pfSense/Sophos vs ASUSWRT/RMerlin - Is there any reason to change?

[Bamsefar]

So I have this "thing" for network security.... Trying to avoid to get hacked to easily...

So from a security perspective, running pfSense on a dedicated box - is that a better (?) solution than the built in into ASUSWRT/RMerlin firmware?

Let's have a peak at how I use my Asus:

No web server or anything, I normally ONLY have traffic from the inside to Internet - except when my mobile is outside WiFi when it connects over OpenVPN to my home network. So I have, in my ASUS router installed things like block countries, AdBlock Solution and a few other minor things. Feels okay in a way.

So how can I improve on this setup? Would moving to pfSense firewall be a better choice, and install some of the modules that can run on pfSense? Has anyone any experience in this and are willing to share?

 

[DomFel]

Dude pfSense is a better choice overall, but 99.9% of the times Merlin's firmware is just fine for most users.
Unless you have extreme broadband speeds or need OpenVPN at more than 50mbps just stick with Asus, way easier, reliable, and Merlin's/hggomes/any other fork make it even better and more updated.
Sure that, if you work with very sensitive stuff an IDS would be required, thus pfSense would be a natural choice. If you are a regular home user then stick with what you have, it's more than enough!

 

[L&LD]

Of course pfSense may be a better choice (depending on the configuration and expertise of the user), but for your use? Why?

If you're still running 380.59 as is indicated in your footer, I would upgrade to 380.62_1 'now'.

 

[Bamsefar]

Thanks to both of you!

L&LD: No I have forgotten to change that on my footer - think I will remove the info since it might be incorrect from time to time...

 

[zoomee]

Glad to see this thread - was going to post the same more or less yesterday!

I have a Synology NAS with four ports open for the tinterwebs running through an AC-88U.
Unfortunately I don't find AIProtection to be reliable (its actually broken on the latest firmware release - change your LAN IP range and it stops working for some reason).

Was contemplating getting one of them cheapo barebones mini-pc's from china that some users have running pfsense. Seems easy enough to setup, and then can disable AIProtection?

Not really interested in VPN as that would mean that I'd have to VPN in to access my CCTV, Notes, Sabnzbd etc - but more interested in securing the perimeter as I've noticed more and more blocked IP's in the NAS boxes.

Any advice mucho appreciated.

 

[AimDev]

Glad to see this thread - was going to post the same more or less yesterday!

I have a Synology NAS with four ports open for the tinterwebs running through an AC-88U.
Unfortunately I don't find AIProtection to be reliable (its actually broken on the latest firmware release - change your LAN IP range and it stops working for some reason).

Was contemplating getting one of them cheapo barebones mini-pc's from china that some users have running pfsense. Seems easy enough to setup, and then can disable AIProtection?

We run a fortinet firewall system at work (me being one of the admins) so I think I've got enough experience for a pfsense setup? Doubt I need to get as complicated as the 2 tier DMZ we have there lol!

Not really interested in VPN as that would mean that I'd have to VPN in to access my CCTV, Notes, Sabnzbd etc - but more interested in securing the perimeter as I've noticed more and more blocked IP's in the NAS boxes.

Any advice mucho appreciated.

Re I have a Synology NAS with four ports open for the tinterwebs running through an AC-88U.

For what reason may I ask?

 

[zoomee]

Ds note
Ds cam
Ds file
Sabnzbd

Sent from my D6603 using Tapatalk

 

[AimDev]

Ds note
Ds cam
Ds file
Sabnzbd

Sent from my D6603 using Tapatalk

Hi

re Any advice mucho appreciated.
I wouldn't put my trust in a piece of equipment or software I have no control over, running exposed services to the internet.
With pfsense you have some control as you can access the code, and recompile it to remove the bits you are not happy with.
Just my two cents worth.

 

[zoomee]

Pls correct me if i'm wrong - the only benefit I will get from a pfsense server would be IPS//IDS scanning on the connections coming into the network?

Most firewall providers charge for the IDS/IPS element with yearly subscriptions - is that the case with pfsense also?

 

[zoomee]

Got a choice of two types of base devices:

https://www.amazon.co.uk/HSIPC/b/re...10646488031&field-lbr_brands_browse-bin=HSIPC

First is a braswell based Celeron Quad core N3150 cpu but has Realtek NIC's
Second is a J1900 based Quad core but has Intel NIC's.

Read somewhere that the realtek nic drivers ain't too good on FreeBSD and to stick with Intel NIC's? - Makes the choice harder as I would have preferred to go for the newer braswell based cpu type....

My tinterwebz speed is 200down 20up

 

[sfx2000]

No web server or anything, I normally ONLY have traffic from the inside to Internet - except when my mobile is outside WiFi when it connects over OpenVPN to my home network. So I have, in my ASUS router installed things like block countries, AdBlock Solution and a few other minor things. Feels okay in a way.

AsusWRT-RMerlin is secure enough, and it sounds like it meets your needs...

If it isn't broken, then there is no reason to fix it...

 

[L&LD]

The Braswell processor is about 4W more efficient at peak power, but the J1900 processor is the more powerful of the two. (I would choose the J1900 based models).

Intel NIC's are highly recommended.

 

[sfx2000]

The Braswell processor is about 4W more efficient at peak power, but the J1900 processor is the more powerful of the two. (I would choose the J1900 based models).

Intel NIC's are highly recommended.

The Braswell supports AES-NI, which might be important for some folks... the J1900 Baytrail does not.

 

[sfx2000]

Got a choice of two types of base devices:

https://www.amazon.co.uk/HSIPC/b/re...10646488031&field-lbr_brands_browse-bin=HSIPC

First is a braswell based Celeron Quad core N3150 cpu but has Realtek NIC's
Second is a J1900 based Quad core but has Intel NIC's.

Read somewhere that the realtek nic drivers ain't too good on FreeBSD and to stick with Intel NIC's? - Makes the choice harder as I would have preferred to go for the newer braswell based cpu type....

My tinterwebz speed is 200down 20up

On that list of little boxes - there is a C1037U based unit - take a close look at it, as the 1037U is an IvyBridge Celeron, and those are nice processors...

 

[zoomee]

I've already bit the bullet being an impatient git (as L&LD already knows me as lol
)
https://forum.pfsense.org/index.php?topic=115673.0

The C1037U cpu is only dual core and 22nm (2013 cpu) - I'd want a quad core at least (insert My phone is faster than your pc comment here )

Went for the N3150 version - looking on the pfsense forums it has slightly better performance than the J1900 thanks to AES support (not by much but enough to warrant the purchase with slightly lower TDP).

4Gb RAM with 64Gb SSD should hopefully be enough for my connection speed and what I'm aiming to secure it with - i.e. Just a bit of firewall and IPS/IDS stuff... It won't arrive until the end of the month so plenty of time for more research

ta chaps.

 

[sfx2000]

4Gb RAM with 64Gb SSD should hopefully be enough for my connection speed and what I'm aiming to secure it with - i.e. Just a bit of firewall and IPS/IDS stuff... It won't arrive until the end of the month so plenty of time for more research

It'll be fine for pfSense - the Realtek vs. Intel NIC issues with pfSense/FreeBSD isn't as big of a deal as it used to be in any event..

 

[zoomee]

The plan is to stick this pfsense box in between my virginmedia cable modem and my Asus router - would that sound about right for what I'm trying to achieve?

I have plenty of IT headaches at work, so don't really want to have to faff around with my stuff at home too much after initial config. I'm already dredding all the stuff that needs to get out (i.e. Xbox/PSN, Smart TV's, TIVO, Hive hub etc etc)

 

[L&LD]

Glad to see this thread - was going to post the same more or less yesterday!

I have a Synology NAS with four ports open for the tinterwebs running through an AC-88U.
Unfortunately I don't find AIProtection to be reliable (its actually broken on the latest firmware release - change your LAN IP range and it stops working for some reason).

Was contemplating getting one of them cheapo barebones mini-pc's from china that some users have running pfsense. Seems easy enough to setup, and then can disable AIProtection?

Not really interested in VPN as that would mean that I'd have to VPN in to access my CCTV, Notes, Sabnzbd etc - but more interested in securing the perimeter as I've noticed more and more blocked IP's in the NAS boxes.

Any advice mucho appreciated.

The plan is to stick this pfsense box in between my virginmedia cable modem and my Asus router - would that sound about right for what I'm trying to achieve?

I have plenty of IT headaches at work, so don't really want to have to faff around with my stuff at home too much after initial config. I'm already dredding all the stuff that needs to get out (i.e. Xbox/PSN, Smart TV's, TIVO, Hive hub etc etc)

I'm quoting what I think you want to achieve, correct?

If so, I think you'll have a lot of 'faffing' to do until you can say it is 'working' to your satisfaction or even to current levels.

I don't find AiProtection broken (did you even try to solve the issues), but I don't have an RT-AC88U either.

I also really can't see why you are so averse to VPN as a (much better) solution than opening up (4) ports on your NAS?

It seems to me that you do like having stuff to 'faff' around with, after work headaches. That's okay too.

But, for you, I didn't see anything that was really broken, to begin with.

 

[zoomee]

Lol, Yeah I expect plenty of faffing for the initial config bud - but hopefully once its all sorted I should be able to let it all just chug away happily.

AIProtection has been giving me a lot of false positives recently - I performed a full packet capture recently with Synology on my network and found no issues from the NAS but AIProtection was constantly going wild about it. Since changing the default range for my LAN from 192.x.x.x to 10.x.x.x AIProtection has completely stopped working (it says in the logs its sent an Alert Email but I just don't get them anymore).

Anyways - my concern here is my NAS. I'm trying to ensure it's setup as securely as possible. The problem with using a VPN config and cutting it off from the internet is that A)- It sort of negates all of the DS mobile application useage without having to establish a VPN connection first, B)Sabnzbd links to the usenet service I use will break and C)- I doubt I'll be able to use VPN from work.

Ever since I changed my DDNS over to the new one this router uses, my NAS has been getting attacked left right and centre - call it an added layer of security

 

[zoomee]

Pfsense or Sophos UTM?

https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx