Best Firewall for low to mid level Network Exp?

Airmanv, Limp Gawd, Joined: Aug 3, 2002, Messages: 478
Hi guys, I am looking to put a firewall on the home LAN just to enhance protection.
Been in IT for a while and have mainly infrastructure and hardware exp. I know enough networking to be dangerous, but not enough to fully leverage a firewall to its max capability.
What product, if any, would you recommend for a simple setup?

Right now the home LAN is:

Cable Modem > Switch > Mesh Network setup
 
pfSense, maybe in conjunction with a Pi-hole, or just going nuts with the internal filtering options (I do this; it works great).

If you aren't familiar with it, you have to either buy a ready-made appliance or build your own hardware to go with it. The software is free.
 
If I were in your boat, I'd pick this up BNIB for <$100. It has killer capability and isn't EOL until the end of the year, so you should be able to get all the current updates/subscriptions before it's EOL and you can't anymore. It will work even after it's EOL, as we got our first one when it was EOL:
https://www.ebay.com/itm/354121653597
 
Between my Asus router's included "AIProtection", firewall and my own AdGuard Home (Pi-hole equivalent), I haven't had any trouble.
 
Thanks, I have used Pi-hole and pfSense before but mainly focused on ad blocking.

This is likely a stupid question, but does installing a firewall right behind the modem offer any out-of-the-box protection, or do you need to configure settings to offer any protection?

On my pfSense I installed pfBlockerNG and was able to block ads and traffic to known malicious IPs. Have not leveraged much else as I am not sure what is optimal.
 
For quality firewalls, you will have to go through a setup process to get anything working at all, including pass-through routing, but in my experience, a very basic firewall doesn't take too much time to set up and everyone has tutorials and list suggestions to make it a straightforward process.

The adblocking alone goes a long way, especially if, like me, you're using a ton of those known lists that are maintained. For pfSense, add the Snort package; it's the firewall side and very robust. The config is pretty easy and you'll want to get a free subscription from the snort.org website to extend the capability.

Lastly, and this is for any firewall/router: if you don't already do it, create a new account as the admin account and disable the default admin account. There are bots out there trolling for login-attempt attacks that just make things annoying when the IDS starts shutting off IP address ranges (and in my setup, I have a little case speaker wired in, so it was constant login beeps).
 
Most enterprise routers/firewalls like the one I posted block a lot of stuff that consumer ones let through by default. They also do a lot more packet inspection (and beyond, for a fee), so you can see exactly what devices are doing in real time.
 
A simple setup for a home network would be ISP router (or typical home router) + credible VPN provider + Raspberry Pi running Pi-Hole/AdGuard-Home for non-VPN devices.

For a pro-sumer setup, I'd recommend an all-in-one solution: Ubiquiti's Dream Machine / Pro (router, switch, WLAN APs). If you know Linux/Debian CLI and are willing to spend some time building custom scripts (or even use custom firmware), you can do a lot with it that isn't officially supported. Even on the basic Dream Machine you can use the CLI to force all Suricata IPS/IDS rules (27K+) instead of limiting yourself to the rules allowed by Ubiquiti via the GUI (around 9K). Pi-hole/AdGuard Home can be installed on the UDM/UDM Pro in a container as well. Full OpenVPN support is coming in the next firmware. WireGuard (even in-kernel) can already be implemented via available custom firmware and scripts. It's almost limitless, but not via the GUI...

For enterprise, I don't know...
 
This is an impossible question to answer without more details. There are a lot of things that go into modern firewalls that may or may not be on your radar. The most common are:

web filtering
dns filtering
ips
app id / app control

Also, understand that several of these are going to require TLS/SSL decryption to be useful, which means you will need to install certs on your clients. I'll add that unless you're doing this, you really don't need a special firewall. Save yourself the trouble and continue with your consumer gear, install Pi-hole and use it. Hell, I even use it as a client pre-filter in front of my FortiGate, which is also doing DNS filtering, for defense in depth. It is a free tool that is stupidly easy to implement and extremely powerful for what it brings to the table.


Not exactly firewall features but included in many
dns server
s2s vpn
remote access vpn

I would add that it looks like you're currently bridging your wifi and your wired network. If you're actually interested in security that's your first and greatest sin. Your wireless network is less secure than your wired. That's not debatable. Anyone that says otherwise is selling wireless.
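To make three points in this thread concrete (that a real firewall passes nothing until you configure it, that the management login should not be reachable by the bots that trip the IDS, and that wifi should sit on its own network rather than bridged to the wired LAN), here is an added example ruleset. It is not from any poster in the thread and not pfSense's own generated configuration; it is written in raw FreeBSD/OpenBSD pf.conf syntax, which is the filter pfSense runs underneath its GUI. The interface names, VLAN tag, subnets, the Pi-hole address and the management ports are all assumptions for illustration.

```pf
# Added example: minimal stateful home edge firewall in raw pf.conf syntax.
# Interface names, subnets, VLAN tag and the Pi-hole address are assumed.

# --- interfaces and networks (assumed for this example) ---
wan_if     = "em0"            # faces the cable modem
lan_if     = "em1"            # wired LAN
wifi_if    = "em1.20"         # wifi on VLAN 20, NOT bridged onto the wired LAN
lan_net    = "192.168.10.0/24"
wifi_net   = "192.168.20.0/24"
pihole     = "192.168.10.53"  # Pi-hole / AdGuard Home resolver on the wired side
mgmt_ports = "{ 22, 443 }"    # ssh and the firewall web UI

# Private ranges that must never arrive from the internet side
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Hosts that hammer the management ports are parked here by pf itself
table <bruteforce> persist

set skip on lo0
set block-policy drop          # silently drop instead of sending RST/ICMP

# Reassemble fragments and normalise headers before filtering
scrub in all

# Outbound NAT for both internal networks, using the WAN address dynamically
nat on $wan_if from { $lan_net, $wifi_net } to any -> ($wan_if)

# Default deny on every interface: nothing passes until a rule below allows it.
# This is the "no out-of-the-box pass-through" behaviour asked about in the thread.
block all

# Anti-spoof: WAN traffic claiming a private source address is bogus
block in quick on $wan_if from <rfc1918> to any

# Anything from a host that tripped the management rate limit is dropped early
block in quick from <bruteforce>

# Management only from the wired LAN, and rate-limited: more than 5 new
# connections in 30 seconds from one host adds it to <bruteforce> and
# flushes its existing states. Nothing on the wifi side can even reach the UI.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port $mgmt_ports \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
block in quick on $wifi_if proto tcp from any to ($wifi_if) port $mgmt_ports

# Wired LAN: full outbound access; replies come back through the state table
pass in on $lan_if from $lan_net to any keep state

# Wifi VLAN: may resolve DNS at the Pi-hole and reach the internet,
# but may not talk to anything else on the wired LAN
pass in quick on $wifi_if proto { tcp, udp } from $wifi_net to $pihole port 53 keep state
block in quick on $wifi_if from $wifi_net to $lan_net
pass in on $wifi_if from $wifi_net to any keep state

# Let the firewall's own outbound traffic (and forwarded, NATed traffic) leave on WAN
pass out on $wan_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n` to apply, and watch `pfctl -t bruteforce -T show` to see which sources got rate-limited. Because `block all` comes first and pf is last-match-wins except for `quick` rules, every allowed flow has to be named explicitly, which is exactly why a fresh install passes nothing until the setup process described above is done.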
 