New pfSense Installation (reassurance needed)



  • So a little history, I've been a network manager for over 10 years.  I've always used the big named players for my firewalls.  Recently I've grown fond of a few open source products, one of them being pfSense.  I've deployed pfSense at our corporate office, it's very small (60 users or so).  We use pfSense for standard filtering, DHCP, and VPN.  We've purchased the Gold subscription for auto backups.  I'm only a few days into running it in production and we've had no issues.  It's very smooth, interface is intuitive, etc.  It's running on a new Dell PowerEdge R320 with an Intel quad NIC.  My MBUF is at 56% so I was researching what that means and if I should make any changes.  Then I started reading some threads about packet drops with pfSense and certain hardware.  After that I felt panic, like maybe I should have gone with a tried and true FW instead of taking risks with open source.  So really I need some reassurance regarding running pfSense in production, as well as any concerns running on a new Dell server with a quad core Xeon, 8 GB of memory?  Is 56% MBUF usage an issue?  I'm probably freaking out over nothing but I want to make sure I'm fully aware of what to expect.  Thank you ahead of time for any assistance.



  • If you're that concerned then I must admit that I'm confused as to why you wouldn't just buy an appliance instead of a dedicated server with random parts.

    After that I felt panic, like maybe I should have gone with a tried and true FW instead of taking risks with open source.

    Open source software is no more "risky" than closed source.  Some would say it's less so since you can inspect the code.  You can read every line of pfSense if you want to.

    So really I need some reassurance regarding running pfsense in production

    The reassurance you seek should come from your in-house testing.  While good word of mouth can open doors and start trust-building, I don't believe in any technology until I see it in action, over time.


  • Rebel Alliance Global Moderator

    What I can tell you is there are thousands, if not tens to hundreds of thousands, of pfSense production setups.  Some quite HIGH demand, etc.

    But I agree with Kom on the point that, word of mouth and testimonials aside, it doesn't mean all that much until you see it running yourself.  This could go for any of the big name players like Cisco, Palo Alto, Juniper, etc.

    If you feel the mbuf % is kind of high, you can always just adjust the number:
    https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
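    As an added example (not code from any poster or from pfSense itself), the script below reproduces the dashboard's "MBUF Usage" figure from FreeBSD's `netstat -m` and prints the loader tunable from the linked tuning page that raises the cluster ceiling. It assumes the FreeBSD output line `cur/cache/total/max mbuf clusters in use`; the sample output and the 50% threshold are constructed, not pfSense defaults.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "MBUF Usage" percentage
# the pfSense dashboard shows from FreeBSD's `netstat -m`, and print the
# /boot/loader.conf.local tunable that raises the cluster ceiling.
# Assumes the FreeBSD output line "cur/cache/total/max mbuf clusters in use";
# the 50% warning threshold is a constructed value, not a pfSense default.

# Constructed sample of `netstat -m` output (not captured from a real box).
SAMPLE_NETSTAT_M='24871/3012/27883 mbufs in use (current/cache/total)
15000/500/15500/27666 mbuf clusters in use (current/cache/total/max)
0/0/0/0 mbuf+clusters out of packet secondary zone in use (current/cache/total)'

# Read `netstat -m` text on stdin; print total mbuf clusters as an integer
# percentage of the ceiling (the dashboard figure is total/max).
mbuf_cluster_pct() {
    awk '/mbuf clusters in use/ {
        split($1, f, "/")                 # f[3] = total, f[4] = max
        if (f[4] > 0) printf "%d\n", (f[3] * 100) / f[4]
    }'
}

# Read `netstat -m` text on stdin; print the current cluster ceiling (max).
mbuf_cluster_max() {
    awk '/mbuf clusters in use/ { split($1, f, "/"); print f[4] }'
}

# Print the loader tunable line that doubles a given ceiling. The value is
# read at boot, so a change here needs a reboot; size it to your RAM.
suggest_nmbclusters() {   # $1 = current max
    printf 'kern.ipc.nmbclusters="%d"\n' $(( $1 * 2 ))
}

# Pass --live on a pfSense shell to read the real counters; otherwise the
# constructed sample above is used.
if [ "${1:-}" = "--live" ]; then
    input=$(netstat -m)
else
    input=$(printf '%s\n' "$SAMPLE_NETSTAT_M")
fi
pct=$(printf '%s\n' "$input" | mbuf_cluster_pct)
max=$(printf '%s\n' "$input" | mbuf_cluster_max)
echo "mbuf clusters: ${pct}% of ${max}"
if [ "$pct" -ge 50 ]; then
    echo "over threshold; consider adding to /boot/loader.conf.local:"
    suggest_nmbclusters "$max"
fi
```

    Compare the printed percentage with the dashboard widget on a live box; if the two agree, the dashboard number is simply allocated clusters against `kern.ipc.nmbclusters`, not a measure of drops.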



  • -I didn't buy a dedicated appliance from the start because I tried pfSense in a testing environment and liked it.  In retrospect there is some concern; I believe that's human nature.

    -I wasn't necessarily commenting on the risk of open source vs. closed source as much as pfSense and compatibility risks with different types of hardware.

    -My in-house testing went fine.  However, I'm sure you know that running something in a testing environment and running it in production are 2 completely different things.



  • I have been beating the crap out of pfSense on three different hardware platforms without any issues (well none that weren't created intentionally by me).  My MBUF hangs between 22% and 37% even during heavy traffic times.  I wouldn't worry too much about your installation.



  • I appreciate the feedback Tim.  I know I'm being paranoid but I'm just trying to make sure I give pfSense the best chance to succeed.  What logs are good to review for system performance?



  • I watch CPU and memory. As you add more packages or create VPN tunnels, you'll use more of those resources.

    It's always fun to watch bandwidth graphs and quality graphs, but usually those things are out of your control once traffic leaves your network and hits your ISP's gear.  But those graphs help when you need to keep your ISP honest.

    I tend to stick with big names such as Intel for my custom builds. There's a ton of support for the chipsets, and they are widely available. The specs on my box are in my signature. I've barely seen the CPU go above 25%, and that was done only during an artificial load on the box. Real-world the box is always 90%+ idle.



  • We have a $250,000 high end firewall that is loaded with bugs and limitations and could be easily replaced with $10k of machines and some open source software that many companies use.  Instead of learning the underlying issues, "admins" resort to pre-configured systems that are really expensive, and if the system doesn't have a check-box for a certain situation, there's not much you can do.