Open-source can do more. Router OS alternative for remote infrastructure


A modern remote office infrastructure typically runs a hypervisor such as Proxmox or VMware on its servers, because it needs to deploy a number of virtual machines with different levels of access, limited inter-server communication and access to the global network. The simplest way to control access to the virtual machines under the hypervisor is an edge software router with a powerful firewall, installed on one of the virtual machines on the server.

Router OS is the clear winner among software routers. However, it does not have a full free version. There are several alternative open-source solutions based on FreeBSD: pfSense and OPNSense. These are comprehensive router and firewall platforms with a full set of modules and plug-ins needed to manage the network and access to the end devices of a remote infrastructure.

pfSense is a logical continuation of the m0n0wall project

pfSense is supported and developed by Netgate as one of its core products. The software router does not require payment and can be used completely free of charge because it is supplied under the Apache 2.0 license. It is available as an ISO image and can be installed on a virtual machine with very modest parameters.

pfSense features

Please note that this product has many pre-installed modules and also allows the installation of additional plugins that expand the standard capabilities of the router.

Firewall 

Here are just a few main characteristics that reveal the capabilities of this module:

  • stateful packet inspection (SPI), which allows you to filter network connections
  • filtering based on IP addresses and DNS along with anti-spoofing protection
  • there is support for rules based on time and limiting the number of connections
  • bidirectional NAT mapping enabled
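
pfSense is built on FreeBSD's pf packet filter, and the features above correspond to pf rule constructs. The following hand-written pf.conf fragment is an added illustration, not part of the original article and not output generated by pfSense; the interface names, addresses and limits are assumptions.

```conf
# Constructed illustration. Interface names, addresses and limits are
# assumptions; 192.0.2.0/24 is a documentation range.
ext_if  = "vtnet0"          # WAN side of the router VM
int_if  = "vtnet1"          # internal bridge shared with the guest VMs
int_net = "10.10.20.0/24"   # guest VM network
web_vm  = "10.10.20.10"     # guest published to the Internet
web_pub = "192.0.2.10"      # its dedicated public address

# Sources that exceed the connection limits below are collected here.
table <abusers> persist

set skip on lo0

# Bidirectional (1:1) NAT for the published guest,
# ordinary outbound NAT for every other guest.
binat on $ext_if from $web_vm to any -> $web_pub
nat on $ext_if from $int_net to any -> ($ext_if)

# Anti-spoofing: drop packets that claim an internal source address
# but arrive on any interface other than the internal one.
antispoof quick for $int_if

# Default deny for inbound traffic, with logging.
block in log all
block in quick on $ext_if from <abusers>

# Stateful filtering: replies to tracked connections pass automatically.
pass out all keep state
pass in on $int_if from $int_net to any keep state

# Published HTTPS service with per-source connection limits. Translation
# runs before filtering, so the rule matches the internal address.
pass in on $ext_if proto tcp from any to $web_vm port 443 \
    keep state (max-src-conn 50, max-src-conn-rate 20/10, \
    overload <abusers> flush global)
```

A source that opens more than 50 simultaneous connections, or more than 20 new ones within 10 seconds, is added to the `<abusers>` table, its existing states are flushed, and further packets from it are dropped by the `block in quick` rule.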

Router

From the features listed below, it becomes clear that this pfSense component is completely self-sufficient:

  • supports multiple IP addresses per interface
  • support for multiple WANs is enabled for fault tolerance and/or load balancing
  • integrated PPPoE server
  • policy-based routing is supported
  • simultaneous operation of IPv4 and IPv6 routing is allowed

VPN

Perhaps one of the most important components of a software router for remote infrastructure:

  • the most popular virtual private network protocols and technologies are supported - IPsec, OpenVPN, WireGuard
  • it is possible to organize a site-to-site connection with SSL encryption
  • configurations for VPN clients on different OS are available in the GUI
  • there is support for multi-tunneling with failover between tunnels
  • RADIUS or LDAP authentication is available, which is convenient if you have AD within the infrastructure

Preventing attacks

In the context of modern cyber threats, the set of functions and mechanisms for analyzing traffic passing through the router is an undoubted advantage of pfSense:

  • Snort is used as a packet analyzer (IDS/IPS system)
  • analysis and detection of L7 applications is supported thanks to the integration of a database with an updated list of threats
  • it is possible to configure the security system individually on the selected interface with deep packet inspection

Other features of pfSense

Listing all the modules and services would take up more than a page of the blog, but for a more objective understanding of the capabilities of the software router, we can highlight the following:

  • availability of standard network services - DHCP server, DNS forwarding
  • ease of setting up backups and rolling back to restore points
  • a single update repository with the ability to update with the click of a button
  • traffic shaping by channel speed or data volume is supported
  • thanks to a convenient GUI, a readable log of what is happening on the router is provided
  • it is possible to receive notifications from the router by email

OPNSense — a fork that can outperform the original code

OPNSense is a software router that is functionally very similar to pfSense. The obvious difference for most, even experienced users and system administrators, will be a completely redesigned interface. Another difference is the set of plugins and add-ons in the repository of additional software for installation. Due to the similarity, it is difficult to single out individual features of OPNSense and the user can make a choice based on the convenience of the GUI or preferences in the set of available plugins.

Instead of a conclusion

From a quick review of the functionality of pfSense and its fork OPNSense, it becomes clear that these software routers are aimed at very complex infrastructure projects, including not only remote servers and services, but also local offices. Their user protection and authentication mechanisms are suitable for building both a small hybrid office infrastructure and a large corporate network with dozens of remote servers, employees and office branches.

VPSServerES