Distribution: Mac OS 10.7 / CentOS 6(servers) / xubuntu 13.04
Posts: 1,186
Rep:
Monowall vs. Pfsense
So I have been tasked with setting up a core router/firewall for the organization that I do work for. I have looked at both Monowall and pfsense. They both look extremely similar, but Monowall looks easier to set up and maintain. Would there be a big advantage to go with Monowall over pfsense? Or pfsense over monowall? Have you used either? Thoughts.
Distribution: Mac OS 10.7 / CentOS 6(servers) / xubuntu 13.04
Posts: 1,186
Original Poster
Rep:
It is my understanding that PfSense does load balancing. Didn't see mention of that though on the review of any of the seven solutions reviewed? We want load balancing between a T1 and HughesNet Satellite.
As a longtime pfSense and IPCop user, here's the short and quick of it:
IPCop is a fantastic linux-based router distro.
m0n0wall is a great BSD-based router distro.
pfSense is a great BSD-based router distro, actually forked off m0n0wall ~5 years back. It primarily was intended to offer more advanced/enterprise-class features than those found in m0n0wall or other basic firewall distros.
Both allow you to set up site-to-site and/or roadwarrior VPN connections, squid proxy configurations, static DHCP leases, easy saving/restoration of the configuration etc.
For a business environment I love pfSense, and have had it running at many offices, all the way back to release candidates of version 1.0. It offers some pretty nifty features like failover and load-balancing, as mentioned previously, in addition to processing network traffic with the BSD packet filter (pf) versus iptables in linux.
pf has some neat features by itself; one thing is being able to detect the Operating System of a computer on your network and have custom rules depending on the OS. Can be handy in certain mixed environments.
There are pros and cons to each; I recommend fully researching both and a thorough pilot of the chosen platform in at least one office.
pfSense provides a great deal of extra features and options when compared to most firewall distros, but it's a bit more technical, as well. It's not too bad, though--you still have an easy-to-use web-based GUI. You can run pfSense on a machine w/no hard drive, booting off a CDROM and loading the config from a USB thumb drive... less power use, and no worry of a head crash.
Load balancing is mentioned on the Info-->Features page at the pfSense web site (http://www.pfsense.org).
IPCop is a stable, linux-based firewall distro with a decent set of features, and tends to be a bit easier to install, perhaps. Works very well, but no support for load balancing, so I don't imagine it will work in your particular setup. Makes for a great home router box, though.
Though it should go without saying, read, read, and then read some more.
Distribution: Mac OS 10.7 / CentOS 6(servers) / xubuntu 13.04
Posts: 1,186
Original Poster
Rep:
Strick: Thanks for that. I am going to mess with pfsense some more. Maybe I will get it figured out and working the way we want. Certainly want the fail-over and load balancing we will get with it. Have two identical servers here. Is it hot-fail over? When one fails does the second server automatically take over?
Strick had some good information. What anyone looking into a firewall needs to do is see what it does under stress. If you use a linux distribution (which uses iptables) then under an attack such as DDoS your firewall grinds to a halt until the attack is over. In a business atmosphere this is unacceptable. I like the features of Untangle and other linux firewalls, but I would only use them in SOHO installations. If you need something that will still pass data under an attack and do not want to shell out money to Cisco for a PIX then BSD is the base distribution you need to use. BSD under an attack will still pass data through the firewall/router. I have used Linux and BSD firewalls. The linux ones are sweet on ease of use and features. As opinions are like @ssholes, the top 10 are all about the same. Just look for the features you want. For BSD boxes, monowall and pfSense are the way to go. monowall is great for embedded applications. pfSense is a fork from monowall from a few years ago and is monowall + enterprise functionality. Remember that BSD is also more scalable and uses a lot less resources. A BSD firewall will need 256 MB of RAM and a 300 MHz CPU whereas a linux variant would require 1 GB of RAM and a 1 GHz CPU for the same amount of users. This means that under BSD you can use ancient or more cost effective hardware and get the same result. If I wanted the best firewall for reliability in a business atmosphere I would choose pfSense (that is if Cisco or Juniper were out of the budget). If it was for my house or small office I would use smoothwall or UnTangle. I hope this helps.
pfsense is way better than untangle. Although untangle is much easier to install than pfsense and untangle has sweeter filtering options than pfsense, its hardware requirements exceed most target systems. PfSense is a great firewall distro, while untangle has much more filtering capabilities. Look at my simple comparison about pfsense and untangle.
Very nice write up. I only disagree with the capabilities of pfsense. pfsense can do everything that untangle can. The problem as you pointed out is configuration. That is very true. Pfsense is not cumbersome, just advanced. Very advanced. If you can add pfsense hardware requirements to your review that would be great. I think you have something there.
When it comes down to comparing monowall to pfsense (the topic of this thread) as above monowall is best for embedded and pfsense is best for pc firewall router.
I agree the linux firewalls should also be looked at. Untangle is very good. When it comes down to it, end users need to look at features, what it is going to be used for, and what is stable for their application. We can find examples where any of the bsd or linux distros are better than each other in specific situations. I can attest that all of the ones described in this thread are stable and good to use. Totaling up features does not make one better than another. Look for features that matter for your application. Best thing to do is test a few out, load test and attack them and see which you like.
My goal is to use one of those tools (pfsense or m0n0wall) as a hotspot solution (captive portal), so I'm interested in your opinion on which is better.
At first they are basically the same; m0n0wall has extra voucher ability (that's a big plus) but the GUI looks a little bit older (not that I'm a GUI fanatic or something), and that is all I have noticed as a difference.
One of my problems is that I cannot find some kind of user management on either of those servers (I would like to give different restrictions to different users)...
Well, if you have some experience with captive portal management with those tools please write me some review...
Really, if you don't require 802.11n hardware support at the moment, it's hard to beat pfSense for all its features. They're likely very close to an official release candidate for version 2.0, which adds all sorts of nice stuff to an already-solid BSD-based firewall distro.
That said, you didn't specify just what level of user management in which you're interested... there is a limited amount of different user levels for administering the firewall itself, but if you're looking for web-related restrictions you will need to investigate squid and authenticated proxies, or perhaps even building custom rulesets defined by MACs etc.