Netgate Discussion Forum

    SG5100 + Protonvpn + NIDS/DPI

    Posted in: Official Netgate® Hardware
    9 Posts, 3 Posters, 1.1k Views
      paulch7780:

      Hi, sorry for a basic question, I have been out of recent network protection for a while.
      My goal is to protect my home office traffic and increase privacy.
      The idea was to use ProtonVPN (OpenVPN), but sadly it caps at 100 Mbps, where my broadband is 1 Gbps.
      Does it make sense to add NIDS/DPI like Snort? I am not sure how it will be able to look inside the IPsec traffic.
      Are those things mutually exclusive?
      I would be interested to hear how others are using the SG5100 / protecting their home networks.
      Thanks

        stephenw10 (Netgate Administrator):

        They are not exclusive, you can run Snort (or Suricata) in combination with a VPN WAN.
        If it's IPsec you can't run it on the tunnel directly, but for home/SOHO use you would probably want to run it on the LAN interface anyway. That gives much better visibility as you can see internal private IPs.

        Steve

          paulch7780:

          Thank you for the prompt response!
          I am a bit reluctant about sending the traffic via VPN due to the performance downgrade, only 100 Mbps. Setting up my own proxy seems to be overkill for a home office setup, maybe a cloud proxy.
          How is the community utilizing Netgate products in the consumer space?

            stephenw10 (Netgate Administrator):

            I assume you mean the VPN provider is capped at 100Mbps? The SG-5100 should be capable of far more than that.

            Steve

              paulch7780:

              It is VPN capping for sure, I wonder how to overcome this limitation without losing privacy and security.

                stephenw10 (Netgate Administrator):

                Use a different VPN provider?

                Use multiple VPN connections and load-balance them? That would require routed IPsec or OpenVPN.

                  bcruze (replying to paulch7780):

                  @paulch7780 said in SG5100 + Protonvpn + NIDS/DPI:

                  It is VPN capping for sure, I wonder how to overcome this limitation without losing privacy and security.

                  Which plan do you have? Are you connecting to the Secure Core servers? When I used them, the Secure Core servers were extremely limiting.

                    paulch7780:

                    I tried the Plus package for a week. 100 Mbps seems to be the average, also if you compare to other providers like NordVPN, etc. I think I'll need to give up the idea of using the VPN for all traffic and maybe just use a reliable and privacy-aware DNS service for a start. What is the recommendation there? Is anyone using 1.1.1.1/Cloudflare instead of the ISP's DNS settings?

                      bcruze:

                      I'm suggesting you use the standard servers instead of Secure Core. Nord? Yuck, stick with Proton.

                      I've used alternate DNS servers for over a decade.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.