@viktormadarasz pf is a stateful packet filter. Pretty versatile, with an easily readable configuration language, but still a packet filter. It won't give you any fancy "NG" firewall features or much in the way of IDS/IPS - though some of the statistics-based options like max-src-conn-rate can take you in that direction.
Setting up clusters is not too hard, and IPsec works well enough.
@galaxis Any way to add Nextgen FW features in it?
@viktormadarasz Sorry, never tried, so I wouldn't know.
You can certainly install any of the common IDS/IPS engines, but I have no idea if any of them has infrastructure to be meshed into pf rulesets (except for fail2ban, which I have been using successfully on OpenBSD).
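As an added illustration of the max-src-conn-rate mechanism mentioned above (not part of either poster's text), here is a pf.conf fragment that rate-limits new SSH connections per source and banishes offenders into a table. The table name, thresholds and the use of the `egress` interface group are assumptions for the example; the same table can also be fed from outside pf with `pfctl -t bruteforce -T add <addr>`, which is how an external tool such as fail2ban can hook into a ruleset.

```pf
# Table holding source addresses that exceeded the limits.
# "persist" keeps the table alive even when it is empty.
table <bruteforce> persist

# Anything already in the table is dropped before any other rule is
# evaluated ("quick" stops rule processing).
block in quick from <bruteforce>

# Allow inbound SSH on the egress group, but track state per source:
#   max-src-conn 10       - at most 10 simultaneous states from one address
#   max-src-conn-rate 5/30 - at most 5 new connections per 30 seconds
#   overload <bruteforce> - a source that trips either limit is added
#                           to the table
#   flush global          - and every state it holds, on any rule, is killed
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bruteforce> flush global)

# Entries never expire on their own. Age them out periodically, e.g. from
# cron, so a ban lasts a day rather than forever:
#   pfctl -t bruteforce -T expire 86400
```

Check what ended up in the table with `pfctl -t bruteforce -T show`; if the thresholds are too low, legitimate automation (monitoring, config management) will land there too, so tune them to your real connection patterns before blocking.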