Alternative to pfsense/Opnsense

[coxhaus]

I could be wrong but I think 2.7 likely would release with 23.09.

Here’s the tracker for CE/Plus

Issues - pfSense - pfSense bugtracker

Redmine

redmine.pfsense.org

Go to know. I am not going back to CE in pfsense. I will stay with pfsense plus until I find something else, or they break it.

 

[jasonreg]

Updated to 23.05 this am. Pretty seamless - all good so far.

 

[Smokey613]

I am back trying out Untangle, now named Arista NGF. I loaded it up on my mini pc that I have tried pfSense and OPNsense on.

So far, it’s even better than the last time I tried it about 18 months ago. It now supports the AES-NI capabilities on my little unit whereas last time, it did not.

I am using a pair of eero Pro units in wireless bridge mode.

So far, I am really liking it, time will tell.

 

[ddaenen1]

I would be very interested to get a bit of more details on why you really like it compared to OPNsense/pfSense. Always good to know what the alternatives are...

 

[Smokey613]

I would be very interested to get a bit of more details on why you really like it compared to OPNsense/pfSense. Always good to know what the alternatives are...

First off, it is far easier to setup and configure than either of the “sense” solutions.

Setting up vpn or wireguard servers/clients is very easy and intuitive. This is not the case for the others.

Dual WAN load balance/failover is the same.

Everything in Arista is easier to configure and manage.

The ONLY drawback is, to get all the features offered, it will cost $150 USD annually.

I have determined it is worth it for my home network. Heck, I just cancelled my Netflix service and that more than pays for Arista Home Protect Plus.

Now I need to find a new home for this shiny new RT-AX86U Pro……

 

[coxhaus]

First off, it is far easier to setup and configure than either of the “sense” solutions.

Setting up vpn or wireguard servers/clients is very easy and intuitive. This is not the case for the others.

Dual WAN load balance/failover is the same.

Everything in Arista is easier to configure and manage.

The ONLY drawback is, to get all the features offered, it will cost $150 USD annually.

I have determined it is worth it for my home network. Heck, I just cancelled my Netflix service and that more than pays for Arista Home Protect Plus.

Now I need to find a new home for this shiny new RT-AX86U Pro……

Are they limiting you on IP addresses using Untangle for home use? I thought I read somewhere that you could only have 25 IP addresses but I am getting old and things are starting to run together.

PS
I just got on the Arista NGF forums and my Untangle login account still works from years ago.

 

[Smokey613]

Are they limiting you on IP addresses using Untangle for home use? I thought I read somewhere that you could only have 25 IP addresses but I am getting old and things are starting to run together.

PS
I just got on the Arista NGF forums and my Untangle login account still works from years ago.

I am running the Home Protect Plus which has a 150 host limit. It’s $150 USD for an annual license.

 

[coxhaus]

I am running the Home Protect Plus which has a 150 host limit. It’s $150 USD for an annual license.

That should work. 25 IP addresses with all the IOT devices nowadays is a little on the short side. It looks like Arista NGF may have the resources to make Untangle good again.

The only thing hardware wise difference I noticed is Untangle took more ram to run well which is kind of a moot point now as ram is so cheap and I think 8 gig is enough for home use. I am only using 4 gig in my pfsense PC right now. Less ram less heat.

I am stuck right now as my granddaughter is here for most of the summer and the network can't be down with her. I have a new Cisco layer 3 switch coming that I need to work into my network sometime. If she goes home for a day, then I should be able to make the switch.

My pfsense is working well. The only thing is I wish SNORT was version 3. I don't really know the other intrusion protection system for pfsense. I would have to learn it.

 

[ddaenen1]

Updated to 23.05 this am. Pretty seamless - all good so far.

I updated to 23.05 today - first opportunity with noone else in the house and plenty of time to recover in case of. Update process was so smooth that it leans towards boring...

 

[Christos]

First off, it is far easier to setup and configure than either of the “sense” solutions.

Setting up vpn or wireguard servers/clients is very easy and intuitive. This is not the case for the others.

Dual WAN load balance/failover is the same.

Everything in Arista is easier to configure and manage.

The ONLY drawback is, to get all the features offered, it will cost $150 USD annually.

I have determined it is worth it for my home network. Heck, I just cancelled my Netflix service and that more than pays for Arista Home Protect Plus.

Now I need to find a new home for this shiny new RT-AX86U Pro……

Firewalls are supposed to be “set it and forget it” devices. In this perspective I don’t believe that spending $150 each year on a device that should be sitting there and doing its job, is worth it. I understand that there is a learning curve on *sense firewall and you have to spend some hours on the first day, but the next years they will run on their own.

 

[Tech9]

Firewalls are supposed to be “set it and forget it” devices. In this perspective I don’t believe that spending $150 each year on a device that should be sitting there and doing its job, is worth it.

For home use - probably. For business - I pay much more.

 

[Smokey613]

Firewalls are supposed to be “set it and forget it” devices. In this perspective I don’t believe that spending $150 each year on a device that should be sitting there and doing its job, is worth it. I understand that there is a learning curve on *sense firewall and you have to spend some hours on the first day, but the next years they will run on their own.

For a simple setup you are correct that it is not too complicated. Just FYI, I ran a pfSense box for almost 2 years so I do have some experience with the platform.

I too was initially not keen on spending the money but I determined for me it is worth it for the ease of configuration and very nice reporting.

Just one example, setting up opnvpn connection in pfSense requires jumping through all kinds of hoops. Creating certificates, manually creating firewall rules, manually configuring the client config.

In Untangle it’s as easy as Asus. Just import your vpn client .opvn file, insert your login credentials and done.

Port forwarding rules for an internal server, routing traffic from that server out my secondary WAN connection, wireguard server setup, etc.

If I had to sum it up, it’s as easy as an Asus router but with more robust hardware / software.

 

[coxhaus]

Firewalls are supposed to be “set it and forget it” devices. In this perspective I don’t believe that spending $150 each year on a device that should be sitting there and doing its job, is worth it. I understand that there is a learning curve on *sense firewall and you have to spend some hours on the first day, but the next years they will run on their own.

I think firewalls needs tons of support with security updates with the always evolving security threats. And somebody has to do the work. It needs to be paid for. Companies either sell hardware or software to make the revenue to support this.

 

[Tech Junky]

Firewalls are supposed to be “set it and forget it” devices. In this perspective I don’t believe that spending $150 each year on a device that should be sitting there and doing its job, is worth it. I understand that there is a learning curve on *sense firewall and you have to spend some hours on the first day, but the next years they will run on their own.

A subscription model is always an option for those that don't / can't get their hands dirty. Though simplicity in setup to block things is usually the best option. Having worked with complex setups in an enterprise environment it gets overly complicated as time passes and engineers come and go. Remnants of rules get left in place because they weren't documented or people are unsure of the result of cleaning things up. Others don't pay staff to handle security issues and outsource the task to other companies to deal with instead. I personally hate dealing with FWs but, can if I need to. I take the KISS approach and leave it at that at this point. My rules add up to maybe 15 lines and have yet to have any issues with a breach with the device connected as the "router" to the ISP directly w/o using some cheap / expensive piece of plastic off the shelf from your corner electronics store.

Most of this is just documenting packet flows though to see where the traffic is coming/going. Essentially though it's blocking anything that isn't originating from the LAN side. Nothing from the outside is permitted unless it has a session that started from the LAN,

IN = WAN
FWD = NAT
OUT = outbound traffic

There has to be permitted LAN to LAN to make things work so IN/OUT have lo/br0 permitted and everything else is tracked flows.

Then for the NAT portion which isn't exclusively detailed here is mostly sent through Nord but, there are some pinholes for particular traffic to bypass the VPN for everything else.

To pinhole the traffic you just add static routes pointing them out the bo0 (WAN) instead of taking the default route.


Once you understand how the magic happens you can do it yourself and kill the fluff injected by other GUI options. The less outside influence you have on your internal network the better off you are. When you have other entities making decisions for you is when there's going to be an issue.

 

[Centrifuge]

Once you understand how the magic happens

If it were just so easy.. Would you recommend something like Shorewall or firewalld as good place to begin, for a simple home network?

 

[Tech Junky]

If it were just so easy.. Would you recommend something like Shorewall or firewalld as good place to begin, for a simple home network?

Either one of those does the same thing. You have to start somewhere with something. The CLI approach minimizes clutter though. When you use a GUI it usually uses macros and makes it more complicated when it breaks to decipher things to figure out where the issue lies.

 

[coxhaus]

It looks like pfsense 2.7 released. It is available for download. Some security fixes are in place. I wonder if any of the security fixes were related to using the latest FreeBSD 14.

PS
I just found this. It looks like it is going to be released on June 29.
The Release Candidate (RC) builds of pfSense

CE software version 2.7.0, and pfSense

Plus software version 23.05.1, are now available. As we prepare for their final release (currently planned for June 29) we invite you to try out the release candidates and share your feedback with us.

Security​

pfSense CE 2.7.0-RELEASE includes fixes for the following potential vulnerabilities:

• pfSense-SA-22_05.webgui: A potential XSS vulnerability in firewall_aliases.php from URL table alias URLs.
• pfSense-SA-23_01.webgui: A potential XSS vulnerability in diag_edit.php from browsing directories containing specially crafted filenames on the filesystem.
• pfSense-SA-23_02.webgui: A potential XSS vulnerability in system_camanager.php and system_certmanager.php from specially crafted descriptions when editing entries.
• pfSense-SA-23_03.webgui: A potential authenticated arbitrary file creation vulnerability from the name parameter when creating or editing URL table aliases.
• pfSense-SA-23_04.webgui: A potential authenticated arbitrary command execution vulnerability in status.php from specially crafted filenames on the filesystem.
• pfSense-SA-23_05.sshguard: Anti-brute force protection bypass for GUI authentication requests containing certain proxy headers.
• pfSense-SA-23_06.webgui A potential Authenticated Command Execution vulnerability from the bridgeif parameter on interfaces_bridge_edit.php in the GUI.

 

[Smokey613]

For a simple setup you are correct that it is not too complicated. Just FYI, I ran a pfSense box for almost 2 years so I do have some experience with the platform.

I too was initially not keen on spending the money but I determined for me it is worth it for the ease of configuration and very nice reporting.

Just one example, setting up opnvpn connection in pfSense requires jumping through all kinds of hoops. Creating certificates, manually creating firewall rules, manually configuring the client config.

In Untangle it’s as easy as Asus. Just import your vpn client .opvn file, insert your login credentials and done.

Port forwarding rules for an internal server, routing traffic from that server out my secondary WAN connection, wireguard server setup, etc.

If I had to sum it up, it’s as easy as an Asus router but with more robust hardware / software.

I have temporarily gone back to my TP-Link ER605 for my network and will continue evaluating the Arista NGF.

It is a very nice firewall with lots of features but I found myself sliding back down the rabbit hole with spending way too much time “tinkering” with it. It easily will cause “information overload” if you allow it.

Then you fall into the trap of trying to secure your network even further but eventually the internet has greatly changed from just 5 years ago.

With the almost total reliance by providers on CDNs, it is almost impossible to “lock down” your network without breaking stuff. Throw in QUIC, https, DoH, etc it turns into a never ending endeavor.

BTW, I am still running the Arista firewall using the free 30 day license.

 

[sfx2000]

My pfsense is working well. The only thing is I wish SNORT was version 3. I don't really know the other intrusion protection system for pfsense. I would have to learn it.

Suricata?

Sometimes you just need to trust folks - Snort and Suricata are great tools, but there's an impact to performance, and these days with everything being https, well, that starts to limit the utility of those packages...

 

[coxhaus]

Suricata?

Sometimes you just need to trust folks - Snort and Suricata are great tools, but there's an impact to performance, and these days with everything being https, well, that starts to limit the utility of those packages...

I am hoping with a clock in the 3 GHz range there will not be too much lag. I don't know which IPS I will load. There are things that can still be blocked which the download rules sets will still work on. My plan is not to get too lost and granular. We will see.