Firewall Choice

Solved by jlficken

Ok, so I am looking to replace my current firewall (home-built pfSense box) and I have narrowed down my choices to two. I am looking at either an SG-3100 or a USG Pro-4. I have some networking experience and I believe that either one can meet my network requirements, but I don't have any experience with the Unifi Security Gateways. I currently have OpenVPN, Suricata and PIA set up on my pfSense box. I have a full gigabit connection to my apartment (it's copper so I average like 600 Mbps). I know that I can set up OpenVPN and PIA on a USG so I'm not worried about those services. I also have a Unifi 24-port switch in my network. My question is: will I be taking a step back by moving over to a USG, or will I get the same functionality out of the device? I don't have any problems with pfSense, but I'd like to have the control over my network like Unifi allows. Hopefully that all makes sense.

You get what you pay for.- Me


I think the question to ask yourself is how much you want to tinker with things and experiment. pfSense gives you a little more freedom to tinker and do weird stuff, but comes with a trade-off in that tinkering can end with breaking stuff as well. With the Unifi solution you get what you need in a nicer UI that allows you to do some complex things quite easily with a low risk of breaking stuff too badly. At least that's how I see it. My brother likes his stuff to be set and just work, so he is running Unifi stuff, and I like messing with stuff all the time, so I have a mix of stuff like pfSense for my firewall and Unifi for WiFi and some TP-Link managed switch 'cause whatever lol

 

 

Edit: Cloud access on the Unifi stuff is sweet


I don't think the USG Pro-4 is going to provide you with the bandwidth you have.  I'm sure it won't if you enable QoS or IPS/IDS.

 

We use the USG Pro-4's at work and I use Untangle at home.  The USG is a piece of garbage compared to Untangle and I HATE having to resort to JSON Hell when doing even basic things since the interface doesn't support it.  The picture below is with a 25/5 DSL connection and it is using 44% of the CPU currently.  Sometimes it is closer to 70%.

 

I can't wait for our Gigabit Fiber connection to get here so that I can convince them to replace the USGs.

 

Untangle HomePro is $40/yr and worth every penny imo.  The TunnelVPN app is great and the OpenVPN app is easy to configure as well.

 

I haven't used pfSense very much so I will refrain from commenting on it.

 

USG.png

TunnelVPN.png


On 3/25/2019 at 9:02 AM, jlficken said:

I don't think the USG Pro-4 is going to provide you with the bandwidth you have.  I'm sure it won't if you enable QoS or IPS/IDS.

 

We use the USG Pro-4's at work and I use Untangle at home.  The USG is a piece of garbage compared to Untangle and I HATE having to resort to JSON Hell when doing even basic things since the interface doesn't support it.  The picture below is with a 25/5 DSL connection and it is using 44% of the CPU currently.  Sometimes it is closer to 70%.

 

I can't wait for our Gigabit Fiber connection to get here so that I can convince them to replace the USGs.

 

Untangle HomePro is $40/yr and worth every penny imo.  The TunnelVPN app is great and the OpenVPN app is easy to configure as well.

 

I haven't used pfSense very much so I will refrain from commenting on it.

 

USG.png

TunnelVPN.png

This is great information!! After hearing about you using it in an enterprise environment, it tells me a lot about the performance I might expect from the box at home. While I won't have the load that an enterprise does, I do expect to get my full gigabit pipe. On a side note, I have really gotten past the tinkering phase, and if I wanted to tinker I'd just set up a new network for it instead of constantly playing with my live environment.

 

Thanks for the feedback!!

You get what you pay for.- Me


Depends what you mean by tinker.  There are a lot of things (advanced firewall/routing rules) that you'd HAVE to do on a live system to know if it worked.  Plus if you did it on a separate network, how do you now implement it if your chosen firewall doesn't support it?

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


4 hours ago, arcticfox159 said:

While I won't have the load that an enterprise does, I do expect to get my full gigabit pipe.

What are your requirements for the firewall? 

 

That USG in the image includes IPS/IDS, which is typical utilization. If you don't want IPS then you will be able to route a gig. Now if you do want the fancy features like DPI and still want to route a gig, you are looking at a few grand for a gateway.


22 hours ago, Alex Atkin UK said:

Depends what you mean by tinker.  There are a lot of things (advanced firewall/routing rules) that you'd HAVE to do on a live system to know if it worked.  Plus if you did it on a separate network, how do you now implement it if your chosen firewall doesn't support it?

What I mean by tinker is just playing around with new things and devices. I would have no desire to implement it into my current network infrastructure.

You get what you pay for.- Me


13 hours ago, arcticfox159 said:

What I mean by tinker is just playing around with new things and devices. I would have no desire to implement it into my current network infrastructure.

Just saying, I used to use OpenWRT for my router and that was fine.  But then I went to pfSense and my configuration has gotten far more complicated.

I have a VPN to my web hosting server, a VPN to my friend's house, a VPN for anonymising certain clients' traffic, a VPN server to get into my network when I'm away from home, and pfBlockerNG to automatically block dodgy IP addresses from even attempting to get into my network, plus to block any known compromised IPs that a dodgy advert might hit to try and infect a client.

I recently upgraded to dual-VDSL and route bulk traffic down one connection, games consoles down both to double their download speed and also allowing failover for the rest of the network should the main WAN go down.

I wouldn't give up this flexibility now, it's just so useful.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


2 hours ago, Alex Atkin UK said:

Just saying, I used to use OpenWRT for my router and that was fine.  But then I went to pfSense and my configuration has gotten far more complicated.

I have a VPN to my web hosting server, a VPN to my friend's house, a VPN for anonymising certain clients' traffic, a VPN server to get into my network when I'm away from home, and pfBlockerNG to automatically block dodgy IP addresses from even attempting to get into my network, plus to block any known compromised IPs that a dodgy advert might hit to try and infect a client.

I recently upgraded to dual-VDSL and route bulk traffic down one connection, games consoles down both to double their download speed and also allowing failover for the rest of the network should the main WAN go down.

I wouldn't give up this flexibility now, it's just so useful.

That's a great example. Right now I only have 2 VPNs, one for my game servers and one for remote access when I'm away. I would like to be able to keep this kind of customization.

 

I was just unsure if I would be able to migrate my current solution to a USG. I love pfSense, don't get me wrong, but it is the one oddball in my network of Unifi equipment. I haven't really played around with a VDSL or pfBlockerNG. I do have Suricata installed and it's been working great.

 

Would I be opposed to keeping my current pfSense box? No, not at all, but I would like to update it to the SG-3100 in the near future if I did. Now that I have seen what you have done, I think that pfSense might be the route that I go. I will say I don't have a lot of experience with pfSense, but that can always change.

You get what you pay for.- Me


Yeah, it's taken me several years to get this complicated, as I never really knew any of this stuff would be so useful.

 

But with the Internet getting ever more complex and iffy security-wise, I think it pays to have some flexibility even if it makes things a bit more complicated to learn and set up.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

