Another firewall advice

SSri

Regular Contributor
I have lost my second pfSense router to another friend of mine, for the 2nd time in as many years! Anyway, they were on old hardware and I was planning an upgrade, because we have started planning a home-automation project.

We want to lockdown the network before we do anything on this front.

The Virgin business broadband for home is on their Hitron router, connected to the Cisco Switch serving the whole house. The Unifi AC Pro does the Wifi duties.

Given the home automation project, we certainly require an IDS/IPS system to monitor the network. A decent system is what we require.

I am thinking of getting a refurbished 4- or 6-core 10th/11th Gen Intel Dell OptiPlex, which is available at the Dell outlet for £400-£500. Another alternative is getting a used server from Bargain Hardware.

I am sure both are more than enough to support the IDS/IPS.

My only concern is that the Dell server and the CPU are older hardware. I also need to speak to Dell about whether their OptiPlex will allow me to stick in an Intel network card.

Please advise what you guys think.
 

sfx2000

Part of the Furniture
Take a look at the link below - servethehome.com has been running a series on the mini desktops in the 1L class...

Many of these have a PCIe slot where one can drop in a multi-port Ethernet card, and should be fine with pfSense.


Here's a post specifically about building a pfSense box with the 1L class units

 

Tech9

Part of the Furniture
Please advise what you guys think.

I think you're crazy. For a little more than £500 you can get a ready-to-go Netgate 6100 10Gbps firewall with a pfSense Plus license. If you want to go the DIY way, get an SFF PC under £100. Any HP/Dell business-class PC with a 3rd/4th Gen desktop i5 and 8GB DDR3 RAM is plenty fast and reliable.
 

SSri

Regular Contributor
Here's a post specifically about building a pfSense box with the 1L class units
Many thanks. I saw that post; I will read this article and the rest in detail.

I think you're crazy.
Thank you for your insight; haven’t seen the need to see a psych yet! ;-)

Tbh, I am indeed keeping my eyes open for a used low-powered SFF. Haven’t had much time to look at it seriously though!

With the current electricity prices, where they will be in the future and my requirements, I need to be very careful with my choice.

Furthermore, with our home automation plans for all switches, some sockets, radiators, blinds, garden, etc., I want a system that is very capable of handling IDS/IPS. I have heard of the CPU load often hitting 100% with this. The last thing I want is the system bottlenecking and the need for an upgrade. I would rather play safe than the other way around.

Frankly, I don’t know how detailed the IDS/IPS needs to be with our IoT devices. I know there are going to be a lot of them, a combination of wired and wireless perhaps.

Many thanks for your inputs. Appreciated!
 

Tech9

Part of the Furniture
Furthermore, with our home automation plans for all switches, some sockets, radiators, blinds, garden, etc., I want a system that is very capable of handling IDS/IPS. I have heard of the CPU load often hitting 100% with this.

You're still crazy. :)

The Netgate 6100 is under 10W in normal use and can do >Gigabit IDS/IPS multi-core. What home automation will have Gigabit traffic? And what is IDS/IPS going to do with mostly encrypted traffic? Are you planning to run a network-wide proxy and bang your head against a wall of the other issues associated with it? What hardware was your previous pfSense firewall running on, and what was the CPU utilization, with what packages?
 

coxhaus

Part of the Furniture
I think when you add IDS/IPS to pfSense it gets cumbersome with lots of manual support. If you want a good firewall, look at Untangle. They have a low price for home users. You can load it on a PC the same as pfSense. I have run both.
 

Smokey613

Very Senior Member
I previously ran pfSense and currently have Untangle on this little box. It runs everything fine, has AES-NI support, and built-in wifi for remote admin if needed.

Vnopn Fanless Mini PC 4 Intel NIC Gigabit Ports, Micro Network Firewall Appliance/Gateway Soft Router Mini Computer Intel N3700 Quad Core, Support AES-NI, 8GB DDR3, 128GB mSATA SSD


Once I dug into what the requirements were to use IPS/IDS that could even halfway monitor encrypted traffic, I determined I would be spending all my time administering the IPS/IDS system. Not worth it to me for a home network. The Untangle box is sitting on the bottom shelf in my network cabinet collecting dust. My subscription runs out soon and I have no plans to renew.

For now, my old RT-AC1900P is handling all routing duties and 2 eero pros are doing wifi duties.
 


Tech9

Part of the Furniture
Untangle is more user-friendly, but the Home Pro package is $150/year. Snort in pfSense has easy-to-use pre-defined rule categories; Suricata is not very hard to set up for someone who already had a pfSense firewall. pfBlocker may break things if not used wisely. Another option is Sophos firewall; I think they have a Home version too. None of that is needed for home automation though. If the firewall blocks what IoT needs, the IoT stops working - as simple as that.
 

SSri

Regular Contributor
Many thanks for all the inputs folks. Much appreciated.

The Netgate 6100 is nice but becomes very expensive after import duties and VAT. I can have a better system at lower cost. I would rather get an over-spec unit than cheap out here. I don’t want buyer’s remorse. Call me crazy or whatever! :)

It’s not just securing the IoT devices on our network; the compromises may originate in many forms, including the security vulnerabilities of the devices themselves.

We are not comfortable assuming that secured IoT devices do not have to be monitored. Sure, we will encrypt / secure them, but we want to feel comfortable in the knowledge we have tools at hand to review the encrypted traffic.

I haven’t spent much time looking at Suricata yet, but I know it benefits from multi-core and decent RAM capabilities. It will be a pain and a chore to manage it manually, though.

I am indeed keeping my options open between pfSense, Untangle and Sophos.

As far as the home automation is concerned, if we choose to have them wired, it stays purely local with remote access through VPN. It is a different story if we go wireless, as we may not have the luxury of breaking the walls and opening the floor everywhere.

Thx
 

Tech9

Part of the Furniture
We are not comfortable assuming that secured IoT devices do not have to be monitored.

Put some cloud cameras, video doorbells, Google/Amazon microphones, Chinese smart switches and power plugs there, and you become the monitored one voluntarily. Someone in the world knows where you live, what time you are usually home, what time you wake up in the morning, what color lights and what style of music you prefer; someone may even have pictures of your family members. You unlock your door and secure it with a piece of tape.
 

SSri

Regular Contributor
you become the monitored one voluntarily.
Do you think it doesn’t happen without it? Alas, certain sections of our society do attract attention for certain possessions. They lose them in a 30-minute window.

It’s all about protecting us from ordinary forces. We know any security is no security for determined thieves and hackers. Nobody stands a chance against them.

BTW, no vendor clouds or some big cloud services for us.
 

SSri

Regular Contributor
Of course, it happens all the time. Home automation makes it easier and more precise.
If we aren’t careful, yes, the risk is elevated unfortunately. Automation on a local network is OK, though.

The problem is if we get smart plugs which require an account to be created and sync to the vendors’ cloud. They collect more than what is required. Seriously?

Most of the population don’t understand the implications. We have none of it at our place.
 

coxhaus

Part of the Furniture
You can monitor the encrypted traffic, but pfSense does not have the ability to look into the encrypted traffic like Untangle. Or at least they did not have that when I last looked? No consumer routers can.

I found Untangle pretty much ran its own IDS/IPS without much interaction. If you want to look into the encrypted traffic, then I would think that would require interaction, as I have not run that feature.
 

Smokey613

Very Senior Member
Is there a reason why you no longer use it please?

That’s expensive, is it not? That’s the price of an enhanced CX! :)

Untangle has a very friendly user interface. After using it for a while, I am not sure it provides enough increased security over what I am currently using to justify the subscription cost.
 

coxhaus

Part of the Furniture
I had a relative sleep over with his laptop when I was running Untangle. His laptop had SPAM on it and it tried to SPAM the internet from inside my network. Untangle would not allow his laptop on the internet, as it was blocked by Untangle. Untangle is the only firewall that I have run that does this sort of thing on outbound traffic.

Once I removed the SPAM on his laptop it worked fine.
 

Smokey613

Very Senior Member
Well, my Untangle box is still set up. All I have to do is replace the 1900P with it and my network will come right back up. I have 50 devices, but if I set up a bypass rule for a couple of "benign" IoT devices I can stay under the 50-device limit required by my Home Protect Plus subscription. Who knows, I might give it another whirl.
 

Tech9

Part of the Furniture
You can monitor the encrypted traffic, but pfSense does not have the ability to look into the encrypted traffic like Untangle.

Untangle can't look into encrypted traffic, @coxhaus. A proxy is needed for any firewall to do that. But this is way too much for what we discuss here. A separate IoT network with no access to the main network is what most people use, and it's good enough. Home routers use guest networks with some separation; more advanced routers/firewalls may use VLANs. It can be done with Asus home routers as well, but not on Asuswrt. I believe @eibgrad runs a similar setup, or at least he was showing how to do it with FreshTomato in another thread.

Here is an example/guide, applicable to home network:
 
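Worked example, added here and not taken from the thread or any guide it links: the "separate IoT network with no access to the main network" layout above, written as a pf ruleset (the packet filter pfSense drives). Interface names, the VLAN id and the subnets are assumptions; pfSense builds the equivalent from its GUI rules.

```pf
# Assumed interface names and addressing (not from the thread)
wan_if  = "igb0"
lan_if  = "igb1"
iot_if  = "igb1.20"          # VLAN 20 tagged on the LAN port, mapped to the APs' IoT SSID
lan_net = "192.168.1.0/24"
iot_net = "192.168.20.0/24"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
scrub in all

# NAT both internal networks out to the Internet
nat on $wan_if from { $lan_net, $iot_net } to any -> ($wan_if)

# Default deny, logged, so anything not matched below shows up in the firewall log
block log all

# Management LAN may initiate to the IoT VLAN (local control of devices) and to the Internet.
# State tracking lets the replies back, so the IoT side needs no rule for them.
pass in quick on $lan_if from $lan_net to any keep state

# IoT VLAN: DHCP, then DNS/NTP to the firewall's own address on that VLAN
pass in quick on $iot_if inet proto udp from any port 68 to any port 67 keep state
pass in quick on $iot_if inet proto udp from $iot_net to ($iot_if) port { 53, 123 } keep state
pass in quick on $iot_if inet proto tcp from $iot_net to ($iot_if) port 53 keep state

# IoT VLAN: may not initiate into any private range (the LAN, the firewall's LAN side, other VLANs).
# Logged, so an IoT device probing the house network is visible in the logs.
block in log quick on $iot_if from $iot_net to $rfc1918

# IoT VLAN: everything else (Internet) is allowed; tighten per device where the vendor documents its endpoints
pass in quick on $iot_if from $iot_net to any keep state

# The firewall itself (resolver, updates) may go out on WAN
pass out quick on $wan_if from ($wan_if) to any keep state
```

An IDS on the IoT VLAN still cannot read the encrypted payloads, as Tech9 notes; what the ruleset gives you is containment plus a log line for every blocked east-west attempt.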
