pfSense Plus vs. TNSR

Which solution is right for your needs?

Bird’s Eye View

pfSense^® Plus and TNSR^® are both excellent secure networking software solutions. And, while they share some common ground, they are more different than alike in terms of feature set, performance, scalability, manageability, and targeted users.

pfSense Plus is a fully-featured firewall, VPN and router solution

Ideal for homes, businesses, educational institutions, government agencies and service providers
Proven firewall (including IDS/IPS attack prevention, proxy, content filtering) and VPN and router feature set
Scales well to the limits of kernel-based packet processing
Traditional management via GUI and/or CLI
Edge or cloud deployment

Get Started with pfSense+

TNSR is a high-performance VPN and router solution

Ideal for enterprise-class businesses, educational institutions, government agencies and service providers
High-performance router and site-to-site VPN solution
Extraordinary scale by leveraging Vector Packet Processing (VPP) and Data Plane Development Kit (DPDK)
Automated management via RESTCONF API or CLI
Edge or cloud deployment

Get Started with TNSR

Two Products Separated by Feature Set, Scale, and Manageability

pfSense Plus is ideal for users who need comprehensive firewall, routing and VPN capabilities for home, remote / branch office, corporate, or cloud locations. As well, it is easy to manage and has time-tested resilience and reliability.

Performance wise, pfSense can nearly saturate 1-10 Gbps WAN links when forwarding Iperf, or even IMIX, traffic. While the product is deployed across every vertical and continent for more demanding firewall and VPN applications, WAN link throughput will decline due to the limitations of kernel-based packet processing.

As throughput needs increase, especially where application (smaller packet) traffic and more robust encryption ciphers are used (high-performance VPN connections) come into play, TNSR soars in its ability to saturate 1,10, 40, and 50 Gbps native or bonded WAN links, nearly impervious to packet size. While fully-featured from an edge routing (including L2, L3, and L4 ACLs) and site-to-site IPsec VPN perspective, TNSR does not address common firewall use cases like iDS/IPS, content filtering. Finally, TNSR - as a high-performance router-based solution - is not equipped with a GUI, but rather a CLI and API, the latter of which lends itself to more advanced and automated configuration, management, and monitoring approaches.

A Rundown of Technical Specifications

A high-level comparison table is shown below. More detailed feature lists for pfSense software and TNSR software are here and here respectively. Product documentation provides the most definitive feature detail.

Feature

pfSense+ Software

TNSR Software

Target Market

Firewall/Router/VPN solutions for Homes, Businesses, and Service Providers

High-performance router solutions for Businesses and Service Providers

Lifespan

Project started 2004
First release 2006
Netgate controlling interest 2012

Introduced May 2018

Router

BGP
OSPF
Configurable static routing
Static ARP
IPv4/IPv6
IPv6 network prefix translation
IPv6 router advertisements
Multiple IP addresses per interface

BGP
OSPFv3 (OSPF6)
RIPv2
Static Routing
Static ARP
IPv4/IPv6
BFD with dynamic routing
Carrier-grade NAT (CGN or CGNAT)
ECMP
VRF
VRF-lite

Network Services

DHCP server
DNS Resolver
NTP Server
Dynamic DNS
NAT mapping (inbound/outbound)
1:1 NAT
Outbound NAT
NPT
Reverse proxy
DNS forwarding
Wake-on-LAN
PPPoE Server

DHCP client/server
DNS Resolver
NTP Server
Port Forwards
1:1 NAT
Outbound NAT
NPT
NAT44
NAT-T
CG-NAT (MAP-T/MAP-E)

VPN and Tunneling

IPsec Site-to-site
IPsec Remote Access
OpenVPN Site-to-site
OpenVPN Remote Access
VLAN support (802.1q)
802.1ad VLAN (QinQ)
Bridging
LAG
GRE

IPsec site-to-site (Multi-core routed)
WireGuard^® VPN
Public Key Infrastructure
IKEv2
DHGroups (Groups 1-24, and 31)
Encryption ( 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-ICV16-GCM-128, AES-ICV16-GCM-192, AES-ICV16-GCM-256, Camellia-128,Camellia-192, Camellia-256 and CHACHA20-POLY1305)
GRE
VXLAN- Bridging
802.1q, 802.1ad VLAN (QinQ)
Tap
Loopback
LAG
SPAN/ERSPAN
memif

Firewall

Stateful Packet Inspection (SPI)
GeoIP blocking
Anti-Spoofing
Time based rules
Captive portal guest network
Connection limits

L2 MAC/IP ACLs
L3 ACLs
L4 ACLs

IDS/IPS

Snort-based packet analyzer
Layer 7 application detection
Multiple rules sources and categories
Emerging threats database
IP blacklist database
Pre-set rule profiles
Per-interface configuration
Suppressing false positive alerts
Deep Packet Inspection (DPI)
Optional open-source packages for application blocking

Integrate with your preferred vendor via the TNSR RESTful API
Integration guidance is available here

Proxy and Content Filtering

HTTP and HTTPS proxy
Non Transparent or Transparent caching proxy
Domain/URL filtering
Anti-virus filtering
SafeSearch for search engines
HTTPS URL and content screening
Website access reporting
Domain Name blacklisting (DNSBL)
Usage reporting

Data Plane / Packet Processing

Kernel-based processing

TNSR is not kernel-based processing
TNSR leverages Vector Packet Processing (VPP) and Data Plane Developer Kit (DPDK) to deliver substantially greater packet-processing performance and throughput.

User Management

Local user and group database
User and group-based privileges
Optional automatic account expiration
External RADIUS authentication
Automatic lockout after repeated attempts

Local user database
User and group-based management via NETCONF Access Control Model (NACM)
RESTCONF
External RADIUS authentication

High Availability

Common Address Redundancy Protocol (CARP)
Dual-node only

Virtual Router Redundancy Protocol (VRRP)
VRRP Interface tracking
Multi-node

Performance

L3 Forwarding: 36.7 Gbps
iPerf packets L3 Forwarding
(pfSense Plus 24.03 on a Netgate 8300)
Firewall: 26.8Gbps
iPerf packets through a 10K ACL Firewall
(pfSense Plus 24.03 on a Netgate 8300)
IPsec: 14.6 Gbps
iPerf packets through an AES-128-GCM IPSec VPN tunnel
(pfSense Plus 24.03 on a Netgate 8300)

L3 Forwarding: 110Gbps
iPerf packets L3 Forwarding
(TNSR 24.06 on a Netgate 8300)
ACL Firewall: 108 Gbps
iPerf packets through a 10K ACL Firewall
(TNSR 24.06 on a Netgate 8300)
IPsec: 47 Gbps
iPerf packets through an AES-128-GCM IPSec VPN tunnel
(TNSR 24.06 on a Netgate 8300)