pfSense Firewall/VPN/Router
Netgate | 2.3.4Linux/Unix, Other FreeBSD pfSense 2.3.4/FreeBSD 10.12 - 64-bit Amazon Machine Image (AMI)
External reviews
External reviews are not included in the AWS star rating for the product.
It's pfSense with a few rough edges
pfSense is great, so I'm happy that there is a way to use it in AWS. A few notes:
- The throughput issues can be fixed by going to System->Advanced->System Tunables and changing net.inet.tcp.tso to 0 instead of 1 (default). There's an issue with the xen network driver on FreeBSD that necessitates this. After that, the speed is great. They shouldn't make end users figure this out.
- The in-place upgrades have been disabled, so applying security updates means spinning up a new instance based on an updated ami from netgate, and then exporting and reloading a config. I've not yet experienced the time it takes for Netgate to publish new AMI's after pfSense updates, so this may or may not be an issue.
- I found the documentation to be lacking for my particular setup. Given this is a subscription based AMI, I'd like for there to be better support options.
Otherwise, it's the same great pfSense we all know and love.
- Leave a Comment |
- Mark review as helpful
Consistent decent performance after tuning
We sit close to 300mbps over our OpenVPN link after we used the system tunable mentioned here: https://forum.pfsense.org/index.php/topic,47567.0.html
Performance is decent and the product is great for the rest of our private networking and NATing needs - we still use elastic load balancers for publishing content to the net.
warning: drastically reduced network performance
we've tried virtualizing pfsense before with XenCenter and with VMWare. unless you have some really fancy set of drivers and linux build and hypervisor that can forward the NIC hardware directly to the vm in the most near-real-time way, pfsense will cause your network performance to suffer greatly when used as an internet gateway.
we thought that the pfSense Certified label would mean they had this kind of fancy setup, but alas there is no magic here. i would not recommend for anything but the most basic services that do not have a high performance network requirement.
if you just need openvpn access, install a micro instance with ubuntu and use the openvpn package, and then stick with the regular aws-provided vpc + internet gateway + elastic ip + security group firewall setup for WAN internet access.
pfSense is a great product, and we love to use it everywhere we can, and we're really sad we can't use it at AWS--it was worth a try, but it really only performs well on bare-metal.
WITH Netgate pfSense tcp iperf = 2-5Mbits throughput, with wildly fluctuating ping times.
WITHOUT Netgate pfSense tcp iperf = 50-100Mbits throughput, with consistent ping times.
Our test was using an m3.xlarge instance.
Simple to setup and exactly what I expected!
After messing around with other OpenVPN and Firewall products, I stumbled upon Netgate's pfSense appliance and almost jumped up and down! A super-easy to use and configure solution, I had users VPN'ed into my VPC within 30 minutes of launching this AMI! Documentation was simple and clear, and I couldn't be happier!
It's technically a great product, but pricey for its business value
Working everyday with products from the large telecom vendors, I tend to get the rationale of the 0.07$/h price-point, which represents a 613.20$ annual total-cost (0.07 x 24hours x 365days).
However, what's disappointing is that when I look around at the medium-class vendors (the non top-5 brands), all their base support/software maintenance plans average 40-50% of what pfSense AMI is listing.
To add to that disappointment; no clear support number, or even a registration process to recognize that I am indeed operating a commercial license of pfSense.
I hope Netgate plans to introduce some form of added value in the near-future; I'd hate to have to move to another platform because I can't come-up with any decent business arguments to justify the costs.