pfSense/m0n0wall-Forked OPNsense 16.7 Released


  • #11
    yay, unapproved for lulz! All Hail vBulletin!

    Originally posted by bug77:
    The router's firewall may be enough for consumers, but so is ZoneAlarm/Comodo/whatever.
    No, I meant something that covers their actual needs, not something they install because they are afraid.

    I mean, all you need is to be alerted when some program wants to connect to the Internet or accept incoming connections.
    Yeah, problem is, anything that compromises the PC will also easily screw with the firewall on it, while a dedicated firewall device allows setting rules with more granularity than PC firewalls and, more importantly, is a PITA to hack, as there is no communication whatsoever with it apart from SSH or the web interface.

    But as I said, whatever is in the router is usually enough for consumers, like, say, the usual default of keeping all ports closed even if the downstream device has them open for lulz, and things like that.

    Dedicated firewalls also have the benefit of being a few devices doing firewall duty for any hundred billion devices downstream, so they simplify the management of network security by like A LOT, but this matters for companies and places like that.



    • #12
      sigh. trying again

      Originally posted by bug77:
      The router's firewall may be enough for consumers, but so is ZoneAlarm/Comodo/whatever.
      No, I meant something that covers their actual needs, not something they install because they are afraid.

      I mean, all you need is to be alerted when some program wants to connect to the Internet or accept incoming connections.
      Yeah, problem is, anything that compromises the PC will also easily screw with the firewall on it, while a dedicated firewall device allows setting rules with more granularity than PC firewalls and, more importantly, is a PITA to hack, as there is no communication whatsoever with it apart from SSH or the web interface.

      But as I said, whatever is in the router is usually enough for consumers, like, say, the usual default of keeping all ports closed even if the downstream device has them open for lulz, and things like that.

      Dedicated firewalls also have the benefit of being a few devices doing firewall duty for any hundred billion devices downstream, so they simplify the management of network security by like A LOT, but this matters for companies and places like that.



      • #13
        Originally posted by bug77:

        Are there features that are missing in pfSense (or any other firewall) at this point?
        Between my router and locally installed firewalls, I've never felt a need to add another box to the mix. I can see how having a dedicated box can free your desktop from the burden of filtering traffic, but Windows will complain anyway if you completely disable the firewall...
        Depends. I use either, depending on mood. I certainly prefer them both over Linux firewalls because of pf's ability to handle very large IP alias tables with minimal performance penalty. If you want to run block lists of hundreds of thousands or millions of CIDRs, Linux firewalls, "ipset" included, take a much bigger performance penalty in comparison.

        OPNSense has issues with some of the UEFI motherboards. If you try the memstick install, it's in GPT format and some motherboards are going to complain about "bad firmware" regardless of "legacy boot" being forced in the BIOS. You can bypass it by using the CD-ROM install and going with the MBR selection offered there, but it means more hassle.

        pfSense's memstick uses the MBR scheme by default and does not have the issue. Also, their devs recently overhauled the UI completely.

        pfSense means a ton of custom patches on top of FreeBSD code; OPNSense is inching back closer to the original FreeBSD code. Take your pick. Both are siblings, and after digging into the menus, the majority of logic and functionality is the same.

        WLAN support is inferior to Linux. It's there, but you are going to be limited to a/b/g/n. Forget ac.

        10Gbit card support should be more or less equal, and the cellular 3G/LTE modems I've tried (admittedly only a handful) have also all worked (over a Mikrotik RB14EU adapter board), so if needed you can use OPNSense/pfSense as a 3G/LTE router.

        Some of the cellular cards I got to work on pfSense did not work even on Windows over the adapter because of an OEM lock (Ericsson F5521gw, meant for Lenovo laptops; somehow pfSense had no issues with the thing).

        What else can they offer for the general home user? IDS/IPS (either Suricata or Snort), Squid proxy + SquidGuard or DansGuardian. For Windows machines, it means you don't really need "internet security" software; a plain respectable antivirus is enough. Filtering for ads and other crap could also be done inside the firewall. x86/x64 architecture. For Linux/BSD machines behind such a firewall, better protection than their own firewalls: Snort lists contain quite a lot of Linux/Unix/Android trojans and malware, you can enable those lists and actually have a sorta antivirus-like entity.

        pfSense has a bunch of custom plugins; OPNSense has pretty much what I wrote about above. At the same time, the majority of pfSense's plugins are ones a home user rarely needs.
        Last edited by aht0; 29 July 2016, 10:25 AM.



        • #14
          Originally posted by aht0:

          Depends. I use either, depending on mood. I certainly prefer them both over Linux firewalls because of pf's ability to handle very large IP alias tables with minimal performance penalty. If you want to run block lists of hundreds of thousands or millions of CIDRs, Linux firewalls, "ipset" included, take a much bigger performance penalty in comparison.

          OPNSense has issues with some of the UEFI motherboards. If you try the memstick install, it's in GPT format and some motherboards are going to complain about "bad firmware" regardless of "legacy boot" being forced in the BIOS. You can bypass it by using the CD-ROM install and going with the MBR selection offered there, but it means more hassle.

          pfSense's memstick uses the MBR scheme by default and does not have the issue. Also, their devs recently overhauled the UI completely.

          pfSense means a ton of custom patches on top of FreeBSD code; OPNSense is inching back closer to the original FreeBSD code. Take your pick. Both are siblings, and after digging into the menus, the majority of logic and functionality is the same.

          WLAN support is inferior to Linux. It's there, but you are going to be limited to a/b/g/n. Forget ac.

          10Gbit card support should be more or less equal, and the cellular 3G/LTE modems I've tried (admittedly only a handful) have also all worked (over a Mikrotik RB14EU adapter board), so if needed you can use OPNSense/pfSense as a 3G/LTE router.

          Some of the cellular cards I got to work on pfSense did not work even on Windows over the adapter because of an OEM lock (Ericsson F5521gw, meant for Lenovo laptops; somehow pfSense had no issues with the thing).

          What else can they offer for the general home user? IDS/IPS (either Suricata or Snort), Squid proxy + SquidGuard or DansGuardian. For Windows machines, it means you don't really need "internet security" software; a plain respectable antivirus is enough. Filtering for ads and other crap could also be done inside the firewall. x86/x64 architecture. For Linux/BSD machines behind such a firewall, better protection than their own firewalls: Snort lists contain quite a lot of Linux/Unix/Android trojans and malware, you can enable those lists and actually have a sorta antivirus-like entity.

          pfSense has a bunch of custom plugins; OPNSense has pretty much what I wrote about above. At the same time, the majority of pfSense's plugins are ones a home user rarely needs.
          Wow, an actually useful post. It feels so weird here, on Phoronix; thanks a bunch.



          • #15
            Thank you aht0, very useful. I would say I'm a Linux-only consumer running a webserver from home. Currently using a consumer router as a firewall. 4G/LTE support is also a plus since it is the only sensible option for my needs.



            • #16
              Originally posted by Kendji:
              Thank you aht0, very useful. I would say I'm a Linux-only consumer running a webserver from home. Currently using a consumer router as a firewall. 4G/LTE support is also a plus since it is the only sensible option for my needs.
              Add the possibility of IDS/IPS watching over traffic coming into your webserver, especially if you are running something like WordPress. Suricata or Snort could detect exploit kit hacking attempts and block offending IP addresses automatically. Just set the appropriate rules for the detection engine on the correct interface(s) and check the "block offending IP" option.

              For cellular modem support, before you buy something, consult the FreeBSD forum/hardware compatibility lists. It's likely there are also plenty of modems that are not supported, or variations of models that come under an identical model name but have different versions of hardware in them, of which some work, some not. I remember the frustration with plenty of Huawei mobile sticks under Linux years ago. I only tested on xxSense cellular modems which all had a mini-PCIe interface (bought second hand from owners of broken-down laptops).
              Last edited by aht0; 30 July 2016, 02:48 AM.



              • #17
                Originally posted by aht0:
                I remember the frustration with plenty of Huawei mobile sticks under Linux years ago.
                99% of Huawei sticks I've seen need to be reflashed back to "Stick mode" (currently they run in "Hi-Link mode", some weird crappy remote-pwnable router-like mode with web interface and all) and they will run with the standard driver on Linux.
                This is an example tutorial I used for a batch of cheap Huawei modems I got off eBay (2 external antenna connectors), that are also still available from East European sellers.
                This is updated version of my original post. I purchased additional modem that's externally identical to old one but had different serial po...




                • #18
                  Yeah, I think I had issues exactly when such Hi-Links made their first appearance. Still, I personally prefer mini-PCIe: nothing dangling from the machines, and the interface itself is by design inherently more stable than USB.

                  btw, Latvia is geographically not "East Europe" but Northern Europe, culturally Germanic, not Slavic. Yeah, I know, looking from the other side of the globe, all the same 3rd world yahoos anyway.



                  • #19
                    Originally posted by aht0:
                    Yeah, I think I had issues exactly when such Hi-Links made their first appearance. Still, I personally prefer mini-PCIe: nothing dangling from the machines, and the interface itself is by design inherently more stable than USB.
                    Consider that mini-PCIe also carries a native USB bus, and many mini-PCIe modems are in fact using the USB bus even if on a mini-PCIe slot (it's always fun and games if your device has a mini-PCIe slot and you find out the hard way it is a "3G-only slot", i.e. you only have tracks to run USB devices in mini-PCIe cards from it), mostly because a USB controller is cheaper for the modem's SoC, and because it's unlikely they fill USB 2.0's max realistic speed anyway (30 MB/s --> 240 Mbit/s).

                    There are straight and passive mini-PCIe --> USB 2.0 converters too, like these for example http://www.ebay.co.uk/itm/Delock-Min...UAAOSwQjZXPuNg

                    btw, Latvia is geographically not "East Europe" but Northern Europe, culturally Germanic, not Slavic. Yeah, I know, looking from the other side of the globe, all the same 3rd world yahoos anyway.
                    Was not intended to offend; for most people in "West Europe" (the snob and richer nations that created the EU) everything to the east of Germany is East Europe.



                    • #20
                      Originally posted by starshipeleven:
                      Consider that mini-PCIe also carries a native USB bus, and many mini-PCIe modems are in fact using the USB bus even if on a mini-PCIe slot (it's always fun and games if your device has a mini-PCIe slot and you find out the hard way it is a "3G-only slot", i.e. you only have tracks to run USB devices in mini-PCIe cards from it), mostly because a USB controller is cheaper for the modem's SoC, and because it's unlikely they fill USB 2.0's max realistic speed anyway (30 MB/s --> 240 Mbit/s).
                      My Mikrotik adapter has separate USB interfaces, but as far as I can tell it's for the purpose of the SIM card slots and serving their interfaces. 2 dedicated USB2 cables (I guess 1 serving 2 slots) have to be connected to the PC motherboard's USB2 header. The adapter itself goes into a PCIe x1 slot, and each of the 4 mini-PCIe slots on it can take either a cellular modem or a WLAN card. No USB needed as long as the adapter has only WLAN modules screwed on. But after installing some cellular modem on it, it won't recognize the SIM card unless I connect the USB.

                      Another cheap Chinese USB/mini-PCIe adapter I got "just in case" is indeed "cellular only". Tried a WiFi card in it, no joy like you said. It does not even detect the WLAN module.

                      Originally posted by starshipeleven:
                      Was not intended to offend; for most people in "West Europe" (the snob and richer nations that created the EU) everything to the east of Germany is East Europe.
                      Understandable, it was not so much offensive as a tiring assumption. A quarter century has passed.

