Before you continue...
Truly turn-key solution
The PF Firewall Solution is a customized distribution of FreeBSD tailored for use as a firewall and router based upon an unmodified version of pfSense® CE. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability.
pfSense® is a registered trademark of Electric Sheep Fencing LLC.
Currently all PF Firewall appliances are installed with 2.3.4 Release.
Other versions can be offered upon request.
PF Firewall includes most of the features available in expensive commercial firewalls, and more in many cases.
Below is a list of features of the currently installed release. All of these things are possible in the web interface, without touching anything at the command line.
- Stateful inspection firewall
- Granular control over state table
Network Address Translation (NAT)
Network address translation (NAT) is a methodology of modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another. More information can be found in this wiki.
- Port forwards including ranges and the use of multiple public IPs
- 1:1 NAT for individual IPs or entire subnets.
- Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used.
- Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules.
- NAT Reflection - NAT reflection is possible so services can be accessed by public IP from internal networks.
LimitationsPPTP / GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. PPTP is insecure and should no longer be used.
Traffic shaping (also known as "packet shaping") is the control of computer network traffic in order to optimize or guarantee performance, lower latency, and/or increase usable bandwidth by delaying packets that meet certain criteria. More specifically, traffic shaping is any action on a set of packets (often called a stream or a flow) which imposes additional delay on those packets such that they conform to some predetermined constraint (a contract or traffic profile).For more information on pfSense trafficshaping capabilities see PFSenseDocs.
Captive Portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal.
- Maximum concurrent connections - Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
- Idle timeout - Disconnect clients who are idle for more than the defined number of minutes.
- Hard timeout - Force a disconnect of all clients after the defined number of minutes.
- Logon pop up window - Option to pop up a window with a log off button.
- URL Redirection after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.
- MAC filtering - by default, pfSense filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.
Authentication options - There are three authentication options available.
- No authentication - This means the user just clicks through your portal page without entering credentials.
- Local user manager - A local user database can be configured and used for authentication.
- RADIUS authentication - This is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate from Microsoft Active Directory and numerous other RADIUS servers.
RADIUS capabilities o Forced re-authentication
- Able to send Accounting updates.
- RADIUS MAC authentication allows captive portal to authenticate to a RADIUS server using the client's MAC address as the user name and password.
- Allows configuration of redundant RADIUS servers.
- HTTP or HTTPS - The portal page can be configured to use either HTTP or HTTPS.
- Pass-through MAC and IP addresses - MAC and IP addresses can be white listed to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal. You may wish to exclude some machines for other reasons.
- File Manager - This allows you to upload images for use in your portal pages.
- Voucher support
- Multi-interface capable
- Multi instance Captive Portal
- Multiple Captive Portal RADIUS authentication sources (e.g. one for users, one for cards)
Limitations"Reverse" portal, i.e. capturing traffic originating from the Internet and entering your network, is not possible.
Only entire IP and MAC addresses can be excluded from the portal, not individual protocols and ports.
802.1Q VLAN support
VLANs are virtual LAN segments of a managed switch, and when pfSense is plugged into a trunk port it can utilize VLANs to have multiple virtual interfaces, one for each available VLAN. In this manner, you can have pfSense talk to a large number of networks without the need for more physical interfaces.More information about VLAN's in pfSense is available in the PFSenseDocs.
Virtual Private Network
A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.pfSense® offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP:
More information can be found in this wiki.
IPsec allows connectivity with any device supporting standard IPsec. This is most commonly used for site to site connectivity to other pfSense® installations, other open source firewalls (m0n0wall, etc.), and most all commercial firewall solutions (Cisco, Juniper, etc.). It can also be used for mobile client connectivity.
OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems. See the OpenVPN website for details on its abilities.
PPTP is a popular VPN option because nearly every OS has a built in PPTP client, including every Windows release since Windows 95 OSR2. See this Wikipedia article for more information on the PPTP protocol. The pfSense PPTP Server can use a local user database, or a RADIUS server for authentication. RADIUS accounting is also supported. Firewall rules on the PPTP interface control traffic initiated by PPTP clients.
LimitationsBecause of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients cannot use the same public IP for outbound PPTP connections. This means if you have only one public IP, and use the PPTP Server, PPTP clients inside your network will not work.The work around is to use a second public IP with Advanced Outbound NAT for your internal clients. See also the PPTP limitation under NAT on this page.
Dynamic Domain Name System
Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames, addresses or other information. For more information see this wiki.
A Dynamic DNS client is included to allow you to register your public IP with a number of dynamic DNS service providers.
- Custom - allowing defining update method for providers not specifically listed here.
- Route 53
- A client is also available for RFC 2136 dynamic DNS updates, for use with DNS servers like BIND which support this means of updating.
- Dynamic DNS
The Common Address Redundancy Protocol or CARP is a protocol which allows multiple hosts on the same local network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, especially when used with firewalls and routers. In some configurations CARP can also provide load balancing functionality. For more information see this wiki.
CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active.
pfSense® includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
Synchronized State Table
pfsync ensures the firewall's state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
LimitationsOnly works with static public IPs, does not work with stateful failover using DHCP, PPPoE, or PPTP type WANs
- Hardware failover
Load balancing is a computer networking method for distributing workloads across multiple computing resources, such as computers, a computer cluster, network links, central processing units or disk drives. Load balancing aims to optimize resource use, maximize throughput, minimize response time, and avoid overload of any one of the resources. For more information see this wiki.
Load Balancing Outbound
Outbound load balancing is used with multiple WAN connections to provide load balancing and failover capabilities. Traffic is directed to the desired gateway or load balancing pool on a per-firewall rule basis.
Inbound Load Balancing
Inbound load balancing is used to distribute load between multiple servers. This is commonly used with web servers, mail servers, and others. Servers that fail to respond to ping requests or TCP port connections are removed from the pool.
- Load Balancing Outbound
DHCP Server and Relay
The Dynamic Host Configuration Protocol is used by computers for requesting Internet Protocol parameters, such as an IP address from a network server.
The protocol operates based on the client-server model. For more information take a look at this wiki.
- pfSense® includes both DHCP Server and Relay functionality.
Reporting & Monitoring
The RRD graphs in pfSense maintain historical information on the following:
- CPU utilization
- Total throughput
- Firewall states
- Individual throughput for all interfaces
- Packets per second rates for all interfaces
- WAN interface gateway(s) ping response times
- Traffic shaper queues on systems with traffic shaping enabled
Real Time Information
Historical information is important, but sometimes it's more important to see real time information.
SVG graphs are available that show real time throughput for each interface.
For traffic shaper users, the Status -> Queues screen provides a real time display of queue usage using AJAX updated gauges.
The front page includes AJAX gauges for display of real time CPU, memory, swap and disk usage, and state table size.
- RRD Graphs
pfSense® is equiped with a package manager that gives you access to many additional features, such as:
- VOIP, through the Freeswitch package
- Intrusion detection with the Snort package
- High Availability package
- Internet Proxy, uses the Squid package
- and many more...
Note / Limitations regarding packagesSome packages require a hard drive to work properly, this includes all packages that require to write to the drive, such as a proxy.
Packages can complicate upgrading as they may be depended on a specific version (more on upgrading can be found here).
Most packages can be installed on a Flash Based version, but we recommend to use a flash storage of minimal 1GB.
For information about pfSense® CE see www.pfsense.org
High quality enclosure, build with the best materials available.
Our 19" rack enclosure is a durable 1U powder coated rack mountable enclosure, especially designed and build for our OPN line of open source appliances.
|Name||PF Firewall Quad Core Gen4 10GB SSD|
|Country of Origin||The Netherlands|
|Dimensions [W x H x D]||485mm x 44mm x 359mm|
|Firmware||based upon pfSense® CE|
|CPU||Intel® Xeon™ E3-1225V5 3.3Ghz Quad Core|
|Storage||128Gb Solid State Drive|
|Ethernet ports||8x GbE [Intel® I210-AT], 2x Intel® X710-BM2|
|Remote Management port||optional IPMI|
|Total Firewall Throughput||~18000Mpbs|
|Maximum packets per second||~1.500.000 PPS|
|Maximum Port to Port Throughput||~9400Mbps|
|Maximum VPN Throughput||IPsec: ~470Mbps (AES256) OpenVPN: ~550Mbps (AES256) / ~640Mbps (AES256+LZO) all with single tunnel|
|Maximum Concurrent Sessions||3.000.000|
|Maximum VLANS||4093 [above 50: GUI restrictions may apply]|
|Power Supply||Integrated with standard 3-pin C14 socket, AC 100~240V@50Hz~60Hz|
|Regulatory Compliance||FCC part 15 Class A, CE, Rohs|
|Storage & Operating conditions||Operating: 0 to +45°C / 10 to 90% r. H. non cond., Storage: -20 to +70°C / 10 to 90% r. H. non cond.|
|Package Content||19" rack appliance, Matching powercord, Configuration cable, Quickstart guide|