review·2026-04-09·11 min read

pfSense CE on FreeBSD: Firewall Distribution Review

Review of pfSense CE on FreeBSD: hardware requirements, package system, VPN options, traffic shaping, high availability, and comparison with OPNsense.

pfSense Community Edition is a FreeBSD-based firewall and router distribution that has been in active development since 2004. Built on top of FreeBSD's network stack, it provides a web-based interface for managing firewalls, NAT, VPNs, traffic shaping, and a wide range of network services. This review covers the current state of pfSense CE, its hardware requirements, package ecosystem, VPN capabilities, traffic shaping, high availability, and how it compares to OPNsense.

What pfSense CE Is

pfSense CE is a complete operating system image derived from FreeBSD. You do not install it on top of an existing FreeBSD system. Instead, you flash the pfSense installer to a USB drive, boot from it, and it takes over the entire machine. The underlying FreeBSD is customized and locked down for routing and firewall duties.

Key characteristics:

  • Based on FreeBSD (current releases track FreeBSD 14.x)
  • Web-based GUI (PHP, built on the pfSense dashboard framework)
  • Stateful packet filtering via pf (Packet Filter)
  • NAT, DHCP, DNS, VPN, and traffic shaping out of the box
  • Package system for extending functionality
  • Free to download and use (CE edition); pfSense Plus is the commercial variant

pfSense is not a general-purpose FreeBSD installation. You cannot easily install arbitrary FreeBSD packages or run unrelated services on it. It is purpose-built for network edge duties.

Hardware Requirements

pfSense runs on x86-64 hardware. ARM is not supported in CE. Minimum and recommended specifications depend heavily on throughput requirements.

Minimum Hardware

  • 64-bit CPU (AMD64)
  • 2 GB RAM
  • 8 GB storage (SSD or eMMC preferred)
  • 2 network interfaces (at minimum, WAN + LAN)

Recommended Hardware

  • Multi-core CPU (Intel Atom C3000 series, AMD EPYC Embedded, or similar)
  • 4-8 GB RAM (more if running Suricata or Snort)
  • 32 GB SSD or larger
  • Intel NICs (igb, ix, ixl drivers) for best FreeBSD compatibility
  • AES-NI support for VPN acceleration

Hardware Compatibility Notes

pfSense inherits FreeBSD's hardware support. This means Intel NICs are first-class citizens. Realtek consumer NICs (re driver) work but are less reliable under high packet rates. Broadcom NICs vary by model. Wireless support is limited and not recommended for production use.

```sh
# Check which NIC driver is in use, from the pfSense shell
ifconfig -a | grep -E "^[a-z]"
```

The output shows interface names that correspond to FreeBSD driver names: igb0, ix0, em0, etc. If you see re0, consider replacing the NIC for production workloads.

For dedicated hardware, Netgate sells official pfSense appliances. Third-party options from Protectli, Qotom, and similar vendors work well if you verify NIC chipset compatibility first.

Installation Process

Installation is straightforward. Download the CE image from the pfSense website, write it to a USB drive, and boot.

```sh
# On a FreeBSD or Linux workstation, decompress the image and stream it onto the USB device
# (the download is gzipped; adjust /dev/da0 to the target device, e.g. /dev/sdX on Linux)
gunzip -c pfSense-CE-2.7.2-RELEASE-amd64.img.gz | dd of=/dev/da0 bs=4m status=progress
```

The installer is text-based and walks through disk partitioning, filesystem selection (UFS or ZFS), and initial interface assignment. Post-install, you access the web GUI at https://192.168.1.1 with default credentials (admin / pfsense).

Initial Configuration Checklist

After the first boot:

  1. Change the admin password immediately
  2. Set the hostname and domain
  3. Configure WAN interface (DHCP, static, PPPoE)
  4. Set DNS servers (or configure DNS Resolver)
  5. Disable the default "allow all" rule on LAN if you want strict filtering
  6. Enable SSH access if needed (disabled by default)

```sh
# From the pfSense console menu, option 8 gives you a shell
# Check the system version
uname -a
```

The Web Interface

The pfSense web GUI is functional rather than elegant. It is built on PHP and provides access to nearly every configuration option. The dashboard is customizable with widgets showing system health, interface status, traffic graphs, and service states.

Navigation follows a menu hierarchy: Firewall, Services, VPN, Status, Diagnostics, System. Most tasks are accomplished through the GUI, though the underlying FreeBSD shell is always accessible via console or SSH.

Strengths of the GUI:

  • Comprehensive coverage of pf firewall rules, NAT, and aliases
  • Visual rule ordering (rules are processed top-down)
  • Built-in packet capture and diagnostic tools
  • Configuration backup and restore in XML format
  • Real-time traffic graphs per interface

Weaknesses:

  • PHP-based interface can feel sluggish on large rule sets
  • Some advanced pf features are not exposed in the GUI
  • No dark mode in CE (pfSense Plus has one)
  • Mobile responsiveness is limited

Package System

pfSense extends its base functionality through packages installed via the GUI under System > Package Manager. Packages are curated and maintained specifically for pfSense. You cannot install arbitrary FreeBSD packages via pkg.

Essential Packages

| Package | Purpose |
|---------|---------|
| pfBlockerNG | IP/DNS blocklists, GeoIP filtering |
| Suricata | IDS/IPS with ET Open and Snort rulesets |
| Snort | Alternative IDS/IPS |
| HAProxy | Layer 7 load balancing and reverse proxy |
| Squid | HTTP caching proxy |
| ntopng | Network traffic analysis |
| Darkstat | Lightweight traffic monitoring |
| Open-VM-Tools | VMware guest integration |

Installing a Package

From the GUI: System > Package Manager > Available Packages. Search and click Install. From the shell (not recommended but possible):

```sh
# pfSense uses its own package management
pkg-static install pfSense-pkg-pfBlockerNG
```

pfBlockerNG deserves special mention. It provides DNS-level ad blocking (similar to Pi-hole), IP blocklists from threat intelligence feeds, and GeoIP-based filtering. It is one of the primary reasons people choose pfSense over simpler router firmware.

VPN Capabilities

pfSense supports multiple VPN technologies out of the box.

OpenVPN

OpenVPN is deeply integrated. The GUI provides a wizard for setting up both site-to-site and remote-access VPN configurations. Certificate management is built in via the pfSense Certificate Manager.

```sh
# OpenVPN listener status from the shell
sockstat -4 -l | grep openvpn
```

Key features:

  • TLS authentication with certificate and optional username/password
  • Push routes, DNS, and domain settings to clients
  • Per-client override rules
  • Client export package generates ready-to-use .ovpn files
  • Supports UDP and TCP transports

IPsec

IPsec support covers IKEv1 and IKEv2 using strongSwan as the backend. Configuration is done through the GUI under VPN > IPsec. It supports:

  • Site-to-site tunnels with PSK or certificate authentication
  • Mobile clients via IKEv2 (EAP-MSCHAPv2, EAP-TLS)
  • Multiple Phase 2 entries per tunnel
  • VTI (Virtual Tunnel Interface) mode for route-based VPN

```sh
# Check IPsec SA status
ipsec statusall
```

WireGuard

WireGuard support was added as a package. It uses the FreeBSD kernel-level WireGuard implementation. Configuration through the GUI covers peer management, allowed IPs, and interface assignment.

```sh
# Check WireGuard interface and peer status
wg show
```

WireGuard on pfSense is stable for site-to-site and remote access use cases. Performance is significantly better than OpenVPN for most workloads, with lower CPU overhead and higher throughput.

Traffic Shaping

pfSense provides traffic shaping through ALTQ (Alternate Queueing) integrated with pf, and through the newer Limiters feature using dummynet.

ALTQ-Based Shaping

The traffic shaping wizard under Firewall > Traffic Shaper creates queues using PRIQ, CBQ, or HFSC disciplines. You define queues with bandwidth allocations and assign traffic to queues via firewall rules.

```sh
# View current ALTQ queue statistics
pfctl -vsq
```

ALTQ works but has limitations:

  • Does not support multi-WAN shaping per interface group
  • Queue configuration changes require a filter reload
  • Limited to interfaces that support ALTQ in their drivers

Limiters (dummynet)

Limiters provide per-IP bandwidth caps using FreeBSD's dummynet. This is the right tool for enforcing bandwidth policies per user or per subnet.

```sh
# View dummynet pipe configuration
ipfw pipe show
```

Limiters are configured under Firewall > Traffic Shaper > Limiters. Each limiter defines a bandwidth cap and optional delay/packet loss for WAN simulation.

High Availability

pfSense supports active/passive high availability using CARP (Common Address Redundancy Protocol), pfsync for state table synchronization, and XMLRPC for configuration sync.

Setup requires:

  • Two identical pfSense installations
  • Dedicated sync interface between the two nodes
  • CARP VIPs on each interface pair
  • pfsync enabled on the sync interface
  • XMLRPC sync configured on the primary node

```sh
# Check CARP status from the shell
ifconfig | grep carp
```

Failover is automatic. When the primary node goes down, the secondary takes over the CARP VIPs within seconds. State table sync ensures existing connections survive the failover (for TCP, this works reliably; UDP is stateless anyway).

Backup and Restore

pfSense stores its entire configuration in a single XML file: /cf/conf/config.xml. This file contains all firewall rules, NAT mappings, VPN configurations, package settings, and user accounts.

```sh
# Backup from the command line
cp /cf/conf/config.xml /tmp/config-backup-$(date +%Y%m%d).xml
```

The GUI provides backup/restore under Diagnostics > Backup & Restore. You can also enable automatic configuration backups to an encrypted cloud service (AutoConfigBackup) if you register a Netgate account.
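Because config.xml holds user accounts, password hashes, IPsec pre-shared keys and certificate private keys, a plain `cp` into /tmp leaves a world-readable copy of all of them. The script below is an added example, not code from the page or from the pfSense project: it checks that the source really is a pfSense configuration, names the copy after the configuration format version and a timestamp, verifies the copy byte-for-byte and keeps it owner-readable only. The sample config.xml is constructed for the demo; `demo_backup` and `config_version` are this example's own helpers.

```sh
# Constructed minimal config.xml (not a real pfSense export) to exercise the
# functions below; a real file also carries users, rules, VPN keys and more.
SAMPLE_CONFIG='<?xml version="1.0"?>
<pfsense>
    <version>22.9</version>
    <system><hostname>fw1</hostname></system>
</pfsense>'

# Print the configuration format version from the first <version> element of $1.
config_version() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$1" | head -n 1
}

# Copy $1 (a config.xml) into directory $2 under a versioned, timestamped name,
# verify the copy byte-for-byte and make it readable by the owner only.
# Prints the path of the backup; returns 1 on any failure.
backup_config() {
    src=$1
    dir=$2
    # Refuse anything that does not look like a pfSense configuration document.
    if ! grep -q '<pfsense>' "$src" 2>/dev/null; then
        printf 'refusing: %s is not a pfSense config.xml\n' "$src" >&2
        return 1
    fi
    dest="$dir/config-backup-v$(config_version "$src")-$(date +%Y%m%d-%H%M%S).xml"
    # umask 077 in a subshell so directory and file are created mode 700/600
    # without changing the caller's umask.
    ( umask 077 && mkdir -p "$dir" && cp "$src" "$dest" ) || return 1
    cmp -s "$src" "$dest" || { rm -f "$dest"; return 1; }
    printf '%s\n' "$dest"
}

# Write the constructed sample to a scratch directory and back it up, printing
# the backup path. On a real node point backup_config at /cf/conf/config.xml.
demo_backup() {
    work=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_CONFIG" > "$work/config.xml"
    backup_config "$work/config.xml" "$work/backups"
}
```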

Performance Characteristics

pfSense routing and firewall performance depends on hardware. On modern x86-64 hardware with Intel NICs:

  • Routing throughput: line rate on gigabit, 5-10 Gbps on 10G hardware
  • Firewall rule evaluation: minimal overhead with pf, even with large rule sets
  • OpenVPN: 200-500 Mbps with AES-NI on modern CPUs
  • WireGuard: near line rate on gigabit
  • IPsec: 500 Mbps-2 Gbps depending on cipher and CPU

Running Suricata or Snort with full rulesets will reduce throughput significantly. On a 4-core Intel Atom C3558, expect 500-800 Mbps with Suricata active.

```sh
# Quick throughput test using iperf3 through pfSense
# Run on a LAN client against an iperf3 server on the WAN side
iperf3 -c <WAN-side-server> -t 30
```

pfSense CE vs OPNsense

This is the inevitable comparison. Both are FreeBSD-based firewall distributions forked from the same m0n0wall ancestry.

| Aspect | pfSense CE | OPNsense |
|--------|-----------|----------|
| Base OS | FreeBSD 14.x | FreeBSD (HardenedBSD patches) |
| GUI Framework | PHP custom | Phalcon PHP (MVC) |
| Plugin System | Curated packages | Extensive plugin repository |
| Update Cadence | Slower, less frequent | Faster, more frequent |
| IDS/IPS | Snort or Suricata (package) | Suricata (built-in) |
| WireGuard | Package | Built-in |
| API | Limited (xmlrpc) | Full REST API |
| License | Apache 2.0 | BSD 2-Clause |
| Commercial Model | pfSense Plus (Netgate) | OPNsense Business Edition (Deciso) |

pfSense CE has a larger install base and more community documentation. OPNsense has a more modern GUI, a proper REST API, and more frequent updates. For new deployments, both are viable. If you need API-driven automation, OPNsense has a clear advantage. If you rely on specific pfSense packages like pfBlockerNG, pfSense is the better choice. See the OPNsense review for the other side of this comparison.

Common Issues and Troubleshooting

DNS Resolution Failures After Install

The DNS Resolver (Unbound) is enabled by default. If you also configure DNS Forwarder (dnsmasq), they will conflict on port 53. Disable one.

```sh
# Check what is listening on port 53
sockstat -4 -l | grep :53
```
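Reading the grep output by eye works for one box; the following is an added example, not code from the page or from the pfSense project, that parses `sockstat -4 -l` output and fails when more than one daemon is bound to port 53, which is exactly the Unbound/dnsmasq conflict. Both sockstat listings are constructed samples, not captured from a real system.

```sh
# Constructed `sockstat -4 -l` output (not from a real system) for a box where
# Unbound (DNS Resolver) and dnsmasq (DNS Forwarder) are both bound to port 53.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    12345 4  udp4   *:53                  *:*
unbound  unbound    12345 5  tcp4   *:53                  *:*
nobody   dnsmasq    23456 4  udp4   *:53                  *:*
root     sshd       789   4  tcp4   *:22                  *:*'

# Same format with only the DNS Resolver running.
SAMPLE_SOCKSTAT_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    12345 4  udp4   *:53                  *:*
unbound  unbound    12345 5  tcp4   *:53                  *:*'

# Print the distinct daemon names bound to port 53, one per line, from sockstat
# output on stdin. Column 6 is LOCAL ADDRESS ("*:53" or "127.0.0.1:53"); the
# anchored pattern does not match port 5353 (mDNS).
port53_listeners() {
    awk 'NR > 1 && $6 ~ /:53$/ { seen[$2] = 1 } END { for (c in seen) print c }' | sort
}

# Evaluate one sockstat listing ($1): return 0 when at most one daemon owns
# port 53, 1 when two or more conflict.
check_port53() {
    listeners=$(printf '%s\n' "$1" | port53_listeners)
    count=$(printf '%s\n' "$listeners" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        printf 'CONFLICT: %s daemons bound to port 53:' "$count"
        printf ' %s' $listeners   # unquoted on purpose: one word per listener
        printf '\n'
        return 1
    fi
    printf 'OK: port 53 owner: %s\n' "${listeners:-none}"
}

# Run against the constructed samples when executed directly.
check_port53 "$SAMPLE_SOCKSTAT" || echo "-> disable either the DNS Resolver or the DNS Forwarder"
check_port53 "$SAMPLE_SOCKSTAT_OK"
```

On a real node, feed it live output with `check_port53 "$(sockstat -4 -l)"`.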

Package Installation Fails

pfSense packages require matching the repository to your pfSense version. If packages fail to install, verify your version and check Diagnostics > DNS Lookup to confirm DNS resolution is working.

Slow GUI on Large Configurations

With thousands of firewall rules or aliases, the GUI can become sluggish. Use aliases aggressively to reduce rule count. Bulk operations are better handled via the shell and pfctl.

```sh
# Reload pf rules from the shell
pfctl -f /tmp/rules.debug
```

Frequently Asked Questions

Is pfSense CE still free?

Yes. pfSense CE remains free to download and use. pfSense Plus is the commercial product sold with Netgate hardware and available as a software subscription. CE continues to receive updates, though at a slower pace than Plus.

Can I run pfSense in a virtual machine?

Yes. pfSense runs well on VMware ESXi, Proxmox, and bhyve. Assign at least 2 vCPUs, 2 GB RAM, and pass through or use virtio NICs. Performance will be lower than bare metal, particularly for VPN workloads.

Does pfSense support VLANs?

Yes. VLANs are a first-class feature. Configure them under Interfaces > VLANs. Each VLAN gets its own interface with independent firewall rules, DHCP, and DNS settings.

Can I use pfSense as a transparent bridge firewall?

Yes, but it requires specific configuration. Set up a bridge interface under Interfaces > Bridges, assign the member interfaces, and configure filtering on the bridge. This is less common than routed mode.

How do I update pfSense CE?

From the GUI: System > Update. pfSense checks for available updates and provides a one-click upgrade process. Always back up your configuration before updating. Major version upgrades may require a clean install.

Is WireGuard stable on pfSense?

WireGuard on pfSense uses the FreeBSD kernel module and is stable for production use. Earlier implementations had issues, but the current kernel-native version is reliable.

Can I run pfSense on ARM hardware like Raspberry Pi?

No. pfSense CE requires x86-64 hardware. There is no ARM build. If you need a FreeBSD-based firewall on ARM, OPNsense has experimental ARM support.

How do I migrate from pfSense to OPNsense?

OPNsense includes a pfSense configuration importer. Export your pfSense config.xml, install OPNsense, and use the import tool during initial setup. Not all settings transfer perfectly, so plan for manual verification.

What is the difference between pf and ipfw in the context of pfSense?

pfSense uses pf (Packet Filter) exclusively. ipfw is not used by pfSense. The traffic shaping limiters use dummynet pipes, which are technically part of ipfw, but firewall rules are all pf.

How many firewall rules can pfSense handle?

There is no hard limit. pfSense deployments with 10,000+ rules exist. Performance impact is minimal because pf uses optimized rule evaluation. The GUI is the bottleneck, not pf itself.
