
Looking for Router/Gateway with Greater Security than traditional consumer equipment

Discussion in 'Routers' started by silekonn, Oct 17, 2018.

  1. silekonn

    silekonn Occasional Visitor

    Joined:
    Oct 9, 2010
    Messages:
    12
    I have tried the rest, now the best? A few other people had various recommendations and nothing hit home. I currently utilize an off-the-shelf Netgear router (flashed to DD-WRT). I am hoping to move to something with better security. Higher-grade hardware has geo blocking, IDS and IPS among other security features.

    I am not a network administrator. I do have technology expertise. I recently set up an Ubiquiti Unified Security Gateway (USG) and it cost less than $110. The streamlined interface made the experience straightforward. In the future it should be easy to explain how to correct a problem and have a user that is not technically inclined accomplish things, e.g. a firmware update or whitelisting a blocked website/game.

    It leads me to believe consumer equipment should and can be bested, and without paying for something astronomical (e.g. an $1x00 yearly Meraki subscription, before the price of the hardware). The city's connectivity starts at 200Mbps down and options for 1Gbps exist, meaning Meraki was not an option in any feasible sense if future expansion is planned. Can anyone recommend something that will be a step up?

    Some research shows options are numbered: Sophos, Sonicwall, Untangle, pfSense, Fortinet and Watchguard among the up and coming consumer offerings, Norton Core, Cujo (terrible reviews), BitDefender Box, etcetera. My budget is up to $1,000 and if necessary $250 for a yearly subscription. Others have consistently recommended pfSense and my only problem with that is the lack of definitions or any type of regular and automated updates to support the protection.

    Thank you in advance.
     
    Last edited: Oct 18, 2018
  2. abailey

    abailey Very Senior Member

    Joined:
    Mar 29, 2014
    Messages:
    541
    Location:
    Tennessee, USA
    I use Untangle and have been extremely happy with it. For home use it is $50 a year. There are videos to help you set it up and a very active forum to ask questions. Untangle employees are on the forums also and answer questions. Telephone support can be had but it is an additional charge. I have never found it necessary. The big drawback for Untangle is that it really is not IPV6 ready. I have no problem with that as I don't use IPV6 yet but if you do then there are probably better options available.

    Here is a demo to look at: http://demo.untangle.com/admin/index.do
    It may look complicated but it's not bad once you get the hang of it.
     
  3. System Error Message

    System Error Message Part of the Furniture

    Joined:
    Oct 14, 2014
    Messages:
    3,978
    You can set up a Linux OS and turn it into a router and security gateway; that's the most flexible and performant option in the cheapest way. Otherwise you're looking at more complicated options.
     
  4. mtganzer

    mtganzer Occasional Visitor

    Joined:
    Feb 1, 2015
    Messages:
    38
    ...or pfSense, OPNsense, etc. BTW I have not set up a BARE Linux box as a router/firewall since...oh...probably 2000! Unless you are (or want to be) a wizard with raw iptables, best to find a distribution that has simple router/firewall front end (anyone remember Mandrake Single Network Firewall?).

    pfSense with pfBlockerNG and Snort plugins checks off the items you mentioned. I am really not all that enthralled with other "Unified Threat Management" options anymore now that most traffic runs over SSL/TLS. You can install a "man in the middle" break/inspection on the UTM boxes, but it is not trivially easy to do (have to create trusted certificates and push them out to all systems on your network). Easier for me at home just to make sure to keep the antivirus and anti-malware updated on the end hosts.

    Re: "subscriptions" for updating signatures - pfBlockerNG updates from an extensive number of mostly-free published lists to set up DNS Block Lists and IP Block Lists, and also does your GeoIP blocking. The Snort plugin uses standard Snort signature sets. The paid "Emerging Threats" list is ~$30/year for personal use, or free if you are ok with the VDL list (basically a delayed release of the paid list).

    Be advised that if you really want to do IDS and IPS (or VPN) you will need MUCH more CPU power, especially as speeds get up to the gigabit range. You said you had set up a Ubiquiti USG - I had an EdgeRouter Lite, which was the unmanaged version of that device. For basically NAT firewall, it works quite well (I tested it to 900+ Mbps when I recently installed ATT Gigabit Fiber). And there are add-in scripts in the community to set up DNSBL (DNS Black List). But no GeoIP blocking, and none of the Ubiquiti hardware to date has the CPU horsepower to do IDPS. I am currently running pfSense in a VM on my Xeon Ubuntu server, but $1000 would easily get one of Netgate's pfSense appliances - the SG-5100 at $800 would more than handle what you are likely to throw at it. Nice thing is if you want to "kick the tires", you can easily set up pfSense in a spare PC - just throw in an extra NIC (Intel chipset preferred).
     
    Last edited: Oct 18, 2018
  5. lovan6

    lovan6 Occasional Visitor

    Joined:
    Nov 26, 2017
    Messages:
    11
    For $600 you can build a decent pfSense box with an Intel server NIC, + $600 for a Ubiquiti UniFi 8-port PoE switch with 3 AC Pro access points and Cloud Key. This combination works well. Or you can buy a Netgate XG-7100 for $899, which comes with a warranty.

    pfBlockerNG for GeoIP blocking and Suricata inline for IDS/IPS. pfBlockerNG can be set to auto-update every hour. Suricata uses Proofpoint/Emerging Threats and gets updated every month. Snort updates are free but you can buy a subscription to get the latest updates.

    If you were able to flash and tinker with DD-WRT and were able to configure a USG, I think you can do that also with pfSense. I started doing the same thing, buying a consumer router and flashing it with 3rd party firmware, but as my devices grew in number and things got complicated I had to look elsewhere.

    They have a large community for noobs with no networking experience. You can also download the pfSense book for free, but I would advise reading it first before you decide.

    https://www.netgate.com/docs/pfsense/book/
     
    Last edited: Oct 18, 2018
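The mechanism mtganzer and lovan6 describe (pfBlockerNG pulling published IP and DNS block lists, plus GeoIP ranges, and matching traffic against them) boils down to two lookups: is this address inside any blocked prefix, and is this name or any parent domain on the list. The following is an added illustration, not code from pfBlockerNG, pfSense or any poster here; the feed contents are constructed for the example, and the function names are mine.

```python
"""Added example (not code from pfBlockerNG, pfSense or any poster in this thread):
how an IP/DNS block-list filter of the kind the posts describe decides whether to
drop a packet or a DNS query.  Feed contents below are constructed, not real data."""
import ipaddress

# Constructed IP feed.  Public feeds use the same shape: one address or CIDR per
# line, '#' comments, blank lines.  GeoIP country ranges are just another such feed.
SAMPLE_IP_FEED = """\
# constructed feed for the example
198.51.100.0/24      # TEST-NET-2, standing in for a "bad hosting" range
203.0.113.7          # single host
203.0.113.0/25       # overlaps the host above; aggregation folds them together
2001:db8:bad::/48    # IPv6 entries need their own table in a v4/v6 firewall
not-an-address       # malformed line; must not abort the whole update
"""

# Constructed DNSBL feed: blocked domains, one per line; sub-domains inherit the block.
SAMPLE_DNSBL_FEED = """\
ads.example
tracker.example
"""

def parse_ip_feed(text):
    """Return the list of networks in a feed, skipping comments and bad lines."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False so "203.0.113.7/24"-style entries are normalised, not rejected
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one bad line should not poison the whole list update
    return nets

def aggregate(nets):
    """Collapse overlapping/adjacent prefixes per address family (fewer rules, faster lookups)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def is_ip_blocked(addr, nets):
    """True if addr falls inside any blocked prefix of the same address family."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets if net.version == ip.version)

def parse_dnsbl(text):
    """Return the set of blocked domain names, lower-cased, without a trailing dot."""
    names = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            names.add(entry)
    return names

def is_domain_blocked(name, blocked):
    """True if name or any parent domain is listed (cdn.ads.example matches ads.example)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

if __name__ == "__main__":
    nets = aggregate(parse_ip_feed(SAMPLE_IP_FEED))
    print("blocked prefixes:", [str(n) for n in nets])
    for ip in ("203.0.113.7", "203.0.113.200", "2001:db8:bad::1"):
        print(ip, "blocked" if is_ip_blocked(ip, nets) else "allowed")
    dnsbl = parse_dnsbl(SAMPLE_DNSBL_FEED)
    for host in ("cdn.ads.example", "www.example.com"):
        print(host, "blocked" if is_domain_blocked(host, dnsbl) else "allowed")
```

Two details matter in practice and are reflected above: a malformed feed line is skipped rather than failing the hourly refresh (which would otherwise leave the old table in place or, worse, empty), and IPv4 and IPv6 entries are kept apart because they end up in separate firewall tables.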
  6. System Error Message

    System Error Message Part of the Furniture

    Joined:
    Oct 14, 2014
    Messages:
    3,978
    pfSense and other such distributions have limitations. They are simpler to set up (not simple), but they also limit what you can do to some extent, as it's not a full-blown OS that lets you install and use every feature you want. A normal Linux OS like Debian, BSD, SUSE can become an all-in-one router, which is something pfSense can't (you can't use pfSense as a file server; on the network side, you can't create an applications cache (see Steam and OS update cache as an example) with pfSense, as that requires installing software that these distributions won't allow or work with). Not even pro Cisco can do it, and it really depends on what you're looking for from a router. The most flexible router is still done by using a regular Linux server OS rather than a specialised one, but if your needs aren't as big then going specialised would be the way; otherwise, if you want everything for cheaper, then the only way is to use a Linux/Unix server OS (not Ubuntu) and spend all the effort and have the knowledge. You gotta pay somehow: if it's not with money, it's with skill.

    If you use RMerlin's firmware for Asus routers you will be dealing with raw iptables, and you are outdated; in openSUSE I can set up iptables and plenty of things via their GUI-based networking utility, which can even work over TTYL in such a pretty and intuitive way. However, if you have the skill to properly configure a configurable router, you will find terminals and editing text files to be just as intuitive, if not less restrictive in feel, over a GUI.
     
  7. mtganzer

    mtganzer Occasional Visitor

    Joined:
    Feb 1, 2015
    Messages:
    38
    A couple of nits. First, pfSense is built on FreeBSD, and you can install any of the available FreeBSD packages. But yes, it's FreeBSD, not Linux.
    But also, if you are advocating running firewall + file server + app cache + whatever on a single OS instance, I have to ask WHY? Management- and security-wise it's a nightmare unless you use virtualization to provide some logical separation of the processes. I prefer to keep a single slimmed-down OS with VMs and containers to abstract the apps from the underlying OS. pfSense 2.4 runs fine in a VM on Ubuntu or another Linux OS. Or it could be Untangle, Sophos UTM, OpenWRT as your firewall software of choice.
     
  8. Testscript

    Testscript Occasional Visitor

    Joined:
    Sep 29, 2018
    Messages:
    16
    OpenVPN Client speed:

    Buy a "Mini PC" to install pfSense, Untangle or Sophos.
     
    Last edited: Oct 24, 2018
  9. joegreat

    joegreat Very Senior Member

    Joined:
    Jan 9, 2013
    Messages:
    1,677
    Location:
    Vienna, Austria
    I think you should have a look at the 'Omnia' router from Turris: it's open source AND secure - also the new modular router 'MOX' is on the way (also outlined in this forum thread).

    On the security side the most important topic is the Distributed Adaptive Firewall (replaces the need for a separate pfSense box): the distributed adaptive firewall is made out of a set of tools, which together form a protection system capable of reacting to new security threats.
     
    Last edited: Oct 22, 2018
  10. Testscript

    Testscript Occasional Visitor

    Joined:
    Sep 29, 2018
    Messages:
    16
    My recommendation:

    Router:
    - If you use VPN and/or want an IDPS (i.e. Snort or Suricata): buy a "Mini PC" to install pfSense, Untangle or Sophos (any Mini PC from the previous post)
    - If you will not use any feature above: EdgeRouter 4 or USG Pro 4 (in a few months Ubiquiti will release a new USG router and will use the same or better hardware than the EdgeRouter 4)

    Switch:
    UniFi PoE+ Switch 150W or higher (Need UniFi SDN Controller)

    AP: UniFi nanoHD or UniFi In-Wall HD (Need UniFi SDN Controller)

    Cameras: UniFi Video Camera G3 Micro or UniFi Video Camera G3 Dome or UniFi Video Camera G3 or UniFi Video Camera G3 PRO (Need UniFi Video or UniFi Protect)

    Other: Raspberry Pi 3 Model B+ (Only if you buy the EdgeRouter 4 or USG Pro 4, to install Pi-hole)

    Remote Management and Access:

    UniFi SDN Controller: UniFi Cloud Key Gen2 or Gen2 Plus

    UniFi Protect: UniFi Cloud Key Gen2 Plus (Link with information)

    Something like this:

    Off-topic
    - Stories - Ubiquiti Networks Community
    Beautiful Cable Management
     
    Last edited: Oct 24, 2018
  11. MichaelCG

    MichaelCG Senior Member

    Joined:
    Jan 4, 2017
    Messages:
    481
    Location:
    Central US
    I have been running pfSense for many years...and m0n0wall for many years prior to that. My current box is a $75 off-lease business desktop with an additional 2-port Gig card thrown in. Handles my 1Gbps connection just fine. I run a filtering proxy on the box, but its overall effectiveness is limited since as others have stated, most traffic is TLS now so it cannot be easily scanned.

    I have been testing a SophosXG box for the past couple of months. Overall, it probably can do what you are after. It for sure offers way more flexibility and features and can do traffic filtering even on TLS. It cannot easily scan TLS without doing intercept, but even without intercept it can still somewhat classify the type of traffic and FW rules can be applied.

    It is unlikely I will move forward with it though for my personal use. The OpenVPN performance seems to be a bit lacking....although it can still seem to get around 100Mbps so it isn't horrible...it just should be higher considering the hardware it is running on. I really like the simple interface of pfSense. The firewall rules are zone based and very clear at what flows are permitted. The FW rules within Sophos can be zone based, but presentation is not zone based and not always clear at what rules are permitting what flows. This is just personal preferences on how the FW rules are presented.
     
  12. Marica Calma

    Marica Calma Occasional Visitor

    Joined:
    Oct 2, 2018
    Messages:
    15
    Hi, I am also running pfSense for a couple of years and so far I am satisfied with its features. It was easy to install on a physical computer or in a virtual machine to make a router for a network. See the link below to know more about its features:
    https://www.pfsense.org/about-pfsense/features.html
     
  13. Testscript

    Testscript Occasional Visitor

    Joined:
    Sep 29, 2018
    Messages:
    16
    Last edited: Oct 24, 2018
  14. mtganzer

    mtganzer Occasional Visitor

    Joined:
    Feb 1, 2015
    Messages:
    38
    Nicely described, though I would change the 1st option to: If you use VPN and/or want an IDPS (i.e. Snort or Suricata)
     