Opnwrt is great but it's limited in what hardware you can install it on and is very basic as a firewall. I run it on my WAP but use Opnsense as my network wide firewall.
I wouldn’t include untangle. They stopped their home license & now a 12 month subscription in $572. Sophos is great but is really picky with newer hardware. I couldn’t get it working with my newish hardware (UEFI bios).Out of all of them my pick would be pfsense with something like NextDNS for filtering
Sophos XG (he calls it Sophos UTM home, but it's XG, UTM is the old one) is much much more user friendly and feature complete than PFSense, been using it for years. Just an heads up tho, it doesn't support IPV4 PPPoE with DHCPv6 IPV6 that a lot of ISP providers use (at least in europe). It will work only for IPV4. Pf/opnsense do support that (but pppoe performance is really bad). Also the logic you use to configure it is closer to enterprise firewalls (mostly because it's one even if not one of the top ones) compared to something like pfsense that's vastly different.
@@oliveirajmr if you really really want it you can use SSL Inspection and the antivirus but that's a can of worm I wouldn't touch with a 30ft pole outside of an enterprise environment.
@@oliveirajmr Your question raises an increasingly valid point. I support (as part of a team) the Sophos Enterprise devices. I've demo'd the Sophos XG Home firewall (free for anyone, free + features for anyone that already has a Sophos Central login - usually a Sophos partner but can possibly include other people)
Hello Thank you. Now I'm looking for a good solution for the firewall in the home lab and at home. I try Sophos on HP T620 Plus, but the community version does not support M2 HDD, after registration Sophos restarts and the disk goes into corrupion state. Now I've been trying pfSense for a few days, and so far I have mixed feelings.
Sophos is nice but hw limits are a deal breaker. I run opnsense and used to run pfsense . Opnsense gets updates biweekly while with pfsense i remember not having a single update in 5 months. So stating that opnsense gets less updates than pfsense is not accurate. Also i d like to see ipfire in that list instead of unifi.
Pfsense actually gets security updates and bug fixes via patches. Those get pushed out pretty quickly. Feature updates get added later after extensive testing.
Palo Alto lab units are awesome... if you have ""bad"" internet speeds. The only affodable lab units like the PA 4** series only have gigabit ports unfortunately so if you have multi-gig internet you will lose speed. If you have the cash to get the lab version of a 14** series or even the older 850, that's basically the best firewall you can have at home, bar none. Probably also the best firewall you can have in a business too, except that in that case the price will go way up :D Also it's notoriously hard to get lab licenses (at least in europe) if you don't work in IT either in networking or management ideally. Fortigate used to give you free lab units if you went to their events (small ones, but could do gigabit speeds with only firewall and decent enough speeds with all security enabled and vpn), unfortunately they don't do that anymore :(
@@abdullahX001 varies wildly. Not sure about the new PA-4** series as I never asked, but the pervious PA-2**, specifically the 220 got quoted to me (as a independent contract consultant and certified PA guy) at 450€ for the first year and 100€ for each renewal. Then going thru a company that spends high 7 figures yearly on PA hardware it got quoted as "sure, w'll just give them to you for your engineers, how many do you want?". It's also left to the reseller discretion, some are more generous with it than others. I expect the 410/415 to be at the same price and the 440+ to start costing a bit more. Some will even sell it to you without any requisite (I heard, but personally never found one that didn't at the very least expect you to be a working network engineer or consultant, but again, I had relations with... 4 total :D)
We use Fortigates at work and they're getting to be insanely expensive on their renewals to the point I've been looking into alternatives. For now for branches I've been buying Netgates with pfsense plus installed on them. They've been working great. But for our data center and corporate office I could replace the Fortigates with Netgates but like to check out Palo Alto. However, I don't want to get into the same expensive trap with the renewals for security suite like we do with the Fortigates.
@@Darkk6969 last time I got a compartive quotes between Fortigate and Palo Alto, Fortigate was like... 40% less at least. It's a shame that it went so up that even PA is preferrable.
I use Debian Linux as my Router/Firewall for my local network. GNU/Linux can be a great alternative for Firewall Solutions only if the SysAdmin or Network Administrator can handle it appropriately.
My home network runs on generic Linux distros as well. Started with OPNsense, went over to VyOS for some time and finally settled on Enterprise Linux. I find nftables much better to work with than pf. Having the ability to separately filter host destined/forwarding is awesome, and so is the ability to filter for inbound and outgoing interface in the same rule. Having a distro with less "assumptions" also makes some whacky setups possible (VRF for one). There are downsides however. Most notably it's more difficult to dump your configuration. VyOS can export its entire config as a series of commands, put a shebang on top and it's a recovery script. By comparison, using a generic Linux distro will require the configs to be collected from several locations (firewall, interface manager, DHCP server, DNS server…)
@@LordApophis100 Tom Lawrence pointed out that pfsense actually provides security updates via downstream to FreeBSD community which opnsense benefits from.
Never understood why half of the internet compare a firewall (like pfsense) to a freaking router (like mikrotik). Those are different things for different purposes, which may have a bit of overlap by accident, and are not replaceble (by category)
Working with both pfsense and Mikrotik now and still learning.
What about VyOS?
Would OpenWRT fall under the same category?
100% yes, I was really surprised it wasn't included in this review. None of the presented alternatives was of any interest to me.
I'm a big OpenWRT fan and use it but its firewall is pretty basic.
Opnwrt is great but it's limited in what hardware you can install it on and is very basic as a firewall. I run it on my WAP but use Opnsense as my network wide firewall.
I wouldn’t include untangle. They stopped their home license & now a 12 month subscription in $572. Sophos is great but is really picky with newer hardware. I couldn’t get it working with my newish hardware (UEFI bios).Out of all of them my pick would be pfsense with something like NextDNS for filtering
I use pfsense with pfblocker. Works really well. I was using PiHole but found pfblocker to be more configurable on what categories to allow or block.
The Sophos is an interesting option to investigate, Pfsense lacks antivirus etc. Normally you always pay a heavy premium annually for this.
Sophos XG (he calls it Sophos UTM home, but it's XG, UTM is the old one) is much much more user friendly and feature complete than PFSense, been using it for years. Just an heads up tho, it doesn't support IPV4 PPPoE with DHCPv6 IPV6 that a lot of ISP providers use (at least in europe). It will work only for IPV4. Pf/opnsense do support that (but pppoe performance is really bad). Also the logic you use to configure it is closer to enterprise firewalls (mostly because it's one even if not one of the top ones) compared to something like pfsense that's vastly different.
Why do you want antivirus on your firewall ? 90 percent of traffic is encrypted anyway these days
@@oliveirajmr if you really really want it you can use SSL Inspection and the antivirus but that's a can of worm I wouldn't touch with a 30ft pole outside of an enterprise environment.
@@oliveirajmr
Your question raises an increasingly valid point. I support (as part of a team) the Sophos Enterprise devices.
I've demo'd the Sophos XG Home firewall (free for anyone, free + features for anyone that already has a Sophos Central login - usually a Sophos partner but can possibly include other people)
@@oliveirajmr Yep. You're better off using DNS filtering with known lists of malware and virus websites. Pfsense with pfblocker works well.
Id like to know of any of the enterprise solutions like the PA 3020 can be reasonably power efficient or do they chew power (rated for 250w after all)
How come you said okay let's talk about the cons and then listed a bunch of pros about it....
😂
Hello Thank you. Now I'm looking for a good solution for the firewall in the home lab and at home. I try Sophos on HP T620 Plus, but the community version does not support M2 HDD, after registration Sophos restarts and the disk goes into corrupion state. Now I've been trying pfSense for a few days, and so far I have mixed feelings.
Thanks for sharing this caveat.
Sophos is nice but hw limits are a deal breaker. I run opnsense and used to run pfsense . Opnsense gets updates biweekly while with pfsense i remember not having a single update in 5 months. So stating that opnsense gets less updates than pfsense is not accurate. Also i d like to see ipfire in that list instead of unifi.
Pfsense actually gets security updates and bug fixes via patches. Those get pushed out pretty quickly. Feature updates get added later after extensive testing.
Lab units; finding, selection & keeping them updated without being made EOL? How?
Palo Alto lab units are awesome... if you have ""bad"" internet speeds. The only affodable lab units like the PA 4** series only have gigabit ports unfortunately so if you have multi-gig internet you will lose speed. If you have the cash to get the lab version of a 14** series or even the older 850, that's basically the best firewall you can have at home, bar none. Probably also the best firewall you can have in a business too, except that in that case the price will go way up :D Also it's notoriously hard to get lab licenses (at least in europe) if you don't work in IT either in networking or management ideally.
Fortigate used to give you free lab units if you went to their events (small ones, but could do gigabit speeds with only firewall and decent enough speeds with all security enabled and vpn), unfortunately they don't do that anymore :(
When you say affordable… how much is affordable?
@@abdullahX001 varies wildly. Not sure about the new PA-4** series as I never asked, but the pervious PA-2**, specifically the 220 got quoted to me (as a independent contract consultant and certified PA guy) at 450€ for the first year and 100€ for each renewal. Then going thru a company that spends high 7 figures yearly on PA hardware it got quoted as "sure, w'll just give them to you for your engineers, how many do you want?". It's also left to the reseller discretion, some are more generous with it than others. I expect the 410/415 to be at the same price and the 440+ to start costing a bit more. Some will even sell it to you without any requisite (I heard, but personally never found one that didn't at the very least expect you to be a working network engineer or consultant, but again, I had relations with... 4 total :D)
@@tbard hmm thank you very much for that intel. I will see what our security MSP can do…
We use Fortigates at work and they're getting to be insanely expensive on their renewals to the point I've been looking into alternatives. For now for branches I've been buying Netgates with pfsense plus installed on them. They've been working great. But for our data center and corporate office I could replace the Fortigates with Netgates but like to check out Palo Alto. However, I don't want to get into the same expensive trap with the renewals for security suite like we do with the Fortigates.
@@Darkk6969 last time I got a compartive quotes between Fortigate and Palo Alto, Fortigate was like... 40% less at least. It's a shame that it went so up that even PA is preferrable.
thinking to migrate from opnsense to sophos home.
Packet fence is cool as well but more of NAC not sure ware you use that fore home tho XD
I use Debian Linux as my Router/Firewall for my local network. GNU/Linux can be a great alternative for Firewall Solutions only if the SysAdmin or Network Administrator can handle it appropriately.
My home network runs on generic Linux distros as well. Started with OPNsense, went over to VyOS for some time and finally settled on Enterprise Linux.
I find nftables much better to work with than pf. Having the ability to separately filter host destined/forwarding is awesome, and so is the ability to filter for inbound and outgoing interface in the same rule.
Having a distro with less "assumptions" also makes some whacky setups possible (VRF for one).
There are downsides however. Most notably it's more difficult to dump your configuration. VyOS can export its entire config as a series of commands, put a shebang on top and it's a recovery script. By comparison, using a generic Linux distro will require the configs to be collected from several locations (firewall, interface manager, DHCP server, DNS server…)
Sophos UTM came from a product called ASTARO Security Gateway
Thank you.
I need a linux base.
IPFire
There is also VyOS based on Debian
Replaced pfsense+ on netgate 6100’s with VyOS..
Sophos, Smoothwall, Untangle and IPfire
OPNsense is a bit slower to release security updates ? You mean sometimes weeks slower. If security doesn't matter then sure that UI is nice.
Yep, considering you typically set it up once and then only access it quite rarely, I prefer better security over the better UI.
@@LordApophis100 Tom Lawrence pointed out that pfsense actually provides security updates via downstream to FreeBSD community which opnsense benefits from.
Never understood why half of the internet compare a firewall (like pfsense) to a freaking router (like mikrotik). Those are different things for different purposes, which may have a bit of overlap by accident, and are not replaceble (by category)
Untangle used to be good, now its just pure garbage ! Over priced & lack of updates and features !
Thomas Ronald Gonzalez Jason Martin Jessica
MicroTik ... ever heard of Kasperski? Arn't they both Russian companies?
Mikrotik is based in Latvia. Latvia is part of the European Union and is also part of NATO. So the answer to your question is no.
So what? I would probably trust a Russian company any day over an American/EU company
Thank you.