New router/firewall device

Posted: Fri Jun 23, 2017 10:12 am
by Genom
So, got myself one of those Chinese micro PCs to load up one of the router/firewall OSes. So far pfSense seems to be the leading contender for me, but curious if anybody has compared it to the other ones like OPNsense, IPCop or VyOS and had an opinion.

Re: New router/firewall device

Posted: Sat Jun 24, 2017 3:33 pm
by normalicy
I'm just so leery of Chinese electronics that are connected to the internet. I don't want to be part of some hacking program for them.

https://www.theregister.co.uk/2017/03/0 ... or_claims/

Re: New router/firewall device

Posted: Sat Jun 24, 2017 4:55 pm
by FlyingPenguin
I've been tempted to build myself a pfSense box, but I really like my Asus RT-N16 with Tomato Firmware. It does everything the fancy commercial stuff does, and should be a lot less hackable than off-the-shelf routers.

I've spent months tweaking my QoS settings so I really don't want to start over with a new router.

Re: New router/firewall device

Posted: Sat Jun 24, 2017 7:39 pm
by Losbot
I haven't played with pfSense yet. I've got a Sonicwall at home that works nicely.

Re: New router/firewall device

Posted: Sat Jun 24, 2017 11:38 pm
by Genom
I like the RT68 router I have been using for a bit with the Merlin firmware a lot, but wanted to play with something different and potentially better and am liking this setup so far. The box came with Win10 (not licensed) but that gets blown out with the router install. The functionality is great, and it is super flexible. Realistically took about 15 minutes to get the basic router up and running and then I spent all day just learning all the different goodies it has. Set up a VPN client connection to my work VPN and set up what machines should ride that network for what data, etc. Makes my work laptop (that has to sit on the VPN all day anyway) much nicer to live with as I only route work traffic through the VPN, and everything else is going over my regular connection.

Now that it is all set up and I have made a config backup, I'll blow it out tomorrow and set up OPNsense and see how it compares. I already know OPN doesn't have an adblocker addon that is quite as transparent, requiring setting up a transparent proxy, but there are workarounds for that. Once I have played with OPNsense, I'll then try IPFire or ng. Then whatever I ended up liking best will go back. Only downside is of course, right after I get the mini PC, I find out pfSense is going to require processors with built-in crypto instruction sets (that this Celeron does not have), but that release is 2-3 years away so not too worried about it.

On the flip side, the mini PC is pretty decent. 190 bucks got me a quad core Celeron 1900, 4GB RAM, 32GB SSD and 4 Intel-based 10/100/1000 ports. Tiny little fanless box so there is no noise, and it sits next to the modem on top of my main managed switch.

Re: New router/firewall device

Posted: Sun Jun 25, 2017 6:36 pm
by Losbot
Post the link to the mini PC. I'm curious.

Re: New router/firewall device

Posted: Sun Jun 25, 2017 7:57 pm
by Genom
This is the one I got:

https://www.amazon.com/gp/product/B01N6 ... UTF8&psc=1

It came with a USB wifi card, but that's trash as far as I am concerned. Besides, my other 2 wifi routers work perfectly fine as APs.

Played with OPNsense today. It's been hardened a bit more than pfSense, but being a pfSense fork only 2 years old, it's still missing a few features that are more "comfort" things for home users. I've reverted to pfSense for now. Next weekend I will try out some of the other ones since I spent so much time in OPN today.

On the flip side, the backup/restore process with pfSense was painless. Just reloaded the OS, loaded the backup config, and it did everything else including downloading and configuring some extra packages I set up.

Re: New router/firewall device

Posted: Mon Jun 26, 2017 6:04 pm
by psypher
pfSense is a great choice, much better than Tomato. You can throw lots of hardware at it as a firewall with and without wifi. OPNsense is also another good alternative to it which was forked from pfSense, but mostly re-written.

Re: New router/firewall device

Posted: Sat Jul 01, 2017 2:33 pm
by ZYFER
normalicy wrote: I'm just so leery of Chinese electronics that are connected to the internet. I don't want to be part of some hacking program for them.

https://www.theregister.co.uk/2017/03/0 ... or_claims/
In all fairness, aren't they almost all Chinese electronics these days?

Re: New router/firewall device

Posted: Sat Jul 01, 2017 3:12 pm
by Genom
This also isn't an IoT device, just a mini PC. Yeah, there may be something in the BIOS I am unaware of, but the risk is minimal in that regard since the software is its own thing and you can't get too paranoid or you won't use anything, since pretty much 100% of electronic devices out there today have something made or assembled in China.

Re: New router/firewall device

Posted: Sat Jul 01, 2017 4:12 pm
by normalicy
ZYFER wrote:
normalicy wrote: I'm just so leery of Chinese electronics that are connected to the internet. I don't want to be part of some hacking program for them.

https://www.theregister.co.uk/2017/03/0 ... or_claims/
In all fairness, aren't they almost all Chinese electronics these days?
I'll agree, it's increasingly hard to find anything that isn't made in China or at least Chinese parts. My main thing is that I'm terrified of anything that is "the internet of things" being of Chinese manufacture. Especially if it isn't a vetted out brand. I will say that there are some well known solid products out there that are Chinese made, but every security expert on the planet has seen them and had a chance to give them a go-ahead.

Just to clarify, I don't mind a Chinese capacitor or resistor or diode. But to be wholly designed and manufactured in China is a whole different thing. They can intentionally build a back door in the hardware. At least if it's made in another country that is one of our allies, it's unlikely that even using their components that a back door could be made, especially if the main chipsets are made in other countries. I'm even OK with Taiwan due to the fact that they really separate themselves from China. I'll even accept an item that was designed in the US and built in China, but it doesn't make me feel warm and fuzzy at night.

Not to say that other countries wouldn't or couldn't do a back door, it's just that the people of China are much more bold faced about it and are getting away with it.

Just out of curiosity, I checked into some of the router manufacturers' country of manufacture and I'm saddened:

Linksys: Mostly made in China
Netgear: All China
Asus: Almost all China
D-Link: About 50/50 China/Taiwan
TP-Link: China
Synology: Taiwan
Trendnet: China
Belkin: Mostly China

Re: New router/firewall device

Posted: Sat Jul 01, 2017 7:12 pm
by FlyingPenguin
I stick with my Asus RT-N16 with Tomato. One has to assume (hopefully) the Tomato firmware has nuked anything nasty that might have been in the factory firmware - be it a bug or intentional.

I'm running EasyTomato on the old house, but I've configured a new RT-N16 for the new house that's running the more advanced Shibby Tomato. It allows me to configure multiple VLANs. I have it set up with two isolated VLANs: one for the main (secure) network and one for the Guest/IoT (insecure) network. There will be a dedicated network jack in my office on the insecure network for bench testing client PCs to keep anything nasty from infecting the network.

I was thinking of picking up one of those Ubiquiti EdgeRouters, but I hear they are a bitch to program. I'm very comfortable with Tomato.

Re: New router/firewall device

Posted: Wed Jul 05, 2017 3:17 pm
by b-man1
My R-16 blew a capacitor (based on the googles, it's pretty common) and I ended up going with an EdgeRouter X. The config isn't bad at all, and it's quite powerful for $49 or whatever they go for now. I also set up a VPN through it so I can connect to it from my mobile phone when on open wifi...works great.

Re: New router/firewall device

Posted: Wed Aug 02, 2017 3:47 pm
by Cap
Second the EdgeRouter X, or the easier to set up USG by Ubiquiti. Recently moved up to the Charlotte area, and set up the new house with an EdgeRouter X, UniFi PoE switches, and AP AC Pros https://www.ubnt.com/unifi/unifi-ap-ac-pro/

So far all works amazingly, and the Router is a great value for all it does.