Alternative to pfSense for a production-ready firewall solution hosted in ESXi


The answer to this is most likely: don't do that. Whatever it was you were doing to break pfSense, figure out what it was and don't do that any more.

I've worked with a plethora of Linux and BSD-based router distributions, and pfSense is by far the most stable and flexible one of the bunch.

While there are a few pfSense folks here on Serverfault, I'd recommend taking specific questions to the pfSense mailing list. The project founders and many of the core devs are active on the list, along with a much larger group of active pfSense users than we have here.


Author: tacos_tacos_tacos

Updated on September 18, 2022

Comments

  • tacos_tacos_tacos almost 2 years

    I'm looking for an alternative to pfSense (2) that can be virtualized in VMware ESXi. I've experienced several problems with pfSense to date and I feel like it is not a totally finished or polished product. Whenever anything goes wrong (IP address conflict, squid misconfiguration, etc.) the whole thing goes berserk and it takes a reboot or at least 5 - 10 minutes to fix itself. In many cases even resetting state tables does not help and only serves to compound the issue.

    I think part of the problem is that I probably really suck at pfSense, being new and all, but I've never had this many problems with a firewall appliance and this is coming from a background of using Checkpoint and Linksys and even the occasional D-Link. Of course we run all of our stuff off Cisco ASA at the moment (physical hosts, at least) and I wish I could just run ASA in VMware but sadly that is not possible.

    Please provide any recommendations for either a) guidance on getting pfSense stable, or b) other virtualizable firewall appliances.

    • voretaq7 over 12 years
      Based on what you've said above, the best guidance I can give you for making pfSense stable is "Don't misconfigure your environment" -- If you would like to open a separate question with details (What you did, What the expected behavior was, What actually happened, and relevant sections of your configuration) I'm sure someone can give you more advice though :)
    • EEAA over 12 years
      It's odd that you've had that many problems with pfSense. I've been using it more or less since it was forked from m0n0wall, and have never had anything like this. What version are you running?
    • tacos_tacos_tacos over 12 years
      @voretaq7, the reason I didn't include those details was that it has happened time and time again with things like IP conflicts, installation of new packages (installed squid-reverse with no configuration and had issues right away), etc. For me it's not so much the instability itself, it's the fact that pfSense seems to take so darn long to recover. Maybe it's just me.
    • tacos_tacos_tacos over 12 years
      @ErikA according to webConf I am running 2.0-RELEASE (amd64) built on Tue Sep 13 17:05:32 EDT 2011 - I guess there have been updates since then, perhaps I should try installing those
    • Eric C. Singer over 12 years
      Cisco is coming out with a virtual ASA FYI.
    • tacos_tacos_tacos over 12 years
      @EricC.Singer What? Please provide a link to that info... and a release date.
    • EEAA over 12 years
      @EricC.Singer - if it's like Cisco's other virtual appliances, it'll cost 50% more than the "standard" version.
    • Eric C. Singer over 12 years
    • Eric C. Singer over 12 years
      @ErikA no doubt, it's really designed for datacenters that host VPS or other larger cloud setups. The idea is to give clients access to a cloud based ASA from my understanding
    • EEAA over 12 years
      @jshin47 - How did things work out with this?
  • tacos_tacos_tacos over 12 years
    Thanks for the mailing list suggestion. I will stick with it and try to tough it out. I am left feeling like I really suck at it because I am basically using out of box configuration options, plus one P-ARP Virtual IP, one 1:1 rule, a couple WAN firewall rules, and a few L2L links. I will direct future questions to the mailing list when they are well thought-out. Thanks for the info again.
  • EEAA over 12 years
    Sounds good. I'm on the list as well, and will reply if I'm able to answer any of your questions when they come through. Good luck!
  • voretaq7 over 12 years
    @jshin47 If you do discover what was causing your instability we would definitely appreciate you coming back here to ask (and answer) a question describing the cause and solution. We recommend pfSense deployments here pretty often, but we don't really have a good core of pfSense-specific knowledge if things go wrong -- that's something I'd like to see change :)
  • EEAA over 12 years
    ^^^ What he said.
  • Philip over 12 years
    I really doubt you can diagnose the problem based on "I probably really suck at pfSense" and nonsense like "the whole thing goes berserk and it takes a reboot or at least 5 - 10 minutes to fix itself".