pfSense exceeds 100,000 known live installs

November 2nd, 2011 by Chris Buechler

One of the common questions we get is how many installs are out there. While we don’t have any means of definitively knowing, we do have one metric that can be counted. Each month every system updates its IPv4 bogons list once, pulling from one of our servers. By counting the number of unique public IPs using FreeBSD’s fetch to pull that file within one calendar month, we know at least how many live installs with Internet connectivity are out there.

October 2011 is the first month that number has exceeded 100,000, with a total of 103,137. We’re adding 3000 net new installs on average every month in 2011, with over 4000 additional installs in October.

This under-counts the total for several reasons:

1. Only versions from November 2008 and newer pull this file from our servers, so it does not include older versions. While I expect the vast majority are on newer versions than that, we routinely encounter systems running versions that old and much older.
2. Some systems do not have DNS configured and hence cannot fetch the update.
3. Some systems are on private internal networks that cannot reach the Internet.
4. Some networks have multiple systems that go out from a single public IP, which we only count once.

No telling how many total installs are actually out there, but it’s definitely in excess of 103,000.
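
The counting method described above, as an added example that is not pfSense's own tooling: it tallies unique client IPs per calendar month from a web server access log and shows why several systems behind one public IP count once. The Combined Log Format, the `/bogons.txt` path, the `fetch libfetch/` User-Agent prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Combined Log Format). Addresses are from the
# documentation ranges; /bogons.txt is a placeholder path, not the real URL.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Oct/2011:04:12:09 +0000] "GET /bogons.txt HTTP/1.1" 200 4096 "-" "fetch libfetch/2.0"
198.51.100.7 - - [09/Oct/2011:11:30:41 +0000] "GET /bogons.txt HTTP/1.1" 200 4096 "-" "fetch libfetch/2.0"
203.0.113.20 - - [15/Oct/2011:01:02:03 +0000] "GET /bogons.txt HTTP/1.1" 200 4096 "-" "fetch libfetch/2.0"
192.0.2.55 - - [20/Oct/2011:08:00:00 +0000] "GET /bogons.txt HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.99 - - [21/Oct/2011:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "fetch libfetch/2.0"
203.0.113.20 - - [15/Nov/2011:01:02:03 +0000] "GET /bogons.txt HTTP/1.1" 200 4096 "-" "fetch libfetch/2.0"
this line is truncated or malformed
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def monthly_unique_installs(log_text, path="/bogons.txt", ua_prefix="fetch libfetch/"):
    """Count unique source IPs per calendar month that pulled `path` with fetch.

    path and ua_prefix are assumed values for this example.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or truncated lines
        if m["path"] != path or not m["ua"].startswith(ua_prefix):
            continue  # other files, or clients that are not FreeBSD's fetch
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # A set per month: two firewalls NATed behind 198.51.100.7 collapse
        # into one entry, which is the under-count in point 4 of the list.
        seen[ts.strftime("%Y-%m")].add(m["ip"])
    return {month: len(ips) for month, ips in sorted(seen.items())}


if __name__ == "__main__":
    for month, count in monthly_unique_installs(SAMPLE_LOG).items():
        print(month, count)
```
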

Thanks to all our users for helping us reach this significant milestone!

40 Responses to “pfSense exceeds 100,000 known live installs”

  1. Markus Fischer Says:

    I’ve installed about 50 systems at the moment. In schools, companies and tax consultants. With Squid + squidguard and HAVP (clamav), with email (Postfix + amavis + clamav + spamd) and is growing every day. It is stable, consumes few resources, and it is simply brilliant.

  2. bmanske Says:

    A good point is made here about connecting to the Internet. Would it be possible to build in a configuration knob or button to disable external checks for pfSense installs that ARE knowingly sequestered from the Internet? By that I mean, “no checking for updates, no checking for bogons, no images, icons or content pulled from external ‘net resources.”

    But it IS awesome to see pfSense grow as it is. The 2.0 release is amazingly stable and has been since its alpha-alpha status for most functionality on everything from Soekris boxen to Wyse thin clients to full-blown HP servers.

    “Great job” goes out to each and every pfSense team member and developer. Thank you, one and all.

  3. Andrea Says:

    Pfsense over the top!

  4. Joshua Says:

    We are using a few here at our company and plan to add a few more. Keep up the great work guys!

    Oh, and btw while this might not be the appropriate forum to request something, I’m going to do it anyway.

    I’ve been playing with Untangle for a bit. They’ve got some good stuff but I REALLY like the bandwidth enforcement/limiting stuff. Any major changes coming to compete with something like this?

  5. Chris Buechler Says:

    Joshua: we can do everything Untangle can do in bandwidth limiting and then some.

    bmanske: only things that contact us are the update checks and the bogons fetching, we won’t add an option to disable things that would make people miss out on important updates and possibly leave them with a misbehaving system. Yes they’re pointless when you’re in such a network, but not hurting anything. But you can of course take out that source yourself if you’re so inclined.

  6. Oliver Says:

    This is great to hear! It’s a nice piece to tell people/customers when they have not heard of the best firewall/routing platform out there.

  7. Dan Lundqvist Says:

    I have been running pfSense in a VMWare (with physical NICs) for lab during a couple of years but have finally moved into a standalone physical box. As soon as my WiFi-card arrives and is installed/working I will move this box into “production” mode as the primary router.

    Right now it is connected to WAN but as secondary and one computer on LAN is using it as primary.

    I’m looking forward to the 2.1 which hopefully will contain the IPv6 stack as well. (I saw that much of the v6 code has been merged now)

  8. Mitch Says:

    We’ve installed pfSense for remote end to end vpn tunnels, test network firewalls on vmware and production network firewalls on physical hardware. It’s outstanding! You guys ROCK

  9. Gertjan Says:

    Running pfSense since 2006.
    I needed a simple Captive Portal for my clients (hotel), a safe access to the net for our own LAN. I found all that with pfSense.
    Add to that, that pfSense delivers, is stable and easy to manage.
    I always dedicated pfSense to its own box, a recycled Dell office PC. Hooking it up to an UPS, it often showed me up times running for one year or more.
    I’m running “2.0 Stable” for several weeks now, it’s as good as 1.2.3, and I did not even discover half the possibilities.

    It’s a real no-Nonsense firewall.

    Btw: counting the “unique public IP” will probably count ‘me’ more than once.
    My Internet connection is a pppoe, and my IP WAN changes every week.

  10. Chris Buechler Says:

    Thanks for the comments.

    Gertjan: that’s not counting dynamic IPs multiple times, since the update only happens once a month each system is only there one time.

  11. Andrew Rimmer Says:

    These stats are great news for tech savvy suppliers such as ourselves. I frequently have to grit my teeth when externals refer to my pfsense routers as homemade. In reality the interface and documentation makes them far superior to many so called professional systems.

  12. Chris Buechler Says:

    Andrew: Yeah the perception by some people who are enamored with commercial systems is sometimes not great, when the rest of us know the reality is we offer at a minimum a comparable product, and at times a superior one. These stats should go a long way to helping companies like yours, as they clearly illustrate we’re one of the most widely deployed firewalls in the world, with a considerably larger deployed base than some of the commercial names who people probably see as “bigger.”

  13. Joost van den Broek Says:

    First of all, those are great stats. I’ve installed pfSense on about 10 systems myself. But one thing that concerns me, and I know this shouldn’t be the thread to start this discussion, but what happens if the bogon list gets hacked and filled with legitimate networks? How can we be sure the bogon list is valid?

    Other than that, I’m happy to see pfSense growing this rapidly!

  14. Chris Buechler Says:

    Joost: that’s one of two primary reasons we moved the URL from pulling direct from the cymru list to pulling a copy of their list from our servers back in 2008. One is not having someone else’s servers get that load, but more so is trusting our servers over anyone else’s. We know servers we fully control are properly managed and secured, we don’t have that assurance on servers others control. We also have a number of sanity checks on the list, internal and external. And none of our official servers are some low rent shared hosting, they’re all dedicated servers we have full control over.

  15. Diego Lopez Says:

    I have been using pfsense at least during the last 3 years. Countless firewalls have been deployed and they work without a glitch. Keep maintaining pfsense as useful as it is.

    Excellent work guys!

  16. Max Conrad Says:

    For what it’s worth, I’m in the Army and I use every opportunity to talk up pfsense over well-known “professional” network solutions. With budget cuts looming, I might get to see my ideas implemented in some fashion. If I had my way, I would wipe every commercial hacker-magnet OS from the entire Department of Defense and have them all replaced with *BSD systems. Great job, guys!

  17. dian Says:

    i use pfsense about 1 year ago.. starting from pfsense 1.2.3 release and now i can easily upgrade to pfsense 2.0 release.. very good performance.. thanks guys.. pfsense is excellent ..

  18. Shali K R Says:

    We are using pfSense 2.0 in our college and it’s working fine thanks a lot….

  19. Emel R Says:

    We are using PFsense RC 2.0 in our company, works perfect and stable… connecting 3 subnets via openvpn !!!
    Keep on going you guys !!!

  20. Dustin Decker Says:

    We’ve run an iptables-based roll-your-own firewall for quite some time, cobbled together with some bandwidthd here, a little ntop there… some custom mrtg scripts… the list goes on.
    We’re in a VMWare environment, and pfSense made a WONDERFUL replacement for all of it, reducing our overhead and streamlining most of what we needed from our firewall and gateway into a single host.
    And of course, pptp actually “works” which is quite lovely on top of it all. Bravo to the pfSense crew!

  21. Tobias Hoellrich Says:

    Maybe add a query-parameter (primary NIC’s MAC address?) to the fetching of bogon IPs in order to address point 4 above?

  22. John Wright Says:

    I was a long time IPCop user who switched to PFSense two years ago because I was looking for something that IPCop could not do — I won’t go into the details because what I found out was that neither IPCop nor MonoWall could do half the things that PFSense does! I have installed PFSense throughout my City’s network, at first it was because I needed a quick switch for a replacement while waiting on a $600 L3 switch, well once I found out how well it worked I decided to leave the 10 year PC in place and never ordered the L3 switch — FANTASTIC!! I placed one in another department over the summer (2011) after a thunderstorm took out a DLINK L3 switch I used another PFSense box to replace another blown L3 switch after hurricane Irene came through too.

    Please keep up the great work!! I love your products and now I’m considering using a PFSense box for my main network firewall/switch, maybe I’ll order one of the prebuilt rack mount models.

  23. Stephane Benoit Says:

    I run about 5 alix based pfsense boxes and intend to replace all iptables based fw of my clients. I just tried on an openvox IPC100 board and it works great too. Thanks for the great work.

  24. Kane Says:

    Great work! Set it and forget it, I love it LOL

  25. Christian Says:

    I have installed near 30 pfsense from 1.2.2 to 2.0.1 in fitness clubs as vpn gateways to the data center. In the data center I use a pfsense 1.2.3 in ha configuration to hold the 30 vpn do squid and mail gateway.

    You do a great work!!!!! Thanks a lot!!!!!!!!!!

  26. Peter Says:

    We’ve been running pfSense now for a few years and can only say one thing:
    I LOVE IT!
    We’ve been running within my company currently total 3 pfSense boxes; 1 as ‘router only’ and one HA-config running with 2 WAN’s, 11 VLAN’s and OpenVPN etc.
    Keep up the good work!

  27. Ross Says:

    I have two businesses, one is systems consultant firm and the other is a photography studio. I have been a long user of pfsense and I have 1 edge device and 4 on vSphere 4.1 doing internal tasks that do not see the internet.

    For my system consulting I always ask my clients when their routers give them headaches do you have an old laptop laying around. Surprisingly most do and I tell them about pfsense. I have only had a few say no, that they would want to stick with a retail based router. Most on their own figure out how awesome it is to have an enterprise firewall that has its own UPS system for power outages.

    I really like pfsense and with the Atom servers from Supermicro I am installing more and more of them into larger companies because they are in a 1U configuration and sit in the racks. You get 2 Intel NICs to start with and a PCIe slot for up to 4 more Intel NICs if you need to divide the network up for wireless clients, DMZ’s, wired connections that can not see your internal network for customers and client presentations, the list goes on.

    You guys are awesome! Thanks

  28. Patrick Stewart Says:

    I have just found pfsense as an option in our virtual datacenter. I created an instance and faster than I ever was able to get a test WAN gateway up routing to the LAN and a VPN to my remote clients. It was most impressive and as I discover more packages and what they add to pfsense I get all excited as this is more than a firewall or router project this is an insanely rich application framework for deploying any type of network appliance or service with the right package installed. Awesome, I have been converted and cannot wait to dive in to more pfsense.

  29. Paul Edwards Says:

    Hi there,
    Have been looking around for a solid opensource firewall for our test beds and have found pfsense has ticked all the boxes. Very tempted to put this on our production network as it seems solid!
    One request would be the possible integration of some form of web proxy filtering like DansGuardian would be excellent.
    Forgive me if this is something it can already do but I’ve been too blind to spot it!

    Keep up the excellent work guys – awesome stuff.

  30. Adam Says:

    Rolled out 4 PFsense boxes at different locations and have it running at home as well. Many techs I know have deployed it at home. 100k is surprisingly low seeing as I can think of a dozen installs in my immediate area.

  31. Chris Buechler Says:

    We’re up to 120,000 in March.

    Most vendors don’t put out numbers so it’s hard to say how that compares. That’s over double Astaro’s install base. Cisco put out a number in recent years that they have a bit in excess of 1 million PIX/ASA boxes out there, and they’re the most widely deployed comparable firewall. To have maybe 10% of Cisco’s install base is very significant.

    I’m sure it doesn’t compare to what Linksys has out there in home grade routers, but that’s not the market we play in, just like Cisco isn’t focusing on selling ASAs to the home market.

  32. Richard Martin Says:

    I have 4 installs too… to start with – wouldn’t use anything else and the support is 110% :)

    I’m telling everyone in the Ireland government – use it – why would you use anything else?

    Used many, many different firewalls and this is the best…

  33. Chris Buechler Says:

    Update for April 2013 – now 167,697 known live installs.

  34. Will M. Says:

    I’ve used pfSense 3 years now easily. I have been extremely happy as the config files for openBSD’s PF were just getting too wild to manage across many devices because I just didn’t have the time to build a platform to manage them myself.

    Thank you guys @ pfSense. It’s a great solution and community.

    By the way, I don’t care that you monitor bogons. I am super paranoid on these things, but you’ve given me a stable, open source product that I can’t find anywhere else. I could probably stop that from happening, but I don’t care.

    YOU CAN HAVE THE BOGON DATA. :).

  35. Goliator Says:

    Congratulations Team !!!!!

    And go for OpenSource !!!!

    The best firewall no commercial by difference.

    Also think that you’re doing great FreeBSD.

    Thanks

  36. Hollander Says:

    I have it running for 1 month now, after having gone through great trouble getting it to work: but this was my ISP’s fault and hardware faults, not PFSense’s fault. After having bought new hardware, and thanks to the *great* support of the forum members (with an ultra-special word of thanks to Steve :-)). It has been rock- and rock stable, and I am very happy I went this route. Of course, although I am by no means a rich man, I’ve sent a small financial donation to the team, hoping they’d enjoy a beer on my behalf :-)

  37. Slick Says:

    I run 2 in a school district. One as the edge NAT router and the other as an internal non nat router so I can firewall between the subnets as needed. I do run an untangle in between for filtering purposes. Each pf has 3 interfaces. On the edge 1 is wan 1 is lan and 1 is guest access. On the int, 1 is “wan” which goes to the untangles int and the other 2 are bonded using lagg for extra throughput between VLAN’s. The boxes are toting 3.1 Ghz i3-2100 with 8Gb of ram. When I assembled these boxes I tested their configuration together and was able to max out the gigabit nics.

    This is one of the best products I have ever used. I get better features and speed than name brand routers for fraction of the cost. And I don’t have to remember all the cli commands to make even the smallest change.

    Thank you to the devs at PFSENSE! Keep up the good work.

  38. The Ninja Geek » pfSense 2.1 Release is finally here! Says:

    […] to become one of the most widely used network firewalls in the world, with in excess of 167,000 known live installs as of April 2013. […]

  39. Dave Says:

    We have many pfsense boxes operating within commercial environments such as mines, mills, financial firms, industrial factories and a number of car dealerships with user count ranging from 30 users to 800 users. We have multiple pfsense boxes running on different networks in cluster. I am a big fan of pfsense and my boss worships the thing. It really is an amazing creation. We constantly have sophos reps trying to get us to adopt the sophos UTM but every time a POC is done by sophos we match the results with a pfsense box.
    PFsense does everything we require from a FW and more we will not be leaving pfsense.

  40. Matt Crevier Says:

    There are only two commercial firewall solutions that I would pick over pfsense. The stability, features and flexibility of pfsense amazes me, and the fact that it’s free just blows my mind.

    I’ve used pfsense in my home environment for over 5 years, and have only had to reboot the firewall for updates. I use it heavily in lab environments to test out topologies for my customers. It’s deployed as a virtual machine, so I can scale the performance to meet my needs.

    Recently I had a customer deploy a C**** A*A 5585X active/passive solution. The pain and drama that I went through getting the A*A’s to meet the customer’s needs was unreal. Only to have them fail due to a software bug 8 hours after going live. I tested out the same topology with pfsense, and it worked immediately. Not only does it work, I can use both firewalls simultaneously since I am syncing TCP state information. Load balancing is handled through BGP by originating a default route downstream.
