gzibell Posted November 7, 2017
Hey All, Hoping to get some advice on what router/firewall you guys are running. I had been running a Netgear router flashed with DD-WRT for quite a while but that died. We use the Meraki product line at work so I brought one home and used that for a few months. The one really nice thing the Meraki offers is the reporting. It is really nice to log into the management interface and see what devices, applications, etc. are using bandwidth and how much. This can be filtered by day/week/month or custom time frame. Not that I need this reporting, but seeing SSL Encrypted traffic accounting for the majority of my usage for some reason makes me sleep better. I set up a pfSense box and have been using that for a couple of weeks on hardware I had lying around. It does the job but the reporting that is available is pretty minimal. I tried some add-on packages but couldn't find one that I felt was worth it. I have it running on desktop hardware so the electricity cost will be much higher than an embedded device. Might take years to make up the purchase price of a decent router but I can also re-purpose that hardware for something else. I started looking at the EdgeRouter/UniFi Security Gateways as I currently have 2 UniFi APs. Seems like the USG might be an ok option. If you're using something that you love that gives you any cool bandwidth reporting let me know. Struggling to make a decision. Thanks!
tdallen Posted November 7, 2017
Asus, but I'm looking at the USG and EdgeRouters right now as well.
gzibell Posted November 7, 2017 (Author)
1 hour ago, tdallen said:
> Asus, but I'm looking at the USG and EdgeRouters right now as well.
The USG devices look pretty slick connecting to the UniFi controller and since I already have the UniFi APs it seems like the way to go. I tried their controller demo and they have some application reporting but no way to filter it by day/week/month. Actually there is no time reference at all so the data is sort of useless but I imagine that will improve. Attached a pic of what that dashboard looks like. The EdgeRouter Lite (ERLite-3) apparently has identical specs to the USG but the EdgeOS or whatever powers it is more mature with more options. I guess you can still do everything on the USG but you have to jump into the CLI to get some of it done. I think for the basics, LAN, port forward, DHCP either would be fine though. The impression I get from the internet as a whole is go with the EdgeRouter over the USG. Anyone have either that can comment?
sadkisson Posted November 7, 2017
I have both actually. I started with the ERL and it is by far more powerful with the options you can set from the GUI/CLI. I lacked the skills to program a lot of it however. I found that the USG is better suited for me as it works natively with the UniFi controller. I do not use the advanced features the ERL offered anyhow. I liked the UniFi controller setup and it auto configured the USG for me. It is kind of like unRaid vs a full blown Linux solution involving CLI setup and everything. If you need features that are not currently offered in the UniFi controller then the ERL is going to be the better option for sure.
gzibell Posted November 7, 2017 (Author)
That makes sense. I like playing around with stuff but I like it when stuff just works even better. unRaid has run like a champ for me since the day I set it up and I am continuing to add to my setup to expand the functionality. Setting up unRaid was pretty much the best decision I have made right after Plex and buying 50 pairs of the exact same socks. I hate trying to find matching socks. Even went through an HDD failure a few months after moving all my data over. Replaced the drive and everything rebuilt from parity without issues. That finally got the wife on board with the idea too. Tried to explain it before that happened that if we lost a drive her 100K pictures would just be gone. Never really made sense until the drive failed. Made explaining the cost of CP Pro pretty easy too. The more I think about it the more I feel like the USG is the way to go. Keep it simple and it has most of what I will ever need/want. I assume there are no issues with the USG utilizing my 100/100 connection to its fullest? We have fiber right to our house so we can get a 1Gb/1Gb connection if we want to pay for it. Whatever I do get I want it to be something that will handle the load I have now and what I might have tomorrow. Is the USG good enough or is jumping to the Pro a good idea for future proofing?
StevenD Posted November 7, 2017
I have a USG Pro and a pfSense, each with a static IP on FiOS.
1812 Posted November 7, 2017
pfSense VM on my server. Don't do this without a backup handy (I use a small eMachines computer for that to limit network downtime).
uldise Posted November 8, 2017
Mikrotik user here - some devices for my house, and some for my clients too. They are pretty cheap and have a huge amount of configuration options with their RouterOS. If you want VPN on it, just choose a model with built-in hardware encryption, this one for example: https://mikrotik.com/product/RB750Gr3
unevent Posted November 8, 2017
pfSense. Use ELK, Graylog, pfLogstash, etc. to get your reporting with the pretty views. I run it on an AMD 5350 Kabini and ASRock AM1H-ITX with 16GB, 4-port Intel card and external laptop power supply. Runs around 30W at full load, 10-15W average. Snort, pfBlockerNG, Squid, OpenVPN, Radius server, probably forgot something.
NotYetRated Posted November 8, 2017
I am using pfSense on unRaid for routing control, multi-WAN, firewall and some TP-Link EAPs for wireless access points. The system works well for me, though I do wish pfSense had some better visual reporting of traffic etc. as the photos above in this convo have. My current weak point is I do not have a suitable backup for my pfSense VM. If unRaid goes down, I would need to plug my old Asus flashed to DD-WRT in. I would lose any of the configuration changes I have made in the last year as well as the dual WAN setup. But it's a risk I am fine with.
HellDiverUK Posted November 8, 2017
2 hours ago, unevent said:
> pfSense. Use ELK, Graylog, pfLogstash, etc. to get your reporting with the pretty views. I run it on an AMD 5350 Kabini and ASRock AM1H-ITX with 16GB, 4-port Intel card and external laptop power supply. Runs around 30W at full load, 10-15W average. Snort, pfBlockerNG, Squid, OpenVPN, Radius server, probably forgot something.
Looking to do similar myself, though with an MSI board and a dual port Intel NIC. pfSense is excellent, at work our firewall is pfSense running on an old Core2Duo Optiplex, though with pfSense 2.5 coming that needs AES-NI I'll have to upgrade that to something more modern. I currently have a TP-Link VR2800 router/modem combo, but it chokes running OpenVPN.
gzibell Posted November 8, 2017 (Author)
2 hours ago, unevent said:
> pfSense. Use ELK, Graylog, pfLogstash, etc. to get your reporting with the pretty views. I run it on an AMD 5350 Kabini and ASRock AM1H-ITX with 16GB, 4-port Intel card and external laptop power supply. Runs around 30W at full load, 10-15W average. Snort, pfBlockerNG, Squid, OpenVPN, Radius server, probably forgot something.
Any chance you can point me in the right direction on the reporting side of pfSense? Did some searching after reading your post and it seems like the pfLogstash docker is no longer in development, is it still good? ELK looks like it needs to run on a different machine/VM. I did install the Squid package, looked at the options and decided I didn't have the time for that right now. I would really like to get pfSense set up for some nice reporting though but not sure where to start.
1 hour ago, NotYetRated said:
> I am using pfSense on unRaid for routing control, multi-WAN, firewall and some TP-Link EAPs for wireless access points. The system works well for me, though I do wish pfSense had some better visual reporting of traffic etc. as the photos above in this convo have. My current weak point is I do not have a suitable backup for my pfSense VM. If unRaid goes down, I would need to plug my old Asus flashed to DD-WRT in. I would lose any of the configuration changes I have made in the last year as well as the dual WAN setup. But it's a risk I am fine with.
Yeah I toyed with that idea as well, the pfSense VM part. My two hangups were: what if unRaid goes down, that means no internet at all without swapping in a different box. And the security side of things. Just seems like having the pfSense VM is somehow less secure than having a physical pfSense box. The general consensus from a security standpoint was a firewall should be a firewall, even though I found no evidence at all that a VM of pfSense would be less secure than a physical box.
I would like to get the equipment I am currently running pfSense on back for other purposes but I would have to purchase a multi-port NIC card to do that, so for right now, until I figure out if I am going to stick on pfSense or move to a USG or something else, I am leaving it as is.
34 minutes ago, HellDiverUK said:
> Looking to do similar myself, though with an MSI board and a dual port Intel NIC. pfSense is excellent, at work our firewall is pfSense running on an old Core2Duo Optiplex, though with pfSense 2.5 coming that needs AES-NI I'll have to upgrade that to something more modern. I currently have a TP-Link VR2800 router/modem combo, but it chokes running OpenVPN.
What is running your unRaid server? I did set up OpenVPN through pfSense and it worked fine but since I was switching routers in and out I figured it would be easier to run it as a docker on unRaid with only the port forward set up in pfSense. That way I can swap and change as much as I want and all I have to set up is 2 port forwards (Plex and OpenVPN) and my current setup is back up and running. My unRaid box is currently an i5 with 16GB RAM so it handles the OpenVPN connection with no problem.
unevent Posted November 8, 2017
46 minutes ago, HellDiverUK said:
> I currently have a TP-Link VR2800 router/modem combo, but it chokes running OpenVPN.
Started similar, but with a 600MHz MIPS ASUS router running Tomato. I miss Tomato's configuration GUI and QoS, but pfSense is much more powerful/capable. With the Kabini I can do VPN using PIA strong encryption to the full 100Mbit Internet I have, which is usually around 14MB/s. OpenVPN being single threaded, my only suggestion is to favor higher clock speeds vs. more cores at lower clock and of course AES-NI hardware support.
unevent Posted November 8, 2017
12 minutes ago, gzibell said:
> Any chance you can point me in the right direction on the reporting side of pfSense? Did some searching after reading your post and it seems like the pfLogstash docker is no longer in development, is it still good? ELK looks like it needs to run on a different machine/VM. I did install the Squid package, looked at the options and decided I didn't have the time for that right now. I would really like to get pfSense set up for some nice reporting though but not sure where to start.
The logging/display would/could be done separately in a Docker or VM on unRAID. pfLogstash in Docker form here on the forums will work for pre-2.4.x releases. The grok filters need an update to work with the latest pfSense release (which was released a couple weeks ago or so). Graylog is also available in a Docker here and can also be spun up in a VM using Ubuntu Server, which I did for a while, but also needs a filter update for 2.4.1. There are a few 'traditional' ELK stacks in Docker flavor floating around as well. There is a package or two available on pfSense to do some logging/sorting such as which websites an IP visited, but no fancy graphics like what is available using the external tools. Regarding running pfSense in a VM on unRAID, my suggestion is to not do it without an in-place backup to take over the tasks when you stop the array or shut down the server. I like the KISS principle when it comes to network security, get a low power-draw dedicated system to run your firewall. There are numerous guides on the 'net for setting up just about anything pfSense. Squid is a caching proxy server and has limited use these days since Internet pipes are fat and fast. I only use it for some minor additional filtering and for basic antivirus (clamav) on unencrypted traffic.
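The "grok filters need an update" remark above is about the same thing every pfSense reporting stack has to do first: split the filterlog CSV that pfSense ships to syslog into fields before anything can be graphed. The following is an added example for this thread, not code from pfSense, pfLogstash, Graylog or any poster. It parses filterlog lines into typed events and builds a minimal blocked-port / passed-bytes summary of the kind the dashboards in this thread show. The field order is the filterlog layout documented for pfSense 2.2 and later (an assumption to check against your own logs, since it has changed between releases, which is exactly why the grok patterns broke); the sample lines are constructed, with addresses from the documentation ranges.

```python
"""Parse pfSense filterlog syslog lines into a small per-port / per-host report.

Added example for the reporting discussion in this thread; this is not code from
pfSense, pfLogstash, Graylog or any poster. The field order follows the filterlog
CSV layout documented for pfSense 2.2 and later (assumption: verify against your
own logs, it has changed between releases). Sample lines below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# RFC 3164-style prefix as pfSense sends it to a remote syslog/Logstash collector.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"filterlog(?:\[\d+\])?:\s(?P<body>.*)$"
)


@dataclass
class FilterEvent:
    timestamp: str
    rule: str            # rule number that matched
    tracker: str         # tracker id, stable even when rules are reordered
    interface: str       # real interface name, e.g. igb0
    action: str          # pass / block / reject
    direction: str       # in / out
    ip_version: int
    proto: str           # tcp / udp / icmp / icmp6 / ...
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]
    length: int          # bytes of the one logged packet, not of the whole flow


def parse_filterlog(line: str) -> Optional[FilterEvent]:
    """Return a FilterEvent for one filterlog line, or None if it does not parse."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    f = m.group("body").split(",")
    # common header: rule, sub-rule, anchor, tracker, iface, reason, action, dir, ip-version
    if len(f) < 9:
        return None
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    rest = f[9:]
    if ipver == "4":
        # IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
        if len(rest) < 11:
            return None
        proto, length, src, dst = rest[7], rest[8], rest[9], rest[10]
        l4 = rest[11:]
    elif ipver == "6":
        # IPv6: class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
        if len(rest) < 8:
            return None
        proto, length, src, dst = rest[3], rest[5], rest[6], rest[7]
        l4 = rest[8:]
    else:
        return None
    sport = dport = None
    if proto in ("tcp", "udp") and len(l4) >= 2:
        # TCP and UDP records both begin with src-port, dst-port, data-length
        sport, dport = int(l4[0]), int(l4[1])
    return FilterEvent(m.group("ts"), rule, tracker, iface, action, direction,
                       int(ipver), proto, src, dst, sport, dport, int(length))


def summarize(lines):
    """Blocked (proto, dst_port) counts and passed bytes per source address."""
    events = [e for e in map(parse_filterlog, lines) if e is not None]
    blocked = Counter((e.proto, e.dst_port) for e in events
                      if e.action == "block" and e.dst_port is not None)
    passed_bytes = Counter()
    for e in events:
        if e.action == "pass":
            passed_bytes[e.src] += e.length
    return events, blocked, passed_bytes


# Constructed sample: two blocked telnet/ssh probes on WAN (igb0), a DNS query and
# an HTTPS packet passed on LAN (igb1), and one blocked ICMPv6 packet.
SAMPLE_LINES = [
    "Nov  8 09:12:01 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.2,51234,23,0,S,1234567890,,65535,,mss",
    "Nov  8 09:12:02 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.2,51235,22,0,S,1234567891,,65535,,mss",
    "Nov  8 09:12:05 pfsense filterlog: 97,,,1000004711,igb1,match,pass,in,4,0x0,,64,12345,0,DF,17,udp,76,192.168.1.20,192.168.1.1,50213,53,56",
    "Nov  8 09:12:07 pfsense filterlog: 97,,,1000004711,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,1500,192.168.1.20,203.0.113.50,50214,443,1448,PA,1,1,65535,,",
    "Nov  8 09:12:09 pfsense filterlog: 12,,,1000000200,igb0,match,block,in,6,0x00,0x00000,255,icmp6,58,64,2001:db8::1,2001:db8::2",
]

if __name__ == "__main__":
    events, blocked, passed_bytes = summarize(SAMPLE_LINES)
    print(f"parsed {len(events)} events")
    for (proto, port), n in blocked.most_common():
        print(f"blocked {proto}/{port}: {n}")
    for src, nbytes in passed_bytes.most_common():
        print(f"passed {src}: {nbytes} bytes")
```

One caveat that matters for the bandwidth view the original poster asked about: filterlog only records packets that hit a rule with logging enabled, and by default that is the packet that created the state, not every packet of the connection. Summing the length field therefore tells you who opened connections to what, not how many bytes moved. For per-device or per-application bandwidth you need flow data (the softflowd or ntopng packages on pfSense, for instance) rather than the firewall log, and the parser above is for the blocked/allowed side of the picture.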
HellDiverUK Posted November 9, 2017
16 hours ago, gzibell said:
> What is running your unRaid server? I did set up OpenVPN through pfSense and it worked fine but since I was switching routers in and out I figured it would be easier to run it as a docker on unRaid with only the port forward set up in pfSense. That way I can swap and change as much as I want and all I have to set up is 2 port forwards (Plex and OpenVPN) and my current setup is back up and running. My unRaid box is currently an i5 with 16GB RAM so it handles the OpenVPN connection with no problem.
Similar here, an i5-6500T. I prefer having the VPN on the router - the VPN isn't much use if the server dies/crashes or the network switch craps out or something. My previous router, an Asus RT-AC87U, could run OpenVPN no problems, but it had a fast dual core SoC. I'm not sure what the TP-Link has under the hood, but it's not as fast as the Asus.
NeoDude Posted November 10, 2017
pfSense on a Jetway JBC313. No complaints.
digiblur Posted November 11, 2017
EdgeRouter Lite with 2 AC ARs for coverage. I looked at the USG but felt I needed a little more. I always ran into uses with segmenting guest traffic, IoT traffic, VPN, NAT loopback, and a separate DNS server all rolled into one mix. Not too much of a command line guy on routers but I have been learning after setting several things up. All I can say is I am impressed so far! One day I might do the pfSense thing if I can find something to run it on that works great and isn't power hungry.
DZMM Posted November 11, 2017
54 minutes ago, digiblur said:
> One day I might do the pfSense thing if I can find something to run it on that works great and isn't power hungry.
What spec is your unRAID server? I've just gone back to running pfSense in a VM as I've managed to free up a PCIe slot for my NIC that only cost me £60 and it's barely using any resources: I've assigned 2 cores from my server. Admittedly, this is before setting up Squid, VPN, Snort etc. (I'm doing a fresh install rather than restoring my backup) but they still only took my CPU usage to around 25% from memory. Compared to the ISP provided, Netgear, D-Link etc. kit I've run over the last twenty years, pfSense is amazing.
Zonediver Posted November 11, 2017
IPFire on an ASRock Q1900M and two Intel i210-T1 NICs.
Stripe Posted November 13, 2017
Asus RT-AC68U with Tomato by Shibby.
Frank1940 Posted November 13, 2017
Ubiquiti EdgeRouter X (about $50.00 US). I got it because it was the only one that I could find locally without built-in WiFi when my previous router failed. (I use an access point when WiFi is necessary.) It was a bit of a bear to set up because of the lack of a GOOD set of instructions! (Don't tell your Mother to buy one expecting it to be a plug-and-play device!!!) I did get it working and after getting on the Internet, I could download the manuals for it.
Hoopster Posted November 13, 2017 (edited November 14, 2017)
Currently - Netgear R6400 + old Asus RT-N66U in AP mode and D-Link DIR-655 configured as AP in basement. On order - Ubiquiti USG, Ubiquiti 8-port switch with PoE, two Ubiquiti UAP-AC-LR access points.
gzibell Posted November 14, 2017 (Author)
Well, the decision was made for me. pfSense was working but I didn't want to leave the board/CPU as it was, way overkill for pfSense. Was by a Micro Center yesterday and picked up a USG. Got it plugged in this morning, we'll see how it goes.
jpimlott Posted November 30, 2017
I use an Untangle next gen firewall. The paid version is now $50/year for all apps for home use. I have 3 networks in it: WAN, LAN and WiFi. All WiFi devices but mine get the net but not the LAN. It is running on a cheap 5 watt Celeron 4 core micro ITX system. Ads, viruses, unwanted countries, unwanted applications, and unwanted sites by category blocked. Great reports and network tunneling like TunnelBear for the whole LAN.
john
bonienl Posted November 30, 2017
On 11/7/2017 at 11:13 PM, sadkisson said:
> I have both actually. I started with the ERL and it is by far more powerful with the options you can set from the GUI/CLI. I lacked the skills to program a lot of it however. I found that the USG is better suited for me as it works natively with the UniFi controller. I do not use the advanced features the ERL offered anyhow. I liked the UniFi controller setup and it auto configured the USG for me. It is kind of like unRaid vs a full blown Linux solution involving CLI setup and everything. If you need features that are not currently offered in the UniFi controller then the ERL is going to be the better option for sure.
I also started with the ERL. This is a so called prosumer product. Don't know if it is still the case but back then the default factory setting was very sparse and you needed to configure everything. This isn't a problem if you know your way in networking (something I do for a living). The CLI is very powerful and allows you to do a lot more than the average home router; performance of the box is excellent, it actually outperforms more expensive Cisco and Juniper (professional) gear. Ubiquiti made a nice promo about it with subtle references. See:
If you are really into it, you can make custom functions and add these to the GUI. I've made a couple and actually Ubiquiti took my DNS manager and have put it in their product.
The USG is based on the same hardware as the ERL, so performance wise top notch. The approach here is more accessible for the average user, most important features are preset and the out-of-the-box experience is better. Under the hood there still is a CLI, which gives access to the same advanced features as the ERL (though some trickery needs to be done to make CLI changes stick). The UniFi controller (available as a Docker container on unRAID) makes it very easy to manage both wired and wireless devices from a single interface.
That is what I am doing at the moment. Certainly recommendable.