Firewalls recommendations for fast Inet connections

Networking and broadband talkabout. Need help with that new router or setting up a network?
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Firewalls recommendations for fast Inet connections

Post by FlyingPenguin »

Well I've joined the pfSense universe. I love that little Ubiquiti EdgeRouter X, but I want to start implementing some additional features that it doesn't have the horsepower for. I'd like to set up my own OpenVPN for one thing, and do some more advanced logging and some intrusion detection/prevention. Also, we're supposed to have 1Gbit available from Comcast around here soon, and that EdgeRouter X maxes out at around 500Mbit - even less with QoS enabled. QoS is actually choking it a bit right now at my 200Mbit bandwidth.

It's a bit overkill but after a lot of soul searching I decided to go with the monster SG-5100. I was thinking of getting the SG-3100 to save money, but reading up on it, it sounds like it would be a little underpowered for everything I want to do AND a 1Gbit connection. Plus I like the idea of having the extra 3 ports to play with. I could see the utility of setting up a 3rd LAN segment for the Nanobeam connection to the old house, to isolate it from the trusted and guest LANs at the main house.

Pricey, but it was on sale for $100 off, and I had a credit with them for another $100 which helped.

Was up late last night configuring it. Took me a while to figure out how to set up one of the extra ports as a Guest network with a separate LAN segment, but I figured it out (one nice thing about the Ubiquiti, it has a wizard built in for two networks).

I must say, I like the elegant way the firewall rules work in pfSense. Now I need to play with traffic shaping.

The old Ubiquiti will stay on the shelf as a spare in case something nukes the new router.

https://www.netgate.com/solutions/pfsense/sg-5100.html

"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Losbot
Almighty Member
Posts: 4991
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Re: Firewalls recommendations for fast Inet connections

Post by Losbot »

I love having extra ports. I ended up with the SonicWall TZ500W in the end. I don't use the WiFi on it but I will eventually turn it on.
I was able to save my old SW config and load it into this new one. Too easy.

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Firewalls recommendations for fast Inet connections

Post by FlyingPenguin »

I'm really liking this box. I've been studying how to configure the Traffic Shaper for the LAN and bandwidth limiter for the Guest network. Once I get that set up I'm going to play with setting up OpenVPN.

The box has a 4 core Atom processor, but it's fanless. The entire top cover is a heatsink.

It's a lot bigger than the old EdgeRouter-X but it just barely fit without moving anything else. In the photo below it's in the upper left corner to the left of the white Wifi access point.

I also took the opportunity to do a bit of wire management. The original patch cords I ordered for connecting the switch to the patch panel were 3 feet long and had a lot of slack. I replaced them with 1 foot patch cords which neatened things up a lot.

Image
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Firewalls recommendations for fast Inet connections

Post by FlyingPenguin »

Okay, finally got the guts to configure Traffic shaping (QoS) on the trusted LAN and set up a bandwidth limiter on the Guest LAN (after making sure my configuration was backed up of course).

pfSense is definitely harder to work with than the Ubiquiti router, but I can see it's a lot more powerful. My biggest problem is remembering that "in" and "out" in the rules is from the perspective of the router seeing the LAN(s). "In" is upload and "out" is download. Once you get your head straight with that, it's all cool.

Had to dig around for some examples but I figured it all out. I used the simplest wizard for the QoS on the trusted LAN using bandwidth set for 15% less than my actual bandwidth, and giving preference to games and Teamspeak. Getting a nice "A" rating for buffer bloat on DSLReports speed test.

On the GuestLAN I've set hard bandwidth limiters of 15Mbit/s down and 3Mbit/s up (my total bandwidth right now is a fairly consistent 175/12). That should be sufficient for visitors and the two IoT devices I allow on there, and prevent anything that's misbehaving from hogging all the bandwidth.

NEXT PROJECT: Setting up OpenVPN!