Common Deployments

The pfSense® project is used in about every type and size of network environment imaginable, and is almost certainly suitable for your network whether it contains one computer, or thousands. This section will outline the most common deployments.

Perimeter Firewall

The most common deployment of the pfSense project is as a perimeter firewall, with an Internet connection plugged into the WAN side, and the internal network on the LAN side. It supports multiple Internet connections as well as multiple internal interfaces.

The pfSense software accommodates networks with more complex needs, such as multiple Internet connections, multiple LAN networks, multiple DMZ networks, etc. Unlike many similar solutions, you can deploy systems with dozens of interfaces if needed.

Some users also add BGP capabilities to provide connection redundancy and load balancing.

LAN or WAN Router

The second most common deployment of pfSense software is as a LAN or WAN router. This is a separate role from the perimeter firewall in midsized to large networks, and can be integrated into the perimeter firewall in smaller environments.

LAN Router

In larger networks utilizing multiple internal network segments, the pfSense project is a proven solution to connect these internal segments. This is most commonly deployed via the use of VLANs with 802.1Q trunking. Multiple Ethernet interfaces are also used in some environments.


In environments requiring more than 3 Gbps or 1 million packets per second of sustained throughput, no router based on commodity hardware offers adequate performance. Such environments need to deploy layer 3 switches (routing done in hardware by the switch) or high end ASIC-based routers. As commodity hardware increases in performance, and general purpose operating systems like FreeBSD improve packet processing capabilities in line with what new hardware capabilities can support, scalability will continue to improve with time.

WAN Router

For WAN services providing an Ethernet port to the customer, the pfSense project is a great solution for private WAN routers. It offers all the functionality most networks require and at a much lower price point than big name commercial offerings.

Wireless Access Point

The pfSense project can be deployed strictly as a wireless access point. Wireless capabilities can also be added to any of the other types of deployments.

Special Purpose Appliances

Many deploy pfSense software as a special purpose appliance. The following are three scenarios we know of, and there are sure to be many similar cases we are not aware of. Most any of the functionality of the pfSense software can be utilized in an appliance-type deployment. You may find something unique to your environment where this type of deployment is a great fit.

VPN Appliance

Some users deploy the pfSense software as a VPN appliance behind an existing firewall, to add VPN capabilities without creating any disruption in the existing firewall infrastructure. Most pfSense VPN deployments also act as a perimeter firewall, but this is a better fit in some circumstances.

Sniffer Appliance

One user was looking for a sniffer appliance to deploy to a number of branch office locations. Commercial sniffer appliances are available with numerous bells and whistles, but at a very significant cost especially when multiplied by a number of branch locations. the pfSense software offers a web interface for tcpdump that allows the downloading of the resulting pcap file when the capture is finished. This enables this company to capture packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis.

The pfSense project is not nearly as fancy as commercial sniffer appliances, but offers adequate functionality for many purposes at about 2% of the total cost.

DHCP Server Appliance

Some pfSense users deploy single interface pfSense installs as solely DHCP servers. In most environments this probably does not make much sense. But in some cases, the user's staff were already familiar and comfortable with pfSense software and this enabled further deployments without additional training for the administrators, which can be an important consideration.