
PfSense 2.3-Release Now Available - y0ghur7_xxx
https://blog.pfsense.org/?p=2008
======
blinkingled
With the crappy, underpowered consumer routers with gaping security holes
pfSense is a godsend. Last few years I've been running pfSense and the
experience has been fairly great.

I had a backup server running Ubuntu with ZFS which was always on anyways so I
just had to install pfSense on OS disk and it imported the ZFS disks right
away. So for a long time it was both my backup server and the router/firewall.

But lately with all the upgrades (including 2.3 betas and RCs I ran) SAMBA
throughput was reduced significantly - not entirely sure if it were the
drivers, ZFS or something else. And I realized maybe it is not such a great
practice to make your router/firewall double up as a backup server. So I
virtualized the box using ESXi and ran pfSense and Debian in two VMs on it.

The box being weak and running virtualized alongside another backup server VM
exposed the performance issues with pfSense - I had given a single CPU and
512Mb to it and with the GUI and other process overheads - DNS cache, pingers
etc. meant that I had noticeable slowdowns when both VMs were active.

I am giving VyOS a try - it's a Debian-based router distro and purely command
line based but resource utilization wise it seems to be doing fine with 512Mb
and single CPU.

Anyone having a low power dedicated box for pfSense should just use pfSense
though - the UI is way too good in 2.3 release and stuff just works - IPv6,
Tunneling, VPN are very easy to configure along with a bunch of other things
limited only by the box you're running it on.

~~~
htilonom
I recognized your reply from /r/pfsense. Dude, you are running an unsupported
scenario and using your pfSense as NAS. That is a big no-no.

~~~
seanp2k2
If you're a BSD fan, why not use FreeNAS + pfSense on separate VMs? Let them
both do what they're good at :)

~~~
gonzo
I put Bhyve support in pfSense so people could do this.

------
FireBeyond
Not that a firewall needs to look pretty, and yes, I know it's Bootstrap, but
the new UI is so much more pleasant to look at! Worth it for this alone.

~~~
gonzo
And even then, the largest benefit of all that new GUI code is not the look,
but rather the regularity it brought to the source code for same, after over
12 years of organic growth of same.

------
switch007
I'd really love to see an API or a unified configuration system. At $WORK we
have a need for many small firewall appliances, but I refuse to use anything
we can't deploy zero-touch, automate, monitor and back up/restore in a semi-
sane way.

Either it needs a configuration language like Cisco/Juniper that can be
dumped/imported/configured over SSH, or a web API (supposedly on the roadmap
for pfsense 3.0 ... ?). I can't say I'm too familiar with the project, but it
feels like it's just not a priority and that it's going to remain very web
UI focussed.

~~~
jannemann
pfsense was forked a year or two ago, their 2.3 is just to keep up with the
new kid on the block opnsense. And guess what, they have an API ;)
[https://opnsense.org/](https://opnsense.org/)

~~~
FireBeyond
I don't really see what OPNsense has done too much differently, other than
commence re-writing the UI in a different PHP framework and Bootstrap it.

To look at it, you're largely looking at pfSense.

I couldn't find a clear map of what has been changed or added to.

~~~
gonzo
One of the team members at OPNsense "liberated" the source to his former
employer's fork of pfSense (they were using it for their product.)

That's how they got to where they are. The pace of innovation in that project
has slowed since its launch.

------
imperialdrive
Such a wonderful product! Thank you everyone that works on the code!!! I'm
finally able to buy them from the store, feels good to give back after all
these years.

------
FullyFunctional
Hmm, it looks like pfSense doesn't support the one requirement I have of any
router: per-IP (not _interface_) statistics. Is this really such an unusual
thing to want? I want to know how much traffic each device on my network is
producing, in each direction. Ideally also: for suspect devices, I'd like to
know _who_ they are talking to.

~~~
pfg
Sounds like you're looking for the darkstat package, which is available in
pfSense.

~~~
FullyFunctional
Awesome. I got a Qotom Q190PG4 and am up and running.

------
KiDD
I just want to say I absolutely love pfSense! After going through so many
routers I decided to just build my own... For the same cost of a high end
consumer router I built my own 802.11AC Gigabit router that can handle
anything without crashing every day!

------
sashk
Yeah, old design was feeling dated when I had to make a couple changes from my
phone.

Only wish list I have -- allow ZFS on root with zraid. Hope, it's possible in
the future.

~~~
gonzo
Very near future. We're changing the installer for 2.4 (based on 11). Should
be available later this year.

------
cpitkin
Great work. I have been using pfsense for 5.5 years now and it never
disappoints.

------
dockerlocker
In my last round of my linux firewall comparison I liked opnsense very much:

[https://opnsense.org/](https://opnsense.org/)

not affiliated, I just liked it. However the GUI is made of many php scripts
(if they did not change meanwhile) - so it would be great if many more eyes
would like to take a look at the code...

~~~
FireBeyond
They took those PHP scripts and rewrote / are rewriting them in a different
PHP framework, for better, or worse.

