By far one of the most overlooked things when it comes to pfSense is the ability to just make a router out of any piece of hardware that has 2 RJ45 ports. When the UniFi gateway or the Sophos device fails, you have to order a new one and can suffer serious downtime in situations where you may only have one router on hand with no redundancy. With pfSense in the same situation, you could virtualize it and load a backup and be back up and running in less than an hour, or you could simply take a spare network card and toss it in an older desktop and get back up and running. Emergency redundancy with pfSense is a $30 network card.
The most aggravating aspect I found in testing was the complete lack of real-time data supplied by the USG3. I was looking to “upgrade” from an ER-X and decided the lack of information was not worth the pretty interface.
Regarding “replacement times”…
The MSP should have plenty in stock…and be able to quickly swap out a failed part within an hour (including travel to onsite). We used to do a lot of pfSense, we’re pretty much all Untangle now, but we don’t use any old scrap computer picked up out of the boneyard pile, we use specialized industrial x86 platforms…and we keep at least several different sized ones in stock as “quick backup”. And we keep a few older units in stock for emergency backup. We also keep at least 4x of pretty much every model Ubiquiti device on our stock shelves…all edge switch and unifi switch, edge routers, Unifi routers, all models of APs…and several of the smaller various airMax radios as well as a couple of bigger ones and airfibers. For clients that “must not have” downtime, back when setting them up we had our consulting had one, and we sold them double…so they already have spares in their server room. And two Untangle firewalls running…for failover! Regarding the comment of a USG taking too long, I’ve been building various *nix firewalls for over 20 years now but I can have a USG swapped out at a client and have them up and running again a heck of a lot faster than I can install a *nix distro.
I would most certainly hope an MSP kept that on hand. Unfortunately, I run a school district that does not give me quite the amount of technology funding that I would need to keep such reserves, and the equipment we purchase for networking comes from E-Rate funding. The nearest MSP that supports pfSense is over an hour away and would be an unnecessary expense as I could substitute with other equipment until a replacement arrived, which is the point I was trying to make… Luckily, I will have two SG 5100s arriving next year to replace my single SonicWall, so I shouldn’t ever have to deal with this situation, but again, not the point I was trying to make.
We’ve done a few school projects under eRate/EducationSuperHighway, I always quote in extra/spares.
Before I used an EdgeRouter X, I used an ASUS RT-N16 with Shibby Tomato firmware. It provided per-interface traffic graphs for the last 24 hours with 2-minute intervals, and LAN-side per-IP traffic graphs, which made it relatively easy to determine what device caused a spike in internet usage in the middle of the night. That’s one thing that the ER-X sorely lacks.
Tom’s pfSense reviews and showing ntopng use made me wish there was something similar on the ER-X.