Home Build of Firewall / Monitor Help


RBNCO

New Member
Dec 27, 2017
I am a bit of a newbie (ok, all the way new to this) when it comes to home firewalls. My requirements seem to be a bit different than what I have seen others doing. I am looking to add edge security to my home network with a few twists.

My requirements/needs are these:
1. Firewall/IPS
2. Malware protection
3. VPN support for remote connection to my network
4. Website/content logging for monitoring of my kids' internet usage (unfortunately, we need to know what they view and post on different sites)
5. Throughput support as close to 1Gb as possible (I know with SSL inspection and other capabilities, this will be greatly reduced)

I am looking to keep the costs below $1K if possible. I have a server rack for my VM farm and other appliances, so would prefer a reachable appliance or server. I currently have approximately 110 devices right now on my network that have connectivity to the internet. Everything from smart home devices to 4K streaming TVs.

I have been looking into products like pfsense and others, but I cannot seem to find reliable information in one place about all the additional components required to meet my needs. I have been looking at commercial products like Sophos, Zyxel, etc... but they are not complete either.

Any direction or input would be greatly appreciated. If I missed something about what I am looking for or my environment that would help in providing better direction, please let me know.

Thanks.
 

Evan

Well-Known Member
Jan 6, 2016
PfSense or Sophos XG are both free-ish for home use.

Outside of that the devices like fortinet fg-61e with 3 years support should be in budget just.

Full inspection will drop rates to 300M or so but maybe you don’t need full inspection of all traffic types or IP’s etc

Cisco Meraki also maybe worth a look.

The required features are a pretty tough ask. Whether you need authentication, either direct or via AD/LDAP, would be another consideration.
 

RBNCO

New Member
Dec 27, 2017
First off, thanks for the fast replies!

Also, I should have provided a bit of clarity in my original posting. I am new to home-based variants of technology and unfortunately have spent most of my career in large, geographically dispersed enterprises. So dropping a few hundred grand on remote full-featured firewalls has never been an issue. Carrier grade and above, as we say. But trying to replicate anything close to this for the home has me denting my forehead from all the beatings it is taking by my wall.

gigatexal - I have been looking at doing something along the lines of pfsense, squid and ClamAV, but being so new to this home-based firewall niche, concerns about upgrades and the management requirements all combine to worry me a little bit. See, I am hardly home and don't want to have to constantly manage this remotely if possible. So I have been googling like mad to find a company that would provide some level of support for this type of setup. I was hoping that Netgate would work, but their support plans are expensive.

Evan - I have looked at Fortinet and Sophos a lot lately. They seem to be a very viable option. But when looking at them, I have started to wonder if I would be better served with a UTM appliance. As for Meraki, I will just say that I work with Cisco as a partner currently and I cannot see myself ever buying anything of theirs that is subscription based. As for authentication, I know all the devices on my network and their profiles are by hardware, not by user. We don't share many devices that would require tracking by person.

Let me add that I have had two "issues" over the last year that started all this. I traced several IPs that were sending large requests to my edge router (I have a Ubiquiti Edge Pro with basic firewall capabilities). At first it appeared to be a straightforward DDoS attack, but after some packet capturing it seems more likely that it was a brute-force attack attempt. Not really sure why this started, but I have worked with my ISP to "hide" my presence a little bit better (read as: DHCP leases no longer 30 days, but 24 hours, and I am on an isolated VLAN that changes every few weeks). I also use VPN servers to hide some of my traffic as well.

I guess at this point it sounds like a good solution will be twofold. Something like a Fortinet or Sophos appliance as my edge protection profile, a squid proxy server (and another app for reporting that still needs to be figured out) behind it in my "DMZ" for my recording of web activity, and my Edge Pro as the firewall between the DMZ and my internal networks.

So, with all that said, unless someone sees something I do not, I guess my only option is to move towards my defense-in-depth model.

Thanks again guys!
 
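The post above sketches a squid proxy in the DMZ that records web activity, with a reporting app still to be chosen. As an added illustration (not code from the thread or from the Squid project), the script below parses lines in Squid's default native access.log format and builds a per-client, per-site summary of requests, bytes and denied requests, which is the core of such a report. The log lines are constructed sample data; the field layout assumes the stock `squid` logformat (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, content type), and the `TCP_DENIED` prefix is used to flag blocked requests.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumption:
# the default "squid" logformat). One deliberately malformed line is included
# to show that unparseable input is counted and skipped, not crashed on.
SAMPLE_LOG = """\
1514728800.123    245 192.168.1.50 TCP_MISS/200 5432 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1514728801.456    120 192.168.1.50 TCP_TUNNEL/200 48213 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.10 -
1514728802.789     30 192.168.1.51 TCP_DENIED/403 3721 GET http://forbidden.example/page - HIER_NONE/- text/html
1514728803.000     90 192.168.1.50 TCP_HIT/200 9001 GET http://example.com/about.html - HIER_NONE/- text/html
garbage line that does not parse
"""

# Anchored regex for the native format; every field is named so the
# parser is explicit about what it extracts.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def site_of(method, url):
    """Reduce a request URL to the site name used for reporting.

    CONNECT requests (HTTPS tunnels) log only host:port, so the host is
    all the proxy can see without SSL inspection; plain HTTP requests
    log the full URL and we keep just the hostname.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else url


def parse_line(line):
    """Parse one access.log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]),
        "client": d["client"],
        "status": int(d["status"]),
        "bytes": int(d["bytes"]),
        "method": d["method"],
        "site": site_of(d["method"], d["url"]),
        # Squid reports ACL blocks with a TCP_DENIED* result code.
        "denied": d["code"].startswith("TCP_DENIED"),
    }


def summarize(log_text):
    """Return ({client: {site: {requests, bytes, denied}}}, skipped_lines)."""
    report = defaultdict(
        lambda: defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0})
    )
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = report[rec["client"]][rec["site"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["denied"]:
            entry["denied"] += 1
    return {client: dict(sites) for client, sites in report.items()}, skipped


def format_report(report):
    """Render the summary as plain text, one site per line per client."""
    lines = []
    for client in sorted(report):
        lines.append(f"{client}:")
        for site, e in sorted(report[client].items()):
            lines.append(
                f"  {site:30} {e['requests']:4d} req {e['bytes']:8d} B "
                f"{e['denied']:2d} denied"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    print(format_report(summary))
    print(f"({skipped} unparseable line(s) skipped)")
```

In practice you would feed `summarize` the contents of `/var/log/squid/access.log` (path assumed; it depends on the build) on a schedule and keep the per-client tables, which gives the per-device view the post asks for since devices rather than users are the unit of tracking there. Note that without SSL inspection the HTTPS entries only ever show the hostname from the CONNECT request, never the page or content.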

Evan

Well-Known Member
Jan 6, 2016
Fortinet and Sophos are UTM devices as well.
Sophos XG is free up to 4 CPU / 6 GB RAM to try it out, even if you preferred one of their appliances.

Fortinet seems the best from what I can tell and who I see deploying it and for what but no free option. I see a lot of people using just a plain Cisco ASA (5506-X should do if using no UTM functions) as the edge protection and fortinet as the internal FW and UTM.

(Bluecoat is probably the most popular malware/virus scanning etc product as far as I have seen but is way way above any home use)

For me, I would be tempted, if not at home much, to keep it really simple and use a Sophos or Fortinet appliance only and nothing else.
 

gigatexal

I'm here to learn
Nov 25, 2012
Portland, Oregon
alexandarnarayan.com
I’m not convinced that you need more than the squid* suite on pfsense. What does it lack that the commercial products offer? I’m biased since it’s what I run at home though.

 

Evan

Well-Known Member
Jan 6, 2016
The commercial products are a heap easier to set up than the pfsense squid solution, and upgrades etc. are smoother. And it’s not as if pfsense is totally free: you still have to buy the lists for the anti-malware functions, even if they are not too expensive.

If you're hands-on then build your own hardware and use pfsense; if you just want an appliance then commercial seems a better way to go. A bit sad that pfsense and Netgate seem to be getting out of small home office type appliances. Does not look like C3000 replacements for the C2000 systems will come.
 

gigatexal

I'm here to learn
Nov 25, 2012
Portland, Oregon
alexandarnarayan.com
I can see that. The peace of mind is worth paying for.
 

neggles

is 34 Xeons too many?
Sep 2, 2017
Melbourne, AU
omnom.net
Netgate have been tweeting about their upcoming C3000 platform since March; they've even recently given it a name and shown a screenshot of PFsense running on it, it's called PLCC-B.

OP might even be able to get away with running one of their ARM-based SG-3100 units, or buying one of the J1900 / E3685-powered miniPC boxes you can grab off AliExpress and throwing the free Sophos XG image onto it (which is what I've done a few times now - 32GB SSD, 4GB RAM, 4x Intel I211-AT NICs works very, very well)
 

gigatexal

I'm here to learn
Nov 25, 2012
Portland, Oregon
alexandarnarayan.com
Wow. I might give this a shot.

Only thing is, how do we know these vendors aren’t using something to phone home and mine our data? That’s the only thing keeping me on pfsense; hell, I might roll my own bare OpenBSD setup just to be sure there’s no funny business happening, that or just VPN everything.
 

neggles

is 34 Xeons too many?
Sep 2, 2017
Melbourne, AU
omnom.net
The SG-3100? Or the AliExpress intel boxes?

The SG-3100 is made by a pretty reputable vendor, and (IMO most importantly) it'd cost them far, far more money than it's worth to spy on you.

The AliExpress units are just bare-metal PCs; you can buy 'em with no SSD/RAM inside and they just boot up to a regular old text-mode UEFI BIOS. You can actually find the OEM website for some of the motherboards - I'll see if I can dig it up. At the price they're selling them for, I find it a bit hard to believe there's any spare $ for dedicated spying hardware on the board & (again) spying on you is an extremely expensive operation without much reward for the OEM.

That said, if you buy them with an SSD included, I definitely wouldn't trust the OS image they come with - but it's pretty simple to zero out the mSATA SSD and put a nice fresh Sophos XG or pfSense install on it. If you're feeling ultra-paranoid, buy one without SSD or RAM and add your own 4GB DDR3L DIMM and small mSATA SSD (32GB or so are usually $20-30 2nd hand on eBay) and away you go.

They're neat little boxes; I've purchased four so far from the seller linked in my post above (this one) and they all do what they say on the box. They even included a correct AC cable for my country (Australia) - and the included PSU takes a regular IEC C13 cable in case you live somewhere super-exotic.

I'm hoping that before too long one of these manufacturers will slap a C2000 or C3000 chip on one of these boards so I can run a few small VMs or containers on them at the same time...
 

Rand__

Well-Known Member
Mar 6, 2014
Late to the discussion, but wanted to chime in nevertheless.
I use a Sophos UTM (not XG) box for the same requirements.
The only differences are:
- I whitelist appropriate websites for the kids.
- I am on a 400 Mbit connection only but never had issues - not even sure why the spike is there, never noticed ;)
[attached screenshot: upload_2017-12-31_13-13-37.png]

I run it as a VM on moving hosts (vSAN) so it differs in the actual CPUs used (from 2630L to 2667) but I could make it sticky if needed.
 