2021 Firewall Review, Feature Comparison and Recommendations

  • Published: 3 Jun 2024
  • Firewall Comparison Chart
    docs.google.com/spreadsheets/...
    List of our pfSense tutorials
    lawrence.technology/pfsense/
    Untangle Firewall Web Filtering & SSL Inspection
    Untangle Firewall Review
    pfSense Plus 21.02 and pfSense CE 2.5.0 Features, Updates, and Changes
    Connecting With Us
    ---------------------------------------------------
    + Hire Us For A Project: lawrencesystems.com/hire-us/
    + Tom Twitter 🐦 / tomlawrencetech
    + Our Web Site www.lawrencesystems.com/
    + Our Forums forums.lawrencesystems.com/
    + Instagram / lawrencesystems
    + Facebook / lawrencesystems
    + GitHub github.com/lawrencesystems/
    + Discord / discord
    Lawrence Systems Shirts and Swag
    ---------------------------------------------------
    ►👕 lawrence.video/swag
    AFFILIATES & REFERRAL LINKS
    ---------------------------------------------------
    Amazon Affiliate Store
    🛒 www.amazon.com/shop/lawrences...
    UniFi Affiliate Link
    🛒 store.ui.com?a_aid=LTS
    All Of Our Affiliates that help us out and can get you discounts!
    🛒 lawrencesystems.com/partners-...
    Gear we use on Kit
    🛒 kit.co/lawrencesystems
    Use OfferCode LTSERVICES to get 5% off your order at
    🛒 lawrence.video/techsupplydirect
    Digital Ocean Offer Code
    🛒 m.do.co/c/85de8d181725
    HostiFi UniFi Cloud Hosting Service
    🛒 hostifi.net/?via=lawrencesystems
    Protect your privacy with a VPN from Private Internet Access
    🛒 www.privateinternetaccess.com...
    Patreon
    💰 / lawrencesystems
    ⏱️ Timestamps ⏱️
    0:00 Firewalls We Recommend
    2:08 Firewall Comparison Chart
    5:08 Central Firewall management
    7:04 OpenVPN Support
    9:52 IPsec/L2TP VPN Support
    10:40 Wireguard VPN
    11:18 Policy Routing
    11:54 IPS/IDS systems
    13:25 DNS & GeoIP Filtering
    14:04 Web Filtering & SSL inspection
    16:12 QoS Traffic Shaping
    16:34 WAN Failover / Load Balance
    17:21 Active Directory
    17:59 Captive Portal
    18:40 Let's Encrypt & HA Proxy
    19:24 Reporting
  • Science

Comments • 268

  • @jordancalhouncom 3 years ago +98

    "Sounds really compelling until you have to use it" - this statement cannot be overstated for Unifi gateways

    • @LAWRENCESYSTEMS 3 years ago +12

      Yeah, that is true for so many products but especially the UniFi routers.

    • @databeestje 3 years ago +6

      So I tried to configure a USG in 2019 to a comparable state to the Draytek Vigor 2862 routers we used in shops at the time. Things that didn't work as expected.
      - WAN Failover didn't work as expected, failback never happened
      - IPSec tunnel can only be connected to one WAN, no failover.
      - DynDNS tied to single WAN, no failover
      - Firewall rules through Controller were interesting
      - Remote Provisioning often killed the box
      - Didn't work properly with PPPoE for DSL
      - No support for 4G modem (not even Pro)
      - Raspberry Pi 4G Bridge on WAN2 worked, however, see point 1
      At that point I just gave up on it. The unifi controller worked fine for the APs and the Switches with provisioning for ~80 sites. The USG just wasn't complete enough.

    • @DATApush3r 3 years ago +1

      I found the same to be true with TP-Link Omada. Makes sense considering it's almost a clone of the Unifi system.

    • @edwinkm2016 2 years ago

      @@DATApush3r Clone, or did they just steal the codebase? So they have the same technical dependencies (deprecated Mongo), the same (lack of) features. And now you are telling me they have the same bugs?

  • @connclissmann6514 2 years ago +1

    A most useful summary as we are in the market for replacements of our fast-ageing firewall at a couple of locations.

  • @BrennonA 3 years ago +2

    Covered most of the ones I've been looking at - thanks for the overview 👍

  • @engrpiman 3 years ago +2

    I have run pfSense in a business and while it is affordable it has also had some reliability issues. Mainly it kept dropping its IPsec VPN. This was 3 years ago. While 3 times more expensive, the Cisco ASA had no such issues and just worked. It does take Cisco knowledge to set up an ASA, but they are very reliable.
    When we got our first Cisco ASA and switch, it took me forever to get it configured, but the more I learn and use them the more I appreciate them.
    I was in the medium business segment and because of an acquisition I'm in the billion dollars a year enterprise segment now.

  • @Adrayven 3 years ago +4

    UDM Pro - GeoIP filtering is a Yes(no longer beta) with current release, works well. I selected most of Europe and Asia lol. Also, though not on the list, Multiple IPs are now supported as well.

  • @leonardogyn 3 years ago +8

    Hey Tom... haven't tried yet, but at least from UniFi Controller 6.2 release notes, it seems timestamps were finally added to the DPI stats. If it works as expected, DPI can finally be somehow useful and not just a beautiful report gimmick!

  • @Noodles.FreeUkraine 3 years ago +66

    I'd really love to see a side-by-side comparison with pfSense and OPNsense, still can't figure out why people choose one over the other (company politics aside, I mean technical reasons).

    • @southseapirate1 3 years ago +5

      This please! Came here hoping for exactly this.

    • @rpsmith 3 years ago +5

      I support both however I really don't like OPNsense's GUI. For me, pfSense's GUI is much easier to navigate. You could make the argument that OPNsense is more secure but the user interface killed it for me. So I think it all boils down to which one you like best. They are both great firewalls and you can't go wrong with either one! One side note: You will find way more online help for pfSense!

    • @MichaelSmith-fg8xh 3 years ago +5

      The UI: they have largely the same functionality, just categorised differently in the menus (I prefer PF mildly but I’m less error prone in opnsense). OS major release: Opnsense is generally more up to date. Perf: can sometimes be up to 10% different. Driver support: slight difference e.g. needing to add a few config lines to support chelsio cards. DHCP WAN: more configurable in opnsense (to the point I couldn’t get pf to do ipv6 with my old isp). Site/Ad blocking: DNS based in Opnsense, firewall based in pf but both can use the same block lists.
      This is just what I saw but I’d be curious to see comments on the different base OSs

    • @Noodles.FreeUkraine 3 years ago +1

      Thanks guys, really appreciate the feedback! 👍

    • @Totototo-nr8dh 3 years ago +4

      Easy, OPNsense is based on HardenedBSD. So the OS is basically more secure than all the others. More frequently updated. End of the story.

  • @SuperChristopher187 2 years ago +2

    I really appreciate your videos; this gives me so much information to be able to make good decisions on what I should use and what the use case is for each product. Love all of your content, best regards from Germany. :)

  • @IndianaDiy 1 year ago

    Are Protectli Vaults just as good for running pfSense vs Netgate? Just curious since there's a price difference and I do see some added security as far as hardware goes. I was looking at the VP2410 with coreboot and I wondered whether having a TPM module is worth it or not.

  • @fonte935 3 years ago +5

    All in on Ubiquiti routing sucks. Love it! Hopefully you're the first person they send a new review unit to if they ever fix it one day.

    • @fourtwanky 3 years ago +1

      Wouldn't it be great if Ubiquiti just abandoned their router os and adopted opnsense as their os base instead

  • @sms9106 3 years ago +2

    That was a nice little summary, thanks.

  • @salat 3 years ago +5

    There's a WireGuard addon for UBNT's ER - you just have to install it manually

  • @bradforrester2417 3 years ago +1

    Great video, but you should add a line for comparing logging capabilities, because troubleshooting network issues and firewall rules is often complex, and that's where the Unifi gear fails hard.

  • @EmilePolka 3 years ago +1

    Qotom nowadays runs a mobile-based 7th gen Intel processor on it. It's power efficient and powerful enough to handle a gigabit PPPoE WAN connection.

  • @myonen4402 1 year ago

    The only home brew firewall/router I've worked with is ipfire and I've been incredibly happy with it. I would love to see a comparison that included it.

  • @_MattyP 3 years ago

    Great video! Awesome team!
    Video suggestion: ISP failover setup with recommended routers Untangle and Netgate (i.e. wired-wired and wired-cellular).

    • @fourtwanky 3 years ago

      If he does that, he should include Peplink as a solution provider too! Their whole product line is developed around multi-WAN and failover support.

  • @jeffm2787 2 years ago

    Gave up on my SG-3100 for my primary firewall; it just couldn't handle gigabit at all well. Used a USG which did handle gigabit at full speed. Running a UDM Pro now and yes, I'll admit that pfSense has some serious advantages. For pfSense just don't be sold on the third-party add-ons as a reason to buy (or use). Been using pfSense for about 10 years now and what I found is the third-party add-ons often break with 'updates'. pfSense on good hardware works great, just don't count on the add-ons long term (or never update).

  • @johnburger6774 2 years ago

    Nice Ch. I need a suggestion on firewall slash router like the usg . It will be used in a small restaurant. Thanks for any help.

  • @mervstar 3 years ago

    I wonder how these compare to ClearOS. I'm using ClearOS right now for a school and for the most part it works well but I'm looking to simplify my life (without losing functionality) and trying to find a suitable replacement.

  • @LAWRENCESYSTEMS 3 years ago +1

    Firewall Comparison Chart
    docs.google.com/spreadsheets/d/e/2PACX-1vRRy9MWXbh7gZIrMVFjRPOIitAku91yfndZIHU73gsgtdaUOdnpcxsN2FF8Jt3OCRFB2opQQw22D7C_/pubhtml
    List of our pfsense tutorials
    lawrence.technology/pfsense/
    Untangle Firewall Web Filtering & SSL Inspection
    ruclips.net/video/Q-JQJpogjQI/видео.html
    Untangle Firewall Review
    ruclips.net/video/WYhOgQ8JyYI/видео.html
    pfSense Plus 21.02 and pfSense CE 2.5.0 Features, Updates, and Changes
    ruclips.net/video/E0KXa9DEz8w/видео.html
    ⏱️ Timestamps ⏱️
    0:00 Firewalls We Recommend
    2:08 Firewall Comparison Chart
    5:08 Central Firewall management
    7:04 OpenVPN Support
    9:52 IPsec/L2TP VPN Support
    10:40 Wireguard VPN
    11:18 Policy Routing
    11:54 IPS/IDS systems
    13:25 DNS & GeoIP Filtering
    14:04 Web Filtering & SSL inspection
    16:12 QoS Traffic Shaping
    16:34 WAN Failover / Load Balance
    17:21 Active Directory
    17:59 Captive Portal
    18:40 Let's Encrypt & HA Proxy
    19:24 Reporting

  • @-Good4Y0u 3 years ago

    The video I have been waiting for.

  • @grillsandaxlegrease3578 1 year ago

    Can pfSense be run on Zyxel's products? I have an ATP100 that suddenly goes into reboot. Thinking maybe their software is causing the problem... Or should I try that Netgate and ditch Zywall forever?

  • @soldermecold7456 3 years ago

    UDM Pro ... I was hoping to hear better things about VPN reliability compared to a USG

  • @krisdphillips 3 years ago +7

    Excellent video!
    One correction: OPNSense offers both the WG Go and kernel implementation now. However, I think the Go version is currently default. There is an option to flip flop between them though.
    pfSense's support for WG will also be a package and not "built in" like IPSec and OpenVPN. It will be available in the Package Manager in 2.6.X and can be unofficially installed now on 2.5.1+.

    • @LAWRENCESYSTEMS 3 years ago +1

      Interesting, did not know they had a kernel module as well.

    • @krisdphillips 3 years ago +1

      @@LAWRENCESYSTEMS It's not default, but it's in their repos/as an option. It's the same module for FreeBSD AFAIK that pfSense will use (which makes sense since they're both BSD-based). Sounds like they ported it to HardenedBSD and into the HardenedBSD repos.
      On OPNSense you just have to run "pkg install wireguard-kmod" and reboot. The web UI works exactly the same with the kernel module as the Go implementation. The only "gotcha" is the Wireguard service always shows as stopped because it is trying to monitor the Go implementation running in user space that no longer exists, so it always shows as off. Apparently that will be fixed in future releases, but is the only weird functionality difference.

  • @Fearnight 3 years ago

    What was that Advanced Client Settings in pfSense OpenVPN Client config at 8:20? Is that a package that adds that? My config doesn't show it (2.5.1) and I've been looking for a way to specify DNS servers just for my VPN client.

    • @LAWRENCESYSTEMS 3 years ago

      It's towards the bottom under the client config settings

  • @mattschoular8844 3 years ago +1

    Thanks Tom...Always interesting...

  • @mariotubelecce 3 years ago

    I have both OpenVPN and WireGuard set up on my EdgeOS (EdgeRouter 3 Lite). Not something impossible to achieve, at least for someone who "needs" an advanced router.

  • @jasonlauzer 3 years ago

    EdgeRouter has WireGuard and Geo Filtering. They are command line installs but work perfectly!

    • @LAWRENCESYSTEMS 3 years ago +3

      My point is neither are officially supported by Ubiquiti

  • @GodBreathed77 3 years ago

    I just got myself a Fortinet, super happy about it

  • @wiseguy3k 3 years ago +2

    Thanks Tom!

  • @TheJoBlackos 3 years ago +2

    I tried Untangle for a year. I did not find it easier than pfSense, even though I was not familiar with either at the beginning. The deal breaker was when I tried to set up time-based device management; I was unable to make it work properly on Untangle. I have no problem on pfSense.

    • @MrBobbybrady 3 years ago

      I found the break and inspect worked surprisingly well on Untangle, but it was always a pain in the butt to troubleshoot which module was blocking what. This year I will roll with OPNsense and Sensei until something better comes along.

  • @arubial1229 3 years ago +1

    Whenever people ask me why they should use pfSense, I always just point them to Tom's comparison videos. Company issues aside, pfSense is the best firewall I've ever used. It's so easy to set up and very powerful at the same time. UniFi makes excellent switches and WAPs, but you literally couldn't pay me to use their firewalls.

  • @easy1965 2 years ago

    how will the new UXG-PRO hold up with this comparison? thank you for your videos.

    • @LAWRENCESYSTEMS 2 years ago

      Still a very basic firewall ruclips.net/video/CtPAgj8EhGU/видео.html

  • @DustinSCline 3 years ago +1

    Untangle's firewall rule management, lack of explicit deny firewall rules and device pricing structure make it hard for me to get on board.

  • @jdl3408 3 years ago +2

    Anything with application based filtering? I know a PA-220 starts to get into the same price range as these platforms, but it would be nice to have a more SOHO friendly platform with L7 policies. Edit: It looks like Untangle supports this while pfSense does not, seems like a big omission from the video.

    • @MichaelSmith-fg8xh 3 years ago +1

      Opnsense has application specific/level rules

    • @tqnpersonal 2 years ago

      @@MichaelSmith-fg8xh wait, it does?

  • @shannon1872 2 years ago

    I was looking at Untangle but noticed the Home edition went from $50 a year to $50 for normal and $150 for Pro. Would pfSense still be a good option for home use?

    • @LAWRENCESYSTEMS 2 years ago +1

      If you like the filtering features and threat intelligence systems, then yes.

  • @kciwrc 3 years ago +2

    Can you substitute the built-in firewall from Ubiquiti for the pfSense one?

    • @LAWRENCESYSTEMS 3 years ago +2

      I don't understand the question. Unless you are asking if you can load pfSense on the Ubiquiti, then the answer is no.

    • @samsampier7147 3 years ago

      You can run both if you set up the network and switches correctly. I use an EdgeRouter Lite behind my pfSense.

  • @rockking1379 3 years ago +6

    Wow perfect timing as I’m looking to replace my ERX

    • @looseycanon 3 years ago

      Don't dispose of that ER-X in any way! Reconfigure it. The thing can work in switch mode.

  • @zackbog 3 years ago

    How is the EdgeRouter geared towards ISPs but doesn't have IDS/IPS or any of the other filtering protocols?

    • @LAWRENCESYSTEMS 3 years ago +1

      ISPs are generally not into filtering content and cheaper gear fits the budget better.

  • @theparadigm320 3 years ago +2

    Hi Tom, have you had a look at the Sophos XG series? They also have a free Home version with all the bells and whistles one could desire.

    • @LAWRENCESYSTEMS 3 years ago

      Took a quick look, nothing compelling about it to make me want to learn it or use it.

    • @Bobtb 3 years ago +1

      @@LAWRENCESYSTEMS That's just silly. It checks all boxes, except WireGuard (for now), and it is completely free for home users. It is a solid firewall with enterprise-grade features.

    • @LAWRENCESYSTEMS 3 years ago

      @Bob ten Berge I am not telling people not to use it, there is just nothing compelling about it to make me want to learn it or use it.

    • @Bobtb 3 years ago

      @@LAWRENCESYSTEMS but if you're going to compare free firewall solutions, why not include it? I'm sure there are plenty of viewers who would be interested.

    • @LAWRENCESYSTEMS 3 years ago

      @@Bobtb doubt it, but I do have plenty to say about Fortinet ruclips.net/video/m4X_CEjCXEc/видео.html

  • @TylerCordaro 3 years ago

    I would love to know which performs the best for people with 1 gig internet.

    • @MichaelSmith-fg8xh 3 years ago

      Two of the options are available on multiple hardware levels so you could up your hardware to get the required performance. It’s not really expensive/hard to put enough hardware under PF to route at even 10gb (assuming just routing, not packet inspection or anything too strenuous). If you choose a good network card with pf the resource usage is very low…

  • @fourtwanky 3 years ago +7

    Regarding reviewing OPNsense, I know you don't plan to, you say that all the time. But I really wish you would anyway.

  • @avvidme 3 years ago +1

    Also, great review, but I also wish you had included Firewalla since it's popular in this segment as well.

    • @LAWRENCESYSTEMS 3 years ago

      It's a home user device that I am not really interested in.

    • @avvidme 3 years ago +1

      @@LAWRENCESYSTEMS The Gold is a 4-port 1Gb w/ content filtering, VPN (w/ WireGuard), app blocking, QoS w/ rate limiting, multi-WAN w/ failover, policy routing and VPN. Certainly more usable 'business' features than the Ubiquiti gear you're covering.

    • @LAWRENCESYSTEMS 3 years ago +1

      @@avvidme So you are saying I should have it in my list of firewalls we don't recommend, like the Ubiquiti ones?

    • @avvidme 3 years ago

      @@LAWRENCESYSTEMS Hahaha exactly!! ;)

  • @blgari0n 3 years ago +9

    Do you feel that OPNSense can’t match pfSense/Untangle feature wise or did you leave it out because it felt redundant given the firewalls you’re comparing?
    Just curious because I’m not happy with the direction pfSense is heading towards and OPNSense looked fine on the VM I setup for it on my test environment.

    • @joevining2603 3 years ago +1

      He doesn't recommend OPNSense because it's a fork of pfSense

    • @blgari0n 3 years ago

      @@joevining2603 I’ll have to watch the video again, I totally missed that comment. Thanks Joe!

    • @joevining2603 3 years ago +2

      @@blgari0n It's towards the end. He's also made this same opinion known in several other videos throughout the past couple years.

    • @freebs3545 3 years ago +1

      @@joevining2603 to me he's biased about that

    • @joevining2603 3 years ago +5

      @@freebs3545 It's just his opinion and as he plainly states - it's just not compelling enough for him to switch/add to his hardware offerings. It's not like he's only dealing with a test lab and a handful of clients. He's using what he knows works well for a large client base. Nothing to stop you from using what you want in whatever context suits you.

  • @shanelord1666 2 years ago +1

    You really need to check the Firewalla Gold out. No ongoing license fees but extremely capable device. My go to over any of these - just as secure but dramatically easier to use.

    • @LAWRENCESYSTEMS 2 years ago

      Really not interested at this time.

    • @shanelord1666 2 years ago

      @@LAWRENCESYSTEMS That's a real shame. I've tried all of the products you've tested, and it's not my day job. It takes 5-10 mins to read about a product rather than dismissing it out of hand.

    • @LAWRENCESYSTEMS 2 years ago

      @@shanelord1666 I did not say that I did not read about it, I said I was not interested in using it, which is because I have read about it.

  • @Joshv918 3 years ago +1

    EdgeRouter does have WireGuard btw. I use it a lot..

    • @LAWRENCESYSTEMS 3 years ago +1

      Yes, but not officially supported by Ubiquiti

    • @garybowers5724 3 years ago

      @@LAWRENCESYSTEMS Indeed, I run it on EdgeRouters (2x ER4 + 1x ERLite) and upgrading the firmware is always a fun time.... I have to make sure I have a backup VPN (IPsec etc.) just to remote in to be able to re-install the package. Having said that, it's been bulletproof. I have 3 WireGuard interfaces:
      WG0 - Site to Site interfaces with CIDR's routed between 3 sites
      WG1 - Remote Access from client devices
      WG2 - Site to Site to Google Cloud with WG running on a GCE Instance.
      Once WG is fully supported on pfSense I am looking to start migrating over from EdgeMax (I expect EdgeMax line to disappear at some point given their focus on Unifi)

  • @avvidme 3 years ago +2

    As a Ubiquiti reseller, do you have any insights into a) whether they realize what a PoS their firewall is? and b) whether they plan on ever releasing something usable?

    • @LAWRENCESYSTEMS 3 years ago +5

      We are not a reseller and I have no insights into why their firewalls are so bad or if they will fix them.

  • @KristianKirilov 3 years ago +6

    MikroTik can act as firewall, router and switch very well. The devices and the license are cheap. Unfortunately many of the advanced topics such as WAF and SDN are missing.

    • @KristianKirilov 3 years ago

      @S K Actually MikroTik is Linux based, so if you know how to do the things in Linux you will know how to do them in MikroTik as well

    • @KristianKirilov 3 years ago

      @S K Yeah, you are right about the CLI learning curve. If you are familiar with Cisco, you can try VyOS, a Debian-based routing platform with a Cisco-style CLI.

  • @sandman8700 2 years ago

    After 2:25 into your review, looking at the table, I knew where this was going as there was only one "recommend".

  • @FunkyELF 3 years ago

    How about a Tailscale vs WireGuard video ;-)
    I'm currently running WireGuard on my Unraid server. Apparently WireGuard can be run on a USG but is not officially supported. I'm curious about Tailscale though.

    • @2622benttrailok 2 years ago +1

      TailScale vs Wireguard is not really a comparison because TailScale is in basic terms a pretty Authentication and ACL wrapper around WireGuard.

  • @lebeyes 3 years ago

    The OpenVPN implementation on USG is crippled. I got a site-to-site VPN from a USG to a pfSense working only with cipher BF-CBC and auth SHA1. The USG does not support AES-256-CBC and SHA256.

    • @gtwannabe2 3 years ago +1

      The base USG is crippled by its slow, crappy MIPS processor. Ubiquiti really needs to retire the product; it can only manage 85Mbps of throughput with IDS/IPS enabled.
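The @lebeyes comment above describes a tunnel that only came up with BF-CBC and SHA1. The following is an added example, not code from the video, the channel or any of the commenters: a small audit script that reads an OpenVPN config and flags those settings so a defender can find which tunnels are still running on them. The weak/preferred lists, the two sample configs and the `vpn.example.invalid` placeholder host are this example's own assumptions; the directive names (`cipher`, `auth`, `data-ciphers`, `ncp-ciphers`) are real OpenVPN options.

```python
"""Audit OpenVPN configs for weak data-channel cipher and HMAC digest choices.

Added example, not from the video or the comments. The policy lists below are
this example's own; adjust them to your environment.
"""
import re

# BF-CBC and the other 64-bit-block ciphers are exposed to Sweet32-style
# birthday attacks on long-lived tunnels; SHA1 and MD5 are deprecated digests.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"SHA1", "MD5", "NONE"}

# Only the directives that decide data-channel crypto are of interest here.
_DIRECTIVE = re.compile(r"^\s*(cipher|auth|data-ciphers|ncp-ciphers)\s+(\S+)", re.IGNORECASE)


def parse_cipher_directives(config_text):
    """Return {directive: VALUE} for the cipher/auth lines of an OpenVPN config.

    '#' and ';' are stripped as comment markers (this example's simplified
    grammar); a later directive overrides an earlier one, as OpenVPN does.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]
        m = _DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).upper()
    return found


def audit_openvpn_config(config_text):
    """Return a list of finding strings; an empty list means nothing weak was found."""
    cfg = parse_cipher_directives(config_text)
    findings = []

    # Data-channel cipher. OpenVPN releases before 2.6 fall back to BF-CBC when
    # no cipher is configured, so a missing directive is itself a finding.
    cipher = cfg.get("cipher")
    if cipher is None and "data-ciphers" not in cfg and "ncp-ciphers" not in cfg:
        findings.append("no cipher/data-ciphers directive: older OpenVPN defaults to BF-CBC")
    elif cipher in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher {cipher}; prefer AES-256-GCM or AES-256-CBC")

    # data-ciphers / ncp-ciphers is a colon-separated negotiation list; any weak
    # entry in it can be selected by a peer that offers only that one.
    for key in ("data-ciphers", "ncp-ciphers"):
        if key in cfg:
            for entry in cfg[key].split(":"):
                if entry in WEAK_CIPHERS:
                    findings.append(f"weak cipher {entry} in {key} negotiation list")

    # HMAC digest. OpenVPN's own default when 'auth' is absent is SHA1, so the
    # absence of the line is treated the same as an explicit SHA1.
    digest = cfg.get("auth", "SHA1")
    if digest in WEAK_DIGESTS:
        findings.append(f"weak auth digest {digest}; prefer SHA256 or stronger")
    return findings


# Constructed sample: the USG-to-pfSense tunnel the comment describes.
USG_STYLE_CONFIG = """
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder peer, not a real host
cipher BF-CBC
auth SHA1
"""

# Constructed sample: the same tunnel on current defaults.
HARDENED_CONFIG = """
dev tun
proto udp
remote vpn.example.invalid 1194
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-CBC   # fallback for peers without cipher negotiation
auth SHA256
"""

if __name__ == "__main__":
    for name, text in (("usg-style", USG_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_openvpn_config(text) or ["ok"])
```

Run it against exported client and server configs in bulk (for example, every `.ovpn` handed out to users) and treat any non-empty result as a tunnel to renegotiate; the `data-ciphers` check matters because a peer that only offers a weak entry can still pull negotiation down to it.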

  • @looseycanon 3 years ago

    I for one always thought that the vendor should be selected in accordance with the expected deployment.
    pfSense? HQ and data center.
    Untangle? Why pay a fee when you can have something very similar for free?
    EdgeRouter? Anywhere you need a decent router with decent features.
    UniFi? Well, hotels, motels and places where you can't have a tech on account of their smallness. Not the UDM lineup!
    MikroTik? If your staff likes to suffer or you have some very niche use case, like an LTE connection that actually needs site-to-site VPN support.
    TP-Link? If you need a breach.
    There is no shame in going multi-vendor, as long as it gets the job done within the budget.

  • @techdigitalgroup 1 year ago

    Do you recommend WatchGuard?

  • @Techtips200 3 years ago

    Please also review Allot DPI products

  • @wicked_observer 3 years ago +2

    Protectli has been great for me

    • @fourtwanky 3 years ago

      me too! love those guys

  • @bparisi 3 years ago +1

    I haven't watched this video yet. But based on the title it doesn't seem to include any of the Sophos offerings? I migrated from pf to Sophos UTM initially and now XG. Never looked back. Anyway, that's a shame because Sophos is a far more sophisticated, fully integrated package.

    • @Crazy--Clown 2 years ago

      Sophos = Syphillis

    • @bparisi 2 years ago

      @@Crazy--Clown Reasons? Hasn't been my experience, as I have used both for over a decade.

  • @ricardomarques748 2 years ago

    Thank you for your videos. Could you review the Firewalla Gold? That firewall is getting very famous.

    • @LAWRENCESYSTEMS 2 years ago

      It's a consumer firewall and I don't use it

    • @Phitur1 1 year ago

      @@LAWRENCESYSTEMS I'm not sure that's a true statement at this point. Their management interface could certainly be better for business needs, but as their software matures, they are getting much better. They're also coming out with a hardware upgrade on the Gold with faster links and faster throughput. Their hardware was already superior in terms of throughput to the Untangle appliances you've been reviewing before the upgrade, at a slightly higher price point, with all the functionality, no subscription fees, and a CI/CD process that takes user input and acts on it in a reasonable timeframe, as opposed to some other vendors.

  • @earthling_parth 3 years ago +1

    Do you have a beginner's guide to homelab setup? I really liked this, but am a beginner on setting up my homelab with a decent old laptop 😅

    • @keyboard_g 3 years ago +1

      He has a home lab podcast with @LearnLinuxTV

    • @earthling_parth 3 years ago

      @@keyboard_g Yup, saw it now. Going through that.

    • @MichaelSmith-fg8xh 3 years ago

      You can run pfSense/OPNsense in a VM if you want to learn before using hardware.

  • @Huck9000 3 years ago +1

    I think the way pfSense is moving to pfSense Plus and pfSense CE tells the whole story. That really bothers me going forward. Plus will be in their Netgate products, and not be open to others until late 2021. I'm going to switch to OPNsense, just because it will be the safer way to go until maybe 2022. pfSense has been great for years, but Netgate is going to screw it all up. I'm not panicking or anything like Tom suggests, but I do believe it's the way to go.

  • @Salad360 3 years ago +1

    You technically can do "web filtering" on the EdgeRouter...sort of... So long as a website or service is recognized by its traffic analysis engine, you can create firewall rules which block packets based on traffic analysis categories. That being said, there are A LOT of services that it doesn't detect, in which case you're SOL. It works for blocking Facebook, Twitter and other "Top 500" websites, but beyond that it's pretty limited.

    • @Joshv918 3 years ago +2

      EdgeRouter is still my favorite.. UNMS/UISP has me stuck with them. Plus they are pretty powerful for the price.

  • @matth9040 3 years ago +1

    Tom, can you do an Untangle setup tutorial?

    • @LAWRENCESYSTEMS 3 years ago

      I have a review video here ruclips.net/video/WYhOgQ8JyYI/видео.html - what exactly did you want to know?

    • @matth9040 3 years ago

      Thanks for the reply, I'll check it out. I was trying to get some basic network segmentation with web filtering on one of the VLANs.

  • @lightingman117 1 year ago

    Can you look into firewalla?

  • @brockeldridge9877 3 years ago +3

    You should review Firewalla Gold. Pretty nice product.

    • @LAWRENCESYSTEMS 3 years ago +1

      Not something I plan on using or reviewing.

    • @mtheofy 3 years ago

      @@LAWRENCESYSTEMS Just curious on your reasoning. Thanks.

    • @LAWRENCESYSTEMS 3 years ago

      @@mtheofy Does not have any compelling feature that makes me want to use it over other devices.

    • @mtheofy 3 years ago

      @@LAWRENCESYSTEMS Fair enough. Thanks.

    • @Noodles.FreeUkraine 3 years ago +1

      Yikes, they don't even offer a web portal to configure things. I'd rather deal with a terminal than fumble around with an app all day. No idea what led to that idea, but I wouldn't touch it with a ten-foot pole for that reason alone.

  • @goofables4949 3 years ago

    Nice video!

  • @michaeluray
    @michaeluray 2 years ago

    Did you actually ever look at the Endian Firewall?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Not in recent years. It does not have anything that makes it compelling vs pfSense or Untangle.

  • @peterg7342
    @peterg7342 3 years ago

    UDM PRO supports only one concurrent L2TP VPN user session. When I tried to connect two L2TP VPN users I would get disconnected.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      More likely a limitation of L2TP. You cannot have two users behind the same IP address.

    • @peterg7342
      @peterg7342 3 years ago

      @@LAWRENCESYSTEMS What VPN should I use if I need multiple users behind the same IP address?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      @@peterg7342 OpenVPN with either pfSense or Untangle.

  • @paultruzzi911
    @paultruzzi911 3 years ago +6

    So, why isn't MikroTik mentioned?

    • @backupplan6058
      @backupplan6058 3 years ago +1

      Because he can’t go through every possible option, he is showing what he has personally had experience with so as not to give a wrong impression. MikroTik gives plenty of features for the low price but you pay for it with stability.

    • @paultruzzi911
      @paultruzzi911 3 years ago +1

      @@backupplan6058 I wasn't asking for a review of MikroTik. But a mention that it exists would be helpful for those of us looking at our options.

    • @backupplan6058
      @backupplan6058 3 years ago

      @@paultruzzi911 You mean along with the dozens of other potential options as well. I say again, he was only covering those he has experience with. Mentioning it wouldn’t do anyone any good, and from the sound of it you have already made up your mind on what you are after.

  • @guyboisvert66
    @guyboisvert66 2 years ago

    For $69 you can get a MikroTik hEX S, which gives you enough horsepower and a professional OS that supports anything you can imagine: OSPF, WireGuard, MPLS, Mangle, etc.
    As a network engineer of 30 years, for me it's the best management interface: CLI / WEB / Winbox

    • @guyboisvert66
      @guyboisvert66 2 years ago

      ... and for $219, you get the RB4011iGS+RM that has 10 x 1 Gbps ports + 1 x SFP+ and a beefier CPU + more RAM!

  • @tuttocrafting
    @tuttocrafting 3 years ago +4

    Unfortunately finding a CPE for my needs is actually impossible. Here ISPs are migrating to IPv6 and are using MAP-T, and so far none support it.
    A firewall comparison without any mention of IPv6 in 2021 is a shame. In 2021 1/3 of the traffic is on IPv6.

  • @slip0n0fall
    @slip0n0fall 3 years ago

    I understand you can't cover them all but surprised Zyxel Zywall/USG line never gets a mention.

    • @looseycanon
      @looseycanon 3 years ago +1

      I recall that Tom once talked smack about Zyxel in errata... And there was a major breach over at Zyxel a while back... So I'd say that they're really not usable...

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +2

      ZyWALL has had multiple backdoors found: arstechnica.com/information-technology/2021/01/hackers-are-exploiting-a-backdoor-built-into-zyxel-devices-are-you-patched/

  • @swiftswamp4599
    @swiftswamp4599 3 years ago +1

    You do a lot of really good and in-depth reviews, and with how knowledgeable you are and how large you've gotten, I presume you must have obtained a few certificates over the years (e.g. CompTIA, Cisco, AWS, etc.). Any chance you could make your own video going over your thoughts on getting the cert, is it worth it, etc.?

    • @fonte935
      @fonte935 3 years ago +1

      Geekiness and experience beat certs any day.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      I have a video about that here: ruclips.net/video/EdPPXRVR6Gs/видео.html

  • @tld8102
    @tld8102 2 years ago

    OpenWrt on a Raspberry Pi?

  • @swagger1262
    @swagger1262 3 years ago +6

    MikroTik?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      I don't use their firewalls.

    • @swagger1262
      @swagger1262 3 years ago +2

      @@LAWRENCESYSTEMS I was on pfSense, USG, and EdgeRouter. Steep learning curve in MikroTik, but once you get over it, it can basically do anything.

  • @pierrepaniagua
    @pierrepaniagua 2 years ago

    What about Firewalla?

  • @tjhana
    @tjhana 3 years ago +2

    No MikroTik in the comparison?

  • @jlficken
    @jlficken 3 years ago

    Untangle L2TP site-to-site to a USG Pro does work. It's just not as clean as I'd like. We do transfer ~100GB/day over ours though, which has 5 different tunnels, and it is very, very reliable.

  • @rsgurubr
    @rsgurubr 2 years ago

    Do you recommend Firewalla?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      It's an interesting consumer product, but I don't really have the time to test it now.

  • @chai_reddy
    @chai_reddy 3 years ago

    Why do you never include Sophos in these comparisons?

  • @manuelthallinger7297
    @manuelthallinger7297 3 years ago

    Not having every feature others have isn't necessarily a bad thing. The thing which sucks with the USGs is there's no development, no new features.

  • @rashie
    @rashie 2 years ago

    👍👍

  • @joseroda5863
    @joseroda5863 3 years ago +2

    I understand your whole point about not looking at OPNsense. But then this argument kind of loses weight for me when I see you taking the time to review TP-Link. Don't know... I am somehow looking forward to you looking at OPNsense at some point. It does offer a lot of compelling facts, such as integration with Sensei, which pfSense doesn't have, and other things like WireGuard today, search box, cleaner user interface, and so on.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      Sensei is the only feature that makes OPNsense interesting, but we use Untangle for people that want that type of filtering. I reviewed TP-Link because they cloned UniFi to such a degree that it was interesting. Overall though, me not making videos has not stopped people from using it and I don't tell people not to use it. I just don't find it that interesting.

  • @BlackHawk1335
    @BlackHawk1335 3 years ago

    We should add MikroTik to this list; it can cover most of the things here.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      Between their convoluted interface making them more difficult to configure and the lack of any amazing features over something like pfSense besides being low cost, I don’t really have a compelling reason to learn their platform.

  • @Jazz3006
    @Jazz3006 2 years ago

    Where would Sophos XG come into play here?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      Dunno, I don't use it.

    • @Jazz3006
      @Jazz3006 2 years ago

      @@LAWRENCESYSTEMS any particular reason?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      @@Jazz3006 Nothing compelling about it.

    • @Jazz3006
      @Jazz3006 2 years ago

      @@LAWRENCESYSTEMS Huh, for some reason my roommate slanders pfSense but pushes Sophos. I don't really understand why.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      @@Jazz3006 ¯\_(ツ)_/¯

  • @fabianbence5289
    @fabianbence5289 3 years ago +1

    Next time could you please add some MikroTik routers too?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +2

      Nope, I don't have a use case for learning them at this time.

    • @kiwiscanwifi
      @kiwiscanwifi 2 years ago +2

      Was surprised MikroTik RouterOS was not included. Ticks almost all the boxes.

  • @DanielAwesomesauce
    @DanielAwesomesauce 3 years ago +1

    I really wish you gave OPNsense some more attention. I know you prefer to talk about products that your company uses daily on customers' networks, but OPNsense is just much better than pfSense. pfSense is a bad steward for open source and OPNsense fixes that. Also, there are a lot of features and usability missing from pfSense (such as WireGuard) which have been in OPNsense for a very long time.

    • @DanielAwesomesauce
      @DanielAwesomesauce 3 years ago

      I just finished the video and saw your reasoning that OPNsense is just not that different. Well, how do you know when you haven't tried it recently? Just try it and review it, not as "This isn't like pfSense" but as its own standalone product.
      Seriously, just drop pfSense.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +2

      Use what makes you happy.

    • @rob21
      @rob21 2 years ago

      This post didn't age well.

  • @DJaquithFL
    @DJaquithFL 2 years ago +1

    Maybe a dumb question but why not just lockout / block the entire internet and just whitelist the sites that are needed for your business?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      It's just not a practical usable solution.

    • @Phitur1
      @Phitur1 A year ago

      This is a great approach if you're using web filtering to allow specific domains and have the resources to have someone manage that on a daily basis. However, it does require quite a bit of management to implement properly and ensure that you aren't inadvertently blocking valid business needs. His comment that it's not a practical solution is because it requires quite a bit of overhead to manage properly. But, based on your use case and business needs, this could be a good option for portions of your users or network segments. Would require a lot of work on the front end and should get easier over time.

    • @DJaquithFL
      @DJaquithFL A year ago

      @@Phitur1 .. I didn't want to argue with him, but it's a hell of a lot easier than he thinks or believes apparently. Most businesses only need to be involved with a very small number of companies via the internet from outside their office. This becomes even more apparent from a larger company when you have to look at the small cost of hiring a good network administrator or paying ransomware demands. The proverbial drop in the bucket in comparison.
      We did something like this nearly 30 years ago. There was no reason for staff to use 99.9999999% of the websites and frankly, most businesses outside of their email have little to no need whatsoever for outside access. The text-only emails would be allowed but the links and attachments would be blocked in most cases.

  • @303topgun
    @303topgun 3 years ago

    We just deployed a Cisco Meraki MX100 firewall. Roughly 5k to 10k. Not cheap.

    • @soldermecold7456
      @soldermecold7456 3 years ago

      Dang... sorry to hear. We switched from Meraki to Fortinet and it’s so much better

  • @ojarana
    @ojarana 3 years ago +10

    OPNsense?

    • @gonace
      @gonace 3 years ago +1

      If you take a look at the video to the end, he answers your question ;)

  • @Joshv918
    @Joshv918 3 years ago +1

    Hurts to not see the EdgeRouter there.. still my favorite..

    • @Joshv918
      @Joshv918 3 years ago

      Ouch, just saw the EdgeRouter in the spreadsheet. Sorry..

    • @SpookyLurker
      @SpookyLurker 3 years ago

      @@Joshv918 Apparently your eyes decided to try and save you from the embarrassment it secretly is?
      I tried routing stuff on one once a certain way. The way I understood it, it was supposed to work.

  • @The0nionKnight
    @The0nionKnight 3 years ago +3

    OPNsense gang

  • @mimimj9952
    @mimimj9952 2 years ago

    What is he saying? I'm not tech savvy at all; as he explains, I'm more confused. For future reference, people do know the abbreviation lpt, to stf to jol. I don't know anything; like most, simplify, then get complicated. But simplify for like half an hour on what abbreviation prevents what in the internet.

  • @KaloyanDobrev
    @KaloyanDobrev 2 months ago

    If you don't include MikroTik solutions you should probably include Windows Firewall :)

  • @luispagan1566
    @luispagan1566 3 years ago +3

    Firewalla

  • @MrAwesomeGamer99
    @MrAwesomeGamer99 3 years ago +1

    Do some real NGFWs: Palo Alto, Fortinet, Cisco Firepower, etc.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      What makes Fortinet better than Untangle?

    • @jediking2000
      @jediking2000 3 years ago +1

      @@LAWRENCESYSTEMS Hardware acceleration, built in WAP controller, built in switch controller, enhanced threat intelligence, SSL VPN, etc....

    • @MrAwesomeGamer99
      @MrAwesomeGamer99 3 years ago +1

      @@LAWRENCESYSTEMS I have a list of reasons, but here are some of them. The immediate difference between Fortinet FortiGate and any other major FW vendor is that they have purpose-built ASICs that handle multiple security functions of the FW, which is why FortiGates are one of the fastest FWs on the market (protected throughput). With this and their high rating in 3rd-party reviews from companies such as Gartner, NSS Labs (when they were around) and others, you will immediately see the benefit of Fortinet's firewall and why they are leading in the market. With their intuitive GUI, plethora of FW features, their security fabric, and leading protected throughput speed in the industry, they come to the lowest overall TCO for the features they come with, which is why they are not only further ahead than Untangle but leading in the market overall. I highly recommend looking up the latest Gartner Magic Quadrant.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +2

      @@MrAwesomeGamer99 Sounds like lots of marketing speak to me. Also, since Gartner is reviewing them, don't see a need for me to do so.

  • @GadgetWasteland
    @GadgetWasteland 3 years ago

    pfSense is still running strong on the Netgate 3100. Can't really complain about it too much :)

    • @randleqgod
      @randleqgod 3 years ago

      What are you using for switching?

    • @GadgetWasteland
      @GadgetWasteland 3 years ago

      @@randleqgod Ubiquiti UniFi 24-port switch. I've had no issues. I could have gone the Cisco route and just configured everything manually, but I like the Ubiquiti interface slightly better.

  • @NiTeHaWKnz
    @NiTeHaWKnz 3 years ago +1

    Honestly, just skimming your comparison list, it's easy to see why you don't recommend the Ubiquiti routers/firewalls.

  • @ericb9511
    @ericb9511 2 years ago

    Nothing about Linksys?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      I don't really test the low end firewalls.

    • @ericb9511
      @ericb9511 2 years ago

      @@LAWRENCESYSTEMS Matter of opinion what's low or high. When you have to pay subscription fees for a firewall it's not a good thing.

  • @thbadmin7751
    @thbadmin7751 3 years ago

    Firewalls again?

  • @pepeshopping
    @pepeshopping 3 years ago +1

    Missing at least 2 respectable offerings.

  • @Acxtcx
    @Acxtcx 2 years ago

    Please include OpenWrt.