Firewall Choice
You're evaluating two firewall options—SG-3100 and USG Pro-4. You have networking skills and are familiar with Openvpn, Suricata, PIA, and a Unifi 24-port switch. You're considering whether switching to a USG would mean losing control over your network, which you want to avoid. Your current setup includes a full gigabit connection and existing security tools, so you're not concerned about those services. Your main goal is to gain the centralized management features offered by Unifi. This approach could be a good step forward if you value unified control and automation.
Consider how much you enjoy experimenting and trying new things. PFSense offers more flexibility for tinkering, though it carries the risk of damaging devices. Unifi provides a cleaner interface and enables complex tasks with minimal damage risk. At least that’s my perspective. My brother prefers stable setups, so he runs Unifi, while I enjoy frequent modifications—like PFSense for firewall and a TP-Link managed switch. Cloud access with Unifi is particularly appealing.
I don't believe the USG Pro-4 will meet your bandwidth needs. It's unlikely even with QoS or IPS/IDS enabled. We rely on the Pro-4 at work while I use Untangle at home. The Pro-4 is inferior to Untangle, and I dislike dealing with JSON Hell when basic tasks are involved because the interface doesn't support it. The image below shows a 25/5 DSL connection using about 44% CPU, sometimes reaching 70%. I'm eager for our Gigabit Fiber connection and would appreciate your help in convincing them to upgrade. Untangle HomePro costs $40 per year and seems worthwhile. The TunnelVPN app works well, and the OpenVPN app is straightforward to set up. I haven't used pfSense much, so I'll skip discussing it.
This is great information!! After hearing about you using it in an enterprise environment, it tells me a lot about the performance I might expect from the box at home. While I won't have the load that an enterprise does, I do expect to get my full gigabit pipe. On a side note, I have really gotten past the tinkering phase, and if I wanted to tinker I'd just set up a new network for it instead of constantly playing with my live environment. Thanks for the feedback!!
The definition varies based on context. On a live system, you need to test changes and verify functionality. For a different network, you must adapt the firewall settings if it isn’t compatible.
What I mean by tinker is experimenting with new ideas and gadgets. I wouldn’t want to bring them into my existing network setup.
I previously relied on OpenWRT for my router setup, which worked well. Now I’m switching to pfSense and finding its configuration increasingly complex. My setup includes multiple VPNs for different purposes—web hosting, personal use, client traffic anonymity, remote access, and IP blocking with pfBlockerNG. I’ve also implemented dual-VDSL and rerouted bulk traffic to improve performance, while enabling failover for the rest of the network if the main WAN fails. This level of customization is valuable, and I wouldn’t trade it for anything.
That's a great example. Right now I only have 2 VPNs, one for my game servers and one for remote access when I'm away. I would like to be able to keep this kind of customization. I was just unsure if I would be able to migrate my current solution to a USG. I love pfSense, don't get me wrong, but it is the one oddball in my network of Unifi equipment. I haven't really played around with a VDSL or pfBlockerNG. I do have Suricata installed and it's been working great. Would I be opposed to keeping my current pfSense box? No, not at all, but I would like to update it to the SG-3100 in the near future if I did. Now that I have seen what you have done, I think that pfSense might be the route that I go. I will say I don't have a lot of experience with pfSense, but that can always change.
It's taken me a long time to grasp this complexity, since I didn't realize how valuable it would become. With the Internet becoming more intricate and security concerns rising, I believe having some adaptability is worth it, even if it adds a bit of learning difficulty.