Which firewall to pick



  • Hello

    I am in a serious struggle with myself regarding which router/firewall to go with.

    I have narrowed it down to these 3 firewalls.

    -Ubiquiti USG
    -Ubiquiti Edgerouter 4
    -Netgate Pfsense SG-3100

    Why USG? Because then I would have all the management in one place, as I have 4 APs from UniFi, a Cloud Key and a UniFi switch.

    But I hear so much about throughput issues when advanced features are enabled, and I have a stable 1 Gbps WAN connection which I don't want to lose too much of.

    Edgerouter 4 has a lot of horsepower, but this is more for people messing with the CLI. I see myself as in between those two, but I am more into the GUI than the CLI.

    My requirements:

    -DHCP SERVER
    -VPN
    -Parental control
    -1 Gbit handling
    -SUPER FIREWALL
    -Packet inspection
    -Intrusion detection
    -Geo blocking/web filter
    -vlan
    -traffic control
    -Option to CLI
    -Remote access

    I know I am missing something here?

    Cheers...



  • -DHCP SERVER
    Yes

    -VPN
    OpenVPN or IPSec

    -Parental control
    Kind of.

    -1 Gbit handling
    Yes

    -SUPER FIREWALL
    What's that?

    -Packet inspection
    Not really, but IDSes like Snort or Suricata can inspect packets against blocklists and block suspected nastiness.

    -Intrusion detection
    Yes, Snort or Suricata. See above.

    -Geo blocking/web filter
    pfBlockerNG/Squid + squidguard

    -vlan
    Yes

    -traffic control
    If you mean Quality of Service (QoS) aka traffic-shaping, yes. Technically, all firewalls do traffic control.

    -Option to CLI
    Not really. Fundamentally, pfSense is a framework and GUI for FreeBSD's existing network functionality. If you want to do things from the CLI, install FreeBSD instead and go wild. While you can do some things from the CLI, you risk breaking something or, at the least, losing your changes after a reboot.

    -Remote access
    That's VPN, no?



  • @KOM
    If all those features are enabled, does the router take a performance hit?



  • Yes, of course. However, it can't be generally quantified because you could be running any number of different CPUs, and the performance varies with that.

    Personally, for a home network I don't bother running a geoblocker or an IDS. Geoblockers are only useful for blocking countries from coming into your forwarded servers, and I'm not running a server from home. Plus those are easily evaded by using a VPN so that Mr RussiaHacker or Mr ChinaHacker can appear to be coming from the US. I don't like IDSes because they put a load on your firewall and can sometimes cause problems with false positives or broken blocklists.



  • @KOM is exactly on point here and I agree 100%. Even though I am the maintainer for both the Snort and Suricata packages used on pfSense (and the creator of the Suricata package on pfSense), I still don't consider either package "required" for home network users. Sure, they offer some amount of additional security when used properly, but their configuration and subsequent administration requires quite a bit of skill and knowledge of internal networking theory and technology plus a good grounding in the various types of network threats running loose in "the wild". Unfortunately many non-IT security folks tend to think of an IDS/IPS as being as simple to administer and configure as say an anti-virus client. That is not true at all!

    pfSense is a great firewall distro for both home and commercial users. By default it blocks all unsolicited inbound traffic, so like @KOM said, if you don't have internal public-facing servers you don't really need all the geo-blocking stuff nor an IDS/IPS. If you just want to be a "geek" and have some fun and are willing to put up with a potentially steep learning curve, then install a geo-blocker or IDS/IPS and have at it -- just be prepared to chase down mysterious cases of things breaking from time to time.

    The very best IT security measure is to keep your installed software updated! Can't stress that enough. Malware and other exploits look for and operate on security holes within installed software. Keep your machines updated with the latest vendor supplied security hotfixes!



  • @hrohibil said in Which firewall to pick:

    -Ubiquiti USG
    -Ubiquiti Edgerouter 4
    -Netgate Pfsense SG-3100

    Showdown: https://www.youtube.com/watch?v=bK2_ROQrMcM (just an example; way more videos exist)

