How much more secure is pfsense compared to normal routers?



  • Hi,
    I've been using a typical home Netgear wired router (which I assume probably runs Linux) and I'm guessing it is hardened. My question is: would I really be gaining any extra security by using pfSense? The extra features (like packet shaping!) are great but they are not essential. I was just drawn to it because of the security aspect, but now I'm not totally sure, very confused at the moment!
    Any advice appreciated!



  • Come on guys! I've got the hardware all ready :P, just want to know I'm making the right decision.



  • A firewall is only as secure as it is configured to be.

    I'd say that on most SOHO routers the default config is already quite secure, but you don't have many options/features to configure.
    With pfSense you have a router that can do stuff only routers in the upper price segment can do (aliases for rules, time-based rules, multi-WAN, traffic shaping, failover, etc.).

    With so many options available there's always a bigger risk of misconfiguration.
    So if you misconfigure your pfSense you can easily end up with a pretty insecure network, but I hope that's not the case ;)



  • What GruensFroeschli said.  :)

    pfSense gives you the ability to be much better off than your typical SOHO-grade Linksys/Netgear/D-Link/etc. equipment, though in a default out-of-the-box config there isn't much difference from a security perspective. You have substantially more flexibility with pfSense, which always means substantially more complexity.

    This isn't an easy question to answer without specifics about your network and how it's configured now. If you can detail your current setup, maybe we can offer suggestions as to what you could improve with pfSense.



  • Thanks a lot for the replies :)

    I'm not too worried about misconfiguration, I was using IPCop for just over a year and it worked out OK.

    Network setup is very simple, it will just be 2 PCs connected to a switch; the switch connects to one interface while the cable modem connects to the other. I actually built a VIA Epia machine, which is low power usage and fanless and has 2 NICs onboard, just for this purpose, but I didn't think it through :( , I just assumed my network would be so much more secure for some reason.

    As for the rules, I just forward some ports for Azureus and that's it, no servers running behind the network etc.



  • For Azureus you might want to look into the UPnP feature (since Azureus is UPnP-capable).



  • It also depends what your need is. iptables isn't going to stand up against a real audit, but it will protect your home network just fine. There is nothing "worse" about a homebrew firewall vs a Linksys other than the lack of plug and play (not UPnP, but the ability to make it work dumb).



  • @spudgunman:

    it also depends what your need is, iptables isn't going to stand up against a real audit.

    I guess it's good we run BSD and not Linux then!  ;D  The packet filter we use, pf from OpenBSD, is used by some of the highest security network environments in existence. It's used by a number of government agencies around the world, Fortune 500 companies, etc.

    pf is proven enterprise class, and would stand up fine to a "real audit" (if configured properly). Though for that matter, iptables configured properly would stand up to a "real audit" as well.



  • Thanks for the replies everyone.

    I've taken the plunge and set it up. It took a whole day because I had to rewire everything as I wanted the server in the loft, however it's all done now and working.

    I've got a small problem though: my broadband speed has dropped. I'm on 4 meg and used to be able to download at 420kb/sec and now my max is 30. I have no idea what's wrong, either it's a coincidence and something's wrong at my ISP's end, or the pfSense box is causing it, which I doubt.

