Why PFsense sucks



  • PFsense works. Ok. but after that it's pretty much a maze.

    Examples

    It's really easy to switch a dynamic Ip address to a static ip address with one click. Ok. Then try finding any way to delete that static setting back to a dynamic setting. Good luck.

    Go to the interfaces menu and choose WAN. Just click on the innocuously named 'insert local mac address' and voila your internet connection is gone, forever. Win 7 just will not reconnect under any circumstances (even a complete reinstall) because PF sense has turned your local system off. Hope you have a 2nd computer that can access PFsense and hope you have a backup of PFsense setting so you can fall back because if not you are SOL.

    Try setting up WHS remote access (Windows Home server for those here who always ask what is WHS) Good luck. WHS UPnP setup works on every router available from $20 cheapstreet routers to $3,000 ones however PFsense accepts the settings from WHS and then simply ignores them (really)

    and many many more.

    I actually like PFsense and I use it but it truly sucks.

    (oh yeah and i'm sure somebody here will say 'but it's so easy to do so & so' well yeah it may be 'for you' but that sort of makes my point (this being the PFsense user board)



  • I think the subject could be changed to Why Newbie/windows admins sucks.

    If you can't configure your pfsense with your windows(arg!) services, buy some support hours from core team to do it for you.

    As it is an open source firewall, you can get all your knowledge and help the project instead of complaining.



  • As you mentioned, there are many other possibilities to use than only pfsense. Switch to whatever you like.



  • @memorymajor:

    Go to the interfaces menu and choose WAN. Just click on the innocuously named 'insert local mac address' and voila your internet connection is gone, forever. Win 7 just will not reconnect under any circumstances (even a complete reinstall) because PF sense has turned your local system off. Hope you have a 2nd computer that can access PFsense and hope you have a backup of PFsense setting so you can fall back because if not you are SOL.

    Sadly, that's a user problem.  All you need to do is temporarily change the NIC mac on the windows system to re-access the box.



  • @memorymajor:

    PFsense works. Ok. but after that it's pretty much a maze.

    Examples

    It's really easy to switch a dynamic Ip address to a static ip address with one click. Ok. Then try finding any way to delete that static setting back to a dynamic setting. Good luck.

    Services > DHCP Server > oh shit, the mapping it's there and there is a one click button to delete it… too complicated...

    @memorymajor:

    Go to the interfaces menu and choose WAN. Just click on the innocuously named 'insert local mac address' and voila your internet connection is gone, forever. Win 7 just will not reconnect under any circumstances (even a complete reinstall) because PF sense has turned your local system off. Hope you have a 2nd computer that can access PFsense and hope you have a backup of PFsense setting so you can fall back because if not you are SOL.

    You should know how to use a feature before you actually use it… it's not a pfsense problem.

    @memorymajor:

    Try setting up WHS remote access (Windows Home server for those here who always ask what is WHS) Good luck. WHS UPnP setup works on every router available from $20 cheapstreet routers to $3,000 ones however PFsense accepts the settings from WHS and then simply ignores them (really)

    so, it's a bug? you are sure? REALLY???? then report it, the pfsense team will be very pleased to address this bug on the next update.

    @memorymajor:

    and many many more.

    I actually like PFsense and I use it but it truly sucks.

    (oh yeah and i'm sure somebody here will say 'but it's so easy to do so & so' well yeah it may be 'for you' but that sort of makes my point (this being the PFsense user board)

    Many more like what?

    And finally, if you don't like pfsense, there are many other open source firewalls, give one a try

    Firewalls
    http://www.endian.com/
    http://www.smoothwall.org/
    http://www.clearfoundation.com/
    m0n0.ch/
    http://www.ipcop.org/
    http://www.brazilfw.com.br/

    and many more…



  • pfSense is not a perfect product, but with your help it can be made better. Unfortunately your post lacks the necessary details for anybody to offer any substantive help.

    If you are sincerely seeking help with your issues then you would be wise to separate each one into a separate thread in the appropriate section of this forum, and there provide the standard information that one should include when posting in any help forum (software versions, expected/observed behaviour, steps to reproduce, etc).

    If, on the other hand, you just came here to rant, then see the above responses. :)



  • @memorymajor:

    Try setting up WHS remote access (Windows Home server for those here who always ask what is WHS) Good luck. WHS UPnP setup works on every router available from $20 cheapstreet routers to $3,000 ones however PFsense accepts the settings from WHS and then simply ignores them (really)

    Do you ever set up NAT and firewall rules? I'm using an http reverse-proxy on my box so I knew it would not work correctly with UPnP. Just create port forward rules for TCP 80, 443, 4125 and point them to your WHS box.



  • I hope you don't work in IT… People like you give us a bad name. Study up before you come on here spewing your bullshit.



  • It sounds like the complaint is this: "pfSense is powerful enough, and gives the user enough control, that the user is capable of shooting him/herself in the foot if they do something stupid."  The poster would rather have a dumbed down appliance that does a whole lot less, while requiring less of the user.

    I like power and control, and I understand that with that power comes risk.

    It sounds like the OP would do better with a different solution.  And no matter what, the OP should definitely stay away from any of the Unix/Linux versions out there.  Did you know that if you log in as root (the only user the system comes stock with) and accidentally run "rm -rf" from the top directory you'll delete everything on the server?  Worse, this bug has existed for more than 40 years!  It must be total crap…



  • @Derek:

    It sounds like the complaint is this: "pfSense is too powerful, and gives me too much control, that I am capable of shooting myself in the foot when I do something stupid."

    There, fixed it for you.

    @Derek:

    I like power and control, and I understand that with that power comes risk.

    And thus great responsibility.



  • Well..not worth saying that this kind of post should be avoided when dealing with any open source project. If you don't like a product clearly state why and, most important, how other projects face the problem. Otherwise it is just like saying you don't like pfsense because of the icons in the web interface….

    Now, to get it real, I was used to have several linux firewalls and hardware gateways (e.g., zywall). I switched to pfsense a few years ago, and I'm amazed. First of all FreeBSD is probably the best operating system in the open source landscape. Second, pf is surely the best packet filtering. Third, the support (even not commercial) is great. Of course, all you get for free requires at least you study and understand it. Do your homework.

    Finally, what makes you think that it is the pfsense product that is a mess and not your IT skills?



  • @memorymajor:

    "PFsense works. Ok. but after that it's pretty much a maze. "

    Seriously I hate saying this but talk like this makes you seem worse than a Newbie. You're the kind that thinks you're an IT pro and can't tell your ass from your face. Pfsense is the least complicated thing out there to get working. If you don't know what port forwarding is then you should take up knitting and pay someone to help you.

    If you came on here to ask Questions, use the search! But flat out saying it's complicated! disconnect your router turn off your pc firewall and plug your computer directly to your modem there is nothing to worry about.

    :(



  • You know what?  After using PFSense on and off in the past year or two, I agree with you.  I did a lot of work with it when I needed to create a wireless (WAN) to wireless (LAN) bridged network.  After frustrating native driver support, I decided to go with Win XP and NAT32 instead.  It worked very well, especially since OEM driver support was WAY better than BSD.  And, really, the lack of 802.11N on BSD was another buzz kill.  Anyways, even when I got PfSense to work well with the wireless bridged network, I noticed a lot of cludgey or unstable things about PfSense.  I've worked in IT for over 12 years with enterprise J2EE software.  When we come across middleware that acts up when you change a setting, and STILL acts up after you revert back to the previous changes, we call that middleware UNSTABLE.  I mean, a stable system should revert back to its initial conditions when all modifications or changes are rolled back.  PfSense?  Nuh uh.

    Anyways, I've had to revert back to PfSense recently since WinXP only supports ad hoc networking for host ap mode.  I figured things must have improved since I was on 2.0 beta a year ago.  It did seem to be more stable at first and working well.  However, I'm now realizing that PfSense does weird things under the covers that makes the system still unstable.  For example, last night I connected our WAN to a new AP and made some changes to the WAN settings–I selected to block private networks.  I also have the WAN persist changes.  When I reboot, it starts up fine and connects to the AP; but, I'm no longer able to go out to the Internet.  WTF?  I also notice that PfSense can no longer detect updates.  So, that means it's not able to connect to the remote build server.  So, I try to ping from the machine to the yahoo.com.  No response.  I remember in  the past, when things like this go awry on the wireless WAN interface, rebooting several times some how miraculously works.  So, I reboot a couple of times, and lo and behold, it's working again.  WTF???

    Oh, and another weird thing I've noticed is that before, if you scan for wireless networks and the wireless interface is on a certain channel, PfSense will only detect AP's on that channel.  It was like that in Beta and in the final release build.  Some time since last night, and I did not update the build since I first installed PfSense a couple of months ago, I've noticed that no matter what channel I put the interface on (not auto), it will now scan ALL channels on the wireless status page.  WTF???  When did THAT change?  I mean, I'm not upset by that, because I think that's how it SHOULD work; but, it wasn't working like that before.

    I could go on and on about weird, quirky things like this in PfSense.  But, what's the point?  At the very least, though, I think people should be aware that it's somewhat cludgey and unstable.



  • I was a bit surprised to see Windows XP, although chunking up lots of CPU usage compared to PfSense on the small Asus 2g, actually held its own in terms of battery performance.  Both builds run approximately 2+ hours on an old battery.  Pretty impressed.

    And now you do a 180…

    I think I'm more in agreement with marcelloc...

    I think the subject could be changed to Why Newbie/windows admins sucks.

    If you want to express your input on the project, why don't you use your 12 years experience and help by helping to fix any alleged problems?

    1. Bring your problems to light.

    2. Show how to reproduce.

    3. Help by testing the fixes.

    What you have complained about would be good to understand and get fixed if it exists. The devs here have built a first class product and would not want to have issues hanging out there.



  • @memorymajor:

    Go to the interfaces menu and choose WAN. Just click on the innocuously named 'insert local mac address' and voila your internet connection is gone, forever.

    "I created a MAC address conflict, why does my network no longer work?"

    Obviously you have no idea what you're doing. What you did there will break every network device on the planet.



  • @chpalmer:

    I was a bit surprised to see Windows XP, although chunking up lots of CPU usage compared to PfSense on the small Asus 2g, actually held its own in terms of battery performance.  Both builds run approximately 2+ hours on an old battery.  Pretty impressed.

    And now you do a 180…

    No, not really.  I was actually surprised that Win XP wasn't as much of a drain on the battery as I thought it would be.  I am pretty damn impressed by the way Win XP runs on that little guy as compared to a X-Windows-less system like PFSense on FreeBSD.

    Yes, and I still stick by my assertion now: I really do think PfSense, although nicely architected, is poorly implemented.  For instance, just now I could not log onto the LAN interface.  I was connected to the host_ap interface and received a DHCP lease on that subnet.  So, why wasn't I able to log on web configurator much less ssh or ping that machine???  Even after many reboots and debugging exercises, I had to move config.xml to / and then restore the entire system from factory default.  Then, after it rebooted and I went through that whole initial config spiel, I recopied config.xml from / to cf/conf.  I rebooted and only THEN was I able to get on web configurator.  I mean, WTF???  It was working fine one minute, then completely hosed the next??  I don't get it.

    And the weirdest thing is, I think the entire firewall table is hosed now.  I can see that the wireless WAN interface has a DHCP lease from our AP; I can see the IP information through ifconfig; but I can't ping any host on the Internet.  I went to check the NAT and firewall rules and everything seems to make sense.  So, I deleted all the rules, etc…, and recreated them, rebooted, and I still cannot ping any host on the Internet.  WTF???

    You know what?  I give up.  I'm going back to Win XP and NAT32.  To hell with infrastructure AP.  I'm telling my guys to use their tablets at home.



  • More than 100.000 installs and you really think the problem is with pfsense?
    I don't think so.

    Windows xp is old, insecure and full of bugs.
    Real IT Administrators don't use Windows xp for anything.
    Try something else, grow your knowledge.

    Go to console, do some tcpdumps.


  • Netgate Administrator

    As a standard install I would expect Windows XP to have far better power management than pfSense.
    pfSense is not expecting to be running on a laptop. By removing or disabling many power management features that are present in FreeBSD the standard pfSense install is more stable and more secure.
    That doesn't mean to say that you can't add those same features back in your install. I have reduced the power consumption of my own box quite considerably by playing with the options but I also crashed it a number of times by enabling things that weren't fully/correctly supported by my hardware.

    I will agree with you that wireless networking is not pfSense's strongest feature! I am using a mini-PCI card as an AP myself but I had to do some tweaking to get it running reliably.

    I'm sorry that your pfSense experience hasn't been a good one.  :(

    Steve



  • I can't decide if this was a troll or if this guy was legitimate.  I'm not sure which would be funnier.



  • @submicron:

    I can't decide if this was a troll or if this guy was legitimate.  I'm not sure which would be funnier.

    My thoughts exactly…

    Hmmm, pfSense or WinXP+NAT32, that's a tough decision  ;D



  • Here's even more weirdness about PfSense.  So, even after reloading the filters and rules that I recreated last night, PfSense would not see past the external gateway.  I checked the routing tables, deleted the routes, rebooted, and rechecked the tables.  Looked fine.  Anyways, still, I couldn't ping anything outside of the local domain on the WAN interface.  It was late at night, I left it alone and went to bed.  The next morning I check it out and it's miraculously working!!  WTF???

    I run this setup on a small ASUS 2G Surf laptop.  It's really no different than the network appliances you guys recommend people to use for PfSense.  Sometimes our gateway will be mobile using a long range point to point connection.  Most of the times it will be local.  It is important for me to test the current draw using either system.  I also notice the snide remarks and all I can say is sorry to crap on your beloved software.  From my experience, wireless as the WAN interface just blows.



  • mililani … I agree that wireless as a WAN sucks. But for me that sucks universally. pfSense once tweaked was still more stable than the last wireless for WAN that I used. That didn't last long as it was temporarily borrowing WAN from a friend while I waited for hookup.



  • @mililani:

    I also notice the snide remarks and all I can say is sorry to crap on your beloved software.  From my experience, wireless as the WAN interface just blows.

    The snide remarks were more in response to your comparison between pfSense and WindowsXP+NAT.  It's true that wireless as your primary Internet connection is painful at best, but it's not exactly fair to blame pfSense for that.



  • I have to stop reading this thread as it just cracks me up. I'll agree that wireless support sucks but that doesn't have to do with pfSense for the most part but with the FreeBSD OS that is the foundation for pfSense. Check out the forums at freebsd.org and you will notice that wireless interfaces aren't 100% stable. This has to do with the drivers that are developed for FreeBSD. You just can't try a card in the box and expect it to be 100% stable without researching the wifi card and its driver for freebsd. There are some cards that are 100% stable and users love them.

    If you have to use a wireless wan, do some research on this forum and freebsd.org and find a card that everyone agrees is stable or just go out and buy a Wireless AP to handle the wifi part and connect it to your pfSense box.


  • Netgate Administrator

    @Cino:

    You just can't try a card in the box and expect it to be 100% stable without researching the wifi card and its driver for freebsd.

    I think that says it all. For many people that is a reason why pfSense sucks. For a M$ based solution (and increasingly Linux) you can just try a card and have a reasonable expectation that it will work well.
    As pfSense becomes more popular it is inevitable that more first time users are going to be disappointed. There are probably far more satisfied users but most of those don't complain.  ;)

    Steve



  • Why on earth would anyone complain for a piece of software that is FREE and free to change to anyway you like. Opensource is about collaborating and sharing of knowledge. The developers have given a lot to the project without asking you for a single dime (but of course you can donate or purchase support which would help them a lot to get more full time developers). I have these routers running in production environments for business where it is critical to them. Yes I am facing many problems but this forum itself is paying off as I would have been paying thousands of dollars for similar knowledge from other solutions. Please think before blaming anything.

    Eric



  • lol….What a great thread!  Reminds me of the MaximumPC threads back in the 90's.  I had figured that most trolls had by now contented themselves with participating in flame wars on YouTube comment threads...this OG troll is kicking it old school.  Bravo!!



  • @stephenw10:

    I think that says it all. For many people that is a reason why pfSense sucks. For a M$ based solution (and increasingly Linux) you can just try a card and have a reasonable expectation that it will work well.

    And do not forget that if you are going to build a decent firewall (and a server too), you first have to select good hardware, check that it is compatible and then install and run it. There is no point in being able to support a low-cost crappy wireless card if only a few are running a firewall with it; supporting good hardware matters most. This is not meant to be that FreeBSD (and pfsense) do not have to support all the hardware, but having a priority to good and server level one. That is my opinion.



  • @stephenw10:

    @Cino:

    You just can't try a card in the box and expect it to be 100% stable without researching the wifi card and its driver for freebsd.

    I think that says it all. For many people that is a reason why pfSense sucks. For a M$ based solution (and increasingly Linux) you can just try a card and have a reasonable expectation that it will work well.
    As pfSense becomes more popular it is inevitable that more first time users are going to be disappointed. There are probably far more satisfied users but most of those don't complain.  ;)

    Yeah this entire thread can be summarized as FreeBSD's wireless drivers for some cards really suck, and on the rest the guy has no idea what he's doing, things like creating MAC address conflicts and wondering why the network breaks.

    But Linux has much the same issues with drivers, you really have to research your cards before you buy one especially since many of the bigger manufacturers (DLink, Linksys, etc.) will change the chipset used in their cards without changing the model # at all, so even finding a working model # on some cards is no assurance you're going to get the same card they used to sell under that model.

    It looks like the situation with wireless will be getting a lot better with FreeBSD 9. Adrian Chadd has done quite a bit of work in FreeBSD 9 for a commercial software company that uses FreeBSD in their appliances and relies heavily on wireless. I have hopes that will be a great step forward on wireless.

