Firewall Comparison: Ubiquiti EdgeRouter / Ubiquiti UniFi USG / Untangle / pfsense 

Probably time for another one of these if that’s okay please Tom!

I discovered your channel about 2 weeks ago, and I can't thank you guys enough for everything that you share. I'm a computer consultant myself, but I love to learn from others all the time. Some of your experiences I've shared, and others were great to learn from. The demos that you do are great too, and are very useful in case I want to try out a product. I can't thank you guys enough, I hope that you continue to feel good about doing these videos and keep putting them out. -Max

Just wanted to give you a huge thanks for all your helpful content! Because of you I was finally able to ditch my horrible, unreliable modem/router that was provided by my isp. I'm now running a pfSense vm in Unraid with a UniFi AC Pro and Motorola MB8600 Modem. Now I'm diving deep into Suricata, ntopng and traffic shaping for my seedbox. What a cool (sometimes frustrating) learning experience this has been. It feels so great to have control over my network. Thank you very much!

thank you for your contribution to open source projects. it is very appreciated to hear that!

I really like that you fill the gap between Cisco/Palo Alto/Checkpoint and Linksys/Netgear. It’s such a wide world between them, and deserves to be covered.

The only thing I don't like about the Netgate hardware is the price. They are easily twice the price of a Supermicro server of similar performance, and that doesn't even include a year of support. With budgets being what they are right now, I have to build my own server and load PFSense. If the price included a year of support, then it would help justify the purchase.

I run a security gateway pro for layer 3, then i have another box running in a transparent bridge/vwire depending on the flavor of the month. Right now i'm running untangle on a atom in transparent layer 2 bridge behind the unifi security pro and in front of the switch. I've had pfSense, Palo Alto, etc.. etc.. running in this same configuration. Sort of gives you the best of both worlds.

I setup a dual pfSense router for no fear back in 2006 running on an alix2d3. Use to love that Os. I was doing all the pf work by hand before pfSense! Made sense to switch.

Thanks for being open and honest with your thoughts / comments!

Lmao "don't ask me to review consumer routers I don't use them" damn straight

Hey, Lawrence thanks for all the great videos especially the Pfsense routers. Thanks, Jeff

I ran PFSense for a few years, until the big AES-NI push, which didn't happen. I wasn't ready to upgrade the machine it ran on, so I found Untangle to be more to my liking. Sure, it cost me $50 a year, but I'm on year 2, and I thoroughly enjoy their product. I have the traffic separated into about 5 vlans, each with their own specific rules and policies. So I was really happy when you decided to review Untangle, and were good with it.

Waiting for that MikroTik review ;)

I ha e the free sophos box in a small school for the web filtering and just to make sure no one hits porn ... works so well for me

Hello Lawrence, I don't have much time before I hit the road and listen to your video but decided to give a +1 to recommending taking a look at Vyos, I see other commenters have mentioned it but it is very similar to the EdgeOS cli. Ive been using Vyos in my Homelab and home network for about 2 years without any issues. they are running Wireguard and are doing NATS, Firewalling, and OSPF networking in both a protectli like device and a VM. Cheers!

imo Sophos should win hands down. It's by far the most feature packed, very very simple to use and manage, was rated in #1 cyber security (multiple times) and has true TLS/SSL DPI decryption.

Nice work, I would add that the ubiquiti usg is based on vyatta and can be configured for OpenVPN, IPSec, l2tp, all using the identical config commands as the vyatta. The config code can be added to the central configuration on the controller... the graphical interface is limited and disappointing when looking at all the functions and capabilities if this device ... adding extra interfaces is possible but again - cli same as vyatta ... Fully agree that pfsense is the easier to use solution .. .. however the central management of client environment I see as a major advantage .. thanks for the video .. factual and well presented .. I am not associated with any of the companies being commented on ..

The Sophos SG series was pretty good, but after a couple of years, issues with web filtering was a big problem. I will say, the SG gui was very good and the reports and config dumps were fantastic. Now, with either the Sophos SG or XG series, they tend to max out the CPU and make the system unusable. I have an old Sophos SG box that I installed the XG on, and it kept maxing out the CPU. So, I installed Untangle on it, and it is working great!

I still prefer Untagle over pfSense especially for home use as it is really simple to use.

VyOS is command line very similar to in feel to Junos. Works great and have it running on a protectli J1800.

I'm going to shout out to Watchguard for one specific use case I have all the time. High availability with DHCP or PPPoE provided ISP circuits. Watchguard is the only device I have run that supports this configuration. There may be others, but I suspect they are all in the same ballpark for pricing and closed source so I'm sticking with what I know. It's a great feature.

I like untangle because of the Dashboard and Support. Having support included when something hits the fan is pretty nice.

Every time I install Untangle, I love it. Aside from pfsense and OPNsense, it's the only downloadable solution that I've found that supports NIC bonding from the UI, and they make it easier than anybody else. Then I promptly feel betrayed by needing to pay for running a caching DNS locally. I know, they also need to eat, but combine the facts that its so fundamental to a decent LAN with the fact that I'm willing to overlook a lack of local hostname resolution, and I feel like they fundamentally don't understand the home market.

The sophos hardware is great - for running pfsense. Sophos is barely closed source. Its an assortment of open-source modules in a gui that's pretty, but limited. Sophos has poor interop documentation. I finally did get a VPN tunnel working sophos-cisco, but it was a huge pain compared to pfsense. For whatever reason, the performance was abysmal once you started doing ips. Between performance, nerfed features, and them releasing a hideous fw version, I pulled the plug on that project and did not renew. Fortunately, my purchase was with a one year sub. Went with some short depth used servers, loaded pfsense, and never looked back. After the sophos boxes were no longer used, I figured out how to load pfsense on them. I have those powering a couple of smb installations. Once free of sophos licensing, I was able to swap cpu on the larger units, and upgrade ram on all of them. Even stock, the sg-115 is able to power a 200/20 connection with suricata without breaking a sweat

Great video! After doing some research on what I want, I think pfsense might be the way for me to go. Just scares the crap out of me (coming from a gen 1 eero router), if I ever do upgrade my network.

If you can put up with the registration process that Sophos makes you go through, it is a great product. You get pretty much every feature a home user could want for free and a polished GUI and it is relatively easy to configure. I haven't tried pfSense but I did briefly use Untangle but ever since since they put their premium version of NG home firewall behind a paywall I went with Sophos instead which offers most of the features of Untangle, for free, minus the Wireguard VPN. Honestly- sometimes I'd rather go with an Untangle appliance that has WiFi, but you can't argue with free and vote with your wallet.

Thanks for all the great videos

A few years ago when I was just getting started I bought a couple of ap acl and a mikrotik router. I basically had to take the mtcna to learn how the heck to configure the darn thing. Once I learned and got everything right, it's been over 5 years with no issues. I've deployed over 20 of them to friends and a couple of of small businesses. No problems. I'm not saying they are better than pf sense. They are just different.

At home I use OpnSense, for home use I prefer it over pFsense due to Netgate being a bit slow to give hardware support to third party devices as opposed to their own solutions. That being said, if I were to roll it out as an IT professional and/or as an MSP, I'd probably just buy the Netgate devices.

I am interested to see your Take on WatchGuard newer gen firewalls

The USG is a pretty ordinary firewall IMHO. Limited DPI functionality and IPS seems pretty ordinary too from my limited testing. It's even difficult to understand how to configure the security rules.

spot on as usual. thanks

pfsense+UAP AC PRO=great combination

I have been using dd-wrt on my home Linksys router and now I am looking into running PFsene. I just need to find the most stable, power-efficient and cheap hardware I can find. I have an HP G7 server and I am not sure how stable PFsense going to be on a VM within the windows server.

It needs to be pointedd out that while Ubiquit's security gateways are a bit behind, but they have made great strides in the last year.

Problem is that you don't find a could reseller for Netgate boxes in Europe. Especially in Austria.

I'm a fan of the Sophos XG's. Manage around 15 of them across different networks. Plugs into the rest of the Sophos ecosystem pretty well and the RED devices are pretty cool for small remote offices. Their biggest problem is logs.... The logging is shithouse. Apparently it's on the roadmap, but they're not the quickest when it comes to introducing features... Apart from that, I think they're great for a relatively cheap enterprise firewall.

I know that router os is not open source, but man is very powerful. Have you considered it?

Why don't you review the Ubiquity Dream Machine?

Can you confirm a statement that I read. I read on a Amazon comment that vanilla pfSense can't be installed on Netgate boxes (e.g., SG3100). Thus one needs to load/install the version of pfSense controlled by Netgate??? Here are the Caveats listed by the commentator. Caveats: * The software is proprietary to Netgate. It will not run public distro of pfSense. You will need to contact support if you need a reinstall image. * The embedded eMMC flash is slow! If you are doing anything disk intensive plan to buy a M.2 SSD. If you are only using it as a basic firewall with no packages, eMMC is fine. Note: Installation of an SSD requires reinstall. * Only 2 GB RAM - only matters with certain packages. * Snort users: don't expect to get 1Gb/s throughput. Something more like 300 - 500 Mb/s is probably the limit. * Runs warm but Netgate says it's normal.

As my wife and I both work from home, I've contracted two ISPs, in order to account for outages. The problem is, now I've got two separate networks and one of them is always idle. I'd like to use a router to aggregate these two Internet connections. What router do you recommend?

That Sophos box looks like the SG105 or SG115. I have actually installed pfSense on these and they work great. The later rev hardware can handle 6-8GB or RAM. Can't update the CPU though. You have to disable the "Port 60/64 Emulation" setting in BIOS, but then you can install pfSense!

I started out with m0n0wall back in 2008, moved to pfSense a few years later. Never looked back for anything else for clients when I worked in a small MSP. Now I am stuck with CheckPoint :( $40,000 pile of @$%^

Moved from google WiFi to ER-X running vlans and custom firewall rules.

Will you be doing a review of the dream machine soon?

Hello Tom. Thanks for all of your videos. Once I start on one, I usually get drawn down the rabbit hole to your others. Question: where did you get the Netgate rack mount enclosure?

That was a lot of informative Video. I want to know if there is any Open Hardware available to install PFSense, which is not that costly as that of netgate hardware. If yes, do share the details

Hi there, it was one of your best tutorial video. Thnx

PFsense can filter (ssl -https) traffic also without installing certificate on client machines, using squid proxy , I used it for 2 years now and its working fine

Personally i really like VyOS. Once you figured out the CLI its by far faster to change configs then having to navigate through some 3 submenus on a web gui imho. Also i really like the commit/save style of changing configs. Not sure if PFSense supports that?

In these router/firewall comparisons, why do we hardly see mikrotik? I moved 4 sites from usg and usg pro to mikrotik and I could never go back. Mikrotik routers combined with unifi switches and ap is now my killer combination.

The USG and the edge do the same things. They have the same base in software. Yes you are limited in configuring the USG through the ui. But you can do loads with the json config file on the controller

Thank you for this. I was evaluating some routers/firewalls for use with our small office environment. We had narrowed down to EdgeRouter (now i know it's command line) and Ubiquity (but we need Wan2 for internet failover.. not an option apparently due to having to use an unsupported script).. so looks like we're back to pfsense. Any thoughts of building our own vs. getting netgate hardware with software built in?

Fortigate blames everything on you if there stuff don’t work. Even on hosted VOip issues. Does pFsense has a UMS?

Another issue with the usg is it takes forever to provision new configure, and can also cause outages when applying firewall rules, I bought one and now regret it... should have gone dual pfsense

What about centralized management solution for pfSense installed in different places?

Such a shame that multi-address is such as basic feature of Vyatta, but UBNT just can't be arsed to add it to the UniFi provisioning thing.

How is the programmability on these pfSense boxes now a days? Doing a bunch of ansible work with junos and it’s a dream

So if a build was primarily unifi- based, and would like that interface/management the USG provides, couldn't you have a pfSense box as the first point of entry on the network, with a USG behind it to give the best of both options? I apologize if that was asked before, or if it's just a general noob question. But other than cost, that would seem to solve the issue of keeping that interface for local management, and the pfSense box for the added features.

For some reason i have to reset the wireless connection on all wireless devices if left idle for a while, started happening once i switched to pfsencen AP AC LR + pfsence

Thanks a lot very instructive tutorial

What are your thoughts or experiences with ZyXEL firewalls and their USG series/line?

100% Agree!

To be honest, I clicked this video because I thought you finally tested out the Sophos XG... Please give it a try.

It would be interesting if you can do a site to site vpn tutorial using wireguard sitting behind pfsense. Wireguard on pfsense itself is still a controversial topic.

use sonicwall soho product for home & small business as well as enterprise sonicwall products.

Question about PFSence, you said it uses a command line's. I was wondering "Does it use standard Linux instructions" for its command line or does it have some unique set of instructions?

I gotta say, you're not doing Sophos any justice!! i don't understand why you have so much reluctance against commercial products, sure they cost money (i hate that too lol) but ofcourse you have to put in a trial license to get it to work, how else will you be able to test all it, if they don't have a license system they can't make you pay for it.... And opensource fan's always seem have the same argument that all the code is audited, but are you sure about that? Because that almost never happens, also it would take a long time to check all that code. And if they did they are probably going to find tons of bugs which is good, then it can be fixed but don't think it has less bugs than commercial products. But honestly most opensource software are hobby projects which can go on for years and then just disappear because the developer does feel like it anymore, also support is often non existent. I'm not saying all opensource is like that but my experiences with opensource are frustrating. As for PFsense, i have been running it in a VM for years and testing with it on and off but i just HATE that damn interface, it's just not intuative at all. The dashboard is a joke (does not show me what i want to see, let alone have alerting) and simple stuff like putting in a firewall rule with a hostname doesn't even work, you have to make some alias for it. What a pain in the ass!!!! Most PFsense users don't even know what they are doing, they ask for help to get something to work but really they have no f-ing clue if they did it right. To me that is just bad practise and even unsafe!! Sure PFsense has some cool features but it's not mature enough especially if you compare it to other products which have much better interfaces. I suggest you also test and review some commercial products, you might like them and even love them at some point. Personally i like Kerio's interface, it's just easy and it think it was even free in the past 10+ yrs ago and ran on windows. Now it's all linux based and unfortunately expensive :-( But i gotta say, i immediately understand how to do something or make advanced firewall rules and the logs are great too.

You can pay attention to OPNsense too. It's NGFW with Sensei now.

How does the RackmountIT setup work for the SG-5100? I just got my box and I want it clean and rack mounted. I have a ventilated rack and it will be placed at the top by the fans so it will get plenty of air.

can you review IPFIRE?

Pfsense should implement zerotier to make something like a zerotier /SD-wan solution.

I wonder what your thoughts are on the edge routers for a wisp? They don’t need a lot of filtering. Mainly just good routing and nating. Any thoughts??

Could you do a review of a cyberoam or fortigate firewall

Ubiquiti USG: I have two USG Site-Site VPNs extending from my office USG. BUT, it doesn't allow overlapping subnets, and forces me to use a different subnet for each remote site! Is there any way to allow all three to be on the same subnet?? Anything connected could be given a static IP and not use dhcp.... ?

Is it possible to use the small USG device for just DHCP ? I just need a cheap reliable dhcp server that the CK can manage. I don’t want the USG to be my gateway, I’ll keep my service provider gateway, but I want to control DHCP. I’m hoping I can just connect a single interface LAN port and manage it with CK and let it do DHCP ?

Hey Tom, is there any news on the second generation Unifi switches?

Pfsense awesome 👍

Wait.. pfsense and edgerouter has a dashboard. Ive used them

Dead video at this point, UDM line supports blocks of IP's today. Yes, long time coming.

Do u have a video on pfsense setup via virtual machine?

Do you know of any good tool to manage pfsense. Mostly to get status, health info?

what about OPNsense and IPfire?

Netgear is expensive and unreliable. I have pulled so many Netgear devices that are not operational. I am happy with the Edgerouter lineup and the ability to easily manage all of my devices from one interface which pfsense doesn't offer. Tried pfsense once and it was OK but I don't see any reason to spend 2x the money for an open source (ie FREE) software.

Could not get broadcast helper to work with the edge.

Is there a central management option for pfsense?

Have you tried any of the TP Link Omada stuff? Their little OC200 controller and APs work really well as an alternative to UniFi. Pure wireless at the minute.

Isn’t Sophos firewalls based on Astaro distro?! I use to work on Astaro’s firewall and they were based on Linux and very powerful.

pfSense has a use case for my use case.

"some crappy opensource project", wow such sentences light me on fire, or well, turns on a switch saying that the person is so closed-minded, often not so easy to talk with, often not even willing to consider the possibility that it would work alright, or well, they say it's fine but that none would buy it, doesn't sell.

Pfsense lacks a proper certificate for squid +squid guard...

I'd say Chris Buechler was more than just a "developer" at pfSense.... that moved to Ubiquiti.

Hi , wondering if Unifi end point is safe if you use it with pfsense would you need another ips /ids on the wifi end . thanks

Any thoughts on Palo Alto firewalls?

Can’t view firewall logs. For 7 years. WTF Ubiquiti.

Do all of these allow to change the default IP for logging in. My current setup has a bunch of static IP for my devices - I wouldnt want to reconfigure all of them.

👌 ✌️

I understand some business don't want to use Open Source like OPNsense or PFsense, because they want to call support to do all the investigation to gather the information for troubleshooting. They don't want to pay an MSP, and some business believe Cisco, Sonciwall, Juniper, Palo Alto, Meraki, fortigate, and etc will have the answer if companies buy it from them. Businesses think just because they pay for the product/services somehow these companies will get the answer quickly for any problem the company encounters.

Thanks :)

pfsense just works