PFsense free still good?

I run an infrastructure/security team for a medium size organization. We currently have Cisco ASAs at each location. Cisco VPN is used for remote access through the ASAs in my datacenter. Due to a lot of complication, my company won't pay support or licensing fees for this any longer (I get it, the security and stability argument has been made to management). I'm considering putting up a new solution for remote access (unfortunately it must be free) and was considering pfSense CE on my virtualization platform, but it seems they changed the licensing and this may not be legal, or even really getting support updates? Can't tell.

pfSense CE is still free, can be used commercially and will get updates.

You could upgrade CE to CE Plus, but the licensing changed and you are now charged for the license. This is probably what you are referring to.

One note: I would not virtualize pfSense. If the host server goes offline or there are issues with pfSense, you will lose internet access, which is not good when businesses rely on internet access.

For a business I would purchase a Netgate device and be supported by Netgate.


Thanks Paul. I do agree with purchasing an appliance; however, we are permitted to spend zero dollars, so virtualization would be my only option.

I'd have to take a stand here: if they can't afford $300 per endpoint for hardware devices, then they really don't want access. Even I could manage to bargain in a few hundred for my system if needed.

If you are lucky, you could get brand new HP T740 thin clients, add in some Intel 4 port gigabit cards and a bigger drive, for around $300 USD each. I recently bought some new in box that a bank liquidated for $200 shipped and did exactly this. Running OPNsense on one right now, testing for production. Production will be an old (but still decent) 1U server I pulled after moving all my stuff to a hypervisor.

Re the virtual side of things, I see no problems with virtualising it, even more so if, like an environment I work in, there are multiple hosts providing an HA/DRS/Failover config within VMware. If you are running on a single host, then yes, I wouldn't virtualise.

Exactly, my virtualization env has 6 hosts, so it's pretty safe.

I can't say too much, but the company is in bad financial shape. So no, $300 would be out of the question; they can't even afford front end equipment, let alone back end.

Sounds like time to get off the ship. :ocean: :passenger_ship:


100%, are you hiring? :slight_smile:

OP, if you want to go free, at least buy some Netgate devices that will get you some support for a reasonable price. Any other solution will cost you at least 5x more, unless you want to risk it with Unifi firewalls and their new Pro Support they are offering at 8h x 5d / week for now.

Where do you live? Do you know these networking technologies:
Sophos
Fortinet
Watchguard
SonicWall
Aruba
Datto

And can you speak french?

French, sorry no. I speak English and bad English.


Thanks, but again, corporate America. I can't make monetary decisions and was told there is NO money for security (yes, I know, feel free to cringe).

If there is no money, disconnect the main router and go home. Wait until they call you, then you can start negotiating your NEW salary and budget for the next 12 months.
:wink:

That's hilarious. If it weren't critical infrastructure (it would harm a lot of folks) …

You can also look at OPNsense; it's "different" but should provide most of what you need in the free version.

I think you need to look for a new job; that Cisco money is being spent somewhere, and probably on trivial things. If it is Critical Infrastructure, there is federal money for this stuff; your supervisors just want to look good cutting the budget, right up to the point where they are compromised and that critical function goes dead. Then your job is on the line for installing "this piece of junk" and getting the system wrecked.

Keep every email and written order to install "inferior" product without support for the time when you need to turn whistleblower and save your backside. Also don't do anything on verbal communications; make sure everything has a trail you can save externally. You know you are going to need it, probably just after that supervisor watches porn in his office and gets infected.


Just take an old PC they have with an Intel chipset and buy an Intel RJ45 card for $20. This gives you two NICs and you could put it under PC repair cost. Then you will have a LAN and a WAN interface. Install pfSense on the PC. Boom, firewall with OpenVPN.
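pfSense builds the OpenVPN server settings through its GUI, but the resulting remote-access configuration is still plain OpenVPN. As an added example (not from this thread, and not pfSense or OpenVPN project code), here is a small Python check a defender can run over an exported OpenVPN server config before the two-NIC box goes into production. The directive names are real OpenVPN 2.5+ directives; the two sample configs are constructed for illustration, and what counts as "strong" (AEAD data ciphers, SHA-2 control-channel HMAC, TLS 1.2 or newer, a wrapped control channel, mandatory client certificates) is this example's own assumption.

```python
"""Lint an OpenVPN server config for weak remote-access settings.

Added example, not code from the thread or from pfSense/OpenVPN. The sample
configs below are constructed; the directive names are real OpenVPN ones.
"""

# Assumption for this check: only AEAD data ciphers are acceptable, and the
# OpenVPN default control-channel HMAC (SHA1) is considered too weak.
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_AUTH = {"SHA1", "MD5", "NONE"}
COMPRESSION_ALGOS = {"lzo", "lz4", "lz4-v2"}


def parse_config(text):
    """Return {directive: [args]} for the last occurrence of each directive.

    Lines starting with '#' or ';' are comments.  Inline <tag>...</tag>
    blocks (e.g. <tls-crypt>) are recorded as the directive with an
    "<inline>" marker and their key material is skipped.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):            # end of an inline block
            in_block = False
            continue
        if line.startswith("<"):             # start of an inline block
            directives[line[1:-1]] = ["<inline>"]
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def check_config(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    d = parse_config(text)
    findings = []

    if not any(k in d for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("control channel not wrapped: add tls-crypt (or tls-auth)")

    # OpenVPN 2.5+ negotiates from data-ciphers; older configs pin 'cipher'.
    if "data-ciphers" in d:
        offered = set(d["data-ciphers"][0].upper().split(":"))
    elif "cipher" in d:
        offered = {d["cipher"][0].upper()}
    else:
        offered = set()
    weak = offered - STRONG_CIPHERS
    if not offered:
        findings.append("no data-ciphers/cipher set: pin AEAD ciphers explicitly")
    elif weak:
        findings.append("non-AEAD data cipher(s) offered: " + ", ".join(sorted(weak)))

    auth = d.get("auth", ["SHA1"])[0].upper()      # OpenVPN default is SHA1
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth} is weak: use SHA256 or stronger")

    compress = d.get("compress", [""])
    if "comp-lzo" in d or (compress and compress[0] in COMPRESSION_ALGOS):
        findings.append("compression enabled: disable it (compressed TLS traffic leaks plaintext)")

    tls_min = d.get("tls-version-min", ["1.0"])[0]  # OpenVPN default is 1.0
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min {tls_min}: require at least 1.2")

    if d.get("verify-client-cert", ["require"])[0] != "require":
        findings.append("client certificates not required (verify-client-cert)")

    if d.get("remote-cert-tls", [""])[0] != "client":
        findings.append("remote-cert-tls client missing: a server certificate from the same CA would be accepted as a client")

    if "duplicate-cn" in d:
        findings.append("duplicate-cn lets one certificate be shared by many clients")

    return findings


def is_hardened(text):
    return not check_config(text)


# Constructed sample: a typical "it works" config with legacy settings.
WEAK_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA1
comp-lzo
verify-client-cert none
duplicate-cn
"""

# Constructed sample: the same server with the settings this check wants.
HARDENED_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
server 10.8.0.0 255.255.255.0
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0011223344556677 (placeholder key material, constructed)
-----END OpenVPN Static key V1-----
</tls-crypt>
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls client
verify-client-cert require
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(check_config(conf))} finding(s)")
        for f in check_config(conf):
            print("  -", f)
```

Run it against the server config exported from the pfSense box (Status > OpenVPN shows the running instance; the config itself is under /var/etc/openvpn on a pfSense install, which is an assumption to verify on your version) and clear every finding before exposing the service to the internet.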

This. Every business has some old OptiPlex or Lenovo SFF lying around. Currently my home "router" is an old 9020 SFF Dell with the Intel 350 dual port 1GbE NIC that has the half height bracket.


I was going to suggest this. You can find used server network cards on eBay for a few bucks. Keep in mind that for an enterprise and corporate environment this is just a band-aid setup till the company makes money again. Find a couple of old OptiPlex PCs and make use of HA in case one dies.

Since you mentioned VMware, I'm sure the company is aware of the massive price increase on licensing and support. I use Proxmox for that reason and several others.

Proxmox is 100% free and you get enterprise grade features. You can get a subscription for support when the company is able to.

Thanks Noah and everyone that mentioned physical gear. I'm still going to stick with virtualization for this, as we already have the infrastructure and purchasing something on eBay is still spending money.

@NoahD yes, heard about the VMware pricing. Fortunately we purchased a new Nutanix cluster last year before the funds vanished, with 3 year licensing. We're running AHV, so at least we're insulated from the VMware price gouge.