pfSense - The Good and Bad

Originally I was going to do this as a video, but here we go!!!

If you're new to pfSense and want to get into more advanced features but could use some tips so you don't stumble, this might be for you. I'm going to cover some of the good things about pfSense and some of the broken things. I'll discuss the company, the hardware, and of course - pfSense!

pfSense is great because it allows you access to the OS and allows additional tools and troubleshooting features because it's more than just a firewall with firmware. Unfortunately this is also a drawback because all of the pieces of the pfSense puzzle were not originally designed to be one. This usually doesn't matter, but when it does it can be frustrating.

Relative to the competition, say SonicWALL, pfSense has a decent product. SonicWALL products, by contrast, are more complex, require more support, and come with poor support. This makes pfSense compelling.

Netgate, the company behind the Open Source project, has recently come out with additional products which might be bad or maybe good. I get the feeling they are not concentrating as much on pfSense any more, probably because it doesn't bring in much money. Maybe it's good TNSR is bringing in more money, allowing them to pay salaries while pfSense isn't making as much? I'm not sure, but the disappointing fact is that they are two completely different products with very few synergies. Code and work from one can't be used on the other. Everything about them is different: the kernel, admin interface, etc. And finally, please oh please, "Jim, please bring your hangouts back!" If you don't know, Jim from Netgate used to do monthly in-depth videos on pfSense. They were insightful, detailed, and valuable. Now they release 2-3 minute videos on YouTube that are basically useless marketing fluff.

pfSense hardware has had some serious issues over the years. The recent models have been okay though. The SG-2440 and 2220 models had about a 30% failure rate after about two years. From my experience most of those units went into the bin, while a few made their way to get replaced under warranty. One additional bit about the hardware is the integrated switch. Many of the units and also some of the XGs have a switch which is configured with software to be individual interfaces. This can be troublesome, but knowing this ahead of time can avoid unpleasant surprises.

Finally, onto the pfSense software itself. There are a number of features that are strange or broken. I'll just list them here as they appear in the GUI. These notes were taken as of 2.4.5-p1.

System -> Advanced Menu

  • Firewall & NAT / Firewall Optimization Options : Careful with VoIP; sometimes the Conservative option helps.
  • Firewall & NAT / Firewall Maximum Table Entries : This feature is strangely documented in the GUI. Notice if you change the value, it shows up as the "default"? Bug?
  • Networking / Allow IPv6 : If you don't want to see IPv6 packet drops in your logs, you have to enable this and then add silent drop rules.
  • Networking / Network Interfaces : If you ever experience odd packet loss or traffic not passing, you might look under this section. It's discussed in the Netgate docs.
  • Miscellaneous / Power Savings : I like to save electricity. I'm very curious how these affect power usage. Maybe there is a forum post about it?
  • Miscellaneous / Cryptographic & Thermal Hardware : These settings I'm never quite sure of. If you have AES-NI support, do you need the BSD module? One of these days I need to figure this out.
  • Miscellaneous / Spectre-Meltdown : I've disabled the software workaround for these security issues in a few cases because I was looking for potential extra performance. I expect it would be very difficult to exploit on a firewall like this. It would be nice to know the performance differences.

System

  • Cert Manager : Careful when using the cert manager with over ~50 certs. The GUI interface gets very slow. Unfortunately there is no option to use the cert manager from the command line.
  • High Availability : Do you have three public IPs? It is possible to get HA working with one IP, but it requires a few custom rules for outbound NAT. I did this once or twice with one IP and it wasn't ideal. Other than that, CARP works well. There are issues to work out when accessing the standby unit because it's not primary. I seem to recall it's all documented.
  • Package Manager : Unfortunately, documentation for packages is mostly non-existent. I've tried opening issues about it with Netgate but got shut down. Also, some packages are completely broken, so don't wonder why you can't get something to work. It might be intentional. One other thing: don't touch the package manager if you're not running the current version of pfSense!

Firewall

  • Aliases : Don't use DNS names in aliases. This feature has been partially broken for years. It's not as broken as it used to be but it still can have issues.
  • NAT : From my experience, you really only need to do things here if...
    • You're running CARP with a single IP
    • You're running CARP with VPNs
    • You have NAT issues with games
  • pfBlockerNG : Great package. No docs, but I recommend learning it.
  • Traffic Shaper : Don't confuse QoS and Traffic Shaping. This topic could be a whole book so I won't go into anything here.

Services

  • Auto Config Backup : This used to be a paid feature. Now it's free for everyone! I recommend using it.
  • DHCP Server : Be careful when using Dynamic DNS. It can cause the DNS process to restart so often that you have DNS timeouts.
  • DNS Resolver : Probably a bad idea to use this on large networks. pfSense has a tendency to DoS itself on this and cause DNS resolution timeouts.
  • FRR : I've done quite a bit of OSPF with pfSense. 2.4.5 is much better than 2.4.4 was but it still has some issues.
  • UPnP : I tried this once and didn't have success with it. I didn't troubleshoot in detail but I got the feeling it didn't fully support UPnP properly.
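As an added example (not from the original post and not pfSense's own code), the following Python scans unbound's "start of service" lines in a resolver log and flags the kind of restart storm the DHCP Server and DNS Resolver notes above describe. The log lines are constructed samples in pfSense syslog style; the 5-minute window and threshold of 3 are assumed values.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample lines in pfSense resolver.log style; not real captured logs.
SAMPLE_LOG = """\
Jun 10 12:00:01 pfSense unbound[11001]: [11001:0] info: start of service (unbound 1.9.6).
Jun 10 12:00:40 pfSense unbound[11001]: [11001:0] info: service stopped (unbound 1.9.6).
Jun 10 12:00:41 pfSense unbound[11050]: [11050:0] info: start of service (unbound 1.9.6).
Jun 10 12:01:05 pfSense unbound[11050]: [11050:0] info: service stopped (unbound 1.9.6).
Jun 10 12:01:06 pfSense unbound[11090]: [11090:0] info: start of service (unbound 1.9.6).
Jun 10 12:01:30 pfSense unbound[11090]: [11090:0] info: service stopped (unbound 1.9.6).
Jun 10 12:01:31 pfSense unbound[11120]: [11120:0] info: start of service (unbound 1.9.6).
Jun 10 13:30:00 pfSense unbound[11120]: [11120:0] info: service stopped (unbound 1.9.6).
Jun 10 13:30:01 pfSense unbound[11800]: [11800:0] info: start of service (unbound 1.9.6).
"""

START_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ unbound\[\d+\]: .*start of service"
)

def parse_starts(log_text, year=2020):
    """Return the timestamps of every unbound 'start of service' line."""
    starts = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            # syslog timestamps carry no year; assume one so they can be compared
            starts.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return starts

def max_restarts_in_window(starts, window_seconds=300):
    """Largest number of service starts inside any window of window_seconds."""
    window = deque()
    peak = 0
    for ts in sorted(starts):
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak

def resolver_flapping(log_text, window_seconds=300, threshold=3):
    """True when unbound started at least `threshold` times within one window."""
    return max_restarts_in_window(parse_starts(log_text), window_seconds) >= threshold

if __name__ == "__main__":
    print("flapping:", resolver_flapping(SAMPLE_LOG))
```

On a real unit, feed it the contents of /var/log/resolver.log; a steady run of starts seconds apart while leases renew is the signature of the Dynamic DNS restart problem.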

VPN

  • IPSEC (Policy) : Standard IPSEC Works most of the time. You have to manually restart tunnels sometimes. I'm not yet sure why.
  • IPSEC (VTI) : This is more troublesome. The tunnels are a lot less reliable. I do like this option over Policy based personally, but it is definitely more broken.
  • IPSEC / Advanced / Asynchronous Cryptography : This feature used to be turned on by default. There are some known issues with it so it is now disabled. Enabling it can potentially speed up IPSEC 10x. Read more about it before turning it on.
  • OpenVPN : Works well. I've used this a lot for remote clients to connect. If you have a lot of Certificates, the GUI gets very slow.

Good luck with pfSense. It's a mixed bag of tricks sometimes. Even though it has its problems, I do prefer it over SonicWALL.
