pfSense Vs. Ubiquiti ERlite?

I've used OpenBSD, FreeBSD, pfSense, and just had an ER-Lite die on me.

OpenBSD: I've used this since the 2.2 days. Super fast/stable, rock solid, not for n00bs. OpenBSD has a primary focus on networking and is "upstream" for pf. If you want the most solid, up-to-date, secure firewall, use OpenBSD.

pfSense: I only used up to 2.1. I ended up having weird problems with it and found the GUI unintuitive. Last I checked, it had problems with IPv6 in general (high CPU usage on dhcpd6) and prefix delegation was broken. I'd avoid it right now. I ran it in KVM with emulated NICs and I couldn't get more than about 60 Mbit/s down on it on a 1090T in a VM. I could on an Intel Atom with real NICs, which is what I was using until I found out IPv6 was broken. Is it fixed in 2.2? Don't know.

ER-Lite: I had one of these and it died with light use in under 6 months. Flash corrupted. I received approval for an RMA, but am not going to send it in yet as I'm about to go on vacation and probably won't be home if they send it back to me. I like the OS. IPv6 works. They recently got IPv6 with PD working. Yay! Downside is the GUI doesn't have all the features the CLI has. Supports PBR (very cool!)

What I'm using now: VyOS. I needed a working firewall while pfSense was getting flaky (upgrades failing, weird firewall rule problems) and my ER-Lite was dead. This is Linux based and a fork of Vyatta. Because it's based on Debian, you can use virtio NIC drivers, so performance is good. On my 1090T KVM box I typically am using sub-10% CPU usage. Very nice, and free to download/use. I've found some bugs (port-group objects that are large error out when you try to use them), but I've found workarounds for that. CLI ONLY.
 
I've used OpenBSD, FreeBSD, pfSense, and just had an ER-Lite die on me.

OpenBSD: I've used this since the 2.2 days. Super fast/stable, rock solid, not for n00bs. OpenBSD has a primary focus on networking and is "upstream" for pf. If you want the most solid, up-to-date, secure firewall, use OpenBSD.

pfSense: I only used up to 2.1. I ended up having weird problems with it and found the GUI unintuitive. Last I checked, it had problems with IPv6 in general (high CPU usage on dhcpd6) and prefix delegation was broken. I'd avoid it right now. I ran it in KVM with emulated NICs and I couldn't get more than about 60 Mbit/s down on it on a 1090T in a VM. I could on an Intel Atom with real NICs, which is what I was using until I found out IPv6 was broken. Is it fixed in 2.2? Don't know.

ER-Lite: I had one of these and it died with light use in under 6 months. Flash corrupted. I received approval for an RMA, but am not going to send it in yet as I'm about to go on vacation and probably won't be home if they send it back to me. I like the OS. IPv6 works. They recently got IPv6 with PD working. Yay! Downside is the GUI doesn't have all the features the CLI has. Supports PBR (very cool!)

What I'm using now: VyOS. I needed a working firewall while pfSense was getting flaky (upgrades failing, weird firewall rule problems) and my ER-Lite was dead. This is Linux based and a fork of Vyatta. Because it's based on Debian, you can use virtio NIC drivers, so performance is good. On my 1090T KVM box I typically am using sub-10% CPU usage. Very nice, and free to download/use. I've found some bugs (port-group objects that are large error out when you try to use them), but I've found workarounds for that. CLI ONLY.

There was a batch of ER-Lites that had flash memory issues. It was one of the early batches that were still in plastic cases though.

The other thing to remember is that the EdgeRouters are closer to servers than they are to consumer routers. Lots of people restart these devices by just yanking the power cord out of the wall, not realizing that you can damage the filesystem if it happens to be writing data when you kill the power. A power outage or brownout can have the same result.
 
Uhm... wizdum, it's a consumer router in that regard unless UBNT did something very wrong with their firmware. OpenWrt handles this fine even on the ERL, so it's clearly a design issue in that case.
That said, they aren't rock solid as far as quality check goes and they do die just like everything else.
//Danne
 
There was a batch of ER-Lites that had flash memory issues. It was one of the early batches that were still in plastic cases though.

IIRC the ERLs simply use an internal USB flash drive, and there are instructions for replacing it and loading up firmware on Ubiquiti's site (maybe the forums).
 
Your "ancient implementation" phrase just quotes the OpenBSD party line, which is not the truth. Rather than re-post here, you can read the rebuttal on the pfSense list. The second link is just the URLs for the paper and slides referenced in the first.

http://lists.pfsense.org/pipermail/list/2015-April/008611.html
http://lists.pfsense.org/pipermail/list/2015-April/008614.html

All I see is bickering about performance. I never said performance is key in a firewall. I want my firewall to not completely fuck up IPv6, for example. Did they finally fix tcp reassembly or synproxy for IPv6?
 
IIRC the ERLs simply use an internal USB flash drive, and there are instructions for replacing it and loading up firmware on Ubiquiti's site (maybe the forums).

I'm not dorking around with it if it's under warranty. That is why I paid money in the first place.
 
All I see is bickering about performance. I never said performance is key in a firewall. I want my firewall to not completely fuck up IPv6, for example. Did they finally fix tcp reassembly or synproxy for IPv6?

Did you not say,

"IPv6 is basically broken for PF in FreeBSD and the performance of PF itself improved so much, it probably even offsets the performance advantage of FreeBSD."

The performance of PF on OpenBSD may have improved, but the problem they fixed likely was never an issue on FreeBSD. Moreover, we've clearly shown that the performance of pf in OpenBSD lags the one in FreeBSD by 3-4X.

I've allowed that the PF in released versions of FreeBSD has flaws *as they relate to IPv6*, but this is now being actively worked:

https://svnweb.freebsd.org/base/head/sys/netpfil/pf/pf_norm.c?revision=281164&view=markup

https://svnweb.freebsd.org/base/head/sys/netpfil/pf/pf_mtag.h?revision=278843&view=markup

https://svnweb.freebsd.org/base?view=revision&revision=280956

https://svnweb.freebsd.org/base/head/sys/netpfil/pf/pf_norm.c?revision=280690&view=markup

https://svnweb.freebsd.org/base/head/sys/netpfil/pf/pf_norm.c?revision=278831&view=markup
 
Yeah, my remark about performance was hasty because I don't really care, and it was based on knowledge from before FreeBSD made pf multicore.

It's good to see that they're catching up, though.
 
So OPNsense forks pfSense in September/October, doesn’t fix a ton of issues with the then FreeBSD 10.0 base, releases their very buggy FreeBSD 10.0-based version on 3 Jan, and pfSense releases a 10.1-based on 23 Jan, but “they (OPNsense) used a much newer base than pfsense at the time”. I fail to see where your point is accurate or supportable.

I suggest that Danne/dizzy needs to take his(?) advice and review the commit logs, which, as he states, "are fully available" (for both projects).

BTW, the tools aren’t “closed”, they’re available via a license that says, “Don’t call the result pfSense (that’s our mark), attribute where you got it, and don’t remove the copyright statements”. Also, if the tools are “closed” as Danne/dizzy states, how did opnsense fork pfSense?

Please don't go all hostile. They still used a newer base at the time, and whether you think that's good or bad is another topic. You're all up to date now, which I also mentioned, so I don't really understand what you're arguing about. As for the logs, you don't need to register/sign anything to read commit messages. I never said that they weren't retrievable at all; sorry if it sounded like that, because it wasn't intended, although they were unavailable for a period when you decided to move the build tools.
//Danne
 
The MIPS toolchain is fscked (strip breaks static libraries). The fix is in FreeBSD -HEAD, but impossible to MFC, so it won't be in 10.2, never mind 10.1.

Since we don't want to release pfSense built against -HEAD or -CURRENT, and don't want to release pfSense with a custom toolchain, we're likely going to have to wait for FreeBSD 11 to make this happen.

We will likely make an experimental release available for ARM sometime this year.

In all honesty, I wonder if it's even worth the effort if you're going to wait until FreeBSD 11 to go for the EdgeRouter Lite. I have a vague memory of it doing about 230 Mbit/s or so using iperf, and that's without any firewalling. ARM development is going at a pretty good pace in -HEAD, but boards with multiple Ethernet connections are still expensive. The BeagleBoard X15 looks like a pretty good candidate, although there's (obviously) no official support for it yet, but hopefully it's pretty similar to the other boards using the Sitara SoC. i.MX6 is probably the best supported SoC atm, but due to its design it's limited to ~430 Mbit/s using Ethernet, and the multiport boards/computers are even more expensive than their x86 counterparts.
//Danne
 
Please don't go all hostile. They still used a newer base at the time, and whether you think that's good or bad is another topic. You're all up to date now, which I also mentioned, so I don't really understand what you're arguing about. As for the logs, you don't need to register/sign anything to read commit messages. I never said that they weren't retrievable at all; sorry if it sounded like that, because it wasn't intended, although they were unavailable for a period when you decided to move the build tools.
//Danne

OPNsense did not use a newer base. They forked a broken version of pfSense (broken because we were doing the work of moving pfSense to 10 and weren't yet done; it took a TON of testing), they didn't follow the fixes that occurred after their fork, and they ended up shipping a broken first release. Hell, they only moved to 10.1 because people were pointing out that 10.0 would EOL in Feb.

What they did is rush a broken release to market. That isn't "first!", it's stupid and sloppy.

We were literally releasing something way better, based on FreeBSD 10.1, 20 days later.

Yeah, the tools were offline for a month. And people who wrote to me and expressed a need were taken care of.
 
In all honesty, I wonder if it's even worth the effort if you're going to wait until FreeBSD 11 to go for the EdgeRouter Lite. I have a vague memory of it doing about 230 Mbit/s or so using iperf, and that's without any firewalling. ARM development is going at a pretty good pace in -HEAD, but boards with multiple Ethernet connections are still expensive. The BeagleBoard X15 looks like a pretty good candidate, although there's (obviously) no official support for it yet, but hopefully it's pretty similar to the other boards using the Sitara SoC. i.MX6 is probably the best supported SoC atm, but due to its design it's limited to ~430 Mbit/s using Ethernet, and the multiport boards/computers are even more expensive than their x86 counterparts.
//Danne

People like running pfSense on inexpensive hardware. Since we're changing the architecture of how pfSense is built (and tested), it makes it easy to support MIPS and ARM.

Yes, I've noted that there are precious few ARM boards with multiple Ethernets. We're hooked up pretty closely with Circuitco (who make the BeagleBone/BeagleBoard, and are quite involved in the 96boards.org effort). Incidentally, 96boards is the brainchild of George Grey, who is the CEO of Linaro. If you check, George (and Bob Booth, the CFO at Linaro) were the CEO and CFO at Tadpole Technology.

And if you know where I worked between 1992 and 1996, you can probably put the rest of the pieces together.

We've also been making some moves on Intel platforms of late. RCC-DFFv2 is less expensive than every 2-port ARM board on the market.
 
One thing I've noticed on this thread is people referring to MIPS- and ARM-based solutions as superior because they sip power. While this is true and there is no debating it, if you appropriately size your power supply, your old desktop running pfSense will not draw ridiculous amounts of power. This is my pfSense build currently:

P4 3.0GHz | Generic Dell Desktop | 1GB DDR2 | 40GB HDD | 2 x HP NC112T PCI-E server NICs | picoPSU-160-XT + 160w external PS | pfsense 2.2.2 i386

Not exactly a power sipper. But with just one DIMM, the two HP NICs (which are rebranded Intel server NICs), the hard drive and the 160 W picoPSU, that power-hungry P4 rig only takes 50-55 W at the wall. If you connect a Kill A Watt and measure the kWh over a few hours, you'll know it is not expensive to run a full desktop running pfSense in terms of electricity.
 
Unless you do something overly advanced, the new dual-core MIPS SoCs use 12 V 2 A, do well beyond 300 Mbit/s, and cost less than $100. It doesn't run pfSense, but it does run OpenWrt and can do quite fancy things anyway... the D-Link DIR-860L B1 comes to mind...
//Danne
 