OpenWrt vs pfSense vs ? on x86_64 for easy firewalling and VPN (wireguard)

Hi everybody,
I had an intel i5 2500t based machine unused with two NICs.
I would like to use in my network for firewalling and for making a wireguard tunnel to my external VPS, so all home traffic has forced to pass there without further configs on the client. I have a gigabit WAN, so the i5 with aes-ni instructions set onboard seems to be a good object to use for that tunnel.
I also have a router wifi r7800 that actually manages everything.
Look at the pictures for details about future solution.


Now, the question is:
I read that openWRT has a good firewall out-of-the-box, so 1) I could or install openWRT on the x86_64 machine and use it as router/dhcp/simple firewall with wireguard, or 2) I can install on that machine pfSense (or opnSense) and wireguard, leaving the routing activies to the router d7800?
My goal(s) are: have an easy, secure and maintable infrastructures: the solution one may be easy (same software on both hardwares), while the second may be more robust, because of the dedicated firewall hardware.

We'll.. for a start pfsense doesn't do wireguard yet. Opnsense does. However VPN speed isn't really an issue for a decent x86 box anyway. I'm getting 400-450mbs to my VPN provider through openvpn and L2 on a pretty cheap machine so wireguard just isn't a priority for me.

I have a very similarish setup to (1) and I've retried openwrt vs opnsense vs pfsense again recently for my needs on my main router. I'm not really interested in a debate on it but for my needs I found latency was much much lower for pfsense and opnsense and a deal maker. I've kept my r7800 APs and my bridged travel router on openwrt as it's still great for those purposes for me.

Openwrt does work well on x86 but pfsense and opnsense are intended to utilise the extra grunt.

There's much more help out there for pfsense than opnsense and in the end I've converged on pfsense.

Bottom line: all good environments and can achieve what you want though.

So, you have
modem <=> firewall x86_64 via pfSense + openVPN <=> router wifi via OpenWrt
(this is the solution 2. non 1. :slight_smile: maybe my fault in the description of the previous post), right?
Summarizing, for you, it's preferable to put an ad hoc firewall and software on my spare x86_64 hardware, instead of
modem <=> firewall x86_64 via OpenWrt <=> router wifi via OpenWrt?

I will try wireguard it seems easily to config and faster (I may have a 2.5Gbps line, next spring).

just a further note (I modified the thread name too): I dont know if I need a firewall or if it is a good approach to start with *sense (how are they difficult?), I just think that a distribution like *sense could be good for networking things.
Maybe for I first approach I could just use a linux distribution (suggestions?) put on it wireguard and just config the machine to forwarding package to the router... this:
modem <=> linux x86_64 + wireguard <=> router wifi via OpenWrt

from my experience I believe you should do firewalling/NAT on your most powerfull host - that is the x64 hw and leave openwrt just for wifi.

Agree with previous poster. The x86 machine's a beast so do as much as you can on that.

Yes to your 2nd post. Choice ultimately driven by latency in openwrt on x86. Don't know why it was so bad or if this is inherent to openwrt. It might not be of course.

Usability of pfsense and opnsense is supposed to be easier as they're designed to be entirely gui driven. I'm not totally sure they've achieved that. Openwrt is really usable because of its flexibility.

Worth also considering that pfsense doesn't support samba servers etc as they consider such services as an additional security risk. It's just a secure firewall router with a lot of features for that. Nothing else.

If you must use wireguard then your choices are reduced to opnsense or openwrt, though I'm still not sure why you would do with that cpu and presumably 1gbe nics. Pushing 2.5gbe round your lan is going to get expensive.

Opnsense in theory can do it all but does not have the same user base as either pfsense or openwrt and I struggled to get VPN working as I wanted. I'd like to give it another go as it should be the best of all worlds.

I think you're suggesting in your 3rd post to use a basic Linux distro. Yes possible but far from easy and probably not a good idea from a security angle.

I've kept an identical openwrt setup on my x86 as a fallback on a different disk and chainload pfsense through grub. Take them all for a spin and see which works for you? You can't brick it so you can have a bit of fun and see what works for you.

pfsense frome some time have a wireguard plugin 3th party but works good, i give up openwrt as main router simply becauce of poor performance soho hw. now i use openwrt router as ap and have second network by ac2600 mesh devices ( broadcom one) and mesh have a lot faster speeds. i dont't about other stuff like samba because i have dedicated synology servers (xpenology ) . i'm happy with that setup :slight_smile: