I USE Netgate pfSense for home networks, lab environments, and R&D. In production, professional career-wise, I have built pfSense production firewalls that run in various configurations and high availability for different organizations serving a different number of clients and servicing any amount of requests throughout any given day.
It also serves thousands to tens of millions of requests a second a day from small to large deployments.
Netgate pfSense is an extremely flexible solution. It is an open-source tool that has a very large community of professionals, enthusiasts, and hobbyists alike. There is a lot of flexibility in doing whatever you want with it. It also offers enterprise-grade support so that you can have something equivalent to the Cisco enterprise-grade data center firewall product. You could build that with pfSense or OpenSense, which is a derivative of pfSense.
The initial benefit I saw of pfSense was way before I ever used it professionally. It is a robust tool that can replace your consumer-grade firewall router solution. I also saw immediate benefits in my professional career as it is a powerful solution that can be compared to other solutions like Palo Alto or Meraki today.
Netgate pfSense can be a fully functional L7 firewall. You can not only have the base Layer 3 functionality of the firewall, but you can add things like Snort and pfBlockerNG to build out and become an L7 firewall doing actual inspection and security analysis.
It is very easy to add and configure features to Netgate pfSense.
pfSense has a built-in auto-configuration backup. While that is technically data loss from the sense of protecting the firewall, it is a feature Netgate offers to every pfSense user, licensed or not. You get this feature if you have a Netgate appliance. Just using pfSense won't get you that. There are third-party packages you can use to set up pfSense configuration backups if you don't have pfSense Plus.
In terms of data loss outside of that, you configure it in a way that puts it as a security device. By default, pfSense is not inherently a security device. It is a Layer 3 filtering firewall. If you want it to be a security appliance beyond basic TCP/IP Layer 3 filtering, you can run Snort or pfBlockerNG to turn it into a security appliance. Doing so can aid in data loss prevention by using the tool for basic intrusion detection prevention.
Netgate pfSense provides a single-pane-of-glass management capability. Its dashboard has a lot of prebuilt functionality, allowing you to have a single-page view of the firewall's status and everything going on with it.
pfSense Plus provides features that help us minimize downtime as a supporting part of the infrastructure.
pfSense Plus provides visibility that enables us to make data-driven decisions. The kind of data-driven decisions that could be made with information from pfSense are things like how much bandwidth I am using and what is the throughput of all my band connectivity.
I can also decide whether I need to go from a 1 Gig network to a 10 Gig network or a 2.5 Gig network and whether I need to increase my commit for my WAN circuit because we see that we are averaging above 99%, etc. The kind of decisions that it can help you make are related to your network and your connectivity.
The visibility that pfSense Plus provides helps us to optimize performance. It could help you to improve performance on the network side. It is, after all, a firewall router, so it is a network piece of equipment. It could help improve performance in that if you are actively monitoring, pulling data from pfSense, or actively reviewing the different types of information and graphs that pfSense provides, you could make decisions to see that a machine is consistently using lots of network traffic.
I have been using Netgate pfSense for 15 years.
I have pfSense Plus in production. I have both pfSense Plus and pfSense Community Edition (CE) running at home. They are essentially the same, and the only difference between them is the support and auto-configuration backup.
Overall, I rate the solution a nine out of ten.
I have two different use cases. I use it as a firewall and security appliance. I also use it in layer three virtual routing scenarios.
The thing that sets pfSense apart from other competitors is the flexibility that it offers. You have a package manager, and there are so many options to choose from -whether it's security, a plugin, or even networking technologies. pfSense supports VPNs. It supports VLANs. It can be virtualized. It can run on physical hardware. You can be agnostic as to which vendors you're using. It is interoperable. It's a very versatile package and system. It's very easy to add features and configure them.
There's a graphical user interface that can be managed and used for almost every feature configuration item and function. There's also documentation on pfSense and NetGate's websites that outlines every configuration item package and configuration setting in extreme detail. There's also a strong community. The community has a support forum online. It is very easy to use.
I've witnessed the benefits pretty quickly. I started using it in production in 2012. Prior to that, I had used it personally from 2009 to 2011. That gave me time to kick the tires and see how it could be used. In 2012, there were very limited deployments of pfSense in the enterprise industry, and support was available, but not like it is now. So, by being able to use it personally, I saw where the benefit was. Then, when we deployed it in a production or enterprise environment, we were able to realize the benefits immediately. And those benefits were: security, supportability, and sustainability. Regarding security, it's backed with BSD, a well-known, tried and tested operating system, and is up to date on patches. It is much more user-friendly to configure than the competition, be it from Juniper or Cisco, HP or the other competitors that are out there. Sustainability is an extreme benefit. The feature parity, along with the cost and flexibility of being able to provide a variety of different hardware networking methods, pretty much sealed the deal.
The solution prevents data loss. pfSense offers an auto backup system, so your configuration and systems that you're running by default can be synchronized with pfSense and their cloud product, meaning that if you suffer a failure or a configuration issue that makes you need to roll back, you can actually rebuild a device or virtual appliance in a matter of minutes and have it back up and running just as it was. As far as other building features, it runs BSD, So you can use SFTP, which is a secure transfer protocol, as well as any other industry standard backup product. The main function that's built-in is the auto backup and restore functionality, which we use from time to time, and it's very helpful.
I use both the community and Plus versions of pfSense. For enterprise and production systems, I use pfSense Plus. I use that on both physical and virtual hardware. It works great. The pfSense community edition would be more for a testing environment or a personal deployment.
pfSense features that help to minimize downtime. pfSense comes with opportunities to configure for high availability. In the event of a failure, there are ways to bounce from one appliance or virtual appliance to the other. There is full documentation for that. It uses open standards. Also, on the individual appliances, there are wizards and configurations for WAN and multi-WAN failover bonding or anything in between. That includes failover for your Layer 3 routing firewall rules, filters, et cetera.
pfSense provides visibility that enables users to make data-driven decisions. pfSense supports many different monitoring and logging types. Out of the box, it can monitor. It also supports Syslog. It supports SMPP. You can create baseline reports and watch trends, and those trends could help you be prepared for an increase in bandwidth, routing capacity, or even CPU utilization for beefing up your security rules.
The visibility in pfSense helps you to optimize performance. You can get an accurate picture of what bandwidth is being used and determine where the bottleneck is. Performance isn't just bandwidth. It could be routing. It could be applications. It could even be firewall rules. This provides visibility into issues.
I've used pfSense on the Amazon EC two virtual machines in a limited capacity. I don't have any customers currently that are in production on AWS. However, if I did, I would certainly use their supported appliance or their virtual appliance on the marketplace.
Having a single pane of glass management is on their roadmap. If you have multiple instances, you have to manage these deployments across a wide area. I'm required to keep a third-party product.
The main feature that I could see them adding would be a management interface that lets me manage multiple pfSense instances. As an MSP or consultant, it would be very helpful if I could manage them all from one place.
There are some modernization efforts on the operating system that are needed. Possibly looking at Linux-based operating systems to allow newer features, better hardware support, et cetera, would increase performance.
They should continue to expand in bracing the software and appliance model and expanding reach to cloud providers other than just Amazon. It would be nice if they had a supported appliance on GCP as well. I have customers on Google Cloud, and this would be helpful.
They need a more streamlined or documented approach to how they would like to see virtualized or alternate hardware deployments supported. If I build my own hardware, sometimes I don't know what the best type of hardware is to go with, and having some streamlined documentation and explaining the best practices would be helpful.
I've been using pfSense since 2012.
The solution is extremely stable. I've never had a stability problem.
The scalability is excellent. However, when you get past a ten-gigabit connection, and we are seeing the opportunity for 20 and 100 connectivity methods, that's a bit of a struggle right now.
Technical support is fast and accurate. I would rate them as having the highest level of customer service from my experience working with customer service. They are excellent.
Positive
I've been in the industry since the late 90s. I've worked with a variety of solutions, including Cisco, Barracuda, Juniper, and more. pfSense is easy to use and much more flexible. It really cuts down your speed to value and time to delivery. There's not much of a comparison at all.
The initial deployment is extremely easy. If you're a professional in the networking industry and you have a working knowledge of OSI model networking, IP address routing, and firewalling, you'll be fine. The interface is the easiest and most user-friendly on the market.
For a small to medium-sized business, if I already have accurate information on their Internet connectivity and subnetting, I can get it up pretty fast. You can be up and running in a matter of hours. One person can do a deployment.
There may be some maintenance needed. It depends on what type of agreement I have. Some customers are technically astute enough to handle basic maintenance tasks like updates, security patches, and package updates on a regular basis. If not, I offer a service where I can also manage that for them.
The pricing model is good. It's right about where it needs to be. The total cost of ownership is low and the value is high.
I'm a pfSense customer.
I'd rate the solution eight out of ten.
If users are interested in pfSense, they should try the community edition. It's free to download, and you can just get started and try it out. Moving forward, I wouldn't hesitate at taking a look at the different types of hardware that they have, and to talk to sales.
We use pfSense as our main router.
We implemented pfSense to address the instability and limited customization options we experienced with our previous router.
pfSense is highly flexible, allowing for creating IPsec tunnels and various other configurations.
Adding features to pfSense is easy.
Since implementing pfSense, our overall stability has improved significantly over the last ten years as we transitioned from Prosumer equipment to a more robust tool. This success has allowed me to implement more pfSense routers in other locations. We saw the benefits of pfSense in less than a couple of weeks. Having that added stability is great.
pfSense Plus provides us with the visibility to make data-driven decisions. We can see historical data and bandwidth utilization, allowing us to make informed decisions about our internet connection based on that information.
The most valuable aspects of pfSense are the stability, hardware compatibility, and low cost.
I want pfSense to add some next-generation firewall features.
The scalability has room for improvement.
I have been using Netgate pfSense for ten years.
I rate the stability of pfSense ten out of ten.
Due to the absence of a single pane of glass management feature, scaling out pfSense becomes quite challenging. I'd rate its scalability a three out of ten, as the process is far from straightforward at present.
The few times we've had to engage support, they have been professional and incredibly knowledgeable. If we encounter someone who doesn't have the answer immediately, they can find it very quickly. In the past, they have even joined meetings with us and a client to work on a problem, providing a lot of insight and assistance throughout the process.
Positive
We previously used Prosumer routers, but their capabilities were insufficient for our needs.
Initially, it was a bit complex when I started using the system over ten years ago. pfSense required a deeper understanding than the Prosumer devices I had used before. I had to grasp the ramifications of every action. However, once I overcame that learning curve, it became knowledge I possessed.
It took us about two weeks to implement and learn how to use pfSense. I've noticed that with pfSense, I'm always learning something new. Just because we've used something for a long time doesn't mean we know all of its functionality. For example, I needed to establish an IPsec tunnel for the first time last year. I called in support, and we successfully established the tunnel to another location. There's always something new to learn, whether pfSense adds new features or we encounter a need for functionality we haven't used before.
pfSense Plus is cost-effective for what we're getting. I've been using Netgate hardware for a long time, and including the pfSense Plus license with the hardware offers significant value. Additionally, using pfSense software for free is of great value.
The total cost of ownership is very low. We've used pfSense historically in a simple configuration, and I've been able to train peers on how to use the Netgate hardware and pfSense Plus effectively.
I rate Netgate pfSense seven out of ten only because of the lack of ability to manage all our switching and WAP from one location.
We have three locations, and two to 25 users use a combination of wired and wireless devices and a typical broadband connection.
pfSense requires maintenance when new versions or patches are released. This does not happen often, but it does happen.
I recommend pfSense to others. Once you overcome the learning curve, it becomes almost second nature to use. The cost is also a major factor. Every year or so, I explore alternatives to Netgate hardware, but almost everything I find is subscription-based, like Cisco Meraki or other brands. I'd struggle to justify renewing a router license every 18 months or risk it stopping working. So, using a platform like pfSense without an annual fee is a huge benefit for our budget.
I use the solution in my home. It's my firewall, DNS server, DHCP server, intrusion detection server, and reverse proxy server.
The solution's web interface is very feature-rich and well-supported. There's a large community of users out there you can get to. There are many things that I'm not using at the time. It's got great support for VPNs. One of the ways that I'm using it is for VPN support as well. Netgate pfSense is a great product.
Netgate pfSense is an extremely flexible solution.
You'll see the benefits of Netgate pfSense immediately after you deploy it. The more features you use, the more benefits you get from it. I'm using the tool for VLAN support. That was something I implemented first, and it completely changed the way I was using my network. That was a real game-changer because it provided greatly enhanced security for my network and reduced the complexity of my network.
The firewall, the intrusion detection service, the VPN support, and VLAN support keep me from getting hacked and possibly having problems with ransomware and potential data loss.
pfSense Plus provides features that help us minimize downtime. You can create copies of different environments that you set up. If you want to try a setting but want to be protected from loss and downtime, you can create a copy of your current working environment.
You should try adding the new change to your pfSense configuration. If that doesn't work, you can easily go back to the working configuration with just a simple change from within the web interface. It also does automatic backups of its configuration.
The visibility of pfSense Plus helps us optimize performance. You can overcome latency issues through traffic shaping. I previously had buffer bloat issues, which I don't have currently.
If you have a slower connection, you can use traffic shaping limiters and priority queues to ensure that your VoIP traffic, internet TV traffic, or streaming traffic has enough guaranteed bandwidth. In my case, my broadband connection is wide enough, and I do not have to really use those features.
The cost of ownership of Netgate pfSense with the hardware cost was about $ 350.
It would be nice for the code optimization to run on even slower processes. It's optimized quite a bit, but there's always room for improvement.
I have been using Netgate pfSense for two years.
We haven’t faced any issues with the solution’s stability.
From my point of view, the solution's initial setup is pretty easy. Many YouTube videos are out there to help you get it up and running. There's a lot to try, a lot of things to do, and a lot of technology to play with, but I'm afraid I'm a bit of a tinkerer. To do what I initially wanted, I probably spent a day.
I would like to see the solution's price reduced.
There is some complexity to adding features to pfSense and configuring them. I would not say it's extremely complex, but it's got a high degree of complexity.
The website is all you need to configure Netgate pfSense. If you choose to, you can use its SSH terminal interface, but that's not something that most users would do. I would think they would stick with its fully developed, mature web interface.
The solution by itself does not need any maintenance. However, if you use the incursion detection plugins, you need to make sure that those are tuned properly. That involves periodic checks and possible adjustments. New users should be prepared to learn, read the manual, and utilize YouTube resources. It'll be worth it.
Overall, I rate the solution ten out of ten.
It's a straight-up front edge router used in various scenarios for front-ending multiple websites and multiple web applications for various marketing scenarios which require certain back-end firewalling that you would need to utilize. We found that it works much better than others. It's not like the Ciscos, which, at the time, were incredibly expensive and difficult to work with unless you had a CCNA who was programming it for you.
I was looking for routers that were capable of doing multiple firewalling, which it does. We wanted it for setting up demilitarized zones and setting up some failover for WAN for the internet. We looked at that, and we played around a little bit with Untangle. pfSense was just far easier to get configured and working, and there were no hidden costs or fees involved, which made it very nice to use.
They have a whole section of package management that you can add stuff to. We use pfSense to do a little bit more than what we would or what I would normally do today in a medium to large enterprise.
The flexibility of pfSense is fantastic. You can use it in a number of situations. I have it running on my home Netgate. At the same time, I can just put it on a slightly larger machine and run a massive, highly trafficked web environment. It will run anywhere.
It's easy to add features to pfSense and configure them assuming about web networking and routing and traffic through an edge router scenario. For a home user, it's probably a lot more than they would get through, but they wouldn't need to since you can just install it, and it just works right out of the box. Just about everything is easy. It's extremely well documented, and the amount of help that's available is fantastic.
I saw the benefits of pfSense immediately. When you need your router to do something more than, for example, a store-bought router for home, you immediately see it since now I can do things. I can set up multiple LANs. I can create a firewall between the LANs. I can open up a full demilitarized zone or just port forward into specific LANs and have the LANs porting between themselves in various ways. You don't get that stuff in your normal consumer-grade solution. You have to spend a lot of money to get a serious data center router - and on top of that, you need to get somebody to program that from the command line, which is very expensive. In contrast, pfSense has a graphical user interface, which makes it all very straightforward and easy to use to set up some pretty sophisticated routing scenarios.
I don't use pfSense to prevent data loss as I have backups, both on-site and off-site backups. It's effective for preventing data breaches.
pfSense gives users a single pane of glass as a type of management. There is everything in one instance. It has a graphical user interface. It'll come up with a dashboard that you can customize to put whatever you need to see up on there. I can customize the dashboard to show me the most important things to me. It's incredibly intuitive.
Managing multiple devices is easy enough. You just log in remotely to the device, and it's all connected through the IP. It's really quite simple.
There are two versions of pfSense: the community edition, which is free, and the plus version, which is paid. I'm using the paid one presently.
The solution minimizes downtime. Once it's configured, it works. I don't have to worry about it. I fully know it backwards and forwards since I've been using it for 15 years now and it pretty much just works. I have certain instances of pfSense that haven't even been rebooted in years since it's up and running and it keeps running, and it runs well. I rarely need to touch certain my installs after they've been set and configured.
The solution provides visibility that enables data-driven decisions. It has logging. It has intrusion detection systems, which will give you a whole lot of data that you can make decisions on. For example: Who do I need to block? Is somebody trying to attack me? It'll allow me to collect all that information to make critical decisions regarding exposing certain resources to the internet.
pfSense helps optimize performance in combination with the hardware that it's running on. That will determine what kind of performance you're going to be getting out of the box. It's a very lightweight software package. Depending on the hardware, you can hit it with lots of traffic, and it won't even hiccup.
I would like to see more active updates coming out of the developers. I like the FreeBSD. That said, the developers in FreeBSD are less productive than what you see out of the Linux community, where there are millions and millions of developers. Being FreeBSD-bound, it seems they're short of developers who have to specialize in that operating system.
I've used the solution since 2009.
The solution never crashes and never lags. It works. You fire it up, and it will work for the next 50 years. As long as the hardware is working, pfSense will just go on and do its thing.
Scalability all comes down to hardware. When you put pfSense on more robust hardware, it performs pretty well.
For the paid version, if I have an issue, I need to open a ticket. Before I had my business going, I used the community, and it worked it worked just as well. I haven't had a need to call support. However, I pay for pfSense Plus support in case something happens that's over my head that I need to speak to an expert about.
I contacted them when I had a question about a Snort setup, which is for intrusion detection and prevention. It turns out you have to contact their specialist, and that Snort requires you to pay extra for that help. It's a third-party plugin for pfSense. However, in relation to pfSense, issues, I have not needed help.
I've used Untangle and Cisco routers, and I've tried OPNsense.
I prefer pfSense. I'm comfortable with it. It's rock solid. I've never had an issue with it. I tell it to do something, and it does exactly what I tell it to do.
I have purchased NetGate appliances for customers. For my business, I have hardware that I've repurposed for pfSense.
The initial deployment, either way, is very easy. It would probably be easier than most commercial routers that people buy.
A simple instance where you're just using a firewall router with one LAN can take less than five minutes. You just install the software. It picks up the WAN IP and gives you a LAN IP, and it's up and working as quickly as the software will install, which is usually less than five minutes on most devices and most hardware.
I do the deployments myself. I don't see where a team would be required for this. It's just a firewall router. If you need a complicated setup, it might take one person, a couple of days of planning, and then implementation. That said, I don't see where you would need a team to do that unless you're installing a bunch of other network hardware at the same time, multiple switches, or a ten-gig, one-gig type of scenario. However, that's not a pfSense issue.
In terms of maintenance, generally, there is none. It will update itself. I see very few critical security updates. Most of them are our feature updates. I have certain installs that have been running without rebooting for five years, and it just installed them. Mostly, I'm leaving it alone.
The pricing is reasonable for what it is. I usually put it on my own hardware. The licensing for me is relatively inexpensive for what I'm getting out of it.
The Total Cost of Ownership (TCO) is fantastic. You can use the community edition and get expertise from the manufacturer. It's quite reasonable. It's quite a good setup.
I'd rate the solution nine out of ten.
I'd advise potential new users to install it, plug it in, get to know it, log into it, and you'll start to see how easy and robust it is. The more you use it, the more you learn, and you'll like it as much as I do.
I use pfSense as my primary home router and edge gateway. My professional background is primarily in security engineering, though I focus more on pre-sales technical engineering. Due to my extensive experience in direct and security information management over the past decade, I leverage pfSense's capabilities to generate much of the data in my SIM system. This data is essential for laboratory purposes, testing, rule development, and use case creation. As a result, pfSense is a crucial component in securing both my home network and laboratory environment.
I appreciate pfSense's flexibility because I previously encountered issues with hardware reliability. While I'll eventually order dedicated pfSense hardware, I experienced consistent problems with SSD corruption. Frustrated with this, I considered switching to OpenSense. However, I discovered its potential after running pfSense in a virtual environment. The ability to easily create snapshots and recover from mistakes is invaluable. Ultimately, I've decided to continue using pfSense virtually due to its flexibility and convenience.
The ease of adding features and configuring them in pfSense depends on a user's familiarity with FreeBSD and network analytics. While I have extensive experience building firewalls from raw FreeBSD, pfSense offers a user-friendly interface that accelerates setup for newcomers. Its underlying FreeBSD foundation allows advanced users to access and configure low-level features. I appreciate pfSense's intuitive GUI and the secure default configuration provided during initial installation.
After the initial setup process, I immediately recognized the value of pfSense. The straightforward configuration questions provided a solid foundation, making the benefits apparent. While every implementation requires tailored adjustments, pfSense offers a versatile platform to explore various use cases. My primary focus was extracting in-depth information beyond standard firewall logs, such as detailed Suricata events and DNS server activity. As I delved deeper, I discovered pre-built packages that simplified data export to tools like Prometheus and InfluxDB, often meeting most of my requirements without extensive customization.
The advanced pfSense firewall rules offer significant advantages, such as implementing threat intelligence to block malicious actors from accessing our network. Configuring pfSense for radius or two-factor authentication can enhance security by preventing unauthorized access to our environment. These features are among the reasons I appreciate pfSense.
pfSense offers a centralized view of network data, but its built-in dashboards are sufficient for many users. As a fan of Grafana, I prefer a consolidated approach and could utilize pfSense data through either Prometheus or InfluxDB. However, extracting all data for central aggregation, as I'm accustomed to in threat management, aligns more with my preferred workflow. Nevertheless, the ability to customize dashboards within pfSense to monitor firewalls, DNS, and other critical services is valuable and meets the needs of many users, including those focused on point-of-service operations.
pfSense offers several features designed to minimize downtime, including failover, synchronization between routers, and ZFS snapshotting. While these tools effectively reduce downtime, I believe virtualization snapshotting and backups provide the best solution for my needs. Ideally, I would have multiple pfSense routers with a redundant setup, but budget constraints currently limit me to virtualization. Ultimately, the best approach depends on individual requirements and resources.
pfSense provides visibility that enables me to make data-driven decisions.
pfSense's visibility into system performance enables optimization at various levels. The initial user interface provides valuable information about RAM usage, active services, and general health. In contrast, more advanced users can access in-depth kernel-level data for granular insights into system behavior. By offering tools for novice and experienced users, pfSense empowers practical understanding and management of system resource allocation.
I appreciate pfSense's foundation on FreeBSD, which enables me to leverage additional FreeBSD packages for expanded functionality. WireGuard, a core feature I constantly rely on, facilitates my home and mobile devices' constant connection to my home network, allowing complete traffic monitoring and filtering. I value Pia ad-block's effectiveness in network traffic filtering, ad blocking, and malware prevention. Unbound's flexible DNS server complements the robust firewall, which is user-friendly and flexible for rule creation.
I've encountered persistent issues with the solid-state drives built into pfSense hardware devices. The devices consistently malfunctioned despite repeated attempts to resolve the problem, including complete reinstallation. Power outages significantly contributed to the issue, as frequent system corruption occurred following these events. Even after reformatting, bad sectors persisted on several drives across at least three purchased devices. Unfortunately, this has rendered some units utterly unusable due to recurring disk corruption.
While there seems to be support for virtual environments, I believe some modules specifically support VirtualBox. Unfortunately, I've had to customize my own setup again. To accommodate users on platforms like Proxmox, I need to install the QEMU Guest package to provide native support for such environments, similar to other open-source virtualization solutions like KVM. Out-of-the-box QEMU Guest support would be beneficial. I appreciate the inclusion of Suricata, Snort, WireGuard, and Telegraph, which work well behind the scenes. The Prometheus node exporter is also present. Having used pfSense for a decade, I continually discover new functionalities. Surprisingly, some features I needed were already available, but better discovery mechanisms within the product could help users explore them. I would like to see out-of-the-box QEMU support.
I have been using Netgate pfSense for ten years.
Stability has been a concern for me. Hardware-wise, performance has been inconsistent. Software stability has also been an issue, particularly during significant upgrades. I've encountered various problems that required troubleshooting. However, I've noticed a substantial improvement in stability and ease of use for upgrades and patching over the past year or two. While there have been occasional setbacks, such as with the new packet exporter feature, pfSense has become much more reliable overall.
The scalability is good because I started with a simple network, WAN, and LAN setup and expanded it to multiple LANs, VPNs, and internal networks.
Technical support has been good, especially for hardware issues. Whenever my image was corrupted, I could always count on them to send a new NISO image within a few days without questions. However, I don't need much support for configurations or other technical aspects as I prefer to experiment and learn by trial and error in my lab environment. That's the fun part for me.
Positive
I was going to move to OpenShift, but I never made the jump. Eventually, I think my saving grace was my ability to virtualize pfSense. Once I do that, I can bounce back from misconfigurations or something wrong. I have had no problems with pfSense since I got off the harness.
A skilled networking engineer unfamiliar with pfSense can easily configure a firewall. Setting up a NAT barrier between internal and external networks is straightforward; this functionality is included by default. VLAN configuration and other initial setup questions are addressed during the product's initial setup process, the specifics of which depend on the intended use case.
The average time to set up one pfSense box is 15 to 20 minutes.
One person is enough to deploy pfSense.
I prefer the software licensing model. In contrast, hardware costs can be substantial; I once paid around $400 for a piece of equipment, perhaps two or three years ago. I believe they've made improvements since then, although I can't recall the exact model number, as I moved from the smaller SG 1100 to the SG 2100 to accommodate more advanced features requiring additional RAM. Unfortunately, I encountered another hardware failure with the latter.
The cost of ownership is low, especially when purchasing the pfSense Plus and virtualizing it.
I would rate Netgate pfSense eight out of ten.
I use the paid version of pfSense because I constantly was replacing faulty hardware. The previous physical appliances struggled to handle the network load, so I switched to a virtualized solution.
pfSense can be essentially set and forgotten in basic configurations, but utilizing advanced features like Suricata IDS and TF blocking necessitates regular maintenance to ensure rule updates and system synchronization. Consistent care and attention are required for optimal performance in these scenarios.
I recommend that new users keep things simple with pfSense. While I enjoy pushing my products to their limits, simplicity contributes to a more stable system overall.
I am using pfSense for its firewall, gateway, and intrusion detection. I used the Community Edition for years and then switched to the pfSense Plus free-from-home edition. There was a bit of turmoil when IXSystems announced that they would no longer offer the free-from-home edition
We immediately realized the power when we deployed it a few years ago. It exceeded our expectations. As time went on, I discovered more features in the different packages they provide and whether they fit my needs. Over time, it's been a learning process, and I've been greatly impressed with almost every aspect of this product. It has all the things I wanted but found lacking in other products.
All of the features work together to prevent data loss or any compromise of your data. It all boils down to the rule set. I have mine configured so that all the data goes out depending on my Netgate device. Some machines go through a particular VPN connection. If that connection goes down, I've got the rule set configured like a dead man's switch. It's cut off from the outside world, and I get an alarm, and it allows no more attempts to let traffic pass through that connection.
It helps to prevent downtime. Whenever there is an issue, it's the first place I look because I can check the statuses of various interfaces to check whether they're up and then zoom further out to see if it's something in my internet provider, like a faulty cable. It enables me to reduce downtime by quickly determining where the problem might be.
PfSense provides the visibility I need to make data-driven decisions. For example, if I have a spike in bandwidth usage, it shows me which devices on my network are suddenly eating more bandwidth. I can see what's causing that. It also greatly reduces the time spent maintaining my network, so there's a productivity boost.
PfSense has a learning curve, but once you've mastered that, it isn't that difficult. It's very flexible, and you can do almost anything necessary to secure a home network. It has packages that expand its capabilities. For example, you can install Snort if you want intrusion detection. If that's unimportant to you, you can use it to check the bandwidth of all the machines in your network.
Adding features is simple. You go into the menu to check which ones are available and click on the ones you want to install. If you've done your research on the packages you want and the settings you'd like to use, it's a matter of walking through the configuration in the menu. When removing the package, it will revert the settings 99 percent of the time.
I like the interface. You can arrange the windows to see the important information and put them in the order you want. You can see the various interfaces you have at a glance in a single pane of glass. I have certain bits of information I want to see first, and there are secondary or tertiary pieces of information. If you are using VPN connections, you can see their statuses. You can see hacking attempts, which are logged.
It's powerful. You can get quite granular in setting up a highly topical application of pfSense, but if you want just basic protection, you can do that easily. It depends on your needs and how brave you are. You can go deep into the system and do some cool things with it or set up the bare protection you would get from any firewall.
I'm trying to set up a gaming server for multiplayer games like 7 Days to Die. I spent three or four days trying to publish a private IP address through pfSense to the outside world. Some commercial and consumer-grade routers can do this, specifically gaming routers, but pfSense is not intended for this usage.
That's a feature I'd like to see added, where you can go into a submenu, turn it on, and specify which machine or IP address you want to publish. It's not a must-have, but it would be nice to have. I spent a long time trying to figure that out. Ultimately, I was successful, but it was not intuitive.
I have used pfSense since 2016.
I rate Netgate support 10 out of 10. You must have a license for pfSense Plus, and I called them about an unexpected hardware issue that caused me to switch machines. I emailed explaining the situation and got a response the same day. I provided all the information on the new box, and they gave me a license. It was a pleasant, non-stressful experience.
I have used Smoothwall and a few other things that have been abandoned. I liked the look and performance of Smoothwall's interface. It had many of the same features as pfSense, but its capabilities weren't deep enough. I've also used basic Linux distros set up as firewalls, but pfSense is oriented toward an enterprise-level deployment, and I find myself between hobby and enterprise. I also like the added features pfSense provides.
I am not using a Netgate appliance. I deployed pfSense on a very small machine that has plenty of RAM for the overhead, logs, and speeds I want for my network.
When I first installed pfSense, there was a bit of a learning curve. I had to sit down with the documentation and figure out what to do. It wasn't difficult— just time-consuming. That information has carried forward with me. Other people look at me like I'm some kind of expert but I'm really a few pages ahead of them in the manual.
PfSense isn't something you can turn on and forget about. You need to configure the solution and test it. Then you can turn it on and let it run. From time to time, you have to come back periodically to make sure everything is still fine. The initial deployment takes about 30 minutes. It was a one-person job.
I would like to see the price of pfSense lowered by about $50, or maybe they could create a category for home lab users like me with one device. I'm not running a business or profiting from it. I realize that people need to get paid for the work that they do, so I can't complain. They decided that they needed to change their model after providing the product for free for many years.
Before they changed and started to charge for pfSense, the total cost of ownership was phenomenal. It still offers tremendous value, but that was an adjustment. You can choose to go back to the community edition or just pony up the money.
I rate Netgate pfSense nine out of 10. I only give it a nine due to that recent issue setting up the game server. I eventually figured it out and published my solution to the forums. Otherwise, it would be a perfect 10.
We use pfSense internally to protect our management networks and provide VPN access to our internal staff. We also use it for customers needing a more sophisticated firewall than your home or small business WiFi router firewall package.
We deployed it at work when I got hired because we needed to replace the existing hardware solution. I've used pfSense for over 10 years, so I drew upon the experience from the experimentation I do in my home lab.
We're an ISP that provides managed services. We deploy pfSense as part of a larger solution, usually a contract for managed services. We provide their Internet circuit and a managed firewall so that they don't have to do that themselves. They pay part of the hardware cost—maybe 50%—upfront, and then the rest of it is applied against a contract, after which they will then own the hardware.
We use pfSense as a hybrid within our data centers, with some virtualized instances running pfSense community edition and some as Netgate hardware running pfSense Plus (the higher-end ones because we need a firewall that can handle 10 gigs of throughput). We've got multiple different models of the official hardware deployed for ourselves and some managed customers. They range from small businesses to a professional sports venue.
We use pfSense for work because I was already aware of its flexibility for our needs. The solution provides a great base level of network protection. PfSense is not a next-generation firewall, so it doesn't do in-line virus scanning or offer out-of-the-box IPS/IDS, but that can be covered by a manged antivirus suite and following good security practices. In terms of how secure pfSense is and how secure it keeps your network, it does that very well.
The biggest benefit of pfSense is its ease of setup, especially for VPN — both the end-user VPN and site-to-site VPN. It's easy to add features to pfSense via the package management system. We can just turn things on. They have made it much easier to deploy things like free radius, where we want to have enterprise authentication for WiFi. It's by far the most flexible firewall I have ever worked with. There are also packages for ACME for Let's Encypt SSL certificates, and HA proxy.
The pfSense Plus package has given us peace of mind, but we haven't had to open many trouble tickets with NetGate. Aside from the maintenance and support contract, the only feature we use from pfSense Plus is the wizard for building site-to-site VPNs from our locations to AWS VPCs. Building site-to-site IPSEC tunnels to AWS is a fairly complicated task, so having that wizard made it easier.
I would like a management console to manage and monitor multiple pfSense installs. We have several pfSense hardware devices installed and as far as I know, there is no single, unified pane of glass that I can use to manage all of them at once. That's the one thing I wish I had, just having a good single unified configuration interface for each install.
I have used pfSense at my current company for at least four years now, but I've used it personally for over 10 years.
I have to really dig deep to come up with any shortcomings. If you are using VLAN tagging, and making adjustments, restart the DHCP and DNS services manually, just in case.
As far as I know, there isn't a single console from which I can manage multiple installs. That is the only thing impacting their scalability. They max out at 10 gigabits per second, but anything above 10 gigs is such a niche market. To be honest, I doubt that's their target.
I rate Netgate support 10 out of 10. They turn around tickets quickly and their staff is fairly well educated. When I provide detailed information about the problem, they've been able to reply quickly with a solution or go research the problem and get back to us quickly with a fix. It's been pretty top-notch.
Positive
I've used OPNSense, a fork of the pfSense project, as well as Cisco ASA, PIX, Palo Alto, Ubiquiti's Unified Gateway, SonicWall, and FortiGate. Some bigger Ubiquiti firewall products are comparable to pfSense, and Cisco ASA has name recognition. SonicWall and FortiGate offer some enhanced features, like better threat management you get as part of a subscription, some block lists, and some more next-generation firewall features.
Overall, our chosen solution is pfSense, as it balances features and cost. It isn't the best at everything, but it's more than enough for almost everything you can throw at it, and it isn't ridiculously expensive like some solutions. It is massively flexible. Although it is missing some of the more esoteric features, you don't need those features 99% of the time. If you have the budget for it and need to do something more advanced than just the basic firewall, it remains the go-to solution we use every time. It's why I keep a couple in stock on the shelf so that I don't have to order them if we need one for an immediate customer install.
It's incredibly easy to deploy pfSense and takes no more than 30 minutes in a typical small office setup. A typical out-of-the-box setup for a small business can be running in five minutes flat. We usually have a two-person team with someone from our network engineering team responsible for the configuration and a field tech installing equipment on-site.
Regarding maintenance, you need to go back in occasionally and install the most current version of the software. We check for updates every couple of months, and that's it. That's it for maintenance. Once it's installed, we fire it and forget. It's there, and it works.
In-house
Priceless
I would say pfSense is competitively priced. It isn't the cheapest hardware, but I've never had a problem with it. It is far cheaper than big brand names like FortiGate and Cisco while delivering a feature set that's nearly the same across the entire list. The only places it falls short are esoteric features that almost nobody needs.
The support plan is reasonable. The pfSense Plus license with the warranty is either 400 or 800, depending on the level you want. For a commercial customer, that's more than reasonable and a lot cheaper than many solutions. We haven't had any sort of issues with the firewall hardware itself, so it's doing extraordinarily well on the total cost of ownership.
We did side by side comparisons of the feature sets and prices, and drew upon our experience with multiple vendors, including the equipment we had at the time.
I rate Netgate's pfSense 10 out of 10. I recommend turning on the built-in automatic configuration backup so that if you mess something up, you can easily restore the configuration from a backup and get it back up quickly. I also suggest downloading the community edition on a spare computer to play with and break because it's free.
