pfSense® software firewalls - the Whats and Whys

Firewalls with pfSense® software: What are they and why should I use one?


The firewall, that ubiquitous piece of technology that should be a part of every network, is a crucial choice. Many networking engineers look to Cisco as the default, but a growing number are using open source firewall options like pfSense® software. You might have heard of the pfSense® software project. They recently received a good amount of buzz from the much anticipated 2.1 upgrade, but what is it that is so attractive?

Who is pfSense®?

Before we dive into what it does, let's look at the pfSense® software project as a whole for a moment. Anyone in networking has heard of Cisco, but the pfSense® software brand might be unfamiliar to you. It began as an offshoot of the m0n0wall project in 2004, taking the work it started in embedded firewall applications and applying the advancements towards device driven firewalls. pfSense® software has become a favored alternative for network firewalls, with over 167,000 recorded live installs as of April 2013.

What is pfSense® software?

In their own words:

“pfSense® software is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.” – pfsense.org

Basically pfSense® software is an engine that makes a firewall go, but not the actual hardware. This means that a firewall with pfSense® software is not an apples to apples comparison to a Cisco, SonicWall or HP firewall. Those devices are an all-in-one solution with hardware and OS rolled into “off the shelf” solutions, where much of your customizability is in the licensing models you are willing to pay for.

pfSense® software was designed to be a customizable platform that could be hardware agnostic. This allows the engineer to meet the needs of the project with a device with the right I/O and specifications, and then customize the pfSense® software settings to their needs.

The Hard Line on Hardware

As mentioned, pfSense® software is hardware agnostic. The minimum specifications — a 100 MHz Pentium CPU, 128 MB of RAM, and a 512 MB storage medium — are easy to reach, but a firewall with pfSense® software is as good as the parts you build it from. Most network engineers utilize small, power-efficient, appliance-like computers for firewall applications that support connectivity (5 LAN for example) and desired throughput (200 Mbps) while having good speed of CPU and RAM.

Firewalls: pfSense® software vs Cisco

The case for pfSense® software is similar to the one made for the use of Linux-based OSes in business environments, which should not be a surprise since its core is FreeBSD. It is the open source, flexible, customizable free option versus the known, pricey, off-the-shelf one. Let's take a second and look at the pfSense® software project as compared to Cisco, the industry leader:

Cisco

Pros
  • Brand name recognition
  • Industry Leader
  • High quality hardware
  • High quality software
  • Single solution
  • Many support options
  • Well documented solutions
Cons
  • Expensive initial investment
  • Expensive licensing
  • Requires Cisco certifications
  • Slow to upgrade
  • Limited offerings
  • Limited SMB targeting
  • Not modular, closed source

pfSense® software

Pros
  • Inexpensive
  • No licensing fees
  • Free upgrades
  • Simple but effective design
  • Lowered cost for redundancy
  • Open source (Linux software)
  • Customizable
  • Hardware agnostic
  • Easy Installation
Cons
  • Limited free support
  • Little brand recognition
  • Limited safety net
  • No update schedule

When should I select a firewall with pfSense® software instead of another?

There is not an easy “If/then” solution to this. Cisco firewalls, as well as Barracuda, HP, SonicWall and others, are all good devices. Each has its own strengths and weaknesses. Where a pfSense® software-powered firewall makes sense is when cost and customizability are a concern; when your network engineer feels comfortable with the choice; or when you need a firewall that has a feature just not found in another option.

Firewalls are one of the most important parts of a network. Picking the right firewall should be done carefully, but a network’s needs are not always served by throwing money at the problem and more often than not, the firewall that ends up being used is overkill. Find the right firewall for you, but don’t discount pfSense® software as an inexpensive alternative.

Comments (5)

  1. April 27, 2014

    Very well said in the review. I am also using a pfSense firewall appliance and I recommend this to all my friends because it's very helpful for me and for my kids.

  2. May 7, 2014

    We are also using a firewall appliance in our home. I enjoy the internet with greater confidence, especially when my younger brothers and sisters will be the ones to use the computer.

  3. October 1, 2014

    I have been using pfSense since it forked from m0n0wall, in fact, I still have a m0n0wall device that has been in continuous service for 13 years. pfSense really did take off running with some great features and now they have real-live support and for $99/yr you can automagically backup your config files to their cloud.

    pfSense is my #1 choice for any perimeter firewall, it works as a physical box or in a VM, it is a drop-in fix for a number of network services like DHCP and DNS if you are having issues. It also is incredibly easy to maintain, particularly when using commodity desktop hardware, because you can just keep swapping parts as needed and have a hot-spare right there in case of hardware failure.

  4. Andy Crawford
    May 21, 2018

    I’m sorry to say the following, but… First, I’m a Logic Supply fan, and have purchased your hardware for years. I’ve also done a lot of Cisco work over the past 2 decades. However, I’ve become a complete convert to pfSense or BSD based routers over the past few years. But I can say, your chart does a complete disservice to pfSense and to what I presume is your viewpoint. When this was first shared with me, when they just shared the chart, I assumed they were an avid Cisco supporter. In many cases this comparison is just wrong, and in dangerous ways. For example, pfSense is NOT LINUX, that’s a dangerous comparison. I love Linux, have run it since the mid-90’s, and while Linux is a great web server, db server, virtualization hypervisor, etc., it’s an awful firewall. Linux was never designed for such security. Linus Torvalds and others made compromises in the way of performance over hardening, or flexibility over stability. BSD was designed around security hardening from the get go, and with stability as a priority. Comparing it to Linux is horrible for anyone in the know about OS internals. And to use “Limited Free Support” as a Con, when Cisco has ZERO free support. Whereas pfSense has numerous free forums available and a rich community of free support, anyone saying such a thing hasn’t Googled pfSense + anything before. And then to call it “simple” when pf is one of the most complex, and powerful, firewalling daemons to have ever graced an operating system, but it’s quite complex. Hence the reason the original developers wrote a distribution to add some sense to pf, hence pfSense. Now, let me clarify again, I really like you guys, but this chart does a complete disservice to you, your product offerings, to pfSense, and is easily a tool to be used against people like me who deploy pfSense into secure corporate networks. I would love to see a better chart and write up, but in the absence of that, this desperately should go away. pfSense is spectacular, and as a security professional I find this so woefully inaccurate as to be shameful.

  5. Darek Fanton
    May 31, 2018

    Andy, thank you for the comment, and for sharing your thoughts about pfSense. We certainly agree that pfSense is a powerful platform and we appreciate you adding your opinion to the conversation. We’ll take a look at this post (which was written back in 2013) and see if an update is in order.
