How I Killed Off Cisco And Saved Money And Confusion Along The Way

General pfSense Questions
Schnyde:

Hello,

I wanted to give a quick shout out to the pfSense team, you've saved me so much time, money, and confusion over the years.

I have now replaced over 20 Cisco ASAs with pfSense firewalls, and the benefits are abundant. Not only can I use newer technologies than what Cisco provides (like OpenVPN for instance), I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), and get better reliability, scalability, and performance than the ASA also.

Over the last two years alone, I have saved my company countless time and money by deploying pfSense, and from a management perspective, it makes perfect sense for the enterprise. My uptime and performance have increased significantly, and my operating cost of maintaining these firewalls is incredibly low.

If you're thinking about switching over to pfSense in your enterprise, do it, you will be very happy you did.

Thanks again!
pan_2:

@Schnyde: "perfect sense"

That definitely makes perfect sense to use as a pfSense slogan and/or motto.
mkaishar:

@Schnyde: "I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), better reliability"

I am looking at BGP, which package did you use and is it stable?
Schnyde:

OpenBGPD from the package manager; although my BGP needs have diminished recently, I did find it to be stable. I was not doing anything fancy, just pushing routes to my provider.

As the docs say, it conflicts with the OSPF package, so it's probably best not to run those together.

Cheers!
JKnott:

@Schnyde: "As the docs say, it conflicts with the OSPF package, so it's probably best not to run those together."

????

You'd use BGP to connect autonomous systems but still need something for your own network. If not OSPF, what??? RIP???
Derelict (Netgate):

Check out the FRR package in 2.3.4_1, 2.4. Please, if you can, switch a real workload to it and give feedback.

Glad to have you in the pfSense camp, but since when do ASAs not tag/trunk dot1q VLANs?
Schnyde:

I was surprised to find that out also, almost the hard way. There are no options in ASDM or the CLI to even make VLANs, let alone trunk them, I guess Cisco wants you to buy their routers to do that… I had mostly 5525Xs and 5512Xs.

Cheers!
bingo600:

@Schnyde: "I was surprised to find that out also, almost the hard way. There are no options in ASDM or the CLI to even make VLANs, let alone trunk them, I guess Cisco wants you to buy their routers to do that… I had mostly 5525Xs and 5512Xs.

Cheers!"

Ahemm .. Cough..Cough ;)
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf
Or
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-basic.html

Even my old 5505 can do VLANs, but fancy stuff might require a Plus licence.

/Bingo
Schnyde:

As usual, the Internet is always right! Good find, not a fan of sub-interfacing though…

Cheers!
JKnott:

@Schnyde: "As usual, the Internet is always right! Good find, not a fan of sub-interfacing though…

Cheers!"

Why's that? It's nice to be able to keep different services separate, so that you can apply CoS etc., without worrying about where something is plugged in.
Derelict (Netgate):

pfSense generally does the same thing under the hood:

igb0
igb0_vlan100
igb0_vlan200
etc.
Schnyde:

Just not a big fan, albeit I understand that this is how non-switches do it. No technical reasons, it just seems to add complexity to Cisco config.

The one thing that Cisco does that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway. We use that feature often at a few locations, and until pfSense (or BSD even) can do this, we cannot use it to replace the Cisco ASAs at these sites. This is very unfortunate, and leaves me stuck with Cisco until this is sorted out.

Cheers!
JKnott:

@Schnyde: "Just not a big fan, albeit I understand that this is how non-switches do it. No technical reasons, it just seems to add complexity to Cisco config."

Actually, there are a few technical reasons, such as fewer devices in a broadcast domain, isolation of traffic for increased security, and CoS can be applied to some traffic. A few years ago, I set up a network in a seniors' residence. There was the office traffic on the native LAN and VLANs for VoIP, the residents' Internet access and one for network management. The WiFi access points also used VLANs and multiple SSIDs for staff & resident access.
PiBa:

@Schnyde: "that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway."

I use outbound NAT on my management network to reach a few devices that don't have pfSense set as their gateway themselves. In pfSense there is no gateway configured on this management interface and outbound NAT works fine. Am I missing something in your configuration?
Derelict (Netgate):

@Schnyde: "Just not a big fan, albeit I understand that this is how non-switches do it. No technical reasons, it just seems to add complexity to Cisco config."

A more complicated network often adds complexity to a firewall/router configuration.
Schnyde:

Awesome, maybe you can help, although I posted this issue in the NAT section:

https://forum.pfsense.org/index.php?topic=136579.0

Labeled solved, as the pfSense documentation states that any interface without an upstream gateway will not be considered for NAT. Opened a ticket with pfSense support, and they stated that they could not find a solution.

Basically, set an outbound NAT on the WAN interface to translate to a DMZ address that has no upstream gateway. The reason is that I have an IPsec customer that requires that the network be a DMZ address, as it is currently on the LAN. I was hoping that I could NAT it out, tried a bunch of different configs, even tried using the FW itself as the defined upstream gateway. No matter what I did, the traceroutes from the host to that IPsec client would go out the WAN and not translate to a DMZ address, then out the tunnel.

Cheers!
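The two posts above disagree about whether outbound NAT works on an interface with no upstream gateway, and the difference is the outbound NAT mode. The following is an added example, not pfSense code and not anything posted in this thread: it is a small model of the documented behaviour that automatic outbound NAT only generates rules for interfaces that have a gateway (so a DMZ without one gets no automatic rule, as Schnyde's doc quote says), while manual or hybrid mode lets the operator place a rule on any interface (which is PiBa's management-network case). The interface names, subnets and gateway address are constructed sample values, and the model omits the extra sources (static routes, VPN networks) that the real generator also includes.

```python
"""
Simplified model of pfSense outbound NAT modes (added example, not pfSense code).

Automatic mode: for every interface that has an upstream gateway, one
'nat on <wan> from <local net> to any -> (<wan>)' rule per locally attached
network. Interfaces without a gateway get no automatic rule.

Manual/hybrid mode: the operator supplies the rule, and it may sit on any
interface, gateway or not.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str                 # pfSense friendly name, e.g. "WAN"
    ifname: str               # FreeBSD device name, e.g. "igb0" (constructed)
    network: str              # attached subnet in CIDR notation
    gateway: Optional[str] = None   # upstream gateway, None if the interface has none


@dataclass
class NatRule:
    interface: str            # FreeBSD device the rule is bound to
    source: str               # source network being translated
    target: str               # translation address, e.g. "(igb0)"

    def to_pf(self) -> str:
        """Render in pf.conf nat-rule syntax."""
        return f"nat on {self.interface} from {self.source} to any -> {self.target}"


def sample_interfaces() -> List[Interface]:
    """Constructed topology: one WAN with a gateway, three internal networks without."""
    return [
        Interface("WAN", "igb0", "203.0.113.0/24", gateway="203.0.113.1"),
        Interface("LAN", "igb1", "192.168.1.0/24"),
        Interface("DMZ", "igb2", "10.10.10.0/24"),
        Interface("MGMT", "igb3", "172.16.0.0/24"),
    ]


def automatic_outbound_nat(interfaces: List[Interface]) -> List[NatRule]:
    """Automatic mode: rules only on gateway-bearing interfaces."""
    wan_like = [i for i in interfaces if i.gateway is not None]
    local_nets = [i.network for i in interfaces if i.gateway is None]
    rules = []
    for wan in wan_like:
        for net in local_nets:
            rules.append(NatRule(wan.ifname, net, f"({wan.ifname})"))
    return rules


def manual_rule(interfaces: List[Interface], on: str, source: str) -> NatRule:
    """Manual/hybrid mode: an operator rule on any named interface, translating
    'source' to that interface's own address. No gateway check is applied."""
    iface = next(i for i in interfaces if i.name == on)
    return NatRule(iface.ifname, source, f"({iface.ifname})")


def interfaces_considered(rules: List[NatRule]) -> List[str]:
    """Which devices end up with at least one NAT rule."""
    return sorted({r.interface for r in rules})


if __name__ == "__main__":
    ifs = sample_interfaces()
    print("# automatic outbound NAT")
    for r in automatic_outbound_nat(ifs):
        print(r.to_pf())
    print("# manual rule on the gateway-less management interface")
    print(manual_rule(ifs, "MGMT", "192.168.1.0/24").to_pf())
```

Running it shows automatic mode binding every rule to igb0 and nothing to igb2 or igb3, while the manual rule lands on igb3 exactly as PiBa describes. Schnyde's actual case, translating traffic before it enters an IPsec tunnel, is handled by neither path in this model; pfSense applies that kind of translation on the IPsec phase 2 entry rather than through outbound NAT, which is the distinction PiBa's last reply points to.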
PiBa:

Posted a reaction about NATting on IPsec in that other thread. It's not the same as for regular interfaces.