PF Any opinions on pfSense?

Hello,

I'm curious to hear if anyone has some opinions or takeaways regarding pfSense. I've been heavily exposed to it at work and while it accomplishes what is required, I am getting some quality issues with the overall experience. I believe these issues can be resolved obviously, but that solution doesn't appear to present itself in the web configuration. I'm at the point now where I need to develop an advanced understanding of this system to troubleshoot any finer issues I come across (right now I'm having throughput and VoIP issues on a pfSense appliance designed for home office). I'm wondering though if instead of finding/purchasing training material for pfSense, I should instead get training material for FreeBSD PF which the system is based on. I already have a good grasp on FreeBSD and use the pfSense CLI regularly. It seems studying up on PF is a better use of my time perhaps?

Interested to hear your two cents.

Thanks!
 
The logical path is to graduate from pfSense and FreeNAS and whatever else to FreeBSD and configure a better system yourself...
 
I'm curious to hear if anyone has some opinions or takeaways regarding pfSense.
Decent firewall, definitely too excessive for me because I think it's a bit far-fetched to dedicate a whole OS to one specific task (such as a firewall). Of course on the other end it also makes the firewall functionality a lot more accessible thanks to the web interface.

I'm at the point now where I need to develop an advanced understanding of this system to troubleshoot any finer issues I come across (right now I'm having throughput and VoIP issues on a pfSense appliance designed for home office). I'm wondering though if instead of finding/purchasing training material for pfSense, I should instead get training material for FreeBSD PF which the system is based on.
Why not both?

The FreeBSD environment is well explained in the FreeBSD handbook, and chapter 30.5 is fully dedicated to PF. So you don't really need any training, just some motivation to actually read through the documentation and perhaps try it out for yourself using a VM (which should also be easily installed).

But I wouldn't substitute this for pfSense training. Sure, the underlying routines may be somewhat the same, but that doesn't mean that you'll know how to apply those. pfSense is obviously heavily customized, and that's an important detail as well, something which you won't learn otherwise.

There's really nothing new here... Knowing your way around Windows is by no means any guarantee that you'll also know how to administrate a Windows server. Knowing about one Linux distribution is most likely not going to help you at all with another. In this sense even having a solid understanding of Unix won't do you much good (though you would know where to start looking for answers). FreeBSD really isn't that much different; knowing all about FreeBSD for example is no guarantee at all that you'd be able to administrate our servers. Simply due to the heavy customization.

Ergo: do both.
 
I totally agree with above. After 3 years on FreeBSD I still use pfSense. I use an APU2 and I couldn't be happier with it.
My complaints are thus:
pfSense got rid of NanoBSD releases
pfSense eliminated i386 builds
pfSense now requires AES-NI instructions on your CPU

For a new user I would recommend OPNsense. They have maintained the status quo and strive to make their project as compatible with stock FreeBSD as possible. You can even convert a FreeBSD install into an OPNsense installation.

Now pfSense is a FreeBSD sponsor and Netgate has many paid developers who contribute to FreeBSD. So that's a plus.
I just like to present all options to you. It's your choice.
I have bought hardware from Jim and the crew in Austin and it was quality gear. They also offer support contracts which can be valuable to some folks. They did change their license to Apache and I didn't care for that. There were times when they were quite defensive of their open source code and the optics looked poor to an end user.
 
It's been a while now but I ran a pfSense Dell tower with a P4 and 2GB RAM IIRC a couple years and was very happy with it. It was an electricity hog though and when I switched to cable shelved it.

Personally, I think it would make more sense now to have a dedicated FreeBSD pf setup. I already use pf and wouldn't need to Admin through a browser. My router carries out SPI, but I have much more faith in pf than NetGear.

I wonder if I can find another card on the whitelist so I can re-purpose a Thinkpad? ;)
 
If you know your way around PF and you have a solid understanding of networking then pfSense might not be for you. The whole point of it is to provide a nice GUI frontend to the packet filtering firewall and other associated services for people who want to use a GUI for administration and don't have the skills for doing everything by hand on the command line.

Otherwise pfSense is quite wonderful and has certain features that are hard to implement on a stock FreeBSD.
 
I am quite happy with my Netgate SG-3100. I don't have the space for another computer so it fits the bill perfectly. It's overkill for a home user, yes, but all of my computing involves overkill...
 
Being an embedded guy I did want to try out their spin of the BeagleBone (TI AM35xx): the SG-1000.
They have the price point right but I am hoping I could find a used one cheap one day. I already have too many toys.

The OpenVPN facilities built into pfSense are really top notch and make tunnels easy.
 
Phishfry, you do know my whitelist remark was jokingly intended for you...

I posted at the Thinkpad forum to see if they could tell me which network card I should be looking for to use with a T61.
 
pfSense is generally very good. It makes features much more readily available, as it can be configured via a GUI and it handles all the dirty messy stuff for you.

However, it's not perfect. An example of this is the traffic shaping: it does one thing that goes against FreeBSD documentation. I reported this on the pfSense forums a couple of years back and was called out as an idiot. It remained broken for a while (I fixed it before that by reconfiguring my rules to FreeBSD documentation, which worked fine), and then when the version of that code went out of BETA into Release, other users started reporting the same issues, but were taken more seriously than me as they were in a decent sized number vs my single complaint, and they fixed it. Me being curious, I checked the bug report and the GitHub code log, and it turns out pfSense apply a custom patch to change the behaviour of PF, which is why it was broken: on the BETA release they forgot to apply their patch and it was as such conforming to FreeBSD standards. Basically, gotchas like this could catch you out if you are used to FreeBSD, or if you get used to pfSense and then migrate to FreeBSD.

There is also OPNsense, which has my interest because they are using HardenedBSD, so have better exploit protection in place. But OPNsense has fewer features than pfSense. However, I have noticed it's faster on weak hardware.
 