List of pfSense Features
The most comprehensive, up-to-date feature listing can be found on the pfSense website.
A community contributed list follows.
- Firewall with stateful packet inspection
- Easy to use Web Based Graphical Interface
- Installation Setup Wizard
- Configurable Dashboard with many available widgets
- IPv4 and IPv6 support
- Wireless Access Point (must install a wireless interface which supports hostap mode), including VAP/MBSS support on certain chips.
- Wireless Client Support (802.11 and 3G/4G with supported devices)
- Ability to setup and filter/isolate multiple interfaces (LAN, DMZ, etc.)
- Traffic Shaping (ALTQ, Limiters, 802.1p match/set, DiffServ/DSCP matching)
- State Table controls (per-rule / per-host limits, timers, etc.)
- NAT (Port Forwards, 1:1 NAT, Outbound NAT, NPt)
- Redundancy/High Availability – CARP+pfsync+XMLRPC Config sync allows for hardware failover. Two or more firewalls can be configured as a failover cluster.
- Multi-WAN Support
- Server Inbound Load Balancing
- Network diagnostic utilities such as ping, traceroute, port tests via the GUI (more with packages, such as nmap)
- VPN – IPsec (including Phase 2 NAT), OpenVPN, L2TP
- PPPoE Server
- RRD Graphs
- Real-time interface traffic graphs
- Dynamic DNS
- Captive Portal
- DHCP Server and Relay (IPv4 and IPv6)
- Command line shell access (Via console and SSH)
- Wake on LAN
- Built in packet capture / sniffer
- Ability to backup and restore the firewall configuration via the web GUI
- Edit files via the web GUI
- Virtual interfaces for VLAN, LAGG/LACP, GIF, GRE, PPPoE/PPTP/L2TP/PPP WANs, QinQ, and Bridges
- Caching DNS Forwarder/Resolver
- Can be run in many virtualization environments
- Proxy Server (using packages)
- arpwatch – Arpwatch monitors Ethernet to IP address pairings and logs changes to syslog.
- Ipguard-dev – Attempts to maintain IP:MAC pairs by force.
- nmap – A utility for network exploration or security auditing.
- OpenVPN Client Export Utility – Allows a pre-configured OpenVPN Windows Client or Mac OSX’s Viscosity configuration bundle to be exported directly from pfSense.
- snort – An open source network intrusion prevention and detection system (IDS/IPS).
- SSHDCond – Defines SSH overrides for users, groups, hosts and addresses using Match in a convenient way.
- stunnel – An SSL encryption wrapper between remote client and local or remote servers.
- sudo – Allows delegation of privileges to users in the shell so commands can be run as other users, such as root.
- suricata – High Performance Network IDS, IPS and Security Monitoring engine by OISF.
- tinc – tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private mesh network between hosts on the Internet.
- Apache with mod_security – ModSecurity is a web application firewall that can work either embedded or as a reverse proxy.
- Avahi – Avahi is a system which facilitates service discovery on a local network.
- HAVP antivirus – HTTP Antivirus Proxy with a ClamAV anti-virus scanner.
- LADVD – Send and decode link layer advertisements. Support for LLDP (Link Layer Discovery Protocol), CDP (Cisco Discovery Protocol), EDP (Extreme Discovery Protocol) and NDP (Nortel Discovery Protocol).
- Lightsquid – High performance web proxy report (LightSquid). Proxy realtime stat (SQStat). Requires squid HTTP proxy.
- mtr-nox11 – Enhanced traceroute replacement
- netio – Network benchmark tool.
- nut – Network UPS Tools
- Proxy Server with mod_security – Web application firewall that can work either embedded or as a reverse proxy.
- siproxd – Proxy for handling NAT of multiple SIP devices to a single public IP.
- squid – High performance web proxy cache.
- squidGuard – High performance web proxy URL filter.
- Zabbix-2 Agent – Monitoring agent.
- Zabbix-2 Proxy – Monitoring agent proxy.
- bandwidthd – Tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization.
- darkstat – darkstat is a network statistics gatherer.
- iftop – Realtime interface monitor (console/shell only)
- pfflowd – Converts OpenBSD PF status messages (sent via the pfsync interface) to Cisco NetFlow datagrams.
- mailreport – Periodic e-mail reports containing command output, log file contents, and RRD graphs.
- ntopng – A network probe that shows network usage in a way similar to what top does for processes.
- softflowd – Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow data export.
- urlsnarf – HTTP URL Sniffer (console/shell only)
- vnstat2 – Vnstat is a console-based network traffic monitor. The vnstat PHP frontend and vnstati adds a more user friendly way of displaying traffic usage.
- Apcupsd – Set of programs for controlling APC UPS.
- arping – Broadcasts a who-has ARP packet on the network and prints answers.
- AutoConfigBackup – Automatically backs up the pfSense configuration file. All contents are encrypted before being sent to the server. Requires Gold Subscription.
- bacula-client – Bacula is a set of Open Source computer programs that manage backup, recovery, and verification of computer data across a network of computers of different kinds.
- bind – The most widely used name server software
- Check_mk agent – The basic idea of check_mk is to fetch “all” information about a target host at once. For each host to be monitored check_mk is called by Nagios only once per time period.
- Cron – The cron utility is used to manage commands on a schedule.
- Dansguardian – An award winning Open Source web content filter.
- dns-server – pfSense version of TinyDNS which features failover host support
- freeradius2 – A free implementation of the RADIUS protocol.
- git – GIT Source Code Management (console/shell only)
- haproxy-devel – The Reliable, High Performance TCP/HTTP(S) Load Balancer.
- imspector – An Instant Messenger transparent proxy with logging capabilities. Currently it supports MSN, AIM, ICQ, Yahoo and IRC to different degrees.
- iperf – A tool for testing network throughput, loss, and jitter.
- mailscanner – An e-mail security and anti-spam package for e-mail gateway systems.
- NRPE v2 – An addon for Nagios that allows plugins to be executed on remote Linux/Unix hosts.
- Open-VM-Tools – VMware Tools (open source)
- PHPService – PHP run as a service; it can do anything PHP can do, including but not limited to monitoring files, CPU, and RAM, and sending alerts to the syslog.
- Postfix Forwarder – Postfix mail forwarder acts as a relay server for a domain.
- Service Watchdog – Monitors for stopped services and restarts them.
- Shellcmd – The shellcmd utility is used to manage commands on system startup.
- spamd – Graylisting SMTP connection forwarder.
- syslog-ng – Syslog-ng independent syslog server.
- TFTP – Trivial File Transport Protocol is a very simple file transfer protocol.
- Varnish3 – Varnish is a state-of-the-art, high-performance HTTP accelerator.
- widentd – RFC1413 auth/identd daemon with fixed fake reply
- Backup – Tool to Backup and Restore files and directories.
- blinkled – Allows system LEDs to be used for network activity on supported platforms (ALIX, WRAP, Soekris, etc)
- gwled – Allows system LEDs to be used for gateway status on supported platforms (ALIX, WRAP, Soekris, etc)
- RRD Summary – Gives a total amount of traffic passed In/Out during this and the previous month.
- System Patches – A package to apply and maintain custom system patches.
- olsrd – The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol.
- OpenBGPD – OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4.
- Quagga OSPF – OSPF routing protocol using Quagga
- routed – RIP v1 and v2 daemon.
- File Manager – PHP File Manager
- Filer – Allows files to be created and overwritten from the GUI.
- LCDproc – LCD display driver
- Notes – Track things to note for this system.
- pfBlocker – Introduces Enhanced Aliastable Feature to pfSense.
- Sarg – Squid Analysis Report Generator.