HW setup for home network install with pfsense/unifi

Hello,

New to the forum and seeking some advice on HW selection. I intend to replace my current Synology router with a pfSense/OPNsense FW and some UniFi switches/APs + UniFi Protect. This is in a small office (< 10) setting. As I do not utilize the UniFi firewall and need HW for that, I wonder if I can skip any UniFi OS HW box (I do not want to run the UniFi OS in the cloud). Which HW setup would be appropriate? My thinking is along the lines of a Protectli to run pfSense and UniFi OS each in a container and potentially also Pi-hole. Some VPN/IPsec traffic should be catered for.

Is this a viable setup, and if so, which Protectli appliance would be suitable so as not to have a HW bottleneck?

Thank you for your comments and time
Antelion

I would run the firewall on dedicated hardware, not in a container or VM. Yes, a little more expensive, but just the way I would run mine.

I don’t run UniFi equipment, so can’t really answer that part, but I bet it would work on something like an old HP T630 for under $100 USD. Or you can step up to something like a MeLE Quieter2 mini PC (Quieter2Q-Shenzhen MeLE). I just bought one of these to replace an old Celeron dual core that I run Zentyal on; it is a decent step up from there and should run the controller software. Most of them even have Windows 10 Pro “licensed”. Licensed in quotes because I have not verified this; I made a Clonezilla image of the drive and erased it for Zentyal (Ubuntu based).

I have an HP T620 Plus and a T630; the 620+ is my pfSense at home and it seems OK, the 630 runs my Xen Orchestra instance for my hypervisor lab. They are older hardware, but still seem to work pretty well for limited uses. A fanless Protectli would be nicer for a firewall, and I think they are faster processors too.

Read their Buyer's Guide - Protectli and buy with respect to your WAN speed; the more powerful the better, though obviously more expensive.

Just run any controllers in a vm.

You don’t need Pi-hole as pfSense has pfBlocker doing the same job.

Hello,

thank you for the answers. Yes, the pfBlocker I could now figure out (thanks to Tom's clear video). I guess my question then really comes down to whether I want to have anything running virtual on the FW appliance or whether it should be on something behind it (NAS also being an option).

I’d suggest running pfSense on its own hardware, until you suss it out. Otherwise troubleshooting will be doubled.

Can’t see too much sense in running anything except pfSense on the router; just asking for trouble.

Not to be a contrarian – but it depends on what Protectli system you're running. A lot of the higher end systems from Protectli – in my humble opinion – offer a lot of hardware which isn’t going to be utilized by just pfSense. This depends of course on how much RAM you want to provide your Protectli system. I’ve run pfSense virtualized with xcp-ng within my Protectli for a couple of years now and think it runs great. I’ve dedicated 8 GB of RAM to the VM and it’s performed well for me – granted this is a home lab system and not for a business. I would guess for a business you’d prefer either an HA setup, or at a minimum possibly a device you could easily swap out, say for example if the router just ups and dies. I imagine with backup and snapshots this could be done with a virtualized system; however, the restore process isn’t going to be as fast, and limiting downtime might be your biggest concern.

With the VPN desire, I’d say go with hardware; if you run it on a VM or other VLAN based system, things might be able to jump across to bypass the firewall.

Even if the hardware is underutilized, it is generally money well spent. Start adding in Suricata or Snort, pfBlocker or e2guardian, maybe a couple of other things, and then start routing at gigabit or faster…

Hello, from the UniFi point of view, it would be simple. I have a similar setup except I use Sophos XG v18. Set up the networks in UniFi as VLAN Only. Then set up the VLANs in your firewall and DHCP servers/ranges for each of those VLANs. Of course you will have an interface of the firewall on each of those VLANs, which will be the gateway for those UniFi VLANs. Works a treat. Just so you know, I run my Sophos XG as a VMware VM and not hardware. I use the Cloud Key Gen2 for the UniFi management, but you can use a VM for this also if you wish.
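The layout in the post above (UniFi networks set to VLAN Only, one firewall interface per VLAN acting as gateway and DHCP server) is easy to get wrong when subnets overlap or a tag is reused. The planner below is an added example and not code from the thread or from any vendor; the three VLANs, the "gateway = first host, DHCP pool = upper half of the subnet" convention and the `igb1` parent interface name are constructed assumptions. It validates the plan and prints what to enter on the UniFi side and on the firewall side.

```python
"""Plan the VLAN-only UniFi + firewall-as-gateway layout described in the thread.

Added example, not from the original post. The VLAN list, pool convention and
parent interface name are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanPlan:
    tag: int                              # 802.1Q tag configured on the UniFi network
    name: str                             # UniFi network name
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address        # firewall interface address on this VLAN
    dhcp_from: ipaddress.IPv4Address      # DHCP pool served by the firewall
    dhcp_to: ipaddress.IPv4Address


# Constructed sample: (tag, UniFi network name, subnet)
SAMPLE_VLANS = [
    (10, "office",  "10.10.10.0/24"),
    (20, "guest",   "10.10.20.0/24"),
    (30, "cameras", "10.10.30.0/24"),     # UniFi Protect cameras, no internet needed
]


def plan_vlan(tag, name, cidr, pool_fraction=0.5):
    """Derive gateway and DHCP pool for one VLAN; raise on bad input."""
    net = ipaddress.ip_network(cidr, strict=True)   # reject host bits set in the prefix
    if not 1 <= tag <= 4094:
        raise ValueError(f"VLAN tag {tag} outside 802.1Q range 1-4094")
    hosts = list(net.hosts())
    if len(hosts) < 4:
        raise ValueError(f"{cidr} too small to hold a gateway plus a DHCP pool")
    gateway = hosts[0]
    # Lower part of the range stays free for static assignments (APs, NVR, printers);
    # the upper part is handed out by DHCP (constructed convention).
    start = len(hosts) - int(len(hosts) * pool_fraction)
    return VlanPlan(tag, name, net, gateway, hosts[start], hosts[-1])


def plan_all(vlans, pool_fraction=0.5):
    """Plan every VLAN and reject duplicate tags or overlapping subnets."""
    plans = []
    seen_tags = set()
    for tag, name, cidr in vlans:
        p = plan_vlan(tag, name, cidr, pool_fraction)
        if tag in seen_tags:
            raise ValueError(f"duplicate VLAN tag {tag}")
        for q in plans:
            if p.subnet.overlaps(q.subnet):
                raise ValueError(f"{name} {p.subnet} overlaps {q.name} {q.subnet}")
        seen_tags.add(tag)
        plans.append(p)
    return plans


def render(plans, parent_if="igb1"):
    """Human-readable checklist: one line for UniFi, one for the firewall, per VLAN."""
    lines = []
    for p in plans:
        lines.append(f"UniFi: network '{p.name}' -> VLAN Only, tag {p.tag}")
        lines.append(
            f"Firewall: VLAN {p.tag} on {parent_if}, interface {p.gateway}/{p.subnet.prefixlen}, "
            f"DHCP {p.dhcp_from}-{p.dhcp_to}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(plan_all(SAMPLE_VLANS)))
```

Because the firewall interface is the only gateway on each VLAN, the inter-VLAN rules live in one place; the overlap check matters because two VLANs sharing address space would make those rules ambiguous.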