#373157 - 01/12/2020 09:54
Home Firewall
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
So, if I wanted to install a firewall in my relatively complex home network - which became even more complex in the last year as I've been adding quite a few IoT devices - what would you recommend?
Ideal features I'd like to have:
- fanless (not essential, but a silent device is very welcome)
- 1Gbps throughput, as it looks like I may finally be getting FTTH fiber at home at some point in 2021
- solid web interface (assuming the command line will be great anyway, since all these products are Linux based)
Currently, because of our remote-working, our bandwidth need has increased and we are using two data links to the same ISP, for a combined bandwidth of 240Mbps down and 45Mbps up.
My network has the two ISP modems feed two WAN ports on my Linksys LRT224 edge router, which performs load balancing and, most importantly, link aggregation of the two ISP feeds. From the Linksys router, one cable feeds my main 16-port home switch. The switch is connected to my WiFi and to all wired devices.
So, I was thinking of installing a firewall physically between the edge router and the switch, so that everything goes both logically and physically through it.
I've been looking into the Firewalla Gold, which apparently could replace my Linksys LRT224 completely and operate as the main edge router itself. But I suppose there are better solutions, less cloud-oriented, less smartphone-app dependent, maybe?
Anyway, any recommendation is welcome.
Edited by Taym (01/12/2020 10:36)
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373158 - 01/12/2020 10:05
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
I don't actually have a personal recommendation (I'm just using Synology kit these days), but if I was in the market for a "grown-up" firewall, I'd be looking at pfSense or Firebrick.
_________________________
-- roger
#373159 - 01/12/2020 10:43
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Roger, just by looking at pfSense, it looks this is pretty much what I was looking for. Thank you. I'll check Firebrick too.
I did not know pfSense made appliances as well.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373160 - 01/12/2020 14:24
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
I'll be boring and recommend a Unifi network as usual. They even have WiFi 6 devices in early access release and nearly available.
_________________________
Matt
#373161 - 01/12/2020 22:19
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
I've been happy enough with my OpnSense firewall. Easy enough setup and configuration. I have not gone too wild and crazy with it, though. I have it running on a Protectli 4-port Vault. If you plan on running a VPN on it, make sure whatever model you purchase has AES-NI hardware support.
#373162 - 01/12/2020 22:34
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
I should add, there was a brief discussion on the differences between opnSense and pfSense in another thread on here -- it was Shonky who tipped me over the edge toward opnSense.
#373163 - 02/12/2020 07:31
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Thank you all.
So, Ubiquiti is a very interesting solution indeed, but my network is pretty much as I want it now - except for the firewall, of course - and I'd guess a Ubiquiti firewall device would make little sense in a non-Ubiquiti network, right?
OpnSense and pfSense both look really great. Protectli Vault hardware is *very* nice too.
I'll try to make up my mind between NetGate/pfSense vs Protectli/opnSense.
What I am mostly concerned about is that the firewall does not end up being a bottleneck on a 1Gbps fiber optic data link. So, while Netgate offers some official throughput data there, I am not sure (yet? still educating myself) about Protectli/opnSense; I am sure there is Protectli hardware that offers all the power I need, but I can't yet figure out what I'd need and its cost, while with Netgate/pfSense I know.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373164 - 02/12/2020 08:23
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
... what is interesting about both is that it looks like I could use either of them as my main edge router and let it do link aggregation from my two ISP data links.
I am now looking into what kind of reporting system, if any, they offer. Let's say I wanted to know if/when a specific IoT device (namely, a Netatmo thermostat) is communicating with the outside world: how easy would that be? In what form would such info be provided to me?
Edited by Taym (02/12/2020 22:25)
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373165 - 02/12/2020 20:41
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
With respect to the Protectli box, they recommend either the FW6B or FW6C for 1Gbps throughput requirements. I'm only at 100Mbps, and have had no issues with the cheaper machine. BTW, Protectli can also run pfSense, if you don't want to shell out for the NetGate branded hardware. I have not tried running reports from opnSense to look at what's communicating to the outside world -- I also run a pihole, and generally just look at that, instead, because if it's communication I don't want (i.e. to ad servers), I'm going to blacklist it there, anyway, before I start trying to craft special rules on the firewall.
#373166 - 02/12/2020 22:33
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Thank you canuckInOR. It looks like I should probably go with either the NetGate SG-3100 (I spec'd it at $442) or the Protectli FW6C (I spec'd it at $568).
Each having pros and cons.
I am looking at some youtube videos about setup, gui, and hopefully some reporting.
They seem really nice products, anyway.
Edited by Taym (03/12/2020 01:57)
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373167 - 03/12/2020 02:48
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Ah yes, sorry, I misunderstood what you were looking for.
_________________________
Matt
#373168 - 04/12/2020 01:46
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
So, the NTOP network analysis tool is basically all I was looking for in terms of reporting and statistics. Very nice!
And, it is available on both pfSense and opnSense.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373169 - 04/12/2020 16:39
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
OpnSense GUI seems so much clearer. Still educating myself on YouTube...
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373170 - 04/12/2020 17:03
Re: Home Firewall
[Re: Taym]
addict
Registered: 01/03/2002
Posts: 599
Loc: Florida
Work is using a Mikrotik router with RouterOS (https://mikrotik.com/software) and it has a very nice GUI (Winbox). I only use it for checking our dual 100Mb network connections to see if the connections are down or have high usage, so I'm unsure if it does everything you need. Since you can download it and install it on your own hardware, it is something you can test before spending any money on new hardware.
_________________________
Chad
#373171 - 07/12/2020 23:18
Re: Home Firewall
[Re: canuckInOR]
pooh-bah
Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Quote: I should add, there was a brief discussion on the differences between opnSense and pfSense in another thread on here -- it was Shonky who tipped me over the edge toward opnSense.

My name was mentioned? Other thread with my pfSense v OPNsense comments is here. Yes, OPNsense seems "nicer" to use: https://empegbbs.com/ubbthreads.php/ubb/showflat/Number/372550
If you don't feel like rolling your own, Ubiquiti as mentioned make pretty good stuff. Just be a little careful - there are some quite cheap routers they sell, but they are a bit underpowered, particularly on VPN performance, in the days of gigabit home internet connections.
_________________________
Christian #40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
#373172 - 09/12/2020 01:57
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
I am definitely feeling like going with either Protectli+opnSense or Netgate+pfSense. Those are *precisely* the kind of devices I was looking for. I did not realize how relatively inexpensive they are, especially considering they'd be replacing my edge router quite nicely.
Just educating myself in my spare time, until I finally proceed and purchase one of those.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373173 - 16/12/2020 20:00
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
So, I got a Protectli + OPNSense, knowing that I can switch to pfSense should I need to. I got the FW6 Core i5, to ensure I have a device that can sustain a 1Gbps data link that, who knows, we may even have available here in the spring. Thank you guys for the recommendations. These both seem really nice devices. They do all I want, and they seem a lot of fun. It should be here in Rome, from California, on Friday, 1 week after shipping. Not bad considering the holiday season.
Edited by Taym (16/12/2020 20:02)
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
#373174 - 17/12/2020 17:11
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
#373178 - 28/12/2020 03:12
Re: Home Firewall
[Re: Taym]
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Firewall has been up and running for a few days now. Very happy with it so far. Playing with rules and configurations as I have some time to put into it, and I am really enjoying it.
I could do some nice analysis of the traffic being generated by my network. I am using NTOPNG and testing other products. Not sure yet what the best traffic analysis and reporting tool out there is, so if anyone has any recommendation please let me know. NTOPNG is really nice anyway.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
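Taym's earlier question about knowing when one IoT device (the thermostat) talks to the outside world can also be answered from the firewall's own pass/block log, without a separate reporting tool. The following is an added example, not code from this thread or from OPNsense/pfSense: it parses constructed lines in the filterlog CSV layout those firewalls write (the field order is assumed here, the addresses are made up) and counts each passed outbound flow from one LAN host to a non-RFC1918 address.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample log in the CSV shape OPNsense/pfSense "filterlog" writes
# (rule,subrule,anchor,label,interface,reason,action,direction,ipversion,
#  tos,ecn,ttl,id,offset,flags,protonum,proto,length,src,dst,srcport,dstport,...).
# That field order is an assumption of this example; 192.168.1.42 plays the
# thermostat and the public addresses are documentation ranges, all made up.
SAMPLE_LOG = """\
Dec 28 03:10:01 fw filterlog[123]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,63,1,0,DF,6,tcp,60,192.168.1.42,203.0.113.10,51000,443,0,S,1,,64240,,mss
Dec 28 03:10:02 fw filterlog[123]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,63,2,0,none,17,udp,76,192.168.1.42,192.168.1.1,50001,53,56
Dec 28 03:10:03 fw filterlog[123]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,63,3,0,none,17,udp,76,192.168.1.42,198.51.100.7,50002,123,56
Dec 28 03:10:04 fw filterlog[123]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,63,4,0,DF,6,tcp,60,192.168.1.10,203.0.113.10,51001,443,0,S,2,,64240,,mss
Dec 28 03:10:05 fw sshd[44]: Accepted publickey for admin from 192.168.1.10
Dec 28 03:10:06 fw filterlog[123]: 9,,,1000000110,igb1,match,block,out,4,0x0,,63,5,0,DF,6,tcp,60,192.168.1.42,203.0.113.99,51002,8883,0,S,3,,64240,,mss
Dec 28 03:10:07 fw filterlog[123]: 5,,,1000000103,igb1,match,pass,out,4,0x0,,63,6,0,DF,6,tcp,60,192.168.1.42,203.0.113.10,51003,443,0,S,4,,64240,,mss
"""

# RFC 1918 ranges count as "inside"; everything else is "the outside world".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_filterlog(line):
    """Return the interesting fields of one IPv4 filterlog line, or None for anything else."""
    idx = line.find("filterlog[")
    if idx < 0:
        return None
    fields = next(csv.reader([line[line.index(":", idx) + 1:].strip()]))
    if len(fields) < 20 or fields[8] != "4":
        return None  # IPv6 lines have a different layout; not handled here
    rec = {"iface": fields[4], "action": fields[6], "dir": fields[7],
           "proto": fields[16], "src": fields[18], "dst": fields[19], "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(fields) > 21:
        rec["dport"] = int(fields[21])
    return rec

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)

def outbound_summary(log_text, host):
    """Count passed outbound flows from `host` to external addresses, keyed by (dst, proto, dport)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["src"] == host and rec["action"] == "pass" and is_external(rec["dst"]):
            counts[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return dict(counts)
```

Calling `outbound_summary(SAMPLE_LOG, "192.168.1.42")` on the constructed log reports two HTTPS flows to 203.0.113.10 and one NTP flow to 198.51.100.7; the DNS query to the local resolver and the blocked MQTT attempt are left out, so the counts show only what actually reached the outside.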