Networking 2015: Hello pfSense

Having spoken previously about how I'm done with using Cisco for my networks, I now need a replacement. This has come in the form of pfSense. Given that it doesn't have the name recognition of a brand like Cisco, perhaps some explanation is necessary. The fundamental element of networking is moving packets of information across physical networks. Once upon a time, this required specialist hardware that could move these packets quickly enough, giving companies such as Cisco their market. Today, commodity hardware is cheap and powerful enough that it can act as a network router. This is where software such as pfSense comes in. Based on a Linux distribution, it provides this functionality.

It is also worth clarifying from the outset that this is not a head-to-head test with the other software-based router platforms that are available. I have only tried pfSense, and while I like it, I don't have enough information to argue that it's the best. What I can say is that it is much better than traditional enterprise networking hardware supplied by the likes of Cisco. What follows is an assessment of the merits of pfSense.

Off-the-shelf or DIY. It's your choice

If you go to the pfSense website, you have two choices: you can either buy an embedded appliance running the pfSense software, or you can download the system and run it on your own hardware. To date I've built two pfSense systems; the two off-the-shelf appliances below are the closest to the hardware they run on, and we'll use them for comparison.

pfSense SG-2440

CPU: 1.7GHz Intel Atom C2358 Dual Core
RAM: 4GB
Storage: 4GB
NIC: 4x Intel Gigabit

Power Consumption: 7W (Idle)
Size: 170mm x 170mm

Price as Specified: $499US (£324)

pfSense SG-4860

CPU: 1.7GHz Intel Atom C2558 Quad Core
RAM: 8GB
Storage: 4GB
NIC: 6x Intel Gigabit + 802.11a/b/g/n

Power Consumption: 7W (Idle)
Size: 170mm x 170mm

Price as Specified: $774US (£502)

Repurposed HP Microserver (N40L)

CPU: 1.5GHz AMD Turion II Neo Dual Core
RAM: 16GB
Storage: 250GB
NIC: 1 x HP Gigabit + 2 x Intel Gigabit

Power Consumption: ~15W (Idle)
Size: 260mm x 210mm x 267mm

Price as Specified: £22 for Used Intel NIC

Custom Built Platform

Case / PSU: 3U short depth rack mount + 700W
CPU: 3.0GHz Intel Pentium G3220 Dual Core
RAM: 8GB
Storage: 128GB
NIC: 1 x Realtek Onboard + 4 x Intel Gigabit + Atheros 802.11a/b/g/n

Power Consumption: ~15W (Idle)
Size: 483mm x 380mm x 133mm

Equivalent build price: £435

What the above shows is the sheer diversity of choice offered by pfSense. If you have to buy new equipment, then the smaller form factors, reduced power consumption, and manufacturer support mean that, given the costs are similar, the pfSense appliances are the best choice. If you can reuse old equipment and buy used components, then building your own can work out significantly cheaper. A 4-port Intel gigabit NIC costs around £170 new, but can be had used for £60.

Starting out

As with the Cisco equipment, the key to a reliable and functional setup is to plan ahead. This means producing a small but detailed physical and logical network diagram showing what you're planning. Here's one below showing a Multi-WAN setup routing to a LAN and a WLAN.

Figure: Initial network diagram showing router, connections, and key details

From this diagram, we can begin the pfSense installation, which starts by writing the software to a USB flash drive. This is used to boot the device, and later to install it. At the initial setup, pfSense will ask for a WAN and LAN interface to be defined. This is where the earlier diagram is needed. In this case we would assign igb0 and igb2 respectively. The other interfaces can be configured later. If we were configuring this system as a host on another network, and we had a spare port, we may also assign a management interface with a static IP. This will let us configure the router as if it were any other network host. Once the installation is complete, either connect to the LAN port if configured, or to the management port, and navigate to the address you set from a web browser. You're now done with the pfSense console.

Management made easy

With pfSense there's no command line, and no desktop software. All management of your router is done through a PHP web console hosted on your router. The design is clean and crisp, and provides a huge amount of information. The picture below shows the dashboard of my home router. From here, the system can be monitored, interfaces can be assigned, configured, and analysed. Firewall rules can be established and tested.

pfSense Router Console

Advanced features are close at hand also. My favourites are the built-in VPN server and the support for multiple WAN connections with link aggregation / load balancing, or redundancy. While I have no doubt that these features could be provided by a Cisco device, the ease with which it can be done via pfSense makes advanced network configuration a no-brainer.

So what about the bad?

The only thing I would criticise pfSense for is the quality of some of the online documentation. Perhaps it'd be different if you pay the $99 per year for a gold membership. As standard, however, the documentation is merely adequate. By way of an example, when setting up Multi-WAN, you have to route traffic into the gateway groups rather than the default WAN gateway. The documentation says that you do this through firewall rules, but not which ones. While most of this can be figured out through trial and error, it is frustrating.
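A check for the Multi-WAN point above, as an added example that is not from the original post or the pfSense project: it reads a configuration backup and reports which pass rules on the internal interfaces actually send traffic through a gateway group. The XML element names are assumed from the layout of a pfSense config.xml backup, and the sample configuration, group names and rule descriptions are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a pfSense config.xml backup (assumed
# element names: gateways/gateway_group, filter/rule, rule/gateway).
SAMPLE_CONFIG = """<pfsense>
  <gateways>
    <gateway_group>
      <name>WAN_FAILOVER</name>
      <item>WAN_DHCP|1|address</item>
      <item>WAN2_DHCP|2|address</item>
      <trigger>down</trigger>
    </gateway_group>
  </gateways>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <descr>LAN to any via group</descr><gateway>WAN_FAILOVER</gateway></rule>
    <rule><type>pass</type><interface>opt1</interface>
      <descr>WLAN to any</descr></rule>
    <rule><type>pass</type><interface>lan</interface>
      <descr>LAN pinned to WAN2</descr><gateway>WAN2_DHCP</gateway></rule>
    <rule><type>block</type><interface>wan</interface>
      <descr>Block inbound</descr></rule>
  </filter>
</pfsense>"""

def audit_policy_routing(xml_text, internal_ifaces=("lan", "opt1")):
    """Classify pass rules on internal interfaces by the gateway they use."""
    root = ET.fromstring(xml_text)
    groups = {g.findtext("name") for g in root.iterfind("gateways/gateway_group")}
    findings = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass":
            continue  # block/reject rules never route traffic
        if rule.findtext("interface") not in internal_ifaces:
            continue  # only outbound policy on LAN/WLAN matters here
        gw = (rule.findtext("gateway") or "").strip()
        if not gw:
            status = "default-gateway"   # bypasses the gateway group entirely
        elif gw in groups:
            status = "gateway-group"     # gets the group's failover/balancing
        else:
            status = "single-gateway"    # pinned to one WAN, no failover
        findings.append((rule.findtext("descr"), status))
    return findings

if __name__ == "__main__":
    for descr, status in audit_policy_routing(SAMPLE_CONFIG):
        print(f"{status:16} {descr}")
```

Any rule reported as `default-gateway` is one where Multi-WAN failover or balancing is not in effect for that traffic.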

Overall though, the move to pfSense is rewarding. In future articles we'll look at the specifics of getting pfSense up and running and how you actually configure it to do various tasks.

3 Comments

  1. bantal silikon

    Appreciate the recommendation. Let me try it out.

  2. Paul Ebrey

    Love playing with the open source offerings, so many options and you can just keep adding and upgrading. Also great for learning many aspects of networking without huge (or no) financial outlay.

    I’ve built a number of setups using junkers over the years and had a lot of fun.

    Have also enjoyed FreeNas and Ebox/Zentyal

    Currently working a lot with Mikrotik (Router OS) stuff as a cheaper alternative to Cisco and other high end gear. A bit rough round the edges but they’re finally sorting out their release patterns to reduce bugs in stable releases.

    1. Callam McMillan (Post author)

      Great to hear it. I got into pfSense thanks to my friend asking me about it. It looked interesting, so I built a test router, then moved my home router from a Cisco 3800 onto it. Finally I did a dual-WAN box for the friend that initially mentioned it to me. It’s a shame they don’t seem to sell the appliances in the UK though.
