Router on Backend Engineering Strategy Tools

Firewall and router OS options

Fri, 22 May 2026 00:00:00 +0000

Options for running a software-defined firewall or router, from homelab appliances to full routing OS deployments.

The main split: appliance vs routing OS

Most options fall into one of two categories:

Firewall appliances (OPNsense, pfSense, IPFire) — web UI-first, designed around the perimeter firewall use case. NAT, DHCP, DNS, VPN, IDS/IPS out of the box. Routing is possible but secondary.

Routing operating systems (VyOS, MikroTik RouterOS, FRRouting) — CLI-first, designed around dynamic routing protocols (BGP, OSPF). Firewall rules exist but feel like an afterthought compared to the routing capabilities.

For a homelab perimeter gateway: appliance. For BGP peering, complex routing topologies, or network-as-code: routing OS.

OPNsense

Open-source firewall and routing platform based on FreeBSD. Fork of pfSense, with a stronger emphasis on community ownership and more frequent security updates.

Full gateway function: stateful firewall, NAT, DHCP, DNS (Unbound), TFTP/PXE, VPN (WireGuard, OpenVPN, IPsec), traffic shaping, IDS/IPS (Suricata), DDNS.

BGP is available via the FRRouting plugin but is not a first-class feature — VyOS is better suited for BGP-heavy setups.

→ OPNsense reference

Best for: homelab perimeter gateway, home network, small office. The current actively-maintained community fork of the pfSense lineage.

pfSense

The original FreeBSD-based firewall appliance. Same underlying capabilities as OPNsense — they share a common ancestor (m0n0wall).

Now owned by Netgate. The Community Edition (CE) remains open source; pfSense Plus is commercial and ships only on Netgate hardware or as a cloud image. Development focus has shifted toward Plus; CE updates have been slower.

The practical difference between OPNsense and pfSense CE is increasingly small at the feature level. The main reasons to choose one over the other are familiarity, UI preference, and update cadence. OPNsense is the more actively developed option for community use.

Best for: environments where pfSense is already deployed, or where existing documentation/tooling targets it.

VyOS

Open-source network OS built on Debian. Configured via a CLI with a commit/rollback model (similar to Juniper JunOS). Native BGP, OSPF, IS-IS via FRRouting.

Configuration is declarative and version-controlled — the entire running config is a text file, which makes it automation-friendly (Ansible, Terraform).

The rolling release is free; LTS releases require a subscription.

→ VyOS reference

Best for: BGP peering, complex routing topologies, automation-driven network config, VM-based routing inside a cluster.

MikroTik RouterOS

Commercial OS that runs on MikroTik hardware and as a VM (CHR — Cloud Hosted Router). Full routing OS with BGP, OSPF, MPLS, and a firewall. Configured via Winbox GUI, web UI, or CLI.

Very capable at the price point. Hardware is inexpensive. The learning curve is steeper than OPNsense but shallower than VyOS for most tasks. Community is large and documentation is thorough.

CHR (the VM version) is free for speeds up to 1Mbps; licensed tiers above that. On physical hardware, the license is included.

Best for: cost-conscious deployments that need routing features, or environments already using MikroTik hardware.

IPFire

Linux-based firewall focused on simplicity and security hardening. Web UI, stateful firewall, IDS (Snort/Suricata), VPN (OpenVPN, WireGuard, IPsec), proxy.

Less feature-rich than OPNsense but lighter and more opinionated. No BGP. Easier to get to a secure baseline quickly.

Best for: simple gateway where you want a small attack surface and don’t need advanced routing or a plugin ecosystem.

Untangle / Arista Edge Threat Management

Commercial product with a free tier (NG Firewall). Web UI, application-layer filtering, content inspection, threat management features. More enterprise-oriented than the others.

Requires registration. The free tier is limited; the feature set that differentiates it from OPNsense is mostly in the commercial tiers.

Best for: environments that need application-layer filtering with a managed UI, or commercial support requirements.

Comparison

	OPNsense	pfSense CE	VyOS	MikroTik RouterOS	IPFire
Base OS	FreeBSD	FreeBSD	Debian	Proprietary	Linux
Primary interface	Web UI	Web UI	CLI	Winbox / CLI	Web UI
BGP / OSPF	Plugin (FRR)	Plugin (FRR)	Native (FRR)	Native	No
IDS/IPS	Suricata	Snort/Suricata	No	No	Snort/Suricata
WireGuard	Yes	Yes (Plus)	Yes	Yes	Yes
DDNS	Yes	Yes	Via script	Yes	Yes
Cost	Free	Free (CE)	Free (rolling)	Hardware license	Free
Community	Active	Slowing (CE)	Active	Active	Active

OPNsense

Thu, 14 May 2026 00:00:00 +0000

OPNsense is an open-source firewall and routing platform based on FreeBSD. It is a fork of pfSense, with a stronger emphasis on community ownership, a cleaner UI, and more frequent security updates. Both are descendants of m0n0wall.

It covers the full gateway function: stateful firewall, NAT, DHCP, DNS, TFTP, VPN, traffic shaping, and IDS/IPS — all through a web UI or via the API.

Feature overview

Feature	Notes
Stateful firewall	Zone-based rules, aliases, scheduling
NAT	Outbound, inbound (port forwarding), 1:1
DHCP	ISC DHCPv4 and Kea; supports network boot options
DNS	Unbound resolver with DNSSEC; optional forwarding
TFTP	Simple server at `/usr/local/tftp`; used for PXE boot
VPN	WireGuard, OpenVPN, IPsec
IDS/IPS	Suricata integration
Traffic shaping	HFSC, PRIQ, CAKE
BGP / routing	FRRouting plugin available (not enabled by default)

OPNsense vs pfSense vs VyOS

	OPNsense	pfSense	VyOS
Base	FreeBSD	FreeBSD	Debian Linux
License	BSD (true FOSS)	BSL (mixed)	GPL
Model	Firewall appliance	Firewall appliance	Network OS
Config interface	Web UI + API	Web UI	CLI (commit/rollback)
BGP	Via FRRouting plugin	Via FRRouting plugin	Native (FRRouting built-in)
Typical use	Edge gateway, firewall	Edge gateway, firewall	Router, BGP peer, lab router VM

OPNsense and pfSense are both appliance-style: you configure them through a UI and they manage all the underlying services for you. VyOS is a network OS in the Juniper/Cisco tradition — CLI-first, commit/rollback, intended for use as a router or BGP peer rather than a full gateway appliance.

OPNsense documentation
OPNsense plugins
iPXE + OPNsense — PXE boot configuration via OPNsense DHCP and TFTP
OPNsense in the homelab — current setup and planned redo

VyOS

Thu, 14 May 2026 00:00:00 +0000

VyOS is an open-source network operating system built on Debian Linux. It runs on bare metal or as a VM, and is configured via a CLI with a commit/rollback model similar to Juniper JunOS. Configuration changes are staged and only take effect when you explicitly commit — there is no live-editing a running config and hoping nothing breaks.

It ships FRRouting (FRR) as the routing engine, giving it native support for BGP, OSPF, IS-IS, and other protocols. This is its main distinction from OPNsense for homelab use: OPNsense is a firewall appliance that can do some routing; VyOS is a routing OS that can also do firewall.

Configuration model

vyos@router# set interfaces ethernet eth0 address '192.168.1.254/24'
vyos@router# set protocols bgp system-as '65001'
vyos@router# commit
vyos@router# save

configure enters configuration mode. set stages a change. commit applies it. save persists it to disk. rollback reverts to the last committed state if something goes wrong. The separation between staging and applying is genuinely useful when changing routing configuration remotely.

Key features

Feature	Notes
BGP	Via FRRouting; full eBGP/iBGP support
OSPF / IS-IS	Also via FRR
Static routing	Standard
VLAN	802.1Q trunking
NAT	Source and destination NAT
Firewall	Zone-based, stateful
WireGuard	Built-in
OpenVPN	Built-in
DHCP server	Built-in
VXLAN	Supported

VyOS vs OPNsense

VyOS is the right choice when you want a dedicated BGP peer or a router VM with a clean CLI config model. OPNsense is the right choice when you want a full gateway appliance with a web UI.

Automation

VyOS is designed to be automated — the commit/rollback model maps cleanly onto infrastructure-as-code workflows.

REST API — built-in HTTP API for retrieving and applying configuration programmatically. Useful for scripting config changes without SSH.

Ansible — official vyos.vyos collection on Ansible Galaxy. Modules for interfaces, BGP, firewall rules, and more. Changes go through the normal commit/rollback cycle.

Terraform — community provider available. Less mature than the Ansible collection but usable for provisioning router config alongside other infrastructure.

VyOS documentation
VyOS REST API
VyOS Ansible collection
VyOS rolling release downloads
BGP — protocol background
OPNsense — the complementary edge gateway
VyOS + BGP in the homelab — the actual setup

Router on Backend Engineering Strategy Tools

Firewall and router OS options

The main split: appliance vs routing OS

OPNsense

pfSense

VyOS

MikroTik RouterOS

IPFire

Untangle / Arista Edge Threat Management

Comparison

Further reading

OPNsense

Feature overview

OPNsense vs pfSense vs VyOS

Related

VyOS

Configuration model

Key features

VyOS vs OPNsense

Automation

Related