Dd-wrt VS pfsense
I've recently finished wiring the house and was originally planning to install PFsense to handle all the networking stuff. In the meantime, though, I had to upgrade my wrt54g to dd-wrt to fix some annoying wireless problems and now I'm kinda dubious.
I have about a dozen devices that connect on and off to the net and right now dd-wrt seems to handle this load reasonably well even when shaping bittorrent traffic while keeping ping time for online games low (that's crucial, you don't want to deal w/ a pissed off teenager who just got his BF2 session blown up by lag… :-)
I don't have any other special requirements like VPN or other fancy stuff.
I'm a fan of BSD, which I have already installed on another box, but at this point I'm wondering if it's worth upgrading to pfsense. What "must-have" feature does it have over dd-wrt? One thing that I think should be easier to do w/ pfsense is isolating LAN from WLAN, anything else? How do the traffic shapers compare?
I hope nobody thinks I'm trying to diss pfsense, on the contrary. It's just that I don't have unlimited time to tinker and would like to have some advice. Thanks a lot in advance,
I have a wrt54g box with the dd-wrt firmware on it as well. I use it as a wireless access point only and pfsense for handling everything else. The wrt54g box is just not stable enough. When I had bittorrent running and other internet tasks the unit would drop the connection to the internet. I had to unplug and plug it every few days to a week.
Running as a wireless only access point I've gotten 60+ days uptime, as I've had a power failure or two and the device is located upstairs to provide central wireless coverage. UPS is downstairs on the fileserver and pfsense box.
Likewise pfsense is almost 100% reliable. Never had a dropped internet connection. I've had 40+ days of uptime as I have been keeping it current when new releases come out. I've used it on my 5mb down 2mb up cable connection and will run bittorrent and downloads and never once run into an issue. Plus it's better laid out and easy to view dhcp leases and the firewall logs. dd-wrt doesn't provide as fine control over the nat and firewall rules as well as logging. One feature I find essential to pfsense is the ability to limit the max new connections per xx amount of time. This allows me to keep people from trying to hack ssh on my linux box.
Downside to pfsense is that upnp is not there yet. Other than that there's no question pfsense is the way to go. However upnp is a security risk in one sense.
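The per-source limit on new connections mentioned above, modelled as a sliding-window check (an added example, not part of the original posts and not pfSense's own code). The limit of 3 new connections per 60 seconds, the block-until-cleared behaviour, the class and function names, and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class NewConnLimiter:
    """Allow at most `limit` new connections per source within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)  # source IP -> timestamps of accepted connections
        self.blocked = set()              # sources that exceeded the limit (assumed sticky)

    def allow(self, src, ts):
        if src in self.blocked:
            return False
        q = self.recent[src]
        # Forget accepted connections that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # Too many new connections in the window: block this source from now on.
            self.blocked.add(src)
            return False
        q.append(ts)
        return True


# Constructed sample: (seconds, source IP) for new TCP connections to port 22.
EVENTS = [
    (0, "198.51.100.7"), (2, "198.51.100.7"), (4, "198.51.100.7"),
    (5, "192.0.2.10"),
    (6, "198.51.100.7"),    # 4th attempt inside 60 s: over the limit
    (30, "198.51.100.7"),   # still blocked
    (70, "192.0.2.10"), (200, "192.0.2.10"),  # slow, legitimate client
]


def replay(events, limit=3, window=60):
    """Run the events through a fresh limiter; return per-event verdicts and blocked sources."""
    limiter = NewConnLimiter(limit, window)
    verdicts = [(ts, src, limiter.allow(src, ts)) for ts, src in events]
    return verdicts, limiter.blocked


if __name__ == "__main__":
    verdicts, blocked = replay(EVENTS)
    for ts, src, ok in verdicts:
        print(f"t={ts:>3}s {src:<14} {'pass' if ok else 'drop'}")
    print("blocked sources:", sorted(blocked))
```

The slow client is never blocked because its earlier connections age out of the window before it reaches the limit, while the rapid source stays blocked after its fourth attempt.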
upnp is almost there, you can install it as a package already: http://forum.pfsense.org/index.php/topic,551.0.html
so far my experience w/ dd-wrt has been pretty good. I have it on 2 routers one acting just as AP and the other doing the rest. the only instability seems to be caused by my tinkering w/ it :)
I don't particularly care for upnp, I only have few apps needing port forwarding and I'm happier to poke holes myself to keep things under control.
looking at the documentation I got the feeling that pfsense's traffic shaper is more granular and therefore potentially harder to configure than dd-wrt's that has preloaded rules for a bunch of applications (f.e. bittorrent, ftp, voip, several online games or xbox live) that make it a snap to set up.
I already have a box w/ 3 nics that I had decided to use w/ pfsense, I might try and install it and leave the linksys AP online and keep the other as a backup firewall in case I screw up configuring pfsense.
anyone else care to comment? thanks,
I actually used to use dd-wrt for about a year before switching to pfsense. A lot of the reasons why I switched was because of the more advanced features that pfsense offered but there are others.
Some simple ones which you may find more useful.
1. Better throughput - on a 5meg/512k connection I can squeeze out a bit more bandwidth
2. Better pings - dunno if anyone else notices this but pings are about 2-3ms lower if nothing is going on and if using BT or other stuff pings are lower by up to 40ms
3. Stability - pfsense hasn't crashed while dd-wrt would lock once every week with what I was tossing at it.
4. Scalability - can handle a lot larger load… not just in throughput but also in concurrent connections
5. Architecture - ok, granted depending on your hardware but it can be a night and day difference in the architecture.
You are comparing a small linux box (200 MHz, 16 Mb RAM) to a computer with 256 or 512 Mb of RAM and a big processor.
So it is normal to have instability problems with the small router when it handles a lot of connections, bittorrent and P2P… But DD-WRT has an x86 version that runs on PCs and it is really stable and faster than Pfsense.
I am now using many dd-wrt boxes as access points, and pfsense is doing the rest (DHCP, authentication...). pfsense never crashes but it has a lot of bugs and missing features.
It would be appreciated if pfsense had some of DD-WRT's features like
- additional DHCP options / DNSmasq as DHCP server. Windows networking is not working well in pfsense (from LAN to WAN, LAN clients cannot see PCs connected on the WAN domain, for example, in the latest pfsense release). I think that this problem is related to DNS / firewall bugs?
- I prefer the SPI firewall to pfsense, but it is a personal choice
- Access restrictions per IP or MAC address are also missing in the actual Pfsense release. Blocking P2P and other applications or websites is easy with dd-wrt
- QoS, priority per IP, MAC, subnet or application... in VLANs also
- the hotspot options: DD-WRT can use chillispot, nocat, sputnik for authentication... it would be nice if chillispot could be added to pfsense via a package (it needs a package for chillispot, radius, webserver... MySQL is also preferable).
- a monitoring package like Rflow is also missing in pfsense. It is not perfect in dd-wrt, but the best is to have a package or a small piece of software that lists all connected users (users, mac, ip, time and traffic) with the possibility to disconnect users
- finally, a nice feature that could be easily implemented in pfsense, I think, is the possibility to define user groups and to add (in captive portal) their static DHCP mapping
Anyway pfsense is a very good firewall and the support on the forum is very fast and appreciable.