
pfSense 1.2.3 vs Vyatta 6.1

December 27th, 2010

I have been a long-time pfSense user, starting back in 2006. Recently I switched my main firewall from pfSense to Vyatta. It was a tough choice, as both platforms have their advantages and disadvantages.

pfSense is based on FreeBSD and uses the BSD packet filter along with ipfw. The console is used for basic tasks, such as configuring the LAN IP, and for advanced users to access the shell. The web interface is the primary configuration interface. It offers point-and-click rule creation, duplication, and modification. There are also RRD graphs of system and network utilization. I was able to use the WAN quality graph to alert me of packet loss happening on my ISP’s end.

Vyatta is based on Debian Linux and uses iptables and netfilter. The primary configuration interface is the console, which allows for complete configuration without needing another machine. The console commands are well structured and offer auto-completion. It does have an optional web interface for configuration, but I find it more of an afterthought. Unfortunately, there are no system or interface utilization graphs. You will need to use third-party software like Cacti to monitor the system.

With IPv4 address exhaustion nearing, Vyatta takes the lead by offering IPv6 support. Vyatta offers a stateful IPv6 firewall and the ability to connect to tunnel brokers. pfSense can only pass protocol 41, encapsulated IPv6, to a downstream device. The upcoming pfSense 2.0 release will not have IPv6 support either. There is a git branch with initial IPv6 support to be merged for a later release.

The BSD packet filter, unlike the Linux netfilter, doesn’t have modules for connection tracking helpers. It requires you to use proxy applications, which makes connections look like they originate from the firewall. For example, if I was connecting with FTP from 2.2.2.2 through the firewall 1.1.1.1 to a server at 10.10.10.10, the server would see the connection originating from 1.1.1.1. This makes it impossible to use fail2ban or similar scripts to stop brute force attacks.
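The effect on per-source banning, as an added example that is not part of the original post: the same failed logins are counted once with client addresses preserved and once as the server sees them behind the FTP proxy. The vsftpd-style log lines are constructed, the 3.3.3.3 and 4.4.4.4 clients and the threshold of 5 are assumptions, and the counter is a simplified stand-in for fail2ban's logic.

```python
import re
from collections import Counter

# Constructed vsftpd-style log line (sample data, not from the original post),
# as written by the FTP server at 10.10.10.10.
LINE = 'Mon Dec 27 10:00:{:02d} 2010 [pid 1] [{}] FAIL LOGIN: Client "{}"'

# One noisy client (2.2.2.2, from the post) and two users who mistyped once.
ATTEMPTS = [("root", "2.2.2.2")] * 6 + [("alice", "3.3.3.3"), ("bob", "4.4.4.4")]

FIREWALL_IP = "1.1.1.1"  # firewall address from the post's example
MAX_RETRY = 5            # assumed threshold, in the spirit of fail2ban's maxretry

FAIL_RE = re.compile(r'FAIL LOGIN: Client "(?P<ip>[0-9.]+)"')


def render(attempts, proxied):
    """Build the log the server would write. With an FTP proxy on the
    firewall, every client address is replaced by the firewall's own."""
    return [LINE.format(i, user, FIREWALL_IP if proxied else src)
            for i, (user, src) in enumerate(attempts)]


def ban_candidates(log_lines, max_retry=MAX_RETRY):
    """Return the source IPs whose failed-login count reaches max_retry."""
    counts = Counter()
    for line in log_lines:
        match = FAIL_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return sorted(ip for ip, n in counts.items() if n >= max_retry)


def compare():
    """Ban lists for the same traffic: source preserved vs. proxied."""
    direct = ban_candidates(render(ATTEMPTS, proxied=False))
    proxied = ban_candidates(render(ATTEMPTS, proxied=True))
    return direct, proxied


if __name__ == "__main__":
    direct, proxied = compare()
    print("source preserved:", direct)
    print("behind FTP proxy:", proxied)
```

Behind the proxy the only address that can reach the threshold is the firewall itself, so a ban either does nothing useful or cuts off every FTP client at once.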

I initially had problems with VoIP behind pfSense due to UDP timeouts and the randomizing of ports. I was able to work around these issues by setting the state table optimization to conservative and enabling the advanced outbound NAT static port option. Vyatta worked out of the box with no configuration changes. This is partly due to the fact it doesn’t support randomizing the source port.

pfSense does have a package system to add additional software. However, I have found some packages to be buggy. For example, I installed siproxd a few days ago and the registered devices screen has a fatal PHP error.

If you need UPnP support then pfSense is really your only option. Vyatta doesn’t officially support UPnP. You could install the UPnP daemon from the Debian repo, but the configuration will not be integrated into the CLI.

In the end I chose Vyatta. Since I use Cacti to monitor my network, I wasn’t worried about losing the pfSense RRD graphs. With pfSense not supporting IPv6, I was running both pfSense and Vyatta. Consolidating these into one box makes for a cleaner, less complex solution. Both platforms offer a wide range of VPN options, so I was covered there. The Vyatta command line configuration was also a plus since I only have console CentOS and ESXi boxes in the server rack.

  1. Marc Pope
    March 6th, 2012 at 13:51 | #1

    I am having trouble trying to configure the Vyatta to have public IPs behind the firewall instead of private w/NAT. I am coming from a Sonicwall.

    Any suggestions how to do this?
