I'm looking for an alternative to pfSense (2) that can be virtualized in VMWare ESXi. I've experienced several problems with pfSense to date and I feel like it is not a totally finished or polished product. Whenever anything goes wrong (IP address conflict, squid misconfiguration, etc) the whole thing goes berserk and it takes a reboot or at least 5 - 10 minutes to fix itself. In many cases even resetting state tables does not help and only serves to compound the issue.

I think part of the problem is that I probably really suck at pfSense, being new and all, but I've never had this many problems with a firewall appliance and this is coming from a background of using Checkpoint and Linksys and even the occasional D-Link. Of course we run all of our stuff off Cisco ASA at the moment (physical hosts, at least) and I wish I could just run ASA in VMWare but sadly that is not possible.

Please provide any recommendations for either a) guidance on getting pfSense stable, or b) other virtualizable firewall appliances.

tacos_tacos_tacos
  • Based on what you've said above, the best guidance I can give you for making pfSense stable is "Don't misconfigure your environment" -- If you would like to open a separate question with details (What you did, What the expected behavior was, What actually happened, and relevant sections of your configuration) I'm sure someone can give you more advice though :) – voretaq7 Jan 30 '12 at 19:58
  • It's odd that you've had that many problems with pfSense. I've been using it more or less since it was forked from m0n0wall, and have never had anything like this. What version are you running? – EEAA Jan 30 '12 at 19:58
  • @voretaq7, the reason I didn't include those details was that it has happened time and time again with things like IP conflicts, installation of new packages (installed squid-reverse with no configuration and had issues right away), etc. For me it's not so much the instability itself, it's the fact that pfSense seems to take so darn long to recover. Maybe it's just me. – tacos_tacos_tacos Jan 30 '12 at 20:00
  • @ErikA according to webConf I am running 2.0-RELEASE (amd64) built on Tue Sep 13 17:05:32 EDT 2011 - I guess there have been updates since then, perhaps I should try installing those – tacos_tacos_tacos Jan 30 '12 at 20:01
  • Cisco is coming out with a virtual ASA FYI. – Eric C. Singer Jan 30 '12 at 20:54
  • @EricC.Singer What? Please provide a link to that info... and a release date. – tacos_tacos_tacos Jan 30 '12 at 21:04
  • @EricC.Singer - if it's like Cisco's other virtual appliances, it'll cost 50% more than the "standard" version. – EEAA Jan 30 '12 at 21:05
  • @jshin47 http://blogs.cisco.com/datacenter/a-new-virtual-asa-on-full-display-at-vmworld-in-las-vegas/ – Eric C. Singer Jan 30 '12 at 22:11
  • @ErikA no doubt, it's really designed for datacenters that host VPS or other larger cloud setups. The idea is to give clients access to a cloud-based ASA, from my understanding. – Eric C. Singer Jan 30 '12 at 22:14
  • @jshin47 - How did things work out with this? – EEAA Feb 07 '12 at 03:42
  • @ErikA It turned out to be an issue with the CARP configuration. Specifically, because one fw VM was cloned with an identical MAC address, and I forgot to change that one (that v adapter) to a new one in VMWare for some reason, it caused CARP to fail whenever the first host had any issue. – tacos_tacos_tacos Sep 26 '12 at 23:17

2 Answers

9

The answer to this is most likely: don't do that. Whatever it was you were doing to break pfSense, figure out what it was and don't do that any more.

I've worked with a plethora of Linux and BSD-based router distributions, and pfSense is by far the most stable and flexible one of the bunch.

While there are a few pfSense folks here on Serverfault, I'd recommend taking specific questions to the pfSense mailing list. The project founders and many of the core devs are active on the list, along with a much larger group of active pfSense users than we have here.

EEAA
  • Thanks for the mailing list suggestion. I will stick with it and try to tough it out. I am left feeling like I really suck at it because I am basically using out of box configuration options, plus one P-ARP Virtual IP, one 1:1 rule, a couple WAN firewall rules, and a few L2L links. I will direct future questions to the mailing list when they are well thought-out. Thanks for the info again. – tacos_tacos_tacos Jan 30 '12 at 20:14
  • Sounds good. I'm on the list as well, and will reply if I'm able to answer any of your questions when they come through. Good luck! – EEAA Jan 30 '12 at 20:15
  • @jshin47 If you *do* discover what was causing your instability we would definitely appreciate you coming back here to ask (and answer) a question describing the cause and solution. We recommend pfSense deployments here pretty often, but we don't really have a good core of pfSense-specific knowledge if things go wrong -- that's something I'd like to see change :) – voretaq7 Jan 30 '12 at 20:19
  • ^^^ What he said. – EEAA Jan 30 '12 at 20:21
  • If you require guaranteed support, also perhaps consider purchasing commercial pfSense support. – Mxx Jan 31 '12 at 14:23
-2

In my experience, in order to get pfSense config sync/pfsync going, you need to have a) promiscuous mode enabled on the port-group and vSwitch, and b) set the flag in

Advanced Settings -> Net -> ReversePathFwdCheckPromisc => 1 

For whatever reason, traffic was not able to sync otherwise. My environment has 2 NICs in active/standby.

Without this setting, and the promiscuous mode, I saw lots of weird behavior similar to what you're describing. Check on that and see if it can help you.

Jizaymes
  • I really doubt you can diagnose the problem based on "I probably really suck at pfSense" and nonsense like "the whole thing goes berserk and it takes a reboot or at least 5 - 10 minutes to fix itself". – Chris S Feb 05 '12 at 16:40
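The two ESXi-side causes the thread ends up with are the vSwitch/port-group promiscuous-mode and ReversePathFwdCheckPromisc settings from the second answer, and the duplicate MAC address on a cloned firewall VM from the asker's last comment. The following script is an added example, not code from either poster: it parses `esxcli` output captured from the host and flags each condition. Assumed: the `esxcli` output formats of ESXi 5.x, the `esxcli network vswitch ...` / `esxcli system settings advanced ...` commands named in the messages, and the function names and sample data, which are mine.

```shell
#!/bin/sh
# Added example: check an ESXi host for the three pfSense/CARP problems
# discussed in the thread, from esxcli output captured on the host.

# Output of: esxcli network vswitch standard portgroup policy security get -p <pg>
# (or the vswitch variant). Returns 0 only if promiscuous mode is allowed.
# Anchored so the "Override Vswitch Allow Promiscuous" line is not matched.
promisc_allowed() {
    printf '%s\n' "$1" | grep -qiE '^ *Allow Promiscuous: *true *$'
}

# Output of: esxcli system settings advanced list -o /Net/ReversePathFwdCheckPromisc
# Returns 0 only if the current Int Value is 1.
rpf_promisc_enabled() {
    printf '%s\n' "$1" | grep -qE '^ *Int Value: *1 *$'
}

# Input: lines of "<vm-name> <mac>", built from esxcli network vm list and
# esxcli network vm port list -w <world-id>. Prints each MAC used by more than
# one VM (case-normalised, sorted); prints nothing when all MACs are unique.
duplicate_macs() {
    printf '%s\n' "$1" | awk 'NF==2 { m=tolower($2);
        if (!(m in seen)) seen[m]=$1; else if (seen[m]!=$1) dup[m]=1 }
        END { for (m in dup) print m }' | sort
}

# Constructed sample output, as a misconfigured host in the thread would show it.
SAMPLE_PG_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true'
SAMPLE_RPF='   Path: /Net/ReversePathFwdCheckPromisc
   Type: integer
   Int Value: 0
   Default Int Value: 0'
SAMPLE_VM_MACS='pfsense-fw1 00:50:56:aa:bb:01
pfsense-fw1 00:50:56:aa:bb:02
pfsense-fw2 00:50:56:AA:BB:01
pfsense-fw2 00:50:56:aa:bb:03'

promisc_allowed "$SAMPLE_PG_POLICY" || echo "promiscuous mode off: esxcli network vswitch standard portgroup policy security set -p <pg> --allow-promiscuous=true (and the vswitch: ... policy security set -v vSwitch0 --allow-promiscuous=true)"
rpf_promisc_enabled "$SAMPLE_RPF" || echo "RPF check on: esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1"
dups=$(duplicate_macs "$SAMPLE_VM_MACS")
[ -n "$dups" ] && echo "MAC shared by cloned VMs (CARP will misbehave): $dups"
```

Run the three `esxcli` commands on the host, feed their output to the functions in place of the sample strings, and the script names the setting to change; the `set` commands shown are what I know for ESXi 5.x and should be checked against your host's version.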