Netgate Discussion Forum

    Share your pfSense stories!

    General pfSense Questions
• jdillard

      This thread is meant to be a place for you to share your stories involving pfSense.

      You can share implementations, specs, configurations – the idea is to help others gain insight and help them take design elements based on real implementations.

      So, what is your case study?

      Thanks to several people including Snailkhan, FlashPan, and jonesr for getting the idea going. I'll try and fill this description post out more in time.

• Blade Runner

My goals were a reliable internet connection and a router that could handle torrents. Nothing worse than seeing that yellow caution icon without an internet connection. I overloaded two Asus routers with torrent activity. It was almost two months before determining the cause of my internet woes was the combination of consumer-grade router hardware and firmware with torrent activity. I considered Cisco, SonicWall, ZyXEL USG40/40W, Sophos, OPNsense before opting for pfSense. I wanted to configure the router to send traffic through a VPN with PIA. I have server-grade motherboards and compatible RAM for a pfSense device so it made a tough decision somewhat easier. I didn't want either Linux-based firmware or 'another computer'. I have structured wiring which means wireless is not a concern. I do not wirelessly stream video or games. Wired clients are 5 HTPC, 2 HDTV, 4 WDTV boxes, server, tablet, NAS and PC equipment. Wireless clients are smartphones.

        Specs
        M/B: Supermicro X8SIA-F
        CPU: Xeon X3470
        RAM: 16GB ECC
        HDD: WD Blue 250GB
        WAP: Asus RT-N56U

        Configuration
        Snort
        pfBlockerNG
        Squid3

I'm still learning about packages and considering Suricata. I haven't done anything elaborate with configuration.

        I will be upgrading to Supermicro A1SRM-2758 with 8GB RAM to take advantage of features such as AES-NI and Quick Assist Technology for VPN.

        Do not be afraid to fail.

• jdillard

          Thanks Blade Runner!

          I'll go ahead and cross-post this "case study" /u/sysvival posted over on the pfSense subreddit a while back to keep the ball rolling:

          https://www.reddit.com/r/PFSENSE/comments/1mk54f/building_an_enterprise_network_using_pfsense_and/

          It's a great read.

• jdillard

            Here is another of someone replacing all of their remote Meraki devices with SG-2220s. They also had a MX90 at corporate and have replaced that with an SG-4860.

            https://www.reddit.com/r/PFSENSE/comments/42syzb/bye_bye_meraki/

• jonesr

              I'm repeating myself from the comment jdillard referenced:

Myself, I have worked in IT for a decade+ and have used pfSense for 8ish years. Until three years ago I was working for SMBs and what I do at home puts the earlier IT company employer's infrastructure to shame. Now I work in the IT department for a school and get excited whenever my boss mentions he is considering pfSense, after my strongest recommendations.

I think I started out with pfSense for similar reasons to Blade Runner; my ISP-supplied modem/router would just freeze up if I "used too much internet". I would say I was one or two steps above absolute novice at the time, so my appreciation for pfSense beyond the usual it's free/high quality/comprehensive features/expandability comes from how it made me want to try new things for the sake of it, improve my knowledge and learn new skills.

I used pfSense a fair bit when I worked at an IT training company. I delivered CompTIA's Network+, Security+ and Server+ and ended up replacing most of the labs in the training materials with pfSense equivalents; the students loved it. One in particular said to me in a breathless whisper "We pay £1000's for X and this thing does everything it can do and more".

              pfSense AMD64 VGA - Assume latest version.
              Suricata, pfBlockerNG, SquidGuard, squid3.

• jdillard

                Thanks jonesr, it's great to hear stories of people growing their careers alongside pfSense!

Here is another story from /r/pfsense where he replaced a Cisco ASA with an SG-2440 (coincidentally during the IKE vulnerabilities) with plans to replace more: https://www.reddit.com/r/PFSENSE/comments/45hw1t/out_with_the_old_and_in_with_the_new_i_received/

                Here is some backstory where he asked if pfSense would be a good fit for his needs: https://www.reddit.com/r/PFSENSE/comments/45asyu/convert_from_an_asa_5505_ipsec_vpn_to_pfsense/

• maverick_slo

                  Hi guys!

                  OK so I got inspired (for a little write-up) and want to share my experience with pfSense.
I'm working for a company whose primary focus is IT security. 10 employees, nothing fancy.

So I started with Coyote firewall back in 2004, implemented it also in the company in 2006 and it worked for half a year. Needs were growing so I decided it's time to move on. I picked up a spare box and loaded a few things up. I was choosing between monowall, smoothwall and ipcop. I settled with Smoothwall in the end. It is a cool project but was lacking more advanced options and additional network segments (they only have green, orange, purple and red, oh and also blue).
Then after a few years I decided to try pfSense.

FreeBSD was new to me but yet similar to Linux so I kind of managed to get things going. Major drawback (and also huge favour I did to myself) was hardware support. My Dlink and Realtek and some other crappy NICs just wouldn't work. Some did but performance was awful. So I decided to get some Intel gigabit NICs and ever since no more problems AT ALL in this area. Important lesson learned here.  8)

I think I started with version 2.X back then in 2012 and since then I haven't moved to another product, neither at home nor at work. Hardware was supported quite well so no problems in this area. Now it's naturally only better and 2.3 is really outstanding not only in this but also in other areas.

I'm running 8 internal networks, dual WAN, Snort, Squid, using aliases, VLANs, IPsec site2site, OpenVPN for mobile clients, you name it… On a 200€ box.

                  But what is truly amazing here, are the developers and community. People are helping each other, ideas are accepted, devs are reachable and things get fixed really and I mean reaaaaly fast. This is the true strength of this great project. Good product+good devs+awesome community = :)

                  I think that I have resolved every single problem I had with the help of the forum members and alongside gained A LOT of knowledge and very important practices and principles of networking.

So in a nutshell, I was looking for a product that can replace Smoothwall and I found a top product with an awesome community :)

                  So this is it, I apologize for spelling errors etc. as English is not my primary language, and I hope I helped someone with this post :)

                  See you on forums :)

• jdillard

                    Here is another well written story that was shared on reddit about replacing an ASA with pfSense:

                    https://www.reddit.com/r/PFSENSE/comments/4dcg9l/success_story_replaced_an_asa_with_pfsense/

• fictionedge

I've been using pfSense for about 4 years now with 3 machines and stopped upgrading after 2.1.5 because of the errors with the Squid packages.
Finally I've installed the latest version from scratch and some of the problems I had with https sites have been solved and it's a lot faster.
I'll be doing the same thing to the other 2 proxies.

• that one guy

So I decided to upgrade my security for my home network and build a router.
Installation went great, setup seemed to go smoothly as well, until I tried to get out to the internet.
The pfSense box will ping numerous websites so I know it's working with my modem.
Accessing it from my computer to work with the GUI works perfectly too. I set everything up and tried to access the world wide web and nothing happens. Checked my rules and everything seems fine.
So then I started reading countless posts trying to find if I had set anything up incorrectly. I spent hours reading through this forum. I even ended up watching hours of setup videos that gave exactly NO information on writing permissions for web access.
The small handful of posts and vids that actually showed someone writing permissions I copied exactly. Still no internet access.
I've gone as far as re-configuring my NICs, changing IP addresses and the results are always no external internet access.
Finally I lost connection to the GUI and that's the final straw.

I will not be using this software. I have spent days messing with this easy to use system and have grown tired of hearing its name.

• chpalmer

@that:

> so I decided to upgrade my security for my home network and build a router.
> installation went great, setup seemed to go smoothly as well, until I tried to get out to the internet.
>
> videos that gave exactly NO information on writing permissions for web access.
> I will not be using this software. I have spent days messing with this easy to use system and have grown tired of hearing its name.

Since you used your first post to complain about the product one has to assume your intent was nothing more than to come here and troll. pfSense comes out of the box ready to access the web. If you set up your client for DHCP and still had problems, the normal person would have asked around as to why it didn't work when over 100k other installs work so flawlessly. Including every install I've ever done.  If you decided to set your client static, how did you set it? You could have made an error there.

                          My guess is that you immediately started changing settings with no real understanding of how to do so. But decided not to ask any questions for yourself or describe in a better place such as the general forum tab.

And videos: this forum and commercial support are the only official places for obtaining support. If you are on YouTube looking for someone to show you how, you never know the level of skill or if that person has any real clue about what they are talking about.

                          Thus my belief that this is simply a troll.  Please prove me wrong.

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

• ismaelz

I've been hearing and reading about pfSense for about 3 years, which started because the IT administrator at my school accepted my request to have a look at their firewalls and server setup out of sheer curiosity, where I saw their Untangle firewall and started doing my own research with old hardware and virtualization.

My Asus RT-N66U followed by an EdgeRouter Lite served me well, but about a month ago I took the plunge after a long power cut at home and installed ESXi on a laptop I had lying around and wasn't using (Toshiba Tecra R950-11F) and put pfSense on it. It took some screwing around to understand VLANs on my managed switch and to run my laptop as a router with a single ethernet port, but it all worked out in the end.

My setup:
- Modem on UniFi switch port 1
- Laptop on switch port 2
- Everything else, including 3 UniFi access points, on the remaining ports

                            100/6 internet connection

                            The setup took care of a 30+ device LAN party thanks to some simple flexible traffic limiters. Had 7 different steam downloads going at one point without a hitch or any interference with browsing and other streaming.

                            I'm sure I'm not doing this in the most power efficient and sensible way, and the laptop I'm using is definitely overpowered for this sort of stuff, but I've always loved experimenting with these things.

• NetworkGuy

I had gone through my share of off-the-shelf firewall and router products, the stuff you can buy at Wal-Mart, all the way through to small Checkpoint and Netscreen products. All of them were less than satisfactory in one way or another. Some were cheap and it showed, others were expensive to acquire and maintain. None of them met my evolving needs. The open source stuff was kinda rough at the time, and I tried a few, but there was always something that hit me wrong. However, growing up on System V, I always had an attraction to the simplicity and power of Unix. Generally, my opinions of other OSes of the time were: Linux was a coagulation of shareware atop a Windows-like kernel and Windows itself was the devil. So, it all started for me with a Supermicro Intel D510 M/B, FreeBSD 7, an Intel 1G multiport NIC and pf, and I "rolled my own" for many years. Between 100-200Mb of blazing port-to-port throughput served me well for a long time!

                              Then, the long awaited pfSense 2.0 changed my life. The pf and FreeBSD tools I knew and loved, all bundled together in a reasonably fashionable and logical UI, and I've had no reason to change my mind yet.

Today, that same Intel D510 is a Stratum 1 time source, one of several. Supermicro and Intel are still my M/B and processor choice for all things. I've opened my mind a bit and embraced Linux for those things it's good for, ousted Windows in favor of OS X/macOS unless absolutely necessary, and FreeBSD is the basis for almost all my critical server needs, most of which run on top of VMware ESXi hypervisors, managed by VMware vCenter.

My pfSense build as it runs today:

Hardware:
- Supermicro X9SCL+-F
- Intel E3-1230v2
- Intel i350-T4 for 2 WAN interfaces
- Chelsio T520-SO-CR for all LAN-type interfaces (12 VLANs total)

Software:
- VMware ESXi 5.5
- pfSense 2.3.4_1

Services:
- Multi-WAN
- Avahi
- DHCP
- DNSMASQ
- NTP
- OpenVPN
- FreeRADIUS
- Snort

And while I don't have facilities to test the throughput capabilities of the 10G ports (the 10G interfaces are for aggregation of multiple 1G VLANs) or all ports simultaneously, VLAN-to-VLAN 1G throughput is a non-issue with a few rules in place, and I'm certain sustaining this level of performance over several interfaces simultaneously is a reality. Additionally, 100+Mb of OpenVPN throughput (WAN links are 100Mb and 150Mb each) is a reality.

For those concerned about pricing, this particular hardware build, and most of my builds frankly, have been and are "Frankensteins". The latest hardware iteration available is never a good choice; 1 or 2 hardware generations previous is fairly safe, older hardware, safest of all. I've enjoyed great success and trouble-free operation with a collection of both new and used hardware. I buy spares for 10-25% of the cost new for most wear items (fans, disk drives, etc.). CPUs, by and large, are indestructible, but do need to be handled carefully. Same for quality motherboards and NICs. Memory and hard drives, similar to CPUs: handle with care and buy spares. Virtualization minimizes hardware requirements, and makes things very easy.

                              The D510 was quiet, and I have had silent, low-power builds when needed. They are do-able and completely satisfactory. Just know that life is all about compromises, and silent/cool will almost always compromise performance in some way.  Luckily, I have space and the environmental control to not worry about heat and noise now, so I don't.

                              Virtualization: Technological godsend. Makes upgrades, experimentation, mistakes, errors, and the occasional brain fart much easier to overcome. Snapshots and reversion are your friend. Type 1 is best, Type 2 will do if that's all you have. I know. I've done them both. Performance on Type 2 is 50% of Type 1. Type 1 is 97% of bare metal, mostly indistinguishable.

Security as it relates to pfSense and virtualization: Don't "share" physical pfSense interfaces with other VMs, or vSwitches, as the temptation will be there. Figure out another way; this falls under the "Don't do silly things with virtualization" rule. Other than that, the standard mantra applies. Less is always more. Fight for every rule. Remember pf doesn't allow anything to pass, by default, on an interface. Any rule added is a potential security hole.

                              I'm still very satisfied after many years. What other products can I say this about? Too damn few. Great job pfSense folks!

• robi
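As an added illustration of the default-deny principle in NetworkGuy's post (this is not code from the post, and not a pfSense-generated ruleset; pfSense builds its own rules from the GUI), here is a minimal raw pf.conf ruleset for one VLAN interface. The interface name, subnet and firewall address are assumed placeholders.

```pf
# Added example (not from the forum post or from pfSense): the default-deny
# posture described above, written in raw pf.conf syntax. The interface name,
# subnet and firewall address are assumed placeholders.
vlan10_if  = "vlan10"
vlan10_net = "10.10.10.0/24"
fw_vlan10  = "10.10.10.1"

# Private address space, used below to keep this VLAN away from other
# internal segments.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Default posture: nothing passes on any interface unless a later rule says so.
# Logging the drops gives evidence for (or against) every future rule request.
block log all

# The firewall answers DHCP for this VLAN. Clients send from 0.0.0.0:68 to
# broadcast:67, so the source cannot be matched against the VLAN subnet.
pass in quick on $vlan10_if inet proto udp from any port 68 to any port 67

# DNS to the firewall's own resolver only.
pass in quick on $vlan10_if inet proto { tcp, udp } from $vlan10_net to $fw_vlan10 port 53

# Web traffic to the Internet only. Excluding RFC 1918 space means this VLAN
# cannot reach other internal segments or the firewall's management ports.
# The state created here also matches the packet leaving on the WAN side and
# the replies coming back, so no separate WAN rule is needed for this flow.
pass in quick on $vlan10_if inet proto tcp from $vlan10_net to ! <rfc1918> port { 80, 443 }

# Everything else on vlan10 (and on every other interface) falls through to
# "block log all". Each additional "pass" widens the exposure and should be
# justified from the logged drops before it is added.
```

The ordering matters: with `quick` the first matching rule wins, so the narrow `pass` rules sit above the catch-all `block`, and anything not explicitly listed is dropped and logged on the interface it arrived on.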

Gonna kill this beast this week, just wanted to share it as a good memory of an outstanding, reliable piece of software.
Runs inside VMware ESXi 3.5.0, on a recycled HP DL380 G4, originally put in operation in 2005.  8)
The physical machine was only stopped for a couple of minutes about 10 years ago, to add RAM. The 32 GB SCSI drives have been replaced 2 times (with used ones).

[attached screenshot: pfsense-longlive.png]

• johnpoz (LAYER 8 Global Moderator)

While the ability for any software and your hardware/system to run for such a long time is nice:

That you would run your firewall on software that is no longer updated or maintained is BAD security.  2.1.5 should have been updated when it went EOL.  That it's still running ESXi 3.5, which went end of extended support back in 2013 and end of even technical guidance back in 2015, is not good practice from any point of view, especially security.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

• kejianshi

I began using pfSense for a few reasons.  Basically, it appeared to me that the normal Verizon Actiontec routers were purposely designed to allow anyone to crack the wifi and access the router remotely.

The other major reason was that the ISP-provided router did a horrible job with managing static DHCP and seemed to leave ports opened by UPnP open forever.

Also, as mentioned previously, pfSense can be provisioned with an enormous state table.

                                    After using it, I also really liked all of the added features such as VPN.

                                    It does what it is supposed to do very reliably and has been doing so for many years now.

• robi

@johnpoz:

> While the ability for any software and your hardware/system to run for such a long time is nice:
>
> That you would run your firewall on software that is no longer updated or maintained is BAD security.  2.1.5 should have been updated when it went EOL.  That it's still running ESXi 3.5, which went end of extended support back in 2013 and end of even technical guidance back in 2015, is not good practice from any point of view, especially security.

Agree with everything! This box, however, was only handling internal routing between some private networks. It didn't have access to the internet either, so updating wasn't easily possible. It was also a low-priority segment; it's now being killed forever and nothing comes in its place.

• Phatsta

                                        I hope this thread is still alive :)

I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I was recommended to check out pfSense, and I have since then never looked back. These days I run my own company, importing hardware and building our own routers based on the APU2 board and pfSense. We have at least 200+ installations out there, and we're also running pfSense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service set up in pfSense.

I'm originally a Windows guy, but after I met pfSense I realised there's a whole world of open source out there, so I started learning, and today roughly half of our services are based on open source.

Comparing pfSense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use appropriate hardware). Only kind words from me!

...and we are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.

• detox (replying to Phatsta)

@Phatsta I am using pfSense now for about a year and find it to be a great tool!
I am still a very young novice in its use, but that said, it has saved my PCs from countless attacks and intrusions as well as making a safe network a reality.

• psp

                                            We moved a couple of years ago from a Fortigate-HA/MPLS based solution to a full pfSense one. HQ plus 5 subsidiaries in EU and one in US are site-to-site connected. All hardware is based on Denverton C3K with IDS/IPS. No regrets at all.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.