Where does pfSense fit into the SD-WAN market?

coreybrett

@hampy
I agree with everything you said. I think the term "SD-WAN" has very little technical meaning. I've been extremely happy with pfSense over the years. I have 4 CE boxes and 13 Netgate units. I've been using OpenVPN S2S links to connect them all together in a HUB-SPOKE style, but it seems a bit hacky to me. I would much prefer a true mesh style of interconnect. I looked at TINC for a little while, but it didn't seem like something I really wanted to put into production. I've also looked at the WireGuard/Tailscale, but that doesn't really appeal to me either.

The thing I would really like to see is ZeroTeir support added into the core product. Only a minimal implementation would be necessary. Just the ability to join an existing network (which would create an interface) and a textbox that JSON could be copied into for ZT config. I would not want to run a ZT controller on my firewall anyway. This would allow for a true mesh VPN between multiple pfS boxes and ZT has multi-wan abilities built-in.

The other wish list item I have is a Netgate operated DDNS service that would work with the Acme package. I wouldn't really care what the actual address is. Something like 2876e61e-cbab-4bfa-a1c5-dc3d465b0cd0.ddns.netgate.com would be just fine.

coreybrett

I would be fine with ZT support only being available in the pfSense Plus product, and that would be another selling point for the Netgate appliances vs the CE version.

occamsrazor

I waited for Zerotier support in pfSense for far too long.. but have mostly moved over to Tailscale now.

Things I like about TS more than ZT:

• It's just a lot more polished than ZT, both in the client apps and in the web admin interface.
• The implementation in pfSense seems very good to me, pretty much everything I need is exposed through the GUI.
• Setting up subnet routers is extremely user-friendly in TS... as in.. I actually managed to do it, whereas on ZT I found it way too confusing.
• TS Mac and IOS app store versions easily updateable through the store, standalone packaged TS version uses (I believe) Sparkle, but either way it's easy to keep updated whereas ZT still has no autoupdate mechanism. When you are managing a bunch of devices, that is useful.
• Taildrop file-sharing actually works very nicely.

Things I like about ZT more than TS:

• This is a big one for me - ZT is more of a Layer 2 solution, connections between devices really are as transparent as if they were connected to the same LAN switch. Critically, that means Bonjour/Zeroconf multicast DNS works, and Apple devices transparently pick up and see services on other devices, making Apple Remote Desktop (ARD) work seamlessly. Tailscale cannot do that at all.
• I like to keep things organized by IP address, and on ZT you can manually set address ranges, fix IP addresses, etc etc. On Tailscale you can't. You can use their MagicDNS to match by TS hostname, but it's not quite the same.
• I don't like the whole SSO using Gmail aspect of TS authentication. I know there's other methods for larger deployments, and it does work very well I've no issues with that. It just seems unnecessary to me.

If Tailscale supported Bonjour I'd have few reasons left to keep ZT but for now at least I plan to keep running both. I almost moved to OPNSense purely because of their ZT support but in the end just didn't want to deal with reconfiguring an entire router firewall from scratch. As per @coreybrett if there was a decent implementation of ZT in pfSense it would be a real selling point.
This is a somewhat old but nice general comparison: https://news.ycombinator.com/item?id=27491133

coreybrett

@occamsrazor How does the service cost of ZT vs TS work out for you?

I am looking for ZT support mainly for S2S links, and not mobile clients. I'm quite happy with OpenVPN for mobile clients.

The built-in Multipath support in ZT seems like it would be a killer feature for pfS.

occamsrazor

@coreybrett said in Where does pfSense fit into the SD-WAN market?:

@occamsrazor How does the service cost of ZT vs TS work out for you?

I am just a home user, my main use is remotely managing my home router/network and family members' computers when I am away traveling. And so the free plans of each service are sufficient for my needs, which makes the cost of both work out... just fine.

@coreybrett said in Where does pfSense fit into the SD-WAN market?:

The built-in Multipath support in ZT seems like it would be a killer feature for pfS.

Wow, I hadn't heard about that. So you could for example bond a laptop connected to multiple 4G modems into a single faster link to a remote ZeroTier computer and get faster transfer speeds?

coreybrett

@occamsrazor said in Where does pfSense fit into the SD-WAN market?:

Wow, I hadn't heard about that. So you could for example bond a laptop connected to multiple 4G modems into a single faster link to a remote ZeroTier computer and get faster transfer speeds?

Yes - https://docs.zerotier.com/zerotier/multipath/

They have several modes Active/Active, Active/Backup and so on. That's why I think it would be such a great fit for mesh style S2S links. I have 10 sites that I could connect together with one ZT network / interface per router. That would replace a mess of OpenVPN links.

A Former User

@harvy66 said in Where does pfSense fit into the SD-WAN market?:

Sounds more and more like "SD-WAN" is about a network that can dynamically change routing to min/max certain characteristics possibly based on conditions. This would require coordination among many routing devices to make sure the rules are honored.

It is exactly what I was finding out about it.

Main of SD-WAN
ZeroTier , netFlow and openFlow are the main points if
it goes to SD-WAN market and many big payers will be
chime in, as it looks like now and let us say some years
backwards, because some networks will growing fast
and become unending big or huge.

Connectivity Parts
Tinc, Stunnel and Tailscale will be one more part either for network internal and /or external connections.

Additional parts
Grafana, mono logtash and Elastic will be also nice on top
to view and see the entire network or parts of them and
what is going or more how it is going.

This are now the parts without much more and more manpower on the need and/or "setting it up manually"

Not really a part of SD-WAN but also network based
and not unimportant (behind the scene let us call it)
PRTG and something such or like Netgears NMS300
will be then together from older days you think but for
it comes all together and is enriching the other one(s)
and play nice together with them all.

This is the part with more or the normal manpower
for the entire network.

It all depends more on the needs, dimensions and
your own which`s or the companies capabilities.

Now lets see what can be pointed to pfSense according to the main question of this thread I mean.

I would not call it SD-WAN ready, but here and there it
is "on its way" regarding the following points;

softflowd is able to add

Monitoring with (grafana logstash mono elk stack
kibana prometheus) is not pfSense internal based.

tinc, stunnel and Tailscale are there, OpenVPN, WG
and IPSec are also on board.

So openFlow and netFlow might be the both entire
important parts here as I see it.

coreybrett

I would also love to see a central management feature added to pfSense. Managing my 10 units from a central control panel would be amazing. That would save me the hassle of maintaining DDNS and LE ACME across all 10 units (for 3 wans on each). Also sharing alias tables and firewall rules across all of them would be pretty cool. I would think some basic monitoring could be done as well.

I think Netgate has talked about such a product in the past, but I'm not sure if TNSR has changed the plans for pfS.

pimpmyrouter

I've just received the hardware for a SW-WAN service. It looks like a rebadged SG-5100 and this triggers me a little as it will sit next to my own SG-5100 as an extra single point of failure!

JKnott

@johnpoz said in Where does pfSense fit into the SD-WAN market?:

It gives any Joe the ability to think they know networking

hahaha - good one..

I can top that. A few years ago, one customer thought she knew more about networks than I did, because her husband had read some magazines. She was upset because I had connected my computer to the switch with CAT5 cable, after we had run in CAT6. She thought it would slow everything down!

rcoleman-netgate

@pimpmyrouter said in Where does pfSense fit into the SD-WAN market?:

I've just received the hardware for a SW-WAN service. It looks like a rebadged SG-5100 and this triggers me a little as it will sit next to my own SG-5100 as an extra single point of failure!

We're not an OEM so that is likely from our partner Lanner.

pimpmyrouter

Having had a SD-WAN service for 6 months, I'll summarise it...

This is a service that sits in front on my pfSense. There's one primary public facing IP address which the SD-WAN provider manages. We have 2x standard FTTC connections and one standby 4G connection, all feeding via modems into an aggregation box that the provider gave us, that is the same hardware as a SG-5100. Each connection could in extremis be fed into my SG-5100 with its own publicly addressable IP address if the provider fell down. Essentially, the provider tunnels all data from the primary IP address to their box over the 2 FTTC connections, doubling the max throughput for one connection to about 140mbps. There's some QoS magic but the packets just arrive.

So what we get is double the throughput (not the same as load balanced WANs which can't use both connections for the same download), failover resilience, and above all a consistent external IP address for our OpenVPN server, independently of which physical last mile connections are active.

I have no doubt it would be technically feasible to run our client end on the same SG-5100 unit under a pfSense package, and that would reduce the power consumption and potential for failure, but (a) that's unlikely, and (b) you'd still need a very redundant and resilient gateway somewhere else to create these tunnels.

So pfSense can't really compete, unless something else was running the external gateway ...such as Cloudflare Tunnels.

michmoor

@pimpmyrouter Yep agreed.
SDWAN and Multi-WAN(with tiers) just isnt the same thing.
But i dont think pfSense is meant to be in the SD space anyway.