We are a non-profit. Our parent organization is abandoning 3 Cisco UCSC-C220-M3S servers and I asked them to send them to us instead of dumping them.
The question is which would be better for us to use for pfSense:
one of these servers, or a NETGATE 6100 MAX PFSENSE+ SECURITY GATEWAY?
In fact, is an old 1U rack-mounted server dedicated to pfSense better for me than a Netgate appliance? I don't care if it is overkill. (I am not into running my firewall as a virtual machine.)
Power consumption, heat and noise are not a consideration, as the server room is isolated, runs via solar panels and has decent cooling. There are several other devices running in there anyway, so this one unit will not be a significant additional load (I think), since we are also abandoning a huge old 4U Dell server.
My environment has 100 users with two internet connections. I use HAProxy, WireGuard and OpenVPN, DNS, Let's Encrypt, Zabbix Agent, and I intend to add pfBlocker and maybe Suricata (don't know yet if I need it).
On the internal side I have 4 networks, only two of which need to get to the internet.
Also, I have configured two VLANs, one for regular WiFi users and the other for guests. My switches and access points are Ubiquiti UniFi switches, although I might add some Meraki WiFi into a section of my network (a warehouse).
One other thing to note.
I have been using a combination of pfSense and Untangle (now Arista) because Untangle offers some decent reporting, Active Directory integration (for blocking by AD group, for example) and a few other minor things.
Basically it looked like this:
Internet Connections —> pfSense —> Untangle —> Internal Networks
The change would be to:
Internet Connections —> pfSense —> Internal Networks
I prefer pfSense, and I believe removing Untangle would not only save me some money but also simplify my network management.
I don’t know what that means. I am not a formally trained network engineer.
What I know is based on experiments and experience.
I am actually a software developer that grew into management.
Judging from what Google tells me, I think you are asking about the stuff I currently use Untangle for. I am guessing that is what I would use Suricata for.
If this is what you mean, then I would only pull out Untangle when I find a pfSense package that can replace the functionality (or if I convince myself that I can live without the feature).
It becomes a much more manual process doing traffic inspection with pfSense packages than using a product such as Untangle. You want to make sure you are doing SSL/TLS decryption, which you'll need to use something in addition to Suricata for.
Those are a bit old, but they should work. There is going to be a lot of noise and heat with those servers. Their life will be limited by how quickly Linux and BSD adopt the x86-64-v3 standard; those old processors are not compatible. But they might get you a couple of years down the road until you can save a bit of money towards more modern hardware.
The L7 inspection refers to application-level filtering, not really something that works very well on pfSense.
People hate this, but Zenarmor can (probably) do this type of filtering, but for most things you will need the paid version. A non-profit might be able to get a 50% discount, but it is still going to be several hundred dollars a year. Good people; send them an email and ask. They have a full firewall that runs on Linux, or as a plugin to OPNsense, and you should probably look into this before deciding. I think you can cram Zenarmor into pfSense, but it isn't a simple plugin, which means updating the firewall can be interesting.
Doesn't Untangle handle all the firewall duties as well as the traffic filtering? Or is this an Arista problem now that they own the product? The highly functional choice would be to stay with Untangle; learning new stuff that may or may not save money might be Zenarmor.
I will say that if you go to OPNsense, the Suricata implementation is still confusing me. It's working and seems to catch the things that CrowdSec doesn't catch, but managing it is different from pfSense and I'm still having a hard time adjusting. That's really my only complaint after switching from pfSense to OPNsense. The Zenarmor free plugin is doing pretty much everything I had e2guardian doing on pfSense, and since it's a plugin, it's straightforward to get working. I'm figuring out how I can work the paid version into my budget to be able to get the other features and see how well they work for me. Is Zenarmor as good as Untangle? Not in the free version; not sure about the paid version yet.
If you need to filter sites, then either look for a Zenarmor method or stay with Untangle. I'd look at both and see what the costs are going to be, and how much of a learning curve you need to handle (time = money, and we usually don't have either).
If you decide to go with a Netgate appliance, the 6100 looks decent; I'd go for the MAX version and hope you can upgrade the RAM. I prefer 16 GB in my devices (even if half or more sits idle). If you go OPNsense, I'd probably suggest the DEC2752 or DEC2770, which are both a bit more money.
Or, as I said, you can probably get 2 years out of those old servers. If you have time, it would be worth giving them a test with the open-source firewall of your choice. At least then you would know that you can build a backup quickly if you have a hardware failure of whatever solution you do decide to use. Knowing you can put a backup in place in a short time is a valuable thing for peace of mind.
As a person who has installed Untangle at numerous satellite offices for various businesses over the last 6 years, I stopped using Untangle. Using Untangle L7 reporting required QUIC to be disabled, which in turn increases the amount of web traffic for HTTP requests. And with the future direction of the HTTP protocol standards, the current methods used by Arista will become obsolete.
I have moved many of these sites to pfSense on the same hardware I was using for Untangle. The loss of L7 reporting hasn't been catastrophic, and I would say nobody really asked for rules based on time of day/application access.
For the one client that still wanted to see L7 traffic, I built an ntopng transparent bridge box that sits between the PC VLAN and the pfSense router. A bit of a learning curve, but the client is happy.
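As an added illustration (not part of the post above, and not the poster's own configuration): one way to build the transparent ntopng bridge described, assuming a Linux box running systemd-networkd, with eth1 and eth2 as the two bridged ports (PC VLAN side and pfSense side) and eth0 as a separate management NIC. The interface names and the 192.0.2.10 management address are assumptions. The bridge gets no IP address, so it is a pure layer-2 hop that the hosts on either side cannot see; ntopng captures on br0 and exposes its web UI only on the management address.

```ini
# Added example, not from the original post. Assumed: Linux with
# systemd-networkd; eth1/eth2 are the two inline ports, eth0 is a
# separate management NIC with address 192.0.2.10 (all assumptions).

# /etc/systemd/network/10-br0.netdev
[NetDev]
Name=br0
Kind=bridge

# /etc/systemd/network/20-br0-ports.network
# Both inline NICs are enslaved to the bridge.
[Match]
Name=eth1 eth2

[Network]
Bridge=br0

# /etc/systemd/network/30-br0.network
# Deliberately no Address= and no DHCP: the bridge stays layer-2 only,
# which is what makes it transparent to the PC VLAN and to pfSense.
[Match]
Name=br0

[Network]
DHCP=no
LinkLocalAddressing=no
IPv6AcceptRA=no

# /etc/ntopng/ntopng.conf
# Capture on the bridge; bind the web UI to the management NIC only.
-i=br0
-w=192.0.2.10:3000
--local-networks=192.168.10.0/24
```

Because the box sits inline, its failure takes the whole PC VLAN offline; plan a bypass (a fail-open bypass NIC, or a documented cable swap back to the direct pfSense port) before putting it in production. Since ntopng only observes traffic here, the pfSense rules remain the single point of enforcement.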
Make sure you buy some extra warranty with the Netgate devices. I had a bad experience with my SG-4100. Nothing special, just home use, but the MMC died after 1.5 years.
Going with the official Netgate hardware, you get more support. The $129 only covers pfSense Plus and some basic initial setup.
It is interesting to see how important L7 inspection and IDS/IPS are for other companies. I was always turned off when I recommended pfSense compared to SonicWall.