Callam McMillan 06/11/2015 3 Comments
Having spoken previously about how I'm done with using Cisco for my networks, I now need a replacement. This has come in the form of pfSense. Given that it doesn't have the name recognition of a brand like Cisco, perhaps some explanation is necessary. The fundamental element of networking is moving packets of information across physical networks. Once upon a time, this required specialist hardware that could move these packets quickly enough, giving companies such as Cisco their market. Today, commodity hardware is cheap and powerful enough that it can act as a network router. This is where software such as pfSense comes in. Based on a Linux distribution, it provides this functionality. It is also worth clarifying from the outset that this is not a head-to-head test against the other software-based router platforms that are available. I have only tried pfSense, and while I like it, I don't have enough information to argue that it's the best. What I can say is that it is much better than traditional enterprise networking hardware supplied by the likes of Cisco. What follows is an assessment of the merits of pfSense.
Off-the-shelf or DIY. It's your choice
If you go to the pfSense website, you have two choices: you can either buy an embedded appliance running the pfSense software, or you can download the system and run it on your own hardware. To date I've built two pfSense systems; the two off-the-shelf appliances below are the closest to the hardware they run on, and we'll use them for comparison.
pfSense SG-2440
CPU: 1.7GHz Intel Atom C2358 Dual Core
RAM: 4GB
Storage: 4GB
NIC: 4x Intel Gigabit
Power Consumption: 7W (Idle)
Size: 170mm x 170mm
Price as Specified: $499US (£324)
pfSense SG-4860
CPU: 1.7GHz Intel Atom C2558 Quad Core
RAM: 8GB
Storage: 4GB
NIC: 6x Intel Gigabit + 802.11a/b/g/n
Power Consumption: 7W (Idle)
Size: 170mm x 170mm
Price as Specified: $774US (£502)
Repurposed HP Microserver (N40L)
CPU: 1.5GHz AMD Turion II Neo Dual Core
RAM: 16GB
Storage: 250GB
NIC: 1 x HP Gigabit + 2 x Intel Gigabit
Power Consumption: ~15W (Idle)
Size: 260mm x 210mm x 267mm
Price as Specified: £22 for Used Intel NIC
Custom Built Platform
Case / PSU: 3U short depth rack mount + 700W
CPU: 3.0GHz Intel Pentium G3220 Dual Core
RAM: 8GB
Storage: 128GB
NIC: 1 x Realtek Onboard + 4 x Intel Gigabit + Atheros 802.11a/b/g/n
Power Consumption: ~15W (Idle)
Size: 483mm x 380mm x 133mm
Equivalent build price: £435
What the above shows is the sheer diversity of choice offered by pfSense. If you have to buy new equipment, then the smaller form factors, reduced power consumption, and manufacturer support mean that, given the costs are similar, the pfSense appliances are the best choice. If you can reuse old equipment and buy used components, then building your own can work out significantly cheaper. A 4-port Intel gigabit NIC costs around £170 new, but can be had used for £60.
Starting out
As with the Cisco equipment, the key to a reliable and functional setup is to plan ahead. This means producing a small but detailed physical and logical network diagram showing what you're planning. Here's one below showing a Multi-WAN setup routing to a LAN and a WLAN.
From this diagram, we can begin the pfSense installation, which starts by writing a USB flash drive with the software. This is used to boot the device and later install it. At the initial setup, pfSense will ask for a WAN and a LAN interface to be defined. This is where the earlier diagram is needed. In this case we would assign igb0 and igb2 respectively. The other interfaces can be configured later. If we're configuring this system as a host on another network, and we have a spare port, we may also assign a management interface with a static IP. This will let us configure the router as if it were any other network host. Once the installation is complete, connect either to the LAN port, if configured, or to the management port, and navigate to the address you set from a web browser. You're now done with the pfSense console.
Management made easy
With pfSense there's no command line, and no desktop software. All management of your router is done through a PHP web console hosted on your router. The design is clean and crisp, and provides a huge amount of information. The picture below shows the dashboard of my home router. From here, the system can be monitored, interfaces can be assigned, configured, and analysed. Firewall rules can be established and tested.
Advanced features are close at hand as well. My favourites are the built-in VPN server and the support for multiple WAN connections with link aggregation / load balancing, or redundancy. While I have no doubt that these features could be provided by a Cisco device, the ease with which it can be done via pfSense makes advanced network configuration a no-brainer.
So what about the bad?
The only thing I would criticise pfSense for is the quality of some of the online documentation. Perhaps it'd be different if you paid the $99 per year for a gold membership. As standard, however, the documentation is merely adequate. By way of an example, when setting up Multi-WAN, you have to route traffic into the gateway groups rather than the default WAN gateway. The documentation says that you do this through firewall rules, but not which ones. While most of this can be figured out through trial and error, it is frustrating.
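To make the Multi-WAN point above (and the load-balancing / redundancy features mentioned earlier) concrete, here is an added example of my own; it is not code from the post or from pfSense. It models, in Python, the decision that a pfSense firewall rule's gateway setting drives: a rule that names a gateway group uses failover (the lowest tier that is up) or load balancing (round robin among live members of the same tier), while a rule with no gateway set sends traffic out of the default WAN gateway regardless of the group. Gateway names (WAN1, WAN2), tiers, interface names and subnets are constructed for the example, and the fall-back to the default gateway when every member of a group is down is an assumption of this model.

```python
"""Model of pfSense-style Multi-WAN policy routing (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import List, Optional, Tuple


@dataclass
class Gateway:
    name: str        # e.g. "WAN1" (constructed name)
    interface: str   # e.g. "igb0"
    up: bool = True  # as reported by gateway monitoring


@dataclass
class GatewayGroup:
    name: str
    # (gateway name, tier): same tier = load balance, lower tier wins = failover
    members: List[Tuple[str, int]]


@dataclass
class Rule:
    interface: str            # interface the packet arrives on, e.g. "LAN"
    source: str               # source network in CIDR notation
    gateway: Optional[str] = None  # gateway or group name; None = default route


class Router:
    def __init__(self, gateways, groups, rules, default_gateway):
        self.gateways = {g.name: g for g in gateways}
        self.groups = {g.name: g for g in groups}
        self.rules = rules
        self.default_gateway = default_gateway
        self._rr = {}  # per-group round-robin state

    def _resolve(self, name):
        """Turn a gateway or group name into a live gateway, or None."""
        if name in self.gateways:
            gw = self.gateways[name]
            return gw.name if gw.up else None
        live = [(tier, gw) for gw, tier in self.groups[name].members
                if self.gateways[gw].up]
        if not live:
            return None
        best = min(tier for tier, _ in live)           # failover: lowest tier
        candidates = [gw for tier, gw in live if tier == best]
        if len(candidates) == 1:
            return candidates[0]
        key = (name, tuple(candidates))                # load balance: round robin
        if key not in self._rr:
            self._rr[key] = cycle(candidates)
        return next(self._rr[key])

    def egress(self, in_if, src):
        """First matching rule wins, as with the quick rules pfSense writes."""
        addr = ip_address(src)
        for rule in self.rules:
            if rule.interface == in_if and addr in ip_network(rule.source):
                if rule.gateway is None:
                    return self.default_gateway        # default WAN, group ignored
                chosen = self._resolve(rule.gateway)
                # assumption: whole group down -> default gateway, as in this model
                return chosen if chosen else self.default_gateway
        return None  # no matching pass rule: default deny


def demo():
    """Constructed scenario: two WANs, one failover group, one balance group."""
    gws = [Gateway("WAN1", "igb0"), Gateway("WAN2", "igb1")]
    groups = [GatewayGroup("Failover", [("WAN1", 1), ("WAN2", 2)]),
              GatewayGroup("Balance", [("WAN1", 1), ("WAN2", 1)])]
    rules = [Rule("LAN", "192.168.1.0/24", "Failover"),
             Rule("WLAN", "192.168.2.0/24", "Balance"),
             Rule("MGMT", "10.0.0.0/24")]   # no gateway: always default WAN
    r = Router(gws, groups, rules, default_gateway="WAN1")
    out = [("lan-up", r.egress("LAN", "192.168.1.10"))]
    out += [("wlan-rr", r.egress("WLAN", "192.168.2.5")) for _ in range(3)]
    out.append(("mgmt", r.egress("MGMT", "10.0.0.2")))
    r.gateways["WAN1"].up = False                      # WAN1 monitoring fails
    out.append(("lan-failover", r.egress("LAN", "192.168.1.10")))
    out.append(("wlan-one-left", r.egress("WLAN", "192.168.2.5")))
    return out


if __name__ == "__main__":
    for label, gw in demo():
        print(f"{label:15s} -> {gw}")
```

The "mgmt" case is the trap the documentation glosses over: that rule has no gateway set, so its traffic never touches either group and leaves via the default WAN even while the groups would have chosen differently.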
Overall though, the move to pfSense is rewarding. In future articles we'll look at the specifics of getting pfSense up and running and how you actually configure it to do various tasks.
Appreciate the recommendation. Let me try it out.
Love playing with the open source offerings, so many options and you can just keep adding and upgrading. Also great for learning many aspects of networking without huge (or no) financial outlay.
I’ve built a number of setups using junkers over the years and had a lot of fun.
Have also enjoyed FreeNAS and eBox/Zentyal.
Currently working a lot with MikroTik (RouterOS) stuff as a cheaper alternative to Cisco and other high end gear. A bit rough round the edges but they’re finally sorting out their release patterns to reduce bugs in stable releases.
Great to hear it. I got into pfSense thanks to my friend asking me about it. It looked interesting, so I built a test router, then moved my home router from a Cisco 3800 onto it. Finally I did a dual-WAN box for the friend that initially mentioned it to me. It’s a shame they don’t seem to sell the appliances in the UK though.