pfSense Plus Features (2024)

Features

A stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature used to invoke fine-grained security policies. pfSense Plus software does this by default, and can be configured to block traffic based on policy matches. Alternatively, one can just inspect and not block traffic, by adding pass rules for all traffic on each interface from any/to any as desired.

More information can be found in our documentation here.

IP/DNS-based filtering can block web traffic from entire countries, one mechanism for stopping cyber criminals from attacking your business. Network connections are blocked based on geographic location (information gathered from IP addresses) which can then be used to filter and prevent outgoing and incoming connections to and from your business.

pfSense Plus software by default implicitly blocks all unsolicited inbound traffic to the WAN interface.

More information can be found in our documentation under pfBlockerNG here.

Anti spoofing detects packets with false addresses which leads to increased security.

More information can be found in our documentation under Anti-spoofing Rules here.

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.

More information can be found in our documentation here.

Time based rules allow firewall rules to activate during specified days and/or time ranges. Time based rules function the same as any other rule, except they are effectively not present in the ruleset outside of their scheduled times.

More information can be found in our documentation here.

A firewall connection limit policy allows or denies traffic based on a matching tuple: source address, destination address, and service; and connection count, which enables detection of anomalous connection requests.

More information can be found in our documentation here.

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.

More information can be found in our documentation here.

Policy-based routing forwards and routes data packets based on specified policies or filters using parameters such as source and destination IP address, source or destination port, traffic type, protocols, access list, packet size, etc. to then route packets on user-defined routes.

More information can be found in our documentation here.

IPv4 address space is rapidly exhausting. IPv6 addresses are the future, but the two will need to peacefully coexist for years to come. Therefore NAT mapping for inbound and outbound traffic needs to support concurrent IPv4 and IPv6, making it easier to configure static routes on the router.

More information can be found in our documentation here.

Static routing occurs when a router uses a manually-configured routing entry, rather than information from dynamic routing traffic.

More information can be found in our documentation here.

IPv6-to-IPv6 Network Prefix Translation (NPTv6 or NAT66) is a specification for IPv6 to achieve address-independence at the network edge, similar to network address translation (NAT) in Internet Protocol version 4.

More information can be found in our documentation here.

IPv6 router advertisem*nt is used for IPv6 auto-configuration and routing. When enabled, messages are sent by the router periodically and in response to solicitations. A host uses the information to learn the prefixes and parameters for the local network.

More information can be found in our documentation here.

Multiple IP addresses per network interface allow the mapping of many host names (non-aliased), each to a single IP address also within a single server, even though that server might only have one physical network interface.

More information can be found in our documentation here.

Point-to-Point Protocol over Ethernet (PPPoE) is designed to manage how data is transmitted over Ethernet networks, allowing a single server connection to be divided between multiple clients, using Ethernet.

More information can be found in our documentation here.

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) analyzes packets as well, but can also stop the packet from being delivered, helping to halt the attack.

More information can be found in our documentation here.

Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.

More information can be found in our documentation here.

Layer 7, the OSI (Open System Interconnection) Model application layer, supports application and end-user processes, such as HTTP and SMTP. Attacks at this layer present a security challenge as malicious code can masquerade as valid client requests and normal application data.

More information can be found in our documentation here.

Depending on choices around performance, security risk tolerance, and actual business applications in use, there are many ways to configure an IDS/IPS. pfSense Plus software supports the use of multiple sources of rules for both Snort and Suricata. Additionally, each of those packages have multiple categories for rules as well, including floating rules, interface group rules, and interface rules.

More information can be found in our documentation here.

An IDS/IPS solution can be configured to simply log detected network events, or both log and block them. This is performed through the use of detection signatures, called rules. Rules can be custom created by the user, or any of several pre-packaged rule sets can be enabled and downloaded. Pre-packaged rulesets offer added detection / protection against emerging threats in the wild.

More information can be found in our documentation here.

IP block listing filters out illegitimate or malicious IP addresses from accessing your networks. pfBlocker is a pfSense Plus software package that allows you to add IP block list and country block lists.

More information can be found in our documentation here.

pfSense Plus software is equipped with a number of automatically added firewall rules. Examples include anti-lockout, anti-spoofing, block private networks, block Bogon networks, IPsec protocol use and port access, default deny rule, etc.

More information can be found in our documentation here.

pfSense Plus software allows each LAN or WAN interface to be independently configured with firewall rules and other per-interface functionality.

More information can be found in our documentation here.

Each IDS/IPS security admin must ultimately decide their own alert volume tolerance, as only you know the type of traffic that is normal on your network. pfSense Plus software enables you to select specific ruleset and alerting policies on a per interface basis, as well as offering detailed guidance about how to eliminate noisy false positives.

More information can be found in our documentation under Alert Thresholding and Suppression here.

Deep Packet Inspection (DPI) enables security analysts to capture and evaluate full packet header and payload information to identify protocol compliance, spam, virus, intrusion, and other anomalous or malicious traffic. Snort, Suricata, and NTOPNG packages each support DPI capabilities.

More information can be found in our documentation here (NTOPNG), here (Snort) and here (Suricata).

pfSense Plus software leverages Snort and OpenAppID to detect, monitor and manage application usage on your network.

More information can be found in our documentation here.

IPsec is a group of protocols used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, where it both encrypts IP packets and authenticates the source from where the packets originated.

More information can be found in our documentation here.

OpenVPN is a VPN solution that implements secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

More information can be found in our documentation here.

WireGuard is an open-source VPN software solution designed with the intent of providing ease of use, high speed performance, and a low attack surface.

More information can be found in our documentation here.

Site-to-site VPNs allow multiple users' traffic to flow through each VPN tunnel. Remote-access VPNs only allow one user's traffic to travel through each VPN tunnel. pfSense Plus software supports both site-to-site and remote-access VPN capabilities via IPsec or OpenVPN.

More information can be found in our documentation here (IPsec) and here (OpenVPN).

Secure Sockets Layer (SSL) is an encryption-based Internet security protocol used to ensure privacy, authentication, and data integrity in Internet communications. OpenVPN is an SSL based VPN.

More information can be found in our documentation here.

OpenVPN supports clients on a wide range of operating systems including all the BSDs, Linux, Android, Mac OS X, iOS, Solaris, Windows 2000 and newer, and even some VoIP handsets.

More information can be found in our documentation here.

pfSense Plus software supports remote access VPN for a variety of Android and iOS devices. Other clients may work as well.

More information can be found in our documentation here.

OpenVPN can connect a site-to-site tunnel to either an IPv4 address or an IPv6 address, and both IPv4 and IPv6 traffic may be passed inside of an OpenVPN tunnel at the same time. IPv6 is supported both in site-to-site and mobile clients, and it can be used to deliver IPv6 to a site that only has IPv4 connectivity.

IPsec is capable of connecting to a tunnel over IPv4 or IPv6 phase 1 peer addresses, but with some traffic limitations.

More information can be found in our documentation here (OpenVPN) and here (IPsec).

Split tunneling allows a user to access dissimilar security domains, e.g., a public network and a local LAN or WAN at the same time, using the same or different network connections.

More information can be found in our documentation here.

pfSense Plus software supports the ability to establish multiple VPN tunnels over a single physical interface - useful, for example when securely connecting a number of office locations to one another.

More information can be found in our documentation here.

pfSense Plus software supports both OpenVPN and IPsec tunnel failover

More information can be found in our documentation here (OpenVPN) and here (IPsec).

pfSense Plus software supports both OpenVPN and IPsec tunnel failover

More information can be found in our documentation here (OpenVPN) and here (IPsec).

OpenVPN and IPsec tunnels can be configured using either auto-generated or custom-designed routes.

More information can be found in our documentation here.

pfSense Plus software allows for user authentication to be managed either by local user authentication, or by RADIUS/LDAP as an authentication source for a VPN.

More information can be found in our documentation here (OpenVPN) and here (IPsec).

Dynamic DNS automatically updates a name server in the Domain Name System, often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information. The Dynamic DNS client built into pfSense Plus software software registers the IP address of a WAN interface with a variety of dynamic DNS service providers. This is used to remotely access services on hosts that have WANs with dynamic IP addresses, most commonly VPNs, web servers, etc.

More information can be found in our documentation here.

A DHCP Server is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices. It relies on the standard protocol known as Dynamic Host Configuration Protocol (DHCP) to respond to broadcast queries by clients. The DHCP Server in pfSense Plus software provides addresses to DHCP clients, and automatically configures them for network access.

More information can be found in our documentation here.

DNS forwarding determines how particular sets of DNS queries are handled by a designated server, rather than being handled by the initial server contacted by the client. pfSense Plus software is equipped with a DNS Forwarded that resolves DNS requests using hostnames obtained by the DHCP service, static DHCP mappings, or manually entered information.

More information can be found in our documentation here.

Most pfSense Plus software software configuration is performed using its built-in web-based GUI. Some tasks may also be performed from the console, whether it be a monitor and keyboard, over a serial port, or via SSH.

More information can be found in our documentation here.

The first time a user logs into the pfSense Plus software GUI, the firewall automatically presents a setup wizard, facilitating new users with a guided setup tour.

More information can be found in our documentation here.

pfSense Plus software supports several ways to remotely administer a firewall running pfSense Plus software - with varying levels of recommendation based on client restrictions, corporate policies, etc.

More information can be found in our documentation here.

The main GUI page of the pfSense Plus software is the dashboard. The dashboard page provides a wealth of information that can be seen at a glance, contained in configurable widgets.

More information can be found in our documentation here.

pfSense Plus software has a complete Backup and Restore capability accessible via the GUI Diagnostics menu option. Configuration file. Simply select your pfSense Plus software configuration backup XML filem click on the Restore configuration button, and your computer will upload the XML file and restore the pfSense Plus software configuration backup.

More information can be found in our documentation here.

pfSense Plus software supports export/import of system configuration information in XML through the use of GUI Backup, where a web browser prompts the user to save the file somewhere on an external compute environment.

More information can be found in our documentation here.

pfSense Plus software natively supports automatic encryption of backups for instant and secure offsite backups of a firewall with no user intervention.

More information can be found in our documentation here.

pfSense Plus software supports groupings of user privileges so they do not need to be maintained individually on every user account. For example, a group can be used for IPsec xauth users, or a group that can access the firewall dashboard, a group of firewall administrators, or many other possible scenarios using any combination of privileges.

More information can be found in our documentation here.

pfSense Plus software is available in 8 different languages, thanks to the efforts of over 400 translators.

More information can be found in our documentation here.

By default, update settings look for officially released versions of pfSense Plus software software, but can also be set to track development snapshots.

More information can be found in our documentation here.

Many configurations are forward-compatible, depending on the software version and its corresponding configuration revision numbers and whether the configuration backup is complete or partial.

More information can be found in our documentation here.

Basic configuration and maintenance tasks can be performed from the pfSensePlus system console. The console is available using a keyboard and monitor, serial console, or by using SSH. Access methods vary depending on hardware.

More information can be found in our documentation here.

Wake-on-LAN is an Ethernet or Token Ring networking standard that allows a computer to be turned on by a network message normally sent to the target computer by a program executed on a device connected to the same local area network, e.g., a smartphone.

More information can be found in our documentation here.

pfSense Plus software allows for a RADIUS or LDAP server to authenticate GUI users. Users and/or group memberships must be defined in the firewall in order to properly allocate permissions, as there is no method to obtain permissions dynamically from an authentication server.

More information can be found in our documentation here.

GUI user privileges can be set and administered on an individual or group basis. Privileges including page access, password management, remote connection/authentication, firewall configuration changes, and root-level access are controllable.

More information can be found in our documentation here.

pfSense Plus software supports the ability to set a date by which the firewall will automatically deactivate a user account.

More information can be found in our documentation here.

pfSense Plus software can use RADIUS and LDAP servers to authenticate users from remote sources.

More information can be found in our documentation here.

Attempting to login to the GUI or SSH and failing many times will cause the connecting IP address to be added to the lockout table.

More information can be found in our documentation here.

The protocol used by the GUI to accept web browser connections may either be HTTP (plain unencrypted HTTP, insecure and basic, but widely compatible and less likely to have client issues, or HTTPS (SSL/TLS) - encrypted “secure” HTTP which protects communication between the client browser and the firewall GUI. Best practice is to use HTTPS so only encrypted traffic is exchanged between the GUI and clients.

More information can be found in our documentation here.

Cross-site request forgery (CSRF, and sometimes represented as XSRF) is a malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. The pfSense Plus software WebGUI uses the csrf-magic library to protect against Cross-Site Request Forgery (CSRF) attacks.

More information can be found in our documentation here.

Referer (sic) headers contain the address of a request, e.g., the address of the previous web page from which a link to the currently requested page was followed, or the address of a page loading an image or other resource. While there are many legitimate uses - including analytics, logging, or optimized caching - there are also problematic uses such as tracking, stealing, or inadvertently leaking sensitive information. The pfSense Plus software GUI checks the referring URL sent by a client browser to ensure that the form was submitted from this firewall. This check prevents a form on another site from submitting a request to the firewall, and changing an option when the administrator did not intend for that to happen.

More information can be found in our documentation here.

DNS rebinding is a method of manipulating resolution of domain names, commonly used as a form of computer attack. In an attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. DNS rebinding circumvents this protection by abusing the Domain Name System (DNS). pfSense Plus software contains built-in methods of protection against DNS rebinding attacks.

More information can be found in our documentation here.

HTTP Strict Transport Security (HSTS) helps defend websites from man-in-the-middle attacks, e.g., protocol downgrade attacks and cookie hijacking. pfSense Plus software supports HSTS, which forces the browser to use only HTTPS for future requests to the firewall’s fully qualified domain name (FQDN), thus ensuring it does not accidentally or intentionally downgrade to an unencrypted connection.

More information can be found in our documentation here.

Secure Shell (SSH) access to a firewall is typically used for debugging and troubleshooting, but has many other useful purposes. An SSH key is an access credential in the SSH protocol which functions similarly to that of usernames and passwords. Keys, however, are primarily used for automated processes and for implementing single sign-on by system administrators and power users. pfSense Plus software supports the use of SSH access using only public key authentication, which is more secure than allowing access by password alone.

More information can be found in our documentation here.

High-availability clusters are groups of firewalls or routers that can step in for one another - in the event of a failure - to minimize down-time. pfSense Plus software leverages Common Area Redundancy Protocol (CARP) to provide failover redundancy for multiple firewalls / routers on the same local area network.

pfSense Plus in AWS support High Availability via CARP.

More information can be found in our documentation here.

The multiple WAN (multi-WAN) capabilities in pfSense Plus software allow a firewall to utilize multiple Internet connections to achieve more reliable connectivity and greater throughput capacity.

More information can be found in our documentation here.

A reverse proxy typically sits between remote clients and local servers, and allows for load balancing, failover, or other intelligent connection routing for public services such as web servers. pfSense Plus software uses HAProxy to address many types of proxy tasks, and has the benefit of scaling well for large deployments.

More information can be found in our documentation here.

Multiple remote servers can be configured on OpenVPN clients. If the first server cannot be reached, the second will be used. This can be used in combination with a multi-WAN OpenVPN server deployment to provide automatic failover for clients.

More information can be found in our documentation here.

Bandwidth throttling is the intentional slowing or speeding of an internet connection. It is used to regulate network traffic and minimize bandwidth congestion. pfSense Plus software supports bandwidth throttling through the use of traffic shaper queues. Each queue has settings specific to the scheduler and can be chosen through a traffic shaping wizard.

More information can be found in our documentation here.

The easiest way to get started with traffic shaping is by using the fSense Plus shaper wizard, which guides administrators through the shaper configuration process. Each step of the wizard sets up unique queues and rules that control what traffic is assigned into those queues.

More information can be found in our documentation here.

Limiters are an alternate method of traffic shaping that do not rely on alternate queuing (ALTQ). Limiters are currently the only way to achieve per-IP address or per-network bandwidth rate limiting using pfSense Plus software, and are also used by Captive Portal for per-user bandwidth limits.

More information can be found in our documentation here.

pfSense Plus software uses limits to enforce a total cap on user traffic and to dynamically manage the connections based on real network conditions — allocating more bandwidth per device when the network is quiet and less bandwidth per device when many clients are chatting at the same time.

More information can be found in our documentation here.

Using Captive Portal with pfSense Plus software allows administrators to not only restrict data rates on a per authenticated user basis, but also limit the total amount of bytes transferred in a given period of time. Traffic quotas are based on captive portal sessions, and can be set via the web interface or by retrieving traffic limits from RADIUS.

More information can be found in our documentation here.

pfSense Plus software dashboard widgets provide an excellent bird’s eye view of system-level status, log and graph-based information. Over 20 widgets are available, each containing a specific set of data, type of information, graph, etc.

More information can be found in our documentation here.

pfSense Plus software logs - useful for both troubleshooting and long-term monitoring - may be stored locally either in memory or written to disk.

More information can be found in our documentation here.

pfSense Plus software logs - useful for both troubleshooting and long-term monitoring - may be stored locally either in memory or written to disk.

More information can be found in our documentation here.

pfSense Plus software supports a host of local monitoring graphs covering system performance, traffic, WAN interface quality, VPN usage and more.

More information can be found in our documentation here.

pfSense Plus software is equipped with real-time traffic graphs which show interface traffic as it happens. Real-time graphs focus on what is happening “now”, as opposed to averaged data from RRD graphs - which are better suited for long-term traffic analysis.

More information can be found in our documentation here.

Simple Network Management Protocol (SNMP) enables remote monitoring of numerous pfSense Plus software software parameters including network traffic, network flows, pf queues, and general system information such as CPU, memory, and disk usage. Additionally, traps can be sent to an SNMP server for certain events.

More information can be found in our documentation here.

pfSense Plus software can notify administrators of important events and errors via several mechanisms including GUI menu bar alerts, SMTP E-mail, Telegram API, Pushover API and Growl.

More information can be found in our documentation here.

pfSense Plus software supports hardware monitoring of several popular chipsets. Specifically, the Thermal Sensors dashboard widget, or the CLI sysctl command allows Intel or AMD processor temperature to be monitored.

More information can be found in our documentation here.

pfSense Plus software is equipped with a rich set of diagnostics for easily managing network administration tasks.

More information can be found in our documentation here.