UniFi vs pfsense May 2024

| Features | pfsense CE & Plus | UXG Pro | UDM Pro / Max / SE |
|---|---|---|---|
| Can Run on Your Own Hardware | Yes | No | No |
| Can Be Virtualized | Yes | No | No |
| Centralized Management | No | Via Self Hostable UniFi Network Server | Yes, Via UI Site |
| Web interface | Yes | Via Self Hostable UniFi Network Server | Via Built-in UniFi Network Server |
| License Fees | *No for CE or with Netgate Hardware | No | No |
| Operating System | FreeBSD | Linux | Linux |
| Automated Updates | No | Yes | Yes |
| Granular change & rollbacks | Yes (ZFS rollbacks in Plus) | No | No |
| High availability | Yes | No | Yes, beta with certain models |
| VLAN Support | Yes | Yes | Yes |
| BGP / OSPF | Yes | Yes, OSPF | Yes, OSPF |
| Captive Portal | Yes | Via UniFi Controller | Via UniFi Controller |
| OpenVPN | Yes | Yes (very basic) | Yes (very basic) |
| IPSec | Yes | Yes | Yes |
| WireGuard | Yes | Yes | Yes |
| L2TP VPN | Yes | Yes | Yes |
| Automatic Site to Site | No | Via UniFi Network Server | Site Magic |
| Tailscale | Yes | No | No |
| IDS/IPS | Yes (Suricata or Snort) | Yes, Basic | Yes, Basic |
| Content filtering & Controls | No | Yes (basic DPI/no SSL) | Yes (basic DPI/no SSL) |
| Traffic Monitoring & Reporting | Yes (NTOPNG) | Yes | Yes |
| DNS filtering | Yes (pfBlocker) | Yes, Basic | Yes, Basic |
| Advanced DNS Options | Yes | No | No |
| GeoIP filtering | Yes (pfBlocker) | Yes | Yes |
| Traffic shaping | Yes (advanced) | Yes (basic on or off) | Yes (basic on or off) |
| Multi-WAN support | Yes | Yes, Basic | Yes, Basic |
| SNMP monitoring | Yes | No | No |
| Active Directory Integration | Yes, RADIUS or LDAP | Yes, Via RADIUS | Yes, Via RADIUS |
| Policy routing | Yes | Yes (No WG) | Yes (No WG) |
| Packet Capture & Diag Tools interface | Yes | No (yes on command line) | No (yes on command line) |
| Netflow Export | Yes (pfsense Plus) | No | No |
| Reverse proxy or WAF | Yes, HAProxy | No | No |
| Let's Encrypt Certificates | Yes | No | No |

maybe 'yes' should be colored green and 'no' should be colored red.

Text coloring is not supported in the markdown here.

Depending on the client's needs I have deployed UDMs, but I still prefer pfsense. Great breakdown!

Tom,

I believe the most significant line items to capture in your tests are those important line items for which no published information exists on the Internet. And which Ubiquiti flat out refuses to provide:

What is the respective throughput for the site-to-site VPNs supported by both Ubiquiti's gateways and pfSense? Which are the throughputs for:

  • Wireguard
  • IPSec
  • OpenVPN

To compare apples-to-apples, the throughput tests should be performed with IDS turned off.

Here is, verbatim, the response that Ubiquiti gave me when I asked for the throughput numbers for their various higher-end gateways:

Thank you for reaching out. I am Peter from the UniFi Security & VPN Team. I will be assisting in your case today.

We understand your concern regarding the VPN speeds across Site-to-Site VPNs. Regrettably, we don't have specific values for the speeds that can be achieved.

However, we appreciate your feedback on this matter, and we will share it with our product team for consideration in future updates and improvements.

If you have any further questions or concerns, please don't hesitate to reach out. We're here to assist you in any way we can.

Thank you for your understanding and cooperation.

It is high time for somebody to determine the performance figures that Ubiquiti refuses to provide to their customers. I'll let you speculate on the reasons for that refusal.

Best,

  • Lucky
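The apples-to-apples test Lucky asks for (each tunnel type measured on the same hardware, IDS/IPS off, compared against the plain path) can be scripted so the numbers are reproducible rather than eyeballed. The harness below is an added example, not code from the thread or from Netgate or Ubiquiti. It assumes `iperf3` is installed on both ends and already running as a server (`iperf3 -s`) behind each tunnel, and that the baseline run goes over the same link without a VPN; the `measure()` labels and the addresses in the comments are placeholders. The constructed sample reports let the parsing and overhead math run offline.

```python
# Added example: site-to-site VPN throughput harness built on iperf3's JSON output.
# Assumptions (not from the page): iperf3 on both ends, server side started with
# "iperf3 -s", IDS/IPS disabled on both gateways for the duration of the test.
import json
import subprocess
from dataclasses import dataclass


@dataclass
class TunnelResult:
    tunnel: str
    sender_mbps: float
    receiver_mbps: float
    retransmits: int


def parse_iperf3_json(text: str, tunnel: str) -> TunnelResult:
    """Reduce an 'iperf3 -J' TCP report to the numbers worth comparing.

    sum_sent is what the client pushed; sum_received is what arrived at the
    far end. Keep both: a large gap or a high retransmit count usually means
    MTU/MSS trouble inside the tunnel, not a slow crypto path.
    """
    end = json.loads(text)["end"]
    sent = end["sum_sent"]
    recv = end["sum_received"]
    return TunnelResult(
        tunnel=tunnel,
        sender_mbps=sent["bits_per_second"] / 1e6,
        receiver_mbps=recv["bits_per_second"] / 1e6,
        retransmits=int(sent.get("retransmits", 0)),
    )


def overhead_pct(baseline: TunnelResult, vpn: TunnelResult) -> float:
    """Throughput lost relative to the unencrypted path, in percent."""
    return round(100.0 * (1 - vpn.receiver_mbps / baseline.receiver_mbps), 1)


def run_iperf3(server_ip: str, seconds: int = 30, parallel: int = 4) -> str:
    """Run one client-side TCP test and return the raw JSON report.

    Several parallel streams matter: one TCP stream often cannot saturate a
    tunnel by itself, which would understate the gateway.
    """
    cmd = ["iperf3", "-c", server_ip, "-t", str(seconds), "-P", str(parallel), "-J"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def measure(tunnels: dict) -> list:
    """tunnels maps a label ('baseline', 'wireguard', 'ipsec', 'openvpn') to
    the iperf3 server address reachable through that path. 'baseline' must be
    present so every VPN figure can be reported as overhead against it."""
    results = {name: parse_iperf3_json(run_iperf3(ip), name) for name, ip in tunnels.items()}
    base = results["baseline"]
    return [(r.tunnel, r.receiver_mbps, overhead_pct(base, r)) for r in results.values()]


# Constructed sample reports (not real measurements) so the parser and the
# overhead calculation can be exercised without any tunnel in place.
SAMPLE_BASELINE = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 940_000_000.0, "retransmits": 3},
    "sum_received": {"bits_per_second": 938_000_000.0}}})
SAMPLE_WIREGUARD = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 620_000_000.0, "retransmits": 41},
    "sum_received": {"bits_per_second": 610_000_000.0}}})

if __name__ == "__main__":
    base = parse_iperf3_json(SAMPLE_BASELINE, "baseline")
    wg = parse_iperf3_json(SAMPLE_WIREGUARD, "wireguard")
    print(f"{wg.tunnel}: {wg.receiver_mbps:.0f} Mbit/s, "
          f"{overhead_pct(base, wg)}% below baseline, {wg.retransmits} retransmits")
    # Live run against placeholder addresses (documentation ranges, replace them):
    # for name, mbps, pct in measure({"baseline": "203.0.113.10",
    #                                 "wireguard": "10.8.0.2"}):
    #     print(name, f"{mbps:.0f} Mbit/s", f"{pct}% overhead")
```

Run the baseline first and keep the iperf3 duration and stream count identical across tunnel types; the overhead percentage is the figure to put next to a vendor's headline number, since raw Mbit/s on its own is meaningless without the link speed the test was run over.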

Yeah, I might do some testing of speed in a separate video from the features comparison.

Product ecosystem?

When comparing engines, a V8 against a V8 is a good comparison. However, some of us also need to drive a car. I can get to work faster with a V6 if it's in 'a car', than looking at a beautifully tuned V8 sat on a workbench :slight_smile:

That would be fantastic and you would do the community a great service. Nobody else in the vastness of Ubiquiti product review channels and sites has published the results of Ubiquiti gateways' VPN throughput testing. By contrast, Netgate has (some of) those performance figures on their product pages.

Best,

  • Lucky

Watched the video and was surprised with how far along unifi has come. Good video. Netgate is not sitting as pretty as I thought they were.

The more interesting question is, when will the feature set or GUI layout change enough to get Tom to jump ship?

My guess is never. It is for me. We all have our tribal camps. This has become a Ford vs Chevy debate.

I have been with pfsense for over 8 years. But with the recent business decisions trying to push users to the "free" Plus version and then bait and switch got me to not like them. I know they said it was going to be $129 but it was a terrible way to do it. I have supported them with submitting bug reports and paying for Plus. The only thing that has me hanging on is no one else can compare to pfsense and my needs with it.

As soon as UniFi or someone else can get there I am jumping ship for sure. I don't want to support a business that operates like Netgate does.

The one thing that I did not cover but may cover in a future video is VPN speeds. Netgate contributes a lot to the crypto libraries (they are also a major code contributor to FreeBSD) and has much faster VPN speeds than many other systems. As far as I know, UniFi does not currently publish their speeds and that is something of contention because that matters to a lot of people.

Just between you and me, you will never leave pfsense, right?? :wink:

I can admit I will almost certainly never abandon my bare knuckles linux firewall. Unless the next version of unifi can do my taxes. That might get me to jump ship.

What they did to opnsense a while back was shameful. Says a lot about the character of their mgmt team. Not sure they even apologized.

I know that the SSH keys in the Unifi Controller GUI only support RSA and not elliptic-curve keys. Also the SNMP key in the controller has to be downgraded from a max of 31 to 10 characters as soon as a Unifi switch is added. I don't have a UDM to test, but it's something to keep in mind.

No, I am ready to move away from pfsense. I've been in research mode evaluating everything from enterprise to open source. Or to possibly build my own solution or a mix of different options.

Oh sorry, I was responding to two posts there. Just poking at Tom a little bit, all in fun.

I kind of gathered you are sniffing around for something else. Surprised you are thinking about building your own. I won't get on my soap box except to say if you want true freedom, nothing comes close. No more leash tied to any company.

And if you do go down that road post your experience here if you feel comfortable. It would be fun to see what you do and compare notes. I know I can learn a thing or two from you.

Being picky but Let's Encrypt works for Unifi on a self hosted controller…

Useful comparison (Am sticking with pfsense for now, but I wish Netgate's marketing/comms would get their act together!)

You can use Let's Encrypt, but it's not integrated or automated.

But like pfBlocker, HAProxy etc. it's an add-in, some of which are not supported/covered by Netgate. I know ACME is a Netgate item, though, but others aren't, so caveats apply?

But obviously the added value for pfsense over UniFi is the existence of the 3rd party package ecosystem?