Don W

To pfSense, or not to pfSense, that is the question...but in this thread the answer is Sophos!

417 posts in this topic

I have an ASUS RT-AC66U router which I believe has done a good job, but I have started to read about building my own router and am wondering if it will be a worthwhile project. I read about how it can block countries, provide better security and do many other things, but I haven't had any problems with all the routers I have had in the past. What are the definite improvements that I will get out of a home-built router?


Every guy has his reasons. These are mine:
 
1. Better granularity on setting up the DHCP server:
ex. Any other device on my network uses the default gateway (i.e. 192.168.0.254) when assigned a dynamic IP. Devices that have to go through a VPN (OpenVPN) will have a statically-mapped IP address with a default gateway pointing to the VPN router (i.e. 192.168.0.253)
2. Ability to filter web content (i.e. p0rn, gambling, flash games, sites unfit for children, etc.) using Squid3 and SquidGuard
3. As an extension to #2 and inspired by Ad-Trap (www.getadtrap.com), I've set up pfSense to block 99% of advertisements at the network level (No web ads, no Youtube pre-roll ads, etc.).
 
This is the link to my pfSense build: http://homeservershow.com/forums/index.php?/topic/6362-adtrap-the-internet-is-yours-again/page-2#entry71470
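The per-device gateway trick from point 1 above, as an added example (not oj88's own configuration and not the dhcpd.conf pfSense generates): it emits ISC dhcpd static mappings where only the devices flagged for the VPN receive a per-host `option routers` pointing at the VPN router (.253 in the post), while everyone else inherits the subnet-wide gateway (.254). Hostnames, MACs, fixed addresses and the dynamic range are constructed.

```python
"""Build ISC dhcpd static mappings with a VPN-routed subset.
Added example; the device inventory and address range are constructed,
the two gateway addresses are the ones named in the post."""
import re

NORMAL_GW = "192.168.0.254"   # gateway handed out to everything by default
VPN_GW = "192.168.0.253"      # the VPN router, handed out per host only
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory: (hostname, MAC, fixed IP, route via VPN?)
DEVICES = [
    ("laptop",   "00:11:22:33:44:01", "192.168.0.10", False),
    ("mediabox", "00:11:22:33:44:02", "192.168.0.20", True),
]


def host_stanza(name, mac, ip, via_vpn):
    """Return one dhcpd 'host' declaration; refuses malformed MACs so a typo
    does not silently leave a device on the normal gateway."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC for {name}: {mac}")
    lines = [f"host {name} {{",
             f"  hardware ethernet {mac};",
             f"  fixed-address {ip};"]
    if via_vpn:
        # A host-scope option overrides the subnet-scope 'option routers',
        # so only this device is steered to the VPN router.
        lines.append(f"  option routers {VPN_GW};")
    lines.append("}")
    return "\n".join(lines)


def build_config(devices, subnet="192.168.0.0", mask="255.255.255.0"):
    """Subnet declaration with the normal gateway, followed by the host
    mappings.  Duplicate MACs are rejected: dhcpd would otherwise match
    whichever declaration it sees first, which is hard to debug later."""
    seen = set()
    out = [f"subnet {subnet} netmask {mask} {{",
           f"  option routers {NORMAL_GW};",
           "  range 192.168.0.100 192.168.0.199;",   # constructed pool
           "}"]
    for name, mac, ip, via_vpn in devices:
        if mac.lower() in seen:
            raise ValueError(f"duplicate MAC {mac}")
        seen.add(mac.lower())
        out.append(host_stanza(name, mac, ip, via_vpn))
    return "\n".join(out)


if __name__ == "__main__":
    print(build_config(DEVICES))
```

One caveat worth keeping in mind: a MAC-to-gateway mapping is a convenience, not an enforcement point. A device that ignores DHCP and sets its own address and gateway simply bypasses it, so if "this device must only reach the Internet through the VPN" is a security requirement, the firewall rules on the router have to enforce it as well.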


I liked pfSense. Till I tried Sophos. It's a bit more complicated to set up, but .... damn is it awesome.

I'm pretty sure it uses all the same things that pfsense does... but put together in an awesome, "simple" (once you get acquainted with it) package.

 

oj88 has covered pretty much all the good reasons. I need to look into the "ad" thing, but Sophos does have an "ad" section to filter out by default.

 

And this is my router:

http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007

 

Even running ... well all of the features for the home use basically, ~1GB of RAM used, and the CPU runs about 5-15% most of the time. Great box, and very low powered. Just needs RAM and a drive. 

 

 

And if you're interested in Sophos, I plan on writing up a couple of guides on how to use it "at home". 

https://drashna.net/blog/category/networking/

Edited by Drashna (WGS)


@Drashna, good call on Sophos.

 

When I was still looking for a free firewall to use, I stumbled upon Sophos UTM Home Edition. I didn't push through with the testing though, since I found out it can only protect up to 50 IP addresses (being free and all). I have way more than that, unfortunately. :D

 

@Don W. If the IP address restriction doesn't affect you, here's the link to Sophos' free UTM: http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx


Will be interested to hear others' experiences. Have been running pfsense from version 1.2.3 to current 2.1-PRERELEASE on a Supermicro X7SPA-HF motherboard w/ integrated Intel Atom D525 CPU. Since the D525 is now obsolete and I'm using more processor intensive features (i.e. QoS), I'm going to rebuild my hardware firewall with a new Intel Ivy Bridge Celeron G1610 CPU w/ 8 GB RAM.

 

I liked the idea of Untangle 10.1 until I looked at their pricing. Their Lite (free) package doesn't have a fraction of the functionality of pfsense though I'd imagine it has a better, more intuitive UI (important). Looked at their standard or premium packages - considered a monthly subscription - but even then 1-10 devices doesn't seem like much. Between iphones, ipads, Roku, PCs, Macs, AVR, etc. I've already exceeded their 1-10 device option without even having built the new box yet. Jumping up to the 10+ device option increases cost considerably.

 

Has anyone ever migrated an existing pfsense config from old to new hardware (i.e. new NICs, new NIC MAC addresses, etc.)? Will a pfsense x86 config work on a new x64 build? Since I'd be going from 4GB to 8GB RAM, I'd need a 64-bit OS build.
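The migration step asked about here (carry the saved config to a new box, then point each interface at the new NIC), as an added example that is not from the thread or the pfSense project. The XML fragment is constructed and deliberately minimal, but its `<interfaces><wan><if>` layout follows pfSense's config.xml; the old (`em*`) and new (`igb*`) device names are assumptions for the sake of the example.

```python
"""Remap interface device names in a pfSense-style config.xml for new hardware.
Added example; the config fragment and NIC names are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the old box used em0/em1/em2, the new one igb0/igb1/igb2.
OLD_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr><spoofmac>00:11:22:33:44:55</spoofmac></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.0.254</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>em2</if><descr>LAB</descr></opt1>
  </interfaces>
</pfsense>
"""


def remap_interfaces(xml_text, mapping, clear_spoofmac=True):
    """Return (new_xml, report) with every <if> rewritten via mapping.

    An interface with no mapping is an error rather than a warning: an <if>
    that names a NIC absent on the new box means no LAN (and no web UI) after
    the first boot.  Spoofed MACs from the old hardware are dropped by default
    so the new NIC's real address is used, unless the caller keeps them."""
    root = ET.fromstring(xml_text)
    report = []
    for iface in root.find("interfaces"):
        if_el = iface.find("if")
        if if_el is None:
            raise ValueError(f"{iface.tag} has no <if> element")
        old = if_el.text
        if old not in mapping:
            raise ValueError(f"no mapping for {iface.tag} ({old})")
        if_el.text = mapping[old]
        report.append((iface.tag, old, mapping[old]))
        mac = iface.find("spoofmac")
        if clear_spoofmac and mac is not None:
            iface.remove(mac)
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_xml, report = remap_interfaces(OLD_CONFIG, {"em0": "igb0", "em1": "igb1", "em2": "igb2"})
    for tag, old, new in report:
        print(f"{tag}: {old} -> {new}")
    print(new_xml)
```

The point of failing on an unmapped interface, rather than carrying the old name across, is that a half-migrated config is worse than none: the firewall boots with rules that reference an interface that does not exist, and recovering means console access. Do the remap, diff the result against the original, and only then restore it.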


Will be interested to hear others' experiences. Have been running pfsense from version 1.2.3 to current 2.1-PRERELEASE on a Supermicro X7SPA-HF motherboard w/ integrated Intel Atom D525 CPU. Since the D525 is now obsolete and I'm using more processor intensive features (i.e. QoS), I'm going to rebuild my hardware firewall with a new Intel Ivy Bridge Celeron G1610 CPU w/ 8 GB RAM.

I liked the idea of Untangle 10.1 until I looked at their pricing. Their Lite (free) package doesn't have a fraction of the functionality of pfsense though I'd imagine it has a better, more intuitive UI (important). Looked at their standard or premium packages - considered a monthly subscription - but even then 1-10 devices doesn't seem like much. Between iphones, ipads, Roku, PCs, Macs, AVR, etc. I've already exceeded their 1-10 device option without even having built the new box yet. Jumping up to the 10+ device option increases cost considerably.

Has anyone ever migrated an existing pfsense config from old to new hardware (i.e. new NICs, new NIC MAC addresses, etc.)? Will a pfsense x86 config work on a new x64 build? Since I'd be going from 4GB to 8GB RAM, I'd need a 64-bit OS build.

 

Jason,

One path I highly recommend since you are upgrading to a relatively high performance box (P.S. I'm surprised you feel the D525 is incapable of handling the pfSense router responsibilities, even with multiple "CPU-intensive" add-ins) is to virtualize.

 

I run pfSense on an ESXi box, and it is fantastic. Bonus is no matter what hardware I migrate to, the pfSense instance just works (albeit obviously faster as I upgrade the hardware.)

 

Drashna, Don, oj88,

I can't comment on the Sophos vs. pfSense comparison, but the trade-off with a software router (i.e. pfSense, Untangle, Sophos, etc.) vs. hardware is, as mentioned, the feature set vs. initial time to set up and learn the system. I've found pfSense to be completely stable once set up and running. I don't want to have to mess with my router. That said, for my home Internet use, I have stuck with a commercial wireless router just because I'm gone a lot, and the fix for them is unplug for 30 seconds and plug back in. Easy for the wife or kids.

 

I run pfSense for my lab and when deployed because it's free, it runs on hardware I already have (don't need to carry another router with me), allows for high-speed VPN access, and allows for multiple networks (i.e. an Internet-connected LAN, a separate Internet-connected lab LAN, and a segregated (non-Internet-connected) LAN for other lab work). It also will have much more efficient QoS than basically any SOHO wireless router. I am using the Netgear Nighthawk at home (one of the top 3 "fastest" wireless routers on the market today) and it still doesn't hold a candle to the speeds I can get with pfSense on a low-powered box when you start applying QoS and IP blocking.

 

Oh - speaking of country blocking, yes pfSense has an add-in that makes that super simple. You literally check the box of the country/countries you don't want to allow access to or from and it will block those IPs. Obviously won't help if the hacker is going through multiple locations, but it does block a lot of malicious sites from known highly-active hacktivist locations.
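What the country-blocking add-in described above does under the hood, reduced to its core, as an added example (not the pfSense add-in's code and not from the thread). It builds a prefix table for the countries you tick, evaluates each new connection by its initiator and responder address, and supports the off / incoming / outgoing / both switch that Drashna later mentions for Sophos. The per-country prefixes below are constructed placeholders, not real allocations; a real deployment loads published registry or GeoIP data and refreshes it on a schedule, since allocations move.

```python
"""Coarse per-country connection blocking.  Added example; the prefix table
is constructed and does NOT reflect any real country's address space."""
import ipaddress

# Constructed sample data: pretend allocations for two made-up country codes.
COUNTRY_PREFIXES = {
    "XA": ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:a::/48"],
    "XB": ["192.0.2.0/24"],
}


class CountryBlocker:
    """direction: 'off', 'in' (block connections started from a blocked
    country), 'out' (block connections to one), or 'both'."""

    def __init__(self, prefixes, blocked, direction="both"):
        if direction not in ("off", "in", "out", "both"):
            raise ValueError(f"unknown direction {direction!r}")
        self.direction = direction
        # Only the selected countries go into the table, longest prefix first
        # so an overlapping, more specific entry wins the lookup.
        nets = [(ipaddress.ip_network(c), cc)
                for cc, cidrs in prefixes.items() if cc in blocked
                for c in cidrs]
        self.networks = sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)

    def lookup(self, ip):
        """Country code for ip, or None.  Mixed IPv4/IPv6 comparisons are
        simply non-matches, so a v6 source never matches a v4 prefix."""
        addr = ipaddress.ip_address(ip)
        for net, cc in self.networks:
            if addr in net:
                return cc
        return None

    def should_block(self, src, dst):
        """Decide for a NEW connection from src to dst (replies belong to the
        state table, not to this check).  Returns a reason string or None."""
        if self.direction == "off":
            return None
        if self.direction in ("in", "both"):
            cc = self.lookup(src)
            if cc:
                return f"inbound from {cc}"
        if self.direction in ("out", "both"):
            cc = self.lookup(dst)
            if cc:
                return f"outbound to {cc}"
        return None


if __name__ == "__main__":
    blocker = CountryBlocker(COUNTRY_PREFIXES, blocked={"XA"}, direction="both")
    # Constructed connection attempts: (source, destination)
    for src, dst in [("203.0.113.9", "192.168.0.10"),
                     ("192.168.0.10", "198.51.100.7"),
                     ("192.0.2.5", "192.168.0.10")]:
        print(src, "->", dst, ":", blocker.should_block(src, dst) or "pass")
```

The limitation timekills notes is visible in the code: the decision is made purely on the address of the far end, so anything relayed through a host in a non-blocked country passes. It is a noise reducer for the log and the state table, not a substitute for the default-deny inbound policy.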


Jason,

One path I highly recommend since you are upgrading to a relatively high performance box (P.S. I'm surprised you feel the D525 is incapable of handling the pfSense router responsibilities, even with multiple "CPU-intensive" add-ins) is to virtualize.

I run pfSense on an ESXi box, and it is fantastic. Bonus is no matter what hardware I migrate to, the pfSense instance just works (albeit obviously faster as I upgrade the hardware.)

 

timekills, to your point pfsense just works. However unattractive its mgmt UI may be, after looking at pricing vs. features of Sophos and Untangle, it seems pfsense (FREE) is just a win. Unfortunately, I have zero experience with ESXi for virtualization. Only VMWare Workstation and Hyper-V, both of which run under a Windows OS. I was simply hoping I could build this higher-powered Celeron-based SFF box and migrate over my saved config from old pfsense hardware to the updated build...then just update the interfaces to match the new NICs and MAC addresses. From what I've read Sophos is OK but takes some configuration before you even get any outbound internet access whatsoever. Seems a bit counter-intuitive to me. Also, despite how cryptic pfsense can be at times, it has a vast user community which goes a long way. Untangle appealed to me based on its paid feature set and I can't see myself paying $500/yr. for features I get in pfsense for free. Just thinking out loud.


Restricting all outside access in the beginning is what it should be....DENY ALL.


Sophos is the old Astaro product right?

Yes. Sophos bought them out, and then still offered a free/home version. 

 

timekills, to your point pfsense just works. However unattractive its mgmt UI may be, after looking at pricing vs. features of Sophos and Untangle, it seems pfsense (FREE) is just a win. Unfortunately, I have zero experience with ESXi for virtualization. Only VMWare Workstation and Hyper-V, both of which run under a Windows OS. I was simply hoping I could build this higher-powered Celeron-based SFF box and migrate over my saved config from old pfsense hardware to the updated build...then just update the interfaces to match the new NICs and MAC addresses. From what I've read Sophos is OK but takes some configuration before you even get any outbound internet access whatsoever. Seems a bit counter-intuitive to me. Also, despite how cryptic pfsense can be at times, it has a vast user community which goes a long way. Untangle appealed to me based on its paid feature set and I can't see myself paying $500/yr. for features I get in pfsense for free. Just thinking out loud.

Sophos is also free for home use, and yes, up to 50 devices. I'm not entirely sure how that is determined..., but for most "normal" people (oj88, yes I am referring to you), 50 IP addresses is plenty. Even for me, and my 20 VMs (not concurrent) and 10 IP cameras.

 

And as for the firewall... There is a trick, add a rule to the firewall of "Internal (network), Any, All" (as in source, service, destination) and this will allow "normal" router functionality. Yes, it takes a bit to get used to... but I'm absolutely loving it. 

 

I've been going through it and documenting stuff for myself and why I like it. Next up is messing with the firewall stuff, and then NAT/port forwarding.

https://drashna.net/blog/category/networking/

Edited by Drashna (WGS)


From what I've read Sophos is OK but takes some configuration before you even get any outbound internet access whatsoever. Seems a bit counter-intuitive to me.

 

 

Restricting all outside access in the beginning is what it should be....DENY ALL.

 

It's been a while since I started a pfSense instance from scratch, but if memory serves it also defaults to DENY ALL. Which, as jmwills stated, is the network security professional's preferred default. That way you only let in or out who you want and when you want. Both systems require the same simple fix Drashna mentioned, allowing your internal (probably non-routable IP space) network or subnet of choice access in the software's firewall section.

 

As counter-intuitive as it appears for the home user, the typical user of a software (or true hardware) router is typically more network and security savvy than someone purchasing their ISP's recommended wireless router. So they default to the more secure settings, with the expectation that the user will configure as desired.
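The DENY ALL default jmwills and timekills describe, and the "Internal (network), Any, All" rule Drashna gives as the fix, as an added example in the form of a small first-match policy evaluator (not Sophos or pfSense code, not from the thread). It shows why unsolicited inbound connections still fail after the rule is added, and also the tighter per-group variant Drashna alludes to (a game-port rule scoped to specific hosts rather than the whole LAN). The LAN prefix, host addresses and port numbers are constructed for the example.

```python
"""First-match policy evaluation with an implicit DENY ALL.
Added example; networks, hosts and port sets are constructed."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.0.0/24")          # constructed LAN
GAMING_HOSTS = {ipaddress.ip_address("192.168.0.20")}      # constructed group


def _addr_in(addr, selector):
    """selector is 'any', an ip_network, or a set of ip_address objects."""
    if selector == "any":
        return True
    return addr in selector


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: object            # "any", ip_network, or set of ip_address
    dst: object
    ports: object = "any"  # "any" or a set of destination ports

    def matches(self, src, dst, port):
        return (_addr_in(src, self.src) and _addr_in(dst, self.dst)
                and (self.ports == "any" or port in self.ports))


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src, dst, port):
        """Evaluate a NEW connection that src opens to dst:port.  Replies ride
        on the state table, not on rules, so a single allow for outbound is
        enough for normal browsing.  No rule matches -> the DENY ALL default."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(s, d, port):
                return rule.action, rule.name
        return "deny", "default"


# Drashna's trick: source Internal, service Any, destination All.
# Behaves like a consumer router: anything from inside goes anywhere,
# anything from outside still hits the default deny.
LAZY = Policy([Rule("internal-any-all", "allow", INTERNAL, "any")])

# Tighter: web and mail for the whole LAN, game ports only for the gaming group.
STRICT = Policy([
    Rule("web",   "allow", INTERNAL,     "any", {80, 443}),
    Rule("mail",  "allow", INTERNAL,     "any", {25, 587, 993}),
    Rule("games", "allow", GAMING_HOSTS, "any", {40000, 40001}),  # constructed ports
])


if __name__ == "__main__":
    for policy_name, policy in (("lazy", LAZY), ("strict", STRICT)):
        for src, dst, port in [("192.168.0.10", "203.0.113.5", 443),
                               ("192.168.0.10", "203.0.113.5", 40000),
                               ("192.168.0.20", "203.0.113.5", 40000),
                               ("203.0.113.5", "192.168.0.10", 22)]:
            print(policy_name, src, "->", f"{dst}:{port}", policy.decide(src, dst, port))
```

The value of starting from DENY ALL is visible in the last case: the inbound SSH attempt is refused under both policies without anyone having written a rule for it, because nothing matched. The STRICT policy is the same idea applied outbound, which is what made Drashna add explicit rules for game ports on Sophos.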


One of my main reasons for going with a 'software' router/UTM is because most, if not all, consumer routers I've used have issues staying up for extended lengths of time. Many of them would run for about 2 weeks, then they would require a reboot. Also, most of them ran slower than my Untangle box.

 

As timekills says, it's simple to 'fix' a consumer router, even for the wife & kids. I just don't think it should be necessary. My Untangle has been running at least a year without being rebooted; I just don't remember how long for certain.


My Asus router has been up for over six months now.


One of my main reasons for going with a 'software' router/UTM is because most, if not all, consumer routers I've used have issues staying up for extended lengths of time. Many of them would run for about 2 weeks, then they would require a reboot.

Exactly what I've experienced with consumer routers I've had in the past (D-Link, Asus, TP-Link and Buffalo). They're between 5-10 years-old technology so maybe the newer ones are a lot more stable.


I think consumer routers have gotten better, but I think there are still questionable ones out there.

 

From my experience, the main issue with consumer routers is (was?) that they had lousy memory garbage collection. The RAM would get filled up with old URL info and routing tables and eventually run out, causing a crash. With more RAM in today's routers they can last longer before crashing.

 

This RAM issue is, IMHO, the main reason why 3rd party firmware became so popular. Yes, 3rd party firmware also provided more features, but I think the issue of router crashes was the main reason.

 

jmwills apparently has a router that's one of the newer, better ones. 'Course, it could be that his router has been running at home in the USA while he's been overseas and so it didn't get that much activity ;)


With more RAM in today's routers they can last longer before crashing.

lol... Crashing is inevitable. It's only a matter of time (or RAM). Cool idea for a bumper sticker.

 

But I agree. Put any more than 4 or 5 very active network users and most consumer routers just simply lock up.


One of my main reasons for going with a 'software' router/UTM is because most, if not all, consumer routers I've used have issues staying up for extended lengths of time. Many of them would run for about 2 weeks, then they would require a reboot. Also, most of them ran slower than my Untangle box.

 

As timekills says, it's simple to 'fix' a consumer router, even for the wife & kids. I just don't think it should be necessary. My Untangle has been running at least a year without being rebooted; I just don't remember how long for certain.

Have I mentioned my WRT610N? Or apparently my E3000 that has the same issue?

A) If I enable QoS on the router, it crashes. Within an hour. And repeatedly. Even with DEFAULT SETTINGS.

B) If I connect my Linksys IP cameras .... VIA LAN/CAT5, it causes the wireless chipset on either router to crash. The more of them connected, the worse it becomes.

 

So, yes, consumer routers are AWESOME. And by awesome, I mean, let me get the drill and do some self-dentistry, as that will be less painful.

 

It's been a while since I started a pfSense instance from scratch, but if memory serves it also defaults to DENY ALL. Which, as jmwills stated, is the network security professional's preferred default. That way you only let in or out who you want and when you want. Both systems require the same simple fix Drashna mentioned, allowing your internal (probably non-routable IP space) network or subnet of choice access in the software's firewall section.

 

As counter-intuitive as it appears for the home user, the typical user of a software (or true hardware) router is typically more network and security savvy than someone purchasing their ISP's recommended wireless router. So they default to the more secure settings, with the expectation that the user will configure as desired.

pfSense doesn't deny all by default. Well, not for outgoing traffic. Sophos does, but has a few rules by default... (web, "terminal services", email, IM) ... but I had to explicitly allow video game ports to get it working. 

 

But as I said, the rule I posted will cause it to work like a normal, consumer router. Great if you're lazy. You can also set the rule to do this for specific (or groups of) devices. Great for increasing the WAF.....

 

lol... Crashing is inevitable. It's only a matter of time (or RAM). Cool idea for a bumper sticker.

 

But I agree. Put any more than 4 or 5 very active network users and most consumer routers just simply lock up.

Or 2-3 Linksys IP cameras, and the wireless will die. Apparently. :P

 

And yeah, that would be an awesome geek bumper sticker. :)

 

 

 

Also, another reason I'm really liking Sophos... country blocker is built in. And it can be set to Off, Incoming, Outgoing, or Both.

Additionally, it has a transparent proxy, that can do http and https, and has a bunch of default rules that work really well. (and if you're using a domain, import your DC's CA cert, and no cert errors on domain joined clients... another reason to use a domain!)

And the built in virus scanner.

And most of this is "flip switch" enable. Talk about a turn key solution.


I looked at Astaro a couple of years ago. The issue then was it only allowed 15 IP's -- with it now allowing 50 it should be viable for my LAN, so I may have another look.


I read the other day that the Linksys WRT54G is being revised albeit with a new model number but the price was crazy.


I looked at Astaro a couple of years ago. The issue then was it only allowed 15 IP's -- with it now allowing 50 it should be viable for my LAN, so I may have another look.

Yeah, that sounds too limited. 50 is a great number though. And I'm loving all the features. :)

 

I read the other day that the Linksys WRT54G is being revised albeit with a new model number but the price was crazy.

I also read that Linksys sold to Belkin. And .... "Friends don't let friends buy Belkin".... :)


I thought Linksys was bought by Cisco. 'Course, the same caution could still apply..... ;)


Cisco buying Linksys in 2003 was the first mistake. Branding it as Linksys by Cisco was the second. It tarnished the Cisco brand, even though the technology used on Linksys products didn't include anything from Cisco's enterprise product line.

 

Cisco eventually sold Linksys to Belkin last year.


Ah. Thanks. Wasn't aware of that. Probably a good thing for Linksys. It never seemed like a good fit to me.


Many had hoped that the acquisition and branding would mean an increase in quality to the linksys products.... but let me tell you.....

 

My Linksys Wireless routers are useless as wireless APs when my Linksys IP cameras are on the network (and wired even).  Each linksys IP camera attached to the network increases packet loss until you can't actually connect to the wireless. And these are ALL Linksys by Cisco devices.... 

As for the routers.... I've tried with stock and dd-wrt firmware: WRT54GSv7, WRT54GL, WRT610Nv2, and Valet E3000. 

as for the cameras: WVC54GCA and WVC80N. And ALL of them are wired. Wireless not even configured. Multicast disabled currently, which seems to help.

Edited by Drashna (WGS)


I agree with the wireless radios crapping out on these routers at the first sign of real network loading.

 

For that matter, I use a couple of Cisco Aironet 1232AG access points I bought cheap from a company that closed down. These are the real deal, enterprise-grade hardware with technology that's already around 7-8 years old. And even though they're just 802.11a/b/g, they still whoop my TP-Link Wireless-N as far as stability and range are concerned.

 

The acquisition helped Linksys more than Cisco, unfortunately, as it added a perceived reputation to the brand. Cisco bought it to expand their market share into the consumer market. In a way, they did succeed in that respect. But at the cost of having a mixture of positive and negative reviews of the Linksys by Cisco brand. Prior to this, the only negative feedback you'd hear about Cisco was that they're expensive... but nobody questioned their performance.
