[aklug] Re: EdgeOS vs Pfsense

From: Royce Williams <royce@tycho.org>
Date: Sat Jun 28 2014 - 07:33:56 AKDT

I'm in the same boat as Jeremy, and that's what I concluded, too.

Interesting background in this pfSense forum thread:

https://forum.pfsense.org/index.php?topic=63926.0

... a pfSense developer, talking about plans to port pfSense to
Ubiquiti hardware, says:

    my one concern with this is that the factory firmware from UBNT has a
    proprietary bit of code that acts as a very fast IPv4 packet
    forwarding engine. This is how UBNT gets the "1mpps" numbers. I'm
    not going to support that, so pfSense will be "slower" than the stock
    firmware *at forwarding IPv4 packets*. Since the Cavium architecture
    dedicates a core to running that, pfSense will still make use of both
    cores, so it may be (with the multi-threaded support for pf in FreeBSD
    10/pfSense 2.2) that packet filtering is faster under pfSense than the
    stock firmware.

He's being a little vague here, but I would have thought that that
means that UBNT does some stuff in ASICs that FreeBSD isn't going to
be able to access.

In a larger sense, I think that this comes down to what you're trying
to accomplish. EdgeOS appears to be primarily command-line driven
(like a Cisco). pfSense has a command line that's really just a "drop
into the back-end shell" feature and not really intended to do much
tweaking of the config with -- but it's great for troubleshooting.
That's what the pfSense GUI is for, and it's quite rich, has many
knobs, and many great third-party plug-ins, including snort, squid,
pfBlocker (GeoIP blocking), etc.

That being said, the pfSense config is plain-text XML, and you can
tweak it however you want as long as it's still a valid config when
you're done. So to Robert's point, it's also scriptable.

Another angle is hardware support. You can also put pfSense on any
hardware supported by the OS - and because the underlying OS is
general-purpose, that means a lot of hardware. You can install it in
a commodity PC that doesn't even have a hard drive - just run the
entire OS from a CD, and store the config on a USB stick. Upgrading
is literally putting in the new CD, and will automatically detect the
config and upgrade it if needed. In this setup, you can even
automatically move to an entirely new hardware setup! Just move the
USB and the CD, and on first boot, pfSense will say, "Hmm, new NICs
detected. Which one is WAN? OK, which one is LAN?" and then finish
booting and Just Work. It's awesome. Also, with pfSense you can
compile a new kernel module (or borrow it from somewhere else), and
add support for hardware that isn't currently supported. It does make
upgrades fragile (because you have to do it again), but it can buy you
time until pfSense supports your hardware (usually by moving to a new
version of FreeBSD).

But these features may mean nothing in the context of your plans.
Honestly, if you're talking about depending on either of these for
production, I would definitely do a proof-of-concept bake-off. Buy or
borrow one of each, and try them out in your own local version of The
Real World. :-)

Royce

On Sat, Jun 28, 2014 at 6:44 AM, Jeremy Austin <jhaustin@gmail.com> wrote:
> On Fri, Jun 27, 2014 at 7:41 PM, Christopher Howard
> <christopher.howard@frigidcode.com> wrote:
>>
>> Can anybody tell me any more about their thoughts on EdgeOS
>> vs. Pfsense? EdgeOS certainly is advertised well (Good documentation,
>> all the features I wanted to see). And the EdgeRouter Lite at under
>> $90 looked like a good buy to tinker with. But after about five
>> minutes hanging out at the pfsense forum, you'd think EdgeOS was the
>> most horrifying monstrosity ever conceived. Maybe someone could tell
>> me a bit about the differences in terms of interface or other
>> considerations?
>
>
> My $.02. I have no direct experience with EdgeOS, although a fair amount
> with AirOS, the Ubiquiti radio software/distro on which it is based. And I
> have had pfsense in active use for many years.
>
> pfsense is usually run embedded but it is fairly close to a full BSD distro.
> I don't use it for my core router because (at least at the time I had to
> choose) it didn't support asymmetric load balancing. Essentially anything
> can be compiled against it and installed as a package. I do use it for some
> edge and remote routers though.
>
> EdgeOS reportedly is high performance, yada yada. You've read the
> literature. You are unlikely to find a $90 router with pfsense embedded that
> has anywhere near the performance of EdgeOS, but that's speculation on my
> part, not experience. I haven't used it yet because I can't use it as a core
> router, and haven't needed any new edge routers.
>
> YPMV = Your Packets May Vary
>
> Sometimes a setup that works fine for 20 nodes just doesn't scale to 200, or
> 400, and it's tough to simulate that in a lab. Network traffic is a moving
> target. What works for one may not work for others in a different
> environment.
>
> jermudgeon
Received on Sat Jun 28 07:34:52 2014
