Basic considerations

For the most part, you can begin installing and configuring pfSense packages without worrying too much about the effects they will have on your pfSense system. Nonetheless, some caution is called for when installing packages on mission-critical systems. First, having some basic knowledge of the technologies underlying the packages you want to install is helpful. For example, it would be ill-advised to install routed (the Routing Information Protocol daemon) without having some basic knowledge of how dynamic protocols work in general and how RIPv1 and RIPv2 work (in this case, reviewing Chapter 10, Routing and Bridging, is a good starting point).

Beyond that, you should be mindful of the fact that installing additional packages may consume additional resources. Simple packages such as arping and cron can be installed on virtually any pfSense system without much consideration, but they are the exception to the rule. Installing and configuring a proxy server requires additional disk space to store cached web pages. Many packages require additional CPU resources. Any dynamic routing protocol requires CPU resources to calculate routes, as do many intrusion detection systems. If you did not foresee installing such packages when you initially came up with the specifications for your pfSense box, you may have to adjust these specifications accordingly.

Installing and using packages without consideration of resource utilization can result in the following:

  • CPU resources being taxed heavily, bringing pfSense to a crawl
  • Disk space being completely used up, so that the DHCP server stops functioning, and no more DHCP leases are assigned
  • pfSense being unable to update because there is insufficient disk space
  • In some cases, insufficient disk space/CPU resources can render pfSense unusable, requiring a complete reinstallation of pfSense

All of these are outcomes we want to avoid in a production environment, so obviously some caution is justified when installing and configuring packages.

Furthermore, you should consider how packages interact with existing pfSense functionality and with other packages. For example, some packages are installed in the same location as other packages and thus cannot coexist with each other. OpenBGPD, Quagga OSPF and FRRouting come to mind: these packages are intended to be mutually exclusive and are not compatible with each other. If you don't remember this, you quickly will if you install one when one of the others is already installed, because the package installer will erase existing incompatible packages. If you already have firewall rules in place upon which you rely, be aware that installing a proxy can affect outcomes, and traffic that was assumed to be blocked may no longer be blocked, as we will see when we cover Squid later in this chapter.
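The checks described above (disk headroom, CPU load, and mutually exclusive routing packages) can be scripted as a pre-install gate. The following is an added example, not code from the book or from pfSense; the package-name spellings, the 512 MiB headroom figure and the single-root layout are assumptions.

```shell
#!/bin/sh
# Pre-install checks for a pfSense package (added example).
# Assumptions: the package-name spellings, the single-root "/" layout and
# the headroom figure are illustrative, not values from the book.

ROUTING_GROUP="OpenBGPD Quagga_OSPF FRRouting"   # mutually exclusive per the text

# free_kb MOUNT: reads `df -Pk` output on stdin, prints available KiB.
free_kb() {
    awk -v m="$1" 'NR > 1 && $6 == m { print $4; ok = 1 } END { exit !ok }'
}

# load_ok LOADAVG NCPU: LOADAVG is `sysctl -n vm.loadavg` text such as
# "{ 0.42 0.38 0.35 }"; succeeds while the 1-minute load is below NCPU.
load_ok() {
    printf '%s\n' "$1" | awk -v n="$2" '{ gsub(/[{}]/, ""); exit !($1 + 0 < n + 0) }'
}

# conflicts CANDIDATE INSTALLED...: prints installed packages that share the
# candidate's exclusive group and would be erased by the installer.
conflicts() {
    cand=$1; shift
    case " $ROUTING_GROUP " in *" $cand "*) ;; *) return 0 ;; esac
    for p in "$@"; do
        [ "$p" = "$cand" ] && continue
        case " $ROUTING_GROUP " in *" $p "*) echo "$p" ;; esac
    done
}

# preflight CANDIDATE NEED_KB DF_TEXT LOADAVG NCPU INSTALLED...
# Prints one line per problem and returns non-zero if any check fails.
preflight() {
    cand=$1 need=$2 df_text=$3 load=$4 ncpu=$5; shift 5
    rc=0
    free=$(printf '%s\n' "$df_text" | free_kb /) || free=0
    [ "$free" -ge "$need" ] || { echo "disk: $free KiB free on /, $need wanted"; rc=1; }
    load_ok "$load" "$ncpu" || { echo "cpu: 1-minute load is at or above $ncpu"; rc=1; }
    hit=$(conflicts "$cand" "$@" | tr '\n' ' ')
    [ -z "$hit" ] || { echo "conflict: installing $cand erases $hit"; rc=1; }
    return $rc
}

# Constructed sample input (not captured from a real firewall).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/constructed0 15224000 14900000 324000 98% /
devfs 1 1 0 100% /dev'

# Live use on the firewall shell would pass "$(df -Pk)", "$(sysctl -n vm.loadavg)"
# and "$(sysctl -n hw.ncpu)" in place of the sample strings.
preflight FRRouting 524288 "$SAMPLE_DF" "{ 0.42 0.38 0.35 }" 2 OpenBGPD arping || true
```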
