Revision [1112]

Last edited on 2009-12-11 12:47:50 by ChrisBuechler
Deletions:
5.) Missing input validations for gateways. The gateway IP is within the IP subnet of the interface selected and the monitor IP is not used on any other gateway (otherwise the static routes can't be added properly).
Online reviews about PFSense:
1. [[http://addicted-to-it.blogspot.com/2008/09/pfsense-12-6-month-review.html pfSense 1.2: 6-month review]]
2. [[http://www.freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense Configure a professional firewall using pfSense]]
3. [[http://www.superiorpapers.com/homework.php Homework help]] : [[http://bradgillette.com/wordpress/archives/34 PFSense review & thoughts]]


Revision [1111]

Edited on 2009-12-11 04:47:06 by PageDown
Additions:
5.) Missing input validations for gateways. The gateway IP is within the IP subnet of the interface selected and the monitor IP is not used on any other gateway (otherwise the static routes can't be added properly).
Online reviews about PFSense:
1. [[http://addicted-to-it.blogspot.com/2008/09/pfsense-12-6-month-review.html pfSense 1.2: 6-month review]]
2. [[http://www.freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense Configure a professional firewall using pfSense]]
3. [[http://www.superiorpapers.com/homework.php Homework help]] : [[http://bradgillette.com/wordpress/archives/34 PFSense review & thoughts]]
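Review bot: Item 3 of the added "Online reviews about PFSense" list puts a "Homework help" link to superiorpapers.com in front of the actual review link, and that link has nothing to do with pfSense reviews. Drop it and keep only the "PFSense review & thoughts" entry. Separately, item 5 would read more clearly if it stated the two checks as missing validations (gateway IP must be inside the selected interface's subnet, monitor IP must not be reused by another gateway) rather than as statements of fact.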


Revision [977]

Edited on 2009-09-12 22:31:53 by JeremyMcMillan [Harp about the build system. I feel better now.]
Additions:
4) The build scripts are a big mess. Maybe we should start looking forward to 3.0 and improve the build system to make it more elegant, maybe start a Git branch to follow FreeBSD SVN, and simplify, simplify, simplify. The builder menu is great, but the stuff behind it should be as nice.


Revision [878]

Edited on 2009-06-01 03:49:13 by GeekGod [Harp about the build system. I feel better now.]
Additions:
1) PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet. Fix in progress for 2.0.
2) FTP on multi-wans do not work w/ the FTP helper. Fixed in 2.0.
3) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Fixed in 2.0.
Deletions:
1) PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet. This looks like it will be fixed in 2.0.
2) FTP on multi-wans do not work w/ the FTP helper. Should be fixed in 2.0.
3) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Some improvements in this area are in the works for 2.0.
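Review bot: In item 3 the status changes from "Some improvements in this area are in the works for 2.0" to "Fixed in 2.0", which is a much stronger claim than the text it replaces, and the item still says there is no ability above L4. Either keep the earlier wording or reference the 2.0 change that provides application layer inspection so readers can verify it. The same applies to item 2, where "Should be fixed" becomes "Fixed" without a reference.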


Revision [850]

Edited on 2009-05-28 21:38:15 by ChrisBuechler [remove feature request that already exists in 2.0]
Additions:
1) PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet. This looks like it will be fixed in 2.0.
2) FTP on multi-wans do not work w/ the FTP helper. Should be fixed in 2.0.
3) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Some improvements in this area are in the works for 2.0.
Have feature requests? Post them at http://redmine.pfsense.org
Deletions:
1) PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet. This looks like it will be fixed in 1.3.
2) FTP on multi-wans do not work w/ the FTP helper. Should be fixed in 1.3.
3) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Some improvements in this area are in the works for 1.3.
In the System:General Setup page, there are only two possible entries for DNS servers. m0n0wall has three entries, which is helpful when configuring a "split brain" dns setup. The DNS entries here are sent out to DHCP clients. I would like them to query an internal DNS first, then go to the internet using the other two DNS servers. I could use a DNS forwarder to forward dns queries to my ISP, but I have no redundancy in my internal DNS, so if that goes down the internet name resolution fails as well. Right now I have two dns entries, internal dns and my ISP primary dns server. If the ISP primary dns goes down, I do not have a secondary dns to fall back on. Setting up three dns entries in pfsense shouldn't be too hard.


Revision [849]

Edited on 2009-05-28 12:45:26 by ChrisC [requesting three dns entries on the General Setup page]
Additions:
2) FTP on multi-wans do not work w/ the FTP helper. Should be fixed in 1.3.
3) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Some improvements in this area are in the works for 1.3.
In the System:General Setup page, there are only two possible entries for DNS servers. m0n0wall has three entries, which is helpful when configuring a "split brain" dns setup. The DNS entries here are sent out to DHCP clients. I would like them to query an internal DNS first, then go to the internet using the other two DNS servers. I could use a DNS forwarder to forward dns queries to my ISP, but I have no redundancy in my internal DNS, so if that goes down the internet name resolution fails as well. Right now I have two dns entries, internal dns and my ISP primary dns server. If the ISP primary dns goes down, I do not have a secondary dns to fall back on. Setting up three dns entries in pfsense shouldn't be too hard.
Deletions:
1) FTP on multi-wans do not work w/ the FTP helper. Should be fixed in 1.3.
1) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Some improvements in this area are in the works for 1.3.


Revision [349]

Edited on 2008-07-04 22:12:29 by ChrisBuechler [requesting three dns entries on the General Setup page]
Additions:
This page is a constructive area to point out significant limitations in pfSense. All software has limitations, we're just more up front than others about them and put them out here in hopes people will help contribute to resolve them. This list has grown much shorter with each release, and 1.3 should remove most of these remaining things. More information about limitations can be found on www.pfsense.org on the Features page.
Current items/areas that suck:
1) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Some improvements in this area are in the works for 1.3.
Deletions:
This page is meant to be a constructive area to point out big gaping flaws in pfsense. This page is not for silly comments like "It's not linux", etc. It should serve as a good area for a person investigating if pfSense is right for them. In a nutshell this should be a good place for "seasoned users" to sound off on how pfSense can be better. Please note that we serve the right to remove an item if we feel its not a legitimate issue (ie: not a bug/feature). //**Nor is this page meant to gripe about timeline and or roadmap.**//
Current items/areas that sucks:
1) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Improved capabilities here will exist in 1.3.


Revision [348]

Edited on 2008-07-04 22:08:32 by ChrisBuechler [removed outdated info, added comments on remaining items]
Additions:
1) PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet. This looks like it will be fixed in 1.3.
1) FTP on multi-wans do not work w/ the FTP helper. Should be fixed in 1.3.
1) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement. Improved capabilities here will exist in 1.3.
Deletions:
1) PPTP issues - Cannot have more than 1 pptp sessions outbound through nat at the same time to the same server. This only applies to outbound sessions to a single PPTP server. You can connect a million clients to a million different PPTP servers, but only one client at a time to the same PPTP server. If you have the PPTP server enabled on pfsense you cannot connect out to any PPTP server on the Internet.
1) Traffic shaping limitations - Lack of support for trafficshaping/filtering inside IPSEC-Tunnels, multi-interface shaping not supported
1) FTP on multi-wans do not work w/ the FTP helper.
1) Higher layer capabilities - no existing ability for any layers higher than L4. Application layer inspection would be a substantial improvement.
1) OpenVPN access is unfiltered so you cannot use it to provide limited access ('extranet' services) to 3rd parties
1) Cannot filter on OpenVPN tunnels
1) No support for DDNS remote GW on ipsec vpn


Revision [298]

Edited on 2008-04-18 01:31:45 by JesseBower [ddns ipsec]
Additions:
1) No support for DDNS remote GW on ipsec vpn


Revision [185]

Edited on 2007-10-18 12:37:51 by OlafKlein [ddns ipsec]
Additions:
1) Cannot filter on OpenVPN tunnels


Revision [158]

Edited on 2007-09-24 15:09:32 by PaulMansfield [ddns ipsec]
Additions:
1) OpenVPN access is unfiltered so you cannot use it to provide limited access ('extranet' services) to 3rd parties


Revision [31]

The oldest known version of this page was created on 2007-08-18 23:07:15 by ChrisBuechler [ddns ipsec]