Netgate Discussion Forum

    Which firewall to pick

    General pfSense Questions
    • hrohibil

      Hello

      I am in a serious struggle with myself regarding which router/firewall to go with.

      I have narrowed it down to these 3 firewalls.

      -Ubiquiti USG
      -Ubiquiti Edgerouter 4
      -Netgate pfSense SG-3100

      Why USG? Because then I would have the whole management in one place, as I have 4 APs from UniFi, a Cloud Key and a UniFi switch.

      But I hear so much about throughput issues when advanced features are enabled, and I have a stable 1 Gbps WAN connection which I don't want to lose too much of.

      Edgerouter 4 has a lot of horsepower, but this is more for people messing with CLI. I see myself as in between those two, but I am more to the GUI than CLI.

      My requirements:

      -DHCP SERVER
      -VPN
      -Parental control
      -1 gbit handling
      -SUPER FIREWALL
      -Packet inspection
      -Intrusion detection
      -Geo blocking/web filter
      -vlan
      -traffic control
      -Option to CLI
      -Remote access

      I know I am missing something here??

      Cheers...

      • KOM

        -DHCP SERVER
        Yes

        -VPN
        OpenVPN or IPSec

        -Parental control
        Kind of.

        -1 gbit handling
        Yes

        -SUPER FIREWALL
        What's that?

        -Packet inspection
        Not really, but IDSes like Snort or Suricata can inspect packets against blocklists and block suspected nastiness.

        -Intrusion detection
        Yes, Snort or Suricata. See above.

        -Geo blocking/web filter
        pfBlockerNG/Squid + squidguard

        -vlan
        Yes

        -traffic control
        If you mean Quality of Service (QoS) aka traffic-shaping, yes. Technically, all firewalls do traffic control.

        -Option to CLI
        Not really. Fundamentally, pfSense is a framework and GUI for FreeBSD's existing network functionality. If you want to do things from the CLI, install FreeBSD instead and go wild. While you can do some things from CLI, you risk breaking something or at the least, losing your changes after a reboot.

        -Remote access
        That's VPN, no?

        • hrohibil @KOM

          @KOM
          Enabling all those features, does the router take a performance hit?

          • KOM

            Yes, of course. However, it can't be generally quantified because you could be running any number of different CPUs and the performance varies with that.

            Personally, for a home network I don't bother running a geoblocker or an IDS. Geoblockers are only useful for blocking countries from coming into your forwarded servers, and I'm not running a server from home. Plus those are easily evaded by using a VPN so that Mr RussiaHacker or Mr ChinaHacker can appear to be coming from the US. I don't like IDSes because they put a load on your firewall and can sometimes cause problems with false positives or broken blocklists.

            • bmeeks

              @KOM is exactly on point here and I agree 100%. Even though I am the maintainer for both the Snort and Suricata packages used on pfSense (and the creator of the Suricata package on pfSense), I still don't consider either package "required" for home network users. Sure, they offer some amount of additional security when used properly, but their configuration and subsequent administration require quite a bit of skill and knowledge of internal networking theory and technology, plus a good grounding in the various types of network threats running loose in "the wild". Unfortunately, many non-IT security folks tend to think of an IDS/IPS as being as simple to administer and configure as, say, an anti-virus client. That is not true at all!

              pfSense is a great firewall distro for both home and commercial users. By default it blocks all unsolicited inbound traffic, so like @KOM said, if you don't have internal public-facing servers you don't really need all the geo-blocking stuff nor an IDS/IPS. If you just want to be a "geek" and have some fun and are willing to put up with a potentially steep learning curve, then install a geo-blocker or IDS/IPS and have at it -- just be prepared to chase down mysterious cases of things breaking from time to time.

              The very best IT security measure is to keep your installed software updated! Can't stress that enough. Malware and other exploits look for and operate on security holes within installed software. Keep your machines updated with the latest vendor-supplied security hotfixes!

              • Gertjan @hrohibil

                @hrohibil said in Which firewall to pick:

                -Ubiquiti USG
                -Ubiquiti Edgerouter 4
                -Netgate pfSense SG-3100

                Showdown: https://www.youtube.com/watch?v=bK2_ROQrMcM (just an example - way more videos exist)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??
