Introduction
pfSense is a firewall/router software distribution based on FreeBSD, with origins in m0n0wall. pfSense Community Edition is the partially open source version, while pfSense Plus has moved to a closed source model. It is installed on a physical computer or a virtual machine to create a dedicated firewall/router for a network.
How can I get started with pfSense?
There are several options when it comes to starting with pfSense. From the DIY’er to full business solutions, continue reading for your options.
With Internet Service Providers offering higher and higher speeds, always make sure that you get hardware that can take advantage of them. Routing throughput and firewall throughput are the two metrics you should pay attention to. Both depend directly on your hardware: CPU, memory and, of course, your network card. Get hardware that meets or exceeds your ISP’s speed.
– DIY Hardware
pfSense firewall appliance minimum hardware spec recommendation
- CPU: 4-core, 1 GHz AMD GX-412TC (with AES-NI)
- RAM: 2 GB DDR3-1333 DRAM.
- Network Card: 2-port or 4-port Gigabit network card
- Storage: 16 GB mSATA SSD.
- Routing throughput: 750Mbit/1Gbit on pfSense. 1Gbit/1Gbit on OpenWRT/IPFire/Linux.
- VPN: 100Mbit over OpenVPN, 650Mbit over WireGuard.
Many thin clients are very capable of running pfSense. Their cost to performance is fantastic. The HP t620 Plus or the more recent addition, the HP t730, meet and even well exceed the above minimum hardware recommendation and official appliances. My recent purchase of the t730 has proven to be a great one: its 4-core CPU, with a 2.7 GHz base frequency and up to 3.6 GHz maximum, can handle a lot of throughput, gigabit in my case, perfectly well. Upgrading from the t620 Plus was as easy as backing up its pfSense config and restoring it on the t730, and I was up and running.
– Official Appliances
Netgate, the company behind pfSense, provides “plug and play” appliances. These appliances come in several levels, from the SG-100, an entry-level but still powerful device, to the XG-1541 1U, which packs a punch and is tuned for high traffic needs.
You can find more information and selection of appliances by visiting Netgate’s store.
https://www.netgate.com/products/appliances/
– Non Official Appliances
More and more non-branded appliances are coming to the market; my opinion is that buying one is somewhat debatable. Their cost is equivalent to, and sometimes higher than, that of the official Netgate appliances, and they come with no software support.
– Virtual Machine
Virtualization hosts such as VMware, Unraid, Proxmox and others can host a pfSense VM easily. This approach has its benefits but also comes with some caveats.
Pros:
- Easy to stand up without requiring discrete hardware.
- Snapshots make it easy to roll back any mishaps in your configuration.
- Migration from one VM host to another host is simple and quick.
- Load Balancing. In a high availability environment, having redundancy is key, and a VM makes meeting this criterion super easy.
Cons:
- Downtime. If you need to do maintenance on your virtual host, you lose firewall, DHCP and many fundamental services needed for your network to operate. In a VM environment you may want to decentralize your network services.
- Version maintenance. As pfSense versions get upgraded, compatibility issues may arise with virtual network interfaces. Always review the change notes of the release.
– Cloud Instance (Coming Soon)
The newest offering from Netgate is the ability to front-end your cloud environment with pfSense. Building an Amazon Web Services (AWS) or Azure instance is similar to building a VM and offers the same benefits, but this comes with a cost. The cost model is either an hourly or an annual Netgate subscription, but also consider your tariff costs for bandwidth and compute power, which are extra beyond your Netgate subscription. Consult your respective provider for the fully loaded costs.
More information here: https://www.netgate.com/solutions/pfsense-plus/#get-pfSense
Conclusion
Having a firewall for your home network is what I consider a must. If you run a business, a firewall is a nonnegotiable decision. pfSense offers a great product with a large community, and it is quick to help. There is, however, a possible negative trend happening at Netgate. I’m referring to pfSense Plus. Speculation is that all development efforts will favor the Plus subscription editions, leaving the community edition lagging behind. The recent upgrade from 2.4.5 to 2.5.0 left many, including myself, facing kernel panic errors freezing the firewall and taking down the internet due to network card drivers. Supposedly, a fix was made available to the Plus appliances and subscriptions but not for the Community Edition, at least not as of the time of writing this. I do understand that development is costly and trying to recover some costs makes sense, but Netgate runs the risk of neglecting the very community that made them who they are today.
I do hope Netgate continues supporting their CE community with feature and update parity. I will continue observing this dynamic subject but I am already searching for alternatives, one alternative that comes to mind being OPNsense. But more to come on that in the future.