We’re trying to understand whether NethSecurity can realistically be considered an alternative to OPNsense — not in theory, but in real-world usage.
If you’ve used both (even briefly), I’d really like your unfiltered feedback.
What would make you choose NethSecurity over OPNsense?
(if anything at all)
If you tried switching, what worked better — and what didn’t?
What is missing today in NethSecurity that would prevent you from adopting it?
Real answers based on your experience.
This is not just curiosity: your feedback will directly influence future product decisions and roadmap priorities. If something is missing compared to OPNsense, this is exactly the kind of input that can drive change.
Thanks to anyone willing to share their perspective.
I haven’t used NethSecurity, so my feedback may not be what you’re looking for, but I’d need to see NS do something that I want, that OPNsense doesn’t do, doesn’t do as well, or doesn’t do as easily. And to move me to change, I’d need to hit a pain point with OPNsense. It’s nothing against NS, but I’d need to have a good reason to deal with the friction of the change.
Upfront: I am a very light user who already switched from OPNsense. That OPNsense device was bought from and set up by the highly appreciated late community member André Wishmer. Even though I switched to NethSecurity I’ll keep that APU4 OPNsense setup as-is and up to date in his remembrance. Andy’s opinion on this matter would be invaluable.
Required Functionality:
2 isolated (V)LANs, 1 WAN
Local DHCP Server
DNS Server/Forwarder, note: local DNS server of 1 LAN is a (Samba) Domain controller
NAT
A (road warrior) VPN
DNS filter/sinkhole for more convenient www browsing experience
Nice to have:
Net (www) security / intrusion protection
Reverse proxy
What I liked more about OPNsense:
Configurable dashboard with meaningful dynamic contents, i.e. tiles of your choice. Known hosts/IP addresses as an example; most logins are to find the IP/hostname of a new device I just fired up.
CNAMEs/aliases for static DNS entries. I’m not the purist that demands to have CNAMEs; if aliases are registered as A-records in the local DNS I’m okay with that.
What I like more about NethSecurity (why I switched):
Task-driven UI rather than a UI (menu) for every implementation of a service. For instance, in OPNsense with the deprecation of the ISC DHCP server you got yet another menu in the base for setting up a (dnsmasq) DHCP server. And because you cannot hide unused implementations of a particular service, the UI felt quite bloated.
Because of the above, NethSecurity is easier to use and learn.
I’m simply more familiar with Linux, especially in regard to altarchs and (custom) kernels. The FreeBSD base for OPNsense moves much slower than the Linux kernel. Only managed to get OPNsense running on a Raspberry Pi and RK3399-based devices (a pity it’s not based on NetBSD).
As said, nice to have is a reverse proxy (SSL endpoint) which can be configured for some more exotic requirements. Now running nginx in an (LXC) container as my main reverse proxy to be able to configure it to my needs. Especially the (grommunio) mailserver with RPC over HTTP, MAPI over HTTP and autodiscovery/autosetup for Outlook is demanding in this regard.
The only thing I’m missing, which for the moment is a bit of a show stopper for me, is BGP.
I know that it’s not a feature everyone uses, but I use it in my network to divide Tailscale routes for work and personal. Now I can probably get it through the normal UCI interface, but that kind of defeats NethSecurity in my mind, as I like the web interface much more than UCI itself.
I played with it earlier today, and I like the new things since I last tested it like HA, that works very well actually.
The reverse proxy is a nice to have but less used by me as I have traefik for that job.
“What would make you choose NethSecurity over OPNsense?”
For the moment we live in Brazil and the difficulty of small businesses, what impacts is the license value, and also the value of the server. Now with NethSecurity we can only do RAID by hardware, because it is impossible to use the firewall without disk redundancy.
For medium companies I have used Fortigate and Sophos, because the content filter is still widely used and also why some companies trust those brands.
Perhaps it would be very useful to incorporate some additional features that are already quite common in more advanced environments. For example, the ability to configure DDNS directly from the web interface would greatly simplify management in scenarios with dynamic IPs, although I understand it can be configured with LuCI, it may cause inconveniences as noted in the documentation. It would also be interesting to have integrated captive portals, more complete dynamic routing options such as BGP, OSPF, or RIP, as well as DNS filtering capabilities and more advanced web filtering, which nowadays are practically essential in many networks.
Regarding authentication, complementing with more robust methods such as RADIUS would add significant value, especially in environments where centralized user control is required. At the monitoring level, a more refined logs panel would make a big difference: being able to group logs by severity, filter them easily, and navigate through them more intuitively would greatly help with troubleshooting tasks. Additionally, the option to forward logs to external systems (such as a centralized syslog server) would be a major plus for auditing and analysis.
It would also be worthwhile to improve traffic graphs so they feel more modern and better designed, although I assume there may be limitations. Even so, the live traffic panel pleasantly surprised me: it is clear and genuinely useful for gaining immediate visibility into what is happening on the network.
Overall, it seems like a very solid tool. I am currently testing it on a virtual machine to evaluate what additional value it can offer compared to my OPNsense-based firewall. That said, I must admit that the ease of configuration and the intuitiveness of the interface make it quite appealing.
Thank you very much for all this work, and above all for sharing it with us! (I am a Spanish speaker and have translated some things since I am still improving my English! Greetings from Colombia!)
I have used OPNsense for a long time, so here is my unfiltered perspective.
What I didn’t like about OPNsense:
The biggest issue was a lack of support for >= 25 Gbps network cards (especially Broadcom).
The whole concept of System Tunables in OPNsense is a nightmare. And I really didn’t like having to learn the basics of FreeBSD just to get things running, as not everything is solvable directly from the GUI.
The performance of OPNsense was overall a disaster for my use cases, especially on QEMU/KVM with Virtio (even with a network card PCIe passthrough).
What I liked about OPNsense:
I really appreciated its modularity and the ability to add only the functions you need.
However, I understand this goes against a strictly task-driven UI. For example, there are multiple ways to handle DNS and DHCP in OPNsense, and every approach requires its own UI, which gets cluttered.
What is missing today in NethSecurity (Feature Requests):
Like others in this forum, I would love to see advanced features like RAID support and dynamic routing protocols (BGP, OSPF, RIP) etc…
With OpenWrt changing the package manager from opkg to apk, this could be a great starting point for introducing better modularity in NethSecurity. Of course, I realize this would require changing the way NethSecurity handles system updates.
I use Untangle today. Untangle Home license was discontinued so I am looking for an alternative.
I haven’t taken the time to transition off Untangle yet.
OPNsense and NethSecurity are contenders for my replacement.
I work on Palo/Cisco firewalls in my day job.
I like running Linux firewalls at home. I use a Dell Optiplex with an Intel multi-port NIC.
To make the NethSecurity product competitive with OPNsense, especially for small to medium sized businesses:
IPv6 Support
Dynamic Routing (BGP, OSPF, etc.)
Route-based IPsec with Virtual Tunnel Interfaces (VTI).
    Dynamic Routing is usable with route-based tunnels
    Cloud providers tend to prefer route-based vs policy-based tunnels
tcpdump via CLI for quick traffic analysis. Still can use -w if you want.
    GUI should allow for easy creation/download of pcaps as well.
Active Session Viewer
    Searchable
    Session info including matched rule
    Ability to kill a session
    Displayed columns configurable
Unique logs for Firewall/VPN/IPS/System etc.
    Searchable
Hardware Health/Status
ARP View
    View current cache
    Ability to clear ARP entries
    Searchable
If I put something in the list that is already implemented or already planned, please disregard.
An all-encompassing list of features NethSecurity provides would make for an easy comparison.
NethSecurity looks to be a promising open-source Linux firewall. Visually it looks way better than IPFire.
We’ll be taking notes and plan next steps, so keep the feedback flowing.
For those who are unaware, this year we’re focusing on visibility and monitoring of what actually happens in the firewall and its clients. We just released version 8.7.2 (announcement is minutes away), which is a step forward to that goal.
Personally, I use both in lab and production: OPNsense (currently 26.1) and NethSecurity, so here’s my real-world experience.
OPNsense – very complete, but not always “friendly”
What I like the most about OPNsense:
Unbound DNS: extremely powerful and flexible (overrides, DNSSEC, advanced tuning)
Kea DHCP: a big step forward compared to the old ISC
New “Rules” environment: cleaner and easier to manage
Reporting & dashboard: very detailed and, most importantly, customizable (huge plus in daily usage)
Plugin ecosystem: integrations with tools like CrowdSec and Wazuh add a lot of value
Firewall log view: absolutely key → you can understand traffic at a glance
Technical note:
With version 26.1, based on FreeBSD, they improved drivers for Intel i225/i226 NICs → no more heavy tweaking of tunables just to get proper performance on FTTH.
That said, tunables still give a lot of room for optimization if you want to squeeze every bit of performance.
Extra:
Zenarmor at layer 7 is pretty cool (kind of a lightweight NGFW).
Downsides:
Learning curve is not trivial
Some parts can be frustrating
outbound NAT can be tricky
and there are still some annoying bugs here and there
NethSecurity – clean, modern, and full of potential
What I really like about NethSecurity:
Dashboard: clean, modern, and fresh
If it becomes customizable, it would be even better
VPN management: well designed and easy to use
DPI inspection: very interesting and promising
could become a real alternative to Zenarmor
dedicated reporting here would be a big win
It clearly focuses on:
usability
clarity
user experience
Where it still needs work (in my opinion):
IPS based on Snort → works, but not the strongest option today
Missing advanced networking:
BGP / OSPF
Less depth in:
logging
real-time traffic visibility
The real difference
OPNsense today is:
more feature-complete
more mature
more “enterprise-ready”
but also more complex and less immediate
NethSecurity is:
more modern in UX
easier to approach
heading in a very interesting direction
but still evolving on advanced features
Final thoughts
NethSecurity has huge potential in my opinion.
It’s not yet at the same level as OPNsense in some areas, but the direction is absolutely right — especially if they keep investing in:
visibility
reporting
advanced networking
Message to Alessio & the team
Having met Alessio Fattorini and part of the team last year at an event:
guys… it’s clear you’re putting real passion into this
You’re building something that:
is not just another clone
but has its own identity
So:
keep going
add some “nerdy toys” (BGP, OSPF, proper logging)
and you might seriously shake up the space
I have continued testing the firewall and have identified the following areas for improvement:
In WireGuard peers, it should be possible to view the public IP address from which each client connects. This would be very useful for monitoring purposes directly from the service interface (at least, I have not found this functionality in the tool so far).
The implementation of user roles is definitely a necessary feature.
It would be ideal to support scheduled policies with automatic expiration, for example:
Recurring: schedules that apply repeatedly at specific times and days of the week.
One-time: schedules that apply only once during a defined time period.
The ability to customize the dashboard would be a significant improvement.
It would be useful to have a geoblocking feature based on country IPs. I understand that OPNsense uses the MaxMind database for this purpose, which could serve as a reference.
I am not sure how feasible this is given current limitations, but would it be possible to apply QoS policies not only to interfaces, but also to existing traffic policies?