
Adding a pfSense Firewall

The firewall and routing capabilities of my Ubiquiti UDM-Pro are OK if you are a home user and not especially interested in granular logging, multiple WAN IPs or complex routing; however, pfSense does a much better job.

I decided I wanted to install a pfSense firewall, mainly as a learning experience, but also to improve on my firewall/routing capabilities.

The official hardware for pfSense is Netgate. These appliances come with pfSense pre-installed and vary in processing/routing ability, starting with the SG-1100 at $179.00 (£143.00) and going up to the XG-1541 at $2649.00 (£4118.00). (The US prices are from Netgate.com, the UK prices are from Amica Networks.)

I chose to use a second-hand CheckPoint T-180 (4800) firewall that cost me £139.99 with free P&P from eBay.

The CheckPoint T-180 (4800) boasts an Intel Core2 Quad CPU Q9400 running at 2.66GHz and 4GB of RAM (upgradeable to 8GB), 8 x 1Gb network ports, an expansion slot capable of taking various interface cards, and a LOM interface. The firewall supposedly has the following capabilities: firewall throughput 11Gbps, VPN throughput 2Gbps, IPS throughput 1.5Gbps (datasheet).

This rates it above the Netgate XG-7100 ($999.00/£2022.00), but below the Netgate XG-1537 ($1949.00/£3132.00) in terms of throughput capabilities.

While officially these are 2012 models, mine was probably made in 2014 as that is the date of manufacture on the internal 250GB hard drive.

The CheckPoint T-180 (4800), like all of the 4000 series firewalls, has an RJ45 serial console port. No matter what I tried, I could not persuade this to respond.

I tried a Cisco RJ45 to 9-pin serial cable, a bunch of adapters, gender changers, etc. and a USB to serial adapter; however, my MacBook refused to recognise the USB adapter (it was pretty old, one of the first USB to serial adapters from back when USB 1.0 was still new).

Next I purchased a new Cisco-style RJ45 to USB cable that was instantly recognised by my MacBook, but still no joy from the console of the firewall device.

I even tried from an old Windows XP netbook, after I had located some drivers and also downloaded PuTTY, but still no joy at baud rates of 9600 or 115200.

I was doing some more reading about the CheckPoint T-180 (4800) and noticed that this model, unlike its lower-numbered brethren, also has a Lights Out Management (LOM) port (LOM Admin guide). I connected this directly to my MacBook with a network cable, set the IP of the MacBook to 192.168.0.10, opened a web page at 192.168.0.100 and connected with admin:admin.

The next hurdle was resolving a bunch of Java security-related settings that were preventing me from opening the Java KVM console and the Java VM console.

This involved installing the latest version of Java, locating the Java console (hidden by default on a Mac), whitelisting the IP of the device and then editing /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Home/lib/security/java.security to comment out the line starting with jdk.tls.disabledAlgorithms.

Once these had been resolved I could use the Java VM console to map an ISO image to the firewall and allow it to boot from that; I could then interact with the boot process via the Java KVM console.

The install itself was trouble free and I was then able to connect to the newly installed firewall to complete the configuration.
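Commenting out the whole jdk.tls.disabledAlgorithms line, as described above, reopens every algorithm Java had blacklisted for TLS (SSLv3, RC4, small DH keys and so on), not just the one the LOM's web server trips over. The POSIX shell script below is an added example, not part of the original post or of the CheckPoint or Java tooling: it removes only the entries named on the command line from that key and keeps a .bak copy so the full restriction can be put back once the pfSense install is finished. Which entries the LOM actually needs is not stated above, so they are passed as arguments; the RC4 and SSLv3 in the usage line are placeholders, and the java.security path is the one given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): scope the java.security relaxation
# to named entries instead of disabling the whole jdk.tls.disabledAlgorithms line.

# Print the effective value of jdk.tls.disabledAlgorithms in FILE as one line,
# joining backslash-continued lines and collapsing runs of whitespace.
tls_disabled_get() {
  awk '
    /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { inkey = 1; sub(/^[^=]*=/, "") }
    inkey {
      cont = ($0 ~ /\\[ \t]*$/)          # line continues on the next one?
      sub(/\\[ \t]*$/, "")
      val = val " " $0
      if (!cont) inkey = 0
    }
    END {
      gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
      print val
    }
  ' "$1"
}

# Rewrite FILE so that jdk.tls.disabledAlgorithms no longer lists ENTRY...
# (matched case-insensitively as whole comma-separated entries). Every other
# entry stays in place and the original file is kept as FILE.bak.
tls_disabled_drop() {
  file=$1; shift
  old=$(tls_disabled_get "$file")
  new=''
  oldifs=$IFS; IFS=','; set -f           # split on commas only, no globbing
  for item in $old; do
    item=$(printf '%s' "$item" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    lower=$(printf '%s' "$item" | tr 'A-Z' 'a-z')
    keep=1
    for want in "$@"; do
      if [ "$lower" = "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
        keep=0; break
      fi
    done
    if [ "$keep" -eq 1 ]; then
      new="${new:+$new, }$item"
    fi
  done
  set +f; IFS=$oldifs
  cp "$file" "$file.bak"
  awk -v newval="$new" '
    /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      print "jdk.tls.disabledAlgorithms=" newval
      skip = ($0 ~ /\\[ \t]*$/); next     # swallow the old continuation lines
    }
    skip { skip = ($0 ~ /\\[ \t]*$/); next }
    { print }
  ' "$file.bak" > "$file"
}

# Put the original restriction back once the LOM console is no longer needed.
tls_disabled_restore() {
  mv "$1.bak" "$1"
}

# Usage (placeholder entries; the path is the one from the post):
#   JS='/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Home/lib/security/java.security'
#   tls_disabled_drop "$JS" RC4 SSLv3
#   ... use the LOM KVM/VM console, finish the pfSense install ...
#   tls_disabled_restore "$JS"
```

Run tls_disabled_get first to see what the current Java build disables, drop the smallest set that lets the Java consoles connect, and restore the file afterwards; whitelisting the LOM's IP in the Java console's exception site list still applies and is separate from this file.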

I have installed a number of additional plugins: freeradius3, haproxy, nmap, openvpn-client-export, pfBlockerNG-devel and suricata.

Tom Lawrence has some great videos on how to install/configure pfSense and many of the plugins I mentioned over on his YouTube channel.

I may yet add an additional 4GB of RAM; I can buy a 4GB stick of PC3-8500 DDR3 1066MHz 240-pin memory from CEX for £6.00.

The pfBlockerNG plugin performs all of the functionality of my Pi-Hole, so I will be able to remove this Docker container as well as the one for unbound.

The CheckPoint T-180 (4800) also has a graphical display, an EZIO-G500; however, this does not yet appear to be fully supported by the lcdproc plugin.

So looks like I may have a bit more of a wait until I can make use of this as well.
