A Detailed Comparison of The Latest pfSense and UniFi Firewalls in July 2023

...Systems, and we're going to compare pfSense and UniFi firewalls here on July 29th of 2023. I bring up the date because, yes, I've been critical for a long time of the UniFi firewalls, and people ask me, "Tom, since they've added new features here, have you changed your mind?" The latest feature they've come up with is a "magic" site-to-site, as they call it, and it's not magic, but it's definitely some really clever programming. I think this is a really neat feature. I feel this is a good time to compare these two firewalls together because of the changes that have been made; they're arguably the most popular firewalls I see in the home lab and small business market. In the managed services market, IT admins really like both of these products, and they do have their place. But despite us installing thousands and thousands of UniFi devices in the past, I did not include firewalls in the devices that we would offer to clients, because they were very well lacking, and that big lacking came around the way their features worked in terms of VPN. I was pretty critical for a long time when they had forced registrations and their VPN issues. Now they've kind of come all the way back around here in July of 2023 to having a normal setup for a firewall with a traditional-style VPN that doesn't require you to attach to the cloud, with the exception of the site-to-site one, the magic site-to-site, but I will walk you through how it works now. I have extensive knowledge, and I should say we as a company have extensive knowledge, on both of these products because of the volume at which we deploy them. If you'd like to hire us for consulting, head over to lawrencesystems.com, click on that Hire Us button, and we will do consulting on both UniFi, pfSense, or even a UniFi/pfSense setup, which is actually a really common setup that we run into. All right, now let's jump over to this comparison. By the way, everything's going to be linked down below, including my other firewall comparison video where I talk about more firewalls than just pfSense and UniFi, but we're going to keep this narrative scope to just those.

Now, the first one I do is explain pfSense CE and Plus. I have a video where I dive deeper into details, but all the features we're going to talk about are available on both the Community Edition or the Plus Edition. The USG and UXG Pro are one line of UniFi firewalls that are available, and then we have the UniFi Dream series, so you've got your Dream Machine Pro, your Pro SE, I believe there's a Dream Wall, and there may be more in the future. But their Dream series works differently than their USG/UXG series, so I have them in two different categories, because that's where the feature differences are between them. Ubiquiti, the parent company that offers the UniFi product line, does have other firewalls as well that are not going to be included in here, because I don't really see them as a popular product anymore: the Edge series. Nonetheless, I just don't use them enough to know enough about them, but I don't see a lot of updates or a lot of use cases for them because their hardware is getting a little bit old, so I'm just omitting those from the list to keep this narrowing scope to the ones that are popular.

Now, can you run it on your own hardware, and can it be virtualized? That's a yes and a yes for pfSense, and obviously not for the UniFi. There's no way to... well, there's hacky ways if you wanted to try to figure out how to build this on your own hardware, but it is not something that's even remotely supported. They don't offer an installer just to set this up on your system.

Now, centralized management: this is something definitely missing from the pfSense series, and with UniFi there's two different ways to do it. So you can manage the USG and UXG Pro via the UniFi controller software, which is free. You can self-host this, you can use someone like HostiFi to host it, you can use their controller to host it, or specifically something like a Cloud Key. With the UniFi Dream Machines it's a little bit different: you can only manage these essentially through the cloud of their site. So you can tie several UniFi Dream Machines to the UniFi cloud, and the controller runs within the UniFi Dream Machine. That's an important distinction, because you can't adopt it to your own self-hosted controller, and this is something people get mixed up on a lot, trying to figure out how to get it adopted so they can manage it through something central that's not UniFi's cloud. So just something you should be very aware of if you're trying to set many of these up: the only way to manage them in a group, and the way to get the magic site-to-site VPN working that we'll talk about momentarily, is with them tied to the UniFi cloud, because that's what does the coordination of these.

License fees: no, but I put an asterisk, because technically you can buy support contracts for your pfSense Plus, and if you are using it and want to have commercial support including SLA agreements, yes, you can go that route with Plus. I covered that in my pfSense Plus video, to talk about some of the different tier levels of support you can get. Their support is really good with pfSense; this is one of the things that makes it popular not just in the IT sector but even in some of the enterprise companies that use this. It's got a lot of good documentation and a lot of good support. That's something you're not going to be able to get in the same way with USGs and the UDMs, but there's no license fees, which is really what that's about.

Operating system: FreeBSD, and these are both Linux-based. High availability: yes. This is a very popular feature, and it's not licensed in any way; none of these features we'll talk about require any type of licensing on here to activate. So you can set up an HA setup with any two pfSenses, whether it's two boxes you bought from Netgate or two, preferably similar, systems that you are using to mirror and set up as an HA high-availability system. Not an option in either one of these. BGP/OSPF: yes, it's supported in pfSense. Not exactly supported; OSPF is used as part of the back end for the magic VPN, but there's not something that's like exposed that you can set up and configure.

VLAN support: they all support VLANs, and I will say the way that the USGs and UDMs, that line, handle it is going to be really well integrated with your UniFi equipment, which is certainly one of the reasons people want to use their firewalls. Because if you create a VLAN inside of pfSense, you have to create the corresponding VLANs inside of your switching equipment, and if you're doing it via the UniFi controller, and that controller is controlling the same switching equipment and same access points, you only have to create it once and it'll propagate. So there's definitely an advantage, and this is one of the reasons people ask so much about the UniFi line of firewalls, because, well, that single pane of glass is really, really nice.

OpenVPN: yes, with lots of extensive features, and we're going to say yes but basic. Yes, it's on the EA and the Pro, but it's also basic. It's early access, but I believe by now it might be full release; either way, it's still basic, is the way I would describe the OpenVPN support. It works, it's there, but if you want to twiddle the knobs of more advanced features, you're not going to find them in there. IPsec: yes, they all support IPsec. WireGuard: yes, this is built into pfSense. I didn't see anywhere it was available on the UXG Pro, but it does support what the magic VPN uses, WireGuard, and without having a UXG Pro I couldn't find it in their documentation. If someone has a link, that'll be great, and I'll update this to a yes. But yes, it is in the UniFi Dream Machine series; that does have WireGuard. L2TP VPN: yes on pfSense, yes across the board here.

Automatic site-to-site: this is that, as they refer to it, Site Magic, which is available on the UXG, and they just call it Site Magic on the UDM series. Now let's talk about this one real quick, because I want to get a little bit in depth, because I think this is just a really neat feature and a lot of people are probably wondering about this, and is this the reason to buy one? And it might be one for you. So first, what is it? Magic site-to-site VPN allows you to easily interconnect UniFi gateways across multiple locations with just a few clicks, and I'll leave a link to this so you can read through it. It does require that you're on UniFi OS 3.18 or UXG Pro 3.13, a UniFi OS host that runs Network application 7.4.15 or newer, at least one public IP address (that's a very important one there), and all participating consoles must have the same owner. That's because it ties to Ubiquiti's cloud, so you must set up each of your devices as you, the owner, in the Ubiquiti cloud, because that handles the coordination of it.

Now let's talk about how it actually works. I'm going to run over this really quick, where we have network A and network B. It is important that network A and network B... and you can have more than one network on each side of this, but this is the basic explainer here. I'll leave a link to Cody's video, because he's got a demo of it as well that's a little bit more extensive. But essentially, if you want network A and network B talking, you have each of these UniFi firewalls, and at least one of them has to have a public IP. So if this one has a public IP, and we have some random firewall, and that means this other UniFi is behind a private IP, we connect both of these to the UniFi cloud portal. Once they talk to the UniFi cloud portal, it'll figure out which one of these has a public IP address and tell the ones behind the private IP address to talk to each other that way. So this firewall will reach out and connect to a WireGuard instance. This is done in a very automated way, and one of the things that UniFi did clarify is that if the UniFi cloud portal goes down, the established connections will stay, but if there's an IP address change, or changes you need made to the network, until that UniFi cloud portal comes back up you're not making those changes. That's an important thing: it does rely on you joining and the cloud portal being up. And of course, one more thing, and that's that network A and network B are on different subnets, because they wouldn't know how to route otherwise. But I do think it's really clever that these just automatically get set up.

Now, while pfSense doesn't have an automated way to do this just by checking a couple of boxes and joining two pfSenses together, you can manually set them up. There are videos and tutorials on WireGuard, and there's documentation on the Netgate site to cover exactly how to set up WireGuard and get a site-to-site VPN working. It's just not dynamic and being managed by a controller. But that's why I did throw Tailscale in here, because Tailscale is an overlay network. Automatic site-to-site is just automatically joining WireGuard together and figuring out how to get the routes between all the devices. Tailscale is an overlay network; I've got videos where I dive in depth on it, and Tailscale is awesome for being able to not just tie firewalls together but also tie devices to firewalls to different subnets. Overlay networks are a different way of solving the VPN problem, but a very clever and very welcome way, especially when you have different devices behind firewalls that don't allow you to have a public IP address on your firewall. So Tailscale, for example, will work without public IP addresses on different devices; they'll still be able to talk to each other. But that does require, of course, joining the Tailscale coordination server to make all that work, or self-hosting an instance of it yourself using something like Headscale.

IDS and IPS: Suricata or Snort are both available in pfSense. You have very basic, and under the hood it's still Suricata, available with the UXG Pro, USG, and the UniFi Dream Machine line. I say basic because they just don't give you as many features. They give you all the features and fully expose these through a web interface, so you can manage whichever one you choose, control what feeds are in there and how fine-tuned you'd like this to be, and they give you just a lot of bells and whistles for it. So it's a much more extensive system, but under the hood it's actually still Suricata with the UniFi line.

Content filtering: it does not work well in pfSense. I know there's the ability to do it, so I put yes but complex. I'm probably understating how complicated it is to run Squid, and why I never use it; it's just not a feature we even want to use, because it's just a headache. Basic DPI, no SSL inspection, is how they do it there. So they're doing some basic deep packet inspection so they can block certain things, but you don't have full SSL unraveling and inspection. While you can do that over here in pfSense, back to it's just complicated to manage and man-in-the-middle all of your devices to get them to go through there to get that done. So neither one of them are great for that feature. DNS filtering: pfBlocker is amazing for doing a lot of cool stuff when it comes to both DNS filtering and GeoIP filtering. They've got some basic filtering options here for DNS inside of the UniFi line. Traffic shaping: very advanced. You can get granular with a ton of features with traffic shaping; you have a lot of options. There's kind of some basic on-or-off features, but there's no real tuning you can do to the same extent you can do it in pfSense. So yes, it has it, but no, they're not quite the same in terms of features. Multi-WAN support: I almost wanted to put yes, advanced, because you can do so much with multi-WAN on pfSense. You have yes, that you can do it, but the rules are going to be not as tunable in terms of all the thresholds and all the details, maybe when you want things to fail over and load balance. It does have those features, though. So, Active Directory integration: yes, RADIUS or LDAP; yes, via RADIUS; yes, via RADIUS. So there's ways you can integrate Active Directory for your VPN authentication. Policy routing: yes, yes, and yes. The policy routing, though, once again, pfSense has a much more advanced feature set for that, but yes, it is supported. Firewall rule policies on Active Directory: none of these have it. If that's a feature you really need, it's just not going to be available in any of these firewalls listed here.

Reverse proxy or web application firewall: HAProxy is a feature you can turn on inside of pfSense. I've done videos on that. It'll even handle all the certificate management and termination for all your devices, and you can set it up so you can grab a wildcard cert and have it serving up certs for all of your internal things without even publicly exposing them. I really like HAProxy; it just solves a lot of those little problems for dealing with it right at the firewall level, and then all the granular control that will come with it. That is not something that is available in the UniFi line. Let's Encrypt certificates: yes, but there's actually more than just that supported, but I said yes to Let's Encrypt because they're probably the most popular ones out there, and you can do them via DNS inside of here. The captive portal: this is something that, once again, there's a lot more features on the pfSense one, but you do get a captive portal, so if you just have some basic captive portal needs, those will work under the UniFi line as well. Traffic reporting and monitoring: very different on the way they work. ntopng, I've done a whole video on it; it's a pretty extensive package, it gives you a lot of granular detail. You just don't get that granular detail, so yes, it has information, but it doesn't have really nice time-series information that allows you to dive deeper into the traffic so you can get a better understanding of it. But it's there as a yes; it's just a yes, but it's not the most advanced version of it.

Now, I hope this video gave you a better understanding of the differences between the UniFi firewalls and what's offered by pfSense, and the feature differences between them. Ultimately it comes down to what works for you. I think they're both good firewalls. I don't have any concerns about security problems from either one of these companies; it really just comes down to the features. And because we do a lot of consulting, we get people who want us to make the firewall do something it wouldn't do, and this is why starting with a list of features before you buy the firewall and doing some research on them helps make a more informed decision, so you know it'll fit your needs. And that's really what this is all about: what works for you. By the way, leave some comments and let me know which one works for you and what context you're using it in: your home, your lab, your business, maybe you're an IT manager using this at clients. Let me know; I love hearing from you, love hearing your thoughts on all of this. Or if you just hate all of these firewalls and you'd like to use something different, I wouldn't mind hearing that too. It's always, you know, fun to engage with the community on there. If you want to discuss this further, forums.lawrencesystems.com is a great place where you can interact with me on this and other videos, and if you want to see more content from this channel, like and subscribe. It is greatly appreciated, and thank you very much. See you next time. Thank you.
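The manual pfSense equivalent that the video contrasts with Site Magic (a WireGuard site-to-site tunnel where one side has a public IP, the NAT side dials out, and the two LANs must be on different subnets), as an added example that is not code from the video, from Lawrence Systems or from Netgate. The `Site` class, `render_configs` and the other names are this example's own; the WAN and LAN addresses are constructed documentation/CGNAT ranges and the keys are placeholders to be replaced with `wg genkey | wg pubkey` output. On pfSense the same values go into the WireGuard package GUI rather than a wg-quick file; the point of the script is to make explicit which side needs `ListenPort`, which side needs `Endpoint` plus `PersistentKeepalive`, and why overlapping subnets are rejected before anything is configured.

```python
"""Render a two-site WireGuard tunnel and refuse to build one that cannot route.

Added example. Addresses are constructed (203.0.113.0/24 and 192.168.x.0/24 are
documentation/private ranges, 100.64.7.22 stands in for an ISP CGNAT address);
the key strings are placeholders, not real keys.
"""
import ipaddress
from dataclasses import dataclass

# WAN addresses in these ranges are not reachable from the internet, so a
# gateway holding one must be the side that initiates the tunnel.
PRIVATE_WAN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str          # address on the gateway's WAN interface
    lans: tuple          # LAN subnets reachable through this gateway
    tunnel_ip: str       # address on the wg interface, e.g. "10.255.0.1/30"
    public_key: str      # placeholder; real value from `wg genkey | wg pubkey`
    private_key: str     # placeholder; real value from `wg genkey`


def has_public_ip(site):
    addr = ipaddress.ip_address(site.wan_ip)
    return not any(addr in net for net in PRIVATE_WAN_RANGES)


def check_subnets(site_a, site_b):
    """Return every (a, b) pair of LAN subnets that overlap; empty means routable."""
    nets_a = [ipaddress.ip_network(n) for n in site_a.lans]
    nets_b = [ipaddress.ip_network(n) for n in site_b.lans]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def render_configs(site_a, site_b, port=51820, keepalive=25):
    """Return {site name: wg-quick style config} for both ends of the tunnel."""
    overlaps = check_subnets(site_a, site_b)
    if overlaps:
        raise ValueError(f"LAN subnets overlap, tunnel cannot route: {overlaps}")
    if not (has_public_ip(site_a) or has_public_ip(site_b)):
        raise ValueError("at least one site needs a public WAN address")

    configs = {}
    for me, peer in ((site_a, site_b), (site_b, site_a)):
        lines = ["[Interface]", f"# {me.name}",
                 f"Address = {me.tunnel_ip}", f"PrivateKey = {me.private_key}"]
        if has_public_ip(me):
            # Only a publicly reachable side needs a fixed listening port.
            lines.append(f"ListenPort = {port}")
        lines += ["", "[Peer]", f"# {peer.name}", f"PublicKey = {peer.public_key}"]
        # AllowedIPs is both the route table entry and the cryptokey routing
        # filter: packets for these destinations go in, and decrypted packets
        # are only accepted if their source falls inside them.
        peer_tunnel_host = peer.tunnel_ip.split("/")[0] + "/32"
        lines.append("AllowedIPs = " + ", ".join([peer_tunnel_host, *peer.lans]))
        if has_public_ip(peer):
            lines.append(f"Endpoint = {peer.wan_ip}:{port}")
        if not has_public_ip(me):
            # Behind NAT: keep the mapping open so the public side can reply.
            lines.append(f"PersistentKeepalive = {keepalive}")
        configs[me.name] = "\n".join(lines) + "\n"
    return configs


# Constructed sample sites: HQ has a public WAN address, the branch is behind CGNAT.
HQ = Site("hq", "203.0.113.10", ("192.168.10.0/24",), "10.255.0.1/30",
          "<HQ_PUBLIC_KEY>", "<HQ_PRIVATE_KEY>")
BRANCH = Site("branch", "100.64.7.22", ("192.168.20.0/24",), "10.255.0.2/30",
              "<BRANCH_PUBLIC_KEY>", "<BRANCH_PRIVATE_KEY>")
# Same as BRANCH but re-using HQ's LAN range: this is the case that must be refused.
BAD_BRANCH = Site("branch", "100.64.7.22", ("192.168.10.0/25",), "10.255.0.2/30",
                  "<BRANCH_PUBLIC_KEY>", "<BRANCH_PRIVATE_KEY>")

if __name__ == "__main__":
    for name, text in render_configs(HQ, BRANCH).items():
        print(f"--- {name} ---\n{text}")
    print("overlap check:", check_subnets(HQ, BAD_BRANCH))
```

The branch config carries `Endpoint` and `PersistentKeepalive` and the HQ config carries `ListenPort`, which is exactly the asymmetry Site Magic works out for you automatically via the cloud portal; the overlap check is the manual version of its "different subnets" requirement.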
Channel: Lawrence Systems
Views: 71,503
Keywords: LawrenceSystems, ubiquiti networks, pfsense firewall, network security, firewall comparison, pfsense unifi, pfsense unifi setup, pfsense unifi vlan, pfsense unifi controller, pfsense unifi dream machine, pfsense vs unifi, pfsense vs unifi dream machine pro, pfsense vs unifi dream machine, pfsense versus unifi, ubiquiti unifi, next generation firewall comparison, unifi firewall, unifi dream machine pro
Id: 1E6fYKlQKa0
Length: 15min 54sec (954 seconds)
Published: Sat Jul 29 2023