

Messages - occamsrazor

Hardware / Re: pfSense + Ubiquiti Unifi switch + UAP-AC-Pro APs
« on: March 02, 2018, 02:00:33 am »
Thanks. Do you still feel you are gaining something with Unifi in terms of simple management of the switch + APs vs more "normal" switches? There's still some synchronization between the switch and APs, right?
Re: the dashboard, you should still get some monitoring capabilities even without the USG, I thought. Like, can you monitor per-client (as in per IP address, wired and wifi) realtime bandwidth usage even without the USG?
Can I ask what your setup is in terms of hardware and what you are doing with it?

Hardware / pfSense + Ubiquiti Unifi switch + UAP-AC-Pro APs
« on: March 02, 2018, 01:30:29 am »
I've read a few threads on this forum and the UBNT one. Currently have a Qotom i5 box running pfSense and very happy with pfsense so don't want to lose that. Running pfBlockerng and Suricata/Snort and when doing a torrent download at close to 200mbit the CPU hovers at only around 10-15%.

But looking to replace my current Netgear switch (GS110TP) and a variety of wireless routers used as pure access points with a Unifi switch and maybe 3 x UAP-AC-Pro APs. Just looking for people's experience with this and whether they feel they are still getting sufficient benefits from the "single pane of glass" type system when not using a USG gateway. This is for a home environment. I have a QNAP on 24/7 on which I've been able to install the Unifi controller as a docker container.

Not currently doing VLANs but I plan to do some simple stuff and find the simplicity of the Unifi interface appealing, but wondering if keeping pfSense as the firewall/router limits that simplicity.

Anyway, any experiences with a similar setup would be most welcome.....


In that case you can also use an RPI2 or 3 to run the controller on. Maybe you have one collecting dust somewhere.

Running the controller on the pfSense OS can have unforeseen issues when pfSense upgrades or a controller upgrade installs conflicting packages. If you absolutely need to run both on the same hardware I'd strongly agree with johnpoz, put each into its own VM.

Good points there. Thanks. I don't have an RPI but I do have a Macbook that runs 24/7 so could use that. Also I have a QNAP NAS running 24/7 and I believe you can run the Unifi controller as a package or via a docker.

Yeah if you want 10ge uplink You would have to go with the SG500X or 350X I do believe..

Sorry about that I didn't catch you wanted the ability to go to 10ge uplink - I overlooked the + on your sfp ;)

Yeah, price point wise the Unifi 48 is probably your best bet to allow you to go to 10ge uplinks in the future.. How much in the future are you thinking? Like something you're going to do in the next year or so - or just wanting to future proof? For some unknown date down the road?

No worries, and thanks. The "future" would likely be within the next year. Really I'd like to now, but I want to take it a bit step-by-step. On switches with 10ge uplinks there is a great and very long thread here (just in case it's of help to anyone else):

At the more consumer end the TP-Link T1700G-28TQ:

is pretty great bang for the buck with 24 x 1GB RJ-45, 4 x 10ge SFP+, is completely fanless and goes for around $300 in the US. But I haven't been entirely happy with the firmware on the TP-Link router I use as a pure access point, so I'm not sure I want to go with them. Netgear GC728X...

is also interesting hardware [ignore the cloud aspect, it has a normal Netgear web GUI as alternative].

10ge gear is getting a lot more affordable these days. But the whole user experience is also important for me so.... more research to do first I think :-)

Yes they are sfp not sfp+

So what your looking for is 10ge uplink?

Yes, copper gigabit ports with at least 2 SFP+ uplink ports. Initially to run at 1G speed with SFP modules but later to upgrade my 2nd switch in another room and swap-in SFP+ modules to enable a 10ge link between the two.

Correct me if I'm wrong, but all those combo ports are SFP, not SFP+. i.e 1G not 10G.

How many ports would you need - 48 is a lot of freaking ports.. And it's not even L3..

Yes I don't need 48. Need about 16-20 at the moment. But the only Unifi switch with SFP+ is the 48.
I'm not sure I really need full L3 functionality. I haven't segmented my network with VLANs yet but am hoping to experiment in the future. If I needed to do routing between the VLANs couldn't that be done at the pfSense level? Sorry, I'm still learning....

Why would you not look at say sg300 line, all of which have combo ports for sfp+

I actually have been looking at the Cisco small business line. But from what I could see amongst the dozens of models, the SG300 series do not have SFP+, for that you need the 350x or 550x..... or am I wrong?
Always hard to know from online reports/reviews, but I read mixed opinions about the small business line.

Once you have ports out your know-what - why would you not just run the Cloud Key for your controller vs putting it on pfSense? If you're going to run it on the same hardware then I really would just run VM hosting on your box and then run your controller and pfSense in different VMs.

What would be the advantage of the cloudkey over running the Unifi controller on my pfSense router or simply on my laptop? If I'm the only admin. I should add this is all for a home/homelab type situation.

You could also ditch the Cloud Key and run the UniFi Controller directly on pfSense.

I'm thinking of taking the plunge into a Ubiquiti switch, possibly the 48-port Unifi non-POE, to be connected to my Qotom i5 router. I don't need that many ports, but would like the SFP+ ports for future expansion. How well and easy does running the Unifi controller on pfSense work? How easy is it to upgrade - you are limited to what the maintainer of that script updates it to, right? Thanks

2.4 Development Snapshots / Re: router dead.. mountroot>
« on: February 17, 2018, 03:31:06 am »
I had the same on the latest development snapshot. Had to re-install and restore backup config....

Firewalling / Re: How to block cryptomining domains
« on: February 14, 2018, 09:03:12 am »
Yes I think the better way is to add that list as a DNSBL feed in pfblocker.
There's also another coinblocker feed I found:
I don't know how effective either is.
This is how I've done it, if that helps....
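The check a DNSBL feed ends up doing for you, reduced to a small script so it can be seen and tested. This is an added example, not code from the post, from pfBlockerNG or from any CoinBlocker list; the feed text and the query names are constructed. It accepts the two formats such feeds are usually published in (hosts format with a `0.0.0.0`/`127.0.0.1` sentinel, and bare one-domain-per-line lists), discards hosts-file noise like `localhost`, and matches a query when it equals a listed name or sits under it, while a look-alike such as `miner.example.com` is not caught by `miner.example`:

```python
"""Match DNS query names against a hosts-format or domain-list DNSBL feed.

Added example for the cryptomining-domains thread; it is not code from pfSense,
pfBlockerNG or any CoinBlocker list. SAMPLE_FEED and SAMPLE_QUERIES are constructed.
"""
import re

# Constructed sample feed in the shape many DNSBL feeds use.
SAMPLE_FEED = """\
# constructed CoinBlocker-style feed, not a real list
0.0.0.0 miner.example
0.0.0.0 pool.miner.example       # inline comment
127.0.0.1 coinhive-clone.test
0.0.0.0 localhost
bare-domain.example
"""

# Constructed query names, as the firewall's resolver would see them from LAN clients.
SAMPLE_QUERIES = [
    "www.miner.example",        # subdomain of a listed name: blocked
    "cdn.pool.miner.example",   # blocked
    "miner.example.com",        # different registrable domain: NOT blocked
    "coinhive-clone.test.",     # trailing dot, same name: blocked
    "bare-domain.example",      # from the bare-domain line: blocked
    "example.org",              # not listed
]

# Entries hosts files routinely carry that are not block targets.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

_SENTINEL_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# A plausible hostname: labels of [a-z0-9-] that do not start or end with '-', at least one dot.
_DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.EXAMPLE.' equals 'foo.example'."""
    return name.strip().lower().rstrip(".")


def parse_feed(text: str) -> set[str]:
    """Return the set of domains the feed blocks, ignoring comments and hosts noise."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in _SENTINEL_IPS:
            candidates = tokens[1:]           # hosts format: sentinel ip then name(s)
        else:
            candidates = tokens[:1]           # bare domain list: one name per line
        for cand in candidates:
            name = normalize(cand)
            if name in HOSTS_NOISE or not _DOMAIN_RE.match(name):
                continue
            blocked.add(name)
    return blocked


def is_blocked(name: str, blocked: set[str]) -> bool:
    """True if name equals a blocked domain or is a subdomain of one.

    Label-wise suffix matching: 'www.miner.example' is under 'miner.example',
    'miner.example.com' is not. That is what a zone-level block in a resolver does.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def blocked_queries(feed_text: str, queries: list[str]) -> list[str]:
    """Return the queries (as given) that the feed would block, in input order."""
    blocked = parse_feed(feed_text)
    return [q for q in queries if is_blocked(q, blocked)]


if __name__ == "__main__":
    blocked = parse_feed(SAMPLE_FEED)
    for q in SAMPLE_QUERIES:
        print(f"{q:26s} {'BLOCK' if is_blocked(q, blocked) else 'allow'}")
```

Two caveats that apply to any DNSBL-based block, whichever feed you pick: it only affects clients that actually resolve through the firewall (a miner with a hard-coded pool IP address, or a client using its own DNS or DNS-over-HTTPS, never asks), and a feed catches only the names somebody has already listed. Redirecting LAN port 53 to the firewall's resolver closes the hard-coded-DNS gap but not the other two.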

General Questions / Re: How To Remotely Access Router WebGUI ?
« on: February 12, 2018, 11:51:48 am »
"The convenience of not having to use a VPN, especially from mobile devices, is quite high."

How so - OpenVPN has clients for both Android and iOS.. It takes less than a second to connect to the VPN on my phone. Be it on a wifi network or even just on cell coverage.. So why in the world would I not just use the more secure option with a VPN?

No dispute on that, each to their own of course. And I actually do have OpenVPN set up with both Mac and iOS client apps. But it's still quicker without. I remain genuinely curious what the possible vector of attack would be though, given webconfigurator's lockout table......

Passwords are such an inconvenience... I just make them all 12345678 to make it easier ;)  Why do we need pins on our Debit cards again?  Its such a PITA to have to type them in ;)

Not really an equivalent though... you still need the correct administrator username/password entered within a certain number of tries to access the router. BTW I have disabled the default "admin" user login capability.

As mentioned, I'm no expert and genuinely interested in this.
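What the lockout table does and does not bound, worked through on constructed log lines. This is an added example, not code from pfSense or from either poster; the log-line shape and the lockout threshold (`LOCKOUT_THRESHOLD`) are assumptions made for illustration, so read the real format and limits off your own firewall. One address hammers the login page and gets locked out; a dozen other addresses each stay under the threshold, and a per-IP counter never correlates them:

```python
"""Count webConfigurator login failures per source against a per-IP lockout.

Added example for the remote-WebGUI thread; not code from pfSense or from any
poster. The log-line shape and LOCKOUT_THRESHOLD are assumptions for illustration.
"""
import re
from collections import Counter

LOCKOUT_THRESHOLD = 5  # assumed: failures from one address before it is blocked

# Constructed sample: one address hammers the GUI (6 failures, over the threshold)
# while twelve others spray 3 guesses each (all under it).
_HAMMER = "203.0.113.5"
_SPRAY = [f"198.51.100.{i}" for i in range(1, 13)]


def _fail_line(user: str, src: str) -> str:
    """Build a constructed log line in the general shape of a GUI auth failure."""
    return (f"Feb 11 13:05:01 fw php-fpm[345]: /index.php: webConfigurator "
            f"authentication error for user '{user}' from: {src}")


SAMPLE_LOG = "\n".join(
    [_fail_line("admin", _HAMMER) for _ in range(6)]
    + [_fail_line("admin", src) for src in _SPRAY for _ in range(3)]
    + ["Feb 11 13:06:00 fw php-fpm[345]: /index.php: Successful login for user "
       "'occam' from: 192.168.1.20"]   # a success line, which the parser must skip
)

_FAIL_RE = re.compile(r"authentication error for user '([^']*)' from: (\S+)")


def parse_failures(log_text: str) -> list[tuple[str, str]]:
    """Return (username, source) for every failed-login line in the log."""
    events = []
    for line in log_text.splitlines():
        m = _FAIL_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def failures_by_source(events: list[tuple[str, str]]) -> Counter:
    """Failed attempts per source address, which is all a per-IP lockout looks at."""
    return Counter(src for _, src in events)


def locked_sources(events: list[tuple[str, str]], threshold: int = LOCKOUT_THRESHOLD) -> set[str]:
    """Addresses a per-IP lockout would have blocked."""
    return {src for src, n in failures_by_source(events).items() if n >= threshold}


def guesses_never_interrupted(events: list[tuple[str, str]], threshold: int = LOCKOUT_THRESHOLD) -> int:
    """Guesses from addresses that stayed under the threshold.

    The lockout never reacts to these: every address gets threshold - 1 free tries,
    so the attacker's guess budget scales with the number of addresses, not with time.
    """
    return sum(n for n in failures_by_source(events).values() if n < threshold)


def sources_targeting(events: list[tuple[str, str]], user: str) -> int:
    """Distinct addresses that tried one account. A per-IP counter cannot see this
    number; it is the signal that tells a spray from a single noisy client."""
    return len({src for u, src in events if u == user})


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failed logins parsed:", len(ev))
    print("locked by per-IP lockout:", sorted(locked_sources(ev)))
    print("guesses the lockout never interrupted:", guesses_never_interrupted(ev))
    print("distinct addresses targeting 'admin':", sources_targeting(ev, "admin"))
```

The point the numbers make: a per-IP lockout caps how fast one address can guess, and the cap is per address. Renaming the admin account and using a long random password keeps each of those free guesses worthless, which is the part the lockout table relies on; and a listening GUI exposes its whole web stack to everyone on the Internet before any password is checked, which is the part a VPN or a source-restricted WAN rule removes.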

2.4 Development Snapshots / Development snapshots changelog information
« on: February 12, 2018, 03:03:54 am »
Home user, currently running the development snapshots. Where can I see what are the changes in the nightly builds? Would be informative and also useful as a learning experience to see what changes have been made. Even better would be to have this info available in the actual GUI either under the System Information>Version widget, or via an RSS feed you could put in an RSS widget. Maybe this is already possible and I'm just not seeing it. Thanks.

General Questions / Re: How To Remotely Access Router WebGUI ?
« on: February 11, 2018, 02:20:16 pm »
The solution occamsrazor's provided works too.  Although, 8080 is a known admin port for many devices and applications, so I personally wouldn't open 8080 if I had other options.

Thanks for the advice. As I'm the only user I can set it to whatever. So a higher port like 5xxxx or suchlike would be less likely to attract attention? Second question, I noted your reply a couple posts above... what's the advantage of a port forward from 5xxxx > 443 vs just using 5xxxx in System/Advanced/Admin Access? Simply so you can continue to use 443 internally on LAN? Or something else?

Also, I would not leave the source as "any".  I would configure the source with an explicit list of the IP's you want accessing the firewall.

I guess if you only want to access from some fixed locations that would work, but if you want to access from a roaming laptop or mobile device on 4g, that wouldn't be possible.....

General Questions / Re: How To Remotely Access Router WebGUI ?
« on: February 11, 2018, 01:16:59 pm »
As an aside, and a genuine question....given that there is a webconfigurator lockout table preventing multiple incorrect logins within a time period, assuming you choose a reasonably secure password.... what realistically would be the security threat or possible vector of attack? I'm talking about a home setup here. The convenience of not having to use a VPN, especially from mobile devices, is quite high.

General Questions / Re: How To Remotely Access Router WebGUI ?
« on: February 11, 2018, 01:08:37 pm »
A VPN solution is of course the preferred solution security-wise. That said, IF..... you do want to open access to the WebGUI to the whole world, this would be the Firewall rule that you would create on the WAN interface to do so. In my case I am using Port 8080 as my Webconfigurator port, the one listed in System/Advanced/Admin Access.
