A more up-to-date pfSense?

  • I feel like I'm about to confess to a murder, but you'll see why this post is here....

    I use pfSense in both a home and a small business environment. It works very well and I've even been able to convert a dyed-in-the-wool Cisco user away from his ASAs. BUT...

    pfSense, even the 2.4.4.p1 release, lags far behind. Yes, I know about OpnSense, but they're really no better. If you look at the packages, they're usually a major version behind. Worse yet, the developers of those packages, such as the FRR team, are open about the point that they believe BSD is dying. Let us assume they are correct for the moment; they argue that:

    • The BSD kernel is older -- and less capable at a device level compared to Linux -- people just aren't providing the drivers for things like LTE modems.
    • The Linux kernel can support DPI
    • The Linux kernel WAS slow compared to BSD, but that's changed
    • Alternative network technologies (ZeroTier, 802.16, Zigbee) don't exist in BSD

    Combine that with a few of BSD's other quirks with things like some hard drive controllers that have been around for a decade or more and one starts getting pushed to look for a "pfSense for Linux".

    Don't get me wrong - it would take work, and I'd see it as a paid-for product, but Netgate needs something to answer these points. I doubt I'll ever be able to use the ZeroTier LAN product or my Verizon LTE modems on pfSense because BSD really doesn't handle them well. Sure, I can write the drivers myself and use BSD ports, but they're not part of pfSense. If I do that, pfSense does little for me.

    So now the big question. I've tried the following:

    • pfSense (2.4.4.p1): Great for VPNs, good solid firewall, OK at routing, OK at hardware. Slow to add new features.
    • Ubiquiti Edgerouters/USGs: Nice UI, its own hardware, but really doesn't expand. Unimpressed with support.
    • Mikrotik (6.47.8): Does just about every protocol in standards. Updated rapidly, tries to provide good support. UI is user-hostile. No way another person can just "manage it". It's a Cisco without the salesperson who pops out of the box when you open it.
    • OpnSense: Not sure why this is here --- it's slightly more up to date than pfSense, but it doesn't really expand on it.
    • OpenWrt: Like pfSense in some ways, but the build and maintenance process makes Mikrotik look friendly. Reminds me of what a child said to me "I asked my Dad for a football. He's a scientist. He said 'We don't need to buy one, I can make it. All I need is some bacon....'. No one plays with me"
    • Untangle: Does not support IPv6 very well because I guess 1995 is too new for them.
    • ZeroShell: Looks interesting, but lacks the routing features and package support
    • Roll-Me-Own(TM) Linux Router: Well, yes, it would do everything I want, once I finish building, testing and deploying Frankenrouter. Some young folk might say "Great, now you have job security!". It doesn't really work that way. It's more like taking care of Frankenstein. You get to do that forever, yes, whether you like it or not.

    Right now, I'm stuck with:

    • Mikrotik RB1100AH as the edge router and BGP daemon
    • pfSense on i5 handling VPNs
    • Linux box running the weird stuff

    Have I missed a better option? What I wish I had... pfSense with:

    • Real USB modem support for LTE backup
    • DPI in the kernel
    • Up to date FRR please
    • Up to date HAProxy
    • ZeroTier support would be nice
    • GUI for packet capture streaming -- going into the shell and typing TCPdump commands defeats the purpose. Mikrotik does it, and even their UI is friendly.

    Dare I say it, other than pf filters, what is BSD about pfSense that couldn't be ported to a modern Linux environment?

  • @jantypas said in A more up-to-date pfSense?:

    Dare I say it, other than pf filters, what is BSD about pfSense that couldn't be ported to a modern Linux environment?

    not much, just a gazillion lines of code that have to be changed one by one.

  • OK -- as I hear every day -- "It's just code, how hard can it be?" :-)

  • Rebel Alliance Moderator

    @jantypas said in A more up-to-date pfSense?:

    Dare I say it, other than pf filters, what is BSD about pfSense that couldn't be ported to a modern Linux environment?

    You've already heard of TNSR? There are a few things you scratch, why it's running on a Linux core (FD.io & DPDK and more). As SCLR was also mentioned besides TNSR a year or so ago, I was instantly thinking: Hmm.. 'pfSense 3.0' could very well be something along the lines of SCLR. Same fast core underneath with fd.io/dpdk with CLI, API etc. and "just" put a pfSense style UI on top (docked via API). So I don't think it's impossible you get away with murder ;)

    OTOH some have to see that pfSense Devs already do and commit much of their stuff upstream into FreeBSD so... calling BSD dying etc. has been going on for years. It's still there :) Anyway, I think we still have much to see where this is headed.
