2021 Firewall Review, Feature Comparison and Recommendations

  Views: 119,790

Lawrence Systems


Firewall Comparison Chart
docs.google.com/spreadsheets/...
List of our pfsense tutorials
lawrence.technology/pfsense/
Untangle Firewall Web Filtering & SSL Inspection
Untangle Firewall Review
pfSense Plus 21.02 and pfSense CE 2.5.0 Features, Updates, and Changes
⏱️ Timestamps ⏱️
0:00 Firewalls We Recommend
2:08 Firewall Comparison Chart
5:08 Central Firewall management
7:04 OpenVPN Support
9:52 IPSEC/L2TP VPN Support
10:40 Wireguard VPN
11:18 Policy Routing
11:54 IPS/IDS systems
13:25 DNS & GeoIP Filtering
14:04 Web Filtering & SSL inspection
16:12 QoS Traffic Shaping
16:34 WAN Failover / Load Balance
17:21 Active Directory
17:59 Captive Portal
18:40 Let's Encrypt & HA Proxy
19:24 Reporting

Comments: 268
@jordancalhouncom 3 years ago
"Sounds really compelling until you have to use it" - this statement cannot be overstated for Unifi gateways
@LAWRENCESYSTEMS 3 years ago
Yeah, that is true for so many products but especially the UniFi routers.
@databeestje 3 years ago
So I tried to configure a USG in 2019 to a comparable state to the Draytek Vigor 2862 routers we used in shops at the time. Things that didn't work as expected.
- WAN Failover didn't work as expected, failback never happened
- IPSec tunnel can only be connected to one WAN, no failover.
- DynDNS tied to single WAN, no failover
- Firewall rules through Controller were interesting
- Remote Provisioning often killed the box
- Didn't work properly with PPPoE for DSL
- No support for 4G modem (not even Pro)
- Raspberry Pi 4G Bridge on WAN2 worked, however, see point 1
At that point I just gave up on it. The unifi controller worked fine for the APs and the Switches with provisioning for ~80 sites. The USG just wasn't complete enough.
@DATApush3r 3 years ago
I found the same to be true with TP-Link Omada. Makes sense considering it's almost a clone of the Unifi system.
@edwinkm2016 2 years ago
@@DATApush3r clone, or did they just steal the codebase? So they have the same technical dependencies (deprecated mongo), the same (lack of) features. And now you are telling me they have the same bugs?
@engrpiman 3 years ago
I have run pfsense in a business and while it is affordable it's also had some reliability issues. Mainly it kept dropping its ipsec vpn. This was 3 years ago. While 3 times more expensive the Cisco ASA had no such issues and just worked. It does take cisco knowledge to set up an ASA they are very reliable. When we got our first Cisco ASA and switch it took me forever to get it configured but the more I learn and use them the more I appreciate them. I was in the medium business segment and because of an acquisition I'm in the billion dollars a year enterprise segment now.
@connclissmann6514 3 years ago
A most useful summary as we are in the market for replacements of our fast-ageing firewall at a couple of locations.
@BrennonA 3 years ago
Covered most of the ones I've been looking at - thanks for the overview 👍
@Adrayven 3 years ago
UDM Pro - GeoIP filtering is a Yes (no longer beta) with current release, works well. I selected most of Europe and Asia lol. Also, though not on the list, Multiple IPs are now supported as well.
@leonardogyn 3 years ago
Hey Tom... haven't tried yet, but at least from UniFi Controller 6.2 release notes, it seems timestamps were finally added to the DPI stats. If it works as expected, DPI can finally be somehow useful and not just a beautiful report gimmick!
@Noodles.FreeUkraine 3 years ago
I'd really love to see a side-by-side comparison with pfSense and OPNsense, still can't figure out why people choose one over the other (company politics aside, I mean technical reasons).
@southseapirate1 3 years ago
This please! Came here hoping to exactly this.
@rpsmith 3 years ago
I support both however I really don't like OPNsense's GUI. For me, pfSense's GUI is much easier to navigate. You could make the argument that OPNsense is more secure but the user interface killed it for me. So I think it all boils down to which one you like best. They are both great firewalls and you can't go wrong with either one! One side note: You will find way more online help for pfSense!
@MichaelSmith-fg8xh 3 years ago
The UI: they have largely the same functionality, just categorised differently in the menus (I prefer PF mildly but I’m less error prone in opnsense). OS major release: Opnsense is generally more up to date. Perf: can sometimes be up to 10% different. Driver support: slight difference e.g. needing to add a few config lines to support chelsio cards. DHCP WAN: more configurable in opnsense (to the point I couldn’t get pf to do ipv6 with my old isp). Site/Ad blocking: DNS based in Opnsense, firewall based in pf but both can use the same block lists. This is just what I saw but I’d be curious to see comments on the different base OSs
@Noodles.FreeUkraine 3 years ago
Thanks guys, really appreciate the feedback! 👍
@Totototo-nr8dh 3 years ago
Easy, OPNsense is based on HardenedBSD. So the OS is basically more secure than all the others. More frequently updated. End of the story.
@fonte935 3 years ago
All in on Ubiquiti routing sucks. Love it! Hopefully you're the first person they send a new review unit to if they ever fix it one day.
@fourtwanky 3 years ago
Wouldn't it be great if Ubiquiti just abandoned their router os and adopted opnsense as their os base instead
@SuperChristopher187 2 years ago
I really appreciate your videos, this gives me so much information to be able to make good decisions on what I should use and what is the use case for each product. Love all of your content, best regards from Germany. :)
@LAWRENCESYSTEMS 2 years ago
Glad I was able to help.🙂
@-Good4Y0u 3 years ago
The video I have been waiting for.
@sms9106 3 years ago
That was a nice little summary, thanks.
@bradforrester2417 3 years ago
Great video, but you should add a line for comparing logging capabilities, because troubleshooting network issues and firewall rules is often complex, and that's where the Unifi gear fails hard.
@_MattyP 3 years ago
Great video! Awesome team! Video suggestion: ISP failover setup with recommended routers Untangle and Netgate (i.e. wired-wired and wired-cellular).
@fourtwanky 3 years ago
If he does that, he should include peplink as a solution provider too! Their whole product line is developed around multi-wan and failover support.
@salat 3 years ago
There's a Wireguard addon for UBNT's ER - you just have to install it manually
@jeffm2787 2 years ago
Gave up on my SG-3100 for my primary firewall, It just couldn't handle gigabit at all well. Used a USG which did handle gigabit at full speed. Running a UDM Pro now and yes I'll admit that PFSense has some serious advantages. For PFSense just don't be sold on the third party add-ons as a reason to buy (or use). Been using PFSense for about 10 years now and what I found is the third party add-ons often break with 'updates'. PFSense on good hardware works great, just don't count on the add-ons long term (or never update).
@IndianaDiy 2 years ago
Are Protectli vaults just as good for running Pf Sense vs Netgate? Just curious since there’s a price difference and I do see some added security as far as hardware goes. I was looking at VP2410 with coreboot and I wondered if having TPM module is worth it or not?
@EmilePolka 3 years ago
Qotom nowadays runs a mobile based 7th gen intel processor on it. It's power efficient and powerful enough to handle gigabit PPPoE WAN connection.
@GodBreathed77 3 years ago
I just got myself a fortinet super happy about it
@RobbyPedrica 3 years ago
A proper firewall
@krisdphillips 3 years ago
Excellent video! One correction: OPNSense offers both the WG Go and kernel implementation now. However, I think the Go version is currently default. There is an option to flip flop between them though. pfSense's support for WG will also be a package and not "built in" like IPSec and OpenVPN. It will be available in the Package Manager in 2.6.X and can be unofficially installed now on 2.5.1+.
@LAWRENCESYSTEMS 3 years ago
Interesting, did not know they had a kernel module as well.
@krisdphillips 3 years ago
@@LAWRENCESYSTEMS It's not default, but it's in their repos/as an option. It's the same module for FreeBSD AFAIK that pfSense will use (which makes sense since they're both BSD-based). Sounds like they ported it to HardenedBSD and into the HardenedBSD repos. On OPNSense you just have to run "pkg install wireguard-kmod" and reboot. The web UI works exactly the same with the kernel module as the Go implementation. The only "gotcha" is the Wireguard service always shows as stopped because it is trying to monitor the Go implementation running in user space that no longer exists, so it always shows as off. Apparently that will be fixed in future releases, but is the only weird functionality difference.
@mattschoular8844 3 years ago
Thanks Tom...Always interesting...
@myonen4402 1 year ago
The only home brew firewall/router I've worked with is ipfire and I've been incredibly happy with it. I would love to see a comparison that included it.
@wiseguy3k 3 years ago
Thanks Tom!
@TheJoBlackos 3 years ago
I tried Untangle for a year. I did not find it easier than pfsense, even if I was not familiar with both at the beginning. The deal breaker was when I tried to set up time based device management, I was unable to make it work properly on Untangle. I have no problem on pfsense.
@MrBobbybrady 3 years ago
I found the break and inspect worked surprisingly good on Untangle but it was always a pain in the butt to troubleshoot which module was blocking what. This year I will roll with Opnsense and Sensei until something better comes along.
@mariotubelecce 3 years ago
I have both openvpn and wireguard setup on my edgeos(edgerouter 3 lite). Not something impossible to achieve, at least for someone who "needs" an advanced router.
@faisalalotaibi1098 3 years ago
how did you install wireguard on edgerouter ??
@grillsandaxlegrease3578 1 year ago
Can PFSense be run on Zyxel's products? I have an ATP100 that suddenly goes into reboot. Thinking maybe their software is causing the problem... Or should I try that Netgate and ditch Zywall forever?
@jasonlauzer 3 years ago
Edgerouter has Wireguard and Geo Filtering. They are command line installs but works perfect!
@LAWRENCESYSTEMS 3 years ago
My point is neither are officially supported by Ubiquiti
@mervstar 3 years ago
I wonder how these compare to ClearOS. I'm using ClearOS right now for a school and for the most part it works well but I'm looking to simplify my life (without losing functionality) and trying to find a suitable replacement.
@arubial1229 3 years ago
Whenever people ask me why they should use pfSense, I always just point them to Tom's comparison videos. Company issues aside, pfSense is the best firewall I've ever used. It's so easy to setup and very powerful at the same time. Unifi makes excellent switches and WAPs, but you literally couldn't pay me to use their firewalls.
@rockking1379 3 years ago
Wow perfect timing as I’m looking to replace my ERX
@looseycanon 3 years ago
Don't dispose of that ER-X in any way! Reconfigure it. The thing can work in switch mode.
@shanelord1666 3 years ago
You really need to check the Firewalla Gold out. No ongoing license fees but extremely capable device. My go to over any of these - just as secure but dramatically easier to use.
@LAWRENCESYSTEMS 3 years ago
really not interested at this time.
@shanelord1666 3 years ago
@@LAWRENCESYSTEMS That’s a real shame. I’ve tried all of the products you’ve tested out and it’s not my day job. Takes 5-10mins to read about a product rather than dismissing it out of hand.
@LAWRENCESYSTEMS 3 years ago
@@shanelord1666 I did not say that I did not read about it, I said I was not interested in using it, which is because I have read about it.
@LAWRENCESYSTEMS 3 years ago
Firewall Comparison Chart
docs.google.com/spreadsheets/d/e/2PACX-1vRRy9MWXbh7gZIrMVFjRPOIitAku91yfndZIHU73gsgtdaUOdnpcxsN2FF8Jt3OCRFB2opQQw22D7C_/pubhtml
List of our pfsense tutorials
lawrence.technology/pfsense/
Untangle Firewall Web Filtering & SSL Inspection
kzfaq.info/get/bejne/h5N6hK2h1M3OgX0.html
Untangle Firewall Review
kzfaq.info/get/bejne/jb-YgsqCnbDdiX0.html
pfSense Plus 21.02 and pfSense CE 2.5.0 Features, Updates, and Changes
kzfaq.info/get/bejne/e5Z7i8RqqaveaKs.html
⏱️ Timestamps ⏱️
0:00 Firewalls We Recommend
2:08 Firewall Comparison Chart
5:08 Central Firewall management
7:04 OpenVPN Support
9:52 IPSEC/L2TP VPN Support
10:40 Wireguard VPN
11:18 Policy Routing
11:54 IPS/IDS systems
13:25 DNS & GeoIP Filtering
14:04 Web Filtering & SSL inspection
16:12 QoS Traffic Shaping
16:34 WAN Failover / Load Balance
17:21 Active Directory
17:59 Captive Portal
18:40 Let's Encrypt & HA Proxy
19:24 Reporting
@Fearnight 3 years ago
What was that Advanced Client Settings in pfSense OpenVPN Client config at 8:20? Is that a package that adds that? My config doesn't show it (2.5.1) and I've been looking for a way to specify DNS servers just for my VPN client.
@LAWRENCESYSTEMS 3 years ago
It's towards the bottom under the client can fix settings
@kciwrc 3 years ago
Can you substitute the built in firewall from Ubiquiti for the pfsense one?
@LAWRENCESYSTEMS 3 years ago
I don't understand the question? Unless you are asking if you can load pfsense on the Ubiquiti then the answer is no.
@samsampier7147 3 years ago
You can run both if you set up the network and switches correctly. I use an Edgerouter lite behind my Pfsense.
@KristianKirilov 3 years ago
MikroTik can act as firewall, router and switch very well. The devices and the license are cheap. Unfortunately many of the advanced topics such as WAF, SDN are missing.
@KristianKirilov 3 years ago
@S K Actually MikroTik is Linux based, so if you know how to do the things in Linux you will know how to do them in MikroTik as well
@KristianKirilov 3 years ago
@S K yeah, you are right about the cli learning curve. If you are familiar with Cisco, you can try VyOS - Debian based routing platform with Cisco cli interface
@fourtwanky 3 years ago
Regarding reviewing OPNsense, I know you don't plan to, you say that all the time. But, I really wish you would anyways.
@jdl3408 3 years ago
Anything with application based filtering? I know a PA-220 starts to get into the same price range as these platforms, but it would be nice to have a more SOHO friendly platform with L7 policies. Edit: It looks like Untangle supports this while pfSense does not, seems like a big omission from the video.
@MichaelSmith-fg8xh 3 years ago
Opnsense has application specific/level rules
@tqnpersonal 2 years ago
@@MichaelSmith-fg8xh wait, it does?
@avvidme 3 years ago
Also, great review but also wish you included Firewalla since it's popular in this segment as well.
@LAWRENCESYSTEMS 3 years ago
It's a home user device that I am not really interested in.
@avvidme 3 years ago
@@LAWRENCESYSTEMS The Gold is a 4-port 1Gb w/content filtering, VPN (w/WireGuard), App blocking, QoS w/rate limiting, Multi-WAN w/failover, policy routing and VPN. Certainly more usable 'business' features than Ubiquiti which you're covering
@LAWRENCESYSTEMS 3 years ago
@@avvidme So you are saying I should have it in my list of firewalls we don't recommend like the Ubiquiti ones?
@avvidme 3 years ago
@@LAWRENCESYSTEMS Hahaha exactly!! ;)
@johnburger6774 3 years ago
Nice Ch. I need a suggestion on firewall slash router like the usg . It will be used in a small restaurant. Thanks for any help.
@looseycanon 3 years ago
I for one always thought that vendor should be selected in accordance to expected deployment.
PfSense? HQ and data center.
Untangle? Why pay a fee, when you can have something very similar for free?
EdgeRouter? Anywhere you have need for decent router with decent features.
UniFi? Well, hotels, motels and places, where you can't have a tech on the count of their smallness. Not UDM lineup!
Mikrotik? If your staff likes to suffer or you have some very niche use case, like LTE connection, that actually needs site-to-site VPN support
TP-Link? If you need a breach.
There is no shame in going multi-vendor. As long as it gets the job done within the budget
@DustinSCline 3 years ago
Untangle's firewall rule management, lack of firewall explicit deny rules and device pricing structure make it hard for me to get onboard.
@wicked_observer 3 years ago
Protectli has been great for me
@fourtwanky 3 years ago
me too! love those guys
@soldermecold7456 3 years ago
UDM Pro ... I was hoping to hear better things about VPN reliability to a USG
@blgari0n 3 years ago
Do you feel that OPNSense can’t match pfSense/Untangle feature wise or did you leave it out because it felt redundant given the firewalls you’re comparing? Just curious because I’m not happy with the direction pfSense is heading towards and OPNSense looked fine on the VM I set up for it on my test environment.
@joevining2603 3 years ago
He doesn't recommend OPNSense because it's a fork of pfSense
@blgari0n 3 years ago
@@joevining2603 I’ll have to watch the video again, I totally missed that comment. Thanks Joe!
@joevining2603 3 years ago
@@blgari0n It's towards the end. He's also made this same opinion known in several other videos throughout the past couple years.
@freebs3545 3 years ago
@@joevining2603 to me he's biased about that
@joevining2603 3 years ago
@@freebs3545 It's just his opinion and as he plainly states - it's just not compelling enough for him to switch/add to his hardware offerings. It's not like he's only dealing with a test lab and a handful of clients. He's using what he knows works well for a large client base. Nothing to stop you from using what you want in whatever context suits you.
@Huck9000 3 years ago
I think the way PFSense is moving to PFSense Plus, and PFSense CE tells the whole story. That really bothers me going forward. Plus will be in their Netgate products, and not be open to others until late 2021. I'm going to switch to OPNsense, just because it will be the safer way to go until maybe 2022. PFSense has been great for years, but Netgate is going to screw it all up. I'm not panicking or anything like Tom suggests, but I do believe it's the way to go.
@shannon1872 3 years ago
I was looking at untangle but noticed the home went from 50 a year to 50 for normal and 150 for pro. Would pfs still be a good option for home use ?
@LAWRENCESYSTEMS 3 years ago
If you like the filtering features and threat intelligence systems, then yes.
@goofables4949 3 years ago
Nice video!
@LAWRENCESYSTEMS 3 years ago
Thanks!
@easy1965 2 years ago
how will the new UXG-PRO hold up with this comparison? thank you for your videos.
@LAWRENCESYSTEMS 2 years ago
Still a very basic firewall kzfaq.info/get/bejne/edqAdMqbnavMd4k.html
@sandman8700 2 years ago
After 2:25 into your review, looking at the table I knew where this was going as there was only one recommend.
@Joshv918 3 years ago
Edge router does have wireguard btw. I use it a lot..
@LAWRENCESYSTEMS 3 years ago
yes, but not officially supported by Ubiquiti
@garybowers5724 3 years ago
@@LAWRENCESYSTEMS Indeed I run it on Edge Routers (x2 ER4 + x1 ERLite) and upgrading the firmware is always a fun time.... I have to make sure I have a backup VPN (IPSec etc) just to remote in to be able to re-install the package. Having said that, it's been bulletproof: I have x3 Wireguard interfaces
WG0 - Site to Site interfaces with CIDRs routed between 3 sites
WG1 - Remote Access from client devices
WG2 - Site to Site to Google Cloud with WG running on a GCE Instance.
Once WG is fully supported on pfSense I am looking to start migrating over from EdgeMax (I expect EdgeMax line to disappear at some point given their focus on Unifi)
@zackbog 3 years ago
how is the edge router geared towards ISPs but doesn't have IDS/IPS or any of the other filtering protocols
@LAWRENCESYSTEMS 3 years ago
ISPs are generally not into filtering content and cheaper gear fits the budget better.
@TylerCordaro 3 years ago
I would love to know which performs the best for people with 1gig internet.
@MichaelSmith-fg8xh 3 years ago
Two of the options are available on multiple hardware levels so you could up your hardware to get the required performance. It’s not really expensive/hard to put enough hardware under PF to route at even 10gb (assuming just routing, not packet inspection or anything too strenuous). If you choose a good network card with pf the resource usage is very low…
@theparadigm320 3 years ago
Hi Tom, have you had a look at the Sophos XG series, they also have a Free Home version with all the bells and whistles one could desire
@LAWRENCESYSTEMS 3 years ago
Took a quick look, nothing compelling about it to make me want to learn it or use it.
@Bobtb 3 years ago
@@LAWRENCESYSTEMS that's just silly. It checks all boxes, except Wireguard (for now) and it is completely free for home users. It is a solid firewall with Enterprise grade features.
@LAWRENCESYSTEMS 3 years ago
@Bob ten Berge I am not telling people not to use it, there is just nothing compelling about it to make me want to learn it or use it.
@Bobtb 3 years ago
@@LAWRENCESYSTEMS but if you're going to compare free firewall solutions, why not include it? I'm sure there are plenty of viewers who would be interested.
@LAWRENCESYSTEMS 3 years ago
@@Bobtb doubt it, but I do have plenty to say about Fortinet kzfaq.info/get/bejne/o5qIkqZ2z6m8dZc.html
@Salad360 3 years ago
You technically can do "web filtering" on the Edgerouter...sort of... So long as a website or service is recognized by its traffic analysis engine, you can create firewall rules which block packets based on traffic analysis categories. That being said, there are A LOT of services that it doesn't detect, in which case you're SOL. It works for blocking Facebook, Twitter and other "Top 500" websites but beyond that it's pretty limited.
@Joshv918 3 years ago
Edge Router is still my favorite.. UNMS/UISP.. has me stuck with them. Plus they are pretty powerful for the price
@guyboisvert66 2 years ago
For 69$, you can get a Mikrotik hEX-S you get enough horsepower and a professional OS that supports anything you can imagine: OSPF, Wireguard, MPLS, Mangle, etc As a 30 years Network Engineer, for me it's the best management interface: CLI / WEB / Winbox
@guyboisvert66 2 years ago
... and for 219$, you get the RB4011igs_rm that has 10 x 1 Gbps ports + 1 x SFP+ and a beefier cpu + more RAM!
@brockeldridge9877 3 years ago
You should review Firewalla Gold. Pretty nice product.
@LAWRENCESYSTEMS 3 years ago
not something I plan on using or reviewing.
@mtheofy 3 years ago
@@LAWRENCESYSTEMS just curious on your reasoning. thanks
@LAWRENCESYSTEMS 3 years ago
@@mtheofy Does not have any compelling feature that makes me want to use it over other devices.
@mtheofy 3 years ago
@@LAWRENCESYSTEMS fair enough. thanks
@Noodles.FreeUkraine 3 years ago
Yikes, they don't even offer a web portal to configure things. I'd rather deal with a terminal than fumble around with an app all day. No idea what led to that idea, but I wouldn't touch it with a ten-foot pole for that reason alone.
@FunkyELF 3 years ago
How about a TailScale vs WireGuard video ;-) I'm currently running WireGuard on my UnRaid server. Apparently WireGuard can be run on a USG but not officially supported. I'm curious about TailScale though.
@2622benttrailok 2 years ago
TailScale vs Wireguard is not really a comparison because TailScale is in basic terms a pretty Authentication and ACL wrapper around WireGuard.
@Techtips200 3 years ago
Please also review Allot dpi products
@manuelthallinger7297 3 years ago
Not having every feature others have isn't necessarily a bad thing. The thing which sucks with the USGs is, there is no development, no new features
@matth9040 3 years ago
Tom, can you do an Untangle setup tutorial?
@LAWRENCESYSTEMS 3 years ago
I have a review video here kzfaq.info/get/bejne/jb-YgsqCnbDdiX0.html what exactly did you want to know?
@matth9040 3 years ago
Thanks for the reply, I'll check it out. I was trying get some basic network segmentation with web filtering on one of the VLANs.
@bparisi 3 years ago
I haven't watched this video yet. But based on the title it doesn't seem to include any of the Sophos offerings ? I migrated from pf to Sophos UTM initially and now XG. Never looked back. Anyway, that's a shame because Sophos is a far more sophisticated all integrated package.
@Crazy--Clown 3 years ago
Sophos = Syphillis
@bparisi 3 years ago
@@Crazy--Clown Reasons ? Hasn't been my experience as I have used both for over a decade.
@avvidme 3 years ago
As a Ubiquiti reseller, do you have any insights into a) do they realize what a PoS their firewall is? and b) do they plan on ever releasing something usable?
@LAWRENCESYSTEMS 3 years ago
We are not a reseller and I have no insights into why their firewalls are so bad or if they will fix them.
@paultruzzi911 3 years ago
So, why isn't mikrotik mentioned?
@backupplan6058 3 years ago
Because he can’t go through every possible option, he is showing what he has personally had experience with as to not give a wrong impression. MikroTik gives plenty of features for the low price but you pay for it with stability.
@paultruzzi911 3 years ago
@@backupplan6058 I wasn't asking for a review of MikroTik. But a mention that it exists would be helpful for those of us looking at our options.
@backupplan6058 3 years ago
@@paultruzzi911 you mean along with the dozens of other potential options as well. I say again, he only was covering those in which he has experience with. Mentioning it wouldn’t do anyone any good and from the sound of it you have already made up your mind on what you are after.
@ricardomarques748 2 years ago
Thank you for your videos. Could you review the firewalla gold? That firewall is getting very famous
@LAWRENCESYSTEMS 2 years ago
It's a consumer firewall and I don't use it
@Phitur1 1 year ago
@@LAWRENCESYSTEMS I'm not sure that's a true statement at this point. Their management interface could certainly be better for business needs, but as their software matures, they are getting much better. They're also coming out with a hardware upgrade on the gold with faster links and faster throughput. Their hardware was already superior in terms of throughput to the untangle appliances you've been reviewing before the upgrade at slightly higher price point and all the functionality with no subscription fees and a CI/CD process that takes user input and acts on them in a reasonable timeframe, as opposed to some other vendors.
@slip0n0fall 3 years ago
I understand you can't cover them all but surprised Zyxel Zywall/USG line never gets a mention.
@looseycanon 3 years ago
I recall, that Tom once talked smack about Zyxel in errata... And there was a major breach over at Zyxel a while back... So, I'd say, that they're really not usable...
@LAWRENCESYSTEMS 3 years ago
Zywall has had multiple back doors found arstechnica.com/information-technology/2021/01/hackers-are-exploiting-a-backdoor-built-into-zyxel-devices-are-you-patched/
@lebeyes 3 years ago
The OpenVPN implementation on USG is crippled. I got a site-to-site VPN from a USG to a pfSense working only with cipher BF-CBC and auth SHA1. The USG does not support AES-256-CBC and SHA256.
@gtwannabe2 3 years ago
The base USG is crippled by its slow, crappy MIPS processor. Ubiquiti really needs to retire the product; it can only manage 85Mbps of throughput with IDS/IPS enabled.
@rashie 2 years ago
👍👍
@tuttocrafting 3 years ago
Unfortunately finding a CPE for my needs is actually impossible. Here ISPs are migrating to IPV6 and are using Map-t and Map-t so far none support it. A firewall comparison without any mention on IPV6 in 2021 is a shame. In 2021 1/3 of the traffic is on IPV6.
@techdigitalgroup 1 year ago
Do you recommend watchGuard?
@LAWRENCESYSTEMS 1 year ago
Not really.
@DanielAwesomesauce 3 years ago
I really wish you gave OPNSense some more attention. I know you prefer to talk about products that your company uses daily on customers networks but OPNSense is just much better than PFSense. PFSense is a bad steward for open source and OPNSense fixes that. Also, there is a lot of features and usability missing from PFSense (such as wireguard) which has been in OPNSense for very long.
@DanielAwesomesauce 3 years ago
I just finished the video and saw your reasoning that OPNSense is just not that different. Well how do you know when you haven't tried it recently? Just try it and review it, not as "This isn't like pfsense" but as its own standalone product. Seriously, just drop PFSense.
@LAWRENCESYSTEMS 3 years ago
use what makes you happy.
@rob21 2 years ago
This post didn't age well
@lightingman117 1 year ago
Can you look into Firewalla?
@jlficken 3 years ago
Untangle L2TP Site-to-Site to a USG Pro does work. It's just not as clean as I'd like. We do transfer ~100GB/day though over ours, which has 5 different tunnels, and it is very, very reliable.
@BlackHawk1335 3 years ago
We should add Mikrotik to this list. It can cover most of the things here.
@LAWRENCESYSTEMS 3 years ago
Between their convoluted interface making them more difficult to configure and lack of any amazing features over something like pfsense besides being low cost means I don’t really have a compelling reason to learn their platform.
@joseroda5863 3 years ago
I understand your whole point about not looking at opnsense. But then this argument kind of loses weight for me when I see you taking the time to review tplink. Don't know... I am somehow looking forward to you looking at opnsense at some point. It does offer a lot of compelling facts, such as integration with Sensei, which pfsense doesn't have, and other things like wireguard today, search box, cleaner user interface, and so on.
@LAWRENCESYSTEMS 3 years ago
Sensei is the only feature that makes Opnsense interesting, but we use Untangle for people that want that type of filtering. I reviewed TP-Link because they cloned UniFi to such a degree that it was interesting. Overall though, me not making videos has not stopped people from using it and I don't tell people not to use it. I just don't find it that interesting.
@michaeluray 2 years ago
Did you actually ever look at the Endian Firewall?
@LAWRENCESYSTEMS 2 years ago
Not in recent years. It does not have anything that makes it compelling vs pfsense or Untangle.
@earthling_parth 3 years ago
Do you have a beginner's guide to homelab setup? I really liked this, but am a beginner on setting up my homelab with a decent old laptop 😅
@keyboard_g 3 years ago
He has a home lab podcast with @LearnLinuxTV
@earthling_parth 3 years ago
@keyboard_g yup, saw it now. Going through that
@MichaelSmith-fg8xh 3 years ago
You can run pfsense/opnsense in a vm if you want to learn before using hardware
@peterg7342 3 years ago
UDM PRO supports only 1 VPN L2TP user concurrent session. When I tried to connect two L2TP VPN users I would get disconnected.
@LAWRENCESYSTEMS 3 years ago
More likely a limitation of L2TP. You cannot have two users behind the same IP address.
@peterg7342 3 years ago
@LAWRENCESYSTEMS What VPN should I use if I need multiple users behind the same IP address?
@LAWRENCESYSTEMS 3 years ago
@peterg7342 OpenVPN with either pfsense or Untangle.
@303topgun 3 years ago
We just deployed Cisco Meraki MX100 firewall. Roughly, 5k to 10k. Not Cheap
@soldermecold7456 3 years ago
Dang... sorry to hear. We switched from Meraki to Fortinet and it’s so much better
@swiftswamp4599 3 years ago
You do a lot of really good and in-depth reviews and with how knowledgeable you are and how large you've gotten, I presume you must have obtained a few certificates over the years (I.e. CompTIA, Cisco, AWS, etc..), any chance you could make your own video going over your thoughts on getting the cert, is it worth it, etc?
@fonte935 3 years ago
Geekiness and experience beat certs any day.
@LAWRENCESYSTEMS 3 years ago
I have a video about that here kzfaq.info/get/bejne/e8qAg7uDu7iad6c.html
@swagger1262 3 years ago
Mikrotik?
@LAWRENCESYSTEMS 3 years ago
I don't use their firewalls
@swagger1262 3 years ago
@LAWRENCESYSTEMS I was in pfsense, USG, and EdgeRouter. Steep learning curve in Mikrotik but when you do, it basically can do anything
@KaloyanDobrev 3 months ago
If you don't include Mikrotik solutions you should probably include Windows firewall :)
@The0nionKnight 3 years ago
Opnsense gang
@LAWRENCESYSTEMS 3 years ago
Use what makes you happy 😀
@fabianbence5289 3 years ago
Next time could you please add some mikrotik routers too?
@LAWRENCESYSTEMS 3 years ago
Nope, I don't have a use case for learning them at this time.
@kiwiscanwifi 3 years ago
Was surprised mikrotik routeros was not included. Ticks almost all the boxes
@tjhana 3 years ago
No Mikrotik in the comparison?
@LAWRENCESYSTEMS 3 years ago
I don't use their firewalls
@NiTeHaWKnz 3 years ago
Honestly, just skimming your comparison list, it's easy to see why you don't recommend the Ubiquiti routers/firewalls.
@tld8102 2 years ago
OpenWRT Raspberry Pi?
@pierrepaniagua 2 years ago
What about firewalla?
@rsgurubr 2 years ago
Do you recommend FIREWALLA?
@LAWRENCESYSTEMS 2 years ago
It's an interesting consumer product, but I don't really have the time to test it now.
@GadgetWasteland 3 years ago
pfSense is still running strong on the netgate 3100. Can't really complain about it too much :)
@randleqgod 3 years ago
What are you using for switching?
@GadgetWasteland 3 years ago
@randleqgod Ubiquiti UniFi 24 port switch. I've had no issues. I could have gone the Cisco route and just configured everything manually, but I like the Ubiquiti interface slightly better.
@chai_reddy 3 years ago
Why do you never include Sophos in these comparisons?
@LAWRENCESYSTEMS 3 years ago
Because I don't use it
@luispagan1566 3 years ago
Firewalla
@MrAwesomeGamer99 3 years ago
Do some real NGFWs: Palo Alto, Fortinet, Cisco Firepower, etc
@LAWRENCESYSTEMS 3 years ago
What makes Fortinet better than Untangle?
@jediking2000 3 years ago
@LAWRENCESYSTEMS Hardware acceleration, built in WAP controller, built in switch controller, enhanced threat intelligence, SSL VPN, etc....
@MrAwesomeGamer99 3 years ago
@LAWRENCESYSTEMS I have a list of reasons but here are some of them. The immediate difference between Fortinet FortiGate and any other major FW vendor is that they have purpose built ASICs that handle multiple security functions of the FW. Which is why FortiGates are one of the fastest FWs on the market (protected throughput). With this and their high rating on 3rd party reviews from companies such as Gartner, NSSLabs (when they were around) and others you will immediately see the benefit to Fortinet's firewall and why they are leading in the market. With their intuitive GUI, plethora of FW features, their security fabric**, leading protected throughput speed in the industry, they come to the lowest overall TCO for the features they come with. Which is why they are not only further ahead than Untangle but leading in the market overall. I highly recommend looking up the latest Gartner Magic Quadrant
@LAWRENCESYSTEMS 3 years ago
@MrAwesomeGamer99 Sounds like lots of marketing speak to me. Also, since Gartner is reviewing them, don't see a need for me to do so.
@Joshv918 3 years ago
Hurts to not see the edge router there.. still my favorite..
@Joshv918 3 years ago
Ouch, just saw the edge router in the spreadsheet. Sorry..
@SpookyLurker 3 years ago
@Joshv918 Apparently your eyes decided to try and save you from the embarrassment it secretly is? I tried routing stuff on one once a certain way. The way I understood it, it was supposed to work.
@Jazz3006 2 years ago
Where would Sophos XG come into play here?
@LAWRENCESYSTEMS 2 years ago
Dunno, I don't use it.
@Jazz3006 2 years ago
@LAWRENCESYSTEMS Any particular reason?
@LAWRENCESYSTEMS 2 years ago
@Jazz3006 Nothing compelling about it.
@Jazz3006 2 years ago
@LAWRENCESYSTEMS Huh, for some reason my roommate slanders pfsense, but pushes Sophos. I don't really understand why.
@LAWRENCESYSTEMS 2 years ago
@Jazz3006 ¯\_(ツ)_/¯
@DJaquithFL 2 years ago
Maybe a dumb question but why not just lockout / block the entire internet and just whitelist the sites that are needed for your business?
@LAWRENCESYSTEMS 2 years ago
It's just not a practical usable solution.
@Phitur1 1 year ago
This is a great approach if you're using web filtering to allow specific domains and have the resources to have someone manage that on a daily basis. However, it does require quite a bit of management to implement properly and ensure that you aren't inadvertently blocking valid business needs. His comment that it's not a practical solution is because it requires quite a bit of overhead to manage properly. But, based on your use case and business needs, this could be a good option for portions of your users or network segments. Would require a lot of work on the front end and should get easier over time.
@DJaquithFL 1 year ago
@Phitur1 .. I didn't want to argue with him, but it's a hell of a lot easier than he thinks or believes apparently. Most businesses only need to be involved with a very small number of companies via the internet from outside their office. This becomes even more apparent from a larger company when you have to look at the small cost of hiring a good network administrator or paying ransomware demands. The proverbial drop in the bucket in comparison. We did something like this nearly 30 years ago. There was no reason for staff to use 99.9999999% of the websites and frankly, most businesses outside of their email have little to no need whatsoever for outside access. The text-only emails would be allowed but the links and attachments would be blocked in most cases.
@mimimj9952 2 years ago
What is he saying I'm not tech savvy at all as he explains I'm more confused for future reference people do know the abbreviation lpt, to stf to jol I don't know anything like most simplify then get complicated. But simplify for like half a hour on what abbreviation prevent what in the internet.
@pepeshopping 3 years ago
Missing at least 2 respectable offerings.
@ojarana 3 years ago
OPNSense?
@gonace 3 years ago
If you take a look at the video to the end, he answers your question ;)
@thbadmin7751 3 years ago
Firewalls again?
@ericb9511 2 years ago
Nothing about Linksys?
@LAWRENCESYSTEMS 2 years ago
I don't really test the low end firewalls.
@ericb9511 2 years ago
@LAWRENCESYSTEMS Matter of opinion what's low or high. When you have to pay subscription fees for a firewall it's not a good thing
@Acxtcx 2 years ago
please include openwrt
@LAWRENCESYSTEMS 2 years ago
I don't use it