Difference between revisions of "Comparison"

From securityrouter.org, an OpenBSD-based firewall
 
(44 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
This is a '''biased''' comparison page, that highlights the strengths of the ''security router''. We don't revise this page very often, and the information might be out of date. Please contact us, if you find any errors.
 +
 
{| class="wikitable"
 
{| class="wikitable"
! !! Halon 3.0-p17 !! pfSense 2.0.1  !! m0n0wall 1.33 !! Vyatta 6.4 !! Mikrotik 5.20
+
! !! securityrouter 3.7 !! pfSense 2.1  !! m0n0wall 1.33 !! Vyatta<ref>Bought by Brocade, terminated open source edition, forked</ref> !! Mikrotik 5.20 !! Smoothwall 3.0sp3
 
|-  
 
|-  
| Platform || OpenBSD 5.0 || FreeBSD 8.1 || FreeBSD 6.4 || Linux 3.0.23 || Linux 2.6
+
| Cost || Free/paid || Free || Free || Free/paid || Paid || Free/paid
 +
|-
 +
| Platform || OpenBSD 5.9 || FreeBSD 8.3 || FreeBSD 6.4 || Linux 3 || Linux 2.6 || Linux 2.6
 +
|-
 +
| Firewall || PF || Forked PF<ref>pfSense uses a modified version of FreeBSD's PF, forked from OpenBSD 4.1's PF (but improved and updated in some areas)</ref> || ipfilter  || iptables || iptables || iptables
 +
|-
 +
| Architecture || Intel 32/64-bit || Intel 32/64-bit  || Intel 32-bit  || Intel 32-bit || Intel 32-bit || Intel 32/64-bit
 +
|-
 +
! Management !! !! !! !! !! !!
 +
|-
 +
| Config format || [[Configuration_file|Clear-text]] || XML || XML  || Clear-text || Semi-clear-text || Binary (floppy)
 +
|-
 +
| Restore/rollback without reboot || [[Backend|Yes]] || No || No  || No || No || No
 +
|-
 +
| Test/confirm without reboot || Yes || No || No  || No || No  || No
 +
|-
 +
| Revision-managed config || Yes (Subversion) || Yes (files) || No  || Yes (file rotation) || No || No
 +
|-
 +
| Commit multiple changes || Yes || No || No  || Yes || No || No
 +
|-
 +
| CLI config editor || [[Configure|Yes]] || No || No  || Yes  || Yes || No
 
|-
 
|-
| Firewall || PF (2011) || PF (2007) || ipfilter || iptables || iptables
+
| API || [[SOAP]] || No || No || REST || Custom || No
 
|-
 
|-
| Architecture || Intel 32/64-bit || Intel 32/64-bit  || Intel 32-bit  || Intel 32-bit || Intel 32-bit
+
! VPN and encapsulation !! !! !! !! !! !!
 
|-
 
|-
! VPN server !! !! !! !! !!
+
| VXLAN || Yes || No || No || No || No || No
 
|-
 
|-
| L2TP || Yes || Yes || No || Yes|| Yes
+
| L2TP || Yes || Yes || No || Yes|| Yes || No
 
|-
 
|-
| PPTP NAT passthrough || Yes || ? (Fricking) || No || Yes (iptables) || Yes (iptables)
+
| PPTP NAT passthrough || [[Proxies#PPTP_proxy|Yes]] || No<ref>The package Frickin is sometimes mentioned, but it supposedly doesn't work in latest version</ref> || No || Yes (iptables) || Yes (iptables) || No
 
|-
 
|-
| DNS suffix in PPTP/L2TP || Yes || No || No || No || No
+
| DNS suffix in PPTP/L2TP || [[VPN_server#Search_domain|Yes]] || No || No || No || No || No
 
|-
 
|-
| Filter-ID for RADIUS || Yes || No || No || No || ?
+
| Client routes in PPTP/L2TP || [[VPN_server#Routing|Yes]] || No || No || No || No || No
 
|-
 
|-
| Layer 7 load balancing || Yes || No || No || No|| ?
+
| Filter-ID for RADIUS || [[VPN_server#Groups|Yes]] || No || No || No || Yes || No
 
|-
 
|-
! Routing !! !! !! !! !!  
+
! Routing !! !! !! !! !! !!
 
|-
 
|-
| MPLS || Yes (PE/VPN) || No || No  || No || Yes
+
| MPLS || Yes (PE/VPN) || No || No  || No || Yes || No
 
|-
 
|-
| Built-in OSPF/BGP || Yes (OpenBGP/OSPFD) || No || No  || Yes (Quagga) || Yes
+
| OSPF/BGP || [[BGP|Yes]] || Package<ref>OpenBGPD and friends are available as a package</ref> || No  || Yes (Quagga) || Yes || No
 
|-
 
|-
! Management !! !! !! !! !!
+
| BGP TCP-MD5 || Yes || No<ref>Last time we checked, it could be configured manually with <tt>setkey</tt>, but inbound TCP-MD5 was not verified</ref> || No  || Yes || Yes || No
 
|-
 
|-
| Config format || Clear-text || XML || XML  || Clear-text || Semi-clear-text
+
! IPv6 !! !! !! !! !! !!
 
|-
 
|-
| Restore/rollback without reboot || Yes || No || No  || No || ?
+
| Firewall rules || [[IPv6|Dual-stack]] || Rule duplication || Rule duplication || Rule duplication || Rule duplication || No
 
|-
 
|-
| Revision-managed config || Yes || Yes || No || Yes || ?
+
| Layer-3 translation (eg. NAT64) || [[IPv6|Yes]] || No || No || No || No || No
 
|-
 
|-
| CLI config editor || Yes || No || No  || Yes  || Yes
+
! Others !! !! !! !! !! !!
 
|-
 
|-
| Re-arrange graphs || Yes || No || No  || ? || ?
+
| SIP proxy || Yes || Package<ref>The siproxd package is available, but it typically requires a bit of configuration as the traffic from the phones needs to be directed to the proxy</ref> || No  || Yes || Yes || Yes
 
|-
 
|-
! IPv6 !! !! !! !! !!
+
| VMware image ||Yes (OVA) || No<ref>Discontinued and is no longer offered for pfSense 2.1 and later</ref>  || No  || Yes || No || No<ref>Found no VMware release of latest version (3.0sp3)</ref>
 
|-
 
|-
| Firewall rules || [[IPv6|Dual-stack]] || Separate ruleset || Separate ruleset || ? || ?
+
| Layer 7 load balancing || [[Load balancing|Yes]] || No || No || No || ? || No
 
|}
 
|}
 +
 +
<references />
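Review bot: In the PPTP NAT passthrough row, the pfSense cell goes from "? (Fricking)" to a flat "No", but the footnote backing it only says the Frickin package "supposedly doesn't work in latest version"; either verify this against pfSense 2.1 or keep the cell as "?" with the footnote attached. The BGP TCP-MD5 footnote ("Last time we checked") has the same weakness, since it gives no date or version for the check. The Mikrotik cell in the Layer 7 load balancing row is the one "?" left in the new table and should be resolved or footnoted like the others.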

Latest revision as of 14:36, 10 April 2016

This is a biased comparison page that highlights the strengths of the security router. We don't revise this page very often, and the information might be out of date. Please contact us if you find any errors.

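{| class="wikitable"
! !! securityrouter 3.7 !! pfSense 2.1 !! m0n0wall 1.33 !! Vyatta[1] !! Mikrotik 5.20 !! Smoothwall 3.0sp3
|-
| Cost || Free/paid || Free || Free || Free/paid || Paid || Free/paid
|-
| Platform || OpenBSD 5.9 || FreeBSD 8.3 || FreeBSD 6.4 || Linux 3 || Linux 2.6 || Linux 2.6
|-
| Firewall || PF || Forked PF[2] || ipfilter || iptables || iptables || iptables
|-
| Architecture || Intel 32/64-bit || Intel 32/64-bit || Intel 32-bit || Intel 32-bit || Intel 32-bit || Intel 32/64-bit
|-
! Management !! !! !! !! !! !!
|-
| Config format || Clear-text || XML || XML || Clear-text || Semi-clear-text || Binary (floppy)
|-
| Restore/rollback without reboot || Yes || No || No || No || No || No
|-
| Test/confirm without reboot || Yes || No || No || No || No || No
|-
| Revision-managed config || Yes (Subversion) || Yes (files) || No || Yes (file rotation) || No || No
|-
| Commit multiple changes || Yes || No || No || Yes || No || No
|-
| CLI config editor || Yes || No || No || Yes || Yes || No
|-
| API || SOAP || No || No || REST || Custom || No
|-
! VPN and encapsulation !! !! !! !! !! !!
|-
| VXLAN || Yes || No || No || No || No || No
|-
| L2TP || Yes || Yes || No || Yes || Yes || No
|-
| PPTP NAT passthrough || Yes || No[3] || No || Yes (iptables) || Yes (iptables) || No
|-
| DNS suffix in PPTP/L2TP || Yes || No || No || No || No || No
|-
| Client routes in PPTP/L2TP || Yes || No || No || No || No || No
|-
| Filter-ID for RADIUS || Yes || No || No || No || Yes || No
|-
! Routing !! !! !! !! !! !!
|-
| MPLS || Yes (PE/VPN) || No || No || No || Yes || No
|-
| OSPF/BGP || Yes || Package[4] || No || Yes (Quagga) || Yes || No
|-
| BGP TCP-MD5 || Yes || No[5] || No || Yes || Yes || No
|-
! IPv6 !! !! !! !! !! !!
|-
| Firewall rules || Dual-stack || Rule duplication || Rule duplication || Rule duplication || Rule duplication || No
|-
| Layer-3 translation (e.g. NAT64) || Yes || No || No || No || No || No
|-
! Others !! !! !! !! !! !!
|-
| SIP proxy || Yes || Package[6] || No || Yes || Yes || Yes
|-
| VMware image || Yes (OVA) || No[7] || No || Yes || No || No[8]
|-
| Layer 7 load balancing || Yes || No || No || No || ? || No
|}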
  1. Bought by Brocade, terminated open source edition, forked
  2. pfSense uses a modified version of FreeBSD's PF, forked from OpenBSD 4.1's PF (but improved and updated in some areas)
  3. The package Frickin is sometimes mentioned, but it supposedly doesn't work in latest version
  4. OpenBGPD and friends are available as a package
  5. Last time we checked, it could be configured manually with setkey, but inbound TCP-MD5 was not verified
  6. The siproxd package is available, but it typically requires a bit of configuration as the traffic from the phones needs to be directed to the proxy
  7. Discontinued and is no longer offered for pfSense 2.1 and later
  8. Found no VMware release of latest version (3.0sp3)