End of the m0n0wall project (m0n0.ch)
163 points by lindell on Feb 15, 2015 | 26 comments


Check out pfSense - have used it for years after trying m0n0wall. The recommended path forward, OPNsense, is a fork of pfSense. I have not tried it, and I get their reasons for forking and many of the improvements they are making are really, really needed - BUT the community isn't there yet, whereas pfSense has a thriving community behind it.


I don't understand their reasons for forking.


If one of the active pfSense developers is asking this question[1], then Manuel Kasper's OPNsense endorsement is certainly confusing without additional context. Without a doubt, the endorsement certainly carries weight given m0n0wall's impact and legacy over the years.

[1] https://www.pfsense.org/about-pfsense/development-team.html


Outside of Manuel himself, no single person has put as much time and effort into m0n0wall as Chris Buechler has. Chris wrote most of what's on doc.m0n0.ch, and has by far the highest post count to the m0n0wall list. Chris also had a source commit bit. We host doc.m0n0.ch to this day.

Chris is honestly baffled by what Manuel wrote. It feels like a slap in the face.


This should serve as the gold standard for how to implement a decision like this.


How to make the decision? How to execute it?

And for what reason (what did you like about it?)


Several points:
* A definitive decision with clearly defined dates.
* Acknowledgement towards successors
* The HUGE effort and endeavor to snapshot and maintain the archives for posterity.


I agree. Classy and humble. And considerate.


I basically replaced my linux firewall box with shorewall and xen a few years ago: http://shorewall.net/XenMyWay.html

Now I run a whole bunch of stuff on only one machine.


I did similar. Had a mini atx centos box I ended up throwing on ESXi and getting it in the front of the network through some layer 2 magic. I love shorewall.


Running all on debian stable I might add.


Moved to PFSense a few months ago and I cannot recommend it enough, I have it on a Thinkserver tower which hosts all my VMs on ESX and out of a second NIC comes my wifi router.

pfSense is such a great piece of software, DNS forwarder and built-in OpenVPN.


I don't understand why PFSense and OPNsense use FreeBSD and not OpenBSD which comes with a more advanced version of PF.

Is there any reasonable explanation for their choice? I'm using FreeBSD myself but not as a router. If I should choose an OS for router, I'd probably go with OpenWRT or OpenBSD.


PFSense has a note about that choice in their FAQ: https://doc.pfsense.org/index.php/Why_was_FreeBSD_chosen_ins...

Another lover of PFSense here. I started out with M0n0wall, but there were a few items that drove me to pfSense ultimately (the slightly strange way setting up rules/port forwards, and the need for different IPSEC encryption algos for a corporate firewall connection.) I have pf humming along on an older Alix2d3 kit, and have had ZERO problems. I now see that there's a more powerful APU board that will be my upgrade path when this box dies, or I upgrade my internet beyond ~50mbps -- whichever comes first.


That FAQ is a little old.

The statement that the "pf" in OpenBSD is "better" isn't necessarily true. The "pf" in FreeBSD and pfSense is a bunch faster, even on single-core.

The IPsec in FreeBSD and pfSense (especially AES-GCM) is also much faster than that found in OpenBSD.

OpenBSD has a problem: it doesn't scale on multi-core CPUs, and the world has gone multi-core. FreeBSD took years to get this right (forking Dragonfly along the way due to disagreement about the MT model.)


I remember years ago we had a problem with pfSense because the way FreeBSD had implemented carp wasn't quite correct (WRT failover and groups of interfaces, IIRC). We had been relying on specific documented behavior in OpenBSD as we deployed OpenBSD firewalls, and when we switched to pfSense this bit us. There were workarounds at least.


The suggested OPNsense (https://opnsense.org) looks promising.


Presumably Manuel is busy with Threema.


Never heard of it.

Threema is a mobile messaging app that puts security first. With true end-to-end encryption, you can rest assured that only you and the intended recipient can read your messages. Unlike other popular messaging apps (including those claiming to use encryption), even we as the server operator have absolutely no way to read your messages.

https://threema.ch/en


Man, this brings back memories. My first job - started out as a summer intern at an MVNO. We needed access via RDP to the host carrier's billing platform, so we needed to establish an IPSec VPN to their network. Of course, our little WRT54G wasn't gonna do the job...

Spoke with a network engineer at the host carrier, who recommended we try out m0n0wall. Played with it for a little bit, but then was led to pfSense, which we ended up using.

That was 2006. Time does fly...


m0n0 was one of the greatest pieces of open source software I've ever used. It just worked.

For a flashback go to their gallery: http://m0n0.ch/wall/gallery.php

So awesome!


Thank you Manuel (and all the contributors) for creating and working on m0n0wall! It was a great project.


Any word on what Manuel will be doing now? Is he going to work with the pfSense or OPNsense guys?


Has it been just this one guy who worked on this project all along?


Of course not. I think all of the developers agreed on finishing the project and focus on the 'new generation' m0n0wall like the OPNsense.

These guys were the main contributors:

Andrew White (awhite) <andywhite at gmail dot com>
Lennart Grahl (lgrahl) <lennart.grahl at gmail dot com>
Manuel Kasper (mkasper) <mk at neon1 dot net>
Pierre Nast (pnast) <pierre at coldev dot org>


I have fond memories of m0n0wall. Thanks for the great work.



