This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Are there any Updates planed for the last UTM lifecyle ?

Or is this thing complete dead? 

nothing much  arround in the last days .

Whats the deal with the IPS hotfix ?  Issue solved ? anything new ?



This thread was automatically locked due to age.
Parents Reply Children
  • I moved to pfsense (after 8 years of UTM). I will miss the global object concept (define an entity once, use it where ever applicable), but *sense is far superior in its firewall configuration and nat capabilities. There's an INVERT flag available which can apply towards hosts or ports. IE, define a rfc1918 ip scope then use invert scope to limit host access to internet only targets (not on local subnet). Firewall rules are organized by interface, in addition to "floating" rules which can apply to multiple interfaces (and thus need to be defined once).

    For malware and adblocking im using pfblockerng with a number of lists.  There's also builtin wireguard support. I had issues with my ISP blocking adguard dns access (dns.adguard.com). Established a wireguard tunnel to cloudflare warp (free); set that as the gateway for any queries coming off the DNS server (adguard home, self hosted) using port 53/853 UDP.  All dns traffic is now fully encrypted between the dns server and upstream end points. I ran something similar when on UTM, except the wireguard client ran on the dns server instead of the firewall.

    I last looked at xg/sfos last year and its layout, ui and flow still seemed bonkers to me. Hard to move forward with it when the main UI itself is difficult to see with no options for different color schemes/themes. Too locked down for my needs as well.  The isp, att fiber uses 802.1x authentication. If one doesn't want to use their provided CPE, 802.1x needs to happen in software using extracted credentials. This worked in UTM using a self compiled wpa_supplicant, but wasn't worth the effort to even attempt with xg/sfos.  Pfsense includes and supports wpa_supplicant along with listening on vlan0 for both wpa_supplicant and dhclient right out of the box - something the isp uses to handle wan access and dhcp.

    Both UTM and now pfsense are virtualized under proxmox. In terms of cpu use, idle is better, under load is worse. This is tolerable given full line speed internet use is minimal.

    The conversion process is still a work in progress as I focus on various things I need to tweak or adjust. Sometime this month I will tackle haproxy (waf equivalent).

  • Ah yes, I remember the wpa_supplicant issue.

    Hope pfSense works out. You no longer will need to use a separate device for pihole or adguard home.

    This will sound weird, but I tried OPNsense and did not care for the interface. I also had no desire to try pfSense because I wanted to use Zenarmor (which is not supported by pfSense), but even that was too limited and expensive.

  • I don't care much for the opnsense ui either.  I find it as difficult to view as XG.  It does however support different themes/colors.  The UI is reminiscent of the older tomato firmware for the  routers. Expanding and collapsing left margin menus.  PF on the other hand is more like ddwrt or the linksys fw, top rows with tabs below for different functions.

    It's possible to get zenarmour installed in pf, but I don't think I will be doing so.  Maybe suricatta.