
pfSense/Sophos vs ASUSWRT/RMerlin - Is there any reason to change?

Discussion in 'Asuswrt-Merlin' started by Bamsefar, Oct 15, 2016.

  1. Bamsefar

    Bamsefar Senior Member

    Joined:
    Oct 11, 2014
    Messages:
    219
    So I have this "thing" for network security.... Trying to avoid getting hacked too easily...

    So from a security perspective, is running pfSense on a dedicated box a better (?) solution than the one built into the ASUSWRT/RMerlin firmware?

    Let's have a peek at how I use my Asus:

    No web server or anything, I normally ONLY have traffic from the inside to the Internet - except when my mobile is outside WiFi, when it connects over OpenVPN to my home network. So I have, in my ASUS router, installed things like block countries, AdBlock Solution and a few other minor things. Feels okay in a way.

    So how can I improve on this setup? Would moving to a pfSense firewall be a better choice, and installing some of the modules that can run on pfSense? Does anyone have experience with this and is willing to share?
     
  2. DomFel

    DomFel Occasional Visitor

    Joined:
    Sep 24, 2014
    Messages:
    47
    Dude, pfSense is a better choice overall, but 99.9% of the time Merlin's firmware is just fine for most users.
    Unless you have extreme broadband speeds or need OpenVPN at more than 50mbps, just stick with Asus; way easier, reliable, and Merlin's/hggomes'/any other fork make it even better and more updated.
    Sure, if you work with very sensitive stuff an IDS would be required, thus pfSense would be a natural choice. If you are a regular home user then stick with what you have, it's more than enough!
     
  3. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    6,886
    Of course pfSense may be a better choice (depending on the configuration and expertise of the user), but for your use? Why? :)

    If you're still running 380.59 as is indicated in your footer, I would upgrade to 380.62_1 'now'. ;)
     
    trentm1 likes this.
  4. Bamsefar

    Bamsefar Senior Member

    Joined:
    Oct 11, 2014
    Messages:
    219
    Thanks to both of you!

    L&LD: No, I have forgotten to change that in my footer - I think I will remove the info since it might be incorrect from time to time...
     
    L&LD likes this.
  5. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    Glad to see this thread - was going to post the same more or less yesterday!

    I have a Synology NAS with four ports open for the tinterwebs running through an AC-88U.
    Unfortunately I don't find AIProtection to be reliable (it's actually broken on the latest firmware release - change your LAN IP range and it stops working for some reason).

    Was contemplating getting one of them cheapo barebones mini-PCs from China that some users have running pfSense. Seems easy enough to set up, and then I can disable AIProtection?

    Not really interested in VPN as that would mean I'd have to VPN in to access my CCTV, Notes, Sabnzbd etc. - but more interested in securing the perimeter as I've noticed more and more blocked IPs in the NAS boxes.

    Any advice mucho appreciated.
     
    Last edited: Oct 16, 2016
  6. AimDev

    AimDev Occasional Visitor

    Joined:
    Jan 24, 2016
    Messages:
    20
    Re: I have a Synology NAS with four ports open for the tinterwebs running through an AC-88U.

    For what reason may I ask?
     
  7. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    Ds note
    Ds cam
    Ds file
    Sabnzbd

    Sent from my D6603 using Tapatalk
     
  8. AimDev

    AimDev Occasional Visitor

    Joined:
    Jan 24, 2016
    Messages:
    20
    Hi

    Re: Any advice mucho appreciated.
    I wouldn't put my trust in a piece of equipment or software I have no control over, running exposed services to the internet.
    With pfSense you have some control, as you can access the code and recompile it to remove the bits you are not happy with.
    Just my two cents worth.
     
    zoomee likes this.
  9. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    Please correct me if I'm wrong - the only benefit I will get from a pfSense server would be IPS/IDS scanning on the connections coming into the network?

    Most firewall providers charge for the IDS/IPS element with yearly subscriptions - is that the case with pfSense also?
     
  10. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    Got a choice of two types of base devices:

    https://www.amazon.co.uk/HSIPC/b/re...10646488031&field-lbr_brands_browse-bin=HSIPC

    First is a Braswell-based Celeron quad core N3150 CPU but has Realtek NICs.
    Second is a J1900-based quad core but has Intel NICs.

    Read somewhere that the Realtek NIC drivers ain't too good on FreeBSD and to stick with Intel NICs? - Makes the choice harder as I would have preferred to go for the newer Braswell-based CPU type....

    My tinterwebz speed is 200 down / 20 up
     
  11. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,506
    Location:
    San Diego, CA
    AsusWRT-RMerlin is secure enough, and it sounds like it meets your needs...

    If it isn't broken, then there is no reason to fix it...
     
  12. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    6,886
    The Braswell processor is about 4W more efficient at peak power, but the J1900 processor is the more powerful of the two. (I would choose the J1900 based models).

    Intel NICs are highly recommended. :)
     
  13. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,506
    Location:
    San Diego, CA
    The Braswell supports AES-NI, which might be important for some folks... the J1900 Baytrail does not.
     
    L&LD likes this.
  14. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,506
    Location:
    San Diego, CA
    On that list of little boxes - there is a C1037U based unit - take a close look at it, as the 1037U is an IvyBridge Celeron, and those are nice processors...
     
  15. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    I've already bitten the bullet, being an impatient git (as L&LD already knows, lol ;) )
    https://forum.pfsense.org/index.php?topic=115673.0

    The C1037U CPU is only dual core and 22 nm (a 2013 CPU) - I'd want a quad core at least (insert "my phone is faster than your PC" comment here :) )

    Went for the N3150 version - looking on the pfSense forums it has slightly better performance than the J1900 thanks to AES support (not by much, but enough to warrant the purchase with a slightly lower TDP).

    4 GB RAM with a 64 GB SSD should hopefully be enough for my connection speed and what I'm aiming to secure it with - i.e. just a bit of firewall and IPS/IDS stuff... It won't arrive until the end of the month, so plenty of time for more research :)

    ta chaps.
     
    L&LD likes this.
  16. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,506
    Location:
    San Diego, CA
    It'll be fine for pfSense - the Realtek vs. Intel NIC issues with pfSense/FreeBSD aren't as big a deal as they used to be in any event...
     
    zoomee likes this.
  17. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    The plan is to stick this pfSense box in between my Virgin Media cable modem and my Asus router - would that sound about right for what I'm trying to achieve?

    I have plenty of IT headaches at work, so I don't really want to have to faff around with my stuff at home too much after the initial config. I'm already dreading all the stuff that needs to get out (i.e. Xbox/PSN, Smart TVs, TiVo, Hive hub etc. etc.)
     
  18. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    6,886
    I'm quoting what I think you want to achieve, correct?

    If so, I think you'll have a lot of 'faffing' to do until you can say it is 'working' to your satisfaction or even to current levels.

    I don't find AiProtection broken (did you even try to solve the issues), but I don't have an RT-AC88U either. ;)

    I also really can't see why you are so averse to VPN as a (much better) solution than opening up (4) ports on your NAS?

    It seems to me that you do like having stuff to 'faff' around with, after work headaches. That's okay too. :)

    But, for you, I didn't see anything that was really broken, to begin with. ;)
     
  19. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130
    Lol, yeah I expect plenty of faffing for the initial config bud - but hopefully once it's all sorted I should be able to let it all just chug away happily.

    AIProtection has been giving me a lot of false positives recently - I performed a full packet capture recently with Synology on my network and found no issues from the NAS, but AIProtection was constantly going wild about it. Since changing the default range for my LAN from 192.x.x.x to 10.x.x.x, AIProtection has completely stopped working (it says in the logs it's sent an alert email but I just don't get them anymore).

    Anyways - my concern here is my NAS. I'm trying to ensure it's set up as securely as possible. The problem with using a VPN config and cutting it off from the internet is that A) it sort of negates all of the DS mobile application usage without having to establish a VPN connection first, B) Sabnzbd links to the usenet service I use will break, and C) I doubt I'll be able to use VPN from work.

    Ever since I changed my DDNS over to the new one this router uses, my NAS has been getting attacked left right and centre - call it an added layer of security ;)
     
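Posts 5 and 19 above both mention a growing list of blocked IPs and failed logins against the NAS whose four ports are forwarded from the Internet. The script below is an added example, not part of the thread and not Synology, Asus or pfSense code: it triages authentication-failure log lines, separates LAN sources from Internet sources, counts which exposed service each one hits, and flags sources that exceed a failure threshold inside a sliding time window, which is the same logic a firewall's auto-block or a pf overload table applies. The log line format and the sample lines are constructed for the example; the regex is the part to adapt to a real device's log. The LAN ranges are the RFC 1918 blocks, so the 192.x to 10.x renumbering mentioned in post 19 needs no change here.

```python
"""Triage of NAS/firewall auth-failure logs (added example, constructed log format)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed "<ISO timestamp> <service> auth failure from <ip>" format.
# 203.0.113.45 hammers SSH five times in seven seconds; 198.51.100.7 fails twice an hour apart;
# 10.0.0.23 is a LAN host failing against DSM (worth a look, but not something to firewall).
SAMPLE_LOG = """\
2016-10-16T02:14:07 sshd auth failure from 203.0.113.45
2016-10-16T02:14:09 sshd auth failure from 203.0.113.45
2016-10-16T02:14:11 sshd auth failure from 203.0.113.45
2016-10-16T02:14:12 sshd auth failure from 203.0.113.45
2016-10-16T02:14:14 sshd auth failure from 203.0.113.45
2016-10-16T02:20:00 dsm auth failure from 198.51.100.7
2016-10-16T03:05:31 dsm auth failure from 198.51.100.7
2016-10-16T09:41:00 dsm auth failure from 10.0.0.23
2016-10-16T09:41:02 dsm auth failure from 10.0.0.23
2016-10-16T12:00:00 sabnzbd auth failure from 192.0.2.200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth failure from (\S+)$")  # assumed format

# RFC 1918 ranges: anything here is "inside", whatever the LAN was renumbered to.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse(text: str) -> list[tuple[datetime, str, object]]:
    """Turn log text into (timestamp, service, source address) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), ip_address(m.group(3))))
    return events


def is_internal(addr) -> bool:
    return any(addr in net for net in LAN_NETS)


def brute_force_sources(events, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list[str]:
    """Sources with at least `threshold` failures inside any sliding `window` (like a pf overload rule)."""
    times_by_src = defaultdict(list)
    for ts, _svc, src in events:
        times_by_src[src].append(ts)
    flagged = []
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(str(src))
                break
    return sorted(flagged)


def triage(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Summarise who is failing against which exposed service, and which sources to block."""
    events = parse(text)
    external = [e for e in events if not is_internal(e[2])]
    internal = [e for e in events if is_internal(e[2])]
    return {
        "external_sources": dict(Counter(str(src) for _, _, src in external)),
        "internal_sources": dict(Counter(str(src) for _, _, src in internal)),
        "services_hit": dict(Counter(svc for _, svc, _ in events)),
        "block_candidates": brute_force_sources(external, threshold, window),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two counters answer the question the thread keeps circling: if nearly all failures come from Internet sources against DSM and SSH, those are the ports that a VPN-only setup (as L&LD suggests) removes from view entirely, while Sabnzbd's outbound usenet links are unaffected by that change because they are not inbound. Internal failures are kept separate on purpose: a LAN host failing logins is a misconfigured client or something worse, and blocking it at the edge would not help either way.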
  20. zoomee

    zoomee Regular Contributor

    Joined:
    Aug 25, 2015
    Messages:
    130