2021 Firewall Review, Feature Comparison and Recommendations:

@LTS_Tom Would it be possible to include e.g. MikroTik firewalls in the comparison chart, too? (in the next iteration of this video) (E.g. using their CHR version for the testing and comparison)

I mean, they are coming out with a new series of routers. The newest edition being the CCR 2004-1G-12S+2XS in the 2000 series from MT. (+ a teaser about 100G in their Sep '20 (97) newsletter)

Their convoluted interface making them more difficult to configure, and the lack of any amazing features over something like pfSense besides being low cost, mean I don’t really have a compelling reason to learn their platform. They have also had a dubious security history, such as this exploit: NVD - CVE-2020-11881

I admit the MT brand of ROS has had its fair share of big issues. Though I still think the platform - to an extent - has a powerful programmatic interface, despite it being ‘low-cost’ and easily misconfigured by the average layman or Dohn Joe. Winbox, too, has had its share of vulnerabilities that - if not secured properly - are easily exploitable. All true. Though, in my opinion, I still do not think it does not deserve a rudimentary fair position in your FW comparison chart. Yes, the learning curve is not low. That is the up- and downside of ROS being flexible to configure, in exchange for requiring a ‘somewhat’ steep learning curve in the beginning.

pfSense (my comparison) had a steep learning curve, too. It was easy to get working with one LAN and WAN interface. All things after that, policy routing, multiple VPN tunnels + NAT, IPv6-PD over a PPPoE internet access, multiple VLANs and securing access properly between VLANs, in my honest opinion had their fair share of a learning curve (for me).

Having good documentation available is part of what makes a good firewall. So while there is a steep learning curve for both pfSense and MikroTik, pfSense has way better documentation to help people overcome that learning curve. Also, I am not telling people not to use MikroTik, I am saying that I don’t have an interest in using it.

The killer feature in pfSense for me was no limit on OpenVPN servers.

Having previously used Asus routers with Merlin firmware, it was limited to 2 OpenVPN servers. However, the breaking point was having my “data” siphoned off to a 3rd party if I wanted to use some additional features!!

pfSense will suit most home users. It has a steep learning curve, but the information is out there if you are prepared to get your hands dirty.

Fair enough, of course! :sweat_smile:

We all have our own personal preferences for what we will support and invest our time into using (and learning to use!) :sweat_drops:

Your critique is completely fair. E.g. I would never dream of using e.g. Untangle. (did a demo once and decided it was not for me)

True. We all have our make or break wishes for certain software solutions.

What has had me greatly annoyed with pfSense is how IPv6-PD is implemented. If I add another interface (either physical or VLAN) the IPv6 tracking interface must be restarted before recently created interfaces will receive an IPv6 prefix from the upstream Prefix Delegation.

Great video, Tom. I deploy a bunch of USGs because I have a ton of small clients and as you said, it’s better than the ISP router. For the basic, VLAN for LAN, guest, and printers/IoT, they are tough to beat because they deploy so fast and cost so little. Also, if you are using UniFi switches and APs, the interface offers great visibility.

With that said, I’m looking for something better than SonicWalls for my larger clients. I was looking at Untangle and in the video, you mentioned features for $150. On the Untangle site, the basic features are $162 each, or $270/year for “NG Firewall Complete.” Am I missing something or is that dealer pricing?

Tom showed the pricing for the home licenses. Business licenses are more.

For the next firewall review video I may add this disclaimer to the beginning:

Just because I don’t use or review something does not mean I am against it, that mentality is very confusing to me. I have not been telling people not to use it, I just say there is nothing compelling about it to make me want to learn it or use it.

Maybe it will reduce the number of people that seem to be upset I did not review their favorite firewall. :slight_smile:


Many thanks once again for your reviews and your comparisons videos. Always an adventure and an exciting one at that.

I trialed Untangle some time ago so worth a revisit based upon your latest video. I have used pfSense for a little over a year and am a devout advocate of it and its great documentation. Yes, the more complex things you like to do with it do sometimes take a little learning, but it’s part of the game and the process. It’s still my best ‘goto’ and recommendation when talking to people that should all look into better protection than their default ISP provided router/firewall.

Thanks again for your efforts and the info you provide.

Disclaimers are always great. (E.g. mention the top FW requests you have been getting, and have decided not to review.)
