pfSense vs SonicWall TZ215?
-
The words "SSL VPN" have always seemed a misuse of "VPN".
It's more like SSL RDP. I too prefer an actual VPN to an SSL desktop server.
-
Ah. It was my understanding that SSL VPN usually referred to SSTP. I could easily be wrong though.
Steve
-
On many occasions I've seen what is basically something similar to ThinVNC accessed via browser referred to as VPN.
That's not my idea of VPN either. SSTP is VPN, but I never use it. This is the sort of explanation of SSL VPN that I'm used to seeing people talk about.
http://searchsecurity.techtarget.com/definition/SSL-VPN
I have set up a server like this before under Linux using FreeNX as a server, but I never called it a VPN. I called it a desktop server.
(I don't like the performance of TCP based RDP applications either. Very sluggish compared to UDP based applications.)
-
Yep, not what I call a VPN either but I think you're right. I can't find any mention of SSTP on SonicWall's site.
Steve
-
To be fair, you don't have to pay anything to SonicWall if you just use the FW and, I think, VPN. We used one in a remote office for about 2 years before switching it to pfSense. They wanted us to buy content filtering and all that "extra" stuff you might not need. If you want support, pfSense's support is cheaper, and better IMO.
We have been running pfSense in 2 data centers and our office with no issues. Well, except for once, but it was only one server and it was in a DMZ by itself with port 22 open to the world with a very simple password. Don't ask, I warned them till I was blue in the face, but since it was not my server .. whatever. But it was isolated and could not hurt anything in my main net. pfSense FTW. I have survived many power offs. Only had to redo my FW once because of a power issue. Don't forget regular backups.
Also, and I know I am being long winded, I had our office manager log in recently and, with instruction, undo my mistake and reboot with very little effort. I would not have attempted that with SonicWall. It is just not that intuitive. To remove the gas from the flames, anything, once gotten used to, is easy for those who administer it. OpenVPN works well for a mesh VPN in site to site. You are not talking road warrior stuff here. Although I hear it works well for that also.
I have also worked with Juniper, Cisco, and WatchGuard FWs and I would still prefer pfSense. I can fully customize it without worrying about licensing. Thank you pfSense developers!!!
-
Thanks so much for replying back.
Does the FW-7541 come with a worldwide warranty? I assume a lot of people have purchased this hardware, right?
When I say SSL VPN, yeah, I am referring to something like OpenVPN. But I think OpenVPN is quite limited; not sure iOS can support it (without jailbreak).
I had seen SonicWall SSL VPN. They have the mobile (iOS, Android), PC, Mac, Linux clients too.
Right now, I plan to use 2 internet connections (active, passive, or both if I can do network bonding in pfSense???)
primary - 5MB ADSL line (why 5MB ADSL? Because it is in a remote area, that's the best I can get)
secondary - 3MB 3G/4G connection (still haven't figured this out yet, but assume it will connect to a GSM gateway or something)
Since this is in a remote area, should I consider a failover pfSense too? In case pfSense is dead, it will fall back to a 2nd pfSense? Not sure this can be done either.
Hopefully the FW-7541 can do that.
I don't think I need content filtering for now. After all, I need to make sure my servers are secure. I believe content filtering is more for the user side.
I assume the definition updates are for content filtering. If I don't need this and disable it, it won't affect anything, right?
Any help? Thanks so much again :)
-
"But I think OpenVPN is quite limited, not sure iOS can support it (without jailbreak)."
What you mean to say is that iOS is limited?
The gold standard of VPN isn't how well iOS has decided to support it. Actually, the opposite might be true.
iOS has a history of screwing over anything they can't hijack and transform into a revenue stream immediately.
My personal opinion of iOS is it's an OS for yuppie hipster wannabes with more money than brains who buy into a "lifestyle".
Anyhow. IPsec is supported out of the box on both iOS and pfSense, so rest easy.
-
The FW-7541 is relatively new so not that many people here will have one. Warranty questions would be best aimed at Netgate directly, I'm not sure. There are many people running similar hardware though and it's probably the best tested pfSense platform available.
There are VPN options available for all those platforms that will work with pfSense. Personally I'm using OpenVPN with Windows and Linux clients and Android (yes, also Linux!). OpenVPN can also run on iOS without jailbreaking: http://doc.pfsense.org/index.php/OpenVPN_on_iOS
You can do load balancing between two WAN connections, you can also do true bonding but that requires the ISP to co-operate and be running both connections.
You can run two FW-7541, or any boxes, as a CARP cluster for high availability.
If you don't need content filtering then don't install it and forget about it. :) The definition updates I mentioned are for Snort (IDS/IPS) which isn't content filtering. Again if you don't need it just don't install it.
Clearly you're unlikely to find anyone here recommending SonicWall over pfSense. ;) I hope we've pointed out that pfSense can accomplish all you need for less expenditure.
Steve
-
I assume not many people have the FW-7541, but it's tested by the pfSense internal team, right? I assume it can be used for enterprise usage too. Just curious how many concurrent users it can support?
For SonicWall TZ215, it can support IPsec site-to-site up to 20 sites. How about FW-7541 or pfSense? I am not sure whether pfSense can support more than 1 site?
What kind of hardware do most people use with pfSense? Just out of curiosity though :)
I googled this, and found a similar box here
http://hollipc.en.china.cn/selling-leads/detail,1100782802,Network-Security-Platform-Firewall-IEC516P.html
Are those specs sufficient? Or do you recommend others?
How do you get both ISPs to cooperate for true bonding? They are kinda competitors though. Hmm?
I searched the forum, and it seems like pfSense can't support PPPoA. Is this true? Because I have an Australian ADSL that is based on PPPoA. I plan to have this pfSense talk to the modem to dial for the ADSL internet.
Lastly, for the CARP cluster, I assume the FW-7541 can make this work too? I have to make sure, as I believe the FW-7541 is embedded (probably on NanoBSD, not sure this works?).
-
I searched the forum, and it seems like pfSense can't support PPPoA. Is this true? Because I have an Australian ADSL that is based on PPPoA. I plan to have this pfSense talk to the modem to dial for the ADSL internet.
You should talk to the ISP to see if they support PPPoE as well… And yeah, there's no PPPoA support, just about every sane ISP abandoned this sucky thing long ago. This thread has some good technical info.
-
I assume not many people have the FW-7541, but it's tested by the pfSense internal team, right? I assume it can be used for enterprise usage too. Just curious how many concurrent users it can support?
It will go as fast as and faster than any of the speeds you mention, and with multi-GB RAM will have no trouble supporting lots of VPN links of any flavour. For specific questions about the device email the sales address at NetGate. I have bought plenty of stuff at NetGate, and they always tell me correctly what works with what. They won't give you a sales spiel, they tell you reality and are smart enough to know that happy customers come back again and again.
-
Mmm, that is a good thread. As stated in it, almost all ADSL in the UK is still using PPPoA. Though I have in the past managed to make a PPPoE connection directly, it was never very stable or reliable; it's been some time since I tried though. Anyway, there are many modem/routers that can be put in some type of bridge mode to work with PPPoA, so it shouldn't be a problem. I'm using the Draytek Vigor 120, which is incredibly easy to set up (no config required, it's already a PPPoA-PPPoE bridge). There are loads of Aussie pfSense users who could probably advise you better on available modem options.
There's no real limit on how many VPN connections you set up. The limit is in how much traffic you are passing over all of them, though I guess there is some overhead. The TZ215 claims to support 130Mbps of AES encrypted traffic (though it doesn't say what encryption level that is), so I would infer that it has some additional VPN accelerator hardware. The FW-7541 will probably pass 50-60Mbps depending on the encryption level and type. Given that you have <10Mbps WAN connections, that may not be a problem. (You wrote MB but I assume you meant Mbps?)
I am using re-purposed Watchguard boxes mostly because I can. ;) See: http://forum.pfsense.org/index.php/topic,25011.0.html
To use MLPPP you need to have both connections from the same ISP and they need to support it at their end. You'll never get that with one dsl and one mobile connection. :(
Steve
-
But I think OpenVPN is quite limited, not sure iOS can support it (without jailbreak).
https://itunes.apple.com/us/app/openvpn-connect/id590379981
-
I searched the forum, and it seems like pfSense can't support PPPoA. Is this true? Because I have an Australian ADSL that is based on PPPoA. I plan to have this pfSense talk to the modem to dial for the ADSL internet.
I am in Australia. I use Gold Coast based ISP Onthenet. My pfSense talks PPPoE to a Tenda D820B ADSL modem. The combination works well enough.