New home network question - single smart switch vs pfsense+dumb switches combination

simas

Senior member
Oct 16, 2005
412
107
116
In the process of buying a new house without a network, and was wondering if people have an opinion on the choices below in terms of switching.

Basic goals:
- dual WAN failover capabilities (the pfSense I run right now would work for it)
- firewall (pfSense right now)
- 2 APs for Wi-Fi (currently use a single Asus RT-56 as AP; Ubiquiti?)
- whole-house antivirus (no current solution, looked at Bitdefender Box but not sure how to fit it into the solution)
- ability to separate virtualization lab needs from the rest of the house (VLANs?)


1) get a refurb enterprise switch from Natex, i.e. this one for $300
http://www.natex.us/Quanta-LB6M-Switch-p/quanta-lb6m.htm
+ relatively inexpensive, 10Gb from the get-go
- refurb, warranty unknown, high energy consumption, noise, single point of failure

2) splurge for a real managed switch with warranty and support
3) have the pfSense hardware do the switching and use unmanaged switches for the rest of the connectivity

Any thoughts? Also, any recommendations for/against Ubiquiti (any alternatives) and/or whole-house antivirus solutions; does anything else exist beyond the Bitdefender Box?
Thank you
 

MrMaster

Golden Member
Nov 16, 2001
1,235
2
76
www.pc-prime.com
What do you plan to do on your local network?

If you got a UTM it would be your firewall, dual WAN failover, antivirus, etc.
I am an Ubiquiti fan, so yes to Ubiquiti.
Why use a managed switch unless you are running a few servers?
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Sophos UTM 9 Home Edition. I believe it also allows for failover in a dual WAN config. Has built-in AV. It is also free for up to 50 concurrent users.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Sophos UTM 9 Home Edition. I believe it also allows for failover in a dual WAN config. Has built-in AV. It is also free for up to 50 concurrent users.

THIS.

Replaced pfSense with Sophos, haven't regretted it for a second.
 

simas

Senior member
Oct 16, 2005
412
107
116
@MrMaster
I will have 3 "groups" of devices on my network:

1) 4 devices that are joined to a Windows domain (2012 Server Essentials): a domain controller and 3 workstations.

Domain + Essentials gives me single sign-on on any device, access to a unified profile/shares, built-in recoverability up to a bare-bones reinstall, GPOs, etc.

2) utility devices: Obihai VoIP adapters, HDHR OTA network tuner, NAS for media, Nvidia Shield and Amazon Fire TV box for media access connected to the TV, Kindle/iPad/Android tablet/etc. These devices generally do not need to know or care about the domain controller/AD. I would like to lock this down, as I see some devices from group 1 needing limited access to items in group 2 (for the NAS) but not the reverse (the Obihai adapter should never request anything from the domain controller, or the iPad should be able to hit my Plex server running on the Nvidia Shield but not anything in group 1 directly). Nothing here needs any access to group 3, which is the virtualization lab.

3) server + virtualization lab to run evaluation versions of software, and some older VMs that I have and need software on which cannot be upgraded. This does not need to access or know about the primary Windows domain or any of my utility devices at all. An evaluation version of Win 2016/SQL Server 2016 should not be able to interact with anything else on my network outside of the virtualization lab 'subnet'.

Does this make sense? Do I need VLANs in this situation?
 

simas

Senior member
Oct 16, 2005
412
107
116
For Sophos, is the BYOD deal like pfSense? How would it fit into the overall network map?
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
For Sophos, is the BYOD deal like pfSense? How would it fit into the overall network map?

You mean will it run on your own hardware? Yes it will, with some limitations. It may not have network drivers for really old hardware. I have it running on an E5200 with the built-in NIC and an add-in 1 Gbps NIC. If you have hardware newer than, I would say, 2009 it should be OK.

It can fit wherever you desire routing between subnets. I don't have a complicated network at home, so it sits on my perimeter.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
For Sophos, is the BYOD deal like pfSense? How would it fit into the overall network map?

You would normally use it to replace your pfSense box. You could also run it as a VM if you've got enough NICs on the server for it.
 

Red Squirrel

No Lifer
May 24, 2003
70,347
13,673
126
www.anyf.ca
pfSense + managed switch with VLANs is a great combo. You can get pfSense to do the inter-VLAN routing and split up your network as you wish to segregate different things from each other. Ex: guest network, game servers, etc.
 
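The three device groups simas describes (domain, utility, lab) and Red Squirrel's point that the router does the inter-VLAN routing come together as a firewall policy on the router. This is an added example, not code from the thread: a first-match model of that policy, where the VLAN numbers, subnets, host addresses and ports are constructed assumptions.

```python
"""Model of a three-VLAN home segmentation enforced by the router/firewall.
Added example; VLAN plan, subnets and hosts are constructed, not from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan (assumption): one /24 per device group.
VLANS = {
    "domain":  ip_network("10.0.10.0/24"),   # DC + 3 workstations
    "utility": ip_network("10.0.20.0/24"),   # VoIP, tuner, NAS, Shield, tablets
    "lab":     ip_network("10.0.30.0/24"),   # evaluation VMs, fully isolated
}
NAS = "10.0.20.5"    # constructed address of the NAS in the utility VLAN


@dataclass(frozen=True)
class Rule:
    src: str        # source VLAN name or "any"
    dst: str        # destination VLAN name or "any"
    dst_host: str   # exact destination address or "any"
    dport: int      # 0 = any port
    action: str     # "pass" or "block"


# First-match rule set with an explicit default deny, the way a per-interface
# policy on pfSense-style firewalls is usually written. Replies to a passed
# flow are handled by the stateful engine, so only the initiating direction
# needs a rule; no rule lets utility or lab hosts initiate into "domain".
RULES = [
    Rule("domain", "utility", NAS, 445, "pass"),   # workstations -> NAS (SMB)
    Rule("utility", "domain", "any", 0, "block"),  # Obihai/iPad never reach the DC
    Rule("lab", "any", "any", 0, "block"),         # lab cannot initiate anywhere
    Rule("any", "lab", "any", 0, "block"),         # nothing reaches the lab
    Rule("any", "any", "any", 0, "block"),         # default deny
]


def vlan_of(addr):
    """Return the VLAN name containing addr, or None if it is not in the plan."""
    a = ip_address(addr)
    return next((name for name, net in VLANS.items() if a in net), None)


def decide(src, dst, dport):
    """Decide a new flow: same-VLAN traffic is switched and never reaches the
    firewall; everything else is evaluated first-match against RULES."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return "block"          # unknown address space is not trusted
    if s == d:
        return "pass"           # e.g. iPad -> Plex on the Shield, both utility
    dst_norm = str(ip_address(dst))
    for r in RULES:
        if (r.src in ("any", s) and r.dst in ("any", d)
                and r.dst_host in ("any", dst_norm) and r.dport in (0, dport)):
            return r.action
    return "block"
```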

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
Another recommendation for Sophos UTM. They do have a newer product called XG - it doesn't have the 50 IP limitation but lacks the AV server. I'm waiting for Sophos to release their promised UTM to XG migration tool and then I'll use it as my firewall and keep UTM around for AV. :)

I run Sophos UTM as a VM on my Hyper-V server and leverage the AV server, firewall, VPN, email filtering, and probably a couple of other things I'm forgetting. It runs very, very well.
 

simas

Senior member
Oct 16, 2005
412
107
116
Thank you for all of the suggestions. A few questions, if I may:
- For those of you using Sophos, how ready is that product? I went through some customer forums on their site and saw complaint after complaint (given that is what customers come in for). Also went to Ubiquiti to look at the USG and saw similar 'it is on the roadmap', feature coming, timing TBD, or 'this does not work yet' things. With pfSense, the feel I get is that of very active development and community, and it has been rock solid for me for 4+ years straight in both simple and multi-WAN configurations. I only wish it would be more flexible on licensing, i.e. I am willing to pay a subscription for a real AV engine (Bitdefender, Kaspersky, etc.) and would love for it to be part of the pfSense installation vs. the default ClamAV.

- For those of you with managed or semi-managed switches, what key advantages does it give you? Who issues IPs in your network (DHCP), do they run services like DNS, etc.? In my case, in my current house network, since I have a Windows server, it does all that even for devices that are never going to be part of the domain; I set up a range there that I allow wireless devices to go to as part of DHCP assignment, assigned statics to all others, etc. My limited understanding is that as long as I run a Windows domain, all IP assignment would have to continue to happen on DCs vs. routers (4 years ago when I was setting this up, I had misconfigured pfSense and it was fighting with the server, confusing the clients; fixed and not an issue since).

Thank you
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Sophos is actively developed. They have a paid version. It is pretty straightforward out of the box. AFAIK UTM 9 was born out of Astaro.

Unless things have changed, with pfSense getting the out-of-box capability of Sophos requires installation of modules.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Thank you for all of the suggestions. A few questions, if I may:
- For those of you using Sophos, how ready is that product? I went through some customer forums on their site and saw complaint after complaint (given that is what customers come in for). Also went to Ubiquiti to look at the USG and saw similar 'it is on the roadmap', feature coming, timing TBD, or 'this does not work yet' things. With pfSense, the feel I get is that of very active development and community, and it has been rock solid for me for 4+ years straight in both simple and multi-WAN configurations. I only wish it would be more flexible on licensing, i.e. I am willing to pay a subscription for a real AV engine (Bitdefender, Kaspersky, etc.) and would love for it to be part of the pfSense installation vs. the default ClamAV.

- For those of you with managed or semi-managed switches, what key advantages does it give you? Who issues IPs in your network (DHCP), do they run services like DNS, etc.? In my case, in my current house network, since I have a Windows server, it does all that even for devices that are never going to be part of the domain; I set up a range there that I allow wireless devices to go to as part of DHCP assignment, assigned statics to all others, etc. My limited understanding is that as long as I run a Windows domain, all IP assignment would have to continue to happen on DCs vs. routers (4 years ago when I was setting this up, I had misconfigured pfSense and it was fighting with the server, confusing the clients; fixed and not an issue since).

Thank you

You're never going to find a product that doesn't have people complaining about it. Even more so with products like this, as it's designed for usage by people with a certain skill level and you have people below that level trying to use it and getting mad that they can't. I've been using it at the house for probably two years now, zero issues. I've got a second one set up at my parents' house. Theirs is handling DNS and DHCP.

DNS/DHCP is all handled by my Domain Controller, save for the guest wireless network, which is in a walled garden with the WAP handing out its own DHCP leases on a different network.
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
Thank you for all of the suggestions. A few questions, if I may:
- For those of you using Sophos, how ready is that product? I went through some customer forums on their site and saw complaint after complaint (given that is what customers come in for). Also went to Ubiquiti to look at the USG and saw similar 'it is on the roadmap', feature coming, timing TBD, or 'this does not work yet' things. With pfSense, the feel I get is that of very active development and community, and it has been rock solid for me for 4+ years straight in both simple and multi-WAN configurations. I only wish it would be more flexible on licensing, i.e. I am willing to pay a subscription for a real AV engine (Bitdefender, Kaspersky, etc.) and would love for it to be part of the pfSense installation vs. the default ClamAV.

Simas, Sophos UTM 9 has been rock solid for me ever since I implemented it 2 or 3 years ago. The only thing I found was that Netflix had some issues with intrusion detection enabled, but Sophos allows you to enter exceptions so I created exceptions for my Roku boxes and the Netflix servers and that resolved the issue quickly. When I first saw the issue, a quick Google search pointed me back to others having the same issue on the Sophos forum and it was an easy fix.

I currently only have 2 legs on my Sophos box (internal and the 'external' leg which goes into my DMZ) but at some point in the future, would like to add a dedicated leg for my entire wireless network to connect into. I also run an Exchange server and Sophos' email filter has worked great for me.

At any rate, Sophos is free for home use so you have nothing to lose (except some time) by trying it out. I think their XG product looks great and I intend to use it at some point, but I haven't had time to configure it from scratch and their migration tool, which was supposed to be released this summer, has been pushed back to 2017.

- For those of you with managed or semi-managed switches, what key advantages does it give you? Who issues IPs in your network (DHCP), do they run services like DNS, etc.? In my case, in my current house network, since I have a Windows server, it does all that even for devices that are never going to be part of the domain; I set up a range there that I allow wireless devices to go to as part of DHCP assignment, assigned statics to all others, etc. My limited understanding is that as long as I run a Windows domain, all IP assignment would have to continue to happen on DCs vs. routers (4 years ago when I was setting this up, I had misconfigured pfSense and it was fighting with the server, confusing the clients; fixed and not an issue since).

Thank you

I have a Windows 2012 domain and use Windows domain controllers running DHCP to issue IPs. I don't really see a reason to use Sophos or any other product to manage IPs.
 

simas

Senior member
Oct 16, 2005
412
107
116
Thank you for all of the thoughts and feedback. A few more items on UTM for my learning:
- Would it be correct for me to assume that Sophos is taking the same place within your network (between the external provider and the internal router) that the pfSense firewall was occupying? If not, where do you put it and why? Any network diagrams with why you have structured it that way would be helpful.
- I keep reading about Sophos on virtual; wasn't this a big no-no traditionally? Even with the best hypervisors it would be bringing unfiltered traffic to hardware where I may run other things. As I mentioned earlier in the thread, my devices are of three categories. I would care little if my virtualization lab is somehow accessed, as this is limited-term evaluation software from Microsoft that has none of my information or anything real. I _do_ care strongly about my internal domain as it contains my data and want to limit interactions of other devices with it, thus wondering about where to put the UTM.
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
Thank you for all of the thoughts and feedback. A few more items on UTM for my learning:
- Would it be correct for me to assume that Sophos is taking the same place within your network (between the external provider and the internal router) that the pfSense firewall was occupying? If not, where do you put it and why? Any network diagrams with why you have structured it that way would be helpful.

In my current topology, I have an "external" firewall (an old D-Link DIR-655 that I had laying around) and an "internal" firewall, which is Sophos UTM. The network in between them is my DMZ, where I have a few devices connected (mainly my Ooma telephone system, a workstation, etc).

- I keep reading about Sophos on virtual; wasn't this a big no-no traditionally? Even with the best hypervisors it would be bringing unfiltered traffic to hardware where I may run other things. As I mentioned earlier in the thread, my devices are of three categories. I would care little if my virtualization lab is somehow accessed, as this is limited-term evaluation software from Microsoft that has none of my information or anything real. I _do_ care strongly about my internal domain as it contains my data and want to limit interactions of other devices with it, thus wondering about where to put the UTM.

You can always dedicate NICs for use with Sophos only. The two legs of my Sophos UTM connect to my DMZ and to my internal network. The connection to my internal network is a NIC dedicated to Sophos, whereas the DMZ network connection is shared between Sophos and other devices which need that connection.
 

simas

Senior member
Oct 16, 2005
412
107
116
Thank you. Are the addresses within the DMZ still issued by domain controllers, and is the D-Link set up as a firewall device only?
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
Thank you. Are the addresses within the DMZ still issued by domain controllers, and is the D-Link set up as a firewall device only?

No, for the DMZ I just use the D-Link to hand out IPs; it supports the use of DHCP reservations, so I make reservations for every DHCP device. Not worth managing those with a domain controller IMO since I have 4-5 DMZ devices max.
 

gus6464

Golden Member
Nov 10, 2005
1,848
32
91
Does Sophos UTM need to be run in a different mode in order to just have it function as an edge firewall? Basically modem > Sophos > EdgeRouter Lite > managed switch > UniFi APs.
I want my ERLite to handle DHCP and all that, as I have different VLANs to segregate guest Wi-Fi.
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Why don't you VLAN off the Sophos and have it handle DHCP?

Modem > Sophos > Managed Switch

If you have multiple NICs you can do untagged VLANs to the Sophos. Or tag the VLANs if you have a single LAN port. Seems to me the EdgeRouter Lite is an extra unneeded layer. /shrug
 
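Genx87's two options, one untagged VLAN per NIC or all VLANs tagged into a single LAN port, differ only in how the firewall learns which VLAN a frame belongs to. This added example (not from the thread) parses constructed 802.1Q frames the way a trunk port classifies them: tagged frames carry the VLAN ID in the tag, untagged ones fall into the port's native VLAN, which is why the native VLAN on a trunk should be one nothing sensitive lives on.

```python
"""Classify Ethernet frames arriving on a single trunk port into VLANs.
Added example; the frames below are constructed, not captured traffic."""
import struct

DOT1Q = 0x8100          # EtherType that announces a 4-byte 802.1Q tag
IPV4 = 0x0800


def classify(frame: bytes, native_vlan: int):
    """Return (vlan_id, inner_ethertype, payload) for one frame.

    A tagged frame has EtherType 0x8100 at offset 12, then a 16-bit TCI
    (3 bits PCP, 1 bit DEI, 12 bits VID) and the real EtherType. Untagged
    frames and priority-tagged frames (VID 0) land in the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != DOT1Q:
        return native_vlan, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return (vid or native_vlan), inner, frame[18:]


def build(dst_mac: str, src_mac: str, payload: bytes, vlan=None, pcp=0):
    """Constructed helper: build an IPv4 frame, tagged if vlan is given."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is None:
        return hdr + struct.pack("!H", IPV4) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return hdr + struct.pack("!HHH", DOT1Q, tci, IPV4) + payload


# Constructed samples: a lab VM on VLAN 30, a utility device on VLAN 20 with a
# priority mark, a priority-tagged frame with VID 0, and an untagged frame that
# the trunk will place in whatever native VLAN the port is configured with.
LAB_FRAME = build("001122334455", "66778899aabb", b"lab", vlan=30)
UTIL_FRAME = build("001122334455", "ccddeeff0011", b"util", vlan=20, pcp=5)
PRIO_FRAME = build("001122334455", "223344556677", b"prio", vlan=0, pcp=7)
UNTAGGED_FRAME = build("001122334455", "223344556677", b"mgmt")
```

With a native VLAN of 1 the untagged frame is classified as VLAN 1, so a trunk whose native VLAN is also used for management or the domain network silently admits untagged traffic there; setting the native VLAN to an unused ID (999 in the checks) avoids that.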

gus6464

Golden Member
Nov 10, 2005
1,848
32
91
Why don't you VLAN off the Sophos and have it handle DHCP?

Modem > Sophos > Managed Switch

If you have multiple NICs you can do untagged VLANs to the Sophos. Or tag the VLANs if you have a single LAN port. Seems to me the EdgeRouter Lite is an extra unneeded layer. /shrug

Because I don't want a single point of failure. A computer is more likely to crash than a physical router, so in case that happens I just have to move a cable and the internet is still up. Whereas having to configure the router with VLANs and stuff means I won't be back online quickly. Plus I've had the ERLite for a long time now, so why not use it.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
You still have multiple single points of failure doing it your way, you just moved one of them.
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Because I don't want a single point of failure. A computer is more likely to crash than a physical router, so in case that happens I just have to move a cable and the internet is still up. Whereas having to configure the router with VLANs and stuff means I won't be back online quickly. Plus I've had the ERLite for a long time now, so why not use it.

Build a second Sophos and configure the pair for active/passive failover.