Welcome to The Homelab Show, episode 93: homelab firewalls. But we will be talking, and because we like taking and hearing the feedback from you, I think we only have one feedback question we'll be answering in the beginning here, but it's sort of the format we want to do to help encourage feedback. We will read it; it's a really simple but very common question. There's a reason we haven't done an episode on it, right, Jay? Yeah, there's more than a few, yeah, yeah. Um, but today we're going to be debating about firewalls, talking about some choices. This comes on the heels of me having a video about firewall comparison, and I wanted to narrow it down for homelab so we can change the scope, because I did our broader-scope video. Hey, that video is linked down below. But let's narrow in scope some of your homelab discussion around firewalls, and we're talking about a couple of things that are up and coming as well in this episode, because I've got another video on the release, but it's something that the homelab people might be interested in.

Before we dive into that, let's thank our sponsor, and that is Akamai. They have been a sponsor since they were Linode. That's how I should start reading that: they've been a sponsor since they were Linode. They've changed names, but they've kept on track. Matter of fact, I actually just did a video with them. They're still moving forward. They're very good, dedicated to the community.
That's actually something we've been optimistic about, and they've held true to it, so we thank them for being a sponsor. They're a great place to host things. Still, they actually have more features than they had when they first started; they give you some of those back-end CDN features that came when the Akamai and Linode merger happened, or acquisition. So they are awesome for running things you don't necessarily want to run in your homelab, or some of those things that you kind of need running in the cloud and not necessarily in your system. We have an offer; go down below to get started with them, and we thank them for being a sponsor of the show. Yep.

All right, now the question comes up persistently, both in the live chat and in the questions, of people looking for the alternative, as if we're holding back a secret from you. There are tools out there for doing this, but none of them are great. And that is: how do you do user management? User management, pretty much in a business world, is going to be fully all in on Active Directory. There are very few exceptions to this. There are services like Okta, and, you know, people getting things like, even us, we're using Google authentication with OAuth for some things. So there's, or Google, what are they calling it, G Suite, Google Workspace, whatever Google's calling it this week. Yeah, I don't know what it is this week, I think. But this week, I'm not sure.
Yeah, we just know because they make money with it; those are the ones they don't kill. So it's a Google service, but managing users is tricky. Pretty much once you get into the enterprise, though, for compatibility reasons, it's all in on AD. I think people always wonder why there's not just a Linux equivalent, and there's a lack of drive for it, because when you build... and as Jay would always like to point out, Ansible is a great way to manage your service accounts and things like that inside your massive amount of configured Linux servers, which means you're not going to be dealing as much with user management. You're thinking from a service account standpoint and having accounts created automatically by Ansible. So LDAP and things like that exist; they're just not as popular or as deeply integrated for user management. And by the way, Linux has bowed down to having compatibility. I can't remember if you did a video on this, Jay, or not, but about how you can tie Ubuntu to Active Directory. That's on my list. That is one of the number... you were testing it? Yeah, I was testing it, and I don't remember what I ran into, but that was one or two versions of Ubuntu ago, so I'd guess it's probably been fixed.
So I'll take another look at it. Yeah, so once again Linux kind of leans into that when you do need user management that way. But as more and more things become OAuth in more of your... what websites you're logging into, even for many of the service accounts that we have for my business, it's how more things are going, so it's even less of an issue, so to speak, from a user management standpoint, because usually it's just a local user on the system. Yeah, I think the last little change is the industry moves away from Active Directory, but it's going to be a very, very long moving-away process. That's going to take, you know, a number of years, to say the least. But, you know, as you're saying, with these new technologies and everything, and the industry moving naturally toward other things, it's just going to be a natural phase-out over, I don't know, 10, 20 years. I mean, they're in it for the long haul. Microsoft, their solutions, they stick around for a while. You know, yeah.

Um, quick news announcement. So last week we talked about Proxmox, and I was mostly starting to say it about the dark mode, so screenshots people share are going to look better. Obviously Proxmox did more than dark mode. But this week it's XCP-ng; this year it has released quite a few changes, including, in a video that I'll be releasing later today on my channel, a VMware import tool that automates the VMware migration process. And yes, it's part of their open source package, and yes, it's available to homelab users who compile Xen Orchestra from sources. So that's kind of a big announcement, because people have always gone, "Well, I want to get off VMware, but I have to clone these VMs and things like that," and I get it. That's me: if you have 30, 40 VMs, that's 30, 40 VMs, and you can do... and we've talked about Clonezilla and other tools to clone it from point A to point B, but that incurs downtime.
Maybe not as big of a deal in your homelab, but now you can connect and migrate, and I say migrate, but actually they're copies. You're not doing anything destructive to VMware. But when the migration works, you can shut down your VMware, retire it, and use that hardware for better things. So that's kind of exciting on there for people that have been looking for an excuse to look at alternatives like XCP-ng. That VMware import tool is pretty cool. So, yeah, I remember, I don't know if it's still a thing, the VMware tool P2V, for physical to virtual. So did they call this V2V? They probably want to get them upset today. They call it V2V, but it has two meanings. This is what... so Vates is the company that supports this open source project, so they call it, you know, virtual to virtual, or VMware to Vates. Kind of like that other name there, VMware to Vates. Okay, we'll go with that. Hmm. Yeah, nonetheless, it's cool. There's a lot of innovation going around on that side of the house, so I figured I'd share the knowledge here, because I know at least a few of our users are probably using that as a tool.

Or Jay has his entire video series on OpenStack released. So if you're also looking for that, and people want the deal, we've done a talk on it here, but it requires... how many videos in your series is it, five or six? Well, six, but they're longer ones. I could have stretched it out longer, but each one is a decent amount of time. So if you're looking for another thing to dive into, Jay's got a great series on OpenStack, because I know people have asked about that tutorial. And Jay, I was like, me and Jay are friends, so we talked behind the scenes. We know the effort that went into making that series.
It was a stretch. There were two nine-hour recording sessions toward the end that were especially fun. But, you know, that's just how it goes: you rehearse it over and over again, and then, you know, just like in the real world, when you're working and you have a deployment at work and you run through the test and then it just bombs. Sometimes that happens during a recording session and we have to figure things out. But you don't see that; we spare you from that part of it, right?

Okay, let's dive into the topic of firewalls, and boy, this was a... I think there's like 300 comments on that video I released just a couple of days ago, because it's a hot topic. It's not quite the argument that people have about their favorite distro, but I would say it rivals it in terms of engagement: everyone has an opinion on what their favorite firewall is, and I'm not immune from this. I have a firewall I like because I know it. That's one of the things that's going to be very important on here. Now, if you're just choosing, that can be very hard, because you don't know any of them. You're like, "I'm just getting started." But from the perspective of the things you know, I get the reason you want to stick with it. Just like I love staying in the Debian world for distros, because I'm used to the apt-get commands and it makes it easier for me to configure, I stay a lot with pfSense because I know it very well, and there aren't any shortcomings it has that I have this deep need for. And this also is really important, because the firewall you know is the firewall you're going to configure better, and you're less likely to leave yourself hanging out open because you don't understand it. This is where, even in the enterprise space, people... you know, sometimes it gets handed down to them through policy, like, "This is what we're standardizing on." But if you have users improperly trained, you can also end up with users, I'm saying users but actually their systems, ending up, if they
don't know this material very well with this particular new brand of firewall, and they aren't properly trained, they can end up misconfiguring it, having rules that allow things that shouldn't happen, etc. So just a few considerations to take in there.

Now, I have an entire list from that other one; it's linked down below so you can look at the spreadsheet of this, and I'm going to change it up a little bit, because there are probably a few features I talked about in there that are less interesting to the homelab people, but it's definitely more interesting that I add a couple of other topics on here. One of them is going to be documentation. I didn't really want to dive into that because it kind of sent me off topic, but hands down, one of the reasons pfSense... and I'm not just saying this because I'm somebody who has a lot of videos on the topic, because I'm certainly not the only one with videos on this topic... pfSense is one of my favorites because of documentation. There are so many write-ups, not just the good pfSense documentation, but if you Google how to do something in pfSense, there are tons of people who have blog posts and write-ups that dive into how to set something up. And you can run it on your own hardware, pfSense being pretty much well supported, especially with the latest releases based on FreeBSD 14. So the Community Edition 2.7 is just around the corner for release as of April 2023, which it is today; you can get the pfSense Plus edition. That one is, you know, based on FreeBSD 14, so you've got better driver support than you had previously. But running on your own hardware, combined with easy-to-follow documentation, not just my videos but many other people who make videos and details on it.
It's so much easier to get into. That is basically why it's such a popular firewall, and it works really well. And that's one of the things that, you know, I'll disclose my bias towards it up front, but it's not the only firewall we're going to talk about.

Now, one of the other features that makes pfSense popular, especially in the home user and homelab market, kind of a combination area, is it's really well supported with privacy VPNs. I did not have this as a category, but I'll be mentioning it as I talk to you about some of these firewalls. So some of the challenges are setting up privacy VPNs, especially when you want very granular policy routing. And this is obviously popular for a lot of reasons: sometimes for privacy, hence the name privacy VPN; sometimes it's because you're dealing with restrictions of content and weird rules that are beyond your control, but there's a VPN service that kind of puts you back in control so you can pop out of another place and have that IP address. This is one of the things that, um, is, I think, you know, easy to do in pfSense and pretty good. So that's the first one I'll mention in terms of firewall. But I'm bullish on pfSense, and as I said, I'm a little biased because I do like it.

Um, OPNsense, I'm going to give it an honorable mention here. I don't have any problem with OPNsense. They forked a long time ago. The differences are still there, but they're both based on BSD; they're both based on the pf filter system. I don't have any reason to tell you not to use OPNsense. I tested it; I didn't see any major issues with it. Some of the homelab people particularly like OPNsense because of the frequent updates. It always has package updates. Now, package updates are not always because of security; they're because of features, sometimes just enhancements.
They may do... and this has been a complaint with pfSense from the business standpoint, from managing pfSense: I'm happy when my firewall doesn't have a ton of updates that could potentially cause problems. pfSense is on top of security updates, so just because the pfSense Community Edition has not had an update recently does not mean it's insecure. This is where I get people's conflated arguments on this all the time, going, "If it hasn't had an update, therefore it must be insecure," and that's actually not true. The team over at Netgate that develops pfSense are very careful what they compile. Matter of fact, when there were certain bugs found, I think it was in one of the DNS systems a while back, their answer was really simple: "We don't compile that feature in because it's not used in pfSense." The ping feature that was a problem in BSD, once again, not something they even were worried about. So could you use ping to possibly have that ping vulnerability? There's a way you could turn it on, but it's not even used in what they call their dpinger system. So they're very careful how they implement things, and that means a lot to me. I can't say as much for OPNsense; they're always pushing packages. I just don't know. I don't know their platform. But I'll give them a mention. If you want to use it, I'm not telling you not to. I just know they have more frequent updates, and they have a few other packages that are different than what pfSense has.

Now, one more thing on that list. I think this is supported by both OPNsense and pfSense, and that is going to be Tailscale. I think there's... I've seen some write-ups; I don't know if it's native in there, but Tailscale is really popular with home users that are looking for easy VPN. pfSense, of the firewalls we're going to talk about, is the only one on the list that I know has, like, official package support for it.
I've done videos on Tailscale. It's a great way to get back into your network, which is sometimes an important thing, especially if you're stuck behind CGNAT. Tailscale will punch through that without having to open up anything on your firewall, so that's definitely a good feature that's in there.

All right, moving on to one of the other options, and I'll jump right to it; I see people have asked about it. It's the Sophos one. Now, Christian Lempa, I believe he actually works for Sophos now. He changed his Facebook... Yeah, he changed his profile. He must have got a new job working there. So I now know why he's so... uh, he liked it before he worked there, if I'm not mistaken, because he's done videos on it over a year or two ago. I'm going to defer to him as far as any video creation on it. But the Sophos firewalls are something that's popular. They have a registration you do, and you can get a license for free. There are some limitations on it. That's, um, you know, in my sheet I link right to their home registration page, but their home user free edition has a ton of features. Sophos has got a lot of things you can do with it. Now, Sophos kind of has a reverse proxy, because they do have, like, a web application firewall in there. Um, they do have... and I said this in my video a little because I was confused, as Christian Lempa actually... it said no, but the answer is yes: they do support Let's Encrypt certificates on there. Uh, but Sophos is a pretty full-featured firewall. Now, I lack experience using it to tell you how good or bad it is in practice, because this is one of those things where you can run into a challenge when you're trying to describe a product: the features that make marketing happy, like marketing people said it does this, this and this, and then you get into some of the nuances. And I'll not relate it as much to the homelab world, but I had FortiGate on there. Um, one of the problems is FortiGate.
I said no originally to their reverse proxy. Then someone pointed out it was a yes. Then a friend of mine DM'd me who's a FortiGate person, like they're a reseller and have hundreds of these things. He says, "We absolutely don't use it, because the reverse proxy is hot garbage. It's all command line driven, and you have to copy and paste certificates in." So how do you consider that usable? And I'm like, "That doesn't sound very easy." He goes, "It's not manageable." I say, "Does it work?" "Yes." So you could check the box, yes, but it's not used.

Coming back to Sophos, I can't really speak in depth. Someone did leave an interesting comment about, like, Sophos supports BGP, but how they support it: they couldn't do more advanced BGP routing across multi-WAN on it. So there's some problem with the way it announces BGP routes, according to some of the comments that were debated, as I said, in my firewall video. So once again, Sophos, I don't see a reason not to use it. You do register with them to get the free edition, and, you know, it seems pretty popular amongst people. So I threw it on my list. The majority, I would say, like it. That's where I would probably leave that. Fair enough. Yeah, they seem to have a... you know, at least they are supporting the home user market.

Now, another one that's on that same list of supporting the home user market, and they do have a free edition... so they have a non-home-user edition, but they actually have a relatively cheap home user edition.
I think it's called Home User Pro. It's like a hundred dollars or a hundred and fifty dollars a year, and that's Untangle, which was bought by Arista. So they call it Arista Edge now, but it's still the Untangle interface. They rebranded it all, but it still seems to be... we still sell these. I can't really tell any major differences. Um, even the pricing hasn't really gone up or changed since Arista bought them. This firewall is a little weird in terms of UI. We have a handful of these deployed and managed. The big thing that home users are going to like, and this is going to go towards Sophos and Arista, but something pfSense is utterly lacking, is going to be good web filtering. Now, I'm not big on web filtering at the firewall; I'm usually focused on the endpoint. But for home users going, "Hey, I want to block my kids from going to XYZ site," you're going to get a better experience out of the Arista Untangle system or the Sophos system than you will out of pfSense. The problem is pfSense is terrible at SSL inspection. Yes, it has it. This is a box that's checked by pfSense, but it's not something that's good. Managing things through Squid is a headache. Um, I don't recommend it. So that's one of those "check that marketing box that we have this ability to do it." But have you ever done Squid management, uh, Jay? Nope, I haven't looked into that. So, yeah, not very familiar. Don't waste your time with it. Basically, you have to create some certificates and you have to install those certificates. It's somewhat of a manual process inside of pfSense to get those certificates and put them in each system so the SSL inspection can happen and get things unwrapped. They've made it a little bit easier on Untangle Arista, but the Arista Untangle system also can just do DPI. Now, DPI means we're just going to identify some of the layer seven traffic and apply some rules to it.
They've done a nice job with that, making it relatively easy in the Arista system. So I would say, if web filtering is the top thing you're looking for, um, I'd throw Arista on that list there if that's something you really like. Now, as far as the way the rules go, take a closer look at that web interface. It's weird compared to pfSense. They try to make, like, an if-then statement out of the rules, the way you chain them together. It's a little bit of a learning curve, or if you're just starting out with firewalls, maybe it's not a learning curve, because any of them are a learning curve. So I will say: weird interface, but also nice reporting. Uh, so that's not bad.

Now, pfBlocker being inside of pfSense, because I figured someone would bring it up, and I have... um, it's nice because you can use Pi-hole-level, uh, Pi-hole filters in there. Now, that's not granular. That's not like, "I'm going to block this site for this user only," but it does give you some ability to sinkhole ads and things like that, much like you would in Pi-hole. And of course, with any of these firewalls we talk about, Pi-hole's a separate project, popular in a homelab. Yes, you can set this up. So, oh, that's pretty good.

Um, oh, I'll bring this up real quick because I forgot to put this on my list: Firewalla. I see that as a consumer product. It was a Kickstarter campaign that seemed to do well. They have some filtering tools. Stacey on IoT, if you type in as a search "Stacey on IoT Firewalla," or if you look at my firewall video, I linked to her notes. Um, she's done a couple of reviews of it. It's very much a consumer product that you set up with a phone. My understanding from anyone I've talked to who's used these, and I just don't really have the time to dig into them: they're very consumer friendly, but they're very limited in features. So I think homelab people would just outgrow these really quick. They're usable.
They're not... once again, it's not something to say "do not use this," but their limitations and features are just kind of that. But to the upside, and something that Stacey on IoT and her write-ups reported, like, "Hey, it's kind of cool to be able to manage a firewall from your phone, so you can just slide a slider and block the kids from something." I mean, you know, very home user friendly, not advanced routing or advanced learning friendly, and maybe that's not your use case. So once again, not something I'm going to tell you not to use, but just think about the limitations, because it's kind of a consumer-facing device. Also, the weird, weird to me, that it all works through a phone app. It doesn't have a web interface on it. When I say phone app, I'm not saying that's an add-on. The first step on setting up your Firewalla is loading the app on your phone to get it set up. So that's... Oh boy. Yeah, which is awesome for consumers. Um, probably less, um, you know, for homelab people going, "Huh, you know, it's a little strange." Yeah.

Uh, I just did see people asking about HAProxy. HAProxy is inside of pfSense. I've done videos on it. Um, there are debates of where you should run your reverse proxy. There's a lot of convenience having it right inside of pfSense. Uh, but, you know, what do you use for reverse proxy, Jay? So I have an LXC, or "lexie," I keep saying it wrong, container. So it's just NGINX on a container that I just have for it internally as needed. Yeah, so there are other tools. There's also Caddy. There's, um, there are a lot of different reverse proxies, and there's always a debate about which one's the best one. Um, I like, because my DNS and my HAProxy and my Let's Encrypt certs are all controlled within my pfSense, so I have it all centrally managed. But people like to run it in a separate VM, but I like the fact that HAProxy is on there. I see, oh, Traefik. That's the other one I forgot a lot of people love, uh, Traefik as well.
It's got a cool logo. So now a couple of things I'll mention, though. The, uh, Arista one, their OpenVPN is nice, but they actually build in the privacy VPN in a neat way. Instead of having to go through the, a little bit more complicated, setup I have for privacy VPNs, they have, um, PIA, I think they have a couple of them, PIA I know is in there because I've tested it. You can just put your username and password to one of those privacy VPNs and it sets it up. You don't have to actually do the whole configuration; they put it in as part of the back end. So if you go, "Hey, I have PIA," it lets you pull down and choose the location. That's pretty slick. It's really easy to do. There are import/export tools for things like that. They also, for WireGuard, have the QR code to tie your phone to it for WireGuard. I thought that was kind of cool too. Um, because both pfSense and Arista have WireGuard. Sophos does not support WireGuard, not that I know of. I did not see it on their list. I don't know where that is in terms of, you know, if it's on there. I don't think they have WireGuard. Let me double-check my list. Yeah, your list doesn't show it. I think WireGuard was a no. I don't know. Yeah, it's a no for Sophos. I don't know where it is on a roadmap. I couldn't find anything on there. So if you're really looking for WireGuard, come back over to pfSense, and I'll throw out the first... I know OPNsense supports WireGuard. Um, the same, so WireGuard is on both of those.

Now, this is where things get complicated. We're going to talk about UniFi. Yeah, the first problem with the UniFi... first, homelab people, almost always, if you're doing anything intricate with firewalls, you feel as though you're going to outgrow the UniFi firewalls. But they're getting better to try to keep people on their platform, and this is where things get complicated. Cody from Acto Com Networks, he's a friend of mine.
He tells us a lot in his videos. Oh, the problem with it, the big challenge with the UniFi ones, and like Cody says, you just got to read release notes to try and figure out what features are or are not supported with each release on each model. Because you can't just read the release notes; you have to go down to the bottom where the little asterisks are: "If you have a UDM Pro SE, this is supported, but if you don't have the Special Edition, it's going to be supported in the future." And this is what gets confusing. I don't know why UniFi does not have a good chart anywhere that I can find to compare their UniFi Dream Machine, Dream Machine Pro, Dream Machine Pro SE, Dream Wall, and their USG or UXG models, and break it down. So this was harder to research, and even when I put it together in a spreadsheet, which, you know, I wish UniFi would do, I had to put some asterisks, because it depends what version you're on of the software.

Now, they finally... I made a video poking fun at them. I called it "The Weird Way UniFi Does VPNs." This is where they've gotten better, and they're trying to invalidate my video, which is ultimately what I'd love them to do. Like, when they said they had WireGuard, they weren't wrong, and they said they had OpenVPN, and they weren't wrong, but... and what those "buts" are is you wouldn't be able to set this up inside the firewall. Normally, like, you think, "Oh, I'm going to go to the firewall and use the interface of the software to manage it." No, they wanted you to go to their website called UID, register with their cloud account, then the cloud account would then talk to the UniFi system to generate the config file and pull it down from the cloud account. No other... well, I can't say no other; all the other VPNs I mentioned, you're doing this inside the VPN setup inside the firewall. That makes complete sense to me. I'm configuring OpenVPN or configuring WireGuard.
It's going to create all the things I need, and I'm going to pull a config file so I can set it up on other devices. UniFi went about it in a weird way, because they were trying to get you hooked on their UID service, which is just weird to me. Um, it made things complicated, and the way they had implemented it means it was not easy for you to set up or follow a tutorial, or just connect your external devices to. Now they're coming around the other side and going, "Oh, look, we have OpenVPN in a different way." Awesome. They still haven't figured out policy routing very well on this. Their policy routing is, uh, very basic. For example, they added WireGuard in one of the latest releases, but they still don't have an ability to do a site-to-site with policy routing on WireGuard. Well, where someone may split hairs and leave comments going, "But Tom, I can go to the command line and modify all the files, because it's just a Linux system under the hood." Which of course means the web interface, if you change things, will probably overwrite your config, and one of the reasons we don't offer support for rewriting the config files from the command line is because they'll get overwritten if you use the web interface. It's kind of a messy way to do it, but they're getting better. They are not a terrible firewall from a functionality standpoint. They do have some DPI, so you can do some restrictions on them. And I really like the UniFi ecosystem in terms of having everything under one roof, because I'm huge on their switches and their access points, and, hey, why not just get one of their firewalls?
So we have a whole workflow, except when I need VPN support and things like that, it starts falling flat. But they're doing better. But "better" is a subjective thing. Their documentation is still lacking to figure out which features are supported on which models. So that can make it also a higher bar to entry, because you're like, "I heard they support this, but which model supports it?" Finding that on their website is not easy. Make sure you understand your needs and understand the support for the different models they have prior to purchase, and make sure it's a version of software that's out, not an upcoming feature, because they've been promising since last year to fix the WireGuard problem on the standard UDM Pro. It's finally in beta right now, and we're in April. So... Well, yeah, so they're getting there, but they don't offer projections or timelines. So that's one of those really big challenges with them: without the projections and timelines, it's just hard to say when they're going to get it. So that's probably good advice for any software you're buying: buy it on the features you know it has, not the features they promise in the future. Yeah, just like we've been burned on native Linux game support on several games, many times, I think we've been burned on that.
Yeah, yeah, yeah, same thing basically. Yep.

Now, one more mention, because this was not on my list, but what do I think of it, and that's going to be MikroTik. MikroTik is kind of niched into a few spots. We do consulting, not on MikroTik, but we do consulting with, like, different setups, um, for enterprise companies, and we'll see it in, like, the WISP market. That seems to be one place we see a lot of MikroTik, and you'll usually find some MikroTik engineer who's really good at it. The problem with MikroTik, and this is why so many people ask me to do videos on it, is because they're like, "The documentation is bad, Tom. We need someone to make good videos on it." And this is where it gets to be a challenge, because without good documentation, how does Tom make videos on it? Plus, I just don't use it that often, so I'm not taking the time to learn the intricacies of it. You know, and there have been tons of forum debates on there, because even the way... I saw it in the comments, it made me chuckle when someone had this quote. There were a couple of debates that went on in my forums about this: MikroTik's that device that always has some secret incantation that you'll copy and paste out of their forums, that we don't know what any of these commands do, but we know if we paste them in, our MikroTik will start doing the thing I wanted it to do, and then we just back up the config and are happy it works. I think their price point is what really drives people towards them. They pack a ton of features in there, but they're very... that steep learning curve. Now, SwitchOS, on the other hand, this is what's kind of cool about some of the MikroTik, because they have firewalls, they have switches. Um, if you switch over to SwitchOS, and I've talked about this before, I have videos on this topic, SwitchOS is a lot easier to manage than the RouterOS. They have a thing they call RouterOS. And for switching and just setting up VLANs,
I think MikroTik's not bad now. They're not as scalable for management unless you start building command-line tools to do it, and you can; there are ways to do that. It's not anywhere near as friendly by comparison to the way UniFi does it. So MikroTik, it's kind of running up there if you want to learn it, but you've got a lot of learning curve on your hands, and you may or may not run into it a lot in the enterprise world. We just don't see them all that often, but in markets like WISP, where there's a very limited budget, we will see a lot of them, because a WISP is one of those things where providing wireless internet services is not the most profitable thing, so that type of equipment kind of lends itself over there. Now, some might ask about TRENDnet. I'm not a big fan of them. I don't trust them in terms of security. They exist, they're out there, some people like them. They're definitely cheap enough for the homelab. They're basically UniFi at about, last I looked, I think maybe 20% less in price, depending; that's going to vary, of course, on where you're located. Do I trust them on security? Not so much. An easy example is going to be Log4j. They were slow to update it, compared to UniFi being extremely on top of it. I feel like they just copied UniFi to get into the market, but I don't feel that they're innovating in any way. So I'll throw it out there. They also aren't great, last I checked; their documentation was not good, and their roadmap was a little fuzzy, like, how long is a product supported? What's the lifecycle? A little fuzzy.
But hey, for 25% savings, if you're just going to use it for Wi-Fi, it may not be bad. I think their lifecycle is however long they feel like. Yeah, until people quit buying it, but that's kind of it on that one. Now the last one I'll bring up, and there's a lot more we could probably mention, but we'll throw VyOS in there. VyOS is neat, but, and maybe we'll throw in TNSR, the other one from Netgate, because they offer a homelab license for free; as far as I know, you can still get that for free for the homelab. These are more targeted at the enterprise. It's not that they're not popular; I just don't see them as popular in the homelab world. Now, they're command-line-driven firewalls, which, hey, that's awesome to take the time to learn if that's what you want to learn. I just want to make sure people understand that with that great capability they have, there also comes that other, steeper learning curve. But it's a good environment to start learning in, because once you've learned one of them, you just kind of learn the nuances to pick up some of the other command-line-driven types of firewalls, and it's a good learning opportunity. So there's a lot you can learn about deep networking and understanding it. But if you're used to setting up rules in a UI, come back to something I said at the very beginning of this talk: you could possibly leave yourself insecure because you're not familiar with setting it up, and you're taking the device that divides you from the internet, and are you doing an allow-all rule you weren't aware of because of the learning curve? That's a concern. So make sure you take the time to sit down and learn some of that before then. Now, the VyOS project has been around for years. It's actually the basis, though they've changed it a bit, for the Edge series from Ubiquiti.
We don't really see much of the Edge series; once again, it's the wireless provider market for the Edge series. But you know, there's nothing really wrong with any of those if you take the time to learn it and want to dive into it. It is definitely, you know, I would say VyOS is more well used in that higher-level enterprise space. There's definitely some love for it, but once again, you're probably not going to get a video out of me on it. I don't use it day to day. It's so niche; the people who want to take the time to learn it are more likely going to read about it than watch somebody on YouTube make a video on it. So, yeah, and I've seen someone comment that VyOS has been prepping a GUI; I think they announced it over a year, maybe two years, ago. It's been a long time coming. I don't know when they're going to write a good UI for it. I don't know; I can't really predict their roadmap for it. It's one of those things too, because of the market they focus on, I would probably say it's the same thing as with the high-end Cisco people: they do not like UIs for Cisco. One, Cisco is terrible at making UIs, but second, the people who admin these day to day: go and spend 30 minutes in the UI, or two minutes typing a command, which one do I want to choose? And people who really get into automation, using all the different tools to automate, this is where the command line is awesome for doing that, and it's probably why it doesn't have the drive from them as a company. They're going, this brings us more into the homelab market, but it's probably not the number one requested feature in the enterprise market that VyOS is in. So that's kind of it; it all depends on where you want to learn things and where you want to dive into things. And you know, it's another one where, with it as a tool, it's just making sure people understand that concept, because I've had people ask me for a video, and I'm like, do you know it's command-line
driven? You're like, it is? I thought I needed a video because I couldn't find the UI. Like, I've had some interactions like that. Yeah. I'm like, you're saying it because you know there are probably enterprise companies hiring for it, so you want to get into it, but you're not realizing it just has a steeper learning curve. And I encourage people to learn whatever they want. It comes down to what you want to dive into, and hopefully this helps give you some things to discuss or things to think about when you're choosing some of the firewalls. But, you know, ultimately go with what makes you happy, what you think works for you, what you find easy to control. It's also kind of fun. Just like you distro hop, I have firewall hopped. I have put on Untangle, because you can run the Untangle/Arista one on your own hardware; I've loaded that. I've never really had the desire to play with Sophos XG. I know some people that like it quite a bit. So, hey, that's worth testing out; Christian has got some videos on it. It's got a nice interface to it. So functionality-wise, it doesn't drive me to go, man, that fills this gap I have with pfSense, because pfSense, I'm obviously familiar with it, not just because I create videos but because we manage it as a company; we do consulting on it, we have businesses we manage with it. So I'm very intimately familiar with exactly, in a very predictable way, how it works. We're also good at securing it, and I've got videos telling you how to secure it. Me and Jay had this discussion yesterday about firewall rules and stuff like that. So yeah, that was a fun day. Sometimes you can have a brain fart and have firewall rules work differently than you think, and in my case it was, why does this work? I didn't want it to work, right? Why do you work? You shouldn't work. Yeah, fun times. We all have those moments.
Yeah, absolutely. I have a lot of them. Jay's helped me with lots of Linux things and stuff like that, for sure. Yep. Let's see if there are any questions here. You know, I've never used it. There is a tool now; it has support inside of OPNsense, and unofficial support where you can load it on pfSense. It's called Zenarmor. I've not used it. Once again, I don't really focus on content filtering on the firewall side. If you do want to focus on that, those are a couple of options for OPNsense and pfSense. Content filtering, as I said, with Arista Untangle it's there as a built-in feature; it's there in the Sophos system. But I've just not really used it. From a business standpoint, the way we manage content filtering is on the endpoints themselves, because our clients aren't always behind a firewall because of remote work. So we go a slightly different path for managing it. But if your checklist has that right at the top, going, I have to have content filtering for my kids, then you might want to look at maybe Zenarmor if you plan to go with pfSense or OPNsense. And I see people here saying VyOS is actually pretty easy to learn. It's great if you want to practice CLI, and ultimately that comes down to, what are all the disciplines you want to learn? That's right. Are you going to be a programmer?
Is your focus on firewalls at all, or does your job or career path have an interest in that? Those are the things you just kind of decide for yourself, because although there's what feels like an infinite number of open source and fun projects to play with, there's a finite number of hours in the day to actually play with them. Yeah, that is very, very true. That's why I would love to run all of these, but, you know, it takes time to redo your entire network just to try a different firewall. Yeah, and, you know, Jay's cranking out an amazing number of Linux videos. It would be a bump in the road to swap firewalls and redo an entire network just to see if something works differently. It can be challenging. Let's see. I recently upgraded my home internet to 1.5 gig; having a hard time finding a router/firewall with 2.5 gig ports. Came across Firewalla. Is there any other system that supports that? Well, yes. I've talked about this before, and I have a recent video on pfSense and certain hardware you can buy. So, for business purposes I prefer the Netgate hardware, but I get it, that's going to be expensive, and if your message is coming from Europe that's real expensive, or Australia, turns out it's even triple expensive. So there are some of those boxes out there; ServeTheHome has reviewed them. I've mentioned them in one of my recent videos. They have 2.5 gig ports; they support pfSense and OPNsense natively out of the box. So that gives you that 2.5 gig. So if you have 1.5 gig internet coming in, awesome, you should be able to use one of those boxes. There's even a box out there that Patrick from ServeTheHome did, a few months, maybe two months, ago now, that has 10 gig ports on it.
So, you know, that's an option as well. And if you're really feeling interested in this: I had mentioned this to the guys who run another channel, I think it's called Two Guys Tech. They did pfSense on a ZimaBoard, but they did it with a 10 gig card. I actually had messaged them and said, you know, you can do that with a 10 gig card, because the Zima small computer has two network ports; unfortunately they're Realtek, but the good news is it has a PCIe slot. So they put in a 10 gig PCIe card. Now, it's a Celeron, so it won't route a full 10 gig, but I think it will route like 3 gigs, and if you have 1.5 gig internet, you're on your way. So that's actually a really inexpensive option to put together. You could build this Frankenstein of a system with an external card in it. They had a design you can 3D print, a holder for the card, and make it all work. Look up the ZimaBoards; they're actually pretty neat. I thought about buying one just to have one. These are x86-based, so you can load a lot of different things on them, but definitely something else to play with, because, as we all know, Raspberry Pis are well loved. They're loved to the point of extinction, I feel like. Or extortion, to the point of extortion, for what people want to charge for them right now. Yeah, wow, it's hard, but hopefully that gets rectified soon, because there are a lot of people that would like to have one. Yep. So, fun stuff. I see some people say SNI or a mandatory proxy.
Yeah. If all of it now is SSL, how do we inspect traffic with man-in-the-middle? And that's the challenge. If you want to do man-in-the-middle inspection, you need a system that can install a certificate on those systems, so you can't inspect traffic on something you can't install a certificate on. This is important, because maintaining those certificates is a big part of the process. It's the headache part of the process, by the way, too, and it has its own risk, because some things don't like, and this is where you have to put bypasses in, some things don't like when there are other things in their certificate chain. And if you're doing proper TLS 1.3, TLS has an outer and an inner encryption. There's a secondary internal key. So you have your outer encryption layer, like, you know, Let's Encrypt or whatever you're using for the external one; there's another key, an ephemeral key, negotiated in TLS 1.3. This is a problem, and it's challenging to properly inspect TLS 1.3 without breaking it. That goes out of scope for today's time, but that's just something to consider. The solution a lot of the firewalls have is they downgrade you; well, they just remove that feature of TLS 1.3, the second encryption, because it's designed not to have it there. There's actually a write-up, I think by Zscaler, on how to do inspection on TLS 1.3. They have a good description of it, so you can understand the complexity of it, because there is a way to do it where the proxy will do the unwrapping and then renegotiate another key. So it's man-in-the-middle in a very different way, but that also requires extra horsepower to do it. So there's some nuance to doing that. So, yep. All right. Any more comments you have on this, Jay? Um, basically no, I think you covered it very well.
This is your wheelhouse. You've got this topic very well covered, and, you know, I'm learning a little bit too. It's really making me wish I had that lab set up so I could just randomly set up firewalls and have all sorts of fun. So it's a little bit of incentive for me. Yeah, it's a lot of fun. When it comes to the firewall topics, I've seen someone say Jay's not saying much, but this is the same as when Jay was doing one of the Ansible ones: I'm still the lightweight when it comes to that; Jay is certainly the expert. So we take turns being the student a lot of the time. Yep. Yeah, we take turns doing that. No one knows everything; we just make it look good on YouTube because we do a lot of editing. Yep, yeah, we take the swear words right out of there. So, you know, we messed up and, you know, said some things. Yep, for sure. All right. Well, thanks, everyone, for joining. We love hearing from you: feedback at the Homelab Show. We'll take your questions and all that fun stuff, and, you know, send a bunch of them. We like doing these Q&A episodes and helping you along the way on the journey. But hey, get out there, have some fun, and let us know in the comments what firewall is your favorite. That's always a good discussion. Thanks.