Hi Tom and Lawrence Systems forum members. :-) Question about pfSense stability and reliability

Hi :slight_smile:
I discovered your YouTube channel after an interview you had with David Bombal, and he said you are the man on pfSense, and in the interview and on your channel it shows you are using this on big networks in business usage. :slight_smile:

I have used Cisco small business gateways, firewalls, switches and phones since 2006, so I only know Cisco, as I never had any reason to step outside the ecosystem, so to speak.

But now my gateway stands on the edge of EOL, and Cisco is good stuff, but the prices are equally "good" too, so to speak. LOL
And after having spent a few days watching your pfSense playlist on YouTube, pfSense seems like a potential candidate.

I tried to scroll here on the forum, but I didn't find an answer to my question.

So my question to you all is:
Is the pfSense OS/software as reliable and stable as Cisco small business products?
Uptime stability is my deal breaker in this world, so to speak, as I need to know the only downtime I have is for critically important security patches or if a solar storm kills the internet. LOL :smiley:

I thank you all for your answers in advance :slight_smile:
//Marie

To answer your question: if you purchase a pfSense device you will get failures, as with all hardware, but it is a very, very small percentage.

Been running pfSense for the last couple of years, and no issues at all.

If you are worried about uptime, put the devices in high availability.

Do you know what functions you require of the firewall, as pfSense may not fit the bill?

*smiling* Yeah, I do know hardware failure happens to all electronics sooner or later; I spent a few years at a company repairing hardware back in the days when it was cheaper to repair than to buy new stuff. :smiley:
It still is cheaper to repair if you can do it yourself. But it is harder now than 25 years ago, as everything is so tiny nowadays. LOL :smiley:

But sometimes it is not the hardware that is the problem but the software, when you have a long uptime. So that's why I focused the question on pfSense instead of the hardware it runs on. :slight_smile: As I have zero experience with pfSense myself, that's why I ask you guys who have all that precious experience. :slight_smile: :slight_smile: :slight_smile:

I have found pfSense on good hardware, such as the devices made by Netgate, to be a rock solid solution.

Agreed @LTS_Tom, and I'd add to that the software stability factor: the ease of moving pfSense configs around, whether for (planned or not) hardware replacements, software upgrades or redundancy measures. I've seen configs containing elements that have survived 10 years of upgrades to both hardware and software.

That was what I was hoping to hear. :smiley:
As I have some time before EOL, I'm thinking of using an old HP ProLiant server I stopped using last summer to "learn" how pfSense works... I saw a video in that playlist where you took an HP server... Mine is around those specs...
Best to test it before buying dedicated hardware...
It feels almost a bit scary, as I have been in the Cisco ecosystem for so many darn years without even looking in another direction. :scream:

But thanks for the answer once again :smiley: and I might have a few questions in the future. :slight_smile:

Thanks :smiley:
I really like it when several people have the same opinion, as it feels a bit "safer", so to speak :slight_smile:
I love hearing numbers around 10 years. *smiling* :slight_smile:
I am well known for hating installing and configuring/tweaking systems with a passion... I think I'm soon googleable on "who hates installing operating systems" and Google will show a picture of me. *HAHAHA* :rofl:
So saying high numbers is how you get my attention in the life of IT. :smiling_face_with_three_hearts:

I think I've only been using mine for around 5 years on hardware that was built in 2012. Getting ready to "upgrade" to newer hardware from around 2016.

I'm also going to look into Zenarmor to do some of the things that you might have been getting with the Cisco products. Still trying to find the time at work to test some of this stuff.

Okay... I have heard about Zenarmor but I have never looked at it, not even their homepage... I might have to take a look at what it is, as you bring it up. :slight_smile:
I started to learn Linux 6 years ago, as I had only been working with Microsoft systems, and my friend told me Linux is soooo darn good you will never regret switching to Linux as a daily driver.
He was right on Linux and servers... as for desktops and laptops... let's say I have a different opinion on them, though (even if I am on Debian typing this message). *LOL* :smiley:

Generally I've found it to be pretty stable, but honestly most firewalls are. But no firewall is perfect, and you'll run into edge case bugs that can cause issues when you're trying to reconfigure things. Typically greenfield pfSense deployments are pretty good. Most of my pfSense pain comes from bringing pfSense configurations up through many years. If you're using it as your core firewall for hosting services, you'll definitely want to put your test environment through the paces to get a good understanding of how all the services work with each other. I used to put it on white label boxes; now I just buy from Netgate.

Broke mine yesterday trying to fight a problem with e2guardian... Ended up turning filtering off for now while I build a second firewall to test and replace. I actually got locked out on one interface from this! Was an exciting ten minutes or so.

Hi there D/C :slight_smile:

I do expect pfSense to have a mood and some attitude. There is no system out there that is perfect; if there was, everyone would use that :stuck_out_tongue: ... So it all boils down to which system sucks less. *smiling* :smiley:

Thanks for the tip... I always test new stuff over an extended period of time, and as a last test I will run pfSense in parallel with what I have now. I use three gateways (3 ISPs) as failover, I also use them for some load balancing, and some private traffic is specific to one ISP.
Uptime is my deal breaker, as I mentioned in the start post. :slight_smile: :slight_smile:

It sounds as if you are still smiling, at least :slight_smile:
If I know myself, I would have needed four coffees and maybe a Valium to avoid frustration and swearing. *LOL* :rofl:
I have a bad temper when it comes to my own stuff... But when I fix others' systems I have patience and calmness that is out of this world...

My problem was mostly user error with an unofficial package, so can't blame the firewall. Before that I've had years of stable use, so I would say it is good enough. And I've run it on some pretty old equipment, like Xeon X56xx processors on Supermicro X7 main boards.

That said, I'm also starting to mess with OPNsense; I decided I should spread my knowledge a little. Similar but different so far, can't say if I like it yet because things are in different places.

Okay... unofficial packages can cause interesting phenomena on all systems, so yeah, it can be hard to blame it on pfSense then. *smiling* :stuck_out_tongue:

As far as I have understood pfSense so far from Tom's videos, old hardware is no problem as long as you don't need high throughput or run any heavy extra services.
So let's say you only need a home router with some fun extras and only a 100/100 connection; then an old dual-core 2GHz with DDR2 RAM will almost be overkill. :smiley:

Isn't OPNsense almost the same as pfSense? I think I read a year or two back that one was a breakaway from the other, a bit like Linux distros often are forks of another.
((things are in different places.)) Classic with GUIs... just look at modern switches' GUIs... they do the same thing but they always have their own layout. In the past it was CLI and different commands... I hate the terminal interface... It is good to know, but if I can choose... I always use the GUI, as it looks nicer and you get a better overview of things... and a GUI is 100 times faster to learn than starting to learn new terminal commands. :slight_smile:

Yes, OPNsense is a fork of pfSense, which is a fork of m0n0wall. Both PF and OPN do not have a direct GUI, but both use a web GUI for configuration. Once you get the initial configuration of either done (basically just the LAN connection), everything else is normally done through the web GUI. I still connect a monitor/keyboard to my firewalls, just for those times when things go badly and you need a direct connection (like yesterday). VGA KVM switches are cheap if you don't need audio follow, so I have a few KVM switches around for things. A good one on my production system, and cheap ones for lab use.

The first two pfSense devices we bought from Netgate lasted just a couple of months past two years. Those were relatively inexpensive. In both cases, the onboard memory failed. I would avoid the "low end" devices. After our 3100 failed, we bought a 2100, which proved too slow. It's relegated to backup and we now run on a 4100. The 4100 has been replaced by the 4200, which is both less expensive and faster. After the first two devices failed, we looked around for something else, but we'd invested so much in understanding how to configure pfSense that we decided to stick with it. (But we do have the 2100 for backup, although the config file is slightly different.) YMMV

Okay, I have never heard of m0n0wall... darn, now I have learned a new thing today too. *smiling* Not a single day passes without learning new things. 'LOL' :smiley:
I was a bit sloppy when I wrote that; I did mean web GUI, I thought I could be lazy in my writing. :wink:
Same here, I also use VGA KVM switches for my servers and lab computers... as it is easier to maintain higher security when you don't have remote administration access...

Yeah, that is sadly one of the most common rules of life... you only get what you pay for... there are only a few exceptions, which exist just to prove it is a rule. :-/
I have not looked at the Netgate pricing, but I think it is still cheaper than Cisco, as you have to pay at least $200 extra to get the Cisco logo on the front. 'lol' :smiley:

I will have a serious look at pfSense and give it a fair chance over a 6-month period before I decide which way I go... So far it all looks and sounds good... Now it just has to perform as well as it sounds. :slight_smile: :slight_smile:

Remember that you don't NEED to buy Netgate hardware. You are able to buy a nice Supermicro server and run the paid versions on that hardware. Plenty of lower-spec Xeon processors out there (don't need 36 cores with 72 threads), with your choice of network cards and your choice of amount and brand of RAM. Full control over your hardware choice, then just pay them the money for the license of your choice. For serious installs, I'd either go with one of the "big" Netgate devices, or build my own. Being able to have parts on the shelf with the build-your-own approach has a certain value if your situation is important enough.

Same goes for OPNsense. For some reason my IT department is on a Fortigate run because it is way cheaper than the Cisco we are using as the main appliance. I don't think we are using half the features that either device offers; we could probably be fine with a PF/OPN firewall. But it might be an insurance thing where Cisco is a known product, and therefore easy to check off that box on the inspection form. The Forti is on our esports network; not sure if it has a direct connection to the web, or goes through the main Cisco first. They generally forget I exist because I almost never need them to fix anything, so not entirely certain how they have it configured.