pfSense Plus vs. TNSR

Which solution is right for your needs?

Compare Products

Bird’s Eye View

pfSense® Plus and TNSR® are both excellent secure networking software solutions. And, while they share some common ground, they are more different than alike in terms of feature set, performance, scalability, manageability, and targeted users.

workers at servers

Two Products Separated by Feature Set, Scale, and Manageability

pfSense Plus is ideal for users who need comprehensive firewall, routing and VPN capabilities for home, remote / branch office, corporate, or cloud locations. As well, it is easy to manage and has time-tested resilience and reliability.

Performance wise, pfSense can nearly saturate 1-10 Gbps WAN links when forwarding Iperf, or even IMIX, traffic. While the product is deployed across every vertical and continent for more demanding firewall and VPN applications, WAN link throughput will decline due to the limitations of kernel-based packet processing.

As throughput needs increase, especially where application (smaller packet) traffic and more robust encryption ciphers are used (high-performance VPN connections) come into play, TNSR soars in its ability to saturate 1,10, 40, and 50 Gbps native or bonded WAN links, nearly impervious to packet size. While fully-featured from an edge routing (including L2, L3, and L4 ACLs) and site-to-site IPsec VPN perspective, TNSR does not address common firewall use cases like iDS/IPS, content filtering. Finally, TNSR - as a high-performance router-based solution - is not equipped with a GUI, but rather a CLI and API, the latter of which lends itself to more advanced and automated configuration, management, and monitoring approaches.

A Rundown of Technical Specifications

A high-level comparison table is shown below. More detailed feature lists for pfSense software and TNSR software are here and here respectively. Product documentation provides the most definitive feature detail.

Feature

pfSense+ Software

TNSR Software

Target Market

Firewall/Router/VPN solutions for Homes, Businesses, and Service Providers
High-performance router solutions for Businesses and Service Providers

Lifespan

  • Project started 2004
  • First release 2006
  • Netgate controlling interest 2012
  • Introduced May 2018

Router

  • BGP
  • OSPF
  • Configurable static routing
  • Static ARP
  • IPv4/IPv6
  • IPv6 network prefix translation
  • IPv6 router advertisements
  • Multiple IP addresses per interface
  • BGP
  • OSPFv3 (OSPF6)
  • RIPv2
  • Static Routing
  • Static ARP
  • IPv4/IPv6
  • BFD with dynamic routing
  • Carrier-grade NAT (CGN or CGNAT)
  • ECMP
  • VRF
  • VRF-lite

Network Services

  • DHCP server
  • DNS Resolver
  • NTP Server
  • Dynamic DNS
  • NAT mapping (inbound/outbound)
  • 1:1 NAT
  • Outbound NAT
  • NPT
  • Reverse proxy
  • DNS forwarding
  • Wake-on-LAN
  • PPPoE Server
  • DHCP client/server
  • DNS Resolver
  • NTP Server
  • Port Forwards
  • 1:1 NAT
  • Outbound NAT
  • NPT
  • NAT44
  • NAT-T
  • CG-NAT (MAP-T/MAP-E)

VPN and Tunneling

  • IPsec Site-to-site
  • IPsec Remote Access
  • OpenVPN Site-to-site
  • OpenVPN Remote Access
  • VLAN support (802.1q)
  • 802.1ad VLAN (QinQ)
  • Bridging
  • LAG
  • GRE
  • IPsec site-to-site (Multi-core routed)
  • WireGuard® VPN
  • Public Key Infrastructure
  • IKEv2
  • DHGroups (Groups 1-24, and 31)
  • Encryption ( 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-ICV16-GCM-128, AES-ICV16-GCM-192, AES-ICV16-GCM-256, Camellia-128,Camellia-192, Camellia-256 and CHACHA20-POLY1305) 
  • GRE
  • VXLAN- Bridging
  • 802.1q, 802.1ad VLAN (QinQ)
  • Tap
  • Loopback
  • LAG
  • SPAN/ERSPAN
  • memif

Firewall

  • Stateful Packet Inspection (SPI)
  • GeoIP blocking
  • Anti-Spoofing
  • Time based rules
  • Captive portal guest network
  • Connection limits
  • L2 MAC/IP ACLs
  • L3 ACLs
  • L4 ACLs

IDS/IPS

  • Snort-based packet analyzer
  • Layer 7 application detection
  • Multiple rules sources and categories
  • Emerging threats database
  • IP blacklist database
  • Pre-set rule profiles
  • Per-interface configuration
  • Suppressing false positive alerts
  • Deep Packet Inspection (DPI)
  • Optional open-source packages for application blocking
  • Integrate with your preferred vendor via the TNSR RESTful API
  • Integration guidance is available here

Proxy and Content Filtering

  • HTTP and HTTPS proxy
  • Non Transparent or Transparent caching proxy
  • Domain/URL filtering
  • Anti-virus filtering
  • SafeSearch for search engines
  • HTTPS URL and content screening
  • Website access reporting
  • Domain Name blacklisting (DNSBL)
  • Usage reporting

Data Plane / Packet Processing

  • Kernel-based processing
  • TNSR is not kernel-based processing
  • TNSR leverages Vector Packet Processing (VPP) and Data Plane Developer Kit (DPDK) to deliver substantially greater packet-processing performance and throughput.

User Management

  • Local user and group database
  • User and group-based privileges
  • Optional automatic account expiration
  • External RADIUS authentication
  • Automatic lockout after repeated attempts
  • Local user database
  • User and group-based management via NETCONF Access Control Model (NACM)
  • RESTCONF
  • External RADIUS authentication

High Availability

  • Common Address Redundancy Protocol (CARP)
  • Dual-node only
  • Virtual Router Redundancy Protocol (VRRP)
  • VRRP Interface tracking
  • Multi-node

Performance

  • L3 Forwarding: 1.18 Gbps per core
    IMIX packets L3 Forwarding
    (pfSense 2.4.4-p3 on an Netgate XG-1541)
  • ACL Firewall: 0.57 Gbps per core
    IMIX packets through a 10K ACL Firewall
    (pfSense 2.4.4-p3 on an Netgate XG-1541)
  • IPsec: 0.43 Gbps per core
    IMIX packets through an AES-128-GCM IPSec VPN tunnel
    (pfSense 2.4.4-p3 on an Netgate XG-1541)
  • L3 Forwarding: 9.84 Gbps per core
    IMIX packets L3 Forwarding
    (TNSR 19.05 on a Netgate XG-1541)
  • ACL Firewall: 9.47 Gbps per core
    IMIX packets through a 10K ACL Firewall
    (TNSR 19.05 on a Netgate XG-1541)
  • IPsec: 7.03 Gbps per core
    IMIX packets through an AES-128-GCM IPSec VPN tunnel
    (TNSR 19.05 on a Netgate XG-1541)

Manageability

  • GUI
  • Console Port
  • CLI
  • RESTCONF API
  • SNMP
  • Prometheus Exporter
  • IPFIX Exporter
  • Link Layer Discovery Protocol (LLDP)

Open Source Scope

  • Source code available (pfSense CE)
  • Underlying open-source projects provide source code
  • TNSR is only available as a binary

Commercialization

  • Free Binaries - pfSense CE
  • Chargeable Binaries