How Good is Pfsense now?



  • Hi All

    I've been watching the progress of PFSense for well over a year now and I was wondering how solid it is for use as a business router/firewall.

    Currently I'm using monowall 1.2 and it has been flawless. One of my mono routers has had an uptime of over a year.

    I have mono installed on a DELL SC430 512MB RAM using 2 x dual Intel GB NICs. Will PFSense have a problem using this hardware?

    I make full use of the following items

    IPSEC VPN - VERY IMPORTANT TO ME
    PPTP VPN - VERY IMPORTANT TO ME
    DHCP
    Traffic Shaping
    NAT
    SNMP

    I'm very interested in making use of the dual WAN option in Pfsense.

    I would love to hear from anyone else who may be using Pfsense in a critical business environment and their experiences with it.

    Is it safe to move away from mono over to Pfsense?

    Thanks for all your positive replies :-)

    Mark



  • This is from a nexcom CARP-Cluster (actually both machines have the same uptime). It terminates several IPSEC tunnels to non pfSense devices (cisco, sonicwall, …). PPTP is enabled and used several times a day. It manages NAT for a public /29 and traffic shaping is enabled. Only thing not in use is DHCP at this system.  ;D





  • In my opinion the current version of pfsense is a pretty stable release… I used m0n0 before, but it does not have many helpful features which pf does.  ;D
    It has a couple of bugs, I think. I used it on my production firewall, and once every two weeks it has a crash. I think the crashes depend directly on additional packages installed, like snort or ntop. If you want to use these packages you will have to put more RAM into your box, at least 1G. Sometimes I have a problem with the WAN interface: it stops responding, I do not know why, maybe it's a hardware issue.. :-\



  • I have had a crash once with pfSense. An internal server error on the webConfigurator - someone was messing around with it and trying out stuff on the traffic shaper. m0n0 would be more stable, but that is because it is much older and has a much smaller feature set.



  • Older versions had some potential to footshoot yourself when setting up things incorrectly. Recent versions have more input validation checks to not accept such configurations anymore.



  • Thanks for all your comments so far.

    Anyone else got a positive story to tell?

    Mark



  • I didn't have a good experience with PFsense.

    I'm currently running a WISP with about 100-150 users on m0n0wall. I'm using the captive portal + RADIUS.  I've been wanting to move away from captive portal to PPPoE.  I noticed that PFsense had PPPoE server built in, so I tried it out.

    One thing I noticed right away was very slow FTP session.  Games had a really hard time working well also.  And the captive portal was very, very slow.  If 5 or more people were logging in at the same time it would just die.  The box would just die about twice a day.  I'm running on a 1GHz system with 512MB RAM.  It should be flying.

    The RADIUS accounting didn't work either.  It would show users logged in multiple times and didn't track their usage very well.

    PPPoE would have been great, but there is no per user bandwidth monitoring.  No RADIUS interim updates.

    I only used it for a week, and I just could not get around the problems.  I switched back to m0n0wall and things are fine now.  I will keep my eye on PFsense and continue to test it, but I can't use it in my production environment.



  • Can you tell us what version you used that showed these problems? Concerning the captive portal I have to agree that it is slower than m0n0's CP atm. We haven't found the issue yet. The CP is nearly a 100% copy of the m0n0 code so all other features should work the same way like with m0n0. However I hope that we'll find the issue that causes the capture page to be that slow.



  • I'll say this again, I have a site that has 3000 users, 300 concurrent sessions on the captive portal and the site operator has never complained about it being slow…



  • @hoba:

    Can you tell us what version you used that showed these problems? Concerning the captive portal I have to agree that it is slower than m0n0's CP atm. We haven't found the issue yet. The CP is nearly a 100% copy of the m0n0 code so all other features should work the same way like with m0n0. However I hope that we'll find the issue that causes the capture page to be that slow.

    These tests actually have been done on wraps and on these platforms the CP is slower compared to m0n0wall. pfSense doesn't aim at these  platforms but I hope we can speed it up there as well some day.  ;)



  • I've run 1.0b2 for 6 months without a problem functioning in the following fashion, before that beta .84 for at least 4 months. Both downtimes were not because of pfsense… one was from a failure in the generator to kick in and the other was someone tripping on the cord... oooops.

    1. PPTP server for about 5 users (with using LDAP to AD2003)
    2. IPSEC site-to-site link with two sites
    3. DHCP
    4. DNS
    5. NAT

    Dell Poweredge 1550
    dual 10/100 nics
    512megs ram

    Older versions had a problem with the web config crashing... ssh in and kill the hung php process... no downtime though. Since version 1.0beta2 I haven't had any problems running the stuff mentioned above; the only areas of problems that come up for me are with my atheros wireless card (trying to run an all-in-one box at home), where the driver takes a dive when transferring large files.



  • Hi ZGamer

    That sounds very promising. I'm looking at putting PFSense on a DELL PE860 2.8GHZ Pentium D with 512MB RAM. I'm hoping the hardware will work with the latest build.

    Anyone got any good reports on running 2 boxes with CARP, mainly for failover. I'm also considering doing this.





  • It's the best…..really

    I have many clusters over the world now... with one site with more than 4K users and more than 50K sessions per second full time. Some of them running pptp server with more than 50 concurrent connections, some having outgoing loadbalancing over multiple WAN...

    Pfsense is stable, reliable and fucking powerful

    It Roxxxxxxxxxxxxxxx



  • @Juve:

    It's the best…..really

    I have many clusters over the world now... with one site with more than 4K users and more than 50K sessions per second full time. Some of them running pptp server with more than 50 concurrent connections, some having outgoing loadbalancing over multiple WAN...

    Pfsense is stable, reliable and fucking powerful

    It Roxxxxxxxxxxxxxxx

    ;D :) ;D :)



  • I don't know what I did wrong with my config then, because I can't get 100 users on a PFsense box without it blowing up on me.  I would like to take a look at your config.xml file for one setup with load balancing + captive portal.  FTP and Games must work to keep customers happy.  M0n0wall works great, but does not do load balancing, so we have to run two boxes and split our network up.

    When I configured mine, FTP would not work right, or was very slow, and games didn't work.  The biggest problem I had was the captive portal blowing up and crashing the box.  We are using the Perimeter™ B2/B4 Firewall (1GHz VIA C7, 256MB DDR2 533, 256MB IDE-Flash).  We have 100 users, normally 60-70 at a time.



  • pfsense 1.0.1 has been running rock solid for 157 days (with UPS) without error as my NAT PPPOE router and PPTP VPN server at home on old hardware and has transferred around 100 GB + by now.

    Look at the attached screenshots for some more details.

    I've been using pfsense since pre 1.0 without much hassle except for some trouble with outgoing ftp connections through nat (ftp helper doesn't work very well). Games work flawlessly with pfSense.

    System Specs:
    Version: 1.0.1 release
    Platform: pfsense (HDD)
    Packages: snort, openntp and some more
    Total Uptime: about 200 Days +
    CPU: Intel P1-233MHz
    RAM: 128MB
    NIC: 3x 3Com 3C905C
    WAN Type: PPPOE, dynamic IP, German ISP with 24 disconnect

    Great work pfsense team, keep it going on!

    ![pfsense uptime.JPG](/public/imported_attachments/1/pfsense uptime.JPG)
    ![pfsense traffic.JPG](/public/imported_attachments/1/pfsense traffic.JPG)



  • Yeah, pfsense is bitchin. I've been using 1.2 Beta 1 for 3 months now and haven't had a single failure. I moved off Microsoft's ISA 2004 firewall.



  • @tacfit:

    I moved off Microsoft's ISA 2004 firewall.

    :o   thank goodness for that!  :)

    Back in the day, I set up OpenBSD at my network edge and built the pf.conf by hand, mainly to learn, and liked it a lot. Eventually I got lazy and set up a soekris/m0n0wall, but wished it was openbsd based or at least had pf. Then I heard about pfsense, but I just sort of followed the progress forever and never tried it. Eventually my network expanded and outgrew m0n0 and I required some of pfsense's better features like loadbalance, and I'm pretty impressed. I don't use captive portal nor have tons of users, I just have a handful of very bandwidth hungry users, and I wouldn't use anything other than pfsense at this point.

