Are pfsense firewalls any good for home or business? Which businesses are supported by pfsense? What are the advantages and disadvantages of using pfsense? How big can they go? Lots of questions! Fortunately Tom answers these and many more in this video.
// MENU //
00:00 ▶ Introduction
01:29 ▶ What pfSense is and Tom's experience with pfSense
03:43 ▶ Tom and Open Source
04:38 ▶ The benefit of pfSense being Open Source
05:21 ▶ Systems Tom has deployed with pfSense
07:22 ▶ pfSense licensing cost
09:09 ▶ Using pfSense at home
11:45 ▶ Virtualization
12:28 ▶ Raspberry Pi support
13:02 ▶ Virtualization vs hardware
14:37 ▶ Tom's recommendation for small/medium businesses
19:43 ▶ pfSense actual cost (pfSense vs pfSense+)
22:22 ▶ Reasons not to use pfSense
24:45 ▶ Tom's biggest pfSense deployment
26:07 ▶ pfSense above 10G
27:11 ▶ pfSense and VPN
28:32 ▶ Handling lots of VPN connections
29:29 ▶ Advice for starting a consulting business
31:09 ▶ Technical skills vs sales skills
32:22 ▶ The benefit of having sales skills
35:58 ▶ It's about the customer, not the product you use
38:02 ▶ How Tom got his first customers
40:21 ▶ Why Tom has a RUclips channel
43:46 ▶ This video is not sponsored by a VPN company
43:53 ▶ Skills to learn in 2022 to get started
48:13 ▶ Story 1 - Hacked client
49:10 ▶ Story 2 - That will never happen in the real world
51:28 ▶ Story 3 - We've all done it
52:40 ▶ Final advice
54:15 ▶ Networking with people
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
RUclips: ruclips.net/user/davidbombal
// Tom's SOCIAL //
Twitter: twitter.com/TomLawrenceTech
RUclips: ruclips.net/user/TheTecknowledge
Website: lawrencesystems.com/
LinkedIn: www.linkedin.com/in/lawrencesystems/
Instagram: instagram.com/lawrencesystems/
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
First time hearing about PFSense and already plotting how to deploy this... Thank you David for the interview... and Tom is a true salesman, definitely going to build a sales skill as advised by Tom.
I went to OPNSense after Netgate was in denial on leaking (my) personal data on their (old) forum. As they were not serious about securing their forum, I extended that observation to their products.
Been running pfSense on VMware at home since I was a student ~20 yrs ago, and since then have had lots of projects using it, no matter big or small, from the cloud and DC to on-prem. Learned a lot from them and pfSense never let me down :D
I’ve been using pfSense for years and love it. There are four issues IMO that weren't covered in this video.

1) The lack of a good interface for inbound rules. Each interface has a page for outbound rules. This becomes an issue when controlling traffic between VLANs. You can use the floating tab to control inbound rules, but that’s one tab with rules for all interfaces. It’s really a bad design and makes understanding your rules and where and how they are applied confusing. Each interface should have an inbound and outbound rule page. I will use pfctl to look at rules for each interface to see exactly what's being filtered on each interface. However, since pfSense is designed to be operated via a web interface, there should be a clear way to see all rules via that interface.

2) There are several NAT limitations. The Port Forward NAT section has limitations, but should be as flexible as Outbound NAT. Also, there is no support for double NAT. I think Cisco calls this twice NAT, i.e. the ability to modify source IP and/or port on incoming packets and the ability to modify destination IP and/or port on outgoing packets. I can't recall if this is a limitation of pf or not, but it is useful in some situations. Cisco added "twice NAT" to ASAs around 8 years ago I believe.

3) The lack of a CLI like you’d find in an SRX or VyOS. I get that not everyone is comfortable with a CLI and new users probably just want a web interface, but if setting up bonded ports for WAN and/or LAN, you have to set up pfSense one way using their console CLI, then get into the web GUI and then change everything to bond the ports. It can be a cumbersome process, and one small mistake and you have to start over. There are other advantages of a CLI, like quickly being able to see a full config for something vs multiple pages in a web interface, easily copying config, making a few changes and applying it to the same or another device.

4) One more issue with pfSense is the limit of one IPsec VPN setup for remote users. We use OpenVPN to get around it, but back in the day some things had to be IPsec, and not being able to have multiple setups for remote users, where some users can access limited stuff and others can access more or everything, was an issue. I haven’t tried this in years, so things may have improved. Again, OpenVPN works great for this provided your requirements don’t negate its use.
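For readers following the point about per-interface inbound versus outbound rules: pf, the packet filter underneath pfSense, has always had both directions on every interface, and the pfSense interface tabs expose only the "in" direction (traffic arriving on that interface), with "out" rules reachable through the floating tab. The ruleset below is an added illustration written for this page, not code from the video, the commenter, or the pfSense project, and the interface names (igb0, igb1), the LAN prefix and the server address are constructed for the example. It shows what a per-interface, per-direction ruleset looks like in pf syntax, with a port forward (rdr) and outbound NAT alongside it, which is the underlying form of what the pfSense GUI generates.

```pf
# Constructed example ruleset in FreeBSD pf syntax (the dialect pfSense uses).
# Interface names and addresses are assumptions for this illustration.
wan_if  = "igb0"
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0

# --- Translation rules: pf evaluates these before the filter rules ---------
# Port forward: rewrite the destination of inbound HTTPS on the WAN address
# to the internal server on a non-standard port. Because translation runs
# first, the filter rule for this flow (below) must match the *translated*
# destination, not the WAN address.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 443 -> $web_srv port 8443

# Ordinary outbound NAT for LAN hosts reaching the Internet via the WAN address.
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# --- Filter rules: default deny in both directions, then explicit passes ----
block in  log all
block out log all

# LAN interface, "in" direction: what hosts on this segment may initiate.
# This is the direction a pfSense interface tab controls.
pass in  quick on $lan_if inet from $lan_net to any keep state

# LAN interface, "out" direction: what may be delivered onto this segment.
# In the GUI this can only be expressed as a floating rule with direction "out".
pass out quick on $lan_if inet proto tcp to $web_srv port 8443 keep state

# WAN interface: only the forwarded service may enter (post-rdr address),
# and anything stateful may leave.
pass in  quick on $wan_if inet proto tcp from any to $web_srv port 8443 keep state
pass out quick on $wan_if inet keep state
```

To see the rules pfSense actually loaded per interface, as the comment suggests, the same pfctl tooling applies on any pf host: `pfctl -sr` lists the filter rules (pipe through `grep 'on igb1'` to isolate one interface), `pfctl -sn` lists the nat/rdr rules, and `pfctl -vvsr` adds rule numbers and match counters, which is the quickest way to confirm which rule a flow is hitting. On pfSense the generated ruleset is written to /tmp/rules.debug, and `pfctl -nf /tmp/rules.debug` syntax-checks it without loading.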
Great job on asking what feature he is not recommending to use in pfsense. All the positive stuff you find on a flyer but the negative things are the ones you can only get from someone that has experience with the product.
2nd comment, sorry for littering... The SG6100 specifically: talk about a hardened firewall out of the box... look what you've got to go through to get multiple clients on a LAN party... CoD anyone? NAT on strict. Compared to a UDM Pro out of the... NAT = moderate. Compared to the majority of retail routers that have PnP enabled by default... NAT = open. This is why Netgate will remain profitable until end users start to understand how to properly config their unique configuration into that puppy... I suggest starting off with buying a Netgate device... the smallest device that you can afford that does not have a logical chip... all interfaces should be separate... no VLAN witchcraft.... Then build your own... fun to see it ALL come to life... Thanks Tom. You're informative and invaluable 🙏
David and Tom, this was a very useful video. I think the title of the video is underwhelming, because when I first saw the title, and that the video was 56 minutes long, I thought that there was no way that there could be a 56 minute discussion about pfSense. But the second half of this video was highly valuable for everyone in IT, especially for people who want to broaden their role in it, or to change careers to IT.
pfSense is a great way to learn a lot about firewalls, and in fact networking in general. I've got my firewall (pfSense) running on a VM and it works great.
The main difference between an expert and a novice is not that an expert doesn’t make mistakes, but that an expert knows how to recover from the mistake without panicking.
I run 5 smaller casinos ($100m Rev) off pfsense, been bulletproof for the last 6 years. Run them on our VMware clusters. I know other casinos are paying over $15K a year in Forti subscriptions. We use ipsec, pfblocker, snort, and openvpn.
pfSense is great to work with. I set up a company a while back with a pre-made box, but also, for the cost of a network card, built a backup machine that would plug and play if the pre-made machine ever failed (they had an old PC they were not using, so for about an hour of my time I built the backup box). That is some very affordable redundancy!
I've been virtualizing my pfSense firewall on a 4-node Proxmox cluster along with numerous other VMs for several years now. The cluster is made from Ivy Bridge generation Supermicro FatTwins. All VM data is backed by Ceph. I use it for actual workloads and lots of training and experimentation for work.
Really like the insightful podcast videos on your channel, David. The questions you've asked are really helpful, especially to a younger audience. Much appreciation to Tom, who is open (not just open-source) and honest in sharing his opinion. Keep making more collabs like this with insightful questions!
I have used pfSense as the primary firewall for 75 users at the last company I worked for. It worked for 11.5 years without any issue. Behind our firewall there was a file server and an Exchange server. But I suggest getting support, so that if things run into problems you can recover with less downtime. In 11.5 years I never needed support.
I would really like to see something fleshed out as well as pfsense with turnkey hardware solutions, but on linux. The big reasons for me would be #1: vastly better hardware support #2: In-kernel wireguard #3: more flexibility and performance, nf/ip/x tables better scaling, etc
I've used OpenBSD as my firewall at home for years without any problems. The only problem is that it's not very good at Wi-Fi so the speeds would be low if I used it for that. Fortunately, I have an old router I can use for that. It works well for us.
Tom has helped me no end! Started with FreeNAS 9, now on SCALE with pfSense & Cloudflare... It's been emotional at times! Would never have made it without Tom's help. Although I still can't get HAProxy to work!! lol X
You are both amazing people sharing your knowledge, I think that’s what it’s all about, lots of respect, have been watching Tom’s vids for years fantastic!
Awesome video David! I appreciate Tom and you having this conversation. Very interesting and I enjoyed it. Thanks for all the videos you do. And to Tom as well. Great guys to learn from.
For the BGP issue and other similar issues, you should have an out-of-band private network connected to terminal servers, with secure bastion hosts connected to the private network and the internet from one or more 3rd-party carriers, so you can reach the network devices in major outage situations, or something equivalent to this kind of setup. This is the problem with products like UniFi for enterprise, as they have no console, no out-of-band options, etc. Regardless of what you use, you should have a sensible disaster recovery plan appropriately designed for what you have deployed and should be prepared to execute that plan.
I use pfSense at home! I love it; switching back to my home router after my pfSense box went down really sucked. My gf hated pfBlockerNG, now she doesn't mind it. The traffic is routed so efficiently. I set it up originally in 2018.
I liked your interview. One thing I have learned: always be open to listening to people that have been out in the field, listen to their experiences, and never get a big head and put people down to make yourself feel good. No one is all-knowing. Always be open; one size does not fit everything. Be flexible.
Am looking into pfsense. Loved this video discussion to get a general sense of this software. Also great advice on developing sales skills, as this will help sell your business OR sell your solutions internally for getting the budget to actually implement it.
We have used pfSense in our business for years; it's easy to set up and maintain, needs few resources, and Netgate products are good and cheap. It is fantastic when virtualized on modern, low-power hardware (N95-N100) for a small integrated solution for mobility. VPN management is very good and quite fast if you have decent hardware.
I loved the Firepower question… I worked for a company that just pushed everything Cisco and Firepower is such hot garbage.. the amount of companies that paid me to install it.. then paid me to rip it out (EVEN THOUGH I TOLD THEM NOT TO USE IT MULTIPLE TIMES!!!) is mind blowing…
I completely agree with what you're saying about BSD does it first and Linux does it better. It's a shame that pfsense is only able to be compiled (by a normal user) for the x86_64 architecture. When something like OpenWRT (which is Linux-based) is able to be compiled for arm32, arm64, MIPS, MIPS64, PPC, x86, and x86_64. I mean, you can run OpenWRT on a Raspberry PI no problem. It sucks that overall platform + hardware support is so limited with pfsense. Hopefully, that will change in the future. OpenWRT could definitely use the competition. I'm a firm believer that "competition breeds innovation".
I was really surprised how easy it was to set up pfSense. I just reused my old PC, an Intel Skylake PC with 24 GB of RAM, pretty overkill but it's what I had!
I got Pfsense to work with Hyper-V as well. I was pretty happy with it but I moved over to hardware because my Microsoft server takes so long to update each month.
David, make a video on "How to choose a laptop which has a pre-built Wi-Fi adapter which is suitable for hacking and where we get monitor mode, packet sniffing and more". Consequently, make a video on a laptop that is suitable for hacking.
I was confused about which firewall I should buy, Cisco Firepower or FortiGate, etc. This is a great conversation, the best video that I've seen; you've answered a lot of questions. Thanks a lot.
You can even set up a pfSense router with ONE NIC and a managed switch. It's not the best from a performance or simplicity standpoint, but it 100% works.
Correction on Tom's statement that there aren't many firewalls that do TLS 1.3 decryption: All major firewall vendors do in fact support this. That information is very outdated.
The Major Firewall vendors also do cost a major amount more than the the pfSense. If TLS 1.3 is a requirement, you can better look somewhere else. Anyway it's tricky. Banks etc trying to keep you out the encrypted connection and Firewall vendors need continuously to work to keep themselves in
@@alfabètagamma-k7p nah, you can get affordable options that don't cost much more than a pfSense+Netgate+Snort subscription. Take Sophos XG firewalls, as an example. I work with SSL decryption on a daily basis; it isn't even half as complicated as people say it is. Sometimes connections can't be established due to certificate pinning, but that isn't an issue, you just exclude them (with a whitelist). When you start using it, you have to do a bit of fine-tuning, but once that's dialed in, you don't have to deal with it much anymore. It gives you so much better security, it's well worth the little bit of effort.
I started with m0n0wall before moving to pfSense over 10 years ago. I still wish it had better log searching and parsing like an enterprise firewall, but otherwise love it.
I went from using Win ME (don't judge me, it had an easy-to-use networking wizard) as a router/firewall, to using OpenBSD, to using pfSense after my distant cousin told me about it... although I feel a bit of self-disappointment for not keeping on with OpenBSD to this day, pfSense has been nice :)
Been using pfsense as my primary firewall at home for six or seven years now. Been rock solid if left alone. Only when I mess with things have there been issues. Almost always because I did something wrong. Been great and I no longer get calls from the wife about internet problems. At least not from things in the house.
Hey Lawrence we are from Battle Creek and have worked with that Detroit large medical conglomerate too. They ended up selling the BC facility so we have not worked with them for a few years.
pfSense works very well on the PC Engines APU series of boards. It's cheap, has 2-4 Intel NICs, 4-core AMD x86 CPU, 2-4 GB ECC DRAM, 2x USB, 1x Serial, WiFi slot, SD Card slot. All for around $150. I think the highest-end version is $200. It ships as an assimilable kit and gives some hands-on hardware experience.
First off, nice video, I enjoyed it. I've used pfSense once in a business environment and my IPsec VPN kept dropping. My other endpoint was a Cisco ASA. The ASAs I've deployed have been rock solid. I will say pfSense is easier to set up and works great at home.
Context matters. Had I known about pfSense 10 years ago I would have deployed it in a heartbeat. Fit the bill perfectly. When you're one of 200 companies owned by a Fortune 200, you use the equipment corporate wants.
David and Tom, thank you so much for this interview, you're both some of my best guys. I also use open-source solutions for security and VoIP; for security I do use pfSense, and most of the configs I've done through Tom's videos. David Bombal, my master; I've enrolled in a couple of his Udemy videos and it always helps at some moment in tech life.
Thank you David Bombal. I have been on the fence following you for a while and I must admit your content is super. You bring in the top guns in subjects that we need now in the real world. Thanks for bringing the likes of Neil Bridges, Tom Lawrence and Hammond. I am a fan and there is no going back.... I love your content.
Thanks for interviewing Tom, David Bombal (and Tom for agreeing!). When I need to research a network item, Tom's channel is on the list. Love it when content creators I respect do this; appreciated the business and career focus. Especially the talking points at 38:12, engaging, and the comment on giving more than you demand. Thank you.
Thanks for a great show, wish I was 20 again😎 now I have an extra 40+ years, but there's always something to learn. Tomorrow I will have to setup a pfsense lab for my home/office.
Right now a lot of job postings for systems engineers are no longer limited in scope to rack and stack, server administration, spinning up VMs or bare-metal HVs. I have been seeing more and more jobs requiring some form of CI/CD pipeline knowledge, automation tools, and Linux knowledge.
How about OPNsense firewall, is it also good for home and small business firewall?
PFSense is better than no firewall. However it pales in comparison to enterprise grade NGFW. As someone who has architected in the network security space for going on 12 years now, enterprise grade functions, filters, application awareness, cloud content analysis, AV engines, and vulnerability protections of Palo Alto, Fortinet, Checkpoint, and even firepower blow PFSense out of the water.
However, would I trust PFsense in my home network? Yes. Would I trust it in a simple SMB? Yes. The differentiating factor for me is WHO is managing it. Is it mr CEO do it all? Or is it a MSP?
However, vendors like fortinet for example have firewalls at a very affordable price. Heck Even Palo Alto has affordable firewalls now. I just finished a BOM where we bought 1Gbps firewalls with a bundle of NGFW features and we paid $2800 for 3 years.
Awesome video, you two. Encouraging, informative, and would love to see more in the future!!
Which firewall would you recommend for a professional who works from home?
After several failures with commercial firewalls that won't patch issues many of my vendors are now recommending OpnSense. I use it for many projects and would be comfortable using it at my workplace come hardware refresh time. Especially with the security features it has.
This was a lot of fun! Thanks thanks for taking the time to do this.
I enjoyed it really, honestly two of the best tech RUclipsrs
Thanks so much for sharing your knowledge and experience with all of us Tom!
We Do Love David & Lawrence
Lawrence System made me love open source!
Both of my tech persons together. This was an awesome talk.
This is gold. Tons of respect for both of you guys.
Thank you!
David and Lawrence, always talking about the right stuff. These guys are gold.
Tom has taught me so much about pfsense through his videos. I've been running it since 2015. I started off with a Netgate SG3100 but ran out of puff when I upgraded my WAN to 1Gb. So I bought a second hand Dell R210 M2 with a 4 port Intel NIC and rolled my own pfsense box. Reddit was useful to get suggestions for the best hardware platform for my needs and I paid about £170 in total for the machine, NIC and SSD that it runs on.
I have multiple VLANs for different networks, WAN redundancy over 4G, multiple OpenVPN servers for me and the segregated guest network, custom firewall rules and UPS monitoring. All of this I've learned from Tom's videos. Tom's videos are a total wealth of guidance and help, and his delivery is such that he gives a lot of confidence. If I want to do something with pfSense, Tom's channel is the first place I go to.
I have been running pfSense since at least 2011. Started with a Pentium 4 HT box with a 100 Mb NIC, a gigabit Intel PCI NIC and 512 MB RAM. As time went on I virtualized it around 2015, and as of about 2019 run a dedicated box once again since I upgraded to a gigabit internet connection. It consists of an i3 2100 and 2 GB of RAM with a couple of Intel e1000 NICs. Great setup for just a regular geeked-out family of 4.
The virtual server I had was not coping too well with the gig connection, and rather than upgrade a server that otherwise worked well for my needs, I just built a dedicated box to make use of the hardware offload those inexpensive Intel NICs offer. And it's hardware that allows me to tweak the voltages of the CPU and RAM etc., so it's undervolted a bit and consumes very little power. Yet its performance is just wonderful.
I have always loved PFSENSE.. it is great as well for traffic shaping.. When the kid has been playing on his computer a little too long, I can get in and start to get him to lag out ever so slightly. Where he can still play but gets a little frustrated and starts doing something more productive.... It is worth it for that alone lol.
@@wishusknight3009 I need to understand a little more about shaping - I'm looking to do that for the 4G WAN failover port and reduce download traffic to about 20Mbps and upload to about 2Mbps - reason being that the SIM is a prepayment with 25GB allowance and a 2 year expiry so only want it to be there for when it needs to be used. I also need to see if I can stop the dpinger process constantly pinging the 4G network when it's not required.
I love these kinds of videos. Although I have my own network setup, having videos where you have two big network YouTubers having a real conversation without it being pre-scripted is refreshing.
2 of my favourite guys on RUclips. Loved every minute of the conversation. Best 1 hour spent. Legends 👍
Thank you Parry! Much appreciated!
@@davidbombal You’re a legend David. You give so much back to the community and help out so many people in need, it’s just admirable and inspirational. Wish you all the best 🙏🏻
I use it extensively. Primarily to control access to the management network, but also to protect guest networks and add a secondary control to VPN systems. Been using since 2011. It's great!
I've been using pfsense for almost 10 years now, was in ipcop before. I'm loving pfsense.
Stumbled upon this video after a few weeks of networking research (for setting up networking in my home). I'm a web developer who's dabbled in the business side of things as well and there's a ton of fantastic advice in your video here; thanks for much to the both of you for sharing!
an hour long video on pfsense, david bombal and Lawrence systems... i never knew i wanted this! 😃 i love this! 😊
Hope you enjoyed it!
I bought the Netgate SG 3100 several years ago as my edge firewall, router, etc. and I absolutely love it. This is coming from a 17-year network engineering veteran that is definitely a Cisco guy.
Two of the best RUclips! Learned Cisco from David and Unifi and pfSense from Tom. You guys keep rocking!! We are watching and learning.
I love the way Tom speaks and he is the sole reason I went pfSense after decades of Sonicwall.
pfSense is super good. As a network engineer, I primarily work on Cisco equipment, Barracuda NGF + WAFs and FortiGates. But I have used pfSense in a few businesses.
Just curious, how is pfsense compared to hardware firewalls like Fortinet?
@@Seedlinux I crashed fortinet fuzzing several times in the past 10 years. They're popular in schools... Yah
We use open source in the military.
In one embarrassing moment I had to explain to an officer that his "new top secret battalion level chat room" was in fact just mIRC on a laptop and some of us had been using it since we were 14 years old.
Sounds extremely insecure.
@@tolpacourt Sure, if you don't have a clue.
I'm happy that you and Tom have had time to converse and share knowledge about firewalls. I hope there will be more videos between the two of you sharing your knowledge :)
I have so much fun listening to both of you guys. I've been using pfSense for more than a decade now.
I was using DD-WRT on my Linksys router before I found IPCop. OpenVPN on IPCop was easy as pie. Then I tried Monowall before it got forked to pfSense. So been using pfSense since 2008.
I'm a huge fan of pfSense. For many years... even today many off-the-shelf solutions weren't optimized for bidirectional 1 Gbps throughput, much less multigig. The ones that were cost thousands of dollars in hardware and licensing costs. Now AT&T is offering 5 Gbps throughput to regular people. I can't think of any other solution other than pfSense that would be able to provide that much throughput.
Routing 5Gbps on pfSense will be hard; you will need some powerful hardware (like a 6-core) due to the kernel routing use 😔
@@theangelofspace155 the people who can afford a 5gbps internet can definitely afford a $600 computer
I started on pfSense as recommended by a friend, after all my issues with commercially available home network routers. I started with the Netgate SG-1100; this unit failed so I returned it. In its place I obtained a Netgate 2100 which is so much better in every way. I acquired a book, Safer @ Home with pfSense, which I am still working my way through. I have watched many videos from Lawrence Systems. I will say my entire home network has been much more stable since using the pfSense box. I went down the route of ASUS, D-Link, Netgate, Bitdefender routers. I had a cyber intrusion which syphoned off 7 Tb of data and my ISP was going to charge me for the data overage. This was the beginning of the journey to make the home network system safe.
I've been running pfSense for about 6 years. Initially I used an old PC, but for about 1.5 years on a Qotom mini PC. I'm quite happy with it.
First time hearing about PFSense and already plotting how to deploy this...
Thank you David for the interview... and Tom is a true salesman, definitely going to build a sales skill as advised by Tom.
Love pfsense. Started using it about 5 years ago. Thanks to Tom's channel. I do not use it to it's full capacity, but it works well and stable.
I went to OPNSense after Netgate was in denial on leaking (my) personal data on their (old) forum. As they were not serious about securing their forum, I extended that observation to their products.
Been running pfSense on VMware at home since I was a student ~20 yrs ago,
and since then have had lots of projects using it, no matter big or small, from the cloud and DC to on-prem.
Learned a lot from them and pfSense never let me down :D
I trust Tom. He's reputable and he knows what he's doing.
I’ve been using pfSense for years and love it. There are four issues IMO that weren't covered in this video.
1) The lack of a good interface for inbound rules. Each interface has a page for outbound rules. This becomes an issue when controlling traffic between VLANs. You can use the floating tab to control inbound rules, but that’s one tab with rules for all interfaces. It’s really a bad design and makes understanding your rules and where and how they are applied confusing. Each interface should have an inbound and outbound rule page. I will use pfctl to look at rules for each interface to see exactly what's being filtered on each interface. However, since pfSense is designed to be operated via a web interface, there should be a clear way to see all rules via that interface.
2) There are several NAT limitations. The Port Forward NAT section has limitations, but should be as flexible as Outbound NAT. Also, there is no support for double NAT. I think Cisco calls this twice NAT. i.e. The ability to modify source IP and/or port on incoming packets and the ability to modify destination IP and/or port on outgoing packets. I can't recall if this is a limitation of pf or not, but it is useful in some situations. Cisco added "twice NAT" to ASAs around 8 years ago I believe.
3) The lack of a cli like you’d find in an SRX or VyOS. I get that not everyone is comfortable with a cli and new users probably just want a web interface, but if setting up bonded ports for wan and/or lan, you have to set up pfSense one way using their console cli, then get into the web GUI and then change everything to bond the ports. It can be a cumbersome process and one small mistake and you have to start over. There are other advantages of a cli like quickly being able to see a full config for something vs multiple pages in a web interface, easily copying config, making a few changes and applying it to the same or another device.
4) One more issue with pfSense is the limit of one IPsec VPN setup for remote users. We use OpenVPN to get around it, but back in the day some things had to be IPsec, and not being able to have multiple setups for remote users where some users can access limited stuff and others can access more or everything was an issue. I haven’t tried this in years, so things may have improved. Again, OpenVPN works great for this provided your requirements don’t negate its use.
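The per-interface view that the comment above reaches for with pfctl, as an added example that is not part of the original comment: a small Python script that parses a constructed sample of `pfctl -sr` output and groups the rules by interface and direction, copying floating rules that carry no `on` clause into every interface's list. The interface names, addresses and labels in the sample are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `pfctl -sr` output; interfaces, addresses and labels are made up.
SAMPLE_RULES = """\
block drop in log all label "Default deny rule IPv4"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
block drop in quick on em1 inet from 192.168.1.0/24 to 10.0.20.0/24 label "USER_RULE: no LAN to IOT"
pass in quick on em2 inet proto udp from 10.0.20.0/24 to 10.0.20.1 port = 53 keep state label "USER_RULE: IOT DNS"
pass out quick on em0 inet proto tcp from any to any port = 443 flags S/SA keep state label "USER_RULE: floating out WAN"
pass quick inet proto icmp from any to any keep state label "USER_RULE: floating ICMP, any iface"
"""

# pfctl prints rules as: action [direction] [log] [quick] [on iface] <rest>
RULE_RE = re.compile(
    r"^(?P<action>pass|block(?: drop| return)?|match)"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+log(?:\s*\([^)]*\))?)?"
    r"(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"\s+(?P<rest>.*)$"
)
LABEL_RE = re.compile(r'\blabel\s+"([^"]*)"')

def parse_rules(text):
    """Parse pfctl -sr lines into dicts, skipping lines that are not rules."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        lab = LABEL_RE.search(line)
        rules.append({
            "order": len(rules) + 1,                  # evaluation order in the ruleset
            "action": m.group("action").split()[0],   # pass / block / match
            "dir": m.group("dir"),                    # None: applies in both directions
            "quick": bool(m.group("quick")),          # quick: first match wins
            "iface": m.group("iface"),                # None: applies on every interface
            "label": lab.group(1) if lab else "",     # pfSense puts the GUI description here
        })
    return rules

def group_by_interface(rules, interfaces=None):
    """Map (iface, direction) -> rules in evaluation order. Rules with no `on`
    clause are copied to every interface and rules with no direction appear
    under both "in" and "out", which is how pf applies them."""
    if interfaces is None:
        interfaces = sorted({r["iface"] for r in rules if r["iface"]})
    grouped = defaultdict(list)
    for r in rules:
        ifaces = [r["iface"]] if r["iface"] else interfaces
        dirs = [r["dir"]] if r["dir"] else ["in", "out"]
        for i in ifaces:
            for d in dirs:
                grouped[(i, d)].append(r)
    return dict(grouped)

def render(grouped):
    """One text block per interface and direction, rules in evaluation order."""
    out = []
    for (iface, d) in sorted(grouped):
        out.append(f"== {iface} {d} ==")
        for r in grouped[(iface, d)]:
            q = "quick" if r["quick"] else "     "
            out.append(f"  #{r['order']:<3} {r['action']:<5} {q}  {r['label']}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(group_by_interface(parse_rules(SAMPLE_RULES))))
```

On a real box the same functions can be fed the output of `pfctl -sr` read from a file; a rule without `quick` is still subject to pf's last-match-wins evaluation, which the listing order makes visible.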
Thank you David for having Tom on a chat about pfsense
Great job on asking what feature he is not recommending to use in pfsense. All the positive stuff you find on a flyer but the negative things are the ones you can only get from someone that has experience with the product.
Two of my favorite influencers!!!
What a combination?
Tom is the best! I started to use pfSense because of him
and my networks are working fine and secure!!!
2nd comment sorry for littering...
The sg6100 specifically: talk about a hardened firewall out of the box... look what you have to go through to get multiple clients on a LAN party... CoD anyone? NAT on strict
Compared to a UDM Pro out of the box... NAT = moderate
Compared to the majority of retail routers that have UPnP enabled by default... NAT = open
This is why Netgate will remain profitable until the point at which end users start to understand how to properly configure their unique configuration into that puppy...
I suggest starting off with buying a Netgate device... the smallest device that you can afford that does not have a logical chip... all interfaces should be separate... no VLAN witchcraft...
Then build your own... fun to see it ALL come to life...
Thanks Tom.
Your information is invaluable 🙏
After trying other firewalls and the cost of licenses, I am very satisfied with pfSense.
David and Tom, this was a very useful video. I think the title of the video is underwhelming, because when I first saw the title, and that the video was 56 minutes long, I thought that there was no way that there could be a 56 minute discussion about pfSense. But the second half of this video was highly valuable for everyone in IT, especially for people who want to broaden their role in it, or to change careers to IT.
pfSense is a great way to learn a lot about firewalls, and in fact networking in general. I've got my firewall (pfSense) running on a VM and it works great.
The main difference between an expert and a novice is not that an expert doesn’t make mistakes, but that an expert knows how to recover from the mistake without panicking.
My dear teacher David Bombal and my favorite IT coach. Thank God. Bless you guys, regards from Mexico.
I run Pfsense at home and love it. Very versatile and just chugs along. Running on an old HP Proliant NL54.
I run 5 smaller casinos ($100m Rev) off pfsense, been bulletproof for the last 6 years. Run them on our VMware clusters. I know other casinos are paying over $15K a year in Forti subscriptions. We use ipsec, pfblocker, snort, and openvpn.
pfSense is great to work with. I set up a company a while back with a pre-made box, but also for the cost of a network card built a backup machine that would plug and play if the pre-made machine ever failed (they had an old PC they were not using, so for about an hour of my time I built the backup box). That is some very affordable redundancy!
I've been virtualizing my pfSense firewall on a 4-node Proxmox cluster along with numerous other VMs for several years now. The cluster is made from Ivy Bridge generation Supermicro FatTwins. All VM data is backed by Ceph. I use it for actual workloads and lots of training and experimentation for work.
Thank David tag with Lawrence, I am a longtime old fan of Lawrence, he is awesome with firewall & network stuff. Thanks again David
I am using pfsense for a while now, I use VirtualBox for it and it works great!
Really like your insightful podcast videos on your channel David. The questions you've asked are really helpful, especially to a younger audience. Much appreciation to Tom who is open (not just open-source) and honest in sharing his opinion. Keep making more collabs like this with insightful questions!
I used pfSense as the primary firewall for 75 users at the last company I worked for. It worked for 11.5 years without any issue. Behind our firewall there was a file server and an Exchange server.
But I suggest getting support so that if things run into problems you can recover with less downtime.
In 11.5 years I never took support.
I would really like to see something fleshed out as well as pfsense with turnkey hardware solutions, but on linux. The big reasons for me would be #1: vastly better hardware support #2: In-kernel wireguard #3: more flexibility and performance, nf/ip/x tables better scaling, etc
I've used OpenBSD as my firewall at home for years without any problems. The only problem is that it's not very good at Wi-Fi so the speeds would be low if I used it for that. Fortunately, I have an old router I can use for that. It works well for us.
Tom has helped me no end! Started with FreeNAS 9, now on SCALE with pfSense & Cloudflare... It's been emotional at times! Would never have made it without Tom's help. Although I still can't get HAProxy to work!! lol X
You are both amazing people sharing your knowledge, I think that’s what it’s all about, lots of respect, have been watching Tom’s vids for years fantastic!
Thanks 👍 Tom's great!
Awesome video David! I appreciate Tom and you having this conversation. Very interesting and I enjoyed it. Thanks for all the videos you do. And to Tom as well. Great guys to learn from.
I've been using pfSense for ages (in fact I was using m0n0wall before). I have it in production virtualized with QEMU and Hyper-V. Works beautifully.
For the BGP issue and other similar issues, you should have an out of band private network connected to terminal servers with secure bastion hosts connected to the private network and internet from one or more 3rd party carriers so you can reach the network devices in major outage situations or something equivalent to this kind of setup. This is the problem with products like Unify for enterprise as they have no console, no out of band options, etc. Regardless of what you use, you should have a sensible disaster recovery plan appropriately designed for what you have deployed and should be prepared to execute that plan.
I use pfSense at home! I love it. Switching back to my home router after my pfSense box went down really sucked. My gf hated pfBlockerNG, now she doesn't mind it. The traffic is routed so efficiently. I set it up originally in 2018.
My two favorite RUclips guys for Tech information.
pfSense definitely can be used for home and of course for business too; it's a very powerful and secure solution.
thanks for this video!
I liked your interview. One thing I have learned: always be open to listening to people that have been out in the field, listen to their experiences, and never get a big head and put people down to make yourself feel good. No one is all-knowing; always be open. One size does not fit everything; be flexible.
Am looking into pfsense. Loved this video discussion to get a general sense of this software. Also great advice on developing sales skills, as this will help sell your business OR sell your solutions internally for getting the budget to actually implement it.
Two of my favorite RUclipsrs in one video!!!
We have used pfSense in our business for years; it's easy to set up and maintain, needs few resources, and Netgate products are good and cheap. It is fantastic when virtualized on modern, low-power hardware (N95-N100) as a small integrated solution for mobility. VPN management is very good and quite fast if you have decent hardware.
Another well invested hour of my time :) Now I finally have to try out pfsense myself! Thank you gentlemen !
I loved the Firepower question… I worked for a company that just pushed everything Cisco and Firepower is such hot garbage.. the amount of companies that paid me to install it.. then paid me to rip it out (EVEN THOUGH I TOLD THEM NOT TO USE IT MULTIPLE TIMES!!!) is mind blowing…
We've used Cisco and FirePower in over 200 sites with no issues... we're only pulling them out now as the ones we deployed were end-of-life.
I completely agree with what you're saying about BSD does it first and Linux does it better. It's a shame that pfsense is only able to be compiled (by a normal user) for the x86_64 architecture. When something like OpenWRT (which is Linux-based) is able to be compiled for arm32, arm64, MIPS, MIPS64, PPC, x86, and x86_64. I mean, you can run OpenWRT on a Raspberry PI no problem. It sucks that overall platform + hardware support is so limited with pfsense. Hopefully, that will change in the future. OpenWRT could definitely use the competition. I'm a firm believer that "competition breeds innovation".
Great show. to me Tom Lawrence is the God of pfsense. I have learned so much watching his videos.
Thank you sir David for a new video...
Hope you are doing well...
I was really surprised how easy it was to set up pfsense. I just reused my old pc, an intel skylake pc with 24gb of ram , pretty overkill but it's what i had!
I’ve set up a pretty strong home network with netgate and ubiquiti due to watching Tom’s videos. Thanks for this.
2 of the best in the industry in terms of sharing knowledge!
pfSense rocks, used it for many years, it was extremely stable, and tunnels are a cinch to set up.
I got Pfsense to work with Hyper-V as well. I was pretty happy with it but I moved over to hardware because my Microsoft server takes so long to update each month.
I run my business on a Netgate 7100. I love it. It's completely overpowered for my needs, but that's ok.
David, make a video on "How to choose a laptop which has a pre-built wifi adapter which is suitable for hacking and
where we get monitor mode, packet sniffing and more"
Consequently, make video on laptop that is suitable for hacking
nice idea man you have
Amazing Interview. Thanks David and Lawrence.
Very happy to hear that!
I was confused about which firewall I should buy, Cisco Firepower or FortiGate, etc. This is a great conversation, the best video that I've seen; you've answered a lot of questions. Thanks a lot.
I'm late to the party here. But love this collab. Tom is a super re(open)sourceful guy.
You can even set up a pfSense router with ONE NIC and a managed switch. It's not the best from a performance or simplicity standpoint, but it 100% works.
Correction on Tom's statement that there aren't many firewalls that do TLS 1.3 decryption: All major firewall vendors do in fact support this. That information is very outdated.
The major firewall vendors also cost a major amount more than pfSense. If TLS 1.3 is a requirement, you had better look somewhere else. Anyway, it's tricky. Banks etc. are trying to keep you out of the encrypted connection and firewall vendors need to work continuously to keep themselves in.
@@alfabètagamma-k7p nah, you can get affordable option that don't cost much more than a pfSense+Netgate+Snort-Subscription. Take Sophos XG firewalls, as an example. I work with SSL decryption on a daily basis, it isn't even half as complicated as people say it is. Sometimes connections can't be established due to certificate pinning, but that isn't an issue, you just exclude them (with a whitelist). When you start using it, you have to do a bit of fine-tuning, but once that's dialed in, you don't have to deal with it much anymore. It gives you so much better security, it's well worth the little bit of effort.
I started with m0n0wall before moving to pfSense over 10 years ago. I still wish it had better log searching and parsing like an enterprise firewall, but otherwise love it.
I went from using Win ME (don't judge me, it had an easy to use networking wizard) as a router/firewall to using OpenBSD to using pfSense after my distant cousin told me about it... although I feel a bit of self-disappointment for not keeping on with using OpenBSD to this day, pfSense has been nice :)
Been using pfsense as my primary firewall at home for six or seven years now. Been rock solid if left alone. Only when I mess with things have there been issues. Almost always because I did something wrong. Been great and I no longer get calls from the wife about internet problems. At least not from things in the house.
Hey Lawrence we are from Battle Creek and have worked with that Detroit large medical conglomerate too. They ended up selling the BC facility so we have not worked with them for a few years.
pfSense works very well on the PC Engines APU series of boards. It's cheap, has 2-4 Intel NICs, a 4-core AMD x86 CPU, 2-4 GB ECC DRAM, 2x USB, 1x serial, a WiFi slot, and an SD card slot. All for around $150. I think the highest-end version is $200. It ships as an assembly kit and gives some hands-on hardware experience.
Men, the advice on here is legendary!!!!
Interesting collaboration of two interesting people about different interesting topics.
Tom is my go-to guy for pfSense how-to videos. pfSense is an awesome product that just works. I love it.
First off, nice video, I enjoyed it. I've used pfSense once in a business environment and my IPsec VPN kept dropping. My other endpoint was a Cisco ASA. The ASAs I've deployed have been rock solid. I will say pfSense is easier to set up and works great at home.
Context matters. Had I known about pfSense 10 years ago I would have deployed it in a heartbeat. Fit the bill perfectly. When you're one of 200 companies owned by a Fortune 200 you use the equipment corporate wants.
Old Cisco, iPFire guy, new to PfSense, great interview and info.
A great conversation. Very much impressed with Tom's explanation even with tricky questions.
Love to see Tom on the channel!
Thanks for your support Ben!
David and Tom, thank you so much for this interview, you're both some of my best guys. I also use open-source solutions for security and VoIP; for security I do use pfSense, and most of the configs I've done through Tom's videos. David Bombal is my master; I've enrolled in a couple of his Udemy courses and they always help at some moment in tech life.
It always makes me happy 2 see 2 of my favorite u2bers 2gether 🤗
Thank you David Bombal. I have been on the fence following you for a while and I must admit your content is superb. You bring in the top guns in subjects that we need now in the real world. Thanks for bringing the likes of Neil Bridges, Tom Lawrence and Hammond. I am a fan and there is no going back... I love your content.
Thanks for interviewing Tom, David Bombal (and Tom for agreeing!). When I need to research a network item Tom's channel is on the list. Love it when content creators I respect do this; appreciated the business and career focus. Especially the talking points at 38:12, engaging, and the comment on giving more than you demand. Thank you.
Thank you James!
29:30 This reminds me of the advice from a former colleague of mine. "Features don't sell. Benefits do."
Awesome video, thanks David and Tom!
You can also virtualize pfSense within Hyper-V.
Thanks for a great show, wish I was 20 again😎 now I have an extra 40+ years, but there's always something to learn. Tomorrow I will have to setup a pfsense lab for my home/office.
Right now a lot of job postings for systems engineers are no longer limited in scope to rack and stack, server administration, spinning up VMs or bare-metal HVs. I have been seeing more and more jobs requiring some form of CI/CD pipeline knowledge, automation tools, and Linux knowledge.
This was a good watch from start to finish. I wonder what Tom thinks about Untangle.. I know he has done a few videos on it!..
At times it feels like supporting a video