What needs improvement with pfSense?

One area where Netgate could improve is communication with its user base. While they make an effort, much of their user base isn't composed of enterprise-level engineers who regularly read release notes and stay abreast of feature changes. A few years ago, they held a commendable meeting with forum moderators to discuss upcoming changes, which was appreciated. However, they could enhance their communication further by providing more precise information about changes and release timelines for new features.

I want pfSense to add some next-generation firewall features. The scalability has room for improvement.

When we were setting up VLANs, there was some information about the way the ports, switching, and other things were done inside. Their UI could have hidden some of the complexity better so that it was easy to understand or more general. They could have given some more clarification on the markings on the outside of the machine. There were some questions as to what port was what and how that links to what was being asked in the software. Those things were not always very clear. The features that I wanted have been added, but I have not taken the time to look at them. I am a big fan of WireGuard, and they have added that, but I have not taken the time to install it yet. Its features are complete for our needs. If I have to ask for anything, it would probably be more education on bolting on some of the XDR platform stuff that is out there, but it is feature-complete. I know that all this exists. It is just taking the time to get educated on it, which is probably on my side.

The overall documentation has room for improvement. Currently, we need to search forums for answers, as the official documentation by Netgate is not very helpful. The community support is excellent, and there should be a feedback loop to incorporate missing information from the community forums into the official documentation.

We are a security shop. It would be very useful if we could place pfSense appliances in customer environments and remotely manage them.

One thing that has always bothered me is that when I buy an appliance, there are two tiers of support: email-only and a premium tier, like TAC, that allows me to speak to someone on the phone. If I'm purchasing their hardware, I should have phone support for a certain period, even at the lower price point. My only complaint is that I need phone support, not just email, because if there's a support issue, I don't have time to wait for an email response. I need to speak to someone immediately. Therefore, I think I should receive TAC support for the Netgate pfSense for at least the first year after purchasing the hardware.

I would like them to have more security platforms. The pfBlocker is nice, but they don't have anything native for CrowdSec or Fail2Ban. I'm running CrowdSec on a web server instance on my server instead, but I'd like to move more of these services to the edge and put them in pfSense. I think that's something that's coming. I don't know if Failed2BAN is, but I'm sure CrowdSec is a popular platform, so it would be nice to have a package that's native to the platform.

The only thing that could be better is the hardware compatibility for LTE devices. This is a bit tricky for me; I wish the hardware compatibility were better for LTE devices. I wish the FQ_CODEL limiters were improved. They're very good, but the FQ_PIE limiters don't work well. FQ_PIE limiters are important for cable modem connections. In Germany, we have a lot of cable providers for these interfaces, and the FQ_PIE limiters don't work well in pfSense.

I would like to see a single pane of glass for multiple devices. From a service provider standpoint, it is a bulletproof operation to deploy. Aside from being able to manage and monitor multiple devices from a single pane of glass, that would be the only thing I would change.

I would like to see a subscription-based tech support option as opposed to this flat yearly rate. I'd like to see more of a monthly tech support feature. I think that would be helpful for a different type of consumer. So, there could be more room for Netgate to expand. To me, it would have been nice to have a little bit more tech support at first. But since I'm becoming so satisfied with this system I'm developing, I'm gonna step up anyway into the TNSR software. And when I do that, I get unlimited tech support. So, it's kind of like this: if I don't want to pay for tech support, I teach myself and learn how the device works. And that's what I've basically done to this point. It's pretty plug-and-play but some of it is, like, if you don't configure it correctly, it just doesn't work. I had a couple of instances where I was setting it up, and I set it up a certain way twice where I just didn't configure it in a way that it worked. I put so many security features in that I had locked myself out from even being able to log in. So, it would be better to make tech support more accessible because they're really good at what they do, like behind the scenes. They know how to configure things through the terminal differently than I was. System Reports: Reports would be good, like system reports and functionality. Dumbing it down a bit more would help, too. We do have a Setup Wizard , but it is even less complicated in terms of setting it up because the user guide is 2,000 pages long. So, the manual itself is, like, 2,000 pages for this device. If Netgate could make it a little bit less complicated for users. But, part of this appliance goes to IT departments anyway. So, they're more adept at setting it up than your average consumer. So that's generally who buys these things and sets them up. It's like your IT community usually gets involved with these because they understand that when you buy a computer, and you just start logging into the Internet, you've created a sort of dangerous atmosphere that not everybody understands by not making it safer. Everybody understands that when you log in if you don't even play with the settings on your computer. You're basically just setting yourself up to put your data out there like it's some type of free-for-all.

pfSense does offer a convenient single-pane dashboard, but I believe it could be improved with additional features. For instance, an administrator log for team members to record notes, such as adding a nameserver, removing user accounts, or other relevant information, would be beneficial. This simple log within the main status page could enhance communication and collaboration among the admin team. While the current status screen provides most of the necessary information, this extra feature would be a valuable addition. It would be beneficial if Netgate provided a table outlining the recommended maximum WAN port speeds for their various models. The documentation doesn't align with what I'm seeing on the console. This is frustrating because the online documentation doesn't match the dashboard, leaving me unsure of the correct steps to take.

I would like clear guidance on supported network interface cards, including detailed performance metrics for various models. While I understand the focus on selling appliances, more comprehensive documentation for those building their own systems would be beneficial. Specific throughput numbers and other statistics for Intel, Broadcom, Mellanox, and other cards are needed. Additionally, reinstating the ability to visualize long-term RRD data through built-in graphs would be valuable, as the current live traffic display offers limited insights.

I am unsure if it's feasible, but I have previously utilized a web VPN interface with Cisco Firewalls that allows VPN connections through a website, eliminating the installation of VPN software. Such a feature would be a valuable addition to pfSense. Additionally, an easy method to monitor pfSense within other monitoring software would be beneficial.

Sometimes it's a bit of a challenge to know how to do something when you want to do something, for instance, setting up a point to point VPN. Configuration is sometimes a challenge just due to a lack of knowledge on my side. I find that if I don't set up the rules correctly, and this goes to lack of knowledge of being an expert in the firewall space, it's a bit of a challenge sometimes in setting that up. I would ask them to update it to a more modern interface, as it does look a little tired compared to GUIs today. However, the features are there. A redesign would be greatly appreciated, just from a human engineering aspect. It might be easier if they separated things out a little bit more instead of putting all the aspects of what pfSense can do for you in a single menu. For instance, they have services, and they have all the services that you could have on your system. It's a lot. Sometimes I find it difficult to find the data visibility that I would need in the interface to then go make a data-driven decision. pfSense helps optimize performance. From a performance standpoint, setting up firewall rules does a great job of laying out exactly what those rules are. The layout of the firewall rules makes it easy to create a secure environment on my home network, albeit not very big. However, all the features are within the firewall, and I can create individual rules and organize the rules.

The first time we deployed it, it was kind of tricky. There were many configurations. You need to first configure the alias, then you have all the IPs ordered correctly, and you can start to manage the VLANs. It would be ideal if we could implement in an easier and efficient way. One time, we tried to configure a wireless AP to the firewall and that was tricky. Understanding the interface was hard. It could be easier. The displays of all the plugins could have a better layout. You have to search through all of them to find what you need. They need a search button.

I'm hard-pressed to think of a needed additional feature. It would be nice to see which packages are officially from pfSense and which are from a third party in the package manager.

Something that we would really love to see is a real single pane of glass management for multiple clients. Having a reseller portal of some kind that allows us to easily remotely access all the different pfSense gateways that we have out there (like Meraki does with their equipment) would be ideal. Right now, we have to manage client by client and just maintain access per site, basically.

It would be nice for the code optimization to run on even slower processes. It's optimized quite a bit, but there's always room for improvement.

Netgate pfSense needs to have a single dashboard for managing all devices. As an enterprise customer, I expect Netgate's sales personnel to inform me of the new devices that are coming out. For example, there was a time when I was getting ready to buy a device, and then I thought that I needed to hold on, and so the order failed. I thought I needed to wait a few days before ordering a new device. I was getting ready to order another device, which was Netgate 1541, but after two days, Netgate 8300 was released, and it was far better than what I was getting ready to buy. I was really disappointed that the salesperson from Netgate didn't ask me to hold off on my decision to buy Netgate 1541. You don't have to tell me that something brand new is coming out if you don't want to spill the beans or anything like that, but it would have been nice if Netgate had asked me to hold off on my decision to buy Netgate 1541. I was getting ready to buy a product that would have been, immediately two days later, an old technology. I just expect more from a salesperson. When going through Netgate's website, while trying to buy Netgate 1541, I saw there was a list of features at the bottom of the product page, so I had to select the features I wanted, but I couldn't have all the features at the same time, and the website would prevent me from adding extra features, which actually was the cause for the order to fail. I had added features that you can't have at the same time, but nowhere on the website did it say anything like that, and that led to a delay in my time frame. I was trying to get something to solve a problem at a certain time, and then it wasn't until a day later, a day and a half later, that Netgate called and said that I couldn't have all of the tool's features, which was something that messed up my installation time. Issues with the product are associated with feature requests. It is not necessarily the box itself but more of the company that needs to consider improving its approach. For the box itself, everything in a single frame should be released.

I think the tool requires more strategic improvements than we need it to be in the present. With Netgate, considering that I work in a firewall market, I know that its problem is not just in its features. It needs improvements in terms of the strategic vision, where the product should go, and what market it should be for in the future. Netgate needs to figure out if they want to strive for the SMB business and the home market or if they want to attempt to reach out at an enterprise level. I don't think Netgate knows where they want to go with or without a plan. I think Netgate is still trying to devise a plan by itself as to which market it wants to fall into, which can make it more profitable for the tool. There is nothing that Netgate pfSense could do to make me feel any better about the product. I love the product, and I will use it until I die. It is a really good product. Improvements are needed in the area of the company's strategic vision and based on where the solution needs to go in the future. I spoke about north to south and east to west since the world is moving towards the concept of zero trust. If you are a CISO or a CIO and you are trying to achieve a zero-trust architecture, you need to check if Netgate is on your list of companies that would help you achieve it. If I consider the CIOs I speak to, Netgate doesn't even get mentioned in our talks. I do not require improvements in the product. It is feature-complete. As a firewall, Netgate pfSense can be described as a very feature-complete product for the market space in which it currently operates. Strategy and vision of the product are the areas with shortcomings where improvements can be made so that Netgate pfSense can figure out where the product should go in the future. It will provide Netgate with choices like whether it wants to go towards a zero trust architecture if it wants to go towards the east-to-west direction if it wants to go towards big enterprise or go into Layer 7 traffic. My answer regarding the need for improvement in the product is going to be more of a strategic-based one rather than from a technical point of view because the product is excellent.

It would be great for the solution to have better logs. Some of the solution's graphs that show visibility on system performance or session count lack resolution. For example, you may only be able to see the session count by day if you want to look back more than a month. In contrast, we would want to see the session count fluctuate by an hour or five-minute increments. It would be helpful to be able to query larger data sets, even if you had to break them up into smaller subsets.

The solution should provide a single pane of glass and a management console for all devices.

Some of the functions are not menu-driven. You have to know to click here, then go over to this setting and click here. It would be nice if the solution had a wizard for some of the complex functions. When trying to walk people through something, I have to look at the video or read their document.

The solution's internal logging could be improved. However, it does have some external logging capabilities. It would be more problematic if you didn't have a very robust environment. We developed our own internal API about five to six years ago, but I hear all the time on newsgroups that one of the solution's biggest problems is API.

My only suggestion is that Netgate pfSense implement more graphical monitoring. While there are accounts with add-ons for graphical monitoring of data networking, IPS, IDS, and firewall-level events, having more graphical representations like blocks would make the tool more capable. Although it has commercial support and a good GUI, it can still be challenging for someone without firewalls, command lines, and networking knowledge. Adding features to the solution through packages is somewhat limited. The marketplace doesn't have as many options as you might expect. One example is the IPS/IDS system. Netgate pfSense still uses Snort 2.9, even though version 3.0 has been out for about a year. Version 3.0 offers important improvements like multi-core support, significantly speeding up processing. The solution seems slow to update to newer versions of these third-party packages. The tool should provide beta versions with the latest package updates sooner so users can benefit from new features and improvements. Another issue is the lack of a package marketplace. Despite being open source and customized by many developers globally, there isn't a wide selection of community-created packages. The reasons for this aren't clear to me - it could be security concerns or other factors. Based on my experience using Netgate pfSense for about four years, I can't say the improvements in our environment are solely due to the product. It's a combination of Netgate pfSense and another monitoring tool we use. Monitoring is crucial. The easier the monitoring and user interface, the simpler our team can work on and investigate issues. Accessing data becomes more difficult when you use commands or other complex methods. With our third-party tools, log viewing is very straightforward. The tool logs everything important. This was helpful when our site was slow, and we needed to determine why. The logs from Negate pfSense and our IT systems help us identify issues. However, the solution's combination with a third-party monitoring tool provides a graphical interface. This makes it much easier to review logs and pinpoint problems. If Netgate pfSense had a better graphical interface, it would be one of the best products available. I think the graphical interface should be much better and easier to monitor. For example, I encountered errors when I installed HAProxy, a load balancer available in the solution. It was difficult to determine the errors because the backend wasn't working properly. It took us a long time to identify the exact issue because more detailed error information isn't directly available in the current interface. You must go through different steps to trace and see what errors are coming up. If the tool could improve in this area and provide more error details directly in the interface, that would be beneficial. As for packages, if they could update to newer versions of third-party packages more quickly, that would be helpful. I understand they might not be able to use the very latest versions immediately, but if they could provide updates within three to six months of a new package release, users could try new features sooner. One additional feature that would be helpful is SAML authentication. Many companies now use Azure or AWS; in our case, we use Office 365 for email and authentication. If SAML authentication was available in pfSense, we could have integrated it with Office 365, allowing users to log in directly using their existing credentials. The tool can integrate with Azure AD internally, but SAML or two-factor authentication, such as SMS, would provide better security. Firewalls are usually kept behind the scenes and not exposed, but this feature would be useful in some cases. We've offered Netgate pfSense to many clients, managing it for them and migrating them from existing firewalls. They're generally happy with the change. However, some clients were looking for these additional authentication features. While we can integrate with Office 365, a direct connection option would be beneficial.

The configuration could be a little more intuitive. It's a little trickier to set up - things like the OpenVPN - than it should be. However, once you get this configured, it seems solid as a rock, and it just works. The solution needs better error messages in the VPN. It's kind of a bear to configure. That could be streamlined or smoothed out. That said, I do not do this 40 hours a week like some people. I wear a lot of different hats. Still, when it comes to configuring, it always seems to be a little more involved.

We do not have a single pane of glass management. It would be nice to have. There are some firewalls that let you have cloud-based management like software as a service. pfSense doesn't allow you to have a central place where you can check everything. I have to remote into local networks and then pull up an individual dashboard.

Having a single pane of glass management is on their roadmap. If you have multiple instances, you have to manage these deployments across a wide area. I'm required to keep a third-party product. The main feature that I could see them adding would be a management interface that lets me manage multiple pfSense instances. As an MSP or consultant, it would be very helpful if I could manage them all from one place. There are some modernization efforts on the operating system that are needed. Possibly looking at Linux-based operating systems to allow newer features, better hardware support, et cetera, would increase performance. They should continue to expand in bracing the software and appliance model and expanding reach to cloud providers other than just Amazon. It would be nice if they had a supported appliance on GCP as well. I have customers on Google Cloud, and this would be helpful. They need a more streamlined or documented approach to how they would like to see virtualized or alternate hardware deployments supported. If I build my own hardware, sometimes I don't know what the best type of hardware is to go with, and having some streamlined documentation and explaining the best practices would be helpful.

I'd like to see it become more of a next-gen firewall or deep packet inspection, however, I'm very happy with the way it is as of now.

The solution could improve by adding in some sort of user account credentials in the sense of accommodating more levels of users. From what I've found, everybody has basically the same access. A formal partnership with some sort of VPN vendor, like OpenVPN, would be nice.

We do have a sort of single pane of glass for management purposes. You do have to dig around. If we had, for example, ten pfSense routers deployed, it would be nice to have one console where you could see all ten devices, update them, and keep them all central. A management portal would be very nice.

I don't think pfSense's web filtering solution is the best, so I don't use it for that purpose. They could add a little better web filtering solution to pfSense. They have solutions in place, like SquidGuard, but they aren't very good. Another feature about pfSense I would improve is adding a single pane of glass management for multiple units I manage across the municipal district. I would love to manage all those devices through one single pane of glass, but that's not a deal breaker for me.

The intrusion protection system is provided by a third-party provider that's verified by pfSense. It would be best to have an option for IPS because when you deploy pfSense to a SOC, you have to subscribe to another IPS provider. The IPS should be a default feature. On the other hand, that's also the benefit of pfSense because you can also acquire another IPS solution.

PfSense could better utilize the interface and dashboard and include some packages in the built-in solution. For example, pfSense is sharing some other packages. You have to download and configure them within the package manager of pfSense. Some of those important ones, like the IPS and the monitor, could be installed on the solution's image and configured.

Two key areas need improvement: the traffic profile and better centralized management. It would be great if we could have a single pane of glass for managing multiple appliances running in different locations. Sophos has much better centralized management, but you're paying an arm and a leg for it. The management is good, but it's quite basic. If I have multiple instances deployed, I can't manage the information like I would when I use something like Sophos Central to manage multiple devices in different locations. The portal is still not well-tuned. There are still issues regarding implementation and its effectiveness. But besides that, everything else is great, from the purchase to implementation, setup, etc. Only the portal needs a lot of work.

We're doing a lot of OpenVPN tunnels, and some of the fields in the OpenVPN setup on the server side do not lend themselves to multiple sites. It's kind of ugly. It's a big list of allowed IP addresses. I'd much rather see that via the table individually. The individual firewalls have a single pane of glass view, but we have so many of them. You need to log into each to manage them.

I don't think pfSense is as good about monitoring as it could be. There are logs, but they're kind of hard to get to. You need to send it to a log monitoring system. It's good about monitoring and learning this. You'll get an alert if there's an issue with the firewall itself, but it's not detecting security attacks. PfSense has the bare necessities essentially, but it isn't an advanced firewall that protects against layer 7 attacks or DDoS. It's not on the same level as Palo Alto, for instance. You can add some higher-level security features, but it doesn't do that out of the box. Maybe there's another functoin we can add to it, but it feels like it's not catching more advanced attacks.

Snort or Suricata don't block things they should out of the box. It's always been a pain point of pfSense. If you turn on Snort or Suricata for IPS or IDS, no setting is effectively set and forget. Turning any commercial firewall to the lowest setting will provide you with a decent amount of security with almost zero false positives, but pfSense is not that way. You've got a babysit Snort and Suricata to the point where sometimes you turn it off. I know one of their rising competitors, OPNsense, has the ETS rules. I forget who provides it, but you turn on a rule set, and they just work. They have a built-in set of rules for Snort and Suricata that you turn on and it provides a reasonable amount of security. That has always been a pain in the neck with pfSense. It's the single biggest thing that they could do to improve it. Honestly, they're losing business OPNsense for that one reason.

pfSense is very flexible, but my only drawback in terms of flexibility is that it is web GUI-driven. I know that there are some shell interfaces, but it is not a very heavily developed API when it comes to automation or configuration-as-code management. I would love to see that developed in the future so that I am able to manage my network configuration in YAML and TOML text format, have those changes applied in a source code environment, and have those changes read into an API that could then drive the configuration rather than have always having to use the web GUI just to make some layout changes. Web GUI has its advantages, but there are times when being pinned into that workflow is less efficient. They should support the idea of configuration management as code from source code and provide a more robust API for managing the pfSense configuration. I know that with the web GUI, everything is dumped into an XML file. That is how it is backed up, and that is how it is imported. It is machine-readable and all that, but it is not necessarily a modern data format that would be used with API typically. They are maybe thinking of moving to REST API and SQLite backend. I do not know what they have in mind. I do not really care how they do it, but I would love to have the ability to interact with my configuration and make incremental changes via source code and utilize the API to implement those changes and roll them back with configuration as code as a strategy for managing my pfSense.

One or two of the plugins didn't do what I wanted them to do. Maybe that was a misunderstanding or it's not quite ready yet. Sometimes, it's hard to wrap my head around the way the firewall rules work.

There are a lot of features I want to see simplified in the product. I want to see the licensing model part to be improved in the product. Those who need to do certain functions from their house would purchase Netgate pfSense Plus while configuring their machine, but if they have another network added to it, then it would basically change the ID of the device, and they have to go and request to get relicensed. Netgate pfSense will help you with the relicensing part for one time, but if you need to do it a second time, then you will have to pay for a new license, and that, to me, is not very fair. I think if you have paid for a year of service, it shouldn't matter how many times you need to request to rekey the license as long as it is not every other day. Two to three requests in a year shouldn't be an issue, and if I add another network card, why should I pay for a new license when there is not much of a difference. The only thing that I would like to get some better utilization of is the ability to do free switching. If I need to go between different VLANs, I have VLAN 19.1 and VLAN 19.2, and I strictly use Netgate pfSense, but it doesn't route very efficiently and works quite slowly. I understand that it is not the router, but a lot of times, Netgate pfSense advertises it as a tool that is able to route traffic. I had to go in and purchase a separate router to manage my internal VLANs because Netgate pfSense was just choosing between the VLANs I had.

One thing that stuck out to me was the move to use plastic chassis on the Netgate devices or products. They are moving away from using metal chassis, and I find that the plastic seems to get hotter than the metal. Other than that, they are such great devices. They always seem to have all the cool things and bells and whistles. One thing I would like to see Netgate do is to have a cloud-based management portal, similar to SonicWall, WatchGuard, Ubiquiti, etc. With all these platforms, you create an account, and you have a way to cloud-manage these products. Currently, one of the challenges that we face is not being able to manage those things from a centralized platform. It has always been one thing I have dreamt of for Netgate. That is the only place where it falls short. Apart from that, they are far superior in building, keeping up with the times, and keeping things current.

I can’t get any area where improvements are needed in the tool off the top of my head. I haven't had any challenges I couldn't resolve between myself and the support. Maybe Netgate needs to see if a medium-level Netgate pfSense Plus can be created for smaller organizations. Most of what I need is already in the tool. If there is any need associated with it, I will be sure to report it to the support team.

It has a lot of features, but I wish there were even more features. Some of the features I am looking for are still not there in pfSense, like, for example, content control. Because I have kids, I want to control the content or what they watch. There is a feature in pfSense called pfBlocker, but it is limited. If I set that up, it is blocked by an IP address. Sometimes my devices are borrowed by my kids. They are able to get a full connection to the Internet, but their devices are limited. If content blocking is added to pfSense, it would be great. If I can block content by a user, that will be a preferred solution. The frequency of feature releases can be better. We have been waiting for some of the features for a while, but they have not been released. I know they prioritize what is used in the enterprise area, and then they provide some features for regular consumers like me. If they can balance that 50:50 and focus equally on the enterprise and consumer suggestions, it will be great. The interface and support are perfect for me. I saw a post on their blog that they will be moving to the Linux operating system. Hopefully, they would have better wireless because the wireless for pfSense is horrible or horrendous. If they move to Linux, hopefully, they will improve it.

The only feature I want to add is cloud management. I'll be an early adopter of that one. We're ready for that feature, and it's one of the few missing things, so that'll be excellent when it comes. Another thing that's primarily an issue for us is that Netgate may soon stop production of the 1100. That's what we use for our telephony gateway. It doesn't need to be high performance, but it does need to be low cost. If they stop it and make the 2100 the lowest, that will be problematic for us. We will need to start using something else because it will become too expensive for our purposes. Effectively, we are using it as just a VPN gateway, and 1100s are great for that. What's annoying is that we cannot buy the 1100s directly because we're not a partner, and it isn't approved for connection to Australia, so we need to buy it through a company that went out and got it approved. We lose a bit of margin doing it that way. We can buy 2100s and above directly, but we must go through a reseller to get 1100s.

Updating some of the packages can be a bit difficult. It's hard to stay on top of them all. There also might be a bit of a lag on updates. If they could get to something like Meraki, where I could remotely log in and not have to deploy a package to do that, that would be nice to have. It would be helpful if they had more documentation. Some online details seem out of date and you have to spend a lot of time going through forums to uncover what everyone else is doing.

Netgate pfSense can improve by adding a different OS layer other than FreeBSD.

pfSense lacks a centralized web dashboard for viewing all my clients' pfSense dashboards. A single pane of glass for both web access and management would be a game-changer. This missing interface is my biggest frustration with pfSense, and improvement is sorely needed. I have clients all over the United States and would deploy many more pfSense firewalls if it had a centralized web dashboard.

I'd love a centralized management system for multiple pfSense appliances. This is where Netgate could improve. Redesigning my network for seven pfSense units sounds like a daunting task, especially with the need for individual configuration. A single pane of glass for managing everything at once would be a game-changer, streamlining the process significantly.

We have not had any problems with it, and we also do not have a need for any new features. If anything, its reporting can be better. Sophos has better reporting than pfSense. Sophos has more detailed information. pfSense is not as detailed. It is summarized.

There are several levels of firewall configuration such as beginner, advanced, and expert configurations. At each level, it becomes more complex and more tricky to set up the firewall. For example, if you want to install the firewall on your computer system, it would be a lot easier if it just tells you that this is the internet NIC and this is the Wi-Fi NIC. It would also be interesting if we could add an interface for DNS versions. It will be a multisystem to make all the blocks of the DNS. I know that firewalls are different from DNS, but if we could take advantage of everything in a single system, that would be lovely.

For the third-party packages, I'd rather have it built-in, like a core feature of pfSense, part of the core model. This feature of pfSense would be great, instead of relying on a third-party module.

The Netgate forums and community don’t provide extensive discussions and topics related to every pfSense service.

Netgate pfSense needs to improve the configuration for a VPN.

They rely on third-party tools, unlike Fortinet, for example, which has its own tools. In comparison, we also use third-party tools on pfSense. For example, we had a situation where we needed a tool to identify authorized users, and when I searched for a solution, I found a third-party tool. However, using such tools may come with additional costs.

One concern I have with Netgate pfSense is related to packet filtering. Specifically, issues can arise with certain functionalities like GP, and, at times, there may be bugs. When creating IP lists, I've noticed that synchronization doesn't always function correctly. While it's not entirely dysfunctional, troubleshooting these synchronization problems can be quite challenging.

The solution’s interface must be improved.

The product must provide integration with other solutions.

It was difficult to configure our web printer through the solution. This process could be easier. Additionally, integration with SD-WAN solution.

The solution could be more user-friendly, and the graphical interface needs some work so that someone without an IT background can use the application. I would like the ability to manage the on-premise appliance from the cloud. When I'm not in the office, it would be great to connect to the pfSense server and administer the network remotely.

2FA for the GUI and command line.

Also, possibly something similar to RKHunter, to detect configuration file changes on the system.

More documentation would be great, especially on new features because sometimes, when new features come out, you don't get to understand them right off the bat. You have to really spend a lot of time understanding them. So, more documentation would be awesome. In terms of features, for my use, I don't see anything wrong with it. I basically get what I need from it by default. I build my firewall, so I only rely on the software. On the software side, there is not much to improve right now. So, at this point in time, I don't see anything, but I always welcome any kind of upgrades that they do. I always try them out and see if I can use them in the company or not, but so far, there are no complaints on my end.

I expect a better interface with more log analysis because I create my own interface.

The integration could be improved.

The web is evolving every day. So, the product should be constantly improved with more regular updates. Things are constantly changing. There are obsolete protocols, and then there are new protocols. For my own use, it is not an issue, but for somebody who is more at the forefront of internet browsing, it could be a problem. There could be a way to remote to it through a mobile app. You can always browse through your browser on your mobile phone or tablet, but it would be good to have a dedicated app. I understand that iOS and Android developers are expensive, but there should be a mobile app.

It would be great to add more to security. I know that pfSense has a lot of features, but I don't know how to configure and enable them. That is why I am looking into my support options. I am looking for better security and performance.

pfSense could improve by having a sandboxing feature that I have seen in SonicWall. However, maybe it is available I am not aware of it.

The user interface can be improved to make it easier to add more features. And pfSense could be better integrated with other solutions, like antivirus. For example, pfSense could add templates with firewall policies that a user can customize. I haven't tried to integrate pfSense with Microsoft Active Directory, but in Mozambique, we use many Kaspersky antivirus solutions. If pfSense integrated with these antivirus solutions, everything would be much more stable because most of the companies here have a different kind of security solution. Within a single company, you might find two or three different antivirus suites. So, for example, there could be an open-source solution that you get for free, but you can pay for the support if you want it. So for solutions like that, it would be great.

There is a need to increase the technology on the area of WAF, the web application firewall. I would like to be more knowledgeable about the firewall, so I may best use it to solve customer problems. The integration should be improved.

The usage reports can be better.

As an IT leader, it would be a benefit to have a mobile application to have certain features, such as mobile application notifications when a new device is added, or the ability to turn off or on firewall policies. Having these simple features would be very convenient and reduce the need to have to log into the console. I can use a web browser on my phone to access the pfSense site but I would prefer to have an application where I can toggle things, such as the policies. Some simple features within a mobile application would be valuable to me. I have evaluated other solutions and have determined this feature does not currently exist. However, Untangle has an application but it was not enough to compel me to change at this point. In an upcoming release, the reporting could be more user-friendly. For example, the reporting in graphs and charts for the host can be cumbersome.

I'd really love to see the web interface enhanced. It's good but it could be clearer and more straightforward. As a FreeBSD fan, I'd love to see a BSD license code, rather than a GPL license code. I'd also love to see a Sandbox and more security features. pfSense is a mature product, but if you compare it to other products in the market, you realize that pfSense is a little behind.

The stability could be improved. Whenever there is an update, in spite of developments I may have made, I am required to make certain changes to the coding.

There are some bias issues and some intrusions in our network that have to be addressed. So, we're thinking of changing this firewall to something like a professional hardware-enabled firewall.

pfSense has some limitations in detecting site sessions. We want to control internet usage based on sites and their content, and pfSense doesn't perform this function. The site itself could be improved; it's not easy to find the things that you want to implement and apply. It would be good if it had more features like Sophos does.

I tried pfSense, and it has a big issue with file system consistency, and this is what drove me to OPNsense. The file system stability is quite a big issue for us. We have a lot of outages related to power issues, and OPNsense is much more stable on this side. I would like it to be more stable on the file system part. It also has an issue with the ARP publishing, but it's common to BSD, and some providers experience issues with Layer 2 connectivity.

I have been using WireGuard VPN because it is a lot faster and more secure than an open VPN. However, in the latest version of pfSense, they have removed this feature, which is one of the main features that I need. They should include this feature.

We are at the moment looking to use it as a proxy service so that we can limit what websites people go and view and that sort of thing. That's an area I've struggled with a little bit at the moment and it could be a bit easier to set up. The only other thing I might look at would be some sort of antivirus type of aspect to check traffic coming in and out of the network. If they offered unified threat management, that would be an ideal outcome for us. I have been looking at it as a sort of an appliance, rather than installing it on an actual PC. However, that's for future research first.

The VPN feature of the solution could improve by adding better functionality and providing easier configure ability.

The integration of the plugins into the GUI could be better. It's sometimes hard to find where a setting can be found or how it might interact with other settings. Some documentation is outdate and plugins sometime have no documentation. Information can always be found on the fora but for novice users this can be a challenge.

We did have a strange issue with an update at one point, however, that was resolved quickly. If you want to take advantage of all of the solution's options, you need to have a bit of a technical background. It's not for a layperson. You do get a good solution for free. However, the trade-off is you need to be technical to really take advantage of it. The installation could potentially be faster.

The interface is not very shiny and attractive. Most of the people that use pfSense are highly skilled, so they don't even bother to go the extra mile when it comes to configuration or any protection mechanisms. With other firewalls, with just one click or with the assistance of a wizard, the service is already configured. With pfSense, you have to have some time to do your own research regarding how to fine-tune it. If that could be improved, then life would be much easier. This would help any entry-level users to adapt to the platform. Netgate, the mother organization that manages the pfSense platform, should offer organized security feeds for its users so that they can avoid configuring multiple types of feeds in multiple locations. That could generate extra revenue for the company, too.

As I said, the product is fantastic. It could use a little bit of improvement in the reporting — the reporting is virtually non-existent. Something like a reporting module would be a benefit. Otherwise, in terms of the performance, at least for my organization, I don't see much of a problem. By this, I mean that we cant generate reports of trends etc that could be exported out of PFSense in terms of a PDF etc to see how the firewall is functioning... Though I must say that the work around for this could be to use the pfsense zabbix plugin and integrate to a Zabbix platform and then use the Zabbix reporting capabilities to get the required reports... Not much of an effort for the technically sound persons but definitely not in the scope of those from a non technical perspective...

They can improve the dynamic of the input of IPs from outside. Determining the IPs that are outside would be another way to identifying potential threats. We can treat it or identify and then block it or determine the rules to work with that IPs from the outside and inside the network.

The access control aspect of the product could be improved. There should be more control over everything that the user is doing. It should be able to log and report on everything users are doing. The product no longer complies with new rules in Brazil. Therefore, we need to move off the solution.

The main problem with pfSense is that it lacks adequate ransomware protection. I would also like pfSense to be more robust like Cisco or Fortinet.

There's always room for improvement. In general terms, for someone who is not familiar with the product I think ease of use could be improved. When you're connecting, the interface is very difficult for an inexperienced user in the sense of setting everything up, as it all has to be set manually. I've also found that the more features you use influences performance and the drop can be drastic when you use advanced features. I want to achieve a certain level of security and at the same time maintain good performance. The solution is feature rich enough, but one of the things usually outside the UTM system or gateway system is SIEM. It's an advanced system for managing the possibilities and it would be nice to have a kind of interface in the UTM, to enable connectivity with most SIEM systems.

Ease of use is a problem for a user who is unfamiliar with this product because, in the interface, everything has to be set manually. It would be more user-friendly if things were set automatically. The drop in performance can be drastic when you use more advanced techniques. There is some trade-off between having a certain level of security and maintaining acceptable performance. One of the things that are usually outside of the UTM, or system on the gateway, is the SIEM. It is an advanced system for managing the possibility of threats. It is not normally part of such devices but it would be nice if the pfSense interface were integrated with it.

They could improve their commercial stance and be more agile when it comes to the commercial pricing of enterprise deals. For a feature update, they should increase the API integrations into decentralized identity platforms making it stronger.

I would like to see the dashboard modernized. If you look at some of the other providers, their dashboard is more modern looking. Also, simplifying the rules for the GeoIP. Making it simpler to understand would be an improvement.

Their support could be better in terms of the response time.

I cannot recall any features that are lacking. There's a bit of a learning curve during the initial implementation. You do have to pay extra for better customer service.

There is more demand for UTMs than a simple firewall. pfSense should support real-time features for handling the latest viruses and threats. It should support real-time checks and real-time status of threats. Some other vendors, such as Fortinet, already offer this type of capability. Such capability will be good for bringing pfSense at the same level as other solutions.

Many people have problems setting up the web cache for the web system. They should put an anti-spam in a web application firewall.

I've never tried it in large environments. All my clients are small businesses with a handful of employees, so I am not sure how it works in large environments. I keep up with recent versions, and there's nothing I'm waiting for, and nothing breaks when I get a new version.

The solution could use better reporting. They need to offer more of it in general. Right now, the graphics aren't the best. If you need to provide a report to a manager, for example, it doesn't look great. They need to make it easier to understand and give users the ability to customize them.

It would be ideal if the solution could integrate with Snort and OpenVPN. The technical support needs to be improved.

The problem with open-source is that no one can take responsibility. It needs to be more secure. Security needs improvement. It's always better to have an agreement, an SLA regarding security. You should outsource your security to another company.

As an open-source solution, there are so many loopholes happening within the product. By design, no one is taking ownership of it, and that is worrisome to me. Integration with other products could be improved. It needs log research integrated within it to make it more useful for our purposes.

Right now we have to use a lot of third party plugins with other providers that have their own built-in features so I'd like to see layer 7 advanced firewall features included in the solution. It would definitely improve the product.

The user interface could be improved, it's a bit clumsy and clunky.

The solution can be complex. It needs a bigger team with more coding skills than what we have at our disposal. With our skillsets, we're facing a lot of limitations. We're a team of four who handles 12 independent companies under a larger umbrella. Our workload is already quite high. We need solutions that lessen it, not enhance it. The solution requires a lot of administration. The solution would work better for us if the user interface had some kind of unifying feature that didn't just do firewalls. Sophos, for example, offers so much more. You get one license and you're good to go. Everything's handled from the anti-virus to the network and the traffic and monitoring. Sophos is really user friendly and easy to master. It's easy to get rules put in. pfSense offers none of these things beyond just the firewall capabilities.

The domain blocking lists need to be improved. The supported list for domain blocking is community-maintained, and I would like to see something from the manufacturers of pfSense that is a little more global. I would like to see different graphs available in the reporting.

I haven't experienced many problems when dealing with the solution, so I don't know if there are areas that need improvement. If a user doesn't have a large amount of experience in Linux systems, they will have problems using this solution. Users need to be highly skilled in troubleshooting competency. Users who do not have such skills will find the product difficult to use. Sometimes if your network goes down, you might experience an issue on the captive portal. This may require a restart and it also may require that you load it again. I'm used to the system, so I know what to do, but it can happen from time to time. It can be really easy to deal with Technical support. Technical support is avaible every time I call . But sometime if Technical support do not privide you the solution, so you should double check and solve the issue by your self.

ClamAV AntiVirus can cause some crashes. That service should be improved.

We would like to see ready-made profiles to cover most users' needs.

This product needs improvements with respect to reporting and auditing.

I would like to see SD1 integration into the software. That would be fantastic.

Some suggestions for improvement of pfSense are: * Adjustment in the interfaces: I had to adjust those interfaces manually and of course that is a great feature that you can restore it but it is immediately also one point for improvement. If you don't have to adjust, if it's just stamped and it works, that's great. * With regard to the Community Edition, when I installed it, we use Proxmox as an equivalent of PMWorks and I installed the Community Edition in Proxmox. That was very difficult to get to work at first. A lot of tweaking. That is very, very not easy. * When I'm inside of my network and I go to a URL, the URL points to a server inside my network. It doesn't hang, but I don't get a response. It just stays blank. * I can imagine that inside my network, I am going outside, and it points to the public address, so I can reach it. With eSoft, without any adjustment, it worked, and I was able to do that. I went to search pfSense for an option, and I had some documents open to read about how it is done, but it isn't clear enough. It's not that easy. I would appreciate it if I could get easy help on that.

It has everything I need, but the main drawback of pfSense is that it's not user-friendly. I hope to have something to make the interfaces more user-friendly. I would also like to see some documentation that can help with use cases or that has advice and tips. I have found some documentation available but it's usually from an earlier version. If they develop this, pfSense will be the best. The only thing that Fortigate is better than pfSense is that they have 24/7 support. pfSense also needs improvements in the intrusion detection area.

While I agree spam filtering is not included or an option with the system, I don't necessarily hold that against the product as there are a number of other services that do it far better than a firewall could. If you use Office 365, Microsoft's implementations are likely to be far superior to what you'll get from a firewall. However, with that said, the one item I wish it included, even if it was a subscription-based service, is the inclusion of an AV and/or threat intelligence. This would elevate the solution well above other alternatives.

* I would like to see multiple DNS servers running on individual interfaces. * It would be useful to manage firewall policies on a source interface and destination interface basis.

* The central point of management, like the long-rumored pfCenter. * Better parsing of logs: At the moment, you have to use an external server for this if you want a deeper analysis.

Layer 7 filtering has been taken away from pfSense. They would like us to use Snort, which is a good thing, but I would like them to make the Layer 7 thing easier. The one reason that we did not go with pfSense is that it is not centrally managed like Meraki, where you log into the website and can see all your services there. This is the only reason why we are going with Meraki. We would like to be able to see is all the configurations from a central interface on all our pfSenses.

A malware blocker should be included. I do not know if it is included yet. However, until now, we have not experienced a large malware invasion. There are a few features not included, and when you have to use those features, you have to pay for them. I know that I should change the current pfSense solution. I should change it because we have only one key port on it. Our internet access also has a key port now, I should have two key ports, one to the LAN and one to the WAN. Therefore, I want to change it, because it gives us less speed. I could provide the speed, but there are not two key ports on it. Therefore, I now have to choose a new pfSense solution, or I could look at another vendor similar to what we have.