[nycbug-talk] router/firewall recommendation ?

Chris Buechler nycbug at chrisbuechler.com
Wed Dec 24 12:28:48 EST 2008


pete wrote:
> sheesh, try to get some work done and you miss a whole thread ;^)
>
> one thing that i was pleasantly surprised with pfsense was the built-in rrd
> graphing.  you can turn off the webUI too if you want, but i found it quite
> nice to not have to set up snmp and a rrd graphing server in our small
> office.
>
> having said that - heck yea, {open,free,net}BSD might be the way to go if
> you have the time and/or interest to get everything up and running by hand.

That's the key part - time and interest. It's not just about setting up 
a pf.conf. Got a PPPoE connection?  You'll need to learn MPD. Want a 
VPN?  You'll need to learn <insert preferred VPN method here>. Need 
server or multi-WAN load balancing?  You'll need to learn relayd or slbd 
too. Caching DNS server?  Learn your pick of software there. Want HA?  
Have to learn CARP, pfsync, and determine how you will sync your config 
between hosts. Multi-WAN? Don't forget little caveats like adding 
reply-to on WAN rules (and negate them as needed with rules for the 
WAN's subnet sans reply-to). There are a lot of little things like this, 
especially when you get into more complex setups like HA, multi-WAN, 
etc. There are numerous things that we do automatically that you don't 
even have to think about, much less spend significant time trying to 
figure out.

The amount of logic in the pfsense code base that ties all these various 
components together to make them work seamlessly is incredible. That's 
the point of the project, and why even many of you here, even those who 
are perfectly capable of configuring all the underlying components by 
hand, use it.

If you're starting with little knowledge of all these underlying 
components, and you want anything more than a simple two interface LAN 
and WAN NAT box with filtering, you could easily be looking at 100+ 
hours of effort for something you could have running with pfSense in 2 
hours even starting with little to no knowledge. If you're curious and 
have time to burn, setting it all up yourself would be a great learning 
experience. But it's something most people would rather not mess with.

On the contrary, if you're a guru with all these aforementioned 
underlying components and everyone who ever has to touch your firewall 
also is, then there likely isn't any reason to consider a customized 
GUI-fied distro like pfsense.

best,
Chris
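The multi-WAN caveat in the message above (reply-to on WAN rules, negated for the WAN's own subnet) is easy to get wrong by hand, so here is what it looks like in pf.conf. This is an added example, not from the original post or the pfSense project; the interface names, subnets and gateway addresses are constructed, and the open port is an arbitrary choice.

```pf
# Added example, not from the original post. Interface names, subnets and
# gateways below are constructed placeholders.
ext_if1  = "em0"             # WAN1, carries the default route
ext_if2  = "em1"             # WAN2, second upstream
wan1_gw  = "203.0.113.1"
wan2_gw  = "198.51.100.1"
wan1_net = "203.0.113.0/24"
wan2_net = "198.51.100.0/24"

# Negation rules first: traffic from a WAN's own subnet (the ISP gateway,
# other hosts on the same link) must NOT get reply-to, otherwise replies
# to an on-link host are pushed through the gateway instead of being sent
# directly. 'quick' makes these win over the reply-to rules below.
pass in quick on $ext_if1 from $wan1_net to ($ext_if1) keep state
pass in quick on $ext_if2 from $wan2_net to ($ext_if2) keep state

# Inbound connections on each WAN: reply-to pins the state's return path
# to the gateway of the interface the connection arrived on. Without it,
# replies to a connection that came in on WAN2 would follow the default
# route out WAN1 carrying a WAN2 source address, and the ISP would drop
# them (or the client would never see them).
pass in on $ext_if1 reply-to ($ext_if1 $wan1_gw) inet proto tcp \
    from any to ($ext_if1) port 443 keep state
pass in on $ext_if2 reply-to ($ext_if2 $wan2_gw) inet proto tcp \
    from any to ($ext_if2) port 443 keep state
```

The same pattern applies to every inbound rule on a non-default WAN; it is exactly this kind of per-rule bookkeeping that a distribution like pfSense takes care of, and that a hand-built pf.conf has to repeat for each service and each WAN.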
