Pfsense instead SonicWall ?

mmruiz

Really Ubiquiti is doing impressive hardware. Also I like very much Mikrotik, cheap, and very powerful.

Here (Spain), in my company, we used to work with Sonicwall, but we found some issues and sometimes poor customer support and change brand. Client to site and SSL VPN was not free (only included one or two licenses, it depends on model)

I think one of important questions is Sonicwall is an UTM, acts like firewall, router and also security appliance. Acts also like a powerful load balancer. This lasts parts are also very important for me.

Now we work with Cyberoam, very powerful hardware, cheaper than Sonicwall (half the prize), includes reporting (CR25 up, hard disk inside), free SSLVPN, stable, and fantastic support. We are happy with them. Now is part of Sophos company, I hope the brand will continue this good work in future, and no surprises with the new owner, Sophos.

iroal

@mmruiz said:

Really Ubiquiti is doing impressive hardware. Also I like very much Mikrotik, cheap, and very powerful.

Here (Spain), in my company, we used to work with Sonicwall, but we found some issues and sometimes poor customer support and change brand. Client to site and SSL VPN was not free (only included one or two licenses, it depends on model)

I think one of important questions is Sonicwall is an UTM, acts like firewall, router and also security appliance. Acts also like a powerful load balancer. This lasts parts are also very important for me.

Now we work with Cyberoam, very powerful hardware, cheaper than Sonicwall (half the prize), includes reporting (CR25 up, hard disk inside), free SSLVPN, stable, and fantastic support. We are happy with them. Now is part of Sophos company, I hope the brand will continue this good work in future, and no surprises with the new owner, Sophos.

Thanks for you help.

PD: Parece que no soy el único español por aquí

scottalanmiller

Hay unos pocos. Más de España y más hispanohablantes. México, Panamá, España y más representadas.

gjacobse

@dafyre said:

@scottalanmiller said:

@iroal said:

Company, at end, let me buy the Pfsense.

I'm thinking in this model.

https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx

Any other best option ?

Answer is going to keep being the same, Ubiquiti is better than pfSense.

Can the Ubiquiti handle failover from one to another?

@iroal If the Ubiquiti has all the features you need, then the price will be significantly cheaper than the pfSense setup.

Yes - Even the ERL I have with 3 ports can. you can set two ISP and one LAN, One ISP, LAN and WiFi or one ISP and two LAN..

We actually have a client with two ISP and one LAN configured currently.

scottalanmiller

@gjacobse said:

@dafyre said:

@scottalanmiller said:

@iroal said:

Company, at end, let me buy the Pfsense.

I'm thinking in this model.

https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx

Any other best option ?

Answer is going to keep being the same, Ubiquiti is better than pfSense.

Can the Ubiquiti handle failover from one to another?

@iroal If the Ubiquiti has all the features you need, then the price will be significantly cheaper than the pfSense setup.

Yes - Even the ERL I have with 3 ports can. you can set two ISP and one LAN, One ISP, LAN and WiFi or one ISP and two LAN..

We actually have a client with two ISP and one LAN configured currently.

That aspect is for WAN failover. He's looking for router failover - where you have two routers instead of just one. It does that too but I don't believe we have any clients doing it. It is a more complicated setup and carries complications from the fact that you can't have the ISP link going to both routers at once by default.

wirestyle22

@scottalanmiller said:

@gjacobse said:

@dafyre said:

@scottalanmiller said:

@iroal said:

Company, at end, let me buy the Pfsense.

I'm thinking in this model.

https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx

Any other best option ?

Answer is going to keep being the same, Ubiquiti is better than pfSense.

Can the Ubiquiti handle failover from one to another?

@iroal If the Ubiquiti has all the features you need, then the price will be significantly cheaper than the pfSense setup.

Yes - Even the ERL I have with 3 ports can. you can set two ISP and one LAN, One ISP, LAN and WiFi or one ISP and two LAN..

We actually have a client with two ISP and one LAN configured currently.

That aspect is for WAN failover. He's looking for router failover - where you have two routers instead of just one. It does that too but I don't believe we have any clients doing it. It is a more complicated setup and carries complications from the fact that you can't have the ISP link going to both routers at once by default.

Can't you do 4 routers, two for each ISP?

scottalanmiller

@wirestyle22 said:

Can't you do 4 routers, two for each ISP?

Why would you need four? Why not do two, each ISP into each? What's the benefit of four?

coliver

@wirestyle22 said:

@scottalanmiller said:

@gjacobse said:

@dafyre said:

@scottalanmiller said:

@iroal said:

Company, at end, let me buy the Pfsense.

I'm thinking in this model.

https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx

Any other best option ?

Answer is going to keep being the same, Ubiquiti is better than pfSense.

Can the Ubiquiti handle failover from one to another?

@iroal If the Ubiquiti has all the features you need, then the price will be significantly cheaper than the pfSense setup.

Yes - Even the ERL I have with 3 ports can. you can set two ISP and one LAN, One ISP, LAN and WiFi or one ISP and two LAN..

We actually have a client with two ISP and one LAN configured currently.

That aspect is for WAN failover. He's looking for router failover - where you have two routers instead of just one. It does that too but I don't believe we have any clients doing it. It is a more complicated setup and carries complications from the fact that you can't have the ISP link going to both routers at once by default.

Can't you do 4 routers, two for each ISP?

Look at VRRP. It is a protocol that allows for hardware failure. You would just need two routers not four.

wirestyle22

@scottalanmiller said:

@wirestyle22 said:

Can't you do 4 routers, two for each ISP?

Why would you need four? Why not do two, each ISP into each? What's the benefit of four?

Never mind. I saw the 'by default' portion of your post now and realized there is no point

wirestyle22

@coliver said:

@wirestyle22 said:

@scottalanmiller said:

@gjacobse said:

@dafyre said:

@scottalanmiller said:

@iroal said:

Company, at end, let me buy the Pfsense.

I'm thinking in this model.

https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx

Any other best option ?

Answer is going to keep being the same, Ubiquiti is better than pfSense.

Can the Ubiquiti handle failover from one to another?

@iroal If the Ubiquiti has all the features you need, then the price will be significantly cheaper than the pfSense setup.

Yes - Even the ERL I have with 3 ports can. you can set two ISP and one LAN, One ISP, LAN and WiFi or one ISP and two LAN..

We actually have a client with two ISP and one LAN configured currently.

That aspect is for WAN failover. He's looking for router failover - where you have two routers instead of just one. It does that too but I don't believe we have any clients doing it. It is a more complicated setup and carries complications from the fact that you can't have the ISP link going to both routers at once by default.

Can't you do 4 routers, two for each ISP?

Look at VRRP. It is a protocol that allows for hardware failure. You would just need two routers not four.

Yeah I was thinking simplistically. My bad

wrx7m

Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?

coliver

@wrx7m said:

Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?

Like what?

Proxy/web filtering could easily be done via Squid.

coliver

The ER series has a client VPN built in. I think it will do OpenVPN as well.

wrx7m

Gateway AV, DPI, IDS, IPS

scottalanmiller

@wrx7m said:

Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?

Standard recommendation is that those things don't belong on a firewall and should be either handled by another device or should not exist at all (much of the time they are negatives and sold via hype... most have their place but are not very commonly recommended.)

coliver

@wrx7m said:

Gateway AV, DPI, IDS, IPS

I've never seen Gateway AV work... but I Squid can also do this with some addons.

wrx7m

@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?

scottalanmiller

@wrx7m said:

@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?

Yes, in nearly all cases. AV on the firewall means huge network delays or tons of processing power needed at the end and it is rarely effective. If you are investing tens of thousands in Palo Alto gear, that's different. But other than that, I wouldn't even consider it.

scottalanmiller

I'm a big believer that the UTM concept is hype. I want my router to be a router, not be an all in one device like I'm a home user. All functionality should be broken out and should be determined discretely if needed. UTMs are sold almost exclusively based on marketing, not a need driving a search for a solution.

wrx7m

@scottalanmiller Thanks for the info. What about use of a proxy/application control?