A silly Question, is there a better alternative to pfsense for home use?

vl1969

Here are the thoughts,

I was looking for help on setting up pfSense at home. simple setup for now.
I have ISP modem --> to wireless router --> house network.
on the house network I have a second Wireless router in AP mode to extend range.
an HTPC (Linux Mint 18 on Intel NUC )
an Office Computer (Linux Mint 18)
Network Printer
2 laptops
2 smart phones

Plan to add a Proxmox Server with several VMs, and maybe a couple security cameras just for fun.


my wants are :
Replace my ISP router with a pfSense or alternative setup.

so idea for new setup is

ISP modem(WAN) --> connected to pfSense/alternative PC (FireWall(FW))
after that, FireWall PC LAN port plugged into switch, making it a router/DHCP/DNS/Gateway/firewall
into switch plugs in all other devices including wireless router in AP mode or real AP device.

now how do I secure all of this, so wireless devices can use the internet but not anything else on LAN
but some devices do need to access my server and shares.

is pfSense the best for this setup?
is Zentyal a good alternative?
NethServer ?

please drop me some ideas here

thanks vlad.
 

cactus

I have used pfSense and some other distros at home, but am back to just using EdgeRouters. (five including family) They are low power and little hassle; something I can set up and forget. When I did have a lab at my house, I tried to put the whole network behind a pfSense VM, but that meant I could never take the host down without losing internet.

Also, not saying the EdgeRouter is the best, it is just what I became comfortable with and they were at a good price point at the time. pfSense has the SG-1000 and the SG-3100 which are low power and get you pfSense.
 

nkw

... EdgeRouters ...
This is what I usually end up doing anywhere there is not a need for a fancy router (which now is pretty much any site that doesn't run full BGP in my opinion). I've even started moving smaller sites over to the Ubiquiti USG. They can route/firewall/nat line rate gigabit just fine and I've grown to like the centralized GUI management that the Unifi controller provides -- but that could just be because I'm old and lazy.
 

K D

The edgerouter devices are awesome and can be tucked in anywhere. I still use an edgerouter-x that I got for 30 bucks from my local microcenter.

I personally use unifi devices. Set them up for a couple of family members for whom I provide tech support. The ability to completely manage the network from anywhere I am with my phone is real cool.
 

T_Minus

pfsense would work fine for this setup.

My pfsense appliance currently is like 6"x6"x1" it can fit almost anywhere too, is ultra low power, etc... you don't HAVE to use an old PC for pfsense... you can use some rather expensive high-end mini hardware nowadays too :)

Amazon Search or Google: pfsense appliance or pfsense device
 

am4593

if you're just looking for alternate firewall software there is also Untangle. It's Linux based, more user friendly than pfsense, or so they say.
 

Pri

My personal opinion is that pfSense is the best option but it can be power hungry if you build your own box or costly if you use one of their pre-made systems. Ubiquiti's $99-$299 units are pretty good and easy to use too.

Personally pfSense all the way for me, it's just so good.
 

Evan

I don’t especially like pfSense but newest version is no doubt better, it's not that it didn’t do anything at all that I needed though.

I am using Sophos XG and it also works well and I feel it is more polished in most areas.

Prior to that I used UBNT ERL3 (edge router) and found it very simple to operate and a fine firewall (fast and low power fanless) also, but not with the anti-malware etc. that the pfSense add-in and Sophos can provide.
 

vl1969

thanks everyone for this nice lineup of great answers. I will look over any that sound interesting to me.

let me however add more info.

I did not plan to buy any device. although edgerouter sounds nice, at the moment it is not on the list.

My plan was to setup a dedicated small form factor PC (I already have) with Proxmox.
then run a firewall distro VM on it. the PC I have is a Lenovo SFF with a PCIe 2 port nic added.
so I have 3 Intel Gigabit NIC ports, 6GB RAM and 120GB SSD.

I want to use Proxmox with VM to make it easier to test and switch firewall setups. but I could run it as a dedicated machine too.

I tried Sophos 9 and like it but some things I wanted were missing in Free version.
that is the issue with many distros I have looked over.

pfSense seems to provide the best set of features even on free setup over most.
but it is complicated for me as I am still kind of noobish with Linux and pfSense is not even Linux but BSD so some differences here too.

so since my plan is to run a dedicated but virtualized setup I will try out most of the suggestions here but just wanted to limit myself to most popular and high ranked distros out there.
 

mstone

pfsense's decision to go with freebsd means their hardware support is much worse than the linux-based firewalls. they used to be more of a community project, but they really seem to see themselves as a corporate appliance provider with an open source dump on the side. this impacts their willingness to add anything that doesn't directly improve their own hardware offerings. they seem to be making decisions aimed at making third party hardware less attractive. if you're using pfsense and like it, great. but I don't think I'd choose it over other options for a new project if I had no investment in the platform.
 

Pri

When you say their hardware support is much worse do you mean for network interface cards? - I ask as I've not had or seen any complaints about hardware compatibility before; it seems to work well on all manner of processors and platforms.

The only time I've seen people say it doesn't have good support for their stuff is with those niche SFP+ cards from Mellanox where the user has to install some driver themselves instead of pfSense having native out of the box support.
 

vl1969

What has been missing in UTM9?
Just wondering...
it's not that it was missing but rather free version did not have the options I wanted.

like antivirus, website blocking features,
if you want to use that you had to get a paid subscription.

now I do not mind paying per se, but I do not like a subscription based model on things like firewall OS or some applications I use at home.
when you run a business you can write off legitimate business expense like a subscription needed to run your business. but for home it does not work for me. so I am trying to find something that would do what I want and where I do not have to have a subscription. If I like an app I will donate whatever is suggested or even more but I like to have an option to pay one time and use the thing I pay for.
 

mstone

When you say their hardware support is much worse do you mean for network interface cards? - I ask as I've not had or seen any complaints about hardware compatibility before it seems to work well on all manner of processors and platforms.

The only time I've seen people say it doesn't have good support for their stuff is with those niche SFP+ cards from Mellanox where the user has to install some driver themselves instead of pfSense having native out of the box support.
Well, the most common NICs in low priced gear are from realtek, and they are largely unusable in pfsense. The support for new hardware (e.g., denverton) is slow to roll out. The next version of pfsense is supposed to require AES-NI, which seems like a shot against a lot of common third party pfsense hardware based on J1900. They've been in a dispute with qotom (who sold a lot of J1900 boxes) which may be unrelated, but also makes one wonder what hardware they'll decide to drop next and why. There was a lot of hype about QAT a couple of years ago, and a lot of people ran out to buy QAT hardware for pfsense, then one of the devs said later on reddit they weren't going to release anything that worked on the rangeley QAT platform because there were more third party boards with rangeley QAT than netsense hardware, so it didn't make financial sense for them. None of this is to say that they're evil, just be aware that their goal is to make money, which they've decided to do by selling hardware and corporate support contracts, and that if the free version works for you that's a happy accident. It isn't a community project driven by user contributions or desires.
 

K D

if the free version works for you that's a happy accident
I agree with everything in your post but the above statement. If one is savvy enough to build their own router based on pfsense, then at the minimum they should look at building based on supported hardware. The statement holds good only if you want to just load pfsense on any old equipment that you have lying around and expect it to work. But those kinds of compatibility issues are not limited to pfsense and apply to all software to some extent.
 

BLinux

I know I'm not doing what most people are doing, but that's why I thought I would throw the option out there.... this is only if you're really comfortable with Linux and you mention you have Linux computers; i've been using Linux OSes as network appliances for over a decade so this is what i'm comfortable with and chose to do...

i got myself a cheap N2930 based system that draws like <20W, 8GB RAM, a 512GB SSD for caching and other stuff, and a 32GB USB drive for booting OS. it came with 5x 1Gbps NICs. this doesn't have AES-NI and frankly, I don't need it; I can run half a dozen VPN connections and the CPU is hardly working - I think AES-NI would be great if you need to do more VPN stuff, but that's not my case. i just threw a very stable CentOS7 on it and between netfilter and all the other open source tools available, I'm routing between my 2 internet connections (1x cable modem, 1x gigabit internet fiber), a wireless zone, a dmz zone to my publicly accessible servers, and my internal private network. i have policy routing to manage traffic between my 2 internet connections and I can download Windows or Linux distributions at near 1Gbps from the internet and system is mostly idle. the system is dead quiet and hidden under one of my desks in the home office. i'm very comfortable on the Linux CLI, so it's very easy for me to setup what i need, no GUI is all the better for me as I really don't like web servers running on a network appliance connected to the internet.

I've tried other network router/firewall dedicated OSes and they are all fine, each with their pros/cons. I like CentOS because it is generic, super stable, has very long support cycle, and if I want to add any software on it, it's easy to find packages from the many repos, or setup a CentOS VM to compile/build whatever tools I want to put on the firewall/router and then just upload it. The last part, the flexibility, really appeals to me as I like to tinker and try things, or write my own programs/scripts to do this or that (e.g., I parse my logs for VPN connections and grab the GeoIP and send myself a message) and there's nothing special about doing development for a generic OS like CentOS (or whatever your favorite Linux distro might be).

i know this isn't for everyone, but if you're comfortable with Linux, and have an appreciation for flexibility, then you can probably just throw your favorite Linux distro on it (doesn't have to be CentOS) and do whatever you want with it; no need to have "another OS" just for firewall/routing.

P.S. based on comments above, i also want to throw out there that a generic Linux OS will have very broad hardware support too... so less restrictions on what you can use.
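
The requirement from the opening post (wireless clients reach the internet but not the LAN, with a few allowed through to the server), written as a netfilter ruleset of the kind the post above describes; this is an added example, not any poster's configuration. It assumes the access point hangs off its own firewall port rather than the shared switch (traffic between devices on one switch never crosses the firewall), nftables syntax, IPv4 addressing, and the interface names, addresses and ports shown, all of which are constructed.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = ISP modem, lan0 = wired switch,
# wifi0 = access point on the third NIC port. All addresses are constructed.
flush ruleset

define WAN  = "wan0"
define LAN  = "lan0"
define WIFI = "wifi0"
define SERVER = 192.168.10.20                            # file server on the LAN
define TRUSTED_WIFI = { 192.168.20.50, 192.168.20.51 }   # e.g. the two laptops

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Wired LAN may manage the firewall itself.
        iifname $LAN accept
        # Wireless clients only get DHCP, DNS and ping from the firewall.
        iifname $WIFI udp dport { 53, 67 } accept
        iifname $WIFI tcp dport 53 accept
        iifname $WIFI meta l4proto { icmp, icmpv6 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Wired LAN may go anywhere.
        iifname $LAN accept
        # Selected wireless clients reach the server's shares only (SMB, NFS).
        iifname $WIFI oifname $LAN ip saddr $TRUSTED_WIFI ip daddr $SERVER tcp dport { 445, 2049 } accept
        # Every wireless client may reach the internet; anything else headed
        # for the LAN falls through to the drop policy.
        iifname $WIFI oifname $WAN accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

The source-address exception is only as strong as the DHCP reservations behind it, since a wireless client can set its own IP; a separate SSID or VLAN for trusted devices is the tighter form of the same rule.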
 

Rand__

it's not that it was missing but rather free version did not have the options I wanted.

like antivirus, website blocking features,
if you want to use that you had to get a paid subscription.
Weird, I have those features with my free license?