iPfire vs PFsense – Firewall Review

I have posted in the past about all the great things you can do with DD-WRT or with pfSense. After a few years with pfSense I have changed to IPFire. If you have not heard of IPFire, I would suggest reading about this awesome firewall platform. The main focus of IPFire is security. This is my simple review of the two systems.

HARDWARE

The hardware for my firewall is a small ASUS dual-core Intel Atom computer. It is configured with 2 GB of RAM and a 64 GB SSD. Both firewall distributions ran very well on this platform.

From a hardware perspective it is probably overkill for a router, but you never know. Here is a quick view of “top” from my IPFire firewall – note that squid and snort are only using about 9% of the CPU. This is one reason I enjoy IPFire over other platforms.

[Image: output of “top” on the IPFire firewall]

PFsense vs IPfire

Comparing pfSense and IPFire has been interesting. Overall I prefer IPFire, but pfSense has a lot of good features:

User Interface: IPFire is the winner. The GUI is both easy to use and intuitive. pfSense has everything but can sometimes be confusing because of the vast number of options. The reporting UI in IPFire has been pretty good. There are a lot of options, but once you get comfortable you can get a great overview as well as detailed information.

[Image: IPFire usage report]

Performance: I think this is a tie in overall usage performance. For what we do at my house, 20-30 or so devices, things work well. This Thanksgiving we had over 50 devices, and the kids were streaming Netflix, YouTube and other games, and the firewall was not taxed at all. When using pfSense I could see a spike in memory / CPU when running snort and a proxy.

Configuration: If you like to just get into the settings, pfSense is the winner. After using pfSense many times, I can say that IPFire seems a bit refreshing. Once you learn the meaning of the colors, Red (external), Green (internal), and Blue (wireless), it becomes pretty easy. Since pfSense uses FreeBSD I find any custom configuration harder. IPFire is built on Linux, and I have a better background in using that. The add-on section for IPFire is the Pakfire system. It is a secured and encrypted app store of sorts. pfSense has a package manager; it worked well but I found it somewhat confusing.

Features:  Both Pfsense and iPfire have similar features.  I really liked the entire range of features that Pfsense has for router/firewall/ network appliance.   I think that iPfire has as many features if not more, but it is hard to tell.   I feel that ipfire with add-ons could be a small business server, file server, and much more.  In the end, I found that I don’t use many of those features; basically firewall, reporting, proxy, ids, and vpn.

Security: I think this is a close race. Both devices use ClamAV, Snort, a web proxy, and other processes. pfSense was harder to configure and set up for these processes. I really do find the reporting from IPFire to be the winner in the end, since it lets you see what is happening on your device. The OpenVPN setup for IPFire was great and easy to configure. pfSense is a challenge to set up for OpenVPN, but it works all the same.

[Image: Firewall Log – IPFire]

Proxy and reporting: One main reason I initially chose a new firewall over DD-WRT was to implement a transparent proxy. I think both IPFire and pfSense do this very well. The reporting from IPFire is about equal to pfSense when using SARG. I do like the Proxy Log viewer that IPFire has available, which lets you get a look at recent traffic.

[Image: SARG report in IPFire]
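As an added illustration, not code from this post or from the IPFire or SARG projects, the kind of summary a SARG-style proxy report gives you can be produced directly from the web proxy's own log. The script below parses a handful of constructed lines in Squid's native access.log format (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type), totals bytes per client, counts requests per destination host, and lists which clients had requests denied by the proxy. The log lines, hosts and addresses are made up, and the script assumes the default native log format rather than a custom `logformat`.

```python
"""Summarise Squid access.log lines the way a SARG-style proxy report does.

Added example, not code from the post or from IPFire/SARG. The format assumed
(an assumption, not taken from the post) is Squid's native access.log:
  timestamp elapsed client code/status bytes method url user hierarchy/peer type
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (hosts and addresses are made up; the last line
# is deliberately not a Squid record, to show that bad lines are skipped).
SAMPLE_LOG = """\
1449000001.123    120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1449000002.456     90 192.168.1.10 TCP_HIT/200 20480 GET http://example.com/logo.png - NONE/- image/png
1449000003.789    300 192.168.1.22 TCP_MISS/200 102400 GET http://videos.example.net/clip.mp4 - HIER_DIRECT/203.0.113.5 video/mp4
1449000004.000     15 192.168.1.22 TCP_DENIED/403 350 GET http://blocked.example.org/ - HIER_NONE/- text/html
1449000005.500    200 192.168.1.30 TCP_TUNNEL/200 4096 CONNECT mail.example.com:443 - HIER_DIRECT/198.51.100.7 -
this line is not a squid record and must be skipped
"""


def parse_line(line):
    """Return a dict for one native-format record, or None if the line is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        timestamp = float(fields[0])
        size = int(fields[4])
    except ValueError:
        return None
    result_code, _, http_status = fields[3].partition("/")
    method, url = fields[5], fields[6]
    # CONNECT requests are logged as "host:port" rather than as a full URL.
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {
        "timestamp": timestamp,
        "client": fields[2],
        "result_code": result_code,
        "http_status": http_status,
        "bytes": size,
        "method": method,
        "host": host,
    }


def summarise(log_text):
    """Aggregate bytes per client, requests per host and denied requests per client."""
    bytes_per_client = Counter()
    requests_per_host = Counter()
    denied_per_client = defaultdict(list)
    parsed = skipped = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        parsed += 1
        bytes_per_client[record["client"]] += record["bytes"]
        requests_per_host[record["host"]] += 1
        # Squid marks requests blocked by its ACLs as TCP_DENIED.
        if record["result_code"] == "TCP_DENIED":
            denied_per_client[record["client"]].append(record["host"])
    return {
        "parsed": parsed,
        "skipped": skipped,
        "bytes_per_client": bytes_per_client,
        "requests_per_host": requests_per_host,
        "denied_per_client": dict(denied_per_client),
    }


def report(summary, top_n=3):
    """Render the summary as plain text, top talkers first."""
    lines = [
        f"records parsed: {summary['parsed']} (skipped {summary['skipped']})",
        "top clients by bytes:",
    ]
    for client, total in summary["bytes_per_client"].most_common(top_n):
        lines.append(f"  {client:<16} {total:>10} bytes")
    lines.append("top destination hosts by requests:")
    for host, count in summary["requests_per_host"].most_common(top_n):
        lines.append(f"  {host:<28} {count:>4}")
    for client, hosts in sorted(summary["denied_per_client"].items()):
        lines.append(f"denied for {client}: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Pointing `summarise` at the contents of a real `access.log` gives the same three views the post praises in the IPFire proxy log viewer and SARG: who is using the bandwidth, where it is going, and which requests the proxy refused. Denied entries are worth reviewing separately, since a client repeatedly hitting blocked destinations is the first thing a proxy report should surface.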

Overall, the past few firewalls I have used and tested have all been really good. I have had opportunities to use Untangle, pfSense, Zentyal, Endian and IPFire. Each has its benefits, and I would suggest that you test each one. I have selected IPFire for the device that protects and runs the connection to my house.

The overall conclusion I can draw regarding pfSense vs IPFire is that both have similar features. I think that IPFire appears to have a more frequent cycle of updates and security patches. I would have no issue recommending IPFire to anyone. It has proven to have great performance and to be very reliable.

I have tried a lot of IPFire features, including the TOR proxy. One nice thing about IPFire is that the wiki pages are really easy to follow.

My Configuration

  • Transparent Proxy:  http://wiki.ipfire.org/en/configuration/network/proxy
  • SNORT: http://wiki.ipfire.org/en/configuration/services/ids
  • OPEN VPN: http://wiki.ipfire.org/en/configuration/services/openvpn
  • ClamAV: http://wiki.ipfire.org/en/addons/clamav/start
  • SARG: http://wiki.ipfire.org/en/addons/sarg/start

Things Tested

  • TOR:  http://wiki.ipfire.org/en/addons/tor/start
  • OwnCloud: http://wiki.ipfire.org/en/addons/owncloud/start
  • IMspector: http://wiki.ipfire.org/en/addons/imspector/start

If you have any questions, drop me a line. I love talking about firewalls, their performance, and what you can expect from each.


8 thoughts on “iPfire vs PFsense – Firewall Review”

  1. Jim, have you tried any outgoing (egress) packet filtering on any of these firewalls? It seems to me that with ClamAV knowing about malicious IP addresses & filtering them out for inbound traffic, I’m wondering if it’s also able to filter them for outbound traffic. Or, if that’s even a good idea. Thanks.

  2. I think scanning outbound packets is a crucial part of Intrusion Detection, especially when you have mobile users that go in and out of your LAN frequently. So I would like to add plus one to Frank’s question.

  3. Jim – thanks for the review. I tried IPFire but gave it up because I’ve been unable to get DNAT/port forwarding to work correctly for incoming email. Basically, I host my own email domain at home, and use a 3rd-party service for a public MX record. That host then forwards email destined for my domain to port 26 on the public IP of my ISP’s router. I have a “DMZ rule” on the ISP router that forwards all incoming external traffic to the RED interface of my firewall. Then I have a DNAT rule that’s supposed to forward all TCP port 26 traffic to my home email server for delivery to my home accounts. This works w/Microsoft’s ISA 2004 server, but fails miserably w/IPFire. Any suggestions?

    Thanks,
    Víctor

  4. Really good article, but I’m a little confused about one feature. Can I use web filtering with pfSense or OPNsense, or is IPFire the only one that can do this kind of job?

  5. Hello, can I use it for a server that is running Apache and a SaaS application?

  6. Nice article, I’d love some more details of the differences on them.

    A feature I’m looking for, and believe to have become more common lately, is support for dynamic IPv6 prefix delegation. Many ISPs change prefixes to harass their customers, and routers aren’t prepared to quickly detect this change and propagate it to their software and LAN devices. This makes devices keep outdated, invalid IPv6 addresses and causes downtime, then a shift to IPv4.

    It’s even worse when we have multi-homing and require masquerading of LAN addresses to public addresses, so we can have load balancing and failover.
