AiFw vs OPNsense vs pfSense
A fair, honest comparison. Where a competitor is stronger, we say so. The matrix is built from the sources: AiFw features are verified against the repository, OPNsense and pfSense features against their official documentation.
| Feature | AiFw | OPNsense | pfSense |
|---|---|---|---|
| Firewall & filtering | |||
| Stateful packet filtering | ✓ | ✓ | ✓ |
| Rule scheduling | ✓ | ✓ | ✓ |
| Aliases (IP/port groups) | ✓ | ✓ | ✓ |
| IPv6 support | ✓ | ✓ | ✓ |
| VLAN support | ✓ | ✓ | ✓ |
| Static routing | ✓ | ✓ | ✓ |
| Multi-WAN / failover / LB | planned | ✓ | ✓ |
| Captive portal | — | ✓ | ✓ |
| NAT | |||
| SNAT (outbound) | ✓ | ✓ | ✓ |
| DNAT / port forwarding | ✓ | ✓ | ✓ |
| 1:1 NAT (binat) | ✓ | ✓ | ✓ |
| NAT64 | ✓ | plugin | ✓ |
| NAT46 | ✓ | — | — |
| VPN | |||
| WireGuard | ✓ | ✓ | ✓ |
| IPsec | ✓ | ✓ | ✓ |
| OpenVPN | — | ✓ | ✓ |
| IDS / IPS | |||
| Suricata rules | ✓ | ✓ | pkg |
| Snort rules | — | — | ✓ |
| Sigma rules | ✓ | — | — |
| YARA rules | ✓ | — | — |
| AI/ML threat detection | ✓ | — | — |
| DNS | |||
| DNS resolver | rDNS | Unbound | Unbound |
| Host/domain overrides | ✓ | ✓ | ✓ |
| DNSSEC | ✓ | ✓ | ✓ |
| Dynamic DNS client (WAN) | — | plugin | ✓ |
| DHCP | |||
| DHCPv4 server | rDHCP | Kea/ISC | Kea/ISC |
| Reservations | ✓ | ✓ | ✓ |
| HA failover | ✓ | ✓ | ✓ |
| DDNS (DHCP lease → DNS registration) | ✓ | ✓ | ✓ |
| Traffic shaping | |||
| CoDel | ✓ | ✓ | ✓ |
| HFSC | ✓ | ✓ | ✓ |
| PRIQ | ✓ | ✓ | ✓ |
| CBQ | — | ✓ | ✓ |
| High availability | |||
| CARP (virtual IPs) | ✓ | ✓ | ✓ |
| pfsync (state sync) | ✓ | ✓ | ✓ |
| Config sync | ✓ | ✓ | ✓ |
| Reverse proxy | |||
| Built-in proxy | TrafficCop | — | — |
| HAProxy | — | plugin | pkg |
| Authentication | |||
| Local users | ✓ | ✓ | ✓ |
| TOTP 2FA | ✓ | ✓ | RADIUS |
| LDAP | — | ✓ | ✓ |
| RADIUS | — | ✓ | ✓ |
| OAuth / SSO | ✓ | — | — |
| API keys | ✓ | ✓ | community |
| RBAC (granular perms) | 34 perms | ACL | user/group |
| Plugins & extensibility | |||
| Package/plugin system | beta | ✓ | ✓ |
| WASM plugins | planned | — | — |
| Architecture | |||
| Web UI technology | React/Next.js | PHP | PHP |
| REST API | Rust/Axum | ✓ | community |
| CLI tool | ✓ | limited | limited |
| TUI (terminal UI) | ✓ | — | — |
| WebSocket live dashboard | ✓ | — | — |
| Config management | |||
| Backup / restore | ✓ | ✓ | ✓ |
| Versioning + diff | ✓ | ✓ | ✓ |
| Commit confirm (auto-rollback) | ✓ | — | — |
| OPNsense config import | ✓ | n/a | — |
| Certificate Authority | |||
| Built-in CA | ✓ | ✓ | ✓ |
Where AiFw wins
- AI/ML threat detection — 5 built-in behavioural detectors (port scan, DDoS, brute force, C2 beacon, DNS tunneling) with auto-response and TTL blocks. Implemented in aifw-ai/src/detectors/.
- Sigma + YARA rule support — modern rule formats neither OPNsense nor pfSense support. Full parsers in aifw-ids/src/rules/.
- NAT46 — IPv4→IPv6 translation. Neither OPNsense nor pfSense ships it out of the box.
- OAuth / SSO — first-class auth method, not a plugin.
- Commit confirm — auto-rollback if you lock yourself out. Default 300-second timeout, cancellable via oneshot channel. Both competitors have this as a years-open feature request.
- Modern React/Next.js UI — static export, no Node.js runtime on the appliance. Not PHP.
- WebSocket live dashboard — per-second metrics push, not poll-every-30s.
- 257-endpoint REST API — Axum-based, generated from structured route config.
- Rust single-binary services — the API process measures under 15 MB private RSS, not a PHP-FPM pool.
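To make the "behavioural detector with auto-response and TTL blocks" point concrete, here is an added example of two such detectors (port scan and C2 beacon) over constructed flow records. It is illustration code written for this page, not the contents of aifw-ai/src/detectors/: the `Flow` layout, the thresholds, the purely heuristic (threshold and inter-arrival) logic and the sample traffic are all assumptions, and it uses only the Rust standard library.

```rust
// Added example, not AiFw code. Flow layout, thresholds and sample data are assumptions.
use std::collections::{HashMap, HashSet};

/// One connection attempt as a detector sees it in a flow log (assumed layout).
#[derive(Clone, Copy, Debug)]
pub struct Flow {
    pub ts: u64,   // seconds since epoch
    pub src: u32,  // IPv4 packed into a u32
    pub dst: u32,
    pub dport: u16,
}

/// Pack dotted-quad octets into the u32 used by `Flow`.
pub fn ip(a: u8, b: u8, c: u8, d: u8) -> u32 {
    u32::from_be_bytes([a, b, c, d])
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    PortScan { src: u32, distinct_ports: usize },
    Beacon { src: u32, dst: u32, period: u64 },
}

pub struct Detector {
    pub scan_window: u64,       // look-back in seconds for the port-scan counter
    pub scan_threshold: usize,  // distinct dst ports from one src that trigger a verdict
    pub beacon_min_samples: usize,
    pub beacon_min_period: u64, // ignore rapid retries; a beacon is slow and regular
    pub beacon_max_jitter: u64, // max spread between the shortest and longest gap
    pub block_ttl: u64,         // seconds an auto-block stays in force
    blocks: HashMap<u32, u64>,  // src -> expiry timestamp
}

impl Detector {
    pub fn new() -> Self {
        Detector {
            scan_window: 300, scan_threshold: 20, beacon_min_samples: 5,
            beacon_min_period: 30, beacon_max_jitter: 5, block_ttl: 600,
            blocks: HashMap::new(),
        }
    }

    /// Run both detectors over a batch of flows and auto-block every offender.
    pub fn analyze(&mut self, flows: &[Flow], now: u64) -> Vec<Verdict> {
        let mut verdicts = Vec::new();
        // Port scan: many distinct destination ports from one source inside the window.
        let mut ports: HashMap<u32, HashSet<u16>> = HashMap::new();
        for f in flows.iter().filter(|f| now.saturating_sub(f.ts) <= self.scan_window) {
            ports.entry(f.src).or_default().insert(f.dport);
        }
        for (src, set) in ports {
            if set.len() >= self.scan_threshold {
                verdicts.push(Verdict::PortScan { src, distinct_ports: set.len() });
            }
        }
        // C2 beacon: the same src/dst pair talking at a near-constant interval.
        let mut pairs: HashMap<(u32, u32), Vec<u64>> = HashMap::new();
        for f in flows {
            pairs.entry((f.src, f.dst)).or_default().push(f.ts);
        }
        for ((src, dst), mut times) in pairs {
            if times.len() < self.beacon_min_samples {
                continue;
            }
            times.sort_unstable();
            let gaps: Vec<u64> = times.windows(2).map(|w| w[1] - w[0]).collect();
            let lo = *gaps.iter().min().unwrap();
            let hi = *gaps.iter().max().unwrap();
            if lo >= self.beacon_min_period && hi - lo <= self.beacon_max_jitter {
                let period = gaps.iter().sum::<u64>() / gaps.len() as u64;
                verdicts.push(Verdict::Beacon { src, dst, period });
            }
        }
        // Auto-response: a TTL block, refreshed on every new verdict for the same source.
        for v in &verdicts {
            let src = match v {
                Verdict::PortScan { src, .. } | Verdict::Beacon { src, .. } => *src,
            };
            self.blocks.insert(src, now + self.block_ttl);
        }
        verdicts
    }

    /// Blocks expire on their own; expired entries are purged on every lookup.
    pub fn is_blocked(&mut self, src: u32, now: u64) -> bool {
        self.blocks.retain(|_, expiry| *expiry > now);
        self.blocks.contains_key(&src)
    }
}

/// Constructed sample traffic: a 25-port scan, a ~60 s beacon, and a benign host.
pub fn sample_flows() -> Vec<Flow> {
    let mut flows = Vec::new();
    for i in 0..25u16 {
        flows.push(Flow { ts: 1000 + i as u64, src: ip(10, 0, 0, 5), dst: ip(192, 0, 2, 10), dport: 1 + i });
    }
    for ts in [1000, 1060, 1118, 1180, 1240, 1300] {
        flows.push(Flow { ts, src: ip(10, 0, 0, 7), dst: ip(203, 0, 113, 9), dport: 443 });
    }
    for (ts, dport) in [(1010, 443), (1015, 443), (1200, 80), (1300, 443)] {
        flows.push(Flow { ts, src: ip(10, 0, 0, 8), dst: ip(198, 51, 100, 4), dport });
    }
    flows
}

fn main() {
    let mut det = Detector::new();
    for v in det.analyze(&sample_flows(), 1300) {
        println!("{:?}", v);
    }
    println!("scanner blocked now: {}", det.is_blocked(ip(10, 0, 0, 5), 1300));
    println!("scanner blocked after TTL: {}", det.is_blocked(ip(10, 0, 0, 5), 1901));
}
```

The `beacon_min_period` floor is what keeps the scanner's one-second bursts from also being reported as a beacon; without it a regular retry loop and a regular C2 check-in look identical to an inter-arrival test.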
Where AiFw is behind
Honesty matters. Things you’ll miss if you switch:
- No OpenVPN — both competitors have it. If you need OpenVPN specifically, don’t switch (yet).
- No LDAP / RADIUS — AiFw uses OAuth/SSO instead. Big companies often need LDAP.
- No Multi-WAN failover / load balancing — planned but not shipped.
- No captive portal — if you run a café/hotspot, stay put.
- No dynamic DNS client for WAN IP updates (DDNS is only DHCP→DNS integration).
- No CBQ traffic shaping (has CoDel, HFSC, PRIQ).
- No Snort rules — Suricata-compatible only.
- No HAProxy / Nginx — built-in TrafficCop instead.
- Young project — OPNsense and pfSense have years of community knowledge, mature plugin ecosystems, and forum Q&A. AiFw is new.
Should you switch?
Stay on pfSense/OPNsense if:
- You rely on OpenVPN, captive portal, multi-WAN load balancing, or LDAP
- You value a large community for Q&A
- Your stack is already stable and you’re not hitting any pain points
Consider AiFw if:
- You want modern, AI-assisted threat detection out of the box
- You’ve been burned by PHP-era admin interfaces
- You need OAuth/SSO without writing custom FreeRADIUS configs
- You care about commit-confirm safety
- You run this professionally and want reproducible, auditable Rust code
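Commit-confirm is the one item above that is easy to misdesign, so here is an added example of the mechanism: apply the candidate, arm a timer, roll back unless a confirmation arrives in time. This is illustration code for this page, not the AiFw implementation: the in-memory `Config`, the `Arc<Mutex<_>>` standing in for the live ruleset, and `std::sync::mpsc` used as a oneshot channel (in place of an async oneshot) are all assumptions.

```rust
// Added example, not AiFw code. Config, shared state and channel choice are assumptions.
use std::sync::mpsc::{self, RecvTimeoutError, Sender};
use std::sync::{Arc, Mutex};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// A ruleset reduced to the one field the example needs.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Config {
    pub mgmt_allow_from: String,
}

/// Shared running configuration; stands in for the live firewall ruleset.
pub type Running = Arc<Mutex<Config>>;

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Confirmed,
    RolledBack,
}

/// Handle for an applied-but-unconfirmed change. Dropping it without calling
/// `confirm` closes the channel, which the timer thread treats like a timeout:
/// losing the admin session (or the process owning the handle) rolls back.
pub struct Pending {
    confirm_tx: Sender<()>,
    timer: JoinHandle<Outcome>,
}

pub fn commit_confirm(running: Running, candidate: Config, timeout: Duration) -> Pending {
    let previous = running.lock().unwrap().clone(); // last known-good snapshot
    *running.lock().unwrap() = candidate;           // apply immediately

    let (confirm_tx, confirm_rx) = mpsc::channel::<()>();
    let timer = thread::spawn(move || match confirm_rx.recv_timeout(timeout) {
        Ok(()) => Outcome::Confirmed,
        Err(RecvTimeoutError::Timeout) | Err(RecvTimeoutError::Disconnected) => {
            *running.lock().unwrap() = previous;    // restore the snapshot
            Outcome::RolledBack
        }
    });
    Pending { confirm_tx, timer }
}

impl Pending {
    /// The admin reached the UI after the change: keep it. A confirmation that
    /// arrives after the timer has already fired cannot resurrect the change.
    pub fn confirm(self) -> Outcome {
        let _ = self.confirm_tx.send(());
        self.timer.join().expect("timer thread panicked")
    }

    /// Keep the handle open and block until the timer decides on its own.
    pub fn wait(self) -> Outcome {
        let Pending { confirm_tx, timer } = self;
        let out = timer.join().expect("timer thread panicked");
        drop(confirm_tx);
        out
    }
}

fn main() {
    let running: Running = Arc::new(Mutex::new(Config { mgmt_allow_from: "10.0.0.0/24".into() }));
    // A change that locks the admin out: management reachable only from a subnet they are not on.
    let bad = Config { mgmt_allow_from: "192.0.2.0/24".into() };
    let pending = commit_confirm(running.clone(), bad, Duration::from_millis(300));
    println!("applied: {:?}", *running.lock().unwrap());
    let outcome = pending.wait(); // nobody confirms within 300 ms
    println!("{:?}; running is now {:?}", outcome, *running.lock().unwrap());
}
```

Two properties worth checking in any commit-confirm implementation are visible here: the snapshot is taken before the candidate is applied, so a rollback restores exactly what was running, and a closed channel is treated the same as a timeout, so a dropped session fails safe instead of leaving an unconfirmed change in place.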
Try both — AiFw has an OPNsense XML config importer, so you can move a full config over without re-doing it by hand.