Firewall Compare

Tools

A curated directory of 6 tools we use, evaluate, and recommend across the AI security landscape — with our take on each.

Interactive tool

Firewall Platform Spec Matrix & Picker

Compare 8 platforms (pfSense, OPNsense, OpenWrt, MikroTik RouterOS, Sophos, Untangle/Arista, Firewalla, UniFi) across 18 normalized attributes — or answer 7 weighted questions and get a ranked match with per-criterion reasoning. Shareable via URL.

Open-Source Firewall Platforms

OPNsense

License: open-source (BSD); Price: Free

FreeBSD-based firewall and routing platform forked from pfSense in 2015. Six-month release cadence. ZenArmor, Suricata IDS/IPS, and HAProxy plugins.

Our take

Our default recommendation for new builds in 2026. Faster release cadence than pfSense, more modern UI, plugin ecosystem ahead in features like ZenArmor. Pair with Protectli or Netgate hardware.

pfSense CE

License: open-source (Apache 2.0); Price: Free

FreeBSD-based, maintained by Netgate. The original project in the OPNsense/pfSense split. Larger installed base, slower release cadence.

Our take

Still excellent and probably what you should stick with if you already run it. The pfSense Plus / CE confusion (Plus is closed-source on Netgate hardware) is the main reason we now lead with OPNsense for new builds.

OpenWrt

License: open-source (GPL); Price: Free

Linux-based firmware for routers and embedded networking devices. Strong on prosumer/consumer router hardware; less common as a primary firewall.

Our take

Best fit when your firewall is also your AP and the hardware is a consumer router. Not the right pick for a dedicated x86 firewall appliance — go OPNsense/pfSense there.

VyOS

License: open-source; Price: Free (rolling) / commercial LTS

Linux-based router OS with a Junos-style CLI. Heavy emphasis on routing and BGP; the firewall is more of a stateful packet filter.

Our take

The right pick when you want a router-first device with serious routing protocol support and a real CLI workflow. Less polished as a home/SMB firewall than OPNsense or pfSense.

Firewall Hardware

Protectli Vault

License: n/a; Price: $300–$1200

Fanless mini-PCs with Intel NICs (i225/i226), AES-NI, and coreboot/SeaBIOS support. Pre-validated for OPNsense and pfSense.

Our take

Best dedicated firewall hardware for home/SMB labs. The 4-port FW4C handles gigabit OPNsense+IDS comfortably; step up to FW6 for 2.5G/10G. Coreboot option is worth it for distrust-the-firmware threat models.

Netgate appliances

License: n/a; Price: $200–$3000+

Official pfSense hardware. Ships with pfSense Plus pre-installed; supports CE. Range from $200 home boxes to multi-Gbps datacenter appliances.

Our take

The right pick if you want first-party pfSense support. The $200 SG-1100 has been EOL'd; current entry is the SG-2100. Worth comparing against Protectli on a per-spec basis — Netgate's hardware is good but not always price-competitive.