Review: 5 open source alternatives for routers/firewalls

By Eric Geier (Our Owner & Lead Wi-Fi Consultant)

Originally published on NetworkWorld

Open source software offers an economical and flexible option for deploying basic home, SMB or even enterprise networking. These open source products deliver simple routing and networking features, like DHCP and DNS. Plus, they are combined with security functionality, starting with a basic firewall and possibly including antivirus, antispam and Web filtering.

These products can be downloaded and deployed on your own hardware, on a virtual platform, or in the cloud. Many of them sell pre-configured appliances as well if you like their feature-set or support, but don’t want to build your own machine.

We reviewed five products: ClearOS, DD-WRT, pfSense, Untangle and ZeroShell. We found that ClearOS, pfSense, and Untangle could be appropriate for home use all the way up to the enterprise environment.

  • ClearOS is quite feature-rich, including many extra functionalities such as web filtering, antivirus, and a RADIUS server, but lacks a good captive portal—which all of the other solutions provide.

  • Untangle also provides extra functionality beyond routing and firewall protection, but some features require recurring monthly subscriptions.

  • The pfSense OS offers a more basic feature set, but seems to be the most “free” option.

  • DD-WRT and ZeroShell are targeted more toward home and SMB usage, rather than enterprise. Both support Wi-Fi, but their deployment options differ. They can both be installed on x86 machines, like the other three solutions, but DD-WRT can also be flashed onto wireless routers as custom Linux-based firmware.

ClearOS

ClearOS is more than a simple router; it’s a unified threat management (UTM) solution that offers more than 120 functions via add-ons they call apps, all configurable via their web-based interface. ClearOS is the downloadable OS you can install on your own hardware or virtual machine with their CD (.iso) image. ClearBox is their hardware line with ClearOS pre-installed. There’s also ClearVM, which is a management solution you can utilize to deploy multiple VMs of ClearOS, other Linux distributions, and even Windows OSs on your physical server.

ClearOS version 7 has three editions with varying support and functionality: Community, Home, and Business. ClearOS Business pricing ranges from $108 to $1,308 per year, based upon which subscription you choose with varying functionality and support. Additional fees apply for some of the apps. The ClearVM solution is offered free for limited usage and monthly pricing options are offered for increased usage limits.

We installed ClearOS Business edition (version 7.2.0) to a VirtualBox VM. After a typical install wizard, you’re prompted to configure the network interfaces and then it goes to a simple GUI console displaying the IP of the machine, which you can enter to access the test console for CLI access. However, you’ll likely want to access the web GUI from another computer on the network.

The first time accessing the web GUI you are prompted with another setup wizard to configure the main settings, including the network connection, registration, domain names, and apps. The common apps, such as DHCP server, DNS server, and firewall, are installed by default, but you can choose others to install now or wait till later.

Once you’re in the web GUI, you’ll find a simple interface with four shortcuts on the top: Dashboard takes you to a customizable overview of the system, Marketplace lets you search for and install additional apps, Support brings you to all the support options, and Root is where you can change the system password or sign out. On the left side of the GUI is the main menu to access all the apps and settings, categorized by Cloud, Server, Network, System, and Reports.

On all pages of the web GUI, there’s a documentation icon (looks like a book/manual) that conveniently brings up the online documentation to the particular app or settings you’re currently configuring.

DD-WRT

DD-WRT is primarily known as a free and open alternative firmware for supported consumer-level wireless routers. It contains features and functionality typically only seen in business and enterprise class products, such as multiple SSIDs, VLANs, captive portals, and VPN server/client. In addition to consumer routers, it can be used with embedded hardware and even x86 platforms. They sell some hardware and also offer professional services for customizing the firmware interface and/or features.

You can put a router model number into the DD-WRT router database and it will list the compatibility details and show download links for the supported firmware versions. The firmware can typically be freely used on consumer-level routers, whereas using it with some business and enterprise class products requires the Professional Activation that starts at around $20.

Once you find and download the supported firmware version and edition for your particular router, you must flash it to the router. For some routers, this is a quick process using the firmware upgrade page on the factory web GUI, while for others it is a longer process involving TFTP transfers and other methods. We downloaded DD-WRT v24-SP2 and quickly flashed it to a spare Linksys E2500 we had lying around.

After logging into the web GUI of the DD-WRT firmware, you see a multi-tabbed interface that has a typical router look and feel. The main menu on the top categorizes the settings with most of those pages showing a sub-menu of additional related pages. The Setup page is where you’d set the WAN, DHCP, DDNS, routing, VLANs, and other general networking settings. The Wireless page is where you find the basic and advanced Wi-Fi settings, including the ability to create multiple SSIDs.

The Services page allows you to customize the DHCP and DNS options, configure SSH and Telnet access, configure the VPN server and/or client, and enable hotspot functionality. The Security page allows you to configure the firewall and log options. The Access Restrictions page lets you define WAN access policies and block services and websites. The NAT/QoS page is where you configure port forwarding and triggering, UPnP, DMZ, and QoS settings.

The Administration page is where you configure the admin access settings, including web and remote access, keep alive and Wake-On-LAN settings, and access the router reset, upgrade, and backup options. Also in the Administration settings is the Commands functionality that allows you to run custom commands and scripts, or save them for the router’s startup or firewall. The Status page contains sub-tabs of details and stats categorized by the component or type, which includes simple graphs showing bandwidth usage for the LAN, WLAN, and WAN interfaces.

On most pages, there’s a Help column displaying descriptions for a few of the settings on that particular page and a link to a pop-up window that usually has more documentation on the settings. In addition to the help in the web GUI, DD-WRT also provides online documentation via a Wiki with tutorials and other details on installing and using the firmware.

pfSense

PfSense is similar to Untangle, but lacks some of the extra functionality like web filtering and antivirus, sticking more to the traditional router and firewall feature set. However, there are more than three dozen third-party add-ons for easy install via the package manager. The pfSense OS is based off of FreeBSD with a custom kernel that you can install on your own hardware or virtual machines with their CD (.iso) image or their USB or Embedded (.img) image. You can also buy pfSense preloaded on their hardware or even quickly deploy in the cloud via Amazon Web Services.

In addition to their professional support and services, they offer a gold membership for $99 per year. For support and services, you get resources like a library of developer-led videos and a digital book on pfSense, plus automatic backups.

We downloaded the CD image of Community Edition 2.3.1 and ran it on a VirtualBox VM. We used their DOS-like GUI to install the OS onto the virtual drive. When the CLI booted up, we configured the WAN and LAN interfaces. Then we were taken to the console interface where you can further configure the network interfaces, utilize the CLI, enable SSH, and perform other admin tasks. It also displays the IP addresses for the WAN and LAN interfaces.

After logging into the web GUI for the first time, you’re presented with a wizard to help configure the host and domain names, time server configuration, network interface settings, and the admin password. Once the wizard is completed, you’re taken to their web GUI opened to the Status Dashboard page. It has the look and feel of a typical network appliance. On the top of the pages you see the main menu; clicking on the categories shows a drop-down menu of the pages or tasks. Some pages are single-paged whereas some contain a tabbed interface with additional related pages.

From the System category of the main menu you can access the general, advanced, update, and high availability settings, and the certification, package, and user managers. The Interfaces category is where you configure the WAN and LAN network interfaces. The Firewall category is where you can configure the aliases, NAT, rules, schedules, traffic shaper, and virtual IPs. The Services category is where most of the settings are for the servers and services, such as DHCP, load balancing, and captive portal. The IPsec, L2TP and OpenVPN settings, however, are under the VPN category.

Under the Status menu are pages for showing the stats and usage details for many of the different components of the server. Under Diagnostics you find many different server and network troubleshooting tools, such as an ARP table, Command Prompt access, DNS lookup, and packet capturing. Under the Help menu you find links to the documentation and other useful content.

On every page of the web GUI, you see a help button (question mark icon) that takes you directly to the online documentation for that particular page.

Untangle

Untangle is most similar to ClearOS. It’s a Linux OS currently based off of Debian 8.4. The basic network router functions are provided free and paid apps add additional functionality and features, all managed via a web-based interface. The technical name for the OS is NG Firewall. You can install the OS on your own hardware or virtual machine, or buy an appliance with NG Firewall pre-installed.

Beyond the free basic network features, you can purchase individual apps for $5 to $25 each per month to add functionality or features. Furthermore, you can buy the NG Firewall Complete subscription that includes all apps starting at $50 per month or $540 per year for up to 25 users. For residential non-commercial use, they provide a Home license for only $5 per month or $50 per year. Keep in mind, they do offer a 14-day free trial for their complete subscription.

The NG Firewall can be downloaded as a CD (.iso) image, USB (.img) image, or a VMware (.ova) image. We downloaded and ran the CD (.iso) image (version 12.0.1) in a VirtualBox VM. Once it booted up, we chose the graphical install option. Then we were prompted with the typical Linux OS installation options. After the first boot of the OS, you’re prompted with a wizard to configure the basic settings and log in or create an Untangle account.

After clicking around the GUI, we noticed it’s a web-based interface in a Chromium browser, the same interface you’d see when accessing the web interface from other local computers. Closing the web browser shows the very basic custom Debian OS with a menu on the bottom for bringing up the web interface, restarting or shutting down the machine, accessing recovery utilities, and bringing up Terminal access to the OS.

The web interface has a main menu on the left. The Dashboard page conveniently shows the main stats and reports of the OS, host machine, network and other basic server details, which can be customized to your liking.

The Apps page is where you can check the status of each app and change its settings. It’s a unique interface with each app appearing to be a rack mounted appliance, most of which show some type of status and have a power button to enable or disable that app. Clicking on an app’s Settings button takes you to a tabbed interface with all its settings. There’s a help button for each app on the Apps page and a help button on the bottom of each app’s settings page that takes you to the online documentation for that particular app.

The Config page shows you a tabbed interface similar to the app settings. There you can view and configure all the basic settings of the firewall/router. This includes the network interfaces, firewall, DHCP, DNS, and other main router functions.

The Reports page allows you to generate reports and graphs on historical data from all the functions and apps. These reports are rather detailed and customizable. They can also be quickly exported as an image.

ZeroShell

ZeroShell is a Linux distribution for servers and embedded devices, designed to provide the main network services a LAN requires. The basic features are installed by default and a handful of packages are offered to add functionality, such as Samba File Sharing Service and Asterisk VoIP PBX. The latest releases are provided via a CD (.iso) image that can be run in the live CD mode or installed on the machine’s hard drive and a USB (.img) image. Once the Linux distribution is running, you can configure and administer the platform via the web-based interface.

We created a VirtualBox VM and ran ZeroShell version 3.5.0 using their CD (.iso) image. By default, the live CD mode will run, giving you an operational router platform right away. On the console interface you can configure the main settings and configure the IP address where you can access the web-based interface. You can alternatively install the OS onto the hard drive by running the Installation Manager in the console, which prompts you for the main server settings.

The web-based interface has a look and feel like traditional network appliances. On the left side is the main navigation menu with the following: Setup, Logs, Utilities, and Monitoring under the System category, then Users, Groups, RADIUS, Accounting, and Captive Portal under the Users category, then Hosts, Router, DNS, DHCP, VPN, QoS, and Network Balancer under the Network category, and then Firewall, HTTP Proxy, X.509 CA, and Kerberos 5 under the Security category. Clicking on most of those links changes the main page of the interface, which typically is a tabbed interface with a sub-menu showing up on the top.

The interface and features of ZeroShell are for the most part straightforward to get around and configure. They offer some useful tutorials on their website, but some help or tips within the web GUI would be nice as well.

Out of the box, you can utilize the package functionality of ZeroShell to install any security or bug fixes that are released. However, to install the Add-Ons, New Features, or New Releases, you must obtain a subscription key. Nevertheless, this only requires either adding a link and description of ZeroShell to your website, posting a review on an external forum/blog, or donating any amount to ZeroShell.
