OPNsense vs. pfSense Round 5: BGP routing with FRR

Categories: OPNsense, pfSense

Both OPNsense and pfSense offer FRR. FRR is very versatile. It offers OSPF, BGP etc. At work we use BGP to route some IPv4 and IPv6 prefixes. I wanted to test both but can only use pfSense. More on that below:

pfSense:

Offers FRR version 7.5.1. Latest version. Jim Pingle (who is a Saint, btw) was the Netgate insider who championed bringing FRR to pfSense and maintaining it. FRR 7.5.1 can handle RPKI and session authentication. This here is a feature most upstreams will demand:

pfSense also has RPKI capabilities built into the GUI. RPKI validation and filtering are a trending topic right now and are deemed best current practice in 2021. The RIR such as RIPE, ARIN, APNIC etc, MANRS, Cloudflare and several Tier 1 carriers are pushing adoption. pfSense 2.5.1 with FRR 7.5.1 can be easily set up as a relying party to your RPKI Validator over RTR (1).

OPNsense:

Uses FRR 7.4.9 and has neither RPKI nor session authentication capabilities. People asked in various github issues about exposing custom configuration options in the GUI and the OPNsense response is always NO. They really do not like text boxes for custom options. WYSIWYG. In this case, critical features are missing and the user has no recourse. In pfSense you can always work around GUI limitations

In OPNsense choices are made for you and if a feature is taken away or lacking you are out of luck unless you are a dev and can get a PR accepted in github.

Verdict:

Point goes to pfSense. No doubt whatsoever. You can run a full IXP / ISP with pfSense using 2021 best current practices.

Nothing is lacking in the GUI and if you need something exotic you can create a RAW CONFIG and do anything FRR 7.5.1 can do. OPNsense in its current state is not suitable for most IXP / ISP operations.

RPKI and neighbor session authentication are must-have features. Similar to the issues I have with the way they handle tls-crypt in OpenVPN OPNsense are making choices for you that may or may not work for you. I can see where OPNsense are coming from. They’re trying to be good shepherds and not give you any ammo to shoot yourself in the foot with but is this an Enterprise Grade firewall / router product or a $99.00 Disney Router from Best Buy ? Don’t be Apple, don’t curate for me.

(1) RPKI / RTR Explainer

«
»

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.