Pfsense vs sonicwall tz215?



  • Hi everyone,

    Like to check.

    Currently, my project consists of:-

    HQ

    • Branch 1 (remote area)
    • Branch 2 (remote area)
    • Branch 3 (remote area)

    Each site will be connected to each other via ipsec site-to-site VPN. There will be database which will replicated. Basically HQ's database has the same copy with Branch 1, etc.

    I am considering pfsense to do 2 things:-

    • firewall for each branch
    • be the ipsec site-to-site VPN

    For each site, there will be around 30 concurrent users at 1 time.

    Recently, I met a consultant and he told me that pfsense is not good. Due to the 3 branches are on remote area (which I don't have people in there for standby), he recommended to get boxes that are more reliable than pfsense. He recommended to get a cheap version of sonicwall e.g. TZ215 series.

    Based on what he claimed:-

    • pfsense is on freebsd and the filesystem is not as good as ext3 and ext4. Basically if I force restart on pfsense box (whether it is installed on a china appliance box with compact flash or to a 1u server), pfsense will have difficulty to recover due to filesystem limitation)? Not sure how true is this.

    • plus the firewall that pfsense has is not as good as sonicwall ones (which i am referring to tz215)

    • same to the ipsec site-to-site vpn. Sonicwall TZ215 can support up to 20 sites. How about pfsense?

    • the security is better too for sonicwall compare to pfsense

    Thus, I like to check on his claims. Is this true?

    Any help? Thanks.



  • F.U.D.

    I'm guessing your salesman consultant would be very happy to supply the Sonicwall TZ215.

    Have a read of this:  http://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

    and this: http://community.spiceworks.com/topic/314194-asa-vs-pfsense



  • @ericmachine:

    • pfsense is on freebsd and the filesystem is not as good as ext3 and ext4. Basically if I force restart on pfsense box (whether it is installed on a china appliance box with compact flash or to a 1u server), pfsense will have difficulty to recover due to filesystem limitation)? Not sure how true is this.

    Probably true in that its been my experience that a pfSense kernel panic seems to usually result in fsck reporting file system issues on the next boot whereas my Linux systems seem to recover without issue after unplanned shutdowns. But if crucial pfSense files are damaged its pretty easy to recover if you have planned ahead by taking regular backups of the configuration file and keep an install file or firmware upgrade handy. Use of the nanoBSD variant of pfSense probably significantly reduces the likelihood of a kernel panic leaving the file system damaged. (I use the "full" variant of pfSense, not the nanoBSD variant.)

    @ericmachine:

    • plus the firewall that pfsense has is not as good as sonicwall ones (which i am referring to tz215)

    "not as good" by what criteria?

    @ericmachine:

    • the security is better too for sonicwall compare to pfsense

    better by what criteria?

    @ericmachine:

    Thus, I like to check on his claims. Is this true?

    I think a consultant worthy of the name should be able to back up such claims with detailed supporting evidence.


  • Netgate Administrator

    I run only the NanoBSD variant of pfSense and have hard power cycled many boxes many times and not once had any issue. It's possible that if you suffered a power outage at a point when pfSense was writing the config file or some other key component it might cause problems but you'd be very unlucky. I don't believe that the Sonicwall would be completely invulnerable to that either.

    @http://www.freebsd.org/doc/en/articles/nanobsd/:

    Everything is read-only at run-time — It is safe to pull the power-plug. There is no necessity to run fsck after a non-graceful shutdown of the system.

    The Nano variant has some restrictions compared to the 'full' install but should be fine for your requirements.

    Steve



  • Thanks everyone.

    For nanobsd, what kind of restrictions are you referring to? I assume is pfsense restriction right?

    So basically sonicwall tz215 won't have kernel panic?

    My consultant is an open source guy and used pfsense too. But he told me to consider sonicwall as due to ease of maintenance (especially the multiple force restart issue). He is not a reseller or distributor for sonicwall.

    Thanks.


  • Netgate Administrator

    The restrictions are due to the fact that the filesystem is read only. Thus packages that have to write constantly can only use a ramdisk and that may not be sufficient. Squid, the web proxy, cannot cache content for example, though it can still act as a filter without caching. Snort can have a problem retrieving new definitions on low ram systems. There are a few other packages that cannot be installed on the Nano variant: pure-ftp, ntop, Freeswitch, Freeswitch-dev, Lightsquid and phpsysinfo. There's a good chance you don't want any of those anyway.
    There are also some advantages. In NanoBSD two system slices are kept on the card such that when you upgrade it switches to the other slice. This leaves the previous system image available to fall back to.

    I hadn't realised how much the TZ215 costs, is $845 a realistic price or is everybody buying it discounted?
    For that money you could get this for instance: http://store.netgate.com/Netgate-FW-7541-P1846C83.aspx. The FW-7541D will give similar performance to the TZ215, ~500Mbps firewall/NAT. You could also have a support subscription with the dev team that would cover all your locations (it's done on time not appliances) and still save money. Of course I am massively biased!  ;D

    Steve



  • Thanks :)

    Few questions:-

    a. Normally when people use pfsense for firewall protection, do they enable snort too?

    b. Does that mean this FW-7541 can't do snort?

    c. I assume the FW-7541 come pre-installed with pfsense latest right?

    d. If I buy the FW-7541, will there be a "forced" annual recurring each year? The TZ215, I am forced to pay every year for maintenance and updates (e.g. content filtering).

    For me, I just need for firewall and VPN (site-to-site vpn and ssl vpn). Will this FW-7541 work for me?

    Any help? Thanks.


  • Netgate Administrator

    A. I don't. Some people insist on it. Technically it's not part of the firewall it's an IDS/IPS system. My experience with Snort has always been that it throws more false positives than it's worth. Once you get it tuned correctly it usually runs fine or if you have it set to detection only so it logs but does block stuff its fine.

    B. The 2GB in the FW-7541 should be fine for running Snort. It will slow it down though. I don't think you've said what bandwidth your connections are?

    C. Yes, but if a new version is released while yours is being delivered its simply a matter a clicking a button in the webgui to upgrade it.

    D. There are no annual costs to running pfSense. If you choose to get official support then that costs. If you run Snort then there are free or paid for definitions sets, the paid version being more recent. Do you need content filtering?

    All of that may be irrelevant because if you need SSL VPN then go with the Sonicwall because pfSense doesn't support that. (yet) ;)

    Steve



  • Depends on the definition of SSL-VPN.
    OpenVPN is for me SSL-VPN, just not the kind you can run in your webbrowser.



  • The words "SSL VPN" have always seemed a misuse of "VPN".
    Its more like SSL RDP.

    I too prefer an actual VPN to a SSL Desktop server.


  • Netgate Administrator

    Ah. It was my understanding that SSL VPN usually referred to SSTP. I could easily be wrong though.

    Steve



  • On many occasions I've seen what is basically something similar to ThinVNC accessed via browser referred to as VPN. 
    Thats not my idea of VPN either.  SSTP is VPN, but I never use it.

    This is the sort of explanation of SSL VPN that I'm used to seeing people talk about.

    http://searchsecurity.techtarget.com/definition/SSL-VPN

    I have set up a server like this before under Linux using FreeNX as a server, but I never called it a VPN.  I called it a desktop server.
    (I don't like the performance of TCP based RDP applications either.  Very sluggish compared to UDP based applications)


  • Netgate Administrator

    Yep, not what I call a VPN either but I think you're right. I can't find any mention of SSTP on Sonicwall's site.

    Steve



  • To be fair, you don't have to pay anything to Sonicwall if you just use the FW and I think VPN. We used one in a remote office for about 2 years before switching it to pfsense. They wanted us to by content filter and all that "extra" stuff you might not need. If you want support, pfsense's support is cheaper, and better IMO.
    We have been running pfSense in 2 data centers and our office with no issues. Well except for once, but it was only one server and it was in a DMZ by it self with port 22 open to the world with a very simple password. Don't ask, I wanted them till I was blue in the face, but since it was not my server .. whatever. But it was isolated and could not hurt anything in my main net. pfSense FTW. I have survived many power offs. Only have to redo my FW once cause of a power issue. Don't forget regular backups.
    Also, and I know I am being long winded, I had our office manager login recently and with instruction, undid my mistake and rebooted with very little effort. I would not have attempted that with Sonicwall. It is just not that intuitive.  To remove the gas from the flames, anything once gotten used to, is easy for those who administer it.

    OpenVPN works well for a mesh VPN in site to site. You are not talking road warrior stuff here. ALthough I hear it works well for that also.
    I have also worked with Juniper, Cisco, and WatchGuard FWs and I would still prefer pfSense. I can full customize it without worrying about licensing. Thank you pfSense developers!!!



  • Thanks so much for replying back.

    Does the FW-7541 comes with worldwide warranty? I assume a lot of people have purchased this hardware right?

    When I mean SSL VPN, yeah I am referring to something like OpenVPN. But I think OpenVPN is quited limited, not sure ios can support (without jail break).

    I had seen sonicwall SSL VPN. They have the mobile (ios, android), pc, mac, linux clients too.

    Right now, I plan to use 2 internets (active, passive, or both if I can do network bonding in pfsense???)

    primary - 5MB ADSL line (why 5MB adsl? coz it is on remote area, that's the best I can get)
    secondary - 3MB 3G/4G connection (still haven't figure out this yet, but assume will connect to a gsm gateway or something)

    Since this is on remote area, should I consider a fail over pfsense too? In case pfsense is dead, it will fall back to 2nd pfsense? Not sure this can be done either.

    Hopefully the FW-7541 can do that.

    I don't think I need content filtering for now. After all, I need to make sure my servers are secure. I believe content filtering is more to user side.

    I assume the definition updates is for content filtering. If I don't need this and disable, it won't affect anything right?

    Any help? Thanks so much again :)



  • "But I think OpenVPN is quited limited, not sure ios can support (without jail break)."

    What you mean to say is that ios is limited?

    The gold standard of VPN isn't how well IOS has decided to support it.  Actually, the opposite might be true.

    IOS has a history of screwing over anything they can't hijack and transform into a revenue stream immediately.

    My personal opinion of IOS is its an OS for yuppie hipster wanna-bees with more money than brains who buy into a "lifestyle".

    Anyhow.  IPsec is supported of the the box on both ios and pfsense, so rest easy.


  • Netgate Administrator

    The FW-7541 is relatively new so not that many people here will have one. Warranty issue would be best aimed at Netgate directly, I'm not sure. There are many people running similar hardware though and it's probably the best tested pfSense platform available.

    There are VPN options available for all those platforms that will work with pfSense. Personally I'm using OpenVPN with Windows and Linux clients and Android (yes also Linux!). OpenVPN can also run on IOS without jailbreaking: http://doc.pfsense.org/index.php/OpenVPN_on_iOS

    You can do load balancing between two WAN connections, you can also do true bonding but that requires the ISP to co-operate and be running both connections.

    You can run two FW-7541, or any boxes, as a CARP cluster for high availability.

    If you don't need content filtering then don't install it and forget about it.  :) The definition updates I mentioned are for Snort (IDS/IPS) which isn't content filtering. Again if you don't need it just don't install it.

    Clearly you're unlikely to find anyone here recommending Sonicwall over pfSense.  ;) I hope we've pointed out that pfSense can accomplish all you need for less expenditure.

    Steve



  • I assume even not many people have that FW-7541, but that's tested by pfsense internal team right? I assume it can use it for enterprise usage too. Just curious how many concurrent users can that support?

    For sonicwall TZ215, it can support ipsec site-to-site up to 20 sites. How about FW-7541 or pfsense? I am not sure whether pfsense can support more than 1 site?

    What kind of hardware do most people use with pfsense? Upon curiousity though :)

    I google on this, and found out a similar box here
    http://hollipc.en.china.cn/selling-leads/detail,1100782802,Network-Security-Platform-Firewall-IEC516P.html

    Is that specs sufficient? Or do you recommend others?

    How do you get both ISPs to co-op for true bonding? They are kinda competitors though. Hmm?

    I search in the forum, it seems like pfsense can't support PPPOA. Is this true? Coz I have an Australia ADSL that is based on PPPOA. I plan to have this pfsense to talk to the modem to dial for the ADSL internet.

    Lastly for CARP cluster, I assume the FW-7541 can make this work too? I have to make sure as I believe FW-7541 is on embedded (probably on nanobsd, not sure this works?).


  • Banned

    @ericmachine:

    I search in the forum, it seems like pfsense can't support PPPOA. Is this true? Coz I have an Australia ADSL that is based on PPPOA. I plan to have this pfsense to talk to the modem to dial for the ADSL internet.

    You should talk to the ISP to see if they support PPPoE as well… And yeah, there's no PPPoA support, just about every sane ISP abandoned this sucky thing long ago. This thread has some good technical info.



  • I assume even not many people have that FW-7541, but that's tested by pfsense internal team right? I assume it can use it for enterprise usage too. Just curious how many concurrent users can that support

    It will go as fast as and faster than any of the speeds you mention, and with multi-GB RAM will have no trouble supporting lots of VPN links of any flavour. For specific questions about the device email the sales address at NetGate. I have bought plenty of stuff at NetGate, and they always tell me correctly what works with what. They won't give you a sales spiel, they tell you reality and are smart enough to know that happy customers come back again and again.


  • Netgate Administrator

    Mmm, that is a good thread. As stated in it almost all adsl in the UK is still using PPPoA. Though I have in the past managed to make a PPPoE connection directly it was never very stable or reliable, some time ago since I tried though. Anyway there are many modem/routers that can be put in some type or bridge mode to work with PPPoA so it shouldn't be a problem. I'm using the Draytek Vigor 120 which is incredibly easy to setup (no config required. it's already a pppoa-pppoe bridge). There are loads of Aussie pfSense users who could probably advise you better on available modem options.

    There's no real limit on how many VPN connections you setup. The limit is in how much traffic you a passing over all of them, though I guess there is some overhead. The TZ215 claims to support 130Mbps of AES encrypted traffic (though it doesn't say what encryption level that is) so I would infer that it has some additional VPN accelerator hardware. The FW-7541 will probably pass 50-60Mbps depending on the encryption level and type. Given that you have <10Mbps WAN connection that may not be a problem. (You wrote MB but I assume you meant Mbps?)

    I am using re-purposed Watchguard boxes mostly because I can.  ;) See: http://forum.pfsense.org/index.php/topic,25011.0.html

    To use MLPPP you need to have both connections from the same ISP and they need to support it at their end. You'll never get that with one dsl and one mobile connection.  :(

    Steve



  • @ericmachine:

    But I think OpenVPN is quited limited, not sure ios can support (without jail break).

    https://itunes.apple.com/us/app/openvpn-connect/id590379981



  • @ericmachine:

    I search in the forum, it seems like pfsense can't support PPPOA. Is this true? Coz I have an Australia ADSL that is based on PPPOA. I plan to have this pfsense to talk to the modem to dial for the ADSL internet.

    I am in Australia. I  use Gold Coast based ISP Onthenet. My pfSense talks PPPoE to a Tenda D820B ADSL modem. The combination works well enough.


Log in to reply