Migrating from Untangle NGFW to pfSense

Hi everyone,

I chose to post here rather than in the pfSense forum as, when I looked, the multiwan section is pretty quiet and almost no one replies to questions there. As with almost all other Untangle/Arista home users, I’m on the hunt for a replacement routing platform.
My situation: 2x 1Gb fiber WAN (“main” Untangle router) + 2nd Untangle router upstream for 3x Starlink residential services for backup. I live outside the US so fiber interruptions are almost 25x/year at 6h to 3d of outage. FO installs are also scarce, so I share my connections to 6 other neighbors. Switching to Starlink used to be uneventful, but with more SL subscribers in our area, SL seems to bottleneck now.

What I love about pfSense:

  1. Gateway groups - this should make WAN failover to SL more effective, as with Untangle I have to set up a two-router system to fail over to multiple Starlink services.
  2. HFSC QoS. Untangle uses fq-codel and while I don’t know for sure yet (haven’t tested it yet), I’m hopeful that with the ability to monitor queues I can tune the QoS so that my 12 neighbors and I can share Starlink bandwidth more effectively. Of course when we have FO, bandwidth isn’t a problem.

What I’d love some input on:

  1. Any way to monitor WAN failover. Untangle has stunning graphing capabilities that enable me to see at a glance where the WAN issues are. I’m not a CL person, so Grafana is going to be a steep learning curve. I would be happy to pay someone for help however!
  2. Using HFSC to throttle streaming services (YouTube/Netflix/TikTok et al.) when the network fails over to Starlink. I think I might be able to do that with floating rules in the FW, but I haven’t gotten that far yet in my learning. In Untangle, configuring QoS is a layer 7 dream, but not so much in pfSense.
  3. Blocking certain applications (social media/YouTube etc.) at certain times of day. I will sorely miss Untangle in this aspect, but if pfSense “just works” in the more critical areas of WAN failover and QoS then this might be a trade-off that I have to accept.

Thanks in advance for your thoughts.

This might be what you are looking for. You can monitor the status of each WAN in pfSense with the built-in tools. I have a video on that here:

It’s true that pfSense does not have good Layer 7 rules.

Thanks Tom! Thanks for all the work you’ve put into your content.
