Where does pfSense fit into the SD-WAN market?

  • I've seen a lot of marketing and products described as SD-WAN lately.

    How does pfSense fit into that market?

    I think of those products as units that can combine multiple Internet connections and use them to connect branch networks together with some type of magic sauce. Is there more to it than that? What's in the sauce? Can't I do that with pfSense already?

  • SD-WAN sounds like a marketing term around pre-existing network services. The only useful info I can get out of the term is that it implies a proprietary blend of QoS, load balancing, and optimizer.

    I would hope that any company selling products of this kind has an easy-to-use UI to manage and coordinate all of these features. That could be useful, but it only lowers the barrier to entry and potentially makes mistakes easier to spot and less likely to occur. From a functionality standpoint, none of the tech seems special. A "the whole is greater than the sum of its parts" situation, if done correctly.

  • LAYER 8 Global Moderator

    SD-WAN is the hot buzzword of late, sure.

    You can for sure connect all your sites with pfSense now over the public internet using VPNs - if you want to call that software defined ;) then sure..

    But, as you put it, missing the "magic sauce" ;)

    Now if you could get your pfsense boxes to call into a central location and easy setup for this box to call that box and route their different networks over the connections via say a web gui (software) then guess you could call it sd-wan.

    But currently if you're doing it all by hand by setting up then it's just your typical old-school WAN ;) not software defined..

    The bigger benefit of such SD-WAN deployments is not so much ease of deployment but the ability to jump on a "private" or very well managed network that is global in scope with very little jitter in latency from pop A to pop B that might be on the other side of the planet. And then thrown in with this sauce is say WAN optimization techniques, etc. etc.

    Ping say London from NY over the public internet and your latency will be all over the board by multiple ms per ping most likely and this will drift over time depending on overall traffic on the internet, etc. If you jump on a pop a few miles from your location, ride this global "private" network where the latency is rock solid stable at X ms, and then jump off at a pop a few miles from London.. So you're only riding the "public" internet for a few miles vs 1000's and also throw in WAN optimization techniques... Then yeah now you have that special sauce that makes it worth something..

    All that being said - this SD-WAN company might pop a device that you connect to your edge that simplifies and throws in the magic sauce to get to your other locations, etc. But you're still prob going to want/need that edge device to control what traffic goes over the "sd-wan" and what goes to just the plain internet. You may want to do filtering before traffic enters the "sd-wan" because most likely you're going to pay for traffic that goes over the SD-WAN, etc..

    So even when the company gives you the SD-WAN box for free ;) You're still going to want/need a firewall/router at your edge or even internal to your network so pfSense can for sure still play heavy in that role of your network, etc.

  • Here's an article that gives a bit of a description of SD-WAN:

    Cisco Brings SD-WAN to 1 Million Edge Routers

  • Sounds more and more like "SD-WAN" is about a network that can dynamically change routing to min/max certain characteristics possibly based on conditions. This would require coordination among many routing devices to make sure the rules are honored.

  • Seems like adding TINC to the core and making it work with multi-WAN would be a step forward in that market for pfSense.

    Would love to have someone from Netgate chime into this.

  • Here we are a little over a year later since this conversation originally surfaced. Has any progress been made to use pfSense as an SD-WAN platform? If you think about it, how many active users are running pfSense for their corporations / enterprise / ISP edge routers? I'd imagine there are already millions of pfSense boxes running right this second...

  • ZeroTier is a great solution... I use it on a bunch of devices in 2 different countries and I can operate everything as if they were on the same LAN. But if we could get it integrated into pfSense and run it at the router level, the entire sites could do the same (not just specific devices running ZeroTier locally on each device).