Help me pick a replacement home firewall/router

Diavuno

Active Member
So I'm familiar with most of the big name firewall guys. But I broke my hands and I'm not a fan of mandated CLI.

What do you gents (and ladies?) like?

I'm currently using a SonicWALL TZ105W (formerly a TZ210 and an ASA5505).
My colos are using a Palo Alto and a pfSense.

My current TZ is "ok" but often gets slower and slower (over a week) until it needs a reboot. The WiFi sucks, and the Total Security subscription plan just ran out.


Power and upfront costs are a concern. I'd like to avoid subscriptions and licensing fees if possible.

It'll be used on a 100/20 pipe, with a good chunk of that being over SSL VPN to my other sites.


*I've heard good things about MikroTik but have limited exposure... thoughts?
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
6,990
1,567
113
CA
Running a Zyxel USG50 at home and it does everything I need with a great (imho) web GUI.
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,905
4,866
113
The pfSense Web GUI is getting updated in the next major revision.

pfSense -> pfSense is very easy. Unless there is a good reason, I would limit the number of different types of appliances you are using. Less nuances to learn.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
6,990
1,567
113
CA
The pfSense Web GUI is getting updated in the next major revision.

pfSense -> pfSense is very easy. Unless there is a good reason, I would limit the number of different types of appliances you are using. Less nuances to learn.
I agree, lol!! Deployed the same at my parents, and have a 3rd I traded for going to my brothers place here soon. Only issue I ran into when doing router<->router ipsec was not realizing it wasn't actually saving my updates, and trying to troubleshoot the connection was a big circle of nothing being wrong, LOL!!
 

RTM

Active Member
Jan 26, 2014
552
193
43
Another +1 for pfsense.

I am not too fond of using Mikrotiks for firewalls, they have some weird security defaults and their new "fasttrack" functionality to improve routing performance is really just doing less connection tracking, which I suppose could be considered weakening of the SPI functionality of the FW (I have not seen any attacks using this however, and it can be disabled).

Another reason why not to use Mikrotik for firewalls: No IDS/IPS and OpenVPN mode is gimped (no UDP mode and some other stuff is missing) so if you want SSL/TLS VPN they suggest you use SSTP.

If you end up using pfsense and intend to use an IDS, remember to purchase the relatively inexpensive snort signatures, a personal license is only 30 USD/year. And for the record you can use snort rules even if you chose to use suricata rather than snort.
Evan

Well-Known Member
Jan 6, 2016
3,060
512
113
I use an EdgeRouter Lite for a router. Handled my 1g fiber connection fine. Cheap and high performance.

For firewall I am considering a pfsense appliance shortly.
Hardware Requirements and Appliances for pfSense
Again low power, easy to setup and cheapish.

Your setup must be a real power hog! Aside from 20+ cents per kWh here, I just hate the noise, heat, and principle of the big devices. (Leave that stuff in the datacenter where it's really needed.)
 

Visseroth

Member
Jan 23, 2016
74
1
8
40
+1 pfSense, been using it for 8 years. Don't get me wrong, it has its bugs from time to time, but they do fix the bugs and accept reports on them.
 

bds1904

Active Member
Aug 30, 2013
271
76
28
Ready-to-roll: Edgerouter Lite

Roll-your-own: atom c2xxx & pfsense or the $300 atom box from pfsense
 

RTM

Active Member
Jan 26, 2014
552
193
43
c2xxx series chips have onboard crypto for accelerated openssl/vpn which is really nice.
I assume you are talking about AES-NI, because the QuickAssist engine is, as far as I know, not yet supported by pfSense.

For the record: AES-NI is also supported by a lot of cheapish board + CPU combos, like the newer Atom N3700 and the AMD AM1 "series" (sorry, I forgot the codename, but look at the Athlon 5350 for a CPU). Just note that you will most likely want to add a separate NIC, and you do not get many PCIe lanes for it (if there are extra devices you usually only get a single lane).

Nevertheless the "c2xxx series" is overall a nice platform, you usually get 4 "Intel" NIC ports (using a Marvell PHY, but the controller is Intel), and support for a lot of ECC memory.

If you are feeling adventurous an interesting board might be pcengines' new APU2 series, Intel NICs and a decent CPU with AES-NI for not that much money, it looks ideal for home pfsense use.
But do your own research, because pcengines had quite a bit of trouble with the BIOS of the APU(1) boards.
 

gigatexal

I'm here to learn
Nov 25, 2012
2,746
524
113
Portland, Oregon
alexandarnarayan.com
Hmm, didn't know that about pfSense, thanks for the clarification.
Ermal Luci is working on porting the linux QuickAssist driver for 895x to FreeBSD with direct support from Intel. QuickAssist is the crypto/compression accelerator that Intel produces. We’ve seen 40Gbps of AES-256 + SHA1 on linux using “openssl -speed”. Ermal is also including support for cryptdev(4) on FreeBSD.

Since not everyone will have a QuickAssist unit to leverage, we’re continuing work on software crypto (including AES-NI). Our internal testing of IPsec performance relative to a FreeBSD baseline, linux and OpenBSD showed that linux was a bit faster at everything, and even OpenBSD 5.6 is faster than pfSense 2.2 at AES-CBC-256 + HMAC-SHA1, while pfSense is faster than OpenBSD 5.6 using AES-GCM. After investigating the issue, Ermal has responded with some preliminary work on a patch to cryptdev(4) to even the score. Same will be reflected back to FreeBSD, when ready, as will the changes to make AES-GCM work with IPsec in the FreeBSD baseline starting with FreeBSD 10.2-RELEASE.
(from pfSense Digest » Recent developments in pfSense), so perhaps we'll see it in the next version of pfSense if it isn't there already.

I've been toying around with the idea of doing the opposite of what the OP wants, rolling my own router using OpenBSD probably, but I am not fond of losing the comfort of the web UI.

RTM

Active Member
Jan 26, 2014
552
193
43
I've been toying around with the idea of doing the opposite of what the OP wants, rolling my own router using OpenBSD probably, but I am not fond of losing the comfort of the web UI.
Sounds like a pretty nice plan. OpenBSD is awesome, and remember: rather than losing the comfort of the web UI, you rid yourself of the attack vector it is.

EDIT: Oh, and I almost forgot: No Starch Press has a book on pf, and that in itself is almost a reason to do a router/firewall with OpenBSD.

abulafia

Member
Jun 17, 2014
49
5
8
Manhattan
Originally I used to use EdgeRouters for my extended LAN, but I have come to despise them; 2 of 4 failed, maybe a third at a remote site recently. And the RMA time was painful, as it has been on UniFi. And you either have fail-prone USB storage (see the forums, also see the replacement alternatives threads; this is used on ERL and ERPOE, I own one of each) or onboard soldered-down flash that can't be replaced (ER8, ERPro8) or reinstalled from scratch (unlike the cheaper ones) or done in RAID, and a power loss at the wrong time in conjunction with UBNT's anti-counterfeiting code will leave you with a $300-400 brick if out of warranty, and without a router for a couple of months or more if in warranty. (Ask me how I know.)

I do like the ER-X for $50 but only use it as a l3 segment switch (eth0/poe is not switched with the other four ports, but if bonded it is a nice place to put chatty low bandwidth 100BT devices, plus 12-18v passive poe or splittable out for a WISP type AP or anything else (like a 12v/USB for a rPi AirPrint/cups/USB-ethernet print server) and maybe some filtering or rate control on broadcast and multicast traffic. I actually bought a pair to have a simple physical VRRP lab plus an almost drop in backup for the ERL/ERPOE. Nice Swiss army knife. But that's about it.

I swapped my ERPro8 for a Supermicro C2358 LN5F with the LAN bypass, intending it for failover after the router failure scars, and it actually draws 2/3 to 1/2 the wattage of the Pro8, running VyOS. Nevertheless, I wish I had spent the extra money on the C2758 LN7F for the cores and RAM so I could have just rolled over into VyOS as an appliance and then after tinkering, into a special use VM host, taking WAN ethernet in on a tagged VLAN and exposing it to various VMs in a VRRP group (to virtualize the router at the IP level, not VM, to make it hypervisor agnostic), possibly using the LAN bypass to fail into a second group.

It's become even more important as this summer I pretty much was only untagged/tagged wifi for UBNT's mFi power monitoring (lovely hardware, abandoned software that the team wasn't competent to develop- as per UBNT's rep in that forum) and tagged 10GbE, but i now have 6 constant use VLANs, plus guest, lab, and L2TP, IGMP snooping/forwarding for my "consumer/dial home" device VLAN (though done at the switches and slow to discover/query) and now a broken router breaks inside and outside things. And my router is there chugging along a .7-3% CPU use on one of two cores and 1/16GB ECC used. Super reliable, but not enough cores or RAM to be repurposed as much more, and the power draw between that and my C2558F or C2750... it was a beautiful mistake not to get all 8 cores and the extra two DIMM slots.

So if you want a single device, the ERL or ERPOE (particularly nice for the 3 switched ports and 24v/802.3af dual poe/on board choice) if you can suffer a failure and can wait to get at it and have time to do the edge router rescue kit/PXE/tftp routine (better - open the thing and image the USB before powering on) pass on the ER8/PRO; very nice is the Rangeley options - even if not cabled for VM host and egress routing failover, you can fail over VRRP or auto start another VyOS VMs if a misconfig kills you, plus the datastor can be RAID1, but for the price difference, get all 8 cores.
But it doesn't have to be that - anything cheap with AESNI (I have yet to see a VyOS package which uses QuickAssist) and a PCIe slot and a spare DDR3 DIMM... it will draw much less than the 30-40W the ERPro8 does, have more RAM, and with even just two USB sticks, if not a pair of 16GB SSDs, you'll have more reliability and less brickability for maybe 1/3rd of the cost. With the right setup, you don't even need a second NIC, though... performance and definitely complexity.

Diavuno

Active Member
So I'm totally fine with a little CLI, but it's slow.
I'm OK with pfSense, even been using it on and off for years.

As for power and heat, yes, it's a concern, but more a concern for power.
Yes, it needs to be pretty powerful, as my business hosts VMs for some of my clients, and my home is a DR site. If the client's setup fails, I have a half rack in colo; if that fails, my home takes the load. It's also a collection of historical backups for said clients.
 

Quasduco

Active Member
Nov 16, 2015
126
46
28
109
Tennessee
So I'm totally fine with a little CLI, but it's slow.
I'm OK with pfSense, even been using it on and off for years.

As for power and heat, yes, it's a concern, but more a concern for power.
Yes, it needs to be pretty powerful, as my business hosts VMs for some of my clients, and my home is a DR site. If the client's setup fails, I have a half rack in colo; if that fails, my home takes the load. It's also a collection of historical backups for said clients.
If you have a more serious business need for good uptime, regardless of what solution you end up with, I would strongly suggest having redundancy. The pfSense solution is nice for the ability to throw it on an old backup PC easily.
 

abulafia

Member
Jun 17, 2014
49
5
8
Manhattan
Actually, even on EdgeOS, I barely use the web interface any more. Their new SPI web graphic stuff is nice, but very RAM intensive on such small boxes. And iptraf is more controllable. And logging is better done elsewhere. But it is nice, even if the current 1.8b3 EdgeOS locked up my girlfriend's router (yes, one of my "decommissioned" and she knows SPI is there, by request for other "users") in under two days, though it's been ok elsewhere on the 1.7 point release. But that's it for the GUI. Also, more attack surface, and the certificate is annoying to replace, not built in to anything, GUI or CLI, not a symlink to a persistent file in /config... and with 512MB, I'd rather it spent it on conntrack not lighttpd.

But the CLI/autocomplete/inline help is pretty fast (in fact, the only thing of use in the EdgeOS GUI is the config key "map" to show all the CLI options, but even then, setting them is faster in the CLI vbash). Say you want to copy a single DHCP scope, comprising boot options and multiple subnets; like if you were doing some sort of multitenant thing. Or not multitenant, but same network, but you'll change the subnet for each, while the VoIP phone tftp options and internal DNS are the same. Only one of these exists, called foo.

ed<tab>it ser<tab>vices dhcp-s<tab>server
co<tab>py sha<tab>red-network-name <tab>foo <tab> to <tab> shared-network-name bar1

then press up arrow, erase the 1 and hit 2 for bar2, up arrow again, bar3 and so on.
Everything in italics isn't a key press.
Now you have a lot of clones of DHCP foo named bar1...

And even faster is editing config.boot in a text editor, or doing the above in the CLI to make nice templates and then just search/replace. Want a failover router? Copy your running router's config.boot, overwrite the default one in a VM, set the new IP and make the new VRRP IP where it currently is. Then boot/cable switch to that new config. Or make the commit changes to the running HW router as the new ones wait for it to join them in an existing VRRP group.

Want another? Take that new text file and paste it into a new VM and just change the inter-router and LAN IP. And a third. Bam, three failover routers. And if they are VMs, just clone after shutting down step one and change one or two numbers (literally) in a text file before plugging them into a vswitch. Or of course script it.

The only advantages right now for EdgeOS are the new routing things in 1.8b3 mostly for external labeling (which doesn't apply to me and I can't speak towards) and the resolution of a VTI/L2TP conflict that has been around for a long time, which unfortunately does, and I will not go back to IPSEC tun. (yes, GRE, I know). But it's been a little unstable anyway.

Doesn't matter. Yes, you could buy more than one Edgerouter, and have drop in spares - with service denial and hope your latest commits made it to your syslog and pull it from there. You could VRRP them, but with that cabling and ideally independent UPS/outlet/circuit chains, and with customer's services on the line, you probably have spent more than the box cost, and have a lot more in income to lose. Or you could have a roll your own Supermicro Rangeley with RAID (natively supported as part of a VyOS install) and swap a drive. Or buy a Lanner or Netgate box for a bit of middleman overhead.

Or you could virtualize the IP at the service level inside the VM across (virtual) machines and (physical) hypervisors (hell, a VyOS VM and UBNT ERL will failover on the same gateway IP just fine, let alone VyOS/Hyper-V and VyOS/ESXi) *and* the cluster/replication you get with VMs. Don't migrate them though, even across the same hypervisor, you don't want the copy time and also it may limit the advantages of any CPU acceleration benefits if you have it going across CPU architectures; let them use the native CPU features if available (and won't cause failure if an Avoton takes over for a Rangeley, for example.)

Much of it depends on what you can afford to lose with a service failure, and the cost of managing failure avoidance.
It goes without saying that spinning up some VMs is as "free" as the hardware cost of what is probably the most reliable option; doesn't change the fact that someone has to manage the juggling balls and test the redundancy.
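Scripting the "copy shared-network-name foo to bar1... then search/replace the subnet" step from abulafia's post, as an added example (not code from the thread, EdgeOS or VyOS): a small Python templater that lifts the brace-balanced shared-network block out of a config.boot-style text, renames it, and swaps the subnet prefix while leaving the shared DNS/TFTP options untouched. The config layout, option names and addresses in the sample are my assumption about the format, not something the post shows.

```python
import re

# Constructed sample in the hierarchical config.boot layout (assumed format, not from the thread).
SAMPLE = """service {
    dhcp-server {
        shared-network-name foo {
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.53
                bootfile-server 192.168.10.5
                start 192.168.10.100 {
                    stop 192.168.10.200
                }
            }
        }
    }
}
"""
# Options that stay identical across clones (shared internal DNS / VoIP TFTP), as the post describes.
KEEP_SAME = ("dns-server", "bootfile-server")

def find_block(text, header):
    """Return (start, end) offsets of the brace-balanced block opened by `header {`."""
    start = text.index(header + " {")
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return start, i + 1
    raise ValueError("unbalanced braces in config")

def clone_scope(text, src, dst, old_prefix, new_prefix):
    """Insert a copy of shared-network `src`, renamed `dst` and moved to `new_prefix`, right after the original."""
    start, end = find_block(text, "shared-network-name " + src)
    indent = text[text.rfind("\n", 0, start) + 1:start]  # leading whitespace of the header line
    lines = []
    for line in text[start:end].splitlines():
        keep = line.strip().startswith(KEEP_SAME)  # shared options are not re-addressed
        lines.append(line if keep else line.replace(old_prefix, new_prefix))
    clone = "\n".join(lines).replace("shared-network-name " + src, "shared-network-name " + dst, 1)
    return text[:end] + "\n" + indent + clone + text[end:]

def clone_many(text, src, old_prefix, clones):
    """Clone `src` once per (name, prefix) pair; inserting in reverse keeps the given order in the output."""
    for dst, new_prefix in reversed(clones):
        text = clone_scope(text, src, dst, old_prefix, new_prefix)
    return text

if __name__ == "__main__":
    print(clone_many(SAMPLE, "foo", "192.168.10.", [("bar1", "192.168.11."), ("bar2", "192.168.12.")]))
```

The output is meant to be pasted back into config.boot (or a VM's copy of it) and committed; re-reading it with find_block on the new block names is a cheap check that the braces are still balanced before you commit.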