How I Killed Off Cisco And Saved Money And Confusion Along The Way



  • Hello,

    I wanted to give a quick shout out to the pfSense team, you've saved me so much time, money, and confusion over the years.

    I have now replaced over 20 Cisco ASAs with pfSense firewalls, and the benefits are abundant.  Not only can I use newer technologies than what Cisco provides (like OpenVPN for instance), I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), better reliability, scalability, and performance than the ASA also.

    Over the last two years alone, I have saved my company countless time and money by deploying pfSense, and from a management perspective, it makes perfect sense for the enterprise.  My uptime and performance has increased significantly, and my operating cost of maintaining these firewalls is incredibly low.

    If your thinking about switching over to pfSense in your enterprise, do it, you will be very happy you did.

    Thanks again!



  • @Schnyde:

    perfect sense

    That's definitely makes a perfect sense to use it as pfsense slogan and/or motto.



  • @Schnyde:

    I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), better reliability

    I am looking at BGP, which package did you use and is it stable?



  • OpenBGPD off of the package manager, although my BGP needs have diminished recently, I did find it to be stable.  I was not doing anything fancy, just pushing routes to my provider.

    As the Docs say, conflicts with the OSPF package, so probably best not to run those together.

    Cheers!



  • As the Docs say, conflicts with the OSPF package, so probably best not to run those together.

    ????

    You'd use BGP to connect autonomous systems but still need something for your own network.  If not OSPF, what???  RIP???


  • Netgate

    Check out the FRR package in 2.3.4_1, 2.4. Please, if you can, switch a real workload to it and give feedback.

    Glad to have you in the pfSense camp but since when do ASAs not tag/trunk dot1q VLANs?



  • I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make vlans, let alone trunk them, I guess Cisco wants you to buy their routers to do that…  I had mostly 5525Xs and 5512Xs.

    Cheers!



  • @Schnyde:

    I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make vlans, let alone trunk them, I guess Cisco wants you to buy their routers to do that…  I had mostly 5525Xs and 5512Xs.

    Cheers!

    Ahemm .. Cough..Cough  ;)
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf
    Or
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-basic.html

    Even my old 5505 can do vlan , but fancy stuff might require a PLUS licence

    /Bingo



  • As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though…

    Cheers!



  • @Schnyde:

    As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though…

    Cheers!

    Why's that?  It's nice to be able to keep different services separate, so that you can apply CoS etc, without worrying about where something is plugged in.


  • Netgate

    pfSense generally does the same thing under the hood:

    igb0
    igb0_vlan100
    igp0_vlan200
    etc.



  • Just not a big fan, albiet, I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.

    The one thing that Cisco does that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.  We use that feature often at a few locations, and until pfSense (or BSD even) can do this, we cannot use it to replace the Cisco ASAs at these sites.  This is very unfortunate, and leaves me stuck with Cisco until this is sorted out.

    Cheers!



  • @Schnyde:

    Just not a big fan, albiet, I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.

    Actually, there are a few technical reasons, such as fewer devices in a broadcast domain, isolation of traffic for increased security and CoS can be applied to some traffic.  A few years ago, I set up a network in a seniors residence.  There was the office traffic on the native LAN and VLANs for VoIP, the residents Internet access and one for network management.  The WiFi access points also used VLANs and multiple SSIDs for staff & resident access.



  • @Schnyde:

    that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.

    I use outbound-nat on my management network to reach a few devices that dont have pfSense set as their gateway themselves. In pfSense there is no gateway configured on this management interface and outbound-nat works fine.. Am i missing something in where your configuration.?.


  • Netgate

    Just not a big fan, albiet, I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.

    A more complicated network often adds complexity to a firewall/router configuration.



  • Awesome, maybe you can help, although I posted this issue in the NAT section:

    https://forum.pfsense.org/index.php?topic=136579.0

    Labeled solved as the pfSense documentation states that any interface without an upstream gateway will not be considered for NAT.  Opened a ticket with pfSense support, and they stated that they could not find a solution.

    Basically, set an outbound NAT on the WAN interface to translate to a DMZ address that has no upstream gateway.  Reason being is that I have an IPSEC customer that requires that the network be a DMZ address, as it is currently on the LAN.  I was hoping that I could NAT it out, tried a bunch of different configs, even tried using the FW itself as the defined upstream gateway.  No matter what I did, the traceroutes from the host to that IPSEC client would go out the WAN and not translate to a DMZ address, then out the tunnel.

    Cheers!



  • Posted a reaction about natting on ipsec in that other thread.. Its not the same as for regular interfaces.