Providing comprehensive network security solutions for the enterprise, large business and SOHO, pfSense solutions bring together the most advanced technology available to make protecting your network easier than ever before. Our products are built on the most reliable platforms and are engineered to provide the highest levels of performance, stability and confidence.
CPU: AMD G-T40E, 1 GHz dual-core Bobcat with 64-bit support, 512K L2 cache per core
RAM: 2 GB DDR3-1066 DRAM
Storage: Boot from SD card, external USB or m-SATA SSD; 1 SATA port
Net: 3 Gigabit Ethernet channels (Realtek RTL8111E)
I/O: DB9 serial port, 2 USB external + 2 internal, three front panel LEDs, pushbutton
Firmware: CoreBoot open source system BIOS with support for iPXE and USB boot
Power: About 6 to 12W of 12V DC power depending on CPU load, AC adapter with Euro plug
Performance (estimated Ethernet IMIX throughput):
Routing: 154,171 pps (437 Mbps)
ipfw impact: 114,152 pps (324 Mbps)
pf impact: 88,169 pps (250 Mbps)
Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
Limit simultaneous connections on a per-rule basis
pfSense software utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense software allows for that (amongst many other possibilities) by passively detecting the Operating System in use.
Option to log or not log traffic matching each rule.
Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
Enabled in the pfSense software by default.
Can be disabled if necessary. This option causes problems for some NFS implementations, but it is safe and should be left enabled on most installations.
Disable filter – you can turn off the firewall filter entirely if you wish to turn your pfSense software into a pure router.
The firewall’s state table maintains information on your open network connections. The pfSense software is a stateful firewall; by default all rules are stateful.
Most firewalls lack the ability to finely control your state table. The pfSense software has numerous features allowing granular control of your state table, thanks to the abilities of FreeBSD’s ported version of pf.
Adjustable state table size – there are multiple production pfSense installations using several hundred thousand states. The default state table size varies according to the RAM installed in the system, but it can be increased on the fly to your desired size. Each state takes approximately 1 KB of RAM, so keep in mind memory usage when sizing your state table. Do not set it arbitrarily high.
On a per-rule basis:
Limit simultaneous client connections
Limit states per host
Limit new connections per second
Define state timeout
Define state type
State types – the pfSense software offers multiple options for state handling.
Keep state – Works with all protocols. Default for all rules.
Sloppy state – Works with all protocols. Less strict state tracking, useful in cases of asymmetric routing.
Synproxy state – Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined.
None – Do not keep any state entries for this traffic. This is very rarely desirable, but is available because it can be useful under some limited circumstances.
State table optimization options – pf offers four options for state table optimization.
Normal – the default algorithm
High latency – Useful for high latency links, such as satellite connections. Expires idle connections later than normal.
Aggressive – Expires idle connections more quickly. More efficient use of hardware resources, but can drop legitimate connections.
Conservative – Tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization.
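The per-rule state options, scrub, OS fingerprinting and the optimization setting above all map to FreeBSD pf directives. The fragment below is an added, hand-written pf.conf example, not a ruleset generated by the pfSense GUI (pfSense builds its own ruleset from the GUI configuration), so treat it as a reference for what the options mean rather than something to paste into a pfSense box. Interface names (em0, em1), the 192.0.2.10 web server and the 10.x networks are assumed values.

```pf
# Added example (not pfSense-generated): FreeBSD pf.conf fragment showing
# the state-handling options the pfSense GUI exposes per rule.
# Assumed names/addresses: em0 (WAN), em1 (LAN), 192.0.2.10 (web server).
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"
table <bruteforce> persist

# Global state table tuning. At roughly 1 KB per state, 200,000 states
# means about 200 MB of RAM when the table is full.
set limit states 200000
set optimization high-latency      # normal | high-latency | aggressive | conservative
set timeout { tcp.established 3600, udp.multiple 120 }

# Packet normalization ("scrub"): reassemble fragments and drop TCP packets
# with invalid flag combinations before the filter rules see them.
scrub in all fragment reassemble

# Filtering on the passively fingerprinted OS (pf's p0f-derived "os" keyword).
pass in on $int_if proto tcp from any os "Linux" to any port 443 keep state
block in on $int_if proto tcp from any os "Windows" to any port 443

# Keep state (the default) with per-rule limits: at most 10,000 states for
# this rule, 50 states per source host, and 15 new connections per 5 seconds.
# Sources that exceed the rate land in <bruteforce> and lose their states.
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to $web_srv port 80 flags S/SA keep state \
    (max 10000, max-src-states 50, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Synproxy state: pf completes the TCP handshake itself, so a spoofed SYN
# flood never reaches the server.
pass in on $ext_if proto tcp to $web_srv port 443 flags S/SA synproxy state

# Sloppy state for an asymmetrically routed internal path, where pf may
# only see one direction of a connection.
pass on $int_if proto tcp from 10.0.0.0/8 to 10.1.0.0/16 keep state (sloppy)

# No state at all: every packet is evaluated against the rules (rarely wanted).
pass out on $ext_if proto udp to any port 514 no state
```

`pfctl -nf <file>` parses a ruleset without loading it, which is the quickest way to check that a combination of state options is syntactically valid before relying on it.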
Network Address Translation (NAT)
Port forwards including ranges and the use of multiple public IPs
1:1 NAT for individual IPs or entire subnets.
Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used.
Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules.
NAT Reflection – NAT reflection is possible so services can be accessed by public IP from internal networks.
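The NAT features listed above correspond to pf's nat, no nat, rdr and binat rules. The following is an added example written for this page, not pfSense's own generated ruleset; em0/em1, the 203.0.113.x public addresses and the 10.0.0.0/24 LAN are assumed values. It also shows the plain-pf form of server load balancing (round-robin over a table), which is the mechanism behind the pool concept; the health checks that remove dead servers from a pfSense pool are done by relayd, not by pf itself.

```pf
# Added example (not pfSense-generated): FreeBSD pf NAT rules for the
# features described above. Assumed: em0 = WAN, em1 = LAN (10.0.0.0/24),
# extra public IPs 203.0.113.2 and 203.0.113.3 bound to the WAN interface.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.0.0/24"
pub_ip2 = "203.0.113.2"
pub_ip3 = "203.0.113.3"
table <webpool> { 10.0.0.21, 10.0.0.22 }

# Default outbound NAT: all LAN traffic leaves with the WAN address.
# The parentheses tell pf to re-read the address if the WAN IP changes.
nat on $ext_if from $lan_net to any -> ($ext_if)

# A "no NAT" exception of the kind Advanced Outbound NAT enables: keep the
# private source address on traffic destined for a VPN peer network.
no nat on $ext_if from $lan_net to 10.9.0.0/24

# Port forward of a whole range, on a secondary public IP, into one host
# (ports are mapped one-to-one when no target port is given).
rdr on $ext_if proto tcp from any to $pub_ip2 port 5000:5010 -> 10.0.0.5

# 1:1 NAT for a single internal host on another public IP.
binat on $ext_if from 10.0.0.10 to any -> $pub_ip3

# NAT reflection: LAN clients that connect to the public IP are redirected
# too, and the source is translated so the server's reply returns through
# the firewall instead of going straight back to the client.
rdr on $int_if proto tcp from $lan_net to $pub_ip2 port 80 -> 10.0.0.5
nat on $int_if proto tcp from $lan_net to 10.0.0.5 port 80 -> ($int_if)

# Server load balancing in plain pf: round-robin over <webpool>, keeping each
# client on the same backend. Health checks are relayd's job in pfSense.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <webpool> round-robin sticky-address

# Translation alone passes nothing; the filter rules must allow the
# post-translation traffic.
pass in on $ext_if proto tcp to { 10.0.0.5, <webpool> } port { 80, 5000:5010 } flags S/SA keep state
```

Because pf evaluates translation rules before filter rules, filter rules are written against the internal (post-rdr) address, which is why the final pass rule names 10.0.0.5 and the pool rather than the public IPs.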
The combination of CARP, pfsync, and our configuration synchronization provides high availability functionality. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. The pfSense software also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
The firewall’s state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
Multi-WAN functionality enables the use of multiple Internet connections, with load balancing and/or failover, for improved Internet availability and bandwidth usage distribution.
Server Load Balancing
Server load balancing is used to distribute load between multiple servers. This is commonly used with web servers, mail servers, and others. Servers that fail to respond to ping requests or TCP port connections are removed from the pool.
IPsec allows connectivity with any device supporting standard IPsec. This is most commonly used for site-to-site connectivity to other pfSense installations, other open source firewalls (m0n0wall, etc.), and nearly all commercial firewall solutions (Cisco, Juniper, etc.). It can also be used for mobile client connectivity.
OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems.
PPTP was a popular VPN option because nearly every OS has a built in PPTP client, including every Windows release since Windows 95 OSR2. However, it’s now considered insecure and should not be used.
The pfSense software offers a PPPoE server. A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.
Reporting and Monitoring
DHCP Server and Relay