I don't comment on videos often. I just wanted to drop a line and say how much I appreciate your channel and videos. Super helpful and so helpful. Keep up the good work, I am a fan.
I don't always comment on videos but when I do, I comment on yours
Hi, old pfSense contributor here. I originally rolled into this project when using a M0n0wall router internally. After some further investigating we started using pfSense in the pre 1.0 days. Later on I wrote the RRD graphs, IPv6 support in the UI as well as implementing the Gateways, Gateway Groups and some other things. Eating one's own dog food is *very* useful. Things like the duplicate button that only existed on the firewall page were replicated to VPNs and other items, because it just makes life so much easier. The gateway groups came to pass from load balancing, wanting to assign weights, that sort of thing. The drawback of a lot of this is that you need to define everything before you can assign it. Sorry for that. But if you manage a lot of routes that makes it very readable and easy to grasp. Also glad that apinger was replaced with dpinger :) Then you need things like PXE network booting and pfSense just has the ISC dhcpd logic to pass the right BIOS, EFI32 or EFI64 image. Things that otherwise are really hard to get rid of, or only give you a single Boot file option, booo. We ended up building an internal VLAN router with this eventually, with a Dell PowerEdge server with an Intel X520 10GbE dual port card. That worked really well for 7 years or so and 1 upgrade cycle. The base box was less than 1500 euro a piece. HA was a cinch. Other plus is a readable configuration, and through the exec.php page I had a PHP interface to this config. So on regular occasions I wrote some conversion code to modify ~350 IPsec VPN tunnel endpoints or encryption settings using this page. I never found another that has something similar, and I had a tip that only Juniper currently has something comparable. For comparison, I now use a WatchGuard XTM M4600 (~14k euro a piece); the aliases are not sorted alphanumerically in the Windows Policy Manager, and are listed in a really small select screen. The OpenVPN server can only be used for mobile clients, and only has one server.
To make matters worse, the webserver it runs is on 443, so if it reloads rules you occasionally connect to the WatchGuard OpenVPN config server instead. Not so much fun. No support for OpenVPN client tunnels or extra servers with different settings or certs. Still, it does do a lot of inspection and offers inspection capabilities, but with some network bending drawbacks. Mind-bogglingly, if you need to look up the ARP table, that is only available in the WebUI, and not in the Windows manager. I guess each brand has their own issues and finicky things. I left the project after it went from BSD Perimeter to Netgate; it required signing a legal waiver for code contributed to GitHub, and I just never did. Good memories though.
The guys at Lawrence Systems are absolutely awesome. My IT skills are limited, but I had watched enough UA-cam videos to know that these guys knew their stuff. I live in Texas and I hired them to help me build and deploy a Ubiquiti network. They provided great advice, acquired and programmed all of the equipment, and then shipped it to me for install. I was going to use the USG, but they recommended the Netgate 3100. The network has been up and running for a little over a year and has worked flawlessly.
Hey guys! I deployed the Netgate for a client that needed several VLANs, one of which is a public wireless network. The venue is a performing arts theater and it has to handle a thousand connections both wired and wirelessly. It works great even running Suricata and other modules. It was super easy to configure, runs stable, but a little warm. I'd recommend it to anyone!
Many years late to the party, but want to give a thumbs up to pfSense! I use a Mikrotik box with two Smoothwall S8's running pfSense below. Separates my work and personal LAN. pfSense is so configurable, it's great. :) Suggest everyone give it a go.
I am so glad to see that Untangle gets your seal of approval. After struggling with pfSense, despite watching countless hours of video tutorials, and having to set up a second network for my wife to use, I switched over to Untangle in October. I went with the home subscription, and I don't think I will look anywhere else. Definitely worth the $50 price tag for ease of use, and the features that you get. Plus I don't have to upgrade my box for a while!
I've been running an untangle box for my router at home for about 4 years now and it's been great. Free license for all of it except one year I got the $50 one to check out content filtering and all that. Which do you prefer, untangle or PFsense? My buddy who got me into Untangle went to PFsense but I don't see any need for it.
EdgeRouter X is amazing! I've had one up for 2 years now. No downtime. Great alternative to crappy consumer all-in-ones. Pair it with an AC Pro and you have a Nighthawk killer.
@Questchaun lol, I had a look, I have an Asus RT-AC68U, no Nighthawk. Obviously I haven't looked closely. Same thing, it is just an AP and it works well. I've had it for a number of years.
Great video with lots of detail. I can only imagine the newbs having a hard time grasping the 'white box' comment when you picked up the black hardware case and having the 'black box' right behind it which was white in colour. Always makes me smile inside.
I'm an MSP and have been using Untangle at all my client sites for the last 6 years exclusively. I don't have near the experience you seem to have with other solutions, but I've been highly impressed with Untangle. As of yet, I haven't run into any config I couldn't achieve using Untangle. One of my favorite things is the OpenVPN app is part of the open source base, so I can get essential network config, reporting, and a VPN installed without a subscription. But when you get a subscription the possibilities are seemingly endless. At one of my clients, Untangle tarpits streaming media services based on the end user's Active Directory group membership! That's some really well integrated networking right there. But I did discover the Protectli devices on your channel, so I'm pretty sure my hardware costs can go down now ;-)
I used pfSense from the 2002 timeframe roughly until 2007. Then I became a "real" network engineer and went to various ASAs and SRXs. Ran Untangle at a couple customer sites until around 2015. Now I'm UniFi all the way just for simplicity. UDM Pro at home replaced my ER-4 which replaced a few previous Mikrotiks. Order of preference for features and performance: SRX, Mikrotik, EdgeRouter, UniFi. For ease of use: UniFi, ER, SRX, Mikrotik. I've tried various other open source and paid solutions over the years, and these are what I always come back to. I now use Palo Alto at work; they are NOT carrier grade, I miss my ASRs and MXs, but they do cover a lot of features and use cases. They are very expensive, even compared to Cisco, and I wouldn't recommend them for small business use at all! My life is simplified now that I'm older (42) so I have no DCs or anything crazy anymore, and just StarLink vs multiple load balanced connections in my past life. UniFi really does knock it out of the park, even with all their issues. Like getting IPsec VPN working over StarLink's CGNAT.... But it does work!
I put in an edgerouter pro (rackmount unit) with 54 VLANs on a gb fibre connection and it's been working great for about 2 years now. It's a 52 unit apartment complex with 9 Ruckus APs for wifi with a separate SSID and VLAN (plus 1 for public and management) for each unit. Also used UBNT POE switches and no issues there either.
Great information, and really appreciate that you also talk to those of us that build & manage networks for our SMB customers. Having your knowledge on-hand is how we look good for them! Cheers!
The ER-X can push ~200Mbps with QoS enabled and is the only router in the group with a dedicated switch chip. For small offices the ER-X is a little beast when you need to QoS your WAN and want to run VLANs bridged on the switch ports.
Thanks. This has been really helpful. I have a Sonicwall but refuse to pay Dell’s annual fees after the initial 3 years ran out. I’ve played around with pfsense but Untangle might be even easier and I can handle $50 a year. Your videos are some of the best of their kind on the web.
The Ubiquiti also supports BGP, ipsec, and VTI. I use all these to establish tunnels between branches, AWS, and other datacenters as the BGP advertisements make things simple. That said, the low end devices have a lot of features but they lack processing power. The Lite and ER-8 are used in branches while PFSense runs as a VM in the datacenter.
pfSense is great, I have 6 years experience deploying and using it in datacenters and office space. About 6 months ago I started trialling OPNSense which is equally great and a fork of pfSense. I recommend looking at that as well given the community edition / commercial split vibe I currently get from pfSense.
Thanks for the high level overview and comparison of the different platforms! It really comes down to use cases, and sometimes personal preference, for the most part with many of these. I've been running pfSense for a while, but as you said you really need to tinker a bit with things under the hood sometimes to get it working right. Had considered Untangle in the past due to the reporting functionality and front end configuration for most functionality... your video talked me into trying it out again. Thanks again for the video!
Great video! I've deployed all of these devices and couldn't agree with you more. Netgate is also my go-to for pfSense and I would advise anyone who is looking to deploy pfSense in a business environment to buy direct. One tip with Netgate: their email support is free if purchased through them with original configuration. They are quick to respond even by email. Of course, buy support if you have a mission critical environment.
Working with all these products for years, I used to build ipfilter rules on FreeBSD back in the 90s for top secure firewalls. Thanks to pfSense life is much better now. Agreed 1000%, amazing video.
Now by filtering you mean? Can you add the description in context? I get command lines. What’s best for a home multi connection with guest setup. TVs, Apple products, computers and scanner printer with enough power to run guest accounts via Wi-Fi. What would it cost to get a system fully protected like this?
Great summary, thank you! I also concur with all the callouts you have about USG, Edge, and pfSense. I personally lean towards pfSense as well. I do also have a USG Pro which seems to perform a bit better than the USG, but the VLAN routing, and routing between two LANs (LAN1, LAN2), is still a pain from what I have experienced, but I can't say that is the case because my skills may not be the best.
The Ubiquiti EdgeRouter has been pretty reliable for me when I want to eliminate a small business client's (no more than 7 workstations) router that comes from the ISP. After configuring about five of these I realized that spending more on a router saved the client some billable hours in locking down the Ubiquiti EdgeRouter.
Brilliant comparison, thanks Lawrence Systems. I've got a Netgate running pfSense at home and have just built a second remote pfSense box running on an HP Compaq DC8000 (Intel Quad Core with 4 GB of RAM). pfSense runs so well it's very difficult to look beyond. Interesting comments regarding Untangle. I've never used it, have heard of it, sounds quite good. I also have a ClearOS server sitting behind my pfSense router at home to provide some excellent transparent proxy content filtering (keep the kids protected from adult websites etc.).
Overall great video, I do think you needed to touch on the untangle pricing scheme more. $250/yr. for a 12 device subscription seems pretty insane imo.
Untangle is free for personal use/basic version. If you want all the bells and whistles (apps like content filtering) for home use, it's only $50. As far as for a business, $250 is really cheap. Most businesses that use Windows servers, adobe products, virtualization, etc. pay 10's of thousands per year (if not hundreds of thousands or even millions for large orgs) for licensing. I'm not sure what situation you'd need the $250 license for where that would be considered "insane". Your business can't pay 20 bucks a month for network/firewall/content filtering, VPN, etc? LoL! Or perhaps you're trying to use it for home use where $250 would be considered a lot of money and you're unaware they have the free basic version or $50/yr home version.
P.S. I'm not affiliated with Untangle at all. I've used it at my home for free for about 3 years and 1 year I got the $50 version to play around with some apps but decided not to keep it. Still use the basic free version though and it's fantastic. Haven't tried PFsense though so I can't say it's better or worse.
The nifty thing with pfSense is it's so easy to build what meets your needs so cheap...I was using a Zotac Zbox (which had realtek NICs) but recently was shown a nice cheap HP thinclient with PCIe slot for a server NIC in addition to options for swapping the OEM WLAN card for an OEM fiber-card. Total cost under $300 new with full gigabit (around 950Mbps) routing between VLANs and WAN with loads of resources to spare. I'd never update anything remotely just in case...but the ease of use and flexibility is amazing with what all pfSense can do.
Great and super easy video for me, not only to understand the features of these products, but it was a catalyst to my decision making for home networking requirements.
What are your thoughts about OPNsense as an alternative to pfSense? It seems to have some neat security features like two-factor authentication built in and Suricata built in etc.
Yes, OPNsense is a nice firewall. It comes from the Netherlands and has a great monitor mode where you can see real time traffic logs. You can see what ports are being used inbound and outbound and more. I can recommend this firewall 100%.
@squadramunter OPNsense had a nicer layout but now, after pfSense introduced the new layout, they are kind of on the same plane when it comes to the interface, at least I think so :) However, there are some features in OPNsense that would be great if pfSense had!
Nice comparison video for these low end firewalls with advanced features.. I recently downloaded pfSense to run in a SuperMicro ITX system. I’ll check out the generic system you recommended as well.
That black box from Alibaba can handle pfSense as a virtual machine on Hyper-V, for example. So you can install two pfSenses on it and get 2 VPN tunnels and update remotely without risk of losing connection. Moreover you can make a VM snapshot before the update to roll back if the update fails. And with a big size HDD you can install other VMs on this box. So you can get router(s), fileserver, lab for tests...
I really have enjoyed a lot of your videos. Keep it up. In my company we really love the Sophos XG line of firewalls and as a partner we get access to a centralized management system; that part does need some work. They aren't cheap though, but nowhere near Cisco prices.
For business use: the Ubiquiti line + Cloud Key and cloud management as an entry point. Chances are, you already are (or should be) using their APs anyway. Cisco Meraki MX with Advanced Malware Protection for most use cases, simply due to 0-day AMP, and SonicWall TZ series for more nerdy setups would be my starting points. First and foremost is support availability and not looping to a single tech guy who set it up through some "command line".
I really like my netgate box but just for your info, even with this box you can have problems when you update. I had it once that the box did not boot after the update. I had to access it via USB, reinstall pfSense completely and import my backup to get it working again.
EdgeRouter X does have the switch chip that allows offloading of processing power for 'soft switching' that is a feature of EdgeRouter Lite (does not have a dedicated switching chip). ER-Lite is better if you have 2 WANs and a LAN connection.
Have you ever put a USG between pfsense and your switch in a pass through like mode to get the nice graphs in the UniFi manager? I have UniFi APs and looking to get some more information in the dashboard and debating on a USG but keeping pfsense as my firewall
I've been using a Gigabyte GA-J1900D3V motherboard as a firewall which has a soldered-on Intel Bay Trail Celeron J1900 processor. I added an additional PCI dual NIC card, thus giving me four NICs. It works well as a firewall running Linux BUT the J1900 has a flaw which means it locks up solid occasionally, maybe once every 14 days. In theory the later Apollo Lake and Gemini Lake processors don't have the same problem, but I'm still waiting for Qotom and others to adopt newer chips.
I've been using a DIY Sophos box for the last few years, but lately I've been really thinking about testing PFSense on the same hardware. It's been a long time since I tried it, so it's probably come a long way.
For 2.5 Gbps use with VPN (router to router) to multiple sites I am torn between EdgeRouter Infinity, waiting for the UDM-Pro, or pfSense? I use UniFi systems too but don't care about fancy numbers and seeing all green.
Appreciate your detailed HW review. I would appreciate your recommendations regarding my network needs. I need a router / FW to do multi-wan load balance / failover that really works.. Beyond that my network needs are pretty basic. I've tried several ASUS and TP-Link routers that claim the dual WAN with load balance / fail over however none that I have tried have actually worked. I have about 45 connected devices ( 15ish wired and 30ish Wi-Fi). Both my WAN connections are
I'd be curious to see a comparison of pfSense and Untangle versus Peplink. I'd really like to have good multi-WAN load balancing and aggregation as part of my firewall configuration.
I really like your reviews and the magnitude of information you give us. I'd love to see an overview on how to combine a firewall with a router and switches to make the absolute max of the ISP provided internet bandwidth as well as the more powerful LAN setup between machines and switches. Like how limiting is the 1Gbps port on a firewall if you have a lot of LAN devices talking to each other using for example 2,5 Gbps switches and for example PC's and NAS servers :)
Forgive me if you have covered this before in an alternative video, but I have seen some of your videos on pfSense and was wondering if you rate OPNsense and would ever use it in any of your networks or in any of your customers' networks?
When deploying a distributed network, I actually _do_ want to set up _all_ the specific routes myself (including metrics for failover scenarios), "set in stone" in config files, and make sure they work, then try to break them, and once it all still works as intended, I open it up to the client for initial testing. Having your 3rd party firewall appliance logging into another fancy-of-the-month 3rd party's VPN or cloud hosting or whatever just adds potential points of failure and security risks outside of your reach and control. tl;dr: either do it at "at home" level, or do it at least semi-seriously. First off, all you need to understand is what you are actually trying to do, and then go on from there. Cheap/er/ish appliances tend to just sell you peace of mind, like a good chunk of most Windows desktop or mobile phone anti-virus/-malware bloatware does. Sometimes they're even posing a security threat themselves due to not being maintained and updated for years (but still being sold), or having significant design flaws in the first place (think older access points, networked print/scan/fax machines, cable modem back-looping, etc). Yes, it will involve learning about wth you're actually trying to do (or want to avoid happening), and yes, it will take more time. But, once done, you'll know exactly _what_ is happening _where_, and _why_. ...plus, you don't pay monthly fees to someone else for the knowledge you've acquired and applied yourself. (And if it doesn't work as intended, you'll probably have a very good idea about who to blame ;p) In case you want a solid solution but don't want to dig into it yourself or don't have the time, hire a professional to set it up and coach you on how to use it. Also, ask for documentation: IT guys hate to do it (because it's boring, spelling is a b%$=!, and being found out is embarrassing for many native speakers), but it'll help you a lot in maintaining your installation.
Also, you'll have a face with a name to it if you need assistance, instead of a $40/600/1k appliance you bought online and told its setup wizard to auto-configure itself in mysterious ways by clicking fancy icons. ...sorry for the rambling (oh, and the semi-necro). I'll revisit this post after having sobered up a bit :)
I should add that the Spectrum-supplied (and required) gateway forced all DNS requests to Time Warner DNS servers, regardless of the DNS selection in the gateway/router. So services like OpenDNS were not accessible without additional hardware to bypass the Time Warner DNS servers.
Use a Mikrotik for the first barrier and with the right rules in it is a great wall and does not crumble on DoS like I experienced with a Ubiquiti. Great comparison for those choices.
Those Ubiquiti seem cool for the single pane of glass but pfSense or Untangle seems more feature rich. What AP would you pair with an Untangle/pfSense install?
My company primarily services SMBs and we're looking to switch away from SonicWalls. The problem is that we just know them and change is hard. I might pick up another NIC and run pfSense on my home server to test it out.
Nice comparison you got there, mate. My previous firewall was pfSense and I changed to the UniFi Security Gateway Pro. Honestly, I can't do much with the USG, unlike my previous firewall which is quite flexible. Bad decision... :D
Pretty amazed that so many people love Ubiquiti products. I have an $860 Ubiquiti ES-48-500W switch in my LAN at work and it is the worst device I have ever seen in my 15 years of network engineer experience. This model was purchased because it was the only device on the market (at that time) providing both passive 24V PoE and 48V PoE+ in one device. No web interface at all; you need to have a laggy controller written in Java installed somewhere in the network to be able to change something on the switch. Stupid settings are placed in different sections of the interface. The interface is filled with tons of unnecessary stuff you are not able to use. When you change some settings and apply them it drops all connections on the LAN; I don't know what it actually does, but you will lose connection to the server even if you are not actually connected through the Ubiquiti switch! Even the password remember option is present in the interface but not working. The stock fans of the switch at almost zero load were louder than all my 5 servers together; I had to order and replace them with Noctua fans, losing the warranty. IMHO cheap SOHO TP-Link/D-Link devices are more user friendly than this piece of ...... hardware. All the other network is based on more than 60 Mikrotik routers, only good feelings... I was surprised that you didn't mention Mikrotik devices at all.
Hi Tom, thanks for the video. Would be nice if you could cover Cisco ASA and Dell SonicWALL just to know the advantages between open source and enterprise commercial solutions.
I am using the SG-3100 for more than a year now, and the only thing I don't like about their product is the non-discrete ports. The 4 ports are switched together and it is uselessly complicated to have them behave like real discrete ports. And because of that complexity, I instead went and got a PC Engines box with 4 discrete ports and installed OPNsense on it and that's it: easy config of the different ports for different tasks without having to do voodoo magic to get the ports separated. Everything else is great and the SG-3100 is able to sustain a NATed ~1 Gbps speed with no problems.
Hey, just wanted to give my two cents about Mikrotik. They didn't come in an insecure config. The home stuff came preconfigured secure. The bigger systems were completely unconfigured but could be loaded with a safe config via a QuickSet menu.
You guys ever mess with Cisco ASAs? We have a 5508-X for firewall and routing and have trouble finding vendors who will help us reconfigure it. It's too much of a dark art for our 2-man team to learn and properly configure ourselves and we're wondering if we should continue to stick with it!
What is the consensus on Firewalla? It doesn't look very professional but seems to meet my needs. My main concern was filtering inappropriate sites on a public guest network. I tried SquidGuard on a UniFi USG (via CLI) but felt I had little visibility into what the USG was really doing. Firewalla seems to do a good job but I don't know what I don't know.
For the comments on the EdgeRouter series, would you say the same is true for the EdgeRouter Pro 8? I went for that one mostly for the higher throughput. I did replace the fans for quieter ones, but it has served me well. I've got a relatively high number of devices, but it is home use with an office element for my job. 200 Mbit up/down is the fastest I can get, so even with some basic filtering enabled I'm still safely away from the bottleneck :) Appreciate the honest comparisons. I have the UniFi AC Pros, very nice devices. Still not sure if I should go for a UniFi switch though, as I want to prep for 10G and you have to step up to 48 ports to get that PoE+ ability. Thanks again!
Thanks for the comparison... I'm interested in the Netgate box, would you still recommend it or are there better alternatives at that price point ($400) these days?
The Protectli is way better than any Netgate; it runs everything under the sun including OpenBSD. I've run VyOS, OPNsense, pfSense, OpenBSD without any issues. I have the SG-1100 and it is very fast but it appears like you are stuck with pfSense only, please correct me if I am wrong here on this. BTW installing firmware on the Protectli FW2 J1800 is very straightforward and simple. Super happy with it.
One of the things that completely bummed me about the UniFi is the need for a Cloud Key. Not only are those expensive (for a home user), it was unexpected, since Ubiquiti is rather vague on the need for these. What also p*ssed me off are the various login accounts you need to have. And how difficult/impossible it is to combine those. And the USG does not play well with some of the modems you get from the provider (Netherlands) if they provide a different than standard internal IP. Their Wi-Fi APs are awesome.
I'm going to be setting up a Sophos firewall on a Dell R310 I ordered. I only have a 300 Mb cable so I figured it would be overkill, but my Orbi is definitely lacking in security over my old DD-WRT router that died after a decade of use. The Orbi will become an AP until I get a Wi-Fi 6 AP.
Had Sophos for 6 months then went to OPNsense but had issues with VLANs. Went to pfSense but missed Sophos and I had some slight pauses in data, not much, say a minute or two once in a while. Went back to Sophos and easily set up multiple VLANs with separate content filters and restrictions. I love open source but Sophos works for me.
I use the EdgeRouter X at home and am able to seamlessly VPN into the office SonicWalls with it. The interface is kludgy, but it handles my 300/300 FiOS line no problem using very little power and for a low price. I wouldn't use it for more than the most basic office though.
I mostly agree with you, but you missed out two things: There are more powerful EdgeRouters from Ubiquiti; I personally have had good experience with the EdgeRouter 4, which is still very low priced for its power. Second, pfSense is not fully open, there are licence restrictions. That's why there is OPNsense, which I would prefer over pfSense in the context of open source.
Also the ER-4 and ER-6 will do IDS and IPS roles in the 400-500 Mbps range; the USG only does around 80-100 and the USG Pro only around 250. The ER-4 for less than twice the price of the USG is an easy choice.
Also if I'm not mistaken you lose some or all of the IPv6 on the ER-X if you disable the hardware offload. Could be wrong but that's what memory serves me. Used to be a fan of the ER-X but it's too weak for even modern home networks.
Thoughts for discussion... do you think deep packet inspection is worthwhile considering that less and less Internet traffic is unencrypted? I have seen this argument floating around forums in recent years. Of note, 1 Gbps Internet service is becoming more and more common, which that little Unifi USG can do handily for a small office _unless_ you turn on Deep Packet Inspection, then you've got a sizable bottleneck. (2 Gbps service is also available in my market.) With pfSense and other routers that offer more customization, it naturally depends on your rule set. Snort/Suricata with no rules will have a negligible impact, but heavy analysis will require more robust hardware. For my network, I went with Supermicro 5018D-FN4T with a Xeon D-1541 8-Core, 16 thread, 2.1 GHz to give the system plenty of processing power for Suricata and headroom for possible faster ISP connections in the future, but wonder now if I'd be just as happy (and my pockets less empty) if I'd just stuck with sensible firewall rules and not bother with deeper analysis. That USG or a similarly spec'd box for pfSense would have been 10% of the purchase price of the Supermicro, and the Supermicro uses up to 29x the electricity. Unifi used to quote maximum throughput in their literature, both with and without DPI, but I can't seem to find it anymore.
I don't put a ton of faith in DPI and a lot of that is because so much of the internet is moving to the QUIC protocol which gives firewalls even less visibility into the traffic.
The base model USG can handle DPI at gigabit just fine - it's only when you enable IDS/IPS that it starts bottlenecking. I used a base USG for about a year with gigabit internet and DPI turned on, and it didn't affect the throughput whatsoever. I have since upgraded to a USG Pro just so I could rackmount it. :)
Depending on your needs for deep packet inspection, there has been some emerging technology that is able to detect malware signatures in encrypted traffic. Cisco has been developing their ETA or Encrypted Traffic Analytics service on their high end enterprise line. It's only a matter of time until we see this same technology filter down to the small business/small enterprise lines.
Sorry, I guess I should have been more specific. IDS/IPS was implied. For small offices that these devices apply to, I frankly don't see any point at all in inspecting the traffic if you aren't going to have rulesets to act upon the data. Last year, I bought a Unifi USG and returned it after testing and seeing similar throughput to what he talked about in the video. It just didn't have the processing power to handle it. There was such a huge gap from rated performance to actual performance, I wasn't even confident in the Pro keeping up, especially when considering future growth. I'm glad it has worked for you though. :) I have since wondered whether I was just getting the twitches by having a security feature I couldn't turn on without suffering. That switch in the GUI just sat there in the off position mocking me. :p Then I wonder, is the IDS/IDP just security theater these days. Meaning, does it really offer meaningful protection, and is it worth the hardware required to run it in the modern era? Routing and firewall rules are computationally relatively cheap. I know I'm not alone in considering total cost of ownership issues like power draw and cooling as well. Is IDS/IPS (and HAVP), like some tech articles boldly claim, effectively dead? Until recently, I would have said that is a bunch of click-bait trash, but lately I'm kinda seeing their point.
Excellent video. Used pfsense for over 20 years. Never failed me. I'm curious to try out untangle for recommending to less techie users. Do they have child protection features built in? Also, can you use the USG as a pass through device just for the unifi dashboard stats?
I just switched from Untangle/Untangle to pfSense/Netgate supported software/hardware after being with Untangle for more than 10 years and a half dozen or so installations. I did not do this lightly and mostly because IMHO, Untangle as an organization seems increasingly dysfunctional with poor internal communication, and their employees do not appear to be sufficiently empowered to ensure a positive customer experience. Just my 2 cents. Subscribing.
Nice, concise review. I'd be interested in seeing your review of enterprise-grade (e.g., certified) firewalls, such as those from Fortigate, Juniper, Palo Alto, SonicWall, etc. Yes, they cost more, but they are much more polished products, with the level of support that enterprise clients are looking for. When you're talking about the safety of an entire enterprise, a few hundred dollars in additional cost isn't an issue. It's just the cost of doing business. Comparing these with the open-source and Vyatta-based products would be very valuable.
@@LAWRENCESYSTEMS I've looked for some kind of certification for pfSense, such as ICSA Labs certification, but can't find anything. Most enterprises require formal independent certification for security products, both for liability reasons, and because some governance regulations require it. It would be one thing if there were a dearth of certified firewall appliances, but why should any enterprise use an uncertified product when so many certified products are widely available for not much more cost? I noticed that pfSense has a product called "pfSense Certified(R) Virtual Firewall Appliance", but upon investigation, I found that they simply made the word "Certified" part of their registered trademark. That won't fly as an independent certification with any enterprise I know of. So this is where a feature comparison would be helpful, weighing the extra cost of various enterprise attributes such as certification and central reporting, against the costs of low-end solutions.
Very thorough review. I'm currently looking into making my home network more secure and to also start messing with a home lab to expand my knowledge and this was very informative. For home lab usage, do you still prefer the pfsense route or does one of the other options stand out more?
I have been using Untangle for a few months and paid for the home user version... works great and easy to set up... I still need to explore its features in more depth, and maybe a video tutorial would be awesome? ;)
You are a LONG way off with the small USG. We have 3 main sites with the big USG, and about 60 small sites with the small USG. All connected together. Ofc also UniFi switches and APs and so on. There is NO PROBLEM whatsoever running the one-click VPN behind a NAT. Agreed, double NAT is NEVER a good idea. PS: We also have added MPLS and QoS to the mix (on a separate big Cisco box, no routing problems). The only "problem" we've had is multiple WAN addresses, port redirects and such. Easily overcome with a JSON file.
Yup, plus he didn't include the fact that Ubiquiti is also still a new dog in the fight... with every major release more and more capability is being added into the UI... but at the end of the day if a tech is scared to break out the CLI they weren't doing anything that a high school kid couldn't do anyways... hehe
@@ChrisNicholson when you are considering that the entities they are operating against have been building a brand for 20+ years (Cisco), 5 years is still young. The UI may be a little limited but anyone who isn't afraid of a little CLI can set it up no problem
UniF--k has been around for around 10 years. Ubiquiti was doing air OS long before that. AND the vyatta fork they ran off with (before it was sold) was considered "developed" long ago. @eliath84
I like the setting of the scene, just done in the workshop, nice lighting, some good depth too (foreground focused, background not... of course). And a good comparison of stuff you know about. Maybe sometimes it'd be fun to hear a comparison between this and more ordinary routers people might have, or the kinda hyped "gaming" routers, or whatever. Not that I really think I'd use it or it is the normal audience. But it'd be fun.
To make matters worse, the webserver it runs is on 443, so if it reloads rules you occasionally connect to the Watchguard OpenVPN config server instead. Not so much fun. No support for OpenVPN client tunnels or extra servers with different settings or certs. Still, it does do a lot of inspection and offers inspection capabilities, but with some network bending drawbacks. Mind-bogglingly, if you need to look up the ARP table, that is only available in the WebUI, and not in the Windows manager.
I guess each brand has their own issues and finicky things.
I left the project after it went from BSD Perimeter to Netgate; it required signing a legal waiver for code contributed to GitHub, and I just never did. Good memories though.
Wow, lot of cool history there! Hope you're doing well and thanks for sharing!
The guys at Lawrence Systems are absolutely awesome. My IT skills are limited, but I had watched enough YouTube videos to know that these guys knew their stuff. I live in Texas and I hired them to help me build and deploy a Ubiquiti network. They provided great advice, acquired and programmed all of the equipment, and then shipped it to me for install. I was going to use the USG, but they recommended the Netgate 3100. The network has been up and running for a little over a year and has worked flawlessly.
Thanks!
Hey guys! I deployed the Netgate for a client that needed several VLANs, one is a public wireless network. The venue is a performing arts theater and it has to handle a thousand connections both wired and wirelessly. It works great even running Suricata and other modules. It was super easy to configure, runs stable, but a little warm. I'd recommend it to anyone!
Many years late to the party, but want to give a thumbs up to pfSense! I use a MikroTik box with two Smoothwall S8's running pfSense below. Separates my work and personal LAN. pfSense is so configurable, it's great. :) Suggest everyone give it a go.
I am so glad to see that Untangle gets your seal of approval. After struggling with pfSense, despite watching countless hours of video tutorials, and having to set up a second network for my wife to use, I switched over to Untangle in October. I went with the home subscription, and I don't think I will look anywhere else. Definitely worth the $50 price tag for ease of use, and the features that you get. Plus I don't have to upgrade my box for a while!
I've been a pfSense user for a long, long time. Recently, I've found Untangle. This video really clears some things up for me. Thanks!
Please bro, can you help me on pfSense URL
I've been running an Untangle box for my router at home for about 4 years now and it's been great. Free license for all of it except one year I got the $50 one to check out content filtering and all that. Which do you prefer, Untangle or pfSense? My buddy who got me into Untangle went to pfSense but I don't see any need for it.
Edge Router X is amazing! I've had one up for 2 years now. No downtime. Great alternative to crappy consumer all-in-ones. Pair with an AC Pro and you have a Nighthawk killer.
Same here, can speak to that!
My nighthawk makes an excellent AP. Has never seen anything plugged in on the WAN side.
@@bertblankenstein3738 you still pay more for a Nighthawk. They are overpriced and you have less features/controls.
@@Questchaun lol, I had a look, I have an Asus Rt-AC68U, no nighthawk. Obviously I haven't looked closely. Same thing, it is just an AP and it works well. I've had it for a number of years.
Great video with lots of detail. I can only imagine the newbs having a hard time grasping the 'white box' comment when you picked up the black hardware case and having the 'black box' right behind it which was white in colour. Always makes me smile inside.
Thanks for making these videos. It is nice to get tips and pointers. I recently got a protectli box and your videos make setup/config so easy.
I'm an MSP and have been using Untangle at all my client sites for the last 6 yrs exclusively. I don't have near the experience you seem to have with other solutions, but I've been highly impressed with Untangle. As of yet, I haven't run into any config I couldn't achieve using Untangle. One of my favorite things is the OpenVPN app is part of the open source base, so I can get essential network config, reporting, and a VPN installed without a subscription. But when you get a subscription the possibilities are seemingly endless. At one of my clients, Untangle tarpits streaming media services based on the end user's Active Directory group membership! That's some really well integrated networking right there. But I did discover the Protectli devices on your channel, so I'm pretty sure my hardware costs can go down now ;-)
I used pfSense from the 2002 timeframe roughly until 2007. Then I became a "real" network engineer and went to various ASAs and SRXs. Ran Untangle at a couple customer sites until around 2015. Now I'm UniFi all the way just for simplicity. UDM Pro at home replaced my ER-4 which replaced a few previous MikroTiks.
Order of pref for feature and performance, SRX, Mikrotik, Edge Router, Unifi.
For ease of use, Unifi, ER, SRX, Mikrotik.
I've tried various other open source and paid solutions over the years, and these are what I always come back to.
I now use Palo Alto at work, they are NOT carrier grade, miss my ASRs and MXs, but they do cover a lot of features and use cases. They are very expensive, even compared to Cisco, and I wouldn't recommend them for small business use at all!
My life is simplified now that I'm older (42) so I have no DCs or anything crazy anymore, and just Starlink vs multiple load balanced connections in my past life. UniFi really does knock it out of the park, even with all their issues. Like getting IPsec VPN working over Starlink's CGNAT.... But it does work!
I put in an edgerouter pro (rackmount unit) with 54 VLANs on a gb fibre connection and it's been working great for about 2 years now. It's a 52 unit apartment complex with 9 Ruckus APs for wifi with a separate SSID and VLAN (plus 1 for public and management) for each unit. Also used UBNT POE switches and no issues there either.
Matt S. I run an er8pro with 1gb fiber. 10 ap pros and about 80 Ethernet clients. Also routing a /28
Routers and firewalls are my favorite video topic. Love hardware.
Great information, and really appreciate that you also talk to those of us that build & manage networks for our SMB customers. Having your knowledge on-hand is how we look good for them! Cheers!
Sometimes the youtube algorithms do a good job recommending exactly what I was searching for :) just subbed
His channel is gold
Probably based on my google searches ._. But a good video
Whoa dude kick azz video! You nailed all the relevant points well in less than 20 min. You just sold me on PFS. Peace. ✌️😎👍
The ER-X can push ~200Mbps with QoS enabled and is the only router in the group with a dedicated switch chip. For small offices the ER-X is a little beast when you need to QoS your WAN and want to run VLANs bridged on the switch ports.
Thanks. This has been really helpful. I have a Sonicwall but refuse to pay Dell’s annual fees after the initial 3 years ran out. I’ve played around with pfsense but Untangle might be even easier and I can handle $50 a year. Your videos are some of the best of their kind on the web.
The Ubiquiti also supports BGP, IPsec, and VTI. I use all these to establish tunnels between branches, AWS, and other datacenters as the BGP advertisements make things simple.
That said, the low end devices have a lot of features but they lack processing power. The Lite and ER-8 are used in branches while pfSense runs as a VM in the datacenter.
pfSense is great, I have 6 years experience deploying and using it in datacenters and office space. About 6 months ago I started trialling OPNSense which is equally great and a fork of pfSense. I recommend looking at that as well given the community edition / commercial split vibe I currently get from pfSense.
I wish I had found this channel years ago. Thanks for this!
Thanks for the high level overview and comparison of the different platforms! It really comes down to use cases, and sometimes personal preference, for the most part with many of these. I've been running pfSense for a while, but as you said you really need to tinker a bit with things under the hood sometimes to get it working right. Had considered Untangle in the past due to the reporting functionality and front end configuration for most functionality... your video talked me into trying it out again. Thanks again for the video!
Bro you are a breath of fresh air.. keep it up dude you're a legend =)
Great video! I've deployed all of these devices and couldn't agree with you more. Netgate is also my go to for pfsense and I would advise anyone who is looking to deploy pfsense in a business environment to buy direct. One tip with Netgate, their email support is free if purchased through them with original configuration. They are quick to respond even by email..of course buy support if you have a mission critical environment.
Helpful video, thanks! Bottom line...scale your router to your requirements and personal needs.
Mine is the $50 deal!
Working with all these products for years, used to build ipfilter rules over FreeBSD back in the 90's for top secure firewalls, thanks pfSense life is much better now, agreed 1000%, amazing video.
Great presentation. Accurate overview of these products. Thank you for sharing.
Now by filtering you mean? Can you add the description in context? I get command lines. What’s best for a home multi connection with guest setup. TVs, Apple products, computers and scanner printer with enough power to run guest accounts via Wi-Fi. What would it cost to get a system fully protected like this?
Just subscribed and liked, really enjoying your videos. keep up the great content!
Great summary, thank you! I also concur with all the callouts you have about USG, Edge, and pfSense. I personally lean towards pfSense as well. I do also have a USG Pro which seems to perform a bit better than USG, but the VLAN routing, and routing between two LANs (LAN1, LAN2) is still a pain from what I have experienced, but can't say that is the case because my skills may not be the best.
The Ubiquiti EdgeRouter has been pretty reliable for me when I want to eliminate small business client (no more than 7 workstations) router that comes from the ISP. After configuring about five of these I realized that spending more on a router saved the client some billable hours in locking down the Ubiquiti EdgeRouter.
Great show. A wealth of information.
Love the Ubiquiti firewall, the best bang for the buck!!!
Would love to hear your thoughts on some other options as well like Sophos XG/UTM Home, ClearOS, etc.
OhFreeGames Sophos - just no, please no
Thank you for the content, really enjoy y'all's teaching style.
OpenWrt on EdgeRouter X rocks. Sad you didn't mention because it even gives you NAT offloading mechanisms. Really good choice.
Brilliant comparison, thanks Lawrence Systems. I've got a Netgate running pfSense at home and have just built a second remote pfSense box running on an HP Compaq DC8000 (Intel Quad Core with 4 GB of RAM). pfSense runs so well it's very difficult to look beyond. Interesting comments regarding Untangle. I've never used it, have heard of it, sounds quite good. I also have a ClearOS server sitting behind my pfSense router at home to provide some excellent transparent proxy content filtering (keep the kids protected from adult websites etc)
Overall great video, I do think you needed to touch on the untangle pricing scheme more. $250/yr. for a 12 device subscription seems pretty insane imo.
Untangle is free for personal use/basic version. If you want all the bells and whistles (apps like content filtering) for home use, it's only $50. As far as for a business, $250 is really cheap. Most businesses that use Windows servers, Adobe products, virtualization, etc. pay tens of thousands per year (if not hundreds of thousands or even millions for large orgs) for licensing. I'm not sure what situation you'd need the $250 license for where that would be considered "insane". Your business can't pay 20 bucks a month for network/firewall/content filtering, VPN, etc? LoL! Or perhaps you're trying to use it for home use where $250 would be considered a lot of money and you're unaware they have the free basic version or $50/yr home version.
P.S. I'm not affiliated with Untangle at all. I've used it at my home for free for about 3 years and 1 year I got the $50 version to play around with some apps but decided not to keep it. Still use the basic free version though and it's fantastic. Haven't tried pfSense though so I can't say it's better or worse.
The nifty thing with pfSense is it's so easy to build what meets your needs so cheap...I was using a Zotac Zbox (which had realtek NICs) but recently was shown a nice cheap HP thinclient with PCIe slot for a server NIC in addition to options for swapping the OEM WLAN card for an OEM fiber-card. Total cost under $300 new with full gigabit (around 950Mbps) routing between VLANs and WAN with loads of resources to spare. I'd never update anything remotely just in case...but the ease of use and flexibility is amazing with what all pfSense can do.
HP t620 plus?
(Y) Great and super easy video for me not only to understand the features of these products but was a catalyst to my decision making for home Networking requirements.
Hello,
perfect video.
I used Sophos UTM 9 Home Edition.
For only 50 clients it's perfect, but for more than that I used pfSense.
What are your thoughts about OPNSense as an alternative to pfSense? - It seems to have some neat security features like Two-Factor authentication built in and Suricata built in etc
I like that they have built in Two-Factor, but I don't have a compelling use case for it beyond that over pfsense.
Don't forget HardenedBSD
Yes OPNSense is a nice firewall it comes from The Netherlands and has a great monitor mode where you can see real time traffic logs. You can see what ports are being used inbound and outbound and more. I can recommend this Firewall for 100%
Did you know OPNSense is a fork of pfSense? It is nice that they created a nicer layout and added more functions in it that I missed in pfSense
@@squadramunter OPNSense had a nicer layout but now after pfSense introduced the new layout they are kind of on the same plane when it comes to the interface, at least I think so :)
However, there are some features in OPNSense that would be great if pfSense had!
Nice comparison video for these low end firewalls with advanced features.. I recently downloaded pfSense to run in a SuperMicro ITX system. I’ll check out the generic system you recommended as well.
That black box from Alibaba can handle pfSense as a virtual machine on Hyper-V, for example. So you can install two pfSenses on it and get 2 VPN tunnels and update remotely without the risk of losing connection. Moreover you can make a VM snapshot before the update to roll back if the update fails. And with a big HDD you can get other VMs installed on this box. So you can get router(s), fileserver, lab for tests...
I would like to see your review of Mikrotik products. I bet that you would find them to be great solutions.
I have many USG and USG Pro 4 that I am using as paperweights since I got my MikroTiks
Came to say this. Second comment. Good
@@ap5672 send me some of those paperweights
@@rhdtv2002 ha ha, they are literally at the bottom of my boxes of unused parts.
@@ap5672 damn man..please tell me you live in Chicago..I'll be right over
Very detailed explanation. If you get opinions from other places, people say Protectli. Seems like I'm leaning towards Netgate more.
I really have enjoyed a lot of your videos. Keep it up. In my company really we really love the Sophos XG line of firewalls and as a partner we get access to a centralized management system - that part does need some work. They aren’t cheap though but nowhere near Cisco prices.
Cisco is very overrated. They market themselves like Apple
For business use: The Ubiquiti line + Cloud Key and Cloud management as an entry point. Chances are, you already are (or should be) using their APs anyway. CISCO Meraki MX with Advanced Malware Protection for most use cases, simply due to 0-day AMP, and Sonicwall TZ series for more nerdy setups would be my starting points. First and foremost is support availability and not looping to a single tech guy who set it up through some "command line"
Great job. I think the only thing you might have left out about UnTangle is that it can do SSL decryption. This is essential in my book.
Dude I am new to your channel, it is awesome. Keep it up and thank you.
I have had a USG for 2 years now and plugged 2 WANs into it. It works smoothly, but yes, very limited firewall (but I have no complaints)
I really like my netgate box but just for your info, even with this box you can have problems when you update. I had it once that the box did not boot after the update. I had to access it via USB, reinstall pfSense completely and import my backup to get it working again.
EdgeRouter X does have the switch chip, which allows offloading the processing power used for 'soft switching', which is how the EdgeRouter Lite does it (it does not have a dedicated switching chip).
ER-Lite is better if you have 2 WANs and a LAN connection.
Have you ever put a USG between pfsense and your switch in a pass through like mode to get the nice graphs in the UniFi manager? I have UniFi APs and looking to get some more information in the dashboard and debating on a USG but keeping pfsense as my firewall
I've been using a Gigabyte GA-J1900D3V motherboard as a firewall which has a soldered-on Intel Bay Trail Celeron J1900 processor. I added an additional PCI dual NIC card, thus giving me four NICs.
It works well as a firewall running Linux BUT the J1900 has a flaw which means it locks up solid occasionally, maybe once every 14 days. In theory the later Apollo Lake and Gemini Lake processors don't have the same problem, but I'm still waiting for Qotom and others to adopt newer chips.
I’d like to see more information on the higher end of the USG line
they are essentially the same just more power..
I've been using a DIY Sophos box for the last few years, but lately I've been really thinking about testing pfSense on the same hardware. It's been a long time since I tried it, so it's probably come a long way.
As always informative. Thanks for the comparison, adds to decisive params
For 2.5 Gbps use with VPN (router to router) to multiple sites I am torn between EdgeRouter Infinity, waiting for the UDM-Pro, or pfSense? I use UniFi systems too but don't care about fancy numbers and seeing all green.
Clear and informative....best networking video I've seen.
Appreciate your detailed HW review.
I would appreciate your recommendations regarding my network needs. I need a router / FW to do multi-wan load balance / failover that really works.. Beyond that my network needs are pretty basic. I've tried several ASUS and TP-Link routers that claim the dual WAN with load balance / fail over however none that I have tried have actually worked. I have about 45 connected devices ( 15ish wired and 30ish Wi-Fi). Both my WAN connections are
Have you heard about the "Firewalla Gold"? If so, what do you think about it? And does pfsense have an option to block website ads?
I'd be curious so see a comparison of pfSense and Untangle versus Peplink. I'd really like to have good multi-WAN load balancing and aggregation as part of my firewall configuration.
I really like your reviews and the magnitude of information you give us. I'd love to see an overview on how to combine a firewall with a router and switches to make the absolute max of the ISP provided internet bandwidth as well as the more powerful LAN setup between machines and switches. Like how limiting is the 1Gbps port on a firewall if you have a lot of LAN devices talking to each other using for example 2,5 Gbps switches and for example PC's and NAS servers :)
Forgive me if you have covered this before in an alternative video, but I have seen some of your videos on pfSense and was wondering if you rate OPNSense and would ever use it in any of your networks or in any of your customers' networks?
When deploying a distributed network, I actually _do_ want to set up _all_ the specific routes myself (including metrics for failover scenarios), "set in stone" in config files, and make sure they work, then try to break them, and once it all still works as intended, I open it up to the client for initial testing. Having your 3rd party firewall appliance logging into another fancy-of-the-month 3rd party's VPN or cloud hosting or whatever just adds potential points of failure and security risks outside of your reach and control.
tl;dr: either do it at "at home" level, or do it at least semi-seriously. First off, all you need to understand is what you are actually trying to do, and then go on from there.
Cheap/er/ish appliances tend to just sell you peace of mind, like a good chunk of most Windows desktop or mobile phone anti-virus/-malware bloatware does. Sometimes they're even posing a security threat themselves due to not being maintained and updated for years (but still being sold), or having significant design flaws in the first place (think older access points, networked print/scan/fax machines, cable modem back-looping, etc).
Yes, it will involve learning about wth you're actually trying to do (or want to avoid happening), and yes, it will take more time. But, once done, you'll know exactly _what_ is happening _where_, and _why_.
...plus, you don't pay monthly fees to someone else for the knowledge you've acquired and applied yourself.
(and if it doesn't work as intended, you'll probably have a very good idea about who to blame ;p )
In case you want a solid solution but don't want to dig into it yourself or don't have the time, hire a professional to set it up and coach you on how to use it. Also, ask for documentation: IT guys hate to do it (because it's boring, spelling is a b%$=!, and being found out is embarrassing for many native speakers), but it'll help you a lot maintaining your installation. Also, you'll have a face with a name to it if you need assistance, instead of a $40/600/1k appliance you bought online and told its setup wizard to auto-configure itself in mysterious ways by clicking fancy icons.
...sorry for the rambling (oh, and the semi-necro). I'll revisit this post after having sobered up a bit :)
What are your thoughts on the Arrista/Untangle buyout? Is this the end of Untangle's Home market? What are your thoughts?
I should add that the Spectrum-supplied (and required) gateway forced all DNS requests to Time Warner DNS servers, regardless of the DNS selection in the gateway/router. So services like OpenDNS were not accessible without additional hardware to bypass the Time Warner DNS servers.
Awesome video. Can you do one updated version? Or just let us know what's new?
Use a MikroTik for the first barrier and with the right rules in it is a great wall and does not crumble on DoS like I experienced with a Ubiquiti. Great comparison for those choices
Those Ubiquiti seem cool for the single pane of glass but pfSense or Untangle seems more feature rich. What AP would you pair with an Untangle/pfSense install?
My company primarily services SMBs and we're looking to switch away from Sonicwalls. The problem is that we just know them and change is hard. I might pick up another NIC and run pfSense on my home server to test it out.
Nice comparison you got there mate. My previous firewall was pfSense and I changed to UniFi Security Gateway Pro. Honestly, I can't do much with USG, unlike my previous firewall which is quite flexible. Bad decision... :D
You held up the Ubiquiti Router X as an example of a "cheap" ARM device, but it's not ARM. It has a MIPS processor, like the rest of their line.
Pretty amazed that so many people love Ubiquiti products. I have an $860 Ubiquiti ES-48-500W switch in my LAN at work and it is the worst device I have ever seen in my 15 years of network engineer experience. This model was purchased because it was the only device on the market (at that time) providing both passive 24V PoE or 48V PoE+ in one device. No web interface at all, you need to have a laggy controller written in Java installed somewhere in the network to be able to change something on the switch. Stupid settings are placed at different sections of the interface. The interface is filled with tons of unnecessary stuff you are not able to use. When you change some settings and apply them it drops all connections on the LAN, I don't know what it actually does but you will lose connection to the server even if you are not actually connected through the Ubiquiti switch! Even the password remember option is present in the interface but not working. The stock fans of the switch at almost zero load were louder than all my 5 servers together, had to order and replace them with Noctua fans, losing warranty. IMHO cheap SOHO TP-Link/D-Link devices are more user friendly than this piece of ...... hardware. All the other network is based on more than 60 MikroTik routers, only good feelings... I was surprised that you didn't mention MikroTik devices at all.
Hi Tom, thanks for the video. It would be nice if you could cover Cisco ASA and Dell SonicWALL, just to know the advantages between open source and enterprise commercial solutions.
I have been using the SG-3100 for more than a year now, and the only thing I don't like about their product is the non-discrete ports. The 4 ports are switched together and it is uselessly complicated to have them behave like real discrete ports. Because of that complexity, I instead went and got a PC Engines box with 4 discrete ports and installed OPNsense on it, and that's it: easy config of the different ports for different tasks without having to do voodoo magic to get the ports separated. Everything else is great, and the SG-3100 is able to sustain a NATed ~1 Gbps speed with no problems.
Hey, just wanted to give my two cents about Mikrotik. They didn't come in an insecure config. The home stuff came preconfigured secure. The bigger systems were completely unconfigured but could be loaded with a safe config via a Quick Set menu.
You guys ever mess with Cisco ASAs? We have a 5508-X for firewall and routing and have trouble finding vendors who will help us reconfigure it. It's too much of a dark art for our 2-man team to learn and properly configure ourselves and we're wondering if we should continue to stick with it!
What is the consensus on Firewalla? It doesn't look very professional but seems to meet my needs. My main concern was filtering inappropriate sites on a public guest network. I tried SquidGuard on a Unifi USG (via CLI) but felt I had little visibility into what the USG was really doing. Firewalla seems to do a good job, but I don't know what I don't know.
For the comments on the EdgeRouter series, would you say the same is true for the EdgeRouter Pro 8? I went for that one mostly for the higher throughput. I did replace the fans with quieter ones, but it has served me well. I've got a relatively high number of devices, but it is home use with an office element for my job. 200 Mbit up/down is the fastest I can get, so even with some basic filtering enabled I'm still safely away from the bottleneck :) Appreciate the honest comparisons. I have the Unifi AC Pros, very nice devices. Still not sure if I should go for a Unifi switch though, as I want to prep for 10G and then you have to step up to 48 ports to get that PoE+ ability. Thanks again!
Thanks for the comparison... I'm interested in the Netgate box, would you still recommend it or are there better alternatives at that price point ($400) these days?
The Protectli is way better than any Netgate; it runs everything under the sun including OpenBSD. I've run VyOS, OPNsense, pfSense and OpenBSD without any issues. I have the SG-1100 and it is very fast, but it appears you are stuck with pfSense only; please correct me if I am wrong on this. BTW, installing firmware on the Protectli FW2 J1800 is very straightforward and simple. Super happy with it.
We are a total Sophos shop for our clients. Small offices get the SG or XG 135W then we grow from there based on size of business. Sleep like a baby!
One of the things that completely bummed me out about the Unifi is the need for a Cloud Key. Not only are those expensive (for a home user), it was also unexpected, since Ubiquiti is rather vague about the need for them. What also p*ssed me off are the various login accounts you need to have, and how difficult/impossible it is to combine them. And the USG does not play well with some of the modems you get from the provider (Netherlands) if they use a non-standard internal IP.
Their Wifi AP's are awesome.
You can download and run the free UniFi SDN controller software and skip getting a cloud key.
I'm going to be setting up a Sophos firewall on a Dell R310 I ordered. I only have 300 Mb cable, so I figured it would be overkill, but my Orbi is definitely lacking in security compared to my old DD-WRT router that died after a decade of use. The Orbi will become an AP until I get a Wi-Fi 6 AP.
Had Sophos for 6 months, then went to OPNsense but had issues with VLANs. Went to pfSense but missed Sophos, and I had some slight pauses in data, not much, say a minute or two once in a while. Went back to Sophos and easily set up multiple VLANs with separate content filters and restrictions. I love open source, but Sophos works for me.
I've been happy with Sophos UTM 9; it's done well for us. My only bitch with it is that the VPN seems a little dicey to get working right.
I use the EdgeRouter X at home and am able to seamlessly VPN into the office SonicWalls with it. The interface is kludgy, but it handles my 300/300 FiOS line no problem using very little power and for a low price. I wouldn't use it for more than the most basic office though.
I mostly agree with you, but you missed out two things: there are more powerful EdgeRouters from Ubiquiti; I personally have had good experience with the EdgeRouter 4, which is still very low priced for its power. Second, pfSense is not fully open; there are licence restrictions. That's why there is OPNsense, which I would prefer over pfSense in the context of open source.
I am not clear on the licence statement, they are under an Apache 2.0 license.
www.pfsense.org/about-pfsense/
Also the er4 and 6 will do ids and iOS roles in the 400-500 mbps range, usg only does around 80-100 and the usg pro only around 250. Er4 for less than twice the price of the usg is an easy choice
Should be ids and ips, damn auto correct
Also, if I'm not mistaken, you lose some or all of the IPv6 on the ER-X if you disable the hardware offload. Could be wrong, but that's what memory serves me. I used to be a fan of the ER-X, but it's too weak for even modern home networks.
Thoughts for discussion... do you think deep packet inspection is worthwhile considering that less and less Internet traffic is unencrypted? I have seen this argument floating around forums in recent years.
Of note, 1 Gbps Internet service is becoming more and more common, which that little Unifi USG can do handily for a small office _unless_ you turn on Deep Packet Inspection, then you've got a sizable bottleneck. (2 Gbps service is also available in my market.) With pfSense and other routers that offer more customization, it naturally depends on your rule set. Snort/Suricata with no rules will have a negligible impact, but heavy analysis will require more robust hardware.
For my network, I went with Supermicro 5018D-FN4T with a Xeon D-1541 8-Core, 16 thread, 2.1 GHz to give the system plenty of processing power for Suricata and headroom for possible faster ISP connections in the future, but wonder now if I'd be just as happy (and my pockets less empty) if I'd just stuck with sensible firewall rules and not bother with deeper analysis. That USG or a similarly spec'd box for pfSense would have been 10% of the purchase price of the Supermicro, and the Supermicro uses up to 29x the electricity.
Unifi used to quote maximum throughput in their literature, both with and without DPI, but I can't seem to find it anymore.
I don't put a ton of faith in DPI and a lot of that is because so much of the internet is moving to the QUIC protocol which gives firewalls even less visibility into the traffic.
The base model USG can handle DPI at gigabit just fine - it's only when you enable IDS/IPS that it starts bottlenecking. I used a base USG for about a year with gigabit internet and DPI turned on, and it didn't affect the throughput whatsoever. I have since upgraded to a USG Pro just so I could rackmount it. :)
Depending on your needs for deep packet inspection, there has been some emerging technology that is able to detect malware signatures in encrypted traffic. Cisco has been developing their ETA or Encrypted Traffic Analysis service on their high-end enterprise line. It's only a matter of time until we see this same technology filter down to the small business / small enterprise lines.
Sorry, I guess I should have been more specific. IDS/IPS was implied. For small offices that these devices apply to, I frankly don't see any point at all in inspecting the traffic if you aren't going to have rulesets to act upon the data.
Last year, I bought a Unifi USG and returned it after testing and seeing similar throughput to what he talked about in the video. It just didn't have the processing power to handle it. There was such a huge gap from rated performance to actual performance, I wasn't even confident in the Pro keeping up, especially when considering future growth. I'm glad it has worked for you though. :)
I have since wondered whether I was just getting the twitches by having a security feature I couldn't turn on without suffering. That switch in the GUI just sat there in the off position mocking me. :p Then I wonder, is the IDS/IDP just security theater these days. Meaning, does it really offer meaningful protection, and is it worth the hardware required to run it in the modern era? Routing and firewall rules are computationally relatively cheap. I know I'm not alone in considering total cost of ownership issues like power draw and cooling as well. Is IDS/IPS (and HAVP), like some tech articles boldly claim, effectively dead?
Until recently, I would have said that is a bunch of click-bait trash, but lately I'm kinda seeing their point.
@@LAWRENCESYSTEMS You can block QUIC inside of your network and it will default to TLS.
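Blocking QUIC so that browsers fall back to HTTP/2 over TCP+TLS is a two-rule job in pf, the packet filter pfSense and OPNsense are built on. The fragment below is an added example, not from the video or any comment above; the interface name and LAN subnet are assumed placeholders, and the GUI equivalent is a LAN rule that blocks UDP with destination port 443.

```pf
# Added example (not from the page). Macros are assumptions: rename for your box.
lan_if  = "igb1"              # assumed LAN interface
lan_net = "192.168.1.0/24"    # assumed LAN subnet
lan6    = "2001:db8::/64"     # assumed LAN IPv6 prefix (documentation prefix)

# QUIC rides on UDP/443. Dropping it silently (no ICMP) is what makes
# Chrome/Firefox retry the same site over TCP/443, i.e. HTTP/2 over TLS.
# "in on $lan_if" because, on pfSense, LAN rules match traffic entering the
# LAN interface from clients. "log" so the hit shows up in the firewall log.
block drop in log quick on $lan_if inet  proto udp from $lan_net to any port 443
block drop in log quick on $lan_if inet6 proto udp from $lan6    to any port 443

# Normal web traffic keeps flowing; the fallback lands on these rules.
pass in quick on $lan_if inet  proto tcp from $lan_net to any port { 80 443 } keep state
pass in quick on $lan_if inet6 proto tcp from $lan6    to any port { 80 443 } keep state
```

Two caveats a practitioner will want: the fallback to TCP only buys visibility into the TLS handshake (SNI, certificate, cipher metadata); the payload is still encrypted, so an IDS gains signatures on the handshake, not on the HTTP body. And UDP/443 is not exclusively QUIC, so anything else using that port (DTLS-based VPNs, some SD-WAN tunnels) from the same LAN will be dropped too; check the log entries after enabling the rule before leaving it in place.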
Excellent video. Used pfsense for over 20 years. Never failed me. I'm curious to try out untangle for recommending to less techie users. Do they have child protection features built in? Also, can you use the USG as a pass through device just for the unifi dashboard stats?
I just switched from Untangle/Untangle to pfSense/Netgate supported software/hardware after being with Untangle for more than 10 years and a half dozen or so installations. I did not do this lightly, and mostly because, IMHO, Untangle as an organization seems increasingly dysfunctional, with poor internal communication, and their employees do not appear to be sufficiently empowered to ensure a positive customer experience. Just my 2 cents. Subscribing.
Nice, concise review. I'd be interested in seeing your review of enterprise-grade (e.g., certified) firewalls, such as those from Fortigate, Juniper, Palo Alto, SonicWall, etc. Yes, they cost more, but they are much more polished products, with the level of support that enterprise clients are looking for. When you're talking about the safety of an entire enterprise, a few hundred dollars in additional cost isn't an issue. It's just the cost of doing business. Comparing these with the open-source and Vyatta-based products would be very valuable.
I would say that pfsense & Untangle are enterprise grade and they both offer support contracts when you buy them as their own appliances.
@@LAWRENCESYSTEMS I've looked for some kind of certification for pfSense, such as ICSA Labs certification, but can't find anything. Most enterprises require formal independent certification for security products, both for liability reasons and because some governance regulations require it. It would be one thing if there were a dearth of certified firewall appliances, but why should any enterprise use an uncertified product when so many certified products are widely available for not much more cost?
I noticed that pfSense has a product called "pfSense Certified(R) Virtual Firewall Appliance", but upon investigation I found that they simply made the word "Certified" part of their registered trademark. That won't fly as an independent certification with any enterprise I know of.
So this is where a feature comparison would be helpful, weighing the extra cost of various enterprise attributes such as certification and central reporting, against the costs of low-end solutions.
Pfsense will never have a common criteria or similar rating either. Pfsense is prosumer at best.
@@uendarkarplips7263 Agreed
I mean, Vyatta is pretty enterprise. Isn't it what Brocade uses?
Very thorough review. I'm currently looking into making my home network more secure and to also start messing with a home lab to expand my knowledge and this was very informative. For home lab usage, do you still prefer the pfsense route or does one of the other options stand out more?
An interesting & honest review.
..... I missed it....so...exactly what IS the major problem? Other than it not being blue? 😉
Excellent review. I’ll be looking for new ones.
I have been using Untangle for a few months and paid for the home user version... works great and easy to set up... I still need to explore its features in more depth, and maybe a video tutorial would be awesome???? ... ;)
You are a LONG way off with the small USG. We have 3 main sites with the big USG, and about 60 small sites with the small USG, all connected together. Of course also Unifi switches and APs and so on. There is NO PROBLEM whatsoever running the one-click VPN behind a NAT. Agreed, double NAT is NEVER a good idea. PS: We also have added MPLS and QoS to the mix (on a separate big Cisco box, no routing problems). The only "problem" we've had is multiple WAN addresses, port redirects and such. Easily overcome with a JSON file.
Yup, plus he didn't include the fact that Ubiquiti is also still a new dog in the fight. With every major release more and more capability is being added into the UI. But at the end of the day, if a tech is scared to break out the CLI they weren't doing anything that a high school kid couldn't do anyway. hehe
@@Eliath1984 5 years in the IT space is not "new".
@@ChrisNicholson When you consider that the entities they are operating against have been building a brand for 20+ years (Cisco), 5 years is still young. The UI may be a little limited, but anyone who isn't afraid of a little CLI can set it up no problem.
UniF--k has been around for around 10 years. Ubiquiti was doing air OS long before that. AND the vyatta fork they ran off with (before it was sold) was considered "developed" long ago.
I like the setting of the scene, just done in the workshop, nice lighting, some good depth too (foreground focused, background not, of course).
And a good comparison of stuff you know about. Maybe sometimes it would be fun to hear a comparison between this and the more ordinary routers people might have, or the kinda hyped "gaming" routers, or whatever. Not that I really think I'd use it or that it is the normal audience. But it would be fun.