https://backend-engineering-strategy-tools.github.io/site/tags/freebsd/Recent content in Freebsd on Backend Engineering Strategy ToolsHugo -- gohugo.ioen-usThu, 14 May 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/networking/opnsense/Thu, 14 May 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/networking/opnsense/<p>OPNsense is an open-source firewall and routing platform based on FreeBSD. It is a fork of pfSense, with a stronger emphasis on community ownership, a cleaner UI, and more frequent security updates. Both are descendants of m0n0wall.</p> <p>It covers the full gateway function: stateful firewall, NAT, DHCP, DNS, TFTP, VPN, traffic shaping, and IDS/IPS — all through a web UI or via the API.</p> <hr> <h2 id="feature-overview">Feature overview </h2><table> <thead> <tr> <th>Feature</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Stateful firewall</td> <td>Zone-based rules, aliases, scheduling</td> </tr> <tr> <td>NAT</td> <td>Outbound, inbound (port forwarding), 1:1</td> </tr> <tr> <td>DHCP</td> <td>ISC DHCPv4 and Kea; supports network boot options</td> </tr> <tr> <td>DNS</td> <td>Unbound resolver with DNSSEC; optional forwarding</td> </tr> <tr> <td>TFTP</td> <td>Simple server at <code>/usr/local/tftp</code>; used for PXE boot</td> </tr> <tr> <td>VPN</td> <td>WireGuard, OpenVPN, IPsec</td> </tr> <tr> <td>IDS/IPS</td> <td>Suricata integration</td> </tr> <tr> <td>Traffic shaping</td> <td>HFSC, PRIQ, CAKE</td> </tr> <tr> <td>BGP / routing</td> <td>FRRouting plugin available (not enabled by default)</td> </tr> </tbody> </table> <hr> <h2 id="opnsense-vs-pfsense-vs-vyos">OPNsense vs pfSense vs VyOS </h2><table> <thead> <tr> <th></th> <th>OPNsense</th> <th>pfSense</th> <th>VyOS</th> </tr> </thead> <tbody> <tr> <td>Base</td> <td>FreeBSD</td> <td>FreeBSD</td> <td>Debian Linux</td> </tr> <tr> <td>License</td> <td>BSD (true FOSS)</td> <td>BSL (mixed)</td> <td>GPL</td> </tr> <tr> <td>Model</td> <td>Firewall appliance</td> <td>Firewall appliance</td> <td>Network OS</td> </tr> <tr> <td>Config interface</td> <td>Web UI + API</td> <td>Web UI</td> <td>CLI (commit/rollback)</td> </tr> <tr> <td>BGP</td> <td>Via FRRouting plugin</td> <td>Via FRRouting plugin</td> <td>Native (FRRouting built-in)</td> </tr> <tr> <td>Typical use</td> <td>Edge gateway, firewall</td> <td>Edge gateway, firewall</td> <td>Router, BGP peer, lab router VM</td> </tr> </tbody> </table> <p>OPNsense and pfSense are both appliance-style: you configure them through a UI and they manage all the underlying services for you. <a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/networking/vyos/" >VyOS</a> is a network OS in the Juniper/Cisco tradition — CLI-first, commit/rollback, intended for use as a router or BGP peer rather than a full gateway appliance.</p> <hr> <h2 id="related">Related </h2><ul> <li><a class="link" href="https://docs.opnsense.org/" target="_blank" rel="noopener" >OPNsense documentation</a></li> <li><a class="link" href="https://github.com/opnsense/plugins" target="_blank" rel="noopener" >OPNsense plugins</a></li> <li><a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/hardware/hardware-provisioning/ipxe-opnsense/" >iPXE + OPNsense</a> — PXE boot configuration via OPNsense DHCP and TFTP</li> <li><a class="link" href="https://backend-engineering-strategy-tools.github.io/site/homelab/opnsense/" >OPNsense in the homelab</a> — current setup and planned redo</li> </ul>