Hacker News
PfSense 2.2-Release Now Available (pfsense.org)
65 points by kossmac on Jan 27, 2015 | 33 comments


I'm a big fan of pfSense - heavy home remote worker user, it stays up and connects to multiple OpenVPN servers, routing their spaces for my network, runs a remote access server inbound, an IPv6 tunnel via Tunnelbroker, multiple static IPs, including straightforward outbound NAT for my Apple TV to access NBA League Pass games (since the NBA in its wisdom has decided that the Puget Sound should be blacked out for Portland games and that I can just "tune into CSN Portland").


I've previously used pfSense as the main router in offices on embedded hardware and in the data center on bare metal (for specific use cases). It's great. I recommend that anyone try this if you want low-cost performance without compromising on features.


We use it with about 30 offices, all connected via OpenVPN. 180 GB of transfer every day. No problems for months... Hell of a piece of software!


Curious why you chose OpenVPN for your site-to-site links. I use it extensively for mobile VPN users, but for an "infrastructure" VPN, I use IPsec, which I find to be a much superior solution for that use case than OpenVPN.


Not the OP, but I've found OpenVPN easier to configure, and performance to be adequate. In what ways have you found IPsec to be superior?


Well the #1 thing for me is that the majority of IPsec functions are in the kernel and don't require that a userland daemon be running (which OpenVPN requires). Beyond that, I've just found that, while a bit more arduous to configure initially, performance is far superior and stability is better than OpenVPN.

Beyond that, pretty much every router out there supports IPsec, so if you're needing to integrate with other non-pfsense hardware, IPSec is often your only option.


Maybe it's just one of those "feelings", but I think it's way more flexible... :)


Chris Buechler, the main developer, is also hands down one of the most approachable and friendly people I've ever met.


Is ARM support on the radar? There is more and more capable ARM hardware by the day, while x86 is not getting any cheaper.

I would be happy to try pfSense on something like BPI-R1 (dual-core 1 GHz Cortex-A7, Wi-Fi, etc., $69 for board)

http://www.aliexpress.com/store/product/Newest-arrive-BPI-R1...

http://www.bananapi.com/?layout=edit&id=59


MIPS is, I believe, planned first. Check out Netgate (the company behind pfSense); they already have development boards with MIPS.

A bigger upcoming feature is the bhyve hypervisor on pfSense :D


Worth noting that the Ubiquiti ERLite runs a MIPS board, but has TCP offload. It runs Debian current MIPS with Vyatta, and the web UI, while not as fully-featured as pfSense, is pretty usable. It still helps to be comfortable with CLI and Vyatta commands (very similar to Cisco IOS) for e.g. setting up L2TP VPN without an external RADIUS server.

I ran pfSense for years, and it does work great, but an x86 box running all the time just to do what a little 2-decks-of-cards box can do with 1/10th the power seems silly these days.

http://wiki.gentoo.org/wiki/MIPS/ERLite-3


Also worth adding that the ERL runs EdgeOS, which is actually a fork of Vyatta 6.3 with some added features and certain hardware accelerations. [1]

Vyatta was acquired by Brocade in 2012, after which the community edition was sidelined and the main product became closed source. Thankfully Vyatta core was forked in 2013 and re-branded as VyOS (free and open source) and is under active development. [2]

I've used pfSense in the past and VyOS currently and found both to be excellent.

[1] https://community.ubnt.com/t5/EdgeMAX/EdgeOS-vs-Vyatta/td-p/...

[2] http://vyos.net/wiki/Main_Page


How much power does the ERLite-3 use? I've run PCEngine APU (http://www.pcengines.ch/apu.htm) boards with pfsense and it's worked great with very minimal power usage. Although they are usually a bit more expensive than an ARM board.


I can't see any trace of MIPS products by Netgate. Are you sure? http://store.netgate.com/

It looks like ARM and MIPS support was on their radar almost 5 years ago https://blog.pfsense.org/?p=472 so I guess we should not get our hopes high yet.


PfSense is great, I've been using it for a few years. 2.2-RELEASE holds special significance to me, because I contributed a feature to this one :)


Great news. I've been running pfSense at home and work for the past few years, and it's been great. Very stable, easy to configure, and quick with security fixes.

A pfSense box with a Ubiquiti UniFi access point is a really good combo. Far more stable than a typical consumer router, and not necessarily much more expensive.


I run this exact same setup (pfSense-based Mini-ITX router and several UAP-ACs), and it works outstandingly. I had used DD-WRT for several years, but hacks kept piling up on top of hacks to keep things running on DD-WRT. When we moved to a larger house, we could no longer adequately cover the house from a single router/access point combo, so I took the leap and built a pfSense machine. I absolutely don't regret it. After getting it set up, it just works with minimal intervention.

With a little work, you can get the Ubiquiti controller software running on the actual pfSense machine itself. http://community.ubnt.com/t5/UniFi-Wireless/Tutorial-UniFi-3...


I tried running the Ubiquiti controller software on the pfSense box for a while, but it was a pain - it took 5-10 minutes to start up, and it was lost whenever I did a pfSense upgrade. I've found it much easier to just point the access points at a general-purpose server (on-site if available, or on a remote VPS that I have already).


The startup time was a weird combination of unifi/java/freebsd. I haven't seen it in some time.


Weird. Other than the startup thing (which is not a big deal for me because I leave it running), I haven't had any problems upgrading. A few months ago I went to 2.1.5 and pretty much everything just worked.


Minor upgrades were fine. It was a major one (2.0 to 2.1) that wiped it out for me. This was on the embedded version of pfSense - the full version might behave differently.

Otherwise, the upgrade was one of the smoothest I've ever had for this sort of thing.


I have the exact same setup. Works great.


I ran PfSense for a year or so... never could get the QoS working completely right and all the tutorials I found weren't the greatest.

Has anything changed with the QoS configuration?

I've since moved to an Untangle VM that has worked great... yes, the interface might be "dumbed down", but everything has been working excellently.


It's on FreeBSD 10.1 now. Nice.


PfSense and FreeNAS have really made me fall in love with FreeBSD all over again. It was my first foray into the ~*nix world, so lots of fond memories.


2.2-RELEASE also has a working 6rd implementation, so now I can finally use ipv6 :-)


You could have used it before with a gif tunnel. That's the way I've been doing 6rd on vanilla FreeBSD without any 6rd support.

edit:

Here's what you put in rc.conf

  # rc.conf is sourced by sh, so $MYIPv4, $THEIRIPv4, $MYIPv6 and $THEIRIPv6 must
  # either be set as shell variables earlier in the file or replaced with literals:
  # the local and remote IPv4 tunnel endpoints, and the IPv6 addresses on each end.
  cloned_interfaces="gif0"
  ipv6_activate_all_interfaces="YES"
  # Outer IPv4 tunnel endpoints: local address first, then the remote one
  ifconfig_gif0="tunnel $MYIPv4 $THEIRIPv4"
  # Inner point-to-point IPv6 addresses on the tunnel interface
  ifconfig_gif0_ipv6="inet6 alias $MYIPv6 $THEIRIPv6 prefixlen 128"
  # Default IPv6 route via the far end; 1280 is the IPv6 minimum MTU, so it is
  # always safe for the encapsulated path
  ipv6_defaultrouter="$THEIRIPv6 -mtu 1280"


Great! Thanks!


This does have one limitation -- you cannot reach other IPv6 addresses also using the same 6rd gateway. It just doesn't work without handling the full 6rd protocol. But if you just want IPv6 to the wider internet and don't care about connecting to other users on your ISP over v6 this is a reasonable solution.
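To make that limitation concrete, the following is an added Python example; it is not code from the comment above nor from pfSense or FreeBSD. It implements the 6rd address mapping from RFC 5969 with constructed documentation-range values (a 2001:db8::/32 6rd domain, a border relay at 198.51.100.1, our WAN address 192.0.2.1) and compares, per destination, where a real 6rd customer edge would send the encapsulated packet with where the single-endpoint gif tunnel from the rc.conf above sends it.

```python
import ipaddress
from typing import List, Tuple

# Constructed values for the demonstration (documentation ranges, not real ISP data):
# the ISP's 6rd domain prefix, its border relay (BR) IPv4 address, and our own WAN
# IPv4 address acting as the 6rd customer edge (CE).
ISP_6RD_PREFIX = "2001:db8::/32"
BORDER_RELAY_V4 = "198.51.100.1"
MY_WAN_V4 = "192.0.2.1"


def _check_mask(ip4_mask_len: int) -> None:
    if not 0 <= ip4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")


def sixrd_delegated_prefix(sixrd_prefix: str, ip4_mask_len: int,
                           customer_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 5969 mapping: append the CE's IPv4 address, minus the ip4_mask_len
    high-order bits shared by the whole domain, to the ISP's 6rd prefix."""
    _check_mask(ip4_mask_len)
    net = ipaddress.IPv6Network(sixrd_prefix)
    suffix_bits = 32 - ip4_mask_len
    suffix = int(ipaddress.IPv4Address(customer_ipv4)) & ((1 << suffix_bits) - 1)
    new_len = net.prefixlen + suffix_bits
    addr = int(net.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))


def sixrd_next_hop_ipv4(dest_ipv6: str, sixrd_prefix: str, ip4_mask_len: int,
                        customer_ipv4: str,
                        border_relay_ipv4: str) -> ipaddress.IPv4Address:
    """Where a full 6rd CE encapsulates a packet: straight to the other CE's IPv4
    address if the destination lies inside the 6rd domain, otherwise to the BR."""
    _check_mask(ip4_mask_len)
    net = ipaddress.IPv6Network(sixrd_prefix)
    dest = ipaddress.IPv6Address(dest_ipv6)
    if dest not in net:
        return ipaddress.IPv4Address(border_relay_ipv4)
    suffix_bits = 32 - ip4_mask_len
    shift = 128 - net.prefixlen - suffix_bits
    suffix = (int(dest) >> shift) & ((1 << suffix_bits) - 1)
    # The masked-off high bits are common to the domain, so take them from our own address.
    common = int(ipaddress.IPv4Address(customer_ipv4)) & (0xFFFFFFFF ^ ((1 << suffix_bits) - 1))
    return ipaddress.IPv4Address(common | suffix)


def static_gif_next_hop_ipv4(dest_ipv6: str,
                             border_relay_ipv4: str) -> ipaddress.IPv4Address:
    """A gif tunnel has one fixed outer destination ($THEIRIPv4 in the rc.conf above),
    so every IPv6 packet goes to the BR regardless of its destination."""
    return ipaddress.IPv4Address(border_relay_ipv4)


def compare_next_hops(dests: List[str],
                      ip4_mask_len: int = 0) -> List[Tuple[str, str, str, bool]]:
    """Per destination: (dest, static-gif next hop, full-6rd next hop, do they agree?)."""
    rows = []
    for d in dests:
        gif = static_gif_next_hop_ipv4(d, BORDER_RELAY_V4)
        real = sixrd_next_hop_ipv4(d, ISP_6RD_PREFIX, ip4_mask_len, MY_WAN_V4, BORDER_RELAY_V4)
        rows.append((d, str(gif), str(real), gif == real))
    return rows


if __name__ == "__main__":
    print("delegated prefix:", sixrd_delegated_prefix(ISP_6RD_PREFIX, 0, MY_WAN_V4))
    # An address on the wider Internet versus another subscriber in the same 6rd domain
    for row in compare_next_hops(["2001:4860:4860::8888", "2001:db8:c000:202::1"]):
        print(row)
```

The two next-hop functions agree for any destination outside the 6rd domain, which is why the static tunnel works for general Internet traffic; inside the domain they diverge, because 6rd derives the peer's IPv4 address from the destination IPv6 address per packet, which a fixed-endpoint gif interface cannot do. In a real deployment the 6rd prefix, IPv4MaskLen and BR address are handed out by the ISP over DHCPv4 option 212 (OPTION_6RD) rather than hard-coded as here.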


The tickets graph is impressive.


It still ships an outdated port of PF. Horrible. Go run OpenBSD instead.


Does OpenBSD/newer PF have better throughput on 10GbE+ hardware? I've heard that OpenBSD/PF tends to run into issues due to the giant lock and SMP issues.

Since you seem knowledgeable, any pointers to information about that?


Everything I've seen indicates OpenBSD pf wins on slower single cores, but on fast multi-core hardware FreeBSD pf wins.



