Netgate Discussion Forum
    Where does pfSense fit into the SD-WAN market?

General pfSense Questions
24 Posts, 12 Posters, 28.4k Views
coreybrett @Hampy

@hampy
I agree with everything you said. I think the term "SD-WAN" has very little technical meaning. I've been extremely happy with pfSense over the years. I have 4 CE boxes and 13 Netgate units. I've been using OpenVPN S2S links to connect them all together in a hub-spoke style, but it seems a bit hacky to me. I would much prefer a true mesh style of interconnect. I looked at Tinc for a little while, but it didn't seem like something I really wanted to put into production. I've also looked at WireGuard/Tailscale, but that doesn't really appeal to me either.

The thing I would really like to see is ZeroTier support added into the core product. Only a minimal implementation would be necessary: just the ability to join an existing network (which would create an interface) and a textbox that JSON could be copied into for the ZT config. I would not want to run a ZT controller on my firewall anyway. This would allow for a true mesh VPN between multiple pfS boxes, and ZT has multi-WAN abilities built in.

The other wish list item I have is a Netgate-operated DDNS service that would work with the ACME package. I wouldn't really care what the actual address is. Something like 2876e61e-cbab-4bfa-a1c5-dc3d465b0cd0.ddns.netgate.com would be just fine.
coreybrett

I would be fine with ZT support only being available in the pfSense Plus product, and that would be another selling point for the Netgate appliances vs the CE version.
occamsrazor

I waited for ZeroTier support in pfSense for far too long... but have mostly moved over to Tailscale now.

Things I like about TS more than ZT:

• It's just a lot more polished than ZT, both in the client apps and in the web admin interface.
• The implementation in pfSense seems very good to me; pretty much everything I need is exposed through the GUI.
• Setting up subnet routers is extremely user-friendly in TS... as in... I actually managed to do it, whereas on ZT I found it way too confusing.
• TS Mac and iOS App Store versions are easily updatable through the store; the standalone packaged TS version uses (I believe) Sparkle, but either way it's easy to keep updated, whereas ZT still has no autoupdate mechanism. When you are managing a bunch of devices, that is useful.
• Taildrop file sharing actually works very nicely.

Things I like about ZT more than TS:

• This is a big one for me: ZT is more of a Layer 2 solution, and connections between devices really are as transparent as if they were connected to the same LAN switch. Critically, that means Bonjour/Zeroconf multicast DNS works, and Apple devices transparently pick up and see services on other devices, making Apple Remote Desktop (ARD) work seamlessly. Tailscale cannot do that at all.
• I like to keep things organized by IP address, and on ZT you can manually set address ranges, fix IP addresses, etc. On Tailscale you can't. You can use their MagicDNS to match by TS hostname, but it's not quite the same.
• I don't like the whole SSO-using-Gmail aspect of TS authentication. I know there are other methods for larger deployments, and it does work very well; I've no issues with that. It just seems unnecessary to me.

If Tailscale supported Bonjour I'd have few reasons left to keep ZT, but for now at least I plan to keep running both. I almost moved to OPNsense purely because of their ZT support, but in the end I just didn't want to deal with reconfiguring an entire router/firewall from scratch. As per @coreybrett, if there was a decent implementation of ZT in pfSense it would be a real selling point.
This is a somewhat old but nice general comparison: https://news.ycombinator.com/item?id=27491133

pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
Ubiquiti UniFi wired and wireless network, APC UPSs
Mac OS X and iOS devices, QNAP NAS
coreybrett

@occamsrazor How does the service cost of ZT vs TS work out for you?

I am looking for ZT support mainly for S2S links, and not mobile clients. I'm quite happy with OpenVPN for mobile clients.

The built-in multipath support in ZT seems like it would be a killer feature for pfS.
occamsrazor @coreybrett

@coreybrett said in Where does pfSense fit into the SD-WAN market?:

@occamsrazor How does the service cost of ZT vs TS work out for you?

I am just a home user; my main use is remotely managing my home router/network and family members' computers when I am away traveling. And so the free plans of each service are sufficient for my needs, which makes the cost of both work out... just fine.

@coreybrett said in Where does pfSense fit into the SD-WAN market?:

The built-in multipath support in ZT seems like it would be a killer feature for pfS.

Wow, I hadn't heard about that. So you could, for example, bond a laptop connected to multiple 4G modems into a single faster link to a remote ZeroTier computer and get faster transfer speeds?

pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
Ubiquiti UniFi wired and wireless network, APC UPSs
Mac OS X and iOS devices, QNAP NAS
coreybrett @occamsrazor

@occamsrazor said in Where does pfSense fit into the SD-WAN market?:

Wow, I hadn't heard about that. So you could, for example, bond a laptop connected to multiple 4G modems into a single faster link to a remote ZeroTier computer and get faster transfer speeds?

Yes - https://docs.zerotier.com/zerotier/multipath/

They have several modes: Active/Active, Active/Backup and so on. That's why I think it would be such a great fit for mesh-style S2S links. I have 10 sites that I could connect together with one ZT network / interface per router. That would replace a mess of OpenVPN links.
A Former User @Harvy66

@harvy66 said in Where does pfSense fit into the SD-WAN market?:

Sounds more and more like "SD-WAN" is about a network that can dynamically change routing to min/max certain characteristics, possibly based on conditions. This would require coordination among many routing devices to make sure the rules are honored.

That is exactly what I was finding out about it.

Main parts of SD-WAN
ZeroTier, NetFlow and OpenFlow are the main points if it goes to the SD-WAN market, and many big players will chime in, as it looks like now and, let us say, some years back, because some networks will grow fast and become endlessly big or huge.

Connectivity parts
Tinc, Stunnel and Tailscale will be one more part, either for network-internal and/or external connections.

Additional parts
Grafana, mono, Logstash and Elastic will also be nice on top, to view and see the entire network or parts of it, and what is going on, or more how it is going.

These are now the parts without much more and more manpower on the need and/or "setting it up manually".

Not really a part of SD-WAN, but also network based and not unimportant (behind the scenes, let us call it):

PRTG and something such as or like Netgear's NMS300 will then be together from older days, you think, but for it comes all together and is enriching the other one(s) and plays nicely together with them all.

This is the part with more or the normal manpower for the entire network.

It all depends more on the needs, dimensions and your own wishes or the company's capabilities.

Now let's see what can be pointed to pfSense according to the main question of this thread, I mean.

I would not call it SD-WAN ready, but here and there it is "on its way" regarding the following points:

softflowd is able to add

Monitoring with (Grafana, Logstash, mono, ELK stack, Kibana, Prometheus) is not pfSense internal based.

tinc, stunnel and Tailscale are there; OpenVPN, WG and IPsec are also on board.

So OpenFlow and NetFlow might be both the entirely important parts here, as I see it.
coreybrett

I would also love to see a central management feature added to pfSense. Managing my 10 units from a central control panel would be amazing. That would save me the hassle of maintaining DDNS and LE ACME across all 10 units (for 3 WANs on each). Also sharing alias tables and firewall rules across all of them would be pretty cool. I would think some basic monitoring could be done as well.

I think Netgate has talked about such a product in the past, but I'm not sure if TNSR has changed the plans for pfS.
pimpmyrouter

I've just received the hardware for an SD-WAN service. It looks like a rebadged SG-5100 and this triggers me a little, as it will sit next to my own SG-5100 as an extra single point of failure!
JKnott @johnpoz

@johnpoz said in Where does pfSense fit into the SD-WAN market?:

It gives any Joe the ability to think they know networking

hahaha - good one..

I can top that. A few years ago, one customer thought she knew more about networks than I did, because her husband had read some magazines. She was upset because I had connected my computer to the switch with CAT5 cable, after we had run in CAT6. She thought it would slow everything down!

pfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
rcoleman-netgate (Netgate) @pimpmyrouter

@pimpmyrouter said in Where does pfSense fit into the SD-WAN market?:

I've just received the hardware for an SD-WAN service. It looks like a rebadged SG-5100 and this triggers me a little, as it will sit next to my own SG-5100 as an extra single point of failure!

We're not an OEM, so that is likely from our partner Lanner.

Ryan
Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
Requesting firmware for your Netgate device? https://go.netgate.com
Switching: Mikrotik, Netgear, Extreme
Wireless: Aruba, Ubiquiti
pimpmyrouter

Having had an SD-WAN service for 6 months, I'll summarise it...

This is a service that sits in front of my pfSense. There's one primary public-facing IP address which the SD-WAN provider manages. We have 2x standard FTTC connections and one standby 4G connection, all feeding via modems into an aggregation box that the provider gave us, which is the same hardware as an SG-5100. Each connection could in extremis be fed into my SG-5100 with its own publicly addressable IP address if the provider fell down. Essentially, the provider tunnels all data from the primary IP address to their box over the 2 FTTC connections, doubling the max throughput for one connection to about 140 Mbps. There's some QoS magic, but the packets just arrive.

So what we get is double the throughput (not the same as load-balanced WANs, which can't use both connections for the same download), failover resilience, and above all a consistent external IP address for our OpenVPN server, independently of which physical last-mile connections are active.

I have no doubt it would be technically feasible to run our client end on the same SG-5100 unit under a pfSense package, and that would reduce the power consumption and potential for failure, but (a) that's unlikely, and (b) you'd still need a very redundant and resilient gateway somewhere else to create these tunnels.

So pfSense can't really compete, unless something else was running the external gateway... such as Cloudflare Tunnels.
michmoor (LAYER 8, Rebel Alliance) @pimpmyrouter

@pimpmyrouter Yep, agreed.
SD-WAN and Multi-WAN (with tiers) just isn't the same thing.
But I don't think pfSense is meant to be in the SD space anyway.

Firewall: Netgate, Palo Alto-VM, Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: UniFi, Aruba IAP
JNCIP, CCNP Enterprise

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.