What needs improvement with OPNsense?

OPNsense should improve its performance in handling large volumes of voice traffic. It needs more support for Vigoroute and extensive VPN technologies. Enhancing its performance for significant amounts of data traffic would make it closer to a perfect solution.

SD-WAN (software-defined wide area network) is integrated into some restricted service providers for OPNSense. I pretty much like the solution's APIs, but it's somehow limited. I would like the APIs to be more mature and more developed and have more options to automate threat hunting. Also, I would like to see more drill-down possibilities. We have to rely on specific hardware for the in-depth analysis of NetFlow. Although we have an interface on OPNsense, it's not as easy to use on the security side as other solutions.

pfSense has better performance and quicker updates.

In terms of improvement, the performance could be enhanced.

If I require many site-to-site connections or prioritize advanced features, I might look at the other products.

You will need additional training before you can actually start to use it. You will need to gain some extensive knowledge.

The scalability needs improvement.

The interface is user-friendly, but there's room for improvement in terms of intuitiveness. The bundle management aspect requires additional attention to make it more intuitive, especially for inspecting high-level traffic. This is crucial, especially for larger companies where the existing features might not be the most optimal choice, given limitations like printer constraints. For high availability, it's crucial to have a method in place where a designated component oversees the entire process. Given that OPNsense plays a pivotal role as a firewall, safeguarding against various threats, having a reliable backup ensures uninterrupted protection even if unforeseen events impact the primary virtual machine. It would be beneficial if OPNsense supported additional virtualization platforms like Hyper-V from Microsoft and VMware, similar to how Kaspersky has integrated them.

The user interface could be improved, and the DNS section should be more intuitive.

There are some add-ons that need enhancements to make management easier for users, especially the reporting features. Some reports don't show the level of detail I'm looking for, and I've had trouble installing certain add-ons, especially for Internet bandwidth shaping within my company. So, this is an area of improvement for me.

The interface of the solution is an area with shortcomings. The interface of the solution could be made better. The user experience when we create policies can be made easier. Also, maybe some features should be added to the cloud.

When using the solution at the beginning was difficult. There was a steep learning curve. In a feature release, it would be helpful to have some features that the new generation firewalls have, such as IPS.

There is room for improvement in SSL inspection because that's where OPNsense, the open-source firewall software, just doesn't work well. So, I really use it for inspection.

I think the most important thing is that it should be easily accessible, but currently, that doesn't seem to be the case. We need a hardware platform that's based on common standards and open computing principles, which would be like a commodity and benefit us greatly. I believe an open computing platform could be the solution we need. If you provide these tools to a smaller group of people, especially those who may not have the financial means to support complex enterprise hardware with its maintenance and end-of-life issues, you will receive a lot of valuable feedback from a broader audience. Currently, even the basic documentation is too complex for everyday users or those who work from home, making it difficult for them to install everything at once. We need to simplify these hardware tools so that they have a basic set of installation documents, such as a guide or runbook, that people can easily review step by step. The first installation screen should provide a menu of options, numbered one through four, and require users to enter their IP address, which can be a bit confusing. Therefore, we must simplify the process to make it easier for everyone to understand. pfSense always requires an IP address, but if that IP is already in use and assigned to our router, the system will not work. Therefore, there needs to be a detection mechanism in place that can alert users and inform them that they must first change their router's IP address before proceeding with the installation. Making these changes will require significant updates to both the documentation and printer software. Our primary focus is to ensure the protection of customers' and consumers' data. To achieve this, we have developed robust malware capabilities within our pfSense and OPNsense platforms. One unique feature that sets us apart is our ability to filter traffic from devices like mobile phones that are connected to a router via pfSense or OPNsense. Our system can detect and alert users when a malicious URL is detected in traffic sent via WhatsApp or other messaging services. This additional layer of protection helps to further safeguard user data and prevent potentially damaging malware from being transmitted. Similar to the alerts we receive in email, these capabilities provide users with valuable information about the potential risks associated with a specific message. SPAN mode, or a very fuzzy mark, and all of the additional features should be put with the original message. Similarly, I receive my flagged details on WhatsApp. If someone re-orchestrates that capacity and starts adding some URL, or malicious URL, normal consumers or general citizens would not be able to detect that. If these features are incorporated into a firewall as a shared database somewhere, and any traffic originating from there on flagged should be recognized and communicated to the client, please do not click that link or make your own constructive decision.

An area for improvement in OPNsense is the hardware, which needs to be updated more frequently. An additional feature I want to see in OPNsense is a transparent proxy. DNS blocking is another good feature I want to be added to the solution, as that helps make processes faster. pfSense has a peer-blocking feature that I also want to see in OPNsense.

The IPS solution could be more reliable. The IPS functioning and internal prevention system functioning could be added to the system. I didn't have it in pfSense, which is why I'm moving to OPNsense, but it is still not working well. They could also have the LZN ones.

OPNsense could improve by making the configuration more web-based rather than shell or command-line-based. The timeline for new features could be better. They could be faster at updating features.

Its interface should be a little bit better.

The difficult part was the integration with Azure because OPNsense, in most cases, is not used on public clouds. It is on appliances that run on-prem. We did not like the fact that you have to configure everything with the graphic user interface. We have used other firewalls, such as FortiGate, that you can configure via code. OPNsense is not easy to integrate. When you are deploying via GitHub or another source repository, this is not possible. That's one thing we didn't like much.

While they do have paid options that actually give better features, for most of the clients, if they tend to take a paid option will instead opt for Fortinet. They should make it so that it's easier to reverse proxy integration.

The interface isn't so friendly user. But we have some technicians here who are quite confident with this tool. OPNSense could maybe add sets of rules so it's simpler to manage different groups with particular needs.

The logging could improve in OPNsense.

The interface needs to be simplified. It is not user-friendly. The bandwidth management is easy to use, but very hard to implement. The multi-provider internet is protected by OPNsence but the features are limited, and not stable. The high availability feature is not feasible when the hardware fails.

The solution could be more secure.

The vendor should offer compatibility-approved boxes, or at least stock one with OPNsense already installed. This would make it a one-stop-shop, and people would not have to worry about sourcing the hardware separately. I would like to see better SD-WAN performance. I think that could be a very good bonus because SD-WAN is all the rage these days. That is probably the big thing that people need to improve upon, in terms of combining two, three, or four links. The interface should continue to improve, which would make things a bit easier. For me, it was already easy, but nonetheless, it is quicker to install a FortiGate firewall.

The only thing that I would like to see improved is the Insight or the NetFlow analysis part. It would be good to have the possibility to dig down on the Insight platform. Right now, we can easily do only a few analyses. If this page becomes more powerful, it surely will be a well-adopted platform.

I have some issues with OPNsense. I have created a virtual machine that I've lost connection at times and I am not able to connect to the gateway or ping the internet. When I started with OPNsense, it worked right away. It may be an issue with the virtual machine itself. I am currently setting up the protection on all of the virtual machines so they will connect to OPNsense and the internet, or anywhere they need to access. I have tried to download some malicious files or a virus and it should dump the files and prevent the download, but I don't seem to get any notification or warnings. It may be an issue with the configuration but I am not sure. I would like to see improvements made to connectivity and alerting. I wanted to deploy this solution in our organization and some of the workstations from remote sites but it's not reliable enough to do that yet. In the next release, I would like to see real traffic monitoring and more visibility. Also, for the antivirus, I would like to see the files protected by ClamAV. I would like to see intelligence in OPNsense and have the option to apply it or not. They need a threat intelligence tool similar to the one they would find with Cisco. It will show you the file hashes, all of the IFCs, the niches, the address information, and more. With all of this information, you can be proactive and block the malicious file hashes, all of the malicious IP addresses, and the public IP addresses. It should help you be proactive. It would be helpful to have OPNsense be one of the plugins, and they should include traffic capturing. With Palo Alto, you can monitor and specify which interface you want to monitor, the source IP, or you can specify the network and see the traffic that is coming from the VLAN, the destination, and any files being transferred over the network. If you apply security profiles you can see the signatures.

There should be more technical documentation.

The solution can't compete with next-generation firewalls. The solution would not be suitable for anything large-scale.

The feature that I would like to see in the next release, I think, would be to improve the VPN (Virtual Private Network) selection. Specifically, I would like to improve the section where you can set the VPN IP address to high availability.

So far, everything is okay. We've just started using the solution. As long as they continue to ensure that we are protected, it will be perfect.

Something that needs to improve is the translation. This comes into play when you have a remote and a local site and you have to work with two different transfer networks for each direction. What I'm missing is user portal for downloading the configurations for SSL VPN clients. It's still not implemented so it seems that this product is still in a developing process. Sometimes it's a little difficult to find some examples for special scenarios. But we have to keep trying and I believe it is possible. It's quite a suitable possibility to use it for VPN connections. The monitoring is a little complicated and I have tried to use a plug-in, but it's quite complicated to configure. I had to write my own script. With the VPN solutions, it is possible to cover up all the scenarios which we have. For instance, if you have a customer and your local network is already in use, you have to work with source nat. It is possible and it works. Another issue that customers sometimes have Networks, which are already in use on out local site. It means you have to work with a destination nat but it is possible to create. I would, therefore, like to see the monitoring of the firewall being easier to configure, or to have more templates for this so that you can download the configurations for each scenario and get more detailed descriptions like how all the available plug-ins are performing.

On the customer-side, because I'm a small business, I need a cheaper or free solution option. To scale, you need a different package application. It's not compatible with pfSense. Maybe there should be a different package or a different setup, but it's a problem. I need a little package because I'm a small business. It would be nice if the solution offered virtual servers in the future. Compatible mutual servers with firewall specifications.

In our experience, OPNsense showed me some problems when using it in different environments. The problem is integration with a virtual server. In general, OPNsense is sweet, pretty, and neat. It's still in development. I expect the next release in the fall. Maybe they are going to polish it more. I would love a buy a new VPN. We experience problems with the old one. In high variables, it shuts off. We want to switch to a new one.