Messages

1

Hardware and Performance / Re: AliExpress or Amazon Prime Day Deals?

« on: October 17, 2024, 05:57:20 am »

... how to get the single connection to the firewall when the firewall gets moved from host to host during patching? And also spoof the MAC while I'm doing all that?

Hi Greg!

Ouch! The more we talk about this, the more I'm convinced to go bare metal!

Just waiting for the Protectli v1410 to come off back order, or to see if maybe the v1610 is going to be released soon and if it is reasonably priced. I don't think I will need the extra ports, or even the faster processor. But I'm a little concerned about being tied to 8G ram forever. I don't have any experience with OPNSense. On the other hand, I've never regretted having more ram, or being able to upgrade it later.

Related, the soldered on ram concern is making the Topton N5105, 4x i226v box at $120 w/o memory or storage pretty tempting. I would like to support Protectli and benefit from their work and that community. But the cost delta is pretty significant, especially because I have a stick of DDR4 and some old 2.5" SATA SSDs on hand, which the Topton can use...

Too many choices! 

2

Hardware and Performance / Re: AliExpress or Amazon Prime Day Deals?

« on: October 15, 2024, 07:03:30 pm »

I will always advocate for a dedicated box doing security stuff at the edge
...
No hypervisor is designed to be internet facing
...
otherwise there would be no more physical firewalls to speak of in decades...

Hi again @newsense. Thank you for your inputs!

I agree the common/proved wisdom is to run edge security bare metal on it's own box. Another benefit not mentioned yet is decoupling maintenance cycles on the edge and the VM platform. It's nice to have the internet up as you're patching your VM platform.
...
I don't agree that hypervisors should not run public-facing hosts. In fact, I think it is common/best-practice to run most/all public facing hosts (eg. mail, web, etc.) virtualized as the security and non-security benefits outweigh the risks, which can be managed.
...
I believe the main reason for the persistence of physical firewalls is to maintain consistent performance without fear of resource contention and with relative freedom to develop complicated rulesets, DPI, VPN, etc. My experience managing networks with many hundreds of clients and many tens of thousands of connections using software-based firewalls (Checkpoint, Sonicwall) versus ASIC-based firewalls has imprinted me for life.  :'(

Fortunately, this is not my use-case here. I'm only building a residential gateway for 2-4 people and approximately zero public facing services.  (A future camera server behind a VPN is the only exception I can think of ATM.) My original concern was that possibly the overhead from virtualized I/O might prove too costly to maintain throughput on a small, fanless device. But since then I've read more about Proxmox CPU and NIC pinning, and I believe one can work around virtualized I/O overhead.

That said, I think it probably is wiser to run edge security/routing on bare metal, mostly to keep Internet access disconnected from internal maintenance events as mentioned above. So I will probably head that way and Protectly is still the leading option. And yeah, running a second internal firewall on a VM might be fun. I may look at that in the future.

Thanks again!

3

Hardware and Performance / Re: AliExpress or Amazon Prime Day Deals?

« on: October 14, 2024, 04:36:29 pm »

Okay, so I watched a bunch of servethehome videos and now I’m particularly interested in the Qotom Q20331G9. (https://youtu.be/AKUTzjA1grE?si=3wLSoO0jk99JTy4x)

The Qotom is more expensive than the Protectli V1410. And with the Qotom, I would give up coreboot and live with the stock AMI BIOS. (After doing further reading, I was probably over-concerned about rogue BIOS anyways.) But in every other regard, the Qotom is far superior/future-proof. Especially attractive to me is the Atom 8 core processor and more expansion for memory and storage.

There is just one niggle…

Part of my justification for spending more on the Qotom would be to also build a NAS server on the same system, which implies virtualization to keep the edge firewall isolated from the internal NAS. But I’ve seen some comments that putting OPNSense in a VM is not a good idea due to lower I/O on the virtualization stack. Is this true? Is it not possible to “hardwire” a few NICs to a VM to bypass the virtualization overhead?

Or would it be wiser to just keep it simple and purchase a less capable device (eg Protectli V1410) and run only OPNSense bare metal?

Thanks in advance for any comments or suggestions!


Sent from my iPhone using Tapatalk

4

Hardware and Performance / Re: AliExpress or Amazon Prime Day Deals?

« on: October 12, 2024, 07:14:47 pm »

Hello [mention]newsense [/mention]!

This is super helpful — thank you very much!

I had heard of coreboot, but really didn’t know much about it. After doing a little research, coreboot will definitely be a requirement for my build.

Likewise, I really like the Protectli products. Not much more expensive than comparable Ali products (maybe $50?) but includes coreboot out of the box and US based support. So I’m pretty sure I will go with them.

I just need to decide 2 or 4 ports. I have VLAN capable switches downstream, so 2 ports could be enough. But the 4 port V series comes with 8 rather than 4 gigs of ram and more physical ports is always good, right? (Multi-WAN? separate physical network for WiFi? other?)

Anyways, this gives me a good start.

Thank you again!

5

Hardware and Performance / Re: Advice needed - VLAN's, subnets.

« on: October 12, 2024, 05:44:10 pm »

Is it advisable to have the containers on a different VLAN? …
But if I do that, I would need an OPNsense rule to allow traffic between my main LAN and the VLANS so I can access them locally …
doesn't creating that rule make it a free for all between the LAN / VLANS, defeating the object of isolation in the first place ?

Hello. I’m also new to  OPNSense but have managed other firewalls so am happy to address the gist of your questions. In short:

1. Yes, it’s advisable (essential?) to put public (a.k.a. DMZ) services on a different VLAN than your main internal VLAN.
2. Correct, once you have them on different VLANs connected to the router, you will need to create rule(s) to pass the necessary traffic.
3. No, this is not at all the same as having the Docker containers on the same VLAN as your internal management hosts. 

I think the part you may be missing is the rules on a firewall can be used to create “pinholes“ that allow only a very narrow subset of traffic categories to travel between hosts. Moreover, unless your docker containers are initiating some kind of callback onto the internal management hosts, you would want to prevent all network connections initiating on the docker containers from reaching your internal VLAN. This to me would be the main security benefit as my primary concern would be a breach on the public facing docker containers providing a vector to allow a rogue actor onto your internal network.

Without the separate VLANs, a breach on a public facing docker container may allow the rogue to probe every service on every host on your internal network. That’s a very bad situation.

Hope this helps!


Sent from my iPhone using Tapatalk

6

Hardware and Performance / Re: AliExpress or Amazon Prime Day Deals?

« on: October 12, 2024, 12:18:41 am »

Okay! I will keep researching options from Topton and similar vendors.

Thank you again [mention]meyergru [/mention]!


Sent from my iPhone using Tapatalk

7

Hardware and Performance / Re: AliExpress or Amazon Prime Day Deals?

« on: October 09, 2024, 05:13:29 pm »

…do not buy devices with REALTEK NICs...

Thank you!

This excludes the Amazon option. The AliExpress option has 4x Intel i226 which I understand is supported FreeBSD/OPNSense.

Should one be concerned about the security of a BIOS provided by an unknown manufacturer? (Topton)

Is this even a reasonable question?

Thank you again!


Sent from my iPhone using Tapatalk

8

Hardware and Performance / AliExpress or Amazon Prime Day Deals?

« on: October 09, 2024, 04:38:52 am »

Hi All,

I'm new to OPNSense and would like to dip my toe in without spending much money. My eventual goal is to use OPNSense for my home network, replacing an older Fortinet N30. There's just two people using the network doing standard streaming, work from home, etc. and probably a dozen or so devices, wired and wireless. (I already have WiFi; just looking to replace the gateway.) So not very heavy network load, but would like to VPN in and play with and learn the various OPNSense modules.

Today and tomorrow are Amazon Prime Days. When I search "opnsense" they show a few mini PCs with dual NIC discounted about 30%. For example:

Beelink EQR6 Ai Mini PC, AMD Ryzen 5 6600H(8C/16T, Up to 4.5GHz), Mini Computer 16G DDR5 RAM 500GB NVMe PCIE4.0 SSD, Copilot Micro PC 4K@60Hz Dual Display HDMI/WiFi6/BT5.2/1000Mbps/W11 Pro https://www.amazon.com/gp/product/B09K39RJDQ/ref=ox_sc_act_title_1?smid=A1U8KYR6GMVLRX&th=1

Is this reasonable hardware to run a home firewall?

Or should I be shopping AliExpress, for example:

2024 pfSense Firewall Soft Router N100 N5105 N4000 4xIntel i226 2.5G LAN 2xDDR4 NVMe Fanless Mini PC HDMI2.0 DP AES-NI OPNsense
https://www.aliexpress.us/item/3256807066615315.html?src=google&pdp_npi=4%40dis%21USD%21164.81%2192.29%21%21%21%21%211%40%2112000039954707746%21ppc%21%21%21&src=google&albch=shopping&acnt=708-803-3821&isdl=y&slnk=&plac=&mtctp=&albbt=Google_7_shopping&aff_platform=google&aff_short_key=UneMJZVf&gclsrc=aw.ds&albagn=888888&ds_e_adid=&ds_e_matchtype=&ds_e_device=c&ds_e_network=x&ds_e_product_group_id=&ds_e_product_id=en3256807066615315&ds_e_product_merchant_id=106450275&ds_e_product_country=US&ds_e_product_language=en&ds_e_product_channel=online&ds_e_product_store_id=&ds_url_v=2&albcp=19678427463&albag=&isSmbAutoCall=false&needSmbHouyi=false&gad_source=1&gbraid=0AAAAAD6I-hFf8jXSWWgdtnnn-lsvPoC-1&gclid=Cj0KCQjwsJO4BhDoARIsADDv4vCQyHF2WXN6lWYQMkrdeP3nJDFbbDWUpla5hBl1qhkHGr8tA2YEg54aAodJEALw_wcB&gatewayAdapt=glo2usa

Any help on finding a cost-efficient way to start using OPNSense will be much appreciated!

Thank you!

9

Hardware and Performance / Re: Recommend approach for Wifi APs

« on: October 09, 2024, 04:07:15 am »

At 15 APs you want something with centralised provisioning, IMHO...

Agree!

I'm new here but thought I would share my experience using Ruckus. Ran two schools starting with about 15 APs and grew to about 60. The 700 series APs had fantastic client density. Management was a virtual Smart Zone VM. UI is a little wonky but once you get used to it, it's not bad.

I have two Ubiquiti at home and they're simpler to manage. But I cannot compare/offer advise on Ubiquiti WRT to client density. I still think Ruckus is probably the best in this area. IHMO.

Curious if others can compare Ruckus and Ubiquiti client density.