Where does pfSense fit into the SD-WAN market?

coreybrett

I've seen a lot of marketing and products described as SD-WAN lately.

How does pfSense fit into that market?

I think of those products as units that can combine multiple Internet connections and use them to connect branch networks together with some type of magic sauce. Is there more to it than that? What's in the sauce? Can't I do that with pfSense already?

Harvy66

SD-WAN sounds like a marketing term around pre-existing network services. The only useful info I can get out of the term is that it implies a proprietary blend of QoS, load balancing, and optimizer.

I would hope that any company selling products of this kind have an easy to use UI to manage and coordinate all of these features. That could be useful, but it only lowers the barrier to entry and potentially make mistakes easier to spot and less likely to occur. From a functionality standpoint, none of the tech seems special. A "the whole is greater than the sum of its parts" situation, if done correctly.

johnpoz

SD-WAN is the hot buzz word of late sure.

You can for sure connect all your sites with pfsense now over the public internet using vpns - if you want to call that software defined ;) then sure..

But as you put it missing the "magic sauce" ;)

Now if you could get your pfsense boxes to call into a central location and easy setup for this box to call that box and route their different networks over the connections via say a web gui (software) then guess you could call it sd-wan.

But currently if you doing it all by hand by setting up then its just your typical old school wan ;) not software defined..

The bigger benefit of such sd-wan deployments is not so much ease of deployment but the ability to jump on a "private" or very well managed network that is global and scope with very little jitter in latency from pop A to pop B that might be on the other side of the planet. And then thrown in with this sauce is say wan optimization techniques, etc. etc.

Ping say London from NY over the public internet and your latency will be all over the board by multiple ms per ping most likely and this will drift over time depending on overall traffic on the internet, etc. If you jump on a pop few miles from your location ride this global "private" network where the latency is rock solid stable at X ms, and then jump off at a pop few miles from london.. So your only riding the "public" internet for a few miles vs 1000's and also throw in wan optimization techniques... Then yeah now you have that special sauce that makes it worth something..

All that being said - this sd-wan company might pop a device that you connect to your edge that simplifies and throws in the magic sauce to get to your other locations, etc. But your still prob going to want/need that edge device to control what traffic goes over the "sd-wan" and what goes to just the plain internet. You may want to do filtering before traffic enters the "sd-wan" because most likely your going to pay for traffic that goes over the sd-wan, etc..

So even when the company gives you the sd-wan box for free ;) Your still going to want/need a firewall/router at your edge or even internal to your network so pfsense can for sure still play heavy in that role of your network, etc.

JKnott

Here's an article that gives a bit of a description of SD-WAN:

Cisco Brings SD-WAN to 1 Million Edge Routers

Harvy66

Sounds more and more like "SD-WAN" is about a network that can dynamically change routing to min/max certain characteristics possibly based on conditions. This would require coordination among many routing devices to make sure the rules are honored.

coreybrett

Seems like adding TINC to the core and making it work with multi-wan would be a step forward in that market for pfSense .

Would love to have someone from Netgate chime into this.

fibrewire

Here we are a little over a year later since this conversation originally surfaced. Has any progress been made to use pfsense as a SD-WAN platform? If you think about it, how many active users are running pfsense for their corporations / enterprise / isp edge routers? I'd imagine there are already millions of pfSense boxes running right this second...

occamsrazor

ZeroTier is a great solution... I use it on a bunch of devices in 2 different countries and I can operate everything as if they were on the same LAN. But if we could get it integrated into pfSense and run it at the router level, the entire sites could do the same (not just specific devices running ZeroTier locally on each device).

https://forum.netgate.com/topic/91683/zerotier-one-as-a-package-100usd

Hampy

Sorry for replying to an old thread for those that find that reprehensible for some reason, but obviously I've landed on this through regular search channels and I think there is still contributions to make.

My view of it, which is influenced by experience with what Fortinet call SDN, is that it's a simply a mainstream and logical advancement on multi-wan configuration. Multi-wan has been available on PFSENCE for a very very long time and in fact is a rather basic function of any real router.

On a Fortinet Firewall, it adds some (for want of a better word) "dynamic" options in how it decides which WAN link to send specific traffic out. I'm not aware if there is now ability in PFSENSE that can match that in terms of functionality?

I will say that the marketing put behind "SDN" leaves the reality of SDN very underwhelming, at least in the Fortinet interpretation of "SDN". "They" market it as a way to use cheap internet connections to match expensive internet connections. The issue being that a bad/unstable internet connection is going to cause issues for you in ways that SDN is in no way going to "fix", in fact nothing you do on the firewall is going to take two crappy internet connections and magically make them work well, so it's a pipe dream in many ways.

There is something to be said for not paying ridiculous money for "managed" links that are no better than a more reasonably priced service, and when it comes to general provider network issues, you are always better off with diverse paths, so two cheaper but still business grade links through different networks is likely going to be better than one "managed" link through one that can still go down. You don't need "SDN" for that the be the case.

However, saying that, having more options in PFSENSE would of course be a great thing and offer more flexibility for people who have no choice than to use "less than great" links. Many I.T geeks in many parts of the world are in this situation for example on their home networks, so it would be very nice to see something in this area.

flat4

Meraki is big on this, I use it at work. Don't like it very much.

It gives any Joe the ability to think they know networking. It also uses cloud to access the dashboard of your networks. It's very neutered when dealing with complex setups.

Basically is a NAT device not a router.

Not to mention the ridiculous hardware price and licensing.

johnpoz

@flat4 said in Where does pfSense fit into the SD-WAN market?:

It gives any Joe the ability to think they know networking

hahaha - good one.. Hey I setup my home wifi router, what do you mean not qualified to run the global enterprise network, how different could it be ;) hehehe

coreybrett

@hampy
I agree with everything you said. I think the term "SD-WAN" has very little technical meaning. I've been extremely happy with pfSense over the years. I have 4 CE boxes and 13 Netgate units. I've been using OpenVPN S2S links to connect them all together in a HUB-SPOKE style, but it seems a bit hacky to me. I would much prefer a true mesh style of interconnect. I looked at TINC for a little while, but it didn't seem like something I really wanted to put into production. I've also looked at the WireGuard/Tailscale, but that doesn't really appeal to me either.

The thing I would really like to see is ZeroTeir support added into the core product. Only a minimal implementation would be necessary. Just the ability to join an existing network (which would create an interface) and a textbox that JSON could be copied into for ZT config. I would not want to run a ZT controller on my firewall anyway. This would allow for a true mesh VPN between multiple pfS boxes and ZT has multi-wan abilities built-in.

The other wish list item I have is a Netgate operated DDNS service that would work with the Acme package. I wouldn't really care what the actual address is. Something like 2876e61e-cbab-4bfa-a1c5-dc3d465b0cd0.ddns.netgate.com would be just fine.

coreybrett

I would be fine with ZT support only being available in the pfSense Plus product, and that would be another selling point for the Netgate appliances vs the CE version.

occamsrazor

I waited for Zerotier support in pfSense for far too long.. but have mostly moved over to Tailscale now.

Things I like about TS more than ZT:

• It's just a lot more polished than ZT, both in the client apps and in the web admin interface.
• The implementation in pfSense seems very good to me, pretty much everything I need is exposed through the GUI.
• Setting up subnet routers is extremely user-friendly in TS... as in.. I actually managed to do it, whereas on ZT I found it way too confusing.
• TS Mac and IOS app store versions easily updateable through the store, standalone packaged TS version uses (I believe) Sparkle, but either way it's easy to keep updated whereas ZT still has no autoupdate mechanism. When you are managing a bunch of devices, that is useful.
• Taildrop file-sharing actually works very nicely.

Things I like about ZT more than TS:

• This is a big one for me - ZT is more of a Layer 2 solution, connections between devices really are as transparent as if they were connected to the same LAN switch. Critically, that means Bonjour/Zeroconf multicast DNS works, and Apple devices transparently pick up and see services on other devices, making Apple Remote Desktop (ARD) work seamlessly. Tailscale cannot do that at all.
• I like to keep things organized by IP address, and on ZT you can manually set address ranges, fix IP addresses, etc etc. On Tailscale you can't. You can use their MagicDNS to match by TS hostname, but it's not quite the same.
• I don't like the whole SSO using Gmail aspect of TS authentication. I know there's other methods for larger deployments, and it does work very well I've no issues with that. It just seems unnecessary to me.

If Tailscale supported Bonjour I'd have few reasons left to keep ZT but for now at least I plan to keep running both. I almost moved to OPNSense purely because of their ZT support but in the end just didn't want to deal with reconfiguring an entire router firewall from scratch. As per @coreybrett if there was a decent implementation of ZT in pfSense it would be a real selling point.
This is a somewhat old but nice general comparison: https://news.ycombinator.com/item?id=27491133

coreybrett

@occamsrazor How does the service cost of ZT vs TS work out for you?

I am looking for ZT support mainly for S2S links, and not mobile clients. I'm quite happy with OpenVPN for mobile clients.

The built-in Multipath support in ZT seems like it would be a killer feature for pfS.

occamsrazor

@coreybrett said in Where does pfSense fit into the SD-WAN market?:

@occamsrazor How does the service cost of ZT vs TS work out for you?

I am just a home user, my main use is remotely managing my home router/network and family members' computers when I am away traveling. And so the free plans of each service are sufficient for my needs, which makes the cost of both work out... just fine.

@coreybrett said in Where does pfSense fit into the SD-WAN market?:

The built-in Multipath support in ZT seems like it would be a killer feature for pfS.

Wow, I hadn't heard about that. So you could for example bond a laptop connected to multiple 4G modems into a single faster link to a remote ZeroTier computer and get faster transfer speeds?

coreybrett

@occamsrazor said in Where does pfSense fit into the SD-WAN market?:

Wow, I hadn't heard about that. So you could for example bond a laptop connected to multiple 4G modems into a single faster link to a remote ZeroTier computer and get faster transfer speeds?

Yes - https://docs.zerotier.com/zerotier/multipath/

They have several modes Active/Active, Active/Backup and so on. That's why I think it would be such a great fit for mesh style S2S links. I have 10 sites that I could connect together with one ZT network / interface per router. That would replace a mess of OpenVPN links.

A Former User

@harvy66 said in Where does pfSense fit into the SD-WAN market?:

Sounds more and more like "SD-WAN" is about a network that can dynamically change routing to min/max certain characteristics possibly based on conditions. This would require coordination among many routing devices to make sure the rules are honored.

It is exactly what I was finding out about it.

Main of SD-WAN
ZeroTier , netFlow and openFlow are the main points if
it goes to SD-WAN market and many big payers will be
chime in, as it looks like now and let us say some years
backwards, because some networks will growing fast
and become unending big or huge.

Connectivity Parts
Tinc, Stunnel and Tailscale will be one more part either for network internal and /or external connections.

Additional parts
Grafana, mono logtash and Elastic will be also nice on top
to view and see the entire network or parts of them and
what is going or more how it is going.

This are now the parts without much more and more manpower on the need and/or "setting it up manually"

Not really a part of SD-WAN but also network based
and not unimportant (behind the scene let us call it)
PRTG and something such or like Netgears NMS300
will be then together from older days you think but for
it comes all together and is enriching the other one(s)
and play nice together with them all.

This is the part with more or the normal manpower
for the entire network.

It all depends more on the needs, dimensions and
your own which`s or the companies capabilities.

Now lets see what can be pointed to pfSense according to the main question of this thread I mean.

I would not call it SD-WAN ready, but here and there it
is "on its way" regarding the following points;

softflowd is able to add

Monitoring with (grafana logstash mono elk stack
kibana prometheus) is not pfSense internal based.

tinc, stunnel and Tailscale are there, OpenVPN, WG
and IPSec are also on board.

So openFlow and netFlow might be the both entire
important parts here as I see it.

coreybrett

I would also love to see a central management feature added to pfSense. Managing my 10 units from a central control panel would be amazing. That would save me the hassle of maintaining DDNS and LE ACME across all 10 units (for 3 wans on each). Also sharing alias tables and firewall rules across all of them would be pretty cool. I would think some basic monitoring could be done as well.

I think Netgate has talked about such a product in the past, but I'm not sure if TNSR has changed the plans for pfS.

pimpmyrouter

I've just received the hardware for a SW-WAN service. It looks like a rebadged SG-5100 and this triggers me a little as it will sit next to my own SG-5100 as an extra single point of failure!

JKnott

@johnpoz said in Where does pfSense fit into the SD-WAN market?:

It gives any Joe the ability to think they know networking

hahaha - good one..

I can top that. A few years ago, one customer thought she knew more about networks than I did, because her husband had read some magazines. She was upset because I had connected my computer to the switch with CAT5 cable, after we had run in CAT6. She thought it would slow everything down!

rcoleman-netgate

@pimpmyrouter said in Where does pfSense fit into the SD-WAN market?:

I've just received the hardware for a SW-WAN service. It looks like a rebadged SG-5100 and this triggers me a little as it will sit next to my own SG-5100 as an extra single point of failure!

We're not an OEM so that is likely from our partner Lanner.

pimpmyrouter

Having had a SD-WAN service for 6 months, I'll summarise it...

This is a service that sits in front on my pfSense. There's one primary public facing IP address which the SD-WAN provider manages. We have 2x standard FTTC connections and one standby 4G connection, all feeding via modems into an aggregation box that the provider gave us, that is the same hardware as a SG-5100. Each connection could in extremis be fed into my SG-5100 with its own publicly addressable IP address if the provider fell down. Essentially, the provider tunnels all data from the primary IP address to their box over the 2 FTTC connections, doubling the max throughput for one connection to about 140mbps. There's some QoS magic but the packets just arrive.

So what we get is double the throughput (not the same as load balanced WANs which can't use both connections for the same download), failover resilience, and above all a consistent external IP address for our OpenVPN server, independently of which physical last mile connections are active.

I have no doubt it would be technically feasible to run our client end on the same SG-5100 unit under a pfSense package, and that would reduce the power consumption and potential for failure, but (a) that's unlikely, and (b) you'd still need a very redundant and resilient gateway somewhere else to create these tunnels.

So pfSense can't really compete, unless something else was running the external gateway ...such as Cloudflare Tunnels.

michmoor

@pimpmyrouter Yep agreed.
SDWAN and Multi-WAN(with tiers) just isnt the same thing.
But i dont think pfSense is meant to be in the SD space anyway.