Where the heck am I going to get a firewall?

This is maddening. I’m a break/fix but I service a small number of commercial clients with their network needs. I’ve got a client I’ve done some work for in the past and she’s finally ready to bridge her FiOS router and get some real security in place. The problem? No firewalls. Netgate only has 4100s in stock ($599). UB has zero UDMPs and their EdgeRouter page is covered in ‘sold out’ labels.

I’m a pfSense guy first and a UB guy second. For this client, to make this proposal work, I need a sub-$400 firewall. No VPN or anything fancy either. She owns an assisted living home. She’s got a couple of company computers, 5 UB APs and a Hikvision camera system.

I’m really just looking to separate her guest wifi, camera system and company assets by VLAN and put the whole thing behind a decent firewall - you know… lock it down a little.

Any other options I’ve not thought of? I have run some Mikrotik gear in the past. Matter of fact, I run a few of their switches here in the shop. Mikrotik’s firewall config interface seems insanely complicated. To be fair, I find RouterOS as well as SwOS to be the same.

ugh… Looking for some ideas. Thanks!

You could get a dell 390 pc for $50, add net cards, install pfsense, add a managed switch, throw the cameras into a vlan. Wouldn’t that cover your client?


If you don’t want to go the PC route, you could go with a Protectli Vault, a simple 4 port, and install pfSense on that. Protectli Vault FW4B - 4 Port, Firewall Micro Appliance/Mini PC - Intel Quad Core (Celeron J3160), AES-NI, Barebone. It’s currently $369 on Amazon at the moment. I know it’s more expensive than doing a cheap PC. Although I don’t know where you could get one for $50 that has storage, memory, and CPU. Plus your added cost of adding a four port NIC. If you can find one for $50, great.


Don’t blame Netgate or Ubiquiti either - I work at a Fortune 500 company. We placed an order for 1500 whitebox firewall appliances in March 2020…. We are still waiting for 600 of them. They are essentially the same as a Netgate 6100.

On the flip side of that, we essentially flooded the used market with Cisco ISR 29xx routers, so if you’re desperate…. no, I still don’t recommend getting one of those.

You could grab up a Cisco ASA for less than $100 and do the same.

Edited:
Here is a link for one at around $60. CISCO ASA5505-BUN-K9 SECURITY FIREWALL UPGRADE ASA5505 | eBay

I think this is the same place I bought my home pfsense build, still working some 3 years later, and the price is still the same some three years later.

If you have a single copper and single fiber connection need, then the T630 or the non-plus version of the T620 can work, but you’ll need to buy the fiber card and connection since most do not come with it installed. You could build one as a temporary fix and wait until Netgate has them in stock if you want the Netgate branded product. As break fix it might be good to have one of these self built machines in your toolbox for a repair. Consider it like a good RJ45 punch tool, good ones can cost over $100 (though not sure why).

But to Fred’s suggestion, yup you can buy old ASA for cheap, and get them with warranties from Cables and Kits if you want to spend the extra money.

Just a couple of thoughts.

Arizona State University has a surplus store where they sell old systems for discounted prices. I got a dell 390, i5-2400 w/ 8GB ram for $49, added an Intel nic, an ssd and I have my basic pfsense.

Check with your local University if they have a surplus store.

Zero shortage of firewalls here…we use Untangle, a full blown UTM firewall, the Untangle license is for the software. We use industrial grade appliances to run it on (none of the cheap junk). Protectli, NexGenAppliances, various SuperMicro network hardware. Across those 3, no shortage.

I see Untangle is now part of Arista, I wonder how that will change the pricing? I may need to see what they can do for educational pricing, might help with a few things.

Appreciate the feedback. I’ve been very interested in checking out the untangle product but most clients I deal with are smaller (fewer than 10 employees) and averse to a subscription fee. Untangle looks like an amazing product but the appliances and fees are amazing too :frowning:


Thanks for the link! I bought the exact machine you linked. That’s an excellent price!

It has been good to me so far and you can use it to connect several networks without getting into vlans if you have physically separated gear.

I currently do not run Suricata at home, I think it is capable of doing so as I don’t use very much processor at work (8 core at work). I did go up to 8GB at home, and CPU normally runs around 5% when I’m using it for internet stuff. No real routing done at home.

You may also look into Zentyal Community Edition for some clients, gives better features than consumer home routers, and will route out to other networks. I run this at home for a domain controller, but no routing. Not sure if Zentyal can run Snort or Suricata, I should probably look into that. Since it is Linux, it will run some of the other tools that pfsense won’t want to run easily like Crowdsec. Stuff to look into and options to be presented.

I do wish these “name brand” thin clients had newer options with a PCIe slot, they make great little devices for some things, and if they keep them cheap… Otherwise, as mentioned, go up to an SFF size chassis and you can get i5 and i7 6xxx series and newer for $200 and they make great bigger devices to have on hand for emergencies.

I second ProtectLi. I have one of their four port units. They have a good support team.

I third it. I’ve been happily running pfSense on a FW4A for 4+ years without a hitch. Great device and superb support team.

-MB

The following “fat” thin clients have a PCIe slot that you can drop a four port Ethernet card into:

HP T620 Plus
HP T630 Plus
HP T730
Fujitsu Futro S920

If you go for the Fujitsu, make sure you get one that already has a PCIe Ethernet card, or one with the discrete PCIe graphics card option. Not that you’ll use it, but that guarantees that it will have the PCIe riser that you need for an Ethernet card.


I’ll have to change my recommendation, some of the T730 are just as cheap as the T620+ with newer processor (by a generation).


Be aware that some of the HP T730 come brand new in box with a BIOS password. This includes the first search result that eBay showed me.

From a brief Google search it seems the best (only?) way to remove the BIOS password is to remove the socketed BIOS chip and use a $20 chip reprogrammer to reflash the BIOS chip. Doesn’t seem too difficult, but it does mean you won’t have BIOS access when you receive it.

Probably going to get beaten to death for recommending this, but…

  • Netskope
  • ZScaler
  • Perimeter 81

Problem solved.

If we’re going to start naming “best of Gartner magic corner” SASE/SDWAN solutions, let’s include Versa Networks.

I only posted the ones I personally worked with (and still work with). I don’t read Gartner :slight_smile: These solutions are top notch, and the fact that the entire security stack is cloud based frees you from any hardware constraints. I love the SaaS aspect of it. And as an MSP, they all have partner and reseller programs.