pfSense router/firewall on the edge & OpenVPN
-
My ISP (Verizon FIOS) directly connects by ethernet straight into my pfSense router. No other edge device / modem / bridged router etc. Is it safe to run FreeRadius server + Remote Access OpenVPN + Certificate Authority server, all on the one pfSense edge router?
I've read on the OpenVPN site that it's best to have a separate machine, not connected to the network, to be the CA.
I guess I'm looking for pros/cons of using the pfSense to do all this vs. including a separate Pi for the CA, or even running the OpenVPN itself on an Ubuntu server and letting the pfSense just do routing & firewall?
-
I'd rather take special care of only one device (keep the software up to date, check the forum for security issues, and so on) than administrate one device per service, which could turn out to be the bigger security hole. Small zoo = fewer problems.
pfSense is my main network security solution and I trust it to run any service/package I need, this is what it's built and hardened for.
Follow the usual firewall best practices like a dedicated management interface for admin business, no open WAN ports (besides VPN), strong passwords, no unencrypted traffic, take backups, don't install your own or unofficial packages/software, and so on.
-Rico
-
What are the issues with installing your own? I'm pretty good at Linux-based servers.
Mine is currently freshly installed by me on a dedicated Intel computer system, low power with an integrated Pentium processor, and a 4-port Intel NIC.
I have no problem purchasing a Netgate product(s) but for my home network, not sure what’s best? I believe in supporting those that make pfSense.
I do not want to be replacing the device every 2 years.
I’ve read horror stories about device firmware becoming outdated which becomes a huge risk factor for security. Some manufacturers stop supporting devices which presses consumers to purchase new equipment.
I know Netgate is not cheap stuff but I’m willing to pay for quality. What’s the best router/firewall to buy from Netgate that can reliably do what I’m asking for here, and where I don’t have to re-purchase in five years?
Thanks
Allen
-
Wait...we did not discuss the hardware part here yet.
I talked about one centralized place running your network services with pfSense (take any hardware you want) vs. installing another Pi with OpenVPN, another one for cert management, another maybe with Squid Proxy, and so on.
-Rico
-
I agree with everything suggested; what piqued my interest is when you mentioned the part about "don't install your own"... I took that to mean avoid building your own router/firewall. I didn't mean to change the subject.
Thanks!
-
Ahhh, I see... I meant that if you really care about security, I suggest you not install any custom/unofficial pfSense packages via the command line.
Only use the official repository.
-Rico