Advice about pfSense vs the other free offerings
-
I'm posting this in General Question, because it's quite general.
I'm getting ready to load a software firewall into a home built PC. I'm leaning towards pfSense for lots of good reasons, but free Sophos and free Untangle are also being considered. Most comments all over the internet come across like 'support for the home team' rather than experienced and thoughtful reflection. Since this is a pfSense forum, I expect all will say pfSense is their favorite choice. That being said, what is so good or less good about the other two? I'm not interested in slamming anyone. Just helpful comparative information. I'm much too new with software routers to make a good evaluation without hearing from others who are experienced.
What does pfSense offer, or not offer, compared to these two others (any other one(s) in common use not listed above?)
I've googled a lot on this and have seen the common articles that are presented. All are too general to be really useful.
I'll start. This is for home use and free is essential, although minor extra expenses, such as $30/yr for Snort, are inconsequential. I don't want to be out a few hundred a year just to keep my home network safe unless that is what it actually costs (doubtful). Currently using DD-WRT.
pfSense provides a lot of features. It does not look difficult to install and use. The forum has been, so far, helpful. To the uncertain, how 'powerful' is it compared to the others?
Untangle appears to be easy to install and users say it's easy to work with. To the bad, the free version has limits and it is, for home use, too expensive to consider the full version for as many as 30 ip addresses in use. A quick look at the forum appears to offer helpful advice, but it does not appear to be used often.
Sophos free appears all powerful, but is complicated to use. The AV looks pretty good to me. Install is something I can grasp, but port forwarding looks monumentally difficult compared to just about every other router I have experience with. The forum is active but long-time contributors have a subculture of being less than helpful to newbies like me.
This information will be useful to all others, probably lots of people, who have had similar questions about objective evaluations about the top selections available.
Thank you.
-
I discovered pfSense from the folks on dslreports.com. I consider that the authoritative ISP community site. I've gotten the best technical details from folks there as well as discussing technologies and issues with employees from ISPs. Those folks recommended pfSense when I wanted to upgrade my Netgear FVS firewall to something else. Once I made the change I never looked back.
They're all good and the nice thing is you can find the one that fits your personal preferences and what you want to achieve.
-
OPNsense is a fork of pfSense based in Holland.
Consider MikroTik and Smoothwall as well.
One instance of unlimited MikroTik incl. support is 250 USD. Based in Latvia so no NSA backdoors to worry about :D
-
Based in Latvia so no NSA backdoors to worry about :D
You're joking, right? Being from Latvia isn't protection from anything. Everybody is already in the NSA's pocket, and they've already shown they have no problems intercepting hardware en route and infecting it. Hell, some of the ASICs inside the router may already be compromised.
-
Thanks much. I'll pass on MikroTik for now. Maybe next router.
I made my decision. pfSense wins. Untangle requires paid upgrades to really become useful. Sophos is too complicated for easy things and it's hard to find good answers. The Sophos AV I was most interested in looks less important after some research.
pfSense with $30/year for Snort is good. UPnP will help me with ooma and my slingboxes, also my NAS later when I want to access it from outside. Port forwarding looks easy if UPnP won't 'hold' the settings after I turn it off. My newly built small PC should power it nicely, in fact I might be able to replace it with something smaller and put the new PC to work as an HTPC, later.
I'm most interested in upgrading from DD-WRT to keep the bad guys out. With everyone under the sun scanning all day and who knows what they might find for a vulnerability, I want to be safe. I'm wondering if NAT and SPI will someday be looked upon as 'good in their day' until xxxx came along.
-
@jim1000:
pfSense with $30/year for Snort is good.
If you're going to use Snort or Suricata, you can also use the Emerging Threats List. They have a free "Open" List, and also a "Pro" version which is a little pricey but very good…
I'm most interested in upgrading from DD-WRT to keep the bad guys out. With everyone under the sun scanning all day and who knows what they might find for a vulnerability, I want to be safe.
You can also use pfBlockerNG which will block known malicious IPs.
https://forum.pfsense.org/index.php?topic=86212.0
-
Big +1 for pfBlocker. I am using an iblocklist subscription that's been very helpful.
Remember, security is best done in layers. Start simple, add a layer. Wash, rinse, repeat.
-
Hey Tim,
I'm really not a big fan of IBlock lists, there are a lot of other lists available that will do a better job… I wrote a script here, that Dok posted... (Just don't let him take the credit ;) )
https://forum.pfsense.org/index.php?topic=86212.msg508975#msg508975
Also v2.0 will have DNSBL domain name blocking via Unbound...
-
At the risk of sounding like a total noob, what all exactly does this block? I currently have the top 20 blocked. Will this block those as well as other known offenders?
-
Since it's better than what I got, I'd guess that it will. Speaking about my subscription because it's what I got, they do collect known IPs and block them. I can see script kiddie attacks being blocked scanning for port 22, 53, and a few others. It's just another layer of security, but I'm going to click that link to see if I can do better.
Props to BBcan177 for the improved linkage.
-
At the risk of sounding like a total noob, what all exactly does this block? I currently have the top 20 blocked. Will this block those as well as other known offenders?
Unfortunately, the primary reason why I wrote pfBlockerNG was not for the Country blocking per se. It was that the previous pfBlocker version couldn't handle a lot of the Threat Sources that are available… Also it didn't have any de-duplication of the lists... Not to mention that the Country lists were over 2 yrs out of date.
So to answer your question, if you use the Country Blocking features, it will download those first, then other lists are downloaded and if the IPs are already being blocked by a Country List, those IPs are skipped as they are already in the database... So yes, the other lists make a big difference than just using Top20.
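The ordered de-duplication described in the post above (country lists loaded first, later lists skipping anything already covered), as an added Python sketch that is not pfBlockerNG's own code. The feed names, the one-entry-per-line format and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress

def parse_feed(text):
    """One IPv4 address or CIDR per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            continue  # skip a malformed line instead of dropping the whole feed
    return nets

def dedup_in_order(feeds):
    """feeds: ordered (name, text) pairs; earlier feeds take precedence.
    Returns {name: [CIDR strings that feed adds to the block table]}."""
    accepted = []  # every network already in the table
    added = {}
    for name, text in feeds:
        new = []
        # collapse_addresses removes duplicates and nested ranges inside one feed
        for net in ipaddress.collapse_addresses(parse_feed(text)):
            if any(net.subnet_of(a) for a in accepted):
                continue  # already blocked by an earlier (e.g. country) list
            new.append(net)
        accepted.extend(new)
        added[name] = [str(n) for n in new]
    return added

# Constructed sample feeds using documentation address ranges.
SAMPLE_FEEDS = [
    ("country", "192.0.2.0/24\n198.51.100.0/24\n"),
    ("threat_a", "192.0.2.15\n203.0.113.7\n203.0.113.7  # repeated\n"
                 "not-an-ip\n198.51.100.128/25\n"),
    ("threat_b", "203.0.113.7\n203.0.113.200\n"),
]

if __name__ == "__main__":
    for name, nets in dedup_in_order(SAMPLE_FEEDS).items():
        print(name, nets)
```

Only ranges fully contained in an earlier entry are skipped; a later, wider range that merely overlaps an earlier one is still added.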