pfSense rocks
pfSense rocks. There are no other words to describe it. My connection speed is faster with it compared to IPCop and SmoothWall. Traffic shaping (QoS) wasn’t as easy to set up, compared to the others, at first, but it only took a little time to get it down. Snort, Squid and OpenVPN were easy to install and run flawlessly.
The only thing that is missing from pfSense QoS is Layer 7 traffic shaping. That would allow me to do QoS based on applications instead of just IP/port. The good news is that Layer 7 shaping is planned in the next major release. The bad news is there isn’t a set release date for the next major release.
Updates come out fairly often to correct minor bugs or to add functions for testing. The updates are released as snapshots and can be installed via the webconfigurator Firmware page.
I still have the Linksys BEFSX41 just in case of some kind of failure (hardware or software). It’s good to have a backup.
If you’re in a bad situation, don’t worry it’ll change. If you’re in a good situation, don’t worry it’ll change. - John A. Simone, Sr.
03.Feb.07
BSD, Networking, Security
pfSense Firewall
After testing ClarkConnect firewall for a while, I decided to test another firewall OS. ClarkConnect works really well but the resource usage is high. The system I’m using has an Intel Celeron 850 CPU and 512 MB of RAM. The utilization would always stay over 90% for RAM and over 60% for CPU. According to this page, the high memory usage is by design but I thought the CPU usage was a little too much for what was running. ClarkConnect ran well overall but I wanted to test other systems before settling on one.
The latest firewall OS I’m testing is pfSense. It’s based on FreeBSD 6.1. The install was tricky due to using a USB CD-ROM. Anytime I would boot from the CD, all I would get is a screen full of scrolling error messages. I checked the pfSense forums and found that it is a FreeBSD issue. I had to connect the hard drive to another machine, with a built-in CD-ROM, to perform the install. I moved the hard drive to the firewall enclosure once the install was complete and I was able to set up the LAN and WAN interfaces.
Once setup was complete, I connected to the web configuration page for pfSense. You have an idea about the interface for pfSense if you’ve ever seen the interface for m0n0wall. That’s because pfSense is a fork of m0n0wall.
pfSense comes with basic firewall functions but can easily be expanded to include Squid and Snort through package additions. I installed both of those packages so that it would match what was set up with ClarkConnect. Resource usage is nowhere near what it was for CC.
I have not completed all the testing for pfSense but so far I like it. My connection speed matches what it was with CC, which is a slight improvement over the Linksys router. My only complaint is Squid logging. Right now, there is no way to see if the Squid cache is being utilized or how much drive space is being used. Considering that this is only release 1.0.1 of pfSense, I’m sure that issue will be corrected soon enough.
More details to come.
18.Jan.07
BSD, Networking, Security