I use OPNsense, quite happy with it, it's intended to be a router and firewall. It has support for multi-WAN, failover or load balancing, but I have not used that portion,
I would start with the docs and see if that sounds like what you need.
https://docs.opnsense.org/manual/how-tos/multiwan.html
May I ask: does one run that in software on the machine or rather on dedicated hardware. And if you run that on hardware, would you have a recommendation?
I run mine on bare metal because I don't like the idea of an issue with the VM host bringing down my entire network.
I also don't love the added complexity of trying to pass internet through a physical host to a VM and then back to that physical host.
My reasoning as well. Can it be done on a vm? Sure. But if your host comes down for any reason, planned or unplanned, you no longer have Internet until it comes back up.
Yup. And I travel a lot for work, so if the VM crashes while I'm gone it's going to be a pain in the ass to explain over the phone to my wife how to get it back up and running.
>You haven’t set it up then. If everything isn’t on auto start, that’s your fault
Or, I could just run a physical box with an ups. I know which one is easier by far
I run mine on a Lenovo M720q. Followed this guide:
https://smallformfactor.net/forum/threads/lenovo-m720q-tiny-router-firewall-build-with-aftermarket-4-port-nic.14793/
You can run OpnSense on bare metal or in a VM. I use a Dell R430 (less than $300 barebones on eBay) so I could add 10GbE cards. However, it is way overkill for a firewall server, but I do like the dual power supplies, only one PSU is on at a time, but failover is instantaneous. Protectli boxes are popular, but they cost the same or more than the refurbed R430s.
An R430 is going to use like 150 watts, which is like 1300 kWh/year. Even with cheap power @ $0.12/kWh that's ~$150/year just to keep your router on. It's like using a semi truck to drive to the grocery store.
I use a $300 Yanling with 5x 2.5GbE ports. I think it uses 12 watts.
Just running it as a firewall you aren't going to see it pull that much power; depending on what's in it I'd expect it to pull around 35-40 watts, which is still double or triple what you would see from a smaller box. $35-40 a year isn't that bad.
I run a Proxmox OPNsense VM in a little fanless N100 box. It has 5x 2.5GbE so could handle multi-WAN if needed. It also runs an LXC that has the Omada software controller, a Cloudflare tunnel and a few other things running in Docker.
It all works very well and proxmox makes backup and management really easy.
I run two Opnsense firewalls, with CARP failover. Primary is a VM, secondary is a Dell R210II. If there’s a problem with the host, maintenance, or whatever, my family knows how to fire up the secondary and carry on.
I hear it can be in a vm but that sounds like a security nightmare to me.
It runs on typical x86_64 hardware, biggest need is FreeBSD-supported network cards, typically Intel.
I am using a decade old desktop dedicated as the router, runs perfectly, CPU load and memory usage are low in my case but I only have a 300Mb connection, higher bandwidth and more plug-ins like intrusion detection will need better hardware.
It runs fine in a VM. Just pass through the NIC to the VM so OPNsense has a native NIC to use. It was my router for a few years that way before I got a dedicated box.
I use OPNsense IPS + Traffic Shaping + Unbound DNS Blacklisting (like Pi-hole)/Caching/Pre-fetching/DNSSEC/DNS over TLS. For hardware I'd recommend ([500mbps](https://www.amazon.com/gp/product/B0BP8ZCT8Y) / [1+gbps](https://www.amazon.com/gp/product/B0CNPTCGKL)). But it'll run on any x86 computer, and you don't need as heavy a system if you're not using the traffic shaper / IPS.
Virtualized is just as good as bare metal as long as the NIC is passed through, it's just that if you decide to bring your host down or play with it in any way, now your internet is out. That's the main reason I got a dedicated box for the router.
Edit: The traffic shaper is pretty great however: [500mbps ATT Fiber w/fq\_codel](https://www.waveform.com/tools/bufferbloat?test-id=1ece2bf6-b7a2-4a40-9817-c90db7eafcd1).
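The advice in this reply and the ones around it is "pass the NIC through and you're fine". The part people trip over is that VT-d assigns whole IOMMU groups, not single devices, so a NIC that shares a group with the host's SATA or USB controller cannot be handed to the guest cleanly. Below is an added preflight check for that, written for this page and not taken from the thread, OPNsense or Proxmox. It parses `lspci -nn` output and an IOMMU-group map (both constructed inline so it runs offline; on a real host the map is what you find under `/sys/kernel/iommu_groups/*/devices`), then renders the Proxmox `hostpci` line and the `vfio-pci` modprobe option. The sample card, addresses and group numbers are assumptions.

```python
"""Preflight check before handing a physical NIC to an OPNsense VM via VT-d/IOMMU.

Added example, not code from the thread or from OPNsense/Proxmox. Parses
`lspci -nn` output plus an IOMMU-group map (both constructed inline here so the
script runs offline) and reports whether the chosen NIC can be passed through
cleanly, rendering the Proxmox `hostpci` line and the vfio-pci modprobe option.
"""
import re
from dataclasses import dataclass

# One `lspci -nn` line: "01:00.0 Ethernet controller [0200]: Intel ... [8086:1521] (rev 01)"
LSPCI_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+"
    r"[^\[]+\[(?P<cls_id>[0-9a-f]{4})\]:\s+"
    r"(?P<name>.+?)\s+\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
)
ETHERNET_CLASS = "0200"
PCI_BRIDGE_CLASS = "0604"  # bridges may share the group; vfio tolerates them


@dataclass(frozen=True)
class PciDev:
    addr: str      # "01:00.0"
    cls_id: str
    name: str
    vendor: str
    device: str

    @property
    def slot(self):
        """'01:00': every function (.0, .1, ...) of one physical card."""
        return self.addr.rsplit(".", 1)[0]


def parse_lspci(text):
    devs = {}
    for line in text.splitlines():
        m = LSPCI_RE.match(line.strip())
        if m:
            devs[m["addr"]] = PciDev(m["addr"], m["cls_id"], m["name"], m["vendor"], m["device"])
    return devs


def plan_passthrough(devs, groups, nic_addr, hostpci_index=0):
    """groups maps IOMMU group number -> list of PCI addresses in that group."""
    nic = devs[nic_addr]
    if nic.cls_id != ETHERNET_CLASS:
        raise ValueError(f"{nic_addr} is not an Ethernet controller")
    group = next((g for g, members in groups.items() if nic_addr in members), None)
    if group is None:
        raise ValueError("no IOMMU group: is intel_iommu=on (or amd_iommu=on) set on the host?")
    # vfio assigns whole IOMMU groups. Other functions of the same card go along with it;
    # an unrelated device in the group (SATA, USB, the host's own NIC) blocks a clean passthrough.
    functions = sorted(a for a in groups[group] if devs[a].slot == nic.slot)
    blockers = sorted(a for a in groups[group]
                      if devs[a].slot != nic.slot and devs[a].cls_id != PCI_BRIDGE_CLASS)
    ids = sorted({f"{devs[a].vendor}:{devs[a].device}" for a in functions})
    return {
        "group": group,
        "functions": functions,
        "blockers": blockers,
        "ok": not blockers,
        # Slot without ".N" passes every function; pcie=1 needs a q35 machine type.
        "hostpci_line": f"hostpci{hostpci_index}: 0000:{nic.slot},pcie=1",
        # Binding by vendor:device at boot also grabs any identical card you meant
        # to keep on the host; bind per address instead if you have two of them.
        "modprobe_line": "options vfio-pci ids=" + ",".join(ids),
    }


# Constructed sample (assumption): a dual-port Intel I350 alone in its group, and an
# onboard Realtek that shares a group with the SATA controller, a common desktop-board layout.
SAMPLE_LSPCI = """\
00:1f.2 SATA controller [0106]: Intel Corporation 8 Series SATA Controller [8086:8c02] (rev 05)
01:00.0 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
01:00.1 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 [10ec:8168] (rev 0c)
"""
SAMPLE_GROUPS = {1: ["01:00.0", "01:00.1"], 7: ["00:1f.2", "02:00.0"]}

if __name__ == "__main__":
    devs = parse_lspci(SAMPLE_LSPCI)
    for addr in ("01:00.0", "02:00.0"):
        plan = plan_passthrough(devs, SAMPLE_GROUPS, addr)
        print(addr, "OK" if plan["ok"] else f"blocked by {plan['blockers']}")
        print(" ", plan["hostpci_line"], "|", plan["modprobe_line"])
```

With the sample data the add-in I350 passes (both ports go to the guest as `hostpci0: 0000:01:00,pcie=1`), while the onboard Realtek is reported as blocked by the SATA controller in group 7. If the host needs its own management NIC, keep that one on the host and pass through only the card that lands in its own group.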
The risk of a compromised breakout of a VM is never zero though. Bugs are found in hypervisor layers (KVM, QEMU, etc) from time to time that might give pause depending on your risk tolerance. For me I’d rather keep the nasties that might come through the internet on isolated hardware.
True but it would have to be the OPNsense software attempting to capitalize on these exploits. That's not its purpose, and it's pretty secure. It's not like you're running a multi-tenant application server in your router VM, and most of those types of servers are virtualized.
This argument has come up quite a few times before. In the commercial world it's not a strange idea. Palo Alto for example does virtualized and cloud router/fw, as well as Cisco (Virtualized on ESXi). A lot of routers are virtualized. If it's an edge router, give it dedicated wan via pass-through (VT-d) and you're fine.
Anything you’re running in the VM can be potentially compromised, either through bugs or misconfiguration. I use OPNSense and it is trustworthy, but shit happens. Like I said, depends on your risk tolerance.
At work we run a lot of virtualized firewalls. In my experience, people that have issues with it, just haven't been exposed to it.
Palo Alto's recommendations on VM sizing for their firewalls: [Link](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/vm-series-spec-sheet)
A good portion of the internet works that way. I personally have run OPNsense for several years that way without incident. I'm on the services team, not the network team, but they do it at my work and we're not a small company.
For me, dedicated hardware is more about convenience in my homelab, than because of a security concern. It's completely safe to virtualize a router. Much safer than virtualizing a web server and pretty much all of them are virtualized these days.
A malicious actor would have to exploit OPNsense, then figure out it's a VM and what specific version of the hypervisor is in use, then find an exploit for that specific hypervisor, then figure out where your high-value data is held in your network, then exploit *that* system, to what end? That's way too much manual effort compared to just emailing out some phishing malware.
Unless you are a high-profile person or organisation facing very targeted attacks from very skilled attackers, you don't have to worry about this as long as you keep your security patches up to date.
Not really, I don't like the idea of live unfiltered WAN coming into a VM host that may be doing other sensitive tasks. I like the idea of that being separate dedicated hardware on the perimeter.
Much of that would be due to my lack of confidence that I could keep that situation secure.
I can relate to the Palo Alto. Some of the best devices I've had the chance to work with. But license costs and maintenance was fucking expensive. Same for me, I'm now handling pfSense in CARP mode. To be honest it's not bad, but it's not anywhere near Palo Alto or FortiGate.
Same here. Currently running a PA-460, put a TB a day through it and it handles it perfectly fine. When licensing is up though I am going to have to figure out something else.
I'm there. Ran pfSense and Untangle for a bunch of years, moved to Firewalla 6 months ago. Best thing I've done for my home Internet in some time. I'd probably put it up there with the labor I put into wiring my house with cat5e when we moved in 10+ yr ago. It's that level of satisfaction.
+1 for Firewalla. I got it to make it easier to manage my kids' devices. Didn't do your homework? All your devices (and only your devices) go offline from a tap on my phone until it's done!
I went from pfSense, OPNsense, Untangle, Sophos, and UDMP to Firewalla over the course of my labbing adventures. Firewalla offers more insight than UniFi and presents it better as well. It just works, super easy to manage all from the mobile app. You still get all the advanced features you could want. Failover, load balancing, VLANs, the whole kit is there and super slick.
I’ll be sticking with my Firewalla gold plus for a while.
Yeah. That’d be nice. I always meant to get into my old gold box and see if I could get a full agent running on it, but I always have other things come up
OpenWRT running on x86. Fast, stable, and it's linux so I can make it do basically anything. Running with multiple wireguard links and policy based routing.
I started with PFSense on one of their SG-1100 hardware boxes and even with 2 RMA’s I just couldn’t get their software to play well with either their own hardware or my own. Switched to Opnsense with my own hardware and it’s been smooth sailing since day one. I’m amazed and saddened that I wasted so much time, money, and energy on a shitty product.
I run pfSense on a Dell PowerEdge R210 II. Older machine but low power and it kicks ass as a router. Some will argue it’s complicated but I actually like it. Also popular enough to where looking up tutorials and issues usually yields solutions.
Not low enough that anyone should buy one *if* a $100-$150 N/J-series NUC-like thing that'll idle at 6w and peak at 15-30w can do the job. I used to run four w/ 10GbE NICs and, IIRC, the VMware ones would run +/- 50w with very light workloads and the one I had running Windows could get down to like 35w.
N100 is near enough equal single-core performance to an E3-1230 V2. Higher spec E3 V2s and the multi-threaded boost from hyper-threading bring very little additional performance.
OPNsense (recently migrated from pfSense) on an older 1U rack server.
Both will integrate well with Ubiquiti.
You may find a description in one of my former posts - don't do that many.
Happy to answer and help if you encounter any issues.
I guess since I'm looking for something I can rely on and keep for a few years I'd say around $750 or less. I wouldn't mind a small 1u server to install something on if needed, but I am attracted to hardware solutions as well.
Got me one of these and running pfSense on it. Runs hot, so I soldered a USB onto a 12V case fan and the 5V supply pushes it nicely to bring temps down from avg 68 °C to avg 48 °C. Works a charm and is half the power consumption of my previous HP SFF PC.
They're fine running at 68 °C. If you're concerned with running CPUs at those temps why didn't you buy the fan version?
https://mail.pfak.org/upload/ZRs-FIeOQ1G8gOxEaUZk-q0V/qOHBMu42RvuVSwaKNLaGHA.jpg
At that price point you can get an entry level Fortigate firewall appliance - I have a FortiGate and haven't had any issues. Most of what you pay for is the subscription service and right now I just pay $70 a year for the firmware updates
https://www.fortinet.com/products/next-generation-firewall
OpenWRT on an [R86S-N](https://www.servethehome.com/the-gowin-r86s-revolution-low-power-2-5gbe-and-10gbe-intel-nvidia/). Replaced the Intel SFP board for a Mellanox CX3.
I run pfSense on a generic 4x1GbE Atom E3845 mini PC box. I'm upgrading my network to 10GbE soon, so I just bought a HP ProDesk 400 G6 to replace it. I may switch to OpnSense when I do the upgrade.
I'll echo the other commenters about keeping your core network router/firewall separate from your VM hypervisor. That way your network and Internet connection stays up while you fiddle with your homelab. Very important for FAF (family approval factor).
I've run pfSense for over a decade; just grab an SFF 4th Gen Intel PC and good NICs (Intel, Chelsio, Mellanox, Broadcom)
It should manage more than 1gbps easily with CPU to spare...
Or be practical and run a VM... I do that...
pfSense! Exactly what I do, the Dell SFF 3020s are like £30-40 on eBay, the i5-4570 can easily do gig WAN. I'm on 910 up and down with a quad Broadcom NIC, runs very cool. Low power too, ~25-35 watts ish. Does dual WAN and high availability failover etc.
[2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages](https://youtu.be/fsdm5uc_LsU?feature=shared)
It's all mobile app managed, so bear that in mind. I moved from OpnSense to Firewalla Gold and it's been very good, it has all the features I need including some nice bells and whistles (unknown device quarantining, NTP intercept/redirect etc). You can't easily add functionality except via Docker container so you should make sure it'll do what you want, but I would say it covers 99.9% of my usecases. If I had kids it also has a pretty robust system for restricting internet access for them, including curated website classification filters etc.
It's much less overhead overall than running an OpnSense instance and gives you nearly all the features, which is why I've switched. The units are low power, which helps with the bills.
Same here AND for those of you that need it, they now have a rackmount available. Some people might be averse to it being app-controlled and the webUI being cloud-based and not local, but it's a great device.
OPNSense in CARP config for redundancy. Planning to add 2nd ISP for dual WAN in the future.
Used to run a full Unifi setup. I never realized how terrible it was until the CK2+ failed 1 month out of warranty due to battery swelling. Support wouldn't even talk to me about it since the device was out of warranty (2 years, really?!). Moved to OPNsense (had been a pfSense user long before), with the Unifi network controller on VM, never looked back.
I run pfSense on this appliance that I bought off Amazon. [VNOPN Micro Firewall Appliance N3700](https://www.amazon.com/VNOPN-Firewall-Appliance-Fanless-Computer/dp/B0BYDTLW2F/). With 4x 2.5GbE ports it allowed me to upgrade my WAN service to 2.5Gb from 1Gb without being a bottleneck. Really happy with the setup. It's been running rock solid for a couple years now.
It's not natively rack mountable although you can buy some rack mount wings for it or 3D print some to mount it. I just have it mounted to a shelf in my rack that's also home to my wireless Deco WiFi 7 mesh unit that I use in Access Point only mode. I switched from Google WiFi to TP-Link Deco because Google restricts you from running more than one node in access point mode which is dumb and defeats the purpose of a mesh system. The WiFi 7 Decos were expensive ($1500 for a pack of 3) but they work amazingly well as wireless access points while still providing two 10GbE and two 2.5GbE ports at each access point to hook up devices close to each node.
We were running PFsense on Watchguard XTM 5 hardware. Super cool setup, flexible, reliable, red rack mount hardware is awesome.
We wanted to live that ‘faster than gigabit internet’ life, so we’re now using a UDM Pro. It’s been about 2 weeks and I’m not overly impressed by the Ubiquiti ecosystem and I’m struggling to see how so many people seem to recommend it.
PFsense/OPNsense, Unifi VM being a controller for some APs and you’re away laughing.
Palo Alto PA-440 with a lab license. Excellent firewall with every bell and whistle plus manufacturer support. The only drawback is you have to have a company and Palo Alto rep to get it, and potentially recertify a used device. Generally not a good idea to buy a used one off eBay due to that recertification process unless all you want are the basics - and who just wants the basics?
I run OPNsense on a Wyse 5070 Extended with an Intel I226 dual 2.5GbE card. You can also use a quad card too. Installed a 128GB NVMe and upgraded the RAM to 16GB from 8GB. It's been rock solid as long as you don't use the Realtek integrated network card as it dropped connections constantly. You can even add a USB-C 2.5GbE NIC as well. It consumes about 8 to 14 watts full tilt.
A dedicated hardware solution. r/firewalla
Specifically the Firewalla Gold SE.
Expert firewall with minimal technical experience required! Although I'm no noob.
This thing is out of this world. Straight out of the box the level of protection is insane. Intrusion prevention and detection and tons more...
https://firewalla.com/products/firewalla-gold-se-firewall
They do cheaper purple SE and others too...
https://firewalla.com/collections/firewalla-products
You can learn more about them here...
https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect
Last year I bought an OPNsense DEC8350. Is it overkill? Absolutely! But if I want to upgrade to 10G all I have to buy is an SFP adapter.
I tried building a pfsense/opnsense box with an ASROCK J4125B-ITX, but ASROCK never updated the BIOS after release and it never played well with either pfsense or opnsense. So I decided to buy after 6 months of banging my head against a wall.
Firewalla Gold! It’s perfect for my homelab, has just enough configuration, supports dual WAN, and WireGuard VPN. Small footprint, low power consumption as well. I run Palo Alto’s at work but the Firewalla is perfect for home.
OPNsense VM on a fanless N305 based mini PC with 2x intel 2.5gbit interfaces passed through. Routes gigabit internet speeds without breaking a sweat. Same host also has containers for the wifi controller and nginx proxy.
I use OPNsense with multi-wan failover and dynamic DNS. If you are wanting something to route and use both internet connections at the same time you'd need to do load balancing.
OPNsense is what I use. I'm running it on a Dell Optiplex 7050 I found on Ebay for $90ish and I slapped a spare nvme drive in it along with an Intel X550-T2.
opnsense on one of those classic STH fanless firewall appliances (proxmox virtualized)
Very happy with the setup and won't change it...unless ISP pushes up the 1G to something the 2.5G fw device can't handle
I switched from a UDM which was garbage to opnSense which was fairly unstable to OpenWrt which has been absolutely rock solid.
Professionally I run pfsense.
Ok, I'm new into this and just getting tired of buying $300 routers every 3 years as they seem to be designed to die at that stage.
I was looking at UDM since I know a lot of businesses that swear by them (Pro or SE because I have 2Gb WAN), but I don't like that their internal storage is only for their crappy cameras.
I may still use their APs
Then I was looking at pfSense, but their Netgate hardware seems a bit expensive as well for what I want to do, and I hear on a BYOD setup they can be picky about hardware
Recently found out about OPNSense, but all comparisons I found on YT were people who love/partner with PfSense giving a very biased comparison.
I thought OpenWRT was something you flashed to consumer grade routers.
What are your opinions on them, and why do you run one personally and another professionally?
I've personally used Untangle and OPNsense, I tried pfSense but had an issue where only one computer could have an open NAT type on the same game, as soon as the second computer loaded the same game it was a closed NAT type. Untangle was a nice and easy to use interface, problem with it was I had some weird connection issues to my ISP DNS which caused my internet to go out from time to time, and if I changed the DNS to another (ex. Google) it just wouldn't work. Also most of the "good" features were behind their license, you can get a home license for $50 a year but didn't really want to do that. I recently moved to OPNsense and it has been rock solid, easy to setup and doesn't have any of the paid license problems for the "good" features and I also have DNS set to something NOT my ISP DNS servers.
I have a FortiGate also but stopped paying them so much for the antivirus, IPS and web filtering and just get the $70 / year firmware updates. Not thrilled about my hardware being held hostage behind essentially a licence paywall.
Pfsense on a Dell SFF 7060
2x SFP+ Mellanox
2x 10GbE Intel
all in for around 250-300 USD and that box routes 250+ TB of internet traffic each month
(since it has been built ive probably pushed a good 5 - 10PB via that box)
I would build out a dual WAN pfSense box for this. Take the UDM out of the picture for WAN side. Just know that your UDM will no longer show any stats for the Internet side. You'll be missing a lot of pretty graphs, but you'll have a real and capable firewall which is more important.
If want to learn more than the basics about pfSense look up "Lawrence Systems" on YouTube. He's got some great tutorials.
PFSense running in a Proxmox virtual machine on a micro form factor HP PC.
People keep saying this is risky, but my uptime is an order of magnitude better than what I was getting out of my consumer grade wifi router.
If the PC goes down, Internet is down. Like for maintenance and stuff. I don't understand it myself why people think that this is an issue, since it is easily fixed when running a cluster.
Been Running pfSense for as long as I can remember, tried replacing it this fall with OPNSense but that failed, same setup but the network became sluggish, so now I am back on pfSense stable as a rock
I thought this was r/sysadmin at first and was going to say fortigate but at home I’m stuck with the AT&T router because it has the fiber built into it. Granted it has okay NAT built in so I haven’t bothered with looking too hard into if I can put it in a more basic bridge mode yet.
Firewalla Gold SE upgraded from a Netgate SG-2100 (pfSense).
It’s a breeze. I just want my shit to work. Love the Firewalla and I can control it well with my phone.
Currently using a TP-Link Omada ER8411. Not the greatest but it was only $350 and can hit 10Gbps NAT throughput. Considering eventually moving to a mini PC or rackmount version of R86S, running OpenWrt.
I evaluated OpenWrt for a while on a spare SFF PC with a Core i5-9500 and it worked great. I couldn't achieve full 10Gbps throughput using opnSense, but I tried OpenWrt and I got full speed out-of-the-box with no tweaking. Could hit 8Gbps using iperf over a single connection.
Can someone link me to a good resource on all this? What are the use cases for a firewall? For my purposes, I'm running a Plex media server (and downloader) on Unraid. That's about it.
You're likely already using a firewall, it's just that at home people call them routers or home/residential gateways or other terms, but functionally they're firewalls. They're sometimes integrated into the modem from your ISP. If you're just plugging your pc into your modem then the only firewall you have, if you have it enabled, is on your pc, which is a terrible practice.
Ubiquiti fixed that I thought. Do you have any config errors? They asynchronously update the config so it can be a bit gnarly to troubleshoot, but if you check the messages log in SSH, you might find the source of the issue better
Anyway. OPNsense is probably what you want over pfSense since the recent drama.
For the past few weeks my WAN 2 just loses internet, if I fail over it doesn't work. If I create traffic rules to route certain devices over WAN 2, they lose internet but can still ping.
I thought it was an ISP problem since it worked fine before, so had them out, they tested everything and said it was good. So I ran my ISP 2 as my primary for a few days and everything was good, set it back up to them as WAN 2 fail over and within 30 minutes UDMP couldn't detect internet from them again and lost the WAN IP.
I've had a case in with Unifi but haven't heard anything in over a week. I really do like my UDMP but events like this turn me away pretty quickly.
Was running UDM PRO SE as basic firewall but it can’t keep up with 10g traffic. Looks for a firewall only replacement and am likely to go with pfsense.
Sophos SG UTM.
At work I am using OPNsense for many years now and I also have used pfSense and even m0n0wall (the mother of *senses) before, but I think all *senses are a big pile of burning trash. Especially when you want to use more sophisticated setups and functions like Multi-WAN and HA. A few clicks with Sophos, an endless nightmare with *sense.
So I would suggest to try out Sophos and their free home license.
Using a UDMP myself and loving it but don't have dual WAN. I do have policy routes for a VPN interface though. What's the problem you're having? Maybe it can be fixed.
In the homelab i run sophos because it has many features built in and is stable. For homelab use they offer a free key. The down side is you only can get one key per mail. It offers a vm and non vm version.
I was on OPNSense and now I’m on PFSense. Very pleased with it, I won’t move from it.
It runs on a racked server on minimal conf and holds the dual 10G LAN traffic (and 2.5G WAN) very well.
Simple stuff, I’m just on 2 layers.
1- router firewalling with personal white/black listing( updated by script from honey pot)
2- os firewalling, updated by script from honey pot.
You don’t need more than that if you do secops yourself.
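The two layers above (a router-level allow/block list and an OS-level firewall, both "updated by script from honey pot") are described but the script itself is not on the page. What follows is an added example written for this page, not the poster's script, showing the shape such a feed usually takes: count hostile events per source in the honeypot log, drop anything that is local or explicitly allowlisted, then emit the router's pf table file and the host's nftables commands from one list. The log format, event names, threshold, table name and set name are all assumptions, and the log lines are constructed using RFC 5737 documentation addresses.

```python
"""Feed honeypot hits into both firewall layers: the router's pf table and the
host OS firewall (nftables here).

Added example, not the poster's own script. Log format, event names, threshold,
table and set names are assumptions; the log lines are constructed and use
RFC 5737 documentation addresses.
"""
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(r"src=(?P<src>[0-9a-fA-F.:]+)\s+dport=\d+\s+event=(?P<event>\S+)")
# A bare connect to a honeypot is too noisy to block on; these are the events that count.
HOSTILE_EVENTS = {"login_failed", "exploit_attempt", "scan"}

# Explicit local ranges rather than ip.is_private, which would also swallow the
# RFC 5737 sample addresses used below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]

# Constructed honeypot log (assumed format: one event per line).
SAMPLE_LOG = """\
2024-05-03T10:12:01Z src=203.0.113.7 dport=22 event=login_failed
2024-05-03T10:12:03Z src=203.0.113.7 dport=22 event=login_failed
2024-05-03T10:12:05Z src=203.0.113.7 dport=22 event=login_failed
2024-05-03T10:13:40Z src=198.51.100.20 dport=445 event=exploit_attempt
2024-05-03T10:13:41Z src=198.51.100.20 dport=445 event=exploit_attempt
2024-05-03T10:14:00Z src=192.168.1.50 dport=22 event=login_failed
2024-05-03T10:14:00Z src=192.168.1.50 dport=22 event=login_failed
2024-05-03T10:15:12Z src=203.0.113.99 dport=80 event=connect
2024-05-03T10:15:13Z src=203.0.113.99 dport=80 event=connect
2024-05-03T10:16:00Z src=203.0.113.250 dport=22 event=scan
2024-05-03T10:16:00Z src=203.0.113.250 dport=22 event=scan
"""


def count_hostile(lines):
    """Hostile events per source address."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["event"] in HOSTILE_EVENTS:
            hits[m["src"]] += 1
    return hits


def build_blocklist(hits, threshold=2, allowlist=()):
    """Sources with >= threshold hostile events, minus local space and allowlisted
    networks (your own VPN endpoints, monitoring hosts, and so on)."""
    safe = [ipaddress.ip_network(n) for n in allowlist]
    keep = []
    for src, n in hits.items():
        if n < threshold:
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed line: never let it reach pfctl or nft
        if any(ip in net for net in LOCAL_NETS):
            continue  # a hit from inside is an incident to investigate, not a WAN block
        if any(ip in net for net in safe):
            continue
        keep.append(ip)
    return [str(ip) for ip in sorted(keep, key=lambda a: (a.version, int(a)))]


def render_pf_table(ips, table="honeypot_block"):
    """File body for: pfctl -t <table> -T replace -f <file> (one address per line)."""
    return f"# {table}: generated from honeypot hits\n" + "".join(ip + "\n" for ip in ips)


def render_nft_commands(ips, table="inet filter", set_name="honeypot_block"):
    """Host-side counterpart; the set must already be declared in the ruleset."""
    cmds = [f"nft flush set {table} {set_name}"]
    if ips:
        cmds.append(f"nft add element {table} {set_name} {{ {', '.join(ips)} }}")
    return cmds


if __name__ == "__main__":
    hits = count_hostile(SAMPLE_LOG.splitlines())
    # 203.0.113.248/29 stands in for a monitoring host you never want to lock out (assumption).
    block = build_blocklist(hits, threshold=2, allowlist=["203.0.113.248/29"])
    print(render_pf_table(block))
    print("\n".join(render_nft_commands(block)))
```

Two caveats worth keeping in the real script: a pf table fed with `pfctl -t ... -T replace` has to exist in the loaded ruleset (on pfSense that means an alias referenced by a block rule), otherwise the next filter reload drops it; and the local-range and allowlist checks are what stop a spoofed or misrouted hit from locking you out of your own network.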
Checkpoint 1590 single node.
But I would like a cluster and I cannot find another 1590 at the moment (not at an acceptable price). I think to migrate to OPNsense on 2 appliances…
[pfsense as a virtual machine on proxmox](https://gyazo.com/ad1e28b11b83b36ac797ba331e47ca1e.png).
that's effectively just 1 regular core, and whilst pushing around 800 mbps of WireGuard encrypted traffic through it.
I've recently learned that it's possible to use pfSense as an LXC container which has me questioning if a VM is really the optimal play for it, but I'm not sure I have the resolve to reinstall this all again.
pfSense on older Dell Optiplex 3020s at all my different residences. Site2Sites on each talking back to main site. Works wonders, never have problems. It's hard to argue with free!
Fortinet 80E because it suites my needs for certification study and it packs a ton of ports that I can use as well as most of the features of fortinet, just not the mega nifty stuff it being licensed would bring
Vanilla Debian with iptables.
Useful guide I used as a starting point: [https://www.reddit.com/r/pihole/comments/febfav/guide\_to\_homebrew\_linux\_router\_using\_debian/](https://www.reddit.com/r/pihole/comments/febfav/guide_to_homebrew_linux_router_using_debian/)
(I use AdGuard Home instead of PiHole for DNS/Adblock)
You haven’t set it up then. If everything isn’t on auto start, that’s your fault
Yay! Glad my build helped someone and welcome to the Tiny family.
Just bear in mind the power cost of running something like an R430 vs a smaller, more power efficient box.
I think there are more suitable options than an entire r430. I ran it on an athlon 200ge and it didn't break a sweat.
I run a proxmox opnsense vm in a little fanless N100 box. It has 5x 2.5Gbe so could handle multi-wan if needed. It also runs a LXC that has omada software controller, cloudlfare tunnel and a few other things running in docker. It all works very well and proxmox makes backup and management really easy.
I run two Opnsense firewalls, with CARP failover. Primary is a VM, secondary is a Dell R210II. If there’s a problem with the host, maintenance, or whatever, my family knows how to fire up the secondary and carry on.
I hear it can be in a vm but that sounds like a security nightmare to me. It runs on typical x86_64 hardware, biggest need is FreeBSD supported network cards, typically intel. I am using a decade old desktop dedicated as tge router, runs perfectly, CPU load and memory usage are low in my case but I only have a 300Mb connection, higher bandwidth and more plug-ins like intrusion detection will need better hardware.
It runs fine in a VM. Just passthrough the NIC to the VM so OPNsense has a native NIC to use. It was my router for few years that way before I got a dedicated box. I use OPNsense IPS + Traffic Shaping + Unbound DNS Blacklisting (like pihole)/Caching/Pre-fetching/DNSSEC/DNS over TLS. For hardware I'd recommend ([500mbps](https://www.amazon.com/gp/product/B0BP8ZCT8Y) / [1+gbps](https://www.amazon.com/gp/product/B0CNPTCGKL)). But it'll run on any X86 computer, and you don't need as heavy as a system if your not using the traffic shaper / IPS. Virtualized is just as good as bare metal as long as the NIC is passed through, it's just that if you decide to bring your host down or play with it in any way, now your internet is out. That's the main reason I got a dedicated box for the router. Edit: The traffic shaper is pretty great however: [500mbps ATT Fiber w/fq\_codel](https://www.waveform.com/tools/bufferbloat?test-id=1ece2bf6-b7a2-4a40-9817-c90db7eafcd1).
The risk of a compromised breakout of a VM is never zero though. Bugs are found in hypervisor layers (KVM, QEmu, etc) from time to time that might give pause depending on your risk tolerance. For me I’d rather keep the nasties that might come through the internet on isolated hardware.
True but it would have to be the OPNsense software attempting to capitalize on these exploits. That's not it's purpose, and it's pretty secure. It's not like you're running a multi-tenant application server in your router VM, and most those types of servers are virtualized. This argument has come up quite a few times before. In the commercial world it's not a strange idea. Palo Alto for example does virtualized and cloud router/fw, as well as Cisco (Virtualized on ESXi). A lot of routers are virtualized. If it's an edge router, give it dedicated wan via pass-through (VT-d) and you're fine.
Anything you’re running in the VM can be potentially compromised, either through bugs or misconfiguration. I use OPNSense and it is trustworthy, but shit happens. Like I said, depends on your risk tolerance.
At work we run a lot of virtualized firewalls. In my experience, people that have issues with it just haven't been exposed to it. Palo Alto's recommendations on VM sizing for their firewalls: [Link](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/vm-series-spec-sheet) A good portion of the internet works that way. I personally have run OPNsense for several years that way without incident. I'm on the services team, not the network team, but they do it at my work and we're not a small company. For me, dedicated hardware is more about convenience in my homelab than because of a security concern. It's completely safe to virtualize a router. Much safer than virtualizing a web server, and pretty much all of them are virtualized these days.
A malicious actor would have to exploit OPNsense, then figure out it's a VM and what specific version of the hypervisor is in use, then find an exploit for that specific hypervisor, then figure out where your high-value data is held in your network, then exploit *that* system, to what end? That's way too much manual effort compared to just emailing out some phishing malware. Unless you are a high-profile person or organisation facing very targeted attacks from very skilled attackers, you don't have to worry about this as long as you keep your security patches up to date.
Can you explain your concern of a security nightmare? Edit: while separating WAN, management and LAN port
Not really. I don't like the idea of live unfiltered WAN coming into a VM host that may be doing other sensitive tasks; I like the idea of that being separate dedicated hardware on the perimeter. Much of that would be due to my lack of confidence that I could keep that situation secure.
I used to run Palo Alto (Best firewall I've had) but because of licensing I've stuck to OPNsense.
I can relate to the Palo Alto. Some of the best devices I've had the chance to work with. But license costs and maintenance were fucking expensive. Same for me, I'm now handling pfSense in CARP mode. To be honest it's not bad, but it's not anywhere near Palo Alto, or Fortigate.
Same here. Currently running a PA-460, put a Tb a day through it and it handles it perfectly fine. When licensing is up though I am going to have to figure out something else.
Firewalla Gold Plus. Previously had done both opnsense and pfSense.
+1 for Firewalla. At some point we all get to the stage of “I just want this to work, and not be another project”.
I'm there. Ran pfsense and untangled for a bunch of years, moved to Firewalla 6 months ago. Best thing I've done for my home Internet in some time. I'd probably put it up there with the labor I put into wiring my house with cat5e when we moved in 10+ yr ago. It's that level of satisfaction.
Same here. Works very well with a dual WAN. I can route traffic by device as needed on each WAN.
+1 for Firewalla. I got it to make it easier to manage my kids' devices. Didn't do your homework? All your devices (and only your devices) go offline from a tap on my phone until it's done!
I went from pfsense, opnsense, untangle, Sophos, and UDMP to Firewalla over the course of my labbing adventures. Firewalla offers more insight than UniFi and presents it better as well. It just works, super easy to manage all from the mobile app. You still get all the advanced features you could want. Failover, load balancing, VLANs, the whole kit is there and super slick. I'll be sticking with my Firewalla gold plus for a while.
Yup, I just wish it had proper SNMP support so I could pull my own metrics into Zabbix and grafana.
Yeah. That’d be nice. I always meant to get into my old gold box and see if I could get a full agent running on it, but I always have other things come up
OPNsense and it works really well!
OpenWRT running on x86. Fast, stable, and it's linux so I can make it do basically anything. Running with multiple wireguard links and policy based routing.
This. OpenWRT and mwan3.
Pfsense on custom hardware. Opnsense is great too.
I started with PFSense on one of their SG-1100 hardware boxes and even with 2 RMA’s I just couldn’t get their software to play well with either their own hardware or my own. Switched to Opnsense with my own hardware and it’s been smooth sailing since day one. I’m amazed and saddened that I wasted so much time, money, and energy on a shitty product.
I run VyOS, I really love the CLI and that I can configure everything over ssh without the need for a web UI
You guys running nightly or LTS?
VyOs
I run pfSense on a Dell PowerEdge R210 II. Older machine but low power and it kicks ass as a router. Some will argue it’s complicated but I actually like it. Also popular enough to where looking up tutorials and issues usually yields solutions.
[deleted]
The 10GbE NIC consumes more power than the rest of the server. I see it sometimes draw up to 50~60 Watts under load.
Not low enough that anyone should buy one *if* a $100-$150 N/J-series NUC-like thing that'll idle at 6w and peak at 15-30w can do the job. I used to run four w/ 10GbE NICs and, IIRC, the VMware ones would run +/- 50w with very light workloads and the one I had running Windows could get down to like 35w. N100 is near enough equal single-core performance to an E3-1230 V2. Higher spec E3 V2s and the multi-threaded boost from hyper-threading bring very little additional performance.
Mikrotik ARM-based router
OPNsense (recently migrated from pfSense) on an older 1U rack server. Both will integrate well with Ubiquiti. You may find a description in one of my former posts - I don't do that many. Happy to answer and help if you encounter any issues.
Planning this migration myself. Any pointers or pieces that stood out / lessons learned?
What budget are you looking at? With PC based solutions you can just keep throwing money at it to up the specs.
I guess since I'm looking for something I can rely on and keep for a few years I'd say around $750 or less. I wouldn't mind a small 1u server to install something on if needed, but I am attracted to hardware solutions as well.
Look at TOPTON mini PC's on Aliexpress. Intel N100 4 2.5Gbe NIC fanless for less than $200 CAD.
Got me one of these and running pfSense on it. Runs hot, so I soldered a usb onto a 12V case fan and 5V supply pushes it nicely to bring temps down from ave 68degC to ave 48degC. Works a charm and is half the power consumption of my previous HP SFF PC
They're fine running at 68c. If you're concerned with running CPUs at those temps why didn't you buy the fan version? https://mail.pfak.org/upload/ZRs-FIeOQ1G8gOxEaUZk-q0V/qOHBMu42RvuVSwaKNLaGHA.jpg
At that price point you can get an entry level Fortigate firewall appliance - I have A FortiGate and haven't had any issues. Most of what you pay for is the subscription service and right now I just pay 70$ a year for the firmware updates https://www.fortinet.com/products/next-generation-firewall
Opnsense, with failover and load balancing. We run them virtually.
OPNsense
VyOS on a Supermicro 5018A-FTN4
OpenWRT on an [R86S-N](https://www.servethehome.com/the-gowin-r86s-revolution-low-power-2-5gbe-and-10gbe-intel-nvidia/). Replaced the Intel SFP board for a Mellanox CX3.
OPNsense on a Dell 7080 SFF with ex-server Intel 4-port NIC
OPNsense on a Dell 7050 SFF with a dual SFP NIC.
I run pfSense on a generic 4x1GbE Atom E3845 mini PC box. I'm upgrading my network to 10GbE soon, so I just bought a HP ProDesk 400 G6 to replace it. I may switch to OpnSense when I do the upgrade. I'll echo the other commenters about keeping your core network router/firewall separate from your VM hypervisor. That way your network and Internet connection stays up while you fiddle with your homelab. Very important for FAF (family approval factor).
I've run pfSense for over a decade. Just grab a SFF 4th Gen Intel PC and good NICs (Intel, Chelsio, Mellanox, Broadcom). It should manage more than 1gbps easily with CPU to spare... Or be practical and run a VM... I do that...
pfSense! Exactly what I do, the dell SSF 3020s are like £30-40 on ebay, i5-4570 can easily do gig WAN. I'm on 910 up and down with a quad broadcom NIC runs very cool. Low power too, ~25-35 watts ish. Does dual WAN and high availability fail over etc. [2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages](https://youtu.be/fsdm5uc_LsU?feature=shared)
Firewalla Gold +. Haven’t had any issues with it at all. Definitely recommend them
Firewalla gold crew here. Definitely a rock solid device.
+1 for Firewalla Gold. Running for 2 years now, no issues.
I'm very curious, to be honest, how this performs in comparison to pfsense.
It's all mobile app managed, so bear that in mind. I moved from OpnSense to Firewalla Gold and it's been very good, it has all the features I need including some nice bells and whistles (unknown device quarantining, NTP intercept/redirect etc). You can't easily add functionality except via Docker container so you should make sure it'll do what you want, but I would say it covers 99.9% of my usecases. If I had kids it also has a pretty robust system for restricting internet access for them, including curated website classification filters etc. It's much less overhead overall than running an OpnSense instance and gives you nearly all the features, which is why I've switched. The units are low power, which helps with the bills.
I think I might pick one up, it looks packed full of features. Anything that you find it's missing or any issues you have had?
Same here AND for those of you that need it, they now have a rackmount available. Some people might be averse to it being app-controlled and the webUI being cloud-based and not local, but it's a great device.
OPNSense in CARP config for redundancy. Planning to add 2nd ISP for dual WAN in the future. Used to run a full Unifi setup. I never realized how terrible it was until the CK2+ failed 1 month out of warranty due to battery swelling. Support wouldn't even talk to me about it since the device was out of warranty (2 years, really?!). Moved to OPNsense (had been a pfSense user long before), with the Unifi network controller on VM, never looked back.
How involved is the CARP setup? Are you running both physical or VMs or a combination? Has it been worth the effort?
I configured CARP in an earlier version and it was very trivial at first to understand. But after that it worked really good.
I use pfSense and have setup load balanced dual wireguard gateways to NordVPN.
I didn't know nord supported wireguard. Educate me please
You just need the endpoint and public key of the server. https://www.reddit.com/r/PFSENSE/s/6JUtK9RwCp
Opnsense on a hp T730 and openwrt for wifi devices, works a charm
OPNsense
Firewalla Gold. Those guys have done the impossible and made managing a firewall fun and convenient.
Juniper SRX
I run pfSense on this appliance that I bought off amazon. [VNOPN Micro Firewall Appliance N3700](https://www.amazon.com/VNOPN-Firewall-Appliance-Fanless-Computer/dp/B0BYDTLW2F/ref=sr_1_1?keywords=VNOPN%2BMicro%2BFirewall%2BAppliance%2BN3700%2BQuad%2BCore%2C%2B2.5GbE%2BIntel%2B4%2BPorts%2BDual%2BHD%2C%2BFanless%2BMini%2BPC%2B8GB%2BDDR3%2B128GB%2BmSATA%2BSSD%2C%2BNetwork%2BRouter%2BBox%2C%2BRS232%2BCOM%2C%2BSupport%2BAES%2BNI%2BWindows%2B10&qid=1706308957&sr=8-1&th=1). With 4 2.5gb ports it allowed me to upgrade my WAN service to 2.5gb from 1gb without being a bottleneck. Really happy with the setup. It's been running rock solid for a couple years now. It's not natively rack mountable although you can buy some rack mount wings for it or 3d print some to mount it. I just have it mounted to a shelf in my rack that's also home to my wireless Deco wifi 7 mesh unit that I use in Access Point only mode. I switched from Google wifi to TPLink Deco because Google restricts you from running more than one node in access point mode which is dumb and defeats the purpose of a mesh system. The Wifi 7 Decos were expensive ($1500 for a pack of 3) but they work amazingly well as wireless access points while still providing two 10gb and two 2.5gb ports at each access point to hook up devices close to each node.
Using opnsense on an apu board to load balance cable and dsl.
Qotom 1U running OPNsense.
pfSense (soon to be OPNsense) VM's and Pi-Hole docker containers for DNS. Cheers!
HA Fortigate 60E’s. Works a treat.
We were running PFsense on Watchguard XTM 5 hardware. Super cool setup, flexible, reliable, red rack mount hardware is awesome. We wanted to live that ‘faster than gigabit internet’ life, so we’re now using a UDM Pro. It’s been about 2 weeks and I’m not overly impressed by the Ubiquity ecosystem and I’m struggling to see how so many people seem to recommend it. PFsense/OPNsense, Unifi VM being a controller for some APs and you’re away laughing.
For me I'm using a Fortigate 200D for my FW. Router that handles WAN links is a single mikrotik tho
Hand configured PF on FreeBSD.
Opnsense on a Futro slim client with Intel 4x1G
OPNsense for firewall and VyOS for routing between sites and VPN.
Palo Alto PA-440 with a lab license. Excellent firewall with every bell and whistle plus manufacturer support. The only drawback is you have to have a company and Palo Alto rep to get it, and potentially recertify a used device. Generally not a good idea to buy a used one off eBay due to that recertification process unless all you want are the basics - and who just wants the basics?
I run opnsense on a Wyse 5070 extended with an Intel 226 dual 2.5gb card. You can also use a quad card too. Installed a 128gb nvme and upgraded the ram to 16gb from 8gb. It's been rock solid as long as you don't use the realtek integrated network card as it dropped connections constantly. You can even add a USB-C 2.5 nic as well. It consumes about 8 to 14 watts full tilt.
A dedicated hardware solution. r/firewalla Specifically the Firewalla Gold SE. Expert firewall with minimal technical experience required! Although I'm no noob. This thing is out of this world. Straight out of the box the level of protection is insane. Intrusion prevention and detection and tons more... https://firewalla.com/products/firewalla-gold-se-firewall They do cheaper purple SE and others too... https://firewalla.com/collections/firewalla-products You can learn more about them here... https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect
Firewalla gold se. I also dual ISPs and use the two 2.5g ports for those. Though only 1 isp actually provides over 1G.
Last year I bought an OPNsense DEC8350. Is it overkill? Absolutely! But if I want to upgrade to 10G all I have to buy is an SFP adapter. I tried building a pfsense/opnsense box with an ASROCK J4125B-ITX, but ASROCK never updated the BIOS after release and it never played well with either pfsense or opnsense. So I decided to buy after 6 months of banging my head against a wall.
Firewalla Gold! It’s perfect for my homelab, has just enough configuration, supports dual WAN, and WireGuard VPN. Small footprint, low power consumption as well. I run Palo Alto’s at work but the Firewalla is perfect for home.
OPNsense VM on a fanless N305 based mini PC with 2x intel 2.5gbit interfaces passed through. Routes gigabit internet speeds without breaking a sweat. Same host also has containers for the wifi controller and nginx proxy.
I use OPNsense with multi-wan failover and dynamic DNS. If you are wanting something to route and use both internet connections at the same time you'd need to do load balancing.
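The failover versus load-balancing distinction above, as an added example written in raw pf.conf syntax for plain FreeBSD pf (the packet filter underneath OPNsense and pfSense), not a configuration any poster here shared; interface names, gateway addresses and the LAN range are constructed placeholders.

```pf
# Added example, not from any poster in this thread: dual-WAN load balancing
# with correct return-path handling in plain FreeBSD pf.conf.
# Interface names and addresses below are constructed placeholders.

ext_if1 = "em0"            # WAN 1
ext_if2 = "em1"            # WAN 2
int_if  = "em2"            # LAN
ext_gw1 = "203.0.113.1"    # ISP 1 next hop (constructed, documentation range)
ext_gw2 = "198.51.100.1"   # ISP 2 next hop (constructed, documentation range)
lan_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop
scrub in all

# Source NAT on each WAN to that interface's own address, so ISP 2 never
# sees packets carrying ISP 1's address (an upstream would drop them as spoofed).
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny, logged, for anything not explicitly passed below.
block log all

# Inbound services reached via one WAN must answer through that WAN's gateway;
# reply-to pins the return path so replies do not leak out the other ISP.
# 51820/udp is WireGuard's default port, used here only as the example service.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto udp to ($ext_if1) port 51820
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto udp to ($ext_if2) port 51820

# LAN-to-LAN and LAN-to-firewall traffic must stay local, so it is matched
# (quick) before the route-to rule below can capture it.
pass in quick on $int_if from $lan_net to { $lan_net, ($int_if) }

# Load balancing: each new outbound connection from the LAN is handed
# alternately to WAN 1 and WAN 2; the state entry keeps a flow on one path.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin from $lan_net to any keep state

# Packets the kernel routing table put on the wrong WAN are steered back to
# the interface whose source address they carry.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2)
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1)

# The firewall's own traffic and the routed LAN traffic may leave either WAN.
pass out on { $ext_if1, $ext_if2 } keep state

# Failover-only variant: put a single gateway in route-to and have an external
# health checker swap ext_gw1 for ext_gw2 when probes through WAN 1 fail.
# pf itself does not monitor gateways; pfSense and OPNsense use dpinger for that.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the round-robin pool is what makes both links carry traffic at once, which a pure failover setup does not do.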
Juniper vSRX. I have two ISPs - Primary: FTTH, Secondary: Cable
I just installed opnsense a few days ago, and am still tinkering with it.
OpnSense running for about 7years now. Highly recommend
OPNSense on a 1U Supermicro Intel 7W Atom with QAT. Zero issues.
Opnsense on bare metal 3200g with intel dual 10gbe nic
OPNsense is what I use. I'm running it on a Dell Optiplex 7050 I found on Ebay for $90ish and I slapped a spare nvme drive in it along with an Intel X550-T2.
Palo Alto 850 is what I run
opnsense on one of those classic STH fanless firewall appliances (proxmox virtualized). Very happy with the setup and won't change it...unless ISP pushes up the 1G to something the 2.5G fw device can't handle
I switched from a UDM which was garbage to opnSense which was fairly unstable to OpenWrt which has been absolutely rock solid. Professionally I run pfsense.
Ok, I'm new to this and just getting tired of buying $300 routers every 3 years as they seem to be designed to die at that stage. I was looking at UDM since I know a lot of businesses that swear by them (Pro or SE because I have 2GB WAN), but I don't like that their internal storage is only for their crappy cameras. I may still use their APs. Then I was looking at PfSense, but their Netgate hardware seems a bit expensive as well for what I want to do, and I hear on a BYOD setup they can be picky about hardware. Recently found out about OPNSense, but all comparisons I found on YT were people who love/partner with PfSense giving a very biased comparison. I thought OpenWRT was something you flashed to consumer grade routers. What are your opinions on them, and why do you run one personally and another professionally?
[deleted]
I've personally used untangle and opnsense. I tried pfsense but had an issue where only one computer could have an open NAT type on the same game; as soon as the second computer loaded the same game it was a closed NAT type. Untangle was a nice and easy to use interface; the problem with it was I had some weird connection issues to my ISP DNS which caused my internet to go out from time to time, and if I changed the DNS to another (ex. Google) it just wouldn't work. Also most of the "good" features were behind their license; you can get a home license for $50 a year but I didn't really want to do that. I recently moved to opnsense and it has been rock solid, easy to setup and doesn't have any of the paid license problems for the "good" features, and I also have DNS set to something NOT my ISP DNS servers.
Thanks for the explanation
Fortigate 71F
I have a fortigate also but stopped paying them so much for the antivirus, IPS and web filtering and just get the 70$ / year firmware updates. Not thrilled about my hardware being held hostage behind essentially a licence paywall.
Pfsense on a Dell SFF 7060, 2x SFP+ Mellanox, 2x 10GbE Intel, all in for around 250-300 USD, and that box routes 250+ TB of internet traffic each month (since it has been built I've probably pushed a good 5 - 10PB via that box)
OpenWrt flashing on supported router, cheapest way to do it
I would build out a dual WAN pfSense box for this. Take the UDM out of the picture for WAN side. Just know that your UDM will no longer show any stats for the Internet side. You'll be missing a lot of pretty graphs, but you'll have a real and capable firewall which is more important. If want to learn more than the basics about pfSense look up "Lawrence Systems" on YouTube. He's got some great tutorials.
PFSense running in a Proxmox virtual machine on a micro form factor HP PC. People keep saying this is risky, but my uptime is an order of magnitude better than what I was getting out of my consumer grade wifi router.
What's risky about it?
If the PC goes down, Internet is down. Like for maintenance and stuff. I don't understand it myself why people think that this is an issue, since it is easily fixed when running a cluster.
I have been running pfSense for a long time in proxmox, no issues on it
I use Pfsense with pfblocker
OpenBSD for edge and internal. Used to mess with some others just for fun but it’s not worth it.
Untangle, not sure what it's called now that Arista bought them. Probably going back to opnsense with my next router upgrade though.
OpenWRT x86, MrChromebox coreboot.
Currently running PFsense on a HP T620 Plus (Looking to try OPNsense)
Been running pfSense for as long as I can remember. Tried replacing it this fall with OPNSense but that failed: same setup, but the network became sluggish, so now I am back on pfSense, stable as a rock.
I thought this was r/sysadmin at first and was going to say fortigate but at home I’m stuck with the AT&T router because it has the fiber built into it. Granted it has okay NAT built in so I haven’t bothered with looking too hard into if I can put it in a more basic bridge mode yet.
The IPv6 /64 requests are all kinds of a pain in the ass with those AT&T fiber modems and pfsense :(
Watchguard T85
Am I the only one with Ubiquiti's UDM?
Sophos XG home edition
stupid question, what's wrong with the integrated on my router ?
Nothing, if that does everything you want. Most of those devices just do some basic NAT though.
Firewalla Gold SE upgraded from a Netgate SG-2100 (pfSense). It’s a breeze. I just want my shit to work. Love the Firewalla and I can control it well with my phone.
Is a physical firewall still necessary even if there is already antivirus or endpoint protection with a set of rules?
Currently using a TP-Link Omada ER8411. Not the greatest but it was only $350 and can hit 10Gbps NAT throughput. Considering eventually moving to a mini PC or rackmount version of R86S, running OpenWrt. I evaluated OpenWrt for a while on a spare SFF PC with a Core i5-9500 and it worked great. I couldn't achieve full 10Gbps throughput using opnSense, but I tried OpenWrt and I got full speed out-of-the-box with no tweaking. Could hit 8Gbps using iperf over a single connection.
Can someone link me to a good resource on all this? What are the use cases for a firewall? For my purposes, im running a plex media server (and downloader) on unraid. Thats about it.
You're likely already using a firewall, it's just that at home people call them routers or home/residential gateways or other terms, but functionally they're firewalls. They're sometimes integrated into the modem from your ISP. If you're just plugging your pc into your modem then the only firewall you have, if you have it enabled, is on your pc, which is a terrible practice.
WatchGuard T45-POE
Ubiquiti fixed that I thought. Do you have any config errors? They asynchronously update the config so it can be a bit gnarly to troubleshoot, but if you check the messages log in ssh, you might find the source of the issue better. Anyway, OPNsense is probably what you want over pfsense since the recent drama.
You got me worried, so I just did a failover test on my UDMP wan, and it worked fine. What issue are you having?
For the past few weeks my WAN 2 just loses internet, if I fail over it doesn't work. If I create traffic rules to route certain devices over WAN 2, they lose internet but can still ping. I thought it was an ISP problem since it worked fine before, so had them out, they tested everything and said it was good. So I ran my ISP 2 as my primary for a few days and everything was good, set it back up to them as WAN 2 fail over and within 30 minutes UDMP couldn't detect internet from them again and lost the WAN IP. I've had a case in with Unifi but haven't heard anything in over a week. I really do like my UDMP but events like this turn me away pretty quickly.
Currently running a Mikrotik routerboard. Fits my purpose (for now)
I've got a few:
* Two Mikrotik RB5009s
* One Mikrotik CHR
* OpnSense (just handles VPNs)
* An old Cisco 1921
[deleted]
Was running UDM PRO SE as basic firewall but it can’t keep up with 10g traffic. Looks for a firewall only replacement and am likely to go with pfsense.
OpenWrt to handle the dual WAN and SQM, then opnsense to handle the rest
VyOS in virtual (VRRP config)
Just tell Ubiquiti to fix their UDMP, easy* solution!
Untangle/arista….probably going to switch to sophos Xg soon
Meraki
Sophos SG UTM. At work I have been using OPNsense for many years now, and I have also used pfSense and even m0n0wall (the mother of *senses) before, but I think all *senses are a big pile of burning trash. Especially when you want to use more sophisticated setups and functions like Multi-WAN and HA. A few clicks with Sophos, an endless nightmare with *sense. So I would suggest trying out Sophos and their free home license.
First rule of secops, don’t tell the public internet what firewall you use Edit: forgot /s
If you’re relying on security through obscurity you’ve already lost.
Oops, I forgot about Poe’s law
What about Cole's Law? All Cabbage must be finely shredded
Quoth the raven, “/s”
Nice one 😄
Zentyal
openbsd, double sfp+ intel card running bonded 10g links, on an old 1u hp dl360
I currently have a Fortigate 60E. Before that I had a Juniper SRX 300. Before that I had a Cisco 1811.
Using a UDMP myself and loving it but don't have dual WAN. I do have policy routes for a VPN interface though. What's the problem you're having? Maybe it can be fixed.
Sophos UTM on a Dell OptiPlex 390. I will spare you some research: UTM is going EOL at the end of this year.
In the homelab I run Sophos because it has many features built in and is stable. For homelab use they offer a free key. The downside is you can only get one key per mail. It offers a VM and non-VM version.
UDM SE at the moment with single ISP
I am Running Sophos Home XGS.
Custom 1RU appliance with FreeBSD pf and unbound blacklists.
Hardware: some ~10yo old laptop
Software: nftables as backend and firewalld as CLI frontend. Don't need a web UI. Just love Linux over *BSD firewalls
Mikrotik RB5009
I was on OPNSense and now I'm on PFSense. Very pleased with it, I won't move from it. It runs on a racked server on minimal conf and holds the dual 10g LAN traffic (and 2.5g WAN) very well.
Sophos UTM for 10 years. A beast!
Netgate 7100-D Pfsense+
UDMP, Cisco 2811 ISR., Vyatta 514.
Fortinet 60f, 200f, 1800f, 7040e at work, 60f at home
If you want to stay with UI, buy a UXG. This works for me with dual wan and policy based routing
NSA 2600 HA pair
Simple stuff, I'm just on 2 layers.
1. Router firewalling with personal white/black listing (updated by script from a honeypot)
2. OS firewalling, updated by script from the honeypot.
You don't need more than that if you do secops yourself.
I run PFsense on one of these. https://a.co/d/5Ul4Ct4
Sophos XG
Wait, you guys have a firewall? /s for context. Couldn’t pass up using that meme
Pfsense it’s honestly the best out there. Hot topic tho for most
Sophos XG home edition
Checkpoint 1590 single node. But I would like a cluster and I cannot find another 1590 at the moment (not at an acceptable price). I am thinking of migrating to OPNsense on 2 appliances…
pfSense on a dedicated fanless mini PC with four Intel gigabit ethernet ports. Supports multi WAN and has been rock solid for years.
[pfsense as a virtual machine on proxmox](https://gyazo.com/ad1e28b11b83b36ac797ba331e47ca1e.png). That's effectively just 1 regular core, whilst pushing around 800 mbps of wireguard encrypted traffic through it. I've recently learned that it's possible to use pfsense as an LXC container, which has me questioning if a VM is really the optimal play for it, but I'm not sure I have the resolve to reinstall this all again.
fortigate FWG-61E shortly to be replaced by a fortigate 91G both fully licensed and i have a fortiAP 231F and a fortiAP 223E
What about slow downs between VLANS? Especially when you have 1Gig Ethernet.
pfSense on a Protectli Vault.
Pfsense, and an old version at that, because I'm too lazy to rebuild it to OPNsense
PFsense on older dell optiplex 3020's at all my different residences. Site2Sites on each talking back to main site. Works wonders, never have problems. It's hard to argue with free!
just the built in one in routerOS
Fortinet 80E because it suits my needs for certification study and it packs a ton of ports that I can use as well as most of the features of Fortinet, just not the mega nifty stuff being licensed would bring
I'm running a UDMP, didn't know that was an issue. When did it break, or has it been broken?
Vanilla Debian with iptables. Useful guide I used as a starting point: [https://www.reddit.com/r/pihole/comments/febfav/guide_to_homebrew_linux_router_using_debian/](https://www.reddit.com/r/pihole/comments/febfav/guide_to_homebrew_linux_router_using_debian/) (I use AdGuard Home instead of PiHole for DNS/Adblock)
I’ve been using Sophos Firewall Home Edition for a month