pfSense vs. Airport Extreme
I’ve been running a pfSense machine since the start of the year as a replacement for my Airport Extreme[1]. There are some pretty big benefits, but also some downsides and I thought I’d cover them for anyone thinking of making a similar switch.
Why Airport Extreme?
Airport Extremes are expensive devices low on functionality — much like other Apple products (zing!). However, in my experience you are paying for day-to-day reliability: they are amongst the best at getting out of your way, while also putting out a strong wireless signal and coping with plenty of traffic (I’ve set them up in busy offices before with no issues).
Why pfSense?
Firstly, pfSense and Airport Extreme aren’t really the same type of appliance. pfSense is a FreeBSD-based operating system that gives you a fully-featured, rock-solid firewall/router appliance on an x86 device (e.g. a spare PC or a purpose-built miniITX machine). It performs a large part of the Airport Extreme’s job, but it doesn’t handle your wireless connection.
Advantages of pfSense
- Traffic shaping: Even on a low-usage network, some kind of traffic shaping is handy. People massively over-complicate traffic shaping, but on a home network it probably needs to solve just one problem: Bufferbloat. Bufferbloat, put simply, is latency caused by oversized, unmanaged packet buffers (typically in a cheap modem or router) filling up whenever a link is saturated; on an asymmetric connection it shows up mostly on the upload side, because that is the link that saturates first[2]. Fortunately Bufferbloat is really easy to solve with CoDel (Controlled Delay), an active queue management algorithm that starts dropping packets once they have sat in the queue for longer than a small target delay, so TCP senders back off before the buffer fills. pfSense supports CoDel (as the CODELQ scheduler, or as an option on individual queues) alongside the fancy traditional shapers (HFSC, CBQ, PRIQ, FAIRQ), and trust me, you probably don't need the fancier stuff. One caveat: CoDel can only manage a queue that forms on the pfSense box, so cap your upload bandwidth slightly below what the modem can actually push; otherwise the queue builds up inside the modem where CoDel can't see it. I might do a blog post all about CoDel in the future, because documentation on the web is thin on the ground.
- Decent VPN options: pfSense supports OpenVPN out of the box, and supports it really well. You get a certificate manager for the CA, server and user certificates, plus a wizard and web-based tools for managing the rest of the configuration. Again, people often really over-complicate configuring OpenVPN, and pfSense doesn’t entirely avoid that, but it does make it easier. You can also run IPsec, L2TP and PPTP servers all at the same time, although PPTP (MS-CHAPv2) has been broken for years and shouldn’t be used for anything you care about, and plain L2TP is unencrypted unless it is paired with IPsec.
- Freedom to choose WiFi solution: By relieving your WiFi access point of the job of routing all your traffic, you're giving yourself much more freedom to pick anything available on the market. Why not investigate a Ubiquiti UniFi AP? Or maybe you can pick up some second-hand enterprise hardware? This also means that when your next phone has a new WiFi standard you want to take advantage of, you don't have to replace the device acting as your router as well.
- Metrics: Out of the box your pfSense box will tell you a lot about what is happening on your network, including DHCP leases, traffic, traffic queues, network quality, packet loss, connected VPN clients, current UPnP ports, realtime graphs and bandwidth utilisation, and a lot more.
- Extendable: pfSense has quite a few third-party packages, and you can always shell in and do your own stuff because it’s just FreeBSD behind the scenes, which is cool.
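To make the traffic-shaping point concrete, here is a small simulation of the test described in footnote [2]: a greedy TCP-like sender saturates an upload link, and we watch how long each packet (a ping would be one of them) sits in the queue. This is an added example written for this post, not pfSense code; the link speed (10 Mbit/s), buffer depth (1000 packets), base RTT (20 ms) and the simplified TCP model are assumptions. The tail-drop FIFO stands in for the cheap modem; the CoDel class follows the RFC 8289 dequeue pseudocode with its 5 ms target and 100 ms interval.

```python
"""Bufferbloat vs. CoDel on a saturated uplink (constructed example)."""
import math
from collections import deque

SERVICE_MS = 1.2      # one 1500-byte packet on a 10 Mbit/s uplink (assumed)
BUFFER_PKTS = 1000    # bloated modem buffer: 1.2 s of queue at line rate
BASE_RTT_MS = 20.0    # assumed path RTT with an empty queue
TARGET_MS, INTERVAL_MS = 5.0, 100.0   # CoDel defaults


class Sender:
    """Simplified TCP: slow start until the first loss, then AIMD,
    reacting to at most one loss per RTT."""

    def __init__(self):
        self.cwnd, self.ssthresh, self.recover_until = 2.0, math.inf, -1.0

    def on_ack(self):
        self.cwnd += 1.0 if self.cwnd < self.ssthresh else 1.0 / self.cwnd

    def on_loss(self, now, rtt_ms):
        if now < self.recover_until:      # already reacted to a loss this RTT
            return
        self.cwnd = self.ssthresh = max(1.0, self.cwnd / 2)
        self.recover_until = now + rtt_ms


class Fifo:
    """Tail-drop FIFO: what a cheap modem does."""

    def __init__(self):
        self.q = deque()                  # holds each packet's enqueue time

    def enqueue(self, now):
        if len(self.q) >= BUFFER_PKTS:
            return False                  # buffer full: tail drop
        self.q.append(now)
        return True

    def dequeue(self, now, on_drop):
        return now - self.q.popleft() if self.q else None   # sojourn time


class CoDel(Fifo):
    """CoDel dequeue-side logic following the RFC 8289 pseudocode."""

    def __init__(self):
        super().__init__()
        self.first_above = self.drop_next = 0.0
        self.count = self.lastcount = 0
        self.dropping = False

    def _dodequeue(self, now):
        """Pop one packet; report whether its sojourn time allows a drop."""
        if not self.q:
            self.first_above = 0.0
            return None, False
        sojourn = now - self.q.popleft()
        if sojourn < TARGET_MS or len(self.q) <= 1:
            self.first_above = 0.0        # back below target: reset the timer
            return sojourn, False
        if self.first_above == 0.0:
            self.first_above = now + INTERVAL_MS   # above target: start timer
            return sojourn, False
        return sojourn, now >= self.first_above

    def dequeue(self, now, on_drop):
        sojourn, ok = self._dodequeue(now)
        if self.dropping:
            if not ok:
                self.dropping = False
            while self.dropping and now >= self.drop_next:
                on_drop(sojourn)          # drop it and look at the next packet
                self.count += 1
                sojourn, ok = self._dodequeue(now)
                if not ok:
                    self.dropping = False
                else:                     # control law: drop rate grows as sqrt(count)
                    self.drop_next += INTERVAL_MS / math.sqrt(self.count)
        elif ok:                          # above target for a whole interval
            on_drop(sojourn)
            sojourn, ok = self._dodequeue(now)
            self.dropping = True
            delta = self.count - self.lastcount
            recent = now - self.drop_next < 16 * INTERVAL_MS
            self.count = delta if (delta > 1 and recent) else 1
            self.drop_next = now + INTERVAL_MS / math.sqrt(self.count)
            self.lastcount = self.count
        return sojourn


def simulate(queue, seconds=20.0):
    """Return (mean queueing delay over the final 10 s, peak delay overall) in ms."""
    sender, now, last_rtt, window, peak = Sender(), 0.0, BASE_RTT_MS, [], 0.0

    def on_drop(sojourn):                 # a CoDel drop is a loss signal
        sender.on_loss(now, BASE_RTT_MS + sojourn)

    for step in range(int(seconds * 1000 / SERVICE_MS)):
        now = step * SERVICE_MS
        while len(queue.q) < int(sender.cwnd):   # keep cwnd packets queued
            if not queue.enqueue(now):
                sender.on_loss(now, last_rtt)
                break
        sojourn = queue.dequeue(now, on_drop)
        if sojourn is not None:           # delivered: an ACK comes back
            sender.on_ack()
            last_rtt = BASE_RTT_MS + sojourn
            peak = max(peak, sojourn)
            if now >= (seconds - 10) * 1000:
                window.append(sojourn)
    return sum(window) / len(window), peak


if __name__ == "__main__":
    for name, q in (("tail-drop FIFO", Fifo()), ("CoDel", CoDel())):
        mean, peak = simulate(q)
        print(f"{name:15s} mean delay {mean:7.1f} ms   peak {peak:7.1f} ms")
```

With the FIFO the queue settles around half to fully occupied, so every packet waits hundreds of milliseconds and the peak passes a second: exactly the "ping rockets up" symptom. With CoDel the same sender is cut back every time sojourn time stays above 5 ms for 100 ms, and the queueing delay hovers in the tens of milliseconds. The practical lesson for pfSense is in the model itself: CoDel only controls a queue it owns, so the upload limiter has to be set a little below the real line rate or the queue forms in the modem instead.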
Disadvantages of pfSense
- You need some hardware…: You can run pfSense on any PC from the last 10 years (even a laptop!) without too much trouble. But you still need to find that hardware and you might need to buy an extra network card or two.
- …and it might break: Your internet is now powered by an entire PC, with all the points of potential failure that brings: power supply, motherboard, fans, hard drive (or flash drive), network cards[3]. It’s also a lot more power hungry. You can buy dedicated pfSense devices that are simpler, but cheap ones tend to be quite underpowered and still have a lot that can go wrong.
- It's not as friendly as an Airport Extreme: An Airport Extreme is a consumer device. pfSense is a professional utility designed for use in enterprise environments. But then you wouldn’t be considering it if you didn't understand it. Obviously running a custom firewall is not for the faint-hearted.
- If you have ADSL, you’ll still need a modem, and Ethernet ADSL modems have always been a rare commodity here in the UK. You may have to repurpose an old modem-router and turn off all its functionality, leaving it acting as a dumb modem, but now you’re adding yet another layer of routing to mess with your traffic and go wrong. This is becoming less of an issue as more people move away from ADSL, since an Ethernet-based device is usually supplied (e.g. a fibre or cable modem).
- More moving parts in general: Using a single device for all your networking needs means that you have fewer things that can break. Now not only could your pfSense machine break, but your WiFi access point could break, your modem could break, your Ethernet switch could break.
If you’re looking to move away from commodity routers, I’d definitely recommend taking a look at pfSense. You may also be looking at OpenWrt or other custom firmware. If you are, definitely think about pfSense too.
[1] Strictly speaking it replaces a Linksys N750, but I wasn't using that for very long in between. Not because it isn't capable, just because it was a transition device.
[2] It’s easy to see if your network suffers with Bufferbloat; ping a machine on the Internet (e.g. 8.8.8.8) and saturate your upload. If your ping times rocket up to one second or more your network suffers from Bufferbloat. This is why P2P traffic slows down connections, but you don't need to shape P2P traffic specifically (your ISP already does enough of that!), you just need to solve Bufferbloat.
[3] In my experience off-the-shelf routers have a tendency to be unreliable too, so this may be psychological.