TNSR High-Performance VPN Concentrator vs. pfSense Plus Software on AWS
Netgate® TNSR® High-Performance VPN Concentrator offers routed site-to-site and remote access VPNs via IPsec or WireGuard® with no hidden fees. The product provides versatile management with a command line interface (CLI), RESTCONF API, and GUI, as well as advanced monitoring and troubleshooting with SNMP, Prometheus Exporter, and IPFIX Exporter. Standardized BGP, OSPF, and RIP routing protocols are also available. See features here.
pfSense® Plus software is a popular firewall, router, and VPN solution that can be deployed on Netgate appliances, virtual machines, and in public or private cloud environments. This comparison will focus on the VPN capabilities of the product on AWS®.
Netgate pfSense Plus Firewall/VPN/Router offers a wide range of VPN features, including site-to-site and remote access VPN, support for IPsec, OpenVPN®, and WireGuard protocols, IPv6 support, split tunneling, multiple tunnels, VPN tunnel failover, NAT support, automatic or custom routing, and more. See the full list of features here.
Like TNSR High-Performance VPN Concentrator, it can be used as a cloud VPN gateway.
Feature | TNSR High-Performance VPN Concentrator | pfSense Plus |
Management | | |
Command Line Interface (CLI) | Yes | Yes |
Graphical User Interface (GUI) | Yes | Yes |
RESTCONF API | Yes | No |
Automation | | |
Ansible | Yes | No |
SaltStack | Yes | No |
Puppet | Yes | No |
Chef | Yes | No |
VPN Protocols | | |
IPsec | Yes | Yes |
WireGuard | Yes | Yes |
OpenVPN | No | Yes |
Monitoring/Logging | | |
DHCP Logging | Yes | Yes |
SNMP | Yes | Yes |
Prometheus Exporter | Yes | No |
IPFIX Exporter | Yes | No |
SPAN/ERSPAN | Yes | No |
Segmentation | | |
Virtual Routing and Forwarding (VRF) | Yes | No |
Security Add-Ons | | |
Access Control Lists (ACLs) | Yes | Yes |
Other Firewall Features | No | Yes |
Support
24x7 TAC Pro or Enterprise support is included for TNSR High-Performance VPN Concentrator, depending on the number of connected devices.
Customers with up to 50 connected devices can get expert answers within 24 hours via email or the support portal. They can also upgrade their support subscription to a 4-hour response time and live phone support. Customers with 100 or more connected devices can get expert answers within 4 hours via email, phone, or the support portal.
For pfSense Plus software, TAC Lite is included with AWS instances. Customers can also purchase additional TAC support: Pro ($399/Year) or Enterprise ($799/Year).
The Netgate community forum is available for both products.
Pricing
TNSR High-Performance VPN Concentrator is priced based on the number of VPN connections, with a discount for one-year and multi-year contracts. There are no additional data processing fees. See here for more on pricing or contact sales@netgate.com to discuss your needs.
On AWS, the vendor-recommended instance type for Netgate pfSense Plus Firewall/VPN/Router is m6i.large, which costs $2,099 annually, not including other AWS infrastructure costs.
Ease of Use
Documentation
TNSR software documentation is comprehensive and well-structured. From installation to advanced configuration, it covers a wide range of topics and includes examples to aid understanding.
pfSense Plus software documentation is also well-regarded for its thoroughness and clarity. It provides detailed guides and instructions for a smooth customer experience.
Installation
The documentation for getting started with TNSR software on AWS is straightforward. To get started, launch an instance of TNSR High-Performance VPN Concentrator from the AWS Marketplace. Access the instance via SSH for configuration, and follow a step-by-step configuration recipe. Terraform and CloudFormation can be used to integrate TNSR software into CI/CD DevOps pipelines, and templates are coming soon to further simplify the installation process.
Similar to TNSR software, the documentation for getting started on AWS with pfSense software is easy to follow. One difference is that most customers configure pfSense software using the HTTPS Graphical User Interface (GUI), though a limited set of configurations is possible through SSH (with optional key-based access). CloudFormation and Terraform templates are currently not available.
Management
There are multiple ways to manage TNSR software, including Command Line Interface (CLI), RESTCONF API, and GUI.
TNSR software configuration through both CLI and RESTCONF API enables the product to be managed by IT automation platforms like Ansible®, SaltStack®, Puppet®, or Chef™.
pfSense Plus software is primarily managed using the GUI, which features a dashboard and configurable widgets.
Basic maintenance tasks can also be performed from the pfSense Plus system console. The console is available via SSH (using optional key-based access).
Other Features
VPN
TNSR software supports WireGuard and IPsec (Site-to-Site and Mobile) VPN protocols.
pfSense Plus software supports IPsec, WireGuard, and OpenVPN VPN protocols.
Logging and Monitoring
TNSR software supports SNMP, SPAN / ERSPAN, Prometheus Exporter, and IPFIX Exporter for monitoring. It also supports DHCP logging, and general logs can be found in /var/log/syslog.
There is currently no direct integration with Amazon CloudWatch, but virtual machine information such as CPU, memory, and bandwidth is available.
pfSense Plus software provides monitoring through its GUI, with a dashboard for tracking firewall and network status. The software also offers logging for system activities.
Like TNSR software, pfSense Plus software supports DHCP logging and SNMP. It also supports monitoring add-on packages like NtopNG and Darkstat. IPFIX, SPAN / ERSPAN, and Amazon CloudWatch are currently not supported.
Segmentation
Virtual Routing and Forwarding (VRF) is supported in TNSR. VRF enables multiple routing tables on a single router. The technology is used in VPNs to provide secure, segregated routing over shared infrastructure.
pfSense Plus does not support VRF.
Security Add-Ons
TNSR supports Layer 2, Layer 3, and Layer 4 Access Control Lists (ACLs), scalable to over 100,000 rules. The product does not have other firewall features.
In TNSR, user authentication is done using either passwords or user keys.
Unlike TNSR software, pfSense Plus software is a powerful firewall with features like stateful packet inspection, IP/DNS-based filtering, captive portal, time-based rules, RADIUS and LDAP external user authentication, and more. See the full list of features here.