Comments:
Has OPNsense kept up as well?
I have often considered buying a UniFi firewall, but I can't do without the automated Let's Encrypt stuff and reverse proxy.
Do a review of ZScaler
Hey @Tom, love the content.
Do you have a video or instructions to set up advanced QoS and queues on a UniFi network?
Also, please do an updated tool and services list you guys use as an MSP
Keep up the great work
P.S. I miss the business content!!
I have had PFSense at home for many years, and I did swap to a UDM Pro at some point in time, but the FW was lacking good multi-WAN support, so I moved back to PFSense and set up the UDM Pro at the family house, as they had NVR needs, so it made sense, and I manage it.
I have a sizeable homelab for apartment standards and I'm looking to downsize from my 19 inch rack to a 10 inch rack, and using one of the smaller gateways seems a good fit, plus all my switches and APs are Unifi.
I now prefer the Unifi because it is evolving and fine-tuning itself, and if you want simplified visibility, PFSense doesn't even come close. When you have all your gear with Unifi, the visibility you get on the network without hassle is impressive. I do among enterprise networks since I work in a large global ISP, and I can say that this leaves a lot of high-end gear embarrassed in the way it all comes together in the smallest package.
The reality is that firewall means security, and security only comes together with end-to-end integration where systems can be integrated. You can have the best firewall, but if you lose L2 visibility, then you are handicapped.
The other thing that is changing my mind is that the UDM Pro, which is now 5+ years old or so, still rocks and is now a much better firewall because of the software, and Unifi is stepping up the game, and at this pace they will supersede PFSense, which has a very slow feature release.
The PFSense on the other hand is the exact same thing as it was 5 years back (minor changes that really add no value for the common folk).
There are pros and cons to both, but the reality is that currently I can say that the odds that Unifi gear will be kept relevant to evolution are much higher than for PFSense; that is what created OPNsense in the first place.
So my bets are now on the Unifi side. It has its caveats, but Unifi have been addressing virtually every single one of them, release after release, and they seem to be listening to the client base's needs, to the point that they are now a legit threat to the likes of Fortinet, for example; with all the snafus it has been having, people are looking into options, and for SME/Bs the Unifi offer starts to really make sense with all the recent additions besides the firewall: the HA, the storage, the MLAG support in switches, etc.
Again, this is all a question of preference, and in reality I like the fact that Unifi can be set and forget and keeps evolving on itself. I have enough network gear from every vendor you can imagine to worry about at work; simplicity wins for me at this point.
I like having unifi at home because I don’t open up my network, and the “single pane” for all devices is nice.
OpenWrt any kind of alternative? pfSense seems like it's been getting buggy.
Unifi's ecosystem has power in it - and their firewall really is very nice. Does it have every feature of PfSense? No. But I haven't been a fan of all of PfSense's decisions. PfSense is often "let's try on our own hardware" which sounds great, until you realize the level of hardware expense plus power expenditure you are using on that hardware. Meanwhile, on every UDM, there are features PfSense doesn't even touch - WiFi management, if you use ONVIF camera management you're set, if you use entry system management you're good to go, and so on. UniFi has really put together an 'all-in-one' solution. PfSense has put up systems that are really high detail and I appreciate some of the core functions, but for 98% of people, those functions won't get used, meanwhile, functions that come with UniFi that aren't even in a comparison, like WiFi network management, will.
Thanks Tom, really great video. I'll stick with PfSense because I know it well and because it is what I've used for ages. It has never let me down. It is nice to know that Ubiquiti finally put forward a firewall that can be considered for a single ecosystem approach now though.
Palo Alto and Sophos 😅
What are your thoughts on IPFire?
OPNsense has VXLAN and ZeroTier VPN
Firewalla for the win over both.
Ignoring the obviously better and more robust alternative to both of these, OPNsense....classic Lawrence Systems content
I have OPNSense and install UniFi Network Application 8.6.9 on FW
Thanks for this comprehensive comparison. I see our friends from Untangle aren't even a consideration anymore and I have retired all those devices about two years ago. Just installed a new location with a full UniFi last weekend and then the next day the software update to version 9 and the policy-based routing. So far it's working great. Since I am also a pfSense fan I think UniFi has caught up feature-wise to most configurations I deploy with pfSense.
Which Firewall is RIGHT for YOU? Neither. I'm a home techie with a few RPIs. The audience for these seems to be corporations. I need a deadbolt not a vault door on my network door. I bailed after 14 min.
I can't believe UniFi DNS still doesn't support CNAME - and that you didn't call it out.
HAProxy is one of the reasons I'm sticking with pfsense. I have a wildcard from Let's Encrypt for my internal domain. So simple to just set up an entry in HAProxy and boom - no more cert warnings, and no need to manually manage certs. Oh and I guess Tailscale for remote access too.
When you see a company that puts in a gyroscope so that the small LED on the router can rotate, you know which company you should choose. The care of details and how thoughtful it is, just on a totally different level.
ZENTYAL firewall is good too.
I’ve had the Cloud Gateway Max in my home setup since last August and I recommend it highly.
Pf vs PA
We had a USG-PRO-4 for work and will never do Ubiquiti again. VPN wouldn't close channels when inactive, so had to manually SSH in, find the channel id for the user that couldn't log in, then kill the process. Really fun when it is your channel and you have to walk your boss through how to do it. There was a known issue for several years with strongSwan they never fixed. And how secure can their system be if they have a backdoor tunnel so they can provide a SaaS admin interface for your network equipment? Went to PFSense and never looked back.
pfSense is so much better, powerful, and flexible. Unifi is fine if you "just need a firewall/router"
Are there any options besides Protectli Vault with open source firmware e.g. coreboot?
It's been years that I've used both of them. At home, my main firewall that is my backbone is a UDM-Pro (unifi), to complete, I have some pfSense running in my Proxmox cluster. To be able to do home user stuff, Unifi is great and simple but for more advanced stuff, pfSense is better!
We have a pfSense 4200 and Comcast Business with 5 static IPs, but we aren't having any luck getting the static IPs accessible by the systems inside the firewall. We have searched online for a solution but have yet to figure it out. Does anyone have good resources to dive into to resolve our issue? Thank you in advance.
I think the major draw for me is the ability to virtualize it and quickly switch to other hardware in case of failure. Backup and restore is flawless on pfsense. Also you can run it on any hardware you may have around.
Does UniFi support hostnames in firewall rules? That was part of the reason I went with OPNSense for my setup. I wanted the ability for certain hosts to only have access to specific hosts on the public Internet. Since they're public servers I can't use IP addresses.
I was going to switch to pfSense, but as the features of the routers have finally caught up to a very decent level, I just don't need it now. As my main business is not networking, just an out-of-hand hobby haha, it meets the needs for my heavily networked home where we have 3 people making a living or remote-working that way, plus I donated my older UI gear to a school and am able to help monitor and remotely fix things for them (they are a 10 hour drive away if the weather is bad). I really like that the equipment is super reliable as well. They have confusing and overlapping product ranges that were not really an issue before, and the POE+++ is not actually a standard, and the RSTP implementation still has problems sometimes. But I've used their gear for 15ish years now, and no regrets. The same is true for the Protect system. The refinements and no EOL for a lot of their stuff for a very, very long time, is also providing confidence in upgrading my own equipment every once in a while and then offloading the older stuff to those who need it and/or could benefit from improved networking.
OPNsense in the house. 😀 Ubiquiti for my APs though, and a couple of flex minis hidden behind things like my TV stand.
FYI it's EN-tra, not ON-tra ;-)
I've always been an OPNsense guy.
Thanks for the video Tom! I was concerned with the UDM reviews I was seeing with the VPNs and firewall rules but this video has shown much needed improvement in the UDM's management.
I have proceeded with an order for a UDM Pro Max and am looking forward to seeing how that journey plays out. My firewall journey has been from crappy home routers to pfSense, pfSense to OPNsense, and now hopefully from OPNsense to UDM.
pfsense is awesome!
Could you please do a review of the Omada system too? It’s a little short on some of the features. But definitely a great value proposition in my country since UniFi is either not available or too highly priced. Sometimes 2x what an equivalent Omada unit would do.
These days, the question "is it secure" is the wrong question. Both are fine. Much more common are misconfigurations, and I actually don't like the pfSense "throw everything no matter how silly at the user", because it's so easy to get lost in them and do the wrong thing. Even the lists of firewall rules in UniFi used to be bad enough for this, and I agree with you that the new system is a huge improvement.
Firewalls are not so difficult to set up. But maintaining them for years and years as features are added, user interfaces change, requirements change etc. This is where firewalls are hard.
I want to serve small businesses and I would like to set up firewalls so that I can manage the network from home. Which Unifi suits that scenario?
Thank you for clarifying that you can run unifi networks without having a unifi account. That is specifically why I came to your channel. 🌻
For client VPN, you put Tailscale for pfSense and Teleport for Unifi, but you can easily use OpenVPN or Wireguard for client devices with Unifi, too. That's how I used to client VPN to a Unifi-run network from a Windows computer, before Teleport was available for PC.
How do you get QoS to show up? I can turn "Smart Queues" on and off in WAN settings, but when looking at the menus for the Routing Settings page, first entry is Policy-Based Routes, and second is Port Forwarding. I don't have a "QoS" in the middle.
OPNsense might possibly be the best open source software that I've ever used. I've also found that it is compatible with more hardware than pfSense. I had paid for multiple used Fortinet firewalls and it's actually better and free.
How about another pfSense vs OPNSense?
Or comparison with OpenWrt?
The eMMC died on my Netgate SG1100 recently, so I hastily replaced it with an SG4200 because my configuration would just port across. But I prefer Linux over BSD so, if I were starting from scratch, I would give Unifi a closer look now that it has received these updates. And they're cheaper. Another contributor was the negative impression of Unifi I had from the gear we have at work, but that may be more to do with the lack of features in the past.
I really hope Netgate will move pfSense from FreeBSD to a Linux kernel. If they don't make changes soon, I feel it might be best for myself to move on, along with my customers, from pfSense. I love pfSense though.
I use OpnSense as my perimeter firewall and Unifi for everything else internal. Still not trusting my border security to something I can’t tweak and hand configure.
I am running Unifi controller on my QNAP NAS controller in docker. No virtualisation? Seriously? What am I doing wrong?
I realize this was 4 weeks ago, but it would seem the Cloud Gateway Max would also satisfy the backup WAN port you wanted and was not included, and was what I ended up getting three weeks ago.