Why should I use pfSense?
I had an IPCop box that the motherboard died in. Right now I'm just using a DD-WRT router until I put together a new box. I was looking at some stuff on Linux firewalls, and I kept seeing posts in forums and such saying that pfSense is better. What I want to know is why. I've spent a few hours looking into pfSense along with some other firewalls, and I am definitely interested. I especially like the Stunnel, because I think that I might be able to use it with HFS (http://www.rejetto.com/hfs/). The dual WAN seems to be a big selling point. I am interested in that because I have a cable connection, and have always wanted to add a DSL connection since I'm always seeing ads for $15 a month deals. Anyways, I have a few questions, and I would also like to hear why you guys use pfSense.
I also heard that the VPN works with the Windows VPN client, is this true? (Honestly it's not that big of a deal to me, I have other means that I can create a VPN.)
My main concern is speed. I want my network to be as fast as possible. Is pfSense faster than other firewalls?
I'm interested in the wireless support, but I was wondering if it's like IPCop where it's a separate LAN, or is it more like a commercial router where it's just an AP, or can you do both?
I thought that I saw somewhere that it has URL filtering, but I can't seem to find where I saw that. Does it have URL filtering, and if so which black list does it use?
What's the deal with Snort?
One of the features of some of the other firewalls is virus checking. This was something that I planned on putting on my IPCop box, but after thinking about it I wasn't sure if it was a good idea. It seems to me that checking each packet will reduce the speed of my connection. pfSense doesn't seem to have this ability. What are you guys' thoughts on virus checking at the gate?
The hardware that I will be using is:
2.13GHz Celey socket 478
1GB (2x512MB dual channel) DDR333
ASRock Intel based microATX motherboard
Intel gigabit NIC
3com 100mb NIC
VPN with Windows client: if you are talking about PPTP: yes…
is pfSense fast? yes...
wireless support: AP-mode, client mode, bridged to another net or building a separate network... all is possible...
url-filtering... can be established with the squid-package available in the package section
snort is also available in the package section
virus checking... be patient... there's something in the pipeline... takes some time i think... but will come... but virus checking can make things dead slow...
at least you should think about changing your 3com nic to another Intel-NIC... they are faster and work more reliably... there are some known bugs with 3com on FreeBSD... or at least it does not work as smoothly as the intel fxps...
Sorry, I don't really get the whole packages thing. Do they come with the install, and just have to be enabled? Or are they like IPCop addons where you have to do some command line?
That sucks about the 3com card. I bought it brand new just for this project. It's supposed to be really good.
I guess I could use the built-in LAN, but it's VIA based. I also have an Edimax Realtek based NIC. I guess I could pick up another Intel NIC. I have some stuff to sell on eBay anyways. I only have 3 PCI slots on the board, so if I was going to have dual WAN and a wireless card I would have to use the onboard LAN. I guess I could use it for the crappy DSL. Sorry, just thinking out loud.
Any suggestions on which Intel NIC? It's for my WAN, so I don't need gigabit. And which wireless adapter do you guys suggest?
url-filtering… can be established with the squid-package available in the package section
But is it one that I can use with a black list, or do I have to manually enter in the URLs that I want to block?
The package thing is available in the full install, not on embedded platforms, but you will do a full install, because you do not have an embedded platform… so there's the package manager, you can install packages via the webgui in this manager, and after that it's enabled...
Until now there's not a processor for blacklists, you have to manually enter the URLs...
you can have a try on the 3com nic, but i tested it and it did not run very well... have a look at eBay or elsewhere for 100mbit intel nics, they are also available as dual-port nics... they are not very expensive and work really well...
I use the dual-port-server-adapter 10/100 and it works like a charm...
Checked prices for Intel NICs on Newegg, and then checked eBay, and wow eBay is way cheaper. So if I got the dual port NIC, do I have to have 2 connections right now, or can I enable that later?
So no black list huh, hmmm….. that sucks
Well, it's not that big of a deal. I already block everything on my desktops with adblock. I was hoping that it might help reduce spyware and such, but I don't seem to have any real issues there. I never seem to get any viruses or spyware, except tracking cookies. I guess it can't have everything.
you have got 2 connections from the start… they are recognized as 2 different nics and in a future version you can bundle them with FEC and else ...
and for the blocklist:
just paste the adblock content to the blacklist field in the squid package
OK. I'm almost sold. I just have one more question, and I'm going to repeat one from my original post.
You said that it's fast, but is it faster? Like is it faster than IPCop, Smoothy, etc… I actually want to know if it's faster than ClarkConnect, because I've been trying to decide between these 2.
So what do you like about pfSense? or What makes you use pfSense over other firewalls?
Any of them will perform basically equally, assuming your hardware is adequately sized. On some hardware FreeBSD (hence pfSense) is faster than Linux, on some Linux is faster than FreeBSD, but on most it's mostly a crap shoot. The main performance considerations are how much bandwidth can it push, and what packets per second rate can it handle, all without drastically increasing latency. None of that is a concern with either OS with properly sized hardware because you'll have something with adequate capacity that the small differences that may be present won't matter.
It really shouldn't be a consideration in which to choose - look at other things.
One exception might be if you're forced to push a lot of traffic through a slow machine. In that case you want m0n0wall 1.2x, it's based on an older FreeBSD release that blows away Linux and the new FreeBSD release pfSense uses - with slow, undersized hardware (talking sub-300 MHz and 50+ Mb throughput requirement).
I had heard that m0n0wall was really good, but it doesn't have squid which is why I won't use it. Squid is a must have for me.
So if pfSense isn't faster, then it must be the features. The feature that I want from pfSense that the others I'm looking at don't have is the SSL wrapper. Basically I'm just trying to decide which firewall to use. I have seen a lot of posts by people in various forums and such that say pfSense is the best, but they don't say why. They're generally statements like, "pfSense is way better", or something like that. What I want to know is why is it better. What is it about pfSense that you guys like better than the other firewalls? Honestly I've been considering this and ClarkConnect. ClarkConnect has a much better website IMO, and I can see its features very clearly, and everything is laid out so that it's easy to understand. I just can't seem to get the same out of pfSense's website, so I came here to see what was great about it. On the other hand I have yet to get on ClarkConnect's forum. I have been waiting for a confirmation email so that I can log in, but I think that is probably due to the crappy secondary email account that I used to sign up, I think it's jacked up right now because it doesn't seem to be receiving any new mail. Sorry for the tangent.
So why do you like pfSense?
Why not try out pfSense and judge for yourself. You are asking questions that will obviously result in biased opinions.
It's a liveCD. Pop it in and start playing around with it… you're wasting valuable time waiting for biased answers when you could be experimenting on your own :)
Well the hardware is being used for a server at the moment, and doesn't have all the hardware it needs right now, so I can't really do that yet. I do this a lot, I start thinking about something and can't get it out of my brain until I figure it out. Maybe it's because I'm a Virgo. You do have a point, there are other things that I should be doing right now, but to be honest I enjoy this stuff.
Who the hell else am I going to ask about pfSense? It only makes sense to ask the people that use it about it.
Well, grab a copy of VMWare (there's a 30 day trial) and play with pfSense there. It's simple and painless :)
As for who else to ask - sullrich's point is very valid - people here are naturally going to tell you to dump your current choice and use pfSense.
VMware Server is completely free btw and will run pfSense just fine.
OK I'll check it out.
you say that squid is a must for you
you know that when you use squid you only use the first wan and never the second wan ??
squid and all other applications that run on the pfsense server can only make use of the first wan
No I didn't know that. Thanks for telling me, that's pretty important.