Do you remember when you purchased your Wi-Fi router? Probably not. If you’re like most people, you likely got it from your ISP potentially many years ago. Here’s another question: when was the last time you updated its firmware? Never? Highly likely.
I’ve been using the excellent (and free) pfSense CE and OPNsense firewall and router software for a while now, and I wouldn’t go back to an off-the-shelf router. Below are six reasons why.
1 Open Source Security
Both pfSense CE and OPNsense are based on FreeBSD, a Unix-based open-source operating system known for its focus on security. Because they’re open-source applications, security researchers can review the codebase to ensure the software does what it’s supposed to and doesn’t contain any apparent bugs or vulnerabilities.
By comparison, most off-the-shelf commercial routers run proprietary code that outsiders cannot review. You have to hope the developers of that software have robust cybersecurity practices and test things rigorously.
2 Frequent Updates
Many commercial router manufacturers seldom update their products’ firmware. They tend to focus on bringing the next model to market rather than updating older products. That may make business sense, but it’s bad security practice. People often keep their commercial routers for ten-plus years without ever updating their firmware.
If you use pfSense CE or OPNsense, you get frequent updates to protect you from emerging threats. Case in point: pfSense CE and OPNsense issued updates to mitigate the Spectre and Meltdown vulnerabilities shortly after these major vulnerabilities were discovered. What about your store-bought router?
3 Customizations Galore
This one is for your inner geek. While most off-the-shelf routers provide all the functionality your everyday user needs, those who like to play around with their network by setting up servers and experimenting with various configurations (lab setup) will be much better served with pfSense CE and OPNsense.
By navigating their respective UIs, you’ll quickly see just how customizable the software is. Both will accommodate practically any networking scenario. It’s also a great way to learn about networking.
4 A Massive Number of Add-Ons
Out of the box, both pfSense CE and OPNsense pack a ton of functionality. But they also come with a large repository of optional add-on software. The add-ons are optional for a reason: if you don’t need the extra functionality, you’re better off not installing them, as they could grow your attack surface if not properly configured.
But they’re there if you want them.
Some popular add-on packages (supported by both operating systems) are:
- HAProxy: A reverse proxy you can use to access your local servers from the internet.
- Squid: A caching proxy server you can use to filter and cache content.
- Avahi: An mDNS proxy that allows you to route mDNS traffic between subnets.
- ACME: An implementation of the ACME protocol enabling you to obtain free valid SSL certificates for your servers.
There are many, many more. So it’s worth taking your time to browse the selection.
5 Detailed Logging for Easier Troubleshooting
When most folks have an issue with their internet connection, they’ll attempt to fix it by rebooting their router, and if that fails, they’ll promptly contact their ISP. There’s nothing wrong with that, of course. Most off-the-shelf routers have limited logging capabilities and don’t let you filter logs by keyword, which turns reading your router logs into a jumbled mess.
With pfSense CE and OPNsense, you get highly detailed logging, organized by category, with all the filtering you could want. It makes troubleshooting issues much easier—even for those who are less tech-savvy. You might still need to call your ISP’s support department, but at the very least, you’ll have a better idea of what the issue may be and can better assist the rep on the phone.
6 It Runs on Old Hardware
pfSense CE and OPNsense are free and open-source, but you’ll still need some hardware to install them. The good news is that you don’t need to go out and buy a high-end machine. pfSense CE and OPNsense will run on older hardware you may have lying around already.
Note that you can run either firewall as a virtual machine, but that’s a different beast than running the firewall on dedicated hardware. Plus, you’re going to need a powerful base system for that.
The minimum hardware requirements are:
- 64-bit amd64 (x86-64) compatible CPU
- 1 GB or more RAM
- 8 GB or larger disk drive (SSD, HDD, etc.)
- One or more compatible network interface cards
- Bootable USB drive or high-capacity optical drive (DVD or BD) for initial installation
I’d recommend the following, if possible:
- 64-bit amd64 (x86-64) compatible CPU
- 4 GB of RAM
- 64 GB disk drive (SSD, HDD, etc.)
- Two compatible network interface cards (WAN, LAN)
- Bootable USB drive or high-capacity optical drive (DVD or BD) for initial installation
Those are some of the reasons I find pfSense CE and OPNsense compelling, and I do, in fact, use both. There are other reasons, but with the current state of the internet, in which marketers, big tech, governments, and malicious actors all want a piece of your data, the added security benefits take the crown.