The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality. pfSense software, with the help of the package system, is able to provide the same functionality or more of common commercial firewalls, without any of the artificial limitations. It has successfully replaced every big name commercial firewall you can imagine in numerous installations around the world, including Check Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall, Netgear, Watchguard, Astaro, and more.

pfSense software includes a web interface for the configuration of all included components. There is no need for any UNIX knowledge, no need to use the command line for anything, and no need to ever manually edit any rule sets. Users familiar with commercial firewalls catch on to the web interface quickly, though there can be a learning curve for users not familiar with commercial-grade firewalls.

pfSense Features

pfSense® open-source software is a highly configurable, full-featured solution that meets any need from the edge to the cloud.


  • VPN Server
  • High Availability
  • Load Balancing
  • Traffic Shaping

  • Captive Portal
  • UTM Device
  • Firewall / Router
  • DNS / DHCP Server

  • IDS / IPS
  • Transparent Caching Proxy
  • Web Content Filter
  • And more …


Firewall and Router

  • Stateful Packet Inspection (SPI)
  • GeoIP blocking
  • Anti-Spoofing
  • Time based rules
  • Connection limits
  • Dynamic DNS
  • Reverse proxy
  • Captive portal guest network
  • Supports concurrent IPv4 and IPv6
  • NAT mapping (inbound/outbound)
  • VLAN support (802.1q)
  • Configurable static routing
  • IPv6 network prefix translation
  • IPv6 router advertisements
  • Multiple IP addresses per interface
  • DHCP server
  • DNS forwarding
  • Wake-on-LAN
  • PPPoE Server


  • IPsec and OpenVPN
  • Site-to-site and remote access VPN support
  • SSL encryption
  • VPN client for multiple operating systems
  • L2TP/IPsec for mobile devices
  • Multi-WAN for failover
  • IPv6 support
  • Split tunneling
  • Multiple tunnels
  • VPN tunnel failover
  • NAT support
  • Automatic or custom routing
  • Local user authentication or RADIUS/LDAP

Intrusion Prevention System

  • Snort-based packet analyzer
  • Layer 7 application detection
  • Multiple rules sources and categories
  • Emerging threats database
  • IP blacklist database
  • Pre-set rule profiles
  • Per-interface configuration
  • Suppressing false positive alerts
  • Deep Packet Inspection (DPI)
  • Optional open-source packages for application blocking

    Enterprise Reliability

    • Optional multi-node High Availability Clustering
    • Multi-WAN load balancing
    • Automatic connection failover
    • Bandwidth throttling
    • Traffic shaping wizard
    • Reserve or restrict bandwidth based on traffic priority
    • Fair sharing bandwidth
    • User data transfer quotas

    User Authentication

    • Local user and group database
    • User and group-based privileges
    • Optional automatic account expiration
    • External RADIUS authentication
    • Automatic lockout after repeated attempts

    Proxy and Content Filtering

    • HTTP and HTTPS proxy
    • Non Transparent or Transparent caching proxy
    • Domain/URL filtering
    • Anti-virus filtering
    • SafeSearch for search engines
    • HTTPS URL and content screening
    • Website access reporting
    • Domain Name blacklisting (DNSBL)
    • Usage reporting for daily, monthly, etc.



      • Web-based configuration
      • Setup wizard for initial configuration
      • Remote web-based administration
      • Customizable dashboard
      • Easy configuration backup/restore
      • Configuration export/import
      • Encrypted automatic backup to Netgate server
      • Variable level administrative rights
      • Multi-language support
      • Simple updates
      • Forward-compatible configuration
      • Serial console for shell access and recovery options

      System Security

      • Web interface security protection
      • CSRF protection
      • HTTP Referer enforcement
      • DNS Rebinding protection
      • HTTP Strict Transport Security
      • Frame protection
      • Optional key-based SSH access

        Reporting & Monitoring

        • Dashboard with configurable widgets
        • Local logging
        • Remote logging
        • Local monitoring graphs
        • Real-time interface traffic graphs
        • SNMP monitoring
        • Notifications via web interface, SMTP, or Growl
        • Hardware monitoring
        • Networking diagnostic tools