Building home router/modem?

Honestly Ethan, a lot of people have already said the route I would go. I highly recommend going with a turnkey router/firewall oriented distro such as pfSense/OPNsense.

They are very easy to deploy and require almost no Linux knowledge to set up or deploy, so you won’t have to go out of your comfort zone at all to set it up or anything like that. There are old guides from the Tek days that are still relevant now for the configuration. And both have really nice, easy to use GUIs with a web interface if you ever want to change some settings and don’t want to plug it into a monitor or keyboard.

We can give you hardware recommendations for days, but the gist of the situation is: if you want a cheap setup, just about any modernish computer (something from the last decade) will have far more power than you will need. You can run it off of 2 gigs of RAM, so just about anything will work. Throw in an enterprise grade NIC, get yourself a nice little 8-16 port switch and a 650+VA UPS, and you are good to go.

If you want specific recommendations, feel free to shout. A lot of us on the forums have extensive experience building and working on these kinds of things, so don’t worry about getting overwhelmed, we’ve got your back.

Let’s say a box gets compromised on your network, or your WiFi AP password gets hacked, or whatever.

How will you be alerted to this fact, if you have no actual monitoring on your network?

Inbound ACLs blocking WAN traffic from entering your network are all well and good, but if a trusted internal host has been compromised via a payload inside of traffic it initiated from inside (e.g., a compromised website), then how are you going to detect that this has occurred (short of breaking out Wireshark if/when you just happen to notice something running slowly and then wonder why)?

No IDS or monitoring on your “simple routing only” firewall means it is basically worthless from a security standpoint - it won’t be doing much more than you could achieve by simply enabling the firewall on end user machines.

My wifi password is about as secure as it can be. It’s just a base64 string of 15 random bytes spat out by openssl:

clifford@Office-PC:/mnt/c$ openssl rand 15 | base64

But it did come from the command line and not a webpage, so maybe I shot myself in the foot?

I suppose my neighbors could crack it (I don’t actually know how secure WPA2 is), and push me over my ISP’s monthly data cap. That’s probably the first I would notice. At which point I would change my wifi password. Knowing my neighbors, the risk is low.

If I actually had a reason to look at the traffic, I would just let tcpdump loose on my wifi subnet:

clifford@router:~$ sudo tcpdump -n -i enp2s0 net fd00:8801:2909:6001::/64 or net 2600:8801:2907:b01::/64 or net 10.0.10.0/24

save the results and then grep through. I am not sure under what scenario I would have to do that; or, if I did do that, how pictures would make it easier. Better yet, I wouldn’t use the -n flag and I would let tcpdump resolve the IPs into hostnames, since I spent an extra 10 minutes several years ago configuring dhcpd to update my local BIND DNS.

None of that seems onerous.

I am as vulnerable to this as up-to-date Linux and Windows hosts are. I am not sure how my choice of router OS could protect me further.

That’s just false.

I hadn’t thought about a switch before.

I guess I’d only need a quad NIC then, and then get an external switch.

Basically I’m looking to run networking in my home and we want to run 4+ wall drops.

So I would have the router(pc) and then the switch.

As for wifi, how would that be setup?

Get yourself a simple wifi access point and plug it into your switch. No need to spend extra on a full-fledged router since you will have one you are building yourself. Things like DNS/DHCP will all be handled by your router. Wifi access points such as those made by Ubiquiti can be easily meshed together if you have a large area to cover, using only one SSID. They would each have their own line to your network switch.

Alternatively (and even cheaper): if you already own a typical home router with built-in wifi, check its settings and see if you can disable the firewall and DNS/DHCP etc. You wouldn’t hook up its WAN port, just plug it into your switch via one of its LAN ports. The only thing you would be interested in is the wifi access features; let your pfSense box handle the routing and security.

So something like this would work?

Yes, should work very well. It includes a PoE injector in the box that you can use to power it, or if you have a switch with PoE capabilities, the AP will pull power directly from the switch.

You will need to install the UniFi controller software to configure it.

I ordered exactly that from Amazon.

Amazon sent: Unifi AC Mesh

I am not sure if they are moral equivalents. But before just returning it, I plugged it into my network (via the switch through the patch panel, pretty similar to what you are proposing) and went through the configuration process.

It sits on my ceiling

and provides great coverage throughout my entire house.

And this is the thing. Without proactive monitoring, you won’t. How often do you run tcpdump against your network, looking for “weird stuff” going on?

But hey, sounds like you know best.

I’m sure that’s why every enterprise runs Ubuntu and rolls their own router platform.

:rofl:

I agree.

But you don’t seem to know what you are talking about.

Which is why you keep conflating this with enterprise, manufacturing nebulous security hand-wringing and exaggerating what is necessary to reliably route packets, firewall, resolve DNS and hand out IPs.

I’ll keep my five years of automatic security updates and simple configuration files despite your concern trolling.

:rofl:

Great! I’ll definitely keep the thread updated as I get things together.

Is there a purpose for more than 1 (4 port) NIC?
I’m just doing home networking, and if I’m using a switch I should be ok, right?

You only need a 2-port NIC: one port to serve as WAN, the other to serve as LAN. The only reason I am purchasing a 4-port NIC is that I’m going to dedicate those 4 ports to virtual machines once I finish building my desktop.

You are aware that you can connect to the “normal” subnet by using a software bridge? Things like Proxmox will give you normal bridging by default. This will still help speeds if a single VM would max out a single link, however.

This is how many of us do our setups for home use. It’s really similar to how most consumer routers have 4 ports. Those 4 ports are basically just a switch.

You only really need 2 ports for most home use cases. If you have two ISPs you could set up failover in case one of your service providers’ connections goes down, for more reliability.

Other possible uses for more than 2 ports are to configure some of them as dedicated separate networks if you don’t own a smart switch, but each of those connections will need its own switch, and those networks should be kept separated and not hooked into each other in this use case. This would be an alternative to VLANs where you can have separate firewall rules for different networks, such as a guest network or an IoT network.

Finally, you could use them to set up link aggregation to a NAS on a large network with lots of clients or simultaneous connections, to improve network performance per client under high load situations. It’s unlikely most home users would benefit much from this use case, however.

I have heard of someone doing link aggregation between two slow ISP connections (in an area without high speed) to improve performance somewhat. It doesn’t necessarily increase single file download speed but can allow you to download multiple files quicker. This could improve general browsing tasks if your ISP is slow enough or if you have enough client computers that they can saturate a single internet link.

Again, most of these use cases aren’t common in home setups.

Switches are great for getting good quality wired connectivity to devices around the home. Managed switches are even better for isolating and creating pseudo independent network domains, but they take a long time to get right if you don’t know how to set them up in advance. Wireless is atrocious and something I avoid at all costs.

It’s also nice to set up your config interface on a NIC port that you can leave unused, and hook the remaining ports up to things with no management capability that you can then connect to other switches to expand out.

Remember to block unnecessary ports. (https://www.youtube.com/playlist?list=PLK5UbXq39iVlrZN3LuXkgp0rQHfv-VVVY)

Oh ok cool.

So next question.

The wall drops would be going to rooms with multiple consoles/pc’s.

Is it possible to go from

Switch > wall connection > splitter/switch (I guess they are technically the same?) > separate consoles/PCs??

Would that degrade the connection in any way?

That should be fine. Each switch you add between your device and your router does add some tiny amount of latency, but in the scenario you describe it’s not enough to worry about.

The cost of more switches might not be negligible though. If you are already set on running 1 cable through the wall, that is probably the most convenient time to run as many as you need at minimal added cost and effort.

Cringe. … it’s a switch…

Depending on the switch it’s usually around single digit microseconds under load. Even when non-managed, there’s a small computer inside with some RAM and software that takes a packet, parses it, looks at addresses, looks at some memory to determine where to send stuff, and makes a decision what to do depending on whether it finds the entry. It also records that the src MAC address was seen on the incoming port.

Only thing you’re likely to notice is that each cable can only carry the bandwidth of the network ports it’s connected to. You’ll be sharing 1 Gbps or 10 Gbps with multiple devices.

But since you mentioned cable drops would be going to places, it might be cheaper to double up the drops, and perhaps add more cabling around the TV home/office space.

And then just get a plain old managed fanless 24-port switch for $100.
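An added example (not from the thread) of the learn-then-forward decision this post describes, as a small Python model of a learning switch: the MAC table is filled from source addresses and ingress ports, entries age out, and an unknown or group destination is flooded to every other port. Port numbers, MAC addresses and the 300 second ageing time are constructed assumptions.

```python
"""Per-frame decision of a learning Ethernet switch, modelled in Python.
Added example, not from the thread: learn the source MAC on the ingress
port, forward to the port where the destination was last seen, or flood
when it is unknown or a group address. Ports/MACs/ageing are constructed."""
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, ports, age_seconds=300.0):
        self.ports = list(ports)
        self.age_seconds = age_seconds
        self.table = {}  # mac -> (port, last_seen)

    def _expire(self, now):
        """Drop table entries not refreshed within the ageing time."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.age_seconds]
        for mac in stale:
            del self.table[mac]

    def mac_table(self):
        """Current address-to-port map, like 'show mac address-table'."""
        return {mac: port for mac, (port, _) in self.table.items()}

    def handle_frame(self, in_port, src_mac, dst_mac, now=None):
        """Return the sorted list of egress ports for one frame."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        # Learning step: remember (or refresh) the port src_mac was seen on.
        self.table[src_mac] = (in_port, now)
        everything_else = sorted(p for p in self.ports if p != in_port)
        if is_group_address(dst_mac):
            return everything_else            # broadcast/multicast: flood
        entry = self.table.get(dst_mac)
        if entry is None:
            return everything_else            # unknown unicast: flood
        port, _ = entry
        return [] if port == in_port else [port]   # known: one port, or drop


if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    print(sw.handle_frame(1, a, b, now=0.0))   # b unknown -> flood [2, 3, 4]
    print(sw.handle_frame(3, b, a, now=1.0))   # a learned on port 1 -> [1]
    print(sw.handle_frame(1, a, b, now=2.0))   # b learned on port 3 -> [3]
    print(sw.mac_table())
```

Every device behind a downstream "splitter" switch shows up in this table as a MAC on the uplink port, which is why the chained switches in the question work without any configuration: the upstream switch just learns that several addresses live on one of its ports.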

When searching for a modem, i see quite a few that are ISP specific…

Most say Certified by Comcast?? I don’t even have that ISP in my area.