The solution's most valuable features are high availability and the VPN options. Netgate pfSense has the ability to support multiple interfaces and spin up virtual IPs.
What drew me to Netgate pfSense from the beginning is that it's free, open-source software. I wanted the solution for additional control over firewall routing, and there wasn't really anything else on the market that would do that.
Netgate pfSense is very flexible. I like that it can run on enterprise bare metal and Raspberry Pi. Obviously, Netgate has a lot of appliances ranging from extremely small to extremely large.
pfSense Plus is extremely low-cost. Its comparative features include high availability, the ability to tune system variables, and support for hundreds of interfaces.
It would be great for the solution to have better logs. Some of the solution's graphs that show visibility on system performance or session count lack resolution. For example, you may only be able to see the session count by day if you want to look back more than a month.
In contrast, we would want to see the session count fluctuate by an hour or five-minute increments. It would be helpful to be able to query larger data sets, even if you had to break them up into smaller subsets.
I have been using Netgate pfSense for seven years.
The solution's scalability is very poor past 5,000 clients and impossible past 10,000 clients.
I had a very poor experience with the solution's technical support.
I switched from Netgate pfSense to Fortinet. Scalability and high availability are significantly better with Fortinet. It took me about 10 to 15 hours to set up high availability in Netgate pfSense just because of the way it works with virtual IPs and CARP.
On the other hand, it takes about 15 minutes with Fortinet. It's just a completely different experience. Also, the performance availability for appliances is a thousand times better with some of the higher-end offerings at Fortinet versus the highest-end offerings that Netgate has.
The solution's initial setup is difficult because of the extensive setup it takes to achieve high availability.
In our case, it took us around 40 hours to fully deploy the solution from start to finish.
I think Netgate pfSense's TAC or support is a little expensive, considering how inexpensive everything else is. Netgate's most expensive appliance costs around $5,000. However, an annual subscription to TAC costs around $1,000, which is roughly 20% of what you pay for the hardware. It seems a little excessive.
I would say it's pretty easy to add and configure features to Netgate pfSense. However, if you add features that Netgate does not officially support, you can run into issues with your support contracts. It's easy to add features, but it's extremely difficult to support something that is not an official Netgate plug-in.
We saw the benefits of Netgate pfSense pretty immediately after deploying it. We have been scaling, though. As we got to a very large deployment across different sites, we started to see additional problems, but then we also saw additional value added. Initially, there's a lot of value, which increases over time, but eventually, you hit a wall where it's just not that valuable.
On the surface, it looks like pfSense Plus provides visibility that enables data-driven decisions. Unfortunately, after many back-and-forths with support, they say that it looks like the firewall has done something, but there's nothing in the log. There's no data to support their theories. On the surface, it looks like it should, but we found in practice that it was missing a lot of data that would help us make decisions that we needed to make.
The solution's total cost of ownership is good for what it is. I don't think I would ever use it in an enterprise environment anymore. As a value proposition, it's really good for a small business application or a company with multiple sites that you need to be able to interconnect.
You can set up an entire ecosystem for $ 5,000 to $ 6,000 with top-of-the-line hardware from Netgate. Unfortunately, with our user account, throughput, and bandwidth, we've just outgrown it and can't use it anymore.
We've bought appliances for Netgate pfSense's deployment, and we've also deployed the solution on separate machines. Most recently, we used the appliances.
Technically, we never got Netgate pfSense to a good solid state. For the four to six months we had it in production, it was constantly down and needed at least 20 hours of maintenance a week.
Overall, I rate the solution a six out of ten.
