Hi Tom and Lawrence system and forums members. :-) Question about pfSense stability and reliability

Hi :slight_smile:
I discovered your youtube channel after an interview you had with David Bombal, and he said you are the Man on pfSense and in the interview and on your channel it shows you are using this on big networks in business usage. :slight_smile:

I have used Cisco small business gateways, firewalls, switches and phones since 2006 so i only know Cisco as i never had any reason to step outside the eco system so to speak.

But now my gateway stands on the edge of EOL and Cisco is good stuff, but the prices is equally “good” too, so to speak. LOL
And after have spent a few days watching your pfSense playlist on youtube, pfSence seems as a potential candidate.

I tried to scroll here on the forum, but i didn’t find an answer on my question.

So my question to you all is.
Is pfSence OS/software as reliable and stable as Cisco small business products?
Uptime stability is my deal breaker in this world so to speak, as i need to know the only downtime i have is for critical important security patches or if a solar-storm kills the internet. LOL :smiley:

I thank you all for answer in advance :slight_smile:

To answer your question - if you purchase a pfsense device you will get failures as with all hardware but it is a very very small percentage.

Been running pfsense for the last couple of years, and no issues at all

If you are worried about uptime, high availablity the devices.

Do you known what functions your required of the firewall - as pfsense may not fix the bill

1 Like

smiling yeah i do know hardware failure happens to all electronics sooner or later, i have spent a few years at an company repairing hardware back in the days when it was cheaper to repair then to by new stuff. :smiley:
It still is cheaper to repair if you can do it yourself. But it is harder now then 25years ago as everything is so tiny nowadays. LOL :smiley:

But some time it is not the hardware that is the problem but the software when you have a long uptime. So thats why i focused the question to pfSense instead of the hardware its runs on. :slight_smile: as i have zero experience of pfsense myself, so thats why i ask you guys that have all that precious experience. :slight_smile: :slight_smile: :slight_smile:

I have found pfsense on good hardware, such as the devices made by Netgate, to be a rock solid solution.

1 Like

Agreed @LTS_Tom, and I’d add to that the software stability factor, the ease of moving pfSense configs around - whether for (planned or not) hardware replacements, software upgrades or redundancy measures. I’ve seen configs containing elements that have survived 10 years of upgrades to both hardware & software.

That was what i was hoping for to hear. :smiley:
as i have some time before EOL, I’m thinking of using an old HP proliant server i stopped using last summer to “learn” how pfSense works… I saw a video in that playlist where you took a HP server… Mine is around those specs…
Best to test it before buying dedicated hardware…
It feels almost a bit scary as i have been in the Cisco eco system for so many darn years without even look in another direction. :scream:

But thanks for the answer once again :smiley: and i might have a few questions in the future. :slight_smile:

1 Like

Thanks :smiley:
I really like when several people have the same opinion, as it feels a bit “safer” so to speak :slight_smile:
I love hearing numbers around 10years. smiling :slight_smile:
I am well known for hating installing and configure/tweak systems with a passion… i think I’m soon googleble on “who hates installing operating systems” and google will show a picture of me. *HAHAHA’ :rofl:
So saying high numbers is how you get my attention in the life of IT. :smiling_face_with_three_hearts:

I think I’ve only been using mine for around 5 years on hardware that was built in 2012. Getting ready to “upgrade” to newer hardware from around 2016.

I’m also going to look into Zenarmor to do some of the things that you might have been getting with the Cisco products. Still trying to find the time at work to test some of this stuff.

Okay… I have heard about Zenarmor but i have never looked at it, not even their homepage… i might have to take a look on what it is as you bring it up. :slight_smile:
I started to learn Linux 6years ago as i only have been working with Microsoft systems only and my friend told me Linux is soooo darn good you will never regret switching to Linux as a daily driver.
He was right on Linux and servers… as for desktops and laptops… lets say i have a different opinion on them though(even i am on Debian typing this message). *LOL’ :smiley:

Generally I’ve found it to be pretty stable but honestly most firewalls are. Any no firewall is perfect and you’ll run into finding edge case bugs that can cause issues when you’re trying to reconfigure things. Typically greenfield pfsense deployments are pretty good. Most of my pfsense pain comes from bringing pfsense configurations up through many years. If you’re using it to be your core firewall for hosting services you’ll definitely want to put your test environment through the paces to get a good understanding of how all the services work with each other. I used to put it on white label boxes, now I just buy from Netgate.

Broke mine yesterday trying to fight a problem with e2guardian… Ended up turning filtering off for now while I build a second firewall to test and replace. I actually got locked out on one interface from this! Was an exciting ten minutes or so.

Hi there D/C :slight_smile:

I do expect pfSense to have a mood and some attitude. There is no system out there that is perfect, if it was everyone would use that :stuck_out_tongue: … So it all boils down to which system that sucks less. *smiling’ :smiley:

Thanks for the tip… i always test new stuff over an extended period of time and as last test i will run pfSense in parallel with what i have now. I use three gateways(3ISPs) as failover and also i use them for some load balancing and some private traffic is specific to one ISP
Uptime is my deal breaker as i mention in the start post. :slight_smile: :slight_smile:

It sounds as you still are smiling at least :slight_smile:
If i know myself, i had needed four coffee and maybe a valium to avoid frustration and swearing. *LOL’ :rofl:
I have a bad temper when it comes to my own stuff… But when i fix others systems i have patience and calmness that is out of this world…

My problem was mostly user error with an unofficial package, so can’t blame the firewall. Before that I’ve had years of stable use, so I would say it is good enough. And I’ve run it on some pretty old equipment like Xeon X56xx processors on Supermicro X7 main boards.

That said, I’m also starting to mess with OPNsense, I decided I should spread my knowledge a little. Similar but different so far, can’t say if I like it yet because things are in different places.

Okay… unofficial packages can cause interesting phenomenon on all systems, so yeah it can be hard to blame it on pfSense then. *smiling’ :stuck_out_tongue:

As far i have understood with pfSense so far out of Tom’s videos, is that old hardware is no problem as long you dont need high throughput or run any heavy extra services.
So lets say you only need a home router with some fun extras and only an 100/100 connection then an old dualcore 2GHz with dd2 ram will almost be overkill. :smiley:

Isn’t OPNsense almost the same as pfSense? i think i read a year or two back that one was a breakaway from the other. a bit like Linux distros often is a fork of another.
((things are in different places.)) classic with guis… just look on modern switches GUIs… they do the same thing but they always have their own layout. In the past it was CLI and different commands… i hate the terminal interface… It is good to know, but if i can choose… i always use the GUI as it looks nicer and you get a better overview of things… and a GUI is 100times faster to learn then start learning new terminal commands. :slight_smile:

Yes OPNsense is a fork of pfsense which is a fork of monowall. Both PF and OPN do not have a direct GUI, but both use a web GUI for configuration. Once you get the initial configuration of either (basically just the LAN connection), everything else is normally done through the web GUI. I still connect monitor/keyboard to my firewalls, just for those times when things go badly and you need a direct connection (like yesterday). VGA KVM switches are cheap if you don’t need audio follow, so I have a few KVM switches around for things. A good one on my production system, and cheap ones for lab use.

The first two pfsense devices we bought from Netgate lasted just a couple of months past two years. Those were relatively inexpensive. In both cases, the onboard memory failed. I would avoid the “low end” devices. After our 3100 failed, we bought a 2100, which proved too slow. It’s relegated to backup and we now run on a 4100. The 4100 has been replaced by the 4200, which is both less expensive and faster. After the first two devices failed, we looked around for something else, but we’d invested so much in understanding how to configure pfsense that we decided to stick with it. (But we do have the 2100 for backup, although the config file is slightly different.) YMMV

Okay, i have never heard of monowall… darn, now i have learned a new thing today too. *smiling’ it do not pass a single day without learning new things. ‘LOL’ :smiley:
i was a bit sloppy when i wrote i did mean web gui, i thought i could be lazy in my writing. :wink:
Same here, i also use VGA KVM switches to my servers and lab-computers… as it is easier maintain a higher security when you dont have remote administration access…

Yeah that is sadly one of the most common rule of life… you only get what you are paying for… it’s only a few exceptions that exists just to prove it is a rule. :-/
I have not looked at the netgate pricing, but i think it still cheaper then Cisco as you have to pay at least $200 extra to get the Cisco logo on the front. ‘lol’ :smiley:

I will have a serious look at pfSense and give it a fair chance over 6month period before i decide what way i go… So far it all looks and sounds good… Now it just has to preform as good as it sounds. :slight_smile: :slight_smile:

1 Like

Remember that you don’t NEED to buy Netgate hardware. You are able to buy a nice Supermicro server and run the paid versions on that hardware. Plenty of lower spec. Xeon processors out there (don’t need 36 cores with 72 threads), with your choice of network cards and your choice of amount and brand of RAM. Full control over your hardware choice, then just pay them the money for the license of your choice. For serious installs, I’d either go with one of the “big” netgate devices, or build my own. Being able to have parts on the shelf with the build your own has a certain value if your situation is important enough.

Same goes for OPNsense. For some reason my IT department is on a Fortigate run because it is way cheaper than the Cisco we are using as the main appliance. I don’t think we are using half the features that either device offers, we could probably be fine with a PF/OPN firewall. But it might be an insurance thing where Cisco is a known product, and therefor easy to check off that box on the inspection form. The Forti is on our esports network, not sure if it has direct connection to the web, or goes through the main Cisco first. They generally forget I exist because I almost never need them to fix anything, so not entirely certain how they have it configured.