Advice on firewall software/appliance


Active Member
Oct 25, 2016
So after building up my network over the last couple months with the approval of the boss (aka wife), I believe I'm finally ready to replace my ISP's router with something a little better.

My setup currently consists of the following items:

Ubiquiti Networks US-48-500W
Ubiquiti UAP-AC-PRO
Ubiquiti US-16-XG
Ubiquiti Cloud Key

After reading here and on reddit about various options, I'm a little confused on my best course of action. That's where I come to this great community for advice.

The options I am currently evaluating are pfSense, Sophos UTM or the Ubiquiti USG-PRO-4. My only requirement at this time is to be able to install OpenVPN and route traffic from a specific IP through that tunnel and leave all other traffic untouched.

Any help would be greatly appreciated!


Active Member
Jul 25, 2015
Seeing as how you've already gone down the Ubnt path, why not an ERL or ER-Pro? The USG line is still badly crippled and custom configured items in the CLI will need specific config files manually created on the cloud key to be able to re-provision on reboot.

While pfSense, Sophos, etc. bring more to the table, such as IPS, if you don't need them then why bother with the complexity?
Finally, if you still want software and don't care about the GUI, VyOS is 90% compatible with the EdgeRouter CLI, is very quick and very lightweight.
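For readers weighing the EdgeRouter/VyOS route against the OP's one requirement (send a single LAN host through an OpenVPN tunnel, leave everything else alone), here is what that looks like in the EdgeOS-style CLI that the post above refers to. This is an added example, not configuration posted by anyone in this thread or shipped by Ubiquiti or VyOS. Everything in it is an assumption for illustration: the LAN interface is eth1, the LAN is 192.168.1.0/24, the host to tunnel is 192.168.1.50, the OpenVPN client interface is vtun0, and the server name and certificate paths are placeholders. The `firewall modify` form is the one EdgeOS and VyOS 1.1 (the version current when this thread was written) share; current VyOS releases express the same thing as `policy route`. The `#` lines are notes for the reader, not commands.

```vyos
configure

# OpenVPN client interface. Server name and certificate paths are placeholders.
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host vpn.example.net
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/client.crt
set interfaces openvpn vtun0 tls key-file /config/auth/client.key
# Do not accept routes pushed by the VPN server; otherwise a pushed
# redirect-gateway would pull the whole LAN into the tunnel.
set interfaces openvpn vtun0 openvpn-option "--route-nopull"

# Alternate routing table 1: default route out the tunnel, LAN stays local.
set protocols static table 1 interface-route 192.168.1.0/24 next-hop-interface eth1
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
# Fail closed: if vtun0 goes down its route disappears and the lookup would
# otherwise fall through to the main table and leak via the WAN. A low-priority
# blackhole catches that case.
set protocols static table 1 route 0.0.0.0/0 blackhole distance 254

# Policy: only packets sourced from the one host are looked up in table 1.
set firewall modify VPN_ONLY rule 10 description 'route 192.168.1.50 via the VPN'
set firewall modify VPN_ONLY rule 10 source address 192.168.1.50
set firewall modify VPN_ONLY rule 10 modify table 1

# Apply the policy to traffic arriving from the LAN. All other hosts are
# untouched and keep using the main table.
set interfaces ethernet eth1 firewall in modify VPN_ONLY

# Source NAT so the tunnel provider sees the tunnel address and replies return
# through vtun0.
set service nat rule 5010 description 'masquerade tunnelled host out vtun0'
set service nat rule 5010 outbound-interface vtun0
set service nat rule 5010 type masquerade

commit
save
```

Two checks worth doing after `commit`: from the tunnelled host, confirm the public address seen by a what-is-my-IP service is the VPN exit, and from another LAN host confirm it is still your ISP address. Then disable vtun0 (`set interfaces openvpn vtun0 disable`, `commit`) and confirm the tunnelled host loses internet access rather than silently falling back to the WAN; that is the blackhole route doing its job. Note the caveat from the post above: on a USG the same statements would have to be carried in a `config.gateway.json` on the Cloud Key or they are lost on re-provision, which is part of why the EdgeRouter is the simpler fit here.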


New Member
Dec 15, 2016
I'd go Sophos. I'm running Untangle on an R410 and it's starting to annoy me. Back to Sophos: it's free, fast, stable, and has a very large user community. It's also a lot more user friendly than pfSense. There is FAR less to go wrong in the software component compared to UBNT. At the last ISP I worked for, we deployed a bunch of UBNT gear as kind of a "beta group", so to speak. All of it has been ripped out because of the myriad of software issues UBNT has. Nothing they send out as far as releases or anything goes can even be considered stable. They're perpetually in beta with everything. If you want rock-steady performance and have the spare PC on hand, do it. Heck, buy a used OptiPlex on eBay and throw in an Intel PRO quad-port server NIC and you've got something that in all likelihood can pass true gigabit throughput when it becomes available in your area.


Mar 7, 2016
Well, I would go with pfSense (or, in my opinion, also with OPNsense [a fork of pfSense]). Why? Sophos is great and I liked it, especially the traffic logging, but it has no OpenVPN support. I'm running OPNsense with about 10 active OpenVPN clients/servers, but if you run into a problem you will likely need to solve it by yourself.