Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Networking Open Source Operating Systems Upgrades BSD

FreeBSD-Powered Firewall Distro OPNsense 16.1 Released ( 64

An anonymous reader writes: OPNsense, the open-source firewall project powered by FreeBSD that began as a fork of pfSense, is out with a new release. OPNsense 16.1 was developed over the past half-year and is a big update. OPNsense 16.1 has upgraded to using a FreeBSD 10.2 base, support for a high-speed IPS mode, a redesigned captive portal, firewall improvements, and a wide range of other work.
This discussion has been archived. No new comments can be posted.

FreeBSD-Powered Firewall Distro OPNsense 16.1 Released

Comments Filter:
  • am i the only one who read it as opnonsense?

    • Yes, you are.
  • by Anonymous Coward

    How about linking to the site instead of the clickbait at Phoronix ?

  • Why they forked (Score:5, Informative)

    by ilsaloving ( 1534307 ) on Thursday January 28, 2016 @03:51PM (#51390879)

    My most immediate question, before even reading the feature set, was why they forked in the first place. I had to do some digging (ie: click multiple links and read a couple different pages to find what I was looking for), so to save others time, here's the why: []


    We had technical reasons to fork. As much as we love the functionality/feature set of pfSense, we do not enjoy the code quality and anarchistic development method. We like structure, achievable goals set forth in a roadmap with regular releases and a decent framework.

    On the security part the main issue was the need to separate logic. The GUI should not perform tasks that require root access.

    As for quality, all new features will be built using a solid framework with a Model View Controller. For this purpose we choose Phalcon as it is the fastest open source PHP framework available. And we will gradually migrate parts inherited from pfSense to the new framework to avoid a big-bang approach.

    A thriving community can only exist when people are willing to share. We want to make it easier for people to join and help to build the community. With pfSense this has been rather difficult as the tools to build it are difficult to use and often do not work in the first few attempts. And since 2014 year they are not freely available any more, you need to apply for access with ESF. We believe a good open source project has nothing to hide so access to the sources should be there for all. It will remain a mystery why ESF made that move as commit rights and read rights are totally different.

    ESF has since changed their policy and the source code is now available under their 6 clause ESF license.


    A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license had changed for no apparent reason
    Restore a firm open source project

    With OPNsense we have restored a stable project with clear goals and a very simple license that is suitable for forking and making OEM versions. We think a community project is there for all to use and work with.

    • by cHiphead ( 17854 )

      The OPNsense project wants to partner with business and make a success of it together. This is why we have a partner program where businesses get project benefits while supporting the project financially.

      To get listed as partner of the OPNsense project means an annual investment of € 2500.
      Special partners are assigned the Platinum Partner status. These are the partners that made an exceptional contribution to the project.

      Meet the new boss, same as the old boss.

      These guys just want their version to be the go to version so they can cash in on OSS on their chosen terms instead of ESF's, all while riding others works...

      • Re:Why they forked (Score:4, Insightful)

        by thoromyr ( 673646 ) on Thursday January 28, 2016 @05:01PM (#51391479)

        how are they "cashing in"? If it is freely available, open source, and under a mainstream license (such as Apple, BSD, GPL, Apache) then there are about two ways to make money off of it:

        1) sell customized versions
        2) reputation from the product

        Neither one seems like "cashing in" as it requires them to do work. And the licensing was only one part identified (such as separation of privileges is a failure major point) so "their chosen terms instead of ESF's" is focusing on a single part of the reason.

        In fact, the only people who I can see having a gripe would be ESF as this dilutes "their product". Welcome to the world of open source...

      • by swb ( 14022 )

        Does anyone have real complaints about Netgate's cashing in?

        The product AFAICT remains free to use. About the worst it has gotten might be the "Gold" menu that shows up in the UI.

        I guess at some point it's not hard to see why there's some level of monetization of these projects and that it's not necessarily a bad thing. It might maintain some development focus and quality and semblance of stability, especially if it staves off some of the fragmentation and forking into a half-dozen similar projects, all o

    • Re:Why they forked (Score:4, Informative)

      by Fez ( 468752 ) on Thursday January 28, 2016 @05:43PM (#51391773)

      [Disclaimer: I am a pfSense dev of many years and an ESF Employee]
      The bulk of that notice is the very definition of FUD.

      First: Fear of going closed source. pfSense was never "closed source" (any part of it), and was never not "freely available" despite what they attempt to claim about policy changes. The only time the build tools were inaccessible was for a couple days while the repo was being moved to a private git server. (And it's since been moved back to github, and later made obsolete when the build process was rewritten).

      Second: Uncertainty about "direction" -- there have been many blog posts on about the direction the project is going. There is no problem with transparency except what they are dreaming up. Also, OPNsense is run by Deciso, no mention of that in there, so much for transparency.

      Third: Doubt -- vague accusations of code and development quality trying to make people doubt the pfSense project source in general.

      • Re:Why they forked (Score:5, Informative)

        by saleenS281 ( 859657 ) on Thursday January 28, 2016 @06:27PM (#51392085) Homepage
        As a user (still on pfsense) who watched it all go down, I'm going to scream BS. ESF basically shut down the build tools and went *COMPLETELY DARK* for almost two weeks as I recall it. Not responding to anybody, and basically saying "give us time to figure out what we're going to do". You guys were pissed that there were third parties selling hardware when that was your primary source of revenue, and nobody had any idea what your plans were.

        After much outcry from the community, things slowly started opening back up. If nothing else, OPNsense seemed to kick the team in the ass to actually make a GUI that doesn't look like it's from the early 90s. I love pfsense, but this whole "we didn't do anything wrong, we have no idea why they reacted like that" is complete and utter bullshit. You guys made it very clear your intent was to stop other people from selling hardware using the PFsense logo/name, and were originally planning on making it EXTREMELY difficult for people to make customized builds of pfsense as a way to accomplish that.
        • Re:Why they forked (Score:5, Informative)

          by Fez ( 468752 ) on Thursday January 28, 2016 @06:41PM (#51392169)

          The problem was not people selling hardware including an unmodified version of pfSense. That's fine and always has been. The problem was people taking pfSense, modifying it in unknown ways, building their own copy and selling the result as still being pfSense, which it wasn't at that point. It was a trademark violation to do that. That and some others were using the trademark inappropriately in various ways on their web sites. See [] for some more background (it's been posted elsewhere but I had that link handy)

          That's like someone buying Coke, adding their own unknown ingredients, re-bottling it, and selling it as Coke. I doubt Coke would be very happy about that, either. Same thing with Mozilla and Firefox vs Iceweasel. The same resolution there applies here as well. Name the product something different and clearly distinct, removing the name "pfSense" and logo, but keeping the copyright/license notices, and then there would not have been a trademark issue.

          We had some vendors that were making some really weird changes and then people were coming to us for support on things we didn't do, questioning why things were broken, etc. Since it was still called "pfSense" and it had code we didn't write and wasn't in our repository, there was a lot of confusion even outside the legal problems...

  • no complaints so far (Score:5, Informative)

    by epine ( 68316 ) on Thursday January 28, 2016 @03:57PM (#51390917)

    I've been running two instances for about six months. Both have been totally stable. Neither is presently configured to do much beyond basic firewall, dhcpd, and name server duties. I have no complaints.

    I chose OPNsense over pfSense because their roadmap made vague claims about becoming closer to base FreeBSD, and since I'm running plenty of FreeBSD and PC-BSD elsewhere, the closer the better. I had not at that time encountered the highly charged discussions that took place between the two teams.

    As much as OPNsense has worked out for me so far, it has certainly lacked the polish of a larger project. Some of the documentation was scanty to non-existent. So I'll be waiting a good four weeks before updating these hosts.

    I did have one issue associated with a old PCI-based Intel network card. There's this thing about whether this card delivers interrupts as an electric signal or as a data packet. This particular card is right on the brink of when one method gave way in favour of the other. It has some ability to emulate the packet method, but obviously it's not rock solid, because the card would freeze up for ten minutes at a time once or twice a week. Then a watchdog would reset it and all would be normal again.

    My fussing with sysctl didn't manage to lock the card into the right mode, for whatever reason, so I pulled the card and switched to the on-board LAN port (some ostensibly crappier thing) and it's worked perfectly ever since.

    Congratulations to the OPNsense team for getting this far. I look forward to another uneventful six months.

    • by Anonymous Coward

      Just a quick question. How well does the CARP work with this using the captive portal?

      That is a setup with two firewalls using CARP both inside and outside and requiring users inside to authenticate using the captive portal.

      We had pfSense 1.2 to 2.1 and it worked pretty nice, but since 2.2 upgrade it was broken (freebsd carp was rewritten or something like that and it broke lot of thing). I haven't had a look since september, I'm now running ESX virtualised and that takes care of clustering, but maintenance

      • by LDAPMAN ( 930041 )

        I'm not sure why your being so apologetic. pfSense makes a BETTER firewall than many commercial options.

  • This project seems like a joke in many ways despite having valid goals. They also took over the m0nowall domains from it's creator and instead of maintaining them as-is, they redirect to their own domain and crown themselves as successors to the legacy of that project, when really, pfSense is that.
    • by Anonymous Coward

      You should really learn how to use search engines:

      m0n0wall, from the get go, endorsed OPNsense on their own :)

    • by cHiphead ( 17854 )

      TThey also took over the m0nowall domains from it's creator and instead of maintaining them as-is, they redirect to their own domain and crown themselves as successors to the legacy of that project, when really, pfSense is that.

      If that m0n0wall piece is true, these guys are obviously looking more at $ and not community.

Overflow on /dev/null, please empty the bit bucket.