@LAWRENCESYSTEMS ty for the link. Just as a side note, OpenSSL is now on 3.0.13 in v24, if you want to add a date to the post. I do see what you mean now about the slow security updates.
My take on the UniFi firewall interface is that it feels like it was designed by someone who has never had to really set up a firewall before. It's good for basic requirements only. Also, one thing I never see mentioned in reviews is the way UniFi doesn't want to integrate with multiple DHCP servers that aren't its own gateway. Again, good for basic usage only.
Just for context, as a random dude in Asia: I've gotten Firewalla and UCG Ultra. If adblock is what I want, Firewalla Purple, then Docker it. If I want ease of setup AND VPN, hands down UniFi. For those who are in the full-time family tech support group, you will know what I mean when I say: set up and forget it, or site-to-site management, UniFi hands down. You can expand with no problems, with the IDS/IPS [even though here it is the higher tier, but you get the point], and I've never touched pfSense, due to the learning curve, and it's not something I can easily troubleshoot from far. If pfSense is more hardened, be it, but in terms of ease of deployment and troubleshooting and decent protection, UniFi and Firewalla.... This is purely my own view and experience.
The one major feature I'd love to see added for pfSense would be a deeper Active Directory/SSO integration to gain access to Conditional Access. Fingers crossed it'll get added in the future.
The combination of both is also a good option: advanced functions of the pfSense firewall, in particular for the VPN and WireGuard functions, and the entire UI part of UniFi for the advanced management of switches, access points and other equipment of the brand. Great job anyway!
I find the firewall rules and vlans in the UDM confusing. I'll have to take a look at pfsense, although it looks somewhat confusing as well. Fortinet to me is crazy easy.
3:00 RAID is not a backup (T-Shirt). What if you use a RAID 5 to store only all the other 4 tiny drives with Unison? For example:
R: = RAID 5 (4 x 4TB)
C:, D: = 256GB SSD each
E:, F: = 1TB SSD each
G: = Google Drive FS
Unison profile to sync C:\ to R:\Computer
Unison profile to sync D:\ to R:\Downloads
Unison profile to sync E:\ to R:\Engineering
Unison profile to sync F:\ to R:\Files
Unison profile to sync G:\ to R:\GoogleDrive
etc...
In case the RAID fails, you have the original disk data to retain. Is this an "acceptable" approach?
Appreciate the video. One little thing though: I've been running my rrrrr VM through a WG policy-based route without issues on a UDM Pro for months. So it is definitely possible.
On the FreeBSD vs. Linux side there's a noteworthy difference: pfSense has an upstream project and tracks updates there. UniFi has neither the first nor does the second. They pretty much only update the kernel versions when someone holds a gun to their head.
Do you ever put a UDM behind a more sophisticated firewall? Is it possible to do without double NATing the LAN on the UDM? I've gotten a few questions about keeping a UDM since it is being used to control the other UniFi devices but wanting a better/more sophisticated firewall. I haven't played around enough with UniFi to say definitively that it is possible or even a good idea.
I've deployed about a dozen pfSense routers (mainly Protectli and Qotom) over the last 2 years, but it doesn't seem robust enough to handle power outages, which isn't acceptable for a router in my opinion. I've had 4 not recover from a power outage or a user forcing the router off. Am I missing something? I'll probably go back to the UniFi UXG routers now that they have been upgraded from the USG line.
Protectli is not that cheap a product; they seem quite solid. Mine has worked rather well. I've had a few power outages, no issues. That said, a small UPS would solve this problem as well.
@bertblankenstein3738 Agree. I was going to mention that I used to power my Protectli off nightly with no issues. On a power outage it comes right back up with no user intervention. I only had to reboot once for temporary hardware issues in years of operation. Otherwise rock solid.
For those like me who want the best of both worlds, you can choose both. I have pfSense CE installed on a Protectli Vault and it handles my home lab (SOC analyst here 😎) extremely well (multiple VLANs, VPN, Cloudflare integration, etc.). However, when it comes to switches and my WiFi setup, I've gone with Ubiquiti as their PoE switch offering is great and I can manage all those devices with the UniFi Network software I've installed on a Debian VM on my management VLAN. Very nice!
I'm pretty much done w/ UniFi at this point. IDS/IPS and the DPI traffic rules completely ignore IPv6, meaning that if you try to block a service (such as YouTube in your own example) that is dual stack and you're on a dual stack network, it doesn't work because it will try IPv6, which is ignored by EVERYTHING. Traffic stats that you discussed... IPv6 is ignored and not counted... I can go on and on. Until Ubiquiti gets their act together I cannot recommend their products anymore.
I would love it if Ubiquiti would build out their OpenVPN and IPsec feature sets. I have a U6 Pro access point, UDM SE, USW Pro and USW 10GB switch currently, but the lack of VPN configurability has been holding me back from upgrading a lot of it.
Sorry, maybe off topic here: I just bought the new Cloud Gateway Ultra because I wanted to run the network server management on hardware, not on my workstation. I run UniFi switches and access points behind a pfSense firewall with WireGuard and 8 VLANs. I connected the Cloud Gateway Ultra between pfSense and the existing switches. The network server displayed all UniFi devices and I was able to manage them, but I can't connect to the Internet via pfSense. If I connect the Cloud Gateway Ultra directly to the Internet router, it works. Is it even possible to connect the pfSense upstream and operate the VLANs, or do the firewall and the VLANs have to be provided by the Cloud Gateway Ultra? I am grateful for any help!
I don't recommend using both pfSense and the Cloud Gateway because, as you have noticed, it's a more complex config, and yes, the Cloud Gateway should be providing the routing and VLANs.
I think the point hammered home here is that BOTH Unifi and pfSense are excellent platforms, whether you be prosumer or using this in commercial environments.
I tried to like pfSense and OPNsense but I ended up back with Sophos. Might have had errors in my configurations, but Sophos has been far more stable for me. I miss having Tailscale in the firewall but I'm surviving.
You forgot to mention the UniFi USG router. Almost the same features (less throughput) at just $100 :) I believe it is superseded by the UniFi "Cloud Gateway Ultra" or UCG.
I don't know any corporate/enterprise people running pfSense that utilize QinQ. The lion's share of people using it are service providers, and they aren't using pfSense. How many service providers are running pfSense? Most service providers need to move a lot of packets quickly and provide some light firewall rules to keep people out of devices...
Another great video! Thank you! Can I have a pfSense CE HA with one system with pfSense in a Proxmox VM (primary) and with pfSense on another system in a TrueNAS Scale VM (backup)?
Two years ago when talking with David Bombal you said Unifi didn't really do routing well. Has your opinion on that changed / have they made improvements? I'm running pfSense 4100 Max and a Cisco C3750X but for wifi I'm using Google Mesh. Obviously my WiFi is garbage and I've been thinking about changing my networking setup since it's been several years, so I was thinking about switching to some Unifi APs along with a Unifi gateway and switch, but after watching that video with Bombal and you mentioning the lack of inter-VLAN routing I'm a bit hesitant.
Would love to see a video comparing against closed source commercial firewalls like WatchGuard that have subscription security services. How do their paid security services compare to pfSense?
I don't really feel that the security services offered by commercial firewalls are much more useful than what pfSense has, especially because you can use those same paid feeds in pfSense. But since more traffic is encrypted, firewalls are blind to it.
@LAWRENCESYSTEMS I agree with you Tom... not to mention it's been done before. What makes pfSense the go-to in the vast majority of use cases, including home users, is the vast functionality. Where pfSense has challenges competing is in corporate environments with a NO open source policy or where hardware MUST have support licenses. Other than that... I put pfSense right up against many WatchGuard, Fortinet, ASA and Barracuda offerings of similar feature sets.
Hej Tom, my original UDM (the capsule one) is dying. I have been using it mostly as an AP and the controller for my UniFi infra ever since I moved everything behind a Netgate 2100. Do I 1) get a replacement for the UDM, and if yes, what? or 2) just put the controller on a VM or Pi and run my AP 6 Pro and my switches from that?
UniFi doesn't offer a gateway I would want yet for ports; 2 10G + gig ports is a waste. It's 2024, it's 10/25G + 2.5G ports and I can ditch a whole level in my setup.
Thx for all the great content. Been messing around with some firewalls to see what is the best for me and your videos helped a lot. pfSense is really good, but it's missing content filtering and apps. Found another FW, Sophos, that does that. I am messing around with it, but I did love pfSense. UniFi is great but I miss the fact that it's more "higher" level. You just can't get to those little configs that you can in the other firewalls. BTW, if there's any software that can be added to pfSense for content and app control, PLEASE tell me. Best, Serpa
There is a lot of additional stuff one can do (and I unfortunately had to use it) using EdgeOS commands with UniFi. Does the same hold true for pfsense?
Seems like pfSense is better suited for businesses/enterprises and UniFi is better for residential/prosumer use cases. Although I could see the UniFi firewall also working for small businesses without many needs.
@LAWRENCESYSTEMS Thank you for the information. I will save up $350 + tax to get the Netgate 2100. Your content will be invaluable to me when I get it and set it up properly.
I would think if UniFi wants to get into the enterprise game, they should create a stand-alone device. Let that device do the firewall and VPN well and the other device be a high horsepower router. Nice to do everything in one box, but it's also much better to not do it as an all-in-one.
Get a Layer 3 Switch that can do VRFs then you can have best of both worlds. SVIs on the layer 3 switch but traffic control decisions go through your firewall. More complex as it’s often used in larger enterprise environments but can work well.
Is it just me or does Ubiquiti not yet have the option to do split tunnel VPN through OpenVPN? I find it shocking. Also, not being able to do multiple VPN servers/instances of the same kind is also a disappointment. Thank you, Tom!
I am sorry Tom, but if you are talking about firewalling, why are you leaving out the most important point: logging. I bought the UDM Pro, but as soon as I tried to debug a problem I discovered that there is simply no usable logging within their UDM Pro appliance. The fact that tinkering with rules is more fiddly and the lack of good logging just brought me to buying a passively cooled N100 mini PC with six 2.5Gbit NICs. I think logging should be part of your list 🙂 Otherwise great video, again, and many thanks!
I did cover netflow and diag tools, but diving into Syslog and what is or is not there would have made the video MUCH longer. Once you know they don't have a Netflow exporter you can assume they are missing more detailed firewall rules.
Oh, it's simple: UniFi still doesn't have SFA options/features found in other firewalls/gateways. There is plenty of doubt about how much they actually catch/block. UniFi is only great for being one whole package, but as for use in sensitive sites, nope, UniFi is way too closed and limited.
It's unfortunate you didn't also compare OPNsense for those looking for a solution that doesn't have a guaranteed single point attack vector (the vendor).
An important distinction that you missed out is that pfSense Plus absolutely destroys UniFi in VPN because of intel-ipsec-mb. That library is huge for throughput over a VPN like WireGuard, and UniFi doesn't have that as far as I know.
I was debating about that, but talking about VPN speeds requires a lot of specifics about what traffic types and which models you are testing, that might be a separate video.
17:07 RADIUS is on the way out. Microsoft doesn't even control the protocol anymore... I'd be wary of it imho (especially since Microsoft now has Azure RADIUS which is not RADIUS 😂)
Great video though. Now I just have to bite the bullet and buy hardware for a pfSense firewall to replace my ancient USG (non-Pro) and actually use my 1.2Gb internet 😢😅
pfSense for me, I think. I'd like my network devices not trying to behave like IoT devices. It feels like all these smart APs will be just that. I'm looking at MikroTik's APs; they look powerful and basic. For me, these should be nothing but freaking antennae, and I just don't see any reason for them to reach out to the mother ship in the cloud to "upgrade" anything. I just want the antenna!
UniFi lacks modern traffic shaping capabilities offered by Netgate (pfSense) and Mikrotik (RouterOS) out-of-the-box. I can't recommend UniFi solely based on this.
Thank you for the quick breakdown of the differences. While I'm not a pfSense user (I run IPFire), it's great to see the level of detail that one can go into with pfSense, and that is something that I've noticed putting UniFi side by side with IPFire: IPFire has more capabilities in regard to granular detail in nearly every aspect. I still consider myself entry level with networking, so plenty of what you covered went right over my head, but that just means I have more to learn, and that is a great thing. :) Any chance of a similar video showing the basic differences between IPFire, pfSense and UniFi? Again, thank you for the quick breakdown.
I inherited a large UniFi deployment (70 sites) and I'm replacing it all as soon as possible. There's no room to grow in terms of technology stack, no SD-WAN above 15 sites, no orchestration of firewall rules and policies across routers, no SASE features e.g. network access control, no real route to ZTNA without buying a load more stuff from another vendor. It's just not suited for a single company with a large deployment. I imagine it could work well for people with lots of single-site customers wanting different configurations.
The NETGATE INSTALLER for CE is broken. Please do not use this! Try to find an older ISO or IMG and then upgrade. Netgate is aware of the problem and has done nothing about it. Essentially, you cannot install a fresh 2.7.2 deployment. You WILL get this error -- pkg-static: cached package pfSense-base-2.7.2: missing or size mismatch, fetching from remote
That is interesting. I just downloaded and installed pfSense CE onto a test system to test the new installer yesterday, and it was able to install just fine.
@USSZulu2 So, I downloaded the installer several times, both the memstick and ISO images, resulting in the same error each time. I called Netgate and created a ticket last night, and then this morning they responded with the pre-installer ISO: pfSense-CE-2.7.2-RELEASE-amd64.iso. This ISO worked flawlessly. I was surprised to discover the installer is still in BETA. Furthermore, the Netgate Installer DOES NOT allow pfSense installation without an internet connection, so there is no OFFLINE installation of CE.
@USSZulu2 The Netgate Installer needs to be better implemented. They have removed the pre-installer images and FORCED us with no option but the installer. This is another NETGATE F**k-Up, similar to the Free License Scam they pulled. Additionally, they have placed the Netgate Installer behind a $0.00 paywall, which is a sign that there will be no more free CE and that in the next 3 years or less we will BE FORCED TO PAY for PFSENSE, as Tom BAITED us about this in a previous video.
Great stuff man, really appreciate the time you take to put these together!
I'm a VERY satisfied new user of UniFi Network 😊 Started with Cloud Gateway Ultra and a few switches and APs for home. Hardware prices are reasonable and all the tutorials on YT from you, Chris, Cody, and others made setup quick, easy and fun! Excited to add Protect functionality next and also set up and remotely manage UniFi Express at homes of parents and children. Thanks Tom for all you do to help us newbies!
Same here! Love my new Unifi network.
Yeah, I started years back on the USG, USW8 60W, CK and AP AC Pro. Now it's an overkill setup, but the ecosystem is really nice and doesn't suffer issues.
I had been using pfSense for about 2 years and, while it mostly worked, updates frequently broke things and it just became a pain to keep up with. I just switched to UniFi and it was a seamless transition and everything just worked right out of the box without having to spend hours on forums trying to figure out how to do something.
pfSense and controller at home and UniFi APs, SWs and GWs at remote locations is the way to go. Works like a charm.
agree (though the other *sense with commercial filters makes me happier), but doesn't change the topology, as you described!
Same here. My cup of tea.
In my home network and home lab I have pfSense, UniFi controller with their APs. Works very well for the past 2 years.
Gotta love the auto populated "you" site search at 13:40 :D
Thanks for making this :) I run UniFi at home and it's been great. The firewall rules are definitely a little backwards feeling sometimes, but once it's set up it's solid. Policy based routing for sending VLANs or certain clients out of either WAN or a VPN interface is also good. Haven't tried load balancing though.
I'm also going to do a deploy at my dad's small business as it will be the perfect solution. I've also seen quite a few chain businesses use UniFi as well.
I would definitely like to try pfSense eventually, but it is totally overkill for what I need currently.
I suggest using pfSense as the DMZ firewall and the UniFi stuff more on the internal side. You increase security a lot when using a 2-zone FW and you are less affected by 0-day issues.
Ditto that
It will be cool if Lawrence Systems could make a video about that set up, It would be interesting
Appreciate the spoon feeding for both platforms. Bummer that pfSense offers no content filtering. Only component missing, with the exception of centralized management. Unfortunately they are both big ones.
Love these takes you do on these setups ❤
Nice comparison as always. I really love the tabular comparison between the firewalls. Correct me if I'm wrong, but this video seems to be written for small/medium companies, and I get that. That is your bread and butter. But I suspect that most of your audience are prosumers... anyway. You asked for what other solutions we would like to see, so here goes: Sophos Home (the one you download and install on your own hardware) and Omada firewalls. And for the record, I'm a pfSense fanboy.
Do you have a performance comparison for VLAN routing between pfSense (OPNsense) and UDM Pro/SE? I recently started an xcp-ng virtual host and connect via VLAN to an Unraid storage server with 10Gb NICs, via an Aggregation and Etherlighting switch. Performance within the same VLAN (virtual machine and storage) was good (measured via iPerf3), but only 1Gbps throughput when the VM was on a different VLAN. Had to reduce quite some checks on the UDM SE to get to 3Gbps; still less than I hoped. In another video I remember you said: don't route VLANs in the UDM SE. Wonder if you have done a comparison; else I'll try to get a virtualized OPNsense going on any next longer weekend. Thanks for your helpful videos
He said "don't route storage" quite often.
Does this not heavily depend on your hardware? People use crappy CPUs and virtualize pfSense/OPNsense and wonder why the routing is slow.
@edwinkm2016 No, right now I wonder about the VLAN routing via UDM SE; I'm pretty sure the CPU and the two SFP+ in my xcp-ng will be fine, especially when seeing the transfer rates within a VLAN.
@christianlohmann8577 The backplane in the UDM Pro/SE is maxing at 3-4Gbps according to what was tested. The new Pro Max should be able to double that according to press media, but I haven't seen any benchmark yet from independent tech channels.
Good comparison. I kinda figured that pfSense was better suited to business and UniFi for home and purchased accordingly.
I've run pfSense for the past two years, but I'm considering switching for better integration with UniFi services. My current docker container UniFi controller has been working well so far, but I'm planning on getting some cameras and kind of want everything to just work.
What is really annoying about people pushing UniFi products is that they never mention they are more than likely out of stock. Case in point is the UDR, which has not been in stock for weeks. I do worry about choosing a supplier that cannot manage its stock and manufacturing process correctly.
This needs to be pointed out every time. They can’t manage stock of their products properly. Why would I buy from them if they can’t manage that end of their business?
If you are worried about that with UniFi, you should try to buy a spare power supply from Netgate for the 6100: NOT POSSIBLE when I tried about 12 months ago. I had to buy a 3rd party power supply with similar specs.
Just hit "notify me" and you'll be surprised how quickly their products come back in stock.
Also look at the Cloud Gateway Ultra, then get an AP. About the same price as the UDR but more options and faster throughput.
Great review of these two systems. I liked the video so much I posted a link to it on my Discord server for my clients and other members to view. Personally, I do not need the in-depth granularity that pfSense has. I am quite happy with what UniFi offers for my small home business/smart home. I have been using UniFi for a couple of years now and it works great for me. It meets my needs and is pretty easy to use and set up. I do wish UniFi had some better in-depth articles on what the different options do and when it is appropriate to use them. They have made great strides in the past 12 months since getting the UDM Pro and the UDM SE on the same operating system. I hear that OS 4.0 is going to bring a ton of new features and I am really excited to see what Ubiquiti brings to the table in the next 12 months, both hardware wise and software wise. Looking forward to more of these types of videos from you.
Please also compare to OPNsense
He mentions quite often that he doesn't run OPNsense to have an option, and doesn't have a need to run it.
No need yet...
@RonnieRedd ... He has an MSP business with most of their clients using pfSense. Why would he change?
OPNsense is not on Tom's radar. Not even a blip.
OPNsense is basically just a themed pfSense anyway
There's no real point for Tom to go over OPNsense when he already works with pfSense
pfSense has a lot of configuration options. Even for home use, you don't have to use all the options/features right away, but it's nice to know that they are there if you decide to use them at a later date. For HA and reliability, from Netgate you can either buy the appliance or you can build it yourself with a dedicated small/mini computer or server. One thing I would warn home users and home labbers about is that setting up your router/gateway on a VM or lab environment for the whole house means that you are responsible for your family's Internet connection. If you are playing around and it goes down, would you be willing to spend hours fixing it overnight so everyone has Internet sooner rather than later? This is why I'd rather separate my home networking equipment from the home lab equipment. I don't like running pfSense on a VM for that reason.
Excellent comparison. Many thanks, Tom.
This was great, Tom. Thanks!
Excellent video! Subscribed.
Appreciate the video.
I wish to add a few things.
1. ZFS snapshots are available even on CE (using the CLI).
2. Content filtering and control is possible even on pfSense, using a free third-party app named NxFilter, which can be installed on the pfSense firewall itself.
3. Using the shellcmd and cron extensions, one can set up auto-update on pfSense.
Secondly, a comparison of Sophos and FortiGate firewalls with pfSense makes more sense.
I did not want to get to far off topic by discussing what can be done via the command line and third party / unofficial third party add-ons because from that perspective many more things are possible.
I might do a new firewall comparison of other firewalls, but I don't know that I want to take the time to go through all their interface as I did in this video.
@LAWRENCESYSTEMS Yeah, it would be great to touch on other firewalls, even in less detail. Thanks.
Aren't there some problems with IPv6 and the firewall on UniFi appliances? Or are those rectified in the newer OS versions? Because that would be a killer argument for me. I'm on IPv6 mostly.
A little off topic, but UniFi has an issue when you use "Isolated Network" on VLANs. When you connect from VPN, you can still see clients in these isolated VLANs (isolation works only towards other VLANs and not towards the VPN connection and its IP range). :-( In the UniFi GUI there must be a VLAN ID for the VPN network range too.
pfSense can also do SNAT and DNAT; UniFi cannot do this. It used to be able to many years ago and even had official help articles on it, but now you cannot in UniFi, as the feature was removed, and despite many requesting it the feature seems to be ignored.
Not done with the video but I think OPNsense being compared as well would be neat.
Fair, but OPNsense is very, very close to pfSense; it's almost just a different theme.
A lot of the config menus are actually worded identically, just laid out differently.
That being said, I haven't had much luck with pfSense; something weird always happens and I just go back to OPNsense.
OPNSense has historically been slower on security so I don't use them lawrence.video/opnsense
@LAWRENCESYSTEMS Thanks for the link. Just as a side note, OpenSSL is now on 3.0.13 in v24, if you want to add a date to the post. I do see what you mean now about the slow security updates.
My take on the UniFi firewall interface is that it feels like it was designed by someone who has never had to really set up a firewall before. It's good for basic requirements only. Also, one thing I never see mentioned in reviews is the way UniFi doesn't want to integrate with multiple DHCP servers that aren't its own gateway. Again, good for basic usage only.
Could you do a video where you show using both? Probably with pfSense acting as a transparent firewall, so that you could use the best of both systems.
Just for context, as a random dude in Asia: I've gotten Firewalla and the UCG Ultra.
If adblock is what I want: Firewalla Purple, then Docker it.
If I want ease of setup AND VPN: hands down UniFi.
For those who are in the full-time family tech support group, you will know what I mean when I say: set up and forget it, or site-to-site management, UniFi hands down.
You can expand with no problems, with the IDS/IPS (even though here it is the higher tier, but you get the point).
And I've never touched pfSense, due to the learning curve, and it's not something I can easily troubleshoot from afar.
If pfSense is more hardened, so be it, but in terms of ease of deployment and troubleshooting and decent protection, UniFi and Firewalla....
This is purely my own view and experience.
The major one feature I'd love to see added for pfSense would be a deeper Active Directory/SSO integration to gain access to Conditional Access. Fingers crossed it'll get added in the future.
The combination of both is also a good option: the advanced functions of the pfSense firewall, in particular the VPN and WireGuard functions, and the entire UI part of UniFi for the advanced management of switches, access points and other equipment of the brand. Great job anyway!
I find the firewall rules and vlans in the UDM confusing. I'll have to take a look at pfsense, although it looks somewhat confusing as well. Fortinet to me is crazy easy.
3:00 RAID is not a backup (T-shirt), but what if you use a RAID 5 to store only all the other 4 tiny drives with Unison? For example:
R: = RAID 5 (4 x 4TB)
C:, D: = 256GB SSD each
E:, F: = 1TB SSD each
G: = Google Drive FS
Unison profile to sync C:\ to R:\Computer
Unison profile to sync D:\ to R:\Downloads
Unison profile to sync E:\ to R:\Engineering
Unison profile to sync F:\ to R:\Files
Unison profile to sync G:\ to R:\GoogleDrive
etc...
In case the RAID fails, you still have the original disk data. Is this an "acceptable" approach?
pfSense does everything UniFi does *in my use case* and vice versa; UniFi was my choice for ease of use and a nice fancy interface.
Appreciate the video. One little thing though: I've been running my rrrrr VM through a WG policy-based route without issues on a UDM Pro for months. So it is definitely possible.
On the FreeBSD vs. Linux side there's a noteworthy difference: pfSense has an upstream project and tracks updates there. UniFi does neither. They pretty much only update the kernel versions when someone holds a gun to their head.
Thank you for making this video
Do you ever put a UDM behind a more sophisticated firewall? Is it possible to do without double NATing the LAN on the UDM?
I've gotten a few questions about keeping a UDM, since it is being used to control the other UniFi devices, but wanting a better/more sophisticated firewall. I haven't played around enough with UniFi to say definitively that it is possible or even a good idea.
I've deployed about a dozen pfSense routers (mainly Protectli and Qotom) over the last 2 years, but it doesn't seem robust enough to handle power outages, which isn't acceptable for a router in my opinion. I've had 4 not recover from a power outage or a user forcing the router off. Am I missing something? I'll probably go back to the UniFi UXG routers now that they have been upgraded from the USG line.
You can't expect quality results with cheap products. We use Netgate hardware and ZFS installs and they are very reliable.
@LAWRENCESYSTEMS Yeah, I assumed the Netgate products would be better, but they are just far too expensive when converted to Australian dollars.
Protectli is not that cheap a product; they seem quite solid. Mine has worked rather well. I've had a few power outages, no issues. That said, a small UPS would solve this problem as well.
@bertblankenstein3738 Agree. I was going to mention that I used to power my Protectli off nightly with no issues. On a power outage it comes right back up with no user intervention.
I only had to reboot once for temporary hardware issues in years of operation. Otherwise rock solid.
Are you using ZFS? And do you use a UPS to do a clean shutdown on power outages?
Thank you for your time and informative videos as always!!
6:18 I'm not much familiar with pfSense, but can't you run an update with cron?
Unofficially, yes.
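The two points above (ZFS snapshots from the CLI plus an update job scheduled with the Cron package, in the "I wish to add a few things" comment, and the "can't you run an update with cron? Unofficially, yes" exchange) as one added example, written for this page and not code from the video, the commenters or Netgate. It takes a ZFS snapshot of the boot environment as a rollback point before running the unattended upgrade, then prunes old snapshots. Assumptions: a ZFS install whose boot environment dataset is `pfSense/ROOT/default` (confirm with `zfs list` or `bectl list`), the `pfSense-upgrade` CLI with `-y` (answer yes to all prompts), and the script, log path and snapshot naming, which are all hypothetical.

```shell
#!/bin/sh
# Unattended pfSense CE upgrade with a ZFS rollback point (added example).
# Install as /root/auto-upgrade.sh and schedule it from the Cron package,
# e.g. every Sunday at 03:00:
#   0 3 * * 0  root  AUTO_UPGRADE_RUN=1 /bin/sh /root/auto-upgrade.sh
# A base-system upgrade reboots the firewall, so pick an off-hours slot.
#
# Assumptions (hypothetical, adjust to your box): dataset name, log path,
# and the -y flag of /usr/local/sbin/pfSense-upgrade.

BE_DATASET="${BE_DATASET:-pfSense/ROOT/default}"
UPGRADE_BIN="${UPGRADE_BIN:-/usr/local/sbin/pfSense-upgrade}"
LOG="${LOG:-/var/log/auto-upgrade.log}"
KEEP=3   # number of auto-upgrade snapshots to keep

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG"; }

# Snapshot name for a UTC timestamp (YYYYMMDDHHMM), e.g.
# pfSense/ROOT/default@auto-upgrade-202405010300
snapshot_name() {
    printf '%s@auto-upgrade-%s' "$BE_DATASET" "$1"
}

# $1: newline-separated snapshot names, oldest first (the order
#     `zfs list -s creation` prints them); $2: how many to keep.
# Prints the auto-upgrade snapshots to destroy; manual snapshots are
# never touched.
prune_list() {
    printf '%s\n' "$1" | grep '@auto-upgrade-' | awk -v keep="$2" '
        { lines[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print lines[i] }'
}

run_upgrade() {
    stamp="$(date -u '+%Y%m%d%H%M')"
    snap="$(snapshot_name "$stamp")"
    # No snapshot, no upgrade: the rollback point is the whole reason
    # to run this unattended.
    zfs snapshot "$snap" || { log "snapshot $snap failed, aborting"; return 1; }
    log "snapshot $snap taken; starting pfSense-upgrade"
    # -y answers yes to every prompt; on an up-to-date box it just exits.
    "$UPGRADE_BIN" -y >> "$LOG" 2>&1 || log "pfSense-upgrade exited with status $?"
    # Prune old rollback points, newest $KEEP kept (-d 1 lists only this
    # dataset's snapshots; -H -o name gives bare names).
    existing="$(zfs list -H -t snapshot -d 1 -o name -s creation "$BE_DATASET")"
    for old in $(prune_list "$existing" "$KEEP"); do
        zfs destroy "$old" && log "destroyed $old"
    done
}

# Only act when cron sets AUTO_UPGRADE_RUN=1, so the helpers above can be
# sourced and checked on any machine without touching ZFS.
if [ "${AUTO_UPGRADE_RUN:-0}" = 1 ]; then
    run_upgrade
fi
```

If an upgrade leaves the box broken, boot to single-user mode from the console and `zfs rollback` the snapshot the log names (add `-r` if newer snapshots exist), or revert to the previous boot environment with `bectl` where your install has one. The Cron package is what schedules the job; shellcmd is only needed if you want the cron entry re-created at boot.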
For those like me that want the best of both worlds, you can choose both. I have pfSense CE installed on a Protectli Vault and it handles my home lab (SOC analyst here 😎) extremely well (multiple VLANs, VPN, Cloudflare integration, etc.). However, when it comes to switches and my WiFi setup, I've gone with Ubiquiti, as their PoE switch offering is great and I can manage all those devices with their UniFi Network software, which I've installed on a Debian VM on my management VLAN. Very nice!
I think you have Zenarmor for pfSense that can do content filtering.
I'm pretty much done with UniFi at this point. IDS/IPS and the DPI traffic rules completely ignore IPv6, meaning that if you try to block a service (such as YouTube in your own example) that is dual stack and you're on a dual-stack network, it doesn't work, because it will try IPv6, which is ignored by EVERYTHING. Traffic stats that you discussed... IPv6 is ignored and not counted... I can go on and on. Until Ubiquiti gets their act together I cannot recommend their products anymore.
I would love it if Ubiquiti would build out their openvpn and ipsec feature sets. I have a U6 Pro access point, UDM SE, USW Pro and USW 10GB switch currently, but the lack of vpn configurability has been holding me back from upgrading a lot of it.
Sorry, maybe off topic here: I just bought the new Cloud Gateway Ultra because I wanted to run the Network server management on hardware, not on my workstation. I run UniFi switches and access points behind a pfSense firewall with WireGuard and 8 VLANs.
I connected the Cloud Gateway Ultra between pfSense and the existing switches. The Network server displayed all UniFi devices and I was able to manage them, but I can't connect to the Internet via pfSense. If I connect the Cloud Gateway Ultra directly to the Internet router, it works.
Is it even possible to connect the pfSense upstream and operate the VLANs, or do the firewall and the VLANs have to be provided by the Cloud Gateway Ultra?
I am grateful for any help!
I don't recommend using both pfSense and the Cloud Gateway, because as you have noticed it's a more complex config, and yes, the Cloud Gateway should be providing the routing and VLANs.
I think the point hammered home here is that BOTH Unifi and pfSense are excellent platforms, whether you be prosumer or using this in commercial environments.
Do you have any recommendation for a hotel and resort UniFi setup? Which devices are good for this kind of environment?
UI's "high availability" does not have state sync, so it should really be called failover.
They do have state syncing in the beta version.
Thanks.
Had Untangle dropped out of the race?
I'm in the market for a hardware firewall for home+lab type setup. Any recommendations please?
Untangle first removed free version and then Home version. They only offer the commercial one now.
I tried to like pfsense and opnsense but I ended up back with Sophos. Might have had errors in my configurations but Sophos has been far more stable for me. I miss having tailscale in the firewall but I'm surviving
You forgot to mention the UniFi USG router. Almost the same features (less throughput) at just $100 :) I believe it is superseded by the UniFi "Cloud Gateway Ultra" or UCG.
I don't know any corporate/enterprise people running pfSense that utilize QinQ. The lion's share of people using it are service providers, and they aren't using pfSense. How many service providers are running pfSense? Most service providers need to move a lot of packets quickly and provide some light firewall rules to keep people out of devices...
There are a lot of pfSense installs in big enterprise environments and MANY government places.
@LAWRENCESYSTEMS The lion's share of people using QinQ is what I meant.
Another great video! Thank you! Can I have a pfSense CE HA with one system with pfSense in a Proxmox VM (primary) and with pfSense on another system in a TrueNAS Scale VM (backup)?
Two years ago when talking with David Bombal you said Unifi didn't really do routing well. Has your opinion on that changed / have they made improvements?
I'm running pfSense 4100 Max and a Cisco C3750X but for wifi I'm using Google Mesh. Obviously my WiFi is garbage and I've been thinking about changing my networking setup since it's been several years, so I was thinking about switching to some Unifi APs along with a Unifi gateway and switch, but after watching that video with Bombal and you mentioning the lack of inter-VLAN routing I'm a bit hesitant.
The UniFi firewall have become better, but they are still behind compared to pfsense.
@LAWRENCESYSTEMS I appreciate the response; however, my question was more regarding L3 routing than the firewall.
Would love to see a video comparing against closed source commercial firewalls like Watchguard that have subscription security services. How do their paid security services compare to PFSense?
I don't really feel that the security services offered by commercial firewalls are much more useful than what pfsense has, especially because you can use those same paid feeds in pfsense. But since more traffic is encrypted firewalls are blind to it.
@LAWRENCESYSTEMS I agree with you Tom... not to mention it's been done before. What makes pfSense the go-to in the vast majority of use cases, including home users, is the vast functionality. Where pfSense has challenges competing is in corporate environments with a NO open source policy, or where hardware MUST have support licenses. Other than that... I put pfSense right against many WatchGuard, Fortinet, ASA and Barracuda offerings of similar feature sets.
Hey Tom, my original UDM (the capsule one) is dying. I have been using it mostly as an AP and the controller for my UniFi infra ever since I moved everything behind a Netgate 2100. Do I 1) get a replacement for the UDM, and if yes, what? Or 2) just put the controller on a VM or Pi and run my AP 6 Pro and my switches from that?
UniFi doesn't offer a gateway I would want yet for ports; 2 10G + gigabit ports is a waste. It's 2024, it's 10/25G + 2.5G ports, and I could ditch a whole level in my setup.
Thanks for all the great content. I've been messing around with some firewalls to see which is the best for me, and your videos helped a lot. pfSense is really good, but it's missing content filtering and apps. I found another FW, Sophos, that does that. I am messing around with it, but I did love pfSense. UniFi is great, but I miss the fact that it's more "high" level. You just can't get to those little configs that you can in the other firewall.
BTW, if there's any software that can be added to pfSense for content and app control, PLEASE tell me.
Best, Serpa
What about the UXG-Max? Maybe I'm missing something, it looks like a nice replacement for me.
If it has the features you want then use it
There is a lot of additional stuff one can do (and I unfortunately had to use it) using EdgeOS commands with UniFi. Does the same hold true for pfsense?
pfsense has many more features than were covered in this video.
Thank you for the video. I love the content! Keep it up!
How's your ninjaone experience?
NinjaOne is still going well and I will be at their office for an event soon.
@LAWRENCESYSTEMS Very nice to hear! I enjoy them and the Discord as well.
Seems like pfSense is better suited for businesses/enterprises and UniFi is better for residential/prosumer use cases, although I could see the UniFi firewall also working for small businesses without many needs.
With regards to content filtering on pfSense, isn't that the job of Snort and Suricata?
Nope, those are for IPS/IDS
🤔 Thanks for this, Lawrence. I was interested to know, glad you covered it.
His name is Tom. The company is named Lawrence Systems =) (maybe that was his father?)
If I buy Netgate 2100, I do not need to buy a license right? Is it a lifetime license?
Yes, free for the lifetime of the product
@LAWRENCESYSTEMS Thank you for the information.
I will save up $350 + tax to get the Netgate 2100.
Your content will be invaluable to me when I get it and set it up properly.
Excellent overview!
Great video thanks, Really interesting to see the differences side by side like that. 👍👍 Love the T-Shirt! is that available in the store?
Yes lawrence.video/swag
I would think if UniFi wants to get into the enterprise game, they should create a device that is a stand-alone device. Let that device do the firewall and VPN well, and let the other device be a high-horsepower router. It's nice to do everything in one box, but it is also much better not to do it as an all-in-one.
I just gotta get off PFSense to go 25g+ Or get a better L3 switch and offload routing to that with a superior asic...but ACLs ugh.
Get a Layer 3 Switch that can do VRFs then you can have best of both worlds. SVIs on the layer 3 switch but traffic control decisions go through your firewall. More complex as it’s often used in larger enterprise environments but can work well.
If you have 25GE+, you can afford a commercial firewall that can handle it. Otherwise you don't need 25GE+ at all.
@Mitchell7790 Have that...
Is it just me, or does Ubiquiti not yet have the option to do split-tunnel VPN through OpenVPN? I find it shocking. Also, not being able to do multiple VPN servers/instances of the same kind is also a disappointment. Thank you, Tom!
I am sorry, but Tom, if you are talking about firewalling, why are you leaving out the most important point: logging?
I bought the UDM Pro, but as soon as I tried to debug a problem I discovered that there is simply no usable logging within their UDM Pro appliance. The fact that tinkering with rules is more fiddly and the lack of good logging just brought me to buying a passively cooled N100 mini PC with 6 2.5Gbit NICs. I think logging should be part of your list 🙂
Otherwise great video, again and many thanks!
I did cover netflow and diag tools, but diving into Syslog and what is or is not there would have made the video MUCH longer. Once you know they don't have a Netflow exporter you can assume they are missing more detailed firewall rules.
Oh, it's simple: UniFi still doesn't have the SFA options/features found in other firewalls/gateways. There is plenty of doubt about how much they actually catch/block. UniFi is only great for being one whole package, but as for use in sensitive sites, nope; UniFi is way too closed and limited.
It's unfortunate you didn't also compare OPNSense for those looking for a solution that doesn't have a guaranteed single point attack vector (the vendor).
OPNsense has been historically slower on security updates lawrence.video/opnsense
UniFi for schools, easy to manage, PfSense for home and lab-great video Tom, aloha from Hawaii
Only if schools are in USA
An important distinction that you missed out is that pfSense Plus absolutely destroys UniFi in VPN because of intel-ipsec-mb; that library is huge for throughput over a VPN like WireGuard, and UniFi doesn't have that as far as I know.
I was debating about that, but talking about VPN speeds requires a lot of specifics about what traffic types and which models you are testing, that might be a separate video.
I really love Sophos firewalls, Licensing can get a bit expensive but have used them for years.
17:07 RADIUS is on the way out. Microsoft doesn't even control the protocol anymore... I'd be wary of it imho (especially since Microsoft now has Azure RADIUS, which is not RADIUS 😂)
Great video though. Now I just have to bite the bullet and buy hardware for a pfSense firewall to replace my ancient USG (non-Pro) and actually use my 1.2 Gb internet 😢😅
pfsense for me, I think. I'd like my network devices not trying to behave like IOT devices. It feels like all these smart APs will be just that. I'm looking at Mikrotik's APs, they look powerful and basic - for me, these should be nothing but freaking antennae, and I just don't see any reason for themselves to reach out to the mother ship in the cloud to "upgrade" anything. I just want the antenna!
BGP incoming in UniFi OS 4.1, soonTM. I think UniFi got SNMP support with 4.0.3
Any idea if the unifi cloud gateway supports cloudflare dynamic DNS?
Not that I know of.
UniFi lacks modern traffic shaping capabilities offered by Netgate (pfSense) and Mikrotik (RouterOS) out-of-the-box. I can't recommend UniFi solely based on this.
Vpn performance and options, Maybe in a video?
Comparison to a FortiGate would be great
Hope to see this compare too. Especially about the NGFW features on Unifi compare to FortiGate.
May 2024 - still no internal NAT with UniFi :-(
UniFi HA = shadow mode; basically, yes you can.
pfSense for me strictly because of the no centralized management. Zero chance I ever create an account at UI.
The forum is down.
It's up now and nothing in my logs shows that it was ever down.
Thank you for the quick breakdown of the differences.
While I'm not a pfSense user (I run IPFire), it's great to see the level of detail that one can go into with pfSense, and that is something that I've noticed putting UniFi side by side with IPFire: IPFire has more capabilities in regard to granular detail in nearly every aspect.
I still consider myself entry level with networking, so plenty of what you covered went right over my head, but that just means I have more to learn, and that is a great thing. :)
Any chance of a similar video showing the basic differences between IPFire, pfSense and UniFi?
Again, thank you for the quick breakdown.
Cool t-shirt 🐱
Unifi's self-hosted controller is deliberately gimped, it is notably less feature-rich than the included controller in the UDM.
That is not true.
Sounds like Chris Bueller has been busy at Unifi 😮😊
I think you are referring to Chris Buechler, he does not work at UniFi anymore.
Wondering why you never talk about MikroTik. Are they too bad?
They don't have great documentation and can be a bit buggy.
Thanks
I inherited a large UniFi deployment (70 sites) and I'm replacing it all as soon as possible. There's no room to grow in terms of technology stack: no SD-WAN above 15 sites, no orchestration of firewall rules and policies across routers, no SASE features (e.g. network access control), no real route to ZTNA without buying a load more stuff from another vendor. It's just not suited for a single company with a large deployment. I imagine it could work well for people with lots of single-site customers wanting different configurations.
pfSense REALLY needs to get SSO working for VPN access.
I don't see that happening as it already can work via AD and RADIUS.
@LAWRENCESYSTEMS SAML SSO is about more than authenticating with a directory: conditional access, risk-based access control, multi-factor auth.
I said no to both and run OpenWRT on the equivalent to a toaster
I wouldn't even compare pfSense with UniFi; it should be pfSense vs. OPNsense.
One major difference: UniFi sucks you into their ecosystem. Like Apple. 😄
I hate the UniFi firewall rules UI/options.
Thank you for sharing.
The NETGATE INSTALLER for CE is broken. Please do not use this! Try to find an older ISO or IMG and then upgrade. Netgate is aware of the problem and has done nothing about it. Essentially, you cannot install a fresh 2.7.2 deployment. You WILL get this error -- pkg-static: cached package pfSense-base-2.7.2: missing or size mismatch, fetching from remote
That is interesting. I just downloaded and installed pfSense CE onto a test system to test the new installer yesterday, and it was able to install just fine.
@USSZulu2 So, I downloaded the installer several times, both the memstick and ISO images, resulting in the same error each time. I called Netgate and created a ticket last night, and then this morning they responded with the pre-installer ISO, pfSense-CE-2.7.2-RELEASE-amd64.iso. This ISO worked flawlessly. I was surprised to discover the installer is still in BETA. Furthermore, the Netgate Installer DOES NOT allow pfSense installation without an internet connection, so there is no OFFLINE installation of CE.
@USSZulu2 The Netgate Installer needs to be better implemented. They have removed the pre-installer images and FORCED us with no option but the installer. This is another NETGATE F**k-Up, similar to the Free License Scam they pulled. Additionally, they have placed the Netgate Installer behind a $0.00 paywall, which is a sign that there will be no more free CE and that in the next 3 years or less we will BE FORCED TO PAY for PFSENSE, as Tom BAITED us about this in a previous video.