User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » Firewall / Router: pfsense or something else Page [1]  
darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

I'm thinking of using pfsense. Should I be using something else? If so, why?

4/28/2016 11:23:49 AM

smoothcrim
Universal Magnetic!
18968 Posts
user info
edit post

Car/Tow Vehicle: Toyota camry or something else.
I'm thinking of getting a camry. Should I get something else? If so, why?

4/28/2016 12:02:41 PM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

Ok. How about this. I'm replacing an ancient (circa 2005) Cisco firewall in my lab. I don't want to spend a lot of money. I don't need a lot of extravagant features but I do have 10-30 connected devices and I'd like to be able to saturate the outbound connection.

4/28/2016 12:18:33 PM

FroshKiller
All American
51913 Posts
user info
edit post

For the love of God, don't use whatever Smath74 was using.

4/28/2016 12:23:33 PM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

No kidding. LSD and depression make for terrible network security.

4/28/2016 12:29:38 PM

smoothcrim
Universal Magnetic!
18968 Posts
user info
edit post

without knowing your outbound connection, I've been a fan of ubiquiti for super simple stuff. mikrotik boards are great if you want to run open-wrt and swap in radios over time on various spectrums

[Edited on April 28, 2016 at 3:15 PM. Reason : pfsense seems like a good idea until you factor power cost]

4/28/2016 3:15:06 PM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

I'm on campus so most of the network links are gigabit though connections to the internet seem to be capped at 100 mbps. I don't know if that's per user or per port.

4/28/2016 3:46:08 PM

Grandmaster
All American
10829 Posts
user info
edit post

I have about 20 pfSense/Netgate appliances. It's much cheaper than Cisco and no one really has been able to give me a huge negative about using them.

I also have one location I used the Ubiquiti router, but mostly just use their APs.

In addition to that, I've been using some form of it since before it forked off and was still m0n0wall. It's legit. I had like a 2 year uptime on an Opitplex with 3 NICs before I replaced the equipment with C2758.

[Edited on April 28, 2016 at 4:36 PM. Reason : ]

4/28/2016 4:28:41 PM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

Due to troublesome purchasing rules, I think I'm going to use this for a pfSense appliance:
https://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm
Intel® Atom™ Processor C2758 CPU TDP 20W (8-Core)
C2000 SoC I354 Quad GbE Controller
adding 8GB RAM and a small SSD

Total cost: ~$640

Any problems jump out to anyone?

I know if I ditched the rackmount option I could get a little faster hardware for the same price point.

4/28/2016 5:33:09 PM

Novicane
All American
15416 Posts
user info
edit post

isolated VLAN with ACL not suffice?

[Edited on April 29, 2016 at 8:45 AM. Reason : dd]

4/29/2016 8:45:30 AM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

Folks seem to like Ubiquiti. This seems like a cheaper option than what I posted above but I have no idea what the performance and feature trade offs are:

https://www.ubnt.com/unifi-switching-routing/unifi-security-gateway-pro-4/

5/2/2016 12:54:10 PM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

Anyone have opinions on pfSense vs. Opnsense?

5/6/2016 3:16:15 PM

Grandmaster
All American
10829 Posts
user info
edit post

wtf is opnsense. Dude just use pf

5/6/2016 3:26:57 PM

darkone
(\/) (;,,,;) (\/)
11611 Posts
user info
edit post

I'm going to. I did some more reading and it seems the opnsense fork is mostly hype.

5/6/2016 4:41:07 PM

Grandmaster
All American
10829 Posts
user info
edit post

Yeah and sketch as hell if you saw the same posts on reddit as I did and it looks like there's still drama going on with it.

https://twitter.com/gonzopancho

Like I said, I have nearly 20 of the netgate appliances about 50/50 whether I purchased them directly from pfSense (I try to do this for the 1 year free support and also to support the project). The unbranded ones where when I waited too long to order and the stock wasn't going to be refreshed in time. All are still going strong with years in service.

The support staff is awesome as well. I've only had a couple "HALP SHITS ALL FUCKED MAYDAYMAYDAYMAYDAY" incidents and they let me use one of my unused incidents from another device to cover the older one having an issue.

The last I remember was an issue with IPSEC where I had added a /18 and racoon had an auto-exclusion rule in place for the individual site's IP address, but when I upgraded one location to latest version of pfsense they had switched to StrongSwan and that exclusion never made it over, but they had intentions to bring it back. That was a year ago and honestly I had forgotten all about it.

I honestly have so much trouble maintaining the Ubiquiti stuff I don't think I could recommend that you use it over pfSense. I mean it's fine equipment and stable and cheap enough, but I can never get the L3 config right, the management tools are java based and it's just annoying as hell to try and manage an AP across VPN or through AWS. Part of that could be me of course, but pfSense just works.

--
Also worth mentioning I did what you're doing in the beginning of my pfSense adventure. 5 years ago I used old decommissioned hardware to replace residential routers, then 2 years ago I purchased a couple supermicro boards like SYS-5015A and now finally I settled on the preloaded appliances when my workload increased and 10mbit dsl was being replaced with fiber and the VPN became more and more important.

[Edited on May 6, 2016 at 8:11 PM. Reason : ]

5/6/2016 8:02:47 PM

wwwebsurfer
All American
10217 Posts
user info
edit post

I use Untangle - if you're considering pfSense it's worth a look: it's core is based on it. When I used to do installs Untangle + Unifi was all I put in, they're unmatched for the coin in my book. For multiple buildings/locations they're unmatched period (unless you want to spend serious dollars on a cisco stack)

Pros:
FREE
Excellent VPN integration, including full-time split tunnels between locations
Decent AdBlocking at the router
Excellent QoS controls
VLANs are easy to route/configure
Maintains itself extremely well (very few late night calls about content filter updates breaking things)

Cons:
The *choice* features are subscription (multiple WAN, advanced content blocking, WAN accelerator etc)
Fully utilized routing stack adds 3-5ms

Test cases:
Small office, 100/100Mbit fiber, 2 full time VPN employees, ~10 in-house employees
Several home offices, 300/20 Cable Internet

5/8/2016 7:28:47 PM

jimmypop
All American
1405 Posts
user info
edit post

What about Meraki?

https://meraki.cisco.com/

Several of our clients use them and a bunch of folks internal have them for their homes. Cisco gives them to partners who attend a training course. They are stupid simple to set up and manage. I've only dealt with the Switches, Firewalls and APs.

5/23/2016 9:57:51 PM

wwwebsurfer
All American
10217 Posts
user info
edit post

^Meraki are the Cadillac of wireless networks; everything else in that product line is a support product that interfaces with their cloud manager thing. A direct comparison would be like an ASA device for just firewall/routing.

Meraki is also an order of magnitude more expensive than competing products. Cisco builds them as a "solution" - grab their firewall/vpn, WLC, a fist full of AP's, a stack of licenses, and your mcmansion/church/office will be blanketed in arguably the best wifi money can buy. Self configuring site-to-site VPN, meshing, fantastic deployment tools... and those Z1 telegateways are the things dreams are made of if you have, ahem, non-technical C-suite occupants.

Or you could put up an Untangle/pfSense box, a dozen Ubiquiti Unifi radios and fill a trashbag with small bills in leftover cash (or visit sawahash at the beach). The unifi cloud configuration tool isn't as slick or robust but it's more than serviceable. If you're worried buy the little management controller stick - it's still much, much, much cheaper than meraki licenses.

If you're swimming in enough cash that Meraki is on the table for your home, well, A+

5/23/2016 11:53:08 PM

Grandmaster
All American
10829 Posts
user info
edit post

Those internal folk that have them probably watched a webinar and are "perma-testing" the free one at their home office.

5/24/2016 6:59:02 AM

jimmypop
All American
1405 Posts
user info
edit post

attended a class. I haven't had the chance to go yet. The "free" ones come with a 3 year license. What happens after that expires? I've got no idea. I know a lot of folks are using the free switches as a part of their home lab environment.

They are nice devices. I never really thought of them as the Cadillac. Compared to an ASA, Fortigate, Sonicwall or Juniper they are easy to set up and maintain. Palo's aren't too bad though. I just like them because I'm not a networking guy and they are easy for me to understand..lol

5/24/2016 5:27:51 PM

 Message Boards » Tech Talk » Firewall / Router: pfsense or something else Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.