To pfSense, or not to pfSense, that is the question...but in this thread the answer is Sophos!

Don W

I have an ASUS RT-AC66U router which I believe has done a good job, but I have started to read about building my own router and am wondering if it will be a worthwhile project. I read about how it can block countries, provides better security and many other things but I haven't had any problems with all the routers I have had in the past. What are the definite improvements that I will get out of a home built router?

oj88

Every guy has his reasons. These are mine:
 
1. Better granularity on setting up the DHCP server:
e.g. Any other device on my network uses the default gateway (i.e. 192.168.0.254) when assigned a dynamic IP. Devices that have to go through a VPN (OpenVPN) will have a statically-mapped IP address with a default gateway pointing to the VPN router (i.e. 192.168.0.253).
2. Ability to filter web content (i.e. p0rn, gambling, flash games, sites unfit for children, etc.) using Squid3 and SquidGuard.
3. As an extension to #2 and inspired by Ad-Trap (www.getadtrap.com), I've set up pfSense to block 99% of advertisements at the network level (No web ads, no Youtube pre-roll ads, etc.).
 
This is the link to my pfSense build: http://homeservershow.com/forums/index.php?/topic/6362-adtrap-the-internet-is-yours-again/page-2#entry71470
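The per-device gateway override oj88 describes, written out as an ISC dhcpd configuration (the DHCP server pfSense used at the time). This is an added example, not oj88's own config; the hostname, MAC address and lease times are assumptions, the addresses are the ones from the post.

```conf
# Constructed example: one LAN subnet whose default gateway is the main
# router, plus a static mapping for one host that must egress through the
# OpenVPN router instead. Hostname and MAC address are placeholders.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.254;            # main router: default for everyone
    option domain-name-servers 192.168.0.254;
    default-lease-time 86400;
    max-lease-time 172800;
}

# Static mapping: this client always receives .10 and a gateway pointing at
# the VPN router. An option set inside a 'host' block overrides the same
# option set at subnet scope, so only this device is redirected.
host vpn-client {
    hardware ethernet 00:11:22:33:44:55;     # placeholder MAC
    fixed-address 192.168.0.10;
    option routers 192.168.0.253;            # VPN router, not the default
}
```

A DHCP-assigned gateway is a convenience, not enforcement: a host can set its own gateway and bypass the VPN router, so anything that must not leak should also be held to the VPN path by a firewall rule on the main router.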

Drashna Jaelre

I liked pfSense. Till I tried Sophos. It's a bit more complicated to setup, but .... damn is it awesome. 

I'm pretty sure it uses all the same things that pfsense does... but put together in an awesome, "simple" (once you get acquainted with it) package.

 

oj88 has covered pretty much all the good reasons. I need to look into the "ad" thing, but Sophos does have an "ad" section to filter out by default.

 

And this is my router:

http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007

 

Even running ... well all of the features for the home use basically, ~1GB of RAM used, and the CPU runs about 5-15% most of the time. Great box, and very low powered. Just needs RAM and a drive. 

 

 

And if you're interested in Sophos, I plan on writing up a couple of guides on how to use it "at home". 

https://drashna.net/blog/category/networking/

Edited by Drashna (WGS)

oj88

@Drashna, good call on Sophos.

 

When I was still looking for a free firewall to use, I stumbled upon Sophos UTM Home Edition. I didn't push through with the testing though, since I found out it can only protect up to 50 IP addresses (being free and all). I have way more than that, unfortunately. :D

 

@Don W. If the IP address restriction doesn't affect you, here's the link to Sophos' free UTM: http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

Jason

Will be interested to hear others' experiences. Have been running pfsense from version 1.2.3 to current 2.1-PRERELEASE on a Supermicro X7SPA-HF motherboard w/ integrated Intel Atom D525 CPU. Since the D525 is now obsolete and I'm using more processor intensive features (i.e. QoS), I'm going to rebuild my hardware firewall with a new Intel Ivy Bridge Celeron G1610 CPU w/ 8 GB RAM.

 

I liked the idea of Untangle 10.1 until I looked at their pricing. Their Lite (free) package doesn't have a fraction of the functionality of pfsense though I'd imagine it has a better, more intuitive UI (important). Looked at their standard or premium packages - considered a monthly subscription - but even then 1-10 devices doesn't seem like much. Between iphones, ipads, Roku, PCs, Macs, AVR, etc. I've already exceeded their 1-10 device option without even having built the new box yet. Jumping up to the 10+ device option increases cost considerably.

 

Has anyone ever migrated an existing pfsense config from old to new hardware (i.e. new NICs, new NIC MAC addresses, etc.)? Will a pfsense x86 config work on a new x64 build? Since I'd be going from 4GB to 8GB RAM, I'd need a 64-bit OS build.

timekills

Will be interested to hear others' experiences. Have been running pfsense from version 1.2.3 to current 2.1-PRERELEASE on a Supermicro X7SPA-HF motherboard w/ integrated Intel Atom D525 CPU. Since the D525 is now obsolete and I'm using more processor intensive features (i.e. QoS), I'm going to rebuild my hardware firewall with a new Intel Ivy Bridge Celeron G1610 CPU w/ 8 GB RAM.

I liked the idea of Untangle 10.1 until I looked at their pricing. Their Lite (free) package doesn't have a fraction of the functionality of pfsense though I'd imagine it has a better, more intuitive UI (important). Looked at their standard or premium packages - considered a monthly subscription - but even then 1-10 devices doesn't seem like much. Between iphones, ipads, Roku, PCs, Macs, AVR, etc. I've already exceeded their 1-10 device option without even having built the new box yet. Jumping up to the 10+ device option increases cost considerably.

Has anyone ever migrated an existing pfsense config from old to new hardware (i.e. new NICs, new NIC MAC addresses, etc.)? Will a pfsense x86 config work on a new x64 build? Since I'd be going from 4GB to 8GB RAM, I'd need a 64-bit OS build.

 

Jason,

One path I highly recommend since you are upgrading to a relatively high performance box (P.S. I'm surprised you feel the D525 is incapable of handling the pfSense router responsibilities, even with multiple "CPU-intensive" add-ins) is to virtualize.

 

I run pfSense on an ESXi box, and it is fantastic. Bonus is no matter what hardware I migrate to, the pfSense instance just works (albeit obviously faster as I upgrade the hardware.)

 

Drashna, Don, oj88,

I can't comment on the Sophos vs. pfSense comparison, but regarding a software router (i.e. pfSense, Untangle, Sophos, etc.) vs. hardware it is, as mentioned, the feature set vs. initial time to set up and learn the system. I've found pfSense to be completely stable once set up and running. I don't want to have to mess with my router. That said, for my home Internet use, I have stuck with a commercial wireless router just because I'm gone a lot, and the fix for them is unplug for 30 seconds and plug back in. Easy for the wife or kids.

 

I run pfSense for my lab and when deployed because it's free, it runs on hardware I already have (don't need to carry another router with me) and allows for high-speed VPN access, allows for multiple networks (i.e. an Internet connected LAN, a separate Internet connected lab LAN, and a segregated (non-Internet connected) LAN for other lab work.) It also will have much more efficient QoS than basically any SOHO wireless router. I am using the Netgear Nighthawk at home (one of the top 3 "fastest" wireless routers on the market today) and it still doesn't hold a candle to the speeds I can get with pfSense on a low-powered box when you start applying QoS and IP blocking.

 

Oh - speaking of country blocking, yes pfSense has an add-in that makes that super simple. You literally check the box of the country/countries you don't want to allow access to or from and it will block those IPs. Obviously won't help if the hacker is going through multiple locations, but it does block a lot of malicious sites from known highly-active hacktivist locations.

jmwills

Sophos is the old Astaro product right?

Jason

Jason,

One path I highly recommend since you are upgrading to a relatively high performance box (P.S. I'm surprised you feel the D525 is incapable of handling the pfSense router responsibilities, even with multiple "CPU-intensive" add-ins) is to virtualize.

I run pfSense on an ESXi box, and it is fantastic. Bonus is no matter what hardware I migrate to, the pfSense instance just works (albeit obviously faster as I upgrade the hardware.)

 

timekills, to your point pfsense just works. However unattractive its mgmt UI may be, after looking at pricing vs. features of Sophos and Untangle, it seems pfsense (FREE) is just a win. Unfortunately, I have zero experience with ESXi for virtualization. Only VMWare Workstation and Hyper-V, both of which run under a Windows OS. I was simply hoping I could build this higher powered Celeron-based SFF box and migrate over my saved config from old pfsense hardware to the updated build...then just update the interfaces to match the new NICs and MAC addresses. From what I've read Sophos is OK but takes some configuration before you even get any outbound internet access whatsoever. Seems a bit counter-intuitive to me. Also, despite how cryptic pfsense can be at times, it has a vast user community which goes a long way. Untangle appealed to me based on its paid feature set and I can't see myself paying $500/yr. for features I get in pfsense for free. Just thinking out loud.

jmwills

Restricting all outside access in the beginning is what it should be....DENY ALL.

Drashna Jaelre

Sophos is the old Astaro product right?

Yes. Sophos bought them out, and then still offered a free/home version. 

 

timekills, to your point pfsense just works. However unattractive its mgmt UI may be, after looking at pricing vs. features of Sophos and Untangle, it seems pfsense (FREE) is just a win. Unfortunately, I have zero experience with ESXi for virtualization. Only VMWare Workstation and Hyper-V, both of which run under a Windows OS. I was simply hoping I could build this higher powered Celeron-based SFF box and migrate over my saved config from old pfsense hardware to the updated build...then just update the interfaces to match the new NICs and MAC addresses. From what I've read Sophos is OK but takes some configuration before you even get any outbound internet access whatsoever. Seems a bit counter-intuitive to me. Also, despite how cryptic pfsense can be at times, it has a vast user community which goes a long way. Untangle appealed to me based on its paid feature set and I can't see myself paying $500/yr. for features I get in pfsense for free. Just thinking out loud.

Sophos is also free for home use, and yes, up to 50 devices. I'm not entirely sure how that is determined..., but for most "normal" people (oj88, yes I am referring to you), 50 IP addresses is plenty. Even for me, and my 20 VMs (not concurrent) and 10 IP cameras.

 

And as for the firewall... There is a trick, add a rule to the firewall of "Internal (network), Any, All" (as in source, service, destination) and this will allow "normal" router functionality. Yes, it takes a bit to get used to... but I'm absolutely loving it. 

 

I've been going through it and documenting stuff for myself and why I like it. Next up is messing with the firewall stuff, and then NAT/port forwarding.

https://drashna.net/blog/category/networking/

Edited by Drashna (WGS)
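The two points made above, jmwills's "DENY ALL" starting position and Drashna's single "Internal (network), Any, All" rule that restores normal outbound access, expressed as a pf ruleset (the packet filter pfSense is built on). This is an added example, not a Sophos UTM export or anything from the thread; interface names and the LAN prefix are assumptions.

```conf
# Constructed example: default-deny firewall with exactly one outbound
# allow rule for the internal network. em0/em1 and the LAN prefix are
# placeholders for a real WAN/LAN pair.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"

set skip on lo0
scrub in all

# Hide the LAN behind the WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# DENY ALL: every packet not matched by a later 'pass' is dropped and
# logged. With nothing else, the box routes nothing in either direction,
# which is the "no outbound access until you configure it" behaviour.
block log all

# The one "normal router" rule: source = internal network, service = any,
# destination = all. The state entry admits the replies, so no matching
# inbound rule on the WAN side is needed.
pass in quick on $int_if inet from $lan_net to any keep state

# Let the firewall itself (DNS, updates) and forwarded LAN traffic leave
# via the WAN; reply packets match the states created above.
pass out quick on $ext_if inet keep state

# Unsolicited traffic arriving on the WAN still hits 'block log all':
# port forwards are added here as explicit 'rdr' + 'pass in' pairs later.
```

Inspect the result with `pfctl -sr` (rules) and `pfctl -ss` (states) before trusting it; IPv6 and ICMP are intentionally not covered by these rules and need their own entries.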
