Tom here from Lawrence Systems, and let's talk about firewalls. Picking the right firewall is challenging, and there are a lot of choices in the market. To keep this video reasonable and narrower in scope, we're only going to cover the ones we recommend. This is by no means an exhaustive list of every potential firewall out there. A full feature-set list and comparison becomes very difficult to do, especially with some of the larger enterprise ones people ask me to review; it gets a lot fuzzier because their feature sets are so comparable to each other, and at that point it really comes down to the support.

The ones we recommend, both pfSense and Untangle, do not require any type of reseller to contact and do not have to be bought; they are free to download. Untangle is the one we'll talk about that offers licensing fees, which you can buy direct from Untangle. It's not a partner-only program: anyone can just go download it and buy the extra add-ons as needed, so I want to put that out there up front.

The other ones I'm going to be covering are the equipment from Ubiquiti, and I guess I could throw TP-Link in there. I didn't put it on the comparison chart, but I did a review recently of the TP-Link firewall. Basically they copied the UniFi, so most of the same feature limitations exist within the TP-Link, and it's not going to be on my highly recommended list. The reason I bring up the UniFi firewalls is because that's the real question people ask: if you recommend the access points and you're recommending the switches from Ubiquiti, why wouldn't you recommend the firewalls? And I do, if people have the most basic of needs. That's what makes this video a lot longer: what does that mean exactly? That's where we're going to define the functionality of Untangle, the functionality of pfSense, and where that falls off in terms of using the USG or UniFi Dream Machine.

Before we dive into all these details, if you'd like to learn more about me and my company,
head over to lawrencesystems.com. If you'd like to hire us for a project, especially things like firewall consulting and network design, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below and plenty of ways to connect with us.

Now let's start by looking at the chart. Here we have Netgate pfSense. Netgate is the hardware company; pfSense is the project and the firewall you can download. There are no fees, there's no registration, you can just download it. You can either load it on your own hardware or you can buy the Netgate appliance; that's how they fund the project, by selling the Netgate appliances that allow you to run this not only with pfSense but with pfSense Plus. I'm not going to get too off topic, but I have a separate video, and it's documented on their website: they've made an enhanced version of pfSense called pfSense Plus, with very few additional features here in May of 2021. More features are planned, like a few business add-ons if you buy their hardware, but that's documented on their site. Once again, no license fee, but it does only come with pfSense Plus right now if you get their hardware; it's pretty much the same thing with minor differences.

Now Untangle you can load on your own hardware, and they do sell appliances. They have a free version and a paid version. It is based on Linux, whereas pfSense is based on FreeBSD. What comes with the free version is open source, with closed-source add-ons. With their complete check boxes over here you can kind of go through and compare and see what's on there. I've also listed in the chart that many of these features, like being able to use WireGuard, are going to be paid features, so I wanted to break that down to show some of the differences. You do not have to buy from a partner, but we are a partner, so I'm clear on that up front. If you want to buy it directly from Untangle there's no need to contact someone on a list; you can just buy now right from their website.
They do offer direct sales, which I really like, and their pricing is very up front whether you're a business or, as I brought up right here, a home user. They do have options: they have Home Protect Basic and Home Protect Plus, and at $150 a year, getting all the bells and whistles and features, I think it's a really solid system if you need some of the advanced web filtering and reporting that Untangle has, and that's one of the reasons I have it on the list.

Now I have the UniFi USG, USG Pro, and UDM Pro on this list, and of course the EdgeRouter. The big reason for them is, as I said, we talk so much about Ubiquiti equipment that people want to know why we aren't recommending their firewalls, because they give you that complete dashboard where you have all the devices and the firewall in there, which sounds really compelling until you have to use it. And that's the one thing: this knowledge I'm sharing with you is based on our very real-world use case of actually deploying many, many pfSense systems and many, many Untangle systems. These are systems we're very familiar with; we have reliably deployed them, so we're familiar with any problems or challenges that may arise from them. And we actually have worked with quite a few of the USG, USG Pro, UDM, and UDM Pros, well, mostly UDM Pros, because they seem to be quite popular compared to just the UniFi Dream Machines. And yeah, that's the one problem: so many people have regret, because they contact us thinking they can configure it to do something that is just not supported in it.

So let's start running down the list here and talk about the features. The first one is centralized management, and there is no official system from Netgate pfSense at this time that offers a central way to manage all the firewalls you've deployed. We use Zabbix ourselves to log into and manage and monitor uptime as needed on these devices, but it's not something native right now to the pfSense ecosystem. There are third parties out there; I haven't used them,
but they do exist to be able to manage these firewalls. Versus Untangle: especially if you're an IT company like we are, a managed service provider where you're managing a lot of firewalls for clients, it is nice that they have a central dashboard so you can see the statuses of all the firewalls in one place. That is something that comes with the Untangle system. It's not really relevant for home users unless you are monitoring just your firewall, and you're probably behind it, so it's less of a big deal, but still cool that they offer that as a feature.

Now the software-defined networking: the same tool that manages all the UniFi switches and access points does offer management for both the USG and UDM line, and UNMS is the separate system that manages the EdgeOS and EdgeRouter line. That's a separate lineup, essentially. How that works in the UniFi ecosystem is these two, and then for the Edge line it's the UNMS system. It's all under one company, Ubiquiti, but the Edge line is kind of a separate line, and they're actually decent little firewalls. The thing that scares people away from them the most, though, is they require a lot more knowledge to configure, because a lot of the things you do that are advanced on those, outside of anything basic for routing, become a command-line option to really dive into and do things. They're nice little routers, they're really inexpensive, which makes them attractive to people, and I've found them very reliable, but the configuration challenge of doing everything by writing basically the config files by hand makes them a little bit tedious and not for everyone to manage; it makes them overall harder to manage, I would say.

Now OpenVPN is a great place to start. There are a lot of problems where the marketing people want boxes checked, because they want to be able to say a product has a feature, but the real-world use case, well, engineers versus the marketing team are always at odds with each other, and that's what
we're going to run into as we go down this list. OpenVPN support is extensive on pfSense, also on Untangle. When it comes down to the USG and UDM it's very, very basic, and it's only command line when you're doing it from the EdgeRouter. I want to give a visual here of exactly what that means. Here we are in Untangle and we can see the OpenVPN status page. We have the server page; I have just a test set up in here, but there's a lot you can configure, a lot you can set up, especially when you go under Advanced. Then there's plenty of reporting that gets attached to the VPN. Well, there's nothing logged in right now with this demo machine, but it has a lot of advanced reporting, all kinds of fine-tuning on the options. So if we have these default options or want to add a different parameter, you can fill in and expand on the parameters and get into the details of it.

Then we look over here at pfSense, and it's the same thing, laid out differently, but we have all the different cipher options, lots of different algorithms you can choose, how you want to do things in depth and in detail, and of course even more extra parameters that can be added and passed through to the OpenVPN server behind there. And this is great; this is what you want, because it's not frequently just one thing you want to do with VPN. You want to be able to have a lot of diversity, and both of these have essentially wizards that will get you through the system to get the basics filled out and then leave you with the options to do something more advanced. I've got tutorials I've done on these, and like I said I'll leave that link below.

When we get over here to the UniFi, we can go over here and hit create a new network, and we can see site-to-site VPN, OpenVPN, there we go. This is the feature set they offer us, and by the way, there's not anything here for managing users with this; it's not part of the functionality they've built in there. If you want a remote user VPN, there's an L2TP server, and once again it's very basic: you can choose to use a
RADIUS profile. It kind of goes back to: it made the marketing people happy to say it has OpenVPN support, but it really doesn't have any of those extensive features that you might be looking for, that you're going to get with OpenVPN on Netgate or on Untangle. So pfSense/Netgate has the ability to go in there and do policy routing, do privacy VPNs where you do selective routing on your network. You can do the same thing with Untangle, but that's just not really possible over here on these. There are some ways, unofficially is the way I look at it, on the EdgeRouter to get some of that configured; I put "yes, command line," so it's possible, but once again a lot more work to get that done.

Same thing with IPsec: yes, yes, and there's a paid version on Untangle with lots of advanced options. It does work on the USG and UDM, and this is where there's also a little bit of a divergence. We have found the UDM Pros less than stable, and this has been something people contact us with: if you're trying to connect one of the Dream Machine line to a non-Dream Machine for site-to-site, I've seen a lot of quirkiness trying to get it connected to other firewalls. It seems to connect well to another Dream Machine Pro, but I wouldn't call it stable when you're trying to connect it to a non-Dream Machine. So if you have two Dream Machines and you want to use their site-to-site IPsec, that works.

L2TP: we have that in Netgate pfSense, and as part of the paid features of Untangle, yes, yes, but as you've seen it's kind of basic, a RADIUS profile tie-in if you want to use that for a remote user. Most people would still prefer something like OpenVPN for a lot of reasons.

WireGuard: WireGuard was in pfSense 2.5, it got removed in 2.5.1, and it's being reworked and brought back in 2.6. It is paid if you want to use it on Untangle; Untangle does not offer it on the free version, which I know created some controversy in the Untangle forums, but they do have it as part of that Home Protect complete version that they have. It's not an option at all,
but I will admit there are probably some forum posts, I've had people ask me to do a video on this and I'm not going to, where you can load it on some of the different devices. I've seen some projects, but it's not officially supported by Ubiquiti, so I'm going to leave it as no.

Policy routing: there is policy routing, and very advanced policy routing, with Untangle. Matter of fact, part of the policy routing is really mostly paid features on there, so make sure to set that to paid. Policy routing: no. This is where you can do it via command line; it's not an option at all on the UDM, not even any command-line documentation; and it's command line again over here on the EdgeRouter, but once again you're writing rules by hand. It's fuzzy on the USG and USG Pro whether or not those rules survive upgrades. I've heard they don't, but like I said, we don't help people with them, because we don't find them very well supported and they'd be problematic at best.

IDS/IPS, intrusion detection systems and intrusion prevention systems: Suricata or Snort are both supported in a very advanced way inside of Netgate pfSense. Untangle has this as well; Untangle is hiding it, but they're using Suricata in the background. I say hiding it, but really what they're doing is giving you a very basic interface while at the same time feeding it all through their intelligence feeds to bring it in here. So they do a nice job of essentially kind of hiding it so you don't have to dive into the details, but they do offer threat lookup and advanced management so you can fine-tune all of the rules that are within there. And the same thing when we go over here to pfSense: they give you all the options to finely tune exactly how you want Suricata, for example, or Snort to handle things, and then even give you the option to push that data over to another output. For example, we have it set to create JSON logs and push them over to syslog. There are a lot of ways to tie this in, so very advanced levels of
management when you get over here. But when you get down to the way it's handled in the USG and UDM, their threat management system is just kind of some basic checkboxes and restrictions on there. They don't give you as much fine-grained control over how they're doing it; there's not a lot here. It works, and once again it checks the box that makes the marketing people happy, they can say they have it, but it's not really any more than a very basic system for doing that type of work.

DNS filtering: pfBlocker is one of the most popular packages for pfSense because it allows you to load up your own feeds, filter sites, and everything else. There are filtering options within Untangle; they have their own ad-blocking system that works and can be tied to their policy. As far as I know that's paid; I think some of the basic features work without paying, so I left it just as yes. But that's not a feature on the USG, it's not on the UDM Pro; it used to be a beta feature, I remember, but right now it looks like after one of the updates they took it out altogether for the DNS filtering, and it's not an option on the EdgeRouter.

GeoIP filtering, so you can restrict by geography: this is something pfBlocker does, this is something Untangle can do; it's just listed as a beta feature, but once again pretty basic.

Web filtering and SSL inspection: this is one of the number-one reasons people start us down the road of recommending Untangle. If people need really advanced SSL inspection and web filtering and detailed granular permissions on websites for who gets what blocked, you want to block a certain category based on a certain computer or user, this is where Untangle has just a really nice system. Now you can do a lot of that with Squid inside of pfSense. I have a video, it's an older one, where I rant about why I don't like Squid, because it's just troublesome and cumbersome and not as simple to use and set up. Not impossible, but much more difficult and very much a challenge. It's not where you can just set it and forget it, and
then some sites may break, some sites may need some updates, it needs some fine-tuning. But this is one of the things you're really getting with the paid version of Untangle: a really clean filtered list, a really simple, easy-to-use system for this. And it's one of the biggest reasons when people say, "I really need endpoint protection in terms of filtering what website a device can go to, but I don't want to load anything on the particular device itself," then Untangle is an option. If you want it to be really good, you want SSL inspection so it can peel back that layer of security, and the SSL manager in Untangle allows you to do this. You can load the SSL manager; I've done this in a video before. Untangle does a good job of making that pretty pain-free to set up and manage all of those. It can be done, and you can set up SSL certificates and get some information and deeper insights, but it's once again a lot more work to get it done, and I would not call it easy. Your mileage may vary on that; some people may argue with me saying it's easier, but let's just say it's not simple. Take a look at what's involved in getting that done, read through some of the write-ups.

It is not a feature of the USG Pro. Very basic DPI but no SSL inspection is all you're going to get. So they have some basic DPI filters but not a lot of detail, so maybe it'll block something you want, maybe it will just block it globally; it doesn't give you fine-grained control over it. Like I said, it's not very advanced, just enough to get the marketing box checked.

QoS, advanced traffic shaping options: yes on Untangle, yes on Netgate pfSense. It's kind of on or off, a basic on or off, when it comes to these ones here, and it's via the command line to be able to fine-tune anything on the EdgeRouter, but it's still kind of limited what options they have built into it.

WAN failover: yes on pfSense, multiple WAN, as many as you like. Same thing here with Untangle, but
it is a paid feature, so if you're using the free version, sorry, you don't get WAN failover. It does work on the USG Pros, it works on the UDM Pro because it's got multiple WAN, and the EdgeRouter can be configured that way. But when it comes to actual load balancing and figuring out what traffic under certain thresholds needs to go out another WAN, no, that's not a feature you're going to get with these, other than just very basic in the USG, and I believe it's command lines you have to configure for that. It's not a feature at all currently, in May of 2021, on the UDM Pro; maybe in the future. I've heard people mention it's been a feature request for a while, but I don't know when we're going to get there with it.

Active Directory integration: this is not something that is exactly native, where you're talking directly to Active Directory; you're actually talking through LDAP, but it does connect. So whether you're using pfSense or Untangle, there are ways to get these talking to Active Directory. Untangle actually builds in a lot more features for this, because they tie it into their policy manager, so you can really go in depth with the way everything works on there. It's a little bit more challenging to do on pfSense, but it is possible to get that on there. I'm not aware of any integrations you can do on these; maybe you could tie it to RADIUS, but it's nothing officially supported, so it doesn't really tie in all that well. And this is often where there's a problem: if you want OpenVPN with users, you usually want to tie it to wherever the centralized management of those users is, which for many businesses is Active Directory, and that's not something easily done in any way on a UniFi device.

Captive portal: I put it separate on here, where I say UniFi SDN, even though the UniFi SDN is technically part of the Dream Machine Pro, but wherever you have the software-defined networking controller running is where the captive portal actually talks to. And of course, yes, it's supported on Netgate pfSense
and on Untangle. Untangle, back to what I mentioned about Active Directory connectors, has ways to tie users from your Active Directory in there for some of the authentication, but that's not something at all supported on the EdgeRouter.

Now the final parts are Let's Encrypt and HAProxy. I bring these up, and this kind of stands alone on the Netgate pfSense side. When you're running HAProxy or Let's Encrypt with it, they usually kind of go hand in hand, because a lot of people, especially those building a home lab, go, "Hey, I'd like an endpoint termination. I need SSL on here and I don't want to click through a bunch of certificate errors for servers I have hosted behind the device." Matter of fact, if you only have one public IP and you have multiple services you want to point at it, HAProxy can not only handle that termination but then direct to each server internally where that needs to be. This is a popular use case, and maybe even higher-end configs, where someone puts pfSense in a data center or in a colo location and you'll have pfSense kind of forwarding to maybe multiple servers behind there. Or in a small business situation where they have a few internal servers and you tie it all to the LAN, but they don't want any certificate errors when they're using many of their internal servers that have web interfaces on there. This is just kind of a cool standout feature to me that I really enjoy on pfSense. It's just so handy to set this up, and especially for people in the home lab building it, this becomes popular; that way all their different servers, even if they're not public facing, they can set this up, and I've got tutorials on it, so you can manage it without having to have certificate errors. It's kind of a fun thing to play with, how all that works on there.

Now, in conclusion here, as I said, when we talk about the USG and the UniFi Dream Machines, we don't recommend them because of all the things I kind of mentioned: all those extra
functionality that people who have advanced uses go, "Hey, I'd like to have these things working," but they work so basically they're almost useless. Exactly the people who want just basic routing: is it better than what your ISP offers? Sure. Will it route packets? Absolutely, that's something it seems to do quite reliably. It's all that VPN and packet inspection and everything else that becomes very not so good with the UniFi USG line.

The final thing I will mention, though, is the dashboards on these. When it comes to all these firewalls, they all do have dashboards, but whether or not you can get actionable or detailed intelligence from them is another spot where we're splitting hairs. So when you look at the dashboard on the UniFi Dream Machine here, you see 9.3 megs of HTTP traffic, or we can go here to look at apps and see how much data was moved. The first problem you run into trying to sort any of this out is there's no time slicing. Without time slicing we know data was used, but without knowing what time it was used, we start losing the quality of this data in terms of being useful. You start realizing it's just a really cool chart at some point, as opposed to something that's actually actionable and helpful. And as things get more and more encrypted it has less insight into what that traffic is and where it went, so it becomes kind of fuzzy. Now it does have a clear button where I can reset the stats and start over, as long as I remember when I hit clear, so I can try to time slice it, but you can see that's, yeah, not necessarily the most ideal situation.

Untangle, on the other hand, when it comes to reporting, is extensive. They have a great reporting system that can dive into users, events, captive portal, firewall, OpenVPN, and all kinds of stats. I've talked about this when I did my review, and I'll leave a link to that down below, because there's not much in this device, since this is just the demo one I turned on for
well, just this demo here today. Now pfSense has some pretty good reporting; the best reporting from pfSense, once you want to get really advanced, is often where you export this into a more extensive system. There are plenty of tutorials on that. And I think the pfSense toolbox they offer under Diagnostics is where it is a standout, a Swiss Army knife of network engineering: being able to do packet captures from here, being able to really slice things up, or look at pfTop and look at every little connection in there. This, more so than even a dashboard, is the actual intelligence you can gather by diagnosing things. We've got traceroute, ping, looking at the route tables, diving into the limiter info, and looking at how the data flows through. These are some of the things that I think they do a great job on with pfSense. But like I said, it also has plenty of export options if you'd like to send the data somewhere else, into some other capture tools, to make some really cool dashboards. There are a few projects out there, unofficial from pfSense, or just different places you can export things and get the data out there.

So that's kind of our overall recommendation on them. The other thing I'll mention, because someone may ask, is what about OPNsense, because if you say pfSense people ask about OPNsense, which is also a very popular project. I think OPNsense is definitely better than probably whatever the ISP provided you. I don't have enough reason to use it; it doesn't compel me enough over using the pfSense offering. We've been supporting and doing a lot of projects with pfSense for a long time, but if you'd like to substitute that for OPNsense, feel free; there seem to be plenty of happy people. They love commenting on every pfSense video to let me know I should do a video on it, but I don't really plan to at this time. It's not a compelling use case, and it is a fork of pfSense with a lot of similarities, so yes, you'll probably find a lot of feature parity as far as
what's supported on there, but that's kind of my point: it doesn't go so far beyond it to make me go, "I need to switch from pfSense," because it offers that much more of a compelling experience and all the features. Now I will mention the WireGuard part: OPNsense does have WireGuard under the Go implementation, and the WireGuard coming in 2.6 with pfSense is done under the kernel integration, which would be a lot faster. So hopefully that clears that up.

And like I said, this is not an exhaustive list of every firewall; there are plenty of other really solid firewalls out there, I just don't have time to review all of them. These are the ones we use, and we have had wonderful experiences using them; that's why we keep recommending them going forward. As of May of 2021, that's what it is today; I bring it up because there could be some time in the future where a bunch of this changes, and you know, it's always, truth with context is also time. All right, thanks, and thank you for making it to the end of this video and the other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
