Advice for home pro user
-
Hello dear forum,
I'm looking to get a new Newgate device.
My main goals are:
- IDS
- Adblocker
- VPN for access remotely
- couple VLANS
- Ubiquity AP roaming network - 4-5 APs with Controller
- NAS with 3-4 webapps in DMZ with reverse proxy
- same NAS in second VLAN for internal use for Multimedia
- Uplink from ISP is on PON network, with their own converter 1000/600MBPS, max 1GBPS
I see currently 3100/5100 are EOS, so which is good option in your opinion?
-
The last 5:
couple VLANS
Ubiquity AP roaming network - 4-5 APs with Controller
NAS with 3-4 webapps in DMZ with reverse proxy
same NAS in second VLAN for internal use for Multimedia
Uplink from ISP is on PON network, with their own converter 1000/600MBPS, max 1GBPS
can be done with any Netgate device, although, because you are using more than 500 Mbit/sec, I would not choose the "1100".
VPN remote access: just you, for remote admin tasks? Or many people at the same time?
Adblocker? Check the feeds you want to use. If they size up, start thinking about more RAM.
IDS: There is only one requirement for this, and it's not 'device' related. It's more an admin capability. You'll be needing a rather muscled device if you want to decrypt and re-encrypt multiple TLS streams, of course. But as this is actually never done in reality, not much is known about it. IDS is something from the past.
@lem0ncho said in Advice for home pro user:
I see currently 3100/5100 are EOS, so which is good option in your opinion?
But, I'm pretty sure, as soon as you've dropped IDS from your list, a 2100 will do just fine.
-
@gertjan Hello and thanks for the details
-
As for VPN, it's more or less for remote tasks and accessing private NAS resources.
-
IDS: I got confused here, why do you say it's from the past? I meant to say IDS+IPS use.
-
-
Yeah the 6100 is the best choice there. At 1G it still has headroom for services and won't impact throughput on other connections.
Steve
-
@lem0ncho said in Advice for home pro user:
I meant to say IDS+IPS use
I know, as this question pops up every x days.
The situation :
[ Your computer ] <>=====[ many devices here, one of them is in front of you: your router, pfSense ] =======<> [ Your bank ]
As you already know, communication between your computer and your bank is encrypted.
True, the packets travelling between your computer and your bank still contain some readable info, like everything written on the outside of an envelope: your postal address, the bank's postal address. Some other bits, like the SYN flag and so on. And the two MAC addresses, but these are not the point-to-point MACs.
You have to set up
- your router (or some other device),
- your computers on your LANs
- and every other device from which you want to "see" the traffic in clear.
Your local devices have to use pfSense as a proxy. Your local devices have to trust this proxy, and by trust I mean: if they ask for www.mybank.com and pfSense replies back with "I am www.mybank.com, log in to me", then the browser on the computer used should say: ok, here you go, this connection is trusted, this device (your pfSense!) says it's "www.mybank.com", so I believe it on its word.
There is already a huge non-technical question to answer here: are you allowed to see traffic that is not yours?
(and the less popular one: why should you want to see traffic that isn't for you?)
The traffic is from your kids? Ok, this might be the only case where some legal stuff is on your side. All others: well, you risk going to a place where your letters (postal) will get opened and read before they reach you. But you will be fine with that, I guess.
How to set up your router:
Install your favourite web browser on your device, and type this question:
How do I IDS or IPS?
Because you'll probably find the proposals of some known or less known scammers first, have a look at some videos first.
Use the good old platform, not the new 10-seconds-max ones.
Discard videos that are more than 4 years old; before that time, traffic was still HTTP (in clear). You're looking for "IDS + IPS on TLS", as everybody is doing that.
Have a look, see several videos. My favourite is: Transport Layer Security (TLS).
This video is part of 3 or 4 others. See them all.
Same thing for "Forward Secrecy".
You have to know and understand what the guy in the video tells you. When you want to "IDS+IPS" you will have to forget the "click here and click there" life.
You need to understand what you're doing. Not because I say so, as you will find out.
Btw: if you pull this one off, Snowden will call you, and he will add your phone number to his contact list.
Currently, he has none.
Note: I'm not writing all this to say: 'no - it can't be done'.
If you run a centralized proxy, needed to do IDS and/or IPS, and some 'dumb' controlled terminals with web browsers, then yeah, it's feasible.
Your set-up will need permanent, ongoing maintenance as all other involved parties will not be very cooperative, to say the least.
And check your health insurance. People that discover that they are spied upon tend to get aggressive.
-
@gertjan That's quite a reply!
Thanks for it!
So far I thought IDS is simply alerting on suspicious traffic, while IPS does, on top of that, add a firewall rule to block it.
I thought this is simply performed while doing checks against IPS databases such as Snort and there is no need to open the packets. Because, like you said, if I would like to have TLS open I need to have my router CA installed in the trust stores on all my end PCs, which is too much, and eventually if my CA is corrupt all goes to shit.
So is IPS still not on the table these days?!