Netgate pfSense Reviews

I use pfSense as a home router firewall on enterprise equipment purchased from eBay. I utilize it for personal interests and not in a professional IT capacity, mainly for home setups and maintaining VPNs to family members.

It is very easy. An enterprise person who has been doing this all day long will find it as easy as a command line if not easier than the command line. I would prefer not to have to set up another server to monitor my links and everything else. I like that I can go into my one dashboard. It is all running on that one box. I am happy. A large enterprise will have monitoring services, so this might not be as critical for them. For small and probably medium-sized businesses, having the user interface and being able to import configs is very powerful, but it is probably a mixed bag for larger companies that already have services and other things, and GUI does not matter to them.

It provides a single pane of glass. When I come in, I can immediately look at my gateways, link connections, services, etc. It shows my DNS blocker, CPU usage, and memory usage. I can see that my gateways are online, what traffic graphs I have selected, and all my services are up. That is what I like about it. This is what I will miss if I go to VyOS. I know I will have to set something else up specifically to show me all the monitoring and make sure that I have that warm fuzzy that everything is working.

Being able to see in a single pane of glass what is happening makes it very easy for me to react and know what is going on. For example, I changed some tunnels to my family in upstate New York. I am down in Philadelphia. We were having some connection issues, and through its interface, I was able to easily identify the issue. I had a tunnel configured wrong and changed some settings, and we were back up in ten minutes.

Its ease of use is great. If I do not continue forward with pfSense, it would be going to VyOS, which is all command line. pfSense's user interface is very nice for simpler configs and monitoring. It is very stable, and it works very well. Flexibility is great, and the plug-in model is very nice for pfBlocker and other things. It is a very robust solution that works very well.

They could do better with their licensing in the home use space. For me, that has been a struggle. 

I got three pfSense Plus licenses when they were giving them away to the community for free because pfSense decided that they do not enable the QAT. They do not enable the network acceleration function that is on the Intel Atom CPUs and some of the Xeon D's in the Community edition. IPSec acceleration and OpenVPN acceleration do not work on those smaller boxes because it is going to use the CPU, so I got the three licenses, which worked well. It was all good, but they decided to take that away and are charging $129 a year. Somebody savvy like me is going to pay for it. I will pay for it for myself, but I also maintain the routers of my parents, my mother-in-law, and a friend. I have IPSec tunnels to them, and they need the acceleration technology that is disabled, but they are not willing to pay $129. I wrote to the Netgate salesperson asking to consider a model with a $60 per year subscription because they are putting a barrier on themselves. They have abandoned the Community edition. There has not been an update in a year, but then you hear that they are contributing. They are making updates, but they have not released it. There is an opportunity to make more money in the home user space if they change their licensing model.

The other little hiccup that I see with it is they have it tied to MAC addresses. It generates a license based on the MAC address. If you change any MAC address, you have to issue a new license. They were nice about it for me when they did a one-time change for me, but if I put another Ethernet adapter in the box, it says it needs another license. They should work on that. It seems they are going to change this.

I have probably been using it for more than a decade at this point.

My instance has been up for over two years without a reboot, so it is very good.

It is a mixed bag because I have had 1 gig symmetrical Internet. I have 2 gigs now. As you get further up the stack, it is going to get worse. I do not have options past 2 gigs. I have 25 gigs between some servers. I have 10 gigs with a lot of machines. They have their TNSR project that sits at a thousand dollars a year, but I cannot even try that. They have entirely removed the Community edition for that, but it has been great with 2 gigs and 1 gig.

They are super fast, super nice people, and very accommodating. The quality of support is great. They are better than I would have expected them to be. I would rate them a ten out of ten.

Positive

Previously, I have mainly used VyOS, Cisco ASA, OPNSense, and Fortinet. 

Cisco ASAs are very nice. They compare very well, and they have their single pane of glass. They have GUI and no license fees yearly. Netgate will say the same thing. If you buy their hardware, you get the license for free, but they triple the price of a new piece of equipment.

The initial setup is not easy right now because I have to put my email in, and they send me a link. I would prefer to have separate images for the Community and Plus editions.  

When you go to the installer, it asks you if you want Plus. You have to put a valid license in to get it to install Plus. In my situation, all three of my Plus licenses have expired, and they all continue to work. If I need to reinstall that on a new box, I can only install the Community edition. When I boot it up, I cannot import my config because my config is from Plus. For me, it would make more sense if I could download and install a Plus image, and it gives you a 24-hour period to put in a license and have it activated. Something to that effect would make it easier because I cannot imagine I am the only person who has had this issue.

The licensing model needs improvement, especially for home users. There should be more flexibility to change licenses with hardware changes. The pricing model could be more accessible for home users.

The license is locked to a specific device. There are other services where you can buy a pfSense, and you get that license for a year. You can put it on any single device, and it moves with you. I do not want to have to call them to get the license changed. I would prefer that when I put it on a new device, they know it is registered to this new device. It is not on the old one. They should handle licensing differently for home users. They should try to differentiate it from enterprise.

There should be a cheaper tier of pfSense Plus for home users. They need to improve the pricing for a home user. They can look at the numbers. They know how many installs they have.

I would rate it an eight out of ten. It is a great product, but they have sold it in a way that does not align with the way I need to use it or the people that I have it with are going to use it. It practically does not make sense versus what else is out there. VyOS is free. Its Community edition is free, and they update their Community edition first. It is the opposite of what pfSense is doing. They are updating the Plus edition first and the Community edition comes second.

I use pfSense at home, and my friends and family use it in their homes. I'm also the IT solutions administrator for a council of governance organizations, and I use it for them. I use pfSense Plus at home and the community edition at some of my friends and family's houses.

I pfSense Plus at home and use the community edition at my friends and family's houses. I have used the community edition multiple times in labs, but I use pfSense Plus for all of my enterprise applications.

I started seeing the benefits when I began playing with it at home 10 years ago. It was an immediate success when I put it in enterprise locations because it was much cheaper than WatchGuard. I was familiar with pfSense, so I quickly trained my staff on it. They know how to operate everything well in pfSense.

With pfSense, you can do a failover. I have used that before, and I see it as a benefit, but there are some drawbacks. You have to use multiple external IP addresses to set it up, but it works well. However, I don't use the failover anymore because of the price. You can have two of these things on the shelf, and in the event of a failure, you can get another one up within five minutes by throwing it on there, configuring it, and plugging it in. That's my failover plan for all my main locations.

PfSense's visibility enables me to make data-driven decisions. I love the way they do geoblocking. You can see where you're improving. The logging ability is diagnostic. You can see all kinds of data. For example, when I make a new rule, Immediately know what's going through that rule. That visibility is very helpful in knowing immediately if my rules are being applied correctly. 

The most valuable feature of pfSense is that it's a stateful firewall. I also like the way the rules are implemented on the firewall. It makes things much easier to see at a glance. 

PfSense is the most flexible device I've ever used. It's open-source software. I've used all the big names, including Palo Alto, WatchGuard, and Sophos. In terms of dependability, this is the best of them. 

It's simple to add and configure features and easier than some of the big competitors like WatchGuard. The front dashboard on pfSense is very customizable. You can get it at first glance. Everything you need to do is in that single box. It shows you if your LAN and interfaces are up. You can see what kind of traffic is going across each interface because they give you a traffic graph that you can do for each interface. 

You can see if your gateway is up and precisely how much data passes through each interface. I like how you can get direct visibility over your IP address updates. If you're not running a static IP address, there's another cool thing on the front page where it shows when the dynamic DNS updates. The way you can customize that dashboard is cool. I haven't seen that with other firewalls, and pfSense gives you good visibility at first glance.

I don't think pfSense's web filtering solution is the best, so I don't use it for that purpose. They could add a little better web filtering solution to pfSense. They have solutions in place, like SquidGuard, but they aren't very good. 

Another feature about pfSense I would improve is adding a single pane of glass management for multiple units I manage across the municipal district. I would love to manage all those devices through one single pane of glass, but that's not a deal breaker for me.

We have used pfSense for around 10 years.

I rate pfSense 10 out of 10 for stability. I've never had a Netgate system fail on me.

The scalability of pfSense is great. It costs very little to expand to multiple systems across multiple locations. It'd be better if they had a mass edit platform where you're running multiple systems. I've heard quite a few people in the community talking about that. I heard someone in France was developing a dashboard that gives you visibility across multiple boxes, but the cost of deployment is very cheap. It's easy to put boxes out there and write rules for them. 

I rate Netgate support 10 out of 10. Most of the tech people I have contacted seem to know exactly what they're doing. They've got, like, 10 people named Chris working support. Every Chris that I've ever spoken to has been spot on. Every once in a while, if I call after hours or something, I might get someone who isn't as adept at it, but they quickly escalate it to someone who can fix the issue. 

Positive

I have used Palo Alto, WatchGuard, and Sophos, and all the major competitors, but I would compare pfSense to WatchGuard, the one I have the most experience with. In my type of environment, pfSense wins hands down over WatchGuard because it's a stateful firewall. One thing I've hated about WatchGuard is that it's not a stateful firewall. It's rules in and rules out. You end up getting thousands of rules over a four or five-year period. PfSense enables you to put notes on your rules. 

If you have a question about a rule, you can read the note you made when you made that rule. Having the ability to document your rules in the dashboard has been a game-changer for me. After you have used a stateful firewall, it's hard to go back because it's much harder to make rules on both sides. 

Deploying pfSense is as easy as any other system. It helps that pfSense has a massive user community and some great YouTubers, so you can go to YouTube University and become a professional with pfSense quickly. You can learn to do some complicated edits and set up complex VPNs. It takes only 20 minutes from start to finish. For maintenance, you only need to update it when the updates come out and change the configuration of your rules as needed. 

PfSense offers huge savings. The price is the lowest in the business. The only thing you can use in place of pfSense is a fork like OPNsense. I'm more familiar with pfSense, so I never got on the OPNsense bandwagon. 

I rate Netgate pfSense 10 out of 10.

I have two different use cases. I use it as a firewall and security appliance. I also use it in layer three virtual routing scenarios.

The thing that sets pfSense apart from other competitors is the flexibility that it offers. You have a package manager, and there are so many options to choose from -whether it's security, a plugin, or even networking technologies. pfSense supports VPNs. It supports VLANs. It can be virtualized. It can run on physical hardware. You can be agnostic as to which vendors you're using. It is interoperable. It's a very versatile package and system. It's very easy to add features and configure them.

There's a graphical user interface that can be managed and used for almost every feature configuration item and function. There's also documentation on pfSense and NetGate's websites that outlines every configuration item package and configuration setting in extreme detail. There's also a strong community. The community has a support forum online. It is very easy to use.

I've witnessed the benefits pretty quickly. I started using it in production in 2012. Prior to that, I had used it personally from 2009 to 2011. That gave me time to kick the tires and see how it could be used. In 2012, there were very limited deployments of pfSense in the enterprise industry, and support was available, but not like it is now. So, by being able to use it personally, I saw where the benefit was. Then, when we deployed it in a production or enterprise environment, we were able to realize the benefits immediately. And those benefits were: security, supportability, and sustainability. Regarding security, it's backed with BSD, a well-known, tried and tested operating system, and is up to date on patches. It is much more user-friendly to configure than the competition, be it from Juniper or Cisco, HP or the other competitors that are out there. Sustainability is an extreme benefit. The feature parity, along with the cost and flexibility of being able to provide a variety of different hardware networking methods, pretty much sealed the deal.

The solution prevents data loss. pfSense offers an auto backup system, so your configuration and systems that you're running by default can be synchronized with pfSense and their cloud product, meaning that if you suffer a failure or a configuration issue that makes you need to roll back, you can actually rebuild a device or virtual appliance in a matter of minutes and have it back up and running just as it was. As far as other building features, it runs BSD, So you can use SFTP, which is a secure transfer protocol, as well as any other industry standard backup product. The main function that's built-in is the auto backup and restore functionality, which we use from time to time, and it's very helpful.

I use both the community and Plus versions of pfSense. For enterprise and production systems, I use pfSense Plus. I use that on both physical and virtual hardware. It works great. The pfSense community edition would be more for a testing environment or a personal deployment.

pfSense features that help to minimize downtime. pfSense comes with opportunities to configure for high availability. In the event of a failure, there are ways to bounce from one appliance or virtual appliance to the other. There is full documentation for that. It uses open standards. Also, on the individual appliances, there are wizards and configurations for WAN and multi-WAN failover bonding or anything in between. That includes failover for your Layer 3 routing firewall rules, filters, et cetera. 

pfSense provides visibility that enables users to make data-driven decisions. pfSense supports many different monitoring and logging types. Out of the box, it can monitor. It also supports Syslog. It supports SMPP. You can create baseline reports and watch trends, and those trends could help you be prepared for an increase in bandwidth, routing capacity, or even CPU utilization for beefing up your security rules.

The visibility in pfSense helps you to optimize performance. You can get an accurate picture of what bandwidth is being used and determine where the bottleneck is. Performance isn't just bandwidth. It could be routing. It could be applications. It could even be firewall rules. This provides visibility into issues. 

I've used pfSense on the Amazon EC two virtual machines in a limited capacity. I don't have any customers currently that are in production on AWS. However, if I did, I would certainly use their supported appliance or their virtual appliance on the marketplace. 

Having a single pane of glass management is on their roadmap. If you have multiple instances, you have to manage these deployments across a wide area. I'm required to keep a third-party product.

The main feature that I could see them adding would be a management interface that lets me manage multiple pfSense instances. As an MSP or consultant, it would be very helpful if I could manage them all from one place. 

There are some modernization efforts on the operating system that are needed. Possibly looking at Linux-based operating systems to allow newer features, better hardware support, et cetera, would increase performance. 

They should continue to expand in bracing the software and appliance model and expanding reach to cloud providers other than just Amazon. It would be nice if they had a supported appliance on GCP as well. I have customers on Google Cloud, and this would be helpful.

They need a more streamlined or documented approach to how they would like to see virtualized or alternate hardware deployments supported. If I build my own hardware, sometimes I don't know what the best type of hardware is to go with, and having some streamlined documentation and explaining the best practices would be helpful.

I've been using pfSense since 2012.

The solution is extremely stable. I've never had a stability problem.

The scalability is excellent. However, when you get past a ten-gigabit connection, and we are seeing the opportunity for 20 and 100 connectivity methods, that's a bit of a struggle right now.

Technical support is fast and accurate. I would rate them as having the highest level of customer service from my experience working with customer service. They are excellent.

Positive

I've been in the industry since the late 90s. I've worked with a variety of solutions, including Cisco, Barracuda, Juniper, and more. pfSense is easy to use and much more flexible. It really cuts down your speed to value and time to delivery. There's not much of a comparison at all.

The initial deployment is extremely easy. If you're a professional in the networking industry and you have a working knowledge of OSI model networking, IP address routing, and firewalling, you'll be fine. The interface is the easiest and most user-friendly on the market. 

For a small to medium-sized business, if I already have accurate information on their Internet connectivity and subnetting, I can get it up pretty fast. You can be up and running in a matter of hours. One person can do a deployment.

There may be some maintenance needed. It depends on what type of agreement I have. Some customers are technically astute enough to handle basic maintenance tasks like updates, security patches, and package updates on a regular basis. If not, I offer a service where I can also manage that for them.

The pricing model is good. It's right about where it needs to be. The total cost of ownership is low and the value is high.

I'm a pfSense customer.

I'd rate the solution eight out of ten.

If users are interested in pfSense, they should try the community edition. It's free to download, and you can just get started and try it out. Moving forward, I wouldn't hesitate at taking a look at the different types of hardware that they have, and to talk to sales.

We use it as a firewall. I've got a few deployed at different customer sites. All of them use OpenVPN for VPN software.

We really started out with general-purpose firewalls, and I used a different firewall. I've used SonicWall in the past and one of the other firewalls had a yearly subscription fee if you want to protect from different sorts of security threats. pfSense uses open software, so you don't have to pay a security fee for that.

The dashboard is pretty good. It lets you control different things. It also has widgets, and you're able to control which sockets are open or not, and you're able to have some open software that allows you to do geofencing. You can restrict the ability to access certain countries.

It's been flexible enough for everything that we've needed to do with it. I have a small operation, so we don't have some of the requirements that a larger one would have. 

Since it's open software, there are typically open modules that you can add. The firewall software also has a menu option that allows you to download different new features. For instance, there's a piece of software called Notes that allows you to make some notes, so you can go into your firewall and look up configuration notes that were written there in the past. There's backup software, so there's another piece of software that allows you to back up the configuration to a file or a PC connected to the firewall. If you have a sufficiently bad power outage, you can lose your configuration. However, it has some features that allow you to track suspicious access to a device. You get a record of intrusion. You still need to interpret it yourself. However, you are alerted to potential hacks.

We began to see the value immediately. It made a big made a big difference not to have to pay that annual fee. There was some learning curve involved. I like to learn new things. 

We do not have a single pane of glass management. It would be nice to have. There are some firewalls that let you have cloud-based management like software as a service. pfSense doesn't allow you to have a central place where you can check everything. I have to remote into local networks and then pull up an individual dashboard.

I've been using the solution for three and a half years.

The stability is good. I haven't had any issues with the firewall crashing spontaneously. What I have seen is, if you have a power glitch, it will go up and down. We have battery backup so that those power glitches don't happen. However, if it does, that can damage the memory storage device inside the firewall and then you have to reload it. 

The quality has been very good. If I had paid support, it would be faster. When you get a new firewall, you get 30 days of telephone support for the device while you are initially configuring it. After that, you have email support. You can pay for support every year. However, I work for a lot of non-profits that do not have big budgets. 

Positive

We've had SonicWall or WatchGuard in the past, among others. They had less flexibility and you did have to pay an annual fee.

The initial setup was maybe 50% more difficult than I thought it would be. That said, it wasn't too bad. There are good instructional videos on the internet and the help documentation that Netgate provides is good too. They also have good technical support. The free level of technical support is an email ticket system. If you have a problem, you can raise a ticket, and then it gets solved, maybe not right away, but eventually. It might take a day or two to get solved.

The first time it was deployed, it probably took a day - maybe 12 hours. After that, it takes anywhere from a couple of hours to up to five hours to fully load a firewall with all the different pieces of software I need. 

I handled the deployment myself. 

There is a bit of maintenance needed. I will either go remote to the different firewalls or on-site and update the software. I can download the latest version from Netgate and basically reload it. 

I use the community version of the solution. It is free to use.

I don't consider the cost of how many hours it would take to learn it versus the cost of the annual subscription; however, once I get sufficiently comfortable on many firewalls, that'll average out to zero in terms of cost.

I'm a registered reseller.

I'd rate the solution nine out of ten. It's a good firewall that operates without you having to pay attention to the costs. 

It's really important to back up your configuration. Sometimes, you do have to reload it. It's more important to document the procedure that you take to load and configure the firewall. If you're used to WatchGuard or SonicWall, then there's more of a cut-and-dried procedure to that. With pfSense, you really have a lot of latitude and a lot of flexibility in how you want to configure it. If you just do the minimal configuration, you probably aren't getting the advantage of all the features you would want to have. That's why it pays to document that.

We are a large church, and we use Netgate as the main firewall appliance. We have multiple WAN connections coming in, and we have about 500 endpoints connected to our network, so we use it to make all the bits travel where they need to be.

We were using some other products that were closed-source, and they did not have some of the features that I liked. I liked OpenVPN. In terms of the VPN infrastructure, I had a lot of great information from people online. I could follow a lot of reviews and very good technical documents. It was about unchaining myself from a different licensing program that was charging me almost an extortionary rate for a firewall appliance but did not give me any better security than I would get through pfSense.

I like the idea of packages because I work on Linux all the time. Adding packages is a nice way of adding features. We do iPerf3 testing. With just a few clicks, I can have an iPerf3 server set up on my pfSense. All the tooling has been easy to integrate.

Everybody loved it when I switched over to the VPN. It was easy to use. OpenVPN has a great piece of software. Everybody loves how easy it is to use the VPN to get onto our network but also how secure it is. 

The fact that I do not hear much about it is one of the best parts. The Internet has not been 100% solid here, but we never get to know it because the WAN failover takes us from one endpoint to another without even noticing it. I had the Internet provider come, and he was going to change some hardware. He was asked if we needed to tell anybody. We did not because they would not even know that we were doing it. That is a pretty good feature that it works so flawlessly. If you are going to take your main connection to the Internet down, you have two backups, and nobody is going to know the difference.

I can look at my network as a whole. It is great to see the traffic on my network. I can see where it is coming from and where it is going, and I am able to follow through. The screens are helpful for telling the story of what is going on at the moment with the data. I look at my firewall quite often. If there are any questions, that is one of the first places I go to for troubleshooting.

pfSense Plus and the service program have definitely helped minimize downtime. The fact that I have help on the way anytime I need it is great. I do not have an estimate about the reduction in the downtime because as soon as I got here, I swapped over. I do not have any previous data points on that.

Running their hardware and software helps a lot with the performance.

The customer support is very good. Setting up the VPN is pretty straightforward and easy. 

We have multiple VLANs, and with assistance, it was easy to get everything set up and running in our organization the way we needed it to. We have the flexibility and the ability to adapt things over time as needed. When I needed to add an extra WAN connection, I could. It was not locked behind a paywall. I did not have the issue of not having enough ports on the machine for that. I had all the ability and all the hardware I needed to do all the things that I needed.

When we were setting up VLANs, there was some information about the way the ports, switching, and other things were done inside. Their UI could have hidden some of the complexity better so that it was easy to understand or more general. They could have given some more clarification on the markings on the outside of the machine. There were some questions as to what port was what and how that links to what was being asked in the software. Those things were not always very clear.

The features that I wanted have been added, but I have not taken the time to look at them. I am a big fan of WireGuard, and they have added that, but I have not taken the time to install it yet. Its features are complete for our needs. If I have to ask for anything, it would probably be more education on bolting on some of the XDR platform stuff that is out there, but it is feature-complete. I know that all this exists. It is just taking the time to get educated on it, which is probably on my side.

I have been using Netgate pfSense for about three years.

I have not seen any downtime, so I have to give them a ten out of ten on that. There has not been a time when it has not done what it needs to do.

There is a long way to go above me, but I would not be looking to change if we grew by a lot. I would rate it an eight out of ten for scalability, but I do not know what it would be like in a data center.

It is being used at a single location. We are a fairly large church that has quite a bit of data flowing in and out, but we have just a single location. It is me who works with it, and I have a junior sysadmin and our managed service provider working with it. Three of us interface with it.

They are amazing. They are great. They followed through very well when I had issues. Usually, the issues I had were kind of self-inflicted wounds, and they walked right through everything with me with great continuity. I cannot say enough good about them. I would rate them a nine out of ten.

Positive

We used Sophos. One of the main reasons for the switch was the license model. The way they charge for their software was pretty expensive. I did not feel that we got a lot for those IT dollars. I knew that I could set up pfSense and pay for the service plan so that I have a live person on the other end to help me when I needed it and it would still be way under what we were paying for Sophos.

It is deployed on-prem. We have a couple of Netgate appliances. We have one that is a spare and we have one running in production. In case one goes down, we will just move over to the other. We have a couple of pieces of equipment in our rack locally.

My managed service provider helped me with the deployment. In one night, it was done. It was pretty painless.

In terms of maintenance, there are always updates to do.

There were three of us involved, and it took about four and a half hours to get everything configured. From taking out the old to getting the new in and getting it configured took about four and a half hours.

Compared to what we were doing with Sophos, it provides a great value financially and in terms of time savings. For the most part, I do not have to mess with it. It does not require me to go in and touch it unless I have something I want to change, and that is a win. The upgrades are easy, and they have been flawless. That is a good return on investment. That dollar is well spent.

We are probably paying about 30% of what we were paying previously.

The price is fair. I buy the Netgate hardware so that I can support pfSense and Netgate and I have somebody designing the next layer of software for me in the future. I like their model. It is a high-value piece of equipment with a great team behind it.

With the inclusion of firewall, VPN, and router functionalities, we get a good value.

I would recommend it because it is a good value in terms of the price, performance, scalability, and usability of the metrics that it gives. It is definitely what I would go with.

I would rate pfSense a nine out of ten. It would be a ten if they offered free training and told me about what the free training is. There are probably a few things out there like that, but more one-on-one free training would be the main thing they can do better.

I primarily use it for hybrid home/business power usage at a very small scale. It is both home and business because of working from home. pfSense is serving us as the main routing firewall and network configuration tool. It is the front-end brain for everything in our mixed environment.

pfSense allows me to manage both home needs and business needs and keep them relatively separate or at least appropriately separate. A key feature was to be able to use a small-scale device. I am using Netgate SG-1100, which is built to run pfSense on an RM platform. It has low power consumption, and it is economical. I did not need massive amounts of compute power, but I did need the feature set that typically, you can only get in enterprise-grade product lines such as Cisco.

pfSense is extremely flexible. The areas where I find it very flexible are the sheer number of configuration tools that are available and the extra packages that can be used to augment the core functionality. Even within the core functionality, it is capable of adapting to a massive number of different scenarios and network environments and needs. You can adapt to the needs of your network environment to the outside with ISP and internal needs. You can accomplish what you want to achieve internally with the product. It seems to have pretty much everything under the sun laid out.

It is pretty easy to add features to pfSense and configure them. If I am adding something for the first time, the web GUI is the most helpful tool because the layout is pretty logical in terms of how the forms are organized and fields are named and described. There are help callouts, and, of course, documentation. I have always found the official documentation to be helpful, but it is not uncommon to do some forum searching and read the discussions. Other people might be following a workflow that does not fit quite cleanly in there, but they made it match. Typically, it is pretty easy. Some of the things that I have done with pfSense are not inherently easy processes, but I feel that pfSense has made them much easier than they would be on different platforms.

I was able to realize its benefits immediately. I am an IT professional, but my use of pfSense is not as an IT professional. It is more like a solo entrepreneur for my wife and her business. When I look at the network administration that I am doing here, it says a homeowner and a business co-owner. IT and networking are not the kinds of things I want to dominate my time. It should not be dominating my time spent. From that standpoint, I was able to get the baseline configuration set up so quickly when I first set it up about seven years ago. I definitely felt a big value-add with the configuration backup and restore process. The first time I broke something on pfSense, I was able to revert my last configuration very quickly. That was a big win.

In terms of pfSense helping to prevent data loss, auto configuration backup is probably the number one feature. When I think about data loss in pfSense, I would mostly be concerned with losing the configuration itself. Having my own backups but also having Netgate backups available for me to pull down helps. I just have to make sure I keep the encryption password, and we are good to go. That is a big win.

I use pfSense Plus. I am pretty sure that auto configuration backup is a Plus feature. I am on my second generation of official Netgear appliance, so my experience with the Community Edition is limited. I am not sure if this feature is available to others, but for minimizing downtime, having the auto configuration backup is a big one. There is a restore option for quick reverts if a change did not go quite well. They are incremental, so reverting to whatever snapshot or revision version I need to revert to is very easy.

pfSense does not give a single pane of glass management, but I also would not expect that because it is doing so much and is capable of doing so much. In my environment, it is managing so many different aspects of the whole Netgate, but there is not a single pane. I use the logs a lot, but I have to look through individual logs. I am not aware of any log aggregation and analysis components that are already baked into pfSense. As I understand it, I need to ship my pfSense logs into another system to do a higher-level analysis and insight querying. An area that I am interested in working on is effective outbound traffic filtering. It is on our priority list because it is a tricky one. You do not want to let any outbound traffic go, but you also need to be careful how you are filtering outbound traffic so that you do not break things you are relying on for your functionality. A lot of people use a web proxy, but that only catches web traffic. With smart home devices and business stuff going on, you have to pay attention to it. I am very interested in being able to analyze the traffic logs that are being captured by pfSense with an IO, the outbound traffic, and the existing and potential firewall rules that I have in place for those. My current efforts have been focused on doing so with a different product because I do not believe that pfSense delivers that. I honestly did not expect that it would.

iperf helps with performance. We are able to do iperf bandwidth tests as both client and server to various endpoints and turn on a quick listener and see what is going on with who can get where fast. The diagnostic menu list is probably the longest one in there. That is a good sign because it just means that they have got a lot of tools available for me to use if something is not quite working right. If I want to improve performance, I have to take a measurement and take a look at what is going on currently and compare that to what I would expect to see. There is a wide variety of toolsets. I am not asking for this because it is not the kind of system that I would want to run, but there is no troubleshooting or performance improvement wizard that kind of walks you in a logical step. I know that there is one initial configuration wizard that is meant to get people going quickly for the first time and in a fairly simple setup, but even that was not a great value to me because I want to get quickly into more advanced configurations. It has what I expect for performance tuning.

Being able to configure VLANs on such a small device is one of the key unique features that made it attractive to me.

pfSense is very flexible, but my only drawback in terms of flexibility is that it is web GUI-driven. I know that there are some shell interfaces, but it is not a very heavily developed API when it comes to automation or configuration-as-code management. I would love to see that developed in the future so that I am able to manage my network configuration in YAML and TOML text format, have those changes applied in a source code environment, and have those changes read into an API that could then drive the configuration rather than have always having to use the web GUI just to make some layout changes. Web GUI has its advantages, but there are times when being pinned into that workflow is less efficient.

They should support the idea of configuration management as code from source code and provide a more robust API for managing the pfSense configuration. I know that with the web GUI, everything is dumped into an XML file. That is how it is backed up, and that is how it is imported. It is machine-readable and all that, but it is not necessarily a modern data format that would be used with API typically. They are maybe thinking of moving to REST API and SQLite backend. I do not know what they have in mind. I do not really care how they do it, but I would love to have the ability to interact with my configuration and make incremental changes via source code and utilize the API to implement those changes and roll them back with configuration as code as a strategy for managing my pfSense.

It has been about seven years.

The device is rock solid. I have not had any hardware concerns or issues. I do not have to reboot it. If I am having some kind of network issue, I do not have to restart my pfSense. Why I wanted the free BSP base is that I know that the core layer is rock solid. It is possible that something could happen where I would need to restart, but it almost never does.

It may have been with the older device for which I have worked with them twice. I opened a ticket to get the download link for recovery firmware on the SG-1000, and they gave it to me. That was very easy. That was fine. They responded quickly, no big deal. I appreciate it. I did not really need support. It was something that I could not get directly from the website myself.

I am not sure, but when I bought SG-1000, I might have had to send it back. They sent a replacement. It was less than a year since I had it. I still had a full warranty on the hardware. At some point, everything froze, and all functionality completely stopped. I tried the power cycle, and it would not even boot anymore. They did the serial console connection, and it literally was not even booting. They opened up a case and verified the same symptoms that I described. They replaced the board and sent it back to me, and it worked. It was solid from that point for five years that I continued to use it. After that, I upgraded it. Every once in a while you get bad hardware, but I was glad I could just send it back. The biggest fear I have, and probably the only reason I still have the old one lying around is that if something were to happen to this hardware and I had to send it back for support, I need to be able to keep my network running in the meantime. Even as a home and home business user, you start to creep into that space where you start to think that this is critical. How do you get by without the Internet? I know that I could get Internet back up, and I could plug in any off-the-shelf routers lying around and get basic Internet service back up, but the question is how much work would I have to put in to restore other services that pfSense is performing. I recognize that I did not invest in a high availability solution for my home and home business, so that is just a risk that I have to take.

I would rate their support a ten out of ten. There is nothing difficult about it.

Positive

Prior to my first pfSense appliance, back in 2017, I was running DD-WRT, which is not a commercial alternative. It is an open-source project that does not even have a paid or commercially supported version. It is meant to be flashed onto OEM hardware as a replacement for their firmware. pfSense can be used like that, but Netgate is doing something different with the commercial support and building the appliances and all that. In terms of the baseline functionality, DD-WRT is very similar.

In terms of comparison, pfSense is much more robust. It is a comprehensive solution for networking needs that bridges the gap between a shelf router and building a full enterprise stack, which would be overkill. Most small businesses and home users would not want to do that, make that kind of investment, and keep that kind of compute running all the time. pfSense lands right in that sweet spot. I know that OPNsense and a few other software products are out there. There are some Linux-based ones. I am definitely a fan of pfSense being built on free BSD. That gives me greater peace of mind with the networking stack and everything. I am a Linux guy too, but when it comes to core services, I prefer free BSD. If I have to, I might just go with the vanilla, free BSD system and build it out with automation from scratch, but pfSense does all that for me. I do not have to do all that initial work. They have got the configuration and tuning done already.

If you have general networking knowledge and understand the terminology, it is very easy. It depends on how detailed or how extensive is your configuration and what is the target use case. Are you using a VPN? One of the features I use is OpenVPN.

I go through the box. I have a single WAN connection. I have half a dozen VLANs configured. I have a VPN remote access interface configured. I have got DHCP servers. I also have IPv6 configured. I have extra configurations for each interface that need to be considered, including the VLAN interfaces. There are also firewall rules.

You can start with the baseline, and you can get the thing up and connected to the Internet easily within five to ten minutes. Once you start doing your internal configurations and firewall rules, it scales pretty quickly. With a couple of VLANs, like I have, you spend another half hour to get the VLAN to spec out. With OpenVPN, you have to work on certification generation and certificate matching and exporting. Configuring the client's side tends to be time-consuming. If you have four clients, it could take another hour to three, and then there are firewall rules. It depends on how you write them. If you write your rules well, you do not need to have so many of them. It also depends on how you configure your space. I have a lot of interfaces and a lot of rules. With a good, clear plan and no guessing and backpedaling, you could probably redeploy what I did in three to four hours, but it would actually take longer because of mistakes, troubleshooting, and all that.

In terms of maintenance, I certainly keep up with updates from upstream and make sure that I am aware of any software updates that I need to install. I like to stay updated with patches and all that. That was the main reason I finally upgraded from SG-1000. It was no longer getting the updates. There is always a bit of extra maintenance. It is not because pfSense demands maintenance. It is because the environment demands continual maintenance and monitoring. Paying attention to logs is a healthy practice.

I always make updates via pfSense whenever I am making updates in the environment for adding new DHCP reservations for various hosts in the environment and other things like that. I moved my local DNS services from pfSense because I had to go into the web GUI and clumsily add in new host entries. It was getting burdensome. I just wanted to be able to do this in a text file like I could on a Linux server. You just add your entry to the host file and you are done. I moved to DNS services on the Pi-hole software. Pi-hole is a partial competitor because it does not do everything pfSense does, but it can do some of the things. It focuses on ad blocking and filtering as well as providing local DNS resolution. A nice thing with Pi-hole is that you can literally open up a text file and add your entries there, and they just start working. You do not have to move from a terminal-based workflow to get that change made. Clicking through a web browser is not my favorite. It is a disruption to a workflow. So, maintenance is directed by requirements in the environment.

I buy the appliance and accept whatever comes with it, but I am not bought into paid support. When it comes to the pricing of the appliances, they are pretty competitive. The price is pretty competitive.

I just bought a Netgate SG-1100. Within the past year, I upgraded my Netgate SG-1000 from 2017 to Netgate SG-1100. I looked at some of the higher-spec products, but they started to get pricier. For example, Netgate 2100 was a consideration. The difference between the 1100 and 2100 is double. I looked at the specs of 2100 and what it could deliver. I did not need all the extra specs. I do not need to perform at that level although it might be nice to have some extra ports on my box. I then looked at 1100. I could get by with those specs. It was an improvement over the tiny SG-1000 that I was running, so it was a win, but the question always is whether there is something competitive and similar that I can build for less money and whether it would deliver the same value. You can get these Small Form Factor PCs. You can get ARM systems and x86 systems and similar form factors. You can get them with multiple NICs already installed. This is more or less your hardware with no support. You get a warranty on the hardware, but they are not selling you the software. You put whatever you want on it and build your system. You can install pfSense CE on that or build your own router on a device like that. Why I chose to buy it from Netgate was the peace of mind of the full stack support because it is probably the most critical portion of my entire home network. I decided to invest a little bit more and trust somebody else a little bit more to have my back. Peace of mind comes from having bought the official appliance. It has a very reasonable and competitive price model.

In terms of the total cost of ownership, you have the hardware price. You are combining the price of any hardware support contracts that you may or may not be paying for and somehow estimating the administrative time that is required to actually manage the system itself and billing somehow for that appropriately. That is a tough one because that is where there is a gray area of home business usage. Aside from that gray area, the investment rolls off very quickly. I can recoup this investment within a year.

I would rate pfSense a nine out of ten. It is delivering on my needs. There is little room for improvement. They can just close the gap. You always want to keep closing that gap when it comes to usability, inconvenience, and meeting the workflow, but it is definitely delivering to my expectations very well.

It's a straight-up front edge router used in various scenarios for front-ending multiple websites and multiple web applications for various marketing scenarios which require certain back-end firewalling that you would need to utilize. We found that it works much better than others. It's not like the Ciscos, which, at the time, were incredibly expensive and difficult to work with unless you had a CCNA who was programming it for you.

I was looking for routers that were capable of doing multiple firewalling, which it does. We wanted it for setting up demilitarized zones and setting up some failover for WAN for the internet. We looked at that, and we played around a little bit with Untangle. pfSense was just far easier to get configured and working, and there were no hidden costs or fees involved, which made it very nice to use.

They have a whole section of package management that you can add stuff to. We use pfSense to do a little bit more than what we would or what I would normally do today in a medium to large enterprise.

The flexibility of pfSense is fantastic. You can use it in a number of situations. I have it running on my home Netgate. At the same time, I can just put it on a slightly larger machine and run a massive, highly trafficked web environment. It will run anywhere.

It's easy to add features to pfSense and configure them assuming about web networking and routing and traffic through an edge router scenario. For a home user, it's probably a lot more than they would get through, but they wouldn't need to since you can just install it, and it just works right out of the box. Just about everything is easy. It's extremely well documented, and the amount of help that's available is fantastic.

I saw the benefits of pfSense immediately. When you need your router to do something more than, for example, a store-bought router for home, you immediately see it since now I can do things. I can set up multiple LANs. I can create a firewall between the LANs. I can open up a full demilitarized zone or just port forward into specific LANs and have the LANs porting between themselves in various ways. You don't get that stuff in your normal consumer-grade solution. You have to spend a lot of money to get a serious data center router - and on top of that, you need to get somebody to program that from the command line, which is very expensive. In contrast, pfSense has a graphical user interface, which makes it all very straightforward and easy to use to set up some pretty sophisticated routing scenarios.

I don't use pfSense to prevent data loss as I have backups, both on-site and off-site backups. It's effective for preventing data breaches.

pfSense gives users a single pane of glass as a type of management. There is everything in one instance. It has a graphical user interface. It'll come up with a dashboard that you can customize to put whatever you need to see up on there. I can customize the dashboard to show me the most important things to me. It's incredibly intuitive.

Managing multiple devices is easy enough. You just log in remotely to the device, and it's all connected through the IP. It's really quite simple.

There are two versions of pfSense: the community edition, which is free, and the plus version, which is paid. I'm using the paid one presently.

The solution minimizes downtime. Once it's configured, it works. I don't have to worry about it. I fully know it backwards and forwards since I've been using it for 15 years now and it pretty much just works. I have certain instances of pfSense that haven't even been rebooted in years since it's up and running and it keeps running, and it runs well. I rarely need to touch certain my installs after they've been set and configured.

The solution provides visibility that enables data-driven decisions. It has logging. It has intrusion detection systems, which will give you a whole lot of data that you can make decisions on. For example: Who do I need to block? Is somebody trying to attack me? It'll allow me to collect all that information to make critical decisions regarding exposing certain resources to the internet.

pfSense helps optimize performance in combination with the hardware that it's running on. That will determine what kind of performance you're going to be getting out of the box. It's a very lightweight software package. Depending on the hardware, you can hit it with lots of traffic, and it won't even hiccup.

I would like to see more active updates coming out of the developers. I like the FreeBSD. That said, the developers in FreeBSD are less productive than what you see out of the Linux community, where there are millions and millions of developers. Being FreeBSD-bound, it seems they're short of developers who have to specialize in that operating system.

I've used the solution since 2009.

The solution never crashes and never lags. It works. You fire it up, and it will work for the next 50 years. As long as the hardware is working, pfSense will just go on and do its thing.

Scalability all comes down to hardware. When you put pfSense on more robust hardware, it performs pretty well. 

For the paid version, if I have an issue, I need to open a ticket. Before I had my business going, I used the community, and it worked it worked just as well. I haven't had a need to call support. However, I pay for pfSense Plus support in case something happens that's over my head that I need to speak to an expert about.

I contacted them when I had a question about a Snort setup, which is for intrusion detection and prevention. It turns out you have to contact their specialist, and that Snort requires you to pay extra for that help. It's a third-party plugin for pfSense. However, in relation to pfSense, issues, I have not needed help. 

I've used Untangle and Cisco routers, and I've tried OPNsense.

I prefer pfSense. I'm comfortable with it. It's rock solid. I've never had an issue with it. I tell it to do something, and it does exactly what I tell it to do.

I have purchased NetGate appliances for customers. For my business, I have hardware that I've repurposed for pfSense.

The initial deployment, either way, is very easy. It would probably be easier than most commercial routers that people buy.

A simple instance where you're just using a firewall router with one LAN can take less than five minutes. You just install the software. It picks up the WAN IP and gives you a LAN IP, and it's up and working as quickly as the software will install, which is usually less than five minutes on most devices and most hardware.

I do the deployments myself. I don't see where a team would be required for this. It's just a firewall router. If you need a complicated setup, it might take one person, a couple of days of planning, and then implementation. That said, I don't see where you would need a team to do that unless you're installing a bunch of other network hardware at the same time, multiple switches, or a ten-gig, one-gig type of scenario. However, that's not a pfSense issue.

In terms of maintenance, generally, there is none. It will update itself. I see very few critical security updates. Most of them are our feature updates. I have certain installs that have been running without rebooting for five years, and it just installed them. Mostly, I'm leaving it alone.

The pricing is reasonable for what it is. I usually put it on my own hardware. The licensing for me is relatively inexpensive for what I'm getting out of it.

The Total Cost of Ownership (TCO) is fantastic. You can use the community edition and get expertise from the manufacturer. It's quite reasonable. It's quite a good setup.

I'd rate the solution nine out of ten.

I'd advise potential new users to install it, plug it in, get to know it, log into it, and you'll start to see how easy and robust it is. The more you use it, the more you learn, and you'll like it as much as I do.

We use pfSense internally to protect our management networks and provide VPN access to our internal staff. We also use it for customers needing a more sophisticated firewall than your home or small business WiFi router firewall package.

We deployed it at work when I got hired because we needed to replace the existing hardware solution. I've used pfSense for over 10 years, so I drew upon the experience from the experimentation I do in my home lab.

We're an ISP that provides managed services. We deploy pfSense as part of a larger solution, usually a contract for managed services. We provide their Internet circuit and a managed firewall so that they don't have to do that themselves. They pay part of the hardware cost—maybe 50%—upfront, and then the rest of it is applied against a contract, after which they will then own the hardware.

We use pfSense as a hybrid within our data centers, with some virtualized instances running pfSense community edition and some as Netgate hardware running pfSense Plus (the higher-end ones because we need a firewall that can handle 10 gigs of throughput). We've got multiple different models of the official hardware deployed for ourselves and some managed customers. They range from small businesses to a professional sports venue.

We use pfSense for work because I was already aware of its flexibility for our needs. The solution provides a great base level of network protection. PfSense is not a next-generation firewall, so it doesn't do in-line virus scanning or offer out-of-the-box IPS/IDS, but that can be covered by a manged antivirus suite and following good security practices. In terms of how secure pfSense is and how secure it keeps your network, it does that very well.

The biggest benefit of pfSense is its ease of setup, especially for VPN — both the end-user VPN and site-to-site VPN. It's easy to add features to pfSense via the package management system. We can just turn things on. They have made it much easier to deploy things like free radius, where we want to have enterprise authentication for WiFi. It's by far the most flexible firewall I have ever worked with. There are also packages for ACME for Let's Encypt SSL certificates, and HA proxy.

The pfSense Plus package has given us peace of mind, but we haven't had to open many trouble tickets with NetGate. Aside from the maintenance and support contract, the only feature we use from pfSense Plus is the wizard for building site-to-site VPNs from our locations to AWS VPCs. Building site-to-site IPSEC tunnels to AWS is a fairly complicated task, so having that wizard made it easier.

I would like a management console to manage and monitor multiple pfSense installs. We have several pfSense hardware devices installed and as far as I know, there is no single, unified pane of glass that I can use to manage all of them at once. That's the one thing I wish I had, just having a good single unified configuration interface for each install. 

I have used pfSense at my current company for at least four years now, but I've used it personally for over 10 years. 

I have to really dig deep to come up with any shortcomings. If you are using VLAN tagging, and making adjustments, restart the DHCP and DNS services manually, just in case.

As far as I know, there isn't a single console from which I can manage multiple installs. That is the only thing impacting their scalability. They max out at 10 gigabits per second, but anything above 10 gigs is such a niche market. To be honest, I doubt that's their target.

I rate Netgate support 10 out of 10. They turn around tickets quickly and their staff is fairly well educated. When I provide detailed information about the problem, they've been able to reply quickly with a solution or go research the problem and get back to us quickly with a fix. It's been pretty top-notch.

Positive

I've used OPNSense, a fork of the pfSense project, as well as Cisco ASA, PIX, Palo Alto, Ubiquiti's Unified Gateway, SonicWall, and FortiGate. Some bigger Ubiquiti firewall products are comparable to pfSense, and Cisco ASA has name recognition. SonicWall and FortiGate offer some enhanced features, like better threat management you get as part of a subscription, some block lists, and some more next-generation firewall features.

Overall, our chosen solution is pfSense, as it balances features and cost. It isn't the best at everything, but it's more than enough for almost everything you can throw at it, and it isn't ridiculously expensive like some solutions. It is massively flexible. Although it is missing some of the more esoteric features, you don't need those features 99% of the time. If you have the budget for it and need to do something more advanced than just the basic firewall, it remains the go-to solution we use every time. It's why I keep a couple in stock on the shelf so that I don't have to order them if we need one for an immediate customer install.

It's incredibly easy to deploy pfSense and takes no more than 30 minutes in a typical small office setup. A typical out-of-the-box setup for a small business can be running in five minutes flat. We usually have a two-person team with someone from our network engineering team responsible for the configuration and a field tech installing equipment on-site.

Regarding maintenance, you need to go back in occasionally and install the most current version of the software. We check for updates every couple of months, and that's it. That's it for maintenance. Once it's installed, we fire it and forget. It's there, and it works.

In-house

Priceless

I would say pfSense is competitively priced. It isn't the cheapest hardware, but I've never had a problem with it. It is far cheaper than big brand names like FortiGate and Cisco while delivering a feature set that's nearly the same across the entire list. The only places it falls short are esoteric features that almost nobody needs.

The support plan is reasonable. The pfSense Plus license with the warranty is either 400 or 800, depending on the level you want. For a commercial customer, that's more than reasonable and a lot cheaper than many solutions. We haven't had any sort of issues with the firewall hardware itself, so it's doing extraordinarily well on the total cost of ownership.

We did side by side comparisons of the feature sets and prices, and drew upon our experience with multiple vendors, including the equipment we had at the time.

I rate Netgate's pfSense 10 out of 10. I recommend turning on the built-in automatic configuration backup so that if you mess something up, you can easily restore the configuration from a backup and get it back up quickly. I also suggest downloading the community edition on a spare computer to play with and break because it's free.