Firewall Comparison, Which Ones We Use and Why We Use Them: Untangle / pfsense / Ubiquiti

I don't comment on videos often. I just wanted to drop a line and say how much I appreciate your channel and videos. Super helpful and so helpful. Keep up the good work, I am a fan

Hi, old pfSense contributor here. I originally rolled into this project when using a M0n0wall router internally. After some further investigating we started using pfSense in the pre 1.0 days. Later on I wrote the RRD graphs, IPv6 support in the UI as well as implementing the Gateways, Gateway Groups and some other things.
Eating one's own dog food is *very* useful. Things like the duplicate button that only existed on the firewall page was replicated to VPNs and other items. Because it just make life so much easier.
The gateway groups came to pass from load balancing, wanting to assign weights, that sort of thing. The drawback of a lot of this is that you need to define everything before you can asssign it. Sorry for that. But if you manage a lot of routes that makes it very readable and easy to grasp. Alos glad that apinger was replaced with dpinger :)
Then you need things like PXE network booting and pfSense just has the ISC dhcpd logic to pass the right BIOS, EFI32 or EFI64 image. Things that otherwise are really hard to get rid, or only give you a single Boot file option, booo.
We ended up building a internal vlan router with this eventually, with a Dell PowerEdge server with Intel X520 10Ge dual port card. That worked really well for 7 years or so and 1 upgrade cycle. The base box was less then 1500 euro a piece. HA was a cinch.
Other plus is a readable configuration, and through the exec.php page I had a PHP interface to this config. So on regular occasions I wrote some conversion code to modify ~350 IPSec vpn tunnel endpoints or encryption settings using this page. I never found another that has sonething similiar, and I had a tip that only Juniper currently has something comparable.
For comparison, I now use a Watchguard XTM M4600 (~14k euro a piece), the aliases are not sorted alphanumerically in the Windows Policy manager, and listed in a really small select screen. The OpenVPN server can only be used for mobile clients, and only has one server. To make matters worse, the webserver it runs is on 443, so if it reloads rules you ocassionally connect to watchguard openvpn config server instead. Not so much fun. No support for OpenVPN client tunnels or extra servers with different settings or certs. Still, it does do a lot of inspection and offers inspection capabilities, but with some network bending drawbacks. Min boggingly, if you need to look up the ARP table, that is only available in the WebUI, and not in the Windows manager.
I guess each brand has their own issues and finnicky things.
I left the project after it went from BSD Perimeter to Netgate, it required signing a legal waiver for code contributed to github, and I just never did. Good memories though.

I am so glad to see that Untangle gets your seal of approval. After struggling with PFSense, despite watching countless hours of video tutorials, and having to set up a second network for my wife to use, I switched over to Untangle in October. I went with the home subscription, and I don't think I will look anywhere else. Definitely worth the $50 price tag for ease of use, and the features that you get. Plus I don't have to upgrade my box for awhile!

Whoa dude kick azz video! You nailed all the relevant points well in less than 20 min. You just sold me on PFS. Peace. ✌️😎👍

The guys at Lawrence Systems are absolutely awesome. My IT skills are limited, but I had watched enough RUclips videos to know that these guys knew their stuff. I live in Texas and I hired them to help me build and deploy a ubiquiti network. They provided great advice, acquired and program all of the equipment, and then shipped it to me for install. I was going to use the usg, but they recommended the netgate 3100. The network has been up an running for a little over a year and has worked flawlessly.

Great information, and really appreciate that you also talk to those of us that build & manage networks for our SMB customers. Having your knowledge on-hand is how we look good for them! Cheers!

I wished i found this channel years ago. Thanks for this!

I've been a PFsense user for a long, long time. Recently, I've found Untangle. This video really clears some things up for me. Thanks!

Great video with lots of detail. I can only imagine the newbs having a hard time grasping the 'white box' comment when you picked up the black hardware case and having the 'black box' right behind it which was white in colour. Always makes me smile inside.

Many years late to the party, but want to thumbs up to PFsense! Use a microtik box with two 2 Smoothwall S8's running PFsense below. Separates my work and personal LAN. PFsense is so configurable its great. :) Suggest everyone give it a go.

Thanks for making these videos. It is nice to get tips and pointers. I recently got a protectli box and your videos make setup/config so easy.

Great presentation. Accurate overview of these products. Thank you for sharing.

Just subscribed and liked, really enjoying your videos. keep up the great content!

Routers and firewalls are my favorite video topic. Love hardware.

Bro you are a breath of fresh air.. keep it up dude you're a legend =)

Thank you for the content, really enjoy y'all's teaching style.

Thanks for the high level overview and comparison of the different platforms! It really comes down to use cases, and sometimes personal preference, for the most part with many of these. I've been running pfSense for a while, but as you said you really need to tinker a bit with things under the hood sometime to get it working right. Had considered Untangle in the past due to the reporting functionality and front end configuration for most functionality... your video talked me into trying it out again. Thanks again for the video!

Thanks. This has been really helpful. I have a Sonicwall but refuse to pay Dell’s annual fees after the initial 3 years ran out. I’ve played around with pfsense but Untangle might be even easier and I can handle $50 a year. Your videos are some of the best of their kind on the web.

Sometimes the youtube algorithms do a good job recommending exactly what I was searching for :) just subbed

Hey guys! I deployed the netgate for a client that needed several vlans, one is a public wireless network. The venue is a performing arts theater and it has to handle a thousand connections both wired and wirelessly. It works great even running Surricata and other modules. It was super easy to configure, runs stable, but a little warm. I'd recommend it to anyone!

as always informative.. Thanks for the comparison, adds to decisive prams

I'm an MSP and have been using Untangle at all my client sites for the last 6yrs exclusively. I don't have near the experience you seem to have with other solutions, but I've been highly impressed with Untangle. As of yet, I haven't run into any config I couldn't achieve using Untangle. One of my favorite things is the OpenVPN app is part of the open source base, so I can get essential network config, reporting, and a VPN installed without a subscription. But when you get a subscription the possibilities are seemingly endless. At one of my clients, Untangle tarpits streaming media services based on the end user's Active Directory group membership! That's some really well integrated networking right there. But I did discover the Protectli devices on your channel, so I'm 0retty sure my hardware costs can go down now ;-)

Dude I am new to your channel, it is awesome. Keep it up and thank you.

Helpful video, thanks! Bottom line...scale your router to your requirements and personal needs.
Mine is the $50 deal!

Clear and informative....best networking video I've seen.

Excellent review. I’ll be looking for new ones.

Great video! I've deployed all of these devices and couldn't agree with you more. Netgate is also my go to for pfsense and I would advise anyone who is looking to deploy pfsense in a business environment to buy direct. One tip with Netgate, their email support is free if purchased through them with original configuration. They are quick to respond even by email..of course buy support if you have a mission critical environment.

Love the Ubiquiti firewall, the best bang for the buck!!!

I just subscribed, awesome information delivery.

Very thorough review. I'm currently looking into making my home network more secure and to also start messing with a home lab to expand my knowledge and this was very informative. For home lab usage, do you still prefer the pfsense route or does one of the other options stand out more?

Great show. A wealth of information.

(Y) Great and super easy video for me not only to understand the features of these products but was a catalyst to my decision making for home Networking requirements.

Great summary, thank you! I also concur with all the callouts you have about USG, Edge, and pfSense. I personally lean towards pfSense as well. I do also have a USG Pro which seems to perform bit better than USG, but the VLAN routing, and routing between two LANs (LAN1, LAN2) is still a pain from what I have experienced, but cant say that is the case because my skills may not be the best.

I really have enjoyed a lot of your videos. Keep it up. In my company really we really love the Sophos XG line of firewalls and as a partner we get access to a centralized management system - that part does need some work. They aren’t cheap though but nowhere near Cisco prices.

I put in an edgerouter pro (rackmount unit) with 54 VLANs on a gb fibre connection and it's been working great for about 2 years now. It's a 52 unit apartment complex with 9 Ruckus APs for wifi with a separate SSID and VLAN (plus 1 for public and management) for each unit. Also used UBNT POE switches and no issues there either.

Nice comparison video! thanks

Edge router x is amazing! I've had one up for 2 years now. No downtime. Great alternative to crappy consumer all in one's. Pair with a ac pro and you have a nighthawk killer.

Would love to hear your thoughts on some other options as well like Sophos XG/UTM Home, ClearOS, etc.

Working with all this products for years, used to build ipfilter rules over freeBSB back in the 90"s for top secure firewalls, thanks pfsense life is much better now, agreed 1000%, amazing video.

Thanks Lawrence! Very helpful!

Great job. I think the only thing you might have left out about UnTangle is that it can do SSL decryption. This is essential in my book.

I've been using a DIY Sophos box for the last few years, but lately I've been really thinking about testing PFSense on the same hardware. It's been a long time since I tried it, so it's probably come a long way.

I used pfsense from 2002 timeframe roughly until 2007. Then I became a "real" network engineer and went to various Asa's and srx's. Ran untangle at a couple customer sights until around 2015. Now I'm Unifi all the way just for simplicity. UDM pro at home replaced my ER-4 which replaced a few previous Mikrotik's.
Order of pref for feature and performance, SRX, Mikrotik, Edge Router, Unifi.
For ease of use, Unifi, ER, SRX, Mikrotik.
I've tried various other open source and paid solutions over the years, and these are what I always come back to.
I now use Palo Alto at work, they are NOT carrier grade, miss my ASR's, and MX's, but they do cover a lot of features and use cases. They are very expensive, even compared to Cisco, and I wouldn't recommend them for small business use at all!
My life is simplified now that I'm older (42) so I have no DC's or anything crazy anymore, and just StarLink vs multiple load balanced connection in my past life. UniFi really does knock it out of the park, even with all their issues. Like getting IPsec VPN working over StarLinks CGNAT.... But it does work!

The Ubiquiti also supports BGP, ipsec, and VTI. I use all these to establish tunnels between branches, AWS, and other datacenters as the BGP advertisements make things simple.
That said, the low end devices have a lot of features but they lack processing power. The Lite and ER-8 are used in branches while PFSense runs as a VM in the datacenter.

The ER-X can push ~200Mbps with QoS enabled and is the only router in the group with a dedicated switch chip. For small offices the ER-X is a little beast when you need to QoS your WAN and want to run VLANs bridged on the switch ports.

Great video, what are your thoughts about fortigate and checkpoint ?

pfSense is great, I have 6 years experience deploying and using it in datacenters and office space. About 6 months ago I started trialling OPNSense which is equally great and a fork of pfSense. I recommend looking at that as well given the community edition / commercial split vibe I currently get from pfSense.

Lawrence, First thank you for making these videos, I really have learned alot about hardware firewalls. I have a question, I have a Zyxel UAG5100 that I got for free. I was wondering would this work for just a hardware firewall for home use and all I would need to do is update the firmware, correct? I know this is a overkill but it was free, haha. All I did was factory reset it and updated the firmware. I called Zyxel support to see if I don't need a subscription to have the firewall and they said no, the hardware is all I needed, is this correct? Or would you recommend getting the Netgate? I won't be doing nothing crazy, I just want a good firewall for my future smart home. I wish I could PFsense on the Zyxel!

I like the setting of the scene, just done in workshop, nice lighting, some good depth too(foreground focused, background not.. ofcourse.).
And good comparison of stuff you know about. Maybe sometimes it be fun to hear comparison between.. this and more ordinary routers people might have, or the kinda hyped "Gaming" routers, or whatever. Not that I really think id use or it is the normal audience. But it be fun.

Have you ever put a USG between pfsense and your switch in a pass through like mode to get the nice graphs in the UniFi manager? I have UniFi APs and looking to get some more information in the dashboard and debating on a USG but keeping pfsense as my firewall

I really like your reviews and the magnitude of information you give us. I'd love to see an overview on how to combine a firewall with a router and switches to make the absolute max of the ISP provided internet bandwidth as well as the more powerful LAN setup between machines and switches. Like how limiting is the 1Gbps port on a firewall if you have a lot of LAN devices talking to each other using for example 2,5 Gbps switches and for example PC's and NAS servers :)

Nice comparison video for these low end firewalls with advanced features.. I recently downloaded pfSense to run in a SuperMicro ITX system. I’ll check out the generic system you recommended as well.

Overall great video, I do think you needed to touch on the untangle pricing scheme more. $250/yr. for a 12 device subscription seems pretty insane imo.

OpenWrt on EdgeRouter X rocks. Sad you didn't mention because it even gives you NAT offloading mechanisms. Really good choice.

Excellent. Good work!

Thanks for the clarification - the doubt I had regarding the EdgeRouter has been confirmed - great show.
BTW : What is your view on OpenSense ?

For the comments on the EdgeRouter series, would you say the same is true for the EdgeRouter Pro8? I went for that one mostly for the higher throughput. I did replace the fans for more quiet ones, but it has served me well. I've got a relatively high number of devices, but it is home use with an office element for my job. 200 Mbit up/down is the fastest I can get, so even with some basic filtering enabled I'm still safely away from the bottleneck :) Appreciate the honest comparisons. I have the Unifi AC Pros, very nice devices. Still not sure if I should go for a Unifi switch though, as I want to prep for 10G and the you have to step up to 48 ports to get that POE+ ability. Thanks again!

Great video btw, a little off topic but any suggestions on home server to run solid 4 to 5 vms off?

brilliant comparison thanks Lawrence Systems. I've got a Netgate running pfSense at home and have just built a second remote pfSense box running on a HP Compaq DC8000 (Intel Quad Core with 4gb of Ram). pfSense runs so well it's very difficult to look beyond. Interesting comments regarding Untangle. I've never used it, have heard of it, sounds quite good. I also have a ClearOS server sitting behind my pfSense router at home to provide some excellent transparent proxy content filtering (keep the kids protected from adult websites etc)

Great video! I'd love to hear your thoughts on the UniFi USG Pro 4 - especially with the ram increased from 2gb to 8gb (for large environments with ~500 users)

Thanks for the comparison... I'm interested in the Netgate box, would you still recommend it or are there better alternatives at that price point ($400) these days?

Great video! Thanks!

@Lawrence. I loved the review and I personally liked the Untangle review. What do you think about using the FW2B(it seems Intel AES-NI will be a major differential) to use for a home network (about 100Mbps) to run the entire traffic using a VPN provider running with Untangle? Can you do a review with the protection running untangle and open VPN?

Excellent video. Used pfsense for over 20 years. Never failed me. I'm curious to try out untangle for recommending to less techie users. Do they have child protection features built in? Also, can you use the USG as a pass through device just for the unifi dashboard stats?

Good vid and well presented.

Hi Tom, thanks for video. Would be nice if you could cover Cisco ASA and Dell SonicWALL just to know the advantages between open source and enterprise commercial solutions.

Hey There - thanks so much for taking the time to make these videos - we have a 5 person network and have been asked by a client to install a hardware firewall - we have no in-house IT person, and I think I know just enough to get into trouble - can you recommend a device for a small business that it essentially plug & play? Client is asking for a device with the following features: IDS, IPS, Gateway A/V, Anti-spam, Application Control, and content filtering enabled - would also love to not have to subscribe to software updates - is there a unicorn firewall solution out there for us in your opinion?

Nice comparison you got there mate. My previous firewall is PFSense and change to Unifi Security Gateway Pro. Honestly, I can't do much with USG, unlike my previous firewall which is quite flexible. bad decision... :D

My ISP has a Modem/router all in one. Right now i have an apple router set as follows:
*ISP modem/router --> DHCP range set to 192.168.10--256
*Static IP set for apple router -- outside dhcp range
* placed apple router in ISP router settings DMZ so my router can do its own routing
My question is can i do this same set up with the USG with ease or will i need to have more advanced skills to change these settings?

Very detailed explanation, if you get opinions from other places, people say protectli. Seem like im leaning towards Netgate more.

Hello,
perfect Video.
i used Sophos UTM 9 Home Edition.
for only 50 Clients its perfect but for more than that i used pfsense.

Been using pfsense for years but switched to mikrotik it is more flexible (also a little more complicated) at that time EoIP was not available in pfsense, has that changed?

Timely of me to stumble across this as i'm evaluating network solutions for a potential client and i've been out of the network world for a while.

You held up the Ubiquiti RouterX as an example of an "cheap" ARM device, but it's not ARM. It has a MIPS processor, like the rest of their line.

Awesome video. Can you do one updated version? Or just let us know what's new?

What about the newer EdgeRouter 4 ER-4 from Ubiquiti?

Hi! can you please do a video on VPN pass through on PFsense router for Amazon Prime. I cant find a comprehensive guide for this. I have clients that pass through the vpn(PIA) to the WAN port, however I have a device I wish to have on the VPN and also use Prime.
I've looked all over and the Netgate forums aren't very helpful when it comes to this.

Appreciate your detailed HW review.
I would appreciate your recommendations regarding my network needs. I need a router / FW to do multi-wan load balance / failover that really works.. Beyond that my network needs are pretty basic. I've tried several ASUS and TP-Link routers that claim the dual WAN with load balance / fail over however none that I have tried have actually worked. I have about 45 connected devices ( 15ish wired and 30ish Wi-Fi). Both my WAN connections are

+1 for the captive portal stuff!

Very useful. Thanks!

Firewalla seems to be emerging more. I would love to see a video on those.

I'm having a hard time finding a Protectelly box. Where do you find them? Are they similar to the Protectli devices?

Hi there! So far, i've enjoyed your videos and have learned a lot as well!! Question. What model of NetGate pfsense do you recommend for SOHO?

I would like to see your review of Mikrotik products. I bet that you would find them to be great solutions.

Great info- thanks

The Ubiquiti EdgeRouter has been pretty reliable for me when I want to eliminate small business client (no more than 7 workstations) router that comes from the ISP. After configuring about five of these I realized that spending more on a router saved the client some billable hours in locking down the Ubiquiti EdgeRouter.

How do you think a higher end Edgerouter like an ER6 compares to the Netgate? I believe it's still about $100 bucks less than a 3100.

I use Ubiquiti for home use and it is awesome.

Forgive me if you have covered this before in an alternative video but I have seen some of your videos on PfSense and was wondering if you rate OPNSense and would ever use it in any of your networks or in any of your customers networks?

For Business use: The Ubiquiti line + Cloud Key and Cloud management as an entry point. Chances are, you already (should be) using their AP's anyway. CISCO Meraki MX with Advanced Malware Protection for most use cases, simply due to 0-day AMP and Sonicwall TZ series for more nerdy setups would be my starting points. First and foremost is support availability and not looping to a single tech guy who set it up through some "command line"

My company primarily services SMBs and we're looking to switch away from Sonicwalls. The problem is that we just known them and change is hard. I might pick up another NIC and run pfSense on my home server to test it out.

I really like my netgate box but just for your info, even with this box you can have problems when you update. I had it once that the box did not boot after the update. I had to access it via USB, reinstall pfSense completely and import my backup to get it working again.

i heard that mikrotik are good too but are they just a router or firewall too ? i plan on getting a cloud core router as backup for my unifi 4p

I have the USG and other unifi products behind it... would you put the SG in front of the USG if i wanted to use PFsense or Untangled

Thanks so much for such an unbiased review. I use edgerouters in small offices (1-2 people) and pfsense in offices with 6+ people. How do you see using the SG1000 or pfsense community edition on I3 cpu, 4 Gig ram and 160 gig hd with intel nic cards replacing my edgerouter-x?

Thanks for putting this information out there. Have you ever looked at Unbox from uplevelsystems? It came across my feed the other day and looks interesting.

That black box from alibaba can handle pfsense as Vitual Machine on HyperV for ex. So you can install two pfsenses on it and get 2 vpn tunnels and update remotely without risk to loose connection. Moreover you can make snapshot VM before update to rollback if update is failed. And with big size hdd you can get installed other VM on this box. So you can get router(s), fileserver, lab for tests...

Can you do videos on how to use and configure the netgate pfsense on how to do the most common configurations that people need. In addition can you also cover how to catch/trap viruses and intrusion detection. Thank you.

Thanks for the video, this is the question I have been trying to answer for myself over the last year or so. I like the idea of pfsense but the ease of UT. As a home user either would be great. May grab a protectelli or an old dell server blade and try both :). This channel is awesome for my hobbiest knowledge, I just need to finish off my unifi setup with a nice router.

Thank you for all your videos they are very good and clear to understand.