pfSense vs commercial firewalls
I have a Fortigate 200B today and it has never failed me. However, having just IPS requires an expensive maintenance contract on the unit + an IPS subscription. In addition, they stop supporting/delivering upgrades to these units, so you would need to buy a new one every 2-3 years. This makes me look for other solutions and I came across pfSense.
- 1 Gbps WAN speed (FG200B supports 5, but I don't have that traffic/link from my ISP).
- 4 ports (two of them in redundant mode, so that I can have two paths to two switches and then two servers bound to both switches).
- Transparent mode (important)
- Public IP on BOTH WAN and LAN side (by this, I mean that we only have public static assigned IP addresses)
- A well laid out and nice looking rule manager - here is where 70% of the solutions fall off - FortiGate has an excellent method to group dest-ip, dest-ports and group them in each their interfaces.
I have been talking to other fw-vendors (Kerio for instance), but they look at me like I'm an alien when I say I want public IPs on the LAN side. We don't run an office with private IPs, so a transparent fw is easy instead of having to do NAT rules and a lot of work to get traffic through.
I have found a small view of v2.3 on YouTube and it looks like they are having a bootstrap interface and that is a very positive start. If I had seen only the older version (before 2.3), I would have walked away. It doesn't show the rule management in any detail (just very quickly), but it looked promising.
Will pfSense meet my demands with little trouble, at least from a technical side? I only need fw rules + IPS. I have looked at buying the same hw-unit that pfSense sells, it looks affordable at about $1000 and then I don't have any more expenses and IPS.
Start here. https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives
I have not yet found out if I can group ports like I can in FortiGate. Is that possible? It saves a LOT of rules when you run it for many servers. Similar to grouping single hosts with IPs (that I hope is available under Alias).
Thank you, I just managed to get access to admin area and I see it works perfectly :)