in several disparate environments.
NethServer 7 was never a usable firewall; when used as a DNS server, it gives back wrong PTR records. I never liked combining a server with a firewall anyways.
I only once played around with NethServer 7 as a firewall / all in one.
NethServer 7 as a server was great, but as a firewall? Not usable due to DNS issues, wrong PTR records in the logs, etc.
And NethSecurity is still not stable enough, IMHO…
Why would anyone dream of copying crap like pfSense? They make fake claims about open source, but their “source” won’t even compile (Blob built in!). That’s also the reason the creator of Monowall (from which pfSense was forked) suggests OPNsense instead of pfSense.
My 2 cents
Andy
Did you try It? It’s still the first version but it’s able to resolve a lot of problems
@Andy_Wismer you should give to nsec a chance, I am really curious about your opinion
And no, it’s stable enough to use in production
Problems? Sounds like an interesting concept, must try out “problems” when I have some spare time!
But with OPNsense, I have hardly encountered any in the past 5+ years…
But, not to worry:
I do plan on testing NethSecurity out, with different scenarios in mind to see how it can cater for these scenarios, both with and without NS8 involved.
I have a range of Hypervisors to test this on, from very powerful to barely capable.
And I have 1-2 APU (4d4 with SSDs, 4 GB RAM, 4 NICs) boxes lying around, on which I also plan on testing NethSecurity with a “bare metal” install.
Disaster recovery scenarios are going to focus a bit on this hardware, as VMs in Proxmox or other Hypervisors are fairly stable to restore.
And I’m well known to favor dedicated boxes for firewall…
I can and will provide a “hands on” feedback in the form of a testimonial and hope to achieve the same quality of Testimonial as before!
My requirements are a bit steeper than this:
We can argue about point 3, but points one and two are not quite fulfilled!
AFAIK, in Italy, just as in other places, a new Pizzeria doesn’t get the label “good” just because on the opening night no one had to go to Hospital!
I do like to think Italians are a bit more critical about their favorite pizzerias…
→ On the other hand, if nine of ten people you chance to ask say it’s among the best pizza joints in town, they’re probably right! And it won’t be an Americano, for sure!
If I’m satisfied, I’ll gladly be one of the nine!
But: DNS will be well tested!!!
My 2 cents
Andy
I tested everything on NethSecurity, everything is running perfectly so far.
I would like to implement software RAID for small businesses such as: Pizzerias.
I really missed group and object management.
They’re in the roadmap, devs are working on it
I’m not asking to make it your preferred restaurant but just give it a try for a dinner
I do intend to do a serious test, including a Testimonial here, one of the next weekends or a quiet day…
This weekend Saturday is rainy, OK.
Next weekend (end of month) Saturday and Sunday look like rain and thunderstorms.
→ Just right to put NethSecurity through some “grilling” tests - outside grilling isn’t a real option in a Thunderstorm!!!
My 2 cents
Andy
NethSecurity 8: OpenWRT + Nethesis.
OPNSense: m0n0wall really improved.
Currently OPNSense is far more powerful, featured, extensible and available. But it has a steeper learning curve.
NethSecurity 8 is more integrated with NethServer 8, so can expand easier the “bigger network” if interested.
If you know that the network configuration is simple (less than 5 subnets, less than 4 VPNs among RoadWarrior and Site to Site), maybe NethSecurity 8 is a faster deployment choice.
However on long term might be a “short blanket” if the team won’t be able to provide enough “accessories” for NethSecurity 8.
Another key difference (more than the underlying OS): OPNSense AFAIK currently has no company behind as “main developer”.
Decisio is the main developer of OPNsense…
From the web site of About OPNsense - High-end Security Made Easy™
More details at the link site…
My 2 cents
Andy
Thanks for correcting me @Andy_Wismer
Maybe not…
OPNsense does easily allow for a quick preconfiguration. All config is in a single xml file, still like m0n0wall. That means all sites can be preconfigured before real on site installation happens.
This goes down to any detail in the configs. A DHCP reservation? Just need to know the MAC addr of that host, and its name - copy paste from an Excel sheet would suffice…
This is quite easy!
Restoring only parts of the config (eg VPN, DHCP) allows for building a standard config using the GUI (for a good part!).
My 2 cents
Andy
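The spreadsheet-to-config workflow described in the post above, sketched as an added example (not part of the original post and not OPNsense's own tooling): rows are validated before being merged, so a pasted sheet cannot introduce duplicate or out-of-subnet reservations. The `staticmap` element layout, the function names and all sample data are assumptions constructed for illustration.

```python
import csv, io, ipaddress, re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment; the element layout is an assumption
# (legacy ISC DHCP style section), verify it against a real export.
BASE_CONFIG = """<opnsense>
 <interfaces><lan><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan></interfaces>
 <dhcpd><lan><staticmap><mac>00:11:22:33:44:55</mac>
  <ipaddr>192.168.10.20</ipaddr><hostname>printer</hostname></staticmap></lan></dhcpd>
</opnsense>"""

# Constructed spreadsheet export (CSV).
SHEET = """hostname,mac,ipaddr
nas,00-11-22-AA-BB-01,192.168.10.30
printer2,00:11:22:33:44:55,192.168.10.31
cam1,00:11:22:aa:bb:02,192.168.20.5
pos1,00:11:22:aa:bb:04,192.168.10.34
"""

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

def reject_reason(mac, ip, net, seen):  # None means the row is safe to merge
    if not MAC_RE.fullmatch(mac):
        return "malformed MAC"
    try:
        if ipaddress.ip_address(ip) not in net:
            return "IP outside interface subnet"
    except ValueError:
        return "malformed IP"
    return "duplicate MAC or IP" if mac in seen or ip in seen else None

def merge_reservations(config_xml, sheet_csv, iface="lan"):
    root = ET.fromstring(config_xml)
    lan = root.find(f"interfaces/{iface}")
    net = ipaddress.ip_network(f"{lan.findtext('ipaddr')}/{lan.findtext('subnet')}", strict=False)
    dhcp = root.find(f"dhcpd/{iface}")
    # MACs and IPs already reserved in the base config
    seen = {m.findtext(t).lower() for m in dhcp.findall("staticmap") for t in ("mac", "ipaddr")}
    rejected = []
    for row in csv.DictReader(io.StringIO(sheet_csv)):
        host, ip = row["hostname"].strip(), row["ipaddr"].strip()
        mac = row["mac"].strip().lower().replace("-", ":")  # normalise Excel-style MACs
        reason = reject_reason(mac, ip, net, seen)
        if reason:
            rejected.append((host, reason))
            continue
        entry = ET.SubElement(dhcp, "staticmap")
        for tag, val in (("mac", mac), ("ipaddr", ip), ("hostname", host)):
            ET.SubElement(entry, tag).text = val
        seen.update((mac, ip))
    return ET.tostring(root, encoding="unicode"), rejected
```

`merge_reservations(BASE_CONFIG, SHEET)` returns the merged XML plus the list of rejected rows with the reason for each, which can be reviewed before the file is uploaded.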
Andy, your perspective on OPNSense is… not the newbie one.
You claimed and advertised countless times a long experience on OPNSense and you “sponsored” (ish) the distro quite often on this community. So what you say is not untrue… however, it comes from a long experience of deployment and troubleshooting: you currently might be able to deploy a firewall configuration without accessing anything more than a nice text editor and the “upload” page of OPNSense…
I tried both OPNsense and nethsec 8 for a few hours as a “toy” (more or less 15). As a total newbie on both platforms I found NethSec 8 easier and faster to deploy.
So please… without playing the whole gig of how much customers you serve with X and Y project… might be useful to specify “where” your opinion comes from.
Pike, I fully agree with your assessment. OPNsense is VERY powerful, and is more geared to those who have special needs.
Knowing what one is doing always helps, no matter if OPNsense or NethServer…
Yes, I’ve also had to fiddle with not working Threatshield lists and such on Nethserver7…
And there’s also not much documentation available on adding a full subnet of official, internet routable IPs to an OPNsense box running on / over DSL (also fiddling involved to get it “right”, but once done can be replicated a million times (OPNsense can clone almost any object via GUI!))…
And you are also right in your assumption with a text editor - adapting one of my “standard” configs and implementing it takes less than 15 minutes…
And I assume you did read this…
And no, I’m not being paid by either OPNsense or Nethserver!
My Profile does state 35+ years of experience - and you never found AS400s or Mainframes in SoHo environments (Even NetWare, hardly!)!
So where my knowhow / experience comes from is also clear: A lot of years of “hands on” work, planning, learning, whatever involved…
I don’t (yet) have the option to do a brain dump, neither ZIP nor 7Zip nor Tar offer any such options so far. And I’m not volunteering for any Musk ideas - I’m not crazy!
So this Forum is one option I have (and do use) to pass knowledge, experience and tips to other users, allowing them to benefit from a now 40+ years journey…
I hope this (my) mindset is compatible with your ideas / use cases for such a great forum as what we have here, this NethServer forum!
My 2 cents
Andy
I think you need to use NSEC. It’s pretty cool. OPNsense is nice but that shit sucks for WG VPN server or client. Confusing setup on opn.
I like the OPNsense GUI. Works well and isn’t confusing.
I have OPNsense working with WG, it works rock solid with all three common VPNs: WG, IPsec, OpenVPN.
And: I can install it easily on almost any hardware or VM directly from ISO Image or USB with Live installer or Imaging.
I need a rock solid firewall, with a fast disaster recovery route, which works independent of anything else, but can be integrated.
Personally, I find Blue, Red, Green labeled NICs somewhat childish.
And I do hope for working DNS with CNAMES and correct PTR in NethSecurity, not like the crap DNS NS7 had (Not really DNSmasq’s fault, rather the Cockpit implementation). Only CNAMES for itself, not for any other host. So inconsequential, taking an All-In-One server ad absurdum, allowing Port Forwarding, yet no CNAMES? If it’s a single server only, why would one need port forwarding, if there’s nothing else reachable on that network? So logs full of wrong PTRs when needing to troubleshoot…
If something has not been around for at least a year, I will not consider putting that in production, simple enough!
I think you need to learn real networking, @beniamin !!!
Or maybe even better: wait for an AI supported firewall box called maybe HAL-NG?
Idiot-proof, Hacker-proof, but the AI won’t work if your Internet goes down.
“Sorry, I can’t do that”…
My 2 cents
Andy
I used pfsense for about a decade (8 years).
I use real networking. But thanks for the kind words.
Anyhow, I use Firewalla which is amazing. It costs a lot but easy to use and very powerful.
I would suggest watching this Andy, it’s quite insightful
Why I am Not Using OPNSense - YouTube
Sorry, this guy uses pfSense
I trust pfSense less than RedHat and IBM together.
They lied with their FUD and Open Source - and lost before court!
'nuff said
My 2 cents
Andy
Again you’re talking about NS7
Please test nsec8 and let us know
I still plan on testing NethSecurity 8. This weekend looks more promising…
This past weekend was needed to provide a solution for a large, migrated NS7.
Solution working for now, clients happy.
My 2 cents
Andy