Share your pfSense stories!

  • I'm repeating myself from the comment jdillard referenced:

    Myself, I have worked in IT for decade+ and have used pfSense for 8ish years. Until three years ago I was working for SMBs and what I do at home puts the earlier IT company employer's infrastructure to shame. Now I work in the IT department for a school and get excited whenever my boss mentions he is considering pfSense, after my strongest recommendations.

    I think I started out with pfSense for similar reasons to Blade Runner, my ISP supplied modem/router would just freeze up if I "used too much internet". I would say I was one or two steps above absolute novice at the time, so my appreciation for pfSense beyond the usual its free/high quality/comprehensive features/expandability comes from how it made me want to try new things for the sake of it, improve my knowledge and learn new skills.

    I used pfSense a fair bit when I worked at a IT training company. I delivered CompTIA's Network+, Security+ and Server+ and ended up replacing most of the labs in the training materials with pfSense equivalents, the students loved it. One in particular said to me in a breathless whisper "We pay £1000's for X and this thing does everything it can do and more".

  • Administrator

    Thanks jonesr, it's great to hear stories of people growing their careers alongside pfSense!

    Here is another story from /r/pfsense where he replaced a Cisco ASA with a SG-2440 (coincidently during the IKE vulnerabilities) with plans to replace more:

    Here is some backstory where he asked if pfSense would be a good fit for his needs:

  • Hi guys!

    OK so I got inspired (for a little write-up) and want to share my experience with pfSense.
    I`m working for a company which primary focus is IT security. 10 employees, nothing fancy.

    So I started with Coyote firewall back in 2004, implemented it also in the company in 2006 and it worked for half of year. Needs were growing so I decided it`s time to move on. I picked up spare box and loaded few things up. I was choosing between monowall, smoothwall and ipcop. I settled with Smoothwall in the end. It is cool project but was lacking more advanced options and additional network segments (they only have green, orange, purple and red oh and also blue).
    Then after few years I decided to try pfSense.

    FreeBSD was new to me but yet similar to Linux so I kind of managed to get things going. Major drawback (and also huge favour I did to myself) was hardware support. My Dlink and realtek and some other crappy NICs just wouldn`t work. Some did but performance was awful. So I decided to get some Intel gigabit NICs and ever since no more problems AT ALL in this area. Important lesson learned here.  8)

    I think I started with version 2.X back then in 2012 and since I havent moved to other product not at home or work. Hardware was supported quite well so no problems in this area. Now its naturally only better and 2.3 is really outstanding not only in this but also in other areas.

    I`m running 8 internal networks, dual wan, snort, squid, using aliases, VLANs, ipsec site2site, openvpn for mobile clients, you name it… On a 200€ box.

    But what is truly amazing here, are the developers and community. People are helping each other, ideas are accepted, devs are reachable and things get fixed really and I mean reaaaaly fast. This is the true strength of this great project. Good product+good devs+awesome community = :)

    I think that I have resolved every single problem I had with the help of the forum members and alongside gained A LOT of knowledge and very important practices and principles of networking.

    So in a nutshell, I was looking for a product that can replace Smoothwall and I found top product with awsome community :)

    So this is it, I apologize for spelling errors etc. as English is not my primary language, and I hope I helped someone with this post :)

    See you on forums :)

  • Administrator

    Here is another well written story that was shared on reddit about replacing an ASA with pfSense:

  • I've been using pfsense for about 4 years now with 3 machines and stopped upgrading after 2.1.5 because of the errors with the Squid packages.
    Finally I've installed from scratch the latest version and some of the problems I had with https sites have been solved and it's allot faster.
    I'll be doing the same thing to the other 2 proxies.

  • so I decided to upgrade my security for my home network and build a router.
    installation went get, set up seemed to go smoothly as well, until I tried to get out to the internet.
    the pfSense box will ping numerous websites so I know it's working with my modem.
    accessing it from my computer to work with the GUI works perfect to. I sat everything up and tried to access the world wide web and nothing happens. Checked my rules and everything seems fine.
    So then I started reading countless posts trying to find if I had set anything up incorrectly. I spent hours reading through this forum. I even ended up watching hours of setup videos that gave exactly NO information on writing permissions for web access.
    The small handful of posts and vids that actually showed someone writing permissions I copied exactly. Still no internet access.
    I've gone as far as re-configuring my NIC's, changing IP addresses and the results are always no external internet access.
    Finally I lost connection to the GUI and that's the final straw.

    I will not be using this software. I have spent days messing with this easy to use system and have grown tried of hearing its name.

  • @that:

    so I decided to upgrade my security for my home network and build a router.
    installation went get, set up seemed to go smoothly as well, until I tried to get out to the internet.

    videos that gave exactly NO information on writing permissions for web access.
    I will not be using this software. I have spent days messing with this easy to use system and have grown tried of hearing its name.

    Since you used your first post to complain about the product one has to assume your intent was nothing more but to come here and troll. pfSense comes out of the box ready to access the web. If you set up your client for dhcp and still had problems the normal person would have asked around as to why it didn't work when over 100k other installs work so flawlessly. Including every install Ive ever done.  If you decided to set your client static how did you set it? You could have made an error there.

    My guess is that you immediately started changing settings with no real understanding of how to do so. But decided not to ask any questions for yourself or describe in a better place such as the general forum tab.

    And videos- this forum and commercial support are the only official places for for obtaining support. If you are on youtube looking for someone to show you how you never know the level of skill or if that person has any real clue about what they are talking about.

    Thus my belief that this is simply a troll.  Please prove me wrong.

  • I've  been hearing and reading about pfSense for about 3 years, which started because the IT administrator at my school accepted my request to have a look at their firewalls and server setup out of sheer curiosity, where I saw their untangle firewall and started doing my own research with old hardware and virtualization.

    My Asus RT-N66U followed by an Edgerouter Lite served me well, but about a month ago I took the plunge after a long power cut at home and installed esxi on a laptop I had laying around and wasn't using (Toshiba Tecra R950-11F) and put pfSense on it. It took some screwing around to understand VLANs on my managed switch and to run my laptop as a router with a single ethernet port but it all worked out in the end.

    My setup:
    Modem on Unifi Switch port 1
    Laptop on switch port 2
    Everything else including 3 unifi access points on the remaining ports

    100/6 internet connection

    The setup took care of a 30+ device LAN party thanks to some simple flexible traffic limiters. Had 7 different steam downloads going at one point without a hitch or any interference with browsing and other streaming.

    I'm sure I'm not doing this in the most power efficient and sensible way, and the laptop I'm using is definitely overpowered for this sort of stuff, but I've always loved experimenting with these things.

  • I had gone through my share of off-the-shelf firewall and router products, the stuff you can buy at Wal-Mart, all the way through to small Checkpoint and Netscreen products. All of them were less than satisfactory in one way or another. Some were cheap and it showed, others were expensive to acquire and maintain. None of which met my evolving needs. The open source stuff was kinda rough at the time, and I tried a few, but there was always something that hit me wrong. However, growing up on SystemV, I always had an attraction to the simplicity and power of Unix. Generally, my opinions of other OS's of the time was, Linux was a coagulation of shareware atop a Windows-like kernel and Windows itself was the devil. So, it all started for me with a Supermicro Intel D510 M/B, FreeBSD 7, an Intel 1G multiport NIC and pf, and I "rolled my own" for many years. Between 100-200Mb of blazing port-to-port throughput served me well for a long time!

    Then, the long awaited pfSense 2.0 changed my life. The pf and FreeBSD tools I knew and loved, all bundled together in a reasonably fashionable and logical UI, and I've had no reason to change my mind yet.

    Today, that same Intel D510 is a Stratum 1 time source, one of several. Supermicro and Intel are still my M/B and processor choice for all things. I've opened my mind a bit and embraced Linux for those things it's good for, ousted Windows in favor of OS X/MacOS, unless absolutely necessary, and FreeBSD is the basis for almost all my critical server needs, most of which run on top of VMware ESXi hypervisors, managed by VMware VCenter.

    My PfSense build as it runs today:

    Supermicro X9SCL+-F
    Intel E3-1230v2
    Intel i350-T4 for 2 WAN interfaces
    Chelsio T520-SO-CR for all LAN-type interfaces (12 VLANs total)

    VMware ESXi 5.5
    PfSense 2.3.4_1


    And while I don't have facilities to test the throughput capabilities of the 10G ports (the 10G interfaces are for aggregation of multiple 1G VLANs) or all ports simultaneously, VLAN-to-VLAN 1G throughput is a non-issue with a few rules in place, and I'm certain sustaining this level of performance over several interfaces simultaneously is a reality. Additionally, 100+Mb of OpenVPN throughput (WAN links are 100Mb and 150Mb per) are a reality.

    For those concerned about pricing, this particular hardware build, and most of my builds frankly, have been and are "Frankensteins". The latest hardware iteration available is never a good choice, 1 or 2 hardware generations previous is fairly safe, older hardware, safest of all. I've enjoyed great success and trouble-free operation with a collection of both new and used hardware. I buy spares for 10-25% of the cost new for most wear items (fans, disk drives, etc.). CPU's, by and large, are indestructible, but do need to be handled carefully. Same for quality motherboards and NICs. Memory and hard drives, similar to CPU's, handle with care and buy spares. Virtualization minimizes hardware requirements, and makes things very easy.

    The D510 was quiet, and I have had silent, low-power builds when needed. They are do-able and completely satisfactory. Just know that life is all about compromises, and silent/cool will almost always compromise performance in some way.  Luckily, I have space and the environmental control to not worry about heat and noise now, so I don't.

    Virtualization: Technological godsend. Makes upgrades, experimentation, mistakes, errors, and the occasional brain fart much easier to overcome. Snapshots and reversion are your friend. Type 1 is best, Type 2 will do if that's all you have. I know. I've done them both. Performance on Type 2 is 50% of Type 1. Type 1 is 97% of bare metal, mostly indistinguishable.

    Security as it relates to pfSense and virtualization: Don't "share" physical pfSense interfaces with other VMs,or vSwitches, as the temptation will be there. Figure out another way - this falls under the "Don't do silly things with virtualization" rule. Other than that, the standard mantra applies. Less is always more. Fight for every rule. Remember pf doesn't allow anything to pass, by default, on an interface. Any rule added is a potential security hole.

    I'm still very satisfied after many years. What other products can I say this about? Too damn few. Great job pfSense folks!

  • Gonna kill this beast this week, just wanted to share it as a good memory of an outstanding reliable piece of software.
    Runs inside VMware ESXi 3.5.0, on a recycled HP DL380 G4, originally put in operation in 2005.  8)
    The physical machine was only stopped for a couple of minutes about 10 years ago, to add RAM. The 32 GB SCSI drives have been replaced 2 times (with used ones).

  • LAYER 8 Global Moderator

    While the ability for any software and your hardware/system to run for such a long time is nice.

    That you would run your firewall on software that is no longer updated or maintained is BAD security..  2.1.5 should of been updated when it went EOL..  Its still running esxi 3.5 that went end of extended support back in 2013 and end of even technical guidance back in 2015 is not good practice from any point of view especially security.

  • I began using pfsense for a few reasons.  Basically, it appeared to me that the normal verizon actiontech routers were purposely designed to allow anyone to crack the wifi and access the router remotely.

    The other major reason was that the ISP provided router did a horrible job with managing static DHCP and seemed to leave ports opened by u-pnp open forever.

    Also, as mentioned previously pfsense can be provisioned with an enormous state table.

    After using it, I also really liked all of the added features such as VPN.

    It does what it is supposed to do very reliably and has been doing so for many years now.

  • @johnpoz:

    While the ability for any software and your hardware/system to run for such a long time is nice.

    That you would run your firewall on software that is no longer updated or maintained is BAD security..  2.1.5 should of been updated when it went EOL..  Its still running esxi 3.5 that went end of extended support back in 2013 and end of even technical guidance back in 2015 is not good practice from any point of view especially security.

    Agree with everything! This box, however, was only handling internal routing between some private networks. Didn't have access to the internet either - updating wasn't easily possible. Was also a low-priority segment - it's now being killed forever and nothing comes in place.

  • I hope this thread is still alive :)

    I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense.

    I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source.

    Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me!

    ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.

  • @Phatsta I am using PfSense now for about a year and find it to be a great tool!
    I am still a very young novice in it's use, but saying that, it has saved my PC's from countless attacks and intrusion as well as providing a safe network a reality.

  • We moved a couple of years ago from a Fortigate-HA/MPLS based solution to a full pfSense one. HQ plus 5 subsidiaries in EU and one in US are site-to-site connected. All hardware is based on Denverton C3K with IDS/IPS. No regrets at all.

  • I recently switched to pfSense. I'm still pretty new to it. Here is my story.

    I used to have a $20 router. Now that I think about it, it's quite a piece of garbage. The router has a build-in reboot function. I can set the router to reboot itself every day or every week. So that the router won't acting funky. Back then, rebooting router is believed to be a necessary periodic action that everyone is expected to do.

    After about 1 or 2 years of use, I finally burnt out that little garbage router. It refuse to connect to internet anymore (or maybe refused to route, who knows). I then switched to a used old cisco/linksys router. I flashed a DD-WRT system on it. That's the first time I know that router can have an OS that's not from the factory. This cisco/linsys router is very reliable. I rarely need to touch it. It just always runs good.

    However, over the years, I gradually reached the limit of that cisco/linksys router. It still works fine, but I now need more functions that requires more powerful hardware. For example, OpenVPN won't work on that router because the CPU is too weak. This is when I learned that you can actually install a "router OS" on any computer. I started my research and finally landed my eyes on pfSense.

    My current network:
    Netgear modem (I don't know the model, but it's not the default modem that my ISP give me. This modem is very reliable)
    pfSense on a Qotom fanless pc. i5 5200U cpu, 8gb ram, 521gb SSD (I realized this big SSD might be a waste)
    Netgear 8 port switch
    Netgear access point.

    In this question I posted, I talked more about my pfSense settings if you are interested.

  • Quick story here, just to confirm a point about ProxMox adapter performance.

    I set up pfSense 2.4.5-RELEASE-p1 (amd64) on ProxMox on Friday, and when I was creating the VM it was crashing if I used the Virtio Parallel driver for the NICs so I changed to E1000.

    After install eveything worked but bandwidth throughput was slowed by half.

    I shut down pfSense and changed the NIC drivers to Virtio and started pfSense back up.

    On boot pfSense ran through interface assignments, but I was pleased to find that once I was back up and running, none of my configurations had been lost and everything was working as it should.

    I did have to reconfigure the Snort interface in order to get Snort running again but once I did that everything was running well.

    I ran speed test again and got full bandwidth and pfSense is running great.

    Moral of the story is anyone having throughput problems on ProxMox deployments, needs to make sure they are using the Virtio Driver (where supported) because it does make a huge difference (at least from my experience with Intel NICs)

    My set up is:

    2.4.5-RELEASE-p1 (amd64) with Snort in VM on ProxMox 6.2-4
    On HP T730 thin client 64GB M.2 SSD, and 16GB Memory
    Intel EXPI9404PTLBLK PRO/1000 PT 4-Port PCIE NIC


  • Hello
    I have been working in the IT business my whole career.
    When I retired I was not aiming as being a "couch potato" so I search for an activity as a volunteer
    and I discover Emmaüss Connect a caritative French association.

    Emmaüs Connect fights for the digital inclusion of the most vulnerable people in France,
    where a quarter of the population is unable to use the internet on a daily basis.

    I joined the local team in Lyon France where I provided lectures regarding basics used of laptops, smartphones
    and tablets.

    From an IT side I found that the small local network didn't have any protection aka the cable modem/routeur
    was directly connected to the PCs.

    Talking to the local responsible I suggested that we implement some basic strategy to protect our local network.
    The constraint was to make it at 0 Euros as you may understand.
    After looking around on what was available on the software market I choose pfSense because it got an excellent
    reputation, it was modular and available to be implemented on a recycled PC.

    So I moved that way and with the help of the pfSense user forum and the many excellent tutorials available on Youtube
    I end up with a pfSense configuration that is now up and running 24 hours a day.
    The Firewall protects our small network.
    I also added the following packages:

    pfBlockerNG : to filter what is going out because we don't want people going to "bad" sites using our network.
    Captive portal : so we can provide free vouchers to the people we are supporting to use our network to connect to the internet.
    OpenVPN : so I can do remote monitoring/maintenance on the firewall.

    I like to really thank the whole pfSense community for the great product they have made and keep maintaining actively.
    I will be a real advocate for it.
    If anyone is in the same situation I will be happy to help/share.

    Thanks again

  • I'm not sure how well this fits in with the topic, since I'm not a network admin or engineer, and I've only been using pfSense for a short time for my home network.

    I had been using some consumer-grade routers at home and found them unsatisfactory, often unstable, and generally unreliable.

    I had tried an inexpensive brand of routers that was less consumer-oriented and that worked ok. I also tried one of the mesh systems and that worked ok too. Neither was really ideal though.

    Some of my friends and co-workers had been telling me I needed to switch to pfSense. I resisted at first because I thought it would be overkill. I looked at the Netgate appliances and thought the SG-1100 might not be enough to allow for future growth and the SG-3100 seemed too expensive.

    I also wanted to try Untangle, IPFire, Sophos, and another project that I won't name.

    I got some hardware and tried these out and it didn't take long to decide that pfSense made the most sense to me and offered the features that I wanted. It was really easy to install and configure and has great docs.

    I've since found that some of the features I originally wanted, like Suricata, really didn't add anything for me at this time. I also talked to some people and found that faster internet is going to be a long time coming to my neighborhood, so I'm not going to need to handle gigabit speeds anytime soon.

    The SG-1100 would probably have been ideal for me, although I wouldn't have been able to try the other software on it, so it didn't seem as attractive until I really decided that what I wanted was pfSense. (The SG-2100 arrived a bit too late, but would have been an excellent choice too.)

    pfSense is the router/firewall for me. It feels comfortable and I'm looking forward to learning even more about it and finding ways to make it even more useful and informative.

Log in to reply