Pfsense or m0n0wall

  • Hi,
    I have been looking at both pfSense and m0n0wall and am a little confused about which to go for.
    Is there any advantage to using FreeBSD 6 compared to 4, apart from hardware support? Is one more secure or faster at processing packets than the other? I see that m0n0wall is heading to FreeBSD 6.2.
    I would like to set up the firewall to utilise my home ADSL connection that hosts a web and mail server. Not huge traffic, though.

    I have a mini-ITX motherboard with a 1.2 GHz VIA Eden CPU and 1Gb of DDR RAM. It also has a quad-port D-Link network card.
    I can install a notebook hard drive or I can run m0n0wall from a USB memory stick.

    I also play a few games at home like Call of Duty 2 and would like the traffic from this game to have higher priority than other traffic such as web and P2P. Will both m0n0wall and pfSense do this suitably? Is one better than the other in this sense?  ;D

    I would also be using the dyndns function.

    Many thanks.

  • The primary difference is the feature set. What you're looking at doing is suitable for either/or, and your hardware is fine for either/or. So, it becomes a matter of personal preference, and what you may want or need to accomplish in the future.

  • Like Chris already said, for your scenario both will get the job done nicely. m0n0wall aims more at low-end platforms, whereas pfSense doesn't restrict its feature set to run on this kind of hardware (your hardware is not low end). pfSense offers a lot of features that you probably don't need currently, but they might be handy in the future. Also, some things at the backend are completely different (like the traffic shaping, which therefore works completely differently in the webGUI as well). If you have some time, have a look at both and pick the one that you get along with better. As you don't need features that only one of the systems provides, it's really your own decision what you feel more comfortable with.

  • Many thanks for your quick and kind replies.
    Yes, the ability to add components down the track is a draw card.

    You say that things like traffic shaping run completely differently in the backend. Does it run more efficiently and effectively in comparison to m0n0wall?

    Because of the higher hardware requirements of pfSense in comparison to m0n0wall, does m0n0wall analyse and deal with the packets quicker than pfSense? Or does pfSense do it better, and because I have decent hardware it will actually work faster?

    Sorry for the maybe obvious questions but I would just like to know as much as I can before I dive in.  ;D

    Also, I am using NAT on my ADSL modem/router and I assume I should just open everything up on the ADSL router and let pfSense or m0n0wall deal with the NAT rather than having the packets redirected twice: once from the ADSL modem to the pfSense/m0n0wall machine, then to the internal server. Just have it straight through to the pfSense/m0n0wall machine and have it redirect once only.

    Amazing software by the way!  ;)

  • At least when using FreeBSD 6.x (m0n0 1.3 betas) it's not any faster than pfSense anymore (from my tests). So unless you use a m0n0 version prior to 1.3beta, it's not faster than pfSense.

    Traffic shaping depends on what you want to do. There are things that m0n0's shaper can do (for example, per-user bandwidth limits) that pfSense's shaper can't, and vice versa. For most things I prefer the pfSense shaper, but there are some applications where I use a m0n0 too.

    It's really not a question of whether m0n0 or pfSense is better; it depends on the job you need to get done.

  • To be fair - it seems there's a decent number of people who have used both traffic shapers who think m0n0wall's is vastly superior. The consensus amongst the pfSense developers is that isn't the case if you have it set up properly. My opinion? I don't know - I've never had good results with the m0n0wall shaper, and haven't really messed with it a whole lot, and have actually never even enabled the pfSense traffic shaper. I don't use shaping on my networks.

    As for taking the NAT off your DSL modem, you'll definitely want to do that. Otherwise you'll be double NAT'ing and that can cause issues with NAT-unfriendly protocols, like FTP, amongst others.

  • The m0n0 traffic shaper is probably easier for most people to set up and understand. The pfSense shaper allows you much more control (the theoretical underpinnings are much more complex), but I have not been able to use it because I do not understand how to.

    FreeBSD 4 will give you much better throughput.

    m0n0 is low end hardware, embedded. "pure" firewall.
    pfSense is modern hardware, lot more features.

  • By throughput do you mean less latency, or just a higher amount of sustained data flow on lower end hardware, or both?

    Is m0n0wall (FreeBSD 4) likely to have a lower latency on processing packets than pfSense? Or if you have decent hardware, is pfSense the same or better?

  • I don't know about latency - never tested. I meant sustained FreeBSD4 has better data flow with low end and medium type hardware.

  • Anybody know any details on latency between m0n0wall and pfSense?

  • It's not a matter of latency, or speed of processing packets, etc. That won't differ. Your CPU will be your first bottleneck on either, and if/when it's maxed out, your latency will increase with either. It's just that it takes less bandwidth to max out pfSense than m0n0wall 1.2. In a couple months when m0n0wall is at 1.3 release, they'll be equal.

    Though with most typical broadband connections of less than 10 Mb, any CPU will be fine.

  • cheers  :D
