Are you in the market for a new router (here’s how to pick one)? If you want to have enterprise-level features, consistent upgrades, and a reliable system you should consider building or buying a pfSense router. Here are 6 reasons why.
Like many, I started off buying a router because I wanted multiple devices on my network to have access to the Internet. I purchased routers primarily based on cost. As I started to get more sophisticated I was drawn to DD-WRT. The ability to take a regular router and add support for static leases, improved firewall features, better traffic analysis and many other features was too much to pass up. I ran DD-WRT on my routers for a while. Eventually, my old Netgear WNDR4000 started to show its age, and I decided it was time for a new router.
Initially, I considered buying a new router that was DD-WRT compatible, but I started to look at custom build options too. I was intrigued by all the support and positive information about pfSense and as I researched I found it clicked all the boxes of standard features I was using with DD-WRT:
- LAN/WAN Router
- Port Forwarding/NAT
- Wireless access point
- Static DHCP leases
- IPv4 and IPv6
- Logging in a standard syslog format for easy log centralization using Graylog
It also allowed me to step my game up around many other features. I chose to go with pfSense over other router options (e.g. buying off the shelf, Sophos, DD-WRT, and others) for the following 6 reasons.
1. Advanced security
If you have read a few of my other articles, you know that I believe security is of paramount importance for your home network. It is increasingly important as more sensitive information in our lives goes digital and we increase our interactivity with technology. I decided to get serious about improving my home network security and I use the following pfSense features to do so:
- Snort. This is an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) that uses sophisticated and regularly updated rules to detect and prevent attempts by hackers to penetrate your network. As an alternative to Snort, you can also run Suricata on pfSense. I went with Snort because I had some familiarity with it from running Security Onion.
- pfBlockerNG (excellent tutorial from Rob Turner on TecMint). This package allows you to block known lists of malware sites, hacker IPs, block regions, and other blocks of sites in order to protect your network. These lists can be automatically updated, allowing you to set up this protection and then just let it run.
- Squid and ClamAV (credit for this tutorial to Kapitein Vorkbaard). These packages prevent you from visiting sites with known malware and speed up your web browsing by intelligently caching pages locally. This really can speed up some browsing when you have many different devices connecting to the same sites.
2. VPN options
Running a VPN service on your home network has a number of advantages including:
- Securely allowing you remote access to your home network resources. When you are away from home you can use VPN to securely do things like view your security cameras, view media on your home network, and view and configure home systems.
- Securing and encrypting your Internet transmissions when you are on an untrusted network. By default, you shouldn’t trust guest and public wifi hotspots. Using a VPN to encrypt your network traffic on these connections protects your privacy.
pfSense offers several VPN options, including IPSec, PPTP, L2TP, and OpenVPN. I have configured OpenVPN at home, which affords me secure access to my home network as well as privacy on public networks. I even get notified whenever someone connects to my VPN.
3. Network management options
pfSense has networking functions that many basic SOHO off-the-shelf routers don’t have. Ones I find of use are:
- Time-based Internet access. You can apply schedules to firewall rules, which gives you granular control over which devices on your network have Internet access at specific times.
- VLANs. Virtual LANs allow you to segment your network resources. You can use this to give priority Internet access to certain network resources or to prevent some network devices from accessing other network devices, such as segmenting your IoT devices.
- Traffic Shaping (QoS). This allows you to set rules for which types of traffic receive priority Internet access on your network. This is useful to make sure your streaming videos aren’t constantly buffering or to make sure your online gaming receives preference.
4. You can choose your own hardware
The ability to choose your own hardware allows you to match the specs of your router with the needs of your network. You may have 2 WAN connections or desire multiple VLANs. Then you can purchase hardware with the appropriate number of network cards. Maybe you already have great access points like I do, in which case you don’t have to buy any wireless gear for your router.
You may need to buy more powerful hardware if you are going to run a VPN server or an IDS/IPS like Snort or Suricata. You can even decide to virtualize your router.
You can also replace the router provided by your Internet service provider, often even if they say it is required. I did this when I switched over to fiber.
The point is you can buy hardware to your exact specifications, and then you can extend that hardware if your needs change. Here’s help choosing the right hardware for pfSense.
5. Failover tolerant
pfSense has a couple of different ways in which it provides failover tolerance.
- Multi-WAN. This allows you to have more than one Internet connection for increased speeds and/or failover. A good failover strategy would be to have your primary hard-wired Internet connection fail over to a cellular connection using a cellular dongle or by using a bridge to connect to a wifi hotspot.
- CARP. CARP stands for Common Address Redundancy Protocol and it allows multiple routers to share a virtual IP address so that when one goes down, the other one immediately takes over and the rest of the network goes on as if nothing happened. Setting this up might be the way to go for those of you paranoid about always having your Internet connection and other routing features up and running. You’ll need 3 IPs from your ISP.
6. pfSense is well-supported
When using pfSense you have a lot of avenues for support:
- Updates. pfSense regularly releases security and feature updates. You never feel that you are using software that is falling behind.
- Official Documentation. pfSense has its own documentation site that is extensive, searchable and regularly maintained. You can find everything from how-tos to technical documentation.
- Forums. The pfSense support community is strong, knowledgeable and responsive. You can get an answer to almost any problem here, as well as assistance troubleshooting or implementing features.
- Paid Support. Although most home users will not be interested, there are paid support options. Honestly, for the home user, the documentation and forums should be more than enough support.
- Unofficial documentation. I even have some tips and tricks to help you get the most out of pfSense on this site, as well as 6 configuration tips you should consider after you complete your install.
These are the primary reasons I use pfSense. Since switching, I have been very happy with the stability, features, and support. I’ve even taken steps to virtualize my pfSense router so I can easily spin one up on any host. If you need more reasons to use pfSense have a look at its full feature set. If you’ve already selected your pfSense hardware and are ready to start your install read this pfSense planning advice first. Finally, once you’ve got pfSense up and running, you’ll want to keep pfSense upgraded the right way.
Do any of you use pfSense or some other homebuilt router solution? Let us know what and why in the comments or contact me on Twitter.