Unofficial empeg BBS


#373157 - 01/12/2020 09:54 Home Firewall
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
So, if I wanted to install a firewall in my relatively complex home network (which became even more complex in the last year as I've been adding quite a few IoT devices), what would you recommend?

Ideal features I'd like to have:
- fanless (not essential, but a silent device is very welcome)
- 1Gbps throughput, as it looks like I may finally have FTTH fiber at home at some point in 2021
- solid web interface (assuming the command line will be great anyway, since all these products are Linux based)

Currently, because of our remote-working, our bandwidth need has increased and we are using two data links to the same ISP, for a combined bandwidth of 240Mbps down and 45Mbps up.

My network has the two ISP modems feeding two WAN ports on my Linksys LRT224 edge router, which performs load balancing and, most importantly, link aggregation of the two ISP feeds. From the Linksys router, one cable feeds my main 16-port home switch. The switch is connected to my WiFi and to all wired devices.

So, I was thinking of installing a firewall physically between the edge router and the switch, so that everything goes through it both logically and physically.

I've been looking into the Firewalla Gold, which apparently could replace my Linksys LRT224 completely and operate as the main edge router itself. But I suppose there are better solutions, less cloud-oriented and less dependent on a smartphone app, maybe?

Anyway, any recommendation is welcome.


Edited by Taym (01/12/2020 10:36)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373158 - 01/12/2020 10:05 Re: Home Firewall [Re: Taym]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5680
Loc: London, UK
I don't actually have a personal recommendation (I'm just using Synology kit these days), but if I was in the market for a "grown-up" firewall, I'd be looking at pfSense or Firebrick.
_________________________
-- roger

#373159 - 01/12/2020 10:43 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Roger, just by looking at pfSense, it looks like this is pretty much what I was looking for. Thank you. I'll check Firebrick too.

I did not know pfSense made appliances as well.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373160 - 01/12/2020 14:24 Re: Home Firewall [Re: Taym]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
I'll be boring and recommend a Unifi network as usual wink They even have WiFi 6 devices in early access release and nearly available.
_________________________
Matt

#373161 - 01/12/2020 22:19 Re: Home Firewall [Re: Taym]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
I've been happy enough with my OpnSense firewall. Easy enough setup and configuration. I have not gone too wild and crazy with it, though. I have it running on a Protectli 4-port Vault. If you plan on running a VPN on it, make sure whatever model you purchase has AES-NI hardware support.

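A concrete way to act on the AES-NI advice above, as an added example that is not part of the post and not code from OPNsense, pfSense or Protectli: two small shell checks that read the CPU feature list (Linux `/proc/cpuinfo`, or the FreeBSD boot log that OPNsense and pfSense produce) and report whether AES-NI is there. The sample inputs in `demo` are constructed, not real hardware output, and the FreeBSD layout (an `AESNI` token inside the `Features2=` line) is an assumption to verify on your own box.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a candidate firewall box
# has AES-NI before you commit to running a VPN on it. Both functions take a
# path to a text dump so they work on a saved file as well as the live system.

# Linux: /proc/cpuinfo lists "aes" in the flags line when AES-NI is present.
# Note: on ARM the "Features" line also says "aes", but that is the ARMv8
# crypto extension, not AES-NI; the throughput story is different there.
cpu_has_aesni_linux() {
    grep -Ei '^(flags|Features)[[:space:]]*:' "$1" | grep -qw 'aes'
}

# FreeBSD (what OPNsense and pfSense run on): the kernel prints the CPUID
# feature bits at boot, and "AESNI" shows up in the Features2 line.
# Assumption: the dump is in the usual FreeBSD dmesg layout.
cpu_has_aesni_freebsd() {
    grep -E '^[[:space:]]*Features2=' "$1" | grep -q 'AESNI'
}

# Constructed sample dumps for a stand-alone run (not real hardware output).
demo() {
    tmp=$(mktemp)
    printf 'flags\t\t: fpu vme de pse tsc msr pae aes avx avx2\n' > "$tmp"
    cpu_has_aesni_linux "$tmp" && echo "linux sample: AES-NI present"
    printf '  Features2=0x7ffafbff<SSE3,PCLMULQDQ,AESNI,AVX>\n' > "$tmp"
    cpu_has_aesni_freebsd "$tmp" && echo "freebsd sample: AES-NI present"
    rm -f "$tmp"
}

demo

# Live checks, one per platform:
#   cpu_has_aesni_linux /proc/cpuinfo && echo yes
#   cpu_has_aesni_freebsd /var/run/dmesg.boot && echo yes
# Then measure rather than trust the flag: compare
#   openssl speed -evp aes-256-gcm
# against the same run with OPENSSL_ia32cap="~0x200000000000000" set, which
# masks the AES-NI capability bit so OpenSSL falls back to its software path.
```

The flag check tells you the instructions exist; the `openssl speed` comparison tells you how much they buy you on that particular CPU, which is the number that matters for a VPN at gigabit rates.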
#373162 - 01/12/2020 22:34 Re: Home Firewall [Re: Taym]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
I should add, there was a brief discussion on the differences between opnSense and pfSense in another thread on here -- it was Shonky who tipped me over the edge toward opnSense.

#373163 - 02/12/2020 07:31 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Thank you all.

So, Ubiquiti is a very interesting solution indeed, but my network is pretty much as I want it now (except for the firewall, of course), and I'd guess a Ubiquiti firewall device would make little sense in a non-Ubiquiti network, right?

OpnSense and pfSense both look really great. Protectli Vault hardware is *very* nice too.

I'll try to make up my mind between Netgate/pfSense and Protectli/opnSense.

What I am mostly concerned about is that the firewall does not end up being a bottleneck on a 1Gbps fiber optic data link. So, while Netgate offers some official throughput data, I am not sure (yet? still educating myself) about Protectli/opnSense; I am sure there is Protectli hardware that offers all the power I need, but I can't yet figure out what I'd need and what it costs, while with Netgate/pfSense I know.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373164 - 02/12/2020 08:23 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
... what is interesting about both is that it looks like I could use either of them as my main edge router and let it do link aggregation of my two ISP data links.

I am now looking into what kind of reporting system, if any, they offer. Let's say I wanted to know if/when a specific IoT device (namely, a Netatmo thermostat) is communicating with the outside world: how easy would that be, and in what form would such info be provided to me?


Edited by Taym (02/12/2020 22:25)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

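One answer to the reporting question above that does not need any extra package, as an added example rather than anything from the thread or from the OPNsense/pfSense projects: both firewalls write every packet matched by a rule with logging enabled through FreeBSD's filterlog as comma-separated lines, so a little awk over that file lists when a given LAN address (the thermostat) talked to a non-private destination and how often per destination. The field order used below is what filterlog emits for IPv4 as far as I know, but treat it as an assumption and compare it against one real line from your box first; the sample log lines are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/pfSense.
# Question: when does device X talk to the outside world, and to whom?
# Source: the packet-filter log (filterlog CSV). Only rules with "Log" ticked
# emit lines, so the LAN rule that passes the device's traffic must log.
#
# Assumed IPv4 field order (verify against a live line before trusting it):
#   1 rulenr (preceded by the syslog prefix, which contains no commas, so the
#     later fields still line up) 2 subrulenr 3 anchor 4 ridentifier
#   5 interface 6 reason 7 action 8 direction 9 ipversion 10 tos 11 ecn
#   12 ttl 13 id 14 offset 15 flags 16 protoid 17 proto 18 length
#   19 src 20 dst 21 srcport 22 dstport ...

# external_flows LOGFILE SRC_IP
# One line per logged IPv4 packet from SRC_IP to a non-RFC 1918 destination:
# "<syslog timestamp and host> <action> <proto> <dst>:<dport>"
external_flows() {
    awk -F, -v src="$2" '
        function is_private(ip,   o) {
            split(ip, o, ".")
            return (o[1]+0 == 10) || (o[1]+0 == 192 && o[2]+0 == 168) ||
                   (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31)
        }
        $9 == 4 && $19 == src && !is_private($20) {
            split($1, p, " filterlog")          # strip "filterlog: <rulenr>"
            print p[1], $7, $17, $20 ":" $22
        }' "$1"
}

# external_summary LOGFILE SRC_IP
# The same flows aggregated per destination, busiest first:
# "<count> <action> <proto> <dst>:<dport>"
external_summary() {
    external_flows "$1" "$2" |
        awk '{ n[$(NF-2) " " $(NF-1) " " $NF]++ }
             END { for (k in n) printf "%d %s\n", n[k], k }' |
        sort -rn
}

# Constructed sample log (not captured from a real firewall). 192.168.10.23
# plays the thermostat; 192.168.10.50 is another LAN host.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 20 08:00:01 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.10.23,203.0.113.10,49152,443,0,S
Dec 20 08:00:02 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,2,0,none,17,udp,61,192.168.10.23,192.168.10.1,49153,53,41
Dec 20 08:10:00 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.10.23,203.0.113.10,49154,443,0,S
Dec 20 08:15:00 fw filterlog: 7,,,1000000107,igb1,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.10.23,198.51.100.7,49155,8883,0,S
Dec 20 08:20:00 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.10.50,203.0.113.10,50000,443,0,S
Dec 20 08:30:00 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,6,0,DF,6,tcp,60,192.168.10.23,192.0.2.9,49156,443,0,S
Dec 20 08:40:00 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,7,0,DF,6,tcp,60,192.168.10.23,203.0.113.10,49157,443,0,S
Dec 20 08:45:00 fw filterlog: 5,,,1000000105,igb1,match,pass,in,4,0x0,,64,8,0,DF,6,tcp,60,192.168.10.23,192.0.2.9,49158,443,0,S
EOF
}

demo() {
    f=$(mktemp)
    write_sample_log "$f"
    echo "== external flows of 192.168.10.23"
    external_flows "$f" 192.168.10.23
    echo "== per destination"
    external_summary "$f" 192.168.10.23
    rm -f "$f"
}

demo

# On a live box, point the functions at the real log instead, for example
# /var/log/filter/filter_YYYYMMDD.log on recent OPNsense or /var/log/filter.log
# on pfSense (older pfSense releases keep that file in clog format, so read it
# through clog first). Lines only exist for logged rules, and a blocked
# destination that shows up here repeatedly is exactly the kind of thing to
# chase: the sample's 198.51.100.7:8883 (MQTT over TLS) pattern is the shape
# a "phone home" attempt takes in this log.
```

The summary is the answer to "is it talking, and to whom"; the per-line listing gives the "when". For anything longer-term, ntopng or a NetFlow exporter is the better tool, but this needs nothing beyond what ships on the firewall.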
#373165 - 02/12/2020 20:41 Re: Home Firewall [Re: Taym]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
With respect to the Protectli box, they recommend either the FW6B or FW6C for 1Gbps throughput requirements. I'm only at 100Mbps, and have had no issues with the cheaper machine.

BTW, Protectli can also run pfSense, if you don't want to shell out for the NetGate branded hardware.

I have not tried running reports from opnSense to look at what's communicating with the outside world -- I also run a Pi-hole, and generally just look at that instead, because if it's communication I don't want (i.e. to ad servers), I'm going to blacklist it there anyway, before I start trying to craft special rules on the firewall.

#373166 - 02/12/2020 22:33 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Thank you canuckInOR. It looks like I should probably go with either the NetGate SG-3100 (I spec'd it at $442) or the Protectli FW6C (I spec'd it at $568).

Each having pros and cons.

I am looking at some YouTube videos about setup, the GUI, and hopefully some reporting.

They seem really nice products, anyway.


Edited by Taym (03/12/2020 01:57)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373167 - 03/12/2020 02:48 Re: Home Firewall [Re: Taym]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Ah yes, sorry, I misunderstood what you were looking for.
_________________________
Matt

#373168 - 04/12/2020 01:46 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
So, the ntop network analysis tool is basically all I was looking for in terms of reporting and statistics. Very nice!

And, it is available on both pfSense and opnSense.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373169 - 04/12/2020 16:39 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
The OpnSense GUI seems so much clearer. Still educating myself on YouTube...
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373170 - 04/12/2020 17:03 Re: Home Firewall [Re: Taym]
Attack
addict

Registered: 01/03/2002
Posts: 598
Loc: Florida
Work is using a Mikrotik router with RouterOS (https://mikrotik.com/software), which has a very nice GUI (Winbox). I only use it for checking our dual 100Mb network connections to see if a connection is down or has high usage, so I'm unsure if it does everything you need. Since you can download it and install it on your own hardware, it is something you can test before spending any money on new hardware.
_________________________
Chad

#373171 - 07/12/2020 23:18 Re: Home Firewall [Re: canuckInOR]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Originally Posted By: canuckInOR
I should add, there was a brief discussion on the differences between opnSense and pfSense in another thread on here -- it was Shonky who tipped me over the edge toward opnSense.

My name was mentioned ? smile

The other thread with my pfSense v OPNsense comments is here. Yes, OPNsense seems "nicer" to use:
https://empegbbs.com/ubbthreads.php/ubb/showflat/Number/372550

If you don't feel like rolling your own, Ubiquiti, as mentioned, make pretty good stuff. Just be a little careful: some of the routers they sell are quite cheap, but they are a bit underpowered, particularly on VPN performance, in the days of gigabit home internet connections.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#373172 - 09/12/2020 01:57 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
I am definitely feeling like going either Protectli+opnSense or Netgate+pfSense.
Those are *precisely* the kind of devices I was looking for. I did not realize how relatively inexpensive they are, especially considering they'd replace my edge router quite nicely.

Just educating myself in my spare time, until I finally proceed and purchase one of those.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373173 - 16/12/2020 20:00 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
So, I got a Protectli + OPNsense, knowing that I can switch to pfSense should I need to. I got the FW6 Core i5, to ensure I have a device that can sustain a 1Gbps data link that, who knows, we may even have available here in the spring.

Thank you guys for the recommendations. They both seem really nice devices. They do all I want, and they seem a lot of fun wink

It should be here in Rome, from California, on Friday, one week after shipping. Not bad considering the holiday season.


Edited by Taym (16/12/2020 20:02)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#373174 - 17/12/2020 17:11 Re: Home Firewall [Re: Taym]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Excellent choice!

#373178 - 28/12/2020 03:12 Re: Home Firewall [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
The firewall has been up and running for a few days now.
Very happy with it so far. I'm playing with rules and configurations as I find time to put into it, and I am really enjoying it.

I could do some nice analysis of the traffic being generated by my network. I am using ntopng and testing other products. I'm not sure yet what the best traffic analysis and reporting tool out there is, so if anyone has any recommendation please let me know. ntopng is really nice anyway.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
