pfSense experiences

Michael L Torrie torriem at chem.byu.edu
Fri Jun 15 10:29:26 MDT 2007


On Fri, 2007-06-15 at 09:39 -0600, Steven Alligood wrote:
> "unlimited funds" and "1-4GB of traffic" being the key words here, I 
> would strongly suggest a commercial product.
> 
> You can do very well on the lower end traffic scale (a couple hundred 
> MB/sec) with open source and PC hardware, but once you start throwing 
> around some serious traffic, you will find that the commercial products 
> just handle it better, often with very nice reporting tools.
> 
> I am not saying that you cannot do it with non-commercial stuff, but you 
> will have a lot more headaches dealing with that amount of traffic.

Yeah, I used to believe that too.  Until I opened up our so-called
professional product.  This was a medium-end Cisco PIX.  Turned out it
had a Celeron processor in it and 3 ordinary, 100 Mb/s on-board NICs.
And it's no different (except for a more powerful processor and gigabit
NICs) on the higher-end PIXes.

A PCI bus is a PCI bus.  Very few firewalls are anything but ordinary PC
hardware.  Slap a couple of gigabit, 64-bit cards (or PCI Express) in a
beefy machine and you'll more than match the commercial solution.  No,
really.

While it is true a router with ASIC hardware to do fabric switching is a
far cry from sticking a bunch of NICs in a box, installing Linux, and
calling it a router, I have not found the same idea to be true in the
realm of over-priced, so-called hardware firewalls.  I built a Linux
firewall out of a Dell 1U server that handily matched if not beat a
$10,000 solution in terms of throughput.

> 
> -Steve
> 
> Daniel wrote:
> > It sounds like pfSense is the way to go for the schools, given the
> > responses.  Thank you.
> >
> > Now let's say you had to secure about 1-4GBs of traffic and you had
> > unlimited funds would you still go with pfSense or would you go with a
> > commercial solution like Juniper, or Cisco?  Does anyone have
> > experience with a Juniper or any other commercial solution and
> > pfSense?
> >
> > -Daniel
> >
> > On 6/15/07, Lars Rasmussen <lars.rasmussen at gmail.com> wrote:
> >> Look no further than pfSense for your firewall.
> >>
> >> I've been using pfSense since the alpha releases - I previously used
> >> m0n0wall.  Before m0n0wall I was using a floppy disk to boot a Linux
> >> based firewall.  I've used pfSense at work and at home.
> >>
> >> pfSense will let you enforce QoS (even has a wizard for prioritization
> >> of VoIP & common applications/traffic types).  pfSense allows for
> >> failover & multiple WAN connections, and has multiple VPN types as
> >> part of the standard feature set.
> >>
> >> You can add features (packages) if you so desire.  One of my Windows
> >> buddies still marvels at how he doesn't even think about his pfSense
> >> box - it just sits in the closet and runs.
> >>
> >> I am currently using pfSense at home with Comcast & Vonage; it allows
> >> me to coexist with BitTorrent nicely, and the pfSense project seems to
> >> have more active development than any of the Linux-based firewall
> >> projects.
> >>
> >> It is straightforward to install pfSense yourself, but you could
> >> alternately buy an appliance that contains no moving parts & likely
> >> increase your uptimes to years.  Here's what the console portion of
> >> the pfSense installation looks like:
> >>
> >> http://www.metacafe.com/watch/584867/install_pfsense_1_2beta1/
> >>
> >> Configuration after this point is handled via the web interface.
> >> -- 
> >> Lars
> >>
> >> /*
> >> PLUG: http://plug.org, #utah on irc.freenode.net
> >> Unsubscribe: http://plug.org/mailman/options/plug
> >> Don't fear the penguin.
> >> */
> >>



