Home firewall poll

So I found that my traffic patterns killed consumer grade devices. From the research that I have done (and the internet is never wrong) they are not designed for anywhere close to 100% duty cycle. So once you install something more powerful (also uses more resources) and then start hammering it with connections they burn out due to running hotter than they should long term. So after running highly rated consumer hardware and replacing it every 1-1.5yrs I moved to pfSense and recently a Ubiquiti USG.

 

I've never had a great experience going that route. First, stuff like OpenWRT doesn't tend to track the latest hardware so you're always chasing some old board that's been abandoned by the manufacturer. The wireless support is always flaky (and I'd rather have access points deployed independently of the router anyway). You've generally got limited RAM & storage. Stuff randomly breaks because nobody can test every "supported" platform. Bottom line, it can be made to work but it's not particularly fun and usually not worth the effort.

 

That was where I ended up with the *WRT method as well. When it worked, it often didn't work right with the newer radio hardware etc.. For the longest time no 5Ghz radios worked, or didn't work well, for example.

The lack of firmware updates etc is less important when they are deployed as APs and aren't internet-facing. So I did pfSense as it looked like an easier to work with setup than my old iptables scripts.

 

Yeah, I can see where you're coming from. I don't run it anymore but I'm fond of OpenWRT, maybe because I last ran it on commodity hardware in the Aughties (Asus wl-500gP v1 with the replaceable MiniPCI card... I still love that stupid thing). Then ran it for a few years compiled from source for an Alix 2d13 and a succession of WiFi cards, but always Atheros-based so there was never a support issue. Only dumped that when the 100base-TX nics became hopelessly inadequate even bonded, and of course insufficient crypto support for full-bandwidth VPN.

Still ran OpenWRT for a few months after that, built with paravirtualization and SMP switches in a KVM, but I got occasional kernel oopses on the host that I didn't think worth chasing so I finally gave it up. Still think it's a great little distro for small appliances though, particularly if you're prepared to build it yourself.

 

Was Vyos, am now using Mikrotik - neither of which are on the list.

 

does anyone know of any open source or "affordable" L7 firewalls for the home ?
Being able to allow or block application on the internet (facebook, youtube, etc) would be awesome.

 

pfSense use to have the code for this years ago but they pulled the ipfw-classifyd package after stability issues awhile back.

Sophos UTM does have the functionality but beware the CPU requirements for handling L7 is significantly higher than a L4 firewall.

 

I have tried sophos UTM, they do have some L7 capability but nothing close to the like of palo alto.

 

Does anyone have experience with Opnsense , vis a vis pfSense?

 

That's like comparing a VW Golf to a Telsa lol.

I don't know of any free solutions that come close to the capabilities of a Palo Alto.

PA-2050's (which can handle gig links) can be picked up used for like $300ish...sometimes cheaper if you "need"/want that level of filtering.

Keep in mind a lot of the advanced features are all subscription based.