Tom here from Lawrence Systems, and let's talk about firewalls. Picking the right firewall is challenging and there are a lot of choices on the market. To keep this video reasonable and narrower in scope, we're only going to cover the ones we recommend. This is by no means an exhaustive list of every potential firewall out there. A full feature-set comparison becomes very difficult to do, especially with some of the larger enterprise ones people have asked me to review, because their feature sets are so comparable to each other that at that point it really comes down to the support. The ones we recommend, both pfSense and Untangle, do not require any type of reseller to contact and do not have to be bought; they are free to download. Untangle is the one we'll talk about that offers licensing fees, which you can buy direct from Untangle. It's not a partner-only program; anyone can just go download it and buy the extra add-ons as needed, so I wanted to put that out there up front. The other ones I'm going to be covering are the equipment from Ubiquiti, and I guess I could throw TP-Link in there. I didn't put it on the comparison chart, but I did a review recently of the TP-Link firewall. Basically they copied the UniFi, so most of the same feature limitations exist within the TP-Link, and it's not going to be on my highly recommended list. The reason I bring up the UniFi firewalls is because that's the real question people ask: if you recommend the access points and you're recommending the switches from Ubiquiti, why wouldn't you recommend the firewalls? And I do, if people have the most basic of needs. What makes this video a lot longer is defining what exactly that means. That's where we're going to define the functionality of Untangle, the functionality of pfSense, and where that falls off in terms of using the USG or UniFi Dream Machine.
Before we dive into all these details, if you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a project, especially things like firewall consulting and network design, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below and plenty of ways to connect with us.

Now let's start by looking at the chart here. We have Netgate pfSense. Netgate is the hardware company; pfSense is the project, the firewall you can download. There are no fees, there's no registration, you can just download it, and you can either load it on your own hardware or buy the Netgate appliance. That's how they fund the project: selling the Netgate appliances, which allow you to run this not only with pfSense but with pfSense Plus. I'm not going to get too off topic, but I have a separate video on it and it's documented on our website. They've made an enhanced version of pfSense called pfSense Plus with very few extra features here in May of 2021. More features are planned, like a few business add-ons if you buy their hardware, but that's documented on their site. Once again, no license fee, but right now pfSense Plus only comes with their hardware. Pretty much the same thing, minor differences.

Now Untangle you can load on your own hardware, they do sell appliances, and they have a free version and a paid version. It is based on Linux, versus pfSense, which is based on FreeBSD. What comes with the free version, which is open source with closed-source add-ons, is covered with their complete checkboxes over here; you can go through and compare and see what's on there. I've also listed in the chart that many of these features, like being able to use WireGuard, are going to be paid features. So I wanted to break that down to show some of the differences. Now, you do not have to buy from a partner, but we are a partner, so I'm clear on that upfront.
If you want to buy it directly from Untangle, there's no need to contact someone on a list; you can just buy now right from their website. They do offer direct sales, which I really like, and their pricing is very upfront. Whether you're a business or, as I brought up right here, a home user, they do have options. They have HomeProtect Basic and HomeProtect Plus, and at $150 a year, getting all the bells and whistles and features, I think it's a really solid system if you need some of the advanced web filtering and reporting that Untangle has. That's one of the reasons I have it on the list.

Now I have the UniFi USG, USG Pro and UDM Pro on this list, and of course the EdgeRouter. The big reason for them is, as I said, we talk so much about Ubiquiti equipment that people want to know why we aren't recommending their firewalls, because they give you that complete dashboard where you have all the devices and the firewall in there, which sounds really compelling until you have to use it. The knowledge I'm sharing with you is based on our very real-world use case of actually deploying many, many pfSense systems and many, many Untangle systems. These are systems we're very familiar with; we have reliably deployed them, so we're familiar with any problems or challenges that may arise from them. We have also worked with quite a few of the USG, USG Pro, UDM and UDM Pro units, mostly UDM Pros, because they seem to be quite popular compared to just the UniFi Dream Machines. The one problem, though, is that so many people have regret, because they contact us thinking they can configure it to do something that is just not supported in it.

So let's start running down the list here and talk about the features. First one is centralized management. There is no official system from Netgate pfSense at this time that offers a central way to manage all the firewalls you've deployed.
We use Zabbix ourselves to log into, manage and monitor uptime as needed on these devices. But it is not something native right now to the pfSense ecosystem. There are third parties out there, and I haven't used them, but they do exist to be able to manage these firewalls. Versus Untangle: especially if you're an IT company like we are, a managed service provider where you're managing a lot of firewalls for clients, it is nice that they have a central dashboard so you can see the status of all the firewalls in one place. That is something that comes with the Untangle system. It's not really relevant for home users unless you're monitoring just your firewall, and you're probably behind it, so it's less of a big deal, but it's cool that they offer that as a feature.

Now, the software-defined networking: the same tool that manages all the UniFi switches and access points does offer management for both the USG and UDM line. And UNMS is the separate system that manages the EdgeOS and EdgeRouter line. That is essentially how the separate lineups work in the Ubiquiti ecosystem: these two on the UniFi side, and then the UNMS system for the Edge line. It's all under one company, Ubiquiti, but the Edge line is kind of a separate line, and they're actually decent little firewalls. The thing that scares people away from them the most, though, is that they require a lot more knowledge to configure, because a lot of the advanced things you do on them, outside of anything basic for routing, become a command-line option you really have to dive into. They're nice little routers, they're really inexpensive, which makes them attractive to people, and I've found them very reliable. But the configuration challenges of doing everything by basically writing the config files by hand make them a little bit tedious and not for everyone to manage; overall harder to manage, I would say.

Now, OpenVPN is a great place to start.
There are a lot of problems where the marketing people want boxes checked, because they want to be able to say a product has a feature, but in real-world use the engineers and the marketing team are always at odds with each other, and that's what we're going to run into as we go down this list. OpenVPN support is extensive on pfSense and also on Untangle. When it comes down to the USG and UDM, it's very, very basic, and it's command line only when you're doing it from the EdgeRouter. I want to give a visual here of exactly what that means.

So here we are in Untangle, and we can see the OpenVPN status page and the server page. We have just a test I have set up in here, but there's a lot you can configure, a lot you can set up, especially when you go under Advanced, and then there's plenty of reporting that gets attached to the VPN. There's nothing logged in right now with this demo machine, but it has a lot of advanced reporting and all kinds of fine tuning on the options. So if you have these default options or want to add a different parameter, you can fill in and expand on the parameters and get into the details of it. Then we look over here at pfSense, and it's the same thing, laid out differently, but we have all the different cipher options, lots of different algorithms you can choose, how you want to do things in depth and in detail, and of course even more extra parameters that can be added and passed through to the OpenVPN server behind there. This is great; this is what you want, because it's frequently not just one thing you want to do with a VPN; you want to be able to have a lot of diversity. Both of these have essentially wizards that will get you through the system to get the basics filled out and then leave you with the options to do something more advanced. I've got tutorials I've done on these and, like I said, I'll leave the links below.
But when we get over here to the UniFi, we can go and create a new network and say site-to-site VPN, OpenVPN. There we go. This is the feature set they offer us. And by the way, there's nothing here for managing users with this; that's not part of the functionality they've really built in there. If you want a remote user VPN, there's the L2TP server, and once again it's very basic: you can choose to use a RADIUS profile. It goes back to the point that it made the marketing people happy to say it has OpenVPN support, but it really doesn't have any of those extensive features you might be looking for that you're going to get with OpenVPN on Netgate or on Untangle. So pfSense from Netgate has the ability to go in there and do policy routing and do privacy VPNs where you do selective routing on your network. You can do the same thing with Untangle, but that's just not really possible over here on these. There are some ways, unofficially is how I look at it, on the EdgeRouter to get some of that configured. I put yes, command line, so it's possible, but once again a lot more work to get that done.

Same thing with IPsec. Yes; yes in the paid version on Untangle, with lots of advanced options. It does work on the USG and UDM, and this is where there's also a little bit of a divergence. We have found the UDM Pros less than stable, and this has been something people contact us about: if you're trying to connect one of the Dream Machine line to a non-Dream Machine for site to site, I've seen a lot of flakiness trying to get it connected to other firewalls. It seems to connect well to another Dream Machine Pro, but I wouldn't call it stable when you're trying to connect it to a non-Dream Machine. So if you have two Dream Machines and you want to use their site-to-site IPsec, that works. L2TP, we have that in Netgate pfSense and as part of the paid features of Untangle.
Yes, yes, but as you've seen, a kind of basic RADIUS profile tie-in if you want to use that for remote users. Most people would still prefer something like OpenVPN for a lot of reasons.

WireGuard: WireGuard was in pfSense 2.5. It got removed in 2.5.1. It's being reworked and brought back in 2.6. It is paid if you want to use it in Untangle; Untangle does not offer it in the free version, which I know created some controversy in the Untangle forums, but they do have it as part of that HomeProtect complete version that they have. On the Ubiquiti side it's not an option at all. I will admit there are some forum posts, and people have asked me to do a video on this, which I'm not going to, where you can side-load it on some of the different devices. I've seen some projects. It's not officially supported by Ubiquiti, so I'm going to leave it as no.

Policy routing: there is policy routing, and very advanced policy routing, with Untangle. As a matter of fact, the policy routing is mostly paid features on there, so make sure to set that to paid. But policy routing on the USG: no. This is where you can do it via command line. It's not an option at all on the UDM, not even any command-line documentation, and it's command line again over here on the EdgeRouter, but once again you're writing rules by hand, and it's fuzzy on the USG and USG Pro whether or not those rules survive upgrades. I've heard they don't, but like I said, we don't help people with them because we don't find them very well supported and they'd be problematic at best.

IDS/IPS, intrusion detection systems and intrusion prevention systems: Suricata or Snort, both are supported in a very advanced way inside of Netgate pfSense. Untangle has this as well. Untangle is hiding it, but they're using Suricata in the background. I say hiding it, but really what they're doing is giving you a very basic interface, while at the same time feeding it all through their intelligence feeds to bring it in here.
So they do a nice job of essentially hiding it so you don't have to dive into the details, but they do offer threat lookup and advanced management so you can fine tune all of the rules that are within there. Same thing when we go over here to pfSense: they give you all the options to fine tune exactly how you want Suricata, for example, or Snort to handle things, and then even give you the option to push that data over to another output. For example, we have it set to create JSON logs and push them over to syslog. There are a lot of ways to tie this in. So there are very advanced levels of management when you get over here, but when you get down to the way it's handled in the USG and the UDM, their threat management systems are just some basic checkboxes and restrictions. They don't give you as much fine-grained control over how they're doing it. There's not a lot here. It works, and once again it checks the box that makes the marketing people happy to say they have it, but it's not really any more than a very basic system for doing that type of work.

DNS filtering: pfBlocker is one of the most popular packages for pfSense because it allows you to load up your own feeds, filter sites and everything else. There are filtering options within Untangle. They have their own ad-blocking system that works and can be tied to their policy. As far as I know that's paid; I think some of the basic features work without paying, so I left it just as yes. But that's not a feature on the USG. On the UDM Pro it used to be a beta feature, I remember, but right now it looks like, after one of the updates, they took DNS filtering out altogether, and it's not an option on the EdgeRouter. GeoIP filtering, so you can restrict by geography: this is something pfBlocker does. This is something Untangle can do. Over here it's just listed as a beta feature, but once again it's pretty basic.

Web filtering and SSL inspection.
This is one of the number one reasons people start us down the road of recommending Untangle. If people need really advanced SSL inspection and web filtering, and detailed granular permissions on websites for who gets what blocked, where you want to block a certain category based on a certain computer or user, this is where Untangle has just a really nice system. Now, you can do a lot of that with Squid inside of pfSense. I have a video, an older one, where I rant about why I don't like Squid, because it's just troublesome and cumbersome and not as simple to use and set up. Not impossible, but much more difficult and very much a challenge. It's not something you can just set and forget; some sites may break, some sites may need updates, it needs some fine tuning. But this is one of the things you're really getting with the paid version of Untangle: a really clean filtered list and a really simple, easy-to-use system. It's one of the biggest reasons that when people say "I really need endpoint protection in terms of filtering what websites a device can go to, but I don't want to load anything on the particular device itself," Untangle is an option. If you want it to be really good, you want SSL inspection so it can peel back that layer of security, and the SSL manager in Untangle allows you to do this. So you can load the SSL manager; I've done this in a video before. Untangle does a good job of making that pretty pain-free to set up and manage. With pfSense it can be done: you can set up SSL certificates and Squid to get some information and deeper insights, but it's, once again, a lot more work to get it done and I would not call it easy. But your mileage may vary on that. Some people may argue with me and say it's easier, but let's just say it's not simple. Take a look at what's involved in getting that done; read through some of the write-ups.
It is not a feature of the USG Pro; very basic DPI but no SSL inspection is all you're going to get. So they have some basic DPI filters but not a lot of detail. Maybe it'll block something you want, or maybe it will just block it globally. It doesn't give you fine-grained control over it. Like I said, it's not very advanced, just enough to get the marketing box checked.

QoS, advanced traffic shaping options: yes on Untangle, yes on Netgate pfSense. It's kind of on or off; there's this basic on or off when it comes to these ones here, and it's via the command line to be able to fine-tune anything on the EdgeRouter, but it's still kind of limited what options they have built into it.

WAN failover: yes on pfSense, multiple WANs, as many as you'd like. Same thing here with Untangle, but it is a paid feature. So if you're using the free version, sorry, you don't get WAN failover. It does work on the USG Pro. It works on the UDM Pro because it's got multiple WAN ports, and the EdgeRouter could be configured that way. But when it comes to actual load balancing and figuring out what traffic under certain thresholds needs to go out another WAN, no, that's not a feature you're going to get other than something very basic in the USG, and I believe it's command line you have to configure on that. It's not a feature at all currently, in May of 2021, on the UDM Pro; maybe in the future. I've heard people mention it's been a feature request for a while, but I don't know when we're going to get there with it.

Active Directory integration. This is not something that is exactly native, where you're talking directly to Active Directory; you're actually talking through LDAP, but it does connect. So whether you're using pfSense or Untangle, there are ways to get these talking to Active Directory. Untangle actually builds in a lot more features for this because they tie it into their policy manager, so you can really go in depth with the way everything works on there.
It's a little bit more challenging to do on pfSense, but it is possible to get that on there. I'm not aware of any integrations you can do on these. Maybe you could tie it to RADIUS, but it's nothing officially supported, so it doesn't really tie in all that well. This is often where there's a problem: if you want OpenVPN with users, you usually want to tie it to wherever the centralized management of those users is, and for many businesses that's Active Directory, and that's not something easily done in any way on a UniFi device.

Captive portal. I put it separately on here, where I say UniFi SDN, even though the UniFi SDN is technically part of the Dream Machine Pro, because wherever you have the software-defined networking controller running is where the captive portal actually talks to. And of course, yes, it's supported on Netgate pfSense and Untangle. Untangle, back to what I mentioned about Active Directory connectors, has ways to tie users from your Active Directory in there for some of the authentication. But that's not something supported at all on the EdgeRouter.

Now, the final parts are Let's Encrypt and HAProxy. I bring these up, and it kind of stands alone on the Netgate pfSense side. When you're running HAProxy, Let's Encrypt usually goes hand in hand with it, because a lot of people, especially those building a home lab, go, "Hey, I'd like an endpoint termination; I need SSL on here and I don't want to click through certificate errors for servers I have hosted behind the device." As a matter of fact, if you only have one public IP and you have multiple services you want to point at it, HAProxy can not only handle that termination but then direct to each server internally where that needs to go.
This is a popular use case, and maybe even in higher-end configs where someone puts a pfSense in a data center or in a colo location and you'll have the pfSense forwarding to multiple servers behind there, or in a small business situation where they have a few internal servers and you tie it all to the LAN, but they don't want any certificate errors when they're using their many internal servers that have web interfaces. This is just a cool standout feature to me that I really enjoy on pfSense. It's so handy to set this up, and especially for people building a home lab this becomes popular: all their different servers, even if they're not public facing, they can set this up, and I've got tutorials on it, so you can manage them without having certificate errors. It's kind of a fun thing to play with, how all that works.

Now, in conclusion: as I said, when we talk about the USG and the UniFi Dream Machines, we don't recommend them because of all the things I mentioned. All that extra functionality that people with advanced uses want, where they go, "Hey, I'd like to have these things working," works so basically that it's almost useless. For people who want just basic routing: is it better than what your ISP offers? Sure. Will it route packets? Absolutely. That's something it seems to do quite reliably. It's all the VPN and packet inspection and everything else that becomes not so good with the UniFi USG line.

The final thing I will mention, though, is the dashboards. All these firewalls do have dashboards, but whether or not you can get actionable or detailed intelligence from them is another spot where we're splitting hairs. When you look at the dashboard on the UniFi Dream Machine here, you see 9.3 megs of HTTP traffic, or we can go here to look at apps and see how much data was moved.
The first problem you run into trying to sort any of this out is there's no time slicing. Without time slicing we know data was used, but without knowing what time it was used we start losing the quality of this data in terms of being useful. You start realizing it's just a really cool chart at some point, as opposed to something that's actually actionable and helpful. And as things get more and more encrypted, it has less insight into what that traffic is and where it went, so it becomes fuzzy. Now, it does have a clear button where I can reset the stats and start over, so as long as I remember when I hit clear I can try to time-slice it, but you can see that's not the most ideal situation.

Untangle, on the other hand, when it comes to reporting, is extensive. They have a great reporting system that can dive into users, events, captive portal, firewall, OpenVPN and all kinds of stats. I've talked about this when I did my review, and I'll leave a link to that down below, because there's not much in this device, since this is just the demo I turned on for today.

Now, pfSense has some pretty good reporting. The best reporting from pfSense, once you want to get really advanced, is often where you export this into a more extensive system. There are plenty of tutorials on that. But I think the pfSense toolbox they offer under Diagnostics is where it is a standout Swiss army knife of network engineering: being able to do packet captures from here, being able to really slice things up, or look at pfTop and look at every little connection in there. This, more so than even a dashboard, is the actionable intelligence you can gather by diagnosing things. We've got traceroute, ping, looking at the route tables, diving into the limiter info and looking at how the data flows through.
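As an added example (not from the video, Netgate or the Untangle project), here is one way the Suricata JSON alert export from pfSense mentioned earlier, once collected on a syslog server, gets the time slicing that the Dream Machine dashboard lacks. The EVE-style log lines are constructed samples, and the TEST signature names and IDs are made up for this example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample lines in Suricata's EVE JSON shape (not real traffic,
# made-up TEST signatures). One flow record and one truncated syslog line
# are included on purpose so the parser's skip paths are exercised.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-05-10T14:03:21.123456+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51515,"dest_ip":"192.0.2.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"TEST Inbound SSH scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2021-05-10T14:07:02.000000+0000","event_type":"flow","src_ip":"192.0.2.20","dest_ip":"198.51.100.7","proto":"UDP"}',
    '{"timestamp":"2021-05-10T14:12:45.500000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51616,"dest_ip":"192.0.2.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"TEST Inbound SSH scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2021-05-10T14:31:09.000000+0000","event_type":"alert","src_ip":"192.0.2.33","src_port":40231,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"TEST Outbound DNS to sinkhole","category":"A Network Trojan was detected","severity":1}}',
    'May 10 14:35:00 fw suricata: {"timestamp":"2021-05-10T14:35:0',
    '{"timestamp":"2021-05-10T14:40:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51717,"dest_ip":"192.0.2.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"TEST Inbound SSH scan","category":"Attempted Information Leak","severity":2}}',
]

# EVE timestamps look like 2021-05-10T14:03:21.123456+0000 (fraction optional).
_TS_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")


def parse_timestamp(text):
    """Parse an EVE timestamp into a timezone-aware datetime."""
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised EVE timestamp: {text!r}")


def parse_eve_line(line):
    """Return (timestamp, event) for an alert record; None for anything else."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # truncated or non-JSON syslog line
    if not isinstance(event, dict) or event.get("event_type") != "alert":
        return None  # flow, dns, http, stats ... records are not alerts
    if not isinstance(event.get("alert"), dict) or "timestamp" not in event:
        return None
    try:
        return parse_timestamp(event["timestamp"]), event
    except ValueError:
        return None


def bucket_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-width window."""
    if window_minutes <= 0 or 60 % window_minutes:
        raise ValueError("window must divide an hour evenly")
    floored = (ts.minute // window_minutes) * window_minutes
    return ts.replace(minute=floored, second=0, microsecond=0)


def summarize_alerts(lines, window_minutes=15, max_severity=4):
    """Count alerts per signature inside each time window.

    Returns {window_start_iso: Counter({signature: count})}. Suricata uses
    severity 1 for the most serious alerts, so max_severity=1 keeps only those.
    """
    summary = {}
    for line in lines:
        parsed = parse_eve_line(line)
        if parsed is None:
            continue
        ts, event = parsed
        alert = event["alert"]
        if alert.get("severity", 4) > max_severity:
            continue
        key = bucket_start(ts, window_minutes).isoformat()
        summary.setdefault(key, Counter())[alert.get("signature", "?")] += 1
    return summary


def top_signatures(summary):
    """Overall signature counts across all windows, most frequent first."""
    total = Counter()
    for counts in summary.values():
        total.update(counts)
    return total.most_common()


if __name__ == "__main__":
    result = summarize_alerts(SAMPLE_EVE_LINES)
    for window in sorted(result):
        print(window, dict(result[window]))
    print("top:", top_signatures(result))
```

Pointing the same functions at a file of real EVE lines (one JSON object per line) and changing `window_minutes` is all it takes to ask "what fired, and when" instead of reading a lifetime counter.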
These are some of the things that I think they do a great job on with pfSense, but like I said, it also has plenty of export options if you'd like to send the data somewhere else, into some other capture tools, to make some really cool dashboards. There are a few unofficial projects out there, not from pfSense, or just different places you can export things and get the data out. So that's kind of our overall recommendation on them.

The other thing I'll mention, because someone may ask, is what about OPNsense, because if you say pfSense people ask about OPNsense, which is also a very popular project. I think OPNsense is definitely better than probably whatever the ISP provided you. I don't have enough reason to use it. It doesn't compel me enough over using the pfSense offering. We've been supporting and doing a lot of projects with pfSense for a long time, but if you'd like to substitute OPNsense for it, feel free. There seem to be plenty of happy people. They love commenting on every pfSense video to let me know I should do a video on it, but I don't really plan to at this time. It's not a compelling use case, and it is a fork of pfSense with a lot of similarity. So yes, you'll probably find a lot of feature parity as far as what's supported on there, but that's kind of my point: it doesn't go so far beyond pfSense, with that much more of a compelling experience and all the features, to make me go "I need to switch from pfSense." Now, I will mention the WireGuard part. OPNsense does have WireGuard using the Go implementation, and the WireGuard coming in pfSense 2.6 is done with the kernel integration, which would be a lot faster. So hopefully that clears that up. And like I said, this is not an exhaustive list of every firewall. There are plenty of other really solid firewalls out there; I just don't have time to review all of them.
These are the ones we use, and we have had wonderful experiences using them. That's why we keep recommending them, here and going forward after May of 2021. That's what it is today. I bring it up because there could be some time in the future where there's a bunch of flaws, and truth with context is always time-based when it comes to any technology, because who knows what the future holds. I know what they've done in the past, and I'm hoping they continue on a track like this in the future.

All right, thanks, and thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to LawrenceSystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly. So check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.