darkone (\/) (;,,,;) (\/) 11610 Posts
I'm thinking of using pfSense. Should I be using something else? If so, why? 4/28/2016 11:23:49 AM
smoothcrim Universal Magnetic! 18966 Posts
Car/Tow Vehicle: Toyota Camry or something else. I'm thinking of getting a Camry. Should I get something else? If so, why? 4/28/2016 12:02:41 PM
darkone (\/) (;,,,;) (\/) 11610 Posts
Ok. How about this. I'm replacing an ancient (circa 2005) Cisco firewall in my lab. I don't want to spend a lot of money. I don't need a lot of extravagant features, but I do have 10-30 connected devices and I'd like to be able to saturate the outbound connection. 4/28/2016 12:18:33 PM
FroshKiller All American 51911 Posts
For the love of God, don't use whatever Smath74 was using. 4/28/2016 12:23:33 PM
darkone (\/) (;,,,;) (\/) 11610 Posts
No kidding. LSD and depression make for terrible network security. 4/28/2016 12:29:38 PM
smoothcrim Universal Magnetic! 18966 Posts
Without knowing your outbound connection, I've been a fan of Ubiquiti for super simple stuff. MikroTik boards are great if you want to run OpenWrt and swap in radios over time on various spectrums.
[Edited on April 28, 2016 at 3:15 PM. Reason : pfSense seems like a good idea until you factor power cost] 4/28/2016 3:15:06 PM
darkone (\/) (;,,,;) (\/) 11610 Posts
I'm on campus, so most of the network links are gigabit, though connections to the internet seem to be capped at 100 Mbps. I don't know if that's per user or per port. 4/28/2016 3:46:08 PM
Grandmaster All American 10829 Posts
I have about 20 pfSense/Netgate appliances. It's much cheaper than Cisco, and no one really has been able to give me a huge negative about using them.
I also have one location where I used the Ubiquiti router, but mostly I just use their APs.
In addition to that, I've been using some form of it since before it forked off and was still m0n0wall. It's legit. I had like a 2-year uptime on an OptiPlex with 3 NICs before I replaced the equipment with a C2758.
[Edited on April 28, 2016 at 4:36 PM. Reason : ] 4/28/2016 4:28:41 PM
darkone (\/) (;,,,;) (\/) 11610 Posts
Due to troublesome purchasing rules, I think I'm going to use this for a pfSense appliance: https://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm (Intel Atom C2758, 8-core, 20 W TDP, C2000 SoC with I354 quad GbE controller), adding 8 GB RAM and a small SSD.
Total cost: ~$640
Any problems jump out to anyone?
I know if I ditched the rackmount option I could get a little faster hardware for the same price point. 4/28/2016 5:33:09 PM
Novicane All American 15416 Posts
Would an isolated VLAN with ACLs not suffice?
[Edited on April 29, 2016 at 8:45 AM. Reason : dd] 4/29/2016 8:45:30 AM
darkone (\/) (;,,,;) (\/) 11610 Posts
Folks seem to like Ubiquiti. This seems like a cheaper option than what I posted above, but I have no idea what the performance and feature trade-offs are:
https://www.ubnt.com/unifi-switching-routing/unifi-security-gateway-pro-4/ 5/2/2016 12:54:10 PM
darkone (\/) (;,,,;) (\/) 11610 Posts
Anyone have opinions on pfSense vs. OPNsense? 5/6/2016 3:16:15 PM
Grandmaster All American 10829 Posts
wtf is OPNsense. Dude, just use pf 5/6/2016 3:26:57 PM
darkone (\/) (;,,,;) (\/) 11610 Posts
I'm going to. I did some more reading and it seems the OPNsense fork is mostly hype. 5/6/2016 4:41:07 PM
Grandmaster All American 10829 Posts
Yeah, and sketch as hell if you saw the same posts on reddit as I did, and it looks like there's still drama going on with it.
https://twitter.com/gonzopancho
Like I said, I have nearly 20 of the Netgate appliances, about 50/50 whether I purchased them directly from pfSense (I try to do this for the 1 year free support and also to support the project). The unbranded ones were when I waited too long to order and the stock wasn't going to be refreshed in time. All are still going strong with years in service.
The support staff is awesome as well. I've only had a couple "HALP SHITS ALL FUCKED MAYDAYMAYDAYMAYDAY" incidents, and they let me use one of my unused incidents from another device to cover the older one having an issue.
The last I remember was an issue with IPsec where I had added a /18 and racoon had an auto-exclusion rule in place for the individual site's IP address, but when I upgraded one location to the latest version of pfSense they had switched to strongSwan and that exclusion never made it over, but they had intentions to bring it back. That was a year ago and honestly I had forgotten all about it.
I honestly have so much trouble maintaining the Ubiquiti stuff I don't think I could recommend that you use it over pfSense. I mean it's fine equipment and stable and cheap enough, but I can never get the L3 config right, the management tools are Java-based, and it's just annoying as hell to try and manage an AP across VPN or through AWS. Part of that could be me of course, but pfSense just works.
-- Also worth mentioning: I did what you're doing in the beginning of my pfSense adventure. 5 years ago I used old decommissioned hardware to replace residential routers, then 2 years ago I purchased a couple Supermicro boards like the SYS-5015A, and now finally I settled on the preloaded appliances when my workload increased and 10 Mbit DSL was being replaced with fiber and the VPN became more and more important.
[Edited on May 6, 2016 at 8:11 PM. Reason : ] 5/6/2016 8:02:47 PM
wwwebsurfer All American 10217 Posts
I use Untangle - if you're considering pfSense it's worth a look: its core is based on it. When I used to do installs, Untangle + UniFi was all I put in; they're unmatched for the coin in my book. For multiple buildings/locations they're unmatched period (unless you want to spend serious dollars on a Cisco stack).
Pros:
- FREE
- Excellent VPN integration, including full-time split tunnels between locations
- Decent ad blocking at the router
- Excellent QoS controls
- VLANs are easy to route/configure
- Maintains itself extremely well (very few late night calls about content filter updates breaking things)
Cons:
- The *choice* features are subscription (multiple WAN, advanced content blocking, WAN accelerator etc)
- Fully utilized routing stack adds 3-5 ms
Test cases:
- Small office, 100/100 Mbit fiber, 2 full time VPN employees, ~10 in-house employees
- Several home offices, 300/20 cable internet 5/8/2016 7:28:47 PM
jimmypop All American 1405 Posts
What about Meraki?
https://meraki.cisco.com/
Several of our clients use them, and a bunch of folks internal have them for their homes. Cisco gives them to partners who attend a training course. They are stupid simple to set up and manage. I've only dealt with the switches, firewalls and APs. 5/23/2016 9:57:51 PM
wwwebsurfer All American 10217 Posts
^Meraki are the Cadillac of wireless networks; everything else in that product line is a support product that interfaces with their cloud manager thing. A direct comparison would be like an ASA device for just firewall/routing.
Meraki is also an order of magnitude more expensive than competing products. Cisco builds them as a "solution" - grab their firewall/VPN, WLC, a fistful of APs, a stack of licenses, and your McMansion/church/office will be blanketed in arguably the best wifi money can buy. Self-configuring site-to-site VPN, meshing, fantastic deployment tools... and those Z1 telegateways are the things dreams are made of if you have, ahem, non-technical C-suite occupants.
Or you could put up an Untangle/pfSense box, a dozen Ubiquiti UniFi radios and fill a trash bag with small bills in leftover cash (or visit sawahash at the beach). The UniFi cloud configuration tool isn't as slick or robust, but it's more than serviceable. If you're worried, buy the little management controller stick - it's still much, much, much cheaper than Meraki licenses.
If you're swimming in enough cash that Meraki is on the table for your home, well, A+ 5/23/2016 11:53:08 PM
Grandmaster All American 10829 Posts
Those internal folk that have them probably watched a webinar and are "perma-testing" the free one at their home office. 5/24/2016 6:59:02 AM
jimmypop All American 1405 Posts
Attended a class. I haven't had the chance to go yet. The "free" ones come with a 3-year license. What happens after that expires? I've got no idea. I know a lot of folks are using the free switches as a part of their home lab environment.
They are nice devices. I never really thought of them as the Cadillac. Compared to an ASA, Fortigate, SonicWall or Juniper they are easy to set up and maintain. Palos aren't too bad though. I just like them because I'm not a networking guy and they are easy for me to understand... lol 5/24/2016 5:27:51 PM