OpnSense vs OpenWRT for security

The two are very good options, with the difference that OpenWrt is aimed at small routers at home/office and OPNsense/pfSense are not, but for SMB. Both are very secure, but if you want to harden it even further, the secret is in the configuration and the ability to find a balance between security and usability.

Note: this whole post is half-troll. Please don't take seriously.

Both are secure in terms of protecting your network and resistance to external hackers. Actually, by virtue of being modular and extensible, but small by default, OpenWrt does great on attack surface minimization. But in my experience, what matters to the auditors is compliance and accountability (i.e. proper logging). I.e. organizational security, not network security. Let's consider a situation where a rogue sysadmin misuses his legitimate access and deliberately misconfigures something, and you have two sysadmins. So you need to be able to detect the unauthorized change and put the blame correctly. And here OpenWrt fails spectacularly:

  • Only one "root" user. Yes there is a separate "luci-app-acl" package, but in practice, it is so rarely used that one cannot count on it being usable.

  • No way to connect to LDAP and take users from there.

  • No logging of what exactly has been changed via LuCI and when.

  • No way to tell which of the admins did the change.

  • Too many real-world setups require configuration via ssh, which exposes the raw shell, which is not logged.

  • Thankfully, logs CAN be sent to a central server.

OpenWrt is more for the WiFi and such. It lacks a lot and lags very, very much behind OPNsense if you want to do anything serious regarding firewall, NAT, VPNs, etc. It can do those, but just not like OPNsense.

OPNsense is the other way round. It's a full-blown NGFW/firewall/VPN concentrator etc., all that and much more. It can probably do some WiFi things - never tried, never even considered - but definitely way worse than OpenWrt.

I'd advise you to use both for what they're best for. They make a great couple together. No need to choose just one :)

If your platform is x86, I find OPNsense to be a more manageable solution, largely for the much smoother update process. I do use OpenWrt for my access points though.

Security-wise, OPNsense has the edge due to more frequent updates.

OPNsense is only supported on x86 processors, so is not going to run on most routers.

I would vote for OpenWrt as it's Linux kernel based and as you may or may not know, Linux is known for being secure.

There is a lot more development on Linux than FreeBSD.

One thing to remember: you can only compare the two on the same HW / VM...

*Sense can run 10 Gbps and 100k+ connections; same with OpenWrt, but on x86...

OpenWrt-compatible routers (Linksys, TP-Link, Xiaomi, etc.) are usually underpowered for such tasks...

EDITED: For a better explanation of x86 vs OpenWrt-compatible routers.

You said "you can only compare those both on the same hardware"... then don't list any hardware at all.

Saying that "OpenWrt is underpowered" is a factually false statement.

I have nothing against OPNsense, but the current release of pfSense is based on an End of Life version of FreeBSD that doesn't even support multithreading. The next version will fix this, but it's 2023 FFS.
