Share your pfSense stories!
-
Dell R430 with 32GB RAM and a RAID1. Running Server 2016 Core Hyper-V with Veeam backup. 2x failover PPPoE WANs supplying the network in failover gateway mode. Snort and pfBlockerNG installed. We have been running pfSense for some time. The R430 is a nice chassis but noisy.
Currently on 2.4.5, as it is a Gen2 Hyper-V VM which won't play nicely with a 2.5.x upgrade (boot loops), so I'm waiting until I get a decent-sized maintenance window to park the VM, create a fresh Gen1 VM and restore from backup.
-
Protectli Vault FW4B with pfSense v2.5.2. Running pfBlockerNG, Snort, and Squid. Zero issues. I must say that I'm pretty impressed with the Protectli Vault build quality. The case is one solid piece of aluminum with cooling fins on top of it. You can literally run this unit over with your car and it won't be damaged. It is that solid. Oh, and it's completely silent, since there are no moving parts.
The only issue I had is that my DSL modem power adapter decided to die on the same day the Protectli box arrived. For some strange reason, the faulty adapter on my DSL modem caused the Protectli box to behave strangely. That misled me to believe there might be some issue with the box or the pfSense software. It took me a few days to figure out that the power adapter was the issue. As soon as I replaced it, all the issues I had been experiencing were gone.
-
'pfSense is the cosmic belch among network devices.' That's how a friend, a Fortinet trainer, described it to me 8 years ago. I never stopped using it since then, in VMware ESX, Hyper-V and VirtualBox.
Nice that it has the .xml backup and restore features. That's an OS I can't stop recommending in IT encounters.
Flawless, lightweight, huge, capable... BSD? Wow! Too bad I rarely got an answer from the Netgate forums. I enjoy reading anyway.
-
@nimrod
Your last bits about power. I'd bet that the power supply on the DSL box was causing issues with the ethernet devices, causing link to bounce at least as far as pfSense was concerned. But it's a good reminder that the order of debugging should always be:
1. Physical connectivity (are my cables actually plugged in and are they good)
2. Power is stable and good
Then you can get to the "what did I muck up in my rules" and other complex things.
-
@mer said in Share your pfSense stories!:
@nimrod
Your last bits about power. I'd bet that the power supply on the DSL box was causing issues with the ethernet devices, causing link to bounce at least as far as pfSense was concerned. But it's a good reminder that the order of debugging should always be:
1. Physical connectivity (are my cables actually plugged in and are they good)
2. Power is stable and good
Then you can get to the "what did I muck up in my rules" and other complex things.
I agree. But since I was new to pfSense, I was suspecting the hardware at first (Protectli), or some hidden option in pfSense which I was missing. I guess you can say that a power adapter issue is not that common, especially if it's "working" partially. It would be much easier to troubleshoot if the power adapter had just died. But it was dying slowly, and the voltage was dropping slowly, and that's what made it tricky to find. If I didn't have my trusty multimeter, I would never have figured that out.
However, since replacing the power adapter, pfSense is working like a charm. ZERO issues with it. It's actually working so well that it makes me feel kinda guilty for using it for free. There are paid solutions out there that can't get even close to what pfSense is offering. My next device will definitely be a Netgate device, because these guys deserve all the support and respect for their work. And this forum/community is awesome. I'm on these forums every day, reading all the posts from @johnpoz and @stephenw10 and learning a lot by just reading. They are super active and willing to help everyone. That is rare these days.
-
@nimrod Agree on the Netgate hardware and the folks on this forum. Of course "it would be nice if the hardware was cheaper", but having a few, they are a solid build for the price point.
-
So I have been posting a few questions in the forums, but as of right now I am really happy with the setup. I will of course tweak it some more in the future but this is such an improvement over what I had. Now for the story.
In a galaxy far far away....oops wrong story.
In my little office in South Florida lives an electrician who worked on a lot of IT stuff, mainly structured cabling, fiber and things like that. When not dealing with 3 phase motors or 277 volt light fixtures, I did Low Voltage. For years and years. I remember thinnet and thicknet, Type 9 and when Cat 5 on Ethernet was becoming a big deal. I was dealing with OS/2 Warp and RISC. In my office was Windows Me and I hated it. Blue screen constantly. Some friends from IRC would talk about FreeBSD. So I decided to give it a try and loaded FreeBSD 4.4 on my home computer. I used it as a desktop. And loved it. Window Maker, Opera, Aterm, OpenOffice, Gimp, and dockable icons. I was happy. Now I am running servers, not a major operation. I am just an electrician. I don't want my stuff on the cloud. I am in the field a lot, I don't get to spend as much time trying to learn outside of my clients' operations as I would like. And time is often the enemy on what I can do.
In my latest location for my office, I had to set up with a Linksys LT214 router. Not bad but very limited in the rules.
I wanted to get away from IPFW, iptables, and IPF because they caused me to drink to deal with the migraines caused by those pieces of software. Don't get me wrong, I love the command line, but those programs are not always easy to work with. My bartender... er, therapist will confirm.
I had some old equipment: an old Supermicro case with a fried motherboard. I bought a new one with 6 1000+ Mb NICs, a 3.5GHz CPU and 8GB of RAM, some fans, a CF card reader and a 4 GB CF card. Some of these were just spare pieces I had laying around. Some of these were items I purchased last year in the hopes I would get to it. That didn't happen. Between pandemics, pandemonium, and sheer panic I was plenty busy.
So eventually I would just have to abandon family and friends to spend some time putting my Frankenstein monster together. Double-sided tape is your friend. I stayed in contact with the people who actually matter, Discord and the support forums, along with many YouTube videos and upping my Google-fu.
Now I have a firewall with a DMZ for public IP servers, and an office on a LAN. The ability to serve pages, store info, to be able to SSH into my servers and block the hell out of a lot more than 50 IP addresses that are constantly trying to see if I have an open port they can take advantage of. Thank you pfBlockerNG.
I will probably be able to cut my virtual therapy sessions to twice a month instead of twice a week, at least until my daughter starts dating but that is a whole different story.
Thank you for your time. Have a beautiful day.
-
Mine is an unusual situation. I have for years been using an ASA5550 I picked up used probably 8 years ago. I had access to the firmware for that platform and it's what we used at work, so I could sometimes try things out at home. The thing was a tank. It was good for 1Gbps from LAN->WAN but had to share backplane from LAN->GUEST or LAN->ISOLATION (my workbench equipment), but that was fine for my needs. The two built-in remote access VPN connections were enough for my needs and naturally it was fine for building S-2-S IPsec VPNs. It ran non-stop for all those years unless the power was out. Just rock-stable and reliable gear.
But with each year after it went EOL/EOS it became harder to keep it up. The issues with Java and all the security settings with the old ASDM GUI and later with browsers making TLS 1.1 a major PITA it was getting very involved to get into the GUI anymore. Sure, it has a rocking CLI but I'm visual and prefer seeing related parts of config. It's also a major electrical load to run every day every hour on top of my two other managed switches. I decided it was time to part ways with her.
I looked into Cisco gear again and the FP1100, but the price is just astronomical, plus the requirement to pay yearly for every feature you want. That was a solid "no". Fortinet, SonicWall, and Sophos were others I looked at too, but all would be locking me into some level of subscription and they are pretty pricey still for real 1Gbps throughput on all the inspections. I decided to take another look at pfSense to see how it had come along since I last saw it a decade ago.
That brought me to the Netgate hardware and it didn't take long to decide. I settled on the 4100. The features needed were there, the interface was pretty nice and feature-rich (vs the UniFi Dream Machine I was considering) and the specs looked really good. Everything I was doing on the ASA could be done here and in a smaller, quieter, lower-power setup. I waffled between the 6100 and 4100, but I think this is already overkill for my home network needs.
Watched a few videos to get up to speed after ordering and my equipment arrived in 2 days. It took me about 4 hours to get basic setup in place and get it put in parallel with the ASA. Worked immediately and with a few tests done I went ahead and swapped it into place on the internal network. Most of the family had no idea it even happened. Another 4 hours and I had most of my other networks grafted onto it.
Day two and I had incoming port forwards done. Certificate setup done. OpenVPN working, single-pipe traffic limiting on my guest network and per-ip traffic limiting on my internal network. I have a plan for setting up a site-2-site VPN with a friend in another city to allow remote backup to an off-site NAS. This I will probably use a Netgate 1100 to implement.
So far I am impressed with this platform and software. I think a little more documentation in the box would be nice, and with an ASA background figuring out if I really want some of the "we did that for you" items can be a little bit hard, but I really have no major negatives. There are aspects of the ASA, CLI, and ASDM GUI that I will miss, but not many. This is FAR FAR more intuitive to set up and VPN is a complete snap by comparison. Over a decade and Cisco ASA VPN is still a nightmare to set up and admin. I was happy with how quickly I could get each new feature bolted into place.
Impressive project and product. Nice to see an open source project go this long and mature this well AND not be arcane. Kudos and I feel I made a really solid choice if the hardware lasts and the updates are solid.
AT&T Fiber Internet
2 C3750-X 48 port full PoE switches w/routing (1 home, 1 outbuilding)
1 Netgate 4100
4 Main subnets (Internal, Guest, Shop, Isolation)
3 Wireless APs.
16 to 24 connected devices average.
Work from Home office in the Shop building.
-
Hello all. Before anything, I want to start by saying my English is not very good, but the things I can do with pfSense are really good, and that is thanks to this magnificent software and a great community. I have been using pfSense since 2007; I was coming from the ASTARO community edition. Now I manage ~12 pfSense servers across the network at my job. One of the most challenging things I have done was scripting some bash and PHP jobs to copy the ACME cert to some of my internal pfSense boxes with no internet access, and for this reason I can validate the domain. I miss some removed additional packages like mail relay.... I would like something like a control center in pfSense, like the Astaro Control Center; yes, I remember I used to manage all my appliances from a single console, share aliases and objects, build IPsec tunnels between some appliances and monitor everything from one location. I have never had a security incident on my network involving pfSense; it is very, very good. The recovery on failure is really fast, the web GUI is complete, and I want to thank all the people who are making this possible.
-
I want to build a Raspberry Pi stratum 1 NTP server and use it with pfSense.
I just need this part...
Does anyone else use a stratum one NTP server?
-
@JonathanLee said in Share your pfSense stories!:
Does anyone else use a stratum one NTP server?
I use 3 of them, but they're public, not my own. This provides stratum 2 to my LAN.
-
I think my first pfSense install was on an AMD K6-233 homebuild that I had in a cool Cisco-green AT case, 3x 10Mb NICs. Had been running a floppy install of Smoothwall previously.
Second was an old Nokia IP530 Check Point box I was given by my old MIS boss around 2010. Still on the shelf, runs v. 1.2.3. As I recall, it was around $16K new, P3-700/512MB, which I upgraded to a P3-1000 and a gig. Could boot both Nano from CF and Gmirror from HDD.
Documented here: ip530
Third was a retired StoneGate SSL appliance with a VIA 1000MHz proc and a gig of RAM plus 4 Realteks, and absolutely the SLOWEST 4GB SSD (2004 tech).
Fourth, I finally went VM on Server 2012R2, built when 32 bit was dropped after v. 2.3.5. Still kept as backup.
Fifth and current is a total overkill Adlink MXE-5401 with a Gen4 i7, 16GB, 64GB industrial SSD and a 500GB laptop drive for logs. The MXE was a $2K box when new and I got it on eBay for $65. Still only pulls 25W and runs at 800MHz most of the time, and only had 4.5 years of operating time according to the BIOS. Barring a lightning strike, it will likely last longer than I do.
-
After many years of owning garbage consumer-grade routers that had horrible security, little customization, poor performance, and terrible stability, I began looking at OpenWRT and some other firmwares, then found an article about pfSense and it seemed like it would be worth a shot. I tried it initially on a very old Core 2 Quad board with an Intel NIC and after about a week I decided this was gonna be my new router. So I did a little research and found an incredible deal on a Lenovo ThinkCentre M700 Tiny with an i5-6500T and 8GB DDR4 for the low low price of $75, and all I needed to add was an SSD which I already had. I also removed the wifi card and replaced it with a Gigabit LAN adapter so it would have two gigabit ports. I then got it installed and it's been great for the past year.
In fact, pfSense has been so good with zero crashes and great speed that I kinda just stopped checking in on it until yesterday, when I noticed there was a big update a while back, and I will likely install it later tonight.
What also caught my attention was the uptime. If that isn't a great indicator of stability, I don't know what is.
-
@Andrew-LB said in Share your pfSense stories!:
What also caught my attention was the uptime. If that isn't a great indicator of stability, I don't know what is.
Once you get away from Windows, that's the norm. pfSense is built on FreeBSD, a Unix-type system, just like Linux. Over the decades, there have been many stories about Netware or OS/2 servers that just keep on running. If pfSense fails, it's likely a hardware issue. That's certainly my experience, when the only time it failed for me was because the computer I was running it on died.
-
This guy takes the cake.
-
@nimrod said in Share your pfSense stories!:
This guy takes the cake.
I suspect it's about due for an update.
Several years ago, I heard about a Novell Netware server that nobody could find. It had been walled in and nobody noticed it, because it just kept on working. Windows got us into the expectation computers are supposed to have problems. I used to be an OS/2 product specialist at IBM Canada. I provided 3rd level OS/2 support, as well as some apps on OS/2, Windows 95 and NT. I was also on the team that built standard systems for IBM Canada employees. There were very few problems on OS/2, some on NT and lots on W95. Years before I started at IBM, I was a computer tech, working on Data General Eclipse computers, VAX 11/780s and others. Again, they were very reliable.
-
@nimrod I have 3 routers getting close... @ version 2.5.1.
-
@JKnott said in Share your pfSense stories!:
Data General Eclipse computers, VAX 11/780s and others. Again, they were very reliable.
Ditto, same experience. Unfortunately, technical superiority does not guarantee success. I miss VMS & VAXELN. I'm glad Dave Cutler tried to set MS on the right path with NT - too bad it went sideways for a while.
-
@MaxK-0 said in Share your pfSense stories!:
I miss VMS & VAXELN.
The problem is technology moves on. I recall reading an article that said the new Intel 80386 CPU was as powerful as a VAX 11/780. I then realized I was working in a dying industry. A typical personal computer is far more powerful than those VAX computers were.
-
@JKnott said in Share your pfSense stories!:
Over the decades, there have been many stories about Netware or OS/2 servers that just keep on running.