Just use OpenBSD. They are the upstream developer of pf anyway.
pfSense uses FreeBSD's fork of pf, which is years out of date. They forked in order to add multithreading, ostensibly for performance. But the diff is too complicated to keep rebasing on top of upstream, so they're stuck with a pf from 2009.
Here are a few resources to get you started. You'll learn plenty about routing!
Compared to Linux, OpenBSD is starkly minimal. It can be a little bewildering when common programs seem to be missing, but the man pages are outstanding. And the system is very simple and reliable. Config files are almost comically short. My /etc/hostname.re0 config is just five bytes: `dhcp\n`.
I appreciate pfSense offering something that's better than the average firewall, but I really wish they would just build it on top of the latest release of OpenBSD.
OpenBSD and pf really are the best. As noted above, FreeBSD has wandered off into the weeds with pf for no good reason. There have been so many improvements to pf since 2009 that I wouldn't even consider using something that old.
I used pfSense years ago when I was first learning firewalls. These days the best GUI for me is no GUI but a CLI, but some people don't want to take the time to build a firewall. Granted, once you know how to do it, it doesn't take that much time to build a firewall, but it does take time to understand what you're doing and why. But really, not that much time, considering the aggravation it can save you down the road.
Dunno about Linux but OPNsense forked off them a while back. Can't speak about the rest but I know that fq_codel is supported because I use that myself.
(Frankly, I switched away from pfSense because I like the OPNsense developers and surrounding community better. I'm more confident that if they haven't already addressed those defects, they will soon or they'll welcome patches that do.)
I was going to say ipfire, which is particularly interesting to me because of grsec built in, which is awesome.
That being said, if you haven't already, it's time to start learning NFTables and skip right to the chase.
Personally, I tend to not like abstracting firewalls away via GUIs or other methods like firewalld. It's more work, sure, but I understand what's going on and have better control.
You probably know, but pfSense is mostly just a nice UI on top of built-in networking support in BSD. Linux network support has a lot more features on top of that.
You can do more than pfsense with a plain old Linux box but it takes some dense reading to learn to manipulate the traffic control and routing tables yourself.
The reason why most open source router distributions with a UI are pretty basic is because everyone doing things sufficiently advanced knows how to manipulate the network stack directly and only needs the command line.
"You can do more than pfsense with a plain old Linux box but it takes some dense reading to learn to manipulate the traffic control and routing tables yourself."
That's why having a nice UI already adds a lot of value :).
I wanted something under Linux and I ended up trying a combination of Shorewall and its Webmin plugin to have something similar, but a more holistic solution would be interesting.
Not to mention that pfSense normalizes a lot of management. It provides an easy mechanism to queue changes and apply them, log when changes were made and what the changes were, etc.
In a previous job we used to deploy OpenBSD firewalls to provide site-to-site VPNs. We switched to pfSense because management was easier when you have 10-20 of them to deal with, and multiple people might have access.
That said, we definitely would have preferred an equivalent interface on top of OpenBSD instead of FreeBSD. There were some differences in the CARP implementation in FreeBSD that made some features of CARP we relied on with OpenBSD unavailable in FreeBSD, and thus pfSense.
I wish there were better UI-based distros but the value is kinda limited since people doing the really advanced stuff know Linux-specific networking like qdiscs and iptables.
You pretty much learn the commands while reading about how the stuff works. I've seen a ton of horribly configured pfSense boxes because it exposes all this functionality to people that honestly shouldn't have it and don't know what they're doing.
It's like regedit for networking. If you know enough about the registry to be fooling with it you don't really need a UI but it's nice to have.