Switching from PFSense


I am System Administrator and using PFSense since last three years for my 80 users traffic. I am using below features of PFSense:

  • Squid
  • Squid Filter (content filter)
  • Multi WAN (Two ISP only)
  • Traffic routing between ISPs
  • Load Balancing & Failover
  • IPSEC (Two tunnels active all the time)
  • OpenVPN (For remote user to connect my site)
  • DNS
  • Bandwidth Monitoring

Above are must require features however I also use NRPE plugin to monitor my firewall performance, SARG reports to see proxy user reports, user bandwidth report live and archive both so can come to know who use what and how much.

However, since last three months PFSense become unstable and all features together doesn’t work properly so on one side I am trying to fix those issues and on second side I am looking for alternative and come to know about nethserver.org.

Do you think all above features are supported and will work in production environment? I am digging in installation and configuration documents on sites though for more details.




Hi @rahul.dhakan, welcome on NethServer community!

I’m a developer here and looking at the feature list above I think you should feel comfortable with NethServer. For instance, we’ve recently released some improvements of the Policy Routing interface for Multi-WANs. However there are a lot of firewall experts here that could help with a pfSense comparison!

@malvank @JOduMonT @filippo_carletti @giacomo @delusion @rothere @AZChas @davide_marini and many others

HI @rahul.dhakan,
I looked at the features you’re currently using on PFsense and I think you could switch quite easily, you’re covered on all points of your list and the new Routing Policy interface allows you to manage MultiWan routing without any hassle.
NethServer make use of lightsquid instead of sarg, because it provides similar results, but it’s faster and require less space on disk.
For the bandwidth Monitoring you can use ntopng that has interesting features specially on the live side, about the monitoring of firewall performances you can use collectd, both ntopng and collectd are present among the standard packets of nethserver.
If you want to use something that works with Nagios you should easily find something for CentOS 6.7.

I just want to point out one big difference beetween PFSense and NethServer:
while PFSense shows a lot of fields in the web UI and allows you to customize quite a lot of your configuration directly from web ui, NethServer instead has a simpler webUI interface that ask you almost just the strictly needed fields to make work your configuration.
Usually this kind of approach works well for all the majority of cases and is faster to configure.
For the cases not covered by the web ui you can still do anything you want using the console and the templates-custom approach.

1 Like

Hi Davide,

Thanks for your mail. I am having trouble at first configuration of my site to site IPSEC VPN from Sonicwall to new configured nethserver which is fine on my current running PFSense firewall.

Do you suggest any related document for the same?



Guys, I think Rahul plans to setup NS as IPSEC client (in office 2) for Sonicwall which is setup in office 1. NS will be replacing a pfSense installation should the above features met his requirements. He is now stuck in configuring NS as IPSEC client.

Rahul, did I get the facts right? What version of NS are you using? In anyways, I think the IPSEC documentation in Admin manual will be able to help you. I quote on how to setup 2 NethServer for IPSEC tunnel to tunnel connection:

If you are creating a tunnel between two NethServer, given the firewalls A and B:

  1. Configure the server A and specify the remote address and LAN of server B. If the Remote IP field is set to the special value %any,
    the server waits for connections from the other endpoint.
  1. Configure the second firewall B by mirroring the configuration from A inside the remote section. The special value %any is allowed
    in one side only!

If an endpoint is behind a NAT, the values for Local identifier and Remote identifier fields must be set to custom unique names prepended with @. Common names are the geographic locations of the servers, such as the state or city name.

Apologies, I have no VM to test the settings. You’ll need to configure NS to mirror the settings of IPSEC in Sonicwall.