What firewall are you using?

TL1096r

IPCT Contributor
Anyone have any good info on firewalls and what you are using?
 

Liam Burke

n3wb
Location
Ireland
Hi,
I'm using Sophos XG, which is a free UTM offered by Sophos.
I've got it running as a VM with 4 GB RAM on an i5 Dell PC with 16 GB RAM, which itself runs VMware ESXi.
It's got some great features like content blocking (keeping kids' eyes off undesirable content on the interwebs) as well as highly configurable inbound and outbound firewall rules.
I use a business application rule to allow HTTPS through to my ZoneMinder install, so it can do inbound intrusion protection on any incoming connections (the firewall has my Certify The Web trusted cert, not my ZM instance).
Hope this helps.
Liamo
 

TL1096r

IPCT Contributor
It seems like a great/advanced setup. I was hoping for just a regular, easy-to-use Windows program. Like:
Comodo (would probably not use)
GlassWire
ZoneAlarm
TinyWall

I looked into Sophos:
Free Firewall Home Edition | Sophos Firewall for Home

Seems interesting enough:
NOTE: The Sophos XG Free Home Use firewall contains its own operating system and will overwrite all data on the computer during the installation process. Therefore, a separate, dedicated computer is needed, which will change into a fully functional security appliance. Just right for the spare PC you have sitting in the corner!
 

TL1096r

IPCT Contributor
Can you just load Sophos or pfSense on a computer and run it or do you need a dedicated hardware for Sophos?
 

pmcross

Pulling my weight
Location
Pennsylvania
You would either need to load it on a computer (as the OS) or run it in a VM environment. Typically old PCs are good candidates for running these products.
 
Location
Colorado
A dedicated mini computer with 2 network ports is enough for pfSense. But why are you asking about firewalls; what are you trying to accomplish? A fully patched consumer router like a supported ASUS (consumer) router model will have an integrated firewall and does most everything most people need (even OpenVPN).
 

TL1096r

IPCT Contributor
Just some added security. I was talking about programs on Windows to help easily manage traffic. GlassWire does a fairly good job, but no VPN, so I thought maybe there were some that had this option without having to add any hardware.

Thanks it is what I thought after reading. I have an old computer that can run Sophos XG.

My goal is to run a VPN on this firewall to connect remotely more securely. I am using stunnel but am not so happy with it. My router is from my ISP and I cannot do anything with it. Is there a step-by-step guide on how to run OpenVPN on Windows 10 and connect it with your phone to watch videos securely?
 

Liam Burke

n3wb
Location
Ireland
Yup, both Sophos XG and pfSense / OPNsense (another built from the origins of pfSense) and many more free / paid equivalents will do OpenVPN termination of clients; a quick search for tutorials comes up with:
pfSense: VPN Client with pfSense
Sophos XG: Sophos XG Firewall: How to configure SSL VPN remote access - Sophos Community
OPNsense: Setup SSL VPN Road Warrior — OPNsense documentation

I use all three for various lab firewalls depending on requirements, but I use Sophos XG as my main home firewall. It's not perfect, but has about 90% of the features that I need. One of the most frustrating things about it is that it doesn't register your DHCP client hostnames in its DNS DB, so you can't use names for pings etc. I get around it by using a Pi-hole for DNS/DHCP with the added bonus of ad-filtering (though Sophos XG will also do this).
XG is my main content filter for the kids, along with Google SafeSearch and Google Family Link.

Of course, as already mentioned, you do need a separate old PC with multiple NICs (WAN/LAN) to make it work.
Liamo
 

TL1096r

IPCT Contributor
Thanks, good info. I just wanted to add more content here as I didn't see many talk about their setup. I only have a laptop, but it doesn't have 2 NICs. You need that with Sophos?

Those are some advanced options. If you want to go without the firewall and use the basic firewall with Windows 10, is there an easy step-by-step to set up a VPN on Windows 10 to connect to BI through a phone securely?
 

awahl101

Young grasshopper
If you have a managed switch you can create two VLANs and use one for the LAN and one for the WAN. That is how my pfSense is set up; never had an issue.

 

TL1096r

IPCT Contributor
I read about managed vs unmanaged switches and it seems the consensus is to go with managed. That seems even a bit more advanced.

Is there any other more basic setups?

I was thinking BI machine with 2 NICs like Looney suggests
 

awahl101

Young grasshopper
Dual NICs are easier for sure, but my small mini PC has no PCIe etc. to add a card, plus I have switches galore from work.

The setup sounds a bit scary but it really isn't too bad.



 
Location
Colorado
You can also add a network dongle to the laptop to get a 2nd NIC, although the 1 GbE one I bought maxed out at about 350 Mb/s (which would be fine if your provided bandwidth is something lower, like 50/150 Mb), and the onboard 1 GbE would max out at about 800 Mb/s (so you might be losing a little network performance).

Nothing wrong with getting a managed switch and going the VLAN route; I'm even messing around with VLANs inside my LAN. It just depends on your budget, because adding a dongle to the laptop you have is like $25, buying a used i3 business desktop would be cheap, and a PCIe NIC wouldn't add much to that cost if it didn't have dual onboard. I would experiment with it in a VM or something first to see if it is something that interests you before making any investment.
 
Location
Reno, NV
I am learning as I go (I think I said the same thing in another post just the other day here!). I have not dabbled with firewalls since the heyday of ZoneAlarm. I have my BI with 2 NIC cards (cams on a different subnet), with the BI computer connected to my Netgear Nighthawk X10 router, which it says comes with OpenVPN. I have been... sadly woeful in the "needing to secure my network" respect, other than default router values and no ports being manually blocked. I have 4 more cams coming in (5231's). Once they are up and running, I'll be taking a hard look at pfSense or other firewall options, blocking ports, and starting to dabble for the first time with VPN.
Getting into BI and cameras has really opened my eyes to cyber and house security aspects :) And how much I need to learn.
Just wanted to toss it out there because I'm sure there are others who are learning on the fly like me, and really do appreciate the posts here.
 

TL1096r

IPCT Contributor
Very good, Holbs. You are new like me but a step above for sure :) I need to get 2 NICs one day. IPCAMTALK is a needed place for many starting to help secure their network. I simply wish it had more layman's terms.

Yes, I was expecting people to suggest firewall software, but this is way above and more in-depth, which is good. I see GlassWire is decent for telling you what is connected and what's going on if you look at that. I have blocked a few things with it already.

Is ZoneAlarm so bad now? It doesn't seem too bad from reviews. I was hoping others had experience with these toy firewalls for newbies :)

Anyone have more info on how to load pfSense? I am still wanting to do a VPN through Windows 10 software/app. I don't have a router able to support VPN.

I am using Stunnel for now - the forum helped me immensely with this. I compiled it into 1 thread for others as it was a bit spread out:
What are you using/doing to make your camera more secure?
 

IReallyLikePizza2

Known around here
Location
Houston
I am running pfSense on a 1U Supermicro box with an E3-1220 V2, 8 GB DDR3 ECC, 60 GB SSD, etc. I have a dual-port 10G SFP+ NIC; one port is used for LAN. This allows for inter-VLAN routing at speeds greater than 1 Gb/s without needing to route on the switch. I run firewall, DHCP, DNS, IPS, IDS and packet inspection.

For software firewalls, I am just using the Windows firewall for Windows Server VMs, and for my Debian VMs I don't use a firewall. Everything is segregated by VLANs, so not much firewalling is needed on the hosts.

My CCTV VLAN is completely separated, with only Blue Iris being exposed to that network. I use Windows firewall to stop the rest of the network communicating with it. But I am thinking of switching to a port isolation configuration on the switch to help with that.
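As an added example (not code from the post above, and not pfSense or Windows Firewall code): a small first-match, default-deny policy checker in Python for the kind of segmentation described, where only the Blue Iris host may talk to the camera VLAN and cameras never initiate anything. The addresses, VLAN ranges and rule set are assumptions chosen for illustration. The checker also flags rules that an earlier, broader rule shadows, which is the usual way such a policy silently stops doing what its author thinks it does after a reorder.

```python
"""First-match, default-deny inter-VLAN policy check (added example; assumed topology)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing (illustration only, not from the post):
LAN_VLAN = ipaddress.ip_network("192.168.1.0/24")    # workstations, servers
CCTV_VLAN = ipaddress.ip_network("192.168.10.0/24")  # cameras only
BI_HOST = ipaddress.ip_network("192.168.1.50/32")    # Blue Iris server, lives on the LAN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port
    note: str


# Evaluated top to bottom, first match wins, no match means deny.
# Order matters: BI_HOST is inside LAN_VLAN and CCTV_VLAN is inside ANY,
# so the specific allows must precede the broad denies, and the denies
# must precede the catch-all "LAN to Internet" allow.
POLICY: List[Rule] = [
    Rule("allow", BI_HOST, CCTV_VLAN, 554, "BI pulls RTSP from the cameras"),
    Rule("allow", BI_HOST, CCTV_VLAN, 80, "BI reaches the camera web UI"),
    Rule("deny", CCTV_VLAN, ANY, None, "cameras never initiate connections"),
    Rule("deny", LAN_VLAN, CCTV_VLAN, None, "no other LAN host reaches the cameras"),
    Rule("allow", LAN_VLAN, ANY, None, "LAN to Internet"),
]


def evaluate(src: str, dst: str, dport: int, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, note) for a new connection src -> dst:dport.

    Stateless on purpose: replies to a connection BI opened are handled by
    connection tracking on a real firewall, so they need no rule here.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.note
    return "deny", "implicit default deny"


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers their whole src/dst/port space. A non-empty result means the
    policy was reordered and some intended allow or deny is dead."""
    dead = []
    for i, r in enumerate(policy):
        for earlier in policy[:i]:
            ports_covered = earlier.dport is None or earlier.dport == r.dport
            if r.src.subnet_of(earlier.src) and r.dst.subnet_of(earlier.dst) and ports_covered:
                dead.append(i)
                break
    return dead


# The same rules with the catch-all allow moved to the top: three rules go dead
# and every LAN host can suddenly reach the cameras.
MISORDERED: List[Rule] = [POLICY[4]] + POLICY[:4]

if __name__ == "__main__":
    for flow in [("192.168.1.50", "192.168.10.21", 554),
                 ("192.168.1.20", "192.168.10.21", 554),
                 ("192.168.10.21", "203.0.113.5", 443),
                 ("192.168.1.20", "203.0.113.5", 443)]:
        print(flow, "->", evaluate(*flow))
    print("shadowed in POLICY:", shadowed_rules(POLICY))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

The same shape (specific allows, then zone-wide denies, then the broad allow) is what the Windows firewall or switch port isolation mentioned in the post has to express; running the shadow check after every reorder is the cheap way to catch the "LAN to Internet" rule quietly swallowing the camera denies.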
 

Location
Florida, USA
We have all UniFi gear including a gen 1 CloudKey. The CloudKey is a small Linux device powered by PoE or an adapter.

With the software on the CloudKey, I would see about 20 attack attempts a day that were denied by the firewall. When I went to a VPN, natively supported by UniFi, and put an iOS VPN on our phones, we have had no intrusion attempts.

Yes, networking equipment is not sexy, but the foundation for your camera system should be solid.

Where in Reno? In South Meadows.
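As an added example (not from the post above, and not UniFi's or pfSense's own log format or tooling): a Python tally of the kind of "attack attempts per day" figure the post describes, run over a constructed firewall log. The syslog-like line format, the addresses (RFC 5737 documentation ranges) and the VPN port are all assumptions. Besides counting denied inbound connections per day and per probed port, it lists sources that hammer the WAN several times in one day, and it performs the check that matters after moving to VPN-only remote access: nothing but the VPN port is still being accepted from the WAN.

```python
"""Tally denied inbound attempts from a firewall log (added example; constructed data)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample log in a made-up, syslog-like format (not UniFi's or
# pfSense's real format). Public addresses are from the RFC 5737 ranges.
SAMPLE_LOG = """\
2019-06-01T03:12:44Z fw deny in WAN proto=tcp src=198.51.100.7:51234 dst=203.0.113.10:22
2019-06-01T03:12:45Z fw deny in WAN proto=tcp src=198.51.100.7:51235 dst=203.0.113.10:23
2019-06-01T03:12:46Z fw deny in WAN proto=tcp src=198.51.100.7:51236 dst=203.0.113.10:3389
2019-06-01T09:40:02Z fw deny in WAN proto=tcp src=192.0.2.55:40001 dst=203.0.113.10:8080
2019-06-01T18:01:10Z fw deny in WAN proto=udp src=192.0.2.99:5060 dst=203.0.113.10:5060
2019-06-01T18:02:11Z fw allow out LAN proto=tcp src=192.168.1.20:50000 dst=203.0.113.50:443
2019-06-02T01:15:00Z fw deny in WAN proto=tcp src=198.51.100.7:51300 dst=203.0.113.10:22
2019-06-02T01:15:01Z fw deny in WAN proto=tcp src=198.51.100.7:51301 dst=203.0.113.10:22
2019-06-02T11:00:00Z fw deny in WAN proto=tcp src=192.0.2.55:40002 dst=203.0.113.10:8080
2019-06-02T22:30:30Z fw allow in WAN proto=udp src=192.0.2.77:1194 dst=203.0.113.10:1194
garbage line that the parser must skip rather than crash on
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ fw (?P<action>allow|deny) (?P<dir>in|out) (?P<iface>\S+) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log: str) -> List[Dict[str, str]]:
    """Parse every well-formed line; malformed lines are dropped, not fatal."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def denied_inbound(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if r["action"] == "deny" and r["dir"] == "in"]


def denied_per_day(log: str) -> Dict[str, int]:
    """The 'attack attempts per day' figure: denied inbound connections per day."""
    return dict(Counter(r["day"] for r in denied_inbound(parse(log))))


def targeted_ports(log: str) -> Dict[str, int]:
    """Which services the outside world is probing for (SSH, telnet, RDP, SIP...)."""
    return dict(Counter(r["dport"] for r in denied_inbound(parse(log))))


def noisy_sources(log: str, threshold: int = 3) -> Set[str]:
    """Sources with at least `threshold` denied attempts within a single day,
    i.e. scanners rather than one-off background noise."""
    per_src_day = Counter((r["src"], r["day"]) for r in denied_inbound(parse(log)))
    return {src for (src, _day), n in per_src_day.items() if n >= threshold}


def inbound_allowed_outside(log: str, vpn_ports: Iterable[str] = ("1194",)) -> List[Dict[str, str]]:
    """After moving to VPN-only remote access, nothing but the VPN port should be
    accepted from the WAN. Any record returned here is a leftover port forward
    or an overly broad rule that still needs closing."""
    allowed = set(vpn_ports)
    return [r for r in parse(log)
            if r["action"] == "allow" and r["dir"] == "in" and r["iface"] == "WAN"
            and r["dport"] not in allowed]


if __name__ == "__main__":
    print("denied inbound per day:", denied_per_day(SAMPLE_LOG))
    print("probed ports:", targeted_ports(SAMPLE_LOG))
    print("scanners:", noisy_sources(SAMPLE_LOG))
    print("accepted from WAN on non-VPN ports:", inbound_allowed_outside(SAMPLE_LOG))
```

Pointing this at a real export means replacing LINE_RE with the firewall's actual log format; the aggregation and the "only the VPN port is open" check stay the same, and an empty result from the last function is the condition to watch for once the port forwards are gone.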
 