pfSense Vs. Ubiquiti ERlite?

ZzBloopzZ

Hello,

It is time to replace my old Netgear WNDR3700 v1. It is slowly starting to crap out. I have to restart it every 3-4 weeks, even with the latest trunk OpenWRT firmware. I want to replace it with something more powerful.

Debating between pfSense and the Ubiquiti ERlite. Will also be purchasing a Ubiquiti UAP AP. I have ~30+ devices on the network. There are two people in the house who telework via VPN. Doesn't the encryption tax the router a bit? I would also like to use QoS since we are heavy downloaders/streamers. Currently on 50/50Mbit FiOS.

FYI, I have two ESXi systems with modern Xeons with 32GB DDR3 each, so I would not need to spend more money if I go the pfSense route besides a dual Intel NIC card.

I am on the fence overall. Such great reviews with the ERlite, and I like the idea of a dedicated device so if the ESXi system were to go down, we still have internet. On the other hand, pfSense seems very powerful/flexible. It would also be a great/fun learning experience. I do want to learn more about networking/cyber security, so perhaps pfSense is the solution?

Appreciate all feedback.
 
Well, it depends...
While the ERL is faster than the WNDR3700 it's not going to be night and day. Since you want to use QoS, hardware acceleration is going to be deactivated, so I would guess that you'll be seeing about 150-200mbit or so in throughput. The ERL will do about 10-15mbit using OpenVPN per core (single threaded), so expect overall performance to drop when you're maxing out the VPN. Worth keeping in mind is that having a dedicated device is quite handy if you have family members who don't know how to restart VMs. OpenWRT (trunk) does also run on the ERL so it might be an option, especially if you want to use QoS. TP-Link Archer C5 might be a suitable replacement for the WNDR3700 otherwise, and it's of course supported by OpenWRT.
//Danne
 
wait a minute, two people in the house use VPN to telework...

so.... you're not actually going to be running your router as an endpoint, right?

if the clients are what's connecting to VPN, then it will not affect performance on your router...

this question seems to be asked a lot recently... i personally run pfsense, but i have a dedicated box

at work i got like.... 20 of the edgerouters deployed... i say they're both great, i think for home the pfsense is good tho... and i already had the hardware
 
You also probably want to run http://opnsense.org/ rather than PFSense these days...
//Danne

Uh, OK. Mind actually expanding on that and explaining your position instead of just doing a link-and-run?

So far as I can tell from a brief skimming of their website, OPNsense is simply a new fork of pfSense made for the sake of building/expanding a consulting business, with promises of code cleanup and features that may or may not happen. Maybe it'll work out well, similar to how Ubiquiti forked Vyatta for the EdgeRouter series, but until we see some actual reviews and shootouts between pfSense and OPNsense there's nothing to base your recommendation on.

(And, to be honest, your post makes you look like a shill.)
 
FYI, I have two ESXi systems with modern Xeons with 32GB DDR3 each, so I would not need to spend more money if I go the pfSense route besides a dual Intel NIC card.

You don't need another NIC as long as your motherboard (I'm assuming it's server grade since you have Xeons) has 2 NICs.

I see so many people using a dedicated NIC for pfSense under ESXi and, after doing it both ways, I see no real benefit over using the 2 onboard ethernet ports (one with only pfSense WAN connected, other port for management network and LAN).

The thought process seems to be that it will be more secure with a dedicated NIC, but with WAN on a port by itself, I just don't see how the attack area is increased. An attacker would have to get through your firewall to gain access to the management interface.

Not recommending someone run pfsense this way in production, but I see no problem for home use, however maybe someone more versed in security can call me out if I'm missing something here.
 
You could use pfsense as a router-on-a-stick if you have a vlan aware switch. No need for extra hardware with that.
 
pfsense has been good to me for years, I'll stick with the known quantity.

As far as the original question, I use pfsense at 8 or 9 locations, and have a couple of ERL's as backups. There is no comparison between the 2, pfsense is far more polished and capable.
 
@ sc0tty8
Mainly because it uses FreeBSD 10 instead of the very old FreeBSD 8-series. That said, pfsense finally released their new 2.2 branch that uses FreeBSD 10.1
//Danne
 
I think the main reasons are that OpenBSD does have a smaller user base than FreeBSD, which means it attracts less interest overall, meaning that there are fewer vendors, developers, users etc. While this might be arguable, it essentially means that you're going to have a smaller user base and interest, with some exceptions, and that includes funding, work power etc. OpenBSD is famous for many of their own projects and they should be proud of them, as many are very advanced, well written applications; however OpenBSD overall is known to be very strict about things in general, which I guess makes co-projects a pain for larger corporations, especially when some are "non business-friendly" when projects go sour in public relations. This also reflects on drivers and performance, where OpenBSD is in some areas behind others by quite a bit. Work is being done, but given the above, progress is slower compared to other operating systems such as FreeBSD. FreeBSD does have more drivers, better overall compatibility and performance in general. That said, OpenBSD does have very good performance at some workloads, but not overall in a way that excels FreeBSD. I also think that m0n0wall being based on FreeBSD made the choice even more favorable, and devs probably had in mind that applications such as Squid etc. might be added later, where FreeBSD is considered a very important platform compared to OpenBSD.

Just my take on it...
(corrected a bunch of typos...)
//Danne
 
That's all fine and good, but for a firewall, I want correctness first and performance next. IPv6 is basically broken for PF in FreeBSD and the performance of PF itself improved so much, it probably even offsets the performance advantage of FreeBSD.

And regarding drivers, you'd be surprised what works out-of-the-box in OpenBSD. Even my i218-V Intel NIC on my newest socket-1150 board is working just fine.

But I understand my advocacy isn't really helpful if you're dependent on the web interface that pfSense provides.

Edit: I don't really understand the point about the user base when the main module of the firewall - PF - comes from OpenBSD and FreeBSD has an ancient version of it. What good is the user base if the software is lacking?

The point about addon software and its performance is certainly valid, even though I personally think a firewall has to have zero listening ports.
 
There's a tradeoff: if you're a firewall junkie you most likely don't want pfsense at all. FreeBSD works well enough for the majority and the ground work is already done on that platform. Since they're aiming at making pfsense their business, you need to cover as many areas as possible without doing it poorly, otherwise you'll just be one in the crowd. Yes, IPv6 needs work, but only a very small userbase has IPv6 at all.

You're missing that you aren't the only user here; the majority of users just want it to work. Most can't/won't buy new "compatible" hardware just to make pfsense/* work, they'll just use something else, and in that regard FreeBSD is ahead of OpenBSD in terms of compatibility, but Linux wins by far. This is most likely the reason why Askozia PBX switched from FreeBSD to Linux....

//Danne
 
That's why I love these forums. So many people use pfSense for home and business, yet here we have a knowledgeable person, a firewall junkie, voicing an opinion against. I plan on bringing more pfSense into production at work but I value all opinions and I for one am very happy to hear both sides. I'm glad this forum isn't one sided to hardware, software, and distros!!! :)
 
@ sc0tty8
Mainly because it uses FreeBSD 10 instead of the very old FreeBSD 8-series. That said, pfsense finally released their new 2.2 branch that uses FreeBSD 10.1
//Danne

So, OPNsense forked the pfSense 2.2 beta, slapped their name on it, and pushed it out?

We've still not heard why you believe OPNsense is the better of the two. I'd like to know, as I've been considering swapping in a virtualized pfSense instance to replace my ERL. What's so compelling about OPNsense to you?
 
@ BlueLineSwinger
No they didn't "only" do that, feel free to review the commit logs which are fully available.
I did mainly suggest it because they used a much newer base than pfsense at the time and they haven't closed off the building tools which pfsense have. From what I can tell, the webui seems to have been updated too.
https://github.com/opnsense

//Danne
 
@ TCM2

I think you have to realize that you aren't their main target and that your wishes aren't how the majority of users want to use it. In that regard, you're better off with m0n0wall or a similar distro. While I personally have nothing against pfsense as software, I do think that the majority of users would be more than fine on a MIPS or ARM platform, which would both save energy and money, not to mention much lower heat dissipation.
//Danne
 
I guess that the majority of pfSense users aren't even aware 1) of PF specifically, 2) where it comes from and 3) of its status in FreeBSD.

If anything, my criticism rhetorically targeted the makers of pfSense.

Personally, I run plain OpenBSD and vi /etc/pf.conf.
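For readers who have only seen pf through a web interface, here is what a hand-written /etc/pf.conf for a small home router looks like. This is an added illustration, not the poster's own configuration: the interface names (em0, em1), the LAN prefix and the choice of SSH as the only management service are assumptions. It also shows the point raised earlier about the management interface: nothing on the firewall itself is reachable from the WAN side, and the management port is only passed from the LAN network to the firewall's LAN address.

```pf
# Added example of an OpenBSD-style pf.conf for a home router/firewall.
# Interface names, addresses and the management port are assumptions.
wan     = "em0"
lan     = "em1"            # on a router-on-a-stick this would be e.g. "vlan10"
lan_net = "192.168.1.0/24"

# Services the firewall itself listens on; only SSH here, LAN-side only.
mgmt_ports = "{ 22 }"

set skip on lo
set block-policy drop      # silently drop rather than send RST/ICMP unreachable

# Normalise packets (reassemble fragments) before any filtering rule sees them.
match in all scrub (no-df)

# Source NAT for the LAN out of the WAN interface's current address.
match out on $wan inet from $lan_net to any nat-to ($wan)

# Default deny in both directions, logged so misconfigurations show up in pflog.
block log all

# Drop packets whose source address does not belong on the interface they
# arrived on (spoofed traffic), before anything else is evaluated.
antispoof quick for { $wan $lan }

# Management: only LAN hosts, only to the firewall's own LAN address.
pass in on $lan proto tcp from $lan_net to ($lan) port $mgmt_ports

# LAN hosts may initiate anything; state entries let the replies back in,
# so no inbound rule on $wan is ever needed.
pass in  on $lan from $lan_net to any
pass out on $wan from any to any
```

Load it with `pfctl -f /etc/pf.conf` after checking the syntax with `pfctl -nf /etc/pf.conf`; `pfctl -sr` prints the rules as pf actually parsed them, which is the quickest way to confirm that the only `pass in` rules are on the LAN interface.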
 
Man, this thread is all over the map... I used a dedicated pfSense basement box for years and ran it on a toaster. It was stable and did everything I wanted it to do. Maybe there are other solutions to consider, but pfSense/FreeBSD has a large support community and performed flawlessly for my needs.
 
@ TCM2
FreeBSD and /etc/pf.conf ;-)
That said, all these boxes do a lot more than just firewalling
//Danne
 
Man, this thread is all over the map... I used a dedicated pfSense basement box for years and ran it on a toaster. It was stable and did everything I wanted it to do. Maybe there are other solutions to consider, but pfSense/FreeBSD has a large support community and performed flawlessly for my needs.

Yep. I also used pfSense for quite a while. It worked great. I only replaced it when the ERL was released, because the ERL was cheaper than getting gigabit NICs for my pfSense box.
 
I currently run pfsense on an old P4 server board with dual gig NICs without issue for over four years on a 100/100 meg internet connection. The setup works great with my UniFi UAP-AC WAP which I hope to get a second of when things get fully fixed with that unit on the software side. I like the flexibility pfsense has with moving the config between hardware without too much issue.
 
I've used pfSense on an old computer and toyed with the idea of doing a pcengines build with pfSense. I ultimately decided to go with the ERL.

The main driver was the hardware package. I wanted something that had a similar physical and power footprint as standard consumer routers (the ERL sips power). The second thing was that EdgeOS is Linux based, which I liked. EdgeOS doesn't have as many bells and whistles as pfSense, but it certainly holds its own on core features.
 
I'll never understand why you'd want PF (well I understand _that_) but then use an OS with an ancient implementation of it instead of the real deal (OpenBSD).

http://networkfilter.blogspot.de/2014/12/security-openbsd-vs-freebsd.html#pf_magic
https://lists.freebsd.org/pipermail/freebsd-pf/2014-July/007391.html

Very very interesting. I'd love to hear from the FreeBSD (and pfSense) authors to explain why this is.

Not being a BSD/Linux guru, I'd love to see how many of those default and tweaked features are in other firewalls, or if they are even necessary and beneficial.
 
Never had to deal with him personally, but what you can see from the mailing lists, his bullshit detector is on a hair-trigger and he cares more about the technical side than about humans.

I don't even find that bad. You don't have to like the guy to use his stuff, and if the code he produces and approves is free from bullshit, it's better for me.

PS: The thread referred to in that (dead) pfsense.org link is this: http://marc.info/?l=openbsd-misc&m=126037728930452&w=2

Edit: Just reading that thread for the first time. The main issue seems to have been that OpenBSD guys have a fundamentally different definition of "user" from everyone else. If you need a CD you can boot, press Enter a few times and enter some minimal information to have a fully functional system with a web interface, you are not a user in OpenBSD terms. You're not even on the radar. A "user" in OpenBSD land is an admin that eats UNIX for breakfast and uses the shell blindly. That's why they viewed the ComixWall project as useless to the OpenBSD project and told the guy to take his ads elsewhere.
 
Still debating. I decided if I do pfSense, it will have to go on the TS140, which currently has only one port. I have to buy a PCIE 2.0 NIC for compatibility purposes so the NIC's are $100+. Same price as the ERL.

Decisions, decisions.
 
I must be missing something; why do you need a $100+ NIC to get pfSense running on a TS140?

If you need a "server-class" NIC, I bought a new dual-port Pro/1000 PT PCIE NIC off eBay a while back for like $35. There are hundreds of them on eBay.
 
@ TCM2 and Valnar
It's been clearly stated that FreeBSD and OpenBSD have diverged too much so it's not that simple to just commit everything from upstream. NetBSD made their own version of a packet filter called npf which does have portability in mind and there seems to be some interest in porting it to FreeBSD. That said, it's probably a better way (less work in porting and maintaining it) to go than trying to resurrect the current version of pf.

@ ZzBloopzZ
What iroc409 said: you're basically fine with anything that's branded Intel, but most Broadcom NICs work just as well and these can be found even cheaper.
//Danne
 
I must be missing something; why do you need a $100+ NIC to get pfSense running on a TS140?

If you need a "server-class" NIC, I bought a new dual-port Pro/1000 PT PCIE NIC off eBay a while back for like $35. There are hundreds of them on eBay.

TS140 only has PCIe 2.0 slots, which are not backwards compatible with 1.0. Pro 1000 PT = PCIe 1.0. Also, on top of that BS, Lenovo whitelists their NICs, so you can only use Intel OEM or Lenovo NICs; HP/Dell system pulls will not work.

Bunch of threads on this on Lenovo forums and Amazon reviews. My only option is a PCIe 2.0 card, which would be the Intel I350-T2.

I ended up just ordering an OEM I350-T2 on eBay for $58, from China. Hope it is legit.
 
Very very interesting. I'd love to hear from the FreeBSD (and pfSense) authors to explain why this is.

Here's one of us, just took me a little bit to find the thread. :)

I'll never understand why you'd want PF (well I understand _that_) but then use an OS with an ancient implementation of it instead of the real deal (OpenBSD).

This is really quite the myth. The "old pf" stuff that OpenBSD people like to reference would make sense if it was really years and years out of date and unmaintained. But it's not. FreeBSD pf is still actively developed, and for most all uses the only difference between them is the config syntax. Oh, and the fact FreeBSD pf is significantly more scalable if you have > 1 CPU core, since it was made SMP-capable for FreeBSD 10. Most of the issues noted in that link were fixed separately, and others have fixes in active development now (IPv6 fragmentation, specifically).

The paper from this talk should be available soon.
https://2015.asiabsdcon.org/timetable.html.en#P10A

Which shows OpenBSD does fine in comparison to FreeBSD pf and Linux with iptables when there is 1 CPU core. Beyond 1, FreeBSD 10.1 pf and Linux scale, OpenBSD doesn't. If your firewall's a Pentium II, OpenBSD is your OS. With most CPUs made in the past decade, if you want scalability, you don't want OpenBSD.

There are certainly a bunch of scenarios where the lack of scalability on OpenBSD doesn't matter. Many people have way over-scaled their firewall hardware relative to their throughput requirements. It's a solid OS choice if you want to manually configure things, or otherwise prefer it for some reason, and don't need more scalability than it's capable of. But the "old pf" vs. "new pf" argument doesn't hold up to scrutiny for the majority.
 
Here's one of us, just took me a little bit to find the thread. :)



This is really quite the myth. The "old pf" stuff that OpenBSD people like to reference would make sense if it was really years and years out of date and unmaintained. But it's not. FreeBSD pf is still actively developed, and for most all uses the only difference between them is the config syntax. Oh, and the fact FreeBSD pf is significantly more scalable if you have > 1 CPU core, since it was made SMP-capable for FreeBSD 10. Most of the issues noted in that link were fixed separately, and others have fixes in active development now (IPv6 fragmentation, specifically).

The paper from this talk should be available soon.
https://2015.asiabsdcon.org/timetable.html.en#P10A

Which shows OpenBSD does fine in comparison to FreeBSD pf and Linux with iptables when there is 1 CPU core. Beyond 1, FreeBSD 10.1 pf and Linux scale, OpenBSD doesn't. If your firewall's a Pentium II, OpenBSD is your OS. With most CPUs made in the past decade, if you want scalability, you don't want OpenBSD.

There are certainly a bunch of scenarios where the lack of scalability on OpenBSD doesn't matter. Many people have way over-scaled their firewall hardware relative to their throughput requirements. It's a solid OS choice if you want to manually configure things, or otherwise prefer it for some reason, and don't need more scalability than it's capable of. But the "old pf" vs. "new pf" argument doesn't hold up to scrutiny for the majority.

Hey what ever happened to the plans to put pfsense on the edgerouters?
 
Hey what ever happened to the plans to put pfsense on the edgerouters?

MIPS toolchain is fscked, (strip breaks static libraries). Fix is in FreeBSD -HEAD, but impossible to MFC, so it won’t be in 10.2, never mind 10.1.

Since we don’t want to release pfSense built against -HEAD or -CURRENT, and don’t want to release pfSense with a custom toolchain, we’re likely going to have to wait for FreeBSD 11 to make this happen.

We will likely make an experimental release available for ARM sometime this year.
 
@ BlueLineSwinger
No they didn't "only" do that, feel free to review the commit logs which are fully available.
I did mainly suggest it because they used a much newer base than pfsense at the time and they haven't closed off the building tools which pfsense have. From what I can tell, the webui seems to have been updated too.
https://github.com/opnsense

//Danne

So OPNsense forks pfSense in September/October, doesn’t fix a ton of issues with the then FreeBSD 10.0 base, releases their very buggy FreeBSD 10.0-based version on 3 Jan, and pfSense releases a 10.1-based on 23 Jan, but “they (OPNsense) used a much newer base than pfsense at the time”. I fail to see where your point is accurate or supportable.

I suggest that Danne/dizzy needs to take his(?) advice and review the commit logs, which, as he states, "are fully available" (for both projects).

BTW, the tools aren’t “closed”, they’re available via a license that says, “Don’t call the result pfSense (that’s our mark), attribute where you got it, and don’t remove the copyright statements”. Also, if the tools are “closed” as Danne/dizzy states, how did opnsense fork pfSense?
 
I'll never understand why you'd want PF (well I understand _that_) but then use an OS with an ancient implementation of it instead of the real deal (OpenBSD).

http://networkfilter.blogspot.de/2014/12/security-openbsd-vs-freebsd.html#pf_magic
https://lists.freebsd.org/pipermail/freebsd-pf/2014-July/007391.html

Your "ancient implementation" phrase just quotes the OpenBSD party line, which is not truth. Rather than re-post here, you can read the rebuttal on the pfsense list. Second link is just URLs for the paper and slides referenced in the first.

http://lists.pfsense.org/pipermail/list/2015-April/008611.html
http://lists.pfsense.org/pipermail/list/2015-April/008614.html
 