How long to learn OPNSense adequately for secure enthusiast home setup?

[IanBJ]

Hi folks.
I've a lot of IT experience but very little Networking knowledge. I want to replace my basic home LAN with new kit and a good, pretty secure network. I'll have about 20 Cat 6 wired ports + WiFi. I would like to introduce good security, network level VPN, VLANs (for less secure devices, etc.) and VOIP capability. I have a NAS and may add security cams and will be streaming AV. Time and ease of management are important to me.

I am considering either going with
a) Ubiquiti UDM-Pro + their 24 port PoE switch + AP(s) + a new modem (Draytek Vigor 166?) [for UK - BT/Openreach FTTC broadband] ; Or
b) OPNSense + hardware (modem, router and switch, APs ). But I realise that'll mean quite a lot of learning and time to configure and manage, so...

Can you please give me ballpark ideas for:

1. How long would it take me to get a fair understanding of the Networking principles etc. and skills etc., and then to set up an OPNSense network for the above scenario?  [ How long's a piece of string? Well - yes, but some idea would be useful. ]

2. Are there any Networking books etc. that you'd advise reading first, additional to the OPNSense documentation (and Forum + web articles)?  [I like to understand what I'm doing and why, rather than just follow formulae/directions.]

Many thanks,    Ian

[bartjsmit]

Hi Ian,

I looked at a full Ubiquiti stack a year or so ago, and would have went for it if it had supported multiple WAN IP addresses. I still use it for internal switch/AP gear.

You can get a basic OPNsense firewall up and running within the hour and add the other features as you learn more, if that's what you want. It took me a month to get fully conversant with VLAN and OpenVPN jargon. https://www.theregister.com/2017/06/30/vlans_at_20/ and https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/ will get you started.

The Unifi stuff has a different philosophy which is more SDN-like; you define your VLAN's and SSID's centrally and the controller will configure them on the devices that you select.

If you have a single WAN IP (which always was my lot with BT) then you need to decide if you want to get into networks or have stuff that does it all for you. There are of course other considerations about closed vs. open source but they are not related to your question.

Bart...

[IanBJ]

Hi Bart, and thank you for your helpful reply.
Did you start your "month's learning" from a no/little networking knowledge base or is that a month to tune in to OPNSense from a networking background?

What's your opinion of the Ubiquiti kit? Some seem to have issues with it's reliability and lack of support and missing features.

I think I like the concept of a SDN approach - but lack the networking knowledge/experience to know whether it's a good approach or not. Conceptually it sounds an improvement maybe.

If the Ubiquiti UDM-Pro kit/software is not too limiting, then the idea of reducing learning, implementation and maintenance load appeals.

Any recommended reading/books (additional to the 2 links you gave)?

Regards, Ian BJ

[bartjsmit]

Hi Ian,

I'm a veteran, I'm afraid - 30 odd years in the biz although mostly infra instead of networks. I started with the NT4 Microsoft ticket which had a good intro into its network stack. Cisco has been the gateway into networking for most though. Udemy has a few CCNA courses which will set you back a tenner if you buy them on your phone. There's loads of sites and vids on "ccna 200-301".

I very much like the Ubiquiti system and have had no bad experiences nor heard of any from those I recommended it to. Lack of features are a side effect from SDN I think. You are at least nudged into a general direction by the SDN design. Take a look at TP-Link as well. Their Omada kit is cheaper but doesn't look as nice and there is more peer support for Unifi.

Perhaps as a compromise between off-the-shelf and tinkering, you can run your Unifi controller in Docker on your NAS or on an RPi:

https://github.com/linuxserver/docker-unifi-controller
https://unifipi.com/

Bart...

[IanBJ]

Hi and thanks Bart.
I'm also a "veteran" - now retired several years with 40+ in IT, mostly analysis, design, a lot of database work (Oracle, etc), ETL, systems architecture, business analysis and process design. Some coding - Fortran IV, C, PL/SQL, etc. Data warehousing, automated warehouse systems, finance, general business processes, etc... All UK based.

Unfortunately TP-Link is a Chinese company, like Huawei. That's a security risk I won't take and a regime I won't support if I can avoid it. Regretable because TP-Link's approach looks interesting.

Looks like I'll be trying the Ubiquiti kit with a UDM-Pro etc. and go from there. Might then learn some networking skills in slower time as needs arise.

Best wishes,    Ian

[Greelan]

I went full stack UniFi about 2 years ago - USG, USW, UAP. While the idea of controlling everything in one place has its appeal, I’ve found overall my experience disappointing. I swapped out the USG for an OPNsense box about 8 months ago, and eventually I will replace the other kit. I became frustrated with the limitations of the GUI (exacerbated for the UDM because it doesn’t have the alternative of CLI configuration, like at least the USG did) and really, really disappointed by buggy firmware. My UAPs are running firmware that’s around 15 months old because that’s been the most stable of any version since. And even then I have random or persistent issues for which there is no sign of a fix (eg I have a cron job running on my controller to reboot the UAPs every week as otherwise mDNS eventually stops working).

YMMV, as I guess in part it depends on what your network design involves and what features are required. But I’ve been a LOT happier with OPNsense.

[lilsense]

Hi,
   So I started the same back in the NT4 days and Cisco, yada, yada, yada...

I use the Unifi Dream Machine Pro with couple of AP's. I didn't feel it was doing much from security perspective as I was unable to verify anything it did. I mocked around with it for a while and then realized the OPNSense makes more sense.

Now, I have an OPNSense as my WAN router... Still not sure how to set up the UDM Pro so that all the double NAT'ing would go away...