Meraki MX64 or Sophos UTM9 or Pfsense

Discussion in 'Networking & Security' started by Burner27, May 16, 2017.

  1. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
    Currently at the 300/20 level for internet speeds from Spectrum. I would like to use the best possible router I can. I have the current hardware available to me:

Cisco Meraki MX64 (got this free for attending a webinar). Yes, I know it is limited to 250Mbps download. Comes with a 3yr advanced license, meaning everything is enabled.

Or use pfSense or Sophos UTM9 on the following hardware (yes, I know it is overkill):

i7-6700K
    Gigabyte GA-Z170N Gaming 5 mobo
    16GB DDR4-2400
    256GB Intel 6 m.2 SSD (yes I know it is NVMe)

I want to use content filtering/IPS/application filtering (probably eliminates pfSense just on that), and country blocking.

    I think it would be between Sophos and the MX64 based on the above criteria but not sure if it is a colossal waste of resources running it on that hardware or not.


    Opinions/advice are welcome.

    Thank you!
     
    Last edited: May 19, 2017
  2. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    I would use the Meraki, in my opinion. It's going to be perfectly quiet and not use much power and the management is awesome.
     
  3. 6foot4geek

    6foot4geek [H]ard|Gawd

    Messages:
    1,287
    Joined:
    Apr 27, 2008
  4. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
I appreciate the votes, but why the Meraki? The others aren't good enough?
     
  5. 6foot4geek

    6foot4geek [H]ard|Gawd

    Messages:
    1,287
    Joined:
    Apr 27, 2008
Because it will do what you are trying to do and do it well. The hardware you have is pretty overkill for a pfSense box, and I think you'll run into things you want to do with a pfSense box that it 1. won't do 2. can't do very easily.
For Sophos, I just don't know too much about it. I have used Meraki for a while, so it's just a safe bet. All the things you want to do I know the Meraki does well.

Also, I'm assuming you won't miss that 50Mbps too much :)
     
  6. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000

I can hit 350Mbps with the pfSense box though. So I'll be missing that 100Mbps...

I agree with you regarding pfSense. Although very stable, if I want to do certain things, like you said, it can't do them or won't do them easily.

If I could get Sophos to run on that HW, that would be sweet...
     
  7. 6foot4geek

    6foot4geek [H]ard|Gawd

    Messages:
    1,287
    Joined:
    Apr 27, 2008
But you only have 300Mbps currently? Or are you talking about throughput vs download speeds?

I'd be willing to bet that Sophos will run on that hardware. I think they have a trial you can give a shot if you are that interested in checking it out. Also, something to consider: how much is the licensing for Sophos UTM?
     
  8. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
Sorry, I meant download speeds. I exceed the rate I pay for. Sophos gets stuck at 66% on that hardware and never completes the install. It has to do with a VGA port not being present.
     
  9. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
Did a test. Installed pfSense on the hardware I have above and I get 350 down/23 up.
Installed the Meraki, and got 250 down/23 up.

Default settings used for both. No content filter/bandwidth shaping/application control was enabled.

Overall experience so far...

Family complained that Netflix and other channels on the Roku loaded streams slower when the Meraki was in place.
     
    Last edited: May 17, 2017
  10. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
That wouldn't really make sense - 1080p streams on Netflix are 3Mbps. If you had success with the pfSense and you are getting what you want out of it, then I would just run with that.
     
  11. VRT

    VRT Limp Gawd

    Messages:
    460
    Joined:
    Jul 15, 2016
+1 for the Meraki. We use their products extensively, they perform flawlessly, and you aren't going to have problems with it.
     
    Cmustang87 likes this.
  12. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000

    Let me clarify the Netflix comment. Family states it takes longer for Netflix to start up and movies to play using the Meraki vs using pfSense. I would continue to use pfSense, but am not sure if I could do better (Sophos UTM/Meraki)??
     
  13. sybreeder

    sybreeder Limp Gawd

    Messages:
    193
    Joined:
    Oct 24, 2010
For Meraki to work you always need to have an active subscription. If you decide not to pay, all your Meraki devices will become useless.
So, the technology is generally nice, but if you want to have a set-it-and-forget-it setup, it's not for you.

You could use Sophos UTM 9 Home, the free version. It lacks some settings. I've tested it myself. Definitely more difficult to set up.
     
  14. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    This is a fair, quick rundown.
     
  15. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
If I could get it to install on the hardware I listed above, I'd be all over it. pfSense is the only one of those 2 that'll run on it. Perhaps the Sophos guys can update their code to make it work.
     
  16. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
    Version 9.5 of Sophos installed fine on the hardware I listed earlier, but it has many bugs still to work out. I am giving the Meraki a second chance. Why not use it for the 3 year subscription that came with it? Perhaps I can tweak it to play nice with Netflix.
     
    Last edited: Jul 2, 2017
  17. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
And the Meraki locked up 2 times since Saturday. After the second reboot, it wouldn't allow my iPad to connect without prompting me with the Meraki splash page (which isn't even enabled). Sigh...
     
  18. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
Called up Cisco and told them my issues. They agreed to replace my unit. Received it today and it has been good so far... fingers crossed!!
     
  19. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,477
    Joined:
    May 14, 2008
Why choose to only use one? You could use both the Meraki and the pfSense, just separate your network out. That way you can play around with things on the pfSense for hobby-related activities, and use the Meraki for all the other family-related stuff.

Honestly, "best" is a personal preference. The Meraki is going to have good standard functions with some variability, but is closed. The pfSense is going to have a lot of options and it's open, so you can change a lot more around and add more stuff to it. The hardware is going to be the main difference: the MX64 is going to be designed specifically for networking/routing, and its software is going to be optimized for it. Whereas a home-built box is not going to have the same hardware; it may be slower in some functionality, but more powerful in others. Ultimately the home-built box will have more options, but not be as efficient power/size wise.
     
  20. Meeho

    Meeho [H]ardness Supreme

    Messages:
    4,557
    Joined:
    Aug 16, 2010
A cloud-based security device screams all kinds of wrong to me.
     
  21. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
    Yeah, I hear you. One of the things I don't like. That, and the 250Mbps limit.
     
  22. MikeTrike

    MikeTrike [H]ardForum Junkie

    Messages:
    8,214
    Joined:
    Nov 16, 2005
    This is the likely reason why people vote for Meraki...

[image]
     
  23. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
Does anyone think pfSense has a 'backdoor' that can allow 'big brother' in?
     
  24. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
So I have been using the Meraki for about 2.5 years. No complaints. As stated, 'set it and forget it'. License renewal comes up next year and it looks pretty hefty. I can pay it, just don't know if anyone sees a reason not to (better devices?). Not sure if the Meraki can do ad-blocking. Can't seem to find anything on that.
     
  25. ComputerBox34

    ComputerBox34 Right in the Box

    Messages:
    11,074
    Joined:
    Nov 12, 2003
    Meraki is for IT departments and CIOs that don't want to invest in Network Engineers, hence the opex cost.

If you want to do application filtering, use pfSense and local applications installed directly on devices. Let a stateful firewall be a stateful firewall. If you want any sort of NGFW capability to work well, you're going to either have to open your wallet or spend the time tinkering with Linux-based firewalls.
     
  26. boss6021

    boss6021 Limp Gawd

    Messages:
    346
    Joined:
    Oct 11, 2006
+1 for pfSense! The only upside for the Meraki I see is that you have 3 years of licensing.
     
  27. EniGmA1987

    EniGmA1987 Limp Gawd

    Messages:
    241
    Joined:
    May 2, 2017
I don't know if pfSense has gotten more features or not in the past 3 years, but it will do ad-blocking, geo-blocking, intrusion detection and prevention, rudimentary antivirus, run a VPN server, and all other basic firewall things. So all the things you asked about years ago and the other day. You can also use Snort and add-ons for application detection and blocking:
https://www.netgate.com/blog/application-detection-on-pfsense-software.html
Performance is very high and you get patches for security issues. I'm betting the Meraki is probably slower today than it used to be from patches, or you didn't even patch it, which is an issue. So I'd save a lot of money and use pfSense.
     
  28. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
Yeah, my Meraki is up to date with the latest firmware. Doesn't seem like it has slowed down over its service life. The Meraki uses Snort for its IDS, which is a single-threaded application. I do like that pfSense has that option as well, but it also can use Suricata, which is multithreaded. I think the Meraki doesn't do as much as I'd like it to given its limited hardware at the MX64 level. To ask it to do more and not slow down would mean I would have to go up to a higher class, which means more $$$$.
     
  29. TheToE!

    TheToE! [H] Brewmaster

    Messages:
    6,789
    Joined:
    May 17, 2005
MX64, but not for performance. Also keep in mind that to block countries you'll need an Advanced Security license. This used to be standard but they paywalled it (those fuckers).

I manage an MSP and we use Meraki everywhere we can. We're a small outfit and our resources are limited. It has some advantages in my scenario.
- Easy for my junior guys to understand.
- The automation stuff makes our job a lot easier.
- We get next-day advanced replacement if a piece fails, no more managing SmartNet or other warranties.

For the most part everything is laid out well in the single pane of glass. That said, I'm also a big critic of Meraki. It's not all sunshine, but for us it's our best option, I feel like.
     
    Last edited: Nov 5, 2019
  30. SineDave

    SineDave Limp Gawd

    Messages:
    290
    Joined:
    Jun 9, 2004
You can also get a free FortiGate if you listen to their sales pitch. That might be worth it.
     
  31. boss6021

    boss6021 Limp Gawd

    Messages:
    346
    Joined:
    Oct 11, 2006
    For clarification.

    https://secure.fortinet.com/LP=6541

    "By scheduling, you confirm that you are not a current Fortinet partner, government entity and your company has more than 250 employees."

    "Recipient must be of the legal age of majority where the recipient resides, a legal U.S. resident, and not: an employee of Fortinet, a Fortinet reseller or partner, a consultant, a Fortinet competitor, or a government affiliate. To receive the gift you must: (a) be an IT professional currently employed at a company with at least 250 employees, (b) complete the phone or in-person meeting with a Fortinet Account Executive, and (c) sign Fortinet's Product Awareness Gift Acknowledgement Form. The initial conversation will be conducted by a Fortinet Business Development Representative to qualify the need prior to scheduling."
     
  32. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
I tried the link but it says the link expired from the person who invited me. And I'd be in the same boat when the license expires. Is it worth it to renew, or roll my own?
     
    Last edited: Nov 6, 2019
  33. Burner27

    Burner27 [H]ardness Supreme

    Messages:
    6,331
    Joined:
    Oct 23, 2000
I just don't like the fact that it's so expensive to renew.