
Intro

 
NOTE: This rant can act as the README for my new OPNsense firewall and router
and its associated configuration backup files
 
My previous old hardware that was running pfSense failed catastrophically on 14th April 2025 after over three years of good service. It initially showed signs of high CPU usage and, when I checked, that was caused by pfBlockerNG; I forced an update and rebooted, which in turn apparently bricked the system to the point it refused to POST (even with the SSD removed and the RAM swapped - no other replaceable parts!).
So after a major panic first thing on a Monday morning, I decided to order replacement server hardware with the exact same specs from the exact same eBay vendor I'd used in late 2021
(Fanless Mini PC Intel Atom E3845 4 LAN 8G RAM/128G SSD)
and of course the exact same replacement hardware was considerably more expensive than the original purchase, but I was confident that the performance should be the same
(more on that later - at this point I had considered buying affordable hardware from Netgate but I was uncertain how their similarly priced kit would compare performance wise...).
Anyway, I then downloaded the current latest pfSense installer (after having to re-register with the Netgate store to buy it?!?) and verified the downloaded file.
I then successfully wrote the image file to a spare 32GB Samsung bar USB3 stick which I had recently replaced with a card reader for my unRAID server.
Unfortunately the pfSense installation refused to continue without either establishing internet connectivity or recovering from an existing disk partition;
none of the options presented by the newer pfSense installer were acceptable to me, and I suspect that it wouldn't support recovery of the Home+Lab version of the pfSense Plus licence
(more details here:
https://www.netgate.com/blog/addressing-changes-to-pfsense-plus-homelab )
which I'd been using on different physical hardware, so the licence was very likely locked to unique hardware MAC addresses or similar unique hardware identifiers.

Next steps

 
After realising that I'd run out of easy options with pfSense Plus, I decided to try switching to OPNsense, as that is a free and open source fork of pfSense with fewer licence constraints
and which shares FreeBSD as the underlying OS and pf as the packet filter (which originated from OpenBSD),
so technologically I was hoping it might be similar enough to migrate to easily - more on that later!
https://freebsdfoundation.org/resource/an-introduction-to-packet-filter-pf/

Initial challenges

 
Unfortunately my migration from pfSense to OPNsense presented a few unexpected challenges straight from the get-go: firstly, some important configuration items differ between the two systems,
which means that converting between their configuration XMLs is not always as trivial as one might hope!
Lesson #1 - back up your pfSense configuration regularly and every time you touch it!
 
Firstly, in order to fully understand the complexity of what I had in terms of my pfSense config, I had to check the most recent backup that I'd taken - and that was a lot older than I expected,
which made me worry that I'd made changes since, forgotten to take a backup, and lost them forever.
Lesson #2 - converting firewall aliases and rules and static DHCP maps is only half the battle - can you even remember which port is which on your router and firewall?!?!
 
So after downloading and verifying the installer for OPNsense, I used Rufus to write the downloaded .img file to a bootable USB stick and inserted that in the new hardware.
(more info here - https://opnsense.org/get-started/ )
I then booted up the OPNsense 'live image' version, but WITHOUT any network cables plugged into any of the 4 physical ethernet ports, as I wanted to see how far I could get without network connectivity. The good news is that booting up to the point of being able to log in as user installer with default password opnsense is easy, and then installing to the SSD with default options is simple. The main thing that I realised quickly was that I needed to review my old pfSense XML configuration file if I wanted to remember which ports I had assigned to WAN and LAN. If you're starting completely from scratch this would not be an issue; it's only really a concern if you're migrating and want to keep the same port config!
Next I realised that the XML config files generated by pfSense are just about human readable but can be a little overwhelming, as I must have spent hours (maybe even days!) over the last few years
making configuration changes to aliases and rules and DHCP static IPs and pfBlockerNG rules and VPNs and OMG the complexity I'd overlooked - had I made a huge mistake?
Lesson #3 = keep calm and carry on!
 
After a second bout of panic about what I might have permanently lost from pfSense, I decided to take a deep breath, dig deep and start looking into my various options at this point.
I searched online for any software tools or scripts that might help with converting pfSense XML config files directly to OPNsense and found a few interesting options,
but one that I found rather useful was a Python script which ran in a Docker container, converted the XML and then spat out a more human-readable markdown formatted file,
which I managed to open on my local machine and format in a way which was just inherently more readable for manually copying the bits I needed.
This was also the point where I realised that I had at least a handful of completely redundant static mappings among the dozens I had added over the last few years,
including MAC addresses for some old network hardware that needed removing, such as an old work laptop and a personal Macbook from 2008 that had no business being trusted online these days.
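Something in the spirit of that converter, written here as an added example rather than the author's Docker-based script or any project's code: it parses a constructed pfSense-style config.xml (element names as in pfSense's config.xml layout: interfaces/<name>/if, aliases/alias, dhcpd/<scope>/staticmap, filter/rule) and prints markdown tables for the interface-to-physical-port assignments I had to look up earlier, the aliases, the static DHCP mappings and the filter rules, plus a list of aliases that no rule references, which is exactly the kind of leftover worth pruning before re-keying anything into OPNsense. The sample document, the function names and the output layout are my assumptions, not anything from this post.

```python
"""Turn a pfSense-style config.xml into reviewable markdown (added example,
not the author's Docker-based script). Element names follow pfSense's
config.xml layout; the sample document below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like a trimmed pfSense config.xml (not a real backup).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr><ipaddr>pppoe</ipaddr></wan>
    <lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr></lan>
  </interfaces>
  <aliases>
    <alias><name>Servers</name><type>host</type><address>192.168.1.10 192.168.1.11</address><descr>unRAID and NAS</descr></alias>
    <alias><name>OldLaptop</name><type>host</type><address>192.168.1.50</address><descr>retired work laptop</descr></alias>
  </aliases>
  <dhcpd><lan>
    <staticmap><mac>AA:BB:CC:00:00:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>unraid</hostname><descr>main server</descr></staticmap>
    <staticmap><mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.1.50</ipaddr><hostname>macbook2008</hostname><descr></descr></staticmap>
  </lan></dhcpd>
  <filter>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><address>Servers</address><port>443</port></destination>
      <descr>HTTPS to servers</descr></rule>
    <rule><type>block</type><interface>wan</interface>
      <source><any/></source><destination><any/></destination><descr>default deny</descr></rule>
  </filter>
</pfsense>
"""


def _text(el, tag):
    """Text of a child element, or '' when it is absent or empty."""
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def _endpoint(el):
    """Render a <source>/<destination> block as 'addr:port', 'addr' or 'any'."""
    if el is None or el.find("any") is not None:
        return "any"
    addr = _text(el, "address") or _text(el, "network") or "any"
    port = _text(el, "port")
    return f"{addr}:{port}" if port else addr


def parse_config(xml_text):
    """Extract the bits you re-key by hand: ports, aliases, static maps, rules."""
    root = ET.fromstring(xml_text)
    cfg = {"interfaces": [], "aliases": [], "staticmaps": [], "rules": []}
    for iface in root.findall("./interfaces/*"):   # <wan>, <lan>, <opt1> ...
        cfg["interfaces"].append({"name": iface.tag, "if": _text(iface, "if"),
                                  "descr": _text(iface, "descr"), "ipaddr": _text(iface, "ipaddr")})
    for a in root.findall("./aliases/alias"):
        cfg["aliases"].append({"name": _text(a, "name"), "type": _text(a, "type"),
                               "address": _text(a, "address"), "descr": _text(a, "descr")})
    for scope in root.findall("./dhcpd/*"):       # one child per DHCP-serving interface
        for sm in scope.findall("staticmap"):
            cfg["staticmaps"].append({"interface": scope.tag, "mac": _text(sm, "mac").lower(),
                                      "ipaddr": _text(sm, "ipaddr"), "hostname": _text(sm, "hostname"),
                                      "descr": _text(sm, "descr")})
    for r in root.findall("./filter/rule"):
        cfg["rules"].append({"action": _text(r, "type"), "interface": _text(r, "interface"),
                             "protocol": _text(r, "protocol") or "any",
                             "source": _endpoint(r.find("source")),
                             "destination": _endpoint(r.find("destination")),
                             "descr": _text(r, "descr")})
    return cfg


def unreferenced_aliases(cfg):
    """Aliases no filter rule uses: cleanup candidates before re-keying them."""
    used = {r[side].split(":")[0] for r in cfg["rules"] for side in ("source", "destination")}
    return sorted(a["name"] for a in cfg["aliases"] if a["name"] not in used)


def _table(headers, rows):
    lines = ["| " + " | ".join(headers) + " |", "|" + "|".join(" --- " for _ in headers) + "|"]
    return "\n".join(lines + ["| " + " | ".join(row) + " |" for row in rows])


def to_markdown(cfg):
    """Markdown sections in the order you'd re-enter them in a new firewall."""
    parts = ["## Interfaces", _table(["Name", "Physical port", "Description", "Address"],
             [(i["name"], i["if"], i["descr"], i["ipaddr"]) for i in cfg["interfaces"]]),
             "## Aliases", _table(["Name", "Type", "Addresses", "Description"],
             [(a["name"], a["type"], a["address"], a["descr"]) for a in cfg["aliases"]]),
             "## DHCP static mappings", _table(["Scope", "MAC", "IP", "Hostname", "Description"],
             [(s["interface"], s["mac"], s["ipaddr"], s["hostname"], s["descr"]) for s in cfg["staticmaps"]]),
             "## Filter rules", _table(["Action", "Interface", "Proto", "Source", "Destination", "Description"],
             [(r["action"], r["interface"], r["protocol"], r["source"], r["destination"], r["descr"])
              for r in cfg["rules"]])]
    unused = unreferenced_aliases(cfg)
    if unused:
        parts += ["## Aliases not referenced by any rule", "\n".join(f"- {n}" for n in unused)]
    return "\n\n".join(parts)


if __name__ == "__main__":
    print(to_markdown(parse_config(SAMPLE_CONFIG)))
```

To use it on a real backup, replace SAMPLE_CONFIG with the contents of the exported file; the real thing is far larger, and reading the static-mapping table is the natural moment to spot MAC addresses for hardware that no longer exists. Bear in mind that an unencrypted pfSense backup also carries secrets such as VPN keys and password hashes, so the XML and anything derived from it should be stored as carefully as the firewall itself.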
Next, I realised that the actual user interface for OPNsense is different enough from pfSense that it is not immediately intuitive and so takes a while to get comfortable with;
for me personally it has taken a few hours over the course of a few days to become settled with it, and it's notable that the 'muscle memory' from being comfortable with an interface is often overlooked.
Okay, so next was on to the exciting point of actually defining interfaces and plugging in the LAN (before I dared allow any WAN connectivity!)
Lesson #4 - have emergency backup router hardware!
 
After realising that I would be facing at least a few hours of work before having anything like the network config I had before, I decided to allow the crappy ISP-provided router a few days more,
but all of my most important servers and other machines were left switched off until I had rebuilt enough trust in OPNsense running with a brand new configuration to allow public network connectivity.
Lesson #5 - so what else had I overlooked and what is still missing? 
 
pfBlockerNG was something I definitely used before and it is not present in OPNsense. The nearest equivalent is a package called Zenarmor / os-sensei, but I haven't yet installed it:
https://www.zenarmor.com/docs/network-security-tutorials/pfblockerng-alternatives-on-opnsense
 
I did manage to install and set up another plugin called CrowdSec, though, which I'd been meaning to test anyway - https://docs.crowdsec.net/docs/getting_started/install_crowdsec_opnsense/
(this has already auto-banned some random Amazon-hosted IPs for unsolicited port scans, so hopefully a useful additional tool!)
 
The next thing I noticed missing was any direct integration with dedicated notification services like Pushover (which I'd used for things like cert expiry warnings),
but there is a default 'Monit' service which I intend to look into later; for now I am still focused on getting basic firewall rules and basic connectivity sorted.
 
Another tool which seems to be missing is the ability to run commands from the web GUI - perhaps I missed it, or it was a plugin on pfSense, but I can't find that anywhere on OPNsense.
Lesson #6 - be very careful not to blindly follow online instructions!
 
Okay, so one of the reconfiguration steps was setting up the Tailscale VPN, which is really easy once you realise that there is no GUI option but the CLI is trivially simple to set up.
I went down a rabbit hole of following instructions from here: https://tailscale.com/kb/1097/install-opnsense
 
but after hundreds of megabytes of downloads and AGES spent manually uninstalling and recompiling to update Tailscale, I simply ended up with the same version I already had - doh!
Literally all that was needed was to log in to the CLI (yes, using a keyboard and screen physically plugged into the device running OPNsense!) as root and then run a tailscale up command,
which outputs a message with a URL to log in from another machine, like this:
To authenticate, visit:
    https://tailscale.com/a/abc123abc123
 
The next critically important thing I realised was that I had to manually define some 'tunables' under the system settings menu in order to achieve decent download performance:
https://www.bentasker.co.uk/posts/blog/general/opnsense-pfsense-fttp-and-1gbps-pppoe.html
^ many thanks to that page - inspiring!
Lesson #7 - configuration backups can be automated - nice! 
 
After getting all my static mappings, aliases, NAT rules, filter rules, Tailscale, UPS, 'settings/tunables' performance parameters and other config items redefined, I managed to set up automated encrypted backups to Google Drive by creating a new Google service account
(basically a new Google email address linked to my personal Google account, which has IAM controls), and there is another plugin option to use SFTP too.
Lesson #8 - monitoring updates required! 
 
On pfSense I was using Telegraf to point at InfluxDB2 running on unRAID, based on some guidance here:
https://www.reddit.com/r/PFSENSE/comments/nsefi8/pfsense_251_telegraf_plugin_for_use_with_latest/
but those instructions were no longer relevant on OPNsense, and the good news is that InfluxDB2 seems better supported,
so I now have many more metrics passing through to Grafana, including my UPS state - nice!
 

This article was updated on April 20, 2025