PfSense – Why I Use and Love it?

Like most people, I too started my journey on broadband internet with an ISP supplied modem-router device. It didn’t take me long to discover that these devices were a compromise – something the ISP supplied to meet a low price-point. They would stop working and need to be rebooted every few weeks if I was lucky, or every few days if I was not. In the beginning my allocated bandwidth was significantly lower than what the technology, ADSL at that time, supported. So I didn’t initially notice the capacity or performance weaknesses of these routers, but as bandwidth and subsequently the number of devices and connections grew, these weaknesses became obvious. My ISP-supplied router would grind to a halt when subjected to a few hundred connections during a BitTorrent session.

Over time I did some research and learnt how better quality routers that you could get in the market could overcome these weaknesses. DD-WRT was the in-thing – a custom firmware that could add additional features, configurability and often better performance to many common router models than what the manufacturers’ firmwares could. I was using a TP-Link modem-router combo at that time. I had purchased it myself after my ISP-supplied one failed. It overcame many of the weaknesses of the ISP-provided one, but it was still a low-end model that wasn’t supported by DD-WRT.

It didn’t take me long to find out that I could use bridge-mode to use only the modem part of the modem-router so that I could use a different device as my router. I did have a Netgear wireless router at that time that I was using only as an access point. I could move the router function to this device but even this wasn’t supported by DD-WRT and by itself even this didn’t seem any better than the TP-Link modem-router in terms of routing performance.

This is when I came across pfSense. This was an OS and software combination that could transform a regular PC (with 2 network interfaces) into a really powerful router with lots of interesting features and add-ons.

I had enough hardware with me at the time to give this a try. I think I just had to get a cheap network card for the second interface.

And it was impressive! The user interface alone was nothing like I’d seen on a router firmware before. That was several years ago and the interface has gotten even better with time. Here’s what the dashboard looks like in the current version.

The pfSense dashboard. Some sensitive items are masked.

pfSense is primarily touted as a firewall and while it’s always good to have a capable firewall protecting your network, I was more interested in the routing capabilities and the ancillary features. And pfSense delivers on that front handsomely. I’m not talking about just the usual port-forwarding, dynamic-DNS and UPnP controls that most consumer-grade routers provide to varying degrees. Let’s see some of the features pfSense offers that I use.

  • DNS Resolver: Most routers forward all your DNS requests to one or two DNS resolver servers that you specify. Often these are your ISP’s but you could also try some that might be more reliable or even faster. Using different DNS servers can also let you bypass DNS-level blocks that your ISP might have put on some domains. But that’s beside the point here. With pfSense you can have your own DNS server running with the router. While you will still need to specify a few upstream DNS servers to resolve the domains, the resolver on your pfSense box will act as a cache to resolve frequently used domains right there instead of having to forward every request to the upstream servers. And you can specify a large list of upstream DNS servers (compared to the usual 2 on most routers) to have a good mix of speed and reliability.
  • HTTP cache: While this is becoming less relevant these days with the widespread use of HTTPS and ever-increasing bandwidth and data quotas, you can run a Squid transparent HTTP proxy and cache on your pfSense box quite easily. This will help cache frequently accessed pages and reduce your internet access traffic while letting you access the pages faster. But like I said before, almost everything nowadays is on HTTPS, so this isn’t of much use anymore.
  • DHCP server: Huh! What’s the big deal there? Every router has one! But the one in pfSense has some capabilities I really like. If you like having static/fixed IP addresses for your LAN devices, this lets you do that without having to set static IPs on each device. Just maintain a list of static mappings on the pfSense DHCP server configuration by linking MAC addresses to your defined static IP addresses, and the DHCP server will assign those addresses to the respective devices whenever they ask for one. Want to send out a different DNS server in your DHCP responses than the one your pfSense router provides? Possible! A different DNS server to particular DHCP hosts? Covered!
  • NTP server: You can run your own Network Time Protocol server for all your devices to sync their clocks to. Being on the local network, it’s much faster to access than anything on the Internet and hence more accurate. You specify a list of upstream NTP servers and it works out the most accurate time based on latency and other factors.
  • Built-in VPN options: pfSense has built-in clients for L2TP, IPsec and OpenVPN. While I used the OpenVPN client to connect to my remote OpenVPN server for a while to let me access my LAN from outside, I am no longer using this. I currently use Tailscale which is much more convenient.
  • Traffic monitoring: Want to know how much data is being passed in and out through your Internet connection every month, day or hour? You can do that with pfSense. If you have a data cap or quota from your ISP, this lets you track your usage and know how well you’re utilising your quota. While your ISP’s portal may also let you see this, I feel pfSense is much more accurate, flexible in displaying the data and easier to access.

While these are just a few of the features I use and like, pfSense has many more that may be of use to you. For example, you may be interested in utilizing the captive portal to control Internet access and quotas for your guest users. You can even set up traffic shaping.

Here’s something that I haven’t tried myself yet but is possible with pfSense. Get 2 different Internet connections from different ISPs. pfSense can let you use both simultaneously, automatically load-balancing between the two and giving you redundancy in case of failure. A good option if you’re running a small office or business.

The firewall is also something I like having. My current ISP puts their users behind their own NAT. So all users are in something like a big LAN and are free to make mischief with other users. At times I have seen suspicious port scans on my router’s WAN interface and pfSense has successfully blocked these.

As for the hardware, pfSense doesn’t actually need much. While I initially started with some old leftover components, I later built a dedicated machine with the following components.

  • Gigabyte GA-J1800M-D3P Motherboard with built-in Intel Celeron J1800 2.41GHz dual core CPU
  • 2GB DDR3 RAM
  • A cheap 32GB SSD – pfSense barely needs any space
  • 2 Intel-based network cards – non-Intel chips like the ones from Realtek sometimes don’t work.

This CPU was important for me. Being a router, this would run 24×7 and under normal conditions pfSense is not very power-hungry. So I needed a CPU with low power consumption. The Gigabyte GA-J1800M-D3P motherboard comes with a pre-mounted Intel Celeron CPU and passive heat-sink (no fan). The Celeron J1800 only has a 10W TDP, so a passive heat-sink is enough. It would be quiet and wouldn’t have much of an impact on my power bills.

I got these in 2017 and they are doing a pretty good job for my 250 mbps Internet connection and 20-30 devices. If you have a Gigabit connection or if you have many more devices connecting simultaneously, you may need to increase your RAM and CPU specs a little. I’m sure you can get a much more powerful CPU at a similar TDP now. The pfSense website has recommended specs for different use cases.

So if you like playing around with computers like me and want to supercharge your Internet router, give pfSense a try! I’m sure you’ll love it just like I did!
