Recommendations for Low-Power, Rack-Mountable Firewalls with 10Gb/2.5Gb Support

Sep 7, 2022
Sadly OPNsense is based on FreeBSD and that has limited (IMHO) its flexibility. If they moved to Linux they could take advantage of FD.io + VPP + DPDK. We know that VPP can perform MUCH faster than pf/ipfilter etc. even on what is traditionally considered low-end hardware, especially when given NICs capable of acceleration - here's a good read of someone testing VPP on an N305 CPU with a ConnectX-4: IPng Networks - Review: Gowin 1U 2x25G (Alder Lake - N305)
Is there a good Linux based firewall distro that's similarly easy to use for homelab-types as OPNsense and actually supports FD, VPP, DPDK, etc?
 

freegate

New Member
Apr 21, 2025
Guadeloupe
Another hardware option I've been using for 4 years now. It's compatible with OPNsense, pfSense, etc. I have the RJ10 model.
The brand is HUNSN. They specialize in firewall appliances. We have already talked about this brand on STH's forum. They offer rack-mountable versions.

HUNSN: Firewall Appliance

What do you think of this one? It's not expensive.
https://www.amazon.com/HUNSN-Firewall-Appliance-OPNsense-RJ65/dp/B0DQQ169B6?ref_=ast_sto_dp&th=1

And this one?
https://www.amazon.com/HUNSN-Firewall-Appliance-OPNsense-RJ16/dp/B0DQPXG8Z6?ref_=ast_sto_dp&th=1
 

blunden

Well-Known Member
Nov 29, 2019
Is there a good Linux based firewall distro that's similarly easy to use for homelab-types as OPNsense and actually supports FD, VPP, DPDK, etc?
No, there are sadly not many easy-to-use router/firewall distros with VPP. VyOS supports it, but VyOS is CLI only. I run it at home (without VPP) and I find it reasonably easy to use once you get the hang of it, but it's certainly a learning curve for people used to clicking around a GUI. :)

They are supposedly still working on a hosted network controller GUI for it that looks pretty awesome in the concept images, but the CLI will still be the primary method of interaction as far as I know.

To me, the biggest downside with pfSense and OPNsense being based on FreeBSD is not VPP support (which has been ported to BSD too now if I'm not mistaken, although it will probably lag behind in terms of development), it's driver support. Not supporting modern NICs, sometimes for more than a year after release, isn't great. Neither is only supporting a few NIC vendors. People also seem to find it significantly slower than Linux-based options now (even with traditional kernel-based networking), at least without a bunch of tweaking. I'm not sure why, since I would expect them to be mostly on par.

In recent years we've seen more and more companies traditionally based on FreeBSD move to Linux (Juniper, iX Systems, Netgate, etc.), which also isn't a great sign for the health of FreeBSD. :(
 
Sep 7, 2022
No, there are sadly not many easy-to-use router/firewall distros with VPP. VyOS supports it, but VyOS is CLI only. I run it at home (without VPP) and I find it reasonably easy to use once you get the hang of it, but it's certainly a learning curve for people used to clicking around a GUI. :)

They are supposedly still working on a hosted network controller GUI for it that looks pretty awesome in the concept images, but the CLI will still be the primary method of interaction as far as I know.

To me, the biggest downside with pfSense and OPNsense being based on FreeBSD is not VPP support (which has been ported to BSD too now if I'm not mistaken, although it will probably lag behind in terms of development), it's driver support. Not supporting modern NICs, sometimes for more than a year after release, isn't great. Neither is only supporting a few NIC vendors. People also seem to find it significantly slower than Linux-based options now (even with traditional kernel-based networking), at least without a bunch of tweaking. I'm not sure why, since I would expect them to be mostly on par.

In recent years we've seen more and more companies traditionally based on FreeBSD move to Linux (Juniper, iX Systems, Netgate, etc.), which also isn't a great sign for the health of FreeBSD. :(
Oof, I didn't realize all those bigger names were moving to Linux... yeah FreeBSD/HardenedBSD seems to not be doing so well... Maybe I'll take a look at VyOS despite it being CLI only... I've got a little experience with it already through the old UI EdgeRouter-X platform and am pretty comfortable with CLI for switching at least... learning to turn VyOS into a firewall can't be that hard, right?? :D
 

hmw

Well-Known Member
Apr 29, 2019
Maybe I'll take a look at VyOS despite it being CLI only
Sadly there's a lot of current drama in VyOS-land ... see here: VyOS pulling their build tools to make own rolling/LTS builds easily and this article: Community, Contributors, User Base and LTS builds. If you donated $25 per month you would get an LTS ISO - now not only is that impossible, BUT you cannot build your own ISOs easily any more. There was a move to have a GUI for VyOS and they deprioritized it, claiming enterprise does not need one. Essentially they are looking for $$$ from enterprise users and don't care about homelab and home users any more.

OPNsense/Franco have made it clear that they will not be moving to Linux in the foreseeable future.
 
Sep 7, 2022
Sadly there's a lot of current drama in VyOS-land ... see here: VyOS pulling their build tools to make own rolling/LTS builds easily and this article: Community, Contributors, User Base and LTS builds. If you donated $25 per month you would get an LTS ISO - now not only is that impossible, BUT you cannot build your own ISOs easily any more. There was a move to have a GUI for VyOS and they deprioritized it, claiming enterprise does not need one. Essentially they are looking for $$$ from enterprise users and don't care about homelab and home users any more.

OPNsense/Franco have made it clear that they will not be moving to Linux in the foreseeable future.
Oh, they got bought by Broadcom... alright never mind lol. I'll probably stick with OPNsense anyway... it's a firewall after all, so HardenedBSD being much more secure than Linux is very desirable. Especially since I don't really need higher levels of performance than BSD can provide at the moment anyway.
 

blunden

Well-Known Member
Nov 29, 2019
Oof, I didn't realize all those bigger names were moving to Linux... yeah FreeBSD/HardenedBSD seems to not be doing so well... Maybe I'll take a look at VyOS despite it being CLI only... I've got a little experience with it already through the old UI EdgeRouter-X platform and am pretty comfortable with CLI for switching at least... learning to turn VyOS into a firewall can't be that hard, right?? :D
Most of them still have both FreeBSD and Linux based products, but the fact that they decided to recreate essentially the same product on Linux too is pretty telling.

Yes, it's very similar to the EdgeOS CLI, but VyOS is based on a later version of Vyatta and a lot of code has been rewritten or updated and a bunch of features added.

No, it's not all that hard but it's a bit time consuming doing it from scratch. :) My configuration file is roughly 1600 lines (created with 732 CLI commands), including IPv4, IPv6, NAT44 (SNAT, DNAT and Hairpin NAT rules), firewall, a Wireguard VPN server, DDNS, etc. Hairpin NAT was probably the most cumbersome thing as it doesn't generate those NAT rules for you automatically, unlike EdgeOS.

Sadly there's a lot of current drama in VyOS-land ... see here: VyOS pulling their build tools to make own rolling/LTS builds easily and this article: Community, Contributors, User Base and LTS builds. If you donated $25 per month you would get an LTS ISO - now not only is that impossible, BUT you cannot build your own ISOs easily any more. There was a move to have a GUI for VyOS and they deprioritized it, claiming enterprise does not need one. Essentially they are looking for $$$ from enterprise users and don't care about homelab and home users any more.

OPNsense/Franco have made it clear that they will not be moving to Linux in the foreseeable future.
There is a bit of drama, yes. It has been blown out of proportion in my opinion though. You get rolling releases and VyOS Stream releases for free. For a homelab, you don't need LTS releases. The rolling releases have been rock solid for me and lots of other people. :)

It's true that their main focus is enterprise customers, which is also true for pfSense and presumably also OPNsense. Unlike pfSense, you usually get the latest features as a free user on VyOS instead of an outdated "Community Edition" release that is missing features. OPNsense is also outdated in terms of features sometimes in the cases where they need to wait for Netgate to open source them. Netgate's VPP based pfSense alternative is not available for homelabs at all anymore.

It's no surprise that OPNsense (and presumably pfSense) will remain on FreeBSD. Moving to Linux would likely be a huge undertaking. I don't think pfSense will make the move either, but if they do I think OPNsense will be forced to sooner or later. After all, I don't think the OPNsense team makes a lot of major upstream contributions to FreeBSD. It's my understanding that the OPNsense project relies pretty heavily on Netgate's upstream contributions.

Oh, they got bought by Broadcom... alright never mind lol.
No, not even close. :D It's mostly a bunch of people whining because they can't just use the LTS images for free anymore.

If you don't need 10 Gbps or more, you should be fine with OPNsense. :)
 
Sep 7, 2022
No, not even close. :D It's mostly a bunch of people whining because they can't just use the LTS images for free anymore.

If you don't need 10 Gbps or more, you should be fine with OPNsense. :)
Yeah, I was misunderstanding some comments... Vyatta was sold to AT&T after Broadcom acquired Brocade, VyOS was forked from Vyatta Core way before that... my understanding of the "drama" is more around the passive aggressive tone in the blog post hmw linked, and yet another project with perceived abuse of open source restricting access to their code, but I don't pretend to follow FOSS drama all that closely.
 

blunden

Well-Known Member
Nov 29, 2019
Yeah, I was misunderstanding some comments... Vyatta was sold to AT&T after Broadcom acquired Brocade, VyOS was forked from Vyatta Core way before that... my understanding of the "drama" is more around the passive aggressive tone in the blog post hmw linked, and yet another project with perceived abuse of open source restricting access to their code, but I don't pretend to follow FOSS drama all that closely.
As far as I know the code remains open source. The problem is more that they stopped allowing you to download prebuilt packages from the LTS repo as a part of the build process so setting it up is more complex now as you need to build those as well. I could be wrong though as I stopped looking into the details after a while since it doesn't really affect me.

In the way I use it, everything is open source and I get the full feature set (now that VPP became available again for everyone). It has also been perfectly stable so far.
 
Sep 7, 2022
As far as I know the code remains open source. The problem is more that they stopped allowing you to download prebuilt packages from the LTS repo as a part of the build process so setting it up is more complex now as you need to build those as well. I could be wrong though as I stopped looking into the details after a while since it doesn't really affect me.

In the way I use it, everything is open source and I get the full feature set (now that VPP became available again for everyone). It has also been perfectly stable so far.
Yeah, it's "open source" but they're doing the thing some FOSSheads love to do and saying "well actually we're not REQUIRED to provide source code unless you ask for it, pay us, and only for the binaries you're specifically using!"
Their instructions for building it apparently don't work any more either, they removed the ability for donors to access prebuilt ISOs, and their blog posts about it have been extremely sarcastic and aggressive, on top of whining about having no contributors on a niche product that has suddenly become much harder to even use with their latest actions lol.
Seems like they're going down the well-trod path of shutting out and not caring about anyone but the top 10% of paying customers. Can't say I blame anyone for dropping them because of their shit attitudes.
 

Vesalius

Active Member
Nov 25, 2019
VyOS poorly communicated the shift from the old model, coupled with radio silence (and at least a couple of maintainers posting like a negate owner) and a delay in the first Stream release, which allowed in some legit suspicion and rumor that the end of homelab use was near. The first Stream release is out and rolling releases have continued though.

OPNsense is no longer HardenedBSD; it switched to FreeBSD a while back.
 

Anaerin

New Member
Dec 22, 2019
I know that pfSense is working on a wrapper using a barebones Linux in bhyve with PCI forwarding to enable newer Wifi support (and possibly other devices not supported by FreeBSD), though that's not out yet.
 

blunden

Well-Known Member
Nov 29, 2019
Yeah, it's "open source" but they're doing the thing some FOSSheads love to do and saying "well actually we're not REQUIRED to provide source code unless you ask for it, pay us, and only for the binaries you're specifically using!"
Their instructions for building it apparently don't work any more either, they removed the ability for donors to access prebuilt ISOs, and their blog posts about it have been extremely sarcastic and aggressive, on top of whining about having no contributors on a niche product that has suddenly become much harder to even use with their latest actions lol.
Seems like they're going down the well-trod path of shutting out and not caring about anyone but the top 10% of paying customers. Can't say I blame anyone for dropping them because of their shit attitudes.
It's building LTS releases that's hard. Building rolling releases works like before if I'm not mistaken. That source code is freely available, as is the Stream source code as far as I know (i.e. the code base for the next LTS).

In what way is it harder to use? Rolling releases and Stream releases are just as easy to use as before.

If some people didn't insist on going against the project's repeated explicit requests not to publish custom built LTS ISOs publicly (especially under the VyOS name) they might not have even made this change. Those people have mostly themselves to blame.

I know that pfSense is working on a wrapper using a barebones Linux in bhyve with PCI forwarding to enable newer Wifi support (and possibly other devices not supported by FreeBSD), though that's not out yet.
That sounds almost like back in the days of people using NDISwrapper to use Windows XP WiFi drivers in Linux. :D
 

kathampy

Member
Oct 25, 2017
The only routers capable of 10 Gbps with 64-byte packets (14.8 Mpps) use either VPP or an ASIC.

For low power consumption, you can get a FortiGate 90G for < $1000 that does line-rate 10 Gbps routing, ACLs, and NAT. It has a great user interface unlike other 10 Gbps line-rate solutions.
 
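A quick way to see where the 14.8 Mpps figure comes from, and why small frames are the hard case for any software router while large frames are easy (added example, not code from any post in this thread; the 3.0 GHz core clock is an assumed value):

```python
# Added example (not from the thread): why 64-byte line rate is the hard case.
# On the wire every Ethernet frame carries 20 bytes beyond the frame itself:
# 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 8 + 12

def line_rate_pps(link_gbps: float, frame_bytes: int) -> float:
    """Maximum packets per second a link can carry at a given frame size."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_gbps * 1e9 / bits_per_frame

def cycles_per_packet(core_ghz: float, pps: float) -> float:
    """CPU cycle budget per packet for a single core to keep up with pps."""
    return core_ghz * 1e9 / pps

def budget_table(link_gbps: float, core_ghz: float, sizes=(64, 512, 1518)):
    """Return {frame_size: (Mpps, cycles per packet)} for a link and core clock."""
    table = {}
    for size in sizes:
        pps = line_rate_pps(link_gbps, size)
        table[size] = (round(pps / 1e6, 2), round(cycles_per_packet(core_ghz, pps), 1))
    return table

if __name__ == "__main__":
    # Assumed 3.0 GHz core; a kernel stack typically needs far more than ~200
    # cycles per packet, which is why 10G at 64 bytes needs VPP/DPDK or an ASIC.
    for link in (10, 100):
        print(f"{link} Gbps, one 3.0 GHz core:")
        for size, (mpps, cyc) in budget_table(link, 3.0).items():
            print(f"  {size:5d}-byte frames: {mpps:8.2f} Mpps, {cyc:8.1f} cycles/pkt")
```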

WhiteNoise

Member
Jan 20, 2024
In my experience, I agree with @kathampy, which is why I am skeptical of the Ubiquiti claims.

The Qualcomm chip has some hardware offloading (like most home router SoCs, from Broadcom and Mediatek). They usually implement NAT and L2 switching. These hardware offloads are power efficient but completely bypass the OS and CPU. When you want to do something more or something else, you can't use them.

DPDK-based solutions also bypass the OS (not the CPU), but you get a full-featured networking stack that runs in userland. You also get various degrees of hardware acceleration depending on the NIC.
 

Scott Laird

Well-Known Member
Aug 30, 2014
The only routers capable of 10 Gbps with 64-byte packets (14.8 Mpps) use either VPP or an ASIC.

For low power consumption, you can get a FortiGate 90G for < $1000 that does line-rate 10 Gbps routing, ACLs, and NAT. It has a great user interface unlike other 10 Gbps line-rate solutions.
I don't think that's *quite* true; I was able to get 18+ Mpps through VyOS on an MS-A2, and I think I was actually running out of steam on my traffic generator (TRex w/ ConnectX-4), not the VyOS box, although it was close. With larger frames I was getting just shy of 100 Gbps. So it can be done, but it takes a moderately large amount of CPU and it draws a lot of power at full speed.

If you didn't care about NAT, then you could *probably* get most of 10G out of a Juniper MX150. They're around $1k used, but you can get a NFX250 for ~$250 and reflash it with a minor amount of work. IIRC they're DPDK under the hood, not VPP, but that's a bit of a quibble. I haven't actually tested their small-frame performance.

The Fortinet is probably a good choice, if you can cope with whatever their licensing model is right now. I haven't actually used one, but their specs look nice.

Having said all that, I don't really think many home users really need to worry about 10G of 64-byte frames. Downloads, backups, etc. are all large frames and should eat up the bulk of the bandwidth.
 

Scott Laird

Well-Known Member
Aug 30, 2014
I don't think that's *quite* true; I was able to get 18+ Mpps through VyOS on an MS-A2, and I think I was actually running out of steam on my traffic generator (TRex w/ ConnectX-4), not the VyOS box, although it was close. With larger frames I was getting just shy of 100 Gbps. So it can be done, but it takes a moderately large amount of CPU and it draws a lot of power at full speed.

If you didn't care about NAT, then you could *probably* get most of 10G out of a Juniper MX150. They're around $1k used, but you can get a NFX250 for ~$250 and reflash it with a minor amount of work. IIRC they're DPDK under the hood, not VPP, but that's a bit of a quibble. I haven't actually tested their small-frame performance.

The Fortinet is probably a good choice, if you can cope with whatever their licensing model is right now. I haven't actually used one, but their specs look nice.

Having said all that, I don't really think many home users really need to worry about 10G of 64-byte frames. Downloads, backups, etc. are all large frames and should eat up the bulk of the bandwidth.
...but 16 beefy AMD cores is a *far* cry from 4 small ARM cores, even with some offloading assistance. I'm getting really tired of seeing 4x decade-old ARM cores in allegedly high-performance networking devices. Something *always* breaks their offloading, and then you run out of CPU a couple milliseconds later.
 

kathampy

Member
Oct 25, 2017
On the FortiGate-VM, it seems that DPDK does not disproportionately increase the throughput of 64-byte packets. The performance seems to be doubled for all packet sizes, which still falls short of line-rate. Take a look at the VM-02S, vSPU On, Firewall Throughput results. This is for a single CPU core used for I/O. The results do seem low compared to DPDK numbers others have reported on other platforms.

For comparison, here are the numbers for the FortiGate 90G with its ASIC for < $1,000. It does line-rate for all packet sizes.
 