Meraki MX64 or Sophos UTM9 or Pfsense

Burner27

Currently at the 300/20 level for internet speeds from Spectrum. I would like to use the best possible router I can. I have the current hardware available to me:

Cisco Meraki MX64 (Got this free for attending a webinar) Yes, I know it is limited to 250Mbps download. Comes with 3yr advanced license - meaning everything is enabled

Or use pfsense or Sophos UTM9 on the following hardware (yes, I know it is overkill):

I7-6700K
Gigabyte GA-Z170N Gaming 5 mobo
16GB DDR4-2400
256GB Intel 6 m.2 SSD (yes I know it is NVMe)

I want to use content filtering/IPS/application filtering (probably eliminates pfsense just on that), and country blocking.

I think it would be between Sophos and the MX64 based on the above criteria but not sure if it is a colossal waste of resources running it on that hardware or not.


Opinions/advice are welcome.

Thank you!
 
I would use the Meraki, in my opinion. It's going to be perfectly quiet and not use much power and the management is awesome.
 
I appreciate the votes, but why the Meraki? The others aren't good enough?
 
Because it will do what you are trying to do and do it well. The hardware you have is pretty overkill for a pfsense box, and I think you'll run into things you want to do with a pfsense box that it 1. won't do 2. can't do very easily.
For Sophos, I just don't know too much about it. I have used Meraki for a while, so it's just a safe bet. All the things you want to do, I know the Meraki does well.

Also, I'm assuming you won't miss that 50mbps too much :)
 
I can hit 350Mbps with the Pfsense box though. So I'll be missing that 100Mbps........

I agree with you regarding pfsense. Although very stable, if I want to do certain things--like you said, it can't do or won't do easily.

If I could get Sophos to run on that HW, that would be sweet....
 
But you only have 300mbps currently? Or are you talking about throughput vs download speeds?

I'd be willing to bet that Sophos will run on that hardware. I think they have a trial you can give a shot if you are that interested in checking it out. Also something to consider: how much is the licensing for Sophos UTM?
 
Sorry, I meant download speeds. I exceed the rate I pay for. Sophos gets stuck at 66% on that hardware and never completes the install. It has to do with a VGA port not being present.
 
Did a test. Installed pfsense on the hardware I have above and I get 350 down/23 up.
Installed the Meraki, and got 250 down/23 up.

Default settings used for both. No content filter/bandwidth shaping/Application control was enabled.

Overall experience so far......

Family complained that Netflix and other channels on the Roku loaded streams slower when the Meraki was in place.
 
That wouldn't really make sense - 1080p streams on Netflix are 3mbps. If you had success with the pfSense and you are getting what you want out of it, then I would just run with that.
 
+1 for the Meraki, we use their products extensively and they perform flawlessly and you aren't going to have problems with it.
 
Let me clarify the Netflix comment. Family states it takes longer for Netflix to start up and movies to play using the Meraki vs using pfSense. I would continue to use pfSense, but am not sure if I could do better (Sophos UTM/Meraki)??
 
For Meraki to work, you always need to have an active subscription. If you decide not to pay - all your Meraki devices will become useless.
So... the technology is generally nice, but if you want to have a set-it-and-forget-it setup - it's not for you.

You could use Sophos UTM 9 Home - free version. Lacks some settings. I've tested it myself. Definitely more difficult to set up.
 
This is a fair, quick rundown.
 
If I could get it to install on the hardware I listed above, I'd be all over it. pfSense is the only one of those 2 that'll run on it. Perhaps the Sophos guys can update their code to make it work.
 
Version 9.5 of Sophos installed fine on the hardware I listed earlier, but it has many bugs still to work out. I am giving the Meraki a second chance. Why not use it for the 3 year subscription that came with it? Perhaps I can tweak it to play nice with Netflix.
 
And the Meraki locked up 2 times since Saturday. After the second reboot, it wouldn't allow my iPad to connect without prompting me with the Meraki splash page (which isn't even enabled). Sigh.....
 
Called up Cisco and told them my issues. They agreed to replace my unit. Received it today and it's been good so far....fingers crossed!!
 
Why choose to only use one? You could use both the Meraki and the Pfsense, just separate your network out. That way you can play around with things on the Pfsense for hobby related activities, and use the Meraki for all the other family related stuff.

Honestly, "best" is a personal preference. The Meraki is going to have good standard functions with some variability, but is closed. The Pfsense is going to have a lot of options and it's open, so you can change a lot more around and add more stuff to it. The hardware is going to be the main difference: the MX64 is going to be designed specifically for networking/routing, and its software is going to be optimized for it. Whereas a home-built box is not going to have the same hardware; it may be slower in some functionality, but more powerful in others. Ultimately, the home-built box will have more options, but not be as efficient power/size-wise.
 
A Cloud based security device screams all kinds of wrong to me.
 
This is the likely reason why people vote for Meraki...

ZK9vQtt.png
 
Does anyone think pfsense has a 'backdoor' that can allow 'big brother' in?
 
So I have been using the Meraki for about 2.5 years. No complaints. As stated, 'set it and forget it'. License renewal comes up next year and it looks pretty hefty. I can pay it, just don't know if anyone sees a reason not to (better devices?). Not sure if the Meraki can do ad-blocking. Can't seem to find anything on that.
 
Meraki is for IT departments and CIOs that don't want to invest in Network Engineers, hence the opex cost.

If you want to do application filtering, use PFSense and local applications installed directly on devices. Let a stateful firewall be a stateful firewall. If you want any sort of NGFW capability to work well, you're going to either have to open your wallet or spend the time tinkering with Linux-based firewalls.
 
+1 for pfsense! The only upside for the Meraki I see is that you have 3 years of licensing.
 
I don't know if pfsense has gotten more features or not in the past 3 years, but it will do ad-blocking, geo-blocking, intrusion detection and prevention, rudimentary antivirus, run a VPN server, and all other basic firewall things. So all the things you asked about years ago and the other day. You can also use Snort and add-ons for application detection and blocking:
https://www.netgate.com/blog/application-detection-on-pfsense-software.html
Performance is very high and you get patches for security issues. I'm betting the Meraki is probably slower today than it used to be from patches, or you didn't even patch it, which is an issue. So I'd save a lot of money and use pfsense.
 
Yeah, my Meraki is up to date with the latest firmware. Doesn't seem like it has slowed down over its service life. The Meraki uses SNORT for its IDS, which is a single-threaded application. I do like that pfsense has that option as well, but it also can use Suricata, which is multithreaded. I think the Meraki doesn't do as much as I'd like it to, given its limited hardware at the MX64 level. To ask it to do more and not slow down would mean I would have to go up to a higher class, which means more $$$$.
 
MX64, but not for performance. Also keep in mind that to block countries you'll need an advanced security license. This used to be standard but they paywalled it (those fuckers).

I manage an MSP and we use Meraki everywhere we can. We're a small outfit and our resources are limited. It has some advantages in my scenario.
- Easy for my junior guys to understand.
- The automation stuff makes our job a lot easier.
- We get next-day advanced replacement if a piece fails, no more managing SmartNet or other warranties.

For the most part, everything is laid out well in the single pane of glass. That said, I'm also a big critic of Meraki. It's not all sunshine, but for us it's our best option, I feel like.
 
You can also get a free Fortigate if you listen to their sales pitch. That might be worth it.
 
For clarification.

https://secure.fortinet.com/LP=6541

"By scheduling, you confirm that you are not a current Fortinet partner, government entity and your company has more than 250 employees."

"Recipient must be of the legal age of majority where the recipient resides, a legal U.S. resident, and not: an employee of Fortinet, a Fortinet reseller or partner, a consultant, a Fortinet competitor, or a government affiliate. To receive the gift you must: (a) be an IT professional currently employed at a company with at least 250 employees, (b) complete the phone or in-person meeting with a Fortinet Account Executive, and (c) sign Fortinet's Product Awareness Gift Acknowledgement Form. The initial conversation will be conducted by a Fortinet Business Development Representative to qualify the need prior to scheduling."
 
I tried the link but it says the link expired from the person who invited me. And I'd be in the same boat when the license expires. Is it worth it to renew or roll my own?
 
I just don't like the fact it's so expensive to renew.
 