There are some limitations of pfSense 1.0 that maybe don't apply to your setup (also just a quick shot from what comes to my mind at once):
- The ftp-helper will only work at WAN when using multiwan/loadbalancing
- Loadbalancing only works for connections running through pfSense (services that run at the firewall directly, like the squid package, can't use loadbalancing or multiwan)
- NAT reflection only works for portranges with less than 500 ports and not for 1:1 NATs
- Not all services work well with loadbalancing. This however is NOT a pfSense problem but poor protocol design or poor application code at the client side.
- You need static gateways to use the loadbalancing pool for outgoing loadbalancing
- Trafficshaping only works correctly for 2 interfaces (at least from what you can do with the webgui)
- If you run CARP (which is something that you should consider for an install of that size) each node needs a dedicated IP that can't be shared/handed over, however they still can be forwarded or used on the single node.
- After CARP failover all already established connections will be in the default queues
- IPSEC will only work with at least one static IP at one end
- Routing via IPSEC needs parallel tunnels to work
- Shaping and filtering inside IPSEC tunnels doesn't work (however you can filter traffic incoming at the end before the traffic goes into the tunnel if you control both ends)
- You can only bridge wireless interfaces to another interface if the interface is in hostap mode
- You can only have a bridge group with 2 interfaces
- Traffic shaping won't work on a bridge
- Captive portal can only be enabled at one interface
- DynDNS can only be used for the original WAN interface

Several of these limitations are already fixed in the head release or seem to be fixable but need time to be implemented/tested. Keep in mind this is Version 1.0 and it has been feature frozen for several months already while development on the head code tree continued.
We absolutely don't recommend running HEAD atm and we don't support it either, just in case you want to ask why not run HEAD ;-)

Concerning hardware:
- You should consider using some high-end machines with a fast PCI bus, as all traffic has to pass the bus and the CPU and you plan to run several IPSEC tunnels
- Like Bill said, each state takes a bit of RAM. You should consider this when calculating your hardware

Holger

> -----Original Message-----
> From: Odette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 06, 2006 4:20 PM
> To: [email protected]
> Subject: [pfSense-discussion] Known PFsense Limits?
>
> Hi all,
>
> I need to substitute our production firewall, and I'd like to use PFsense
> which I've already successfully used for home or small office environments.
>
> The solution I'm going to substitute is based on Linux-iptables which requires
> more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
>
> Furthermore, in the near future we are migrating 2 of 3 network branches to
> Gbit.
>
> I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event
> I spend half a week setting up the new PFsense and writing down all the
> rules to see that PFsense is not the right solution.
>
> Is there a rules number limit or a session number limit implemented in
> PFsense?
>
> Does somebody have some expertise in similar situations?
>
> Anybody able to supply info or suggestions?
>
> Thanks in advance
>
> Odette
