Is pfSense good or do I need another firewall?

I am upgrading my whole infrastructure. One of my friends told me to switch to a good firewall like WatchGuard. But the thing is, I don’t want to pay subscription fees every year. He suggested the FIREBOX T20. I just want to ask: is our pfSense capable enough to do all the things this WatchGuard device can do?


this might help …

The one big feature pfSense is missing is good web filtering; other than that it’s a solid and secure system.


Good and simple web filtering takes effort, which is why it usually costs money. It would make a good paid option from Netgate.


pfSense is great. If you need web filtering, Sophos endpoint protection offers that and much more, plus the web filtering will follow the device since it’s built into the AV.


I own a small business with about 20 devices on LAN and 20 on Wi-Fi. Do you think I need to upgrade to a paid option, or is staying with pfSense good?

It will depend on your use case. What do you need your firewall to do? If you state your use case, the community can provide information on what would be good for you.


So, I own a pharma company. Usually everything works locally. None of my servers even have internet access. Only clients have access to the internet, for Office 365 apps and other things. Guest Wi-Fi is on a separate VLAN. For client security, every device has antivirus software installed. Servers run a Linux distribution.

Also, one more thing to ask…
Right now I have a local user account on every client. But as I said, we are expanding, so the number of clients will increase. So I am planning to put these users on Windows Server AD. If anyone can suggest something about that also…

Do you need to do packet inspection, to check what your employees are trying to access on the internet or what applications are trying to access the Internet? If not, in my opinion pfSense will still be good for you. If you want to inspect packets/proxy, either you use the Squid proxy + SquidGuard or you use a 3rd party to do this.

In regards to your local accounts, when you move to AD I suggest you implement LAPS; this will randomize the local admin account password.


I don’t want to inspect them, but I want to make sure that they are not trying to open something malicious on the internet. And if there is any package in pfSense which I can implement on the guest network, then please suggest it, so I can avoid outsiders doing anything wrong from our public IP.

If this is about IP reputation you should probably not offer a guest network on the same IP you are running a mail server or other critical services. If it’s just a small business / residential connection, with a dynamic IP, and you don’t run anything critical on it, I would not care too much about IP reputation, they are on some default blacklists anyway, and as long as people don’t do illegal stuff, like torrenting movies or worse things, you’ll most likely be fine.

OP, I would recommend a Fortigate over any Watchguard/Sophos/Cisco product any day if you need filtering of any sort (application, web, etc) without breaking the bank - but you will need to pay for it yearly as this is a subscription - but it really works!

What you need to know is what the traffic will be and how many hosts you need to protect; then you will know what kind of devices you should buy. As Tom said, the only things missing from pfSense are filtering AND central management.

If you are still going to be a small company, look at Zentyal for your AD needs. It isn’t as slick as a Windows server, but it does work and you can try/use the community version for free.

That said, if you are going to get into Group Policy then a Windows server will make life much easier. GPO can be done on Zentyal, but you’ll need to install the RSAT tools on a Windows 10 or 11 client to manage the policies. I haven’t done this yet, but it’s on my list of things to try. I do use RSAT with my Windows AD servers, but often just RDP into a server and work on things.

Also thanks for the tip on LAPS, I’ll have to look into this more closely as I rebuild my system from physical to virtual. Might be a very useful thing to have running on my AD servers.

For years we’ve used WatchGuard, which isn’t a bad firewall for a corporate environment. Then we switched to Fortigate. What a steep learning curve that was in terms of configuring the policies, VLANs, etc. Once everything is configured it works well blocking bad things from getting into our corporate network.

I’ve started deploying Netgate 4100 appliances to remote small offices to save on costs of a Fortigate. All traffic passes through Fortigate at the data center via IPsec so it’s already doing web filtering anyway.

I may look into setting up pfBlocker on those Netgate appliances so they don’t have to rely on the Fortigate for filtering. Right now I’m using Pi-hole at home for that.

Fortigate is great for what it is, but they’re expensive in terms of subscriptions. There is nothing wrong with using pfSense in a corporate environment as long as it fits the business needs.

I am running pfSense as a VM to run WireGuard VPN for our remote users. It’s running behind Fortigate at the data center. It’s rock solid despite the fact that the WireGuard package is experimental. Also, the WebGUI makes it easy to set up and manage the WireGuard peers. I have a script to create the WireGuard configuration file which spits out the keys and allowed IPs so I can copy and paste them into pfSense. I wish it could do this automatically within the WireGuard package. Maybe in the future it will?
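The poster’s script is not shown in the thread. The following is an added example of what such a helper can look like (not the poster’s own script and not part of the pfSense WireGuard package): it generates a fresh X25519 key pair and a pre-shared key for one remote user, writes the client-side `.conf`, and collects the three values an admin pastes into the pfSense peer entry. The X25519 scalar multiplication is implemented in pure Python straight from RFC 7748 so the script runs without `wg(8)` or third-party libraries; the function names (`generate_peer`, `public_key`, `clamp`, `b64`) and the sample addresses and endpoint are assumptions made for the example. One detail worth noting is the asymmetry of `AllowedIPs`: on the client it lists the networks routed into the tunnel, while on the pfSense side it is the peer’s own tunnel address, i.e. the only source address the server will accept from that key.

```python
"""Generate one WireGuard peer: key pair, PSK, client .conf and the pfSense peer values.

Added example with hypothetical names; not the forum poster's script. X25519 follows
RFC 7748 and is implemented in pure Python so no wg(8) binary or extra library is needed.
"""
import base64
import secrets

P = 2**255 - 19                       # field prime of Curve25519
A24 = 121665                          # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = bytes([9]) + bytes(31)    # u = 9, little-endian, per RFC 7748


def clamp(private_key: bytes) -> bytes:
    """RFC 7748 scalar clamping: clear the low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(private_key: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 with the Montgomery ladder (RFC 7748, section 5)."""
    k = int.from_bytes(clamp(private_key), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap driven by the scalar bit
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    """Derive the WireGuard public key: the private scalar times the base point."""
    return x25519(private_key, BASEPOINT)


def b64(raw: bytes) -> str:
    """WireGuard keys are exchanged as standard base64 of 32 raw bytes."""
    return base64.b64encode(raw).decode("ascii")


def generate_peer(name, tunnel_address, allowed_ips, endpoint, server_public_key,
                  private_key=None, preshared_key=None):
    """Build the client .conf and the pfSense peer-entry values for one remote user.

    private_key / preshared_key are only meant to be injected by tests; normally both
    are drawn fresh from the OS CSPRNG.
    """
    private_key = clamp(private_key or secrets.token_bytes(32))
    preshared_key = preshared_key or secrets.token_bytes(32)
    pub = b64(public_key(private_key))
    client_conf = "\n".join([
        "[Interface]",
        f"PrivateKey = {b64(private_key)}",
        f"Address = {tunnel_address}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"PresharedKey = {b64(preshared_key)}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",   # networks the client routes into the tunnel
        "PersistentKeepalive = 25",
        "",
    ])
    return {
        "name": name,
        "public_key": pub,
        "preshared_key": b64(preshared_key),
        # Server-side peer entry: the peer's key, the PSK, and ONLY its own tunnel address
        # as Allowed IPs, so pfSense never accepts other source addresses from this key.
        "pfsense_peer": {
            "Public Key": pub,
            "Pre-shared Key": b64(preshared_key),
            "Allowed IPs": tunnel_address,
        },
        "client_conf": client_conf,
    }


if __name__ == "__main__":
    # Constructed sample values for the demo: made-up server key, addressing and hostname.
    peer = generate_peer(
        name="alice-laptop",
        tunnel_address="10.200.0.2/32",
        allowed_ips=["10.0.0.0/24"],
        endpoint="vpn.example.com:51820",
        server_public_key=b64(public_key(secrets.token_bytes(32))),
    )
    print(peer["client_conf"])
    print("pfSense peer entry:", peer["pfsense_peer"])
```

Running the script prints the client configuration to hand to the user and the three values to copy into the pfSense peer form. The private key never needs to leave the machine where it was generated other than inside that client file, and the server-side entry only ever receives the public key and the PSK.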

The two firewalls I recommend are Palo Alto and Fortinet. Both offer SSL decrypt/inspection and anti-malware/IPS functionality, which require a paid subscription but keep you up to date on new threats. I can’t imagine running a firewall without these features either.