• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Help with new home network?

///AMG

2[H]4U
2FA
Joined
Sep 19, 2012
Messages
3,887
I swapped from comcast to another provider with gig speeds, so now I have 2 ISPs both 1Gbps symmetrical (One paid for by work and one that is personal).

What I want is to keep one connection specifically for my workstation that is provided by work on the ISP that my work pays for. I want a second network just for my personal residential network. I want both networks to fail over to the other one just in case. I also need to have some 10GbE ports for transfer between some QNAP NAS (I have 3 now, 2 with 10GbE) and my personal computers.

I was thinking I need 2 Ubiquiti UDM-Pros, a few Unifi NanoHD/HD APs (I am thinking 4? I have 6500 sq ft indoors that my eeros currently do fine in and I want to add one outside my patio), and a Unifi switch 16 XG?

Do you guys think this would work and is there any alternatives that are easy to manage and cost effective? I'm not super knowledgeable with advanced networking things.
 
Wow.
That is some serious gear.

If I were doing it, I would keep it as simple as possible. Two network cards/ports/connections into your work machine, handle failover in that.

To clarify, work machine has a link to work network and uses it as failover from the home network.

Home network based around google nest wifi, as opposed to unifi. Put in as many points as you need for coverage and be done with it. Start with three points, add more if you need them. Simple to set up, simple to manage.

An alternative would be feeding the google network with a failover device (edge router comes to mind) as you mentioned, and just using google for wifi points.

found this...

https://xenappblog.com/2016/cheapest-dual-wan-router-for-failover/

If I went this route I'd just keep my eero's then add an edgerouter of some sorts for wan failover. To control the edgerouter I'd buy a cloudkey which would put me close to the UDM-Pros anyways price wise. I would still need something like the Unifi switch 16 XG for 10GbE switching. Unless I am missing something? I'm also not big on google anything lately.

From what I read during research the UDM-Pros are able to do IDS and DPS at full 1gbps which I find desirable not sure if its even good or useful though.
 
Do what works - I've used google's mesh wifi (admittedly in its first iteration) for a few years now and had zero issues, and zero maintenance to do on it. Updates itself, just works. New models have integrated google assistant if that floats your boat.

If your eeros are doing enough why change it? Grab the switch you need, job done. Keep it simple. There might be something Mikrotik which could be less expensive ...

I find the less time I spend on home networking the better (rather spend that time with family, dogs, house maintenance, gardening etc), it's why I moved away from pfsense.

Eeros do great but don't have enough features and moving forward I feel like since I am going to make changes might as well just do it well the first time, build out for what I could conceivably need and not mess with it for a long time. I am not a big fan of any voice assistance, I have none except the ones built into the ecobee 4 which I disable.
 
One UDM Pro should be able to handle 2x 1Gbps failover -- the only 'kink' I see is figuring out how to isolate your work system to the work connection and then have mutual failover between the two networks. Isolation could be done by running the work system to a separate interface on the router, or just using a separate VLAN / Subnet, I think, but getting the mutual failover config working would likely require some research.
 
One UDM Pro should be able to handle 2x 1Gbps failover -- the only 'kink' I see is figuring out how to isolate your work system to the work connection and then have mutual failover between the two networks. Isolation could be done by running the work system to a separate interface on the router, or just using a separate VLAN / Subnet, I think, but getting the mutual failover config working would likely require some research.
Can't speak for UDM Pro but this is trivial with a Fortigate. You can isolate anyway you like to the point of a single application being isolated to one link if you like.
 
You say you’re not super knowledgeable and want simple, but you’re implying you know a lot more and want complicated.

Here is what I am reading that you need:
  1. a few 10 gig ports for your NAS
  2. failover for dual net connections
  3. some (currently) undefined features for your mesh wireless
  4. IPS & IDS
Let me simplify:
If you are a potential high risk data store node/have huge potential loss risk, then you need IPS and IDS. Typically this is not needed for a home system and can cause a lot of issues that need time consuming work to fix. High maintenance.

Failover net connections: nice to have, these seem to be necessitating your infrastructure change, how often do these connections go down and how crucial is this? You want simple and low maintenance, you’re asking for an advanced feature.

Draytek have decent high end consumer/small-medium business gear in this space, easy to configure too:
https://www.draytek.com/products/load-balancing-routers/
10gig ports, there are an abundance of new 10gigE switches around, but ideally you want as few of these as possible or some power saving mechanism, do you have a rack? If so noise is less of an issue. These will eat power, is SFP+ an option? Much less power consumption...mikrotik have reasonably priced gear for switching 10gig sfp+ into 1gigE ports

If you want configurability in your mesh, the synology mesh network seems to be the one to go with, as it has a dedicated backhaul channel and all the latest and greatest features. Are your mesh points wired up? The more configurability you get, the more maintenance, in my experience, are you prepared to trade off some configurability for ease of use? (In which case, nest wifi)

Hope this helps

I have a server closet that has a ductless mini split with a rack (if I remember correctly its a 24u rack) so I don't care about noise or heat. It has my av stuff for my theater room, also where I keep my 3 QNAP NAS. Never heard of dray tek before so I'll take a look. All my mesh points are hardwired, if you mean where my eeros currently are. I didnt even known synology made mesh stuff.

When I had comcast I would always have a day or two every month where they would do maintenance for 6 hrs or so at night. I do a lot of work at night so this was a major inconvenience. The ISP that I use on my network machine goes out maybe once a month for a few hrs. I am not sure about the new ISP I switched to so lets just say its probably the most important feature I want that I currently don't have.

I want IPS and IDS more for my work machine and work laptop, talk to my boss and they said they can foot the bill for one of the UDM-Pros for me so I would only need to pay for one. I want the stuff provided from work as isolated as possible from my regular home network for various reasons.
 
I think you're overcomplicating - Suricata and Snort are very good IPS/IDS systems, you could virtualise one if you've got spare machine cycles. Suricata will even work on windows.

That said the Draytek units have basic IPS/IDS which you can use....

Another alternative is the netgate SG-3100 which you could configure for dual wan/failover with included IPS/IDS (which you can install as a package - Snort or Suricata). Heck of a lot more bang for buck than the UDM-Pros. I would suggest the ssd option if you want to run IPS/IDS

IPS/IDS will add latency - if this matters to you.
I'll look at the netgate, also by ssd option do you mean add one to the negate via what looks like the USB? I don't game that much and when I do I play stuff like WC3 or other RTS so latency isn't a huge issue unless its like 50ms+ penalty?
 
No I mean when you purchase it there is the option for a 32GB ssd, I recommend you pay for that extra option.

Latency wise with IPS/IDS it completely depends on:
  • Your filter/rule set size
  • Your available processing power for the software
  • Your amount of memory (whether the filter set can fit in memory)
  • Whether there is hardware acceleration
Effectively with a good IPS/IDS you're sniffing packets going in and out and comparing against the rules/filters you set, then passing it on or killing it in its track and not forwarding, creating a firewall rule to block it from the source. This takes processing power and memory, and adds a delay. If the size of the rule set is bigger than memory, the device needs to pull that off slow storage.

If you're doing all of this in memory and you have decent processing power, you're probably going to have a 1-10ms delay for the hop.

I see. Is it user upgradeable, I have a few msata and nvme ssds laying around.
 
I would suggest that, while you could, I wouldn't. It's about $40 for the privilege, which considering it is guaranteed to work is peanuts.

I see, Ill start looking at pfsense videos on youtube then.
 
You could build a rackmountable pfsense box cheaper using a sata or nvme - but you did say you didn't want complicated, and you want something that just works.

An intel 4 port nic, plus a mini itx J5005, 8 or 16 gig of ram, picopsu or something.. done, could put this in a rackmount box.. you are a bit SOL if you need support for random hardware though.

Yea, I would just buy it. I don't really want to build anything, for what I am doing I just want off the shelf stuff.
 
As an aside, processor speed will limit your bandwidth with IDS/IPS (see netgate site), may want to move up the range depending on your net connections

https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html
If there is the option not to have IPS/IDS or to have a cut down version of it, I would take that - to do it right is a lot of processing. An option would be an AWS instance with pfsense or tnsr that your network interfaces with, then you're not as bound by processor.

The setup here would be dual VPN (failover) -> AWS instance running IPS/IDS -> (net)

For the record, I had pfsense in Esxi @home, and went heavy on the rules, it worked, but ate some power. Full IDS/IPS with deep packet inspection for home networks (in nearly all cases) is like bringing a bazooka to a knife fight.

Most workplaces I know of need you to VPN into them - they handle the IPS/IDS.. I find it strange this is an option for you.

I do VPN in when I need to access work server clusters but I don't all the time, I'm not sure what work does on their side.
 
Hey I just had a look at the IPS/IDS features of the UDM-PRO (I was curious!) and I note that the threat lists predominantly come from uniFi and their partners, where when you're using suricata or snort(etc) you're using a whole lot of different suppliers of the threat info. If you're super security conscious, I think the latter would be want you want.

Something in the back of my mind with respect to IPS has been the similarity to antivirus / antimalware systems -- not only must the engine and supporting hardware be up to the task, but the threat definitions must be relevant and stay updated as well.

This isn't a nut that I'm sure there is a straightforward, remotely affordable means to crack for SMB / enthusiast let alone your average home user that is quickly adding clients including heaps of IoT.
 
I was looking at the suppliers for the bet gate stuff and there are some installers here in Houston that I am contemplating getting a quote so they can do this for me. I looked at YouTube videos of pfsense setups and to me it looked time consuming so I’m really considering paying to set it up.
 
I'm wondering if something like Sophos might be more ideal -- something that can be tossed on more powerful hardware than Netgate is willing to let out the door for anything remotely reasonable, and still at least moderately consumer friendly?
 
I'll again toss this out here. A Fortigate with a UTM license + Fortiswtich + FortiAP all managed from a single interface locally on the Fortigate using built in switch and wireless controllers or managed from Forticloud would make this next to painless. You can leave the home brew and consumer / prosumer crap on the floor where it belongs.
 
I'll again toss this out here. A Fortigate with a UTM license + Fortiswtich + FortiAP all managed from a single interface locally on the Fortigate using built in switch and wireless controllers or managed from Forticloud would make this next to painless. You can leave the home brew and consumer / prosumer crap on the floor where it belongs.

And a five-grand investment up front, plus whatever licensing is necessary for updates? If I'm reading it right- I wouldn't hesitate to use them for enterprise, but their buy-in for 2Gbps+ IPS etc. is hefty.
 
I just did some basic pricing on some entry level fortigate gear, it's not that bad, just under a grand up front for an entry level fortiswitch with dual wan and a year of support. That said it won't do 2Gps IPS. If you need that, then you're so much better off with a higher end netgate unit, price wise as you effectively get free updates of the UTM perpetually

I looked it up just now and the 100f is almost 4K. Also was not aware of needing to buy licenses for updates. Netgate and ubiquiti is less than half of that for everything. Is fortigate worth that much more? I’d have to ask my wife for a 5-10k build out.
 
I think the fortigate is enormous overkill for this setup.

Do you need IPS/IDS or is it just a nice to have?
I don’t know. I’ve never had it so I would say it’s nice to have. I was thinking 2k to build the network out. I could do 3k maybe 4 without asking my wife but anymore than that she would question me.
 
As mentioned - I think you should skip it and let work manage it, it's a lot of work and money if you don't need it.
It would be nice for my own home network. I do a bit of consulting on the side.
 
Checking it out...

1581906717514.png
 
You're saying on one hand it's nice to have, on the other it's not needed.

This is a 1-2k expense plus maintenance time - Your call. ipfire is easier to use than pfsense and implements suricata, pfsense is more enterprise ready. You could just use something like a new/secondhand dell server (with 3+ network ports) and install ipfire/pfsense/untangle/sophos on it.

Some kind of quad core midrange Xeon (3ghz+), haswell generation or better with 8-16 gig of ram which is dual channel would be able to handle most IPS/IDS through suricata at wire speeds.

I would definitely segregate home stuff into “work/home” vs home (DMZ)

think I could use my xenon e5-2683 v3? Planning on moving to TR4 anyways.
 
And a five-grand investment up front, plus whatever licensing is necessary for updates? If I'm reading it right- I wouldn't hesitate to use them for enterprise, but their buy-in for 2Gbps+ IPS etc. is hefty.
Should be able to get in well below that. Also, there is no reason to do IPS on 100% of your traffic. Any IPS product of merit will have update costs. This is simply the way of things as these are in constant flux. I would also add that if you expect to receive any benefit of this of service you do need to be doing mitm on your TLS. If you are not going to do that don't waste your money on IPS.
 
Yep update costs for the signatures etc. ET pro and Oink pro are still costs

I agree with the TLS comment, but again it’s a fair amount of work for someone new to it.
Honestly, staying on top of the mitm stuff is just a fair amount work .... new, seasoned professional or grizzled old curmudgeon. Does it need to be done? I think so but, others may argue. Make no mistake it is a giant PITA. FWIW at home I run a fortigate 201E with a fortiswitch 448D and a pair of AP I bought off craigslist to load balance a 1Gbps fiber connection and 400Mbps docis connection with pretty much every feature checked. The fw doesn't break a sweat ever. I double the throughput and it still would not an issue. One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this and take that load under consideration when sizing a FW. The switch and AP I picked up for less than $500. They have no support and never will. The gate was bought used off of ebay while still under support. I also bought an extended support license off ebay at a major discount to maintain support. I just looked and I see several decent deals on similar hardware now. If you went that route you would want to make absolute certain the seller agrees to transfer the devices to you via forticare. Full disclosure ... Please note that none of ebay deals are mine or anyone that I know. That said, I will eventually get around to posting a fortigate 60E + switch, not big enough for you OP, on ebay. I also do not work for fortinet. I do work with their gear, and most every other major enterprise level firewall provider, at work.
 
One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this and take that load under consideration when sizing a FW.

I felt the need to expand on this. Over the years I've taken a fair amount of heat on this forum for my generally disparaging remarks on consumer router/firewalls. The above statement is the one founding stones for my opinion on the matter. Every piece of consumer class gear I have ever touched bridges internal wireless with internal wired. That is to say that mobile devices are treated with the same security posture as fixed devices. This is considered normal in consumer network land and flat out fundamentally wrong. When you compound that with the fact that many of these mobile devices are in fact dual homed on the provider's LTE network while being attached to these internal wireless networks it gets ever worse. Wireless networks are inherently not as secure as wired networks and should be treated differently.
 
Hmm... If you don't know if you need IPS/IDS I can virtually guarantee you don't need it. IDS/IPS is often used as a false sense of security for home users. It needs to be actively babysat with a real security team to be of any benefit whatsoever, and in most instances IDS with other security measures is going to be better. Who is going to manage your rulesets? Are the paid and/or free rules going to be sufficient for your environment, or are they totally going to miss the boat? At the very minimum if you want something pretty hands-off I would not use a free/open rule set, you'll need a paid maintained set. Make sure it's tuned for the gear that is on your network so you're not unnecessarily blocking real traffic but also detecting issues that are relevant.

I ran an IPS for years until I did some research into real network security, and after that pretty much decided all of it was a total waste of my time for home use--even work. If you're not doing the TLS/MITM connection in today's encrypted world like previously mentioned, you're just pissing in the wind (pardon the crude phrase but can't think of a better one at the moment).

Now, I'll 100% support anyone that wants to do that for fun and giggles, or learning. It can be very interesting. Sifting through 30k poorly-written free open source IDS rule warnings a day is not.

Sophos UTM is a really cool product, I love a lot of features it has (not even considering the IPS features), but don't like how it handles traffic through the firewall. As I understand it, as long as traffic is allowed through the other traffic filters, it pretty much ignores the firewall rules (with exception to the Geo-IP blocking stuff). Strange.
 
I'm a little overloaded reading all these posts. I never knew about a lot of this stuff and TLS/MITM are new acronyms to me. I did however go ahead and order the netgate xg-7100 1U since its in my price range and seems to be good enough for me. Also had 10gb SFP+ ports so I can get a 10Gb switch. I got it with the 256gb SSD and 24gb RAM as Keljain suggested.
 
I'm not even sure if TLS/MITM can be done transparently to the point that it doesn't wind up breaking other stuff.

I think, other than cost, that was my main stopping point with IPS.

One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this

Honestly this is a basic assumption of network security. WPA2 isn't secure, therefore, traffic traversing wireless networks requires more security.

Beyond phones that are dual-homed by nature (if not run that way purposefully), the potential vectors that IoT devices expose pretty much necessitate more lower-level segregation and inspection. An untapped market for home users, in my opinion.
 
I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that

Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.
all that is needed is intuitive GUI.
 
I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that

Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.
It can certainly be done transparently assuming the correct certs are installed on the machine. One of the bigger issues that come up are applications by certain vendors that don't want anyone to know what they are doing, f**king microsoft chief among them, that use embedded certs and break when the server cert is replaced by the proxied connection. This means exceptions have to created and maintained. Frankly, CIOs and CSOs need to put a stop to this kind crap with a very simple mantra to the effect of all traffic on our networks will be inspected or it will be off our network.
 
A little update the netgate is going to be installed by a local company just for my work machines and my company is going to pay for it so I am not going to bother messing with that. I also got the UDM-Pro and its going to be just my personal home network. UDM-Pro came yesterday so I spent a bit last night setting it up, I went to microcenter to grab 4 nanohd aps, and a raspberry pi 4b to use for pihole. So far I can see why a lot of people like ubiquiti stuff.

Also waiting to get the POE Managed switch.
 
Also came home and saw a long list of queries from my NAS to a russian ip address? I never knew it was doing that but its consistent. I paid for eero secure which was supposed to do things like that but never caught it. Its nice to be able to see more detailed stuff like this and then be able to block it.
 
piHole is a 'hole' unto itself- worth taking a bit of time to get familiar with,as you've already seen.
 
piHole is a 'hole' unto itself- worth taking a bit of time to get familiar with,as you've already seen.

Yea, it took me a while but I created a vlan for it and then created an ssid on the nanohds for that vlan specifically for my wife's devices and streaming devices so its plug and play for those on that ssid. Has been very solid, blocks a lot of stupid popup ads too. Waiting on the PoE switch so I can power the PiHole through the switch instead of an adapter. Also have to print out a case for it.

For almost all of my life I just bought the best consumer router I could afford, but I think I am starting to like all of the features and the flexibility of these prosumer+ stuff. I am not in IT or networking at all so its going to take me a long time to figure things out.
 
Back
Top