• 0 Posts
  • 6 Comments
Joined 2 years ago
cake
Cake day: June 20th, 2023

help-circle
  • pfSense and OPNsense are firewalls. OpenWRT is router firmware. They’re all open source - to varying degrees - and they all have overlapping features and functionality.

    Quick breakdown:

    • OpenWRT: originally developed as a replacement for the firmware on Linksys wireless access points. It has grown into a full Linux-based networking OS with extensible features and broad hardware support. The target devices are still mostly wireless routers/access points and the use cases it services are still mainly about wireless networking.
    • pfSense: Originally a fork of m0n0wall, it’s a BSD-based firewall distribution. Designed primarily for firewall use cases, it can be loaded on bare metal or in VMs, but it’s generally deployed “upstream” from wireless devices - typically it’s the device that all of your network traffic passes through on the way in/out of the LAN. Extensible architecture and a rich ecosystem of plugins means that pfSense can also serve as a caching proxy, load balancer, intrusion detection server and logging host.
    • OPNsense: a fork of pfSense. Almost identical use cases. OPNsense has a more usable/modern UI, but lags slightly in support for new features and plugins.

    So the question of pfSense or OPNsense is either/or - you’d typically pick one or the other. Note that I’m staying away from the political comments that will invariably come up around this comparison. It’s enough to know that both have commercial offerings in addition to their open source versions and people have strong opinions one way or the other.

    Either one of either pfSense or OPNsense in conjunction with OpenWRT is common, with OpenWRT on the wireless devices and pfSense/OPNsense at the egress to WAN. In your case, Omada already does what OpenWRT would do - along with some very limited versions of what you could do with pfSense or OPNsense.

    It’s worth noting that folks often deploy these three open source tools as a method to regain control rather than using a third party cloud based solution like Omada. No judgement, just saying that Omada is the polar opposite of the ‘selfhosted’ esthetic.




  • Another real acronym with a funny story (maybe only to old geeks like me) is STONITH.

    Back when “high availability” meant two servers with shared storage and a “heartbeat” network connection, if one of the servers failed, the second one would notice there was no more heartbeat from the first and pick up the traffic so users would never know.

    However, if the servers lost the network connection, there’d be no way to tell if the other server was still running and if both continued accessing the shared storage, they could corrupt the application data. So each server could take over if it noticed the other wasn’t available by executing STONITH (Shoot The Other Node In The Head) basically sending a power down signal to the PDU, making sure the other node couldn’t corrupt data.