Overview

pfSense Plus software is the world's leading price-performance edge firewall, router, and VPN solution, with over seven million installations used by homes, businesses, government agencies, educational institutions and service providers.
HIGH AVAILABILITY: As of 24.03, pfSense Plus supports High Availability (HA) configurations across both AWS zones and regions, with seamless settings and configuration synchronization ensuring enterprise-grade, consistent performance. See the pfSense Plus on AWS documentation and the HA blog at Netgate.com.
PRICING
For Private Offers on multiple instances, 2 & 3 year options, please reach out to sales@netgate.com. Save an additional 10% over the annual discount with a Private Offer.
No hidden fees for features or functions. No arbitrary licensing fees. No artificial user limitations. Just unparalleled ROI and TCO.
FEATURES
Firewall: Stateful packet inspection, GeoIP blocking, Anti-spoofing, Captive portal guest network, Time-based rules, Connection limits, NAT mapping (inbound/outbound)
Router: Policy-based routing, Concurrent IPv4/v6 support, Configurable static routing, IPv6 network prefix translation, IPv6 router advertisements, Multiple IP addresses per interface, PPPoE server
Attack Prevention: IDS/IPS, Snort-based packet analyzer, Layer 7 application detection, Multiple rules/sources/categories, Emerging threats database, IP blacklist database, Pre-set rule profiles, Per-interface configuration, False positive alert suppression, Deep packet inspection (DPI), Application blocking
VPN: IPsec, OpenVPN, WireGuard, Site-to-site and remote access VPN, SSL encryption, VPN client for multiple operating systems, L2TP/IPsec for mobile devices, IPv6 support, Split tunneling, Multiple tunnels, VPN tunnel failover, NAT support, Automatic or custom routing, Local user authentication or RADIUS/LDAP
Reverse Proxy and Load Balancing: HTTP and HTTPS proxy, high availability, load balancing, and proxying for TCP, HTTP and HTTPS-based applications.
Network Services: Dynamic DNS, DHCP Server, DNS Forwarding, DNS Filtering
Management: GUI, full suite of configuration, user authentication, system security, resilience/reliability, and system reporting/monitoring features
See the full feature list here: https://www.netgate.com/solutions/pfsense-plus/
ABOUT NETGATE
Netgate is the company behind the pfSense project and the only official source for pfSense Plus and Community Edition (CE) software. As the primary contributors, our developers work hard to provide the best firewall security technology for your cloud infrastructure.
Highlights
- The leading open-source driven firewall, router, and VPN (OpenVPN/IPsec/WireGuard) solution for network edge and cloud secure networking.
- Over seven million installations protecting homes, businesses, governments, educational institutions and service providers.
- Made possible by open source technology. Made into a robust, reliable, dependable product by Netgate.
Pricing
Dimension | Cost/hour |
---|---|
m7g.large (Recommended) | $0.34 |
m6g.xlarge | $0.45 |
m7g.xlarge | $0.45 |
m7gd.large | $0.34 |
c7g.2xlarge | $0.56 |
c6g.2xlarge | $0.56 |
c7g.xlarge | $0.45 |
c6g.xlarge | $0.45 |
c7g.large | $0.34 |
c6g.large | $0.34 |
Vendor refund policy
Annual subscriptions may be canceled for a full refund within 48 hours of purchase
Delivery details
64-bit (Arm) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Additional details
Usage instructions
An instance may be managed via SSH or HTTPS. Most system configuration can only be adjusted via the HTTPS interface.
To access the instance via SSH, log in as the admin user using the SSH key associated with the instance, e.g. run the command 'ssh -i my_aws_rsa_key admin@instance_host_name'. Substitute the file in which your private SSH key is stored for my_aws_rsa_key and the hostname of the instance for instance_host_name.
To access the instance via HTTPS, use a web browser and type admin for the account name. The password can be set to a value of your choice when you start the instance by setting a value of the form 'password=your_desired_password' in the "User Data" field of the "Advanced Instance Options" section of the launch screens. If you don't set a password, a random password will be set. The random password can be viewed by choosing Get System Log from the Actions menu for the instance.
To set a password during the creation of an instance: on the "Configure Instance Details" screen, expand "Advanced Details". Make sure "As text" is selected for "User data". In the "User data" field, enter a password of the form 'password=your_desired_password'.
Support
Vendor support
Get expert technical support via email, portal, or phone with a four (4) or 24-hour initial response SLA from the Netgate Technical Assistance Center (TAC). Learn more about our support options at
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Meets our needs, and it's highly flexible and cost-effective
What is our primary use case?
I usually use it on premises, and I use it for different purposes. I use it for network security for my infrastructure, and I use it for my web servers and data servers that are on-premises.
My main use cases for Netgate pfSense are proxy servers and IDS/IPS, blocking ads, clearing the network for adware and malware, and monitoring the network flow.
How has it helped my organization?
As an open-source solution, Netgate pfSense is highly flexible because a person with kernel-level or code-level experience can control the firewall as per their requirements, and there are multiple packages and tools readily available to integrate with Netgate pfSense. In the IT industry, most of the tools can be integrated with pfSense.
Adding packages to Netgate pfSense is very easy. I just need to search for the required package and then install and configure it.
Netgate pfSense has a very intuitive dashboard. The information is readily available on the dashboard.
Netgate pfSense has routing facilities that help minimize downtime while having multiple internet connections. If one bandwidth goes down, it automatically diverts to the other.
Netgate pfSense helps prevent data loss by monitoring data transactions and network protocols, allowing us to block certain amounts of data and implement policies to reduce malware and firewall threats.
What is most valuable?
From my perspective, the best feature of Netgate pfSense is the load balancer, as I usually take multiple internet connections. I can use both internet providers' bandwidth as a single network bandwidth, which helps in a very smooth network traffic flow. Netgate pfSense has a very interactive and intuitive dashboard that provides all the major and informative information that is readily available.
Netgate pfSense has positively impacted my organization because when we look at other firewalls or alternatives, they are costly.
What needs improvement?
For my requirements and use cases, it is sufficient for me, and I have never faced a need for additional features. AI would always be a plus point, and if pfSense could change its framework from FreeBSD and PHP to a different language and Linux OS, that could enhance security.
For how long have I used the solution?
I have been providing services for network solutions and network security, and I have been using Netgate pfSense for almost four to five years.
What do I think about the stability of the solution?
Netgate pfSense is definitely stable; I've multiple sites using it, and they are live right now. I've at least 20 sites operational.
What do I think about the scalability of the solution?
It is a scalable product. I would rate its scalability a seven out of ten.
How are customer service and support?
I have never used the services of Netgate, but I can rate the product itself as a 10 out of 10 because it has been very helpful to me.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have previously used Fortinet and Sophos. The major reason I switched from Fortinet and Sophos to Netgate pfSense was to mitigate the financial aspect, as those alternatives were costing us lakhs.
How was the initial setup?
Deploying Netgate pfSense is very easy because I used to deploy it on my personal hardware. Whatever spare hardware I have, I install it directly on that. Installing and configuring it is very easy for me.
I deploy Netgate pfSense for various companies. There are many startups in India that require a cost-effective solution that allows them to use their hardware and provide basic security.
Deploying infrastructure for a new company takes me approximately one day, unless there are separate requirements to configure, such as creating usernames and passwords for each user, which may take two to three days.
What about the implementation team?
I do everything in-house by myself. I am the only person involved in the deployment.
What was our ROI?
I have seen a return on investment with cost savings after implementing Netgate pfSense, as other firewalls would cost me lakhs of rupees while pfSense is free.
What's my experience with pricing, setup cost, and licensing?
Everything we need is covered in the free version of the open-source pfSense. I have never used the licensed version or required certified partner help to implement or deploy anything.
If we are not purchasing any support or incurring any Netgate costs, the total cost of ownership for Netgate pfSense is zero, as it is freely available to download and install, requiring only hardware for deployment.
The cost of other firewalls goes to thousands and lakhs of rupees compared to pfSense, which costs zero. If we opt for Fortinet, it costs about one lakh thirty thousand Indian rupees for the firewall, and then it costs up to almost fifteen to twenty thousand annually for the user subscription. With Netgate pfSense, all those things get covered at zero cost.
Which other solutions did I evaluate?
I did not evaluate any other options aside from Netgate pfSense because it was the only solution I could find that effectively met my needs. It works for our use cases.
What other advice do I have?
In terms of data-driven decisions, there is a package that can help me understand each and every packet and time. I have not gone through that avenue yet, but it allows us to get all the data for data-driven decisions.
There is a paid feature to increase performance, but there are multiple tweaks available in the advanced settings that can help increase bandwidth or usability based on requirements.
I have not used pfSense Plus on Amazon EC2 VMs because there was no requirement.
I would rate Netgate pfSense a ten out of ten.
Enables us to build cost-effective and customized solutions for our customers
What is our primary use case?
We have been building local firewall systems since 2008.
The main use cases for Netgate pfSense are its exceptional stability and reputation as a premier network operating system worldwide. Millions of people are using it, and we have rolled out a new hotspot system that works from the cloud. The service is running under the pfSense portal.
How has it helped my organization?
Netgate pfSense impacts our organization positively because it's open source and has a free edition, which helps us significantly in building our own systems for our customers. It helps in building a new firewall system for the Turkish market. It helps us substantially.
What is most valuable?
Netgate pfSense's best features are that it's open source and flexible. We have implemented IPsec VPNs, site-to-site VPNs, and client-to-site VPNs.
What needs improvement?
We appreciate the flexibility of the Netgate pfSense solution, but we have waited approximately two years for new updates to the Community Edition. We are now moving to OPNsense.
I appreciate Netgate pfSense because we have been using it for approximately 18 years, which is a considerable amount of time. We are waiting for pfSense to integrate AdGuard, Pi-hole, or Zenarmor directly into the pfSense kernel. When I install packages, such as Snort or OpenVPN client export tool, I need to install AdGuard or Zenarmor because it's very challenging to ban TikTok, YouTube, or social media for our customers. In the early days, we managed this using SquidGuard, but since the blacklist has changed, we are struggling. There are many other blacklists I have tried, but I couldn't make them work. It has to be much easier for engineers to implement this. It's easy to integrate AdGuard into OPNsense; it becomes a function under the firewall. You can easily switch blacklists on and off, and create custom blacklists to block all social media with a toggle. We would appreciate such facilities in pfSense as otherwise, we have to manually enter all the websites, DNS resolver, and DNS overrides. Writing numerous rules on the LAN side during installation takes considerable time.
For how long have I used the solution?
We have been using Netgate pfSense since 2008.
What do I think about the stability of the solution?
Netgate pfSense is a stable solution for me.
What do I think about the scalability of the solution?
It's a scalable solution. Two months ago, I purchased a brand new server edition, a Lenovo ThinkSystem server with 128 GB RAM. I installed this pfSense server in a data center, and it's working fine. Many people connect via VPN; three or four sites are connecting site-to-site, and we also established another IPsec connection to one of the biggest ISPs in Turkey. It's working great now.
How are customer service and support?
We have never asked for technical support from Netgate. We rely on the resources on the web for information.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Two months ago, we switched to OPNsense, and we are now studying OPNsense. We made a strong decision to switch to OPNsense because of the large solutions. There are many facilities, such as AdGuard and Zenarmor, which can be easily installed under OPNsense. We are studying OPNsense, and we will likely switch to OPNsense in 2025 because we are still waiting for a stable version of pfSense. 2.7.2 is very old, and we have switched to the 2.8 beta version, but we are still making our tests now.
Since we have been using pfSense for almost 18 years, we have learned extensively about Netgate pfSense. We have worked extensively and watched many educational videos from the United States, and we have made ourselves ready for pfSense. If one understands the system, it's easy to handle, but without knowledge, it's very challenging for everybody. Many people try to work with pfSense in Turkey with the free edition, the Community Edition, but they couldn't succeed because it's a complex system. It's a vast ocean, and understanding every protocol is necessary. Basically, all firewall systems are the same. Brands such as Cisco, FortiGate, and Sophos sell well in Turkey, and we are competing with these companies. Our target market is the small market, not the big companies or holdings, especially in the hospitality sector, where we deal with hotels and motels.
We would appreciate seeing facilities similar to OPNsense for Community Edition. In Turkey, people generally don't want to pay for yearly subscriptions to firewall systems. We barely recouped our investment for our Safe Hotspot system in Turkey. Competing with other brands such as Sophos, FortiGate, and Cisco is challenging. These brands also require annual payments, and due to Turkey's economic conditions, everyone is eliminating such costs. We have produced our hardware for pfSense, but it was not Netgate; it was only pfSense in the early days. We made our own rack mount 5 or 8 port firewall systems in Turkey and sold many.
How was the initial setup?
The initial setup of Netgate pfSense is not complex; it's very easy. I can even have one of our resellers burn a pfSense USB stick and install pfSense without knowing anything about it.
What's my experience with pricing, setup cost, and licensing?
Because the Community edition is free, we only charge for our services to the customers. In Turkey, we cannot demand normal pricing; if we were in Europe or the United States, we might collect more money from customers. The conditions in Turkey are very challenging, and collecting payment is difficult. We often charge half or one-third of the price compared to Europe.
We would like to buy Netgate hardware, but when I checked its price in Europe, it seemed expensive.
What other advice do I have?
I would rate Netgate pfSense a 10 out of 10.
Enables bandwidth control for each user, and it's free and easy to use
How has it helped my organization?
I prefer this product because it is open source. Another thing is that it is Unix-based, so it is not affected by viruses or attacks. Support is also available.
With the right hardware, its VPN capabilities and performance are amazing.
What is most valuable?
From my usage, controlling the bandwidth for each user is valuable. Also, the availability of working as a backup or aggregating downloads is useful. All these capabilities are key.
Its interface is simple and easy.
What needs improvement?
Maybe they can add two-factor authentication.
For how long have I used the solution?
I have been working with this solution for almost four to five years.
What do I think about the stability of the solution?
It is very stable. I would rate it a ten out of ten for stability.
What do I think about the scalability of the solution?
It is scalable. I would rate it a nine out of ten for scalability.
We have 60 to 65 users.
How are customer service and support?
I have not taken any technical support from Netgate. I was able to get all the information from the web or Netgate forums. I did not use their technical support because it is an open-source and free edition.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I used OPNsense. Using the module for controlling the bandwidth for the users in OPNsense required payment. There was also a subscription, and I dislike subscribing to any service.
How was the initial setup?
It was not complex. It was straightforward. They had a wizard with ten steps. I just had to fill in the information.
It took me about 45 minutes to be completely up and running with my configuration.
What about the implementation team?
There were no third parties involved. It was implemented on-site.
What's my experience with pricing, setup cost, and licensing?
I am using the free version.
What other advice do I have?
I would recommend pfSense to others. It is free. Overall, I would rate it a nine out of ten.
The user interface and the ability to import configs make it powerful
What is our primary use case?
I use pfSense as a home router firewall on enterprise equipment purchased from eBay. I utilize it for personal interests and not in a professional IT capacity, mainly for home setups and maintaining VPNs to family members.
How has it helped my organization?
It is very easy. An enterprise person who has been doing this all day long will find it as easy as a command line if not easier than the command line. I would prefer not to have to set up another server to monitor my links and everything else. I like that I can go into my one dashboard. It is all running on that one box. I am happy. A large enterprise will have monitoring services, so this might not be as critical for them. For small and probably medium-sized businesses, having the user interface and being able to import configs is very powerful, but it is probably a mixed bag for larger companies that already have services and other things, and GUI does not matter to them.
It provides a single pane of glass. When I come in, I can immediately look at my gateways, link connections, services, etc. It shows my DNS blocker, CPU usage, and memory usage. I can see that my gateways are online, what traffic graphs I have selected, and all my services are up. That is what I like about it. This is what I will miss if I go to VyOS. I know I will have to set something else up specifically to show me all the monitoring and make sure that I have that warm fuzzy that everything is working.
Being able to see in a single pane of glass what is happening makes it very easy for me to react and know what is going on. For example, I changed some tunnels to my family in upstate New York. I am down in Philadelphia. We were having some connection issues, and through its interface, I was able to easily identify the issue. I had a tunnel configured wrong and changed some settings, and we were back up in ten minutes.
What is most valuable?
Its ease of use is great. If I do not continue forward with pfSense, it would be going to VyOS, which is all command line. pfSense's user interface is very nice for simpler configs and monitoring. It is very stable, and it works very well. Flexibility is great, and the plug-in model is very nice for pfBlocker and other things. It is a very robust solution that works very well.
What needs improvement?
They could do better with their licensing in the home use space. For me, that has been a struggle.
I got three pfSense Plus licenses when they were giving them away to the community for free because pfSense decided that they do not enable the QAT. They do not enable the network acceleration function that is on the Intel Atom CPUs and some of the Xeon D's in the Community edition. IPSec acceleration and OpenVPN acceleration do not work on those smaller boxes because it is going to use the CPU, so I got the three licenses, which worked well. It was all good, but they decided to take that away and are charging $129 a year. Somebody savvy like me is going to pay for it. I will pay for it for myself, but I also maintain the routers of my parents, my mother-in-law, and a friend. I have IPSec tunnels to them, and they need the acceleration technology that is disabled, but they are not willing to pay $129. I wrote to the Netgate salesperson asking to consider a model with a $60 per year subscription because they are putting a barrier on themselves. They have abandoned the Community edition. There has not been an update in a year, but then you hear that they are contributing. They are making updates, but they have not released it. There is an opportunity to make more money in the home user space if they change their licensing model.
The other little hiccup that I see with it is they have it tied to MAC addresses. It generates a license based on the MAC address. If you change any MAC address, you have to issue a new license. They were nice about it for me when they did a one-time change for me, but if I put another Ethernet adapter in the box, it says it needs another license. They should work on that. It seems they are going to change this.
For how long have I used the solution?
I have probably been using it for more than a decade at this point.
What do I think about the stability of the solution?
My instance has been up for over two years without a reboot, so it is very good.
What do I think about the scalability of the solution?
It is a mixed bag because I have had 1 gig symmetrical Internet. I have 2 gigs now. As you get further up the stack, it is going to get worse. I do not have options past 2 gigs. I have 25 gigs between some servers. I have 10 gigs with a lot of machines. They have their TNSR project that sits at a thousand dollars a year, but I cannot even try that. They have entirely removed the Community edition for that, but it has been great with 2 gigs and 1 gig.
How are customer service and support?
They are super fast, super nice people, and very accommodating. The quality of support is great. They are better than I would have expected them to be. I would rate them a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, I have mainly used VyOS, Cisco ASA, OPNSense, and Fortinet.
Cisco ASAs are very nice. They compare very well, and they have their single pane of glass. They have GUI and no license fees yearly. Netgate will say the same thing. If you buy their hardware, you get the license for free, but they triple the price of a new piece of equipment.
How was the initial setup?
The initial setup is not easy right now because I have to put my email in, and they send me a link. I would prefer to have separate images for the Community and Plus editions.
When you go to the installer, it asks you if you want Plus. You have to put a valid license in to get it to install Plus. In my situation, all three of my Plus licenses have expired, and they all continue to work. If I need to reinstall that on a new box, I can only install the Community edition. When I boot it up, I cannot import my config because my config is from Plus. For me, it would make more sense if I could download and install a Plus image, and it gives you a 24-hour period to put in a license and have it activated. Something to that effect would make it easier because I cannot imagine I am the only person who has had this issue.
What's my experience with pricing, setup cost, and licensing?
The licensing model needs improvement, especially for home users. There should be more flexibility to change licenses with hardware changes. The pricing model could be more accessible for home users.
The license is locked to a specific device. There are other services where you can buy a pfSense, and you get that license for a year. You can put it on any single device, and it moves with you. I do not want to have to call them to get the license changed. I would prefer that when I put it on a new device, they know it is registered to this new device. It is not on the old one. They should handle licensing differently for home users. They should try to differentiate it from enterprise.
There should be a cheaper tier of pfSense Plus for home users. They need to improve the pricing for a home user. They can look at the numbers. They know how many installs they have.
What other advice do I have?
I would rate it an eight out of ten. It is a great product, but they have sold it in a way that does not align with the way I need to use it or the people that I have it with are going to use it. It practically does not make sense versus what else is out there. VyOS is free. Its Community edition is free, and they update their Community edition first. It is the opposite of what pfSense is doing. They are updating the Plus edition first and the Community edition comes second.
Combines multiple functions into one device and provides the performance I need
What is our primary use case?
I have Netgate 4100 and pfSense Plus.
My career is in IT, and Netgate is part of my home network, which does hot failover between two ISPs because I work from home a lot and do not want to be disconnected. It handles all my home security, manages remote access to my systems when I am abroad, and hosts some services such as health checks from Route 53, WireGuard, etc.
How has it helped my organization?
I was able to see its benefits immediately. One issue it helped me solve was that I was hitting bandwidth caps from one ISP and did not understand why. It turned out that the ISP was counting all return traffic from outsiders probing my home network. They would find my Linux device and see that there was an open SSH port, and they would hammer at it. This generated an enormous amount of traffic. Installing pfSense allowed me to detect it accurately and shut down this traffic.
It is hard to say if pfSense helped prevent data loss in any way, but unauthorized access to my network and the data I have on my network from the outside is not feasible now.
I can do all the things I want to do from the device. I do not have to set up services on other hosts. I do not have to have any other UI in place. I can just go to pfSense and do all the things I need. The slight caveat to that is that I am not operating AWS or GCP from pfSense. I have set up my health check from Route 53. I have set a couple of very simple things in AWS, but I do the rest of the things from pfSense. It is pretty close to a single pane of glass.
I use pfSense Plus and found pfSense Plus to be more robust than the Community Edition. Any network device needs occasional prophylactic reboots. The frequency of issues, such as the tables being all dirty or memory being scrambled, has significantly reduced with pfSense Plus. The hardware has considerably improved. Because I was running Community Edition on an older Netgate, it is difficult to understand where I am getting the improvement from, but pfSense Plus has certainly been a lot more robust. I have fewer instances where one of the interfaces just stopped working. That used to happen with Community Edition fairly regularly. I have not had that trouble at all here. Upgrades have been a lot smoother. They are down to just a reboot, whereas, with Community Edition, I had to regularly wipe the device, reinstall the operating system on pfSense, and load in my configuration from backup, which I was able to do and usually worked. I spend a lot less time in system maintenance using pfSense Plus than with Community Edition.
Its out-of-the-box performance meets my needs. When I wonder whether my network is a little sluggish, I am able to go in and find out things, such as one of my ISPs being dropped out of my load balancing config because of too many latent pings. It has been very useful and easy to do those sorts of things.
What is most valuable?
It is very flexible. I have not found a use case that I could not satisfy with the device. There are more use cases I am not currently using. For instance, I do not have an HA setup. I use it for my internal home DNS and DHCP services and to split the VLANs so that I have Internet of Things and guest VLANs. I trust the device's VLAN. It helps me deny traffic from large areas of the world that do not need to interact with my firewall.
With such solutions, there is always a learning curve, but with enough foundation, I have never found that curve very hard to climb. Whenever I have tackled a new thing, a little bit of searching on the web and playing with the UI has always gotten me where I wanted to be.
What needs improvement?
It is best practice to remove all installed packages before you do an upgrade because most upgrade failures have to do with having installed packages. These are additional packages that supply functionality above and beyond what comes in the base operating system. We have to remove them one at a time. I would prefer being able to click a button that says, "I am upgrading, so uninstall everything and store in the configuration file what I had installed." It already keeps the configuration of all the packages installed. Even if I do not install them again, the configuration for those packages is still there after the upgrade. It would be very nice to have a one-click feature. There can be a check flag on the upgrade screen to remove packages first and then another check flag to reinstall them after the upgrade. This would be extremely handy, particularly when I have a lot of packages. It takes me about 15 to 20 minutes to uninstall and reinstall them all after the upgrade.
A couple of weeks ago, I would have had another area for improvement, even though it was outside their purview. They are switching DHCP providers from ISV to something, but it did not have a feature I wanted, which was client hostname registration for statically served IP addresses. I rely on this for host management inside my trusted network, but that feature has been released now, so I feel more comfortable moving to the new DHCP version they support.
For how long have I used the solution?
I have used the solution for at least seven years.
What do I think about the stability of the solution?
Since operating Netgate 4100 and pfSense Plus, anytime I wondered if the device itself was laggy, it was not the device. It was something upstream causing the issue. I have an HA configuration and a load balancer, so if one of the links goes down, the device gets a little laggy as it drops that interface and brings up the other one as the primary. If the ISP is flapping, this will happen continuously, introducing a lot of network lag, but that is trivial now that I understand what is happening. As soon as I start feeling lag, I check the logs to see if that is the cause. The device itself has not ever been latent or lagging. It has been rock solid.
What do I think about the scalability of the solution?
I found it very scalable. I am out of ports on my device because of having multiple ISPs and VLANs. I do not have an HA setup, so the device scaled very well for my needs personally. When we deployed an HA pair in a professional situation, we had a much larger network, and it scaled to cover that easily.
How are customer service and support?
I have only contacted them to get a download of the operating system image ahead of any upgrade attempt just in case I needed to start from scratch.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have used a number of different solutions. I have used firewall software and hardware of all kinds, both professionally and personally, reaching back to the early 2000s.
How was the initial setup?
The initial deployment was done many years ago. I remember it being pretty straightforward back then. One of the things I enjoyed about the device is that the configuration file is like the starter batter where someone gives you a lump of yeast and dough pinched from someone else's.
I have been able to roll my configuration file forward every time I switched devices or operating systems. This has made it a lot easier to maintain the device. Even when I had to completely wipe the machine and start over, it was pretty trivial in almost all cases. It has certainly been a lot easier since I started using pfSense Plus to get my configuration back up and running again.
What's my experience with pricing, setup cost, and licensing?
When I ran an IT shop a few years ago, we had an off-the-shelf solution where years ago, somebody had built a firewall solution using a couple of rack-mount PCs and some open-source security package. It was a black box. Nobody around understood it anymore, and I needed to replace it. I went to look for hardware that my shop wanted to use, like Cisco, but the price was well out of our budget, so we went with a pair of HA Netgate devices and pfSense. That solved our problem. I thought it was a good price point for a good solution.
Their pricing is quite reasonable. It is very good. Every firewall is a router, but typically, in an enterprise situation, these are separate. My home is essentially a small office. My partner and I work from home a lot, and I am the system administrator, network administrator, and security administrator. The values are high because I am not maintaining two machines. I am not spending my own power on two different devices. For small office or home use, such as mine, pfSense is valuable because it combines multiple functions into one low-power device.
What other advice do I have?
I would rate pfSense a nine out of ten.