pfSense Firewall/VPN/Router
Netgate | 2.3.4Linux/Unix, Other FreeBSD pfSense 2.3.4/FreeBSD 10.12 - 64-bit Amazon Machine Image (AMI)
License cost increased by 476% from July 2017 without notice!!!
We decided to use pfSense with 100,80$ of licence per month.
Then I realized that from July, the license cost is 476,16$ per month.
No advice received in advance.
- Leave a Comment |
- Mark review as helpful
POSTROUTING and PREROUTING not possible
It seems to be a nice appliance for VPN NAT-T IPSEC tunnels, but there is not any possibility to use POSTROUTING and PREROUTING rules from iptables, and for me they are essential.
It just a simple firewall, I will keep my Openswan
Fantastic as always
At the last minute, I needed to move part of my AWS solution to multiple external dedicated server providers (bandwidth costs!). So, machines that used to live in the private cloud with all their friends suddenly had to live in a faraway place. How could they talk to their friends? Netgate pfsense to the rescue. It was easy to set up a VPN on pfsense, and easy to configure the remote hosts with openvpn. It just worked. It was easier than setting up AWS's Virtual Private Gateway, and can handle multiple clients! I am a huge pfsense fan, so no surprise that this solution was perfect for me.
Good product, but phenomenal support
We're migrating away from NAT instances and six Virtual Private Gateway connections to a single instance running pfSense. So far, everything works well and we'll cut our VPN costs by more than 50%. Good stuff. But wow, what support! I opened a ticket to get some help configuring IPSec tunnels, and was instantly into a live session with their support rep – and it turned into a multi-hour marathon with a highly capable tech on the other end. We wound up debugging a whole bunch of things beyond the simple IPSec problem, and he stuck with it until we had everything up and running smoothly. So yeah, the product is good, the pricing is good, but the people behind it are awesome!
2 hours in and I've made no progress
The "quick start guide" (that's anything but) isn't up to date, isn't easy to read and I think makes assumptions that aren't clear to me (new to VPCs and networking on AWS, but I have 15 years in planning and building networks).
I wanted to like this despite the $50/mo premium, but I can't get it running for lack of clear documentation so for now, it's useless.
Works like charm.
I have been using pfSense for many years. Its amazing project/product having more 200 000 users globally. I have build own AMI for AWS and understand a lot of work put in to pfSense to run on AWS. New version coming 2.3 will brings a lot that helps to upgrade process on AWS with Repositories etc.
If you understand how AWS network plumbing works then you will have no problem to use pfSense. It is reasonable price for all features it offers. If you can take advantage of many features you will save a lots of money using pfSense compare to other products. Its all about to be able do design it all well.
We use pfSense on AWS and is great to forward AWS DNS records using DNS resolver. Multi global IP address allocation per single interface using Virtual IPs functions with Elastic Global IP. Provide internet access to many servers and much more.
I recommend this product for AWS.
Nice product
AWS native VPNs cant have more than 1 tunnel between the same endpoints ( 2 per region ) .
Pfsense Software VPNs solve the problem .
- Not in AMI user guide : disable Source/Destination Check for the instance created on AWS console. I waste a lot of time to figure this out .
It's pfSense with a few rough edges
pfSense is great, so I'm happy that there is a way to use it in AWS. A few notes:
- The throughput issues can be fixed by going to System->Advanced->System Tunables and changing net.inet.tcp.tso to 0 instead of 1 (default). There's an issue with the xen network driver on FreeBSD that necessitates this. After that, the speed is great. They shouldn't make end users figure this out.
- The in-place upgrades have been disabled, so applying security updates means spinning up a new instance based on an updated ami from netgate, and then exporting and reloading a config. I've not yet experienced the time it takes for Netgate to publish new AMI's after pfSense updates, so this may or may not be an issue.
- I found the documentation to be lacking for my particular setup. Given this is a subscription based AMI, I'd like for there to be better support options.
Otherwise, it's the same great pfSense we all know and love.
Consistent decent performance after tuning
We sit close to 300mbps over our OpenVPN link after we used the system tunable mentioned here: https://forum.pfsense.org/index.php/topic,47567.0.html
Performance is decent and the product is great for the rest of our private networking and NATing needs - we still use elastic load balancers for publishing content to the net.
warning: drastically reduced network performance
we've tried virtualizing pfsense before with XenCenter and with VMWare. unless you have some really fancy set of drivers and linux build and hypervisor that can forward the NIC hardware directly to the vm in the most near-real-time way, pfsense will cause your network performance to suffer greatly when used as an internet gateway.
we thought that the pfSense Certified label would mean they had this kind of fancy setup, but alas there is no magic here. i would not recommend for anything but the most basic services that do not have a high performance network requirement.
if you just need openvpn access, install a micro instance with ubuntu and use the openvpn package, and then stick with the regular aws-provided vpc + internet gateway + elastic ip + security group firewall setup for WAN internet access.
pfSense is a great product, and we love to use it everywhere we can, and we're really sad we can't use it at AWS--it was worth a try, but it really only performs well on bare-metal.
WITH Netgate pfSense tcp iperf = 2-5Mbits throughput, with wildly fluctuating ping times.
WITHOUT Netgate pfSense tcp iperf = 50-100Mbits throughput, with consistent ping times.
Our test was using an m3.xlarge instance.