OpenWrt and PFSense

I've been reading up a bit around pfSense. Both have really strong communities. The biggest delineation between the two seems to be the target hardware and hence 'meatier' packages are available for pf.

That said, is there any real difference in the underlying security/performance of the two distros? Is pfSense also using IPTables on the backend?

Given a dual-core x86 system with 4GB RAM, and assuming that OpenWRT has all the packages and functionality you need, I would have thought (given the smaller footprint and less overhead) that OpenWRT is going to have better routing/firewall performance MHz for MHz than pfSense.

I'd go as far as to say that they have different goals. pfSense is a full-featured firewall/IDS/IPS system which requires beefier hardware by default but, on the other hand, also provides you with a better integrated system, whereas OpenWrt mainly targets "low-end" embedded systems and wireless, which in turn comes with its own limitations and/or advantages.

OpenWrt runs on fairly low-power devices and has much better wireless support thanks to the Linux kernel and wireless stack, although with that in mind you're going to look at a few compromises compared to a fully fledged Linux distribution. That said, there is work being done on FreeBSD regarding wireless connectivity, but as most of the user base are using it as a network appliance and/or for server-related tasks, wireless networking doesn't get much priority.

pfSense uses FreeBSD and pf primarily, which is a different beast compared to Linux and iptables. In terms of performance they're pretty much the same even on rather slow devices like MIPS64, although you would most likely see better performance on FreeBSD if you were to use ipfw instead of pf. There's also some (experimental) work being done porting over npf, as pf is getting a bit dated.

In terms of performance on beefier systems you'll probably see lower performance on OpenWRT unless you compile your own firmware with a few tweaks, as x86/x86-64 targets (and packages) are compiled for pretty old CPUs due to compatibility and size.

As far as updating and security goes pfSense has a nicer patching/updating path IMHO.

In short, if you're planning to use x86 that's relatively new I'd go for pfSense because of its "completeness", but if you plan to use MIPS or ARM devices (at least to some extent) with integrated wireless, OpenWrt is more or less your only option.


That's really useful, thanks.

I guess I will have to experiment with pfSense and see whether I like it.


I installed pfSense on some spare hardware last night to have an experiment.

I haven't had a chance to test the like-for-like performance yet, but here are my initial thoughts on the setup differences.

Pros

  • pf has a USB-based installer which does a good job of quickly getting you up and running on x86 hardware without having to dd anything or roll a live USB etc. It located, partitioned and imaged the embedded eMMC in my system without any problems in under 5 minutes.
  • There are specific and easy-to-activate options to run on flash-based systems which redirect /var and /tmp to RAM and sync back to disk at configurable intervals.
  • There is a really comprehensive web UI for configuring everything. Aside from being a little more 'modern' than LuCI, I would say the biggest improvement is the amount of tips/guidance on options. Also, the default suggested options for most packages (OpenVPN etc.) are the 'best' or the generally agreed 'secure' options, and this makes setup of those packages achievable quickly without the need to refer to a tutorial or wiki guide.
  • There is an included certificate and cert authority manager that makes applying SSL to the UI and other modules (VPN included) very easy. However I do wonder about the ultimate security of storing your CA key on an internet facing device.
  • The terminal console defaults to an option-based menu to guide you through configuring (or recovering) the most basic options (like interface IP config and resetting the webUI password). This is a nice touch for x86, probably not much relevance for OpenWRT on embedded systems.
  • Log management in the UI is far superior, broken down by service and sub-system with options to filter and sort the logs, making finding things a lot easier.
  • Options to enable DNSSEC are built in to the UI for the default DNS resolver. No additional packages required.

Cons

  • Installing actually didn't work for me first time. There is a bug in the current release that stops the console working on Intel Atom with HD Graphics systems (it just hangs with no error). I guess it was just bad luck that I had that exact setup, and the fix was trivial once I googled it; however, I feel the OpenWRT community does a better job of cross-platform testing prior to release.
  • There is a lot of commercialization. You have to accept several stark warnings/disclaimers about redistribution and decline 'Premium Support' options several times during setup. Even afterwards there is a 'Support Options' dialog on the Web UI home screen that can't be easily muted.
  • The firewall rule config, for me at least, seems a lot more complex to understand. Perhaps it's fundamental differences in the way the two underlying systems operate. With no default 'zone' options it isn't clear to me whether pf is configured to be 'secure' out of the box. I actually find the LuCI firewall UI superior in this sense, but maybe this is a case of familiarity. The pf firewall is based entirely around a rule priority list (either deny specific then accept all, or accept specific then deny all) and you have to stack and order the rules yourself. I know this is traditionally how commercial firewalls have worked, but it's not clear to me if this is actually any better/more flexible than how iptables/UCI does it.

Right now, I'll be sticking with OpenWRT, unless the x86 performance is significantly different when I get chance to test.
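As an added example (not part of the post above or of any pfSense/OpenWrt code), here is a minimal hand-written pf.conf in FreeBSD syntax that expresses the same policy OpenWrt's default zones give you: the "lan" zone may reach the router and the "wan" zone, and unsolicited "wan" traffic is dropped. Two things the post's description of "rule priority lists" leaves out, which matter for the "secure out of the box" question: native pf is last-match-wins, so a later `block` silently overrides an earlier `pass` unless the rule carries `quick`; pfSense's generated rules all carry `quick`, which is why its GUI list reads top-down first-match like iptables/OpenWrt. The interface names em0/em1, the 192.168.1.0/24 LAN prefix and the SSH rule are assumptions for illustration.

```pf
# Added example, not from the thread: pf.conf (FreeBSD layout: macros, tables,
# options, scrub, nat, then filter rules). em0/em1 and the LAN prefix are assumed.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Source prefixes that must never arrive from the Internet (RFC1918, loopback,
# link-local, CGNAT, multicast). pfSense's "Block private networks" option
# does the same; its "Block bogon networks" option uses a larger, updated list.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
                         169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo0
scrub in all            # reassemble fragments before filtering

# Translation section comes before filtering in FreeBSD's pf.
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# --- Filter rules ---------------------------------------------------------
# pf evaluates every rule and the LAST match wins, unless a rule says "quick",
# in which case evaluation stops there. Putting the default deny FIRST (without
# quick) and marking every pass rule "quick" gives first-match semantics, which
# is exactly what pfSense does for the rules generated from its GUI.
block log all           # default policy: drop and log anything not passed below

# Anti-spoofing on WAN: drop packets claiming an internal or reserved source.
block in quick on $wan_if inet from <martians> to any
antispoof quick for $lan_if      # expands to: block in on !em1 from 192.168.1.0/24

# Let forwarded (NATed) and router-originated traffic leave on WAN, keeping
# state so replies are matched by the state table rather than by a rule.
pass out quick on $wan_if inet all keep state

# OpenWrt "lan -> wan" forwarding plus "lan -> device" input in one rule:
# anything from the LAN prefix arriving on the LAN interface is allowed.
pass in quick on $lan_if inet from $lan_net to any keep state

# Only explicitly listed services are reachable from WAN; everything else
# falls through to "block log all". Assumed example: SSH to the router itself.
pass in quick on $wan_if inet proto tcp from any to ($wan_if) port 22 \
    flags S/SA keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then load it with `pfctl -f /etc/pf.conf` and inspect the expanded rules with `pfctl -sr`; the `antispoof` line in particular shows up as the plain `block` rules it expands to, which is the easiest way to see what the ruleset really does. The `block log all` at the top is the part that makes the box "secure out of the box": remove it, and a packet that matches no rule is passed, because pf's implicit default is pass.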

Hi, I would be interested in what you think of OPNsense. I was told that it is better than pfSense?
https://opnsense.org/


You have a lot of hardware to support and there may be edge cases, but I can assure you that FreeBSD in that regard is very well tested in general given the installed user base, and there's a lot more testing of packages than what's done in OpenWrt.

The firewalling part is actually more "logical" if you think about the flow of packets, but it boils down to preference, and it's safe to use out of the box. As far as the flow of rules goes, this is how iptables also operates. The commercial support notifications are there for legal reasons.

I think most of these things boil down to familiarity in the end, and of course it might not be for everyone.

In pfSense Realtek LAN NICs are not welcome (from my own experience); in OpenWRT Realtek works fine.

Realtek Ethernet controllers are in general crappy NICs that aren't very reliable under load, and that goes for all operating systems. There's a reason why you have Broadcom, Intel etc. at the upper end if you're looking at entry-level hardware.

I agree (Intel/Broadcom much better than Realtek), but in pfSense every 2/3 days the Realtek NICs hang, whereas in OpenWRT the same hardware is working fine for weeks; maybe the driver is better implemented in OpenWRT than in pfSense.

I've had Realtek working for months and I know many others who have too, so that might be your specific revision; however, the driver doesn't get much love because of the nature of the controllers themselves being unreliable.

Maybe you are right.
This is my hardware, which works fine in LEDE/OpenWRT but not in pfSense:

00:00.0 Host bridge: Intel Corporation Atom Processor Z36xxx/Z37xxx Series SoC Transaction Register (rev 0e)
00:02.0 VGA compatible controller: Intel Corporation Atom Processor Z36xxx/Z37xxx Series Graphics & Display (rev 0e)
00:13.0 SATA controller: Intel Corporation Atom Processor E3800 Series SATA AHCI Controller (rev 0e)
00:14.0 USB controller: Intel Corporation Atom Processor Z36xxx/Z37xxx, Celeron N2000 Series USB xHCI (rev 0e)
00:1a.0 Encryption controller: Intel Corporation Atom Processor Z36xxx/Z37xxx Series Trusted Execution Engine (rev 0e)
00:1b.0 Audio device: Intel Corporation Atom Processor Z36xxx/Z37xxx Series High Definition Audio Controller (rev 0e)
00:1c.0 PCI bridge: Intel Corporation Atom Processor E3800 Series PCI Express Root Port 1 (rev 0e)
00:1c.1 PCI bridge: Intel Corporation Atom Processor E3800 Series PCI Express Root Port 2 (rev 0e)
00:1c.2 PCI bridge: Intel Corporation Atom Processor E3800 Series PCI Express Root Port 3 (rev 0e)
00:1c.3 PCI bridge: Intel Corporation Atom Processor E3800 Series PCI Express Root Port 4 (rev 0e)
00:1d.0 USB controller: Intel Corporation Atom Processor Z36xxx/Z37xxx Series USB EHCI (rev 0e)
00:1f.0 ISA bridge: Intel Corporation Atom Processor Z36xxx/Z37xxx Series Power Control Unit (rev 0e)
00:1f.3 SMBus: Intel Corporation Atom Processor E3800 Series SMBus Controller (rev 0e)
02:00.0 Network controller: Broadcom Inc. and subsidiaries BCM4313 802.11bgn Wireless Network Adapter (rev 01)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)

I'm happy with OpenWRT; I'll not change to pfSense/OPNsense instead of having an Intel/Broadcom NIC in the near/far future.

Thanks @diizzy

I used OPNsense for about one year before switching to OpenWrt on x86 hardware, so I can tell you what my experience was. First, I use a Realtek card (no choice here) and despite all claims, they work well in OPNsense; I didn't have issues with them. Of course, they work well too in OpenWrt, even better, since I saturate my gigabit link with NAT, no problem here. In fact, the FreeBSD drivers for Realtek at least aren't as fast as the Linux drivers, and that's why I moved. While in OPNsense I got between 70-90MB/s, in OpenWrt I get 113MB/s (lan<>wan<>lan). The only things that are better in OPNsense are the GUI and pf's aliases; other things like the embedded VM hypervisor, bhyve, are flawed (USB passthrough doesn't work), and other drivers in FreeBSD are weak and buggy, like the ASIX AX88179 which is a total mess.
But the OPNsense guys are doing a great job at updating and correcting bugs. I can't tell for pfSense, since they are more closed.

I can't comment on pfSense or OPNsense as they were too far behind the FreeBSD release cycle for my taste, and I don't need a GUI as I craft my own firewall rules. I have found FreeBSD to have more understandable and robust firewall capabilities than iptables and even nftables (which, alas, is still not mature and robust, in my experience). I have also found the performance of native FreeBSD to meet or exceed that of Linux-based OSes for routing and server roles.

Yes, Linux offers a wider range of "consumer" drivers, but I don't need a Logitech QuickCam on my server. FreeBSD is focused on server applications, not end-user applications.

The Realtek hardware has been historically unreliable when pushed hard. This has been the case no matter the kernel and drivers. When the hardware bugs, it bugs. You can hide it with a driver, but you've still got a bug.


I do miss a generic UI for IDS, but I'm also running bare-metal FreeBSD on my boxes with great results. I've recently started to play around with Allwinner H3 and H5 boards running FreeBSD and they run great. :smiley:


Do I need an all-in-one security (mid-to-large business) gateway? > pfSense (even if I have to buy alternate hardware).

IMHO front-end teething problems are worth the hassle if a solution is easily manageable and maintenance-friendly....

OpenWrt from a management perspective has a learning curve, which is why for anything other than fundamental gateway work I'd recommend pfSense to anyone who asked me to recommend a production device.

The advantages of OpenWrt start to become much more attractive when:

  1. you have many small sites, and want to integrate management AND functionality
  2. home or SOHO
  3. service level customisation