Common Deployments pfSense is used in about every type and size of network environment imaginable, and is almost certainly

suitable for your network whether it contains one computer, or thousands. This section will outline the most common deployments. Perimeter Firewall: The most common deployment of pfSense is as a perimeter firewall, with an Internet connection plugged into the WAN side, and the internal network on the LAN side. It supports multiple Internet connections as well as multiple internal interfaces. pfSense accommodates networks with more complex needs, such as multiple Internet connections, multiple LAN networks, multiple DMZ networks, etc. Unlike many similar solutions, you can deploy systems with dozens of interfaces if needed. We can add BGP capabilities to provide connection redundancy and load balancing. LAN or WAN Router: The second most common deployment of pfSense is as a LAN or WAN router. This is a separate role from the perimeter firewall in midsized to large networks, and can be integrated into the perimeter firewall in smaller environments. o LAN Router: In larger networks utilizing multiple internal network segments, pfSense is a proven solution to connect these internal segments. This is most commonly deployed via the use of VLANs with 802.1Q trunking. Multiple Ethernet interfaces are also used in some environments. o WAN Router: For WAN services providing an Ethernet port to the customer, pfSense is a great solution for private WAN routers. Wireless Access Point: pfSense can be deployed strictly as a wireless access point. Wireless capabilities can also be added to any of the other types of deployments. VPN Appliance: Some users drop in pfSense as a VPN appliance behind an existing firewall, to add VPN capabilities without creating any disruption in the existing firewall infrastructure. Most pfSense VPN deployments also act as a perimeter firewall, but this is a better fit in some circumstances. Sniffer Appliance: One user was looking for a sniffer appliance to deploy to a number of branch office locations. pfSense offers a web interface for tcpdump that allows the downloading of the resulting pcap file when the capture is finished. This enables this company to capture packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis. DHCP Server Appliance: One pfSense user deploys single interface pfSense installs as solely DHCP servers. DNS Server Appliance: There is a pre-built DNS Server appliance available, pfDNS. This is a custom version of pfSense with a simplified web interface, providing only the functionality desired on a system functioning strictly as a DNS server. Voice over IP (VoIP) Appliance: A FreeSWITCH package is available.

Case Studies http://www.bgnd.com/pfsense: pfSense is the an Enterprise-Grade opensource firewall. It has features that are normally found on high priced firewalls of proprietary nature. There are no licensing issues, has every feature that top brand name firewalls offer, and all it takes to deploy is some time and energy. BGND currently recommends and deploys pfSense opensource Firewalls on many of its customers networks, and specializes pfSense consulting. SGCI Networks: SGCI networks are an Internet Service Provider. Pfsense has been deployed for the SGCI networks as a DNS Server with capitative portal for users to logon to the network and traffic shaper for controlling and limiting of bandwidth for users. PPPoE protocol has been implemented with local user database and using RADIUS server for authentication. Multiple WAN to LAN connections are been enabled and a CARP solution for redundant firewall has been installed. http://www.nycbug.org/index.php?NAV=Home;SUBM=10262

Advantages of pfsense: pfSense is a very powerful and stable project with advanced features. Users of pfSense have reported that it performs well even with hundreds of computers operating behind the firewall. pfSense has all the features of the SOHO units and much more. You can have multiple network subnets separate from each other using firewall rules. It is a very comprehensive and poweful firewall / router Excellent RRD (MRTG like) graphs so you can see visually what is happening with your traffic every which way.

pfSense includes most all the features in expensive commercial firewalls, and more in many cases. FIREWALL STATE TABLE NAT LOAD BALANCING REPORING AND MONITORING DHCP AND RELAY SERVER REDUNDANCY Firewall Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic Able to limit simultaneous connections on a per-rule basis pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Option to log or not log traffic matching each rule. Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.) Aliases allow grouping and naming of IPs, networks and ports. Transparent layer 2 firewalling capable - can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes). Packet normalization - Description from the pf scrub documentation - "'Scrubbing' is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations." o Enabled in pfSense by default o Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations. Disable filter - you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router. State Table The firewall's state table maintains information on your open network connections. pfSense is a stateful firewall, by default all rules are stateful. Adjustable state table size On a per-rule basis: o Limit simultaneous client connections o Limit states per host o Limit new connections per second o Define state timeout o Define state type State types - pfSense offers multiple options for state handling. o Keep state - Works with all protocols. Default for all rules. o Modulate state - Works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) on behalf of the host.

Synproxy state - Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state combined. o None - Do not keep any state entries for this traffic. This is very rarely desirable, but is available because it can be useful under some limited circumstances. State table optimization options - pf offers four options for state table optimization. o Normal - the default algorithm o High latency - Useful for high latency links, such as satellite connections. Expires idle connections later than normal. o Aggressive - Expires idle connections more quickly. More efficient use of hardware resources, but can drop legitimate connections. o Conservative - Tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization. Network Address Translation (NAT)

Port forwards including ranges and the use of multiple public IPs 1:1 NAT for individual IPs or entire subnets. Outbound NAT o Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used. o Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules. NAT Reflection - in some configurations, NAT reflection is possible so services can be accessed by public IP from internal networks. Load Balancing

Outbound Load Balancing: Outbound load balancing is used with multiple WAN connections to provide load balancing and failover capabilities. Traffic is directed to the desired gateway or load balancing pool on a per-firewall rule basis. Inbound Load Balancing : Inbound load balancing is used to distribute load between multiple servers. This is commonly used with web servers, mail servers, and others. Servers that fail to respond to ping requests or TCP port connections are removed from the pool. VPN

pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP. IPsec: IPsec allows connectivity with any device supporting standard IPsec. This is most commonly used for site to site connectivity to other pfSense installations, other open source firewalls (m0n0wall, etc.), and most all commercial firewall solutions (Cisco, Juniper, etc.). It can also be used for mobile client connectivity. OpenVPN: OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems. PPTP Server: PPTP is a popular VPN option because nearly every OS has a built in PPTP client, including every Windows release since Windows 95 OSR2. The pfSense PPTP Server can use a local user database, or a RADIUS server for authentication. RADIUS accounting is also supported. Firewall rules on the PPTP interface control traffic initiated by PPTP clients. PPPoE Server pfSense offers a PPPoE server. A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.

Reporting and Monitoring RRD Graphs: The RRD graphs in pfSense maintain historical information on the following. CPU utilization Total throughput Firewall states Individual throughput for all interfaces Packets per second rates for all interfaces WAN interface gateway(s) ping response times Traffic shaper queues on systems with traffic shaping enabled Real Time Information: Historical information is important, but sometimes it's more important to see real time information. SVG graphs are available that show real time throughput for each interface. DHCP Server and Relay pfSense includes both DHCP Server and Relay functionality

Redundancy CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall. pfsync ensures the firewall's state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.