pfSense or Untangle

Ok, so I have a new Supermicro X7SPA-HF-D525 mobo with 4GB RAM coming in and am wondering what firewall software I should put on it. This is for home use. Currently I'm running DD-WRT on an Asus 520GU, so anything is a step up. I have played with both, though Untangle only for about 20 or so mins on a VM, and pfSense for about an hr or so on an old P4.

At first glance at Untangle, one thing I didn't like was it looked like if I wanted anything I had to pay a yearly subscription for the same stuff that was offered for free or already included in pfSense. But I see a lot of people swearing by Untangle.

So my question is what firewall did you guys choose, and why?

Now I don't want this turning into a spamming/fighting contest, so remember everyone has the right to their own opinion.
 
Untangle does lots if you install the "LITE" version of the package.

What features do you use / need exactly ?

I run untangle at home with 4 network cards, 3 subnets :) and it works very well.

Dashhound
 
What features do you use / need exactly ?

This ^^
Both pfSense and Untangle have their respective strengths and weaknesses. pfSense is a great router/firewall distro by itself with tons of additional packages and a pretty packed support community.

Untangle has ease-of-use and some pretty sweet UTM/filtering features - they also have a really nice community as well. And dashpuppy is the resident expert on it :cool:

Personally, I take advantage of both when necessary. pfSense can pretty much run on any retired/old hardware and serves routing and firewall purposes. I run Untangle on a dual core rig to perform web filter duties (ads/virus/spam/spyware) if any friends/family come over.

The best thing to do is to make a list of your needs, and match them to the available software features. Of course, there are also a whole ton of others available that can take advantage of that hardware (Astaro/Endian, etc). Check the thread: http://hardforum.com/showthread.php?t=1517454
 
I am not the expert, however I have been running it for a year on and off and really like it. It does everything and works great. Just install it on good hardware and you're set.

Currently just started a new job so I am saving money to build a 1U server with 4 gig NICs to replace this 2U box I built.
 
What features do you use / need exactly ?

I don't really have needs per se. I have a network with about 20 devices ranging from phones, to a Kindle, to computers. I have static DHCP and pretty much disable automatic DHCP for outsiders unless their MAC addy is in there, because we have 4 kids who like to give out our wireless password to the whole school like it's candy.

This may be a bit confusing to explain, but on my current setup I have my network set up so that for any address between x.x.x.224-255 the internet gets shut off from 9pm-3pm, and I have DNS set up on that set of addresses to point to OpenDNS with strict rules, but on any address before 224 (x.x.x.1-223) I just use the ISP DNS with no rules... Is that possible on any of these setups? It's actually done through the router and commands that I found on the DD-WRT forums a while ago.

I also have a ProCurve 1800-24G and I might in the future set up an IP phone system with FreePBX and Google Voice and set up a VLAN. Mainly to play around with and learn... might use it as my house phone, but I'm pretty content with my cell phone being my main contact.

And port forwarding, but that's probably a given in any firewall setup.
 
Port forwarding for what? Untangle has a really REALLY good web filter built in, should work good for your monsters surfing bad stuff; giving out the password to the wifi, well, you could set up MAC filtering on those machines :)

You could put a few NICs in this box, dedicate one for the wireless, one for the internal LAN, and create rules so your kids & friends can't see the home computers and infect them with their virused machines :)

Very close to how mine is setup.
 
I use port forwarding for my xbox, and my server (rdp and torrenting), and my desktop for realvnc.

On the web filter, can that go by groups, or does it have to be a whole subnet?

When I initially set up the current filtering I had thought about putting them on different subnets, but I have movies and music stored on the server that they can watch, so instead I opted for the segregated network on the same subnet. Plus they were Macs brought home from the school, so the chance of infection would have been slim.

I went the static DHCP route because I access a lot of my equipment through IP addresses (my HTPC, WD Live TV, RealVNC computers, server IPMI, and just plain server), so I went for static leases so I remember what they are and the IP won't change every time we lose power. I guess I could have set each device manually too, but I like being able to control everything from one place, especially if something goes haywire on my router and I need to switch it out. The machines are still getting a DHCP lease... kinda redundant, I know, but I've been static DHCP-ing since college days when I used to manage all the dorms on a MikroTik router and I would manually input each of the 70 or so computers in there... but that was just for fun/because I could.
 
ditch the port forwarding with untangle and use the vpn :) it's very easy to setup and get running, if you can install untangle, you can get the vpn running :) trust me its way better than opening ports.

I think you can create rules that the filter only applies / doesn't apply to.

Your setup sounds really close to mine. The reason I did 2 subnets is so no one on the wireless can see my servers, WD Live HDD and other things. I.e. a friend comes over with a laptop and has a virus on it and infects my network/servers.
 
I'm probably gonna catch a shit load of flak but... look at my sig.... it's TRUE.

Pfsense with its packages will do virtually everything Untangle does and it will do it FASTER (using the same hardware)

Untangle's state table is locked at 10K states if I remember correctly. A friend of mine was all over the Untangle forums searching for a way to increase the state table size. It's hardcoded at 10,000 connections. That's it. I have my pfsense set to 1,000,000 (that's a million). Each state for pfsense takes up 1K of RAM. I have 2 gigs so I dedicated 1 gig to the state table and the other gig to the "OS" and packages.

They both use ClamAV for the antivirus scanner. However someone here a couple months ago claimed that Untangle uses some super secret definitions that supposedly pfsense doesn't have. However they couldn't elaborate further on it, which I believe to be FALSE. You can add links to custom definition files for ClamAV in pfsense anyway.

[image: Qd4Eh.png]

As you can see from the picture there is a daily updated definition file and one from Google that updates every few weeks.

They both use Snort for intrusion defense. There's no way that one works better than the other.

Untangle's Web Filters = pfsense's DNS Blacklist, which actually seems to have a lot more categories than Untangle's. Does it block more sites? I cannot say.

Untangle's Filter List
[image: JMKys.png]

Pfsense's Filter List
[image: VfjbA.png]

Untangle's Phish and Ad blocker is included in pfsense's DNS blacklist. Known phishing and ad sites are included in the blacklist.

The only thing pfsense doesn't do that the free version of Untangle does is a spam filter. That's pretty much it. However there's probably close to 100 packages for pfsense that allow you to do things Untangle can't. Some useful, some stupid.

Pfsense will run circles around Untangle any day of the week as well. Pfsense's QoS will kick Untangle right in the nutz and run away laughing. It doesn't compare.

-----------------

That being said, Untangle is MUCH more user friendly. A monkey can set up Untangle, even the VPN. The same cannot be said for pfsense. Some of its config pages can be cryptic.

If you have any other questions about pfsense, I'd be more than happy to answer them.



dash.... please dont hate me i are sorry :D
 
Furthermore, pfsense just released 2.0RC. I'm intrigued by it. Lots of new features, and packages are supposed to follow. However when I was trying it in its beta stages I could not get it to function 100% correctly 100% of the time. This is common for beta software I guess. I'll definitely be looking at it when it's finally released.
 
I agree with jadams, I've been running pfsense full time for a few years now, and it's been fantastic, and incredibly stable on crap hardware. I tried untangle for a while, and liked the idea, but I can't stand the administration interface, and it just seems too fluffy for my needs, pfsense covers almost everything I could want.

Also, like he said, I tried 2.0 beta and had a few issues, but I'll be moving over to 2.0 RC1 this weekend and hopefully staying there this time.
 
back on topic. i backed up the files that contain all the DNS blacklists for pfsense. they can be found here:

http://www.megaupload.com/?d=0CI7UAP7

5MB or so zipped. 22MB unzipped.

EDIT: After some research I found the default list to be outdated.

A managed list can be found at http://cri.univ-tlse1.fr/blacklists/index_en.php and the .tar.gz file can be extracted to the packages directory in pfsense. It's a shame this can't be done automatically. Maybe the 2.0 release will have something built in. Would seem that hard for it to retrieve that file, extract, and restart the dnsmasq service.
 
Last edited:
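The retrieve / extract / reload step described in the post above, as an added example that is not the poster's or pfSense's own code: it treats the downloaded blacklist archive as untrusted, reads it in memory rather than unpacking it onto the firewall, and emits dnsmasq `address=` lines only for names that pass validation. The archive layout (`<top>/<category>/domains`), the sinkhole address and all sample data are assumptions; where the package keeps its files and how dnsmasq is restarted are left out because the thread does not give them.

```python
import io
import re
import tarfile

SINKHOLE_IP = "0.0.0.0"               # assumption: blocked names resolve to an unroutable address
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # assumption: refuse absurdly large list files
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name):
    """Accept only plain hostnames, so a list line can never smuggle in
    a '/', whitespace or other dnsmasq syntax, and bare IPs are dropped."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL_RE.match(label) for label in labels)


def load_blacklist(archive_bytes, categories):
    """Return {category: sorted domains} from an untrusted .tar.gz.

    Nothing is written to disk. An archive with an absolute or '..' path
    is rejected as a whole; links and device nodes are never followed.
    """
    wanted = {category: set() for category in categories}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe path in archive: {member.name!r}")
        for member in members:
            parts = member.name.split("/")
            if not member.isfile() or len(parts) != 3 or parts[2] != "domains":
                continue
            if parts[1] not in wanted:
                continue
            if member.size > MAX_MEMBER_BYTES:
                raise ValueError(f"list too large: {member.name!r}")
            with tar.extractfile(member) as handle:
                for raw in handle:
                    line = raw.decode("ascii", "replace").strip().lower()
                    if is_valid_domain(line):
                        wanted[parts[1]].add(line)
    return {category: sorted(names) for category, names in wanted.items()}


def render_dnsmasq(blacklist):
    """Render dnsmasq config text: one address= line per blocked domain."""
    lines = []
    for category in sorted(blacklist):
        lines.append(f"# category: {category}")
        lines.extend(f"address=/{name}/{SINKHOLE_IP}" for name in blacklist[category])
    return "\n".join(lines) + "\n"


def build_sample_archive(extra_members=()):
    """Constructed sample standing in for the downloaded archive."""
    files = [
        ("blacklists/phishing/domains",
         b"Login-Update.example\nbad_host.example\n203.0.113.7\n"),
        ("blacklists/ads/domains",
         b"ads.example\nads.example\ntracker.example/203.0.113.5\n"),
        ("blacklists/games/domains", b"games.example\n"),
    ]
    buffer = io.BytesIO()
    with tarfile.open(fileobj=buffer, mode="w:gz") as tar:
        for name, data in files + list(extra_members):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buffer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(render_dnsmasq(load_blacklist(sample, ["phishing", "ads"])), end="")
    tampered = build_sample_archive([("../../etc/dnsmasq.conf", b"x\n")])
    try:
        load_blacklist(tampered, ["ads"])
    except ValueError as err:
        print("rejected:", err)
```
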
Actually....Untangle leverages a lot more than just "clam" and "snort". It's not "super secret" at all..you can go right to Untangle's website, into the modules..and drill further into the details of each module and see an explanation. Their Spyware Blocker module is quite effective, much more so against plain Clam.

I love PFSense also, I've praised it for years, played with it since its origins. It's a very very fast distro with top notch traffic shaping/QoS. But a UTM...it is not!

Untangle's max state size of 10k....it's a limitation of Debian. But if you, a home user, find that to be a bottleneck..well...I highly doubt it. Having PFSense sit in hundreds of thousands of concurrent sessions...or even a million..for a home user, seriously, it's such over-drama..you'll never touch a 1/10th of that.


 
I have the state table set to a million for shits and giggles... mostly because I can. Most home users probably won't use 1/10th as you've stated, but I can under some extreme circumstances. I've reached 250k at max before. pfsense's default state table is also 10k if I remember correctly and I found it to be very limiting. A good number would be around 100k.

While you might say pfsense isn't a UTM, I pretty much proved in my post it was. I've drilled down through Untangle's modules quite extensively and as I've pointed out there's nothing pfsense can't do that Untangle does (except spam filter). Not including PREMIUM modules. You mentioned that Untangle's spyware blocker goes beyond just ClamAV.

UT's Spyware Blocker's "How it does it" contains:
Uses dozens of custom-tuned community blacklists in addition to Untangle's Virus Blocker technology, based on ClamAV

So DNS Blacklist Package + ClamAV = Untangle's Spyware blocker.


Full feature list for Untangle can be found here: http://www.untangle.com/Products/untangle-libitem-standard-package

As stated before, there's nothing on that list pfsense can't do.
 
pfsense default state table is also 10k if i remember correctly and I found it to be very limiting. A good number would be around 100k.

While you might say pfsense isn't a UTM, I pretty much proved in my post it was. I've drilled down through Untangle's modules quite extensively and as I've pointed out there's nothing pfsense can't do that Untangle does (except spam filter). Not including PREMIUM modules.

I don't need a full list of Untangle components...I'm a reseller of it, have been for years...I work with it almost every day at many different locations..it's burned into my retinas. Also well familiar with PFSense, and many other distros...for years....install various ones on almost a monthly basis just to dork around with them. Been there, done that, took home the free tee shirt!

PFSense doesn't have a default table size..it adjusts to what it detects upon installation...I've had it default to all sorts of combinations of a 100,000 depending on what was in the system. (at least the version prior to most recent did)

I saw your attempt at illustrating that PFSense can do what Untangle or Astaro does...but I won't agree that you proved a point. Well..."effectively" is what's important to me, and it cannot do that....it would still fall behind IPCop w/Copfilter...which itself is quite outdated. Sorry but Clam all by itself stinks...it flat out stinks, it cannot find a brown lumpy turd in a public toilet with its miserable nose. Yes Clam is what powers the freebie basic antivirus component of Untangle, but going back several years worth of posts I've made about Untangle in these forums, you've seen me talk about the Spyware Blocker module which leverages additional technologies that are constantly updated. URL blacklist, IP blacklist, long list of active x controls, and importantly..dozens and dozens of custom tuned community blacklists. The attack blocker module is similar. Ain't just Snort!

I have many clients (business networks) that I have Untangle protecting....and those clients have far fewer instances of malware related problems. If I swapped out PFSense with its "wannabe UTM features"...I guarantee you their malware problems would rise.

Again, I've been into PFSense for eons....it's a mighty sports car of a distro. But I'd not want to turn it into a Ford F450 Super Duty pickup like Untangle is. So yes a distro aimed at high performance (PFSense) will run circles around a distro that is designed from the ground up to be a UTM...a Layer 7 UTM appliance at that....dunno why that's surprising to you. It's two totally different animals...DUH!. And while yes on paper you can sort of make it a UTM because you can install components which are a primitive base of what constitutes a UTM....it's not very effective.
 
I for one would like to see some REAL tests. Not claims that "i bet malware attacks would go up"


I believe pfsense does have a default state table size. I've installed it recently on Pentium 2, Pentium 3, C2D, and virtual systems all with different sizes of RAM and if my memory serves me correctly it's always been 10k, or at least a number that starts with a 1 that was too small for my liking.



I'd prefer you not say things as if my name were YeOldejadams I'd automatically know what I'm talking about. I am graciously respectful to pretty much everybody on this forum and I'd like the same. I would never automatically think you knew nothing about something new given certain stereotypes that "old" people don't keep up on new technologies. I'd like the same done for me. Not sure if you meant it or realized it, but that's the vibe I got.

I have more, but I just got called out on a service call.... bbl
 
I believe pfsense does have a default state table size. I've installed it recently on Pentium 2, Pentium 3, C2D, and virtual systems all with different sizes of RAM and if my memory serves me correctly it's always been 10k, or at least a number that starts with a 1 that was too small for my liking.

I know for a fact my last install was over 500,000 as the default size, it was on an IBM Thinkpad laptop, T40 Pentium M 1.3 I think, had...hmmm...either 384 megs or 512 megs...yeah, 512 megs of RAM. And she defaulted to over 500k.

oh well, gimme a rope, there's an almost dead horse flailing on the ground.
 
I know for a fact my last install was over 500,000 as the default size, it was on an IBM Thinkpad laptop, T40 Pentium M 1.3 I think, had...hmmm...either 384 megs or 512 megs...yeah, 512 megs of RAM. And she defaulted to over 500k.

oh well, gimme a rope, there's an almost dead horse flailing on the ground.

That's weird, default is set to 10k.
 
All petty tiny arguments aside, I'd like to get into this a little more in depth.

I'd like to examine very closely what it is that Untangle offers and actually see if it can be duplicated on pfsense.

Just to say it utilizes a custom DNS blacklist and AV definitions isn't enough. If Untangle uses these custom definitions they can be included in pfsense as well. I want to know exactly what it is that Untangle's AV/malware scan has that cannot be implemented in pfsense. This goes for the rest of its modules.

I propose an actual study. If anyone is up for it I'd like to dive into it. We can actually start a new thread about it. A pfsense vs Untangle if you will.

The best part about me is that I am COMPLETELY UNBIASED and open minded. Something good that comes out of my youthfulness ;) (even though nobody here knows my true age) If at the end of this study I find enough compelling evidence I'd gladly change my signature to "My pfsense box does virtually what your Untangle box does (almost as well).....FASTER" :D

Anyone up for this?
 
Sup bros,

I don't trust my important network connections to any of this open-source unix based tomfoolery.

I actually use an oscilloscope and a telegraph key connected to my FiOS ONT. Sometimes, I feel like I'm cheating since I installed a PHY chip on the end. I only have one channel to look at for received data.

I overclocked the muscles in my finger so I can tap out like 200,000 times per second.

I dunno if the OP is up for that though, having to watercool my hands is kind of a pain in the ass.

In that case, if you want winnar performance so you can run it on mediocre hardware, go pfSense. If you want hella features and a crazy 9000 colour 3d user interface with 5.1 channel surround sound, go Untangle.
 
Hahahaha. :D
 

CHA!

from my pfsense advanced system menu.

So it looks like it defaults to 10k....I still believe older versions I had didn't default, but adjusted accordingly based on the specs being installed on......regardless, upping it yourself to a higher setting is quite painless and moot.

Several months ago Tim Higgins had one of his guys start a "Built a UTM with PFSense" article
http://www.smallnetbuilder.com/security/security-howto/31433-build-your-own-utm-with-pfsense-part-1

There are 3 more parts to that article. You might find it interesting

Years ago over on Tims site, I had been pimping PFSense for a long time..and he finally started a review of it...giving credit to my pimping right in his article...so it's not like I'm against PFSense
http://www.smallnetbuilder.com/lanw...g-your-networks-bandwidth-hogs-part-1?start=1

Still, to me, I prefer to compare true native UTMs to each other...."apples to apples" to use an overused phrase. Untangle vs Astaro vs Endian vs Gibraltar...etc.

And...PFSense with its QoS...can't kick Untangle's Traffic Shaper in the nuts and run away laughing...Traffic Shaper is mighty potent...granted not a freebie.
 
wow, i go to work for 8 hours and look what happens LOL!

Do any of these support VLANs?
 
wow, i go to work for 8 hours and look what happens LOL!

Do any of these support VLANs?

While it's not a VLAN per se....you can just have multiple NICs and treat them to separate racks. Or are you looking for tagged packets to pass through the gateway on the way to somewhere else? (dunno why..just askin')
 
While it's not a VLAN per se....you can just have multiple NICs and treat them to separate racks. Or are you looking for tagged packets to pass through the gateway on the way to somewhere else? (dunno why..just askin')

Tagged, I'd like to buy a managed switch for the house and have separate VLANs for each thing like I have now, with multiple subnets / NICs.
 
pfsense asks about VLAN tagging during initial setup. I haven't tried it myself.
 
So it looks like it defaults to 10k....I still believe older versions I had didn't default, but adjusted accordingly based on the specs being installed on......regardless, upping it yourself to a higher setting is quite painless and moot.

This is quite interesting. I just upgraded my pfsense from 1.2.3 to 2.0RC and when I went to change the state table size i see:

Maximum number of connections to hold in the firewall state table.
Note: Leave this blank for the default. On your system the default size is: 194000

Keywords being "your system". Looks like this is something that they did in earlier builds pre v1.2.3 and put back in for 2.0RC
 
pfsense asks about VLAN tagging during initial setup. I haven't tried it myself.

I might just order another 24 port dell rack mounted gigabit switch, and use 3 nic's like how i have it now.
 
Tagged, I'd like to buy a managed switch for the house and have separate VLANs for each thing like I have now, with multiple subnets / NICs.

If you do something like port based VLANs....gateway is between switch and internet, VLANs are between switch and rest of the LAN...no need to worry about if the gateway supports VLANs or not.
 
This is quite interesting. I just upgraded my pfsense from 1.2.3 to 2.0RC and when I went to change the state table size i see:



Keywords being "your system". Looks like this is something that they did in earlier builds pre v1.2.3 and put back in for 2.0RC

Lessee...what was that word you use? Oh yeah..."CHA!"
 
You can use the word "cha" when you're right. Which I certainly was. You're welcome, by the way, that I went out of my way pointing out that you were too. Lesser people would have just sat on that fact. That's not me.

However I could always install pfsense 2.0 on my spare P3 system here and see if it nets the same result, it's not much for proof if it's only done once. So don't get too excited there... don't want your pacemaker acting up ;) :D :eek::cool:
 
Do any of these support VLANs?

Yes, pfSense does VLAN tagging. I have 10 VLANs here at work that pfSense is aware of and can route, though we generally use the core switches for routing the VLANs to eliminate bottlenecks.
 
I finally had a chance to read over this today. It indeed is a good read, however I don't agree with quite a few things.

The first is his grading system. Why are these specific grades given? What in the subsections of each test is it that constitutes the grades values? What are these grades compared to? What would it have taken to get an A++++ on these tests?

When he talks about the antivirus scanner, it was the first I realized that it only scans HTTP traffic. Email and FTP are left out. I don't consider email to be that much of a problem (except spam, which I touch on later). In the office we're not using POP/IMAP. At home the majority of people will log in through webmail, which will go through the HTTP scanner.

If someone did receive something malicious through email it would likely be a link pointing to a browser hijack or something similar. If it's opening up a webpage then again... it's going through the HTTP scanner and will probably even get stopped by the blacklist before anything hits the scanner to begin with. These days even the most uneducated, ignorant users I service know not to download things from unknown sources through email. If by chance they did, and it got by their PC's AV, it would have likely gotten through the firewall AV as well.

His grade of C again has nothing to compare it to. If it did indeed scan email and FTP, would it have gotten an A? Without these features is it really any less effective in the big picture? Also as far as I can tell HTTPS isn't scanned by pfsense or Untangle. I can find no setting for HTTPS in Untangle's GUI unless HTTPS is assumed in HTTP. Care to shed light on that?


The content filtering grade, while good, was a B. But you can add any custom blacklist to SquidGuard. What would it have taken in this section to get an A when you can customize the blacklist? Untangle offers a blacklist of 1 million sites for the Lite web filter, and advertises some monstrous 450 million site blacklist for premium. I have found a 3.5 million site blacklist for SquidGuard. More != better. I have to wonder if that 450m list is maintained or it's just a compilation of every domain ever put on any list anywhere. This means it could potentially take 450x longer to sift through this blacklist for every outgoing request. Untangle's performance is already in question from the start.

His spam evaluation baffles me. He gives it a D but then goes on to praise SpamD and SpamAssassin (which Untangle uses). SpamD has always been an installable package in pfsense for as long as I've been using it. SpamAssassin is supposed to be included in 2.0, but as of right now it's not. I haven't read anything about a timeframe. But with at least SpamD he makes it seem as though it's something you have to install manually and will have trouble doing so. This isn't the case. So if he praises SpamD as a good solution and it's easily installable on pfsense then what's the real grade?

I did like his guides to set up the various packages, that would have helped me greatly the first time I was setting up pfsense. I'll definitely agree pfsense is nowhere near as user friendly. It assumes some level of *nix based experience, of which I have virtually none. My *nix professor in college was just like a typical *nix person you'd find on the internet.
 
yes, pfsense can do vlans. We have multiple tenants in our office that we provide network access to, so each one gets their own vlan, plus access to the shared printer vlan etc. L2 gigabit switches get kind of pricey, so I have pfsense do all the routing (and runs virtualized on vsphere). works well.
 