Home network project : opinions request



  • Hi all,

    First off, please note that English is not my mother tongue; I do my best here, but it's important to keep that in mind.

    Second, I would like to thank every direct and indirect contributor of this amazing project. I discovered pfSense about 10 years ago and was amazed by all its features and reliability. At the time I was in the middle of a big, badly planned and poorly managed infrastructure migration and had to deal with crappy, buggy commercial black boxes, and pfSense just solved the crisis. I used to deploy an active/passive HA with CARP for a small hosting company (~1K customers) and I discovered the rock-solidness of this elegant BSD-based solution. Also, nobody is bias-free, but you may imagine what this product represents to me.

    At the time I also deployed and played at home with an ALIX card for a 20/2 cable connection, and it worked smoothly for years. Then I did not use it for some years as I was going around the world.

    Now, I'll relocate in a few weeks and will benefit from a symmetric 1/1 Gbps FTTH connection, so it's time to determine which appliance I'll purchase. Supporting the project by buying a Netgate product and keeping the TCO low both appear great to me.

    Although I have some experience with it, pfSense is the kind of product that helps you stay humble, and I would say I'm kind of an "experienced newbie". Therefore I ask for some opinions regarding the sizing:

    Here are the specs/requirements of my home network:

    • No hosted services, every WAN port closed, but an IPsec tunnel for being able to connect from outside.
    • pfBlockerNG to do the job instead of my current Raspberry Pi + Pi-hole. Basically I use different block lists representing an average of 800'000 DNS entries, updated weekly. No GeoIP planned at the moment, or if so in the future, not many, although they might be huge ones though (...)
      -  pfSense as a DNS-over-TLS "relay" (currently handled by Pi-hole/Stubby too, quite light)
    • A permanent VPN tunnel for safe-surfing purposes (ProtonVPN or NordVPN) - I would say ~20% of home network traffic.
    • A Ubiquiti nanoHD using the included PoE injector as WLAN access point (with 3 SSIDs on 3 VLANs, maybe a 2-port LAGG for fun and optimization)
    • Not sure about Suricata IDS/IPS, and I think this is the most determining factor here for sizing considerations. As I'll have no open port on the WAN side, I guess I would put it on LAN only with a few, optimal rulesets. I'm still thinking about it as so much traffic is encrypted compared to years ago. Also, there are only Linux desktops/laptops run by power users on the LAN, using official repos only, browsers with JavaScript disabled / a common whitelist, no Java, no Wine, no Mono or that kind of thing.
    • 1 Sony gaming console that will be on a dedicated VLAN through a wired connection, with dedicated rules/NAT/outbound NAT and stuff like that. Little traffic, but low latency required.
      -  I plan to use the Raspberry Pi 3B+ (currently serving as Pi-hole and DNS-over-TLS relay) as the UniFi controller for the nanoHD.

    I still hesitate between the SG-3100 and SG-5100, although I'm quite convinced by the SG-3100 and its Marvell switch and think that the SG-5100 would be a bit overkill. Plus I like ARM processors, especially since last year's news regarding MDS attacks on Intel processors.

    The only thing that makes me hesitate is the 2 GB of RAM regarding my needs (because of pfBlockerNG). Regarding CPU, I wonder if a few rulesets and optimized settings in Suricata may still handle 1 Gbps on the SG-3100.

    What do you guys think?


  • LAYER 8 Global Moderator

    Why do you think you need an IPS if you're not running any services to the public? Do you think it's going to help you discover infected machines? What experience do you have in running IPSes? Are you wanting to use it as a learning tool?

    If you think clicking a button for IPS is going to do anything for you without a huge amount of effort, you've been misinformed. What it will do is cause you lots and lots of false positives without management of the rule set and understanding what they mean, etc.

    If you do not plan on doing anything with GeoIP, why not stick with your Pi-hole?

    How exactly do you think an MDS attack would come into play on your firewall? Do you run VMs on your firewall where you will have unknown players accessing your VMs? People that are concerned over these sorts of attacks don't seem to comprehend the attack vector at all.



  • Thanks for your post. It indeed gives some information to meditate on.



  • Just curious... why the UniFi nanoHD model? For the 4x4 MU-MIMO on 5GHz?

    Jeff



  • @akuma1x said in Home network project : opinions request:

    Just curious... why the UniFi nanoHD model? For the 4x4 MU-MIMO on 5GHz?

    Jeff

    Partly. All devices will be on 5 GHz. I also read good reviews on it and find these devices fancy. Any remark, suggestion or alternative AP is welcome though.



  • @xavi3r Yeah, the AP AC Lite is $100 less and also supports 5 GHz. The AC Lite just doesn't offer the beamforming stuff and the multi-antenna thingies the nanoHD does.

    https://www.ui.com/unifi/unifi-ap-ac-lite/

    The nanoHD does offer almost double the 5 GHz speed at 1733 Mbps vs. 867 Mbps, however... That's a BIG plus.

    Your final call though, I was just curious why you picked that one.

    Jeff



  • @akuma1x said in Home network project : opinions request:

    @xavi3r Yeah, the AP AC Lite is $100 less and also supports 5 GHz. The AC Lite just doesn't offer the beamforming stuff and the multi-antenna thingies the nanoHD does.

    https://www.ui.com/unifi/unifi-ap-ac-lite/

    The nanoHD does offer almost double the 5 GHz speed at 1733 Mbps vs. 867 Mbps, however... That's a BIG plus.

    Your final call though, I was just curious why you picked that one.

    Jeff

    Exactly. I prefer to pay more now for one of their 3rd-gen devices instead of a 2nd-gen one, rather than wanting to buy another one in 2 years. I wonder about LAGG between the AP and pfSense, but as far as I can see it should be OK.



  • @johnpoz said in Home network project : opinions request:

    Why do you think you need an IPS if you're not running any services to the public? Do you think it's going to help you discover infected machines? What experience do you have in running IPSes? Are you wanting to use it as a learning tool?

    If you think clicking a button for IPS is going to do anything for you without a huge amount of effort, you've been misinformed. What it will do is cause you lots and lots of false positives without management of the rule set and understanding what they mean, etc.

    I have to admit I have no experience per se in IPSes, apart from lab conditions. I do not consider it a magic security thing, especially taking into consideration that most of the traffic is encrypted nowadays, which is a good thing by the way, but makes the IPS at least a bit blind. I find it interesting for detecting basic suspicious activities on the LAN, such as scans. After having watched some tutorials these last weeks, I'm conscious it needs fine-tuning and is indeed not a click-a-button-and-go-on-holidays thing :).

    If you do not plan on doing anything with GeoIP, why not stick with your Pi-hole?

    Right now I do not plan to, but it might be useful in the future. Also, despite Pi-hole being a great product, it's great if pfSense can handle the same tasks and free my Raspberry Pi of this duty. I also like the fact that ads might be replaced by a pixel.

    How exactly do you think an MDS attack would come into play on your firewall? Do you run VMs on your firewall where you will have unknown players accessing your VMs? People that are concerned over these sorts of attacks don't seem to comprehend the attack vector at all.

    I feel like I should go back to some reading here. A bit of rocket-science stuff, at least from my point of view, plus there are various contradictory sources. Also, I have to admit I suffer a bit from paranoia (no joke) and I'm working on it. Nevertheless, all this Spectre/Meltdown/ZombieLoad stuff is a bit concerning. Bonus question: do you think hyperthreading should be disabled or not on a desktop machine?


  • LAYER 8 Global Moderator

    @xavi3r said in Home network project : opinions request:

    do you think hyperthreading should be disabled or not on a desktop machine?

    Yeah, your tinfoil hat is getting a bit tight ;) You really should read up on the attack vs. all the scaremongering. Sure, such an attack could be a huge thing for something like AWS or Azure, etc., where you have clients' VMs on shared hardware.

    Again, what do you think could leverage that vector on your PC? If your machine has been exploited to the extent that code is running, don't you think there are easier ways to get info off the machine ;)

    There will always be the Chicken Little screaming the sky is falling, and yeah, overall it's a fail in the design, sure. But for the everyday Joe running his PC, there are much bigger concerns to be worried about, etc.

    Also, you understand your Pi can do much more than just run Pi-hole at the same time ;) Running a DNS server for some home network most likely doesn't even tick its CPU ;)

    As to your AP choice: yeah, I have been thinking of adding the HD to my setup (Pro, Lite and LR), but hey, why not go with the SHD? Go big or go home ;) With your tinfoil hat being so tight, I would think the security radios in the SHD would be a big seller ;) While that would be fun to play with, I would be more interested in the airView and airTime stuff.



  • If you simply want to learn more about networking and cybersecurity, and you view your home network as just a learning project, then go ahead and knock yourself out with all the stuff you plan. But if others in your home will depend on the network for rather mundane stuff like watching streaming video, reading emails, visiting web sites and perhaps playing the occasional Internet game, then what you have outlined in your original post is a recipe for a giant headache with lots of unnecessarily blocked traffic and angry housemates (especially bad if one of those angry housemates is your spouse ... 😉 ).

    Oh, and please explain to me how using a VPN tunnel gives you "safe surfing". A VPN for generic outbound traffic does exactly zero for security. Where a VPN offers security is when you use one to remote back into your home network from a public network.

    Before you go off and spend a lot of time and effort on locking down your network like the NSA or Fort Knox, first consider its "strategic value" to an outsider. A home network is not a government agency protecting state secrets, it is not Apple or Google or Tesla protecting valuable intellectual property, and it is not Citibank or Credit Suisse with a gazillion dollars of monetary assets to pilfer. It's just a few files and maybe some family photos and such. Valuable to you I'm sure, but not so much to an attacker. No nation-state actors are going to be attempting to break into your home network. So don't be paranoid about all the CPU microcode based exploits or virtual machine exploits and such. Just worry about the more mundane stuff like teaching your house mates how not to click on every attachment and link in an email and how not to visit dodgy web sites. That's 90% of cybersecurity right there -- being careful what you click on!

    Really basic stuff like keeping your PCs updated with the latest security hotfixes and running some kind of anti-virus client on them is probably good enough. And with pfSense out in front of the network with its default deny-all inbound rules in place, you will be sitting pretty good in terms of a security posture. And you won't get lots of spurious blocks from all those security tools triggering on false positives to boot!

    But as I said, if you want to toy with an IDS/IPS, go ahead. Just don't enable blocking out of the gate, and read and research both here in the IDS/IPS sub-forum and on Google to learn how to administer an IDS/IPS rule set.



  • Thanks for sharing your insights and perspectives.

    I think I will leave the IPS stuff and pfBlockerNG aside, and therefore use pfSense without additional packages. An APU4C4 should do the job fine then, and to support the project I can still donate directly to the FreeBSD Foundation, as is well explained on your blog.

    I plan to stick with the nanoHD as we have only 5 GHz devices, take a US-8-60W switch, and add a PoE HAT to the Pi-hole so the switch can power it. Pi-hole is indeed very good at its job, and the dashboard/reporting is great too.

    For VPN, I meant "surfing with more privacy", not "safe surfing". Bad wording, my mistake.


  • LAYER 8 Global Moderator

    @xavi3r said in Home network project : opinions request:

    For VPN, I meant "surfing with more privacy"

    Says who? You're handing over everything you do on a silver platter to this VPN company. And your source IP is just 1 tiny piece of the tracking information used by places you go. There is fingerprinting, there are cookies.

    The argument could be made that using a VPN actually lowers your overall privacy ;)
    https://gist.github.com/joepie91/5a9909939e6ce7d09e29



  • Very interesting indeed. So it seems better to ensure that browser plugins like HTTPS Everywhere and Privacy Badger are activated. With uBlock Origin I think it's a good combo.


  • LAYER 8 Global Moderator

    That users think they have some ability to remain private is the funny part. OMG, my ISP might know I went to amazon.com, but hey, it's OK to let my phone track where I go and when, and how I text, etc. And use my CC when I stop and pick up a six-pack of beer and condoms on the way home... While the toll booth tracked my car, and every camera I pass sees my face and the license plate of the car registered to me.

    If you want to remain private, you should drop off the grid and live in a cave somewhere in the Alaskan wilderness, hunt your own food, etc.

    There is zero chance of having "privacy" in the world we live in, to be honest. That companies use such scare tactics is, to be honest, more about how to get user X to send me MORE info more easily so I don't have to work so hard at tracking him ;)

    Prob a better tactic to enact laws and regulations to prevent companies from doing this tracking, and if they get caught doing something against the rules, to be held accountable for it. And that the info they do store about you in doing business with you is stored securely. So some script kiddie hacker hits some URL on the public internet and downloads a company's millions of user info: names, email addresses, CC numbers, etc. etc. Can we go a week without hearing about the latest data breach where account information for X millions of users was compromised? But yeah, hey, you should be concerned that your ISP might know you went to amazon.com or pfsense.org ;)

    These companies have millions and millions of dollars to spend and some of the best talent on the planet on how to do it, but sure, you're going to be private and secure by spending $2.95 for that VPN service ;)

    You have your cell phone company selling your real-time location info to anyone willing to pay for it. But hey, yeah, your privacy is protected by that fly-by-night VPN service.



  • @xavi3r said in Home network project : opinions request:

    A Ubiquiti nanoHD using the included PoE injector as WLAN access point (with 3 SSIDs on 3 VLANs, maybe a 2-port LAGG for fun and optimization)

    The NanoHD only has 1 Ethernet port, so I'm not sure what your plans are for LAGG. If you really want 2 ports and LAGG, you'll need a UAP-HD or UAP-SHD.

    That said, the NanoHD is a decent device; I run 3 of them at my house. The 2.4 GHz bandwidth is less than the UAP-HD or UAP-SHD, but the 5 GHz is the same and it is a lot cheaper. Basically those two are more for where you have a LOT of users on 2.4 GHz, which isn't your home situation. How big is your home? You may want more than one for good 5 GHz bandwidth everywhere. The way I have mine set up is my main devices (MacBook, iPhones, etc.) use 5 GHz and my low-bandwidth devices such as various IoT stuff use the 2.4 GHz.

    Are you planning to use the UniFi Controller software for the NanoHD? It is possible to not use it, and just set it up using an iOS app, but if you like to tinker you'll probably want to use a controller, e.g. installed on a computer. Note that the controller does not have to be running the whole time (unless you want to use the guest login portal), but it's nice if you can.

    If you're on 1 Gbps and want to run a number of packages including VPN, I would say the APU4C4 is likely not powerful enough for your needs. If you do choose not to go down the Netgate hardware path, I would say it's better to get something like an Intel Qotom device. Note that OpenVPN on pfSense is (I think) still not multi-threaded, so single-core performance is more important than multi-core. However, extra cores will be useful for running multiple packages.



  • Yes, you are right. I think that I mixed up AP model specs, having watched too many of them.

    I'll use this APU4C4 without any packages, just core pfSense, as I'm happy with the Pi-hole. I'll do some tests with the APU4C4 and go for a 200/200 FTTH instead of 1 Gbps if needed. This is still huge bandwidth for my needs compared to the 40/8 I have now. And should I upgrade to 1 Gbps in some years, I could still opt for other hardware, like a Netgate model ;)

    I've also reconsidered VPN and realized I do not need a permanent VPN tunnel at all; the only thing I really need is to connect to home (IPsec or OpenVPN, I don't know, I need to study) from outside when I'm on a public or untrusted Wi-Fi. This way I do not need any VPN provider. I'm a regular guy living in Switzerland, not an activist fighting for human rights in a dictatorial country.

    For the Wi-Fi, at first I was quite seduced by Ubiquiti products, but I might go with Zyxel in the end. The Zyxel GS1900-8HP-EU0102F managed switch has 8 PoE/PoE+ ports (perfect for my Raspberry Pis) and seems to have no excessive heating compared to the US-8-60W I first planned to get. Plus this would spare me the need for an external controller as it has its own web interface. A different kind of solution.

    So I'll probably go for a Zyxel AP, as they have interesting stuff too. We'll see.


  • LAYER 8 Global Moderator

    @xavi3r said in Home network project : opinions request:

    (perfect for my Raspberry Pis)

    So you modified your Pis to be PoE? You bought a PoE HAT? I just bought a 6-port Anker USB charger ;) It powers 4 Pis, my Alexa Dot and the charger for my Fitbit right on my desk...

    Far cheaper option than buying a PoE switch as well. My 3 APs just use the injectors, which I have plugged into a UPS as well, so even when the house loses power my network and Wi-Fi are still up ;)



  • Not yet. Hmm. That's interesting. With good cable management it can be clean and avoid power interruptions because of a switch firmware update, for instance. Thanks. Plus I do not want fans on these devices, and I'm not sure if the USB power issue is now fixed (I guess so).

    Just got an APU4C4 today, updated coreboot to the latest legacy version and installed pfSense. Got a solid 700 Mbit/s (iperf3) with peaks at 800. Haven't yet played with inets queues and checksum offloading to see if it can improve. Need to study this.

    For residential customers, my ISP offers either 200/200 or 1000/1000 on FTTH with a difference of ~$10 per month. Will go for the 1000.

    It's a bit sad that pfSense/Netgate does not accept direct donations anymore; I will donate to the FreeBSD Foundation though.

    Thanks for your insights and inputs guys.


  • LAYER 8 Global Moderator

    $10 difference for 200 vs. gig, yeah, that is a no-brainer. I would go for gig as well at that sort of price point and difference. What I really want is the up. But if I went gig from my 500/50 it only goes to 1000/100, and it's like 20+ more a month. And I really cannot justify the download side. I have no real use for it, and the up is only for my friends and family to share my Plex. And 50 is handling the current load without any issues.

    But if I could get 1000/1000 I would jump on it for sure if only 20 more; for 10 = no-brainer.

    So if you're going to do gig/gig, the 1100 is prob a bit underpowered. The 3100 would be what you would want. Just ordered a 4th 3100 for work ;) Pretty happy. Just wish they would let me use them for some other devices with more oomph... It's been a slow process. But out of the blue my team lead said today, hey, order another one of those firewalls ;)