Thursday, September 11, 2008

pfSense 1.2: 6-month review

After spending more than 6 months running pfSense 1.2-RELEASE at the perimeter of our production environment I thought I’d do a short good/bad/ugly review of the experience to help anyone that might be considering using it. In my experience, pfSense has been a great solution. Besides being free, and fast, it has the functionality of ostensibly higher-end solutions like the Cisco PIX/ASA, or Microsoft’s ISA, with the ease-of-use of a Cyberguard SG, or Sonicwall product.

Yeah, but what about the SMB-market – does it make sense?

Our pfSense box sits at the perimeter of our LAN, protecting us from a 10MB Full-Duplex Internet connection. Like most businesses of our size we have a handful of crucial services being served up to the Internet – a stack of LOB apps, and some assorted contractor requirements that can create challenges. While it’s not quite what I'd call a zero-effort experience, everything has run very well and I’ve been quite impressed.

The Good:

The web-interface… it works well. You can do practically anything you need from it – including editing FreeBSD config files if the should arise. Also, since pfSense is based on FreeBSD, you also have the ability to SSH into the shell and work from there. But don’t let that scare you off – you probably won’t ever have the need to do so.

VPN support… pfSense supports just about everything you’d expect. It has a PPTP server built into it, and you can use a local account database, or a RADIUS server for authentication. WINS works across VPN tunnels – which is nice, and something not every PPTP server I’ve used has implemented fully. IPSec is of supported, and pfSense can serve as an end-point and seems to work okay with the Cisco stuff I’ve seen at the other ends of some of our tunnels. OpenSSL is supported… if you’ve not worked with SSL-based VPN’s before – they’re nice – especially if you have remote users who work on-site behind large corporate firewalls that block outbound PPTP, or IPSec.

Traffic… there’s a handy real-time traffic graph that you use to watch inbound/outbound traffic across the firewall. There are also a host of RRD graphs depicting things like traffic, link quality, and processor utilization over time... All handy when it comes to troubleshooting your internet connection, or engaging your ISP should they fail to meet the terms of their SLA.

The ability to do packet captures is one of my favorite features of pfSense. Besides being useful for troubleshooting issues at your office, it’s quite handy when you have pfSense deployed at client sites (yes, we’re selling it to clients). Login to the interface, and start capturing packets to see whose consuming all of your bandwidth for instance.

The Bad:

While there’s not a whole lot of “bad”- I have run into a few challenges – most of which are documented elsewhere on this site.

Hardware support... I’ve mentioned this before, and you probably know that FreeBSD doesn’t have quite as broad of hardware support as Linux or Windows. I ran into some issues with non-Intel NICs and off-brand Wireless cards which were painful. That said, I’ve run into issues with Broadcomm NICs and HP-branded NICs on windows servers before too – so take that with a grain of salt. It’s just a data point and not intended to discourage you. If you're just throwing a box together from spare parts – remember to use Intel NICs that are on the FreeBSD hardware list and you’ll be fine.

FTP Support... The FTP protocol is just plain clunky. It’s been around for decades, and every vendor has a different way of implementing it. There is no security – passwords and data traverse the internet unencrypted – in short, it’s kind of a mess. Pfsense has passive FTP support, and an FTP proxy. In our deployment, we have users who complain about not being able to connect to our FTP site when in the office (i.e. looping out and back in). I understand why they would want to do this (even if from a technical perspective, it doesn't make much sense), but in order to support outbound FTP you need to run the pfSense FTP proxy. Turning that on breaks the ability to loop-out and come back in for FTP which can be frustrating (and yes, a split-DNS configuration would resolve this).

The Ugly:

PPTP... Good and Ugly? Yes indeed. There are some ugly parts to the PPTP support in this version of FreeBSD and pfSense. Like the FTP protocol, PPTP isn’t great. But, like FTP, PPTP is perceived by many to be easy to use and support, and thus is still widely in use. The problem with PPTP support… which is actually highlighted on the pfSense web site is... “there is a pf limitation that stops any outbound PPTP connections from working if the PPTP Server on pfSense is enabled. This is a known issue with no known work around.” Which really means that if you enable the PPTP server on pfSense, internal users supposedly can’t VPN out to a remote PPTP server. In my experience, this is not entirely true. You can turn-on the PPTP server on pfSense, and internal users can often connect to remote PPTP servers. What I mean by “often” is… I’ve found that among our customer base, most have firewall appliances running PPTP servers, and we no have problems connecting to them. Further, we’ve had no problem connecting to any Microsoft PPTP servers (including those running on 2000, 2003, and 2008). Finally, we can connect to nearly all of our Cyberguard SG series firewalls that have PPTP servers. But there are a few of those that we can’t connect to via PPTP. I’ve compared models and firmware revisions, but don’t see any consistency between those units which I can point to as the cause. We’re able to work around this given the small number of clients that were having problems PPTPing into, but it is irritating, and might be a show-stopper for some IT service providers that work in the SMB market.

PPTP continued… There’s another limitation in the version of FreeBSD that pfSense is using which limits the number of simultaneous outbound connections to a given PPTP server to just 1 connection. This means that you can VPN into a client site which lives at a given IP, but if someone else behind pfSense tries to VPN into that exact same remote IP, he/she will not be able to establish a second session. In other words, you can have thousands of simultaneous outbound PPTP connections going on, but you cannot have more than one connection to the same remote IP at a given time. While this is rarely an issue – it does come up from time to time and it may be a show-stopper for some IT service providers.

The good news on the “ugly” front is that both PPTP and FTP are being worked on by for the next release due in 2009 and promising… “Better PPTP and FTP handling in NAT. The PPTP fixes will allow multiple outbound connections to the same external PPTP server using a single public IP. Details of that issue on the Features page on the website under PPTP/GRE NAT limitation”. I’ve been monitoring what’s going on with pfSense 1.3 Alpha – and have it running on a firewall at home, but it’s under continuous development and not production ready. One notable improvement is the configurable dashboard which gives you status and highlight information.

Is it “just work” easy?

I don’t think pfSense necessarily meets the zero-thought, “just work” criteria. If you’re building a box, instead of buying one, then no – it requires some limited thought to find a supported mix of FreeBSD hardware, then you have to install, configure, and use the product. Is it more difficult to configure than something like a Sonicwall, or Cyberguard Snapgear, or other similar appliance? Only because you have to build-it… otherwise, the software and features of the interface are excellent and, in many ways exceed those of the prior-mentioned solutions.

Does it make sense for SBS-sized networks?

Given that the infrastructure business on the low-end is evaporating, selling pfSense into that market might not be a good fit, or make sense… but from a technical standpoint, or if you’re looking more at that middle tier from 50 – 250 users and up, than I think pfSense is a great fit. As I mentioned, I like it so much that I use it at home and keep up with the 1.3-ALPHA updates.


Curtis LaMasters said...

I'm the Sr. Network Engineer for a SMB consulting company in the midwest and I find that the majority of companies we do business with that are 50 or less users don't have local IT staff. So depending on their needs, pfsense is still a great fit for most companies, especially if they need to have a redundant firewall setup. I don't think many people could argue against the cost savings with pfsense version Cisco or the like in that scenario.

As for hardware support with pfsense, I guess I have gotten pretty lucky. I buy most of my firewall boxes through IronSystems and have otherwise put them on Dell servers. So far, knock on wood, I haven't had any issues with installation or hardware detection.

Nick said...

Curtis - Oh, I very much agree that pfSense fills a very important need in the SMB segment... both in sub-50, and greater than 50 roles. I'm also a fan (so far anyway) of the product-ized version of pfSense that Centipede makes.

Thanks for the heads-up on Ironsystems, I'll check them out... are you just buying the "general purpose" boxes to run pfSense like the IR110?

We've used Dell server-grade equipment in the past... mostly with success. Most of my hardware pains were during testing when I just grabbed a white-box workstation off-the-shelf.

Ty Swicegood said...

Thank you for posting your thoughts on pfSense. I am currently in the process of replacing our failed Sonicwall ($3k a year of updates/support gets old fast) and found this writeup a good sign that pfSense might work in our production environment.

Anonymous said...

I just discovered pfsense last month while setting up a captive portal for my little village's library offering Internet access and I have been impressed. The small ISO size and all features it got.
I was going to use m0n0wall but I was missing ssh to the box for easy remote admin.
I had to install a few other packages to rework the captive portal (mysql, php-mysql) , I know, this should not seat on a firewall but for this project , this is fine.
All works great. No problem with the hardware as I am recycling an old P3, all NIC (based on NE2000) are recognised. However I had some trouble to get the proxy filtering working but now it is ok.

Good llittle firewall !!

Anonymous said...

I've had great luck with the SuperMicro 1U Atom based servers. The dual core motherboards come with two NICs (the better boards have Intel chipsets, but even the realtek seem to work OK) and you can get them for just under $300 on sale - pretty hard to beat! The LAN activity LEDs on the front of the case are a nice touch too :)

Masroor P Mohamed said...

Hi All,

Iam a newbie to this. But it looks awesome..I have just started discovering all the features and finds it interesting.