Unfortunately it was very loud and took a lot of power to run, and since Cisco stopped providing updates for this model of router years ago I decided to look elsewhere for something a bit less bulky, a bit quieter, and a bit more modern.
 |
| It weighs as much as one of my children and it sounds like a jet engine when you turn it on. |
Although I'm not a complete amateur when it comes to this sort of thing (I use OpenWRT on my access points and most of the little devices in my house run some kind of pre-hacked linux) I didn't want to build something from the ground up. I wanted some kind of "integrated" system that let me get things up and running and go from there.
I considered a few alternatives including OpenWRT, DD-WRT, pfSense, ipFire and others. All of these have a nice web based gui and lots of useful "add ons" and "plugins" that allow you to perform a great deal of customization.
I eventually settled on OPNSense which is based on the FreeBSD operating system.
I've never had much to do with the FreeBSD operating system before so I was a little hesitant, but after hearing about how strong and powerful the FreeBSD networking stack was meant to be, I decided to go with it. I was particularly convinced by a smart looking guy called George Neville-Neil who mentioned that the FreeBSD networking stack is what's being used by the Mars Pathfinder mission to communicate with Earth!!
 |
| George has written textbooks, spoken at conferences, has a cool beard and his code is on a space ship....he's everything I want to be. |
Now for the exciting part of the post. The bit where things went wrong and I tell you why I failed. There are two reasons why OPNsense didn't work for me.
1) OPNSense is nothing like Cisco IOS
When I say this I don't mean "The commands weren't the same" (which is true). I mean that Cisco IOS is a truly integrated routing system where each part of the router software knows about all the other parts whereas OPNSense is nothing like that. In addition the commands and tools on a Cisco router generally follow a consistent style and pattern whereas each plugin in OPNsense is a kingdom unto itself.
OPNSense is essentially a shell that fits atop dozens of different programs that don't natively know anything about each other and were probably not written with many of the other programs in mind. This applies equally to other open source style routing systems like OpenWRT and pfSense. DD-WRT seems to be better integrated than its cousins, but consequently it has far less functionality and ability for customization.
In most cases this is fine because if you run a standard combination of services, then they'll have been tested adequately with each other and the OPNSense system can successfully integrate their functionalities together. However, if you stray off the beaten path a little, then that's when you run into trouble.
For example, in my network I need to route multicast traffic. It took me over a week to get it working with OPNsense and this is why. In some circumstances the OPNsense firewall component (pf) is programmed to transmit routed multicast traffic with an INCORRECT DESTINATION MAC ADDRESS WHICH MAKES IT ABSOLUTELY BLOODY USELESS (See OPNsense issue 3629). It seems like the maintainers of this part of the code has absolutely no plans to fix this issue.
 |
| This picture isn't here for any reason. I love everybody and I am at peace with the universe. |
I came across about a dozen other feature interaction issues like this one. Most of them were trivial but a few were very tedious to overcome indeed.
Now I'm not saying that products made by big proprietary network vendors don't have problems, especially when weird combinations of features are used but I can guarantee that if something like multicast routing wasn't working then it would be fixed very very quickly.
 |
| I actually know a guy who worked for the now defunct Bay Networks router company. You wouldn't believe some of the bugs he found! |
Are you old enough to remember OS/2? One of my professors introduced me to it back when Microsoft Windows was pretty much completely dominant in desktop computing.
It was great! It performed better and more reliably than Windows did, and it even ran (some) Windows applications! It's nowhere to be seen now.
 |
| If it's made by IBM then how can you go wrong? |
The issue I had with it was that in those rare instances where I had a problem with OS/2, there was every possibility that I was the first and only human being on the planet to have experienced that particular issue because the user base of OS/2 wasn't what you'd call "vast".
And even though there were hundreds of brilliant people on forums and mailing lists who could probably help me, I was a "newb" and my requests for help weren't looked upon with much respect.
FreeBSD has kind of the same problem. Even though there are some very appealing aspects of FreeBSD, such as the package and ports system, and the extensive documentation of the base operating system, getting help isn't always easy. That seems to be because the user base is numerically much less than that of Linux, but also the FreeBSD user base all seem to be universally brilliant people who aren't always interested in helping "newbs".
 |
| These people aren't worthy to smell an experienced FreeBSD user's dirty socks!! |
 |
| Linus Torvalds, the creator of Linux, is widely acknowledged to be one of the kindest and most patient men in the world. |
To anyone who says I didn't give OPNsense enough of a chance, I actually ran it as my home's main gateway for a whole month as I tried to incrementally enable features I needed and troubleshot problems. I eventually had to give up after weeks of my OPNsense system's Ethernet interface randomly losing it's link about once every 36 hours.
I promise I did extensive troubleshooting. I replaced cables, moved switch ports and went through a large permutation of settings, driver updates and debugging but I could find no sign of why the problem was happening or what to do to fix it.
All of that being said, seeing how OPNsense works has given me some great insight into the tools that open source routing and firewall systems use. For that I am grateful.
I basically plan now to run a very basic linux system as my gateway (maybe on a Raspberry Pi?) but without a unifying Gui/web interface sitting above all the tools. I plan to just use the individual base programs like ipfw, dnsmasq and quagga and take control of the interactions between them myself.
Obviously this won't be as pretty as using a nicely integrated GUI but you have to admit, it will be very hardcore!
 |
| You know this guy edits his firewall config files with "vi" instead of "nano". |
