

PfSense 2.2-Release Now Available - kossmac
https://blog.pfsense.org/?p=1546

======
FireBeyond
I'm a big fan of pfSense - heavy home remote worker user, it stays up and
connects to multiple OpenVPN servers, routing their spaces for my network,
runs a remote access server inbound, an IPv6 tunnel via Tunnelbroker, multiple
static IPs, including straightforward outbound NAT for my Apple TV to access
NBA League Pass games (since the NBA in its wisdom has decided that the Puget
Sound should be blacked out for Portland games and that I can just "tune into
CSN Portland").

------
willejs
I've previously used pfSense as the main routers in offices on embedded
hardware and in the data center on bare metal (for specific use cases). It's
great. I recommend anyone to try this if you want low cost performance,
without compromising on features.

------
dexcs
We use it with about 30 offices, all connected via openvpn. 180GB transfer
every day. No problem for months.... Hell of a software!

~~~
anderiv
Curious why you chose OpenVPN for your site-to-site links. I use it
extensively for mobile VPN users, but for an "infrastructure" VPN, I use
IPsec, which I find to be a much superior solution for that use case than
OpenVPN.

~~~
organsnyder
Not the OP, but I've found OpenVPN easier to configure, and performance to be
adequate. In what ways have you found IPsec to be superior?

~~~
anderiv
Well the #1 thing for me is that the majority of IPsec functions are in the
kernel and don't require that a userland daemon be running (which OpenVPN
requires). Beyond that, I've just found that, while a bit more arduous to
configure initially, performance is far superior and stability is better than
OpenVPN.

Beyond that, pretty much every router out there supports IPsec, so if you're
needing to integrate with other non-pfSense hardware, IPsec is often your only
option.

------
listic
Is ARM support on the radar? There is more and more capable ARM hardware by
the day, while x86 is not getting any cheaper.

I would be happy to try pfSense on something like BPI-R1 (dual-core 1 GHz
Cortex-A7, Wi-Fi, etc., $69 for board)

[http://www.aliexpress.com/store/product/Newest-arrive-BPI-R1...](http://www.aliexpress.com/store/product/Newest-arrive-BPI-R1-Opensource-Router-Original-Banana-pi/302756_2045261784.html)

[http://www.bananapi.com/?layout=edit&id=59](http://www.bananapi.com/?layout=edit&id=59)

~~~
htilonom
MIPS is, I believe, planned first. Check out Netgate (company behind pfSense),
they already have development boards with MIPS.

Bigger upcoming feature is bhyve hypervisor on Pfsense :D

~~~
seanp2k2
Worth noting that the Ubiquiti ERLite runs a MIPS board, but has TCP offload.
It runs Debian current MIPS with Vyatta, and the web UI, while not as fully-
featured as pfSense, is pretty usable. It still helps to be comfortable with
CLI and Vyatta commands (very similar to Cisco IOS) for e.g. setting up L2TP
VPN without an external RADIUS server.

I ran pfSense for years, and it does work great, but an x86 box running all
the time just to do what a little 2-decks-of-cards box can do with 1/10th the
power seems silly these days.

[http://wiki.gentoo.org/wiki/MIPS/ERLite-3](http://wiki.gentoo.org/wiki/MIPS/ERLite-3)

~~~
ddeck
Also worth adding that the ERL runs EdgeOS, which is actually a fork of Vyatta
6.3 with some added features and certain hardware accelerations. [1]

Vyatta was acquired by Brocade in 2012, after which the community edition was
sidelined and the main product became closed source. Thankfully Vyatta core
was forked in 2013 and re-branded as VyOS (free and open source) and is under
active development. [2]

I've used pfSense in the past and VyOS currently and found both to be
excellent.

[1] [https://community.ubnt.com/t5/EdgeMAX/EdgeOS-vs-Vyatta/td-p/...](https://community.ubnt.com/t5/EdgeMAX/EdgeOS-vs-Vyatta/td-p/411816)

[2] [http://vyos.net/wiki/Main_Page](http://vyos.net/wiki/Main_Page)

------
wrboyce
PfSense is great, I've been using it for a few years. 2.2-RELEASE holds
special significance to me, because I contributed a feature to this one :)

------
organsnyder
Great news. I've been running pfSense at home and work for the past few years,
and it's been great. Very stable, easy to configure, and quick with security
fixes.

A pfSense box with a Ubiquiti UniFi access point is a really good combo. Far
more stable than a typical consumer router, and not necessarily much more
expensive.

~~~
peckrob
I run this exact same setup (pfSense-based Mini-ITX router and several
UAP-ACs), and it works outstanding. I had used DD-WRT for several years, but
I had hack piling up on top of hack to keep things running on DD-WRT. When we
moved to a larger house, we could no longer adequately cover the house from a
single router/access point combo, so I took the leap and built a pfSense
machine. Absolutely don't regret it. After getting it set up, it just works
with minimal intervention.

With a little work, you can get the Ubiquiti controller software running on
the actual pfSense machine itself.
[http://community.ubnt.com/t5/UniFi-Wireless/Tutorial-UniFi-3...](http://community.ubnt.com/t5/UniFi-Wireless/Tutorial-UniFi-3-1-4-running-on-pfSense-2-1-RC/td-p/539534)

~~~
organsnyder
I tried running the Ubiquiti controller software on the pfSense box for a
while, but it was a pain - it took 5-10 minutes to start up, and it was lost
whenever I did a pfSense upgrade. I've found it much easier to just point the
access points at a general-purpose server (on-site if available, or on a
remote VPS that I have already).

~~~
peckrob
Weird. Other than the startup thing (which is not a big deal for me because I
leave it running), I haven't had any problems upgrading. A few months ago I
went to 2.1.5 and pretty much everything just worked.

~~~
organsnyder
Minor upgrades were fine. It was a major one (2.0 to 2.1) that wiped it out
for me. This was on the embedded version of pfSense - the full version might
behave differently.

Otherwise, the upgrade was one of the smoothest I've ever had for this sort of
thing.

------
shyne151
I ran PfSense for a year or so... never could get the QoS working completely
right and all the tutorials I found weren't the greatest.

Has anything changed with the QoS configuration?

I've since moved to an Untangle VM that has worked great... yes the interface
might be "dumbed down", but everything has been working excellent.

------
dexcs
It's on FreeBSD 10.1 now. Nice.

~~~
seanp2k2
PfSense and FreeNAS have really made me fall in love with FreeBSD all over
again. It was my first foray into the ~*nix world, so lots of fond memories.

------
olavgg
2.2-RELEASE also has a working 6rd implementation, so now I can finally use
IPv6 :-)

~~~
feld
You could have used it before with a gif tunnel. That's the way I've been
doing 6rd on vanilla FreeBSD without any 6rd support.

edit:

Here's what you put in rc.conf

    cloned_interfaces="gif0"
    ipv6_activate_all_interfaces="YES"
    ifconfig_gif0="tunnel $MYIPv4 $THEIRIPv4"
    ifconfig_gif0_ipv6="inet6 alias $MYIPv6 $THEIRIPv6 prefixlen 128"
    ipv6_defaultrouter="$THEIRIPv6 -mtu 1280"

~~~
olavgg
Great! Thanks!

~~~
feld
This does have one limitation -- you cannot reach other IPv6 addresses also
using the same 6rd gateway. It just doesn't work without handling the full 6rd
protocol. But if you just want IPv6 to the wider internet and don't care about
connecting to other users on your ISP over v6 this is a reasonable solution.
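
An added illustration of the limitation described in the comment above (not part of the thread and not the commenter's code): under RFC 5969 a 6rd router derives the IPv4 tunnel endpoint from the IPv6 destination when it lies inside the ISP's 6rd prefix, whereas a gif tunnel has one fixed endpoint. The 6rd prefix, IPv4 mask length, addresses and function names are constructed sample values.

```python
import ipaddress

# Constructed sample 6rd domain parameters (assumptions, not from the thread).
SIXRD_PREFIX = "2001:db8:aa00::/40"   # ISP's 6rd prefix
IPV4_MASK_LEN = 8                     # leading IPv4 bits shared by all customers
RELAY_IPV4 = "10.0.0.1"               # 6rd gateway (border relay)
MY_IPV4 = "10.1.2.3"                  # this router's IPv4 address


def delegated_prefix(sixrd_prefix, ipv4_mask_len, ce_ipv4):
    """6rd prefix followed by the IPv4 bits that are not common to the domain."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("6rd delegated prefix would be longer than /64")
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    base = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def sixrd_endpoint(dst6, sixrd_prefix, ipv4_mask_len, ce_ipv4, relay_ipv4):
    """IPv4 address a full 6rd implementation encapsulates to for dst6."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    dst = ipaddress.IPv6Address(dst6)
    if dst not in net:
        # Outside the 6rd domain: send via the gateway.
        return ipaddress.IPv4Address(relay_ipv4)
    # Inside the domain: the peer's IPv4 address is embedded in dst6.
    v4_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - v4_bits
    suffix = (int(dst) >> shift) & ((1 << v4_bits) - 1)
    common = (int(ipaddress.IPv4Address(ce_ipv4)) >> v4_bits) << v4_bits
    return ipaddress.IPv4Address(common | suffix)


def gif_endpoint(dst6, relay_ipv4):
    """A gif tunnel has one configured remote end, whatever the destination."""
    return ipaddress.IPv4Address(relay_ipv4)


if __name__ == "__main__":
    print("my prefix:", delegated_prefix(SIXRD_PREFIX, IPV4_MASK_LEN, MY_IPV4))
    for dst in ("2001:db8:aa09:807::1", "2001:db8:bb00::1"):
        full = sixrd_endpoint(dst, SIXRD_PREFIX, IPV4_MASK_LEN, MY_IPV4, RELAY_IPV4)
        print(dst, "6rd ->", full, "| gif ->", gif_endpoint(dst, RELAY_IPV4))
```

For the in-domain destination the two functions disagree, which is the case the gif setup cannot serve; for everything else both send to the gateway.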

------
agumonkey
The tickets graph is impressive.

------
tmp00110011
It still ships an outdated port of PF. Horrible. Go run OpenBSD instead.

~~~
gaadd33
Does OpenBSD/newer PF have better throughput on 10Gbe+ hardware? I've heard
that OpenBSD/PF tends to run into issues due to giant lock and SMP issues.

Since you seem knowledgeable, any pointers to information about that?

~~~
feld
Everything I've seen indicates OpenBSD pf wins on slower single cores but on
fast multi core hardware FreeBSD pf wins.

