What is our primary use case?
Our primary use case of this solution is for VPN connections. We are currently supporting an SAP company, which has many customers, and most customers need a site-to-site active set connection for maintaining the SAP systems. We currently have around 200 VPNs.
What is most valuable?
The feature I find most valuable is that the program helped me to realize all the requested functionality that was needed:
- IPsec VPN connections to remote gateways from various vendors
- IPsec VPN connections with SNAT (our local network already in use at the remote site)
- IPsec connections with DNAT (remote network already in use at our local site)
- Let's Encrypt certificate for the WebGUI
- SSH access by PuTTY to the device
What needs improvement?
Something that needs to improve is the translation. This comes into play when you have a remote and a local site and you have to work with two different transfer networks for each direction. What I'm missing is a user portal for downloading the configurations for SSL VPN clients. It's still not implemented, so it seems that this product is still in development.
Sometimes it's a little difficult to find examples for special scenarios. But we have to keep trying and I believe it is possible. It's quite suitable for VPN connections.
The monitoring is a little complicated and I have tried to use a plug-in, but it's quite complicated to configure. I had to write my own script.
With the VPN solutions, it is possible to cover all the scenarios which we have. For instance, if you have a customer and your local network is already in use, you have to work with source NAT. It is possible and it works. Another issue is that customers sometimes have networks which are already in use at our local site. It means you have to work with destination NAT, but it is possible to set up.
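The two overlap cases the reviewer describes (our local network already in use at the customer site, so we source-NAT to a transfer network; the customer's network already in use at our site, so we destination-NAT through a transfer network) follow a fixed decision rule. The following Python is an added planning helper, not code from the review or from OPNsense: given the networks on both sides it detects the overlaps, validates the transfer networks, and reports what the IPsec phase 2 (traffic selector) and NAT rules must look like. All network values below are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


def _nets(values: List[str]) -> List[Net]:
    return [ipaddress.ip_network(v, strict=True) for v in values]


def overlapping(net: Net, others: List[Net]) -> List[str]:
    """Return the networks in `others` that share address space with `net`."""
    return [str(o) for o in others if net.overlaps(o)]


def translate_host(host: str, original_net: str, transfer_net: str) -> str:
    """1:1 network translation: keep the host bits, swap the network bits.
    This is the arithmetic behind a prefix-to-prefix SNAT/DNAT rule."""
    h = ipaddress.ip_address(host)
    orig = ipaddress.ip_network(original_net)
    xfer = ipaddress.ip_network(transfer_net)
    if h not in orig:
        raise ValueError(f"{host} is not inside {original_net}")
    if orig.prefixlen != xfer.prefixlen:
        raise ValueError("transfer network must have the same prefix length")
    offset = int(h) - int(orig.network_address)
    return str(ipaddress.ip_address(int(xfer.network_address) + offset))


def _usable_transfer(kind: str, transfer: Optional[str], original: Net,
                     forbidden: List[Net], errors: List[str]) -> Optional[Net]:
    """A transfer network is only usable if it was given, has the same size as
    the network it replaces, and is not itself in use where it will be seen."""
    if transfer is None:
        errors.append(f"{kind}: {original} clashes but no transfer network given")
        return None
    xfer = ipaddress.ip_network(transfer)
    if xfer.prefixlen != original.prefixlen:
        errors.append(f"{kind}: transfer {xfer} must be a /{original.prefixlen} like {original}")
        return None
    bad = overlapping(xfer, forbidden)
    if bad:
        errors.append(f"{kind}: transfer {xfer} is itself in use: {bad}")
        return None
    return xfer


def plan_tunnel_nat(our_local: str, their_remote: str,
                    our_in_use: List[str], their_in_use: List[str],
                    snat_transfer: Optional[str] = None,
                    dnat_transfer: Optional[str] = None) -> Dict:
    """Decide whether the tunnel needs SNAT, DNAT, both or neither, and which
    networks end up in the phase 2 definition. Hypothetical helper."""
    local = ipaddress.ip_network(our_local)
    remote = ipaddress.ip_network(their_remote)
    ours = _nets(our_in_use)
    theirs = _nets(their_in_use)
    plan: Dict = {"phase2_local": str(local), "phase2_remote": str(remote),
                  "snat": None, "dnat": None, "errors": []}

    # Case 1: our local network is already in use at the remote site.
    # We appear from a transfer network instead (SNAT on our side), so the
    # transfer network must be free on both sides and goes into phase 2.
    clash = overlapping(local, theirs)
    if clash:
        xfer = _usable_transfer("snat", snat_transfer, local, ours + theirs, plan["errors"])
        if xfer:
            plan["snat"] = {"from": str(local), "to": str(xfer), "conflicts_with": clash}
            plan["phase2_local"] = str(xfer)

    # Case 2: the remote network is already in use at our site.
    # Our hosts address the customer via a transfer network that is DNATed to
    # the real remote network before encryption, so phase 2 keeps the real one.
    clash = overlapping(remote, ours)
    if clash:
        xfer = _usable_transfer("dnat", dnat_transfer, remote, ours, plan["errors"])
        if xfer:
            plan["dnat"] = {"from": str(xfer), "to": str(remote), "conflicts_with": clash}
    return plan


if __name__ == "__main__":
    # Constructed sample: both sides use 10.10.0.0/24 and 10.20.0.0/24.
    print(plan_tunnel_nat("10.10.0.0/24", "10.20.0.0/24",
                          ["10.10.0.0/24", "10.20.0.0/24"],
                          ["10.10.0.0/24", "10.20.0.0/24"],
                          "172.16.10.0/24", "172.16.20.0/24"))
    print(translate_host("10.10.0.5", "10.10.0.0/24", "172.16.10.0/24"))
```

The plan is only a sanity check before touching the firewall: an unflagged transfer network that collides with something on the other side produces exactly the asymmetric-routing problems the reviewer alludes to, so the helper refuses to emit a plan instead of guessing.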
I would, therefore, like to see the monitoring of the firewall being easier to configure, or to have more templates for this so that you can download the configurations for each scenario and get more detailed descriptions like how all the available plug-ins are performing.
What do I think about the stability of the solution?
I am currently running it on Hyper-V and so far I have had no problems. It is currently stable enough.
What do I think about the scalability of the solution?
We have 250 people in our company using this program who are able to run the SAP systems with site-to-site connections between the company and the customers. We have six people for deployment and maintenance. I am responsible for the networking.
How are customer service and technical support?
There is no technical team in the Netherlands, but so far I fixed my own issues by reading up on the internet.
If you previously used a different solution, which one did you use and why did you switch?
We are using several VPN gateways. We are using our primary solutions in our company, doing all the IT for the complete caller group. The caller group has around 1,600 people in 10 companies. They are part of this group. We have one main office and several branch offices.
We are using Juniper SSG firewalls for site-to-site IPsec connections to customers, and this equipment is working really well. Unfortunately, these devices will be running out of support soon, so we have to look for some alternatives.
The central equipment we use is Sophos UTM/SG and Sophos XG configured as high availability. The branch offices are connected by Sophos RED, and we mainly use Sophos RED 50 with the AP 55 access points configured as WPA2 Enterprise. For central management, everything is managed in the main office. We are using the SMTP proxy with anti-spam and anti-virus on the SG solutions. This is the only one that doesn't work, because we have a problem: we have too many Exchange users and too many accounts, which caused Apache to run out of resources.
An example would be if you have one workstation with two smartphones, and each person has maybe three or four sessions open on Exchange. If you have 1,400 accounts, you can reach 8,000 sessions. If the Apache "scoreboard is full" message comes up, no further users can connect. We have contacted Sophos support to solve this, but they were not able to do so; the only effect was a correction of the sizing guide from Sophos.
How was the initial setup?
The setup was straightforward, and the only mistake you can make is not to log in at the installer during the setup. I made this mistake once and configured a lot of features. After doing this I could not save the configuration to disk. Generally, it was quite easy to install and to configure.
The initial deployment took about two hours, but figuring out how it works in detail and to run a roundabout took two or three days.
What's my experience with pricing, setup cost, and licensing?
There are no licensing costs for OPNsense.
Which other solutions did I evaluate?
We had to evaluate other solutions because our primary solution was Juniper SRX, but we were not happy with the features. So we had no other choice and we were forced to look for something else. We use the Sophos XG firewall because we can configure it directly from Azure.
We found the OPNsense solution interesting because there are no costs. In Azure, you only pay for the virtual machine.
What other advice do I have?
My advice would be to compare all the solutions because they all offer something different. Find out what's available and get a feeling for the product and look at the configurations on the firewall.
In the next version, I would like a friendlier user interface where the users can look at and download the configurations for the OPNsense clients.
My rating for this solution is a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.