
pfSense 2.3.3 released - y0ghur7_xxx
https://blog.pfsense.org/?p=2325
======
kogepathic
pfSense is good, I've used it before.

But, anyone considering a firewall should also consider OPNsense. OPNsense is
based on FreeBSD 11 [0] (pfSense 2.3.3 is based on 10.3), while offering many
of the same features as pfSense.

Others have argued that OPNsense takes security more seriously:
[https://news.ycombinator.com/item?id=13615724](https://news.ycombinator.com/item?id=13615724)

[0]
[https://opnsense.org/opnsense-17-1-released/](https://opnsense.org/opnsense-17-1-released/)

~~~
zer0t3ch
Since you seem to have some idea of what you're talking about: how would you
compare the BSD-based firewall distros to the Linux-based firewall distros?
Personally, I'm partial to VyOS, simply because I have the most experience
with it. (Or rather, its fork, EdgeOS)

~~~
trome
I've got a few dozen businesses with PFSense with LTE backup, and at this
point I'm looking for alternatives. I've considered IPFire, and I've looked at
VyOS, Untangle, and OPNSense, but I just recently realized I completely
overlooked OpenWRT, which I already happen to have many positive experiences
with.

Long term I'm thinking I'll move things over to ARM/MIPS based routers running
OpenWRT, and where needed I'll use x86_64 boxes with OpenWRT (eg: Tor Relay at
home) as when things break on OpenWRT, its a lot less bad than on _BSD.

In particular, I've had issues with _BSD taking forever to boot (waited 4hrs
at 3am once), deciding it needed an Intel NIC firmware when it had no Intel
NICs, thus causing an outage while I drove down there with a WNR2000v3 running
OpenWRT, and LTE backup interface handling being poor, whereby the cellular
connection will go out (and we'll send a command to the SOAP API on the modem
to reconnect), but PFSense needs to cycle the interface for some reason when
it already has an internal IP from the modem. Combine that with having to walk
customers through any one of these scenarios every few months over the phone,
and it's a joyous situation.

~~~
edwhitesell
Have you considered using Mikrotik?

I've heard about them for years, but just started using them in the last 12-18
months. So far, I've been very happy with the performance and features for the
cost.

~~~
deagle50
If you need openVPN don't run Mikrotik. I love routerOS but openVPN over TCP
is no good.

~~~
edwhitesell
FWIW I think that depends on the client. I use OpenVPN over TCP with Linux and
Windows clients for managing a remote customer location with no issues.

However, Android doesn't work at all. I suspect it's a configuration issue,
but the lack of meaningful logs makes it damn near impossible to troubleshoot.

If you happen to run an all Mikrotik routing environment, the SSTP tunneling
works well. I have a customer with hundreds of Mikrotiks out in the field,
each with an SSTP connection back to a cloud-based Mikrotik installation for
remote management/monitoring.

SSTP supposedly works with Windows clients too, though I've never tried it.

------
flipbrad
Lots of good fixes there. I've found pfsense rock solid and excellent to use,
over more than half a decade, both:

- for a 250+ device network balancing loads across two consumer broadband
  connections, and
- as my home router and firewall, running in a virtual machine on a somewhat
  ageing HP Microserver N54L.

------
pyvpx
and if you don't need a GUI, you can always install OpenBSD -- no extras
required. it includes a useful OSPF and BGP daemon, BFD in the next release (I
believe), and a version of pf that isn't a few years old :)

