Home firewall poll

What firewall do you run at home?


  • Total voters: 96
  • Poll closed.

StammesOpfer

Active Member
Mar 15, 2016
> This puzzled me too: surely the router of choice for most knowledgeable home users is the well-vetted consumer router reflashed with third party firmware. OpenWRT now has the CeroWRT bufferbloat fixes backported and if I wasn't treating edge routing and firewalling as a subfeature set of a more elaborate network appliance I'd still be doing it too.

So I found that my traffic patterns killed consumer grade devices. From the research that I have done (and the internet is never wrong) they are not designed for anywhere close to 100% duty cycle. So once you install something more powerful (also uses more resources) and then start hammering it with connections they burn out due to running hotter than they should long term. So after running highly rated consumer hardware and replacing it every 1-1.5yrs I moved to pfSense and recently a Ubiquiti USG.
 

mstone

Active Member
Mar 11, 2015
> This puzzled me too: surely the router of choice for most knowledgeable home users is the well-vetted consumer router reflashed with third party firmware. OpenWRT now has the CeroWRT bufferbloat fixes backported and if I wasn't treating edge routing and firewalling as a subfeature set of a more elaborate network appliance I'd still be doing it too.

I've never had a great experience going that route. First, stuff like OpenWRT doesn't tend to track the latest hardware so you're always chasing some old board that's been abandoned by the manufacturer. The wireless support is always flaky (and I'd rather have access points deployed independently of the router anyway). You've generally got limited RAM & storage. Stuff randomly breaks because nobody can test every "supported" platform. Bottom line, it can be made to work but it's not particularly fun and usually not worth the effort.
 
Reactions: tic226

ttabbal

Active Member
Mar 10, 2016
That was where I ended up with the *WRT method as well. When it worked, it often didn't work right with the newer radio hardware etc. For the longest time no 5GHz radios worked, or didn't work well, for example.

The lack of firmware updates etc. is less important when they are deployed as APs and aren't internet-facing. So I did pfSense as it looked like an easier to work with setup than my old iptables scripts. :)
 

Cheddoleum

Member
Feb 19, 2014
> That was where I ended up with the *WRT method as well. When it worked, it often didn't work right with the newer radio hardware etc. For the longest time no 5GHz radios worked, or didn't work well, for example.

Yeah, I can see where you're coming from. I don't run it anymore but I'm fond of OpenWRT, maybe because I last ran it on commodity hardware in the Aughties (Asus wl-500gP v1 with the replaceable MiniPCI card... I still love that stupid thing). Then ran it for a few years compiled from source for an Alix 2d13 and a succession of WiFi cards, but always Atheros-based so there was never a support issue. Only dumped that when the 100base-TX NICs became hopelessly inadequate even bonded, and of course insufficient crypto support for full-bandwidth VPN.

Still ran OpenWRT for a few months after that, built with paravirtualization and SMP switches in a KVM, but I got occasional kernel oopses on the host that I didn't think worth chasing so I finally gave it up. Still think it's a great little distro for small appliances though, particularly if you're prepared to build it yourself.
 

azev

Active Member
Jan 18, 2013
Does anyone know of any open source or "affordable" L7 firewalls for the home?
Being able to allow or block applications on the internet (Facebook, YouTube, etc.) would be awesome.
 

cheezehead

Active Member
Sep 23, 2012
WI
> Does anyone know of any open source or "affordable" L7 firewalls for the home?
> Being able to allow or block applications on the internet (Facebook, YouTube, etc.) would be awesome.

pfSense used to have the code for this years ago but they pulled the ipfw-classifyd package :( after stability issues a while back.

Sophos UTM does have the functionality, but beware: the CPU requirements for handling L7 are significantly higher than for an L4 firewall.
 

azev

Active Member
Jan 18, 2013
> pfSense used to have the code for this years ago but they pulled the ipfw-classifyd package :( after stability issues a while back.
>
> Sophos UTM does have the functionality, but beware: the CPU requirements for handling L7 are significantly higher than for an L4 firewall.

I have tried Sophos UTM, they do have some L7 capability but nothing close to the likes of Palo Alto.
 

cheezehead

Active Member
Sep 23, 2012
WI
> I have tried Sophos UTM, they do have some L7 capability but nothing close to the likes of Palo Alto.

That's like comparing a VW Golf to a Tesla lol.

I don't know of any free solutions that come close to the capabilities of a Palo Alto.

PA-2050s (which can handle gig links) can be picked up used for like $300ish... sometimes cheaper if you "need"/want that level of filtering.

Keep in mind a lot of the advanced features are all subscription based.