Netgate product

pfSense firewall and VPN platform for enterprise networks

Deploy secure routing, multi-WAN, IDS/IPS, and zero-trust connectivity with a proven open networking platform.

  • 500K+ installations worldwide
  • 15+ years of development
  • 99.99% HA with CARP
  • 100+ available packages

What is pfSense

pfSense combines next-generation firewalling, VPN, routing, and network services in a single, hardened platform.

  • Stateful firewall, NAT, and traffic shaping
  • Secure site-to-site and remote access VPN
  • Multi-WAN, VLANs, and advanced routing policies

Designed for Netgate appliances

Hardware and software tuned for predictable performance.

Validated throughput for routing, firewall, and VPN

High availability with CARP and sync

Package ecosystem for IDS/IPS and DNS security

Granular logging and monitoring

Key features

Capabilities aligned with enterprise security and compliance.

Stateful firewall

Granular policies, aliases, and application-aware controls.

VPN suite

IPsec, OpenVPN, and WireGuard for secure connectivity.

IDS/IPS

Snort or Suricata packages for advanced threat detection.

Dynamic routing

BGP, OSPF, and IPv6-ready routing policies.

High availability

CARP failover with configuration and state sync.

Extensible services

DNS filtering, traffic analysis, and add-on security packages.

Security and operations built in

Operational features from the pfSense documentation help teams deploy and manage securely.

  • User management, certificates, and authentication
  • Traffic shaping, captive portal, and services
  • Backup, recovery, and upgrade workflows
  • Diagnostics and monitoring dashboards

Configuration recipes

Documented templates for common deployments.

System visibility

Real-time insights into interfaces, VPNs, and services.

Compliance-ready

Granular logging, auditing, and reporting support.

Use cases

Branch and campus security

Protect users and sites with segmented networks and resilient WAN access.

Hybrid cloud connectivity

Securely connect on-prem networks to cloud workloads with VPN and routing.

Service edge

Deliver firewalling and VPN services for distributed environments.

Why teams choose pfSense

Lower total cost

Enterprise capabilities without high appliance licensing.

Security depth

IDS/IPS, DNS security, and segmentation in one platform.

Operational control

Familiar UI, automation hooks, and backup workflows.

Netgate support

Access to global support and expert guidance.

Performance at scale

  • 1M+ installations worldwide
  • 20+ years of development
  • HA with CARP
  • 100+ available packages

Ecosystem and integrations

Deploy pfSense across appliances, virtualization, and cloud services.

  • AWS deployments
  • Azure deployments
  • VMware and KVM
  • Netgate appliances
  • OpenVPN, IPsec, WireGuard
  • Snort and Suricata

Expert Analysis

What is pfSense and why is it the most trusted open-source firewall?

TUTARI S.A. — Certified pfSense Engineers

Expert Analysis Latin America and the Caribbean

pfSense is a FreeBSD-based firewall/router distribution developed and maintained by Netgate since 2004. With over 1 million active installations worldwide, it is the most deployed open-source firewall in enterprise environments. TUTARI deploys pfSense Plus (the commercial edition with official support) for organizations requiring enterprise-grade security without proprietary firewall licensing costs.

Our certified pfSense engineers configure full enterprise capabilities: stateful packet inspection, VPN (IPsec IKEv2, OpenVPN, WireGuard), CARP high availability with state synchronization, multi-WAN load balancing, IDS/IPS with Suricata (ET Pro rules), transparent proxy with Squid, DNS filtering with pfBlockerNG, and RADIUS/LDAP authentication for centralized management.

pfSense runs on dedicated Netgate hardware with AES-NI crypto acceleration, delivering up to 50+ Gbps throughput depending on the model. TUTARI provides custom sizing based on required throughput, concurrent connections, and active security services (IDS/IPS reduces throughput ~30%). Every deployment includes complete technical documentation and a disaster recovery plan.

FAQ

Frequently Asked Questions about pfSense Plus

Answers to the most common questions about our services

What does the Netgate pfSense Plus license include?

The pfSense Plus license includes: updated FreeBSD kernel with exclusive security patches, optimized network drivers (Intel ixl/ix, Mellanox), native WireGuard encryption with hardware acceleration, priority security updates (before CE), access to official validated package repositories, and eligibility for Netgate TAC support. On Netgate hardware, pfSense Plus comes pre-installed with a perpetual license tied to the device.

How does TUTARI configure high availability with pfSense?

We implement HA using CARP (Common Address Redundancy Protocol): two firewalls in an active-passive cluster with a shared virtual IP, connection state synchronization (pfsync) for transparent failover without session loss, configuration sync (XMLRPC) to keep both nodes identical, and interface monitoring with automatic failover. Failover occurs in under 2 seconds. For multi-WAN, we configure gateway groups with IP monitoring and failover.

Can pfSense function as an enterprise IDS/IPS?

Yes. pfSense integrates Suricata as the IDS/IPS engine supporting: Emerging Threats Pro rules (subscription included in TUTARI plans), Snort VRT rules, automatically updated malicious IP lists, protocol inspection (HTTP, TLS, DNS, SMB, SSH), and real-time malware/C2 detection. TUTARI configures Suricata in inline IPS mode with per-interface policies, false positive whitelisting, and alerts integrated with our SOC for event correlation.

What real throughput can I expect from pfSense?

Throughput depends on hardware and active services:

  • Netgate 1100: 1 Gbps (pure firewall) / 500 Mbps (with IDS/IPS)
  • Netgate 2100: 5 Gbps / 2.5 Gbps
  • Netgate 4100: 10 Gbps / 5 Gbps
  • Netgate 6100: 20 Gbps / 10 Gbps

IPsec VPN with AES-NI reaches ~80% of base throughput. TUTARI performs iperf3 throughput testing and real throughput monitoring during deployment to validate that requirements are met.

Can I migrate from SonicWall/Palo Alto to pfSense with zero downtime?

Yes. TUTARI executes zero-downtime migrations: first we document the existing configuration (rules, NAT, VPN, routes), replicate it on pfSense in parallel, validate with test traffic, and perform the cutover during a maintenance window with instant rollback available. We have migrated organizations with 100+ firewall rules, 20+ VPN tunnels, and complex BGP routing from SonicWall, Palo Alto, and WatchGuard. The typical process takes 2-4 weeks including validation.

Does pfSense Plus include web filtering and application control?

pfSense Plus offers web filtering via pfBlockerNG (DNSBL lists with millions of categorized domains, GeoIP blocking) and Squid proxy with SquidGuard (URL categorization by content). For Layer 7 application control, Suricata with application identification rules or ntopng for traffic visibility are used. While it lacks a proprietary DPI engine like Fortinet, the pfBlockerNG + Suricata + Squid combination covers 95% of enterprise use cases.

Start with pfSense

We design a secure architecture, validate hardware, and support implementation.