How is PFsense 2.0 today?



  • Hi Guys…

    I think this is the third time in a little over a year I'm asking this question and would like to know what are your thoughts on the progress of PFSense 2.0?

    Is PFsense 2.0 stable enough for production use in an environment where three or more locations need to be linked together?

    In doing additional research, there appears to be only two real choices in open source firewalls and that is PFsense and Vyatta. How does PFsense compare to Vyatta in your experience / opinion?

    I understand that IPsec VPN uses less traffic to communicate between locations than OpenVPN, however, is IPsec more efficient than OpenVPN and which VPN solution works well in VLAN environments in your opinion / experience?

    Also, in order to conserve bandwidth using Squid webcache, would you recommend using another Pfsense 2.0 install behind the firewall for this purpose?

    Thanks for your time.



  • I can share my thoughts on your first three questions:

    How is PFsense 2.0 today?

    • much better than a few months ago, more polished, less annoying behavior.

    I think this is the third time in a little over a year I'm asking this question and would like to know what are your thoughts on the progress of PFSense 2.0?

    • the snapshots out today feel like version 3.0 compared to what was out in February.

    Is PFsense 2.0 stable enough for production use in an environment where three or more locations need to be linked together?

    • For me, yes. I use ipsec, load balancing on 2 wan links with mail and web servers behind. For this, it works very well.

    My recommendation for your other questions is to set up a lab environment and do the testing for yourself to see the behavior.



  • Thanks for the reply.



  • Please read the forums before posting questions like this, your answer was addressed here:

    http://forum.pfsense.org/index.php/topic,21606.0.html

    And in response to the question you're undoubtedly going to ask next, here is where you'll find the remaining open issues:

    http://forum.pfsense.org/index.php/topic,21269.0.html



  • okay, thanks for replying. So, installing pfsense 2.0 at a major company with thousands of customer data at hand would be a big fat hairy no,no. Got it! Think I'm gonna be sick.



  • Hi,

    So here's my story about v2 ;)

    I've been using it since May/June without any major problems for the following:

    OpenVPN for 8 remote workers (never had any issues with OpenVPN),
    ipsec (certificates) for 4 of our locations using a Lancom VPN gateway linked to our main location with pfsense (also never had any problems once I figured out what settings to use on the Lancoms),
    Load balancing / failover of 4 static wan connections and lan + dmz ,
    Traffic shaping (although I haven't fully figured out yet how to configure it properly, it works for me regarding some of our traffic)
    And since a bit more than a month DNAT and SNAT for our mailserver (separate ip, but same gateway as one of the wan connections).
    Using pfsense's dnsmasq to override the mailserver ip in the local subnet + a local dns server for openvpn and ipsec in order to get remote connections not to route traffic to the mailserver through the tunnel and to fall back to pfsense's dnsmasq for the rest.

    Pfsense is running on an older ibm system x345 (i386). I'm planning to use HA with carp with two boxes running at the same time, but I want to wait until the final release for this.
    Right now I'm using a second x345 in cold standby which is always a few snapshots behind that I can wake up remotely if something terrible goes wrong after an upgrade of the active pfsense box.

    I like OpenVPN much better than ipsec for its simplicity in setting it up, compression (which isn't implemented for ipsec, at least yet), a very good (free of course) windows client and because I think it's more flexible. I use OpenVPN whenever I get the chance to.

    I also like the certificate manager of pfsense very much. It's just strange that I had to use manually created in order to get ipsec work with the Lancoms, still don't know why, but didn't look into it any further since it's running without any problems. In fact it's far better than before where I used Lancom routers only.

    There were some snapshots which didn't boot and currently (as you can read in another thread) the load balancer doesn't work. Didn't have any boot issues after an upgrade for a very long time and never had those issues with the load balancer. I will downgrade to the snapshot from last monday as suggested in the other thread to have everything working again.



  • @jits:

    okay, thanks for replying. So, installing <<$beta_software>> at a major company with thousands of customer data at hand would be a big fat hairy no,no. Got it! Think I'm gonna be sick.

    There, fixed that for you.

