Single or multiple appliances

cloudbuster

Junior Member
Dec 2, 2013
Trying to set up a more secure network at home.

Just wondering if you need more than one appliance or just one to do it all.

I’m considering the Netgate SG-5100 to support the pfSense project.

But can I have one do it all? Connect the ISP modem directly to it and then have it do:
firewall, smart QoS, Suricata, Squid, SquidGuard, OpenVPN, router.
And then just add a Ubiquiti nanoHD AC for WiFi to one of the Ethernet ports, some more items like a Fire TV Cube to the other Ethernet ports, and a switch to connect even more stuff like an Xbox and an Nvidia Shield.

Or do you need to split the services/security between two of them?

Thanks.
 

SamirD

Golden Member
Jun 12, 2019
You can always run all of it on one box--that's what virtualizing is all about, right?

The main question is whether you will have enough resources on the box to run everything you want at the speed you want.
 

cloudbuster

Junior Member
Dec 2, 2013
Thanks,
I was not sure one could do it all in one box.

You are right, then the problem/limitation would be the CPU.

I’m looking at another box that is stated to have 2 LAN ports. When you use pfSense, can you assign one for WAN and the other for LAN?

Or that depends on the appliance/device itself?
 

SamirD

Golden Member
Jun 12, 2019
I think your layout is perfect with modem, pfSense, and Ubiquiti for WiFi. The thing you have to make sure of is that you have enough horsepower for pfSense to run with Squid and all the other add-ons, as they will take up quite a bit. Usually, I see pfSense configs like yours run on a dedicated computer, either virtualized or just regular. And as cheap as computing power is right now (just check out all the new and used deals everywhere), you can easily use a 2nd/3rd gen i7 to create a pfSense platform with more than enough grunt on the cheap.
 

cloudbuster

Junior Member
Dec 2, 2013
Thanks,

I’m looking at a faster computer with a better CPU.

Rethinking my layout, would it be okay to have 8 LAN ports instead of the 2 for WAN and LAN and a switch?
So it would be 1 WAN and 7 LAN?

And do you know if a PoE LAN port would work just fine using pfSense?
In that case it would be 4 LAN and 4 PoE LAN ports, and I would have one of the LAN ports be the WAN, so it would be 1 WAN, 3 LAN and 4 PoE LAN ports on the computer, with no need for an external switch at this location.

For location #2 I would need a switch, so I would just connect it to one of the LAN ports.
 

SamirD

Golden Member
Jun 12, 2019
I wouldn't do switching inside pfSense--stand-alone switches will do that with much more efficiency. You can have a single quad-port card for anything and everything routing, and then run what you need to a switch, etc. You should have some spare ports with a quad card.

Why do you need PoE? There aren't any PoE NICs, so you would have to use external PoE injectors---a PoE switch would be much neater. So again, a switch is better.
 

cloudbuster

Junior Member
Dec 2, 2013
Thanks,

That would remove the computer I had in mind from the list, as I could have it with up to 10 LAN ports, 4 of them PoE.
They use this module to give it power: http://www.cincoze.com/data/files/201812/Datashee-CFM PoE Module.pdf
Internal power to the NIC.

When you mention a quad card I’m confused.
A quad card, but only use two LAN ports, 1 for WAN and the other for LAN to the switch?
And then never use the other two LAN ports?

Just making sure, as the fanless computer I’m looking at only has 2 LAN ports.
 

Red Squirrel

No Lifer
May 24, 2003
I like to keep the firewall separate. WAN port to the Internet, LAN port set up as a trunk port to a managed switch. VM servers and other servers can be set up on said switch as well.
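The two-port layout Red Squirrel describes (WAN port to the modem, LAN port as an 802.1Q trunk to a managed switch) written out as a plain FreeBSD pf ruleset. This is an added illustration, not part of any post in this thread and not pfSense's own configuration format: pfSense builds the equivalent from the VLANs you define under Interfaces > Assignments and the per-interface rules under Firewall > Rules, and generates the pf rules itself. The interface names igb0/igb1, the VLAN IDs 10 and 20 and the 192.168.x.0/24 subnets are assumptions chosen for the example. The point it shows is that one physical LAN port carries several segments, and the firewall, not the switch, decides what crosses between the trusted LAN and the VLAN holding the Fire TV, Shield and Xbox.

```pf
# /etc/pf.conf for a plain FreeBSD box playing the pfSense role (added example only).
# Interface names, VLAN IDs and subnets below are assumptions made for this example.
# The two VLAN interfaces on the trunk port would be created in /etc/rc.conf:
#   cloned_interfaces="vlan10 vlan20"
#   ifconfig_vlan10="inet 192.168.10.1/24 vlan 10 vlandev igb1"   # trusted LAN
#   ifconfig_vlan20="inet 192.168.20.1/24 vlan 20 vlandev igb1"   # media/consoles
# Access ports on the managed switch are then placed in VLAN 10 or 20 as needed.

wan     = "igb0"             # untagged, cabled to the ISP modem
lan_if  = "vlan10"           # VLAN 10 riding the igb1 trunk
iot_if  = "vlan20"           # VLAN 20 riding the same trunk
lan_net = "192.168.10.0/24"
iot_net = "192.168.20.0/24"

# Private and link-local ranges that must never arrive from the ISP side
bogons  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8 }"

set skip on lo0
set block-policy drop
scrub in all fragment reassemble

# Both segments share the single WAN address
nat on $wan inet from { $lan_net, $iot_net } to any -> ($wan)

# Default deny. Logged, so anything not explicitly allowed shows up on pflog0.
block log all

# Source-address hygiene: bogons from the WAN, and neither VLAN may forge the other's addresses
block in quick on $wan inet from $bogons to any
antispoof quick for { $lan_if, $iot_if }

# Traffic the firewall itself originates, and forwarded traffic leaving it
pass out quick on $wan inet keep state
pass out quick on { $lan_if, $iot_if } inet keep state

# Trusted LAN: may reach anything, including devices on the media VLAN
pass in on $lan_if inet from $lan_net to any keep state

# Media/console VLAN: DHCP and DNS from this gateway, then the Internet and
# nothing else. The trusted LAN and the firewall's other services stay closed.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67 keep state
pass in quick on $iot_if inet proto { tcp, udp } from $iot_net to ($iot_if) port 53 keep state
block in quick on $iot_if inet from $iot_net to $lan_net
block in quick on $iot_if inet from $iot_net to self
pass in on $iot_if inet from $iot_net to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the default deny is dropping with `tcpdump -n -e -ttt -i pflog0`. Because pf is last-match-wins unless a rule says `quick`, the media VLAN's DHCP and DNS rules are `quick` so they win over the two `quick` blocks that follow, and the final unqualified `pass` only catches what the blocks let through. Adding a third segment (guest WiFi, a lab VM network) is one more VLAN on the same trunk plus a copy of the last five rules.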
 

SamirD

Golden Member
Jun 12, 2019
I wouldn't add PoE to the small computer serving as the router, as PoE produces a lot of heat. Better to have that in a PoE switch.

Oops, sorry. If you're building a computer for pfSense, you can get a quad-port NIC to have a few extra ports for the future. If you're using the Cincoze computer, then you should be fine with just the two ports, 1 for WAN and 1 for LAN, and the switch can handle the rest.
 

cloudbuster

Junior Member
Dec 2, 2013
Thanks,

Since it is not good to have the multiple internal LAN ports, I would look at a different model.
They have one semi-small model, but the LAN controller is Intel I219V and Realtek RTL8111H. I would contact them to see if they can change the Realtek for another Intel.
Fanless: https://www.logicsupply.com/ml510g-50/

Another fanned model has LAN controller Intel I210 GbE and Intel I219V:
https://www.logicsupply.com/mc510-50/

They have plenty of CPUs to choose from; I wonder if the i7-8700T would be a great choice for Suricata and other programs.

But I’d rather get a fanless design.
They also have a smaller series, the ML100.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
OP, your mistake is that you are concentrating on hardware rather than first designing a solid network that would provide for your needs. Then choose the best type of hardware for it (networking is different from building a tower gaming computer, or any type of computer).

As an example, PoE is not an important concept per se. It is just a form of power source that can be available in cases where there is no better source!!!


:cool:
 

Red Squirrel

No Lifer
May 24, 2003
For PoE I find most PoE devices come with their own injector anyway, and half the time they don't comply with the 48V PoE standard and do their own thing, so even if you had a PoE switch you would need to use their injector. Unifi, for example, is notorious for that. Their stuff runs on 24V.

PoE is good for office environments that use a VoIP PBX, but for home, unless you specifically have a bunch of 48V PoE devices, it's not really worth it.
 

cloudbuster

Junior Member
Dec 2, 2013
Thanks guys,

Maybe I was not clear in my last post; I was just wondering about the regular LAN ports: one PC has two controllers, one Intel NIC, and the other LAN is Realtek.
I have read Realtek is not that good with pfSense.

I would not pursue PoE; it was an idea I had at first, but you guys advised me it is not a good idea.


So now can I get some advice here?
I think I would narrow it down to the i7-8700T vs the Intel Avoton C2750 octa-core processor with ECC RAM.

Would those make a great system, trying to avoid bottlenecks?
Just flip a coin, or does one have a better advantage?

Thanks.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
The 8700T scores higher than the C2750.

That said, since there is no indication that you are doing something that needs immense network power, it probably does not matter which one you would use. I.e., choose the less expensive and easier to deal with.

Easy to deal with? Download the PDF manuals of both and read.

:cool:
 

cloudbuster

Junior Member
Dec 2, 2013
Thanks Jack,

It sounds like they are massively overkill; I just want to make sure there is no lack of power if I do OpenVPN and all the other add-ons.

They offer a few other options where I could save $, but I just want to make sure to be on the safe side.

What would you say should be the minimum to stay on the safe side?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Big retailers and financial institutions use a lot of strong safety measures and occasionally their networks are breached.

Why? Because they are attacked by thousands of hackers.

Security of private individuals is more about what the individuals are doing on their outside connection rather than the technology that is used by them.

Hundreds of millions of people are using the regular modem/router and the firewall/antivirus provided by their ISPs and their computer's OS, and nothing happens to them.

On the other hand, if you are in the habit of visiting dubious sources (porn, pirated software, questionable online gaming) and opening every email from an unknown source, your network will be breached whether you use an i7-8700T or an Intel Avoton C2750.


:cool:
 

sdifox

No Lifer
Sep 30, 2005
What else are you running in your network? If you already have a server that is on 24/7, you may as well run pfSense in a VM and dedicate two Intel NIC ports to it. Hook the WAN one to your modem and the LAN one to your switch.

Do pay attention to what the WAP needs as power input. Some of them are not 802.3af or 802.3at compliant.
 

cloudbuster

Junior Member
Dec 2, 2013
Jack, that is so true.
You made me reconsider my initial choice:
a Ubiquiti router.

sdifox, nothing else, only a regular WiFi router.