<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>The only issues we've had with pfsense are to do with PPTP. The main issue being that it isn't capable of inspecting outbound PPTP sessions and maintaining a table similar to an outbound NAT table (am I making sense?). The problem that occurs is that you can only have ONE PPTP session up between any client on the inside and any server on the outside. So if you have users on the inside of a pfsense box and two of them try to fire up a PPTP session to the SAME remote endpoint, it won't work as it can't identify the two sessions in any way as they have the same source (outside public IP of the firewall) and same remote destination and same protocol
(GRE). Even inbound PPTP isn't the easiest either if you want to have outbound at the same time; you need to NAT outbound to a different public IP so it doesn't mess with inbound (which is fine if you have multiple public IPs, but a bit harder if you only have a single IP).<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>Who still uses PPTP, you might say? It's insecure, get rid of it, I hear? The problem is the remote side of things, which you don't control, and users in dept X absolutely have to connect to vendor Y via PPTP session to do something "really important".<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new
roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Other than PPTP issues, we have no problems with it and have many pfsense firewalls deployed around the place.<br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>regards,</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new
roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>Tony.<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span><br></span></div><div><br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Joshua D'Alton &lt;joshua@railgun.com.au&gt;<br> <b><span style="font-weight: bold;">To:</span></b>
Alex Samad - Yieldbroker &lt;Alex.Samad@yieldbroker.com&gt; <br><b><span style="font-weight: bold;">Cc:</span></b> "ausnog@lists.ausnog.net" &lt;ausnog@lists.ausnog.net&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, 9 August 2013 1:26 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [AusNOG] Application Firewall Recommendations<br> </font> </div> <div class="y_msg_container"><br><div id="yiv6499151309"><div dir="ltr">pfsense is pretty hard to beat as a fairly full-featured firewall, I've used it in a lot of situations that don't warrant the cost of a cisco or similar setup. Works brilliantly in a VM as well.</div>
<div class="yiv6499151309gmail_extra"><br></div></div><br></div> </div> </div> </blockquote></div> </div></body></html>