
The pfSense Book - ingve
https://www.netgate.com/docs/pfsense/book/
======
mrmondo
A great resource for an excellently flexible and rock-solid reliable platform.

Have been running pfSense and pfSense clusters for many, many years and had
practically nothing but ultra-reliable success stories.

~~~
AnIdiotOnTheNet
> rock-solid reliable platform

Eh... I've had a lot of issues with it on my flakey Charter internet[0]
connection. Php-fpm hangs so often I added a cron job to restart it every
fifteen minutes, it doesn't always run dhclient when an interface has been
down for a bit and then comes back up (cron to the rescue again), the gateway
monitor did weird and stupid things and had to be disabled, services aren't
always restarted when they crash (Unbound recently), stuff like that.

[0] I am aware that this combination of words is redundant.

~~~
willejs
What hardware are you running pfsense on?

~~~
AnIdiotOnTheNet
Some overpowered former thin client. It isn't likely to be the hardware, which
can run Windows 7 comfortably.

~~~
mrmondo
‘Windows 7’... doesn’t mean much, to be honest. If that OS didn’t corrupt its
filesystem it’d crap out on its poor kernel or registry design, and regardless,
why would you run a presumably important routing system on the same hardware
you thought was suitable for ‘Windows 7’ (rhetorical).

~~~
AnIdiotOnTheNet
High end routers made for enterprises run on significantly fewer resources
than Windows 7 requires. If pfSense can't manage on this hardware then it is
exceptionally bloated for its job.

------
pmorici
Anyone had experience using this to set up an IPsec VPN? I am looking for
something that can do IPsec at 10 Gbps, which seems like it should be possible
with an x86 processor that supports AES-NI, but a lot of anecdotal benchmarks
I've seen on random websites seem to suggest it is difficult to achieve.

~~~
godzillabrennus
YMMV with pfSense. I've been using it since Scott and Chris were in Kentucky
working on it together... that'll date me for sure...

Anyway, I found that unless someone else has already done it and proven the
hardware can handle it then it's all an experiment you conduct on your own
dime.

FYI - Netgate, the parent company of pfSense, went after OPNsense by scooping
up their domain and using it to spread FUD. Just dirty stuff.

[https://en.wikipedia.org/wiki/OPNsense](https://en.wikipedia.org/wiki/OPNsense)

~~~
gonzo
> YMMV with Pfsense. I've been using it since Scott and Chris were in Kentucky
> working on it together... that'll date me for sure...

You've been "using" it. We've been directly supporting it (and before it,
m0n0wall) with cash on the barrel every month since before it was first
released (Oct 2006). In Sep 2012, we bought out Scott, and started investing
even more heavily in pfSense development.

~~~
godzillabrennus
I also “paid” for Netgate hardware and recommended to many companies that they
buy it. So in essence I helped you invest in pfSense development.

What you did was still dirty.

------
late2part
Use it in prod. 10 Gbps throughput on egress NAT on commodity x86 hardware. 5
stars, would recommend.

------
Bucephalus355
Anyone used the commercial firewall / IP list you can slap on top of pfSense?

There is the community version, but then there is also this:
[https://www.proofpoint.com/us/threat-insight/et-pro-
ruleset](https://www.proofpoint.com/us/threat-insight/et-pro-ruleset)

My understanding is it’s around $900 or so a year for a license. That kind of
sucks. But on the other hand I know it’s very easy to install, just a one-
liner in the GUI of pfSense (which is how I found out about it).

~~~
56chan4
The community version is 30 days old, or behind the paid version. The problem
with a lot of IDS/IPS is that it needs to see the contents of the packets
before it can block; unless it breaks the encryption, it's not going to work.
So it's not a panacea, but then nothing is, and it's hard to tell if this is
already provided by AV products with web browser add-ons.

If you take Kaspersky, they are the only AV product which uses CPU
virtualisation to scan for malware running in memory on a Windows box for
their Safe Money web browser facility. CPU virtualisation is one of those
areas that can bypass a lot of security products, so if you can stack up
enough zero days to get into an OS and mod a BIOS, you can hide for a long
time. Single-core CPUs also have their uses as well, but you don't see that
mentioned much either in the security arena.
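The point about content-based IDS/IPS and encryption, as an added example that is not part of the thread and is not pfSense, Suricata or ET ruleset code: a toy Suricata-style `content:` matcher run over a constructed plaintext HTTP request, over the same bytes after a stand-in stream cipher (a placeholder for the TLS record layer, not a real cipher), and over a hand-built TLS ClientHello. It goes one step beyond the comment by showing that what TLS leaves in the clear (here the SNI hostname) can still be matched even when the payload cannot. The rule, the request, the key and the hostname are all constructed for this example.

```python
"""Added example: why a content-matching IDS rule stops working on encrypted
traffic, and what TLS still exposes. Everything here is constructed; it is
not code from pfSense, Suricata or the ET rulesets."""
import hashlib
import re
import struct
from typing import Optional


def match_content(rule: str, payload: bytes) -> bool:
    """Evaluate a minimal rule supporting only content:"..." and nocase;."""
    m = re.search(r'content:"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    needle = m.group(1).encode()
    if "nocase;" in rule:
        return needle.lower() in payload.lower()
    return needle in payload


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Stands in for the TLS record
    layer in this demo only; it is NOT a real cipher (symmetric: applying it
    twice with the same key returns the plaintext)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + struct.pack(">I", block)).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI extension."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host        # name_type host_name(0)
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list          # extension type 0 = server_name
    exts = struct.pack(">H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32                                  # client_version, random (fixed)
            + b"\x00"                                                   # session_id length 0
            + struct.pack(">H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # compression: null
            + exts)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body       # client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the server_name, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    if p + 2 > len(hs):
        return None
    ext_total = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    end = p + ext_total
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
        if etype == 0:
            q = p + 2                                # skip server_name list length
            if hs[q] == 0:                           # host_name entry
                nlen = struct.unpack(">H", hs[q + 1:q + 3])[0]
                return hs[q + 3:q + 3 + nlen].decode()
        p += elen
    return None


# Constructed rule and traffic (not a real ET rule).
RULE = 'alert http any any -> any any (msg:"path traversal"; content:"/etc/passwd"; nocase;)'
HTTP_REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"


def demo() -> dict:
    key = b"constructed-session-key"
    encrypted = toy_stream_cipher(key, HTTP_REQUEST)
    hello = build_client_hello("bad.example.test")
    return {
        "plaintext_hit": match_content(RULE, HTTP_REQUEST),   # rule sees the URI
        "encrypted_hit": match_content(RULE, encrypted),      # rule sees only ciphertext
        "sni": extract_sni(hello),                            # hostname still in the clear
        "roundtrip_ok": toy_stream_cipher(key, encrypted) == HTTP_REQUEST,
    }


if __name__ == "__main__":
    print(demo())
```

The encrypted case fails for the reason the comment gives: the signature has nothing to match against once the bytes are ciphertext, so the sensor must either terminate TLS itself or fall back to what the handshake exposes (SNI here, certificates and cipher suites in practice), which is metadata, not content.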

------
KiDD
Well Worth It!

~~~
StudentStuff
pfSense was nothing but a failure for me. Installing it at multiple clients
caused me to have nightmarish drives to fix simple issues (pfSense would
refuse to boot if the 2nd WAN port was down, decide it had an Intel NIC and
take hours to boot, get wedged, etc.).

The real kick in the pants was when they killed UDP multicast forwarding with
no warning when upgrading, just boom, IPTV no longer works! We moved to LEDE,
which has been extremely fault tolerant. I no longer worry that I won't be
able to remotely fix a router just because it had a minor hardware issue.

~~~
berti
You also gain extra hardware and protocol support by going to a Linux based
solution e.g. BSD does not support 6LoWPAN or any IEEE 802.15.5 hardware to my
knowledge.

~~~
stock_toaster
I love FreeBSD, but as a routing platform, VyOS/EdgeOS are pretty nice.

~~~
Fnoord
There's also Router7 recently shown on HN: "Show HN: Router7 – A pure-Go
implementation of a small home internet router" [1]

PC Engines APU2 [2] is a good hardware platform, and then there's the more
expensive but complete Turris Omnia / Turris Mox.

[1]
[https://news.ycombinator.com/item?id=17530086](https://news.ycombinator.com/item?id=17530086)

[2] [http://www.pcengines.ch/apu2.htm](http://www.pcengines.ch/apu2.htm)

~~~
gonzo
router7 is really cool.

