replacing routers with BSD boxes

pfSense is a great router based on FreeBSD. I have replaced 3 routers with it. Very easy to install and configure. The oldest one has been running for 8 years or so.
 
I've just finished an assignment where they used a lot of Linux boxes instead of proper routers. I can tell you, don't do it. It's not worth the hassle. Proper routers (Cisco, HP, Juniper) are much easier to maintain, less error-prone and don't add a lot of latency.
 
I use vanilla FreeBSD on a MiniITX box to serve Internet over 802.11n Wi-Fi and wired LAN and it works great. It's all made possible with a combination of pf(4), if_bridge(4), hostapd(8), a few sysctl(8) tunables that affect pf(4) filtering on bridges, and a few rc.conf(5) settings that set up routing, wlan(4) interfaces and hostapd(8). It also serves local DNS so I can look up my machines by hostname on the LAN, Samba, NFS, and Subversion.

I've had the same setup since 2010 and the system is routinely updated/upgraded. I seldom need to touch it. It currently runs FreeBSD 11-STABLE and runs like a champ.
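As an added illustration of the setup described in this post (not the poster's own files): the rc.conf(5), sysctl(8), hostapd(8) and pf(4) fragments that bridge a wired LAN port and an access-point wlan(4) into one segment that pf(4) filters once, on the bridge. The interface names (em0 WAN, em1 LAN, ath0 Wi-Fi), the 192.168.1.0/24 address and the hostapd values are assumptions.

```conf
# /etc/rc.conf (fragment) - assumed NIC names: em0 = WAN, em1 = wired LAN, ath0 = Wi-Fi
gateway_enable="YES"                  # forward IPv4 between interfaces
ifconfig_em0="DHCP"                   # upstream address from the ISP
ifconfig_em1="up"                     # no address: it is a bridge member
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"   # wlan0 is created as an access point
ifconfig_wlan0="up"                   # hostapd sets SSID, channel and WPA
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.1/24 addm em1 addm wlan0 up"  # LAN address lives on the bridge
hostapd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/sysctl.conf (fragment): run pf once on bridge0, not again on each member
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# /etc/hostapd.conf - constructed values; replace ssid and passphrase
interface=wlan0
driver=bsd
ssid=example-ap
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=CHANGE-ME-use-a-long-random-passphrase

# /etc/pf.conf - stateful NAT for the LAN, default-deny inbound on the WAN
ext_if = "em0"
lan_if = "bridge0"
lan_net = "192.168.1.0/24"

set skip on lo0
scrub in all

nat on $ext_if inet from $lan_net to any -> ($ext_if)

antispoof quick for $ext_if inet                   # drop WAN packets claiming a local source
block in log all                                   # log and drop anything not explicitly allowed
pass out quick inet keep state                     # replies to traffic the router originates
pass in on $lan_if inet from $lan_net to any keep state  # LAN clients: router services and NATed Internet
```

Check the effective rule set with `pfctl -sr` and the bridge tunables with `sysctl net.link.bridge` before trusting the box on a live uplink.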
 
There is a huge difference between a router that has 2 or 3 ports, serves a dozen clients, and has to handle a few Mbit/second (typical household), and a router that has a few hundred ports, serves a few hundred clients, and has to handle many Gbit/s. There is also a huge difference between a site that uses a single router, which is managed by logging into a shell, and a site that uses hundreds of routers, with a management framework.

At home, my FreeBSD box is router, NAT, DNS/DHCP/NTP server, file and print server, and handles other tasks like serving iTunes music and monitoring/controlling some hardware (for a while it was even a wireless AP, but that never worked well). My wife thinks it's my hobby (although she's perfectly happy to browse the web, print, and use it to look up scanned documents). I would never try to replace one of the 36-port EDR Mellanox boxes that we use at work with a FreeBSD machine.
 
pfSense is aimed more towards home users or small to medium businesses on standard, 'consumer' internet connections. BRP is more aimed towards enterprise/ISP and focuses on the routing part instead of firewalling, thus it offers many more routing protocols OOTB than pfSense, where it wouldn't make much sense to offer BGP or OSPF on a default installation. BRP also doesn't suffer from a GUI, so it is much more flexible and not limited to what the GUI developers thought one might need or want to do...


I'm using plain FreeBSD as routers/firewalls (and on other servers) at my employer's network with various 1U servers with 6-10 NICs (depending on the size of the branch) with PF for multiple zones, VLANs, VPNs (tinc) and WAN/upstream connections. I've replaced Debian/Devuan based routers, which suffered more and more from the systemd fallout and several issues with the Linux kernel routing and NAT. Throughput and especially latency on FreeBSD is _much_ better, which was also a key factor for VoIP between our branches.
Also, configuration on Linux for bigger/more complicated networks becomes an ugly mess really fast, whereas FreeBSD makes it quite easy to keep it all clean and maintainable with a simple and straightforward network configuration, FIBs and PF. If you really want to punish someone, make him migrate (and debug!) a PF ruleset and multiple routing tables to iptables and ip rule/ip route on Linux ;)
 