Help me pick a replacement home firewall/router

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
A

abulafia

Member
Jun 17, 2014
49
5
8
Manhattan
One other reason to virtualize at both levels - with a hypervisor at the edge, a separate, independent, non networked even, IDS is free, not running on your router and increasing it's complexity, dependencies, and vulnerability/attack surface. It's not the same as a tap, but there's definitely no special mirror switchport to config and make sure no one uses, no expensive gigabit tap or several with cabling redundancy, and has no electrical overhead or infrastructure other than more CPU cycles.

Electrical power matters because more power = less UPS run time (and expansion and/or redundancy) and more heat both in machine and in room which means more fan speed with even warmer air which means more power which means...
 
Last edited:
A

abulafia

Member
Jun 17, 2014
49
5
8
Manhattan
Argh. One other thing about the CLI. I have seen many devices, in fact pretty much everything SoHo up, that allows you to apply changes to your running configuration independent of saving them in the startup config. What I have never seen is a web GUI that lets you make changes across multiple pages and page loads, possibly conflicting with each other or with the running config and then apply them, let alone save them. If that sounds useless, or bad even, consider remoting in to do a new VLAN, a subnet, a DHCP server, static route, a modification or added IPSEC tunnel to an existing IPSEC ESP/IKE group going to another site. In every web GUI I've seen, that's several pages of hitting apply, also not looking at the whole new config to sanity check it, and not having it run all the changes together at once.

It's not just that you have to be careful about the order of the applied changed, it's not just that you can look over all the changes at once before applying them, but there may not be any way to do it in sequential steps, those steps being somewhat arbitrary based on what a designer thought should go on a single page load, without cutting off a LAN segment at that site, breaking its tunnel to another site, doing God knows what to L3 routing with a wrong L2/VLAN setup, and God help you, cutting off your access to both sites. Remote VLAN changes are tricky enough, but if that perimeter router is doing tagging, you might not be able to avoid the mess in the first place and may not be able to clean it up remotely, or even have privileges to do it on site (wrecking someone's hosting/tenancy) etc.

I know that's already a risky practice, and there should be notices, emails, out of band cell access, whatever. But if you're making a service change that affects multiple OSI layers, web GUIs will wreck you and not just even give you a chance to look at what you're about to do, but force you to do it blindly and in possibly an arbitrary and /actually/ incompatible order.
 
Last edited:
Diavuno

Diavuno

Active Member
Jan 31, 2014
864
109
43
SF bay area, north of silicon valley
www.Diavuno.com
Oh I understand the argument of CLI vs WebUI but it comes down to a couple key issues (for me anyway)

First is I manage many companies and the Web UI's are all more or less the same 2 styles. It takes less for me to learn than learning each vendors CLI.

Second, I was in a nasty motorcycle crash and paralyzed my whole arm and really screwed up my opposite hand. Typing is no easy task for me these days. Using Voice to text helps, but that is not very accurate and not an option for CLI of any type.
 
C

canta

Well-Known Member
Nov 26, 2014
1,012
216
63
43
Diavuno said:
Wasnt there a huge argument on virtualizing a firewall as it would be open to attacks on both the firewall or to the hyper visor.
Click to expand...
totally still valid today ...

I believe Virtualizing router/firewall is nothing to worry as long as some rules in strict rules:
1) patch security update as soon as possible on baremetal.
2) update online virus database (I uses clamav, not good but free hahaha).
3) update security package on router/firewall

the most attack that should successfull is attacking for inside newtwork :D. Many security breach start with internal breach, such as: installing mallware unintentionally from shared USB stick, social engineering trick, and others...
 
N

Nnyan

Active Member
Mar 5, 2012
148
52
28
Just to throw my two cents in here but I'm currently (re) testing pfSense and Sophos UTM. I have them both running in VM's on ESXi 6. I haven't made my mind up yet and I'm trying to forget my previous experiences with both. I've read some of the concerns about running your firewall on a hypervisor but I tend to keep my things updated and patched. I think the risk is minimal.
 
R

RyC

Active Member
Oct 17, 2013
359
88
28
I also think for a home(lab) environment, virtualizing the router with pfSense is great. But it also may depend on how often you take the hosts down (to tinker or update etc) and whether you (and your household) is OK with the downtime to the Internet.

But in 4 years of running pfSense in a VM, I can't think of a single instance where things got messed up and I thought "man, having a dedicated box for the router would have prevented this from happening"
 
A

abulafia

Member
Jun 17, 2014
49
5
8
Manhattan
I think it's more than that, that it's just ok for lab or home, especially since the OP mentioned that there is a business element to it in a post. But let's assume, given that we're on this forum, that whatever the hardware or budget, the idea is to do the best with it (excepting crazy complexity/crazy failure home labbing). The minimal, but non zero, downsides of having an added vector in attacking the hypervisor are probably considerably less than having no failover whatsoever. And that doesn't just include hardware failures or LBFO, but potentially security vulnerabilities.

If this is single box and bare metal, then the only way to do, say, a kernel reinstall/module/significant library update requiring a reboot, will mean a choice between data loss/DOS/penetration and breaking a transfer, including archives, or a tunnel or remote sessions. Both are service failures to the needs of a user/users. Now that could be avoided with "in service" virtualization - i.e. VRRP, CARP - and rolling patches, and since we care about the service of moving packets, I'd rather a packet routing aware failover method over general VM clustering, but I'll take both.

But for a virtual gateway IP, which also means not waiting for clients to fail traffic until they go to the next router IP in their DHCP lease (if ever), and with a single box, that means VMs.

(And if there are two inband egress gateway IPs, why aren't they running as the same inside IP anyway, and two IPs likely means two boxes, so it's moot as to what to do with a single box).

Also, if they are doing VRRP load balancing, well the reason I went VyOS over pfSense, aside from experience with EdgeOS and preferences to a more "serious" heritage and smaller footprint, was pfSense/pf single threadedness, though I understand that has changed this year. Prior to that, the only way to leverage a multicore CPU, which is everything these days, for the primary and often latency dependent job of routing, would have been single vcore VMs in LB. But I guess that's historical now, assuming that the "new" pf is well tested.

Of course, better is two boxes and then there really is a debate between "two bare metal installs doing VRRP" or "two special purpose type-1 hypervisors with VRRP enabled routers." Note that I'm not talking about failing over to internal VM host clusters, or running other services on them, though I think if it's the only way to do an IDS too, it's a positive trade off. All that is certainly doable - Amazon doesn't have special racks for the virtual routers providing multitenancy for cloud compute; it sort of defeats the purpose, let alone google running user sessions in containers, not even VMs - but that is "factory" level economy of scale with teams upon teams of people managing an unending perimeter.

And that ties in nicely with the last thought I had - with all the baked in ASIC appliances we trust to doing L2 VLAN segmentation or L3 routes and firewalls, with lowest cost expenditures in fixed, SMD soldered down RAM and storage, and being a custom platform that only one team in a specific company can support... between the virtual switch code in ESXi, KVM, Xen, or Hyper-V, or the code in maintenance phase (with the equivalent staff reduction in the dev team) for a years old Broadcom embedded device like my 10G Dells, who do you expect to cover the next Heartbleed quicker, or be less likely to overflow something, lose Q tags and start putting BYOD wifi -or server- traffic through untagged on a trunk port? Everyone has tablets, whether a company bought them or not, and especially if it's their property, good luck getting OS level restriction control of the device. Even if you aren't Amazon, the perimeter and malware and fuzzers are already inside. Which patch release schedule do you want to be on - the x64 vswitch, or the old custom silicon? I'm only talking about the security element of patch frequency/interest and likelihood here, not suggesting replacing switches.

In double checking stuff and grabbing a handful of links, I came (back) across CloudRouter® | Router Distribution for the Cloud . I totally have to play with it, especially as its out of beta as it was when I first heard about it. More so now that I have a bunch of docker VMs. Not really the type of software/use case we're talking about, but interesting.
 
You must log in or register to reply here.
Top Bottom