Firewall Recommendation

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
Good evening,
I’ll apologize if I posted this in the wrong section; was not sure if it needed to be in cyber security or the network section.
I currently have an EdgeRouter X running into a Cisco switch with several VLANs for TV, cameras, BI, WiFi, and so on. Through the EdgeRouter firewall rules I created, no network can access another aside from WiFi accessing the BI server and the master network accessing everything. Even on the wireless router, I have activated the guest network and hidden the main configuration network on the router itself.
Outside of this, I was wondering if I needed to add another layer of protection with some type of additional firewall that would be installed between the edgerouter and the switch? My main goal would be to create another layer of protection for my entire network. Some type of ad block would be nice but is not a must-have right now.
I’ve looked at something like a Firewalla box but that just seems like something to record my every move like Microsoft. I’ve also looked at the Raspberry Pi, but I’m not sure that would offer a lot of security as it seems like it’s geared mainly to blocking ads.
Would an additional firewall be necessary? If so, any recommendations on a budget friendly device that does not store and report my info?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
I could probably argue this either way.

Since you worded it as "necessary" I'll say that, no, you probably don't really need one. And it will add complication to your network and whatever potential issues come along with that. If you had a network where you were running some internal services that must be exposed and filtering traffic to pass in/out for some specific reasons, or you had some things in particular that you needed to secure externally and/or internally, then more so. You already have a gateway firewall at your router. You should not be having any unrequested traffic entering your network through the gateway (unless you open something up). You likely can do some out-going filtering there as well on the Edge. Sounds like you have things pretty well segregated/limited internally.

That said, there are other reasons why you might want to run one. Pfsense is good as a firewall and you can do ad/site blocking within. There's some learning curve but you just need a decent computer of some sort with two network ports (unless you want to do something more complex). Don't know how good the Edge is as far as this goes, but Pfsense will give you a lot of visibility into what's happening outside/within your network. Or can just do ad/site blocking with Pihole on a Pi. Works well for that and relatively cheap and simple to set up and maintain.
 

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
I have seen information on Pfsense, but was not sure if there was a small dedicated box or if I had to run a separate computer. Again I have no type of network experience and firewall rules boggle my mind. I will definitely look into this and watch some videos on YouTube. Thank you for the info.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
You can get various appliance-type boxes to run it and other firewalls, pre-built or roll-your-own. You pay a premium for the off-the-shelf stuff.

If you have a reasonable old computer lying around you can use that to try it out. Doesn't need much for a small home network. Add a network card and that gives you something to play with and get started with. Can go from there for smaller/nicer if you want.
 

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
I’m sure I can find a laptop around here somewhere. It will give me a chance to tinker around and get more experience before I put anything permanently in place. I have found that the more I tinker with this networking stuff, the more I want to learn.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,407
Reaction score
2,795
Location
USA
I would not recommend adding a second firewall. It is redundant and could lead to issues where you actually expose yourself more because of the complexity of the system. For example, you don't write a rule on the main firewall because you are supposed to let the second firewall handle it, and then don't properly set it up on the second box. The more complicated a system is to manage, the more likely there will be mistakes made. This risk far outweighs the "what if" the first box is compromised scenario IMHO. If you have a robust, up to date firewall, the risk of compromise should be really low.

I'm not familiar with the Edgerouter (although I do use Ubiquiti APs). I do use pfSense as well and it is great. It's very robust, but easy enough to set up (and there are plenty of online guides and support). I have no formal training in networks or IT, but was able to set up a pretty robust system in multiple VLANs, a VPN for remote access as well as a site to site VPN (connecting my system to another family member's for offsite backups) and extra features like ad blocking. It didn't happen overnight, but I was able to get a basic system up and running and then expand out from there, one step at a time.

I run my pfSense off a used HP thin client (the HP t620 plus) that you can still get for about $125. Honestly I would probably recommend something like the HP t730 now. The t620+ haven't declined in price because they are so popular with pfSense users, while the newer t730 has continued to decline in price - making the t730s sometimes cheaper than the t620 plus. I had to add an Intel network card which added another $40 or so to the cost, but I ended up with a small form, low energy device that is plenty powerful enough for my current situation. The good news is if someday I need a more powerful device, the transition to a new device would be seamless. Just back up and restore what I already have on the new device and I would be up and running in minutes.
 

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
The majority of the firewall rules I created on the edgerouter are mainly geared towards the separated VLANs not accessing one another. The rules in place are set to also eliminate the other devices from seeing one another even if on same network.
Except for the few devices on the WiFi VLAN, everything else has been hardwired, so I figured that would increase both speed and security. WiFi devices are not allowed to access anything on the entire network except for the BI server. I’m sure this may take care of a lot of my security issues, but I’m always overthinking and over complicating things. In addition to studying Pfsense, I think I will go and study more firewall rules for the edgerouter. I just have to do everything via the GUI because I’m not proficient with command line.
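As an added example that is not from any poster in this thread, here is the access policy srvfan describes (the WiFi VLAN may reach only the BI server, is blocked from every other VLAN, and still gets out to the Internet) written as EdgeOS CLI commands rather than GUI clicks. The VLAN id 30 on switch0, the BI server at 192.168.20.10 on TCP port 81, and the 192.168.0.0/16 range covering all internal VLANs are assumptions; substitute your own values.

```edgeos
# Added example, not from this thread. Assumed: WiFi is VLAN 30 on switch0,
# the BI server is 192.168.20.10 on TCP 81, all LAN VLANs sit in 192.168.0.0/16.
# EdgeOS evaluates rules in numeric order and stops at the first match,
# so the BI allow (rule 30) must sit above the catch-all LAN drop (rule 40).
configure

# One group for every internal subnet, so a VLAN added later is blocked too
set firewall group network-group LAN_NETS description 'All internal VLANs'
set firewall group network-group LAN_NETS network 192.168.0.0/16

# Ruleset for traffic entering the router from the WiFi VLAN.
# Default accept lets Internet-bound traffic through; LAN is dropped by rule 40.
set firewall name WIFI_IN description 'WiFi VLAN to everything else'
set firewall name WIFI_IN default-action accept

# Return traffic for flows the WiFi client already opened
set firewall name WIFI_IN rule 10 description 'Allow established/related'
set firewall name WIFI_IN rule 10 action accept
set firewall name WIFI_IN rule 10 state established enable
set firewall name WIFI_IN rule 10 state related enable

# Packets that match no known connection
set firewall name WIFI_IN rule 20 description 'Drop invalid state'
set firewall name WIFI_IN rule 20 action drop
set firewall name WIFI_IN rule 20 state invalid enable

# The single permitted cross-VLAN destination: the BI web server
set firewall name WIFI_IN rule 30 description 'WiFi to BI web UI only'
set firewall name WIFI_IN rule 30 action accept
set firewall name WIFI_IN rule 30 protocol tcp
set firewall name WIFI_IN rule 30 destination address 192.168.20.10
set firewall name WIFI_IN rule 30 destination port 81

# Everything else on the LAN is dropped and logged
set firewall name WIFI_IN rule 40 description 'Block WiFi to all other VLANs'
set firewall name WIFI_IN rule 40 action drop
set firewall name WIFI_IN rule 40 log enable
set firewall name WIFI_IN rule 40 destination group network-group LAN_NETS

# Attach the ruleset inbound on the WiFi VLAN sub-interface
set interfaces switch switch0 vif 30 firewall in name WIFI_IN

commit
save
exit
```

After committing, `show firewall name WIFI_IN statistics` shows per-rule packet counters, so you can confirm rule 40 increments when a WiFi client tries another VLAN and rule 30 increments when it reaches the BI server.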
 

Old Timer

Known around here
Joined
Jul 20, 2018
Messages
1,352
Reaction score
2,945
Location
I'm ok
I run PFsense on a small fanless. We use it at work at several offices, and it works well.
It will be a wonderful change from the edge routerX.
Depending on how many network ports you need, you can buy a Protectli with 4 or 6 ports.
You can set up VLANs on the ports and reuse the configuration of your network.
I used the 6 port for my place. The software is free for home use.

The 4 port version will work fine. Does not need a lot of horse power or disk space.

There are a lot of videos on YouTube; look for Lawrence Systems.
 

Old Timer

Known around here
Joined
Jul 20, 2018
Messages
1,352
Reaction score
2,945
Location
I'm ok
PFsense has all sorts of ad blocking, anti hacking, anti SPAM, and OpenVPN client available.
 

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
Sorry one last question. Please keep in mind I have no networking experience except what little I have done on my own network. Firewall experience is just as limited.
Would a box like this be something I would put behind or in front of my existing edgerouter, or would it just completely replace the edgerouter altogether?
Thanks!
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
Generally you'd want your firewall up front on a network like this. Yes, you could replace the Edge. It will function as a router. Or you could leave the Edge in place to start so you could easily pull the pfSense and go back to it if you have a problem or if you want to segregate part of your network behind the firewall. Etc., etc. Lots of ways to do it depending on what you need/want.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I haven't used the Ubiquiti Edgerouter, but I think you'd want to use either the Edgerouter OR the pfSense box, not both. Adding another firewall+router layer is probably not required provided you can get updates for whichever firewall is internet facing, as an up-to-date firewall > best-out-of-date-firewall imho.

I'm guessing the Edgerouter is probably a more user-friendly device just based on how easy my Ubiquiti APs are to set up. Not perfect, but takes a little of the difficulty out of the equation for a more basic user. I'm not clear how much of an improvement Edgerouter provides over say a consumer ASUS router/AP, but my guess is feature set & complexity increase as you move from - ASUS consumer grade --> Ubiquiti Edgerouter ---> pfSense or similar --> commercial Threat Management hardware.

I can speak as a pfSense user as well as an ASUS user:
  • there is nothing I have been unable to set up (AD blocker, VPN server, limiting access for console systems, VLANs, multiple network subnets, device network authentication etc), but usually I have to find a video (and usually it's from Lawrence Systems on YouTube) to understand how to properly configure pfSense.
  • there are some things that the ASUS router isn't very proficient at (at least the old version I have), but at least it's always got up-to-date patches available to address vulnerabilities.
 

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
Great, thank you!
 

srvfan

Getting comfortable
Joined
Dec 12, 2020
Messages
619
Reaction score
2,357
Location
USA
As far as the ease of edgerouter, I had to search videos and do everything through the GUI. I could not follow the videos on command prompt, but again, I’m an amateur. I actually went this route because I saw an enterprise type router for $60, and so far it has worked. Big learning curve though.
Thank you for the info. Will definitely be researching over the next little while.
 