CPU and RAM - which does what i.t.o. performance?
-
@nocling Great info, thank you very much. It has made me more aware of what IDS/IPS can and can't do.
What I would like to do is use my Synology to serve as a cloud server for our family, like Dropbox. So I want my clients (our family MacBooks, phones etc) to connect to that service from outside the firewall.
I have no clue how to secure this and if a VPN would work for this service and if it would work on phones. I am a noob when it comes to securing WAN side ports, but I will dive into this now, get it working on my USG and then after a couple of weeks decide on a netgate model.
Regards, Pete -
You may find that pfBlockerNG blocking most known bad IPs and URLs does more than enough for you, and if your open ports are limited to 1-2 ports coming in from the WAN, then you're likely overthinking your security.
If your NAS is accessed using a link by the vendor and is not directly open on your WAN side, you've even less to worry about.
Do remember that you can put all the security you want at the gate, but if someone lets a file in by downloading something they don't know, then you can still be vulnerable.
IDS/IPS is heavy on resources and may be more than you want to use for the gain you get from it, especially for such a small network of users. If you have no incoming ports open on your WAN, I wouldn't bother personally.
Perhaps before you spend any money on hardware, you could run a pfSense VM or a light setup on old hardware to get a feel for the features you want vs the use you'll get from them.
-
As far as your userbase and wanting to use the NAS like Dropbox, you may want to look at Nextcloud/ownCloud and simply have that running as a VM and mount the storage on your NAS. NC/OC both have apps to install on the devices named, including phones, so you can simply configure folders to automatically upload.
If you're not great with Linux there are pre-configured downloads for the above or you can look at a turnkey solution.
Just an option if you have the ability to run a VM or use older hardware for this.
Depending on your QNAP model, some even allow for NC to be installed here.
-
@rod-it
Thank you for your reply and suggestions. I really appreciate it.
I am confused though because vendor access (like Synology QuickConnect) is considered less safe by some, and often the better solution recommended is a remote access VPN. I am aware that such a VPN requires an open port, but I'm assuming no one can get in except for clients that have that VPN key configured on the client side. Still reading up on that though.
Maybe pfBlockerNG will be all I need, but I figured running some form of IDS (without blocking, just monitoring initially) for a few weeks would either confirm this (if no threats are found) or prove necessary (if otherwise). I am coming to realise though that Suricata on pfSense isn't a "set and forget" tool like the UniFi simplified threat management implementation (which is also Suricata, but without being able to tweak rules). So running Suricata on pfSense will require more time invested in reviewing rules and such. I am curious how this works in practice, but wary of it eating too much of my time in the long run.
I also looked at Nextcloud but wondered what benefit it could have over the Synology cloud server.
More importantly: it looks like one essential feature is missing: having local copies of all files synced on the end user devices and seamless macOS Finder integration, just like the Dropbox functionality. My kids will take no less or stay on Dropbox. -
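Reviewing IDS output is the part of "monitoring, not blocking" that costs the time the post above is worried about. As an added example that is not from this thread and not Suricata's own code, the following Python condenses the alert records of Suricata's EVE JSON log (eve.json) into a triage list, so a weekly look becomes "what fired, how often, from where, and in which direction" instead of reading raw lines. The log lines are constructed samples in the eve.json alert layout, not real traffic (the ET signature ids are real rule numbers, the LOCAL one is a made-up custom rule); classifying direction by RFC 1918 ranges assumes a privately addressed LAN.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Suricata eve.json lines (one JSON object per line). The field
# layout follows Suricata's EVE alert records; addresses and timestamps are made up.
# "action":"allowed" is what IDS (monitor-only) mode logs: nothing was dropped.
# The last line is deliberately truncated, as happens at a log rotation boundary.
SAMPLE_EVE = r"""
{"timestamp":"2021-03-01T10:00:01.000000+0100","event_type":"alert","src_ip":"198.51.100.23","src_port":44512,"dest_ip":"192.168.10.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-03-01T10:00:05.000000+0100","event_type":"dns","src_ip":"192.168.10.5","dest_ip":"192.168.10.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2021-03-01T10:01:12.000000+0100","event_type":"alert","src_ip":"192.168.20.7","src_port":51002,"dest_ip":"203.0.113.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2003068,"signature":"ET SCAN Potential SSH Scan OUTBOUND","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-03-01T10:02:40.000000+0100","event_type":"alert","src_ip":"198.51.100.23","src_port":44520,"dest_ip":"192.168.10.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-03-01T10:03:00.000000+0100","event_type":"alert","src_ip":"192.168.30.4","src_port":60000,"dest_ip":"192.168.30.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL DNS oversized query to firewall","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2021-03-01T10:03:30.000000+0100","event_type":"al
"""

# Assumption: the LAN uses RFC 1918 space; anything else counts as "outside".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alerts(eve_text):
    """Return only event_type == "alert" records; skip other event types and broken lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line; do not abort the whole review over it
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def direction(rec):
    """Classify by the packet's addresses. Caveat: src/dest are per packet, so a rule
    that matches a server's reply shows as "inbound" even if a LAN client started the flow."""
    src, dst = is_lan(rec["src_ip"]), is_lan(rec["dest_ip"])
    if src and dst:
        return "internal"
    if dst:
        return "inbound"
    if src:
        return "outbound"
    return "transit"


def summarize(alerts):
    """Group by signature: hit count, worst severity (1 = highest), distinct sources, directions."""
    summary = {}
    for rec in alerts:
        a = rec["alert"]
        key = (a["signature_id"], a["signature"])
        entry = summary.setdefault(key, {"count": 0, "severity": a["severity"],
                                         "sources": set(), "directions": Counter()})
        entry["count"] += 1
        entry["severity"] = min(entry["severity"], a["severity"])
        entry["sources"].add(rec["src_ip"])
        entry["directions"][direction(rec)] += 1
    return summary


def triage_order(summary):
    """Review order: most severe first, then most frequent."""
    return sorted(summary.items(), key=lambda kv: (kv[1]["severity"], -kv[1]["count"]))


def format_report(summary):
    """One line per signature, in triage order."""
    lines = []
    for (sid, name), e in triage_order(summary):
        dirs = ", ".join(f"{d}={n}" for d, n in sorted(e["directions"].items()))
        lines.append(f"sev{e['severity']} x{e['count']:<3} sid:{sid} {name} "
                     f"[{dirs}] sources={len(e['sources'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize(parse_alerts(SAMPLE_EVE)))))
```

On a real box the input would be the alert records from /var/log/suricata/eve.json (or wherever the pfSense package writes them); a signature that tops the list week after week with only "inbound" hits from a handful of outside sources is the kind of thing pfBlockerNG's lists already absorb, whereas a repeated "outbound" or "internal" hit is the one worth the time to look into.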
@rod-it
Forgot to mention that I would also like to access some other resources on my LAN while being away from home, so the VPN option sounds like a great (and quite safe) solution, by which I could achieve all requirements in one effort. I say "sounds like" as I've never actually tried it.
Pete
-
Why do the files need to be synced locally, why would streaming or downloading on demand not be an option? (I'm curious, not asking you to change your requirements)
Earlier in the post you said 200/200 was crucial, but if everyone is remotely connecting, either over VPN or even via an HTTPS session, there is a chance they're mobile on a data plan or on another connection that may not be able to reach 200. Also, if they do come in via VPN you need to look at that image again: speeds drop to 68 Mbps, and this will be in ideal conditions.
Those figures will change as more packages are run, especially the more demanding.
I'd still suggest you set up a cheap PC or old kit, even a VM at this stage, to do your own testing, even if it's 1 VPN user and Suricata, to get a feel for how involved you'll be or what Mbps you'll see before you buy dedicated hardware.
What you want and what you actually get may vary, but may also still be within a reasonable limit; you may be overestimating what you need vs what is acceptable without spending double.
Do note that if your final decision is VPN, your speeds are not going to be 200 in either direction.
-
@cabledude said in CPU and RAM - which does what i.t.o. performance?:
I am confused though because vendor access (like Synology QuickConnect) is considered less safe by some, and often the better solution recommended is a remote access VPN.
Connecting via VPN is the most secure way to connect. It's also pretty much required if you need to access other resources on your LAN. You should use that if you can.
Steve
-
@rod-it said in CPU and RAM - which does what i.t.o. performance?:
Why do the files need to be synced locally, why would streaming or downloading on demand not be an option? (I'm curious, not asking you to change your requirements)
When offline, we have the files at our disposal. Also, easy Finder integration. Synology cloud server works the same way.
Earlier in the post you said 200/200 was crucial, but if everyone is remotely connecting, either over VPN or even via an HTTPS session, there is a chance they're mobile on a data plan or on another connection that may not be able to reach 200
Well we mainly use the 200/200 connection for what we download and stream while at home on our LAN. I agree that for the remote access VPN clients we don't need 200/200, more like 50-ish. The clients are usually on a WiFi connection while out and about (school / work).
also, if they do come in via VPN you need to look at that image again: speeds drop to 68 Mbps, and this will be in ideal conditions.
I apologise, I have no knowledge on this. Which speeds drop to 68? Upload? Download? And why? If we are all at home the VPN is not used, so we should have the 200/200 available, I would think. What am I missing?
Those figures will change as more packages are run, especially the more demanding.
Okay, maybe I get it now: do you mean the firewall throughput will go down because the firewall appliance is executing packages? Isn't that mostly dependent on appliance type/model, i.e. the higher end models will be able to use the full ISP bandwidth regardless of packages running?
I'd still suggest you set up a cheap PC or old kit, even a VM at this stage, to do your own testing, even if it's 1 VPN user and Suricata, to get a feel for how involved you'll be or what Mbps you'll see before you buy dedicated hardware.
I have used a rental SG-1100 for 6 weeks or so, and just shipped it back to the rental company. I wanted to see how I had to adjust settings in my UniFi controller to get a pfSense FW working with UniFi. I have 7 VLANs set up, so that was an important part for me, learning how to transcribe the firewall rules. I also used pfBlockerNG the whole time, which went well for ad blocking. But as I haven't opened up ports, I have no experience with blocked stuff.
Before the SG-1100 I created a VM on an old Mac Pro 2010 model, plenty of power but no way to issue the VLAN tags. Hence the decision to try a dedicated device.
What you want and what you actually get may vary, but may also still be within a reasonable limit; you may be overestimating what you need vs what is acceptable without spending double.
Do note that if your final decision is VPN, your speeds are not going to be 200 in either direction.
-
In no order:
VPN speeds for all traffic will be reduced to the figures noted above on your diagram; however, you do need to bear in mind that it's in ideal conditions too, and this may not be what you actually get. VPN is harsh, so speeds drop quite drastically; the overall drop depends on the protocol and configuration, but it's something to bear in mind. I've picked the figure from mixed workloads for reference.
Your internet speed won't be affected; it's only clients connecting in over the VPN, but this does include them using your internet connection while connected. All LAN-based devices back at home still see 200/200.
I am not sure why you were not able to set up VLANs on the VM. What application did you use to virtualize your pf box, Parallels, Fusion or something else? Either way, your answer is to configure the VLAN tags on the virtual switch; one will have been required to get the pf box out to the internet. Any application-based virtualization isn't a true test and may not have the features you needed, but your virtual switch configuration is where you would have applied the tags.
For your synced files: if sync is something you need, would it not be possible to sync over the LAN when the devices are connected, prior to them being off the network? Any files missing can be downloaded on demand. I don't have a Mac to test this, but I'm fairly sure in the Nextcloud client (and probably your Synology) you can configure this.
Your bandwidth won't change and in most cases you will likely get 200/200 regardless of packages, but you'll need a beefier box to keep those packages running and not impacting on the other features (especially for Snort or Suricata, neither of which I use).
In most cases above, what was your verdict of the rental? Did it fulfil your needs? Did you miss anything you wanted to test?
Only you will know what suits your needs. For me, I run mine virtual: 2 cores, 4 GB RAM, with pfBlockerNG, Acme, CA, DNS, DHCP Relay, OpenVPN, HAProxy, Dynamic DNS and Telegraf running.
4% CPU and 18% RAM in use, about 250k pfBlocker domains/IPs in the list, so not huge; 6 VLANs, 3 NICs in use.
My firewall rules are strict, both inbound and outbound, that is to say, specific VLANs can only go online, and only for HTTP/HTTPS traffic; everything else is blocked.
I hope you find the solution that works for you.
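To make the "strict both ways" policy in the post above concrete, here is an added Python illustration (not the poster's ruleset, and not pfSense or pf code) that evaluates constructed flows against a first-match, default-deny policy of the kind described: a client VLAN may reach non-RFC 1918 addresses on TCP 80/443 and resolve names via the firewall, and nothing else. The VLAN subnet, the firewall's address on it and the DNS exception are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the illustration (not taken from the thread).
CLIENT_VLAN = ipaddress.ip_network("192.168.10.0/24")    # a "web only" client VLAN
FIREWALL_ON_VLAN = ipaddress.ip_address("192.168.10.1")  # firewall's address there (runs the resolver)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def from_client_vlan(flow):
    return ipaddress.ip_address(flow.src) in CLIENT_VLAN


# Ordered rules; the first matching rule decides (like "quick" rules in pf), and the
# last rule blocks everything, so anything not explicitly allowed is denied.
# "Online" is deliberately defined as non-RFC 1918, so other VLANs stay unreachable
# even on ports 80/443.
RULES = [
    ("dns-to-firewall",
     lambda f: from_client_vlan(f) and ipaddress.ip_address(f.dst) == FIREWALL_ON_VLAN
     and f.proto in ("tcp", "udp") and f.dport == 53, "pass"),
    ("web-to-internet",
     lambda f: from_client_vlan(f) and not is_private(f.dst)
     and f.proto == "tcp" and f.dport in (80, 443), "pass"),
    ("default-deny", lambda f: True, "block"),
]


def evaluate(flow):
    """Return (verdict, rule_name) for a single flow."""
    for name, match, verdict in RULES:
        if match(flow):
            return verdict, name
    raise AssertionError("unreachable: default-deny matches everything")


def audit(flows):
    """Evaluate many flows at once; useful for re-checking expected cases after a policy change."""
    return {flow: evaluate(flow) for flow in flows}


# Constructed flows covering the cases that matter (TEST-NET addresses for "the Internet").
SAMPLE_FLOWS = [
    Flow("192.168.10.20", "203.0.113.9", "tcp", 443),     # web to the Internet: pass
    Flow("192.168.10.20", "203.0.113.9", "tcp", 22),      # SSH out: blocked
    Flow("192.168.10.20", "192.168.20.5", "tcp", 443),    # HTTPS to another VLAN: blocked
    Flow("192.168.10.20", "192.168.10.1", "udp", 53),     # DNS to the firewall: pass
    Flow("192.168.10.20", "198.51.100.53", "udp", 53),    # DNS bypassing the firewall: blocked
    Flow("192.168.20.5", "203.0.113.9", "tcp", 443),      # not from the client VLAN: blocked
]

if __name__ == "__main__":
    for flow, (verdict, rule) in audit(SAMPLE_FLOWS).items():
        print(f"{verdict:5} {rule:16} {flow}")
```

The point of the DNS rule is that clients are forced through the firewall's resolver, which is where pfBlockerNG's DNSBL does its filtering; allowing UDP/53 to arbitrary destinations would let a client step around it.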
-
@rod-it Ah, I see, when you say "your diagram" you probably refer to the SG-2100 specs sheet I inserted above. I just scrolled upward and noticed it says 68 Mbps for IPsec VPN.
But I posted that sheet / diagram before starting to think about cloud file services. Actually 68 seems to be more than enough for us, but I may need to step up to the SG-3100 if I want to stick with "original Netgate". I am not so thrilled to use pfSense in a VM permanently, as the host computer to run that VM would draw way too much power. The VM I used was on a 10 year old Mac Pro running a prehistoric VMware Fusion 7, I think. There were no settings I could see to pass VLAN tags to an interface.
-
Like I said, each person has their own requirements. For me, running it as a VM makes more sense, as I have other VMs and containers running anyway, so another VM adds little to nothing to the existing power draw.
While for me personally, looking for the next model up at a higher cost may not yield me much with 200/200; if you upgrade your ISP's package, you may need a higher throughput. You have to ask yourself, is that likely, and if so, is it soon? If not, grab one suitable enough for today and the next few years; the prices of the others will come down and you can re-evaluate.
The one you rented should have given you an insight into whether that's enough for your needs or not.
I should have also added: my CPUs are Intel Xeon E5-2650 v3 @ 2.3 GHz and my ISP provides me 380/36.
If you're not proud and don't mind used or ex-corporate kit, why not see if eBay or other such sites have a higher spec, used device, but at a fraction of the cost?
Or ask the rental place if they sell any ex-demo units?