pfSense vs UniFi Firewall: May 2024 Edition

Captions
Welcome to the May 2024 edition of UniFi features versus pfSense features in terms of firewall. Now, this is not an easy comparison to make, because there are so many things that go into a firewall, and I want to cover this a little bit differently than I did in my July 2023 video by actually showing some of the fundamental differences, to kind of give you some overall views of these. UniFi, just in the last year, has made some leaps and bounds toward making a much more full-featured firewall, but I will not tell you which one to use; that is ultimately your decision. As I tell people: use what makes you happy, use what makes sense for your use case. What I do want to show is those nuanced details about how these services function differently in each of these firewalls. What makes them even more challenging to compare is that pfSense is just that, a firewall, versus UniFi, which has a firewall feature but is actually part of a larger ecosystem and platform that can control your switches and your access points and Wi-Fi, etc., all in one place. So there's no fair comparison there, especially when you start talking about Dream Machines and some of the NVR features that get thrown on top of that, along with all the other cool things you can do with UniFi. But I am keeping this narrowed in scope to just firewall features so I can talk about those differences.

What I will tell you right here up front, so you can save the time of watching the video: there are no gotchas here. I'm not going to tell you that one or the other is a terrible, insecure platform, because they're both solid and secure platforms that have great track histories in terms of their overall security. As far as updates, Ubiquiti has been on top of updates for quite a while, and so have the folks at pfSense. So in terms of using it just for routing, yeah, these are going to be fine. If that was your concern, hopefully I've just alleviated that and you can just say, okay, I was just worried that I couldn't use it for routing, but yes, of course it does all your basic routing and VLAN functionality. That's not what we're here to talk about, because that does work perfectly fine in both platforms. Let's dive into those nuanced details where I show you some of the things that are advantages on the UniFi side and advantages on the pfSense side, and it comes down to which need you have and which one fulfills that need the best. So let's get started.

[Music]

Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage, or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor, or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration, or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the "Hire Us" form at LawrenceSystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we discuss on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.

We're going to start here with my forum post, which you'll find linked in the description below. With pfSense, we're going to cover the CE and Plus editions; there are a couple of little changes between them, and that'll be noted in this column here. Then we have the UXG-Pro and the UDM Pro Max and SE versions. I'm not covering all of them, because once you get down to a couple of the smaller ones, there will be features that they don't have; dual WAN and WAN failover are not going to be an option because they physically don't have the ports. But they do have most of the same functionality that we'll be covering. I know a lot of people are looking at the UDM Pro Max and SE versions or the UXG-Pro, so let's get started.

Can you run it on your own hardware? Well, of course, with pfSense you can, or you can buy Netgate hardware. And with virtualization, you can virtualize pfSense Plus. But the UDM is a hardware platform, and it comes with their software installed; there's not really any separating the two officially.

Centralized management: there is not an option currently for pfSense for centralized management that's official from Netgate. There have been talks about this coming out in the future, but as of right now that does not exist. UniFi does have it, either via the self-hosted UniFi Network server or via the UniFi Site Manager, and you can actually also take your self-hosted instance of the Network server and tie it to Site Manager, so you can have both, technically. The web interface on pfSense is directly a function of the pfSense software, versus the web interface being part of the UniFi Network server with the UXG-Pro, and via the built-in server with the UDM series. That being said, it's also worth noting that you can't run your own self-hosted controller and then adopt one of the UniFi Dream Machines into it, because they have their own built-in controller that comes with the device. So technically the software is running on there, but it's running separately; it's an abstracted layer from the firewall. It all ties into Site Manager, but that is a fundamental difference between how they do the UXG-Pro and the previous, now deprecated, USG Pro, which was one of the original devices.

Now that we've got some of that out of the way, let's talk about license fees. If you buy Netgate hardware, there are no license fees for the Netgate. But if you'd like to buy Netgate pfSense Plus and not just use the free Community Edition... for CE, yes, there are no license fees. So once again, I've just made that little asterisk there to let you know: if you buy the hardware, there are no fees. There are no fees for the UXG-Pro or the UDM series. This is one of the things UniFi supports: you can just have their controller software, if you want to download and self-host it, and manage a UXG-Pro, no problem, no license fees, and there are no license fees with the built-in controller that comes with the hardware as well.

Moving down to operating system: FreeBSD versus Linux.

Then the next thing on there that's really a big deal, I think, is automatic updates. That's one thing I'm really happy about, that there are automatic updates as an option. You can turn it off; you can't override this. I don't know that this will be coming to pfSense; that's a maybe. But having the automated updates is huge for people who want to kind of set it and forget it, especially home users, or technical people like myself maybe providing something for family members: "What's the best one to buy?" Use this; just plug it in, it'll work, the setup is easy, and it will auto-update and maintain security. It is not the same way in the pfSense world, where you can't just set it and forget it. It does take actual intervention for you to go in and say yes to doing the updates.

Now let's dive into granular changes and rollbacks. The rollbacks are only in pfSense Plus, but the granular changes are in both, and this is not a feature that you have over in UniFi. Here inside of pfSense we have both the boot environments, because this is the pfSense Plus system, and an entire list of each change as it was made, the ability to roll back to that change, and the ability to create differentials between those changes so we can look at how they were made. We know who made those changes and when, and we can quickly just hit this and revert back to that particular state, or even just download a backup of the firewall as it was at the time that change was made. This is really nice for not only a change log of what happened, but being able to see who did it, roll back to it granularly, and even do differentials to see the file changes. And of course the boot environments allow this as well, where you can take an entire snapshot of the OS, if you have the Plus edition, and bring it back to that particular snapshot, using ZFS snapshots in the background. Now, UniFi does have logging of what the users did, so you can see when I opened things or review changes to the VPN, but you can't roll back to these. I can only see what changes were made; for example, the Teleport subnet, I did change the range on that, but you can't go back and reverse it. But at least you know what I changed, so you could go back and reverse it manually.

High availability: we have a yes with pfSense; I've got a pretty in-depth video on that. I'm not aware of that coming to the UXG-Pro. Yes, this is in beta with certain models, and it's actually a really cool feature. UniFi calls it their Shadow Mode gateway. This has actually been out for a little while; this is the latest iteration that's in beta that I'm testing right now, and it works really well. Several YouTubers have also demonstrated this, such as Techno Tim, Chris from Crosstalk Solutions, and Cody. It is one of the easiest setups; hats off to them for making this really easy. I will point out as well that Shadow Mode does not require the same extra IPs that are required in pfSense when you set up HA there. This is simply using VRRP to hand off the IP between the devices. It works really well, but it is in beta as of the recording of this video.

VLAN support: yes, they support VLANs; I'm all of the above here. But with pfSense, you don't just have VLAN support; you can go a little further with things like QinQ. You have a lot more advanced features, including interface groupings that you can do, and this goes a little beyond what you can do inside of the UniFi platform.

BGP and OSPF: this is a yes for pfSense; there are actually a lot of features around there. OSPF was recently added to UniFi, and as of right now it's still relatively simple, but this is a feature now supported in the UniFi platform.

Captive portal: I'm not a big fan of captive portals, but yes, these all have captive portal options.

OpenVPN, IPsec, WireGuard: I'm going to group all these together to kind of give a demonstration here. Yes, but very basic. What I mean by that: even for IPsec, I didn't put the words "very basic," but technically, compared to pfSense, it's basic; it may be adequate, though. If you're looking at OpenVPN inside of pfSense, you see a lot of options, so you can really fine-tune exactly which data encryption algorithms you'd want to use. You can choose all kinds of parameters in here: your certificates, your client certificate with OCSP if you want that feature on there, the ability to choose these different settings here, and an entire cert management system in here, fallback algorithms, digest, certificate depth (client plus server; client plus two intermediaries plus server; four, five, etc.). You can really go fine-grained through all these controls, and I've got videos on how to set this up in pfSense, but yeah, this gives you a lot of options, and then you can pass through extra parameters here. The same goes for doing IPsec: you have a lot of options and a lot of granular control over IPsec, and if you go over to what they consider the advanced settings, you have granular logging controls in here, configuration options, etc. So there's a lot you can do here, and if you have custom situations where you're connecting your firewall to a third party, a lot of times you have to go through these and figure out how to line it up and match them together. Coming over here to VPN settings on UniFi, we have the WireGuard server; this is actually very similar, except I will say UniFi has the advantage of being able to do a QR code to make it easy to add devices. So WireGuard is a relatively simple VPN server to set up on both of them. But once you look at something like OpenVPN, even with a manual setup here, there are just not nearly as many options or advanced features that you can do. And if you go over here to site-to-site VPN and we look at doing OpenVPN or IPsec, same thing: even with a manual setting, there are still not a lot of advanced, detailed options in here.

Now, if we look at the automatic site-to-site options, there's nothing built into pfSense for automated site-to-site, because pfSense doesn't have a cloud controller or anything to coordinate that. You can, via the UniFi Network server or their Site Magic, do automated site-to-site. This is really cool; I think it's a nice feature that this is just built into the firewall. But with pfSense we have the option of Tailscale. It's a plugin that you can load just going through their normal package manager, nothing special, and with Tailscale this makes it easy to have Tailscale handle automatic site-to-site and other functionality. Tailscale is not supported on UniFi, because they have their automatic site-to-site and Site Magic built into UniFi, so I don't really expect them to put this on a roadmap, because they have their own.

Intrusion detection versus intrusion protection: Suricata or Snort and all the features, versus very basic and very basic for either one of these. Let me explain what I mean. When you're looking at the Snort settings or Suricata settings (it's a similar interface in pfSense), you have a ton of granular controls, not just of the settings but the categories which you want to check, specific rules, variables, and so on and so forth. So there's an absolute ton of exposed options here: ways to pull in different lists and updates, including paid subscriber rules. Inside of UniFi you have Auto or Advanced, and under Advanced there is a way to change the sensitivity, and you'll notice that these are very similar to the rules exposed in pfSense, and they're based on Suricata in the back end. So they're actually running similar services in the back end; they just don't expose as much detail. But this may be easier for some people, because they can simply check the boxes they want and that's adequate for what you need, including things like the dark web blocker or blocking known malicious IPs from their threat entries. But they don't give you a lot of granular control here, in May of 2024, over exactly what you want added into that list, or custom lists, or paid subscriber rules that you can buy from Snort or Suricata.

This is where UniFi really differs from pfSense. pfSense does not really have, especially since Squid has been deprecated, any good way to manage SSL filtering. Now, even with Squid in the past, I never thought it was a great way to do it. They do not have a DPI system, versus you have a really solid content filtering and DPI system inside of UniFi. Now, the traffic monitoring is sort of related; you can view some of that, with some DPI information, using ntopng (I've done a video on that). In UniFi you get to view it but also control it, and they've done a great job of making this easy. So we can select a specific device or a specific network. We're going to do it by device, save, and we're going to choose the apps. We'll select the apps, and let's say we don't want that device to watch YouTube or YouTube Kids, so we're just going to hit save. You know what, I really think we should probably edit this and block Outlook as well. There we go, hit save. Now this device, on a schedule, or every day, every weekday, on a timer, etc., can have that blocked. They've just done a nice job of this, the same with even adding speed limits. It's kind of all part of the traffic control system here, and this is something a lot of users are really going to like, and it is a frequent request in pfSense. Even with pfBlockerNG this is really not supported at this granular per-device level, which leads us down here to DNS filtering: yes, via pfBlockerNG, because you can add very granular custom block lists, but you get that at the firewall level, not the per-device level, versus just the basic features that you have for DNS filtering inside of the UniFi platform.

Now let's talk about advanced DNS options. Inside of pfSense we have some very advanced options, but there's really no equivalent to even show you inside of UniFi. So when we look at the DNS Resolver settings, you have a lot of fine-grained control over what network interfaces it's attached to, and some advanced settings if you want to fine-tune your DNS for a lot of different reasons; you can go through here and configure pretty much all your high-end DNS options and get very granular. You can leave them at default and they work fine at default, but if you have some of those advanced use cases, especially the simple ones like host overrides, they still don't exist currently in the UniFi platform.

GeoIP filtering: this is across all of them, yes; it's with pfBlockerNG inside of pfSense.

Traffic shaping: there's a lot of advanced traffic shaping versus the kind of basic on-or-off that you have here. I've covered this before in videos where you can choose your different type of queue management algorithm and set your WAN up and WAN down speeds, so you can get fine-grained control over how you want the traffic shaping to be set up inside of pfSense.

Multi-WAN support: they do have basic failover support inside of UniFi, but it's a lot more advanced inside of pfSense, so let me show you the differences. When you go to your routing inside of pfSense, you have all of your different gateways; then you can build your gateway groups, and when you're building these gateway groups you have the option to tier them, up to five different tiers, or you can even have them sharing tiers. This allows you to change how the failover works, what the trigger level is, high latency or packet loss, and this can actually be on a per-gateway basis, defining exactly how it monitors each of these gateways and makes those determinations and sets the weights. This is important if you have really advanced failover needs, more than just failing over from one to the other. You do have the ability to fail over inside of UniFi, but it's not quite as granular. You can do distributed and choose how you want it distributed, but it doesn't really have tiering in here, and there are only two supported, so there's not a ton of things: you either get a primary WAN or a secondary WAN failover, or distributed, and, as I noted, not a lot of fine-grained control.

SNMP monitoring: this is popular in a lot of business environments because you have other services that may do the SNMP monitoring. You can do this with pfSense. Right now, in the version 3 series, this is not an option for the firewalls, but there is an option to turn it on, because it allows other devices that are UniFi to be monitored via SNMP. This is coming to the 4.0 version, but this is the May 2024 version of this video, hence I'm not talking about things that are not released yet. But that is actually coming soon, for those wondering.

Active Directory integration: yes, via RADIUS or LDAP; yes, via RADIUS, because I know people can do it. But this is where there's a little bit of nuance I want to talk about. If you head over to the pfSense documentation, there is entire documentation from the people at Netgate on how to do this, step by step. This is something that I know can be done in UniFi, but there's no official documentation from UniFi on exactly how to set this up, which is why I do say yes, because I know people have done it, but you're going through people's guides or videos people have done to see it. There's not much documentation on the UniFi side, that I could find at least, that shows official ways to set that up.

Policy routing: they do IP-based policy routing. Inside of pfSense you can do policy routing for even the VPNs and send things over other gateways, but at present not over the WireGuard one, which I think is a little odd, but I'm sure that's a feature that will be coming out in the future.

Packet capture, diagnostic tools, and NetFlow export: we can kind of group these together. This is a feature of pfSense; it's yes, built in, and a package available if you're not using pfSense Plus. If you're using pfSense Plus, this is automatically built into the web interface. But I say yes to the command line on both of these, because they're running Linux underneath, so many of these features are there if you want to do packet capture with something like Wireshark. You could turn on SSH, SSH in, and I've covered before how to do this with a UniFi access point. So yes, there are actually a lot of things you can do from the command line on there. But there's currently no NetFlow export, and the packet capture tools inside of pfSense are actually quite good and quite granular. You can choose the interface that you want to capture off of, then you can filter for only the packets that you want, and the advantage of doing it in a web interface like this is being able to get very specific, only the thing I want on a network. If that network's remote, it's harder to set up Wireshark to tie into it, but you can do that with pfSense. Now I can just grab a capture of some type of packet because I want to see what's going on, and pull that data right into a pcap file that I can download and analyze on my system. They make it really easy to do. Inside of pfSense Plus they have all these other diagnostic tools, like looking at the ARP table, or doing a DNS lookup so I know how the firewall sees something based on its DNS settings, or even looking up what ports are open, which is very helpful when you're trying to figure out or troubleshoot any port forwarding options.

Now, the last two are really popular among home users. I don't really see this as the target audience for people running the UniFi systems, that's going to be having HAProxy as your reverse proxy along with Let's Encrypt certificates. This is a nice combo. I put it on here because I know a lot of people would ask about it if I didn't, but I don't really see this as UniFi's task. It's not hard to insert the name of your favorite third-party proxy, or even HAProxy, where a lot of other people have a dedicated secondary reverse proxy. But it's nice having it built into pfSense, because it's the central point in your network, so it can handle all certificates and reverse proxy to other services that you may want to have on there.

Now the last thing I want to cover here is the firewall rules themselves, and this is where there's a really dramatic difference in the way they handle it. You have good features, and probably the most common features, available inside of the UniFi platform for setting up firewall rules, but I don't believe they laid them out in the most concise or clear way. This is a little bit confusing when you have a whole lot of networks, figuring out exactly how they're all structured, versus the way it's handled in pfSense, where you have not only a ton of options (as I noted, many of which you may not use, but if you need to use them, they're there; there are a lot of really advanced features) but, because of the way they segment out all the firewall rules on a per-interface basis and allow you to put things like notes in between them so you can group the rules together, along with a very nice aliasing system in case you need to pull in other sources to help build the rules, they've just done a great job on this with the pfSense system in terms of layout and conciseness. There's also the ability to granularly do things in pfSense such as import just firewall rules. So if you have to do something repetitive, you can actually grab rules, drag them across, repeat them across, or even import and export them between different pfSense devices to have them align to a structure that you want, or even just import and export aliases that you want to set up. This gives you a really large amount of advanced control over how you do firewalls, which is awesome. Not everyone needs it, but it's really nice if you do need it, and that's where these advanced use cases come in, and that's why I did this video. It's not that one is better than the other.

Now, granted, many of you may go, "But I really need that DPI and content filtering option that's in the UniFi system," and hey, I get it; that's a frequent request that you just don't have inside of pfSense natively built in. But that being said, all those advanced traffic rules: if you're going, "I have a large-scale site I have to set up, I have a lot of VLANs, I need all these extra features, and I need to have these different rule sets be able to have an alias so I can push this across with granular control," hey, pfSense has it for that. But that's not an everyday use case, and comparing niche products kind of gets you that better idea when I say, and I've said this many times in many debates with people about which one you should get: well, I like the advanced features in pfSense, and those are the features I'm talking about, but if you don't need them, well then your use case comes down to "buy what you need." Both of them are good platforms. I'm not here to bash on either one of them, because, as I said in the beginning, I've seen them both in large-scale production systems. And if you're a small business running very few rules, which is a pretty common setup where most of your applications are in the cloud and you don't really host anything on site and you're just a bunch of users using computers on the network, then you're probably not even spending a lot of time building out many firewall rules, so that doesn't really matter to you.

All in all, let me know which one is right for you, and if it wasn't the two I covered, then let me know what it is. It's always fun seeing what people think in the comments. Like and subscribe to see more content from the channel. Head over to my forums, where you'll find that list along with this video; it's a great place to have a more in-depth discussion on this and other topics that you may have seen on the channel. And head over to LawrenceSystems.com if you're interested in signing up for the newsletter to keep up with the things going on, or check out our swag store. All right, and thanks.

[Music]
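The multi-WAN part of the transcript describes pfSense gateway groups in terms of three ideas: members sit in tiers (1 to 5), several members in one tier share load by weight, and each gateway's own monitor thresholds feed a trigger level (member down, packet loss, high latency, or either) that decides when a member is dropped from the group. The following is an added example, not code from the video or from pfSense itself, that models that selection logic so the tiering and trigger behaviour can be tried out offline. The gateway names, latency and loss figures, and thresholds are constructed, and the trigger names are labels chosen to mirror the options on the gateway-group form rather than identifiers taken from pfSense.

```python
"""Tiered multi-WAN failover, modelled on the pfSense gateway-group behaviour
described in the video. Added example for illustration; this is NOT pfSense
code, and the gateway names, measurements and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Trigger levels, labelled after the options on the pfSense gateway-group form.
TRIGGERS = ("member_down", "packet_loss", "high_latency",
            "high_latency_or_packet_loss")


@dataclass
class Gateway:
    name: str
    tier: int                        # 1 is preferred; pfSense offers tiers 1..5
    weight: int = 1                  # relative share when members share a tier
    latency_ms: float = 0.0          # current monitor measurement (constructed)
    loss_pct: float = 0.0
    down: bool = False               # monitor reports the gateway unreachable
    latency_limit_ms: float = 500.0  # per-gateway thresholds, as the video notes
    loss_limit_pct: float = 20.0


def is_failed(gw: Gateway, trigger: str) -> bool:
    """Decide whether a gateway is excluded from its group under the trigger."""
    if trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger level {trigger!r}")
    if gw.down:                      # a dead member is out under every trigger
        return True
    high_loss = gw.loss_pct > gw.loss_limit_pct
    high_latency = gw.latency_ms > gw.latency_limit_ms
    return {
        "member_down": False,
        "packet_loss": high_loss,
        "high_latency": high_latency,
        "high_latency_or_packet_loss": high_loss or high_latency,
    }[trigger]


def active_shares(group: List[Gateway], trigger: str) -> Dict[str, float]:
    """Return {gateway: fraction of new connections} for the live tier.

    The lowest-numbered tier with at least one healthy member carries all
    traffic; if several healthy members share that tier they load-balance by
    weight. Higher tiers only come into play when every lower tier has failed.
    An empty dict means no gateway is usable at all.
    """
    healthy = [g for g in group if not is_failed(g, trigger)]
    if not healthy:
        return {}
    best_tier = min(g.tier for g in healthy)
    members = [g for g in healthy if g.tier == best_tier]
    total = sum(g.weight for g in members)
    return {g.name: g.weight / total for g in members}


def demo_group() -> List[Gateway]:
    """Constructed sample: two tier-1 links sharing load, one tier-2 backup.
    The cable link is lossy (25% > its 20% limit) but within its latency limit."""
    return [
        Gateway("WAN_FIBER", tier=1, weight=3, latency_ms=8.0, loss_pct=0.0),
        Gateway("WAN_CABLE", tier=1, weight=1, latency_ms=40.0, loss_pct=25.0),
        Gateway("LTE_BACKUP", tier=2, weight=1, latency_ms=120.0, loss_pct=1.0),
    ]


if __name__ == "__main__":
    group = demo_group()
    for trig in TRIGGERS:
        print(f"{trig:28s} -> {active_shares(group, trig)}")
    group[0].down = True
    print("fiber down, loss trigger    ->",
          active_shares(group, "high_latency_or_packet_loss"))
```

Running it prints the chosen share for each trigger level. With the constructed numbers, the lossy cable link keeps its 25% share under the member-down and high-latency triggers, drops out under either packet-loss trigger so fiber carries everything, and the LTE link is only used once both tier-1 members are excluded, which is the tiering behaviour the video contrasts with UniFi's two-WAN primary/secondary or distributed options.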
Info
Channel: Lawrence Systems
Views: 64,863
Keywords: LawrenceSystems, pfsense firewall, ubiquiti networks, pfsense router, network security, ubiquiti unifi, firewall comparison, unifi firewall, pfsense vs ubiquiti, pfsense vs unifi dream machine pro, pfsense vs unifi, pfsense unifi setup, pfsense unifi vlan, pfsense (software)
Id: OkdtybC2Krs
Length: 23min 29sec (1409 seconds)
Published: Tue May 07 2024