Does a small business ( <30 devices ) need pfsense?



  • Does a small business (<30 devices) need pfSense?  What does a pfSense router offer over a consumer router, say an AC87U, in terms of small-business features?

    The business in question recently outgrew a 3-year-old wireless router (it was becoming the bottleneck on a 50/10 connection).  I am trying to understand whether it will be worth it to invest in a pfSense-based router (from a store and not self-built).

    The feature I see that is nice, and that is definitely not supported in a consumer router (without dd-wrt/tomato/etc.), is SquidGuard.  Other than that I haven't seen (or I simply am not aware of yet) functionality that I would need to have.

    How do you pick hardware for such an environment if indeed pfSense is warranted?  I see the SG-2440 on the pfSense site, which is the first in the lineup that has gigabit throughput.  How does that compare performance-wise, in terms of routing capacity and latency, with a top-end home consumer router?

    Thanks for any advice!



  • The device you need is the one that fits your requirements.  Not really sure what your requirements are.

    I installed it at a client site with 12 users.  Why?  Because they had an old PC lying around and for $30 I could add a NIC to it and they'd have a router with a built-in VPN.  That was my requirement.



  • The beauty of pfSense is its scalability. In every aspect.

    You can run it on old or low-power hardware and it scales beautifully with the hardware you throw at it. No configuration changes necessary (except for maybe assigning other NICs).
    And you can go from self-supported via community help to paid customer support if you like.

    That didn't even mention feature-set or additional functionality from packages yet.

    With the devices/software you mentioned you are pretty much stuck with a limited set of hardware which can only be replaced, not grown.



  • @tim.mcmanus:

    The device you need is the one that fits your requirements.  Not really sure what your requirements are.

    That's the best way to put it.

    Features and requirements aside, even if you don't need anything beyond what a consumer-grade router can offer, a lot of people get away from them for security reasons. Repeated serious security holes like this recent example on the AC87U in particular have rightfully scared people away from consumer-grade routers. Too many instances of built-in backdoors, stupid insecure default configurations, and a complete disregard for security in general.



  • One of the nicest capabilities pfSense adds is OpenVPN IMHO.

    With the ClientExport Wizard, you get license-free enterprise-grade VPN capabilities.

    It quickly adds a whole new level of security to many operations while adding remote connection for many home/portable devices.

    With a little understanding of pfSense, the question becomes "why wouldn't you install pfSense?"



  • @grubgrub:

    Does a small business ( <30 devices ) need pfsense?  What does a pfsense router offer over a consumer router, say an AC87U in terms of small business features?

    The question really is "Does MY business need pfsense?" And you are pretty much the only one who can answer that. For instance, does your business host a website? Do you have a mail server operating on your work network? Do you need the flexibility of granular control over your inbound/outbound network traffic? You say you've 'outgrown' your old router but don't say in what way you've outgrown it. If you are looking for something which offers greater control over your network resources then pfSense would be able to do much more than the average high-end home router. Plus you have the added benefit of being able to add extra features and options which most, if not all, home routers lack.


  • LAYER 8 Global Moderator

    I wouldn't use a home SOHO router in my home ;) hehehe  They all suck!!  Some of the hardware can be OK if they would put decent firmware on it.  Some of the limitations of the SOHO firmware these companies put on their hardware can sometimes be overcome with third-party firmware.

    But as stated, without understanding your requirements it's hard to say what you specifically need.  As to your outgrowing of your old device: is it because it couldn't handle your users' traffic, or is it that the bottleneck is really the 50/10 pipe?  Are you wanting to filter their internet access so they don't use up the whole internet connection?

    But in general, yes, pfSense can be great for the smallest of small offices/homes up to very large enterprises!!



  • Home user and IT enthusiast here, and pfSense user; never looked back to a consumer router/firewall.



  • @cmb:

    even if you don't need anything beyond what a consumer-grade router can offer, a lot of people get away from them for security reasons. Repeated serious security holes like this recent example on the AC87U in particular have rightfully scared people away from consumer-grade routers. Too many instances of built-in backdoors, stupid insecure default configurations, and a complete disregard for security in general.

    This, and to add: and a complete disregard for CUSTOMERS in general, selling you cheap plastic trash and expecting you to buy a new one every two years since their 'product' is EOL.

    Better install pfSense, spend some beer money donation on the devs, and be happy.



  • @johnpoz:

    I wouldn't use a home SOHO router in my home ;) hehehe  They all suck!!  Some of the hardware can be OK if they would put decent firmware on it.  Some of the limitations of the SOHO firmware these companies put on their hardware can sometimes be overcome with third-party firmware.

    But as stated, without understanding your requirements it's hard to say what you specifically need.  As to your outgrowing of your old device: is it because it couldn't handle your users' traffic, or is it that the bottleneck is really the 50/10 pipe?  Are you wanting to filter their internet access so they don't use up the whole internet connection?

    But in general, yes, pfSense can be great for the smallest of small offices/homes up to very large enterprises!!

    Thanks for all the replies.

    The most important thing (above any feature) will be that it runs without any degradation of latency compared to a top-end home router (this may or may not be asking too much).  I am aware that home routers generally have a simple architecture (good and bad) and dedicated silicon for routing/switching, which can mean they are very fast at the simple job they do.  Given any of the prebuilt pfSense routers, would they perform with the same response time as a top-end home router?  Are there any gotchas for not losing performance?


  • LAYER 8 Global Moderator

    Which model are you looking at, the SG-2220?  I think this becomes available end of Aug.  That would prob be a great option for a small location.  At the $299 price point it looks like a great SMB option.

    Something with a bit more oomph and room for some growth: prob the SG-2440, which you could order now and be rocking.



  • A router is a router and routes packets from one network to one or more networks,
    and a firewall separates one network from one or more networks by setting up rules.
    Today these borders are really fluid, and some things come above or on top of this.

    If you only have the urgent need of a fxckinx fast router that offers the following:

    • SPI
    • NAT
    • some plain router functions
    • Easy and fault free to configure

    Then this is the device you should go with! Because if you misconfigure the firewall your network is wide open
    to the whole Internet community! And the learning curve of those routers is definitely flat.

    The next step would be something like OpenWRT or DD-WRT, with more capabilities and
    not really too difficult to configure; then LANCOM and Cisco IOS would be the match, and
    on top we meet again at a Juniper CLI course.

    But often, when things come on top, that is the trap all these people fall into,
    like using Squid & SquidGuard, Snort or Suricata, HAVP and nDPI or OpenDPI; then you
    will need greater and stronger hardware, capable of realizing a fluid data flow!

    So the best thing would be to know at first what really is urgent for you.
    Paying 199 € or $199 every three years makes 600 € or $600 in 9 years,
    and then we are in the range of an SG-4860, which is capable of handling a
    1 GBit/s Internet connection and some services on top, fitted with an mSATA,
    a WiFi card and an LTE modem for a fallback or failover setup.

    699 € for 10 years = ~70,00 € for one year = ~6 € a month : 30 employees = 0,20 €
    And 20 Eurocents per nose or employee for 10 years will be really cheap, or not!?

    For sure then you would be able to turn on more than only the SPI/NAT things, but if you turn on
    everything and then fill the forum with posts that you were expecting other numbers and you love your consumer
    router, perhaps a Xeon E3-1286v3 and 32 GB ECC RAM is doing the job quite right for you.



  • @grubgrub:

    The most important thing (above any feature) will be that it runs without any degradation of latency compared to a top-end home router (this may or may not be asking too much).  I am aware that home routers generally have a simple architecture (good and bad) and dedicated silicon for routing/switching, which can mean they are very fast at the simple job they do.  Given any of the prebuilt pfSense routers, would they perform with the same response time as a top-end home router?  Are there any gotchas for not losing performance?

    Depends on which router specifically you're referring to, and how fast your connection is. If you have a 1 Gb connection that's PPPoE, there are performance restrictions on download because of this: https://redmine.pfsense.org/issues/4821 The ISP-provided cheap modem in that case is faster and can reach near-gigabit speeds, where a 4860 tops out at 700ish Mbps on PPPoE in that circumstance because it's stuck to one core.

    Outside of PPPoE on gigabit links, things are usually faster than the hardware-processed traffic on consumer grade routers, where you're using decent hardware. The reason they have such hardware isn't that it's superior to doing it in a CPU, it's that it's much cheaper than the adequate CPU power to achieve such performance and the CPUs they put in them are way too slow. There are usually caveats to what gets handled in hardware as well, where some traffic ends up punted to the CPU.

    Often people switch to pfSense because their consumer router fell apart under load, especially where you have many simultaneous connections. Performance degradation is not likely to be a concern.



  • Are there still "hardware routers" out there which "route in silicon"?
    I would expect that in the higher-end enterprise market but surely not in the consumer domain.

    Every device that can be updated with firmware has some kind of CPU running a software stack (except for some special purpose devices with ASICs/FPGAs).

    Consumer devices are built with the paradigm of being as cheap as possible and sold in high volumes. If it fails, then replace it and don't look back.
    Reliability, updates or repairability/upgradeability are not in the equation, as it would cost money to implement them.



  • The ISP-provided cheap modem in that case is faster and can reach near-gigabit speeds..

    Normally a modem is not doing SPI, NAT and passing firewall rules! So for sure the ordinary modem
    must be even faster; this is a must! But connecting a PC or an entire network without SPI/NAT and/or firewall
    rules will be a significant mistake and careless in my eyes.

    ….where a 4860 tops out at 700ish Mbps on PPPoE in that circumstance because it's stuck to one core.

    With SPI and NAT you will lose even something around 3% - 5% of the whole throughput, depending on your hardware for sure. But often with other hardware I really think this would not be the end of the line; with a
    Xeon E3-1286v3, much ECC RAM and an Intel server network adapter it would also be able to achieve more throughput, while also holding the level of security! And in business it should even be called "safety first,
    please", so perhaps then a second 1 GBit/s line and policy-based routing should be the right way to get
    more MBit/s out of this.



  • @jahonix:

    Are there still "hardware routers" out there which "route in silicon"? I would expect that in the higher-end enterprise market but surely not in the consumer domain.

    Yeah, a lot of the low end ARM and MIPS SoCs have some sort of hardware acceleration. It's nowhere near comparable to what you'll find in enterprise routers performance-wise (or even functionality-wise in some instances). But we're talking about ~$75-200 USD boxes, not tens or hundreds of thousands.

    The EdgeRouter Lite for instance can route 1 Mpps with its hardware acceleration. But, that comes with massive caveats. IPv4 only, can't NAT, can't filter traffic, … If you purely need to route IPv4, it's a hard box to beat. That's not a very common use case though, unless you're an ISP (in which case I hope you're using routers that cost more than a hundred bucks), or otherwise have some routing-only requirements. The low end routers all have some caveats along those lines.



  • @BlueKobold:

    The ISP-provided cheap modem in that case is faster and can reach near-gigabit speeds..

    Normally a modem is not doing SPI, NAT and passing firewall rules! So for sure the ordinary modem
    must be even faster; this is a must!

    Not true, the modem is doing NAT in that case. And it has some basic SPI functionality as well. Keep in mind we're talking about single-stream throughput, the easiest case. I don't know how well those would stand up across much larger numbers of simultaneous connections.

    @BlueKobold:

    ….where a 4860 tops out at 700ish Mbps on PPPoE in that circumstance because it's stuck to one core.

    With SPI and NAT you will lose even something around 3% - 5% of the whole throughput, depending on your hardware for sure. But often with other hardware I really think this would not be the end of the line; with a
    Xeon E3-1286v3, much ECC RAM and an Intel server network adapter it would also be able to achieve more throughput, while also holding the level of security!

    Sure, in that case all you need is a CPU that has faster cores, so a single core can handle a higher traffic rate. I have no doubt a new Xeon would easily max out a 1 Gbps link in the PPPoE scenario (at least with large-ish packets, not at purely 64 byte frames). But that's also an unreasonably expensive firewall/router box for home and SMB uses.

    It's not true in general that you'll lose any throughput from SPI or NAT, as long as your system's adequately fast for your connection speed. We're talking microseconds of processing time from arrival of a packet on the LAN NIC to it exiting the WAN NIC, as long as there is CPU capacity to spare. That's such a tiny portion of your latency to any Internet destination it has no measurable impact. It's far less than just the jitter to close Internet destinations on high quality connectivity.

