Netgate Discussion Forum

State of the Union (in pfSense land) - Opinions?

Off-Topic & Non-Support Discussion
37 Posts, 10 Posters, 5.2k Views
  • K Offline
    keyser Rebel Alliance
    last edited by keyser May 30, 2022, 9:04 AM May 30, 2022, 9:03 AM

    Hi all.

    I have been using pfSense for 10 years+ now, and am generally very happy with it because it is very simple and intuitive to configure.

    However, I have stepped up my use cases considerably in the last couple of years with a lot of my customers and private installations I manage (since the pfSense+ release and the new generation of white SG-xxxx appliance boxes).

    This added use has brought quite a few headaches, as I have noticed a fairly general issue with pfSense compared to other boxes and projects:

    There seem to be areas of pfSense that get no love from development, and where features/usability are on a basic "we tick the box" home-use level - and stay there.

    Looking at redmine I can see feature and pull requests have been asking for fixes/features for years and years on these subjects.
    But it is almost like once an area is "lost", the activity and use of pfSense in that respect goes away along with it.
    Afterwards it seems it's just generally accepted that you cannot really use pfSense for that, and no further development happens - or there is a cumbersome and really annoying workaround for something very simple/basic - and people live with it.

    Just these last 3 months I have been involved in projects, where basic features caused me to spend days and days finding manual workarounds and patches to getting basic stuff working.

    Examples of my observation:

    1: IPSec - Even basic grouping of mobile users to IP pools does not work - and never has. The consensus seems to be: Use OpenVPN instead, IPSec is for Site2Site.
    A few years back Mobile IPSec didn't even work properly for mobile users across the 5 major client OSes.

    2: Traffic Monitoring - There are no worthwhile traffic monitoring packages apart from NtopNG. But that package is barely maintained, and needs a lot of manual patching to actually be usable. Almost no activity is present on NtopNG here - probably because it's been useless for many years.

    3: IPv6 - The IPv6 DHCPv6 client in pfSense is more or less useless as it cannot be configured with most DHCP options. So it doesn't work with even basic ZTE ISP equipment, or in most of Europe where ISPs require all sorts of DHCPv6 options present to work. There seems to be no real work done on this for years, and I see a lot of people using OPNsense, Linux or other projects to get basic IPv6 going.

    4: Cellular connectivity as a backup WAN - Just forget it. It requires you to use pretty old and generally unavailable hardware to work, and even then - it requires a lot of tweaking to actually be usable.

    5: DNS registration of DHCP clients in Unbound - That still doesn’t work unless a full unbound restart is acceptable. The suggested fix has been available for years, but never implemented - it just seems it has been accepted that you do not need that feature in pfSense land…

    What is your experience with the current development on pfSense?

    Love the no fuss of using the official appliances :-)

    1 Reply Last reply Reply Quote 0
    • S Offline
      stephenw10 Netgate Administrator
      last edited by May 30, 2022, 1:04 PM

      Cellular hardware compatibility is certainly an issue. It's hard to recommend anyone uses a modem in pfSense directly with the current device support. The same is true for wifi hardware of course. Both are limited by the available FreeBSD drivers.
      It would be very nice to see umb(4) ported from OpenBSD. There is at least one port for FreeBSD that was completed and the authors were talking about upstreaming it but that unfortunately never happened.

      Steve

      1 Reply Last reply Reply Quote 0
      • C Offline
        Cool_Corona
        last edited by May 30, 2022, 1:15 PM

        Basically I am looking in other directions right now for our production environments.

        For the very reason we haven't implemented IPv6 as of yet.

        Traffic monitoring and reporting to clients is a hassle and in this modern age we should have a dashboard that can show clients in real time where and how they are attacked based on the logs from Snort or Suricata.

        A basic VPN tunnel. Site 2 site. Is a MAJOR hassle in pfSense. I have started to use RRAS for the same reason. Basic setup and it works like a charm. I gave up on pfSense in regards to VPN.

        F S 2 Replies Last reply May 30, 2022, 1:57 PM Reply Quote 0
        • F Offline
          fireodo @Cool_Corona
          last edited by fireodo May 30, 2022, 1:57 PM May 30, 2022, 1:57 PM

          @cool_corona said in State of the Union (in pfSense land) - Opinions?:

          in this modern age we should have a dashboard that can show clients realtime where and how they are attacked based on the logs from Snort or Suricata.

          This is a Feature I'd like to see/have too 😏 🙂

          Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
          SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
          pfsense 2.8.0 CE
          Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

          1 Reply Last reply Reply Quote 0
          • S Offline
            stephenw10 Netgate Administrator @Cool_Corona
            last edited by May 30, 2022, 2:19 PM

            @cool_corona said in State of the Union (in pfSense land) - Opinions?:

            A basic VPN tunnel. Site 2 site. Is a MAJOR hassle in pfSense.

            Hmm, well I'd struggle to see that. I must have set up thousands of site-to-site VPNs and the vast majority of time it just works without any significant hassle. That's using any of the available VPN technologies.
            What is the 'major hassle' you're seeing there? Obviously if we can make it easier we would like to.

            Steve

            K 1 Reply Last reply May 30, 2022, 2:34 PM Reply Quote 0
            • S stephenw10 moved this topic from General pfSense Questions on May 30, 2022, 2:20 PM
            • K Offline
              keyser Rebel Alliance @stephenw10
              last edited by May 30, 2022, 2:34 PM

              @stephenw10 said in State of the Union (in pfSense land) - Opinions?:

              @cool_corona said in State of the Union (in pfSense land) - Opinions?:

              A basic VPN tunnel. Site 2 site. Is a MAJOR hassle in pfSense.

              Hmm, well I'd struggle to see that. I must have set up thousands of site-to-site VPNs and the vast majority of time it just works without any significant hassle. That's using any of the available VPN technologies.
              What is the 'major hassle' you're seeing there? Obviously if we can make it easier we would like to.

              Steve

              I agree with Steven here. S2S is fairly simple (as simple as generic IPSec can be - it's no WireGuard :-)).

              For me the issue is with Mobile User IPSec and the very limited user/firewall rules control it offers.
              I recently found a way to hack the pfSense scripts so it actually supports grouping of users to specific IP pools (allows you to create firewall rules per group). But the fact this never worked natively is a VERY good example of a "dead" area in pfSense. How can something SO basic not have been supported for at least the last decade? IPSec VPN is after all the only VPN client built into almost all OSes, so a MAJOR hassle with OpenVPN client management could have been avoided.

              Love the no fuss of using the official appliances :-)

              N 1 Reply Last reply May 30, 2022, 3:06 PM Reply Quote 0
              • N Offline
                NogBadTheBad @keyser
                last edited by NogBadTheBad May 30, 2022, 3:14 PM May 30, 2022, 3:06 PM

                @keyser said in [State of the Union (in pfSense land) - Opinions?]

                For me the issue is with Mobile User IPSec and the very limited user/firewall rules control it offers.

                Have you tried using FreeRadius and Framed-IP ?

                "andy" Cleartext-Password := "XXXXXXXXXX", Simultaneous-Use := "1", Expiration := "Apr 11 2027", NAS-Identifier == strongSwan
                    Framed-IP-Address = 172.16.8.2,
                    Framed-IP-Netmask = 255.255.255.0,
                    Framed-Route = "0.0.0.0/0 172.16.8.1 1"


                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                M K 2 Replies Last reply May 30, 2022, 3:14 PM Reply Quote 0
                • M Online
                  mcury Rebel Alliance @NogBadTheBad
                  last edited by May 30, 2022, 3:14 PM

                  @nogbadthebad Indeed, freeradius works perfectly..
                  Using freeradius for authorization and accounting. LDAP for authentication.

                  #start pfsense GUI
                  if (LDAP-Group == "pfsense_admins" && NAS-Identifier == "webConfigurator-pfsense.home.arpa") {
                      update {
                          reply:Class := "pfsense_admins"
                      }
                      noop
                  }
                  #end pfsense GUI
                  #start WIFI WPA-2 Enterprise
                  if (LDAP-Group == "wireless_users" && NAS-IP-Address == "192.168.199.3") {
                      update {
                          Simultaneous-Use := "1"
                          control:Max-Daily-Session := "7200"
                      }
                      noop
                      dailycounter
                  }
                  #end WIFI WPA2 Enterprise
                  #IPSec road warrior static IP for AD_USER
                  if (&control:LDAP-UserDN =~ /cn=AD_USER,cn=users,dc=home,dc=arpa$/i && NAS-Port-Id == "con-mobile") {
                      update {
                          reply:Class := "pfsense_admins"
                          reply:Framed-IP-Address := "172.16.98.100"
                          reply:Framed-IP-Netmask := "255.255.255.0"
                      }
                      noop
                  }
                  elsif (LDAP-Group == "vpn_access" && NAS-Port-Id == "con-mobile") {
                      update {
                          reply:Class := "vpn_access"
                      }
                      noop
                  }
                  #end IPSec road warrior VPN


                  dead on arrival, nowhere to be found.

                  1 Reply Last reply Reply Quote 0
                  • K Offline
                    keyser Rebel Alliance @NogBadTheBad
                    last edited by keyser May 30, 2022, 7:03 PM May 30, 2022, 7:02 PM

                    @nogbadthebad said in State of the Union (in pfSense land) - Opinions?:

                    @keyser said in [State of the Union (in pfSense land) - Opinions?]

                    For me the issue is with Mobile User IPSec and the very limited user/firewall rules control it offers.

                    Have you tried using FreeRadius and Framed-IP ?

                    Yes I have, and Windows NPS as well, but like I wrote in the initial post, it doesn't scale. (EDIT: Sorry, I wrote that in some of my several other posts on the subject)
                    Some of my customers have several hundred users - some thousands. You cannot assign static IPs to all those users. You need them to be assigned to a specific IP range/subnet based on group membership determined by the Radius authentication source (Active Directory or some other LDAP). That way you create firewall rules for IP ranges/subnets - which in effect are rules for a group of users.

                    Love the no fuss of using the official appliances :-)

                    A 1 Reply Last reply May 30, 2022, 8:14 PM Reply Quote 2
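The two approaches above (NogBadTheBad's static Framed-IP entry, mcury's unlang policy with one address per user) and keyser's objection that static addresses do not scale to hundreds of users can be reconciled with a per-group address pool. The following is an added example, not code from the thread or from pfSense/FreeRADIUS: each directory group maps to its own subnet, a user is leased the lowest free address in the pool of their highest-priority group, and the RADIUS reply carries Class, Framed-IP-Address and Framed-IP-Netmask so that firewall rules are written once per subnet. The group names, subnets and usernames are constructed; how the group list reaches the script (for instance via rlm_exec, which reads "Attribute = value" lines back as reply attributes) is an assumption and not shown.

```python
"""Group-based VPN address pools for a RADIUS reply (constructed example).

A directory group maps to a dedicated subnet. Every user in the group gets an
address from that subnet, so firewall rules can target the subnet instead of
individual users. Nothing here is pfSense or FreeRADIUS project code.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed group -> subnet mapping. Dict order is the priority used when a
# user is a member of several groups (first match wins).
GROUP_POOLS = {
    "vpn_admins": "172.16.98.0/24",
    "vpn_access": "172.16.99.0/24",
}


class PoolExhausted(Exception):
    """Raised when a group pool has no free host address left."""


@dataclass
class GroupPool:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address              # first host, reserved for the tunnel endpoint
    leases: dict = field(default_factory=dict)  # username -> leased address

    @classmethod
    def from_cidr(cls, cidr: str) -> "GroupPool":
        net = ipaddress.ip_network(cidr, strict=True)
        return cls(network=net, gateway=next(net.hosts()))

    def lease(self, user: str) -> ipaddress.IPv4Address:
        """Return the user's existing address, or the lowest free one."""
        if user in self.leases:
            return self.leases[user]
        in_use = set(self.leases.values()) | {self.gateway}
        for addr in self.network.hosts():
            if addr not in in_use:
                self.leases[user] = addr
                return addr
        raise PoolExhausted(f"no free address left in {self.network}")

    def release(self, user: str) -> None:
        """Free the user's address (e.g. on Accounting-Stop)."""
        self.leases.pop(user, None)


def build_pools(mapping=GROUP_POOLS):
    return {group: GroupPool.from_cidr(cidr) for group, cidr in mapping.items()}


def select_group(user_groups, pools):
    """Pick the highest-priority pool group the user belongs to, or None."""
    for group in pools:  # dict order is the configured priority
        if group in user_groups:
            return group
    return None


def radius_reply(user, user_groups, pools):
    """Reply attributes for an Access-Accept, or None meaning Access-Reject."""
    group = select_group(user_groups, pools)
    if group is None:
        return None  # not in any VPN group: no address, reject
    pool = pools[group]
    addr = pool.lease(user)
    return {
        "Class": group,
        "Framed-IP-Address": str(addr),
        "Framed-IP-Netmask": str(pool.network.netmask),
    }


def exec_output(reply):
    """Render the reply as 'Attribute = value' lines (the shape rlm_exec reads)."""
    return "\n".join(f"{name} = {value}" for name, value in reply.items())


def group_of_address(addr, pools):
    """Reverse lookup: which group's firewall rules apply to a source address."""
    ip = ipaddress.ip_address(addr)
    for group, pool in pools.items():
        if ip in pool.network:
            return group
    return None


if __name__ == "__main__":
    pools = build_pools()
    for user, groups in [("alice", ["vpn_admins", "vpn_access"]),
                         ("bob", ["vpn_access"]), ("eve", ["staff"])]:
        reply = radius_reply(user, groups, pools)
        print(user, "->", "Access-Reject" if reply is None else exec_output(reply))
```

Lease state lives in memory here; a real deployment would keep it in the RADIUS server's own pool (sqlippool or similar) so that addresses survive restarts and are released on accounting stop, which is exactly the part a static users-file entry cannot do for hundreds of accounts.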
                    • A Offline
                      aduzsardi @keyser
                      last edited by aduzsardi May 30, 2022, 8:15 PM May 30, 2022, 8:14 PM

                      @keyser
                      I think at some point pfSense people will need to acknowledge that using FreeBSD as the base OS is not the best option.
                      The development is very slow, from what I've read the networking stack is vastly inferior to Linux (yeah, I know ... some feelings will be hurt), needless to say anything about drivers and hardware compatibility.

                      Hard to say where this project is headed but there are not a lot of choices if you're not willing to pay a monthly/yearly subscription or license + hardware cost for a commercial firewall appliance.

                      K 1 Reply Last reply May 30, 2022, 8:40 PM Reply Quote 0
                      • K Offline
                        keyser Rebel Alliance @aduzsardi
                        last edited by May 30, 2022, 8:40 PM

                        @aduzsardi said in State of the Union (in pfSense land) - Opinions?:

                        @keyser
                        I think at some point pfSense people will need to acknowledge that using FreeBSD as the base OS is not the best option.
                        The development is very slow, from what I've read the networking stack is vastly inferior to Linux (yeah, I know ... some feelings will be hurt), needless to say anything about drivers and hardware compatibility.

                        Hard to say where this project is headed but there are not a lot of choices if you're not willing to pay a monthly/yearly subscription or license + hardware cost for a commercial firewall appliance.

                        I agree with parts of your post insofar as drivers and ports for a "small" platform, as FreeBSD obviously is, are an issue.
                        But I suspect the integration between the GUI, services and pf filter parts is far too tight to ever see it migrate to a Linux flavor OS.

                        I do however feel that the situation is a bit of a hen and egg problem. pfSense/Netgate is missing customers because there are too many underdeveloped parts that prevent popularity.
                        Corona and working from home was a great example. I dunno how many VPN boxes/routers were commissioned during that period, but pfSense was of very little help because, as a company, you could not do basic user separation unless you subscribed to the hassle of OpenVPN client distribution and configuration.
                        The ONLY VPN clients that are easier to use than Cisco/Fortinet level clients are the OS native ones - which you cannot use in pfSense at scale/with ease - which is what companies are looking for.

                        Just for the record, my customers - and I - are only using official Netgate hardware and pfSense+.
                        But I know developer resources are the major issue here, so we just have to manage.

                        Love the no fuss of using the official appliances :-)

                        A P 2 Replies Last reply May 30, 2022, 8:56 PM Reply Quote 1
                        • A Offline
                          aduzsardi @keyser
                          last edited by aduzsardi May 30, 2022, 8:56 PM May 30, 2022, 8:56 PM

                          @keyser
                          We are using the 7100 model, but we don't have a lot of users, I think probably around 80, and not everybody needs VPN in my situation.
                          But even so, I started to separate services to their own boxes and manage them separately using APIs or custom scripts.

                          Not sure if we'll continue using pfSense in the long run, there are talks about getting one of those NGFW appliances.

                          1 Reply Last reply Reply Quote 0
                          • P Offline
                            psp @keyser
                            last edited by psp May 31, 2022, 7:00 AM May 31, 2022, 7:00 AM

                            @keyser said in State of the Union (in pfSense land) - Opinions?:

                            The ONLY VPN client that is easier to use than Cisco/Fortinet level clients are the OS native ones

                            Right. I'm using pfSense in all our subsidiaries, but to properly handle all our road warrior VPNs I had to set up SoftEther as a concentrator. All users are simply required to configure their native L2TP/IPSec clients.

                            K 1 Reply Last reply May 31, 2022, 7:34 AM Reply Quote 0
                            • C Offline
                              Cool_Corona
                              last edited by May 31, 2022, 7:22 AM

                              Instead of moving on to new versions now and then, patch the running ones like 2.5.2.

                              Fix the monitoring, reporting and VPN parts. Make them useful and modern.

                              It's like Windows 10. It's patched all the time. Windows 11 has arrived but 10 is still patched.

                              If you upgraded to 2.6.0 you're stuck with errors and VLANs performing badly unless you run a script when the damn thing boots or disable RSC. Imagine needing to turn off your headlights to get the heating working in the car during winter....

                              If the goal is to create an alternative to Palo Alto or any of the larger brands then pfSense is lightyears behind.

                              If the goal is just to be geeks and have fun then please continue. But the user base will seep away slowly....

                              K S 2 Replies Last reply May 31, 2022, 7:50 AM Reply Quote 0
                              • K Offline
                                keyser Rebel Alliance @psp
                                last edited by May 31, 2022, 7:34 AM

                                @psp said in State of the Union (in pfSense land) - Opinions?:

                                @keyser said in State of the Union (in pfSense land) - Opinions?:

                                The ONLY VPN client that is easier to use than Cisco/Fortinet level clients are the OS native ones

                                Right. I'm using pfSense in all our subsidiaries, but to properly handle all our road warrior VPNs I had to set up SoftEther as a concentrator. All users are simply required to configure their native L2TP/IPSec clients.

                                I understand - but for the record I have now created a simple hack to pfSense that allows you to use the IPSec Mobile User VPN with group based authentication and group based IP pools (firewall rules for a group of users).
                                It works with the OS native VPN client on all the major client OSes, and is a feature pfSense has been lacking for FAR FAR FAR too long.
                                It works beautifully at a customer with about 500 Mobile VPN users :-)

                                I have created a redmine request to have it fixed in coming releases, but since it’s beyond my skills to create/edit the code myself and create a proper Pull Request, I fear it won’t happen.
                                But it’s simple to do, so I will just rehack the install at every version upgrade.

                                Love the no fuss of using the official appliances :-)

                                1 Reply Last reply Reply Quote 1
                                • K Offline
                                  keyser Rebel Alliance @Cool_Corona
                                  last edited by May 31, 2022, 7:50 AM

                                  @cool_corona I hear you, but the point of my post is not that pfSense is generally useless/pointless.

                                  I think it's a great - really great - product that just suffers some "black holes" in features/fixes. So the point of my post is not to create a complaint thread - I would prefer we actually ended up commending the developers for the hard work they do.
                                  I am pretty happy overall with pfSense and think they deserve a lot of credit - A LOT :-)

                                  I would like this thread to revolve around what we can do to have pfSense “pick up” on the missing/dead feature ends it has. Any ideas?

                                  Creating redmine requests seems to have little effect unless it's a bug or you can create the code edits yourself and actually make a pull request.
                                  This forum is more or less dead in the areas where the functionality has been missing for years - a good indication of my point - so posting here has equally little effect.
                                  There are even quite a few posts that very heavily attempt to persuade users that those features are not needed, and that they should actively try and do something else/use workarounds.

                                  Perhaps a voting system with some kind of “product manager” that actively seeks out posts/threads that actually makes a good point for a feature/fix? The product manager could then clean up and formalize it as a feature request that could be voted on for popularity?

                                  Love the no fuss of using the official appliances :-)

                                  A 1 Reply Last reply May 31, 2022, 8:12 AM Reply Quote 1
                                  • A Offline
                                    aduzsardi @keyser
                                    last edited by May 31, 2022, 8:12 AM

                                    @keyser
                                    So what do you think we should do to have a more active development commitment from Netgate?
                                    I'm a systems administrator, not sure what or how I could help in the development area since I don't know anything about software development, otherwise I would gladly help in any way I can.

                                    K 1 Reply Last reply May 31, 2022, 9:28 AM Reply Quote 0
                                    • K Offline
                                      keyser Rebel Alliance @aduzsardi
                                      last edited by May 31, 2022, 9:28 AM

                                      @aduzsardi said in State of the Union (in pfSense land) - Opinions?:

                                      @keyser
                                      So what do you think we should do to have a more active development commitment from Netgate?
                                      I'm a systems administrator, not sure what or how I could help in the development area since I don't know anything about software development, otherwise I would gladly help in any way I can.

                                      Yeah that is the question - I'm in the same situation as you, and would also like to help.
                                      PfSense really is a very very good and easy to use product, with the most intuitive GUI of all the Firewalls I have ever worked with. But there are these feature caveats.

                                      The most problematic thing is probably "turning things around" for the dead branches of pfSense.
                                      It will first require some development to actually bring it to a working and dependable state.
                                      Then it will take a lot of time for users/the world to actually start using and believing in those features again on pfSense.

                                      My experience is that Netgate/pfSense have improved on their communication skills, but they are still very hard to get out of the bushes. So the first point on the agenda would be to get them to talk about how we can help.
                                      I have no insights into how they select what to fix/change/add to pfSense, but it seems to me that process is broken, because of the heavy focus on parts of the product and complete negligence of other parts. I'm not even arguing for new major features - just more feature completeness in the already included services.
                                      22.05 is at the brink of release, but that seems to be bug fixes/security updates only, so that's not going to change any of the dead areas.

                                      Perhaps persuade them to do a focused next release that aims to make already included services in pfSense more fully functional/dependable across platforms?

                                      Love the no fuss of using the official appliances :-)

                                      1 Reply Last reply Reply Quote 0
                                      • G Offline
                                        gabacho4 Rebel Alliance
                                        last edited by gabacho4 May 31, 2022, 9:59 AM May 31, 2022, 9:53 AM

                                        So quick question for the group here as I’ve wanted to know this for some time. You compare pfsense to other commercial products but how many of you are actually using it on Netgate hardware (PfSense+) or paying for a license/support plan versus using the CE version?

                                        Development requires people and people require payment. It’s entirely possible that the things you want are valid but Netgate’s paying customers aren’t asking for it. If paying customers are making these requests, I wonder if the number who have made that request is large enough for Netgate to dedicate resources/money to? If large enough, Netgate should justify why they are ignoring that need. But first and foremost, you can’t compare free PfSense (CE) with very much not free alternatives.

                                        I’m not a troll. I’m not affiliated with Netgate. I am a former CE user who went to Netgate hardware to help support the company and development. I’ve seen so much entitlement expressed since the announcement for Plus was made, by people who seem to forget that nothing in life is truly free (one way or another it has a cost), that I’ve struggled to see where the line between ungrateful whiners, and those who are actually contributing to the longevity of the product, lies.

                                        Edit: not accusing anyone in this thread of being a whiner. Just asking an earnest question and expressing my observations.

                                        C A 2 Replies Last reply May 31, 2022, 11:01 AM Reply Quote 5
                                        • C Offline
                                          Cool_Corona @gabacho4
                                          last edited by May 31, 2022, 11:01 AM

                                          @gabacho4 But if a product lacks the basic things, would you pay for it or look elsewhere?

                                          First and foremost, you deliver a solid and modern product with little to no issues. That's the basic requirement nowadays.

                                          When things like VPN, reporting and monitoring are a hassle, then people are hesitant to pay. Because they are not promised to get it done. As @keyser mentioned... it has been dormant for years.

                                          That's what bounties are for. Get a package going. Like pfBlocker in the early days with Marcello, Snort and Suricata with @bmeeks and so forth.

                                          If you eliminated Snort, Suricata, Zeek and pfBlocker, what would make pfSense a great FW??

                                          Exactly. :)

                                          G 1 Reply Last reply May 31, 2022, 11:34 AM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.