I have had the same network setup for a long time now. Unifi stuff just works most of the time. I didn't really pick it. It's not open source, and now that I have fiber and have been having some issues with some of the Unifi hardware, it's time to make the call.
Do I just upgrade with Unifi or start migrating to something more in line with what I value?
So I've been chatting with my very helpful colleagues at Red Hat, and after mentioning PfSense to them I was told to check out Opnsense instead.
  1. I want to slowly move to 10g network gear
  2. I need PoE switches that are 10g
  3. I want a robust firewall / router
  4. I don't really wanna build my router due to time
Currently looking at Protectli Buyer’s Guide who sell hardware that is pre-installed with many options. I haven't decided which one to get yet. I wanna buy with the future in mind though, so 10g connections are a must and support for two WAN connections is as well. I'm glad I ran CAT6 in my house years ago instead of cheaping out.
After I replace my router / firewall I will want to replace my Unifi switches. I'm considering buying used Cisco switches from eBay.
Anyone have any advice on this plan or advice?
100 sats \ 1 reply \ @trieska 17 Jan
I am using opnsense on mini-itx; for me it is ok because I have slow internet. Then I have a unifi switch and two APs. My net is just 1g speed and it is enough for my family. Probably if I am going to upgrade I will stay with this setup, I mean the router will be running opnsense and the switch and APs will be unifi devices.
Don't forget, cat6 can do 10g speed, but if I remember correctly only up to a limited distance.
Maybe you need that speed, but mostly between a few devices, e.g. server and workstation, so I think that you can use a smaller switch for that.
Maybe you already watched Tom's video comparing the pfsense and unifi firewalls.
reply
Thanks! Aware of several of these factors but haven't seen that video. He does good work, I'll check it out.
reply
85 sats \ 11 replies \ @nym 16 Jan
Good post and buyer's guide. Doesn't quite fit your requirement, but these are recommended by some.
reply
I've actually had a few of their routers. Still have some for travel. They're great. I recommend them to friends and family.
The 10g thing is the requirement that might drive up my costs. I might need to build my own from a 1 liter PC to save some money. It's always time vs. money.
reply
0 sats \ 1 reply \ @nym 16 Jan
Yea a spare laptop would be plenty powerful to run any router software stack.
reply
Yeah... The issue is the network side and I don't want a laptop form factor. I have a server rack this will go into. My setup is super overkill.
reply
This might be the lowest cost that would work for me from these guys at least.
reply
Buying old Cisco devices can be a pain when it comes to getting the newest patched firmware. Cisco will gate this behind subscriptions and maintenance contracts.
I'm not familiar with the Protectli kit, but it does look like decent hardware for a good price, with no software vendor lock-in. I'd probably go the i7 core over the i3, run several instances in a hypervisor, and maybe up the RAM.
reply
Is there a good alternative switch manufacturer besides Cisco that doesn't have these subscription / licensing issues but also can be found used on eBay?
reply
Good to know. I'm not a network guy but I dabble. Why run several instances?
reply
Hypervisor on the metal vs. running a network/firewall OS on the metal (pf/opn/openwrt/etc.):
  • isolate/compartmentalize functionality within a VM (e.g. run IDS and routing in a different instance context)
  • rip out and replace the core firewall / routing functionality (don't like pf, switch to an opn VM, etc.)
  • VM images are portable between devices + easier maintenance and upgrades
Disadvantages:
  • performance hit due to virtualization
reply
Very helpful. Thanks.
reply
I'd add that https://vyos.io/ is another open source alternative firewall OS that implements the Cisco configuration language, if that's your thing.
I tend to prefer Linux firewalls over BSD-based ones, but that's generally a preference for features over simplicity.
A hypervisor lets you try them all with minimal effort in swapping them out.
reply
0 sats \ 0 replies \ @nym 16 Jan
Thanks, I haven't seen this product before.
reply
61 sats \ 1 reply \ @j7hB75 16 Jan
When I switched to fiber I upgraded to a Netgate 4200 running pfSense and have been quite happy ever since. The support is awesome and the hardware is robust. What do you need 10 Gbps connections for? You can probably get away with 2.5 Gbps for most use cases.
reply
Max performance of course ;) I have cat6 in the house, so file transfer mostly. Just not wanting to make limiting points in the system as I replace parts of it. Exploring ideas right now, so your comment is helpful!
reply