PfSense V.S. VyOS
-
I have spent a lot of time over the last week looking into pfSense V.S. VyOS. I have used pfSense for a while now and I love it. That being said, I am always looking into different possibilities and I came across VyOS while looking at a Ubiquiti EdgeRouter. What I could not find was a comparison between VyOS and pfSense with routing performance so I wanted to test it myself and post my results for other curious folk. This is by no means a 'scientific' test and neither setup was optimized after the installation. Here is the setup:
- 2 iPerf machines running on Hyper-V. Each with 4 processor cores @3.34 GHz and 4 GB RAM. Hyper-V host is connected to a Cisco 2970 with 4 GbE NICs bonded with LACP.
- 1 Watchguard XTM5 Series device with Intel Core2Duo E4500 @2.20 GHz and 4 GB RAM. Both OSes installed to an internal 160GB SATA HDD. 4 of the GbE interfaces are connected to the switch and bonded with LACP.
Working on test results now
Please let me know if this belongs somewhere else. I am truly terrible at using forums.
-
I think the difference (one way or the other) will be determined by the base OS. pfSense is based on FreeBSD, VyOS is based on Linux.
FreeBSD is rock solid but has been running behind in hardware support / VM support, compared to Linux.
-
FreeBSD 11, summer next year, will have a slew of huge improvements for nearly everything related to VMs and network performance. Then it's a matter of waiting for pfSense to get rebased.
-
pfSense is following a concept to be a firewall and VyOS is a clone or fork of the long time existing Vyatta
but Vyatta is more used as a router and mostly not a smaller one, more in the field of OpenBSD & OpenBGPD
or OpenBSD & Quagga for doing real good jobs in the BGP field of routing. This concept is well proven and often wished by users to get the hands on other devices that came
pre-installed with that system and UBNT was assembling their own routers together and so it was
coming up. So why you would be comparing these two systems against each other I don't really know; each of
them has its own charm and skills, it will be as it is, pfSense is a firewall and VyOS is a router
system from UBNT.
-
I agree with everyone that they are definitely a different species. I just wanted to make a throughput comparison for everyone like me that was curious how they compared on the same physical hardware. pfSense will always be my go-to OS when I am building my own firewalls :) There is some middle ground between them if you want to use both as a firewall or both as a router. Also, pfSense is much much much easier to configure - VyOS has a steep learning curve and I had a hard time installing it on headless hardware.
Here is the first batch of results:
iPerf1 ---> iPerf2 (Same VLAN) is at ~ 10 Gbps - I did this one to make sure that the machines performed well enough to send oodles of iPerf traffic.
iPerf1 (VLAN 10) ---> VyOS (Physical) ---> iPerf2 (VLAN 20) is at ~ 940 Mbps
iPerf1 ---> PfSense (Physical) ---> iPerf2 results to come. I have hopes that this will have higher throughput than VyOS.
Happy turkey day everyone!
-
@BlueKobold:
pfSense is following a concept to be a firewall and VyOS is a clone or fork of the long time existing Vyatta
but Vyatta is more used as a router and mostly not a smaller one, more in the field of OpenBSD & OpenBGPD
or OpenBSD & Quagga for doing real good jobs in the BGP field of routing. This concept is well proven and often wished by users to get the hands on other devices that came
pre-installed with that system and UBNT was assembling their own routers together and so it was
coming up. So why you would be comparing these two systems against each other I don't really know; each of
them has its own charm and skills, it will be as it is, pfSense is a firewall and VyOS is a router
system from UBNT.
pfSense is more of an 'access router'. Think Cisco ASA.
Vyatta (now VyOS) was more of a 'border router'/'edge router'.
We have plans for an 'edge router'/'border router' product. See the Roadmap from early in the year, ref DPDK.
(betcha don't know that a) gonzopancho and his spouse nearly bought UBNT back in the day, and b) Robert Pera once tried to get pfSense running on MIPS)
-
(betcha don't know that a) gonzopancho and his spouse nearly bought UBNT back in the day,
Hmmm, you all got some good weed in Austin, Texas these days I imagine ;)
and b) Robert Pera once tried to get pfSense running on MIPS
Could be interesting for him that he then sells more devices than he could imagine.
Three or more devices up to ~$100 with three or five GB LAN ports would be really
interesting for many home users.
-
@jwt:
@BlueKobold:
pfSense is following a concept to be a firewall and VyOS is a clone or fork of the long time existing Vyatta
but Vyatta is more used as a router and mostly not a smaller one, more in the field of OpenBSD & OpenBGPD
or OpenBSD & Quagga for doing real good jobs in the BGP field of routing. This concept is well proven and often wished by users to get the hands on other devices that came
pre-installed with that system and UBNT was assembling their own routers together and so it was
coming up. So why you would be comparing these two systems against each other I don't really know; each of
them has its own charm and skills, it will be as it is, pfSense is a firewall and VyOS is a router
system from UBNT.
pfSense is more of an 'access router'. Think Cisco ASA.
Vyatta (now VyOS) was more of a 'border router'/'edge router'.
We have plans for an 'edge router'/'border router' product. See the Roadmap from early in the year, ref DPDK.
(betcha don't know that a) gonzopancho and his spouse nearly bought UBNT back in the day, and b) Robert Pera once tried to get pfSense running on MIPS)
Hope this running pfSense on MIPS gets revisited. I could place a LOT of UBNT ERL plus UniFi AC units as replacements for homeowner routers. Can't now, 'cause I don't want to learn EdgeOS, and could have a very nice setup (router and AC access point) for under $250.
Maybe UBNT could have some interest in this.
-
Supporting MIPS for the CPU is one thing, supporting a completely different bunch of NICs and wireless cards for mostly closed source binary drivers is a whole other issue.
-
@BlueKobold:
(betcha don't know that a) gonzopancho and his spouse nearly bought UBNT back in the day,
Hmmm, you all got some good weed in Austin, Texas these days I imagine ;)
No idea, I don't imbibe. This was back in the early days of Ubiquiti, when Gonzo lived in Hawaii.
-
@BlueKobold:
Hmmm, you all got some good weed in Austin, Texas these days I imagine ;)
No need for magic mushrooms, just google for: "Jim Thompson", "Vivato Technologies", and Musenki
The UBNT part was a long time ago when they were purely focused on wireless technologies - mostly backhaul stuff and way before they tried entering the prosumer/enthusiast market.
Pity on UBNT though, they had pretty crappy hardware several years back reliability-wise.
Now that they've got decently reliable hardware, their software side is lacking - even worse when they don't even have a reference manual. I gave up trying to do ubnt deployments after endless googling and ending up with trying to mix and match end-user supplied guides with Vyatta command reference (with no indication as to which parts are actually part of the Edge OS).
-
The funniest of all is going to be if one, or both, of them is NOT going to work
Intellectual Works irritate me but - it is the works1, and 2 and 3 - make them work like me
-
I'm back with an update, but I'm afraid that it isn't good. Turns out that when you're trying to do something awesome disaster strikes. The XTM5 that I was using for these tests has gone kaput. Anyone out there with a spare XTM5 to finish the test? :D
-
FreeBSD 11, summer next year, will have a slew of huge improvements for nearly everything related to VMs and network performance. Then it's a matter of waiting for pfSense to get rebased.
You seemingly have no idea how trivial it is to 'rebase' now.
What was true in the past is no longer true with the changes we've made to the build system for 2.3 and beyond.
In other words: We fixed that shit.
Point-in-fact, 2.3 follows -STABLE. When it is released, we will be so far along the path to 10.3 that the eventual upgrade will be a non-event (and likely carried out entirely via "pkg update;pkg upgrade", or the GUI equivalent.)
We have an internal project that follows -CURRENT (FreeBSD will be the eventual -RELEASE of what is now -CURRENT), so that will also be trivial.
Mostly, it will come down to testing.