I just had to register here to write that:
pfSense is considered by far more stable than OPNsense.
However, both had the issue that unbound itself is crashing, and the last pfSense stable has other serious issues like NAT being broken in some circumstances (yay - not that it wouldn't be a major issue/feature!).
Especially notice this comment:
EDIT: In the comments below Netgate say - there will be NO 2.5.2 release. It will be fixed in 2.6.0. They have no release date for 2.6.0. So fix might be years away from now( I think it took them 3 years for 2.5.x). So I would say options are: stay on 2.4.x or move to OPNsense.
OPNsense, due to its nature, encountered it a few months earlier (the issue with unbound), but they didn't manage to fix it in a fast way (not sure if even completely? I never used OPNsense).
pfSense on the other hand took years (I think it was really years, not sure if my memory is tricking me) to upgrade to 2.5.x only to encounter ... the same issue!
So much for "stability".
Because the unbound PKG in the FreeBSD 12.2 repos is broken/unstable, that is even with 1.13.0.
By broken I mean - crashing.
Either within minutes or, if you disable most useful features for local resolving, hours, sometimes even days. But far from what I'd call stable.
I never had that happen with any WRT, whatever port - despite all other issues with Wireless on some routers.
I've been pretty happy on pfSense so far, but I guess I'll go back to OpenWRT on arm64 now over amd64, seeing that OPNsense and pfSense both have more or less the same common issue:
A base system that's slow to tackle such serious issues (in my book).
On the other hand the Linux world is MUCH bigger and better maintained, even arm64 nowadays.
Do I really care if the base-system is less hardened? That the Kernel is more bloated?
I don't care if the system is stable for what it's made for.
Never had a Linux Machine break on me in the last years, no matter if amd64 or armv7 or arm64.
The worst of it all:
Old FreeBSD Packages need to be compiled from scratch (not sure about HardenedBSD).
There's literally NO archive anywhere, so it's not easy to just install an old pkg.
You have to compile it yourself. Always.
And that compilation can't be done on the respective firewalls themselves, no matter how powerful the hardware they run on is, because, obviously, these features are optimized out for various reasons.
My advice is simple and sound:
Stick with OpenWRT.
If you need more - rather set up another small dedicated box or SBC, e.g. with PiHole or IPFire.
It will save you lots and lots of nightmares.
If you really want to give either *Sense a try, choose a stable OS like Proxmox VE (which, ironically, runs on Debian) and run either of them in a VM.
There's just too much pain involved if things turn out bad (and they will, at some point).
I think the good old saying of BSD being more stable is slowly eating itself:
As old engineers go by (is Sony still using BSD for their newer consoles?), there are few newer ones coming to pick up their work (just guessing).
A system that isn't maintained properly can only go so far, no matter its great architecture.
The more complicated and sound the architecture, the harder it is to be maintained as well.