old pfsense hardware dead, survey of current options pfsense, mikrotik, sophos, etc

EngChi

Regular Contributor
Last night the Foxconn-based Atom D2700 unit's PSU died, which disabled the router. I hooked Comcast directly to the Acer C5, so it works for now, but I would like a replacement. My default route was to buy a decent Qotom from Amazon (a Celeron 3215U-based unit with 4 Intel NICs is ~150), throw in some RAM and an HDD, and put pfsense back on fanless hardware. However, I am also curious what the other choices are before going the default route - basically, I'm in the market for a UTM with the primary features being firewall and routing. I don't need wifi, as it would be handled by another AP.

Questions
1) Anything good/bad to say about Mikrotik? I see a lot of cheap (~$60) units like these https://www.amazon.com/dp/B016E93IQS/?tag=snbforums-20 which in theory should do the routing trick. I'm reading up on RouterOS now to understand the difference between the various "levels" of the license.

There are also slightly more expensive units like the MikroTik Cloud Router Switch CRS109-8G-1S-2HnD-IN, which is still cheaper than the Qotom route.
2) Same for Sophos UTM.

If you are using any of the above, what are the carrying costs (annual licenses, etc.)?

Thank you
 
There's a QOTOM build thread that is good to review - guy was pretty happy with how it turned out...

MikroTik on their HW, if I recall correctly, includes the license - there is a build for generic x86, but that license is out of pocket - RouterOS is quite capable.

I'm using pfSense 2.3.2 on a Netgate RCE-V 2440 (rebrand from the pfSense SG-2440) and it's quite good..
 
The Qotom build works well with Untangle if you're looking for a good UTM. Untangle for home use is $50 a year.
 
How about corporate out-of-the-box solutions? Juniper SRX, Sophos SG, Fortinet FortiGate E-series, etc? May be worth a look if you just want to cut the fluff and go straight for rock-solid, in exchange for proprietary lock-in and less power per dollar of course.

Otherwise, a Qotom or equivalent x86 DIY box running an open-source or corporate community-version firewall is a solid route.

And while not full-blown UTM-level, UBNT and MikroTik boxes can still be made into effective basic firewalls. Just realize with their stuff that: 1) skillset is assumed, 2) support is wikis and veteran-biased forums, 3) they can be slightly buggy, depending on how deeply you're digging into the feature sets...

Best of luck. :)
 
Thank you to all who responded. The way I see it, my options are as follows:
- Roll my own solution on x86 (Qotom hardware and one of many distros, including pfsense). Very familiar, known, slightly more expensive than dedicated non-x86 hardware from Ubiquiti or Mikrotik. Another benefit is that if I get tired of this or change my mind, x86 is x86: put Windows/Ubuntu/whatever on it and you get a SFF desktop if desired. Dedicated hardware is a one-trick pony and cannot be repurposed.
- Get Mikrotik or Ubiquiti special-purpose devices. They are much cheaper than _any_ Qotom, with things like the RB750GR3 at ~$60, and learn that pony's language (EdgeOS, RouterOS, etc.).
- Get higher-level special-purpose devices (Juniper, Sophos, etc.) and their capabilities.

Is this roughly correct?
In terms of my needs, what I want is:
- a firewall between my network and ISP (Comcast) that is better than whatever Asus 56N is currently routing for me while I look for a replacement, i.e. I loved pfsense functions like pfblockerNG and the flexibility pfsense has in general.
- the ability to support multiple ISPs (Comcast + WOW/ATT) as soon as I move houses. All of the above should be able to do it, while cheap consumer switches would not without reflashing them (if they support it at all).
- VLANs
- limited or no on-going licensing costs.

what I do not care about
- power consumption, at the levels we are talking about this is less than a lightbulb. irrelevant.
- price optimization of initial purchase at all costs (as cheap as possible), $100-300 is ok if it provides value.


So I am reading up on what Mikrotik and Ubiquiti are offering to see how deep the pool is before diving.
 
Good point on re-purposing ability by going x86. Also, it probably makes the most sense of any if you intend on running all services on the same box, as it's the easiest to scale your CPU power (ie. Celeron to start, i3 or i5 if need be) and you can run everything in-software, as opposed to relying on hardware offload schemas and/or other possible architecture limitations of the SoC alternatives you're looking at (UBNT, MikroTik, etc.).
 
You could get a new PSU and get your pfsense back up and running.
Switches are Mikrotik's weakest point; don't get a Mikrotik switch till they get the basics right. Routers are Ubiquiti's weakest point. Mikrotik is a focused router; the model affects speed (basically dependent on CPU and any hardware acceleration). Ubiquiti is more like a Linux router. Not quite the usability of Linux, but not quite the router Mikrotik is.

For just a router itself, Mikrotik is better than Ubiquiti, but when you want more things, that's where Ubiquiti EdgeRouters help, as you can install software on an EdgeRouter but you can't on Mikrotik unless you hack the OS to gain developer shell. I've seen people mention on Mikrotik forums using a CCR for media encoding after unlocking developer shell. pfsense, however, can do more things than an EdgeRouter, as it's more of a standard Linux than the Ubiquiti EdgeRouter is, so it has less trouble getting things to work together that didn't come with the router. Just remember that the EdgeRouter isn't an x86; it has limited software performance (like 80Mb/s of squid 3 performance per core on the ERPRO).
 
As an update, I decided to try a Mikrotik router and ended up ordering an RB750GR3, and will be figuring out how to set it up once it arrives next week.
 
