General question on pfSense capability and suitability
We've got a couple of Dells set up with 2.3.3-RELEASE-p1, which we're in the process of moving over to from some older Linux firewalls which have served us well, but they're old, and we wanted something that didn't limit admin to those of us who like the command line. So we ended up with pfSense on the advice of an employee who has since left.
Recently I've run into these problems:
1. Can't get a stable IPsec connection to a Cisco ASA, despite the settings on both sides being what we'd used with Openswan and Linux for a couple of years with no trouble.
2. Sporadic xml_rpc complaints related to failures to update firewall rules from master to slave – not always, just sometimes
3. After CARP running smoothly between them for a few months, it failed and both took master. This despite that the interface for that is directly cabled between them, the hardware on both systems is identical, and they can be pinged between just fine on that interface.
4. While double-checking settings just now on the backup system, after disabling CARP, the web interface failed, requiring restarting PHP-FPM.
5. The web interface for setting up Strongswan when multiple subnets are involved on each side is horrendously labor-intensive -- despite that it's a standard, simple configuration file that comes out on the back end. (Is there an option to ditch it for the CLI for Strongswan?)
Now, there are many possible answers to these serious problems. Maybe an upgrade to 2.3.4 would do it. Or maybe the Dells have hardware problems. Or maybe for IPsec we just have to figure out how to get pass through working on pfSense and run it on as Openswan again on Linux VMs behind it. Or maybe if we got paid support for pfSense there are undocumented secrets that solve all this.
Or maybe I need to pitch to management that the former employee steered us badly, and we need to pony up for something else. That would be a real problem though in terms of timelines and goals. So any advice on how to salvage pfSense for our use is most welcome!
As of now this has been read 68 times, I see, with no response. Even just general responses, such as "Our experience has been much better," or "Troubles like yours are par for the course," or
The paid support does/does not make all the difference," will be most useful in finding our way here.
Thanks in advance!
You might get a better response if you provide details regarding your config on both ends . The request is very vague and difficult for someone to respond without understanding how you have configured you're a piece of connection. Vague questions are usually answered with Vague answers