OPNsense vs. pfSense Round 3: Backups

Categories: OPNsense, pfSense

Restoration from backups works well for both OPNsense and pfSense, but the way backups are created is very different.

pfSense:

pfSense has the now free-of-charge ACB (Auto Configuration Backup) module. This used to be a sweetener for people who paid for pfSense Gold, which was a nice way for home users or small biz users to show Netgate some love without breaking the bank. Now it is part of pfSense out of the box. It can send an encrypted backup when manually triggered, when changes are made, or on a schedule.

Two issues with this:

1) The backup destination is a Netgate server. Recovering a config.xml after some catastrophe depends on your access to and relationship with the company.

2) The “Automatically backup on every configuration change” trigger is really bad. Here is an example why: The other day we had to modify an attribute on 80+ objects. With pfSense this means we are potentially pushing a backup out every time we hit save. This slows down the save and also means older backups are being pushed out.

The documentation says:

Some minor configuration changes are safely ignored if they do not impact functionality.

It is not clear which cases will trigger a backup and which won’t. You can protect manually triggered backups from automatic deletion, but the problem remains. Changing 80 attributes and hitting Save 80x means you may now have 80 backups from today and you have obsoleted a bunch of older ones that may have been more useful. Of course the obvious workaround is to make a manual backup, disable ACB, make your 80 changes, then turn ACB back on. Alternatively, just set it to a “once a day” sort of schedule, but the side effect there is that after 100 days of not making any changes, all your backups are the same. Want to roll back to the one before your last change 101 days ago? It’s gone.

OPNsense:

Absolutely fantastic. Out of the box you can back up to Nextcloud or Google Drive. I have also seen a git plugin so you can track changes in GitHub or GitLab, but I did not test this plugin. I have tested Nextcloud and Google Drive. In terms of scheduling, OPNsense nailed it out of the box. To quote from the documentation:

After set-up, the backup feature will run a first backup of the OPNsense configuration file. Then, if the configuration is subsequently changed, a new backup will be run. Only one backup is run per day after configuration changes.
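The retention argument in the pfSense section and the OPNsense schedule quoted above can be compared side by side. The following is an added example, not code from either project: it models a rotating backup store under the three triggers, and the 100-slot cap, oldest-first eviction and the timeline are assumptions constructed for illustration.

```python
from collections import deque

CAP = 100  # assumed number of retained backups; the oldest is evicted first

def simulate(policy, saves_per_day, cap=CAP):
    """Return the (day, revision) backups left in the store after the timeline.

    saves_per_day[d] is how many times Save was hit on day d. The revision
    counter increases with every save, so two backups with the same revision
    hold an identical config.xml.
    """
    store = deque(maxlen=cap)   # appending beyond cap silently drops the oldest
    revision = 0
    last_backed_up = None
    for day, saves in enumerate(saves_per_day):
        for _ in range(saves):
            revision += 1
            if policy == "every_change":          # backup pushed on each save
                store.append((day, revision))
        if policy == "daily":                     # fixed schedule, changed or not
            store.append((day, revision))
        elif policy == "daily_if_changed" and revision != last_backed_up:
            store.append((day, revision))         # at most one per day, only after a change
            last_backed_up = revision
    return list(store)

def summary(backups):
    """Count stored backups, distinct configurations, and the oldest day kept."""
    return {
        "stored": len(backups),
        "distinct_configs": len({rev for _, rev in backups}),
        "oldest_day": min(day for day, _ in backups),
    }

# Constructed timeline: 30 days with one change each, one day with 80 saves
# (the bulk attribute edit), then 110 days without any change.
TIMELINE = [1] * 30 + [80] + [0] * 110
BEFORE_BULK_EDIT = (29, 30)  # last backup taken before the 80-save day

if __name__ == "__main__":
    for policy in ("every_change", "daily", "daily_if_changed"):
        kept = simulate(policy, TIMELINE)
        print(f"{policy:17} {summary(kept)} "
              f"pre-edit config kept: {BEFORE_BULK_EDIT in kept}")
```

In this model the per-change trigger spends 80 of its 100 slots on a single day and evicts the ten oldest backups, the fixed daily schedule ends up with 100 copies of one configuration and no pre-edit state, and the change-aware daily trigger keeps all 31 distinct daily states in 31 slots.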

Verdict:

Point goes to OPNsense because the backup scheduling is more sensible and you have data sovereignty. Access to your offsite backup is not contingent on your relationship with the company.
