Need advice - dipping my toe into the pfSense world for home network



  • Please help…

    I've been reading about pfSense for a few months now and I am ready to start incorporating it into my home network which currently consists of a 50/5 connection to an ASUS AC66U, running Merlin firmware, and a cheap 1GB unmanaged switch to create more wired connections. Here is what I'm looking to accomplish:

    • AT&T just dropped GigaPower (1gb u/d) into my neighborhood and I'm looking to upgrade.

    • I have a shared file server on my home network (UnRaid) as well as multiple VMs and Dockers. I would like access to these securely outside my firewall (OpenVPN?)

    • When visitors come to my house and want to use my WiFi, I'd like to only provide them Internet access with rules (e.g. no access to my file server, no access to criminal focused websites, potentially even limit their bandwidth speed & quantity).

    • Low profile and silent hardware as this will sit in a media rack in the living room near the TV. The only existing hardware I think I have is an old i3 processor that I pulled from my server (which I upgraded to a Xeon chip a few years ago). I just need to find where I put that chip. Otherwise, I can buy new.

    • I'm looking at a ~$300 budget for the pfSense box/build.

    I have seen lots of posts out there recommending prebuilt hardware such as http://www.mitxpc.com/proddetail.php?prod=JBC313U591W-3160-B and https://www.amazon.com/Firewall-Micro-Appliance-Intel-PFSense/dp/B01AJEJG1A/ref=sr_1_1?ie=UTF8&qid=1484080135&sr=8-1&keywords=pfsense. I'm just not sure where to begin.

    • Do I need 2 or 4 ports?

    • I've read the J1900 doesn't support OpenVPN and I want a secure way to access my home network through RDP, FTP, and potentially other methods. Is AES-NI an absolute must?

    • What about switches? I would like to have at LEAST 7-8 wired connections. Can I stick with cheap unmanaged switches or should I go with managed and the capability to create VLANs?

    • Do I need VLANS?

    • Something like https://www.packtpub.com/sites/default/files/Article-Images/matt-abr01-img03.png looks similar to how I think I want my network setup.

    • What about keeping wireless? The MITX above has built in wireless, but I've read wireless should be done outside of pfSense. Can I continue to use the ASUS AC66U as a wireless access point or should I look into something else? The AC66U covers my entire house for range with 5ghz, but transferring files wireless isn't great.

    • I am interested in running packages such as Snort and Squid.

    I hope some of you experienced users can please assist me here. I definitely see the value of beefing up my network but don't want to go down the wrong path too early in the process.

    Thanks!



  • I've been reading about pfSense for a few months now and I am ready to start incorporating it into my home network which currently consists of a 50/5 connection to an ASUS AC66U, running Merlin firmware, and a cheap 1GB unmanaged switch to create more wired connections. Here is what I'm looking to accomplish:

    Cheap can also mean something around $25 - $45, but in that class you often get some features that you will not see
    on the unmanaged ones. Perhaps a nice place to start thinking about; depending on your budget and/or the number of ports
    you need, there are some interesting switches out there that will help in many cases to set up a nice network. But
    first it would be better for us to know exactly what you are planning! And not only some of the information,
    please tell us all of it (services, packages, protocols, speed, ...).

    Budget:
    • Netgear GS105E or GS108E
    Normal:
    • TP-Link TL-SG2008
    • Zyxel GS2200-8
    Better:
    • Cisco SG200-10 or SG300-10

    • AT&T just dropped GigaPower (1gb u/d) into my neighborhood and I'm looking to upgrade.
    • I have a shared file server on my home network (UnRaid) as well as multiple VMs and Dockers. I would like access to these securely outside my firewall (OpenVPN?)
    • When visitors come to my house and want to use my WiFi, I'd like to only provide them Internet access with rules (e.g. no access to my file server, no access to criminal focused websites, potentially even limit their bandwidth speed & quantity).
    • Low profile and silent hardware as this will sit in a media rack in the living room near the TV. The only existing hardware I think I have is an old i3 processor that I pulled from my server (which I upgraded to a Xeon chip a few years ago). I just need to find where I put that chip. Otherwise, I can buy new.
    • I'm looking at a ~$300 budget for the pfSense box/build.

    • Do you use, or need to use, PPPoE for the AT&T symmetric 1 GBit/s line?
    • How much needs to come out of this 1 GBit/s for you?
    • How many cores and what clock speed does the old Intel i3 have? HT? Which version or series is it? AES-NI?

    I have seen lots of posts out there recommending prebuilt hardware such as http://www.mitxpc.com/proddetail.php?prod=JBC313U591W-3160-B and https://www.amazon.com/Firewall-Micro-Appliance-Intel-PFSense/dp/B01AJEJG1A/ref=sr_1_1?ie=UTF8&qid=1484080135&sr=8-1&keywords=pfsense. I'm just not sure where to begin.

    I don't think that either of these two devices is able to handle a symmetric 1 GBit/s line using PPPoE, and then on top
    of that also with installed packages such as Squid or Snort or Suricata. Therefore the older Intel i3 CPU might be the better
    choice to go with. Surely depending on what you need or wish to install.

    • Do I need 2 or 4 ports?

    Do you plan to build a DMZ for the servers, or to place other multimedia things inside it such as a smart TV, PS3, Internet radio, ...?
    How many switches do you own? Normally you will need only one LAN and one WAN port. But if you are setting up a DMZ
    it would be nice to have a third Ethernet port right there.

    • I've read the J1900 doesn't support OpenVPN and I want a secure way to access my home network through RDP, FTP, and potentially other methods. Is AES-NI an absolute must?

    You are mixing up some information here, I think: the J1900 comes without AES-NI, and this actually only speeds up IPsec,
    so if you are using IPsec it would be better to have it as an option; or, if later OpenVPN 2.4 joins pfSense, perhaps it might
    also speed up the OpenVPN part. But for both, the older Intel Core i3 will perhaps be a nice gain if it comes with:

    • AES-NI inside
    • runs at ~3.0 GHz

    • What about switches? I would like to have at LEAST 7-8 wired connections. Can I stick with cheap unmanaged switches or should I go with managed and the capability to create VLANs?
    • Do I need VLANS?

    Watch the prices and then take a switch or two with a web interface and the capability to create VLANs; they are mostly in the same
    price class as the dumb unmanaged switches, or only a few coins more on top. One for the LAN and one for the DMZ.

    • Something like https://www.packtpub.com/sites/default/files/Article-Images/matt-abr01-img03.png looks similar to how I think I want my network setup.

    • What about keeping wireless? The MITX above has built in wireless, but I've read wireless should be done outside of pfSense. Can I continue to use the ASUS AC66U as a wireless access point or should I look into something else? The AC66U covers my entire house for range with 5ghz, but transferring files wireless isn't great.

    Wireless is a thing of its own: once you have it running you will mostly be fine, but if you get into trouble it is not so easy to sort out.
    So the best bet to avoid WiFi-based problems is really to go with external APs. The UBNT UniFi series works well, MikroTik
    has some nice parts ready to go, and yes, your older router together with DD-WRT or OpenWRT will be a really nice recycle!

    I would be looking here more at the security options that could perhaps be realized with pfSense and the right
    switches. Put the WiFi inside the LAN and create more SSIDs (multi-SSID), some for private use (RADIUS server & certificates), and
    over the Captive Portal with vouchers you could handle all WiFi guests (Internet only), perhaps over OpenLDAP or the LDAP
    role on the DC for all wired clients, and all is safe.

    • I am interested in running packages such as Snort and Squid.

    Nice for sure, but each of them narrows down the entire throughput, and with these small units you linked
    I think you will not get all of the 1 GBit/s symmetric Internet connection out of them. Perhaps if you are not using PPPoE, but
    only perhaps, I said!

    I hope some of you experienced users can please assist me here. I definitely see the value of beefing up my network but don't want to go down the wrong path too early in the process.

    I would suggest you:

    • buy two smart switches, one for the DMZ and one for the LAN
    • all cabled clients secured over LDAP
    • create VLANs for the entire WiFi and LAN
    • secure the WiFi for private usage and for guests
    • all servers with Internet contact in the DMZ, and all without in the LAN area
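
The guest-WiFi isolation the reply above recommends (VLAN for guests, Internet only, no path to the file server or LAN) lives or dies on rule order, because pfSense evaluates the rules on an interface tab top-down and the first match wins. The following is an added example, not code from the thread or from the pfSense project: a minimal first-match evaluator for pfSense-style rules, run over a guest-VLAN ruleset and a mis-ordered copy of it. The addresses (192.168.30.1 as the pfSense address on VLAN 30, 192.168.10.20 as the NAS, 203.0.113.10 as an Internet host) and the VLAN number are assumptions made up for the example.

```python
"""Added example, not from the thread: a minimal first-match evaluator for
pfSense-style interface rules, to sanity-check a guest-VLAN ruleset
(guests get Internet only, no LAN/DMZ/file server) before typing it into
the GUI.  pfSense evaluates the rules on an interface tab top-down and the
first match wins, which is what this models.  Addresses, the VLAN number
and the "NAS" host are made up for the example."""

import ipaddress
from dataclasses import dataclass

ANY = (ipaddress.ip_network("0.0.0.0/0"),)
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
GUEST_GW = (ipaddress.ip_network("192.168.30.1/32"),)  # pfSense address on VLAN 30 (assumed)


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "any", "tcp", "udp" or "tcp/udp"
    dst: tuple         # destination networks the packet must fall into
    dports: frozenset  # destination ports; empty means any port


def _proto_matches(rule_proto: str, flow_proto: str) -> bool:
    return rule_proto == "any" or flow_proto in rule_proto.split("/")


def evaluate(rules, proto, dst_ip, dport):
    """Action of the first matching rule; 'block' if nothing matches,
    because every pfSense interface ruleset ends in an implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if not _proto_matches(r.proto, proto):
            continue
        if not any(ip in net for net in r.dst):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "block"


def guest_rules_correct():
    """Guest VLAN: DNS to the gateway, then deny all private space, then Internet.
    (pfSense adds its own hidden allow rules for its DHCP server on the
    interface, so DHCP does not need a rule here.)"""
    return [
        Rule("pass", "udp", GUEST_GW, frozenset({53})),  # DNS resolver on pfSense itself
        Rule("block", "any", RFC1918, frozenset()),      # LAN, DMZ, other VLANs, pfSense admin
        Rule("pass", "any", ANY, frozenset()),           # whatever is left is the Internet
    ]


def guest_rules_misordered():
    """Same rules with the RFC1918 block placed first: it now shadows the
    DNS rule, because the gateway 192.168.30.1 is itself a private address."""
    dns, private, internet = guest_rules_correct()
    return [private, dns, internet]


def check_guest_policy(rules):
    """Verdicts for a few flows from a guest client (constructed test traffic)."""
    return {
        "dns_to_gateway":    evaluate(rules, "udp", "192.168.30.1", 53),
        "smb_to_nas":        evaluate(rules, "tcp", "192.168.10.20", 445),
        "webgui_on_pfsense": evaluate(rules, "tcp", "192.168.10.1", 443),
        "https_to_internet": evaluate(rules, "tcp", "203.0.113.10", 443),
    }


if __name__ == "__main__":
    for name, rules in (("correct", guest_rules_correct()),
                        ("misordered", guest_rules_misordered())):
        print(name, check_guest_policy(rules))
```

With the rules in the right order a guest can resolve names and reach the Internet but not the NAS or the pfSense web GUI; with the RFC1918 block moved to the top the guest loses DNS too, which is the classic "guest network has no Internet" symptom. Two things the rules do not cover: guest-to-guest traffic on the same VLAN never reaches pfSense, so client isolation has to be switched on at the access point, and bandwidth caps are a separate Limiter feature rather than a pass/block decision.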


  • @BlueKobold:

    You are mixing up some information here, I think: the J1900 comes without AES-NI, and this actually only speeds up IPsec,
    so if you are using IPsec it would be better to have it as an option; or, if later OpenVPN 2.4 joins pfSense, perhaps it might
    also speed up the OpenVPN part.

    I don't understand why you keep saying this: the current version of OpenVPN does use AES-NI and does run faster on CPUs with AES-NI. OpenVPN 2.4 enables AES GCM mode, which is even faster with AES-NI, but the current AES CBC mode does already use AES-NI via OpenSSL.
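
A way to settle the AES-NI question on the actual hardware, added here as an example and not taken from the thread: check whether the CPU exposes the instruction (the `aes` flag in `/proc/cpuinfo` on Linux, `AESNI` in the `Features2=<...>` line of `/var/run/dmesg.boot` on FreeBSD, which pfSense runs on), then time OpenSSL's EVP cipher path, which is the path OpenVPN uses, with AES-NI on and with it masked off. `openssl speed -evp` and the `OPENSSL_ia32cap` environment variable are real OpenSSL features; the function names and the constructed sample strings in the test are the example's own.

```python
"""Added example, not from the thread: detect AES-NI and measure whether
OpenSSL's EVP path (what OpenVPN uses) actually benefits from it.

The detection functions take text, so they can be exercised on constructed
/proc/cpuinfo or FreeBSD boot-log snippets as well as on the live files.
`openssl speed -evp` and OPENSSL_ia32cap are genuine OpenSSL features."""

import os
import re
import subprocess


def has_aesni_linux(cpuinfo_text: str) -> bool:
    """True if any 'flags' line of /proc/cpuinfo lists the exact flag 'aes'."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1].split()
            if "aes" in flags:
                return True
    return False


def has_aesni_freebsd(dmesg_text: str) -> bool:
    """True if the CPUID feature line Features2=0x...<...> lists AESNI."""
    m = re.search(r"Features2=0x[0-9a-fA-F]+<([^>]*)>", dmesg_text)
    return bool(m) and "AESNI" in m.group(1).split(",")


def has_aesni():
    """Detect on the running host; None if neither source is readable."""
    sources = (("/proc/cpuinfo", has_aesni_linux),
               ("/var/run/dmesg.boot", has_aesni_freebsd))
    for path, detect in sources:
        try:
            with open(path) as f:
                return detect(f.read())
        except OSError:
            continue
    return None


def parse_speed_line(output: str, cipher: str):
    """Throughput figures (kB/s per block size) from the `openssl speed`
    summary line, e.g. 'aes-256-cbc  714838.97k  1196433.32k ...'.
    Newer OpenSSL prints the name in upper case, so compare case-insensitively."""
    for line in output.splitlines():
        if line.lower().startswith(cipher.lower()):
            return [float(v.rstrip("k")) for v in line.split()[1:]]
    return []


def aes_throughput(cipher="aes-256-cbc", disable_aesni=False):
    """Run `openssl speed -evp <cipher>` and return the parsed throughput list.
    With disable_aesni=True the OPENSSL_ia32cap mask clears bits 57 (AES-NI)
    and 33 (PCLMULQDQ) so OpenSSL falls back to its software AES."""
    env = dict(os.environ)
    if disable_aesni:
        env["OPENSSL_ia32cap"] = "~0x200000200000000"
    out = subprocess.run(["openssl", "speed", "-evp", cipher],
                         capture_output=True, text=True, env=env, check=True).stdout
    return parse_speed_line(out, cipher)


if __name__ == "__main__":
    print("AES-NI present:", has_aesni())
    for off in (False, True):
        try:
            print("AES-NI", "disabled" if off else "enabled",
                  aes_throughput(disable_aesni=off))
        except (OSError, subprocess.CalledProcessError) as e:
            print("openssl speed not available:", e)
```

On a CPU with the instruction the masked run is typically several times slower for AES-CBC, which is the gap that matters for an OpenVPN server pushed to gigabit speeds. One caveat for anyone running pfSense as a VM: the guest only sees the `aes` flag if the hypervisor passes the host CPU features through, so a host with AES-NI can still present a guest without it.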

