Help me pick a replacement home firewall/router

Discussion in 'Networking' started by Diavuno, Jan 30, 2016.

  1. Diavuno

    Diavuno Active Member

    Joined:
    Jan 31, 2014
    Messages:
    839
    Likes Received:
    108
    So I'm familiar with most of the big-name firewall guys. But I broke my hands and I'm not a fan of mandated CLI.

    What do you gents (and ladies?) like?

    I'm currently using a SonicWALL TZ105W (formerly a TZ210 and an ASA5505).
    My colos are using a Palo Alto and a pfSense.

    My current TZ is "ok" but often starts to get slower and slower (over a week) until it needs a reboot. The WiFi sucks, and the Total Security subscription plan just ran out.

    Power and upfront costs are a concern. I'd like to avoid subscriptions and licensing fees if possible.

    It'll be used on a 100/20 pipe, with a good chunk of that being over SSL VPN to my other sites.

    *I've heard good things about MikroTik but have limited exposure... thoughts?
     
    #1
  2. gigatexal

    gigatexal I'm here to learn

    Joined:
    Nov 25, 2012
    Messages:
    2,697
    Likes Received:
    500
    You could rock pfSense without a command line (after the initial setup). The web GUI works, and once I have it set up I haven't touched it except for upgrades.
     
    #2
  3. T_Minus

    T_Minus Moderator

    Joined:
    Feb 15, 2015
    Messages:
    6,838
    Likes Received:
    1,491
    Running a Zyxel USG50 @ home and it does everything I need with a great (IMHO) web GUI.
     
    #3
  4. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,573
    Likes Received:
    4,515
    The pfSense Web GUI is getting updated in the next major revision.

    pfSense -> pfSense is very easy. Unless there is a good reason, I would limit the number of different types of appliances you are using. Less nuances to learn.
     
    #4
  5. T_Minus

    T_Minus Moderator

    Joined:
    Feb 15, 2015
    Messages:
    6,838
    Likes Received:
    1,491
    I agree, lol!! Deployed the same at my parents, and have a 3rd I traded for going to my brothers place here soon. Only issue I ran into when doing router<->router ipsec was not realizing it wasn't actually saving my updates, and trying to troubleshoot the connection was a big circle of nothing being wrong, LOL!!
     
    #5
  6. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    427
    Likes Received:
    142
    Another +1 for pfSense.

    I am not too fond of using MikroTiks for firewalls; they have some weird security defaults, and their new "fasttrack" functionality to improve routing performance is really just doing less connection tracking, which I suppose could be considered a weakening of the SPI functionality of the FW (I have not seen any attacks using this, however, and it can be disabled).

    Another reason not to use MikroTik for firewalls: no IDS/IPS, and OpenVPN mode is gimped (no UDP mode and some other stuff is missing), so if you want SSL/TLS VPN they suggest you use SSTP.

    If you end up using pfSense and intend to use an IDS, remember to purchase the relatively inexpensive Snort signatures; a personal license is only 30 USD/year. And for the record, you can use Snort rules even if you choose to use Suricata rather than Snort.
     
    #6
    Patrick likes this.
  7. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,865
    Likes Received:
    429
    I use an EdgeRouter Lite for a router. It handled my 1G fiber connection fine. Cheap and high performance.

    For a firewall I am considering a pfSense appliance shortly.
    Hardware Requirements and Appliances for pfSense
    Again low power, easy to set up and cheapish.

    Your setup must be a real power hog! Aside from 20+ cents per kWh here, I just hate the noise, heat, and principle of the big devices. (Leave that stuff in the datacenter where it's really needed.)
     
    #7
  8. Visseroth

    Visseroth Member

    Joined:
    Jan 23, 2016
    Messages:
    61
    Likes Received:
    1
    +1 pfSense, been using it for 8 years. Don't get me wrong, it has its bugs from time to time, but they do fix the bugs and accept reports on them.
     
    #8
  9. bds1904

    bds1904 Active Member

    Joined:
    Aug 30, 2013
    Messages:
    271
    Likes Received:
    76
    Ready-to-roll: EdgeRouter Lite

    Roll-your-own: Atom C2xxx & pfSense, or the $300 Atom box from pfSense
     
    #9
  10. gigatexal

    gigatexal I'm here to learn

    Joined:
    Nov 25, 2012
    Messages:
    2,697
    Likes Received:
    500
    +1 to that: C2xxx series chips have onboard crypto for accelerated OpenSSL/VPN, which is really nice.
     
    #10
  11. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    427
    Likes Received:
    142
    I assume you are talking about AES-NI, because the QuickAssist engine is, as far as I know, not yet supported by pfSense.

    For the record: AES-NI is also supported by a lot of cheapish board + CPU combos, like the newer Atom N3700 and the AMD AM1 "series" (sorry, I forgot the codename, but look at the Athlon 5350 for a CPU). Just note that you will most likely want to add a separate NIC, and you do not get many PCIe lanes for it (if there are extra devices you usually only get a single lane).

    Nevertheless the "C2xxx series" is overall a nice platform; you usually get 4 "Intel" NIC ports (using a Marvell PHY, but the controller is Intel), and support for a lot of ECC memory.

    If you are feeling adventurous, an interesting board might be PC Engines' new APU2 series: Intel NICs and a decent CPU with AES-NI for not that much money. It looks ideal for home pfSense use.
    But do your own research, because PC Engines had quite a bit of trouble with the BIOS of the APU(1) boards.
     
    #11
  12. gigatexal

    gigatexal I'm here to learn

    Joined:
    Nov 25, 2012
    Messages:
    2,697
    Likes Received:
    500
    Hmm, didn't know that about pfSense, thanks for the clarification.
    From pfSense Digest » Recent developments in pfSense, so perhaps we'll see it in the next version of pfSense if not there already.

    I've been toying around with the idea of doing the opposite of what the OP wants, rolling my own router using OpenBSD probably, but I am not fond of losing the comfort of the web UI.
     
    #12
    RTM likes this.
  13. Jeggs101

    Jeggs101 Well-Known Member

    Joined:
    Dec 29, 2010
    Messages:
    1,466
    Likes Received:
    216
    #13
  14. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    427
    Likes Received:
    142
    Sounds like a pretty nice plan. OpenBSD is awesome, and remember: rather than losing the comfort of the web UI, you rid yourself of the attack vector it is.

    EDIT: Oh, and I almost forgot, No Starch Press has a book on pf; that in itself is almost a reason to do a router/firewall with OpenBSD.
     
    #14
    gigatexal likes this.
  15. abulafia

    abulafia Member

    Joined:
    Jun 17, 2014
    Messages:
    49
    Likes Received:
    5
    Originally I used EdgeRouters for my extended LAN, but have come to despise them; 2 of 4 failed, maybe a third at a remote site recently. And the RMA time was painful, as it has been on UniFi. And you either have failure-prone USB storage (see the forums, also see the replacement alternatives threads; this is used on the ERL and ERPOE, I own one of each) or onboard soldered-down flash that can't be replaced (ER8, ERPro8) or reinstalled from scratch (unlike the cheaper ones) or done in RAID, and a power loss at the wrong time in conjunction with UBNT's anti-counterfeiting code will leave you with a $300-400 brick if out of warranty, and without a router for a couple of months or more if in warranty. (Ask me how I know.)

    I do like the ER-X for $50 but only use it as an L3 segment switch (eth0/PoE is not switched with the other four ports, but if bonded it is a nice place to put chatty low-bandwidth 100BT devices, plus 12-18V passive PoE or splittable out for a WISP-type AP or anything else (like a 12V/USB for an rPi AirPrint/CUPS/USB-Ethernet print server), and maybe some filtering or rate control on broadcast and multicast traffic). I actually bought a pair to have a simple physical VRRP lab plus an almost drop-in backup for the ERL/ERPOE. Nice Swiss army knife. But that's about it.

    I swapped my ERPro8 for a Supermicro C2358 LN5F with the LAN bypass, intending it for failover after the router-failure scars, and it actually draws 2/3 to 1/2 the wattage of the Pro8, running VyOS. Nevertheless, I wish I had spent the extra money on the C2758 LN7F for the cores and RAM, so I could have just rolled over into VyOS as an appliance and then, after tinkering, into a special-use VM host, taking WAN Ethernet in on a tagged VLAN and exposing it to various VMs in a VRRP group (to virtualize the router at the IP level, not the VM, to make it hypervisor agnostic), possibly using the LAN bypass to fail into a second group.

    It's become even more important, as this summer I pretty much only had untagged/tagged WiFi for UBNT's mFi power monitoring (lovely hardware, abandoned software that the team wasn't competent to develop, as per UBNT's rep in that forum) and tagged 10GbE, but I now have 6 constant-use VLANs, plus guest, lab, and L2TP, IGMP snooping/forwarding for my "consumer/dial home" device VLAN (though done at the switches and slow to discover/query), and now a broken router breaks inside and outside things. And my router is there chugging along at 0.7-3% CPU use on one of two cores and 1/16GB ECC used. Super reliable, but not enough cores or RAM to be repurposed as much more, and the power draw between that and my C2558F or C2750... it was a beautiful mistake not to get all 8 cores and the extra two DIMM slots.

    So if you want a single device, the ERL or ERPOE (particularly nice for the 3 switched ports and 24V/802.3af dual PoE/onboard choice) if you can suffer a failure, can wait to get at it, and have time to do the EdgeRouter rescue kit/PXE/TFTP routine (better: open the thing and image the USB before powering on); pass on the ER8/Pro. Very nice are the Rangeley options: even if not cabled for VM host and egress routing failover, you can fail over VRRP or auto-start another VyOS VM if a misconfig kills you, plus the datastore can be RAID1, but for the price difference, get all 8 cores.
    But it doesn't have to be that: anything cheap with AES-NI (I have yet to see a VyOS package which uses QuickAssist) and a PCIe slot and a spare DDR3 DIMM... it will draw much less than the 30-40W the ERPro8 does, have more RAM, and with even just two USB sticks, if not a pair of 16GB SSDs, you'll have more reliability and less brickability for maybe 1/3 of the cost. With the right setup, you don't even need a second NIC, though... performance, and definitely complexity.
     
    #15
    Last edited: Jan 31, 2016
  16. Diavuno

    Diavuno Active Member

    Joined:
    Jan 31, 2014
    Messages:
    839
    Likes Received:
    108
    So I'm totally fine with a little CLI, but it's slow.
    I'm OK with pfSense, I've been using it on and off for years.

    As for power and heat, yes it's a concern, but more a concern for power.
    Yes, it needs to be pretty powerful, as my business hosts VMs for some of my clients, and my home is a DR site. If the client's setup fails, I have a half rack in colo; if that fails, my home takes the load. It's also a collection of historical backups for said clients.
     
    #16
  17. Diavuno

    Diavuno Active Member

    Joined:
    Jan 31, 2014
    Messages:
    839
    Likes Received:
    108
    Depending on price I might build up a Cxxx Atom with a couple of SSDs for Squid.

    I know some vendors make mITX with 2+ DIMM and 4+ GbE.
     
    #17
  18. Quasduco

    Quasduco Active Member

    Joined:
    Nov 16, 2015
    Messages:
    125
    Likes Received:
    46
    If you have a more serious business need for good uptime, regardless of what solution you end up with, I would strongly suggest having redundancy. The pfSense solution is nice for the ability to throw it on an old backup PC easily.
     
    #18
  19. abulafia

    abulafia Member

    Joined:
    Jun 17, 2014
    Messages:
    49
    Likes Received:
    5
    Actually, even on EdgeOS, I barely use the web interface any more. Their new SPI web graphic stuff is nice, but very RAM-intensive on such small boxes. And iptraf is more controllable. And logging is better done elsewhere. But it is nice, even if the current 1.8b3 EdgeOS locked up my girlfriend's router (yes, one of my "decommissioned" ones, and she knows SPI is there, by request for other "users") in under two days, though it's been ok elsewhere on the 1.7 point release. But that's it for the GUI. Also, more attack surface, and the certificate is annoying to replace: not built into anything, GUI or CLI, not a symlink to a persistent file in /config... and with 512MB, I'd rather it spent it on conntrack than lighttpd.

    But the CLI/autocomplete/inline help is pretty fast (in fact, the only thing of use in the EdgeOS GUI is the config key "map" to show all the CLI options, but even then, setting them is faster in the CLI vbash). Say you want to copy a single DHCP scope, comprising boot options and multiple subnets, like if you were doing some sort of multitenant thing. Or not multitenant, but the same network, where you'll change the subnet for each, but the VoIP phone TFTP options and internal DNS are the same. Only one of these exists, called foo.

    ed<tab>it ser<tab>vices dhcp-s<tab>server
    co<tab>py sha<tab>red-network-name <tab>foo <tab> to <tab> shared-network-name bar1

    Then press up arrow, erase the 1 and hit 2 for bar2, up arrow again, bar3 and so on.
    Everything in italics isn't a key press.
    Now you have a lot of clones of DHCP foo named bar1...

    And even faster is editing config.boot in a text editor, or doing the above in the CLI to make nice templates and then just search/replace. Want a failover router? Copy your running router's config.boot, overwrite the default one in a VM, set the new IP and make the new VRRP IP where it currently is. Then boot/cable switch to that new config. Or commit the changes to the running HW router as the new ones wait for it to join them in an existing VRRP group.

    Want another? Take that new text file and paste it into a new VM and just change the inter-router and LAN IP. And a third. Bam, three failover routers. And if they are VMs, just clone after shutting down step one and change one or two numbers (literally) in a text file before plugging them into a vswitch. Or of course script it.

    The only advantages right now for EdgeOS are the new routing things in 1.8b3, mostly for external labeling (which doesn't apply to me and I can't speak towards), and the resolution of a VTI/L2TP conflict that has been around for a long time, which unfortunately does apply, and I will not go back to IPsec tun (yes, GRE, I know). But it's been a little unstable anyway.

    Doesn't matter. Yes, you could buy more than one EdgeRouter and have drop-in spares, with service denial and hope your latest commits made it to your syslog, and pull it from there. You could VRRP them, but with that cabling and ideally independent UPS/outlet/circuit chains, and with customers' services on the line, you probably have spent more than the box cost, and have a lot more in income to lose. Or you could have a roll-your-own Supermicro Rangeley with RAID (natively supported as part of a VyOS install) and swap a drive. Or buy a Lanner or Netgate box for a bit of middleman overhead.

    Or you could virtualize the IP at the service level inside the VM across (virtual) machines and (physical) hypervisors (hell, a VyOS VM and a UBNT ERL will fail over on the same gateway IP just fine, let alone VyOS/Hyper-V and VyOS/ESXi) *and* get the cluster/replication you get with VMs. Don't migrate them though, even across the same hypervisor; you don't want the copy time, and it may also limit the advantages of any CPU acceleration if you have it going across CPU architectures. Let them use the native CPU features if available (and it won't cause failure if an Avoton takes over for a Rangeley, for example).

    Much of it depends on what you can afford to lose with a service failure, and the cost of managing failure avoidance.
    It goes without saying that spinning up some VMs is as "free" as the hardware cost of what is probably the most reliable option; it doesn't change the fact that someone has to manage the juggling balls and test the redundancy.
     
    #19
    Last edited: Jan 31, 2016
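The clone-then-search/replace routine abulafia describes, as an added example that is not from the thread or from Ubiquiti/VyOS: a small Python script that parses a constructed config.boot fragment, clones the `foo` shared-network as `bar1..barN` with a renumbered /24, and writes the result back in config.boot syntax. The sample config, the `bar` prefix and the third-octet renumbering scheme are assumptions for this example.

```python
import re

# Constructed sample in EdgeOS/VyOS config.boot syntax (not from the thread).
SAMPLE = """service {
    dhcp-server {
        shared-network-name foo {
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.0.53
                tftp-server-name 10.0.0.5
            }
        }
    }
}
"""

def parse(text):
    """Parse brace-structured config.boot text into nested dicts (leaf -> value)."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value  # repeated leaf keys are not handled here
    return stack[0]

def emit(tree, depth=0):
    """Serialise a parsed tree back into config.boot syntax."""
    pad, out = "    " * depth, []
    for key, val in tree.items():
        if isinstance(val, dict):
            out += [f"{pad}{key} {{", *emit(val, depth + 1), f"{pad}}}"]
        else:
            out.append(f"{pad}{key} {val}".rstrip())
    return out

def clone_shared_network(tree, src, prefix, count):
    """Clone shared-network `src` as prefix1..prefixN, bumping the third octet of
    its /24 per copy; addresses outside that /24 (shared TFTP/DNS) stay as-is."""
    dhcp = tree["service"]["dhcp-server"]
    block = dhcp[f"shared-network-name {src}"]
    subnet = next(k for k in block if k.startswith("subnet ")).split()[1]
    a, b, c, _ = subnet.split("/")[0].split(".")
    old = re.escape(f"{a}.{b}.{c}.")
    text = "\n".join(emit(block))
    for n in range(1, count + 1):
        # Search/replace on the serialised block, as the post suggests, then re-parse.
        copy = re.sub(rf"(?<![\d.]){old}", f"{a}.{b}.{int(c) + n}.", text)
        dhcp[f"shared-network-name {prefix}{n}"] = parse(copy)
    return tree
```

Running `"\n".join(emit(clone_shared_network(parse(SAMPLE), "foo", "bar", 3)))` yields the original block plus bar1..bar3 on 10.0.2.0/24 through 10.0.4.0/24, ready to paste into a VM's config.boot as the post describes.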
  20. gigatexal

    gigatexal I'm here to learn

    Joined:
    Nov 25, 2012
    Messages:
    2,697
    Likes Received:
    500
    So much good info here.
     
    #20