Evaluating OPNsense versus Netgate Firewall Reliability

Asked By TechWanderer42 On

I'm looking to upgrade my perimeter firewall soon, moving away from my current SonicWall NSA-series appliance due to rising costs of security service licenses. I'm considering transitioning to an open-source solution like OPNsense or pfSense, and I'm particularly interested in the hardware options available: the Netgate 8300 series and the OPNsense DEC4240 appliance. I'd love to hear your thoughts on their overall reliability for a high availability setup, as we'll be deploying two units in an HA configuration with a hot standby. Additionally, insights on the efficiency of their web-filtering and anti-malware plugins, experiences with ZenArmor (especially regarding stability, performance, and configuration ease), as well as their longevity in terms of lasting over five years would be greatly appreciated.

5 Answers

Answered By FirewallFanatic23 On

It's tough to predict if these devices will reliably last five years unless you're looking at models that are already aged. Just a heads up, the hardware for pfSense comes from an Israeli company, if that influences your choice at all.

Answered By SecuritySeeker25 On

In 2025, I think web filtering should mainly be handled on the endpoint rather than through the firewall. It's resource-heavy and can lead to issues, plus many websites have mTLS or pinned certificates that can cause headaches for firewall filtering. It can lead to complaints about slow internet or broken sites, so it might be worth considering managing it differently altogether.

Answered By SysAdminSage On

I've got several OPNsense appliances in place and they're doing great. If something goes wrong, accessing the console is easy with a mini USB cable. But just a note: I find pfSense has better web filtering options with its squidGuard plugin, while OPNsense's web proxy blocklist is quite limited. But really, with most sites on HTTPS now, the effectiveness of firewall filtering can diminish unless you go for SSL MITM, which can complicate things.

Answered By PacketProwler99 On

Just so you know, web filtering on OPNsense can be quite a task since it doesn't have a straightforward 'enable' option. You'll need to install plugins and manage everything yourself, which can be a pro or a con depending on your organization's needs.

AdminGuru -

Yeah, it does require more hands-on management. If you prefer less hassle, pfSense might be the way to go.

Answered By NetworkNinja88 On

I've used OPNsense and it has a friendly interface with a lot of packages available, which is a nice touch. I haven't used their hardware specifically, but from what I've seen, it's user-friendly and good for manageable installations.
