Comparison

From securityrouter.org, an OpenBSD-based firewall
Jump to: navigation, search

This is a biased comparison page, that highlights the strengths of the security router. We don't revise this page very often, and the information might be out of date. Please contact us, if you find any errors.

securityrouter 3.7 pfSense 2.1 m0n0wall 1.33  Vyatta[1] Mikrotik 5.20 Smoothwall 3.0sp3
Cost Free/paid Free Free Free/paid Paid Free/paid
Platform OpenBSD 5.9 FreeBSD 8.3 FreeBSD 6.4 Linux 3 Linux 2.6 Linux 2.6
Firewall PF Forked PF[2] ipfilter iptables iptables iptables
Architecture Intel 32/64-bit Intel 32/64-bit Intel 32-bit Intel 32-bit Intel 32-bit Intel 32/64-bit
Management
Config format Clear-text XML XML Clear-text Semi-clear-text Binary (floppy)
Restore/rollback without reboot Yes No No No No No
Test/confirm without reboot Yes No No No No No
Revision-managed config Yes (Subversion) Yes (files) No Yes (file rotation) No No
Commit multiple changes Yes No No Yes No No
CLI config editor Yes No No Yes Yes No
API SOAP No No REST Custom No
VPN and encapsulation
VXLAN Yes No No No No No
L2TP Yes Yes No Yes Yes No
PPTP NAT passthrough Yes No[3] No Yes (iptables) Yes (iptables) No
DNS suffix in PPTP/L2TP Yes No No No No No
Client routes in PPTP/L2TP Yes No No No No No
Filter-ID for RADIUS Yes No No No Yes No
Routing
MPLS Yes (PE/VPN) No No No Yes No
OSPF/BGP Yes Package[4] No Yes (Quagga) Yes No
BGP TCP-MD5 Yes No[5] No Yes Yes No
IPv6
Firewall rules Dual-stack Rule duplication Rule duplication Rule duplication Rule duplication No
Layer-3 translation (eg. NAT64) Yes No No No No No
Others
SIP proxy Yes Package[6] No Yes Yes Yes
VMware image Yes (OVA) No[7] No Yes No No[8]
Layer 7 load balancing Yes No No No  ? No
  1. Bought by Brocade, terminated open source edition, forked
  2. pfSense uses a modified version of FreeBSD's PF, forked from OpenBSD 4.1's PF (but improved and updated in some areas)
  3. The package Frickin is sometimes mentioned, but it supposedly doesn't work in latest version
  4. OpenBGPD and friends are available as a package
  5. Last time we checked, it could be configured manually with setkey, but inbound TCP-MD5 was not verified
  6. The siproxd package is available, but it typically requires a bit of configuration as the traffic from the phones needs to be directed to the proxy
  7. Discontinued and is no longer offered for pfSense 2.1 and later
  8. Found no VMware release of latest version (3.0sp3)