A silly Question, is there a better alternative to pfsense for home use?

vl1969

Weird, I have those features with my free license?
how old is your version? maybe you got the license code before they put in more restrictions.
I have a license for version 6 or 7 that used to have the plugins as well, but at the time I did not have the hardware to put it on. version 9 I tried did not have the plugins and pointed me to a subscription based store.
maybe I am doing something wrong, who knows.
 

vl1969

I know I'm not doing what most people are doing, but that's why I thought I would throw the option out there.... this is only if you're really comfortable with Linux and you mention you have Linux computers; i've been using Linux OSes as network appliances for over a decade so this is what i'm comfortable with and chose to do...

i got myself a cheap N2930 based system that draws like <20W, 8GB RAM, a 512GB SSD for caching and other stuff, and a 32GB USB drive for booting OS. it came with 5x 1Gbps NICs. this doesn't have AES-NI and frankly, I don't need it; I can run half a dozen VPN connections and the CPU is hardly working - I think AES-NI would be great if you need to do more VPN stuff, but that's not my case. i just threw a very stable CentOS7 on it and between netfilter and all the other open source tools available, I'm routing between my 2 internet connections (1x cable modem, 1x gigabit internet fiber), a wireless zone, a dmz zone to my publicly accessible servers, and my internal private network. i have policy routing to manage traffic between my 2 internet connections and I can download Windows or Linux distributions at near 1Gbps from the internet and system is mostly idle. the system is dead quiet and hidden under one of my desks in the home office. i'm very comfortable on the Linux CLI, so it's very easy for me to setup what i need, no GUI is all the better for me as I really don't like web servers running on a network appliance connected to the internet.

I've tried other network router/firewall dedicated OSes and they are all fine, each with their pros/cons. I like CentOS because it is generic, super stable, has very long support cycle, and if I want to add any software on it, it's easy to find packages from the many repos, or setup a CentOS VM to compile/build whatever tools I want to put on the firewall/router and then just upload it. The last part, the flexibility, really appeals to me as I like to tinker and try things, or write my own programs/scripts to do this or that (e.g., I parse my logs for VPN connections and grab the GeoIP and send myself a message) and there's nothing special about doing development for a generic OS like CentOS (or whatever your favorite Linux distro might be).

i know this isn't for everyone, but if you're comfortable with Linux, and have an appreciation for flexibility, then you can probably just throw your favorite Linux distro on it (doesn't have to be CentOS) and do whatever you want with it; no need to have "another OS" just for firewall/routing.

P.S. based on comments above, i also want to throw out there that a generic Linux OS will have very broad hardware support too... so less restrictions on what you can use.
hi BLinux,
if you like CentOS take a look @ NethServer.
based on CentOS and has a very nice webUI.
I am really thinking about using that instead of pfSense just so it is based on a normal Linux distro.
 

Rand__

how old is your version? maybe you got the license code before they put in more restrictions.
I have a license for version 6 or 7 that used to have the plugins as well, but at the time I did not have the hardware to put it on. version 9 I tried did not have the plugins and pointed me to a subscription based store.
maybe I am doing something wrong, who knows.
Code:
Registration Date:        06 January 2016
License Revision:        1
Special:        Home use only
Type:        Virtual
Model:     
Max. Users:        50
Max. Connections:        32000
upload_2017-12-14_21-28-20.png

That one is disabled - if it was on then a lot of the features I use (RED, HTML5 Portal etc) would *not* work
Maybe that is confusing?

upload_2017-12-14_21-29-57.png
 

mstone

I agree with everything in your post but the above statement. If one is savvy enough to build their own router based on pfsense, then at the minimum they should look at building based on supported hardware.
Unless you do all that research and then the rules change, right? The only "supported hardware" is the stuff you buy from them.
 

Pri

Well, the most common NICs in low priced gear are from realtek, and they are largely unusable in pfsense. The support for new hardware (e.g., denverton) is slow to roll out. The next version of pfsense is supposed to require AES-NI, which seems like a shot against a lot of common third party pfsense hardware based on J1900. They've been in a dispute with qotom (who sold a lot of J1900 boxes) which may be unrelated, but also makes one wonder what hardware they'll decide to drop next and why. There was a lot of hype about QAT a couple of years ago, and a lot of people ran out to buy QAT hardware for pfsense, then one of the devs said later on reddit they weren't going to release anything that worked on the rangeley QAT platform because there were more third party boards with rangeley QAT than netsense hardware, so it didn't make financial sense for them. None of this is to say that they're evil, just be aware that their goal is to make money, which they've decided to do by selling hardware and corporate support contracts, and that if the free version works for you that's a happy accident. It isn't a community project driven by user contributions or desires.
You raise a lot of interesting points. I do disagree with me not having any issues being a happy accident though. And also the RealTek thing is interesting because even some of their own units use RealTek NIC chips.

Personally on my own build I used an at the time Haswell based platform, brand new and it worked really well and its built in Intel NIC worked fine as did the add-in Intel NIC I paired with it. I chose not to use RealTek because their stuff doesn't perform as well as Intel's but that's true whether you're running them on Windows, Linux or BSD.

The rest of what you said I agree with, they're in it to make money and I think the AES-NI requirement was a calculated move to convert a lot of people with older hardware over to their new cheap $99+ ARM offering and so forth. To be honest I don't like the creators of pfSense, I follow the subreddit and they act like jerks way too often on there, some of their employees who post there have huge chips on their shoulder and make their company look very amateur.

But the OS is pretty neat, I like it a lot. If someone came out with something I perceive as being better I'd switch, I did try OPNSense but it lacked polish for me.

Anyways thanks for sharing your insight :)
 

mstone

You raise a lot of interesting points. I do disagree with me not having any issues being a happy accident though. And also the RealTek thing is interesting because even some of their own units use RealTek NIC chips.
Nothing they currently sell/support.

Personally on my own build I used an at the time Haswell based platform, brand new and it worked really well and its built in Intel NIC worked fine as did the add-in Intel NIC I paired with it. I chose not to use RealTek because their stuff doesn't perform as well as Intel's but that's true whether you're running them on Windows, Linux or BSD.
I understand that's the pfsense party line, but weirdly the realtek gear performs at wirespeed under linux and just doesn't under pfsense. If you can saturate the line with either NIC, what's the performance problem? The response from pfsense devs is that since they don't sell realtek hardware they don't care. The real difference between realtek and higher end intel nics these days is virtualization functionality, which doesn't much matter for a low power firewall.
 

Pri

Nothing they currently sell/support.


I understand that's the pfsense party line, but weirdly the realtek gear performs at wirespeed under linux and just doesn't under pfsense. If you can saturate the line with either NIC, what's the performance problem? The response from pfsense devs is that since they don't sell realtek hardware they don't care. The real difference between realtek and higher end intel nics these days is virtualization functionality, which doesn't much matter for a low power firewall.
You're right, I thought the SG-1000 was using RealTek but it's not, it's some other chip (non-Intel) and the rest of their products are all using Intel.

Personally I've found RealTek networking and sound to be lousy even on Windows. I do not get line speed with those nics, it's why I use only Intel on everything now actually, long before I ever heard of pfSense.
 

mstone

Personally I've found RealTek networking and sound to be lousy even on Windows. I do not get line speed with those nics, it's why I use only Intel on everything now actually, long before I ever heard of pfSense.
So you're basing this on some old/obsolete realtek hardware, as though they don't release new models?
 

Pri

So you're basing this on some old/obsolete realtek hardware, as though they don't release new models?
Essentially, yes. It has been three years or so since I last used any Realtek networking stuff. Though I still suffer today with their lousy audio chips. I am not a fan of their budget focused chips, I'd rather pay more to get a quality chip.

Right now I'm using X540-T2's from Intel, 10Gb. Realtek to my knowledge doesn't play in the 2.5Gb-5Gb or 10Gb space yet but I still think their 1Gb chips are lousy. It's just a coincidence that my view lines up with pfSense's.
 

Franko

I did a lot of investigation into this topic about two years ago and ran into three router os's that seemed to work well, Pfsense, ipFire, and Untangle. Pfsense was the most full featured, then ipFire, then Untangle being dead simple.

Hope this helps.
 

laserpaddy

Been running untangle for over a year on a dell t3500, have 20 devices behind it, set and forget.
The cpu barely hits 3% we have 1gig service...
I think it was kindergarten compared to my pfsense box, just bought an edgerouter lite had one before the untangle and it was a PITA to get it to connect to my ISP and then they spent 1 billion in iowa on infrastructure and they are awesome. So i got it again.



 

ruffy91

If you like pfsense as software but not the community have a look at the OPNSense fork.
I have used it for a year everywhere I used pfsense before and am very happy with it.

 

im2geek4you

I used PFSense for a lot of years until they removed one of my favorite features on it, the RRD graphics... Now I'm using OPNSense on a small PC using a mini-itx MB. It draws about 18W which is very nice to have powered on 24/7. It has basically the same functionality that PFSense has.
 

Evan

I see more often than not these days that pfsense used to be the best but that it’s not nearly as liked today because of the horrible interface and the community that supports it.
 

Pri

I see more often than not these days that pfsense used to be the best but that it’s not nearly as liked today because of the horrible interface and the community that supports it.
Personally I quite like the interface and I like the product in general.

But the people who make it, electric sheep or whatever they call themselves. They act so poorly, so childishly. Their owner and some of their employees talk terribly with users. Ever since OPNSense came on the scene I have noticed the pfSense employees accuse all kinds of users as being OPNSense "spies" and just silence them, delete their comments and ban them from their community portals even when they are asking poignant questions or delivering accurate criticism.

Their level of I guess you'd call it paranoia is off the charts and it has resulted in some of the worst conversations between their employees and enthusiasts that I've ever seen in any community online.

They can also be hostile to users that are asking for advice regarding self-builds. Their employees have a very strong "you're a freeloader for not buying our hardware so we don't care about you, your problems or your questions" vibe that is just disgusting considering how the project started as an open source community firewall. I mean sure they need to make money as a for-profit business but the rudeness towards people who even suggest their official hardware isn't the solution to every deployment is completely unnecessary.

It's enough to make me not want to speak up and recommend pfSense because frankly it's embarrassing for me when people google it and find all these random negative encounters between them and their own community, I certainly wouldn't suggest it to my boss for that reason alone, it really makes them look like a two bit operation run by frankly horrible people with zero social skills.
 

vl1969

that is why I am looking at alternatives.
I am thinking about trying Nethserver as DIY router
Sophos seems good too.
 

SamDabbers

I wonder if pfSense/OPNsense can be shoehorned into a FreeNAS VNET jail. That might be an interesting and relatively low-overhead setup for those who already run a 24/7 FreeNAS server. Of course you could just run it as a VM, but where's the fun in that? :)
 

dswartz

I have used (and liked) astaro security gateway. I think it's now called sophos utm or some such...