I started with UTM when Astaro came out with the free version more than 15 years ago. Initially it ran on a decommissioned corporate notebook with a secondary Ethernet as PCMCIA card, but eventually it graduated to a J1900 Atom with dual Ethernet NICs.
I've really liked the user interface; of course it was complex, but mostly because the appliance grew ever more powerful as well. Networking isn't my IT-primary but I really needed to keep my home, lab and family safe (two dozen physical computing devices from smartphones to big workstations).
When Astaro got bought up by Sophos, the pressure to purchase got stepped up but also my bandwidth increased from low Mbits to hundreds and a point where the Atom was becoming a bottleneck. I tried running the appliance as a VM on my 24/7 home-server, an entry-level Xeon with plenty of RAM and muscle, but since that's based on Windows Server (Terminal server and desktop as well as VM host and file/print server), all type 2 hypervisors seemed challenged with such I/O intensive loads (and no SR-IOV or similar). There are also simply too many good reasons to make your primary firewall an independent appliance.
I looked around the free personal firewall scene and evaluated a couple of them to settle on pfSense. Yes, even if I preferred *real* Unix like AT&T SysV R3 or 386BSD over that Linus T. kid's 0.9x OS with the Minix knock-off file system in the old days, CentOS has been my mainstay for at least a decade and BSD these days feels rather "raw". But pfSense is worth the overhead, and I practically never need to deal with the BSD underneath the Web-GUI.
The GUI is nowhere near as nice as Astaro/Sophos/UTM and it's still obvious that the original business model was based on selling the documentation not the software, but it works, it is very well supported and it can take the load... at least after I upgraded the appliance to an i7-7700T (35 Watt), which I Noctuad down to unnoticeable sound emissions. I got a very special motherboard for it, a Mini-ITX with 8 (eight!) Intel Gbit ports, sheer overkill, but I got it cheaper than new RAM, as it works with the very same two 8GB DDR3 SO-DIMMs I had already paid for and used in the Atom: It even fit into the same chassis!
You sure won't be in the same situation, but having Intel NICs on every end of your firewall is strongly recommended to use accelerated code paths in various modules of pfSense. You also want to have AES-NI instruction set support (which the J1900 lacked).
Typical pfSense appliances, even the ones they sell with support, are still Atom based and of course an Atom will let Gbit bandwidth pass from one end to the other. But I tend to go heavy on Suricata and Snort intrusion detection rule sets and that does cost a bit to significant CPU overhead. It's currently running on Suricata (Snort is still single threaded, I believe), using the biggest non-commercial ruleset (ETOpen + Snort subscriber) and doesn't throttle any of my current 400MBit bandwidth due to CPU limitations (that's where both the Atom and the VM bottlenecked).
I've also never had (or at least noticed) any intrusion or virus in the family network, where only I ever worry about security.
The Sophos home edition is rather limited in features and even the Home Premium subscription tops out at 10 devices (no idea if that is enforced; don't want to find out at the wrong moment).
pfSense has no such restrictions, has good performance, has kept us safe and has proven to be very little effort to maintain. I am so happy, I really should start paying money...
