Odette wrote:
I need to replace our production firewall, and I'd like to use pfSense,
which I've already used successfully for home and small-office environments.
The solution I'm going to replace is based on Linux iptables and requires
more than 1000 rules. I need more than 25 static routes and 5 VPNs.
Furthermore, in the near future we are migrating 2 of our 3 network branches to
Gbit.
The challenge is multi-faceted.

Performance-wise, just use decent modern hardware and you'll have no
trouble routing/filtering multiple Gbit networks. You might have
trouble using 10GBps NICs at full pipe capacity, though you're not
going to solve such problems using Linux either.
Just beware that encrypted VPN traffic requires many processor cycles; if
you need high, sustained-bandwidth VPNs, find a HW crypto accelerator.

Feature-wise, the Linux routing capabilities are more advanced than
what's available in BSD. If you are using policy routing via 'ip route'
with multiple routing tables, you may have to plan in advance (and test)
how your topology can be implemented in pfSense.

Unfortunately, this means you have to actually try and configure your
test firewall before you can know whether pfSense is your best choice or
not.
Angelo Turetta
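The "plan in advance" advice above implies a concrete first step: inventory the policy-routing state of the existing Linux firewall (how many custom routing tables, which rules select them, and how many gateways they point at) before trying to rebuild the topology in pfSense. The script below is an added example and is not part of this thread nor any pfSense or Linux tooling. It parses the text printed by `ip rule show` and `ip route show table <name>`; the sample output it contains is constructed for illustration, and the function names (`parse_rules`, `parse_routes`, `inventory`) are this example's own.

```python
"""Inventory Linux policy routing (ip rule / multiple routing tables) before a
firewall migration.  Added example; the sample command output is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of `ip rule show` output (not captured from a real host).
SAMPLE_RULES = """\
0:      from all lookup local
100:    from 10.10.1.0/24 lookup branch_a
110:    from 10.10.2.0/24 to 192.168.50.0/24 lookup vpn_site
120:    fwmark 0x2 lookup isp2
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed sample of `ip route show table <name>` for each custom table.
SAMPLE_TABLES = {
    "branch_a": "default via 203.0.113.1 dev eth1\n10.10.1.0/24 dev eth2 scope link\n",
    "vpn_site": "192.168.50.0/24 dev tun0 scope link\n",
    "isp2": "default via 198.51.100.1 dev eth3\n",
}

# `<priority>: <selector> lookup <table>` as printed by `ip rule show`.
RULE_RE = re.compile(r"^(?P<prio>\d+):\s+(?P<selector>.*?)\s+lookup\s+(?P<table>\S+)\s*$")

# Tables every Linux host has; only the others represent custom policy routing.
BUILTIN_TABLES = {"local", "main", "default"}


@dataclass
class PolicyRule:
    priority: int
    selector: str
    table: str

    def selector_kinds(self) -> list[str]:
        """Classify which packet attributes the rule matches on."""
        kinds = []
        if re.search(r"\bfrom\s+(?!all\b)\S+", self.selector):
            kinds.append("source")
        if re.search(r"\bto\s+\S+", self.selector):
            kinds.append("destination")
        if "fwmark" in self.selector:
            kinds.append("fwmark")
        if re.search(r"\b[io]if\s+\S+", self.selector):
            kinds.append("interface")
        return kinds or ["catch-all"]


def parse_rules(text: str) -> list[PolicyRule]:
    """Parse `ip rule show` output into rules sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(PolicyRule(int(m["prio"]), m["selector"].strip(), m["table"]))
    return sorted(rules, key=lambda r: r.priority)


def parse_routes(text: str) -> list[dict]:
    """Parse `ip route show table X` output into {dst, via, dev} records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": parts[0], "via": None, "dev": None}
        for key in ("via", "dev"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        routes.append(route)
    return routes


def inventory(rules_text: str, tables: dict[str, str]) -> dict:
    """Summarize custom tables, the rule selectors feeding them, fwmark-based
    rules (which need a firewall-mark equivalent on the target platform) and
    the distinct default gateways (multi-WAN) the tables depend on."""
    report = {"tables": {}, "fwmark_rules": 0, "gateways": set()}
    for r in parse_rules(rules_text):
        if r.table in BUILTIN_TABLES:
            continue
        entry = report["tables"].setdefault(r.table, {"rules": [], "routes": []})
        kinds = r.selector_kinds()
        entry["rules"].append((r.priority, kinds))
        if "fwmark" in kinds:
            report["fwmark_rules"] += 1
    for name, entry in report["tables"].items():
        entry["routes"] = parse_routes(tables.get(name, ""))
        for route in entry["routes"]:
            if route["dst"] == "default" and route["via"]:
                report["gateways"].add(route["via"])
    return report


if __name__ == "__main__":
    rep = inventory(SAMPLE_RULES, SAMPLE_TABLES)
    for name, entry in rep["tables"].items():
        print(f"table {name}: {len(entry['rules'])} rule(s), {len(entry['routes'])} route(s)")
        for prio, kinds in entry["rules"]:
            print(f"  rule {prio}: matches on {', '.join(kinds)}")
    print(f"fwmark-based rules: {rep['fwmark_rules']}")
    print(f"distinct default gateways: {sorted(rep['gateways'])}")
```

On a real firewall, replace the two constructed samples with the captured output of `ip rule show` and one `ip route show table <name>` per custom table; each custom table with its own default gateway maps to a separate gateway in the target design, and each fwmark-selected table is a case where the packet-marking logic of the old ruleset has to be reproduced rather than just the routes.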