Home network firewall/vpn
Tricks @ Sat Mar 09, 2019 1:11 pm
I feel like this is going to be pretty specific to the Doc and Bart. Do you guys use any firewall/vpn server solutions at home? I've been research pfsense as a proposed security/routing solution but am finding it hard to find the answers I'm looking for.
Basically what I would love to have is a firewall in place that operates both as a vpn server to remote connect to my home network and a vpn client to connect to a vpn provider. But it seems like since pfsense only works with openvpn, and it only uses single core, to fully use a fibre connection requires a monstrous processor. Whereas I could install a separate unit alongside a fairly simple firewall to operate the vpn and use wireguard, which pfsense doesn't currently support.
Subnetting and restricting access between shit in the home network is another issue that would need to be worked out. 
DrCaleb @ Mon Mar 11, 2019 5:55 am
I do a lot of subnetting. I have one switch that my internal stuff runs on. It has a wireless router that my things like Raspberry Pi or Arduino connect to, NAS and things that I want to keep to myself, and don't really need internet access such as my security cameras.
Then I have another switch that the wireless/wired router my ISP subjected me to uses through a firewall. It connects things that I care about, but doesn't contain any sort of private info, like my Media PC or NAS that I download things to (VMWare/Fedora ISO's etc) .
There is a firewall between these switches that limits traffic between them. I do use TorGuard VPN on my media PC (one of the few to support Linux), but it's on demand because Netflix really doesn't like VPNs.
There was a project I wanted to try, but haven't had the time.
https://arstechnica.com/gadgets/2017/05 ... l-options/
https://arstechnica.com/gadgets/2016/04 ... m-scratch/
https://arstechnica.com/gadgets/2016/01 ... wn-router/
I already had something similar as routers between my switches, but it might be time to upgrade. 
Tricks @ Mon Mar 11, 2019 8:02 am
I spent a disgusting amount of time trying to figure out how I would set things up. I figured I'd have a mini pc setup like the second link you've got with pfsense running as my firewall/router. This would need to have a sufficient cpu to handle duplex gigabit connection. Then another pc with a stronger cpu to run the vpn, since I'd want basically two connections able to operate at full gigabit speeds. One going to a vpn provider, and one for incoming connections to my network. The problem is that openvpn only uses a single core which fucking sucks. Wireguard is a new protocol, but not proven, even if everything so far is on the up and up.
But then since I have my media server which I share with family, that needs to be accessible in an easy way. So then I went down the path of subnetting everything, and setting up ACLs across the board that basically allows for one way traffic into that subnet (so that I can access it locally as well). Which then means I need to change out my switch and my router (soon to be access point) since my AP doesn't do vlan tagging.
So I'd have to pick up:
mini pc for router
build a system for vpn box
managed switch
AP that supports vlans
So basically two computers and a bunch of Ubiquiti equipment
That would allow me to basically have a constant vpn connection on my network for everything that is connected, that I'd probably only turn off for gaming if the ping sucks. Allow vpn connection into my network so that if I either need to access stuff or am in a public wifi I don't expose myself, and would still allow proper access to the various things i have set up for family.
BartSimpson @ Mon Mar 11, 2019 8:44 am
I have a Cisco ASA 5555 series with their FirePOWER suite of services installed. For VPN from my laptop to my home network I use F5 VPN - which automatically connects me to my home network from anywhere in the world.
Yes, it's overkill but my excuse is that this is the same stuff I use at work everyday so I'm very familiar with it and it's all easy to use.
Something more fitting for use in Canada (with the common bandwidth) would be something like the Cisco ASA 5506 series. It has VPN support but is more suited to a desktop and home network. 
Tricks @ Mon Mar 11, 2019 8:59 am
BartSimpson BartSimpson:
I have a Cisco ASA 5555 series with their FirePOWER suite of services installed. For VPN from my laptop to my home network I use F5 VPN - which automatically connects me to my home network from anywhere in the world.
Yes, it's overkill but my excuse is that this is the same stuff I use at work everyday so I'm very familiar with it and it's all easy to use.
Something more fitting for use in Canada (with the common bandwidth) would be something like the Cisco ASA 5506 series. It has VPN support but is more suited to a desktop and home network.
Yes, it's overkill but my excuse is that this is the same stuff I use at work everyday so I'm very familiar with it and it's all easy to use.
Something more fitting for use in Canada (with the common bandwidth) would be something like the Cisco ASA 5506 series. It has VPN support but is more suited to a desktop and home network.
I don't have a common bandwidth
And overkill is the spice of life! I don't think the cisco ASA would be able to handle the throughput I'm looking for, it's data sheet says only 150 mbps. I want to hit 1 gbps.
EDIT:It would hit 250, wrong one. Still not fast enough though. Also I fucking hate configuring cisco equipment
BartSimpson @ Mon Mar 11, 2019 9:53 am
For 1Gbps you'd want what I have: the 5555 as it can handled 2Gbps.
llama66 @ Mon Mar 11, 2019 9:57 am
I have two cans tired together by string.
BartSimpson @ Mon Mar 11, 2019 10:00 am
Yes, configuring Cisco is a bitch, but you have granular control over it and you can also import images that other people have configured.
On my little home network I have each of our two desktops on their own segmented VLAN, our DVR is on its own VLAN, and our wireless for our phones is on yet another VLAN. You can do all of that with Cisco and it pays off when you have one device compromised and your logs show you that there was not even a scintilla of lateral movement.
BartSimpson @ Mon Mar 11, 2019 10:01 am
llama66 llama66:
I have two cans tired together by string.
This is an extremely secure method for data and voice transmission.
DrCaleb @ Mon Mar 11, 2019 10:11 am
BartSimpson BartSimpson:
Yes, configuring Cisco is a bitch, but you have granular control over it and you can also import images that other people have configured.
On my little home network I have each of our two desktops on their own segmented VLAN, our DVR is on its own VLAN, and our wireless for our phones is on yet another VLAN. You can do all of that with Cisco and it pays off when you have one device compromised and your logs show you that there was not even a scintilla of lateral movement.
On my little home network I have each of our two desktops on their own segmented VLAN, our DVR is on its own VLAN, and our wireless for our phones is on yet another VLAN. You can do all of that with Cisco and it pays off when you have one device compromised and your logs show you that there was not even a scintilla of lateral movement.
That's why both of my switches are Cisco. Older ones, but still functional.
I can prioritize traffic to my games machine, and it doesn't get bothered when my Arduinos dump data about how my plants are being watered.
Tricks @ Mon Mar 11, 2019 10:26 am
BartSimpson BartSimpson:
For 1Gbps you'd want what I have: the 5555 as it can handled 2Gbps.
Yeah, which I'm not feeling the 10-20 grand I'd need to spend on it. If I build my own and use open source software I should be able to hit gigabit speeds.
Tricks @ Mon Mar 11, 2019 10:27 am
BartSimpson BartSimpson:
Yes, configuring Cisco is a bitch, but you have granular control over it and you can also import images that other people have configured.
On my little home network I have each of our two desktops on their own segmented VLAN, our DVR is on its own VLAN, and our wireless for our phones is on yet another VLAN. You can do all of that with Cisco and it pays off when you have one device compromised and your logs show you that there was not even a scintilla of lateral movement.
On my little home network I have each of our two desktops on their own segmented VLAN, our DVR is on its own VLAN, and our wireless for our phones is on yet another VLAN. You can do all of that with Cisco and it pays off when you have one device compromised and your logs show you that there was not even a scintilla of lateral movement.
That's pretty much exactly what I'm looking to setup, but running it through pfsense to do the routing I'm hoping to achieve the same thing without the astronomical price.
BartSimpson @ Mon Mar 11, 2019 10:47 am
Tricks Tricks:
BartSimpson BartSimpson:
For 1Gbps you'd want what I have: the 5555 as it can handled 2Gbps.
Yeah, which I'm not feeling the 10-20 grand I'd need to spend on it. If I build my own and use open source software I should be able to hit gigabit speeds.
Used they're running around $1k to $2k. I got mine through E-Bay a couple years back and it works fine. Just keep it cool and it stays happy.
Tricks @ Mon Mar 11, 2019 10:56 am
Yeah even e-bay it's running about 4k right now. I'm thinking I could do the entire network for half that.
Open source ftw
BartSimpson @ Mon Mar 11, 2019 11:31 am
Tricks Tricks:
Yeah even e-bay it's running about 4k right now. I'm thinking I could do the entire network for half that.
Open source ftw
Open source ftw
Check around with hardware liquidators or else be patient for the next tech crash and then swoop in with cash-in-hand when some local business goes tits-up and your $500 cash is just too tempting to pass up.
