Switch Recommendation

Hello Guys,

I’m not sure if this is the right place to ask this question. If not, please move the thread to the appropriate forum.

So, now I’m mostly finishing the setup and want to include a pfSense firewall device to secure the network, as some of them will be exposed to the internet.

I got to know that, as a security best practice, it’s suggested to use a managed switch which supports VLANs. So, now as I’m moving to 25G and 100G, I have my old switch (still in use) with the old NAS device and clients. So, my questions are:

  • Do I need a new managed switch? I already have a Mikrotik CRS312-4C+8XG-RM. If yes, then what brand and model would you guys recommend? Looking at under 16 ports for the moment.

  • Do I need to have the SFP+ ports on the Firewall Device?

  • Currently, I’m planning to use an old Lenovo ThinkStation Tiny (Core i3-9100 + 32GB DDR4 RAM + i350-T4 NIC). Is the CPU sufficient, or do I need to upgrade it so that it does not bottleneck when most of the devices are connected to the firewall via a switch?

  • As the ThinkStation Tiny does have the i350-T4, can I use the rest of the ports for the desired devices (such as Plex/CCTV), or would I still need them to route through the managed switch?

  • Do I need a machine with ECC support for the firewall device? I plan to use ZFS on the pfSense installation.

Any suggestions and recommendations are more than welcome!

Thanks

Do you intend to place the firewall between devices in your own network, or between your network and the outside world? In the latter case, the firewall only needs to be as fast as your WAN link…

What is the ThinkStation Mini planned for? Firewall duty or NAS?

Between my own network and the outside world; only one of them will be exposed to the outside world.

Can you please explain it a bit more?

For the firewall, on which I plan to install pfSense.

@etorix Any suggestions?

Not necessarily me, hopefully…

You already have a switch. The firewall would sit between the switch and the ISP box, as a transparent filtering bridge (video for OPNsense in this post). And a mini-PC with at least 2 interfaces is just fit for the role.


Thank you. Just wanted to confirm with someone who knows it.

BTW, any idea why some firewall devices have SFP+ ports when they don’t need that much speed from the ISP box? Not unless the speeds are 1GB/s. Is that correct?

Well, future expansion would be one possibility–even if you don’t have greater than gigabit speeds from your ISP now, you might in the future. Another reason–and the reason my new-to-me firewall/router does have a couple of SFP+ ports, one of which I’m using for LAN–is if you have multiple local networks on different VLANS, and may want gigabit bandwidth between them occasionally.

I run dual 10Gb ports on my pfSense bonded together with LACP for redundancy, but also because I was lazy and my VLANs all pass through pfSense (instead of my Brocade ICX doing the heavy lifting), so this is why: I do not want my pfSense to be limiting my internal network VLANs.

Same, except OPNsense for me–including the Brocade ICX.


Seems like I’ve started to understand the basics :slight_smile:

I’m having a few questions, though.

  1. Am I understanding this correctly that if I have a 25GbE device that I want to secure, I need a firewall device that has a 25G SFP28 port, right? If yes, then how are 100GbE networks being protected? Without a firewall? Or is it just the internet that needs to be routed, in which case a firewall device with 1GbE ports is sufficient?

  2. Also, what if I bridge the ISP box to use pfSense, and install pfSense on my Lenovo, which has 4x1GbE ports that go into a few of my switches and devices? Will this be secure enough? Or is this a dummy firewall, with just internet packet filtering and no traffic routing? Here’s a quick summary of what I want to explain:

ISP Box (1GbE port, 400Mbps plan) > Lenovo (via onboard 1GbE port) > Output (4x1GbE ports via i350-T4):

  • TP-Link Access Point
  • Mikrotik 10GbE Switch > 1GbE machines, 10GbE clients
  • Mikrotik 25GbE/100GbE Switch > 25GbE clients, 100GbE NAS
  • CCTV

  3. Can I connect my devices (such as a PC or a CCTV) directly to the firewall, or would I always need them to connect via a switch?

Also, @etorix mentioned that my Lenovo one is probably fine (has 4x1GbE ports) for a transparent filtering bridge. Is there anything other than that? I mean any other filtering type which is more secure?

Thanks

No, you are not. Presuming all the high-speed devices are on the same network, your firewall only needs to be fast enough to pass data to and from your WAN link at the speed of that link.

That depends entirely on how you configure the pfSense box. As you describe it, all your traffic will pass through it, so it will control what happens with that traffic.

Via a switch. WAN port on your firewall (i.e., your pfSense box) goes to your ISP’s modem, LAN port on your firewall goes to a switch, everything else connects to that switch.


So, that means a capable device (pfSense box) with X amount of ports (minimum two, one for the ISP box and the other for switches) that can filter the internet to the firewall and from the firewall to the other devices and switches, right? If that’s the case, why are there 25GbE OPNsense firewalls? Sorry, I’m not asking this in a rude manner but asking in general, as I want to understand the basics :slight_smile:

Oh, I see. And how would I know how powerful a CPU/RAM I would need for the firewall device? Yesterday, I got to know about some CPU instruction sets which are important for pfSense. Also, I’m confused about whether I need ECC RAM on the firewall side or not.

Yes, I totally get that. But this Lenovo ThinkStation has 1x1GbE onboard, which will go into my ISP modem, and then it has an i350-T4 installed which has 4x1GbE ports. So, will the following pattern work?

ISP Box (1GbE) to my onboard (I219-V, 1GbE) pfSense box. Then, this pfSense box also has an i350-T4 NIC with 4x1GbE ports, and I plan to hook up the following:

  • TP-Link Access Point (for securing WiFi networks)
  • Mikrotik 10GbE Switch (1GbE systems, 10GbE systems)
  • Mikrotik 25G/100GbE Switch (25GbE and 100GbE systems)
  • CCTV

Lastly, I have an existing Mikrotik CRS312-4C+8XG-RM. Is this a managed switch, and does it support VLANs? Moreover, is this a good choice for me (it will be lying around after I upgrade to the 25GbE switch), or do you guys have some other more robust suggestion with some other good features which I might need or am not aware of?

Thanks

Because some businesses have very fast WAN links, and/or need inter-VLAN routing at very high speeds.

That’s really a question better asked of the folks providing the software in question. The major factors are going to be how fast it needs to move data, and what it needs to do with that data as it’s moving it. Simple packet-filtering on a 200 Mbps WAN link is going to take a lot less than trying to run a VPN at multi-gigabit speeds. For most home purposes, up to and including a Gigabit WAN link, the CPU requirements are pretty modest.

That would likely be AES-NI, and while they’ve long since dropped it as a requirement, they’re a good idea for any application involving encryption. You’d be looking at very old CPUs to not have that.

Always a good idea if possible, but not especially important–TCP/IP data is checksummed, so it should detect, if not correct, errors.

I wouldn’t–I’d designate one as the LAN port, feed that into a gigabit switch, and connect the other devices to that. Unless you’re going to designate them as separate networks–maybe one network for CCTV, another for WiFi, to isolate traffic. Of course, that’s getting to be a more complicated network design.

I assume you could just bridge all those ports together, assign that bridge a single IP, and go from there–but I don’t think I would.

I’d assume so, but checking their docs would give you a better answer.

Bingo! This was a very simple question I wanted answered, and no one had answered me yet, except you :slight_smile:

You’re my man. Seems like I have to invite you for dinner :wink:

Will research more into it. I think you already gave me a turbo charge by answering the basic questions, friend. Very, very happy for this. Cannot thank you enough!

Hmm. What do you think about the i3-9100? That’s what I have at the moment, with 32GB RAM.

I think this was it. Sounds good!

Hmm. So mark it as an optional requirement?

Yes, but for some days, I want my devices down, let’s say for regular maintenance work or on holiday. Then, during the maintenance time, I would just need the WiFi, so if I connect my access point directly to the pfSense box, I would not need to have my switch always on. I can power down all the devices (including the switches), and only my ISP box, pfSense box, and access point are powered. Do you think I am doing it right?

I think I would want to do that, if not for the rest, for the CCTV for sure.

The ports on the i350? If so, I don’t think I would do it either. I would run individual devices from there.

Sounds good!

For the access point, I’m looking at the TL-WA3001. Is that a good choice? I have a few WiFi 6 capable devices and have owned TP-Link products for so long, which is a reason to go for them, as their products have been reliable. Not sure about recent years, though. Any advice on this would be beneficial and highly appreciated :slight_smile:

Thanks again!

Should be more than enough, as should the 32 GB of RAM (I have 16 GB in my router and it’s rarely more than 25% used, even with ZFS caching). It does support AES-NI, but doesn’t seem to support QAT–though pfSense CE doesn’t do QAT anyway.

I’d call ECC “nice-to-have” for a router, but not essential.

No idea on that; I’ve been using Unifi gear for the last several years. But TP-Link’s Omada ecosystem sounds pretty nice.


Now, that’s a relief.

Wow. Really? May I know your router model?

Oh, yes, I remember, there was something starting with QNT or QAT, which I read about yesterday. What about OPNsense? Does it do QAT?

Sounds good!

Hmm. Will look into it. Already, you have helped me a lot and gave me an initial push to do it. So, thank you so much for that!

Lastly, what do you suggest to use as firewall software? pfSense or OPNsense?

It’s a Supermicro 5018D-FN8T running OPNsense. Xeon D-1518 CPU, 16 GB of RAM (which, again, is overkill, even when running a couple of VPN links, the Caddy reverse proxy, and the Zenarmor firewall software), 240 GB SSD (also gross overkill).

It appears that it does.

I like OPNsense better; others have other preferences. There’s a thread here, linking to another thread on the old forum, discussing differences between the two:


Sometimes, pros are the ones who need overkill hardware, because they don’t want something to bottleneck and always want room for expansion :wink:

Okay. And is that useful? I mean, what does it exactly do, and any guess what generation of Intel processors supports this instruction set?

Cool cool.

Thank you so much for your help! You ROCK! :heart:

I know QAT is a form of crypto acceleration; I presume it’d help out things like VPNs. Beyond that, I haven’t really looked into what it would do. Neither my current nor previous hardware supports it, so it wasn’t really a big deal for me.

Yeah, that’s a nice excuse. But I’m not a pro, and my Aliexpress special wasn’t really bottlenecking me in any way. What it didn’t have, though, was IPMI, and I was getting tired of not being able to see the console when I had to reboot the router. This system does have IPMI, so I can watch the router console from anywhere on my network. Don’t need it that often, but it’s nice to have when you need to do an update and reboot it.

Hmm

Indeed. I love IPMI. Reduces monitor cost and clutter. xD

BTW, I wanted to ask if I can connect an unmanaged switch to the managed switch to get more ports.

ISP box > pfSense > Managed switch > Unmanaged switch.

Would that work?