Topic: (SOLVED) Replacing Ubiquiti Edge Router X with pfSense

Offline tman904

(SOLVED) Replacing Ubiquiti Edge Router X with pfSense
« on: December 17, 2017, 12:19:59 pm »
Hello,

I've never used pfSense in production, just labs, but anyway.

I have a small SOHO network that consists of a few laptops/smart devices/printers as well as a Netgear wireless router in access point mode for my LAN, as well as another portion of my network that runs a server for my business.

At the moment I have my Edge Router X configured as such:

LAN-192.168.0.0/24
DMZ-192.168.200.0/24
WAN-X.X.X.X/X

I didn't think it was a good idea to post my exact WAN subnet unless it's necessary?

As far as the firewalling on the Edge Router goes, I set it up so my LAN subnet can talk to the WAN, but the WAN can't start a connection with the LAN subnet.

The DMZ subnet has port forwards from the WAN to the server for HTTP, HTTPS, IMAPS, and SMTP.

I usually access the server on the DMZ subnet from my LAN subnet at home. Because of this I don't have firewalling for traffic between the LAN and DMZ subnets. I know I need to have some, but I'm not sure what I should forward between them, e.g. only the service ports I'm using on the server (HTTP, HTTPS, etc.) or something else?

My main reasoning for the switch is I wanted more control and visibility into my network. The reliability of the Edge Router X is great; I updated its firmware on 10/31/2017 and it's been up ever since, and I nearly forgot about it.

The Edge Router X has a traffic analysis tab, but it only shows the source IP address of the client and rarely ever shows the layer 4 protocol (TCP/UDP) or the port number. I just checked while writing this, and for one of my Android phones it shows the phone's IP address, then "youtube", followed by the amount of data transferred, but that's all.

The last thing is: how do I deploy pfSense while avoiding as much downtime as I can?

Thanks for all your time and help.
« Last Edit: December 21, 2017, 01:57:21 pm by tman904 »
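The LAN/DMZ filtering question in the post above, expressed as a raw pf ruleset. This is an added example, not the original poster's configuration and not something pfSense generates verbatim: pfSense builds its rules from the GUI (where rules are evaluated first-match-wins per interface), whereas plain pf is last-match-wins unless a rule says `quick`. The interface names em0/em1/em2 and the server address 192.168.200.10 are assumptions; the subnets and service ports are the ones listed in the post.

```pf
# Added example, not from the thread. Interface names and the server
# address below are assumed; the subnets and ports are from the post.
wan = "em0"
lan = "em1"
dmz = "em2"
lan_net = "192.168.0.0/24"
dmz_net = "192.168.200.0/24"
server  = "192.168.200.10"         # assumed address of the DMZ server
svc_tcp = "{ 80, 443, 993, 25 }"   # http, https, imaps, smtp

set skip on lo0
scrub in all

# WAN: publish only the server's services to the internet.
# The filter rule further down must match the translated destination.
rdr on $wan inet proto tcp from any to ($wan) port $svc_tcp -> $server

# Default deny on every interface, logged, so anything not explicitly
# passed below shows up in the firewall log.
block in log all

# LAN -> WAN: anything out; replies return via the state table.
pass in on $lan inet from $lan_net to ! $dmz_net keep state

# LAN -> DMZ: only the service ports, only to the server, not the whole
# subnet. Management access (ssh etc.) would be a separate, narrower rule.
pass in on $lan inet proto tcp from $lan_net to $server port $svc_tcp keep state

# DMZ -> LAN: nothing, and "quick" so no later rule can override it.
# The internet-facing host is the one most likely to be compromised;
# it must not be able to initiate connections inward.
block in quick log on $dmz inet from $dmz_net to $lan_net

# DMZ -> WAN: let the server fetch updates and deliver outbound mail.
pass in on $dmz inet from $dmz_net to ! $lan_net keep state

# WAN -> DMZ: only the forwarded ports, only to the server.
pass in on $wan inet proto tcp from any to $server port $svc_tcp keep state

pass out all keep state
```

The point that matters for the question in the post is the direction of the LAN/DMZ rules: the LAN may open connections to the server's service ports, and the state table lets the replies through, but the DMZ has no rule allowing it to open anything toward the LAN. After loading a policy like this (or its GUI equivalent on pfSense), a quick check is to run a TCP connect from a host on the DMZ toward a LAN address and confirm it is blocked and logged, and then the reverse from the LAN to the server on 443 and confirm it passes.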

Offline NollipfSense

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #1 on: December 17, 2017, 12:55:19 pm »

I didn't think it was a good idea to post my exact WAN subnet unless it's necessary?


That's correct, and glad you didn't.  On the downtime, I would plan on implementing after working hours to avoid regular work-related use...it should take five to ten minutes, as you'll just be rebooting your main modem (that's assuming you have already installed pfSense on your hardware of choice) and waiting for pfSense to issue your LAN IP addresses to all devices.

Offline tman904

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #2 on: December 17, 2017, 01:16:34 pm »
I'm not quite sure what hardware I need?

Plus I need help with the filtering of the lan and dmz.

Is there documentation that is for firewalling?

Offline ptt

  • Hero Member
  • *****
  • Posts: 2406
  • Karma: +488/-48
    • View Profile

Offline NollipfSense

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #4 on: December 17, 2017, 04:07:48 pm »
I'm not quite sure what hardware I need?


I would suggest that you hang out in the hardware section of the forum and don't discount what Netgate has to offer in your decision-making process...especially if you don't want to tinker or don't already have an old computer sitting idle.  Also, here's a link to lots of setting-up info: https://doc.pfsense.org/index.php/Category:Howto

Offline GoldFish

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #5 on: December 17, 2017, 04:17:55 pm »
The Edge Router X has a traffic analysis tab, but it only shows the source IP address of the client and rarely ever shows the layer 4 protocol (TCP/UDP) or the port number. I just checked while writing this, and for one of my Android phones it shows the phone's IP address, then "youtube", followed by the amount of data transferred, but that's all.

I replaced my EdgeRouter X with pfSense for the same reason. ntopng is the package you want to look at for traffic analysis. It provides way more info than the EdgeRouter X. Once you set up pfSense, you can download it from the package manager. Below is the link for ntopng features in the community edition:

https://www.ntop.org/announce/say-hello-to-ntopng-2-0/
* pfSense Enthusiast *

Offline tman904

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #6 on: December 18, 2017, 10:12:48 am »
What hardware did you use to replace the Edge Router X, GoldFish?

Offline GoldFish

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #7 on: December 18, 2017, 10:26:50 am »
I have a Small Form Factor Dell desktop.
Core i5, 4GB RAM, 240 Crucial SSD and a PCIe Gigabit Intel network card. All of this is overkill, but it's future proof.

I got this from one of our clients who was gonna throw it away. And now it's the best firewall I've ever used.
« Last Edit: December 18, 2017, 10:42:05 am by GoldFish »
* pfSense Enthusiast *

Offline tman904

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #8 on: December 18, 2017, 12:11:34 pm »
Does the CPU have AES-NI? What is the model number of the Dell desktop?

Offline GoldFish

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #9 on: December 18, 2017, 12:32:21 pm »
Does the CPU have AES-NI? What is the model number of the Dell desktop?

It's a Dell OptiPlex 780 Small Form Factor.

It came with a Core 2 Duo, but I had a motherboard and CPU sitting around, again from another client. I used the Dell for the chassis and power supply and used a different board and CPU. Yes, it has AES-NI.

Are you planning to buy hardware? There are tons of options online again depending on your budget.
* pfSense Enthusiast *

Offline tman904

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #10 on: December 18, 2017, 06:32:22 pm »
I was thinking of building something like this with parts from Newegg.

COOLER MASTER Elite 110 RC-110-KKN2 Midnight Black Steel / Plastic Mini-ITX Tower Computer Case
   
Intel Pentium G4400 Skylake Dual-Core 3.3 GHz LGA 1151 54W BX80662G4400 Desktop Processor Intel HD Graphics 510
   
ASRock H110M-ITX LGA 1151 Intel H110 HDMI SATA 6Gb/s USB 3.0 Mini ITX Intel Motherboard

CORSAIR VS Series VS400 (CP-9020117-NA) 400W ATX12V / EPS12V 80 PLUS Certified Active PFC Power Supply
   
WD Caviar SE WD1600JS 160GB 7200 RPM 8MB Cache SATA 3.0Gb/s 3.5" Hard Drive Bare Drive
   
Intel EXPI9402PTBLK 10/100/1000Mbps PCI-Express Two Gigabit Copper Server Connections
   
4GB Samsung DDR4-2400MHz Non-ECC 288pin Memory M378A5244CB0-CRC
   
Grand Total:    $283.23

The G4400 CPU has AES-NI, and once you add the shipping it's $294.42, still $71 cheaper than the SG-3100, which is the appliance I was thinking of buying instead.

What do you think?

The main reason I wanted to build one is I feel I have more flexibility with the hardware. If I buy an appliance, as soon as Netgate EOLs it I can't use it for anything else.

Offline GoldFish

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #11 on: December 18, 2017, 09:20:10 pm »
Right on. Apart from the $7 saving, you have double the RAM plus a ton of storage. They probably would not EOL it anytime soon, as it was just introduced (maybe Sep-Oct 2017), but like you said, you can repurpose the machine anytime you want. You can upgrade it anytime you want. Building your own firewall has its own rewards. Maybe in the future replace the HDD with a 32GB or bigger SSD to make it more reliable.

Go for it !!!
* pfSense Enthusiast *

Offline NollipfSense

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #12 on: December 18, 2017, 10:41:32 pm »
Quote from tman904 (Reply #10, parts list and pricing as posted above).

I see you do like to tinker...I agree with GoldFish, go for it!

Offline johnpoz

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #13 on: December 19, 2017, 04:43:33 am »
Just wanted to point out that you're talking a few bucks difference in price... And buying the SG-3100 would get you Gold for a year, don't forget that!  And a huge part here is you fully support the project by getting hardware from them..  And you're going to be freaking sure it's a rock-solid box vs something you threw together with cheap parts you got from online..

How much power is that box going to draw vs the SG-3100?  Looks like you only have 2 NICs there.. Don't forget the SG-3100 comes with a
"four-port 1 gbps Marvell 88E6141 switch, uplinked at 2.5 gbps to the third port on the SoC for LAN."

which can be used as a switch or can be used as interfaces for different networks..  Your DIY box doesn't seem to have that.. Why would you need that much space in your router/firewall?  An old HDD to boot.. Put in an SSD at minimum..

I am all for tinkering...  But as a new owner of a shiny new SG-4860... I say support pfSense/Netgate and get hardware from them.. While some of their models might be high for a home/lab "I just like to tinker" budget, etc., clearly this is not the case with what you put together vs the 3100 model...

edit: BTW, if you have a question on when the EOL date for the 3100 might be, check here:
https://www.netgate.com/support/product-lifecycle.html

They list the 3100 as the replacement for the 2440..  The point to take away from that page would be this statement, I think: "End of Life (EOL) will typically occur within 1-3 years after the EOS date"

So when they stop selling the 3100, you most likely would have 3 years after that..  They have stopped selling the 2440, and its end-of-life date is the end of 2020.. And just because it's listed as EOL doesn't mean it still won't work, or that it would not be able to run the current version of pfSense at that time, etc.  We have a 2440 in one of our branch offices with plans to change all the offices out to pfSense - they will all probably be 3100s.. Was hoping to get a couple more this year but it didn't work out - my team lead would never pull the trigger on the order even though I brought it up every few weeks ;)  I would love to put in the 4860s, but they are way overkill for the needs of the branch offices ;)  And I don't think I will ever be able to make mine even break a sweat...  But that won't stop me from trying - looking forward to playing with the new layer 7 stuff...
« Last Edit: December 19, 2017, 04:58:12 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)

Offline tman904

Re: Replacing Ubiquiti Edge Router X with PFsense
« Reply #14 on: December 19, 2017, 09:16:23 am »
I see your very good points, johnpoz, and you've given me some things to ponder.