Why I stick with the pfSense firewall and moved away from UDM Pro

I use pfSense because I can easily virtualize it and it has more routing and tunneling features than other options.

1 Like

I too have recently made the swap back, used my UDMP for about 6 months again but went right back to my Netgate 6100.

Too many reliability issues, weird things that make rule management harder, bugs, and some performance issues with a huge number of states being tracked.

1 Like

Yeah, of course, there are worse things in life than buying the “wrong” router. :wink:

I agree in general, BUT…

…when you see threads where people ask how they can do this or that with UniFi — things they could do before with pfSense, and then the answer is “you can’t,” well, let’s just say that’s… not great. :wink:

There’s a thread in this forum where someone set up an air-gapped camera VLAN and now no longer has an NTP server. I guess that person now has to ask themselves whether the fancy interface and the nice device design are really worth losing features that previously worked.

I mean, I could understand if they were just starting out and then decided to go with UniFi. But switching from something that works to something else without checking if it can do everything you need it to do… well, I don’t know, that does feel a bit like that person was influenced by all the social media posts and YouTube videos without really doing their homework. And if that was the case, it wasn’t really a ‘free’ decision — although you could of course argue that it’s still mostly that person’s fault for not informing themselves better.

Or the people who always want the “best” and think they need 24 or 48 10G PoE ports for all their access points and cameras — devices that will never push more than 2.5 Gbit/s or stream more than 10–20 Mbit/s — and then even feel insulted if they can’t have that. These are victims of your “free” market capitalism; the same type of people who drive an F-250 in the suburbs despite never transporting anything large or driving on a dirt road. :wink:

Don’t get me wrong — if they can afford it and it makes them happy, they should go ahead and buy those things. But complaining that 24× 10G ports are too expensive, even though they have no real use for them, just because they want the shiny UniFi interface to show “10G” everywhere… and thereby possibly sacrificing features they actually used before — that’s when they’ve become so influenced by “free” capitalism that their decisions aren’t truly free anymore. They’ve simply traded one form of coercion for another.

Just think about it. And no, I’m not a communist — but I do believe people should have a real chance to access neutral information. However, many of these so-called “free” capitalist companies not only create artificial needs to drive consumption, but also actively try to prevent neutral and objective reviews or make it unnecessarily difficult to find all the necessary information to make an informed decision.

To be clear, I’m not implying that Ubiquiti actively silences critical reviewers, or that Tom’s reviews aren’t neutral and objective.

1 Like

You don’t have to worry about the free/libre software that makes up pfSense going anywhere. That stuff is mostly kernel code. pfSense is just GUI code to manage the packages doing the real work. No big deal if this GUI code becomes less free/libre. The CLI will always be there. And there will always be some knock-off (or stripped-down) version of the GUI code that is fully free/libre.

Actually, let me correct myself: Netgate does do a lot of work that is not just GUI code. But that is an unnecessary cost they would probably love to avoid. Technical debt has got to be a significant drag on them one way or another. All the money they spend on kernel work is money UniFi never even thinks about spending. Netgate can divert that money to more productive resources. If UniFi chooses to spend just a portion of the money Netgate does on kernel work, they could bury Netgate in features. Or they can take their time and slowly strangle them while paying their shareholders the savings.

From my experience people only want easy. If they want to climb the learning curve they demand that be easy too. Mostly that means bolting on services & features with a click of a button. Services that don’t belong on a router. Should a router have a VPN server running directly on the host OS? What about a public facing Proxy server? What could possibly go wrong?

At some point in the learning process isolation becomes more important than features. The router goes back to just being a router. The debate over whose built-in VPN server has more features is irrelevant because the admin will roll their own anyway. For so many reasons.

1 Like

To be fair, when it comes to firewall rules, pfSense is as easy as it gets. What it lacks is a modern web UI based on a modern framework, and a single pane of glass for all the networking devices. People who want a more modern UI can switch to OPNsense (although it’s still PHP-based, it looks nicer and more modern), and people who absolutely need a single pane of glass for everything, well, they can finally have that, without too many sacrifices regarding firewall rules.

However, firewall rules are never going to be truly easy, regardless of the presentation, but if I had to rate them, the pfSense variant is actually easier to understand, in my humble opinion.

But much more importantly, normal end users will never understand it, so it’s not necessary in a home router. And in an actual enterprise, it’s not necessary either, because they have dev/ops teams that program their routers and switches via Ansible or whatever the latest hype is.

Ubiquiti is therefore trying to lure small and mid-sized businesses and MSPs with a sexy UI and that single-pane-of-glass controller, which is now not only a controller anymore, but apparently a whole OS :wink: (which it of course is not). And don’t get me wrong, they’re doing a pretty good job. But I also think the new firewall functionality is still somehow a reaction to pfSense and OPNsense.

But yes, while Netgate and OPNsense must be careful, we’re still a long way from them becoming irrelevant. In fact, I think Ubiquiti, even with their latest improvements, will probably still replace more outdated Cisco SMB or Zyxel routers than pfSense or OPNsense ones.

1 Like