Home lab network question
I posted this on Reddit but not getting any feedback. I was debating a pfsense firewall but this seems cheaper and just as effective.
So right now, I've got just a TP-Link Archer C7 router that has SPI in it (and a wireless AP). I'd like to get a firewall/router that's stateless (since it doesn't do that) as well as add a security onion. I'm thinking about buying a Ubiquity Edgerouter X. How well would the below work?
WAN -->Modem--->ERX--->TPLink--->Endpoints/Servers
ERX---->Security Onion
Obviously, I'll just have a SPAN port setup for my Onion. Since I have a lot of wireless devices I'll keep DHCP setup on my TP-Link and really only use the ERX for its ACLs.
Thoughts? Is there a better way of doing this? Trying to stay cheap.
So right now, I've got just a TP-Link Archer C7 router that has SPI in it (and a wireless AP). I'd like to get a firewall/router that's stateless (since it doesn't do that) as well as add a security onion. I'm thinking about buying a Ubiquity Edgerouter X. How well would the below work?
WAN -->Modem--->ERX--->TPLink--->Endpoints/Servers
ERX---->Security Onion
Obviously, I'll just have a SPAN port setup for my Onion. Since I have a lot of wireless devices I'll keep DHCP setup on my TP-Link and really only use the ERX for its ACLs.
Thoughts? Is there a better way of doing this? Trying to stay cheap.
Comments
-
gorebrush Member Posts: 2,743 ■■■■■■■□□□If you own a server then can't you just run a virtual pfSense? That's what I've done.
I have a WatchGuard XTM5 I was attempting to run pfSense on, but as I've got plenty of server hardware it just made no sense to add another device to m home rack. -
markulous Member Posts: 2,394 ■■■■■■■■□□That does make sense for a few reasons.
I guess two issues I have is that firstly my servers are fairly weak. I've run pfsense off pizza boxes before but I don't recall how much cpu/memory it used.
The second is that my router doesn't have any kind if span port or anything on it, so if I could put my server inline between my modem and router, I still wouldn't be able to run my security onion unless I put that and pfsense on one server, but I don't think it has more than 8 gigs of ram and not many cores.
Do you think pfsense and onion on the same server would work fine? Considering the amount of resources. -
Danielh22185 Member Posts: 1,195 ■■■■□□□□□□Hmm. I may have to look into testing out Pfsense. I have a layer 3 3560 switch at home I have been wanting to integrate / build out some kind of firewall segmentation for a while now. Looks like this could be a great option for me.Currently Studying: IE Stuff...kinda...for now...
My ultimate career goal: To climb to the top of the computer network industry food chain.
"Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi -
markulous Member Posts: 2,394 ■■■■■■■■□□So since pfsense uses snort, I'm going to try to get that up and running today. I'm just debating whether to use pfsense for dhcp instead of my router. Guess it's 6 on one hand a half dozen on the other.
-
boot Member Posts: 22 ■□□□□□□□□□The Archer C7 is pretty well supported in the custom firmware community. Traffic mirroring setup on OpenWRT device shows how to set up port mirroring on an OpenWrt device. I'd recommend using an image from the LEDE project though (an OpenWrt fork). The concepts and pretty much all OpenWrt documentation still applies, but it's better kept up to date.
Not sure if you can make the firewall behave like you want it to, How to Make a Linux Stateless Firewall for Performance and Resilience suggests that it's possible, but I don't know enough about what you need. -
markulous Member Posts: 2,394 ■■■■■■■■□□Ah dang I didn't know there was 3rd party firmware on this router.
Would you recommend going with one of those images and keeping dhcp on my C7 or just use it as a switch and wireless AP and shift everything to pfsense?
I actually just finished installing pfsense today so I think I'm going that route, especially since I can feed it into Splunk with an app. -
boot Member Posts: 22 ■□□□□□□□□□It seemed like you needed the EdgeRouter X for two features that the Archer C7 could not provide, port mirroring and stateless firewall. My suggestion was only an idea of how to work with what you have, as it seemed on the surface that the C7 could do both with a custom firmware. If you already have a different plan that will get you where you want to go, go with it - my suggestion is not superior, just an idea that seemed useful when I wrote it.
-
markulous Member Posts: 2,394 ■■■■■■■■□□It was a great suggestion. I bought the router since it seemed decent and it was still supported, but I didn't know it had custom firmware for it. I definitely appreciate the help.
-
markulous Member Posts: 2,394 ■■■■■■■■□□Tried putting the pfsense on my network but it wasn't working. The interface for my router was having problems loading but it for some reason wasn't able to get to the web interface on pfsense either. Couldn't ping it. Had it connected to the wan port on the tp link, maybe it didn't want to route it somehow
Edit: I wonder if it's a NAT issue. I need to turn that off on my router first -
markulous Member Posts: 2,394 ■■■■■■■■□□Never mind. Got it up and running finally. Got snort and pfblocker all configured too