Q&A Hardware Firewalls - Firewalla Blue Plus vs Ubiquiti UniFi Security Gateway

SecureKongo

Level 29
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,829
I am currently trying to dive a little more into network security and am trying to find a good hardware firewall with IDS and IPS functions, as the firewall of my router is quite basic and not customizable.
Which one would you guys pick? If you have any other alternatives that are not so hard to configure, feel free to share. :)
 

n8chavez

Level 9
Well-known
Feb 26, 2021
430
I am currently trying to dive a little more into network security and am trying to find a good hardware firewall with IDS and IPS functions, as the firewall of my router is quite basic and not customizable.
Which one would you guys pick? If you have any other alternatives that are not so hard to configure, feel free to share. :)

There's always Ubiquiti USG or firewalla.
 

kC77

Level 5
Aug 16, 2021
201
I've got the Ubiquiti UDM Pro which has a nice useful IDS built in, app control, geoblocking, IDS etc. It's good, certainly not enterprise class, but for home use they're OK.
I make lots of use of its VLANs for separate isolated subnets (trusted LAN/nixlan/wfhlan/iotlan/guestlan/cctvlan etc.), keeping everything separated, or inter-LAN allowed by specific firewall rules.
The IDS built into it is basically something free called "Suricata" (Home - Suricata), so there are no yearly subscription costs etc.
And while I didn't get the device for CCTV, it even has a UniFi Protect thing built in and the slot for a hard drive.

The UDM is quite weak for VPN: it only has L2TP or Teleport (UniFi-only VPN). You can though hack other services in as it's Linux based.

Never heard about Firewalla, so can't comment.

You could also take a look at CrowdSec which is a free IDS, could possibly run on a Pi (I've not really looked that much into it).

Have you possibly thought about Sophos XG which is free (you just need a small/cheap PC with 2 NICs)? Route your traffic through that.

Something to look out for (depends on your internet provider speed) is the firewall's throughput when any IDS/DPI etc. is enabled... and this was one of the selling points for me with the UDM: with DPI/IDS on full it can still do 3.5Gbps throughput (I've only got 1Gb anyway but futureproofing!)
Some older ones like the USG etc. will have much lower throughput with IDS on (probably 85-300Mb or so).
 
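The segmentation described in the post above (isolated VLANs, inter-LAN traffic only where a specific firewall rule allows it) is easiest to reason about as a default-deny policy with a short ordered allow list. The following is an added example, not Ubiquiti code and not kC77's own configuration: a small Python model of such a ruleset evaluated over constructed sample flows. The VLAN names follow the post; the subnets, the rules, the "resolver lives in the trusted VLAN" assumption and the sample flows are all assumptions made for the example.

```python
"""Inter-VLAN policy model: default deny between segments, explicit allows.

Added example, not UniFi/Ubiquiti code. Models new connections only; return
traffic of an allowed connection is assumed to be handled by a stateful firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed segment plan: one /24 per VLAN (assumption, not from the post).
VLANS = {
    "trusted": ip_network("10.0.10.0/24"),
    "wfh":     ip_network("10.0.20.0/24"),
    "iot":     ip_network("10.0.30.0/24"),
    "guest":   ip_network("10.0.40.0/24"),
    "cctv":    ip_network("10.0.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # VLAN name, "internet", or "*" for any
    dst: str
    proto: str           # "tcp", "udp" or "*"
    dport: Optional[int]  # None = any destination port
    action: str          # "allow" or "deny"


# Ordered list, first match wins; unmatched inter-VLAN traffic hits DEFAULT.
RULES = [
    Rule("trusted", "*", "*", None, "allow"),      # trusted manages everything
    Rule("*", "trusted", "udp", 53, "allow"),      # DNS to a resolver in trusted (assumption)
    Rule("cctv", "internet", "*", None, "deny"),   # cameras never phone home
    Rule("*", "internet", "*", None, "allow"),     # every other VLAN gets WAN access
]
DEFAULT = "deny"


def segment_of(ip: str) -> str:
    """Map an address to its VLAN name; anything outside the plan is 'internet'."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, matching rule). Intra-VLAN traffic is switched, not
    firewalled, so it is always allowed and carries no rule."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "allow", None
    for r in RULES:
        if (r.src in ("*", src) and r.dst in ("*", dst)
                and r.proto in ("*", proto) and r.dport in (None, dport)):
            return r.action, r
    return DEFAULT, None


# Constructed sample flows: (src_ip, dst_ip, proto, dport).
SAMPLE_FLOWS = [
    ("10.0.10.5",  "10.0.30.20",  "tcp", 80),    # trusted -> iot
    ("10.0.30.20", "10.0.10.5",   "tcp", 445),   # iot -> trusted (lateral attempt)
    ("10.0.30.20", "10.0.10.53",  "udp", 53),    # iot -> trusted resolver
    ("10.0.50.7",  "203.0.113.9", "tcp", 443),   # cctv -> internet
    ("10.0.40.3",  "203.0.113.9", "tcp", 443),   # guest -> internet
    ("10.0.40.3",  "10.0.40.4",   "udp", 5353),  # guest -> guest (same VLAN)
    ("10.0.20.8",  "10.0.30.20",  "tcp", 22),    # wfh -> iot
]


def audit(flows: List[tuple]) -> List[Tuple[tuple, str]]:
    """Evaluate each flow and return (flow, verdict) pairs for review."""
    return [(f, evaluate(*f)[0]) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        src, dst = segment_of(flow[0]), segment_of(flow[1])
        print(f"{src:>8} -> {dst:<8} {flow[2]}/{flow[3]:<5} {verdict}")
```

The point of the model is the ordering: the camera-to-internet deny sits above the general internet allow, so it wins, while the narrow UDP/53 allow lets IoT devices resolve names without opening the rest of the trusted VLAN to them. Adding a rule is a one-line change, and `audit` over a list of expected flows is a cheap regression check before touching the real gateway.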

SecureKongo

Level 29
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,829
Have you possibly thought about Sophos XG which is free (you just need a small/cheap PC with 2 NICs)? Route your traffic through that.
I did, but I don't really want to run a virtual machine 24/7 tbh... Thanks a lot for your detailed explanation. I really liked the UI of the UDM Pro, but am not sure if it's actually a device that is meant for beginners in that field. Firewalla just needs you to connect it to your router, and then you're good to go. (At least in Simple Mode)
I am just not that much into network security etc, so I thought Firewalla would be the right device for me. Maybe you could take a look at it if you have some time to spare, and tell me your thoughts about it. :)
 

kC77

Level 5
Aug 16, 2021
201
I did, but I don't really want to run a virtual machine 24/7 tbh... Thanks a lot for your detailed explanation. I really liked the UI of the UDM Pro, but am not sure if it's actually a device that is meant for beginners in that field. Firewalla just needs you to connect it to your router, and then you're good to go. (At least in Simple Mode)
I am just not that much into network security etc, so I thought Firewalla would be the right device for me. Maybe you could take a look at it if you have some time to spare, and tell me your thoughts about it. :)
The UDM is a great device, secure, cheap, probably the fastest firewall with IDS/DPI in that price range (if you have a fast line above 1Gbps and want IDS/DPI you need to look into the firewall's rated throughput with inspections on). The UDM is rated 3.5Gbps with full DPI/IPS on, which is better than some of the enterprise gear our customers use.
You could get an old USG, turn on all the advanced IDS/DPI and your throughput is limited to 85Mbps... So that's a really important factor when looking into a gateway security device: make sure it can handle the speed of your internet provider!

The interface is simple, well laid out, has bags of features; something that really lets it down is the firewall logging, but you can get these by SSHing into it...

There is also more advanced stuff you can do via SSH, and install extra things.... you could even install a Pi-hole onto the UDM or other Linux apps if you so required, or WireGuard VPN support etc. (mine's vanilla, and I have separate Pis for Pi-hole etc.)
By default it's simple, but it can be semi-hacked for more advanced stuff too.

Will have a read about firewalla later!

pfSense gets lots of praise for being about the best firewall people use, not sure if you've looked into that either?
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,944
Max about 300 bucks. I even think that this is set quite high, considering that this will be my first hardware firewall to play with. But in the end the most important thing is, that I don't have to pay yearly subscriptions. :)
Understood and good to know, but it will restrict your options as most hardware firewalls do come with subscription services in one way or the other. Some even have that hidden. Similar to some free AVs that have basic protection working, but to gain the more and better features and modules, you simply have to chunk up and pay for a subscription. That's what the vendors genuinely earn from, even if many of the more "company/business" hardware firewall versions are a bit expensive for the main purchase; but you're a "home" user, and with 300 bucks it's for sure not super easy. It's a great extra layer if you can get one. (y)

Personally I'm curious about the possible new upcoming router/firewall version from F-Secure, even if that of course will include a subscription.

Ubiquiti and Firewalla are easy to find reviews about on YT.

 

kC77

Level 5
Aug 16, 2021
201
Yeah there are many great security devices out there but most have some yearly subscription.... I think that's where the Ubiquiti stuff is great: it's cheap, fast, no subscription services at all, has most of the features you would need...
Especially good when tied with its UniFi APs! The wireless kit is brilliant too.

The support is a bit weird in that there isn't really any; it's more community/forum based.
Also it doesn't have any gateway AV. Yes it does IDS/IPS/DPI/content filtering/app control/geo blocking etc., but there is no "AV", so if that's what you're looking for, look elsewhere (Fortinet/SonicWall/WatchGuard/Sophos/Palo Alto etc., but be prepared to pay).

There are a few different versions of the "Dream Machine" line:
UDR - is a more home-style router and WiFi bundled into one cylinder-type device (Dream Router), less than £100
UDM-Pro - 1U rack, everything built in including a hard drive bay for the optional Protect/surveillance stuff (note the 8-port switch in this model isn't PoE)
UDM-Pro SE - same as above, except it has PoE ports and a 128GB SSD built in

The SE version also runs a different software/OS version; both non-SE & SE are still updated and maintained, and while they share mostly the same features, the underlying OS is completely different.

If you already have a controller doing other stuff (e.g. a Cloud Key) then the next-gen model is better as it can be adopted by other UniFi controllers (useful if you are managing multiple sites).

My biggest gripes:
  • the "dual WAN" can only work as failover and not in a load-balancing mode (apparently load balancing is being re-added in the next firmware revision)
  • stock VPN is L2TP only (also something called Teleport, a UniFi-only take on WireGuard, but it only works from iOS/Android devices) **you can, using SSH, install WireGuard etc., but it needs some SSH wizardry**
  • when a hard drive is fitted in the UDM-Pro the fans are loud! (otherwise without a drive it's silent) **Hard drive is only needed if you want to record video from UniFi Protect/cameras**
  • default setup has everything cloud-based/remote access enabled; while it's secure and 2FA is enabled, I prefer to disable the remote access.

Also worth noting from a security point.... some people were hit by the log4j vulnerability as the UniFi controller uses that... but UniFi were on top of this and updating super quick.... the people affected were just not updating their controllers for weeks/months.

My main reason for buying was my old DrayTek was EOL, and firmware no longer updated... I never run any router past its EOL date. I also needed something with faster firewall throughput and this ticked the boxes. 3.5Gbps firewall throughput with DPI on in a box this cheap... that was reason enough for me.
 

SecureKongo

Level 29
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,829
Understood and good to know, but it will restrict your options as most hardware firewalls do come with subscription services in one way or the other. Some even have that hidden. Similar to some free AVs that have basic protection working, but to gain the more and better features and modules, you simply have to chunk up and pay for a subscription. That's what the vendors genuinely earn from, even if many of the more "company/business" hardware firewall versions are a bit expensive for the main purchase; but you're a "home" user, and with 300 bucks it's for sure not super easy. It's a great extra layer if you can get one. (y)

Personally I'm curious about the possible new upcoming router/firewall version from F-Secure, even if that of course will include a subscription.

Ubiquiti and Firewalla are easy to find reviews about on YT.

Thanks a lot for the explanation. May I ask what kind of firewall you're using? I remember that F-Secure had something similar to Bitdefender Box, but it got discontinued. Good to know that they are working on something new. (y)
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,944
Thanks a lot for the explanation. May I ask what kind of firewall you're using? I remember that F-Secure had something similar to Bitdefender Box, but it got discontinued. Good to know that they are working on something new. (y)
Yeah, F-Secure's previous router and their all-in-one concept was for sure interesting and I wasn't far from buying one, but they never seemed to invest enough in it and the hardware specs died fast and no new versions were released. Hopefully they don't make the same mistake.

 

woodrowbone

Level 10
Verified
Dec 24, 2011
489
Wanted to get the Blue + one as I already have a new router.
Can't you return that new router?
The Blue is capped at 500Mbit I think and is using ARP spoofing only, not a "real" router mode; Purple handles 1Gbit.
The Purple you can also use in "Bridge mode" behind your existing router if you are not able to return it.

/W
 
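The distinction woodrowbone draws above (ARP spoofing versus a real router or bridge mode) is visible on the wire: a device that inserts itself that way answers ARP for the gateway's address with its own MAC, so the LAN sees the gateway IP claimed by two different hardware addresses. The following is an added example, not Firewalla code and not from any poster in this thread, showing the defender's side of that: a small Python monitor that flags every change in the MAC answering for the gateway. The gateway address and the ARP reply records are constructed sample data; on a real network the same records would come from a periodic read of the ARP table or from a sniffer.

```python
"""Flag changes in which MAC answers ARP for the gateway address.

Added example, not Firewalla's code. A Firewalla in the ARP-based mode looks
exactly like this on purpose; on a network that has no such device, the same
signature is a reason to investigate.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

GATEWAY_IP = "192.168.1.1"  # assumption: the router's LAN address

# Constructed sample records: (seconds since start, sender IP, sender MAC),
# as a poller reading the ARP table every ten seconds might record them.
ARP_REPLIES = [
    (0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (10, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (20, "192.168.1.50", "de:ad:be:ef:00:50"),
    (30, "192.168.1.1",  "de:ad:be:ef:00:99"),  # a second MAC claims the gateway
    (40, "192.168.1.1",  "de:ad:be:ef:00:99"),
    (50, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # the real router answers again
]


def detect_gateway_claims(replies: List[Tuple[int, str, str]],
                          gateway_ip: str = GATEWAY_IP) -> List[Tuple[int, str, str]]:
    """Return one alert (timestamp, previous_mac, new_mac) each time the MAC
    seen for gateway_ip differs from the last one seen. Empty list = stable."""
    alerts = []
    last_mac = None
    for ts, ip, mac in replies:
        if ip != gateway_ip:
            continue
        if last_mac is not None and mac != last_mac:
            alerts.append((ts, last_mac, mac))
        last_mac = mac
    return alerts


def ips_with_multiple_macs(replies: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Broader check over every address: which IPs were claimed by more than one MAC."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for ts, old, new in detect_gateway_claims(ARP_REPLIES):
        print(f"t={ts:>3}s gateway {GATEWAY_IP} moved from {old} to {new}")
    for ip, macs in ips_with_multiple_macs(ARP_REPLIES).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
```

The flapping pattern in the sample (the gateway's MAC changing and then changing back) is characteristic: the real router keeps answering, so the interposing device has to keep re-asserting itself. Whether that is an expected appliance or something unwanted is a question for the inventory, which is why the monitor reports changes rather than deciding on its own.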

woodrowbone

Level 10
Verified
Dec 24, 2011
489
The best part with Firewalla is no monthly or yearly fees.

BTW! Blackice, you used a few other routers in this category if memory serves me right?
How about you get a Purple and give us a review 😀😀😀 to compare your experiences 👍

/W
 

SecureKongo

Level 29
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,829
Can't you return that new router?
The Blue is capped at 500Mbit I think and is using ARP spoofing only, not a "real" router mode; Purple handles 1Gbit.
The Purple you can also use in "Bridge mode" behind your existing router if you are not able to return it.

/W
My connection is quite slow, so I don't really need 1Gbit speed. I also want to use my existing router, as it has wider WiFi coverage.
 

blackice

Level 36
Verified
Top poster
Well-known
Apr 1, 2019
2,577
The best part with Firewalla is no monthly or yearly fees.

BTW! Blackice, you used a few other routers in this category if memory serves me right?
How about you get a Purple and give us a review 😀😀😀 to compare your experiences 👍

/W
My spouse may remove me from the bedroom if I spend any more money on a network that has been optimized to death…