pfSense Poll (and a follow-up question)

From: David White 
Let's take a poll. Who has experience with pfSense?

I spoke with a (tech savvy) board member of a local nonprofit early last
year about moving their organization off of a different (closed source)
firewall onto pfSense, and he expressed concern that if I went away, not
many others in Chattanooga know pfSense.

If I had to guess, several of you know it. I know that I know others here
who know it.

That said, I've just sent an email to the assistant director (and the exec.
director) over there, making another recommendation and push for pfSense.

I did a network analysis, and have never been able to get more than 45mbps
with their current box to the outside world, although they have EPB (and
bypassing the firewall, I was able to get 115mbps on my laptop, even though
they're paying for 100mbps).

The throughput of their current box (Watchguard XTM 23) is 40mbps when
services are running (VPN, WebBlocker, etc...), and 195mbps when those
services aren't running.

The Watchguard box only has 256mb of RAM.

I'm making a recommendation to purchase an embedded, fanless 1.8GHz
system with 2GB of RAM, and let me install pfSense onto an SSD.

Does anyone have specific experience in regards to pfSense throughput on
similar hardware when a few different services are running such as VPN and
SquidGuard (which I'll use for web filtering - they run a student computer

I'm almost certain I'll be able to increase their throughput up to the
amount EPB is giving them, but I wanted to run it by you guys and make sure
I'm not crazy.

David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide

===============================================================
From: Stephen Kraus
------------------------------------------------------
I thought pfSense was getting aged, is Sonicwall still popular? Ironically, this question comes just at the right time, we need to upgrade our firewalls at work.

===============================================================
From: Ashley Wilson
------------------------------------------------------
I haven't done any throughput testing, but I have never been displeased by performance. I am using a Lanner FW-7535 fanless system with the OS on a Sandisk CF card. Only negative feedback has to do with the OpenVPN service DOS situation with some specific crypto settings. That is an old bug and may be fixed already. The DOS only affected the OpenVPN service, not the whole machine.

===============================================================
From: Nick Smith
------------------------------------------------------
+1 for pfsense, it's stable and under active development. If you just want a basic firewall with port forwarding and don't go crazy and install snort or squid or something, those specs should work just fine. If you were trying to push a gig through that thing you might need more power, as I'm sure others on here will verify.

===============================================================
From: David White
------------------------------------------------------
PS... I love pfSense and did a successful implementation of it on the exact same hardware I am recommending a month ago at my church. I haven't been able to do throughput testing though since they are still on Comcast (moving to EPB this summer though).

===============================================================
From: Andrew Rodgers
------------------------------------------------------
I know it. Well.

===============================================================
From: Rod
------------------------------------------------------

===============================================================
From: "Alex Smith (K4RNT)"
------------------------------------------------------
I prefer pfSense. m0n0wall and DD-WRT share 2nd place, depending on the host device.

"'With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on we're all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"

- Alex Smith - Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA

===============================================================
From: Jason Brown
------------------------------------------------------
As do I. I use it in some fairly high bandwidth situations and with advanced configurations: BGP failover, CARP synchronization, etc. The operations staff at EPB have experience with it too, and they even set up a mirror pfsense configuration at their office to test BGP with their setup before we deployed it. We can saturate our 700Mbit connection at the office, but only in testing. In real world usage the external endpoints just don't have enough bandwidth to keep up. In some cases we have to throttle because we can accidentally perform a very effective DOS event just sending some ftp data.. PfSense also has reasonably priced commercial support.

--Jason

===============================================================
From: Aaron welch
------------------------------------------------------
I have also done some HA CARP configurations and about 50 installs worldwide using pfsense. It is my go to for cheap firewalls for businesses.

-AW

===============================================================
From: Andrew Rodgers
------------------------------------------------------
So, has anyone on here done a direct comparison of pfsense to the Ubiquiti edgerouter? The only people I've talked to that are using the edgeRouter series haven't been real familiar with pfsense. What do you lose between the two either way? I know that this "Dell Optiplex 755 Intel Core 2 Duo 3.00 GHz 4GB DDR2 Desktop" can do gigabit linespeed throughput, and I bought it on ebay for $45. I think I had an intel dual gig nic to stick in it, so total build might be $100 if you bought on ebay. That's what's running my house. I've not been happy with pfsense on less than 3ghz x86 machines.

Andrew

===============================================================
From: David White
------------------------------------------------------
I love the Ubiquiti APs, but don't have any experience with the edgerouter. My particular client that I'm trying to move off of WatchGuard only needs to push 100mbps (at least, that's what's available to them from EPB), which is why I was thinking the specs I mentioned earlier would be sufficient. Anyway, I'm glad to know several of you are also pfSense fans. Helps my case. :)

===============================================================
From: Mike Harrison
------------------------------------------------------
I use it in a few places, and have taught others. pfSense is mostly admin'd through a very capable Web-Gui just like every other similar device. It uses nice standard terms for what it does and it does it all well. No secret trade names and weird configs for what is really standard stuff. The OpenVPN support rocks. If it works, and they don't need the speed, does it matter? Running VPN, Squid and SquidGuard can suck up some serious cycles. I'd put it on a serious machine if doing a lot of that.

===============================================================
From: Matt Keys
------------------------------------------------------
+1 for pfsense but I'd go with a bigger box that you could virtualize with. pfsense also plays nice with sip/rtp traffic traversing the nat.

===============================================================
From: Dave Brockman
------------------------------------------------------
This has not been my experience when using the interface IP address for your SIP/RTP translations. Without the SIP Proxy, I had one-way audio issues. Moving my SIP trunks to a VIP and 1:1 NAT resolved that issue. Same problem and fix I have on Cisco ASA boxen.

Regards,

dtb

--
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925
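To make the two setups in Dave's reply concrete, here is a hand-written pf rule fragment (an added illustration, not from any poster and not pfSense's own generated ruleset) contrasting outbound NAT to the WAN interface address with a 1:1 NAT (pf `binat`) on a separate WAN virtual IP for the PBX. The interface name em0, the PBX address and the public addresses are all constructed.

```pf
# Constructed example: WAN is em0, the PBX sits on the LAN at 192.168.1.10.

# The fix from the thread: give the PBX its own public address (a WAN
# virtual IP, 203.0.113.10, constructed) and map it 1:1 with binat.
# binat translates both directions without rewriting source ports, so the
# RTP ports the PBX advertises in SDP match what the far end actually sees.
binat on em0 from 192.168.1.10 to any -> 203.0.113.10

# The setup that gave one-way audio: everything else leaves from the
# interface address (em0). pf may rewrite source ports here, which is why
# media negotiated in SDP can end up pointing at the wrong port.
nat on em0 from 192.168.1.0/24 to any -> (em0)

# Inbound traffic to 203.0.113.10 is translated to 192.168.1.10 before
# filtering, so the filter rule names the internal address. Admit only the
# SIP signalling port and the RTP range the PBX is configured to use.
pass in on em0 proto udp from any to 192.168.1.10 port { 5060, 10000:20000 }
```

If a dedicated public address is not available, pf's `static-port` option on the outbound NAT rule (`-> (em0) static-port`) is the other common way to keep the PBX's source ports unchanged.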

===============================================================
From: Matt Keys
------------------------------------------------------
SIP ALG "helpers" are usually the culprit on ASAs. On pf try system -> advanced -> firewall/nat -> "firewall optimization options" and enable conservative mode.

===============================================================
From: Dave Brockman
------------------------------------------------------
policy-map global

===============================================================
From: Michael Scholten
------------------------------------------------------
Late reply on pfsense... Thanks to you guys I ended up replacing ipcop with pfsense at home. So far I'm liking it a bit more than ipcop. Much more user friendly. Running it on an old desktop right now. Four network cards, WAN, LAN, OPT1 and OPT2, but currently only using LAN and OPT1. Planning on using OPT2 for any random projects that might not play nice with the rest of the network. (DHCP, infected machines, etc...) My hope (for the past year) has been to get something installed on the Firebox x750e I picked up last year. I was planning on ipcop but now I think it'll be pfsense. I just need to get my hands on a cf card which means not being lazy and actually buying one... The other thing I want to figure out is how to get the portal capture to work. No real reason, just curious about it. So far no luck but then again I'm just clicking on random options. Haven't actually looked up how to set it up.

-Michael