[GRLUG] firewall

Grand Rapids Linux Users Group grlug at grlug.org
Thu Sep 5 02:21:39 EDT 2019


At my house, it's

Cable modem -> D-Link switch -> 1gig ports of my cluster -> VMware switch -> pfSense VM / an Ubuntu machine with lots of firewall stuff

Then I run a VM of pfSense; this cuts down on my power, hardware and other stuff, while providing all those uptime benefits of VMs on a cluster. But it really sucks to recover when you do something stupid.

Josh

> On Sep 4, 2019, at 8:02 PM, Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
> 
> +1 EdgeRouter X.  Been using Ubiquiti gear (EdgeRouter 8-Pro, 10G switch, several Edge Lites, and an X) for YEARS.  They rock.  Love their Unifi gear too and have outfitted a church with all kinds.  Gotta recognize my pfSense though.  Tried it back before it was born (m0n0wall) and still love it.  For home use under $60 <https://store.ui.com/products/edgerouter-x>, the EdgeRouter X can't be beaten.  Anything sub-$100 with >= 3 ports that can run pfSense has my vote too.  The SG-1100 <https://store.netgate.com/pfSense/SG-1100.aspx> comes in at $160, but I'm too cheap.  Heck, I bought an old thin client for <$50 once.  Modded it to add a 2nd NIC and a compact flash card and ran an early version of pfSense for a long time.  Eventually the CF card died.  
> 
> On Mon, Aug 26, 2019 at 10:20 PM Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
> DD-WRT / Open Router should handle just about any Netgear router, and is secure and solid.  I had it on an AC1200 range extender for a few years, then ported the configs over to my current Nighthawk after I needed to expand my wifi range.  It was also able to handle 2 public IPs on the Cox business connection.
> 
> Total cost is free.
> 
> -Van
> 
>> On Aug 26, 2019, at 18:50, Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
>> 
>> I suggest pfSense 
>> 
>> Best choice:
>> https://www.amazon.com/Firewall-Appliance-Gigabit-Celeron-AES-NI/dp/B07G9NHRGQ/ref=mp_s_a_1_3?keywords=pfsense&qid=1566870381&s=gateway&sprefix=pfsense&sr=8-3
>> 
>> Cheaper
>> 
>> https://www.amazon.com/SG-1100-pfSense-Security-Gateway-Appliance/dp/B07MTMPXKG/ref=mp_s_a_1_4?keywords=pfsense&qid=1566870453&s=gateway&sprefix=pfsense&sr=8-4
>> 
>> 
>> Or EdgeRouters are nice at 70 bucks.  They used to run a version of Vyatta 
>> https://www.amazon.com/gp/aw/d/B00YFJT29C/ref=psdcmw_300189_t1_B07MTMPXKG
>> 
>> On Aug 26, 2019, at 5:52 PM, Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
>> 
>>> Dual interfaces: unfortunately, the RasPi only has one port, though it's gigabit if you want to do some vlan tinkering
>>> Open source: DD-WRT <https://dd-wrt.com/> is pretty good if they support your hardware, might be worth a look.  Tomato <https://en.wikipedia.org/wiki/Tomato_(firmware)> might also work for you, but it has a more limited set of supported hardware (hence my never having tried it).
>>> Unifi Security Gateway: I like my USG when it works, though I think I got a bad update and might need to ship it back.  It also requires a controller running if you want to do anything with it more than VERY basic stuff (DHCP and DNS configuration), so that'd be another computer (or RasPi-like device) running on a regular basis, though I guess since you already have a Unifi AP, you've solved that issue somehow.
>>> 
>>> If you're looking to get more into the Unifi space (and already have a controller), the USG would be pretty good.  I've had more than my fair share of issues with it, but I get the feeling that I'm in the minority, as most of the people I know that have them are pretty happy.  Unifi ships updates pretty regularly and it generally gets out of your way.  The downsides are that it takes a while to boot up and you'll need to turn off deep packet inspection if you have more than 300Mbps of throughput.
>>> 
>>> Otherwise, the Netgear Nighthawk <https://www.amazon.com/NETGEAR-R6700-Nighthawk-Gigabit-Ethernet/dp/B00R2AZLD2/ref=sxin_1_sp_qu_bss_is?crid=1WKY6HYSMV8IO&keywords=netgear+nighthawk&pd_rd_i=B00R2AZLD2&pd_rd_r=8c037a03-4e83-4b3f-b4e9-6483afc61ba8&pd_rd_w=UXP16&pd_rd_wg=Y2x3S&pf_rd_p=59c36603-576b-471f-8561-ef24e0883aa1&pf_rd_r=24VB8R4F31AFF8PVK7SJ&qid=1566867100&s=gateway&sprefix=chest+%2Caps%2C146> is very solid and it just gets out of your way.
>>> 
>>> --Thomas
>>> 
>>> On Mon, Aug 26, 2019 at 7:56 PM Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
>>> I'd be tempted by something like this.  https://www.cnx-software.com/2019/02/20/nanopi-r1-allwinner-h3-gateway-dual-ethernet-wifi-bluetooth/
>>> On Mon, Aug 26, 2019 at 6:47 PM Grand Rapids Linux Users Group <grlug at grlug.org> wrote:
>>> I'm in need of a firewall/router and I really don't want yet another old computer running 24/7 in the house.
>>> 
>>> I have an old Netgear wifi router that I have been using whose wifi wasn't reliable, so I turned off the antennas and bought a Unifi AP.  I'm still using the old Netgear for port forwarding and firewall tasks, but recently settings have been changing and I suspect that this is due to unpatched vulnerabilities.  I've disabled most administration functions so I think I'm good for now, but I am looking for something to replace this.
>>> 
>>> Does the Raspberry Pi have a dual ethernet interface?
>>> Maybe flashing the Netgear with some open-source firmware?
>>> Maybe Unifi Security Gateway?
>>> If running an old computer is the best I guess I could do that as well.
>>> 
>>> What are my best options?
>>> 
>>> Share and Enjoy <http://www.hhgproject.org/entries/shareandenjoy.html>
>>> Ben
>>> -- 
>>> grlug mailing list
>>> grlug at grlug.org
>>> https://shinobu.grlug.org/mailman/listinfo/grlug
>>> 
>>> 
>>> -- 
>>> Roger
>>> 
>>> Roger Roelofs
>>> Know what you value.
>>> 
>>> 
>>> -- 
>>> Thomas
> 
> 
> 
> -- 
> 
> ᕦ(ò_óˇ)ᕤ
> do you even lift bro?
> Ubber::Geek 
> http://grlug.org/
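Thomas mentions above that a single-port Raspberry Pi can still act as a router with "some vlan tinkering", and Ben's reason for replacing the Netgear was a management interface he no longer trusts. The script below is an added example, not from anyone in this thread, showing what that tinkering looks like on Linux: two 802.1Q subinterfaces on one NIC (one tagged VLAN for the modem side, one for the LAN side) plus an nftables ruleset that is default-deny, NATs LAN to WAN, and accepts management (SSH) only from the LAN VLAN. The interface name eth0, VLAN IDs 10 (WAN) and 20 (LAN), and the LAN address 192.168.20.1/24 are assumptions, as is a managed switch with the port facing the box configured as a trunk carrying both tags. Without APPLY=1 it only prints the plan, so it can be reviewed on any machine; with APPLY=1 it must be run as root on a box with iproute2 and nftables.

```shell
#!/bin/sh
# Added example (not from the thread): "router on a stick" on a single-NIC
# box using 802.1Q VLAN subinterfaces and a default-deny nftables policy.
# Assumed, not taken from the thread: NIC eth0, VLAN 10 = WAN side,
# VLAN 20 = LAN side, LAN gateway address 192.168.20.1/24, and a switch
# trunk port carrying both tags toward this box.

NIC="${NIC:-eth0}"
WAN_VID="${WAN_VID:-10}"
LAN_VID="${LAN_VID:-20}"
LAN_CIDR="${LAN_CIDR:-192.168.20.1/24}"

# Emit the iproute2 commands that create and raise the two tagged
# subinterfaces and enable forwarding between them.
vlan_plan() {
    cat <<EOF
ip link add link $NIC name $NIC.$WAN_VID type vlan id $WAN_VID
ip link add link $NIC name $NIC.$LAN_VID type vlan id $LAN_VID
ip addr add $LAN_CIDR dev $NIC.$LAN_VID
ip link set $NIC up
ip link set $NIC.$WAN_VID up
ip link set $NIC.$LAN_VID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Emit the nftables ruleset: input and forward default-drop, NAT LAN->WAN,
# SSH/DNS/DHCP/ping reachable from the LAN VLAN only. Nothing arriving on
# the WAN VLAN is ever accepted except replies to established flows.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname "$NIC.$LAN_VID" tcp dport 22 accept
        iifname "$NIC.$LAN_VID" udp dport { 53, 67 } accept
        iifname "$NIC.$LAN_VID" icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$NIC.$LAN_VID" oifname "$NIC.$WAN_VID" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$NIC.$WAN_VID" masquerade
    }
}
EOF
}

# Sanity check the generated text before it reaches the kernel: both filter
# chains must be default-drop, and no rule may accept traffic that arrives
# on the WAN subinterface (that is exactly the exposed-admin mistake).
check_ruleset() {
    rs="$(nft_ruleset)"
    [ "$(printf '%s\n' "$rs" | grep -c 'policy drop')" -eq 2 ] || return 1
    printf '%s\n' "$rs" | grep -q "iifname \"$NIC.$WAN_VID\".*accept" && return 1
    return 0
}

if [ "${APPLY:-0}" = "1" ]; then
    check_ruleset || { echo "ruleset failed sanity check" >&2; exit 1; }
    vlan_plan | sh -e
    nft_ruleset | nft -f -
else
    vlan_plan
    nft_ruleset
fi
```

The check_ruleset step is the part worth keeping even if the rest is replaced by pfSense or an EdgeRouter: whatever generates the policy, grep the result for an accept on the WAN-facing interface before loading it, because that is the rule that turns a router into a remotely administered one.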
