• Hi, I need some answers as to what pfSense is capable of.  Here is a short list that excludes many of the basic features…

    We need to...

    1. assign up and down bandwidth rules to devices, networks, users and groups.  (easily slow down, speed up, or block apps like Facebook for a specific user at a specific time),

    2. easily implement a rule scheduling system with granular support,

    3. real time monitoring by user, ip, macs, device, service or circuit...  (not talking about logging here), instead we need to see in real time the results of changes to bandwidth, firewall, schedules and throttling rules,

    4. easily create a voip setup that always prioritizes its traffic above everything else, and releasing that bandwidth back to other traffic if voip traffic is not present,

    5. full logging and reporting,

    6. easy to understand the "from what perspective does the rule apply", where the dialogs and/or wizards are very clear about whether it's external or internal, of a device, (there's been lots of confusion with other competing products regarding this)

    7. Virus detection with auto blocking and bypass provisions via a username/password dialog in the case of false positives or whatever.

    8. Spam detection with auto blocking and auto emails stating that the specific email was blocked and a bypass provision that allows easy access to the blocked email,

    9. Full NATing and routing,

    10. Is there any way to configure pfSense to detect and stop a virus coming from one machine over the Lan from infecting other Lan users from something like a flash drive infection?  The idea here is to isolate the virus to the originating system and stop any other infections from occurring.

    11. How can pfSense protect from the various Ransomware viruses that encrypt data on network shares and local machines?

    12. More to come...

    Please list any add-on products needed to provide the functionality if the pfSense base full install doesn't provide it.

    We've been using Microsoft's ForeFront Gateway TMG 2010 for the past 3 years with a Bandwidth Manager add-on product installed.

    Currently, I'm using Sophos's software version on an Intel I7 box, however if I can get a pfSense install working as needed, then we will go that route.

    Any suggestions are highly welcome as I am completely new to pfSense.


  • You're going to be disappointed.  Mostly because I think you have an incorrect view of what a router & firewall do.

    If you really need all that then you're better off with a few separate network appliances plus software on your client computers for AV.

  • Thanks Jason for a quick reply…

    Really...  Is pfSense really that lacking?  Hard to believe after digging around in here.  As for my views, I have been doing much of what I would be asking pfSense using TMG with bandwidth manager and Sophos, so let's go thru the list again...

    Regarding my questions:
    1. I used TMG with bandwidth manager for the past 3-4 years with great success and now I'm using a trial version of Sophos both of which do this very well,
    2. same as 1, however Sophos is harder to set up with many more steps involved,
    3. TMG does an excellent job at this and while Sophos does some of this, I've had to dig thru the logs for the simple throughput numbers.  The Bandwidth Manager for TMG really makes this easy,
    4. I've done voip on both and both take a fair amount of time to configure correctly,
    5. Sophos has more in depth logging and reporting than TMG, however TMG's logging has always been adequate for us,
    6. TMG is much easier than Sophos regarding the perspectives,
    7. No current Virus protection in TMG as it is discontinued, however Sophos is very rich, however it would be better if it offered a bypass mechanism,
    8. No Spam mechanism in TMG, however Sophos is very rich, however it too needs a bypass mechanism,
    9. Both TMG and Sophos do this very well and easy to understand,
    10. This is just a general question of whether this is doable with pfSense or not,
    11. Great Ransomware protection with Sophos, and none with TMG,

    I've been using client side AV for many many years now and have come to not totally trust it due to a whole host of issues, therefore if a centralized lan solution that could actively participate in overall lan protection.  Just a thought that would be nice to implement if it was capable,

    Also Jason, it would be more helpful if you could elaborate on the go and no-go feature set I've discussed, as the "I'll be disappointed" answer doesn't give me anything to work with...

    Thanks, Stanley

  • Read this


    I'm only saying that because you have a lot of questions which really isn't that much of a problem but it would probably be more efficient to read the docs. Also, from what I hear, if you become a Gold Member you will then have access to the most current pfSense guide. Don't panic though. A pro is sure to help you out but in the meantime you can do some reading to see what it is capable of.

  • I generally haven't had much luck in the past posting a long list of criteria and then sitting back and waiting for others to do my homework for me.  pfSense isn't a total security appliance; it's a firewall with some addons.  A lot of your questions could be answered yourself if you would take the time to play with it for 30 minutes. You can find a list of features here:


    Wikipedia even has some answers to your questions here:


    If you make an effort to show that you've at least spent some of your own time trying to find your answers, others will be more willing to spend their time in helping you.

  • if you become a Gold Member you will then have access to the most current pfSense guide.

    Interesting that a Gold member has a better guide than an evaluator, or someone with a long list of questions such as I…

    if you would take the time to play with it for 30 minutes.

    So far I've spent probably 5-6 hours doing web searches and documentation reads which is why the specific question in the specific areas.  Plus, it will take another 3-4 hours to find a machine, do the install and config a base network and voip install, and temporarily replace the trial Sophos gateway, before getting to play with it.  So, it's certainly not a 30 minute ordeal.

    I was hoping that some qualified user could do a quick run thru of my list saying yes, yes, no, maybe, use this addon or that addon, so I could either move on or dedicate more resources to pfSense.  More like a high level flight overview with pointed questions stemmed from incomplete explanations or from my previous experiences with TMG, Sophos, and other AV products.

    Then I get a "I'll be disappointed" message and a "which really isn't that much of a problem" message causing me to wonder if pfSense is not as full featured as TMG and/or Sophos.  So far no one has mentioned any of the addons by name needed to do what my list indicates so I can do further research.  And some have mentioned multiple devices are needed to achieve my list's functionality.  Are they too open source, and if so, names please.

    So, one last question...  Is Sophos a better product to do the basic firewall stuff plus the functionality on my list?  I know there is a cost for the rich feature set, but there always is even with pfSense.  If something free (open source) can't do the job, then free really doesn't matter.

    BTW, I am spending time with all the articles that have been referenced, and thank you for them...

    If you make an effort to show that you've at least spent some of your own time trying to find your answers, others will be more willing to spend their time in helping you.

    Agreed, so let's see...  so far I've spent 8+ hours with pfSense from the original research plus 3 or more hours reading and studying the links that have been offered.

    Please understand at this point, I need justification that pfSense is a good candidate to achieve the functionality on my list.

    Also, I don't need how-to help, but rather, "what can it do, or not do natively and/or with help of some addon?".

    A look back to the very first line of my post, it states: "I need some answers as to what pfSense is capable of."  No how-to's, just a simple can it do this or can it do that...

    Thanks, Stanley

  • Reading docs and FAQs has never been a good substitute for hands-on, IMO.  From what I have seen in these forums, not very many people use all or most of the features, so not many people other than pfSense staff are going to know the answers to all of your questions.  pfSense is built on FreeBSD, and while it has a GUI, it isn't for the faint of heart or network noobs in general.

    1. Bandwidth rules and traffic shaping are not easy topics in pfSense.  Easy start but quickly can get complex.
    2. Too vague, what do you mean specifically?
    3. There are several real/near-time views, depending on what you're looking for
    4. This is easy using the Traffic Shaping wizard
    5. Lots of logging, some reporting
    6. It can be confusing here too
    7. HAVP antivirus available but rudimentary, no password bypass that I am aware of
    8. No spam detection or email handling in any way
    9. Yes
    10. Not that I'm aware of
    11. If HAVP doesn't catch it, tough luck.  Use client protection.

    Install it and play with it for an hour.  You'll likely end up knowing more than an hour's worth of abstract web searches would give you.