A Detailed Comparison of The Latest pfSense and UniFi Firewalls in July 2023

Tailscale pfsense Video

Which VPN to use in pfsense

2023 Firewall Features Compared: pfsense | Arista | UniFi | Sophos | Fortinet | Meraki & What We Use

Magic Site-to-Site VPN feature

Mactelecom Networks Unifi Magic site to site Video

Time Stamps ⏱
00:00 ▶ pfsense vs UniFi firewall 2023
01:57 ▶ Firewall Comparison Chart
02:53 ▶ Running on Own Hardware
03:15 ▶ Central Management
04:18 ▶ Licence Fees & Support
04:58 ▶ High Availabilty
05:26 ▶ BGP & OSPF
05:37 ▶ VLAN support
06:17 ▶ OpenVPN & IPSEC
06:44 ▶ Wireguard
07:14 ▶ UniFi Site to Site Magic
09:48 ▶ Tailscale Support
10:39 ▶ IDS & IPS Suricata and Snort
11:12 ▶ Content Filtering
11:52 ▶ DNS Filtering
12:06 ▶ Traffic Shaping
12:24 ▶ Multiple WAN Support
12:55 ▶ Policy Routing
13:10 ▶ Reverse Proxy
13:37 ▶ Let's Encrypt
13:53 ▶ Captive Portal
14:05 ▶ Traffic Monitoring and Reporting

LAWRENCESYSTEMS

Good update Tom, thanks.
A suggested parameter for a future comparison is NAT.
UDM doesn't currently allow per-host 1:1 static NAT for outbound traffic -- the best it currently offers to people with multiple WAN IP addresses is the ability to assign an egress IP per network.

stevenmishos

When they finally updated the udm pro to the 3.1 branch, things got way better. Load balancing, failover, both with options that actually work, vpn client that works, like minutes to route my firetvs via unlocator vpn to the USA, great stuff. You can do a lot more basic routing now. The case for pfsense has reduced in that context. If you want to use the self hosted controller, buy the gateway. It is basically equivalent to the udm pro without controller and a drive bay for protect.

wiebowesterhof

0:05 - Uhh I have my arm in a sling as well. As soon as you came on I was like - it must be spreading. By the way I was JUST looking at the unifi gateway on the store yesterday. Perfect timing.

geekdomo

I run pfSense at home.
I have a Netgate router, Unifi switch and access points and a Raspberry Pi that run Unifi Controller.
This setup might be way overkill for what I need (decent adblocking and DNS filtering, a couple of VLANs and some basic firewall rules) but it works great.

henriklind

Great comparison explanations. I haven't used any of the Ubiquiti products, but love my pfSense for sure!

HomeSysAdmin

Great overview Tom! I use the UDMs at tons of businesses and they have worked great.

As for HA it’s “coming soon” to Unifi.

MactelecomNetworks

I'm using Netgate 1100 as my home router/firewall, but I wanted to upgrade since I've been having problems upgrading it to the latest version. But the problem is they stopped selling Netgate products here in my country, well at least for consumers. I can still buy it internationally or thru contractors who provide solutions to other companies, but it's pretty expensive. I am now considering the UDM Pro since I feel like they've really matured in the last 2-3 years and it's more affordable than the other Netgate offerings here in my country.

pransis

Nice video, Tom. Healing vibes on the arm (shoulder?)! Concerning Site-to-Site VPN, the plain ol' USG does this in "just a few clicks" as well of course. And both ends can have Dynamic IPs. I use Change IP which is totally free for this, and setup hostnames for the endpoints. Once both USGs are adopted to my cloud controller, I'm seconds away from a Site-to-Site VPN with the USGs. Now, obtaining said USGs... that's another story lol.
I also use EdgeRouters a lot in other cases in combination with UniFi APs managed on my cloud controller. The EdgeRouterX for example is like $60 (compare that with the UXG @ $500) and suprisingly powerful. Just marry up whatever VLAN structure you defined in UniFi and away you go. I really like the flexibility of EdgeOS for port forwarding and firewall rules. The main downside is they don't integrate with the Ubiquiti Controller, but if you have remote access into the site, this isn't so much of a big deal.

SomeGuyFromFlorida

For thos of use not totally into the lingo, a breif expansion of acronyms such as BGP and IDF would be useful. Yes, I know I could google those, but just a one-liner as part of your otherwise excellent tutorials would help a great dela in those areas.

jeanmichel

Great video! Very informative 🙂
I am grateful to be able to find such comparisons, thank you!

Myself using couple of UDM pros. They bought me with simplicity.

tdegler

Hey Lawrence. The latest UI update now allows you to create a local account to manage your console. You do not necessarily have to manage your Console by signing through you UI account👍...

Thanks for always being the goto guy when it comes to UNIFI and PFSense

niggybee

One thing that's worth mentioning is that the USG line supports auto site to site VPN (IPSec) and the UXG's don't but the USG's don't support magic VPN (Wireguard) either. It basically means there's no migration path between the two platforms if you've got multiple sites on a single controller. With the upcoming UXG hardware to replace the USG3's out there this will be a real pain if you're still using auto site to site VPN on USG's and want to upgrade to UXG's. Magic VPN relying on UBNT Cloud infrastructure is basically a requirement all other SDN platforms have. For my mind no big deal as it's pretty much a requirement for connections on CG-NAT or non static IP.

lordcarnorjax

Nice video, would be even coolER with untangle in the mix

cdoublejj

The UXG-Pro does have Wireguard in Unifi Network 7.4.142 and UXG Firmware 3.1.18. Not sure if it was added in a previous version.

JP-nofq

It would be nice if Unifi would support SNMP UPS support, while an ssh command to shut it down from another machine does work one of the biggest issues I see is that they can be corrupted by sudden power offs during extended power outages.

Even if Unifi doesn't want to support direct connection with a UPS, they could allow networked support. I know they sell their own solution, but it's moderately pricey for someone who just is looking for a UPS for stability, a few minuets of runtime, and a safe power off.

denton

Tom, can you elaborate on the VPN comparison? I am not familiar with unifi teleport, and run tailscale... But my pfsense tailscale is very slow, which bothers me (1/10th line speed). I saw this may be because of DERP, but I am not technical enough to address the issue. A follow up or direction to a previous video would be great. Keep up the good work.

philiptalbert

In a professional setting pfsense all the time. At home either, though I'm partial to unifi there.

Demios

He got in a fight with Linuz 😂🤣😅 just kidding! Get well soon Lawrence

TechnowulfTV

Tom, great video, as always! The chart ROCKED! May I point out one thing, which will keep me always using OPNsense/pfSense? And it might matter to others. Perhaps a new video idea for your team? :)

UniFi FW really really is dismal as a true firewall. Stick policy-based routing on it, with full ACLs, and a lot of them, and it tanks on 5G and 10G WAN. Well and with same speed LAN. My LAN is 10G and my WAN is 10G. pfSense (and now OpnSense) handles full ACLs at line-speed. I literally measure no major degradation (- 5% at most) . I am using a very good server-level piece of hardware as my host. But whether hard-iron or as a Proxmox/XCP-ng guest, the *Sense twins run great.

I HAVE a lot of Ubiquiti UniFi hardware, including UDM Pro. I've tried. Man I tried. But it just wasn't working well with full ACLs. Is it ME? Am I the problem? I'm not adverse to this being the case LOL but I have researched and gave up. pfSense won, then (now) OPNsense. I can destroy the OPNsense instance, bring up pfSense, same config, and be running if needed in 5 minutes (WITH ONE ZSH COMMAND LINE!. This includes spinning up a new VM in Proxmox. I had a UDM Pro die....uhmmmm, well, you know how that went.

I currently have one edge OPNsense cluster using HA. Then six other internal firewalls all handling "logical domains:" Dev, Test, Prod, Corporate, IOT, NotIOT, etc., and the 28 VLANs. Seems to work flawlessly, managed by Ansible from my (own) Github.

Doesntcomputek