Need more clarification on PFSENSE & MIKROTIK



  • I am new to Linux and am highly interested in learning how to set up and configure one with firewall, router, NAT, hotspot, etc., and most especially open source like pfSense.
    My office uses MikroTik for their wireless access point, along with the hotspot billing, which also records tickets and remaining minutes.
    Now pfSense is free and MikroTik is not. I want to know the similarities they share and the differences, likewise their limitations.
    I would also like to deploy pfSense in our branch office doing the same work MikroTik is doing in the main branch.



  • pfSense is FreeBSD - FreeBSD is not Linux.

    You'll find most of the answers you're after by searching this forum and reading the documentation.  If you want more you'll have to provide a list of the features you're using in mikrotik (RouterOS) rather than expecting others to do your legwork for you.



  • Thanks for your reply and corrections. I will try and do the legwork myself. I thought some experienced geeks would elaborate more on it.
    All the same, thanks.



  • It's a bit like saying "currently I have a Ford but I'm looking at a Mazda - what's the difference?".  People could spend days posting and never touch the bits that matter to you, and that's assuming people here are as familiar with RouterOS as they are with pfSense.  It's far better if you ask specific questions about features that matter to you.



  • Here are the results of my legwork

    pfsense:

    • free
    • easy configuration over the web
    • picky on the hardware (it's more BSD's fault)
    • no documentation and reasonable support is a problem
    • not so many features (compared with MT)
    • very slow development (one release per year, or two …)

    mikrotik:

    • if you configure it right, it will do almost anything, almost forever
    • can be purchased with wide scale of affordable and fine hardware
    • well documented, active forum, many examples on the wiki
    • not free, can't be upgraded forever for free
    • harder to learn at first
    • no web interface

    I have tried to use pfSense several times, and failed. Now using RB1000 on same spot, with about 2000 users, and 340Mbps traffic, uptime more than 800 days, and are very pleased. pfSense makes sense maybe on the very HDD or CPU intensive applications (cache, VPN, etc.) when MT's hardware simply does not have enough horsepower. On your scale, pfSense with PC is overkill in my opinion. Get any of the small MT boxes, and learn how to use it. Take a second one also, for reserve, and for testing new things.

    PS: pfSense has an older brother, called m0n0wall. On the small scale, this may be a better choice. It's based on newer BSD version, and is faster, simpler and with more features. Maybe it's worth a look.

    I would go with the mikrotik rb450 it will handle everything for you and even allow you to do billing, the pfsense box does not handle billing so you would have to have another solution for that.

    With that much experience in Mikrotik, I am curious why you are considering alternatives? Are you encountering some serious problems?

    m0n0wall uses BSD ipfw and dummynet modules while pfSense uses BSD pf and altq module, but Mikrotik uses Linux iptables/netfilter. So there are differences in packet available in each of them. Each one (including m0n0wall) has some filtering and traffic shaping features not available in the others, but in general you can mimic similar setups.

    You already know Mikrotik uses VRRP for router redundancy. pfSense has CARP. Both have dual-WAN capability and PPPoE server.

    m0n0wall was really designed as a single-WAN SoHo router on steroids, it may not be for you. You could try out pfSense if you sincerely want to explore alternatives. But maybe you are just casually asking which one is "best" … ?

    pfSense does have Captive Portal (CP) and a link to RADIUS, but it will not do billing.

    The last quote is where I have more concern; the billing aspect is what I really want to know how to lay hands on in pfSense.



  • I saw this as well and am waiting for the final solution to it: http://forum.pfsense.org/index.php/topic,28851.msg157901.html#msg157901



  • @collins465:

    Here are the results of my legwork

    which I'll correct as you're WAY off in several regards.  ;D

    @collins465:

    • no documentation and reasonable support is a problem

    Not true at all. It's documented in great depth in the book and there is a lot of freely available info at doc.pfsense.org. As for support, this forum has more members and is more active than Mikrotik's. If you're willing to pay, it simply doesn't get any better than our commercial support offering - nowhere else are you going to work with the world's foremost experts on the product when you call support. There are no first level script reading support people and never will be.

    Especially compared to Mikrotik, their support is their biggest downfall from everything I've heard from a number of their customers (who are running away from it as quickly as they can, where they can at least).

    @collins465:

    • not so many features (compared with MT)

    I just did a comparison between the two a couple weeks ago, and there aren't many differences. VRF and MPLS are the only two I could find that we're missing. Those aren't used a whole lot, though they're critical in some portions of some networks. Features aside, being able to run on dirt cheap hardware is the only compelling benefit MT has.

    @collins465:

    • very slow development (one release per year, or two …)

    There haven't been any further 1.2.x releases because it's rock solid and hasn't needed any security updates, and 2.0 is taking longer than we'd hoped as there was a huge amount of work in cleaning up all the features added in the past 3-4 years. From 2.0 onwards we're making much smaller steps from one release to another and you'll see considerably faster release cycles. Every single feature has drastically changed from 1.2.x to 2.0 as that's when the project gained mass popularity.

    @collins465:

    the billing aspect is what I really want to know how to lay hands on in pfSense.

    We work with companies who use a wide range of billing methods, including typical subscription based, prepaid cards, pay per visit/hour/minute, you name it. Your billing system is virtually never on your gateway platform. Every worthwhile billing system supports RADIUS, and that's all you need. No the billing system isn't built in, but it really shouldn't be (that's not a scalable solution) and there are numerous options that will integrate easily with any centralized billing system.

    @collins465:

    PS: pfSense has an older brother, called m0n0wall. On the small scale, this may be a better choice. It's based on newer BSD version, and is faster, simpler and with more features.

    Not sure what you're looking at with m0n0wall, it's not actively developed, it's based on a much older FreeBSD version, is slower as the newer FreeBSD versions we use have much better throughput capabilities, and has drastically fewer features including major lackings that make it unsuitable for serious deployments (no HA capabilities, no routing protocols, no firewall alias abilities, no ability to scale state table without building your own image, and more). It's a great platform for home or small office where you don't have complex needs, but not at an ISP level.



  • @cmb:

    I just did a comparison between the two a couple weeks ago, and there aren't many differences. VRF and MPLS are the only two I could find that we're missing. Those aren't used a whole lot, though they're critical in some portions of some networks. Features aside, being able to run on dirt cheap hardware is the only compelling benefit MT has.

    They do also provide a full command line interface for configuring their boxes, which, having used it, I have to admit has its advantages.  The flip side is that their GUI is really quite horrendous and their web interface is far from complete.  It's really not well suited to the less experienced (it took me a few hours to get one running the first time I used one, and that's despite years of experience of Cisco et al.).

    Their relatively low hardware cost is a meaningful advantage however - I recently picked up one of their units for not much more than it would have cost to replace the (failing) hard disk in my pfSense box.  That said, the biggest advantage of pfSense is IMO the packages.  No way can my little RouterBoard support half the things I can do with my pfSense host.



  • which I'll correct as you're WAY off in several regards.

    We work with companies who use a wide range of billing methods, including typical subscription based, prepaid cards, pay per visit/hour/minute, you name it. Your billing system is virtually never on your gateway platform. Every worthwhile billing system supports RADIUS, and that's all you need. No the billing system isn't built in, but it really shouldn't be (that's not a scalable solution) and there are numerous options that will integrate easily with any centralized billing system.

    Pardon me for my ignorance. I am yet to understand the meaning of these words and how they work with each other.
    Talking of billing systems, which of the companies are you talking about? I really thought that pfSense 2.0 would have a billing system built in, just like MikroTik…



  • @collins465:

    Commercial support, when this forum just isn't enough: http://www.pfsense.org/index.php?option=com_content&task=view&id=62&Itemid=73

    RADIUS will keep track of when users log in and log off (among other things), and put it in a database. Then, some other software will run on your billing system that will take the RADIUS records in the database and use them for billing your customers.

    Firewalls, in contrast, are supposed to do one thing, and one thing only: prevent intrusion. They're not really supposed to be running web servers and billing servers and mail servers too - they just provide more avenues for attack, and personally I wouldn't even want to run a billing server that was visible to the internet. Which is why the RADIUS server should be storing its logs elsewhere, for another server to pick up the load for billing.
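
Added example (not part of the thread and not pfSense or MikroTik code): the split described in the post above, where RADIUS stores accounting records and a separate billing job totals them, sketched as a job that bills by time and by data. The row layout and sample values are constructed; the attribute names are standard RADIUS accounting attributes (RFC 2866 and RFC 2869).

```python
from collections import defaultdict

# Constructed accounting rows, as a billing job might read them from the
# RADIUS server's database. Attribute names are from RFC 2866 / RFC 2869.
RECORDS = [
    {"User-Name": "alice", "Acct-Status-Type": "Start", "Acct-Session-Id": "a1"},
    {"User-Name": "alice", "Acct-Status-Type": "Stop", "Acct-Session-Id": "a1",
     "Acct-Session-Time": 3600, "Acct-Input-Octets": 1000,
     "Acct-Output-Octets": 500, "Acct-Output-Gigawords": 1},
    # Retransmitted Stop for the same session: must not be billed twice.
    {"User-Name": "alice", "Acct-Status-Type": "Stop", "Acct-Session-Id": "a1",
     "Acct-Session-Time": 3600, "Acct-Input-Octets": 1000,
     "Acct-Output-Octets": 500, "Acct-Output-Gigawords": 1},
    {"User-Name": "bob", "Acct-Status-Type": "Stop", "Acct-Session-Id": "b7",
     "Acct-Session-Time": 120, "Acct-Input-Octets": 2048,
     "Acct-Output-Octets": 4096},
]

def octets(rec, direction):
    """Combine the 32-bit octet counter with its Gigawords wrap count."""
    low = int(rec.get(f"Acct-{direction}-Octets", 0))
    wraps = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return (wraps << 32) + low

def usage_by_user(records):
    """Return {user: {"seconds", "bytes", "sessions"}} from Stop records only."""
    totals = defaultdict(lambda: {"seconds": 0, "bytes": 0, "sessions": 0})
    seen = set()
    for rec in records:
        if rec.get("Acct-Status-Type") != "Stop":
            continue  # Start and Interim-Update rows carry no final totals
        # Simplified session key; a real job would also include the NAS identity.
        key = (rec["User-Name"], rec["Acct-Session-Id"])
        if key in seen:
            continue  # duplicate Stop (retransmission)
        seen.add(key)
        t = totals[rec["User-Name"]]
        t["seconds"] += int(rec.get("Acct-Session-Time", 0))
        t["bytes"] += octets(rec, "Input") + octets(rec, "Output")
        t["sessions"] += 1
    return dict(totals)

if __name__ == "__main__":
    for user, t in sorted(usage_by_user(RECORDS).items()):
        print(f"{user}: {t['sessions']} session(s), {t['seconds']} s, {t['bytes']} bytes")
```

The job only needs read access to the accounting store, so it can run on a host that is not reachable from the internet.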



  • What do you guys think about this: http://daloradius.com/ ?



  • @cmb:

    We work with companies who use a wide range of billing methods, including typical subscription based, prepaid cards, pay per visit/hour/minute, you name it. Your billing system is virtually never on your gateway platform. Every worthwhile billing system supports RADIUS, and that's all you need. No the billing system isn't built in, but it really shouldn't be (that's not a scalable solution) and there are numerous options that will integrate easily with any centralized billing system.

    Are examples of companies that provide these numerous billing methods that can be employed with pfSense documented anywhere? http://www.dmasoftlab.com/cont/radman#comp lists support but it took a lot of hunting around to find that. I'm interested in billing solutions that count data rather than time.


  • Rebel Alliance Developer Netgate

    I have worked with http://billmax.com/ before and it's not too bad, though I know it can control RADIUS and do billing based on time, I'm not sure if it does it by data. If not, they're a pretty responsive group and could probably tell you if it does it, and if not, give you a quote on what it would take.



  • Thanks for the suggestion, will check it out.



  • OK guys, it's time for practicals now. My definitive guide just arrived, so I have to kick off as soon as possible.

