Asking about Hardware Firewall Appliance pfSense Without Subscription Service

dive_instr (n00b; joined Nov 11, 2020; messages: 2)

Hi,
Thank you for allowing me to join [H]ardForum.
I hope I can be useful to others in the future.

I've been informed that a pfSense capable appliance is ok to use for home use,
without the USD $400/year subscription service.

2 computers, TPLink T6000 smart router to Uverse Pace modem,
Professional grade IP cameras, printer, Synology DS218, and a
few other IoT devices.

It appears I'll need to make a list and research the TP-Link T6000-28TS
security features to see if a pfSense appliance without subscription
provides more (than the smart switch).

I was told that a WatchGuard T20 with subscription service goes way
beyond any smart switch out there; I was told that a WatchGuard
appliance will not work at all without subscription service.

Question becomes, what important security features would I
do without, for having hardware appliance without subscription service?

Many thanks!
 
First, be aware the Uverse Pace modem is in fact the Uverse Pace residential gateway, aka firewall, and in your case it should almost certainly be considered irreplaceable with your own firewall. There will be things you simply cannot do because it is there. There are certain ports it thinks are reserved for its own use. If you place another firewall behind it you will potentially have issues due to double NAT/PAT. If you are serious about your direction you should visit the Uverse forum on dslreports; there is a lot of discussion on these devices and potential workarounds, as well as tips on how to just make best use of the Pace.
 
My old company (MSP) exclusively used / deployed WatchGuard devices. The device and basic firewall functionality are fully functional without a "support" subscription service. Without the basic support / subscription service you can't do firmware upgrades or get any support from WatchGuard. The other additional subscription services are above and beyond the basic support - such as web site filtering / AV / UTM - and just won't be accessible without the feature keys (https://www.watchguard.com/help/doc...are/basicadmin/subscription_expiration_c.html).

95%+ of our customers only had the basic support services without the extras. Also keep in mind actually using these services on a lower end device like a T20 will severely limit the throughput. I don't know what your internet speed is - but a T20 with the UTM services turned on will cap out at around 150Mbps speeds (https://www.watchguard.com/wgrd-products/tabletop/firebox-t20).

I can't attest to pfSense as I've never used it - but WatchGuards were fairly easy to set up and configure. Without the subscription services a WatchGuard in my opinion isn't much different than a regular router, and IMO less secure due to not getting firmware updates. A much more cost effective solution with "better" capability is something like an ASUS router running Merlin firmware. For something a little higher-end you could also look into Untangle - the home version runs $50/yr - or Sophos UTM home edition, which is free.
 
Note, pfSense is not a "smart switch"; pfSense is a firewall / router / security device. The TP device is an L2 management switch, so it really does not have any "security" features except maybe being able to do VLANs.

You can build them on old hardware (so long as it supports AES). Older WatchGuards you could install pfSense onto, but as of I think 2.4, most of those old WatchGuards are no longer properly supported because the Core 2 Duo CPUs used do not support AES encryption now needed in pfSense.

pfSense subscriptions basically get you access to their support, that is it.
https://www.netgate.com/products/appliances/
 