Switch from pfSense to UniFi Dream Machine

Hi,

I got a little carried away by the fact that Netgate seems to have discontinued support (and updates) for pfSense CE. I also got the impression that UniFi had caught up on functionality.

I have now bought a UniFi Dream Machine CE and attempted to move all the functionality from pfSense CE to my new UniFi setup. I like that everything is within the same ecosystem with UniFi but I must say that I am a bit disappointed with the lack of functionality in even the newest version of UniFi OS. Some examples:

  • No built-in functionality for issuing and renewing Let’s Encrypt certificates. WHY?
  • UniFi’s Dynamic DNS function does not support Cloudflare DDNS. WHY?
  • No built-in functionality for Reverse Proxy. WHY?

The solution is of course to spin up a bunch of Docker containers, but that unfortunately breaks my “one ecosystem” strategy.

Things are getting better with UniFi, but they are definitely not there yet. It’s such a shame that Netgate does not offer a one-time licensing fee that’s more minded towards home lab users.

Best regards

Jase-dk

Please do not present rumors and speculation as fact.

Yes, there hasn’t been a new release of pfSense CE for quite some time, and new features have only been released for pfSense+, also for quite some time now.

However, as of February 2025, pfSense CE 2.8.0 is still under active development: https://redmine.pfsense.org/versions/74

…and 2.7.2 is still actively maintained and receives patches and security updates via the System Patches add-on: https://www.netgate.com/blog/using-pfsense-software-system-patches


pfSense CE is not dead, just slow on getting 2.8. If you are itching to get off pfSense then move to OPNsense.

The new Unifi changes piqued my interest, but they’re not there yet. I do have an unused Dream Machine sitting in the basement. As a result, I will stick with pfSense as it does so much and is rock solid for me. I do not want to transition firewalls unless it provides additional functionality that I would need. Transitioning can be a lot of work to get everything set up properly.

Doubt they will get LE or Reverse Proxy options. While that is a nice feature in something like pfSense, there is not a huge business demand for that. Same with the DDNS.

Fair enough, there has not been any official communication from Netgate about pfSense CE being discontinued. Still, not much has happened on CE compared to the paid Plus version - and there has been a lot of talk…

I hope that Netgate will continue development on pfSense CE, or introduce a one-off payment for Plus (e.g. without Support) that is more digestible for home lab users. Personally I would rather spend a one-time amount of USD 585 for a UniFi Dream Machine SE than USD 129 per year for a pfSense license without any hardware.

I have worked a bit more on setting up my new UniFi Dream Machine SE. I have to say that I really like the new zone-based firewall rule scheme. I think it is now a lot easier to configure and maintain rules on the UniFi DM than on pfSense. I also like the integration with UniFi switches and APs, which provides an (almost complete) ecosystem. The new built-in DNS setup is also really nice.

I do still miss a built-in feature for creating and managing Let’s Encrypt certificates as well as a Reverse Proxy. However, as Tom has recently demonstrated, Let’s Encrypt certificates and a reverse proxy are easily solved with a Raspberry Pi running Nginx Reverse Proxy in Docker.

UniFi includes automatic updates for DDNS and they do support a lot of DNS providers. However, for some strange reason they do not support Cloudflare DDNS, although this has been requested by customers for a few years now.

All in all I am very happy with my new UniFi Dream Machine SE. It works really well, so I probably will not go back to pfSense. I must admit though that I have been very happy with pfSense CE over the past many years (Thanks Netgate).

jasedk
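The Cloudflare DDNS gap mentioned in the post above is the kind of thing that ends up in one of those “bunch of Docker containers”. The following updater is an added example and is not code from the forum thread, from Ubiquiti or from Cloudflare. It uses the Cloudflare v4 API (list, create and patch DNS records) with an API token; the zone id, token and hostname passed in are placeholders, and the HTTP transport is a plain callable so the decision logic (write to DNS only when the address actually changed) can be exercised offline against the fake transport at the bottom, which is constructed for this example.

```python
"""Cloudflare dynamic-DNS updater that writes only on change.

Added example, not from the forum thread, Ubiquiti or Cloudflare. Uses the
Cloudflare v4 API with a bearer token. zone_id, token and hostname are
placeholders supplied by the caller; `transport` is injectable so the logic
runs offline against FakeCloudflare (constructed stand-in, not the real API).
"""
import ipaddress
import json
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def urllib_transport(method, url, headers, payload):
    """Real transport: returns the response body bytes (urllib raises on HTTP errors)."""
    req = urllib.request.Request(url, data=payload, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def cf_call(transport, token, method, path, body=None):
    """One API call; unwraps Cloudflare's {success, errors, result} envelope."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    payload = json.dumps(body).encode() if body is not None else None
    resp = json.loads(transport(method, API + path, headers, payload))
    if not resp.get("success"):
        raise RuntimeError(f"Cloudflare API error: {resp.get('errors')}")
    return resp["result"]


def sync_a_record(transport, token, zone_id, hostname, current_ip, proxied=False):
    """Make the A record for hostname equal current_ip; returns what was done."""
    ipaddress.IPv4Address(current_ip)  # refuse to publish garbage (raises ValueError)
    query = urllib.parse.urlencode({"type": "A", "name": hostname})
    records = cf_call(transport, token, "GET", f"/zones/{zone_id}/dns_records?{query}")
    if not records:
        # ttl=1 means "automatic" in Cloudflare's API
        cf_call(transport, token, "POST", f"/zones/{zone_id}/dns_records",
                {"type": "A", "name": hostname, "content": current_ip,
                 "ttl": 1, "proxied": proxied})
        return "created"
    rec = records[0]
    if rec["content"] == current_ip:
        return "unchanged"  # the common case: no write, no rate-limit burn
    cf_call(transport, token, "PATCH", f"/zones/{zone_id}/dns_records/{rec['id']}",
            {"content": current_ip})
    return "updated"


class FakeCloudflare:
    """Constructed in-memory stand-in for the API, covering the three paths above."""

    def __init__(self, existing_ip=None):
        self.record = None if existing_ip is None else {"id": "rec1", "content": existing_ip}
        self.writes = []  # every write the updater issued, for inspection

    def __call__(self, method, url, headers, payload):
        assert headers["Authorization"].startswith("Bearer ")
        body = json.loads(payload) if payload else None
        if method == "GET":
            result = [self.record] if self.record else []
        elif method == "POST":
            self.record = {"id": "rec1", "content": body["content"]}
            self.writes.append(("POST", body))
            result = self.record
        elif method == "PATCH":
            self.record["content"] = body["content"]
            self.writes.append(("PATCH", body))
            result = self.record
        else:
            return json.dumps({"success": False, "errors": ["bad method"]}).encode()
        return json.dumps({"success": True, "errors": [], "result": result}).encode()


if __name__ == "__main__":
    fake = FakeCloudflare(existing_ip="203.0.113.10")
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.11"):
        print(ip, sync_a_record(fake, "token", "zone", "home.example.com", ip))
    print("writes issued:", fake.writes)  # one PATCH despite three runs
```

For real use, pass `urllib_transport` instead of the fake and feed `sync_a_record` the WAN address from whatever the container can observe (for example the UDM’s WAN interface or an external IP-echo service); run it from cron or a loop, and the “unchanged” path keeps it from touching the API on every tick.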

Netgate has the same option as UniFi for no recurring fees, BUY THEIR HARDWARE. It’s really the same model, selling hardware pays for the development of the software.


I’m sure it will take a lot of work, but I think Netgate needs to have a single code base on pfSense+, and if you pay for a subscription then you unlock all the features. Otherwise you run pfSense+ as if it was the community edition. I’m not sure why they are keeping 2 versions of the code for so long.

In this way all the packages and security updates are kept up to date all the time. Then we wouldn’t have these discussions on whether pfSense CE is going away or not.

A few years ago they decided to split the code base creating this issue. It USED to be one code base.


Sounds like a terrible idea to me. But I don’t know their reasons for doing that. At face value it sounds like common sense to have a single code base and then, if you want to pay for the features, lock them behind a license.

Netgate hardware is unfortunately very expensive in Europe. There is only one small distributor in Denmark and two (I think) in Germany. Ubiquiti is much easier to get at fair prices.

I have been using pfSense+ and pfSense CE for many years, implementing about 10 boxes. The main platform for my customers is ZyXEL USG Flex boxes. I recently had the opportunity to look into the configuration of a UDM, and this is how I see it. Of course, I do not want to stir up passions among fans of both manufacturers; please take it as a topic for discussion. I would be happy to welcome further knowledge on the topic.

pfSense advantages:

  • Clear interface for administration
  • Detailed logging
  • Traffic statistics for firewall rules
  • VPN site-to-site and client options
  • script support for IPsec VPN IKEv2 on Windows and Mac (even better with ZyXEL)
  • working with certificates
  • UTM options using Snort, Suricata, pfBlocker
  • partial support for address objects in firewall rules (Aliases), e.g. ZyXEL or FGT are even better
  • working with firewall rules (move, duplicate)
  • expansion using Package
  • relatively good configuration portability from one box to another: the configuration can be backed up by area and, after editing the XML, applied to another box
  • extensive monitoring options, a number of network tools for traffic analysis
  • possibility of installation on your own hardware or as a virtual instance

pfSense DISADVANTAGES:

  • relatively difficult implementation of WireGuard
  • missing script for IPSec IKEv2 for Android (Strongswan)
  • worse availability of Netgate boxes in Europe

UDM advantages:

  • clear interface and basic statistics
  • management of corporate WiFi APs, statistics
  • very high-quality and easy implementation of WireGuard, QR codes for clients
  • interesting box design
  • administration in the cloud

UDM DISADVANTAGES:

  • limited logging options, mainly in the VPN area
  • unreadable configuration format
  • difficult portability of the configuration to another box
  • worse UTM protection options
  • difficult work with firewall rules
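The config-portability point in the list above (back up an area of config.xml, edit it, apply it to another box) is concrete enough to show in code. The script below is an added example, not code from the forum post or from Netgate. It takes a pfSense-style backup, extracts the chosen areas, remaps literal addresses and interface names for the target box, and then checks that every alias a rule references is actually defined in what will be restored, which is exactly what goes wrong when only the filter area is restored onto a box without the aliases area. The sample XML is constructed and simplified; field names follow pfSense's config.xml, but a real export carries many more elements.

```python
"""Port selected pfSense config.xml areas to a second box.

Added example, not code from the forum post or from Netgate. The sample
backup below is constructed and simplified; real exports carry more fields.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample of two areas as pfSense exports them (simplified).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias>
      <name>mgmt_hosts</name>
      <type>host</type>
      <address>192.168.10.5 192.168.10.6</address>
      <descr>Admin workstations</descr>
    </alias>
    <alias>
      <name>lan_net</name>
      <type>network</type>
      <address>192.168.10.0/24</address>
      <descr>Site A LAN</descr>
    </alias>
  </aliases>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><address>mgmt_hosts</address></source>
      <destination><any/></destination>
      <descr>Admins may go anywhere</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt1</interface>
      <source><address>192.168.10.0/24</address></source>
      <destination><network>lan</network></destination>
      <descr>Literal network that should have been an alias</descr>
    </rule>
  </filter>
</pfsense>
"""


def rewrite_addresses(area_el, addr_map):
    """Swap literal IPs/CIDRs per addr_map in every <address> field.

    Alias <address> fields are space-separated lists, so tokens are mapped
    one by one; alias names are left untouched. Returns fields changed.
    """
    changed = 0
    for el in area_el.iter("address"):
        tokens = (el.text or "").split()
        new_tokens = [addr_map.get(t, t) for t in tokens]
        if new_tokens != tokens:
            el.text = " ".join(new_tokens)
            changed += 1
    return changed


def rewrite_interfaces(area_el, iface_map):
    """Remap interface names in <interface> and interface-network <network> fields."""
    changed = 0
    for tag in ("interface", "network"):
        for el in area_el.iter(tag):
            if el.text in iface_map:
                el.text = iface_map[el.text]
                changed += 1
    return changed


def dangling_alias_refs(root):
    """Alias names referenced by rules but not defined in what will be restored."""
    defined = {n.text for n in root.iterfind("aliases/alias/name")}
    missing = []
    for side in ("source", "destination"):
        for el in root.iterfind(f"filter/rule/{side}/address"):
            for tok in (el.text or "").split():
                # Heuristic: literals start with a digit, alias names with a letter.
                if tok[0].isalpha() and tok not in defined and tok not in missing:
                    missing.append(tok)
    return missing


def port_areas(xml_text, areas, addr_map, iface_map):
    """Build the XML to restore on the target box.

    Returns {"xml": str, "changes": {area: count}, "missing": [alias, ...]}.
    Do not apply the result while "missing" is non-empty.
    """
    root = ET.fromstring(xml_text)
    out = ET.Element("pfsense")
    changes = {}
    for area in areas:
        src = root.find(area)
        if src is None:
            raise ValueError(f"area {area!r} not present in backup")
        el = copy.deepcopy(src)  # never edit the original backup tree
        changes[area] = rewrite_addresses(el, addr_map) + rewrite_interfaces(el, iface_map)
        out.append(el)
    return {"xml": ET.tostring(out, encoding="unicode"),
            "changes": changes, "missing": dangling_alias_refs(out)}


if __name__ == "__main__":
    result = port_areas(SAMPLE_CONFIG, ["aliases", "filter"],
                        {"192.168.10.0/24": "192.168.20.0/24", "192.168.10.5": "192.168.20.5"},
                        {"opt1": "opt2"})
    print(result["changes"], result["missing"])
    print(result["xml"])
```

Note the second rule in the sample, which embeds a literal network instead of an alias: it is the kind of rule the address remap has to catch, and it is why a diff of the rewritten XML is worth reading before the restore.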

Completely agree; however, based on my recent experience, Ubiquiti’s new zone-based approach to organizing firewall rules has made it a lot easier to work with rules on UniFi. I would even say that it is now easier than with pfSense.

Unifi Network Application 9.1.92 (and later) have support for Cloudflare DDNS: https://community.ui.com/releases/UniFi-Network-Application-9-1-92/749d7a84-6686-4637-b255-f8fbc5dc8fe0

This is in Early Access right now, 9.1.96 was released yesterday, so 9.1 is still under development before being moved to the Release Candidate channel and finally the Official Release channel


Why is this an issue? I prefer less frequent updates and changes to a firewall as long as it is kept secure and does everything I want it to do.

Do you actually need the extra features in pfSense+? Seems to me you don’t, otherwise you wouldn’t have switched to Unifi, which has even fewer features than pfSense CE.


I think a few things are going on in the thinking of people like the OP. Nothing bad but needs clarification.

  1. pfSense CE, minus the system patches, has been quiet in regards to updates. People want to feel that the product is secure. You can’t tell me there is absolutely nothing wrong within the CE version that wouldn’t warrant any updates. Palo Alto, Fortinet, Cisco, SonicWall and Check Point all have frequent, at times monthly, updates to address either critical flaws, hotfixes or feature updates. Seems extremely odd to have a security product go long periods without any updates.
  2. Unifi is the shiny object right now. It does all the things home users want/need. Does the app filtering, VPN, DNS, DDNS. As of today, does it offer any compelling feature that pfSense can’t do? Other than app filtering, not really. As of today, pfSense is still a bit advanced when it comes to the knobs you can turn.

Well, at its core, pfSense is still a traditional router and edge firewall with some added features, and the firewall relies on FreeBSD’s packet filter (pf).

Now compare that to Palo Alto, Fortinet and others you mentioned that are primarily Linux-based these days. How many of the security updates they received were actually related to iptables, nftables, or the NAT implementation, or any other core Linux feature they use? My guess is not many. So the risk isn’t necessarily in the core itself, but in the additional features and management interfaces.

The most commonly used built-in features in pfSense, besides firewall and NAT, are probably DHCP, DNS and NTP, which generally don’t present high security risks, but if there is a CVE it will be patched via the system patches, and of course the WebUI/management interface, which will also be patched if necessary.

Then, of course, there are many optional packages that are widely used, such as HAProxy, Snort, Suricata, WireGuard, and many more. However, these packages must be explicitly installed by the user via the integrated package manager, which is also used to keep the packages up to date independently of the pfSense system updates.

EDIT: I forgot to mention the built-in VPN services, IPsec and OpenVPN, which are also widely used, and I guess they are more prone to security issues than some of the other built-in services I mentioned, but I’d say they also get patched via the system patches when necessary.


You bring up a good point specifically about the core functionality of the various commercial products (pfSense included). If there are no known vulns then there are no vulns. It just seems interesting to point out that OPNsense does update their core *sense product monthly, outside of plugins. What are they seeing that others aren’t? New libraries bring new problems but also, I would imagine, possible fixes to code that hasn’t been updated in quite some time.

I don’t follow OPNsense that closely, but you could read their changelogs to see what these constant changes are about. I doubt most of them are security-related.

But yes, OPNsense seems to be much more actively developed than at least the community edition of pfSense, and they definitely release much more frequently, even more frequently than pfSense+.

They also have 3 or 4 branches: Development, Production 25 (stable), Production 24 (oldstable) and the Business Edition (extra stable, I guess). The latter is updated much less frequently, which is exactly the opposite of how pfSense does it.