My first impressions on pfSense

  • I've worked in the private sector my entire professional life with Cisco gear for networking and Microsoft for server things.  I recently took a job in my local county's government.
    I've dabbled at home on my T1 - hosting email and web for friends and family, churches, and a small business here & there.  I've always considered myself "a Cisco major with a Microsoft minor" - Cisco for the network, Windows Server NT/2000/2003 for the servers.

    Here at the county we've got all Cisco network electronics, but now that I'm in the public sector and no longer have the "billable hours!" driving force, I've had the time and encouragement to learn FreeBSD, and as a result I have learned and implemented a few open source solutions here - RT and Zenoss to name two.  I am really digging FreeBSD; it's awesome.  :)

    A couple weeks ago I had to power cycle my PIX 506e at home, and I noticed it seemed to be running very hot.  It's pretty normal for a 506e to run pretty warm - but I thought this was too hot.  I began to think about alternatives to my PIX - I could not be without a firewall if that thing burned up.  I made sure I had a fresh copy of its running config, and started looking around… I found pfSense.

    I promptly obtained an old Dell Optiplex GX150 small form factor desktop chassis:  1GHz P3, 512MB PC133 RAM, 10GB hard drive, one integrated 10/100 NIC and one low-profile D-Link 10/100 PCI NIC.
    I downloaded the LiveCD, booted it up and ended up with a hard drive install of pfSense.  I spent about 2 hours exploring & replicating my PIX 506e's config into pfSense.  I have a /29 of public IPs, with a couple of them NAT'd into services running on my private ten-dot network.  Doing the Virtual IPs then doing the Static 1:1 NATs threw me for a loop at first, but everything else went very smoothly and trouble-free.  In a PIX, you simply write the NAT statement, and those public IPs you are NAT'ing into private IPs kind of just "float" without being formally assigned to any particular interface anywhere.  Proxy ARP, etc. just happens automatically when you write your static NAT statement.  The Virtual IPs were an extra step, but certainly no big deal - just something new to learn.

    I turned on HTTPS and added a firewall rule so I could get at it from the public subnet at work, and the next day had OpenVPN working perfectly, thanks in large part to this thread by Frewald - thanks Frewald! ;)

    I am EXTREMELY pleased with pfSense!  :)
    For me it's a complete and never-look-back replacement for my Cisco PIX 506e at home.  All the built-in functionality rocks, OpenVPN gives me the exact same connectivity I had running the Cisco VPN Client v5 with my PIX, and my throughput & overall performance feels significantly better.

    I see a lot of potential with this - county government has many different tendrils of connectivity into other state and local agencies - pfSense will be a nice economical alternative to a Cisco PIX or ASA when I need to properly firewall & secure things around here.

    Thanks for a great product!
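    An added check (not code from the thread or from the pfSense project) for the step that tripped the poster above: it walks a constructed pfSense-style config.xml and flags 1:1 NAT rules whose external address is covered by no Virtual IP. The config.xml element names used here are an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like pfSense's config.xml (element names are an
# assumption, not taken from the thread); 203.0.113.0/29 stands in for the
# poster's /29 of public addresses.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface>
      <subnet>203.0.113.2</subnet><subnet_bits>32</subnet_bits></vip>
    <vip><mode>ipalias</mode><interface>wan</interface>
      <subnet>203.0.113.3</subnet><subnet_bits>32</subnet_bits></vip>
  </virtualip>
  <nat>
    <onetoone><interface>wan</interface><external>203.0.113.2</external>
      <source><address>10.0.0.10</address></source></onetoone>
    <onetoone><interface>wan</interface><external>203.0.113.3</external>
      <source><address>10.0.0.11</address></source></onetoone>
    <onetoone><interface>wan</interface><external>203.0.113.4</external>
      <source><address>10.0.0.12</address></source></onetoone>
  </nat>
</pfsense>"""


def load_vips(root):
    """Networks the firewall will answer for because a Virtual IP exists."""
    nets = []
    for vip in root.iterfind("./virtualip/vip"):
        addr = vip.findtext("subnet")
        bits = vip.findtext("subnet_bits") or "32"
        nets.append(ipaddress.ip_network(f"{addr}/{bits}", strict=False))
    return nets

def uncovered_nat_externals(config_xml):
    """(external, internal) pairs for 1:1 NAT rules with no covering Virtual IP.
    Unlike a PIX static, pfSense does not claim the address on the wire just
    because a NAT rule names it, so without a VIP the rule never sees a packet."""
    root = ET.fromstring(config_xml)
    nets = load_vips(root)
    missing = []
    for rule in root.iterfind("./nat/onetoone"):
        ext = ipaddress.ip_address(rule.findtext("external"))
        if not any(ext in net for net in nets):
            missing.append((str(ext), rule.findtext("./source/address")))
    return missing

if __name__ == "__main__":
    for ext, internal in uncovered_nat_externals(SAMPLE_CONFIG):
        print(f"1:1 NAT {ext} -> {internal} has no Virtual IP covering {ext}")
```

    A public block that the upstream provider routes to the WAN address needs no VIP, so treat a hit as something to review rather than an automatic fault.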


  • We are always happy about that kind of feedback. Thanks  :)

  • @hoba:

    We are always happy about that kind of feedback. Thanks  :)

    Like Kris, I too have been nailed down to the Microsoft/Cisco world.  My background is just the opposite of Kris: I'm more major in Microsoft and minor in Cisco.  I am the CIO and Vice President of a small San Antonio based IT company.  For the past 8 months I have been actively seeking a solution to replace the costly Cisco equipment and have installed and tested about 6 packages from the open source distro world.  I narrowed it down to Astaro, Vyatta and Endian.  Astaro being the best of them from a GUI and features standpoint and Vyatta being the best from the CLI side.  Endian, good GUI, lacks functionality in the GUI and quite frankly, I just lost interest in it.  Astaro, excellent product, absolutely terrible price for the value added service that we typically provide, and after fighting with some sales people, I told them where to get off.

    So, faced with renewing some Cisco equipment, I hit Google one more time and found pfSense.  What an outstanding product!  I can't tell you how impressed we all were with it, and when we told our clients they had the option to renew the Cisco stuff or go with a free firewall, you guys became the heroes.  We've installed 2 of these and are planning to offer it to any of our other clients for exactly what we paid for it.  ;)  And as soon as I have time to really take it apart and mess with all its bells and whistles, we will be offering up some bounties to make future releases even more robust.  So, keep up the good work and don't hesitate to let us all know if there is something you need to keep you creative!


  • @DoctorIT:

    ….  So, keep up the good work and don't hesitate to let us all know if there is something you need to keep you creative!

    Where should we send the list to?  ;D

  • Nicely done… maybe I will change my PIX 515 even for pfSense.
    BTW: I can recommend the OTRS ticket system... I have used it for some years and it's quite nice.
