Thoughts on hardware firewall for home

Please share your thoughts on the use of hardware firewalls for home and home-based business networks.

Cotton

Well wood burns pretty well, so.

For a home network, it seems unnecessary and is likely to not have any benefits. For a home-based business network however, depending on the industry, I would seriously consider it - to protect essential data, such as client info, intellectual property and especially if you run a web server. Of course it comes down to your needs though, and only you can make that determination.

@Rumple Thanks for the response. With no outward-facing servers or services it might be overkill, right? How about with a VPN hosted within the network?

Yeah it might be if you don't really take advantage of your ISP connection, i.e. (gaming, file sharing, torrents). To answer your question about your VPN originating in your network, as long as you have your firewall secure, an already-secured VPN going out your default gateway would probably be unaffected since it's still going to be encrypted whether it was started from a PC, or from the firewall itself heading out of your LAN.

Hardware firewalls are good for other things as well, especially in home environments.
You can use them to limit bandwidth, tunnel all your traffic or just tunnel traffic that comes through certain interfaces and stuff like that.

If you have ANY outwards-facing servers you should have a "hardware" firewall, without a doubt.

EDIT: They're also so cheap these days you might as well get one. ALSO, if you have a server you can just run PFSense in a VM and dedicate an extra NIC to it, so when I use the term "Hardware firewall" I am using it loosely because you could just virtualize a PFSense firewall.

I have many things to say about this......

When I get back from Lunch. Stay tuned.

This is the set-up I have for my VMs.


Basically, I have a virtual adapter for LAN coming out of PFSense, which then feeds to all of my VMs and puts them on a 192.168.2.X subnet.

Also, I know, I KNOW, I shouldn't be using Win Server 2012 because Windows is a pile of shite, however there are a few programs I need to run at top-level at home which are Windows only.
My server @ work is running KVM and libvirt so I guess that makes up for it ;)


That should help you understand how it works. WAN is the connection from my router, let's say for simplicity, then LAN is what is going to my VMs. I'm eventually going to set up a VLAN for my PFSense LAN on my switch as well but that'll come later.

It sounds like I need to install another NIC onto my server and spin up a PFSense VM. I'll have to familiarize myself with PFS before going production on it. I'm kind of excited to do this... is that weird???

Not weird at all.

Also, if you can install PFSense on its own hardware, it would be better.

I like PFSense, or OpenPF, mainly because they are inexpensive compared to the big alternatives that have the same level of functionality: Cisco ASA, Juniper devices, and the like.

But, yeah, 2 NICs, one for outside the network. If you can do a dedicated NIC to the PFSense VM for external, the better. But still not as ideal as having a dedicated machine.

I'm on team overkill for home use, if you don't have any internet servers. But I would love to be convinced otherwise. Could be a fun project.

I have been running a dual CPU 8 core Opteron, 16GB RAM, server as my PFSense Firewall at work for over 2 years.

We have 20 people in the office. It's spec'd for 2000... give or take.

Yeah but for home use? I guess if you have the hardware laying around it would be fine, but I don't think I would buy a server specifically for that purpose.

I use a 2-core Intel Celeron 1037U, 4GB of RAM, passively cooled. It works very well.

Buy? I pick these things out of dumpsters when I can.

Realistically, I also find them in state auctions, surplus auctions and the like.

A buddy of mine once got a fleet of 5500 series Cisco Switches for 100 bucks. By Fleet, I mean over 50 of them.

You can re-purpose a Firebox X550e for use with PFSense. I don't know how much they go for in the US but they have 4x gigabit ports and there's quite a bit of documentation on how to flash PFSense to them.

I'm probably going to pick one up, or an X750e, when I get paid! :) I'll make sure to document everything and make a forum thread as well.

I can think of three things I'd use for home, depending on your needs:

  1. An ASUS or Netgear router running DD-WRT has great firewall options.
  2. More expensive: a used Cisco firewall or a Netgear. Wendell has good vids on this.
  3. Like others have said, pfsense running on an old (or cheap ITX build) PC. Again, check out Wendell's vids.

I can vouch for DD-WRT, or OpenWRT, they're very basic though.
I'd still go for a box running PFSense, or if you want to be REALLY hardcore throw PF on a FreeBSD box ;)
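For anyone who takes the "PF on a FreeBSD box" route, here is the WAN/LAN layout described earlier in the thread written out as a default-deny pf.conf. This is an added example, not any poster's configuration; it assumes em0 is the WAN interface facing the upstream router (DHCP), em1 is the LAN on 192.168.2.1/24, and 192.168.2.10 is the admin workstation.

```pf
# Added example, not any poster's config: default-deny pf.conf for a FreeBSD
# box in the thread's layout. Assumed: em0 = WAN (upstream router, DHCP),
# em1 = LAN 192.168.2.1/24, 192.168.2.10 = admin workstation.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.2.0/24"
admin_host = "192.168.2.10"
mgmt_ports = "{ 22, 443 }"        # SSH and the web UI on the firewall itself

set skip on lo0
set block-policy drop             # drop silently rather than answer with RST/ICMP

# Normalise and reassemble fragments before any filter rule sees the packet
scrub in all fragment reassemble

# Translation: hide the LAN behind whatever address the WAN currently holds
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filtering. pf is last-match-wins unless a rule says "quick".
antispoof quick for { $ext_if $int_if }

# DHCP for the WAN address (source is 0.0.0.0 until a lease exists, so the
# generic "from ($ext_if)" rule below would not cover it)
pass out quick on $ext_if proto udp from any port 68 to any port 67
pass in  quick on $ext_if proto udp from any port 67 to any port 68

# Default deny; blocked packets are logged to pflog0 for review with tcpdump
block log all

# Management plane: only the admin workstation reaches the firewall's services
block in quick on $int_if proto tcp from ! $admin_host to $int_if port $mgmt_ports
pass  in quick on $int_if proto tcp from $admin_host to $int_if port $mgmt_ports

# LAN clients may initiate outbound sessions; replies return via the state table
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Because the WAN here is the upstream router's private LAN, the usual
# "block RFC 1918 sources on WAN" rule is deliberately omitted; add it if this
# box is ever moved to face the ISP directly.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; nothing on the LAN other than the admin host can reach the firewall's SSH or web UI, and every unsolicited inbound packet on the WAN is dropped and logged.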

DD-WRT and OpenWRT are awesome for upgrading those old Linksys routers.

On my own I use a PFsense running on a Fujitsu-Siemens Esprimo E5730 with 4GB of RAM.
On the custom stuff I am running, I've got Avahi, backup stuff, Snort, bandwidthd, darkstat, pfBlocker and Squid3.
Both NICs are gigabit.
Also got a Fedora Server (yeah.. don't hate.. I just have an overkill PC for that and I dump my VMs there and mess around with some services..)
Overall, one of the best solutions I had as a home user and in my job sometimes I had to keep an eye on a pfsense that is laying around.. somewhere.