Why I Moved fw01 from OpenBSD to OPNsense
I wrote a post not long ago about why I chose FreeBSD for this homelab. I could write a nearly identical one about OpenBSD on the firewall. The man pages, the security posture, pf — OpenBSD is one of the most coherent operating systems I've ever used, and fw01 ran it well.
So why did I replace it with OPNsense?
I wrestled with this for longer than I probably should have. Changing your firewall feels like a statement. I've written about pf. I've defended the "just learn the config file" approach. Switching to a web UI felt like a betrayal of something.
But pragmatism won.
The Actual Problem
My ISP bumped me to a 2 Gb/s connection. Theoretically great. In practice, I needed my firewall to actually push that throughput across the NICs I had available.
OPNsense gave me more flexibility in how those interfaces were handled — driver support, offloading options, tuning knobs exposed through the UI. Getting the same result on OpenBSD would have meant more digging, more testing, more time spent on the firewall instead of everything the firewall is supposed to protect.
I didn't want to spend a weekend tuning network drivers. I wanted 2 Gb/s to work.
Why Not pfSense
Before this homelab, I ran a Netgate 4200 with pfSense. It worked fine, but the UI felt like it hadn't been touched since 2012. Cluttered, inconsistent, hard to navigate. Every time I needed to do something non-obvious, I was digging through three menus, wondering if I was in the right place.
OPNsense is a different experience. The interface is clean, the layout makes sense, and it moves at a pace that feels like a maintained project. It's also based on FreeBSD — so under the hood, it's still pf, still the networking stack I trust.
Choosing OPNsense wasn't a hard call once pfSense was off the table.
The Migration
I expected this to be painful. It wasn't. My pf rules translated cleanly. VLAN configuration that I'd built up over time moved over without drama. The concepts are identical because the underlying system is the same — OPNsense just wraps it.
If you're coming from OpenBSD's pf, OPNsense's firewall rules section will feel familiar. The mental model is the same. You're still thinking in terms of interfaces, states, and explicit allows. The GUI is just a different way of expressing those rules.
The Part I Didn't Expect to Care About
Here's the thing I didn't anticipate valuing: if something goes wrong with the firewall while I'm not home, someone in my family can actually do something about it.
With a text config and an SSH session, the answer to "the internet is down" is "call me and I'll walk you through it." With OPNsense, it's "open a browser, log in, click here, click there." That's a meaningful difference in a home environment.
I'm not designing a data center. I'm running a homelab that also happens to be the internet connection for my household. Resilience includes other humans being able to use it.
What I Gave Up
I won't pretend there's no loss here. OpenBSD's simplicity is real. The config file is auditable in a way no web UI ever fully is. There's a directness to pfctl -sr that no amount of GUI polish replicates.
But I still have pf. I still have the BSD networking stack. The firewall is still doing exactly what I'd configure it to do manually — I'm just configuring it differently.
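One way to keep some of that auditability, as an added example that is not from the post or from the OPNsense project: because OPNsense still compiles its GUI rules into pf, pfctl -sr over SSH still prints the live ruleset, and this POSIX sh script diffs that dump against a baseline saved when the config was last reviewed. The PF_BASELINE variable, the baseline path and the two sample rule dumps are constructed assumptions, not anything from a real firewall.

```shell
#!/bin/sh
# Added example, not from the post: audit the pf ruleset OPNsense compiles from its GUI by
# diffing a `pfctl -sr` dump against a baseline saved when the config was last reviewed.
# Assumes sh, grep -E, comm, cmp and mktemp (all present on FreeBSD/OPNsense). PF_BASELINE
# and the two sample dumps below are constructed for illustration.

# Normalize a ruleset dump on stdin: drop blank and comment lines, collapse whitespace, sort.
# Sorting hides reordering; pf evaluates rules in order, so drop the sort to flag that too.
normalize_rules() {
    grep -Ev '^[[:space:]]*(#|$)' | sed 's/[[:space:]][[:space:]]*/ /g' | sort
}

# diff_rules BASELINE_FILE   (current dump on stdin)
# Prints "+ rule" for rules present now but absent from the baseline, "- rule" for the reverse.
# Returns 0 when the rule sets match, 1 on drift.
diff_rules() {
    base_tmp=$(mktemp) && cur_tmp=$(mktemp) || return 2
    normalize_rules < "$1" > "$base_tmp"
    normalize_rules > "$cur_tmp"
    comm -13 "$base_tmp" "$cur_tmp" | sed 's/^/+ /'   # only in current
    comm -23 "$base_tmp" "$cur_tmp" | sed 's/^/- /'   # only in baseline
    if cmp -s "$base_tmp" "$cur_tmp"; then status=0; else status=1; fi
    rm -f "$base_tmp" "$cur_tmp"
    return $status
}

# Constructed sample: the reviewed baseline (default deny, SSH in, everything out).
sample_baseline() {
    cat <<'EOF'
block drop in log all
pass in quick on em0 inet proto tcp from any to any port = 22 flags S/SA keep state
pass out on em0 all flags S/SA keep state
EOF
}

# Constructed sample: a later dump in which an "allow anything in" rule has appeared.
sample_current() {
    sample_baseline
    echo 'pass in quick on em0 inet from any to any flags S/SA keep state'
}

if [ -n "${PF_BASELINE:-}" ]; then
    # Real use on the firewall:  pfctl -sr | PF_BASELINE=/root/pf-rules.baseline sh pf-drift.sh
    diff_rules "$PF_BASELINE"
else
    base=$(mktemp) && sample_baseline > "$base"
    sample_current | diff_rules "$base" || echo "drift detected against the constructed baseline"
    rm -f "$base"
fi
```

Run with no PF_BASELINE set and it exercises the constructed dumps, reporting the one rule that appeared; on the real box, regenerate the baseline with pfctl -sr whenever you deliberately change the GUI rules.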
The Honest Takeaway
Sometimes the right tool isn't the purist choice.
I still believe in OpenBSD. I still think pf is the best firewall I've used. None of that changed. What changed was an honest accounting of what I actually needed from this specific machine — throughput, flexibility, and something my household can survive without me.
OPNsense delivered that. The ideology didn't need to.