Advice on firewall software/appliance

Geran

Active Member
Oct 25, 2016
So after building up my network over the last couple months with the approval of the boss (aka wife), I believe I'm finally ready to replace my ISP's router with something a little better.

My setup currently consists of the following items:

Ubiquiti Networks US-48-500W
Ubiquiti UAP-AC-PRO
Ubiquiti US-16-XG
Ubiquiti Cloud Key

After reading here and on reddit about various options, I'm a little confused on my best course of action. That's where I come to this great community for advice.

The options I am currently evaluating are pfSense, Sophos UTM or the Ubiquiti USG-PRO-4. My only requirement at this time is to be able to install OpenVPN and route traffic from a specific IP through that tunnel and leave all other traffic untouched.

Any help would be greatly appreciated!

manxam

Active Member
Jul 25, 2015
Seeing as how you've already gone down the Ubnt path, why not an ERL or ER-Pro? The USG line is still badly crippled and custom configured items in the CLI will need specific config files manually created on the cloud key to be able to re-provision on reboot.

While pfSense, Sophos, etc. bring more to the table, such as IPS, if you don't need them then why bother with the complexity?
Finally, if you still want software and don't care about the GUI, VyOS is 90% compatible with the EdgeRouter CLI, is very quick and very lightweight.
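As an added illustration of the source-based routing the OP asked for (one host via the OpenVPN tunnel, everything else untouched), here is the EdgeRouter/VyOS-style CLI configuration I would use; this is my own example, not taken from the thread or from Ubiquiti's documentation, and the interface names eth1/vtun0, the host address 192.168.1.50 and the profile path /config/auth/client.ovpn are assumptions:

```text
# Assumed layout: LAN on eth1, OpenVPN client tunnel vtun0, the one host is 192.168.1.50
configure

# OpenVPN client driven from an .ovpn profile stored on the router (path assumed)
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 config-file /config/auth/client.ovpn
set interfaces openvpn vtun0 description 'VPN uplink'

# Routing table 1 holds only a default route through the tunnel
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
# Fail closed: when vtun0 is down the blackhole takes over, so the host's traffic
# does not silently fall back to the plain ISP WAN
set protocols static table 1 route 0.0.0.0/0 blackhole distance 254

# Local subnets must stay in the main table, otherwise LAN-to-LAN traffic from the
# host would also be pushed into the tunnel (rule 5 is evaluated before rule 10)
set firewall modify PBR rule 5 description 'Local subnets stay in main table'
set firewall modify PBR rule 5 destination address 192.168.0.0/16
set firewall modify PBR rule 5 modify table main

# Only this one source address is steered into table 1
set firewall modify PBR rule 10 description 'Route one host via VPN'
set firewall modify PBR rule 10 source address 192.168.1.50
set firewall modify PBR rule 10 modify table 1

# Apply the policy on LAN ingress; all other LAN hosts never match and keep using main
set interfaces ethernet eth1 firewall in modify PBR

# Traffic leaving via the tunnel needs source NAT to the tunnel address
set service nat rule 5010 description 'NAT via VPN'
set service nat rule 5010 outbound-interface vtun0
set service nat rule 5010 type masquerade

commit
save
exit

# Checks: table 1 should show the vtun0 default route (and only the blackhole when
# the tunnel is down); the modify counters confirm the host's packets hit rule 10
show ip route table 1
show firewall modify statistics
```

Verify from the steered host that its public IP changes, and from any other LAN host that it does not; if you also want the host's DNS queries inside the tunnel, point that host at a resolver reachable only via vtun0.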

cdawwgg

New Member
Dec 15, 2016
I'd go Sophos. I'm running Untangle on an R410 and it's starting to annoy me. Back to Sophos: it's free, fast, stable, and has a very large user community. It's also a lot more user friendly than pfSense. There is FAR less to go wrong in the software component compared to UBNT. At the last ISP I worked for, we deployed a bunch of UBNT gear as kind of a "beta group", so to speak. All of it has been ripped out because of the myriad of software issues UBNT has. Nothing they send out, as far as releases or anything goes, can even be considered stable. They're perpetually in beta with everything. If you want rock steady performance and have the spare PC on hand, do it. Heck, buy a used OptiPlex on eBay and throw in an Intel PRO quad-port server NIC and you've got something that in all likelihood can pass true gigabit throughput when it becomes available in your area.

sthsep

Member
Mar 7, 2016
Well, I would go with pfSense (or, in my opinion, also with OPNsense [fork of pfSense]). Why? Sophos is great and I liked it, especially the traffic logging, but it has no OpenVPN support. I'm running OPNsense with about 10 active OpenVPN clients/servers, but if you run into a problem you will likely need to solve the problem by yourself.