(SOLVED) Replacing Ubiquiti EdgeRouter X with pfSense



  • Hello,

    I've never used pfSense in production, just labs, but anyway.

    I have a small SOHO network that consists of a few laptops/smart devices/printers as well as a Netgear wireless router in access point mode for my LAN, as well as another portion of my network that runs a server for my business.

    At the moment I have my EdgeRouter X configured as follows:

    LAN-192.168.0.0/24
    DMZ-192.168.200.0/24
    WAN-X.X.X.X/X

    I didn't think it was a good idea to post my exact WAN subnet unless it's necessary?

    As far as the firewalling on the edge router goes, I set it up so my LAN subnet can talk to the WAN, but the WAN can't start a connection with the LAN subnet.

    The DMZ subnet has port forwards from the WAN to the server for HTTP, HTTPS, IMAPS, and SMTP.

    I usually access the server on the DMZ subnet from my LAN subnet at home. Because of this I don't have any firewalling for traffic between the LAN and DMZ subnets. I know I need to have some, but I'm not sure what I should forward between them, e.g. only the service ports I'm using on the server (HTTP, HTTPS, etc.) or something else?

    My main reasoning for the switch is I wanted more control and visibility into my network. The reliability of the EdgeRouter X is great; I updated its firmware on 10/31/2017 and it's been up ever since, and I nearly forgot about it.

    The EdgeRouter X has a traffic analysis tab, but it only shows the source IP address of the client and rarely ever shows the layer 4 protocol (TCP/UDP) or the port number. I just checked while writing this, and for one of my Android phones it shows the phone's IP address, then YouTube, followed by the amount of data transferred, but that's all.

    The last thing is: how do I deploy pfSense while avoiding as much downtime as I can?

    Thanks for all your time and help.



  • @tman904:

    I didn't think it was a good idea to post my exact WAN subnet unless it's necessary?

    That's correct, and glad you didn't.  On the downtime, I would plan on implementing after working hours to avoid regular work-related…should take five to ten minutes as you'll just be rebooting your main modem (that's taking it that you have already installed pfSense on your hardware of choice), and for pfSense to issue your LAN IP addresses to all devices.



  • I'm not quite sure what hardware I need.

    Plus I need help with the filtering of the LAN and DMZ.

    Is there documentation for firewalling?


  • Rebel Alliance

    @tman904:

    Is there documentation for firewalling?

    https://doc.pfsense.org/index.php/Category:Firewall_Rules



  • @tman904:

    I'm not quite sure what hardware I need.

    I would suggest that you hang out in the hardware section of the forum and don't discount what Netgate has to offer in your decision-making process…especially if you don't want to tinker or don't already have an old computer sitting idle.  Also, here's a link to lots of setup info: https://doc.pfsense.org/index.php/Category:Howto



  • @tman904:

    The EdgeRouter X has a traffic analysis tab, but it only shows the source IP address of the client and rarely ever shows the layer 4 protocol (TCP/UDP) or the port number. I just checked while writing this, and for one of my Android phones it shows the phone's IP address, then YouTube, followed by the amount of data transferred, but that's all.

    I replaced my EdgeRouter X with pfSense for the same reason. ntopng is the package you want to look at for traffic analysis. It provides way more info than the EdgeRouter X. Once you set up pfSense, you can download this from the package manager. Below is the link for ntopng features in the community edition:

    https://www.ntop.org/announce/say-hello-to-ntopng-2-0/



  • What hardware did you use to replace the EdgeRouter X, goldfish?



  • I have a Small Form Factor Dell Desktop.
    Core i5, 4GB RAM, 240 Crucial SSD and a PCIe Gigabit Intel network card. All of this is overkill, but it's future-proof.

    I got this from one of our clients who was gonna throw it away. And now it's the best firewall I ever used.



  • Does the CPU have AES-NI? What is the model number of the Dell desktop?



  • @tman904:

    Does the CPU have AES-NI? What is the model number of the Dell desktop?

    It's a Dell OptiPlex 780 Small Form Factor.

    It came with a Core 2 Duo, but I had a motherboard and CPU sitting around, again from another client. I used the Dell for the chassis and power supply and used a different board and CPU. Yes, it has AES-NI.

    Are you planning to buy hardware? There are tons of options online, again depending on your budget.



  • I was thinking of building something like this with parts from Newegg.

    COOLER MASTER Elite 110 RC-110-KKN2 Midnight Black Steel / Plastic Mini-ITX Tower Computer Case

    Intel Pentium G4400 Skylake Dual-Core 3.3 GHz LGA 1151 54W BX80662G4400 Desktop Processor Intel HD Graphics 510

    ASRock H110M-ITX LGA 1151 Intel H110 HDMI SATA 6Gb/s USB 3.0 Mini ITX Intel Motherboard

    CORSAIR VS Series VS400 (CP-9020117-NA) 400W ATX12V / EPS12V 80 PLUS Certified Active PFC Power Supply

    WD Caviar SE WD1600JS 160GB 7200 RPM 8MB Cache SATA 3.0Gb/s 3.5" Hard Drive Bare Drive

    Intel EXPI9402PTBLK 10/100/1000Mbps PCI-Express Two Gigabit Copper Server Connections

    4GB Samsung DDR4-2400MHz Non-ECC 288pin Memory M378A5244CB0-CRC

    Grand Total: $283.23

    The G4400 CPU has AES-NI, and once you add the shipping it's $294.42, still $71 cheaper than the SG-3100, which is the appliance I was thinking of buying instead.

    What do you think?

    The main reason I wanted to build one is I feel I have more flexibility with the hardware. If I buy an appliance, as soon as Netgate EOLs it I can't use it for anything else.



  • Right on. Apart from the $7 saving, you have double the RAM plus a ton of storage. They probably would not EOL it anytime soon as it was just introduced (maybe Sep-Oct 2017), but like you said, you can re-purpose the machine anytime you want. You can upgrade it anytime you want. Building your own firewall has its own rewards. Maybe in the future replace the HDD with a 32GB or bigger SSD to make it more reliable.

    Go for it!!!



  • @tman904:

    I was thinking of building something like this with parts from Newegg.

    COOLER MASTER Elite 110 RC-110-KKN2 Midnight Black Steel / Plastic Mini-ITX Tower Computer Case

    Intel Pentium G4400 Skylake Dual-Core 3.3 GHz LGA 1151 54W BX80662G4400 Desktop Processor Intel HD Graphics 510

    ASRock H110M-ITX LGA 1151 Intel H110 HDMI SATA 6Gb/s USB 3.0 Mini ITX Intel Motherboard

    CORSAIR VS Series VS400 (CP-9020117-NA) 400W ATX12V / EPS12V 80 PLUS Certified Active PFC Power Supply

    WD Caviar SE WD1600JS 160GB 7200 RPM 8MB Cache SATA 3.0Gb/s 3.5" Hard Drive Bare Drive

    Intel EXPI9402PTBLK 10/100/1000Mbps PCI-Express Two Gigabit Copper Server Connections

    4GB Samsung DDR4-2400MHz Non-ECC 288pin Memory M378A5244CB0-CRC

    Grand Total: $283.23

    The G4400 CPU has AES-NI, and once you add the shipping it's $294.42, still $71 cheaper than the SG-3100, which is the appliance I was thinking of buying instead.

    What do you think?

    The main reason I wanted to build one is I feel I have more flexibility with the hardware. If I buy an appliance, as soon as Netgate EOLs it I can't use it for anything else.

    I see you do like to tinker…I agree with Goldfish, go for it!


  • Rebel Alliance Global Moderator

    Just wanted to point out that you're talking a few bucks difference in price… And buying the SG-3100 would get you Gold for a year, don't forget that!  And a huge part here is you fully support the project by getting hardware from them..  And you're going to be freaking sure it's a rock solid box vs something you threw together with cheap parts you got from online..

    How much power is that box going to draw vs the SG-3100?  Looks like you only have 2 NICs there.. Don't forget the SG-3100 comes with a
    "four-port 1 gbps Marvell 88E6141 switch, uplinked at 2.5 gbps to the third port on the SoC for LAN. "

    Which can be used as a switch or can be used as interfaces for different networks..  Your DIY box doesn't seem to have that.. Why would you need that much space in your router/firewall?  An OLD HDD to boot.. Put in an SSD at a minimum.. .

    I am all for tinkering...  But as a new owner of a shiny new SG-4860... I say support pfSense/Netgate and get hardware from them.. While some of their models might be high for a home/lab "I just like to tinker" budget, etc.  Clearly this is not the case with what you put together vs the 3100 model...

    edit: BTW, if you have a question on when the EOL date for the 3100 might be, check here:
    https://www.netgate.com/support/product-lifecycle.html

    They list the 3100 as the replacement for the 2440..  The point to take away from that page would be this statement, I think.. "End of Life (EOL) will typically occur within 1-3 years after the EOS date"

    So when they stop selling the 3100, you most likely would have 3 years after that..  They have stopped selling the 2440 and its end of life date is the end of 2020.. And just because it is listed as EOL doesn't mean it still won't work, or that it would not be able to run the current version of pfSense at that time, etc.  We have a 2440 in one of our branch offices with plans to change all the offices out to pfSense - they will all prob be 3100s.. Was hoping to get a couple more this year but it didn't work out - my team lead would never pull the trigger on the order even though I brought it up every few weeks ;)  I would love to put in the 4860s but they are way overkill for the needs of the branch offices ;)  And I don't think I will ever be able to make mine even break a sweat...  But that won't stop me from trying - looking forward to playing with the new layer 7 stuff...



  • I see your very good points, johnpoz, and you've given me some things to ponder.



  • I've had some time to ponder and I happened to find this: http://pcengines.ch/apu2.htm

    It seems like a good compromise between the performance of the SG-3100 and the SG-4860.

    I'm saving more money than buying the SG-3100 or building one with the parts from the last post. It came out to $200.20 at the most, seeing as the site states about $30-$40 shipping for one system.

    For the apu2 4GB RAM version with a case, power adapter and a 16GB MLC SSD it's $200.20.

    My main concern is whether the SSD is reliable enough for all the logging of pfSense, as well as whether, if in the future I want to install ntopng, it will keep up and not become a bottleneck.

    I can save even more money by buying the 2GB RAM version. Is the 2GB version enough to run most packages? I have about 20 users at most.

    Finally, with the money I saved I figure I can buy a $99 Gold subscription and still be donating to the project.

    Sorry to be long-winded, but what do you guys think?



  • @tman904:

    Finally, with the money I saved I figure I can buy a $99 Gold subscription and still be donating to the project.

    I would go for the SG-1000, which is $50 extra, and get a free Gold subscription with it. So all in all the device would cost you $50 + shipping. Then you can use this for lab, testing, etc.



  • I am heavily leaning toward the SG-1000, but I have two problems with it.

    1. It only has two ports, whereas I need three subnets, and I can't afford to buy a managed switch to implement VLANs.

    2. The specs state it has 512MB of RAM; I'm not sure if I can run ntopng with that amount of RAM.

    My end goal is to move the EdgeRouter X out of production in favor of a device running pfSense.


  • Rebel Alliance Global Moderator

    1. Because they are so expensive?

    https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08P/dp/B008ABLU2I?th=1
    $29

    Or save a couple of bucks if you want and get the 5 port version for $25..

    With a smart switch that does SPAN ports you can run ntop on any box you want..  Doesn't have to be run on your router…

    Here is the thing: if you're planning on moving into a better network setup.. you're going to want a smart switch... While you can get them for cheap, the above D-Link 1100 for example works.. But it's very feature-starved.. For a home budget I am a fan of the Cisco SG300.. I picked up a 28-porter because I was tired of being interface-starved ;)  And wanted to be able to leverage the 6 interfaces on my 4860 to spread my VLANs out, etc. Have ports to play with LAGGs if someone had an issue I was trying to duplicate to help them.. I personally see ZERO reason for a LAGG setup in a home/lab setup - it's a waste of ports for no real benefit..

    So I have plenty of ports now.. Moved the SG300-10 I had to my AV cab and replaced the cheap Netgear I had there.. I have 3 cheap switches that come up a lot here to be able to help.. The Netgear, the D-Link I linked to and the utter POS TP-Link one... not worth the $20 price tag I got it for -- you can not remove VLAN 1 from any ports..

    I would be willing to sell you any of them... But even if I sold them to you for $15, by the time you paid for the shipping it would be just easier to order from Amazon and have it in 2 days, etc.

    The SG300-28 I show for $232; I had gotten it for $200.. The SG300-10 I show for $120... Well worth the price point... The money you save if you went with the SG-1000 would pay for the SG300-10..



  • Thanks for that, johnpoz, I wasn't aware D-Link made 8 port managed switches.

    Well, with that, here is what I'll do.

    I'll buy the SG-1000 along with the D-Link 8 port smart switch.

    Instead of having
    port 1 LAN-192.168.0.0/24
    port 2 DMZ-192.168.200.0/24
    port 3 WAN-0.0.0.0/0

    I'll do this

    port 1 vlan 2-LAN-192.168.0.0/24
    port 1 vlan 3-DMZ-192.168.200.0/24
    port 2 WAN-0.0.0.0/0

    Thanks for everyone's help.
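The zone policy from the first post (LAN out to the WAN only, WAN into the DMZ only on the forwarded service ports, LAN into the DMZ restricted to those same ports) laid onto the VLAN plan in the last post, written as an added example in FreeBSD pf syntax, the packet filter underneath pfSense; it is not from this thread and not pfSense's own generated ruleset, which the web GUI produces from the rules you enter there. The interface names wan/vlan2/vlan3 and the server address 192.168.200.10 are assumptions.

```pf
# Added illustration in FreeBSD pf syntax (the packet filter under pfSense);
# it is not a pfSense export. Assumed names: "wan" = the physical WAN port,
# "vlan2"/"vlan3" = 802.1Q VLANs 2 and 3 on the single LAN port;
# 192.168.200.10 is an assumed address for the DMZ server.
wan_if  = "wan"
lan_if  = "vlan2"
dmz_if  = "vlan3"
lan_net = "192.168.0.0/24"
dmz_net = "192.168.200.0/24"
server  = "192.168.200.10"
svc_tcp = "{ 80, 443, 993, 25 }"   # http, https, imaps, smtp (from the thread)

set skip on lo0

# Translation rules come before filter rules in pf. Outbound NAT for both
# internal networks; inbound forwards go only to the DMZ host and only
# for the four service ports.
nat on $wan_if from { $lan_net, $dmz_net } to any -> ($wan_if)
rdr on $wan_if proto tcp from any to ($wan_if) port $svc_tcp -> $server

# Default deny and log, so anything not explicitly allowed shows up in the log.
block log all

# WAN: after rdr the destination is $server, so this only admits the forwards.
pass in on $wan_if proto tcp from any to $server port $svc_tcp keep state

# LAN: out to the Internet (and to the router itself), but not into the DMZ...
pass in on $lan_if from $lan_net to ! $dmz_net keep state
# ...except the same service ports on the server that the WAN already reaches.
pass in on $lan_if proto tcp from $lan_net to $server port $svc_tcp keep state
# DHCP from LAN clients: a DISCOVER is sent from 0.0.0.0, so the $lan_net
# rule above would not match it.
pass in on $lan_if proto udp from any port 68 to any port 67 keep state

# DMZ: Internet only; a compromised server cannot initiate toward the LAN.
pass in on $dmz_if from $dmz_net to ! $lan_net keep state

# Let stateful replies and router-originated traffic leave on any interface.
pass out all keep state
```

Because pf is last-match, the `block log all` line is overridden only by the explicit `pass` rules after it, so the log shows exactly the LAN-to-DMZ and WAN-to-DMZ traffic the policy rejects.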