Pfsense on Blue Iris PC or Separate PC?

bugsysiegals

Getting the hang of it
Joined
Nov 1, 2018
Messages
179
Reaction score
27
Location
Racine, WI
I currently have a Linksys WRT1900ACS v2 router with DD-WRT flashed on it for firewall rules. The router works wonderfully when it's stock but WiFi performance is lacking with DD-WRT because of the Marvell chip and lack of good third party drivers.

I'm considering flashing the Linksys back to stock and running Pfsense instead for firewall and OpenVPN (not sure if I can then use the Linksys as an AP and disable routing with stock firmware). Since my Blue Iris PC is running 24/7 I'm wondering whether I should run Pfsense from the same PC or buy some other small hardware?

Or should I sell the Linksys and pick up a reliable Asus/Ubiquiti router which is known to work well with OpenWRT/DD-WRT? Is there any reason to step away from a router with open source firmware and move to something like Pfsense?
 

bugsysiegals

Another option, keep the WRT1900ACSv2 and deploy the WRT610N with stock firmware as an AP ... I'm not sure whether the Linksys router with stock firmware allows you to disable routing and turn it into AP mode only?
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,656
Reaction score
22,749
I currently have a Linksys WRT1900ACS v2 router with DD-WRT flashed on it for firewall rules. The router works wonderfully when it's stock but WiFi performance is lacking with DD-WRT because of the Marvell chip and lack of good third party drivers.

I'm considering flashing the Linksys back to stock and running Pfsense instead for firewall and OpenVPN (not sure if I can then use the Linksys as an AP and disable routing with stock firmware). Since my Blue Iris PC is running 24/7 I'm wondering whether I should run Pfsense from the same PC or buy some other small hardware?

Or should I sell the Linksys and pick up a reliable Asus/Ubiquiti router which is known to work well with OpenWRT/DD-WRT? Is there any reason to step away from a router with open source firmware and move to something like Pfsense?
Hi @bugsysiegals

pfsense iirc is open source - it has a lot of tweaks you can do to it, and can be very powerful. That also is a downside - it can get complex once you start to really play with it.

In general, use the security settings within the Windows OS to help secure the system, and use some sort of decent firewall settings on a decent router (DD-WRT should be good!).

If you want, you can also add a pfsense firewall into your setup. Up to you. If you just do the 2 above along with following the usual recommendations here (off with UPnP, off with P2P, use a VPN, secure your ports, etc.), you should be doing very well.
 

bugsysiegals

Thanks! After a month of really playing with iptables I've got it locked down nicely and have OpenVPN working; it's just slow with DD-WRT because of bad drivers for Marvell chip routers. I guess I'll try to add the other router as an AP and if it's still bad I'll trade out for something with good open source firmware support.
 

mat200

Thanks! After a month of really playing with iptables I've got it locked down nicely and have OpenVPN working; it's just slow with DD-WRT because of bad drivers for Marvell chip routers. I guess I'll try to add the other router as an AP and if it's still bad I'll trade out for something with good open source firmware support.
Hi Bugsy

Yeah, I've been looking for a nice box to run pfsense on that is affordable yet powerful enough and does not take up much space (too little space in my place). Turns out there's a lot of hardware with one Ethernet port and not as much with 2... maybe I should take more time to look for a solution myself also.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
pfSense has hardware available (looks like they discontinued the $99 version so the cheapest is $180). pfSense is overkill for at least 99% of all home users. My setup runs an i3-6100T and it's stupid overkill (1% to 3% CPU with TWO active VPN connections and running a speedtest). A single board ARM with dual NICs would handle 600+ Mbps.

However, ASUS router with default firmware can handle firewall and VPN, and for about the same price it would have WiFi, then repurpose your other as a second AP maybe?
 

bugsysiegals

I'm not sure what would be considered a "sophisticated" network warranting the need for such a firewall ... I guess I need to do some more review but I figured it would be worthwhile since I run OpenVPN to remotely watch the cameras. I have netdata from Entware on the router but haven't used it yet to examine whether the router is a bottleneck in the traffic, but figured a Pfsense box would ensure it wasn't. Beyond that I thought it might be nice to block ads, children from porn sites, etc., and perhaps have some advanced IDS features just in case I've mistakenly misunderstood some firewall rules and traffic is leaking. In my situation, would you say a router with DD-WRT/OpenWRT would be sufficient?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
If you are already comfortable with iptables, you’re starting with more knowledge than I had, but for most of what you want to do a $100 ASUS router would be sufficient (it can host an OpenVPN endpoint for connection from your mobile for example, and supports blacklist site lists to keep kids safer and secure). If you have a super fast internet connection you might need to buy into the very expensive tier routers to have enough CPU. Consumer routers with built in firewalls solve the problem for 99% of people, and take significantly less effort to set up properly.

I don’t regret getting pfSense, just it isn’t as sensible a choice as a router which provides free updates for vulnerabilities and I have found that to be the case with my ASUS router. I have both ASUS and pfSense because I have two sites. For remote site pfsense acts as OpenVPN client (this can be challenging to setup on consumer router) and connects to ASUS OpenVPN server, pfSense also provides a separate OpenVPN server which I can connect my mobile to check cameras etc.
 

bugsysiegals

How would I go about checking whether my Linksys is a bottleneck to VPN traffic? When I run the speedtest app while connected to the router with OpenVPN I'm getting about 2 to 6 Mbps download and 0.5 to 2.5 upload. Using the iPhone while connected to WiFi immediately afterward produces 36 down and 10 upload while using cellular only produced 17 down and 0.75 upload.

Is there a way to test how much faster the connection might be with a different router or Pfsense PC?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I see big variation like what you are seeing on my oVPN connection as well. I would suspect the mobile device CPU, or the LTE network itself, for contributing the most to your speed test results (more so than your router, but I also am unfamiliar with DD-WRT which, being aftermarket firmware, might not be optimized for all platforms it works on?)

Anyway if you wanted to test you could boot any old computer you have laying around to test performance directly using the "Embedded (NanoBSD)" version from a bootable USB stick off their website without going to the trouble to install it on the hard disk, futzing your computer all up. Ideally one with 2 network ports would be the easiest.

It could also be settings you are running in OpenVPN or the cipher you are using: see the community wiki Gigabit_Networks_Linux – OpenVPN Community where they did some testing to optimize for higher speed networks.

======= these were all tested to the same remote speedtest host =======
over wi-fi on my home network my phone gets: 100/82up
if I'm on home network wi-fi and start OVPN (idk wth it's doing exactly, unless it's just passing through my firewall 3 times) I get: 30/28up
on LTE it's a little sporadic, but I get approx: 20/5 down to 10/3
on LTE with OpenVPN connection to my home pfSense I see: 17/1.5 and 6/1.8 (changes all the time). pfSense CPU never hits 3%.
 

bugsysiegals

I just used speedtest.net from my computer, iPad, and iPhone to test my speed while having DD-WRT flashed on my router. The results: about 75/12 download/upload. I then flashed my router with stock firmware and ran the same tests. The results: 235/12 download/upload!!

That said, any ideas on the best method to firewall these cameras? Do I put another router in front of this one, with custom firmware for iptables, and use this router in bridge mode? Do I put Pfsense on the BI PC or a separate PC? Sophos? I'll have to do some digging around but figured I'd ask and see if anybody else is doing anything similar.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Some here use managed switches and set up VLANs, but some others just slap in another network card (in my case I tossed a USB-to-GB Ethernet adapter on a laptop the first go around).

Doing it that way separates the cameras from your regular network entirely. Only hassle is to configure cameras you have to Remote Desktop to the BI machine, but you can get network cards/adapters for under $20.
 

bugsysiegals

I currently have a managed switch but haven't used any of the management features. I know I can create separate VLANs from the ports but if the switch is plugged into the router I don't suppose that prevents the cameras from reaching the internet and only stops them from communicating with other devices on the switch?

I bought another GB NIC for the PC to connect the cameras directly to the PC but discovered it's slower than connecting the PC to the switch and switch to the router and you lose email notifications for SD Card failure, etc., as well as what you said. Someday maybe I'll actually be able to install cameras rather than mess around with hardware!! LOL
 

bugsysiegals

I flashed my router back to stock today and went from 75/12 to 235/12 down/upload!!! I’m going to keep the Linksys stock but now have no firewall so cameras are offline.

I can buy an Asus and run OpenWRT for firewall and possibly use the Linksys in bridge mode but the cheapest solution is probably to add a 4 port NIC to the BI PC, install Pfsense, have it do my routing and OpenVPN, and turn the Linksys into an AP.

My BI PC is a former gaming PC which probably draws a lot of power but if it’s going to be running 24/7 why not take advantage of it? Any reason not to run Pfsense on the BI PC and to have an additional PC?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I’m going to keep the Linksys stock but now have no firewall so cameras are offline.
The Linksys might have some hardware firewall capability, not sure how good, would be worth looking to see if it's known to be vulnerable (if it is then putting it behind a better firewall would be best).

Any reason not to run Pfsense on the BI PC and to have an additional PC?
The main problem I see with that approach is that BI runs on Windows and pfSense runs on a pretty secure Linux version OS. Running them both on the same computer (for example as multiple VMs running on UnRaid or such) isn't impossible but also not recommended.
Blue Iris is recommended to run on a dedicated machine, and while some forum users go against that and run multiple systems together, the thinking is BI can be pretty much set-and-forget and you don't have to worry about resource contention or other complexity. So YMMV.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I currently have a managed switch but haven't used any of the management features. I know I can create separate VLANs from the ports but if the switch is plugged into the router I don't suppose that prevents the cameras from reaching the internet and only stops them from communicating with other devices on the switch?
I'm not the right person to explain the proper way to set up VLANs because I don't use them -- but I suspect you can configure certain VLANs so they can't reach outside your network. There might be some explanation around that if you use "Search" on these forums for VLAN configurations others have been using.
 

bugsysiegals

Thanks, I’m picking up an Asus router which should run iptables without sacrificing WiFi speed. If I need to get all advanced in the future, I’ll pick up a used Dell computer and throw Pfsense on it. I agree, I don’t want to mess up my BI PC and miss some important footage.
 

bugsysiegals

I just reformatted my SSD and put Windows 10 on it. I’m only planning to install BI and an NTP time server. Should I put any antivirus on it if I’m not putting anything else on it or will it only slow it down?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I really think you have selected the best option and also the cheapest. Keep your ASUS firmware updated (same as anything else you own that needs patching), and set up OpenVPN directly on the ASUS router and you should be gold on the firewall/OpenVPN front. Then repurpose your old router as an AP bridge in some poorly covered area of the house if it doesn't have insecure firmware, or flash it with a new firmware that's more secure and live with slightly less performance (but on the AP instead of your whole internet connection).

Use your managed switch to set up your VLANs, and Google-search for a quick solution to prevent internet access from the camera VLAN (sorry I just lack experience on this). Being familiar with iptables, and depending on your switch, this might be a piece of cake for you.
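As an added example (not code from the thread or from any poster), this is one way to do what the post above asks for on a DD-WRT/OpenWrt router with iptables: a camera VLAN that the Blue Iris PC can poll but that cannot reach the internet or the rest of the LAN. The interface names, subnets and the Blue Iris address are assumed placeholders; adjust them to your own layout and run the rules once.

```shell
#!/bin/sh
# Added example (not from the thread): keep a camera VLAN off the internet and
# off the main LAN while the Blue Iris PC can still open connections to the cameras.
# Assumed placeholders: vlan3 = camera VLAN interface, 192.168.3.0/24 = camera
# subnet, br0 = LAN bridge, eth0 = WAN, 192.168.1.50 = Blue Iris PC.
CAM_IF="${CAM_IF:-vlan3}"
CAM_NET="${CAM_NET:-192.168.3.0/24}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
BI_HOST="${BI_HOST:-192.168.1.50}"

# Emits the iptables commands; apply them once on the router with:  camera_vlan_rules | sh
camera_vlan_rules() {
    cat <<EOF
iptables -N CAM_ISOLATE 2>/dev/null || iptables -F CAM_ISOLATE
# Replies to connections the Blue Iris PC opened may flow back to it.
iptables -A CAM_ISOLATE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log (rate-limited) what the cameras try to reach on their own, then drop it.
iptables -A CAM_ISOLATE -m limit --limit 5/min -j LOG --log-prefix "cam-vlan-drop: "
# No path to the WAN: cameras cannot phone home or join a P2P cloud service.
iptables -A CAM_ISOLATE -o $WAN_IF -j DROP
# No path to the LAN: a compromised camera cannot reach other devices.
iptables -A CAM_ISOLATE -o $LAN_IF -j DROP
# Everything forwarded out of the camera VLAN passes through CAM_ISOLATE first.
iptables -I FORWARD 1 -i $CAM_IF -s $CAM_NET -j CAM_ISOLATE
# Into the camera VLAN: only the Blue Iris PC may initiate; everything else is dropped.
iptables -I FORWARD 2 -o $CAM_IF -s $BI_HOST -j ACCEPT
iptables -I FORWARD 3 -o $CAM_IF -j DROP
EOF
}
```

The LOG line is what lets you check in the router's syslog whether a camera is still trying to reach something it should not (the "traffic is leaking" worry raised earlier in the thread).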
 

bugsysiegals

Btw, I also set the computer to not be discoverable to other PCs which seemed like a smart choice to prevent any other devices from accessing any files from the drives.

