I’ve been greatly enjoying the youtube videos, and recently had a terrible experience with a Unifi Dream Machine for my home to replace a dying Netgear Nighthawk R7000. I loved the promise, but it won’t stay up for more than a day before all the ports die and it needs to be reset. And yes, I tried a LOT of different firmware!
I’m getting it refunded, and I’m thinking of building out my network like this:
Does this make sense? Or can I avoid the EdgeRouter entirely if I am using a Netgate SG1100? It seems like the SG1100 would do IDS/IPS, and full gigabit routing - I would just run the modem into it and the LAN port would connect to the Unifi switch. I can tolerate a tiny bit of CLI work but I don’t want it to become a new hobby, and that’s what I hear most often about the EdgeRouter devices… it doesn’t sound like it would be easy to craft a firewall for, for someone with little experience doing so. My internet connection is 150mbps so there’s no concern about a bottleneck (the main reason I’m not looking at a USG).
I’m also open to other avenues if they will be a better fit! My primary needs are port forwarding, static IP assignments, a really good firewall with little configuration, and I would really like IDS/IPS. My home automation stuff is on a HomeSeer Pi controller and I try to keep everything Z-Wave, but I’ll eventually be adding a video doorbell and some PoE cameras and they probably want to be on their own separate network (along with an ecobee).
Install pfSense in a VM, give it a spin; if it looks like too much effort then your decision is clear. If you intend to set up cameras I’d definitely put them on their own VLAN, and you’ll need to set up an OpenVPN server to access your network. Obviously OpenVPN can be set up on a Raspberry Pi via the CLI but I’ve found the GUI in pfSense pretty good.
Well, I’m not really worried about the UI for pfSense - there’s no CLI for it, right? It’s all web GUI?
My question is more whether I actually need the EdgeRouter or not - or would it be superfluous if I have the Netgate device and a switch?
Yes, exactly, you won’t need both. I don’t have an EdgeRouter but it looks like it does the same job as a pfSense box. You might want to compare features.
Most in this forum would recommend pfSense, but it might be a steep learning curve depending on your starting point.
I meant setting up OpenVPN on a Raspberry Pi is via the CLI, so you need to already know how to set it up. Pretty straightforward in pfSense.
On the other hand, if you are a Unifi shop it might make sense to stick with it.
Nope, just a home user.
Are you saying OpenVPN is needed in order to make a VLAN if I wanted a separate LAN for my IoT devices? I can’t do that in pfSense on the Netgate SG1100?
I meant if you are running Unifi kit already then sticking with them might be a good option, or you just go all in if not.
OpenVPN will allow you to connect to your home network remotely to view your cameras, however it is set up.
However, cameras are a source of risk to your network; putting them on their own VLAN and locking it down is generally a good idea. Alternatively you can also forward the IP camera ports and access them over the internet, but I wouldn’t recommend that.
If you’ve got IoT I would put it on its own VLAN, separate from everything else.
I would really only recommend managed switches; even if you only use one VLAN now, you will have options for the future.
To answer the questions you asked: yes, the design does make sense, but you should ideally have VLANs for the cameras etc. Although they could be added later, as the switches you have shown are managed (no, you don’t need OpenVPN for VLANs). Yes, the SG1100 would make the EdgeRouter redundant. I wouldn’t recommend it for use with IPS/IDS as it isn’t really powerful enough; also, to make you aware, IPS/IDS isn’t something to just turn on, it takes time to tweak and configure. That’s partly what you pay the big players for. Yes, the SG1100/pfSense is all GUI based, but it will take time to learn and configure. Personally I find it easy to understand, but then I’ve configured several different firewalls over the years.
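The two replies above recommend a locked-down camera/IoT VLAN reached over OpenVPN rather than port forwards. The following is an added illustration (not code from this thread or from pfSense) of what "locking it down" means as a first-match ruleset, the way pfSense evaluates interface rules top to bottom; the subnets, the RTSP port and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port

# Constructed example subnets (assumptions, not taken from the thread)
LAN = "192.168.1.0/24"   # laptops, HomeSeer Pi
IOT = "192.168.20.0/24"  # cameras, doorbell, ecobee
VPN = "10.8.0.0/24"      # OpenVPN client tunnel addresses
ANY = "0.0.0.0/0"

# First match wins, so the blocks sit above the broad "IoT may reach the
# internet" pass rule. Replies to permitted flows (e.g. LAN -> IoT) are
# allowed by the firewall's state table, which this toy model ignores.
IOT_RULES = [
    Rule("block", IOT, LAN),        # cameras may not talk to the main LAN
    Rule("block", IOT, VPN),        # nor to VPN clients directly
    Rule("pass",  IOT, ANY),        # cloud/NTP/firmware updates still work
    Rule("pass",  LAN, IOT),        # you can reach the cameras from the LAN
    Rule("pass",  VPN, IOT, 554),   # remote viewing: RTSP from VPN clients only
    Rule("block", ANY, ANY),        # default deny, incl. direct internet -> camera
]

def decide(rules, src, dst, dport):
    """Return the action of the first rule matching a packet, else block."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"

def audit(rules):
    """Evaluate the constructed sample packets against the ruleset."""
    samples = {
        "camera_to_lan":      ("192.168.20.5", "192.168.1.10", 80),
        "camera_to_internet": ("192.168.20.5", "93.184.216.34", 443),
        "vpn_to_camera_rtsp": ("10.8.0.2", "192.168.20.5", 554),
        "vpn_to_camera_http": ("10.8.0.2", "192.168.20.5", 80),
        "internet_to_camera": ("203.0.113.9", "192.168.20.5", 554),
    }
    return {name: decide(rules, *pkt) for name, pkt in samples.items()}
```

Running `audit(IOT_RULES)` shows the intended outcome: the camera cannot reach the LAN, a VPN client can stream RTSP, and an unsolicited internet connection to the camera is dropped, which is the alternative to forwarding the camera ports.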
OK, going one step further… I do have a SmartRG SR808ac as my modem - it’s a capable wifi router but the range sucks. In theory I could probably just use that as my wired router (turning off the wifi radios) + firewall for now, correct? That would buy me some time to set aside the funds to get a better/proper security gateway. Would I need a 3100 for decent IPS/IDS? I’ve heard it’s overkill for a home environment but I honestly feel like it’s only a matter of time before it becomes more commonplace.
If you are blocking most incoming ports, then IDS/IPS may not make sense. But it can help hold back malware and other attacks after an infection. Tom says the SG1100 is not really powerful enough for Snort or Suricata. I still haven’t set Suricata up on my HP t620 Plus to see if it has enough processor, but it looks like it should have enough resources. My t620 Plus is at home, so not as heavily worked as my firewall at work, which does have Suricata running. The firewall at work has plenty of resources left and is only an Atom C2758.
Yeah, I was watching The Hook Up on YouTube and he made a good point - his UDM Pro was flagging stuff that was going after blocked ports… so it wasn’t really a problem anyway. Hadn’t thought of it that way. I’ve read of other people keeping the “Connectivity” setting in Snort active on an SG1100 (a sort of highest-level IDS/IPS) without issue, so maybe that will be where I start, and in a few years I can upgrade that component of the home network separately if I have the need.
You may want to look at some of the Protectli devices and load pfSense on it. Or take a chance on the HP t620 Plus; I think it would work for a few users at home, but I just haven’t tested to that level yet. My t620 Plus came with a 4-port Intel card and was $160 shipped from eBay. The only thing I might do is put 8GB of RAM in it because I have the memory sitting here; it came with 4GB and 16GB of SSC. The only real issue is that it’s bigger than I would like, but quiet and runs cool. OpenVPN runs as fast as my junk Spectrum connection can handle, which isn’t really saying a lot, but there’s no way to test faster.
There is a bit of info on the ServeTheHome forum for the t6xx thin clients; it might give you an idea of what they are capable of handling. I can’t remember if anyone has Suricata running. I also have a t630 that I just bought, no PCIe so no real way to add more wired ports. My t620 Plus is slightly faster and seems to be one of the faster thin client machines that you can buy for under $200 USD.