I always had this question - can something like pfsense be built on linux with comparable performance or is there something inherent to the whole stack that makes this effective?
I have always wondered if building pfsense on a modern linux kernel + selinux + BPF with something like nginx/lua scripting (for addon packages) would make more sense.
I would say it's nice enough for more than just "small" stuff. Depending on your definition of "small", I guess.
I'm running a VyOS machine (old desktop with a couple of NICs) which handles the traffic for our Copenhagen office. That's ~15 CI boxes, and 30 people. This is on a 100/100 connection.
For Ubiquiti, I'm a fan. I helped our co-working space set up a network on another floor, and we used an EdgeRouter Lite to handle the 200/200 connection. The ERL handles it without breaking a sweat. That's for 60 people on a daily basis.
For another building, I just finished setting up an ERPro (the 8-port rack-mounted version). It's again on a 200/200 connection, and for roughly 150 people on average, with a maximum around 300-500.
At home, I have an ERPoE, which handles my home lab just perfectly. I'm only on a 100/100 uplink at the moment, but will be upgraded to 1000/500 soon, and I know the ERPoE will handle that just fine as well (thank you hardware offloading ;)). 5 VLANs with full firewalling and routing between them, native IPv6 with prefix delegation, mDNS proxying between VLANs, OpenVPN handled by the router. I could do a lot of this with OpenWRT on an Archer C7, but the ERPoE is simply miles ahead.
The UI is nice for newcomers, and the CLI is amazing. I fell in love with the CLI on VyOS, and am very happy to see the same in the UBNT products. For $100, they are amazing devices. VyOS is my go-to choice when I need to have a virtual router.
Are you talking about VyOS or Ubiquiti? I'm not sure what the relationship is between them - could you talk about what's so amazing for a complete first-timer?
VyOS is just software. So nothing to purchase there. It's what I use when I need either a virtual router, or want to use commodity hardware to act as a router. It's great to throw in ESXi or another hypervisor, or even EC2. It comes with all features you might need (probably), and because it's fairly standard Linux (Debian based), making it do extra things isn't very hard.
The ERL is $100, and comes with Ubiquiti's EdgeOS, which is largely based on VyOS (or something like that), and simply adds a (decent) web UI, and hardware offloading. This means that the ERL, which runs on a dual-core 700MHz MIPS CPU, can route 1Gbit/s and not even break 30% CPU utilisation.
Where VyOS shines is when you need to cobble together a bunch of things. If you just need a pure firewall, I would probably stick with pfsense, as that is, after all, what it is good at. VyOS only offers iptables with some lipstick (which is well enough for a Swiss-army-knife setting).
I guess VyOS would run on that box. I can't see specs, nor know what network chipset it is rocking, but I don't see why not.
What's 'more sense'? It seems like you're willing to rewrite and recreate an existing and perfectly viable solution to a problem purely because the underlying OS is not Linux. In my world it doesn't make ANY sense - while you'll be doing all of that, I'd already be working on something else, after using the existing solution to this particular problem and moving on. However, if you do have a justification for wanting Linux solving your problem, then it seems you might have a different problem than 'a firewall appliance', and in such a case it may make some sense ;)
Wanting pf or something pf-like on a non-BSD-based OS is not an unreasonable request, especially considering how awful it is to work with, say, iptables in the Linux world. Having a Linux-native pf would likely be highly desirable when Linux is already required in one's setup for other reasons (for example, if Docker is a dependency for what one's trying to do).
That said, my own general preference is to use OpenBSD (which means having immediate access to pf plus all the other goodies like relayd/httpd, OpenSMTPD, etc.) in all possible situations, and only resort to some other OS (like GNU/Linux) when actually necessary; thus, I can't really relate to a need for things to be the other way around :)
Chances of Linux-land adopting a NIH tech: .000001%.
They could have used kqueue, but didn't. They could have used accept_filters, but didn't. They could have adopted jails instead of creating I've-lost-count-of-how-many "container" technologies, but didn't.
So basically they will toss iptables eventually and write something similar but not quite as good as pf.
The Unix world in general would be very grateful to see Linux adopt current tech rather than constantly reinventing the wheel in an "it's just good enough, unfortunately" incompatible way.
> could have adopted jails instead of creating i've lost count of how many "container" technologies
The "many technologies" are mostly user-level wrappers though. What actually happened in the kernel: they added unshare(2) early on, but it only isolated filesystem mounts at first. Later they started gradually adding more things for it to isolate: network, PID, IPC and users. The "users" part arrived really late and is kinda bad… that's why for a very long time you weren't supposed to give people root in a docker container, and I think it's still not recommended. That's quite hilarious, considering that jails' main purpose literally was "containing root", and it fucking worked great since the early 2000s.
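Added example, not code from the thread: the kernel side of the comment above, driven from C against the raw unshare(2) syscall. It creates a user namespace without privilege, shows that the process has no identity inside it until /proc/self/uid_map is written (geteuid() reports the overflow uid, usually 65534), maps the caller to uid 0 inside, and only then, holding CAP_SYS_ADMIN in its own user namespace, unshares a network namespace. It assumes Linux with glibc and CONFIG_USER_NS; the struct and function names (isolate_self, ns_result, write_str) are my own. On hosts or containers where user namespaces are disabled (seccomp, sysctl, old kernel), the first step fails with EPERM/EINVAL/ENOSYS and the function reports that errno instead of crashing.

```c
/* Added example (not from the thread or any project): unprivileged
 * unshare(2) into a user namespace, then a network namespace, on Linux.
 * Assumes glibc and a kernel built with CONFIG_USER_NS (3.8 or later). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Flag values as in <linux/sched.h>, spelled out so the file still builds
 * if the libc headers hide them behind a feature macro. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif

struct ns_result {
    int   rc;           /* 0 if the user namespace was created and mapped, else errno */
    int   net_rc;       /* 0 if the network namespace was created, else errno */
    uid_t uid_outside;  /* our uid in the parent namespace */
    uid_t uid_unmapped; /* geteuid() inside, before uid_map exists (overflow uid) */
    uid_t uid_mapped;   /* geteuid() inside, after mapping ourselves to 0 */
};

/* Write a short string to a /proc file; returns 0 or errno. */
static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    ssize_t n = write(fd, s, strlen(s));
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

/* Raw syscall so we do not depend on the libc prototype being visible. */
static int do_unshare(int flags)
{
    return syscall(SYS_unshare, flags) == 0 ? 0 : errno;
}

/* Hypothetical helper: isolate the calling process step by step. */
struct ns_result isolate_self(void)
{
    struct ns_result r;
    char map[64];
    memset(&r, 0, sizeof r);
    r.uid_outside = geteuid();
    gid_t gid_outside = getegid();

    /* Step 1: user namespace. No privilege needed, but until a uid_map is
     * written the process has no identity inside the new namespace. */
    r.rc = do_unshare(CLONE_NEWUSER);
    if (r.rc != 0) return r;
    r.uid_unmapped = geteuid();

    /* Step 2: map our outside uid/gid to 0 inside. Since Linux 3.19 gid_map
     * can only be written after setgroups is denied; older kernels lack the
     * file, so that write's result is deliberately ignored. */
    (void)write_str("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)r.uid_outside);
    r.rc = write_str("/proc/self/uid_map", map);
    if (r.rc != 0) return r;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid_outside);
    r.rc = write_str("/proc/self/gid_map", map);
    if (r.rc != 0) return r;
    r.uid_mapped = geteuid();

    /* Step 3: we now hold CAP_SYS_ADMIN in our own user namespace, so a
     * network namespace (fresh, only a down loopback) is permitted too. */
    r.net_rc = do_unshare(CLONE_NEWNET);
    return r;
}

int main(void)
{
    struct ns_result r = isolate_self();
    if (r.rc != 0) {
        printf("user namespace unavailable here: %s\n", strerror(r.rc));
        return 1;
    }
    printf("uid outside=%u, inside before map=%u, after map=%u, netns=%s\n",
           (unsigned)r.uid_outside, (unsigned)r.uid_unmapped,
           (unsigned)r.uid_mapped,
           r.net_rc == 0 ? "created" : strerror(r.net_rc));
    return 0;
}
```

The "root inside, nobody outside" result is exactly the mapping a rootless container runtime performs; anything the process does as uid 0 in the new namespace is still attributed to the original uid by the kernel, which is why CLONE_NEWUSER has to come first and why an unmapped process cannot even write files it apparently owns. Build with `cc -Wall ns.c -o ns` and run without sudo; a non-zero exit with an EPERM message means the host disallows unprivileged user namespaces.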
> they will toss iptables eventually and write something similar but not quite as good as pf
http://www.brendangregg.com/blog/2016-10-27/dtrace-for-linux...