Why I stick with Pfsense firewall and moved away from UDM Pro

Since Tom migrated from Pfsense as a firewall to Unifi firewall, I do have the impression that many people are following his example, just because Tom did the move. :wink: (nothing wrong with that, though)

However, I did the opposite:

I had a UDM Pro, switched to a Netgate 6100 Pfsense firewall and replaced the UDM Pro with a CloudKey Gen2 Plus (UCK).

One of the reasons to make the switch from UDM Pro to UCK was to get away from that annoying issue of the UDM always acting as a gateway. Having a pseudo uplink to the Pfsense just to satisfy the UDM Pro didn’t make much sense to me and added unnecessary complexity to the setup.

Another reason was that UCK is using less power than UDM Pro. Even if it’s “just” 20W less, that sums up over the year.

Using the Pfsense as a firewall and gateway over the UDM Pro was driven by some considerations as well:

As Tom stated in the past as well: there are not many Open Source firewalls left. Supporting the few that are left seems to be a good way to ensure that there will still be one in the future. And Unifi Network & Firewall is a nice environment, but it is not Open Source.

Another reason was to separate network management and firewall into two different tasks, following the Unix paradigm of “do one thing, but do that well!”

Additionally I have the feeling that Pfsense is offering more features that are relevant for me, like a DNS server with Views support, haproxy as a reverse proxy, Wireguard site-to-site VPN, OSPF, and many more options. And I do have more control over those services than what Unifi allows me to configure in their WebGUI. Plus I do have more diagnosis and debugging tools on Pfsense than I have in Unifi.

In the end Unifi is a closed black box. You’ll need to stick to what they offer you. That’s not necessarily a bad thing, though, but it’s your own decision if you buy into that more or less closed walled garden…

6 Likes

The part that I think a lot of people miss about ‘Tom moved to UniFi’ is that I only moved my studio to UniFi but I still have my office that uses pfsense and about 30 businesses we have under contract using pfsense. I do agree I wish there were more open source choices for firewalls which would make a better ecosystem, but pfsense is still a solid and secure choice.

3 Likes

Yeah, and I think it would be easy for you to switch back and forth without problems. Others might have more issues with switching.

People that want to have a one-stop-shop will find a good solution in Unifi. And that’s absolutely fine. But I wanted to argue for the other side: there are also reasons not to follow that path, just because you did it.

Make up your own mind about what is important to you and not just follow other people’s path. And that was my intention: to show there might be other reasons.
I would like to know if others have more/different reasons to keep on using Pfsense?

I don’t use a Unifi firewall, so I don’t know whether it offers the aliases feature that pfSense has. When you have a lot of (virtual) machines on a network with many VLANs, the pfSense aliases allow for consistent updates and changes across a lot of rules on different VLANs. I wouldn’t want to ever use any firewall that does not offer this feature.

1 Like

What pfsense device are you using for your office?

What I like most about pfsense is I can get 10G links for far less than $1000. Especially now that my ISP provides 5Gbps and I just got an email saying they are offering 8Gbps. The networking hardware companies are so far behind and are currently hindering technology by overpricing bandwidth. A 24 port unmanaged switch where all 24 ports are 10Gbps is still around $1800, which is absolutely absurd in my opinion. Especially when you can buy a TrendNet 24 port 1Gbps unmanaged switch for $80. I just have no interest in Unifi until they can provide a decent cost effective solution.

I can kind of understand your frustration, at least to a certain extent, because I also feel the price difference between 1Gbit and 10Gbit is still too high. On the other hand, assuming this is a home network, do you really have 24 hardwired devices that can actually make use of 10Gbit, or would maybe a 4 port or 8 port be enough? (Yeah I know, still too expensive compared to an 8 port 1Gbit switch)

So with an 8-port 10 Gbit switch and a larger 1 Gbit or 2.5 Gbit POE switch with a 10 Gbit upstream port, you could still connect 6 devices directly with 10 Gbit and the rest to the 1 Gbit or 2.5 Gbit, which is more than enough for cameras, Wi-Fi access points, and normal Internet consumption such as streaming video, browsing the web, etc. And since this switch would be connected to the upstream switch with 10 Gbit, it would still be an improvement compared to before, when all devices were sharing a 1 Gbit pipe.

You’re right, this is a home network. Whole house is Cat6a certified. I bought a TrendNet 8 port switch which is all 10G and it is fully populated. I have about 3 more wired devices to connect 10G to but it’s not imperative to run them. Any device I buy for the last 5 years (if possible) I pay the extra $100 to have 10G NICs unless they are already there.

I get the multi speed switches but in my opinion it’s cheap and more frustrating. To compare it… You own a Cadillac/Lexus etc. but instead buy this Toyota Corolla… I’d rather have the 1G than be insulted with 2.5 or 5G. However, that is all opinion and some people may have a use/desire for 2.5/5G. I don’t really have a use and think it is the hardware manufacturers who pushed the idea of cheap hardware over precision, holding back people from advancing technologies.

Sorry for the rant… I’m just frustrated as a network engineer to see blatant disregard for advances in technology by hardware manufacturers’ reluctance to build 10G hardware at a reasonable price.

For my home network, I’m ok with 1G. At work, we use 10G.

No. Having 10Gbit on every port in your home is like using a race car on public roads: you’d get all the disadvantages (such as increased fuel consumption, heat generation and cost) without being able to make actual use of most of the advantages (such as increased performance and faster cornering speeds). :wink:

While I agree that 1G is more than enough for most home use cases, 2.5G can be beneficial for modern Wi-Fi 7 access points, as they can, at least in theory, reach such speeds.

Also, if a 1G or 2.5G switch is connected to a 5G or 10G internet connection via 10G, multiple devices can download at the maximum speed of that switch (e.g. 1G or 2.5G). With a 1G upstream connection, however, every device shares that 1G pipe. I think this is a good compromise for making at least some use of an internet connection faster than 1G without spending too much money.

And if that switch is connected to a 4- or 8-port 10G upstream switch instead of directly to the modem, you could additionally connect two to six devices via 10G. These devices would then be able to benefit from the full 5G or 10G internet speed and also be able to communicate with each other at 10G.

Hmmm, I would prefer to talk more about the benefits of still using Pfsense over Unifi instead of link speed of switches.

Yes, sorry, I couldn’t resist responding to that rant. :wink:

On the actual topic: I also still use pfSense, mainly because it’s open source and I don’t like buying into a commercial, proprietary ecosystem. I do use a UniFi access point, though.

Other than that, it mainly comes down to the features.

However, many home lab users (myself included) and even IT professionals who aren’t network experts (and don’t aspire to be) don’t necessarily need most of the features you mentioned. For the most commonly needed ones, such as VLANs, firewall rules, DHCP, and DNS, UniFi has caught up considerably. So, I’d say that for many who are switching to UniFi, the advantages of an easy-to-use, single-pane-of-glass interface simply outweigh any potential disadvantages, which may still exist compared to something like pfSense.

Also, Ubiquiti somehow manages to make network devices “sexy”. I think that’s an important factor in why many people want it, especially home lab users. :slight_smile:

1 Like

Oh, and link speed is at least indirectly relevant.

Thanks to ‘fiber to the home’, more and more people now have internet connections faster than 1 Gbit/s. Whether or not they actually need that speed, they certainly want to take advantage of it.

Now, UniFi devices that can route more than 1 Gbit/s are considerably cheaper on average than pfSense boxes that can do the same, at least compared to Netgate devices and probably compared to most DIY builds, too (at least in terms of power consumption).

Of course, the additional cost of 2.5/5/10 Gbit/s-capable equipment behind the router is another matter entirely, and must be considered for both solutions. :wink:

I switched to Unifi, and I miss Pfsense when it comes to logging, firewall rules, pfblockerng, and some other things.

But I chose a UDM Pro Max, because that’s now my router and NVR and Unifi controller. And that’s pretty neat, if you don’t want to have too many devices. Still think that Pfsense is better as a router than Unifi. But they are improving…

I have been perfectly happy with pfSense, and don’t see any reason to change. I have one switch and one WAP. I don’t think I would benefit from Unifi’s management system. I hardly ever change/re-configure my switch or my WAP. I am also a bit put off by the fact that people seem to regularly say that Unifi has “caught up” with pfSense. Kind of makes me feel like Unifi is second rate. If someday, the Unifi firewall can do something I need that pfSense can’t, then I might become interested in a change.

I don’t think this is the whole story. I think most people on this forum and whoever watches Tom’s videos look at the features they need and make an educated decision on which firewall to use in their environment. I think UniFi has come a long way and offers almost everything that pfsense has.

Not to mention UniFi offers features that pfsense doesn’t have, like a site manager for all the firewalls and devices. Sure, pfsense is getting there, but they want to charge you a license to use it.

All I’m saying is there are benefits to both, and UniFi looks better and offers things Netgate doesn’t have. I don’t fully believe people are switching because Tom is using it.

From my POV:

Unifi

  • one-stop-shop
  • offers a nice GUI to manage the most common network management tasks
  • is a complete eco system of switches, APs, surveillance cameras and access systems
  • focusses on ease-of-use

Pfsense

  • is just a firewall
  • does routing
  • offers network debugging tools (ping, traceroute, tcpdump, …)
  • offers more VPN options with more settings, more versatile

Contrary to your opinion I have the impression that many users are just following Tom’s example of switching, not necessarily based on their own educated decision. Can’t blame them for that. I think many are just following the software stack he’s using for the sake of his videos and tutorials. That’s a perfectly fine decision, but IMHO not a well educated decision of their own.
Maybe the decision prior to the move towards Unifi as a firewall was based on the same: using Pfsense as a firewall because Tom made so many videos about it. Maybe many of those who are now switching to Unifi didn’t need the full feature set of Pfsense anyway. That’s perfectly fine, as already said.

But when you want to learn about networking and firewalls, I think switching from Pfsense to Unifi is the wrong decision. Unifi is more of a nicely polished black box and that’s absolutely great if you are just looking for that. But when you want to learn about networking and have full control over your network, I think you are better off with Pfsense, because it gives you more options to configure and to debug things.

And about the licensing costs of the site manager for Pfsense: I can’t really blame Netgate that they want to earn some money. Unifi on the other hand is primarily a company that sells hardware. It does that by providing an easy-to-use eco system. Two different approaches.

I do enjoy both sides: having a specialised firewall with many options and debugging possibilities, and having a great and nice looking networking eco system of switching, access and cameras.

And this ease-of-use eco system comes with a price: the lack of many config and debug options. Pfsense on the other hand comes with the price of not-that-easy-to-use and not-that-good-looking UI.

For me I don’t see that Unifi fits my needs acting as a central firewall in my network, which is more or less complex as a hobbyist/homelabber:

  • 3 sites
    • colocation in datacenter with 3 servers
    • my home network with server and backup
    • my parents’ home network with server and backup & with VPN connection to my brother’s home network
  • all sites interconnected with Wireguard VPN or IPsec
  • OSPF routing
  • multiple VLANs
  • more than 200 TB of storage and several TB of traffic each month because of backups

If there are issues in the network, I need to be able to debug the stuff. OSPF in Unifi is there, but have you tried to debug an OSPF issue there when something between Unifi, frr on Pfsense and bird on Linux is not working? Or finding the reason why your 10 Gbps SFP+ modules with single mode bidirectional fiber stopped working and intermittently disconnect between your switch in the cellar and your switch in your room, while the 1 Gbps SFP modules are working fine? In the Unifi UI you’ll see just a red warning sign that it is not working. When looking at the switch you see the LED is lit for some seconds and then going dark for a moment, just to come back again. In the end it is a black box. No offense! Unifi is doing a great job to provide an easy to use networking environment, but sometimes they can’t provide the information you need, because they cannot foresee each and every corner case. Maybe logging in via SSH could give you more information… :man_shrugging:

That being said: I’ll still stick with Pfsense and not make myself too dependent on one vendor and their interpretation of how networking should be done. Diversification is basically a good idea… :slight_smile:
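As an illustration of the kind of OSPF debugging described above (an added example, not part of the original post): on a pfSense box with the FRR package you can read the neighbour table straight from `vtysh` and capture OSPF packets with `tcpdump`. The script below first triages a neighbour table for adjacencies stuck below Full and prints the usual cause to check for each state, then shows the live commands that produce that table. The sample neighbour table is constructed, laid out the way FRR's `show ip ospf neighbor` prints it; the router IDs, addresses and interface names (igb1..igb3) are assumptions.

```shell
#!/bin/sh
# Added example: triage OSPF adjacencies on a pfSense/FRR box.
# Assumes FRR's vtysh (pfSense FRR package) for the live part. The table
# below is CONSTRUCTED in the layout of FRR's "show ip ospf neighbor";
# addresses and interfaces are made up.
SAMPLE_NEIGHBORS='Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.0.0.2          1 Full/DR         1h02m03s          38.123s 10.1.1.2        igb1:10.1.1.1                        0     0     0
10.0.0.3          1 ExStart/DROther 0h00m00s          31.004s 10.1.2.2        igb2:10.1.2.1                        1     0     0
10.0.0.4          1 Init/DROther    0h00m00s          35.910s 10.1.3.2        igb3:10.1.3.1                        0     0     0'

# stuck_neighbors TABLE: print one line "<router-id> <state> <interface>"
# for every neighbour whose adjacency is not Full (header line skipped).
stuck_neighbors() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 !~ /^Full/ { print $1, $3, $7 }'
}

# hint_for_state STATE: the first thing worth checking for a stuck state.
hint_for_state() {
    case "$1" in
        Down*)    echo "no hellos seen: interface down, wrong subnet, or OSPF not enabled on it" ;;
        Init*)    echo "hellos only one way: compare area, hello/dead timers, network type, and make sure pf passes ip proto 89 on that VLAN" ;;
        ExStart*|Exchange*) echo "DBD exchange failing: MTU mismatch is the classic cause; verify with a DF ping before touching mtu-ignore" ;;
        2-Way*)   echo "normal between two DROthers on a broadcast segment; a problem only on point-to-point links" ;;
        *)        echo "unknown state, read the frr log" ;;
    esac
}

# report TABLE: stuck neighbours with hints, one per line. Returns 1 if any.
report() {
    found=0
    stuck_neighbors "$1" | while read -r rid state iface; do
        printf '%s on %s is %s: %s\n' "$rid" "$iface" "$state" "$(hint_for_state "$state")"
    done
    [ -z "$(stuck_neighbors "$1")" ] || found=1
    return $found
}

if [ "${1:-}" = "--live" ]; then
    # Live triage on the pfSense box itself.
    report "$(vtysh -c 'show ip ospf neighbor')"
    # Watch hellos on the suspect interface (OSPF is IP protocol 89); look at
    # area, hello/dead intervals and netmask in the decoded packets.
    # tcpdump -ni igb2 -v ip proto 89
    # Check path MTU toward the neighbour without fragmentation (FreeBSD ping):
    # ping -D -s 1472 -c 3 10.1.2.2
else
    report "$SAMPLE_NEIGHBORS" || echo "at least one adjacency is not Full"
fi
```

Run it without arguments to see the triage on the constructed table, or with `--live` on the firewall. For the flapping SFP+ link mentioned in the same post, `ifconfig -v ix0` on FreeBSD additionally prints the module's diagnostics (vendor, wavelength, and TX/RX power) on drivers that expose them, which is usually the quickest way to tell a marginal optic from a misconfiguration.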

I’m not sure why it bothers you. Just like all consumers, they see a product that is well polished and easy to use. And then there is pfsense, which I have been in support of for 9 years: submitting bug reports, buying a personal license and putting Netgate devices in well over 20 sites and businesses.

Even if people didn’t make an educated decision, it’s not the end of the world. In the words of Tom: “use what makes you happy”. We both agree they watch Tom’s UniFi videos and they like what they see.

I’m considering the move to UniFi because it fits my environment, even replacing my pfsense, and you stick with pfsense because of your reasons. I don’t see anything wrong with users seeing something they like and switching. I don’t like some of Netgate’s business practices and stunts they have pulled in the past few years. I’m not going to argue about any of that here on this post; I’m sure you are already aware of what I am talking about. I absolutely take all of that into consideration when I want to spend money on a product that supports the business.

1 Like

I am a big fan of free market capitalism and people being able to spend their money how they see fit. I couldn’t agree with this more.

1 Like

It’s perfectly fine to see it that way.

Until you wake up in a world where there are no more options other than those of big capital and no more Free/Libre Open Source Software…

Reminds you of xkcd: Dependency