Firewall Comparison: Ubiquiti EdgeRouter / Ubiquiti UniFi USG / Untangle / pfsense

Captions
So we do a lot of UniFi installs. We love their Wi-Fi, we love their switches, we love the management dashboard; it makes it very easy. We can self-host the controller, and there's not a bunch of licensing fees to make it, you know, cost-prohibitive to install these at scale for clients, so this is great. Many times clients host their own controllers internally because they don't want any data leaving, and with the exception of the phone-home, which you can sinkhole (I did a video about that), other than that they've been really, really good. But that always brings me to the next question that comes up every time I talk about a project: "Tom, why isn't this at the head end of your project? Why don't you have a USG so you can complete the whole ecosystem and have a pretty dashboard with DPI and things in there?" Let's talk about that.

So with the UniFi, I really like the UniFi, I love, like I said, all their other products, but their USGs, once you need more than just routing to get to the internet, they fall flat, and I mean very flat. The USG, even though we're talking about this one right here, this is the USG, you know, the base one; the USG Pro and all the other ones have the same limitations. Let's say we want to add more than one IP address to one physical WAN port. That is a pretty normal feature when you buy a block of IPs from an ISP. Here's all the config; you've got to make sure we get the JSON file right, which by the way is not officially supported by them and not supported through the UI at all. You have to get to the command line and do this, and I like how this write-up has, you know, a couple of comments right here, even from five days ago (this is November of 2019): "Any update on the roadmap timeline for multiple IP interfaces yet? Been watching threads for four years waiting patiently." No roadmap, no timeline, no comment. I know someone's going to point out that some developer who was working on the pfSense project now works for Ubiquiti, and I believe that happened maybe almost two years ago. Clearly they're not adding it; if they're adding a feature I don't know when they're doing it, if they're doing it. That's one of the first problems you run into.

Second, advanced routing features such as selective routing and things like that? Nope. What about VPN? Surely you have OpenVPN and all of the other features in here, because that's common; OpenVPN's been around a long time. Nope, that kind of falls flat too. They do have L2TP for user VPNs, which also, over here, can cause some issues as well when you're doing it; if you use the VPN client you'll find that multiple users behind the same IP with L2TP has a problem. That's why that protocol is not as popular. So there's another place it falls flat. Places it does do well: routing. It routes great, I don't think it's insecure, it routes. It does have Suricata under the hood for intrusion prevention, but that limits its speeds. You have to look at each model and whether or not it has enough capacity to handle, not the routing speed, but if you want that intrusion detection on there. It does have the DPI dashboard, so you get some statistics; that's cool, that is a great feature. And the site-to-site VPN: if you have two of these in the same controller, one-click site-to-site VPN. Amazing, great job, hats off to the engineering behind that, because it just works. I like that. But that's one reason we don't use it as frequently: we run into clients that need those advanced features and, like I said, it's just a problem when it comes to the system; it just falls flat.

Now, what about the EdgeRouter X? That must be an awesome router. Actually it is; I very much like these. But the EdgeRouter has kind of a limitation, and it is the fact that you have to learn the command line if you want to do the powerful features. No pretty dashboards. And no, it doesn't tie into the UniFi ecosystem; it doesn't tie into there. Yes, it does have the UNMS dashboard, which is not as full-featured as the UniFi one, but yes, that's an option on there. And if you're not familiar, it is a fork. So Vyatta, I think they say, is the system VyOS and EdgeOS were forked from. So first you start with an open-source product called, I believe it is open source code, Vyatta. VyOS is fully open source; it is the command-line-driven network operating system which is very powerful, but 100 percent command-line driven. There's no web UI or anything like that, but it's very, very powerful, very, very diverse, and same with EdgeOS: very powerful, very diverse. They kind of put a basic web UI on top of it. And, you know, here's a little history; I can leave a link to the fork and the history of it. You can do a lot with it, so the EdgeRouter is not a bad choice. Like I said, I think they make a great product and are very affordable, but if you're looking to do everything from a web interface, well, that's where this may fall short.

One thing I should bring up, because someone asked about this the other day: I did a video on pfBlocker and how it works with pfSense and DNS ad blocking, blacklisting. Dnsmasq configuration in here, once again, they have very specific ones which it supports. Actually it is kind of interesting, because you can do this since they do run essentially Linux underneath: dnsmasq blacklists on the EdgeRouter ER-3, ER-X. Yeah, you can set the system up because you, you know, SSH into these and get to the command line and start configuring these things and update them and things like that. So if you're fine and you're comfortable with the command line, and it's good practice to learn network engineering if that's your day in, day out; but for some users they go, "You know, I just kind of want to be able to set something and have a web interface to make it a little easier, not do a lot of custom configuring and writing scripts." So there's that with them. I don't dislike them as a product; I think they're quite good, but for people wanting the one-click easy setups, sorry, that's not for you.

Now, the next one I have here is not something I know much about, but people ask me about this all the time, so I'm just going to give it an honorable mention: the Sophos XG firewall, and I'm talking about the Home Edition. I know this is probably an older model; I don't even know if this is supported on here. This is something we pulled out of a client. This box is heavy, but one of the things I don't like is, one, Sophos XG is not open source. If it is, I couldn't find source code to it; maybe parts, I know parts of it are. But one of the things right away is, just to download it and use it as a home user, you have to activate it: "You should receive an email shortly with your evaluation serial number." I haven't gone through the process of setting it up; I'm not likely to review the product. It's one of those I don't have a use case for; we don't really have any clients running it. I've talked to people that say they enjoy Sophos, they like Sophos. I think Sophos is great; it is a closed-source proprietary firewall but does have some advanced features, that's pretty cool, and I don't know of any known major security problems with it. But I do lean towards open-source firewalls, and one of the reasons I bring that up is right here: "New discovery around Juniper backdoor raises more questions about the company." These are one of those things that, when you can't audit the source code... because it's becoming so much of a concern in the security world that we see all the source code, and businesses are realizing the reliance on code is absolutely, you know, it drives their business. It's not like, "Oh yeah, if the computers are down we'll just muddle through it, we'll go back to a paper process." If someone backdoors your company and starts stealing intellectual property and other information right out, that is a huge concern. So this is scaring companies more and more with these closed-source firewalls.

So take that for what it's worth, but I figured it's worth bringing up, and it's one of the reasons I'm so bullish on open-source firewalls, which brings me to the one on the bottom here; saved the best for last. So yes, I'm aware someone forked it into OPNsense, and someone loves to ask that question every single time. I've briefly looked at OPNsense; we had some problems, so that could have been my lack of knowledge, and I've seen someone get mad at me even though I always say it could be my lack of knowledge. I couldn't make it do it, and neither could the person using it, who had installed OPNsense numerous times, who then contacted us to help solve a VPN problem, where we couldn't get the routing to work in the way they wanted, which was some very specific, very advanced routing features. We took that same piece of hardware and loaded pfSense on it and it works fine. Now, this is actually a Netgate pfSense box in front of me, but that's where pfSense to me really excels: it's fully open source, which means we can audit all the code. This makes companies very comfortable, and for those of you who say, "But it's not ready for primetime commercial," I did a video on this topic. Head over to ZipRecruiter; an easy way to do this is look for who's hiring pfSense engineers. When you see companies like MasterCard hiring, you're like, "Oh, they must be using it." So most large companies, by policy, specifically will not disclose what things they're using. As a matter of fact, this is an interesting facet of our business: when we have done work with larger companies, they do not want... even though they found us from YouTube, they say you may not use their company name or talk about projects, or you can't post that you do things with us. Honor that on your website and, you know, be quiet about all that, and I'm fine with this. So I have worked with, you know, automotive suppliers and things like that; they don't want their stack talked about. But it's kind of funny, because then they put things in ZipRecruiter like they're hiring an engineer for whatever; you can figure out what hardware they're using.

But yes, this has been used in many commercial environments. One of the nice things about pfSense is you can go to the command line, it's fully open source, it's modular, so you can actually do a package update on an individual thing. I covered this when there was an nginx flaw: you could update nginx individually on this and not have to wait for the company to re-spin a new version of pfSense for you to download and update. They also expose more features, so they put in OpenVPN and, I mean, like everything is exposed, and if you find some weird advanced use case that's not, all you have to do is use the field they have to pass further commands to it from the web interface. I think this is kind of cool; this is at the bottom of a lot of the pfSense option boxes, like an advanced configuration where you can just push extra parameters if you have something that they didn't expose. But they expose so much to the web interface; they kind of glue everything together in a really nice way between Suricata and everything else, and it's fully open source. It does not require that you go and register some serial number, some license thing to phone home and activate your pfSense. So if something were to happen or they change policies, the pfSense code itself is open, and therefore if they were to try to close-source it (not that they have any intentions of this, I'm just pointing out), if any of these other companies, if Sophos for example, because it requires a serial number to do some type of activation, if they decide not to honor that serial number, then your firewall turns into a pumpkin at midnight. This is my problem with a lot of commercial products: your reliance on them as a company and their policies to support this. People ask me why I didn't support certain companies that made Wi-Fi a number of years ago. I said, "Oh cool, they have a free dashboard, but you can't host it; it's only their dashboard, they're gonna charge for that." People were like, "No, no, you should try this product, it's really cool." Then the company got bought and they charge for their dashboard. Shocker. And by the way, it's not easy to get them off the dashboard; the device was designed to do that.

So, one of the reasons, like I said, I'm really bullish on the open source and pfSense specifically: the company has been really tight with security. They don't monkey with things, so when they use OpenVPN it is the standard OpenVPN, so you can use whatever OpenVPN client. I have, you know, talked with other people a lot about pfSense, and the engineers actually at Netgate, and it's kind of funny when they've had problems connecting. We had trouble connecting to a FortiGate, so our client had an OpenVPN endpoint that they needed to connect to; another business had a FortiGate. Turns out FortiGate wasn't implementing something properly, and it took an update from FortiGate, whose engineers first just blamed us for using "some crappy open-source product"; that was a direct quote from the people on the other side. And yeah, as a matter of fact, one of the things we've done working with the health care providers here in the Detroit area: they now have a document on how to set it up, because our clients are using IPsec VPNs to, I don't know what's on the other end, I'm less than clear, they're very vague about it, but it's not pfSense. But now they support connecting pfSense to it; they have a document because we showed them how to get pfSense connected, because pfSense, once again, is fully using the open-source standard for things, or the documented standard for, you know, IPsec VPN, OpenVPN, how they're implementing things. They're not trying to compile everything into one big monolith; they're using each one of these projects and kind of pulling them together in pfSense. I know someone's gonna call me a fanboy, but if you notice, we're not even an official reseller for pfSense. I have no affiliate links; I buy direct at the same price you pay. I do that on purpose because their reseller program, I didn't think it was all that advantageous for me to join. So those are kind of my thoughts on some of the firewalls. This is, you know, as I said, pfSense is our go-to because it's so diverse. It can do super advanced crazy routing things that sometimes, well, people need. You don't need licenses for things like even HA or any of that; you can load pfBlocker, you can load Suricata, you can create a really strong UTM device. But I will admit it's missing the dashboard, so that is kind of out there.

Now, the last little piece I'm gonna give an honorable mention to, because I did a video on this, is Untangle, and also hats off to them because I didn't have to go digging for prices. So Untangle is free, but they do have a Home Edition. What's the difference? So Untangle, people want the Home Edition because they want granular web filtering. That requires a certificate to install; I'll leave a link to that video I did talking about that, because more and more sites have moved towards being an encrypted site. If you want to get granular, not DNS blocking but granular, see what websites each individual computer is going to and create per-computer block lists and do that advanced filtering, Untangle does have that built in. There's the free edition of Untangle which you can just install, but then they have the paid edition, so if you want that advanced filtering, that is something that's just not in pfSense. Between the dashboards, you know, if you want that high-level DPI, lots of information: pfSense has the ability to export the data out but does not have native built-in DPI dashboards, and then you have Untangle, which just has some nice dashboards. I've done a full review of Untangle and of course I've done specifically the filtering. This is a common request that people have, which by the way isn't supported on either the UniFi or USGs, but is supported by many advanced firewalls such as your commercial products by Meraki and FortiGate. So Untangle, for the Home Edition, they do have this for like 50 bucks. And someone told me, and I guess I'm not planning on evaluating it, but I believe the Home Edition of Sophos has some granular filtering that you get with the home user edition as long as you agree to their home user licenses and things like that. And you guys know that Untangle is free, but those filtering features do cost money, so take that for what it's worth and decide what your use case is on there.

I'm personally, like I said, biased towards open source overall. I try to use open source whenever possible; that's my preference, and some are kind of going to say it's because I'm cheap. It's actually not; it's because I care about security and care about auditing code, and I have no problems paying money, and have donated money to open-source projects and open-source developers. Some of them just ask for, you know, the quote-unquote beer money and things like that; I have no problems donating to these projects and helping these developers out, and I've even contacted and hired some of them for specialized projects when we needed code updated. So I like the fact that I have my hands on the code; that makes me very happy. So that's my background and love for open source. Hopefully this helps a little bit, or maybe confused you more about decisions.

Oh, and don't ask me to review consumer routers. I don't use them, so I know that D-Link and Linksys are name companies, they have a bunch of products out there, but I'm not gonna do a comparison to them. I'm just not interested in them, I don't run them, so my comparison would be like, "It has these features"; I'd be reading off the box. I don't really do those. I like to talk about products we've used, products we've used in the field. That way I can give you a more subjective, or more realistic, answer to how it's used versus reading off the back of the box or reading in some forums to gain some understanding. That's why I mentioned Sophos: I see a lot of people talking about them, they seem to be happy about them, but I can't give you any real subjective answers on it because I've never used it. I have zero clients using it; the only client that was using it is that box over there. We pulled it out and put pfSense in to solve some really advanced routing things that they needed, and so they've been really happy since we put it in.

All right, thanks, and thank you for making it to the end of the video. If you liked this video please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to our forums at lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
Info
Channel: Lawrence Systems
Views: 100,423
Rating: 4.9342051 out of 5
Keywords: ubiquiti networks, edgerouter x, ubiquiti usg, pfsense tutorial, edge router, ubiquiti edgerouter x, unifi controller, next generation firewall comparison, firewall comparison, firewall, network security, ngfw, firewall (software genre), security, ubiquiti networks unifi, pfsense, protectli pfsense, protectli firewall micro appliance, protectli pfsense install, protectli pfsense review, UniFi USG, ngfw firewall comparison
Id: vpKEi2o1DQM
Length: 16min 28sec (988 seconds)
Published: Mon Nov 11 2019