Which Firewall is RIGHT for YOU? pfSense vs. UniFi

Lawrence Systems
https://lawrence.video/ https://forums.lawrencesystems.com/t/unifi-vs-pfsense-firewall-2025/23733 ...
Video Transcript:
pfSense and UniFi are both really popular firewalls, and it would seem like an easy choice: for all the videos I've done talking about access points, switches and many other features of the UniFi ecosystem, we would just use the UniFi firewall so it keeps it in one ecosystem. While that would have been ideal, for years it was never possible because of feature requests that clients had and businesses needed that just didn't fit the UniFi platform; they were falling well short, and I was very vocal about this. But me being vocal about it was to hopefully get change from UniFi, or get them going in the direction that met my clients' needs, because then we can put things in a complete ecosystem, and I think with version 9, which they released in January 2025, UniFi really has caught up. So in this video I'm not here to tell you which one to use, because that's not really my style. I'm here to present the data: how the pfSense ecosystem works, how the UniFi ecosystem works, specifically around firewalls for this video, and do a feature comparison of them so you can make an informed decision of which one fits your needs. Or maybe neither one of them does, and you'll just stop watching the video here, because those are the only two firewalls that are going to be covered in this particular video. Leave me some comments down below about which other firewalls you want me to dig into, and if I have experience with them I will also do a video on that.

Now, no matter what firewall you choose, today's sponsor of the video, Micro Center, is a great place to buy those devices that go behind that firewall. At Micro Center you can pick up a few cameras and a UniFi NVR, and then go from there and buy all the other UniFi stuff that you might want, such as access points and switches, or you can start building out your full rack. From small Raspberry Pi projects to full-on racing simulator builds, Micro Center has an amazing array of tech, and their helpful store staff will help you find it all. We thank them for sponsoring this video.

Now, to keep this narrowed down a little bit in scope, I'm not covering all of the UniFi firewalls; I'm covering the slightly higher-end models, because if we go down to the $129 models, there's nothing wrong with them, but I can't talk about WAN failover when they don't have two WAN ports, and those models also don't support BGP. But why would you expect a $129 device to have BGP? So I just narrowed those down and don't have them on the list. Also, I want to note that the UXG Pro and UXG Enterprise that I do have on this list do not have a built-in controller; therefore you can host them with the self-hosted instance of the UniFi controller software. That is an option for those, versus the other ones, which can't be adopted to the controller software because they come with built-in controllers. So there is a little bit of difference; I just made a note at the top about it. That is just to keep things a little bit narrower in scope and not have a whole extra column like I did previously for the UXG. The other reason for removing that column is that it's pretty much reached feature parity. There are minor differences I'll note as we go through here, but for the most part all these features are now available on both the UXG Enterprise and UXG Pro and the UDM Pro line of devices. Now, with pfSense, we're just talking about pfSense Plus and not any specific Netgate hardware.

Speaking of hardware: can you run it on your own hardware? With pfSense Plus, yes. With UniFi, I don't see that on the roadmap. I don't think it's a really big deal; it's kind of their model: here's software that works with our hardware specifically, and all the customization is basically with their hardware. But can it be virtualized? Same answer: no, you cannot virtualize the UDM or any of the UniFi software. Now, you can host the controller, but that's not the same as the actual firewall.

Central management: this was a no previously for pfSense. They have since released a beta version of their self-hostable software, on a Netgate device, for managing other firewalls. It's interesting; I've tested it. They have some documentation and videos on it you can watch. UniFi has had this for a long time via the UniFi Site Manager, or the UniFi controller if you're using the UXG, but then you can also tie it to their Site Manager. That's that little nuanced difference there, but you don't have to use their cloud. I want to make sure that's very clear. There was a brief period in time where they did force registration; that is not the case. Any of these can be set up independently without tying to the UniFi cloud system, but of course that will limit some of the features, such as being able to have a central management place where all of your firewalls connect.

Web interface: yes, these both have web interfaces, but you talk to the UniFi Network server, whether you host it externally or, in the case of the UDM Pro series, the built-in one. That's where the web interface lives, because with UniFi it manages more than just the firewall, but it's where the central management is. Versus pfSense, where it's natively built in as part of the operating system. License fees: free with Netgate hardware, and because it doesn't run anywhere else, there are no license fees with any of the UniFi lineup as well.

Automated updates: there are no automated update features inside of pfSense. You can build your own, you can force it to do updates, but it's generally a manual process; it is not an easy mechanism, just a checkbox, by default. And this makes me very happy: UniFi has automatic updates turned on. You can override that if you have a need to do that, you can control and schedule when they get pushed, you can do them completely manually, but that is an option that is on by default when you set it up.

Granular change and rollbacks: yes, and ZFS OS rollbacks. The pfSense system not only has an XML file that has all the incremental changes that were made, where you can grab any one of those changes and roll back to them or restore to that exact point; not only that, the ZFS OS rollbacks are part of the update process now, where when you update it, it takes a snapshot of the entire operating system and has an automated system that will reboot to the previous snapshot if needed, if an update fails. That is currently not a feature that UniFi has. Maybe it'll be on the roadmap for the future, but they do tell you at least the changes that occurred; they just don't have an option to roll them back.

High availability: that's been a long time with pfSense, and it's supported on all pfSense models. It's referred to as Shadow mode, and I put the little asterisk there because it's not on every single device, certainly not on their low-end ones. Do check with the model before you purchase it; it'll say on the listing whether or not it supports what they refer to as Shadow mode, but that's their high availability. It does work differently than the way it works in pfSense. I have not done a specific video on that, but they do have good documentation on how that works.

Multi-WAN support: this was weird that I had to list this out, but there were some nuances missing before. This is one of the features that UniFi took a little while to catch up on; it's not just multi-WAN support, assigning blocks of IPs to those WAN interfaces was kind of a challenge. There was always a behind-the-scenes way to do it from the command line, but it wasn't in the UI, and it's all in the UI now.

VLAN support: yes, we can do VLANs on both of these platforms. No, because someone asked us on the last video, can we do VXLAN? No, neither one of these devices has specific support for VXLAN, but they both do now have BGP and OSPF support, and this goes for all the models that I had listed, like the UXG series, which didn't have that previously; they used to only support OSPF. Now they're both supported on there, and even some of the smaller models do actually support OSPF.

Captive portal: yes, and via the UniFi controller, yes. So it does it in both; it's just handled differently. pfSense has a captive portal management tool, and that's what that next line is: Let's Encrypt, or more specifically the ACME protocol, because you can use the automation to pull in a wildcard cert and manage all of your certificates that way, including your captive portal one. So this is managed via the UniFi controller and you can bring in certificates manually; there's just not at present an automated way to do that.

Identity provider integrations: yes, for LDAP and RADIUS. It means you can integrate with a lot using that, whether it's an external LDAP server, an external RADIUS server, or you can use FreeRADIUS inside of Netgate. Essentially they've got something similar, where you have the RADIUS server built into the UniFi platform, but they've actually added now Active Directory, Microsoft Entra, Google and JumpCloud, and this is really nice, being able to just drop into Microsoft Entra ID or Active Directory or Google Secure or just normal LDAP as a directory service. Also worth noting, outside the scope of this, but they have their entire identity management system that UniFi offers that can be integrated in here as well.

Now this needs a little bit more of a qualifier here. When I say OpenVPN, they both support it, but I say that support is very basic in the UniFi system. Inside of UniFi, when you create a new OpenVPN server, even with the manual settings, there's not a whole lot going on in here in terms of customization or every option or every setting. It lets you create the user, it does let you download a configuration file, and it's probably fine for most people. But when we come over here to pfSense, you can see there are far more options: there are a lot of different ciphers you can choose, there are a lot of details you can put in here, and if for some reason there's not an option you want but it's something that's supported, you can add these custom options to pass through to the OpenVPN server running behind in pfSense. So this pretty much gives you anything you ever wanted to do or fine-tune inside of OpenVPN. This is a double-edged sword, obviously, because having a lot of options means people can goof with a lot of options or be overwhelmed by all the choices, and I think for most people a basic OpenVPN server might be all they need, but this is what I mean when I say basic support versus advanced support.

Now, both platforms support IPsec, both platforms support WireGuard, but the current WireGuard implementation doesn't support site-to-site, and I'm hoping they make it look like a more proper WireGuard implementation where you have all the different peering set up. They have it set up like client/server; that's not exactly how WireGuard works, so I'm not a fan of the way it's presented inside of UniFi, but it does work. It does have the ability to be a WireGuard server, as they call it, or a WireGuard client, and they actually have a way you can download a config file and upload it to another system to get WireGuard going, but they don't seem to have all the features exposed. I believe that will change in the future, because I know site-to-site is on the roadmap for them. L2TP VPN is supported; that's an older VPN, but it's still in there.

Built-in automatic site-to-site: this is a no for pfSense, but the Site Magic SD-WAN is actually really cool. You have the hub-and-spoke option, up to 1,000 sites, 20 sites for mesh, and it's very automated, and only one of these devices has to have a public IP address. So when you get started, you can choose one device with a public IP, choose several other devices that don't have a public IP, and then add them together, and it will just automatically build all the routing, so you don't have to go through all the manual process for this. Now, pfSense does support Tailscale, which is really popular right now as an overlay VPN to easily get around things like NAT and some of the firewall traversal problems. They do offer Teleport VPN. I do want to make a note: Teleport VPN, if you're using a UXG right now, does require that it's tied to a Cloud Key, because it needs something running the UniFi OS software on a Cloud Key, not just the standard UniFi controller, to get Teleport working. That may change in the future, but that is the way it works now, so just a real nuanced difference between the UXG versus the UDM line, where it is supported natively. And the Teleport VPN now has clients not just for the phones but also for the desktop apps as well.

Now, policy routing is a yes for both of these. But IDS and IPS: yes, Suricata or Snort, and all the details you would ever want and probably more than you even need. If you want to dive into how security works, or how Suricata or Snort sees these, you have the option of configuring it, and all the rules are exposed and all the features are exposed. But when you get into the way it works inside of UniFi, it's a lot more basic. It may be adequate for you, but there's a huge difference in the tunables that you have options for. They also now have the Proofpoint CyberSecure subscription that you can buy for extra threat protection. You can do that with the Netgate as well, but you're buying a Snort or Suricata subscription, or the more advanced ET rules, but those are separate and not at all purchased through Netgate; they're just separate feeds you may want to purchase. With UniFi, they are now offering the Proofpoint CyberSecure, but there are not any other options when you're putting it in there; you either buy that feed or you can use the free feed that comes with it, which is adequate. It's basically the ET Open rules, because underneath the hood their IDS system is using Suricata.

Content filtering and controls: Squid has been deprecated because it's got a lot of security problems, and I never thought Squid was a great way to do it; it was never easy or intuitive to manage. Versus, you can do pretty basic application-layer filtering; it's doing SNI inspection, but if you want full-on SSL, that's actually now supported as well. So you have the basic features that are in a lot of the models, but the SSL inspection, where you do have to install a certificate on each of the clients, and this is done on a per-network basis, the EFG and UXG Enterprise do have support for that now.

Traffic monitoring and reporting: yes, and ntopng; we've done videos on that. This is just a built-in feature to give you some traffic analysis and tell you what applications are using what bandwidth and which devices are doing it. DNS filtering: pfBlocker, which of course supports many, many feeds. There's no custom feed option, but they do have DNS filtering options built into UniFi now. DNS management: yes and yes, but let's show that really quick. UniFi now supports host records and MX records, which I think is interesting, and TXT and SRV and forward domain. For most people, host records are probably enough, but now they've got these advanced options. I think that's great, but when we come over to pfSense there are a lot more advanced options, so if you need some really advanced DNS features, there is just a lot you can do in here that is not available inside UniFi. And the same thing goes for the DHCP server: they have a basic, working DHCP server inside of UniFi, but DHCP inside of pfSense has way more options, because while I am able to take any particular device and give it a fixed IP address, that's not the same as having a full-blown DHCP server with every option exposed, not just reservations. GeoIP filtering: supported in UniFi and pfSense.

Traffic shaping and QoS: there's some nuance here I want to talk about. Inside of UniFi, you can select the source as any or a specific device, so maybe you want to apply QoS to a device, and maybe a specific category like online gaming or file transfer or email; it's application-aware, and then it gives you options to set the download limit and bandwidth limit, choose the interface, or even a schedule. Now, if you run the wizard there's a limited amount of application-aware QoS, but what pfSense does instead is give you really good details for queue management, right down to choosing the different algorithms and fine-tuning each of those algorithms, so you can get really fine-grained control, but you don't have the application levels. But you do have application awareness in UniFi, so you kind of can't really say that it's just QoS; it's done so differently in them, but technically the boxes check: they both do have QoS and the ability to do this. I've talked before about how to set up the limiters, and there is a similar system to do traffic management inside of UniFi on the back end. I'm pretty sure they're using the same CoDel limiters and possibly tail drop, I'm not exactly sure, but this is something that UniFi doesn't really expose to you. You can go in behind the scenes, SSH in and look at it, but it's not anything you control through the web UI, versus pfSense, which gives you full, granular, detailed control over how that's set up.

Packet capture and diagnostic tools: this is interesting; it's been added now to UniFi, but in pfSense we're going to go a little further on diagnostic tools. So it's not just about packet capture, it's really fine-grained diagnostics. I think it's nice that pfSense exposes all of these, and it's not just your basic tools, it's all of them: you can run iperf, you can run pftop, which I've talked a lot about, so we can see each individual connection, we can look at the routes, we can really dive deep with this, because it's kind of a Swiss army knife. I've always liked that they built this in. But I will admit, having the packet capture, being able to select the different networks on here, or you can pivot to the devices that are managed in here to do packet capture on individual devices as well, so I really welcome that feature. Maybe they'll add a few more tools for a little bit deeper diagnostics.

Now, SNMP monitoring is supported on both platforms. NetFlow export is supported on both. Logging and alerting: that is something that was lacking in the past but of course is much more detailed today, because we have activity logging that can be internally stored, and we can now go full-on SIEM server monitoring and pipe this out. Now, this is a feature that's been supported in pfSense; you're just shipping off all the syslog and all that data to wherever you want as a destination, but this gives you the same ability now to push all of that data out, and it is supported now with several other different clients for ingestion. This was a feature that a lot of people needed for compliance, and was one of the checkboxes that has to be checked: that you have to be able to take and do log ingestion. Now that they've set it up so it's doing proper log exporting, there's now tooling available that does support the ingestion of those logs, and it does give you more than just syslog in terms of what data you want to send.

Time-based firewall rules: that is supported on both systems. And I mention this mostly because I use it, and I know a lot of people that do, based on the videos I've done on HAProxy: it is nice having that built in. I don't know if it's really on the UniFi roadmap; it's a cool nice-to-have. I did like the convenience of it, because as I noted earlier, we have Let's Encrypt built into pfSense, so it's automatically pulling the certificates, and then we can tie those certificates to HAProxy and have it serve, even if I'm not publicly exposing it, as the reverse proxy that sits at the center of my network with all of my different services attached to it. So I have a nice setup for that with a wildcard cert.

Now let's talk firewall rules. I am very used to the pfSense interface because I've been using it for so long: any time you have an interface and you assign an interface, that interface can have firewall rules, and that includes the VPNs. You can build virtual interfaces that way, or VLANs that way, and then each interface gets its own set of rules where you apply them. The way it works in UniFi, or the way it used to work, was just outright confusing. I think this method, even though I've not learned it well just yet, presents much better, because even with my lesser knowledge, since I don't use UniFi firewalls as much, it wasn't hard at all for me to figure out: oh, this is where I can filter to these specific policies, or these external policies, or the VPN rules, or even creating a zone and then applying rules to that zone, and then as you build networks you can move things in and out of it. I think this is a much, much better way to handle the firewall rules; it is much less confusing, and the nice thing is they gave people a clear upgrade path. So if you were using the previous rules before, they give you an option to convert your existing rules into this format when you go from version 8 to version 9. So I'll be diving deeper into this in the future, but I do think this is greatly improved in the way they present firewall rules, and it makes it a lot less confusing, especially to newcomers that may be starting out with a firewall.

Now, this video so far has been covering the most common questions people have about UniFi or pfSense, and they're the most common use cases for firewalls: filtering or traffic management and just general firewall rules. What about those of you that have these weird, esoteric and really interesting ideas or needs or use cases? Well, that's where pfSense can really shine, because if I said I wanted to reassign all of these ports except for one to be LAN and the rest all to WAN, all ports are reassignable in any way you see fit. UniFi has more limitations around that; it just doesn't check those boxes, but then, are those boxes most people need checked? This is kind of that one-off, unusual thing. For example, I can bond these together to become a switch port and then do all kinds of funky management with that, along with setting up transparent options, and I've covered this before in other videos, so you can transparently watch data that traverses it. There are really some unique things, but as I just said, they're unique, they're one-off, they're kind of, you know, interesting, and I think if you have those use cases, then yeah, UniFi will never satisfy those for you, and it's not like that's the market they're trying to target, because that's not the majority market.

Now, another thing worth noting is security. The most common question, I guess, that is not something that's a feature, but just: are these secure devices, whether you're talking about pfSense or you're talking about UniFi? Now, the way pfSense delivers software is different: both the CE and the Plus version have a patching system, and you have to apply those patches. UniFi does this with the software updates, but both companies are very on top of security, that being Netgate, the people behind pfSense, and the team at UniFi. UniFi even has a very advanced bug bounty program, so there have never been any qualms I've had about their security; they are quite on top of that. Their problems have always been around the features that were missing, and that's ultimately what drives decisions: meeting clients' needs and making sure those needs are met with the features that the devices offer. When the firewall does not have, for example, the ability to export SIEM logs, we can't use it in a compliance environment that requires that type of logging, which has brought us all the way here in 2025, where we are selling more UniFi firewalls, because now they have the features available that meet the client demand. So now I can put in an entire UniFi ecosystem, from the firewall down to the switches and down to the access points, and have a single pane of glass to see it all. I actually really like that. I'm so happy to say that UniFi has caught up on features in a firewall that meets most client demands in many, many environments now.

But ultimately I'm curious: which one do you choose, UniFi or pfSense? Which one works the best for you? Leave those thoughts in the comments down below, or head over to my forums for a more in-depth discussion on this and other topics. Like and subscribe to see more content from the channel, head over to lawrencesystems.com to connect with me on whatever socials you'll find me on there, or sign up for our newsletter to keep up with what's going on, and I'll see you online. Thanks.