pfSense® CE is a free, open-source distribution based on FreeBSD, customized to serve as a firewall and router. Besides being a powerful firewall and router platform, it includes a long list of packages that allow you to expand its functionality easily without compromising system security.
pfSense® CE is a thoroughly tested project which now has more than 1,000,000 downloads (as of the end of the first quarter of 2011) and countless installations around the world, ranging from home networks up to large companies, public organizations, ministries and universities.
pfSense® CE includes most of the features found in expensive commercial firewalls, and in many cases more. The following is a list of features currently available in the pfSense® CE 2.0 release. All of these things are possible from the web interface, without touching anything at the command line.
In addition to features, this page also includes all limitations of the system of which we are aware. From our experience and the contributed experiences of thousands of our users, we understand very well what the software can and cannot do. Every software package has limitations. Where we differ from most is that we communicate them clearly. We also welcome contributions that help eliminate these limitations. Many of the listed limitations are common to numerous open source and commercial firewalls.
The firewall's state table maintains information on your open network connections. pfSense® CE is a stateful firewall; by default, all rules are stateful.
Most firewalls lack the ability to control your state table finely. pfSense® CE has numerous features allowing granular control of your state table, thanks to the abilities of OpenBSD's pf.
PPTP / GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means that if you use PPTP VPN connections, only one internal machine can connect simultaneously to a given PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one at a time to any single server. The only available workaround is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.
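To make the limitation above concrete, here is an added model (not pfSense or pf code) of a NAT state table: TCP states are keyed on a freshly translated source port, while GRE states, which carry no port, are keyed only on (public IP, external server), exactly as the documented one-session-per-public-IP-per-server rule requires. All addresses are constructed sample values, and the multi-public-IP workaround from the text is modelled by trying each public IP in turn.

```python
"""Model of the PPTP/GRE state-tracking limitation described above.

Constructed example, not pfSense code.  Outbound NAT shares one public IP
among LAN hosts.  A TCP flow gets a unique translated source port, so its
state key stays unique per client.  GRE carries no port numbers, and the
documented limitation is one tracked session per public IP per external
server, so a second LAN host to the same PPTP server finds the key taken.
"""

PPTP_CONTROL_PORT = 1723   # PPTP control channel is TCP; the tunnel is GRE


class NatStateTable:
    def __init__(self, public_ips):
        self.public_ips = list(public_ips)
        self.tcp = {}          # (public_ip, src_port, server, dport) -> lan host
        self.gre = {}          # (public_ip, server) -> lan host
        self.next_port = 50000

    def open_tcp(self, lan_host, server, dport):
        """TCP: allocate a fresh translated port, so the key never collides."""
        self.next_port += 1
        self.tcp[(self.public_ips[0], self.next_port, server, dport)] = lan_host
        return True

    def open_gre(self, lan_host, server):
        """GRE: one state per (public IP, server).  Try each public IP in turn,
        which models the multiple-public-IP workaround named in the text."""
        for pub in self.public_ips:
            owner = self.gre.get((pub, server))
            if owner is None or owner == lan_host:
                self.gre[(pub, server)] = lan_host
                return True
        return False          # every public IP already has a session to server

    def pptp_connect(self, lan_host, server):
        """A PPTP session needs both the TCP control channel and the GRE tunnel."""
        return self.open_tcp(lan_host, server, PPTP_CONTROL_PORT) and \
            self.open_gre(lan_host, server)


def pptp_sessions(public_ips, pairs):
    """Count LAN hosts whose PPTP session to their chosen server is established."""
    table = NatStateTable(public_ips)
    return sum(table.pptp_connect(host, server) for host, server in pairs)


if __name__ == "__main__":
    lan = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # constructed LAN hosts
    print(pptp_sessions(["203.0.113.10"], [(h, "198.51.100.5") for h in lan]))  # 1
```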
CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense® CE also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall. pfsync ensures the firewall's state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
This only works with static public IPs; stateful failover does not work with DHCP, PPPoE, or PPTP type WANs.
Outbound load balancing is used with multiple WAN connections to provide load balancing and failover capabilities. Traffic is directed to the desired gateway or load balancing pool on a per-firewall rule basis.
Inbound load balancing is used to distribute load between multiple servers. This is commonly used with web servers, mail servers, and others. Servers that fail to respond to ping requests or TCP port connections are removed from the pool.
IPsec allows connectivity with any device supporting standard IPsec. This is most commonly used for site-to-site connectivity to other pfSense® CE installations, other open source firewalls (m0n0wall, etc.), and most commercial firewall solutions (Cisco, Juniper, etc.). It can also be used for mobile client connectivity.
OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems. See the OpenVPN website for details on its abilities.
PPTP is a popular VPN option because nearly every OS has a built-in PPTP client, including every Windows release since Windows 95 OSR2. See this article for more information on the PPTP protocol.
pfSense® CE offers a PPPoE server. For more information on the PPPoE protocol, see this entry. A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.
RRD Graphs. The RRD graphs in pfSense® CE maintain historical information on the following:
Historical information is important, but sometimes it is more important to see real-time information. SVG graphs are available that show real-time throughput for each interface. For traffic shaper users, the Status -> Queues screen provides a real-time display of queue usage using AJAX-updated gauges. The front page includes AJAX gauges displaying real-time CPU, memory, swap and disk usage, and state table size.
A Dynamic DNS client is included to allow you to register your public IP with a number of dynamic DNS service providers:
Captive portal allows you to force authentication, or redirection to a click-through page, for network access. This is commonly used on hotspot networks, but is also widely used in corporate networks as an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense® CE Captive Portal.