Anyone Daring Enough to Try pfSense 2 in Production?

  • Just curious, is anyone out there daring enough to be running pfSense 2 in production? If so, what is working well and what is not working well?

  • Did you even try testing with it?

  • Yes, I've done some testing. So far so good. But this warning in the blog makes me nervous about trying it in production:

    These snapshots are guaranteed to include broken things, and many things that are not widely tested. This should be used in a test environment only, or in low risk production deployments (home firewall)

    My hope is that the small office where I want to deploy it counts as a "low risk production environment". The most important application they use is Citrix. They also have an OpenVPN for file transfers and email. As long as the OpenVPN implementation in pfSense 2 works and the Traffic Shaper can make sure that Citrix traffic takes priority and has low latency, pfSense should be good even if some other features are buggy or half-baked.

    Comments anyone? Am I crazy to use pfSense 2 right now?

  • Yes but what if the entire system breaks down because of a bug???

    Always use stable distros in a production environment... :)

    Set up a test environment or try it out in a VM. Thereby you can shift quickly.....

  • @Supermule:

    Yes but what if the entire system breaks down because of a bug???

    Yes, of course it wouldn't be good. I just asked the original question because one project's definition of alpha is different from another's. Case in point: Windoze. IMO, usually the last release candidate of a version of Windoze is actually the alpha, the first release is beta, if you're lucky, the first service pack is good enough for production.

    I gather from perusing these forums today that pfSense's definition of alpha probably is a true alpha.

    Okay, looks like 1.2.x for me.  ;)

    BTW, loving pfSense so far.

  • Hello,
    I'm using 2.0 at 2 sites in production. So far it works great, well mostly great. My experience is that as long as you can get it working, it will stay running. I haven't come upon any bugs that show up after it has been running, only during configuration. I'm nervous making any major configuration changes to those 2 sites remotely, but other than that I'm not too worried.

    I have needed the multi lan traffic shaping for several years, and got to the point where a couple sites were just about completely crippled by latency problems so I needed to switch to 2.0, or at least start testing it in production right away.  Everyone should throw wads of cash at ermal for the new traffic shaper, it is wonderful.

    I'm running one site using the nanobsd install on an alix and none of the nat rules will work, so I cannot remotely administer it. There seem to be some issues with the new gateway setup code. When I got on site to install it and switched it from a dhcp wan to a static it had a fit, and didn't actually switch to the new gateway until it was restarted. That image is a month old now, I haven't had a chance to test a new one, so that may or may not be resolved by now.

  • stompro, thank you for your comments.

  • @stompro:

    My experience is that as long as you can get it working, it will stay running.

    That's a good assessment, the kinds of issues you'll run across are of the type that either things won't work at all, or they'll work fine and stay that way.

  • Hello,

    I have just installed 2.0 in a production environment [ have a spare sdsl router pre configured as a dropin if needed ].
    So far it's going ok - although I seem to be having some difficulty with multiwan ( load balancing ) - but this might be the imbalance of WAN bwidth between the connections
    1 is 2mb up/down, the other is 1.5mb up 20mb down :-)

    Having some difficulty with ftp…

    seems passive is fine for single wan but I can't find a way to make both connections head up the same wan in a multi wan install...

    active is not working - I think the ftp helper may not be setting up the nat rule for the server's data connection

    • I will update this post when I find out

  • There is no ftp-helper in 2.0; it is totally transparent.
    Can you please get me a tcpdump with total packet content if you continue to have problems in this mode?

    One side on the lan and the other on the wan.