pfSense (Netgate) or OPNsense (Protectli)


squirrellydw


You can run pfSense on either, the Netgate is more expensive for a given amount of processor power.

The only advantage to the Netgate hardware is the full support for pfSense vs community edition pfSense on Protectli.

I'm so used to running pfSense community edition on generic hardware or VM that I can't comment on OPNsense.

Link to comment
3 minutes ago, JonathanM said:

You can run pfSense on either, the Netgate is more expensive for a given amount of processor power.

The only advantage to the Netgate hardware is the full support for pfSense vs community edition pfSense on Protectli.

I'm so used to running pfSense community edition on generic hardware or VM that I can't comment on OPNsense.

community edition pfsense on protectli???  I've never heard of this

Link to comment

I'm not familiar with the Protectli brand, but it appears to me to be generic Chinese hardware that is carefully chosen not to suck, and they provide help and support vs. you winging it on your own after purchasing through ali or ebay or whatever venue you can find cheap Chinese hardware.

 

I'm running some generic stuff that looks remarkably similar to their brand, obtained for a little cheaper directly from China.

 

@protectli will probably correct me if I'm way off base. 🤣

Link to comment

Mods, after reading my reply as follows, it's reading like a sales pitch.  That's not my intent - I'm trying to highlight why many people may be more interested in purchasing from Protectli than generic hardware from China.  If I need to tone down the links and the sales pitch I'm happy to do so - please let me know.

 

First, we will try not to take too much offense at the implied lack of creativity in just reselling "generic Chinese hardware".  (J/k, it's a reasonable comment and we're happy to address it).  Second, there is certainly nothing wrong with much of the generic Chinese hardware out there.  Plenty of people have had plenty of success doing so.

 

That said, the Chinese market is full of knockoffs and copycats.  TBH, our original FW1 was just an off the shelf box that we sourced from China.  However, recent hardware (such as our FW4B, VP2410) is our own bespoke design.  There's a lot of suspiciously similar looking hardware out there, but what I would offer as our commitment to our hardware is that we not only create the hardware design, but we also port and support coreboot (https://coreboot.org) firmware for our hardware.  If unfamiliar, coreboot is an open source firmware that is MUCH more lightweight than a traditional BIOS, is custom built for the specific hardware, and is actually open source which is becoming more and more important at the firmware layer as we continue to learn about microcode and hardware vulnerabilities in closed ecosystems.

 

Finally, we do pride ourselves on customer satisfaction, as reviews on Amazon and elsewhere will attest to.  We go way outside of the box to help customers not only get their hardware in order, but also resolve issues with OS's that they're trying to install.  We provide a KB with loads of testing that we do with different OS's (and even specific VPN configurations like OpenVPN, and wireguard) to ensure that they work on our hardware and we'll even go as far as to help customers troubleshoot software issues if they appear to be reasonably adjacent to a potential hardware problem or conflict.  

 

Hopefully that helps?  Feel free to reach out in case of other questions.

  • Like 2
Link to comment

Netgate, which owns the pfSense trademark, helpfully posts their trademark Usage Guidelines: https://www.pfsense.org/trademarks.html

Specifically under "Unacceptable Uses" (quote below).  As such, we choose to stay away from pfSense, but we have embraced others who are happy to allow us to pre-install their software, like OPNsense.
 

Quote

Using the pfSense Marks in connection with commercial redistribution of pfSense software ("commercial redistribution" includes but is not limited to redistribution in connection with any commercial business activities or revenue-generating business activities), regardless of whether the pfSense software is unmodified, except as may be permitted above.

 

 

  • Like 1
Link to comment
1 hour ago, squirrellydw said:

@protectli  why don’t you offer pfSense as an install option when configuring the hardware?

Honestly I think it's a GOOD thing to learn to install and configure your own pfSense community edition. These types of firewalls are insanely complex when compared to your typical home Linksys router, and that's a good thing because options and power, but it means you need to at least be passingly familiar with how things are set up so you can more easily troubleshoot when things aren't running as planned.

 

Progressing from a blank box to something that functions on the surface like a plain home router only takes a few minutes on powerful hardware like they use, and you have so much more capability available to you.

 

Using a preinstalled box as shipped robs you of valuable experience that will come in handy when it's time to move your pfSense config to another box or install for whatever reason.

 

Personally I have a low powered standalone box available as a backup to my pfSense VM, and it's trivial to take a backup config from the VM, change a couple entries to correspond to the correct ethernet ports on the hardware box, and bring it back up just like nothing changed, including all my static IP's, firewall NAT rules, all my complex configurations intact. Try that trick when moving from an Asus to a Linksys home router.

 

I personally wouldn't want a Netgate hardware product, they upcharge the hardware drastically to cover their support. Protectli at least looks to provide a quite competitive price on their hardware and will support OPNsense if you don't want to learn a new skill.

 

I always recommend learning new skills, keeps the brain young.

Link to comment
2 hours ago, protectli said:

First, we will try not to take too much offense at the implied lack of creativity in just reselling "generic Chinese hardware". 

🤣

No need to get defensive.

 

Wait, yes there is. I called you out, and wanted you to explain what differentiated you from generic Chinese hardware.

 

Thanks for clearing that up from your perspective.

 

Now all we need is a rep from Netgate to drop by the thread and explain how valuable their support options are to the companies that use them. 😎

 

My takeaway from all this is Protectli made a compelling case for your product in the market for advanced home user all the way to small and medium business with tech savvy staff.

  • Like 1
Link to comment

Agreed @jonathanM, there is a lot of value in being able to install your firewall OS from scratch.  Just being able to run through the installation process is valuable, in the event you need to switch hardware, and as you say, being able to make light modification to the config files can be invaluable.  Also, the security paranoid will appreciate that they can download the installation files, verify they haven't been tampered with by comparing hashes and install themselves.

 

Appreciate the remarks and thanks for the engagement.  

  • Like 1
Link to comment
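An added example, not part of the thread or any vendor's code: the hash comparison mentioned in the post above, in Python. The file name and contents are constructed, and the parser accepts the two common checksum-file layouts (BSD-style and GNU coreutils-style).

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style line:  SHA256 (name) = <hex>      GNU-style line:  <hex>  name
_BSD = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")

def published_digest(checksum_text, filename):
    """Return the published SHA-256 for filename, or None if it is not listed."""
    for line in checksum_text.splitlines():
        m = _BSD.match(line.strip()) or _GNU.match(line.strip())
        if m and m.group("name") == filename:
            return m.group("hex").lower()
    return None

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(path, checksum_text):
    """True only if the file is listed and its digest matches the published one."""
    expected = published_digest(checksum_text, Path(path).name)
    if expected is None:
        return False  # an unlisted file is a failure, not a pass
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    # Constructed sample: a stand-in "installer" and the checksum text published for it.
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "firewall-installer.img"  # hypothetical file name
        image.write_bytes(b"constructed installer bytes\n")
        good = f"SHA256 ({image.name}) = {sha256_file(image)}\n"
        ok_before = verify_image(image, good)
        image.write_bytes(b"constructed installer bytes, modified\n")
        ok_after = verify_image(image, good)  # same published hash, changed file
        return ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the channel the checksum file came from, so fetch it separately from the image; a signature check, where the project publishes one, is stronger.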
  • 4 months later...

Dear Protectli:

 

I have some doubts. 
 

1-Why don’t you offer WIFI ac in Europe?

2-Why don’t you offer 4 LTE options in Europe? Can I buy both of them in any way?

3-Can I use a Protectli Vault with two different WANs? I suppose that yes. I suppose I can configure each OPT port in pfSense like I want, in the same manner as in my current VM pfSense. But I want your confirmation.
4-Is it your intention to launch a new Vault in the near future with 10GB ports?

5-Why don’t you show on your website a comparison between the performance of your Vaults and the Netgate products?
How am I to know, as a consumer, how important the CPU is in the control of the communications (states, max speed, etc…)?

Netgate has a YouTube video where they guarantee in their 6100 model that each port is independent of the others and that one of them will never generate a bottleneck over the rest. Can Protectli guarantee the same? To me it is strange that the Netgate 6100 has a motherboard two times the size of a Protectli i7 top.
Does Netgate put their efforts into performance rather than into mounting top CPUs like Protectli does? How can a customer know if the performance is better with a Netgate or with Protectli Vaults? I don’t find any YouTube video that compares both brands with the same infrastructure and test. But it should be really easy to do with iPerf. And it should be a devastating sales pitch for either brand.

 

Also for other users, I would like to say that even though the Netgate has internal ports to upgrade the hardware (NVME, even LTE ports), an employee of Netgate explained in a video that he doesn’t recommend doing it, because they have implemented the ports thinking of the “standards of the future”, so it is very easy to damage the hardware.
 

Thanks for your answers. 

Link to comment

Hi @XPHOENIX, happy to address your doubts.

  1. We don't yet offer WIFI AC in Europe because the AC cards we use from our Vendor are on a parts shortage.  These Qualcomm chipsets in general are super difficult to find right now.  We definitely would like to offer some and we're working on it.
  2. Are you asking about LTE modems (hardware)?  Or LTE service?  Specific to the modems, the US only modems we currently offer are for use with LTE bands commonly found in the US.  We'd like to offer an EU specific one and we're currently evaluating some options.  Also, our EU operation is still relatively small and we want to make sure we're not "biting off more than we can chew".  In other words, we want to make sure that what we provide is tested and will work.  Our primary focus is our Vault lineup of products.
  3. Each port on the Vault is connected to the Vault's CPU via PCIe.  This applies to every Vault that we sell.  As such, as long as the software you install on your Vault supports dual WAN, then the hardware will support it.  pfSense certainly supports this.  
  4. In the near term, we have a lineup of 2.5G Vaults about to be released (in June, 2022) and we are targeting a 10G product later this year.
  5. There's a lot to unpack in your 5th point here, so I'll try to address everything, below.
  • There are a lot of different products out there and it would be very difficult for us to compare ourselves to every one of them.  Sure, lots of customers end up comparing us to Netgate because a lot of our customers end up using Protectli hardware with pfSense. One useful point of comparison is VPN throughput and you can find some throughput testing we did across our product lineup a while back here, here, and here.
  • I'm not aware of the specific video you reference specific to the Netgate 6100 where they "guarantee...each port is independent of the others..." but I suspect this is related to Netgate having used an internal switch on some of their products, which the 6100 does not use.  In this way, the 6100 has network ports that are all connected directly to the CPU.  As stated above, all Protectli products have network ports directly connected to the CPU.  We have never used an internal switch.

I hope this addresses your questions.  Please let me know if you have any other questions or if anything is unclear.

 

Thanks

  • Like 1
  • Thanks 2
Link to comment
