Differences

This shows you the differences between two versions of the page.

--- pfsense:about_pfsense [2020/11/27 12:36] – created peter
+++ pfsense:about_pfsense [2020/11/27 19:34] (current) – peter
@@ Line 6: / Line 6: @@
 ===== State Table =====
-The firewall’s state table maintains information on your open network connections. pfSense is a [[http://en.wikipedia.org/wiki/Stateful_firewall|stateful]] firewall, by default all rules are stateful.
+The firewall’s state table maintains information on your open network connections. pfSense is a [[http://en.wikipedia.org/wiki/Stateful_firewall|stateful]] firewall, and by default all rules are stateful.
 Most firewalls lack the ability to finely control your state table. pfSense has numerous features allowing granular control of your state table, thanks to the abilities of OpenBSD’s pf.
@@ Line 39: / Line 39: @@
   * NAT Reflection – in some configurations, NAT reflection is possible so services can be accessed by public IP from internal networks
-----
-===== NAT Limitation =====
+<WRAP info>
+**NAT Limitation**
-PPTP / GRE Limitation – The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server.  This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet.  A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server.  The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server.  This is not a problem with other types of VPN connections.  A solution for this is currently under development.
+PPTP / GRE Limitation – The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server.
+This means if you use [[http://en.wikipedia.org/wiki/Pptp|PPTP]] VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet.
+A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server.
+The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server.
+This is not a problem with other types of VPN connections.
+A solution for this is currently under development.
+</WRAP>
 ----
@@ Line 49: / Line 61: @@
 ===== Redundancy =====
-CARP from OpenBSD allows for hardware failover.  Two or more firewalls can be configured as a failover group.  If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active.  pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.  pfsync ensures the firewall’s state table is replicated to all failover configured firewalls.  This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
+CARP from OpenBSD allows for hardware failover.
+Two or more firewalls can be configured as a failover group.
+If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active.
+pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
+pfsync ensures the firewall’s state table is replicated to all failover configured firewalls.
+This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
 ----
@@ Line 61: / Line 83: @@
 ===== Load Balancing =====
-Outbound load balancing is used with multiple WAN connections to provide load balancing and failover capabilities.  Traffic is directed to the desired gateway or load balancing pool on a per-firewall rule basis.
+Outbound load balancing is used with multiple WAN connections to provide load balancing and failover capabilities.
+Traffic is directed to the desired gateway or load balancing pool on a per-firewall rule basis.
 ----
@@ Line 73: / Line 97: @@
 ===== VPN =====
-pfSense offers three options for VPN connectivity, IPsec, OpenVPN, e PPTP.
+pfSense offers three options for VPN connectivity, [[http://en.wikipedia.org/wiki/IPsec|IPsec]], [[http://openvpn.net/|OpenVPN]], and [[http://en.wikipedia.org/wiki/Pptp|PPTP]].
 ==== IPsec ====
-IPsec allows connectivity with any device supporting standard IPsec.  This is most commonly used for site to site connectivity to other pfSense installations, other open source firewalls (m0n0wall, etc.), and most all commercial firewall solutions (Cisco, Juniper, etc.).  It can also be used for mobile client connectivity.
+IPsec allows connectivity with any device supporting standard IPsec.
+This is most commonly used for site to site connectivity to other pfSense installations, other open source firewalls (m0n0wall, etc.), and most all commercial firewall solutions (Cisco, Juniper, etc.).
+It can also be used for mobile client connectivity.
 ==== OpenVPN ====
-OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems.  See the OpenVPN website for details on its abilities.
+OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client operating systems.
+See the [[http://openvpn.net/|OpenVPN]] website for details on its abilities.
 ==== PPTP Server ====
-PPTP is a popular VPN option because nearly every OS has a built in PPTP client, including every Windows release since Windows 95 OSR2. See this [[http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol|article]] for more information on the PPTP protocol.
+PPTP is a popular VPN option because nearly every OS has a built in PPTP client, including every Windows release since Windows 95 OSR2.
+See this [[http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol|article]] for more information on the PPTP protocol.
 ----
@@ Line 93: / Line 125: @@
 ===== PPPoE Server =====
-pfSense offers a PPPoE server.
+pfSense offers a [[http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet|PPPoE]] server.
-For more information on the PPPoE protocol, see this [[http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet|entry]].  A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.
+A local user database can be used for authentication, and RADIUS authentication with optional accounting is also supported.
 ----
@@ Line 115: / Line 147: @@
 ===== Real Time Information =====
-Historical information is important, but sometimes it’s more important to see real time information.  SVG graphs are available that show real time throughput for each interface.  For traffic shaper users, the **Status -> Queues** screen provides a real time display of queue usage using AJAX updated gauges.  The front page includes AJAX gauges for display of real time CPU, memory, swap and disk usage, and state table size.
+Historical information is important, but sometimes it’s more important to see real time information.
+SVG graphs are available that show real time throughput for each interface.
+For traffic shaper users, the **Status -> Queues** screen provides a real time display of queue usage using AJAX updated gauges.
+The front page includes AJAX gauges for display of real time CPU, memory, swap and disk usage, and state table size.
 ----
@@ Line 141: / Line 179: @@
 ===== Captive Portal =====
-Captive portal allows you to force authentication, or redirection to a click through page for network access.  This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access.  For more information on captive portal technology in general, see the Wikipedia article on the topic.  The following is a list of features in the pfSense Captive Portal.
+[[https://en.wikipedia.org/wiki/Captive_portal|Captive portal]] allows you to force authentication, or redirection to a click through page for network access.
+This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access.
+The following is a list of features in the pfSense Captive Portal:
   * Maximum concurrent connections – Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
@@ Line 148: / Line 190: @@
   * Logon pop up window – Option to pop up a window with a log off button.
   * URL Redirection – after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.
-  * MAC filtering – by default, pfSense® CE filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.
+  * MAC filtering – by default, pfSense filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.
   * Authentication options – There are three authentication options available
     * No authentication – This means the user just clicks through your portal page without entering credentials
@@ Line 168: / Line 210: @@
 pfSense includes both DHCP Server and Relay functionality.
+----
+===== References =====
+https://www.netgate.com/solutions/pfsense/features.html