Firewalla Gold

For you guys that run pfSense, do you run IPS/IDS on it? If not, then Firewalla will be a higher-level firewall because they run some kind of IPS/IDS.

I am trying to figure out if pfsense users really use SNORT etc.
Yes
 
I don't do IPS/IDS as it requires SSL decryption on router side, in order to work properly.
However, I use pfblocker that creates firewall IP lists using feeds from Talos, Spamhaus and many more.
It also creates rules for porn and ad blocking. This combined with Quad9 for malware, creates a very powerful DNS firewall.
I don't see Talos on the list. I see Spamhaus, Dshield, and iblocklist.com.
Packages — pfBlocker-NG Package | pfSense Documentation (netgate.com)
Talos is Cisco.

Threat Protection in OSI layer 7 is lacking in pfsense. I don't believe you can block at the application layer. You have to block at lower levels. I don't believe you can add a block for Facebook on pfsense. At least I don't remember it.
 
It has a Talos-Snort list.
It is true that it cannot block an app on layer7.
However, you can add a feed from github that contains, let's say, Facebook's list of domains and IPs, and you can block them on firewall and on DNS level. Here is an example.
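As an added illustration of the feed-splitting step (this is not code from the thread or from pfBlocker-NG, and the feed below is constructed): a small Python helper that sorts a mixed GitHub-style list into the two kinds of entries pfBlocker-NG consumes, IP/CIDR entries for a firewall alias and hostnames for the DNSBL, and then shows which list would catch a given destination.

```python
import ipaddress
import re

# Constructed sample feed (not a real list): the line styles commonly
# seen in community blocklists on GitHub, deliberately mixed together.
SAMPLE_FEED = """\
# constructed demo feed
157.240.0.0/16
31.13.64.0/18
2a03:2880::/32
0.0.0.0 facebook.example
127.0.0.1 static.facebook.example   # hosts-file style entry
not a valid entry
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def split_feed(text):
    """Sort a mixed feed into (ip_entries, dns_entries, rejected).
    IP/CIDR entries belong in an IPv4/IPv6 firewall alias, hostnames in a
    DNSBL; anything that parses as neither is reported, not silently kept.
    """
    ips, domains, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            line = parts[1]  # hosts-file style: keep only the name
        try:
            ips.add(str(ipaddress.ip_network(line, strict=False)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(line):
            domains.add(line)
        else:
            rejected.append(raw)
    return sorted(ips), sorted(domains), rejected

def blocked_by(dest, ips, domains):
    """Which list catches a connection to dest? A bare IP never touches the
    resolver, so only the IP alias can stop it; names are checked DNSBL-style."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        labels = dest.lower().split(".")
        # assumed zone-style match: a listed name also covers its subdomains
        hit = any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))
        return "dnsbl" if hit else None
    return "ip-alias" if any(addr in ipaddress.ip_network(n) for n in ips) else None
```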
 
My understanding is you need to pay for Talos lists and you need to run SNORT which you said you didn't run SNORT only pfBlocker.

DNS will not help you if you manually enter an IP for Facebook. Yes, if you block all the IPs but almost impossible with big sites like Facebook. The IPs are very dynamic for sites like Facebook. At least they were back when I worked.
 
I would probably recommend this over pfsense for new users,
@avtella - are you able to expand on this at all? I seem to be back and forth quite a bit between the ease of installation vs long term reliability between Firewalla and a Netgate pfsense box (4100/6100).
 
Firewalla is a consumer product. It's made easy for people with not much networking knowledge. Whether they will survive on the competitive consumer market is unknown. Netgate has different target customers and pfSense is a different application product. No direct comparison between the two.
 

New Years Eve, really? :)

So, what do you recommend, and what do you use?
 
New Years Eve, really?

It was New Year's Eve day... do you know how long it takes for 3 women to get ready? :)

what do you recommend

It depends on what the user is comfortable with. Home router is the easiest. Firewalla requires some networking knowledge. Next user friendly product is perhaps Untangle (50/year subscription), next Sophos XG firewall (free for home), next OPNsense, next pfSense. They all run on x86 hardware - some DIY or ready made box with at least 2x NICs. A VLAN-capable rest of the network is good to have to take advantage of network segmentation options.

and what do you use

I'm using Netgate 5100 appliance with pfSense for about 4 years already. It has Gigabit ports, but good enough for my home network.
 

I've tried several approaches over the years. All have failed for one reason or another, so back to Asus with Merlin.
I have simple needs as I lead a boring life.
  • Static IPs from DHCP
  • Redirecting DNS to my two pihole
  • 3 port forwards, both IPv4 and IPv6 to handle a server I run at home.
Seems simple enough, but pf/opn sense and OpenWRT failed to do so. All on IPv6 forwarding/opening ports in their firewalls for the traffic.
I have neglected to change my plan with Comcast and currently from the upgrades have 800 down 20 up. I'm not looking to run snort or any packet inspection, don't find a need for QoS. I'm happy with the piholes and their stats so no need for an on router ad blocking solution.

Suuure... you have to run something no longer available. Wonder how the 4100 would work for my modest needs?
 
but pf/opn sense and OpenWRT failed to do so

Definitely possible on pfSense and Pi-hole is not needed.

Suuure... you have to run something no longer available.

I have 3x new Netgate 6100 units (Netgate 5100 is similar hardware, but no multi-Gigabit ports) for my business needs, but too expensive for home use. An x86 box like the many available around is cheaper and you can change the OS easily, even repurpose it as a mini Windows PC if you want to. What I'm using is not what I would recommend in this forum for two main reasons - cost and user friendliness.
 