Tom here from Lawrence Systems, and we're going to talk about firewalls. If you want to learn more about me and my company, head over to lawrencesystems.com. There's a "Hire Us" button up at the top if you'd like to hire us for short projects such as configuring firewalls. If you want to help the channel out in other ways, or find discounts and deals on products and services that we talk about, we have some affiliate links down below.

Now let's dive into the firewall comparison. This is by no means an exhaustive list of every firewall in existence; that would just be well beyond the scope of what I have time to do right now. Also, I wanted to cover ones that we frequently talk about on the channel, because these questions come up a lot, so I just wanted to kind of make a little matrix of how these work.

Now we'll start with which ones we chose: pfSense, Untangle, the USG Pro, UDM Pro, and the EdgeRouter series.

Operating systems: pfSense is fully open source and based on BSD. Untangle is open source, based on Linux, but does have paid features. Not every feature in the Untangle world is free. Some of them are kind of sold as a subscription service, because it's more than just the software; it's also some of the feeds that come with it. I won't dive into what is or isn't paid on this list, because that's all documented on their site. I've done reviews of it. But if you're thinking about any of these, you have to look at some of the pricing and what features come with them. Now, these are a little different over here.
I do know I'm saying EdgeOS. I do know they're somewhat Linux based and things like that, but they're not the same as Untangle and pfSense, because the things that make pfSense and Untangle stand out: they're both software that you can just go download and load on your own hardware, or there's software that can come on the appliances that they sell, and it's the same software either way. Whether you buy an appliance from pfSense, you buy a Netgate appliance, which is the officially supported ones, it's going to be the same software you get when you download it. And the same goes for Untangle: they have the ability to sell you an appliance, or you can just go download software. You cannot download and load your own, build your own router, with any of the Ubiquiti lineup. So I left on there what OS they are running. I am aware that they are on Linux, but that is a defining difference.

Which you can download is the UniFi software-defined networking controller, the UniFi SDN, for the USG. The UniFi SDN is a little bit different on the Pro, and then UNMS. Now, they go more than just firewalls, obviously. So the UniFi software-defined networking controller in the USG line will control the Wi-Fi, will control the switches, as well as the firewalls, and it supports multiple sites, and we'll talk about that in the dashboard part. The UniFi UDM and UDM Pro are a little different because the software-defined networking controller comes on the box. It's more of an everything-integrated type of box, and it doesn't allow you to host the software-defined networking controller externally to manage the boxes. And then EdgeOS comes with UNMS, and that's where the centralized management comes in.

pfSense does not, Netgate does not officially have any type of centralized management. That is up to you logging into the firewalls to manage them yourself. Untangle, via their website, does have centralized management. So you can tie Untangle boxes to a central dashboard to manage all of your
Untangle installs.

If you're a business that's managing multiple sites, or an MSP like we are: this software-defined networking controller, we host it ourselves, but you can host it wherever you'd like, and that is completely allowed, to control many sites at once in a single controller, making it fairly easy to manage all of them. And like I said, it goes beyond managing just the firewall. But yes, it does have central management that you have the ability to host, or get a hardware Cloud Key and host it on that if you don't want to run it on your own hardware or virtual machine or however you want to set it up.

The UDM and the UDM Pro, like I said, it comes integrated, completely integrated on the UDM system, so it's part of the management there. But let's say you deployed several of these and you want to manage them: you can manage them through the UniFi dashboard. Each one of these can talk to the UniFi dashboard, so you can start at the UniFi dashboard and then get into each of the ones that you've registered with it.

EdgeRouters have UNMS. The UNMS system is not as extensive as the software-defined networking controller that you get with UniFi, but it is a way to manage it. I've not done any videos or deeper reviews on that particular product. I will also mention I've not yet reviewed the UniFi Dream Machine Pro. That's why it's in front of me; it's on my review list. It's in process, but I've still looked at it enough to finish this little firewall chart.

OpenVPN server: now, you're gonna see me talking about command line features. We ourselves at Lawrence Systems do not support at this time configuring a lot of these things where it says "yes, via command line."
They're kind of fuzzy on the official support. There are documents on UniFi's website, or Ubiquiti's website, on how to do some of these things, but obviously they're a lot harder to manage because you're just setting it all up from the command line, following several work instructions. So they can be a little bit more challenging. But at least I'm not gonna say no, they don't support it; it'll be "yes, via command line." And this is where people get confused, because they think that, hey, it's got a web interface, therefore every feature that it has must be accessible via the web interface. And that's not true for some of the other devices.

So, OpenVPN server: completely supported in pfSense and Untangle. This is both for site-to-site VPNs and for users logging in. There are different user managements built into both pfSense and Untangle, so you can integrate your users, build lists, etc. For example, you have, like, a RADIUS server you can set up, or different user lists, or use external authentication from there. There's a ton of diversity in how you can configure the OpenVPN server on both of these devices. But over here you're just doing it via the command line, so it depends on your ability to set up OpenVPN from the command line and add the features that you may want and get things going.

Working as a client: same thing, really easy. Now, what does that mean when you have a firewall as a client? For example, if you wanted to use a VPN service, then you could have policy routing where you say, hey, I want my whole house, or at least these computers, to go out via the VPN, to wrap everything in the VPN. It can facilitate that. That is supported on both pfSense and Untangle. Once again, that comes down to command line configurations on the other ones.

IPsec is supported in all of them. L2TP VPN is supported on pfSense. It does not appear, at least through Google searching and looking, I did not see any support for it on Untangle. They do support, though, IPsec and OpenVPN.
I did not see L2TP specifically on there. But not me, I don't recommend using the L2TP VPN. IPsec and OpenVPN are usually the two more popular ones anyways. But yes, via command line on the EdgeRouter.

Now, policy routing. I kind of mentioned it with the VPN. This is just where maybe you have multiple WAN connections, or WAN plus VPN, or some mixes in between. They have really complicated policies that you can do within pfSense. They're not complicated to do, but they can get complicated. I've done videos about how policy routing works. That is completely, fully enabled with the web interface, and is as extensible as you want to do. You can get really granular with it, with all the options. Same thing with Untangle: they have a lot of policy routing options. Once again, we're back to a command line over here. It's not like you can do it. But of course, if you're setting up a VPN and you want certain devices to go out that VPN, you've already set it up from the command line. So yes the policy routing is not to go through the command line as well.

Intrusion detection / intrusion prevention system: Suricata or Snort. You actually get two choices with pfSense; you choose which one you want. Untangle's baked-in Suricata is part of their offering. When it gets over to the USG, I'm pretty sure, and someone will correct me if I'm wrong, that it's Suricata under the hood, but they're not really exposing it. What I mean is, it's very basic. It doesn't have the fine-grained "show me the rules," every little detail in there, where you can adjust the feeds and do a lot of fine tuning. So I should have put "yes, basic," but the best I can do is say yes, it has it. So this is where things get a little fuzzy: does it check the box of "yes, I wanted an IDS system," or does it really dive deep into giving me fine-grained control over my IDS system?
And it's not available on the EdgeRouter system, and I believe it's partly because the EdgeRouters don't have the ability to run it at speed. I'm not exactly sure, but even via command line it doesn't seem to be supported very well, from anything I've read. I didn't find any instructions on it.

DNS filtering: I've done plenty of videos on pfBlocker. It gives you tons of fine-grained control, custom feeds, etc., for doing everything from blocking certain sites, blocking lists, etc. It's all based on DNS filtering. It is supported on Untangle; not pfBlocker, but just DNS filtering in general. Not supported, that I can find, in a USG or USG Pro as of right now. It's a beta feature, so it's kind of basic; they've started building it into here. It doesn't give you a lot of fine-grained controls. So beta, basic, and no on here.

GeoIP filtering: same answer. It's facilitated by pfBlocker inside of pfSense. But on Untangle it's part of the integrated baked-in offering that they have. It's not a separate anything. Matter of fact, all the modules from Untangle are just Untangle's modules that you either get for free or buy as part of their premium features. Not featured here, the basic feature here.

Web content filtering: so yes, Squid / SquidGuard is supported in pfSense. I've done videos on why I'm not a big fan of it. To me, it's not a smooth operation, and generally speaking, man-in-the-middle SSL filtering just becomes a headache of figuring out which sites are broken, which sites cause you problems on it. Untangle has a deeper integration for it.
I've done a video on it, so I think they've done a nice job of wrapping it all together, making it a lot easier to do, especially when you want to have listings of sites and stuff like that. If you spend some time in the forums looking at Squid, you'll know why I don't care much for supporting it. It kind of becomes a job of sorting out what things go wrong with it, and this goes for Untangle to some extent as well. The difference is, as part of the premium feature of the web filtering, they seem to have pretty good feeds on it. But the web filtering with man-in-the-middle SSL can sometimes be challenging. This is an advantage, I will admit, some of the larger commercial firewalls have, because they actually will have a package they load on each workstation to help manage them at the same time. So it's not just installing a cert, with a whole system around it. So there's some trickiness to doing that. It's not my favorite way to do it at the firewall level. It's usually something I prefer other applications to at the workstation level. This is not something supported by the USG, the UDM, or the EdgeRouter. They don't have any man-in-the-middle SSL.

Now, QoS traffic shaping: it's advanced on pfSense. It's advanced on Untangle. You have a lot of options, a lot of fine-grained control you have over all the different traffic shaping things you can do. It's kind of basic on the USG. They do have certain quality of service. They have it basic on the UDM. There are some command line options where you can get a little bit more advanced with the EdgeRouter.

WAN failover: yes on pfSense. Not just WAN failover: multi-WAN, multi-WAN. And I say that twice because you can have three or four connections if you want. There's a lot of different flexibility, because when you're defining how many ports you have, whether you buy a Netgate appliance or you build it yourself, you can configure as many ports as you want to WAN.
You're not limited to just that. You are on the hardware, depending on the USG: they have two hardware ports on there. So yes, you can do failover, one or the other, on there. And then the UDM Pro, you can. The UDM, the UniFi Dream Machine, just doesn't have a second WAN port on there, so I don't see a way to make it do WAN failover. And of course, on the EdgeRouter, yes.

Load balancing: that's a little bit different than failover, where you want to share. Once again, you've got a lot of advanced controls for how you may want to do that, because you can tie it together with policy routing for load balancing on pfSense and Untangle. And the USG has it. The UDM Pro, I believe I've seen it in there. I did not test it yet, so this is pre-review of it, and it's obviously a very new product. But it appears to be the same UniFi USG software, so I believe the option should be there. Yes, via command line, there.

Active Directory integration: I added this because this question comes up a lot, about when you want to build complete integration. Now, can you do it on pfSense? Well...
Yes, I know someone's gonna point out a work instruction where you load something like an LDAP connector inside of pfSense and then create an LDAP connector inside of there. But I'm referring to, like, native integration for Active Directory. That is something that Untangle does have and the other ones don't have. I'm not gonna dive deep into it, but you can start doing more when you have Untangle and you want to have it connected to the way your users are tied to your Active Directory.

Captive portal: yes on pfSense, yes on Untangle. I said "yes, via the software-defined networking controller" on these because, just to make sure I'm clear, it's not actually the firewall that this lives on. So you do need the software-defined networking controller up and running to get the captive portal to respond to captive portal requests. That's an important distinction. Now, technically, on the UniFi Dream Machine series, because the UniFi software controller runs inside the same box, it's gonna be on at the same time, because they're one and the same. And this is not a feature inside the EdgeRouter. So, but it does have it. Those are our features.

Let's Encrypt certificates: I bring this up because this question is coming up more and more, of, you know, how do I install a cert, and how do you automate that?
Well, that is a plug-in for pfSense that is integrated. I've seen some people talking about how to put it in some of the other things, but it is native, web-interface enabled: just turn it on. It supports the ACME protocol for doing Let's Encrypt certificates, and that's important because of HAProxy. This is a really popular package to create reverse proxies for things, and it's natively built into pfSense, so you can turn on Let's Encrypt to have your certs, and then you can pass those certs around to all the things behind there. Right now, the way things are going with some of the different browsers, they're getting stricter and stricter on the way they prefer certs, and, you know, not everyone wants to do the click-through. Running those two things together, HAProxy with Let's Encrypt, is a great option to take and put those proxies in, and of course you can set it up in front of other services you have in there. This is where pfSense has some really advanced features to sit in front of servers and then balance between them, HAProxy between them, and all the features that come with it.

So I'm not going to dive deep into that right now, but it is a pretty advanced feature. So obviously it's something a lot more than home users might use, but people building a home lab, or even businesses I know, are using HAProxy for their systems in there. So it's definitely a cool feature, and yes, I will do a video on it at some point in time. It's on my to-do list. I just got to figure out when to get it on there.

So hopefully this was helpful.
I will leave a link to the spreadsheet. I will try to do my best to keep it as up to date as possible for you, and I'll revisit it once more, because these features could change, new features could be added, and some of these things could change. They could suddenly have a new version of the software-defined networking controller that opens up a lot more features on these. The UniFi Dream Machine is a really recent release that I haven't even reviewed yet, here in February of 2020. Like I said, there could be a whole lot more features coming down the road, and that's kind of the beauty of software-defined networking with reasonable hardware: it just keeps getting better. And of course we have the new version of pfSense; it'll be out, I'm guessing, when it's done. I don't have a date, of course, but there are more features coming, and in the new version there are gonna be some more enhancements.

So hopefully this was helpful, or maybe you're more confused than when you started. But these are frequent questions, and hopefully this matrix helps. Maybe later, if I feel real inspired, I'll find another firewall to add to this list and slowly build this list up. But as you can tell, the challenge too is they're not always yes-or-no answers. They're kind of more in-depth, because saying it does something versus does it do it well is a very loaded question.

I did leave out dashboards, because I don't even know how to define that. The dashboards look wildly different on these different devices, and that is a combination of personal preference and, you know, how fine-grained you want to do that. That would be its own video. I started in on that part, and that actually took me a long time to think about, but it was very difficult to be concise on, so I omitted it from the video just so I can get the video done. All right.
Thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. Once again, thanks for watching, and see you next time.