Firewall Comparison, Which Ones We Use and Why We Use Them: Untangle / pfsense / Ubiquiti

Captions
I have in front of me a few different firewalls that I've done reviews on. I've done reviews on the Netgate pfSense firewalls, both the software and the hardware directly from Netgate. I've done reviews on the EdgeRouter X. I've done reviews on the USG by UniFi. I've done reviews on the Protectli boxes, such as this one here, which can run a lot of different firewall software. And a lot of people ask me, always comes down to: which firewall should I buy, or how do we know which one to choose for a client?

Well, we're gonna start with this one right here, the EdgeRouter X. Not really a popular choice in terms of for our clients, but it does have its use cases. This is a nice mini powerhouse of a firewall that you can pick up in the $50 range, US, which is really reasonable for any firewall that's above consumer grade. It actually has fast routing capabilities. It has a ton of features once you get into the command line on it, so it's very diverse, it has all kinds of different things you can do. But this is the big downside: one of them is people ask me, what about intrusion detection systems and intrusion prevention systems and things like that, and I'm kind of cross-eyed a little bit when I hear that, because I'm like, okay, those take a lot of horsepower to run, and I'm sorry, these are going to fail at that. You could probably find some hacky way to get more things running on this than it comes with, but the fact of it is, and I'm even holding the adapter right here to show you, this thing's only a couple watts and that's it. It's so low powered, it just doesn't have the horsepower to do a lot of advanced things.

Now the other downside that the EdgeRouter line suffers from, maybe benefits from, is: as advanced as you can go with it, it's also very difficult to do so. If you look at either tutorials, a lot of people see, wow, that's a really long tutorial on how to accomplish this or that, and I'm like, yeah, they are a lot of times. So advanced features, it does require editing a config
file and handwriting some of the rules and things like that, so that is a disadvantage with these. As powerful as they are, and inexpensive as you can get, especially this model for, they have their use cases. The wizards in them are nice to get kind of basic things set up, but for advanced use, get prepared to get advanced with it and break out the command line to really get some, you know, very specific configurations. But from a low wattage standpoint, and sometimes you just have to NAT something over a point-to-point in a small area, we've used them for that, and that is sometimes a client use case for them: no real advanced routing needed, just a basic NAT, low powered, in a small, especially when we've done some of these outdoor setups, they just need to get some devices online behind a NAT and a site-to-site, this combines really nice. Now it does have, I will mention, I have not done any testing with it, this will connect into the UNMS dashboard by UniFi. I've not done a lot of testing with that, but you can dig up some information there. But like I said, not really done much for that.

The next one people ask me about is the UniFi USG line. Now I like these, these are nice, but they have, back to specific use cases. They have beautiful dashboards to integrate with all the other UniFi equipment, so if you're putting in really nice UniFi wireless and all the different range of those, and UniFi switches, which we love, and we love their wireless, and then you put this at the head end of it all, you just get a great dashboard. It gives you a good overview of what's going on, and from an MSP standpoint, we manage a lot of clients using these and they're great for those small businesses. Some of the advantages you have with this is that integrated dashboard with all the clients. The downside you run into with this, and this is where things get unfortunate, I really wish, I really want to love it, I really wish I could love it, the thing I dislike about it, and this is where it starts to
fall off, is when people need advanced routing options and they need VPNs, or they have one of these that's double NATed. You're back to editing files on this; you can't use the user interface through the web interface to make it do some of the things that you wanted to do. If both of these, you have two of these at two sites and are on public networks, they have essentially a one-click VPN setup and it's super easy, you're like, wow, that was nice. One of these behind a NAT, well, you instantly have problems, and they're just not as configurable unless you once again break out the command line, and if you break out the command line you can do quite a bit. These do offer as well the intrusion detection and intrusion prevention systems, but they're not very customizable, and once again you're going back under the hood if you really want to start tweaking with it. You just don't have a ton of rulesets and a ton of options that you can do. It's kind of a basic filtering, basic bandwidth management, everything's very basic on these, or break out the command line to do anything there, including, as of right now, if you just want to have a second IP address or a range of IPs put on the LAN side, that's still a command line feature. I mean, for my small business clients that are, you know, a four-person salon for example, we actually have a handful of like small offices like the salons using these, and they're great for them. I mean, they're simplistic, they get the job done. But yeah, if you have a client that has a lot of firewall rules, a lot of routing, they just don't feel as robust, or a little bit more difficult to work with.

I'll cover here the Netgate. Now I've seen people complain about this SG-3100 and saying, well, it's an ARM device and ARM devices should be super cheap like these and inexpensive. This isn't just your average ARM device. This has a lot of power, good VPN speeds, can route gigabit, and it's outstanding. Now this is, you know, a really nice box from the makers of
pfSense, this is the Netgate box. We love putting these in, because when you're doing remote updates you're gonna have problems occasionally with some of these type of boxes when you build it yourself. Doesn't mean you will have a problem, but occasionally there can be a problem. Because the folks at pfSense test their software specifically on their hardware, we know whenever we hit update and we're remote, updates should go perfectly smooth. When you're running any type of white box hardware, there's always a possible chance of risk, and we actually ran into this with one of the other boxes. There was a parameter with one of the white boxes we had that had to be passed on through GRUB, and if you didn't know about it prior to the update, you couldn't do it remotely; you would have to get in there and add the parameter or it wouldn't boot. So having the extra boot parameter fixed the problem, but one of those things, if you didn't stop and check before you just pushed update and you're remote, you may be visiting that client on-site. So when we deploy these, the majority of our clients have one of the genuine Netgates, this one or one of the more powerful ones, at their office that we've set up.

Now the last thing I'll talk about in terms of the hardware here is these Protectli boxes. This particular one is still a great box. These come in a little bit of different varieties, they're reasonably priced, and I know someone's gonna point out that you can find these from Alibaba for cheaper, not under the Protectli brand. I believe, just to save that person writing a comment, I believe they're marketed under Qotom on Alibaba. So if you have time to wait for something to come from China, you can find these for less money, that's not a secret. I'll leave a link to Amazon where you can find these, though, on Amazon, if you're looking for a U.S.
seller that has it in stock and give it to you faster. Now the difference between when you get these from, it varies, because Alibaba is kind of a random marketplace, it seems. Sometimes I can tell you when things are available, and then they'll have another brand, but it looks like the other brand, and they'll have a lot of them. The one thing nice about Protectli, I've actually talked with the people there, and now they seem to do a good job of putting these together, because you can order them with the hard drive already installed, everything else, they give you a bundle price. They're not cheap, but they're also really fast and really diverse. I mean, this has all Intel NICs on it, labeled WAN, LAN, and then OPT1, OPT2, OPT3, OPT4. We've tested this with Untangle, we've tested this with pfSense; these boxes work really well for them. They are a nice solution if you're looking for something small, compact, powerful out there. Like I said, for most of our clients we do prefer this, but this is an option as well.

Now both of these devices here, and kind of these, will all route at gigabit, but there are exceptions. If you're using some of the IDS features on here, that limits it, so if you turn on the intrusion prevention system you're gonna get slower speeds out of this. I know they're tweaking it, so I'm not going to state the exact speed, but you can google it. I know it's around the hundred meg, so if you have a faster than hundred-meg internet connection, you're right away going to have a bottleneck if you use those features. This one, you have to turn on hardware offloading, but that also eliminates, I think, some of, I can't write exactly which feature, I have it in my video though, so you'll have some issues if you try to get this. But, you know, at what point do you expect a forty-nine dollar product to fully perform at full gigabit? And it's not quite gigabit, I believe. Actual performance varies on these because it can only hold so many state tables, so you maybe will get a single stream,
but, you know, for heavy use cases, when you have a lot of devices behind it, which means a lot of state tables, that's another factor you have to think about. So if you're connecting a few hundred devices, not just one or two computers in your home, you can run into problems with this, because it just doesn't have the horsepower to handle all those simultaneous connections. And the same thing you can run into here: if you have a larger office, maybe you don't have as fast of internet but just have a lot of connections, well, the more connections you have, the more streams that you have going across, the more states, you're gonna have hardware problems, limitations with, well, it's a $99 box.

When you get into these, these handle lots of devices. We've got these deployed, specifically this SG-3100, and like I said, this is not your average ARM-based device, and we've got several hundred computers behind it, no problem. We've actually put this in at some of the locations, like I did the Family Fun Center, we put one of these in, it handles their entire guest network, you know, tons of people on phones, the entire building, no problem at all, it's not even breaking a sweat. It does handle just a lot of connections at once. It's also one of my favorites in terms of pfSense, because pfSense is really the Swiss Army knife of firewalls. It's open source, it has absolutely amazing top-to-bottom features and tools for diagnosing your network. It's one of the reasons I've done so many in-depth videos on pfSense.

And that's gonna lead into the software choices. So as much as I do love the UniFi line, the software is a little lacking unless you break out the command line. For those of you that are not willing to dive into the command line and learn how some of that works, and are our tutorials I know some of those things work well you, this is where you're gonna have some shortcomings with these. pfSense, on the other hand, does do really, really well for just, you have some crazy configuration, and I have with
some odd configuration requests, this can handle it. We've connected these to other firewalls, because they have things in the data center that they're running that they have to specifically connect to with certain IPsec VPNs. We've had good luck getting pfSense to connect to those, because pfSense exposes pretty much through a web interface all the options you need to really get this thing going, and whatever weird configuration you want. We even had some clients that use some weird DHCP relaying, and that's actually built into here as well. I've run into some odd configurations because they want to replace some legacy things that people come up with, and pfSense, hands down, whether you run it on the Netgate or you run it on your own hardware and build it yourself, is a great choice. Now this box, like I said, at $349 it's a pretty good value.

But back to the last piece, and kind of the software-related part. Untangle's another firewall I reviewed. Now I think I kind of hinted towards, it's open source and not, it's kind of a hybrid approach. The way they are, the firewall itself is open source, but they have closed-source modules and subscriptions that give you feeds for filtering. And Untangle's the firewall that I've been starting with, a little bit newer. We've seen it out in the field a handful of times. I have friends that work in IT, one of them said he's deployed several thousands of these over the years, and he's one of their premier partners and loves the firewall, it's never let them down. My testing with it has been, wow, it's great, I really have no complaints on it. Now the thing about Untangle, they do have a wonderful, if you're a home user, a $50 a year subscription that really gives you amazing features for 50 bucks for the home user edition. They have licensing that goes for business users, and with the business-class ones you get that really nice filtering. A lot of people really want good filtering, and that's what you're really paying for when you
pay for Untangle, is you pay for that extra filtering that they offer. So they offer that, you know, I want to filter this website, and the way this works, that is something you can do. The other nice thing that I've noticed with Untangle is, for example, people who ask me about policy-based routing. I've done videos about it on pfSense, I have also done how to use, like, PIA VPN with pfSense, and it's a much longer instruction than it is, for example, with, I have Untangle loaded on this, that's why I keep holding this one. When you have Untangle, it's just a couple clicks. You can use NordVPN, PIA VPN, and a couple others, they're built in; you just drop in your username, password, and the VPN profile, and you're done in a few seconds. It will then create a tunnel network so you can tunnel all your traffic over a VPN, and then you can even select specific devices with just the web interface and a checkbox. Yes, you can do that in pfSense. No, it's not going to be as easy, because you have to write policies and routing and have multiple gateways and decide which gateway you want traffic to go out based on the conditions and rules. Untangle is just kind of one-click. So when it comes to some of those software features, these are really nice advanced features supported by both pfSense and Untangle, and I won't lie, Untangle makes it a little bit easier.

And back to that filtering: yes, I know you can add some third-party add-ons, and it's been a long time since I tested it, but I know one of them is DNSthingy, has a plug-in for pfSense that's also a paid service that allows you to add filtering features to pfSense. But once again, it's going above and beyond those. The filtering really comes down to, a lot of times you've got to pay for those type of subscriptions if you want really good filtering features. Now both Untangle and pfSense do have not just Suricata built in, but they give you a lot of options with it, much more so than the Suricata that you get with the USG. I mean, I love the UniFi interface in terms of ease of use,
but once we start talking Suricata, tunnel VPNs, everything else, they're not impossible to do on these, but they're basically command-line, and if you find it difficult in pfSense, you'll probably find it even more difficult over on the UniFi and EdgeRouter lines. Versus Untangle: one click, put your username and password in for PIA VPN. I've tested it myself, because I have a PIA account, and it just works.

So these are kind of the choices you have, and these are some of the reasons we've I am. So if you have those advanced use cases and you really like that Swiss Army knife and you want some firewall for $349, I won't lie, Netgate is still my go-to, still one of my favorites. It's what I have at my office here, it's what we use to manage our network, and, you know, a project I was working on and gonna be finishing soon enough, because maybe doing some videos about this, is a complete captive portal, FreeRADIUS, along with a signed SSL cert for doing the captive portal enhancements. Well, pfSense has all those plugins running in one place. Oh, by the way, it also has Zabbix monitoring and other extensible plugins that really make pfSense a, like I said, I'm still really happy with it and still generally my go-to firewall for most solutions. But I won't lie, for those of you looking for just an easy way to point-and-click your way through some simple setups, including like that tunneled network, Untangle, the filtering and everything else, for their home users that want just basic filtering, that $50 a year, really hard to beat it at the price. But I think they're both really good firewalls, they're both great products, and they're both products I recommend. So once again, it depends on your use case and if you really need those.

So hopefully this was helpful in deciding which firewall to buy. Like I said, all of them have their merits, but once you start getting into advanced things, pfSense and Untangle are really the two I like, pfSense still being my favorite, just, I love all the bells, whistles and
features, and that's a reason for so many pfSense videos I have on my channel here. If you have other thoughts on there, and I know there's going to be at least a couple people who mention the MikroTik routers, they come over to the EdgeRouter category. They seem to be really nice. I've not done much testing, more than, we really don't run into them much in the field. They seem to be a good value for their money, but they also have a more complicated interface, and I've talked about the security: they had left some default insecure settings, which is kind of scary, and when a lot of home users deploy, I think everything should default to secure and you open it up, and their original policies apparently allowed you to create insecure settings and then you had to close them. I think they've changed the policies, but it's still one of those things, anytime I firewall companies like that and I, yeah, I've not done a lot of testing on the MikroTik ones. I guess they're okay if you're looking for really good budgets, but if you're looking for the powerhouses, pfSense and Untangle are still there for the, and all the advanced uses, lots of flexibility and all the belt, you know, just that real advanced power set, along with filtering and things like that, intrusion detection and everything else.

Alright, hopefully this is helpful, and thanks for watching. If you like this video, go ahead and click the thumbs up. Leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing the feedback, or if you just want to say thanks, leave a comment. If you wanted to be notified of new videos as they come out, go ahead and subscribe and the bell icon, that lets YouTube know that you're interested in notifications. Hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, you go ahead and hit lawrencesystems.com and you can reach out to us for all the projects that we can do and help you. We work with a
lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel other ways, we have a Patreon, we have affiliate links, you'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on lawrencesystems.com. Once again, thanks for watching, and I'll see you in the next video.
Info
Channel: Lawrence Systems
Views: 528,460
Keywords: ubiquiti networks, edgerouter x, ubiquiti usg, pfsense tutorial, edge router, ubiquiti edgerouter x, unifi controller, next generation firewall comparison, firewall comparison, firewall, network security, ngfw, firewall (software genre), security, ubiquiti networks unifi, pfsense, protectli pfsense, protectli firewall micro appliance, protectli pfsense install, protectli pfsense review
Id: bK2_ROQrMcM
Length: 18min 35sec (1115 seconds)
Published: Sun Dec 09 2018