pfSense Firewall Protect Your Network
By purchasing Netgate hardware from us or through a Netgate Partner, you are not only supporting the project, you are simplifying the process of selecting the right hardware for your needs.
Netgate security gateway appliances have been tested and deployed in a wide range of large and small network environments. What’s more, eligible pfSense® Plus hardware purchases from the store can be bundled with Netgate Global Support.
pfSense Firewall Plus Appliance Guidance
The following outlines the best practices for choosing the appliance best suitable for your environment.
pfSense Firewall Feature Considerations
Most features do not factor into hardware sizing, although a few will have a significant impact on hardware utilization:
VPN – Heavy use of any of the VPN services included in the pfSense software will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required. AES-NI acceleration of IPsec significantly reduces CPU requirements on platforms that support it.
Captive Portal – While the primary concern is typically throughput, environments with hundreds of simultaneous captive portal users (of which there are many) will require slightly more CPU power than the CPU guidance in this document recommends.
Large State Tables – State table entries require about 1 KB of RAM each. The default state table size is calculated based on 10% of the available RAM in the firewall. For example, a firewall with 1 GB of RAM will default to 100,000 states which when full would use about 100 MB of RAM. For large environments requiring state tables with several hundred thousand connections, or millions of connections, ensure adequate RAM is available.
Packages – Some of the packages increase RAM requirements significantly. Snort and ntop are two that should not be installed on a system with less than 1 GB RAM.
pfSense Firewall Hardware Requirements and Guidance
The following outlines the minimum hardware requirements for pfSense software version 2.x. Note the minimum requirements are not suitable for all environments. You may be able to get by with less than the minimum, but with less memory you may start swapping to disk, which will dramatically slow down your system.
Requirements Specific to Individual Platforms:
pfSense Firewall Network Card Selection
Selection of network cards (NICs) is often the single most important performance factor in your setup. Inexpensive NICs can saturate your CPU with interrupt handling, causing missed packets and your CPU to be the bottleneck. A quality NIC can substantially increase system throughput. When using pfSense software to protect your wireless network or segment multiple LAN segments, throughput between interfaces becomes more important than throughput to the WAN interface(s).
NICs based on Intel chipsets tend to be the best performing and most reliable when used with pfSense software. We therefore strongly recommend purchasing Intel cards, or systems with built-in Intel NICs up to 1Gbps. Above 1Gbps, other factors, and other NIC vendors dominate performance.
pfSense Firewall CPU Selection
The numbers stated in the following sections can be increased slightly for quality NICs, and decreased (possibly substantially) with low quality NICs. All of the following numbers also assume no packages are installed.
We recommend a modern (less than four years old) Intel or AMD CPU clocked at 500 MHz or greater.
We recommend a modern 1.0 GHz Intel or AMD CPU.
No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters.
Multiple cores at > 2.0 GHz are required. Server class hardware with PCI-e network adapters.
Remember if you want to use your pfSense installation to protect your wireless network, or segment multiple LAN segments, throughput between interfaces must be taken into account. In environments where extremely high throughput through several interfaces is required, especially with gigabit interfaces, PCI bus speed must be taken into account. When using multiple interfaces in the same system, the bandwidth of the PCI bus can easily become a bottleneck.
pfSense Firewall Hardware Compatibility List
As pfSense is based on FreeBSD, its hardware compatibility list is the same as FreeBSD’s. The pfSense kernel includes all FreeBSD drivers.
Securely Connect to the Cloud
Netgate virtual appliances with pfSense Plus software extend your applications and connectivity to authorized users everywhere, through Amazon AWS and Microsoft Azure cloud services. Network your employees, partners, customers, and other parties to share resources in site-to-cloud, cloud-to-cloud, and virtual private cloud (VPC) connectivity. Full firewall/VPN/router functionality all in one available in the cloud starting at $0.08/hr.
Get Professional Help From The Source
Get support from the team who knows pfSense® software best. With Netgate® Global Support, we have more than just an expert knowledge of pfSense solutions. The Netgate team is the host of the open source pfSense firewall project and contributes leadership, engineering, test, and infrastructure assets to the project. We have the most informed and capable people to help you with any pfSense installation, deployment, or configuration issue. If you purchase your hardware appliance directly from us, our support team will be more empowered to provide end-to-end solutions which encompass the hardware or the firewall application.
We know the challenges you face are complicated. Netgate staff can help you implement effective solutions to solve those problems. We will help you plan, design, implement, operate, and manage the right technology strategy to improve the way you do business. From network security to high-availability to firewall conversions, we provide effective solutions so you can focus on running your business. Find out more at the Netgate website.
Global, Access, Knowledge
Netgate training is the only official source for pfSense courses! Our expert team provides quality on-line and on-site pfSense training to individuals and organizations of all sizes. We keep our class sizes small to provide each student the attention they deserve. The curriculum is designed to scale in detail from new pfSense users to senior network engineers, and can be customized to suit the needs of your business.
Consulting and Implementation Services
For new, large-scale deployments, customers typically engage with us for an end-to-end implementation. We specialize in requirements gathering, solution design, installation support, integration testing, and go-live / production roll-out.
For customers with an existing firewall looking to convert to pfSense software, we can configure your pfSense software to match the settings of your existing firewall product. We have experience with a wide range of commercial and open source firewalls, and extensive expertise and experience with Cisco PIX and ASA.
Software upgrades often present unexpected challenges, significant risk and unplanned downtime. Remaining current is essential to remaining secure. We manage hundreds of production-level upgrades and over time, this has helped us develop an extensive set of best practices around keeping customers up to date with the latest version of pfSense software.
VPN Architecture and Deployment
Before you can begin to design a network, you first must determine your needs. What services must you provide to your user community? What are the resources you’ll need? You have to take into account network protocols, applications, network speed, and, most important, network security issues. Another important factor your management will probably force you to consider is cost — you can’t forget the budget.
Netgate offers in-depth courses for increasing your knowledge of Netgate products and services. As the primary developer, sponsor and official host of the pfSense project, we offer the only authorized training on pfSense software. When you need to maintain or improve the security skills of your staff or offer highly specialized support to improve your customer satisfaction, Netgate is your best choice.
Stateful Packet Inspection (SPI)
A stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature used to invoke fine-grained security policies. pfSense Plus software does this by default, and can be configured to block traffic based on policy matches. Alternatively, one can just inspect and not block traffic, by adding pass rules for all traffic on each interface from any/to any as desired.
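As an added example that is not part of the Netgate page: the state table sizing arithmetic from the "Large State Tables" guidance (about 1 KB of RAM per state, default limit of 10% of RAM) together with the stateful tracking just described, in one small Python simulation. The `StatefulFirewall` class is a hypothetical, deliberately coarse model (no TCP flag tracking, no timeouts), not pf's own code; the traffic in `demo()` and the two-state capacity are constructed for illustration using RFC 5737 documentation addresses.

```python
from dataclasses import dataclass

# Sizing figures taken from the guidance above: roughly 1 KB of RAM per state
# and a default state table of 10% of RAM. Decimal units are used so that
# 1000 MB of RAM reproduces the page's "1 GB -> 100,000 states" figure.
STATE_BYTES = 1_000
MB = 1_000_000


def default_state_limit(ram_mb: int) -> int:
    """Default state table size for a firewall with ram_mb of RAM."""
    return int(ram_mb * MB * 0.10) // STATE_BYTES


def ram_for_states(states: int) -> float:
    """RAM in MB that a full state table of the given size will consume."""
    return states * STATE_BYTES / MB


def ram_for_default_limit(states: int) -> float:
    """RAM in MB needed for the default 10% rule to yield at least this many
    states: ten times the raw state cost, since only 10% of RAM is reserved."""
    return ram_for_states(states) * 10


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """Hypothetical model of stateful filtering: a pass rule creates state, and
    packets in either direction of a known flow are passed by the state table
    without consulting the rule set again."""

    def __init__(self, max_states: int):
        self.max_states = max_states
        self.states = set()
        # Policy: LAN may initiate any connection; WAN may initiate nothing.
        self.pass_rules = {"lan": True, "wan": False}

    def filter(self, pkt: Packet) -> str:
        # Existing state in either direction wins before any rule is checked.
        if pkt.key() in self.states or pkt.reverse_key() in self.states:
            return "pass (state)"
        # No state: the interface's rule decides whether a new flow may start.
        if not self.pass_rules.get(pkt.iface, False):
            return "block (no rule)"
        # Rule matched, but a full state table means new flows fail.
        if len(self.states) >= self.max_states:
            return "drop (state table full)"
        self.states.add(pkt.key())
        return "pass (new state)"


def demo():
    """Constructed traffic: one LAN client talking to a web server on the WAN."""
    fw = StatefulFirewall(max_states=2)   # tiny limit so the exhaustion case shows
    lan_host, web = "192.0.2.10", "198.51.100.80"
    out1 = Packet("lan", lan_host, 40001, web, 443)
    reply1 = Packet("wan", web, 443, lan_host, 40001)      # return traffic of out1
    unsolicited = Packet("wan", "203.0.113.7", 5555, lan_host, 22)
    out2 = Packet("lan", lan_host, 40002, web, 443)
    out3 = Packet("lan", lan_host, 40003, web, 443)        # exceeds max_states
    return [fw.filter(p) for p in (out1, reply1, unsolicited, out2, out3)]


if __name__ == "__main__":
    print(default_state_limit(1000), "default states for 1000 MB RAM")
    print(ram_for_states(500_000), "MB consumed by 500,000 states")
    print(ram_for_default_limit(500_000), "MB for the default rule to allow 500,000 states")
    for verdict in demo():
        print(verdict)
```

The last verdict is the practical point of the sizing guidance: once the state table is full, legitimate new connections are dropped even though a pass rule matches them, so a firewall expected to carry several hundred thousand states either needs the RAM the default 10% rule implies or a manually raised state limit with enough RAM behind it.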
IPsec is a group of protocols used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, where it both encrypts IP packets and authenticates the source from where the packets originated.
OpenVPN is a VPN solution that implements secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
WireGuard is an open-source VPN software solution designed with the intent of providing ease of use, high speed performance, and a low attack surface.
Site-to-site and remote access VPN
Site-to-site VPNs allow multiple users’ traffic to flow through each VPN tunnel. Remote-access VPNs only allow one user’s traffic to travel through each VPN tunnel. pfSense Plus software supports both site-to-site and remote-access VPN capabilities via IPsec or OpenVPN.
Secure Sockets Layer (SSL) is an encryption-based Internet security protocol used to ensure privacy, authentication, and data integrity in Internet communications. OpenVPN is an SSL based VPN.
VPN client for multiple operating systems
OpenVPN supports clients on a wide range of operating systems including all the BSDs, Linux, Android, Mac OS X, iOS, Solaris, Windows 2000 and newer, and even some VoIP handsets.
L2TP/IPsec for mobile devices
pfSense Plus software supports remote access VPN for a variety of Android and iOS devices. Other clients may work as well.
OpenVPN can connect a site-to-site tunnel to either an IPv4 address or an IPv6 address, and both IPv4 and IPv6 traffic may be passed inside of an OpenVPN tunnel at the same time. IPv6 is supported both in site-to-site and mobile clients, and it can be used to deliver IPv6 to a site that only has IPv4 connectivity.
IPsec is capable of connecting to a tunnel over IPv4 or IPv6 phase 1 peer addresses, but with some traffic limitations.
Split tunneling allows a user to access dissimilar security domains, e.g., a public network and a local LAN or WAN at the same time, using the same or different network connections.
pfSense Plus software supports the ability to establish multiple VPN tunnels over a single physical interface – useful, for example when securely connecting a number of office locations to one another.
VPN tunnel failover
pfSense Plus software supports both OpenVPN and IPsec tunnel failover.
Automatic or custom routing
OpenVPN and IPsec tunnels can be configured using either auto-generated or custom-designed routes.
Local user authentication or RADIUS/LDAP
pfSense Plus software allows for user authentication to be managed either by local user authentication, or by RADIUS/LDAP as an authentication source for a VPN.