pfSense vs Untangle



Hi everyone,

I got to know about pfSense from the Ubuntu forum. The person also recommended Zentyal, Untangle and Smoothwall to me.

If I understand correctly, pfSense is just a firewall. It's not a UTM like Untangle.

Does that mean pfSense can't do the following?

- works well with Linux and Apple, probably can link up with Linux OpenLDAP

- something instead of tracking by IP address?

- appmonitor - blocks Facebook, Facebook chat, block URLs

- anti-virus and anti-spyware

- QoS - used for outbound SIP calls, priority port 5060

- SSL VPN - with apps on iPhone and iPad, Apple Macs to connect

- IPSec VPN (site-2-site vpn between HQ and branch)

- basic WAN acceleration

And do I need both pfSense and Untangle to work together?

They also said pfSense is not an IPS, so it can't prevent hackers hacking the PRI line (our main telephone line system) and anything SQL injection related.

However, from Untangle's perspective, I believe Untangle should be sufficient without pfSense.

But many complained about Untangle's slowness and the need for a better machine to run it.

Currently, I am evaluating the Palo Alto PA-500, but it's really too expensive. Then I evaluated the SonicWall NSA2400, still expensive, but the custom reporting (most important feature) works on Windows Server (non-Linux).

My current office environment is 30 Macs and 10 servers. We plan to hire more people, for a total of 50 Macs and maybe 20 servers in-house.

So can pfSense do all the above? Or do I still need to have a mixture?

Any help? Thanks.


I used pfSense at home. It's super easy to set up. I'm not totally sure if it will do all that you want it to, but since it's free, you should check it out. I highly doubt that it will do any anti-malware though.


pfSense can do all/most of those things.

Untangle is NOT an IPS/IDS. pfSense (and probably Untangle) can use Snort, which is an IDS and can act as an IPS when used in an in-line mode. Setting up Snort isn't the easiest thing in the world. You need to get a subscription on OINK (free for 1 month old definitions or paid for current definitions) to download updates, and you need to pick which signatures to use and how to store them in memory. You can increase the speed/efficiency with which Snort works by changing lots of settings and disabling normal logging and using Barnyard, etc.


Keep in mind that with Untangle you have to pay for some of the features. We use both here at work: pfSense as the router and Untangle as a captive portal/router for our wifi. We also use Untangle to do some virus scanning and things on our public network.

If you're just looking for a router/firewall/VPN then pfSense is great at it.

Keep in mind though that pfSense is free while some parts of Untangle have to be paid for.


You have a giant list of things in your post that reads like a spec sheet from some other product... but doesn't really indicate exactly what you are trying to do.

pfSense is capable of VPN+IPsec, QoS (ALTQ/HFSC), IDS (Snort), etc., but there are many more questions that have to be answered. Also, it is not clear to me why you would want a network device interfacing with OpenLDAP.

It's best to determine what you actually need it to do... and then go from there. Throwing everything and the kitchen sink at a problem generally will just result in even more problems. Getting all the above to work on one device (or even multiple devices) will certainly require significant time investment and patience.

You also need to think about the upstream/downstream bandwidth you are going to be dealing with... all that thrown together is going to require multiple layers of traffic inspection, which, depending on your requirements, means you are going to need some hefty hardware (with the appropriately picked network adapters). Add to that the mention of VPN+IPsec... you are going to be cutting throughput by a factor of 10 or more.


As for OpenLDAP:

coz I saw the SonicWall and Palo Alto solutions before this, and I could only see the IP address of each user. What if my user changes his own IP address, then how? I need to track by user name, something like that. Unless I am looking at the wrong thing, oops :p

Looks like pfSense is quite sufficient for me :) Plus it's free, unlike Untangle, where you still must pay for premium. But the pfSense UI is not as user friendly as Untangle, I think :p


If you have the machines you can use both. On our public networks we use pfSense as the firewall and router and have Untangle in bridge mode behind the router/firewall, scanning for virus/adware/intrusion protection and the other free stuff that Untangle does.

It works really well and they do not interfere with each other.


Noted and thanks, that clarifies stuff :)

Just one more question. I checked with Untangle support and they said there's no need for pfSense. Is there a reason to have pfSense at the main front? Is Untangle not sufficient, and can't it be used as a router too?


Well, they're gonna say don't use pfSense, they want you just to use/pay for their software. That's like phoning up Microsoft support and asking how to run a Linux server...

Do what you want to do and are comfortable with. If you're great with *BSD then try/use pfSense, or Untangle if you like Debian Linux.


Untangle is very bloated and you need a freaking rocket ship for it to run on. pfSense is happy in a VM on nothing for specs.

As mentioned, you didn't really say what you NEED, you kind of just posted their features list. Not exactly sure what

- something instead of tracking by IP address?

- basic WAN acceleration

are?

Now if you have a spare supercomputer laying around to run Untangle - sure, have fun, and you're going to pay for any real features. On the other hand, pfSense is FREE as in beer! And I've been using it for years - just plain rock solid!
